npm - @mcphero/vercel - Versions diffs - 1.2.0 → 1.3.0 - Mend

@mcphero/vercel 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,5 +1,5 @@
-> @mcphero/vercel@1.1.7 build /Users/atomic/projects/ai/mcphero/packages/vercel
+> @mcphero/vercel@1.2.0 build /Users/atomic/projects/ai/mcphero/packages/vercel
 > tsup
 CLI Building entry: src/index.ts
@@ -9,9 +9,9 @@ CLI Using tsup config: /Users/atomic/projects/ai/mcphero/packages/vercel/tsup.co
 CLI Target: es2022
 CLI Cleaning output folder
 ESM Build start
-ESM build/index.js     6.46 KB
-ESM build/index.js.map 11.48 KB
-ESM ⚡️ Build success in 7ms
+ESM build/index.js     6.62 KB
+ESM build/index.js.map 12.29 KB
+ESM ⚡️ Build success in 9ms
 DTS Build start
-DTS ⚡️ Build success in 696ms
-DTS build/index.d.ts 593.00 B
+DTS ⚡️ Build success in 666ms
+DTS build/index.d.ts 612.00 B

package/.turbo/turbo-check.log CHANGED Viewed

@@ -1,12 +1,12 @@
-> @mcphero/vercel@1.1.7 check /Users/atomic/projects/ai/mcphero/packages/vercel
+> @mcphero/vercel@1.2.0 check /Users/atomic/projects/ai/mcphero/packages/vercel
 > pnpm lint && pnpm typecheck
-> @mcphero/vercel@1.1.7 lint /Users/atomic/projects/ai/mcphero/packages/vercel
+> @mcphero/vercel@1.2.0 lint /Users/atomic/projects/ai/mcphero/packages/vercel
 > eslint
-> @mcphero/vercel@1.1.7 typecheck /Users/atomic/projects/ai/mcphero/packages/vercel
+> @mcphero/vercel@1.2.0 typecheck /Users/atomic/projects/ai/mcphero/packages/vercel
 > tsc --noEmit

package/.turbo/turbo-lint.log ADDED Viewed

@@ -0,0 +1,5 @@
+> @mcphero/vercel@1.2.0 lint /Users/atomic/projects/ai/mcphero/packages/vercel
+> eslint

package/.turbo/turbo-prepack.log CHANGED Viewed

@@ -1,14 +1,14 @@
-> @mcphero/vercel@1.1.7 prepack /Users/atomic/projects/ai/mcphero/packages/vercel
+> @mcphero/vercel@1.2.0 prepack /Users/atomic/projects/ai/mcphero/packages/vercel
 > pnpm clean && pnpm build
-> @mcphero/vercel@1.1.7 clean /Users/atomic/projects/ai/mcphero/packages/vercel
+> @mcphero/vercel@1.2.0 clean /Users/atomic/projects/ai/mcphero/packages/vercel
 > rimraf build
-> @mcphero/vercel@1.1.7 build /Users/atomic/projects/ai/mcphero/packages/vercel
+> @mcphero/vercel@1.2.0 build /Users/atomic/projects/ai/mcphero/packages/vercel
 > tsup
 [34mCLI[39m Building entry: src/index.ts
@@ -20,7 +20,7 @@
 [34mESM[39m Build start
 [32mESM[39m [1mbuild/index.js     [22m[32m6.46 KB[39m
 [32mESM[39m [1mbuild/index.js.map [22m[32m11.48 KB[39m
-[32mESM[39m ⚡️ Build success in 9ms
+[32mESM[39m ⚡️ Build success in 12ms
 DTS Build start
-DTS ⚡️ Build success in 732ms
+DTS ⚡️ Build success in 868ms
 DTS build/index.d.ts 593.00 B

package/build/index.d.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import { AdapterGenerator } from '@mcphero/core';
 interface VercelAdapterOptions {
     enableJsonResponse?: boolean;
     auth?: AuthConfig;
+    path?: string;
 }
 interface VercelAdapter {
     adapter: AdapterGenerator;

package/build/index.js CHANGED Viewed

@@ -7,11 +7,13 @@ import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/
 import { capitalCase, pascalCase } from "change-case";
 var CORS_HEADERS = {
   "Access-Control-Allow-Origin": "*",
-  "Access-Control-Allow-Methods": "GET, OPTIONS",
+  "Access-Control-Allow-Methods": "GET, POST, DELETE, OPTIONS",
   "Access-Control-Allow-Headers": "*",
   "Access-Control-Max-Age": "86400"
 };
 function vercel(options = {}) {
+  const mcpPath = options.path ?? "/mcp";
+  const callbackPath = options.auth?.callbackPath ?? "/auth/callback";
   let _actions = [];
   let _options = null;
   let _context = null;
@@ -19,73 +21,48 @@ function vercel(options = {}) {
   const _ready = new Promise((resolve) => {
     _readyResolve = resolve;
   });
+  const validPaths = /* @__PURE__ */ new Set([mcpPath]);
+  if (options.auth?.authorizationServers?.length && options.auth.resourceUrl) {
+    validPaths.add("/.well-known/oauth-protected-resource");
+  }
+  if (options.auth?.provider) {
+    validPaths.add("/.well-known/oauth-authorization-server");
+    validPaths.add("/authorize");
+    validPaths.add(callbackPath);
+    validPaths.add("/token");
+    validPaths.add("/register");
+  }
+  const oauthPaths = options.auth?.provider ? {
+    "/.well-known/oauth-authorization-server": ["GET"],
+    "/authorize": ["GET"],
+    [callbackPath]: ["GET"],
+    "/token": ["POST"],
+    "/register": ["POST"]
+  } : null;
   const handleRequest = async (request) => {
-    await _ready;
     const url = new URL(request.url);
-    if (options.auth?.authorizationServers?.length && options.auth.resourceUrl) {
-      if (url.pathname === "/.well-known/oauth-protected-resource" || url.pathname.endsWith("/.well-known/oauth-protected-resource")) {
-        if (request.method === "OPTIONS") {
-          return new Response(null, { status: 200, headers: CORS_HEADERS });
-        }
-        const metadata = generateProtectedResourceMetadata(options.auth.resourceUrl, options.auth.authorizationServers);
-        return new Response(JSON.stringify(metadata), {
-          headers: { ...CORS_HEADERS, "Content-Type": "application/json", "Cache-Control": "max-age=3600" }
-        });
-      }
+    if (!validPaths.has(url.pathname)) {
+      return new Response("Not Found", { status: 404 });
     }
-    if (options.auth?.provider) {
-      const provider = options.auth.provider;
-      const oauthPaths = {
-        "/.well-known/oauth-authorization-server": ["GET"],
-        "/authorize": ["GET"],
-        "/auth/callback": ["GET"],
-        "/token": ["POST"],
-        "/register": ["POST"]
-      };
-      const match = Object.entries(oauthPaths).find(([path]) => url.pathname === path || url.pathname.endsWith(path));
-      if (match) {
-        const [, methods] = match;
-        if (request.method === "OPTIONS") {
-          return new Response(null, { status: 200, headers: CORS_HEADERS });
-        }
+    if (request.method === "OPTIONS") {
+      return new Response(null, { status: 200, headers: CORS_HEADERS });
+    }
+    if (url.pathname === "/.well-known/oauth-protected-resource") {
+      const metadata = generateProtectedResourceMetadata(options.auth.resourceUrl, options.auth.authorizationServers);
+      return new Response(JSON.stringify(metadata), {
+        headers: { ...CORS_HEADERS, "Content-Type": "application/json", "Cache-Control": "max-age=3600" }
+      });
+    }
+    if (oauthPaths) {
+      const methods = oauthPaths[url.pathname];
+      if (methods) {
         if (!methods.includes(request.method)) {
           return new Response("Method not allowed", { status: 405 });
         }
-        const toOAuthReq = async () => {
-          let body;
-          if (request.method === "POST") {
-            const contentType = request.headers.get("content-type") ?? "";
-            const text = await request.text();
-            if (contentType.includes("json")) {
-              body = JSON.parse(text);
-            } else {
-              body = Object.fromEntries(new URLSearchParams(text));
-            }
-          }
-          return {
-            method: request.method,
-            url,
-            headers: Object.fromEntries(request.headers.entries()),
-            body
-          };
-        };
-        const oauthReq = await toOAuthReq();
-        let oauthRes;
-        if (url.pathname.endsWith("/.well-known/oauth-authorization-server")) {
-          oauthRes = provider.metadata();
-        } else if (url.pathname.endsWith("/authorize")) {
-          oauthRes = await provider.authorize(oauthReq);
-        } else if (url.pathname.endsWith("/auth/callback")) {
-          oauthRes = await provider.callback(oauthReq);
-        } else if (url.pathname.endsWith("/token")) {
-          oauthRes = await provider.token(oauthReq);
-        } else {
-          oauthRes = await provider.register(oauthReq);
-        }
-        const responseBody = oauthRes.body ? typeof oauthRes.body === "string" ? oauthRes.body : JSON.stringify(oauthRes.body) : null;
-        return new Response(responseBody, { status: oauthRes.status, headers: oauthRes.headers });
+        return handleOAuth(url, request, options.auth.provider);
       }
     }
+    await _ready;
     let requestContext = _context;
     if (options.auth) {
       const result = await validateToken(request.headers.get("authorization"), options.auth);
@@ -150,6 +127,41 @@ function vercel(options = {}) {
     await server.connect(transport);
     return transport.handleRequest(request);
   };
+  async function handleOAuth(url, request, provider) {
+    const toOAuthReq = async () => {
+      let body;
+      if (request.method === "POST") {
+        const contentType = request.headers.get("content-type") ?? "";
+        const text = await request.text();
+        if (contentType.includes("json")) {
+          body = JSON.parse(text);
+        } else {
+          body = Object.fromEntries(new URLSearchParams(text));
+        }
+      }
+      return {
+        method: request.method,
+        url,
+        headers: Object.fromEntries(request.headers.entries()),
+        body
+      };
+    };
+    const oauthReq = await toOAuthReq();
+    let oauthRes;
+    if (url.pathname === "/.well-known/oauth-authorization-server") {
+      oauthRes = provider.metadata();
+    } else if (url.pathname === "/authorize") {
+      oauthRes = await provider.authorize(oauthReq);
+    } else if (url.pathname === callbackPath) {
+      oauthRes = await provider.callback(oauthReq);
+    } else if (url.pathname === "/token") {
+      oauthRes = await provider.token(oauthReq);
+    } else {
+      oauthRes = await provider.register(oauthReq);
+    }
+    const responseBody = oauthRes.body ? typeof oauthRes.body === "string" ? oauthRes.body : JSON.stringify(oauthRes.body) : null;
+    return new Response(responseBody, { status: oauthRes.status, headers: oauthRes.headers });
+  }
   const adapter = (mcpHeroOptions, baseContext) => {
     _options = mcpHeroOptions;
     _context = baseContext.fork({ adapter: "vercel" });

package/build/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/adapter/vercel.ts"],"sourcesContent":["import { AuthConfig, generateProtectedResourceMetadata, OAuthRequest, validateToken } from '@mcphero/auth'\nimport { Action, AdapterGenerator, MCPHeroContext, MCPHeroOptions, toolResponse } from '@mcphero/core'\nimport { createLogger } from '@mcphero/logger'\nimport { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'\nimport { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js'\nimport { capitalCase, pascalCase } from 'change-case'\n\nexport interface VercelAdapterOptions {\n enableJsonResponse?: boolean\n auth?: AuthConfig\n}\n\nexport interface VercelAdapter {\n adapter: AdapterGenerator\n handler: (request: Request) => Promise<Response>\n GET: (request: Request) => Promise<Response>\n POST: (request: Request) => Promise<Response>\n DELETE: (request: Request) => Promise<Response>\n}\n\nconst CORS_HEADERS: Record<string, string> = {\n 'Access-Control-Allow-Origin': '',\n 'Access-Control-Allow-Methods': 'GET, OPTIONS',\n 'Access-Control-Allow-Headers': '',\n 'Access-Control-Max-Age': '86400'\n}\n\nexport function vercel(options: VercelAdapterOptions = {}): VercelAdapter {\n let _actions: Action[] = []\n let _options: MCPHeroOptions \| null = null\n let _context: MCPHeroContext \| null = null\n let _readyResolve: () => void\n const _ready = new Promise<void>((resolve) => {\n _readyResolve = resolve\n })\n\n const handleRequest = async (request: Request): Promise<Response> => {\n await _ready\n\n const url = new URL(request.url)\n\n if (options.auth?.authorizationServers?.length && options.auth.resourceUrl) {\n if (url.pathname === '/.well-known/oauth-protected-resource' \|\| url.pathname.endsWith('/.well-known/oauth-protected-resource')) {\n if (request.method === 'OPTIONS') {\n return new Response(null, { status: 200, headers: CORS_HEADERS })\n }\n const metadata = generateProtectedResourceMetadata(options.auth.resourceUrl, options.auth.authorizationServers)\n return new Response(JSON.stringify(metadata), {\n headers: { ...CORS_HEADERS, 'Content-Type': 'application/json', 'Cache-Control': 'max-age=3600' }\n })\n }\n }\n\n if (options.auth?.provider) {\n const provider = options.auth.provider\n const oauthPaths: Record<string, string[]> = {\n '/.well-known/oauth-authorization-server': ['GET'],\n '/authorize': ['GET'],\n '/auth/callback': ['GET'],\n '/token': ['POST'],\n '/register': ['POST']\n }\n const match = Object.entries(oauthPaths).find(([path]) => url.pathname === path \|\| url.pathname.endsWith(path))\n if (match) {\n const [, methods] = match\n if (request.method === 'OPTIONS') {\n return new Response(null, { status: 200, headers: CORS_HEADERS })\n }\n if (!methods.includes(request.method)) {\n return new Response('Method not allowed', { status: 405 })\n }\n const toOAuthReq = async (): Promise<OAuthRequest> => {\n let body: Record<string, string> \| undefined\n if (request.method === 'POST') {\n const contentType = request.headers.get('content-type') ?? ''\n const text = await request.text()\n if (contentType.includes('json')) {\n body = JSON.parse(text)\n } else {\n body = Object.fromEntries(new URLSearchParams(text))\n }\n }\n return {\n method: request.method,\n url,\n headers: Object.fromEntries(request.headers.entries()),\n body\n }\n }\n const oauthReq = await toOAuthReq()\n let oauthRes\n if (url.pathname.endsWith('/.well-known/oauth-authorization-server')) {\n oauthRes = provider.metadata()\n } else if (url.pathname.endsWith('/authorize')) {\n oauthRes = await provider.authorize(oauthReq)\n } else if (url.pathname.endsWith('/auth/callback')) {\n oauthRes = await provider.callback(oauthReq)\n } else if (url.pathname.endsWith('/token')) {\n oauthRes = await provider.token(oauthReq)\n } else {\n oauthRes = await provider.register(oauthReq)\n }\n const responseBody = oauthRes.body ? (typeof oauthRes.body === 'string' ? oauthRes.body : JSON.stringify(oauthRes.body)) : null\n return new Response(responseBody, { status: oauthRes.status, headers: oauthRes.headers })\n }\n }\n\n let requestContext = _context!\n if (options.auth) {\n const result = await validateToken(request.headers.get('authorization'), options.auth)\n if (result.error) {\n return new Response(JSON.stringify(result.error.body), {\n status: result.error.statusCode,\n headers: result.error.headers\n })\n }\n if (result.auth) {\n requestContext = _context!.fork({ auth: result.auth })\n }\n }\n\n const transport = new WebStandardStreamableHTTPServerTransport({\n sessionIdGenerator: undefined,\n enableJsonResponse: options.enableJsonResponse\n })\n\n const server = new McpServer({\n name: _options!.name,\n description: _options!.description,\n version: _options!.version\n }, {\n capabilities: { tools: {}, logging: {} }\n })\n\n for (const action of _actions) {\n server.registerTool(pascalCase(action.name), {\n title: capitalCase(action.name),\n description: action.description,\n inputSchema: action.input\n }, async (input, extra) => {\n const logger = createLogger({\n stream: process.stderr,\n onLog: (level, data) => {\n extra.sendNotification({ method: 'notifications/message', params: { level, data } })\n },\n onProgress: ({ progress, total, message }) => {\n if (!extra._meta?.progressToken) { return }\n extra.sendNotification({\n method: 'notifications/progress',\n params: {\n progress,\n total,\n message,\n progressToken: extra._meta.progressToken\n }\n })\n }\n })\n return action.run(input, requestContext.fork({ logger, extra })).then((result) => {\n return toolResponse(result)\n }).catch((error) => {\n if (error instanceof Error) {\n return toolResponse({ success: false, name: error.name, message: error.message, stack: error.stack })\n } else {\n return toolResponse({ success: false, name: 'Unknown Error', message: 'An unknown error occured', error })\n }\n })\n })\n }\n\n await server.connect(transport)\n return transport.handleRequest(request)\n }\n\n const adapter: AdapterGenerator = (mcpHeroOptions: MCPHeroOptions, baseContext: MCPHeroContext) => {\n _options = mcpHeroOptions\n _context = baseContext.fork({ adapter: 'vercel' })\n return {\n context: _context,\n start: async (actions) => {\n _actions = actions\n _readyResolve()\n },\n stop: async () => {\n _actions = []\n }\n }\n }\n\n return {\n adapter,\n handler: handleRequest,\n GET: handleRequest,\n POST: handleRequest,\n DELETE: handleRequest\n }\n}\n"],"mappings":";AAAA,SAAqB,mCAAiD,qBAAqB;AAC3F,SAAmE,oBAAoB;AACvF,SAAS,oBAAoB;AAC7B,SAAS,iBAAiB;AAC1B,SAAS,gDAAgD;AACzD,SAAS,aAAa,kBAAkB;AAexC,IAAM,eAAuC;AAAA,EAC3C,+BAA+B;AAAA,EAC/B,gCAAgC;AAAA,EAChC,gCAAgC;AAAA,EAChC,0BAA0B;AAC5B;AAEO,SAAS,OAAO,UAAgC,CAAC,GAAkB;AACxE,MAAI,WAAqB,CAAC;AAC1B,MAAI,WAAkC;AACtC,MAAI,WAAkC;AACtC,MAAI;AACJ,QAAM,SAAS,IAAI,QAAc,CAAC,YAAY;AAC5C,oBAAgB;AAAA,EAClB,CAAC;AAED,QAAM,gBAAgB,OAAO,YAAwC;AACnE,UAAM;AAEN,UAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAE/B,QAAI,QAAQ,MAAM,sBAAsB,UAAU,QAAQ,KAAK,aAAa;AAC1E,UAAI,IAAI,aAAa,2CAA2C,IAAI,SAAS,SAAS,uCAAuC,GAAG;AAC9H,YAAI,QAAQ,WAAW,WAAW;AAChC,iBAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,KAAK,SAAS,aAAa,CAAC;AAAA,QAClE;AACA,cAAM,WAAW,kCAAkC,QAAQ,KAAK,aAAa,QAAQ,KAAK,oBAAoB;AAC9G,eAAO,IAAI,SAAS,KAAK,UAAU,QAAQ,GAAG;AAAA,UAC5C,SAAS,EAAE,GAAG,cAAc,gBAAgB,oBAAoB,iBAAiB,eAAe;AAAA,QAClG,CAAC;AAAA,MACH;AAAA,IACF;AAEA,QAAI,QAAQ,MAAM,UAAU;AAC1B,YAAM,WAAW,QAAQ,KAAK;AAC9B,YAAM,aAAuC;AAAA,QAC3C,2CAA2C,CAAC,KAAK;AAAA,QACjD,cAAc,CAAC,KAAK;AAAA,QACpB,kBAAkB,CAAC,KAAK;AAAA,QACxB,UAAU,CAAC,MAAM;AAAA,QACjB,aAAa,CAAC,MAAM;AAAA,MACtB;AACA,YAAM,QAAQ,OAAO,QAAQ,UAAU,EAAE,KAAK,CAAC,CAAC,IAAI,MAAM,IAAI,aAAa,QAAQ,IAAI,SAAS,SAAS,IAAI,CAAC;AAC9G,UAAI,OAAO;AACT,cAAM,CAAC,EAAE,OAAO,IAAI;AACpB,YAAI,QAAQ,WAAW,WAAW;AAChC,iBAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,KAAK,SAAS,aAAa,CAAC;AAAA,QAClE;AACA,YAAI,CAAC,QAAQ,SAAS,QAAQ,MAAM,GAAG;AACrC,iBAAO,IAAI,SAAS,sBAAsB,EAAE,QAAQ,IAAI,CAAC;AAAA,QAC3D;AACA,cAAM,aAAa,YAAmC;AACpD,cAAI;AACJ,cAAI,QAAQ,WAAW,QAAQ;AAC7B,kBAAM,cAAc,QAAQ,QAAQ,IAAI,cAAc,KAAK;AAC3D,kBAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,gBAAI,YAAY,SAAS,MAAM,GAAG;AAChC,qBAAO,KAAK,MAAM,IAAI;AAAA,YACxB,OAAO;AACL,qBAAO,OAAO,YAAY,IAAI,gBAAgB,IAAI,CAAC;AAAA,YACrD;AAAA,UACF;AACA,iBAAO;AAAA,YACL,QAAQ,QAAQ;AAAA,YAChB;AAAA,YACA,SAAS,OAAO,YAAY,QAAQ,QAAQ,QAAQ,CAAC;AAAA,YACrD;AAAA,UACF;AAAA,QACF;AACA,cAAM,WAAW,MAAM,WAAW;AAClC,YAAI;AACJ,YAAI,IAAI,SAAS,SAAS,yCAAyC,GAAG;AACpE,qBAAW,SAAS,SAAS;AAAA,QAC/B,WAAW,IAAI,SAAS,SAAS,YAAY,GAAG;AAC9C,qBAAW,MAAM,SAAS,UAAU,QAAQ;AAAA,QAC9C,WAAW,IAAI,SAAS,SAAS,gBAAgB,GAAG;AAClD,qBAAW,MAAM,SAAS,SAAS,QAAQ;AAAA,QAC7C,WAAW,IAAI,SAAS,SAAS,QAAQ,GAAG;AAC1C,qBAAW,MAAM,SAAS,MAAM,QAAQ;AAAA,QAC1C,OAAO;AACL,qBAAW,MAAM,SAAS,SAAS,QAAQ;AAAA,QAC7C;AACA,cAAM,eAAe,SAAS,OAAQ,OAAO,SAAS,SAAS,WAAW,SAAS,OAAO,KAAK,UAAU,SAAS,IAAI,IAAK;AAC3H,eAAO,IAAI,SAAS,cAAc,EAAE,QAAQ,SAAS,QAAQ,SAAS,SAAS,QAAQ,CAAC;AAAA,MAC1F;AAAA,IACF;AAEA,QAAI,iBAAiB;AACrB,QAAI,QAAQ,MAAM;AAChB,YAAM,SAAS,MAAM,cAAc,QAAQ,QAAQ,IAAI,eAAe,GAAG,QAAQ,IAAI;AACrF,UAAI,OAAO,OAAO;AAChB,eAAO,IAAI,SAAS,KAAK,UAAU,OAAO,MAAM,IAAI,GAAG;AAAA,UACrD,QAAQ,OAAO,MAAM;AAAA,UACrB,SAAS,OAAO,MAAM;AAAA,QACxB,CAAC;AAAA,MACH;AACA,UAAI,OAAO,MAAM;AACf,yBAAiB,SAAU,KAAK,EAAE,MAAM,OAAO,KAAK,CAAC;AAAA,MACvD;AAAA,IACF;AAEA,UAAM,YAAY,IAAI,yCAAyC;AAAA,MAC7D,oBAAoB;AAAA,MACpB,oBAAoB,QAAQ;AAAA,IAC9B,CAAC;AAED,UAAM,SAAS,IAAI,UAAU;AAAA,MAC3B,MAAM,SAAU;AAAA,MAChB,aAAa,SAAU;AAAA,MACvB,SAAS,SAAU;AAAA,IACrB,GAAG;AAAA,MACD,cAAc,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC,EAAE;AAAA,IACzC,CAAC;AAED,eAAW,UAAU,UAAU;AAC7B,aAAO,aAAa,WAAW,OAAO,IAAI,GAAG;AAAA,QAC3C,OAAO,YAAY,OAAO,IAAI;AAAA,QAC9B,aAAa,OAAO;AAAA,QACpB,aAAa,OAAO;AAAA,MACtB,GAAG,OAAO,OAAO,UAAU;AACzB,cAAM,SAAS,aAAa;AAAA,UAC1B,QAAQ,QAAQ;AAAA,UAChB,OAAO,CAAC,OAAO,SAAS;AACtB,kBAAM,iBAAiB,EAAE,QAAQ,yBAAyB,QAAQ,EAAE,OAAO,KAAK,EAAE,CAAC;AAAA,UACrF;AAAA,UACA,YAAY,CAAC,EAAE,UAAU,OAAO,QAAQ,MAAM;AAC5C,gBAAI,CAAC,MAAM,OAAO,eAAe;AAAE;AAAA,YAAO;AAC1C,kBAAM,iBAAiB;AAAA,cACrB,QAAQ;AAAA,cACR,QAAQ;AAAA,gBACN;AAAA,gBACA;AAAA,gBACA;AAAA,gBACA,eAAe,MAAM,MAAM;AAAA,cAC7B;AAAA,YACF,CAAC;AAAA,UACH;AAAA,QACF,CAAC;AACD,eAAO,OAAO,IAAI,OAAO,eAAe,KAAK,EAAE,QAAQ,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,WAAW;AAChF,iBAAO,aAAa,MAAM;AAAA,QAC5B,CAAC,EAAE,MAAM,CAAC,UAAU;AAClB,cAAI,iBAAiB,OAAO;AAC1B,mBAAO,aAAa,EAAE,SAAS,OAAO,MAAM,MAAM,MAAM,SAAS,MAAM,SAAS,OAAO,MAAM,MAAM,CAAC;AAAA,UACtG,OAAO;AACL,mBAAO,aAAa,EAAE,SAAS,OAAO,MAAM,iBAAiB,SAAS,4BAA4B,MAAM,CAAC;AAAA,UAC3G;AAAA,QACF,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAEA,UAAM,OAAO,QAAQ,SAAS;AAC9B,WAAO,UAAU,cAAc,OAAO;AAAA,EACxC;AAEA,QAAM,UAA4B,CAAC,gBAAgC,gBAAgC;AACjG,eAAW;AACX,eAAW,YAAY,KAAK,EAAE,SAAS,SAAS,CAAC;AACjD,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,OAAO,YAAY;AACxB,mBAAW;AACX,sBAAc;AAAA,MAChB;AAAA,MACA,MAAM,YAAY;AAChB,mBAAW,CAAC;AAAA,MACd;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,SAAS;AAAA,IACT,KAAK;AAAA,IACL,MAAM;AAAA,IACN,QAAQ;AAAA,EACV;AACF;","names":[]}
1	+ {"version":3,"sources":["../src/adapter/vercel.ts"],"sourcesContent":["import { AuthConfig, generateProtectedResourceMetadata, OAuthRequest, validateToken } from '@mcphero/auth'\nimport { Action, AdapterGenerator, MCPHeroContext, MCPHeroOptions, toolResponse } from '@mcphero/core'\nimport { createLogger } from '@mcphero/logger'\nimport { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'\nimport { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js'\nimport { capitalCase, pascalCase } from 'change-case'\n\nexport interface VercelAdapterOptions {\n enableJsonResponse?: boolean\n auth?: AuthConfig\n path?: string\n}\n\nexport interface VercelAdapter {\n adapter: AdapterGenerator\n handler: (request: Request) => Promise<Response>\n GET: (request: Request) => Promise<Response>\n POST: (request: Request) => Promise<Response>\n DELETE: (request: Request) => Promise<Response>\n}\n\nconst CORS_HEADERS: Record<string, string> = {\n 'Access-Control-Allow-Origin': '',\n 'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',\n 'Access-Control-Allow-Headers': '',\n 'Access-Control-Max-Age': '86400'\n}\n\nexport function vercel(options: VercelAdapterOptions = {}): VercelAdapter {\n const mcpPath = options.path ?? '/mcp'\n const callbackPath = options.auth?.callbackPath ?? '/auth/callback'\n\n let _actions: Action[] = []\n let _options: MCPHeroOptions \| null = null\n let _context: MCPHeroContext \| null = null\n let _readyResolve: () => void\n const _ready = new Promise<void>((resolve) => {\n _readyResolve = resolve\n })\n\n // Pre-compute valid paths for fast rejection of bogus requests\n const validPaths = new Set<string>([mcpPath])\n if (options.auth?.authorizationServers?.length && options.auth.resourceUrl) {\n validPaths.add('/.well-known/oauth-protected-resource')\n }\n if (options.auth?.provider) {\n validPaths.add('/.well-known/oauth-authorization-server')\n validPaths.add('/authorize')\n validPaths.add(callbackPath)\n validPaths.add('/token')\n validPaths.add('/register')\n }\n\n // OAuth path → allowed methods (built once, not per-request)\n const oauthPaths: Record<string, string[]> \| null = options.auth?.provider\n ? {\n '/.well-known/oauth-authorization-server': ['GET'],\n '/authorize': ['GET'],\n [callbackPath]: ['GET'],\n '/token': ['POST'],\n '/register': ['POST']\n }\n : null\n\n const handleRequest = async (request: Request): Promise<Response> => {\n const url = new URL(request.url)\n\n // Fast rejection — no async work, no allocations for unknown paths\n if (!validPaths.has(url.pathname)) {\n return new Response('Not Found', { status: 404 })\n }\n\n // CORS preflight\n if (request.method === 'OPTIONS') {\n return new Response(null, { status: 200, headers: CORS_HEADERS })\n }\n\n // Protected resource metadata (RFC 9728)\n if (url.pathname === '/.well-known/oauth-protected-resource') {\n const metadata = generateProtectedResourceMetadata(options.auth!.resourceUrl!, options.auth!.authorizationServers!)\n return new Response(JSON.stringify(metadata), {\n headers: { ...CORS_HEADERS, 'Content-Type': 'application/json', 'Cache-Control': 'max-age=3600' }\n })\n }\n\n // OAuth provider routes\n if (oauthPaths) {\n const methods = oauthPaths[url.pathname]\n if (methods) {\n if (!methods.includes(request.method)) {\n return new Response('Method not allowed', { status: 405 })\n }\n return handleOAuth(url, request, options.auth!.provider!)\n }\n }\n\n // MCP transport — wait for mcphero().start() to complete\n await _ready\n\n let requestContext = _context!\n if (options.auth) {\n const result = await validateToken(request.headers.get('authorization'), options.auth)\n if (result.error) {\n return new Response(JSON.stringify(result.error.body), {\n status: result.error.statusCode,\n headers: result.error.headers\n })\n }\n if (result.auth) {\n requestContext = _context!.fork({ auth: result.auth })\n }\n }\n\n const transport = new WebStandardStreamableHTTPServerTransport({\n sessionIdGenerator: undefined,\n enableJsonResponse: options.enableJsonResponse\n })\n\n const server = new McpServer({\n name: _options!.name,\n description: _options!.description,\n version: _options!.version\n }, {\n capabilities: { tools: {}, logging: {} }\n })\n\n for (const action of _actions) {\n server.registerTool(pascalCase(action.name), {\n title: capitalCase(action.name),\n description: action.description,\n inputSchema: action.input\n }, async (input, extra) => {\n const logger = createLogger({\n stream: process.stderr,\n onLog: (level, data) => {\n extra.sendNotification({ method: 'notifications/message', params: { level, data } })\n },\n onProgress: ({ progress, total, message }) => {\n if (!extra._meta?.progressToken) { return }\n extra.sendNotification({\n method: 'notifications/progress',\n params: {\n progress,\n total,\n message,\n progressToken: extra._meta.progressToken\n }\n })\n }\n })\n return action.run(input, requestContext.fork({ logger, extra })).then((result) => {\n return toolResponse(result)\n }).catch((error) => {\n if (error instanceof Error) {\n return toolResponse({ success: false, name: error.name, message: error.message, stack: error.stack })\n } else {\n return toolResponse({ success: false, name: 'Unknown Error', message: 'An unknown error occured', error })\n }\n })\n })\n }\n\n await server.connect(transport)\n return transport.handleRequest(request)\n }\n\n async function handleOAuth(url: URL, request: Request, provider: NonNullable<AuthConfig['provider']>): Promise<Response> {\n const toOAuthReq = async (): Promise<OAuthRequest> => {\n let body: Record<string, string> \| undefined\n if (request.method === 'POST') {\n const contentType = request.headers.get('content-type') ?? ''\n const text = await request.text()\n if (contentType.includes('json')) {\n body = JSON.parse(text)\n } else {\n body = Object.fromEntries(new URLSearchParams(text))\n }\n }\n return {\n method: request.method,\n url,\n headers: Object.fromEntries(request.headers.entries()),\n body\n }\n }\n\n const oauthReq = await toOAuthReq()\n let oauthRes\n if (url.pathname === '/.well-known/oauth-authorization-server') {\n oauthRes = provider.metadata()\n } else if (url.pathname === '/authorize') {\n oauthRes = await provider.authorize(oauthReq)\n } else if (url.pathname === callbackPath) {\n oauthRes = await provider.callback(oauthReq)\n } else if (url.pathname === '/token') {\n oauthRes = await provider.token(oauthReq)\n } else {\n oauthRes = await provider.register(oauthReq)\n }\n\n const responseBody = oauthRes.body ? (typeof oauthRes.body === 'string' ? oauthRes.body : JSON.stringify(oauthRes.body)) : null\n return new Response(responseBody, { status: oauthRes.status, headers: oauthRes.headers })\n }\n\n const adapter: AdapterGenerator = (mcpHeroOptions: MCPHeroOptions, baseContext: MCPHeroContext) => {\n _options = mcpHeroOptions\n _context = baseContext.fork({ adapter: 'vercel' })\n return {\n context: _context,\n start: async (actions) => {\n _actions = actions\n _readyResolve()\n },\n stop: async () => {\n _actions = []\n }\n }\n }\n\n return {\n adapter,\n handler: handleRequest,\n GET: handleRequest,\n POST: handleRequest,\n DELETE: handleRequest\n }\n}\n"],"mappings":";AAAA,SAAqB,mCAAiD,qBAAqB;AAC3F,SAAmE,oBAAoB;AACvF,SAAS,oBAAoB;AAC7B,SAAS,iBAAiB;AAC1B,SAAS,gDAAgD;AACzD,SAAS,aAAa,kBAAkB;AAgBxC,IAAM,eAAuC;AAAA,EAC3C,+BAA+B;AAAA,EAC/B,gCAAgC;AAAA,EAChC,gCAAgC;AAAA,EAChC,0BAA0B;AAC5B;AAEO,SAAS,OAAO,UAAgC,CAAC,GAAkB;AACxE,QAAM,UAAU,QAAQ,QAAQ;AAChC,QAAM,eAAe,QAAQ,MAAM,gBAAgB;AAEnD,MAAI,WAAqB,CAAC;AAC1B,MAAI,WAAkC;AACtC,MAAI,WAAkC;AACtC,MAAI;AACJ,QAAM,SAAS,IAAI,QAAc,CAAC,YAAY;AAC5C,oBAAgB;AAAA,EAClB,CAAC;AAGD,QAAM,aAAa,oBAAI,IAAY,CAAC,OAAO,CAAC;AAC5C,MAAI,QAAQ,MAAM,sBAAsB,UAAU,QAAQ,KAAK,aAAa;AAC1E,eAAW,IAAI,uCAAuC;AAAA,EACxD;AACA,MAAI,QAAQ,MAAM,UAAU;AAC1B,eAAW,IAAI,yCAAyC;AACxD,eAAW,IAAI,YAAY;AAC3B,eAAW,IAAI,YAAY;AAC3B,eAAW,IAAI,QAAQ;AACvB,eAAW,IAAI,WAAW;AAAA,EAC5B;AAGA,QAAM,aAA8C,QAAQ,MAAM,WAC9D;AAAA,IACA,2CAA2C,CAAC,KAAK;AAAA,IACjD,cAAc,CAAC,KAAK;AAAA,IACpB,CAAC,YAAY,GAAG,CAAC,KAAK;AAAA,IACtB,UAAU,CAAC,MAAM;AAAA,IACjB,aAAa,CAAC,MAAM;AAAA,EACtB,IACE;AAEJ,QAAM,gBAAgB,OAAO,YAAwC;AACnE,UAAM,MAAM,IAAI,IAAI,QAAQ,GAAG;AAG/B,QAAI,CAAC,WAAW,IAAI,IAAI,QAAQ,GAAG;AACjC,aAAO,IAAI,SAAS,aAAa,EAAE,QAAQ,IAAI,CAAC;AAAA,IAClD;AAGA,QAAI,QAAQ,WAAW,WAAW;AAChC,aAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,KAAK,SAAS,aAAa,CAAC;AAAA,IAClE;AAGA,QAAI,IAAI,aAAa,yCAAyC;AAC5D,YAAM,WAAW,kCAAkC,QAAQ,KAAM,aAAc,QAAQ,KAAM,oBAAqB;AAClH,aAAO,IAAI,SAAS,KAAK,UAAU,QAAQ,GAAG;AAAA,QAC5C,SAAS,EAAE,GAAG,cAAc,gBAAgB,oBAAoB,iBAAiB,eAAe;AAAA,MAClG,CAAC;AAAA,IACH;AAGA,QAAI,YAAY;AACd,YAAM,UAAU,WAAW,IAAI,QAAQ;AACvC,UAAI,SAAS;AACX,YAAI,CAAC,QAAQ,SAAS,QAAQ,MAAM,GAAG;AACrC,iBAAO,IAAI,SAAS,sBAAsB,EAAE,QAAQ,IAAI,CAAC;AAAA,QAC3D;AACA,eAAO,YAAY,KAAK,SAAS,QAAQ,KAAM,QAAS;AAAA,MAC1D;AAAA,IACF;AAGA,UAAM;AAEN,QAAI,iBAAiB;AACrB,QAAI,QAAQ,MAAM;AAChB,YAAM,SAAS,MAAM,cAAc,QAAQ,QAAQ,IAAI,eAAe,GAAG,QAAQ,IAAI;AACrF,UAAI,OAAO,OAAO;AAChB,eAAO,IAAI,SAAS,KAAK,UAAU,OAAO,MAAM,IAAI,GAAG;AAAA,UACrD,QAAQ,OAAO,MAAM;AAAA,UACrB,SAAS,OAAO,MAAM;AAAA,QACxB,CAAC;AAAA,MACH;AACA,UAAI,OAAO,MAAM;AACf,yBAAiB,SAAU,KAAK,EAAE,MAAM,OAAO,KAAK,CAAC;AAAA,MACvD;AAAA,IACF;AAEA,UAAM,YAAY,IAAI,yCAAyC;AAAA,MAC7D,oBAAoB;AAAA,MACpB,oBAAoB,QAAQ;AAAA,IAC9B,CAAC;AAED,UAAM,SAAS,IAAI,UAAU;AAAA,MAC3B,MAAM,SAAU;AAAA,MAChB,aAAa,SAAU;AAAA,MACvB,SAAS,SAAU;AAAA,IACrB,GAAG;AAAA,MACD,cAAc,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC,EAAE;AAAA,IACzC,CAAC;AAED,eAAW,UAAU,UAAU;AAC7B,aAAO,aAAa,WAAW,OAAO,IAAI,GAAG;AAAA,QAC3C,OAAO,YAAY,OAAO,IAAI;AAAA,QAC9B,aAAa,OAAO;AAAA,QACpB,aAAa,OAAO;AAAA,MACtB,GAAG,OAAO,OAAO,UAAU;AACzB,cAAM,SAAS,aAAa;AAAA,UAC1B,QAAQ,QAAQ;AAAA,UAChB,OAAO,CAAC,OAAO,SAAS;AACtB,kBAAM,iBAAiB,EAAE,QAAQ,yBAAyB,QAAQ,EAAE,OAAO,KAAK,EAAE,CAAC;AAAA,UACrF;AAAA,UACA,YAAY,CAAC,EAAE,UAAU,OAAO,QAAQ,MAAM;AAC5C,gBAAI,CAAC,MAAM,OAAO,eAAe;AAAE;AAAA,YAAO;AAC1C,kBAAM,iBAAiB;AAAA,cACrB,QAAQ;AAAA,cACR,QAAQ;AAAA,gBACN;AAAA,gBACA;AAAA,gBACA;AAAA,gBACA,eAAe,MAAM,MAAM;AAAA,cAC7B;AAAA,YACF,CAAC;AAAA,UACH;AAAA,QACF,CAAC;AACD,eAAO,OAAO,IAAI,OAAO,eAAe,KAAK,EAAE,QAAQ,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,WAAW;AAChF,iBAAO,aAAa,MAAM;AAAA,QAC5B,CAAC,EAAE,MAAM,CAAC,UAAU;AAClB,cAAI,iBAAiB,OAAO;AAC1B,mBAAO,aAAa,EAAE,SAAS,OAAO,MAAM,MAAM,MAAM,SAAS,MAAM,SAAS,OAAO,MAAM,MAAM,CAAC;AAAA,UACtG,OAAO;AACL,mBAAO,aAAa,EAAE,SAAS,OAAO,MAAM,iBAAiB,SAAS,4BAA4B,MAAM,CAAC;AAAA,UAC3G;AAAA,QACF,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAEA,UAAM,OAAO,QAAQ,SAAS;AAC9B,WAAO,UAAU,cAAc,OAAO;AAAA,EACxC;AAEA,iBAAe,YAAY,KAAU,SAAkB,UAAkE;AACvH,UAAM,aAAa,YAAmC;AACpD,UAAI;AACJ,UAAI,QAAQ,WAAW,QAAQ;AAC7B,cAAM,cAAc,QAAQ,QAAQ,IAAI,cAAc,KAAK;AAC3D,cAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,YAAI,YAAY,SAAS,MAAM,GAAG;AAChC,iBAAO,KAAK,MAAM,IAAI;AAAA,QACxB,OAAO;AACL,iBAAO,OAAO,YAAY,IAAI,gBAAgB,IAAI,CAAC;AAAA,QACrD;AAAA,MACF;AACA,aAAO;AAAA,QACL,QAAQ,QAAQ;AAAA,QAChB;AAAA,QACA,SAAS,OAAO,YAAY,QAAQ,QAAQ,QAAQ,CAAC;AAAA,QACrD;AAAA,MACF;AAAA,IACF;AAEA,UAAM,WAAW,MAAM,WAAW;AAClC,QAAI;AACJ,QAAI,IAAI,aAAa,2CAA2C;AAC9D,iBAAW,SAAS,SAAS;AAAA,IAC/B,WAAW,IAAI,aAAa,cAAc;AACxC,iBAAW,MAAM,SAAS,UAAU,QAAQ;AAAA,IAC9C,WAAW,IAAI,aAAa,cAAc;AACxC,iBAAW,MAAM,SAAS,SAAS,QAAQ;AAAA,IAC7C,WAAW,IAAI,aAAa,UAAU;AACpC,iBAAW,MAAM,SAAS,MAAM,QAAQ;AAAA,IAC1C,OAAO;AACL,iBAAW,MAAM,SAAS,SAAS,QAAQ;AAAA,IAC7C;AAEA,UAAM,eAAe,SAAS,OAAQ,OAAO,SAAS,SAAS,WAAW,SAAS,OAAO,KAAK,UAAU,SAAS,IAAI,IAAK;AAC3H,WAAO,IAAI,SAAS,cAAc,EAAE,QAAQ,SAAS,QAAQ,SAAS,SAAS,QAAQ,CAAC;AAAA,EAC1F;AAEA,QAAM,UAA4B,CAAC,gBAAgC,gBAAgC;AACjG,eAAW;AACX,eAAW,YAAY,KAAK,EAAE,SAAS,SAAS,CAAC;AACjD,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,OAAO,YAAY;AACxB,mBAAW;AACX,sBAAc;AAAA,MAChB;AAAA,MACA,MAAM,YAAY;AAChB,mBAAW,CAAC;AAAA,MACd;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,SAAS;AAAA,IACT,KAAK;AAAA,IACL,MAAM;AAAA,IACN,QAAQ;AAAA,EACV;AACF;","names":[]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mcphero/vercel",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "MCP Hero Vercel Serverless Adapter",
   "repository": {
     "type": "git",
@@ -14,9 +14,9 @@
     "@modelcontextprotocol/sdk": "^1.29.0",
     "change-case": "^5.4.4",
     "zod": "^4.3.6",
-    "@mcphero/auth": "1.2.0",
-    "@mcphero/logger": "1.2.0",
-    "@mcphero/core": "1.2.0"
+    "@mcphero/auth": "1.3.0",
+    "@mcphero/logger": "1.3.0",
+    "@mcphero/core": "1.3.0"
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",

package/src/adapter/vercel.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import { capitalCase, pascalCase } from 'change-case'
 export interface VercelAdapterOptions {
   enableJsonResponse?: boolean
   auth?: AuthConfig
+  path?: string
 }
 export interface VercelAdapter {
@@ -20,12 +21,15 @@ export interface VercelAdapter {
 const CORS_HEADERS: Record<string, string> = {
   'Access-Control-Allow-Origin': '*',
-  'Access-Control-Allow-Methods': 'GET, OPTIONS',
+  'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
   'Access-Control-Allow-Headers': '*',
   'Access-Control-Max-Age': '86400'
 }
 export function vercel(options: VercelAdapterOptions = {}): VercelAdapter {
+  const mcpPath = options.path ?? '/mcp'
+  const callbackPath = options.auth?.callbackPath ?? '/auth/callback'
   let _actions: Action[] = []
   let _options: MCPHeroOptions | null = null
   let _context: MCPHeroContext | null = null
@@ -34,77 +38,65 @@ export function vercel(options: VercelAdapterOptions = {}): VercelAdapter {
     _readyResolve = resolve
   })
-  const handleRequest = async (request: Request): Promise<Response> => {
-    await _ready
+  // Pre-compute valid paths for fast rejection of bogus requests
+  const validPaths = new Set<string>([mcpPath])
+  if (options.auth?.authorizationServers?.length && options.auth.resourceUrl) {
+    validPaths.add('/.well-known/oauth-protected-resource')
+  }
+  if (options.auth?.provider) {
+    validPaths.add('/.well-known/oauth-authorization-server')
+    validPaths.add('/authorize')
+    validPaths.add(callbackPath)
+    validPaths.add('/token')
+    validPaths.add('/register')
+  }
+  // OAuth path → allowed methods (built once, not per-request)
+  const oauthPaths: Record<string, string[]> | null = options.auth?.provider
+    ? {
+      '/.well-known/oauth-authorization-server': ['GET'],
+      '/authorize': ['GET'],
+      [callbackPath]: ['GET'],
+      '/token': ['POST'],
+      '/register': ['POST']
+    }
+    : null
+  const handleRequest = async (request: Request): Promise<Response> => {
     const url = new URL(request.url)
-    if (options.auth?.authorizationServers?.length && options.auth.resourceUrl) {
-      if (url.pathname === '/.well-known/oauth-protected-resource' || url.pathname.endsWith('/.well-known/oauth-protected-resource')) {
-        if (request.method === 'OPTIONS') {
-          return new Response(null, { status: 200, headers: CORS_HEADERS })
-        }
-        const metadata = generateProtectedResourceMetadata(options.auth.resourceUrl, options.auth.authorizationServers)
-        return new Response(JSON.stringify(metadata), {
-          headers: { ...CORS_HEADERS, 'Content-Type': 'application/json', 'Cache-Control': 'max-age=3600' }
-        })
-      }
+    // Fast rejection — no async work, no allocations for unknown paths
+    if (!validPaths.has(url.pathname)) {
+      return new Response('Not Found', { status: 404 })
     }
-    if (options.auth?.provider) {
-      const provider = options.auth.provider
-      const oauthPaths: Record<string, string[]> = {
-        '/.well-known/oauth-authorization-server': ['GET'],
-        '/authorize': ['GET'],
-        '/auth/callback': ['GET'],
-        '/token': ['POST'],
-        '/register': ['POST']
-      }
-      const match = Object.entries(oauthPaths).find(([path]) => url.pathname === path || url.pathname.endsWith(path))
-      if (match) {
-        const [, methods] = match
-        if (request.method === 'OPTIONS') {
-          return new Response(null, { status: 200, headers: CORS_HEADERS })
-        }
+    // CORS preflight
+    if (request.method === 'OPTIONS') {
+      return new Response(null, { status: 200, headers: CORS_HEADERS })
+    }
+    // Protected resource metadata (RFC 9728)
+    if (url.pathname === '/.well-known/oauth-protected-resource') {
+      const metadata = generateProtectedResourceMetadata(options.auth!.resourceUrl!, options.auth!.authorizationServers!)
+      return new Response(JSON.stringify(metadata), {
+        headers: { ...CORS_HEADERS, 'Content-Type': 'application/json', 'Cache-Control': 'max-age=3600' }
+      })
+    }
+    // OAuth provider routes
+    if (oauthPaths) {
+      const methods = oauthPaths[url.pathname]
+      if (methods) {
         if (!methods.includes(request.method)) {
           return new Response('Method not allowed', { status: 405 })
         }
-        const toOAuthReq = async (): Promise<OAuthRequest> => {
-          let body: Record<string, string> | undefined
-          if (request.method === 'POST') {
-            const contentType = request.headers.get('content-type') ?? ''
-            const text = await request.text()
-            if (contentType.includes('json')) {
-              body = JSON.parse(text)
-            } else {
-              body = Object.fromEntries(new URLSearchParams(text))
-            }
-          }
-          return {
-            method: request.method,
-            url,
-            headers: Object.fromEntries(request.headers.entries()),
-            body
-          }
-        }
-        const oauthReq = await toOAuthReq()
-        let oauthRes
-        if (url.pathname.endsWith('/.well-known/oauth-authorization-server')) {
-          oauthRes = provider.metadata()
-        } else if (url.pathname.endsWith('/authorize')) {
-          oauthRes = await provider.authorize(oauthReq)
-        } else if (url.pathname.endsWith('/auth/callback')) {
-          oauthRes = await provider.callback(oauthReq)
-        } else if (url.pathname.endsWith('/token')) {
-          oauthRes = await provider.token(oauthReq)
-        } else {
-          oauthRes = await provider.register(oauthReq)
-        }
-        const responseBody = oauthRes.body ? (typeof oauthRes.body === 'string' ? oauthRes.body : JSON.stringify(oauthRes.body)) : null
-        return new Response(responseBody, { status: oauthRes.status, headers: oauthRes.headers })
+        return handleOAuth(url, request, options.auth!.provider!)
       }
     }
+    // MCP transport — wait for mcphero().start() to complete
+    await _ready
     let requestContext = _context!
     if (options.auth) {
       const result = await validateToken(request.headers.get('authorization'), options.auth)
@@ -172,6 +164,44 @@ export function vercel(options: VercelAdapterOptions = {}): VercelAdapter {
     return transport.handleRequest(request)
   }
+  async function handleOAuth(url: URL, request: Request, provider: NonNullable<AuthConfig['provider']>): Promise<Response> {
+    const toOAuthReq = async (): Promise<OAuthRequest> => {
+      let body: Record<string, string> | undefined
+      if (request.method === 'POST') {
+        const contentType = request.headers.get('content-type') ?? ''
+        const text = await request.text()
+        if (contentType.includes('json')) {
+          body = JSON.parse(text)
+        } else {
+          body = Object.fromEntries(new URLSearchParams(text))
+        }
+      }
+      return {
+        method: request.method,
+        url,
+        headers: Object.fromEntries(request.headers.entries()),
+        body
+      }
+    }
+    const oauthReq = await toOAuthReq()
+    let oauthRes
+    if (url.pathname === '/.well-known/oauth-authorization-server') {
+      oauthRes = provider.metadata()
+    } else if (url.pathname === '/authorize') {
+      oauthRes = await provider.authorize(oauthReq)
+    } else if (url.pathname === callbackPath) {
+      oauthRes = await provider.callback(oauthReq)
+    } else if (url.pathname === '/token') {
+      oauthRes = await provider.token(oauthReq)
+    } else {
+      oauthRes = await provider.register(oauthReq)
+    }
+    const responseBody = oauthRes.body ? (typeof oauthRes.body === 'string' ? oauthRes.body : JSON.stringify(oauthRes.body)) : null
+    return new Response(responseBody, { status: oauthRes.status, headers: oauthRes.headers })
+  }
   const adapter: AdapterGenerator = (mcpHeroOptions: MCPHeroOptions, baseContext: MCPHeroContext) => {
     _options = mcpHeroOptions
     _context = baseContext.fork({ adapter: 'vercel' })