npm - @thotischner/observability-mcp - Versions diffs - 1.8.1 → 3.0.1 - Mend

@thotischner/observability-mcp 1.8.1 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (204) hide show

package/dist/analysis/history.d.ts +70 -0
package/dist/analysis/history.js +170 -0
package/dist/analysis/history.test.d.ts +1 -0
package/dist/analysis/history.test.js +141 -0
package/dist/audit/log.d.ts +9 -0
package/dist/audit/log.js +20 -0
package/dist/audit/redaction-bypass.d.ts +67 -0
package/dist/audit/redaction-bypass.js +64 -0
package/dist/audit/redaction-bypass.test.d.ts +1 -0
package/dist/audit/redaction-bypass.test.js +72 -0
package/dist/audit/sinks/s3.d.ts +61 -0
package/dist/audit/sinks/s3.js +179 -0
package/dist/audit/sinks/s3.test.d.ts +1 -0
package/dist/audit/sinks/s3.test.js +175 -0
package/dist/audit/sinks/types.d.ts +18 -0
package/dist/audit/sinks/types.js +1 -0
package/dist/audit/sinks/webhook.d.ts +45 -0
package/dist/audit/sinks/webhook.js +111 -0
package/dist/audit/sinks/webhook.test.d.ts +1 -0
package/dist/audit/sinks/webhook.test.js +162 -0
package/dist/auth/credentials.d.ts +11 -0
package/dist/auth/credentials.js +27 -0
package/dist/auth/credentials.test.js +21 -1
package/dist/auth/csrf.d.ts +26 -0
package/dist/auth/csrf.js +128 -0
package/dist/auth/csrf.test.d.ts +1 -0
package/dist/auth/csrf.test.js +143 -0
package/dist/auth/local-users.d.ts +6 -0
package/dist/auth/local-users.js +11 -0
package/dist/auth/local-users.test.js +41 -0
package/dist/auth/middleware.d.ts +7 -6
package/dist/auth/oidc/dcr.d.ts +70 -0
package/dist/auth/oidc/dcr.js +160 -0
package/dist/auth/oidc/dcr.test.d.ts +1 -0
package/dist/auth/oidc/dcr.test.js +109 -0
package/dist/auth/oidc/endpoints.js +44 -0
package/dist/auth/oidc/profiles.d.ts +22 -0
package/dist/auth/oidc/profiles.js +95 -0
package/dist/auth/oidc/profiles.test.d.ts +1 -0
package/dist/auth/oidc/profiles.test.js +51 -0
package/dist/auth/oidc/runtime.d.ts +3 -0
package/dist/auth/oidc/runtime.js +16 -3
package/dist/auth/oidc/runtime.test.js +1 -0
package/dist/auth/policy/batch-dry-run.d.ts +56 -0
package/dist/auth/policy/batch-dry-run.js +144 -0
package/dist/auth/policy/batch-dry-run.test.d.ts +1 -0
package/dist/auth/policy/batch-dry-run.test.js +140 -0
package/dist/auth/policy/engine.d.ts +20 -4
package/dist/auth/policy/engine.js +16 -2
package/dist/auth/policy/loader.d.ts +11 -1
package/dist/auth/policy/loader.js +37 -0
package/dist/auth/policy/loader.test.d.ts +1 -0
package/dist/auth/policy/loader.test.js +86 -0
package/dist/auth/policy/opa.d.ts +5 -5
package/dist/auth/policy/opa.js +25 -14
package/dist/auth/policy/opa.test.js +48 -0
package/dist/auth/rbac.d.ts +23 -1
package/dist/auth/rbac.js +43 -1
package/dist/auth/rbac.test.js +62 -0
package/dist/cli/index.js +3 -0
package/dist/cli/inspector-config.d.ts +9 -0
package/dist/cli/inspector-config.js +28 -0
package/dist/cli/inspector-config.test.d.ts +1 -0
package/dist/cli/inspector-config.test.js +33 -0
package/dist/cli/lib.d.ts +1 -1
package/dist/cli/lib.js +1 -0
package/dist/conformance/mcp-2025-11-25.test.d.ts +1 -0
package/dist/conformance/mcp-2025-11-25.test.js +206 -0
package/dist/connectors/interface.d.ts +5 -1
package/dist/connectors/loader.d.ts +8 -0
package/dist/connectors/loader.js +55 -4
package/dist/connectors/loader.test.d.ts +1 -0
package/dist/connectors/loader.test.js +78 -0
package/dist/connectors/manifest-hooks.test.d.ts +1 -0
package/dist/connectors/manifest-hooks.test.js +206 -0
package/dist/connectors/prometheus.test.js +31 -13
package/dist/connectors/registry.d.ts +13 -0
package/dist/connectors/registry.js +30 -0
package/dist/connectors/registry.test.js +56 -2
package/dist/context.d.ts +32 -0
package/dist/context.js +35 -0
package/dist/context.test.d.ts +1 -0
package/dist/context.test.js +58 -0
package/dist/federation/registry.d.ts +54 -0
package/dist/federation/registry.js +122 -0
package/dist/federation/registry.test.d.ts +1 -0
package/dist/federation/registry.test.js +206 -0
package/dist/federation/upstream.d.ts +86 -0
package/dist/federation/upstream.js +162 -0
package/dist/federation/upstream.test.d.ts +1 -0
package/dist/federation/upstream.test.js +118 -0
package/dist/index.js +1435 -126
package/dist/metrics/self.d.ts +1 -0
package/dist/metrics/self.js +8 -0
package/dist/middleware/ssrfGuard.d.ts +15 -0
package/dist/middleware/ssrfGuard.js +103 -0
package/dist/middleware/ssrfGuard.test.d.ts +1 -0
package/dist/middleware/ssrfGuard.test.js +81 -0
package/dist/observability/otel.d.ts +20 -0
package/dist/observability/otel.js +118 -0
package/dist/observability/otel.test.d.ts +1 -0
package/dist/observability/otel.test.js +56 -0
package/dist/openapi.js +215 -7
package/dist/openapi.test.js +34 -0
package/dist/policy/redact.js +1 -1
package/dist/postmortem/store.d.ts +34 -0
package/dist/postmortem/store.js +113 -0
package/dist/postmortem/store.test.d.ts +1 -0
package/dist/postmortem/store.test.js +118 -0
package/dist/postmortem/synthesizer.d.ts +83 -0
package/dist/postmortem/synthesizer.js +205 -0
package/dist/postmortem/synthesizer.test.d.ts +1 -0
package/dist/postmortem/synthesizer.test.js +141 -0
package/dist/products/loader.d.ts +31 -3
package/dist/products/loader.js +77 -4
package/dist/products/loader.test.js +90 -1
package/dist/quota/charge.d.ts +28 -0
package/dist/quota/charge.js +30 -0
package/dist/quota/charge.test.d.ts +1 -0
package/dist/quota/charge.test.js +83 -0
package/dist/quota/limiter.d.ts +29 -4
package/dist/quota/limiter.js +64 -8
package/dist/quota/limiter.test.js +86 -0
package/dist/scim/compliance.test.d.ts +1 -0
package/dist/scim/compliance.test.js +169 -0
package/dist/scim/factory.test.d.ts +1 -0
package/dist/scim/factory.test.js +54 -0
package/dist/scim/group-role-map.d.ts +4 -0
package/dist/scim/group-role-map.js +33 -0
package/dist/scim/group-role-map.test.d.ts +1 -0
package/dist/scim/group-role-map.test.js +33 -0
package/dist/scim/patch-ops.test.d.ts +1 -0
package/dist/scim/patch-ops.test.js +100 -0
package/dist/scim/redis-store.d.ts +38 -0
package/dist/scim/redis-store.js +178 -0
package/dist/scim/redis-store.test.d.ts +1 -0
package/dist/scim/redis-store.test.js +138 -0
package/dist/scim/routes.d.ts +40 -0
package/dist/scim/routes.js +395 -0
package/dist/scim/store.d.ts +76 -0
package/dist/scim/store.js +196 -0
package/dist/scim/store.test.d.ts +1 -0
package/dist/scim/store.test.js +121 -0
package/dist/scim/types.d.ts +73 -0
package/dist/scim/types.js +29 -0
package/dist/sdk/hook-wrappers.d.ts +39 -0
package/dist/sdk/hook-wrappers.js +113 -0
package/dist/sdk/hook-wrappers.test.d.ts +1 -0
package/dist/sdk/hook-wrappers.test.js +204 -0
package/dist/sdk/hooks.d.ts +77 -0
package/dist/sdk/hooks.js +72 -0
package/dist/sdk/hooks.test.d.ts +1 -0
package/dist/sdk/hooks.test.js +159 -0
package/dist/sdk/index.d.ts +15 -0
package/dist/sdk/index.js +1 -0
package/dist/sdk/manifest-schema.d.ts +17 -0
package/dist/sdk/manifest-schema.js +21 -0
package/dist/tools/context-seam.test.js +6 -1
package/dist/tools/detect-anomalies.d.ts +12 -1
package/dist/tools/detect-anomalies.js +26 -5
package/dist/tools/generate-postmortem.d.ts +35 -0
package/dist/tools/generate-postmortem.js +191 -0
package/dist/tools/get-anomaly-history.d.ts +35 -0
package/dist/tools/get-anomaly-history.js +126 -0
package/dist/tools/get-service-health.d.ts +1 -1
package/dist/tools/get-service-health.js +4 -3
package/dist/tools/list-services.d.ts +1 -1
package/dist/tools/list-services.js +3 -2
package/dist/tools/list-sources.d.ts +1 -1
package/dist/tools/list-sources.js +6 -2
package/dist/tools/query-logs.d.ts +1 -1
package/dist/tools/query-logs.js +2 -2
package/dist/tools/query-metrics.d.ts +1 -1
package/dist/tools/query-metrics.js +19 -6
package/dist/tools/query-traces.d.ts +47 -0
package/dist/tools/query-traces.js +145 -0
package/dist/tools/query-traces.test.d.ts +1 -0
package/dist/tools/query-traces.test.js +110 -0
package/dist/tools/registry-names.d.ts +35 -0
package/dist/tools/registry-names.js +54 -0
package/dist/tools/registry-names.test.d.ts +1 -0
package/dist/tools/registry-names.test.js +61 -0
package/dist/tools/topology.d.ts +3 -3
package/dist/tools/topology.js +33 -11
package/dist/tools/topology.test.js +45 -0
package/dist/topology/merge.d.ts +22 -0
package/dist/topology/merge.js +178 -0
package/dist/topology/merge.test.d.ts +1 -0
package/dist/topology/merge.test.js +110 -0
package/dist/transport/sessionStore.d.ts +66 -0
package/dist/transport/sessionStore.js +138 -0
package/dist/transport/sessionStore.test.d.ts +1 -0
package/dist/transport/sessionStore.test.js +118 -0
package/dist/transport/transportSessionMap.d.ts +70 -0
package/dist/transport/transportSessionMap.js +128 -0
package/dist/transport/transportSessionMap.test.d.ts +1 -0
package/dist/transport/transportSessionMap.test.js +111 -0
package/dist/transport/websocket.d.ts +35 -0
package/dist/transport/websocket.js +133 -0
package/dist/transport/websocket.test.d.ts +1 -0
package/dist/transport/websocket.test.js +124 -0
package/dist/types.d.ts +51 -0
package/dist/ui/index.html +2529 -145
package/package.json +13 -3

package/dist/transport/sessionStore.js ADDED Viewed

@@ -0,0 +1,138 @@
+// Shared session store — abstract backend for any short-lived state
+// the gateway needs to keep across replicas: MCP Streamable HTTP
+// session metadata, OIDC flow state (PKCE verifier, nonce, redirect
+// target), DCR-registered client metadata, federation upstream
+// catalogue cache.
+//
+// Two implementations ship in v2.0:
+//
+//   InMemorySessionStore — the default; preserves the pre-F8 behaviour
+//     (single-replica, ephemeral on restart). No new dep, no new env.
+//
+//   RedisSessionStore — opt-in via OMCP_REDIS_URL. Backs all consumers
+//     with a shared Redis so multi-replica deployments stop losing
+//     sessions on rollouts and so federated upstreams can share a
+//     cache. Driver loaded via dynamic import so the `redis` package
+//     only loads when the store is configured.
+//
+// Consumers MUST treat returns as eventually-consistent across
+// replicas: a get() right after a set() on a different replica may
+// return undefined while replication catches up. Use TTLs for any
+// state that must self-cleanup (the store's `setEx` honours the
+// requested ttl seconds; `set` is no-expiry).
+/** Single-process, in-memory store. Default when OMCP_REDIS_URL is
+ *  unset. Lazy expiry — entries are evicted on the next access. */
+export class InMemorySessionStore {
+    backend = "memory";
+    map = new Map();
+    async get(key) {
+        const entry = this.map.get(key);
+        if (!entry)
+            return undefined;
+        if (entry.expiresAt <= Date.now()) {
+            this.map.delete(key);
+            return undefined;
+        }
+        return entry.value;
+    }
+    async set(key, value) {
+        this.map.set(key, { value, expiresAt: Number.POSITIVE_INFINITY });
+    }
+    async setEx(key, ttlSeconds, value) {
+        this.map.set(key, { value, expiresAt: Date.now() + ttlSeconds * 1000 });
+    }
+    async del(key) {
+        this.map.delete(key);
+    }
+    async keys(prefix) {
+        const out = [];
+        const now = Date.now();
+        for (const [k, v] of this.map) {
+            if (v.expiresAt <= now) {
+                this.map.delete(k);
+                continue;
+            }
+            if (k.startsWith(prefix))
+                out.push(k);
+        }
+        return out;
+    }
+    async close() {
+        this.map.clear();
+    }
+    /** Test-only: introspect size. */
+    size() {
+        return this.map.size;
+    }
+}
+/** Redis-backed store. Constructed lazily via `connectRedisStore` so
+ *  the `redis` driver only loads when actually used. */
+export class RedisSessionStore {
+    backend = "redis";
+    client;
+    prefix;
+    constructor(client, prefix = "omcp:") {
+        this.client = client;
+        this.prefix = prefix;
+    }
+    k(key) {
+        return `${this.prefix}${key}`;
+    }
+    async get(key) {
+        const raw = await this.client.get(this.k(key));
+        if (raw == null)
+            return undefined;
+        try {
+            return JSON.parse(raw);
+        }
+        catch {
+            return undefined;
+        }
+    }
+    async set(key, value) {
+        await this.client.set(this.k(key), JSON.stringify(value));
+    }
+    async setEx(key, ttlSeconds, value) {
+        await this.client.set(this.k(key), JSON.stringify(value), {
+            EX: ttlSeconds,
+        });
+    }
+    async del(key) {
+        await this.client.del(this.k(key));
+    }
+    async keys(prefix) {
+        const found = await this.client.keys(`${this.k(prefix)}*`);
+        return found.map((k) => k.slice(this.prefix.length));
+    }
+    async close() {
+        try {
+            await this.client.quit();
+        }
+        catch {
+            /* socket may already be down */
+        }
+    }
+}
+/**
+ * Resolve the session store from env. Default: InMemorySessionStore.
+ * When OMCP_REDIS_URL is set: load `redis` dynamically, connect, and
+ * return a RedisSessionStore. On any connect failure, log + fall back
+ * to InMemory (the gateway must boot even when Redis is down).
+ */
+export async function resolveSessionStore(env = process.env) {
+    const url = env.OMCP_REDIS_URL?.trim();
+    if (!url)
+        return new InMemorySessionStore();
+    try {
+        const { createClient } = await import("redis");
+        const client = createClient({ url });
+        client.on("error", (err) => console.warn("RedisSessionStore: client error: %s", err instanceof Error ? err.message : String(err)));
+        await client.connect();
+        console.log("RedisSessionStore: connected (url scheme=%s, prefix=%s)", new URL(url).protocol.replace(/:$/, ""), env.OMCP_REDIS_KEY_PREFIX ?? "omcp:");
+        return new RedisSessionStore(client, env.OMCP_REDIS_KEY_PREFIX ?? "omcp:");
+    }
+    catch (err) {
+        console.warn("RedisSessionStore: connect failed, falling back to in-memory store: %s", err instanceof Error ? err.message : String(err));
+        return new InMemorySessionStore();
+    }
+}

package/dist/transport/sessionStore.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/transport/sessionStore.test.js ADDED Viewed

@@ -0,0 +1,118 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { InMemorySessionStore, RedisSessionStore, } from "./sessionStore.js";
+test("InMemorySessionStore: backend identifier is 'memory'", () => {
+    const s = new InMemorySessionStore();
+    assert.equal(s.backend, "memory");
+});
+test("InMemorySessionStore: set + get round-trips JSON-serialisable values", async () => {
+    const s = new InMemorySessionStore();
+    await s.set("k", { a: 1, b: ["x", "y"] });
+    assert.deepEqual(await s.get("k"), { a: 1, b: ["x", "y"] });
+});
+test("InMemorySessionStore: missing key returns undefined", async () => {
+    const s = new InMemorySessionStore();
+    assert.equal(await s.get("nope"), undefined);
+});
+test("InMemorySessionStore: del removes a key", async () => {
+    const s = new InMemorySessionStore();
+    await s.set("k", "v");
+    await s.del("k");
+    assert.equal(await s.get("k"), undefined);
+});
+test("InMemorySessionStore: setEx expires after ttl", async () => {
+    const s = new InMemorySessionStore();
+    await s.setEx("k", 0.05, "soon-gone"); // 50ms
+    assert.equal(await s.get("k"), "soon-gone");
+    await new Promise((r) => setTimeout(r, 80));
+    assert.equal(await s.get("k"), undefined);
+});
+test("InMemorySessionStore: keys(prefix) returns matching keys, drops expired ones", async () => {
+    const s = new InMemorySessionStore();
+    await s.set("oidc:flow:a", 1);
+    await s.set("oidc:flow:b", 2);
+    await s.set("mcp:session:c", 3);
+    await s.setEx("oidc:flow:expired", 0.02, 4);
+    await new Promise((r) => setTimeout(r, 50));
+    const oidc = await s.keys("oidc:flow:");
+    assert.deepEqual(oidc.sort(), ["oidc:flow:a", "oidc:flow:b"]);
+    assert.deepEqual(await s.keys("mcp:"), ["mcp:session:c"]);
+});
+test("InMemorySessionStore: close() clears state", async () => {
+    const s = new InMemorySessionStore();
+    await s.set("k", 1);
+    await s.close();
+    assert.equal(await s.get("k"), undefined);
+    assert.equal(s.size(), 0);
+});
+// FakeRedis: tiny in-memory implementation of the RedisClientLike
+// surface, lets us test RedisSessionStore without a real broker.
+class FakeRedis {
+    store = new Map();
+    quitCalled = false;
+    async get(key) {
+        return this.store.get(key) ?? null;
+    }
+    async set(key, value, _opts) {
+        this.store.set(key, value);
+        return "OK";
+    }
+    async del(key) {
+        return this.store.delete(key) ? 1 : 0;
+    }
+    async keys(pattern) {
+        // FakeRedis only supports prefix*.
+        const prefix = pattern.replace(/\*$/, "");
+        return [...this.store.keys()].filter((k) => k.startsWith(prefix));
+    }
+    async quit() {
+        this.quitCalled = true;
+        return "OK";
+    }
+}
+test("RedisSessionStore: applies prefix on set/get/del/keys", async () => {
+    const fake = new FakeRedis();
+    const s = new RedisSessionStore(fake, "test:");
+    await s.set("k", { hello: "world" });
+    assert.ok(fake.store.has("test:k"));
+    assert.deepEqual(await s.get("k"), { hello: "world" });
+    await s.del("k");
+    assert.equal(await s.get("k"), undefined);
+});
+test("RedisSessionStore: keys() strips the prefix before returning", async () => {
+    const fake = new FakeRedis();
+    const s = new RedisSessionStore(fake, "test:");
+    await s.set("oidc:a", 1);
+    await s.set("oidc:b", 2);
+    const found = await s.keys("oidc:");
+    assert.deepEqual(found.sort(), ["oidc:a", "oidc:b"]);
+});
+test("RedisSessionStore: setEx forwards EX to the driver", async () => {
+    const fake = new FakeRedis();
+    let seenOpts;
+    fake.set = async (key, value, opts) => {
+        seenOpts = opts;
+        fake.store.set(key, value);
+        return "OK";
+    };
+    const s = new RedisSessionStore(fake, "");
+    await s.setEx("k", 30, "v");
+    assert.deepEqual(seenOpts, { EX: 30 });
+});
+test("RedisSessionStore: malformed JSON in store returns undefined", async () => {
+    const fake = new FakeRedis();
+    fake.store.set("test:bad", "not-json{");
+    const s = new RedisSessionStore(fake, "test:");
+    assert.equal(await s.get("bad"), undefined);
+});
+test("RedisSessionStore: close() calls quit()", async () => {
+    const fake = new FakeRedis();
+    const s = new RedisSessionStore(fake, "test:");
+    await s.close();
+    assert.equal(fake.quitCalled, true);
+});
+test("RedisSessionStore: backend identifier is 'redis'", () => {
+    const fake = new FakeRedis();
+    const s = new RedisSessionStore(fake);
+    assert.equal(s.backend, "redis");
+});

package/dist/transport/transportSessionMap.d.ts ADDED Viewed

@@ -0,0 +1,70 @@
+import type { SessionStore } from "./sessionStore.js";
+export interface TransportSessionMeta {
+    /** Stable id of the replica that owns the underlying SDK
+     *  Transport object. Set on creation. */
+    ownerReplica: string;
+    /** Optional virtual-server product slug. Undefined for the
+     *  root /mcp surface. */
+    product?: string;
+    /** Epoch ms — bumped on every successful request. */
+    lastActive: number;
+}
+export interface TransportSessionMap {
+    /** Stable backend identifier (used in /api/info diagnostics). */
+    readonly backend: string;
+    /** True iff there's a metadata entry — does NOT imply a local
+     *  Transport exists. */
+    has(sessionId: string): Promise<boolean>;
+    get(sessionId: string): Promise<TransportSessionMeta | undefined>;
+    set(sessionId: string, meta: TransportSessionMeta, ttlSeconds?: number): Promise<void>;
+    /** Convenience: bump lastActive while preserving the rest. */
+    touch(sessionId: string, ttlSeconds?: number): Promise<void>;
+    delete(sessionId: string): Promise<void>;
+    /** Return every session id this map knows about. Used for the
+     *  cleanup tick. Implementations MAY cap; in-memory returns the
+     *  full set, Redis pages via SCAN under the prefix. */
+    keys(): Promise<string[]>;
+    /** Evict entries with lastActive older than `maxIdleMs`. Returns
+     *  the evicted ids (caller logs / records metrics). */
+    cleanup(maxIdleMs: number): Promise<string[]>;
+}
+export declare class InMemoryTransportSessionMap implements TransportSessionMap {
+    readonly backend = "memory";
+    private readonly map;
+    has(id: string): Promise<boolean>;
+    get(id: string): Promise<TransportSessionMeta | undefined>;
+    set(id: string, meta: TransportSessionMeta): Promise<void>;
+    touch(id: string): Promise<void>;
+    delete(id: string): Promise<void>;
+    keys(): Promise<string[]>;
+    cleanup(maxIdleMs: number): Promise<string[]>;
+}
+/**
+ * Wraps an existing SessionStore so the per-session metadata lives
+ * wherever the SessionStore decided — InMemorySessionStore (no
+ * cross-replica visibility, identical to InMemoryTransportSessionMap
+ * but useful for tests / when a future backend is plugged in) or
+ * RedisSessionStore (cross-replica safe).
+ *
+ * Each entry stored at `<KEY_PREFIX><sessionId>` as JSON.
+ */
+export declare class SessionStoreBackedTransportSessionMap implements TransportSessionMap {
+    readonly backend: string;
+    private readonly store;
+    private readonly defaultTtlSeconds;
+    constructor(store: SessionStore, defaultTtlSeconds?: number);
+    has(id: string): Promise<boolean>;
+    get(id: string): Promise<TransportSessionMeta | undefined>;
+    set(id: string, meta: TransportSessionMeta, ttlSeconds?: number): Promise<void>;
+    touch(id: string, ttlSeconds?: number): Promise<void>;
+    delete(id: string): Promise<void>;
+    keys(): Promise<string[]>;
+    cleanup(maxIdleMs: number): Promise<string[]>;
+}
+/**
+ * Pick the right implementation. When `sessionStore` is the
+ * in-memory default, return InMemoryTransportSessionMap so we
+ * avoid the (synchronous → async) layering tax. Otherwise wrap
+ * the supplied store.
+ */
+export declare function createTransportSessionMap(sessionStore?: SessionStore): TransportSessionMap;

package/dist/transport/transportSessionMap.js ADDED Viewed

@@ -0,0 +1,128 @@
+// Multi-replica-safe MCP transport session metadata.
+//
+// The actual SDK `StreamableHTTPServerTransport` object MUST live in
+// the replica that originated the session — it owns the open HTTP
+// response handles. What CAN be shared across replicas is the
+// per-session metadata (last-active timestamp, virtual-server
+// product slug, owner-replica id). This module promotes that map
+// from a process-local `Map` to a small `TransportSessionMap` KV
+// surface backed by either in-memory state (default) or the existing
+// SessionStore Redis backend (opt-in via OMCP_REDIS_URL).
+//
+// Multi-replica behaviour:
+//   - Replica A creates session S. Writes metadata {ownerReplica:A,
+//     lastActive, product} to the shared map.
+//   - Subsequent request lands on Replica B with the same S header.
+//     B consults the shared map, sees ownerReplica:A, replies 410
+//     so the load balancer rehashes or the client retries.
+//   - This keeps the gateway functional even when sticky ingress
+//     drops the affinity — the worst case is a single 410 retry,
+//     not a silent NEW transport (which today races against the
+//     real one).
+//
+// The TTL on each entry mirrors SESSION_TTL_MS so the map doesn't
+// grow unbounded if a replica disappears without graceful
+// shutdown — TTL-based eviction is the safety net.
+// ---------------------------------------------------------------- in-memory
+export class InMemoryTransportSessionMap {
+    backend = "memory";
+    map = new Map();
+    async has(id) { return this.map.has(id); }
+    async get(id) {
+        return this.map.get(id);
+    }
+    async set(id, meta) {
+        this.map.set(id, meta);
+    }
+    async touch(id) {
+        const cur = this.map.get(id);
+        if (!cur)
+            return;
+        cur.lastActive = Date.now();
+    }
+    async delete(id) { this.map.delete(id); }
+    async keys() { return [...this.map.keys()]; }
+    async cleanup(maxIdleMs) {
+        const now = Date.now();
+        const evicted = [];
+        for (const [id, meta] of this.map) {
+            if (now - meta.lastActive > maxIdleMs) {
+                this.map.delete(id);
+                evicted.push(id);
+            }
+        }
+        return evicted;
+    }
+}
+// ---------------------------------------------------------------- SessionStore-backed
+const KEY_PREFIX = "transport:";
+/**
+ * Wraps an existing SessionStore so the per-session metadata lives
+ * wherever the SessionStore decided — InMemorySessionStore (no
+ * cross-replica visibility, identical to InMemoryTransportSessionMap
+ * but useful for tests / when a future backend is plugged in) or
+ * RedisSessionStore (cross-replica safe).
+ *
+ * Each entry stored at `<KEY_PREFIX><sessionId>` as JSON.
+ */
+export class SessionStoreBackedTransportSessionMap {
+    backend;
+    store;
+    defaultTtlSeconds;
+    constructor(store, defaultTtlSeconds = 30 * 60) {
+        this.store = store;
+        this.backend = `session-store:${store.backend}`;
+        this.defaultTtlSeconds = defaultTtlSeconds;
+    }
+    async has(id) {
+        return (await this.store.get(KEY_PREFIX + id)) !== undefined;
+    }
+    async get(id) {
+        return (await this.store.get(KEY_PREFIX + id)) ?? undefined;
+    }
+    async set(id, meta, ttlSeconds) {
+        await this.store.setEx(KEY_PREFIX + id, ttlSeconds ?? this.defaultTtlSeconds, meta);
+    }
+    async touch(id, ttlSeconds) {
+        const cur = await this.get(id);
+        if (!cur)
+            return;
+        cur.lastActive = Date.now();
+        await this.set(id, cur, ttlSeconds);
+    }
+    async delete(id) {
+        await this.store.del(KEY_PREFIX + id);
+    }
+    async keys() {
+        const raw = await this.store.keys(KEY_PREFIX);
+        return raw.map((k) => k.slice(KEY_PREFIX.length));
+    }
+    async cleanup(maxIdleMs) {
+        const now = Date.now();
+        const ids = await this.keys();
+        const evicted = [];
+        for (const id of ids) {
+            const meta = await this.get(id);
+            if (!meta)
+                continue;
+            if (now - meta.lastActive > maxIdleMs) {
+                await this.delete(id);
+                evicted.push(id);
+            }
+        }
+        return evicted;
+    }
+}
+// ---------------------------------------------------------------- factory
+/**
+ * Pick the right implementation. When `sessionStore` is the
+ * in-memory default, return InMemoryTransportSessionMap so we
+ * avoid the (synchronous → async) layering tax. Otherwise wrap
+ * the supplied store.
+ */
+export function createTransportSessionMap(sessionStore) {
+    if (!sessionStore || sessionStore.backend === "memory") {
+        return new InMemoryTransportSessionMap();
+    }
+    return new SessionStoreBackedTransportSessionMap(sessionStore);
+}

package/dist/transport/transportSessionMap.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/transport/transportSessionMap.test.js ADDED Viewed

@@ -0,0 +1,111 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { InMemoryTransportSessionMap, SessionStoreBackedTransportSessionMap, createTransportSessionMap, } from "./transportSessionMap.js";
+import { InMemorySessionStore } from "./sessionStore.js";
+function meta(p = {}) {
+    return {
+        ownerReplica: p.ownerReplica ?? "replica-A",
+        product: p.product,
+        lastActive: p.lastActive ?? Date.now(),
+    };
+}
+test("InMemoryTransportSessionMap: get/set/has/delete round-trip", async () => {
+    const m = new InMemoryTransportSessionMap();
+    assert.equal(await m.has("s1"), false);
+    await m.set("s1", meta({ product: "checkout" }));
+    assert.equal(await m.has("s1"), true);
+    const got = await m.get("s1");
+    assert.equal(got?.ownerReplica, "replica-A");
+    assert.equal(got?.product, "checkout");
+    await m.delete("s1");
+    assert.equal(await m.has("s1"), false);
+});
+test("InMemoryTransportSessionMap: touch bumps lastActive", async () => {
+    const m = new InMemoryTransportSessionMap();
+    const before = Date.now() - 10_000;
+    await m.set("s1", meta({ lastActive: before }));
+    await new Promise((r) => setTimeout(r, 2));
+    await m.touch("s1");
+    const got = await m.get("s1");
+    assert.ok((got?.lastActive ?? 0) > before);
+});
+test("InMemoryTransportSessionMap: keys + cleanup", async () => {
+    const m = new InMemoryTransportSessionMap();
+    await m.set("fresh", meta({ lastActive: Date.now() }));
+    await m.set("stale", meta({ lastActive: Date.now() - 10_000 }));
+    const all = await m.keys();
+    assert.equal(all.length, 2);
+    const evicted = await m.cleanup(5_000);
+    assert.deepEqual(evicted, ["stale"]);
+    assert.equal(await m.has("stale"), false);
+    assert.equal(await m.has("fresh"), true);
+});
+test("SessionStoreBackedTransportSessionMap: round-trip via SessionStore", async () => {
+    const store = new InMemorySessionStore();
+    const m = new SessionStoreBackedTransportSessionMap(store);
+    await m.set("s1", meta({ product: "p" }));
+    assert.equal(await m.has("s1"), true);
+    const got = await m.get("s1");
+    assert.equal(got?.product, "p");
+    await m.delete("s1");
+    assert.equal(await m.has("s1"), false);
+});
+test("SessionStoreBackedTransportSessionMap: keys excludes the prefix in returned ids", async () => {
+    const store = new InMemorySessionStore();
+    const m = new SessionStoreBackedTransportSessionMap(store);
+    await m.set("alpha", meta());
+    await m.set("beta", meta());
+    const ids = (await m.keys()).sort();
+    assert.deepEqual(ids, ["alpha", "beta"]);
+    // Unrelated keys on the same SessionStore must not pollute the map.
+    await store.set("scim:user:1", { foo: "bar" });
+    const idsAfter = (await m.keys()).sort();
+    assert.deepEqual(idsAfter, ["alpha", "beta"]);
+});
+test("SessionStoreBackedTransportSessionMap: cleanup evicts stale entries", async () => {
+    const store = new InMemorySessionStore();
+    const m = new SessionStoreBackedTransportSessionMap(store);
+    await m.set("fresh", meta({ lastActive: Date.now() }));
+    await m.set("stale", meta({ lastActive: Date.now() - 60_000 }));
+    const evicted = await m.cleanup(30_000);
+    assert.deepEqual(evicted, ["stale"]);
+});
+test("SessionStoreBackedTransportSessionMap: touch is no-op on missing id", async () => {
+    const store = new InMemorySessionStore();
+    const m = new SessionStoreBackedTransportSessionMap(store);
+    await m.touch("ghost");
+    assert.equal(await m.has("ghost"), false);
+});
+test("SessionStoreBackedTransportSessionMap: backend tag exposes underlying store name", () => {
+    const store = new InMemorySessionStore();
+    const m = new SessionStoreBackedTransportSessionMap(store);
+    assert.equal(m.backend, "session-store:memory");
+});
+test("createTransportSessionMap: memory backend returns in-memory impl", () => {
+    const store = new InMemorySessionStore();
+    const m = createTransportSessionMap(store);
+    assert.equal(m.backend, "memory");
+});
+test("createTransportSessionMap: non-memory backend returns wrapper", () => {
+    // Fake a non-memory backend by stubbing the backend tag.
+    const fake = {
+        backend: "redis",
+        async get() { return undefined; },
+        async set() { },
+        async setEx() { },
+        async del() { },
+        async keys() { return []; },
+        async close() { },
+    };
+    const m = createTransportSessionMap(fake);
+    assert.equal(m.backend, "session-store:redis");
+});
+test("createTransportSessionMap: undefined sessionStore → memory impl (back-compat)", () => {
+    const m = createTransportSessionMap();
+    assert.equal(m.backend, "memory");
+});
+test("InMemoryTransportSessionMap.touch: ghost id is no-op", async () => {
+    const m = new InMemoryTransportSessionMap();
+    await m.touch("ghost");
+    assert.equal(await m.has("ghost"), false);
+});

package/dist/transport/websocket.d.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import type { WebSocket } from "ws";
+import type { JSONRPCMessage, MessageExtraInfo, RequestId } from "@modelcontextprotocol/sdk/types.js";
+import type { Transport } from "@modelcontextprotocol/sdk/shared/transport.js";
+export declare const PING_INTERVAL_MS = 30000;
+export declare const PING_TIMEOUT_MS = 90000;
+export interface WebSocketTransportOptions {
+    /** Override the generated session id (useful for tests). */
+    sessionId?: string;
+    /** Override heartbeat ping interval; default 30s. */
+    pingIntervalMs?: number;
+    /** Override stale-connection timeout; default 90s. */
+    pingTimeoutMs?: number;
+}
+/**
+ * Per-WS-connection MCP transport. One instance per accepted socket.
+ */
+export declare class WebSocketServerTransport implements Transport {
+    sessionId?: string;
+    onclose?: () => void;
+    onerror?: (error: Error) => void;
+    onmessage?: <T extends JSONRPCMessage>(message: T, extra?: MessageExtraInfo) => void;
+    private ws;
+    private pingTimer?;
+    private lastPongAt;
+    private pingIntervalMs;
+    private pingTimeoutMs;
+    private closed;
+    constructor(ws: WebSocket, opts?: WebSocketTransportOptions);
+    start(): Promise<void>;
+    send(message: JSONRPCMessage, _options?: {
+        relatedRequestId?: RequestId;
+    }): Promise<void>;
+    close(): Promise<void>;
+    private handleClose;
+}