@sfranalytics/mcp 0.6.2 → 0.6.3

package/README.md

@@ -1,68 +1,54 @@
 # @sfranalytics/mcp
 
-MCP server for [SFR Analytics](https://www.sfranalytics.com) — single-family rental property data, buyer intelligence, and private lending insights for AI assistants.
+MCP server for [SFR Analytics](https://www.sfranalytics.com) — single-family residential property data, buyer intelligence, and private lending insights for AI assistants.
 
 ## Quick Start
 
 ### Claude Code
 
 ```bash
-claude mcp add sfra -- npx -y @sfranalytics/mcp \
-  --env SFR_API_TOKEN=your-sfr-key \
-  --env PLR_API_TOKEN=your-plr-key
+claude mcp add sfranalytics --transport http https://mcp.sfranalytics.com/mcp \
+  -H "SFR-Api-Token: YOUR_SFR_KEY" \
+  -H "PLR-Api-Token: YOUR_PLR_KEY"
 ```
 
+Provide at least one token header (`SFR-Api-Token` or `PLR-Api-Token`).
+
 ### Claude Desktop
 
+Claude Desktop currently uses stdio transport, so use `npx`:
+
 Add to your `claude_desktop_config.json`:
 
 ```json
 {
   "mcpServers": {
-    "sfra": {
+    "sfranalytics": {
       "command": "npx",
       "args": ["-y", "@sfranalytics/mcp"],
       "env": {
-        "SFR_API_TOKEN": "your-sfr-key",
-        "PLR_API_TOKEN": "your-plr-key"
+        "SFR_API_TOKEN": "YOUR_SFR_KEY",
+        "PLR_API_TOKEN": "YOUR_PLR_KEY"
       }
     }
   }
 }
 ```
 
-### Hosted HTTP Transport
+### Other MCP Clients
 
-Run the MCP server over HTTP:
+Use the hosted streamable HTTP endpoint:
 
-```bash
-npm run dev:http
-```
+- Endpoint: `https://mcp.sfranalytics.com/mcp`
+- Headers: `SFR-Api-Token` and/or `PLR-Api-Token`
 
-Connect from Claude Code:
+### Verify Setup
 
-```bash
-claude mcp add sfra-http --transport http http://localhost:3000/mcp \
-  --header "SFR-Api-Token: your-sfr-key" \
-  --header "PLR-Api-Token: your-plr-key"
-```
+After connecting, ask Claude:
 
-Production endpoint example:
+> Check my SFR Analytics connection
 
-```bash
-claude mcp add sfra-http --transport http https://mcp.sfranalytics.com/mcp \
-  --header "SFR-Api-Token: your-sfr-key" \
-  --header "PLR-Api-Token: your-plr-key"
-```
-
-Notes:
-
-- Provide at least one token header (`SFR-Api-Token` or `PLR-Api-Token`).
-- `MCP_ALLOWED_ORIGINS` controls allowed `Origin` headers.
-- `MCP_ALLOWED_HOSTS` controls allowed `Host` headers (recommended for public deployments).
-- `MCP_STRICT_TOKEN_VALIDATION=true` optionally validates token(s) on each MCP request via upstream auth probes.
-- In strict mode, explicit auth failures return `401`; temporary probe outages return `503`.
-- Raw HTTP clients should send `Accept: application/json, text/event-stream`.
+This calls `sfra_health` and confirms your configured API access.
 
 ## API Keys
 
@@ -102,7 +88,47 @@ Get your API keys at [sfranalytics.com](https://www.sfranalytics.com).
 |------|-------------|
 | `sfra_health` | Connectivity check for configured APIs |
 
-## Configuration
+## Example Prompts
+
+The server includes built-in prompts for common workflows:
+
+- **market-screen** — Find top zip codes by investment criteria
+- **buyer-research** — Research a property investor's portfolio and strategy
+- **property-analysis** — Evaluate a property for SFR investment
+- **lending-overview** — Private lending market overview
+- **borrower-outreach** — Build a targeted borrower outreach list
+
+Prompts are scoped to your configured APIs.
+
+<details>
+<summary>Self-Hosted / Local Development</summary>
+
+### Requirements
+
+- Node.js >= 18.0.0
+- An MCP-compatible client (Claude Code, Claude Desktop, etc.)
+
+### Local stdio (npx)
+
+```bash
+npx -y @sfranalytics/mcp
+```
+
+### Local HTTP server
+
+```bash
+npm run dev:http
+```
+
+Connect from Claude Code:
+
+```bash
+claude mcp add sfranalytics-local --transport http http://localhost:3000/mcp \
+  -H "SFR-Api-Token: YOUR_SFR_KEY" \
+  -H "PLR-Api-Token: YOUR_PLR_KEY"
+```
+
+### Configuration
 
 | Variable | Required | Default | Description |
 |----------|----------|---------|-------------|
@@ -118,24 +144,15 @@ Get your API keys at [sfranalytics.com](https://www.sfranalytics.com).
 | `MCP_STRICT_TOKEN_VALIDATION` | No | `false` | If `true`, validate provided HTTP token(s) on each request using upstream auth probes |
 | `MCP_SFR_TOKEN_PROBE_ADDRESS` | No | `123 Main St, Phoenix, AZ 85004` | Address used for SFR strict-token auth probe |
 
-At least one API token must be provided.
-
-## Example Prompts
-
-The server includes built-in prompts for common workflows:
-
-- **market-screen** — Find top zip codes by investment criteria
-- **buyer-research** — Research a property investor's portfolio and strategy
-- **property-analysis** — Evaluate a property for SFR investment
-- **lending-overview** — Private lending market overview
-- **borrower-outreach** — Build a targeted borrower outreach list
-
-Prompts are scoped to your configured APIs.
+Notes:
 
-## Requirements
+- At least one token is required.
+- `MCP_ALLOWED_ORIGINS` controls allowed `Origin` headers.
+- `MCP_ALLOWED_HOSTS` controls allowed `Host` headers.
+- In strict mode, explicit auth failures return `401`; temporary probe outages return `503`.
+- Raw HTTP clients should send `Accept: application/json, text/event-stream`.
 
-- Node.js >= 18.0.0
-- An MCP-compatible client (Claude Code, Claude Desktop, etc.)
+</details>
 
 ## Support
 

package/dist/analytics/logger.d.ts

@@ -0,0 +1,3 @@
+type AnalyticsEvent = Record<string, unknown>;
+export declare function logEvent(event: AnalyticsEvent): void;
+export {};

package/dist/analytics/logger.js

@@ -0,0 +1,39 @@
+function parseBoolean(input, defaultValue) {
+    if (!input)
+        return defaultValue;
+    const normalized = input.trim().toLowerCase();
+    if (["1", "true", "yes", "on"].includes(normalized))
+        return true;
+    if (["0", "false", "no", "off"].includes(normalized))
+        return false;
+    return defaultValue;
+}
+function parseSampleRate(input) {
+    if (!input)
+        return 1;
+    const parsed = Number(input);
+    if (!Number.isFinite(parsed))
+        return 1;
+    if (parsed <= 0)
+        return 0;
+    if (parsed >= 1)
+        return 1;
+    return parsed;
+}
+const ANALYTICS_ENABLED = parseBoolean(process.env.MCP_ANALYTICS_ENABLED, true);
+const SAMPLE_RATE = parseSampleRate(process.env.MCP_ANALYTICS_SAMPLE_RATE);
+export function logEvent(event) {
+    if (!ANALYTICS_ENABLED)
+        return;
+    if (SAMPLE_RATE <= 0)
+        return;
+    if (SAMPLE_RATE < 1 && Math.random() > SAMPLE_RATE)
+        return;
+    try {
+        process.stderr.write(`${JSON.stringify(event)}\n`);
+    }
+    catch {
+        // Logging must never break tool execution.
+    }
+}
+//# sourceMappingURL=logger.js.map

package/dist/analytics/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/analytics/logger.ts"],"names":[],"mappings":"AAEA,SAAS,YAAY,CAAC,KAAyB,EAAE,YAAqB;IACpE,IAAI,CAAC,KAAK;QAAE,OAAO,YAAY,CAAC;IAChC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IACnE,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,eAAe,CAAC,KAAyB;IAChD,IAAI,CAAC,KAAK;QAAE,OAAO,CAAC,CAAC;IACrB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,CAAC,CAAC;IACvC,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IAC1B,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IAC1B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,iBAAiB,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,IAAI,CAAC,CAAC;AAChF,MAAM,WAAW,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;AAE3E,MAAM,UAAU,QAAQ,CAAC,KAAqB;IAC5C,IAAI,CAAC,iBAAiB;QAAE,OAAO;IAC/B,IAAI,WAAW,IAAI,CAAC;QAAE,OAAO;IAC7B,IAAI,WAAW,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,GAAG,WAAW;QAAE,OAAO;IAE3D,IAAI,CAAC;QACH,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrD,CAAC;IAAC,MAAM,CAAC;QACP,2CAA2C;IAC7C,CAAC;AACH,CAAC"}

package/dist/analytics/requestContext.d.ts

@@ -0,0 +1,21 @@
+export type RuntimeMode = "hosted_http" | "stdio";
+export type RequestContext = {
+    requestId: string | null;
+    tokenHash: string | null;
+    tokenHashSfr: string | null;
+    tokenHashPlr: string | null;
+    mode: RuntimeMode;
+    clientIp?: string;
+};
+/**
+ * Compute a token hash for analytics correlation.
+ * If MCP_TOKEN_HASH_PEPPER is configured, use HMAC-SHA256.
+ * Otherwise use plain SHA-256 for backwards compatibility.
+ */
+export declare function computeTokenHash(token: string | null | undefined): string | null;
+export declare function buildTokenHashes(input: {
+    sfrToken?: string | null;
+    plrToken?: string | null;
+}): Pick<RequestContext, "tokenHash" | "tokenHashSfr" | "tokenHashPlr">;
+export declare function runWithRequestContext<T>(ctx: RequestContext, cb: () => T): T;
+export declare function getCtx(): RequestContext | undefined;

package/dist/analytics/requestContext.js

@@ -0,0 +1,39 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+import { createHash, createHmac } from "node:crypto";
+const requestContext = new AsyncLocalStorage();
+function normalizeSecret(input) {
+    if (!input)
+        return null;
+    const trimmed = input.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+/**
+ * Compute a token hash for analytics correlation.
+ * If MCP_TOKEN_HASH_PEPPER is configured, use HMAC-SHA256.
+ * Otherwise use plain SHA-256 for backwards compatibility.
+ */
+export function computeTokenHash(token) {
+    const normalizedToken = normalizeSecret(token);
+    if (!normalizedToken)
+        return null;
+    const pepper = normalizeSecret(process.env.MCP_TOKEN_HASH_PEPPER);
+    if (pepper) {
+        const digest = createHmac("sha256", pepper).update(normalizedToken).digest("hex");
+        return `hmac-sha256:${digest}`;
+    }
+    const digest = createHash("sha256").update(normalizedToken).digest("hex");
+    return `sha256:${digest}`;
+}
+export function buildTokenHashes(input) {
+    const tokenHashSfr = computeTokenHash(input.sfrToken);
+    const tokenHashPlr = computeTokenHash(input.plrToken);
+    const tokenHash = tokenHashSfr ?? tokenHashPlr;
+    return { tokenHash, tokenHashSfr, tokenHashPlr };
+}
+export function runWithRequestContext(ctx, cb) {
+    return requestContext.run(ctx, cb);
+}
+export function getCtx() {
+    return requestContext.getStore();
+}
+//# sourceMappingURL=requestContext.js.map

package/dist/analytics/requestContext.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"requestContext.js","sourceRoot":"","sources":["../../src/analytics/requestContext.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAarD,MAAM,cAAc,GAAG,IAAI,iBAAiB,EAAkB,CAAC;AAE/D,SAAS,eAAe,CAAC,KAAgC;IACvD,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAgC;IAC/D,MAAM,eAAe,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IAC/C,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC;IAElC,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IAClE,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAClF,OAAO,eAAe,MAAM,EAAE,CAAC;IACjC,CAAC;IAED,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1E,OAAO,UAAU,MAAM,EAAE,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,KAGhC;IACC,MAAM,YAAY,GAAG,gBAAgB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,gBAAgB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,YAAY,IAAI,YAAY,CAAC;IAC/C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAI,GAAmB,EAAE,EAAW;IACvE,OAAO,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,MAAM;IACpB,OAAO,cAAc,CAAC,QAAQ,EAAE,CAAC;AACnC,CAAC"}

package/dist/analytics/sanitize.d.ts

@@ -0,0 +1 @@
+export declare function sanitizeArgs(args: unknown): Record<string, unknown>;

package/dist/analytics/sanitize.js

@@ -0,0 +1,78 @@
+const MAX_STRING_CHARS = 256;
+const MAX_ARRAY_ITEMS = 20;
+const MAX_OBJECT_KEYS = 100;
+const MAX_DEPTH = 8;
+const REDACTED = "[redacted]";
+const TRUNCATED = "[truncated]";
+const CIRCULAR = "[circular]";
+const KEY_DENYLIST = /ssn|social|address|street|dob|birth|email|phone|token|secret|password|authorization|api[-_]?key/i;
+const EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/i;
+const PHONE_PATTERN = /^\+?[0-9()\-\s.]{10,}$/;
+const TOKENISH_PATTERN = /^(?:[a-f0-9]{32,}|[A-Za-z0-9+/_\-]{32,})$/;
+function truncateString(value) {
+    if (value.length <= MAX_STRING_CHARS)
+        return value;
+    return value.slice(0, MAX_STRING_CHARS) + TRUNCATED;
+}
+function looksSensitiveValue(value) {
+    const normalized = value.trim();
+    if (!normalized)
+        return false;
+    return EMAIL_PATTERN.test(normalized) || PHONE_PATTERN.test(normalized) || TOKENISH_PATTERN.test(normalized);
+}
+function sanitizeValue(value, keyName, depth, seen) {
+    if (depth > MAX_DEPTH)
+        return TRUNCATED;
+    if (value == null)
+        return value;
+    if (typeof value === "string") {
+        if ((keyName && KEY_DENYLIST.test(keyName)) || looksSensitiveValue(value))
+            return REDACTED;
+        return truncateString(value);
+    }
+    if (typeof value === "number") {
+        return Number.isFinite(value) ? value : String(value);
+    }
+    if (typeof value === "boolean")
+        return value;
+    if (typeof value === "bigint")
+        return value.toString();
+    if (value instanceof Date)
+        return value.toISOString();
+    if (Array.isArray(value)) {
+        const capped = value.slice(0, MAX_ARRAY_ITEMS);
+        const sanitized = capped.map((entry) => sanitizeValue(entry, keyName, depth + 1, seen));
+        if (value.length > MAX_ARRAY_ITEMS)
+            sanitized.push(TRUNCATED);
+        return sanitized;
+    }
+    if (typeof value === "object") {
+        const obj = value;
+        if (seen.has(obj))
+            return CIRCULAR;
+        seen.add(obj);
+        const out = {};
+        const entries = Object.entries(obj).slice(0, MAX_OBJECT_KEYS);
+        for (const [k, v] of entries) {
+            if (KEY_DENYLIST.test(k)) {
+                out[k] = REDACTED;
+                continue;
+            }
+            out[k] = sanitizeValue(v, k, depth + 1, seen);
+        }
+        if (Object.keys(obj).length > MAX_OBJECT_KEYS) {
+            out._truncatedKeys = true;
+        }
+        return out;
+    }
+    return truncateString(String(value));
+}
+export function sanitizeArgs(args) {
+    const seen = new WeakSet();
+    const sanitized = sanitizeValue(args, null, 0, seen);
+    if (sanitized && typeof sanitized === "object" && !Array.isArray(sanitized)) {
+        return sanitized;
+    }
+    return { value: sanitized };
+}
+//# sourceMappingURL=sanitize.js.map

package/dist/analytics/sanitize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/analytics/sanitize.ts"],"names":[],"mappings":"AAAA,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAC7B,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,eAAe,GAAG,GAAG,CAAC;AAC5B,MAAM,SAAS,GAAG,CAAC,CAAC;AAEpB,MAAM,QAAQ,GAAG,YAAY,CAAC;AAC9B,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,QAAQ,GAAG,YAAY,CAAC;AAE9B,MAAM,YAAY,GAAG,kGAAkG,CAAC;AACxH,MAAM,aAAa,GAAG,6BAA6B,CAAC;AACpD,MAAM,aAAa,GAAG,wBAAwB,CAAC;AAC/C,MAAM,gBAAgB,GAAG,2CAA2C,CAAC;AAErE,SAAS,cAAc,CAAC,KAAa;IACnC,IAAI,KAAK,CAAC,MAAM,IAAI,gBAAgB;QAAE,OAAO,KAAK,CAAC;IACnD,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,gBAAgB,CAAC,GAAG,SAAS,CAAC;AACtD,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAChC,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AAC/G,CAAC;AAED,SAAS,aAAa,CACpB,KAAc,EACd,OAAsB,EACtB,KAAa,EACb,IAAqB;IAErB,IAAI,KAAK,GAAG,SAAS;QAAE,OAAO,SAAS,CAAC;IAExC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,KAAK,CAAC;IAEhC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,OAAO,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,mBAAmB,CAAC,KAAK,CAAC;YAAE,OAAO,QAAQ,CAAC;QAC3F,OAAO,cAAc,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAE7C,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC,QAAQ,EAAE,CAAC;IAEvD,IAAI,KAAK,YAAY,IAAI;QAAE,OAAO,KAAK,CAAC,WAAW,EAAE,CAAC;IAEtD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;QACxF,IAAI,KAAK,CAAC,MAAM,GAAG,eAAe;YAAE,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC9D,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAgC,CAAC;QAC7C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,QAAQ,CAAC;QACnC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEd,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;QAC9D,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;gBACzB,GAAG,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC;gBAClB,SAAS;YACX,CAAC;YACD,GAAG,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,CAAC,EAAE,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;YAC9C,GAAG,CAAC,cAAc,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,OAAO,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,IAAa;IACxC,MAAM,IAAI,GAAG,IAAI,OAAO,EAAU,CAAC;IACnC,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC;IACrD,IAAI,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5E,OAAO,SAAoC,CAAC;IAC9C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,SAAoB,EAAE,CAAC;AACzC,CAAC"}

package/dist/http.js

@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+import { randomUUID } from "node:crypto";
 import cors from "cors";
 import rateLimit from "express-rate-limit";
 import { createMcpExpressApp } from "@modelcontextprotocol/sdk/server/express.js";
@@ -7,6 +8,9 @@ import { configFromHeaders } from "./config.js";
 import { createServer } from "./server.js";
 import { ApiError, HttpClient } from "./services/httpClient.js";
 import { VERSION } from "./version.js";
+import { renderLandingPage } from "./landing.js";
+import { buildTokenHashes, runWithRequestContext } from "./analytics/requestContext.js";
+import { logEvent } from "./analytics/logger.js";
 function env(name) {
     const value = process.env[name];
     return value && value.trim().length > 0 ? value.trim() : undefined;
@@ -99,7 +103,20 @@ const mcpLimiter = rateLimit({
     max: 60,
     standardHeaders: true,
     legacyHeaders: false,
-    handler(_req, res) {
+    handler(req, res) {
+        const sfrToken = headerValue(req, "SFR-Api-Token");
+        const plrToken = headerValue(req, "PLR-Api-Token");
+        const hashes = buildTokenHashes({ sfrToken, plrToken });
+        logEvent({
+            v: 1,
+            event: "rate_limited",
+            ts: new Date().toISOString(),
+            token_hash: hashes.tokenHash,
+            token_hash_sfr: hashes.tokenHashSfr,
+            token_hash_plr: hashes.tokenHashPlr,
+            client_ip: req.ip,
+            mode: "hosted_http",
+        });
         res
             .status(429)
             .json(jsonRpcError(-32000, "Rate limit exceeded. Max 60 requests per minute."));
@@ -186,53 +203,149 @@ async function quickTokenCheck(config) {
 app.post("/mcp", async (req, res) => {
     const sfrToken = headerValue(req, "SFR-Api-Token");
     const plrToken = headerValue(req, "PLR-Api-Token");
-    if (!sfrToken && !plrToken) {
-        res
-            .status(401)
-            .json(jsonRpcError(-32001, "Missing API token. Provide SFR-Api-Token and/or PLR-Api-Token."));
-        return;
-    }
-    const config = configFromHeaders({ sfrToken, plrToken });
-    if (strictTokenValidation) {
-        try {
-            const validationResult = await quickTokenCheck(config);
-            if (validationResult === "invalid") {
-                res.status(401).json(jsonRpcError(-32001, "Invalid API token."));
-                return;
+    const requestStartedAt = performance.now();
+    const requestId = randomUUID();
+    const tokenHashes = buildTokenHashes({ sfrToken, plrToken });
+    return runWithRequestContext({
+        requestId,
+        mode: "hosted_http",
+        tokenHash: tokenHashes.tokenHash,
+        tokenHashSfr: tokenHashes.tokenHashSfr,
+        tokenHashPlr: tokenHashes.tokenHashPlr,
+        clientIp: req.ip,
+    }, async () => {
+        res.once("finish", () => {
+            const latencyMs = performance.now() - requestStartedAt;
+            logEvent({
+                v: 1,
+                event: "http_request",
+                ts: new Date().toISOString(),
+                method: req.method,
+                path: req.path,
+                status: res.statusCode,
+                latency_ms: Number(latencyMs.toFixed(1)),
+                token_hash: tokenHashes.tokenHash,
+                token_hash_sfr: tokenHashes.tokenHashSfr,
+                token_hash_plr: tokenHashes.tokenHashPlr,
+                request_id: requestId,
+                mode: "hosted_http",
+                client_ip: req.ip,
+            });
+        });
+        if (!sfrToken && !plrToken) {
+            logEvent({
+                v: 1,
+                event: "auth_failure",
+                ts: new Date().toISOString(),
+                reason: "missing_token",
+                has_sfr_token: false,
+                has_plr_token: false,
+                request_id: requestId,
+                client_ip: req.ip,
+                user_agent: req.get("user-agent") ?? null,
+                mode: "hosted_http",
+            });
+            res
+                .status(401)
+                .json(jsonRpcError(-32001, "Missing API token. Provide SFR-Api-Token and/or PLR-Api-Token."));
+            return;
+        }
+        const config = configFromHeaders({ sfrToken, plrToken });
+        if (strictTokenValidation) {
+            try {
+                const validationResult = await quickTokenCheck(config);
+                if (validationResult === "invalid") {
+                    logEvent({
+                        v: 1,
+                        event: "auth_failure",
+                        ts: new Date().toISOString(),
+                        reason: "invalid_token",
+                        has_sfr_token: !!sfrToken,
+                        has_plr_token: !!plrToken,
+                        token_hash: tokenHashes.tokenHash,
+                        token_hash_sfr: tokenHashes.tokenHashSfr,
+                        token_hash_plr: tokenHashes.tokenHashPlr,
+                        request_id: requestId,
+                        client_ip: req.ip,
+                        mode: "hosted_http",
+                    });
+                    res.status(401).json(jsonRpcError(-32001, "Invalid API token."));
+                    return;
+                }
+                if (validationResult === "unavailable") {
+                    res.status(503).json(jsonRpcError(-32603, "Token validation unavailable. Try again later."));
+                    return;
+                }
             }
-            if (validationResult === "unavailable") {
+            catch (error) {
+                console.error(`Token validation error: ${safeErrorMessage(error)}`);
                 res.status(503).json(jsonRpcError(-32603, "Token validation unavailable. Try again later."));
                 return;
             }
         }
+        const { server, toolNames } = createServer(config);
+        // Log MCP protocol-level events (initialize, tools/list)
+        const rpcMethod = typeof req.body?.method === "string" ? req.body.method : null;
+        if (rpcMethod === "initialize") {
+            const clientInfo = req.body?.params?.clientInfo;
+            logEvent({
+                v: 1,
+                event: "session_start",
+                ts: new Date().toISOString(),
+                token_hash: tokenHashes.tokenHash,
+                token_hash_sfr: tokenHashes.tokenHashSfr,
+                token_hash_plr: tokenHashes.tokenHashPlr,
+                request_id: requestId,
+                has_sfr_token: !!sfrToken,
+                has_plr_token: !!plrToken,
+                client_name: typeof clientInfo?.name === "string" ? clientInfo.name : null,
+                client_version: typeof clientInfo?.version === "string" ? clientInfo.version : null,
+                protocol_version: typeof req.body?.params?.protocolVersion === "string"
+                    ? req.body.params.protocolVersion
+                    : null,
+                user_agent: req.get("user-agent") ?? null,
+                client_ip: req.ip,
+                mode: "hosted_http",
+                tool_names: toolNames,
+                tool_count: toolNames.length,
+            });
+        }
+        if (rpcMethod === "tools/list") {
+            logEvent({
+                v: 1,
+                event: "tool_list",
+                ts: new Date().toISOString(),
+                token_hash: tokenHashes.tokenHash,
+                request_id: requestId,
+                has_sfr_token: !!sfrToken,
+                has_plr_token: !!plrToken,
+                mode: "hosted_http",
+                tool_names: toolNames,
+                tool_count: toolNames.length,
+            });
+        }
+        const transport = new StreamableHTTPServerTransport({
+            sessionIdGenerator: undefined,
+            enableJsonResponse: true,
+        });
+        const cleanup = () => {
+            res.off("close", cleanup);
+            void transport.close().catch(() => { });
+            void server.close().catch(() => { });
+        };
+        res.on("close", cleanup);
+        try {
+            await server.connect(transport);
+            await transport.handleRequest(req, res, req.body);
+        }
         catch (error) {
-            console.error(`Token validation error: ${safeErrorMessage(error)}`);
-            res.status(503).json(jsonRpcError(-32603, "Token validation unavailable. Try again later."));
-            return;
+            console.error(`Error handling MCP request: ${safeErrorMessage(error)}`);
+            if (!res.headersSent) {
+                res.status(500).json(jsonRpcError(-32603, "Internal server error"));
+            }
+            cleanup();
         }
-    }
-    const server = createServer(config);
-    const transport = new StreamableHTTPServerTransport({
-        sessionIdGenerator: undefined,
-        enableJsonResponse: true,
     });
-    const cleanup = () => {
-        res.off("close", cleanup);
-        void transport.close().catch(() => { });
-        void server.close().catch(() => { });
-    };
-    res.on("close", cleanup);
-    try {
-        await server.connect(transport);
-        await transport.handleRequest(req, res, req.body);
-    }
-    catch (error) {
-        console.error(`Error handling MCP request: ${safeErrorMessage(error)}`);
-        if (!res.headersSent) {
-            res.status(500).json(jsonRpcError(-32603, "Internal server error"));
-        }
-        cleanup();
-    }
 });
 const methodNotAllowed = (_req, res) => {
     res.status(405).json(jsonRpcError(-32000, "Method not allowed."));
@@ -243,6 +356,46 @@ app.options("/mcp", cors(corsOptions));
 app.get("/health", (_req, res) => {
     res.status(200).json({ ok: true, version: VERSION });
 });
+// — Status dashboard (upstream connectivity checks) —
+const startedAt = Date.now();
+let statusCache = null;
+const STATUS_CACHE_TTL_MS = 30_000;
+async function probeApi(baseUrl) {
+    const start = Date.now();
+    try {
+        await fetch(baseUrl, {
+            method: "HEAD",
+            signal: AbortSignal.timeout(3000),
+        });
+        return { reachable: true, latencyMs: Date.now() - start };
+    }
+    catch {
+        // Any response (even errors) from the host means it's reachable;
+        // only network/timeout failures land here.
+        return { reachable: false, latencyMs: Date.now() - start };
+    }
+}
+app.get("/status", async (_req, res) => {
+    const now = Date.now();
+    if (!statusCache || now - statusCache.timestamp > STATUS_CACHE_TTL_MS) {
+        const sfrUrl = env("SFR_BASE_URL") ?? "https://api.sfranalytics.com";
+        const plrUrl = env("PLR_BASE_URL") ?? "https://radar-api.sfranalytics.com";
+        const [sfr, plr] = await Promise.all([probeApi(sfrUrl), probeApi(plrUrl)]);
+        statusCache = { timestamp: now, sfr, plr };
+    }
+    res.json({
+        ok: true,
+        version: VERSION,
+        uptimeSeconds: Math.floor((now - startedAt) / 1000),
+        startedAt: new Date(startedAt).toISOString(),
+        apis: { sfr: statusCache.sfr, plr: statusCache.plr },
+    });
+});
+// — Landing page —
+const landingHtml = renderLandingPage({ crispWebsiteId: env("CRISP_WEBSITE_ID") });
+app.get("/", (_req, res) => {
+    res.type("html").send(landingHtml);
+});
 const httpServer = app.listen(port, host, () => {
     if (allowedOriginSet.size === 0 && !allowAnyOrigin) {
         console.error("MCP_ALLOWED_ORIGINS not set. Requests with an Origin header will be rejected.");