@nekzus/liop 2.0.1-beta.1 → 2.1.0-alpha.1

package/README.md

@@ -35,11 +35,11 @@ This fundamentally solves the data privacy, bandwidth, and latency challenges of
 | **Logic-Injection-on-Origin** | LLMs send code, not queries. Data never leaves the origin server.                                                                          |
 | **MCP Drop-in Replacement**   | `LiopServer` mirrors the Anthropic MCP `Server` API — tools, resources, and prompts with `Zod` schemas.                             |
 | **Guardian AST**              | Zero-time heuristic inspection blocks sandbox escapes (`require`, `fs`, `eval`, `fetch`, prototype pollution).                     |
-| **WASI Sandbox**              | JavaScript payloads execute inside V8 isolates with CPU fuel limits and no access to Node.js globals.                                      |
-| **PII Shield**                | Multi-layer egress filter with Regional Presets (Email, Credit Card with Luhn, IP, Phone, SSN, IBAN Mod-97, Passport MRZ) and custom keys. |
-| **ZK-Receipts**               | Cryptographic proof (SHA-256 ImageID + HMAC-SHA256 seal) that the returned result was computed honestly from the injected logic.            |
-| **Worker Pool**               | Heavy computation (crypto, sandboxing) dispatched to OS threads via `piscina`, unblocking the V8 event loop.                             |
-| **Cross-AI Adapters**         | Zero-Shot system prompts automatically adapt instructions for Claude (XML-heavy) vs OpenAI/Gemini (JSON-schema).                           |
+| **WASI Sandbox**              | JavaScript payloads execute inside V8 isolates with CPU fuel limits, no Node.js globals, and safe environment isolation (`allowEnv`). |
+| **PII Shield**                | Multi-layer egress filter with Regional Presets, custom keys, and recursive floats sanitization (`sanitizeOutput`). |
+| **ZK-Receipts**               | Cryptographic proof with `output_hash` cross-verification (Replay Mitigation) and balanced-brace proxy extraction. |
+| **Worker Pool**               | Heavy computation (crypto, sandboxing) dispatched to OS threads via `piscina` with background async warmup. |
+| **Cross-AI Adapters**         | Zero-Shot system prompts automatically adapt instructions for Claude (XML-heavy) vs OpenAI/Gemini (JSON-schema). |
 | **MCP Bridge**                | `LiopMcpBridge` adapts any `LiopServer` to the JSON-RPC 2.0 / stdio protocol used by Claude Desktop, Cursor, etc.                      |
 | **Post-Quantum Ready**        | ML-KEM-768 (Kyber) handshake + AES-256-GCM symmetric encryption for transport-layer security.                                              |
 | **P2P Mesh**                  | Kademlia DHT discovery via `libp2p` with TCP + WebSocket + Yamux multiplexing and Noise encryption.                                      |
@@ -245,6 +245,7 @@ new LiopServer(
     };
     auth?: LiopAuthConfig;         // OAuth 2.1 Hybrid authentication config
     tokenSlug?: string;            // Deterministic token resolution slug (e.g., "BANK", "VAULT")
+    allowEnv?: boolean;            // Enable safe host environment propagation (default: false)
   }
 )
 ```
@@ -300,11 +301,11 @@ await bridge.connect();
 │  Layer 1: Guardian AST (Zero-Time Static Analysis)        │
 │  14-function WASI allowlist • 128 import cap • Blocks     │
 │  require, import(), fs, eval, fetch, __proto__            │
-├───────────────────────────────────────────────────────────┤
+├───────────────────────────────────────────────────────────┐
 │  Layer 2: WASI Sandbox (V8 Isolate)                       │
 │  25 poisoned globals (incl. Date, TypedArrays) •          │
 │  CPU Fuel limits • 5s timeout • maxHeapMb (64MB default)  │
-│  Object.freeze() on 11 core prototypes (strict mode)      │
+│  Object.freeze() on 11 core prototypes • allowEnv allowlist │
 ├───────────────────────────────────────────────────────────┤
 │  Layer 3: Taint Analyzer (IFC — Static)                   │
 │  Acorn AST 3-pass analysis blocks PII side-channels:      │
@@ -312,15 +313,16 @@ await bridge.connect();
 ├───────────────────────────────────────────────────────────┤
 │  Layer 4: PII Shield (Egress Filter)                      │
 │  4-stage pipeline: exact key → fuzzy key → pattern        │
-│  validators (Luhn, IBAN Mod-97) → NER (compromise)        │
+│  validators (Luhn, IBAN Mod-97) → NER (compromise) •      │
+│  Recursive In-Memory Numerical Sanitization (4 decimals)  │
 ├───────────────────────────────────────────────────────────┤
 │  Layer 5: Aggregation-First Policy                        │
 │  Blocks raw row export • maxOutputRows (default: 10) •    │
 │  Conditional error: detailed (dev) vs opaque (production) │
 ├───────────────────────────────────────────────────────────┤
-│  Layer 6: ZK-Receipt (Integrity Verification)             │
-│  SHA-256 ImageID + HMAC-SHA256 Seal (Kyber768-derived)    │
-│  Timing-safe verification • LiopMcpBridge auto-verifies   │
+│  Layer 6: ZK-Receipt (Integrity & Replay Mitigation)       │
+│  SHA-256 ImageID + HMAC-SHA256 Seal (Kyber768-derived) •  │
+│  output_hash cross-verification • Balanced-brace extractor │
 └───────────────────────────────────────────────────────────┘
 ```
 
@@ -386,6 +388,32 @@ For maximum host security, the WASI sandbox enforces a poisoned environment that
 - **Poisoned/Disabled**: `Date` (Date.now, parse, etc. throw an exception to prevent timing analysis), `eval`, `Function`, `setTimeout`, `setInterval`, `Buffer`, `ArrayBuffer`, and all `TypedArrays`.
 - **Date Workaround**: To perform date checks, use lexicographical string comparison on ISO 8601 strings (e.g., `record.date >= "2026-01-01"`).
 
+### 🧹 Recursive In-Memory Numerical Sanitization
+
+To mitigate timing channels, statistical differentiation, and floats side-channels, the SDK executes a recursive sanitization pipeline before the PII scanner runs:
+- Positive floating-point numbers are recursively rounded to exactly **4 decimal places**.
+- Negative values are safely clamped to **0** (via `sanitizeOutput()`).
+- This operation runs entirely in-memory and recursively on all fields, preserving data structure immutability without expensive and fragile serialization-deserialization cycles.
+
+### 🌐 Environment Isolation & allowEnv Allowlist
+
+For robust sandboxing, the WASI execution path isolates host environment variables. Propagation can be enabled explicitly:
+```typescript
+const server = new LiopServer(info, {
+  allowEnv: true
+});
+```
+To block arbitrary command execution (e.g., Shellshock) and prevent exposure of host credentials, the SDK filters environment variables through a **strict system allowlist** (`getDefaultEnvironment()`):
+- **Windows Allowlist**: `APPDATA`, `HOMEDRIVE`, `HOMEPATH`, `LOCALAPPDATA`, `PATH`, `PROCESSOR_ARCHITECTURE`, `SYSTEMDRIVE`, `SYSTEMROOT`, `TEMP`, `USERNAME`, `USERPROFILE`, `PROGRAMFILES`.
+- **Unix/Linux Allowlist**: `HOME`, `LOGNAME`, `PATH`, `SHELL`, `TERM`, `USER`.
+Variables starting with shell functions `()` are dropped.
+
+### 🔒 ZK-Receipt Replay & Tampering Mitigation
+
+LIOP ZK-Receipts provide cryptographic evidence that a computation was executed honestly under zero-trust bounds. To defeat **Man-in-the-Middle (MITM) reply tampering and replay attacks** (re-using old signatures on new query data):
+- The verification pipeline computes the SHA-256 hash of the received business output (`expectedOutput`) and strictly asserts its equivalence with `Journal.output_hash` signed inside the ZK-Receipt (via `verifyZkReceipt`).
+- **Balanced-Brace Proxy Extractor**: If the tool call was delegated to a proxied tool (`__liop_proxy_tool`), the verifier invokes an in-process balanced-brace state machine to safely isolate proxy arguments from the response metadata, preventing false validation failures.
+
 ---
 
 ## Logic-Injection-on-Origin Flow

package/dist/bin/agent.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import {j}from'../chunk-L5A64CNT.js';import'../chunk-2MGFSIXN.js';import {g}from'../chunk-VGXNGTIC.js';import'../chunk-SW53FNSN.js';import'../chunk-ANFXJGMP.js';import'../chunk-DBXGYHKY.js';import'../chunk-SB5XJXKV.js';import'../chunk-V5MKJT6S.js';import'../chunk-RWRRBYG4.js';import {a as a$1}from'../chunk-DQ6UW6L7.js';import {a}from'../chunk-S6RJHZV2.js';import'../chunk-4C666HHU.js';import*as l from'fs';import*as w from'os';import*as u from'path';import {multiaddr}from'@multiformats/multiaddr';async function x(t){try{let o=t.endsWith("/health")?t:`${t}/health`,d=await fetch(o,{headers:{Accept:"application/json"},signal:AbortSignal.timeout(1e4)});if(!d.ok)return null;let e=await d.json();if(!e.mesh?.multiaddrs?.length||!e.mesh?.peerId)return null;let p=e.mesh.multiaddrs.find(c=>c.includes("/tcp/")&&!c.includes("/ws")&&!c.includes("/ip4/127.0.0.1/"));if(!p)return null;let r=E()?R(p):p;if(!r||r===p){let c=new URL(t).hostname;r=p.replace(/\/ip4\/[^/]+/,`/ip4/${c}`);}return r?(r+=r.includes("/p2p/")?"":`/p2p/${e.mesh.peerId}`,r):null}catch{return null}}function L(t){let o=t.trim(),d=/\/ip4\/172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}/,e=/\/ip4\/127\.0\.0\.1/,p=/\/ip4\/192\.168\.[0-9]{1,3}\.[0-9]{1,3}/;if(d.test(o)||e.test(o)||p.test(o)){let r="127.0.0.1",c=o.replace(d,`/ip4/${r}`).replace(e,`/ip4/${r}`).replace(p,`/ip4/${r}`);return c!==o&&a.info(`[LIOP-Agent] \u{1F504} Local Routing Hack \u2192 Forced 127.0.0.1: ${c}`),c}return o}function R(t){return t.includes("/ip4/172.20.0.10")?t.replace(/\/ip4\/172\.20\.0\.10\/tcp\/[0-9]+/,"/ip4/127.0.0.1/tcp/13001"):t.includes("/ip4/172.20.0.11")?t.replace(/\/ip4\/172\.20\.0\.11\/tcp\/[0-9]+/,"/ip4/127.0.0.1/tcp/13003"):t.includes("/ip4/172.20.0.12")?t.replace(/\/ip4\/172\.20\.0\.12\/tcp\/[0-9]+/,"/ip4/127.0.0.1/tcp/13004"):t.includes("/ip4/172.20.0.13")?t.replace(/\/ip4\/172\.20\.0\.13\/tcp\/[0-9]+/,"/ip4/127.0.0.1/tcp/13005"):t.includes("/ip4/127.0.0.1/tcp/4000")||t.includes("/ip4/127.0.0.1/tcp/3000")?null:t}function D(t){try{let o=new URL(t);return (o.hostname==="127.0.0.1"||o.hostname==="localhost")&&(o.port==="13000"||o.port==="13001")}catch{return  false}}function E(){return process.env.NODE_ENV==="development"||process.env.NODE_ENV==="test"||process.env.LIOP_DOCKER_MAP==="true"||process.env.LIOP_DEV_MODE==="true"||!!process.env.LIOP_NEXUS_URL&&D(process.env.LIOP_NEXUS_URL)}async function M(){if((process.platform==="win32"||process.platform==="darwin")&&!process.execArgv.includes("--use-system-ca")&&!(process.env.NODE_OPTIONS??"").includes("--use-system-ca")){let{spawn:s}=await import('child_process'),n=s(process.execPath,["--use-system-ca",...process.argv.slice(1)],{stdio:"inherit",env:process.env});n.on("exit",a=>process.exit(a??1)),n.on("error",()=>process.exit(1)),await new Promise(()=>{});return}let t=new Date().toISOString();a.info(`[LIOP-Agent] \u{1F680} Version 1.2.0-alpha.9 | Build: ${t}`);let o=u.join(w.homedir(),".liop"),d=u.join(o,"identity.json");l.existsSync(o)||l.mkdirSync(o,{recursive:true});let e=[],p=process.argv.slice(2);if(p.length>0&&(e=p.filter(s=>s.startsWith("/"))),e.length===0){let s=[];if(process.env.LIOP_BOOTSTRAP_FILE){a.warn("LIOP_BOOTSTRAP_FILE is deprecated and will be removed in the next major version. Use LIOP_NEXUS_URL for Auto-Discovery instead.");let n=u.resolve(process.env.LIOP_BOOTSTRAP_FILE);if(l.existsSync(n)){let a=l.readFileSync(n,"utf8").trim();a&&e.push(L(a));}}s.push(process.cwd(),u.join(process.cwd(),"tests/infra/nexus-data"),o,u.join(u.dirname(new URL(import.meta.url).pathname).replace(/^\/([A-Z]:)/,"$1"),"../../tests/infra/nexus-data"));for(let n of s)try{if(l.existsSync(n)){let h=l.readdirSync(n).filter(g=>g.endsWith(".multiaddr"));for(let g of h){let $=u.join(n,g),v=l.readFileSync($,"utf8").trim();if(v){let S=L(v);e.includes(S)||(e.push(S),a.info(`[LIOP-Agent] \u2705 Loaded beacon: ${g} from ${n}`));}}if(e.length>0)break}}catch{}}if(process.env.LIOP_NEXUS_URL){let s=process.env.LIOP_NEXUS_URL;a.info(`[LIOP-Agent] \u{1F310} Running parallel discovery from: ${s} (Sources Found: ${e.length})`);let n=await x(s);if(n){let a$1=L(n);e.includes(a$1)||(e.push(a$1),a.info(`[LIOP-Agent] \u2705 Added bootstrap from URL discovery: ${a$1}`));}}e.length===0&&process.env.LIOP_BOOTSTRAP&&e.push(process.env.LIOP_BOOTSTRAP.trim()),e.length===0&&e.push("/ip4/127.0.0.1/tcp/13001/p2p/12D3KooWD8FUFdnLQzzLFNdicsaTknM5cpD7os9sK9NWVSVABJMD"),e=e.filter(s=>{try{return multiaddr(s),!0}catch{return a.warn(`[LIOP-Agent] Ignoring invalid bootstrap multiaddr: ${s}`),false}}),e.length===0&&(a.info("[LIOP-Agent] No bootstrap nodes configured. Operating in standalone mode."),a.info("[LIOP-Agent] Pass a multiaddr as argument or create 'nexus.multiaddr' file."));let r=new j({name:"@nekzus/liop",version:"1.0.0"});r.enableZeroShotAutonomy();let c=new a$1({identityPath:d,bootstrapNodes:e,addressMapper:E()?R:void 0});await c.start();let f=new g(r,c);f.onToolsChanged=()=>{process.stdout.write(`{"jsonrpc":"2.0","method":"notifications/tools/list_changed"}
+import {j}from'../chunk-KQ5BDO2M.js';import'../chunk-2MGFSIXN.js';import {g}from'../chunk-I46YEWND.js';import'../chunk-PWCXZWSE.js';import'../chunk-ANFXJGMP.js';import'../chunk-DBXGYHKY.js';import'../chunk-SB5XJXKV.js';import'../chunk-V5MKJT6S.js';import'../chunk-RWRRBYG4.js';import {a as a$1}from'../chunk-DQ6UW6L7.js';import {a}from'../chunk-S6RJHZV2.js';import'../chunk-4C666HHU.js';import*as l from'fs';import*as w from'os';import*as u from'path';import {multiaddr}from'@multiformats/multiaddr';async function x(t){try{let o=t.endsWith("/health")?t:`${t}/health`,d=await fetch(o,{headers:{Accept:"application/json"},signal:AbortSignal.timeout(1e4)});if(!d.ok)return null;let e=await d.json();if(!e.mesh?.multiaddrs?.length||!e.mesh?.peerId)return null;let p=e.mesh.multiaddrs.find(c=>c.includes("/tcp/")&&!c.includes("/ws")&&!c.includes("/ip4/127.0.0.1/"));if(!p)return null;let r=E()?R(p):p;if(!r||r===p){let c=new URL(t).hostname;r=p.replace(/\/ip4\/[^/]+/,`/ip4/${c}`);}return r?(r+=r.includes("/p2p/")?"":`/p2p/${e.mesh.peerId}`,r):null}catch{return null}}function L(t){let o=t.trim(),d=/\/ip4\/172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}/,e=/\/ip4\/127\.0\.0\.1/,p=/\/ip4\/192\.168\.[0-9]{1,3}\.[0-9]{1,3}/;if(d.test(o)||e.test(o)||p.test(o)){let r="127.0.0.1",c=o.replace(d,`/ip4/${r}`).replace(e,`/ip4/${r}`).replace(p,`/ip4/${r}`);return c!==o&&a.info(`[LIOP-Agent] \u{1F504} Local Routing Hack \u2192 Forced 127.0.0.1: ${c}`),c}return o}function R(t){return t.includes("/ip4/172.20.0.10")?t.replace(/\/ip4\/172\.20\.0\.10\/tcp\/[0-9]+/,"/ip4/127.0.0.1/tcp/13001"):t.includes("/ip4/172.20.0.11")?t.replace(/\/ip4\/172\.20\.0\.11\/tcp\/[0-9]+/,"/ip4/127.0.0.1/tcp/13003"):t.includes("/ip4/172.20.0.12")?t.replace(/\/ip4\/172\.20\.0\.12\/tcp\/[0-9]+/,"/ip4/127.0.0.1/tcp/13004"):t.includes("/ip4/172.20.0.13")?t.replace(/\/ip4\/172\.20\.0\.13\/tcp\/[0-9]+/,"/ip4/127.0.0.1/tcp/13005"):t.includes("/ip4/127.0.0.1/tcp/4000")||t.includes("/ip4/127.0.0.1/tcp/3000")?null:t}function D(t){try{let o=new URL(t);return (o.hostname==="127.0.0.1"||o.hostname==="localhost")&&(o.port==="13000"||o.port==="13001")}catch{return  false}}function E(){return process.env.NODE_ENV==="development"||process.env.NODE_ENV==="test"||process.env.LIOP_DOCKER_MAP==="true"||process.env.LIOP_DEV_MODE==="true"||!!process.env.LIOP_NEXUS_URL&&D(process.env.LIOP_NEXUS_URL)}async function M(){if((process.platform==="win32"||process.platform==="darwin")&&!process.execArgv.includes("--use-system-ca")&&!(process.env.NODE_OPTIONS??"").includes("--use-system-ca")){let{spawn:s}=await import('child_process'),n=s(process.execPath,["--use-system-ca",...process.argv.slice(1)],{stdio:"inherit",env:process.env});n.on("exit",a=>process.exit(a??1)),n.on("error",()=>process.exit(1)),await new Promise(()=>{});return}let t=new Date().toISOString();a.info(`[LIOP-Agent] \u{1F680} Version 1.2.0-alpha.9 | Build: ${t}`);let o=u.join(w.homedir(),".liop"),d=u.join(o,"identity.json");l.existsSync(o)||l.mkdirSync(o,{recursive:true});let e=[],p=process.argv.slice(2);if(p.length>0&&(e=p.filter(s=>s.startsWith("/"))),e.length===0){let s=[];if(process.env.LIOP_BOOTSTRAP_FILE){a.warn("LIOP_BOOTSTRAP_FILE is deprecated and will be removed in the next major version. Use LIOP_NEXUS_URL for Auto-Discovery instead.");let n=u.resolve(process.env.LIOP_BOOTSTRAP_FILE);if(l.existsSync(n)){let a=l.readFileSync(n,"utf8").trim();a&&e.push(L(a));}}s.push(process.cwd(),u.join(process.cwd(),"tests/infra/nexus-data"),o,u.join(u.dirname(new URL(import.meta.url).pathname).replace(/^\/([A-Z]:)/,"$1"),"../../tests/infra/nexus-data"));for(let n of s)try{if(l.existsSync(n)){let h=l.readdirSync(n).filter(g=>g.endsWith(".multiaddr"));for(let g of h){let $=u.join(n,g),v=l.readFileSync($,"utf8").trim();if(v){let S=L(v);e.includes(S)||(e.push(S),a.info(`[LIOP-Agent] \u2705 Loaded beacon: ${g} from ${n}`));}}if(e.length>0)break}}catch{}}if(process.env.LIOP_NEXUS_URL){let s=process.env.LIOP_NEXUS_URL;a.info(`[LIOP-Agent] \u{1F310} Running parallel discovery from: ${s} (Sources Found: ${e.length})`);let n=await x(s);if(n){let a$1=L(n);e.includes(a$1)||(e.push(a$1),a.info(`[LIOP-Agent] \u2705 Added bootstrap from URL discovery: ${a$1}`));}}e.length===0&&process.env.LIOP_BOOTSTRAP&&e.push(process.env.LIOP_BOOTSTRAP.trim()),e.length===0&&e.push("/ip4/127.0.0.1/tcp/13001/p2p/12D3KooWD8FUFdnLQzzLFNdicsaTknM5cpD7os9sK9NWVSVABJMD"),e=e.filter(s=>{try{return multiaddr(s),!0}catch{return a.warn(`[LIOP-Agent] Ignoring invalid bootstrap multiaddr: ${s}`),false}}),e.length===0&&(a.info("[LIOP-Agent] No bootstrap nodes configured. Operating in standalone mode."),a.info("[LIOP-Agent] Pass a multiaddr as argument or create 'nexus.multiaddr' file."));let r=new j({name:"@nekzus/liop",version:"1.0.0"});r.enableZeroShotAutonomy();let c=new a$1({identityPath:d,bootstrapNodes:e,addressMapper:E()?R:void 0});await c.start();let f=new g(r,c);f.onToolsChanged=()=>{process.stdout.write(`{"jsonrpc":"2.0","method":"notifications/tools/list_changed"}
 `),process.stdout.write(`{"jsonrpc":"2.0","method":"notifications/resources/list_changed"}
 `);},setTimeout(()=>{let s=c.getRoutingTableSize?.()||0;a.info(`[LIOP-Agent] Warm-up complete. Routing Table size: ${s}`),f.refreshManifestCache(true).catch(()=>{});},2e3);let O=1e4,T=12e4,m=O,P=()=>{setTimeout(async()=>{let s=f.getCacheSize();await f.refreshManifestCache(true).catch(()=>{});let n=f.getCacheSize();n!==s?(m=O,a.info(`[LIOP-Agent] Topology change detected (${s} \u2192 ${n}). Resetting poll to ${O/1e3}s.`)):m=Math.min(Math.round(m*1.5),T),P();},m);};P();let I=(await import('readline')).createInterface({input:process.stdin,terminal:false});process.stdout.on("error",s=>{s.code==="EPIPE"&&process.exit(0);}),I.on("line",async s=>{let n=s.trim();if(n)try{let a=JSON.parse(n);if(a.method){let h=await f.dispatch(a);h&&process.stdout.write(`${JSON.stringify(h)}
 `);}}catch{}}),I.on("close",()=>{process.exit(0);}),a.info("[LIOP-Agent] Guarding Claude Desktop via STDIO."),a.info(`[LIOP-Agent] P2P Mesh: Joined (${e.length} bootstraps)`),a.info("[LIOP-Agent] Tool discovery: Dynamic via /liop/manifest/1.0.0"),process.on("SIGINT",async()=>{await c.stop(),process.exit(0);});}M().catch(t=>{a.error(`[LIOP-Agent] Fatal Error: ${t.message}`),process.exit(1);});//# sourceMappingURL=agent.js.map

package/dist/bridge.d.ts

@@ -1,5 +1,5 @@
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
-import { L as LiopServer, a as LiopServerOptions } from './index-CL8m1L1d.js';
+import { L as LiopServer, a as LiopServerOptions } from './index-BcuTJtQX.js';
 import 'zod';
 import './mesh.js';
 import './types-DzEXgi4s.js';

package/dist/bridge.js

@@ -1,2 +1,2 @@
-export{b as LiopMcpBridge,a as LiopStreamBridge}from'./chunk-W2QGWRTT.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=bridge.js.map
+export{b as LiopMcpBridge,a as LiopStreamBridge}from'./chunk-7L5ODML2.js';import'./chunk-S6RJHZV2.js';import'./chunk-4C666HHU.js';//# sourceMappingURL=bridge.js.map
 //# sourceMappingURL=bridge.js.map

package/dist/{chunk-W2QGWRTT.js → chunk-7L5ODML2.js}

@@ -1,3 +1,3 @@
-import {a}from'./chunk-S6RJHZV2.js';import {randomUUID}from'crypto';import {serve}from'@hono/node-server';import {Hono}from'hono';import {cors}from'hono/cors';var T=10,y=1800*1e3,R=60*1e3,d=class{constructor(e,r={}){this.options=r;this.app=new Hono,this.bridgeLogic=new p(e),this.activeSessions=new Map,this.maxSessionsPerIp=r.maxSessionsPerIp??T,this.sessionTimeoutMs=r.sessionTimeoutMs??y,this.setupRoutes();}app;httpServer=null;bridgeLogic;activeSessions;evictionTimer=null;maxSessionsPerIp;sessionTimeoutMs;async createSessionTransport(e){let{WebStandardStreamableHTTPServerTransport:r}=await import('@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js'),s=new r({sessionIdGenerator:()=>randomUUID(),onsessioninitialized:t=>{this.activeSessions.set(t,{transport:s,lastActivity:Date.now(),clientIp:e}),a.info(`[LIOP-StreamBridge] Session opened: ${t} (IP: ${e})`);}});return s.onmessage=async t=>{if(s.sessionId){let i=this.activeSessions.get(s.sessionId);i&&(i.lastActivity=Date.now());}try{let i=await this.bridgeLogic.handleJsonRpcRequest(t);i!==void 0&&await s.send(i);}catch(i){a.info("[LIOP-StreamBridge] JSON-RPC error:",i.message);}},s.onclose=()=>{s.sessionId&&(this.activeSessions.delete(s.sessionId),a.info(`[LIOP-StreamBridge] Session closed: ${s.sessionId}`));},s}countSessionsByIp(e){let r=0;for(let s of this.activeSessions.values())s.clientIp===e&&r++;return r}getClientIp(e){return e.req.header("x-forwarded-for")?.split(",")[0]?.trim()||e.req.header("x-real-ip")||"unknown"}evictIdleSessions(){let e=Date.now();for(let[r,s]of this.activeSessions)e-s.lastActivity>this.sessionTimeoutMs&&(a.info(`[LIOP-StreamBridge] Evicting idle session: ${r}`),s.transport.close().catch(()=>{}),this.activeSessions.delete(r));}setupRoutes(){this.app.use("*",cors()),process.env.ZERO_TRUST_TOKEN||(process.env.ZERO_TRUST_TOKEN=randomUUID(),a.info("=".repeat(60)),a.info("\u26A0\uFE0F STRICT ZERO-TRUST MODE ENABLED \u26A0\uFE0F"),a.info("No ZERO_TRUST_TOKEN found in environment."),a.info("A secure ephemeral token has been generated for this session:"),a.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`),a.info("=".repeat(60))),this.app.use("/mcp",async(e,r)=>{let s=e.req.header("Authorization");if(!s?.startsWith("Bearer "))return e.json({error:"Unauthorized: LIOP Zero-Trust Policy Enforced"},401);let t=s.slice(7),i=process.env.ZERO_TRUST_TOKEN;if(i&&t===i){await r();return}let n=this.bridgeLogic.getServer()?.jwtValidator;if(n)try{await n.validate(t),await r();return}catch(a$1){return a.info(`[LIOP-StreamBridge] JWT Validation failed: ${a$1.message}`),e.json({error:`Unauthorized: JWT Validation failed - ${a$1.message}`},401)}return a.info("[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token."),e.json({error:"Unauthorized: LIOP Zero-Trust Policy Enforced"},401)}),this.app.all("/mcp",async e=>{let r=e.req.header("mcp-session-id");if(r){let n=this.activeSessions.get(r);if(!n)return e.json({error:"Session not found"},404);n.lastActivity=Date.now();let a$1=await n.transport.handleRequest(e.req.raw);return e.req.method==="DELETE"&&(this.activeSessions.delete(r),a.info(`[LIOP-StreamBridge] Session closed (DELETE): ${r}`)),a$1}let s=this.getClientIp(e),t=this.countSessionsByIp(s);return t>=this.maxSessionsPerIp?(a.info(`[LIOP-StreamBridge] Rate limit hit for IP: ${s} (${t} sessions)`),e.json({error:"Too Many Sessions: Rate limit exceeded"},429)):await(await this.createSessionTransport(s)).handleRequest(e.req.raw)});}async start(e){let r=e??this.options.port??3e3;return this.evictionTimer=setInterval(()=>this.evictIdleSessions(),R),new Promise(s=>{this.httpServer=serve({fetch:this.app.fetch,port:r},t=>{a.info(`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${t.port}/mcp`),s();});})}async stop(){this.evictionTimer&&(clearInterval(this.evictionTimer),this.evictionTimer=null);for(let[e,r]of this.activeSessions)await r.transport.close(),this.activeSessions.delete(e);this.httpServer&&(this.httpServer.close(),a.info("[LIOP-StreamBridge] HTTP ports released."));}};var p=class{constructor(e,r={}){this.options=r;e?.constructor?.name==="LiopServer"?(this.liopServer=e,a.info("[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)")):e?.constructor?.name==="McpServer"?(this.legacyMcpServer=e,a.info("[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)")):(this.legacyMcpServer=e,a.info("[LIOP-Bridge] Mode: WRAP (Inferred Legacy MCP -> LIOP Mesh)"));}liopServer=null;legacyMcpServer=null;async handleJsonRpcRequest(e){let r=e.id,s=e.method,t=e.params;return e.jsonrpc!=="2.0"?this.errorResponse(r,-32600,"Invalid Request"):this.liopServer?this.handleLiopToMcp(r,s,t):this.legacyMcpServer&&this.liopServer?this.handleLiopToMcp(r,s,t):this.errorResponse(r,-32601,"Bridge source not configured")}async handleLiopToMcp(e,r,s){if(!this.liopServer)return null;if(r==="initialize")return this.successResponse(e,{protocolVersion:"2025-11-25",capabilities:{prompts:{},resources:{},tools:{}},serverInfo:this.liopServer.getServerInfo()});if(r!=="notifications/initialized"){if(r==="ping")return this.successResponse(e,{});if(r==="tools/list"){let t=this.liopServer.listTools();return this.successResponse(e,{tools:t})}if(r==="resources/list"){let t=this.liopServer.listResources();return this.successResponse(e,{resources:t})}if(r==="prompts/list"){let t=this.liopServer.listPrompts();return this.successResponse(e,{prompts:t})}if(r==="prompts/get"){if(!s?.name)return this.errorResponse(e,-32602,"Missing prompt name");try{let t=await this.liopServer.getPrompt({name:s.name,arguments:s.arguments});return this.successResponse(e,t)}catch(t){return this.errorResponse(e,-32e3,t.message)}}if(r==="resources/read"){if(!s?.uri)return this.errorResponse(e,-32602,"Missing resource URI");try{let t=await this.liopServer.readResource(s.uri);return this.successResponse(e,t)}catch(t){return this.errorResponse(e,-32e3,t.message)}}if(r==="tools/call"){if(!s?.name)return this.errorResponse(e,-32602,"Missing tool name");let t={name:s.name,arguments:s.arguments||{}};try{let i=await this.liopServer.callTool(t);return (i.isError?!0:await this.verifyZkReceipt(t,i))?this.successResponse(e,i):this.successResponse(e,{content:[{type:"text",text:"ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload."}],isError:!0})}catch(i){return this.errorResponse(e,-32e3,i.message)}}return this.errorResponse(e,-32601,"Method not found")}}successResponse(e,r){return {jsonrpc:"2.0",id:e,result:r}}errorResponse(e,r,s){return {jsonrpc:"2.0",id:e,error:{code:r,message:s}}}async verifyZkReceipt(e,r){if(!e.arguments?.payload||typeof e.arguments.payload!="string")return  true;try{let s=e.arguments.payload,t=r.content[0]?.text;if(t&&typeof t=="string")try{let i=JSON.parse(t);if(i.image_id||i.zk_receipt){let{LiopVerifier:n}=await import('./verifier-Z26UC7M4.js');if(!await new n().verifyZkReceipt(Buffer.from(s,"utf-8"),i.image_id,Buffer.from(i.zk_receipt||"","base64")))return !1;i.audit_status="VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge",r.content[0].text=JSON.stringify(i);}}catch{}return !0}catch(s){return a.info("[LIOP-Bridge] ZK-Verifier Failure:",s),false}}async connect(){if(this.legacyMcpServer){let{LiopServer:t}=await import('./server.js');if(this.liopServer=new t(this.options.serverInfo||{name:"liop-bridge",version:"1.0.0"},{security:this.options.security}),this.options.publishToMesh){await this.liopServer.connect();let i=this.legacyMcpServer;if(i._registeredTools)for(let[n,a]of Object.entries(i._registeredTools)){let c=a;this.liopServer.tool(n,c.description||"",c.inputSchema||{},async l=>await c.handler(l));}if(i._registeredResources)for(let[n,a]of Object.entries(i._registeredResources)){let c=a;this.liopServer.resource(c.name,n,c.metadata?.description||"",c.metadata?.mimeType||"application/octet-stream",async()=>(await c.readCallback(new URL(n))).contents[0].text);}}return}let r=(await import('readline')).createInterface({input:process.stdin,output:process.stdout,terminal:false}),s=async()=>{a.info("[LIOP-Bridge] Disconnecting session..."),this.liopServer&&await this.liopServer.close(),process.exit(0);};r.on("close",s),process.on("SIGINT",s),process.on("SIGTERM",s),r.on("line",async t=>{if(t.trim())try{let i=JSON.parse(t),n=await this.handleJsonRpcRequest(i);n&&process.stdout.write(`${JSON.stringify(n)}
-`);}catch(i){a.error(`[LIOP-Bridge] Error: ${i.message}`);}});}getServer(){return this.liopServer}};export{d as a,p as b};//# sourceMappingURL=chunk-W2QGWRTT.js.map
-//# sourceMappingURL=chunk-W2QGWRTT.js.map
+import {a}from'./chunk-S6RJHZV2.js';import {randomUUID}from'crypto';import {serve}from'@hono/node-server';import {Hono}from'hono';import {cors}from'hono/cors';var T=10,y=1800*1e3,R=60*1e3,d=class{constructor(e,r={}){this.options=r;this.app=new Hono,this.bridgeLogic=new p(e),this.activeSessions=new Map,this.maxSessionsPerIp=r.maxSessionsPerIp??T,this.sessionTimeoutMs=r.sessionTimeoutMs??y,this.setupRoutes();}app;httpServer=null;bridgeLogic;activeSessions;evictionTimer=null;maxSessionsPerIp;sessionTimeoutMs;async createSessionTransport(e){let{WebStandardStreamableHTTPServerTransport:r}=await import('@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js'),s=new r({sessionIdGenerator:()=>randomUUID(),onsessioninitialized:t=>{this.activeSessions.set(t,{transport:s,lastActivity:Date.now(),clientIp:e}),a.info(`[LIOP-StreamBridge] Session opened: ${t} (IP: ${e})`);}});return s.onmessage=async t=>{if(s.sessionId){let i=this.activeSessions.get(s.sessionId);i&&(i.lastActivity=Date.now());}try{let i=await this.bridgeLogic.handleJsonRpcRequest(t);i!==void 0&&await s.send(i);}catch(i){a.info("[LIOP-StreamBridge] JSON-RPC error:",i.message);}},s.onclose=()=>{s.sessionId&&(this.activeSessions.delete(s.sessionId),a.info(`[LIOP-StreamBridge] Session closed: ${s.sessionId}`));},s}countSessionsByIp(e){let r=0;for(let s of this.activeSessions.values())s.clientIp===e&&r++;return r}getClientIp(e){return e.req.header("x-forwarded-for")?.split(",")[0]?.trim()||e.req.header("x-real-ip")||"unknown"}evictIdleSessions(){let e=Date.now();for(let[r,s]of this.activeSessions)e-s.lastActivity>this.sessionTimeoutMs&&(a.info(`[LIOP-StreamBridge] Evicting idle session: ${r}`),s.transport.close().catch(()=>{}),this.activeSessions.delete(r));}setupRoutes(){this.app.use("*",cors()),process.env.ZERO_TRUST_TOKEN||(process.env.ZERO_TRUST_TOKEN=randomUUID(),a.info("=".repeat(60)),a.info("\u26A0\uFE0F STRICT ZERO-TRUST MODE ENABLED \u26A0\uFE0F"),a.info("No ZERO_TRUST_TOKEN found in environment."),a.info("A secure ephemeral token has been generated for this session:"),a.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`),a.info("=".repeat(60))),this.app.use("/mcp",async(e,r)=>{let s=e.req.header("Authorization");if(!s?.startsWith("Bearer "))return e.json({error:"Unauthorized: LIOP Zero-Trust Policy Enforced"},401);let t=s.slice(7),i=process.env.ZERO_TRUST_TOKEN;if(i&&t===i){await r();return}let n=this.bridgeLogic.getServer()?.jwtValidator;if(n)try{await n.validate(t),await r();return}catch(a$1){return a.info(`[LIOP-StreamBridge] JWT Validation failed: ${a$1.message}`),e.json({error:`Unauthorized: JWT Validation failed - ${a$1.message}`},401)}return a.info("[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token."),e.json({error:"Unauthorized: LIOP Zero-Trust Policy Enforced"},401)}),this.app.all("/mcp",async e=>{let r=e.req.header("mcp-session-id");if(r){let n=this.activeSessions.get(r);if(!n)return e.json({error:"Session not found"},404);n.lastActivity=Date.now();let a$1=await n.transport.handleRequest(e.req.raw);return e.req.method==="DELETE"&&(this.activeSessions.delete(r),a.info(`[LIOP-StreamBridge] Session closed (DELETE): ${r}`)),a$1}let s=this.getClientIp(e),t=this.countSessionsByIp(s);return t>=this.maxSessionsPerIp?(a.info(`[LIOP-StreamBridge] Rate limit hit for IP: ${s} (${t} sessions)`),e.json({error:"Too Many Sessions: Rate limit exceeded"},429)):await(await this.createSessionTransport(s)).handleRequest(e.req.raw)});}async start(e){let r=e??this.options.port??3e3;return this.evictionTimer=setInterval(()=>this.evictIdleSessions(),R),new Promise(s=>{this.httpServer=serve({fetch:this.app.fetch,port:r},t=>{a.info(`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${t.port}/mcp`),s();});})}async stop(){this.evictionTimer&&(clearInterval(this.evictionTimer),this.evictionTimer=null);for(let[e,r]of this.activeSessions)await r.transport.close(),this.activeSessions.delete(e);this.httpServer&&(this.httpServer.close(),a.info("[LIOP-StreamBridge] HTTP ports released."));}};var p=class{constructor(e,r={}){this.options=r;e?.constructor?.name==="LiopServer"?(this.liopServer=e,a.info("[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)")):e?.constructor?.name==="McpServer"?(this.legacyMcpServer=e,a.info("[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)")):(this.legacyMcpServer=e,a.info("[LIOP-Bridge] Mode: WRAP (Inferred Legacy MCP -> LIOP Mesh)"));}liopServer=null;legacyMcpServer=null;async handleJsonRpcRequest(e){let r=e.id,s=e.method,t=e.params;return e.jsonrpc!=="2.0"?this.errorResponse(r,-32600,"Invalid Request"):this.liopServer?this.handleLiopToMcp(r,s,t):this.legacyMcpServer&&this.liopServer?this.handleLiopToMcp(r,s,t):this.errorResponse(r,-32601,"Bridge source not configured")}async handleLiopToMcp(e,r,s){if(!this.liopServer)return null;if(r==="initialize")return this.successResponse(e,{protocolVersion:"2025-11-25",capabilities:{prompts:{},resources:{},tools:{}},serverInfo:this.liopServer.getServerInfo()});if(r!=="notifications/initialized"){if(r==="ping")return this.successResponse(e,{});if(r==="tools/list"){let t=this.liopServer.listTools();return this.successResponse(e,{tools:t})}if(r==="resources/list"){let t=this.liopServer.listResources();return this.successResponse(e,{resources:t})}if(r==="prompts/list"){let t=this.liopServer.listPrompts();return this.successResponse(e,{prompts:t})}if(r==="prompts/get"){if(!s?.name)return this.errorResponse(e,-32602,"Missing prompt name");try{let t=await this.liopServer.getPrompt({name:s.name,arguments:s.arguments});return this.successResponse(e,t)}catch(t){return this.errorResponse(e,-32e3,t.message)}}if(r==="resources/read"){if(!s?.uri)return this.errorResponse(e,-32602,"Missing resource URI");try{let t=await this.liopServer.readResource(s.uri);return this.successResponse(e,t)}catch(t){return this.errorResponse(e,-32e3,t.message)}}if(r==="tools/call"){if(!s?.name)return this.errorResponse(e,-32602,"Missing tool name");let t={name:s.name,arguments:s.arguments||{}};try{let i=await this.liopServer.callTool(t);return (i.isError?!0:await this.verifyZkReceipt(t,i))?this.successResponse(e,i):this.successResponse(e,{content:[{type:"text",text:"ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload."}],isError:!0})}catch(i){return this.errorResponse(e,-32e3,i.message)}}return this.errorResponse(e,-32601,"Method not found")}}successResponse(e,r){return {jsonrpc:"2.0",id:e,result:r}}errorResponse(e,r,s){return {jsonrpc:"2.0",id:e,error:{code:r,message:s}}}async verifyZkReceipt(e,r){if(!e.arguments?.payload||typeof e.arguments.payload!="string")return  true;try{let s=e.arguments.payload,t=r.content[0]?.text;if(t&&typeof t=="string")try{let i=JSON.parse(t);if(i.image_id||i.zk_receipt){let{LiopVerifier:n}=await import('./verifier-XU2DB56Z.js');if(!await new n().verifyZkReceipt(Buffer.from(s,"utf-8"),i.image_id,Buffer.from(i.zk_receipt||"","base64"),void 0,i.computation_result))return !1;i.audit_status="VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge",r.content[0].text=JSON.stringify(i);}}catch{}return !0}catch(s){return a.info("[LIOP-Bridge] ZK-Verifier Failure:",s),false}}async connect(){if(this.legacyMcpServer){let{LiopServer:t}=await import('./server.js');if(this.liopServer=new t(this.options.serverInfo||{name:"liop-bridge",version:"1.0.0"},{security:this.options.security}),this.options.publishToMesh){await this.liopServer.connect();let i=this.legacyMcpServer;if(i._registeredTools)for(let[n,a]of Object.entries(i._registeredTools)){let c=a;this.liopServer.tool(n,c.description||"",c.inputSchema||{},async l=>await c.handler(l));}if(i._registeredResources)for(let[n,a]of Object.entries(i._registeredResources)){let c=a;this.liopServer.resource(c.name,n,c.metadata?.description||"",c.metadata?.mimeType||"application/octet-stream",async()=>(await c.readCallback(new URL(n))).contents[0].text);}}return}let r=(await import('readline')).createInterface({input:process.stdin,output:process.stdout,terminal:false}),s=async()=>{a.info("[LIOP-Bridge] Disconnecting session..."),this.liopServer&&await this.liopServer.close(),process.exit(0);};r.on("close",s),process.on("SIGINT",s),process.on("SIGTERM",s),r.on("line",async t=>{if(t.trim())try{let i=JSON.parse(t),n=await this.handleJsonRpcRequest(i);n&&process.stdout.write(`${JSON.stringify(n)}
+`);}catch(i){a.error(`[LIOP-Bridge] Error: ${i.message}`);}});}getServer(){return this.liopServer}};export{d as a,p as b};//# sourceMappingURL=chunk-7L5ODML2.js.map
+//# sourceMappingURL=chunk-7L5ODML2.js.map

package/dist/{chunk-W2QGWRTT.js.map → chunk-7L5ODML2.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/bridge/stream.ts","../src/bridge/index.ts"],"names":["DEFAULT_MAX_SESSIONS_PER_IP","DEFAULT_SESSION_TIMEOUT_MS","EVICTION_INTERVAL_MS","LiopStreamBridge","internalServer","options","Hono","LiopMcpBridge","clientIp","WebStandardStreamableHTTPServerTransport","transport","randomUUID","sessionId","log","message","entry","result","err","ip","count","c","now","cors","next","auth","token","expectedToken","jwtValidator","e","existing","response","currentSessions","port","listenPort","resolve","serve","info","id","source","payload","method","params","tools","resources","prompts","request","code","contentText","data","LiopVerifier","LiopServer","legacy","name","tool","t","args","uri","resource","r","rl","shutdown","line"],"mappings":"+JA6BA,IAAMA,CAAAA,CAA8B,GAC9BC,CAAAA,CAA6B,IAAA,CAAU,GAAA,CACvCC,CAAAA,CAAuB,GAAK,GAAA,CAgBrBC,CAAAA,CAAN,KAAuB,CAS7B,WAAA,CACCC,EACQC,CAAAA,CAAmC,EAAC,CAC3C,CADO,aAAAA,CAAAA,CAER,IAAA,CAAK,IAAM,IAAIC,IAAAA,CACf,KAAK,WAAA,CAAc,IAAIC,CAAAA,CAAcH,CAAc,EACnD,IAAA,CAAK,cAAA,CAAiB,IAAI,GAAA,CAC1B,IAAA,CAAK,iBACJC,CAAAA,CAAQ,gBAAA,EAAoBL,CAAAA,CAC7B,IAAA,CAAK,iBACJK,CAAAA,CAAQ,gBAAA,EAAoBJ,EAE7B,IAAA,CAAK,WAAA,GACN,CArBQ,GAAA,CACA,UAAA,CAA8C,IAAA,CAC9C,YACA,cAAA,CACA,aAAA,CAAuD,KACvD,gBAAA,CACA,gBAAA,CAoBR,MAAc,sBAAA,CACbO,CAAAA,CACoD,CACpD,GAAM,CAAE,wCAAA,CAAAC,CAAyC,EAAI,MAAM,OAC1D,+DACD,CAAA,CACMC,CAAAA,CAAY,IAAID,CAAAA,CAAyC,CAC9D,kBAAA,CAAoB,IAAME,YAAW,CACrC,oBAAA,CAAuBC,GAAsB,CAC5C,IAAA,CAAK,cAAA,CAAe,GAAA,CAAIA,EAAW,CAClC,SAAA,CAAAF,EACA,YAAA,CAAc,IAAA,CAAK,KAAI,CACvB,QAAA,CAAAF,CACD,CAAC,EACDK,CAAAA,CAAI,IAAA,CACH,uCAAuCD,CAAS,CAAA,MAAA,EAASJ,CAAQ,CAAA,CAAA,CAClE,EACD,CACD,CAAC,EAGD,OAAAE,CAAAA,CAAU,UAAY,MAAOI,CAAAA,EAA4B,CAExD,GAAIJ,CAAAA,CAAU,SAAA,CAAW,CACxB,IAAMK,CAAAA,CAAQ,IAAA,CAAK,eAAe,GAAA,CAAIL,CAAAA,CAAU,SAAS,CAAA,CACrDK,CAAAA,GAAOA,CAAAA,CAAM,YAAA,CAAe,KAAK,GAAA,EAAI,EAC1C,CAEA,GAAI,CACH,IAAMC,CAAAA,CAAS,MAAM,IAAA,CAAK,WAAA,CAAY,qBACrCF,CACD,CAAA,CAEIE,IAAW,KAAA,CAAA,EACd,MAAMN,EAAU,IAAA,CAAKM,CAAwB,EAE/C,CAAA,MAASC,EAAc,CACtBJ,CAAAA,CAAI,KAAK,qCAAA,CAAwCI,CAAAA,CAAc,OAAO,EACvE,CACD,CAAA,CAEAP,CAAAA,CAAU,QAAU,IAAM,CACrBA,EAAU,SAAA,GACb,IAAA,CAAK,eAAe,MAAA,CAAOA,CAAAA,CAAU,SAAS,CAAA,CAC9CG,EAAI,IAAA,CAAK,CAAA,oCAAA,EAAuCH,EAAU,SAAS,CAAA,CAAE,GAEvE,CAAA,CAEOA,CACR,CAKQ,iBAAA,CAAkBQ,EAAoB,CAC7C,IAAIC,EAAQ,CAAA,CACZ,IAAA,IAAWJ,KAAS,IAAA,CAAK,cAAA,CAAe,MAAA,EAAO,CAC1CA,EAAM,QAAA,GAAaG,CAAAA,EAAIC,IAE5B,OAAOA,CACR,CAKQ,WAAA,CAAYC,CAAAA,CAET,CACV,OACCA,EAAE,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,IAChDA,CAAAA,CAAE,GAAA,CAAI,OAAO,WAAW,CAAA,EACxB,SAEF,CAKQ,iBAAA,EAA0B,CACjC,IAAMC,EAAM,IAAA,CAAK,GAAA,GACjB,IAAA,GAAW,CAACT,EAAWG,CAAK,CAAA,GAAK,IAAA,CAAK,cAAA,CACjCM,EAAMN,CAAAA,CAAM,YAAA,CAAe,KAAK,gBAAA,GACnCF,CAAAA,CAAI,KAAK,CAAA,2CAAA,EAA8CD,CAAS,CAAA,CAAE,CAAA,CAClEG,EAAM,SAAA,CAAU,KAAA,GAAQ,KAAA,CAAM,IAAM,CAEpC,CAAC,CAAA,CACD,IAAA,CAAK,cAAA,CAAe,OAAOH,CAAS,CAAA,EAGvC,CAEQ,WAAA,EAAc,CACrB,KAAK,GAAA,CAAI,GAAA,CAAI,GAAA,CAAKU,IAAAA,EAAM,CAAA,CAGnB,OAAA,CAAQ,IAAI,gBAAA,GAChB,OAAA,CAAQ,IAAI,gBAAA,CAAmBX,UAAAA,EAAW,CAC1CE,CAAAA,CAAI,KAAK,GAAA,CAAI,MAAA,CAAO,EAAE,CAAC,CAAA,CACvBA,EAAI,IAAA,CAAK,0DAAsC,CAAA,CAC/CA,CAAAA,CAAI,KAAK,2CAA2C,CAAA,CACpDA,EAAI,IAAA,CAAK,+DAA+D,EACxEA,CAAAA,CAAI,IAAA,CAAK,CAAA,OAAA,EAAU,OAAA,CAAQ,IAAI,gBAAgB,CAAA,CAAE,EACjDA,CAAAA,CAAI,IAAA,CAAK,IAAI,MAAA,CAAO,EAAE,CAAC,CAAA,CAAA,CAIxB,KAAK,GAAA,CAAI,GAAA,CAAI,OAAQ,MAAOO,CAAAA,CAAGG,IAAS,CACvC,IAAMC,CAAAA,CAAOJ,CAAAA,CAAE,IAAI,MAAA,CAAO,eAAe,EACzC,GAAI,CAACI,GAAM,UAAA,CAAW,SAAS,CAAA,CAC9B,OAAOJ,EAAE,IAAA,CACR,CAAE,MAAO,+CAAgD,CAAA,CACzD,GACD,CAAA,CAGD,IAAMK,CAAAA,CAAQD,CAAAA,CAAK,MAAM,CAAC,CAAA,CACpBE,EAAgB,OAAA,CAAQ,GAAA,CAAI,iBAGlC,GAAIA,CAAAA,EAAiBD,CAAAA,GAAUC,CAAAA,CAAe,CAC7C,MAAMH,CAAAA,GACN,MACD,CAGA,IAAMI,CAAAA,CAAe,IAAA,CAAK,WAAA,CAAY,SAAA,IAAa,YAAA,CACnD,GAAIA,EACH,GAAI,CACH,MAAMA,CAAAA,CAAa,QAAA,CAASF,CAAK,CAAA,CACjC,MAAMF,CAAAA,EAAK,CACX,MACD,CAAA,MAASK,GAAAA,CAAY,CACpB,OAAAf,CAAAA,CAAI,IAAA,CACH,CAAA,2CAAA,EAA+Ce,IAAY,OAAO,CAAA,CACnE,EACOR,CAAAA,CAAE,IAAA,CACR,CACC,KAAA,CAAO,CAAA,sCAAA,EAA0CQ,GAAAA,CAAY,OAAO,EACrE,CAAA,CACA,GACD,CACD,CAGD,OAAAf,EAAI,IAAA,CACH,sEACD,CAAA,CACOO,CAAAA,CAAE,KACR,CAAE,KAAA,CAAO,+CAAgD,CAAA,CACzD,GACD,CACD,CAAC,CAAA,CAGD,IAAA,CAAK,GAAA,CAAI,IAAI,MAAA,CAAQ,MAAOA,GAAM,CACjC,IAAMR,EAAYQ,CAAAA,CAAE,GAAA,CAAI,MAAA,CAAO,gBAAgB,EAG/C,GAAIR,CAAAA,CAAW,CACd,IAAMiB,CAAAA,CAAW,KAAK,cAAA,CAAe,GAAA,CAAIjB,CAAS,CAAA,CAClD,GAAI,CAACiB,CAAAA,CACJ,OAAOT,CAAAA,CAAE,IAAA,CAAK,CAAE,KAAA,CAAO,mBAAoB,CAAA,CAAG,GAAG,EAGlDS,CAAAA,CAAS,YAAA,CAAe,KAAK,GAAA,EAAI,CAEjC,IAAMC,GAAAA,CAAW,MAAMD,CAAAA,CAAS,SAAA,CAAU,cAAcT,CAAAA,CAAE,GAAA,CAAI,GAAG,CAAA,CAIjE,OAAIA,EAAE,GAAA,CAAI,MAAA,GAAW,QAAA,GACpB,IAAA,CAAK,eAAe,MAAA,CAAOR,CAAS,EACpCC,CAAAA,CAAI,IAAA,CAAK,gDAAgDD,CAAS,CAAA,CAAE,CAAA,CAAA,CAG9DkB,GACR,CAIA,IAAMtB,CAAAA,CAAW,KAAK,WAAA,CAAYY,CAAC,EAC7BW,CAAAA,CAAkB,IAAA,CAAK,iBAAA,CAAkBvB,CAAQ,EACvD,OAAIuB,CAAAA,EAAmB,KAAK,gBAAA,EAC3BlB,CAAAA,CAAI,KACH,CAAA,2CAAA,EAA8CL,CAAQ,CAAA,EAAA,EAAKuB,CAAe,YAC3E,CAAA,CACOX,CAAAA,CAAE,KAAK,CAAE,KAAA,CAAO,wCAAyC,CAAA,CAAG,GAAG,CAAA,EAIhE,KAAA,CADW,MAAM,IAAA,CAAK,sBAAA,CAAuBZ,CAAQ,CAAA,EACrC,aAAA,CAAcY,EAAE,GAAA,CAAI,GAAG,CAC/C,CAAC,EACF,CAKA,MAAa,MAAMY,CAAAA,CAA8B,CAChD,IAAMC,CAAAA,CAAaD,CAAAA,EAAQ,IAAA,CAAK,OAAA,CAAQ,MAAQ,GAAA,CAGhD,OAAA,IAAA,CAAK,cAAgB,WAAA,CACpB,IAAM,KAAK,iBAAA,EAAkB,CAC7B9B,CACD,CAAA,CAEO,IAAI,OAAA,CAASgC,CAAAA,EAAY,CAC/B,IAAA,CAAK,UAAA,CAAaC,MACjB,CACC,KAAA,CAAO,IAAA,CAAK,GAAA,CAAI,MAChB,IAAA,CAAMF,CACP,EACCG,CAAAA,EAAS,CACTvB,EAAI,IAAA,CACH,CAAA,gEAAA,EAAmEuB,CAAAA,CAAK,IAAI,MAC7E,CAAA,CACAF,CAAAA,GACD,CACD,EACD,CAAC,CACF,CAKA,MAAa,IAAA,EAAsB,CAC9B,IAAA,CAAK,aAAA,GACR,cAAc,IAAA,CAAK,aAAa,EAChC,IAAA,CAAK,aAAA,CAAgB,IAAA,CAAA,CAGtB,IAAA,GAAW,CAACG,CAAAA,CAAItB,CAAK,IAAK,IAAA,CAAK,cAAA,CAC9B,MAAMA,CAAAA,CAAM,SAAA,CAAU,KAAA,EAAM,CAC5B,KAAK,cAAA,CAAe,MAAA,CAAOsB,CAAE,CAAA,CAG1B,IAAA,CAAK,aACR,IAAA,CAAK,UAAA,CAAW,KAAA,EAAM,CACtBxB,EAAI,IAAA,CAAK,0CAA0C,GAErD,CACD,MCvSaN,CAAAA,CAAN,KAAoB,CAG1B,WAAA,CAEC+B,EACQjC,CAAAA,CAA6B,GACpC,CADO,IAAA,CAAA,OAAA,CAAAA,EAIJiC,CAAAA,EAAQ,WAAA,EAAa,IAAA,GAAS,YAAA,EACjC,KAAK,UAAA,CAAaA,CAAAA,CAClBzB,EAAI,IAAA,CAAK,gDAAgD,GAC/CyB,CAAAA,EAAQ,WAAA,EAAa,IAAA,GAAS,WAAA,EACxC,KAAK,eAAA,CAAkBA,CAAAA,CACvBzB,EAAI,IAAA,CAAK,oDAAoD,IAG7D,IAAA,CAAK,eAAA,CAAkByB,CAAAA,CACvBzB,CAAAA,CAAI,KAAK,6DAA6D,CAAA,EAExE,CApBQ,UAAA,CAAgC,IAAA,CAChC,gBAAoC,IAAA,CAyB5C,MAAa,oBAAA,CACZ0B,CAAAA,CACmB,CACnB,IAAMF,CAAAA,CAAKE,EAAQ,EAAA,CACbC,CAAAA,CAASD,EAAQ,MAAA,CACjBE,CAAAA,CAASF,CAAAA,CAAQ,MAAA,CAEvB,OAAIA,CAAAA,CAAQ,OAAA,GAAY,MAChB,IAAA,CAAK,aAAA,CAAcF,EAAI,MAAA,CAAQ,iBAAiB,CAAA,CAIpD,IAAA,CAAK,WACD,IAAA,CAAK,eAAA,CAAgBA,EAAIG,CAAAA,CAAQC,CAAM,EAI3C,IAAA,CAAK,eAAA,EAAmB,IAAA,CAAK,UAAA,CACzB,KAAK,eAAA,CAAgBJ,CAAAA,CAAIG,EAAQC,CAAM,CAAA,CAGxC,KAAK,aAAA,CAAcJ,CAAAA,CAAI,MAAA,CAAQ,8BAA8B,CACrE,CAEA,MAAc,gBACbA,CAAAA,CACAG,CAAAA,CACAC,EACmB,CACnB,GAAI,CAAC,IAAA,CAAK,WAAY,OAAO,IAAA,CAE7B,GAAID,CAAAA,GAAW,YAAA,CACd,OAAO,IAAA,CAAK,eAAA,CAAgBH,CAAAA,CAAI,CAC/B,gBAAiB,YAAA,CACjB,YAAA,CAAc,CACb,OAAA,CAAS,GACT,SAAA,CAAW,EAAC,CACZ,KAAA,CAAO,EACR,CAAA,CACA,WAAY,IAAA,CAAK,UAAA,CAAW,eAC7B,CAAC,CAAA,CAGF,GAAIG,IAAW,2BAAA,CACf,CAAA,GAAIA,IAAW,MAAA,CAAQ,OAAO,KAAK,eAAA,CAAgBH,CAAAA,CAAI,EAAE,EAEzD,GAAIG,CAAAA,GAAW,aAAc,CAC5B,IAAME,EAAQ,IAAA,CAAK,UAAA,CAAW,SAAA,EAAU,CACxC,OAAO,IAAA,CAAK,eAAA,CAAgBL,EAAI,CAAE,KAAA,CAAAK,CAAM,CAAC,CAC1C,CAEA,GAAIF,IAAW,gBAAA,CAAkB,CAChC,IAAMG,CAAAA,CAAY,IAAA,CAAK,WAAW,aAAA,EAAc,CAChD,OAAO,IAAA,CAAK,gBAAgBN,CAAAA,CAAI,CAAE,UAAAM,CAAU,CAAC,CAC9C,CAEA,GAAIH,CAAAA,GAAW,cAAA,CAAgB,CAC9B,IAAMI,CAAAA,CAAU,KAAK,UAAA,CAAW,WAAA,GAChC,OAAO,IAAA,CAAK,eAAA,CAAgBP,CAAAA,CAAI,CAAE,OAAA,CAAAO,CAAQ,CAAC,CAC5C,CAEA,GAAIJ,CAAAA,GAAW,aAAA,CAAe,CAC7B,GAAI,CAACC,CAAAA,EAAQ,IAAA,CACZ,OAAO,IAAA,CAAK,aAAA,CAAcJ,EAAI,MAAA,CAAQ,qBAAqB,CAAA,CAE5D,GAAI,CACH,IAAMrB,CAAAA,CAAS,MAAM,IAAA,CAAK,UAAA,CAAW,UAAU,CAC9C,IAAA,CAAMyB,CAAAA,CAAO,IAAA,CACb,UAAWA,CAAAA,CAAO,SACnB,CAAC,CAAA,CACD,OAAO,KAAK,eAAA,CAAgBJ,CAAAA,CAAIrB,CAAM,CACvC,OAASC,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,aAAA,CAAcoB,EAAI,KAAA,CAASpB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,GAAIuB,IAAW,gBAAA,CAAkB,CAChC,GAAI,CAACC,CAAAA,EAAQ,GAAA,CACZ,OAAO,KAAK,aAAA,CAAcJ,CAAAA,CAAI,OAAQ,sBAAsB,CAAA,CAE7D,GAAI,CACH,IAAMrB,CAAAA,CAAS,MAAM,KAAK,UAAA,CAAW,YAAA,CAAayB,EAAO,GAAa,CAAA,CACtE,OAAO,IAAA,CAAK,eAAA,CAAgBJ,CAAAA,CAAIrB,CAAM,CACvC,CAAA,MAASC,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,cAAcoB,CAAAA,CAAI,KAAA,CAASpB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,GAAIuB,CAAAA,GAAW,YAAA,CAAc,CAC5B,GAAI,CAACC,CAAAA,EAAQ,IAAA,CACZ,OAAO,IAAA,CAAK,aAAA,CAAcJ,EAAI,MAAA,CAAQ,mBAAmB,EAE1D,IAAMQ,CAAAA,CAA2B,CAChC,IAAA,CAAMJ,EAAO,IAAA,CACb,SAAA,CAAYA,EAAO,SAAA,EAAyC,EAC7D,CAAA,CAEA,GAAI,CACH,IAAMzB,EAAyB,MAAM,IAAA,CAAK,WAAW,QAAA,CAAS6B,CAAO,EAOrE,OAAA,CAJmB7B,CAAAA,CAAO,OAAA,CACvB,CAAA,CAAA,CACA,MAAM,IAAA,CAAK,eAAA,CAAgB6B,EAAS7B,CAAM,CAAA,EActC,KAAK,eAAA,CAAgBqB,CAAAA,CAAIrB,CAAM,CAAA,CAX9B,KAAK,eAAA,CAAgBqB,CAAAA,CAAI,CAC/B,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,sHACP,CACD,CAAA,CACA,OAAA,CAAS,EACV,CAAC,CAIH,OAASpB,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,cAAcoB,CAAAA,CAAI,KAAA,CAASpB,EAAc,OAAO,CAC7D,CACD,CAEA,OAAO,IAAA,CAAK,aAAA,CAAcoB,EAAI,MAAA,CAAQ,kBAAkB,EACzD,CAEQ,eAAA,CACPA,EACArB,CAAAA,CACC,CACD,OAAO,CAAE,QAAS,KAAA,CAAO,EAAA,CAAAqB,EAAI,MAAA,CAAArB,CAAO,CACrC,CAEQ,aAAA,CAAcqB,CAAAA,CAAqBS,CAAAA,CAAchC,EAAiB,CACzE,OAAO,CAAE,OAAA,CAAS,KAAA,CAAO,GAAAuB,CAAAA,CAAI,KAAA,CAAO,CAAE,IAAA,CAAAS,EAAM,OAAA,CAAAhC,CAAQ,CAAE,CACvD,CAEA,MAAc,eAAA,CACb+B,CAAAA,CACA7B,CAAAA,CACmB,CACnB,GACC,CAAC6B,CAAAA,CAAQ,WAAW,OAAA,EACpB,OAAOA,EAAQ,SAAA,CAAU,OAAA,EAAY,QAAA,CAErC,OAAO,MAGR,GAAI,CACH,IAAMN,CAAAA,CAAUM,CAAAA,CAAQ,UAAU,OAAA,CAC5BE,CAAAA,CAAc/B,CAAAA,CAAO,OAAA,CAAQ,CAAC,CAAA,EAAG,IAAA,CAEvC,GAAI+B,CAAAA,EAAe,OAAOA,GAAgB,QAAA,CACzC,GAAI,CACH,IAAMC,EAAO,IAAA,CAAK,KAAA,CAAMD,CAAW,CAAA,CAEnC,GAAIC,EAAK,QAAA,EAAYA,CAAAA,CAAK,UAAA,CAAY,CAErC,GAAM,CAAE,YAAA,CAAAC,CAAa,CAAA,CAAI,aAAa,wBAAuB,CAAA,CAU7D,GAAI,CANgB,MAHH,IAAIA,CAAAA,GAGc,eAAA,CAClC,MAAA,CAAO,KAAKV,CAAAA,CAAS,OAAO,CAAA,CAC5BS,CAAAA,CAAK,SACL,MAAA,CAAO,IAAA,CAAKA,EAAK,UAAA,EAAc,EAAA,CAAI,QAAQ,CAC5C,CAAA,CAGC,OAAO,CAAA,CAAA,CAGRA,EAAK,YAAA,CACJ,yEAAA,CACDhC,EAAO,OAAA,CAAQ,CAAC,EAAE,IAAA,CAAO,IAAA,CAAK,SAAA,CAAUgC,CAAI,EAC7C,CACD,CAAA,KAAQ,CAER,CAED,OAAO,EACR,CAAA,MAASpB,CAAAA,CAAG,CACX,OAAAf,EAAI,IAAA,CAAK,oCAAA,CAAsCe,CAAC,CAAA,CACzC,KACR,CACD,CAKA,MAAa,OAAA,EAAyB,CAErC,GAAI,IAAA,CAAK,eAAA,CAAiB,CACzB,GAAM,CAAE,WAAAsB,CAAW,CAAA,CAAI,MAAM,OAAO,aAAoB,CAAA,CASxD,GARA,KAAK,UAAA,CAAa,IAAIA,EACrB,IAAA,CAAK,OAAA,CAAQ,UAAA,EAAc,CAC1B,KAAM,aAAA,CACN,OAAA,CAAS,OACV,CAAA,CACA,CAAE,SAAU,IAAA,CAAK,OAAA,CAAQ,QAAS,CACnC,EAEI,IAAA,CAAK,OAAA,CAAQ,cAAe,CAC/B,MAAM,KAAK,UAAA,CAAW,OAAA,EAAQ,CAI9B,IAAMC,EAAS,IAAA,CAAK,eAAA,CAGpB,GAAIA,CAAAA,CAAO,gBAAA,CACV,OAAW,CAACC,CAAAA,CAAMC,CAAI,CAAA,GAAK,OAAO,OAAA,CAAQF,CAAAA,CAAO,gBAAgB,CAAA,CAAG,CAEnE,IAAMG,CAAAA,CAAID,CAAAA,CACV,IAAA,CAAK,UAAA,CAAW,KACfD,CAAAA,CACAE,CAAAA,CAAE,aAAe,EAAA,CACjBA,CAAAA,CAAE,aAAe,EAAC,CAElB,MAAOC,CAAAA,EACC,MAAMD,CAAAA,CAAE,OAAA,CAAQC,CAAI,CAE7B,EACD,CAID,GAAIJ,CAAAA,CAAO,oBAAA,CACV,IAAA,GAAW,CAACK,CAAAA,CAAKC,CAAQ,IAAK,MAAA,CAAO,OAAA,CACpCN,EAAO,oBACR,CAAA,CAAG,CAEF,IAAMO,EAAID,CAAAA,CACV,IAAA,CAAK,WAAW,QAAA,CACfC,CAAAA,CAAE,KACFF,CAAAA,CACAE,CAAAA,CAAE,QAAA,EAAU,WAAA,EAAe,GAC3BA,CAAAA,CAAE,QAAA,EAAU,UAAY,0BAAA,CACxB,SAAA,CACa,MAAMA,CAAAA,CAAE,YAAA,CAAa,IAAI,GAAA,CAAIF,CAAG,CAAC,CAAA,EAClC,SAAS,CAAC,CAAA,CAAE,IAEzB,EACD,CAEF,CACA,MACD,CAIA,IAAMG,CAAAA,CAAAA,CADW,MAAM,OAAO,UAAe,GACzB,eAAA,CAAgB,CACnC,KAAA,CAAO,OAAA,CAAQ,MACf,MAAA,CAAQ,OAAA,CAAQ,OAChB,QAAA,CAAU,KACX,CAAC,CAAA,CAEKC,CAAAA,CAAW,SAAY,CAC5B/C,EAAI,IAAA,CAAK,wCAAwC,EAC7C,IAAA,CAAK,UAAA,EAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAA,EAAM,CACjD,QAAQ,IAAA,CAAK,CAAC,EACf,CAAA,CAEA8C,CAAAA,CAAG,GAAG,OAAA,CAASC,CAAQ,CAAA,CACvB,OAAA,CAAQ,GAAG,QAAA,CAAUA,CAAQ,EAC7B,OAAA,CAAQ,EAAA,CAAG,UAAWA,CAAQ,CAAA,CAE9BD,CAAAA,CAAG,EAAA,CAAG,OAAQ,MAAOE,CAAAA,EAAS,CAC7B,GAAKA,CAAAA,CAAK,MAAK,CACf,GAAI,CACH,IAAMtB,EAAU,IAAA,CAAK,KAAA,CAAMsB,CAAI,CAAA,CACzB/B,CAAAA,CAAW,MAAM,IAAA,CAAK,oBAAA,CAAqBS,CAAO,CAAA,CACpDT,CAAAA,EACH,QAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,IAAA,CAAK,SAAA,CAAUA,CAAQ,CAAC;AAAA,CAAI,EAEtD,OAASF,CAAAA,CAAY,CACpBf,EAAI,KAAA,CAAM,CAAA,qBAAA,EAAyBe,EAAY,OAAO,CAAA,CAAE,EACzD,CACD,CAAC,EACF,CAEO,SAAA,EAA+B,CACrC,OAAO,IAAA,CAAK,UACb,CACD","file":"chunk-W2QGWRTT.js","sourcesContent":["import { randomUUID } from \"node:crypto\";\nimport { serve } from \"@hono/node-server\";\nimport type { WebStandardStreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\";\nimport type { JSONRPCMessage } from \"@modelcontextprotocol/sdk/types.js\";\nimport { Hono } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport type { LiopServer } from \"../server/index.js\";\nimport { log } from \"../utils/logger.js\";\nimport { LiopMcpBridge } from \"./index.js\";\n\n/**\n * Configuration options for LiopStreamBridge.\n */\nexport interface LiopStreamBridgeOptions {\n\t/** Port to listen on (default: 3000) */\n\tport?: number;\n\t/** Max concurrent sessions per IP (default: 5) */\n\tmaxSessionsPerIp?: number;\n\t/** Session idle timeout in milliseconds (default: 30 min) */\n\tsessionTimeoutMs?: number;\n}\n\n/** Internal metadata for tracked sessions */\ninterface SessionEntry {\n\ttransport: WebStandardStreamableHTTPServerTransport;\n\tlastActivity: number;\n\tclientIp: string;\n}\n\nconst DEFAULT_MAX_SESSIONS_PER_IP = 10;\nconst DEFAULT_SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes\nconst EVICTION_INTERVAL_MS = 60 * 1000; // Check every minute\n\n/**\n * LiopStreamBridge\n *\n * Exposes a LiopServer over a remote HTTP network using the industry-standard\n * MCP Streamable HTTP Transport + Hono JS.\n *\n * Supports concurrent multi-client connections via per-session transport instances (Map pattern).\n * External agents connect using only a URL + Bearer Token (Zero-Trust).\n *\n * Security hardening:\n * - Zero-Trust Bearer Token enforcement\n * - Per-IP rate limiting on session creation\n * - Automatic eviction of idle sessions (TTL)\n */\nexport class LiopStreamBridge {\n\tprivate app: Hono;\n\tprivate httpServer: ReturnType<typeof serve> | null = null;\n\tprivate bridgeLogic: LiopMcpBridge;\n\tprivate activeSessions: Map<string, SessionEntry>;\n\tprivate evictionTimer: ReturnType<typeof setInterval> | null = null;\n\tprivate maxSessionsPerIp: number;\n\tprivate sessionTimeoutMs: number;\n\n\tconstructor(\n\t\tinternalServer: LiopServer,\n\t\tprivate options: LiopStreamBridgeOptions = {},\n\t) {\n\t\tthis.app = new Hono();\n\t\tthis.bridgeLogic = new LiopMcpBridge(internalServer);\n\t\tthis.activeSessions = new Map();\n\t\tthis.maxSessionsPerIp =\n\t\t\toptions.maxSessionsPerIp ?? DEFAULT_MAX_SESSIONS_PER_IP;\n\t\tthis.sessionTimeoutMs =\n\t\t\toptions.sessionTimeoutMs ?? DEFAULT_SESSION_TIMEOUT_MS;\n\n\t\tthis.setupRoutes();\n\t}\n\n\t/**\n\t * Creates a new per-session transport instance and wires it to the LIOPMcpBridge logic.\n\t */\n\tprivate async createSessionTransport(\n\t\tclientIp: string,\n\t): Promise<WebStandardStreamableHTTPServerTransport> {\n\t\tconst { WebStandardStreamableHTTPServerTransport } = await import(\n\t\t\t\"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\"\n\t\t);\n\t\tconst transport = new WebStandardStreamableHTTPServerTransport({\n\t\t\tsessionIdGenerator: () => randomUUID(),\n\t\t\tonsessioninitialized: (sessionId: string) => {\n\t\t\t\tthis.activeSessions.set(sessionId, {\n\t\t\t\t\ttransport,\n\t\t\t\t\tlastActivity: Date.now(),\n\t\t\t\t\tclientIp,\n\t\t\t\t});\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-StreamBridge] Session opened: ${sessionId} (IP: ${clientIp})`,\n\t\t\t\t);\n\t\t\t},\n\t\t});\n\n\t\t// Wire the transport's incoming messages to the LiopMcpBridge JSON-RPC router\n\t\ttransport.onmessage = async (message: JSONRPCMessage) => {\n\t\t\t// Touch activity timestamp on every message\n\t\t\tif (transport.sessionId) {\n\t\t\t\tconst entry = this.activeSessions.get(transport.sessionId);\n\t\t\t\tif (entry) entry.lastActivity = Date.now();\n\t\t\t}\n\n\t\t\ttry {\n\t\t\t\tconst result = await this.bridgeLogic.handleJsonRpcRequest(\n\t\t\t\t\tmessage as unknown as Record<string, unknown>,\n\t\t\t\t);\n\t\t\t\t// Notifications return undefined — no response needed\n\t\t\t\tif (result !== undefined) {\n\t\t\t\t\tawait transport.send(result as JSONRPCMessage);\n\t\t\t\t}\n\t\t\t} catch (err: unknown) {\n\t\t\t\tlog.info(\"[LIOP-StreamBridge] JSON-RPC error:\", (err as Error).message);\n\t\t\t}\n\t\t};\n\n\t\ttransport.onclose = () => {\n\t\t\tif (transport.sessionId) {\n\t\t\t\tthis.activeSessions.delete(transport.sessionId);\n\t\t\t\tlog.info(`[LIOP-StreamBridge] Session closed: ${transport.sessionId}`);\n\t\t\t}\n\t\t};\n\n\t\treturn transport;\n\t}\n\n\t/**\n\t * Returns the number of active sessions for a given IP.\n\t */\n\tprivate countSessionsByIp(ip: string): number {\n\t\tlet count = 0;\n\t\tfor (const entry of this.activeSessions.values()) {\n\t\t\tif (entry.clientIp === ip) count++;\n\t\t}\n\t\treturn count;\n\t}\n\n\t/**\n\t * Extracts client IP from the request (supports X-Forwarded-For for reverse proxies).\n\t */\n\tprivate getClientIp(c: {\n\t\treq: { header: (name: string) => string | undefined };\n\t}): string {\n\t\treturn (\n\t\t\tc.req.header(\"x-forwarded-for\")?.split(\",\")[0]?.trim() ||\n\t\t\tc.req.header(\"x-real-ip\") ||\n\t\t\t\"unknown\"\n\t\t);\n\t}\n\n\t/**\n\t * Evicts sessions that have been idle longer than the configured timeout.\n\t */\n\tprivate evictIdleSessions(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [sessionId, entry] of this.activeSessions) {\n\t\t\tif (now - entry.lastActivity > this.sessionTimeoutMs) {\n\t\t\t\tlog.info(`[LIOP-StreamBridge] Evicting idle session: ${sessionId}`);\n\t\t\t\tentry.transport.close().catch(() => {\n\t\t\t\t\t/* Swallow close errors */\n\t\t\t\t});\n\t\t\t\tthis.activeSessions.delete(sessionId);\n\t\t\t}\n\t\t}\n\t}\n\n\tprivate setupRoutes() {\n\t\tthis.app.use(\"*\", cors());\n\n\t\t// Initialize strict zero-trust token if not provided\n\t\tif (!process.env.ZERO_TRUST_TOKEN) {\n\t\t\tprocess.env.ZERO_TRUST_TOKEN = randomUUID();\n\t\t\tlog.info(\"=\".repeat(60));\n\t\t\tlog.info(\"⚠️ STRICT ZERO-TRUST MODE ENABLED ⚠️\");\n\t\t\tlog.info(\"No ZERO_TRUST_TOKEN found in environment.\");\n\t\t\tlog.info(\"A secure ephemeral token has been generated for this session:\");\n\t\t\tlog.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`);\n\t\t\tlog.info(\"=\".repeat(60));\n\t\t}\n\n\t\t// ZTA (Zero-Trust Architecture) Security Middleware\n\t\tthis.app.use(\"/mcp\", async (c, next) => {\n\t\t\tconst auth = c.req.header(\"Authorization\");\n\t\t\tif (!auth?.startsWith(\"Bearer \")) {\n\t\t\t\treturn c.json(\n\t\t\t\t\t{ error: \"Unauthorized: LIOP Zero-Trust Policy Enforced\" },\n\t\t\t\t\t401,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tconst token = auth.slice(7);\n\t\t\tconst expectedToken = process.env.ZERO_TRUST_TOKEN;\n\n\t\t\t// Check static token fallback first (retrocompatibility)\n\t\t\tif (expectedToken && token === expectedToken) {\n\t\t\t\tawait next();\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\t// Validate with JWT Validator if configured on the server\n\t\t\tconst jwtValidator = this.bridgeLogic.getServer()?.jwtValidator;\n\t\t\tif (jwtValidator) {\n\t\t\t\ttry {\n\t\t\t\t\tawait jwtValidator.validate(token);\n\t\t\t\t\tawait next();\n\t\t\t\t\treturn;\n\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-StreamBridge] JWT Validation failed: ${(e as Error).message}`,\n\t\t\t\t\t);\n\t\t\t\t\treturn c.json(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\terror: `Unauthorized: JWT Validation failed - ${(e as Error).message}`,\n\t\t\t\t\t\t},\n\t\t\t\t\t\t401,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tlog.info(\n\t\t\t\t\"[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token.\",\n\t\t\t);\n\t\t\treturn c.json(\n\t\t\t\t{ error: \"Unauthorized: LIOP Zero-Trust Policy Enforced\" },\n\t\t\t\t401,\n\t\t\t);\n\t\t});\n\n\t\t// Multi-Session Streamable HTTP Handler\n\t\tthis.app.all(\"/mcp\", async (c) => {\n\t\t\tconst sessionId = c.req.header(\"mcp-session-id\");\n\n\t\t\t// Route to existing session if session ID is present\n\t\t\tif (sessionId) {\n\t\t\t\tconst existing = this.activeSessions.get(sessionId);\n\t\t\t\tif (!existing) {\n\t\t\t\t\treturn c.json({ error: \"Session not found\" }, 404);\n\t\t\t\t}\n\t\t\t\t// Touch activity on every routed request\n\t\t\t\texisting.lastActivity = Date.now();\n\n\t\t\t\tconst response = await existing.transport.handleRequest(c.req.raw);\n\n\t\t\t\t// If DELETE, the transport closes internally but onclose may not fire.\n\t\t\t\t// Explicitly clean up the session from the Map.\n\t\t\t\tif (c.req.method === \"DELETE\") {\n\t\t\t\t\tthis.activeSessions.delete(sessionId);\n\t\t\t\t\tlog.info(`[LIOP-StreamBridge] Session closed (DELETE): ${sessionId}`);\n\t\t\t\t}\n\n\t\t\t\treturn response;\n\t\t\t}\n\n\t\t\t// No session ID → New client initializing.\n\t\t\t// Rate-limit: enforce max sessions per IP\n\t\t\tconst clientIp = this.getClientIp(c);\n\t\t\tconst currentSessions = this.countSessionsByIp(clientIp);\n\t\t\tif (currentSessions >= this.maxSessionsPerIp) {\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-StreamBridge] Rate limit hit for IP: ${clientIp} (${currentSessions} sessions)`,\n\t\t\t\t);\n\t\t\t\treturn c.json({ error: \"Too Many Sessions: Rate limit exceeded\" }, 429);\n\t\t\t}\n\n\t\t\tconst transport = await this.createSessionTransport(clientIp);\n\t\t\treturn await transport.handleRequest(c.req.raw);\n\t\t});\n\t}\n\n\t/**\n\t * Starts the LiopStreamBridge HTTP server and session eviction timer.\n\t */\n\tpublic async start(port?: number): Promise<void> {\n\t\tconst listenPort = port ?? this.options.port ?? 3000;\n\n\t\t// Start the idle session eviction timer\n\t\tthis.evictionTimer = setInterval(\n\t\t\t() => this.evictIdleSessions(),\n\t\t\tEVICTION_INTERVAL_MS,\n\t\t);\n\n\t\treturn new Promise((resolve) => {\n\t\t\tthis.httpServer = serve(\n\t\t\t\t{\n\t\t\t\t\tfetch: this.app.fetch,\n\t\t\t\t\tport: listenPort,\n\t\t\t\t},\n\t\t\t\t(info) => {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${info.port}/mcp`,\n\t\t\t\t\t);\n\t\t\t\t\tresolve();\n\t\t\t\t},\n\t\t\t);\n\t\t});\n\t}\n\n\t/**\n\t * Graceful shutdown — closes all active sessions, stops timers, and releases port.\n\t */\n\tpublic async stop(): Promise<void> {\n\t\tif (this.evictionTimer) {\n\t\t\tclearInterval(this.evictionTimer);\n\t\t\tthis.evictionTimer = null;\n\t\t}\n\n\t\tfor (const [id, entry] of this.activeSessions) {\n\t\t\tawait entry.transport.close();\n\t\t\tthis.activeSessions.delete(id);\n\t\t}\n\n\t\tif (this.httpServer) {\n\t\t\tthis.httpServer.close();\n\t\t\tlog.info(\"[LIOP-StreamBridge] HTTP ports released.\");\n\t\t}\n\t}\n}\n","import type { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport type { LiopServer, LiopServerOptions } from \"../server/index.js\";\nimport type { CallToolRequest, CallToolResult } from \"../types.js\";\nimport { log } from \"../utils/logger.js\";\n\nexport interface LiopBridgeOptions {\n\tpublishToMesh?: boolean;\n\tmeshIdentity?: string;\n\tserverInfo?: {\n\t\tname: string;\n\t\tversion: string;\n\t};\n\tsecurity?: LiopServerOptions[\"security\"];\n}\n\n/**\n * LIOP MCP Bridge\n * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,\n * or exposes a LIOP server as an MCP-compatible stdio process for tools like Claude Desktop.\n */\nexport class LiopMcpBridge {\n\tprivate liopServer: LiopServer | null = null;\n\tprivate legacyMcpServer: McpServer | null = null;\n\tconstructor(\n\t\t// biome-ignore lint/suspicious/noExplicitAny: polymorphic source detection\n\t\tsource: LiopServer | McpServer | any,\n\t\tprivate options: LiopBridgeOptions = {},\n\t) {\n\t\t// Determine mode: Exposing LIOP to MCP (Claude) or Wrapping MCP to LIOP (Mesh)\n\t\t// We use constructor name check to avoid hard dependency on optional SDK at runtime start\n\t\tif (source?.constructor?.name === \"LiopServer\") {\n\t\t\tthis.liopServer = source as LiopServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)\");\n\t\t} else if (source?.constructor?.name === \"McpServer\") {\n\t\t\tthis.legacyMcpServer = source as McpServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)\");\n\t\t} else {\n\t\t\t// Fallback for inferred legacy MCP servers\n\t\t\tthis.legacyMcpServer = source as McpServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: WRAP (Inferred Legacy MCP -> LIOP Mesh)\");\n\t\t}\n\t}\n\n\t/**\n\t * Handles an incoming standard MCP JSON-RPC 2.0 payload.\n\t * Pipes it to the underlying server (LIOP or Legacy MCP).\n\t */\n\tpublic async handleJsonRpcRequest(\n\t\tpayload: Record<string, unknown>,\n\t): Promise<unknown> {\n\t\tconst id = payload.id as string | number;\n\t\tconst method = payload.method as string;\n\t\tconst params = payload.params as Record<string, unknown> | undefined;\n\n\t\tif (payload.jsonrpc !== \"2.0\") {\n\t\t\treturn this.errorResponse(id, -32600, \"Invalid Request\");\n\t\t}\n\n\t\t// Mode: EXPOSE (Standard behavior used by Claude Desktop)\n\t\tif (this.liopServer) {\n\t\t\treturn this.handleLiopToMcp(id, method, params);\n\t\t}\n\n\t\t// Mode: WRAP (Redirecting via internal LiopServer after connect())\n\t\tif (this.legacyMcpServer && this.liopServer) {\n\t\t\treturn this.handleLiopToMcp(id, method, params);\n\t\t}\n\n\t\treturn this.errorResponse(id, -32601, \"Bridge source not configured\");\n\t}\n\n\tprivate async handleLiopToMcp(\n\t\tid: string | number,\n\t\tmethod: string,\n\t\tparams: Record<string, unknown> | undefined,\n\t): Promise<unknown> {\n\t\tif (!this.liopServer) return null;\n\n\t\tif (method === \"initialize\") {\n\t\t\treturn this.successResponse(id, {\n\t\t\t\tprotocolVersion: \"2025-11-25\",\n\t\t\t\tcapabilities: {\n\t\t\t\t\tprompts: {},\n\t\t\t\t\tresources: {},\n\t\t\t\t\ttools: {},\n\t\t\t\t},\n\t\t\t\tserverInfo: this.liopServer.getServerInfo(),\n\t\t\t});\n\t\t}\n\n\t\tif (method === \"notifications/initialized\") return undefined;\n\t\tif (method === \"ping\") return this.successResponse(id, {});\n\n\t\tif (method === \"tools/list\") {\n\t\t\tconst tools = this.liopServer.listTools();\n\t\t\treturn this.successResponse(id, { tools });\n\t\t}\n\n\t\tif (method === \"resources/list\") {\n\t\t\tconst resources = this.liopServer.listResources();\n\t\t\treturn this.successResponse(id, { resources });\n\t\t}\n\n\t\tif (method === \"prompts/list\") {\n\t\t\tconst prompts = this.liopServer.listPrompts();\n\t\t\treturn this.successResponse(id, { prompts });\n\t\t}\n\n\t\tif (method === \"prompts/get\") {\n\t\t\tif (!params?.name) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing prompt name\");\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await this.liopServer.getPrompt({\n\t\t\t\t\tname: params.name as string,\n\t\t\t\t\targuments: params.arguments as Record<string, string> | undefined,\n\t\t\t\t});\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\tif (method === \"resources/read\") {\n\t\t\tif (!params?.uri) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing resource URI\");\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await this.liopServer.readResource(params.uri as string);\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\tif (method === \"tools/call\") {\n\t\t\tif (!params?.name) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing tool name\");\n\t\t\t}\n\t\t\tconst request: CallToolRequest = {\n\t\t\t\tname: params.name as string,\n\t\t\t\targuments: (params.arguments as Record<string, unknown>) || {},\n\t\t\t};\n\n\t\t\ttry {\n\t\t\t\tconst result: CallToolResult = await this.liopServer.callTool(request);\n\t\t\t\t// If the tool execution returned an error (e.g. policy violation), we bypass\n\t\t\t\t// ZK-Receipt verification because no cryptographic proof is generated for errors.\n\t\t\t\tconst isVerified = result.isError\n\t\t\t\t\t? true\n\t\t\t\t\t: await this.verifyZkReceipt(request, result);\n\n\t\t\t\tif (!isVerified) {\n\t\t\t\t\treturn this.successResponse(id, {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload.\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t});\n\t\t\t\t}\n\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\treturn this.errorResponse(id, -32601, \"Method not found\");\n\t}\n\n\tprivate successResponse(\n\t\tid: string | number | null | undefined,\n\t\tresult: unknown,\n\t) {\n\t\treturn { jsonrpc: \"2.0\", id, result };\n\t}\n\n\tprivate errorResponse(id: string | number, code: number, message: string) {\n\t\treturn { jsonrpc: \"2.0\", id, error: { code, message } };\n\t}\n\n\tprivate async verifyZkReceipt(\n\t\trequest: CallToolRequest,\n\t\tresult: CallToolResult,\n\t): Promise<boolean> {\n\t\tif (\n\t\t\t!request.arguments?.payload ||\n\t\t\ttypeof request.arguments.payload !== \"string\"\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\n\t\ttry {\n\t\t\tconst payload = request.arguments.payload as string;\n\t\t\tconst contentText = result.content[0]?.text;\n\n\t\t\tif (contentText && typeof contentText === \"string\") {\n\t\t\t\ttry {\n\t\t\t\t\tconst data = JSON.parse(contentText);\n\n\t\t\t\t\tif (data.image_id || data.zk_receipt) {\n\t\t\t\t\t\t// 1. Instantiate the Industrial Verifier ( backed by Piscina Worker Pool )\n\t\t\t\t\t\tconst { LiopVerifier } = await import(\"../crypto/verifier.js\");\n\t\t\t\t\t\tconst verifier = new LiopVerifier();\n\n\t\t\t\t\t\t// 2. Delegate the heavy mathematical check (ZK Journal + Seal)\n\t\t\t\t\t\tconst isAuthentic = await verifier.verifyZkReceipt(\n\t\t\t\t\t\t\tBuffer.from(payload, \"utf-8\"),\n\t\t\t\t\t\t\tdata.image_id,\n\t\t\t\t\t\t\tBuffer.from(data.zk_receipt || \"\", \"base64\"),\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (!isAuthentic) {\n\t\t\t\t\t\t\treturn false;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tdata.audit_status =\n\t\t\t\t\t\t\t\"VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge\";\n\t\t\t\t\t\tresult.content[0].text = JSON.stringify(data);\n\t\t\t\t\t}\n\t\t\t\t} catch {\n\t\t\t\t\t// Output not JSON\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn true;\n\t\t} catch (e) {\n\t\t\tlog.info(\"[LIOP-Bridge] ZK-Verifier Failure:\", e);\n\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Connects the bridge via stdio or Mesh depending on mode.\n\t */\n\tpublic async connect(): Promise<void> {\n\t\t// In WRAP mode, we actually need to create a LiopServer and join the mesh\n\t\tif (this.legacyMcpServer) {\n\t\t\tconst { LiopServer } = await import(\"../server/index.js\");\n\t\t\tthis.liopServer = new LiopServer(\n\t\t\t\tthis.options.serverInfo || {\n\t\t\t\t\tname: \"liop-bridge\",\n\t\t\t\t\tversion: \"1.0.0\",\n\t\t\t\t},\n\t\t\t\t{ security: this.options.security },\n\t\t\t);\n\n\t\t\tif (this.options.publishToMesh) {\n\t\t\t\tawait this.liopServer.connect();\n\n\t\t\t\t// Automatically Bridge Legacy Capabilities to LIOP Mesh\n\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Internal legacy MCP properties are completely opaque and unexported\n\t\t\t\tconst legacy = this.legacyMcpServer as any;\n\n\t\t\t\t// 1. Sync Tools\n\t\t\t\tif (legacy._registeredTools) {\n\t\t\t\t\tfor (const [name, tool] of Object.entries(legacy._registeredTools)) {\n\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure\n\t\t\t\t\t\tconst t = tool as any;\n\t\t\t\t\t\tthis.liopServer.tool(\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tt.description || \"\",\n\t\t\t\t\t\t\tt.inputSchema || {},\n\t\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy callback args\n\t\t\t\t\t\t\tasync (args: any) => {\n\t\t\t\t\t\t\t\treturn await t.handler(args);\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// 2. Sync Resources\n\t\t\t\tif (legacy._registeredResources) {\n\t\t\t\t\tfor (const [uri, resource] of Object.entries(\n\t\t\t\t\t\tlegacy._registeredResources,\n\t\t\t\t\t)) {\n\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure\n\t\t\t\t\t\tconst r = resource as any;\n\t\t\t\t\t\tthis.liopServer.resource(\n\t\t\t\t\t\t\tr.name,\n\t\t\t\t\t\t\turi,\n\t\t\t\t\t\t\tr.metadata?.description || \"\",\n\t\t\t\t\t\t\tr.metadata?.mimeType || \"application/octet-stream\",\n\t\t\t\t\t\t\tasync () => {\n\t\t\t\t\t\t\t\tconst res = await r.readCallback(new URL(uri));\n\t\t\t\t\t\t\t\treturn res.contents[0].text;\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\n\t\t// In EXPOSE mode, listen to stdio (Claude Desktop)\n\t\tconst readline = await import(\"node:readline\");\n\t\tconst rl = readline.createInterface({\n\t\t\tinput: process.stdin,\n\t\t\toutput: process.stdout,\n\t\t\tterminal: false,\n\t\t});\n\n\t\tconst shutdown = async () => {\n\t\t\tlog.info(\"[LIOP-Bridge] Disconnecting session...\");\n\t\t\tif (this.liopServer) await this.liopServer.close();\n\t\t\tprocess.exit(0);\n\t\t};\n\n\t\trl.on(\"close\", shutdown);\n\t\tprocess.on(\"SIGINT\", shutdown);\n\t\tprocess.on(\"SIGTERM\", shutdown);\n\n\t\trl.on(\"line\", async (line) => {\n\t\t\tif (!line.trim()) return;\n\t\t\ttry {\n\t\t\t\tconst payload = JSON.parse(line);\n\t\t\t\tconst response = await this.handleJsonRpcRequest(payload);\n\t\t\t\tif (response) {\n\t\t\t\t\tprocess.stdout.write(`${JSON.stringify(response)}\\n`);\n\t\t\t\t}\n\t\t\t} catch (e: unknown) {\n\t\t\t\tlog.error(`[LIOP-Bridge] Error: ${(e as Error).message}`);\n\t\t\t}\n\t\t});\n\t}\n\n\tpublic getServer(): LiopServer | null {\n\t\treturn this.liopServer;\n\t}\n}\n\nexport * from \"./stream.js\";\n"]}
+{"version":3,"sources":["../src/bridge/stream.ts","../src/bridge/index.ts"],"names":["DEFAULT_MAX_SESSIONS_PER_IP","DEFAULT_SESSION_TIMEOUT_MS","EVICTION_INTERVAL_MS","LiopStreamBridge","internalServer","options","Hono","LiopMcpBridge","clientIp","WebStandardStreamableHTTPServerTransport","transport","randomUUID","sessionId","log","message","entry","result","err","ip","count","c","now","cors","next","auth","token","expectedToken","jwtValidator","e","existing","response","currentSessions","port","listenPort","resolve","serve","info","id","source","payload","method","params","tools","resources","prompts","request","code","contentText","data","LiopVerifier","LiopServer","legacy","name","tool","t","args","uri","resource","r","rl","shutdown","line"],"mappings":"+JA6BA,IAAMA,CAAAA,CAA8B,GAC9BC,CAAAA,CAA6B,IAAA,CAAU,GAAA,CACvCC,CAAAA,CAAuB,GAAK,GAAA,CAgBrBC,CAAAA,CAAN,KAAuB,CAS7B,WAAA,CACCC,EACQC,CAAAA,CAAmC,EAAC,CAC3C,CADO,aAAAA,CAAAA,CAER,IAAA,CAAK,IAAM,IAAIC,IAAAA,CACf,KAAK,WAAA,CAAc,IAAIC,CAAAA,CAAcH,CAAc,EACnD,IAAA,CAAK,cAAA,CAAiB,IAAI,GAAA,CAC1B,IAAA,CAAK,iBACJC,CAAAA,CAAQ,gBAAA,EAAoBL,CAAAA,CAC7B,IAAA,CAAK,iBACJK,CAAAA,CAAQ,gBAAA,EAAoBJ,EAE7B,IAAA,CAAK,WAAA,GACN,CArBQ,GAAA,CACA,UAAA,CAA8C,IAAA,CAC9C,YACA,cAAA,CACA,aAAA,CAAuD,KACvD,gBAAA,CACA,gBAAA,CAoBR,MAAc,sBAAA,CACbO,CAAAA,CACoD,CACpD,GAAM,CAAE,wCAAA,CAAAC,CAAyC,EAAI,MAAM,OAC1D,+DACD,CAAA,CACMC,CAAAA,CAAY,IAAID,CAAAA,CAAyC,CAC9D,kBAAA,CAAoB,IAAME,YAAW,CACrC,oBAAA,CAAuBC,GAAsB,CAC5C,IAAA,CAAK,cAAA,CAAe,GAAA,CAAIA,EAAW,CAClC,SAAA,CAAAF,EACA,YAAA,CAAc,IAAA,CAAK,KAAI,CACvB,QAAA,CAAAF,CACD,CAAC,EACDK,CAAAA,CAAI,IAAA,CACH,uCAAuCD,CAAS,CAAA,MAAA,EAASJ,CAAQ,CAAA,CAAA,CAClE,EACD,CACD,CAAC,EAGD,OAAAE,CAAAA,CAAU,UAAY,MAAOI,CAAAA,EAA4B,CAExD,GAAIJ,CAAAA,CAAU,SAAA,CAAW,CACxB,IAAMK,CAAAA,CAAQ,IAAA,CAAK,eAAe,GAAA,CAAIL,CAAAA,CAAU,SAAS,CAAA,CACrDK,CAAAA,GAAOA,CAAAA,CAAM,YAAA,CAAe,KAAK,GAAA,EAAI,EAC1C,CAEA,GAAI,CACH,IAAMC,CAAAA,CAAS,MAAM,IAAA,CAAK,WAAA,CAAY,qBACrCF,CACD,CAAA,CAEIE,IAAW,KAAA,CAAA,EACd,MAAMN,EAAU,IAAA,CAAKM,CAAwB,EAE/C,CAAA,MAASC,EAAc,CACtBJ,CAAAA,CAAI,KAAK,qCAAA,CAAwCI,CAAAA,CAAc,OAAO,EACvE,CACD,CAAA,CAEAP,CAAAA,CAAU,QAAU,IAAM,CACrBA,EAAU,SAAA,GACb,IAAA,CAAK,eAAe,MAAA,CAAOA,CAAAA,CAAU,SAAS,CAAA,CAC9CG,EAAI,IAAA,CAAK,CAAA,oCAAA,EAAuCH,EAAU,SAAS,CAAA,CAAE,GAEvE,CAAA,CAEOA,CACR,CAKQ,iBAAA,CAAkBQ,EAAoB,CAC7C,IAAIC,EAAQ,CAAA,CACZ,IAAA,IAAWJ,KAAS,IAAA,CAAK,cAAA,CAAe,MAAA,EAAO,CAC1CA,EAAM,QAAA,GAAaG,CAAAA,EAAIC,IAE5B,OAAOA,CACR,CAKQ,WAAA,CAAYC,CAAAA,CAET,CACV,OACCA,EAAE,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,IAChDA,CAAAA,CAAE,GAAA,CAAI,OAAO,WAAW,CAAA,EACxB,SAEF,CAKQ,iBAAA,EAA0B,CACjC,IAAMC,EAAM,IAAA,CAAK,GAAA,GACjB,IAAA,GAAW,CAACT,EAAWG,CAAK,CAAA,GAAK,IAAA,CAAK,cAAA,CACjCM,EAAMN,CAAAA,CAAM,YAAA,CAAe,KAAK,gBAAA,GACnCF,CAAAA,CAAI,KAAK,CAAA,2CAAA,EAA8CD,CAAS,CAAA,CAAE,CAAA,CAClEG,EAAM,SAAA,CAAU,KAAA,GAAQ,KAAA,CAAM,IAAM,CAEpC,CAAC,CAAA,CACD,IAAA,CAAK,cAAA,CAAe,OAAOH,CAAS,CAAA,EAGvC,CAEQ,WAAA,EAAc,CACrB,KAAK,GAAA,CAAI,GAAA,CAAI,GAAA,CAAKU,IAAAA,EAAM,CAAA,CAGnB,OAAA,CAAQ,IAAI,gBAAA,GAChB,OAAA,CAAQ,IAAI,gBAAA,CAAmBX,UAAAA,EAAW,CAC1CE,CAAAA,CAAI,KAAK,GAAA,CAAI,MAAA,CAAO,EAAE,CAAC,CAAA,CACvBA,EAAI,IAAA,CAAK,0DAAsC,CAAA,CAC/CA,CAAAA,CAAI,KAAK,2CAA2C,CAAA,CACpDA,EAAI,IAAA,CAAK,+DAA+D,EACxEA,CAAAA,CAAI,IAAA,CAAK,CAAA,OAAA,EAAU,OAAA,CAAQ,IAAI,gBAAgB,CAAA,CAAE,EACjDA,CAAAA,CAAI,IAAA,CAAK,IAAI,MAAA,CAAO,EAAE,CAAC,CAAA,CAAA,CAIxB,KAAK,GAAA,CAAI,GAAA,CAAI,OAAQ,MAAOO,CAAAA,CAAGG,IAAS,CACvC,IAAMC,EAAOJ,CAAAA,CAAE,GAAA,CAAI,OAAO,eAAe,CAAA,CACzC,GAAI,CAACI,CAAAA,EAAM,WAAW,SAAS,CAAA,CAC9B,OAAOJ,CAAAA,CAAE,KACR,CAAE,KAAA,CAAO,+CAAgD,CAAA,CACzD,GACD,EAGD,IAAMK,CAAAA,CAAQD,CAAAA,CAAK,KAAA,CAAM,CAAC,CAAA,CACpBE,CAAAA,CAAgB,QAAQ,GAAA,CAAI,gBAAA,CAGlC,GAAIA,CAAAA,EAAiBD,CAAAA,GAAUC,CAAAA,CAAe,CAC7C,MAAMH,CAAAA,EAAK,CACX,MACD,CAGA,IAAMI,EAAe,IAAA,CAAK,WAAA,CAAY,SAAA,EAAU,EAAG,aACnD,GAAIA,CAAAA,CACH,GAAI,CACH,MAAMA,EAAa,QAAA,CAASF,CAAK,CAAA,CACjC,MAAMF,GAAK,CACX,MACD,OAASK,GAAAA,CAAY,CACpB,OAAAf,CAAAA,CAAI,IAAA,CACH,CAAA,2CAAA,EAA+Ce,GAAAA,CAAY,OAAO,CAAA,CACnE,CAAA,CACOR,EAAE,IAAA,CACR,CACC,MAAO,CAAA,sCAAA,EAA0CQ,GAAAA,CAAY,OAAO,CAAA,CACrE,EACA,GACD,CACD,CAGD,OAAAf,CAAAA,CAAI,KACH,sEACD,CAAA,CACOO,CAAAA,CAAE,IAAA,CACR,CAAE,KAAA,CAAO,+CAAgD,EACzD,GACD,CACD,CAAC,CAAA,CAGD,IAAA,CAAK,GAAA,CAAI,GAAA,CAAI,OAAQ,MAAOA,CAAAA,EAAM,CACjC,IAAMR,CAAAA,CAAYQ,EAAE,GAAA,CAAI,MAAA,CAAO,gBAAgB,CAAA,CAG/C,GAAIR,CAAAA,CAAW,CACd,IAAMiB,CAAAA,CAAW,IAAA,CAAK,eAAe,GAAA,CAAIjB,CAAS,CAAA,CAClD,GAAI,CAACiB,CAAAA,CACJ,OAAOT,EAAE,IAAA,CAAK,CAAE,MAAO,mBAAoB,CAAA,CAAG,GAAG,CAAA,CAGlDS,EAAS,YAAA,CAAe,IAAA,CAAK,KAAI,CAEjC,IAAMC,IAAW,MAAMD,CAAAA,CAAS,SAAA,CAAU,aAAA,CAAcT,EAAE,GAAA,CAAI,GAAG,EAIjE,OAAIA,CAAAA,CAAE,IAAI,MAAA,GAAW,QAAA,GACpB,IAAA,CAAK,cAAA,CAAe,OAAOR,CAAS,CAAA,CACpCC,EAAI,IAAA,CAAK,CAAA,6CAAA,EAAgDD,CAAS,CAAA,CAAE,CAAA,CAAA,CAG9DkB,GACR,CAIA,IAAMtB,CAAAA,CAAW,IAAA,CAAK,YAAYY,CAAC,CAAA,CAC7BW,EAAkB,IAAA,CAAK,iBAAA,CAAkBvB,CAAQ,CAAA,CACvD,OAAIuB,CAAAA,EAAmB,IAAA,CAAK,kBAC3BlB,CAAAA,CAAI,IAAA,CACH,8CAA8CL,CAAQ,CAAA,EAAA,EAAKuB,CAAe,CAAA,UAAA,CAC3E,EACOX,CAAAA,CAAE,IAAA,CAAK,CAAE,KAAA,CAAO,wCAAyC,EAAG,GAAG,CAAA,EAIhE,KAAA,CADW,MAAM,KAAK,sBAAA,CAAuBZ,CAAQ,GACrC,aAAA,CAAcY,CAAAA,CAAE,IAAI,GAAG,CAC/C,CAAC,EACF,CAKA,MAAa,KAAA,CAAMY,EAA8B,CAChD,IAAMC,EAAaD,CAAAA,EAAQ,IAAA,CAAK,OAAA,CAAQ,IAAA,EAAQ,IAGhD,OAAA,IAAA,CAAK,aAAA,CAAgB,YACpB,IAAM,IAAA,CAAK,mBAAkB,CAC7B9B,CACD,CAAA,CAEO,IAAI,QAASgC,CAAAA,EAAY,CAC/B,KAAK,UAAA,CAAaC,KAAAA,CACjB,CACC,KAAA,CAAO,IAAA,CAAK,GAAA,CAAI,KAAA,CAChB,KAAMF,CACP,CAAA,CACCG,GAAS,CACTvB,CAAAA,CAAI,KACH,CAAA,gEAAA,EAAmEuB,CAAAA,CAAK,IAAI,CAAA,IAAA,CAC7E,EACAF,CAAAA,GACD,CACD,EACD,CAAC,CACF,CAKA,MAAa,IAAA,EAAsB,CAC9B,KAAK,aAAA,GACR,aAAA,CAAc,KAAK,aAAa,CAAA,CAChC,KAAK,aAAA,CAAgB,IAAA,CAAA,CAGtB,IAAA,GAAW,CAACG,EAAItB,CAAK,CAAA,GAAK,KAAK,cAAA,CAC9B,MAAMA,EAAM,SAAA,CAAU,KAAA,EAAM,CAC5B,IAAA,CAAK,eAAe,MAAA,CAAOsB,CAAE,EAG1B,IAAA,CAAK,UAAA,GACR,KAAK,UAAA,CAAW,KAAA,EAAM,CACtBxB,CAAAA,CAAI,KAAK,0CAA0C,CAAA,EAErD,CACD,ECvSO,IAAMN,EAAN,KAAoB,CAG1B,WAAA,CAEC+B,CAAAA,CACQjC,EAA6B,EAAC,CACrC,CADO,IAAA,CAAA,OAAA,CAAAA,CAAAA,CAIJiC,GAAQ,WAAA,EAAa,IAAA,GAAS,YAAA,EACjC,IAAA,CAAK,WAAaA,CAAAA,CAClBzB,CAAAA,CAAI,KAAK,gDAAgD,CAAA,EAC/CyB,GAAQ,WAAA,EAAa,IAAA,GAAS,WAAA,EACxC,IAAA,CAAK,gBAAkBA,CAAAA,CACvBzB,CAAAA,CAAI,KAAK,oDAAoD,CAAA,GAG7D,KAAK,eAAA,CAAkByB,CAAAA,CACvBzB,CAAAA,CAAI,IAAA,CAAK,6DAA6D,CAAA,EAExE,CApBQ,WAAgC,IAAA,CAChC,eAAA,CAAoC,KAyB5C,MAAa,oBAAA,CACZ0B,EACmB,CACnB,IAAMF,EAAKE,CAAAA,CAAQ,EAAA,CACbC,EAASD,CAAAA,CAAQ,MAAA,CACjBE,EAASF,CAAAA,CAAQ,MAAA,CAEvB,OAAIA,CAAAA,CAAQ,UAAY,KAAA,CAChB,IAAA,CAAK,cAAcF,CAAAA,CAAI,MAAA,CAAQ,iBAAiB,CAAA,CAIpD,IAAA,CAAK,UAAA,CACD,IAAA,CAAK,gBAAgBA,CAAAA,CAAIG,CAAAA,CAAQC,CAAM,CAAA,CAI3C,IAAA,CAAK,iBAAmB,IAAA,CAAK,UAAA,CACzB,IAAA,CAAK,eAAA,CAAgBJ,EAAIG,CAAAA,CAAQC,CAAM,EAGxC,IAAA,CAAK,aAAA,CAAcJ,EAAI,MAAA,CAAQ,8BAA8B,CACrE,CAEA,MAAc,eAAA,CACbA,CAAAA,CACAG,EACAC,CAAAA,CACmB,CACnB,GAAI,CAAC,IAAA,CAAK,UAAA,CAAY,OAAO,KAE7B,GAAID,CAAAA,GAAW,aACd,OAAO,IAAA,CAAK,gBAAgBH,CAAAA,CAAI,CAC/B,eAAA,CAAiB,YAAA,CACjB,aAAc,CACb,OAAA,CAAS,EAAC,CACV,SAAA,CAAW,EAAC,CACZ,KAAA,CAAO,EACR,EACA,UAAA,CAAY,IAAA,CAAK,WAAW,aAAA,EAC7B,CAAC,CAAA,CAGF,GAAIG,CAAAA,GAAW,2BAAA,CACf,IAAIA,CAAAA,GAAW,MAAA,CAAQ,OAAO,IAAA,CAAK,eAAA,CAAgBH,EAAI,EAAE,CAAA,CAEzD,GAAIG,IAAW,YAAA,CAAc,CAC5B,IAAME,CAAAA,CAAQ,IAAA,CAAK,WAAW,SAAA,EAAU,CACxC,OAAO,IAAA,CAAK,gBAAgBL,CAAAA,CAAI,CAAE,MAAAK,CAAM,CAAC,CAC1C,CAEA,GAAIF,CAAAA,GAAW,gBAAA,CAAkB,CAChC,IAAMG,CAAAA,CAAY,KAAK,UAAA,CAAW,aAAA,GAClC,OAAO,IAAA,CAAK,eAAA,CAAgBN,CAAAA,CAAI,CAAE,SAAA,CAAAM,CAAU,CAAC,CAC9C,CAEA,GAAIH,CAAAA,GAAW,cAAA,CAAgB,CAC9B,IAAMI,EAAU,IAAA,CAAK,UAAA,CAAW,aAAY,CAC5C,OAAO,KAAK,eAAA,CAAgBP,CAAAA,CAAI,CAAE,OAAA,CAAAO,CAAQ,CAAC,CAC5C,CAEA,GAAIJ,CAAAA,GAAW,cAAe,CAC7B,GAAI,CAACC,CAAAA,EAAQ,KACZ,OAAO,IAAA,CAAK,cAAcJ,CAAAA,CAAI,MAAA,CAAQ,qBAAqB,CAAA,CAE5D,GAAI,CACH,IAAMrB,EAAS,MAAM,IAAA,CAAK,WAAW,SAAA,CAAU,CAC9C,KAAMyB,CAAAA,CAAO,IAAA,CACb,SAAA,CAAWA,CAAAA,CAAO,SACnB,CAAC,CAAA,CACD,OAAO,IAAA,CAAK,eAAA,CAAgBJ,EAAIrB,CAAM,CACvC,CAAA,MAASC,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,cAAcoB,CAAAA,CAAI,KAAA,CAASpB,EAAc,OAAO,CAC7D,CACD,CAEA,GAAIuB,CAAAA,GAAW,gBAAA,CAAkB,CAChC,GAAI,CAACC,GAAQ,GAAA,CACZ,OAAO,IAAA,CAAK,aAAA,CAAcJ,EAAI,MAAA,CAAQ,sBAAsB,EAE7D,GAAI,CACH,IAAMrB,CAAAA,CAAS,MAAM,IAAA,CAAK,UAAA,CAAW,aAAayB,CAAAA,CAAO,GAAa,EACtE,OAAO,IAAA,CAAK,gBAAgBJ,CAAAA,CAAIrB,CAAM,CACvC,CAAA,MAASC,EAAc,CACtB,OAAO,KAAK,aAAA,CAAcoB,CAAAA,CAAI,MAASpB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,GAAIuB,CAAAA,GAAW,aAAc,CAC5B,GAAI,CAACC,CAAAA,EAAQ,IAAA,CACZ,OAAO,IAAA,CAAK,cAAcJ,CAAAA,CAAI,MAAA,CAAQ,mBAAmB,CAAA,CAE1D,IAAMQ,EAA2B,CAChC,IAAA,CAAMJ,CAAAA,CAAO,IAAA,CACb,UAAYA,CAAAA,CAAO,SAAA,EAAyC,EAC7D,CAAA,CAEA,GAAI,CACH,IAAMzB,CAAAA,CAAyB,MAAM,KAAK,UAAA,CAAW,QAAA,CAAS6B,CAAO,CAAA,CAOrE,OAAA,CAJmB7B,EAAO,OAAA,CACvB,CAAA,CAAA,CACA,MAAM,IAAA,CAAK,gBAAgB6B,CAAAA,CAAS7B,CAAM,GActC,IAAA,CAAK,eAAA,CAAgBqB,EAAIrB,CAAM,CAAA,CAX9B,IAAA,CAAK,eAAA,CAAgBqB,EAAI,CAC/B,OAAA,CAAS,CACR,CACC,IAAA,CAAM,OACN,IAAA,CAAM,sHACP,CACD,CAAA,CACA,QAAS,CAAA,CACV,CAAC,CAIH,CAAA,MAASpB,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,aAAA,CAAcoB,CAAAA,CAAI,MAASpB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,OAAO,IAAA,CAAK,aAAA,CAAcoB,CAAAA,CAAI,MAAA,CAAQ,kBAAkB,CAAA,CACzD,CAEQ,gBACPA,CAAAA,CACArB,CAAAA,CACC,CACD,OAAO,CAAE,QAAS,KAAA,CAAO,EAAA,CAAAqB,EAAI,MAAA,CAAArB,CAAO,CACrC,CAEQ,aAAA,CAAcqB,EAAqBS,CAAAA,CAAchC,CAAAA,CAAiB,CACzE,OAAO,CAAE,OAAA,CAAS,KAAA,CAAO,GAAAuB,CAAAA,CAAI,KAAA,CAAO,CAAE,IAAA,CAAAS,CAAAA,CAAM,OAAA,CAAAhC,CAAQ,CAAE,CACvD,CAEA,MAAc,eAAA,CACb+B,CAAAA,CACA7B,EACmB,CACnB,GACC,CAAC6B,CAAAA,CAAQ,WAAW,OAAA,EACpB,OAAOA,EAAQ,SAAA,CAAU,OAAA,EAAY,SAErC,OAAO,KAAA,CAGR,GAAI,CACH,IAAMN,CAAAA,CAAUM,CAAAA,CAAQ,UAAU,OAAA,CAC5BE,CAAAA,CAAc/B,EAAO,OAAA,CAAQ,CAAC,CAAA,EAAG,IAAA,CAEvC,GAAI+B,CAAAA,EAAe,OAAOA,GAAgB,QAAA,CACzC,GAAI,CACH,IAAMC,CAAAA,CAAO,IAAA,CAAK,KAAA,CAAMD,CAAW,CAAA,CAEnC,GAAIC,EAAK,QAAA,EAAYA,CAAAA,CAAK,WAAY,CAErC,GAAM,CAAE,YAAA,CAAAC,CAAa,CAAA,CAAI,aAAa,wBAAuB,CAAA,CAY7D,GAAI,CARgB,MAHH,IAAIA,CAAAA,GAGc,eAAA,CAClC,MAAA,CAAO,KAAKV,CAAAA,CAAS,OAAO,EAC5BS,CAAAA,CAAK,QAAA,CACL,MAAA,CAAO,IAAA,CAAKA,EAAK,UAAA,EAAc,EAAA,CAAI,QAAQ,CAAA,CAC3C,KAAA,CAAA,CACAA,EAAK,kBACN,CAAA,CAGC,OAAO,CAAA,CAAA,CAGRA,EAAK,YAAA,CACJ,yEAAA,CACDhC,EAAO,OAAA,CAAQ,CAAC,EAAE,IAAA,CAAO,IAAA,CAAK,SAAA,CAAUgC,CAAI,EAC7C,CACD,CAAA,KAAQ,CAER,CAED,OAAO,EACR,CAAA,MAASpB,CAAAA,CAAG,CACX,OAAAf,EAAI,IAAA,CAAK,oCAAA,CAAsCe,CAAC,CAAA,CACzC,KACR,CACD,CAKA,MAAa,OAAA,EAAyB,CAErC,GAAI,IAAA,CAAK,eAAA,CAAiB,CACzB,GAAM,CAAE,WAAAsB,CAAW,CAAA,CAAI,MAAM,OAAO,aAAoB,CAAA,CASxD,GARA,KAAK,UAAA,CAAa,IAAIA,EACrB,IAAA,CAAK,OAAA,CAAQ,UAAA,EAAc,CAC1B,KAAM,aAAA,CACN,OAAA,CAAS,OACV,CAAA,CACA,CAAE,SAAU,IAAA,CAAK,OAAA,CAAQ,QAAS,CACnC,EAEI,IAAA,CAAK,OAAA,CAAQ,cAAe,CAC/B,MAAM,KAAK,UAAA,CAAW,OAAA,EAAQ,CAI9B,IAAMC,EAAS,IAAA,CAAK,eAAA,CAGpB,GAAIA,CAAAA,CAAO,gBAAA,CACV,OAAW,CAACC,CAAAA,CAAMC,CAAI,CAAA,GAAK,OAAO,OAAA,CAAQF,CAAAA,CAAO,gBAAgB,CAAA,CAAG,CAEnE,IAAMG,CAAAA,CAAID,CAAAA,CACV,IAAA,CAAK,UAAA,CAAW,KACfD,CAAAA,CACAE,CAAAA,CAAE,aAAe,EAAA,CACjBA,CAAAA,CAAE,aAAe,EAAC,CAElB,MAAOC,CAAAA,EACC,MAAMD,CAAAA,CAAE,OAAA,CAAQC,CAAI,CAE7B,EACD,CAID,GAAIJ,CAAAA,CAAO,oBAAA,CACV,IAAA,GAAW,CAACK,CAAAA,CAAKC,CAAQ,IAAK,MAAA,CAAO,OAAA,CACpCN,EAAO,oBACR,CAAA,CAAG,CAEF,IAAMO,EAAID,CAAAA,CACV,IAAA,CAAK,WAAW,QAAA,CACfC,CAAAA,CAAE,KACFF,CAAAA,CACAE,CAAAA,CAAE,QAAA,EAAU,WAAA,EAAe,GAC3BA,CAAAA,CAAE,QAAA,EAAU,UAAY,0BAAA,CACxB,SAAA,CACa,MAAMA,CAAAA,CAAE,YAAA,CAAa,IAAI,GAAA,CAAIF,CAAG,CAAC,CAAA,EAClC,SAAS,CAAC,CAAA,CAAE,IAEzB,EACD,CAEF,CACA,MACD,CAIA,IAAMG,CAAAA,CAAAA,CADW,MAAM,OAAO,UAAe,GACzB,eAAA,CAAgB,CACnC,KAAA,CAAO,OAAA,CAAQ,MACf,MAAA,CAAQ,OAAA,CAAQ,OAChB,QAAA,CAAU,KACX,CAAC,CAAA,CAEKC,CAAAA,CAAW,SAAY,CAC5B/C,EAAI,IAAA,CAAK,wCAAwC,EAC7C,IAAA,CAAK,UAAA,EAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAA,EAAM,CACjD,QAAQ,IAAA,CAAK,CAAC,EACf,CAAA,CAEA8C,CAAAA,CAAG,GAAG,OAAA,CAASC,CAAQ,CAAA,CACvB,OAAA,CAAQ,GAAG,QAAA,CAAUA,CAAQ,EAC7B,OAAA,CAAQ,EAAA,CAAG,UAAWA,CAAQ,CAAA,CAE9BD,CAAAA,CAAG,EAAA,CAAG,OAAQ,MAAOE,CAAAA,EAAS,CAC7B,GAAKA,CAAAA,CAAK,MAAK,CACf,GAAI,CACH,IAAMtB,EAAU,IAAA,CAAK,KAAA,CAAMsB,CAAI,CAAA,CACzB/B,CAAAA,CAAW,MAAM,IAAA,CAAK,oBAAA,CAAqBS,CAAO,CAAA,CACpDT,CAAAA,EACH,QAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,IAAA,CAAK,SAAA,CAAUA,CAAQ,CAAC;AAAA,CAAI,EAEtD,OAASF,CAAAA,CAAY,CACpBf,EAAI,KAAA,CAAM,CAAA,qBAAA,EAAyBe,EAAY,OAAO,CAAA,CAAE,EACzD,CACD,CAAC,EACF,CAEO,SAAA,EAA+B,CACrC,OAAO,IAAA,CAAK,UACb,CACD","file":"chunk-7L5ODML2.js","sourcesContent":["import { randomUUID } from \"node:crypto\";\nimport { serve } from \"@hono/node-server\";\nimport type { WebStandardStreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\";\nimport type { JSONRPCMessage } from \"@modelcontextprotocol/sdk/types.js\";\nimport { Hono } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport type { LiopServer } from \"../server/index.js\";\nimport { log } from \"../utils/logger.js\";\nimport { LiopMcpBridge } from \"./index.js\";\n\n/**\n * Configuration options for LiopStreamBridge.\n */\nexport interface LiopStreamBridgeOptions {\n\t/** Port to listen on (default: 3000) */\n\tport?: number;\n\t/** Max concurrent sessions per IP (default: 5) */\n\tmaxSessionsPerIp?: number;\n\t/** Session idle timeout in milliseconds (default: 30 min) */\n\tsessionTimeoutMs?: number;\n}\n\n/** Internal metadata for tracked sessions */\ninterface SessionEntry {\n\ttransport: WebStandardStreamableHTTPServerTransport;\n\tlastActivity: number;\n\tclientIp: string;\n}\n\nconst DEFAULT_MAX_SESSIONS_PER_IP = 10;\nconst DEFAULT_SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes\nconst EVICTION_INTERVAL_MS = 60 * 1000; // Check every minute\n\n/**\n * LiopStreamBridge\n *\n * Exposes a LiopServer over a remote HTTP network using the industry-standard\n * MCP Streamable HTTP Transport + Hono JS.\n *\n * Supports concurrent multi-client connections via per-session transport instances (Map pattern).\n * External agents connect using only a URL + Bearer Token (Zero-Trust).\n *\n * Security hardening:\n * - Zero-Trust Bearer Token enforcement\n * - Per-IP rate limiting on session creation\n * - Automatic eviction of idle sessions (TTL)\n */\nexport class LiopStreamBridge {\n\tprivate app: Hono;\n\tprivate httpServer: ReturnType<typeof serve> | null = null;\n\tprivate bridgeLogic: LiopMcpBridge;\n\tprivate activeSessions: Map<string, SessionEntry>;\n\tprivate evictionTimer: ReturnType<typeof setInterval> | null = null;\n\tprivate maxSessionsPerIp: number;\n\tprivate sessionTimeoutMs: number;\n\n\tconstructor(\n\t\tinternalServer: LiopServer,\n\t\tprivate options: LiopStreamBridgeOptions = {},\n\t) {\n\t\tthis.app = new Hono();\n\t\tthis.bridgeLogic = new LiopMcpBridge(internalServer);\n\t\tthis.activeSessions = new Map();\n\t\tthis.maxSessionsPerIp =\n\t\t\toptions.maxSessionsPerIp ?? DEFAULT_MAX_SESSIONS_PER_IP;\n\t\tthis.sessionTimeoutMs =\n\t\t\toptions.sessionTimeoutMs ?? DEFAULT_SESSION_TIMEOUT_MS;\n\n\t\tthis.setupRoutes();\n\t}\n\n\t/**\n\t * Creates a new per-session transport instance and wires it to the LIOPMcpBridge logic.\n\t */\n\tprivate async createSessionTransport(\n\t\tclientIp: string,\n\t): Promise<WebStandardStreamableHTTPServerTransport> {\n\t\tconst { WebStandardStreamableHTTPServerTransport } = await import(\n\t\t\t\"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\"\n\t\t);\n\t\tconst transport = new WebStandardStreamableHTTPServerTransport({\n\t\t\tsessionIdGenerator: () => randomUUID(),\n\t\t\tonsessioninitialized: (sessionId: string) => {\n\t\t\t\tthis.activeSessions.set(sessionId, {\n\t\t\t\t\ttransport,\n\t\t\t\t\tlastActivity: Date.now(),\n\t\t\t\t\tclientIp,\n\t\t\t\t});\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-StreamBridge] Session opened: ${sessionId} (IP: ${clientIp})`,\n\t\t\t\t);\n\t\t\t},\n\t\t});\n\n\t\t// Wire the transport's incoming messages to the LiopMcpBridge JSON-RPC router\n\t\ttransport.onmessage = async (message: JSONRPCMessage) => {\n\t\t\t// Touch activity timestamp on every message\n\t\t\tif (transport.sessionId) {\n\t\t\t\tconst entry = this.activeSessions.get(transport.sessionId);\n\t\t\t\tif (entry) entry.lastActivity = Date.now();\n\t\t\t}\n\n\t\t\ttry {\n\t\t\t\tconst result = await this.bridgeLogic.handleJsonRpcRequest(\n\t\t\t\t\tmessage as unknown as Record<string, unknown>,\n\t\t\t\t);\n\t\t\t\t// Notifications return undefined — no response needed\n\t\t\t\tif (result !== undefined) {\n\t\t\t\t\tawait transport.send(result as JSONRPCMessage);\n\t\t\t\t}\n\t\t\t} catch (err: unknown) {\n\t\t\t\tlog.info(\"[LIOP-StreamBridge] JSON-RPC error:\", (err as Error).message);\n\t\t\t}\n\t\t};\n\n\t\ttransport.onclose = () => {\n\t\t\tif (transport.sessionId) {\n\t\t\t\tthis.activeSessions.delete(transport.sessionId);\n\t\t\t\tlog.info(`[LIOP-StreamBridge] Session closed: ${transport.sessionId}`);\n\t\t\t}\n\t\t};\n\n\t\treturn transport;\n\t}\n\n\t/**\n\t * Returns the number of active sessions for a given IP.\n\t */\n\tprivate countSessionsByIp(ip: string): number {\n\t\tlet count = 0;\n\t\tfor (const entry of this.activeSessions.values()) {\n\t\t\tif (entry.clientIp === ip) count++;\n\t\t}\n\t\treturn count;\n\t}\n\n\t/**\n\t * Extracts client IP from the request (supports X-Forwarded-For for reverse proxies).\n\t */\n\tprivate getClientIp(c: {\n\t\treq: { header: (name: string) => string | undefined };\n\t}): string {\n\t\treturn (\n\t\t\tc.req.header(\"x-forwarded-for\")?.split(\",\")[0]?.trim() ||\n\t\t\tc.req.header(\"x-real-ip\") ||\n\t\t\t\"unknown\"\n\t\t);\n\t}\n\n\t/**\n\t * Evicts sessions that have been idle longer than the configured timeout.\n\t */\n\tprivate evictIdleSessions(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [sessionId, entry] of this.activeSessions) {\n\t\t\tif (now - entry.lastActivity > this.sessionTimeoutMs) {\n\t\t\t\tlog.info(`[LIOP-StreamBridge] Evicting idle session: ${sessionId}`);\n\t\t\t\tentry.transport.close().catch(() => {\n\t\t\t\t\t/* Swallow close errors */\n\t\t\t\t});\n\t\t\t\tthis.activeSessions.delete(sessionId);\n\t\t\t}\n\t\t}\n\t}\n\n\tprivate setupRoutes() {\n\t\tthis.app.use(\"*\", cors());\n\n\t\t// Initialize strict zero-trust token if not provided\n\t\tif (!process.env.ZERO_TRUST_TOKEN) {\n\t\t\tprocess.env.ZERO_TRUST_TOKEN = randomUUID();\n\t\t\tlog.info(\"=\".repeat(60));\n\t\t\tlog.info(\"⚠️ STRICT ZERO-TRUST MODE ENABLED ⚠️\");\n\t\t\tlog.info(\"No ZERO_TRUST_TOKEN found in environment.\");\n\t\t\tlog.info(\"A secure ephemeral token has been generated for this session:\");\n\t\t\tlog.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`);\n\t\t\tlog.info(\"=\".repeat(60));\n\t\t}\n\n\t\t// ZTA (Zero-Trust Architecture) Security Middleware\n\t\tthis.app.use(\"/mcp\", async (c, next) => {\n\t\t\tconst auth = c.req.header(\"Authorization\");\n\t\t\tif (!auth?.startsWith(\"Bearer \")) {\n\t\t\t\treturn c.json(\n\t\t\t\t\t{ error: \"Unauthorized: LIOP Zero-Trust Policy Enforced\" },\n\t\t\t\t\t401,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tconst token = auth.slice(7);\n\t\t\tconst expectedToken = process.env.ZERO_TRUST_TOKEN;\n\n\t\t\t// Check static token fallback first (retrocompatibility)\n\t\t\tif (expectedToken && token === expectedToken) {\n\t\t\t\tawait next();\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\t// Validate with JWT Validator if configured on the server\n\t\t\tconst jwtValidator = this.bridgeLogic.getServer()?.jwtValidator;\n\t\t\tif (jwtValidator) {\n\t\t\t\ttry {\n\t\t\t\t\tawait jwtValidator.validate(token);\n\t\t\t\t\tawait next();\n\t\t\t\t\treturn;\n\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-StreamBridge] JWT Validation failed: ${(e as Error).message}`,\n\t\t\t\t\t);\n\t\t\t\t\treturn c.json(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\terror: `Unauthorized: JWT Validation failed - ${(e as Error).message}`,\n\t\t\t\t\t\t},\n\t\t\t\t\t\t401,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tlog.info(\n\t\t\t\t\"[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token.\",\n\t\t\t);\n\t\t\treturn c.json(\n\t\t\t\t{ error: \"Unauthorized: LIOP Zero-Trust Policy Enforced\" },\n\t\t\t\t401,\n\t\t\t);\n\t\t});\n\n\t\t// Multi-Session Streamable HTTP Handler\n\t\tthis.app.all(\"/mcp\", async (c) => {\n\t\t\tconst sessionId = c.req.header(\"mcp-session-id\");\n\n\t\t\t// Route to existing session if session ID is present\n\t\t\tif (sessionId) {\n\t\t\t\tconst existing = this.activeSessions.get(sessionId);\n\t\t\t\tif (!existing) {\n\t\t\t\t\treturn c.json({ error: \"Session not found\" }, 404);\n\t\t\t\t}\n\t\t\t\t// Touch activity on every routed request\n\t\t\t\texisting.lastActivity = Date.now();\n\n\t\t\t\tconst response = await existing.transport.handleRequest(c.req.raw);\n\n\t\t\t\t// If DELETE, the transport closes internally but onclose may not fire.\n\t\t\t\t// Explicitly clean up the session from the Map.\n\t\t\t\tif (c.req.method === \"DELETE\") {\n\t\t\t\t\tthis.activeSessions.delete(sessionId);\n\t\t\t\t\tlog.info(`[LIOP-StreamBridge] Session closed (DELETE): ${sessionId}`);\n\t\t\t\t}\n\n\t\t\t\treturn response;\n\t\t\t}\n\n\t\t\t// No session ID → New client initializing.\n\t\t\t// Rate-limit: enforce max sessions per IP\n\t\t\tconst clientIp = this.getClientIp(c);\n\t\t\tconst currentSessions = this.countSessionsByIp(clientIp);\n\t\t\tif (currentSessions >= this.maxSessionsPerIp) {\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-StreamBridge] Rate limit hit for IP: ${clientIp} (${currentSessions} sessions)`,\n\t\t\t\t);\n\t\t\t\treturn c.json({ error: \"Too Many Sessions: Rate limit exceeded\" }, 429);\n\t\t\t}\n\n\t\t\tconst transport = await this.createSessionTransport(clientIp);\n\t\t\treturn await transport.handleRequest(c.req.raw);\n\t\t});\n\t}\n\n\t/**\n\t * Starts the LiopStreamBridge HTTP server and session eviction timer.\n\t */\n\tpublic async start(port?: number): Promise<void> {\n\t\tconst listenPort = port ?? this.options.port ?? 3000;\n\n\t\t// Start the idle session eviction timer\n\t\tthis.evictionTimer = setInterval(\n\t\t\t() => this.evictIdleSessions(),\n\t\t\tEVICTION_INTERVAL_MS,\n\t\t);\n\n\t\treturn new Promise((resolve) => {\n\t\t\tthis.httpServer = serve(\n\t\t\t\t{\n\t\t\t\t\tfetch: this.app.fetch,\n\t\t\t\t\tport: listenPort,\n\t\t\t\t},\n\t\t\t\t(info) => {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${info.port}/mcp`,\n\t\t\t\t\t);\n\t\t\t\t\tresolve();\n\t\t\t\t},\n\t\t\t);\n\t\t});\n\t}\n\n\t/**\n\t * Graceful shutdown — closes all active sessions, stops timers, and releases port.\n\t */\n\tpublic async stop(): Promise<void> {\n\t\tif (this.evictionTimer) {\n\t\t\tclearInterval(this.evictionTimer);\n\t\t\tthis.evictionTimer = null;\n\t\t}\n\n\t\tfor (const [id, entry] of this.activeSessions) {\n\t\t\tawait entry.transport.close();\n\t\t\tthis.activeSessions.delete(id);\n\t\t}\n\n\t\tif (this.httpServer) {\n\t\t\tthis.httpServer.close();\n\t\t\tlog.info(\"[LIOP-StreamBridge] HTTP ports released.\");\n\t\t}\n\t}\n}\n","import type { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport type { LiopServer, LiopServerOptions } from \"../server/index.js\";\nimport type { CallToolRequest, CallToolResult } from \"../types.js\";\nimport { log } from \"../utils/logger.js\";\n\nexport interface LiopBridgeOptions {\n\tpublishToMesh?: boolean;\n\tmeshIdentity?: string;\n\tserverInfo?: {\n\t\tname: string;\n\t\tversion: string;\n\t};\n\tsecurity?: LiopServerOptions[\"security\"];\n}\n\n/**\n * LIOP MCP Bridge\n * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,\n * or exposes a LIOP server as an MCP-compatible stdio process for tools like Claude Desktop.\n */\nexport class LiopMcpBridge {\n\tprivate liopServer: LiopServer | null = null;\n\tprivate legacyMcpServer: McpServer | null = null;\n\tconstructor(\n\t\t// biome-ignore lint/suspicious/noExplicitAny: polymorphic source detection\n\t\tsource: LiopServer | McpServer | any,\n\t\tprivate options: LiopBridgeOptions = {},\n\t) {\n\t\t// Determine mode: Exposing LIOP to MCP (Claude) or Wrapping MCP to LIOP (Mesh)\n\t\t// We use constructor name check to avoid hard dependency on optional SDK at runtime start\n\t\tif (source?.constructor?.name === \"LiopServer\") {\n\t\t\tthis.liopServer = source as LiopServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)\");\n\t\t} else if (source?.constructor?.name === \"McpServer\") {\n\t\t\tthis.legacyMcpServer = source as McpServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)\");\n\t\t} else {\n\t\t\t// Fallback for inferred legacy MCP servers\n\t\t\tthis.legacyMcpServer = source as McpServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: WRAP (Inferred Legacy MCP -> LIOP Mesh)\");\n\t\t}\n\t}\n\n\t/**\n\t * Handles an incoming standard MCP JSON-RPC 2.0 payload.\n\t * Pipes it to the underlying server (LIOP or Legacy MCP).\n\t */\n\tpublic async handleJsonRpcRequest(\n\t\tpayload: Record<string, unknown>,\n\t): Promise<unknown> {\n\t\tconst id = payload.id as string | number;\n\t\tconst method = payload.method as string;\n\t\tconst params = payload.params as Record<string, unknown> | undefined;\n\n\t\tif (payload.jsonrpc !== \"2.0\") {\n\t\t\treturn this.errorResponse(id, -32600, \"Invalid Request\");\n\t\t}\n\n\t\t// Mode: EXPOSE (Standard behavior used by Claude Desktop)\n\t\tif (this.liopServer) {\n\t\t\treturn this.handleLiopToMcp(id, method, params);\n\t\t}\n\n\t\t// Mode: WRAP (Redirecting via internal LiopServer after connect())\n\t\tif (this.legacyMcpServer && this.liopServer) {\n\t\t\treturn this.handleLiopToMcp(id, method, params);\n\t\t}\n\n\t\treturn this.errorResponse(id, -32601, \"Bridge source not configured\");\n\t}\n\n\tprivate async handleLiopToMcp(\n\t\tid: string | number,\n\t\tmethod: string,\n\t\tparams: Record<string, unknown> | undefined,\n\t): Promise<unknown> {\n\t\tif (!this.liopServer) return null;\n\n\t\tif (method === \"initialize\") {\n\t\t\treturn this.successResponse(id, {\n\t\t\t\tprotocolVersion: \"2025-11-25\",\n\t\t\t\tcapabilities: {\n\t\t\t\t\tprompts: {},\n\t\t\t\t\tresources: {},\n\t\t\t\t\ttools: {},\n\t\t\t\t},\n\t\t\t\tserverInfo: this.liopServer.getServerInfo(),\n\t\t\t});\n\t\t}\n\n\t\tif (method === \"notifications/initialized\") return undefined;\n\t\tif (method === \"ping\") return this.successResponse(id, {});\n\n\t\tif (method === \"tools/list\") {\n\t\t\tconst tools = this.liopServer.listTools();\n\t\t\treturn this.successResponse(id, { tools });\n\t\t}\n\n\t\tif (method === \"resources/list\") {\n\t\t\tconst resources = this.liopServer.listResources();\n\t\t\treturn this.successResponse(id, { resources });\n\t\t}\n\n\t\tif (method === \"prompts/list\") {\n\t\t\tconst prompts = this.liopServer.listPrompts();\n\t\t\treturn this.successResponse(id, { prompts });\n\t\t}\n\n\t\tif (method === \"prompts/get\") {\n\t\t\tif (!params?.name) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing prompt name\");\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await this.liopServer.getPrompt({\n\t\t\t\t\tname: params.name as string,\n\t\t\t\t\targuments: params.arguments as Record<string, string> | undefined,\n\t\t\t\t});\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\tif (method === \"resources/read\") {\n\t\t\tif (!params?.uri) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing resource URI\");\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await this.liopServer.readResource(params.uri as string);\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\tif (method === \"tools/call\") {\n\t\t\tif (!params?.name) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing tool name\");\n\t\t\t}\n\t\t\tconst request: CallToolRequest = {\n\t\t\t\tname: params.name as string,\n\t\t\t\targuments: (params.arguments as Record<string, unknown>) || {},\n\t\t\t};\n\n\t\t\ttry {\n\t\t\t\tconst result: CallToolResult = await this.liopServer.callTool(request);\n\t\t\t\t// If the tool execution returned an error (e.g. policy violation), we bypass\n\t\t\t\t// ZK-Receipt verification because no cryptographic proof is generated for errors.\n\t\t\t\tconst isVerified = result.isError\n\t\t\t\t\t? true\n\t\t\t\t\t: await this.verifyZkReceipt(request, result);\n\n\t\t\t\tif (!isVerified) {\n\t\t\t\t\treturn this.successResponse(id, {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload.\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t});\n\t\t\t\t}\n\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\treturn this.errorResponse(id, -32601, \"Method not found\");\n\t}\n\n\tprivate successResponse(\n\t\tid: string | number | null | undefined,\n\t\tresult: unknown,\n\t) {\n\t\treturn { jsonrpc: \"2.0\", id, result };\n\t}\n\n\tprivate errorResponse(id: string | number, code: number, message: string) {\n\t\treturn { jsonrpc: \"2.0\", id, error: { code, message } };\n\t}\n\n\tprivate async verifyZkReceipt(\n\t\trequest: CallToolRequest,\n\t\tresult: CallToolResult,\n\t): Promise<boolean> {\n\t\tif (\n\t\t\t!request.arguments?.payload ||\n\t\t\ttypeof request.arguments.payload !== \"string\"\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\n\t\ttry {\n\t\t\tconst payload = request.arguments.payload as string;\n\t\t\tconst contentText = result.content[0]?.text;\n\n\t\t\tif (contentText && typeof contentText === \"string\") {\n\t\t\t\ttry {\n\t\t\t\t\tconst data = JSON.parse(contentText);\n\n\t\t\t\t\tif (data.image_id || data.zk_receipt) {\n\t\t\t\t\t\t// 1. Instantiate the Industrial Verifier ( backed by Piscina Worker Pool )\n\t\t\t\t\t\tconst { LiopVerifier } = await import(\"../crypto/verifier.js\");\n\t\t\t\t\t\tconst verifier = new LiopVerifier();\n\n\t\t\t\t\t\t// 2. Delegate the heavy mathematical check (ZK Journal + Seal)\n\t\t\t\t\t\tconst isAuthentic = await verifier.verifyZkReceipt(\n\t\t\t\t\t\t\tBuffer.from(payload, \"utf-8\"),\n\t\t\t\t\t\t\tdata.image_id,\n\t\t\t\t\t\t\tBuffer.from(data.zk_receipt || \"\", \"base64\"),\n\t\t\t\t\t\t\tundefined,\n\t\t\t\t\t\t\tdata.computation_result,\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (!isAuthentic) {\n\t\t\t\t\t\t\treturn false;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tdata.audit_status =\n\t\t\t\t\t\t\t\"VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge\";\n\t\t\t\t\t\tresult.content[0].text = JSON.stringify(data);\n\t\t\t\t\t}\n\t\t\t\t} catch {\n\t\t\t\t\t// Output not JSON\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn true;\n\t\t} catch (e) {\n\t\t\tlog.info(\"[LIOP-Bridge] ZK-Verifier Failure:\", e);\n\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Connects the bridge via stdio or Mesh depending on mode.\n\t */\n\tpublic async connect(): Promise<void> {\n\t\t// In WRAP mode, we actually need to create a LiopServer and join the mesh\n\t\tif (this.legacyMcpServer) {\n\t\t\tconst { LiopServer } = await import(\"../server/index.js\");\n\t\t\tthis.liopServer = new LiopServer(\n\t\t\t\tthis.options.serverInfo || {\n\t\t\t\t\tname: \"liop-bridge\",\n\t\t\t\t\tversion: \"1.0.0\",\n\t\t\t\t},\n\t\t\t\t{ security: this.options.security },\n\t\t\t);\n\n\t\t\tif (this.options.publishToMesh) {\n\t\t\t\tawait this.liopServer.connect();\n\n\t\t\t\t// Automatically Bridge Legacy Capabilities to LIOP Mesh\n\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Internal legacy MCP properties are completely opaque and unexported\n\t\t\t\tconst legacy = this.legacyMcpServer as any;\n\n\t\t\t\t// 1. Sync Tools\n\t\t\t\tif (legacy._registeredTools) {\n\t\t\t\t\tfor (const [name, tool] of Object.entries(legacy._registeredTools)) {\n\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure\n\t\t\t\t\t\tconst t = tool as any;\n\t\t\t\t\t\tthis.liopServer.tool(\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tt.description || \"\",\n\t\t\t\t\t\t\tt.inputSchema || {},\n\t\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy callback args\n\t\t\t\t\t\t\tasync (args: any) => {\n\t\t\t\t\t\t\t\treturn await t.handler(args);\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// 2. Sync Resources\n\t\t\t\tif (legacy._registeredResources) {\n\t\t\t\t\tfor (const [uri, resource] of Object.entries(\n\t\t\t\t\t\tlegacy._registeredResources,\n\t\t\t\t\t)) {\n\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure\n\t\t\t\t\t\tconst r = resource as any;\n\t\t\t\t\t\tthis.liopServer.resource(\n\t\t\t\t\t\t\tr.name,\n\t\t\t\t\t\t\turi,\n\t\t\t\t\t\t\tr.metadata?.description || \"\",\n\t\t\t\t\t\t\tr.metadata?.mimeType || \"application/octet-stream\",\n\t\t\t\t\t\t\tasync () => {\n\t\t\t\t\t\t\t\tconst res = await r.readCallback(new URL(uri));\n\t\t\t\t\t\t\t\treturn res.contents[0].text;\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\n\t\t// In EXPOSE mode, listen to stdio (Claude Desktop)\n\t\tconst readline = await import(\"node:readline\");\n\t\tconst rl = readline.createInterface({\n\t\t\tinput: process.stdin,\n\t\t\toutput: process.stdout,\n\t\t\tterminal: false,\n\t\t});\n\n\t\tconst shutdown = async () => {\n\t\t\tlog.info(\"[LIOP-Bridge] Disconnecting session...\");\n\t\t\tif (this.liopServer) await this.liopServer.close();\n\t\t\tprocess.exit(0);\n\t\t};\n\n\t\trl.on(\"close\", shutdown);\n\t\tprocess.on(\"SIGINT\", shutdown);\n\t\tprocess.on(\"SIGTERM\", shutdown);\n\n\t\trl.on(\"line\", async (line) => {\n\t\t\tif (!line.trim()) return;\n\t\t\ttry {\n\t\t\t\tconst payload = JSON.parse(line);\n\t\t\t\tconst response = await this.handleJsonRpcRequest(payload);\n\t\t\t\tif (response) {\n\t\t\t\t\tprocess.stdout.write(`${JSON.stringify(response)}\\n`);\n\t\t\t\t}\n\t\t\t} catch (e: unknown) {\n\t\t\t\tlog.error(`[LIOP-Bridge] Error: ${(e as Error).message}`);\n\t\t\t}\n\t\t});\n\t}\n\n\tpublic getServer(): LiopServer | null {\n\t\treturn this.liopServer;\n\t}\n}\n\nexport * from \"./stream.js\";\n"]}

package/dist/{chunk-YZVCAJJO.js → chunk-GI2LSJYZ.js}

@@ -1,4 +1,4 @@
-import {g}from'./chunk-VGXNGTIC.js';import {b}from'./chunk-SB5XJXKV.js';import {a}from'./chunk-S6RJHZV2.js';import*as v from'http';import*as m from'http2';import*as y from'net';function u(h,t){return {resource:t,authorization_servers:[h],scopes_supported:b,bearer_methods_supported:["header"],resource_documentation:"https://github.com/nekzus/liop"}}var f=class{constructor(t,e=null,i=50051){this.liopServer=t;this.meshNode=e;this.jwtValidator=this.liopServer.jwtValidator,this.oauthProvider=this.liopServer.oauthProvider,this.router=new g(this.liopServer,this.meshNode,i),this.h2Server=m.createServer(),this.setupH2Routes(),this.h1Server=v.createServer(),this.setupH1Routes(),this.netServer=y.createServer(r=>{r.once("data",o=>{let n=o.toString().startsWith("PRI * HTTP/2.0");a.info(`[LIOP-Gateway] Incoming L4 Connection. Protocol: ${n?"HTTP/2 (gRPC)":"HTTP/1.1 (MCP)"}`),n?this.h2Server.emit("connection",r):this.h1Server.emit("connection",r),r.unshift(o);}),r.on("error",o=>a.error(`[LIOP-Gateway] NetServer Socket Error: ${o.message}`));}),this.h1Server.on("error",r=>a.error(`[LIOP-Gateway] H1 Server Error: ${r.message}`)),this.h2Server.on("error",r=>a.error(`[LIOP-Gateway] H2 Server Error: ${r.message}`)),a.info("[LIOP-Gateway] Hybrid adapter initialized.");}netServer;h2Server;h1Server;router;jwtValidator;oauthProvider;setupH2Routes(){this.h2Server.on("stream",(t,e)=>{let i=e["content-type"],r=e[":path"];i==="application/grpc"?this.handleGrpcStream(t):r==="/mcp"&&this.handleMcpH2Stream(t,e);});}setupH1Routes(){this.h1Server.on("request",async(t,e)=>{let i=t.url||"",r=t.method;if(i.startsWith("/oidc")&&this.oauthProvider){let o=typeof this.oauthProvider.callback=="function"?this.oauthProvider.callback():this.oauthProvider,n=t.url;t.url=(n||"").slice(5)||"/";try{return o(t,e)}finally{t.url=n;}}if(r==="GET"&&i==="/.well-known/oauth-protected-resource"){if(this.jwtValidator){let o=u(this.jwtValidator.getIssuer(),this.jwtValidator.getAudience());e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify(o));return}e.writeHead(404),e.end("Not Found");return}if(r==="GET"&&(i==="/"||i==="/mcp"||i==="/health")){if(i==="/health"&&t.headers.accept?.includes("application/json")){let o=this.meshNode?{peerId:this.meshNode.getPeerId()?.toString()||"",multiaddrs:this.meshNode.getMultiaddrs().map(p=>p.toString())}:null,n=this.jwtValidator?.getIssuer(),a=n?n.endsWith("/oidc")?n:`${n}/oidc`:"",d=this.jwtValidator&&n?{issuer:n,jwks_uri:`${a}/jwks`,...this.oauthProvider?{token_endpoint:`${a}/token`}:{}}:void 0;e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify({status:"healthy",node:this.liopServer.getServerInfo(),mesh:o,tools:this.liopServer.listTools().map(p=>p.name),auth:d,timestamp:new Date().toISOString()}));return}e.writeHead(200,{"Content-Type":"text/html; charset=utf-8"}),e.end(`
+import {g}from'./chunk-I46YEWND.js';import {b}from'./chunk-SB5XJXKV.js';import {a}from'./chunk-S6RJHZV2.js';import*as v from'http';import*as m from'http2';import*as y from'net';function u(h,t){return {resource:t,authorization_servers:[h],scopes_supported:b,bearer_methods_supported:["header"],resource_documentation:"https://github.com/nekzus/liop"}}var f=class{constructor(t,e=null,i=50051){this.liopServer=t;this.meshNode=e;this.jwtValidator=this.liopServer.jwtValidator,this.oauthProvider=this.liopServer.oauthProvider,this.router=new g(this.liopServer,this.meshNode,i),this.h2Server=m.createServer(),this.setupH2Routes(),this.h1Server=v.createServer(),this.setupH1Routes(),this.netServer=y.createServer(r=>{r.once("data",o=>{let n=o.toString().startsWith("PRI * HTTP/2.0");a.info(`[LIOP-Gateway] Incoming L4 Connection. Protocol: ${n?"HTTP/2 (gRPC)":"HTTP/1.1 (MCP)"}`),n?this.h2Server.emit("connection",r):this.h1Server.emit("connection",r),r.unshift(o);}),r.on("error",o=>a.error(`[LIOP-Gateway] NetServer Socket Error: ${o.message}`));}),this.h1Server.on("error",r=>a.error(`[LIOP-Gateway] H1 Server Error: ${r.message}`)),this.h2Server.on("error",r=>a.error(`[LIOP-Gateway] H2 Server Error: ${r.message}`)),a.info("[LIOP-Gateway] Hybrid adapter initialized.");}netServer;h2Server;h1Server;router;jwtValidator;oauthProvider;setupH2Routes(){this.h2Server.on("stream",(t,e)=>{let i=e["content-type"],r=e[":path"];i==="application/grpc"?this.handleGrpcStream(t):r==="/mcp"&&this.handleMcpH2Stream(t,e);});}setupH1Routes(){this.h1Server.on("request",async(t,e)=>{let i=t.url||"",r=t.method;if(i.startsWith("/oidc")&&this.oauthProvider){let o=typeof this.oauthProvider.callback=="function"?this.oauthProvider.callback():this.oauthProvider,n=t.url;t.url=(n||"").slice(5)||"/";try{return o(t,e)}finally{t.url=n;}}if(r==="GET"&&i==="/.well-known/oauth-protected-resource"){if(this.jwtValidator){let o=u(this.jwtValidator.getIssuer(),this.jwtValidator.getAudience());e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify(o));return}e.writeHead(404),e.end("Not Found");return}if(r==="GET"&&(i==="/"||i==="/mcp"||i==="/health")){if(i==="/health"&&t.headers.accept?.includes("application/json")){let o=this.meshNode?{peerId:this.meshNode.getPeerId()?.toString()||"",multiaddrs:this.meshNode.getMultiaddrs().map(p=>p.toString())}:null,n=this.jwtValidator?.getIssuer(),a=n?n.endsWith("/oidc")?n:`${n}/oidc`:"",d=this.jwtValidator&&n?{issuer:n,jwks_uri:`${a}/jwks`,...this.oauthProvider?{token_endpoint:`${a}/token`}:{}}:void 0;e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify({status:"healthy",node:this.liopServer.getServerInfo(),mesh:o,tools:this.liopServer.listTools().map(p=>p.name),auth:d,timestamp:new Date().toISOString()}));return}e.writeHead(200,{"Content-Type":"text/html; charset=utf-8"}),e.end(`
                     <body style="background:#0f172a;color:#f8fafc;font-family:sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;margin:0">
                         <div style="background:#1e293b;padding:40px;border-radius:16px;border:1px solid #38bdf8;text-align:center;box-shadow:0 20px 25px -5px rgba(0,0,0,0.1)">
                             <h1 style="color:#38bdf8;margin-top:0">LIOP Protocol Transformer</h1>
@@ -9,5 +9,5 @@ import {g}from'./chunk-VGXNGTIC.js';import {b}from'./chunk-SB5XJXKV.js';import {
                             </div>
                         </div>
                     </body>
-                `);return}if(i==="/mcp"&&r==="POST"){let o=null;if(this.jwtValidator){let a=t.headers.authorization;if(!a?.startsWith("Bearer ")){e.writeHead(401,{"WWW-Authenticate":'Bearer error="invalid_token", error_description="Missing or malformed Authorization header"',"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Unauthorized"}));return}try{o=await this.jwtValidator.validate(a.slice(7));}catch(d){e.writeHead(401,{"WWW-Authenticate":`Bearer error="invalid_token", error_description="${d.message}"`,"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Invalid token"}));return}}let n="";t.on("data",a=>n+=a.toString()),t.on("end",async()=>{try{let a=JSON.parse(n),d=await this.router.dispatch(a,o);e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify(d));}catch(a$1){a.info(`[LIOP-Gateway] Error processing JSON-RPC payload: ${a$1.message}`),e.writeHead(400),e.end(JSON.stringify({jsonrpc:"2.0",error:{code:-32700,message:"Parse error"}}));}});}else e.writeHead(404),e.end("Not Found");});}handleGrpcStream(t){t.on("data",e=>{let i=e;i&&a.info(`[LIOP-Gateway] Native gRPC Proxy passing ${i.length} bytes`);}),t.respond({":status":200,"content-type":"application/grpc"}),t.end();}handleMcpH2Stream(t,e){let i="";t.on("data",r=>i+=r.toString()),t.on("end",async()=>{try{let r=null;if(this.jwtValidator){let n=e.authorization;if(!n?.startsWith("Bearer ")){t.respond({":status":401,"www-authenticate":'Bearer error="invalid_token", error_description="Missing or malformed Authorization header"',"content-type":"application/json"}),t.end(JSON.stringify({error:"Unauthorized"}));return}try{r=await this.jwtValidator.validate(n.slice(7));}catch(a){t.respond({":status":401,"www-authenticate":`Bearer error="invalid_token", error_description="${a.message}"`,"content-type":"application/json"}),t.end(JSON.stringify({error:"Invalid token"}));return}}let o=await this.router.dispatch(JSON.parse(i),r);o?(t.respond({":status":200,"content-type":"application/json"}),t.end(JSON.stringify(o))):t.close();}catch{t.respond({":status":400}),t.end();}});}async listen(t,e="0.0.0.0"){if(this.meshNode){await this.meshNode.start();let i=this.liopServer.listTools();for(let r of i)await this.meshNode.announceCapability(r.name),a.info(`[LIOP-Gateway] \u{1F4E1} Announced local tool to Mesh: ${r.name}`);}return new Promise((i,r)=>{this.netServer.on("error",o=>{o.code==="EADDRINUSE"?a.info(`[LIOP-Gateway] FATAL: Port ${t} is already in use by another process.`):a.error(`[LIOP-Gateway] Binding Error: ${o.message}`),r(o);}),this.netServer.listen(t,e,()=>{let o=this.netServer.address(),n=typeof o=="string"?o:o?.address||e,a$1=typeof o=="string"?t:o?.port||t;a.info(`[LIOP-Gateway] \u2705 Transformer Mesh Gateway READY and listening on ${n}:${a$1}`),i(a$1);});})}async stop(){this.meshNode&&await this.meshNode.stop(),this.netServer.close(),this.h2Server.close(),this.h1Server.close();}getRouter(){return this.router}};export{u as a,f as b};//# sourceMappingURL=chunk-YZVCAJJO.js.map
-//# sourceMappingURL=chunk-YZVCAJJO.js.map
+                `);return}if(i==="/mcp"&&r==="POST"){let o=null;if(this.jwtValidator){let a=t.headers.authorization;if(!a?.startsWith("Bearer ")){e.writeHead(401,{"WWW-Authenticate":'Bearer error="invalid_token", error_description="Missing or malformed Authorization header"',"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Unauthorized"}));return}try{o=await this.jwtValidator.validate(a.slice(7));}catch(d){e.writeHead(401,{"WWW-Authenticate":`Bearer error="invalid_token", error_description="${d.message}"`,"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Invalid token"}));return}}let n="";t.on("data",a=>n+=a.toString()),t.on("end",async()=>{try{let a=JSON.parse(n),d=await this.router.dispatch(a,o);e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify(d));}catch(a$1){a.info(`[LIOP-Gateway] Error processing JSON-RPC payload: ${a$1.message}`),e.writeHead(400),e.end(JSON.stringify({jsonrpc:"2.0",error:{code:-32700,message:"Parse error"}}));}});}else e.writeHead(404),e.end("Not Found");});}handleGrpcStream(t){t.on("data",e=>{let i=e;i&&a.info(`[LIOP-Gateway] Native gRPC Proxy passing ${i.length} bytes`);}),t.respond({":status":200,"content-type":"application/grpc"}),t.end();}handleMcpH2Stream(t,e){let i="";t.on("data",r=>i+=r.toString()),t.on("end",async()=>{try{let r=null;if(this.jwtValidator){let n=e.authorization;if(!n?.startsWith("Bearer ")){t.respond({":status":401,"www-authenticate":'Bearer error="invalid_token", error_description="Missing or malformed Authorization header"',"content-type":"application/json"}),t.end(JSON.stringify({error:"Unauthorized"}));return}try{r=await this.jwtValidator.validate(n.slice(7));}catch(a){t.respond({":status":401,"www-authenticate":`Bearer error="invalid_token", error_description="${a.message}"`,"content-type":"application/json"}),t.end(JSON.stringify({error:"Invalid token"}));return}}let o=await this.router.dispatch(JSON.parse(i),r);o?(t.respond({":status":200,"content-type":"application/json"}),t.end(JSON.stringify(o))):t.close();}catch{t.respond({":status":400}),t.end();}});}async listen(t,e="0.0.0.0"){if(this.meshNode){await this.meshNode.start();let i=this.liopServer.listTools();for(let r of i)await this.meshNode.announceCapability(r.name),a.info(`[LIOP-Gateway] \u{1F4E1} Announced local tool to Mesh: ${r.name}`);}return new Promise((i,r)=>{this.netServer.on("error",o=>{o.code==="EADDRINUSE"?a.info(`[LIOP-Gateway] FATAL: Port ${t} is already in use by another process.`):a.error(`[LIOP-Gateway] Binding Error: ${o.message}`),r(o);}),this.netServer.listen(t,e,()=>{let o=this.netServer.address(),n=typeof o=="string"?o:o?.address||e,a$1=typeof o=="string"?t:o?.port||t;a.info(`[LIOP-Gateway] \u2705 Transformer Mesh Gateway READY and listening on ${n}:${a$1}`),i(a$1);});})}async stop(){this.meshNode&&await this.meshNode.stop(),this.netServer.close(),this.h2Server.close(),this.h1Server.close();}getRouter(){return this.router}};export{u as a,f as b};//# sourceMappingURL=chunk-GI2LSJYZ.js.map
+//# sourceMappingURL=chunk-GI2LSJYZ.js.map

package/dist/{chunk-YZVCAJJO.js.map → chunk-GI2LSJYZ.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/security/prm.ts","../src/gateway/hybrid.ts"],"names":["buildProtectedResourceMetadata","issuer","audience","LIOP_SCOPES","LiopHybridGateway","liopServer","meshNode","rpcPort","LiopMcpRouter","socket","buffer","isHttp2","log","err","stream","headers","contentType","path","req","res","url","method","callback","originalUrl","prm","meshInfo","m","baseUrl","authInfoResponse","t","authInfo","authHeader","e","body","chunk","jsonRequest","response","data","port","host","tools","tool","resolve","reject","addr","actualHost","assignedPort"],"mappings":"iLAoCO,SAASA,CAAAA,CACfC,CAAAA,CACAC,CAAAA,CAC4B,CAC5B,OAAO,CACN,QAAA,CAAUA,CAAAA,CACV,qBAAA,CAAuB,CAACD,CAAM,CAAA,CAC9B,gBAAA,CAAkBE,CAAAA,CAClB,wBAAA,CAA0B,CAAC,QAAQ,CAAA,CACnC,uBAAwB,gCACzB,CACD,CCjCO,IAAMC,CAAAA,CAAN,KAAwB,CAS9B,WAAA,CACSC,CAAAA,CACAC,CAAAA,CAA4B,IAAA,CACpCC,CAAAA,CAAkB,KAAA,CACjB,CAHO,IAAA,CAAA,UAAA,CAAAF,CAAAA,CACA,IAAA,CAAA,QAAA,CAAAC,CAAAA,CAGR,IAAA,CAAK,YAAA,CAAe,IAAA,CAAK,UAAA,CAAW,YAAA,CACpC,IAAA,CAAK,aAAA,CAAgB,IAAA,CAAK,UAAA,CAAW,aAAA,CAGrC,KAAK,MAAA,CAAS,IAAIE,CAAAA,CAAc,IAAA,CAAK,UAAA,CAAY,IAAA,CAAK,SAAUD,CAAO,CAAA,CAGvE,IAAA,CAAK,QAAA,CAAiB,CAAA,CAAA,YAAA,EAAa,CACnC,KAAK,aAAA,EAAc,CAGnB,IAAA,CAAK,QAAA,CAAgB,CAAA,CAAA,YAAA,EAAa,CAClC,IAAA,CAAK,aAAA,EAAc,CAGnB,IAAA,CAAK,SAAA,CAAgB,CAAA,CAAA,YAAA,CAAcE,CAAAA,EAAW,CAC7CA,EAAO,IAAA,CAAK,MAAA,CAASC,CAAAA,EAAW,CAC/B,IAAMC,CAAAA,CAAUD,CAAAA,CAAO,QAAA,EAAS,CAAE,UAAA,CAAW,gBAAgB,CAAA,CAC7DE,CAAAA,CAAI,IAAA,CACH,oDAAoDD,CAAAA,CAAU,eAAA,CAAkB,gBAAgB,CAAA,CACjG,CAAA,CACIA,CAAAA,CACH,IAAA,CAAK,QAAA,CAAS,IAAA,CAAK,YAAA,CAAcF,CAAM,CAAA,CAEvC,IAAA,CAAK,QAAA,CAAS,KAAK,YAAA,CAAcA,CAAM,CAAA,CAExCA,CAAAA,CAAO,OAAA,CAAQC,CAAM,EACtB,CAAC,CAAA,CACDD,CAAAA,CAAO,EAAA,CAAG,OAAA,CAAUI,CAAAA,EACnBD,EAAI,KAAA,CAAM,CAAA,uCAAA,EAA0CC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAClE,EACD,CAAC,CAAA,CAGD,IAAA,CAAK,QAAA,CAAS,EAAA,CAAG,OAAA,CAAUA,CAAAA,EAC1BD,EAAI,KAAA,CAAM,CAAA,gCAAA,EAAmCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAC3D,EACA,IAAA,CAAK,QAAA,CAAS,EAAA,CAAG,OAAA,CAAUA,CAAAA,EAC1BD,CAAAA,CAAI,MAAM,CAAA,gCAAA,EAAmCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAC3D,CAAA,CAEAD,CAAAA,CAAI,IAAA,CAAK,4CAA4C,EACtD,CAvDQ,SAAA,CACA,QAAA,CACA,QAAA,CACA,OACA,YAAA,CAEA,aAAA,CAmDA,aAAA,EAAgB,CACvB,IAAA,CAAK,QAAA,CAAS,GAAG,QAAA,CAAU,CAACE,CAAAA,CAAQC,CAAAA,GAAY,CAC/C,IAAMC,EAAcD,CAAAA,CAAQ,cAAc,CAAA,CACpCE,CAAAA,CAAOF,CAAAA,CAAQ,OAAO,CAAA,CAExBC,CAAAA,GAAgB,kBAAA,CACnB,IAAA,CAAK,gBAAA,CAAiBF,CAAiC,CAAA,CAC7CG,CAAAA,GAAS,QACnB,IAAA,CAAK,iBAAA,CAAkBH,CAAAA,CAAmCC,CAAO,EAEnE,CAAC,EACF,CAEQ,aAAA,EAAgB,CACvB,IAAA,CAAK,QAAA,CAAS,EAAA,CAAG,SAAA,CAAW,MAAOG,CAAAA,CAAKC,CAAAA,GAAQ,CAC/C,IAAMC,CAAAA,CAAMF,CAAAA,CAAI,GAAA,EAAO,EAAA,CACjBG,CAAAA,CAASH,CAAAA,CAAI,MAAA,CAGnB,GAAIE,CAAAA,CAAI,UAAA,CAAW,OAAO,CAAA,EAAK,IAAA,CAAK,aAAA,CAAe,CAClD,IAAME,CAAAA,CACL,OAAO,IAAA,CAAK,aAAA,CAAc,QAAA,EAAa,UAAA,CACpC,IAAA,CAAK,aAAA,CAAc,UAAS,CAC5B,IAAA,CAAK,aAAA,CAEHC,CAAAA,CAAcL,CAAAA,CAAI,GAAA,CACxBA,CAAAA,CAAI,GAAA,CAAA,CAAOK,CAAAA,EAAe,EAAA,EAAI,KAAA,CAAM,CAAC,CAAA,EAAK,GAAA,CAC1C,GAAI,CACH,OAAOD,CAAAA,CAASJ,CAAAA,CAAKC,CAAG,CACzB,QAAE,CACDD,CAAAA,CAAI,GAAA,CAAMK,EACX,CACD,CAGA,GAAIF,CAAAA,GAAW,KAAA,EAASD,CAAAA,GAAQ,uCAAA,CAAyC,CACxE,GAAI,IAAA,CAAK,YAAA,CAAc,CACtB,IAAMI,CAAAA,CAAMxB,CAAAA,CACX,IAAA,CAAK,YAAA,CAAa,WAAU,CAC5B,IAAA,CAAK,YAAA,CAAa,WAAA,EACnB,CAAA,CACAmB,EAAI,SAAA,CAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,kBAAmB,CAAC,EACzDA,CAAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAUK,CAAG,CAAC,CAAA,CAC3B,MACD,CACAL,CAAAA,CAAI,SAAA,CAAU,GAAG,CAAA,CACjBA,CAAAA,CAAI,IAAI,WAAW,CAAA,CACnB,MACD,CAEA,GACCE,CAAAA,GAAW,KAAA,GACVD,CAAAA,GAAQ,GAAA,EAAOA,CAAAA,GAAQ,MAAA,EAAUA,CAAAA,GAAQ,SAAA,CAAA,CACzC,CACD,GACCA,CAAAA,GAAQ,SAAA,EACRF,CAAAA,CAAI,OAAA,CAAQ,MAAA,EAAQ,QAAA,CAAS,kBAAkB,CAAA,CAC9C,CACD,IAAMO,CAAAA,CAAW,IAAA,CAAK,QAAA,CACnB,CACA,OAAQ,IAAA,CAAK,QAAA,CAAS,SAAA,EAAU,EAAG,QAAA,EAAS,EAAK,GACjD,UAAA,CAAY,IAAA,CAAK,QAAA,CACf,aAAA,EAAc,CACd,GAAA,CAAKC,GAAMA,CAAAA,CAAE,QAAA,EAAU,CAC1B,CAAA,CACC,IAAA,CACGzB,CAAAA,CAAS,IAAA,CAAK,YAAA,EAAc,SAAA,EAAU,CACtC0B,CAAAA,CAAU1B,CAAAA,CACbA,CAAAA,CAAO,SAAS,OAAO,CAAA,CACtBA,CAAAA,CACA,CAAA,EAAGA,CAAM,CAAA,KAAA,CAAA,CACV,GACG2B,CAAAA,CACL,IAAA,CAAK,YAAA,EAAgB3B,CAAAA,CAClB,CACA,MAAA,CAAAA,EACA,QAAA,CAAU,CAAA,EAAG0B,CAAO,CAAA,KAAA,CAAA,CACpB,GAAI,IAAA,CAAK,aAAA,CACN,CACA,cAAA,CAAgB,CAAA,EAAGA,CAAO,CAAA,MAAA,CAC3B,CAAA,CACC,EACJ,CAAA,CACC,MAAA,CAEJR,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,eAAgB,kBAAmB,CAAC,CAAA,CACzDA,CAAAA,CAAI,GAAA,CACH,IAAA,CAAK,UAAU,CACd,MAAA,CAAQ,SAAA,CACR,IAAA,CAAM,IAAA,CAAK,UAAA,CAAW,aAAA,EAAc,CACpC,IAAA,CAAMM,CAAAA,CACN,KAAA,CAAO,IAAA,CAAK,UAAA,CAAW,SAAA,GAAY,GAAA,CAAKI,CAAAA,EAAMA,CAAAA,CAAE,IAAI,CAAA,CACpD,IAAA,CAAMD,CAAAA,CACN,SAAA,CAAW,IAAI,IAAA,EAAK,CAAE,WAAA,EACvB,CAAC,CACF,CAAA,CACA,MACD,CAEAT,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,0BAA2B,CAAC,CAAA,CACjEA,CAAAA,CAAI,GAAA,CAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,CAWK,CAAA,CACb,MACD,CAEA,GAAIC,CAAAA,GAAQ,MAAA,EAAUC,CAAAA,GAAW,MAAA,CAAQ,CACxC,IAAIS,CAAAA,CAA4B,IAAA,CAGhC,GAAI,IAAA,CAAK,YAAA,CAAc,CACtB,IAAMC,CAAAA,CAAab,CAAAA,CAAI,OAAA,CAAQ,aAAA,CAC/B,GAAI,CAACa,CAAAA,EAAY,UAAA,CAAW,SAAS,CAAA,CAAG,CACvCZ,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAClB,kBAAA,CACC,6FAAA,CACD,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDA,CAAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,CAAE,KAAA,CAAO,cAAe,CAAC,CAAC,CAAA,CACjD,MACD,CACA,GAAI,CACHW,CAAAA,CAAW,MAAM,IAAA,CAAK,YAAA,CAAa,QAAA,CAASC,CAAAA,CAAW,KAAA,CAAM,CAAC,CAAC,EAChE,CAAA,MAASC,CAAAA,CAAY,CACpBb,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAClB,kBAAA,CAAoB,CAAA,iDAAA,EAAqDa,CAAAA,CAAY,OAAO,CAAA,CAAA,CAAA,CAC5F,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDb,CAAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,CAAE,KAAA,CAAO,eAAgB,CAAC,CAAC,CAAA,CAClD,MACD,CACD,CAEA,IAAIc,CAAAA,CAAO,EAAA,CACXf,CAAAA,CAAI,EAAA,CAAG,MAAA,CAASgB,CAAAA,EAAWD,CAAAA,EAAQC,CAAAA,CAAM,QAAA,EAAW,CAAA,CACpDhB,CAAAA,CAAI,EAAA,CAAG,KAAA,CAAO,SAAY,CACzB,GAAI,CACH,IAAMiB,CAAAA,CAAc,IAAA,CAAK,KAAA,CAAMF,CAAI,CAAA,CAC7BG,CAAAA,CAAW,MAAM,IAAA,CAAK,MAAA,CAAO,QAAA,CAASD,CAAAA,CAAaL,CAAQ,CAAA,CACjEX,CAAAA,CAAI,UAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,kBAAmB,CAAC,CAAA,CACzDA,CAAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAUiB,CAAQ,CAAC,EACjC,CAAA,MAASJ,GAAAA,CAAY,CACpBpB,CAAAA,CAAI,IAAA,CACH,CAAA,kDAAA,EAAsDoB,GAAAA,CAAY,OAAO,CAAA,CAC1E,CAAA,CACAb,CAAAA,CAAI,SAAA,CAAU,GAAG,CAAA,CACjBA,CAAAA,CAAI,GAAA,CACH,IAAA,CAAK,SAAA,CAAU,CACd,OAAA,CAAS,KAAA,CACT,KAAA,CAAO,CAAE,IAAA,CAAM,MAAA,CAAQ,OAAA,CAAS,aAAc,CAC/C,CAAC,CACF,EACD,CACD,CAAC,EACF,CAAA,KACCA,CAAAA,CAAI,SAAA,CAAU,GAAG,CAAA,CACjBA,CAAAA,CAAI,GAAA,CAAI,WAAW,EAErB,CAAC,EACF,CAEQ,gBAAA,CAAiBL,CAAAA,CAAiC,CACzDA,CAAAA,CAAO,EAAA,CAAG,OAASoB,CAAAA,EAAmB,CAErC,IAAMG,CAAAA,CAAOH,CAAAA,CACTG,CAAAA,EACHzB,CAAAA,CAAI,IAAA,CACH,CAAA,yCAAA,EAA4CyB,CAAAA,CAAK,MAAM,CAAA,MAAA,CACxD,EACF,CAAC,CAAA,CACDvB,CAAAA,CAAO,OAAA,CAAQ,CAAE,SAAA,CAAW,GAAA,CAAK,cAAA,CAAgB,kBAAmB,CAAC,CAAA,CACrEA,CAAAA,CAAO,GAAA,GACR,CAEQ,iBAAA,CACPA,CAAAA,CACAC,CAAAA,CACC,CACD,IAAIkB,CAAAA,CAAO,EAAA,CACXnB,CAAAA,CAAO,EAAA,CAAG,MAAA,CAASoB,CAAAA,EAAWD,CAAAA,EAAQC,CAAAA,CAAM,QAAA,EAAW,CAAA,CACvDpB,CAAAA,CAAO,EAAA,CAAG,KAAA,CAAO,SAAY,CAC5B,GAAI,CACH,IAAIgB,CAAAA,CAA4B,IAAA,CAGhC,GAAI,IAAA,CAAK,YAAA,CAAc,CACtB,IAAMC,CAAAA,CAAahB,CAAAA,CAAQ,aAAA,CAC3B,GAAI,CAACgB,CAAAA,EAAY,WAAW,SAAS,CAAA,CAAG,CACvCjB,CAAAA,CAAO,OAAA,CAAQ,CACd,SAAA,CAAW,GAAA,CACX,kBAAA,CACC,6FAAA,CACD,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDA,CAAAA,CAAO,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,CAAE,KAAA,CAAO,cAAe,CAAC,CAAC,CAAA,CACpD,MACD,CACA,GAAI,CACHgB,CAAAA,CAAW,MAAM,IAAA,CAAK,YAAA,CAAa,QAAA,CAASC,CAAAA,CAAW,KAAA,CAAM,CAAC,CAAC,EAChE,CAAA,MAASC,CAAAA,CAAY,CACpBlB,CAAAA,CAAO,OAAA,CAAQ,CACd,SAAA,CAAW,GAAA,CACX,kBAAA,CAAoB,CAAA,iDAAA,EAAqDkB,CAAAA,CAAY,OAAO,CAAA,CAAA,CAAA,CAC5F,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDlB,CAAAA,CAAO,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,CAAE,KAAA,CAAO,eAAgB,CAAC,CAAC,EACrD,MACD,CACD,CAEA,IAAMsB,CAAAA,CAAW,MAAM,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,IAAA,CAAK,KAAA,CAAMH,CAAI,CAAA,CAAGH,CAAQ,CAAA,CAClEM,CAAAA,EACHtB,CAAAA,CAAO,OAAA,CAAQ,CACd,SAAA,CAAW,GAAA,CACX,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDA,CAAAA,CAAO,GAAA,CAAI,IAAA,CAAK,SAAA,CAAUsB,CAAQ,CAAC,CAAA,EAC7BtB,EAAO,KAAA,GACf,CAAA,KAAa,CACZA,CAAAA,CAAO,OAAA,CAAQ,CAAE,SAAA,CAAW,GAAI,CAAC,CAAA,CACjCA,CAAAA,CAAO,GAAA,GACR,CACD,CAAC,EACF,CAEA,MAAa,MAAA,CAAOwB,CAAAA,CAAcC,CAAAA,CAAe,SAAA,CAA4B,CAC5E,GAAI,IAAA,CAAK,QAAA,CAAU,CAClB,MAAM,IAAA,CAAK,QAAA,CAAS,KAAA,GAGpB,IAAMC,CAAAA,CAAQ,IAAA,CAAK,UAAA,CAAW,SAAA,EAAU,CACxC,IAAA,IAAWC,CAAAA,IAAQD,CAAAA,CAClB,MAAM,IAAA,CAAK,QAAA,CAAS,kBAAA,CAAmBC,CAAAA,CAAK,IAAI,CAAA,CAChD7B,CAAAA,CAAI,IAAA,CACH,CAAA,uDAAA,EAAmD6B,CAAAA,CAAK,IAAI,CAAA,CAC7D,EAEF,CACA,OAAO,IAAI,OAAA,CAAQ,CAACC,CAAAA,CAASC,CAAAA,GAAW,CACvC,IAAA,CAAK,SAAA,CAAU,EAAA,CAAG,OAAA,CAAU9B,CAAAA,EAAmC,CAC1DA,CAAAA,CAAI,IAAA,GAAS,YAAA,CAChBD,CAAAA,CAAI,IAAA,CACH,CAAA,2BAAA,EAA8B0B,CAAI,CAAA,sCAAA,CACnC,CAAA,CAEA1B,CAAAA,CAAI,KAAA,CAAM,CAAA,8BAAA,EAAiCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAAA,CAEzD8B,CAAAA,CAAO9B,CAAG,EACX,CAAC,CAAA,CAED,IAAA,CAAK,SAAA,CAAU,MAAA,CAAOyB,CAAAA,CAAMC,CAAAA,CAAM,IAAM,CACvC,IAAMK,CAAAA,CAAO,IAAA,CAAK,SAAA,CAAU,OAAA,EAAQ,CAC9BC,CAAAA,CACL,OAAOD,CAAAA,EAAS,QAAA,CAAWA,CAAAA,CAAOA,CAAAA,EAAM,OAAA,EAAWL,CAAAA,CAC9CO,GAAAA,CACL,OAAOF,CAAAA,EAAS,QAAA,CAAWN,CAAAA,CAAOM,CAAAA,EAAM,IAAA,EAAQN,CAAAA,CAEjD1B,CAAAA,CAAI,IAAA,CACH,CAAA,sEAAA,EAAoEiC,CAAU,CAAA,CAAA,EAAIC,GAAY,CAAA,CAC/F,CAAA,CACAJ,CAAAA,CAAQI,GAAY,EACrB,CAAC,EACF,CAAC,CACF,CAEA,MAAa,IAAA,EAAO,CACf,IAAA,CAAK,QAAA,EACR,MAAM,IAAA,CAAK,QAAA,CAAS,IAAA,EAAK,CAE1B,IAAA,CAAK,SAAA,CAAU,KAAA,EAAM,CACrB,IAAA,CAAK,QAAA,CAAS,KAAA,EAAM,CACpB,IAAA,CAAK,QAAA,CAAS,KAAA,GACf,CAEO,SAAA,EAA2B,CACjC,OAAO,IAAA,CAAK,MACb,CACD","file":"chunk-YZVCAJJO.js","sourcesContent":["/**\n * LIOP Protected Resource Metadata — RFC 9728\n *\n * Builds the JSON document served at /.well-known/oauth-protected-resource.\n * This enables MCP clients to discover the authorization server and\n * required scopes for accessing LIOP tools and resources.\n *\n * Standards: RFC 9728, MCP Spec 2025-11-25\n */\n\nimport { LIOP_SCOPES } from \"./rbac.js\";\n\n/**\n * RFC 9728 Protected Resource Metadata response.\n *\n * @see https://datatracker.ietf.org/doc/rfc9728\n */\nexport interface ProtectedResourceMetadata {\n\t/** Identifier for the protected resource. */\n\tresource: string;\n\t/** Array of authorization server issuer URLs that can issue tokens for this resource. */\n\tauthorization_servers: string[];\n\t/** OAuth scopes accepted by this resource. */\n\tscopes_supported: readonly string[];\n\t/** Methods of presenting the bearer token (always \"header\" for LIOP). */\n\tbearer_methods_supported: string[];\n\t/** URL to the resource documentation. */\n\tresource_documentation: string;\n}\n\n/**\n * Builds the Protected Resource Metadata document (RFC 9728).\n *\n * @param issuer - OIDC issuer URL of the Nexus authorization server\n * @param audience - JWT audience claim (resource identifier)\n */\nexport function buildProtectedResourceMetadata(\n\tissuer: string,\n\taudience: string,\n): ProtectedResourceMetadata {\n\treturn {\n\t\tresource: audience,\n\t\tauthorization_servers: [issuer],\n\t\tscopes_supported: LIOP_SCOPES,\n\t\tbearer_methods_supported: [\"header\"],\n\t\tresource_documentation: \"https://github.com/nekzus/liop\",\n\t};\n}\n","import * as http from \"node:http\";\nimport * as http2 from \"node:http2\";\nimport * as net from \"node:net\";\nimport type { MeshNode } from \"../mesh/index.js\";\nimport type { AuthInfo, JwtValidator } from \"../security/jwt-validator.js\";\nimport { buildProtectedResourceMetadata } from \"../security/prm.js\";\nimport type { LiopServer } from \"../server/index.js\";\nimport { log } from \"../utils/logger.js\";\nimport { LiopMcpRouter } from \"./router.js\";\n\n/**\n * LIOP Hybrid Gateway\n * High-level orchestration for connecting MCP (JSON-RPC) clients to the LIOP Mesh.\n */\nexport class LiopHybridGateway {\n\tprivate netServer: net.Server;\n\tprivate h2Server: http2.Http2Server;\n\tprivate h1Server: http.Server;\n\tprivate router: LiopMcpRouter;\n\tprivate jwtValidator?: JwtValidator;\n\t// biome-ignore lint/suspicious/noExplicitAny: oidc-provider is loaded in Phase C\n\tprivate oauthProvider?: any;\n\n\tconstructor(\n\t\tprivate liopServer: LiopServer,\n\t\tprivate meshNode: MeshNode | null = null,\n\t\trpcPort: number = 50051,\n\t) {\n\t\tthis.jwtValidator = this.liopServer.jwtValidator;\n\t\tthis.oauthProvider = this.liopServer.oauthProvider;\n\n\t\t// Initialize the Universal Router\n\t\tthis.router = new LiopMcpRouter(this.liopServer, this.meshNode, rpcPort);\n\n\t\t// Internal HTTP/2 Server (for Native gRPC Proxying)\n\t\tthis.h2Server = http2.createServer();\n\t\tthis.setupH2Routes();\n\n\t\t// Internal HTTP/1 Server (for Browser/MCP)\n\t\tthis.h1Server = http.createServer();\n\t\tthis.setupH1Routes();\n\n\t\t// Primary Multiplexer (L4)\n\t\tthis.netServer = net.createServer((socket) => {\n\t\t\tsocket.once(\"data\", (buffer) => {\n\t\t\t\tconst isHttp2 = buffer.toString().startsWith(\"PRI * HTTP/2.0\");\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] Incoming L4 Connection. Protocol: ${isHttp2 ? \"HTTP/2 (gRPC)\" : \"HTTP/1.1 (MCP)\"}`,\n\t\t\t\t);\n\t\t\t\tif (isHttp2) {\n\t\t\t\t\tthis.h2Server.emit(\"connection\", socket);\n\t\t\t\t} else {\n\t\t\t\t\tthis.h1Server.emit(\"connection\", socket);\n\t\t\t\t}\n\t\t\t\tsocket.unshift(buffer);\n\t\t\t});\n\t\t\tsocket.on(\"error\", (err) =>\n\t\t\t\tlog.error(`[LIOP-Gateway] NetServer Socket Error: ${err.message}`),\n\t\t\t);\n\t\t});\n\n\t\t// Attach error listeners to sub-servers to catch silent failures\n\t\tthis.h1Server.on(\"error\", (err) =>\n\t\t\tlog.error(`[LIOP-Gateway] H1 Server Error: ${err.message}`),\n\t\t);\n\t\tthis.h2Server.on(\"error\", (err) =>\n\t\t\tlog.error(`[LIOP-Gateway] H2 Server Error: ${err.message}`),\n\t\t);\n\n\t\tlog.info(\"[LIOP-Gateway] Hybrid adapter initialized.\");\n\t}\n\n\tprivate setupH2Routes() {\n\t\tthis.h2Server.on(\"stream\", (stream, headers) => {\n\t\t\tconst contentType = headers[\"content-type\"] as string;\n\t\t\tconst path = headers[\":path\"] as string;\n\n\t\t\tif (contentType === \"application/grpc\") {\n\t\t\t\tthis.handleGrpcStream(stream as http2.ServerHttp2Stream);\n\t\t\t} else if (path === \"/mcp\") {\n\t\t\t\tthis.handleMcpH2Stream(stream as http2.ServerHttp2Stream, headers);\n\t\t\t}\n\t\t});\n\t}\n\n\tprivate setupH1Routes() {\n\t\tthis.h1Server.on(\"request\", async (req, res) => {\n\t\t\tconst url = req.url || \"\";\n\t\t\tconst method = req.method;\n\n\t\t\t// [SEC] M2M OAuth 2.1 OIDC Authorization Server Router (Phase C proxy)\n\t\t\tif (url.startsWith(\"/oidc\") && this.oauthProvider) {\n\t\t\t\tconst callback =\n\t\t\t\t\ttypeof this.oauthProvider.callback === \"function\"\n\t\t\t\t\t\t? this.oauthProvider.callback()\n\t\t\t\t\t\t: this.oauthProvider;\n\t\t\t\t// Rewrite req.url to strip the '/oidc' prefix before delegating to oidc-provider\n\t\t\t\tconst originalUrl = req.url;\n\t\t\t\treq.url = (originalUrl || \"\").slice(5) || \"/\";\n\t\t\t\ttry {\n\t\t\t\t\treturn callback(req, res);\n\t\t\t\t} finally {\n\t\t\t\t\treq.url = originalUrl;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// [SEC] RFC 9728 Protected Resource Metadata (PRM) Endpoint\n\t\t\tif (method === \"GET\" && url === \"/.well-known/oauth-protected-resource\") {\n\t\t\t\tif (this.jwtValidator) {\n\t\t\t\t\tconst prm = buildProtectedResourceMetadata(\n\t\t\t\t\t\tthis.jwtValidator.getIssuer(),\n\t\t\t\t\t\tthis.jwtValidator.getAudience(),\n\t\t\t\t\t);\n\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\tres.end(JSON.stringify(prm));\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tres.writeHead(404);\n\t\t\t\tres.end(\"Not Found\");\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tmethod === \"GET\" &&\n\t\t\t\t(url === \"/\" || url === \"/mcp\" || url === \"/health\")\n\t\t\t) {\n\t\t\t\tif (\n\t\t\t\t\turl === \"/health\" &&\n\t\t\t\t\treq.headers.accept?.includes(\"application/json\")\n\t\t\t\t) {\n\t\t\t\t\tconst meshInfo = this.meshNode\n\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\tpeerId: this.meshNode.getPeerId()?.toString() || \"\",\n\t\t\t\t\t\t\t\tmultiaddrs: this.meshNode\n\t\t\t\t\t\t\t\t\t.getMultiaddrs()\n\t\t\t\t\t\t\t\t\t.map((m) => m.toString()),\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t: null;\n\t\t\t\t\tconst issuer = this.jwtValidator?.getIssuer();\n\t\t\t\t\tconst baseUrl = issuer\n\t\t\t\t\t\t? issuer.endsWith(\"/oidc\")\n\t\t\t\t\t\t\t? issuer\n\t\t\t\t\t\t\t: `${issuer}/oidc`\n\t\t\t\t\t\t: \"\";\n\t\t\t\t\tconst authInfoResponse =\n\t\t\t\t\t\tthis.jwtValidator && issuer\n\t\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\t\tissuer,\n\t\t\t\t\t\t\t\t\tjwks_uri: `${baseUrl}/jwks`,\n\t\t\t\t\t\t\t\t\t...(this.oauthProvider\n\t\t\t\t\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\t\t\t\t\ttoken_endpoint: `${baseUrl}/token`,\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t: {}),\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t: undefined;\n\n\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\tres.end(\n\t\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t\tstatus: \"healthy\",\n\t\t\t\t\t\t\tnode: this.liopServer.getServerInfo(),\n\t\t\t\t\t\t\tmesh: meshInfo,\n\t\t\t\t\t\t\ttools: this.liopServer.listTools().map((t) => t.name),\n\t\t\t\t\t\t\tauth: authInfoResponse,\n\t\t\t\t\t\t\ttimestamp: new Date().toISOString(),\n\t\t\t\t\t\t}),\n\t\t\t\t\t);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\tres.writeHead(200, { \"Content-Type\": \"text/html; charset=utf-8\" });\n\t\t\t\tres.end(`\n                    <body style=\"background:#0f172a;color:#f8fafc;font-family:sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;margin:0\">\n                        <div style=\"background:#1e293b;padding:40px;border-radius:16px;border:1px solid #38bdf8;text-align:center;box-shadow:0 20px 25px -5px rgba(0,0,0,0.1)\">\n                            <h1 style=\"color:#38bdf8;margin-top:0\">LIOP Protocol Transformer</h1>\n                            <p style=\"opacity:0.8;font-weight:600\">L4/L7 Transcoding: JSON-RPC &harr; gRPC</p>\n                            <p style=\"opacity:0.6;font-size:14px\">Active Protections: Kyber768 + AES-256-GCM + ZK-Proof Ready</p>\n                            <div style=\"background:#0f172a;padding:15px;border-radius:8px;margin-top:20px;border:1px dashed #334155\">\n                                <code style=\"color:#10b981\">Endpoint: http://localhost:3000/mcp</code>\n                            </div>\n                        </div>\n                    </body>\n                `);\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\tif (url === \"/mcp\" && method === \"POST\") {\n\t\t\t\tlet authInfo: AuthInfo | null = null;\n\n\t\t\t\t// [SEC] Continuous verification of Bearer token (NIST SP 800-207)\n\t\t\t\tif (this.jwtValidator) {\n\t\t\t\t\tconst authHeader = req.headers.authorization;\n\t\t\t\t\tif (!authHeader?.startsWith(\"Bearer \")) {\n\t\t\t\t\t\tres.writeHead(401, {\n\t\t\t\t\t\t\t\"WWW-Authenticate\":\n\t\t\t\t\t\t\t\t'Bearer error=\"invalid_token\", error_description=\"Missing or malformed Authorization header\"',\n\t\t\t\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\tres.end(JSON.stringify({ error: \"Unauthorized\" }));\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t\ttry {\n\t\t\t\t\t\tauthInfo = await this.jwtValidator.validate(authHeader.slice(7));\n\t\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\t\tres.writeHead(401, {\n\t\t\t\t\t\t\t\"WWW-Authenticate\": `Bearer error=\"invalid_token\", error_description=\"${(e as Error).message}\"`,\n\t\t\t\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\tres.end(JSON.stringify({ error: \"Invalid token\" }));\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tlet body = \"\";\n\t\t\t\treq.on(\"data\", (chunk) => (body += chunk.toString()));\n\t\t\t\treq.on(\"end\", async () => {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst jsonRequest = JSON.parse(body);\n\t\t\t\t\t\tconst response = await this.router.dispatch(jsonRequest, authInfo);\n\t\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\t\tres.end(JSON.stringify(response));\n\t\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t`[LIOP-Gateway] Error processing JSON-RPC payload: ${(e as Error).message}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tres.writeHead(400);\n\t\t\t\t\t\tres.end(\n\t\t\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t\t\tjsonrpc: \"2.0\",\n\t\t\t\t\t\t\t\terror: { code: -32700, message: \"Parse error\" },\n\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tres.writeHead(404);\n\t\t\t\tres.end(\"Not Found\");\n\t\t\t}\n\t\t});\n\t}\n\n\tprivate handleGrpcStream(stream: http2.ServerHttp2Stream) {\n\t\tstream.on(\"data\", (chunk: unknown) => {\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Standard gRPC stream data is Buffer\n\t\t\tconst data = chunk as any;\n\t\t\tif (data)\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] Native gRPC Proxy passing ${data.length} bytes`,\n\t\t\t\t);\n\t\t});\n\t\tstream.respond({ \":status\": 200, \"content-type\": \"application/grpc\" });\n\t\tstream.end();\n\t}\n\n\tprivate handleMcpH2Stream(\n\t\tstream: http2.ServerHttp2Stream,\n\t\theaders: http2.IncomingHttpHeaders,\n\t) {\n\t\tlet body = \"\";\n\t\tstream.on(\"data\", (chunk) => (body += chunk.toString()));\n\t\tstream.on(\"end\", async () => {\n\t\t\ttry {\n\t\t\t\tlet authInfo: AuthInfo | null = null;\n\n\t\t\t\t// [SEC] Continuous verification of Bearer token over HTTP/2 (NIST SP 800-207)\n\t\t\t\tif (this.jwtValidator) {\n\t\t\t\t\tconst authHeader = headers.authorization as string;\n\t\t\t\t\tif (!authHeader?.startsWith(\"Bearer \")) {\n\t\t\t\t\t\tstream.respond({\n\t\t\t\t\t\t\t\":status\": 401,\n\t\t\t\t\t\t\t\"www-authenticate\":\n\t\t\t\t\t\t\t\t'Bearer error=\"invalid_token\", error_description=\"Missing or malformed Authorization header\"',\n\t\t\t\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\tstream.end(JSON.stringify({ error: \"Unauthorized\" }));\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t\ttry {\n\t\t\t\t\t\tauthInfo = await this.jwtValidator.validate(authHeader.slice(7));\n\t\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\t\tstream.respond({\n\t\t\t\t\t\t\t\":status\": 401,\n\t\t\t\t\t\t\t\"www-authenticate\": `Bearer error=\"invalid_token\", error_description=\"${(e as Error).message}\"`,\n\t\t\t\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\tstream.end(JSON.stringify({ error: \"Invalid token\" }));\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tconst response = await this.router.dispatch(JSON.parse(body), authInfo);\n\t\t\t\tif (response) {\n\t\t\t\t\tstream.respond({\n\t\t\t\t\t\t\":status\": 200,\n\t\t\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\t});\n\t\t\t\t\tstream.end(JSON.stringify(response));\n\t\t\t\t} else stream.close();\n\t\t\t} catch (_e) {\n\t\t\t\tstream.respond({ \":status\": 400 });\n\t\t\t\tstream.end();\n\t\t\t}\n\t\t});\n\t}\n\n\tpublic async listen(port: number, host: string = \"0.0.0.0\"): Promise<number> {\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.start();\n\n\t\t\t// Announce all local tools to the DHT\n\t\t\tconst tools = this.liopServer.listTools();\n\t\t\tfor (const tool of tools) {\n\t\t\t\tawait this.meshNode.announceCapability(tool.name);\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] 📡 Announced local tool to Mesh: ${tool.name}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t\treturn new Promise((resolve, reject) => {\n\t\t\tthis.netServer.on(\"error\", (err: Error & { code?: string }) => {\n\t\t\t\tif (err.code === \"EADDRINUSE\") {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-Gateway] FATAL: Port ${port} is already in use by another process.`,\n\t\t\t\t\t);\n\t\t\t\t} else {\n\t\t\t\t\tlog.error(`[LIOP-Gateway] Binding Error: ${err.message}`);\n\t\t\t\t}\n\t\t\t\treject(err);\n\t\t\t});\n\n\t\t\tthis.netServer.listen(port, host, () => {\n\t\t\t\tconst addr = this.netServer.address();\n\t\t\t\tconst actualHost =\n\t\t\t\t\ttypeof addr === \"string\" ? addr : addr?.address || host;\n\t\t\t\tconst assignedPort =\n\t\t\t\t\ttypeof addr === \"string\" ? port : addr?.port || port;\n\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] ✅ Transformer Mesh Gateway READY and listening on ${actualHost}:${assignedPort}`,\n\t\t\t\t);\n\t\t\t\tresolve(assignedPort);\n\t\t\t});\n\t\t});\n\t}\n\n\tpublic async stop() {\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.stop();\n\t\t}\n\t\tthis.netServer.close();\n\t\tthis.h2Server.close();\n\t\tthis.h1Server.close();\n\t}\n\n\tpublic getRouter(): LiopMcpRouter {\n\t\treturn this.router;\n\t}\n}\n"]}
+{"version":3,"sources":["../src/security/prm.ts","../src/gateway/hybrid.ts"],"names":["buildProtectedResourceMetadata","issuer","audience","LIOP_SCOPES","LiopHybridGateway","liopServer","meshNode","rpcPort","LiopMcpRouter","socket","buffer","isHttp2","log","err","stream","headers","contentType","path","req","res","url","method","callback","originalUrl","prm","meshInfo","m","baseUrl","authInfoResponse","t","authInfo","authHeader","e","body","chunk","jsonRequest","response","data","port","host","tools","tool","resolve","reject","addr","actualHost","assignedPort"],"mappings":"iLAoCO,SAASA,CAAAA,CACfC,CAAAA,CACAC,CAAAA,CAC4B,CAC5B,OAAO,CACN,QAAA,CAAUA,CAAAA,CACV,qBAAA,CAAuB,CAACD,CAAM,CAAA,CAC9B,gBAAA,CAAkBE,CAAAA,CAClB,wBAAA,CAA0B,CAAC,QAAQ,CAAA,CACnC,uBAAwB,gCACzB,CACD,CCjCO,IAAMC,CAAAA,CAAN,KAAwB,CAS9B,WAAA,CACSC,CAAAA,CACAC,CAAAA,CAA4B,IAAA,CACpCC,CAAAA,CAAkB,KAAA,CACjB,CAHO,IAAA,CAAA,UAAA,CAAAF,CAAAA,CACA,IAAA,CAAA,QAAA,CAAAC,CAAAA,CAGR,IAAA,CAAK,YAAA,CAAe,IAAA,CAAK,UAAA,CAAW,YAAA,CACpC,IAAA,CAAK,aAAA,CAAgB,IAAA,CAAK,UAAA,CAAW,aAAA,CAGrC,KAAK,MAAA,CAAS,IAAIE,CAAAA,CAAc,IAAA,CAAK,UAAA,CAAY,IAAA,CAAK,SAAUD,CAAO,CAAA,CAGvE,IAAA,CAAK,QAAA,CAAiB,CAAA,CAAA,YAAA,EAAa,CACnC,KAAK,aAAA,EAAc,CAGnB,IAAA,CAAK,QAAA,CAAgB,CAAA,CAAA,YAAA,EAAa,CAClC,IAAA,CAAK,aAAA,EAAc,CAGnB,IAAA,CAAK,SAAA,CAAgB,CAAA,CAAA,YAAA,CAAcE,CAAAA,EAAW,CAC7CA,EAAO,IAAA,CAAK,MAAA,CAASC,CAAAA,EAAW,CAC/B,IAAMC,CAAAA,CAAUD,CAAAA,CAAO,QAAA,EAAS,CAAE,UAAA,CAAW,gBAAgB,CAAA,CAC7DE,CAAAA,CAAI,IAAA,CACH,oDAAoDD,CAAAA,CAAU,eAAA,CAAkB,gBAAgB,CAAA,CACjG,CAAA,CACIA,CAAAA,CACH,IAAA,CAAK,QAAA,CAAS,IAAA,CAAK,YAAA,CAAcF,CAAM,CAAA,CAEvC,IAAA,CAAK,QAAA,CAAS,KAAK,YAAA,CAAcA,CAAM,CAAA,CAExCA,CAAAA,CAAO,OAAA,CAAQC,CAAM,EACtB,CAAC,CAAA,CACDD,CAAAA,CAAO,EAAA,CAAG,OAAA,CAAUI,CAAAA,EACnBD,EAAI,KAAA,CAAM,CAAA,uCAAA,EAA0CC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAClE,EACD,CAAC,CAAA,CAGD,IAAA,CAAK,QAAA,CAAS,EAAA,CAAG,OAAA,CAAUA,CAAAA,EAC1BD,EAAI,KAAA,CAAM,CAAA,gCAAA,EAAmCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAC3D,EACA,IAAA,CAAK,QAAA,CAAS,EAAA,CAAG,OAAA,CAAUA,CAAAA,EAC1BD,CAAAA,CAAI,MAAM,CAAA,gCAAA,EAAmCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAC3D,CAAA,CAEAD,CAAAA,CAAI,IAAA,CAAK,4CAA4C,EACtD,CAvDQ,SAAA,CACA,QAAA,CACA,QAAA,CACA,OACA,YAAA,CAEA,aAAA,CAmDA,aAAA,EAAgB,CACvB,IAAA,CAAK,QAAA,CAAS,GAAG,QAAA,CAAU,CAACE,CAAAA,CAAQC,CAAAA,GAAY,CAC/C,IAAMC,EAAcD,CAAAA,CAAQ,cAAc,CAAA,CACpCE,CAAAA,CAAOF,CAAAA,CAAQ,OAAO,CAAA,CAExBC,CAAAA,GAAgB,kBAAA,CACnB,IAAA,CAAK,gBAAA,CAAiBF,CAAiC,CAAA,CAC7CG,CAAAA,GAAS,QACnB,IAAA,CAAK,iBAAA,CAAkBH,CAAAA,CAAmCC,CAAO,EAEnE,CAAC,EACF,CAEQ,aAAA,EAAgB,CACvB,IAAA,CAAK,QAAA,CAAS,EAAA,CAAG,SAAA,CAAW,MAAOG,CAAAA,CAAKC,CAAAA,GAAQ,CAC/C,IAAMC,CAAAA,CAAMF,CAAAA,CAAI,GAAA,EAAO,EAAA,CACjBG,CAAAA,CAASH,CAAAA,CAAI,MAAA,CAGnB,GAAIE,CAAAA,CAAI,UAAA,CAAW,OAAO,CAAA,EAAK,IAAA,CAAK,aAAA,CAAe,CAClD,IAAME,CAAAA,CACL,OAAO,IAAA,CAAK,aAAA,CAAc,QAAA,EAAa,UAAA,CACpC,IAAA,CAAK,aAAA,CAAc,UAAS,CAC5B,IAAA,CAAK,aAAA,CAEHC,CAAAA,CAAcL,CAAAA,CAAI,GAAA,CACxBA,CAAAA,CAAI,GAAA,CAAA,CAAOK,CAAAA,EAAe,EAAA,EAAI,KAAA,CAAM,CAAC,CAAA,EAAK,GAAA,CAC1C,GAAI,CACH,OAAOD,CAAAA,CAASJ,CAAAA,CAAKC,CAAG,CACzB,QAAE,CACDD,CAAAA,CAAI,GAAA,CAAMK,EACX,CACD,CAGA,GAAIF,CAAAA,GAAW,KAAA,EAASD,CAAAA,GAAQ,uCAAA,CAAyC,CACxE,GAAI,IAAA,CAAK,YAAA,CAAc,CACtB,IAAMI,CAAAA,CAAMxB,CAAAA,CACX,IAAA,CAAK,YAAA,CAAa,WAAU,CAC5B,IAAA,CAAK,YAAA,CAAa,WAAA,EACnB,CAAA,CACAmB,EAAI,SAAA,CAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,kBAAmB,CAAC,EACzDA,CAAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAUK,CAAG,CAAC,CAAA,CAC3B,MACD,CACAL,CAAAA,CAAI,SAAA,CAAU,GAAG,CAAA,CACjBA,CAAAA,CAAI,IAAI,WAAW,CAAA,CACnB,MACD,CAEA,GACCE,CAAAA,GAAW,KAAA,GACVD,CAAAA,GAAQ,GAAA,EAAOA,CAAAA,GAAQ,MAAA,EAAUA,CAAAA,GAAQ,SAAA,CAAA,CACzC,CACD,GACCA,CAAAA,GAAQ,SAAA,EACRF,CAAAA,CAAI,OAAA,CAAQ,MAAA,EAAQ,QAAA,CAAS,kBAAkB,CAAA,CAC9C,CACD,IAAMO,CAAAA,CAAW,IAAA,CAAK,QAAA,CACnB,CACA,OAAQ,IAAA,CAAK,QAAA,CAAS,SAAA,EAAU,EAAG,QAAA,EAAS,EAAK,GACjD,UAAA,CAAY,IAAA,CAAK,QAAA,CACf,aAAA,EAAc,CACd,GAAA,CAAKC,GAAMA,CAAAA,CAAE,QAAA,EAAU,CAC1B,CAAA,CACC,IAAA,CACGzB,CAAAA,CAAS,IAAA,CAAK,YAAA,EAAc,SAAA,EAAU,CACtC0B,CAAAA,CAAU1B,CAAAA,CACbA,CAAAA,CAAO,SAAS,OAAO,CAAA,CACtBA,CAAAA,CACA,CAAA,EAAGA,CAAM,CAAA,KAAA,CAAA,CACV,GACG2B,CAAAA,CACL,IAAA,CAAK,YAAA,EAAgB3B,CAAAA,CAClB,CACA,MAAA,CAAAA,EACA,QAAA,CAAU,CAAA,EAAG0B,CAAO,CAAA,KAAA,CAAA,CACpB,GAAI,IAAA,CAAK,aAAA,CACN,CACA,cAAA,CAAgB,CAAA,EAAGA,CAAO,CAAA,MAAA,CAC3B,CAAA,CACC,EACJ,CAAA,CACC,MAAA,CAEJR,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,eAAgB,kBAAmB,CAAC,CAAA,CACzDA,CAAAA,CAAI,GAAA,CACH,IAAA,CAAK,UAAU,CACd,MAAA,CAAQ,SAAA,CACR,IAAA,CAAM,IAAA,CAAK,UAAA,CAAW,aAAA,EAAc,CACpC,IAAA,CAAMM,CAAAA,CACN,KAAA,CAAO,IAAA,CAAK,UAAA,CAAW,SAAA,GAAY,GAAA,CAAKI,CAAAA,EAAMA,CAAAA,CAAE,IAAI,CAAA,CACpD,IAAA,CAAMD,CAAAA,CACN,SAAA,CAAW,IAAI,IAAA,EAAK,CAAE,WAAA,EACvB,CAAC,CACF,CAAA,CACA,MACD,CAEAT,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,0BAA2B,CAAC,CAAA,CACjEA,CAAAA,CAAI,GAAA,CAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,CAWK,CAAA,CACb,MACD,CAEA,GAAIC,CAAAA,GAAQ,MAAA,EAAUC,CAAAA,GAAW,MAAA,CAAQ,CACxC,IAAIS,CAAAA,CAA4B,IAAA,CAGhC,GAAI,IAAA,CAAK,YAAA,CAAc,CACtB,IAAMC,CAAAA,CAAab,CAAAA,CAAI,OAAA,CAAQ,aAAA,CAC/B,GAAI,CAACa,CAAAA,EAAY,UAAA,CAAW,SAAS,CAAA,CAAG,CACvCZ,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAClB,kBAAA,CACC,6FAAA,CACD,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDA,CAAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,CAAE,KAAA,CAAO,cAAe,CAAC,CAAC,CAAA,CACjD,MACD,CACA,GAAI,CACHW,CAAAA,CAAW,MAAM,IAAA,CAAK,YAAA,CAAa,QAAA,CAASC,CAAAA,CAAW,KAAA,CAAM,CAAC,CAAC,EAChE,CAAA,MAASC,CAAAA,CAAY,CACpBb,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAClB,kBAAA,CAAoB,CAAA,iDAAA,EAAqDa,CAAAA,CAAY,OAAO,CAAA,CAAA,CAAA,CAC5F,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDb,CAAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,CAAE,KAAA,CAAO,eAAgB,CAAC,CAAC,CAAA,CAClD,MACD,CACD,CAEA,IAAIc,CAAAA,CAAO,EAAA,CACXf,CAAAA,CAAI,EAAA,CAAG,MAAA,CAASgB,CAAAA,EAAWD,CAAAA,EAAQC,CAAAA,CAAM,QAAA,EAAW,CAAA,CACpDhB,CAAAA,CAAI,EAAA,CAAG,KAAA,CAAO,SAAY,CACzB,GAAI,CACH,IAAMiB,CAAAA,CAAc,IAAA,CAAK,KAAA,CAAMF,CAAI,CAAA,CAC7BG,CAAAA,CAAW,MAAM,IAAA,CAAK,MAAA,CAAO,QAAA,CAASD,CAAAA,CAAaL,CAAQ,CAAA,CACjEX,CAAAA,CAAI,UAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,kBAAmB,CAAC,CAAA,CACzDA,CAAAA,CAAI,GAAA,CAAI,IAAA,CAAK,SAAA,CAAUiB,CAAQ,CAAC,EACjC,CAAA,MAASJ,GAAAA,CAAY,CACpBpB,CAAAA,CAAI,IAAA,CACH,CAAA,kDAAA,EAAsDoB,GAAAA,CAAY,OAAO,CAAA,CAC1E,CAAA,CACAb,CAAAA,CAAI,SAAA,CAAU,GAAG,CAAA,CACjBA,CAAAA,CAAI,GAAA,CACH,IAAA,CAAK,SAAA,CAAU,CACd,OAAA,CAAS,KAAA,CACT,KAAA,CAAO,CAAE,IAAA,CAAM,MAAA,CAAQ,OAAA,CAAS,aAAc,CAC/C,CAAC,CACF,EACD,CACD,CAAC,EACF,CAAA,KACCA,CAAAA,CAAI,SAAA,CAAU,GAAG,CAAA,CACjBA,CAAAA,CAAI,GAAA,CAAI,WAAW,EAErB,CAAC,EACF,CAEQ,gBAAA,CAAiBL,CAAAA,CAAiC,CACzDA,CAAAA,CAAO,EAAA,CAAG,OAASoB,CAAAA,EAAmB,CAErC,IAAMG,CAAAA,CAAOH,CAAAA,CACTG,CAAAA,EACHzB,CAAAA,CAAI,IAAA,CACH,CAAA,yCAAA,EAA4CyB,CAAAA,CAAK,MAAM,CAAA,MAAA,CACxD,EACF,CAAC,CAAA,CACDvB,CAAAA,CAAO,OAAA,CAAQ,CAAE,SAAA,CAAW,GAAA,CAAK,cAAA,CAAgB,kBAAmB,CAAC,CAAA,CACrEA,CAAAA,CAAO,GAAA,GACR,CAEQ,iBAAA,CACPA,CAAAA,CACAC,CAAAA,CACC,CACD,IAAIkB,CAAAA,CAAO,EAAA,CACXnB,CAAAA,CAAO,EAAA,CAAG,MAAA,CAASoB,CAAAA,EAAWD,CAAAA,EAAQC,CAAAA,CAAM,QAAA,EAAW,CAAA,CACvDpB,CAAAA,CAAO,EAAA,CAAG,KAAA,CAAO,SAAY,CAC5B,GAAI,CACH,IAAIgB,CAAAA,CAA4B,IAAA,CAGhC,GAAI,IAAA,CAAK,YAAA,CAAc,CACtB,IAAMC,CAAAA,CAAahB,CAAAA,CAAQ,aAAA,CAC3B,GAAI,CAACgB,CAAAA,EAAY,WAAW,SAAS,CAAA,CAAG,CACvCjB,CAAAA,CAAO,OAAA,CAAQ,CACd,SAAA,CAAW,GAAA,CACX,kBAAA,CACC,6FAAA,CACD,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDA,CAAAA,CAAO,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,CAAE,KAAA,CAAO,cAAe,CAAC,CAAC,CAAA,CACpD,MACD,CACA,GAAI,CACHgB,CAAAA,CAAW,MAAM,IAAA,CAAK,YAAA,CAAa,QAAA,CAASC,CAAAA,CAAW,KAAA,CAAM,CAAC,CAAC,EAChE,CAAA,MAASC,CAAAA,CAAY,CACpBlB,CAAAA,CAAO,OAAA,CAAQ,CACd,SAAA,CAAW,GAAA,CACX,kBAAA,CAAoB,CAAA,iDAAA,EAAqDkB,CAAAA,CAAY,OAAO,CAAA,CAAA,CAAA,CAC5F,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDlB,CAAAA,CAAO,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,CAAE,KAAA,CAAO,eAAgB,CAAC,CAAC,EACrD,MACD,CACD,CAEA,IAAMsB,CAAAA,CAAW,MAAM,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,IAAA,CAAK,KAAA,CAAMH,CAAI,CAAA,CAAGH,CAAQ,CAAA,CAClEM,CAAAA,EACHtB,CAAAA,CAAO,OAAA,CAAQ,CACd,SAAA,CAAW,GAAA,CACX,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDA,CAAAA,CAAO,GAAA,CAAI,IAAA,CAAK,SAAA,CAAUsB,CAAQ,CAAC,CAAA,EAC7BtB,EAAO,KAAA,GACf,CAAA,KAAa,CACZA,CAAAA,CAAO,OAAA,CAAQ,CAAE,SAAA,CAAW,GAAI,CAAC,CAAA,CACjCA,CAAAA,CAAO,GAAA,GACR,CACD,CAAC,EACF,CAEA,MAAa,MAAA,CAAOwB,CAAAA,CAAcC,CAAAA,CAAe,SAAA,CAA4B,CAC5E,GAAI,IAAA,CAAK,QAAA,CAAU,CAClB,MAAM,IAAA,CAAK,QAAA,CAAS,KAAA,GAGpB,IAAMC,CAAAA,CAAQ,IAAA,CAAK,UAAA,CAAW,SAAA,EAAU,CACxC,IAAA,IAAWC,CAAAA,IAAQD,CAAAA,CAClB,MAAM,IAAA,CAAK,QAAA,CAAS,kBAAA,CAAmBC,CAAAA,CAAK,IAAI,CAAA,CAChD7B,CAAAA,CAAI,IAAA,CACH,CAAA,uDAAA,EAAmD6B,CAAAA,CAAK,IAAI,CAAA,CAC7D,EAEF,CACA,OAAO,IAAI,OAAA,CAAQ,CAACC,CAAAA,CAASC,CAAAA,GAAW,CACvC,IAAA,CAAK,SAAA,CAAU,EAAA,CAAG,OAAA,CAAU9B,CAAAA,EAAmC,CAC1DA,CAAAA,CAAI,IAAA,GAAS,YAAA,CAChBD,CAAAA,CAAI,IAAA,CACH,CAAA,2BAAA,EAA8B0B,CAAI,CAAA,sCAAA,CACnC,CAAA,CAEA1B,CAAAA,CAAI,KAAA,CAAM,CAAA,8BAAA,EAAiCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAAA,CAEzD8B,CAAAA,CAAO9B,CAAG,EACX,CAAC,CAAA,CAED,IAAA,CAAK,SAAA,CAAU,MAAA,CAAOyB,CAAAA,CAAMC,CAAAA,CAAM,IAAM,CACvC,IAAMK,CAAAA,CAAO,IAAA,CAAK,SAAA,CAAU,OAAA,EAAQ,CAC9BC,CAAAA,CACL,OAAOD,CAAAA,EAAS,QAAA,CAAWA,CAAAA,CAAOA,CAAAA,EAAM,OAAA,EAAWL,CAAAA,CAC9CO,GAAAA,CACL,OAAOF,CAAAA,EAAS,QAAA,CAAWN,CAAAA,CAAOM,CAAAA,EAAM,IAAA,EAAQN,CAAAA,CAEjD1B,CAAAA,CAAI,IAAA,CACH,CAAA,sEAAA,EAAoEiC,CAAU,CAAA,CAAA,EAAIC,GAAY,CAAA,CAC/F,CAAA,CACAJ,CAAAA,CAAQI,GAAY,EACrB,CAAC,EACF,CAAC,CACF,CAEA,MAAa,IAAA,EAAO,CACf,IAAA,CAAK,QAAA,EACR,MAAM,IAAA,CAAK,QAAA,CAAS,IAAA,EAAK,CAE1B,IAAA,CAAK,SAAA,CAAU,KAAA,EAAM,CACrB,IAAA,CAAK,QAAA,CAAS,KAAA,EAAM,CACpB,IAAA,CAAK,QAAA,CAAS,KAAA,GACf,CAEO,SAAA,EAA2B,CACjC,OAAO,IAAA,CAAK,MACb,CACD","file":"chunk-GI2LSJYZ.js","sourcesContent":["/**\n * LIOP Protected Resource Metadata — RFC 9728\n *\n * Builds the JSON document served at /.well-known/oauth-protected-resource.\n * This enables MCP clients to discover the authorization server and\n * required scopes for accessing LIOP tools and resources.\n *\n * Standards: RFC 9728, MCP Spec 2025-11-25\n */\n\nimport { LIOP_SCOPES } from \"./rbac.js\";\n\n/**\n * RFC 9728 Protected Resource Metadata response.\n *\n * @see https://datatracker.ietf.org/doc/rfc9728\n */\nexport interface ProtectedResourceMetadata {\n\t/** Identifier for the protected resource. */\n\tresource: string;\n\t/** Array of authorization server issuer URLs that can issue tokens for this resource. */\n\tauthorization_servers: string[];\n\t/** OAuth scopes accepted by this resource. */\n\tscopes_supported: readonly string[];\n\t/** Methods of presenting the bearer token (always \"header\" for LIOP). */\n\tbearer_methods_supported: string[];\n\t/** URL to the resource documentation. */\n\tresource_documentation: string;\n}\n\n/**\n * Builds the Protected Resource Metadata document (RFC 9728).\n *\n * @param issuer - OIDC issuer URL of the Nexus authorization server\n * @param audience - JWT audience claim (resource identifier)\n */\nexport function buildProtectedResourceMetadata(\n\tissuer: string,\n\taudience: string,\n): ProtectedResourceMetadata {\n\treturn {\n\t\tresource: audience,\n\t\tauthorization_servers: [issuer],\n\t\tscopes_supported: LIOP_SCOPES,\n\t\tbearer_methods_supported: [\"header\"],\n\t\tresource_documentation: \"https://github.com/nekzus/liop\",\n\t};\n}\n","import * as http from \"node:http\";\nimport * as http2 from \"node:http2\";\nimport * as net from \"node:net\";\nimport type { MeshNode } from \"../mesh/index.js\";\nimport type { AuthInfo, JwtValidator } from \"../security/jwt-validator.js\";\nimport { buildProtectedResourceMetadata } from \"../security/prm.js\";\nimport type { LiopServer } from \"../server/index.js\";\nimport { log } from \"../utils/logger.js\";\nimport { LiopMcpRouter } from \"./router.js\";\n\n/**\n * LIOP Hybrid Gateway\n * High-level orchestration for connecting MCP (JSON-RPC) clients to the LIOP Mesh.\n */\nexport class LiopHybridGateway {\n\tprivate netServer: net.Server;\n\tprivate h2Server: http2.Http2Server;\n\tprivate h1Server: http.Server;\n\tprivate router: LiopMcpRouter;\n\tprivate jwtValidator?: JwtValidator;\n\t// biome-ignore lint/suspicious/noExplicitAny: oidc-provider is loaded in Phase C\n\tprivate oauthProvider?: any;\n\n\tconstructor(\n\t\tprivate liopServer: LiopServer,\n\t\tprivate meshNode: MeshNode | null = null,\n\t\trpcPort: number = 50051,\n\t) {\n\t\tthis.jwtValidator = this.liopServer.jwtValidator;\n\t\tthis.oauthProvider = this.liopServer.oauthProvider;\n\n\t\t// Initialize the Universal Router\n\t\tthis.router = new LiopMcpRouter(this.liopServer, this.meshNode, rpcPort);\n\n\t\t// Internal HTTP/2 Server (for Native gRPC Proxying)\n\t\tthis.h2Server = http2.createServer();\n\t\tthis.setupH2Routes();\n\n\t\t// Internal HTTP/1 Server (for Browser/MCP)\n\t\tthis.h1Server = http.createServer();\n\t\tthis.setupH1Routes();\n\n\t\t// Primary Multiplexer (L4)\n\t\tthis.netServer = net.createServer((socket) => {\n\t\t\tsocket.once(\"data\", (buffer) => {\n\t\t\t\tconst isHttp2 = buffer.toString().startsWith(\"PRI * HTTP/2.0\");\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] Incoming L4 Connection. Protocol: ${isHttp2 ? \"HTTP/2 (gRPC)\" : \"HTTP/1.1 (MCP)\"}`,\n\t\t\t\t);\n\t\t\t\tif (isHttp2) {\n\t\t\t\t\tthis.h2Server.emit(\"connection\", socket);\n\t\t\t\t} else {\n\t\t\t\t\tthis.h1Server.emit(\"connection\", socket);\n\t\t\t\t}\n\t\t\t\tsocket.unshift(buffer);\n\t\t\t});\n\t\t\tsocket.on(\"error\", (err) =>\n\t\t\t\tlog.error(`[LIOP-Gateway] NetServer Socket Error: ${err.message}`),\n\t\t\t);\n\t\t});\n\n\t\t// Attach error listeners to sub-servers to catch silent failures\n\t\tthis.h1Server.on(\"error\", (err) =>\n\t\t\tlog.error(`[LIOP-Gateway] H1 Server Error: ${err.message}`),\n\t\t);\n\t\tthis.h2Server.on(\"error\", (err) =>\n\t\t\tlog.error(`[LIOP-Gateway] H2 Server Error: ${err.message}`),\n\t\t);\n\n\t\tlog.info(\"[LIOP-Gateway] Hybrid adapter initialized.\");\n\t}\n\n\tprivate setupH2Routes() {\n\t\tthis.h2Server.on(\"stream\", (stream, headers) => {\n\t\t\tconst contentType = headers[\"content-type\"] as string;\n\t\t\tconst path = headers[\":path\"] as string;\n\n\t\t\tif (contentType === \"application/grpc\") {\n\t\t\t\tthis.handleGrpcStream(stream as http2.ServerHttp2Stream);\n\t\t\t} else if (path === \"/mcp\") {\n\t\t\t\tthis.handleMcpH2Stream(stream as http2.ServerHttp2Stream, headers);\n\t\t\t}\n\t\t});\n\t}\n\n\tprivate setupH1Routes() {\n\t\tthis.h1Server.on(\"request\", async (req, res) => {\n\t\t\tconst url = req.url || \"\";\n\t\t\tconst method = req.method;\n\n\t\t\t// [SEC] M2M OAuth 2.1 OIDC Authorization Server Router (Phase C proxy)\n\t\t\tif (url.startsWith(\"/oidc\") && this.oauthProvider) {\n\t\t\t\tconst callback =\n\t\t\t\t\ttypeof this.oauthProvider.callback === \"function\"\n\t\t\t\t\t\t? this.oauthProvider.callback()\n\t\t\t\t\t\t: this.oauthProvider;\n\t\t\t\t// Rewrite req.url to strip the '/oidc' prefix before delegating to oidc-provider\n\t\t\t\tconst originalUrl = req.url;\n\t\t\t\treq.url = (originalUrl || \"\").slice(5) || \"/\";\n\t\t\t\ttry {\n\t\t\t\t\treturn callback(req, res);\n\t\t\t\t} finally {\n\t\t\t\t\treq.url = originalUrl;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// [SEC] RFC 9728 Protected Resource Metadata (PRM) Endpoint\n\t\t\tif (method === \"GET\" && url === \"/.well-known/oauth-protected-resource\") {\n\t\t\t\tif (this.jwtValidator) {\n\t\t\t\t\tconst prm = buildProtectedResourceMetadata(\n\t\t\t\t\t\tthis.jwtValidator.getIssuer(),\n\t\t\t\t\t\tthis.jwtValidator.getAudience(),\n\t\t\t\t\t);\n\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\tres.end(JSON.stringify(prm));\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tres.writeHead(404);\n\t\t\t\tres.end(\"Not Found\");\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tmethod === \"GET\" &&\n\t\t\t\t(url === \"/\" || url === \"/mcp\" || url === \"/health\")\n\t\t\t) {\n\t\t\t\tif (\n\t\t\t\t\turl === \"/health\" &&\n\t\t\t\t\treq.headers.accept?.includes(\"application/json\")\n\t\t\t\t) {\n\t\t\t\t\tconst meshInfo = this.meshNode\n\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\tpeerId: this.meshNode.getPeerId()?.toString() || \"\",\n\t\t\t\t\t\t\t\tmultiaddrs: this.meshNode\n\t\t\t\t\t\t\t\t\t.getMultiaddrs()\n\t\t\t\t\t\t\t\t\t.map((m) => m.toString()),\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t: null;\n\t\t\t\t\tconst issuer = this.jwtValidator?.getIssuer();\n\t\t\t\t\tconst baseUrl = issuer\n\t\t\t\t\t\t? issuer.endsWith(\"/oidc\")\n\t\t\t\t\t\t\t? issuer\n\t\t\t\t\t\t\t: `${issuer}/oidc`\n\t\t\t\t\t\t: \"\";\n\t\t\t\t\tconst authInfoResponse =\n\t\t\t\t\t\tthis.jwtValidator && issuer\n\t\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\t\tissuer,\n\t\t\t\t\t\t\t\t\tjwks_uri: `${baseUrl}/jwks`,\n\t\t\t\t\t\t\t\t\t...(this.oauthProvider\n\t\t\t\t\t\t\t\t\t\t? {\n\t\t\t\t\t\t\t\t\t\t\t\ttoken_endpoint: `${baseUrl}/token`,\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t: {}),\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t: undefined;\n\n\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\tres.end(\n\t\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t\tstatus: \"healthy\",\n\t\t\t\t\t\t\tnode: this.liopServer.getServerInfo(),\n\t\t\t\t\t\t\tmesh: meshInfo,\n\t\t\t\t\t\t\ttools: this.liopServer.listTools().map((t) => t.name),\n\t\t\t\t\t\t\tauth: authInfoResponse,\n\t\t\t\t\t\t\ttimestamp: new Date().toISOString(),\n\t\t\t\t\t\t}),\n\t\t\t\t\t);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\tres.writeHead(200, { \"Content-Type\": \"text/html; charset=utf-8\" });\n\t\t\t\tres.end(`\n                    <body style=\"background:#0f172a;color:#f8fafc;font-family:sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;margin:0\">\n                        <div style=\"background:#1e293b;padding:40px;border-radius:16px;border:1px solid #38bdf8;text-align:center;box-shadow:0 20px 25px -5px rgba(0,0,0,0.1)\">\n                            <h1 style=\"color:#38bdf8;margin-top:0\">LIOP Protocol Transformer</h1>\n                            <p style=\"opacity:0.8;font-weight:600\">L4/L7 Transcoding: JSON-RPC &harr; gRPC</p>\n                            <p style=\"opacity:0.6;font-size:14px\">Active Protections: Kyber768 + AES-256-GCM + ZK-Proof Ready</p>\n                            <div style=\"background:#0f172a;padding:15px;border-radius:8px;margin-top:20px;border:1px dashed #334155\">\n                                <code style=\"color:#10b981\">Endpoint: http://localhost:3000/mcp</code>\n                            </div>\n                        </div>\n                    </body>\n                `);\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\tif (url === \"/mcp\" && method === \"POST\") {\n\t\t\t\tlet authInfo: AuthInfo | null = null;\n\n\t\t\t\t// [SEC] Continuous verification of Bearer token (NIST SP 800-207)\n\t\t\t\tif (this.jwtValidator) {\n\t\t\t\t\tconst authHeader = req.headers.authorization;\n\t\t\t\t\tif (!authHeader?.startsWith(\"Bearer \")) {\n\t\t\t\t\t\tres.writeHead(401, {\n\t\t\t\t\t\t\t\"WWW-Authenticate\":\n\t\t\t\t\t\t\t\t'Bearer error=\"invalid_token\", error_description=\"Missing or malformed Authorization header\"',\n\t\t\t\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\tres.end(JSON.stringify({ error: \"Unauthorized\" }));\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t\ttry {\n\t\t\t\t\t\tauthInfo = await this.jwtValidator.validate(authHeader.slice(7));\n\t\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\t\tres.writeHead(401, {\n\t\t\t\t\t\t\t\"WWW-Authenticate\": `Bearer error=\"invalid_token\", error_description=\"${(e as Error).message}\"`,\n\t\t\t\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\tres.end(JSON.stringify({ error: \"Invalid token\" }));\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tlet body = \"\";\n\t\t\t\treq.on(\"data\", (chunk) => (body += chunk.toString()));\n\t\t\t\treq.on(\"end\", async () => {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst jsonRequest = JSON.parse(body);\n\t\t\t\t\t\tconst response = await this.router.dispatch(jsonRequest, authInfo);\n\t\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\t\tres.end(JSON.stringify(response));\n\t\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t`[LIOP-Gateway] Error processing JSON-RPC payload: ${(e as Error).message}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tres.writeHead(400);\n\t\t\t\t\t\tres.end(\n\t\t\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t\t\tjsonrpc: \"2.0\",\n\t\t\t\t\t\t\t\terror: { code: -32700, message: \"Parse error\" },\n\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tres.writeHead(404);\n\t\t\t\tres.end(\"Not Found\");\n\t\t\t}\n\t\t});\n\t}\n\n\tprivate handleGrpcStream(stream: http2.ServerHttp2Stream) {\n\t\tstream.on(\"data\", (chunk: unknown) => {\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Standard gRPC stream data is Buffer\n\t\t\tconst data = chunk as any;\n\t\t\tif (data)\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] Native gRPC Proxy passing ${data.length} bytes`,\n\t\t\t\t);\n\t\t});\n\t\tstream.respond({ \":status\": 200, \"content-type\": \"application/grpc\" });\n\t\tstream.end();\n\t}\n\n\tprivate handleMcpH2Stream(\n\t\tstream: http2.ServerHttp2Stream,\n\t\theaders: http2.IncomingHttpHeaders,\n\t) {\n\t\tlet body = \"\";\n\t\tstream.on(\"data\", (chunk) => (body += chunk.toString()));\n\t\tstream.on(\"end\", async () => {\n\t\t\ttry {\n\t\t\t\tlet authInfo: AuthInfo | null = null;\n\n\t\t\t\t// [SEC] Continuous verification of Bearer token over HTTP/2 (NIST SP 800-207)\n\t\t\t\tif (this.jwtValidator) {\n\t\t\t\t\tconst authHeader = headers.authorization as string;\n\t\t\t\t\tif (!authHeader?.startsWith(\"Bearer \")) {\n\t\t\t\t\t\tstream.respond({\n\t\t\t\t\t\t\t\":status\": 401,\n\t\t\t\t\t\t\t\"www-authenticate\":\n\t\t\t\t\t\t\t\t'Bearer error=\"invalid_token\", error_description=\"Missing or malformed Authorization header\"',\n\t\t\t\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\tstream.end(JSON.stringify({ error: \"Unauthorized\" }));\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t\ttry {\n\t\t\t\t\t\tauthInfo = await this.jwtValidator.validate(authHeader.slice(7));\n\t\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\t\tstream.respond({\n\t\t\t\t\t\t\t\":status\": 401,\n\t\t\t\t\t\t\t\"www-authenticate\": `Bearer error=\"invalid_token\", error_description=\"${(e as Error).message}\"`,\n\t\t\t\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\t\t});\n\t\t\t\t\t\tstream.end(JSON.stringify({ error: \"Invalid token\" }));\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tconst response = await this.router.dispatch(JSON.parse(body), authInfo);\n\t\t\t\tif (response) {\n\t\t\t\t\tstream.respond({\n\t\t\t\t\t\t\":status\": 200,\n\t\t\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\t});\n\t\t\t\t\tstream.end(JSON.stringify(response));\n\t\t\t\t} else stream.close();\n\t\t\t} catch (_e) {\n\t\t\t\tstream.respond({ \":status\": 400 });\n\t\t\t\tstream.end();\n\t\t\t}\n\t\t});\n\t}\n\n\tpublic async listen(port: number, host: string = \"0.0.0.0\"): Promise<number> {\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.start();\n\n\t\t\t// Announce all local tools to the DHT\n\t\t\tconst tools = this.liopServer.listTools();\n\t\t\tfor (const tool of tools) {\n\t\t\t\tawait this.meshNode.announceCapability(tool.name);\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] 📡 Announced local tool to Mesh: ${tool.name}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t\treturn new Promise((resolve, reject) => {\n\t\t\tthis.netServer.on(\"error\", (err: Error & { code?: string }) => {\n\t\t\t\tif (err.code === \"EADDRINUSE\") {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-Gateway] FATAL: Port ${port} is already in use by another process.`,\n\t\t\t\t\t);\n\t\t\t\t} else {\n\t\t\t\t\tlog.error(`[LIOP-Gateway] Binding Error: ${err.message}`);\n\t\t\t\t}\n\t\t\t\treject(err);\n\t\t\t});\n\n\t\t\tthis.netServer.listen(port, host, () => {\n\t\t\t\tconst addr = this.netServer.address();\n\t\t\t\tconst actualHost =\n\t\t\t\t\ttypeof addr === \"string\" ? addr : addr?.address || host;\n\t\t\t\tconst assignedPort =\n\t\t\t\t\ttypeof addr === \"string\" ? port : addr?.port || port;\n\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] ✅ Transformer Mesh Gateway READY and listening on ${actualHost}:${assignedPort}`,\n\t\t\t\t);\n\t\t\t\tresolve(assignedPort);\n\t\t\t});\n\t\t});\n\t}\n\n\tpublic async stop() {\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.stop();\n\t\t}\n\t\tthis.netServer.close();\n\t\tthis.h2Server.close();\n\t\tthis.h1Server.close();\n\t}\n\n\tpublic getRouter(): LiopMcpRouter {\n\t\treturn this.router;\n\t}\n}\n"]}