@j0hanz/superfetch 2.0.0 → 2.0.1

package/README.md

@@ -23,15 +23,15 @@ A [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) server that f
 
 ## Features
 
-| Feature              | Description                                                                           |
-| -------------------- | ------------------------------------------------------------------------------------- |
-| Smart extraction     | Mozilla Readability with quality gates to strip boilerplate when it improves results  |
-| Clean Markdown       | Markdown output with optional YAML frontmatter (title + source)                       |
-| Raw content handling | Preserves raw markdown/text and rewrites GitHub/GitLab/Bitbucket blob URLs to raw     |
-| Built-in caching     | In-memory cache with TTL, max keys, and resource subscriptions                        |
-| Resilient fetching   | Redirect handling with validation, timeouts, and response size limits                 |
-| Security first       | URL validation plus SSRF/DNS/IP blocklists                                            |
-| HTTP mode            | Static token or OAuth auth, session management, rate limiting, host/origin validation |
+| Feature              | Description                                                                                                        |
+| -------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| Smart extraction     | Mozilla Readability with quality gates to strip boilerplate when it improves results                               |
+| Clean Markdown       | Markdown output with optional YAML frontmatter (title + source)                                                    |
+| Raw content handling | Preserves raw markdown/text, detects common text extensions, and rewrites GitHub/GitLab/Bitbucket/Gist URLs to raw |
+| Built-in caching     | In-memory cache with TTL, max keys, and resource subscriptions                                                     |
+| Resilient fetching   | Redirect handling with validation, timeouts, and response size limits                                              |
+| Security first       | URL validation plus SSRF/DNS/IP blocklists                                                                         |
+| HTTP mode            | Static token or OAuth auth, session management, rate limiting, host/origin validation                              |
 
 ---
 
@@ -243,13 +243,15 @@ npx -y @j0hanz/superfetch@latest
 
 For multiple static tokens, set `ACCESS_TOKENS` (comma/space separated).
 
-Endpoints (auth required via `Authorization: Bearer <token>`; in static token mode, `X-API-Key` is also accepted):
+Auth is required for `/mcp` and `/mcp/downloads` via `Authorization: Bearer <token>` (static mode also accepts `X-API-Key`).
 
-- `GET /health`
-- `POST /mcp`
-- `GET /mcp` (SSE stream)
-- `DELETE /mcp`
-- `GET /mcp/downloads/:namespace/:hash`
+Endpoints:
+
+- `GET /health` (no auth; returns status, name, version, uptime)
+- `POST /mcp` (auth required)
+- `GET /mcp` (auth required; SSE stream; requires `Accept: text/event-stream`)
+- `DELETE /mcp` (auth required)
+- `GET /mcp/downloads/:namespace/:hash` (auth required)
 
 Sessions are managed via the `mcp-session-id` header (see [HTTP Mode Details](#http-mode-details)).
 
@@ -268,6 +270,7 @@ The response includes:
 - a `text` block containing JSON of `structuredContent`
 - a `resource` block embedding markdown when inline content is available (always in stdio mode)
 - when content exceeds the inline limit and cache is enabled, a `resource_link` block pointing to `superfetch://cache/...` (inline markdown may be omitted)
+- error responses set `isError: true` and return `structuredContent` with `error` and `url`
 
 ---
 
@@ -415,6 +418,7 @@ Optional:
 - Inline markdown limit: 20,000 characters
 - Cache max entries: 100
 - Session TTL: 30 minutes
+- Session init timeout: 10 seconds
 - Max sessions: 200
 - Rate limit: 100 req/min per IP (60s window)
 
@@ -434,6 +438,11 @@ If the `mcp-protocol-version` header is missing, the server defaults it to `2025
 
 `GET /mcp` and `DELETE /mcp` require `mcp-session-id`. `POST /mcp` without an `initialize` request will return 400.
 
+Additional HTTP transport notes:
+
+- `GET /mcp` requires `Accept: text/event-stream` (otherwise 406).
+- JSON-RPC batch requests are not supported (400).
+
 If the server reaches its session cap (200), it evicts the oldest session when possible; otherwise it returns a 503.
 
 Host and Origin headers are always validated. Allowed values include loopback hosts, the configured `HOST` (if not a wildcard), and any entries in `ALLOWED_HOSTS`. When binding to `0.0.0.0` or `::`, set `ALLOWED_HOSTS` to the hostnames clients will send.
@@ -484,12 +493,14 @@ Rate limiting applies to `/mcp` and `/mcp/downloads` (100 req/min per IP, 60s wi
 | `npm run build`         | Compile TypeScript                   |
 | `npm start`             | Production server                    |
 | `npm run lint`          | Run ESLint                           |
+| `npm run lint:fix`      | Auto-fix lint issues                 |
 | `npm run type-check`    | TypeScript type checking             |
 | `npm run format`        | Format with Prettier                 |
 | `npm test`              | Run Node test runner (builds dist)   |
 | `npm run test:coverage` | Run tests with experimental coverage |
 | `npm run knip`          | Find unused exports/dependencies     |
 | `npm run knip:fix`      | Auto-fix unused code                 |
+| `npm run inspector`     | Launch MCP Inspector                 |
 
 > **Note:** Tests run via `node --test` with `--experimental-transform-types` to execute `.ts` test files. Node will emit an experimental warning.
 
@@ -499,9 +510,9 @@ Rate limiting applies to `/mcp` and `/mcp/downloads` (100 req/min per IP, 60s wi
 | ------------------ | --------------------------------- |
 | Runtime            | Node.js >=20.12                   |
 | Language           | TypeScript 5.9                    |
-| MCP SDK            | @modelcontextprotocol/sdk ^1.25.1 |
+| MCP SDK            | @modelcontextprotocol/sdk ^1.25.2 |
 | Content Extraction | @mozilla/readability ^0.6.0       |
-| HTML Parsing       | LinkeDOM ^0.18.12                 |
+| HTML Parsing       | linkedom ^0.18.12                 |
 | Markdown           | Turndown ^7.2.2                   |
 | HTTP               | Express ^5.2.1, undici ^6.23.0    |
 | Validation         | Zod ^4.3.5                        |

package/dist/config/index.js

@@ -1,3 +1,4 @@
+import { buildIpv4 } from '../utils/ip-address.js';
 import packageJson from '../../package.json' with { type: 'json' };
 import { buildAuthConfig } from './auth-config.js';
 import { SIZE_LIMITS, TIMEOUT } from './constants.js';
@@ -8,10 +9,14 @@ function formatHostForUrl(hostname) {
     }
     return hostname;
 }
-const host = process.env.HOST ?? '127.0.0.1';
+const LOOPBACK_V4 = buildIpv4([127, 0, 0, 1]);
+const ANY_V4 = buildIpv4([0, 0, 0, 0]);
+const METADATA_V4_AWS = buildIpv4([169, 254, 169, 254]);
+const METADATA_V4_AZURE = buildIpv4([100, 100, 100, 200]);
+const host = process.env.HOST ?? LOOPBACK_V4;
 const port = parseInteger(process.env.PORT, 3000, 1024, 65535);
 const baseUrl = new URL(`http://${formatHostForUrl(host)}:${port}`);
-const isRemoteHost = host === '0.0.0.0' || host === '::';
+const isRemoteHost = host === ANY_V4 || host === '::';
 const runtimeState = {
     httpMode: false,
 };
@@ -51,13 +56,13 @@ export const config = {
     security: {
         blockedHosts: new Set([
             'localhost',
-            '127.0.0.1',
-            '0.0.0.0',
+            LOOPBACK_V4,
+            ANY_V4,
             '::1',
-            '169.254.169.254',
+            METADATA_V4_AWS,
             'metadata.google.internal',
             'metadata.azure.com',
-            '100.100.100.200',
+            METADATA_V4_AZURE,
             'instance-data',
         ]),
         blockedIpPatterns: [

package/dist/http/auth.js

@@ -1,8 +1,167 @@
+import { InvalidTokenError, ServerError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
 import { requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js';
 import { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter, } from '@modelcontextprotocol/sdk/server/auth/router.js';
 import { config } from '../config/index.js';
-import { verifyWithIntrospection } from './auth-introspection.js';
-import { verifyStaticToken } from './auth-static.js';
+import { timingSafeEqualUtf8 } from '../utils/crypto.js';
+import { isRecord } from '../utils/guards.js';
+const STATIC_TOKEN_TTL_SECONDS = 60 * 60 * 24;
+function stripHash(url) {
+    const copy = new URL(url.href);
+    copy.hash = '';
+    return copy.href;
+}
+function parseScopes(value) {
+    if (typeof value === 'string') {
+        return value
+            .split(' ')
+            .map((scope) => scope.trim())
+            .filter((scope) => scope.length > 0);
+    }
+    if (Array.isArray(value)) {
+        return value.filter((scope) => typeof scope === 'string');
+    }
+    return [];
+}
+function parseResourceUrl(value) {
+    if (typeof value !== 'string')
+        return undefined;
+    if (!URL.canParse(value))
+        return undefined;
+    return new URL(value);
+}
+function parseAudResource(aud) {
+    if (typeof aud === 'string') {
+        return parseResourceUrl(aud);
+    }
+    if (Array.isArray(aud)) {
+        for (const entry of aud) {
+            const parsed = parseResourceUrl(entry);
+            if (parsed)
+                return parsed;
+        }
+    }
+    return undefined;
+}
+function extractResource(data) {
+    const resource = parseResourceUrl(data.resource);
+    if (resource)
+        return resource;
+    return parseAudResource(data.aud);
+}
+function extractScopes(data) {
+    if (data.scope !== undefined) {
+        return parseScopes(data.scope);
+    }
+    if (data.scopes !== undefined) {
+        return parseScopes(data.scopes);
+    }
+    if (data.scp !== undefined) {
+        return parseScopes(data.scp);
+    }
+    return [];
+}
+function readExpiresAt(data) {
+    const expiresAt = typeof data.exp === 'number' ? data.exp : Number.NaN;
+    if (!Number.isFinite(expiresAt)) {
+        throw new InvalidTokenError('Token has no expiration time');
+    }
+    return expiresAt;
+}
+function resolveClientId(data) {
+    if (typeof data.client_id === 'string')
+        return data.client_id;
+    if (typeof data.cid === 'string')
+        return data.cid;
+    if (typeof data.sub === 'string')
+        return data.sub;
+    return 'unknown';
+}
+function ensureResourceMatch(resource) {
+    if (resource && stripHash(resource) !== stripHash(config.auth.resourceUrl)) {
+        throw new InvalidTokenError('Token resource mismatch');
+    }
+    return resource;
+}
+function buildIntrospectionAuthInfo(token, data) {
+    const resource = ensureResourceMatch(extractResource(data));
+    return {
+        token,
+        clientId: resolveClientId(data),
+        scopes: extractScopes(data),
+        expiresAt: readExpiresAt(data),
+        resource: resource ?? config.auth.resourceUrl,
+        extra: data,
+    };
+}
+function buildBasicAuthHeader(clientId, clientSecret) {
+    const secret = clientSecret ?? '';
+    const basic = Buffer.from(`${clientId}:${secret}`, 'utf8').toString('base64');
+    return `Basic ${basic}`;
+}
+function buildIntrospectionRequest(token, resourceUrl, clientId, clientSecret) {
+    const body = new URLSearchParams({
+        token,
+        token_type_hint: 'access_token',
+        resource: stripHash(resourceUrl),
+    }).toString();
+    const headers = {
+        'content-type': 'application/x-www-form-urlencoded',
+    };
+    if (clientId) {
+        headers.authorization = buildBasicAuthHeader(clientId, clientSecret);
+    }
+    return { body, headers };
+}
+async function requestIntrospection(introspectionUrl, request, timeoutMs) {
+    const response = await fetch(introspectionUrl, {
+        method: 'POST',
+        headers: request.headers,
+        body: request.body,
+        signal: AbortSignal.timeout(timeoutMs),
+    });
+    if (!response.ok) {
+        await response.body?.cancel();
+        throw new ServerError(`Token introspection failed: ${response.status}`);
+    }
+    return response.json();
+}
+function parseIntrospectionPayload(payload) {
+    if (!isRecord(payload) || Array.isArray(payload)) {
+        throw new ServerError('Invalid introspection response');
+    }
+    if (payload.active !== true) {
+        throw new InvalidTokenError('Token is inactive');
+    }
+    return payload;
+}
+async function verifyWithIntrospection(token) {
+    const { auth } = config;
+    if (!auth.introspectionUrl) {
+        throw new ServerError('Token introspection is not configured');
+    }
+    const request = buildIntrospectionRequest(token, auth.resourceUrl, auth.clientId, auth.clientSecret);
+    const payload = await requestIntrospection(auth.introspectionUrl, request, auth.introspectionTimeoutMs);
+    return buildIntrospectionAuthInfo(token, parseIntrospectionPayload(payload));
+}
+function buildStaticAuthInfo(token) {
+    return {
+        token,
+        clientId: 'static-token',
+        scopes: config.auth.requiredScopes,
+        expiresAt: Math.floor(Date.now() / 1000) + STATIC_TOKEN_TTL_SECONDS,
+        resource: config.auth.resourceUrl,
+    };
+}
+function verifyStaticToken(token) {
+    if (config.auth.staticTokens.length === 0) {
+        throw new InvalidTokenError('No static tokens configured');
+    }
+    const matched = config.auth.staticTokens.some((candidate) => timingSafeEqualUtf8(candidate, token));
+    if (!matched) {
+        throw new InvalidTokenError('Invalid token');
+    }
+    return buildStaticAuthInfo(token);
+}
 function normalizeHeaderValue(header) {
     return Array.isArray(header) ? header[0] : header;
 }

package/dist/http/host-allowlist.d.ts

@@ -0,0 +1,3 @@
+import type { RequestHandler } from 'express';
+export declare function createHostValidationMiddleware(): RequestHandler;
+export declare function createOriginValidationMiddleware(): RequestHandler;

package/dist/http/host-allowlist.js

@@ -0,0 +1,117 @@
+import { config } from '../config/index.js';
+const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
+function getNonEmptyStringHeader(value) {
+    if (typeof value !== 'string')
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+}
+function respondHostNotAllowed(res) {
+    res.status(403).json({
+        error: 'Host not allowed',
+        code: 'HOST_NOT_ALLOWED',
+    });
+}
+function respondOriginNotAllowed(res) {
+    res.status(403).json({
+        error: 'Origin not allowed',
+        code: 'ORIGIN_NOT_ALLOWED',
+    });
+}
+function tryParseOriginHostname(originHeader) {
+    try {
+        return new URL(originHeader).hostname.toLowerCase();
+    }
+    catch {
+        return null;
+    }
+}
+function takeFirstHostValue(value) {
+    const first = value.split(',')[0];
+    if (!first)
+        return null;
+    const trimmed = first.trim();
+    return trimmed ? trimmed : null;
+}
+function stripIpv6Brackets(value) {
+    if (!value.startsWith('['))
+        return null;
+    const end = value.indexOf(']');
+    if (end === -1)
+        return null;
+    return value.slice(1, end);
+}
+function stripPortIfPresent(value) {
+    const colonIndex = value.indexOf(':');
+    if (colonIndex === -1)
+        return value;
+    return value.slice(0, colonIndex);
+}
+function normalizeHost(value) {
+    const trimmed = value.trim().toLowerCase();
+    if (!trimmed)
+        return null;
+    const first = takeFirstHostValue(trimmed);
+    if (!first)
+        return null;
+    const ipv6 = stripIpv6Brackets(first);
+    if (ipv6)
+        return ipv6;
+    return stripPortIfPresent(first);
+}
+function isWildcardHost(host) {
+    return host === '0.0.0.0' || host === '::';
+}
+function addLoopbackHosts(allowedHosts) {
+    for (const host of LOOPBACK_HOSTS) {
+        allowedHosts.add(host);
+    }
+}
+function addConfiguredHost(allowedHosts) {
+    const configuredHost = normalizeHost(config.server.host);
+    if (!configuredHost)
+        return;
+    if (isWildcardHost(configuredHost))
+        return;
+    allowedHosts.add(configuredHost);
+}
+function addExplicitAllowedHosts(allowedHosts) {
+    for (const host of config.security.allowedHosts) {
+        allowedHosts.add(host);
+    }
+}
+function buildAllowedHosts() {
+    const allowedHosts = new Set();
+    addLoopbackHosts(allowedHosts);
+    addConfiguredHost(allowedHosts);
+    addExplicitAllowedHosts(allowedHosts);
+    return allowedHosts;
+}
+export function createHostValidationMiddleware() {
+    const allowedHosts = buildAllowedHosts();
+    return (req, res, next) => {
+        const hostHeader = typeof req.headers.host === 'string' ? req.headers.host : '';
+        const normalized = normalizeHost(hostHeader);
+        if (!normalized || !allowedHosts.has(normalized)) {
+            respondHostNotAllowed(res);
+            return;
+        }
+        next();
+    };
+}
+export function createOriginValidationMiddleware() {
+    const allowedHosts = buildAllowedHosts();
+    return (req, res, next) => {
+        const originHeader = getNonEmptyStringHeader(req.headers.origin);
+        if (!originHeader) {
+            next();
+            return;
+        }
+        const originHostname = tryParseOriginHostname(originHeader);
+        if (!originHostname || !allowedHosts.has(originHostname)) {
+            respondOriginNotAllowed(res);
+            return;
+        }
+        next();
+    };
+}

package/dist/http/mcp-routes.d.ts

@@ -1,3 +1,9 @@
-import type { Express } from 'express';
-import { type McpSessionOptions } from './mcp-session.js';
+import type { Express, Request, Response } from 'express';
+import type { McpRequestBody } from '../config/types/runtime.js';
+import { type McpSessionOptions } from './mcp-sessions.js';
+export declare function isJsonRpcBatchRequest(body: unknown): boolean;
+export declare function isMcpRequestBody(body: unknown): body is McpRequestBody;
+export declare function ensureMcpProtocolVersionHeader(req: Request, res: Response): boolean;
+export declare function ensurePostAcceptHeader(req: Request): void;
+export declare function acceptsEventStream(req: Request): boolean;
 export declare function registerMcpRoutes(app: Express, options: McpSessionOptions): void;

package/dist/http/mcp-routes.js

@@ -1,11 +1,24 @@
+import { z } from 'zod';
 import { logError, logInfo } from '../services/logger.js';
-import { acceptsEventStream, ensurePostAcceptHeader } from './accept-policy.js';
-import { wrapAsync } from './async-handler.js';
-import { sendJsonRpcError } from './jsonrpc-http.js';
-import { resolveTransportForPost, } from './mcp-session.js';
-import { isJsonRpcBatchRequest, isMcpRequestBody } from './mcp-validation.js';
-import { ensureMcpProtocolVersionHeader } from './protocol-policy.js';
-import { getSessionId } from './sessions.js';
+import { getSessionId, resolveTransportForPost, sendJsonRpcError, } from './mcp-sessions.js';
+const paramsSchema = z.looseObject({});
+const mcpRequestSchema = z.looseObject({
+    jsonrpc: z.literal('2.0'),
+    method: z.string().min(1),
+    id: z.union([z.string(), z.number()]).optional(),
+    params: paramsSchema.optional(),
+});
+function wrapAsync(fn) {
+    return (req, res, next) => {
+        Promise.resolve(fn(req, res)).catch(next);
+    };
+}
+export function isJsonRpcBatchRequest(body) {
+    return Array.isArray(body);
+}
+export function isMcpRequestBody(body) {
+    return mcpRequestSchema.safeParse(body).success;
+}
 function respondInvalidRequestBody(res) {
     sendJsonRpcError(res, -32600, 'Invalid Request: Malformed request body', 400);
 }
@@ -67,6 +80,81 @@ function resolveSessionTransport(sessionId, options, res) {
     sessionStore.touch(sessionId);
     return session.transport;
 }
+const MCP_PROTOCOL_VERSION_HEADER = 'mcp-protocol-version';
+const MCP_PROTOCOL_VERSIONS = {
+    defaultVersion: '2025-03-26',
+    supported: new Set(['2025-03-26', '2025-11-25']),
+};
+function getHeaderValue(req, headerNameLower) {
+    const value = req.headers[headerNameLower];
+    if (typeof value === 'string')
+        return value;
+    if (Array.isArray(value))
+        return value[0] ?? null;
+    return null;
+}
+function setHeaderValue(req, headerNameLower, value) {
+    // Express exposes req.headers as a plain object, but the type is readonly-ish.
+    req.headers[headerNameLower] = value;
+}
+export function ensureMcpProtocolVersionHeader(req, res) {
+    const raw = getHeaderValue(req, MCP_PROTOCOL_VERSION_HEADER);
+    const version = raw?.trim();
+    if (!version) {
+        setHeaderValue(req, MCP_PROTOCOL_VERSION_HEADER, MCP_PROTOCOL_VERSIONS.defaultVersion);
+        return true;
+    }
+    if (!MCP_PROTOCOL_VERSIONS.supported.has(version)) {
+        sendJsonRpcError(res, -32600, `Unsupported MCP-Protocol-Version: ${version}`, 400);
+        return false;
+    }
+    return true;
+}
+function getAcceptHeader(req) {
+    const value = req.headers.accept;
+    if (typeof value === 'string')
+        return value;
+    return '';
+}
+function setAcceptHeader(req, value) {
+    req.headers.accept = value;
+    const { rawHeaders } = req;
+    if (!Array.isArray(rawHeaders))
+        return;
+    for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
+        const key = rawHeaders[i];
+        if (typeof key === 'string' && key.toLowerCase() === 'accept') {
+            rawHeaders[i + 1] = value;
+            return;
+        }
+    }
+    rawHeaders.push('Accept', value);
+}
+function hasToken(header, token) {
+    return header
+        .split(',')
+        .map((part) => part.trim().toLowerCase())
+        .some((part) => part === token || part.startsWith(`${token};`));
+}
+export function ensurePostAcceptHeader(req) {
+    const accept = getAcceptHeader(req);
+    // Some clients send */* or omit Accept; the SDK transport is picky.
+    if (!accept || hasToken(accept, '*/*')) {
+        setAcceptHeader(req, 'application/json, text/event-stream');
+        return;
+    }
+    const hasJson = hasToken(accept, 'application/json');
+    const hasSse = hasToken(accept, 'text/event-stream');
+    if (!hasJson || !hasSse) {
+        setAcceptHeader(req, 'application/json, text/event-stream');
+    }
+}
+export function acceptsEventStream(req) {
+    const accept = getAcceptHeader(req);
+    if (!accept)
+        return false;
+    return hasToken(accept, 'text/event-stream');
+}
 async function handlePost(req, res, options) {
     ensurePostAcceptHeader(req);
     if (!ensureMcpProtocolVersionHeader(req, res))
@@ -76,7 +164,12 @@ async function handlePost(req, res, options) {
     if (!payload)
         return;
     logPostRequest(payload, sessionId, options);
-    const transport = await resolveTransportForPost(req, res, payload, sessionId, options);
+    const transport = await resolveTransportForPost({
+        res,
+        body: payload,
+        sessionId,
+        options,
+    });
     if (!transport)
         return;
     await handleTransportRequest(transport, req, res, payload);

package/dist/http/mcp-session-eviction.d.ts

@@ -0,0 +1,3 @@
+import type { SessionStore } from './sessions.js';
+export declare function evictExpiredSessions(store: SessionStore): number;
+export declare function evictOldestSession(store: SessionStore): boolean;

package/dist/http/mcp-session-eviction.js

@@ -0,0 +1,24 @@
+import { logWarn } from '../services/logger.js';
+import { getErrorMessage } from '../utils/error-details.js';
+export function evictExpiredSessions(store) {
+    const evicted = store.evictExpired();
+    for (const session of evicted) {
+        void session.transport.close().catch((error) => {
+            logWarn('Failed to close expired session', {
+                error: getErrorMessage(error),
+            });
+        });
+    }
+    return evicted.length;
+}
+export function evictOldestSession(store) {
+    const session = store.evictOldest();
+    if (!session)
+        return false;
+    void session.transport.close().catch((error) => {
+        logWarn('Failed to close evicted session', {
+            error: getErrorMessage(error),
+        });
+    });
+    return true;
+}

package/dist/http/mcp-session-init.d.ts

@@ -0,0 +1,7 @@
+import type { Response } from 'express';
+import type { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import type { McpSessionOptions } from './mcp-session-types.js';
+export declare function createAndConnectTransport({ options, res, }: {
+    options: McpSessionOptions;
+    res: Response;
+}): Promise<StreamableHTTPServerTransport | null>;