@frontmcp/sdk 0.4.1 → 0.5.0

package/src/transport/flows/handle.streamable-http.flow.js

@@ -7,47 +7,94 @@ const zod_1 = require("zod");
 const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
 const session_id_utils_1 = require("../../auth/session/utils/session-id.utils");
 exports.plan = {
-    pre: [
-        'parseInput',
-        'router',
-    ],
-    execute: [
-        'onInitialize',
-        'onMessage',
-        'onElicitResult',
-    ],
+    pre: ['parseInput', 'router'],
+    execute: ['onInitialize', 'onMessage', 'onElicitResult', 'onSseListener'],
     post: [],
-    finalize: [
-        'cleanup',
-    ],
+    finalize: ['cleanup'],
 };
+// Relaxed session schema for state - payload is optional when using mcp-session-id header directly
+const stateSessionSchema = zod_1.z.object({
+    id: zod_1.z.string(),
+    payload: zod_1.z
+        .object({
+        nodeId: zod_1.z.string(),
+        authSig: zod_1.z.string(),
+        uuid: zod_1.z.string().uuid(),
+        iat: zod_1.z.number(),
+        protocol: zod_1.z.enum(['legacy-sse', 'sse', 'streamable-http', 'stateful-http', 'stateless-http']).optional(),
+        isPublic: zod_1.z.boolean().optional(),
+        platformType: zod_1.z
+            .enum(['openai', 'claude', 'gemini', 'cursor', 'continue', 'cody', 'generic-mcp', 'ext-apps', 'unknown'])
+            .optional(),
+    })
+        .optional(),
+});
 exports.stateSchema = zod_1.z.object({
     token: zod_1.z.string(),
-    session: common_1.sessionIdSchema,
-    requestType: zod_1.z.enum(['initialize', 'message', 'elicitResult']).optional(),
+    session: stateSessionSchema,
+    requestType: zod_1.z.enum(['initialize', 'message', 'elicitResult', 'sseListener']).optional(),
 });
 const name = 'handle:streamable-http';
 const { Stage } = (0, common_1.FlowHooksOf)(name);
 let HandleStreamableHttpFlow = class HandleStreamableHttpFlow extends common_1.FlowBase {
     name = name;
-    async paseInput() {
+    async parseInput() {
         const { request } = this.rawInput;
-        let { token, session } = request[common_1.ServerRequestTokens.auth];
-        if (!session) {
-            session = (0, session_id_utils_1.createSessionId)('streamable-http', token);
-            request[common_1.ServerRequestTokens.auth].session = session;
+        const authorization = request[common_1.ServerRequestTokens.auth];
+        const { token } = authorization;
+        // CRITICAL: The mcp-session-id header is the client's reference to their session.
+        // We MUST use this exact ID for transport registry lookup.
+        //
+        // Priority 1: Use mcp-session-id header if present (client's session ID for lookup)
+        //             This is the ID the client received from initialize and is referencing.
+        // Priority 2: Use session from authorization if header matches or is absent
+        // Priority 3: Create new session (first request - no header, no authorization.session)
+        const mcpSessionHeader = request.headers?.['mcp-session-id'];
+        let session;
+        if (mcpSessionHeader) {
+            // Client sent session ID - ALWAYS use it for transport lookup
+            // If authorization.session exists and matches, use its payload for protocol detection
+            // If authorization.session differs or is missing, still use header ID (payload may be undefined)
+            if (authorization.session?.id === mcpSessionHeader) {
+                session = authorization.session;
+            }
+            else {
+                session = { id: mcpSessionHeader };
+            }
+        }
+        else if (authorization.session) {
+            // No header but authorization has session - use it (shouldn't happen in normal flow)
+            session = authorization.session;
+        }
+        else {
+            // No session - create new one (initialize request)
+            session = (0, session_id_utils_1.createSessionId)('streamable-http', token, {
+                userAgent: request.headers?.['user-agent'],
+                platformDetectionConfig: this.scope.metadata?.session?.platformDetection,
+            });
         }
         this.state.set(exports.stateSchema.parse({ token, session }));
     }
     async router() {
         const { request } = this.rawInput;
-        if (types_js_1.InitializeRequestSchema.safeParse(request.body).success) {
+        // GET requests are SSE listener streams - no body expected
+        // Per MCP spec, clients can open SSE stream with GET + Accept: text/event-stream
+        if (request.method.toUpperCase() === 'GET') {
+            this.state.set('requestType', 'sseListener');
+            return;
+        }
+        // POST requests have MCP JSON-RPC body
+        const body = request.body;
+        const method = body?.method;
+        // Use method-based detection for routing (more permissive than strict schema)
+        // The actual schema validation happens in the MCP SDK's transport layer
+        if (method === 'initialize') {
             this.state.set('requestType', 'initialize');
         }
         else if (types_js_1.ElicitResultSchema.safeParse(request.body).success) {
             this.state.set('requestType', 'elicitResult');
         }
-        else if (types_js_1.RequestSchema.safeParse(request.body).success) {
+        else if (method && types_js_1.RequestSchema.safeParse(request.body).success) {
             this.state.set('requestType', 'message');
         }
         else {
@@ -56,25 +103,102 @@ let HandleStreamableHttpFlow = class HandleStreamableHttpFlow extends common_1.F
     }
     async onInitialize() {
         const transportService = this.scope.transportService;
+        const logger = this.scope.logger.child('handle:streamable-http:onInitialize');
         const { request, response } = this.rawInput;
         const { token, session } = this.state.required;
-        const transport = await transportService.createTransporter('streamable-http', token, session.id, response);
-        await transport.initialize(request, response);
-        this.handled();
+        logger.info('onInitialize: creating transport', {
+            sessionId: session.id.slice(0, 30),
+            hasToken: !!token,
+            tokenPrefix: token?.slice(0, 10),
+        });
+        try {
+            const transport = await transportService.createTransporter('streamable-http', token, session.id, response);
+            logger.info('onInitialize: transport created, calling initialize');
+            await transport.initialize(request, response);
+            logger.info('onInitialize: completed successfully');
+            this.handled();
+        }
+        catch (error) {
+            // FlowControl is expected control flow (from this.handled()), not an error
+            if (error instanceof common_1.FlowControl) {
+                throw error;
+            }
+            logger.error('onInitialize: failed', {
+                error: error instanceof Error ? error.message : String(error),
+                stack: error instanceof Error ? error.stack : undefined,
+            });
+            throw error;
+        }
     }
     async onElicitResult() {
         this.fail(new Error('Not implemented'));
     }
     async onMessage() {
+        const transportService = this.scope.transportService;
+        const logger = this.scopeLogger.child('handle:streamable-http:onMessage');
+        const { request, response } = this.rawInput;
+        const { token, session } = this.state.required;
+        const transport = await transportService.getTransporter('streamable-http', token, session.id);
+        if (!transport) {
+            // Check if session was ever created to differentiate error types per MCP Spec 2025-11-25
+            const wasCreated = transportService.wasSessionCreated('streamable-http', token, session.id);
+            const body = request.body;
+            if (wasCreated) {
+                // Session existed but was terminated/evicted → HTTP 404 (client should re-initialize)
+                logger.info('Session expired - client should re-initialize', {
+                    sessionId: session.id?.slice(0, 20),
+                    tokenHash: token.slice(0, 8),
+                    method: body?.['method'],
+                    requestId: body?.['id'],
+                    mcpSessionId: request.headers?.['mcp-session-id'],
+                });
+                this.respond(common_1.httpRespond.sessionExpired('session expired'));
+            }
+            else {
+                // Session was never created → HTTP 404 (per user requirement: invalid/missing session = 404)
+                logger.warn('Session not initialized - client attempted request without initializing', {
+                    sessionId: session.id?.slice(0, 20),
+                    tokenHash: token.slice(0, 8),
+                    method: body?.['method'],
+                    requestId: body?.['id'],
+                    mcpSessionId: request.headers?.['mcp-session-id'],
+                    userAgent: request.headers?.['user-agent']?.slice(0, 50),
+                });
+                this.respond(common_1.httpRespond.sessionNotFound('session not initialized'));
+            }
+            return;
+        }
+        try {
+            await transport.handleRequest(request, response);
+            this.handled();
+        }
+        catch (error) {
+            // FlowControl is expected control flow, not an error
+            if (!(error instanceof common_1.FlowControl)) {
+                const body = request.body;
+                logger.error('handleRequest failed', {
+                    error: error instanceof Error ? { name: error.name, message: error.message, stack: error.stack } : error,
+                    method: body?.['method'],
+                    id: body?.['id'],
+                    sessionId: session.id?.slice(0, 20),
+                });
+            }
+            throw error;
+        }
+    }
+    async onSseListener() {
         const transportService = this.scope.transportService;
         const { request, response } = this.rawInput;
         const { token, session } = this.state.required;
+        // Get existing transport for this session - SSE listener requires existing session
         const transport = await transportService.getTransporter('streamable-http', token, session.id);
         if (!transport) {
-            this.respond(common_1.httpRespond.rpcError('session not initialized'));
+            this.respond(common_1.httpRespond.notFound('Session not found'));
             return;
         }
+        // Forward GET request to transport (opens SSE stream for server→client notifications)
         await transport.handleRequest(request, response);
+        this.handled();
     }
 };
 tslib_1.__decorate([
@@ -82,7 +206,7 @@ tslib_1.__decorate([
     tslib_1.__metadata("design:type", Function),
     tslib_1.__metadata("design:paramtypes", []),
     tslib_1.__metadata("design:returntype", Promise)
-], HandleStreamableHttpFlow.prototype, "paseInput", null);
+], HandleStreamableHttpFlow.prototype, "parseInput", null);
 tslib_1.__decorate([
     Stage('router'),
     tslib_1.__metadata("design:type", Function),
@@ -113,6 +237,14 @@ tslib_1.__decorate([
     tslib_1.__metadata("design:paramtypes", []),
     tslib_1.__metadata("design:returntype", Promise)
 ], HandleStreamableHttpFlow.prototype, "onMessage", null);
+tslib_1.__decorate([
+    Stage('onSseListener', {
+        filter: ({ state: { requestType } }) => requestType === 'sseListener',
+    }),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], HandleStreamableHttpFlow.prototype, "onSseListener", null);
 HandleStreamableHttpFlow = tslib_1.__decorate([
     (0, common_1.Flow)({
         name,

package/src/transport/flows/handle.streamable-http.flow.js.map

@@ -1 +1 @@
-{"version":3,"file":"handle.streamable-http.flow.js","sourceRoot":"","sources":["../../../../src/transport/flows/handle.streamable-http.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAGsB;AACtB,6BAAsB;AACtB,iEAA8G;AAE9G,gFAA0E;AAE7D,QAAA,IAAI,GAAG;IAClB,GAAG,EAAE;QACH,YAAY;QACZ,QAAQ;KACT;IACD,OAAO,EAAE;QACP,cAAc;QACd,WAAW;QACX,gBAAgB;KACjB;IACD,IAAI,EAAE,EAAE;IACR,QAAQ,EAAE;QACR,SAAS;KACV;CACkC,CAAC;AAGzB,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,OAAO,EAAE,wBAAe;IACxB,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC,QAAQ,EAAE;CAC1E,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG,wBAAiC,CAAC;AAC/C,MAAM,EAAC,KAAK,EAAC,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAsBnB,IAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,iBAAqB;IACzE,IAAI,GAAG,IAAI,CAAC;IAGN,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAEhC,IAAI,EAAC,KAAK,EAAE,OAAO,EAAC,GAAG,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAkB,CAAC;QAE1E,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,GAAG,IAAA,kCAAe,EAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;YACpD,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAC,CAAC,OAAO,GAAG,OAAO,CAAC;QACtD,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAW,CAAC,KAAK,CAAC,EAAC,KAAK,EAAE,OAAO,EAAC,CAAC,CAAC,CAAC;IACtD,CAAC;IAGK,AAAN,KAAK,CAAC,MAAM;QACV,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAEhC,IAAI,kCAAuB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC5D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,6BAAkB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC9D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,wBAAa,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YACzD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,YAAY;QAChB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAEhE,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC1C,MAAM,EAAC,KAAK,EAAE,OAAO,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC3G,MAAM,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAKK,AAAN,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC1C,CAAC;IAKK,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAEhE,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC1C,MAAM,EAAC,KAAK,EAAE,OAAO,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9F,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,yBAAyB,CAAC,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QACD,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;CAGF,CAAA;AAhEO;IADL,KAAK,CAAC,YAAY,CAAC;;;;yDAWnB;AAGK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;sDAaf;AAKK;IAHL,KAAK,CAAC,cAAc,EAAE;QACrB,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,WAAW,EAAC,EAAC,EAAE,EAAE,CAAC,WAAW,KAAK,YAAY;KACjE,CAAC;;;;4DASD;AAKK;IAHL,KAAK,CAAC,gBAAgB,EAAE;QACvB,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,WAAW,EAAC,EAAC,EAAE,EAAE,CAAC,WAAW,KAAK,cAAc;KACnE,CAAC;;;;8DAGD;AAKK;IAHL,KAAK,CAAC,WAAW,EAAE;QAClB,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,WAAW,EAAC,EAAC,EAAE,EAAE,CAAC,WAAW,KAAK,SAAS;KAC9D,CAAC;;;;yDAYD;AAjEkB,wBAAwB;IAP5C,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI,EAAJ,YAAI;QACJ,MAAM,EAAE,YAAY;QACpB,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;KAC/B,CAAC;GACmB,wBAAwB,CAoE5C;kBApEoB,wBAAwB","sourcesContent":["import {\n  Flow, httpInputSchema, FlowRunOptions, httpOutputSchema, FlowPlan,\n  FlowBase, FlowHooksOf, sessionIdSchema, httpRespond, ServerRequestTokens, Authorization,\n} from '../../common';\nimport {z} from 'zod';\nimport {ElicitResultSchema, InitializeRequestSchema, RequestSchema} from '@modelcontextprotocol/sdk/types.js';\nimport {Scope} from '../../scope';\nimport {createSessionId} from '../../auth/session/utils/session-id.utils';\n\nexport const plan = {\n  pre: [\n    'parseInput',\n    'router',\n  ],\n  execute: [\n    'onInitialize',\n    'onMessage',\n    'onElicitResult',\n  ],\n  post: [],\n  finalize: [\n    'cleanup',\n  ],\n} as const satisfies FlowPlan<string>;\n\n\nexport const stateSchema = z.object({\n  token: z.string(),\n  session: sessionIdSchema,\n  requestType: z.enum(['initialize', 'message', 'elicitResult']).optional(),\n});\n\nconst name = 'handle:streamable-http' as const;\nconst {Stage} = FlowHooksOf(name);\n\n\ndeclare global {\n  interface ExtendFlows {\n    'handle:streamable-http': FlowRunOptions<\n      HandleStreamableHttpFlow,\n      typeof plan,\n      typeof httpInputSchema,\n      typeof httpOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\n@Flow({\n  name,\n  plan,\n  access: 'authorized',\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n})\nexport default class HandleStreamableHttpFlow extends FlowBase<typeof name> {\n  name = name;\n\n  @Stage('parseInput')\n  async paseInput() {\n    const {request} = this.rawInput;\n\n    let {token, session} = request[ServerRequestTokens.auth] as Authorization;\n\n    if (!session) {\n      session = createSessionId('streamable-http', token);\n      request[ServerRequestTokens.auth].session = session;\n    }\n    this.state.set(stateSchema.parse({token, session}));\n  }\n\n  @Stage('router')\n  async router() {\n    const {request} = this.rawInput;\n\n    if (InitializeRequestSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'initialize');\n    } else if (ElicitResultSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'elicitResult');\n    } else if (RequestSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'message');\n    } else {\n      this.respond(httpRespond.rpcError('Invalid Request'));\n    }\n  }\n\n  @Stage('onInitialize', {\n    filter: ({state: {requestType}}) => requestType === 'initialize',\n  })\n  async onInitialize() {\n    const transportService = (this.scope as Scope).transportService;\n\n    const {request, response} = this.rawInput;\n    const {token, session} = this.state.required;\n    const transport = await transportService.createTransporter('streamable-http', token, session.id, response);\n    await transport.initialize(request, response);\n    this.handled();\n  }\n\n  @Stage('onElicitResult', {\n    filter: ({state: {requestType}}) => requestType === 'elicitResult',\n  })\n  async onElicitResult() {\n    this.fail(new Error('Not implemented'));\n  }\n\n  @Stage('onMessage', {\n    filter: ({state: {requestType}}) => requestType === 'message',\n  })\n  async onMessage() {\n    const transportService = (this.scope as Scope).transportService;\n\n    const {request, response} = this.rawInput;\n    const {token, session} = this.state.required;\n    const transport = await transportService.getTransporter('streamable-http', token, session.id);\n    if (!transport) {\n      this.respond(httpRespond.rpcError('session not initialized'));\n      return;\n    }\n    await transport.handleRequest(request, response);\n  }\n\n\n}\n"]}
+{"version":3,"file":"handle.streamable-http.flow.js","sourceRoot":"","sources":["../../../../src/transport/flows/handle.streamable-http.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAasB;AACtB,6BAAwB;AACxB,iEAAuF;AAEvF,gFAA4E;AAE/D,QAAA,IAAI,GAAG;IAClB,GAAG,EAAE,CAAC,YAAY,EAAE,QAAQ,CAAC;IAC7B,OAAO,EAAE,CAAC,cAAc,EAAE,WAAW,EAAE,gBAAgB,EAAE,eAAe,CAAC;IACzE,IAAI,EAAE,EAAE;IACR,QAAQ,EAAE,CAAC,SAAS,CAAC;CACc,CAAC;AAEtC,mGAAmG;AACnG,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,OAAO,EAAE,OAAC;SACP,MAAM,CAAC;QACN,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;QAClB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;QACnB,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QACvB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACxG,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAChC,YAAY,EAAE,OAAC;aACZ,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;aACxG,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEU,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,OAAO,EAAE,kBAAkB;IAC3B,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,EAAE,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE;CACzF,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG,wBAAiC,CAAC;AAC/C,MAAM,EAAE,KAAK,EAAE,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAqBrB,IAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,iBAAqB;IACzE,IAAI,GAAG,IAAI,CAAC;IAGN,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,MAAM,aAAa,GAAG,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAkB,CAAC;QACzE,MAAM,EAAE,KAAK,EAAE,GAAG,aAAa,CAAC;QAEhC,kFAAkF;QAClF,2DAA2D;QAC3D,EAAE;QACF,oFAAoF;QACpF,qFAAqF;QACrF,4EAA4E;QAC5E,uFAAuF;QACvF,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAuB,CAAC;QAEnF,IAAI,OAAoF,CAAC;QAEzF,IAAI,gBAAgB,EAAE,CAAC;YACrB,8DAA8D;YAC9D,sFAAsF;YACtF,iGAAiG;YACjG,IAAI,aAAa,CAAC,OAAO,EAAE,EAAE,KAAK,gBAAgB,EAAE,CAAC;gBACnD,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;YAClC,CAAC;iBAAM,CAAC;gBACN,OAAO,GAAG,EAAE,EAAE,EAAE,gBAAgB,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;YACjC,qFAAqF;YACrF,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,mDAAmD;YACnD,OAAO,GAAG,IAAA,kCAAe,EAAC,iBAAiB,EAAE,KAAK,EAAE;gBAClD,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAuB;gBAChE,uBAAuB,EAAG,IAAI,CAAC,KAAe,CAAC,QAAQ,EAAE,OAAO,EAAE,iBAAiB;aACpF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAW,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;IAGK,AAAN,KAAK,CAAC,MAAM;QACV,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,2DAA2D;QAC3D,iFAAiF;QACjF,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,uCAAuC;QACvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAuC,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAI,EAAE,MAAM,CAAC;QAE5B,8EAA8E;QAC9E,wEAAwE;QACxE,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,6BAAkB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC9D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,MAAM,IAAI,wBAAa,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YACnE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,YAAY;QAChB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAI,IAAI,CAAC,KAAe,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QAEzF,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE/C,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE;YAC9C,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,KAAK;YACjB,WAAW,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;SACjC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;YAC3G,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YACnE,MAAM,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC9C,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACpD,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,2EAA2E;YAC3E,IAAI,KAAK,YAAY,oBAAW,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;gBACnC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;aACxD,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC1C,CAAC;IAKK,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAE1E,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9F,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,yFAAyF;YACzF,MAAM,UAAU,GAAG,gBAAgB,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YAC5F,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;YAEjE,IAAI,UAAU,EAAE,CAAC;gBACf,sFAAsF;gBACtF,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE;oBAC3D,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBACvB,YAAY,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAC;iBAClD,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAC9D,CAAC;iBAAM,CAAC;gBACN,6FAA6F;gBAC7F,MAAM,CAAC,IAAI,CAAC,yEAAyE,EAAE;oBACrF,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBACvB,YAAY,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAC;oBACjD,SAAS,EAAG,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAwB,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACjF,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,eAAe,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACvE,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACjD,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;gBACjE,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;oBACnC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK;oBACxG,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,EAAE,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACpC,CAAC,CAAC;YACL,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,aAAa;QACjB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAEhE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE/C,mFAAmF;QACnF,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9F,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QAED,sFAAsF;QACtF,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF,CAAA;AA5LO;IADL,KAAK,CAAC,YAAY,CAAC;;;;0DAuCnB;AAGK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;sDA0Bf;AAKK;IAHL,KAAK,CAAC,cAAc,EAAE;QACrB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,YAAY;KACrE,CAAC;;;;4DA+BD;AAKK;IAHL,KAAK,CAAC,gBAAgB,EAAE;QACvB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,cAAc;KACvE,CAAC;;;;8DAGD;AAKK;IAHL,KAAK,CAAC,WAAW,EAAE;QAClB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,SAAS;KAClE,CAAC;;;;yDAsDD;AAKK;IAHL,KAAK,CAAC,eAAe,EAAE;QACtB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,aAAa;KACtE,CAAC;;;;6DAiBD;AA/LkB,wBAAwB;IAP5C,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI,EAAJ,YAAI;QACJ,MAAM,EAAE,YAAY;QACpB,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;KAC/B,CAAC;GACmB,wBAAwB,CAgM5C;kBAhMoB,wBAAwB","sourcesContent":["import {\n  Flow,\n  httpInputSchema,\n  FlowRunOptions,\n  httpOutputSchema,\n  FlowPlan,\n  FlowBase,\n  FlowHooksOf,\n  sessionIdSchema,\n  httpRespond,\n  ServerRequestTokens,\n  Authorization,\n  FlowControl,\n} from '../../common';\nimport { z } from 'zod';\nimport { ElicitResultSchema, RequestSchema } from '@modelcontextprotocol/sdk/types.js';\nimport { Scope } from '../../scope';\nimport { createSessionId } from '../../auth/session/utils/session-id.utils';\n\nexport const plan = {\n  pre: ['parseInput', 'router'],\n  execute: ['onInitialize', 'onMessage', 'onElicitResult', 'onSseListener'],\n  post: [],\n  finalize: ['cleanup'],\n} as const satisfies FlowPlan<string>;\n\n// Relaxed session schema for state - payload is optional when using mcp-session-id header directly\nconst stateSessionSchema = z.object({\n  id: z.string(),\n  payload: z\n    .object({\n      nodeId: z.string(),\n      authSig: z.string(),\n      uuid: z.string().uuid(),\n      iat: z.number(),\n      protocol: z.enum(['legacy-sse', 'sse', 'streamable-http', 'stateful-http', 'stateless-http']).optional(),\n      isPublic: z.boolean().optional(),\n      platformType: z\n        .enum(['openai', 'claude', 'gemini', 'cursor', 'continue', 'cody', 'generic-mcp', 'ext-apps', 'unknown'])\n        .optional(),\n    })\n    .optional(),\n});\n\nexport const stateSchema = z.object({\n  token: z.string(),\n  session: stateSessionSchema,\n  requestType: z.enum(['initialize', 'message', 'elicitResult', 'sseListener']).optional(),\n});\n\nconst name = 'handle:streamable-http' as const;\nconst { Stage } = FlowHooksOf(name);\n\ndeclare global {\n  interface ExtendFlows {\n    'handle:streamable-http': FlowRunOptions<\n      HandleStreamableHttpFlow,\n      typeof plan,\n      typeof httpInputSchema,\n      typeof httpOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\n@Flow({\n  name,\n  plan,\n  access: 'authorized',\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n})\nexport default class HandleStreamableHttpFlow extends FlowBase<typeof name> {\n  name = name;\n\n  @Stage('parseInput')\n  async parseInput() {\n    const { request } = this.rawInput;\n\n    const authorization = request[ServerRequestTokens.auth] as Authorization;\n    const { token } = authorization;\n\n    // CRITICAL: The mcp-session-id header is the client's reference to their session.\n    // We MUST use this exact ID for transport registry lookup.\n    //\n    // Priority 1: Use mcp-session-id header if present (client's session ID for lookup)\n    //             This is the ID the client received from initialize and is referencing.\n    // Priority 2: Use session from authorization if header matches or is absent\n    // Priority 3: Create new session (first request - no header, no authorization.session)\n    const mcpSessionHeader = request.headers?.['mcp-session-id'] as string | undefined;\n\n    let session: { id: string; payload?: z.infer<typeof stateSchema>['session']['payload'] };\n\n    if (mcpSessionHeader) {\n      // Client sent session ID - ALWAYS use it for transport lookup\n      // If authorization.session exists and matches, use its payload for protocol detection\n      // If authorization.session differs or is missing, still use header ID (payload may be undefined)\n      if (authorization.session?.id === mcpSessionHeader) {\n        session = authorization.session;\n      } else {\n        session = { id: mcpSessionHeader };\n      }\n    } else if (authorization.session) {\n      // No header but authorization has session - use it (shouldn't happen in normal flow)\n      session = authorization.session;\n    } else {\n      // No session - create new one (initialize request)\n      session = createSessionId('streamable-http', token, {\n        userAgent: request.headers?.['user-agent'] as string | undefined,\n        platformDetectionConfig: (this.scope as Scope).metadata?.session?.platformDetection,\n      });\n    }\n\n    this.state.set(stateSchema.parse({ token, session }));\n  }\n\n  @Stage('router')\n  async router() {\n    const { request } = this.rawInput;\n\n    // GET requests are SSE listener streams - no body expected\n    // Per MCP spec, clients can open SSE stream with GET + Accept: text/event-stream\n    if (request.method.toUpperCase() === 'GET') {\n      this.state.set('requestType', 'sseListener');\n      return;\n    }\n\n    // POST requests have MCP JSON-RPC body\n    const body = request.body as { method?: string } | undefined;\n    const method = body?.method;\n\n    // Use method-based detection for routing (more permissive than strict schema)\n    // The actual schema validation happens in the MCP SDK's transport layer\n    if (method === 'initialize') {\n      this.state.set('requestType', 'initialize');\n    } else if (ElicitResultSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'elicitResult');\n    } else if (method && RequestSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'message');\n    } else {\n      this.respond(httpRespond.rpcError('Invalid Request'));\n    }\n  }\n\n  @Stage('onInitialize', {\n    filter: ({ state: { requestType } }) => requestType === 'initialize',\n  })\n  async onInitialize() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = (this.scope as Scope).logger.child('handle:streamable-http:onInitialize');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n\n    logger.info('onInitialize: creating transport', {\n      sessionId: session.id.slice(0, 30),\n      hasToken: !!token,\n      tokenPrefix: token?.slice(0, 10),\n    });\n\n    try {\n      const transport = await transportService.createTransporter('streamable-http', token, session.id, response);\n      logger.info('onInitialize: transport created, calling initialize');\n      await transport.initialize(request, response);\n      logger.info('onInitialize: completed successfully');\n      this.handled();\n    } catch (error) {\n      // FlowControl is expected control flow (from this.handled()), not an error\n      if (error instanceof FlowControl) {\n        throw error;\n      }\n      logger.error('onInitialize: failed', {\n        error: error instanceof Error ? error.message : String(error),\n        stack: error instanceof Error ? error.stack : undefined,\n      });\n      throw error;\n    }\n  }\n\n  @Stage('onElicitResult', {\n    filter: ({ state: { requestType } }) => requestType === 'elicitResult',\n  })\n  async onElicitResult() {\n    this.fail(new Error('Not implemented'));\n  }\n\n  @Stage('onMessage', {\n    filter: ({ state: { requestType } }) => requestType === 'message',\n  })\n  async onMessage() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = this.scopeLogger.child('handle:streamable-http:onMessage');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n    const transport = await transportService.getTransporter('streamable-http', token, session.id);\n    if (!transport) {\n      // Check if session was ever created to differentiate error types per MCP Spec 2025-11-25\n      const wasCreated = transportService.wasSessionCreated('streamable-http', token, session.id);\n      const body = request.body as Record<string, unknown> | undefined;\n\n      if (wasCreated) {\n        // Session existed but was terminated/evicted → HTTP 404 (client should re-initialize)\n        logger.info('Session expired - client should re-initialize', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n          mcpSessionId: request.headers?.['mcp-session-id'],\n        });\n        this.respond(httpRespond.sessionExpired('session expired'));\n      } else {\n        // Session was never created → HTTP 404 (per user requirement: invalid/missing session = 404)\n        logger.warn('Session not initialized - client attempted request without initializing', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n          mcpSessionId: request.headers?.['mcp-session-id'],\n          userAgent: (request.headers?.['user-agent'] as string | undefined)?.slice(0, 50),\n        });\n        this.respond(httpRespond.sessionNotFound('session not initialized'));\n      }\n      return;\n    }\n\n    try {\n      await transport.handleRequest(request, response);\n      this.handled();\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        const body = request.body as Record<string, unknown> | undefined;\n        logger.error('handleRequest failed', {\n          error: error instanceof Error ? { name: error.name, message: error.message, stack: error.stack } : error,\n          method: body?.['method'],\n          id: body?.['id'],\n          sessionId: session.id?.slice(0, 20),\n        });\n      }\n      throw error;\n    }\n  }\n\n  @Stage('onSseListener', {\n    filter: ({ state: { requestType } }) => requestType === 'sseListener',\n  })\n  async onSseListener() {\n    const transportService = (this.scope as Scope).transportService;\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n\n    // Get existing transport for this session - SSE listener requires existing session\n    const transport = await transportService.getTransporter('streamable-http', token, session.id);\n    if (!transport) {\n      this.respond(httpRespond.notFound('Session not found'));\n      return;\n    }\n\n    // Forward GET request to transport (opens SSE stream for server→client notifications)\n    await transport.handleRequest(request, response);\n    this.handled();\n  }\n}\n"]}

package/src/transport/legacy/legacy.sse.tranporter.d.ts

@@ -34,6 +34,8 @@ export declare class SSEServerTransport implements Transport {
     private _sseResponse?;
     private _sessionId;
     private _options;
+    /** Incrementing event ID counter for SSE events (MCP 2025-11-25 spec compliance) */
+    private _eventIdCounter;
     onclose?: () => void;
     onerror?: (error: Error) => void;
     onmessage?: (message: JSONRPCMessage, extra?: MessageExtraInfo) => void;
@@ -72,4 +74,11 @@ export declare class SSEServerTransport implements Transport {
      * This can be used to route incoming POST requests.
      */
     get sessionId(): string;
+    /**
+     * Returns the current event ID counter value.
+     *
+     * This is the ID that was used for the last sent event.
+     * Useful for testing and debugging reconnection scenarios.
+     */
+    get lastEventId(): number;
 }

package/src/transport/legacy/legacy.sse.tranporter.js

@@ -19,6 +19,8 @@ class SSEServerTransport {
     _sseResponse;
     _sessionId;
     _options;
+    /** Incrementing event ID counter for SSE events (MCP 2025-11-25 spec compliance) */
+    _eventIdCounter = 0;
     onclose;
     onerror;
     onmessage;
@@ -78,7 +80,9 @@ class SSEServerTransport {
         endpointUrl.searchParams.set('sessionId', this._sessionId);
         // Reconstruct the relative URL string (pathname + search + hash)
         const relativeUrlWithSession = endpointUrl.pathname + endpointUrl.search + endpointUrl.hash;
-        this.res.write(`event: endpoint\ndata: ${relativeUrlWithSession}\n\n`);
+        // Include event ID per MCP 2025-11-25 spec for client reconnection support
+        const eventId = ++this._eventIdCounter;
+        this.res.write(`id: ${eventId}\nevent: endpoint\ndata: ${relativeUrlWithSession}\n\n`);
         this._sseResponse = this.res;
         this.res.on('close', () => {
             this._sseResponse = undefined;
@@ -155,7 +159,9 @@ class SSEServerTransport {
         if (!this._sseResponse) {
             throw new Error('Not connected');
         }
-        this._sseResponse.write(`event: message\ndata: ${JSON.stringify(message)}\n\n`);
+        // Include event ID per MCP 2025-11-25 spec for client reconnection support
+        const eventId = ++this._eventIdCounter;
+        this._sseResponse.write(`id: ${eventId}\nevent: message\ndata: ${JSON.stringify(message)}\n\n`);
     }
     /**
      * Returns the session ID for this transport.
@@ -165,6 +171,15 @@ class SSEServerTransport {
     get sessionId() {
         return this._sessionId;
     }
+    /**
+     * Returns the current event ID counter value.
+     *
+     * This is the ID that was used for the last sent event.
+     * Useful for testing and debugging reconnection scenarios.
+     */
+    get lastEventId() {
+        return this._eventIdCounter;
+    }
 }
 exports.SSEServerTransport = SSEServerTransport;
 //# sourceMappingURL=legacy.sse.tranporter.js.map

package/src/transport/legacy/legacy.sse.tranporter.js.map

@@ -1 +1 @@
-{"version":3,"file":"legacy.sse.tranporter.js","sourceRoot":"","sources":["../../../../src/transport/legacy/legacy.sse.tranporter.ts"],"names":[],"mappings":";;;;AAAA,6CAAyC;AAEzC,gEAAkC;AAClC,wEAAuC;AACvC,6BAA0B;AAE1B,iEAA4G;AAG5G,MAAM,oBAAoB,GAAG,KAAK,CAAC;AA2BnC;;;;GAIG;AACH,MAAa,kBAAkB;IAWT;IAA2B;IAVvC,YAAY,CAAkB;IAC9B,UAAU,CAAS;IACnB,QAAQ,CAA4B;IAC5C,OAAO,CAAc;IACrB,OAAO,CAA0B;IACjC,SAAS,CAA+D;IAExE;;OAEG;IACH,YAAoB,SAAiB,EAAU,GAAmB,EAAE,OAAmC;QAAnF,cAAS,GAAT,SAAS,CAAQ;QAAU,QAAG,GAAH,GAAG,CAAgB;QAChE,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,SAAS,IAAI,IAAA,wBAAU,GAAE,CAAC;QACrD,IAAI,CAAC,QAAQ,GAAG,OAAO,IAAI,EAAE,4BAA4B,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED;;;OAGG;IACK,sBAAsB,CAAC,GAAoB;QACjD,+CAA+C;QAC/C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,4BAA4B,EAAE,CAAC;YAChD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,qDAAqD;QACrD,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxE,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;YACpC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBACpE,OAAO,wBAAwB,UAAU,EAAE,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,yDAAyD;QACzD,IAAI,IAAI,CAAC,QAAQ,CAAC,cAAc,IAAI,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5E,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;YACxC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC1E,OAAO,0BAA0B,YAAY,EAAE,CAAC;YAClD,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CACb,6GAA6G,CAC9G,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACtB,cAAc,EAAE,mBAAmB;YACnC,eAAe,EAAE,wBAAwB;YACzC,UAAU,EAAE,YAAY;SACzB,CAAC,CAAC;QAEH,0BAA0B;QAC1B,2DAA2D;QAC3D,uEAAuE;QACvE,MAAM,SAAS,GAAG,kBAAkB,CAAC,CAAC,uBAAuB;QAC7D,MAAM,WAAW,GAAG,IAAI,SAAG,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QACvD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAE3D,iEAAiE;QACjE,MAAM,sBAAsB,GAAG,WAAW,CAAC,QAAQ,GAAG,WAAW,CAAC,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC;QAE5F,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,0BAA0B,sBAAsB,MAAM,CAAC,CAAC;QAEvE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC;QAC7B,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACxB,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;YAC9B,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;QACnB,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CACrB,GAA0C,EAC1C,GAAmB,EACnB,UAAoB;QAEpB,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,gCAAgC,CAAC;YACjD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC;QAC3B,CAAC;QAED,wDAAwD;QACxD,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACzD,IAAI,eAAe,EAAE,CAAC;YACpB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YACxC,IAAI,CAAC,OAAO,EAAE,CAAC,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;YAC3C,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAyB,GAAG,CAAC,IAAI,CAAC;QAChD,MAAM,WAAW,GAAgB,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAS,CAAC;QAEjE,IAAI,IAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,sBAAW,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC;YAChE,IAAI,EAAE,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;gBACnC,MAAM,IAAI,KAAK,CAAC,6BAA6B,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1D,CAAC;YAED,IAAI;gBACF,UAAU;oBACV,CAAC,MAAM,IAAA,kBAAU,EAAC,GAAG,EAAE;wBACrB,KAAK,EAAE,oBAAoB;wBAC3B,QAAQ,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,IAAI,OAAO;qBAC3C,CAAC,CAAC,CAAC;QACR,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACtC,IAAI,CAAC,OAAO,EAAE,CAAC,KAAc,CAAC,CAAC;YAC/B,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAS,CAAC,CAAC;QACjH,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QAED,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,OAAgB,EAAE,KAAwB;QAC5D,IAAI,aAA6B,CAAC;QAClC,IAAI,CAAC;YACH,aAAa,GAAG,+BAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,EAAE,CAAC,KAAc,CAAC,CAAC;YAC/B,MAAM,KAAK,CAAC;QACd,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,YAAY,EAAE,GAAG,EAAE,CAAC;QACzB,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;QAC9B,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAuB;QAChC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,yBAAyB,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAClF,CAAC;IAED;;;;OAIG;IACH,IAAI,SAAS;QACX,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;CACF;AA/KD,gDA+KC","sourcesContent":["import { randomUUID } from 'node:crypto';\nimport { IncomingMessage, ServerResponse } from 'node:http';\nimport getRawBody from 'raw-body';\nimport contentType from 'content-type';\nimport { URL } from 'url';\nimport { Transport } from '@modelcontextprotocol/sdk/shared/transport.js';\nimport { JSONRPCMessage, JSONRPCMessageSchema, MessageExtraInfo } from '@modelcontextprotocol/sdk/types.js';\nimport { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';\n\nconst MAXIMUM_MESSAGE_SIZE = '4mb';\n\n/**\n * Configuration options for SSEServerTransport.\n */\nexport interface SSEServerTransportOptions {\n  /**\n   * List of allowed host header values for DNS rebinding protection.\n   * If not specified, host validation is disabled.\n   */\n  allowedHosts?: string[];\n\n  /**\n   * List of allowed origin header values for DNS rebinding protection.\n   * If not specified, origin validation is disabled.\n   */\n  allowedOrigins?: string[];\n\n  /**\n   * Enable DNS rebinding protection (requires allowedHosts and/or allowedOrigins to be configured).\n   * Default is false for backwards compatibility.\n   */\n  enableDnsRebindingProtection?: boolean;\n\n  sessionId?: string;\n}\n\n/**\n * Server transport for SSE: this will send messages over an SSE connection and receive messages from HTTP POST requests.\n *\n * This transport is only available in Node.js environments.\n */\nexport class SSEServerTransport implements Transport {\n  private _sseResponse?: ServerResponse;\n  private _sessionId: string;\n  private _options: SSEServerTransportOptions;\n  onclose?: () => void;\n  onerror?: (error: Error) => void;\n  onmessage?: (message: JSONRPCMessage, extra?: MessageExtraInfo) => void;\n\n  /**\n   * Creates a new SSE server transport, which will direct the client to POST messages to the relative or absolute URL identified by `_endpoint`.\n   */\n  constructor(private _endpoint: string, private res: ServerResponse, options?: SSEServerTransportOptions) {\n    this._sessionId = options?.sessionId ?? randomUUID();\n    this._options = options || { enableDnsRebindingProtection: false };\n  }\n\n  /**\n   * Validates request headers for DNS rebinding protection.\n   * @returns Error message if validation fails, undefined if validation passes.\n   */\n  private validateRequestHeaders(req: IncomingMessage): string | undefined {\n    // Skip validation if protection is not enabled\n    if (!this._options.enableDnsRebindingProtection) {\n      return undefined;\n    }\n\n    // Validate Host header if allowedHosts is configured\n    if (this._options.allowedHosts && this._options.allowedHosts.length > 0) {\n      const hostHeader = req.headers.host;\n      if (!hostHeader || !this._options.allowedHosts.includes(hostHeader)) {\n        return `Invalid Host header: ${hostHeader}`;\n      }\n    }\n\n    // Validate Origin header if allowedOrigins is configured\n    if (this._options.allowedOrigins && this._options.allowedOrigins.length > 0) {\n      const originHeader = req.headers.origin;\n      if (!originHeader || !this._options.allowedOrigins.includes(originHeader)) {\n        return `Invalid Origin header: ${originHeader}`;\n      }\n    }\n\n    return undefined;\n  }\n\n  /**\n   * Handles the initial SSE connection request.\n   *\n   * This should be called when a GET request is made to establish the SSE stream.\n   */\n  async start(): Promise<void> {\n    if (this._sseResponse) {\n      throw new Error(\n        'SSEServerTransport already started! If using Server class, note that connect() calls start() automatically.',\n      );\n    }\n\n    this.res.writeHead(200, {\n      'Content-Type': 'text/event-stream',\n      'Cache-Control': 'no-cache, no-transform',\n      Connection: 'keep-alive',\n    });\n\n    // Send the endpoint event\n    // Use a dummy base URL because this._endpoint is relative.\n    // This allows using URL/URLSearchParams for robust parameter handling.\n    const dummyBase = 'http://localhost'; // Any valid base works\n    const endpointUrl = new URL(this._endpoint, dummyBase);\n    endpointUrl.searchParams.set('sessionId', this._sessionId);\n\n    // Reconstruct the relative URL string (pathname + search + hash)\n    const relativeUrlWithSession = endpointUrl.pathname + endpointUrl.search + endpointUrl.hash;\n\n    this.res.write(`event: endpoint\\ndata: ${relativeUrlWithSession}\\n\\n`);\n\n    this._sseResponse = this.res;\n    this.res.on('close', () => {\n      this._sseResponse = undefined;\n      this.onclose?.();\n    });\n  }\n\n  /**\n   * Handles incoming POST messages.\n   *\n   * This should be called when a POST request is made to send a message to the server.\n   */\n  async handlePostMessage(\n    req: IncomingMessage & { auth?: AuthInfo },\n    res: ServerResponse,\n    parsedBody?: unknown,\n  ): Promise<void> {\n    if (!this._sseResponse) {\n      const message = 'SSE connection not established';\n      res.writeHead(500).end(message);\n      throw new Error(message);\n    }\n\n    // Validate request headers for DNS rebinding protection\n    const validationError = this.validateRequestHeaders(req);\n    if (validationError) {\n      res.writeHead(403).end(validationError);\n      this.onerror?.(new Error(validationError));\n      return;\n    }\n\n    const authInfo: AuthInfo | undefined = req.auth;\n    const requestInfo: RequestInfo = { headers: req.headers } as any;\n\n    let body: string | unknown;\n    try {\n      const ct = contentType.parse(req.headers['content-type'] ?? '');\n      if (ct.type !== 'application/json') {\n        throw new Error(`Unsupported content-type: ${ct.type}`);\n      }\n\n      body =\n        parsedBody ??\n        (await getRawBody(req, {\n          limit: MAXIMUM_MESSAGE_SIZE,\n          encoding: ct.parameters.charset ?? 'utf-8',\n        }));\n    } catch (error) {\n      res.writeHead(400).end(String(error));\n      this.onerror?.(error as Error);\n      return;\n    }\n\n    try {\n      await this.handleMessage(typeof body === 'string' ? JSON.parse(body) : body, { requestInfo, authInfo } as any);\n    } catch {\n      res.writeHead(400).end(`Invalid message: ${body}`);\n      return;\n    }\n\n    res.writeHead(202).end('Accepted');\n  }\n\n  /**\n   * Handle a client message, regardless of how it arrived. This can be used to inform the server of messages that arrive via a means different than HTTP POST.\n   */\n  async handleMessage(message: unknown, extra?: MessageExtraInfo): Promise<void> {\n    let parsedMessage: JSONRPCMessage;\n    try {\n      parsedMessage = JSONRPCMessageSchema.parse(message);\n    } catch (error) {\n      this.onerror?.(error as Error);\n      throw error;\n    }\n\n    this.onmessage?.(parsedMessage, extra);\n  }\n\n  async close(): Promise<void> {\n    this._sseResponse?.end();\n    this._sseResponse = undefined;\n    this.onclose?.();\n  }\n\n  async send(message: JSONRPCMessage): Promise<void> {\n    if (!this._sseResponse) {\n      throw new Error('Not connected');\n    }\n\n    this._sseResponse.write(`event: message\\ndata: ${JSON.stringify(message)}\\n\\n`);\n  }\n\n  /**\n   * Returns the session ID for this transport.\n   *\n   * This can be used to route incoming POST requests.\n   */\n  get sessionId(): string {\n    return this._sessionId;\n  }\n}\n"]}
+{"version":3,"file":"legacy.sse.tranporter.js","sourceRoot":"","sources":["../../../../src/transport/legacy/legacy.sse.tranporter.ts"],"names":[],"mappings":";;;;AAAA,6CAAyC;AAEzC,gEAAkC;AAClC,wEAAuC;AACvC,6BAA0B;AAE1B,iEAA4G;AAG5G,MAAM,oBAAoB,GAAG,KAAK,CAAC;AA2BnC;;;;GAIG;AACH,MAAa,kBAAkB;IAaT;IAA2B;IAZvC,YAAY,CAAkB;IAC9B,UAAU,CAAS;IACnB,QAAQ,CAA4B;IAC5C,oFAAoF;IAC5E,eAAe,GAAG,CAAC,CAAC;IAC5B,OAAO,CAAc;IACrB,OAAO,CAA0B;IACjC,SAAS,CAA+D;IAExE;;OAEG;IACH,YAAoB,SAAiB,EAAU,GAAmB,EAAE,OAAmC;QAAnF,cAAS,GAAT,SAAS,CAAQ;QAAU,QAAG,GAAH,GAAG,CAAgB;QAChE,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,SAAS,IAAI,IAAA,wBAAU,GAAE,CAAC;QACrD,IAAI,CAAC,QAAQ,GAAG,OAAO,IAAI,EAAE,4BAA4B,EAAE,KAAK,EAAE,CAAC;IACrE,CAAC;IAED;;;OAGG;IACK,sBAAsB,CAAC,GAAoB;QACjD,+CAA+C;QAC/C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,4BAA4B,EAAE,CAAC;YAChD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,qDAAqD;QACrD,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxE,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;YACpC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBACpE,OAAO,wBAAwB,UAAU,EAAE,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,yDAAyD;QACzD,IAAI,IAAI,CAAC,QAAQ,CAAC,cAAc,IAAI,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5E,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;YACxC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC1E,OAAO,0BAA0B,YAAY,EAAE,CAAC;YAClD,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CACb,6GAA6G,CAC9G,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACtB,cAAc,EAAE,mBAAmB;YACnC,eAAe,EAAE,wBAAwB;YACzC,UAAU,EAAE,YAAY;SACzB,CAAC,CAAC;QAEH,0BAA0B;QAC1B,2DAA2D;QAC3D,uEAAuE;QACvE,MAAM,SAAS,GAAG,kBAAkB,CAAC,CAAC,uBAAuB;QAC7D,MAAM,WAAW,GAAG,IAAI,SAAG,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QACvD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAE3D,iEAAiE;QACjE,MAAM,sBAAsB,GAAG,WAAW,CAAC,QAAQ,GAAG,WAAW,CAAC,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC;QAE5F,2EAA2E;QAC3E,MAAM,OAAO,GAAG,EAAE,IAAI,CAAC,eAAe,CAAC;QACvC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,OAAO,4BAA4B,sBAAsB,MAAM,CAAC,CAAC;QAEvF,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC;QAC7B,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACxB,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;YAC9B,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;QACnB,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CACrB,GAA0C,EAC1C,GAAmB,EACnB,UAAoB;QAEpB,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,gCAAgC,CAAC;YACjD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC;QAC3B,CAAC;QAED,wDAAwD;QACxD,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACzD,IAAI,eAAe,EAAE,CAAC;YACpB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YACxC,IAAI,CAAC,OAAO,EAAE,CAAC,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;YAC3C,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAyB,GAAG,CAAC,IAAI,CAAC;QAChD,MAAM,WAAW,GAAgB,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAS,CAAC;QAEjE,IAAI,IAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,sBAAW,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC;YAChE,IAAI,EAAE,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;gBACnC,MAAM,IAAI,KAAK,CAAC,6BAA6B,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;YAC1D,CAAC;YAED,IAAI;gBACF,UAAU;oBACV,CAAC,MAAM,IAAA,kBAAU,EAAC,GAAG,EAAE;wBACrB,KAAK,EAAE,oBAAoB;wBAC3B,QAAQ,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,IAAI,OAAO;qBAC3C,CAAC,CAAC,CAAC;QACR,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACtC,IAAI,CAAC,OAAO,EAAE,CAAC,KAAc,CAAC,CAAC;YAC/B,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAS,CAAC,CAAC;QACjH,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QAED,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,OAAgB,EAAE,KAAwB;QAC5D,IAAI,aAA6B,CAAC;QAClC,IAAI,CAAC;YACH,aAAa,GAAG,+BAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,EAAE,CAAC,KAAc,CAAC,CAAC;YAC/B,MAAM,KAAK,CAAC;QACd,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,YAAY,EAAE,GAAG,EAAE,CAAC;QACzB,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;QAC9B,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAuB;QAChC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;QACnC,CAAC;QAED,2EAA2E;QAC3E,MAAM,OAAO,GAAG,EAAE,IAAI,CAAC,eAAe,CAAC;QACvC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,OAAO,OAAO,2BAA2B,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAClG,CAAC;IAED;;;;OAIG;IACH,IAAI,SAAS;QACX,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED;;;;;OAKG;IACH,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;CACF;AA/LD,gDA+LC","sourcesContent":["import { randomUUID } from 'node:crypto';\nimport { IncomingMessage, ServerResponse } from 'node:http';\nimport getRawBody from 'raw-body';\nimport contentType from 'content-type';\nimport { URL } from 'url';\nimport { Transport } from '@modelcontextprotocol/sdk/shared/transport.js';\nimport { JSONRPCMessage, JSONRPCMessageSchema, MessageExtraInfo } from '@modelcontextprotocol/sdk/types.js';\nimport { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';\n\nconst MAXIMUM_MESSAGE_SIZE = '4mb';\n\n/**\n * Configuration options for SSEServerTransport.\n */\nexport interface SSEServerTransportOptions {\n  /**\n   * List of allowed host header values for DNS rebinding protection.\n   * If not specified, host validation is disabled.\n   */\n  allowedHosts?: string[];\n\n  /**\n   * List of allowed origin header values for DNS rebinding protection.\n   * If not specified, origin validation is disabled.\n   */\n  allowedOrigins?: string[];\n\n  /**\n   * Enable DNS rebinding protection (requires allowedHosts and/or allowedOrigins to be configured).\n   * Default is false for backwards compatibility.\n   */\n  enableDnsRebindingProtection?: boolean;\n\n  sessionId?: string;\n}\n\n/**\n * Server transport for SSE: this will send messages over an SSE connection and receive messages from HTTP POST requests.\n *\n * This transport is only available in Node.js environments.\n */\nexport class SSEServerTransport implements Transport {\n  private _sseResponse?: ServerResponse;\n  private _sessionId: string;\n  private _options: SSEServerTransportOptions;\n  /** Incrementing event ID counter for SSE events (MCP 2025-11-25 spec compliance) */\n  private _eventIdCounter = 0;\n  onclose?: () => void;\n  onerror?: (error: Error) => void;\n  onmessage?: (message: JSONRPCMessage, extra?: MessageExtraInfo) => void;\n\n  /**\n   * Creates a new SSE server transport, which will direct the client to POST messages to the relative or absolute URL identified by `_endpoint`.\n   */\n  constructor(private _endpoint: string, private res: ServerResponse, options?: SSEServerTransportOptions) {\n    this._sessionId = options?.sessionId ?? randomUUID();\n    this._options = options || { enableDnsRebindingProtection: false };\n  }\n\n  /**\n   * Validates request headers for DNS rebinding protection.\n   * @returns Error message if validation fails, undefined if validation passes.\n   */\n  private validateRequestHeaders(req: IncomingMessage): string | undefined {\n    // Skip validation if protection is not enabled\n    if (!this._options.enableDnsRebindingProtection) {\n      return undefined;\n    }\n\n    // Validate Host header if allowedHosts is configured\n    if (this._options.allowedHosts && this._options.allowedHosts.length > 0) {\n      const hostHeader = req.headers.host;\n      if (!hostHeader || !this._options.allowedHosts.includes(hostHeader)) {\n        return `Invalid Host header: ${hostHeader}`;\n      }\n    }\n\n    // Validate Origin header if allowedOrigins is configured\n    if (this._options.allowedOrigins && this._options.allowedOrigins.length > 0) {\n      const originHeader = req.headers.origin;\n      if (!originHeader || !this._options.allowedOrigins.includes(originHeader)) {\n        return `Invalid Origin header: ${originHeader}`;\n      }\n    }\n\n    return undefined;\n  }\n\n  /**\n   * Handles the initial SSE connection request.\n   *\n   * This should be called when a GET request is made to establish the SSE stream.\n   */\n  async start(): Promise<void> {\n    if (this._sseResponse) {\n      throw new Error(\n        'SSEServerTransport already started! If using Server class, note that connect() calls start() automatically.',\n      );\n    }\n\n    this.res.writeHead(200, {\n      'Content-Type': 'text/event-stream',\n      'Cache-Control': 'no-cache, no-transform',\n      Connection: 'keep-alive',\n    });\n\n    // Send the endpoint event\n    // Use a dummy base URL because this._endpoint is relative.\n    // This allows using URL/URLSearchParams for robust parameter handling.\n    const dummyBase = 'http://localhost'; // Any valid base works\n    const endpointUrl = new URL(this._endpoint, dummyBase);\n    endpointUrl.searchParams.set('sessionId', this._sessionId);\n\n    // Reconstruct the relative URL string (pathname + search + hash)\n    const relativeUrlWithSession = endpointUrl.pathname + endpointUrl.search + endpointUrl.hash;\n\n    // Include event ID per MCP 2025-11-25 spec for client reconnection support\n    const eventId = ++this._eventIdCounter;\n    this.res.write(`id: ${eventId}\\nevent: endpoint\\ndata: ${relativeUrlWithSession}\\n\\n`);\n\n    this._sseResponse = this.res;\n    this.res.on('close', () => {\n      this._sseResponse = undefined;\n      this.onclose?.();\n    });\n  }\n\n  /**\n   * Handles incoming POST messages.\n   *\n   * This should be called when a POST request is made to send a message to the server.\n   */\n  async handlePostMessage(\n    req: IncomingMessage & { auth?: AuthInfo },\n    res: ServerResponse,\n    parsedBody?: unknown,\n  ): Promise<void> {\n    if (!this._sseResponse) {\n      const message = 'SSE connection not established';\n      res.writeHead(500).end(message);\n      throw new Error(message);\n    }\n\n    // Validate request headers for DNS rebinding protection\n    const validationError = this.validateRequestHeaders(req);\n    if (validationError) {\n      res.writeHead(403).end(validationError);\n      this.onerror?.(new Error(validationError));\n      return;\n    }\n\n    const authInfo: AuthInfo | undefined = req.auth;\n    const requestInfo: RequestInfo = { headers: req.headers } as any;\n\n    let body: string | unknown;\n    try {\n      const ct = contentType.parse(req.headers['content-type'] ?? '');\n      if (ct.type !== 'application/json') {\n        throw new Error(`Unsupported content-type: ${ct.type}`);\n      }\n\n      body =\n        parsedBody ??\n        (await getRawBody(req, {\n          limit: MAXIMUM_MESSAGE_SIZE,\n          encoding: ct.parameters.charset ?? 'utf-8',\n        }));\n    } catch (error) {\n      res.writeHead(400).end(String(error));\n      this.onerror?.(error as Error);\n      return;\n    }\n\n    try {\n      await this.handleMessage(typeof body === 'string' ? JSON.parse(body) : body, { requestInfo, authInfo } as any);\n    } catch {\n      res.writeHead(400).end(`Invalid message: ${body}`);\n      return;\n    }\n\n    res.writeHead(202).end('Accepted');\n  }\n\n  /**\n   * Handle a client message, regardless of how it arrived. This can be used to inform the server of messages that arrive via a means different than HTTP POST.\n   */\n  async handleMessage(message: unknown, extra?: MessageExtraInfo): Promise<void> {\n    let parsedMessage: JSONRPCMessage;\n    try {\n      parsedMessage = JSONRPCMessageSchema.parse(message);\n    } catch (error) {\n      this.onerror?.(error as Error);\n      throw error;\n    }\n\n    this.onmessage?.(parsedMessage, extra);\n  }\n\n  async close(): Promise<void> {\n    this._sseResponse?.end();\n    this._sseResponse = undefined;\n    this.onclose?.();\n  }\n\n  async send(message: JSONRPCMessage): Promise<void> {\n    if (!this._sseResponse) {\n      throw new Error('Not connected');\n    }\n\n    // Include event ID per MCP 2025-11-25 spec for client reconnection support\n    const eventId = ++this._eventIdCounter;\n    this._sseResponse.write(`id: ${eventId}\\nevent: message\\ndata: ${JSON.stringify(message)}\\n\\n`);\n  }\n\n  /**\n   * Returns the session ID for this transport.\n   *\n   * This can be used to route incoming POST requests.\n   */\n  get sessionId(): string {\n    return this._sessionId;\n  }\n\n  /**\n   * Returns the current event ID counter value.\n   *\n   * This is the ID that was used for the last sent event.\n   * Useful for testing and debugging reconnection scenarios.\n   */\n  get lastEventId(): number {\n    return this._eventIdCounter;\n  }\n}\n"]}

package/src/transport/mcp-handlers/call-tool-request.handler.js

@@ -3,15 +3,41 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.default = callToolRequestHandler;
 const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
 const errors_1 = require("../../errors");
+const common_1 = require("../../common");
 function callToolRequestHandler({ scope, }) {
+    const logger = scope.logger.child('call-tool-request-handler');
     return {
         requestSchema: types_js_1.CallToolRequestSchema,
         handler: async (request, ctx) => {
+            const toolName = request.params?.name || 'unknown';
+            logger.verbose(`tools/call: ${toolName}`);
             try {
                 return await scope.runFlowForOutput('tools:call-tool', { request, ctx });
             }
             catch (e) {
-                scope.logger.error("CallTool Failed", e);
+                // FlowControl is a control flow mechanism, not an error - handle silently
+                if (e instanceof common_1.FlowControl) {
+                    if (e.type === 'respond') {
+                        // Validate output using MCP schema
+                        const parseResult = types_js_1.CallToolResultSchema.safeParse(e.output);
+                        if (parseResult.success) {
+                            return parseResult.data;
+                        }
+                        logger.error('FlowControl.respond has invalid output', {
+                            tool: toolName,
+                            validationErrors: parseResult.error.issues,
+                        });
+                        return (0, errors_1.formatMcpErrorResponse)(new errors_1.InternalMcpError('FlowControl output is not a valid CallToolResult'));
+                    }
+                    // For handled, next, abort, fail - return appropriate response
+                    logger.warn(`FlowControl ended with type: ${e.type}`, { tool: toolName, type: e.type, output: e.output });
+                    return (0, errors_1.formatMcpErrorResponse)(new errors_1.InternalMcpError(`Flow ended with: ${e.type}`));
+                }
+                // Log detailed error info
+                logger.error('CallTool Failed', {
+                    tool: toolName,
+                    error: e instanceof Error ? { name: e.name, message: e.message, stack: e.stack } : e,
+                });
                 return (0, errors_1.formatMcpErrorResponse)(e);
             }
         },

package/src/transport/mcp-handlers/call-tool-request.handler.js.map

@@ -1 +1 @@
-{"version":3,"file":"call-tool-request.handler.js","sourceRoot":"","sources":["../../../../src/transport/mcp-handlers/call-tool-request.handler.ts"],"names":[],"mappings":";;AAIA,yCAcC;AAlBD,iEAA4G;AAE5G,yCAAsD;AAEtD,SAAwB,sBAAsB,CAAC,EAC7C,KAAK,GACa;IAClB,OAAO;QACL,aAAa,EAAE,gCAAqB;QACpC,OAAO,EAAE,KAAK,EAAE,OAAwB,EAAE,GAAG,EAAE,EAAE;YAC/C,IAAI,CAAC;gBACH,OAAO,MAAM,KAAK,CAAC,gBAAgB,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YAC3E,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC;gBACzC,OAAO,IAAA,+BAAsB,EAAC,CAAC,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;KACoD,CAAC;AAC1D,CAAC","sourcesContent":["import { CallToolRequest, CallToolRequestSchema, CallToolResult } from '@modelcontextprotocol/sdk/types.js';\nimport { McpHandler, McpHandlerOptions } from './mcp-handlers.types';\nimport { formatMcpErrorResponse } from '../../errors';\n\nexport default function callToolRequestHandler({\n  scope,\n}: McpHandlerOptions): McpHandler<CallToolRequest, CallToolResult> {\n  return {\n    requestSchema: CallToolRequestSchema,\n    handler: async (request: CallToolRequest, ctx) => {\n      try {\n        return await scope.runFlowForOutput('tools:call-tool', { request, ctx });\n      } catch (e) {\n        scope.logger.error(\"CallTool Failed\", e);\n        return formatMcpErrorResponse(e);\n      }\n    },\n  } satisfies McpHandler<CallToolRequest, CallToolResult>;\n}\n"]}
+{"version":3,"file":"call-tool-request.handler.js","sourceRoot":"","sources":["../../../../src/transport/mcp-handlers/call-tool-request.handler.ts"],"names":[],"mappings":";;AAUA,yCA0CC;AApDD,iEAK4C;AAE5C,yCAAwE;AACxE,yCAA2C;AAE3C,SAAwB,sBAAsB,CAAC,EAC7C,KAAK,GACa;IAClB,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAE/D,OAAO;QACL,aAAa,EAAE,gCAAqB;QACpC,OAAO,EAAE,KAAK,EAAE,OAAwB,EAAE,GAAG,EAAE,EAAE;YAC/C,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,EAAE,IAAI,IAAI,SAAS,CAAC;YACnD,MAAM,CAAC,OAAO,CAAC,eAAe,QAAQ,EAAE,CAAC,CAAC;YAE1C,IAAI,CAAC;gBACH,OAAO,MAAM,KAAK,CAAC,gBAAgB,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YAC3E,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,0EAA0E;gBAC1E,IAAI,CAAC,YAAY,oBAAW,EAAE,CAAC;oBAC7B,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;wBACzB,mCAAmC;wBACnC,MAAM,WAAW,GAAG,+BAAoB,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;wBAC7D,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;4BACxB,OAAO,WAAW,CAAC,IAAI,CAAC;wBAC1B,CAAC;wBACD,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE;4BACrD,IAAI,EAAE,QAAQ;4BACd,gBAAgB,EAAE,WAAW,CAAC,KAAK,CAAC,MAAM;yBAC3C,CAAC,CAAC;wBACH,OAAO,IAAA,+BAAsB,EAAC,IAAI,yBAAgB,CAAC,kDAAkD,CAAC,CAAC,CAAC;oBAC1G,CAAC;oBACD,+DAA+D;oBAC/D,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;oBAC1G,OAAO,IAAA,+BAAsB,EAAC,IAAI,yBAAgB,CAAC,oBAAoB,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBACpF,CAAC;gBAED,0BAA0B;gBAC1B,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE;oBAC9B,IAAI,EAAE,QAAQ;oBACd,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;iBACrF,CAAC,CAAC;gBACH,OAAO,IAAA,+BAAsB,EAAC,CAAC,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;KACoD,CAAC;AAC1D,CAAC","sourcesContent":["import {\n  CallToolRequest,\n  CallToolRequestSchema,\n  CallToolResult,\n  CallToolResultSchema,\n} from '@modelcontextprotocol/sdk/types.js';\nimport { McpHandler, McpHandlerOptions } from './mcp-handlers.types';\nimport { formatMcpErrorResponse, InternalMcpError } from '../../errors';\nimport { FlowControl } from '../../common';\n\nexport default function callToolRequestHandler({\n  scope,\n}: McpHandlerOptions): McpHandler<CallToolRequest, CallToolResult> {\n  const logger = scope.logger.child('call-tool-request-handler');\n\n  return {\n    requestSchema: CallToolRequestSchema,\n    handler: async (request: CallToolRequest, ctx) => {\n      const toolName = request.params?.name || 'unknown';\n      logger.verbose(`tools/call: ${toolName}`);\n\n      try {\n        return await scope.runFlowForOutput('tools:call-tool', { request, ctx });\n      } catch (e) {\n        // FlowControl is a control flow mechanism, not an error - handle silently\n        if (e instanceof FlowControl) {\n          if (e.type === 'respond') {\n            // Validate output using MCP schema\n            const parseResult = CallToolResultSchema.safeParse(e.output);\n            if (parseResult.success) {\n              return parseResult.data;\n            }\n            logger.error('FlowControl.respond has invalid output', {\n              tool: toolName,\n              validationErrors: parseResult.error.issues,\n            });\n            return formatMcpErrorResponse(new InternalMcpError('FlowControl output is not a valid CallToolResult'));\n          }\n          // For handled, next, abort, fail - return appropriate response\n          logger.warn(`FlowControl ended with type: ${e.type}`, { tool: toolName, type: e.type, output: e.output });\n          return formatMcpErrorResponse(new InternalMcpError(`Flow ended with: ${e.type}`));\n        }\n\n        // Log detailed error info\n        logger.error('CallTool Failed', {\n          tool: toolName,\n          error: e instanceof Error ? { name: e.name, message: e.message, stack: e.stack } : e,\n        });\n        return formatMcpErrorResponse(e);\n      }\n    },\n  } satisfies McpHandler<CallToolRequest, CallToolResult>;\n}\n"]}

package/src/transport/mcp-handlers/complete-request.handler.d.ts

@@ -0,0 +1,69 @@
+import { CompleteRequest } from '@modelcontextprotocol/sdk/types.js';
+import { McpHandlerOptions } from './mcp-handlers.types';
+export default function CompleteRequestHandler({ scope }: McpHandlerOptions): {
+    requestSchema: import("zod").ZodObject<{
+        method: import("zod").ZodLiteral<"completion/complete">;
+        params: import("zod").ZodObject<{
+            _meta: import("zod").ZodOptional<import("zod").ZodObject<{
+                progressToken: import("zod").ZodOptional<import("zod").ZodUnion<readonly [import("zod").ZodString, import("zod").ZodNumber]>>;
+            }, import("zod/v4/core").$loose>>;
+            ref: import("zod").ZodUnion<readonly [import("zod").ZodObject<{
+                type: import("zod").ZodLiteral<"ref/prompt">;
+                name: import("zod").ZodString;
+            }, import("zod/v4/core").$strip>, import("zod").ZodObject<{
+                type: import("zod").ZodLiteral<"ref/resource">;
+                uri: import("zod").ZodString;
+            }, import("zod/v4/core").$strip>]>;
+            argument: import("zod").ZodObject<{
+                name: import("zod").ZodString;
+                value: import("zod").ZodString;
+            }, import("zod/v4/core").$strip>;
+            context: import("zod").ZodOptional<import("zod").ZodObject<{
+                arguments: import("zod").ZodOptional<import("zod").ZodRecord<import("zod").ZodString, import("zod").ZodString>>;
+            }, import("zod/v4/core").$strip>>;
+        }, import("zod/v4/core").$loose>;
+    }, import("zod/v4/core").$strip>;
+    handler: (request: CompleteRequest, ctx: import("./mcp-handlers.types").McpRequestHandler<{
+        method: "completion/complete";
+        params: {
+            [x: string]: unknown;
+            ref: {
+                type: "ref/prompt";
+                name: string;
+            } | {
+                type: "ref/resource";
+                uri: string;
+            };
+            argument: {
+                name: string;
+                value: string;
+            };
+            _meta?: {
+                [x: string]: unknown;
+                progressToken?: string | number | undefined;
+            } | undefined;
+            context?: {
+                arguments?: {
+                    [x: string]: string;
+                } | undefined;
+            } | undefined;
+        };
+    }, {
+        method: string;
+        params?: {
+            [x: string]: unknown;
+            _meta?: {
+                [x: string]: unknown;
+            } | undefined;
+        } | undefined;
+    }>) => Promise<{
+        [x: string]: unknown;
+        completion: {
+            [x: string]: unknown;
+            values: string[];
+            total?: number | undefined;
+            hasMore?: boolean | undefined;
+        };
+        _meta?: Record<string, unknown> | undefined;
+    }>;
+};

package/src/transport/mcp-handlers/complete-request.handler.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.default = CompleteRequestHandler;
+const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
+function CompleteRequestHandler({ scope }) {
+    return {
+        requestSchema: types_js_1.CompleteRequestSchema,
+        handler: (request, ctx) => scope.runFlowForOutput('completion:complete', { request, ctx }),
+    };
+}
+//# sourceMappingURL=complete-request.handler.js.map

package/src/transport/mcp-handlers/complete-request.handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"complete-request.handler.js","sourceRoot":"","sources":["../../../../src/transport/mcp-handlers/complete-request.handler.ts"],"names":[],"mappings":";;AAGA,yCAKC;AARD,iEAA4G;AAG5G,SAAwB,sBAAsB,CAAC,EAAE,KAAK,EAAqB;IACzE,OAAO;QACL,aAAa,EAAE,gCAAqB;QACpC,OAAO,EAAE,CAAC,OAAwB,EAAE,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,gBAAgB,CAAC,qBAAqB,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;KACtD,CAAC;AAC1D,CAAC","sourcesContent":["import { CompleteRequestSchema, CompleteRequest, CompleteResult } from '@modelcontextprotocol/sdk/types.js';\nimport { McpHandler, McpHandlerOptions } from './mcp-handlers.types';\n\nexport default function CompleteRequestHandler({ scope }: McpHandlerOptions) {\n  return {\n    requestSchema: CompleteRequestSchema,\n    handler: (request: CompleteRequest, ctx) => scope.runFlowForOutput('completion:complete', { request, ctx }),\n  } satisfies McpHandler<CompleteRequest, CompleteResult>;\n}\n"]}