@j0hanz/fetch-url-mcp 1.12.0 → 1.12.2

package/README.md

@@ -18,7 +18,7 @@ By default it runs over stdio. Pass `--http` if you need a proper HTTP endpoint
 
 - **HTML to Markdown** — Turns any public web page into clean, readable Markdown with metadata like `title`, `url`, `contentSize`, and `truncated`.
 - **Smart URL handling** — Recognizes GitHub, GitLab, Bitbucket, and Gist page URLs and rewrites them to raw-content endpoints before fetching.
-- **Task mode** — Big or slow pages can run as async MCP tasks with progress updates, instead of blocking.
+- **Task mode** — Big or slow pages can run as async MCP tasks with progress updates, instead of blocking. In HTTP mode, tasks are bound to the authenticated caller rather than a single MCP session, so they can be resumed after reconnecting with the same credentials. Polling task state also exposes `progress` and `total` when available.
 - **Self-documenting** — Includes an `internal://instructions` resource and a `get-help` prompt so clients know how to use it.
 - **HTTP mode** — Optionally serves over Streamable HTTP with host/origin validation, bearer or OAuth auth, rate limiting, health checks, and TLS.
 
@@ -484,7 +484,7 @@ For more info, see [Kilo Code docs](https://kilocode.ai/docs).
 
 - **Documentation for LLMs** — Grab a docs page, blog post, or reference article as Markdown and pass it straight into a context window.
 - **Repository content** — Hand it a GitHub, GitLab, or Bitbucket URL and it resolves the raw content endpoint. Works with Gists too.
-- **Slow or large pages** — Task mode lets big fetches run in the background while sending progress updates back to the client.
+- **Slow or large pages** — Task mode lets big fetches run in the background while sending monotonic progress updates back to the client, while `tasks/get` exposes the latest `statusMessage`, `progress`, and `total`.
 
 ## Architecture
 
@@ -530,7 +530,7 @@ For more info, see [Kilo Code docs](https://kilocode.ai/docs).
 
 #### `fetch-url`
 
-Takes a URL and returns Markdown. Read-only — no JavaScript execution. Supports running as a background MCP task for large or slow pages.
+Takes a URL and returns Markdown. Read-only — no JavaScript execution. Supports running as a background MCP task for large or slow pages. When task mode is used, `tasks/get` and `tasks/list` include `statusMessage`, `progress`, and `total` whenever progress has been reported.
 
 | Parameter | Type     | Required | Description                 |
 | --------- | -------- | -------- | --------------------------- |
@@ -538,6 +538,23 @@ Takes a URL and returns Markdown. Read-only — no JavaScript execution. Support
 
 You get text content back by default. If output validation passes, the response also includes `structuredContent` with typed fields: `url`, `resolvedUrl`, `finalUrl`, `title`, `metadata`, `markdown`, `fetchedAt`, `contentSize`, and `truncated`. A `true` value for `truncated` means the content hit a server-side size limit.
 
+To opt into progress updates, include `_meta.progressToken` in the tool call. The token may be a string or number. The server may then emit monotonic `notifications/progress` updates, and task mode reuses the same token until the task reaches a terminal state.
+
+```json
+{
+  "method": "tools/call",
+  "params": {
+    "name": "fetch-url",
+    "arguments": {
+      "url": "https://example.com/docs"
+    },
+    "_meta": {
+      "progressToken": 7
+    }
+  }
+}
+```
+
 ```text
 1. [Client] -- tools/call {name: "fetch-url", arguments} --> [Server]
 2. [Server] -- dispatch("fetch-url") --> [src/tools/fetch-url.ts]
@@ -560,14 +577,14 @@ You get text content back by default. If output validation passes, the response
 
 ## MCP Capabilities
 
-| Capability                      | Status    | Notes                                                                                                              |
-| ------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------ |
-| completions                     | confirmed | Advertised in `createServerCapabilities()`.                                                                        |
-| logging                         | confirmed | Advertised in `createServerCapabilities()` and handled through `SetLevelRequestSchema`.                            |
-| resources subscribe/listChanged | confirmed | Advertised in `createServerCapabilities()`.                                                                        |
-| prompts                         | confirmed | `get-help` is registered during server startup.                                                                    |
-| tasks                           | confirmed | Advertised in `createServerCapabilities()` and backed by registered task handlers plus optional tool task support. |
-| progress notifications          | confirmed | Tool execution reports `notifications/progress` updates during fetch and transform stages.                         |
+| Capability                      | Status    | Notes                                                                                                                                                                                                          |
+| ------------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| completions                     | confirmed | Advertised in `createServerCapabilities()`.                                                                                                                                                                    |
+| logging                         | confirmed | Advertised in `createServerCapabilities()` and handled through `SetLevelRequestSchema`.                                                                                                                        |
+| resources subscribe/listChanged | confirmed | Advertised in `createServerCapabilities()`.                                                                                                                                                                    |
+| prompts                         | confirmed | `get-help` is registered during server startup.                                                                                                                                                                |
+| tasks                           | confirmed | Advertised in `createServerCapabilities()` and backed by registered task handlers plus optional tool task support.                                                                                             |
+| progress notifications          | confirmed | Opt-in via `_meta.progressToken`. Tool execution reports monotonic `notifications/progress` updates during fetch and transform stages, and task-mode progress reuses the caller's token for the task lifetime. |
 
 ### Tool Annotations
 
@@ -642,12 +659,12 @@ All configuration is through environment variables. For basic stdio usage, nothi
 
 ### Tasks
 
-| Variable                     | Default | Notes                                                  |
-| ---------------------------- | ------- | ------------------------------------------------------ |
-| `TASKS_MAX_TOTAL`            | `5000`  | Total task capacity.                                   |
-| `TASKS_MAX_PER_OWNER`        | `1000`  | Per-owner task cap, clamped to the total cap.          |
-| `TASKS_STATUS_NOTIFICATIONS` | `false` | Enables status notifications for tasks.                |
-| `TASKS_REQUIRE_INTERCEPTION` | `true`  | Requires interception for task-capable tool execution. |
+| Variable                     | Default | Notes                                                                                |
+| ---------------------------- | ------- | ------------------------------------------------------------------------------------ |
+| `TASKS_MAX_TOTAL`            | `5000`  | Total retained task capacity, including completed/cancelled tasks until they expire. |
+| `TASKS_MAX_PER_OWNER`        | `1000`  | Per-owner retained task cap, clamped to the total cap.                               |
+| `TASKS_STATUS_NOTIFICATIONS` | `false` | Enables status notifications for tasks.                                              |
+| `TASKS_REQUIRE_INTERCEPTION` | `true`  | Requires interception for task-capable tool execution.                               |
 
 ### Transform Workers
 

package/dist/http/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/http/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEjE,OAAO,EACL,iBAAiB,EAElB,MAAM,iDAAiD,CAAC;AACzD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAY/E,OAAO,EAEL,KAAK,cAAc,EAIpB,MAAM,cAAc,CAAC;AAMtB,cAAM,UAAU;IAId,MAAM,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO;CAuBrC;AAED,eAAO,MAAM,UAAU,YAAmB,CAAC;AAS3C,cAAM,sBAAuB,SAAQ,iBAAiB;IAElD,QAAQ,CAAC,cAAc,EAAE,SAAS,MAAM,EAAE;gBAAjC,cAAc,EAAE,SAAS,MAAM,EAAE,EAC1C,OAAO,SAAuB;CAKjC;AAED,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,OAAO,GACb,KAAK,IAAI,sBAAsB,CAEjC;AAwCD,cAAM,gBAAgB;IACpB,QAAQ,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO;IA2BtC,OAAO,CAAC,iBAAiB;IAMzB,OAAO,CAAC,oBAAoB;IAqB5B,OAAO,CAAC,aAAa;IAsBrB,OAAO,CAAC,oBAAoB;IAI5B,OAAO,CAAC,MAAM;CAQf;AAED,eAAO,MAAM,gBAAgB,kBAAyB,CAAC;AAMvD,wBAAgB,2BAA2B,IAAI,IAAI,CA2BlD;AAMD,eAAO,MAAM,4BAA4B,eAAe,CAAC;AACzD,eAAO,MAAM,+BAA+B,aAE1C,CAAC;AAEH,UAAU,8BAA8B;IACtC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAUD,wBAAgB,wBAAwB,CACtC,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,OAAO,CAAC,EAAE,8BAA8B,GACvC,OAAO,CAwBT;AAED,wBAAgB,sBAAsB,IAAI,OAAO,CAEhD;AAQD,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,QAAQ,GAAG,SAAS,GACzB,MAAM,GAAG,IAAI,CAWf;AAiBD,cAAM,WAAW;IACf,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAEjC;IAEF,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAA0C;IAEvE,YAAY,CAChB,GAAG,EAAE,eAAe,EACpB,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,QAAQ,CAAC;IAUpB,OAAO,CAAC,qBAAqB;IAS7B,OAAO,CAAC,sBAAsB;IAiB9B,OAAO,CAAC,kBAAkB;IAW1B,OAAO,CAAC,mBAAmB;IAU3B,OAAO,CAAC,iBAAiB;IAYzB,OAAO,CAAC,SAAS;IAMjB,OAAO,CAAC,uBAAuB;IAgB/B,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,mBAAmB;IAsB3B,OAAO,CAAC,oBAAoB;IAS5B,OAAO,CAAC,yBAAyB;YA0BnB,oBAAoB;IAyBlC,OAAO,CAAC,0BAA0B;IAmBlC,OAAO,CAAC,oBAAoB;YAWd,uBAAuB;IAiDrC,OAAO,CAAC,iBAAiB;CAa1B;AA+BD,wBAAgB,4BAA4B,CAC1C,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,GAClB,IAAI,CAUN;AAED,wBAAgB,iCAAiC,CAC/C,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,cAAc,EAAE,SAAS,MAAM,EAAE,EACjC,OAAO,SAA+C,GACrD,IAAI,CAYN;AAED,wBAAgB,sCAAsC,CAAC,GAAG,EAAE,eAAe,GAAG;IAC5E,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,wBAAwB,EAAE,MAAM,EAAE,CAAC;IACnC,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B,CAeA;AAED,wBAAgB,+BAA+B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAKzE;AAED,eAAO,MAAM,WAAW,aAAoB,CAAC"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/http/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEjE,OAAO,EACL,iBAAiB,EAElB,MAAM,iDAAiD,CAAC;AACzD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAY/E,OAAO,EAEL,KAAK,cAAc,EAIpB,MAAM,cAAc,CAAC;AAMtB,cAAM,UAAU;IAId,MAAM,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO;CAuBrC;AAED,eAAO,MAAM,UAAU,YAAmB,CAAC;AAS3C,cAAM,sBAAuB,SAAQ,iBAAiB;IAElD,QAAQ,CAAC,cAAc,EAAE,SAAS,MAAM,EAAE;gBAAjC,cAAc,EAAE,SAAS,MAAM,EAAE,EAC1C,OAAO,SAAuB;CAKjC;AAED,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,OAAO,GACb,KAAK,IAAI,sBAAsB,CAEjC;AAwCD,cAAM,gBAAgB;IACpB,QAAQ,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO;IA6BtC,OAAO,CAAC,iBAAiB;IAMzB,OAAO,CAAC,oBAAoB;IAqB5B,OAAO,CAAC,aAAa;IAsBrB,OAAO,CAAC,oBAAoB;IAI5B,OAAO,CAAC,MAAM;CAoBf;AAED,eAAO,MAAM,gBAAgB,kBAAyB,CAAC;AAMvD,wBAAgB,2BAA2B,IAAI,IAAI,CA2BlD;AAMD,eAAO,MAAM,4BAA4B,eAAe,CAAC;AACzD,eAAO,MAAM,+BAA+B,aAE1C,CAAC;AAEH,UAAU,8BAA8B;IACtC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAUD,wBAAgB,wBAAwB,CACtC,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,OAAO,CAAC,EAAE,8BAA8B,GACvC,OAAO,CA2DT;AAED,wBAAgB,sBAAsB,IAAI,OAAO,CAEhD;AAQD,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,QAAQ,GAAG,SAAS,GACzB,MAAM,GAAG,IAAI,CAWf;AAiBD,cAAM,WAAW;IACf,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAEjC;IAEF,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAA0C;IAEvE,YAAY,CAChB,GAAG,EAAE,eAAe,EACpB,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,QAAQ,CAAC;IAwBpB,OAAO,CAAC,qBAAqB;IAS7B,OAAO,CAAC,sBAAsB;IAuB9B,OAAO,CAAC,kBAAkB;IAW1B,OAAO,CAAC,mBAAmB;IAU3B,OAAO,CAAC,iBAAiB;IAezB,OAAO,CAAC,SAAS;IAMjB,OAAO,CAAC,uBAAuB;IAgB/B,OAAO,CAAC,kBAAkB;IAiB1B,OAAO,CAAC,mBAAmB;IAwB3B,OAAO,CAAC,oBAAoB;IAS5B,OAAO,CAAC,yBAAyB;YA0BnB,oBAAoB;IA8BlC,OAAO,CAAC,0BAA0B;IAmBlC,OAAO,CAAC,oBAAoB;YAgBd,uBAAuB;IAyDrC,OAAO,CAAC,iBAAiB;CAa1B;AA+BD,wBAAgB,4BAA4B,CAC1C,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,GAClB,IAAI,CAUN;AAED,wBAAgB,iCAAiC,CAC/C,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,cAAc,EAAE,SAAS,MAAM,EAAE,EACjC,OAAO,SAA+C,GACrD,IAAI,CAYN;AAED,wBAAgB,sCAAsC,CAAC,GAAG,EAAE,eAAe,GAAG;IAC5E,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,wBAAwB,EAAE,MAAM,EAAE,CAAC;IACnC,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B,CAeA;AAED,wBAAgB,+BAA+B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAKzE;AAED,eAAO,MAAM,WAAW,aAAoB,CAAC"}

package/dist/http/auth.js

@@ -1,6 +1,6 @@
 import { randomBytes } from 'node:crypto';
 import { InvalidTokenError, ServerError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
-import { config } from '../lib/core.js';
+import { config, logDebug, logWarn } from '../lib/core.js';
 import { normalizeHost } from '../lib/url.js';
 import { composeAbortSignal, hmacSha256Hex, isObject, parseUrlOrNull, timingSafeEqualUtf8, } from '../lib/utils.js';
 import { getHeaderValue, sendEmpty, sendError, sendJson, } from './helpers.js';
@@ -74,26 +74,28 @@ function buildAllowedHosts() {
 const ALLOWED_HOSTS = buildAllowedHosts();
 class HostOriginPolicy {
     validate(ctx) {
-        const { req, res } = ctx;
+        const { req } = ctx;
         const host = this.resolveHostHeader(req);
         if (!host)
-            return this.reject(res, 400, 'Missing or invalid Host header');
+            return this.reject(ctx, 400, 'Missing or invalid Host header');
         if (!ALLOWED_HOSTS.has(host))
-            return this.reject(res, 403, 'Host not allowed');
+            return this.reject(ctx, 403, 'Host not allowed');
         const originHeader = getHeaderValue(req, 'origin');
         if (!originHeader)
             return true;
         const requestOrigin = this.resolveRequestOrigin(req);
         const origin = this.resolveOrigin(originHeader);
-        if (!requestOrigin || !origin)
-            return this.reject(res, 403, 'Invalid Origin header');
-        if (!ALLOWED_HOSTS.has(origin.host))
-            return this.reject(res, 403, 'Origin not allowed');
+        if (!requestOrigin || !origin) {
+            return this.reject(ctx, 403, 'Invalid Origin header');
+        }
+        if (!ALLOWED_HOSTS.has(origin.host)) {
+            return this.reject(ctx, 403, 'Origin not allowed');
+        }
         const isSameOrigin = requestOrigin.scheme === origin.scheme &&
             requestOrigin.host === origin.host &&
             requestOrigin.port === origin.port;
         if (!isSameOrigin)
-            return this.reject(res, 403, 'Origin not allowed');
+            return this.reject(ctx, 403, 'Origin not allowed');
         return true;
     }
     resolveHostHeader(req) {
@@ -142,8 +144,16 @@ class HostOriginPolicy {
     defaultPortForScheme(scheme) {
         return scheme === 'https' ? '443' : '80';
     }
-    reject(res, status, message) {
-        sendJson(res, status, { error: message });
+    reject(ctx, status, message) {
+        logWarn('Host/Origin policy rejection', {
+            status,
+            reason: message,
+            method: ctx.method,
+            path: ctx.url.pathname,
+            host: getHeaderValue(ctx.req, 'host'),
+            origin: getHeaderValue(ctx.req, 'origin'),
+        }, 'http');
+        sendJson(ctx.res, status, { error: message });
         return false;
     }
 }
@@ -184,17 +194,31 @@ function resolveMcpProtocolVersion(req) {
 }
 export function ensureMcpProtocolVersion(req, res, options) {
     const version = resolveMcpProtocolVersion(req);
+    const path = URL.parse(req.url ?? '', 'http://localhost')?.pathname;
     if (!version) {
-        sendError(res, -32600, 'Missing MCP-Protocol-Version header');
+        // Tolerate missing header on sessioned requests (expectedVersion set)
+        // to avoid breaking older clients that don't send it yet.
+        if (options?.expectedVersion) {
+            return true;
+        }
+        logWarn('MCP protocol version rejected', { reason: 'missing_header', path }, 'http');
+        sendError(res, -32600, 'Please include the MCP-Protocol-Version header in your request.');
         return false;
     }
     if (!SUPPORTED_MCP_PROTOCOL_VERSIONS.has(version)) {
-        sendError(res, -32600, `Unsupported MCP-Protocol-Version: ${version}`);
+        logWarn('MCP protocol version rejected', { reason: 'unsupported_version', version, path }, 'http');
+        sendError(res, -32600, `The protocol version '${version}' isn't supported right now. Please check and try again.`);
         return false;
     }
     const expectedVersion = options?.expectedVersion;
     if (expectedVersion && version !== expectedVersion) {
-        sendError(res, -32600, `MCP-Protocol-Version mismatch: expected ${expectedVersion}, got ${version}`);
+        logWarn('MCP protocol version rejected', {
+            reason: 'version_mismatch',
+            version,
+            expectedVersion,
+            path,
+        }, 'http');
+        sendError(res, -32600, `There's a protocol version mismatch. We expected '${expectedVersion}', but received '${version}'.`);
         return false;
     }
     return true;
@@ -227,11 +251,17 @@ class AuthService {
     introspectionCache = new Map();
     async authenticate(req, signal) {
         const authHeader = getHeaderValue(req, 'authorization');
-        if (!authHeader) {
-            return this.authenticateWithApiKey(req);
-        }
-        const token = this.resolveBearerToken(authHeader);
-        return this.authenticateWithToken(token, signal);
+        const source = authHeader ? 'authorization' : 'api-key';
+        const info = authHeader
+            ? await this.authenticateWithToken(this.resolveBearerToken(authHeader), signal)
+            : this.authenticateWithApiKey(req);
+        logDebug('Authentication succeeded', {
+            mode: config.auth.mode,
+            source,
+            clientId: info.clientId,
+            scopeCount: info.scopes.length,
+        }, 'auth');
+        return info;
     }
     authenticateWithToken(token, signal) {
         return config.auth.mode === 'oauth'
@@ -244,8 +274,10 @@ class AuthService {
             return this.verifyStaticToken(apiKey);
         }
         if (apiKey && config.auth.mode === 'oauth') {
+            logWarn('Auth failed: X-API-Key not supported for OAuth', {}, 'auth');
             throw new InvalidTokenError('X-API-Key not supported for OAuth');
         }
+        logWarn('Auth failed: missing credentials', { authMode: config.auth.mode }, 'auth');
         throw new InvalidTokenError(config.auth.mode === 'static'
             ? 'Missing Authorization or X-API-Key header'
             : 'Missing Authorization header');
@@ -275,8 +307,10 @@ class AuthService {
         }
         const tokenDigest = hmacSha256Hex(STATIC_TOKEN_HMAC_KEY, token);
         const matched = hasConstantTimeMatch(this.staticTokenDigests, tokenDigest);
-        if (!matched)
+        if (!matched) {
+            logWarn('Auth failed: invalid static token', {}, 'auth');
             throw new InvalidTokenError('Invalid token');
+        }
         return this.buildStaticAuthInfo(token);
     }
     stripHash(url) {
@@ -320,9 +354,11 @@ class AuthService {
             .map((value) => this.canonicalizeResourceUri(value))
             .filter((value) => value !== null);
         if (audiences.length === 0) {
+            logWarn('Auth failed: token missing audience binding', {}, 'auth');
             throw new InvalidTokenError('Token missing audience binding');
         }
         if (!audiences.includes(expected)) {
+            logWarn('Auth failed: audience mismatch', {}, 'auth');
             throw new InvalidTokenError('Token audience does not match this MCP server');
         }
     }
@@ -357,6 +393,7 @@ class AuthService {
             if (response.body) {
                 await response.body.cancel();
             }
+            logWarn('Token introspection HTTP error', { status: response.status }, 'auth');
             throw new ServerError(`Token introspection failed: ${response.status}`);
         }
         return response.json();
@@ -382,6 +419,7 @@ class AuthService {
         const tokenScopeSet = new Set(tokenScopes);
         const missing = requiredScopes.filter((s) => !tokenScopeSet.has(s));
         if (missing.length > 0) {
+            logWarn('Auth failed: insufficient scopes', { missingCount: missing.length }, 'auth');
             throw new InsufficientScopeError(missing);
         }
     }
@@ -394,17 +432,20 @@ class AuthService {
         if (cached && cached.expiresAt > Date.now()) {
             this.introspectionCache.delete(cacheKey);
             this.introspectionCache.set(cacheKey, cached);
+            logDebug('Token introspection cache hit', {}, 'auth');
             return cached.info;
         }
         const req = this.buildIntrospectionRequest(token, config.auth.resourceUrl, config.auth.clientId, config.auth.clientSecret);
         const payload = await this.requestIntrospection(config.auth.introspectionUrl, req, config.auth.introspectionTimeoutMs, signal);
         if (!isObject(payload) || payload['active'] !== true) {
             this.introspectionCache.delete(cacheKey);
+            logWarn('Auth failed: token inactive', {}, 'auth');
             throw new InvalidTokenError('Token is inactive');
         }
         this.assertTokenAudience(payload);
         const info = this.buildIntrospectionAuthInfo(token, payload);
         this.assertRequiredScopes(info.scopes);
+        logDebug('Token introspection successful', { clientId: info.clientId }, 'auth');
         this.evictStaleEntries();
         this.introspectionCache.set(cacheKey, {
             info,

package/dist/http/helpers.d.ts

@@ -63,6 +63,6 @@ interface SessionTeardownOptions {
 }
 export declare function teardownSessionResources(session: SessionRecordLike, options: SessionTeardownOptions): Promise<void>;
 export declare function teardownUnregisteredSessionResources(session: SessionRecordLike, context: string): Promise<void>;
-export declare function teardownSessionRegistration(server: McpServer, cancelMessage: string): void;
+export declare function teardownSessionRegistration(server: McpServer): void;
 export {};
 //# sourceMappingURL=helpers.d.ts.map

package/dist/http/helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/http/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AACzE,OAAO,KAAK,EAAE,MAAM,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AAKxD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACxG,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,+CAA+C,CAAC;AAQ/E,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAUvD,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,WAAW,CAAC;AAcjD,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,eAAe,CAAC;IACrB,GAAG,EAAE,cAAc,CAAC;IACpB,GAAG,EAAE,GAAG,CAAC;IACT,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,IAAI,EAAE,OAAO,CAAC;IACd,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,oBAAqB,SAAQ,cAAc;IAC1D,IAAI,EAAE,QAAQ,CAAC;CAChB;AAWD,wBAAgB,QAAQ,CACtB,GAAG,EAAE,cAAc,EACnB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,OAAO,GACZ,IAAI,CAKN;AAED,wBAAgB,SAAS,CAAC,GAAG,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAInE;AAED,wBAAgB,SAAS,CACvB,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,MAAM,SAAM,EACZ,EAAE,GAAE,SAAgB,GACnB,IAAI,CAMN;AAMD,wBAAgB,cAAc,CAC5B,GAAG,EAAE,eAAe,EACpB,IAAI,EAAE,MAAM,GACX,MAAM,GAAG,IAAI,CAIf;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,eAAe,GAAG,MAAM,GAAG,IAAI,CAKnE;AAkBD,wBAAgB,8BAA8B,CAC5C,GAAG,EAAE,eAAe,GACnB,MAAM,GAAG,IAAI,CAKf;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,eAAe,GAAG,IAAI,CAOvD;AAMD,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,eAAe,GAAG;IAC9D,MAAM,EAAE,WAAW,CAAC;IACpB,OAAO,EAAE,MAAM,IAAI,CAAC;CACrB,CAwCA;AAgBD,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAoBpE;AAMD,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,MAAM,CAAC,EAAE,WAAW,GACnB,cAAc,GAAG,IAAI,CAgBvB;AAMD,wBAAsB,wBAAwB,CAC5C,SAAS,EAAE;IAAE,KAAK,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAA;CAAE,EAC5C,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAMf;AAED,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,SAAS,EACjB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAMf;AAED,wBAAgB,sBAAsB,CACpC,aAAa,EAAE,6BAA6B,GAC3C,SAAS,CA4CX;AAMD,KAAK,iBAAiB,GAAG,mBAAmB,GAAG,cAAc,GAAG,aAAa,CAAC;AAE9E,qBAAa,aAAc,SAAQ,KAAK;IACtC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAC;gBAErB,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM;CAKrD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,aAAa,CAEtE;AAED,eAAO,MAAM,wBAAwB,QAAc,CAAC;AAMpD,cAAM,cAAc;IACZ,IAAI,CACR,GAAG,EAAE,eAAe,EACpB,KAAK,SAA2B,EAChC,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,OAAO,CAAC;YA0BL,QAAQ;YAyCR,aAAa;IAkD3B,OAAO,CAAC,cAAc;CAIvB;AAED,eAAO,MAAM,cAAc,gBAAuB,CAAC;AAEnD,UAAU,iBAAiB;IACzB,MAAM,EAAE,SAAS,CAAC;IAClB,SAAS,EAAE,6BAA6B,CAAC;CAC1C;AAED,UAAU,sBAAsB;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAqCD,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,iBAAiB,EAC1B,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,oCAAoC,CACxD,OAAO,EAAE,iBAAiB,EAC1B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAMf;AAED,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,SAAS,EACjB,aAAa,EAAE,MAAM,GACpB,IAAI,CAEN"}
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/http/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AACzE,OAAO,KAAK,EAAE,MAAM,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AAKxD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACxG,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,+CAA+C,CAAC;AAQ/E,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAQvD,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,WAAW,CAAC;AAcjD,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,eAAe,CAAC;IACrB,GAAG,EAAE,cAAc,CAAC;IACpB,GAAG,EAAE,GAAG,CAAC;IACT,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,IAAI,EAAE,OAAO,CAAC;IACd,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,oBAAqB,SAAQ,cAAc;IAC1D,IAAI,EAAE,QAAQ,CAAC;CAChB;AAWD,wBAAgB,QAAQ,CACtB,GAAG,EAAE,cAAc,EACnB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,OAAO,GACZ,IAAI,CAKN;AAED,wBAAgB,SAAS,CAAC,GAAG,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAInE;AAED,wBAAgB,SAAS,CACvB,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,MAAM,SAAM,EACZ,EAAE,GAAE,SAAgB,GACnB,IAAI,CAMN;AAMD,wBAAgB,cAAc,CAC5B,GAAG,EAAE,eAAe,EACpB,IAAI,EAAE,MAAM,GACX,MAAM,GAAG,IAAI,CAIf;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,eAAe,GAAG,MAAM,GAAG,IAAI,CAKnE;AAkBD,wBAAgB,8BAA8B,CAC5C,GAAG,EAAE,eAAe,GACnB,MAAM,GAAG,IAAI,CAKf;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,eAAe,GAAG,IAAI,CAOvD;AAMD,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,eAAe,GAAG;IAC9D,MAAM,EAAE,WAAW,CAAC;IACpB,OAAO,EAAE,MAAM,IAAI,CAAC;CACrB,CAwCA;AAgBD,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAwBpE;AAMD,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,MAAM,CAAC,EAAE,WAAW,GACnB,cAAc,GAAG,IAAI,CAgBvB;AAMD,wBAAsB,wBAAwB,CAC5C,SAAS,EAAE;IAAE,KAAK,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAA;CAAE,EAC5C,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAMf;AAED,wBAAsB,wBAAwB,CAC5C,MAAM,EAAE,SAAS,EACjB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAMf;AAED,wBAAgB,sBAAsB,CACpC,aAAa,EAAE,6BAA6B,GAC3C,SAAS,CA4CX;AAMD,KAAK,iBAAiB,GAAG,mBAAmB,GAAG,cAAc,GAAG,aAAa,CAAC;AAE9E,qBAAa,aAAc,SAAQ,KAAK;IACtC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAC;gBAErB,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM;CAKrD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,aAAa,CAEtE;AAED,eAAO,MAAM,wBAAwB,QAAc,CAAC;AAMpD,cAAM,cAAc;IACZ,IAAI,CACR,GAAG,EAAE,eAAe,EACpB,KAAK,SAA2B,EAChC,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,OAAO,CAAC;YA0BL,QAAQ;YAyCR,aAAa;IAkD3B,OAAO,CAAC,cAAc;CAIvB;AAED,eAAO,MAAM,cAAc,gBAAuB,CAAC;AAEnD,UAAU,iBAAiB;IACzB,MAAM,EAAE,SAAS,CAAC;IAClB,SAAS,EAAE,6BAA6B,CAAC;CAC1C;AAED,UAAU,sBAAsB;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAoCD,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,iBAAiB,EAC1B,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,oCAAoC,CACxD,OAAO,EAAE,iBAAiB,EAC1B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAMf;AAED,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CAEnE"}

package/dist/http/helpers.js

@@ -4,7 +4,6 @@ import { composeCloseHandlers, config, logWarn } from '../lib/core.js';
 import { resolveMcpSessionIdByServer, unregisterMcpSessionServer, unregisterMcpSessionServerByServer, } from '../lib/core.js';
 import { createDefaultBlockList, normalizeIpForBlockList } from '../lib/url.js';
 import { getErrorMessage, toError } from '../lib/utils.js';
-import { cancelTasksForOwner } from '../tasks/handlers.js';
 function abortControllerBestEffort(controller) {
     if (!controller.signal.aborted)
         controller.abort();
@@ -155,7 +154,7 @@ export function registerInboundBlockList(server) {
             logWarn('Blocked inbound connection', {
                 remoteAddress: normalized.ip,
                 family: normalized.family,
-            });
+            }, 'http');
             socket.destroy();
         }
     });
@@ -187,7 +186,7 @@ export async function closeTransportBestEffort(transport, context) {
         await transport.close();
     }
     catch (error) {
-        logWarn('Transport close failed', { context, error });
+        logWarn('Transport close failed', { context, error }, 'http');
     }
 }
 export async function closeMcpServerBestEffort(server, context) {
@@ -195,7 +194,7 @@ export async function closeMcpServerBestEffort(server, context) {
         await server.close();
     }
     catch (error) {
-        logWarn('MCP server close failed', { context, error });
+        logWarn('MCP server close failed', { context, error }, 'http');
     }
 }
 export function createTransportAdapter(transportImpl) {
@@ -357,11 +356,10 @@ class JsonBodyReader {
     }
 }
 export const jsonBodyReader = new JsonBodyReader();
-function cancelSessionTasks(server, message) {
+function unregisterSessionTaskScope(server) {
     const sessionId = resolveMcpSessionIdByServer(server);
     if (!sessionId)
         return null;
-    cancelTasksForOwner(`session:${sessionId}`, message);
     unregisterMcpSessionServer(sessionId);
     return sessionId;
 }
@@ -378,7 +376,7 @@ async function closeSessionResources(session, options) {
     }
 }
 export async function teardownSessionResources(session, options) {
-    cancelSessionTasks(session.server, options.cancelMessage);
+    unregisterSessionTaskScope(session.server);
     if (options.unregisterByServer) {
         unregisterMcpSessionServerByServer(session.server);
     }
@@ -391,6 +389,6 @@ export async function teardownUnregisteredSessionResources(session, context) {
         awaitClose: true,
     });
 }
-export function teardownSessionRegistration(server, cancelMessage) {
-    cancelSessionTasks(server, cancelMessage);
+export function teardownSessionRegistration(server) {
+    unregisterSessionTaskScope(server);
 }

package/dist/http/native.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"native.d.ts","sourceRoot":"","sources":["../../src/http/native.ts"],"names":[],"mappings":"AAqmCA,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC/C,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd,CAAC,CA0DD"}
+{"version":3,"file":"native.d.ts","sourceRoot":"","sources":["../../src/http/native.ts"],"names":[],"mappings":"AAm+CA,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC/C,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;CACd,CAAC,CA2DD"}