npm - @opentabs-dev/mcp-server - Versions diffs - 0.0.22 → 0.0.25 - Mend

@opentabs-dev/mcp-server 0.0.22 → 0.0.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/dist/adapter-files.d.ts +53 -0
package/dist/adapter-files.d.ts.map +1 -0
package/dist/adapter-files.js +176 -0
package/dist/adapter-files.js.map +1 -0
package/dist/audit-disk.d.ts.map +1 -1
package/dist/audit-disk.js +5 -6
package/dist/audit-disk.js.map +1 -1
package/dist/browser-tool-names.d.ts +14 -0
package/dist/browser-tool-names.d.ts.map +1 -0
package/dist/browser-tool-names.js +52 -0
package/dist/browser-tool-names.js.map +1 -0
package/dist/browser-tools/analyze-site/detect-auth.d.ts.map +1 -1
package/dist/browser-tools/analyze-site/detect-auth.js +2 -1
package/dist/browser-tools/analyze-site/detect-auth.js.map +1 -1
package/dist/browser-tools/analyze-site/index.d.ts.map +1 -1
package/dist/browser-tools/analyze-site/index.js +111 -15
package/dist/browser-tools/analyze-site/index.js.map +1 -1
package/dist/browser-tools/execute-script.js +1 -1
package/dist/browser-tools/execute-script.js.map +1 -1
package/dist/browser-tools/extension-get-logs.d.ts +2 -2
package/dist/browser-tools/focus-tab.js +1 -1
package/dist/browser-tools/focus-tab.js.map +1 -1
package/dist/browser-tools/get-console-logs.d.ts +2 -2
package/dist/browser-tools/index.d.ts +4 -0
package/dist/browser-tools/index.d.ts.map +1 -1
package/dist/browser-tools/index.js +19 -0
package/dist/browser-tools/index.js.map +1 -1
package/dist/browser-tools/select-option.d.ts.map +1 -1
package/dist/browser-tools/select-option.js +11 -6
package/dist/browser-tools/select-option.js.map +1 -1
package/dist/config.d.ts +13 -16
package/dist/config.d.ts.map +1 -1
package/dist/config.js +43 -109
package/dist/config.js.map +1 -1
package/dist/discovery.d.ts.map +1 -1
package/dist/discovery.js +9 -12
package/dist/discovery.js.map +1 -1
package/dist/extension-handlers.d.ts +102 -0
package/dist/extension-handlers.d.ts.map +1 -0
package/dist/extension-handlers.js +443 -0
package/dist/extension-handlers.js.map +1 -0
package/dist/extension-protocol.d.ts +6 -38
package/dist/extension-protocol.d.ts.map +1 -1
package/dist/extension-protocol.js +47 -535
package/dist/extension-protocol.js.map +1 -1
package/dist/file-watcher.d.ts.map +1 -1
package/dist/file-watcher.js +106 -104
package/dist/file-watcher.js.map +1 -1
package/dist/http-routes.d.ts +9 -7
package/dist/http-routes.d.ts.map +1 -1
package/dist/http-routes.js +275 -265
package/dist/http-routes.js.map +1 -1
package/dist/index.js +17 -10
package/dist/index.js.map +1 -1
package/dist/loader.d.ts +14 -3
package/dist/loader.d.ts.map +1 -1
package/dist/loader.js +42 -22
package/dist/loader.js.map +1 -1
package/dist/log-buffer.d.ts.map +1 -1
package/dist/log-buffer.js +17 -6
package/dist/log-buffer.js.map +1 -1
package/dist/logger.d.ts.map +1 -1
package/dist/logger.js +5 -2
package/dist/logger.js.map +1 -1
package/dist/mcp-setup.d.ts +3 -18
package/dist/mcp-setup.d.ts.map +1 -1
package/dist/mcp-setup.js +13 -407
package/dist/mcp-setup.js.map +1 -1
package/dist/mcp-tool-dispatch.d.ts +51 -0
package/dist/mcp-tool-dispatch.d.ts.map +1 -0
package/dist/mcp-tool-dispatch.js +410 -0
package/dist/mcp-tool-dispatch.js.map +1 -0
package/dist/plugin-management.d.ts +123 -0
package/dist/plugin-management.d.ts.map +1 -0
package/dist/plugin-management.js +340 -0
package/dist/plugin-management.js.map +1 -0
package/dist/registry.d.ts +2 -13
package/dist/registry.d.ts.map +1 -1
package/dist/registry.js +2 -24
package/dist/registry.js.map +1 -1
package/dist/reload.d.ts.map +1 -1
package/dist/reload.js +13 -2
package/dist/reload.js.map +1 -1
package/dist/resolver.d.ts.map +1 -1
package/dist/resolver.js +33 -25
package/dist/resolver.js.map +1 -1
package/dist/state.d.ts +30 -21
package/dist/state.d.ts.map +1 -1
package/dist/state.js +14 -10
package/dist/state.js.map +1 -1
package/dist/version-check.d.ts.map +1 -1
package/dist/version-check.js +36 -14
package/dist/version-check.js.map +1 -1
package/package.json +2 -2

package/dist/http-routes.js CHANGED Viewed

@@ -24,9 +24,10 @@ import { getNextRequestId, prefixedToolName, STATE_SCHEMA_VERSION } from './stat
 import { version } from './version.js';
 import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js';
 import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
+import { toErrorMessage } from '@opentabs-dev/shared';
 import { timingSafeEqual } from 'node:crypto';
 /** Callbacks for extension protocol → MCP server integration */
-const createMcpCallbacks = (state, sessionServers) => ({
+const createMcpCallbacks = (state, sessionServers, transports) => ({
     onToolConfigChanged: () => {
         for (const srv of sessionServers) {
             notifyToolListChanged(srv);
@@ -51,6 +52,7 @@ const createMcpCallbacks = (state, sessionServers) => ({
             });
         }
     },
+    onReload: () => performConfigReload(state, sessionServers, transports),
 });
 /**
  * Constant-time string comparison using crypto.timingSafeEqual.
@@ -78,7 +80,7 @@ const checkBearerAuth = (req, wsSecret) => {
     return null;
 };
 /** Allowed hostnames for the Host header (DNS rebinding protection) */
-const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
+const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '::1', '::ffff:127.0.0.1']);
 /**
  * Check whether a Host header value refers to a localhost address.
  * Strips the optional port suffix before comparing against the allowed set.
@@ -101,16 +103,15 @@ const isLocalhostHost = (hostHeader) => {
     return ALLOWED_HOSTS.has(hostname);
 };
 // --- Rate limiting for administrative endpoints ---
-const endpointCallTimestamps = new Map();
-const checkEndpointRateLimit = (endpoint, maxPerMinute) => {
+const checkEndpointRateLimit = (state, endpoint, maxPerMinute) => {
     const now = Date.now();
-    const timestamps = (endpointCallTimestamps.get(endpoint) ?? []).filter(t => now - t < 60_000);
+    const timestamps = (state.endpointCallTimestamps.get(endpoint) ?? []).filter(t => now - t < 60_000);
     if (timestamps.length >= maxPerMinute) {
-        endpointCallTimestamps.set(endpoint, timestamps);
+        state.endpointCallTimestamps.set(endpoint, timestamps);
         return false;
     }
     timestamps.push(now);
-    endpointCallTimestamps.set(endpoint, timestamps);
+    state.endpointCallTimestamps.set(endpoint, timestamps);
     return true;
 };
 /** Compute aggregate audit statistics from the audit log buffer */
@@ -154,291 +155,300 @@ const computeAuditSummary = (auditLog) => {
         avgDurationMs,
     };
 };
-const createHandleFetch = ({ state, transports, sessionServers, getHotState }) => async (req, bunServer) => {
-    const url = new URL(req.url);
-    // --- Host header validation (DNS rebinding protection) ---
-    // Reject requests with a non-localhost Host header. A DNS rebinding
-    // attack re-maps a malicious domain to 127.0.0.1, so the browser sends
-    // requests to our loopback server with Host: evil.com. Checking the Host
-    // header is the standard mitigation (CVE-2025-66414 class).
-    const hostHeader = req.headers.get('Host');
-    if (!hostHeader || !isLocalhostHost(hostHeader)) {
-        return new Response('Forbidden: invalid Host header', { status: 403 });
-    }
-    // --- CORS protection ---
-    // MCP clients (Claude Code, etc.) don't run in browsers, so legitimate
-    // requests never carry an Origin header. Reject requests with an Origin
-    // header to prevent DNS rebinding attacks from malicious web pages.
-    //
-    // Chrome extension requests carry an Origin of `chrome-extension://...`
-    // and must be allowed through — the extension's background script
-    // fetches /ws-info to obtain the authenticated WebSocket URL.
-    const origin = req.headers.get('Origin');
-    if (origin && !origin.startsWith('chrome-extension://')) {
-        return new Response('Forbidden: browser requests are not allowed', { status: 403 });
-    }
-    // --- WebSocket upgrade for extension ---
-    if (url.pathname === '/ws') {
-        // Authenticate WebSocket connections using a shared secret sent via
-        // the Sec-WebSocket-Protocol header (not URL query params, which leak
-        // into server logs, browser history, and proxy logs).
-        // The client sends protocols: ['opentabs', '<secret>'] and the server
-        // echoes 'opentabs' as the accepted subprotocol.
-        // Uses constant-time comparison to prevent timing side-channel attacks.
-        if (state.wsSecret) {
-            const protocols = req.headers.get('sec-websocket-protocol');
-            const parts = protocols?.split(',').map(p => p.trim()) ?? [];
-            let secretMatched = false;
-            for (const part of parts) {
-                if (constantTimeEqual(part, state.wsSecret)) {
-                    secretMatched = true;
-                }
+// --- Extracted route handlers ---
+// Each handles a single route (or route group) and receives only the
+// dependencies it needs. The router in createHandleFetch delegates to these.
+/** WebSocket upgrade for extension connections (/ws) */
+const handleWsUpgrade = (req, bunServer, state) => {
+    // Authenticate WebSocket connections using a shared secret sent via
+    // the Sec-WebSocket-Protocol header (not URL query params, which leak
+    // into server logs, browser history, and proxy logs).
+    // The client sends protocols: ['opentabs', '<secret>'] and the server
+    // echoes 'opentabs' as the accepted subprotocol.
+    // Uses constant-time comparison to prevent timing side-channel attacks.
+    if (state.wsSecret) {
+        const protocols = req.headers.get('sec-websocket-protocol');
+        const parts = protocols?.split(',').map(p => p.trim()) ?? [];
+        let secretMatched = false;
+        for (const part of parts) {
+            if (constantTimeEqual(part, state.wsSecret)) {
+                secretMatched = true;
             }
-            if (!secretMatched) {
-                return new Response('Unauthorized', { status: 401 });
-            }
-            const upgraded = bunServer.upgrade(req, {
-                data: undefined,
-                headers: { 'sec-websocket-protocol': 'opentabs' },
-            });
-            if (!upgraded) {
-                return new Response('WebSocket upgrade failed', { status: 400 });
-            }
-            return undefined;
         }
-        const upgraded = bunServer.upgrade(req, { data: undefined });
+        if (!secretMatched) {
+            return new Response('Unauthorized', { status: 401 });
+        }
+        const upgraded = bunServer.upgrade(req, {
+            data: undefined,
+            headers: { 'sec-websocket-protocol': 'opentabs' },
+        });
         if (!upgraded) {
             return new Response('WebSocket upgrade failed', { status: 400 });
         }
         return undefined;
     }
-    // --- WebSocket info endpoint (for extension authentication) ---
-    // Returns the WebSocket URL and secret as separate fields. The secret
-    // is sent via the Sec-WebSocket-Protocol header during the upgrade,
-    // keeping it out of URLs, logs, and browser history.
-    //
-    // Requires Bearer auth. The extension bootstraps the secret from
-    // auth.json (bundled in the extension directory at install time)
-    // and uses it for all /ws-info requests.
-    if (url.pathname === '/ws-info' && req.method === 'GET') {
-        const authError = checkBearerAuth(req, state.wsSecret);
-        if (authError)
-            return authError;
-        const wsUrl = `ws://${url.host}/ws`;
-        return Response.json({ wsUrl, wsSecret: state.wsSecret });
+    const upgraded = bunServer.upgrade(req, { data: undefined });
+    if (!upgraded) {
+        return new Response('WebSocket upgrade failed', { status: 400 });
     }
-    // --- Health endpoint ---
-    // Unauthenticated requests get a minimal status response (alive check only).
-    // Authenticated requests get the full response with plugin details, paths, etc.
-    if (url.pathname === '/health' && req.method === 'GET') {
-        const authenticated = checkBearerAuth(req, state.wsSecret) === null;
-        if (!authenticated) {
-            return Response.json({
-                status: 'ok',
-                version,
-                extensionConnected: state.extensionWs !== null,
-            });
-        }
-        const hs = getHotState();
-        const pluginDetails = [...state.registry.plugins.values()].map(p => ({
-            name: p.name,
-            displayName: p.displayName,
-            toolCount: p.tools.length,
-            tools: p.tools.map(t => prefixedToolName(p.name, t.name)),
-            tabState: state.tabMapping.get(p.name)?.state ?? 'closed',
-            source: p.source,
-            sdkVersion: p.sdkVersion ?? null,
-            logBufferSize: getLogCount(p.name),
-            ...(p.iconSvg ? { iconSvg: p.iconSvg } : {}),
-        }));
-        const toolCount = state.registry.toolLookup.size + state.cachedBrowserTools.length;
-        const uptimeSeconds = Math.floor((Date.now() - state.startedAt) / 1000);
-        const pendingPlugins = state.fileWatcherEntries.filter(e => e.pluginName.startsWith('(pending:')).length;
-        const watchedPlugins = state.fileWatcherEntries.length - pendingPlugins;
-        const auditSummary = computeAuditSummary(state.auditLog);
-        const disabledBrowserTools = state.cachedBrowserTools
-            .filter(c => state.browserToolPolicy[c.name] === false)
-            .map(c => c.name);
+    return undefined;
+};
+/** WebSocket info endpoint for extension authentication (GET /ws-info) */
+const handleWsInfo = (req, url, state) => {
+    const authError = checkBearerAuth(req, state.wsSecret);
+    if (authError)
+        return authError;
+    const wsUrl = `ws://${url.host}/ws`;
+    return Response.json({ wsUrl, ...(state.wsSecret ? { wsSecret: state.wsSecret } : {}) });
+};
+/** Health endpoint (GET /health) */
+const handleHealth = (req, state, transports, getHotState) => {
+    const authenticated = checkBearerAuth(req, state.wsSecret) === null;
+    if (!authenticated) {
         return Response.json({
             status: 'ok',
             version,
-            sdkVersion,
-            mode: isDev() ? 'dev' : 'production',
             extensionConnected: state.extensionWs !== null,
-            mcpClients: transports.size,
-            plugins: state.registry.plugins.size,
-            pluginDetails,
-            failedPlugins: [...state.registry.failures],
-            discoveryErrors: [...state.discoveryErrors],
-            toolCount,
-            disabledBrowserTools,
-            confirmationBypassed: state.skipConfirmation,
-            uptime: uptimeSeconds,
-            reloadCount: hs?.reloadCount ?? 0,
-            lastReloadTimestamp: hs?.lastReloadTimestamp ?? 0,
-            lastReloadDurationMs: hs?.lastReloadDurationMs ?? 0,
-            stateSchemaVersion: STATE_SCHEMA_VERSION,
-            fileWatcher: {
-                watchedPlugins,
-                pendingPlugins,
-                lastPollAt: state.mtimeLastPollAt,
-                pollDetections: state.mtimePollDetections,
-            },
-            auditSummary,
         });
     }
-    // --- Audit log endpoint ---
-    if (url.pathname === '/audit' && req.method === 'GET') {
-        const authError = checkBearerAuth(req, state.wsSecret);
-        if (authError)
-            return authError;
-        const limitParam = parseInt(url.searchParams.get('limit') ?? '50', 10);
-        const limit = Math.max(1, Math.min(500, Number.isNaN(limitParam) ? 50 : limitParam));
-        const pluginFilter = url.searchParams.get('plugin');
-        const toolFilter = url.searchParams.get('tool');
-        const successParam = url.searchParams.get('success');
-        const successFilter = successParam === 'true' ? true : successParam === 'false' ? false : undefined;
-        let entries = [...state.auditLog].reverse();
-        if (pluginFilter)
-            entries = entries.filter(e => e.plugin === pluginFilter);
-        if (toolFilter)
-            entries = entries.filter(e => e.tool === toolFilter);
-        if (successFilter !== undefined)
-            entries = entries.filter(e => e.success === successFilter);
-        entries = entries.slice(0, limit);
-        return Response.json(entries);
+    const hs = getHotState();
+    const pluginDetails = [...state.registry.plugins.values()].map(p => ({
+        name: p.name,
+        displayName: p.displayName,
+        toolCount: p.tools.length,
+        tools: p.tools.map(t => prefixedToolName(p.name, t.name)),
+        tabState: state.tabMapping.get(p.name)?.state ?? 'closed',
+        source: p.source,
+        sdkVersion: p.sdkVersion ?? null,
+        logBufferSize: getLogCount(p.name),
+        ...(p.iconSvg ? { iconSvg: p.iconSvg } : {}),
+    }));
+    const toolCount = state.registry.toolLookup.size + state.cachedBrowserTools.length;
+    const uptimeSeconds = Math.floor((Date.now() - state.startedAt) / 1000);
+    const pendingPlugins = state.fileWatching.entries.filter(e => e.pluginName.startsWith('(pending:')).length;
+    const watchedPlugins = state.fileWatching.entries.length - pendingPlugins;
+    const auditSummary = computeAuditSummary(state.auditLog);
+    const disabledBrowserTools = state.cachedBrowserTools
+        .filter(c => state.browserToolPolicy[c.name] === false)
+        .map(c => c.name);
+    return Response.json({
+        status: 'ok',
+        version,
+        sdkVersion,
+        mode: isDev() ? 'dev' : 'production',
+        extensionConnected: state.extensionWs !== null,
+        mcpClients: transports.size,
+        plugins: state.registry.plugins.size,
+        pluginDetails,
+        failedPlugins: [...state.registry.failures],
+        discoveryErrors: [...state.discoveryErrors],
+        toolCount,
+        disabledBrowserTools,
+        confirmationBypassed: state.skipConfirmation,
+        uptime: uptimeSeconds,
+        reloadCount: hs?.reloadCount ?? 0,
+        lastReloadTimestamp: hs?.lastReloadTimestamp ?? 0,
+        lastReloadDurationMs: hs?.lastReloadDurationMs ?? 0,
+        stateSchemaVersion: STATE_SCHEMA_VERSION,
+        fileWatcher: {
+            watchedPlugins,
+            pendingPlugins,
+            lastPollAt: state.fileWatching.mtimeLastPollAt,
+            pollDetections: state.fileWatching.mtimePollDetections,
+        },
+        auditSummary,
+    });
+};
+/** Audit log endpoint (GET /audit) */
+const handleAudit = (url, state, req) => {
+    const authError = checkBearerAuth(req, state.wsSecret);
+    if (authError)
+        return authError;
+    const limitParam = parseInt(url.searchParams.get('limit') ?? '50', 10);
+    const limit = Math.max(1, Math.min(500, Number.isNaN(limitParam) ? 50 : limitParam));
+    const pluginFilter = url.searchParams.get('plugin');
+    const toolFilter = url.searchParams.get('tool');
+    const successParam = url.searchParams.get('success');
+    const successFilter = successParam === 'true' ? true : successParam === 'false' ? false : undefined;
+    let entries = [...state.auditLog].reverse();
+    if (pluginFilter)
+        entries = entries.filter(e => e.plugin === pluginFilter);
+    if (toolFilter)
+        entries = entries.filter(e => e.tool === toolFilter);
+    if (successFilter !== undefined)
+        entries = entries.filter(e => e.success === successFilter);
+    entries = entries.slice(0, limit);
+    return Response.json(entries);
+};
+/** Config/plugin rediscovery endpoint (POST /reload) */
+const handleReload = async (req, state, sessionServers, transports) => {
+    const authError = checkBearerAuth(req, state.wsSecret);
+    if (authError)
+        return authError;
+    if (!checkEndpointRateLimit(state, '/reload', 10)) {
+        return new Response('Too Many Requests', { status: 429, headers: { 'Retry-After': '60' } });
     }
-    // --- Config/plugin rediscovery endpoint ---
-    if (url.pathname === '/reload' && req.method === 'POST') {
-        const authError = checkBearerAuth(req, state.wsSecret);
-        if (authError)
-            return authError;
-        if (!checkEndpointRateLimit('/reload', 10)) {
-            return new Response('Too Many Requests', { status: 429, headers: { 'Retry-After': '60' } });
-        }
-        try {
-            const result = await performConfigReload(state, sessionServers, transports);
-            return Response.json({
-                ok: true,
-                plugins: result.plugins,
-                durationMs: result.durationMs,
-            });
-        }
-        catch (err) {
-            log.error('Config reload failed:', err);
-            const rawMsg = err instanceof Error ? err.message : String(err);
-            return Response.json({ ok: false, error: sanitizeErrorMessage(rawMsg) }, { status: 500 });
-        }
+    try {
+        const result = await performConfigReload(state, sessionServers, transports);
+        return Response.json({
+            ok: true,
+            plugins: result.plugins,
+            durationMs: result.durationMs,
+        });
     }
-    // --- Extension reload endpoint ---
-    if (url.pathname === '/extension/reload' && req.method === 'POST') {
-        const authError = checkBearerAuth(req, state.wsSecret);
-        if (authError)
-            return authError;
-        if (!checkEndpointRateLimit('/extension/reload', 10)) {
-            return new Response('Too Many Requests', { status: 429, headers: { 'Retry-After': '60' } });
+    catch (err) {
+        log.error('Config reload failed:', err);
+        const rawMsg = toErrorMessage(err);
+        return Response.json({ ok: false, error: sanitizeErrorMessage(rawMsg) }, { status: 500 });
+    }
+};
+/** Extension reload endpoint (POST /extension/reload) */
+const handleExtensionReload = (req, state) => {
+    const authError = checkBearerAuth(req, state.wsSecret);
+    if (authError)
+        return authError;
+    if (!checkEndpointRateLimit(state, '/extension/reload', 10)) {
+        return new Response('Too Many Requests', { status: 429, headers: { 'Retry-After': '60' } });
+    }
+    if (!state.extensionWs) {
+        return Response.json({ ok: false, error: 'Extension not connected' }, { status: 503 });
+    }
+    const id = getNextRequestId();
+    state.extensionWs.send(JSON.stringify({ jsonrpc: '2.0', method: 'extension.reload', id }));
+    return Response.json({ ok: true, message: 'Reload signal sent to extension' });
+};
+/** MCP Streamable HTTP transport (/mcp — POST/GET/DELETE) */
+const handleMcp = async (req, bunServer, state, transports, sessionServers) => {
+    const authError = checkBearerAuth(req, state.wsSecret);
+    if (authError)
+        return authError;
+    // Disable Bun's per-connection idle timeout for MCP requests.
+    // Tool dispatches can take up to DISPATCH_TIMEOUT_MS (30s) and the
+    // Streamable HTTP transport holds the response open until the tool
+    // result arrives. The default idle timeout (10s) would close the
+    // connection before long-running dispatches complete.
+    bunServer.timeout(req, 0);
+    const sessionId = req.headers.get('mcp-session-id');
+    if (req.method === 'POST') {
+        // Existing session
+        if (sessionId) {
+            const existingTransport = transports.get(sessionId);
+            if (existingTransport) {
+                return existingTransport.handleRequest(req);
+            }
         }
-        if (!state.extensionWs) {
-            return Response.json({ ok: false, error: 'Extension not connected' }, { status: 503 });
+        // New session — rate-limit session creation to prevent resource exhaustion
+        if (!checkEndpointRateLimit(state, '/mcp-session-create', 5)) {
+            return new Response('Too Many Requests', { status: 429, headers: { 'Retry-After': '60' } });
         }
-        const id = getNextRequestId();
-        state.extensionWs.send(JSON.stringify({ jsonrpc: '2.0', method: 'extension.reload', id }));
-        return Response.json({ ok: true, message: 'Reload signal sent to extension' });
-    }
-    // --- MCP Streamable HTTP transport ---
-    if (url.pathname === '/mcp') {
-        const authError = checkBearerAuth(req, state.wsSecret);
-        if (authError)
-            return authError;
-        // Disable Bun's per-connection idle timeout for MCP requests.
-        // Tool dispatches can take up to DISPATCH_TIMEOUT_MS (30s) and the
-        // Streamable HTTP transport holds the response open until the tool
-        // result arrives. The default idle timeout (10s) would close the
-        // connection before long-running dispatches complete.
-        bunServer.timeout(req, 0);
-        const sessionId = req.headers.get('mcp-session-id');
-        if (req.method === 'POST') {
-            // Existing session
-            if (sessionId) {
-                const existingTransport = transports.get(sessionId);
-                if (existingTransport) {
-                    return existingTransport.handleRequest(req);
+        // Check if it's an initialize request
+        const body = await req.json().catch(() => null);
+        if (body && isInitializeRequest(body)) {
+            let sessionServer = null;
+            const removeSession = () => {
+                if (sessionServer) {
+                    const idx = sessionServers.indexOf(sessionServer);
+                    if (idx !== -1)
+                        sessionServers.splice(idx, 1);
+                    sessionServer = null;
                 }
-            }
-            // New session — rate-limit session creation to prevent resource exhaustion
-            if (!checkEndpointRateLimit('/mcp-session-create', 5)) {
-                return new Response('Too Many Requests', { status: 429, headers: { 'Retry-After': '60' } });
-            }
-            // Check if it's an initialize request
-            const body = await req.json().catch(() => null);
-            if (body && isInitializeRequest(body)) {
-                let sessionServer = null;
-                const removeSession = () => {
+            };
+            const transport = new WebStandardStreamableHTTPServerTransport({
+                sessionIdGenerator: () => crypto.randomUUID(),
+                onsessioninitialized: (sid) => {
+                    transports.set(sid, transport);
+                    // Track which transport this session is connected to for stale sweep
                     if (sessionServer) {
-                        const idx = sessionServers.indexOf(sessionServer);
-                        if (idx !== -1)
-                            sessionServers.splice(idx, 1);
-                        sessionServer = null;
-                    }
-                };
-                const transport = new WebStandardStreamableHTTPServerTransport({
-                    sessionIdGenerator: () => crypto.randomUUID(),
-                    onsessioninitialized: (sid) => {
-                        transports.set(sid, transport);
-                        // Track which transport this session is connected to for stale sweep
-                        if (sessionServer) {
-                            state.sessionTransportIds.set(sessionServer, sid);
-                        }
-                        log.info(`MCP client connected (session: ${sid})`);
-                    },
-                    onsessionclosed: (sid) => {
-                        transports.delete(sid);
-                        removeSession();
-                        log.info(`MCP client disconnected (session: ${sid})`);
-                    },
-                });
-                transport.onclose = () => {
-                    if (transport.sessionId) {
-                        transports.delete(transport.sessionId);
+                        state.sessionTransportIds.set(sessionServer, sid);
                     }
+                    log.info(`MCP client connected (session: ${sid})`);
+                },
+                onsessionclosed: (sid) => {
+                    transports.delete(sid);
                     removeSession();
-                };
-                try {
-                    sessionServer = await createMcpServer(state);
-                    sessionServers.push(sessionServer);
-                    await sessionServer.connect(transport);
-                    return await transport.handleRequest(req, { parsedBody: body });
-                }
-                catch (err) {
-                    removeSession();
-                    throw err;
+                    log.info(`MCP client disconnected (session: ${sid})`);
+                },
+            });
+            transport.onclose = () => {
+                if (transport.sessionId) {
+                    transports.delete(transport.sessionId);
                 }
+                removeSession();
+            };
+            try {
+                sessionServer = await createMcpServer(state);
+                sessionServers.push(sessionServer);
+                await sessionServer.connect(transport);
+                return await transport.handleRequest(req, { parsedBody: body });
             }
-            return Response.json({
-                jsonrpc: '2.0',
-                error: {
-                    code: -32600,
-                    message: 'Bad Request: missing session or not an initialize request',
-                },
-                id: null,
-            }, { status: 400 });
-        }
-        if (req.method === 'GET') {
-            const getTransport = sessionId ? transports.get(sessionId) : undefined;
-            if (getTransport) {
-                return getTransport.handleRequest(req);
+            catch (err) {
+                removeSession();
+                throw err;
             }
-            return new Response('Missing or invalid session', { status: 400 });
         }
-        if (req.method === 'DELETE') {
-            const delTransport = sessionId ? transports.get(sessionId) : undefined;
-            if (delTransport) {
-                return delTransport.handleRequest(req);
-            }
-            return new Response('Missing or invalid session', { status: 400 });
+        return Response.json({
+            jsonrpc: '2.0',
+            error: {
+                code: -32600,
+                message: 'Bad Request: missing session or not an initialize request',
+            },
+            id: null,
+        }, { status: 400 });
+    }
+    if (req.method === 'GET') {
+        const getTransport = sessionId ? transports.get(sessionId) : undefined;
+        if (getTransport) {
+            return getTransport.handleRequest(req);
+        }
+        return new Response('Missing or invalid session', { status: 400 });
+    }
+    if (req.method === 'DELETE') {
+        const delTransport = sessionId ? transports.get(sessionId) : undefined;
+        if (delTransport) {
+            return delTransport.handleRequest(req);
         }
-        return new Response('Method not allowed', { status: 405 });
+        return new Response('Missing or invalid session', { status: 400 });
+    }
+    return new Response('Method not allowed', { status: 405 });
+};
+// --- Main router ---
+const createHandleFetch = ({ state, transports, sessionServers, getHotState }) => async (req, bunServer) => {
+    const url = new URL(req.url);
+    // --- Host header validation (DNS rebinding protection) ---
+    // Reject requests with a non-localhost Host header. A DNS rebinding
+    // attack re-maps a malicious domain to 127.0.0.1, so the browser sends
+    // requests to our loopback server with Host: evil.com. Checking the Host
+    // header is the standard mitigation (CVE-2025-66414 class).
+    const hostHeader = req.headers.get('Host');
+    if (!hostHeader || !isLocalhostHost(hostHeader)) {
+        return new Response('Forbidden: invalid Host header', { status: 403 });
+    }
+    // --- CORS protection ---
+    // MCP clients (Claude Code, etc.) don't run in browsers, so legitimate
+    // requests never carry an Origin header. Reject requests with an Origin
+    // header to prevent DNS rebinding attacks from malicious web pages.
+    //
+    // Chrome extension requests carry an Origin of `chrome-extension://...`
+    // and must be allowed through — the extension's background script
+    // fetches /ws-info to obtain the authenticated WebSocket URL.
+    const origin = req.headers.get('Origin');
+    if (origin && !origin.startsWith('chrome-extension://')) {
+        return new Response('Forbidden: browser requests are not allowed', { status: 403 });
     }
+    if (url.pathname === '/ws')
+        return handleWsUpgrade(req, bunServer, state);
+    if (url.pathname === '/ws-info' && req.method === 'GET')
+        return handleWsInfo(req, url, state);
+    if (url.pathname === '/health' && req.method === 'GET')
+        return handleHealth(req, state, transports, getHotState);
+    if (url.pathname === '/audit' && req.method === 'GET')
+        return handleAudit(url, state, req);
+    if (url.pathname === '/reload' && req.method === 'POST')
+        return handleReload(req, state, sessionServers, transports);
+    if (url.pathname === '/extension/reload' && req.method === 'POST')
+        return handleExtensionReload(req, state);
+    if (url.pathname === '/mcp')
+        return handleMcp(req, bunServer, state, transports, sessionServers);
     return new Response('Not Found', { status: 404 });
 };
 const createHandleWsOpen = (state) => (ws) => {
@@ -500,7 +510,7 @@ const createHandleWsClose = (state) => (ws) => {
  * fresh closures over the latest module imports.
  */
 const createHandlers = (deps) => {
-    const mcpCallbacks = createMcpCallbacks(deps.state, deps.sessionServers);
+    const mcpCallbacks = createMcpCallbacks(deps.state, deps.sessionServers, deps.transports);
     return {
         fetch: createHandleFetch(deps),
         wsOpen: createHandleWsOpen(deps.state),