@j0hanz/superfetch 2.5.3 → 2.7.0

package/dist/http-native.js

@@ -1,28 +1,33 @@
+import { Buffer } from 'node:buffer';
 import { randomUUID } from 'node:crypto';
 import { createServer, } from 'node:http';
+import { isIP } from 'node:net';
+import { freemem, hostname, totalmem } from 'node:os';
+import { monitorEventLoopDelay, performance } from 'node:perf_hooks';
+import process from 'node:process';
+import { Writable } from 'node:stream';
+import { pipeline } from 'node:stream/promises';
 import { setInterval as setIntervalPromise } from 'node:timers/promises';
-import { URL, URLSearchParams } from 'node:url';
 import { InvalidTokenError, ServerError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
 import { keys as cacheKeys, handleDownload } from './cache.js';
 import { config, enableHttpMode, serverVersion } from './config.js';
-import { timingSafeEqualUtf8 } from './crypto.js';
+import { sha256Hex, timingSafeEqualUtf8 } from './crypto.js';
 import { normalizeHost } from './host-normalization.js';
+import { createDefaultBlockList, normalizeIpForBlockList, } from './ip-blocklist.js';
 import { acceptsEventStream, isJsonRpcBatchRequest, isMcpRequestBody, } from './mcp-validator.js';
 import { createMcpServer } from './mcp.js';
-import { logError, logInfo, logWarn } from './observability.js';
+import { logError, logInfo, logWarn, runWithRequestContext, } from './observability.js';
 import { applyHttpServerTuning, drainConnectionsOnShutdown, } from './server-tuning.js';
 import { composeCloseHandlers, createSessionStore, createSlotTracker, ensureSessionCapacity, reserveSessionSlot, startSessionCleanupLoop, } from './session.js';
 import { getTransformPoolStats } from './transform.js';
 import { isObject } from './type-guards.js';
-/* -------------------------------------------------------------------------------------------------
- * Transport adaptation
- * ------------------------------------------------------------------------------------------------- */
 function createTransportAdapter(transportImpl) {
     const noopOnClose = () => { };
     const noopOnError = () => { };
     const noopOnMessage = () => { };
+    const baseOnClose = transportImpl.onclose;
     let oncloseHandler = noopOnClose;
     let onerrorHandler = noopOnError;
     let onmessageHandler = noopOnMessage;
@@ -35,7 +40,7 @@ function createTransportAdapter(transportImpl) {
         },
         set onclose(handler) {
             oncloseHandler = handler;
-            transportImpl.onclose = handler;
+            transportImpl.onclose = composeCloseHandlers(baseOnClose, handler);
         },
         get onerror() {
             return onerrorHandler;
@@ -53,111 +58,313 @@ function createTransportAdapter(transportImpl) {
         },
     };
 }
-function shimResponse(res) {
-    const shim = res;
-    shim.status = function (code) {
-        this.statusCode = code;
-        return this;
+function sendJson(res, status, body) {
+    res.statusCode = status;
+    res.setHeader('Content-Type', 'application/json; charset=utf-8');
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    res.setHeader('Cache-Control', 'no-store');
+    res.end(JSON.stringify(body));
+}
+function sendText(res, status, body) {
+    res.statusCode = status;
+    res.setHeader('Content-Type', 'text/plain; charset=utf-8');
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    res.setHeader('Cache-Control', 'no-store');
+    res.end(body);
+}
+function sendEmpty(res, status) {
+    res.statusCode = status;
+    res.setHeader('Content-Length', '0');
+    res.end();
+}
+function drainRequest(req) {
+    if (req.readableEnded)
+        return;
+    try {
+        req.resume();
+    }
+    catch {
+        // Best-effort only.
+    }
+}
+function createRequestAbortSignal(req) {
+    const controller = new AbortController();
+    let cleanedUp = false;
+    const abortRequest = () => {
+        if (cleanedUp)
+            return;
+        if (!controller.signal.aborted)
+            controller.abort();
     };
-    shim.json = function (body) {
-        this.setHeader('Content-Type', 'application/json');
-        this.end(JSON.stringify(body));
-        return this;
+    if (req.destroyed) {
+        abortRequest();
+        return {
+            signal: controller.signal,
+            cleanup: () => {
+                cleanedUp = true;
+            },
+        };
+    }
+    const onAborted = () => {
+        abortRequest();
     };
-    shim.send = function (body) {
-        this.end(body);
-        return this;
+    const onClose = () => {
+        abortRequest();
     };
-    shim.sendStatus = function (code) {
-        this.statusCode = code;
-        this.end();
-        return this;
+    const onError = () => {
+        abortRequest();
     };
-    return shim;
+    req.once('aborted', onAborted);
+    req.once('close', onClose);
+    req.once('error', onError);
+    return {
+        signal: controller.signal,
+        cleanup: () => {
+            cleanedUp = true;
+            req.removeListener('aborted', onAborted);
+            req.removeListener('close', onClose);
+            req.removeListener('error', onError);
+        },
+    };
+}
+function normalizeRemoteAddress(address) {
+    if (!address)
+        return null;
+    const trimmed = address.trim();
+    if (!trimmed)
+        return null;
+    const zoneIndex = trimmed.indexOf('%');
+    const withoutZone = zoneIndex > 0 ? trimmed.slice(0, zoneIndex) : trimmed;
+    const normalized = withoutZone.toLowerCase();
+    if (normalized.startsWith('::ffff:')) {
+        const mapped = normalized.slice('::ffff:'.length);
+        if (isIP(mapped) === 4)
+            return mapped;
+    }
+    if (isIP(normalized))
+        return normalized;
+    return trimmed;
 }
-/* -------------------------------------------------------------------------------------------------
- * Request parsing helpers
- * ------------------------------------------------------------------------------------------------- */
+function registerInboundBlockList(server) {
+    if (!config.server.http.blockPrivateConnections)
+        return;
+    const blockList = createDefaultBlockList();
+    server.on('connection', (socket) => {
+        const remoteAddress = normalizeRemoteAddress(socket.remoteAddress);
+        if (!remoteAddress)
+            return;
+        const normalized = normalizeIpForBlockList(remoteAddress);
+        if (!normalized)
+            return;
+        if (blockList.check(normalized.ip, normalized.family)) {
+            logWarn('Blocked inbound connection', {
+                remoteAddress: normalized.ip,
+                family: normalized.family,
+            });
+            socket.destroy();
+        }
+    });
+}
+function getHeaderValue(req, name) {
+    const val = req.headers[name];
+    if (!val)
+        return null;
+    if (Array.isArray(val))
+        return val[0] ?? null;
+    return val;
+}
+function getMcpSessionId(req) {
+    return (getHeaderValue(req, 'mcp-session-id') ??
+        getHeaderValue(req, 'x-mcp-session-id'));
+}
+function buildRequestContext(req, res, signal) {
+    let url;
+    try {
+        url = new URL(req.url ?? '', 'http://localhost');
+    }
+    catch {
+        sendJson(res, 400, { error: 'Invalid request URL' });
+        return null;
+    }
+    return {
+        req,
+        res,
+        url,
+        method: req.method,
+        ip: normalizeRemoteAddress(req.socket.remoteAddress),
+        body: undefined,
+        ...(signal ? { signal } : {}),
+    };
+}
+async function closeTransportBestEffort(transport, context) {
+    try {
+        await transport.close();
+    }
+    catch (error) {
+        logWarn('Transport close failed', { context, error });
+    }
+}
+class JsonBodyError extends Error {
+    kind;
+    constructor(kind, message) {
+        super(message);
+        this.name = 'JsonBodyError';
+        this.kind = kind;
+    }
+}
+const DEFAULT_BODY_LIMIT_BYTES = 1024 * 1024;
 class JsonBodyReader {
-    async read(req, limit = 1024 * 1024) {
-        const contentType = req.headers['content-type'];
+    async read(req, limit = DEFAULT_BODY_LIMIT_BYTES, signal) {
+        const contentType = getHeaderValue(req, 'content-type');
         if (!contentType?.includes('application/json'))
             return undefined;
-        return new Promise((resolve, reject) => {
-            let size = 0;
-            const chunks = [];
-            req.on('data', (chunk) => {
-                size += chunk.length;
-                if (size > limit) {
+        const contentLengthHeader = getHeaderValue(req, 'content-length');
+        if (contentLengthHeader) {
+            const contentLength = Number.parseInt(contentLengthHeader, 10);
+            if (Number.isFinite(contentLength) && contentLength > limit) {
+                try {
                     req.destroy();
-                    reject(new Error('Payload too large'));
-                    return;
                 }
-                chunks.push(chunk);
-            });
-            req.on('end', () => {
+                catch {
+                    // Best-effort only.
+                }
+                throw new JsonBodyError('payload-too-large', 'Payload too large');
+            }
+        }
+        if (signal?.aborted || req.destroyed) {
+            throw new JsonBodyError('read-failed', 'Request aborted');
+        }
+        const body = await this.readBody(req, limit, signal);
+        if (!body)
+            return undefined;
+        try {
+            return JSON.parse(body);
+        }
+        catch (err) {
+            throw new JsonBodyError('invalid-json', err instanceof Error ? err.message : String(err));
+        }
+    }
+    async readBody(req, limit, signal) {
+        const abortListener = this.attachAbortListener(req, signal);
+        try {
+            const { chunks, size } = await this.collectChunks(req, limit, signal);
+            if (chunks.length === 0)
+                return undefined;
+            return Buffer.concat(chunks, size).toString('utf8');
+        }
+        finally {
+            this.detachAbortListener(signal, abortListener);
+        }
+    }
+    attachAbortListener(req, signal) {
+        if (!signal)
+            return null;
+        const listener = () => {
+            try {
+                req.destroy();
+            }
+            catch {
+                // Best-effort only.
+            }
+        };
+        if (signal.aborted) {
+            listener();
+        }
+        else {
+            signal.addEventListener('abort', listener, { once: true });
+        }
+        return listener;
+    }
+    detachAbortListener(signal, listener) {
+        if (!signal || !listener)
+            return;
+        try {
+            signal.removeEventListener('abort', listener);
+        }
+        catch {
+            // Best-effort cleanup.
+        }
+    }
+    async collectChunks(req, limit, signal) {
+        let size = 0;
+        const chunks = [];
+        const sink = new Writable({
+            write: (chunk, _encoding, callback) => {
                 try {
-                    const body = Buffer.concat(chunks).toString();
-                    if (!body) {
-                        resolve(undefined);
+                    if (signal?.aborted || req.destroyed) {
+                        callback(new JsonBodyError('read-failed', 'Request aborted'));
+                        return;
+                    }
+                    const buf = this.normalizeChunk(chunk);
+                    size += buf.length;
+                    if (size > limit) {
+                        req.destroy();
+                        callback(new JsonBodyError('payload-too-large', 'Payload too large'));
                         return;
                     }
-                    resolve(JSON.parse(body));
+                    chunks.push(buf);
+                    callback();
                 }
                 catch (err) {
-                    reject(err instanceof Error ? err : new Error(String(err)));
+                    callback(err instanceof Error ? err : new Error(String(err)));
                 }
-            });
-            req.on('error', (err) => {
-                reject(err instanceof Error ? err : new Error(String(err)));
-            });
+            },
         });
+        try {
+            if (signal?.aborted || req.destroyed) {
+                throw new JsonBodyError('read-failed', 'Request aborted');
+            }
+            await pipeline(req, sink, signal ? { signal } : undefined);
+            return { chunks, size };
+        }
+        catch (err) {
+            if (err instanceof JsonBodyError)
+                throw err;
+            if (signal?.aborted || req.destroyed) {
+                throw new JsonBodyError('read-failed', 'Request aborted');
+            }
+            throw new JsonBodyError('read-failed', err instanceof Error ? err.message : String(err));
+        }
+    }
+    normalizeChunk(chunk) {
+        if (Buffer.isBuffer(chunk))
+            return chunk;
+        if (typeof chunk === 'string')
+            return Buffer.from(chunk, 'utf8');
+        return Buffer.from(chunk.buffer, chunk.byteOffset, chunk.byteLength);
     }
 }
 const jsonBodyReader = new JsonBodyReader();
-function parseQuery(url) {
-    const query = {};
-    for (const [key, value] of url.searchParams) {
-        const existing = query[key];
-        if (existing) {
-            if (Array.isArray(existing))
-                existing.push(value);
-            else
-                query[key] = [existing, value];
+class CorsPolicy {
+    handle(ctx) {
+        const { req, res } = ctx;
+        const origin = getHeaderValue(req, 'origin');
+        if (origin) {
+            res.setHeader('Access-Control-Allow-Origin', origin);
+            res.setHeader('Vary', 'Origin');
         }
         else {
-            query[key] = value;
+            res.setHeader('Access-Control-Allow-Origin', '*');
         }
-    }
-    return query;
-}
-function getHeaderValue(req, name) {
-    const val = req.headers[name.toLowerCase()];
-    if (!val)
-        return null;
-    if (Array.isArray(val))
-        return val[0] ?? null;
-    return val;
-}
-/* -------------------------------------------------------------------------------------------------
- * CORS & Host/Origin policy
- * ------------------------------------------------------------------------------------------------- */
-class CorsPolicy {
-    handle(req, res) {
-        res.setHeader('Access-Control-Allow-Origin', '*');
         res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, DELETE');
-        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-API-Key, MCP-Protocol-Version, X-MCP-Session-ID');
-        if (req.method === 'OPTIONS') {
-            res.writeHead(204);
-            res.end();
-            return true;
-        }
-        return false;
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-API-Key, MCP-Protocol-Version, MCP-Session-ID, X-MCP-Session-ID, Last-Event-ID');
+        if (req.method !== 'OPTIONS')
+            return false;
+        sendEmpty(res, 204);
+        return true;
     }
 }
 const corsPolicy = new CorsPolicy();
 const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
 const WILDCARD_HOSTS = new Set(['0.0.0.0', '::']);
+function hasConstantTimeMatch(candidates, input) {
+    // Avoid leaking match index via early-return.
+    let matched = 0;
+    for (const candidate of candidates) {
+        matched |= timingSafeEqualUtf8(candidate, input) ? 1 : 0;
+    }
+    return matched === 1;
+}
 function isWildcardHost(host) {
     return WILDCARD_HOSTS.has(host);
 }
@@ -176,20 +383,21 @@ function buildAllowedHosts() {
 }
 const ALLOWED_HOSTS = buildAllowedHosts();
 class HostOriginPolicy {
-    validate(req, res) {
+    validate(ctx) {
+        const { req, res } = ctx;
         const host = this.resolveHostHeader(req);
         if (!host)
             return this.reject(res, 400, 'Missing or invalid Host header');
         if (!ALLOWED_HOSTS.has(host))
             return this.reject(res, 403, 'Host not allowed');
         const originHeader = getHeaderValue(req, 'origin');
-        if (originHeader) {
-            const originHost = this.resolveOriginHost(originHeader);
-            if (!originHost)
-                return this.reject(res, 403, 'Invalid Origin header');
-            if (!ALLOWED_HOSTS.has(originHost))
-                return this.reject(res, 403, 'Origin not allowed');
-        }
+        if (!originHeader)
+            return true;
+        const originHost = this.resolveOriginHost(originHeader);
+        if (!originHost)
+            return this.reject(res, 403, 'Invalid Origin header');
+        if (!ALLOWED_HOSTS.has(originHost))
+            return this.reject(res, 403, 'Origin not allowed');
         return true;
     }
     resolveHostHeader(req) {
@@ -210,14 +418,11 @@ class HostOriginPolicy {
         }
     }
     reject(res, status, message) {
-        res.status(status).json({ error: message });
+        sendJson(res, status, { error: message });
         return false;
     }
 }
 const hostOriginPolicy = new HostOriginPolicy();
-/* -------------------------------------------------------------------------------------------------
- * HTTP mode configuration assertions
- * ------------------------------------------------------------------------------------------------- */
 function assertHttpModeConfiguration() {
     const configuredHost = normalizeHost(config.server.host);
     const isLoopback = configuredHost !== null && LOOPBACK_HOSTS.has(configuredHost);
@@ -248,12 +453,7 @@ class RateLimiter {
         void (async () => {
             try {
                 for await (const getNow of interval) {
-                    const now = getNow();
-                    for (const [key, entry] of this.store.entries()) {
-                        if (now - entry.lastAccessed > this.options.windowMs * 2) {
-                            this.store.delete(key);
-                        }
-                    }
+                    this.cleanupEntries(getNow());
                 }
             }
             catch (err) {
@@ -263,13 +463,32 @@ class RateLimiter {
             }
         })();
     }
-    check(req, res) {
-        if (!this.options.enabled || req.method === 'OPTIONS')
+    cleanupEntries(now) {
+        const maxIdle = this.options.windowMs * 2;
+        for (const [key, entry] of this.store.entries()) {
+            if (now - entry.lastAccessed > maxIdle) {
+                this.store.delete(key);
+            }
+        }
+    }
+    check(ctx) {
+        if (!this.options.enabled || ctx.method === 'OPTIONS')
             return true;
-        const key = req.ip ?? 'unknown';
+        const key = ctx.ip ?? 'unknown';
         const now = Date.now();
         let entry = this.store.get(key);
-        if (!entry || now > entry.resetTime) {
+        if (entry) {
+            if (now > entry.resetTime) {
+                entry.count = 1;
+                entry.resetTime = now + this.options.windowMs;
+                entry.lastAccessed = now;
+            }
+            else {
+                entry.count += 1;
+                entry.lastAccessed = now;
+            }
+        }
+        else {
             entry = {
                 count: 1,
                 resetTime: now + this.options.windowMs,
@@ -277,14 +496,10 @@ class RateLimiter {
             };
             this.store.set(key, entry);
         }
-        else {
-            entry.count += 1;
-            entry.lastAccessed = now;
-        }
         if (entry.count > this.options.maxRequests) {
             const retryAfter = Math.max(1, Math.ceil((entry.resetTime - now) / 1000));
-            res.setHeader('Retry-After', String(retryAfter));
-            res.status(429).json({ error: 'Rate limit exceeded', retryAfter });
+            ctx.res.setHeader('Retry-After', String(retryAfter));
+            sendJson(ctx.res, 429, { error: 'Rate limit exceeded', retryAfter });
             return false;
         }
         return true;
@@ -296,22 +511,20 @@ class RateLimiter {
 function createRateLimitManagerImpl(options) {
     return new RateLimiter(options);
 }
-/* -------------------------------------------------------------------------------------------------
- * Auth (static + OAuth introspection)
- * ------------------------------------------------------------------------------------------------- */
 const STATIC_TOKEN_TTL_SECONDS = 60 * 60 * 24;
 class AuthService {
-    async authenticate(req) {
-        const authHeader = req.headers.authorization;
+    staticTokenDigests = config.auth.staticTokens.map((token) => sha256Hex(token));
+    async authenticate(req, signal) {
+        const authHeader = getHeaderValue(req, 'authorization');
         if (!authHeader) {
             return this.authenticateWithApiKey(req);
         }
         const token = this.resolveBearerToken(authHeader);
-        return this.authenticateWithToken(token);
+        return this.authenticateWithToken(token, signal);
     }
-    authenticateWithToken(token) {
+    authenticateWithToken(token, signal) {
         return config.auth.mode === 'oauth'
-            ? this.verifyWithIntrospection(token)
+            ? this.verifyWithIntrospection(token, signal)
             : Promise.resolve(this.verifyStaticToken(token));
     }
     authenticateWithApiKey(req) {
@@ -325,8 +538,11 @@ class AuthService {
         throw new InvalidTokenError('Missing Authorization header');
     }
     resolveBearerToken(authHeader) {
-        const [type, token] = authHeader.split(' ');
-        if (type !== 'Bearer' || !token) {
+        if (!authHeader.startsWith('Bearer ')) {
+            throw new InvalidTokenError('Invalid Authorization header format');
+        }
+        const token = authHeader.substring(7);
+        if (!token) {
             throw new InvalidTokenError('Invalid Authorization header format');
         }
         return token;
@@ -341,10 +557,11 @@ class AuthService {
         };
     }
     verifyStaticToken(token) {
-        if (config.auth.staticTokens.length === 0) {
+        if (this.staticTokenDigests.length === 0) {
             throw new InvalidTokenError('No static tokens configured');
         }
-        const matched = config.auth.staticTokens.some((candidate) => timingSafeEqualUtf8(candidate, token));
+        const tokenDigest = sha256Hex(token);
+        const matched = hasConstantTimeMatch(this.staticTokenDigests, tokenDigest);
         if (!matched)
             throw new InvalidTokenError('Invalid token');
         return this.buildStaticAuthInfo(token);
@@ -355,8 +572,9 @@ class AuthService {
         return clean.href;
     }
     buildBasicAuthHeader(clientId, clientSecret) {
+        // Base64 is only an encoding for header transport; it is NOT encryption.
         const credentials = `${clientId}:${clientSecret ?? ''}`;
-        return `Basic ${Buffer.from(credentials).toString('base64')}`;
+        return `Basic ${Buffer.from(credentials, 'utf8').toString('base64')}`;
     }
     buildIntrospectionRequest(token, resourceUrl, clientId, clientSecret) {
         const body = new URLSearchParams({
@@ -367,19 +585,26 @@ class AuthService {
         const headers = {
             'content-type': 'application/x-www-form-urlencoded',
         };
-        if (clientId)
+        if (clientId) {
             headers.authorization = this.buildBasicAuthHeader(clientId, clientSecret);
+        }
         return { body, headers };
     }
-    async requestIntrospection(url, request, timeoutMs) {
+    async requestIntrospection(url, request, timeoutMs, signal) {
+        const timeoutSignal = AbortSignal.timeout(timeoutMs);
+        const combinedSignal = signal
+            ? AbortSignal.any([signal, timeoutSignal])
+            : timeoutSignal;
         const response = await fetch(url, {
             method: 'POST',
             headers: request.headers,
             body: request.body,
-            signal: AbortSignal.timeout(timeoutMs),
+            signal: combinedSignal,
         });
         if (!response.ok) {
-            await response.body?.cancel();
+            if (response.body) {
+                await response.body.cancel();
+            }
             throw new ServerError(`Token introspection failed: ${response.status}`);
         }
         return response.json();
@@ -397,12 +622,12 @@ class AuthService {
             info.expiresAt = expiresAt;
         return info;
     }
-    async verifyWithIntrospection(token) {
+    async verifyWithIntrospection(token, signal) {
         if (!config.auth.introspectionUrl) {
             throw new ServerError('Introspection not configured');
         }
         const req = this.buildIntrospectionRequest(token, config.auth.resourceUrl, config.auth.clientId, config.auth.clientSecret);
-        const payload = await this.requestIntrospection(config.auth.introspectionUrl, req, config.auth.introspectionTimeoutMs);
+        const payload = await this.requestIntrospection(config.auth.introspectionUrl, req, config.auth.introspectionTimeoutMs, signal);
         if (!isObject(payload) || payload.active !== true) {
             throw new InvalidTokenError('Token is inactive');
         }
@@ -410,11 +635,47 @@ class AuthService {
     }
 }
 const authService = new AuthService();
-/* -------------------------------------------------------------------------------------------------
- * MCP routing + session gateway
- * ------------------------------------------------------------------------------------------------- */
+const EVENT_LOOP_DELAY_RESOLUTION_MS = 20;
+const eventLoopDelay = monitorEventLoopDelay({
+    resolution: EVENT_LOOP_DELAY_RESOLUTION_MS,
+});
+let lastEventLoopUtilization = performance.eventLoopUtilization();
+function roundTo(value, precision) {
+    const factor = 10 ** precision;
+    return Math.round(value * factor) / factor;
+}
+function formatEventLoopUtilization(snapshot) {
+    return {
+        utilization: roundTo(snapshot.utilization, 4),
+        activeMs: Math.round(snapshot.active),
+        idleMs: Math.round(snapshot.idle),
+    };
+}
+function toMs(valueNs) {
+    return roundTo(valueNs / 1_000_000, 3);
+}
+function getEventLoopStats() {
+    const current = performance.eventLoopUtilization();
+    const delta = performance.eventLoopUtilization(current, lastEventLoopUtilization);
+    lastEventLoopUtilization = current;
+    return {
+        utilization: {
+            total: formatEventLoopUtilization(current),
+            sinceLast: formatEventLoopUtilization(delta),
+        },
+        delay: {
+            minMs: toMs(eventLoopDelay.min),
+            maxMs: toMs(eventLoopDelay.max),
+            meanMs: toMs(eventLoopDelay.mean),
+            stddevMs: toMs(eventLoopDelay.stddev),
+            p50Ms: toMs(eventLoopDelay.percentile(50)),
+            p95Ms: toMs(eventLoopDelay.percentile(95)),
+            p99Ms: toMs(eventLoopDelay.percentile(99)),
+        },
+    };
+}
 function sendError(res, code, message, status = 400, id = null) {
-    res.status(status).json({
+    sendJson(res, status, {
         jsonrpc: '2.0',
         error: { code, message },
         id,
@@ -433,6 +694,15 @@ function ensureMcpProtocolVersion(req, res) {
     }
     return true;
 }
+function buildAuthFingerprint(auth) {
+    if (!auth)
+        return null;
+    const safeClientId = typeof auth.clientId === 'string' ? auth.clientId : '';
+    const safeToken = typeof auth.token === 'string' ? auth.token : '';
+    if (!safeClientId && !safeToken)
+        return null;
+    return sha256Hex(`${safeClientId}:${safeToken}`);
+}
 class McpSessionGateway {
     store;
     mcpServer;
@@ -440,56 +710,56 @@ class McpSessionGateway {
         this.store = store;
         this.mcpServer = mcpServer;
     }
-    async handlePost(req, res) {
-        if (!ensureMcpProtocolVersion(req, res))
+    async handlePost(ctx) {
+        if (!ensureMcpProtocolVersion(ctx.req, ctx.res))
             return;
-        const { body } = req;
+        const { body } = ctx;
         if (isJsonRpcBatchRequest(body)) {
-            sendError(res, -32600, 'Batch requests not supported');
+            sendError(ctx.res, -32600, 'Batch requests not supported');
             return;
         }
         if (!isMcpRequestBody(body)) {
-            sendError(res, -32600, 'Invalid request body');
+            sendError(ctx.res, -32600, 'Invalid request body');
             return;
         }
         const requestId = body.id ?? null;
         logInfo('[MCP POST]', {
             method: body.method,
             id: body.id,
-            sessionId: getHeaderValue(req, 'mcp-session-id'),
+            sessionId: getMcpSessionId(ctx.req),
         });
-        const transport = await this.getOrCreateTransport(req, res, requestId);
+        const transport = await this.getOrCreateTransport(ctx, requestId);
         if (!transport)
             return;
-        await transport.handleRequest(req, res, body);
+        await transport.handleRequest(ctx.req, ctx.res, body);
     }
-    async handleGet(req, res) {
-        if (!ensureMcpProtocolVersion(req, res))
+    async handleGet(ctx) {
+        if (!ensureMcpProtocolVersion(ctx.req, ctx.res))
             return;
-        const sessionId = getHeaderValue(req, 'mcp-session-id');
+        const sessionId = getMcpSessionId(ctx.req);
         if (!sessionId) {
-            sendError(res, -32600, 'Missing session ID');
+            sendError(ctx.res, -32600, 'Missing session ID');
             return;
         }
         const session = this.store.get(sessionId);
         if (!session) {
-            sendError(res, -32600, 'Session not found', 404);
+            sendError(ctx.res, -32600, 'Session not found', 404);
             return;
         }
-        const acceptHeader = getHeaderValue(req, 'accept');
+        const acceptHeader = getHeaderValue(ctx.req, 'accept');
         if (!acceptsEventStream(acceptHeader)) {
-            res.status(405).json({ error: 'Method Not Allowed' });
+            sendJson(ctx.res, 405, { error: 'Method Not Allowed' });
             return;
         }
         this.store.touch(sessionId);
-        await session.transport.handleRequest(req, res);
+        await session.transport.handleRequest(ctx.req, ctx.res);
     }
-    async handleDelete(req, res) {
-        if (!ensureMcpProtocolVersion(req, res))
+    async handleDelete(ctx) {
+        if (!ensureMcpProtocolVersion(ctx.req, ctx.res))
             return;
-        const sessionId = getHeaderValue(req, 'mcp-session-id');
+        const sessionId = getMcpSessionId(ctx.req);
         if (!sessionId) {
-            sendError(res, -32600, 'Missing session ID');
+            sendError(ctx.res, -32600, 'Missing session ID');
             return;
         }
         const session = this.store.get(sessionId);
@@ -497,46 +767,41 @@ class McpSessionGateway {
             await session.transport.close();
             this.store.remove(sessionId);
         }
-        res.status(200).send('Session closed');
+        sendText(ctx.res, 200, 'Session closed');
     }
-    async getOrCreateTransport(req, res, requestId) {
-        const sessionId = getHeaderValue(req, 'mcp-session-id');
+    async getOrCreateTransport(ctx, requestId) {
+        const sessionId = getMcpSessionId(ctx.req);
         if (sessionId) {
-            const session = this.store.get(sessionId);
-            if (!session) {
-                sendError(res, -32600, 'Session not found', 404, requestId);
-                return null;
-            }
-            this.store.touch(sessionId);
-            return session.transport;
+            const fingerprint = buildAuthFingerprint(ctx.auth);
+            return this.getExistingTransport(sessionId, fingerprint, ctx.res, requestId);
         }
-        if (!isInitializeRequest(req.body)) {
-            sendError(res, -32600, 'Missing session ID', 400, requestId);
+        if (!isInitializeRequest(ctx.body)) {
+            sendError(ctx.res, -32600, 'Missing session ID', 400, requestId);
             return null;
         }
-        return this.createNewSession(res, requestId);
+        return this.createNewSession(ctx, requestId);
     }
-    async createNewSession(res, requestId) {
-        const allowed = ensureSessionCapacity({
-            store: this.store,
-            maxSessions: config.server.maxSessions,
-            evictOldest: (s) => {
-                const evicted = s.evictOldest();
-                if (evicted) {
-                    void evicted.transport.close().catch(() => { });
-                    return true;
-                }
-                return false;
-            },
-        });
-        if (!allowed) {
-            sendError(res, -32000, 'Server busy', 503, requestId);
+    getExistingTransport(sessionId, authFingerprint, res, requestId) {
+        const session = this.store.get(sessionId);
+        if (!session) {
+            sendError(res, -32600, 'Session not found', 404, requestId);
             return null;
         }
-        if (!reserveSessionSlot(this.store, config.server.maxSessions)) {
-            sendError(res, -32000, 'Server busy', 503, requestId);
+        if (!authFingerprint || session.authFingerprint !== authFingerprint) {
+            sendError(res, -32600, 'Session not found', 404, requestId);
             return null;
         }
+        this.store.touch(sessionId);
+        return session.transport;
+    }
+    async createNewSession(ctx, requestId) {
+        const authFingerprint = buildAuthFingerprint(ctx.auth);
+        if (!authFingerprint) {
+            sendError(ctx.res, -32603, 'Missing auth context', 500, requestId);
+            return null;
+        }
+        if (!this.reserveCapacity(ctx.res, requestId))
+            return null;
         const tracker = createSlotTracker(this.store);
         const transportImpl = new StreamableHTTPServerTransport({
             sessionIdGenerator: () => randomUUID(),
@@ -544,9 +809,10 @@ class McpSessionGateway {
         const initTimeout = setTimeout(() => {
             if (!tracker.isInitialized()) {
                 tracker.releaseSlot();
-                void transportImpl.close().catch(() => { });
+                void closeTransportBestEffort(transportImpl, 'session-init-timeout');
             }
         }, config.server.sessionInitTimeoutMs);
+        initTimeout.unref();
         transportImpl.onclose = () => {
             clearTimeout(initTimeout);
             if (!tracker.isInitialized())
@@ -559,7 +825,7 @@ class McpSessionGateway {
         catch (err) {
             clearTimeout(initTimeout);
             tracker.releaseSlot();
-            void transportImpl.close().catch(() => { });
+            void closeTransportBestEffort(transportImpl, 'session-connect-failed');
             throw err;
         }
         const newSessionId = transportImpl.sessionId;
@@ -573,16 +839,37 @@ class McpSessionGateway {
             createdAt: Date.now(),
             lastSeen: Date.now(),
             protocolInitialized: false,
+            authFingerprint,
         });
         transportImpl.onclose = composeCloseHandlers(transportImpl.onclose, () => {
             this.store.remove(newSessionId);
         });
         return transportImpl;
     }
+    reserveCapacity(res, requestId) {
+        const allowed = ensureSessionCapacity({
+            store: this.store,
+            maxSessions: config.server.maxSessions,
+            evictOldest: (store) => {
+                const evicted = store.evictOldest();
+                if (evicted) {
+                    void closeTransportBestEffort(evicted.transport, 'session-eviction');
+                    return true;
+                }
+                return false;
+            },
+        });
+        if (!allowed) {
+            sendError(res, -32000, 'Server busy', 503, requestId);
+            return false;
+        }
+        if (!reserveSessionSlot(this.store, config.server.maxSessions)) {
+            sendError(res, -32000, 'Server busy', 503, requestId);
+            return false;
+        }
+        return true;
+    }
 }
-/* -------------------------------------------------------------------------------------------------
- * Downloads + dispatcher
- * ------------------------------------------------------------------------------------------------- */
 function checkDownloadRoute(path) {
     const downloadMatch = /^\/mcp\/downloads\/([^/]+)\/([^/]+)$/.exec(path);
     if (!downloadMatch)
@@ -600,48 +887,61 @@ class HttpDispatcher {
         this.store = store;
         this.mcpGateway = mcpGateway;
     }
-    async dispatch(req, res, url) {
-        const { pathname: path } = url;
-        const { method } = req;
+    async dispatch(ctx) {
         try {
-            // 1) Health endpoint bypasses auth (preserve existing behavior)
-            if (method === 'GET' && path === '/health') {
-                this.handleHealthCheck(res);
+            if (ctx.method === 'GET' && ctx.url.pathname === '/health') {
+                this.handleHealthCheck(ctx.res);
                 return;
             }
-            // 2) Auth required for everything else (preserve existing behavior)
-            if (!(await this.authenticateRequest(req, res)))
+            const auth = await this.authenticateRequest(ctx);
+            if (!auth)
                 return;
-            // 3) Downloads
-            if (method === 'GET') {
-                const download = checkDownloadRoute(path);
+            const authCtx = { ...ctx, auth };
+            if (ctx.method === 'GET') {
+                const download = checkDownloadRoute(ctx.url.pathname);
                 if (download) {
-                    handleDownload(res, download.namespace, download.hash);
+                    handleDownload(ctx.res, download.namespace, download.hash);
                     return;
                 }
             }
-            // 4) MCP routes
-            if (path === '/mcp') {
-                if (await this.handleMcpRoutes(req, res, method)) {
+            if (ctx.url.pathname === '/mcp') {
+                const handled = await this.handleMcpRoutes(authCtx);
+                if (handled)
                     return;
-                }
             }
-            res.status(404).json({ error: 'Not Found' });
+            sendJson(ctx.res, 404, { error: 'Not Found' });
         }
         catch (err) {
-            logError('Request failed', err instanceof Error ? err : new Error(String(err)));
-            if (!res.writableEnded) {
-                res.status(500).json({ error: 'Internal Server Error' });
+            const error = err instanceof Error ? err : new Error(String(err));
+            logError('Request failed', error);
+            if (!ctx.res.writableEnded) {
+                sendJson(ctx.res, 500, { error: 'Internal Server Error' });
             }
         }
     }
     handleHealthCheck(res) {
         const poolStats = getTransformPoolStats();
-        res.status(200).json({
+        res.setHeader('Cache-Control', 'no-store');
+        sendJson(res, 200, {
             status: 'ok',
             version: serverVersion,
             uptime: Math.floor(process.uptime()),
             timestamp: new Date().toISOString(),
+            os: {
+                hostname: hostname(),
+                platform: process.platform,
+                arch: process.arch,
+                memoryFree: freemem(),
+                memoryTotal: totalmem(),
+            },
+            process: {
+                pid: process.pid,
+                ppid: process.ppid,
+                memory: process.memoryUsage(),
+                cpu: process.cpuUsage(),
+                resource: process.resourceUsage(),
+            },
+            perf: getEventLoopStats(),
             stats: {
                 activeSessions: this.store.size(),
                 cacheKeys: cacheKeys().length,
@@ -653,37 +953,33 @@ class HttpDispatcher {
             },
         });
     }
-    async handleMcpRoutes(req, res, method) {
-        if (method === 'POST') {
-            await this.mcpGateway.handlePost(req, res);
-            return true;
-        }
-        if (method === 'GET') {
-            await this.mcpGateway.handleGet(req, res);
-            return true;
-        }
-        if (method === 'DELETE') {
-            await this.mcpGateway.handleDelete(req, res);
-            return true;
+    async handleMcpRoutes(ctx) {
+        switch (ctx.method) {
+            case 'POST':
+                await this.mcpGateway.handlePost(ctx);
+                return true;
+            case 'GET':
+                await this.mcpGateway.handleGet(ctx);
+                return true;
+            case 'DELETE':
+                await this.mcpGateway.handleDelete(ctx);
+                return true;
+            default:
+                return false;
         }
-        return false;
     }
-    async authenticateRequest(req, res) {
+    async authenticateRequest(ctx) {
         try {
-            req.auth = await authService.authenticate(req);
-            return true;
+            return await authService.authenticate(ctx.req, ctx.signal);
         }
         catch (err) {
-            res.status(401).json({
+            sendJson(ctx.res, 401, {
                 error: err instanceof Error ? err.message : 'Unauthorized',
             });
-            return false;
+            return null;
         }
     }
 }
-/* -------------------------------------------------------------------------------------------------
- * Request pipeline (order is part of behavior)
- * ------------------------------------------------------------------------------------------------- */
 class HttpRequestPipeline {
     rateLimiter;
     dispatcher;
@@ -692,40 +988,110 @@ class HttpRequestPipeline {
         this.dispatcher = dispatcher;
     }
     async handle(rawReq, rawRes) {
-        const res = shimResponse(rawRes);
-        const req = rawReq;
-        // 1. Basic setup
-        const url = new URL(req.url ?? '', 'http://localhost');
-        req.query = parseQuery(url);
-        if (req.socket.remoteAddress)
-            req.ip = req.socket.remoteAddress;
-        req.params = {};
-        // 2. Host/Origin + CORS (preserve exact order)
-        if (!hostOriginPolicy.validate(req, res))
-            return;
-        if (corsPolicy.handle(req, res))
-            return;
-        // 3. Body parsing
+        const requestId = getHeaderValue(rawReq, 'x-request-id') ?? randomUUID();
+        const sessionId = getMcpSessionId(rawReq) ?? undefined;
+        const { signal, cleanup } = createRequestAbortSignal(rawReq);
         try {
-            req.body = await jsonBodyReader.read(req);
+            await runWithRequestContext({
+                requestId,
+                operationId: requestId,
+                ...(sessionId ? { sessionId } : {}),
+            }, async () => {
+                const ctx = buildRequestContext(rawReq, rawRes, signal);
+                if (!ctx) {
+                    drainRequest(rawReq);
+                    return;
+                }
+                if (!hostOriginPolicy.validate(ctx)) {
+                    drainRequest(rawReq);
+                    return;
+                }
+                if (corsPolicy.handle(ctx)) {
+                    drainRequest(rawReq);
+                    return;
+                }
+                if (!this.rateLimiter.check(ctx)) {
+                    drainRequest(rawReq);
+                    return;
+                }
+                try {
+                    ctx.body = await jsonBodyReader.read(ctx.req, DEFAULT_BODY_LIMIT_BYTES, ctx.signal);
+                }
+                catch {
+                    if (ctx.url.pathname === '/mcp' && ctx.method === 'POST') {
+                        sendError(ctx.res, -32700, 'Parse error', 400, null);
+                    }
+                    else {
+                        sendJson(ctx.res, 400, {
+                            error: 'Invalid JSON or Payload too large',
+                        });
+                    }
+                    drainRequest(rawReq);
+                    return;
+                }
+                await this.dispatcher.dispatch(ctx);
+            });
         }
-        catch {
-            res.status(400).json({ error: 'Invalid JSON or Payload too large' });
-            return;
+        finally {
+            cleanup();
         }
-        // 4. Rate limit
-        if (!this.rateLimiter.check(req, res))
-            return;
-        // 5. Dispatch
-        await this.dispatcher.dispatch(req, res, url);
     }
 }
-/* -------------------------------------------------------------------------------------------------
- * Server lifecycle
- * ------------------------------------------------------------------------------------------------- */
+function handlePipelineError(error, res) {
+    logError('Request pipeline failed', error instanceof Error ? error : new Error(String(error)));
+    if (res.writableEnded)
+        return;
+    if (!res.headersSent) {
+        sendJson(res, 500, { error: 'Internal Server Error' });
+        return;
+    }
+    res.end();
+}
+async function listen(server, host, port) {
+    await new Promise((resolve, reject) => {
+        function onError(err) {
+            server.off('error', onError);
+            reject(err);
+        }
+        server.once('error', onError);
+        server.listen(port, host, () => {
+            server.off('error', onError);
+            resolve();
+        });
+    });
+}
+function resolveListeningPort(server, fallback) {
+    const addr = server.address();
+    if (addr && typeof addr === 'object')
+        return addr.port;
+    return fallback;
+}
+function createShutdownHandler(options) {
+    return async (signal) => {
+        logInfo(`Stopping HTTP server (${signal})...`);
+        options.rateLimiter.stop();
+        options.sessionCleanup.abort();
+        drainConnectionsOnShutdown(options.server);
+        eventLoopDelay.disable();
+        const sessions = options.sessionStore.clear();
+        await Promise.all(sessions.map((session) => closeTransportBestEffort(session.transport, 'shutdown-session-close')));
+        await new Promise((resolve, reject) => {
+            options.server.close((err) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve();
+            });
+        });
+        await options.mcpServer.close();
+    };
+}
 export async function startHttpServer() {
     assertHttpModeConfiguration();
     enableHttpMode();
+    lastEventLoopUtilization = performance.eventLoopUtilization();
+    eventLoopDelay.reset();
+    eventLoopDelay.enable();
     const mcpServer = await createMcpServer();
     const rateLimiter = createRateLimitManagerImpl(config.rateLimit);
     const sessionStore = createSessionStore(config.server.sessionTtlMs);
@@ -734,37 +1100,29 @@ export async function startHttpServer() {
     const dispatcher = new HttpDispatcher(sessionStore, mcpGateway);
     const pipeline = new HttpRequestPipeline(rateLimiter, dispatcher);
     const server = createServer((req, res) => {
-        void pipeline.handle(req, res);
+        void pipeline.handle(req, res).catch((error) => {
+            handlePipelineError(error, res);
+        });
     });
+    registerInboundBlockList(server);
     applyHttpServerTuning(server);
-    await new Promise((resolve, reject) => {
-        server.listen(config.server.port, config.server.host, () => {
-            resolve();
-        });
-        server.on('error', reject);
+    await listen(server, config.server.host, config.server.port);
+    const port = resolveListeningPort(server, config.server.port);
+    logInfo(`HTTP server listening on port ${port}`, {
+        platform: process.platform,
+        arch: process.arch,
+        hostname: hostname(),
+        nodeVersion: process.version,
     });
-    const addr = server.address();
-    const port = typeof addr === 'object' && addr ? addr.port : config.server.port;
-    logInfo(`HTTP server listening on port ${port}`);
     return {
         port,
         host: config.server.host,
-        shutdown: async (signal) => {
-            logInfo(`Stopping HTTP server (${signal})...`);
-            rateLimiter.stop();
-            sessionCleanup.abort();
-            drainConnectionsOnShutdown(server);
-            const sessions = sessionStore.clear();
-            await Promise.all(sessions.map(async (s) => {
-                try {
-                    await s.transport.close();
-                }
-                catch {
-                    /* ignore */
-                }
-            }));
-            server.close();
-            await mcpServer.close();
-        },
+        shutdown: createShutdownHandler({
+            server,
+            rateLimiter,
+            sessionCleanup,
+            sessionStore,
+            mcpServer,
+        }),
     };
 }