@harness-fe/mcp-server 4.0.0-next.2 → 4.0.0-next.3

package/src/dashboardUrl.ts

@@ -1,28 +0,0 @@
-/**
- * Compose dashboard URLs the user (or agent) should hit.
- *
- * Carries the configured auth token in the query string so the browser
- * lands pre-authenticated. On loopback hosts with no token configured,
- * the URL is left bare.
- */
-
-import type { IBridge } from './bridge.js';
-
-export interface DashboardUrlOptions {
-    /** When provided, deep-link to a specific session detail page. */
-    sessionId?: string;
-}
-
-export function buildDashboardUrl(
-    bridge: IBridge,
-    opts: DashboardUrlOptions = {},
-): string | undefined {
-    const base = bridge.getViewerBaseUrl();
-    if (!base) return undefined;
-    const path = opts.sessionId
-        ? `/dashboard/sessions/${encodeURIComponent(opts.sessionId)}`
-        : '/dashboard/';
-    const token = bridge.getAuthToken();
-    const qs = token ? `?token=${encodeURIComponent(token)}` : '';
-    return `${base}${path}${qs}`;
-}

package/src/eventsHandler.test.ts

@@ -1,247 +0,0 @@
-/**
- * Unit tests for createEventsHandler — POST /events, GET /events/ping, CORS.
- */
-
-import { describe, expect, it, beforeEach, afterEach, vi } from 'vitest';
-import type { IncomingMessage, ServerResponse } from 'node:http';
-import { PROTOCOL_VERSION } from '@harness-fe/protocol';
-import { createEventsHandler } from './eventsHandler.js';
-
-// ─── Minimal IncomingMessage / ServerResponse mocks ──────────────────────────
-
-function makeReq(opts: {
-    url: string;
-    method: string;
-    host?: string;
-    body?: string;
-}): IncomingMessage {
-    const { Readable } = require('node:stream') as typeof import('node:stream');
-    const stream = new Readable({ read() {} });
-    const req = stream as unknown as IncomingMessage;
-    req.url = opts.url;
-    req.method = opts.method;
-    req.headers = opts.host ? { host: opts.host } : {};
-    if (opts.body !== undefined) {
-        process.nextTick(() => {
-            stream.push(Buffer.from(opts.body!));
-            stream.push(null);
-        });
-    } else {
-        process.nextTick(() => stream.push(null));
-    }
-    return req;
-}
-
-interface MockRes {
-    statusCode: number;
-    headers: Record<string, string>;
-    body: string;
-    setHeader(name: string, value: string): void;
-    end(data?: string): void;
-}
-
-function makeRes(): MockRes {
-    const res: MockRes = {
-        statusCode: 200,
-        headers: {},
-        body: '',
-        setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
-        end(data) { if (data) this.body = data; },
-    };
-    return res;
-}
-
-// ─── Bridge stub ─────────────────────────────────────────────────────────────
-
-function makeBridge(onBatch?: (hello: unknown, events: unknown[]) => void) {
-    return {
-        handleHttpBatch: vi.fn((hello: unknown, events: unknown[]) => {
-            onBatch?.(hello, events);
-        }),
-    };
-}
-
-// ─── Tests ───────────────────────────────────────────────────────────────────
-
-describe('eventsHandler', () => {
-    describe('GET /events/ping', () => {
-        it('returns 200 with ok + version', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const req = makeReq({ url: '/events/ping', method: 'GET' });
-            const res = makeRes();
-            const handled = await handler(req, res as unknown as ServerResponse);
-            expect(handled).toBe(true);
-            expect(res.statusCode).toBe(200);
-            const payload = JSON.parse(res.body) as { ok: boolean; version: string };
-            expect(payload.ok).toBe(true);
-            expect(payload.version).toBe(PROTOCOL_VERSION);
-        });
-
-        it('does not set CORS when host is not loopback', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const req = makeReq({ url: '/events/ping', method: 'GET', host: 'example.com' });
-            const res = makeRes();
-            await handler(req, res as unknown as ServerResponse);
-            expect(res.headers['access-control-allow-origin']).toBeUndefined();
-        });
-
-        it('sets CORS when host is localhost', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const req = makeReq({ url: '/events/ping', method: 'GET', host: 'localhost:47729' });
-            const res = makeRes();
-            await handler(req, res as unknown as ServerResponse);
-            expect(res.headers['access-control-allow-origin']).toBe('*');
-        });
-
-        it('sets CORS when host is 127.0.0.1', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const req = makeReq({ url: '/events/ping', method: 'GET', host: '127.0.0.1:47729' });
-            const res = makeRes();
-            await handler(req, res as unknown as ServerResponse);
-            expect(res.headers['access-control-allow-origin']).toBe('*');
-        });
-    });
-
-    describe('OPTIONS preflight', () => {
-        it('returns 204 for /events', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const req = makeReq({ url: '/events', method: 'OPTIONS', host: 'localhost:47729' });
-            const res = makeRes();
-            const handled = await handler(req, res as unknown as ServerResponse);
-            expect(handled).toBe(true);
-            expect(res.statusCode).toBe(204);
-        });
-
-        it('returns 204 for /events/ping', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const req = makeReq({ url: '/events/ping', method: 'OPTIONS', host: 'localhost:47729' });
-            const res = makeRes();
-            const handled = await handler(req, res as unknown as ServerResponse);
-            expect(handled).toBe(true);
-            expect(res.statusCode).toBe(204);
-        });
-    });
-
-    describe('POST /events', () => {
-        it('returns 204 and calls handleHttpBatch with valid body', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const body = JSON.stringify({
-                hello: {
-                    role: 'node-runtime',
-                    projectId: 'test-proj',
-                    sessionId: 'sess-abc',
-                    buildId: 'build-1',
-                },
-                events: [
-                    { id: 'e1', name: 'server-err', ts: 1000, payload: { message: 'boom' } },
-                    { id: 'e2', name: 'server-log', ts: 1001, payload: { level: 'info' } },
-                ],
-            });
-            const req = makeReq({ url: '/events', method: 'POST', host: 'localhost:47729', body });
-            const res = makeRes();
-            const handled = await handler(req, res as unknown as ServerResponse);
-            expect(handled).toBe(true);
-            expect(res.statusCode).toBe(204);
-            expect(bridge.handleHttpBatch).toHaveBeenCalledOnce();
-            const [hello, events] = bridge.handleHttpBatch.mock.calls[0] as [unknown, unknown[]];
-            expect((hello as { projectId: string }).projectId).toBe('test-proj');
-            expect(events).toHaveLength(2);
-        });
-
-        it('returns 400 for invalid JSON', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const req = makeReq({ url: '/events', method: 'POST', host: 'localhost:47729', body: '{bad json' });
-            const res = makeRes();
-            const handled = await handler(req, res as unknown as ServerResponse);
-            expect(handled).toBe(true);
-            expect(res.statusCode).toBe(400);
-            expect(bridge.handleHttpBatch).not.toHaveBeenCalled();
-        });
-
-        it('returns 400 when body fails schema validation (bad role)', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const body = JSON.stringify({
-                hello: {
-                    role: 'runtime-client', // wrong role
-                    projectId: 'test',
-                },
-                events: [],
-            });
-            const req = makeReq({ url: '/events', method: 'POST', host: 'localhost:47729', body });
-            const res = makeRes();
-            await handler(req, res as unknown as ServerResponse);
-            expect(res.statusCode).toBe(400);
-        });
-
-        it('returns 400 when hello.projectId is missing', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const body = JSON.stringify({
-                hello: { role: 'node-runtime' },
-                events: [],
-            });
-            const req = makeReq({ url: '/events', method: 'POST', host: 'localhost:47729', body });
-            const res = makeRes();
-            await handler(req, res as unknown as ServerResponse);
-            expect(res.statusCode).toBe(400);
-        });
-
-        it('returns 500 when handleHttpBatch throws', async () => {
-            const bridge = {
-                handleHttpBatch: vi.fn(() => { throw new Error('store error'); }),
-            };
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const body = JSON.stringify({
-                hello: { role: 'node-runtime', projectId: 'test', sessionId: 's1' },
-                events: [],
-            });
-            const req = makeReq({ url: '/events', method: 'POST', host: 'localhost:47729', body });
-            const res = makeRes();
-            const handled = await handler(req, res as unknown as ServerResponse);
-            expect(handled).toBe(true);
-            expect(res.statusCode).toBe(500);
-        });
-    });
-
-    describe('fall-through for unmatched routes', () => {
-        it('returns false for /other', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const req = makeReq({ url: '/other', method: 'GET' });
-            const res = makeRes();
-            const handled = await handler(req, res as unknown as ServerResponse);
-            expect(handled).toBe(false);
-        });
-
-        it('returns false for /events/unknown-sub-path', async () => {
-            const bridge = makeBridge();
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            const handler = createEventsHandler(bridge as any);
-            const req = makeReq({ url: '/events/unknown', method: 'GET' });
-            const res = makeRes();
-            const handled = await handler(req, res as unknown as ServerResponse);
-            expect(handled).toBe(false);
-        });
-    });
-});

package/src/eventsHandler.ts

@@ -1,136 +0,0 @@
-/**
- * HTTP POST /events handler — stateless alternative to the WebSocket path.
- *
- * Accepts a JSON body matching `httpBatchSchema`:
- *   { hello: { role: 'node-runtime', projectId, sessionId, ... },
- *     events: [ { id, name, ts, payload, ... }, ... ] }
- *
- * Each POST is treated as a one-shot hello+events sequence:
- *   1. Register (or re-register) the peer via the same bridge internals.
- *   2. Persist every event to the right session timeline.
- *   3. Respond 204 No Content.
- *
- * Also handles:
- *   GET /events/ping  → 200 { ok: true, version }
- *   OPTIONS /events   → 204 CORS preflight
- */
-
-import type { IncomingMessage, ServerResponse } from 'node:http';
-import { randomUUID } from 'node:crypto';
-import { PROTOCOL_VERSION, httpBatchSchema } from '@harness-fe/protocol';
-import type { Bridge } from './bridge.js';
-
-// ─── CORS helpers ────────────────────────────────────────────────────────────
-
-function isLoopback(req: IncomingMessage): boolean {
-    const host = req.headers['host'] ?? '';
-    // Match 127.0.0.1:* and localhost:*
-    return /^(127\.0\.0\.1|localhost)(:\d+)?$/.test(host);
-}
-
-function setCorsHeaders(res: ServerResponse): void {
-    res.setHeader('Access-Control-Allow-Origin', '*');
-    res.setHeader('Access-Control-Allow-Methods', 'POST, GET, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'content-type');
-}
-
-// ─── Body reader ─────────────────────────────────────────────────────────────
-
-function readBody(req: IncomingMessage): Promise<string> {
-    return new Promise((resolve, reject) => {
-        const chunks: Buffer[] = [];
-        req.on('data', (chunk: Buffer) => chunks.push(chunk));
-        req.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
-        req.on('error', reject);
-    });
-}
-
-// ─── Factory ─────────────────────────────────────────────────────────────────
-
-/**
- * Returns a handler that matches /events/* routes and returns `true` when it
- * handled the request (so the bridge can short-circuit its 404 fallback).
- */
-export function createEventsHandler(
-    bridge: Bridge,
-): (req: IncomingMessage, res: ServerResponse) => Promise<boolean> {
-    return async (req, res): Promise<boolean> => {
-        const url = req.url ?? '';
-        const method = req.method ?? 'GET';
-
-        // Only intercept /events and /events/ping
-        if (url !== '/events' && url !== '/events/ping') return false;
-
-        // CORS: only emit headers when request comes from loopback
-        if (isLoopback(req)) {
-            setCorsHeaders(res);
-        }
-
-        // Preflight for both routes
-        if (method === 'OPTIONS') {
-            res.statusCode = 204;
-            res.end();
-            return true;
-        }
-
-        // GET /events/ping
-        if (url === '/events/ping' && method === 'GET') {
-            res.statusCode = 200;
-            res.setHeader('content-type', 'application/json; charset=utf-8');
-            res.end(JSON.stringify({ ok: true, version: PROTOCOL_VERSION }));
-            return true;
-        }
-
-        // POST /events
-        if (url === '/events' && method === 'POST') {
-            let rawBody: string;
-            try {
-                rawBody = await readBody(req);
-            } catch {
-                res.statusCode = 400;
-                res.setHeader('content-type', 'application/json; charset=utf-8');
-                res.end(JSON.stringify({ error: 'failed to read request body' }));
-                return true;
-            }
-
-            let parsed: unknown;
-            try {
-                parsed = JSON.parse(rawBody);
-            } catch {
-                res.statusCode = 400;
-                res.setHeader('content-type', 'application/json; charset=utf-8');
-                res.end(JSON.stringify({ error: 'invalid JSON' }));
-                return true;
-            }
-
-            const validated = httpBatchSchema.safeParse(parsed);
-            if (!validated.success) {
-                res.statusCode = 400;
-                res.setHeader('content-type', 'application/json; charset=utf-8');
-                res.end(JSON.stringify({ error: validated.error.message }));
-                return true;
-            }
-
-            const { hello, events } = validated.data;
-
-            try {
-                bridge.handleHttpBatch(hello, events);
-            } catch (err) {
-                res.statusCode = 500;
-                res.setHeader('content-type', 'application/json; charset=utf-8');
-                res.end(JSON.stringify({
-                    error: err instanceof Error ? err.message : 'internal error',
-                }));
-                return true;
-            }
-
-            res.statusCode = 204;
-            res.end();
-            return true;
-        }
-
-        return false;
-    };
-}
-
-export type EventsHandler = ReturnType<typeof createEventsHandler>;

package/src/identity.test.ts

@@ -1,109 +0,0 @@
-import { describe, expect, it } from 'vitest';
-import type { IncomingMessage } from 'node:http';
-import {
-    HOST_PRINCIPAL,
-    LOCAL_PRINCIPAL,
-    canSee,
-    identifyPrincipal,
-    resolvePrincipal,
-    tokenPrincipalId,
-} from './identity.js';
-
-function fakeReq(init: { headers?: Record<string, string>; url?: string } = {}): IncomingMessage {
-    return {
-        headers: init.headers ?? {},
-        url: init.url ?? '/',
-    } as unknown as IncomingMessage;
-}
-
-describe('identity: tokenPrincipalId', () => {
-    it('is stable + prefixed + hashed (never the raw token)', () => {
-        const id = tokenPrincipalId('super-secret');
-        expect(id).toMatch(/^token:[0-9a-f]{12}$/);
-        expect(id).toBe(tokenPrincipalId('super-secret'));
-        expect(id).not.toContain('super-secret');
-    });
-    it('different tokens → different ids', () => {
-        expect(tokenPrincipalId('a')).not.toBe(tokenPrincipalId('b'));
-    });
-});
-
-describe('identity: resolvePrincipal', () => {
-    it('loopback (auth disabled) → LOCAL_PRINCIPAL', () => {
-        expect(resolvePrincipal(fakeReq(), {})).toBe(LOCAL_PRINCIPAL);
-        expect(resolvePrincipal(fakeReq(), { token: '' })).toBe(LOCAL_PRINCIPAL);
-    });
-
-    it('token mode: matching token → token principal', () => {
-        const req = fakeReq({ headers: { authorization: 'Bearer s3cr3t' } });
-        const p = resolvePrincipal(req, { token: 's3cr3t' });
-        expect(p).toEqual({ id: tokenPrincipalId('s3cr3t'), kind: 'token' });
-    });
-
-    it('token mode: missing/wrong token → null (mirrors deny)', () => {
-        expect(resolvePrincipal(fakeReq(), { token: 's3cr3t' })).toBeNull();
-        expect(
-            resolvePrincipal(fakeReq({ headers: { authorization: 'Bearer nope' } }), { token: 's3cr3t' }),
-        ).toBeNull();
-    });
-
-    it('custom authorize: accept → HOST_PRINCIPAL, reject → null', () => {
-        expect(resolvePrincipal(fakeReq(), { authorize: () => true })).toBe(HOST_PRINCIPAL);
-        expect(resolvePrincipal(fakeReq(), { authorize: () => false })).toBeNull();
-    });
-
-    it('authorize wins over token (same precedence as isAuthorized)', () => {
-        const req = fakeReq({ headers: { authorization: 'Bearer wrong' } });
-        expect(resolvePrincipal(req, { token: 'right', authorize: () => true })).toBe(HOST_PRINCIPAL);
-    });
-});
-
-describe('identity: identifyPrincipal (P4 — identify, not authorize)', () => {
-    it('no auth → local', () => {
-        expect(identifyPrincipal({ authorization: 'Bearer x' }, {})).toBe(LOCAL_PRINCIPAL);
-    });
-
-    it('stdio (no headers) → local even when a token is configured', () => {
-        expect(identifyPrincipal(undefined, { token: 's3cr3t' })).toBe(LOCAL_PRINCIPAL);
-    });
-
-    it('token mode: names the caller from the Authorization header', () => {
-        const p = identifyPrincipal({ authorization: 'Bearer s3cr3t' }, { token: 's3cr3t' });
-        expect(p).toEqual({ id: tokenPrincipalId('s3cr3t'), kind: 'token' });
-    });
-
-    it('token mode: handles array-valued headers', () => {
-        const p = identifyPrincipal({ authorization: ['Bearer s3cr3t'] }, { token: 's3cr3t' });
-        expect(p.id).toBe(tokenPrincipalId('s3cr3t'));
-    });
-
-    it('token mode without a bearer header → local (already past auth wrapper)', () => {
-        expect(identifyPrincipal({}, { token: 's3cr3t' })).toBe(LOCAL_PRINCIPAL);
-    });
-
-    it('authorize mode → host', () => {
-        expect(identifyPrincipal({ authorization: 'Bearer x' }, { authorize: () => true })).toBe(HOST_PRINCIPAL);
-    });
-});
-
-describe('identity: canSee (P3 tenant visibility)', () => {
-    const tokenA = { id: 'token:aaa', kind: 'token' as const };
-    const tokenB = { id: 'token:bbb', kind: 'token' as const };
-
-    it('local sees everything (zero behaviour change for solo dev)', () => {
-        expect(canSee(LOCAL_PRINCIPAL, 'token:aaa')).toBe(true);
-        expect(canSee(LOCAL_PRINCIPAL, undefined)).toBe(true);
-        expect(canSee(LOCAL_PRINCIPAL, null)).toBe(true);
-    });
-
-    it('unowned data (no createdBy) is visible to everyone', () => {
-        expect(canSee(tokenA, undefined)).toBe(true);
-        expect(canSee(tokenA, null)).toBe(true);
-    });
-
-    it('named principal sees only its own owned data', () => {
-        expect(canSee(tokenA, 'token:aaa')).toBe(true);
-        expect(canSee(tokenA, 'token:bbb')).toBe(false);
-        expect(canSee(tokenB, 'token:aaa')).toBe(false);
-    });
-});

package/src/identity.ts

@@ -1,137 +0,0 @@
-/**
- * Caller identity (4.0 · P1) — turns the auth boundary from a plain
- * allow/deny into "allow/deny + *who*".
- *
- * Phase 1 scope: this module only *establishes* and *carries* a Principal,
- * and the bridge *tags* writes with it (createdBy). It deliberately does NOT
- * filter reads by owner — that's P3 (tenant isolation). Keeping the two apart
- * means identity plumbing lands with zero behaviour change: loopback solo dev
- * stays a single implicit `local` principal, and an authorized caller sees
- * everything exactly as before.
- *
- * Why a separate module from auth.ts: `isAuthorized` answers a boolean and is
- * consumed on the hot path of every HTTP route / WS upgrade. `resolvePrincipal`
- * is the richer, additive view layered on top — it reuses the same primitives
- * (isAuthEnabled / extractToken / verifyToken) so the two can never disagree on
- * who is allowed in.
- */
-
-import { createHash } from 'node:crypto';
-import type { IncomingMessage } from 'node:http';
-
-import { extractToken, isAuthEnabled, verifyToken, type AuthOptions } from './auth.js';
-
-export type PrincipalKind = 'local' | 'token' | 'host';
-
-export interface Principal {
-    /** Stable id for this caller. Loopback / stdio solo dev → `local`. */
-    id: string;
-    /** How the identity was established. */
-    kind: PrincipalKind;
-    /** Optional human-readable label (for dashboards / audit). */
-    displayName?: string;
-}
-
-/**
- * The implicit single principal for loopback and stdio solo dev. The daemon
- * trusts everything that can reach the loopback socket, so there is one
- * caller and it owns everything — exactly today's behaviour, now named.
- */
-export const LOCAL_PRINCIPAL: Principal = Object.freeze({
-    id: 'local',
-    kind: 'local',
-    displayName: 'local',
-});
-
-/**
- * Principal for the custom-`authorize` path. Hosts that embed the daemon own
- * their own user model; until `authorize` can return a richer identity
- * (future work), an authorized host caller maps to this single principal.
- */
-export const HOST_PRINCIPAL: Principal = Object.freeze({
-    id: 'host',
-    kind: 'host',
-    displayName: 'host',
-});
-
-/**
- * Derive a stable principal id from a bearer token. One token = one principal
- * in 4.0's trusted-team model. We hash so the raw secret never becomes an id
- * that could leak into stored `createdBy` tags or audit logs.
- */
-export function tokenPrincipalId(token: string): string {
-    return `token:${createHash('sha256').update(token).digest('hex').slice(0, 12)}`;
-}
-
-/**
- * Resolve the caller behind a request.
- *
- * Returns `null` when auth is enabled and the request is NOT authorized — this
- * mirrors `isAuthorized(req) === false` exactly, so callers can treat a null
- * principal as "reject" without a second auth check.
- *
- * - auth disabled (loopback): {@link LOCAL_PRINCIPAL}
- * - custom `authorize`: {@link HOST_PRINCIPAL} when it accepts, else `null`
- * - token: a {@link tokenPrincipalId}-derived principal when it matches, else `null`
- */
-export function resolvePrincipal(req: IncomingMessage, opts: AuthOptions): Principal | null {
-    if (!isAuthEnabled(opts)) return LOCAL_PRINCIPAL;
-    if (opts.authorize) return opts.authorize(req) ? HOST_PRINCIPAL : null;
-    const token = extractToken(req, opts);
-    if (!verifyToken(token, opts.token!)) return null;
-    return { id: tokenPrincipalId(token!), kind: 'token' };
-}
-
-type HeaderBag = Record<string, string | string[] | undefined>;
-
-function bearerFromHeaders(headers: HeaderBag): string | undefined {
-    const raw = headers['authorization'] ?? headers['Authorization'];
-    const v = Array.isArray(raw) ? raw[0] : raw;
-    if (typeof v === 'string' && v.startsWith('Bearer ')) {
-        const t = v.slice(7).trim();
-        if (t) return t;
-    }
-    return undefined;
-}
-
-/**
- * Identify (not authorize) the caller behind an MCP tool call (4.0 · P4).
- *
- * The HTTP MCP request has already cleared the bridge's auth wrapper by the
- * time a tool runs, so this only needs to *name* the caller — never to
- * re-check them. Pass the per-request headers from the MCP SDK's
- * `extra.requestInfo`; stdio calls have no requestInfo and resolve to `local`
- * (the daemon trusts its local stdio agent).
- *
- * - auth disabled, or no headers (stdio) → {@link LOCAL_PRINCIPAL}
- * - custom authorize → {@link HOST_PRINCIPAL}
- * - token mode → token principal from the Authorization header (LOCAL if absent)
- */
-export function identifyPrincipal(headers: HeaderBag | undefined, opts: AuthOptions): Principal {
-    if (!isAuthEnabled(opts)) return LOCAL_PRINCIPAL;
-    if (opts.authorize) return HOST_PRINCIPAL;
-    if (!headers) return LOCAL_PRINCIPAL;
-    const token = bearerFromHeaders(headers);
-    return token ? { id: tokenPrincipalId(token), kind: 'token' } : LOCAL_PRINCIPAL;
-}
-
-/**
- * Tenant-isolation visibility check (4.0 · P3). Decides whether `principal`
- * may see a record tagged with `createdBy`.
- *
- * - `local` (loopback / stdio solo / no-auth) → sees everything. This keeps
- *   solo dev's behaviour completely unchanged.
- * - unowned data (`createdBy` null/undefined — legacy rows from before P1, or
- *   records the daemon never tagged) → visible to everyone (backward compat).
- * - otherwise → visible only to the principal that created it.
- *
- * Note: in the current single-token / loopback reality the data creator
- * (plugin / runtime client) and the querying agent share one principal, so
- * this is exact. A full `project → agent` binding (creator ≠ consumer, once
- * P6 splits write/read scopes) is deferred to P6.
- */
-export function canSee(principal: Principal, createdBy: string | null | undefined): boolean {
-    if (principal.kind === 'local') return true;
-    if (createdBy == null) return true;
-    return createdBy === principal.id;
-}