@j0hanz/superfetch 2.2.0 → 2.2.2

package/dist/http.js

@@ -1,1576 +0,0 @@
-import { randomUUID } from 'node:crypto';
-import { once } from 'node:events';
-import { isIP } from 'node:net';
-import { setInterval as setIntervalPromise } from 'node:timers/promises';
-import { z } from 'zod';
-import { InvalidTokenError, ServerError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
-import { requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js';
-import { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter, } from '@modelcontextprotocol/sdk/server/auth/router.js';
-import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
-import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
-import { registerDownloadRoutes } from './cache.js';
-import { config, enableHttpMode } from './config.js';
-import { timingSafeEqualUtf8 } from './crypto.js';
-import { FetchError, getErrorMessage } from './errors.js';
-import { destroyAgents } from './fetch.js';
-import { createMcpServer } from './mcp.js';
-import { logDebug, logError, logInfo, logWarn, runWithRequestContext, } from './observability.js';
-import { shutdownTransformWorkerPool } from './transform.js';
-import { isRecord } from './type-guards.js';
-function formatHostForUrl(hostname) {
-    if (hostname.includes(':') && !hostname.startsWith('[')) {
-        return `[${hostname}]`;
-    }
-    return hostname;
-}
-function getRateLimitKey(req) {
-    return req.ip ?? req.socket.remoteAddress ?? 'unknown';
-}
-function createCleanupInterval(store, options) {
-    const controller = new AbortController();
-    void startCleanupLoop(store, options, controller.signal).catch(handleCleanupError);
-    return controller;
-}
-function createRateLimitMiddleware(options) {
-    const store = new Map();
-    const cleanupController = createCleanupInterval(store, options);
-    const stop = () => {
-        cleanupController.abort();
-    };
-    const middleware = createRateLimitHandler(store, options);
-    return { middleware, stop, store };
-}
-function createRateLimitHandler(store, options) {
-    return (req, res, next) => {
-        if (shouldSkipRateLimit(req, options)) {
-            next();
-            return;
-        }
-        const now = Date.now();
-        const key = getRateLimitKey(req);
-        const resolution = resolveRateLimitEntry(store, key, now, options);
-        if (resolution.isNew) {
-            next();
-            return;
-        }
-        if (handleRateLimitExceeded(res, resolution.entry, now, options)) {
-            return;
-        }
-        next();
-    };
-}
-async function startCleanupLoop(store, options, signal) {
-    for await (const getNow of setIntervalPromise(options.cleanupIntervalMs, Date.now, { signal, ref: false })) {
-        evictStaleEntries(store, options, getNow());
-    }
-}
-function evictStaleEntries(store, options, now) {
-    for (const [key, entry] of store.entries()) {
-        if (now - entry.lastAccessed > options.windowMs * 2) {
-            store.delete(key);
-        }
-    }
-}
-function handleCleanupError(error) {
-    if (isAbortError(error)) {
-        return;
-    }
-    logWarn('Rate limit cleanup loop failed', {
-        error: error instanceof Error ? error.message : 'Unknown error',
-    });
-}
-function shouldSkipRateLimit(req, options) {
-    return !options.enabled || req.method === 'OPTIONS';
-}
-function resolveRateLimitEntry(store, key, now, options) {
-    const existing = store.get(key);
-    if (!existing || now > existing.resetTime) {
-        const entry = createNewEntry(now, options);
-        store.set(key, entry);
-        return { entry, isNew: true };
-    }
-    updateEntry(existing, now);
-    return { entry: existing, isNew: false };
-}
-function createNewEntry(now, options) {
-    return {
-        count: 1,
-        resetTime: now + options.windowMs,
-        lastAccessed: now,
-    };
-}
-function updateEntry(entry, now) {
-    entry.count += 1;
-    entry.lastAccessed = now;
-}
-function handleRateLimitExceeded(res, entry, now, options) {
-    if (entry.count <= options.maxRequests) {
-        return false;
-    }
-    const retryAfter = Math.max(1, Math.ceil((entry.resetTime - now) / 1000));
-    res.set('Retry-After', String(retryAfter));
-    res.status(429).json({
-        error: 'Rate limit exceeded',
-        retryAfter,
-    });
-    return true;
-}
-function assertHttpConfiguration() {
-    ensureBindAllowed();
-    ensureStaticTokens();
-    if (config.auth.mode === 'oauth') {
-        ensureOauthConfiguration();
-    }
-}
-function ensureBindAllowed() {
-    const isLoopback = ['127.0.0.1', '::1', 'localhost'].includes(config.server.host);
-    if (!config.security.allowRemote && !isLoopback) {
-        logError('Refusing to bind to non-loopback host without ALLOW_REMOTE=true', { host: config.server.host });
-        process.exit(1);
-    }
-    if (!isLoopback &&
-        config.security.allowRemote &&
-        config.auth.mode !== 'oauth') {
-        logError('Remote HTTP mode requires OAuth configuration; refusing to start');
-        process.exit(1);
-    }
-}
-function ensureStaticTokens() {
-    if (config.auth.mode === 'static' && config.auth.staticTokens.length === 0) {
-        logError('At least one static access token is required for HTTP mode');
-        process.exit(1);
-    }
-}
-function ensureOauthConfiguration() {
-    if (!config.auth.issuerUrl || !config.auth.authorizationUrl) {
-        logError('OAUTH_ISSUER_URL and OAUTH_AUTHORIZATION_URL are required for OAuth mode');
-        process.exit(1);
-    }
-    if (!config.auth.tokenUrl) {
-        logError('OAUTH_TOKEN_URL is required for OAuth mode');
-        process.exit(1);
-    }
-    if (!config.auth.introspectionUrl) {
-        logError('OAUTH_INTROSPECTION_URL is required for OAuth mode');
-        process.exit(1);
-    }
-}
-function createShutdownHandler(server, sessionStore, sessionCleanupController, stopRateLimitCleanup) {
-    let inFlight = null;
-    let initialSignal = null;
-    return (signal) => {
-        if (inFlight) {
-            logWarn('Shutdown already in progress; ignoring signal', {
-                signal,
-                initialSignal,
-            });
-            return inFlight;
-        }
-        initialSignal = signal;
-        inFlight = shutdownServer(signal, server, sessionStore, sessionCleanupController, stopRateLimitCleanup).catch((error) => {
-            logError('Shutdown handler failed', error instanceof Error ? error : { error: getErrorMessage(error) });
-            throw error;
-        });
-        return inFlight;
-    };
-}
-async function shutdownServer(signal, server, sessionStore, sessionCleanupController, stopRateLimitCleanup) {
-    logInfo(`${signal} received, shutting down gracefully...`);
-    stopRateLimitCleanup();
-    sessionCleanupController.abort();
-    await closeSessions(sessionStore);
-    destroyAgents();
-    await shutdownTransformWorkerPool();
-    drainConnectionsOnShutdown(server);
-    closeServer(server);
-    scheduleForcedShutdown(10000);
-}
-async function closeSessions(sessionStore) {
-    const sessions = sessionStore.clear();
-    await Promise.allSettled(sessions.map((session) => session.transport.close().catch((error) => {
-        logWarn('Failed to close session during shutdown', {
-            error: getErrorMessage(error),
-        });
-    })));
-}
-function closeServer(server) {
-    server.close(() => {
-        logInfo('HTTP server closed');
-        process.exit(0);
-    });
-}
-function scheduleForcedShutdown(timeoutMs) {
-    setTimeout(() => {
-        logError('Forced shutdown after timeout');
-        process.exit(1);
-    }, timeoutMs).unref();
-}
-function registerSignalHandlers(shutdown) {
-    process.once('SIGINT', () => {
-        void shutdown('SIGINT');
-    });
-    process.once('SIGTERM', () => {
-        void shutdown('SIGTERM');
-    });
-}
-function startListening(app) {
-    const server = app.listen(config.server.port, config.server.host, () => {
-        const address = server.address();
-        const resolvedPort = typeof address === 'object' && address
-            ? address.port
-            : config.server.port;
-        logInfo('superFetch MCP server started', {
-            host: config.server.host,
-            port: resolvedPort,
-        });
-        const baseUrl = `http://${formatHostForUrl(config.server.host)}:${resolvedPort}`;
-        logInfo(`superFetch MCP server running at ${baseUrl} (health: ${baseUrl}/health, mcp: ${baseUrl}/mcp)`);
-        logInfo('Run with --stdio flag for direct stdio integration');
-    });
-    server.on('error', (err) => {
-        logError('Failed to start server', err);
-        process.exit(1);
-    });
-    return server;
-}
-async function stopServerWithoutExit(server, sessionStore, sessionCleanupController, stopRateLimitCleanup) {
-    stopRateLimitCleanup();
-    sessionCleanupController.abort();
-    await closeSessions(sessionStore);
-    await new Promise((resolve) => {
-        server.close(() => {
-            resolve();
-        });
-    });
-}
-function buildMiddleware() {
-    const { middleware: rateLimitMiddleware, stop: stopRateLimitCleanup } = createRateLimitMiddleware(config.rateLimit);
-    const authMiddleware = createAuthMiddleware();
-    // No CORS - MCP clients don't run in browsers
-    const corsMiddleware = createCorsMiddleware();
-    return {
-        rateLimitMiddleware,
-        stopRateLimitCleanup,
-        authMiddleware,
-        corsMiddleware,
-    };
-}
-function createSessionInfrastructure() {
-    const sessionStore = createSessionStore(config.server.sessionTtlMs);
-    const sessionCleanupController = startSessionCleanupLoop(sessionStore, config.server.sessionTtlMs);
-    return { sessionStore, sessionCleanupController };
-}
-function registerHttpRoutes(app, sessionStore, authMiddleware) {
-    app.use('/mcp', authMiddleware);
-    app.use('/mcp/downloads', authMiddleware);
-    registerMcpRoutes(app, {
-        sessionStore,
-        maxSessions: config.server.maxSessions,
-    });
-    registerDownloadRoutes(app);
-    app.use(errorHandler);
-}
-function attachAuthMetadata(app) {
-    const authMetadataRouter = createAuthMetadataRouter();
-    if (authMetadataRouter) {
-        app.use(authMetadataRouter);
-    }
-}
-async function buildServerContext() {
-    const { app, authMiddleware, stopRateLimitCleanup } = await createAppWithMiddleware();
-    const { sessionStore, sessionCleanupController } = attachSessionRoutes(app, authMiddleware);
-    return { app, sessionStore, sessionCleanupController, stopRateLimitCleanup };
-}
-async function createAppWithMiddleware() {
-    const { app, jsonParser } = await createExpressApp();
-    const { rateLimitMiddleware, stopRateLimitCleanup, authMiddleware, corsMiddleware, } = buildMiddleware();
-    attachBaseMiddleware({
-        app,
-        jsonParser,
-        rateLimitMiddleware,
-        corsMiddleware,
-    });
-    attachAuthMetadata(app);
-    assertHttpConfiguration();
-    return { app, authMiddleware, stopRateLimitCleanup };
-}
-function attachSessionRoutes(app, authMiddleware) {
-    const { sessionStore, sessionCleanupController } = createSessionInfrastructure();
-    registerHttpRoutes(app, sessionStore, authMiddleware);
-    return { sessionStore, sessionCleanupController };
-}
-async function ensureServerListening(server) {
-    if (server.listening)
-        return;
-    await once(server, 'listening');
-}
-function resolveServerAddress(server) {
-    const address = server.address();
-    const resolvedPort = typeof address === 'object' && address ? address.port : config.server.port;
-    const { host } = config.server;
-    const url = `http://${formatHostForUrl(host)}:${resolvedPort}`;
-    return { host, port: resolvedPort, url };
-}
-function createStopHandler(server, sessionStore, sessionCleanupController, stopRateLimitCleanup) {
-    return async () => {
-        await stopServerWithoutExit(server, sessionStore, sessionCleanupController, stopRateLimitCleanup);
-    };
-}
-function buildServerLifecycle(options) {
-    const { server, sessionStore, sessionCleanupController, stopRateLimitCleanup, registerSignals, } = options;
-    const shutdown = createShutdownHandler(server, sessionStore, sessionCleanupController, stopRateLimitCleanup);
-    const stop = createStopHandler(server, sessionStore, sessionCleanupController, stopRateLimitCleanup);
-    if (registerSignals)
-        registerSignalHandlers(shutdown);
-    return { shutdown, stop };
-}
-export async function startHttpServer(options) {
-    enableHttpMode();
-    const { app, sessionStore, sessionCleanupController, stopRateLimitCleanup } = await buildServerContext();
-    const server = startListening(app);
-    applyHttpServerTuning(server);
-    await ensureServerListening(server);
-    const { host, port, url } = resolveServerAddress(server);
-    const { shutdown, stop } = buildServerLifecycle({
-        server,
-        sessionStore,
-        sessionCleanupController,
-        stopRateLimitCleanup,
-        registerSignals: options?.registerSignalHandlers !== false,
-    });
-    return { shutdown, stop, url, host, port };
-}
-async function createExpressApp() {
-    const { default: express } = await import('express');
-    const app = express();
-    const jsonParser = express.json({ limit: '1mb' });
-    return { app, jsonParser };
-}
-function getStatusCode(fetchError) {
-    return fetchError ? fetchError.statusCode : 500;
-}
-function getErrorCode(fetchError) {
-    return fetchError ? fetchError.code : 'INTERNAL_ERROR';
-}
-function getFetchErrorMessage(fetchError) {
-    return fetchError ? fetchError.message : 'Internal Server Error';
-}
-function getErrorDetails(fetchError) {
-    if (fetchError && Object.keys(fetchError.details).length > 0) {
-        return fetchError.details;
-    }
-    return undefined;
-}
-function resolveRetryAfter(fetchError) {
-    if (fetchError?.statusCode !== 429)
-        return undefined;
-    const { retryAfter } = fetchError.details;
-    return isRetryAfterValue(retryAfter) ? String(retryAfter) : undefined;
-}
-function isRetryAfterValue(value) {
-    return typeof value === 'number' || typeof value === 'string';
-}
-function setRetryAfterHeader(res, fetchError) {
-    const retryAfter = resolveRetryAfter(fetchError);
-    if (retryAfter === undefined)
-        return;
-    res.set('Retry-After', retryAfter);
-}
-function buildErrorResponse(fetchError) {
-    const details = getErrorDetails(fetchError);
-    const response = {
-        error: {
-            message: getFetchErrorMessage(fetchError),
-            code: getErrorCode(fetchError),
-            statusCode: getStatusCode(fetchError),
-            ...(details && { details }),
-        },
-    };
-    return response;
-}
-export function errorHandler(err, req, res, next) {
-    if (res.headersSent) {
-        next(err);
-        return;
-    }
-    const fetchError = err instanceof FetchError ? err : null;
-    const statusCode = getStatusCode(fetchError);
-    logError(`HTTP ${statusCode}: ${err.message} - ${req.method} ${req.path}`, err);
-    setRetryAfterHeader(res, fetchError);
-    res.status(statusCode).json(buildErrorResponse(fetchError));
-}
-export function normalizeHost(value) {
-    const trimmed = value.trim().toLowerCase();
-    if (!trimmed)
-        return null;
-    const first = takeFirstHostValue(trimmed);
-    if (!first)
-        return null;
-    const ipv6 = stripIpv6Brackets(first);
-    if (ipv6)
-        return ipv6;
-    if (isIpV6Literal(first)) {
-        return first;
-    }
-    return stripPortIfPresent(first);
-}
-function takeFirstHostValue(value) {
-    const first = value.split(',')[0];
-    if (!first)
-        return null;
-    const trimmed = first.trim();
-    return trimmed ? trimmed : null;
-}
-function stripIpv6Brackets(value) {
-    if (!value.startsWith('['))
-        return null;
-    const end = value.indexOf(']');
-    if (end === -1)
-        return null;
-    return value.slice(1, end);
-}
-function stripPortIfPresent(value) {
-    const colonIndex = value.indexOf(':');
-    if (colonIndex === -1)
-        return value;
-    return value.slice(0, colonIndex);
-}
-function isIpV6Literal(value) {
-    return isIP(value) === 6;
-}
-const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
-function getNonEmptyStringHeader(value) {
-    if (typeof value !== 'string')
-        return null;
-    const trimmed = value.trim();
-    return trimmed === '' ? null : trimmed;
-}
-function respondHostNotAllowed(res) {
-    res.status(403).json({
-        error: 'Host not allowed',
-        code: 'HOST_NOT_ALLOWED',
-    });
-}
-function respondOriginNotAllowed(res) {
-    res.status(403).json({
-        error: 'Origin not allowed',
-        code: 'ORIGIN_NOT_ALLOWED',
-    });
-}
-function tryParseOriginHostname(originHeader) {
-    try {
-        return new URL(originHeader).hostname.toLowerCase();
-    }
-    catch {
-        return null;
-    }
-}
-function isWildcardHost(host) {
-    return host === '0.0.0.0' || host === '::';
-}
-function addLoopbackHosts(allowedHosts) {
-    for (const host of LOOPBACK_HOSTS) {
-        allowedHosts.add(host);
-    }
-}
-function addConfiguredHost(allowedHosts) {
-    const configuredHost = normalizeHost(config.server.host);
-    if (!configuredHost)
-        return;
-    if (isWildcardHost(configuredHost))
-        return;
-    allowedHosts.add(configuredHost);
-}
-function addExplicitAllowedHosts(allowedHosts) {
-    for (const host of config.security.allowedHosts) {
-        const normalized = normalizeHost(host);
-        if (!normalized) {
-            logDebug('Ignoring invalid allowed host entry', { host });
-            continue;
-        }
-        allowedHosts.add(normalized);
-    }
-}
-function buildAllowedHosts() {
-    const allowedHosts = new Set();
-    addLoopbackHosts(allowedHosts);
-    addConfiguredHost(allowedHosts);
-    addExplicitAllowedHosts(allowedHosts);
-    return allowedHosts;
-}
-function createHostValidationMiddleware() {
-    const allowedHosts = buildAllowedHosts();
-    return (req, res, next) => {
-        const hostHeader = typeof req.headers.host === 'string' ? req.headers.host : '';
-        const normalized = normalizeHost(hostHeader);
-        if (!normalized || !allowedHosts.has(normalized)) {
-            respondHostNotAllowed(res);
-            return;
-        }
-        next();
-    };
-}
-function createOriginValidationMiddleware() {
-    const allowedHosts = buildAllowedHosts();
-    return (req, res, next) => {
-        const originHeader = getNonEmptyStringHeader(req.headers.origin);
-        if (!originHeader) {
-            next();
-            return;
-        }
-        const originHostname = tryParseOriginHostname(originHeader);
-        if (!originHostname || !allowedHosts.has(originHostname)) {
-            respondOriginNotAllowed(res);
-            return;
-        }
-        next();
-    };
-}
-function createJsonParseErrorHandler() {
-    return (err, _req, res, next) => {
-        if (err instanceof SyntaxError && 'body' in err) {
-            res.status(400).json({
-                jsonrpc: '2.0',
-                error: {
-                    code: -32700,
-                    message: 'Parse error: Invalid JSON',
-                },
-                id: null,
-            });
-            return;
-        }
-        next();
-    };
-}
-function createContextMiddleware() {
-    return (req, _res, next) => {
-        const requestId = randomUUID();
-        const sessionId = getSessionId(req);
-        const context = sessionId === undefined
-            ? { requestId, operationId: requestId }
-            : { requestId, operationId: requestId, sessionId };
-        runWithRequestContext(context, () => {
-            next();
-        });
-    };
-}
-function registerHealthRoute(app) {
-    app.get('/health', (_req, res) => {
-        res.json({
-            status: 'healthy',
-            name: config.server.name,
-            version: config.server.version,
-            uptime: process.uptime(),
-        });
-    });
-}
-export function attachBaseMiddleware(options) {
-    const { app, jsonParser, rateLimitMiddleware, corsMiddleware } = options;
-    app.use(createHostValidationMiddleware());
-    app.use(createOriginValidationMiddleware());
-    app.use(jsonParser);
-    app.use(createContextMiddleware());
-    app.use(createJsonParseErrorHandler());
-    app.use(corsMiddleware);
-    app.use('/mcp', rateLimitMiddleware);
-    registerHealthRoute(app);
-}
-export function createCorsMiddleware() {
-    return (req, res, next) => {
-        if (req.method === 'OPTIONS') {
-            res.sendStatus(200);
-            return;
-        }
-        next();
-    };
-}
-function parseScopes(value) {
-    if (typeof value === 'string') {
-        return value
-            .split(' ')
-            .map((scope) => scope.trim())
-            .filter((scope) => scope.length > 0);
-    }
-    if (Array.isArray(value)) {
-        return value.filter((scope) => typeof scope === 'string');
-    }
-    return [];
-}
-function parseResourceUrl(value) {
-    if (typeof value !== 'string')
-        return undefined;
-    if (!URL.canParse(value))
-        return undefined;
-    return new URL(value);
-}
-function parseAudResource(aud) {
-    if (typeof aud === 'string') {
-        return parseResourceUrl(aud);
-    }
-    if (Array.isArray(aud)) {
-        for (const entry of aud) {
-            const parsed = parseResourceUrl(entry);
-            if (parsed)
-                return parsed;
-        }
-    }
-    return undefined;
-}
-function extractResource(data) {
-    const resource = parseResourceUrl(data.resource);
-    if (resource)
-        return resource;
-    return parseAudResource(data.aud);
-}
-function extractScopes(data) {
-    if (data.scope !== undefined) {
-        return parseScopes(data.scope);
-    }
-    if (data.scopes !== undefined) {
-        return parseScopes(data.scopes);
-    }
-    if (data.scp !== undefined) {
-        return parseScopes(data.scp);
-    }
-    return [];
-}
-function readExpiresAt(data) {
-    const expiresAt = typeof data.exp === 'number' ? data.exp : Number.NaN;
-    if (!Number.isFinite(expiresAt)) {
-        throw new InvalidTokenError('Token has no expiration time');
-    }
-    return expiresAt;
-}
-function resolveClientId(data) {
-    if (typeof data.client_id === 'string')
-        return data.client_id;
-    if (typeof data.cid === 'string')
-        return data.cid;
-    if (typeof data.sub === 'string')
-        return data.sub;
-    return 'unknown';
-}
-function stripHash(url) {
-    const copy = new URL(url.href);
-    copy.hash = '';
-    return copy.href;
-}
-function ensureResourceMatch(resource) {
-    if (!resource) {
-        throw new InvalidTokenError('Token resource mismatch');
-    }
-    if (stripHash(resource) !== stripHash(config.auth.resourceUrl)) {
-        throw new InvalidTokenError('Token resource mismatch');
-    }
-    return resource;
-}
-function buildIntrospectionAuthInfo(token, data) {
-    const resource = ensureResourceMatch(extractResource(data));
-    return {
-        token,
-        clientId: resolveClientId(data),
-        scopes: extractScopes(data),
-        expiresAt: readExpiresAt(data),
-        resource,
-        extra: data,
-    };
-}
-function buildBasicAuthHeader(clientId, clientSecret) {
-    const secret = clientSecret ?? '';
-    const basic = Buffer.from(`${clientId}:${secret}`, 'utf8').toString('base64');
-    return `Basic ${basic}`;
-}
-function buildIntrospectionRequest(token, resourceUrl, clientId, clientSecret) {
-    const body = new URLSearchParams({
-        token,
-        token_type_hint: 'access_token',
-        resource: stripHash(resourceUrl),
-    }).toString();
-    const headers = {
-        'content-type': 'application/x-www-form-urlencoded',
-    };
-    if (clientId) {
-        headers.authorization = buildBasicAuthHeader(clientId, clientSecret);
-    }
-    return { body, headers };
-}
-async function requestIntrospection(introspectionUrl, request, timeoutMs) {
-    const response = await fetch(introspectionUrl, {
-        method: 'POST',
-        headers: request.headers,
-        body: request.body,
-        signal: AbortSignal.timeout(timeoutMs),
-    });
-    if (!response.ok) {
-        await response.body?.cancel();
-        throw new ServerError(`Token introspection failed: ${response.status}`);
-    }
-    return response.json();
-}
-function parseIntrospectionPayload(payload) {
-    if (!isRecord(payload) || Array.isArray(payload)) {
-        throw new ServerError('Invalid introspection response');
-    }
-    if (payload.active !== true) {
-        throw new InvalidTokenError('Token is inactive');
-    }
-    return payload;
-}
-async function verifyWithIntrospection(token) {
-    const { auth } = config;
-    if (!auth.introspectionUrl) {
-        throw new ServerError('Token introspection is not configured');
-    }
-    const request = buildIntrospectionRequest(token, auth.resourceUrl, auth.clientId, auth.clientSecret);
-    const payload = await requestIntrospection(auth.introspectionUrl, request, auth.introspectionTimeoutMs);
-    return buildIntrospectionAuthInfo(token, parseIntrospectionPayload(payload));
-}
-const STATIC_TOKEN_TTL_SECONDS = 60 * 60 * 24;
-function buildStaticAuthInfo(token) {
-    return {
-        token,
-        clientId: 'static-token',
-        scopes: config.auth.requiredScopes,
-        expiresAt: Math.floor(Date.now() / 1000) + STATIC_TOKEN_TTL_SECONDS,
-        resource: config.auth.resourceUrl,
-    };
-}
-function verifyStaticToken(token) {
-    if (config.auth.staticTokens.length === 0) {
-        throw new InvalidTokenError('No static tokens configured');
-    }
-    const matched = config.auth.staticTokens.some((candidate) => timingSafeEqualUtf8(candidate, token));
-    if (!matched) {
-        throw new InvalidTokenError('Invalid token');
-    }
-    return buildStaticAuthInfo(token);
-}
-function normalizeHeaderValue(header) {
-    return Array.isArray(header) ? header[0] : header;
-}
-function getApiKeyHeader(req) {
-    const apiKeyHeader = normalizeHeaderValue(req.headers['x-api-key']);
-    return apiKeyHeader ? apiKeyHeader.trim() : null;
-}
-function createLegacyApiKeyMiddleware() {
-    return (req, _res, next) => {
-        if (config.auth.mode !== 'static') {
-            next();
-            return;
-        }
-        if (!req.headers.authorization) {
-            const apiKey = getApiKeyHeader(req);
-            if (apiKey) {
-                req.headers.authorization = `Bearer ${apiKey}`;
-            }
-        }
-        next();
-    };
-}
-async function verifyAccessToken(token) {
-    if (config.auth.mode === 'oauth') {
-        return verifyWithIntrospection(token);
-    }
-    return verifyStaticToken(token);
-}
-function resolveMetadataUrl() {
-    if (config.auth.mode !== 'oauth')
-        return null;
-    return getOAuthProtectedResourceMetadataUrl(new URL(config.auth.resourceUrl));
-}
-function resolveOptionalScopes(requiredScopes) {
-    return requiredScopes.length > 0 ? [...requiredScopes] : undefined;
-}
-function resolveOAuthMetadataParams(authConfig) {
-    const { issuerUrl, authorizationUrl, tokenUrl, revocationUrl, registrationUrl, requiredScopes, } = authConfig;
-    if (!issuerUrl || !authorizationUrl || !tokenUrl)
-        return null;
-    return {
-        issuerUrl,
-        authorizationUrl,
-        tokenUrl,
-        revocationUrl,
-        registrationUrl,
-        requiredScopes,
-    };
-}
-function buildBaseOAuthMetadata(params) {
-    return {
-        issuer: params.issuerUrl.href,
-        authorization_endpoint: params.authorizationUrl.href,
-        response_types_supported: ['code'],
-        code_challenge_methods_supported: ['S256'],
-        token_endpoint: params.tokenUrl.href,
-        token_endpoint_auth_methods_supported: ['client_secret_post', 'none'],
-        grant_types_supported: ['authorization_code', 'refresh_token'],
-    };
-}
-function applyOptionalScopes(metadata, requiredScopes) {
-    const scopesSupported = resolveOptionalScopes(requiredScopes);
-    if (scopesSupported !== undefined) {
-        metadata.scopes_supported = scopesSupported;
-    }
-}
-function applyOptionalEndpoint(metadata, key, url) {
-    if (!url)
-        return;
-    metadata[key] = url.href;
-}
-function buildOAuthMetadata(params) {
-    const oauthMetadata = buildBaseOAuthMetadata(params);
-    applyOptionalScopes(oauthMetadata, params.requiredScopes);
-    applyOptionalEndpoint(oauthMetadata, 'revocation_endpoint', params.revocationUrl);
-    applyOptionalEndpoint(oauthMetadata, 'registration_endpoint', params.registrationUrl);
-    return oauthMetadata;
-}
-function createAuthMiddleware() {
-    const metadataUrl = resolveMetadataUrl();
-    const authHandler = requireBearerAuth({
-        verifier: { verifyAccessToken },
-        requiredScopes: config.auth.requiredScopes,
-        ...(metadataUrl ? { resourceMetadataUrl: metadataUrl } : {}),
-    });
-    const legacyHandler = createLegacyApiKeyMiddleware();
-    return (req, res, next) => {
-        legacyHandler(req, res, () => {
-            authHandler(req, res, next);
-        });
-    };
-}
-function createAuthMetadataRouter() {
-    if (config.auth.mode !== 'oauth')
-        return null;
-    const oauthMetadataParams = resolveOAuthMetadataParams(config.auth);
-    if (!oauthMetadataParams)
-        return null;
-    return mcpAuthMetadataRouter({
-        oauthMetadata: buildOAuthMetadata(oauthMetadataParams),
-        resourceServerUrl: config.auth.resourceUrl,
-        scopesSupported: config.auth.requiredScopes,
-        resourceName: config.server.name,
-    });
-}
-function sendJsonRpcError(res, code, message, status = 400, id = null) {
-    res.status(status).json({
-        jsonrpc: '2.0',
-        error: {
-            code,
-            message,
-        },
-        id,
-    });
-}
-function sendJsonRpcErrorOrNoContent(res, code, message, status, id) {
-    if (id === null) {
-        res.sendStatus(204);
-        return;
-    }
-    sendJsonRpcError(res, code, message, status, id ?? null);
-}
-function getSessionId(req) {
-    const header = req.headers['mcp-session-id'];
-    return Array.isArray(header) ? header[0] : header;
-}
-export function createSessionStore(sessionTtlMs) {
-    const sessions = new Map();
-    return {
-        get: (sessionId) => sessions.get(sessionId),
-        touch: (sessionId) => {
-            touchSession(sessions, sessionId);
-        },
-        set: (sessionId, entry) => {
-            sessions.set(sessionId, entry);
-        },
-        remove: (sessionId) => removeSession(sessions, sessionId),
-        size: () => sessions.size,
-        clear: () => clearSessions(sessions),
-        evictExpired: () => evictExpiredSessions(sessions, sessionTtlMs),
-        evictOldest: () => evictOldestSession(sessions),
-    };
-}
-function touchSession(sessions, sessionId) {
-    const session = sessions.get(sessionId);
-    if (session) {
-        session.lastSeen = Date.now();
-        sessions.delete(sessionId);
-        sessions.set(sessionId, session);
-    }
-}
-function removeSession(sessions, sessionId) {
-    const session = sessions.get(sessionId);
-    sessions.delete(sessionId);
-    return session;
-}
-function clearSessions(sessions) {
-    const entries = Array.from(sessions.values());
-    sessions.clear();
-    return entries;
-}
-function evictExpiredSessions(sessions, sessionTtlMs) {
-    const now = Date.now();
-    const evicted = [];
-    for (const [id, session] of sessions.entries()) {
-        if (now - session.lastSeen > sessionTtlMs) {
-            sessions.delete(id);
-            evicted.push(session);
-        }
-    }
-    return evicted;
-}
-function evictOldestSession(sessions) {
-    const oldestEntry = sessions.keys().next();
-    if (oldestEntry.done)
-        return undefined;
-    const oldestId = oldestEntry.value;
-    const session = sessions.get(oldestId);
-    sessions.delete(oldestId);
-    return session;
-}
-let inFlightSessions = 0;
-export function reserveSessionSlot(store, maxSessions) {
-    if (store.size() + inFlightSessions >= maxSessions) {
-        return false;
-    }
-    inFlightSessions += 1;
-    return true;
-}
-function releaseSessionSlot() {
-    if (inFlightSessions > 0) {
-        inFlightSessions -= 1;
-    }
-}
-export function createSlotTracker() {
-    let slotReleased = false;
-    let initialized = false;
-    return {
-        releaseSlot: () => {
-            if (slotReleased)
-                return;
-            slotReleased = true;
-            releaseSessionSlot();
-        },
-        markInitialized: () => {
-            initialized = true;
-        },
-        isInitialized: () => initialized,
-    };
-}
-function isServerAtCapacity(store, maxSessions) {
-    return store.size() + inFlightSessions >= maxSessions;
-}
-function tryEvictSlot(store, maxSessions, evictOldest) {
-    const currentSize = store.size();
-    const canFreeSlot = currentSize >= maxSessions &&
-        currentSize - 1 + inFlightSessions < maxSessions;
-    return canFreeSlot && evictOldest(store);
-}
-export function ensureSessionCapacity({ store, maxSessions, res, evictOldest, requestId, }) {
-    if (!isServerAtCapacity(store, maxSessions)) {
-        return true;
-    }
-    if (tryEvictSlot(store, maxSessions, evictOldest)) {
-        return !isServerAtCapacity(store, maxSessions);
-    }
-    respondServerBusy(res, requestId);
-    return false;
-}
-function respondServerBusy(res, requestId) {
-    sendJsonRpcErrorOrNoContent(res, -32000, 'Server busy: maximum sessions reached', 503, requestId);
-}
-function respondBadRequest(res, id) {
-    sendJsonRpcErrorOrNoContent(res, -32000, 'Bad Request: Missing session ID or not an initialize request', 400, id);
-}
-function respondSessionNotInitialized(res, requestId) {
-    sendJsonRpcErrorOrNoContent(res, -32000, 'Bad Request: Session not initialized', 400, requestId);
-}
-function isNotificationMethod(method) {
-    return method.startsWith('notifications/');
-}
-function isAllowedBeforeInitialized(method) {
-    return (method === 'initialize' ||
-        method === 'notifications/initialized' ||
-        method === 'ping');
-}
-function createTimeoutController() {
-    let initTimeout = null;
-    return {
-        clear: () => {
-            if (!initTimeout)
-                return;
-            clearTimeout(initTimeout);
-            initTimeout = null;
-        },
-        set: (timeout) => {
-            initTimeout = timeout;
-        },
-    };
-}
-function createTransportAdapter(transport) {
-    const adapter = buildTransportAdapter(transport);
-    attachTransportAccessors(adapter, transport);
-    return adapter;
-}
-function buildTransportAdapter(transport) {
-    return {
-        start: () => transport.start(),
-        send: (message, options) => transport.send(message, options),
-        close: () => transport.close(),
-    };
-}
-function createAccessorDescriptor(getter, setter) {
-    return {
-        get: getter,
-        ...(setter ? { set: setter } : {}),
-        enumerable: true,
-        configurable: true,
-    };
-}
-export function composeCloseHandlers(first, second) {
-    if (!first)
-        return second;
-    if (!second)
-        return first;
-    return () => {
-        try {
-            first();
-        }
-        finally {
-            second();
-        }
-    };
-}
-function createOnCloseDescriptor(transport) {
-    return createAccessorDescriptor(() => transport.onclose, (handler) => {
-        transport.onclose = handler;
-    });
-}
-function createOnErrorDescriptor(transport) {
-    return createAccessorDescriptor(() => transport.onerror, (handler) => {
-        transport.onerror = handler;
-    });
-}
-function createOnMessageDescriptor(transport) {
-    return createAccessorDescriptor(() => transport.onmessage, (handler) => {
-        transport.onmessage = handler;
-    });
-}
-function attachTransportAccessors(adapter, transport) {
-    Object.defineProperties(adapter, {
-        onclose: createOnCloseDescriptor(transport),
-        onerror: createOnErrorDescriptor(transport),
-        onmessage: createOnMessageDescriptor(transport),
-        sessionId: createAccessorDescriptor(() => transport.sessionId),
-    });
-}
-function startSessionInitTimeout({ transport, tracker, clearInitTimeout, timeoutMs, }) {
-    if (timeoutMs <= 0)
-        return null;
-    const timeout = setTimeout(() => {
-        clearInitTimeout();
-        if (tracker.isInitialized())
-            return;
-        tracker.releaseSlot();
-        void transport.close().catch((error) => {
-            logWarn('Failed to close stalled session', {
-                error: getErrorMessage(error),
-            });
-        });
-        logWarn('Session initialization timed out', { timeoutMs });
-    }, timeoutMs);
-    timeout.unref();
-    return timeout;
-}
-function createSessionTransport({ tracker, timeoutController, }) {
-    const transport = new StreamableHTTPServerTransport({
-        sessionIdGenerator: () => randomUUID(),
-    });
-    transport.onclose = () => {
-        timeoutController.clear();
-        if (!tracker.isInitialized()) {
-            tracker.releaseSlot();
-        }
-    };
-    timeoutController.set(startSessionInitTimeout({
-        transport,
-        tracker,
-        clearInitTimeout: timeoutController.clear,
-        timeoutMs: config.server.sessionInitTimeoutMs,
-    }));
-    return transport;
-}
-async function connectTransportOrThrow({ transport, clearInitTimeout, releaseSlot, }) {
-    const mcpServer = createMcpServer();
-    const transportAdapter = createTransportAdapter(transport);
-    const oncloseBeforeConnect = transport.onclose;
-    try {
-        await mcpServer.connect(transportAdapter);
-        if (oncloseBeforeConnect && transport.onclose !== oncloseBeforeConnect) {
-            transport.onclose = composeCloseHandlers(transport.onclose, oncloseBeforeConnect);
-        }
-    }
-    catch (error) {
-        clearInitTimeout();
-        releaseSlot();
-        void transport.close().catch((closeError) => {
-            logWarn('Failed to close transport after connect error', {
-                error: getErrorMessage(closeError),
-            });
-        });
-        logError('Failed to initialize MCP session', error instanceof Error ? error : undefined);
-        throw error;
-    }
-    return mcpServer;
-}
-function evictExpiredSessionsWithClose(store) {
-    const evicted = store.evictExpired();
-    for (const session of evicted) {
-        void session.transport.close().catch((error) => {
-            logWarn('Failed to close expired session', {
-                error: getErrorMessage(error),
-            });
-        });
-    }
-    return evicted.length;
-}
-function evictOldestSessionWithClose(store) {
-    const session = store.evictOldest();
-    if (!session)
-        return false;
-    void session.transport.close().catch((error) => {
-        logWarn('Failed to close evicted session', {
-            error: getErrorMessage(error),
-        });
-    });
-    return true;
-}
-function reserveSessionIfPossible({ options, res, requestId, }) {
-    const capacityArgs = {
-        store: options.sessionStore,
-        maxSessions: options.maxSessions,
-        res,
-        evictOldest: evictOldestSessionWithClose,
-        ...(requestId !== undefined ? { requestId } : {}),
-    };
-    if (!ensureSessionCapacity(capacityArgs)) {
-        return false;
-    }
-    if (!reserveSessionSlot(options.sessionStore, options.maxSessions)) {
-        respondServerBusy(res);
-        return false;
-    }
-    return true;
-}
-function resolveExistingSessionTransport(store, sessionId, res, requestId, method) {
-    const existingSession = store.get(sessionId);
-    if (existingSession) {
-        if (!existingSession.protocolInitialized &&
-            !isAllowedBeforeInitialized(method)) {
-            respondSessionNotInitialized(res, requestId);
-            return null;
-        }
-        store.touch(sessionId);
-        return existingSession.transport;
-    }
-    // Client supplied a session id but it doesn't exist; Streamable HTTP: invalid session IDs => 404.
-    sendJsonRpcErrorOrNoContent(res, -32600, 'Session not found', 404, requestId);
-    return null;
-}
-function createSessionContext() {
-    const tracker = createSlotTracker();
-    const timeoutController = createTimeoutController();
-    const transport = createSessionTransport({ tracker, timeoutController });
-    return { tracker, timeoutController, transport };
-}
-function attachSessionInitializedHandler(server, store, sessionId) {
-    const previousInitialized = server.server.oninitialized;
-    server.server.oninitialized = () => {
-        const entry = store.get(sessionId);
-        if (entry) {
-            entry.protocolInitialized = true;
-        }
-        previousInitialized?.();
-    };
-}
-function finalizeSessionIfValid({ store, transport, mcpServer, tracker, clearInitTimeout, res, requestId, }) {
-    const { sessionId } = transport;
-    if (typeof sessionId !== 'string') {
-        clearInitTimeout();
-        tracker.releaseSlot();
-        respondBadRequest(res, requestId ?? null);
-        return false;
-    }
-    finalizeSession({
-        store,
-        transport,
-        sessionId,
-        mcpServer,
-        tracker,
-        clearInitTimeout,
-    });
-    return true;
-}
-function finalizeSession({ store, transport, sessionId, mcpServer, tracker, clearInitTimeout, }) {
-    clearInitTimeout();
-    tracker.markInitialized();
-    tracker.releaseSlot();
-    const now = Date.now();
-    store.set(sessionId, {
-        transport,
-        createdAt: now,
-        lastSeen: now,
-        protocolInitialized: false,
-    });
-    attachSessionInitializedHandler(mcpServer, store, sessionId);
-    const previousOnClose = transport.onclose;
-    transport.onclose = composeCloseHandlers(previousOnClose, () => {
-        store.remove(sessionId);
-        logInfo('Session closed');
-    });
-    logInfo('Session initialized');
-}
-async function createAndConnectTransport({ options, res, requestId, }) {
-    const reserveArgs = {
-        options,
-        res,
-        ...(requestId !== undefined ? { requestId } : {}),
-    };
-    if (!reserveSessionIfPossible(reserveArgs))
-        return null;
-    const { tracker, timeoutController, transport } = createSessionContext();
-    const mcpServer = await connectTransportOrThrow({
-        transport,
-        clearInitTimeout: timeoutController.clear,
-        releaseSlot: tracker.releaseSlot,
-    });
-    if (!finalizeSessionIfValid({
-        store: options.sessionStore,
-        transport,
-        mcpServer,
-        tracker,
-        clearInitTimeout: timeoutController.clear,
-        res,
-        ...(requestId !== undefined ? { requestId } : {}),
-    })) {
-        return null;
-    }
-    return transport;
-}
-export async function resolveTransportForPost({ res, body, sessionId, options, }) {
-    const requestId = body.id ?? null;
-    if (sessionId) {
-        return resolveExistingSessionTransport(options.sessionStore, sessionId, res, requestId, body.method);
-    }
-    if (!isInitializeRequest(body)) {
-        respondBadRequest(res, requestId);
-        return null;
-    }
-    evictExpiredSessionsWithClose(options.sessionStore);
-    return createAndConnectTransport({ options, res, requestId });
-}
-function startSessionCleanupLoop(store, sessionTtlMs) {
-    const controller = new AbortController();
-    void runSessionCleanupLoop(store, sessionTtlMs, controller.signal).catch(handleSessionCleanupError);
-    return controller;
-}
-async function runSessionCleanupLoop(store, sessionTtlMs, signal) {
-    const intervalMs = getCleanupIntervalMs(sessionTtlMs);
-    for await (const getNow of setIntervalPromise(intervalMs, Date.now, {
-        signal,
-        ref: false,
-    })) {
-        handleSessionEvictions(store, getNow());
-    }
-}
-function getCleanupIntervalMs(sessionTtlMs) {
-    return Math.min(Math.max(Math.floor(sessionTtlMs / 2), 10000), 60000);
-}
-function isAbortError(error) {
-    return error instanceof Error && error.name === 'AbortError';
-}
-function handleSessionEvictions(store, now) {
-    const evicted = evictExpiredSessionsWithClose(store);
-    if (evicted > 0) {
-        logInfo('Expired sessions evicted', {
-            evicted,
-            timestamp: new Date(now).toISOString(),
-        });
-    }
-}
-function handleSessionCleanupError(error) {
-    if (isAbortError(error)) {
-        return;
-    }
-    logWarn('Session cleanup loop failed', {
-        error: error instanceof Error ? error.message : 'Unknown error',
-    });
-}
-const paramsSchema = z.looseObject({});
-const mcpRequestSchema = z.looseObject({
-    jsonrpc: z.literal('2.0'),
-    method: z.string().min(1),
-    id: z.union([z.string(), z.number(), z.null()]).optional(),
-    params: paramsSchema.optional(),
-});
-function wrapAsync(fn) {
-    return (req, res, next) => {
-        Promise.resolve(fn(req, res)).catch(next);
-    };
-}
-export function isJsonRpcBatchRequest(body) {
-    return Array.isArray(body);
-}
-export function isMcpRequestBody(body) {
-    return mcpRequestSchema.safeParse(body).success;
-}
-function respondInvalidRequestBody(res) {
-    sendJsonRpcError(res, -32600, 'Invalid Request: Malformed request body', 400);
-}
-function respondMissingSession(res) {
-    sendJsonRpcError(res, -32600, 'Missing mcp-session-id header', 400);
-}
-function respondSessionNotFound(res) {
-    sendJsonRpcError(res, -32600, 'Session not found', 404);
-}
-function validatePostPayload(payload, res) {
-    if (isJsonRpcBatchRequest(payload)) {
-        sendJsonRpcError(res, -32600, 'Batch requests are not supported', 400);
-        return null;
-    }
-    if (!isMcpRequestBody(payload)) {
-        respondInvalidRequestBody(res);
-        return null;
-    }
-    return payload;
-}
-function ensureRequestHasId(body, res) {
-    if (body.id !== undefined || isNotificationMethod(body.method)) {
-        return true;
-    }
-    sendJsonRpcError(res, -32600, `Invalid Request: ${body.method} requires id`, 400, null);
-    return false;
-}
-function logPostRequest(body, sessionId, options) {
-    logInfo('[MCP POST]', {
-        method: body.method,
-        id: body.id,
-        isInitialize: body.method === 'initialize',
-        sessionCount: options.sessionStore.size(),
-    });
-}
-async function handleTransportRequest(transport, req, res, body) {
-    try {
-        await dispatchTransportRequest(transport, req, res, body);
-    }
-    catch (error) {
-        logError('MCP request handling failed', error instanceof Error ? error : undefined);
-        handleTransportError(res, body?.id ?? null);
-    }
-}
-function handleTransportError(res, id) {
-    if (res.headersSent)
-        return;
-    sendJsonRpcError(res, -32603, 'Internal error', 500, id);
-}
-function dispatchTransportRequest(transport, req, res, body) {
-    return body
-        ? transport.handleRequest(req, res, body)
-        : transport.handleRequest(req, res);
-}
-function resolveSessionTransport(sessionId, options, res) {
-    const { sessionStore } = options;
-    if (!sessionId) {
-        respondMissingSession(res);
-        return null;
-    }
-    const session = sessionStore.get(sessionId);
-    if (!session) {
-        respondSessionNotFound(res);
-        return null;
-    }
-    sessionStore.touch(sessionId);
-    return session.transport;
-}
-const MCP_PROTOCOL_VERSION_HEADER = 'mcp-protocol-version';
-const MCP_PROTOCOL_VERSIONS = {
-    supported: new Set(['2025-11-25']),
-};
-function getHeaderValue(req, headerNameLower) {
-    const value = req.headers[headerNameLower];
-    if (typeof value === 'string')
-        return value;
-    if (Array.isArray(value))
-        return value[0] ?? null;
-    return null;
-}
-export function ensureMcpProtocolVersionHeader(req, res) {
-    const raw = getHeaderValue(req, MCP_PROTOCOL_VERSION_HEADER);
-    const version = raw?.trim();
-    if (!version) {
-        sendJsonRpcError(res, -32600, 'Missing required MCP-Protocol-Version header', 400);
-        return false;
-    }
-    if (!MCP_PROTOCOL_VERSIONS.supported.has(version)) {
-        sendJsonRpcError(res, -32600, `Unsupported MCP-Protocol-Version: ${version}`, 400);
-        return false;
-    }
-    return true;
-}
-function closeSessionIfPresent(req, options) {
-    const sessionId = getSessionId(req);
-    if (!sessionId)
-        return;
-    const session = options.sessionStore.get(sessionId);
-    if (!session)
-        return;
-    logWarn('Closing session due to protocol version mismatch', { sessionId });
-    void session.transport.close().catch((error) => {
-        logWarn('Failed to close session after protocol version mismatch', {
-            sessionId,
-            error: getErrorMessage(error),
-        });
-    });
-}
-function getAcceptHeader(req) {
-    const value = req.headers.accept;
-    if (typeof value === 'string')
-        return value;
-    return '';
-}
-function setAcceptHeader(req, value) {
-    req.headers.accept = value;
-    const { rawHeaders } = req;
-    if (!Array.isArray(rawHeaders))
-        return;
-    for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
-        const key = rawHeaders[i];
-        if (typeof key === 'string' && key.toLowerCase() === 'accept') {
-            rawHeaders[i + 1] = value;
-            return;
-        }
-    }
-    rawHeaders.push('Accept', value);
-}
-function hasToken(header, token) {
-    return header
-        .split(',')
-        .map((part) => part.trim().toLowerCase())
-        .some((part) => part === token || part.startsWith(`${token};`));
-}
-export function ensurePostAcceptHeader(req) {
-    const accept = getAcceptHeader(req);
-    // Some clients send */* or omit Accept; the SDK transport is picky.
-    if (!accept || hasToken(accept, '*/*')) {
-        setAcceptHeader(req, 'application/json, text/event-stream');
-        return;
-    }
-    const hasJson = hasToken(accept, 'application/json');
-    const hasSse = hasToken(accept, 'text/event-stream');
-    if (!hasJson || !hasSse) {
-        setAcceptHeader(req, 'application/json, text/event-stream');
-    }
-}
-export function acceptsEventStream(req) {
-    const accept = getAcceptHeader(req);
-    if (!accept)
-        return false;
-    return hasToken(accept, 'text/event-stream');
-}
-async function handlePost(req, res, options) {
-    ensurePostAcceptHeader(req);
-    if (!ensureMcpProtocolVersionHeader(req, res)) {
-        closeSessionIfPresent(req, options);
-        return;
-    }
-    const sessionId = getSessionId(req);
-    const payload = validatePostPayload(req.body, res);
-    if (!payload)
-        return;
-    if (!ensureRequestHasId(payload, res))
-        return;
-    logPostRequest(payload, sessionId, options);
-    const transport = await resolveTransportForPost({
-        res,
-        body: payload,
-        sessionId,
-        options,
-    });
-    if (!transport)
-        return;
-    await handleTransportRequest(transport, req, res, payload);
-}
-async function handleGet(req, res, options) {
-    if (!ensureMcpProtocolVersionHeader(req, res)) {
-        closeSessionIfPresent(req, options);
-        return;
-    }
-    if (!acceptsEventStream(req)) {
-        res.status(406).json({
-            error: 'Not Acceptable',
-            code: 'ACCEPT_NOT_SUPPORTED',
-        });
-        return;
-    }
-    const transport = resolveSessionTransport(getSessionId(req), options, res);
-    if (!transport)
-        return;
-    await handleTransportRequest(transport, req, res);
-}
-async function handleDelete(req, res, options) {
-    if (!ensureMcpProtocolVersionHeader(req, res)) {
-        closeSessionIfPresent(req, options);
-        return;
-    }
-    const transport = resolveSessionTransport(getSessionId(req), options, res);
-    if (!transport)
-        return;
-    await handleTransportRequest(transport, req, res);
-}
-function registerMcpRoutes(app, options) {
-    app.post('/mcp', wrapAsync((req, res) => handlePost(req, res, options)));
-    app.get('/mcp', wrapAsync((req, res) => handleGet(req, res, options)));
-    app.delete('/mcp', wrapAsync((req, res) => handleDelete(req, res, options)));
-}
-export function applyHttpServerTuning(server) {
-    const { headersTimeoutMs, requestTimeoutMs, keepAliveTimeoutMs } = config.server.http;
-    if (headersTimeoutMs !== undefined) {
-        server.headersTimeout = headersTimeoutMs;
-    }
-    if (requestTimeoutMs !== undefined) {
-        server.requestTimeout = requestTimeoutMs;
-    }
-    if (keepAliveTimeoutMs !== undefined) {
-        server.keepAliveTimeout = keepAliveTimeoutMs;
-    }
-    if (headersTimeoutMs !== undefined ||
-        requestTimeoutMs !== undefined ||
-        keepAliveTimeoutMs !== undefined) {
-        logDebug('Applied HTTP server tuning', {
-            headersTimeoutMs,
-            requestTimeoutMs,
-            keepAliveTimeoutMs,
-        });
-    }
-}
-export function drainConnectionsOnShutdown(server) {
-    const { shutdownCloseAllConnections, shutdownCloseIdleConnections } = config.server.http;
-    if (shutdownCloseAllConnections) {
-        if (typeof server.closeAllConnections === 'function') {
-            server.closeAllConnections();
-            logDebug('Closed all HTTP connections during shutdown');
-        }
-        else {
-            logDebug('HTTP server does not support closeAllConnections()');
-        }
-        return;
-    }
-    if (shutdownCloseIdleConnections) {
-        if (typeof server.closeIdleConnections === 'function') {
-            server.closeIdleConnections();
-            logDebug('Closed idle HTTP connections during shutdown');
-        }
-        else {
-            logDebug('HTTP server does not support closeIdleConnections()');
-        }
-    }
-}
-//# sourceMappingURL=http.js.map