@zenalexa/unicli 0.213.1 → 0.213.3

package/dist/mcp/streamable-http/index.js

@@ -0,0 +1,150 @@
+/**
+ * Streamable HTTP transport for the MCP server (spec 2025-11-25).
+ *
+ * Endpoints:
+ *   GET  /mcp    — server capabilities + supported protocol version
+ *   POST /mcp    — JSON-RPC request (response as JSON or SSE per Accept header)
+ *   DELETE /mcp  — terminate session (requires MCP-Session-Id)
+ *   GET /health  — server status + active session count
+ *
+ * Session management via the MCP-Session-Id header; protocol-version
+ * enforcement via MCP-Protocol-Version. CORS validated per request
+ * (no wildcards), DNS-rebinding-safe origin check.
+ *
+ * Every SSE event carries an explicit `id:` so a future replay buffer
+ * can anchor to it. `Last-Event-ID` is accepted for forward-compat
+ * testing but replay is not yet implemented.
+ *
+ * Zero external dependencies — Node.js http + crypto only.
+ *
+ * Module layout (v0.213.3 P3 split):
+ *   ./session.ts      — session state, helpers, types, constants
+ *   ./handle-post.ts  — POST /mcp dispatch (sync + async + SSE)
+ *   ./index.ts        — public `startStreamableHttp` + routing
+ */
+import { createServer, } from "node:http";
+import { VERSION, MCP_PROTOCOL_VERSION } from "../../constants.js";
+import { handleOAuthRoute, createOAuthMiddleware } from "../oauth.js";
+import { handlePost } from "./handle-post.js";
+import { ALLOWED_ORIGINS, HEARTBEAT_MS, PRUNE_INTERVAL_MS, SESSION_TTL_MS, asyncTasks, isOriginAllowed, jsonResponse, pruneStaleSessions, sessions, } from "./session.js";
+// ── DELETE /mcp Handler ────────────────────────────────────────────────────
+function handleDelete(req, res) {
+    const sessionId = req.headers["mcp-session-id"];
+    if (!sessionId || !sessions.has(sessionId)) {
+        jsonResponse(res, 404, {
+            jsonrpc: "2.0",
+            id: null,
+            error: { code: -32600, message: "Invalid or missing MCP-Session-Id" },
+        });
+        return;
+    }
+    sessions.delete(sessionId);
+    res.writeHead(204);
+    res.end();
+}
+// ── OPTIONS preflight ──────────────────────────────────────────────────────
+function handleOptions(req, res) {
+    const origin = req.headers.origin;
+    const allowedOrigin = origin && isOriginAllowed(req) ? origin : "http://localhost";
+    res.writeHead(204, {
+        "Access-Control-Allow-Origin": allowedOrigin,
+        "Access-Control-Allow-Methods": "GET, POST, DELETE, OPTIONS",
+        "Access-Control-Allow-Headers": "Content-Type, MCP-Session-Id, MCP-Protocol-Version, Authorization, Accept, X-MCP-Async",
+        "Access-Control-Expose-Headers": "MCP-Session-Id, MCP-Protocol-Version",
+        "Access-Control-Max-Age": "86400",
+    });
+    res.end();
+}
+// ── Routing ────────────────────────────────────────────────────────────────
+function route(req, res, handler, oauthMiddleware, auth) {
+    const method = req.method ?? "";
+    const pathname = (req.url ?? "/").split("?")[0];
+    if (method === "OPTIONS")
+        return handleOptions(req, res);
+    // OAuth routes — always public when auth is enabled
+    if (auth && handleOAuthRoute(req, res))
+        return;
+    if (method === "GET" && (pathname === "/health" || pathname === "/")) {
+        jsonResponse(res, 200, {
+            status: "ok",
+            transport: "streamable-http",
+            version: VERSION,
+            sessions: sessions.size,
+            protocolVersion: MCP_PROTOCOL_VERSION,
+        });
+        return;
+    }
+    if (pathname === "/mcp") {
+        if (oauthMiddleware?.(req, res))
+            return;
+        if (method === "GET") {
+            jsonResponse(res, 200, {
+                protocolVersion: MCP_PROTOCOL_VERSION,
+                serverInfo: { name: "unicli", version: VERSION },
+                capabilities: {},
+            });
+            return;
+        }
+        if (method === "POST") {
+            handlePost(req, res, handler).catch(() => {
+                if (!res.writableEnded) {
+                    jsonResponse(res, 500, {
+                        jsonrpc: "2.0",
+                        id: null,
+                        error: { code: -32603, message: "Unexpected server error" },
+                    });
+                }
+            });
+            return;
+        }
+        if (method === "DELETE")
+            return handleDelete(req, res);
+    }
+    res.writeHead(404, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "Not found" }));
+}
+// ── Public API ─────────────────────────────────────────────────────────────
+/**
+ * Start the MCP Streamable HTTP transport server (spec 2025-11-25).
+ *
+ * Returns the actually-bound port so callers that pass `port: 0` (let
+ * the OS pick a free ephemeral port — used by tests to avoid Windows
+ * TIME_WAIT collisions) get the real port back.
+ */
+export async function startStreamableHttp(port, handler, options) {
+    const oauthMiddleware = options?.auth ? createOAuthMiddleware() : null;
+    const pruneTimer = setInterval(pruneStaleSessions, PRUNE_INTERVAL_MS);
+    pruneTimer.unref();
+    const server = createServer((req, res) => route(req, res, handler, oauthMiddleware, options?.auth));
+    server.on("close", () => {
+        clearInterval(pruneTimer);
+        sessions.clear();
+        asyncTasks.clear();
+    });
+    await new Promise((resolve, reject) => {
+        server.once("error", reject);
+        server.listen(port, "127.0.0.1", () => {
+            server.off("error", reject);
+            resolve();
+        });
+    });
+    const addr = server.address();
+    const boundPort = addr && typeof addr === "object" ? addr.port : port;
+    process.stderr.write(`unicli MCP server v${VERSION} — Streamable HTTP transport on http://127.0.0.1:${boundPort}\n` +
+        `  MCP endpoint: GET/POST/DELETE http://127.0.0.1:${boundPort}/mcp\n` +
+        `  Health check: GET             http://127.0.0.1:${boundPort}/health\n` +
+        `  Protocol:     ${MCP_PROTOCOL_VERSION}\n`);
+    return boundPort;
+}
+// Exported for testing. Stable shape: mirrors the pre-split module.
+export const _test = {
+    sessions,
+    asyncTasks,
+    pruneStaleSessions,
+    isOriginAllowed,
+    ALLOWED_ORIGINS,
+    SESSION_TTL_MS,
+    HEARTBEAT_MS,
+    MCP_PROTOCOL_VERSION,
+};
+//# sourceMappingURL=index.js.map

package/dist/mcp/streamable-http/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/mcp/streamable-http/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EACL,YAAY,GAGb,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACtE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EACL,eAAe,EACf,YAAY,EACZ,iBAAiB,EACjB,cAAc,EACd,UAAU,EACV,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,QAAQ,GAGT,MAAM,cAAc,CAAC;AAEtB,8EAA8E;AAE9E,SAAS,YAAY,CAAC,GAAoB,EAAE,GAAmB;IAC7D,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAuB,CAAC;IACtE,IAAI,CAAC,SAAS,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3C,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE;YACrB,OAAO,EAAE,KAAK;YACd,EAAE,EAAE,IAAI;YACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,mCAAmC,EAAE;SACtE,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IACD,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC3B,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IACnB,GAAG,CAAC,GAAG,EAAE,CAAC;AACZ,CAAC;AAED,8EAA8E;AAE9E,SAAS,aAAa,CAAC,GAAoB,EAAE,GAAmB;IAC9D,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;IAClC,MAAM,aAAa,GACjB,MAAM,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC;IAC/D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;QACjB,6BAA6B,EAAE,aAAa;QAC5C,8BAA8B,EAAE,4BAA4B;QAC5D,8BAA8B,EAC5B,wFAAwF;QAC1F,+BAA+B,EAAE,sCAAsC;QACvE,wBAAwB,EAAE,OAAO;KAClC,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,EAAE,CAAC;AACZ,CAAC;AAED,8EAA8E;AAE9E,SAAS,KAAK,CACZ,GAAoB,EACpB,GAAmB,EACnB,OAAgB,EAChB,eAEQ,EACR,IAAyB;IAEzB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;IAChC,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEhD,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAEzD,oDAAoD;IACpD,IAAI,IAAI,IAAI,gBAAgB,CAAC,GAAG,EAAE,GAAG,CAAC;QAAE,OAAO;IAE/C,IAAI,MAAM,KAAK,KAAK,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,GAAG,CAAC,EAAE,CAAC;QACrE,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE;YACrB,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE,iBAAiB;YAC5B,OAAO,EAAE,OAAO;YAChB,QAAQ,EAAE,QAAQ,CAAC,IAAI;YACvB,eAAe,EAAE,oBAAoB;SACtC,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,IAAI,eAAe,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC;YAAE,OAAO;QAExC,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACrB,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE;gBACrB,eAAe,EAAE,oBAAoB;gBACrC,UAAU,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE;gBAChD,YAAY,EAAE,EAAE;aACjB,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;gBACvC,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC;oBACvB,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE;wBACrB,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI;wBACR,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,yBAAyB,EAAE;qBAC5D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ;YAAE,OAAO,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACzD,CAAC;IAED,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAY,EACZ,OAAgB,EAChB,OAA+B;IAE/B,MAAM,eAAe,GAAG,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IAEvE,MAAM,UAAU,GAAG,WAAW,CAAC,kBAAkB,EAAE,iBAAiB,CAAC,CAAC;IACtE,UAAU,CAAC,KAAK,EAAE,CAAC;IAEnB,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CACvC,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,eAAe,EAAE,OAAO,EAAE,IAAI,CAAC,CACzD,CAAC;IAEF,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QACtB,aAAa,CAAC,UAAU,CAAC,CAAC;QAC1B,QAAQ,CAAC,KAAK,EAAE,CAAC;QACjB,UAAU,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE;YACpC,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC5B,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IAEtE,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,sBAAsB,OAAO,oDAAoD,SAAS,IAAI;QAC5F,oDAAoD,SAAS,QAAQ;QACrE,oDAAoD,SAAS,WAAW;QACxE,mBAAmB,oBAAoB,IAAI,CAC9C,CAAC;IAEF,OAAO,SAAS,CAAC;AACnB,CAAC;AAKD,oEAAoE;AACpE,MAAM,CAAC,MAAM,KAAK,GAAG;IACnB,QAAQ;IACR,UAAU;IACV,kBAAkB;IAClB,eAAe;IACf,eAAe;IACf,cAAc;IACd,YAAY;IACZ,oBAAoB;CACZ,CAAC"}

package/dist/mcp/streamable-http/session.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Streamable HTTP session + request helpers.
+ *
+ * Owns the module-level `sessions` / `asyncTasks` maps, the helpers that
+ * every POST/DELETE handler shares (CORS, body reading, JSON response),
+ * and origin validation. Kept in a single file so `handle-post.ts` and
+ * `index.ts` can both import from the same SSOT without circular deps.
+ */
+import type { IncomingMessage, ServerResponse } from "node:http";
+export interface JsonRpcRequest {
+    jsonrpc: "2.0";
+    id?: number | string | null;
+    method: string;
+    params?: Record<string, unknown>;
+}
+export interface JsonRpcResponse {
+    jsonrpc: "2.0";
+    id: number | string | null;
+    result?: unknown;
+    error?: {
+        code: number;
+        message: string;
+        data?: unknown;
+    };
+}
+/**
+ * Handler returns `undefined` for JSON-RPC notifications (no `id`). The
+ * widened type (P3 MN1 closeout) matches how `buildHandler` in
+ * `../handler.ts` produces the handler — sync OR async returns are both
+ * legal, `undefined` represents "no response", and the transport awaits
+ * uniformly so the cast-adapt in server.ts is no longer required.
+ */
+export type Handler = (req: JsonRpcRequest) => JsonRpcResponse | undefined | Promise<JsonRpcResponse | undefined>;
+export interface Session {
+    created: number;
+    lastSeen: number;
+    protocolVersion: string;
+}
+export interface AsyncTask {
+    id: string;
+    sessionId: string;
+    status: "running" | "completed" | "failed" | "cancelled";
+    progress?: {
+        current: number;
+        total: number;
+        message?: string;
+    };
+    result?: JsonRpcResponse;
+    error?: string;
+    created: number;
+}
+export interface StreamableHttpOptions {
+    auth?: boolean;
+}
+export declare const MAX_BODY = 1048576;
+export declare const SESSION_TTL_MS = 3600000;
+export declare const PRUNE_INTERVAL_MS = 300000;
+export declare const HEARTBEAT_MS = 30000;
+export declare const ALLOWED_ORIGINS: Set<string>;
+export declare const MAX_SESSIONS = 100;
+export declare const MAX_ASYNC_TASKS = 200;
+/**
+ * Methods that may produce long-running responses — served as SSE when
+ * the client accepts text/event-stream.
+ */
+export declare const STREAMING_METHODS: Set<string>;
+export declare const sessions: Map<string, Session>;
+export declare const asyncTasks: Map<string, AsyncTask>;
+/** CORS headers injected into every response. Uses validated origin, not wildcard. */
+export declare function corsHeaders(req?: IncomingMessage): Record<string, string>;
+/**
+ * Emit a JSON-serializable body with the standard response headers.
+ * Accepts `JsonRpcResponse` or any `Record<string, unknown>` so call sites
+ * can hand over typed responses without `as unknown as Record<…>` casts.
+ */
+export declare function jsonResponse(res: ServerResponse, status: number, body: JsonRpcResponse | Record<string, unknown>, extraHeaders?: Record<string, string>, req?: IncomingMessage): void;
+export declare function readBody(req: IncomingMessage): Promise<string>;
+export declare function pruneStaleSessions(): void;
+/**
+ * Validate Origin header for DNS rebinding protection.
+ * Allow requests with no Origin (non-browser clients) or from localhost.
+ */
+export declare function isOriginAllowed(req: IncomingMessage): boolean;
+export declare function clientAcceptsSSE(req: IncomingMessage): boolean;
+//# sourceMappingURL=session.d.ts.map

package/dist/mcp/streamable-http/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../../src/mcp/streamable-http/session.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAIjE,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,KAAK,CAAC;IACf,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,KAAK,CAAC;IACf,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC3B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;CAC3D;AAED;;;;;;GAMG;AACH,MAAM,MAAM,OAAO,GAAG,CACpB,GAAG,EAAE,cAAc,KAChB,eAAe,GAAG,SAAS,GAAG,OAAO,CAAC,eAAe,GAAG,SAAS,CAAC,CAAC;AAExE,MAAM,WAAW,OAAO;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,QAAQ,GAAG,WAAW,CAAC;IACzD,QAAQ,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAChE,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAID,eAAO,MAAM,QAAQ,UAAY,CAAC;AAClC,eAAO,MAAM,cAAc,UAAY,CAAC;AACxC,eAAO,MAAM,iBAAiB,SAAU,CAAC;AACzC,eAAO,MAAM,YAAY,QAAS,CAAC;AACnC,eAAO,MAAM,eAAe,aAG1B,CAAC;AACH,eAAO,MAAM,YAAY,MAAM,CAAC;AAChC,eAAO,MAAM,eAAe,MAAM,CAAC;AAEnC;;;GAGG;AACH,eAAO,MAAM,iBAAiB,aAA0B,CAAC;AAIzD,eAAO,MAAM,QAAQ,sBAA6B,CAAC;AACnD,eAAO,MAAM,UAAU,wBAA+B,CAAC;AAIvD,sFAAsF;AACtF,wBAAgB,WAAW,CAAC,GAAG,CAAC,EAAE,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAOzE;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAC1B,GAAG,EAAE,cAAc,EACnB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/C,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACrC,GAAG,CAAC,EAAE,eAAe,GACpB,IAAI,CAQN;AAED,wBAAgB,QAAQ,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAgB9D;AAED,wBAAgB,kBAAkB,IAAI,IAAI,CAQzC;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAa7D;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAG9D"}

package/dist/mcp/streamable-http/session.js

@@ -0,0 +1,104 @@
+/**
+ * Streamable HTTP session + request helpers.
+ *
+ * Owns the module-level `sessions` / `asyncTasks` maps, the helpers that
+ * every POST/DELETE handler shares (CORS, body reading, JSON response),
+ * and origin validation. Kept in a single file so `handle-post.ts` and
+ * `index.ts` can both import from the same SSOT without circular deps.
+ */
+// ── Constants ──────────────────────────────────────────────────────────────
+export const MAX_BODY = 1_048_576; // 1 MB
+export const SESSION_TTL_MS = 3_600_000; // 1 hour
+export const PRUNE_INTERVAL_MS = 300_000; // 5 minutes
+export const HEARTBEAT_MS = 30_000;
+export const ALLOWED_ORIGINS = new Set([
+    "http://localhost",
+    "http://127.0.0.1",
+]);
+export const MAX_SESSIONS = 100;
+export const MAX_ASYNC_TASKS = 200;
+/**
+ * Methods that may produce long-running responses — served as SSE when
+ * the client accepts text/event-stream.
+ */
+export const STREAMING_METHODS = new Set(["tools/call"]);
+// ── Module state ───────────────────────────────────────────────────────────
+export const sessions = new Map();
+export const asyncTasks = new Map();
+// ── Helpers ────────────────────────────────────────────────────────────────
+/** CORS headers injected into every response. Uses validated origin, not wildcard. */
+export function corsHeaders(req) {
+    const origin = req?.headers?.origin;
+    const allowed = origin && isOriginAllowed(req) ? origin : "http://localhost";
+    return {
+        "Access-Control-Allow-Origin": allowed,
+        "Access-Control-Expose-Headers": "MCP-Session-Id, MCP-Protocol-Version",
+    };
+}
+/**
+ * Emit a JSON-serializable body with the standard response headers.
+ * Accepts `JsonRpcResponse` or any `Record<string, unknown>` so call sites
+ * can hand over typed responses without `as unknown as Record<…>` casts.
+ */
+export function jsonResponse(res, status, body, extraHeaders, req) {
+    res.writeHead(status, {
+        "Content-Type": "application/json",
+        "Cache-Control": "no-store",
+        ...corsHeaders(req),
+        ...extraHeaders,
+    });
+    res.end(JSON.stringify(body));
+}
+export function readBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let size = 0;
+        req.on("data", (chunk) => {
+            size += chunk.length;
+            if (size > MAX_BODY) {
+                req.destroy();
+                reject(new Error("Request too large"));
+                return;
+            }
+            chunks.push(chunk);
+        });
+        req.on("end", () => resolve(Buffer.concat(chunks).toString("utf-8")));
+        req.on("error", reject);
+    });
+}
+export function pruneStaleSessions() {
+    const cutoff = Date.now() - SESSION_TTL_MS;
+    for (const [id, session] of sessions) {
+        if (session.lastSeen < cutoff)
+            sessions.delete(id);
+    }
+    for (const [id, task] of asyncTasks) {
+        if (task.created < cutoff)
+            asyncTasks.delete(id);
+    }
+}
+/**
+ * Validate Origin header for DNS rebinding protection.
+ * Allow requests with no Origin (non-browser clients) or from localhost.
+ */
+export function isOriginAllowed(req) {
+    const origin = req.headers.origin;
+    if (!origin)
+        return true; // Non-browser clients omit Origin
+    // Accept any localhost origin regardless of port
+    try {
+        const url = new URL(origin);
+        if (url.hostname === "localhost" || url.hostname === "127.0.0.1") {
+            return true;
+        }
+    }
+    catch {
+        // Malformed origin — reject
+    }
+    return ALLOWED_ORIGINS.has(origin);
+}
+export function clientAcceptsSSE(req) {
+    const accept = req.headers.accept ?? "";
+    return accept.includes("text/event-stream");
+}
+//# sourceMappingURL=session.js.map

package/dist/mcp/streamable-http/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../../src/mcp/streamable-http/session.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAmDH,8EAA8E;AAE9E,MAAM,CAAC,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,OAAO;AAC1C,MAAM,CAAC,MAAM,cAAc,GAAG,SAAS,CAAC,CAAC,SAAS;AAClD,MAAM,CAAC,MAAM,iBAAiB,GAAG,OAAO,CAAC,CAAC,YAAY;AACtD,MAAM,CAAC,MAAM,YAAY,GAAG,MAAM,CAAC;AACnC,MAAM,CAAC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IACrC,kBAAkB;IAClB,kBAAkB;CACnB,CAAC,CAAC;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,GAAG,CAAC;AAChC,MAAM,CAAC,MAAM,eAAe,GAAG,GAAG,CAAC;AAEnC;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;AAEzD,8EAA8E;AAE9E,MAAM,CAAC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAmB,CAAC;AACnD,MAAM,CAAC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAqB,CAAC;AAEvD,8EAA8E;AAE9E,sFAAsF;AACtF,MAAM,UAAU,WAAW,CAAC,GAAqB;IAC/C,MAAM,MAAM,GAAG,GAAG,EAAE,OAAO,EAAE,MAAM,CAAC;IACpC,MAAM,OAAO,GAAG,MAAM,IAAI,eAAe,CAAC,GAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC;IAC9E,OAAO;QACL,6BAA6B,EAAE,OAAO;QACtC,+BAA+B,EAAE,sCAAsC;KACxE,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAC1B,GAAmB,EACnB,MAAc,EACd,IAA+C,EAC/C,YAAqC,EACrC,GAAqB;IAErB,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE;QACpB,cAAc,EAAE,kBAAkB;QAClC,eAAe,EAAE,UAAU;QAC3B,GAAG,WAAW,CAAC,GAAG,CAAC;QACnB,GAAG,YAAY;KAChB,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,GAAoB;IAC3C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,IAAI,GAAG,CAAC,CAAC;QACb,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC;YACrB,IAAI,IAAI,GAAG,QAAQ,EAAE,CAAC;gBACpB,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC,CAAC;gBACvC,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACtE,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC;IAC3C,KAAK,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,QAAQ,EAAE,CAAC;QACrC,IAAI,OAAO,CAAC,QAAQ,GAAG,MAAM;YAAE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACrD,CAAC;IACD,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,UAAU,EAAE,CAAC;QACpC,IAAI,IAAI,CAAC,OAAO,GAAG,MAAM;YAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACnD,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAoB;IAClD,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;IAClC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC,CAAC,kCAAkC;IAC5D,iDAAiD;IACjD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5B,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,4BAA4B;IAC9B,CAAC;IACD,OAAO,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAoB;IACnD,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;IACxC,OAAO,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;AAC9C,CAAC"}

package/dist/mcp/streamable-http.d.ts

@@ -1,89 +1,11 @@
 /**
- * Streamable HTTP transport for the MCP server (spec 2025-11-25).
+ * Streamable HTTP transport — compatibility re-export shim.
  *
- * Endpoints:
- *   GET  /mcp  — server capabilities and supported protocol version
- *   POST /mcp  — JSON-RPC request (response as JSON or SSE per Accept header)
- *   DELETE /mcp — terminate session (requires MCP-Session-Id)
- *   GET /health — server status + active session count
- *
- * Session management via MCP-Session-Id header.
- * MCP-Protocol-Version header enforced post-initialization.
- * CORS headers on all responses (not just OPTIONS preflight).
- *
- * Event ID / Last-Event-ID (spec 2025-11-25 §5.3 SSE resumability):
- *   - Every SSE event carries an `id:` line.
- *   - On POST requests with Accept: text/event-stream, the server reads
- *     the `Last-Event-ID` header and logs it so future replay work can
- *     plug into the same path. Full replay lands in v0.213 once the
- *     server maintains a persistent per-session event buffer — today
- *     the current single-response SSE path terminates after one event,
- *     so there is nothing to replay, but a compliant client can still
- *     include the header without breaking.
- *
- * Zero external dependencies — Node.js http + crypto only.
- */
-import { type IncomingMessage } from "node:http";
-interface JsonRpcRequest {
-    jsonrpc: "2.0";
-    id?: number | string | null;
-    method: string;
-    params?: Record<string, unknown>;
-}
-interface JsonRpcResponse {
-    jsonrpc: "2.0";
-    id: number | string | null;
-    result?: unknown;
-    error?: {
-        code: number;
-        message: string;
-        data?: unknown;
-    };
-}
-type Handler = (req: JsonRpcRequest) => JsonRpcResponse | Promise<JsonRpcResponse>;
-interface Session {
-    created: number;
-    lastSeen: number;
-    protocolVersion: string;
-}
-interface AsyncTask {
-    id: string;
-    sessionId: string;
-    status: "running" | "completed" | "failed" | "cancelled";
-    progress?: {
-        current: number;
-        total: number;
-        message?: string;
-    };
-    result?: JsonRpcResponse;
-    error?: string;
-    created: number;
-}
-interface StreamableHttpOptions {
-    auth?: boolean;
-}
-declare function pruneStaleSessions(): void;
-/**
- * Validate Origin header for DNS rebinding protection.
- * Allow requests with no Origin (non-browser clients) or from localhost.
- */
-declare function isOriginAllowed(req: IncomingMessage): boolean;
-/**
- * Start the MCP Streamable HTTP transport server (spec 2025-11-25).
- *
- * GET /mcp returns server capabilities. POST /mcp handles JSON-RPC.
- * DELETE /mcp terminates sessions. GET /health returns server info.
+ * v0.213.3 P3 split the transport into `streamable-http/{session,
+ * handle-post, index}.ts`. This file preserves the old import path
+ * (`./streamable-http.js`) so existing tests and external consumers
+ * keep working without churn. All logic lives in `streamable-http/`.
  */
-export declare function startStreamableHttp(port: number, handler: Handler, options?: StreamableHttpOptions): Promise<number>;
-export declare const _test: {
-    readonly sessions: Map<string, Session>;
-    readonly asyncTasks: Map<string, AsyncTask>;
-    readonly pruneStaleSessions: typeof pruneStaleSessions;
-    readonly isOriginAllowed: typeof isOriginAllowed;
-    readonly ALLOWED_ORIGINS: Set<string>;
-    readonly SESSION_TTL_MS: 3600000;
-    readonly HEARTBEAT_MS: 30000;
-    readonly MCP_PROTOCOL_VERSION: "2025-11-25";
-};
-export {};
+export { startStreamableHttp, _test } from "./streamable-http/index.js";
+export type { Handler, StreamableHttpOptions, } from "./streamable-http/session.js";
 //# sourceMappingURL=streamable-http.d.ts.map

package/dist/mcp/streamable-http.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"streamable-http.d.ts","sourceRoot":"","sources":["../../src/mcp/streamable-http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAGH,OAAO,EAEL,KAAK,eAAe,EAErB,MAAM,WAAW,CAAC;AAMnB,UAAU,cAAc;IACtB,OAAO,EAAE,KAAK,CAAC;IACf,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,UAAU,eAAe;IACvB,OAAO,EAAE,KAAK,CAAC;IACf,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC3B,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;CAC3D;AAED,KAAK,OAAO,GAAG,CACb,GAAG,EAAE,cAAc,KAChB,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;AAEhD,UAAU,OAAO;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,UAAU,SAAS;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,QAAQ,GAAG,WAAW,CAAC;IACzD,QAAQ,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAChE,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,UAAU,qBAAqB;IAC7B,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAkED,iBAAS,kBAAkB,IAAI,IAAI,CAQlC;AAED;;;GAGG;AACH,iBAAS,eAAe,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAatD;AA8bD;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,OAAO,EAChB,OAAO,CAAC,EAAE,qBAAqB,GAC9B,OAAO,CAAC,MAAM,CAAC,CA8GjB;AAGD,eAAO,MAAM,KAAK;;;;;;;;;CASR,CAAC"}
+{"version":3,"file":"streamable-http.d.ts","sourceRoot":"","sources":["../../src/mcp/streamable-http.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,4BAA4B,CAAC;AACxE,YAAY,EACV,OAAO,EACP,qBAAqB,GACtB,MAAM,8BAA8B,CAAC"}