@j0hanz/superfetch 2.2.2 → 2.3.0

package/dist/cache.d.ts

@@ -40,4 +40,3 @@ export declare function registerCachedContentResource(server: McpServer): void;
 export declare function generateSafeFilename(url: string, title?: string, hashFallback?: string, extension?: string): string;
 export declare function handleDownload(res: ServerResponse, namespace: string, hash: string): void;
 export {};
-//# sourceMappingURL=cache.d.ts.map

package/dist/cache.js

@@ -396,43 +396,32 @@ function buildMarkdownContentResponse(uri, content) {
         ],
     };
 }
-function isSingleParam(value) {
-    return typeof value === 'string';
-}
 function parseDownloadParams(namespace, hash) {
-    if (!isSingleParam(namespace) || !isSingleParam(hash))
-        return null;
-    if (!namespace || !hash)
+    const resolvedNamespace = resolveStringParam(namespace);
+    const resolvedHash = resolveStringParam(hash);
+    if (!resolvedNamespace || !resolvedHash)
         return null;
-    if (!isValidNamespace(namespace))
+    if (!isValidNamespace(resolvedNamespace))
         return null;
-    if (!isValidHash(hash))
+    if (!isValidHash(resolvedHash))
         return null;
-    return { namespace, hash };
+    return { namespace: resolvedNamespace, hash: resolvedHash };
 }
 function buildCacheKeyFromParams(params) {
     return `${params.namespace}:${params.hash}`;
 }
+function sendJsonError(res, status, error, code) {
+    res.writeHead(status, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error, code }));
+}
 function respondBadRequest(res, message) {
-    res.writeHead(400, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({
-        error: message,
-        code: 'BAD_REQUEST',
-    }));
+    sendJsonError(res, 400, message, 'BAD_REQUEST');
 }
 function respondNotFound(res) {
-    res.writeHead(404, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({
-        error: 'Content not found or expired',
-        code: 'NOT_FOUND',
-    }));
+    sendJsonError(res, 404, 'Content not found or expired', 'NOT_FOUND');
 }
 function respondServiceUnavailable(res) {
-    res.writeHead(503, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify({
-        error: 'Download service is disabled',
-        code: 'SERVICE_UNAVAILABLE',
-    }));
+    sendJsonError(res, 503, 'Download service is disabled', 'SERVICE_UNAVAILABLE');
 }
 export function generateSafeFilename(url, title, hashFallback, extension = '.md') {
     const fromUrl = extractFilenameFromUrl(url);
@@ -567,4 +556,3 @@ export function handleDownload(res, namespace, hash) {
     logDebug('Serving download', { cacheKey, fileName: payload.fileName });
     sendDownloadPayload(res, payload);
 }
-//# sourceMappingURL=cache.js.map

package/dist/config.d.ts

@@ -89,4 +89,3 @@ export declare const config: {
 };
 export declare function enableHttpMode(): void;
 export {};
-//# sourceMappingURL=config.d.ts.map

package/dist/config.js

@@ -73,6 +73,9 @@ function parseUrlEnv(value, name) {
     }
     return new URL(value);
 }
+function readUrlEnv(name) {
+    return parseUrlEnv(process.env[name], name);
+}
 function parseAllowedHosts(envValue) {
     const hosts = new Set();
     for (const entry of parseList(envValue)) {
@@ -108,16 +111,16 @@ const DEFAULT_TOOL_TIMEOUT_MS = TIMEOUT.DEFAULT_FETCH_TIMEOUT_MS +
     5000;
 function readCoreOAuthUrls() {
     return {
-        issuerUrl: parseUrlEnv(process.env.OAUTH_ISSUER_URL, 'OAUTH_ISSUER_URL'),
-        authorizationUrl: parseUrlEnv(process.env.OAUTH_AUTHORIZATION_URL, 'OAUTH_AUTHORIZATION_URL'),
-        tokenUrl: parseUrlEnv(process.env.OAUTH_TOKEN_URL, 'OAUTH_TOKEN_URL'),
+        issuerUrl: readUrlEnv('OAUTH_ISSUER_URL'),
+        authorizationUrl: readUrlEnv('OAUTH_AUTHORIZATION_URL'),
+        tokenUrl: readUrlEnv('OAUTH_TOKEN_URL'),
     };
 }
 function readOptionalOAuthUrls(baseUrl) {
     return {
-        revocationUrl: parseUrlEnv(process.env.OAUTH_REVOCATION_URL, 'OAUTH_REVOCATION_URL'),
-        registrationUrl: parseUrlEnv(process.env.OAUTH_REGISTRATION_URL, 'OAUTH_REGISTRATION_URL'),
-        introspectionUrl: parseUrlEnv(process.env.OAUTH_INTROSPECTION_URL, 'OAUTH_INTROSPECTION_URL'),
+        revocationUrl: readUrlEnv('OAUTH_REVOCATION_URL'),
+        registrationUrl: readUrlEnv('OAUTH_REGISTRATION_URL'),
+        introspectionUrl: readUrlEnv('OAUTH_INTROSPECTION_URL'),
         resourceUrl: parseUrlEnv(process.env.OAUTH_RESOURCE_URL, 'OAUTH_RESOURCE_URL') ??
             new URL('/mcp', baseUrl),
     };
@@ -271,4 +274,3 @@ export const config = {
 export function enableHttpMode() {
     runtimeState.httpMode = true;
 }
-//# sourceMappingURL=config.js.map

package/dist/crypto.d.ts

@@ -1,3 +1,2 @@
 export declare function timingSafeEqualUtf8(a: string, b: string): boolean;
 export declare function sha256Hex(input: string | Uint8Array): string;
-//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.js

@@ -30,4 +30,3 @@ function hashHex(algorithm, input) {
 export function sha256Hex(input) {
     return hashHex('sha256', input);
 }
-//# sourceMappingURL=crypto.js.map

package/dist/dom-noise-removal.d.ts

@@ -3,4 +3,3 @@
  * Used as a preprocessing step before markdown conversion.
  */
 export declare function removeNoiseFromHtml(html: string, document?: Document, baseUrl?: string): string;
-//# sourceMappingURL=dom-noise-removal.d.ts.map

package/dist/dom-noise-removal.js

@@ -56,6 +56,37 @@ const STRUCTURAL_TAGS = new Set([
     'canvas',
 ]);
 const ALWAYS_NOISE_TAGS = new Set(['nav', 'footer']);
+const BASE_NOISE_SELECTORS = [
+    'nav',
+    'footer',
+    'header[class*="site"]',
+    'header[class*="nav"]',
+    'header[class*="menu"]',
+    '[role="banner"]',
+    '[role="navigation"]',
+    '[role="dialog"]',
+    '[style*="display: none"]',
+    '[style*="display:none"]',
+    '[hidden]',
+    '[aria-hidden="true"]',
+];
+const BASE_NOISE_SELECTOR = BASE_NOISE_SELECTORS.join(',');
+const CANDIDATE_NOISE_SELECTOR = [
+    ...STRUCTURAL_TAGS,
+    ...ALWAYS_NOISE_TAGS,
+    'aside',
+    'header',
+    '[class]',
+    '[id]',
+    '[role]',
+    '[style]',
+].join(',');
+function buildNoiseSelector(extraSelectors) {
+    const extra = extraSelectors.filter((selector) => selector.trim().length > 0);
+    if (extra.length === 0)
+        return BASE_NOISE_SELECTOR;
+    return `${BASE_NOISE_SELECTOR},${extra.join(',')}`;
+}
 const NAVIGATION_ROLES = new Set([
     'navigation',
     'banner',
@@ -309,39 +340,12 @@ function removeNoiseNodes(nodes, shouldCheckNoise = true) {
 function stripNoiseNodes(document) {
     // Pass 1: Trusted selectors (Common noise)
     // We trust these selectors match actual noise, so we skip the expensive isNoiseElement check
-    const baseSelectors = [
-        'nav',
-        'footer',
-        'header[class*="site"]',
-        'header[class*="nav"]',
-        'header[class*="menu"]',
-        '[role="banner"]',
-        '[role="navigation"]',
-        '[role="dialog"]',
-        '[style*="display: none"]',
-        '[style*="display:none"]',
-        '[hidden]',
-        '[aria-hidden="true"]',
-    ];
     // Add user-configured extra selectors
-    const extraSelectors = config.noiseRemoval.extraSelectors.filter((s) => s.trim().length > 0);
-    const targetSelectors = [...baseSelectors, ...extraSelectors].join(',');
-    if (targetSelectors) {
-        const potentialNoiseNodes = document.querySelectorAll(targetSelectors);
-        removeNoiseNodes(potentialNoiseNodes, false);
-    }
+    const targetSelectors = buildNoiseSelector(config.noiseRemoval.extraSelectors);
+    const potentialNoiseNodes = document.querySelectorAll(targetSelectors);
+    removeNoiseNodes(potentialNoiseNodes, false);
     // Second pass: check remaining elements for noise patterns (promo, fixed positioning, etc.)
-    const candidateSelectors = [
-        ...STRUCTURAL_TAGS,
-        ...ALWAYS_NOISE_TAGS,
-        'aside',
-        'header',
-        '[class]',
-        '[id]',
-        '[role]',
-        '[style]',
-    ].join(',');
-    const allElements = document.querySelectorAll(candidateSelectors);
+    const allElements = document.querySelectorAll(CANDIDATE_NOISE_SELECTOR);
     removeNoiseNodes(allElements, true);
 }
 // ─────────────────────────────────────────────────────────────────────────────
@@ -479,4 +483,3 @@ export function removeNoiseFromHtml(html, document, baseUrl) {
         return html;
     }
 }
-//# sourceMappingURL=dom-noise-removal.js.map

package/dist/errors.d.ts

@@ -8,4 +8,3 @@ export declare class FetchError extends Error {
 export declare function getErrorMessage(error: unknown): string;
 export declare function createErrorWithCode(message: string, code: string): NodeJS.ErrnoException;
 export declare function isSystemError(error: unknown): error is NodeJS.ErrnoException;
-//# sourceMappingURL=errors.d.ts.map

package/dist/errors.js

@@ -42,4 +42,3 @@ export function isSystemError(error) {
     const { code } = error;
     return typeof code === 'string';
 }
-//# sourceMappingURL=errors.js.map

package/dist/fetch.d.ts

@@ -38,4 +38,3 @@ export declare function readResponseText(response: Response, url: string, maxByt
 }>;
 export declare function fetchNormalizedUrl(normalizedUrl: string, options?: FetchOptions): Promise<string>;
 export {};
-//# sourceMappingURL=fetch.d.ts.map

package/dist/fetch.js

@@ -503,6 +503,12 @@ function createRateLimitError(url, headerValue) {
 function createHttpError(url, status, statusText) {
     return new FetchError(`HTTP ${status}: ${statusText}`, url, status);
 }
+function createTooManyRedirectsError(url) {
+    return new FetchError('Too many redirects', url);
+}
+function createMissingRedirectLocationError(url) {
+    return new FetchError('Redirect response missing Location header', url);
+}
 function createSizeLimitError(url, maxBytes) {
     return new FetchError(`Response exceeds maximum size of ${maxBytes} bytes`, url);
 }
@@ -534,21 +540,29 @@ function resolveErrorUrl(error, fallback) {
         return requestUrl;
     return fallback;
 }
-function mapFetchError(error, fallbackUrl, timeoutMs) {
-    if (error instanceof FetchError)
-        return error;
-    const url = resolveErrorUrl(error, fallbackUrl);
-    if (isAbortError(error)) {
-        if (isTimeoutError(error)) {
-            return createTimeoutError(url, timeoutMs);
-        }
-        return createCanceledError(url);
+function resolveAbortFetchError(error, url, timeoutMs) {
+    if (!isAbortError(error))
+        return null;
+    if (isTimeoutError(error)) {
+        return createTimeoutError(url, timeoutMs);
     }
+    return createCanceledError(url);
+}
+function resolveUnexpectedFetchError(error, url) {
     if (error instanceof Error) {
         return createNetworkError(url, error.message);
     }
     return createUnknownError(url, 'Unexpected error');
 }
+function mapFetchError(error, fallbackUrl, timeoutMs) {
+    if (error instanceof FetchError)
+        return error;
+    const url = resolveErrorUrl(error, fallbackUrl);
+    const abortError = resolveAbortFetchError(error, url, timeoutMs);
+    if (abortError)
+        return abortError;
+    return resolveUnexpectedFetchError(error, url);
+}
 const fetchChannel = diagnosticsChannel.channel('superfetch.fetch');
 function publishFetchEvent(event) {
     if (!fetchChannel.hasSubscribers)
@@ -713,14 +727,14 @@ function assertRedirectWithinLimit(response, currentUrl, redirectLimit, redirect
     if (redirectCount < redirectLimit)
         return;
     cancelResponseBody(response);
-    throw new FetchError('Too many redirects', currentUrl);
+    throw createTooManyRedirectsError(currentUrl);
 }
 function getRedirectLocation(response, currentUrl) {
     const location = response.headers.get('location');
     if (location)
         return location;
     cancelResponseBody(response);
-    throw new FetchError('Redirect response missing Location header', currentUrl);
+    throw createMissingRedirectLocationError(currentUrl);
 }
 function annotateRedirectError(error, url) {
     if (!isObject(error))
@@ -737,26 +751,26 @@ function resolveRedirectTarget(baseUrl, location) {
     }
     return validateAndNormalizeUrl(resolved.href);
 }
+async function withRedirectErrorContext(url, fn) {
+    try {
+        return await fn();
+    }
+    catch (error) {
+        annotateRedirectError(error, url);
+        throw error;
+    }
+}
 export async function fetchWithRedirects(url, init, maxRedirects) {
     let currentUrl = url;
     const redirectLimit = Math.max(0, maxRedirects);
     for (let redirectCount = 0; redirectCount <= redirectLimit; redirectCount += 1) {
-        const { response, nextUrl } = await performFetchCycleSafely(currentUrl, init, redirectLimit, redirectCount);
+        const { response, nextUrl } = await withRedirectErrorContext(currentUrl, () => performFetchCycle(currentUrl, init, redirectLimit, redirectCount));
         if (!nextUrl) {
             return { response, url: currentUrl };
         }
         currentUrl = nextUrl;
     }
-    throw new FetchError('Too many redirects', currentUrl);
-}
-async function performFetchCycleSafely(currentUrl, init, redirectLimit, redirectCount) {
-    try {
-        return await performFetchCycle(currentUrl, init, redirectLimit, redirectCount);
-    }
-    catch (error) {
-        annotateRedirectError(error, currentUrl);
-        throw error;
-    }
+    throw createTooManyRedirectsError(currentUrl);
 }
 function assertContentLengthWithinLimit(response, url, maxBytes) {
     const contentLengthHeader = response.headers.get('content-length');
@@ -841,15 +855,18 @@ async function readStreamWithLimit(stream, url, maxBytes, signal) {
     finalizeRead(state);
     return { text: state.parts.join(''), size: state.total };
 }
+async function readResponseTextFallback(response, url, maxBytes) {
+    const text = await response.text();
+    const size = Buffer.byteLength(text);
+    if (size > maxBytes) {
+        throw createSizeLimitError(url, maxBytes);
+    }
+    return { text, size };
+}
 export async function readResponseText(response, url, maxBytes, signal) {
     assertContentLengthWithinLimit(response, url, maxBytes);
     if (!response.body) {
-        const text = await response.text();
-        const size = Buffer.byteLength(text);
-        if (size > maxBytes) {
-            throw createSizeLimitError(url, maxBytes);
-        }
-        return { text, size };
+        return readResponseTextFallback(response, url, maxBytes);
     }
     return readStreamWithLimit(response.body, url, maxBytes, signal);
 }
@@ -925,4 +942,3 @@ export async function fetchNormalizedUrl(normalizedUrl, options) {
     const requestInit = buildRequestInit(headers, signal);
     return fetchWithTelemetry(normalizedUrl, requestInit, timeoutMs);
 }
-//# sourceMappingURL=fetch.js.map

package/dist/host-normalization.d.ts

@@ -0,0 +1 @@
+export declare function normalizeHost(value: string): string | null;

package/dist/host-normalization.js

@@ -0,0 +1,47 @@
+import { isIP } from 'node:net';
+export function normalizeHost(value) {
+    const trimmed = value.trim().toLowerCase();
+    if (!trimmed)
+        return null;
+    const first = takeFirstHostValue(trimmed);
+    if (!first)
+        return null;
+    const ipv6 = stripIpv6Brackets(first);
+    if (ipv6)
+        return stripTrailingDots(ipv6);
+    if (isIpV6Literal(first)) {
+        return stripTrailingDots(first);
+    }
+    return stripTrailingDots(stripPortIfPresent(first));
+}
+function takeFirstHostValue(value) {
+    const first = value.split(',')[0];
+    if (!first)
+        return null;
+    const trimmed = first.trim();
+    return trimmed ? trimmed : null;
+}
+function stripIpv6Brackets(value) {
+    if (!value.startsWith('['))
+        return null;
+    const end = value.indexOf(']');
+    if (end === -1)
+        return null;
+    return value.slice(1, end);
+}
+function stripPortIfPresent(value) {
+    const colonIndex = value.indexOf(':');
+    if (colonIndex === -1)
+        return value;
+    return value.slice(0, colonIndex);
+}
+function isIpV6Literal(value) {
+    return isIP(value) === 6;
+}
+function stripTrailingDots(value) {
+    let result = value;
+    while (result.endsWith('.')) {
+        result = result.slice(0, -1);
+    }
+    return result;
+}

package/dist/http-native.d.ts

@@ -3,4 +3,3 @@ export declare function startHttpServer(): Promise<{
     port: number;
     host: string;
 }>;
-//# sourceMappingURL=http-native.d.ts.map

package/dist/http-native.js

@@ -8,10 +8,47 @@ import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
 import { handleDownload } from './cache.js';
 import { config, enableHttpMode } from './config.js';
 import { timingSafeEqualUtf8 } from './crypto.js';
-import { acceptsEventStream, applyHttpServerTuning, composeCloseHandlers, createSessionStore, createSlotTracker, drainConnectionsOnShutdown, ensureSessionCapacity, isJsonRpcBatchRequest, isMcpRequestBody, normalizeHost, reserveSessionSlot, startSessionCleanupLoop, } from './http-utils.js';
+import { normalizeHost } from './host-normalization.js';
+import { acceptsEventStream, isJsonRpcBatchRequest, isMcpRequestBody, } from './mcp-validator.js';
 import { createMcpServer } from './mcp.js';
 import { logError, logInfo, logWarn } from './observability.js';
+import { applyHttpServerTuning, drainConnectionsOnShutdown, } from './server-tuning.js';
+import { composeCloseHandlers, createSessionStore, createSlotTracker, ensureSessionCapacity, reserveSessionSlot, startSessionCleanupLoop, } from './session.js';
 import { isObject } from './type-guards.js';
+function createTransportAdapter(transportImpl) {
+    const noopOnClose = () => { };
+    const noopOnError = () => { };
+    const noopOnMessage = () => { };
+    let oncloseHandler = noopOnClose;
+    let onerrorHandler = noopOnError;
+    let onmessageHandler = noopOnMessage;
+    return {
+        start: () => transportImpl.start(),
+        send: (message, options) => transportImpl.send(message, options),
+        close: () => transportImpl.close(),
+        get onclose() {
+            return oncloseHandler;
+        },
+        set onclose(handler) {
+            oncloseHandler = handler;
+            transportImpl.onclose = handler;
+        },
+        get onerror() {
+            return onerrorHandler;
+        },
+        set onerror(handler) {
+            onerrorHandler = handler;
+            transportImpl.onerror = handler;
+        },
+        get onmessage() {
+            return onmessageHandler;
+        },
+        set onmessage(handler) {
+            onmessageHandler = handler;
+            transportImpl.onmessage = handler;
+        },
+    };
+}
 function shimResponse(res) {
     const shim = res;
     shim.status = function (code) {
@@ -144,26 +181,26 @@ function resolveOriginHost(origin) {
         return null;
     }
 }
+function rejectHostRequest(res, status, message) {
+    res.status(status).json({ error: message });
+    return false;
+}
 function validateHostAndOrigin(req, res) {
     const host = resolveHostHeader(req);
     if (!host) {
-        res.status(400).json({ error: 'Missing or invalid Host header' });
-        return false;
+        return rejectHostRequest(res, 400, 'Missing or invalid Host header');
     }
     if (!ALLOWED_HOSTS.has(host)) {
-        res.status(403).json({ error: 'Host not allowed' });
-        return false;
+        return rejectHostRequest(res, 403, 'Host not allowed');
     }
     const originHeader = getHeaderValue(req, 'origin');
     if (originHeader) {
         const originHost = resolveOriginHost(originHeader);
         if (!originHost) {
-            res.status(403).json({ error: 'Invalid Origin header' });
-            return false;
+            return rejectHostRequest(res, 403, 'Invalid Origin header');
         }
         if (!ALLOWED_HOSTS.has(originHost)) {
-            res.status(403).json({ error: 'Origin not allowed' });
-            return false;
+            return rejectHostRequest(res, 403, 'Origin not allowed');
         }
     }
     return true;
@@ -318,24 +355,35 @@ async function verifyWithIntrospection(token) {
         throw new InvalidTokenError('Token is inactive');
     return buildIntrospectionAuthInfo(token, payload);
 }
+function resolveBearerToken(authHeader) {
+    const [type, token] = authHeader.split(' ');
+    if (type !== 'Bearer' || !token) {
+        throw new InvalidTokenError('Invalid Authorization header format');
+    }
+    return token;
+}
+function authenticateWithToken(token) {
+    return config.auth.mode === 'oauth'
+        ? verifyWithIntrospection(token)
+        : Promise.resolve(verifyStaticToken(token));
+}
+function authenticateWithApiKey(req) {
+    const apiKey = getHeaderValue(req, 'x-api-key');
+    if (apiKey && config.auth.mode === 'static') {
+        return verifyStaticToken(apiKey);
+    }
+    if (apiKey && config.auth.mode === 'oauth') {
+        throw new InvalidTokenError('X-API-Key not supported for OAuth');
+    }
+    throw new InvalidTokenError('Missing Authorization header');
+}
 async function authenticate(req) {
     const authHeader = req.headers.authorization;
     if (!authHeader) {
-        const apiKey = getHeaderValue(req, 'x-api-key');
-        if (apiKey && config.auth.mode === 'static') {
-            return verifyStaticToken(apiKey);
-        }
-        if (apiKey && config.auth.mode === 'oauth') {
-            throw new InvalidTokenError('X-API-Key not supported for OAuth');
-        }
-        throw new InvalidTokenError('Missing Authorization header');
+        return authenticateWithApiKey(req);
     }
-    const [type, token] = authHeader.split(' ');
-    if (type !== 'Bearer' || !token)
-        throw new InvalidTokenError('Invalid Authorization header format');
-    if (config.auth.mode === 'oauth')
-        return verifyWithIntrospection(token);
-    return verifyStaticToken(token);
+    const token = resolveBearerToken(authHeader);
+    return authenticateWithToken(token);
 }
 // --- MCP Routes ---
 function sendError(res, code, message, status = 400, id = null) {
@@ -394,7 +442,8 @@ async function createNewSession(store, mcpServer, res, requestId) {
             tracker.releaseSlot();
     };
     try {
-        await mcpServer.connect(transportImpl);
+        const transport = createTransportAdapter(transportImpl);
+        await mcpServer.connect(transport);
     }
     catch (err) {
         clearTimeout(initTimeout);
@@ -642,4 +691,3 @@ async function handleRequest(rawReq, rawRes, rateLimiter, ctx) {
     // 5. Routing
     await dispatchRequest(req, res, url, ctx);
 }
-//# sourceMappingURL=http-native.js.map

package/dist/index.d.ts

@@ -1,3 +1,2 @@
 #!/usr/bin/env node
 export {};
-//# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -52,4 +52,3 @@ catch (error) {
     process.stderr.write(`Failed to start server: ${message}\n`);
     process.exit(1);
 }
-//# sourceMappingURL=index.js.map