@j0hanz/superfetch 2.0.1 → 2.1.0

package/dist/http.js

@@ -0,0 +1,1437 @@
+import { randomUUID } from 'node:crypto';
+import { isIP } from 'node:net';
+import { setInterval as setIntervalPromise } from 'node:timers/promises';
+import { z } from 'zod';
+import { InvalidTokenError, ServerError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
+import { requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js';
+import { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter, } from '@modelcontextprotocol/sdk/server/auth/router.js';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
+import { registerDownloadRoutes } from './cache.js';
+import { config, enableHttpMode } from './config.js';
+import { timingSafeEqualUtf8 } from './crypto.js';
+import { FetchError, getErrorMessage } from './errors.js';
+import { destroyAgents } from './fetch.js';
+import { createMcpServer } from './mcp.js';
+import { logDebug, logError, logInfo, logWarn, runWithRequestContext, } from './observability.js';
+import { shutdownTransformWorkerPool } from './transform.js';
+function getRateLimitKey(req) {
+    return req.ip ?? req.socket.remoteAddress ?? 'unknown';
+}
+function createCleanupInterval(store, options) {
+    const controller = new AbortController();
+    void startCleanupLoop(store, options, controller.signal).catch(handleCleanupError);
+    return controller;
+}
+function createRateLimitMiddleware(options) {
+    const store = new Map();
+    const cleanupController = createCleanupInterval(store, options);
+    const stop = () => {
+        cleanupController.abort();
+    };
+    const middleware = createRateLimitHandler(store, options);
+    return { middleware, stop, store };
+}
+function createRateLimitHandler(store, options) {
+    return (req, res, next) => {
+        if (shouldSkipRateLimit(req, options)) {
+            next();
+            return;
+        }
+        const now = Date.now();
+        const key = getRateLimitKey(req);
+        const resolution = resolveRateLimitEntry(store, key, now, options);
+        if (resolution.isNew) {
+            next();
+            return;
+        }
+        if (handleRateLimitExceeded(res, resolution.entry, now, options)) {
+            return;
+        }
+        next();
+    };
+}
+async function startCleanupLoop(store, options, signal) {
+    for await (const getNow of setIntervalPromise(options.cleanupIntervalMs, Date.now, { signal, ref: false })) {
+        evictStaleEntries(store, options, getNow());
+    }
+}
+function evictStaleEntries(store, options, now) {
+    for (const [key, entry] of store.entries()) {
+        if (now - entry.lastAccessed > options.windowMs * 2) {
+            store.delete(key);
+        }
+    }
+}
+function isSessionAbortError(error) {
+    return error instanceof Error && error.name === 'AbortError';
+}
+function handleCleanupError(error) {
+    if (isAbortError(error)) {
+        return;
+    }
+    logWarn('Rate limit cleanup loop failed', {
+        error: error instanceof Error ? error.message : 'Unknown error',
+    });
+}
+function shouldSkipRateLimit(req, options) {
+    return !options.enabled || req.method === 'OPTIONS';
+}
+function resolveRateLimitEntry(store, key, now, options) {
+    const existing = store.get(key);
+    if (!existing || now > existing.resetTime) {
+        const entry = createNewEntry(now, options);
+        store.set(key, entry);
+        return { entry, isNew: true };
+    }
+    updateEntry(existing, now);
+    return { entry: existing, isNew: false };
+}
+function createNewEntry(now, options) {
+    return {
+        count: 1,
+        resetTime: now + options.windowMs,
+        lastAccessed: now,
+    };
+}
+function updateEntry(entry, now) {
+    entry.count += 1;
+    entry.lastAccessed = now;
+}
+function handleRateLimitExceeded(res, entry, now, options) {
+    if (entry.count <= options.maxRequests) {
+        return false;
+    }
+    const retryAfter = Math.max(1, Math.ceil((entry.resetTime - now) / 1000));
+    res.set('Retry-After', String(retryAfter));
+    res.status(429).json({
+        error: 'Rate limit exceeded',
+        retryAfter,
+    });
+    return true;
+}
+function assertHttpConfiguration() {
+    ensureBindAllowed();
+    ensureStaticTokens();
+    if (config.auth.mode === 'oauth') {
+        ensureOauthConfiguration();
+    }
+}
+function ensureBindAllowed() {
+    const isLoopback = ['127.0.0.1', '::1', 'localhost'].includes(config.server.host);
+    if (!config.security.allowRemote && !isLoopback) {
+        logError('Refusing to bind to non-loopback host without ALLOW_REMOTE=true', { host: config.server.host });
+        process.exit(1);
+    }
+    if (!isLoopback &&
+        config.security.allowRemote &&
+        config.auth.mode !== 'oauth') {
+        logError('Remote HTTP mode requires OAuth configuration; refusing to start');
+        process.exit(1);
+    }
+}
+function ensureStaticTokens() {
+    if (config.auth.mode === 'static' && config.auth.staticTokens.length === 0) {
+        logError('At least one static access token is required for HTTP mode');
+        process.exit(1);
+    }
+}
+function ensureOauthConfiguration() {
+    if (!config.auth.issuerUrl || !config.auth.authorizationUrl) {
+        logError('OAUTH_ISSUER_URL and OAUTH_AUTHORIZATION_URL are required for OAuth mode');
+        process.exit(1);
+    }
+    if (!config.auth.tokenUrl) {
+        logError('OAUTH_TOKEN_URL is required for OAuth mode');
+        process.exit(1);
+    }
+    if (!config.auth.introspectionUrl) {
+        logError('OAUTH_INTROSPECTION_URL is required for OAuth mode');
+        process.exit(1);
+    }
+}
+function createShutdownHandler(server, sessionStore, sessionCleanupController, stopRateLimitCleanup) {
+    let inFlight = null;
+    let initialSignal = null;
+    return (signal) => {
+        if (inFlight) {
+            logWarn('Shutdown already in progress; ignoring signal', {
+                signal,
+                initialSignal,
+            });
+            return inFlight;
+        }
+        initialSignal = signal;
+        inFlight = shutdownServer(signal, server, sessionStore, sessionCleanupController, stopRateLimitCleanup).catch((error) => {
+            logError('Shutdown handler failed', error instanceof Error ? error : { error: getErrorMessage(error) });
+            throw error;
+        });
+        return inFlight;
+    };
+}
+async function shutdownServer(signal, server, sessionStore, sessionCleanupController, stopRateLimitCleanup) {
+    logInfo(`${signal} received, shutting down gracefully...`);
+    stopRateLimitCleanup();
+    sessionCleanupController.abort();
+    await closeSessions(sessionStore);
+    destroyAgents();
+    await shutdownTransformWorkerPool();
+    drainConnectionsOnShutdown(server);
+    closeServer(server);
+    scheduleForcedShutdown(10000);
+}
+async function closeSessions(sessionStore) {
+    const sessions = sessionStore.clear();
+    await Promise.allSettled(sessions.map((session) => session.transport.close().catch((error) => {
+        logWarn('Failed to close session during shutdown', {
+            error: getErrorMessage(error),
+        });
+    })));
+}
+function closeServer(server) {
+    server.close(() => {
+        logInfo('HTTP server closed');
+        process.exit(0);
+    });
+}
+function scheduleForcedShutdown(timeoutMs) {
+    setTimeout(() => {
+        logError('Forced shutdown after timeout');
+        process.exit(1);
+    }, timeoutMs).unref();
+}
+function registerSignalHandlers(shutdown) {
+    process.once('SIGINT', () => {
+        void shutdown('SIGINT');
+    });
+    process.once('SIGTERM', () => {
+        void shutdown('SIGTERM');
+    });
+}
+function startListening(app) {
+    return app
+        .listen(config.server.port, config.server.host, () => {
+        logInfo('superFetch MCP server started', {
+            host: config.server.host,
+            port: config.server.port,
+        });
+        const baseUrl = `http://${config.server.host}:${config.server.port}`;
+        logInfo(`superFetch MCP server running at ${baseUrl} (health: ${baseUrl}/health, mcp: ${baseUrl}/mcp)`);
+        logInfo('Run with --stdio flag for direct stdio integration');
+    })
+        .on('error', (err) => {
+        logError('Failed to start server', err);
+        process.exit(1);
+    });
+}
+function buildMiddleware() {
+    const { middleware: rateLimitMiddleware, stop: stopRateLimitCleanup } = createRateLimitMiddleware(config.rateLimit);
+    const authMiddleware = createAuthMiddleware();
+    // No CORS - MCP clients don't run in browsers
+    const corsMiddleware = createCorsMiddleware();
+    return {
+        rateLimitMiddleware,
+        stopRateLimitCleanup,
+        authMiddleware,
+        corsMiddleware,
+    };
+}
+function createSessionInfrastructure() {
+    const sessionStore = createSessionStore(config.server.sessionTtlMs);
+    const sessionCleanupController = startSessionCleanupLoop(sessionStore, config.server.sessionTtlMs);
+    return { sessionStore, sessionCleanupController };
+}
+function registerHttpRoutes(app, sessionStore, authMiddleware) {
+    app.use('/mcp', authMiddleware);
+    app.use('/mcp/downloads', authMiddleware);
+    registerMcpRoutes(app, {
+        sessionStore,
+        maxSessions: config.server.maxSessions,
+    });
+    registerDownloadRoutes(app);
+    app.use(errorHandler);
+}
+function attachAuthMetadata(app) {
+    const authMetadataRouter = createAuthMetadataRouter();
+    if (authMetadataRouter) {
+        app.use(authMetadataRouter);
+    }
+}
+async function buildServerContext() {
+    const { app, authMiddleware, stopRateLimitCleanup } = await createAppWithMiddleware();
+    const { sessionStore, sessionCleanupController } = attachSessionRoutes(app, authMiddleware);
+    return { app, sessionStore, sessionCleanupController, stopRateLimitCleanup };
+}
+async function createAppWithMiddleware() {
+    const { app, jsonParser } = await createExpressApp();
+    const { rateLimitMiddleware, stopRateLimitCleanup, authMiddleware, corsMiddleware, } = buildMiddleware();
+    attachBaseMiddleware({
+        app,
+        jsonParser,
+        rateLimitMiddleware,
+        corsMiddleware,
+    });
+    attachAuthMetadata(app);
+    assertHttpConfiguration();
+    return { app, authMiddleware, stopRateLimitCleanup };
+}
+function attachSessionRoutes(app, authMiddleware) {
+    const { sessionStore, sessionCleanupController } = createSessionInfrastructure();
+    registerHttpRoutes(app, sessionStore, authMiddleware);
+    return { sessionStore, sessionCleanupController };
+}
+export async function startHttpServer() {
+    enableHttpMode();
+    const { app, sessionStore, sessionCleanupController, stopRateLimitCleanup } = await buildServerContext();
+    const server = startListening(app);
+    applyHttpServerTuning(server);
+    const shutdown = createShutdownHandler(server, sessionStore, sessionCleanupController, stopRateLimitCleanup);
+    registerSignalHandlers(shutdown);
+    return { shutdown };
+}
+async function createExpressApp() {
+    const { default: express } = await import('express');
+    const app = express();
+    const jsonParser = express.json({ limit: '1mb' });
+    return { app, jsonParser };
+}
+function getStatusCode(fetchError) {
+    return fetchError ? fetchError.statusCode : 500;
+}
+function getErrorCode(fetchError) {
+    return fetchError ? fetchError.code : 'INTERNAL_ERROR';
+}
+function getFetchErrorMessage(fetchError) {
+    return fetchError ? fetchError.message : 'Internal Server Error';
+}
+function getErrorDetails(fetchError) {
+    if (fetchError && Object.keys(fetchError.details).length > 0) {
+        return fetchError.details;
+    }
+    return undefined;
+}
+function resolveRetryAfter(fetchError) {
+    if (fetchError?.statusCode !== 429)
+        return undefined;
+    const { retryAfter } = fetchError.details;
+    return isRetryAfterValue(retryAfter) ? String(retryAfter) : undefined;
+}
+function isRetryAfterValue(value) {
+    return typeof value === 'number' || typeof value === 'string';
+}
+function setRetryAfterHeader(res, fetchError) {
+    const retryAfter = resolveRetryAfter(fetchError);
+    if (retryAfter === undefined)
+        return;
+    res.set('Retry-After', retryAfter);
+}
+function buildErrorResponse(fetchError) {
+    const details = getErrorDetails(fetchError);
+    const response = {
+        error: {
+            message: getFetchErrorMessage(fetchError),
+            code: getErrorCode(fetchError),
+            statusCode: getStatusCode(fetchError),
+            ...(details && { details }),
+        },
+    };
+    return response;
+}
+export function errorHandler(err, req, res, next) {
+    if (res.headersSent) {
+        next(err);
+        return;
+    }
+    const fetchError = err instanceof FetchError ? err : null;
+    const statusCode = getStatusCode(fetchError);
+    logError(`HTTP ${statusCode}: ${err.message} - ${req.method} ${req.path}`, err);
+    setRetryAfterHeader(res, fetchError);
+    res.status(statusCode).json(buildErrorResponse(fetchError));
+}
+export function normalizeHost(value) {
+    const trimmed = value.trim().toLowerCase();
+    if (!trimmed)
+        return null;
+    const first = takeFirstHostValue(trimmed);
+    if (!first)
+        return null;
+    const ipv6 = stripIpv6Brackets(first);
+    if (ipv6)
+        return ipv6;
+    if (isIpV6Literal(first)) {
+        return first;
+    }
+    return stripPortIfPresent(first);
+}
+function takeFirstHostValue(value) {
+    const first = value.split(',')[0];
+    if (!first)
+        return null;
+    const trimmed = first.trim();
+    return trimmed ? trimmed : null;
+}
+function stripIpv6Brackets(value) {
+    if (!value.startsWith('['))
+        return null;
+    const end = value.indexOf(']');
+    if (end === -1)
+        return null;
+    return value.slice(1, end);
+}
+function stripPortIfPresent(value) {
+    const colonIndex = value.indexOf(':');
+    if (colonIndex === -1)
+        return value;
+    return value.slice(0, colonIndex);
+}
+function isIpV6Literal(value) {
+    return isIP(value) === 6;
+}
+const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
+function getNonEmptyStringHeader(value) {
+    if (typeof value !== 'string')
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+}
+function respondHostNotAllowed(res) {
+    res.status(403).json({
+        error: 'Host not allowed',
+        code: 'HOST_NOT_ALLOWED',
+    });
+}
+function respondOriginNotAllowed(res) {
+    res.status(403).json({
+        error: 'Origin not allowed',
+        code: 'ORIGIN_NOT_ALLOWED',
+    });
+}
+function tryParseOriginHostname(originHeader) {
+    try {
+        return new URL(originHeader).hostname.toLowerCase();
+    }
+    catch {
+        return null;
+    }
+}
+function isWildcardHost(host) {
+    return host === '0.0.0.0' || host === '::';
+}
+function addLoopbackHosts(allowedHosts) {
+    for (const host of LOOPBACK_HOSTS) {
+        allowedHosts.add(host);
+    }
+}
+function addConfiguredHost(allowedHosts) {
+    const configuredHost = normalizeHost(config.server.host);
+    if (!configuredHost)
+        return;
+    if (isWildcardHost(configuredHost))
+        return;
+    allowedHosts.add(configuredHost);
+}
+function addExplicitAllowedHosts(allowedHosts) {
+    for (const host of config.security.allowedHosts) {
+        const normalized = normalizeHost(host);
+        if (!normalized) {
+            logDebug('Ignoring invalid allowed host entry', { host });
+            continue;
+        }
+        allowedHosts.add(normalized);
+    }
+}
+function buildAllowedHosts() {
+    const allowedHosts = new Set();
+    addLoopbackHosts(allowedHosts);
+    addConfiguredHost(allowedHosts);
+    addExplicitAllowedHosts(allowedHosts);
+    return allowedHosts;
+}
+function createHostValidationMiddleware() {
+    const allowedHosts = buildAllowedHosts();
+    return (req, res, next) => {
+        const hostHeader = typeof req.headers.host === 'string' ? req.headers.host : '';
+        const normalized = normalizeHost(hostHeader);
+        if (!normalized || !allowedHosts.has(normalized)) {
+            respondHostNotAllowed(res);
+            return;
+        }
+        next();
+    };
+}
+function createOriginValidationMiddleware() {
+    const allowedHosts = buildAllowedHosts();
+    return (req, res, next) => {
+        const originHeader = getNonEmptyStringHeader(req.headers.origin);
+        if (!originHeader) {
+            next();
+            return;
+        }
+        const originHostname = tryParseOriginHostname(originHeader);
+        if (!originHostname || !allowedHosts.has(originHostname)) {
+            respondOriginNotAllowed(res);
+            return;
+        }
+        next();
+    };
+}
+function createJsonParseErrorHandler() {
+    return (err, _req, res, next) => {
+        if (err instanceof SyntaxError && 'body' in err) {
+            res.status(400).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32700,
+                    message: 'Parse error: Invalid JSON',
+                },
+                id: null,
+            });
+            return;
+        }
+        next();
+    };
+}
+function createContextMiddleware() {
+    return (req, _res, next) => {
+        const requestId = randomUUID();
+        const sessionId = getSessionId(req);
+        const context = sessionId === undefined
+            ? { requestId, operationId: requestId }
+            : { requestId, operationId: requestId, sessionId };
+        runWithRequestContext(context, () => {
+            next();
+        });
+    };
+}
+function registerHealthRoute(app) {
+    app.get('/health', (_req, res) => {
+        res.json({
+            status: 'healthy',
+            name: config.server.name,
+            version: config.server.version,
+            uptime: process.uptime(),
+        });
+    });
+}
+export function attachBaseMiddleware(options) {
+    const { app, jsonParser, rateLimitMiddleware, corsMiddleware } = options;
+    app.use(createHostValidationMiddleware());
+    app.use(createOriginValidationMiddleware());
+    app.use(jsonParser);
+    app.use(createContextMiddleware());
+    app.use(createJsonParseErrorHandler());
+    app.use(corsMiddleware);
+    app.use('/mcp', rateLimitMiddleware);
+    registerHealthRoute(app);
+}
+export function createCorsMiddleware() {
+    return (req, res, next) => {
+        if (req.method === 'OPTIONS') {
+            res.sendStatus(200);
+            return;
+        }
+        next();
+    };
+}
+function isRecord(value) {
+    return typeof value === 'object' && value !== null;
+}
+function parseScopes(value) {
+    if (typeof value === 'string') {
+        return value
+            .split(' ')
+            .map((scope) => scope.trim())
+            .filter((scope) => scope.length > 0);
+    }
+    if (Array.isArray(value)) {
+        return value.filter((scope) => typeof scope === 'string');
+    }
+    return [];
+}
+function parseResourceUrl(value) {
+    if (typeof value !== 'string')
+        return undefined;
+    if (!URL.canParse(value))
+        return undefined;
+    return new URL(value);
+}
+function parseAudResource(aud) {
+    if (typeof aud === 'string') {
+        return parseResourceUrl(aud);
+    }
+    if (Array.isArray(aud)) {
+        for (const entry of aud) {
+            const parsed = parseResourceUrl(entry);
+            if (parsed)
+                return parsed;
+        }
+    }
+    return undefined;
+}
+function extractResource(data) {
+    const resource = parseResourceUrl(data.resource);
+    if (resource)
+        return resource;
+    return parseAudResource(data.aud);
+}
+function extractScopes(data) {
+    if (data.scope !== undefined) {
+        return parseScopes(data.scope);
+    }
+    if (data.scopes !== undefined) {
+        return parseScopes(data.scopes);
+    }
+    if (data.scp !== undefined) {
+        return parseScopes(data.scp);
+    }
+    return [];
+}
+function readExpiresAt(data) {
+    const expiresAt = typeof data.exp === 'number' ? data.exp : Number.NaN;
+    if (!Number.isFinite(expiresAt)) {
+        throw new InvalidTokenError('Token has no expiration time');
+    }
+    return expiresAt;
+}
+function resolveClientId(data) {
+    if (typeof data.client_id === 'string')
+        return data.client_id;
+    if (typeof data.cid === 'string')
+        return data.cid;
+    if (typeof data.sub === 'string')
+        return data.sub;
+    return 'unknown';
+}
+function stripHash(url) {
+    const copy = new URL(url.href);
+    copy.hash = '';
+    return copy.href;
+}
+function ensureResourceMatch(resource) {
+    if (!resource) {
+        throw new InvalidTokenError('Token resource mismatch');
+    }
+    if (stripHash(resource) !== stripHash(config.auth.resourceUrl)) {
+        throw new InvalidTokenError('Token resource mismatch');
+    }
+    return resource;
+}
+function buildIntrospectionAuthInfo(token, data) {
+    const resource = ensureResourceMatch(extractResource(data));
+    return {
+        token,
+        clientId: resolveClientId(data),
+        scopes: extractScopes(data),
+        expiresAt: readExpiresAt(data),
+        resource,
+        extra: data,
+    };
+}
+function buildBasicAuthHeader(clientId, clientSecret) {
+    const secret = clientSecret ?? '';
+    const basic = Buffer.from(`${clientId}:${secret}`, 'utf8').toString('base64');
+    return `Basic ${basic}`;
+}
+function buildIntrospectionRequest(token, resourceUrl, clientId, clientSecret) {
+    const body = new URLSearchParams({
+        token,
+        token_type_hint: 'access_token',
+        resource: stripHash(resourceUrl),
+    }).toString();
+    const headers = {
+        'content-type': 'application/x-www-form-urlencoded',
+    };
+    if (clientId) {
+        headers.authorization = buildBasicAuthHeader(clientId, clientSecret);
+    }
+    return { body, headers };
+}
+async function requestIntrospection(introspectionUrl, request, timeoutMs) {
+    const response = await fetch(introspectionUrl, {
+        method: 'POST',
+        headers: request.headers,
+        body: request.body,
+        signal: AbortSignal.timeout(timeoutMs),
+    });
+    if (!response.ok) {
+        await response.body?.cancel();
+        throw new ServerError(`Token introspection failed: ${response.status}`);
+    }
+    return response.json();
+}
+function parseIntrospectionPayload(payload) {
+    if (!isRecord(payload) || Array.isArray(payload)) {
+        throw new ServerError('Invalid introspection response');
+    }
+    if (payload.active !== true) {
+        throw new InvalidTokenError('Token is inactive');
+    }
+    return payload;
+}
+async function verifyWithIntrospection(token) {
+    const { auth } = config;
+    if (!auth.introspectionUrl) {
+        throw new ServerError('Token introspection is not configured');
+    }
+    const request = buildIntrospectionRequest(token, auth.resourceUrl, auth.clientId, auth.clientSecret);
+    const payload = await requestIntrospection(auth.introspectionUrl, request, auth.introspectionTimeoutMs);
+    return buildIntrospectionAuthInfo(token, parseIntrospectionPayload(payload));
+}
+const STATIC_TOKEN_TTL_SECONDS = 60 * 60 * 24;
+function buildStaticAuthInfo(token) {
+    return {
+        token,
+        clientId: 'static-token',
+        scopes: config.auth.requiredScopes,
+        expiresAt: Math.floor(Date.now() / 1000) + STATIC_TOKEN_TTL_SECONDS,
+        resource: config.auth.resourceUrl,
+    };
+}
+function verifyStaticToken(token) {
+    if (config.auth.staticTokens.length === 0) {
+        throw new InvalidTokenError('No static tokens configured');
+    }
+    const matched = config.auth.staticTokens.some((candidate) => timingSafeEqualUtf8(candidate, token));
+    if (!matched) {
+        throw new InvalidTokenError('Invalid token');
+    }
+    return buildStaticAuthInfo(token);
+}
+function normalizeHeaderValue(header) {
+    return Array.isArray(header) ? header[0] : header;
+}
+function getApiKeyHeader(req) {
+    const apiKeyHeader = normalizeHeaderValue(req.headers['x-api-key']);
+    return apiKeyHeader ? apiKeyHeader.trim() : null;
+}
+function createLegacyApiKeyMiddleware() {
+    return (req, _res, next) => {
+        if (config.auth.mode !== 'static') {
+            next();
+            return;
+        }
+        if (!req.headers.authorization) {
+            const apiKey = getApiKeyHeader(req);
+            if (apiKey) {
+                req.headers.authorization = `Bearer ${apiKey}`;
+            }
+        }
+        next();
+    };
+}
+async function verifyAccessToken(token) {
+    if (config.auth.mode === 'oauth') {
+        return verifyWithIntrospection(token);
+    }
+    return verifyStaticToken(token);
+}
+function resolveMetadataUrl() {
+    if (config.auth.mode !== 'oauth')
+        return null;
+    return getOAuthProtectedResourceMetadataUrl(new URL(config.auth.resourceUrl));
+}
+function resolveOptionalScopes(requiredScopes) {
+    return requiredScopes.length > 0 ? [...requiredScopes] : undefined;
+}
+function resolveOAuthMetadataParams(authConfig) {
+    const { issuerUrl, authorizationUrl, tokenUrl, revocationUrl, registrationUrl, requiredScopes, } = authConfig;
+    if (!issuerUrl || !authorizationUrl || !tokenUrl)
+        return null;
+    return {
+        issuerUrl,
+        authorizationUrl,
+        tokenUrl,
+        revocationUrl,
+        registrationUrl,
+        requiredScopes,
+    };
+}
+function buildBaseOAuthMetadata(params) {
+    return {
+        issuer: params.issuerUrl.href,
+        authorization_endpoint: params.authorizationUrl.href,
+        response_types_supported: ['code'],
+        code_challenge_methods_supported: ['S256'],
+        token_endpoint: params.tokenUrl.href,
+        token_endpoint_auth_methods_supported: ['client_secret_post', 'none'],
+        grant_types_supported: ['authorization_code', 'refresh_token'],
+    };
+}
+function applyOptionalScopes(metadata, requiredScopes) {
+    const scopesSupported = resolveOptionalScopes(requiredScopes);
+    if (scopesSupported !== undefined) {
+        metadata.scopes_supported = scopesSupported;
+    }
+}
+function applyOptionalEndpoint(metadata, key, url) {
+    if (!url)
+        return;
+    metadata[key] = url.href;
+}
+function buildOAuthMetadata(params) {
+    const oauthMetadata = buildBaseOAuthMetadata(params);
+    applyOptionalScopes(oauthMetadata, params.requiredScopes);
+    applyOptionalEndpoint(oauthMetadata, 'revocation_endpoint', params.revocationUrl);
+    applyOptionalEndpoint(oauthMetadata, 'registration_endpoint', params.registrationUrl);
+    return oauthMetadata;
+}
+function createAuthMiddleware() {
+    const metadataUrl = resolveMetadataUrl();
+    const authHandler = requireBearerAuth({
+        verifier: { verifyAccessToken },
+        requiredScopes: config.auth.requiredScopes,
+        ...(metadataUrl ? { resourceMetadataUrl: metadataUrl } : {}),
+    });
+    const legacyHandler = createLegacyApiKeyMiddleware();
+    return (req, res, next) => {
+        legacyHandler(req, res, () => {
+            authHandler(req, res, next);
+        });
+    };
+}
+function createAuthMetadataRouter() {
+    if (config.auth.mode !== 'oauth')
+        return null;
+    const oauthMetadataParams = resolveOAuthMetadataParams(config.auth);
+    if (!oauthMetadataParams)
+        return null;
+    return mcpAuthMetadataRouter({
+        oauthMetadata: buildOAuthMetadata(oauthMetadataParams),
+        resourceServerUrl: config.auth.resourceUrl,
+        scopesSupported: config.auth.requiredScopes,
+        resourceName: config.server.name,
+    });
+}
+function sendJsonRpcError(res, code, message, status = 400, id = null) {
+    res.status(status).json({
+        jsonrpc: '2.0',
+        error: {
+            code,
+            message,
+        },
+        id,
+    });
+}
+function getSessionId(req) {
+    const header = req.headers['mcp-session-id'];
+    return Array.isArray(header) ? header[0] : header;
+}
+export function createSessionStore(sessionTtlMs) {
+    const sessions = new Map();
+    return {
+        get: (sessionId) => sessions.get(sessionId),
+        touch: (sessionId) => {
+            touchSession(sessions, sessionId);
+        },
+        set: (sessionId, entry) => {
+            sessions.set(sessionId, entry);
+        },
+        remove: (sessionId) => removeSession(sessions, sessionId),
+        size: () => sessions.size,
+        clear: () => clearSessions(sessions),
+        evictExpired: () => evictExpiredSessions(sessions, sessionTtlMs),
+        evictOldest: () => evictOldestSession(sessions),
+    };
+}
+function touchSession(sessions, sessionId) {
+    const session = sessions.get(sessionId);
+    if (session) {
+        session.lastSeen = Date.now();
+    }
+}
+function removeSession(sessions, sessionId) {
+    const session = sessions.get(sessionId);
+    sessions.delete(sessionId);
+    return session;
+}
+function clearSessions(sessions) {
+    const entries = Array.from(sessions.values());
+    sessions.clear();
+    return entries;
+}
+function evictExpiredSessions(sessions, sessionTtlMs) {
+    const now = Date.now();
+    const evicted = [];
+    for (const [id, session] of sessions.entries()) {
+        if (now - session.lastSeen > sessionTtlMs) {
+            sessions.delete(id);
+            evicted.push(session);
+        }
+    }
+    return evicted;
+}
+function evictOldestSession(sessions) {
+    let oldestId;
+    let oldestSeen = Number.POSITIVE_INFINITY;
+    for (const [id, session] of sessions.entries()) {
+        if (session.lastSeen < oldestSeen) {
+            oldestSeen = session.lastSeen;
+            oldestId = id;
+        }
+    }
+    if (!oldestId)
+        return undefined;
+    const session = sessions.get(oldestId);
+    sessions.delete(oldestId);
+    return session;
+}
+let inFlightSessions = 0;
+export function reserveSessionSlot(store, maxSessions) {
+    if (store.size() + inFlightSessions >= maxSessions) {
+        return false;
+    }
+    inFlightSessions += 1;
+    return true;
+}
+function releaseSessionSlot() {
+    if (inFlightSessions > 0) {
+        inFlightSessions -= 1;
+    }
+}
+export function createSlotTracker() {
+    let slotReleased = false;
+    let initialized = false;
+    return {
+        releaseSlot: () => {
+            if (slotReleased)
+                return;
+            slotReleased = true;
+            releaseSessionSlot();
+        },
+        markInitialized: () => {
+            initialized = true;
+        },
+        isInitialized: () => initialized,
+    };
+}
+function isServerAtCapacity(store, maxSessions) {
+    return store.size() + inFlightSessions >= maxSessions;
+}
+function tryEvictSlot(store, maxSessions, evictOldest) {
+    const currentSize = store.size();
+    const canFreeSlot = currentSize >= maxSessions &&
+        currentSize - 1 + inFlightSessions < maxSessions;
+    return canFreeSlot && evictOldest(store);
+}
+export function ensureSessionCapacity({ store, maxSessions, res, evictOldest, }) {
+    if (!isServerAtCapacity(store, maxSessions)) {
+        return true;
+    }
+    if (tryEvictSlot(store, maxSessions, evictOldest)) {
+        return !isServerAtCapacity(store, maxSessions);
+    }
+    respondServerBusy(res);
+    return false;
+}
+function respondServerBusy(res) {
+    sendJsonRpcError(res, -32000, 'Server busy: maximum sessions reached', 503, null);
+}
+function respondBadRequest(res, id) {
+    sendJsonRpcError(res, -32000, 'Bad Request: Missing session ID or not an initialize request', 400, id);
+}
+function createTimeoutController() {
+    let initTimeout = null;
+    return {
+        clear: () => {
+            if (!initTimeout)
+                return;
+            clearTimeout(initTimeout);
+            initTimeout = null;
+        },
+        set: (timeout) => {
+            initTimeout = timeout;
+        },
+    };
+}
+function createTransportAdapter(transport) {
+    const adapter = buildTransportAdapter(transport);
+    attachTransportAccessors(adapter, transport);
+    return adapter;
+}
+function buildTransportAdapter(transport) {
+    return {
+        start: () => transport.start(),
+        send: (message, options) => transport.send(message, options),
+        close: () => transport.close(),
+    };
+}
+function createAccessorDescriptor(getter, setter) {
+    return {
+        get: getter,
+        ...(setter ? { set: setter } : {}),
+        enumerable: true,
+        configurable: true,
+    };
+}
+function createOnCloseDescriptor(transport) {
+    return createAccessorDescriptor(() => transport.onclose, (handler) => {
+        transport.onclose = handler;
+    });
+}
+function createOnErrorDescriptor(transport) {
+    return createAccessorDescriptor(() => transport.onerror, (handler) => {
+        transport.onerror = handler;
+    });
+}
+function createOnMessageDescriptor(transport) {
+    return createAccessorDescriptor(() => transport.onmessage, (handler) => {
+        transport.onmessage = handler;
+    });
+}
+function attachTransportAccessors(adapter, transport) {
+    Object.defineProperties(adapter, {
+        onclose: createOnCloseDescriptor(transport),
+        onerror: createOnErrorDescriptor(transport),
+        onmessage: createOnMessageDescriptor(transport),
+        sessionId: createAccessorDescriptor(() => transport.sessionId),
+    });
+}
+function startSessionInitTimeout({ transport, tracker, clearInitTimeout, timeoutMs, }) {
+    if (timeoutMs <= 0)
+        return null;
+    const timeout = setTimeout(() => {
+        clearInitTimeout();
+        if (tracker.isInitialized())
+            return;
+        tracker.releaseSlot();
+        void transport.close().catch((error) => {
+            logWarn('Failed to close stalled session', {
+                error: getErrorMessage(error),
+            });
+        });
+        logWarn('Session initialization timed out', { timeoutMs });
+    }, timeoutMs);
+    timeout.unref();
+    return timeout;
+}
+function createSessionTransport({ tracker, timeoutController, }) {
+    const transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: () => randomUUID(),
+    });
+    transport.onclose = () => {
+        timeoutController.clear();
+        if (!tracker.isInitialized()) {
+            tracker.releaseSlot();
+        }
+    };
+    timeoutController.set(startSessionInitTimeout({
+        transport,
+        tracker,
+        clearInitTimeout: timeoutController.clear,
+        timeoutMs: config.server.sessionInitTimeoutMs,
+    }));
+    return transport;
+}
+async function connectTransportOrThrow({ transport, clearInitTimeout, releaseSlot, }) {
+    const mcpServer = createMcpServer();
+    const transportAdapter = createTransportAdapter(transport);
+    try {
+        await mcpServer.connect(transportAdapter);
+    }
+    catch (error) {
+        clearInitTimeout();
+        releaseSlot();
+        void transport.close().catch((closeError) => {
+            logWarn('Failed to close transport after connect error', {
+                error: getErrorMessage(closeError),
+            });
+        });
+        logError('Failed to initialize MCP session', error instanceof Error ? error : undefined);
+        throw error;
+    }
+}
+function evictExpiredSessionsWithClose(store) {
+    const evicted = store.evictExpired();
+    for (const session of evicted) {
+        void session.transport.close().catch((error) => {
+            logWarn('Failed to close expired session', {
+                error: getErrorMessage(error),
+            });
+        });
+    }
+    return evicted.length;
+}
+function evictOldestSessionWithClose(store) {
+    const session = store.evictOldest();
+    if (!session)
+        return false;
+    void session.transport.close().catch((error) => {
+        logWarn('Failed to close evicted session', {
+            error: getErrorMessage(error),
+        });
+    });
+    return true;
+}
+function reserveSessionIfPossible({ options, res, }) {
+    if (!ensureSessionCapacity({
+        store: options.sessionStore,
+        maxSessions: options.maxSessions,
+        res,
+        evictOldest: evictOldestSessionWithClose,
+    })) {
+        return false;
+    }
+    if (!reserveSessionSlot(options.sessionStore, options.maxSessions)) {
+        respondServerBusy(res);
+        return false;
+    }
+    return true;
+}
+function resolveSessionId({ transport, res, tracker, clearInitTimeout, }) {
+    const { sessionId } = transport;
+    if (typeof sessionId !== 'string') {
+        clearInitTimeout();
+        tracker.releaseSlot();
+        respondBadRequest(res, null);
+        return null;
+    }
+    return sessionId;
+}
+function finalizeSession({ store, transport, sessionId, tracker, clearInitTimeout, }) {
+    clearInitTimeout();
+    tracker.markInitialized();
+    tracker.releaseSlot();
+    const now = Date.now();
+    store.set(sessionId, {
+        transport,
+        createdAt: now,
+        lastSeen: now,
+    });
+    transport.onclose = () => {
+        store.remove(sessionId);
+        logInfo('Session closed');
+    };
+    logInfo('Session initialized');
+}
+async function createAndConnectTransport({ options, res, }) {
+    if (!reserveSessionIfPossible({ options, res }))
+        return null;
+    const tracker = createSlotTracker();
+    const timeoutController = createTimeoutController();
+    const transport = createSessionTransport({ tracker, timeoutController });
+    await connectTransportOrThrow({
+        transport,
+        clearInitTimeout: timeoutController.clear,
+        releaseSlot: tracker.releaseSlot,
+    });
+    const sessionId = resolveSessionId({
+        transport,
+        res,
+        tracker,
+        clearInitTimeout: timeoutController.clear,
+    });
+    if (!sessionId)
+        return null;
+    finalizeSession({
+        store: options.sessionStore,
+        transport,
+        sessionId,
+        tracker,
+        clearInitTimeout: timeoutController.clear,
+    });
+    return transport;
+}
+export async function resolveTransportForPost({ res, body, sessionId, options, }) {
+    if (sessionId) {
+        const existingSession = options.sessionStore.get(sessionId);
+        if (existingSession) {
+            options.sessionStore.touch(sessionId);
+            return existingSession.transport;
+        }
+        // Client supplied a session id but it doesn't exist; Streamable HTTP: invalid session IDs => 404.
+        sendJsonRpcError(res, -32600, 'Session not found', 404, body.id ?? null);
+        return null;
+    }
+    if (!isInitializeRequest(body)) {
+        respondBadRequest(res, body.id ?? null);
+        return null;
+    }
+    evictExpiredSessionsWithClose(options.sessionStore);
+    return createAndConnectTransport({ options, res });
+}
+function startSessionCleanupLoop(store, sessionTtlMs) {
+    const controller = new AbortController();
+    void runSessionCleanupLoop(store, sessionTtlMs, controller.signal).catch(handleSessionCleanupError);
+    return controller;
+}
+async function runSessionCleanupLoop(store, sessionTtlMs, signal) {
+    const intervalMs = getCleanupIntervalMs(sessionTtlMs);
+    for await (const getNow of setIntervalPromise(intervalMs, Date.now, {
+        signal,
+        ref: false,
+    })) {
+        handleSessionEvictions(store, getNow());
+    }
+}
+function getCleanupIntervalMs(sessionTtlMs) {
+    return Math.min(Math.max(Math.floor(sessionTtlMs / 2), 10000), 60000);
+}
+function isAbortError(error) {
+    return error instanceof Error && error.name === 'AbortError';
+}
+function handleSessionEvictions(store, now) {
+    const evicted = evictExpiredSessionsWithClose(store);
+    if (evicted > 0) {
+        logInfo('Expired sessions evicted', {
+            evicted,
+            timestamp: new Date(now).toISOString(),
+        });
+    }
+}
+function handleSessionCleanupError(error) {
+    if (isSessionAbortError(error)) {
+        return;
+    }
+    logWarn('Session cleanup loop failed', {
+        error: error instanceof Error ? error.message : 'Unknown error',
+    });
+}
+const paramsSchema = z.looseObject({});
+const mcpRequestSchema = z.looseObject({
+    jsonrpc: z.literal('2.0'),
+    method: z.string().min(1),
+    id: z.union([z.string(), z.number()]).optional(),
+    params: paramsSchema.optional(),
+});
+function wrapAsync(fn) {
+    return (req, res, next) => {
+        Promise.resolve(fn(req, res)).catch(next);
+    };
+}
+export function isJsonRpcBatchRequest(body) {
+    return Array.isArray(body);
+}
+export function isMcpRequestBody(body) {
+    return mcpRequestSchema.safeParse(body).success;
+}
+function respondInvalidRequestBody(res) {
+    sendJsonRpcError(res, -32600, 'Invalid Request: Malformed request body', 400);
+}
+function respondMissingSession(res) {
+    sendJsonRpcError(res, -32600, 'Missing mcp-session-id header', 400);
+}
+function respondSessionNotFound(res) {
+    sendJsonRpcError(res, -32600, 'Session not found', 404);
+}
+function validatePostPayload(payload, res) {
+    if (isJsonRpcBatchRequest(payload)) {
+        sendJsonRpcError(res, -32600, 'Batch requests are not supported', 400);
+        return null;
+    }
+    if (!isMcpRequestBody(payload)) {
+        respondInvalidRequestBody(res);
+        return null;
+    }
+    return payload;
+}
+function logPostRequest(body, sessionId, options) {
+    logInfo('[MCP POST]', {
+        method: body.method,
+        id: body.id,
+        isInitialize: body.method === 'initialize',
+        sessionCount: options.sessionStore.size(),
+    });
+}
+async function handleTransportRequest(transport, req, res, body) {
+    try {
+        await dispatchTransportRequest(transport, req, res, body);
+    }
+    catch (error) {
+        logError('MCP request handling failed', error instanceof Error ? error : undefined);
+        handleTransportError(res);
+    }
+}
+function handleTransportError(res) {
+    if (res.headersSent)
+        return;
+    res.status(500).json({ error: 'Internal Server Error' });
+}
+function dispatchTransportRequest(transport, req, res, body) {
+    return body
+        ? transport.handleRequest(req, res, body)
+        : transport.handleRequest(req, res);
+}
+function resolveSessionTransport(sessionId, options, res) {
+    const { sessionStore } = options;
+    if (!sessionId) {
+        respondMissingSession(res);
+        return null;
+    }
+    const session = sessionStore.get(sessionId);
+    if (!session) {
+        respondSessionNotFound(res);
+        return null;
+    }
+    sessionStore.touch(sessionId);
+    return session.transport;
+}
+const MCP_PROTOCOL_VERSION_HEADER = 'mcp-protocol-version';
+const MCP_PROTOCOL_VERSIONS = {
+    defaultVersion: '2025-03-26',
+    supported: new Set(['2025-11-25']),
+};
+function getHeaderValue(req, headerNameLower) {
+    const value = req.headers[headerNameLower];
+    if (typeof value === 'string')
+        return value;
+    if (Array.isArray(value))
+        return value[0] ?? null;
+    return null;
+}
+function setHeaderValue(req, headerNameLower, value) {
+    // Express exposes req.headers as a plain object, but the type is readonly-ish.
+    req.headers[headerNameLower] = value;
+}
+export function ensureMcpProtocolVersionHeader(req, res) {
+    const raw = getHeaderValue(req, MCP_PROTOCOL_VERSION_HEADER);
+    const version = raw?.trim();
+    if (!version) {
+        const assumed = MCP_PROTOCOL_VERSIONS.defaultVersion;
+        setHeaderValue(req, MCP_PROTOCOL_VERSION_HEADER, assumed);
+        if (!MCP_PROTOCOL_VERSIONS.supported.has(assumed)) {
+            sendJsonRpcError(res, -32600, `Unsupported MCP-Protocol-Version: ${assumed}`, 400);
+            return false;
+        }
+        return true;
+    }
+    if (!MCP_PROTOCOL_VERSIONS.supported.has(version)) {
+        sendJsonRpcError(res, -32600, `Unsupported MCP-Protocol-Version: ${version}`, 400);
+        return false;
+    }
+    return true;
+}
+function getAcceptHeader(req) {
+    const value = req.headers.accept;
+    if (typeof value === 'string')
+        return value;
+    return '';
+}
+function setAcceptHeader(req, value) {
+    req.headers.accept = value;
+    const { rawHeaders } = req;
+    if (!Array.isArray(rawHeaders))
+        return;
+    for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
+        const key = rawHeaders[i];
+        if (typeof key === 'string' && key.toLowerCase() === 'accept') {
+            rawHeaders[i + 1] = value;
+            return;
+        }
+    }
+    rawHeaders.push('Accept', value);
+}
+function hasToken(header, token) {
+    return header
+        .split(',')
+        .map((part) => part.trim().toLowerCase())
+        .some((part) => part === token || part.startsWith(`${token};`));
+}
+export function ensurePostAcceptHeader(req) {
+    const accept = getAcceptHeader(req);
+    // Some clients send */* or omit Accept; the SDK transport is picky.
+    if (!accept || hasToken(accept, '*/*')) {
+        setAcceptHeader(req, 'application/json, text/event-stream');
+        return;
+    }
+    const hasJson = hasToken(accept, 'application/json');
+    const hasSse = hasToken(accept, 'text/event-stream');
+    if (!hasJson || !hasSse) {
+        setAcceptHeader(req, 'application/json, text/event-stream');
+    }
+}
+export function acceptsEventStream(req) {
+    const accept = getAcceptHeader(req);
+    if (!accept)
+        return false;
+    return hasToken(accept, 'text/event-stream');
+}
+async function handlePost(req, res, options) {
+    ensurePostAcceptHeader(req);
+    if (!ensureMcpProtocolVersionHeader(req, res))
+        return;
+    const sessionId = getSessionId(req);
+    const payload = validatePostPayload(req.body, res);
+    if (!payload)
+        return;
+    logPostRequest(payload, sessionId, options);
+    const transport = await resolveTransportForPost({
+        res,
+        body: payload,
+        sessionId,
+        options,
+    });
+    if (!transport)
+        return;
+    await handleTransportRequest(transport, req, res, payload);
+}
+async function handleGet(req, res, options) {
+    if (!ensureMcpProtocolVersionHeader(req, res))
+        return;
+    if (!acceptsEventStream(req)) {
+        res.status(406).json({
+            error: 'Not Acceptable',
+            code: 'ACCEPT_NOT_SUPPORTED',
+        });
+        return;
+    }
+    const transport = resolveSessionTransport(getSessionId(req), options, res);
+    if (!transport)
+        return;
+    await handleTransportRequest(transport, req, res);
+}
+async function handleDelete(req, res, options) {
+    if (!ensureMcpProtocolVersionHeader(req, res))
+        return;
+    const transport = resolveSessionTransport(getSessionId(req), options, res);
+    if (!transport)
+        return;
+    await handleTransportRequest(transport, req, res);
+}
+function registerMcpRoutes(app, options) {
+    app.post('/mcp', wrapAsync((req, res) => handlePost(req, res, options)));
+    app.get('/mcp', wrapAsync((req, res) => handleGet(req, res, options)));
+    app.delete('/mcp', wrapAsync((req, res) => handleDelete(req, res, options)));
+}
+export function applyHttpServerTuning(server) {
+    const { headersTimeoutMs, requestTimeoutMs, keepAliveTimeoutMs } = config.server.http;
+    if (headersTimeoutMs !== undefined) {
+        server.headersTimeout = headersTimeoutMs;
+    }
+    if (requestTimeoutMs !== undefined) {
+        server.requestTimeout = requestTimeoutMs;
+    }
+    if (keepAliveTimeoutMs !== undefined) {
+        server.keepAliveTimeout = keepAliveTimeoutMs;
+    }
+    if (headersTimeoutMs !== undefined ||
+        requestTimeoutMs !== undefined ||
+        keepAliveTimeoutMs !== undefined) {
+        logDebug('Applied HTTP server tuning', {
+            headersTimeoutMs,
+            requestTimeoutMs,
+            keepAliveTimeoutMs,
+        });
+    }
+}
+export function drainConnectionsOnShutdown(server) {
+    const { shutdownCloseAllConnections, shutdownCloseIdleConnections } = config.server.http;
+    if (shutdownCloseAllConnections) {
+        if (typeof server.closeAllConnections === 'function') {
+            server.closeAllConnections();
+            logDebug('Closed all HTTP connections during shutdown');
+        }
+        else {
+            logDebug('HTTP server does not support closeAllConnections()');
+        }
+        return;
+    }
+    if (shutdownCloseIdleConnections) {
+        if (typeof server.closeIdleConnections === 'function') {
+            server.closeIdleConnections();
+            logDebug('Closed idle HTTP connections during shutdown');
+        }
+        else {
+            logDebug('HTTP server does not support closeIdleConnections()');
+        }
+    }
+}