@gmag11/nodered-mcp-server 1.0.1

package/src/tools/update-flow.js

@@ -0,0 +1,95 @@
+/**
+ * MCP tool: update-flow
+ *
+ * Updates metadata fields (label, disabled, info, env) of an existing Node-RED flow tab.
+ * Stages the change locally — call `deploy` to push to Node-RED.
+ * Preserves the nodes array unchanged. Refuses to update a locked flow.
+ */
+
+import { formatSuccess } from './response-utils.js';
+
+import { ANN_MUTATION } from './constants.js';
+import { UpdateFlowResponseSchema } from '../schemas/responses.js';
+const ALLOWED_FIELDS = ['label', 'disabled', 'info', 'env'];
+
+/**
+ * Apply updates to a flow object, returning the merged result and the original.
+ *
+ * @param {object} currentFlow - Full flow object
+ * @param {object} updates - Fields to update (only label/disabled/info/env honoured)
+ * @returns {{ updatedFlow: object, previousState: object }}
+ */
+export function applyFlowUpdate(currentFlow, updates) {
+  if (!updates || Object.keys(updates).length === 0) {
+    throw new Error('No properties to update. Provide at least one of: label, disabled, info, env.');
+  }
+
+  if (currentFlow.locked) {
+    throw new Error(`Flow '${currentFlow.id}' is locked. This flow is locked (read-only). Use get-flow-nodes to inspect its nodes without modifying them.`);
+  }
+
+  const filteredUpdates = Object.fromEntries(
+    Object.entries(updates).filter(([k]) => ALLOWED_FIELDS.includes(k)),
+  );
+
+  const updatedFlow = {
+    ...currentFlow,
+    ...filteredUpdates,
+  };
+
+  return { updatedFlow, previousState: currentFlow };
+}
+
+/**
+ * Apply an update-flow mutation to the flows array.
+ *
+ * Finds the tab by ID, applies updates, replaces it in the array.
+ * No HTTP — pure data transformation.
+ *
+ * @param {object} rawResponse - Wrapper with `flows` array
+ * @param {string} flowId - ID of the flow tab to update
+ * @param {object} updates - Fields to update
+ * @returns {{ updatedFlows: object[], previousState: object, currentState: object }}
+ * @throws {Error} If flow not found or locked
+ */
+export function applyUpdateFlow(rawResponse, flowId, updates) {
+  const flows = rawResponse.flows ?? rawResponse;
+
+  const tabIndex = flows.findIndex((n) => n.type === 'tab' && n.id === flowId);
+  if (tabIndex === -1) {
+    throw new Error(`Flow '${flowId}' not found. Use get-flows to list available flow tabs.`);
+  }
+
+  const { updatedFlow, previousState } = applyFlowUpdate(flows[tabIndex], updates);
+
+  const updatedFlows = flows.map((n, i) => (i === tabIndex ? updatedFlow : n));
+
+  return { updatedFlows, previousState, currentState: updatedFlow };
+}
+
+/**
+ * Handler for the update-flow MCP tool.
+ *
+ * @param {import('../staging-store.js').StagingStore} staging
+ * @param {object} params
+ * @param {string} params.flowId
+ * @param {object} params.updates
+ * @returns {Promise<{ content: Array<{ type: string, text: string }> }>}
+ */
+export async function handleUpdateFlow(staging, params) {
+  const { flowId, updates } = params;
+
+  const { previousState, currentState } = await staging.applyMutation((rawResponse) => {
+    return applyUpdateFlow(rawResponse, flowId, updates);
+  });
+
+      const data = { flowId, previousState, currentState, staging: staging.getStagingSummary() };
+    return formatSuccess(data);
+}
+
+export const updateFlowDefinition = {
+  name: 'update-flow',
+  annotations: ANN_MUTATION,
+  outputSchema: UpdateFlowResponseSchema,
+  handler: handleUpdateFlow,
+};

package/src/tools/update-group.js

@@ -0,0 +1,77 @@
+/**
+ * MCP tool: update-group
+ *
+ * Modifies a Node-RED group node's metadata (name, style, position, size).
+ * Delegates to update-node's applyNodeUpdate after validating the target
+ * is a `type: "group"` node.
+ */
+
+import { applyNodeUpdate } from './update-node.js';
+
+import { ANN_MUTATION } from './constants.js';
+import { UpdateNodeResponseSchema } from '../schemas/responses.js';
+/**
+ * Apply a property update to a group node in the flows array.
+ * Validates that the target node is `type: "group"` before delegating.
+ *
+ * @param {object} rawResponse - Raw GET /flows response (must contain `flows` array)
+ * @param {string} groupId - ID of the group node to update
+ * @param {object} properties - Properties to shallow-merge onto the group node
+ * @returns {{ updatedFlows: object[], previousState: object, currentState: object }}
+ */
+export function applyUpdateGroup(rawResponse, groupId, properties) {
+  const flows = rawResponse.flows ?? rawResponse;
+
+  // Validate the target is a group node
+  const groupNode = flows.find((n) => n.id === groupId);
+  if (!groupNode) {
+    throw new Error(`Group '${groupId}' not found. Use get-flow-nodes to list groups in the parent flow, or search-nodes with type: "group" to find it.`);
+  }
+  if (groupNode.type !== 'group') {
+    throw new Error(`Node '${groupId}' is not a group. Use get-flow-nodes to find group nodes or search-nodes with type: "group".`);
+  }
+
+  // Delegate to update-node's logic
+  return applyNodeUpdate(rawResponse, groupId, properties);
+}
+
+/**
+ * Handler for the update-group MCP tool.
+ *
+ * @param {ReturnType<import('../nodered/client.js').createNodeRedClient>} client
+ * @param {object} params
+ * @param {string} params.groupId
+ * @param {object} params.properties
+ * @returns {Promise<{ content: Array<{ type: string, text: string }> }>}
+ */
+export async function handleUpdateGroup(staging, client, params) {
+  const { groupId, properties } = params;
+
+  const result = await staging.applyMutation((rawResponse) => {
+    return applyUpdateGroup(rawResponse, groupId, properties);
+  });
+
+  const responseData = {
+    groupId,
+    previousState: result.previousState,
+    currentState: result.currentState,
+    staging: staging.getStagingSummary(),
+  };
+
+  return {
+    content: [
+      {
+        type: 'text',
+        text: JSON.stringify(responseData, null, 2),
+      },
+    ],
+    structuredContent: responseData,
+  };
+}
+
+export const updateGroupDefinition = {
+  name: 'update-group',
+  annotations: ANN_MUTATION,
+  outputSchema: UpdateNodeResponseSchema,
+  handler: handleUpdateGroup,
+};

package/src/tools/update-node.js

@@ -0,0 +1,132 @@
+/**
+ * MCP tool: update-node
+ *
+ * Shallow-merges a `properties` object onto an existing Node-RED node's
+ * configuration and deploys the result. Wiring changes are explicitly
+ * rejected — agents must use connect-nodes / disconnect-nodes instead.
+ * Refuses to mutate nodes in locked flows.
+ *
+ * Credential handling (via normalizeCredentials from flow-utils.js):
+ * When updating configuration nodes (e.g. mqtt-broker, http-proxy),
+ * credential fields like `username`, `password`, `key`, `token`, etc.
+ * must be nested under a `credentials` sub-object to match Node-RED's
+ * credential storage model. This module automatically detects and moves
+ * credential fields into the `credentials` object.
+ *
+ * Node-RED strips credential values from GET /flows responses for privacy,
+ * so the `credentials` property may be absent from the node. Detection uses
+ * a well-known set of credential field names as a fallback.
+ *
+ * Partial credential updates are supported: only the fields you specify
+ * are updated; unspecified credential fields retain their previous values.
+ */
+
+import { normalizeCredentials } from './flow-utils.js';
+
+import { formatSuccess } from './response-utils.js';
+import { ANN_MUTATION } from './constants.js';
+import { UpdateNodeResponseSchema } from '../schemas/responses.js';
+/**
+ * Apply a property update to a node in the flows array.
+ *
+ * @param {object} rawResponse - Raw GET /flows response (must contain `flows` array)
+ * @param {string} nodeId - ID of the node to update
+ * @param {object} properties - Properties to shallow-merge onto the node
+ * @param {string[]|null} [credentialKeys=null] - Authoritative credential field names from the API, or null to auto-detect
+ * @returns {{ updatedFlows: object[], previousState: object, currentState: object }}
+ */
+export function applyNodeUpdate(rawResponse, nodeId, properties, credentialKeys = null) {
+  // Reject wires in properties — wiring is managed by connect/disconnect tools
+  if (Object.prototype.hasOwnProperty.call(properties, 'wires')) {
+    throw new Error(
+      "Cannot set 'wires' via update-node. " +
+      "To add a connection: call connect-nodes with { fromNodeId, toNodeId, outputPort }. " +
+      "To remove a connection: call disconnect-nodes with { fromNodeId, toNodeId, outputPort }.",
+    );
+  }
+
+  const flows = rawResponse.flows ?? rawResponse;
+
+  // Find the target node
+  const nodeIndex = flows.findIndex((n) => n.id === nodeId);
+  if (nodeIndex === -1) {
+    throw new Error(`Node '${nodeId}' not found. Use search-nodes with the node name or get-flow-nodes to list nodes in the parent flow.`);
+  }
+
+  const node = flows[nodeIndex];
+
+  // Check parent flow lock
+  const parentFlowId = node.z;
+  if (parentFlowId) {
+    const parentFlow = flows.find(
+      (n) => (n.type === 'tab' || n.type === 'subflow') && n.id === parentFlowId,
+    );
+    if (parentFlow?.locked) {
+      throw new Error(`Flow '${parentFlowId}' is locked. This flow is locked (read-only). Use get-flow-nodes to inspect its nodes without modifying them.`);
+    }
+  }
+
+  // Normalize properties: move credential fields under `credentials` and
+  // deep-merge with existing credentials to preserve unspecified fields.
+  // credentialKeys comes from the Node-RED /credentials/:type/:id API when available.
+  const normalizedProperties = normalizeCredentials(properties, node, credentialKeys);
+
+  const previousState = { ...node };
+  const currentState = { ...node, ...normalizedProperties };
+
+  const updatedFlows = flows.map((n, i) => (i === nodeIndex ? currentState : n));
+
+  return { updatedFlows, previousState, currentState };
+}
+
+/**
+ * Handler for the update-node MCP tool.
+ *
+ * @param {import('../staging-store.js').StagingStore} staging
+ * @param {ReturnType<import('../nodered/client.js').createNodeRedClient>} client
+ * @param {object} params
+ * @param {string} params.nodeId
+ * @param {object} params.properties
+ * @returns {Promise<{ content: Array<{ type: string, text: string }> }>}
+ */
+export async function handleUpdateNode(staging, client, params) {
+  const { nodeId, properties } = params;
+
+  // Fetch credential metadata once (outside mutation — just for detection)
+  let credentialKeys = null;
+  try {
+    const initialFlows = await staging.getFlows();
+    const initialNode = initialFlows.find((n) => n.id === nodeId);
+    if (initialNode) {
+      try {
+        const credResponse = await client.request('GET', `/credentials/${encodeURIComponent(initialNode.type)}/${encodeURIComponent(nodeId)}`);
+        if (credResponse && typeof credResponse === 'object') {
+          credentialKeys = Object.keys(credResponse).flatMap((k) => {
+            if (k.startsWith('has_')) {
+              return [k.slice(4)]; // has_password → password
+            }
+            return [k];
+          });
+        }
+      } catch {
+        // Fall back to heuristic detection
+      }
+    }
+  } catch {
+    // Node not found or other error — applyNodeUpdate will handle validation
+  }
+
+  const { previousState, currentState } = await staging.applyMutation((rawResponse) => {
+    return applyNodeUpdate(rawResponse, nodeId, properties, credentialKeys);
+  });
+
+      const data = { nodeId, previousState, currentState, staging: staging.getStagingSummary() };
+    return formatSuccess(data);
+}
+
+export const updateNodeDefinition = {
+  name: 'update-node',
+  annotations: ANN_MUTATION,
+  outputSchema: UpdateNodeResponseSchema,
+  handler: handleUpdateNode,
+};

package/src/tools/update-subflow.js

@@ -0,0 +1,84 @@
+/**
+ * MCP tool: update-subflow
+ *
+ * Updates metadata fields of an existing subflow definition.
+ * Allowed fields: name, info, category, color, icon, in, out.
+ * Performs a partial merge — unspecified fields are preserved.
+ * Refuses to update a locked subflow.
+ */
+
+import { formatSuccess } from './response-utils.js';
+
+import { ANN_MUTATION } from './constants.js';
+import { UpdateSubflowResponseSchema } from '../schemas/responses.js';
+const ALLOWED_FIELDS = ['name', 'info', 'category', 'color', 'icon', 'in', 'out'];
+
+/**
+ * Apply updates to a subflow object, returning the merged result.
+ *
+ * @param {object} currentSubflow - Full subflow node from GET /flows
+ * @param {object} updates - Fields to update (only allowed fields honoured)
+ * @returns {{ updatedSubflow: object, previousState: object }}
+ * @throws {Error} If no valid updates provided or subflow is locked
+ */
+export function applySubflowUpdate(currentSubflow, updates) {
+  if (!updates || Object.keys(updates).length === 0) {
+    throw new Error('No properties to update. Provide at least one of: name, info, category, color, icon, in, out.');
+  }
+
+  if (currentSubflow.locked) {
+    throw new Error(`Subflow '${currentSubflow.id}' is locked. This subflow is locked (read-only). Use get-subflow-detail to inspect it without modifying.`);
+  }
+
+  const filteredUpdates = Object.fromEntries(
+    Object.entries(updates).filter(([k]) => ALLOWED_FIELDS.includes(k)),
+  );
+
+  if (Object.keys(filteredUpdates).length === 0) {
+    throw new Error('No valid properties to update. Allowed fields are: name, info, category, color, icon, in, out.');
+  }
+
+  const updatedSubflow = {
+    ...currentSubflow,
+    ...filteredUpdates,
+  };
+
+  return { updatedSubflow, previousState: currentSubflow };
+}
+
+/**
+ * Handler for the update-subflow MCP tool.
+ *
+ * @param {ReturnType<import('../nodered/client.js').createNodeRedClient>} client
+ * @param {object} params
+ * @param {string} params.subflowId
+ * @param {object} params.updates
+ * @returns {Promise<{ content: Array<{ type: string, text: string }> }>}
+ */
+export async function handleUpdateSubflow(staging, client, params) {
+  const { subflowId, updates } = params;
+
+  const { previousState, updatedSubflow: currentState } = await staging.applyMutation((rawResponse) => {
+    const flows = rawResponse.flows || [];
+    const subflowIndex = flows.findIndex(
+      (n) => n.type === 'subflow' && n.id === subflowId,
+    );
+    if (subflowIndex === -1) {
+      throw new Error(`Subflow '${subflowId}' not found. Use get-subflows to list available subflow definitions.`);
+    }
+    const { updatedSubflow, previousState } = applySubflowUpdate(flows[subflowIndex], updates);
+    const updatedFlows = [...flows];
+    updatedFlows[subflowIndex] = updatedSubflow;
+    return { updatedFlows, previousState, updatedSubflow };
+  });
+
+      const data = { subflowId, previousState, currentState, staging: staging.getStagingSummary() };
+    return formatSuccess(data);
+}
+
+export const updateSubflowDefinition = {
+  name: 'update-subflow',
+  annotations: ANN_MUTATION,
+  outputSchema: UpdateSubflowResponseSchema,
+  handler: handleUpdateSubflow,
+};

package/src/transport/http.js

@@ -0,0 +1,252 @@
+/**
+ * Streamable HTTP transport for the MCP server.
+ */
+
+import express from 'express';
+import http from 'node:http';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js';
+import { mcpAuthRouter, getOAuthProtectedResourceMetadataUrl } from '@modelcontextprotocol/sdk/server/auth/router.js';
+import { randomUUID } from 'node:crypto';
+import { WSServer } from './ws-server.js';
+import { buildHTML } from '../renderer/html-builder.js';
+import { createCompositeVerifier } from '../auth/composite-verifier.js';
+
+/**
+ * Start the MCP server using Streamable HTTP transport via Express.
+ *
+ * @param {() => import('@modelcontextprotocol/sdk/server/mcp.js').McpServer} serverFactory
+ * @param {number} port
+ * @param {import('../staging-store.js').StagingStore} [initialStaging] - eagerly-loaded staging for the viewer/WS
+ * @param {object} [authOptions] - Authentication configuration
+ * @param {string|null} [authOptions.apiKey] - API key for Bearer token auth
+ * @param {import('../auth/oauth-provider.js').OAuthProvider} [authOptions.oauthProvider] - OAuth provider (when OAuth is enabled)
+ * @param {string} [authOptions.oauthIssuerUrl] - Base issuer URL for OAuth
+ */
+export async function startHttpTransport(serverFactory, port, initialStaging, authOptions) {
+  const app = express();
+  app.use(express.json());
+
+  // Map of sessionId -> transport
+  const transports = {};
+
+  // ── Authentication middleware ─────────────────────────────────────
+
+  const hasAuth = !!(authOptions?.apiKey || authOptions?.oauthProvider);
+
+  if (hasAuth) {
+    // Build the composite verifier: API key first, then OAuth
+    const verifier = createCompositeVerifier({
+      apiKey: authOptions.apiKey,
+      oauthVerifier: authOptions.oauthProvider || null,
+    });
+
+    // Determine resource metadata URL for WWW-Authenticate header
+    const resourceMetadataUrl = authOptions.oauthProvider && authOptions.oauthIssuerUrl
+      ? getOAuthProtectedResourceMetadataUrl(new URL('/mcp', authOptions.oauthIssuerUrl))
+      : undefined;
+
+    const authMiddleware = requireBearerAuth({
+      verifier,
+      requiredScopes: [],
+      resourceMetadataUrl,
+    });
+
+    // Apply auth BEFORE the logging middleware so unauthorized requests
+    // are rejected early. The SDK middleware handles 401/403 responses.
+    app.use('/mcp', authMiddleware);
+  }
+
+  // Log every incoming request (runs after auth middleware if active)
+  app.use('/mcp', (req, _res, next) => {
+    const sid = req.headers['mcp-session-id'] || '(none)';
+    const accept = req.headers['accept'] || '(none)';
+    console.error(`[nodered-mcp] ${req.method} /mcp  session=${sid}  accept=${accept}  bodyType=${typeof req.body}`);
+    next();
+  });
+
+  app.get('/mcp', async (req, res) => {
+    const sessionId = req.headers['mcp-session-id'];
+    if (!sessionId || !transports[sessionId]) {
+      console.error(`[nodered-mcp] GET /mcp rejected - unknown session: ${sessionId}`);
+      res.status(400).json({ error: 'Missing or invalid session ID' });
+      return;
+    }
+    console.error(`[nodered-mcp] GET /mcp SSE stream opened  session=${sessionId}`);
+    await transports[sessionId].handleRequest(req, res);
+  });
+
+  app.delete('/mcp', async (req, res) => {
+    const sessionId = req.headers['mcp-session-id'];
+    if (sessionId && transports[sessionId]) {
+      console.error(`[nodered-mcp] Session closed: ${sessionId}`);
+      await transports[sessionId].close();
+      delete transports[sessionId];
+    }
+    res.status(200).end();
+  });
+
+  // ── Staging snapshot endpoint ─────────────────────────────────────
+
+  // Track the most recently created staging store for WebSocket/snapshot
+  let activeStaging = initialStaging || null;
+
+  app.get('/staging-snapshot', async (_req, res) => {
+    try {
+      if (!activeStaging) {
+        res.json({ flows: [], dirtyNodeIds: [], dirtyFlowIds: [] });
+        return;
+      }
+      const flows = await activeStaging.getFlows();
+      const dirtyNodeIds = [...activeStaging.getDirtyNodeIds()];
+      const dirtyFlowIds = [...activeStaging.getDirtyFlowIds()];
+      res.json({ flows, dirtyNodeIds, dirtyFlowIds });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // ── Staging refresh endpoint (re-fetches from Node-RED backend) ───
+
+  app.post('/staging-refresh', async (_req, res) => {
+    try {
+      if (!activeStaging) {
+        res.status(503).json({ error: 'No staging session active yet' });
+        return;
+      }
+      await activeStaging.invalidate();
+      await activeStaging.ensureLoaded();
+      const flows = await activeStaging.getFlows();
+      const dirtyNodeIds = [...activeStaging.getDirtyNodeIds()];
+      const dirtyFlowIds = [...activeStaging.getDirtyFlowIds()];
+      res.json({ flows, dirtyNodeIds, dirtyFlowIds });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // ── Staging visualization HTML endpoint ───────────────────────────
+
+  app.get('/staging', async (_req, res) => {
+    try {
+      if (!activeStaging) {
+        res.type('html').send('<html><body><h2>No staging session active yet</h2><p>Make a request to the MCP first to initialize staging.</p></body></html>');
+        return;
+      }
+      const flows = await activeStaging.getFlows();
+      const dirtyNodeIds = activeStaging.getDirtyNodeIds();
+      const dirtyFlowIds = activeStaging.getDirtyFlowIds();
+      const html = buildHTML(flows, { highlightDirty: true, dirtyNodeIds, dirtyFlowIds });
+      res.type('html').send(html);
+    } catch (err) {
+      res.status(500).type('html').send(`<html><body><h2>Error</h2><pre>${err.message}</pre></body></html>`);
+    }
+  });
+
+  // ── OAuth 2.0 authorization server (optional) ─────────────────────
+
+  if (authOptions?.oauthProvider && authOptions?.oauthIssuerUrl) {
+    const issuerUrl = new URL(authOptions.oauthIssuerUrl);
+
+    // Mount the full OAuth authorization server router
+    const authRouter = mcpAuthRouter({
+      provider: authOptions.oauthProvider,
+      issuerUrl,
+      baseUrl: issuerUrl, // Authorization server is at the same origin
+      scopesSupported: ['*'],
+      resourceName: 'Node-RED MCP Server',
+    });
+
+    app.use(authRouter);
+
+    console.error(`[nodered-mcp] OAuth authorization server mounted at ${issuerUrl.href}`);
+    console.error(`[nodered-mcp] OAuth discovery: ${issuerUrl.href}.well-known/oauth-authorization-server`);
+  }
+
+  // ── WebSocket server ──────────────────────────────────────────────
+
+  const wsServer = new WSServer();
+
+  // ── Create HTTP server explicitly for WebSocket upgrade support ────
+
+  const httpServer = http.createServer(app);
+
+  wsServer.attach(httpServer, async () => {
+    if (!activeStaging) return { flows: [], dirtyNodeIds: new Set(), dirtyFlowIds: new Set() };
+    const flows = await activeStaging.getFlows();
+    return { flows, dirtyNodeIds: activeStaging.getDirtyNodeIds(), dirtyFlowIds: activeStaging.getDirtyFlowIds() };
+  });
+
+  // If we have an eagerly-loaded staging, subscribe to changes for WebSocket broadcast
+  if (initialStaging) {
+    initialStaging.on('staging:changed', () => {
+      if (activeStaging === initialStaging) {
+        initialStaging.getFlows().then((flows) => {
+          wsServer.broadcast({
+            flows,
+            dirtyNodeIds: initialStaging.getDirtyNodeIds(),
+            dirtyFlowIds: initialStaging.getDirtyFlowIds(),
+          });
+        }).catch(() => { /* ignore */ });
+      }
+    });
+  }
+
+  // ── Start listening ────────────────────────────────────────────────
+
+  httpServer.listen(port, () => {
+    console.error(`[nodered-mcp] Server running on HTTP transport at http://localhost:${port}/mcp`);
+    console.error(`[nodered-mcp] Staging viewer: http://localhost:${port}/staging`);
+    console.error(`[nodered-mcp] WebSocket endpoint: ws://localhost:${port}/staging-ws`);
+  });
+
+  // ── MCP POST handler with staging capture for WebSocket/snapshot ──
+  app.post('/mcp', async (req, res) => {
+    try {
+      const sessionId = req.headers['mcp-session-id'] || randomUUID();
+      const isNew = !transports[sessionId];
+      let transport = transports[sessionId];
+
+      if (isNew) {
+        console.error(`[nodered-mcp] New session: ${sessionId}`);
+        transport = new StreamableHTTPServerTransport({
+          sessionIdGenerator: () => sessionId,
+        });
+        transports[sessionId] = transport;
+        const server = await serverFactory();
+        await server.connect(transport);
+        console.error(`[nodered-mcp] Session ${sessionId} connected`);
+
+        // Capture staging for WebSocket/snapshot
+        if (server.__staging) {
+          activeStaging = server.__staging;
+
+          // Subscribe to staging changes → broadcast via WebSocket
+          server.__staging.on('staging:changed', () => {
+            if (activeStaging === server.__staging) {
+              const dirtyNodeIds = server.__staging.getDirtyNodeIds();
+              const dirtyFlowIds = server.__staging.getDirtyFlowIds();
+              // We need to get flows - schedule async broadcast
+              server.__staging.getFlows().then((flows) => {
+                wsServer.broadcast({ flows, dirtyNodeIds, dirtyFlowIds });
+              }).catch(() => { /* ignore */ });
+            }
+          });
+        }
+      }
+
+      const method = req.body?.method ?? '(notification/unknown)';
+      console.error(`[nodered-mcp] → ${method}  session=${sessionId}`);
+
+      await transport.handleRequest(req, res, req.body);
+
+      console.error(`[nodered-mcp] ← ${method} responded  status=${res.statusCode}`);
+    } catch (err) {
+      console.error('[nodered-mcp] HTTP transport error:', err.message);
+      console.error(err.stack);
+      if (!res.headersSent) {
+        res.status(500).json({ error: 'Internal server error' });
+      }
+    }
+  });
+}

package/src/transport/stdio.js

@@ -0,0 +1,16 @@
+/**
+ * stdio transport for the MCP server.
+ */
+
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+
+/**
+ * Start the MCP server using stdio transport.
+ *
+ * @param {import('@modelcontextprotocol/sdk/server/mcp.js').McpServer} server
+ */
+export async function startStdioTransport(server) {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error('[nodered-mcp] Server running on stdio transport');
+}