@j0hanz/fetch-url-mcp 1.3.1 → 1.5.0

package/README.md

@@ -150,35 +150,38 @@ docker compose up --build
 
 ### Runtime Modes
 
-| Flag              | Description                                 |
-| ----------------- | ------------------------------------------- |
-| `--stdio`, `-s`   | Run in stdio mode (for desktop MCP clients) |
-| `--help`, `-h`    | Show usage help                             |
-| `--version`, `-v` | Print server version                        |
+| Flag              | Description                                                |
+| ----------------- | ---------------------------------------------------------- |
+| `--stdio`, `-s`   | Run in stdio mode (for desktop MCP clients; default)       |
+| `--http`          | Run in HTTP mode (Streamable HTTP on port 3000 by default) |
+| `--help`, `-h`    | Show usage help                                            |
+| `--version`, `-v` | Print server version                                       |
 
-When no `--stdio` flag is passed, the server starts in **HTTP mode** (Streamable HTTP on port 3000 by default).
+When no transport flag is passed, the server starts in **stdio mode**.
 
 ### Environment Variables
 
 #### Core Settings
 
-| Variable           | Default                   | Description                                         |
-| ------------------ | ------------------------- | --------------------------------------------------- |
-| `HOST`             | `127.0.0.1`               | HTTP server bind address                            |
-| `PORT`             | `3000`                    | HTTP server port (1024–65535)                       |
-| `LOG_LEVEL`        | `info`                    | Log level: `debug`, `info`, `warn`, `error`         |
-| `FETCH_TIMEOUT_MS` | `15000`                   | HTTP fetch timeout in ms (1000–60000)               |
-| `CACHE_ENABLED`    | `true`                    | Enable/disable in-memory content cache              |
-| `USER_AGENT`       | `fetch-url-mcp/{version}` | Custom User-Agent header                            |
-| `ALLOW_REMOTE`     | `false`                   | Allow remote connections in HTTP mode               |
-| `ALLOWED_HOSTS`    | _(empty)_                 | Comma-separated host/origin allowlist for HTTP mode |
+| Variable                             | Default                   | Description                                                                                             |
+| ------------------------------------ | ------------------------- | ------------------------------------------------------------------------------------------------------- |
+| `HOST`                               | `127.0.0.1`               | HTTP server bind address                                                                                |
+| `PORT`                               | `3000`                    | HTTP server port (1024–65535)                                                                           |
+| `LOG_LEVEL`                          | `info`                    | Log level: `debug`, `info`, `warn`, `error`                                                             |
+| `FETCH_TIMEOUT_MS`                   | `15000`                   | HTTP fetch timeout in ms (1000–60000)                                                                   |
+| `CACHE_ENABLED`                      | `true`                    | Enable/disable in-memory content cache                                                                  |
+| `USER_AGENT`                         | `fetch-url-mcp/{version}` | Custom User-Agent header                                                                                |
+| `ALLOW_REMOTE`                       | `false`                   | Allow remote connections in HTTP mode                                                                   |
+| `ALLOWED_HOSTS`                      | _(empty)_                 | Comma-separated host/origin allowlist for HTTP mode                                                     |
+| `MCP_STRICT_PROTOCOL_VERSION_HEADER` | `true`                    | Require `MCP-Protocol-Version` on HTTP session initialize (`false` allows legacy headerless initialize) |
 
 #### Task Management
 
-| Variable              | Default | Description                                      |
-| --------------------- | ------- | ------------------------------------------------ |
-| `TASKS_MAX_TOTAL`     | `5000`  | Maximum retained task records across all owners  |
-| `TASKS_MAX_PER_OWNER` | `1000`  | Maximum retained task records per session/client |
+| Variable                     | Default | Description                                              |
+| ---------------------------- | ------- | -------------------------------------------------------- |
+| `TASKS_MAX_TOTAL`            | `5000`  | Maximum retained task records across all owners          |
+| `TASKS_MAX_PER_OWNER`        | `1000`  | Maximum retained task records per session/client         |
+| `TASKS_STATUS_NOTIFICATIONS` | `false` | Emit experimental `notifications/tasks/status` extension |
 
 #### Authentication (HTTP Mode)
 
@@ -595,7 +598,7 @@ npm run inspector
 | `VALIDATION_ERROR` on URL | URL is blocked (private IP/localhost) or malformed. Do not retry.                     |
 | `queue_full` error        | Worker pool busy. Wait briefly, then retry or use async task mode.                    |
 | Garbled output            | Binary content (images, PDFs) cannot be converted. Ensure the URL serves HTML.        |
-| No output in stdio mode   | Ensure `--stdio` flag is passed. Without it, the server starts in HTTP mode.          |
+| No output in stdio mode   | If you intended HTTP mode, pass `--http`. Stdio is the default transport.             |
 | Auth errors in HTTP mode  | Set `ACCESS_TOKENS` or `API_KEY` env var and pass as `Authorization: Bearer <token>`. |
 
 ### Stdout / Stderr Guidance

package/dist/cli.d.ts

@@ -1,5 +1,6 @@
-export interface CliValues {
+interface CliValues {
     readonly stdio: boolean;
+    readonly http: boolean;
     readonly help: boolean;
     readonly version: boolean;
 }
@@ -11,8 +12,7 @@ interface CliParseFailure {
     readonly ok: false;
     readonly message: string;
 }
-export type CliParseResult = CliParseSuccess | CliParseFailure;
+type CliParseResult = CliParseSuccess | CliParseFailure;
 export declare function renderCliUsage(): string;
 export declare function parseCliArgs(args: readonly string[]): CliParseResult;
 export {};
-//# sourceMappingURL=cli.d.ts.map

package/dist/cli.js

@@ -1,24 +1,24 @@
 import { parseArgs } from 'node:util';
+import { getErrorMessage } from './lib/utils.js';
 const usageLines = [
     'Fetch URL MCP server',
     '',
     'Usage:',
-    '  fetch-url-mcp [--stdio|-s] [--help|-h] [--version|-v]',
+    '  fetch-url-mcp [--stdio|-s | --http] [--help|-h] [--version|-v]',
     '',
     'Options:',
-    '  --stdio, -s   Run in stdio mode (no HTTP server).',
+    '  --stdio, -s   Run in stdio mode (default).',
+    '  --http        Run in Streamable HTTP mode.',
     '  --help, -h    Show this help message.',
     '  --version, -v Show server version.',
     '',
 ];
 const optionSchema = {
     stdio: { type: 'boolean', short: 's', default: false },
+    http: { type: 'boolean', default: false },
     help: { type: 'boolean', short: 'h', default: false },
     version: { type: 'boolean', short: 'v', default: false },
 };
-function toErrorMessage(error) {
-    return error instanceof Error ? error.message : String(error);
-}
 function toBoolean(value) {
     return value === true;
 }
@@ -28,6 +28,7 @@ function readCliFlag(values, key) {
 function buildCliValues(values) {
     return {
         stdio: readCliFlag(values, 'stdio'),
+        http: readCliFlag(values, 'http'),
         help: readCliFlag(values, 'help'),
         version: readCliFlag(values, 'version'),
     };
@@ -43,16 +44,22 @@ export function parseCliArgs(args) {
             strict: true,
             allowPositionals: false,
         });
+        const cliValues = buildCliValues(values);
+        if (cliValues.stdio && cliValues.http) {
+            return {
+                ok: false,
+                message: 'Choose either --stdio or --http, not both',
+            };
+        }
         return {
             ok: true,
-            values: buildCliValues(values),
+            values: cliValues,
         };
     }
     catch (error) {
         return {
             ok: false,
-            message: toErrorMessage(error),
+            message: getErrorMessage(error),
         };
     }
 }
-//# sourceMappingURL=cli.js.map

package/dist/http/auth.d.ts

@@ -1,5 +1,5 @@
-import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
 import type { IncomingMessage, ServerResponse } from 'node:http';
+import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
 import { type RequestContext } from './helpers.js';
 declare class CorsPolicy {
     handle(ctx: RequestContext): boolean;
@@ -8,17 +8,18 @@ export declare const corsPolicy: CorsPolicy;
 declare class HostOriginPolicy {
     validate(ctx: RequestContext): boolean;
     private resolveHostHeader;
-    private resolveOriginHost;
+    private resolveRequestOrigin;
+    private resolveOrigin;
+    private defaultPortForScheme;
     private reject;
 }
 export declare const hostOriginPolicy: HostOriginPolicy;
 export declare function assertHttpModeConfiguration(): void;
 export declare const SUPPORTED_MCP_PROTOCOL_VERSIONS: Set<string>;
-export interface McpProtocolVersionCheckOptions {
+interface McpProtocolVersionCheckOptions {
     requireHeader?: boolean;
     expectedVersion?: string;
 }
-export declare function resolveMcpProtocolVersion(req: IncomingMessage): string | undefined;
 export declare function ensureMcpProtocolVersion(req: IncomingMessage, res: ServerResponse, options?: McpProtocolVersionCheckOptions): boolean;
 export declare function buildAuthFingerprint(auth: AuthInfo | undefined): string | null;
 declare class AuthService {
@@ -34,9 +35,9 @@ declare class AuthService {
     private buildIntrospectionRequest;
     private requestIntrospection;
     private buildIntrospectionAuthInfo;
+    private assertRequiredScopes;
     private verifyWithIntrospection;
 }
-export declare function buildResourceMetadataUrl(req: IncomingMessage): string;
 export declare function applyUnauthorizedAuthHeaders(req: IncomingMessage, res: ServerResponse): void;
 export declare function buildProtectedResourceMetadataDocument(req: IncomingMessage): {
     resource: string;
@@ -48,4 +49,3 @@ export declare function buildProtectedResourceMetadataDocument(req: IncomingMess
 export declare function isProtectedResourceMetadataPath(pathname: string): boolean;
 export declare const authService: AuthService;
 export {};
-//# sourceMappingURL=auth.d.ts.map

package/dist/http/auth.js

@@ -1,10 +1,10 @@
-import { InvalidTokenError, ServerError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
 import { Buffer } from 'node:buffer';
 import { randomBytes } from 'node:crypto';
-import { config } from '../config.js';
-import { hmacSha256Hex, timingSafeEqualUtf8 } from '../crypto.js';
-import { normalizeHost } from '../host-normalization.js';
-import { isObject } from '../type-guards.js';
+import { InvalidTokenError, ServerError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
+import { config } from '../lib/core.js';
+import { normalizeHost } from '../lib/url.js';
+import { hmacSha256Hex, timingSafeEqualUtf8 } from '../lib/utils.js';
+import { isObject } from '../lib/utils.js';
 import { getHeaderValue, sendEmpty, sendError, sendJson, } from './helpers.js';
 // ---------------------------------------------------------------------------
 // CORS
@@ -20,11 +20,9 @@ class CorsPolicy {
             res.setHeader('Access-Control-Allow-Origin', origin);
             res.setHeader('Vary', 'Origin');
         }
-        else {
-            res.setHeader('Access-Control-Allow-Origin', '*');
-        }
         res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, DELETE');
         res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-API-Key, MCP-Protocol-Version, MCP-Session-ID, X-MCP-Session-ID, Last-Event-ID');
+        res.setHeader('Access-Control-Expose-Headers', 'MCP-Session-ID, X-MCP-Session-ID, MCP-Protocol-Version, WWW-Authenticate');
         if (req.method !== 'OPTIONS')
             return false;
         sendEmpty(res, 204);
@@ -76,10 +74,16 @@ class HostOriginPolicy {
         const originHeader = getHeaderValue(req, 'origin');
         if (!originHeader)
             return true;
-        const originHost = this.resolveOriginHost(originHeader);
-        if (!originHost)
+        const requestOrigin = this.resolveRequestOrigin(req);
+        const origin = this.resolveOrigin(originHeader);
+        if (!requestOrigin || !origin)
             return this.reject(res, 403, 'Invalid Origin header');
-        if (!ALLOWED_HOSTS.has(originHost))
+        if (!ALLOWED_HOSTS.has(origin.host))
+            return this.reject(res, 403, 'Origin not allowed');
+        const isSameOrigin = requestOrigin.scheme === origin.scheme &&
+            requestOrigin.host === origin.host &&
+            requestOrigin.port === origin.port;
+        if (!isSameOrigin)
             return this.reject(res, 403, 'Origin not allowed');
         return true;
     }
@@ -89,17 +93,52 @@ class HostOriginPolicy {
             return null;
         return normalizeHost(host);
     }
-    resolveOriginHost(origin) {
+    resolveRequestOrigin(req) {
+        const hostHeader = getHeaderValue(req, 'host');
+        if (!hostHeader)
+            return null;
+        const isEncrypted = req.socket.encrypted === true;
+        const scheme = isEncrypted ? 'https' : 'http';
+        try {
+            const parsed = new URL(`${scheme}://${hostHeader}`);
+            const normalizedHost = normalizeHost(parsed.host);
+            if (!normalizedHost)
+                return null;
+            return {
+                scheme,
+                host: normalizedHost,
+                port: parsed.port || this.defaultPortForScheme(scheme),
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+    resolveOrigin(origin) {
         if (origin === 'null')
             return null;
         try {
             const parsed = new URL(origin);
-            return normalizeHost(parsed.host);
+            const scheme = parsed.protocol === 'https:' ? 'https' : 'http';
+            if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
+                return null;
+            }
+            const normalizedHost = normalizeHost(parsed.host);
+            if (!normalizedHost)
+                return null;
+            return {
+                scheme,
+                host: normalizedHost,
+                port: parsed.port || this.defaultPortForScheme(scheme),
+            };
         }
         catch {
             return null;
         }
     }
+    defaultPortForScheme(scheme) {
+        return scheme === 'https' ? '443' : '80';
+    }
     reject(res, status, message) {
         sendJson(res, status, { error: message });
         return false;
@@ -132,7 +171,7 @@ export const SUPPORTED_MCP_PROTOCOL_VERSIONS = new Set([
     DEFAULT_MCP_PROTOCOL_VERSION,
     LEGACY_MCP_PROTOCOL_VERSION,
 ]);
-export function resolveMcpProtocolVersion(req) {
+function resolveMcpProtocolVersion(req) {
     const versionHeader = getHeaderValue(req, 'mcp-protocol-version');
     if (!versionHeader)
         return undefined;
@@ -292,6 +331,16 @@ class AuthService {
             info.expiresAt = expiresAt;
         return info;
     }
+    assertRequiredScopes(tokenScopes) {
+        const { requiredScopes } = config.auth;
+        if (requiredScopes.length === 0)
+            return;
+        const tokenScopeSet = new Set(tokenScopes);
+        const missing = requiredScopes.filter((s) => !tokenScopeSet.has(s));
+        if (missing.length > 0) {
+            throw new InvalidTokenError('Insufficient scope');
+        }
+    }
     async verifyWithIntrospection(token, signal) {
         if (!config.auth.introspectionUrl) {
             throw new ServerError('Introspection not configured');
@@ -301,7 +350,9 @@ class AuthService {
         if (!isObject(payload) || payload['active'] !== true) {
             throw new InvalidTokenError('Token is inactive');
         }
-        return this.buildIntrospectionAuthInfo(token, payload);
+        const info = this.buildIntrospectionAuthInfo(token, payload);
+        this.assertRequiredScopes(info.scopes);
+        return info;
     }
 }
 function resolvePublicOrigin(req) {
@@ -312,23 +363,28 @@ function resolvePublicOrigin(req) {
     }
     return config.auth.resourceUrl.origin;
 }
+function buildRequestScopedProtectedResourceUrls(req) {
+    const origin = resolvePublicOrigin(req);
+    return {
+        resource: new URL('/mcp', `${origin}/`).href,
+        resourceMetadata: new URL(resolveResourceMetadataPath(), `${origin}/`).href,
+    };
+}
 function resolveResourceMetadataPath() {
     return '/.well-known/oauth-protected-resource/mcp';
 }
-export function buildResourceMetadataUrl(req) {
-    const origin = resolvePublicOrigin(req);
-    const path = resolveResourceMetadataPath();
-    return new URL(path, `${origin}/`).href;
+function buildResourceMetadataUrl(req) {
+    return buildRequestScopedProtectedResourceUrls(req).resourceMetadata;
 }
 export function applyUnauthorizedAuthHeaders(req, res) {
     const resourceMetadata = buildResourceMetadataUrl(req);
     res.setHeader('WWW-Authenticate', `Bearer resource_metadata="${resourceMetadata}"`);
 }
 export function buildProtectedResourceMetadataDocument(req) {
-    const metadataUrl = buildResourceMetadataUrl(req);
+    const urls = buildRequestScopedProtectedResourceUrls(req);
     return {
-        resource: config.auth.resourceUrl.href,
-        resource_metadata: metadataUrl,
+        resource: urls.resource,
+        resource_metadata: urls.resourceMetadata,
         authorization_servers: config.auth.issuerUrl
             ? [config.auth.issuerUrl.href]
             : [],
@@ -341,4 +397,3 @@ export function isProtectedResourceMetadataPath(pathname) {
         pathname === '/.well-known/oauth-protected-resource/mcp');
 }
 export const authService = new AuthService();
-//# sourceMappingURL=auth.js.map

package/dist/http/health.d.ts

@@ -1,7 +1,6 @@
-import type { SessionStore } from '../session.js';
+import type { SessionStore } from '../lib/core.js';
 import { type RequestContext } from './helpers.js';
 export declare function resetEventLoopMonitoring(): void;
 export declare function disableEventLoopMonitoring(): void;
 export declare function shouldHandleHealthRoute(ctx: RequestContext): boolean;
 export declare function sendHealthRouteResponse(store: SessionStore, ctx: RequestContext, authPresent: boolean): boolean;
-//# sourceMappingURL=health.d.ts.map

package/dist/http/health.js

@@ -1,8 +1,8 @@
 import { freemem, hostname, totalmem } from 'node:os';
 import { monitorEventLoopDelay, performance } from 'node:perf_hooks';
 import process from 'node:process';
-import { keys as cacheKeys } from '../cache.js';
-import { config, serverVersion } from '../config.js';
+import { keys as cacheKeys } from '../lib/core.js';
+import { config, serverVersion } from '../lib/core.js';
 import { getTransformPoolStats } from '../transform/transform.js';
 import { sendJson } from './helpers.js';
 // ---------------------------------------------------------------------------
@@ -110,20 +110,14 @@ function isVerboseHealthRequest(ctx) {
     const normalized = value.trim().toLowerCase();
     return normalized === '1' || normalized === 'true';
 }
-function isGetHealthRoute(ctx) {
+function isHealthRoute(ctx) {
     return ctx.method === 'GET' && ctx.url.pathname === '/health';
 }
 function isVerboseHealthRoute(ctx) {
-    return isGetHealthRoute(ctx) && isVerboseHealthRequest(ctx);
-}
-function isHealthRoute(ctx) {
-    return isGetHealthRoute(ctx);
+    return isHealthRoute(ctx) && isVerboseHealthRequest(ctx);
 }
 function ensureHealthAuthIfNeeded(ctx, authPresent) {
-    if (!isHealthRoute(ctx))
-        return true;
-    const isVerbose = isVerboseHealthRequest(ctx);
-    if (!isVerbose)
+    if (!isVerboseHealthRoute(ctx))
         return true;
     if (!config.security.allowRemote)
         return true;
@@ -135,14 +129,10 @@ function ensureHealthAuthIfNeeded(ctx, authPresent) {
     return false;
 }
 function resolveHealthDiagnosticsMode(ctx, authPresent) {
-    if (!isVerboseHealthRoute(ctx))
-        return false;
-    if (authPresent)
-        return true;
-    return !config.security.allowRemote;
+    return (isVerboseHealthRoute(ctx) && (authPresent || !config.security.allowRemote));
 }
 export function shouldHandleHealthRoute(ctx) {
-    return isGetHealthRoute(ctx);
+    return isHealthRoute(ctx);
 }
 export function sendHealthRouteResponse(store, ctx, authPresent) {
     if (!shouldHandleHealthRoute(ctx))
@@ -153,4 +143,3 @@ export function sendHealthRouteResponse(store, ctx, authPresent) {
     sendHealth(store, ctx.res, includeDiagnostics);
     return true;
 }
-//# sourceMappingURL=health.js.map

package/dist/http/helpers.d.ts

@@ -1,10 +1,10 @@
+import type { IncomingMessage, Server, ServerResponse } from 'node:http';
+import type { Server as HttpsServer } from 'node:https';
 import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import type { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import type { Transport } from '@modelcontextprotocol/sdk/shared/transport.js';
-import type { IncomingMessage, Server, ServerResponse } from 'node:http';
-import type { Server as HttpsServer } from 'node:https';
-import type { JsonRpcId } from '../mcp-validator.js';
+import type { JsonRpcId } from '../lib/mcp-tools.js';
 export type NetworkServer = Server | HttpsServer;
 export interface RequestContext {
     req: IncomingMessage;
@@ -18,7 +18,6 @@ export interface RequestContext {
 export interface AuthenticatedContext extends RequestContext {
     auth: AuthInfo;
 }
-export declare function setNoStoreHeaders(res: ServerResponse): void;
 export declare function sendJson(res: ServerResponse, status: number, body: unknown): void;
 export declare function sendText(res: ServerResponse, status: number, body: string): void;
 export declare function sendEmpty(res: ServerResponse, status: number): void;
@@ -31,7 +30,6 @@ export declare function createRequestAbortSignal(req: IncomingMessage): {
     signal: AbortSignal;
     cleanup: () => void;
 };
-export declare function normalizeRemoteAddress(address: string | undefined): string | null;
 export declare function registerInboundBlockList(server: NetworkServer): void;
 export declare function buildRequestContext(req: IncomingMessage, res: ServerResponse, signal?: AbortSignal): RequestContext | null;
 export declare function closeTransportBestEffort(transport: {
@@ -39,11 +37,6 @@ export declare function closeTransportBestEffort(transport: {
 }, context: string): Promise<void>;
 export declare function closeMcpServerBestEffort(server: McpServer, context: string): Promise<void>;
 export declare function createTransportAdapter(transportImpl: StreamableHTTPServerTransport): Transport;
-type JsonBodyErrorKind = 'payload-too-large' | 'invalid-json' | 'read-failed';
-export declare class JsonBodyError extends Error {
-    readonly kind: JsonBodyErrorKind;
-    constructor(kind: JsonBodyErrorKind, message: string);
-}
 export declare const DEFAULT_BODY_LIMIT_BYTES: number;
 declare class JsonBodyReader {
     read(req: IncomingMessage, limit?: number, signal?: AbortSignal): Promise<unknown>;
@@ -55,4 +48,3 @@ declare class JsonBodyReader {
 }
 export declare const jsonBodyReader: JsonBodyReader;
 export {};
-//# sourceMappingURL=helpers.d.ts.map

package/dist/http/helpers.js

@@ -1,14 +1,27 @@
 import { Buffer } from 'node:buffer';
 import { Writable } from 'node:stream';
 import { pipeline } from 'node:stream/promises';
-import { config } from '../config.js';
-import { createDefaultBlockList, normalizeIpForBlockList, } from '../ip-blocklist.js';
-import { logWarn } from '../observability.js';
-import { composeCloseHandlers } from '../session.js';
+import { config } from '../lib/core.js';
+import { logWarn } from '../lib/core.js';
+import { composeCloseHandlers } from '../lib/core.js';
+import { createDefaultBlockList, normalizeIpForBlockList } from '../lib/url.js';
+import { getErrorMessage, toError } from '../lib/utils.js';
+function abortControllerBestEffort(controller) {
+    if (!controller.signal.aborted)
+        controller.abort();
+}
+function destroyRequestBestEffort(req) {
+    try {
+        req.destroy();
+    }
+    catch {
+        // Best-effort only.
+    }
+}
 // ---------------------------------------------------------------------------
 // Response helpers
 // ---------------------------------------------------------------------------
-export function setNoStoreHeaders(res) {
+function setNoStoreHeaders(res) {
     res.setHeader('X-Content-Type-Options', 'nosniff');
     res.setHeader('Cache-Control', 'no-store');
 }
@@ -55,6 +68,7 @@ const SINGLE_VALUE_HEADER_NAMES = [
     'host',
     'origin',
     'content-length',
+    'mcp-protocol-version',
     'mcp-session-id',
     'x-mcp-session-id',
 ];
@@ -88,8 +102,7 @@ export function createRequestAbortSignal(req) {
     const abortRequest = () => {
         if (cleanedUp)
             return;
-        if (!controller.signal.aborted)
-            controller.abort();
+        abortControllerBestEffort(controller);
     };
     if (req.destroyed) {
         abortRequest();
@@ -126,7 +139,7 @@ export function createRequestAbortSignal(req) {
 // ---------------------------------------------------------------------------
 // IP & connection helpers
 // ---------------------------------------------------------------------------
-export function normalizeRemoteAddress(address) {
+function normalizeRemoteAddress(address) {
     if (!address)
         return null;
     const trimmed = address.trim();
@@ -233,7 +246,7 @@ export function createTransportAdapter(transportImpl) {
         },
     };
 }
-export class JsonBodyError extends Error {
+class JsonBodyError extends Error {
     kind;
     constructor(kind, message) {
         super(message);
@@ -254,12 +267,7 @@ class JsonBodyReader {
         if (contentLengthHeader) {
             const contentLength = Number.parseInt(contentLengthHeader, 10);
             if (Number.isFinite(contentLength) && contentLength > limit) {
-                try {
-                    req.destroy();
-                }
-                catch {
-                    // Best-effort only.
-                }
+                destroyRequestBestEffort(req);
                 throw new JsonBodyError('payload-too-large', 'Payload too large');
             }
         }
@@ -273,7 +281,7 @@ class JsonBodyReader {
             return JSON.parse(body);
         }
         catch (err) {
-            throw new JsonBodyError('invalid-json', err instanceof Error ? err.message : String(err));
+            throw new JsonBodyError('invalid-json', getErrorMessage(err));
         }
     }
     async readBody(req, limit, signal) {
@@ -292,12 +300,7 @@ class JsonBodyReader {
         if (!signal)
             return null;
         const listener = () => {
-            try {
-                req.destroy();
-            }
-            catch {
-                // Best-effort only.
-            }
+            destroyRequestBestEffort(req);
         };
         if (signal.aborted) {
             listener();
@@ -330,7 +333,7 @@ class JsonBodyReader {
                     const buf = this.normalizeChunk(chunk);
                     size += buf.length;
                     if (size > limit) {
-                        req.destroy();
+                        destroyRequestBestEffort(req);
                         callback(new JsonBodyError('payload-too-large', 'Payload too large'));
                         return;
                     }
@@ -338,7 +341,7 @@ class JsonBodyReader {
                     callback();
                 }
                 catch (err) {
-                    callback(err instanceof Error ? err : new Error(String(err)));
+                    callback(toError(err));
                 }
             },
         });
@@ -355,7 +358,7 @@ class JsonBodyReader {
             if (signal?.aborted || isRequestReadAborted(req)) {
                 throw new JsonBodyError('read-failed', 'Request aborted');
             }
-            throw new JsonBodyError('read-failed', err instanceof Error ? err.message : String(err));
+            throw new JsonBodyError('read-failed', getErrorMessage(err));
         }
     }
     normalizeChunk(chunk) {
@@ -367,4 +370,3 @@ class JsonBodyReader {
     }
 }
 export const jsonBodyReader = new JsonBodyReader();
-//# sourceMappingURL=helpers.js.map

package/dist/http/native.d.ts

@@ -3,4 +3,3 @@ export declare function startHttpServer(): Promise<{
     port: number;
     host: string;
 }>;
-//# sourceMappingURL=native.d.ts.map