@studiometa/forge-mcp 0.0.1 → 0.1.0

package/dist/handlers/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/handlers/schema.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAsU7C;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAWzD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,UAAU,CAWjD"}

package/dist/handlers/security-rules.d.ts

@@ -0,0 +1,2 @@
+export declare const handleSecurityRules: (action: string, args: import("./types.ts").CommonArgs, ctx: import("./types.ts").HandlerContext) => Promise<import("./types.ts").ToolResult>;
+//# sourceMappingURL=security-rules.d.ts.map

package/dist/handlers/security-rules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-rules.d.ts","sourceRoot":"","sources":["../../src/handlers/security-rules.ts"],"names":[],"mappings":"AAYA,eAAO,MAAM,mBAAmB,+IA8B9B,CAAC"}

package/dist/handlers/servers.d.ts

@@ -0,0 +1,2 @@
+export declare const handleServers: (action: string, args: import("./types.ts").CommonArgs, ctx: import("./types.ts").HandlerContext) => Promise<import("./types.ts").ToolResult>;
+//# sourceMappingURL=servers.d.ts.map

package/dist/handlers/servers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"servers.d.ts","sourceRoot":"","sources":["../../src/handlers/servers.ts"],"names":[],"mappings":"AAcA,eAAO,MAAM,aAAa,+IAwDxB,CAAC"}

package/dist/handlers/sites.d.ts

@@ -0,0 +1,2 @@
+export declare const handleSites: (action: string, args: import("./types.ts").CommonArgs, ctx: import("./types.ts").HandlerContext) => Promise<import("./types.ts").ToolResult>;
+//# sourceMappingURL=sites.d.ts.map

package/dist/handlers/sites.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sites.d.ts","sourceRoot":"","sources":["../../src/handlers/sites.ts"],"names":[],"mappings":"AAQA,eAAO,MAAM,WAAW,+IAsDtB,CAAC"}

package/dist/handlers/ssh-keys.d.ts

@@ -0,0 +1,2 @@
+export declare const handleSshKeys: (action: string, args: import("./types.ts").CommonArgs, ctx: import("./types.ts").HandlerContext) => Promise<import("./types.ts").ToolResult>;
+//# sourceMappingURL=ssh-keys.d.ts.map

package/dist/handlers/ssh-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-keys.d.ts","sourceRoot":"","sources":["../../src/handlers/ssh-keys.ts"],"names":[],"mappings":"AAQA,eAAO,MAAM,aAAa,+IAkCxB,CAAC"}

package/dist/handlers/types.d.ts

@@ -0,0 +1,33 @@
+import type { ExecutorContext } from "@studiometa/forge-core";
+/**
+ * Result from MCP tool handlers.
+ */
+export interface ToolResult {
+    content: Array<{
+        type: "text";
+        text: string;
+    }>;
+    isError?: boolean;
+}
+/**
+ * Handler context — wraps ExecutorContext with MCP-specific options.
+ */
+export interface HandlerContext {
+    executorContext: ExecutorContext;
+    compact: boolean;
+    /** Whether to include contextual hints in get responses (default: false) */
+    includeHints?: boolean;
+}
+/**
+ * Common args present in all tool calls.
+ */
+export interface CommonArgs {
+    resource: string;
+    action: string;
+    id?: string;
+    server_id?: string;
+    site_id?: string;
+    compact?: boolean;
+    [key: string]: unknown;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/handlers/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/handlers/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,eAAe,EAAE,eAAe,CAAC;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,4EAA4E;IAC5E,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB"}

package/dist/handlers/user.d.ts

@@ -0,0 +1,2 @@
+export declare const handleUser: (action: string, args: import("./types.ts").CommonArgs, ctx: import("./types.ts").HandlerContext) => Promise<import("./types.ts").ToolResult>;
+//# sourceMappingURL=user.d.ts.map

package/dist/handlers/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/handlers/user.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,UAAU,+IASrB,CAAC"}

package/dist/handlers/utils.d.ts

@@ -0,0 +1,26 @@
+import type { ToolResult } from "./types.ts";
+import { UserInputError } from "../errors.ts";
+/**
+ * Create a successful JSON result.
+ * Accepts a string or an object (which will be JSON-serialized).
+ */
+export declare function jsonResult(data: string | Record<string, unknown> | unknown): ToolResult;
+/**
+ * Validate an ID-like value (must be alphanumeric/dashes only).
+ * Prevents path traversal via `../` in URL segments.
+ *
+ * @returns true if the value is safe, false otherwise.
+ */
+export declare function sanitizeId(value: string): boolean;
+/**
+ * Create an error result.
+ */
+export declare function errorResult(message: string): ToolResult;
+/**
+ * Create an input error result from a UserInputError or a plain message with an optional suggestion.
+ *
+ * When a UserInputError is passed, its formatted message (including hints) is used.
+ * When a plain string is passed, the optional suggestion is appended.
+ */
+export declare function inputErrorResult(error: UserInputError | string, suggestion?: string): ToolResult;
+//# sourceMappingURL=utils.d.ts.map

package/dist/handlers/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/handlers/utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C;;;GAGG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,GAAG,UAAU,CAKvF;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEjD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CAKvD;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,UAAU,CAWhG"}

package/dist/hints.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Contextual hints for AI agents.
+ *
+ * After get/list actions, suggests related resources and common next steps
+ * to help agents discover what's available.
+ */
+interface ResourceHint {
+    resource: string;
+    description: string;
+    example: Record<string, unknown>;
+}
+export interface ContextualHints {
+    related_resources?: ResourceHint[];
+    common_actions?: {
+        action: string;
+        example: Record<string, unknown>;
+    }[];
+}
+/**
+ * Hints after getting a server.
+ */
+export declare function getServerHints(serverId: string): ContextualHints;
+/**
+ * Hints after getting a site.
+ */
+export declare function getSiteHints(serverId: string, siteId: string): ContextualHints;
+/**
+ * Hints after getting a database.
+ */
+export declare function getDatabaseHints(serverId: string, databaseId: string): ContextualHints;
+/**
+ * Hints after getting a database user.
+ */
+export declare function getDatabaseUserHints(serverId: string, userId: string): ContextualHints;
+/**
+ * Hints after getting a daemon.
+ */
+export declare function getDaemonHints(serverId: string, daemonId: string): ContextualHints;
+/**
+ * Hints after getting a certificate.
+ */
+export declare function getCertificateHints(serverId: string, siteId: string, certificateId: string): ContextualHints;
+/**
+ * Hints after getting a firewall rule.
+ */
+export declare function getFirewallRuleHints(serverId: string, ruleId: string): ContextualHints;
+/**
+ * Hints after getting an SSH key.
+ */
+export declare function getSshKeyHints(serverId: string, keyId: string): ContextualHints;
+/**
+ * Hints after getting a recipe.
+ */
+export declare function getRecipeHints(recipeId: string): ContextualHints;
+/**
+ * Hints after getting an nginx template.
+ */
+export declare function getNginxTemplateHints(serverId: string, templateId: string): ContextualHints;
+export {};
+//# sourceMappingURL=hints.d.ts.map

package/dist/hints.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hints.d.ts","sourceRoot":"","sources":["../src/hints.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,UAAU,YAAY;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,iBAAiB,CAAC,EAAE,YAAY,EAAE,CAAC;IACnC,cAAc,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,EAAE,CAAC;CACzE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,eAAe,CAoChE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,eAAe,CAoC9E;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,eAAe,CAgBtF;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,eAAe,CA0BtF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,eAAe,CAoBlF;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,MAAM,GACpB,eAAe,CAqCjB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,eAAe,CAqBtF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,eAAe,CAgB/E;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,eAAe,CAoBhE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,eAAe,CA+B3F"}

package/dist/http-BJUKoZdb.js

@@ -0,0 +1,253 @@
+import { a as INSTRUCTIONS, i as executeToolWithCredentials, r as TOOLS, t as VERSION } from "./version-Cw8OGt4r.js";
+import { parseAuthHeader } from "./auth.js";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
+import { randomUUID } from "node:crypto";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { createApp, defineEventHandler } from "h3";
+var DEFAULT_TTL = 1800 * 1e3;
+var DEFAULT_SWEEP_INTERVAL = 60 * 1e3;
+var SessionManager = class {
+	sessions = /* @__PURE__ */ new Map();
+	sweepTimer;
+	ttl;
+	constructor(options) {
+		this.ttl = options?.ttl ?? DEFAULT_TTL;
+		if (this.ttl > 0) {
+			const interval = options?.sweepInterval ?? DEFAULT_SWEEP_INTERVAL;
+			this.sweepTimer = setInterval(() => {
+				this.sweep();
+			}, interval);
+			this.sweepTimer.unref();
+		}
+	}
+	/**
+	* Register a session after its ID has been assigned by the transport.
+	*/
+	register(transport, server) {
+		const sessionId = transport.sessionId;
+		if (sessionId) {
+			const now = Date.now();
+			this.sessions.set(sessionId, {
+				transport,
+				server,
+				createdAt: now,
+				lastActiveAt: now
+			});
+		}
+	}
+	/**
+	* Look up a session by its ID and refresh its activity timestamp.
+	*/
+	get(sessionId) {
+		const session = this.sessions.get(sessionId);
+		if (session) session.lastActiveAt = Date.now();
+		return session;
+	}
+	/**
+	* Remove a session and close its transport + server.
+	*/
+	async remove(sessionId) {
+		const session = this.sessions.get(sessionId);
+		if (session) {
+			this.sessions.delete(sessionId);
+			await session.transport.close();
+			await session.server.close();
+		}
+	}
+	/**
+	* Get the number of active sessions.
+	*/
+	get size() {
+		return this.sessions.size;
+	}
+	/**
+	* Sweep expired sessions. Called automatically by the sweep timer.
+	* Returns the number of sessions reaped.
+	*/
+	sweep() {
+		if (this.ttl <= 0) return 0;
+		const now = Date.now();
+		const expired = [];
+		for (const [id, session] of this.sessions) if (now - session.lastActiveAt > this.ttl) expired.push(id);
+		for (const id of expired)
+ /* v8 ignore start */
+		this.remove(id).catch(() => {});
+		return expired.length;
+	}
+	/**
+	* Close all sessions, stop the sweep timer, and clean up.
+	*/
+	async closeAll() {
+		if (this.sweepTimer) {
+			clearInterval(this.sweepTimer);
+			this.sweepTimer = void 0;
+		}
+		const promises = [];
+		for (const [, session] of this.sessions) {
+			promises.push(session.transport.close());
+			promises.push(session.server.close());
+		}
+		await Promise.all(promises);
+		this.sessions.clear();
+	}
+};
+/**
+* Streamable HTTP transport for Forge MCP Server
+*
+* Implements the official MCP Streamable HTTP transport specification (2025-03-26)
+* using the SDK's StreamableHTTPServerTransport.
+*
+* Architecture:
+* - Stateful mode with per-session transport+server pairs (multi-tenant)
+* - Auth via Bearer token → authInfo.token → handler extra.authInfo
+* - Session manager (injected) maps session IDs to transport+server instances
+* - Health/status endpoints handled by h3, MCP endpoint by the SDK transport
+*/
+/**
+* Create a configured MCP Server instance for HTTP transport.
+*
+* Unlike stdio, HTTP mode does NOT include forge_configure/forge_get_config
+* because credentials come from the Authorization header per-request.
+*/
+function createMcpServer() {
+	const server = new Server({
+		name: "forge-mcp",
+		version: VERSION
+	}, {
+		capabilities: { tools: {} },
+		instructions: INSTRUCTIONS
+	});
+	server.setRequestHandler(ListToolsRequestSchema, async () => {
+		return { tools: TOOLS };
+	});
+	server.setRequestHandler(CallToolRequestSchema, async (request, extra) => {
+		const { name, arguments: args } = request.params;
+		const token = extra.authInfo?.token;
+		/* v8 ignore start */
+		if (!token) return {
+			content: [{
+				type: "text",
+				text: "Error: Authentication required. No token found in request."
+			}],
+			isError: true
+		};
+		/* v8 ignore stop */
+		try {
+			return await executeToolWithCredentials(
+				name,
+				/* v8 ignore next */
+				args ?? {},
+				{ apiToken: token }
+			);
+		} catch (error) {
+			/* v8 ignore stop */
+			return {
+				content: [{
+					type: "text",
+					text: `Error: ${error instanceof Error ? error.message : String(error)}`
+				}],
+				isError: true
+			};
+		}
+	});
+	return server;
+}
+/**
+* Handle an MCP request using the Streamable HTTP transport.
+*
+* Routes requests based on whether they have a session ID:
+* - No session ID + initialize request → create new session
+* - Has session ID → route to existing session's transport
+*
+* @param req - Node.js IncomingMessage
+* @param res - Node.js ServerResponse
+* @param sessions - Session manager instance (injected)
+*/
+async function handleMcpRequest(req, res, sessions) {
+	const authHeader = req.headers.authorization;
+	const credentials = parseAuthHeader(authHeader);
+	if (!credentials) {
+		res.writeHead(401, { "Content-Type": "application/json" });
+		res.end(JSON.stringify({
+			jsonrpc: "2.0",
+			error: {
+				code: -32001,
+				message: "Authentication required. Provide a Bearer token with your Forge API token."
+			},
+			id: null
+		}));
+		return;
+	}
+	const authenticatedReq = req;
+	authenticatedReq.auth = {
+		token: credentials.apiToken,
+		clientId: "forge-http-client",
+		scopes: []
+	};
+	const sessionId = req.headers["mcp-session-id"];
+	if (sessionId) {
+		const session = sessions.get(sessionId);
+		if (!session) {
+			res.writeHead(404, { "Content-Type": "application/json" });
+			res.end(JSON.stringify({
+				jsonrpc: "2.0",
+				error: {
+					code: -32e3,
+					message: "Session not found. The session may have expired or been terminated."
+				},
+				id: null
+			}));
+			return;
+		}
+		await session.transport.handleRequest(authenticatedReq, res);
+		return;
+	}
+	const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: () => randomUUID() });
+	const server = createMcpServer();
+	await server.connect(transport);
+	transport.onclose = () => {
+		const sid = transport.sessionId;
+		/* v8 ignore start */
+		if (sid) sessions.remove(sid).catch(() => {});
+		/* v8 ignore stop */
+	};
+	await transport.handleRequest(authenticatedReq, res);
+	/* v8 ignore start */
+	if (transport.sessionId) sessions.register(transport, server);
+	else {
+		await transport.close();
+		await server.close();
+	}
+	/* v8 ignore stop */
+}
+/**
+* Create a request handler bound to a SessionManager instance.
+* Convenience factory for server.ts.
+*/
+function createMcpRequestHandler(sessions) {
+	/* v8 ignore start */
+	return (req, res) => handleMcpRequest(req, res, sessions);
+	/* v8 ignore stop */
+}
+/**
+* Create h3 app for health check and service info endpoints.
+* The MCP endpoint is handled separately by handleMcpRequest.
+*/
+function createHealthApp() {
+	const app = createApp();
+	app.get("/", defineEventHandler(() => {
+		return {
+			status: "ok",
+			service: "forge-mcp",
+			version: VERSION
+		};
+	}));
+	app.get("/health", defineEventHandler(() => {
+		return { status: "ok" };
+	}));
+	return app;
+}
+export { SessionManager as a, handleMcpRequest as i, createMcpRequestHandler as n, createMcpServer as r, createHealthApp as t };
+
+//# sourceMappingURL=http-BJUKoZdb.js.map

package/dist/http-BJUKoZdb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-BJUKoZdb.js","names":[],"sources":["../src/sessions.ts","../src/http.ts"],"sourcesContent":["/**\n * Session manager for multi-tenant Streamable HTTP transport.\n *\n * Each MCP client session gets its own transport + server pair.\n * Sessions are identified by UUID and tracked in a Map.\n *\n * Supports automatic TTL-based cleanup of idle sessions to prevent\n * memory leaks from abandoned clients.\n */\n\nimport type { Server } from \"@modelcontextprotocol/sdk/server/index.js\";\nimport type { StreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/streamableHttp.js\";\n\n/**\n * A managed session: transport + MCP server pair.\n */\nexport interface ManagedSession {\n  transport: StreamableHTTPServerTransport;\n  server: Server;\n  createdAt: number;\n  lastActiveAt: number;\n}\n\nexport interface SessionManagerOptions {\n  /**\n   * Maximum idle time in milliseconds before a session is reaped.\n   * Default: 30 minutes. Set to 0 to disable automatic cleanup.\n   */\n  ttl?: number;\n\n  /**\n   * How often to check for expired sessions, in milliseconds.\n   * Default: 60 seconds.\n   */\n  sweepInterval?: number;\n}\n\nconst DEFAULT_TTL = 30 * 60 * 1000; // 30 minutes\nconst DEFAULT_SWEEP_INTERVAL = 60 * 1000; // 60 seconds\n\nexport class SessionManager {\n  private sessions = new Map<string, ManagedSession>();\n  private sweepTimer: ReturnType<typeof setInterval> | undefined;\n  private readonly ttl: number;\n\n  constructor(options?: SessionManagerOptions) {\n    this.ttl = options?.ttl ?? DEFAULT_TTL;\n\n    if (this.ttl > 0) {\n      const interval = options?.sweepInterval ?? DEFAULT_SWEEP_INTERVAL;\n      this.sweepTimer = setInterval(() => {\n        this.sweep();\n      }, interval);\n      // Don't keep the process alive just for the sweep timer\n      this.sweepTimer.unref();\n    }\n  }\n\n  /**\n   * Register a session after its ID has been assigned by the transport.\n   */\n  register(transport: StreamableHTTPServerTransport, server: Server): void {\n    const sessionId = transport.sessionId;\n    if (sessionId) {\n      const now = Date.now();\n      this.sessions.set(sessionId, {\n        transport,\n        server,\n        createdAt: now,\n        lastActiveAt: now,\n      });\n    }\n  }\n\n  /**\n   * Look up a session by its ID and refresh its activity timestamp.\n   */\n  get(sessionId: string): ManagedSession | undefined {\n    const session = this.sessions.get(sessionId);\n    if (session) {\n      session.lastActiveAt = Date.now();\n    }\n    return session;\n  }\n\n  /**\n   * Remove a session and close its transport + server.\n   */\n  async remove(sessionId: string): Promise<void> {\n    const session = this.sessions.get(sessionId);\n    if (session) {\n      this.sessions.delete(sessionId);\n      await session.transport.close();\n      await session.server.close();\n    }\n  }\n\n  /**\n   * Get the number of active sessions.\n   */\n  get size(): number {\n    return this.sessions.size;\n  }\n\n  /**\n   * Sweep expired sessions. Called automatically by the sweep timer.\n   * Returns the number of sessions reaped.\n   */\n  sweep(): number {\n    if (this.ttl <= 0) return 0;\n\n    const now = Date.now();\n    const expired: string[] = [];\n\n    for (const [id, session] of this.sessions) {\n      if (now - session.lastActiveAt > this.ttl) {\n        expired.push(id);\n      }\n    }\n\n    for (const id of expired) {\n      // Fire-and-forget cleanup — don't block the sweep\n      /* v8 ignore start */\n      this.remove(id).catch(() => {});\n      /* v8 ignore stop */\n    }\n\n    return expired.length;\n  }\n\n  /**\n   * Close all sessions, stop the sweep timer, and clean up.\n   */\n  async closeAll(): Promise<void> {\n    if (this.sweepTimer) {\n      clearInterval(this.sweepTimer);\n      this.sweepTimer = undefined;\n    }\n\n    const promises: Promise<void>[] = [];\n    for (const [, session] of this.sessions) {\n      promises.push(session.transport.close());\n      promises.push(session.server.close());\n    }\n    await Promise.all(promises);\n    this.sessions.clear();\n  }\n}\n","/**\n * Streamable HTTP transport for Forge MCP Server\n *\n * Implements the official MCP Streamable HTTP transport specification (2025-03-26)\n * using the SDK's StreamableHTTPServerTransport.\n *\n * Architecture:\n * - Stateful mode with per-session transport+server pairs (multi-tenant)\n * - Auth via Bearer token → authInfo.token → handler extra.authInfo\n * - Session manager (injected) maps session IDs to transport+server instances\n * - Health/status endpoints handled by h3, MCP endpoint by the SDK transport\n */\n\nimport { randomUUID } from \"node:crypto\";\nimport type { IncomingMessage, ServerResponse } from \"node:http\";\n\nimport { Server } from \"@modelcontextprotocol/sdk/server/index.js\";\nimport { StreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/streamableHttp.js\";\nimport { CallToolRequestSchema, ListToolsRequestSchema } from \"@modelcontextprotocol/sdk/types.js\";\nimport { createApp, defineEventHandler, type H3 } from \"h3\";\n\nimport { parseAuthHeader } from \"./auth.ts\";\nimport { executeToolWithCredentials } from \"./handlers/index.ts\";\nimport { INSTRUCTIONS } from \"./instructions.ts\";\nimport { SessionManager } from \"./sessions.ts\";\nimport { TOOLS } from \"./tools.ts\";\nimport { VERSION } from \"./version.ts\";\n\nexport { SessionManager } from \"./sessions.ts\";\n\n/**\n * Create a configured MCP Server instance for HTTP transport.\n *\n * Unlike stdio, HTTP mode does NOT include forge_configure/forge_get_config\n * because credentials come from the Authorization header per-request.\n */\nexport function createMcpServer(): Server {\n  const server = new Server(\n    {\n      name: \"forge-mcp\",\n      version: VERSION,\n    },\n    {\n      capabilities: {\n        tools: {},\n      },\n      instructions: INSTRUCTIONS,\n    },\n  );\n\n  server.setRequestHandler(ListToolsRequestSchema, async () => {\n    return { tools: TOOLS };\n  });\n\n  server.setRequestHandler(CallToolRequestSchema, async (request, extra) => {\n    const { name, arguments: args } = request.params;\n    const token = extra.authInfo?.token;\n\n    /* v8 ignore start */\n    if (!token) {\n      return {\n        content: [\n          {\n            type: \"text\" as const,\n            text: \"Error: Authentication required. No token found in request.\",\n          },\n        ],\n        isError: true,\n      };\n    }\n    /* v8 ignore stop */\n\n    try {\n      const result = await executeToolWithCredentials(\n        name,\n        /* v8 ignore next */ (args as Record<string, unknown>) ?? {},\n        { apiToken: token },\n      );\n      return result as unknown as Record<string, unknown>;\n    } catch (error) {\n      /* v8 ignore start */\n      const message = error instanceof Error ? error.message : String(error);\n      /* v8 ignore stop */\n      return {\n        content: [{ type: \"text\" as const, text: `Error: ${message}` }],\n        isError: true,\n      };\n    }\n  });\n\n  return server;\n}\n\n/**\n * Handle an MCP request using the Streamable HTTP transport.\n *\n * Routes requests based on whether they have a session ID:\n * - No session ID + initialize request → create new session\n * - Has session ID → route to existing session's transport\n *\n * @param req - Node.js IncomingMessage\n * @param res - Node.js ServerResponse\n * @param sessions - Session manager instance (injected)\n */\nexport async function handleMcpRequest(\n  req: IncomingMessage,\n  res: ServerResponse,\n  sessions: SessionManager,\n): Promise<void> {\n  // Extract and validate auth\n  const authHeader = req.headers.authorization;\n  const credentials = parseAuthHeader(authHeader);\n\n  if (!credentials) {\n    res.writeHead(401, { \"Content-Type\": \"application/json\" });\n    res.end(\n      JSON.stringify({\n        jsonrpc: \"2.0\",\n        error: {\n          code: -32001,\n          message: \"Authentication required. Provide a Bearer token with your Forge API token.\",\n        },\n        id: null,\n      }),\n    );\n    return;\n  }\n\n  // Inject auth info for the SDK transport\n  const authenticatedReq = req as IncomingMessage & {\n    auth?: { token: string; clientId: string; scopes: string[] };\n  };\n  authenticatedReq.auth = {\n    token: credentials.apiToken,\n    clientId: \"forge-http-client\",\n    scopes: [],\n  };\n\n  const sessionId = req.headers[\"mcp-session-id\"] as string | undefined;\n\n  if (sessionId) {\n    // Existing session — route to its transport\n    const session = sessions.get(sessionId);\n    if (!session) {\n      res.writeHead(404, { \"Content-Type\": \"application/json\" });\n      res.end(\n        JSON.stringify({\n          jsonrpc: \"2.0\",\n          error: {\n            code: -32000,\n            message: \"Session not found. The session may have expired or been terminated.\",\n          },\n          id: null,\n        }),\n      );\n      return;\n    }\n\n    await session.transport.handleRequest(authenticatedReq, res);\n    return;\n  }\n\n  // No session ID — this should be an initialize request.\n  // Create a new transport + server pair.\n  const transport = new StreamableHTTPServerTransport({\n    sessionIdGenerator: () => randomUUID(),\n  });\n\n  const server = createMcpServer();\n  await server.connect(transport);\n\n  // Set up cleanup on close\n  transport.onclose = () => {\n    const sid = transport.sessionId;\n    /* v8 ignore start */\n    if (sid) {\n      sessions.remove(sid).catch(() => {\n        // Ignore cleanup errors\n      });\n    }\n    /* v8 ignore stop */\n  };\n\n  // Handle the request (this will set transport.sessionId during initialize)\n  await transport.handleRequest(authenticatedReq, res);\n\n  // After handling, register the session if the transport got a session ID\n  /* v8 ignore start */\n  if (transport.sessionId) {\n    sessions.register(transport, server);\n  } else {\n    // No session was created (e.g., invalid request) — clean up\n    await transport.close();\n    await server.close();\n  }\n  /* v8 ignore stop */\n}\n\n/**\n * Create a request handler bound to a SessionManager instance.\n * Convenience factory for server.ts.\n */\nexport function createMcpRequestHandler(\n  sessions: SessionManager,\n): (req: IncomingMessage, res: ServerResponse) => Promise<void> {\n  /* v8 ignore start */\n  return (req, res) => handleMcpRequest(req, res, sessions);\n  /* v8 ignore stop */\n}\n\n/**\n * Create h3 app for health check and service info endpoints.\n * The MCP endpoint is handled separately by handleMcpRequest.\n */\nexport function createHealthApp(): H3 {\n  const app = createApp();\n\n  app.get(\n    \"/\",\n    defineEventHandler(() => {\n      return { status: \"ok\", service: \"forge-mcp\", version: VERSION };\n    }),\n  );\n\n  app.get(\n    \"/health\",\n    defineEventHandler(() => {\n      return { status: \"ok\" };\n    }),\n  );\n\n  return app;\n}\n"],"mappings":";;;;;;;AAqCA,IAAM,cAAc,OAAU;AAC9B,IAAM,yBAAyB,KAAK;AAEpC,IAAa,iBAAb,MAA4B;CAC1B,2BAAmB,IAAI,KAA6B;CACpD;CACA;CAEA,YAAY,SAAiC;AAC3C,OAAK,MAAM,SAAS,OAAO;AAE3B,MAAI,KAAK,MAAM,GAAG;GAChB,MAAM,WAAW,SAAS,iBAAiB;AAC3C,QAAK,aAAa,kBAAkB;AAClC,SAAK,OAAO;MACX,SAAS;AAEZ,QAAK,WAAW,OAAO;;;;;;CAO3B,SAAS,WAA0C,QAAsB;EACvE,MAAM,YAAY,UAAU;AAC5B,MAAI,WAAW;GACb,MAAM,MAAM,KAAK,KAAK;AACtB,QAAK,SAAS,IAAI,WAAW;IAC3B;IACA;IACA,WAAW;IACX,cAAc;IACf,CAAC;;;;;;CAON,IAAI,WAA+C;EACjD,MAAM,UAAU,KAAK,SAAS,IAAI,UAAU;AAC5C,MAAI,QACF,SAAQ,eAAe,KAAK,KAAK;AAEnC,SAAO;;;;;CAMT,MAAM,OAAO,WAAkC;EAC7C,MAAM,UAAU,KAAK,SAAS,IAAI,UAAU;AAC5C,MAAI,SAAS;AACX,QAAK,SAAS,OAAO,UAAU;AAC/B,SAAM,QAAQ,UAAU,OAAO;AAC/B,SAAM,QAAQ,OAAO,OAAO;;;;;;CAOhC,IAAI,OAAe;AACjB,SAAO,KAAK,SAAS;;;;;;CAOvB,QAAgB;AACd,MAAI,KAAK,OAAO,EAAG,QAAO;EAE1B,MAAM,MAAM,KAAK,KAAK;EACtB,MAAM,UAAoB,EAAE;AAE5B,OAAK,MAAM,CAAC,IAAI,YAAY,KAAK,SAC/B,KAAI,MAAM,QAAQ,eAAe,KAAK,IACpC,SAAQ,KAAK,GAAG;AAIpB,OAAK,MAAM,MAAM;;AAGf,OAAK,OAAO,GAAG,CAAC,YAAY,GAAG;AAIjC,SAAO,QAAQ;;;;;CAMjB,MAAM,WAA0B;AAC9B,MAAI,KAAK,YAAY;AACnB,iBAAc,KAAK,WAAW;AAC9B,QAAK,aAAa,KAAA;;EAGpB,MAAM,WAA4B,EAAE;AACpC,OAAK,MAAM,GAAG,YAAY,KAAK,UAAU;AACvC,YAAS,KAAK,QAAQ,UAAU,OAAO,CAAC;AACxC,YAAS,KAAK,QAAQ,OAAO,OAAO,CAAC;;AAEvC,QAAM,QAAQ,IAAI,SAAS;AAC3B,OAAK,SAAS,OAAO;;;;;;;;;;;;;;;;;;;;;AC7GzB,SAAgB,kBAA0B;CACxC,MAAM,SAAS,IAAI,OACjB;EACE,MAAM;EACN,SAAS;EACV,EACD;EACE,cAAc,EACZ,OAAO,EAAE,EACV;EACD,cAAc;EACf,CACF;AAED,QAAO,kBAAkB,wBAAwB,YAAY;AAC3D,SAAO,EAAE,OAAO,OAAO;GACvB;AAEF,QAAO,kBAAkB,uBAAuB,OAAO,SAAS,UAAU;EACxE,MAAM,EAAE,MAAM,WAAW,SAAS,QAAQ;EAC1C,MAAM,QAAQ,MAAM,UAAU;;AAG9B,MAAI,CAAC,MACH,QAAO;GACL,SAAS,CACP;IACE,MAAM;IACN,MAAM;IACP,CACF;GACD,SAAS;GACV;;AAIH,MAAI;AAMF,UALe,MAAM;IACnB;;IACsB,QAAoC,EAAE;IAC5D,EAAE,UAAU,OAAO;IACpB;WAEM,OAAO;;AAId,UAAO;IACL,SAAS,CAAC;KAAE,MAAM;KAAiB,MAAM,UAH3B,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;KAGN,CAAC;IAC/D,SAAS;IACV;;GAEH;AAEF,QAAO;;;;;;;;;;;;;AAcT,eAAsB,iBACpB,KACA,KACA,UACe;CAEf,MAAM,aAAa,IAAI,QAAQ;CAC/B,MAAM,cAAc,gBAAgB,WAAW;AAE/C,KAAI,CAAC,aAAa;AAChB,MAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,CAAC;AAC1D,MAAI,IACF,KAAK,UAAU;GACb,SAAS;GACT,OAAO;IACL,MAAM;IACN,SAAS;IACV;GACD,IAAI;GACL,CAAC,CACH;AACD;;CAIF,MAAM,mBAAmB;AAGzB,kBAAiB,OAAO;EACtB,OAAO,YAAY;EACnB,UAAU;EACV,QAAQ,EAAE;EACX;CAED,MAAM,YAAY,IAAI,QAAQ;AAE9B,KAAI,WAAW;EAEb,MAAM,UAAU,SAAS,IAAI,UAAU;AACvC,MAAI,CAAC,SAAS;AACZ,OAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,CAAC;AAC1D,OAAI,IACF,KAAK,UAAU;IACb,SAAS;IACT,OAAO;KACL,MAAM;KACN,SAAS;KACV;IACD,IAAI;IACL,CAAC,CACH;AACD;;AAGF,QAAM,QAAQ,UAAU,cAAc,kBAAkB,IAAI;AAC5D;;CAKF,MAAM,YAAY,IAAI,8BAA8B,EAClD,0BAA0B,YAAY,EACvC,CAAC;CAEF,MAAM,SAAS,iBAAiB;AAChC,OAAM,OAAO,QAAQ,UAAU;AAG/B,WAAU,gBAAgB;EACxB,MAAM,MAAM,UAAU;;AAEtB,MAAI,IACF,UAAS,OAAO,IAAI,CAAC,YAAY,GAE/B;;;AAMN,OAAM,UAAU,cAAc,kBAAkB,IAAI;;AAIpD,KAAI,UAAU,UACZ,UAAS,SAAS,WAAW,OAAO;MAC/B;AAEL,QAAM,UAAU,OAAO;AACvB,QAAM,OAAO,OAAO;;;;;;;;AASxB,SAAgB,wBACd,UAC8D;;AAE9D,SAAQ,KAAK,QAAQ,iBAAiB,KAAK,KAAK,SAAS;;;;;;;AAQ3D,SAAgB,kBAAsB;CACpC,MAAM,MAAM,WAAW;AAEvB,KAAI,IACF,KACA,yBAAyB;AACvB,SAAO;GAAE,QAAQ;GAAM,SAAS;GAAa,SAAS;GAAS;GAC/D,CACH;AAED,KAAI,IACF,WACA,yBAAyB;AACvB,SAAO,EAAE,QAAQ,MAAM;GACvB,CACH;AAED,QAAO"}

package/dist/http.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Streamable HTTP transport for Forge MCP Server
+ *
+ * Implements the official MCP Streamable HTTP transport specification (2025-03-26)
+ * using the SDK's StreamableHTTPServerTransport.
+ *
+ * Architecture:
+ * - Stateful mode with per-session transport+server pairs (multi-tenant)
+ * - Auth via Bearer token → authInfo.token → handler extra.authInfo
+ * - Session manager (injected) maps session IDs to transport+server instances
+ * - Health/status endpoints handled by h3, MCP endpoint by the SDK transport
+ */
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { type H3 } from "h3";
+import { SessionManager } from "./sessions.ts";
+export { SessionManager } from "./sessions.ts";
+/**
+ * Create a configured MCP Server instance for HTTP transport.
+ *
+ * Unlike stdio, HTTP mode does NOT include forge_configure/forge_get_config
+ * because credentials come from the Authorization header per-request.
+ */
+export declare function createMcpServer(): Server;
+/**
+ * Handle an MCP request using the Streamable HTTP transport.
+ *
+ * Routes requests based on whether they have a session ID:
+ * - No session ID + initialize request → create new session
+ * - Has session ID → route to existing session's transport
+ *
+ * @param req - Node.js IncomingMessage
+ * @param res - Node.js ServerResponse
+ * @param sessions - Session manager instance (injected)
+ */
+export declare function handleMcpRequest(req: IncomingMessage, res: ServerResponse, sessions: SessionManager): Promise<void>;
+/**
+ * Create a request handler bound to a SessionManager instance.
+ * Convenience factory for server.ts.
+ */
+export declare function createMcpRequestHandler(sessions: SessionManager): (req: IncomingMessage, res: ServerResponse) => Promise<void>;
+/**
+ * Create h3 app for health check and service info endpoints.
+ * The MCP endpoint is handled separately by handleMcpRequest.
+ */
+export declare function createHealthApp(): H3;
+//# sourceMappingURL=http.d.ts.map

package/dist/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEjE,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AAGnE,OAAO,EAAiC,KAAK,EAAE,EAAE,MAAM,IAAI,CAAC;AAK5D,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAI/C,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE/C;;;;;GAKG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAuDxC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,QAAQ,EAAE,cAAc,GACvB,OAAO,CAAC,IAAI,CAAC,CAwFf;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,cAAc,GACvB,CAAC,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,cAAc,KAAK,OAAO,CAAC,IAAI,CAAC,CAI9D;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,EAAE,CAkBpC"}

package/dist/http.js

@@ -0,0 +1,3 @@
+import "./version-Cw8OGt4r.js";
+import { a as SessionManager, i as handleMcpRequest, n as createMcpRequestHandler, r as createMcpServer, t as createHealthApp } from "./http-BJUKoZdb.js";
+export { SessionManager, createHealthApp, createMcpRequestHandler, createMcpServer, handleMcpRequest };

package/dist/index.d.ts

@@ -0,0 +1,30 @@
+#!/usr/bin/env node
+/**
+ * Forge MCP Server — Stdio Transport
+ *
+ * This is the local execution mode using stdio transport.
+ * For remote HTTP deployment, use server.ts instead.
+ *
+ * Usage:
+ *   npx @studiometa/forge-mcp
+ *
+ * Or in Claude Desktop config:
+ *   {
+ *     "mcpServers": {
+ *       "forge": {
+ *         "command": "forge-mcp",
+ *         "env": { "FORGE_API_TOKEN": "your-token" }
+ *       }
+ *     }
+ *   }
+ */
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+/**
+ * Create and configure the MCP server.
+ */
+export declare function createStdioServer(): Server;
+/**
+ * Start the stdio server.
+ */
+export declare function startStdioServer(): Promise<void>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AAQnE;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAkC1C;AAED;;GAEG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CAKtD"}