@matthesketh/utopia-ai 0.7.1 → 0.8.1

package/dist/adapters/anthropic.cjs

@@ -46,6 +46,9 @@ function anthropicAdapter(config) {
         '@matthesketh/utopia-ai: "@anthropic-ai/sdk" package is required for the Anthropic adapter. Install it with: npm install @anthropic-ai/sdk'
       );
     }
+    if (config.baseURL && !/^https?:$/.test(new URL(config.baseURL).protocol)) {
+      throw new Error(`Anthropic baseURL must be http(s): ${config.baseURL}`);
+    }
     client = new AnthropicCtor({
       apiKey: config.apiKey,
       ...config.baseURL ? { baseURL: config.baseURL } : {}

package/dist/adapters/anthropic.d.cts

@@ -1,4 +1,4 @@
-import { b as AnthropicConfig, A as AIAdapter } from '../types-FSnS43LM.cjs';
+import { b as AnthropicConfig, A as AIAdapter } from '../types-BcCKlL06.cjs';
 
 /**
  * Create an Anthropic adapter.

package/dist/adapters/anthropic.d.ts

@@ -1,4 +1,4 @@
-import { b as AnthropicConfig, A as AIAdapter } from '../types-FSnS43LM.js';
+import { b as AnthropicConfig, A as AIAdapter } from '../types-BcCKlL06.js';
 
 /**
  * Create an Anthropic adapter.

package/dist/adapters/anthropic.js

@@ -12,6 +12,9 @@ function anthropicAdapter(config) {
         '@matthesketh/utopia-ai: "@anthropic-ai/sdk" package is required for the Anthropic adapter. Install it with: npm install @anthropic-ai/sdk'
       );
     }
+    if (config.baseURL && !/^https?:$/.test(new URL(config.baseURL).protocol)) {
+      throw new Error(`Anthropic baseURL must be http(s): ${config.baseURL}`);
+    }
     client = new AnthropicCtor({
       apiKey: config.apiKey,
       ...config.baseURL ? { baseURL: config.baseURL } : {}

package/dist/adapters/google.d.cts

@@ -1,4 +1,4 @@
-import { G as GoogleConfig, A as AIAdapter } from '../types-FSnS43LM.cjs';
+import { G as GoogleConfig, A as AIAdapter } from '../types-BcCKlL06.cjs';
 
 /**
  * Create a Google Gemini adapter.

package/dist/adapters/google.d.ts

@@ -1,4 +1,4 @@
-import { G as GoogleConfig, A as AIAdapter } from '../types-FSnS43LM.js';
+import { G as GoogleConfig, A as AIAdapter } from '../types-BcCKlL06.js';
 
 /**
  * Create a Google Gemini adapter.

package/dist/adapters/ollama.cjs

@@ -25,9 +25,18 @@ __export(ollama_exports, {
 });
 module.exports = __toCommonJS(ollama_exports);
 var TRAILING_SLASH_RE = /\/$/;
+var MAX_STREAM_BUFFER = 1024 * 1024;
+function resolveBaseURL(raw) {
+  const baseURL = (raw ?? "http://localhost:11434").replace(TRAILING_SLASH_RE, "");
+  const protocol = new URL(baseURL).protocol;
+  if (protocol !== "http:" && protocol !== "https:") {
+    throw new Error(`Ollama baseURL must be http(s): ${baseURL}`);
+  }
+  return baseURL;
+}
 var ollamaToolCallCounter = 0;
 function ollamaAdapter(config = {}) {
-  const baseURL = (config.baseURL ?? "http://localhost:11434").replace(TRAILING_SLASH_RE, "");
+  const baseURL = resolveBaseURL(config.baseURL);
   return {
     async chat(request) {
       const model = request.model ?? config.defaultModel ?? "llama3.2";
@@ -109,6 +118,9 @@ function ollamaAdapter(config = {}) {
         const { done, value } = await reader.read();
         if (done) break;
         buffer += decoder.decode(value, { stream: true });
+        if (buffer.length > MAX_STREAM_BUFFER) {
+          throw new Error("Ollama stream exceeded maximum buffer size without a line delimiter");
+        }
         const lines = buffer.split("\n");
         buffer = lines.pop() ?? "";
         for (const line of lines) {

package/dist/adapters/ollama.d.cts

@@ -1,6 +1,6 @@
-import { O as OllamaConfig, A as AIAdapter } from '../types-FSnS43LM.cjs';
+import { O as OllamaConfig, A as AIAdapter } from '../types-BcCKlL06.cjs';
 
-/** Matches a trailing slash for URL normalization. */
+/** matches a trailing slash for URL normalization. */
 declare const TRAILING_SLASH_RE: RegExp;
 /**
  * Create an Ollama adapter for local models.

package/dist/adapters/ollama.d.ts

@@ -1,6 +1,6 @@
-import { O as OllamaConfig, A as AIAdapter } from '../types-FSnS43LM.js';
+import { O as OllamaConfig, A as AIAdapter } from '../types-BcCKlL06.js';
 
-/** Matches a trailing slash for URL normalization. */
+/** matches a trailing slash for URL normalization. */
 declare const TRAILING_SLASH_RE: RegExp;
 /**
  * Create an Ollama adapter for local models.

package/dist/adapters/ollama.js

@@ -1,8 +1,17 @@
 // src/adapters/ollama.ts
 var TRAILING_SLASH_RE = /\/$/;
+var MAX_STREAM_BUFFER = 1024 * 1024;
+function resolveBaseURL(raw) {
+  const baseURL = (raw ?? "http://localhost:11434").replace(TRAILING_SLASH_RE, "");
+  const protocol = new URL(baseURL).protocol;
+  if (protocol !== "http:" && protocol !== "https:") {
+    throw new Error(`Ollama baseURL must be http(s): ${baseURL}`);
+  }
+  return baseURL;
+}
 var ollamaToolCallCounter = 0;
 function ollamaAdapter(config = {}) {
-  const baseURL = (config.baseURL ?? "http://localhost:11434").replace(TRAILING_SLASH_RE, "");
+  const baseURL = resolveBaseURL(config.baseURL);
   return {
     async chat(request) {
       const model = request.model ?? config.defaultModel ?? "llama3.2";
@@ -84,6 +93,9 @@ function ollamaAdapter(config = {}) {
         const { done, value } = await reader.read();
         if (done) break;
         buffer += decoder.decode(value, { stream: true });
+        if (buffer.length > MAX_STREAM_BUFFER) {
+          throw new Error("Ollama stream exceeded maximum buffer size without a line delimiter");
+        }
         const lines = buffer.split("\n");
         buffer = lines.pop() ?? "";
         for (const line of lines) {

package/dist/adapters/openai.cjs

@@ -46,6 +46,9 @@ function openaiAdapter(config) {
         '@matthesketh/utopia-ai: "openai" package is required for the OpenAI adapter. Install it with: npm install openai'
       );
     }
+    if (config.baseURL && !/^https?:$/.test(new URL(config.baseURL).protocol)) {
+      throw new Error(`OpenAI baseURL must be http(s): ${config.baseURL}`);
+    }
     client = new OpenAICtor({
       apiKey: config.apiKey,
       baseURL: config.baseURL,

package/dist/adapters/openai.d.cts

@@ -1,4 +1,4 @@
-import { h as OpenAIConfig, A as AIAdapter } from '../types-FSnS43LM.cjs';
+import { h as OpenAIConfig, A as AIAdapter } from '../types-BcCKlL06.cjs';
 
 /**
  * Create an OpenAI adapter.

package/dist/adapters/openai.d.ts

@@ -1,4 +1,4 @@
-import { h as OpenAIConfig, A as AIAdapter } from '../types-FSnS43LM.js';
+import { h as OpenAIConfig, A as AIAdapter } from '../types-BcCKlL06.js';
 
 /**
  * Create an OpenAI adapter.

package/dist/adapters/openai.js

@@ -12,6 +12,9 @@ function openaiAdapter(config) {
         '@matthesketh/utopia-ai: "openai" package is required for the OpenAI adapter. Install it with: npm install openai'
       );
     }
+    if (config.baseURL && !/^https?:$/.test(new URL(config.baseURL).protocol)) {
+      throw new Error(`OpenAI baseURL must be http(s): ${config.baseURL}`);
+    }
     client = new OpenAICtor({
       apiKey: config.apiKey,
       baseURL: config.baseURL,

package/dist/ai-B65XFWfZ.d.ts

@@ -0,0 +1,66 @@
+import { d as ChatRequest, e as ChatResponse, C as ChatChunk, E as EmbeddingRequest, f as EmbeddingResponse, c as ChatMessage, l as ToolDefinition, j as ToolCall, a as AIHooks, R as RetryConfig, A as AIAdapter } from './types-BcCKlL06.js';
+
+interface AI {
+    /** Send a chat completion request. */
+    chat(request: ChatRequest): Promise<ChatResponse>;
+    /** Stream a chat completion. */
+    stream(request: ChatRequest): AsyncIterable<ChatChunk>;
+    /** Generate embeddings. */
+    embeddings(request: EmbeddingRequest): Promise<EmbeddingResponse>;
+    /**
+     * Run a tool-calling loop: send messages, execute tool calls via the
+     * provided handlers, append results, and repeat until the model stops
+     * calling tools.
+     */
+    run(options: RunOptions): Promise<ChatResponse>;
+}
+interface ToolHandler {
+    definition: ToolDefinition;
+    handler: (args: Record<string, unknown>) => Promise<unknown> | unknown;
+}
+interface RunOptions {
+    messages: ChatMessage[];
+    tools: ToolHandler[];
+    model?: string;
+    temperature?: number;
+    maxTokens?: number;
+    maxRounds?: number;
+    onToolCall?: (call: ToolCall, result: unknown) => void;
+    extra?: Record<string, unknown>;
+}
+interface CreateAIOptions {
+    hooks?: AIHooks;
+    retry?: RetryConfig;
+}
+/**
+ * Create an AI instance with the given adapter.
+ *
+ * Usage:
+ * ```ts
+ * import { createAI } from '@matthesketh/utopia-ai';
+ * import { openaiAdapter } from '@matthesketh/utopia-ai/openai';
+ *
+ * const ai = createAI(openaiAdapter({ apiKey: process.env.OPENAI_API_KEY }));
+ *
+ * const res = await ai.chat({
+ *   messages: [{ role: 'user', content: 'Hello!' }],
+ * });
+ *
+ * // Streaming
+ * for await (const chunk of ai.stream({ messages })) {
+ *   process.stdout.write(chunk.delta);
+ * }
+ *
+ * // Agentic tool loop
+ * const result = await ai.run({
+ *   messages: [{ role: 'user', content: 'What is the weather?' }],
+ *   tools: [{
+ *     definition: { name: 'get_weather', description: '...', parameters: { type: 'object', properties: {} } },
+ *     handler: async ({ city }) => ({ temp: 72 }),
+ *   }],
+ * });
+ * ```
+ */
+declare function createAI(adapter: AIAdapter, options?: CreateAIOptions): AI;
+
+export { type AI as A, type CreateAIOptions as C, type RunOptions as R, type ToolHandler as T, createAI as c };

package/dist/ai-KmtRQe5L.d.ts

@@ -1,4 +1,4 @@
-import { d as ChatRequest, e as ChatResponse, C as ChatChunk, E as EmbeddingRequest, f as EmbeddingResponse, c as ChatMessage, l as ToolDefinition, j as ToolCall, a as AIHooks, R as RetryConfig, A as AIAdapter } from './types-FSnS43LM.js';
+import { d as ChatRequest, e as ChatResponse, C as ChatChunk, E as EmbeddingRequest, f as EmbeddingResponse, c as ChatMessage, l as ToolDefinition, j as ToolCall, a as AIHooks, R as RetryConfig, A as AIAdapter } from './types-FSnS43LM';
 
 interface AI {
     /** Send a chat completion request. */

package/dist/ai-dyp9MfTz.d.cts

@@ -0,0 +1,66 @@
+import { d as ChatRequest, e as ChatResponse, C as ChatChunk, E as EmbeddingRequest, f as EmbeddingResponse, c as ChatMessage, l as ToolDefinition, j as ToolCall, a as AIHooks, R as RetryConfig, A as AIAdapter } from './types-BcCKlL06.cjs';
+
+interface AI {
+    /** Send a chat completion request. */
+    chat(request: ChatRequest): Promise<ChatResponse>;
+    /** Stream a chat completion. */
+    stream(request: ChatRequest): AsyncIterable<ChatChunk>;
+    /** Generate embeddings. */
+    embeddings(request: EmbeddingRequest): Promise<EmbeddingResponse>;
+    /**
+     * Run a tool-calling loop: send messages, execute tool calls via the
+     * provided handlers, append results, and repeat until the model stops
+     * calling tools.
+     */
+    run(options: RunOptions): Promise<ChatResponse>;
+}
+interface ToolHandler {
+    definition: ToolDefinition;
+    handler: (args: Record<string, unknown>) => Promise<unknown> | unknown;
+}
+interface RunOptions {
+    messages: ChatMessage[];
+    tools: ToolHandler[];
+    model?: string;
+    temperature?: number;
+    maxTokens?: number;
+    maxRounds?: number;
+    onToolCall?: (call: ToolCall, result: unknown) => void;
+    extra?: Record<string, unknown>;
+}
+interface CreateAIOptions {
+    hooks?: AIHooks;
+    retry?: RetryConfig;
+}
+/**
+ * Create an AI instance with the given adapter.
+ *
+ * Usage:
+ * ```ts
+ * import { createAI } from '@matthesketh/utopia-ai';
+ * import { openaiAdapter } from '@matthesketh/utopia-ai/openai';
+ *
+ * const ai = createAI(openaiAdapter({ apiKey: process.env.OPENAI_API_KEY }));
+ *
+ * const res = await ai.chat({
+ *   messages: [{ role: 'user', content: 'Hello!' }],
+ * });
+ *
+ * // Streaming
+ * for await (const chunk of ai.stream({ messages })) {
+ *   process.stdout.write(chunk.delta);
+ * }
+ *
+ * // Agentic tool loop
+ * const result = await ai.run({
+ *   messages: [{ role: 'user', content: 'What is the weather?' }],
+ *   tools: [{
+ *     definition: { name: 'get_weather', description: '...', parameters: { type: 'object', properties: {} } },
+ *     handler: async ({ city }) => ({ temp: 72 }),
+ *   }],
+ * });
+ * ```
+ */
+declare function createAI(adapter: AIAdapter, options?: CreateAIOptions): AI;
+
+export { type AI as A, type CreateAIOptions as C, type RunOptions as R, type ToolHandler as T, createAI as c };

package/dist/index.cjs

@@ -209,6 +209,7 @@ async function* chatToStream(adapter, request) {
 }
 
 // src/streaming.ts
+var MAX_SSE_BUFFER = 1024 * 1024;
 async function streamSSE(res, stream, options) {
   res.writeHead(200, {
     "Content-Type": "text/event-stream",
@@ -247,6 +248,9 @@ async function* parseSSEStream(response) {
       const { done, value } = await reader.read();
       if (done) break;
       buffer += decoder.decode(value, { stream: true });
+      if (buffer.length > MAX_SSE_BUFFER) {
+        throw new Error("SSE stream exceeded maximum buffer size without a line delimiter");
+      }
       const lines = buffer.split("\n");
       buffer = lines.pop() ?? "";
       for (const line of lines) {

package/dist/index.d.cts

@@ -1,7 +1,7 @@
-export { A as AI, C as CreateAIOptions, R as RunOptions, T as ToolHandler, c as createAI } from './ai-B2NkPypc.cjs';
+export { A as AI, C as CreateAIOptions, R as RunOptions, T as ToolHandler, c as createAI } from './ai-dyp9MfTz.cjs';
 import { ServerResponse } from 'node:http';
-import { C as ChatChunk } from './types-FSnS43LM.cjs';
-export { A as AIAdapter, a as AIHooks, b as AnthropicConfig, c as ChatMessage, d as ChatRequest, e as ChatResponse, E as EmbeddingRequest, f as EmbeddingResponse, G as GoogleConfig, I as ImageContent, J as JsonSchema, M as MessageContent, g as MessageRole, O as OllamaConfig, h as OpenAIConfig, R as RetryConfig, T as TextContent, i as TokenUsage, j as ToolCall, k as ToolCallContent, l as ToolDefinition, m as ToolResultContent } from './types-FSnS43LM.cjs';
+import { C as ChatChunk } from './types-BcCKlL06.cjs';
+export { A as AIAdapter, a as AIHooks, b as AnthropicConfig, c as ChatMessage, d as ChatRequest, e as ChatResponse, E as EmbeddingRequest, f as EmbeddingResponse, G as GoogleConfig, I as ImageContent, J as JsonSchema, M as MessageContent, g as MessageRole, O as OllamaConfig, h as OpenAIConfig, R as RetryConfig, T as TextContent, i as TokenUsage, j as ToolCall, k as ToolCallContent, l as ToolDefinition, m as ToolResultContent } from './types-BcCKlL06.cjs';
 
 /**
  * Stream AI chat chunks as Server-Sent Events (SSE).

package/dist/index.d.ts

@@ -1,7 +1,7 @@
-export { A as AI, C as CreateAIOptions, R as RunOptions, T as ToolHandler, c as createAI } from './ai-VMRaOOak.js';
+export { A as AI, C as CreateAIOptions, R as RunOptions, T as ToolHandler, c as createAI } from './ai-B65XFWfZ.js';
 import { ServerResponse } from 'node:http';
-import { C as ChatChunk } from './types-FSnS43LM.js';
-export { A as AIAdapter, a as AIHooks, b as AnthropicConfig, c as ChatMessage, d as ChatRequest, e as ChatResponse, E as EmbeddingRequest, f as EmbeddingResponse, G as GoogleConfig, I as ImageContent, J as JsonSchema, M as MessageContent, g as MessageRole, O as OllamaConfig, h as OpenAIConfig, R as RetryConfig, T as TextContent, i as TokenUsage, j as ToolCall, k as ToolCallContent, l as ToolDefinition, m as ToolResultContent } from './types-FSnS43LM.js';
+import { C as ChatChunk } from './types-BcCKlL06.js';
+export { A as AIAdapter, a as AIHooks, b as AnthropicConfig, c as ChatMessage, d as ChatRequest, e as ChatResponse, E as EmbeddingRequest, f as EmbeddingResponse, G as GoogleConfig, I as ImageContent, J as JsonSchema, M as MessageContent, g as MessageRole, O as OllamaConfig, h as OpenAIConfig, R as RetryConfig, T as TextContent, i as TokenUsage, j as ToolCall, k as ToolCallContent, l as ToolDefinition, m as ToolResultContent } from './types-BcCKlL06.js';
 
 /**
  * Stream AI chat chunks as Server-Sent Events (SSE).

package/dist/index.js

@@ -180,6 +180,7 @@ async function* chatToStream(adapter, request) {
 }
 
 // src/streaming.ts
+var MAX_SSE_BUFFER = 1024 * 1024;
 async function streamSSE(res, stream, options) {
   res.writeHead(200, {
     "Content-Type": "text/event-stream",
@@ -218,6 +219,9 @@ async function* parseSSEStream(response) {
       const { done, value } = await reader.read();
       if (done) break;
       buffer += decoder.decode(value, { stream: true });
+      if (buffer.length > MAX_SSE_BUFFER) {
+        throw new Error("SSE stream exceeded maximum buffer size without a line delimiter");
+      }
       const lines = buffer.split("\n");
       buffer = lines.pop() ?? "";
       for (const line of lines) {

package/dist/mcp/index.cjs

@@ -58,14 +58,17 @@ function createMCPServer(config) {
       return { jsonrpc: "2.0", id: request.id, result };
     } catch (err) {
       const rpcErr = err;
+      if (typeof rpcErr.code === "number") {
+        return {
+          jsonrpc: "2.0",
+          id: request.id,
+          error: { code: rpcErr.code, message: rpcErr.message ?? "Error", data: rpcErr.data }
+        };
+      }
       return {
         jsonrpc: "2.0",
         id: request.id,
-        error: {
-          code: rpcErr.code ?? -32603,
-          message: rpcErr.message ?? "Internal error",
-          data: rpcErr.data
-        }
+        error: { code: -32603, message: "Internal error" }
       };
     }
   }
@@ -93,12 +96,22 @@ function createMCPServer(config) {
           }))
         };
       case "tools/call": {
-        const params = request.params;
-        const tool = toolMap.get(params.name);
+        const params = asParamsObject(request.params, "tools/call");
+        const name = params.name;
+        if (typeof name !== "string") {
+          throw makeError(-32602, 'tools/call requires a string "name"');
+        }
+        const tool = toolMap.get(name);
         if (!tool) {
-          throw makeError(-32602, `Unknown tool: ${params.name}`);
+          throw makeError(-32602, `Unknown tool: ${name}`);
         }
-        return tool.handler(params.arguments ?? {});
+        const args = params.arguments ?? {};
+        if (typeof args !== "object" || args === null || Array.isArray(args)) {
+          throw makeError(-32602, "tool arguments must be an object");
+        }
+        const argRecord = args;
+        validateAgainstSchema(tool.definition.inputSchema, argRecord, name);
+        return tool.handler(argRecord);
       }
       case "resources/list":
         return {
@@ -110,12 +123,16 @@ function createMCPServer(config) {
           }))
         };
       case "resources/read": {
-        const params = request.params;
-        const resource = findResource(params.uri);
+        const params = asParamsObject(request.params, "resources/read");
+        const uri = params.uri;
+        if (typeof uri !== "string") {
+          throw makeError(-32602, 'resources/read requires a string "uri"');
+        }
+        const resource = findResource(uri);
         if (!resource) {
-          throw makeError(-32602, `Unknown resource: ${params.uri}`);
+          throw makeError(-32602, `Unknown resource: ${uri}`);
         }
-        const content = await resource.handler(params.uri);
+        const content = await resource.handler(uri);
         return { contents: [content] };
       }
       case "prompts/list":
@@ -127,12 +144,17 @@ function createMCPServer(config) {
           }))
         };
       case "prompts/get": {
-        const params = request.params;
-        const prompt = promptMap.get(params.name);
+        const params = asParamsObject(request.params, "prompts/get");
+        const name = params.name;
+        if (typeof name !== "string") {
+          throw makeError(-32602, 'prompts/get requires a string "name"');
+        }
+        const prompt = promptMap.get(name);
         if (!prompt) {
-          throw makeError(-32602, `Unknown prompt: ${params.name}`);
+          throw makeError(-32602, `Unknown prompt: ${name}`);
         }
-        return prompt.handler(params.arguments ?? {});
+        const args = params.arguments ?? {};
+        return prompt.handler(args);
       }
       case "ping":
         return {};
@@ -159,10 +181,46 @@ function matchesTemplate(pattern, uri) {
 function makeError(code, message) {
   return { code, message };
 }
+function asParamsObject(params, ctx) {
+  if (params === null || typeof params !== "object" || Array.isArray(params)) {
+    throw makeError(-32602, `Invalid params for ${ctx}: expected an object`);
+  }
+  return params;
+}
+function validateAgainstSchema(schema, args, toolName) {
+  if (!schema || typeof schema !== "object") return;
+  const s = schema;
+  if (Array.isArray(s.required)) {
+    for (const key of s.required) {
+      if (typeof key === "string" && !(key in args)) {
+        throw makeError(-32602, `Missing required argument "${key}" for tool "${toolName}"`);
+      }
+    }
+  }
+  if (s.properties && typeof s.properties === "object") {
+    for (const [key, prop] of Object.entries(s.properties)) {
+      const value = args[key];
+      if (value === void 0 || value === null) continue;
+      const expected = prop?.type;
+      if (!expected) continue;
+      const ok = expected === "number" || expected === "integer" ? typeof value === "number" : expected === "array" ? Array.isArray(value) : expected === "object" ? typeof value === "object" && !Array.isArray(value) : typeof value === expected;
+      if (!ok) {
+        throw makeError(
+          -32602,
+          `Argument "${key}" for tool "${toolName}" must be of type ${expected}`
+        );
+      }
+    }
+  }
+}
 
 // src/mcp/client.ts
 function createMCPClient(config) {
   let requestId = 0;
+  const parsedUrl = new URL(config.url);
+  if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+    throw new Error(`MCP client URL must be http(s): ${config.url}`);
+  }
   async function rpc(method, params) {
     const request = {
       jsonrpc: "2.0",
@@ -177,6 +235,10 @@ function createMCPClient(config) {
         ...config.headers
       },
       body: JSON.stringify(request),
+      // never follow redirects: a 3xx to another host would otherwise re-send
+      // config.headers (often a bearer token) to that host, leaking the
+      // credential and enabling an ssrf pivot.
+      redirect: "error",
       signal: AbortSignal.timeout(3e4)
     });
     if (!response.ok) {
@@ -250,6 +312,8 @@ function createMCPClient(config) {
 // src/mcp/handler.ts
 function createMCPHandler(server, options) {
   const corsOrigin = options?.corsOrigin;
+  const allowedOrigins = options?.allowedOrigins;
+  const authorize = options?.authorize;
   return async (req, res) => {
     if (corsOrigin) {
       res.setHeader("Access-Control-Allow-Origin", corsOrigin);
@@ -261,6 +325,31 @@ function createMCPHandler(server, options) {
       res.end();
       return;
     }
+    const origin = req.headers.origin;
+    if (allowedOrigins && origin !== void 0 && !allowedOrigins.includes(origin)) {
+      res.writeHead(403, { "Content-Type": "text/plain" });
+      res.end("Forbidden");
+      return;
+    }
+    if (authorize) {
+      let allowed = false;
+      try {
+        allowed = await authorize(req);
+      } catch {
+        allowed = false;
+      }
+      if (!allowed) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            jsonrpc: "2.0",
+            id: null,
+            error: { code: -32600, message: "Unauthorized" }
+          })
+        );
+        return;
+      }
+    }
     const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
     if (url.pathname.endsWith("/sse") && req.method === "GET") {
       handleSSE(server, req, res);

package/dist/mcp/index.d.cts

@@ -1,5 +1,5 @@
-import { J as JsonSchema } from '../types-FSnS43LM.cjs';
-import { T as ToolHandler } from '../ai-B2NkPypc.cjs';
+import { J as JsonSchema } from '../types-BcCKlL06.cjs';
+import { T as ToolHandler } from '../ai-dyp9MfTz.cjs';
 import { IncomingMessage, ServerResponse } from 'node:http';
 
 interface JsonRpcRequest {
@@ -174,6 +174,19 @@ declare function createMCPClient(config: MCPClientConfig): MCPClient;
 
 interface MCPHandlerOptions {
     corsOrigin?: string;
+    /**
+     * allow-list of permitted `Origin` header values. when set, any request
+     * carrying an `Origin` not in the list is rejected with 403. this is the
+     * primary defence against dns-rebinding attacks on a locally-bound server.
+     */
+    allowedOrigins?: string[];
+    /**
+     * authorisation gate run before any request is dispatched to the server.
+     * return false (or throw) to reject with 401. an mcp server exposes tool
+     * execution, so it must not be reachable on a network without an authz
+     * check — there is intentionally no default-allow for remote callers.
+     */
+    authorize?: (req: IncomingMessage) => boolean | Promise<boolean>;
 }
 /**
  * Create a Node.js HTTP handler for an MCP server.

package/dist/mcp/index.d.ts

@@ -1,5 +1,5 @@
-import { J as JsonSchema } from '../types-FSnS43LM.js';
-import { T as ToolHandler } from '../ai-VMRaOOak.js';
+import { J as JsonSchema } from '../types-BcCKlL06.js';
+import { T as ToolHandler } from '../ai-B65XFWfZ.js';
 import { IncomingMessage, ServerResponse } from 'node:http';
 
 interface JsonRpcRequest {
@@ -174,6 +174,19 @@ declare function createMCPClient(config: MCPClientConfig): MCPClient;
 
 interface MCPHandlerOptions {
     corsOrigin?: string;
+    /**
+     * allow-list of permitted `Origin` header values. when set, any request
+     * carrying an `Origin` not in the list is rejected with 403. this is the
+     * primary defence against dns-rebinding attacks on a locally-bound server.
+     */
+    allowedOrigins?: string[];
+    /**
+     * authorisation gate run before any request is dispatched to the server.
+     * return false (or throw) to reject with 401. an mcp server exposes tool
+     * execution, so it must not be reachable on a network without an authz
+     * check — there is intentionally no default-allow for remote callers.
+     */
+    authorize?: (req: IncomingMessage) => boolean | Promise<boolean>;
 }
 /**
  * Create a Node.js HTTP handler for an MCP server.

package/dist/mcp/index.js

@@ -30,14 +30,17 @@ function createMCPServer(config) {
       return { jsonrpc: "2.0", id: request.id, result };
     } catch (err) {
       const rpcErr = err;
+      if (typeof rpcErr.code === "number") {
+        return {
+          jsonrpc: "2.0",
+          id: request.id,
+          error: { code: rpcErr.code, message: rpcErr.message ?? "Error", data: rpcErr.data }
+        };
+      }
       return {
         jsonrpc: "2.0",
         id: request.id,
-        error: {
-          code: rpcErr.code ?? -32603,
-          message: rpcErr.message ?? "Internal error",
-          data: rpcErr.data
-        }
+        error: { code: -32603, message: "Internal error" }
       };
     }
   }
@@ -65,12 +68,22 @@ function createMCPServer(config) {
           }))
         };
       case "tools/call": {
-        const params = request.params;
-        const tool = toolMap.get(params.name);
+        const params = asParamsObject(request.params, "tools/call");
+        const name = params.name;
+        if (typeof name !== "string") {
+          throw makeError(-32602, 'tools/call requires a string "name"');
+        }
+        const tool = toolMap.get(name);
         if (!tool) {
-          throw makeError(-32602, `Unknown tool: ${params.name}`);
+          throw makeError(-32602, `Unknown tool: ${name}`);
         }
-        return tool.handler(params.arguments ?? {});
+        const args = params.arguments ?? {};
+        if (typeof args !== "object" || args === null || Array.isArray(args)) {
+          throw makeError(-32602, "tool arguments must be an object");
+        }
+        const argRecord = args;
+        validateAgainstSchema(tool.definition.inputSchema, argRecord, name);
+        return tool.handler(argRecord);
       }
       case "resources/list":
         return {
@@ -82,12 +95,16 @@ function createMCPServer(config) {
           }))
         };
       case "resources/read": {
-        const params = request.params;
-        const resource = findResource(params.uri);
+        const params = asParamsObject(request.params, "resources/read");
+        const uri = params.uri;
+        if (typeof uri !== "string") {
+          throw makeError(-32602, 'resources/read requires a string "uri"');
+        }
+        const resource = findResource(uri);
         if (!resource) {
-          throw makeError(-32602, `Unknown resource: ${params.uri}`);
+          throw makeError(-32602, `Unknown resource: ${uri}`);
         }
-        const content = await resource.handler(params.uri);
+        const content = await resource.handler(uri);
         return { contents: [content] };
       }
       case "prompts/list":
@@ -99,12 +116,17 @@ function createMCPServer(config) {
           }))
         };
       case "prompts/get": {
-        const params = request.params;
-        const prompt = promptMap.get(params.name);
+        const params = asParamsObject(request.params, "prompts/get");
+        const name = params.name;
+        if (typeof name !== "string") {
+          throw makeError(-32602, 'prompts/get requires a string "name"');
+        }
+        const prompt = promptMap.get(name);
         if (!prompt) {
-          throw makeError(-32602, `Unknown prompt: ${params.name}`);
+          throw makeError(-32602, `Unknown prompt: ${name}`);
         }
-        return prompt.handler(params.arguments ?? {});
+        const args = params.arguments ?? {};
+        return prompt.handler(args);
       }
       case "ping":
         return {};
@@ -131,10 +153,46 @@ function matchesTemplate(pattern, uri) {
 function makeError(code, message) {
   return { code, message };
 }
+function asParamsObject(params, ctx) {
+  if (params === null || typeof params !== "object" || Array.isArray(params)) {
+    throw makeError(-32602, `Invalid params for ${ctx}: expected an object`);
+  }
+  return params;
+}
+function validateAgainstSchema(schema, args, toolName) {
+  if (!schema || typeof schema !== "object") return;
+  const s = schema;
+  if (Array.isArray(s.required)) {
+    for (const key of s.required) {
+      if (typeof key === "string" && !(key in args)) {
+        throw makeError(-32602, `Missing required argument "${key}" for tool "${toolName}"`);
+      }
+    }
+  }
+  if (s.properties && typeof s.properties === "object") {
+    for (const [key, prop] of Object.entries(s.properties)) {
+      const value = args[key];
+      if (value === void 0 || value === null) continue;
+      const expected = prop?.type;
+      if (!expected) continue;
+      const ok = expected === "number" || expected === "integer" ? typeof value === "number" : expected === "array" ? Array.isArray(value) : expected === "object" ? typeof value === "object" && !Array.isArray(value) : typeof value === expected;
+      if (!ok) {
+        throw makeError(
+          -32602,
+          `Argument "${key}" for tool "${toolName}" must be of type ${expected}`
+        );
+      }
+    }
+  }
+}
 
 // src/mcp/client.ts
 function createMCPClient(config) {
   let requestId = 0;
+  const parsedUrl = new URL(config.url);
+  if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+    throw new Error(`MCP client URL must be http(s): ${config.url}`);
+  }
   async function rpc(method, params) {
     const request = {
       jsonrpc: "2.0",
@@ -149,6 +207,10 @@ function createMCPClient(config) {
         ...config.headers
       },
       body: JSON.stringify(request),
+      // never follow redirects: a 3xx to another host would otherwise re-send
+      // config.headers (often a bearer token) to that host, leaking the
+      // credential and enabling an ssrf pivot.
+      redirect: "error",
       signal: AbortSignal.timeout(3e4)
     });
     if (!response.ok) {
@@ -222,6 +284,8 @@ function createMCPClient(config) {
 // src/mcp/handler.ts
 function createMCPHandler(server, options) {
   const corsOrigin = options?.corsOrigin;
+  const allowedOrigins = options?.allowedOrigins;
+  const authorize = options?.authorize;
   return async (req, res) => {
     if (corsOrigin) {
       res.setHeader("Access-Control-Allow-Origin", corsOrigin);
@@ -233,6 +297,31 @@ function createMCPHandler(server, options) {
       res.end();
       return;
     }
+    const origin = req.headers.origin;
+    if (allowedOrigins && origin !== void 0 && !allowedOrigins.includes(origin)) {
+      res.writeHead(403, { "Content-Type": "text/plain" });
+      res.end("Forbidden");
+      return;
+    }
+    if (authorize) {
+      let allowed = false;
+      try {
+        allowed = await authorize(req);
+      } catch {
+        allowed = false;
+      }
+      if (!allowed) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end(
+          JSON.stringify({
+            jsonrpc: "2.0",
+            id: null,
+            error: { code: -32600, message: "Unauthorized" }
+          })
+        );
+        return;
+      }
+    }
     const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
     if (url.pathname.endsWith("/sse") && req.method === "GET") {
       handleSSE(server, req, res);

package/dist/types-BcCKlL06.d.cts

@@ -0,0 +1,157 @@
+type MessageRole = 'system' | 'user' | 'assistant' | 'tool';
+interface TextContent {
+    type: 'text';
+    text: string;
+}
+interface ImageContent {
+    type: 'image';
+    /** Base64-encoded image data or a URL. */
+    source: string;
+    mediaType?: string;
+}
+interface ToolCallContent {
+    type: 'tool_call';
+    id: string;
+    name: string;
+    arguments: Record<string, unknown>;
+}
+interface ToolResultContent {
+    type: 'tool_result';
+    id: string;
+    content: string;
+    isError?: boolean;
+}
+type MessageContent = string | TextContent | ImageContent | ToolCallContent | ToolResultContent;
+interface ChatMessage {
+    role: MessageRole;
+    content: MessageContent | MessageContent[];
+    name?: string;
+}
+interface ToolDefinition {
+    name: string;
+    description: string;
+    parameters: JsonSchema;
+}
+interface JsonSchema {
+    type: string;
+    properties?: Record<string, JsonSchema & {
+        description?: string;
+    }>;
+    required?: string[];
+    items?: JsonSchema;
+    enum?: unknown[];
+    description?: string;
+    [key: string]: unknown;
+}
+interface ChatRequest {
+    messages: ChatMessage[];
+    model?: string;
+    temperature?: number;
+    maxTokens?: number;
+    topP?: number;
+    stop?: string[];
+    tools?: ToolDefinition[];
+    toolChoice?: 'auto' | 'none' | 'required' | {
+        name: string;
+    };
+    /** Adapter-specific options passed through untouched. */
+    extra?: Record<string, unknown>;
+}
+interface ToolCall {
+    id: string;
+    name: string;
+    arguments: Record<string, unknown>;
+}
+interface ChatResponse {
+    content: string;
+    toolCalls?: ToolCall[];
+    finishReason: 'stop' | 'tool_calls' | 'length' | 'error';
+    usage?: TokenUsage;
+    /** Raw response from the provider for advanced use cases. */
+    raw?: unknown;
+}
+interface TokenUsage {
+    promptTokens: number;
+    completionTokens: number;
+    totalTokens: number;
+}
+interface ChatChunk {
+    /** Incremental text delta. */
+    delta: string;
+    /** Incremental tool call delta (partial). */
+    toolCallDelta?: Partial<ToolCall> & {
+        index?: number;
+    };
+    /** Set on the final chunk. */
+    finishReason?: ChatResponse['finishReason'];
+    /** Set on the final chunk. */
+    usage?: TokenUsage;
+}
+interface EmbeddingRequest {
+    input: string | string[];
+    model?: string;
+    /** Adapter-specific options. */
+    extra?: Record<string, unknown>;
+}
+interface EmbeddingResponse {
+    embeddings: number[][];
+    usage?: {
+        totalTokens: number;
+    };
+    raw?: unknown;
+}
+interface AIAdapter {
+    /** Send a chat completion request. */
+    chat(request: ChatRequest): Promise<ChatResponse>;
+    /** Stream a chat completion. Adapters may omit this (falls back to chat). */
+    stream?(request: ChatRequest): AsyncIterable<ChatChunk>;
+    /** Generate embeddings. Optional capability. */
+    embeddings?(request: EmbeddingRequest): Promise<EmbeddingResponse>;
+}
+interface OpenAIConfig {
+    apiKey: string;
+    baseURL?: string;
+    organization?: string;
+    defaultModel?: string;
+}
+interface AnthropicConfig {
+    apiKey: string;
+    baseURL?: string;
+    defaultModel?: string;
+}
+interface GoogleConfig {
+    apiKey: string;
+    defaultModel?: string;
+}
+interface OllamaConfig {
+    baseURL?: string;
+    defaultModel?: string;
+}
+interface AIHooks {
+    /** Called before every chat request. Can modify the request. */
+    onBeforeChat?: (request: ChatRequest) => ChatRequest | Promise<ChatRequest>;
+    /** Called after every chat response. Can modify the response. */
+    onAfterChat?: (response: ChatResponse, request: ChatRequest) => ChatResponse | Promise<ChatResponse>;
+    /**
+     * Called on any adapter error.
+     *
+     * `context.request` carries the full prompt (and any provider error may
+     * originate from the underlying SDK and reference request metadata), so do
+     * not forward these verbatim to an untrusted or shared log sink — redact or
+     * summarise first.
+     */
+    onError?: (error: Error, context: {
+        method: string;
+        request?: ChatRequest;
+    }) => void;
+}
+interface RetryConfig {
+    /** Max number of retries (default: 0 = no retry). */
+    maxRetries?: number;
+    /** Base delay in ms (default: 1000). Doubles on each attempt (exponential backoff). */
+    baseDelay?: number;
+    /** Whether to retry on this error. Default: retries on network errors and 429/500+ status codes. */
+    shouldRetry?: (error: Error) => boolean;
+}
+
+export type { AIAdapter as A, ChatChunk as C, EmbeddingRequest as E, GoogleConfig as G, ImageContent as I, JsonSchema as J, MessageContent as M, OllamaConfig as O, RetryConfig as R, TextContent as T, AIHooks as a, AnthropicConfig as b, ChatMessage as c, ChatRequest as d, ChatResponse as e, EmbeddingResponse as f, MessageRole as g, OpenAIConfig as h, TokenUsage as i, ToolCall as j, ToolCallContent as k, ToolDefinition as l, ToolResultContent as m };

package/dist/types-BcCKlL06.d.ts

@@ -0,0 +1,157 @@
+type MessageRole = 'system' | 'user' | 'assistant' | 'tool';
+interface TextContent {
+    type: 'text';
+    text: string;
+}
+interface ImageContent {
+    type: 'image';
+    /** Base64-encoded image data or a URL. */
+    source: string;
+    mediaType?: string;
+}
+interface ToolCallContent {
+    type: 'tool_call';
+    id: string;
+    name: string;
+    arguments: Record<string, unknown>;
+}
+interface ToolResultContent {
+    type: 'tool_result';
+    id: string;
+    content: string;
+    isError?: boolean;
+}
+type MessageContent = string | TextContent | ImageContent | ToolCallContent | ToolResultContent;
+interface ChatMessage {
+    role: MessageRole;
+    content: MessageContent | MessageContent[];
+    name?: string;
+}
+interface ToolDefinition {
+    name: string;
+    description: string;
+    parameters: JsonSchema;
+}
+interface JsonSchema {
+    type: string;
+    properties?: Record<string, JsonSchema & {
+        description?: string;
+    }>;
+    required?: string[];
+    items?: JsonSchema;
+    enum?: unknown[];
+    description?: string;
+    [key: string]: unknown;
+}
+interface ChatRequest {
+    messages: ChatMessage[];
+    model?: string;
+    temperature?: number;
+    maxTokens?: number;
+    topP?: number;
+    stop?: string[];
+    tools?: ToolDefinition[];
+    toolChoice?: 'auto' | 'none' | 'required' | {
+        name: string;
+    };
+    /** Adapter-specific options passed through untouched. */
+    extra?: Record<string, unknown>;
+}
+interface ToolCall {
+    id: string;
+    name: string;
+    arguments: Record<string, unknown>;
+}
+interface ChatResponse {
+    content: string;
+    toolCalls?: ToolCall[];
+    finishReason: 'stop' | 'tool_calls' | 'length' | 'error';
+    usage?: TokenUsage;
+    /** Raw response from the provider for advanced use cases. */
+    raw?: unknown;
+}
+interface TokenUsage {
+    promptTokens: number;
+    completionTokens: number;
+    totalTokens: number;
+}
+interface ChatChunk {
+    /** Incremental text delta. */
+    delta: string;
+    /** Incremental tool call delta (partial). */
+    toolCallDelta?: Partial<ToolCall> & {
+        index?: number;
+    };
+    /** Set on the final chunk. */
+    finishReason?: ChatResponse['finishReason'];
+    /** Set on the final chunk. */
+    usage?: TokenUsage;
+}
+interface EmbeddingRequest {
+    input: string | string[];
+    model?: string;
+    /** Adapter-specific options. */
+    extra?: Record<string, unknown>;
+}
+interface EmbeddingResponse {
+    embeddings: number[][];
+    usage?: {
+        totalTokens: number;
+    };
+    raw?: unknown;
+}
+interface AIAdapter {
+    /** Send a chat completion request. */
+    chat(request: ChatRequest): Promise<ChatResponse>;
+    /** Stream a chat completion. Adapters may omit this (falls back to chat). */
+    stream?(request: ChatRequest): AsyncIterable<ChatChunk>;
+    /** Generate embeddings. Optional capability. */
+    embeddings?(request: EmbeddingRequest): Promise<EmbeddingResponse>;
+}
+interface OpenAIConfig {
+    apiKey: string;
+    baseURL?: string;
+    organization?: string;
+    defaultModel?: string;
+}
+interface AnthropicConfig {
+    apiKey: string;
+    baseURL?: string;
+    defaultModel?: string;
+}
+interface GoogleConfig {
+    apiKey: string;
+    defaultModel?: string;
+}
+interface OllamaConfig {
+    baseURL?: string;
+    defaultModel?: string;
+}
+interface AIHooks {
+    /** Called before every chat request. Can modify the request. */
+    onBeforeChat?: (request: ChatRequest) => ChatRequest | Promise<ChatRequest>;
+    /** Called after every chat response. Can modify the response. */
+    onAfterChat?: (response: ChatResponse, request: ChatRequest) => ChatResponse | Promise<ChatResponse>;
+    /**
+     * Called on any adapter error.
+     *
+     * `context.request` carries the full prompt (and any provider error may
+     * originate from the underlying SDK and reference request metadata), so do
+     * not forward these verbatim to an untrusted or shared log sink — redact or
+     * summarise first.
+     */
+    onError?: (error: Error, context: {
+        method: string;
+        request?: ChatRequest;
+    }) => void;
+}
+interface RetryConfig {
+    /** Max number of retries (default: 0 = no retry). */
+    maxRetries?: number;
+    /** Base delay in ms (default: 1000). Doubles on each attempt (exponential backoff). */
+    baseDelay?: number;
+    /** Whether to retry on this error. Default: retries on network errors and 429/500+ status codes. */
+    shouldRetry?: (error: Error) => boolean;
+}
+
+export type { AIAdapter as A, ChatChunk as C, EmbeddingRequest as E, GoogleConfig as G, ImageContent as I, JsonSchema as J, MessageContent as M, OllamaConfig as O, RetryConfig as R, TextContent as T, AIHooks as a, AnthropicConfig as b, ChatMessage as c, ChatRequest as d, ChatResponse as e, EmbeddingResponse as f, MessageRole as g, OpenAIConfig as h, TokenUsage as i, ToolCall as j, ToolCallContent as k, ToolDefinition as l, ToolResultContent as m };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@matthesketh/utopia-ai",
-  "version": "0.7.1",
+  "version": "0.8.1",
   "description": "AI adapters and MCP support for UtopiaJS",
   "type": "module",
   "license": "MIT",