@frontmcp/sdk 0.5.1 → 0.6.0

package/src/transport/flows/handle.sse.flow.js

@@ -47,7 +47,14 @@ let HandleSseFlow = class HandleSseFlow extends common_1.FlowBase {
         //             This is the ID the client received from initialize and is referencing.
         // Priority 2: Use session from authorization if header matches or is absent
         // Priority 3: Create new session (first request - no header, no authorization.session)
-        const mcpSessionHeader = request.headers?.['mcp-session-id'];
+        const raw = request.headers?.['mcp-session-id'];
+        const rawMcpSessionHeader = typeof raw === 'string' ? raw : undefined;
+        const mcpSessionHeader = (0, common_1.validateMcpSessionHeader)(rawMcpSessionHeader);
+        // If client sent a header but validation failed, return 404
+        if (raw !== undefined && !mcpSessionHeader) {
+            this.respond(common_1.httpRespond.sessionNotFound('invalid session id'));
+            return;
+        }
         let session;
         if (mcpSessionHeader) {
             // Client sent session ID - ALWAYS use it for transport lookup
@@ -68,7 +75,7 @@ let HandleSseFlow = class HandleSseFlow extends common_1.FlowBase {
             // No session - create new one (initialize request)
             session = (0, session_id_utils_1.createSessionId)('legacy-sse', token, {
                 userAgent: request.headers?.['user-agent'],
-                platformDetectionConfig: this.scope.metadata?.session?.platformDetection,
+                platformDetectionConfig: this.scope.metadata.transport?.platformDetection,
             });
         }
         this.state.set(exports.stateSchema.parse({ token, session }));

package/src/transport/flows/handle.sse.flow.js.map

@@ -1 +1 @@
-{"version":3,"file":"handle.sse.flow.js","sourceRoot":"","sources":["../../../../src/transport/flows/handle.sse.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAcsB;AACtB,6BAAwB;AAExB,gFAA4E;AAE/D,QAAA,IAAI,GAAG;IAClB,GAAG,EAAE,CAAC,YAAY,EAAE,QAAQ,CAAC;IAC7B,OAAO,EAAE,CAAC,cAAc,EAAE,WAAW,EAAE,gBAAgB,CAAC;IACxD,IAAI,EAAE,EAAE;IACR,QAAQ,EAAE,CAAC,SAAS,CAAC;CACc,CAAC;AAEtC,mGAAmG;AACnG,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,OAAO,EAAE,OAAC;SACP,MAAM,CAAC;QACN,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;QAClB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;QACnB,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QACvB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACxG,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAChC,YAAY,EAAE,OAAC;aACZ,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;aACxG,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEU,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,OAAO,EAAE,kBAAkB;IAC3B,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC,QAAQ,EAAE;CAC1E,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG,mBAA4B,CAAC;AAC1C,MAAM,EAAE,KAAK,EAAE,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAqBrB,IAAM,aAAa,GAAnB,MAAM,aAAc,SAAQ,iBAAqB;IAExD,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,MAAM,aAAa,GAAG,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAkB,CAAC;QACzE,MAAM,EAAE,KAAK,EAAE,GAAG,aAAa,CAAC;QAEhC,kFAAkF;QAClF,2DAA2D;QAC3D,EAAE;QACF,oFAAoF;QACpF,qFAAqF;QACrF,4EAA4E;QAC5E,uFAAuF;QACvF,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAuB,CAAC;QAEnF,IAAI,OAAoF,CAAC;QAEzF,IAAI,gBAAgB,EAAE,CAAC;YACrB,8DAA8D;YAC9D,sFAAsF;YACtF,iGAAiG;YACjG,IAAI,aAAa,CAAC,OAAO,EAAE,EAAE,KAAK,gBAAgB,EAAE,CAAC;gBACnD,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;YAClC,CAAC;iBAAM,CAAC;gBACN,OAAO,GAAG,EAAE,EAAE,EAAE,gBAAgB,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;YACjC,qFAAqF;YACrF,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,mDAAmD;YACnD,OAAO,GAAG,IAAA,kCAAe,EAAC,YAAY,EAAE,KAAK,EAAE;gBAC7C,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAuB;gBAChE,uBAAuB,EAAG,IAAI,CAAC,KAAe,CAAC,QAAQ,EAAE,OAAO,EAAE,iBAAiB;aACpF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAW,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;IAGK,AAAN,KAAK,CAAC,MAAM;QACV,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAc,CAAC;QAClC,MAAM,WAAW,GAAG,IAAA,6BAAoB,EAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,IAAA,6BAAoB,EAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,IAAA,2BAAkB,EAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG,GAAG,MAAM,GAAG,SAAS,EAAE,CAAC;QAEzC,IAAI,WAAW,KAAK,GAAG,QAAQ,MAAM,EAAE,CAAC;YACtC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,WAAW,KAAK,GAAG,QAAQ,UAAU,EAAE,CAAC;YACjD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,YAAY;QAChB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAEhE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC/F,MAAM,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAKK,AAAN,KAAK,CAAC,cAAc;QAClB,qFAAqF;QACrF,oBAAoB;QACpB,mEAAmE;QACnE,YAAY;QACZ,IAAI;QACJ,oDAAoD;QACpD,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC1C,CAAC;IAKK,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAErE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAClF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,yFAAyF;YACzF,MAAM,UAAU,GAAG,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YAChF,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;YAEjE,IAAI,UAAU,EAAE,CAAC;gBACf,sFAAsF;gBACtF,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE;oBAC3D,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;iBACxB,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAC9D,CAAC;iBAAM,CAAC;gBACN,6FAA6F;gBAC7F,MAAM,CAAC,IAAI,CAAC,yEAAyE,EAAE;oBACrF,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBACvB,SAAS,EAAG,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAwB,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACjF,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,eAAe,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACvE,CAAC;YACD,OAAO;QACT,CAAC;QACD,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF,CAAA;AA1HO;IADL,KAAK,CAAC,YAAY,CAAC;;;;+CAuCnB;AAGK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;2CAcf;AAKK;IAHL,KAAK,CAAC,cAAc,EAAE;QACrB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,YAAY;KACrE,CAAC;;;;iDASD;AAKK;IAHL,KAAK,CAAC,gBAAgB,EAAE;QACvB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,cAAc;KACvE,CAAC;;;;mDASD;AAKK;IAHL,KAAK,CAAC,WAAW,EAAE;QAClB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,SAAS;KAClE,CAAC;;;;8CAqCD;AA3HkB,aAAa;IAPjC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,MAAM,EAAE,YAAY;QACpB,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;QAC9B,IAAI,EAAJ,YAAI;KACL,CAAC;GACmB,aAAa,CA4HjC;kBA5HoB,aAAa","sourcesContent":["import {\n  Flow,\n  httpInputSchema,\n  FlowRunOptions,\n  httpOutputSchema,\n  FlowPlan,\n  FlowBase,\n  FlowHooksOf,\n  sessionIdSchema,\n  httpRespond,\n  ServerRequestTokens,\n  Authorization,\n  normalizeEntryPrefix,\n  normalizeScopeBase,\n} from '../../common';\nimport { z } from 'zod';\nimport { Scope } from '../../scope';\nimport { createSessionId } from '../../auth/session/utils/session-id.utils';\n\nexport const plan = {\n  pre: ['parseInput', 'router'],\n  execute: ['onInitialize', 'onMessage', 'onElicitResult'],\n  post: [],\n  finalize: ['cleanup'],\n} as const satisfies FlowPlan<string>;\n\n// Relaxed session schema for state - payload is optional when using mcp-session-id header directly\nconst stateSessionSchema = z.object({\n  id: z.string(),\n  payload: z\n    .object({\n      nodeId: z.string(),\n      authSig: z.string(),\n      uuid: z.string().uuid(),\n      iat: z.number(),\n      protocol: z.enum(['legacy-sse', 'sse', 'streamable-http', 'stateful-http', 'stateless-http']).optional(),\n      isPublic: z.boolean().optional(),\n      platformType: z\n        .enum(['openai', 'claude', 'gemini', 'cursor', 'continue', 'cody', 'generic-mcp', 'ext-apps', 'unknown'])\n        .optional(),\n    })\n    .optional(),\n});\n\nexport const stateSchema = z.object({\n  token: z.string(),\n  session: stateSessionSchema,\n  requestType: z.enum(['initialize', 'message', 'elicitResult']).optional(),\n});\n\nconst name = 'handle:legacy-sse' as const;\nconst { Stage } = FlowHooksOf(name);\n\ndeclare global {\n  interface ExtendFlows {\n    'handle:legacy-sse': FlowRunOptions<\n      HandleSseFlow,\n      typeof plan,\n      typeof httpInputSchema,\n      typeof httpOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\n@Flow({\n  name,\n  access: 'authorized',\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n  plan,\n})\nexport default class HandleSseFlow extends FlowBase<typeof name> {\n  @Stage('parseInput')\n  async parseInput() {\n    const { request } = this.rawInput;\n\n    const authorization = request[ServerRequestTokens.auth] as Authorization;\n    const { token } = authorization;\n\n    // CRITICAL: The mcp-session-id header is the client's reference to their session.\n    // We MUST use this exact ID for transport registry lookup.\n    //\n    // Priority 1: Use mcp-session-id header if present (client's session ID for lookup)\n    //             This is the ID the client received from initialize and is referencing.\n    // Priority 2: Use session from authorization if header matches or is absent\n    // Priority 3: Create new session (first request - no header, no authorization.session)\n    const mcpSessionHeader = request.headers?.['mcp-session-id'] as string | undefined;\n\n    let session: { id: string; payload?: z.infer<typeof stateSchema>['session']['payload'] };\n\n    if (mcpSessionHeader) {\n      // Client sent session ID - ALWAYS use it for transport lookup\n      // If authorization.session exists and matches, use its payload for protocol detection\n      // If authorization.session differs or is missing, still use header ID (payload may be undefined)\n      if (authorization.session?.id === mcpSessionHeader) {\n        session = authorization.session;\n      } else {\n        session = { id: mcpSessionHeader };\n      }\n    } else if (authorization.session) {\n      // No header but authorization has session - use it (shouldn't happen in normal flow)\n      session = authorization.session;\n    } else {\n      // No session - create new one (initialize request)\n      session = createSessionId('legacy-sse', token, {\n        userAgent: request.headers?.['user-agent'] as string | undefined,\n        platformDetectionConfig: (this.scope as Scope).metadata?.session?.platformDetection,\n      });\n    }\n\n    this.state.set(stateSchema.parse({ token, session }));\n  }\n\n  @Stage('router')\n  async router() {\n    const { request } = this.rawInput;\n    const scope = this.scope as Scope;\n    const requestPath = normalizeEntryPrefix(request.path);\n    const prefix = normalizeEntryPrefix(scope.entryPath);\n    const scopePath = normalizeScopeBase(scope.routeBase);\n    const basePath = `${prefix}${scopePath}`;\n\n    if (requestPath === `${basePath}/sse`) {\n      this.state.set('requestType', 'initialize');\n    } else if (requestPath === `${basePath}/message`) {\n      this.state.set('requestType', 'message');\n    }\n  }\n\n  @Stage('onInitialize', {\n    filter: ({ state: { requestType } }) => requestType === 'initialize',\n  })\n  async onInitialize() {\n    const transportService = (this.scope as Scope).transportService;\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n    const transport = await transportService.createTransporter('sse', token, session.id, response);\n    await transport.initialize(request, response);\n    this.handled();\n  }\n\n  @Stage('onElicitResult', {\n    filter: ({ state: { requestType } }) => requestType === 'elicitResult',\n  })\n  async onElicitResult() {\n    // const transport = await transportService.getTransporter('sse', token, session.id);\n    // if (!transport) {\n    //   this.respond(httpRespond.rpcError('session not initialized'));\n    //   return;\n    // }\n    // await transport.handleRequest(request, response);\n    this.fail(new Error('Not implemented'));\n  }\n\n  @Stage('onMessage', {\n    filter: ({ state: { requestType } }) => requestType === 'message',\n  })\n  async onMessage() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = this.scopeLogger.child('handle:legacy-sse:onMessage');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n    const transport = await transportService.getTransporter('sse', token, session.id);\n    if (!transport) {\n      // Check if session was ever created to differentiate error types per MCP Spec 2025-11-25\n      const wasCreated = transportService.wasSessionCreated('sse', token, session.id);\n      const body = request.body as Record<string, unknown> | undefined;\n\n      if (wasCreated) {\n        // Session existed but was terminated/evicted → HTTP 404 (client should re-initialize)\n        logger.info('Session expired - client should re-initialize', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n        });\n        this.respond(httpRespond.sessionExpired('session expired'));\n      } else {\n        // Session was never created → HTTP 404 (per user requirement: invalid/missing session = 404)\n        logger.warn('Session not initialized - client attempted request without initializing', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n          userAgent: (request.headers?.['user-agent'] as string | undefined)?.slice(0, 50),\n        });\n        this.respond(httpRespond.sessionNotFound('session not initialized'));\n      }\n      return;\n    }\n    await transport.handleRequest(request, response);\n    this.handled();\n  }\n}\n"]}
+{"version":3,"file":"handle.sse.flow.js","sourceRoot":"","sources":["../../../../src/transport/flows/handle.sse.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAesB;AACtB,6BAAwB;AAExB,gFAA4E;AAE/D,QAAA,IAAI,GAAG;IAClB,GAAG,EAAE,CAAC,YAAY,EAAE,QAAQ,CAAC;IAC7B,OAAO,EAAE,CAAC,cAAc,EAAE,WAAW,EAAE,gBAAgB,CAAC;IACxD,IAAI,EAAE,EAAE;IACR,QAAQ,EAAE,CAAC,SAAS,CAAC;CACc,CAAC;AAEtC,mGAAmG;AACnG,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,OAAO,EAAE,OAAC;SACP,MAAM,CAAC;QACN,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;QAClB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;QACnB,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QACvB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACxG,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAChC,YAAY,EAAE,OAAC;aACZ,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;aACxG,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEU,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,OAAO,EAAE,kBAAkB;IAC3B,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC,QAAQ,EAAE;CAC1E,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG,mBAA4B,CAAC;AAC1C,MAAM,EAAE,KAAK,EAAE,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAqBrB,IAAM,aAAa,GAAnB,MAAM,aAAc,SAAQ,iBAAqB;IAExD,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,MAAM,aAAa,GAAG,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAkB,CAAC;QACzE,MAAM,EAAE,KAAK,EAAE,GAAG,aAAa,CAAC;QAEhC,kFAAkF;QAClF,2DAA2D;QAC3D,EAAE;QACF,oFAAoF;QACpF,qFAAqF;QACrF,4EAA4E;QAC5E,uFAAuF;QACvF,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAC,CAAC;QAChD,MAAM,mBAAmB,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;QACtE,MAAM,gBAAgB,GAAG,IAAA,iCAAwB,EAAC,mBAAmB,CAAC,CAAC;QAEvE,4DAA4D;QAC5D,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3C,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,eAAe,CAAC,oBAAoB,CAAC,CAAC,CAAC;YAChE,OAAO;QACT,CAAC;QAED,IAAI,OAAoF,CAAC;QAEzF,IAAI,gBAAgB,EAAE,CAAC;YACrB,8DAA8D;YAC9D,sFAAsF;YACtF,iGAAiG;YACjG,IAAI,aAAa,CAAC,OAAO,EAAE,EAAE,KAAK,gBAAgB,EAAE,CAAC;gBACnD,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;YAClC,CAAC;iBAAM,CAAC;gBACN,OAAO,GAAG,EAAE,EAAE,EAAE,gBAAgB,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;YACjC,qFAAqF;YACrF,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,mDAAmD;YACnD,OAAO,GAAG,IAAA,kCAAe,EAAC,YAAY,EAAE,KAAK,EAAE;gBAC7C,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAuB;gBAChE,uBAAuB,EAAG,IAAI,CAAC,KAAe,CAAC,QAAQ,CAAC,SAAS,EAAE,iBAAiB;aACrF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAW,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;IAGK,AAAN,KAAK,CAAC,MAAM;QACV,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAc,CAAC;QAClC,MAAM,WAAW,GAAG,IAAA,6BAAoB,EAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,IAAA,6BAAoB,EAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,IAAA,2BAAkB,EAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG,GAAG,MAAM,GAAG,SAAS,EAAE,CAAC;QAEzC,IAAI,WAAW,KAAK,GAAG,QAAQ,MAAM,EAAE,CAAC;YACtC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,WAAW,KAAK,GAAG,QAAQ,UAAU,EAAE,CAAC;YACjD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,YAAY;QAChB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAEhE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC/F,MAAM,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAKK,AAAN,KAAK,CAAC,cAAc;QAClB,qFAAqF;QACrF,oBAAoB;QACpB,mEAAmE;QACnE,YAAY;QACZ,IAAI;QACJ,oDAAoD;QACpD,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC1C,CAAC;IAKK,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAErE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAClF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,yFAAyF;YACzF,MAAM,UAAU,GAAG,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YAChF,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;YAEjE,IAAI,UAAU,EAAE,CAAC;gBACf,sFAAsF;gBACtF,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE;oBAC3D,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;iBACxB,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAC9D,CAAC;iBAAM,CAAC;gBACN,6FAA6F;gBAC7F,MAAM,CAAC,IAAI,CAAC,yEAAyE,EAAE;oBACrF,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBACvB,SAAS,EAAG,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAwB,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACjF,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,eAAe,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACvE,CAAC;YACD,OAAO;QACT,CAAC;QACD,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF,CAAA;AAlIO;IADL,KAAK,CAAC,YAAY,CAAC;;;;+CA+CnB;AAGK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;2CAcf;AAKK;IAHL,KAAK,CAAC,cAAc,EAAE;QACrB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,YAAY;KACrE,CAAC;;;;iDASD;AAKK;IAHL,KAAK,CAAC,gBAAgB,EAAE;QACvB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,cAAc;KACvE,CAAC;;;;mDASD;AAKK;IAHL,KAAK,CAAC,WAAW,EAAE;QAClB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,SAAS;KAClE,CAAC;;;;8CAqCD;AAnIkB,aAAa;IAPjC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,MAAM,EAAE,YAAY;QACpB,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;QAC9B,IAAI,EAAJ,YAAI;KACL,CAAC;GACmB,aAAa,CAoIjC;kBApIoB,aAAa","sourcesContent":["import {\n  Flow,\n  httpInputSchema,\n  FlowRunOptions,\n  httpOutputSchema,\n  FlowPlan,\n  FlowBase,\n  FlowHooksOf,\n  sessionIdSchema,\n  httpRespond,\n  ServerRequestTokens,\n  Authorization,\n  normalizeEntryPrefix,\n  normalizeScopeBase,\n  validateMcpSessionHeader,\n} from '../../common';\nimport { z } from 'zod';\nimport { Scope } from '../../scope';\nimport { createSessionId } from '../../auth/session/utils/session-id.utils';\n\nexport const plan = {\n  pre: ['parseInput', 'router'],\n  execute: ['onInitialize', 'onMessage', 'onElicitResult'],\n  post: [],\n  finalize: ['cleanup'],\n} as const satisfies FlowPlan<string>;\n\n// Relaxed session schema for state - payload is optional when using mcp-session-id header directly\nconst stateSessionSchema = z.object({\n  id: z.string(),\n  payload: z\n    .object({\n      nodeId: z.string(),\n      authSig: z.string(),\n      uuid: z.string().uuid(),\n      iat: z.number(),\n      protocol: z.enum(['legacy-sse', 'sse', 'streamable-http', 'stateful-http', 'stateless-http']).optional(),\n      isPublic: z.boolean().optional(),\n      platformType: z\n        .enum(['openai', 'claude', 'gemini', 'cursor', 'continue', 'cody', 'generic-mcp', 'ext-apps', 'unknown'])\n        .optional(),\n    })\n    .optional(),\n});\n\nexport const stateSchema = z.object({\n  token: z.string(),\n  session: stateSessionSchema,\n  requestType: z.enum(['initialize', 'message', 'elicitResult']).optional(),\n});\n\nconst name = 'handle:legacy-sse' as const;\nconst { Stage } = FlowHooksOf(name);\n\ndeclare global {\n  interface ExtendFlows {\n    'handle:legacy-sse': FlowRunOptions<\n      HandleSseFlow,\n      typeof plan,\n      typeof httpInputSchema,\n      typeof httpOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\n@Flow({\n  name,\n  access: 'authorized',\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n  plan,\n})\nexport default class HandleSseFlow extends FlowBase<typeof name> {\n  @Stage('parseInput')\n  async parseInput() {\n    const { request } = this.rawInput;\n\n    const authorization = request[ServerRequestTokens.auth] as Authorization;\n    const { token } = authorization;\n\n    // CRITICAL: The mcp-session-id header is the client's reference to their session.\n    // We MUST use this exact ID for transport registry lookup.\n    //\n    // Priority 1: Use mcp-session-id header if present (client's session ID for lookup)\n    //             This is the ID the client received from initialize and is referencing.\n    // Priority 2: Use session from authorization if header matches or is absent\n    // Priority 3: Create new session (first request - no header, no authorization.session)\n    const raw = request.headers?.['mcp-session-id'];\n    const rawMcpSessionHeader = typeof raw === 'string' ? raw : undefined;\n    const mcpSessionHeader = validateMcpSessionHeader(rawMcpSessionHeader);\n\n    // If client sent a header but validation failed, return 404\n    if (raw !== undefined && !mcpSessionHeader) {\n      this.respond(httpRespond.sessionNotFound('invalid session id'));\n      return;\n    }\n\n    let session: { id: string; payload?: z.infer<typeof stateSchema>['session']['payload'] };\n\n    if (mcpSessionHeader) {\n      // Client sent session ID - ALWAYS use it for transport lookup\n      // If authorization.session exists and matches, use its payload for protocol detection\n      // If authorization.session differs or is missing, still use header ID (payload may be undefined)\n      if (authorization.session?.id === mcpSessionHeader) {\n        session = authorization.session;\n      } else {\n        session = { id: mcpSessionHeader };\n      }\n    } else if (authorization.session) {\n      // No header but authorization has session - use it (shouldn't happen in normal flow)\n      session = authorization.session;\n    } else {\n      // No session - create new one (initialize request)\n      session = createSessionId('legacy-sse', token, {\n        userAgent: request.headers?.['user-agent'] as string | undefined,\n        platformDetectionConfig: (this.scope as Scope).metadata.transport?.platformDetection,\n      });\n    }\n\n    this.state.set(stateSchema.parse({ token, session }));\n  }\n\n  @Stage('router')\n  async router() {\n    const { request } = this.rawInput;\n    const scope = this.scope as Scope;\n    const requestPath = normalizeEntryPrefix(request.path);\n    const prefix = normalizeEntryPrefix(scope.entryPath);\n    const scopePath = normalizeScopeBase(scope.routeBase);\n    const basePath = `${prefix}${scopePath}`;\n\n    if (requestPath === `${basePath}/sse`) {\n      this.state.set('requestType', 'initialize');\n    } else if (requestPath === `${basePath}/message`) {\n      this.state.set('requestType', 'message');\n    }\n  }\n\n  @Stage('onInitialize', {\n    filter: ({ state: { requestType } }) => requestType === 'initialize',\n  })\n  async onInitialize() {\n    const transportService = (this.scope as Scope).transportService;\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n    const transport = await transportService.createTransporter('sse', token, session.id, response);\n    await transport.initialize(request, response);\n    this.handled();\n  }\n\n  @Stage('onElicitResult', {\n    filter: ({ state: { requestType } }) => requestType === 'elicitResult',\n  })\n  async onElicitResult() {\n    // const transport = await transportService.getTransporter('sse', token, session.id);\n    // if (!transport) {\n    //   this.respond(httpRespond.rpcError('session not initialized'));\n    //   return;\n    // }\n    // await transport.handleRequest(request, response);\n    this.fail(new Error('Not implemented'));\n  }\n\n  @Stage('onMessage', {\n    filter: ({ state: { requestType } }) => requestType === 'message',\n  })\n  async onMessage() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = this.scopeLogger.child('handle:legacy-sse:onMessage');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n    const transport = await transportService.getTransporter('sse', token, session.id);\n    if (!transport) {\n      // Check if session was ever created to differentiate error types per MCP Spec 2025-11-25\n      const wasCreated = transportService.wasSessionCreated('sse', token, session.id);\n      const body = request.body as Record<string, unknown> | undefined;\n\n      if (wasCreated) {\n        // Session existed but was terminated/evicted → HTTP 404 (client should re-initialize)\n        logger.info('Session expired - client should re-initialize', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n        });\n        this.respond(httpRespond.sessionExpired('session expired'));\n      } else {\n        // Session was never created → HTTP 404 (per user requirement: invalid/missing session = 404)\n        logger.warn('Session not initialized - client attempted request without initializing', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n          userAgent: (request.headers?.['user-agent'] as string | undefined)?.slice(0, 50),\n        });\n        this.respond(httpRespond.sessionNotFound('session not initialized'));\n      }\n      return;\n    }\n    await transport.handleRequest(request, response);\n    this.handled();\n  }\n}\n"]}

package/src/transport/flows/handle.streamable-http.flow.js

@@ -40,7 +40,15 @@ let HandleStreamableHttpFlow = class HandleStreamableHttpFlow extends common_1.F
     name = name;
     async parseInput() {
         const { request } = this.rawInput;
+        console.log('[DEBUG] parseInput: starting');
         const authorization = request[common_1.ServerRequestTokens.auth];
+        console.log('[DEBUG] parseInput: authorization =', authorization
+            ? {
+                hasToken: !!authorization.token,
+                hasSession: !!authorization.session,
+                sessionId: authorization.session?.id?.slice(0, 30),
+            }
+            : 'undefined');
         const { token } = authorization;
         // CRITICAL: The mcp-session-id header is the client's reference to their session.
         // We MUST use this exact ID for transport registry lookup.
@@ -49,7 +57,14 @@ let HandleStreamableHttpFlow = class HandleStreamableHttpFlow extends common_1.F
         //             This is the ID the client received from initialize and is referencing.
         // Priority 2: Use session from authorization if header matches or is absent
         // Priority 3: Create new session (first request - no header, no authorization.session)
-        const mcpSessionHeader = request.headers?.['mcp-session-id'];
+        const raw = request.headers?.['mcp-session-id'];
+        const rawMcpSessionHeader = typeof raw === 'string' ? raw : undefined;
+        const mcpSessionHeader = (0, common_1.validateMcpSessionHeader)(rawMcpSessionHeader);
+        // If client sent a header but validation failed, return 404
+        if (raw !== undefined && !mcpSessionHeader) {
+            this.respond(common_1.httpRespond.sessionNotFound('invalid session id'));
+            return;
+        }
         let session;
         if (mcpSessionHeader) {
             // Client sent session ID - ALWAYS use it for transport lookup
@@ -70,7 +85,7 @@ let HandleStreamableHttpFlow = class HandleStreamableHttpFlow extends common_1.F
             // No session - create new one (initialize request)
             session = (0, session_id_utils_1.createSessionId)('streamable-http', token, {
                 userAgent: request.headers?.['user-agent'],
-                platformDetectionConfig: this.scope.metadata?.session?.platformDetection,
+                platformDetectionConfig: this.scope.metadata.transport?.platformDetection,
             });
         }
         this.state.set(exports.stateSchema.parse({ token, session }));
@@ -138,10 +153,31 @@ let HandleStreamableHttpFlow = class HandleStreamableHttpFlow extends common_1.F
         const logger = this.scopeLogger.child('handle:streamable-http:onMessage');
         const { request, response } = this.rawInput;
         const { token, session } = this.state.required;
-        const transport = await transportService.getTransporter('streamable-http', token, session.id);
+        // 1. Try to get existing transport from memory
+        let transport = await transportService.getTransporter('streamable-http', token, session.id);
+        // 2. If not in memory, check if session exists in Redis and recreate
+        if (!transport) {
+            try {
+                const storedSession = await transportService.getStoredSession('streamable-http', token, session.id);
+                if (storedSession) {
+                    logger.info('Recreating transport from Redis session', {
+                        sessionId: session.id?.slice(0, 20),
+                        createdAt: storedSession.createdAt,
+                    });
+                    transport = await transportService.recreateTransporter('streamable-http', token, session.id, storedSession, response);
+                }
+            }
+            catch (error) {
+                // Log and fall through to 404 logic - transport remains undefined
+                logger.warn('Failed to recreate transport from stored session', {
+                    sessionId: session.id?.slice(0, 20),
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
         if (!transport) {
             // Check if session was ever created to differentiate error types per MCP Spec 2025-11-25
-            const wasCreated = transportService.wasSessionCreated('streamable-http', token, session.id);
+            const wasCreated = await transportService.wasSessionCreatedAsync('streamable-http', token, session.id);
             const body = request.body;
             if (wasCreated) {
                 // Session existed but was terminated/evicted → HTTP 404 (client should re-initialize)
@@ -188,10 +224,31 @@ let HandleStreamableHttpFlow = class HandleStreamableHttpFlow extends common_1.F
     }
     async onSseListener() {
         const transportService = this.scope.transportService;
+        const logger = this.scopeLogger.child('handle:streamable-http:onSseListener');
         const { request, response } = this.rawInput;
         const { token, session } = this.state.required;
-        // Get existing transport for this session - SSE listener requires existing session
-        const transport = await transportService.getTransporter('streamable-http', token, session.id);
+        // 1. Try to get existing transport from memory
+        let transport = await transportService.getTransporter('streamable-http', token, session.id);
+        // 2. If not in memory, check if session exists in Redis and recreate
+        if (!transport) {
+            try {
+                const storedSession = await transportService.getStoredSession('streamable-http', token, session.id);
+                if (storedSession) {
+                    logger.info('Recreating transport from Redis session for SSE listener', {
+                        sessionId: session.id?.slice(0, 20),
+                        createdAt: storedSession.createdAt,
+                    });
+                    transport = await transportService.recreateTransporter('streamable-http', token, session.id, storedSession, response);
+                }
+            }
+            catch (error) {
+                // Log and fall through to 404 logic - transport remains undefined
+                logger.warn('Failed to recreate transport from stored session for SSE listener', {
+                    sessionId: session.id?.slice(0, 20),
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
         if (!transport) {
             this.respond(common_1.httpRespond.notFound('Session not found'));
             return;

package/src/transport/flows/handle.streamable-http.flow.js.map

@@ -1 +1 @@
-{"version":3,"file":"handle.streamable-http.flow.js","sourceRoot":"","sources":["../../../../src/transport/flows/handle.streamable-http.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAasB;AACtB,6BAAwB;AACxB,iEAAuF;AAEvF,gFAA4E;AAE/D,QAAA,IAAI,GAAG;IAClB,GAAG,EAAE,CAAC,YAAY,EAAE,QAAQ,CAAC;IAC7B,OAAO,EAAE,CAAC,cAAc,EAAE,WAAW,EAAE,gBAAgB,EAAE,eAAe,CAAC;IACzE,IAAI,EAAE,EAAE;IACR,QAAQ,EAAE,CAAC,SAAS,CAAC;CACc,CAAC;AAEtC,mGAAmG;AACnG,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,OAAO,EAAE,OAAC;SACP,MAAM,CAAC;QACN,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;QAClB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;QACnB,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QACvB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACxG,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAChC,YAAY,EAAE,OAAC;aACZ,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;aACxG,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEU,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,OAAO,EAAE,kBAAkB;IAC3B,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,EAAE,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE;CACzF,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG,wBAAiC,CAAC;AAC/C,MAAM,EAAE,KAAK,EAAE,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAqBrB,IAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,iBAAqB;IACzE,IAAI,GAAG,IAAI,CAAC;IAGN,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,MAAM,aAAa,GAAG,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAkB,CAAC;QACzE,MAAM,EAAE,KAAK,EAAE,GAAG,aAAa,CAAC;QAEhC,kFAAkF;QAClF,2DAA2D;QAC3D,EAAE;QACF,oFAAoF;QACpF,qFAAqF;QACrF,4EAA4E;QAC5E,uFAAuF;QACvF,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAuB,CAAC;QAEnF,IAAI,OAAoF,CAAC;QAEzF,IAAI,gBAAgB,EAAE,CAAC;YACrB,8DAA8D;YAC9D,sFAAsF;YACtF,iGAAiG;YACjG,IAAI,aAAa,CAAC,OAAO,EAAE,EAAE,KAAK,gBAAgB,EAAE,CAAC;gBACnD,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;YAClC,CAAC;iBAAM,CAAC;gBACN,OAAO,GAAG,EAAE,EAAE,EAAE,gBAAgB,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;YACjC,qFAAqF;YACrF,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,mDAAmD;YACnD,OAAO,GAAG,IAAA,kCAAe,EAAC,iBAAiB,EAAE,KAAK,EAAE;gBAClD,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAuB;gBAChE,uBAAuB,EAAG,IAAI,CAAC,KAAe,CAAC,QAAQ,EAAE,OAAO,EAAE,iBAAiB;aACpF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAW,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;IAGK,AAAN,KAAK,CAAC,MAAM;QACV,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,2DAA2D;QAC3D,iFAAiF;QACjF,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,uCAAuC;QACvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAuC,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAI,EAAE,MAAM,CAAC;QAE5B,8EAA8E;QAC9E,wEAAwE;QACxE,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,6BAAkB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC9D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,MAAM,IAAI,wBAAa,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YACnE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,YAAY;QAChB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAI,IAAI,CAAC,KAAe,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QAEzF,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE/C,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE;YAC9C,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,KAAK;YACjB,WAAW,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;SACjC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;YAC3G,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YACnE,MAAM,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC9C,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACpD,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,2EAA2E;YAC3E,IAAI,KAAK,YAAY,oBAAW,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;gBACnC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;aACxD,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC1C,CAAC;IAKK,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAE1E,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9F,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,yFAAyF;YACzF,MAAM,UAAU,GAAG,gBAAgB,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YAC5F,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;YAEjE,IAAI,UAAU,EAAE,CAAC;gBACf,sFAAsF;gBACtF,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE;oBAC3D,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBACvB,YAAY,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAC;iBAClD,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAC9D,CAAC;iBAAM,CAAC;gBACN,6FAA6F;gBAC7F,MAAM,CAAC,IAAI,CAAC,yEAAyE,EAAE;oBACrF,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBACvB,YAAY,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAC;oBACjD,SAAS,EAAG,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAwB,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACjF,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,eAAe,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACvE,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACjD,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;gBACjE,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;oBACnC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK;oBACxG,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,EAAE,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACpC,CAAC,CAAC;YACL,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,aAAa;QACjB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAEhE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE/C,mFAAmF;QACnF,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9F,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QAED,sFAAsF;QACtF,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF,CAAA;AA5LO;IADL,KAAK,CAAC,YAAY,CAAC;;;;0DAuCnB;AAGK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;sDA0Bf;AAKK;IAHL,KAAK,CAAC,cAAc,EAAE;QACrB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,YAAY;KACrE,CAAC;;;;4DA+BD;AAKK;IAHL,KAAK,CAAC,gBAAgB,EAAE;QACvB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,cAAc;KACvE,CAAC;;;;8DAGD;AAKK;IAHL,KAAK,CAAC,WAAW,EAAE;QAClB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,SAAS;KAClE,CAAC;;;;yDAsDD;AAKK;IAHL,KAAK,CAAC,eAAe,EAAE;QACtB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,aAAa;KACtE,CAAC;;;;6DAiBD;AA/LkB,wBAAwB;IAP5C,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI,EAAJ,YAAI;QACJ,MAAM,EAAE,YAAY;QACpB,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;KAC/B,CAAC;GACmB,wBAAwB,CAgM5C;kBAhMoB,wBAAwB","sourcesContent":["import {\n  Flow,\n  httpInputSchema,\n  FlowRunOptions,\n  httpOutputSchema,\n  FlowPlan,\n  FlowBase,\n  FlowHooksOf,\n  sessionIdSchema,\n  httpRespond,\n  ServerRequestTokens,\n  Authorization,\n  FlowControl,\n} from '../../common';\nimport { z } from 'zod';\nimport { ElicitResultSchema, RequestSchema } from '@modelcontextprotocol/sdk/types.js';\nimport { Scope } from '../../scope';\nimport { createSessionId } from '../../auth/session/utils/session-id.utils';\n\nexport const plan = {\n  pre: ['parseInput', 'router'],\n  execute: ['onInitialize', 'onMessage', 'onElicitResult', 'onSseListener'],\n  post: [],\n  finalize: ['cleanup'],\n} as const satisfies FlowPlan<string>;\n\n// Relaxed session schema for state - payload is optional when using mcp-session-id header directly\nconst stateSessionSchema = z.object({\n  id: z.string(),\n  payload: z\n    .object({\n      nodeId: z.string(),\n      authSig: z.string(),\n      uuid: z.string().uuid(),\n      iat: z.number(),\n      protocol: z.enum(['legacy-sse', 'sse', 'streamable-http', 'stateful-http', 'stateless-http']).optional(),\n      isPublic: z.boolean().optional(),\n      platformType: z\n        .enum(['openai', 'claude', 'gemini', 'cursor', 'continue', 'cody', 'generic-mcp', 'ext-apps', 'unknown'])\n        .optional(),\n    })\n    .optional(),\n});\n\nexport const stateSchema = z.object({\n  token: z.string(),\n  session: stateSessionSchema,\n  requestType: z.enum(['initialize', 'message', 'elicitResult', 'sseListener']).optional(),\n});\n\nconst name = 'handle:streamable-http' as const;\nconst { Stage } = FlowHooksOf(name);\n\ndeclare global {\n  interface ExtendFlows {\n    'handle:streamable-http': FlowRunOptions<\n      HandleStreamableHttpFlow,\n      typeof plan,\n      typeof httpInputSchema,\n      typeof httpOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\n@Flow({\n  name,\n  plan,\n  access: 'authorized',\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n})\nexport default class HandleStreamableHttpFlow extends FlowBase<typeof name> {\n  name = name;\n\n  @Stage('parseInput')\n  async parseInput() {\n    const { request } = this.rawInput;\n\n    const authorization = request[ServerRequestTokens.auth] as Authorization;\n    const { token } = authorization;\n\n    // CRITICAL: The mcp-session-id header is the client's reference to their session.\n    // We MUST use this exact ID for transport registry lookup.\n    //\n    // Priority 1: Use mcp-session-id header if present (client's session ID for lookup)\n    //             This is the ID the client received from initialize and is referencing.\n    // Priority 2: Use session from authorization if header matches or is absent\n    // Priority 3: Create new session (first request - no header, no authorization.session)\n    const mcpSessionHeader = request.headers?.['mcp-session-id'] as string | undefined;\n\n    let session: { id: string; payload?: z.infer<typeof stateSchema>['session']['payload'] };\n\n    if (mcpSessionHeader) {\n      // Client sent session ID - ALWAYS use it for transport lookup\n      // If authorization.session exists and matches, use its payload for protocol detection\n      // If authorization.session differs or is missing, still use header ID (payload may be undefined)\n      if (authorization.session?.id === mcpSessionHeader) {\n        session = authorization.session;\n      } else {\n        session = { id: mcpSessionHeader };\n      }\n    } else if (authorization.session) {\n      // No header but authorization has session - use it (shouldn't happen in normal flow)\n      session = authorization.session;\n    } else {\n      // No session - create new one (initialize request)\n      session = createSessionId('streamable-http', token, {\n        userAgent: request.headers?.['user-agent'] as string | undefined,\n        platformDetectionConfig: (this.scope as Scope).metadata?.session?.platformDetection,\n      });\n    }\n\n    this.state.set(stateSchema.parse({ token, session }));\n  }\n\n  @Stage('router')\n  async router() {\n    const { request } = this.rawInput;\n\n    // GET requests are SSE listener streams - no body expected\n    // Per MCP spec, clients can open SSE stream with GET + Accept: text/event-stream\n    if (request.method.toUpperCase() === 'GET') {\n      this.state.set('requestType', 'sseListener');\n      return;\n    }\n\n    // POST requests have MCP JSON-RPC body\n    const body = request.body as { method?: string } | undefined;\n    const method = body?.method;\n\n    // Use method-based detection for routing (more permissive than strict schema)\n    // The actual schema validation happens in the MCP SDK's transport layer\n    if (method === 'initialize') {\n      this.state.set('requestType', 'initialize');\n    } else if (ElicitResultSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'elicitResult');\n    } else if (method && RequestSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'message');\n    } else {\n      this.respond(httpRespond.rpcError('Invalid Request'));\n    }\n  }\n\n  @Stage('onInitialize', {\n    filter: ({ state: { requestType } }) => requestType === 'initialize',\n  })\n  async onInitialize() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = (this.scope as Scope).logger.child('handle:streamable-http:onInitialize');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n\n    logger.info('onInitialize: creating transport', {\n      sessionId: session.id.slice(0, 30),\n      hasToken: !!token,\n      tokenPrefix: token?.slice(0, 10),\n    });\n\n    try {\n      const transport = await transportService.createTransporter('streamable-http', token, session.id, response);\n      logger.info('onInitialize: transport created, calling initialize');\n      await transport.initialize(request, response);\n      logger.info('onInitialize: completed successfully');\n      this.handled();\n    } catch (error) {\n      // FlowControl is expected control flow (from this.handled()), not an error\n      if (error instanceof FlowControl) {\n        throw error;\n      }\n      logger.error('onInitialize: failed', {\n        error: error instanceof Error ? error.message : String(error),\n        stack: error instanceof Error ? error.stack : undefined,\n      });\n      throw error;\n    }\n  }\n\n  @Stage('onElicitResult', {\n    filter: ({ state: { requestType } }) => requestType === 'elicitResult',\n  })\n  async onElicitResult() {\n    this.fail(new Error('Not implemented'));\n  }\n\n  @Stage('onMessage', {\n    filter: ({ state: { requestType } }) => requestType === 'message',\n  })\n  async onMessage() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = this.scopeLogger.child('handle:streamable-http:onMessage');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n    const transport = await transportService.getTransporter('streamable-http', token, session.id);\n    if (!transport) {\n      // Check if session was ever created to differentiate error types per MCP Spec 2025-11-25\n      const wasCreated = transportService.wasSessionCreated('streamable-http', token, session.id);\n      const body = request.body as Record<string, unknown> | undefined;\n\n      if (wasCreated) {\n        // Session existed but was terminated/evicted → HTTP 404 (client should re-initialize)\n        logger.info('Session expired - client should re-initialize', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n          mcpSessionId: request.headers?.['mcp-session-id'],\n        });\n        this.respond(httpRespond.sessionExpired('session expired'));\n      } else {\n        // Session was never created → HTTP 404 (per user requirement: invalid/missing session = 404)\n        logger.warn('Session not initialized - client attempted request without initializing', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n          mcpSessionId: request.headers?.['mcp-session-id'],\n          userAgent: (request.headers?.['user-agent'] as string | undefined)?.slice(0, 50),\n        });\n        this.respond(httpRespond.sessionNotFound('session not initialized'));\n      }\n      return;\n    }\n\n    try {\n      await transport.handleRequest(request, response);\n      this.handled();\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        const body = request.body as Record<string, unknown> | undefined;\n        logger.error('handleRequest failed', {\n          error: error instanceof Error ? { name: error.name, message: error.message, stack: error.stack } : error,\n          method: body?.['method'],\n          id: body?.['id'],\n          sessionId: session.id?.slice(0, 20),\n        });\n      }\n      throw error;\n    }\n  }\n\n  @Stage('onSseListener', {\n    filter: ({ state: { requestType } }) => requestType === 'sseListener',\n  })\n  async onSseListener() {\n    const transportService = (this.scope as Scope).transportService;\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n\n    // Get existing transport for this session - SSE listener requires existing session\n    const transport = await transportService.getTransporter('streamable-http', token, session.id);\n    if (!transport) {\n      this.respond(httpRespond.notFound('Session not found'));\n      return;\n    }\n\n    // Forward GET request to transport (opens SSE stream for server→client notifications)\n    await transport.handleRequest(request, response);\n    this.handled();\n  }\n}\n"]}
+{"version":3,"file":"handle.streamable-http.flow.js","sourceRoot":"","sources":["../../../../src/transport/flows/handle.streamable-http.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAcsB;AACtB,6BAAwB;AACxB,iEAAuF;AAEvF,gFAA4E;AAE/D,QAAA,IAAI,GAAG;IAClB,GAAG,EAAE,CAAC,YAAY,EAAE,QAAQ,CAAC;IAC7B,OAAO,EAAE,CAAC,cAAc,EAAE,WAAW,EAAE,gBAAgB,EAAE,eAAe,CAAC;IACzE,IAAI,EAAE,EAAE;IACR,QAAQ,EAAE,CAAC,SAAS,CAAC;CACc,CAAC;AAEtC,mGAAmG;AACnG,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,OAAO,EAAE,OAAC;SACP,MAAM,CAAC;QACN,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;QAClB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;QACnB,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QACvB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACxG,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAChC,YAAY,EAAE,OAAC;aACZ,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;aACxG,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEU,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,OAAO,EAAE,kBAAkB;IAC3B,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,EAAE,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE;CACzF,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG,wBAAiC,CAAC;AAC/C,MAAM,EAAE,KAAK,EAAE,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAqBrB,IAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,iBAAqB;IACzE,IAAI,GAAG,IAAI,CAAC;IAGN,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,MAAM,aAAa,GAAG,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAkB,CAAC;QACzE,OAAO,CAAC,GAAG,CACT,qCAAqC,EACrC,aAAa;YACX,CAAC,CAAC;gBACE,QAAQ,EAAE,CAAC,CAAC,aAAa,CAAC,KAAK;gBAC/B,UAAU,EAAE,CAAC,CAAC,aAAa,CAAC,OAAO;gBACnC,SAAS,EAAE,aAAa,CAAC,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aACnD;YACH,CAAC,CAAC,WAAW,CAChB,CAAC;QACF,MAAM,EAAE,KAAK,EAAE,GAAG,aAAa,CAAC;QAEhC,kFAAkF;QAClF,2DAA2D;QAC3D,EAAE;QACF,oFAAoF;QACpF,qFAAqF;QACrF,4EAA4E;QAC5E,uFAAuF;QACvF,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAC,CAAC;QAChD,MAAM,mBAAmB,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;QACtE,MAAM,gBAAgB,GAAG,IAAA,iCAAwB,EAAC,mBAAmB,CAAC,CAAC;QAEvE,4DAA4D;QAC5D,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3C,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,eAAe,CAAC,oBAAoB,CAAC,CAAC,CAAC;YAChE,OAAO;QACT,CAAC;QAED,IAAI,OAAoF,CAAC;QAEzF,IAAI,gBAAgB,EAAE,CAAC;YACrB,8DAA8D;YAC9D,sFAAsF;YACtF,iGAAiG;YACjG,IAAI,aAAa,CAAC,OAAO,EAAE,EAAE,KAAK,gBAAgB,EAAE,CAAC;gBACnD,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;YAClC,CAAC;iBAAM,CAAC;gBACN,OAAO,GAAG,EAAE,EAAE,EAAE,gBAAgB,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;YACjC,qFAAqF;YACrF,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,mDAAmD;YACnD,OAAO,GAAG,IAAA,kCAAe,EAAC,iBAAiB,EAAE,KAAK,EAAE;gBAClD,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAuB;gBAChE,uBAAuB,EAAG,IAAI,CAAC,KAAe,CAAC,QAAQ,CAAC,SAAS,EAAE,iBAAiB;aACrF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAW,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;IAGK,AAAN,KAAK,CAAC,MAAM;QACV,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,2DAA2D;QAC3D,iFAAiF;QACjF,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,uCAAuC;QACvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAuC,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAI,EAAE,MAAM,CAAC;QAE5B,8EAA8E;QAC9E,wEAAwE;QACxE,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,6BAAkB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC9D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,MAAM,IAAI,wBAAa,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YACnE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,YAAY;QAChB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAI,IAAI,CAAC,KAAe,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QAEzF,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE/C,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE;YAC9C,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,KAAK;YACjB,WAAW,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;SACjC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;YAC3G,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YACnE,MAAM,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC9C,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACpD,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,2EAA2E;YAC3E,IAAI,KAAK,YAAY,oBAAW,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;gBACnC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;aACxD,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC1C,CAAC;IAKK,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAE1E,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE/C,+CAA+C;QAC/C,IAAI,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAE5F,qEAAqE;QACrE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,gBAAgB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;gBACpG,IAAI,aAAa,EAAE,CAAC;oBAClB,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;wBACrD,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;wBACnC,SAAS,EAAE,aAAa,CAAC,SAAS;qBACnC,CAAC,CAAC;oBACH,SAAS,GAAG,MAAM,gBAAgB,CAAC,mBAAmB,CACpD,iBAAiB,EACjB,KAAK,EACL,OAAO,CAAC,EAAE,EACV,aAAa,EACb,QAAQ,CACT,CAAC;gBACJ,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,kEAAkE;gBAClE,MAAM,CAAC,IAAI,CAAC,kDAAkD,EAAE;oBAC9D,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAC9D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,yFAAyF;YACzF,MAAM,UAAU,GAAG,MAAM,gBAAgB,CAAC,sBAAsB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YACvG,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;YAEjE,IAAI,UAAU,EAAE,CAAC;gBACf,sFAAsF;gBACtF,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE;oBAC3D,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBACvB,YAAY,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAC;iBAClD,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAC9D,CAAC;iBAAM,CAAC;gBACN,6FAA6F;gBAC7F,MAAM,CAAC,IAAI,CAAC,yEAAyE,EAAE;oBACrF,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBACvB,YAAY,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAC;oBACjD,SAAS,EAAG,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAwB,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACjF,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,eAAe,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACvE,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACjD,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;gBACjE,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;oBACnC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK;oBACxG,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,EAAE,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACpC,CAAC,CAAC;YACL,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,aAAa;QACjB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAE9E,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE/C,+CAA+C;QAC/C,IAAI,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAE5F,qEAAqE;QACrE,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,gBAAgB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;gBACpG,IAAI,aAAa,EAAE,CAAC;oBAClB,MAAM,CAAC,IAAI,CAAC,0DAA0D,EAAE;wBACtE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;wBACnC,SAAS,EAAE,aAAa,CAAC,SAAS;qBACnC,CAAC,CAAC;oBACH,SAAS,GAAG,MAAM,gBAAgB,CAAC,mBAAmB,CACpD,iBAAiB,EACjB,KAAK,EACL,OAAO,CAAC,EAAE,EACV,aAAa,EACb,QAAQ,CACT,CAAC;gBACJ,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,kEAAkE;gBAClE,MAAM,CAAC,IAAI,CAAC,mEAAmE,EAAE;oBAC/E,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAC9D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QAED,sFAAsF;QACtF,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF,CAAA;AAxQO;IADL,KAAK,CAAC,YAAY,CAAC;;;;0DA0DnB;AAGK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;sDA0Bf;AAKK;IAHL,KAAK,CAAC,cAAc,EAAE;QACrB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,YAAY;KACrE,CAAC;;;;4DA+BD;AAKK;IAHL,KAAK,CAAC,gBAAgB,EAAE;QACvB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,cAAc;KACvE,CAAC;;;;8DAGD;AAKK;IAHL,KAAK,CAAC,WAAW,EAAE;QAClB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,SAAS;KAClE,CAAC;;;;yDAmFD;AAKK;IAHL,KAAK,CAAC,eAAe,EAAE;QACtB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,aAAa;KACtE,CAAC;;;;6DA6CD;AA3QkB,wBAAwB;IAP5C,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI,EAAJ,YAAI;QACJ,MAAM,EAAE,YAAY;QACpB,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;KAC/B,CAAC;GACmB,wBAAwB,CA4Q5C;kBA5QoB,wBAAwB","sourcesContent":["import {\n  Flow,\n  httpInputSchema,\n  FlowRunOptions,\n  httpOutputSchema,\n  FlowPlan,\n  FlowBase,\n  FlowHooksOf,\n  sessionIdSchema,\n  httpRespond,\n  ServerRequestTokens,\n  Authorization,\n  FlowControl,\n  validateMcpSessionHeader,\n} from '../../common';\nimport { z } from 'zod';\nimport { ElicitResultSchema, RequestSchema } from '@modelcontextprotocol/sdk/types.js';\nimport { Scope } from '../../scope';\nimport { createSessionId } from '../../auth/session/utils/session-id.utils';\n\nexport const plan = {\n  pre: ['parseInput', 'router'],\n  execute: ['onInitialize', 'onMessage', 'onElicitResult', 'onSseListener'],\n  post: [],\n  finalize: ['cleanup'],\n} as const satisfies FlowPlan<string>;\n\n// Relaxed session schema for state - payload is optional when using mcp-session-id header directly\nconst stateSessionSchema = z.object({\n  id: z.string(),\n  payload: z\n    .object({\n      nodeId: z.string(),\n      authSig: z.string(),\n      uuid: z.string().uuid(),\n      iat: z.number(),\n      protocol: z.enum(['legacy-sse', 'sse', 'streamable-http', 'stateful-http', 'stateless-http']).optional(),\n      isPublic: z.boolean().optional(),\n      platformType: z\n        .enum(['openai', 'claude', 'gemini', 'cursor', 'continue', 'cody', 'generic-mcp', 'ext-apps', 'unknown'])\n        .optional(),\n    })\n    .optional(),\n});\n\nexport const stateSchema = z.object({\n  token: z.string(),\n  session: stateSessionSchema,\n  requestType: z.enum(['initialize', 'message', 'elicitResult', 'sseListener']).optional(),\n});\n\nconst name = 'handle:streamable-http' as const;\nconst { Stage } = FlowHooksOf(name);\n\ndeclare global {\n  interface ExtendFlows {\n    'handle:streamable-http': FlowRunOptions<\n      HandleStreamableHttpFlow,\n      typeof plan,\n      typeof httpInputSchema,\n      typeof httpOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\n@Flow({\n  name,\n  plan,\n  access: 'authorized',\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n})\nexport default class HandleStreamableHttpFlow extends FlowBase<typeof name> {\n  name = name;\n\n  @Stage('parseInput')\n  async parseInput() {\n    const { request } = this.rawInput;\n\n    console.log('[DEBUG] parseInput: starting');\n    const authorization = request[ServerRequestTokens.auth] as Authorization;\n    console.log(\n      '[DEBUG] parseInput: authorization =',\n      authorization\n        ? {\n            hasToken: !!authorization.token,\n            hasSession: !!authorization.session,\n            sessionId: authorization.session?.id?.slice(0, 30),\n          }\n        : 'undefined',\n    );\n    const { token } = authorization;\n\n    // CRITICAL: The mcp-session-id header is the client's reference to their session.\n    // We MUST use this exact ID for transport registry lookup.\n    //\n    // Priority 1: Use mcp-session-id header if present (client's session ID for lookup)\n    //             This is the ID the client received from initialize and is referencing.\n    // Priority 2: Use session from authorization if header matches or is absent\n    // Priority 3: Create new session (first request - no header, no authorization.session)\n    const raw = request.headers?.['mcp-session-id'];\n    const rawMcpSessionHeader = typeof raw === 'string' ? raw : undefined;\n    const mcpSessionHeader = validateMcpSessionHeader(rawMcpSessionHeader);\n\n    // If client sent a header but validation failed, return 404\n    if (raw !== undefined && !mcpSessionHeader) {\n      this.respond(httpRespond.sessionNotFound('invalid session id'));\n      return;\n    }\n\n    let session: { id: string; payload?: z.infer<typeof stateSchema>['session']['payload'] };\n\n    if (mcpSessionHeader) {\n      // Client sent session ID - ALWAYS use it for transport lookup\n      // If authorization.session exists and matches, use its payload for protocol detection\n      // If authorization.session differs or is missing, still use header ID (payload may be undefined)\n      if (authorization.session?.id === mcpSessionHeader) {\n        session = authorization.session;\n      } else {\n        session = { id: mcpSessionHeader };\n      }\n    } else if (authorization.session) {\n      // No header but authorization has session - use it (shouldn't happen in normal flow)\n      session = authorization.session;\n    } else {\n      // No session - create new one (initialize request)\n      session = createSessionId('streamable-http', token, {\n        userAgent: request.headers?.['user-agent'] as string | undefined,\n        platformDetectionConfig: (this.scope as Scope).metadata.transport?.platformDetection,\n      });\n    }\n\n    this.state.set(stateSchema.parse({ token, session }));\n  }\n\n  @Stage('router')\n  async router() {\n    const { request } = this.rawInput;\n\n    // GET requests are SSE listener streams - no body expected\n    // Per MCP spec, clients can open SSE stream with GET + Accept: text/event-stream\n    if (request.method.toUpperCase() === 'GET') {\n      this.state.set('requestType', 'sseListener');\n      return;\n    }\n\n    // POST requests have MCP JSON-RPC body\n    const body = request.body as { method?: string } | undefined;\n    const method = body?.method;\n\n    // Use method-based detection for routing (more permissive than strict schema)\n    // The actual schema validation happens in the MCP SDK's transport layer\n    if (method === 'initialize') {\n      this.state.set('requestType', 'initialize');\n    } else if (ElicitResultSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'elicitResult');\n    } else if (method && RequestSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'message');\n    } else {\n      this.respond(httpRespond.rpcError('Invalid Request'));\n    }\n  }\n\n  @Stage('onInitialize', {\n    filter: ({ state: { requestType } }) => requestType === 'initialize',\n  })\n  async onInitialize() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = (this.scope as Scope).logger.child('handle:streamable-http:onInitialize');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n\n    logger.info('onInitialize: creating transport', {\n      sessionId: session.id.slice(0, 30),\n      hasToken: !!token,\n      tokenPrefix: token?.slice(0, 10),\n    });\n\n    try {\n      const transport = await transportService.createTransporter('streamable-http', token, session.id, response);\n      logger.info('onInitialize: transport created, calling initialize');\n      await transport.initialize(request, response);\n      logger.info('onInitialize: completed successfully');\n      this.handled();\n    } catch (error) {\n      // FlowControl is expected control flow (from this.handled()), not an error\n      if (error instanceof FlowControl) {\n        throw error;\n      }\n      logger.error('onInitialize: failed', {\n        error: error instanceof Error ? error.message : String(error),\n        stack: error instanceof Error ? error.stack : undefined,\n      });\n      throw error;\n    }\n  }\n\n  @Stage('onElicitResult', {\n    filter: ({ state: { requestType } }) => requestType === 'elicitResult',\n  })\n  async onElicitResult() {\n    this.fail(new Error('Not implemented'));\n  }\n\n  @Stage('onMessage', {\n    filter: ({ state: { requestType } }) => requestType === 'message',\n  })\n  async onMessage() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = this.scopeLogger.child('handle:streamable-http:onMessage');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n\n    // 1. Try to get existing transport from memory\n    let transport = await transportService.getTransporter('streamable-http', token, session.id);\n\n    // 2. If not in memory, check if session exists in Redis and recreate\n    if (!transport) {\n      try {\n        const storedSession = await transportService.getStoredSession('streamable-http', token, session.id);\n        if (storedSession) {\n          logger.info('Recreating transport from Redis session', {\n            sessionId: session.id?.slice(0, 20),\n            createdAt: storedSession.createdAt,\n          });\n          transport = await transportService.recreateTransporter(\n            'streamable-http',\n            token,\n            session.id,\n            storedSession,\n            response,\n          );\n        }\n      } catch (error) {\n        // Log and fall through to 404 logic - transport remains undefined\n        logger.warn('Failed to recreate transport from stored session', {\n          sessionId: session.id?.slice(0, 20),\n          error: error instanceof Error ? error.message : String(error),\n        });\n      }\n    }\n\n    if (!transport) {\n      // Check if session was ever created to differentiate error types per MCP Spec 2025-11-25\n      const wasCreated = await transportService.wasSessionCreatedAsync('streamable-http', token, session.id);\n      const body = request.body as Record<string, unknown> | undefined;\n\n      if (wasCreated) {\n        // Session existed but was terminated/evicted → HTTP 404 (client should re-initialize)\n        logger.info('Session expired - client should re-initialize', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n          mcpSessionId: request.headers?.['mcp-session-id'],\n        });\n        this.respond(httpRespond.sessionExpired('session expired'));\n      } else {\n        // Session was never created → HTTP 404 (per user requirement: invalid/missing session = 404)\n        logger.warn('Session not initialized - client attempted request without initializing', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n          mcpSessionId: request.headers?.['mcp-session-id'],\n          userAgent: (request.headers?.['user-agent'] as string | undefined)?.slice(0, 50),\n        });\n        this.respond(httpRespond.sessionNotFound('session not initialized'));\n      }\n      return;\n    }\n\n    try {\n      await transport.handleRequest(request, response);\n      this.handled();\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        const body = request.body as Record<string, unknown> | undefined;\n        logger.error('handleRequest failed', {\n          error: error instanceof Error ? { name: error.name, message: error.message, stack: error.stack } : error,\n          method: body?.['method'],\n          id: body?.['id'],\n          sessionId: session.id?.slice(0, 20),\n        });\n      }\n      throw error;\n    }\n  }\n\n  @Stage('onSseListener', {\n    filter: ({ state: { requestType } }) => requestType === 'sseListener',\n  })\n  async onSseListener() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = this.scopeLogger.child('handle:streamable-http:onSseListener');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n\n    // 1. Try to get existing transport from memory\n    let transport = await transportService.getTransporter('streamable-http', token, session.id);\n\n    // 2. If not in memory, check if session exists in Redis and recreate\n    if (!transport) {\n      try {\n        const storedSession = await transportService.getStoredSession('streamable-http', token, session.id);\n        if (storedSession) {\n          logger.info('Recreating transport from Redis session for SSE listener', {\n            sessionId: session.id?.slice(0, 20),\n            createdAt: storedSession.createdAt,\n          });\n          transport = await transportService.recreateTransporter(\n            'streamable-http',\n            token,\n            session.id,\n            storedSession,\n            response,\n          );\n        }\n      } catch (error) {\n        // Log and fall through to 404 logic - transport remains undefined\n        logger.warn('Failed to recreate transport from stored session for SSE listener', {\n          sessionId: session.id?.slice(0, 20),\n          error: error instanceof Error ? error.message : String(error),\n        });\n      }\n    }\n\n    if (!transport) {\n      this.respond(httpRespond.notFound('Session not found'));\n      return;\n    }\n\n    // Forward GET request to transport (opens SSE stream for server→client notifications)\n    await transport.handleRequest(request, response);\n    this.handled();\n  }\n}\n"]}

package/src/transport/mcp-handlers/initialize-request.handler.js

@@ -5,6 +5,7 @@ const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
 const types_js_2 = require("@modelcontextprotocol/sdk/types.js");
 const unsupported_client_version_exception_1 = require("../../exceptions/mcp-exceptions/unsupported-client-version.exception");
 const notification_1 = require("../../notification");
+const session_id_utils_1 = require("../../auth/session/utils/session-id.utils");
 /**
  * Validates that the client's protocol version is a valid date string format.
  * Per MCP spec, older versions should be accepted if supported - version negotiation
@@ -51,22 +52,31 @@ function initializeRequestHandler({ serverOptions, scope, }) {
                 // Store client info (name/version) for platform detection
                 // and update the session payload with the detected platform type
                 if (request.params.clientInfo) {
-                    // If not detected from capabilities, use client info detection
-                    const clientInfoPlatform = scope.notifications.setClientInfo(sessionId, {
+                    // Try to store in notification service (may fail for HTTP transports without registered server)
+                    scope.notifications.setClientInfo(sessionId, {
                         name: request.params.clientInfo.name,
                         version: request.params.clientInfo.version,
                     });
+                    // Detect platform directly from client info (don't rely on setClientInfo return)
+                    // Use platform detection config from scope if available
+                    const platformDetectionConfig = scope.metadata.transport?.platformDetection;
+                    const clientInfoPlatform = (0, notification_1.detectAIPlatform)(request.params.clientInfo, platformDetectionConfig);
                     // Prefer capability-based detection (ext-apps) over client info detection
                     const finalPlatform = detectedPlatform ?? clientInfoPlatform;
                     // Update the session payload with the detected platform type
                     // This makes platformType available via ctx.authInfo.sessionIdPayload.platformType
                     if (finalPlatform && ctx.authInfo?.sessionIdPayload) {
                         ctx.authInfo.sessionIdPayload.platformType = finalPlatform;
+                        // Persist the platformType to the session cache so subsequent requests can access it
+                        // This is critical for HTTP transports where sessions are parsed from encrypted headers
+                        (0, session_id_utils_1.updateSessionPayload)(sessionId, { platformType: finalPlatform });
                     }
                 }
                 else if (detectedPlatform && ctx.authInfo?.sessionIdPayload) {
                     // Update platform even without client info if detected from capabilities
                     ctx.authInfo.sessionIdPayload.platformType = detectedPlatform;
+                    // Persist to session cache
+                    (0, session_id_utils_1.updateSessionPayload)(sessionId, { platformType: detectedPlatform });
                 }
             }
             // MCP Protocol Version Negotiation (per spec):

package/src/transport/mcp-handlers/initialize-request.handler.js.map

@@ -1 +1 @@
-{"version":3,"file":"initialize-request.handler.js","sourceRoot":"","sources":["../../../../src/transport/mcp-handlers/initialize-request.handler.ts"],"names":[],"mappings":";;AAmBA,2CA4FC;AA/GD,iEAAkH;AAClH,iEAA0G;AAE1G,+HAAyH;AAEzH,qDAAoE;AAEpE;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,aAAqB;IAC/C,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC;IACvC,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAC5B,MAAM,wEAAiC,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IACrE,CAAC;IACD,kEAAkE;AACpE,CAAC;AACD,SAAwB,wBAAwB,CAAC,EAC/C,aAAa,EACb,KAAK,GACa;IAClB,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAExD,OAAO;QACL,aAAa,EAAE,kCAAuB;QACtC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAA6B,EAAE;YACzD,MAAM,CAAC,IAAI,CAAC,8BAA8B,EAAE;gBAC1C,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,IAAI;gBAC3C,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO;gBACjD,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,eAAe;gBAC/C,eAAe,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY;gBAC9C,SAAS,EAAE,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aACjD,CAAC,CAAC;YAEH,kBAAkB,CAAC,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;YAEnD,wEAAwE;YACxE,kEAAkE;YAClE,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC;YAC1C,IAAI,gBAAgB,GAAsD,SAAS,CAAC;YAEpF,IAAI,SAAS,EAAE,CAAC;gBACd,wCAAwC;gBACxC,IAAI,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;oBAChC,kEAAkE;oBAClE,MAAM,kBAAkB,GAAuB;wBAC7C,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,KAAoC;wBACvE,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,QAA0C;wBAChF,qEAAqE;wBACrE,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,YAAkD;qBAC7F,CAAC;oBACF,KAAK,CAAC,aAAa,CAAC,qBAAqB,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;oBAEzE,4EAA4E;oBAC5E,gBAAgB,GAAG,IAAA,6CAA8B,EAAC,kBAAkB,CAAC,CAAC;gBACxE,CAAC;gBAED,0DAA0D;gBAC1D,iEAAiE;gBACjE,IAAI,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;oBAC9B,+DAA+D;oBAC/D,MAAM,kBAAkB,GAAG,KAAK,CAAC,aAAa,CAAC,aAAa,CAAC,SAAS,EAAE;wBACtE,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI;wBACpC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO;qBAC3C,CAAC,CAAC;oBAEH,0EAA0E;oBAC1E,MAAM,aAAa,GAAG,gBAAgB,IAAI,kBAAkB,CAAC;oBAE7D,6DAA6D;oBAC7D,mFAAmF;oBACnF,IAAI,aAAa,IAAI,GAAG,CAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAC;wBACpD,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC,YAAY,GAAG,aAAa,CAAC;oBAC7D,CAAC;gBACH,CAAC;qBAAM,IAAI,gBAAgB,IAAI,GAAG,CAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAC;oBAC9D,yEAAyE;oBACzE,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC,YAAY,GAAG,gBAAgB,CAAC;gBAChE,CAAC;YACH,CAAC;YAED,+CAA+C;YAC/C,iGAAiG;YACjG,kFAAkF;YAClF,MAAM,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC;YACxD,MAAM,eAAe,GAAG,sCAA2B,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBAC5E,CAAC,CAAC,gBAAgB;gBAClB,CAAC,CAAC,kCAAuB,CAAC;YAE5B,MAAM,MAAM,GAAqB;gBAC/B,YAAY,EAAE,aAAa,CAAC,YAAa;gBACzC,YAAY,EAAE,aAAa,CAAC,YAAY;gBACxC,UAAU,EAAE;oBACV,IAAI,EAAE,gBAAgB;oBACtB,OAAO,EAAE,OAAO;oBAChB,KAAK,EAAE,gBAAgB;iBACxB;gBACD,eAAe;aAChB,CAAC;YAEF,MAAM,CAAC,IAAI,CAAC,8BAA8B,EAAE;gBAC1C,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC;gBACjD,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI;gBAClC,SAAS,EAAE,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aACjD,CAAC,CAAC;YAEH,OAAO,MAAM,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC","sourcesContent":["import { InitializeRequestSchema, InitializeRequest, InitializeResult } from '@modelcontextprotocol/sdk/types.js';\nimport { LATEST_PROTOCOL_VERSION, SUPPORTED_PROTOCOL_VERSIONS } from '@modelcontextprotocol/sdk/types.js';\nimport { McpHandler, McpHandlerOptions } from './mcp-handlers.types';\nimport { UnsupportedClientVersionException } from '../../exceptions/mcp-exceptions/unsupported-client-version.exception';\nimport type { ClientCapabilities } from '../../notification';\nimport { detectPlatformFromCapabilities } from '../../notification';\n\n/**\n * Validates that the client's protocol version is a valid date string format.\n * Per MCP spec, older versions should be accepted if supported - version negotiation\n * determines which version to use, not this guard.\n */\nfunction guardClientVersion(clientVersion: string): void {\n  const parsed = new Date(clientVersion);\n  if (isNaN(parsed.getTime())) {\n    throw UnsupportedClientVersionException.fromVersion(clientVersion);\n  }\n  // Don't reject older versions - let version negotiation handle it\n}\nexport default function initializeRequestHandler({\n  serverOptions,\n  scope,\n}: McpHandlerOptions): McpHandler<InitializeRequest, InitializeResult> {\n  const logger = scope.logger.child('initialize-handler');\n\n  return {\n    requestSchema: InitializeRequestSchema,\n    handler: async (request, ctx): Promise<InitializeResult> => {\n      logger.info('initialize: received request', {\n        clientName: request.params.clientInfo?.name,\n        clientVersion: request.params.clientInfo?.version,\n        protocolVersion: request.params.protocolVersion,\n        hasCapabilities: !!request.params.capabilities,\n        sessionId: ctx.authInfo?.sessionId?.slice(0, 20),\n      });\n\n      guardClientVersion(request.params.protocolVersion);\n\n      // Store client capabilities and client info from the initialize request\n      // The session ID is available in the auth info from the transport\n      const sessionId = ctx.authInfo?.sessionId;\n      let detectedPlatform: ReturnType<typeof detectPlatformFromCapabilities> = undefined;\n\n      if (sessionId) {\n        // Store client capabilities if provided\n        if (request.params.capabilities) {\n          // Map MCP client capabilities to our ClientCapabilities interface\n          const clientCapabilities: ClientCapabilities = {\n            roots: request.params.capabilities.roots as ClientCapabilities['roots'],\n            sampling: request.params.capabilities.sampling as ClientCapabilities['sampling'],\n            // Include experimental capabilities for MCP Apps extension detection\n            experimental: request.params.capabilities.experimental as ClientCapabilities['experimental'],\n          };\n          scope.notifications.setClientCapabilities(sessionId, clientCapabilities);\n\n          // Try to detect platform from capabilities first (e.g., MCP Apps extension)\n          detectedPlatform = detectPlatformFromCapabilities(clientCapabilities);\n        }\n\n        // Store client info (name/version) for platform detection\n        // and update the session payload with the detected platform type\n        if (request.params.clientInfo) {\n          // If not detected from capabilities, use client info detection\n          const clientInfoPlatform = scope.notifications.setClientInfo(sessionId, {\n            name: request.params.clientInfo.name,\n            version: request.params.clientInfo.version,\n          });\n\n          // Prefer capability-based detection (ext-apps) over client info detection\n          const finalPlatform = detectedPlatform ?? clientInfoPlatform;\n\n          // Update the session payload with the detected platform type\n          // This makes platformType available via ctx.authInfo.sessionIdPayload.platformType\n          if (finalPlatform && ctx.authInfo?.sessionIdPayload) {\n            ctx.authInfo.sessionIdPayload.platformType = finalPlatform;\n          }\n        } else if (detectedPlatform && ctx.authInfo?.sessionIdPayload) {\n          // Update platform even without client info if detected from capabilities\n          ctx.authInfo.sessionIdPayload.platformType = detectedPlatform;\n        }\n      }\n\n      // MCP Protocol Version Negotiation (per spec):\n      // \"If the server supports the requested protocol version, it MUST respond with the same version.\n      //  Otherwise, the server MUST respond with another protocol version it supports.\"\n      const requestedVersion = request.params.protocolVersion;\n      const protocolVersion = SUPPORTED_PROTOCOL_VERSIONS.includes(requestedVersion)\n        ? requestedVersion\n        : LATEST_PROTOCOL_VERSION;\n\n      const result: InitializeResult = {\n        capabilities: serverOptions.capabilities!,\n        instructions: serverOptions.instructions,\n        serverInfo: {\n          name: 'FrontMcpServer',\n          version: '0.0.1',\n          title: 'FrontMcpServer',\n        },\n        protocolVersion,\n      };\n\n      logger.info('initialize: sending response', {\n        capabilities: JSON.stringify(result.capabilities),\n        protocolVersion: result.protocolVersion,\n        serverName: result.serverInfo.name,\n        sessionId: ctx.authInfo?.sessionId?.slice(0, 20),\n      });\n\n      return result;\n    },\n  };\n}\n"]}
+{"version":3,"file":"initialize-request.handler.js","sourceRoot":"","sources":["../../../../src/transport/mcp-handlers/initialize-request.handler.ts"],"names":[],"mappings":";;AAoBA,2CAwGC;AA5HD,iEAAkH;AAClH,iEAA0G;AAE1G,+HAAyH;AAEzH,qDAAsF;AACtF,gFAAiF;AAEjF;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,aAAqB;IAC/C,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC;IACvC,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAC5B,MAAM,wEAAiC,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IACrE,CAAC;IACD,kEAAkE;AACpE,CAAC;AACD,SAAwB,wBAAwB,CAAC,EAC/C,aAAa,EACb,KAAK,GACa;IAClB,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAExD,OAAO;QACL,aAAa,EAAE,kCAAuB;QACtC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAA6B,EAAE;YACzD,MAAM,CAAC,IAAI,CAAC,8BAA8B,EAAE;gBAC1C,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,IAAI;gBAC3C,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO;gBACjD,eAAe,EAAE,OAAO,CAAC,MAAM,CAAC,eAAe;gBAC/C,eAAe,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY;gBAC9C,SAAS,EAAE,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aACjD,CAAC,CAAC;YAEH,kBAAkB,CAAC,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;YAEnD,wEAAwE;YACxE,kEAAkE;YAClE,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC;YAC1C,IAAI,gBAAgB,GAAsD,SAAS,CAAC;YAEpF,IAAI,SAAS,EAAE,CAAC;gBACd,wCAAwC;gBACxC,IAAI,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;oBAChC,kEAAkE;oBAClE,MAAM,kBAAkB,GAAuB;wBAC7C,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,KAAoC;wBACvE,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,QAA0C;wBAChF,qEAAqE;wBACrE,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,YAAkD;qBAC7F,CAAC;oBACF,KAAK,CAAC,aAAa,CAAC,qBAAqB,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;oBAEzE,4EAA4E;oBAC5E,gBAAgB,GAAG,IAAA,6CAA8B,EAAC,kBAAkB,CAAC,CAAC;gBACxE,CAAC;gBAED,0DAA0D;gBAC1D,iEAAiE;gBACjE,IAAI,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;oBAC9B,gGAAgG;oBAChG,KAAK,CAAC,aAAa,CAAC,aAAa,CAAC,SAAS,EAAE;wBAC3C,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI;wBACpC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO;qBAC3C,CAAC,CAAC;oBAEH,iFAAiF;oBACjF,wDAAwD;oBACxD,MAAM,uBAAuB,GAAG,KAAK,CAAC,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;oBAC5E,MAAM,kBAAkB,GAAG,IAAA,+BAAgB,EAAC,OAAO,CAAC,MAAM,CAAC,UAAU,EAAE,uBAAuB,CAAC,CAAC;oBAEhG,0EAA0E;oBAC1E,MAAM,aAAa,GAAG,gBAAgB,IAAI,kBAAkB,CAAC;oBAE7D,6DAA6D;oBAC7D,mFAAmF;oBACnF,IAAI,aAAa,IAAI,GAAG,CAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAC;wBACpD,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC,YAAY,GAAG,aAAa,CAAC;wBAE3D,qFAAqF;wBACrF,wFAAwF;wBACxF,IAAA,uCAAoB,EAAC,SAAS,EAAE,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC,CAAC;oBACnE,CAAC;gBACH,CAAC;qBAAM,IAAI,gBAAgB,IAAI,GAAG,CAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAC;oBAC9D,yEAAyE;oBACzE,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC,YAAY,GAAG,gBAAgB,CAAC;oBAE9D,2BAA2B;oBAC3B,IAAA,uCAAoB,EAAC,SAAS,EAAE,EAAE,YAAY,EAAE,gBAAgB,EAAE,CAAC,CAAC;gBACtE,CAAC;YACH,CAAC;YAED,+CAA+C;YAC/C,iGAAiG;YACjG,kFAAkF;YAClF,MAAM,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC;YACxD,MAAM,eAAe,GAAG,sCAA2B,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBAC5E,CAAC,CAAC,gBAAgB;gBAClB,CAAC,CAAC,kCAAuB,CAAC;YAE5B,MAAM,MAAM,GAAqB;gBAC/B,YAAY,EAAE,aAAa,CAAC,YAAa;gBACzC,YAAY,EAAE,aAAa,CAAC,YAAY;gBACxC,UAAU,EAAE;oBACV,IAAI,EAAE,gBAAgB;oBACtB,OAAO,EAAE,OAAO;oBAChB,KAAK,EAAE,gBAAgB;iBACxB;gBACD,eAAe;aAChB,CAAC;YAEF,MAAM,CAAC,IAAI,CAAC,8BAA8B,EAAE;gBAC1C,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC;gBACjD,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI;gBAClC,SAAS,EAAE,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;aACjD,CAAC,CAAC;YAEH,OAAO,MAAM,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC","sourcesContent":["import { InitializeRequestSchema, InitializeRequest, InitializeResult } from '@modelcontextprotocol/sdk/types.js';\nimport { LATEST_PROTOCOL_VERSION, SUPPORTED_PROTOCOL_VERSIONS } from '@modelcontextprotocol/sdk/types.js';\nimport { McpHandler, McpHandlerOptions } from './mcp-handlers.types';\nimport { UnsupportedClientVersionException } from '../../exceptions/mcp-exceptions/unsupported-client-version.exception';\nimport type { ClientCapabilities } from '../../notification';\nimport { detectPlatformFromCapabilities, detectAIPlatform } from '../../notification';\nimport { updateSessionPayload } from '../../auth/session/utils/session-id.utils';\n\n/**\n * Validates that the client's protocol version is a valid date string format.\n * Per MCP spec, older versions should be accepted if supported - version negotiation\n * determines which version to use, not this guard.\n */\nfunction guardClientVersion(clientVersion: string): void {\n  const parsed = new Date(clientVersion);\n  if (isNaN(parsed.getTime())) {\n    throw UnsupportedClientVersionException.fromVersion(clientVersion);\n  }\n  // Don't reject older versions - let version negotiation handle it\n}\nexport default function initializeRequestHandler({\n  serverOptions,\n  scope,\n}: McpHandlerOptions): McpHandler<InitializeRequest, InitializeResult> {\n  const logger = scope.logger.child('initialize-handler');\n\n  return {\n    requestSchema: InitializeRequestSchema,\n    handler: async (request, ctx): Promise<InitializeResult> => {\n      logger.info('initialize: received request', {\n        clientName: request.params.clientInfo?.name,\n        clientVersion: request.params.clientInfo?.version,\n        protocolVersion: request.params.protocolVersion,\n        hasCapabilities: !!request.params.capabilities,\n        sessionId: ctx.authInfo?.sessionId?.slice(0, 20),\n      });\n\n      guardClientVersion(request.params.protocolVersion);\n\n      // Store client capabilities and client info from the initialize request\n      // The session ID is available in the auth info from the transport\n      const sessionId = ctx.authInfo?.sessionId;\n      let detectedPlatform: ReturnType<typeof detectPlatformFromCapabilities> = undefined;\n\n      if (sessionId) {\n        // Store client capabilities if provided\n        if (request.params.capabilities) {\n          // Map MCP client capabilities to our ClientCapabilities interface\n          const clientCapabilities: ClientCapabilities = {\n            roots: request.params.capabilities.roots as ClientCapabilities['roots'],\n            sampling: request.params.capabilities.sampling as ClientCapabilities['sampling'],\n            // Include experimental capabilities for MCP Apps extension detection\n            experimental: request.params.capabilities.experimental as ClientCapabilities['experimental'],\n          };\n          scope.notifications.setClientCapabilities(sessionId, clientCapabilities);\n\n          // Try to detect platform from capabilities first (e.g., MCP Apps extension)\n          detectedPlatform = detectPlatformFromCapabilities(clientCapabilities);\n        }\n\n        // Store client info (name/version) for platform detection\n        // and update the session payload with the detected platform type\n        if (request.params.clientInfo) {\n          // Try to store in notification service (may fail for HTTP transports without registered server)\n          scope.notifications.setClientInfo(sessionId, {\n            name: request.params.clientInfo.name,\n            version: request.params.clientInfo.version,\n          });\n\n          // Detect platform directly from client info (don't rely on setClientInfo return)\n          // Use platform detection config from scope if available\n          const platformDetectionConfig = scope.metadata.transport?.platformDetection;\n          const clientInfoPlatform = detectAIPlatform(request.params.clientInfo, platformDetectionConfig);\n\n          // Prefer capability-based detection (ext-apps) over client info detection\n          const finalPlatform = detectedPlatform ?? clientInfoPlatform;\n\n          // Update the session payload with the detected platform type\n          // This makes platformType available via ctx.authInfo.sessionIdPayload.platformType\n          if (finalPlatform && ctx.authInfo?.sessionIdPayload) {\n            ctx.authInfo.sessionIdPayload.platformType = finalPlatform;\n\n            // Persist the platformType to the session cache so subsequent requests can access it\n            // This is critical for HTTP transports where sessions are parsed from encrypted headers\n            updateSessionPayload(sessionId, { platformType: finalPlatform });\n          }\n        } else if (detectedPlatform && ctx.authInfo?.sessionIdPayload) {\n          // Update platform even without client info if detected from capabilities\n          ctx.authInfo.sessionIdPayload.platformType = detectedPlatform;\n\n          // Persist to session cache\n          updateSessionPayload(sessionId, { platformType: detectedPlatform });\n        }\n      }\n\n      // MCP Protocol Version Negotiation (per spec):\n      // \"If the server supports the requested protocol version, it MUST respond with the same version.\n      //  Otherwise, the server MUST respond with another protocol version it supports.\"\n      const requestedVersion = request.params.protocolVersion;\n      const protocolVersion = SUPPORTED_PROTOCOL_VERSIONS.includes(requestedVersion)\n        ? requestedVersion\n        : LATEST_PROTOCOL_VERSION;\n\n      const result: InitializeResult = {\n        capabilities: serverOptions.capabilities!,\n        instructions: serverOptions.instructions,\n        serverInfo: {\n          name: 'FrontMcpServer',\n          version: '0.0.1',\n          title: 'FrontMcpServer',\n        },\n        protocolVersion,\n      };\n\n      logger.info('initialize: sending response', {\n        capabilities: JSON.stringify(result.capabilities),\n        protocolVersion: result.protocolVersion,\n        serverName: result.serverInfo.name,\n        sessionId: ctx.authInfo?.sessionId?.slice(0, 20),\n      });\n\n      return result;\n    },\n  };\n}\n"]}

package/src/transport/transport.registry.d.ts

@@ -1,6 +1,7 @@
 import { Transporter, TransportType } from './transport.types';
-import { ServerResponse } from '../common';
+import { ServerResponse, TransportPersistenceConfigInput } from '../common';
 import { Scope } from '../scope';
+import { StoredSession } from '../auth/session';
 export declare class TransportService {
     readonly ready: Promise<void>;
     private readonly byType;
@@ -12,15 +13,60 @@ export declare class TransportService {
      * Used to differentiate between "session never initialized" (HTTP 400) and
      * "session expired/terminated" (HTTP 404) per MCP Spec 2025-11-25.
      *
-     * Key: "type:tokenHash:sessionId", Value: creation timestamp
+     * Key: JSON-encoded {type, tokenHash, sessionId}, Value: creation timestamp
+     * Note: We use JSON instead of colon-delimiter because sessionId can contain colons.
      */
     private readonly sessionHistory;
     private readonly MAX_SESSION_HISTORY;
-    constructor(scope: Scope);
+    /**
+     * Redis session store for transport persistence
+     * Used to persist session metadata across server restarts
+     */
+    private sessionStore?;
+    /**
+     * Transport persistence configuration
+     */
+    private persistenceConfig?;
+    /**
+     * Mutex map for preventing concurrent transport creation for the same key.
+     * Key: JSON-encoded {t: type, h: tokenHash, s: sessionId}, Value: Promise that resolves when creation completes
+     */
+    private readonly creationMutex;
+    constructor(scope: Scope, persistenceConfig?: TransportPersistenceConfigInput);
     private initialize;
     destroy(): Promise<void>;
     getTransporter(type: TransportType, token: string, sessionId: string): Promise<Transporter | undefined>;
+    /**
+     * Get stored session from Redis (without creating a transport).
+     * Used by flows to check if session exists and can be recreated.
+     *
+     * @param type - Transport type
+     * @param token - Authorization token
+     * @param sessionId - Session ID
+     * @returns Stored session data if exists and token matches, undefined otherwise
+     */
+    getStoredSession(type: TransportType, token: string, sessionId: string): Promise<StoredSession | undefined>;
+    /**
+     * Recreate a transport from stored session data.
+     * Must be called with a valid response object to create the actual transport.
+     *
+     * @param type - Transport type
+     * @param token - Authorization token
+     * @param sessionId - Session ID
+     * @param storedSession - Previously stored session data
+     * @param res - Server response object for the new transport
+     * @returns The recreated transport
+     */
+    recreateTransporter(type: TransportType, token: string, sessionId: string, storedSession: StoredSession, res: ServerResponse): Promise<Transporter>;
+    /**
+     * Internal method to actually recreate the transport (called with mutex protection)
+     */
+    private doRecreateTransporter;
     createTransporter(type: TransportType, token: string, sessionId: string, res: ServerResponse): Promise<Transporter>;
+    /**
+     * Internal method to actually create the transport (called with mutex protection)
+     */
+    private doCreateTransporter;
     destroyTransporter(type: TransportType, token: string, sessionId: string, reason?: string): Promise<void>;
     /**
      * Get or create a shared singleton transport for anonymous stateless requests.
@@ -37,13 +83,31 @@ export declare class TransportService {
      * Used to differentiate between "session never initialized" (HTTP 400) and
      * "session expired/terminated" (HTTP 404) per MCP Spec 2025-11-25.
      *
+     * Note: This is synchronous and only checks local history. For async Redis check,
+     * use wasSessionCreatedAsync.
+     *
      * @param type - Transport type (e.g., 'streamable-http', 'sse')
      * @param token - The authorization token
      * @param sessionId - The session ID to check
-     * @returns true if session was ever created, false otherwise
+     * @returns true if session was ever created locally, false otherwise
      */
     wasSessionCreated(type: TransportType, token: string, sessionId: string): boolean;
+    /**
+     * Async version that also checks Redis for session existence.
+     * Used when we need to check if session was ever created across server restarts.
+     */
+    wasSessionCreatedAsync(type: TransportType, token: string, sessionId: string): Promise<boolean>;
     private sha256;
+    /**
+     * Create a history key from components.
+     * Uses JSON encoding to handle sessionIds that contain special characters.
+     */
+    private makeHistoryKey;
+    /**
+     * Parse a history key back into components.
+     * Returns undefined if the key is malformed.
+     */
+    private parseHistoryKey;
     private keyOf;
     private ensureTypeBucket;
     private ensureTokenBucket;