@harness-fe/mcp-server 4.0.0-next.3 → 4.0.0-next.4

package/dist/mcp.js

@@ -488,7 +488,7 @@ function registerTools(server, bridge, auth) {
         const store = bridge.store;
         const all = await bridge.listTasks({ status: status ?? 'pending', limit });
         const tasks = store
-            ? all.filter((t) => canSeeProject(principal, ownerChainOf(t.projectId, store)))
+            ? all.filter((t) => canSeeProject(principal, t.projectId, ownerChainOf(t.projectId, store)))
             : all.filter((t) => canSee(principal, t.createdBy));
         const summary = tasks.map((t) => ({
             id: t.id,
@@ -518,14 +518,34 @@ function registerTools(server, bridge, auth) {
         return ok(task);
     });
     server.registerTool(COMMAND.TASKS_RESOLVE, {
-        description: 'Mark a task as resolved with an optional note. Use after addressing the user request.',
+        description: 'Mark a task as resolved with an optional note and structured resolution. ' +
+            'Use after addressing the user request. Pass `resolution` to close the ' +
+            'feedback loop: how it was fixed (type), the fix commit/PR, and the ' +
+            'verificationSessionId of the post-fix re-test that proved the fix.',
         inputSchema: {
             taskId: z.string(),
             note: z.string().optional(),
+            resolution: z
+                .object({
+                type: z
+                    .enum(['code-fix', 'config', 'wontfix', 'duplicate', 'cannot-reproduce'])
+                    .optional(),
+                commit: z.string().optional().describe('Git commit SHA of the fix.'),
+                prUrl: z.string().optional().describe('Pull-request URL for the fix.'),
+                verificationSessionId: z
+                    .string()
+                    .optional()
+                    .describe('Session id of the post-fix re-test that verified the fix.'),
+                verifiedAt: z
+                    .number()
+                    .optional()
+                    .describe('Epoch ms; defaulted when verificationSessionId is given.'),
+            })
+                .optional(),
         },
-    }, async ({ taskId, note }, extra) => {
+    }, async ({ taskId, note, resolution }, extra) => {
         const principal = identifyPrincipal(extra.requestInfo?.headers, auth ?? {});
-        const task = await bridge.resolveTask(taskId, note, principal);
+        const task = await bridge.resolveTask(taskId, note, resolution, principal);
         if (!task) {
             throw new Error(`tasks.resolve: no task with id "${taskId}"`);
         }
@@ -585,7 +605,7 @@ function registerStoreTools(server, store, memoryStore, bridge, auth) {
     }, async ({ projectId, limit }, extra) => {
         const principal = identifyPrincipal(extra.requestInfo?.headers, auth ?? {});
         // Owning a project (or a host ancestor) grants its whole session set.
-        if (!canSeeProject(principal, ownerChainOf(projectId, store)))
+        if (!canSeeProject(principal, projectId, ownerChainOf(projectId, store)))
             return ok([]);
         return ok(store.listSessions({ projectId, limit: limit ?? 10 }));
     });
@@ -659,7 +679,7 @@ function registerStoreTools(server, store, memoryStore, bridge, auth) {
         const principal = identifyPrincipal(extra.requestInfo?.headers, auth ?? {});
         const projects = store
             .listProjects()
-            .filter((p) => canSeeProject(principal, ownerChainOf(p.id, store)));
+            .filter((p) => canSeeProject(principal, p.id, ownerChainOf(p.id, store)));
         const result = projects.map((p) => ({
             ...p,
             recentSessions: store.listSessions({ projectId: p.id, limit: 3 }),

package/dist/mcpHttp.js

@@ -8,6 +8,7 @@
  */
 import { randomUUID } from 'node:crypto';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
 import { createMcpServer } from './mcp.js';
 import { identifyPrincipal } from '@harness-fe/daemon';
 import { runWithCaller } from '@harness-fe/daemon';
@@ -20,42 +21,105 @@ import { MemoryEventStore } from '@harness-fe/daemon';
 export async function startMcpHttpServer(bridge, opts = {}) {
     const path = opts.path ?? '/mcp';
     const stateful = opts.stateful !== false;
-    const eventStore = opts.eventStore === null
-        ? undefined
-        : opts.eventStore ?? new MemoryEventStore();
-    // Pass the daemon's auth so MCP tools can identify the per-call principal
-    // from request headers (4.0 · P4). stdio (startMcpStdioServer) omits this,
-    // so stdio calls resolve to the local principal.
-    const server = createMcpServer(bridge, {
-        experimentalEnvVar: opts.experimentalEnvVar,
-        auth: bridge.getAuthOptions(),
-    });
-    const transport = new StreamableHTTPServerTransport({
-        sessionIdGenerator: stateful ? () => randomUUID() : undefined,
-        eventStore,
-    });
-    await server.connect(transport);
     const b = bridge;
     if (typeof b.prependHttpHandler !== 'function') {
         throw new Error('mcpHttp: bridge does not support prependHttpHandler (need a Bridge instance with HTTP server)');
     }
+    // Pass the daemon's auth so MCP tools can identify the per-call principal
+    // from request headers (4.0 · P4). stdio (startMcpStdioServer) omits this,
+    // so stdio calls resolve to the local principal.
     const auth = b.getAuthOptions();
+    const sessions = new Map();
+    function newSession() {
+        const server = createMcpServer(bridge, { experimentalEnvVar: opts.experimentalEnvVar, auth });
+        const transport = new StreamableHTTPServerTransport({
+            sessionIdGenerator: stateful ? () => randomUUID() : undefined,
+            // null → resumability off; an explicit store → use it; default → a
+            // fresh per-session MemoryEventStore.
+            eventStore: opts.eventStore === null ? undefined : (opts.eventStore ?? new MemoryEventStore()),
+            onsessioninitialized: (sid) => {
+                sessions.set(sid, { transport, server });
+            },
+        });
+        transport.onclose = () => {
+            const sid = transport.sessionId;
+            if (sid)
+                sessions.delete(sid);
+        };
+        return { transport, server };
+    }
     b.prependHttpHandler(async (req, res) => {
         const url = req.url ?? '';
         const qi = url.indexOf('?');
         const reqPath = qi < 0 ? url : url.slice(0, qi);
         if (reqPath !== path)
             return false;
-        // Establish the per-call caller for command-target scoping (4.0 · A):
-        // every sendCommand within this request reads it via currentCaller().
+        // Per-call caller for command-target scoping (4.0 · A): every sendCommand
+        // within this request reads it via currentCaller().
         const principal = identifyPrincipal(req.headers, auth);
-        await runWithCaller(principal, () => transport.handleRequest(req, res));
+        const sid = req.headers['mcp-session-id'];
+        // Established session — route by id (POST follow-ups, GET SSE, DELETE).
+        if (typeof sid === 'string' && sessions.has(sid)) {
+            const { transport } = sessions.get(sid);
+            await runWithCaller(principal, () => transport.handleRequest(req, res));
+            return true;
+        }
+        // No (known) session id. A POST `initialize` opens one; anything else is invalid.
+        if (req.method === 'POST') {
+            let body;
+            try {
+                body = await readJsonBody(req);
+            }
+            catch {
+                sendMcpError(res, 400, -32700, 'Parse error');
+                return true;
+            }
+            if (stateful && !isInitializeRequest(body)) {
+                sendMcpError(res, 400, -32600, 'Bad Request: no valid mcp-session-id (initialize first)');
+                return true;
+            }
+            const { server, transport } = newSession();
+            await server.connect(transport);
+            if (!stateful) {
+                // Stateless one-shot: tear down when the response ends.
+                res.on('close', () => {
+                    void transport.close();
+                    void server.close();
+                });
+            }
+            await runWithCaller(principal, () => transport.handleRequest(req, res, body));
+            return true;
+        }
+        // GET/DELETE without a known session — nothing to attach to.
+        sendMcpError(res, 400, -32600, 'Bad Request: unknown or missing mcp-session-id');
         return true;
     });
     return {
         path,
         async close() {
-            await server.close();
+            for (const { server } of sessions.values()) {
+                await server.close().catch(() => undefined);
+            }
+            sessions.clear();
         },
     };
 }
+async function readJsonBody(req) {
+    const chunks = [];
+    let total = 0;
+    const MAX = 4 * 1024 * 1024; // 4 MiB cap — MCP requests are small
+    for await (const c of req) {
+        const buf = c;
+        total += buf.length;
+        if (total > MAX)
+            throw new Error('mcp body too large');
+        chunks.push(buf);
+    }
+    const raw = Buffer.concat(chunks).toString('utf8');
+    return raw ? JSON.parse(raw) : undefined;
+}
+function sendMcpError(res, status, code, message) {
+    res.statusCode = status;
+    res.setHeader('content-type', 'application/json');
+    res.end(JSON.stringify({ jsonrpc: '2.0', error: { code, message }, id: null }));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@harness-fe/mcp-server",
-  "version": "4.0.0-next.3",
+  "version": "4.0.0-next.4",
   "description": "Unified MCP daemon: stdio MCP for AI agents + WS bridge for Vite plugin and runtime client.",
   "type": "module",
   "license": "MIT",
@@ -37,8 +37,8 @@
     "@modelcontextprotocol/sdk": "^1.26.0",
     "ws": "^8.18.0",
     "zod": "^4.4.3",
-    "@harness-fe/protocol": "4.0.0-next.0",
-    "@harness-fe/daemon": "4.0.0-next.3"
+    "@harness-fe/daemon": "4.0.0-next.4",
+    "@harness-fe/protocol": "4.0.0-next.4"
   },
   "devDependencies": {
     "@types/ws": "^8.5.10",

package/src/mcp.ts

@@ -777,7 +777,7 @@ function registerTools(server: McpServer, bridge: IBridge, auth?: AuthOptions):
             const store = (bridge as Bridge).store;
             const all = await bridge.listTasks({ status: status ?? 'pending', limit });
             const tasks = store
-                ? all.filter((t) => canSeeProject(principal, ownerChainOf(t.projectId, store)))
+                ? all.filter((t) => canSeeProject(principal, t.projectId, ownerChainOf(t.projectId, store)))
                 : all.filter((t) => canSee(principal, t.createdBy));
             const summary = tasks.map((t) => ({
                 id: t.id,
@@ -818,15 +818,35 @@ function registerTools(server: McpServer, bridge: IBridge, auth?: AuthOptions):
         COMMAND.TASKS_RESOLVE,
         {
             description:
-                'Mark a task as resolved with an optional note. Use after addressing the user request.',
+                'Mark a task as resolved with an optional note and structured resolution. ' +
+                'Use after addressing the user request. Pass `resolution` to close the ' +
+                'feedback loop: how it was fixed (type), the fix commit/PR, and the ' +
+                'verificationSessionId of the post-fix re-test that proved the fix.',
             inputSchema: {
                 taskId: z.string(),
                 note: z.string().optional(),
+                resolution: z
+                    .object({
+                        type: z
+                            .enum(['code-fix', 'config', 'wontfix', 'duplicate', 'cannot-reproduce'])
+                            .optional(),
+                        commit: z.string().optional().describe('Git commit SHA of the fix.'),
+                        prUrl: z.string().optional().describe('Pull-request URL for the fix.'),
+                        verificationSessionId: z
+                            .string()
+                            .optional()
+                            .describe('Session id of the post-fix re-test that verified the fix.'),
+                        verifiedAt: z
+                            .number()
+                            .optional()
+                            .describe('Epoch ms; defaulted when verificationSessionId is given.'),
+                    })
+                    .optional(),
             },
         },
-        async ({ taskId, note }, extra) => {
+        async ({ taskId, note, resolution }, extra) => {
             const principal = identifyPrincipal(extra.requestInfo?.headers, auth ?? {});
-            const task = await bridge.resolveTask(taskId, note, principal);
+            const task = await bridge.resolveTask(taskId, note, resolution, principal);
             if (!task) {
                 throw new Error(`tasks.resolve: no task with id "${taskId}"`);
             }
@@ -905,7 +925,7 @@ function registerStoreTools(server: McpServer, store: IStore, memoryStore: IMemo
         async ({ projectId, limit }, extra) => {
             const principal = identifyPrincipal(extra.requestInfo?.headers, auth ?? {});
             // Owning a project (or a host ancestor) grants its whole session set.
-            if (!canSeeProject(principal, ownerChainOf(projectId, store))) return ok([]);
+            if (!canSeeProject(principal, projectId, ownerChainOf(projectId, store))) return ok([]);
             return ok(store.listSessions({ projectId, limit: limit ?? 10 }));
         },
     );
@@ -996,7 +1016,7 @@ function registerStoreTools(server: McpServer, store: IStore, memoryStore: IMemo
             const principal = identifyPrincipal(extra.requestInfo?.headers, auth ?? {});
             const projects = store
                 .listProjects()
-                .filter((p) => canSeeProject(principal, ownerChainOf(p.id, store)));
+                .filter((p) => canSeeProject(principal, p.id, ownerChainOf(p.id, store)));
             const result = projects.map((p) => ({
                 ...p,
                 recentSessions: store.listSessions({ projectId: p.id, limit: 3 }),

package/src/mcpHttp.test.ts

@@ -99,6 +99,55 @@ describe('mcpHttp', () => {
         expect(withAuth.status).not.toBe(401);
     });
 
+    it('supports multiple concurrent clients (per-session transports)', async () => {
+        // Regression: the old single shared transport threw "Server already
+        // initialized" on the 2nd initialize, blocking multi-agent (gateway) use
+        // and any reconnect. Per-session transports must let each client init.
+        const bridge = await startBridge();
+        const handle = await startMcpHttpServer(bridge, { path: '/mcp' });
+        cleanups.push(() => handle.close());
+        const port = bridge.getBoundPort()!;
+
+        const headers = {
+            'content-type': 'application/json',
+            accept: 'application/json, text/event-stream',
+        };
+        const initBody = (name: string) =>
+            JSON.stringify({
+                jsonrpc: '2.0',
+                method: 'initialize',
+                params: {
+                    protocolVersion: '2025-06-18',
+                    capabilities: {},
+                    clientInfo: { name, version: '1' },
+                },
+                id: 1,
+            });
+
+        const r1 = await fetch(`http://127.0.0.1:${port}/mcp`, { method: 'POST', headers, body: initBody('c1') });
+        await r1.text();
+        const sid1 = r1.headers.get('mcp-session-id');
+        expect(r1.status).toBe(200);
+        expect(sid1).toBeTruthy();
+
+        const r2 = await fetch(`http://127.0.0.1:${port}/mcp`, { method: 'POST', headers, body: initBody('c2') });
+        await r2.text();
+        const sid2 = r2.headers.get('mcp-session-id');
+        expect(r2.status).toBe(200);
+        expect(sid2).toBeTruthy();
+        // Distinct sessions — the whole point of per-session transports.
+        expect(sid2).not.toBe(sid1);
+
+        // A request carrying an unknown session id is rejected (not silently
+        // attached to some shared transport).
+        const bad = await fetch(`http://127.0.0.1:${port}/mcp`, {
+            method: 'POST',
+            headers: { ...headers, 'mcp-session-id': 'does-not-exist' },
+            body: JSON.stringify({ jsonrpc: '2.0', method: 'tools/list', id: 2 }),
+        });
+        expect(bad.status).toBe(400);
+    });
+
     // SSE Last-Event-ID resumption — end-to-end wiring proof.
     //
     // What this asserts:

package/src/mcpHttp.ts

@@ -9,6 +9,7 @@
 
 import { randomUUID } from 'node:crypto';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
 import type { IncomingMessage, ServerResponse } from 'node:http';
 import type { Bridge, IBridge } from '@harness-fe/daemon';
 import { createMcpServer } from './mcp.js';
@@ -58,48 +59,120 @@ export async function startMcpHttpServer(
 ): Promise<McpHttpHandle> {
     const path = opts.path ?? '/mcp';
     const stateful = opts.stateful !== false;
-    const eventStore =
-        opts.eventStore === null
-            ? undefined
-            : opts.eventStore ?? new MemoryEventStore();
-
-    // Pass the daemon's auth so MCP tools can identify the per-call principal
-    // from request headers (4.0 · P4). stdio (startMcpStdioServer) omits this,
-    // so stdio calls resolve to the local principal.
-    const server = createMcpServer(bridge, {
-        experimentalEnvVar: opts.experimentalEnvVar,
-        auth: (bridge as Bridge).getAuthOptions(),
-    });
-    const transport = new StreamableHTTPServerTransport({
-        sessionIdGenerator: stateful ? () => randomUUID() : undefined,
-        eventStore,
-    });
-    await server.connect(transport);
-
     const b = bridge as Bridge;
     if (typeof b.prependHttpHandler !== 'function') {
         throw new Error(
             'mcpHttp: bridge does not support prependHttpHandler (need a Bridge instance with HTTP server)',
         );
     }
-
+    // Pass the daemon's auth so MCP tools can identify the per-call principal
+    // from request headers (4.0 · P4). stdio (startMcpStdioServer) omits this,
+    // so stdio calls resolve to the local principal.
     const auth = b.getAuthOptions();
+
+    // Per-session transports (4.0) — the MCP HTTP spec's stateful model: each
+    // client gets its own transport + server keyed by `mcp-session-id`, created
+    // on `initialize`. The old shape shared ONE transport for the whole daemon,
+    // which locked after the first initialize — a second agent (or any reconnect)
+    // hit "Server already initialized". Per-session is what lets multiple agents
+    // share one daemon through the gateway, and lets a client reconnect.
+    type Session = { transport: StreamableHTTPServerTransport; server: ReturnType<typeof createMcpServer> };
+    const sessions = new Map<string, Session>();
+
+    function newSession(): Session {
+        const server = createMcpServer(bridge, { experimentalEnvVar: opts.experimentalEnvVar, auth });
+        const transport = new StreamableHTTPServerTransport({
+            sessionIdGenerator: stateful ? () => randomUUID() : undefined,
+            // null → resumability off; an explicit store → use it; default → a
+            // fresh per-session MemoryEventStore.
+            eventStore: opts.eventStore === null ? undefined : (opts.eventStore ?? new MemoryEventStore()),
+            onsessioninitialized: (sid: string) => {
+                sessions.set(sid, { transport, server });
+            },
+        });
+        transport.onclose = () => {
+            const sid = transport.sessionId;
+            if (sid) sessions.delete(sid);
+        };
+        return { transport, server };
+    }
+
     b.prependHttpHandler(async (req: IncomingMessage, res: ServerResponse) => {
         const url = req.url ?? '';
         const qi = url.indexOf('?');
         const reqPath = qi < 0 ? url : url.slice(0, qi);
         if (reqPath !== path) return false;
-        // Establish the per-call caller for command-target scoping (4.0 · A):
-        // every sendCommand within this request reads it via currentCaller().
+
+        // Per-call caller for command-target scoping (4.0 · A): every sendCommand
+        // within this request reads it via currentCaller().
         const principal = identifyPrincipal(req.headers, auth);
-        await runWithCaller(principal, () => transport.handleRequest(req, res));
+        const sid = req.headers['mcp-session-id'];
+
+        // Established session — route by id (POST follow-ups, GET SSE, DELETE).
+        if (typeof sid === 'string' && sessions.has(sid)) {
+            const { transport } = sessions.get(sid)!;
+            await runWithCaller(principal, () => transport.handleRequest(req, res));
+            return true;
+        }
+
+        // No (known) session id. A POST `initialize` opens one; anything else is invalid.
+        if (req.method === 'POST') {
+            let body: unknown;
+            try {
+                body = await readJsonBody(req);
+            } catch {
+                sendMcpError(res, 400, -32700, 'Parse error');
+                return true;
+            }
+            if (stateful && !isInitializeRequest(body)) {
+                sendMcpError(res, 400, -32600, 'Bad Request: no valid mcp-session-id (initialize first)');
+                return true;
+            }
+            const { server, transport } = newSession();
+            await server.connect(transport);
+            if (!stateful) {
+                // Stateless one-shot: tear down when the response ends.
+                res.on('close', () => {
+                    void transport.close();
+                    void server.close();
+                });
+            }
+            await runWithCaller(principal, () => transport.handleRequest(req, res, body));
+            return true;
+        }
+
+        // GET/DELETE without a known session — nothing to attach to.
+        sendMcpError(res, 400, -32600, 'Bad Request: unknown or missing mcp-session-id');
         return true;
     });
 
     return {
         path,
         async close() {
-            await server.close();
+            for (const { server } of sessions.values()) {
+                await server.close().catch(() => undefined);
+            }
+            sessions.clear();
         },
     };
 }
+
+async function readJsonBody(req: IncomingMessage): Promise<unknown> {
+    const chunks: Buffer[] = [];
+    let total = 0;
+    const MAX = 4 * 1024 * 1024; // 4 MiB cap — MCP requests are small
+    for await (const c of req) {
+        const buf = c as Buffer;
+        total += buf.length;
+        if (total > MAX) throw new Error('mcp body too large');
+        chunks.push(buf);
+    }
+    const raw = Buffer.concat(chunks).toString('utf8');
+    return raw ? (JSON.parse(raw) as unknown) : undefined;
+}
+
+function sendMcpError(res: ServerResponse, status: number, code: number, message: string): void {
+    res.statusCode = status;
+    res.setHeader('content-type', 'application/json');
+    res.end(JSON.stringify({ jsonrpc: '2.0', error: { code, message }, id: null }));
+}