npm - @insforge/mcp - Versions diffs - 1.2.6 → 1.2.8 - Mend

@insforge/mcp 1.2.6 → 1.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +21 -0
package/dist/{chunk-3S2HFIGS.js → chunk-DZ5W3BSP.js} +1057 -669
package/dist/http-server.js +2087 -130
package/dist/index.js +3 -2
package/package.json +34 -7
package/server.json +29 -6

package/dist/http-server.js CHANGED Viewed

@@ -1,191 +1,2148 @@
 #!/usr/bin/env node
 import {
   registerInsforgeTools
-} from "./chunk-3S2HFIGS.js";
+} from "./chunk-DZ5W3BSP.js";
 // src/http/server.ts
-import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import "dotenv/config";
+import express from "express";
+import { randomUUID, createHash as createHash2 } from "crypto";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+// src/http/session-manager.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+// src/http/redis.ts
+import Redis from "ioredis";
+function getRedisConfig() {
+  return {
+    host: process.env.REDIS_HOST || "localhost",
+    port: parseInt(process.env.REDIS_PORT || "6379", 10),
+    tls: process.env.REDIS_TLS === "true",
+    cluster: process.env.REDIS_CLUSTER === "true"
+  };
+}
+function createRedisClient(config) {
+  const redisConfig = config || getRedisConfig();
+  const { host, port, tls, cluster } = redisConfig;
+  const tlsOptions = tls ? { tls: {} } : {};
+  if (cluster) {
+    return new Redis.Cluster(
+      [{ host, port }],
+      {
+        redisOptions: {
+          ...tlsOptions
+        },
+        dnsLookup: (address, callback) => callback(null, address),
+        slotsRefreshTimeout: 2e3,
+        enableReadyCheck: true
+      }
+    );
+  } else {
+    return new Redis({
+      host,
+      port,
+      ...tlsOptions,
+      maxRetriesPerRequest: 3,
+      retryStrategy(times) {
+        const delay = Math.min(times * 100, 3e3);
+        return delay;
+      }
+    });
+  }
+}
+var redisClient = null;
+function getRedisClient() {
+  if (!redisClient) {
+    redisClient = createRedisClient();
+    redisClient.on("error", (err) => {
+      console.error("[Redis] Connection error:", err.message);
+    });
+    redisClient.on("connect", () => {
+      console.log("[Redis] Connected successfully");
+    });
+    redisClient.on("ready", () => {
+      console.log("[Redis] Ready to accept commands");
+    });
+  }
+  return redisClient;
+}
+async function closeRedisClient() {
+  if (redisClient) {
+    await redisClient.quit();
+    redisClient = null;
+    console.log("[Redis] Connection closed");
+  }
+}
+// src/http/session-manager.ts
+var SESSION_KEY_PREFIX = "mcp:session:";
+var SESSION_TTL = 24 * 60 * 60;
+var SessionManager = class {
+  // In-memory cache for runtime instances
+  runtimeSessions = /* @__PURE__ */ new Map();
+  /**
+   * Create a new session
+   *
+   * Uses connect-first strategy: establishes transport connection before
+   * persisting to Redis to avoid orphaned records if connection fails
+   */
+  async createSession(sessionId, sessionData, transport) {
+    const redis = getRedisClient();
+    const now = Date.now();
+    const server = new McpServer({
+      name: "insforge-mcp",
+      version: "1.0.0"
+    });
+    const toolsConfig = await registerInsforgeTools(server, {
+      apiKey: sessionData.apiKey,
+      apiBaseUrl: sessionData.apiBaseUrl,
+      mode: "remote"
+    });
+    await server.connect(transport);
+    const fullSessionData = {
+      ...sessionData,
+      createdAt: now,
+      lastAccessedAt: now,
+      backendVersion: toolsConfig.backendVersion
+    };
+    await redis.setex(
+      SESSION_KEY_PREFIX + sessionId,
+      SESSION_TTL,
+      JSON.stringify(fullSessionData)
+    );
+    this.runtimeSessions.set(sessionId, { server, transport, transportType: "streamable" });
+    console.log(`[SessionManager] Session created: ${sessionId}`);
+    return server;
+  }
+  /**
+   * Get session data from Redis
+   */
+  async getSessionData(sessionId) {
+    const redis = getRedisClient();
+    const data = await redis.get(SESSION_KEY_PREFIX + sessionId);
+    if (!data) {
+      return null;
+    }
+    return JSON.parse(data);
+  }
+  /**
+   * Get runtime session (transport + server) from memory
+   * If session exists in Redis but not in memory, it needs to be restored
+   */
+  getRuntimeSession(sessionId) {
+    return this.runtimeSessions.get(sessionId) || null;
+  }
+  /**
+   * Get runtime session with Streamable HTTP transport
+   * Returns null if session doesn't exist or uses SSE transport
+   */
+  getStreamableSession(sessionId) {
+    const session = this.runtimeSessions.get(sessionId);
+    if (!session || session.transportType !== "streamable") {
+      return null;
+    }
+    return { server: session.server, transport: session.transport };
+  }
+  /**
+   * Get runtime session with SSE transport
+   * Returns null if session doesn't exist or uses Streamable HTTP transport
+   */
+  getSSESession(sessionId) {
+    const session = this.runtimeSessions.get(sessionId);
+    if (!session || session.transportType !== "sse") {
+      return null;
+    }
+    return { server: session.server, transport: session.transport };
+  }
+  /**
+   * Check if session exists (either in memory or Redis)
+   */
+  async hasSession(sessionId) {
+    if (this.runtimeSessions.has(sessionId)) {
+      return true;
+    }
+    const redis = getRedisClient();
+    const exists = await redis.exists(SESSION_KEY_PREFIX + sessionId);
+    return exists === 1;
+  }
+  /**
+   * Restore a session from Redis into memory
+   * Called when request comes in with session ID but runtime is not in memory
+   * (e.g., after server restart or load balancer routing to different instance)
+   */
+  async restoreSession(sessionId, transport) {
+    const sessionData = await this.getSessionData(sessionId);
+    if (!sessionData) {
+      console.log(`[SessionManager] Session not found in Redis: ${sessionId}`);
+      return null;
+    }
+    console.log(`[SessionManager] Restoring session from Redis: ${sessionId}`);
+    const server = new McpServer({
+      name: "insforge-mcp",
+      version: "1.0.0"
+    });
+    await registerInsforgeTools(server, {
+      apiKey: sessionData.apiKey,
+      apiBaseUrl: sessionData.apiBaseUrl,
+      mode: "remote"
+    });
+    await server.connect(transport);
+    this.runtimeSessions.set(sessionId, { server, transport, transportType: "streamable" });
+    await this.touchSession(sessionId);
+    console.log(`[SessionManager] Session restored: ${sessionId}`);
+    return server;
+  }
+  /**
+   * Create a new SSE session (for legacy SSE transport)
+   *
+   * Uses connect-first strategy: establishes transport connection before
+   * persisting to Redis to avoid orphaned records if connection fails
+   */
+  async createSSESession(sessionId, sessionData, transport) {
+    const redis = getRedisClient();
+    const now = Date.now();
+    const server = new McpServer({
+      name: "insforge-mcp",
+      version: "1.0.0"
+    });
+    const toolsConfig = await registerInsforgeTools(server, {
+      apiKey: sessionData.apiKey,
+      apiBaseUrl: sessionData.apiBaseUrl,
+      mode: "remote"
+    });
+    await server.connect(transport);
+    const fullSessionData = {
+      ...sessionData,
+      createdAt: now,
+      lastAccessedAt: now,
+      backendVersion: toolsConfig.backendVersion
+    };
+    await redis.setex(
+      SESSION_KEY_PREFIX + sessionId,
+      SESSION_TTL,
+      JSON.stringify(fullSessionData)
+    );
+    this.runtimeSessions.set(sessionId, { server, transport, transportType: "sse" });
+    console.log(`[SessionManager] SSE session created: ${sessionId}`);
+    return server;
+  }
+  /**
+   * Update last accessed time and refresh TTL
+   */
+  async touchSession(sessionId) {
+    const redis = getRedisClient();
+    const sessionData = await this.getSessionData(sessionId);
+    if (sessionData) {
+      sessionData.lastAccessedAt = Date.now();
+      await redis.setex(
+        SESSION_KEY_PREFIX + sessionId,
+        SESSION_TTL,
+        JSON.stringify(sessionData)
+      );
+    }
+  }
+  /**
+   * Delete a session from both Redis and memory
+   */
+  async deleteSession(sessionId) {
+    const redis = getRedisClient();
+    const runtime = this.runtimeSessions.get(sessionId);
+    if (runtime) {
+      try {
+        await runtime.server.close();
+        await runtime.transport.close();
+      } catch (error) {
+        console.error(`[SessionManager] Error closing session ${sessionId}:`, error);
+      }
+      this.runtimeSessions.delete(sessionId);
+    }
+    await redis.del(SESSION_KEY_PREFIX + sessionId);
+    console.log(`[SessionManager] Session deleted: ${sessionId}`);
+  }
+  /**
+   * Get all session IDs (from memory - for graceful shutdown)
+   */
+  getActiveSessionIds() {
+    return Array.from(this.runtimeSessions.keys());
+  }
+  /**
+   * Close all sessions (for graceful shutdown)
+   */
+  async closeAllSessions() {
+    const sessionIds = this.getActiveSessionIds();
+    console.log(`[SessionManager] Closing ${sessionIds.length} sessions...`);
+    for (const sessionId of sessionIds) {
+      await this.deleteSession(sessionId);
+    }
+    console.log("[SessionManager] All sessions closed");
+  }
+  /**
+   * Get session statistics
+   */
+  async getStats() {
+    const redis = getRedisClient();
+    let cursor = "0";
+    let count = 0;
+    do {
+      const [newCursor, keys] = await redis.scan(
+        cursor,
+        "MATCH",
+        SESSION_KEY_PREFIX + "*",
+        "COUNT",
+        100
+      );
+      cursor = newCursor;
+      count += keys.length;
+    } while (cursor !== "0");
+    return {
+      activeSessions: count,
+      memorySessionCount: this.runtimeSessions.size
+    };
+  }
+};
+var sessionManager = null;
+function getSessionManager() {
+  if (!sessionManager) {
+    sessionManager = new SessionManager();
+  }
+  return sessionManager;
+}
+// src/http/oauth-manager.ts
+import { createHash, randomBytes } from "crypto";
+// src/http/insforge-api.ts
+import fetch2 from "node-fetch";
+var INSFORGE_API_BASE = process.env.INSFORGE_API_BASE || "https://api.insforge.dev";
+var InsforgeApiError = class extends Error {
+  constructor(message, statusCode, code) {
+    super(message);
+    this.statusCode = statusCode;
+    this.code = code;
+    this.name = "InsforgeApiError";
+  }
+};
+async function validateToken(token) {
+  const response = await fetch2(`${INSFORGE_API_BASE}/auth/v1/profile`, {
+    method: "GET",
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": "application/json"
+    }
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new InsforgeApiError(
+      `Token validation failed: ${errorText}`,
+      response.status
+    );
+  }
+  const data = await response.json();
+  return data.user;
+}
+async function getOrganizations(token) {
+  const response = await fetch2(`${INSFORGE_API_BASE}/organizations/v1`, {
+    method: "GET",
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": "application/json"
+    }
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new InsforgeApiError(
+      `Failed to get organizations: ${errorText}`,
+      response.status
+    );
+  }
+  const data = await response.json();
+  return data.organizations;
+}
+async function getProjects(token, organizationId) {
+  const response = await fetch2(`${INSFORGE_API_BASE}/organizations/v1/${organizationId}/projects`, {
+    method: "GET",
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": "application/json"
+    }
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new InsforgeApiError(
+      `Failed to get projects: ${errorText}`,
+      response.status
+    );
+  }
+  const data = await response.json();
+  return data.projects;
+}
+async function getProject(token, projectId) {
+  const response = await fetch2(`${INSFORGE_API_BASE}/projects/v1/${projectId}`, {
+    method: "GET",
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": "application/json"
+    }
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new InsforgeApiError(
+      `Failed to get project: ${errorText}`,
+      response.status
+    );
+  }
+  const data = await response.json();
+  return data.project;
+}
+async function getProjectApiKey(token, projectId) {
+  const response = await fetch2(`${INSFORGE_API_BASE}/projects/v1/${projectId}/access-api-key`, {
+    method: "GET",
+    headers: {
+      "Authorization": `Bearer ${token}`,
+      "Content-Type": "application/json"
+    }
+  });
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new InsforgeApiError(
+      `Failed to get project API key: ${errorText}`,
+      response.status
+    );
+  }
+  const data = await response.json();
+  return data.access_api_key;
+}
+function buildAccessHost(project) {
+  if (project.customized_domain) {
+    return `https://${project.customized_domain}`;
+  }
+  return `https://${project.appkey}.${project.region}.insforge.app`;
+}
+async function getProjectAccess(token, projectId) {
+  const [project, apiKey] = await Promise.all([
+    getProject(token, projectId),
+    getProjectApiKey(token, projectId)
+  ]);
+  return {
+    projectId: project.id,
+    projectName: project.name,
+    organizationId: project.organization_id,
+    accessHost: buildAccessHost(project),
+    apiKey,
+    region: project.region,
+    status: project.status
+  };
+}
+async function getAllUserProjects(token) {
+  const organizations = await getOrganizations(token);
+  const results = await Promise.all(
+    organizations.map(async (org) => {
+      const projects = await getProjects(token, org.id);
+      return {
+        organization: org,
+        projects: projects.filter((p) => p.status === "active")
+        // Only active projects
+      };
+    })
+  );
+  return results.filter((r) => r.projects.length > 0);
+}
+// src/http/oauth-manager.ts
+function generateCodeVerifier() {
+  return randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+var AUTH_STATE_PREFIX = "mcp:auth:state:";
+var TOKEN_BINDING_PREFIX = "mcp:auth:binding:";
+var AUTH_CODE_PREFIX = "mcp:auth:code:";
+var AUTH_STATE_TTL = 10 * 60;
+var AUTH_CODE_TTL = 5 * 60;
+var TOKEN_BINDING_TTL = 30 * 24 * 60 * 60;
+function hashToken(token) {
+  return createHash("sha256").update(token).digest("hex");
+}
+function generateCode() {
+  return randomBytes(32).toString("base64url");
+}
+var OAuthManager = class {
+  /**
+   * Create a new authorization state (step 1 of OAuth flow)
+   * Returns a state ID and the PKCE code challenge for Insforge OAuth
+   */
+  async createAuthorizationState(params) {
+    if (params.codeChallenge && params.codeChallengeMethod && params.codeChallengeMethod !== "S256") {
+      throw new Error(`Unsupported code_challenge_method: ${params.codeChallengeMethod}. Only S256 is supported.`);
+    }
+    const redis = getRedisClient();
+    const stateId = generateCode();
+    const insforgeCodeVerifier = generateCodeVerifier();
+    const insforgeCodeChallenge = generateCodeChallenge(insforgeCodeVerifier);
+    const authState = {
+      ...params,
+      codeChallengeMethod: params.codeChallenge ? "S256" : void 0,
+      insforgeCodeVerifier,
+      createdAt: Date.now()
+    };
+    await redis.setex(
+      AUTH_STATE_PREFIX + stateId,
+      AUTH_STATE_TTL,
+      JSON.stringify(authState)
+    );
+    return { stateId, insforgeCodeChallenge };
+  }
+  /**
+   * Get authorization state
+   */
+  async getAuthorizationState(stateId) {
+    const redis = getRedisClient();
+    const data = await redis.get(AUTH_STATE_PREFIX + stateId);
+    if (!data) {
+      return null;
+    }
+    return JSON.parse(data);
+  }
+  /**
+   * Create an authorization code after user approves and selects a project
+   * Returns the code to be exchanged for a token
+   */
+  async createAuthorizationCode(stateId, token, projectId) {
+    const redis = getRedisClient();
+    const authState = await this.getAuthorizationState(stateId);
+    if (!authState) {
+      throw new Error("Invalid or expired authorization state");
+    }
+    const user = await validateToken(token);
+    const projectAccess = await getProjectAccess(token, projectId);
+    const tokenHash = hashToken(token);
+    const binding = {
+      tokenHash,
+      userId: user.id,
+      userEmail: user.email,
+      projectId: projectAccess.projectId,
+      projectName: projectAccess.projectName,
+      organizationId: projectAccess.organizationId,
+      accessHost: projectAccess.accessHost,
+      apiKey: projectAccess.apiKey,
+      createdAt: Date.now(),
+      lastUsedAt: Date.now()
+    };
+    await redis.setex(
+      TOKEN_BINDING_PREFIX + tokenHash,
+      TOKEN_BINDING_TTL,
+      JSON.stringify(binding)
+    );
+    const code = generateCode();
+    await redis.setex(
+      AUTH_CODE_PREFIX + code,
+      AUTH_CODE_TTL,
+      JSON.stringify({
+        tokenHash,
+        stateId,
+        redirectUri: authState.redirectUri,
+        codeChallenge: authState.codeChallenge,
+        codeChallengeMethod: authState.codeChallengeMethod
+      })
+    );
+    await redis.del(AUTH_STATE_PREFIX + stateId);
+    return code;
+  }
+  /**
+   * Exchange authorization code for token binding info
+   * This is called by the MCP client after OAuth callback
+   *
+   * Uses atomic GETDEL to prevent authorization code replay attacks
+   */
+  async exchangeCode(code, redirectUri, codeVerifier) {
+    const redis = getRedisClient();
+    const codeData = await redis.getdel(AUTH_CODE_PREFIX + code);
+    if (!codeData) {
+      throw new Error("Invalid or expired authorization code");
+    }
+    const { tokenHash, redirectUri: storedRedirectUri, codeChallenge, codeChallengeMethod } = JSON.parse(codeData);
+    if (redirectUri !== storedRedirectUri) {
+      throw new Error("Redirect URI mismatch");
+    }
+    if (codeChallenge) {
+      if (!codeVerifier) {
+        throw new Error("Code verifier required");
+      }
+      if (codeChallengeMethod && codeChallengeMethod !== "S256") {
+        throw new Error(`Unsupported code_challenge_method: ${codeChallengeMethod}. Only S256 is supported.`);
+      }
+      const computedChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
+      if (computedChallenge !== codeChallenge) {
+        throw new Error("Code verifier mismatch");
+      }
+    }
+    return { tokenHash };
+  }
+  /**
+   * Get token binding by token hash
+   */
+  async getTokenBinding(tokenHash) {
+    const redis = getRedisClient();
+    const data = await redis.get(TOKEN_BINDING_PREFIX + tokenHash);
+    if (!data) {
+      return null;
+    }
+    return JSON.parse(data);
+  }
+  /**
+   * Get token binding by raw token
+   */
+  async getBindingByToken(token) {
+    const tokenHash = hashToken(token);
+    return this.getTokenBinding(tokenHash);
+  }
+  /**
+   * Update last used time for a token binding
+   */
+  async touchBinding(tokenHash) {
+    const redis = getRedisClient();
+    const binding = await this.getTokenBinding(tokenHash);
+    if (binding) {
+      binding.lastUsedAt = Date.now();
+      await redis.setex(
+        TOKEN_BINDING_PREFIX + tokenHash,
+        TOKEN_BINDING_TTL,
+        JSON.stringify(binding)
+      );
+    }
+  }
+  /**
+   * Revoke a token binding
+   */
+  async revokeBinding(tokenHash) {
+    const redis = getRedisClient();
+    await redis.del(TOKEN_BINDING_PREFIX + tokenHash);
+  }
+  /**
+   * Resolve project info from OAuth token or tokenHash
+   * This is the main entry point used by the MCP server
+   *
+   * The token parameter can be either:
+   * 1. A tokenHash (returned by /oauth/token endpoint) - used by MCP clients after OAuth
+   * 2. A raw Insforge OAuth token - used for direct API access
+   *
+   * Flow:
+   * 1. Try to find binding using token directly as tokenHash
+   * 2. If not found, try hashing the token and look up again
+   * 3. If still not found, return null (client needs to go through OAuth flow)
+   */
+  async resolveProjectFromToken(token) {
+    let binding = await this.getTokenBinding(token);
+    let actualTokenHash = token;
+    if (!binding) {
+      actualTokenHash = hashToken(token);
+      binding = await this.getTokenBinding(actualTokenHash);
+    }
+    if (!binding) {
+      return null;
+    }
+    await this.touchBinding(actualTokenHash);
+    return {
+      apiKey: binding.apiKey,
+      apiBaseUrl: binding.accessHost,
+      projectId: binding.projectId,
+      projectName: binding.projectName,
+      userId: binding.userId,
+      organizationId: binding.organizationId,
+      oauthTokenHash: actualTokenHash
+    };
+  }
+  /**
+   * Get all available projects for a user (for project selection UI)
+   */
+  async getAvailableProjects(token) {
+    return getAllUserProjects(token);
+  }
+  /**
+   * Bind a token to a project directly (skip OAuth code flow)
+   * Used when user selects a project via API
+   */
+  async bindTokenToProject(token, projectId) {
+    const redis = getRedisClient();
+    const user = await validateToken(token);
+    const projectAccess = await getProjectAccess(token, projectId);
+    const tokenHash = hashToken(token);
+    const binding = {
+      tokenHash,
+      userId: user.id,
+      userEmail: user.email,
+      projectId: projectAccess.projectId,
+      projectName: projectAccess.projectName,
+      organizationId: projectAccess.organizationId,
+      accessHost: projectAccess.accessHost,
+      apiKey: projectAccess.apiKey,
+      createdAt: Date.now(),
+      lastUsedAt: Date.now()
+    };
+    await redis.setex(
+      TOKEN_BINDING_PREFIX + tokenHash,
+      TOKEN_BINDING_TTL,
+      JSON.stringify(binding)
+    );
+    console.log(`[OAuthManager] Token bound to project: ${projectAccess.projectName}`);
+    return binding;
+  }
+};
+var oauthManager = null;
+function getOAuthManager() {
+  if (!oauthManager) {
+    oauthManager = new OAuthManager();
+  }
+  return oauthManager;
+}
+// src/http/config.ts
+import "dotenv/config";
 import { program } from "commander";
-import express from "express";
-import { randomUUID } from "crypto";
-program.option("--port <number>", "Port to run HTTP server on", "3000");
+program.option("--port <number>", "Port to run HTTP server on", "3000").option("--host <string>", "Host to bind to", "127.0.0.1");
 program.parse(process.argv);
-var options = program.opts();
-var { port } = options;
-var PORT = parseInt(port) || 3e3;
-var transports = /* @__PURE__ */ new Map();
-var servers = /* @__PURE__ */ new Map();
+var cliOptions = program.opts();
+var SERVER_CONFIG = {
+  /** Port to run HTTP server on */
+  port: parseInt(cliOptions.port) || 3e3,
+  /** Host to bind to */
+  host: cliOptions.host || "127.0.0.1",
+  /** Public URL of this MCP server */
+  publicUrl: process.env.MCP_SERVER_URL || "http://localhost:3000"
+};
+var INSFORGE_CONFIG = {
+  /** Insforge API base URL */
+  apiBase: process.env.INSFORGE_API_BASE || "https://api.insforge.dev",
+  /** Insforge frontend URL */
+  frontendUrl: process.env.INSFORGE_FRONTEND_URL || "https://insforge.dev",
+  /** OAuth client ID (registered with Insforge platform) */
+  clientId: process.env.INSFORGE_CLIENT_ID || "",
+  /** OAuth client secret (registered with Insforge platform) */
+  clientSecret: process.env.INSFORGE_CLIENT_SECRET || "",
+  /** OAuth scopes to request from Insforge */
+  oauthScopes: "user:read organizations:read projects:read projects:write"
+};
+var OAUTH_CONFIG = {
+  /** OAuth callback URL for Insforge OAuth */
+  callbackUrl: `${SERVER_CONFIG.publicUrl}/oauth/callback`,
+  /** Scopes supported by this MCP server */
+  supportedScopes: ["mcp:read", "mcp:write", "project:select"],
+  /** Grant types supported */
+  grantTypes: ["authorization_code"],
+  /** Response types supported */
+  responseTypes: ["code"],
+  /** Code challenge methods supported (only S256 for security) */
+  codeChallengesMethods: ["S256"]
+};
+var REDIS_CONFIG = {
+  /** Redis host */
+  host: process.env.REDIS_HOST || "localhost",
+  /** Redis port */
+  port: parseInt(process.env.REDIS_PORT || "6379"),
+  /** Redis password */
+  password: process.env.REDIS_PASSWORD || void 0,
+  /** Use TLS for Redis connection */
+  tls: process.env.REDIS_TLS === "true",
+  /** Use Redis cluster mode */
+  cluster: process.env.REDIS_CLUSTER === "true"
+};
+var SESSION_CONFIG = {
+  /** Session TTL in seconds (24 hours) */
+  ttl: 24 * 60 * 60,
+  /** Redis key prefix for sessions */
+  keyPrefix: "mcp:session:"
+};
+var ANALYTICS_CONFIG = {
+  /** Mixpanel project token */
+  mixpanelToken: process.env.MIXPANEL_TOKEN || ""
+};
+function isAnalyticsConfigured() {
+  return !!ANALYTICS_CONFIG.mixpanelToken && process.env.ENABLE_ANALYTICS !== "false";
+}
+var STREAMABLE_HTTP_ENDPOINTS = {
+  /** Main MCP endpoint - handles POST (messages), GET (SSE stream), DELETE (close) */
+  mcp: "/mcp"
+};
+var SSE_ENDPOINTS = {
+  /** SSE stream endpoint - GET to establish Server-Sent Events connection */
+  sse: "/sse",
+  /** Messages endpoint - POST to send messages to server */
+  messages: "/messages"
+};
+var OAUTH_ENDPOINTS = {
+  /** OAuth authorization server metadata (RFC 8414) */
+  metadata: "/.well-known/oauth-authorization-server",
+  /** OAuth protected resource metadata */
+  protectedResource: "/.well-known/oauth-protected-resource",
+  /** Dynamic client registration (RFC 7591) */
+  register: "/oauth/register",
+  /** Authorization endpoint */
+  authorize: "/oauth/authorize",
+  /** OAuth callback from Insforge */
+  callback: "/oauth/callback",
+  /** Project selection page */
+  selectProject: "/oauth/select-project",
+  /** Token endpoint */
+  token: "/oauth/token",
+  /** Token revocation endpoint */
+  revoke: "/oauth/revoke"
+};
+var API_ENDPOINTS = {
+  /** Health check */
+  health: "/health",
+  /** List projects */
+  projects: "/api/projects",
+  /** Bind token to project */
+  bindProject: "/api/projects/:projectId/bind"
+};
+function isOAuthConfigured() {
+  return !!(INSFORGE_CONFIG.clientId && INSFORGE_CONFIG.clientSecret);
+}
+function validateConfig() {
+  if (!isOAuthConfigured()) {
+    console.warn("[Config] WARNING: OAuth client credentials not configured.");
+    console.warn("[Config] Set INSFORGE_CLIENT_ID and INSFORGE_CLIENT_SECRET environment variables.");
+  }
+  if (!isAnalyticsConfigured()) {
+    console.log("[Config] Analytics not configured. Set MIXPANEL_TOKEN to enable Mixpanel tracking.");
+  }
+}
+// src/http/templates/project-selection.ts
+function renderProjectSelectionPage(options) {
+  const { stateId, projectGroups, selectProjectEndpoint } = options;
+  const projectsHtml = projectGroups.length > 0 ? projectGroups.map((group) => `
+      <div class="org-section">
+        <div class="org-name">${escapeHtml(group.organization.name)}</div>
+        ${group.projects.map((project) => `
+          <form method="POST" action="${selectProjectEndpoint}">
+            <input type="hidden" name="state_id" value="${escapeHtml(stateId)}">
+            <input type="hidden" name="project_id" value="${escapeHtml(project.id)}">
+            <button type="submit" class="project-card">
+              <div class="project-info">
+                <div class="project-name">${escapeHtml(project.name)}</div>
+                <div class="project-url">https://${escapeHtml(project.appkey)}.${escapeHtml(project.region)}.insforge.app</div>
+              </div>
+              <span class="project-region">${escapeHtml(project.region)}</span>
+              <span class="project-arrow">
+                <svg width="20" height="20" viewBox="0 0 20 20" fill="none">
+                  <path d="M7 4L13 10L7 16" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>
+                </svg>
+              </span>
+            </button>
+          </form>
+        `).join("")}
+      </div>
+    `).join("") : `
+      <div class="no-projects">
+        <p>No active projects found.</p>
+        <p>Please create a project in the InsForge dashboard first.</p>
+      </div>
+    `;
+  return `<!DOCTYPE html>
+<html>
+<head>
+  <title>Select Project - InsForge MCP</title>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=Manrope:wght@400;500;600;700&display=swap" rel="stylesheet">
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      font-family: 'Manrope', -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: #0F0F0F;
+      color: #e5e5e5;
+      min-height: 100vh;
+      padding: 60px 20px;
+      position: relative;
+    }
+    /* Dot grid background pattern */
+    body::before {
+      content: '';
+      position: fixed;
+      top: 0;
+      left: 0;
+      right: 0;
+      bottom: 0;
+      background-image: radial-gradient(circle, rgba(255,255,255,0.08) 1px, transparent 1px);
+      background-size: 24px 24px;
+      pointer-events: none;
+      z-index: 0;
+    }
+    /* Gradient overlay */
+    body::after {
+      content: '';
+      position: fixed;
+      top: 0;
+      left: 0;
+      right: 0;
+      height: 400px;
+      background: radial-gradient(ellipse at top, rgba(110, 231, 183, 0.08) 0%, transparent 70%);
+      pointer-events: none;
+      z-index: 0;
+    }
+    .container {
+      max-width: 560px;
+      margin: 0 auto;
+      position: relative;
+      z-index: 1;
+    }
+    .logo {
+      text-align: left;
+      margin-bottom: 20px;
+    }
+    h1 {
+      font-size: 32px;
+      font-weight: 700;
+      color: #fff;
+      margin-bottom: 12px;
+      text-align: center;
+      letter-spacing: -0.02em;
+    }
+    .subtitle {
+      color: #a0a0a0;
+      text-align: center;
+      margin-bottom: 48px;
+      font-size: 16px;
+      font-weight: 400;
+    }
+    .org-section {
+      margin-bottom: 32px;
+    }
+    .org-name {
+      font-size: 12px;
+      font-weight: 600;
+      color: #6EE7B7;
+      text-transform: uppercase;
+      letter-spacing: 0.1em;
+      margin-bottom: 16px;
+      padding-left: 4px;
+      display: flex;
+      align-items: center;
+      gap: 8px;
+    }
+    .org-name::before {
+      content: '';
+      width: 6px;
+      height: 6px;
+      background: #6EE7B7;
+      border-radius: 50%;
+    }
+    .project-card {
+      background: linear-gradient(135deg, #1C1C1C 0%, #171717 100%);
+      border: 1px solid #262626;
+      border-radius: 8px;
+      padding: 20px 24px;
+      margin-bottom: 12px;
+      cursor: pointer;
+      transition: all 0.2s ease;
+      display: flex;
+      justify-content: space-between;
+      align-items: center;
+      position: relative;
+      overflow: hidden;
+    }
+    .project-card::before {
+      content: '';
+      position: absolute;
+      top: 0;
+      left: 0;
+      right: 0;
+      bottom: 0;
+      background: linear-gradient(135deg, rgba(110, 231, 183, 0.05) 0%, transparent 50%);
+      opacity: 0;
+      transition: opacity 0.2s ease;
+    }
+    .project-card:hover {
+      border-color: #6EE7B7;
+      transform: translateY(-2px);
+      box-shadow: 0 8px 32px rgba(110, 231, 183, 0.1);
+    }
+    .project-card:hover::before {
+      opacity: 1;
+    }
+    .project-card:active {
+      transform: translateY(0);
+    }
+    .project-info {
+      flex: 1;
+      position: relative;
+      z-index: 1;
+    }
+    .project-name {
+      font-weight: 600;
+      font-size: 16px;
+      color: #fff;
+      margin-bottom: 6px;
+      letter-spacing: -0.01em;
+    }
+    .project-url {
+      font-size: 13px;
+      color: #6EE7B7;
+      font-family: 'SF Mono', Monaco, 'Cascadia Code', monospace;
+      opacity: 0.8;
+    }
+    .project-region {
+      font-size: 11px;
+      font-weight: 600;
+      color: #6EE7B7;
+      background: rgba(110, 231, 183, 0.1);
+      border: 1px solid rgba(110, 231, 183, 0.2);
+      padding: 6px 12px;
+      border-radius: 20px;
+      margin-left: 16px;
+      text-transform: uppercase;
+      letter-spacing: 0.05em;
+      position: relative;
+      z-index: 1;
+    }
+    .project-arrow {
+      color: #6EE7B7;
+      opacity: 0;
+      transform: translateX(-8px);
+      transition: all 0.2s ease;
+      margin-left: 12px;
+      position: relative;
+      z-index: 1;
+    }
+    .project-card:hover .project-arrow {
+      opacity: 1;
+      transform: translateX(0);
+    }
+    .no-projects {
+      text-align: center;
+      color: #525252;
+      padding: 60px 40px;
+      background: linear-gradient(135deg, #1C1C1C 0%, #171717 100%);
+      border: 1px solid #262626;
+      border-radius: 8px;
+    }
+    .no-projects p {
+      margin-bottom: 8px;
+    }
+    .no-projects p:last-child {
+      margin-bottom: 0;
+    }
+    .cancel-link {
+      display: inline-flex;
+      align-items: center;
+      justify-content: center;
+      width: 100%;
+      margin-top: 32px;
+      color: #737373;
+      text-decoration: none;
+      font-size: 14px;
+      font-weight: 500;
+      padding: 12px;
+      border-radius: 6px;
+      transition: all 0.2s ease;
+    }
+    .cancel-link:hover {
+      color: #a3a3a3;
+      background: rgba(255, 255, 255, 0.03);
+    }
+    form { display: contents; }
+    button.project-card {
+      width: 100%;
+      text-align: left;
+      font: inherit;
+    }
+    /* Footer branding */
+    .footer {
+      text-align: center;
+      margin-top: 48px;
+      padding-top: 24px;
+      border-top: 1px solid #262626;
+    }
+    .footer-text {
+      font-size: 12px;
+      color: #525252;
+    }
+    .footer-text a {
+      color: #6EE7B7;
+      text-decoration: none;
+      transition: opacity 0.2s;
+    }
+    .footer-text a:hover {
+      opacity: 0.8;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">
+      <img alt="InsForge Logo" width="100" height="24" decoding="async" data-nimg="1" style="color:transparent" src="https://insforge.dev/assets/logos/logo_text.svg">
+    </div>
+    <h1>Select a Project</h1>
+    <p class="subtitle">Choose the project to connect with your coding agent</p>
+    ${projectsHtml}
+    <a href="javascript:history.back()" class="cancel-link">Cancel</a>
+  </div>
+</body>
+</html>`;
+}
+function escapeHtml(text) {
+  const htmlEscapes = {
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': "&quot;",
+    "'": "&#39;"
+  };
+  return text.replace(/[&<>"']/g, (char) => htmlEscapes[char]);
+}
+// src/http/analytics.ts
+import Mixpanel from "mixpanel";
+function extractClientInfo(body) {
+  if (!body || typeof body !== "object") return null;
+  const single = body;
+  if (single.method === "initialize" && single.params?.clientInfo?.name) {
+    return {
+      name: single.params.clientInfo.name,
+      version: single.params.clientInfo.version || "unknown"
+    };
+  }
+  if (Array.isArray(body)) {
+    for (const req of body) {
+      const result = extractClientInfo(req);
+      if (result) return result;
+    }
+  }
+  return null;
+}
+var CLIENT_PATTERNS = [
+  // Anthropic
+  [["claude-code", "claudecode", "claude code"], "claude_code"],
+  [["claude-desktop", "claudedesktop", "claude desktop"], "claude_desktop"],
+  // Editors / IDEs
+  [["cursor"], "cursor"],
+  [["cline"], "cline"],
+  [["windsurf"], "windsurf"],
+  [["roocode", "roo-code", "roo code"], "roocode"],
+  [["trae"], "trae"],
+  [["kiro"], "kiro"],
+  [["github copilot", "github-copilot"], "github_copilot"],
+  [["vscode", "visual studio code"], "vscode"],
+  // CLI agents
+  [["codex"], "codex"],
+  [["opencode", "open-code"], "opencode"],
+  [["gemini-cli", "gemini cli", "gemini_cli"], "gemini_cli"],
+  [["antigravity", "google-antigravity"], "google_antigravity"],
+  [["qoder"], "qoder"],
+  [["goose"], "goose"]
+];
+function wordBoundaryMatch(input, pattern) {
+  const idx = input.indexOf(pattern);
+  if (idx === -1) return false;
+  const before = idx === 0 || !/[a-z]/.test(input[idx - 1]);
+  const after = idx + pattern.length >= input.length || !/[a-z]/.test(input[idx + pattern.length]);
+  return before && after;
+}
+function matchClientType(input) {
+  const lower = input.toLowerCase();
+  for (const [patterns, clientType] of CLIENT_PATTERNS) {
+    if (patterns.some((p) => wordBoundaryMatch(lower, p))) return clientType;
+  }
+  return "unknown";
+}
+function normalizeClientName(name) {
+  return matchClientType(name);
+}
+function parseUserAgent(userAgent) {
+  if (!userAgent) return "unknown";
+  return matchClientType(userAgent);
+}
+var AnalyticsService = class {
+  mixpanel = null;
+  enabled;
+  constructor() {
+    const mixpanelToken = ANALYTICS_CONFIG.mixpanelToken;
+    this.enabled = isAnalyticsConfigured();
+    if (this.enabled && mixpanelToken) {
+      this.mixpanel = Mixpanel.init(mixpanelToken, {
+        protocol: "https",
+        keepAlive: false
+      });
+      console.log("[Analytics] Mixpanel initialized");
+    } else {
+      console.log("[Analytics] Disabled (no MIXPANEL_TOKEN or ENABLE_ANALYTICS=false)");
+    }
+  }
+  /**
+   * Track when a new MCP session is created.
+   * Uses clientInfo (from MCP initialize) as primary source, User-Agent as fallback.
+   */
+  trackSessionCreated(params) {
+    if (!this.enabled || !this.mixpanel) return;
+    const clientType = params.clientName ? normalizeClientName(params.clientName) : parseUserAgent(params.userAgent);
+    const distinctId = params.userId !== "legacy" && params.userId !== "unknown" ? params.userId : `anon_${params.projectId}`;
+    try {
+      this.mixpanel.track("mcp_session_created", {
+        distinct_id: distinctId,
+        client_type: clientType,
+        client_name: params.clientName || "not_provided",
+        client_version: params.clientVersion || "not_provided",
+        user_agent: params.userAgent || "not_provided",
+        transport_type: params.transportType,
+        project_id: params.projectId,
+        user_id: params.userId,
+        organization_id: params.organizationId,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    } catch (error) {
+      console.warn("[Analytics] Failed to track mcp_session_created:", error instanceof Error ? error.message : error);
+    }
+  }
+  /**
+   * Track a successful OAuth token exchange.
+   */
+  trackOAuthSuccess(params) {
+    if (!this.enabled || !this.mixpanel) return;
+    try {
+      this.mixpanel.track("mcp_oauth_success", {
+        distinct_id: params.clientId,
+        client_id: params.clientId,
+        scope: params.scope,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    } catch (error) {
+      console.warn("[Analytics] Failed to track mcp_oauth_success:", error instanceof Error ? error.message : error);
+    }
+  }
+  /**
+   * Track an OAuth failure.
+   */
+  trackOAuthFailure(params) {
+    if (!this.enabled || !this.mixpanel) return;
+    try {
+      this.mixpanel.track("mcp_oauth_failure", {
+        distinct_id: "system",
+        error_type: params.errorType,
+        error_description: params.errorDescription,
+        endpoint: params.endpoint,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    } catch (error) {
+      console.warn("[Analytics] Failed to track mcp_oauth_failure:", error instanceof Error ? error.message : error);
+    }
+  }
+};
+var _instance = null;
+function getAnalyticsService() {
+  if (!_instance) _instance = new AnalyticsService();
+  return _instance;
+}
+// src/http/server.ts
 var app = express();
+app.set("trust proxy", true);
 app.use(express.json({ limit: "10mb" }));
+app.use(express.urlencoded({ extended: true }));
 app.use((req, res, next) => {
   res.setHeader("Access-Control-Allow-Origin", "*");
   res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
-  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, Authorization, X-Base-URL, Mcp-Session-Id, Last-Event-ID");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, Authorization, Mcp-Session-Id, Last-Event-ID");
   res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id");
   if (req.method === "OPTIONS") {
     return res.sendStatus(200);
   }
   next();
 });
-app.get("/health", (_req, res) => {
-  res.json({
-    status: "ok",
-    server: "insforge-mcp-streamable",
-    version: "1.0.0",
-    protocol: "Streamable HTTP",
-    sessions: transports.size,
-    authentication: "per-request via headers",
-    requiredHeaders: {
-      "Authorization": "Bearer <API_KEY>",
-      "X-Base-URL": "<BACKEND_URL> (e.g. http://localhost:7130)"
-    }
-  });
-});
 function isInitializeRequest(body) {
   if (!body) return false;
-  if (body.method === "initialize") {
-    return true;
+  if (typeof body === "object" && body !== null && "method" in body) {
+    if (body.method === "initialize") {
+      return true;
+    }
   }
   if (Array.isArray(body)) {
-    return body.some((req) => req.method === "initialize");
+    return body.some(
+      (req) => typeof req === "object" && req !== null && "method" in req && req.method === "initialize"
+    );
   }
   return false;
 }
-app.post("/mcp", async (req, res) => {
-  const sessionId = req.headers["mcp-session-id"];
-  console.log(`[${(/* @__PURE__ */ new Date()).toISOString()}] POST /mcp - Session: ${sessionId || "none"}`);
+function tokenFingerprint(token) {
+  return createHash2("sha256").update(token).digest("hex").substring(0, 8);
+}
+async function resolveProjectFromToken(token) {
+  const oauthManager2 = getOAuthManager();
+  return oauthManager2.resolveProjectFromToken(token);
+}
+function extractOAuthToken(req) {
   const authHeader = req.headers["authorization"];
-  let apiKey;
   if (authHeader?.startsWith("Bearer ")) {
-    apiKey = authHeader.substring(7);
+    return authHeader.substring(7);
   }
-  const apiBaseUrl = req.headers["x-base-url"];
-  let transport;
-  let mcpServer;
-  if (sessionId && transports.has(sessionId)) {
-    transport = transports.get(sessionId);
-    console.log("Using existing transport for session:", sessionId);
-  } else if (isInitializeRequest(req.body)) {
-    if (!apiKey) {
-      return res.status(401).json({
-        error: "Missing required Authorization header. Expected: Authorization: Bearer <API_KEY>"
+  return void 0;
+}
+function extractLegacyHeaders(req) {
+  return {
+    apiKey: req.headers["x-api-key"],
+    apiBaseUrl: req.headers["x-base-url"]
+  };
+}
+app.get(API_ENDPOINTS.health, async (_req, res) => {
+  const sessionManager2 = getSessionManager();
+  const stats = await sessionManager2.getStats();
+  res.json({
+    status: "ok",
+    server: "insforge-mcp",
+    version: "1.0.0",
+    protocols: {
+      streamableHttp: "2025-03-26",
+      sse: "2024-11-05 (deprecated)"
+    },
+    sessions: stats,
+    authentication: "OAuth Bearer Token"
+  });
+});
+app.get(OAUTH_ENDPOINTS.metadata, (_req, res) => {
+  const baseUrl = SERVER_CONFIG.publicUrl;
+  res.json({
+    issuer: baseUrl,
+    authorization_endpoint: `${baseUrl}${OAUTH_ENDPOINTS.authorize}`,
+    token_endpoint: `${baseUrl}${OAUTH_ENDPOINTS.token}`,
+    revocation_endpoint: `${baseUrl}${OAUTH_ENDPOINTS.revoke}`,
+    registration_endpoint: `${baseUrl}${OAUTH_ENDPOINTS.register}`,
+    response_types_supported: OAUTH_CONFIG.responseTypes,
+    grant_types_supported: OAUTH_CONFIG.grantTypes,
+    code_challenge_methods_supported: OAUTH_CONFIG.codeChallengesMethods,
+    scopes_supported: OAUTH_CONFIG.supportedScopes
+  });
+});
+app.get(OAUTH_ENDPOINTS.protectedResource, (_req, res) => {
+  const baseUrl = SERVER_CONFIG.publicUrl;
+  res.json({
+    resource: `${baseUrl}/mcp`,
+    authorization_servers: [baseUrl],
+    scopes_supported: ["mcp:read", "mcp:write"]
+  });
+});
+app.post(OAUTH_ENDPOINTS.register, async (req, res) => {
+  const {
+    client_name,
+    redirect_uris,
+    grant_types,
+    response_types,
+    token_endpoint_auth_method,
+    scope
+  } = req.body;
+  if (!redirect_uris || !Array.isArray(redirect_uris) || redirect_uris.length === 0) {
+    return res.status(400).json({
+      error: "invalid_client_metadata",
+      error_description: "redirect_uris is required and must be a non-empty array"
+    });
+  }
+  const clientId = `mcp_${randomUUID().replace(/-/g, "")}`;
+  const redis = getRedisClient();
+  const clientData = {
+    client_id: clientId,
+    client_name: client_name || "MCP Client",
+    redirect_uris,
+    grant_types: grant_types || OAUTH_CONFIG.grantTypes,
+    response_types: response_types || ["code"],
+    token_endpoint_auth_method: token_endpoint_auth_method || "none",
+    scope: scope || "mcp:read mcp:write",
+    created_at: Date.now()
+  };
+  await redis.setex(
+    `mcp:oauth:client:${clientId}`,
+    30 * 24 * 60 * 60,
+    JSON.stringify(clientData)
+  );
+  console.log(`[OAuth] Registered new client: ${clientId} (${clientData.client_name})`);
+  res.status(201).json({
+    client_id: clientId,
+    client_name: clientData.client_name,
+    redirect_uris: clientData.redirect_uris,
+    grant_types: clientData.grant_types,
+    response_types: clientData.response_types,
+    token_endpoint_auth_method: clientData.token_endpoint_auth_method,
+    scope: clientData.scope
+  });
+});
+app.get(OAUTH_ENDPOINTS.authorize, async (req, res) => {
+  const { client_id, redirect_uri, response_type, scope, state, code_challenge, code_challenge_method } = req.query;
+  if (!isOAuthConfigured()) {
+    return res.status(500).json({
+      error: "server_error",
+      error_description: "OAuth client credentials not configured. Set INSFORGE_CLIENT_ID and INSFORGE_CLIENT_SECRET."
+    });
+  }
+  if (!client_id || !redirect_uri || !response_type) {
+    return res.status(400).json({
+      error: "invalid_request",
+      error_description: "Missing required parameters: client_id, redirect_uri, response_type"
+    });
+  }
+  const resolvedScope = scope || OAUTH_CONFIG.supportedScopes.join(" ");
+  if (response_type !== "code") {
+    return res.status(400).json({
+      error: "unsupported_response_type",
+      error_description: "Only response_type=code is supported"
+    });
+  }
+  const redis = getRedisClient();
+  const clientDataStr = await redis.get(`mcp:oauth:client:${client_id}`);
+  if (!clientDataStr) {
+    return res.status(400).json({
+      error: "invalid_client",
+      error_description: "Unknown client_id. Register client first via /oauth/register."
+    });
+  }
+  let clientData;
+  try {
+    clientData = JSON.parse(clientDataStr);
+  } catch (parseError) {
+    console.error(`[OAuth] Failed to parse client data for client_id ${client_id}:`, parseError);
+    return res.status(500).json({
+      error: "server_error",
+      error_description: "Failed to read client registration data."
+    });
+  }
+  if (!clientData.client_id || typeof clientData.client_id !== "string") {
+    console.error(`[OAuth] Invalid client data: missing or invalid client_id for ${client_id}`);
+    return res.status(500).json({
+      error: "server_error",
+      error_description: "Client registration data is corrupted."
+    });
+  }
+  if (!Array.isArray(clientData.redirect_uris)) {
+    console.error(`[OAuth] Invalid client data: missing or invalid redirect_uris for ${client_id}`);
+    return res.status(500).json({
+      error: "server_error",
+      error_description: "Client registration data is corrupted."
+    });
+  }
+  if (!clientData.redirect_uris.includes(redirect_uri)) {
+    return res.status(400).json({
+      error: "invalid_request",
+      error_description: "redirect_uri does not match any registered redirect URIs for this client."
+    });
+  }
+  try {
+    const oauthManager2 = getOAuthManager();
+    const { stateId, insforgeCodeChallenge } = await oauthManager2.createAuthorizationState({
+      clientId: client_id,
+      redirectUri: redirect_uri,
+      scope: resolvedScope,
+      state,
+      codeChallenge: code_challenge,
+      codeChallengeMethod: code_challenge_method
+    });
+    const authUrl = new URL(`${INSFORGE_CONFIG.apiBase}/api/oauth/v1/authorize`);
+    authUrl.searchParams.set("client_id", INSFORGE_CONFIG.clientId);
+    authUrl.searchParams.set("redirect_uri", OAUTH_CONFIG.callbackUrl);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("scope", INSFORGE_CONFIG.oauthScopes);
+    authUrl.searchParams.set("state", stateId);
+    authUrl.searchParams.set("code_challenge", insforgeCodeChallenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    console.log(`[OAuth] Redirecting to Insforge OAuth: ${authUrl.toString()}`);
+    res.redirect(authUrl.toString());
+  } catch (error) {
+    console.error("OAuth authorize error:", error);
+    res.status(500).json({
+      error: "server_error",
+      error_description: "Failed to initiate authorization"
+    });
+  }
+});
+app.get(OAUTH_ENDPOINTS.callback, async (req, res) => {
+  const { code, state, error, error_description } = req.query;
+  const oauthManager2 = getOAuthManager();
+  if (error) {
+    console.error("[OAuth] Insforge returned error:", error, error_description);
+    getAnalyticsService().trackOAuthFailure({
+      errorType: "insforge_error",
+      errorDescription: error_description || error || "Unknown Insforge error",
+      endpoint: "/oauth/callback"
+    });
+    const authState = state ? await oauthManager2.getAuthorizationState(state) : null;
+    if (authState?.redirectUri) {
+      const redirectUrl = new URL(authState.redirectUri);
+      redirectUrl.searchParams.set("error", error);
+      if (error_description) {
+        redirectUrl.searchParams.set("error_description", error_description);
+      }
+      if (authState.state) {
+        redirectUrl.searchParams.set("state", authState.state);
+      }
+      return res.redirect(redirectUrl.toString());
+    }
+    return res.status(400).json({ error, error_description });
+  }
+  if (!code || !state) {
+    getAnalyticsService().trackOAuthFailure({
+      errorType: "invalid_request",
+      errorDescription: "Missing required parameters: code, state",
+      endpoint: "/oauth/callback"
+    });
+    return res.status(400).json({
+      error: "invalid_request",
+      error_description: "Missing required parameters: code, state"
+    });
+  }
+  try {
+    const authState = await oauthManager2.getAuthorizationState(state);
+    if (!authState) {
+      getAnalyticsService().trackOAuthFailure({
+        errorType: "invalid_request",
+        errorDescription: "Invalid or expired state",
+        endpoint: "/oauth/callback"
+      });
+      return res.status(400).json({
+        error: "invalid_request",
+        error_description: "Invalid or expired state"
       });
     }
-    if (!apiBaseUrl) {
+    console.log("[OAuth] Exchanging code for tokens...");
+    const tokenResponse = await fetch(`${INSFORGE_CONFIG.apiBase}/api/oauth/v1/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: OAUTH_CONFIG.callbackUrl,
+        client_id: INSFORGE_CONFIG.clientId,
+        client_secret: INSFORGE_CONFIG.clientSecret,
+        code_verifier: authState.insforgeCodeVerifier
+      })
+    });
+    const tokens = await tokenResponse.json();
+    if (tokens.error || !tokens.access_token) {
+      console.error("[OAuth] Token exchange error:", tokens);
+      getAnalyticsService().trackOAuthFailure({
+        errorType: "token_exchange_failed",
+        errorDescription: "Token exchange failed",
+        endpoint: "/oauth/callback"
+      });
       return res.status(400).json({
-        error: "Missing required X-Base-URL header. Expected: X-Base-URL: <BACKEND_URL>"
+        error: "token_exchange_failed",
+        error_description: tokens.error_description || tokens.error || "No access token returned"
       });
     }
+    console.log("[OAuth] Token received, redirecting to project selection...");
+    const redis = getRedisClient();
+    await redis.setex(
+      `mcp:oauth:token:${state}`,
+      10 * 60,
+      tokens.access_token
+    );
+    res.redirect(`${SERVER_CONFIG.publicUrl}${OAUTH_ENDPOINTS.selectProject}?state_id=${state}`);
+  } catch (error2) {
+    console.error("OAuth callback error:", error2);
+    getAnalyticsService().trackOAuthFailure({
+      errorType: "server_error",
+      errorDescription: "Failed to process callback",
+      endpoint: "/oauth/callback"
+    });
+    res.status(500).json({
+      error: "server_error",
+      error_description: error2 instanceof Error ? error2.message : "Failed to process callback"
+    });
+  }
+});
+app.get(OAUTH_ENDPOINTS.selectProject, async (req, res) => {
+  const { state_id } = req.query;
+  if (!state_id) {
+    return res.status(400).send("Missing state_id parameter");
+  }
+  try {
+    const oauthManager2 = getOAuthManager();
+    const redis = getRedisClient();
+    const token = await redis.get(`mcp:oauth:token:${state_id}`);
+    if (!token) {
+      return res.status(400).send("Session expired. Please start the authorization process again.");
+    }
+    const authState = await oauthManager2.getAuthorizationState(state_id);
+    if (!authState) {
+      return res.status(400).send("Invalid or expired state");
+    }
+    const projectGroups = await oauthManager2.getAvailableProjects(token);
+    res.send(renderProjectSelectionPage({
+      stateId: state_id,
+      projectGroups,
+      selectProjectEndpoint: OAUTH_ENDPOINTS.selectProject
+    }));
+  } catch (error) {
+    console.error("Project selection page error:", error);
+    res.status(500).send("Failed to load projects. Please try again.");
+  }
+});
+app.post(OAUTH_ENDPOINTS.selectProject, async (req, res) => {
+  const { state_id, project_id } = req.body;
+  if (!state_id || !project_id) {
+    return res.status(400).json({
+      error: "invalid_request",
+      error_description: "Missing required parameters: state_id, project_id"
+    });
+  }
+  try {
+    const oauthManager2 = getOAuthManager();
+    const redis = getRedisClient();
+    const token = await redis.get(`mcp:oauth:token:${state_id}`);
+    if (!token) {
+      return res.status(400).send("Session expired. Please start the authorization process again.");
+    }
+    const authState = await oauthManager2.getAuthorizationState(state_id);
+    if (!authState) {
+      return res.status(400).json({
+        error: "invalid_request",
+        error_description: "Invalid or expired state"
+      });
+    }
+    const code = await oauthManager2.createAuthorizationCode(
+      state_id,
+      token,
+      project_id
+    );
+    await redis.del(`mcp:oauth:token:${state_id}`);
+    const redirectUrl = new URL(authState.redirectUri);
+    redirectUrl.searchParams.set("code", code);
+    if (authState.state) {
+      redirectUrl.searchParams.set("state", authState.state);
+    }
+    console.log(`[OAuth] Authorization complete, redirecting to client: ${redirectUrl.toString()}`);
+    res.redirect(redirectUrl.toString());
+  } catch (error) {
+    console.error("Project selection error:", error);
+    res.status(500).json({
+      error: "server_error",
+      error_description: error instanceof Error ? error.message : "Failed to process project selection"
+    });
+  }
+});
+app.post(OAUTH_ENDPOINTS.token, async (req, res) => {
+  const { grant_type, code, redirect_uri, code_verifier } = req.body;
+  if (grant_type === "authorization_code") {
+    if (!code || !redirect_uri) {
+      getAnalyticsService().trackOAuthFailure({
+        errorType: "invalid_request",
+        errorDescription: "Missing required parameters: code, redirect_uri",
+        endpoint: "/oauth/token"
+      });
+      return res.status(400).json({
+        error: "invalid_request",
+        error_description: "Missing required parameters: code, redirect_uri"
+      });
+    }
+    try {
+      const oauthManager2 = getOAuthManager();
+      const { tokenHash } = await oauthManager2.exchangeCode(
+        code,
+        redirect_uri,
+        code_verifier
+      );
+      getAnalyticsService().trackOAuthSuccess({
+        clientId: req.body.client_id || "unknown",
+        scope: "mcp:read mcp:write"
+      });
+      res.json({
+        access_token: tokenHash,
+        token_type: "Bearer",
+        expires_in: 30 * 24 * 60 * 60,
+        scope: "mcp:read mcp:write"
+      });
+    } catch (error) {
+      console.error("OAuth token error:", error);
+      getAnalyticsService().trackOAuthFailure({
+        errorType: "invalid_grant",
+        errorDescription: "Invalid authorization code",
+        endpoint: "/oauth/token"
+      });
+      res.status(400).json({
+        error: "invalid_grant",
+        error_description: error instanceof Error ? error.message : "Invalid authorization code"
+      });
+    }
+  } else if (grant_type === "refresh_token") {
+    getAnalyticsService().trackOAuthFailure({
+      errorType: "unsupported_grant_type",
+      errorDescription: "Refresh tokens are not supported",
+      endpoint: "/oauth/token"
+    });
+    return res.status(400).json({
+      error: "unsupported_grant_type",
+      error_description: "Refresh tokens are not supported"
+    });
+  } else {
+    getAnalyticsService().trackOAuthFailure({
+      errorType: "unsupported_grant_type",
+      errorDescription: "Only authorization_code grant type is supported",
+      endpoint: "/oauth/token"
+    });
+    return res.status(400).json({
+      error: "unsupported_grant_type",
+      error_description: "Only authorization_code grant type is supported"
+    });
+  }
+});
+app.post(OAUTH_ENDPOINTS.revoke, async (req, res) => {
+  const { token } = req.body;
+  if (!token) {
+    return res.status(400).json({
+      error: "invalid_request",
+      error_description: "Missing token parameter"
+    });
+  }
+  try {
+    const oauthManager2 = getOAuthManager();
+    await oauthManager2.revokeBinding(token);
+    res.status(200).send();
+  } catch {
+    res.status(200).send();
+  }
+});
+app.get(API_ENDPOINTS.projects, async (req, res) => {
+  const authHeader = req.headers["authorization"];
+  if (!authHeader?.startsWith("Bearer ")) {
+    return res.status(401).json({ error: "Missing or invalid Authorization header" });
+  }
+  const token = authHeader.substring(7);
+  try {
+    const oauthManager2 = getOAuthManager();
+    const projects = await oauthManager2.getAvailableProjects(token);
+    res.json({ organizations: projects });
+  } catch (error) {
+    console.error("Get projects error:", error);
+    res.status(500).json({
+      error: "Failed to get projects",
+      details: error instanceof Error ? error.message : "Unknown error"
+    });
+  }
+});
+app.post(API_ENDPOINTS.bindProject, async (req, res) => {
+  const authHeader = req.headers["authorization"];
+  if (!authHeader?.startsWith("Bearer ")) {
+    return res.status(401).json({ error: "Missing or invalid Authorization header" });
+  }
+  const token = authHeader.substring(7);
+  const projectId = req.params.projectId;
+  try {
+    const oauthManager2 = getOAuthManager();
+    const binding = await oauthManager2.bindTokenToProject(token, projectId);
+    res.json({
+      success: true,
+      project: {
+        id: binding.projectId,
+        name: binding.projectName,
+        organizationId: binding.organizationId
+      },
+      message: "Token successfully bound to project. You can now use this token with the MCP endpoint."
+    });
+  } catch (error) {
+    console.error("Bind project error:", error);
+    res.status(500).json({
+      error: "Failed to bind project",
+      details: error instanceof Error ? error.message : "Unknown error"
+    });
+  }
+});
+app.post(STREAMABLE_HTTP_ENDPOINTS.mcp, async (req, res) => {
+  const sessionId = req.headers["mcp-session-id"];
+  const sessionManager2 = getSessionManager();
+  const oauthToken = extractOAuthToken(req);
+  const { apiKey: legacyApiKey, apiBaseUrl: legacyApiBaseUrl } = extractLegacyHeaders(req);
+  console.log(`[${(/* @__PURE__ */ new Date()).toISOString()}] POST ${STREAMABLE_HTTP_ENDPOINTS.mcp} - Session: ${sessionId || "none"}, Token: ${oauthToken ? tokenFingerprint(oauthToken) : "none"}`);
+  let transport;
+  const existingRuntime = sessionId ? sessionManager2.getStreamableSession(sessionId) : null;
+  if (existingRuntime) {
+    transport = existingRuntime.transport;
+    console.log("[Streamable HTTP] Using existing transport for session:", sessionId);
+    await sessionManager2.touchSession(sessionId);
+  } else if (sessionId && await sessionManager2.hasSession(sessionId)) {
+    console.log("[Streamable HTTP] Session found in Redis, restoring:", sessionId);
     transport = new StreamableHTTPServerTransport({
-      sessionIdGenerator: () => randomUUID(),
-      onsessioninitialized: (sessionId2) => {
-        console.log(`Session initialized: ${sessionId2}`);
-        transports.set(sessionId2, transport);
-        if (mcpServer) {
-          servers.set(sessionId2, mcpServer);
-        }
+      sessionIdGenerator: () => sessionId,
+      onsessioninitialized: () => {
+        console.log(`[Streamable HTTP] Session restored: ${sessionId}`);
       }
     });
-    mcpServer = new McpServer({
-      name: "insforge-mcp",
-      version: "1.0.0"
-    });
-    await registerInsforgeTools(mcpServer, {
-      apiKey,
-      apiBaseUrl
+    const server = await sessionManager2.restoreSession(sessionId, transport);
+    if (!server) {
+      return res.status(500).json({
+        error: "Failed to restore session from Redis"
+      });
+    }
+  } else if (isInitializeRequest(req.body)) {
+    let projectInfo = oauthToken ? await resolveProjectFromToken(oauthToken) : null;
+    if (!projectInfo) {
+      if (!legacyApiKey && !oauthToken) {
+        return res.status(401).json({
+          error: "authentication_required",
+          error_description: "Missing authentication. Provide Authorization: Bearer <OAUTH_TOKEN> or X-Api-Key header.",
+          oauth_authorize_url: `${SERVER_CONFIG.publicUrl}${OAUTH_ENDPOINTS.authorize}`
+        });
+      }
+      if (oauthToken && !legacyApiBaseUrl) {
+        return res.status(401).json({
+          error: "project_binding_required",
+          error_description: "OAuth token is valid but not bound to a project. Complete the OAuth flow or call POST /api/projects/{projectId}/bind",
+          oauth_authorize_url: `${SERVER_CONFIG.publicUrl}${OAUTH_ENDPOINTS.authorize}`,
+          projects_url: `${SERVER_CONFIG.publicUrl}${API_ENDPOINTS.projects}`
+        });
+      }
+      if (!legacyApiBaseUrl) {
+        return res.status(400).json({
+          error: "Missing X-Base-URL header (required for legacy authentication)."
+        });
+      }
+      if (!legacyApiKey) {
+        return res.status(401).json({
+          error: "invalid_credentials",
+          error_description: "Legacy authentication requires X-Api-Key header. OAuth tokens cannot be used as API keys."
+        });
+      }
+      projectInfo = {
+        apiKey: legacyApiKey,
+        apiBaseUrl: legacyApiBaseUrl,
+        projectId: "legacy",
+        projectName: "Legacy Session",
+        userId: "legacy",
+        organizationId: "legacy",
+        oauthTokenHash: "legacy"
+      };
+    }
+    const newSessionId = randomUUID();
+    transport = new StreamableHTTPServerTransport({
+      sessionIdGenerator: () => newSessionId,
+      onsessioninitialized: async (initializedSessionId) => {
+        console.log(`[Streamable HTTP] Session initialized: ${initializedSessionId}`);
+      }
     });
-    console.log("Connecting server to transport...");
-    await mcpServer.connect(transport);
-    console.log("Server connected successfully");
+    try {
+      await sessionManager2.createSession(newSessionId, projectInfo, transport);
+      console.log("[Streamable HTTP] New session created:", newSessionId);
+      const clientInfo = extractClientInfo(req.body);
+      getAnalyticsService().trackSessionCreated({
+        clientName: clientInfo?.name,
+        clientVersion: clientInfo?.version,
+        userAgent: req.headers["user-agent"],
+        transportType: "streamable_http",
+        projectId: projectInfo.projectId,
+        userId: projectInfo.userId,
+        organizationId: projectInfo.organizationId
+      });
+    } catch (error) {
+      console.error("[Streamable HTTP] Failed to create session:", error);
+      return res.status(500).json({
+        error: "Failed to create session",
+        details: error instanceof Error ? error.message : "Unknown error"
+      });
+    }
   } else {
     return res.status(400).json({
-      error: "Session required. Send initialize request first or provide Mcp-Session-Id header."
+      error: "Session required. Send initialize request first or provide valid Mcp-Session-Id header."
     });
   }
-  console.log("Handling request with transport...");
+  console.log("[Streamable HTTP] Handling request...");
   await transport.handleRequest(req, res, req.body);
-  console.log("Request handled");
+  console.log("[Streamable HTTP] Request handled");
 });
-app.get("/mcp", async (req, res) => {
+app.get(STREAMABLE_HTTP_ENDPOINTS.mcp, async (req, res) => {
   const sessionId = req.headers["mcp-session-id"];
-  console.log(`[${(/* @__PURE__ */ new Date()).toISOString()}] GET /mcp - Session: ${sessionId || "none"}`);
-  if (!sessionId || !transports.has(sessionId)) {
+  const authHeader = req.headers["authorization"];
+  const sessionManager2 = getSessionManager();
+  console.log(`[${(/* @__PURE__ */ new Date()).toISOString()}] GET ${STREAMABLE_HTTP_ENDPOINTS.mcp} - Session: ${sessionId || "none"}, Auth: ${authHeader ? "present" : "missing"}`);
+  if (!sessionId) {
+    return res.status(400).json({
+      error: "Missing Mcp-Session-Id header."
+    });
+  }
+  const runtime = sessionManager2.getStreamableSession(sessionId);
+  if (!runtime) {
+    if (await sessionManager2.hasSession(sessionId)) {
+      return res.status(400).json({
+        error: "Session exists but not active. Send a POST request to restore the session first."
+      });
+    }
     return res.status(404).json({
       error: "Session not found. Initialize first with POST request."
     });
   }
-  const transport = transports.get(sessionId);
-  await transport.handleRequest(req, res, req.body);
+  await runtime.transport.handleRequest(req, res, req.body);
 });
-app.delete("/mcp", async (req, res) => {
+app.delete(STREAMABLE_HTTP_ENDPOINTS.mcp, async (req, res) => {
   const sessionId = req.headers["mcp-session-id"];
-  console.log(`[${(/* @__PURE__ */ new Date()).toISOString()}] DELETE /mcp - Session: ${sessionId || "none"}`);
-  if (!sessionId || !transports.has(sessionId)) {
+  const sessionManager2 = getSessionManager();
+  console.log(`[${(/* @__PURE__ */ new Date()).toISOString()}] DELETE ${STREAMABLE_HTTP_ENDPOINTS.mcp} - Session: ${sessionId || "none"}`);
+  if (!sessionId) {
+    return res.status(400).json({
+      error: "Missing Mcp-Session-Id header."
+    });
+  }
+  const runtime = sessionManager2.getStreamableSession(sessionId);
+  if (!runtime) {
+    if (await sessionManager2.hasSession(sessionId)) {
+      await sessionManager2.deleteSession(sessionId);
+      return res.status(200).json({
+        message: "Session deleted from storage."
+      });
+    }
     return res.status(404).json({
       error: "Session not found."
     });
   }
-  const transport = transports.get(sessionId);
-  const server2 = servers.get(sessionId);
-  await transport.handleRequest(req, res, req.body);
-  if (server2) {
-    await server2.close();
-    servers.delete(sessionId);
-  }
-  transports.delete(sessionId);
-  console.log(`Session ${sessionId} closed`);
-});
-var server = app.listen(PORT, "127.0.0.1", () => {
-  console.log(`
-\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
-\u2551         Insforge MCP Streamable HTTP Server             \u2551
-\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
-\u{1F680} Server: http://127.0.0.1:${PORT}
-\u{1F517} Endpoint: http://127.0.0.1:${PORT}/mcp
-\u{1F49A} Health: http://127.0.0.1:${PORT}/health
-\u{1F4CB} Protocol: Streamable HTTP (2024-11-05+ spec)
-\u{1F510} Required Headers (per-request):
-   \u2022 Authorization: Bearer <API_KEY>
-   \u2022 X-Base-URL: <BACKEND_URL>
-\u{1F4DD} Client Configuration Example:
-{
-  "mcpServers": {
-    "insforge": {
-      "url": "http://127.0.0.1:${PORT}/mcp",
-      "headers": {
-        "Authorization": "Bearer YOUR_API_KEY",
-        "X-Base-URL": "http://localhost:7130"
-      }
-    }
+  try {
+    await runtime.transport.handleRequest(req, res, req.body);
+  } finally {
+    await sessionManager2.deleteSession(sessionId);
+    console.log(`[Streamable HTTP] Session ${sessionId} closed`);
   }
-}
-\u{1F504} Session Management: Automatic (stateful)
-\u{1F6E1}\uFE0F  Security: Binding to localhost only (127.0.0.1)
-`);
 });
-process.on("SIGINT", async () => {
-  console.log("\n\u{1F6D1} Shutting down server...");
-  for (const [sessionId, server2] of servers.entries()) {
-    try {
-      console.log(`Closing session: ${sessionId}`);
-      await server2.close();
-      const transport = transports.get(sessionId);
-      if (transport) {
-        await transport.close();
-      }
-    } catch (error) {
-      console.error(`Error closing session ${sessionId}:`, error);
+var sseTransports = /* @__PURE__ */ new Map();
+app.get(SSE_ENDPOINTS.sse, async (req, res) => {
+  console.log(`[${(/* @__PURE__ */ new Date()).toISOString()}] GET ${SSE_ENDPOINTS.sse} - Establishing SSE connection (DEPRECATED protocol)`);
+  const oauthToken = extractOAuthToken(req);
+  const { apiKey: legacyApiKey, apiBaseUrl: legacyApiBaseUrl } = extractLegacyHeaders(req);
+  let projectInfo = oauthToken ? await resolveProjectFromToken(oauthToken) : null;
+  if (!projectInfo) {
+    if (!legacyApiKey && !oauthToken) {
+      return res.status(401).json({
+        error: "authentication_required",
+        error_description: "Missing authentication. Provide Authorization: Bearer <OAUTH_TOKEN> or X-Api-Key header."
+      });
+    }
+    if (oauthToken && !legacyApiBaseUrl) {
+      return res.status(401).json({
+        error: "project_binding_required",
+        error_description: "OAuth token is valid but not bound to a project. Complete the OAuth flow."
+      });
     }
+    if (!legacyApiBaseUrl || !legacyApiKey) {
+      return res.status(400).json({
+        error: "Missing X-Api-Key or X-Base-URL header (required for legacy authentication)."
+      });
+    }
+    projectInfo = {
+      apiKey: legacyApiKey,
+      apiBaseUrl: legacyApiBaseUrl,
+      projectId: "legacy",
+      projectName: "Legacy Project",
+      userId: "unknown",
+      organizationId: "unknown",
+      oauthTokenHash: ""
+    };
   }
-  servers.clear();
-  transports.clear();
-  server.close(() => {
-    console.log("\u2705 Server shutdown complete");
-    process.exit(0);
+  const validProjectInfo = projectInfo;
+  const transport = new SSEServerTransport(SSE_ENDPOINTS.messages, res);
+  sseTransports.set(transport.sessionId, transport);
+  console.log(`[SSE] Session created: ${transport.sessionId}, Project: ${validProjectInfo.projectName}`);
+  res.on("close", () => {
+    console.log(`[SSE] Session closed: ${transport.sessionId}`);
+    sseTransports.delete(transport.sessionId);
+    const sessionManager3 = getSessionManager();
+    sessionManager3.deleteSession(transport.sessionId).catch((error) => {
+      console.error(`[SSE] Failed to cleanup session ${transport.sessionId}:`, error);
+    });
   });
+  const sessionManager2 = getSessionManager();
+  try {
+    await sessionManager2.createSSESession(transport.sessionId, {
+      apiKey: validProjectInfo.apiKey,
+      apiBaseUrl: validProjectInfo.apiBaseUrl,
+      projectId: validProjectInfo.projectId,
+      projectName: validProjectInfo.projectName,
+      userId: validProjectInfo.userId,
+      organizationId: validProjectInfo.organizationId,
+      oauthTokenHash: validProjectInfo.oauthTokenHash
+    }, transport);
+    console.log(`[SSE] MCP server connected for session: ${transport.sessionId}`);
+    getAnalyticsService().trackSessionCreated({
+      clientName: void 0,
+      // SSE: clientInfo not available until initialize message
+      clientVersion: void 0,
+      userAgent: req.headers["user-agent"],
+      transportType: "sse",
+      projectId: validProjectInfo.projectId,
+      userId: validProjectInfo.userId,
+      organizationId: validProjectInfo.organizationId
+    });
+  } catch (error) {
+    console.error(`[SSE] Failed to create session ${transport.sessionId}:`, error);
+    sseTransports.delete(transport.sessionId);
+    try {
+      await transport.close();
+    } catch (closeError) {
+      console.error(`[SSE] Error closing transport ${transport.sessionId}:`, closeError);
+    }
+    sessionManager2.deleteSession(transport.sessionId).catch(() => {
+    });
+    if (!res.headersSent) {
+      res.status(500).json({
+        error: "session_creation_failed",
+        error_description: error instanceof Error ? error.message : "Failed to create MCP session"
+      });
+    } else {
+      res.end();
+    }
+  }
 });
+app.post(SSE_ENDPOINTS.messages, async (req, res) => {
+  const sessionId = req.query.sessionId;
+  console.log(`[${(/* @__PURE__ */ new Date()).toISOString()}] POST ${SSE_ENDPOINTS.messages} - Session: ${sessionId || "none"}`);
+  if (!sessionId) {
+    return res.status(400).json({
+      error: "Missing sessionId query parameter"
+    });
+  }
+  const transport = sseTransports.get(sessionId);
+  if (!transport) {
+    return res.status(404).json({
+      error: `Session not found. Establish SSE connection first via GET ${SSE_ENDPOINTS.sse}`
+    });
+  }
+  await transport.handlePostMessage(req, res, req.body);
+});
+async function startServer() {
+  try {
+    validateConfig();
+    const redis = getRedisClient();
+    await redis.ping();
+    console.log("[Redis] Connection verified");
+    const server = app.listen(SERVER_CONFIG.port, SERVER_CONFIG.host, () => {
+      const redisConfig = getRedisConfig();
+      console.log(`
+\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557
+\u2551           Insforge MCP Remote Server (OAuth + Redis)                  \u2551
+\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D
+\u{1F680} Server: http://${SERVER_CONFIG.host}:${SERVER_CONFIG.port}
+\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+\u2502 \u{1F4CB} Streamable HTTP Transport (Protocol 2025-03-26) - RECOMMENDED
+\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+\u2502   POST/GET/DELETE ${SERVER_CONFIG.publicUrl}${STREAMABLE_HTTP_ENDPOINTS.mcp}
+\u2502
+\u2502   Client config:
+\u2502   {
+\u2502     "mcpServers": {
+\u2502       "insforge": {
+\u2502         "url": "${SERVER_CONFIG.publicUrl}${STREAMABLE_HTTP_ENDPOINTS.mcp}"
+\u2502       }
+\u2502     }
+\u2502   }
+\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+\u2502 \u{1F4CB} Legacy SSE Transport (Protocol 2024-11-05) - DEPRECATED
+\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+\u2502   GET  ${SERVER_CONFIG.publicUrl}${SSE_ENDPOINTS.sse}       (establish SSE stream)
+\u2502   POST ${SERVER_CONFIG.publicUrl}${SSE_ENDPOINTS.messages}  (send messages)
+\u2502
+\u2502   Client config:
+\u2502   {
+\u2502     "mcpServers": {
+\u2502       "insforge": {
+\u2502         "type": "sse",
+\u2502         "url": "${SERVER_CONFIG.publicUrl}${SSE_ENDPOINTS.sse}"
+\u2502       }
+\u2502     }
+\u2502   }
+\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+\u{1F510} OAuth 2.0 Endpoints:
+   \u2022 Discovery:  ${SERVER_CONFIG.publicUrl}${OAUTH_ENDPOINTS.metadata}
+   \u2022 Authorize:  ${SERVER_CONFIG.publicUrl}${OAUTH_ENDPOINTS.authorize}
+   \u2022 Token:      ${SERVER_CONFIG.publicUrl}${OAUTH_ENDPOINTS.token}
+   \u2022 Revoke:     ${SERVER_CONFIG.publicUrl}${OAUTH_ENDPOINTS.revoke}
+\u{1F3AF} Project API:
+   \u2022 List:       GET  ${SERVER_CONFIG.publicUrl}${API_ENDPOINTS.projects}
+   \u2022 Bind:       POST ${SERVER_CONFIG.publicUrl}${API_ENDPOINTS.bindProject}
+\u{1F4BE} Configuration:
+   \u2022 Redis:      ${redisConfig.host}:${redisConfig.port} (TLS: ${redisConfig.tls}, Cluster: ${redisConfig.cluster})
+   \u2022 Insforge:   ${INSFORGE_CONFIG.apiBase}
+   \u2022 Frontend:   ${INSFORGE_CONFIG.frontendUrl}
+   \u2022 Analytics:  ${isAnalyticsConfigured() ? "Mixpanel enabled" : "Disabled (set MIXPANEL_TOKEN)"}
+`);
+    });
+    const shutdown = async (signal) => {
+      console.log(`
+\u{1F6D1} Received ${signal}, shutting down...`);
+      const forceExitTimer = setTimeout(() => {
+        console.error("\u26A0\uFE0F Forced shutdown after timeout");
+        process.exit(1);
+      }, 1e4);
+      try {
+        console.log(`[Shutdown] Closing ${sseTransports.size} SSE connections...`);
+        for (const [sessionId, transport] of sseTransports) {
+          try {
+            await transport.close();
+          } catch (error) {
+            console.error(`[Shutdown] Error closing SSE transport ${sessionId}:`, error);
+          }
+        }
+        sseTransports.clear();
+        try {
+          const sessionManager2 = getSessionManager();
+          await sessionManager2.closeAllSessions();
+        } catch (error) {
+          console.error("[Shutdown] Error closing sessions:", error);
+        }
+        try {
+          await closeRedisClient();
+        } catch (error) {
+          console.error("[Shutdown] Error closing Redis client:", error);
+        }
+      } finally {
+        server.close(() => {
+          clearTimeout(forceExitTimer);
+          console.log("\u2705 Server shutdown complete");
+          process.exit(0);
+        });
+      }
+    };
+    process.on("SIGINT", () => shutdown("SIGINT"));
+    process.on("SIGTERM", () => shutdown("SIGTERM"));
+  } catch (error) {
+    console.error("Failed to start server:", error);
+    process.exit(1);
+  }
+}
+startServer();