@open-loyalty/mcp-server 1.12.0 → 1.13.0

package/dist/config.d.ts

@@ -13,15 +13,6 @@ declare const ConfigSchema: z.ZodObject<{
     defaultStoreCode?: string | undefined;
 }>;
 export type Config = z.infer<typeof ConfigSchema>;
-/**
- * Runs a function with a request-scoped config override (OAuth mode).
- * This is thread-safe - concurrent requests each have their own isolated config.
- */
-export declare function runWithConfig<T>(override: {
-    apiUrl: string;
-    apiToken: string;
-    storeCode: string;
-}, fn: () => T | Promise<T>): T | Promise<T>;
 /**
  * Gets the store code, falling back to default from config if not provided.
  * Throws a clear error if no store code is available from either source.

package/dist/config.js

@@ -1,25 +1,10 @@
 import { z } from "zod";
-import { AsyncLocalStorage } from "async_hooks";
 const ConfigSchema = z.object({
     apiUrl: z.string().url(),
     apiToken: z.string().min(1),
     defaultStoreCode: z.string().min(1).optional(),
 });
 let config = null;
-// Request-scoped config storage using AsyncLocalStorage (thread-safe for concurrent requests)
-const configStorage = new AsyncLocalStorage();
-/**
- * Runs a function with a request-scoped config override (OAuth mode).
- * This is thread-safe - concurrent requests each have their own isolated config.
- */
-export function runWithConfig(override, fn) {
-    const requestConfig = {
-        apiUrl: override.apiUrl,
-        apiToken: override.apiToken,
-        defaultStoreCode: override.storeCode,
-    };
-    return configStorage.run(requestConfig, fn);
-}
 /**
  * Gets the store code, falling back to default from config if not provided.
  * Throws a clear error if no store code is available from either source.
@@ -38,17 +23,9 @@ export function getStoreCode(storeCode) {
 export function isConfigured() {
     if (config)
         return true;
-    const requestConfig = configStorage.getStore();
-    if (requestConfig)
-        return true;
     return !!(process.env.OPENLOYALTY_API_URL && process.env.OPENLOYALTY_API_TOKEN);
 }
 export function getConfig() {
-    // Return request-scoped config if set (OAuth mode)
-    const requestConfig = configStorage.getStore();
-    if (requestConfig) {
-        return requestConfig;
-    }
     if (config) {
         return config;
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-loyalty/mcp-server",
-  "version": "1.12.0",
+  "version": "1.13.0",
   "type": "module",
   "description": "MCP server for Open Loyalty API - enables AI agents to manage loyalty programs, members, points, rewards, and transactions",
   "author": "Marcin Dyguda <md@openloyalty.io>",
@@ -17,8 +17,7 @@
   ],
   "main": "dist/index.js",
   "bin": {
-    "openloyalty-mcp": "./dist/index.js",
-    "openloyalty-mcp-http": "./dist/http.js"
+    "openloyalty-mcp": "./dist/index.js"
   },
   "files": [
     "dist",
@@ -31,9 +30,7 @@
     "dev:ui": "node scripts/build-ui.mjs --watch",
     "prepublishOnly": "npm run build",
     "start": "node dist/index.js",
-    "start:http": "node dist/http.js",
     "dev": "tsx src/index.ts",
-    "dev:http": "tsx src/http.ts",
     "typecheck": "tsc --noEmit",
     "test": "vitest",
     "test:run": "vitest run",
@@ -47,19 +44,12 @@
     "@modelcontextprotocol/ext-apps": "^1.0.1",
     "@modelcontextprotocol/sdk": "^1.0.0",
     "axios": "^1.6.0",
-    "cors": "^2.8.5",
     "dotenv": "^17.2.3",
-    "express": "^5.2.1",
-    "express-rate-limit": "^8.2.1",
     "form-data": "^4.0.0",
-    "helmet": "^8.1.0",
-    "ioredis": "^5.9.2",
     "zod": "^3.22.0"
   },
   "devDependencies": {
     "@eslint/js": "^9.39.2",
-    "@types/cors": "^2.8.19",
-    "@types/express": "^5.0.6",
     "@types/node": "^20.10.0",
     "@vitest/coverage-v8": "^4.0.17",
     "axios-mock-adapter": "^2.1.0",

package/dist/auth/provider.d.ts

@@ -1,33 +0,0 @@
-import type { OAuthServerProvider } from "@modelcontextprotocol/sdk/server/auth/provider.js";
-/**
- * Open Loyalty API credentials stored per-client
- */
-export interface OpenLoyaltyConfig {
-    apiUrl: string;
-    apiToken: string;
-    storeCode: string;
-}
-/**
- * Creates the OAuth server provider
- */
-export declare function createOAuthProvider(issuerUrl: string): OAuthServerProvider;
-/**
- * Completes authorization after form submission
- */
-export declare function completeAuthorization(sessionId: string, config: OpenLoyaltyConfig): Promise<{
-    redirectUrl: string;
-} | {
-    error: string;
-}>;
-/**
- * Gets the Open Loyalty config for a client
- */
-export declare function getClientConfig(clientId: string): Promise<OpenLoyaltyConfig | undefined>;
-/**
- * Validates Open Loyalty credentials
- * Uses the member list endpoint to validate both API token and store code
- */
-export declare function validateOpenLoyaltyCredentials(config: OpenLoyaltyConfig): Promise<{
-    valid: boolean;
-    error?: string;
-}>;

package/dist/auth/provider.js

@@ -1,383 +0,0 @@
-import crypto from "crypto";
-import { getStorage, KEYS } from "./storage.js";
-// Expiration times
-const AUTH_CODE_TTL_MS = 10 * 60 * 1000; // 10 minutes
-const ACCESS_TOKEN_TTL_MS = 60 * 60 * 1000; // 1 hour
-const CLIENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // 1 year
-const CONFIG_TTL_MS = 365 * 24 * 60 * 60 * 1000; // 1 year
-/**
- * Storage-backed OAuth clients store
- */
-class StorageClientsStore {
-    async getClient(clientId) {
-        const storage = getStorage();
-        const client = await storage.get(KEYS.client(clientId));
-        return client ?? undefined;
-    }
-    async registerClient(client) {
-        const storage = getStorage();
-        const clientId = crypto.randomBytes(16).toString("hex");
-        const clientIdIssuedAt = Math.floor(Date.now() / 1000);
-        const fullClient = {
-            ...client,
-            client_id: clientId,
-            client_id_issued_at: clientIdIssuedAt,
-        };
-        await storage.set(KEYS.client(clientId), fullClient, CLIENT_TTL_MS);
-        return fullClient;
-    }
-}
-/**
- * Creates the OAuth server provider
- */
-export function createOAuthProvider(issuerUrl) {
-    const clientsStore = new StorageClientsStore();
-    return {
-        get clientsStore() {
-            return clientsStore;
-        },
-        /**
-         * Handles authorization by showing a configuration form
-         */
-        async authorize(client, params, res) {
-            const storage = getStorage();
-            // Generate session ID to track this authorization flow
-            const sessionId = crypto.randomBytes(16).toString("hex");
-            // Store the pending authorization
-            const sessionData = {
-                clientId: client.client_id,
-                redirectUri: params.redirectUri,
-                codeChallenge: params.codeChallenge,
-                state: params.state,
-                scope: params.scopes?.join(" "),
-                expiresAt: Date.now() + AUTH_CODE_TTL_MS,
-            };
-            await storage.set(KEYS.session(sessionId), sessionData, AUTH_CODE_TTL_MS);
-            // Render the configuration form
-            const html = renderAuthorizationForm({
-                sessionId,
-                state: params.state,
-                clientName: client.client_name || "ChatGPT",
-                issuerUrl,
-            });
-            res.setHeader("Content-Type", "text/html");
-            res.send(html);
-        },
-        /**
-         * Returns the code challenge for a given authorization code
-         */
-        async challengeForAuthorizationCode(_client, authorizationCode) {
-            const storage = getStorage();
-            const codeData = await storage.get(KEYS.authCode(authorizationCode));
-            if (!codeData || codeData.expiresAt < Date.now()) {
-                await storage.delete(KEYS.authCode(authorizationCode));
-                throw new Error("Authorization code not found or expired");
-            }
-            return codeData.codeChallenge;
-        },
-        /**
-         * Exchanges authorization code for tokens
-         */
-        async exchangeAuthorizationCode(client, authorizationCode) {
-            const storage = getStorage();
-            const codeData = await storage.get(KEYS.authCode(authorizationCode));
-            if (!codeData || codeData.expiresAt < Date.now()) {
-                await storage.delete(KEYS.authCode(authorizationCode));
-                throw new Error("Authorization code not found or expired");
-            }
-            if (codeData.clientId !== client.client_id) {
-                throw new Error("Authorization code was not issued to this client");
-            }
-            // Delete the code (one-time use)
-            await storage.delete(KEYS.authCode(authorizationCode));
-            // Store the client config if provided
-            if (codeData.pendingConfig) {
-                await storage.set(KEYS.config(client.client_id), codeData.pendingConfig, CONFIG_TTL_MS);
-            }
-            // Generate access token
-            const accessToken = crypto.randomBytes(32).toString("hex");
-            const expiresAt = Date.now() + ACCESS_TOKEN_TTL_MS;
-            const tokenData = {
-                clientId: client.client_id,
-                scope: codeData.scope,
-                expiresAt,
-            };
-            await storage.set(KEYS.token(accessToken), tokenData, ACCESS_TOKEN_TTL_MS);
-            return {
-                access_token: accessToken,
-                token_type: "Bearer",
-                expires_in: Math.floor(ACCESS_TOKEN_TTL_MS / 1000),
-                scope: codeData.scope,
-            };
-        },
-        /**
-         * Exchanges refresh token (not supported)
-         */
-        async exchangeRefreshToken() {
-            throw new Error("Refresh tokens are not supported");
-        },
-        /**
-         * Verifies an access token
-         */
-        async verifyAccessToken(token) {
-            const storage = getStorage();
-            const tokenData = await storage.get(KEYS.token(token));
-            if (!tokenData) {
-                throw new Error("Invalid access token");
-            }
-            if (tokenData.expiresAt < Date.now()) {
-                await storage.delete(KEYS.token(token));
-                throw new Error("Access token has expired");
-            }
-            return {
-                token,
-                clientId: tokenData.clientId,
-                scopes: tokenData.scope ? tokenData.scope.split(" ") : [],
-                expiresAt: Math.floor(tokenData.expiresAt / 1000),
-            };
-        },
-    };
-}
-/**
- * Completes authorization after form submission
- */
-export async function completeAuthorization(sessionId, config) {
-    const storage = getStorage();
-    const sessionData = await storage.get(KEYS.session(sessionId));
-    if (!sessionData || sessionData.expiresAt < Date.now()) {
-        await storage.delete(KEYS.session(sessionId));
-        return { error: "Session expired. Please start the authorization process again." };
-    }
-    // Delete session
-    await storage.delete(KEYS.session(sessionId));
-    // Generate authorization code
-    const authorizationCode = crypto.randomBytes(32).toString("hex");
-    // Store with pending config
-    const codeData = {
-        ...sessionData,
-        pendingConfig: config,
-        expiresAt: Date.now() + AUTH_CODE_TTL_MS,
-    };
-    await storage.set(KEYS.authCode(authorizationCode), codeData, AUTH_CODE_TTL_MS);
-    // Build redirect URL
-    const redirectUrl = new URL(sessionData.redirectUri);
-    redirectUrl.searchParams.set("code", authorizationCode);
-    if (sessionData.state) {
-        redirectUrl.searchParams.set("state", sessionData.state);
-    }
-    return { redirectUrl: redirectUrl.toString() };
-}
-/**
- * Gets the Open Loyalty config for a client
- */
-export async function getClientConfig(clientId) {
-    const storage = getStorage();
-    const config = await storage.get(KEYS.config(clientId));
-    return config ?? undefined;
-}
-/**
- * Validates Open Loyalty credentials
- * Uses the member list endpoint to validate both API token and store code
- */
-export async function validateOpenLoyaltyCredentials(config) {
-    try {
-        // Use member list endpoint with limit=1 to validate credentials
-        // This validates both the API token and the store code existence
-        const response = await fetch(`${config.apiUrl}/${config.storeCode}/member?_itemsOnPage=1`, {
-            method: "GET",
-            headers: {
-                "Content-Type": "application/json",
-                "X-AUTH-TOKEN": config.apiToken,
-            },
-        });
-        if (response.status === 401) {
-            return { valid: false, error: "Invalid API token" };
-        }
-        if (response.status === 403) {
-            return { valid: false, error: "API token does not have required permissions" };
-        }
-        if (response.status === 404) {
-            return { valid: false, error: "Store code not found or invalid API URL" };
-        }
-        if (!response.ok) {
-            return { valid: false, error: `API returned status ${response.status}` };
-        }
-        return { valid: true };
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : "Unknown error";
-        return { valid: false, error: `Failed to connect: ${message}` };
-    }
-}
-/**
- * Renders the authorization form HTML
- */
-function renderAuthorizationForm(params) {
-    const { sessionId, state, clientName, issuerUrl } = params;
-    return `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Connect to Open Loyalty</title>
-  <style>
-    * { box-sizing: border-box; }
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-      min-height: 100vh;
-      margin: 0;
-      padding: 20px;
-      display: flex;
-      justify-content: center;
-      align-items: center;
-    }
-    .container {
-      background: white;
-      border-radius: 16px;
-      box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25);
-      padding: 40px;
-      width: 100%;
-      max-width: 420px;
-    }
-    h1 {
-      color: #1a1a2e;
-      font-size: 24px;
-      text-align: center;
-      margin: 0 0 8px 0;
-    }
-    .subtitle {
-      color: #6b7280;
-      text-align: center;
-      font-size: 14px;
-      margin-bottom: 32px;
-    }
-    .client-name { color: #667eea; font-weight: 500; }
-    .form-group { margin-bottom: 20px; }
-    label {
-      display: block;
-      color: #374151;
-      font-size: 14px;
-      font-weight: 500;
-      margin-bottom: 6px;
-    }
-    input {
-      width: 100%;
-      padding: 12px 16px;
-      border: 2px solid #e5e7eb;
-      border-radius: 8px;
-      font-size: 14px;
-    }
-    input:focus {
-      outline: none;
-      border-color: #667eea;
-    }
-    .help-text { color: #6b7280; font-size: 12px; margin-top: 4px; }
-    button {
-      width: 100%;
-      padding: 14px 24px;
-      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-      color: white;
-      border: none;
-      border-radius: 8px;
-      font-size: 16px;
-      font-weight: 600;
-      cursor: pointer;
-    }
-    button:hover { opacity: 0.9; }
-    button:disabled { opacity: 0.7; cursor: not-allowed; }
-    .error { background: #fef2f2; border: 1px solid #fecaca; color: #dc2626; padding: 12px; border-radius: 8px; margin-bottom: 20px; display: none; }
-    .error.visible { display: block; }
-  </style>
-</head>
-<body>
-  <div class="container">
-    <h1>Connect to Open Loyalty</h1>
-    <p class="subtitle">
-      <span class="client-name">${escapeHtml(clientName)}</span> wants to access your Open Loyalty account
-    </p>
-
-    <div id="error" class="error"></div>
-
-    <form id="authForm">
-      <input type="hidden" name="session_id" value="${escapeHtml(sessionId)}">
-      ${state ? `<input type="hidden" name="state" value="${escapeHtml(state)}">` : ""}
-
-      <div class="form-group">
-        <label for="apiUrl">API URL</label>
-        <input type="url" id="apiUrl" name="api_url" placeholder="https://api.openloyalty.io" required>
-        <p class="help-text">Your Open Loyalty API endpoint</p>
-      </div>
-
-      <div class="form-group">
-        <label for="apiToken">API Token</label>
-        <input type="password" id="apiToken" name="api_token" required>
-        <p class="help-text">From your Open Loyalty admin panel</p>
-      </div>
-
-      <div class="form-group">
-        <label for="storeCode">Store Code</label>
-        <input type="text" id="storeCode" name="store_code" value="default" required>
-        <p class="help-text">Usually "default"</p>
-      </div>
-
-      <button type="submit" id="submitBtn">Connect Account</button>
-    </form>
-  </div>
-
-  <script>
-    const form = document.getElementById('authForm');
-    const errorEl = document.getElementById('error');
-    const submitBtn = document.getElementById('submitBtn');
-
-    form.addEventListener('submit', async (e) => {
-      e.preventDefault();
-      errorEl.classList.remove('visible');
-      submitBtn.disabled = true;
-      submitBtn.textContent = 'Connecting...';
-
-      try {
-        const formData = new FormData(form);
-        const response = await fetch('${issuerUrl}/authorize/submit', {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({
-            session_id: formData.get('session_id'),
-            state: formData.get('state'),
-            api_url: formData.get('api_url'),
-            api_token: formData.get('api_token'),
-            store_code: formData.get('store_code'),
-          }),
-        });
-
-        const result = await response.json();
-
-        if (result.redirect_url) {
-          window.location.href = result.redirect_url;
-        } else if (result.error) {
-          errorEl.textContent = result.error;
-          errorEl.classList.add('visible');
-          submitBtn.disabled = false;
-          submitBtn.textContent = 'Connect Account';
-        }
-      } catch (err) {
-        errorEl.textContent = 'Connection failed. Please try again.';
-        errorEl.classList.add('visible');
-        submitBtn.disabled = false;
-        submitBtn.textContent = 'Connect Account';
-      }
-    });
-  </script>
-</body>
-</html>`;
-}
-function escapeHtml(text) {
-    const escapes = {
-        "&": "&amp;",
-        "<": "&lt;",
-        ">": "&gt;",
-        '"': "&quot;",
-        "'": "&#39;",
-    };
-    return text.replace(/[&<>"']/g, (c) => escapes[c]);
-}

package/dist/auth/storage.d.ts

@@ -1,16 +0,0 @@
-export interface StorageBackend {
-    get<T>(key: string): Promise<T | null>;
-    set<T>(key: string, value: T, ttlMs?: number): Promise<void>;
-    delete(key: string): Promise<void>;
-}
-/**
- * Get the storage backend (Redis if available, otherwise in-memory)
- */
-export declare function getStorage(): StorageBackend;
-export declare const KEYS: {
-    client: (id: string) => string;
-    authCode: (code: string) => string;
-    session: (id: string) => string;
-    token: (token: string) => string;
-    config: (clientId: string) => string;
-};

package/dist/auth/storage.js

@@ -1,120 +0,0 @@
-/**
- * Storage abstraction for OAuth data
- * Uses Redis if REDIS_URL is set, otherwise falls back to in-memory storage
- */
-import { Redis } from "ioredis";
-/**
- * In-memory storage for local development
- * Includes periodic cleanup to prevent memory leaks from expired entries
- */
-class InMemoryStorage {
-    data = new Map();
-    cleanupInterval;
-    constructor() {
-        // Periodic cleanup every 5 minutes to remove expired entries
-        this.cleanupInterval = setInterval(() => this.cleanup(), 5 * 60 * 1000);
-        this.cleanupInterval.unref(); // Don't prevent process exit
-    }
-    cleanup() {
-        const now = Date.now();
-        for (const [key, entry] of this.data) {
-            if (entry.expiresAt && entry.expiresAt < now) {
-                this.data.delete(key);
-            }
-        }
-    }
-    async get(key) {
-        const entry = this.data.get(key);
-        if (!entry)
-            return null;
-        if (entry.expiresAt && entry.expiresAt < Date.now()) {
-            this.data.delete(key);
-            return null;
-        }
-        return entry.value;
-    }
-    async set(key, value, ttlMs) {
-        this.data.set(key, {
-            value,
-            expiresAt: ttlMs ? Date.now() + ttlMs : undefined,
-        });
-    }
-    async delete(key) {
-        this.data.delete(key);
-    }
-    /**
-     * Close the storage and clean up resources
-     */
-    close() {
-        clearInterval(this.cleanupInterval);
-        this.data.clear();
-    }
-}
-/**
- * Redis storage for production
- */
-class RedisStorage {
-    client;
-    constructor(redisUrl) {
-        this.client = new Redis(redisUrl, {
-            maxRetriesPerRequest: 3,
-            retryStrategy: (times) => Math.min(times * 100, 3000),
-        });
-        this.client.on("error", (err) => {
-            console.error("Redis connection error:", err.message);
-        });
-        this.client.on("connect", () => {
-            console.log("Connected to Redis");
-        });
-    }
-    async get(key) {
-        const data = await this.client.get(key);
-        if (!data)
-            return null;
-        try {
-            return JSON.parse(data);
-        }
-        catch {
-            return null;
-        }
-    }
-    async set(key, value, ttlMs) {
-        const data = JSON.stringify(value);
-        if (ttlMs) {
-            await this.client.set(key, data, "PX", ttlMs);
-        }
-        else {
-            await this.client.set(key, data);
-        }
-    }
-    async delete(key) {
-        await this.client.del(key);
-    }
-}
-// Singleton storage instance
-let storage = null;
-/**
- * Get the storage backend (Redis if available, otherwise in-memory)
- */
-export function getStorage() {
-    if (storage)
-        return storage;
-    const redisUrl = process.env.REDIS_URL;
-    if (redisUrl) {
-        console.log("Using Redis for OAuth storage");
-        storage = new RedisStorage(redisUrl);
-    }
-    else {
-        console.log("Using in-memory storage for OAuth (set REDIS_URL for persistence)");
-        storage = new InMemoryStorage();
-    }
-    return storage;
-}
-// Storage key prefixes
-export const KEYS = {
-    client: (id) => `oauth:client:${id}`,
-    authCode: (code) => `oauth:code:${code}`,
-    session: (id) => `oauth:session:${id}`,
-    token: (token) => `oauth:token:${token}`,
-    config: (clientId) => `oauth:config:${clientId}`,
-};

package/dist/http.d.ts

@@ -1,2 +0,0 @@
-#!/usr/bin/env node
-import "dotenv/config";

package/dist/http.js

@@ -1,319 +0,0 @@
-#!/usr/bin/env node
-import "dotenv/config";
-import express from "express";
-import cors from "cors";
-import helmet from "helmet";
-import rateLimit from "express-rate-limit";
-import { randomUUID } from "crypto";
-import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
-import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
-import { createServer, SERVER_INSTRUCTIONS } from "./server.js";
-import { getConfig, runWithConfig } from "./config.js";
-import { createOAuthProvider, completeAuthorization, validateOpenLoyaltyCredentials, getClientConfig, } from "./auth/provider.js";
-// Check if OAuth mode is enabled
-const OAUTH_ENABLED = process.env.OAUTH_ENABLED === "true";
-const BASE_URL = process.env.BASE_URL || `http://localhost:${process.env.PORT || 3000}`;
-// In non-OAuth mode, validate config on startup
-if (!OAUTH_ENABLED) {
-    try {
-        getConfig();
-    }
-    catch (error) {
-        console.error("Configuration error:", error instanceof Error ? error.message : error);
-        process.exit(1);
-    }
-}
-const app = express();
-// CORS configuration - defaults to "*" for MCP clients, configurable for enterprise
-const CORS_ORIGIN = process.env.CORS_ORIGIN || "*";
-app.use(cors({
-    origin: CORS_ORIGIN,
-    methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-    allowedHeaders: ["Content-Type", "Authorization", "MCP-Session-Id", "MCP-Protocol-Version"],
-    exposedHeaders: ["MCP-Session-Id"],
-}));
-// Security headers
-app.use(helmet({
-    contentSecurityPolicy: {
-        directives: {
-            defaultSrc: ["'self'"],
-            scriptSrc: ["'self'"],
-            styleSrc: ["'self'", "'unsafe-inline'"], // Allow inline styles for OAuth form
-            imgSrc: ["'self'", "data:"],
-            connectSrc: ["'self'"],
-            fontSrc: ["'self'"],
-            objectSrc: ["'none'"],
-            frameAncestors: ["'none'"],
-        },
-    },
-    crossOriginEmbedderPolicy: false, // Disable for CORS compatibility
-    crossOriginResourcePolicy: { policy: "cross-origin" }, // Allow cross-origin for API
-}));
-// Rate limiting - global limit
-const globalLimiter = rateLimit({
-    windowMs: 15 * 60 * 1000, // 15 minutes
-    max: 100, // 100 requests per window
-    standardHeaders: true,
-    legacyHeaders: false,
-    message: { error: "Too many requests, please try again later." },
-});
-// Stricter rate limiting for auth endpoints (brute-force protection)
-const authLimiter = rateLimit({
-    windowMs: 60 * 1000, // 1 minute
-    max: 10, // 10 requests per minute
-    standardHeaders: true,
-    legacyHeaders: false,
-    message: { error: "Too many authentication attempts, please try again later." },
-});
-app.use(globalLimiter);
-// Body size limit to prevent DoS via large payloads (10MB generous for CSV imports)
-const BODY_LIMIT = process.env.BODY_LIMIT || "10mb";
-app.use(express.json({ limit: BODY_LIMIT }));
-// Store transports by session ID for stateful connections
-const transports = new Map();
-// Session TTL management to prevent memory leaks
-const SESSION_TTL_MS = parseInt(process.env.SESSION_TTL_MS || String(30 * 60 * 1000), 10); // Default: 30 minutes
-const SESSION_CLEANUP_INTERVAL_MS = parseInt(process.env.SESSION_CLEANUP_INTERVAL_MS || String(60 * 1000), 10); // Default: 1 minute
-const MAX_SESSIONS = parseInt(process.env.MAX_SESSIONS || "10000", 10); // Default: 10,000 sessions
-const sessionLastActivity = new Map();
-/**
- * Evict oldest sessions when limit is reached to prevent memory exhaustion
- */
-function evictOldestSessions() {
-    if (transports.size < MAX_SESSIONS)
-        return;
-    // Evict oldest 10% of sessions
-    const evictCount = Math.max(1, Math.floor(MAX_SESSIONS * 0.1));
-    const sortedSessions = [...sessionLastActivity.entries()]
-        .sort((a, b) => a[1] - b[1])
-        .slice(0, evictCount);
-    for (const [sessionId] of sortedSessions) {
-        const transport = transports.get(sessionId);
-        if (transport) {
-            try {
-                transport.close();
-            }
-            catch {
-                // Ignore close errors during eviction
-            }
-        }
-        transports.delete(sessionId);
-        sessionLastActivity.delete(sessionId);
-    }
-    console.warn(`Session limit reached (${MAX_SESSIONS}). Evicted ${sortedSessions.length} oldest sessions.`);
-}
-// Periodic cleanup of abandoned sessions
-const cleanupInterval = setInterval(() => {
-    const now = Date.now();
-    for (const [sessionId, lastActivity] of sessionLastActivity) {
-        if (now - lastActivity > SESSION_TTL_MS) {
-            const transport = transports.get(sessionId);
-            if (transport) {
-                transport.close();
-                transports.delete(sessionId);
-            }
-            sessionLastActivity.delete(sessionId);
-        }
-    }
-}, SESSION_CLEANUP_INTERVAL_MS);
-// Prevent cleanup interval from keeping the process alive
-cleanupInterval.unref();
-// Health check endpoint
-app.get("/health", (_req, res) => {
-    res.json({ status: "ok", server: "openloyalty-mcp", oauth: OAUTH_ENABLED });
-});
-// OAuth mode setup
-if (OAUTH_ENABLED) {
-    const provider = createOAuthProvider(BASE_URL);
-    // Apply stricter rate limiting to auth endpoints
-    app.use("/authorize", authLimiter);
-    app.use("/token", authLimiter);
-    app.use("/register", authLimiter);
-    // Add MCP SDK auth router (handles /.well-known/*, /authorize, /token, /register)
-    app.use(mcpAuthRouter({
-        provider,
-        issuerUrl: new URL(BASE_URL),
-        baseUrl: new URL(BASE_URL),
-        serviceDocumentationUrl: new URL("https://github.com/OpenLoyalty/openloyalty-mcp"),
-    }));
-    // Authorization form submission endpoint (also rate limited via /authorize prefix)
-    app.post("/authorize/submit", async (req, res) => {
-        const { session_id, api_url, api_token, store_code } = req.body;
-        if (!session_id || !api_url || !api_token || !store_code) {
-            res.status(400).json({ error: "Missing required fields" });
-            return;
-        }
-        const config = {
-            apiUrl: api_url.replace(/\/$/, ""),
-            apiToken: api_token,
-            storeCode: store_code,
-        };
-        // Validate credentials
-        const validation = await validateOpenLoyaltyCredentials(config);
-        if (!validation.valid) {
-            res.status(400).json({ error: validation.error });
-            return;
-        }
-        // Complete authorization
-        const result = await completeAuthorization(session_id, config);
-        if ("error" in result) {
-            res.status(400).json({ error: result.error });
-            return;
-        }
-        res.json({ redirect_url: result.redirectUrl });
-    });
-    // Auth middleware for /mcp endpoint
-    const authMiddleware = async (req, res, next) => {
-        const authHeader = req.headers.authorization;
-        if (!authHeader || !authHeader.startsWith("Bearer ")) {
-            res.status(401).json({ error: "Missing or invalid Authorization header" });
-            return;
-        }
-        const token = authHeader.slice(7);
-        try {
-            const authInfo = await provider.verifyAccessToken(token);
-            // Get client's Open Loyalty config
-            const config = await getClientConfig(authInfo.clientId);
-            if (!config) {
-                res.status(401).json({ error: "Open Loyalty not configured. Please re-authorize." });
-                return;
-            }
-            // Store config on request for use with runWithConfig() in handler
-            // This is thread-safe because each request has its own req object
-            req.oauthConfig = config;
-            req.clientId = authInfo.clientId;
-            next();
-        }
-        catch (error) {
-            res.status(401).json({
-                error: error instanceof Error ? error.message : "Authentication failed",
-            });
-        }
-    };
-    // Apply auth middleware to /mcp
-    app.use("/mcp", authMiddleware);
-}
-// Helper to handle MCP request processing
-async function handleMcpRequest(req, res) {
-    const sessionId = req.headers["mcp-session-id"];
-    // Handle GET requests for SSE streams
-    if (req.method === "GET") {
-        if (!sessionId || !transports.has(sessionId)) {
-            res.status(400).json({ error: "Invalid or missing session ID for SSE stream" });
-            return;
-        }
-        const transport = transports.get(sessionId);
-        // Update last activity for TTL tracking
-        sessionLastActivity.set(sessionId, Date.now());
-        await transport.handleRequest(req, res);
-        return;
-    }
-    // Handle DELETE requests for session cleanup
-    if (req.method === "DELETE") {
-        if (sessionId && transports.has(sessionId)) {
-            const transport = transports.get(sessionId);
-            await transport.close();
-            transports.delete(sessionId);
-            sessionLastActivity.delete(sessionId);
-            res.status(204).send();
-        }
-        else {
-            res.status(404).json({ error: "Session not found" });
-        }
-        return;
-    }
-    // Handle POST requests
-    if (req.method === "POST") {
-        // Check if this is an initialization request (no session ID)
-        if (!sessionId) {
-            // Evict oldest sessions if limit reached (DoS protection)
-            evictOldestSessions();
-            // Create new session
-            const newSessionId = randomUUID();
-            const transport = new StreamableHTTPServerTransport({
-                sessionIdGenerator: () => newSessionId,
-            });
-            // Create and connect server
-            const server = createServer();
-            await server.connect(transport);
-            // Store transport for future requests
-            transports.set(newSessionId, transport);
-            sessionLastActivity.set(newSessionId, Date.now());
-            // Clean up on close
-            transport.onclose = () => {
-                transports.delete(newSessionId);
-                sessionLastActivity.delete(newSessionId);
-            };
-            // Handle the request
-            await transport.handleRequest(req, res, req.body);
-            return;
-        }
-        // Existing session - route to stored transport
-        const transport = transports.get(sessionId);
-        if (!transport) {
-            res.status(404).json({ error: "Session not found. Initialize a new session first." });
-            return;
-        }
-        // Update last activity for TTL tracking
-        sessionLastActivity.set(sessionId, Date.now());
-        await transport.handleRequest(req, res, req.body);
-        return;
-    }
-    // Unsupported method
-    res.status(405).json({ error: "Method not allowed" });
-}
-// MCP endpoint - handles both initialization and messages
-app.all("/mcp", async (req, res) => {
-    // In OAuth mode, wrap request handling with runWithConfig for thread-safe config
-    if (OAUTH_ENABLED) {
-        const oauthConfig = req.oauthConfig;
-        if (oauthConfig) {
-            // Use runWithConfig for thread-safe, request-scoped config
-            await runWithConfig(oauthConfig, () => handleMcpRequest(req, res));
-            return;
-        }
-    }
-    // Non-OAuth mode or no config - use environment config
-    await handleMcpRequest(req, res);
-});
-// Server info endpoint
-app.get("/", (_req, res) => {
-    const endpoints = {
-        mcp: "/mcp",
-        health: "/health",
-    };
-    if (OAUTH_ENABLED) {
-        endpoints.authorize = "/authorize";
-        endpoints.token = "/token";
-        endpoints.register = "/register";
-        endpoints.oauth_metadata = "/.well-known/oauth-authorization-server";
-    }
-    res.json({
-        name: "Open Loyalty MCP Server",
-        version: "1.0.0",
-        transport: "streamable-http",
-        oauth: OAUTH_ENABLED,
-        endpoints,
-        instructions: SERVER_INSTRUCTIONS.slice(0, 500) + "...",
-    });
-});
-const PORT = parseInt(process.env.MCP_HTTP_PORT || process.env.PORT || "3000", 10);
-app.listen(PORT, () => {
-    console.log(`Open Loyalty MCP HTTP Server running on port ${PORT}`);
-    console.log(`  - MCP endpoint: http://localhost:${PORT}/mcp`);
-    console.log(`  - Health check: http://localhost:${PORT}/health`);
-    console.log(`  - Server info:  http://localhost:${PORT}/`);
-    if (OAUTH_ENABLED) {
-        console.log("");
-        console.log("OAuth 2.1 enabled:");
-        console.log(`  - Authorize:    ${BASE_URL}/authorize`);
-        console.log(`  - Token:        ${BASE_URL}/token`);
-        console.log(`  - Register:     ${BASE_URL}/register`);
-        console.log(`  - Metadata:     ${BASE_URL}/.well-known/oauth-authorization-server`);
-    }
-    else {
-        console.log("");
-        console.log("OAuth disabled. Using environment variables for API credentials.");
-        console.log("Set OAUTH_ENABLED=true and BASE_URL for OAuth mode.");
-    }
-});