npm - @opentabs-dev/mcp-server - Versions diffs - 0.0.19 - Mend

@opentabs-dev/mcp-server 0.0.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/dist/audit-disk.d.ts +23 -0
package/dist/audit-disk.d.ts.map +1 -0
package/dist/audit-disk.js +74 -0
package/dist/audit-disk.js.map +1 -0
package/dist/browser-tools/analyze-site/detect-apis.d.ts +36 -0
package/dist/browser-tools/analyze-site/detect-apis.d.ts.map +1 -0
package/dist/browser-tools/analyze-site/detect-apis.js +383 -0
package/dist/browser-tools/analyze-site/detect-apis.js.map +1 -0
package/dist/browser-tools/analyze-site/detect-auth.d.ts +72 -0
package/dist/browser-tools/analyze-site/detect-auth.d.ts.map +1 -0
package/dist/browser-tools/analyze-site/detect-auth.js +384 -0
package/dist/browser-tools/analyze-site/detect-auth.js.map +1 -0
package/dist/browser-tools/analyze-site/detect-dom.d.ts +65 -0
package/dist/browser-tools/analyze-site/detect-dom.d.ts.map +1 -0
package/dist/browser-tools/analyze-site/detect-dom.js +45 -0
package/dist/browser-tools/analyze-site/detect-dom.js.map +1 -0
package/dist/browser-tools/analyze-site/detect-framework.d.ts +48 -0
package/dist/browser-tools/analyze-site/detect-framework.d.ts.map +1 -0
package/dist/browser-tools/analyze-site/detect-framework.js +31 -0
package/dist/browser-tools/analyze-site/detect-framework.js.map +1 -0
package/dist/browser-tools/analyze-site/detect-globals.d.ts +41 -0
package/dist/browser-tools/analyze-site/detect-globals.d.ts.map +1 -0
package/dist/browser-tools/analyze-site/detect-globals.js +42 -0
package/dist/browser-tools/analyze-site/detect-globals.js.map +1 -0
package/dist/browser-tools/analyze-site/detect-storage.d.ts +39 -0
package/dist/browser-tools/analyze-site/detect-storage.d.ts.map +1 -0
package/dist/browser-tools/analyze-site/detect-storage.js +34 -0
package/dist/browser-tools/analyze-site/detect-storage.js.map +1 -0
package/dist/browser-tools/analyze-site/index.d.ts +52 -0
package/dist/browser-tools/analyze-site/index.d.ts.map +1 -0
package/dist/browser-tools/analyze-site/index.js +827 -0
package/dist/browser-tools/analyze-site/index.js.map +1 -0
package/dist/browser-tools/analyze-site.d.ts +17 -0
package/dist/browser-tools/analyze-site.d.ts.map +1 -0
package/dist/browser-tools/analyze-site.js +41 -0
package/dist/browser-tools/analyze-site.js.map +1 -0
package/dist/browser-tools/clear-console-logs.d.ts +9 -0
package/dist/browser-tools/clear-console-logs.d.ts.map +1 -0
package/dist/browser-tools/clear-console-logs.js +16 -0
package/dist/browser-tools/clear-console-logs.js.map +1 -0
package/dist/browser-tools/click-element.d.ts +10 -0
package/dist/browser-tools/click-element.d.ts.map +1 -0
package/dist/browser-tools/click-element.js +22 -0
package/dist/browser-tools/click-element.js.map +1 -0
package/dist/browser-tools/close-tab.d.ts +9 -0
package/dist/browser-tools/close-tab.d.ts.map +1 -0
package/dist/browser-tools/close-tab.js +16 -0
package/dist/browser-tools/close-tab.js.map +1 -0
package/dist/browser-tools/definition.d.ts +26 -0
package/dist/browser-tools/definition.d.ts.map +1 -0
package/dist/browser-tools/definition.js +16 -0
package/dist/browser-tools/definition.js.map +1 -0
package/dist/browser-tools/delete-cookies.d.ts +10 -0
package/dist/browser-tools/delete-cookies.d.ts.map +1 -0
package/dist/browser-tools/delete-cookies.js +19 -0
package/dist/browser-tools/delete-cookies.js.map +1 -0
package/dist/browser-tools/disable-network-capture.d.ts +9 -0
package/dist/browser-tools/disable-network-capture.d.ts.map +1 -0
package/dist/browser-tools/disable-network-capture.js +16 -0
package/dist/browser-tools/disable-network-capture.js.map +1 -0
package/dist/browser-tools/enable-network-capture.d.ts +12 -0
package/dist/browser-tools/enable-network-capture.d.ts.map +1 -0
package/dist/browser-tools/enable-network-capture.js +42 -0
package/dist/browser-tools/enable-network-capture.js.map +1 -0
package/dist/browser-tools/execute-script.d.ts +19 -0
package/dist/browser-tools/execute-script.d.ts.map +1 -0
package/dist/browser-tools/execute-script.js +51 -0
package/dist/browser-tools/execute-script.js.map +1 -0
package/dist/browser-tools/extension-check-adapter.d.ts +11 -0
package/dist/browser-tools/extension-check-adapter.d.ts.map +1 -0
package/dist/browser-tools/extension-check-adapter.js +22 -0
package/dist/browser-tools/extension-check-adapter.js.map +1 -0
package/dist/browser-tools/extension-force-reconnect.d.ts +9 -0
package/dist/browser-tools/extension-force-reconnect.d.ts.map +1 -0
package/dist/browser-tools/extension-force-reconnect.js +19 -0
package/dist/browser-tools/extension-force-reconnect.js.map +1 -0
package/dist/browser-tools/extension-get-logs.d.ts +24 -0
package/dist/browser-tools/extension-get-logs.d.ts.map +1 -0
package/dist/browser-tools/extension-get-logs.js +34 -0
package/dist/browser-tools/extension-get-logs.js.map +1 -0
package/dist/browser-tools/extension-get-side-panel.d.ts +8 -0
package/dist/browser-tools/extension-get-side-panel.d.ts.map +1 -0
package/dist/browser-tools/extension-get-side-panel.js +17 -0
package/dist/browser-tools/extension-get-side-panel.js.map +1 -0
package/dist/browser-tools/extension-get-state.d.ts +9 -0
package/dist/browser-tools/extension-get-state.d.ts.map +1 -0
package/dist/browser-tools/extension-get-state.js +19 -0
package/dist/browser-tools/extension-get-state.js.map +1 -0
package/dist/browser-tools/focus-tab.d.ts +9 -0
package/dist/browser-tools/focus-tab.d.ts.map +1 -0
package/dist/browser-tools/focus-tab.js +17 -0
package/dist/browser-tools/focus-tab.js.map +1 -0
package/dist/browser-tools/get-console-logs.d.ts +18 -0
package/dist/browser-tools/get-console-logs.d.ts.map +1 -0
package/dist/browser-tools/get-console-logs.js +30 -0
package/dist/browser-tools/get-console-logs.js.map +1 -0
package/dist/browser-tools/get-cookies.d.ts +10 -0
package/dist/browser-tools/get-cookies.d.ts.map +1 -0
package/dist/browser-tools/get-cookies.js +23 -0
package/dist/browser-tools/get-cookies.js.map +1 -0
package/dist/browser-tools/get-network-requests.d.ts +10 -0
package/dist/browser-tools/get-network-requests.d.ts.map +1 -0
package/dist/browser-tools/get-network-requests.js +27 -0
package/dist/browser-tools/get-network-requests.js.map +1 -0
package/dist/browser-tools/get-page-html.d.ts +11 -0
package/dist/browser-tools/get-page-html.d.ts.map +1 -0
package/dist/browser-tools/get-page-html.js +32 -0
package/dist/browser-tools/get-page-html.js.map +1 -0
package/dist/browser-tools/get-resource-content.d.ts +11 -0
package/dist/browser-tools/get-resource-content.d.ts.map +1 -0
package/dist/browser-tools/get-resource-content.js +31 -0
package/dist/browser-tools/get-resource-content.js.map +1 -0
package/dist/browser-tools/get-storage.d.ts +14 -0
package/dist/browser-tools/get-storage.d.ts.map +1 -0
package/dist/browser-tools/get-storage.js +28 -0
package/dist/browser-tools/get-storage.js.map +1 -0
package/dist/browser-tools/get-tab-content.d.ts +11 -0
package/dist/browser-tools/get-tab-content.d.ts.map +1 -0
package/dist/browser-tools/get-tab-content.js +29 -0
package/dist/browser-tools/get-tab-content.js.map +1 -0
package/dist/browser-tools/get-tab-info.d.ts +9 -0
package/dist/browser-tools/get-tab-info.d.ts.map +1 -0
package/dist/browser-tools/get-tab-info.js +17 -0
package/dist/browser-tools/get-tab-info.js.map +1 -0
package/dist/browser-tools/handle-dialog.d.ts +14 -0
package/dist/browser-tools/handle-dialog.d.ts.map +1 -0
package/dist/browser-tools/handle-dialog.js +30 -0
package/dist/browser-tools/handle-dialog.js.map +1 -0
package/dist/browser-tools/hover-element.d.ts +11 -0
package/dist/browser-tools/hover-element.d.ts.map +1 -0
package/dist/browser-tools/hover-element.js +24 -0
package/dist/browser-tools/hover-element.js.map +1 -0
package/dist/browser-tools/index.d.ts +7 -0
package/dist/browser-tools/index.d.ts.map +1 -0
package/dist/browser-tools/index.js +81 -0
package/dist/browser-tools/index.js.map +1 -0
package/dist/browser-tools/list-resources.d.ts +10 -0
package/dist/browser-tools/list-resources.d.ts.map +1 -0
package/dist/browser-tools/list-resources.js +29 -0
package/dist/browser-tools/list-resources.js.map +1 -0
package/dist/browser-tools/list-tabs.d.ts +7 -0
package/dist/browser-tools/list-tabs.d.ts.map +1 -0
package/dist/browser-tools/list-tabs.js +16 -0
package/dist/browser-tools/list-tabs.js.map +1 -0
package/dist/browser-tools/navigate-tab.d.ts +10 -0
package/dist/browser-tools/navigate-tab.d.ts.map +1 -0
package/dist/browser-tools/navigate-tab.js +18 -0
package/dist/browser-tools/navigate-tab.js.map +1 -0
package/dist/browser-tools/open-tab.d.ts +9 -0
package/dist/browser-tools/open-tab.d.ts.map +1 -0
package/dist/browser-tools/open-tab.js +18 -0
package/dist/browser-tools/open-tab.js.map +1 -0
package/dist/browser-tools/press-key.d.ts +17 -0
package/dist/browser-tools/press-key.d.ts.map +1 -0
package/dist/browser-tools/press-key.js +43 -0
package/dist/browser-tools/press-key.js.map +1 -0
package/dist/browser-tools/query-elements.d.ts +12 -0
package/dist/browser-tools/query-elements.d.ts.map +1 -0
package/dist/browser-tools/query-elements.js +30 -0
package/dist/browser-tools/query-elements.js.map +1 -0
package/dist/browser-tools/reload-extension.d.ts +13 -0
package/dist/browser-tools/reload-extension.d.ts.map +1 -0
package/dist/browser-tools/reload-extension.js +35 -0
package/dist/browser-tools/reload-extension.js.map +1 -0
package/dist/browser-tools/screenshot-tab.d.ts +9 -0
package/dist/browser-tools/screenshot-tab.d.ts.map +1 -0
package/dist/browser-tools/screenshot-tab.js +22 -0
package/dist/browser-tools/screenshot-tab.js.map +1 -0
package/dist/browser-tools/scroll.d.ts +23 -0
package/dist/browser-tools/scroll.d.ts.map +1 -0
package/dist/browser-tools/scroll.js +56 -0
package/dist/browser-tools/scroll.js.map +1 -0
package/dist/browser-tools/select-option.d.ts +12 -0
package/dist/browser-tools/select-option.d.ts.map +1 -0
package/dist/browser-tools/select-option.js +25 -0
package/dist/browser-tools/select-option.js.map +1 -0
package/dist/browser-tools/set-cookie.d.ts +16 -0
package/dist/browser-tools/set-cookie.d.ts.map +1 -0
package/dist/browser-tools/set-cookie.js +42 -0
package/dist/browser-tools/set-cookie.js.map +1 -0
package/dist/browser-tools/type-text.d.ts +12 -0
package/dist/browser-tools/type-text.d.ts.map +1 -0
package/dist/browser-tools/type-text.js +25 -0
package/dist/browser-tools/type-text.js.map +1 -0
package/dist/browser-tools/url-validation.d.ts +13 -0
package/dist/browser-tools/url-validation.d.ts.map +1 -0
package/dist/browser-tools/url-validation.js +23 -0
package/dist/browser-tools/url-validation.js.map +1 -0
package/dist/browser-tools/wait-for-element.d.ts +12 -0
package/dist/browser-tools/wait-for-element.d.ts.map +1 -0
package/dist/browser-tools/wait-for-element.js +29 -0
package/dist/browser-tools/wait-for-element.js.map +1 -0
package/dist/config.d.ts +99 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +344 -0
package/dist/config.js.map +1 -0
package/dist/dev-mode.d.ts +14 -0
package/dist/dev-mode.d.ts.map +1 -0
package/dist/dev-mode.js +15 -0
package/dist/dev-mode.js.map +1 -0
package/dist/discovery-legacy.d.ts +32 -0
package/dist/discovery-legacy.d.ts.map +1 -0
package/dist/discovery-legacy.js +415 -0
package/dist/discovery-legacy.js.map +1 -0
package/dist/discovery.d.ts +28 -0
package/dist/discovery.d.ts.map +1 -0
package/dist/discovery.js +97 -0
package/dist/discovery.js.map +1 -0
package/dist/extension-install.d.ts +27 -0
package/dist/extension-install.d.ts.map +1 -0
package/dist/extension-install.js +75 -0
package/dist/extension-install.js.map +1 -0
package/dist/extension-protocol.d.ts +130 -0
package/dist/extension-protocol.d.ts.map +1 -0
package/dist/extension-protocol.js +869 -0
package/dist/extension-protocol.js.map +1 -0
package/dist/file-watcher.d.ts +75 -0
package/dist/file-watcher.d.ts.map +1 -0
package/dist/file-watcher.js +616 -0
package/dist/file-watcher.js.map +1 -0
package/dist/http-routes.d.ts +88 -0
package/dist/http-routes.d.ts.map +1 -0
package/dist/http-routes.js +545 -0
package/dist/http-routes.js.map +1 -0
package/dist/index.d.ts +45 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +187 -0
package/dist/index.js.map +1 -0
package/dist/loader.d.ts +100 -0
package/dist/loader.d.ts.map +1 -0
package/dist/loader.js +402 -0
package/dist/loader.js.map +1 -0
package/dist/log-buffer.d.ts +33 -0
package/dist/log-buffer.d.ts.map +1 -0
package/dist/log-buffer.js +64 -0
package/dist/log-buffer.js.map +1 -0
package/dist/logger.d.ts +34 -0
package/dist/logger.d.ts.map +1 -0
package/dist/logger.js +81 -0
package/dist/logger.js.map +1 -0
package/dist/manifest-schema.d.ts +14 -0
package/dist/manifest-schema.d.ts.map +1 -0
package/dist/manifest-schema.js +51 -0
package/dist/manifest-schema.js.map +1 -0
package/dist/mcp-setup.d.ts +131 -0
package/dist/mcp-setup.d.ts.map +1 -0
package/dist/mcp-setup.js +673 -0
package/dist/mcp-setup.js.map +1 -0
package/dist/permissions.d.ts +59 -0
package/dist/permissions.d.ts.map +1 -0
package/dist/permissions.js +141 -0
package/dist/permissions.js.map +1 -0
package/dist/registry.d.ts +78 -0
package/dist/registry.d.ts.map +1 -0
package/dist/registry.js +187 -0
package/dist/registry.js.map +1 -0
package/dist/reload.d.ts +52 -0
package/dist/reload.d.ts.map +1 -0
package/dist/reload.js +326 -0
package/dist/reload.js.map +1 -0
package/dist/resolver.d.ts +53 -0
package/dist/resolver.d.ts.map +1 -0
package/dist/resolver.js +272 -0
package/dist/resolver.js.map +1 -0
package/dist/sanitize-error.d.ts +8 -0
package/dist/sanitize-error.d.ts.map +1 -0
package/dist/sanitize-error.js +25 -0
package/dist/sanitize-error.js.map +1 -0
package/dist/sanitize-tool-output.d.ts +20 -0
package/dist/sanitize-tool-output.d.ts.map +1 -0
package/dist/sanitize-tool-output.js +52 -0
package/dist/sanitize-tool-output.js.map +1 -0
package/dist/sdk-version.d.ts +11 -0
package/dist/sdk-version.d.ts.map +1 -0
package/dist/sdk-version.js +23 -0
package/dist/sdk-version.js.map +1 -0
package/dist/shutdown.d.ts +28 -0
package/dist/shutdown.d.ts.map +1 -0
package/dist/shutdown.js +68 -0
package/dist/shutdown.js.map +1 -0
package/dist/skip-confirmation.d.ts +15 -0
package/dist/skip-confirmation.d.ts.map +1 -0
package/dist/skip-confirmation.js +16 -0
package/dist/skip-confirmation.js.map +1 -0
package/dist/skip-sanitization.d.ts +17 -0
package/dist/skip-sanitization.d.ts.map +1 -0
package/dist/skip-sanitization.js +18 -0
package/dist/skip-sanitization.js.map +1 -0
package/dist/skip-verification.d.ts +11 -0
package/dist/skip-verification.d.ts.map +1 -0
package/dist/skip-verification.js +12 -0
package/dist/skip-verification.js.map +1 -0
package/dist/state.d.ts +290 -0
package/dist/state.d.ts.map +1 -0
package/dist/state.js +111 -0
package/dist/state.js.map +1 -0
package/dist/verify-plugin.d.ts +53 -0
package/dist/verify-plugin.d.ts.map +1 -0
package/dist/verify-plugin.js +123 -0
package/dist/verify-plugin.js.map +1 -0
package/dist/version-check.d.ts +35 -0
package/dist/version-check.d.ts.map +1 -0
package/dist/version-check.js +111 -0
package/dist/version-check.js.map +1 -0
package/dist/version.d.ts +10 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +22 -0
package/dist/version.js.map +1 -0
package/package.json +28 -0

package/dist/http-routes.d.ts ADDED Viewed

@@ -0,0 +1,88 @@
+/**
+ * HTTP and WebSocket route handlers.
+ *
+ * Extracted from index.ts so that the entry point is a thin frozen shell
+ * (Bun.serve() delegate, HotState management, reload orchestration) while
+ * all routing logic lives here and hot-reloads freely.
+ *
+ * Includes sweepStaleSessions() to prevent memory leaks in the sessionServers
+ * array. If an MCP client drops the TCP connection without a proper close
+ * (network partition, OOM kill), the onsessionclosed / transport.onclose
+ * callbacks may never fire, leaving ghost entries. The sweep runs on each
+ * hot reload and removes entries whose transport is no longer in the map.
+ */
+import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js';
+import type { McpServerInstance } from './mcp-setup.js';
+import type { ServerState } from './state.js';
+import type { WsHandle } from '@opentabs-dev/shared';
+/** Opaque HotState accessor — index.ts injects the getter */
+type GetHotState = () => {
+    reloadCount: number;
+    lastReloadTimestamp: number;
+    lastReloadDurationMs: number;
+} | undefined;
+/** Dependencies injected by index.ts to avoid circular imports */
+interface RouteDeps {
+    state: ServerState;
+    transports: Map<string, WebStandardStreamableHTTPServerTransport>;
+    sessionServers: McpServerInstance[];
+    getHotState: GetHotState;
+}
+/**
+ * Constant-time string comparison using crypto.timingSafeEqual.
+ * Rejects early on length mismatch (length is not secret — only content is).
+ */
+declare const constantTimeEqual: (a: string, b: string) => boolean;
+/**
+ * Check Bearer token in the Authorization header against the server's shared secret.
+ * Returns a 401 Response if authentication fails, or null if authentication succeeds.
+ * When no secret is configured (wsSecret is null), all requests are allowed through.
+ * Uses constant-time comparison to prevent timing side-channel attacks.
+ */
+declare const checkBearerAuth: (req: Request, wsSecret: string | null) => Response | null;
+/**
+ * Check whether a Host header value refers to a localhost address.
+ * Strips the optional port suffix before comparing against the allowed set.
+ * Handles IPv6 bracket notation (e.g., `[::1]:9515`).
+ */
+declare const isLocalhostHost: (hostHeader: string) => boolean;
+/** Hot-reloadable handler functions for the Bun.serve() delegate shell */
+interface HotHandlers {
+    /** HTTP request handler — all routing logic */
+    fetch: (req: Request, bunServer: {
+        upgrade: (req: Request, opts: {
+            data: unknown;
+            headers?: HeadersInit;
+        }) => boolean;
+        timeout: (req: Request, seconds: number) => void;
+    }) => Promise<Response | undefined>;
+    /** Extension WebSocket opened */
+    wsOpen: (ws: WsHandle) => void;
+    /** Extension WebSocket message received */
+    wsMessage: (ws: WsHandle, message: string | ArrayBuffer | Uint8Array) => void;
+    /** Extension WebSocket closed */
+    wsClose: (ws: WsHandle) => void;
+}
+/**
+ * Create all hot-reloadable handler functions.
+ * Called on every module evaluation (first load + hot reloads) to produce
+ * fresh closures over the latest module imports.
+ */
+declare const createHandlers: (deps: RouteDeps) => HotHandlers;
+/**
+ * Remove sessionServers entries whose transport is no longer in the transports
+ * map. This prevents unbounded growth when MCP clients disconnect ungracefully
+ * (network partition, OOM kill) and the onsessionclosed / transport.onclose
+ * callbacks never fire.
+ *
+ * Each session server is tracked in state.sessionTransportIds (a WeakMap keyed
+ * by the McpServerInstance) with the transport session ID it was connected to.
+ * A session is stale if its transport ID is absent from the active transports
+ * map — meaning the transport was cleaned up but the session server was not.
+ *
+ * Called on each hot reload from reload.ts.
+ */
+declare const sweepStaleSessions: (state: ServerState, transports: Map<string, WebStandardStreamableHTTPServerTransport>, sessionServers: McpServerInstance[]) => number;
+export type { HotHandlers };
+export { checkBearerAuth, constantTimeEqual, createHandlers, isLocalhostHost, sweepStaleSessions };
+//# sourceMappingURL=http-routes.d.ts.map

package/dist/http-routes.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"http-routes.d.ts","sourceRoot":"","sources":["../src/http-routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAkBH,OAAO,EAAE,wCAAwC,EAAE,MAAM,+DAA+D,CAAC;AAIzH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,KAAK,EAAc,WAAW,EAAE,MAAM,YAAY,CAAC;AAC1D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAErD,6DAA6D;AAC7D,KAAK,WAAW,GAAG,MAAM;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,mBAAmB,EAAE,MAAM,CAAC;IAAC,oBAAoB,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAAC;AAExH,kEAAkE;AAClE,UAAU,SAAS;IACjB,KAAK,EAAE,WAAW,CAAC;IACnB,UAAU,EAAE,GAAG,CAAC,MAAM,EAAE,wCAAwC,CAAC,CAAC;IAClE,cAAc,EAAE,iBAAiB,EAAE,CAAC;IACpC,WAAW,EAAE,WAAW,CAAC;CAC1B;AAgCD;;;GAGG;AACH,QAAA,MAAM,iBAAiB,GAAI,GAAG,MAAM,EAAE,GAAG,MAAM,KAAG,OAGjD,CAAC;AAEF;;;;;GAKG;AACH,QAAA,MAAM,eAAe,GAAI,KAAK,OAAO,EAAE,UAAU,MAAM,GAAG,IAAI,KAAG,QAAQ,GAAG,IAQ3E,CAAC;AAKF;;;;GAIG;AACH,QAAA,MAAM,eAAe,GAAI,YAAY,MAAM,KAAG,OAa7C,CAAC;AAicF,0EAA0E;AAC1E,UAAU,WAAW;IACnB,+CAA+C;IAC/C,KAAK,EAAE,CACL,GAAG,EAAE,OAAO,EACZ,SAAS,EAAE;QACT,OAAO,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE;YAAE,IAAI,EAAE,OAAO,CAAC;YAAC,OAAO,CAAC,EAAE,WAAW,CAAA;SAAE,KAAK,OAAO,CAAC;QACnF,OAAO,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;KAClD,KACE,OAAO,CAAC,QAAQ,GAAG,SAAS,CAAC,CAAC;IACnC,iCAAiC;IACjC,MAAM,EAAE,CAAC,EAAE,EAAE,QAAQ,KAAK,IAAI,CAAC;IAC/B,2CAA2C;IAC3C,SAAS,EAAE,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,GAAG,WAAW,GAAG,UAAU,KAAK,IAAI,CAAC;IAC9E,iCAAiC;IACjC,OAAO,EAAE,CAAC,EAAE,EAAE,QAAQ,KAAK,IAAI,CAAC;CACjC;AAED;;;;GAIG;AACH,QAAA,MAAM,cAAc,GAAI,MAAM,SAAS,KAAG,WAQzC,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,QAAA,MAAM,kBAAkB,GACtB,OAAO,WAAW,EAClB,YAAY,GAAG,CAAC,MAAM,EAAE,wCAAwC,CAAC,EACjE,gBAAgB,iBAAiB,EAAE,KAClC,MAqBF,CAAC;AAEF,YAAY,EAAE,WAAW,EAAE,CAAC;AAC5B,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,cAAc,EAAE,eAAe,EAAE,kBAAkB,EAAE,CAAC"}

package/dist/http-routes.js ADDED Viewed

@@ -0,0 +1,545 @@
+/**
+ * HTTP and WebSocket route handlers.
+ *
+ * Extracted from index.ts so that the entry point is a thin frozen shell
+ * (Bun.serve() delegate, HotState management, reload orchestration) while
+ * all routing logic lives here and hot-reloads freely.
+ *
+ * Includes sweepStaleSessions() to prevent memory leaks in the sessionServers
+ * array. If an MCP client drops the TCP connection without a proper close
+ * (network partition, OOM kill), the onsessionclosed / transport.onclose
+ * callbacks may never fire, leaving ghost entries. The sweep runs on each
+ * hot reload and removes entries whose transport is no longer in the map.
+ */
+import { saveToolConfig } from './config.js';
+import { isDev } from './dev-mode.js';
+import { handleExtensionMessage, sendSyncFull, sendExtensionReload, rejectAllPendingConfirmations, } from './extension-protocol.js';
+import { getLogCount } from './log-buffer.js';
+import { log } from './logger.js';
+import { createMcpServer, notifyToolListChanged } from './mcp-setup.js';
+import { performConfigReload } from './reload.js';
+import { sanitizeErrorMessage } from './sanitize-error.js';
+import { sdkVersion } from './sdk-version.js';
+import { getNextRequestId, prefixedToolName, STATE_SCHEMA_VERSION } from './state.js';
+import { version } from './version.js';
+import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js';
+import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
+import { timingSafeEqual } from 'node:crypto';
+/** Callbacks for extension protocol → MCP server integration */
+const createMcpCallbacks = (state, sessionServers) => ({
+    onToolConfigChanged: () => {
+        for (const srv of sessionServers) {
+            notifyToolListChanged(srv);
+        }
+    },
+    onToolConfigPersist: () => {
+        saveToolConfig(state, { ...state.toolConfig }).catch(() => {
+            // Error already logged by saveToolConfig
+        });
+    },
+    onPluginLog: entry => {
+        const mcpLevel = entry.level;
+        const logger = `plugin:${entry.plugin}`;
+        const data = entry.data !== undefined ? `${entry.message} ${JSON.stringify(entry.data)}` : entry.message;
+        // Write to console (flows to server.log via start.ts tee pipeline)
+        const levelTag = entry.level.toUpperCase();
+        const dataStr = entry.data !== undefined ? ` ${JSON.stringify(entry.data)}` : '';
+        console.log(`[plugin:${entry.plugin}] ${entry.ts} ${levelTag} ${entry.message}${dataStr}`);
+        for (const srv of sessionServers) {
+            srv.sendLoggingMessage({ level: mcpLevel, logger, data }).catch(() => {
+                // Best-effort — client may have disconnected
+            });
+        }
+    },
+});
+/**
+ * Constant-time string comparison using crypto.timingSafeEqual.
+ * Rejects early on length mismatch (length is not secret — only content is).
+ */
+const constantTimeEqual = (a, b) => {
+    if (a.length !== b.length)
+        return false;
+    return timingSafeEqual(Buffer.from(a), Buffer.from(b));
+};
+/**
+ * Check Bearer token in the Authorization header against the server's shared secret.
+ * Returns a 401 Response if authentication fails, or null if authentication succeeds.
+ * When no secret is configured (wsSecret is null), all requests are allowed through.
+ * Uses constant-time comparison to prevent timing side-channel attacks.
+ */
+const checkBearerAuth = (req, wsSecret) => {
+    if (!wsSecret)
+        return null;
+    const authHeader = req.headers.get('Authorization');
+    const token = authHeader?.startsWith('Bearer ') ? authHeader.slice(7) : null;
+    if (!token || !constantTimeEqual(token, wsSecret)) {
+        return new Response('Unauthorized', { status: 401 });
+    }
+    return null;
+};
+/** Allowed hostnames for the Host header (DNS rebinding protection) */
+const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
+/**
+ * Check whether a Host header value refers to a localhost address.
+ * Strips the optional port suffix before comparing against the allowed set.
+ * Handles IPv6 bracket notation (e.g., `[::1]:9515`).
+ */
+const isLocalhostHost = (hostHeader) => {
+    let hostname;
+    if (hostHeader.startsWith('[')) {
+        // IPv6 bracket notation: [::1] or [::1]:9515
+        const closeBracket = hostHeader.indexOf(']');
+        if (closeBracket === -1)
+            return false;
+        hostname = hostHeader.slice(1, closeBracket);
+    }
+    else {
+        // IPv4 or hostname: localhost, localhost:9515, 127.0.0.1:9515
+        const colonIdx = hostHeader.lastIndexOf(':');
+        hostname = colonIdx === -1 ? hostHeader : hostHeader.slice(0, colonIdx);
+    }
+    return ALLOWED_HOSTS.has(hostname);
+};
+// --- Rate limiting for administrative endpoints ---
+const endpointCallTimestamps = new Map();
+const checkEndpointRateLimit = (endpoint, maxPerMinute) => {
+    const now = Date.now();
+    const timestamps = (endpointCallTimestamps.get(endpoint) ?? []).filter(t => now - t < 60_000);
+    if (timestamps.length >= maxPerMinute) {
+        endpointCallTimestamps.set(endpoint, timestamps);
+        return false;
+    }
+    timestamps.push(now);
+    endpointCallTimestamps.set(endpoint, timestamps);
+    return true;
+};
+/** Compute aggregate audit statistics from the audit log buffer */
+const computeAuditSummary = (auditLog) => {
+    const totalInvocations = auditLog.length;
+    let successCount = 0;
+    let failureCount = 0;
+    let totalDurationMs = 0;
+    let last24hTotal = 0;
+    let last24hSuccess = 0;
+    let last24hFailure = 0;
+    const cutoff = Date.now() - 86_400_000;
+    for (const entry of auditLog) {
+        if (entry.success) {
+            successCount++;
+        }
+        else {
+            failureCount++;
+        }
+        totalDurationMs += entry.durationMs;
+        if (new Date(entry.timestamp).getTime() >= cutoff) {
+            last24hTotal++;
+            if (entry.success) {
+                last24hSuccess++;
+            }
+            else {
+                last24hFailure++;
+            }
+        }
+    }
+    const avgDurationMs = totalInvocations > 0 ? Math.round((totalDurationMs / totalInvocations) * 10) / 10 : 0;
+    return {
+        totalInvocations,
+        successCount,
+        failureCount,
+        last24h: {
+            total: last24hTotal,
+            success: last24hSuccess,
+            failure: last24hFailure,
+        },
+        avgDurationMs,
+    };
+};
+const createHandleFetch = ({ state, transports, sessionServers, getHotState }) => async (req, bunServer) => {
+    const url = new URL(req.url);
+    // --- Host header validation (DNS rebinding protection) ---
+    // Reject requests with a non-localhost Host header. A DNS rebinding
+    // attack re-maps a malicious domain to 127.0.0.1, so the browser sends
+    // requests to our loopback server with Host: evil.com. Checking the Host
+    // header is the standard mitigation (CVE-2025-66414 class).
+    const hostHeader = req.headers.get('Host');
+    if (!hostHeader || !isLocalhostHost(hostHeader)) {
+        return new Response('Forbidden: invalid Host header', { status: 403 });
+    }
+    // --- CORS protection ---
+    // MCP clients (Claude Code, etc.) don't run in browsers, so legitimate
+    // requests never carry an Origin header. Reject requests with an Origin
+    // header to prevent DNS rebinding attacks from malicious web pages.
+    //
+    // Chrome extension requests carry an Origin of `chrome-extension://...`
+    // and must be allowed through — the extension's background script
+    // fetches /ws-info to obtain the authenticated WebSocket URL.
+    const origin = req.headers.get('Origin');
+    if (origin && !origin.startsWith('chrome-extension://')) {
+        return new Response('Forbidden: browser requests are not allowed', { status: 403 });
+    }
+    // --- WebSocket upgrade for extension ---
+    if (url.pathname === '/ws') {
+        // Authenticate WebSocket connections using a shared secret sent via
+        // the Sec-WebSocket-Protocol header (not URL query params, which leak
+        // into server logs, browser history, and proxy logs).
+        // The client sends protocols: ['opentabs', '<secret>'] and the server
+        // echoes 'opentabs' as the accepted subprotocol.
+        // Uses constant-time comparison to prevent timing side-channel attacks.
+        if (state.wsSecret) {
+            const protocols = req.headers.get('sec-websocket-protocol');
+            const parts = protocols?.split(',').map(p => p.trim()) ?? [];
+            let secretMatched = false;
+            for (const part of parts) {
+                if (constantTimeEqual(part, state.wsSecret)) {
+                    secretMatched = true;
+                }
+            }
+            if (!secretMatched) {
+                return new Response('Unauthorized', { status: 401 });
+            }
+            const upgraded = bunServer.upgrade(req, {
+                data: undefined,
+                headers: { 'sec-websocket-protocol': 'opentabs' },
+            });
+            if (!upgraded) {
+                return new Response('WebSocket upgrade failed', { status: 400 });
+            }
+            return undefined;
+        }
+        const upgraded = bunServer.upgrade(req, { data: undefined });
+        if (!upgraded) {
+            return new Response('WebSocket upgrade failed', { status: 400 });
+        }
+        return undefined;
+    }
+    // --- WebSocket info endpoint (for extension authentication) ---
+    // Returns the WebSocket URL and secret as separate fields. The secret
+    // is sent via the Sec-WebSocket-Protocol header during the upgrade,
+    // keeping it out of URLs, logs, and browser history.
+    //
+    // Requires Bearer auth. The extension bootstraps the secret from
+    // auth.json (bundled in the extension directory at install time)
+    // and uses it for all /ws-info requests.
+    if (url.pathname === '/ws-info' && req.method === 'GET') {
+        const authError = checkBearerAuth(req, state.wsSecret);
+        if (authError)
+            return authError;
+        const wsUrl = `ws://${url.host}/ws`;
+        return Response.json({ wsUrl, wsSecret: state.wsSecret });
+    }
+    // --- Health endpoint ---
+    // Unauthenticated requests get a minimal status response (alive check only).
+    // Authenticated requests get the full response with plugin details, paths, etc.
+    if (url.pathname === '/health' && req.method === 'GET') {
+        const authenticated = checkBearerAuth(req, state.wsSecret) === null;
+        if (!authenticated) {
+            return Response.json({
+                status: 'ok',
+                version,
+                extensionConnected: state.extensionWs !== null,
+            });
+        }
+        const hs = getHotState();
+        const pluginDetails = [...state.registry.plugins.values()].map(p => ({
+            name: p.name,
+            displayName: p.displayName,
+            toolCount: p.tools.length,
+            tools: p.tools.map(t => prefixedToolName(p.name, t.name)),
+            tabState: state.tabMapping.get(p.name)?.state ?? 'closed',
+            source: p.source,
+            sdkVersion: p.sdkVersion ?? null,
+            logBufferSize: getLogCount(p.name),
+            ...(p.iconSvg ? { iconSvg: p.iconSvg } : {}),
+        }));
+        const toolCount = state.registry.toolLookup.size + state.cachedBrowserTools.length;
+        const uptimeSeconds = Math.floor((Date.now() - state.startedAt) / 1000);
+        const pendingPlugins = state.fileWatcherEntries.filter(e => e.pluginName.startsWith('(pending:')).length;
+        const watchedPlugins = state.fileWatcherEntries.length - pendingPlugins;
+        const auditSummary = computeAuditSummary(state.auditLog);
+        const disabledBrowserTools = state.cachedBrowserTools
+            .filter(c => state.browserToolPolicy[c.name] === false)
+            .map(c => c.name);
+        return Response.json({
+            status: 'ok',
+            version,
+            sdkVersion,
+            mode: isDev() ? 'dev' : 'production',
+            extensionConnected: state.extensionWs !== null,
+            mcpClients: transports.size,
+            plugins: state.registry.plugins.size,
+            pluginDetails,
+            failedPlugins: [...state.registry.failures],
+            discoveryErrors: [...state.discoveryErrors],
+            toolCount,
+            disabledBrowserTools,
+            confirmationBypassed: state.skipConfirmation,
+            uptime: uptimeSeconds,
+            reloadCount: hs?.reloadCount ?? 0,
+            lastReloadTimestamp: hs?.lastReloadTimestamp ?? 0,
+            lastReloadDurationMs: hs?.lastReloadDurationMs ?? 0,
+            stateSchemaVersion: STATE_SCHEMA_VERSION,
+            fileWatcher: {
+                watchedPlugins,
+                pendingPlugins,
+                lastPollAt: state.mtimeLastPollAt,
+                pollDetections: state.mtimePollDetections,
+            },
+            auditSummary,
+        });
+    }
+    // --- Audit log endpoint ---
+    if (url.pathname === '/audit' && req.method === 'GET') {
+        const authError = checkBearerAuth(req, state.wsSecret);
+        if (authError)
+            return authError;
+        const limitParam = parseInt(url.searchParams.get('limit') ?? '50', 10);
+        const limit = Math.max(1, Math.min(500, Number.isNaN(limitParam) ? 50 : limitParam));
+        const pluginFilter = url.searchParams.get('plugin');
+        const toolFilter = url.searchParams.get('tool');
+        const successParam = url.searchParams.get('success');
+        const successFilter = successParam === 'true' ? true : successParam === 'false' ? false : undefined;
+        let entries = [...state.auditLog].reverse();
+        if (pluginFilter)
+            entries = entries.filter(e => e.plugin === pluginFilter);
+        if (toolFilter)
+            entries = entries.filter(e => e.tool === toolFilter);
+        if (successFilter !== undefined)
+            entries = entries.filter(e => e.success === successFilter);
+        entries = entries.slice(0, limit);
+        return Response.json(entries);
+    }
+    // --- Config/plugin rediscovery endpoint ---
+    if (url.pathname === '/reload' && req.method === 'POST') {
+        const authError = checkBearerAuth(req, state.wsSecret);
+        if (authError)
+            return authError;
+        if (!checkEndpointRateLimit('/reload', 10)) {
+            return new Response('Too Many Requests', { status: 429, headers: { 'Retry-After': '60' } });
+        }
+        try {
+            const result = await performConfigReload(state, sessionServers, transports);
+            return Response.json({
+                ok: true,
+                plugins: result.plugins,
+                durationMs: result.durationMs,
+            });
+        }
+        catch (err) {
+            log.error('Config reload failed:', err);
+            const rawMsg = err instanceof Error ? err.message : String(err);
+            return Response.json({ ok: false, error: sanitizeErrorMessage(rawMsg) }, { status: 500 });
+        }
+    }
+    // --- Extension reload endpoint ---
+    if (url.pathname === '/extension/reload' && req.method === 'POST') {
+        const authError = checkBearerAuth(req, state.wsSecret);
+        if (authError)
+            return authError;
+        if (!checkEndpointRateLimit('/extension/reload', 10)) {
+            return new Response('Too Many Requests', { status: 429, headers: { 'Retry-After': '60' } });
+        }
+        if (!state.extensionWs) {
+            return Response.json({ ok: false, error: 'Extension not connected' }, { status: 503 });
+        }
+        const id = getNextRequestId();
+        state.extensionWs.send(JSON.stringify({ jsonrpc: '2.0', method: 'extension.reload', id }));
+        return Response.json({ ok: true, message: 'Reload signal sent to extension' });
+    }
+    // --- MCP Streamable HTTP transport ---
+    if (url.pathname === '/mcp') {
+        const authError = checkBearerAuth(req, state.wsSecret);
+        if (authError)
+            return authError;
+        // Disable Bun's per-connection idle timeout for MCP requests.
+        // Tool dispatches can take up to DISPATCH_TIMEOUT_MS (30s) and the
+        // Streamable HTTP transport holds the response open until the tool
+        // result arrives. The default idle timeout (10s) would close the
+        // connection before long-running dispatches complete.
+        bunServer.timeout(req, 0);
+        const sessionId = req.headers.get('mcp-session-id');
+        if (req.method === 'POST') {
+            // Existing session
+            if (sessionId) {
+                const existingTransport = transports.get(sessionId);
+                if (existingTransport) {
+                    return existingTransport.handleRequest(req);
+                }
+            }
+            // New session — rate-limit session creation to prevent resource exhaustion
+            if (!checkEndpointRateLimit('/mcp-session-create', 5)) {
+                return new Response('Too Many Requests', { status: 429, headers: { 'Retry-After': '60' } });
+            }
+            // Check if it's an initialize request
+            const body = await req.json().catch(() => null);
+            if (body && isInitializeRequest(body)) {
+                let sessionServer = null;
+                const removeSession = () => {
+                    if (sessionServer) {
+                        const idx = sessionServers.indexOf(sessionServer);
+                        if (idx !== -1)
+                            sessionServers.splice(idx, 1);
+                        sessionServer = null;
+                    }
+                };
+                const transport = new WebStandardStreamableHTTPServerTransport({
+                    sessionIdGenerator: () => crypto.randomUUID(),
+                    onsessioninitialized: (sid) => {
+                        transports.set(sid, transport);
+                        // Track which transport this session is connected to for stale sweep
+                        if (sessionServer) {
+                            state.sessionTransportIds.set(sessionServer, sid);
+                        }
+                        log.info(`MCP client connected (session: ${sid})`);
+                    },
+                    onsessionclosed: (sid) => {
+                        transports.delete(sid);
+                        removeSession();
+                        log.info(`MCP client disconnected (session: ${sid})`);
+                    },
+                });
+                transport.onclose = () => {
+                    if (transport.sessionId) {
+                        transports.delete(transport.sessionId);
+                    }
+                    removeSession();
+                };
+                try {
+                    sessionServer = await createMcpServer(state);
+                    sessionServers.push(sessionServer);
+                    await sessionServer.connect(transport);
+                    return await transport.handleRequest(req, { parsedBody: body });
+                }
+                catch (err) {
+                    removeSession();
+                    throw err;
+                }
+            }
+            return Response.json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32600,
+                    message: 'Bad Request: missing session or not an initialize request',
+                },
+                id: null,
+            }, { status: 400 });
+        }
+        if (req.method === 'GET') {
+            const getTransport = sessionId ? transports.get(sessionId) : undefined;
+            if (getTransport) {
+                return getTransport.handleRequest(req);
+            }
+            return new Response('Missing or invalid session', { status: 400 });
+        }
+        if (req.method === 'DELETE') {
+            const delTransport = sessionId ? transports.get(sessionId) : undefined;
+            if (delTransport) {
+                return delTransport.handleRequest(req);
+            }
+            return new Response('Missing or invalid session', { status: 400 });
+        }
+        return new Response('Method not allowed', { status: 405 });
+    }
+    return new Response('Not Found', { status: 404 });
+};
+const createHandleWsOpen = (state) => (ws) => {
+    const previousWs = state.extensionWs;
+    // Assign the new WS BEFORE closing the previous one. Bun fires the
+    // close handler synchronously during ws.close(), so if extensionWs
+    // still pointed at the old WS the close handler would see
+    // `state.extensionWs === ws` (true) and reject all pending dispatches
+    // with "Extension disconnected" — even though a new connection is
+    // already taking over.
+    log.info('Extension WebSocket connected');
+    state.extensionWs = ws;
+    if (previousWs && previousWs !== ws) {
+        log.info('Closing previous extension WebSocket (replaced by new connection)');
+        try {
+            previousWs.close(1000, 'Replaced by new connection');
+        }
+        catch {
+            // Already closed
+        }
+    }
+    void sendSyncFull(state).then(() => {
+        // After sync.full completes, check if there's a pending extension reload
+        // (extension files were updated while extension was disconnected).
+        // The delay ensures sync.full is processed before the extension reloads.
+        if (state.pendingExtensionReload) {
+            state.pendingExtensionReload = false;
+            log.info('Sending deferred extension reload (version was updated while extension was disconnected)');
+            setTimeout(() => sendExtensionReload(state), 500);
+        }
+    });
+};
+const createHandleWsMessage = (state, mcpCallbacks) => (ws, message) => {
+    const text = typeof message === 'string' ? message : new TextDecoder().decode(message);
+    handleExtensionMessage(state, text, mcpCallbacks, ws);
+};
+const createHandleWsClose = (state) => (ws) => {
+    log.info('Extension WebSocket disconnected');
+    if (state.extensionWs === ws) {
+        state.extensionWs = null;
+        // Reject all pending confirmations immediately so tool dispatch promises
+        // resolve with an error instead of hanging until confirmation timeout.
+        rejectAllPendingConfirmations(state);
+        // Reject all pending dispatches immediately so MCP clients get a fast
+        // error instead of hanging until the 30-second dispatch timeout fires.
+        if (state.pendingDispatches.size > 0) {
+            log.info(`Rejecting ${state.pendingDispatches.size} pending dispatch(es) due to extension disconnect`);
+            for (const [id, pending] of state.pendingDispatches) {
+                state.pendingDispatches.delete(id);
+                clearTimeout(pending.timerId);
+                pending.reject(new Error('Extension disconnected'));
+            }
+        }
+    }
+};
+/**
+ * Create all hot-reloadable handler functions.
+ * Called on every module evaluation (first load + hot reloads) to produce
+ * fresh closures over the latest module imports.
+ */
+const createHandlers = (deps) => {
+    const mcpCallbacks = createMcpCallbacks(deps.state, deps.sessionServers);
+    return {
+        fetch: createHandleFetch(deps),
+        wsOpen: createHandleWsOpen(deps.state),
+        wsMessage: createHandleWsMessage(deps.state, mcpCallbacks),
+        wsClose: createHandleWsClose(deps.state),
+    };
+};
+/**
+ * Remove sessionServers entries whose transport is no longer in the transports
+ * map. This prevents unbounded growth when MCP clients disconnect ungracefully
+ * (network partition, OOM kill) and the onsessionclosed / transport.onclose
+ * callbacks never fire.
+ *
+ * Each session server is tracked in state.sessionTransportIds (a WeakMap keyed
+ * by the McpServerInstance) with the transport session ID it was connected to.
+ * A session is stale if its transport ID is absent from the active transports
+ * map — meaning the transport was cleaned up but the session server was not.
+ *
+ * Called on each hot reload from reload.ts.
+ */
+const sweepStaleSessions = (state, transports, sessionServers) => {
+    let swept = 0;
+    for (let i = sessionServers.length - 1; i >= 0; i--) {
+        const srv = sessionServers[i];
+        if (!srv)
+            continue;
+        const transportId = state.sessionTransportIds.get(srv);
+        // If we have a recorded transport ID and that transport is gone, the session is stale.
+        // If there is no recorded transport ID, the session may be in-flight (created but
+        // onsessioninitialized hasn't fired yet) — keep it to avoid trimming valid sessions.
+        if (transportId !== undefined && !transports.has(transportId)) {
+            sessionServers.splice(i, 1);
+            swept++;
+        }
+    }
+    if (swept > 0) {
+        log.info(`Swept ${swept} stale MCP session(s) (${transports.size} active transport(s) remain)`);
+    }
+    return swept;
+};
+export { checkBearerAuth, constantTimeEqual, createHandlers, isLocalhostHost, sweepStaleSessions };
+//# sourceMappingURL=http-routes.js.map