npm - @j0hanz/superfetch - Versions diffs - 2.4.3 → 2.4.5 - Mend

@j0hanz/superfetch 2.4.3 → 2.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/dist/cache.d.ts +8 -8
package/dist/cache.js +277 -264
package/dist/config.d.ts +1 -0
package/dist/config.js +1 -0
package/dist/crypto.js +4 -3
package/dist/dom-noise-removal.js +355 -297
package/dist/fetch.d.ts +13 -7
package/dist/fetch.js +636 -690
package/dist/http-native.js +535 -474
package/dist/instructions.md +38 -27
package/dist/language-detection.js +190 -153
package/dist/markdown-cleanup.js +171 -158
package/dist/mcp.js +183 -2
package/dist/resources.d.ts +2 -0
package/dist/resources.js +44 -0
package/dist/session.js +144 -105
package/dist/tasks.d.ts +37 -0
package/dist/tasks.js +66 -0
package/dist/tools.d.ts +8 -12
package/dist/tools.js +196 -147
package/dist/transform.d.ts +3 -1
package/dist/transform.js +680 -778
package/package.json +6 -6

package/dist/http-native.js CHANGED Viewed

@@ -16,6 +16,9 @@ import { applyHttpServerTuning, drainConnectionsOnShutdown, } from './server-tun
 import { composeCloseHandlers, createSessionStore, createSlotTracker, ensureSessionCapacity, reserveSessionSlot, startSessionCleanupLoop, } from './session.js';
 import { getTransformPoolStats } from './transform.js';
 import { isObject } from './type-guards.js';
+/* -------------------------------------------------------------------------------------------------
+ * Transport adaptation
+ * ------------------------------------------------------------------------------------------------- */
 function createTransportAdapter(transportImpl) {
     const noopOnClose = () => { };
     const noopOnError = () => { };
@@ -72,52 +75,55 @@ function shimResponse(res) {
     };
     return shim;
 }
-// --- Body Parsing ---
-async function readJsonBody(req, limit = 1024 * 1024) {
-    const contentType = req.headers['content-type'];
-    if (!contentType?.includes('application/json'))
-        return undefined;
-    return new Promise((resolve, reject) => {
-        let size = 0;
-        const chunks = [];
-        req.on('data', (chunk) => {
-            size += chunk.length;
-            if (size > limit) {
-                req.destroy();
-                reject(new Error('Payload too large'));
-                return;
-            }
-            chunks.push(chunk);
-        });
-        req.on('end', () => {
-            try {
-                const body = Buffer.concat(chunks).toString();
-                if (!body) {
-                    resolve(undefined);
+/* -------------------------------------------------------------------------------------------------
+ * Request parsing helpers
+ * ------------------------------------------------------------------------------------------------- */
+class JsonBodyReader {
+    async read(req, limit = 1024 * 1024) {
+        const contentType = req.headers['content-type'];
+        if (!contentType?.includes('application/json'))
+            return undefined;
+        return new Promise((resolve, reject) => {
+            let size = 0;
+            const chunks = [];
+            req.on('data', (chunk) => {
+                size += chunk.length;
+                if (size > limit) {
+                    req.destroy();
+                    reject(new Error('Payload too large'));
                     return;
                 }
-                resolve(JSON.parse(body));
-            }
-            catch (err) {
+                chunks.push(chunk);
+            });
+            req.on('end', () => {
+                try {
+                    const body = Buffer.concat(chunks).toString();
+                    if (!body) {
+                        resolve(undefined);
+                        return;
+                    }
+                    resolve(JSON.parse(body));
+                }
+                catch (err) {
+                    reject(err instanceof Error ? err : new Error(String(err)));
+                }
+            });
+            req.on('error', (err) => {
                 reject(err instanceof Error ? err : new Error(String(err)));
-            }
-        });
-        req.on('error', (err) => {
-            reject(err instanceof Error ? err : new Error(String(err)));
+            });
         });
-    });
+    }
 }
+const jsonBodyReader = new JsonBodyReader();
 function parseQuery(url) {
     const query = {};
     for (const [key, value] of url.searchParams) {
         const existing = query[key];
         if (existing) {
-            if (Array.isArray(existing)) {
+            if (Array.isArray(existing))
                 existing.push(value);
-            }
-            else {
+            else
                 query[key] = [existing, value];
-            }
         }
         else {
             query[key] = value;
@@ -125,18 +131,6 @@ function parseQuery(url) {
     }
     return query;
 }
-// --- CORS & Headers ---
-function handleCors(req, res) {
-    res.setHeader('Access-Control-Allow-Origin', '*');
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, DELETE');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-API-Key, MCP-Protocol-Version, X-MCP-Session-ID');
-    if (req.method === 'OPTIONS') {
-        res.writeHead(204);
-        res.end();
-        return true;
-    }
-    return false;
-}
 function getHeaderValue(req, name) {
     const val = req.headers[name.toLowerCase()];
     if (!val)
@@ -145,6 +139,23 @@ function getHeaderValue(req, name) {
         return val[0] ?? null;
     return val;
 }
+/* -------------------------------------------------------------------------------------------------
+ * CORS & Host/Origin policy
+ * ------------------------------------------------------------------------------------------------- */
+class CorsPolicy {
+    handle(req, res) {
+        res.setHeader('Access-Control-Allow-Origin', '*');
+        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, DELETE');
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-API-Key, MCP-Protocol-Version, X-MCP-Session-ID');
+        if (req.method === 'OPTIONS') {
+            res.writeHead(204);
+            res.end();
+            return true;
+        }
+        return false;
+    }
+}
+const corsPolicy = new CorsPolicy();
 const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
 const WILDCARD_HOSTS = new Set(['0.0.0.0', '::']);
 function isWildcardHost(host) {
@@ -158,54 +169,55 @@ function buildAllowedHosts() {
     }
     for (const host of config.security.allowedHosts) {
         const normalized = normalizeHost(host);
-        if (normalized) {
+        if (normalized)
             allowed.add(normalized);
-        }
     }
     return allowed;
 }
 const ALLOWED_HOSTS = buildAllowedHosts();
-function resolveHostHeader(req) {
-    const host = getHeaderValue(req, 'host');
-    if (!host)
-        return null;
-    return normalizeHost(host);
-}
-function resolveOriginHost(origin) {
-    if (origin === 'null')
-        return null;
-    try {
-        const parsed = new URL(origin);
-        return normalizeHost(parsed.host);
-    }
-    catch {
-        return null;
-    }
-}
-function rejectHostRequest(res, status, message) {
-    res.status(status).json({ error: message });
-    return false;
-}
-function validateHostAndOrigin(req, res) {
-    const host = resolveHostHeader(req);
-    if (!host) {
-        return rejectHostRequest(res, 400, 'Missing or invalid Host header');
+class HostOriginPolicy {
+    validate(req, res) {
+        const host = this.resolveHostHeader(req);
+        if (!host)
+            return this.reject(res, 400, 'Missing or invalid Host header');
+        if (!ALLOWED_HOSTS.has(host))
+            return this.reject(res, 403, 'Host not allowed');
+        const originHeader = getHeaderValue(req, 'origin');
+        if (originHeader) {
+            const originHost = this.resolveOriginHost(originHeader);
+            if (!originHost)
+                return this.reject(res, 403, 'Invalid Origin header');
+            if (!ALLOWED_HOSTS.has(originHost))
+                return this.reject(res, 403, 'Origin not allowed');
+        }
+        return true;
     }
-    if (!ALLOWED_HOSTS.has(host)) {
-        return rejectHostRequest(res, 403, 'Host not allowed');
+    resolveHostHeader(req) {
+        const host = getHeaderValue(req, 'host');
+        if (!host)
+            return null;
+        return normalizeHost(host);
     }
-    const originHeader = getHeaderValue(req, 'origin');
-    if (originHeader) {
-        const originHost = resolveOriginHost(originHeader);
-        if (!originHost) {
-            return rejectHostRequest(res, 403, 'Invalid Origin header');
+    resolveOriginHost(origin) {
+        if (origin === 'null')
+            return null;
+        try {
+            const parsed = new URL(origin);
+            return normalizeHost(parsed.host);
         }
-        if (!ALLOWED_HOSTS.has(originHost)) {
-            return rejectHostRequest(res, 403, 'Origin not allowed');
+        catch {
+            return null;
         }
     }
-    return true;
+    reject(res, status, message) {
+        res.status(status).json({ error: message });
+        return false;
+    }
 }
+const hostOriginPolicy = new HostOriginPolicy();
+/* -------------------------------------------------------------------------------------------------
+ * HTTP mode configuration assertions
+ * ------------------------------------------------------------------------------------------------- */
 function assertHttpModeConfiguration() {
     const configuredHost = normalizeHost(config.server.host);
     const isLoopback = configuredHost !== null && LOOPBACK_HOSTS.has(configuredHost);
@@ -223,170 +235,184 @@ function assertHttpModeConfiguration() {
 function isAbortError(error) {
     return error instanceof Error && error.name === 'AbortError';
 }
-function createRateLimitManagerImpl(options) {
-    const store = new Map();
-    const cleanup = new AbortController();
-    const interval = setIntervalPromise(options.cleanupIntervalMs, Date.now, {
-        signal: cleanup.signal,
-        ref: false,
-    });
-    void (async () => {
-        try {
-            for await (const getNow of interval) {
-                const now = getNow();
-                for (const [key, entry] of store.entries()) {
-                    if (now - entry.lastAccessed > options.windowMs * 2) {
-                        store.delete(key);
+class RateLimiter {
+    options;
+    store = new Map();
+    cleanup = new AbortController();
+    constructor(options) {
+        this.options = options;
+        this.startCleanupLoop();
+    }
+    startCleanupLoop() {
+        const interval = setIntervalPromise(this.options.cleanupIntervalMs, Date.now, { signal: this.cleanup.signal, ref: false });
+        void (async () => {
+            try {
+                for await (const getNow of interval) {
+                    const now = getNow();
+                    for (const [key, entry] of this.store.entries()) {
+                        if (now - entry.lastAccessed > this.options.windowMs * 2) {
+                            this.store.delete(key);
+                        }
                     }
                 }
             }
-        }
-        catch (err) {
-            if (!isAbortError(err))
-                logWarn('Rate limit cleanup failed', { error: err });
-        }
-    })();
-    return {
-        check: (req, res) => {
-            if (!options.enabled || req.method === 'OPTIONS')
-                return true;
-            const key = req.ip ?? 'unknown';
-            const now = Date.now();
-            let entry = store.get(key);
-            if (!entry || now > entry.resetTime) {
-                entry = {
-                    count: 1,
-                    resetTime: now + options.windowMs,
-                    lastAccessed: now,
-                };
-                store.set(key, entry);
-            }
-            else {
-                entry.count++;
-                entry.lastAccessed = now;
-            }
-            if (entry.count > options.maxRequests) {
-                const retryAfter = Math.max(1, Math.ceil((entry.resetTime - now) / 1000));
-                res.setHeader('Retry-After', String(retryAfter));
-                res.status(429).json({ error: 'Rate limit exceeded', retryAfter });
-                return false;
+            catch (err) {
+                if (!isAbortError(err)) {
+                    logWarn('Rate limit cleanup failed', { error: err });
+                }
             }
-            return true;
-        },
-        stop: () => {
-            cleanup.abort();
-        },
-    };
-}
-// --- Auth ---
-const STATIC_TOKEN_TTL_SECONDS = 60 * 60 * 24;
-function buildStaticAuthInfo(token) {
-    return {
-        token,
-        clientId: 'static-token',
-        scopes: config.auth.requiredScopes,
-        expiresAt: Math.floor(Date.now() / 1000) + STATIC_TOKEN_TTL_SECONDS,
-        resource: config.auth.resourceUrl,
-    };
-}
-function verifyStaticToken(token) {
-    if (config.auth.staticTokens.length === 0) {
-        throw new InvalidTokenError('No static tokens configured');
-    }
-    const matched = config.auth.staticTokens.some((candidate) => timingSafeEqualUtf8(candidate, token));
-    if (!matched)
-        throw new InvalidTokenError('Invalid token');
-    return buildStaticAuthInfo(token);
-}
-function stripHash(url) {
-    const clean = new URL(url);
-    clean.hash = '';
-    return clean.href;
-}
-function buildBasicAuthHeader(clientId, clientSecret) {
-    const credentials = `${clientId}:${clientSecret ?? ''}`;
-    return `Basic ${Buffer.from(credentials).toString('base64')}`;
-}
-function buildIntrospectionRequest(token, resourceUrl, clientId, clientSecret) {
-    const body = new URLSearchParams({
-        token,
-        token_type_hint: 'access_token',
-        resource: stripHash(resourceUrl),
-    }).toString();
-    const headers = {
-        'content-type': 'application/x-www-form-urlencoded',
-    };
-    if (clientId)
-        headers.authorization = buildBasicAuthHeader(clientId, clientSecret);
-    return { body, headers };
-}
-async function requestIntrospection(url, request, timeoutMs) {
-    const response = await fetch(url, {
-        method: 'POST',
-        headers: request.headers,
-        body: request.body,
-        signal: AbortSignal.timeout(timeoutMs),
-    });
-    if (!response.ok) {
-        await response.body?.cancel();
-        throw new ServerError(`Token introspection failed: ${response.status}`);
+        })();
     }
-    return response.json();
-}
-function buildIntrospectionAuthInfo(token, payload) {
-    const expiresAt = typeof payload.exp === 'number' ? payload.exp : undefined;
-    const clientId = typeof payload.client_id === 'string' ? payload.client_id : 'unknown';
-    const info = {
-        token,
-        clientId,
-        scopes: typeof payload.scope === 'string' ? payload.scope.split(' ') : [],
-        resource: config.auth.resourceUrl,
-    };
-    if (expiresAt !== undefined) {
-        info.expiresAt = expiresAt;
+    check(req, res) {
+        if (!this.options.enabled || req.method === 'OPTIONS')
+            return true;
+        const key = req.ip ?? 'unknown';
+        const now = Date.now();
+        let entry = this.store.get(key);
+        if (!entry || now > entry.resetTime) {
+            entry = {
+                count: 1,
+                resetTime: now + this.options.windowMs,
+                lastAccessed: now,
+            };
+            this.store.set(key, entry);
+        }
+        else {
+            entry.count += 1;
+            entry.lastAccessed = now;
+        }
+        if (entry.count > this.options.maxRequests) {
+            const retryAfter = Math.max(1, Math.ceil((entry.resetTime - now) / 1000));
+            res.setHeader('Retry-After', String(retryAfter));
+            res.status(429).json({ error: 'Rate limit exceeded', retryAfter });
+            return false;
+        }
+        return true;
     }
-    return info;
-}
-async function verifyWithIntrospection(token) {
-    if (!config.auth.introspectionUrl)
-        throw new ServerError('Introspection not configured');
-    const req = buildIntrospectionRequest(token, config.auth.resourceUrl, config.auth.clientId, config.auth.clientSecret);
-    const payload = await requestIntrospection(config.auth.introspectionUrl, req, config.auth.introspectionTimeoutMs);
-    if (!isObject(payload) || payload.active !== true)
-        throw new InvalidTokenError('Token is inactive');
-    return buildIntrospectionAuthInfo(token, payload);
-}
-function resolveBearerToken(authHeader) {
-    const [type, token] = authHeader.split(' ');
-    if (type !== 'Bearer' || !token) {
-        throw new InvalidTokenError('Invalid Authorization header format');
+    stop() {
+        this.cleanup.abort();
     }
-    return token;
 }
-function authenticateWithToken(token) {
-    return config.auth.mode === 'oauth'
-        ? verifyWithIntrospection(token)
-        : Promise.resolve(verifyStaticToken(token));
+function createRateLimitManagerImpl(options) {
+    return new RateLimiter(options);
 }
-function authenticateWithApiKey(req) {
-    const apiKey = getHeaderValue(req, 'x-api-key');
-    if (apiKey && config.auth.mode === 'static') {
-        return verifyStaticToken(apiKey);
-    }
-    if (apiKey && config.auth.mode === 'oauth') {
-        throw new InvalidTokenError('X-API-Key not supported for OAuth');
+/* -------------------------------------------------------------------------------------------------
+ * Auth (static + OAuth introspection)
+ * ------------------------------------------------------------------------------------------------- */
+const STATIC_TOKEN_TTL_SECONDS = 60 * 60 * 24;
+class AuthService {
+    async authenticate(req) {
+        const authHeader = req.headers.authorization;
+        if (!authHeader) {
+            return this.authenticateWithApiKey(req);
+        }
+        const token = this.resolveBearerToken(authHeader);
+        return this.authenticateWithToken(token);
+    }
+    authenticateWithToken(token) {
+        return config.auth.mode === 'oauth'
+            ? this.verifyWithIntrospection(token)
+            : Promise.resolve(this.verifyStaticToken(token));
+    }
+    authenticateWithApiKey(req) {
+        const apiKey = getHeaderValue(req, 'x-api-key');
+        if (apiKey && config.auth.mode === 'static') {
+            return this.verifyStaticToken(apiKey);
+        }
+        if (apiKey && config.auth.mode === 'oauth') {
+            throw new InvalidTokenError('X-API-Key not supported for OAuth');
+        }
+        throw new InvalidTokenError('Missing Authorization header');
     }
-    throw new InvalidTokenError('Missing Authorization header');
-}
-async function authenticate(req) {
-    const authHeader = req.headers.authorization;
-    if (!authHeader) {
-        return authenticateWithApiKey(req);
+    resolveBearerToken(authHeader) {
+        const [type, token] = authHeader.split(' ');
+        if (type !== 'Bearer' || !token) {
+            throw new InvalidTokenError('Invalid Authorization header format');
+        }
+        return token;
+    }
+    buildStaticAuthInfo(token) {
+        return {
+            token,
+            clientId: 'static-token',
+            scopes: config.auth.requiredScopes,
+            expiresAt: Math.floor(Date.now() / 1000) + STATIC_TOKEN_TTL_SECONDS,
+            resource: config.auth.resourceUrl,
+        };
+    }
+    verifyStaticToken(token) {
+        if (config.auth.staticTokens.length === 0) {
+            throw new InvalidTokenError('No static tokens configured');
+        }
+        const matched = config.auth.staticTokens.some((candidate) => timingSafeEqualUtf8(candidate, token));
+        if (!matched)
+            throw new InvalidTokenError('Invalid token');
+        return this.buildStaticAuthInfo(token);
+    }
+    stripHash(url) {
+        const clean = new URL(url);
+        clean.hash = '';
+        return clean.href;
+    }
+    buildBasicAuthHeader(clientId, clientSecret) {
+        const credentials = `${clientId}:${clientSecret ?? ''}`;
+        return `Basic ${Buffer.from(credentials).toString('base64')}`;
+    }
+    buildIntrospectionRequest(token, resourceUrl, clientId, clientSecret) {
+        const body = new URLSearchParams({
+            token,
+            token_type_hint: 'access_token',
+            resource: this.stripHash(resourceUrl),
+        }).toString();
+        const headers = {
+            'content-type': 'application/x-www-form-urlencoded',
+        };
+        if (clientId)
+            headers.authorization = this.buildBasicAuthHeader(clientId, clientSecret);
+        return { body, headers };
+    }
+    async requestIntrospection(url, request, timeoutMs) {
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: request.headers,
+            body: request.body,
+            signal: AbortSignal.timeout(timeoutMs),
+        });
+        if (!response.ok) {
+            await response.body?.cancel();
+            throw new ServerError(`Token introspection failed: ${response.status}`);
+        }
+        return response.json();
+    }
+    buildIntrospectionAuthInfo(token, payload) {
+        const expiresAt = typeof payload.exp === 'number' ? payload.exp : undefined;
+        const clientId = typeof payload.client_id === 'string' ? payload.client_id : 'unknown';
+        const info = {
+            token,
+            clientId,
+            scopes: typeof payload.scope === 'string' ? payload.scope.split(' ') : [],
+            resource: config.auth.resourceUrl,
+        };
+        if (expiresAt !== undefined)
+            info.expiresAt = expiresAt;
+        return info;
+    }
+    async verifyWithIntrospection(token) {
+        if (!config.auth.introspectionUrl) {
+            throw new ServerError('Introspection not configured');
+        }
+        const req = this.buildIntrospectionRequest(token, config.auth.resourceUrl, config.auth.clientId, config.auth.clientSecret);
+        const payload = await this.requestIntrospection(config.auth.introspectionUrl, req, config.auth.introspectionTimeoutMs);
+        if (!isObject(payload) || payload.active !== true) {
+            throw new InvalidTokenError('Token is inactive');
+        }
+        return this.buildIntrospectionAuthInfo(token, payload);
     }
-    const token = resolveBearerToken(authHeader);
-    return authenticateWithToken(token);
 }
-// --- MCP Routes ---
+const authService = new AuthService();
+/* -------------------------------------------------------------------------------------------------
+ * MCP routing + session gateway
+ * ------------------------------------------------------------------------------------------------- */
 function sendError(res, code, message, status = 400, id = null) {
     res.status(status).json({
         jsonrpc: '2.0',
@@ -394,245 +420,309 @@ function sendError(res, code, message, status = 400, id = null) {
         id,
     });
 }
+const MCP_PROTOCOL_VERSION = '2025-11-25';
 function ensureMcpProtocolVersion(req, res) {
     const version = getHeaderValue(req, 'mcp-protocol-version');
     if (!version) {
         sendError(res, -32600, 'Missing MCP-Protocol-Version header');
         return false;
     }
-    if (version !== '2025-11-25') {
+    if (version !== MCP_PROTOCOL_VERSION) {
         sendError(res, -32600, `Unsupported MCP-Protocol-Version: ${version}`);
         return false;
     }
     return true;
 }
-async function createNewSession(store, mcpServer, res, requestId) {
-    const allowed = ensureSessionCapacity({
-        store,
-        maxSessions: config.server.maxSessions,
-        evictOldest: (s) => {
-            const evicted = s.evictOldest();
-            if (evicted) {
-                void evicted.transport.close().catch(() => { });
-                return true;
-            }
-            return false;
-        },
-    });
-    if (!allowed) {
-        sendError(res, -32000, 'Server busy', 503, requestId);
-        return null;
-    }
-    if (!reserveSessionSlot(store, config.server.maxSessions)) {
-        sendError(res, -32000, 'Server busy', 503, requestId);
-        return null;
+class McpSessionGateway {
+    store;
+    mcpServer;
+    constructor(store, mcpServer) {
+        this.store = store;
+        this.mcpServer = mcpServer;
     }
-    const tracker = createSlotTracker(store);
-    const transportImpl = new StreamableHTTPServerTransport({
-        sessionIdGenerator: () => randomUUID(),
-    });
-    const initTimeout = setTimeout(() => {
-        if (!tracker.isInitialized()) {
-            tracker.releaseSlot();
-            void transportImpl.close().catch(() => { });
+    async handlePost(req, res) {
+        if (!ensureMcpProtocolVersion(req, res))
+            return;
+        const { body } = req;
+        if (isJsonRpcBatchRequest(body)) {
+            sendError(res, -32600, 'Batch requests not supported');
+            return;
         }
-    }, config.server.sessionInitTimeoutMs);
-    transportImpl.onclose = () => {
-        clearTimeout(initTimeout);
-        if (!tracker.isInitialized())
-            tracker.releaseSlot();
-    };
-    try {
-        const transport = createTransportAdapter(transportImpl);
-        await mcpServer.connect(transport);
+        if (!isMcpRequestBody(body)) {
+            sendError(res, -32600, 'Invalid request body');
+            return;
+        }
+        const requestId = body.id ?? null;
+        logInfo('[MCP POST]', {
+            method: body.method,
+            id: body.id,
+            sessionId: getHeaderValue(req, 'mcp-session-id'),
+        });
+        const transport = await this.getOrCreateTransport(req, res, requestId);
+        if (!transport)
+            return;
+        await transport.handleRequest(req, res, body);
     }
-    catch (err) {
-        clearTimeout(initTimeout);
-        tracker.releaseSlot();
-        void transportImpl.close().catch(() => { });
-        throw err;
-    }
-    const newSessionId = transportImpl.sessionId;
-    if (!newSessionId) {
-        throw new ServerError('Failed to generate session ID');
-    }
-    tracker.markInitialized();
-    tracker.releaseSlot();
-    store.set(newSessionId, {
-        transport: transportImpl,
-        createdAt: Date.now(),
-        lastSeen: Date.now(),
-        protocolInitialized: false,
-    });
-    transportImpl.onclose = composeCloseHandlers(transportImpl.onclose, () => {
-        store.remove(newSessionId);
-    });
-    return transportImpl;
-}
-async function getOrCreateTransport(req, res, store, mcpServer, requestId) {
-    const sessionId = getHeaderValue(req, 'mcp-session-id');
-    if (sessionId) {
-        const session = store.get(sessionId);
+    async handleGet(req, res) {
+        if (!ensureMcpProtocolVersion(req, res))
+            return;
+        const sessionId = getHeaderValue(req, 'mcp-session-id');
+        if (!sessionId) {
+            sendError(res, -32600, 'Missing session ID');
+            return;
+        }
+        const session = this.store.get(sessionId);
         if (!session) {
-            sendError(res, -32600, 'Session not found', 404, requestId);
-            return null;
+            sendError(res, -32600, 'Session not found', 404);
+            return;
         }
-        store.touch(sessionId);
-        return session.transport;
-    }
-    if (!isInitializeRequest(req.body)) {
-        sendError(res, -32600, 'Missing session ID', 400, requestId);
-        return null;
-    }
-    return createNewSession(store, mcpServer, res, requestId);
-}
-async function handleMcpPost(req, res, store, mcpServer) {
-    if (!ensureMcpProtocolVersion(req, res))
-        return;
-    const { body } = req;
-    if (isJsonRpcBatchRequest(body)) {
-        sendError(res, -32600, 'Batch requests not supported');
-        return;
-    }
-    if (!isMcpRequestBody(body)) {
-        sendError(res, -32600, 'Invalid request body');
-        return;
-    }
-    const requestId = body.id ?? null;
-    logInfo('[MCP POST]', {
-        method: body.method,
-        id: body.id,
-        sessionId: getHeaderValue(req, 'mcp-session-id'),
-    });
-    const transport = await getOrCreateTransport(req, res, store, mcpServer, requestId);
-    if (!transport)
-        return;
-    await transport.handleRequest(req, res, body);
-}
-async function handleMcpGet(req, res, store) {
-    if (!ensureMcpProtocolVersion(req, res))
-        return;
-    const sessionId = getHeaderValue(req, 'mcp-session-id');
-    if (!sessionId) {
-        sendError(res, -32600, 'Missing session ID');
-        return;
-    }
-    const session = store.get(sessionId);
-    if (!session) {
-        sendError(res, -32600, 'Session not found', 404);
-        return;
-    }
-    const acceptHeader = getHeaderValue(req, 'accept');
-    if (!acceptsEventStream(acceptHeader)) {
-        res.status(406).json({ error: 'Not Acceptable' });
-        return;
-    }
-    store.touch(sessionId);
-    await session.transport.handleRequest(req, res);
-}
-async function handleMcpDelete(req, res, store) {
-    if (!ensureMcpProtocolVersion(req, res))
-        return;
-    const sessionId = getHeaderValue(req, 'mcp-session-id');
-    if (!sessionId) {
-        sendError(res, -32600, 'Missing session ID');
-        return;
-    }
-    const session = store.get(sessionId);
-    if (session) {
-        await session.transport.close();
-        store.remove(sessionId);
-    }
-    res.status(200).send('Session closed');
-}
-// --- Dispatch ---
-async function routeMcpRequest(req, res, url, ctx) {
-    const { pathname: path } = url;
-    const { method } = req;
-    if (path !== '/mcp')
-        return false;
-    if (method === 'POST') {
-        await handleMcpPost(req, res, ctx.store, ctx.mcpServer);
-        return true;
-    }
-    if (method === 'GET') {
-        await handleMcpGet(req, res, ctx.store);
-        return true;
+        const acceptHeader = getHeaderValue(req, 'accept');
+        if (!acceptsEventStream(acceptHeader)) {
+            res.status(406).json({ error: 'Not Acceptable' });
+            return;
+        }
+        this.store.touch(sessionId);
+        await session.transport.handleRequest(req, res);
     }
-    if (method === 'DELETE') {
-        await handleMcpDelete(req, res, ctx.store);
-        return true;
+    async handleDelete(req, res) {
+        if (!ensureMcpProtocolVersion(req, res))
+            return;
+        const sessionId = getHeaderValue(req, 'mcp-session-id');
+        if (!sessionId) {
+            sendError(res, -32600, 'Missing session ID');
+            return;
+        }
+        const session = this.store.get(sessionId);
+        if (session) {
+            await session.transport.close();
+            this.store.remove(sessionId);
+        }
+        res.status(200).send('Session closed');
+    }
+    async getOrCreateTransport(req, res, requestId) {
+        const sessionId = getHeaderValue(req, 'mcp-session-id');
+        if (sessionId) {
+            const session = this.store.get(sessionId);
+            if (!session) {
+                sendError(res, -32600, 'Session not found', 404, requestId);
+                return null;
+            }
+            this.store.touch(sessionId);
+            return session.transport;
+        }
+        if (!isInitializeRequest(req.body)) {
+            sendError(res, -32600, 'Missing session ID', 400, requestId);
+            return null;
+        }
+        return this.createNewSession(res, requestId);
+    }
+    async createNewSession(res, requestId) {
+        const allowed = ensureSessionCapacity({
+            store: this.store,
+            maxSessions: config.server.maxSessions,
+            evictOldest: (s) => {
+                const evicted = s.evictOldest();
+                if (evicted) {
+                    void evicted.transport.close().catch(() => { });
+                    return true;
+                }
+                return false;
+            },
+        });
+        if (!allowed) {
+            sendError(res, -32000, 'Server busy', 503, requestId);
+            return null;
+        }
+        if (!reserveSessionSlot(this.store, config.server.maxSessions)) {
+            sendError(res, -32000, 'Server busy', 503, requestId);
+            return null;
+        }
+        const tracker = createSlotTracker(this.store);
+        const transportImpl = new StreamableHTTPServerTransport({
+            sessionIdGenerator: () => randomUUID(),
+        });
+        const initTimeout = setTimeout(() => {
+            if (!tracker.isInitialized()) {
+                tracker.releaseSlot();
+                void transportImpl.close().catch(() => { });
+            }
+        }, config.server.sessionInitTimeoutMs);
+        transportImpl.onclose = () => {
+            clearTimeout(initTimeout);
+            if (!tracker.isInitialized())
+                tracker.releaseSlot();
+        };
+        try {
+            const transport = createTransportAdapter(transportImpl);
+            await this.mcpServer.connect(transport);
+        }
+        catch (err) {
+            clearTimeout(initTimeout);
+            tracker.releaseSlot();
+            void transportImpl.close().catch(() => { });
+            throw err;
+        }
+        const newSessionId = transportImpl.sessionId;
+        if (!newSessionId) {
+            throw new ServerError('Failed to generate session ID');
+        }
+        tracker.markInitialized();
+        tracker.releaseSlot();
+        this.store.set(newSessionId, {
+            transport: transportImpl,
+            createdAt: Date.now(),
+            lastSeen: Date.now(),
+            protocolInitialized: false,
+        });
+        transportImpl.onclose = composeCloseHandlers(transportImpl.onclose, () => {
+            this.store.remove(newSessionId);
+        });
+        return transportImpl;
     }
-    return false;
 }
+/* -------------------------------------------------------------------------------------------------
+ * Downloads + dispatcher
+ * ------------------------------------------------------------------------------------------------- */
 function checkDownloadRoute(path) {
     const downloadMatch = /^\/mcp\/downloads\/([^/]+)\/([^/]+)$/.exec(path);
-    if (downloadMatch) {
-        const namespace = downloadMatch[1];
-        const hash = downloadMatch[2];
-        if (namespace && hash) {
-            return { namespace, hash };
+    if (!downloadMatch)
+        return null;
+    const namespace = downloadMatch[1];
+    const hash = downloadMatch[2];
+    if (!namespace || !hash)
+        return null;
+    return { namespace, hash };
+}
+class HttpDispatcher {
+    store;
+    mcpGateway;
+    constructor(store, mcpGateway) {
+        this.store = store;
+        this.mcpGateway = mcpGateway;
+    }
+    async dispatch(req, res, url) {
+        const { pathname: path } = url;
+        const { method } = req;
+        try {
+            // 1) Health endpoint bypasses auth (preserve existing behavior)
+            if (method === 'GET' && path === '/health') {
+                this.handleHealthCheck(res);
+                return;
+            }
+            // 2) Auth required for everything else (preserve existing behavior)
+            if (!(await this.authenticateRequest(req, res)))
+                return;
+            // 3) Downloads
+            if (method === 'GET') {
+                const download = checkDownloadRoute(path);
+                if (download) {
+                    handleDownload(res, download.namespace, download.hash);
+                    return;
+                }
+            }
+            // 4) MCP routes
+            if (path === '/mcp') {
+                if (await this.handleMcpRoutes(req, res, method)) {
+                    return;
+                }
+            }
+            res.status(404).json({ error: 'Not Found' });
+        }
+        catch (err) {
+            logError('Request failed', err instanceof Error ? err : new Error(String(err)));
+            if (!res.writableEnded) {
+                res.status(500).json({ error: 'Internal Server Error' });
+            }
         }
     }
-    return null;
-}
-async function dispatchRequest(req, res, url, ctx) {
-    const { pathname: path } = url;
-    const { method } = req;
-    try {
-        if (method === 'GET' && path === '/health') {
-            const poolStats = getTransformPoolStats();
-            res.status(200).json({
-                status: 'ok',
-                version: serverVersion,
-                uptime: Math.floor(process.uptime()),
-                timestamp: new Date().toISOString(),
-                stats: {
-                    activeSessions: ctx.store.size(),
-                    cacheKeys: cacheKeys().length,
-                    workerPool: poolStats ?? {
-                        queueDepth: 0,
-                        activeWorkers: 0,
-                        capacity: 0,
-                    },
+    handleHealthCheck(res) {
+        const poolStats = getTransformPoolStats();
+        res.status(200).json({
+            status: 'ok',
+            version: serverVersion,
+            uptime: Math.floor(process.uptime()),
+            timestamp: new Date().toISOString(),
+            stats: {
+                activeSessions: this.store.size(),
+                cacheKeys: cacheKeys().length,
+                workerPool: poolStats ?? {
+                    queueDepth: 0,
+                    activeWorkers: 0,
+                    capacity: 0,
                 },
-            });
-            return;
-        }
-        if (!(await authenticateRequest(req, res))) {
-            return;
+            },
+        });
+    }
+    async handleMcpRoutes(req, res, method) {
+        if (method === 'POST') {
+            await this.mcpGateway.handlePost(req, res);
+            return true;
         }
         if (method === 'GET') {
-            const download = checkDownloadRoute(path);
-            if (download) {
-                handleDownload(res, download.namespace, download.hash);
-                return;
-            }
+            await this.mcpGateway.handleGet(req, res);
+            return true;
         }
-        if (await routeMcpRequest(req, res, url, ctx))
-            return;
-        res.status(404).json({ error: 'Not Found' });
+        if (method === 'DELETE') {
+            await this.mcpGateway.handleDelete(req, res);
+            return true;
+        }
+        return false;
     }
-    catch (err) {
-        logError('Request failed', err instanceof Error ? err : new Error(String(err)));
-        if (!res.writableEnded) {
-            res.status(500).json({ error: 'Internal Server Error' });
+    async authenticateRequest(req, res) {
+        try {
+            req.auth = await authService.authenticate(req);
+            return true;
+        }
+        catch (err) {
+            res.status(401).json({
+                error: err instanceof Error ? err.message : 'Unauthorized',
+            });
+            return false;
         }
     }
 }
-async function authenticateRequest(req, res) {
-    try {
-        req.auth = await authenticate(req);
-        return true;
-    }
-    catch (err) {
-        res
-            .status(401)
-            .json({ error: err instanceof Error ? err.message : 'Unauthorized' });
-        return false;
+/* -------------------------------------------------------------------------------------------------
+ * Request pipeline (order is part of behavior)
+ * ------------------------------------------------------------------------------------------------- */
+class HttpRequestPipeline {
+    rateLimiter;
+    dispatcher;
+    constructor(rateLimiter, dispatcher) {
+        this.rateLimiter = rateLimiter;
+        this.dispatcher = dispatcher;
+    }
+    async handle(rawReq, rawRes) {
+        const res = shimResponse(rawRes);
+        const req = rawReq;
+        // 1. Basic setup
+        const url = new URL(req.url ?? '', 'http://localhost');
+        req.query = parseQuery(url);
+        if (req.socket.remoteAddress)
+            req.ip = req.socket.remoteAddress;
+        req.params = {};
+        // 2. Host/Origin + CORS (preserve exact order)
+        if (!hostOriginPolicy.validate(req, res))
+            return;
+        if (corsPolicy.handle(req, res))
+            return;
+        // 3. Body parsing
+        try {
+            req.body = await jsonBodyReader.read(req);
+        }
+        catch {
+            res.status(400).json({ error: 'Invalid JSON or Payload too large' });
+            return;
+        }
+        // 4. Rate limit
+        if (!this.rateLimiter.check(req, res))
+            return;
+        // 5. Dispatch
+        await this.dispatcher.dispatch(req, res, url);
     }
 }
-// --- Main ---
+/* -------------------------------------------------------------------------------------------------
+ * Server lifecycle
+ * ------------------------------------------------------------------------------------------------- */
 export async function startHttpServer() {
     assertHttpModeConfiguration();
     enableHttpMode();
@@ -640,11 +730,11 @@ export async function startHttpServer() {
     const rateLimiter = createRateLimitManagerImpl(config.rateLimit);
     const sessionStore = createSessionStore(config.server.sessionTtlMs);
     const sessionCleanup = startSessionCleanupLoop(sessionStore, config.server.sessionTtlMs);
+    const mcpGateway = new McpSessionGateway(sessionStore, mcpServer);
+    const dispatcher = new HttpDispatcher(sessionStore, mcpGateway);
+    const pipeline = new HttpRequestPipeline(rateLimiter, dispatcher);
     const server = createServer((req, res) => {
-        void handleRequest(req, res, rateLimiter, {
-            store: sessionStore,
-            mcpServer,
-        });
+        void pipeline.handle(req, res);
     });
     applyHttpServerTuning(server);
     await new Promise((resolve, reject) => {
@@ -678,32 +768,3 @@ export async function startHttpServer() {
         },
     };
 }
-async function handleRequest(rawReq, rawRes, rateLimiter, ctx) {
-    const res = shimResponse(rawRes);
-    const req = rawReq;
-    // 1. Basic Setup
-    const url = new URL(req.url ?? '', 'http://localhost');
-    req.query = parseQuery(url);
-    if (req.socket.remoteAddress) {
-        req.ip = req.socket.remoteAddress;
-    }
-    req.params = {};
-    // 2. CORS
-    if (!validateHostAndOrigin(req, res))
-        return;
-    if (handleCors(req, res))
-        return;
-    // 3. Body Parsing
-    try {
-        req.body = await readJsonBody(req);
-    }
-    catch {
-        res.status(400).json({ error: 'Invalid JSON or Payload too large' });
-        return;
-    }
-    // 4. Rate Limit
-    if (!rateLimiter.check(req, res))
-        return;
-    // 5. Routing
-    await dispatchRequest(req, res, url, ctx);
-}