@ganintegrity/mcp 1.0.0

package/dist/errors/index.js

@@ -0,0 +1,78 @@
+/**
+ * The only code the library itself emits — surfaced in the redacted
+ * envelope when a thrown error has no mapping. Consumer codes are theirs.
+ */
+export const INTERNAL_ERROR = "INTERNAL_ERROR";
+function logMappedError(mapped, meta) {
+    if (mapped.severity === "error") {
+        meta.logger.error({
+            cause: mapped.cause,
+            code: mapped.code,
+            tool: meta.tool,
+            sessionId: meta.sessionId,
+        }, "mcp tool failed");
+    }
+    else {
+        meta.logger.info({
+            code: mapped.code,
+            tool: meta.tool,
+            sessionId: meta.sessionId,
+            message: mapped.message,
+        }, "mcp tool rejected");
+    }
+}
+function mappedEnvelope(mapped) {
+    return {
+        isError: true,
+        content: [{ type: "text", text: mapped.message }],
+        structuredContent: {
+            code: mapped.code,
+            message: mapped.message,
+            ...(mapped.details ? { details: mapped.details } : {}),
+        },
+    };
+}
+function unknownErrorEnvelope(err, meta) {
+    const message = err instanceof Error ? err.message : String(err);
+    meta.logger.error({
+        err: err instanceof Error ? err : undefined,
+        tool: meta.tool,
+        sessionId: meta.sessionId,
+    }, "mcp tool unhandled error");
+    return {
+        isError: true,
+        content: [
+            { type: "text", text: "An unexpected error occurred. Please try again." },
+        ],
+        structuredContent: {
+            code: INTERNAL_ERROR,
+            message,
+        },
+    };
+}
+/**
+ * Build the MCP `CallToolResult` envelope for a thrown error. Called
+ * automatically by `tool()` after the consumer's {@link McpErrorMapper}
+ * has had a chance to translate the throwable. Exported for consumers
+ * writing their own tool wrappers.
+ *
+ * Behaviour:
+ * - `mapped` non-null with `severity: "warn"` → logged at info; envelope
+ *   carries the mapped `code`/`message`/`details`. The agent sees the
+ *   message so it can react.
+ * - `mapped` non-null with `severity: "error"` → logged at error (with
+ *   `cause`); envelope carries the mapped `code`/`message`/`details`.
+ * - `mapped` null → logged at error with the original throwable; envelope
+ *   is a generic `INTERNAL_ERROR` with a redacted message. The original
+ *   error message is **not** surfaced.
+ *
+ * Never throws (assumes `meta.logger` does not throw).
+ */
+export function toCallToolError(mapped, originalErr, meta) {
+    if (mapped) {
+        logMappedError(mapped, meta);
+        return mappedEnvelope(mapped);
+    }
+    return unknownErrorEnvelope(originalErr, meta);
+}
+//# sourceMappingURL=index.js.map

package/dist/errors/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/errors/index.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,gBAAgB,CAAC;AAE/C,SAAS,cAAc,CAAC,MAAoB,EAAE,IAAmB;IAC/D,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf;YACE,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,EACD,iBAAiB,CAClB,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;YACE,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB,EACD,mBAAmB,CACpB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,MAAoB;IAC1C,OAAO;QACL,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;QACjD,iBAAiB,EAAE;YACjB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACvD;KACF,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,GAAY,EACZ,IAAmB;IAEnB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACjE,IAAI,CAAC,MAAM,CAAC,KAAK,CACf;QACE,GAAG,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QAC3C,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,EACD,0BAA0B,CAC3B,CAAC;IACF,OAAO;QACL,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iDAAiD,EAAE;SAC1E;QACD,iBAAiB,EAAE;YACjB,IAAI,EAAE,cAAc;YACpB,OAAO;SACR;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,eAAe,CAC7B,MAA2B,EAC3B,WAAoB,EACpB,IAAmB;IAEnB,IAAI,MAAM,EAAE,CAAC;QACX,cAAc,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC7B,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,oBAAoB,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;AACjD,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,20 @@
+import type { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js";
+declare global {
+    namespace Express {
+        interface Request {
+            mcpSessionId?: string;
+            auth?: AuthInfo;
+        }
+    }
+}
+export { createMcpServer } from "./server/index.ts";
+export type { CreateMcpServerOptions, CreateMcpServerResult, } from "./server/server.types.ts";
+export { tool } from "./tool/index.ts";
+export type { ToolSpec, ToolAnnotations, ToolContext, } from "./tool/tool.types.ts";
+export type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export { mcpAuth } from "./auth/index.ts";
+export type { McpAuthOptions, AuthUser } from "./auth/auth.types.ts";
+export { INTERNAL_ERROR, toCallToolError } from "./errors/index.ts";
+export type { McpErrorMapper, McpToolError, McpToolErrorSeverity, ToolErrorMeta, } from "./errors/errors.types.ts";
+export type { RequestStore } from "./als.ts";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAE/E,OAAO,CAAC,MAAM,CAAC;IAIb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,YAAY,CAAC,EAAE,MAAM,CAAC;YACtB,IAAI,CAAC,EAAE,QAAQ,CAAC;SACjB;KACF;CACF;AAED,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,YAAY,EACV,sBAAsB,EACtB,qBAAqB,GACtB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,YAAY,EACV,QAAQ,EACR,eAAe,EACf,WAAW,GACZ,MAAM,sBAAsB,CAAC;AAE9B,YAAY,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,YAAY,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAErE,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpE,YAAY,EACV,cAAc,EACd,YAAY,EACZ,oBAAoB,EACpB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAElC,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,5 @@
+export { createMcpServer } from "./server/index.js";
+export { tool } from "./tool/index.js";
+export { mcpAuth } from "./auth/index.js";
+export { INTERNAL_ERROR, toCallToolError } from "./errors/index.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAMpD,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AASvC,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAG1C,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/server/index.d.ts

@@ -0,0 +1,18 @@
+import type { CreateMcpServerOptions, CreateMcpServerResult } from "./server.types.ts";
+/**
+ * Build an MCP server bound to the Streamable HTTP transport.
+ *
+ * Returns a `{ server, mount }` pair. Register tools against `server` using
+ * `tool()` at boot time, then call `mount(router)` to wire the JSON-RPC
+ * endpoint onto an Express router. Each incoming HTTP request runs through:
+ *
+ *   `express.json()` → auth middleware → caller's `setupPostgan` → tool dispatch
+ *
+ * Tool handlers run inside an `AsyncLocalStorage` scope, so they pull
+ * `user` / `postgan` / `transaction` / `sessionId` / `logger` from
+ * `ToolContext` without Express objects leaking in.
+ *
+ * Synchronous and never throws.
+ */
+export declare function createMcpServer(options: CreateMcpServerOptions): CreateMcpServerResult;
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EACV,sBAAsB,EACtB,qBAAqB,EAKtB,MAAM,mBAAmB,CAAC;AA2G3B;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,sBAAsB,GAC9B,qBAAqB,CAuBvB"}

package/dist/server/index.js

@@ -0,0 +1,130 @@
+import express, {} from "express";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { mcpAuth } from "../auth/index.js";
+import { requestStore } from "../als.js";
+/**
+ * Build the recording shim handed to consumers as `server`.
+ *
+ * Why a shim and not a real `McpServer`: the SDK's
+ * `StreamableHTTPServerTransport` (stateless mode) is single-use — once it
+ * has handled one request it cannot be reused. The transport must be paired
+ * with an `McpServer`, so we need a fresh server per HTTP request. But
+ * consumers register tools once at boot, not per request — so registration
+ * is split in two:
+ *
+ *   - boot:    `tool(server, spec)` lands here and pushes onto `registrations`.
+ *   - request: {@link handleMcpRequest} constructs a real `McpServer` and
+ *              replays every recorded registration onto it before connecting
+ *              the transport.
+ *
+ * The recorder is typed as `McpServer` so `tool(server, spec)` type-checks,
+ * but `registerTool` is the only method actually implemented. Nothing in
+ * the library calls anything else on it, and the consumer is documented to
+ * only pass it to `tool()` — calls to other methods are undefined behaviour.
+ */
+function createToolRecorder() {
+    const registrations = [];
+    const recorder = {
+        registerTool: (name, config, handler) => {
+            registrations.push({ name, config, handler });
+            // Real `registerTool` returns a registration handle for later
+            // update/remove. We don't expose that surface — empty object satisfies
+            // the return type and is never read.
+            return {};
+        },
+    };
+    return { server: recorder, registrations };
+}
+/**
+ * Per-request handler. Builds the ALS store from `req.user` / `req.postgan`
+ * (set upstream by the auth + setupPostgan middleware), spins up a fresh
+ * `McpServer` + transport pair, replays the recorded tool registrations,
+ * dispatches the JSON-RPC call inside `requestStore.run(...)`, and tears
+ * down server + transport in `finally`.
+ */
+function handleMcpRequest(deps) {
+    return async (req, res) => {
+        const { user, postgan } = req;
+        if (!user || !postgan) {
+            // Defensive: mcpAuth + setupPostgan should have populated both.
+            res.status(401).json({ error: "Unauthenticated" });
+            return;
+        }
+        const sessionId = req.mcpSessionId;
+        const store = {
+            user,
+            postgan,
+            sessionId,
+            logger: deps.logger.child({
+                sessionId,
+                userId: user.id,
+                company: user.companySubdomainName,
+            }),
+            errorMapper: deps.errorMapper,
+        };
+        const requestServer = new McpServer({
+            name: deps.name,
+            version: deps.version,
+        });
+        for (const reg of deps.registrations) {
+            requestServer.registerTool(reg.name, reg.config, reg.handler);
+        }
+        const transport = new StreamableHTTPServerTransport({
+            sessionIdGenerator: undefined,
+        });
+        await requestServer.connect(transport);
+        await requestStore.run(store, async () => {
+            try {
+                await transport.handleRequest(req, res, req.body);
+            }
+            catch (err) {
+                deps.logger.error({ err, sessionId }, "mcp: transport.handleRequest threw");
+                if (!res.headersSent) {
+                    res.status(500).json({ error: "Internal MCP transport error" });
+                }
+            }
+            finally {
+                await transport.close().catch((closeErr) => {
+                    deps.logger.warn({ err: closeErr }, "mcp: transport close failed");
+                });
+                await requestServer.close().catch((closeErr) => {
+                    deps.logger.warn({ err: closeErr }, "mcp: server close failed");
+                });
+            }
+        });
+    };
+}
+/**
+ * Build an MCP server bound to the Streamable HTTP transport.
+ *
+ * Returns a `{ server, mount }` pair. Register tools against `server` using
+ * `tool()` at boot time, then call `mount(router)` to wire the JSON-RPC
+ * endpoint onto an Express router. Each incoming HTTP request runs through:
+ *
+ *   `express.json()` → auth middleware → caller's `setupPostgan` → tool dispatch
+ *
+ * Tool handlers run inside an `AsyncLocalStorage` scope, so they pull
+ * `user` / `postgan` / `transaction` / `sessionId` / `logger` from
+ * `ToolContext` without Express objects leaking in.
+ *
+ * Synchronous and never throws.
+ */
+export function createMcpServer(options) {
+    const mcpLogger = options.logger.child({ component: "mcp" });
+    const { server, registrations } = createToolRecorder();
+    const mount = async (target) => {
+        target.use(express.json());
+        target.use(mcpAuth({ tokenToUser: options.tokenToUser, logger: mcpLogger }));
+        target.use(options.setupPostgan);
+        target.post("/", handleMcpRequest({
+            name: options.name,
+            version: options.version,
+            registrations,
+            logger: mcpLogger,
+            errorMapper: options.errorMapper,
+        }));
+    };
+    return { server, mount };
+}
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,EAAE,EAA4C,MAAM,SAAS,CAAC;AAC5E,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AAEnG,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAqB,MAAM,WAAW,CAAC;AAU5D;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAS,kBAAkB;IAIzB,MAAM,aAAa,GAAuB,EAAE,CAAC;IAC7C,MAAM,QAAQ,GAAG;QACf,YAAY,EAAE,CACZ,IAAyB,EACzB,MAA2B,EAC3B,OAA4B,EAC5B,EAAE;YACF,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YAC9C,8DAA8D;YAC9D,uEAAuE;YACvE,qCAAqC;YACrC,OAAO,EAA2C,CAAC;QACrD,CAAC;KACsB,CAAC;IAC1B,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,CAAC;AAC7C,CAAC;AAED;;;;;;GAMG;AACH,SAAS,gBAAgB,CAAC,IAAuB;IAC/C,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAiB,EAAE;QAC1D,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,GAAyB,CAAC;QACpD,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACtB,gEAAgE;YAChE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC;QACnC,MAAM,KAAK,GAAiB;YAC1B,IAAI;YACJ,OAAO;YACP,SAAS;YACT,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;gBACxB,SAAS;gBACT,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,OAAO,EAAE,IAAI,CAAC,oBAAoB;aACnC,CAAC;YACF,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;QAEF,MAAM,aAAa,GAAG,IAAI,SAAS,CAAC;YAClC,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC,CAAC;QACH,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACrC,aAAa,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QAChE,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;YAClD,kBAAkB,EAAE,SAAS;SAC9B,CAAC,CAAC;QACH,MAAM,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEvC,MAAM,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;YACpD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAE,GAAG,EAAE,SAAS,EAAE,EAClB,oCAAoC,CACrC,CAAC;gBACF,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;oBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC,CAAC;gBAClE,CAAC;YACH,CAAC;oBAAS,CAAC;gBACT,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,QAAiB,EAAE,EAAE;oBAClD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,6BAA6B,CAAC,CAAC;gBACrE,CAAC,CAAC,CAAC;gBACH,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,QAAiB,EAAE,EAAE;oBACtD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,0BAA0B,CAAC,CAAC;gBAClE,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,eAAe,CAC7B,OAA+B;IAE/B,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7D,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,GAAG,kBAAkB,EAAE,CAAC;IAEvD,MAAM,KAAK,GAAG,KAAK,EAAE,MAAc,EAAiB,EAAE;QACpD,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3B,MAAM,CAAC,GAAG,CACR,OAAO,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CACjE,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CACT,GAAG,EACH,gBAAgB,CAAC;YACf,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,aAAa;YACb,MAAM,EAAE,SAAS;YACjB,WAAW,EAAE,OAAO,CAAC,WAAW;SACjC,CAAC,CACH,CAAC;IACJ,CAAC,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC"}

package/dist/server/server.types.d.ts

@@ -0,0 +1,78 @@
+import type { Request, RequestHandler, Router } from "express";
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { Postgan } from "@ganintegrity/postgan";
+import type { Logger } from "pino";
+import type { AuthUser } from "../auth/auth.types.ts";
+import type { McpErrorMapper } from "../errors/errors.types.ts";
+/**
+ * Configuration for `createMcpServer()`.
+ */
+export interface CreateMcpServerOptions {
+    /** MCP server name advertised to clients during initialisation. */
+    name: string;
+    /** MCP server version advertised to clients during initialisation. */
+    version: string;
+    /**
+     * Service logger. The library calls `logger.child({ component: "mcp" })`
+     * internally and further childs with `sessionId` / `userId` / `company`
+     * per request and with `tool` / `sessionId` per tool call.
+     */
+    logger: Logger;
+    /**
+     * Resolve a bearer token to a user. See `McpAuthOptions.tokenToUser`.
+     * Reject by throwing — the library responds `401`.
+     */
+    tokenToUser: (token: string) => Promise<AuthUser>;
+    /**
+     * Express middleware that attaches a `Postgan` instance to `req.postgan`.
+     * Mounted automatically between the auth middleware and the JSON-RPC
+     * dispatcher; tools open per-call transactions against `ctx.postgan`.
+     *
+     * The library is neutral about how Postgan is constructed — supply your
+     * service's existing setup-postgan middleware.
+     */
+    setupPostgan: RequestHandler;
+    /**
+     * Translate a thrown error into an MCP envelope. Return `null` to fall
+     * through to a redacted `INTERNAL_ERROR` envelope — appropriate for
+     * anything you don't want surfaced to the agent. Without a mapper every
+     * thrown error becomes `INTERNAL_ERROR`.
+     */
+    errorMapper?: McpErrorMapper;
+}
+/**
+ * Return value of `createMcpServer()`.
+ */
+export interface CreateMcpServerResult {
+    /**
+     * Tool-registration target. Pass to `tool()` at boot, once per tool.
+     * Treat as opaque — `tool()` is the only supported way to use it.
+     */
+    server: McpServer;
+    /**
+     * Attach the MCP route handlers (auth + setupPostgan + JSON-RPC dispatch)
+     * to the supplied Express router. Caller decides the mount path
+     * (`app.use("/mcp", router)`).
+     *
+     * Resolves once the route is attached. Never throws.
+     */
+    mount: (target: Router) => Promise<void>;
+}
+export type RegisterToolArgs = Parameters<McpServer["registerTool"]>;
+export type ReqWithUserPostgan = Request & {
+    user?: AuthUser;
+    postgan?: Postgan;
+};
+export interface ToolRegistration {
+    name: RegisterToolArgs[0];
+    config: RegisterToolArgs[1];
+    handler: RegisterToolArgs[2];
+}
+export interface HandleRequestDeps {
+    name: string;
+    version: string;
+    registrations: readonly ToolRegistration[];
+    logger: Logger;
+    errorMapper?: McpErrorMapper;
+}
+//# sourceMappingURL=server.types.d.ts.map

package/dist/server/server.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.types.d.ts","sourceRoot":"","sources":["../../src/server/server.types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAEnC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,OAAO,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,WAAW,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClD;;;;;;;OAOG;IACH,YAAY,EAAE,cAAc,CAAC;IAC7B;;;;;OAKG;IACH,WAAW,CAAC,EAAE,cAAc,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,MAAM,EAAE,SAAS,CAAC;IAClB;;;;;;OAMG;IACH,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1C;AAID,MAAM,MAAM,gBAAgB,GAAG,UAAU,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC;AAErE,MAAM,MAAM,kBAAkB,GAAG,OAAO,GAAG;IACzC,IAAI,CAAC,EAAE,QAAQ,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,CAAC;AAEF,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,SAAS,gBAAgB,EAAE,CAAC;IAC3C,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,cAAc,CAAC;CAC9B"}

package/dist/server/server.types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=server.types.js.map

package/dist/server/server.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.types.js","sourceRoot":"","sources":["../../src/server/server.types.ts"],"names":[],"mappings":""}

package/dist/tool/index.d.ts

@@ -0,0 +1,26 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { z } from "zod";
+import type { ToolSpec } from "./tool.types.ts";
+/**
+ * Register a tool against the MCP server returned by `createMcpServer()`.
+ * The wrapper around your handler:
+ *
+ * 1. Builds a {@link ToolContext} from the active request scope.
+ * 2. Opens a fresh `Postgan.Transaction` before calling your handler.
+ * 3. On resolve, commits the transaction and returns a `CallToolResult`
+ *    where the handler's return value is surfaced both as a JSON `text`
+ *    content block (for non-structured-aware clients) and as
+ *    `structuredContent` (for AI-SDK clients).
+ * 4. On throw, rolls back the transaction and routes the error through
+ *    the consumer's `McpErrorMapper` (passed to `createMcpServer`) to
+ *    build an MCP error envelope.
+ *
+ * Registration itself is synchronous and does not throw. The wrapped handler
+ * **may** throw at request time — but only if it is invoked outside an
+ * active request scope, which indicates a programming bug (the handler was
+ * dispatched without going through `mount()`'s ALS wrapper). Such throws
+ * propagate to the SDK transport and surface as an HTTP 500. Errors raised
+ * by your own handler logic are caught and never propagate.
+ */
+export declare function tool<Schema extends z.ZodObject, Output extends Record<string, unknown>>(server: McpServer, spec: ToolSpec<Schema, Output>): void;
+//# sourceMappingURL=index.d.ts.map

package/dist/tool/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/tool/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAIzE,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAI7B,OAAO,KAAK,EAAe,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AA6B7D;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,IAAI,CAClB,MAAM,SAAS,CAAC,CAAC,SAAS,EAC1B,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACtC,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAiDzD"}

package/dist/tool/index.js

@@ -0,0 +1,88 @@
+import { requestStore } from "../als.js";
+import { toCallToolError } from "../errors/index.js";
+/**
+ * Open a postgan transaction, run `body` against it, and finalise:
+ * commit on resolve, rollback on throw. A failing rollback is logged at
+ * error level but never re-thrown — the original error from `body` is what
+ * propagates.
+ */
+async function withTransaction(postgan, logger, body) {
+    const tx = new postgan.Transaction();
+    await tx.begin();
+    try {
+        const result = await body(tx);
+        await tx.commit();
+        return result;
+    }
+    catch (err) {
+        if (tx.active) {
+            await tx.rollback().catch((rollbackErr) => {
+                logger.error({ err: rollbackErr }, "mcp: transaction rollback failed");
+            });
+        }
+        throw err;
+    }
+}
+/**
+ * Register a tool against the MCP server returned by `createMcpServer()`.
+ * The wrapper around your handler:
+ *
+ * 1. Builds a {@link ToolContext} from the active request scope.
+ * 2. Opens a fresh `Postgan.Transaction` before calling your handler.
+ * 3. On resolve, commits the transaction and returns a `CallToolResult`
+ *    where the handler's return value is surfaced both as a JSON `text`
+ *    content block (for non-structured-aware clients) and as
+ *    `structuredContent` (for AI-SDK clients).
+ * 4. On throw, rolls back the transaction and routes the error through
+ *    the consumer's `McpErrorMapper` (passed to `createMcpServer`) to
+ *    build an MCP error envelope.
+ *
+ * Registration itself is synchronous and does not throw. The wrapped handler
+ * **may** throw at request time — but only if it is invoked outside an
+ * active request scope, which indicates a programming bug (the handler was
+ * dispatched without going through `mount()`'s ALS wrapper). Such throws
+ * propagate to the SDK transport and surface as an HTTP 500. Errors raised
+ * by your own handler logic are caught and never propagate.
+ */
+export function tool(server, spec) {
+    server.registerTool(spec.name, {
+        description: spec.description,
+        inputSchema: spec.inputSchema.shape,
+        ...(spec.annotations ? { annotations: spec.annotations } : {}),
+    }, async (args, extra) => {
+        const store = requestStore.getStore();
+        if (!store) {
+            // Unreachable: createMcpServer.mount() always wraps tool dispatch in
+            // requestStore.run(). Throw to surface the bug rather than silently
+            // returning an error envelope without a logger.
+            throw new Error("mcp tool invoked outside request scope");
+        }
+        const sessionId = store.sessionId ?? extra?.sessionId;
+        const logger = store.logger.child({ tool: spec.name, sessionId });
+        try {
+            const result = await withTransaction(store.postgan, logger, (transaction) => {
+                const ctx = {
+                    user: store.user,
+                    postgan: store.postgan,
+                    transaction,
+                    sessionId,
+                    logger,
+                };
+                return spec.handler(args, ctx);
+            });
+            return {
+                content: [{ type: "text", text: JSON.stringify(result) }],
+                structuredContent: result,
+            };
+        }
+        catch (err) {
+            const mapped = store.errorMapper?.(err) ?? null;
+            return toCallToolError(mapped, err, {
+                tool: spec.name,
+                sessionId,
+                logger,
+            });
+        }
+    });
+}
+//# sourceMappingURL=index.js.map

package/dist/tool/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/tool/index.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAGrD;;;;;GAKG;AACH,KAAK,UAAU,eAAe,CAC5B,OAAgB,EAChB,MAAc,EACd,IAA4C;IAE5C,MAAM,EAAE,GAAG,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;IACjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9B,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,CAAC;YACd,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC,WAAoB,EAAE,EAAE;gBACjD,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,EAAE,kCAAkC,CAAC,CAAC;YACzE,CAAC,CAAC,CAAC;QACL,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,IAAI,CAGlB,MAAiB,EAAE,IAA8B;IACjD,MAAM,CAAC,YAAY,CACjB,IAAI,CAAC,IAAI,EACT;QACE,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;QACnC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/D,EACD,KAAK,EAAE,IAAI,EAAE,KAAK,EAA2B,EAAE;QAC7C,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,EAAE,CAAC;QACtC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,qEAAqE;YACrE,oEAAoE;YACpE,gDAAgD;YAChD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,KAAK,EAAE,SAAS,CAAC;QACtD,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;QAElE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC,KAAK,CAAC,OAAO,EACb,MAAM,EACN,CAAC,WAAW,EAAmB,EAAE;gBAC/B,MAAM,GAAG,GAAgB;oBACvB,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,OAAO,EAAE,KAAK,CAAC,OAAO;oBACtB,WAAW;oBACX,SAAS;oBACT,MAAM;iBACP,CAAC;gBACF,OAAO,IAAI,CAAC,OAAO,CAAC,IAAuB,EAAE,GAAG,CAAC,CAAC;YACpD,CAAC,CACF,CAAC;YACF,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzD,iBAAiB,EAAE,MAAM;aAC1B,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;YAChD,OAAO,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE;gBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,SAAS;gBACT,MAAM;aACP,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/tool/tool.types.d.ts

@@ -0,0 +1,72 @@
+import type { Postgan, PostganTransaction } from "@ganintegrity/postgan";
+import type { Logger } from "pino";
+import type { z } from "zod";
+import type { AuthUser } from "../auth/auth.types.ts";
+/**
+ * What every tool handler receives as its second argument.
+ */
+export interface ToolContext {
+    /** Authenticated user. Cast to your service's richer type for extra fields. */
+    user: AuthUser;
+    /** Per-request Postgan instance. */
+    postgan: Postgan;
+    /**
+     * Transaction opened immediately before the handler runs. Auto-committed
+     * if the handler resolves; rolled back if it throws. **Do not call
+     * `commit()` or `rollback()` yourself** — the library owns the lifecycle.
+     */
+    transaction: PostganTransaction;
+    /** Forwarded `X-Session-Id` header value if present. Useful for log correlation. */
+    sessionId?: string;
+    /** Logger childed with this tool's name and the session id. */
+    logger: Logger;
+}
+/**
+ * MCP-spec tool annotations surfaced to clients during `tools/list`. All
+ * fields are optional hints — clients use them to decide things like whether
+ * to auto-approve calls or warn users.
+ *
+ * Pick honestly: `readOnlyHint: true` on a tool that mutates is worse than
+ * leaving the hint unset.
+ */
+export interface ToolAnnotations {
+    /** Human-readable display title (defaults to `name` if omitted). */
+    title?: string;
+    /** True if the tool only reads — never writes or mutates state. */
+    readOnlyHint?: boolean;
+    /** True if the tool may delete or destroy data. */
+    destructiveHint?: boolean;
+    /** True if calling twice with the same args produces the same result. */
+    idempotentHint?: boolean;
+    /** True if the tool reaches out to external systems (network, third-party APIs). */
+    openWorldHint?: boolean;
+}
+/**
+ * Specification passed to `tool()`. Defines the tool's name, description,
+ * input schema, optional annotations, and the handler that executes it.
+ *
+ * @template Schema  Zod object schema describing the tool's input.
+ * @template Output  Plain object the handler returns. Surfaced as both a JSON
+ *   `text` content block and as `structuredContent`.
+ */
+export interface ToolSpec<Schema extends z.ZodObject, Output> {
+    /** Stable identifier the agent uses to invoke the tool. */
+    name: string;
+    /**
+     * Description shown to the agent. Treat this as a prompt — be precise about
+     * when to call the tool, when not to, and how to interpret the output.
+     */
+    description: string;
+    /** Zod object schema. The library forwards `.shape` to the SDK. */
+    inputSchema: Schema;
+    /** Optional MCP annotations; see {@link ToolAnnotations}. */
+    annotations?: ToolAnnotations;
+    /**
+     * The actual tool implementation. Receives the parsed input plus the
+     * per-call {@link ToolContext}. Throw to signal failure — the wrapper
+     * rolls back the transaction and routes the error through the consumer's
+     * `McpErrorMapper` to build an MCP error envelope.
+     */
+    handler: (args: z.infer<Schema>, ctx: ToolContext) => Promise<Output>;
+}
+//# sourceMappingURL=tool.types.d.ts.map

package/dist/tool/tool.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool.types.d.ts","sourceRoot":"","sources":["../../src/tool/tool.types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AACzE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AACnC,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAC7B,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAEtD;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,+EAA+E;IAC/E,IAAI,EAAE,QAAQ,CAAC;IACf,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB;;;;OAIG;IACH,WAAW,EAAE,kBAAkB,CAAC;IAChC,oFAAoF;IACpF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+DAA+D;IAC/D,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,eAAe;IAC9B,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mEAAmE;IACnE,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,mDAAmD;IACnD,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,yEAAyE;IACzE,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,oFAAoF;IACpF,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,QAAQ,CAAC,MAAM,SAAS,CAAC,CAAC,SAAS,EAAE,MAAM;IAC1D,2DAA2D;IAC3D,IAAI,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,WAAW,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;;;OAKG;IACH,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACvE"}

package/dist/tool/tool.types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=tool.types.js.map

package/dist/tool/tool.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool.types.js","sourceRoot":"","sources":["../../src/tool/tool.types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,65 @@
+{
+  "name": "@ganintegrity/mcp",
+  "version": "1.0.0",
+  "description": "Provides tooling to scaffold an MCP server",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "lint": "eslint 'src/**/*.ts'",
+    "typecheck": "tsc --noEmit && tsc -p tsconfig.test.json",
+    "format": "pnpx prettier . -w",
+    "format:check": "pnpx prettier . -c",
+    "typecheck:watch": "tsc --noEmit --watch"
+  },
+  "keywords": [
+    "mcp",
+    "ai"
+  ],
+  "author": "GAN Integrity",
+  "license": "Proprietary",
+  "packageManager": "pnpm@10.33.0",
+  "peerDependencies": {
+    "@ganintegrity/postgan": "^28",
+    "@ganintegrity/postgres-migrations": "^16",
+    "express": "^5",
+    "pino": "^10",
+    "zod": "^4"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "1.29.0"
+  },
+  "devDependencies": {
+    "@commitlint/cli": "^20.5.3",
+    "@commitlint/config-conventional": "^20.5.3",
+    "@eslint/js": "^10.0.1",
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/gitlab": "^13.3.2",
+    "@types/express": "^5.0.6",
+    "@types/node": "^25.6.0",
+    "@types/supertest": "^7.2.0",
+    "@vitest/coverage-v8": "^4.1.4",
+    "eslint": "^10.3.0",
+    "fallow": "^2.58.0",
+    "prettier": "^3.8.3",
+    "semantic-release": "^25.0.3",
+    "supertest": "^7.2.2",
+    "typescript": "^6.0.3",
+    "typescript-eslint": "^8.59.1",
+    "vitest": "^4.1.4"
+  }
+}