@sassoftware/sas-score-mcp-serverjs 1.0.1-3 → 1.0.1-31

package/src/expressMcpServer.js

@@ -9,6 +9,7 @@ import cors from "cors";
 import bodyParser from "body-parser";
 import selfsigned from "selfsigned";
 import openAPIJson from "./openAPIJson.js";
+import createMcpServer from "./createMcpServer.js";
 
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { randomUUID } from "node:crypto";
@@ -21,7 +22,7 @@ import processHeaders from "./processHeaders.js";
 
 // setup express server
 
-async function expressMcpServer(mcpServer, cache, baseAppEnvContext) {
+async function expressMcpServer(_mcpServer, cache, baseAppEnvContext) {
   // setup for change to persistence session
   cache.del("headerCache");
   const app = express();
@@ -50,6 +51,10 @@ async function expressMcpServer(mcpServer, cache, baseAppEnvContext) {
   const pkceStore = new Map(); // ourState -> { codeVerifier, clientRedirectUri, clientState }
   const codeStore = new Map(); // ourCode   -> { access_token, refresh_token, expires_in }
 
+  // Per-session transports — each initialize creates its own transport
+  const transports = new Map(); // sessionId -> transport
+  cache.set("transports", transports);
+
   app.get('/.well-known/oauth-protected-resource', (req, res) => {
     let payload = {
       resource: `${baseAppEnvContext.mcpHost}/mcp`,
@@ -152,67 +157,54 @@ async function expressMcpServer(mcpServer, cache, baseAppEnvContext) {
 
   // process mcp endpoint requests
   const handleRequest = async (req, res) => {
-    let transport = null;
-    let transports = cache.get("transports");
     console.error("=========================================================");
     console.error("Processing POST /mcp request");
-    if (transports == null) {
-      console.error("[Error] ***** transports cache is null. This is an error");
-      transports = {};
-      cache.set("transports", transports);
-    }
-
-    console.error("current transports in cache:", Object.keys(transports));
+    console.error("current active sessions:", transports.size);
     try {
 
       let sessionId = req.headers["mcp-session-id"];
       console.error("[Note]Incoming session ID:", sessionId);
       let body = (req.body == null) ? 'no body' : JSON.stringify(req.body);
       console.error('[Note] Payload is ', body);
-      if (/*!sessionId &&*/ isInitializeRequest(req.body)) {
-        // create transport
-        console.error("[Note] Initializing new transport for MCP session...");
-
-        transport = new StreamableHTTPServerTransport({
+     
+      if (isInitializeRequest(req.body)) {
+        console.error("[Note]>>>>>>>>>>>>>>>>>>>>>>>>>  Creating  new MCP server");
+        let mcpServer = await createMcpServer(cache, baseAppEnvContext);
+        // New session — create a dedicated transport
+        console.error("[Note] Initializing new session with fresh transport...");
+        const isInitRequest = req.body?.method === 'initialize';
+
+        const transport = new StreamableHTTPServerTransport({
           sessionIdGenerator: () => randomUUID(),
           enableJsonResponse: true,
-          enableDnsRebindingProtection: true,
-          onsessioninitialized: (sessionId) => {
-            // Store the transport by session ID
-            console.error('Session initialized');
-            console.error("[Note] Transport initialized with ID:", sessionId);
-            transports[sessionId] = transport;
+          onsessioninitialized: (newSessionId) => {
+            console.error("[Note] Session initialized with ID:", newSessionId);
+            transports.set(newSessionId, transport);
+            cache.set("transports", transports);
+            console.error("[Note] Total active sessions:", Object.keys(transports));
           },
         });
-        // Clean up transport when closed
         transport.onclose = () => {
-          if (transport.sessionId && transports[transport.sessionId]) {
-            delete transports[transport.sessionId];
+          if (transport.sessionId) {
+            console.error("[Note] Session closed, removing transport:", transport.sessionId);
+            transports.delete(transport.sessionId);
+            cache.del(transport.sessionId);
           }
         };
-        console.error("[Note] Connecting mcpServer to new transport...");
         await mcpServer.connect(transport);
-
-        // Save transport data and app context for use in tools
-        console.error('[Note] Connected to mcpServer');
-        cache.set("transports", transports);
         console.error("=======================================================");
         return await transport.handleRequest(req, res, req.body);
 
-        // cache transport
-
       } else if (sessionId != null) {
-        console.error('[Note] Incoming session ID:', sessionId);
-        transport = transports[sessionId];
-        console.error("[Note] Found transport:", transport != null);
-        if (transport == null) {
-          // this can happen if client is holding on to old session id 
-          console.error("[Error] No transport found for session ID:", sessionId, "Returning a 404 error with instructions for the user");
-          res.status(404).send(`Invalid or missing session ID ${sessionId}. Please ensure your MCP client is configured to use the correct session ID returned in the 'mcp-session-id' header of the response from the /mcp endpoint.`);
-          return;
+        const transport = transports.get(sessionId);
+        if (!transport) {
+          console.error("[Note] Unknown session ID:", sessionId);
+          return res.status(404).json({ jsonrpc: "2.0", error: { code: -32000, message: "Session not found. Please re-initialize." }, id: null });
         }
+        console.error('[Note] Incoming session ID:', sessionId);
+        console.error("[Note] Using transport for session ID:", sessionId);
 
-        // post the curren session - used to pass _appContext to tools
+        // post the current session - used to pass _appContext to tools
         cache.set("currentId", sessionId);
 
         // get app context for session
@@ -230,7 +222,6 @@ async function expressMcpServer(mcpServer, cache, baseAppEnvContext) {
           _appContext = Object.assign(_appContext, headerCache);
           cache.set(sessionId, _appContext);
         }
-        console.error("[Note] Using existing transport for session ID:", sessionId);
         console.error("==========================================================");
         await transport.handleRequest(req, res, req.body);
         return;
@@ -260,21 +251,28 @@ async function expressMcpServer(mcpServer, cache, baseAppEnvContext) {
     const sessionId = req.headers["mcp-session-id"];
     console.error("[Note] SessionId:", sessionId);
 
-    let transports = cache.get("transports");
-    let transport = (sessionId == null) ? null : transports[sessionId];
-    console.error("[Note] Transport found:", transport != null);
-    if (!sessionId || transport == null) {
-      res.status(404).send(`[Error] In ${req.method}: Invalid or missing session ID ${sessionId}`);
-      return;
+    if (!sessionId) {
+      console.error("[Note] No session ID on /DELETE — rejecting");
+      return res.status(400).json({ jsonrpc: "2.0", error: { code: -32000, message: "Bad Request: Mcp-Session-Id header is required" }, id: null });
     }
+
+    const transport = transports.get(sessionId);
+    if (!transport) {
+      console.error("[Note] Unknown session ID:", sessionId);
+      return res.status(404).json({ jsonrpc: "2.0", error: { code: -32000, message: "Session not found. Please re-initialize." }, id: null });
+    }
+
     if (req.method === "GET") {
+      console.error("[Note] calling transport.handleRequest for GET /mcp");
       await transport.handleRequest(req, res);
       return;
     }
-    if (req.method === "DELETE" && sessionId != null) {
+    if (req.method === "DELETE") {
       console.error("[Note] Deleting transport and cache for session ID:", sessionId);
-      delete transports[sessionId];
+      transports.delete(sessionId);
       cache.del(sessionId);
+      console.error("[Note] Deleted session ID:", sessionId);
+      console.error("[Note] Total active sessions:", Object.keys(transports));
       res.status(201).send(`[Info] Deleted session ${sessionId}`);
     }
   }

package/src/oauthHandlers/authorize.js

@@ -1,4 +1,7 @@
-//authorize
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 import { randomBytes, createHash } from "node:crypto";
 import baseUrl from "./baseUrl.js";
 

package/src/oauthHandlers/baseUrl.js

@@ -1,3 +1,7 @@
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 function baseUrl(appContext) {
     const protocol = appContext.HTTPS === "TRUE" ? "https" : "http";
     //const host = "localhost";

package/src/oauthHandlers/callback.js

@@ -1,3 +1,7 @@
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 import baseUrl from "./baseUrl.js";
 import { Agent, fetch as undiciFetch } from "undici";
 import { randomUUID } from "node:crypto";
@@ -75,7 +79,7 @@ async function callback(req, res, pkceStore, codeStore, appContext) {
     // which was part of the payload from the client to /oauth/authorize
     // we trust since it was associated with the valid PKCE state
     console.error("[Note] OAuth callback complete, redirecting to MCP client");
-    console.log(pending.clientRedirectUri.toString())
+    console.error(pending.clientRedirectUri.toString())
     return res.redirect(`${pending.clientRedirectUri}?${redirectParams}`);
   } catch (err) {
     console.error("[Error] OAuth callback handler error:", err);

package/src/oauthHandlers/getMetadata.js

@@ -1,3 +1,7 @@
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 import baseUrl from "./baseUrl.js";
 function getMetadata(req, res, appEnvContext) {
     let base = '';

package/src/oauthHandlers/index.js

@@ -1,3 +1,7 @@
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 import authorize from "./authorize.js";
 import callback from "./callback.js";   
 import token from "./token.js";

package/src/oauthHandlers/token.js

@@ -1,3 +1,7 @@
+/*
+ * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
 function token(req, res, appContext, codeStore, cache) {
   console.error("===============================================================");
   console.error("[Note] at /token endpoint");

package/src/openApi.yaml

@@ -1,121 +1,121 @@
-swagger: "2.0"
-info:
-  title: SAS Viya Sample MCP Server API
-  version: "1.0.0"
-  description: API for interacting with the SAS Viya Sample MCP Server.
-host: localhost:8080
-basePath: /
-schemes:
-  - http
-  - https
-consumes:
-  - application/json
-produces:
-  - application/json
-paths:
-  /health:
-    get:
-      summary: Health check
-      description: Returns health and version information.
-      responses:
-        200:
-          description: Health information
-          schema:
-            type: object
-            properties:
-              name:
-                type: string
-              version:
-                type: string
-              description:
-                type: string
-              endpoints:
-                type: object
-              usage:
-                type: string
-  /apiMeta:
-    get:
-      summary: API metadata
-      description: Returns the OpenAPI specification for this server.
-      responses:
-        200:
-          description: OpenAPI document
-          schema:
-            type: object
-  /mcp:
-    options:
-      summary: CORS preflight
-      description: CORS preflight endpoint.
-      responses:
-        204:
-          description: No Content
-    post:
-      summary: MCP request
-      description: Handles MCP JSON-RPC requests.
-      parameters:
-        - name: body
-          in: body
-          required: true
-          schema:
-            type: object
-        - name: Authorization
-          in: header
-          required: false
-          type: string
-          description: Bearer token for authentication
-        - name: X-VIYA-SERVER
-          in: header
-          required: false
-          type: string
-          description: Override VIYA server
-        - name: X-REFRESH-TOKEN
-          in: header
-          required: false
-          type: string
-          description: Refresh token for authentication
-        - name: mcp-session-id
-          in: header
-          required: false
-          type: string
-          description: Session ID
-      responses:
-        200:
-          description: MCP response
-          schema:
-            type: object
-        500:
-          description: Server error
-          schema:
-            type: object
-    get:
-      summary: Get MCP session
-      description: Retrieves information for an MCP session.
-      parameters:
-        - name: mcp-session-id
-          in: header
-          required: true
-          type: string
-          description: Session ID
-      responses:
-        200:
-          description: Session information
-          schema:
-            type: object
-        400:
-          description: Invalid or missing session ID
-    delete:
-      summary: Delete MCP session
-      description: Deletes an MCP session.
-      parameters:
-        - name: mcp-session-id
-          in: header
-          required: true
-          type: string
-          description: Session ID
-      responses:
-        200:
-          description: Session deleted
-          schema:
-            type: object
-        400:
-          description: Invalid or missing session ID
+swagger: "2.0"
+info:
+  title: SAS Viya Sample MCP Server API
+  version: "1.0.0"
+  description: API for interacting with the SAS Viya Sample MCP Server.
+host: localhost:8080
+basePath: /
+schemes:
+  - http
+  - https
+consumes:
+  - application/json
+produces:
+  - application/json
+paths:
+  /health:
+    get:
+      summary: Health check
+      description: Returns health and version information.
+      responses:
+        200:
+          description: Health information
+          schema:
+            type: object
+            properties:
+              name:
+                type: string
+              version:
+                type: string
+              description:
+                type: string
+              endpoints:
+                type: object
+              usage:
+                type: string
+  /apiMeta:
+    get:
+      summary: API metadata
+      description: Returns the OpenAPI specification for this server.
+      responses:
+        200:
+          description: OpenAPI document
+          schema:
+            type: object
+  /mcp:
+    options:
+      summary: CORS preflight
+      description: CORS preflight endpoint.
+      responses:
+        204:
+          description: No Content
+    post:
+      summary: MCP request
+      description: Handles MCP JSON-RPC requests.
+      parameters:
+        - name: body
+          in: body
+          required: true
+          schema:
+            type: object
+        - name: Authorization
+          in: header
+          required: false
+          type: string
+          description: Bearer token for authentication
+        - name: X-VIYA-SERVER
+          in: header
+          required: false
+          type: string
+          description: Override VIYA server
+        - name: X-REFRESH-TOKEN
+          in: header
+          required: false
+          type: string
+          description: Refresh token for authentication
+        - name: mcp-session-id
+          in: header
+          required: false
+          type: string
+          description: Session ID
+      responses:
+        200:
+          description: MCP response
+          schema:
+            type: object
+        500:
+          description: Server error
+          schema:
+            type: object
+    get:
+      summary: Get MCP session
+      description: Retrieves information for an MCP session.
+      parameters:
+        - name: mcp-session-id
+          in: header
+          required: true
+          type: string
+          description: Session ID
+      responses:
+        200:
+          description: Session information
+          schema:
+            type: object
+        400:
+          description: Invalid or missing session ID
+    delete:
+      summary: Delete MCP session
+      description: Deletes an MCP session.
+      parameters:
+        - name: mcp-session-id
+          in: header
+          required: true
+          type: string
+          description: Session ID
+      responses:
+        200:
+          description: Session deleted
+          schema:
+            type: object
+        400:
+          description: Invalid or missing session ID

package/src/processHeaders.js

@@ -1,5 +1,3 @@
-import { start } from "node:repl";
-
 /*
  * Copyright © 2026, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
  * SPDX-License-Identifier: Apache-2.0
@@ -32,20 +30,25 @@ function processHeaders(req, res, next, cache, appContext) {
   const hdr = req.header("Authorization");
   //for now, ignore Authorization if authflow is not bearer
   let token = (hdr != null) ? hdr.slice(7) : null;
-  //console.error("[Note] Authorization token", token);
   debugger;
-  console.log('>>>',appContext.AUTHFLOW);
+  console.error('[Note} AUTHFLOW=',   appContext.AUTHFLOW);
+  console.error("[Note] External authorization :", appContext.AUTHEXTERNAL);
   if (appContext.AUTHFLOW === 'bearer') {
     debugger;
     let startAuth = false;
-    console.error("[Note] appContext.AUTHEXTERNAL:", appContext.AUTHEXTERNAL);
+    
     if (appContext.AUTHEXTERNAL === true) {
       console.error("[Note] Expecting external authorization"); 
       if (token != null) {
         console.error("[Note] Using user supplied token for authorization");
         headerCache.bearerToken = token;
       } else {
-        startAuth = true;
+        console.error("[Note] No Authorization token provided in header for external authorization.");
+        console.error("[Note] Returning 404 since we are configured for external token and no token provided in header.");
+        return res.status(404).json({
+          error: "unauthorized",
+          error_description: "[Error] Missing token for external authorization."
+        });
       }
     } else  if (token == null) {
       console.error("[Note] No Authorization token provided in header.");
@@ -55,7 +58,7 @@ function processHeaders(req, res, next, cache, appContext) {
       let tokenlist = cache.get("tokenlist");
       let tokenData = tokenlist[token];
       if (tokenData == null) {
-        return res.status(403).json({
+        return res.status(401).json({
           error: "unauthorized",
           error_description: "[Error] Expired token. Clear token and try again."
         });

package/src/setupSkills.js

@@ -4,7 +4,7 @@ import path from 'path';
 import os from 'os';
 import { fileURLToPath } from 'url';
 
-function setupSkills(clientName) {
+function setupSkills(clientName,agentFolder) {
     const __dirname = path.dirname(fileURLToPath(import.meta.url));
     // Paths
     let destination;
@@ -13,10 +13,13 @@ function setupSkills(clientName) {
         destination = path.join(process.cwd(), clientName);
         clientName = clientName.slice(1);
     } else {
-        destination = path.join(os.homedir(), '.' + clientName);
+        destination = path.join(os.homedir(), '.' + clientName );
     }
     
-    const source = path.join(__dirname, `../.skills` + '_' + clientName.toLowerCase());
+    if (agentFolder) {
+        destination = path.join(destination, agentFolder);
+    }
+    const source = path.join(__dirname, `../.skills`);
     console.error("==================================================================");
     console.error(`           Copying ${source} to ${destination}...`);
 
@@ -25,22 +28,24 @@ function setupSkills(clientName) {
         if (!fs.existsSync(to)) fs.mkdirSync(to, { recursive: true });;
         fs.readdirSync(from).forEach(element => {
             const fromPath = path.join(from, element);
-            const toPath = path.join(to, element);
+            let  toPath = path.join(to, element);
+            if (clientName === 'claude' && element === 'copilot-instructions.md') {
+                toPath = path.join(to, 'CLAUDE.md');
+            }
             if (fs.lstatSync(fromPath).isFile()) {
                 console.error(`       📄 Copying file: ${element}`);
                 fs.copyFileSync(fromPath, toPath);
             } else if (fs.lstatSync(fromPath).isDirectory()) {
                 console.error(`📂 Copying folder: ${element}`);
-                copyFolderSync(fromPath, toPath) ;
+                copyFolderSync(fromPath, toPath);
             }
         });
     }
-
     function listExpandedFolder(dir, indent = "") {
         const entries = fs.readdirSync(dir, { withFileTypes: true });
 
         for (const entry of entries) {
-            console.log(indent + entry.name);
+            console.error(indent + entry.name);
 
             if (entry.isDirectory()) {
                 listExpandedFolder(path.join(dir, entry.name), indent + "  ");

package/src/toolHelpers/_findJob.js

@@ -0,0 +1,12 @@
+/*
+ * Copyright © 2025, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import _listJobs from './_listJobs.js';  
+async function _findJob(params) {
+    let r = await _listJobs(params);
+    console.log ("findJob result:" , r);
+    return r;
+}
+export default _findJob;

package/src/toolHelpers/_findJobdef.js

@@ -0,0 +1,10 @@
+/*
+ * Copyright © 2025, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import _listJobdefs from './_listJobdefs.js';  
+async function _findJobdef(params) {
+    return  await _listJobdefs(params);
+}
+export default _findJobdef;

package/src/toolHelpers/_findLibrary.js

@@ -0,0 +1,10 @@
+/*
+ * Copyright © 2025, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import _listLibrary from './_listLibrary.js';  
+async function _findLibrary(params) {
+    return  await _listLibrary(params);
+}
+export default _findLibrary;

package/src/toolHelpers/_findModel.js

@@ -0,0 +1,12 @@
+/*
+ * Copyright © 2025, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import _listModels from './_listModels.js';  
+async function _findModel(params) {
+    let r = await _listModels(params);
+    console.log ("findModel result:" , r);
+    return r;
+}
+export default _findModel;

package/src/toolHelpers/_findTable.js

@@ -0,0 +1,10 @@
+/*
+ * Copyright © 2025, SAS Institute Inc., Cary, NC, USA.  All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import _listTables from './_listTables.js';
+async function _findTable(params) {
+  return await _listTables(params);
+}
+export default _findTable;

package/src/toolHelpers/_listJobs.js

@@ -42,8 +42,9 @@ async function _listJobs(params) {
         names[jname] = {parameters: (value == null) ? {} : value.toJS() };
       }
     });
-
+    console.error('parameters', JSON.stringify(names, null, 2));
     let response  = {jobs: Object.keys(names)};
+    console.error('response', JSON.stringify(response, null, 2));
 
     if (name != null) {
       response = { name: name, parameters: names[name].parameters };

package/src/toolHelpers/_listLibrary.js

@@ -54,7 +54,7 @@ async function _listLibrary(params) {
       if (appControl != null) {
         await deleteSession(appControl);
       }
-      return { isError: true, content: [{ type: 'text', text: JSON.stringify(err) }] };
+      return { isError: true, content: [{ type: 'text', text: (typeof err === 'string') ? err :  JSON.stringify(err) }] };
     }
   }