@pilot-status/mcp-server 0.1.0

package/dist/lib/config.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Runtime configuration for the Pilot Status MCP server.
+ *
+ * Transport is selected (in priority order) by:
+ *   1. a positional CLI arg or flag: `stdio` | `http` | `--stdio` | `--http`
+ *   2. the `MCP_TRANSPORT` env var (`stdio` | `http`)
+ *   3. default: `stdio`
+ *
+ * The public API base URL defaults to production (`https://pilotstatuss.com`).
+ * The API key is read from `PILOT_STATUS_API_KEY` and is required for stdio
+ * (single-tenant process). In HTTP mode the key is taken per-request from the
+ * incoming `x-api-key` header, falling back to `PILOT_STATUS_API_KEY` if set.
+ *
+ * OAuth 2.1 (claude.ai custom connector): this process is the *resource server*.
+ * It is a "dumb forwarder" — it does NOT verify access tokens. A `Bearer` token
+ * on `POST /mcp` is forwarded verbatim to the public `/v1` API, which validates
+ * it. The authorization server lives in the Pilot Status backend; this server
+ * only advertises it via `GET /.well-known/oauth-protected-resource`:
+ *   - `MCP_RESOURCE_URL` — the public URL of THIS resource server.
+ *   - `PILOT_STATUS_AUTH_SERVER_URL` — the authorization server (the backend).
+ */
+export type McpTransport = "stdio" | "http";
+export interface ResolvedConfig {
+    transport: McpTransport;
+    /** Public API base URL, no trailing slash (e.g. https://pilotstatuss.com). */
+    baseUrl: string;
+    /** Raw `ps_*` API key (stdio default; HTTP fallback). May be undefined in HTTP mode. */
+    apiKey?: string;
+    /** Optional `x-api-key-id` companion header value. */
+    apiKeyId?: string;
+    /** Public URL of THIS MCP resource server (OAuth `resource`), no trailing slash. */
+    resourceUrl: string;
+    /** OAuth authorization server base URL (the Pilot Status backend), no trailing slash. */
+    authServerUrl: string;
+    /** HTTP transport listen port. */
+    port: number;
+    /** HTTP transport bind host. */
+    host: string;
+}
+export declare const DEFAULT_API_URL = "https://pilotstatuss.com";
+export declare const DEFAULT_AUTH_SERVER_URL = "https://pilotstatuss.com";
+export declare const DEFAULT_RESOURCE_URL = "https://mcp.pilotstatuss.com";
+export declare const DEFAULT_HTTP_PORT = 8787;
+export declare const DEFAULT_HTTP_HOST = "0.0.0.0";
+/**
+ * Advisory OAuth scopes advertised in the protected-resource metadata. The
+ * authorization server (Pilot Status backend) is the source of truth; this list
+ * is a hint to clients about the granularity available.
+ */
+export declare const SCOPES_SUPPORTED: readonly ["messages:send", "messages:read", "conversations:read", "numbers:read", "numbers:write", "templates:read", "templates:write", "analytics:read"];
+export declare function resolveConfig(argv?: string[], env?: NodeJS.ProcessEnv): ResolvedConfig;
+export declare const SERVER_NAME = "pilot-status";
+export declare const SERVER_VERSION = "0.1.0";
+//# sourceMappingURL=config.d.ts.map

package/dist/lib/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,CAAC;AAE5C,MAAM,WAAW,cAAc;IAC3B,SAAS,EAAE,YAAY,CAAC;IACxB,8EAA8E;IAC9E,OAAO,EAAE,MAAM,CAAC;IAChB,wFAAwF;IACxF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,sDAAsD;IACtD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oFAAoF;IACpF,WAAW,EAAE,MAAM,CAAC;IACpB,yFAAyF;IACzF,aAAa,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,IAAI,EAAE,MAAM,CAAC;CAChB;AAED,eAAO,MAAM,eAAe,6BAA6B,CAAC;AAC1D,eAAO,MAAM,uBAAuB,6BAA6B,CAAC;AAClE,eAAO,MAAM,oBAAoB,iCAAiC,CAAC;AACnE,eAAO,MAAM,iBAAiB,OAAO,CAAC;AACtC,eAAO,MAAM,iBAAiB,YAAY,CAAC;AAE3C;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,2JASnB,CAAC;AAgBX,wBAAgB,aAAa,CACzB,IAAI,GAAE,MAAM,EAA0B,EACtC,GAAG,GAAE,MAAM,CAAC,UAAwB,GACrC,cAAc,CAyBhB;AAED,eAAO,MAAM,WAAW,iBAAiB,CAAC;AAC1C,eAAO,MAAM,cAAc,UAAU,CAAC"}

package/dist/lib/config.js

@@ -0,0 +1,79 @@
+/**
+ * Runtime configuration for the Pilot Status MCP server.
+ *
+ * Transport is selected (in priority order) by:
+ *   1. a positional CLI arg or flag: `stdio` | `http` | `--stdio` | `--http`
+ *   2. the `MCP_TRANSPORT` env var (`stdio` | `http`)
+ *   3. default: `stdio`
+ *
+ * The public API base URL defaults to production (`https://pilotstatuss.com`).
+ * The API key is read from `PILOT_STATUS_API_KEY` and is required for stdio
+ * (single-tenant process). In HTTP mode the key is taken per-request from the
+ * incoming `x-api-key` header, falling back to `PILOT_STATUS_API_KEY` if set.
+ *
+ * OAuth 2.1 (claude.ai custom connector): this process is the *resource server*.
+ * It is a "dumb forwarder" — it does NOT verify access tokens. A `Bearer` token
+ * on `POST /mcp` is forwarded verbatim to the public `/v1` API, which validates
+ * it. The authorization server lives in the Pilot Status backend; this server
+ * only advertises it via `GET /.well-known/oauth-protected-resource`:
+ *   - `MCP_RESOURCE_URL` — the public URL of THIS resource server.
+ *   - `PILOT_STATUS_AUTH_SERVER_URL` — the authorization server (the backend).
+ */
+export const DEFAULT_API_URL = "https://pilotstatuss.com";
+export const DEFAULT_AUTH_SERVER_URL = "https://pilotstatuss.com";
+export const DEFAULT_RESOURCE_URL = "https://mcp.pilotstatuss.com";
+export const DEFAULT_HTTP_PORT = 8787;
+export const DEFAULT_HTTP_HOST = "0.0.0.0";
+/**
+ * Advisory OAuth scopes advertised in the protected-resource metadata. The
+ * authorization server (Pilot Status backend) is the source of truth; this list
+ * is a hint to clients about the granularity available.
+ */
+export const SCOPES_SUPPORTED = [
+    "messages:send",
+    "messages:read",
+    "conversations:read",
+    "numbers:read",
+    "numbers:write",
+    "templates:read",
+    "templates:write",
+    "analytics:read",
+];
+function stripTrailingSlash(url) {
+    return url.replace(/\/+$/, "");
+}
+function resolveTransport(argv, env) {
+    const flags = argv.map((a) => a.trim().toLowerCase());
+    if (flags.includes("http") || flags.includes("--http"))
+        return "http";
+    if (flags.includes("stdio") || flags.includes("--stdio"))
+        return "stdio";
+    const fromEnv = (env.MCP_TRANSPORT ?? "").trim().toLowerCase();
+    if (fromEnv === "http")
+        return "http";
+    if (fromEnv === "stdio")
+        return "stdio";
+    return "stdio";
+}
+export function resolveConfig(argv = process.argv.slice(2), env = process.env) {
+    const baseUrl = stripTrailingSlash((env.PILOT_STATUS_API_URL ?? "").trim() || DEFAULT_API_URL);
+    const apiKey = (env.PILOT_STATUS_API_KEY ?? "").trim() || undefined;
+    const apiKeyId = (env.PILOT_STATUS_API_KEY_ID ?? "").trim() || undefined;
+    const resourceUrl = stripTrailingSlash((env.MCP_RESOURCE_URL ?? "").trim() || DEFAULT_RESOURCE_URL);
+    const authServerUrl = stripTrailingSlash((env.PILOT_STATUS_AUTH_SERVER_URL ?? "").trim() || DEFAULT_AUTH_SERVER_URL);
+    const port = Number.parseInt(env.PORT ?? "", 10) || DEFAULT_HTTP_PORT;
+    const host = (env.HOST ?? "").trim() || DEFAULT_HTTP_HOST;
+    return {
+        transport: resolveTransport(argv, env),
+        baseUrl,
+        apiKey,
+        apiKeyId,
+        resourceUrl,
+        authServerUrl,
+        port,
+        host,
+    };
+}
+export const SERVER_NAME = "pilot-status";
+export const SERVER_VERSION = "0.1.0";
+//# sourceMappingURL=config.js.map

package/dist/lib/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAsBH,MAAM,CAAC,MAAM,eAAe,GAAG,0BAA0B,CAAC;AAC1D,MAAM,CAAC,MAAM,uBAAuB,GAAG,0BAA0B,CAAC;AAClE,MAAM,CAAC,MAAM,oBAAoB,GAAG,8BAA8B,CAAC;AACnE,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,CAAC;AACtC,MAAM,CAAC,MAAM,iBAAiB,GAAG,SAAS,CAAC;AAE3C;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC5B,eAAe;IACf,eAAe;IACf,oBAAoB;IACpB,cAAc;IACd,eAAe;IACf,gBAAgB;IAChB,iBAAiB;IACjB,gBAAgB;CACV,CAAC;AAEX,SAAS,kBAAkB,CAAC,GAAW;IACnC,OAAO,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAc,EAAE,GAAsB;IAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IACtD,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,MAAM,CAAC;IACtE,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,OAAO,CAAC;IACzE,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC/D,IAAI,OAAO,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IACtC,IAAI,OAAO,KAAK,OAAO;QAAE,OAAO,OAAO,CAAC;IACxC,OAAO,OAAO,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,aAAa,CACzB,OAAiB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EACtC,MAAyB,OAAO,CAAC,GAAG;IAEpC,MAAM,OAAO,GAAG,kBAAkB,CAC9B,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,eAAe,CAC7D,CAAC;IACF,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;IACpE,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,uBAAuB,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,SAAS,CAAC;IACzE,MAAM,WAAW,GAAG,kBAAkB,CAClC,CAAC,GAAG,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,oBAAoB,CAC9D,CAAC;IACF,MAAM,aAAa,GAAG,kBAAkB,CACpC,CAAC,GAAG,CAAC,4BAA4B,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,uBAAuB,CAC7E,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,iBAAiB,CAAC;IACtE,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,iBAAiB,CAAC;IAE1D,OAAO;QACH,SAAS,EAAE,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC;QACtC,OAAO;QACP,MAAM;QACN,QAAQ;QACR,WAAW;QACX,aAAa;QACb,IAAI;QACJ,IAAI;KACP,CAAC;AACN,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAG,cAAc,CAAC;AAC1C,MAAM,CAAC,MAAM,cAAc,GAAG,OAAO,CAAC"}

package/dist/lib/http-transport.d.ts

@@ -0,0 +1,42 @@
+import { type IncomingMessage, type Server, type ServerResponse } from "node:http";
+import { type ResolvedConfig } from "./config.js";
+/**
+ * The `WWW-Authenticate` challenge that points the client at this resource
+ * server's protected-resource metadata, kicking off OAuth discovery. The format
+ * is exactly `Bearer resource_metadata="<url>"`.
+ */
+export declare function wwwAuthenticateHeader(config: ResolvedConfig): string;
+/** RFC 9728 protected-resource metadata document for this resource server. */
+export declare function protectedResourceMetadata(config: ResolvedConfig): {
+    resource: string;
+    authorization_servers: string[];
+    bearer_methods_supported: string[];
+    scopes_supported: string[];
+};
+/**
+ * Wrap `res.writeHead` so that, if an upstream bearer-mode 401 was observed
+ * (`isUnauthorized()` returns true) by the time the response is committed, the
+ * status is rewritten to 401 with a `WWW-Authenticate` challenge — relaying the
+ * upstream re-auth requirement to the MCP client. No-op once headers are sent.
+ */
+export declare function applyBearerUnauthorizedInterceptor(res: ServerResponse, isUnauthorized: () => boolean, wwwAuthenticate: string): void;
+/**
+ * Handle a single Streamable-HTTP request in *stateless* mode: a fresh server +
+ * transport per request, no session reuse (sessionIdGenerator: undefined).
+ *
+ * Authentication precedence:
+ *   1. `Authorization: Bearer <token>` → OAuth mode. The token is forwarded
+ *      verbatim to `/v1`; this server does not verify it (dumb forwarder). If
+ *      `/v1` rejects it with 401, the response is relayed as 401 + a
+ *      `WWW-Authenticate` challenge so the client re-authenticates.
+ *   2. `x-api-key` header (or process `PILOT_STATUS_API_KEY` fallback) → API-key
+ *      mode (back-compat).
+ *   3. Neither → 401 + `WWW-Authenticate` pointing at the protected-resource
+ *      metadata, which starts the claude.ai OAuth flow.
+ */
+export declare function handleMcpRequest(req: IncomingMessage, res: ServerResponse, config: ResolvedConfig): Promise<void>;
+/** Create (but do not start) the node:http server for the HTTP transport. */
+export declare function createHttpServer(config: ResolvedConfig): Server;
+/** Start the HTTP transport and resolve once it is listening. */
+export declare function startHttpServer(config: ResolvedConfig): Promise<Server>;
+//# sourceMappingURL=http-transport.d.ts.map

package/dist/lib/http-transport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-transport.d.ts","sourceRoot":"","sources":["../../src/lib/http-transport.ts"],"names":[],"mappings":"AAAA,OAAO,EAEH,KAAK,eAAe,EACpB,KAAK,MAAM,EACX,KAAK,cAAc,EACtB,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAoB,KAAK,cAAc,EAAE,MAAM,aAAa,CAAC;AA2CpE;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CAEpE;AAED,8EAA8E;AAC9E,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,cAAc,GAAG;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,EAAE,MAAM,EAAE,CAAC;IAChC,wBAAwB,EAAE,MAAM,EAAE,CAAC;IACnC,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC9B,CAOA;AAED;;;;;GAKG;AACH,wBAAgB,kCAAkC,CAC9C,GAAG,EAAE,cAAc,EACnB,cAAc,EAAE,MAAM,OAAO,EAC7B,eAAe,EAAE,MAAM,GACxB,IAAI,CAuBN;AAwCD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,gBAAgB,CAClC,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,MAAM,EAAE,cAAc,GACvB,OAAO,CAAC,IAAI,CAAC,CAsEf;AAED,6EAA6E;AAC7E,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,cAAc,GAAG,MAAM,CA8C/D;AAED,iEAAiE;AACjE,wBAAgB,eAAe,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAWvE"}

package/dist/lib/http-transport.js

@@ -0,0 +1,228 @@
+import { createServer, } from "node:http";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { buildServer } from "./server.js";
+import { SCOPES_SUPPORTED } from "./config.js";
+const MCP_PATH = "/mcp";
+/** RFC 9728 protected-resource metadata path. */
+const PROTECTED_RESOURCE_METADATA_PATH = "/.well-known/oauth-protected-resource";
+const MAX_BODY_BYTES = 4 * 1024 * 1024; // 4 MiB
+function headerValue(value) {
+    if (Array.isArray(value))
+        return value[0];
+    return value;
+}
+function sendJson(res, status, body, extraHeaders) {
+    const payload = JSON.stringify(body);
+    res.writeHead(status, { "content-type": "application/json", ...extraHeaders });
+    res.end(payload);
+}
+/** Permissive CORS for browser-based MCP clients; safe for a public read API. */
+function applyCors(res) {
+    res.setHeader("access-control-allow-origin", "*");
+    res.setHeader("access-control-allow-methods", "GET, POST, OPTIONS");
+    res.setHeader("access-control-allow-headers", "content-type, authorization, x-api-key, x-api-key-id, x-whatsapp-number-id, mcp-protocol-version, mcp-session-id, last-event-id");
+    // Expose the auth challenge so the OAuth dance can start from the browser.
+    res.setHeader("access-control-expose-headers", "WWW-Authenticate, mcp-session-id");
+}
+/** Extract the token from an `Authorization: Bearer <token>` header. */
+function parseBearer(header) {
+    if (!header)
+        return undefined;
+    const match = /^Bearer\s+(.+)$/i.exec(header.trim());
+    const token = match?.[1]?.trim();
+    return token ? token : undefined;
+}
+/**
+ * The `WWW-Authenticate` challenge that points the client at this resource
+ * server's protected-resource metadata, kicking off OAuth discovery. The format
+ * is exactly `Bearer resource_metadata="<url>"`.
+ */
+export function wwwAuthenticateHeader(config) {
+    return `Bearer resource_metadata="${config.resourceUrl}${PROTECTED_RESOURCE_METADATA_PATH}"`;
+}
+/** RFC 9728 protected-resource metadata document for this resource server. */
+export function protectedResourceMetadata(config) {
+    return {
+        resource: config.resourceUrl,
+        authorization_servers: [config.authServerUrl],
+        bearer_methods_supported: ["header"],
+        scopes_supported: [...SCOPES_SUPPORTED],
+    };
+}
+/**
+ * Wrap `res.writeHead` so that, if an upstream bearer-mode 401 was observed
+ * (`isUnauthorized()` returns true) by the time the response is committed, the
+ * status is rewritten to 401 with a `WWW-Authenticate` challenge — relaying the
+ * upstream re-auth requirement to the MCP client. No-op once headers are sent.
+ */
+export function applyBearerUnauthorizedInterceptor(res, isUnauthorized, wwwAuthenticate) {
+    const original = res.writeHead.bind(res);
+    res.writeHead = ((statusCode, arg2, arg3) => {
+        if (isUnauthorized()) {
+            const headers = arg2 && typeof arg2 === "object"
+                ? { ...arg2 }
+                : arg3 && typeof arg3 === "object"
+                    ? { ...arg3 }
+                    : {};
+            headers["WWW-Authenticate"] = wwwAuthenticate;
+            return original(401, headers);
+        }
+        return original(statusCode, arg2, arg3);
+    });
+}
+/** JSON-RPC error envelope (no session id available in stateless mode). */
+function rpcError(res, status, message) {
+    sendJson(res, status, {
+        jsonrpc: "2.0",
+        error: { code: -32000, message },
+        id: null,
+    });
+}
+async function readJsonBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let size = 0;
+        req.on("data", (chunk) => {
+            size += chunk.length;
+            if (size > MAX_BODY_BYTES) {
+                reject(new Error("Request body too large"));
+                req.destroy();
+                return;
+            }
+            chunks.push(chunk);
+        });
+        req.on("end", () => {
+            const raw = Buffer.concat(chunks).toString("utf8");
+            if (!raw.length) {
+                resolve(undefined);
+                return;
+            }
+            try {
+                resolve(JSON.parse(raw));
+            }
+            catch {
+                reject(new Error("Invalid JSON body"));
+            }
+        });
+        req.on("error", reject);
+    });
+}
+/**
+ * Handle a single Streamable-HTTP request in *stateless* mode: a fresh server +
+ * transport per request, no session reuse (sessionIdGenerator: undefined).
+ *
+ * Authentication precedence:
+ *   1. `Authorization: Bearer <token>` → OAuth mode. The token is forwarded
+ *      verbatim to `/v1`; this server does not verify it (dumb forwarder). If
+ *      `/v1` rejects it with 401, the response is relayed as 401 + a
+ *      `WWW-Authenticate` challenge so the client re-authenticates.
+ *   2. `x-api-key` header (or process `PILOT_STATUS_API_KEY` fallback) → API-key
+ *      mode (back-compat).
+ *   3. Neither → 401 + `WWW-Authenticate` pointing at the protected-resource
+ *      metadata, which starts the claude.ai OAuth flow.
+ */
+export async function handleMcpRequest(req, res, config) {
+    const method = (req.method ?? "GET").toUpperCase();
+    // Stateless: only POST carries JSON-RPC messages. GET (SSE) and DELETE
+    // (session teardown) are not supported without sessions.
+    if (method !== "POST") {
+        rpcError(res, 405, "Method not allowed (stateless server accepts POST /mcp).");
+        return;
+    }
+    const bearer = parseBearer(headerValue(req.headers["authorization"]));
+    const apiKey = headerValue(req.headers["x-api-key"]) ?? config.apiKey;
+    const apiKeyId = headerValue(req.headers["x-api-key-id"]) ?? config.apiKeyId;
+    if (!bearer && !apiKey && !apiKeyId) {
+        // No credentials at all → challenge so claude.ai starts the OAuth dance.
+        sendJson(res, 401, {
+            error: "unauthorized",
+            error_description: "Authentication required. Provide an OAuth bearer token or an x-api-key header.",
+            resource_metadata: `${config.resourceUrl}${PROTECTED_RESOURCE_METADATA_PATH}`,
+        }, { "WWW-Authenticate": wwwAuthenticateHeader(config) });
+        return;
+    }
+    let body;
+    try {
+        body = await readJsonBody(req);
+    }
+    catch (err) {
+        rpcError(res, 400, err instanceof Error ? err.message : "Invalid request body");
+        return;
+    }
+    // Track an upstream 401 seen during bearer-mode tool calls so we can rewrite
+    // the committed response into a re-auth challenge.
+    const authState = { unauthorized: false };
+    const server = bearer
+        ? buildServer({
+            baseUrl: config.baseUrl,
+            bearer,
+            onBearerUnauthorized: () => {
+                authState.unauthorized = true;
+            },
+        })
+        : buildServer({ baseUrl: config.baseUrl, apiKey, apiKeyId });
+    if (bearer) {
+        applyBearerUnauthorizedInterceptor(res, () => authState.unauthorized, wwwAuthenticateHeader(config));
+    }
+    const transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: undefined,
+    });
+    res.on("close", () => {
+        void transport.close();
+        void server.close();
+    });
+    await server.connect(transport);
+    await transport.handleRequest(req, res, body);
+}
+/** Create (but do not start) the node:http server for the HTTP transport. */
+export function createHttpServer(config) {
+    return createServer((req, res) => {
+        applyCors(res);
+        const method = (req.method ?? "GET").toUpperCase();
+        const path = (req.url ?? "/").split("?")[0];
+        // CORS preflight.
+        if (method === "OPTIONS") {
+            res.writeHead(204);
+            res.end();
+            return;
+        }
+        // OAuth 2.1 protected-resource metadata (RFC 9728) — discovery entrypoint
+        // for the claude.ai custom connector.
+        if (path === PROTECTED_RESOURCE_METADATA_PATH) {
+            if (method !== "GET" && method !== "HEAD") {
+                sendJson(res, 405, { error: "Method not allowed" });
+                return;
+            }
+            sendJson(res, 200, protectedResourceMetadata(config));
+            return;
+        }
+        if (path === "/health" || path === "/healthz") {
+            sendJson(res, 200, { status: "ok", transport: "http" });
+            return;
+        }
+        if (path !== MCP_PATH) {
+            sendJson(res, 404, { error: "Not found", path });
+            return;
+        }
+        handleMcpRequest(req, res, config).catch((err) => {
+            if (!res.headersSent) {
+                rpcError(res, 500, err instanceof Error ? err.message : "Internal server error");
+            }
+            else {
+                res.end();
+            }
+        });
+    });
+}
+/** Start the HTTP transport and resolve once it is listening. */
+export function startHttpServer(config) {
+    const httpServer = createHttpServer(config);
+    return new Promise((resolve) => {
+        httpServer.listen(config.port, config.host, () => {
+            // stderr — stdout is reserved for the stdio protocol in the other mode.
+            console.error(`[mcp] Pilot Status MCP server (HTTP) listening on http://${config.host}:${config.port}${MCP_PATH}`);
+            resolve(httpServer);
+        });
+    });
+}
+//# sourceMappingURL=http-transport.js.map

package/dist/lib/http-transport.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-transport.js","sourceRoot":"","sources":["../../src/lib/http-transport.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,YAAY,GAIf,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACnG,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAuB,MAAM,aAAa,CAAC;AAEpE,MAAM,QAAQ,GAAG,MAAM,CAAC;AACxB,iDAAiD;AACjD,MAAM,gCAAgC,GAAG,uCAAuC,CAAC;AACjF,MAAM,cAAc,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ;AAEhD,SAAS,WAAW,CAAC,KAAoC;IACrD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1C,OAAO,KAAK,CAAC;AACjB,CAAC;AAED,SAAS,QAAQ,CACb,GAAmB,EACnB,MAAc,EACd,IAAa,EACb,YAAqC;IAErC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACrC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC;IAC/E,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACrB,CAAC;AAED,iFAAiF;AACjF,SAAS,SAAS,CAAC,GAAmB;IAClC,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;IAClD,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,oBAAoB,CAAC,CAAC;IACpE,GAAG,CAAC,SAAS,CACT,8BAA8B,EAC9B,iIAAiI,CACpI,CAAC;IACF,2EAA2E;IAC3E,GAAG,CAAC,SAAS,CAAC,+BAA+B,EAAE,kCAAkC,CAAC,CAAC;AACvF,CAAC;AAED,wEAAwE;AACxE,SAAS,WAAW,CAAC,MAA0B;IAC3C,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;IACjC,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACrC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAsB;IACxD,OAAO,6BAA6B,MAAM,CAAC,WAAW,GAAG,gCAAgC,GAAG,CAAC;AACjG,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,yBAAyB,CAAC,MAAsB;IAM5D,OAAO;QACH,QAAQ,EAAE,MAAM,CAAC,WAAW;QAC5B,qBAAqB,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC;QAC7C,wBAAwB,EAAE,CAAC,QAAQ,CAAC;QACpC,gBAAgB,EAAE,CAAC,GAAG,gBAAgB,CAAC;KAC1C,CAAC;AACN,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kCAAkC,CAC9C,GAAmB,EACnB,cAA6B,EAC7B,eAAuB;IAEvB,MAAM,QAAQ,GAAG,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxC,GAAkD,CAAC,SAAS,GAAG,CAAC,CAC7D,UAAkB,EAClB,IAAc,EACd,IAAc,EAChB,EAAE;QACA,IAAI,cAAc,EAAE,EAAE,CAAC;YACnB,MAAM,OAAO,GACT,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;gBAC5B,CAAC,CAAC,EAAE,GAAI,IAAgC,EAAE;gBAC1C,CAAC,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;oBAChC,CAAC,CAAC,EAAE,GAAI,IAAgC,EAAE;oBAC1C,CAAC,CAAC,EAAE,CAAC;YACf,OAAO,CAAC,kBAAkB,CAAC,GAAG,eAAe,CAAC;YAC9C,OAAO,QAAQ,CAAC,GAAG,EAAE,OAAiC,CAAC,CAAC;QAC5D,CAAC;QACD,OAAQ,QAAgD,CACpD,UAAU,EACV,IAAI,EACJ,IAAI,CACP,CAAC;IACN,CAAC,CAAgC,CAAC;AACtC,CAAC;AAED,2EAA2E;AAC3E,SAAS,QAAQ,CAAC,GAAmB,EAAE,MAAc,EAAE,OAAe;IAClE,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE;QAClB,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE;QAChC,EAAE,EAAE,IAAI;KACX,CAAC,CAAC;AACP,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,GAAoB;IAC5C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACnC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,IAAI,GAAG,CAAC,CAAC;QACb,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC7B,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC;YACrB,IAAI,IAAI,GAAG,cAAc,EAAE,CAAC;gBACxB,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;gBAC5C,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,OAAO;YACX,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACf,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACnD,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;gBACd,OAAO,CAAC,SAAS,CAAC,CAAC;gBACnB,OAAO;YACX,CAAC;YACD,IAAI,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;YAC7B,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC,CAAC;YAC3C,CAAC;QACL,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACP,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAClC,GAAoB,EACpB,GAAmB,EACnB,MAAsB;IAEtB,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IAEnD,uEAAuE;IACvE,yDAAyD;IACzD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACpB,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,0DAA0D,CAAC,CAAC;QAC/E,OAAO;IACX,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC;IACtE,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC;IAE7E,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClC,yEAAyE;QACzE,QAAQ,CACJ,GAAG,EACH,GAAG,EACH;YACI,KAAK,EAAE,cAAc;YACrB,iBAAiB,EACb,gFAAgF;YACpF,iBAAiB,EAAE,GAAG,MAAM,CAAC,WAAW,GAAG,gCAAgC,EAAE;SAChF,EACD,EAAE,kBAAkB,EAAE,qBAAqB,CAAC,MAAM,CAAC,EAAE,CACxD,CAAC;QACF,OAAO;IACX,CAAC;IAED,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACD,IAAI,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACX,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC;QAChF,OAAO;IACX,CAAC;IAED,6EAA6E;IAC7E,mDAAmD;IACnD,MAAM,SAAS,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM;QACjB,CAAC,CAAC,WAAW,CAAC;YACR,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,MAAM;YACN,oBAAoB,EAAE,GAAG,EAAE;gBACvB,SAAS,CAAC,YAAY,GAAG,IAAI,CAAC;YAClC,CAAC;SACJ,CAAC;QACJ,CAAC,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;IAEjE,IAAI,MAAM,EAAE,CAAC;QACT,kCAAkC,CAC9B,GAAG,EACH,GAAG,EAAE,CAAC,SAAS,CAAC,YAAY,EAC5B,qBAAqB,CAAC,MAAM,CAAC,CAChC,CAAC;IACN,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;QAChD,kBAAkB,EAAE,SAAS;KAChC,CAAC,CAAC;IAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QACjB,KAAK,SAAS,CAAC,KAAK,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;AAClD,CAAC;AAED,6EAA6E;AAC7E,MAAM,UAAU,gBAAgB,CAAC,MAAsB;IACnD,OAAO,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC7B,SAAS,CAAC,GAAG,CAAC,CAAC;QACf,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACnD,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAE5C,kBAAkB;QAClB,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACvB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACnB,GAAG,CAAC,GAAG,EAAE,CAAC;YACV,OAAO;QACX,CAAC;QAED,0EAA0E;QAC1E,sCAAsC;QACtC,IAAI,IAAI,KAAK,gCAAgC,EAAE,CAAC;YAC5C,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACxC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;gBACpD,OAAO;YACX,CAAC;YACD,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,yBAAyB,CAAC,MAAM,CAAC,CAAC,CAAC;YACtD,OAAO;QACX,CAAC;QAED,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;YAC5C,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;YACxD,OAAO;QACX,CAAC;QAED,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACpB,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;YACjD,OAAO;QACX,CAAC;QAED,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YAC7C,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACnB,QAAQ,CACJ,GAAG,EACH,GAAG,EACH,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAC/D,CAAC;YACN,CAAC;iBAAM,CAAC;gBACJ,GAAG,CAAC,GAAG,EAAE,CAAC;YACd,CAAC;QACL,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;AACP,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,eAAe,CAAC,MAAsB;IAClD,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC3B,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;YAC7C,wEAAwE;YACxE,OAAO,CAAC,KAAK,CACT,4DAA4D,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,GAAG,QAAQ,EAAE,CACtG,CAAC;YACF,OAAO,CAAC,UAAU,CAAC,CAAC;QACxB,CAAC,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/lib/register.d.ts

@@ -0,0 +1,28 @@
+import type { ApiClient } from "./api-client.js";
+/**
+ * Minimal structural surface a tool-registry target must satisfy. The real
+ * MCP `McpServer` matches it; tests can pass a lightweight fake to assert
+ * registration without constructing the SDK server (and without importing it).
+ */
+export interface ToolRegistrar {
+    tool(name: string, description: string, paramsSchema: Record<string, unknown>, cb: (args: Record<string, unknown>) => Promise<unknown>): unknown;
+}
+/**
+ * Generic per-call number selector. Number-scoped endpoints normally resolve the
+ * target number from a number-scoped API key. Under an OAuth/tenant token there
+ * is no number scope, so callers pass `whatsappNumberId`; we strip it from the
+ * tool args and attach it as the `x-whatsapp-number-id` request header instead
+ * (see {@link ApiClient.withNumber}). Tools that already declare the field in
+ * their own schema (e.g. `api_keys_create`, where it is a body field) keep it.
+ */
+export declare const NUMBER_SELECTOR_KEY = "whatsappNumberId";
+/** Serialize a thrown error into the text payload of an MCP tool error result. */
+export declare function formatToolError(err: unknown): string;
+/**
+ * Register every tool from the registry onto the given server, wiring each to
+ * the shared {@link ApiClient}. Tool results are returned as JSON text content;
+ * thrown {@link ApiError}s become `isError` results so the model sees the
+ * status/code instead of the connection dropping.
+ */
+export declare function registerTools(server: ToolRegistrar, client: ApiClient): void;
+//# sourceMappingURL=register.d.ts.map

package/dist/lib/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/lib/register.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAIjD;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC1B,IAAI,CACA,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACrC,EAAE,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,OAAO,CAAC,GACxD,OAAO,CAAC;CACd;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,mBAAmB,qBAAqB,CAAC;AAYtD,kFAAkF;AAClF,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CASpD;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,SAAS,GAAG,IAAI,CA0C5E"}

package/dist/lib/register.js

@@ -0,0 +1,69 @@
+import { z } from "zod";
+import { ApiError } from "./api-client.js";
+import { tools } from "../tools/index.js";
+/**
+ * Generic per-call number selector. Number-scoped endpoints normally resolve the
+ * target number from a number-scoped API key. Under an OAuth/tenant token there
+ * is no number scope, so callers pass `whatsappNumberId`; we strip it from the
+ * tool args and attach it as the `x-whatsapp-number-id` request header instead
+ * (see {@link ApiClient.withNumber}). Tools that already declare the field in
+ * their own schema (e.g. `api_keys_create`, where it is a body field) keep it.
+ */
+export const NUMBER_SELECTOR_KEY = "whatsappNumberId";
+const numberSelectorSchema = z
+    .string()
+    .min(1)
+    .optional()
+    .describe("Target WhatsApp number id for number-scoped endpoints. Required when authenticating " +
+    "with an OAuth/tenant token (sent as the x-whatsapp-number-id header); ignored when the " +
+    "API key is already scoped to a single number.");
+/** Serialize a thrown error into the text payload of an MCP tool error result. */
+export function formatToolError(err) {
+    if (err instanceof ApiError) {
+        return JSON.stringify(err.toJSON(), null, 2);
+    }
+    return JSON.stringify({ error: err instanceof Error ? err.message : String(err) }, null, 2);
+}
+/**
+ * Register every tool from the registry onto the given server, wiring each to
+ * the shared {@link ApiClient}. Tool results are returned as JSON text content;
+ * thrown {@link ApiError}s become `isError` results so the model sees the
+ * status/code instead of the connection dropping.
+ */
+export function registerTools(server, client) {
+    for (const tool of tools) {
+        // The tool owns the field (it is meaningful in the body) → leave args
+        // untouched. Otherwise inject an optional selector that we lift into the
+        // request header and strip from the handler args.
+        const ownsSelector = NUMBER_SELECTOR_KEY in tool.inputSchema;
+        const schema = ownsSelector
+            ? tool.inputSchema
+            : { ...tool.inputSchema, [NUMBER_SELECTOR_KEY]: numberSelectorSchema };
+        server.tool(tool.name, tool.description, schema, async (args) => {
+            try {
+                const incoming = args ?? {};
+                const selector = incoming[NUMBER_SELECTOR_KEY];
+                const scopedClient = typeof selector === "string" && selector.length > 0
+                    ? client.withNumber(selector)
+                    : client;
+                let handlerArgs = incoming;
+                if (!ownsSelector && NUMBER_SELECTOR_KEY in incoming) {
+                    handlerArgs = { ...incoming };
+                    delete handlerArgs[NUMBER_SELECTOR_KEY];
+                }
+                const data = await tool.handler(scopedClient, handlerArgs);
+                const text = typeof data === "string"
+                    ? data
+                    : JSON.stringify(data, null, 2);
+                return { content: [{ type: "text", text }] };
+            }
+            catch (err) {
+                return {
+                    content: [{ type: "text", text: formatToolError(err) }],
+                    isError: true,
+                };
+            }
+        });
+    }
+}
+//# sourceMappingURL=register.js.map

package/dist/lib/register.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.js","sourceRoot":"","sources":["../../src/lib/register.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAgB1C;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,kBAAkB,CAAC;AAEtD,MAAM,oBAAoB,GAAG,CAAC;KACzB,MAAM,EAAE;KACR,GAAG,CAAC,CAAC,CAAC;KACN,QAAQ,EAAE;KACV,QAAQ,CACL,sFAAsF;IAClF,yFAAyF;IACzF,+CAA+C,CACtD,CAAC;AAEN,kFAAkF;AAClF,MAAM,UAAU,eAAe,CAAC,GAAY;IACxC,IAAI,GAAG,YAAY,QAAQ,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CACjB,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAC3D,IAAI,EACJ,CAAC,CACJ,CAAC;AACN,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,MAAqB,EAAE,MAAiB;IAClE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACvB,sEAAsE;QACtE,yEAAyE;QACzE,kDAAkD;QAClD,MAAM,YAAY,GAAG,mBAAmB,IAAI,IAAI,CAAC,WAAW,CAAC;QAC7D,MAAM,MAAM,GAAG,YAAY;YACvB,CAAC,CAAC,IAAI,CAAC,WAAW;YAClB,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,mBAAmB,CAAC,EAAE,oBAAoB,EAAE,CAAC;QAE3E,MAAM,CAAC,IAAI,CACP,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,WAAW,EAChB,MAAM,EACN,KAAK,EAAE,IAA6B,EAAE,EAAE;YACpC,IAAI,CAAC;gBACD,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC;gBAC5B,MAAM,QAAQ,GAAG,QAAQ,CAAC,mBAAmB,CAAC,CAAC;gBAC/C,MAAM,YAAY,GACd,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;oBAC/C,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC;oBAC7B,CAAC,CAAC,MAAM,CAAC;gBACjB,IAAI,WAAW,GAAG,QAAQ,CAAC;gBAC3B,IAAI,CAAC,YAAY,IAAI,mBAAmB,IAAI,QAAQ,EAAE,CAAC;oBACnD,WAAW,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;oBAC9B,OAAO,WAAW,CAAC,mBAAmB,CAAC,CAAC;gBAC5C,CAAC;gBACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;gBAC3D,MAAM,IAAI,GACN,OAAO,IAAI,KAAK,QAAQ;oBACpB,CAAC,CAAC,IAAI;oBACN,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;gBACxC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YACjD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACX,OAAO;oBACH,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;oBACvD,OAAO,EAAE,IAAI;iBAChB,CAAC;YACN,CAAC;QACL,CAAC,CACJ,CAAC;IACN,CAAC;AACL,CAAC"}

package/dist/lib/server.d.ts

@@ -0,0 +1,16 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export { registerTools, formatToolError, type ToolRegistrar } from "./register.js";
+export interface BuildServerOptions {
+    baseUrl: string;
+    apiKey?: string;
+    apiKeyId?: string;
+    /** OAuth 2.1 bearer token (forwarded to /v1; takes precedence over apiKey). */
+    bearer?: string;
+    /** Called when an upstream bearer-mode request returns HTTP 401. */
+    onBearerUnauthorized?: () => void;
+    /** Overridable fetch (tests / custom runtimes). */
+    fetchImpl?: typeof fetch;
+}
+/** Build a fully-wired MCP server instance for one connection / request. */
+export declare function buildServer(options: BuildServerOptions): McpServer;
+//# sourceMappingURL=server.d.ts.map

package/dist/lib/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/lib/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAKpE,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,KAAK,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnF,MAAM,WAAW,kBAAkB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oEAAoE;IACpE,oBAAoB,CAAC,EAAE,MAAM,IAAI,CAAC;IAClC,mDAAmD;IACnD,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CAC5B;AAED,4EAA4E;AAC5E,wBAAgB,WAAW,CAAC,OAAO,EAAE,kBAAkB,GAAG,SAAS,CAelE"}

package/dist/lib/server.js

@@ -0,0 +1,23 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { ApiClient } from "./api-client.js";
+import { SERVER_NAME, SERVER_VERSION } from "./config.js";
+import { registerTools } from "./register.js";
+export { registerTools, formatToolError } from "./register.js";
+/** Build a fully-wired MCP server instance for one connection / request. */
+export function buildServer(options) {
+    const client = new ApiClient({
+        baseUrl: options.baseUrl,
+        apiKey: options.apiKey,
+        apiKeyId: options.apiKeyId,
+        bearer: options.bearer,
+        onBearerUnauthorized: options.onBearerUnauthorized,
+        fetchImpl: options.fetchImpl,
+    });
+    const server = new McpServer({
+        name: SERVER_NAME,
+        version: SERVER_VERSION,
+    });
+    registerTools(server, client);
+    return server;
+}
+//# sourceMappingURL=server.js.map

package/dist/lib/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/lib/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAsB,MAAM,eAAe,CAAC;AAElE,OAAO,EAAE,aAAa,EAAE,eAAe,EAAsB,MAAM,eAAe,CAAC;AAcnF,4EAA4E;AAC5E,MAAM,UAAU,WAAW,CAAC,OAA2B;IACnD,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QACzB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,oBAAoB,EAAE,OAAO,CAAC,oBAAoB;QAClD,SAAS,EAAE,OAAO,CAAC,SAAS;KAC/B,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QACzB,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,cAAc;KAC1B,CAAC,CAAC;IACH,aAAa,CAAC,MAAkC,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,MAAM,CAAC;AAClB,CAAC"}

package/dist/tools/analytics.d.ts

@@ -0,0 +1,3 @@
+import { type ToolDef } from "./types.js";
+export declare const analyticsTools: ToolDef[];
+//# sourceMappingURL=analytics.d.ts.map

package/dist/tools/analytics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analytics.d.ts","sourceRoot":"","sources":["../../src/tools/analytics.ts"],"names":[],"mappings":"AACA,OAAO,EAAyB,KAAK,OAAO,EAAE,MAAM,YAAY,CAAC;AAuBjE,eAAO,MAAM,cAAc,EAAE,OAAO,EAAyB,CAAC"}

package/dist/tools/analytics.js

@@ -0,0 +1,22 @@
+import { z } from "zod";
+import { defineTool, pickQuery } from "./types.js";
+const analyticsDashboard = defineTool({
+    name: "analytics_dashboard",
+    description: "Get message analytics (sent/delivered/read/failed series + totals) for the key's WhatsApp " +
+        "number via GET /v1/analytics/dashboard. Number-scoped API key required.",
+    inputSchema: {
+        period: z
+            .enum(["7d", "30d", "90d"])
+            .optional()
+            .describe("Reporting window (default 30d)"),
+        timezone: z
+            .string()
+            .optional()
+            .describe("IANA timezone for day bucketing (default UTC)"),
+    },
+    handler: (client, args) => client.get("/v1/analytics/dashboard", {
+        query: pickQuery(args, ["period", "timezone"]),
+    }),
+});
+export const analyticsTools = [analyticsDashboard];
+//# sourceMappingURL=analytics.js.map

package/dist/tools/analytics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analytics.js","sourceRoot":"","sources":["../../src/tools/analytics.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,SAAS,EAAgB,MAAM,YAAY,CAAC;AAEjE,MAAM,kBAAkB,GAAG,UAAU,CAAC;IAClC,IAAI,EAAE,qBAAqB;IAC3B,WAAW,EACP,4FAA4F;QAC5F,yEAAyE;IAC7E,WAAW,EAAE;QACT,MAAM,EAAE,CAAC;aACJ,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;aAC1B,QAAQ,EAAE;aACV,QAAQ,CAAC,gCAAgC,CAAC;QAC/C,QAAQ,EAAE,CAAC;aACN,MAAM,EAAE;aACR,QAAQ,EAAE;aACV,QAAQ,CAAC,+CAA+C,CAAC;KACjE;IACD,OAAO,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,CACtB,MAAM,CAAC,GAAG,CAAC,yBAAyB,EAAE;QAClC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;KACjD,CAAC;CACT,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,cAAc,GAAc,CAAC,kBAAkB,CAAC,CAAC"}

package/dist/tools/api-keys.d.ts

@@ -0,0 +1,3 @@
+import { type ToolDef } from "./types.js";
+export declare const apiKeyTools: ToolDef[];
+//# sourceMappingURL=api-keys.d.ts.map

package/dist/tools/api-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-keys.d.ts","sourceRoot":"","sources":["../../src/tools/api-keys.ts"],"names":[],"mappings":"AACA,OAAO,EAAc,KAAK,OAAO,EAAE,MAAM,YAAY,CAAC;AAqCtD,eAAO,MAAM,WAAW,EAAE,OAAO,EAAiC,CAAC"}