agents 0.13.3 → 0.14.1

package/dist/{client-D1kFXo80.js → client-FUizKzj2.js}

@@ -7,7 +7,7 @@ import { z } from "zod";
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
-import { ElicitRequestSchema, JSONRPCMessageSchema, PromptListChangedNotificationSchema, ResourceListChangedNotificationSchema, ToolListChangedNotificationSchema } from "@modelcontextprotocol/sdk/types.js";
+import { ElicitRequestSchema, JSONRPCMessageSchema, PromptListChangedNotificationSchema, ResourceListChangedNotificationSchema, ToolListChangedNotificationSchema, isJSONRPCErrorResponse, isJSONRPCResultResponse } from "@modelcontextprotocol/sdk/types.js";
 //#region src/core/events.ts
 function toDisposable(fn) {
 	return { dispose: fn };
@@ -121,8 +121,8 @@ var RPCClientTransport = class {
 var RPCServerTransport = class {
 	constructor(options) {
 		this._started = false;
-		this._pendingResponse = null;
-		this._responseResolver = null;
+		this._pendingRequests = /* @__PURE__ */ new Map();
+		this._pendingContinuations = [];
 		this._timeout = options?.timeout ?? 6e4;
 	}
 	setProtocolVersion(version) {
@@ -138,109 +138,146 @@ var RPCServerTransport = class {
 	async close() {
 		this._started = false;
 		this.onclose?.();
-		if (this._responseResolver) {
-			this._responseResolver();
-			this._responseResolver = null;
+		const error = /* @__PURE__ */ new Error("Transport closed");
+		for (const pending of this._pendingRequests.values()) {
+			clearTimeout(pending.timeoutId);
+			pending.reject(error);
 		}
+		this._pendingRequests.clear();
+		for (const pending of this._pendingContinuations) {
+			clearTimeout(pending.timeoutId);
+			pending.reject(error);
+		}
+		this._pendingContinuations = [];
+	}
+	_makeTimeout(onTimeout) {
+		return setTimeout(onTimeout, this._timeout);
+	}
+	_appendPending(pending, message) {
+		pending.messages.push(message);
+	}
+	_completePending(pending, message) {
+		pending.messages.push(message);
+		clearTimeout(pending.timeoutId);
+		const messages = pending.messages;
+		queueMicrotask(() => {
+			pending.resolve(messages.length === 1 ? messages[0] : messages);
+		});
+	}
+	_completeRequest(key, message) {
+		const pending = this._pendingRequests.get(key);
+		if (!pending) return false;
+		this._pendingRequests.delete(key);
+		this._completePending(pending, message);
+		return true;
+	}
+	_appendRequest(key, message) {
+		const pending = this._pendingRequests.get(key);
+		if (!pending) return false;
+		this._appendPending(pending, message);
+		return true;
 	}
-	async send(message, _options) {
+	_completeContinuation(message) {
+		const pending = this._pendingContinuations.shift();
+		if (!pending) return false;
+		this._completePending(pending, message);
+		return true;
+	}
+	_appendContinuation(message) {
+		const pending = this._pendingContinuations[0];
+		if (!pending) return false;
+		this._appendPending(pending, message);
+		return true;
+	}
+	async send(message, options) {
 		if (!this._started) throw new Error("Transport not started");
-		if (!this._pendingResponse) this._pendingResponse = message;
-		else if (Array.isArray(this._pendingResponse)) this._pendingResponse.push(message);
-		else this._pendingResponse = [this._pendingResponse, message];
-		if (this._responseResolver) {
-			const resolver = this._responseResolver;
-			queueMicrotask(() => resolver());
+		if (isJSONRPCResultResponse(message) || isJSONRPCErrorResponse(message)) {
+			const id = message.id;
+			if (id === void 0) {
+				this.onerror?.(/* @__PURE__ */ new Error(`RPC response missing id: ${JSON.stringify(message)}`));
+				return;
+			}
+			if (this._completeRequest(id.toString(), message)) return;
+			if (this._completeContinuation(message)) return;
+			this.onerror?.(/* @__PURE__ */ new Error(`No pending RPC request found for response: ${JSON.stringify(message)}`));
+			return;
+		}
+		const relatedRequestId = options?.relatedRequestId?.toString();
+		const expectsResponse = "id" in message;
+		if (relatedRequestId) {
+			if (expectsResponse) {
+				if (this._completeRequest(relatedRequestId, message)) return;
+			} else if (this._appendRequest(relatedRequestId, message)) return;
 		}
+		if (expectsResponse) {
+			if (this._completeContinuation(message)) return;
+		} else if (this._appendContinuation(message)) return;
+		this.onerror?.(/* @__PURE__ */ new Error(`No pending RPC request found for message: ${JSON.stringify(message)}`));
 	}
 	/**
 	* @internal Called by McpAgent.handleMcpMessage() — not for external use.
 	*
-	* Wait for the next send() call and return whatever it produces.
+	* Wait for the next unmatched send() call that expects a client response or
+	* completes a resumed tool call.
 	*
-	* Used after resolving an elicitation response: the tool handler is still
-	* running and will eventually call send() with either another elicitation
-	* request or the final tool result. This method captures that send() using
-	* the same _responseResolver / _pendingResponse / timeout mechanism as
-	* handle().
+	* Used after resolving an elicitation response: the original tool call has
+	* already returned the elicitation request to the RPC client, and the resumed
+	* tool handler will eventually send the final tool result. That final response
+	* has the original tool request id, so there is no active handle() waiter left
+	* for id-based routing; this continuation waiter receives it instead.
 	*/
 	async _awaitPendingResponse() {
 		if (!this._started) throw new Error("Transport not started");
-		this._pendingResponse = null;
-		let timeoutId = null;
-		const responsePromise = new Promise((resolve, reject) => {
-			timeoutId = setTimeout(() => {
-				this._responseResolver = null;
-				reject(/* @__PURE__ */ new Error(`Request timeout: No response received within ${this._timeout}ms`));
-			}, this._timeout);
-			this._responseResolver = () => {
-				if (timeoutId) {
-					clearTimeout(timeoutId);
-					timeoutId = null;
-				}
-				this._responseResolver = null;
-				resolve();
+		return await new Promise((resolve, reject) => {
+			const pending = {
+				messages: [],
+				resolve,
+				reject,
+				timeoutId: this._makeTimeout(() => {
+					const index = this._pendingContinuations.indexOf(pending);
+					if (index !== -1) this._pendingContinuations.splice(index, 1);
+					reject(/* @__PURE__ */ new Error(`Request timeout: No response received within ${this._timeout}ms`));
+				})
 			};
+			this._pendingContinuations.push(pending);
 		});
-		try {
-			await responsePromise;
-		} catch (error) {
-			this._pendingResponse = null;
-			this._responseResolver = null;
-			throw error;
-		}
-		const response = this._pendingResponse;
-		this._pendingResponse = null;
-		return response ?? void 0;
 	}
 	async handle(message) {
 		if (!this._started) throw new Error("Transport not started");
 		if (Array.isArray(message)) {
 			validateBatch(message);
-			const responses = [];
-			for (const msg of message) {
-				const response = await this.handle(msg);
-				if (response !== void 0) if (Array.isArray(response)) responses.push(...response);
-				else responses.push(response);
-			}
-			return responses.length === 0 ? void 0 : responses;
+			const flattened = (await Promise.all(message.map((msg) => this.handle(msg)))).flatMap((response) => {
+				if (response === void 0) return [];
+				return Array.isArray(response) ? response : [response];
+			});
+			return flattened.length === 0 ? void 0 : flattened;
 		}
 		try {
 			JSONRPCMessageSchema.parse(message);
 		} catch {
 			return makeInvalidRequestError(typeof message === "object" && message !== null && "id" in message ? message.id : null);
 		}
-		this._pendingResponse = null;
 		if (!("id" in message)) {
 			this.onmessage?.(message);
 			return;
 		}
-		let timeoutId = null;
+		const id = message.id?.toString();
+		if (!id) return makeInvalidRequestError(message.id);
+		if (this._pendingRequests.has(id)) throw new Error(`Duplicate pending RPC request id: ${id}`);
 		const responsePromise = new Promise((resolve, reject) => {
-			timeoutId = setTimeout(() => {
-				this._responseResolver = null;
-				reject(/* @__PURE__ */ new Error(`Request timeout: No response received within ${this._timeout}ms`));
-			}, this._timeout);
-			this._responseResolver = () => {
-				if (timeoutId) {
-					clearTimeout(timeoutId);
-					timeoutId = null;
-				}
-				this._responseResolver = null;
-				resolve();
+			const pending = {
+				messages: [],
+				resolve,
+				reject,
+				timeoutId: this._makeTimeout(() => {
+					this._pendingRequests.delete(id);
+					reject(/* @__PURE__ */ new Error(`Request timeout: No response received within ${this._timeout}ms`));
+				})
 			};
+			this._pendingRequests.set(id, pending);
 		});
 		this.onmessage?.(message);
-		try {
-			await responsePromise;
-		} catch (error) {
-			this._pendingResponse = null;
-			this._responseResolver = null;
-			throw error;
-		}
-		const response = this._pendingResponse;
-		this._pendingResponse = null;
-		return response ?? void 0;
+		return await responsePromise;
 	}
 };
 //#endregion
@@ -364,11 +401,12 @@ var MCPClientConnection = class {
 	/**
 	* Complete OAuth authorization
 	*/
-	async completeAuthorization(code) {
-		if (this.connectionState !== MCPConnectionState.AUTHENTICATING) throw new Error("Connection must be in authenticating state to complete authorization");
+	async completeAuthorization(code, options = {}) {
+		const expectedState = options.alreadyAccepted ? MCPConnectionState.CONNECTING : MCPConnectionState.AUTHENTICATING;
+		if (this.connectionState !== expectedState) throw new Error(`Connection must be in ${expectedState} state to complete authorization`);
+		if (!options.alreadyAccepted) this.connectionState = MCPConnectionState.CONNECTING;
 		try {
 			await this.finishAuthProbe(code);
-			this.connectionState = MCPConnectionState.CONNECTING;
 		} catch (error) {
 			this.connectionState = MCPConnectionState.FAILED;
 			throw error;
@@ -711,6 +749,37 @@ var MCPClientConnection = class {
 //#endregion
 //#region src/mcp/client.ts
 const defaultClientOptions = { jsonSchemaValidator: new CfWorkerJsonSchemaValidator() };
+/** Maximum length of a normalized MCP server id. */
+const MCP_SERVER_ID_MAX_LENGTH = 64;
+/**
+* Normalize a caller-supplied MCP server id into a stable, storage- and
+* tool-name-safe form.
+*
+* The id is surfaced in several places where the character set matters:
+*  - as the primary key in the `cf_agents_mcp_servers` SQLite table
+*  - embedded in AI SDK tool names as `` `tool_${id.replace(/-/g, "")}_${tool}` ``
+*    (tool names must match `/^[A-Za-z0-9_]+$/`)
+*  - as a key on the `mcpConnections` map and OAuth provider storage
+*
+* Rules:
+*  1. Lowercase.
+*  2. Replace any run of disallowed characters with a single `-`.
+*  3. Collapse repeated `-` and trim leading/trailing `-`/`_`.
+*  4. Prefix with `id-` if the result is empty or doesn't start with a letter.
+*  5. Truncate to {@link MCP_SERVER_ID_MAX_LENGTH} characters.
+*
+* @example
+* normalizeServerId("my-supplied-id");  // "my-supplied-id"
+* normalizeServerId("GitHub MCP!");     // "github-mcp"
+* normalizeServerId("42-things");       // "id-42-things"
+*/
+function normalizeServerId(input) {
+	if (typeof input !== "string") throw new TypeError(`normalizeServerId: expected string, got ${typeof input}`);
+	let id = input.toLowerCase().replace(/[^a-z0-9_-]+/g, "-").replace(/-+/g, "-").replace(/^[-_]+|[-_]+$/g, "");
+	if (id.length === 0 || !/^[a-z]/.test(id)) id = `id-${id}`.replace(/-+$/g, "");
+	if (id.length > 64) id = id.slice(0, 64).replace(/-+$/g, "");
+	return id;
+}
 /**
 * Blocked hostname patterns for SSRF protection.
 * Prevents MCP client from connecting to internal/private network addresses
@@ -838,6 +907,69 @@ var MCPClientManager = class {
 	removeServerFromStorage(serverId) {
 		this.sql("DELETE FROM cf_agents_mcp_servers WHERE id = ?", serverId);
 	}
+	/**
+	* Rename a server's id, in-place, across every place the id is used as a
+	* key. Used to JIT-migrate servers that were originally registered under an
+	* auto-generated nanoid to a caller-supplied stable id (see
+	* `Agent.addMcpServer`'s `{ id }` option).
+	*
+	* Migrates:
+	*  - the `cf_agents_mcp_servers` row (primary key)
+	*  - the in-memory `mcpConnections` map key
+	*  - the connection disposables map key
+	*  - the attached `authProvider.serverId`, if any
+	*  - OAuth-related storage keys under `/{clientName}/{oldId}/...`
+	*
+	* Safe to call when no OAuth keys exist (RPC / bearer-token HTTP servers).
+	* If `oldId === newId` this is a no-op. If a row already exists under
+	* `newId`, throws — the caller is expected to have verified uniqueness.
+	*
+	* @internal Exposed for `Agent.addMcpServer` JIT-migration.
+	*/
+	async migrateServerId(oldId, newId, clientName) {
+		if (oldId === newId) return;
+		if (this.sql("SELECT id FROM cf_agents_mcp_servers WHERE id = ?", oldId).length === 0) {
+			this._renameInMemoryConnection(oldId, newId);
+			return;
+		}
+		if (this.sql("SELECT id FROM cf_agents_mcp_servers WHERE id = ?", newId).length > 0) throw new Error(`Cannot migrate MCP server id "${oldId}" → "${newId}": new id is already in use.`);
+		this.sql("UPDATE cf_agents_mcp_servers SET id = ? WHERE id = ?", newId, oldId);
+		const oldPrefix = `/${clientName}/${oldId}/`;
+		const newPrefix = `/${clientName}/${newId}/`;
+		try {
+			const keys = await this._storage.list({ prefix: oldPrefix });
+			if (keys.size > 0) {
+				const writes = {};
+				const deletes = [];
+				for (const [oldKey, value] of keys) {
+					const newKey = newPrefix + oldKey.slice(oldPrefix.length);
+					writes[newKey] = value;
+					deletes.push(oldKey);
+				}
+				await this._storage.put(writes);
+				await this._storage.delete(deletes);
+			}
+		} catch (error) {
+			console.warn(`[MCPClientManager] OAuth key migration ${oldPrefix} → ${newPrefix} failed:`, error);
+		}
+		this._renameInMemoryConnection(oldId, newId);
+		this._onServerStateChanged.fire();
+	}
+	_renameInMemoryConnection(oldId, newId) {
+		if (oldId === newId) return;
+		const conn = this.mcpConnections[oldId];
+		if (conn) {
+			this.mcpConnections[newId] = conn;
+			delete this.mcpConnections[oldId];
+			const authProvider = conn.options.transport.authProvider;
+			if (authProvider) authProvider.serverId = newId;
+		}
+		const disposables = this._connectionDisposables.get(oldId);
+		if (disposables) {
+			this._connectionDisposables.set(newId, disposables);
+			this._connectionDisposables.delete(oldId);
+		}
+	}
 	getServersFromStorage() {
 		return this.sql("SELECT id, name, server_url, client_id, auth_url, callback_url, server_options FROM cf_agents_mcp_servers");
 	}
@@ -900,6 +1032,54 @@ var MCPClientManager = class {
 			authError: error
 		};
 	}
+	isAuthAcceptedConnection(conn) {
+		return conn.connectionState === MCPConnectionState.READY || conn.connectionState === MCPConnectionState.CONNECTED || conn.connectionState === MCPConnectionState.CONNECTING || conn.connectionState === MCPConnectionState.DISCOVERING;
+	}
+	oauthCallbackSuccess(serverId, conn) {
+		this.clearServerAuthUrl(serverId);
+		conn.connectionError = null;
+		return {
+			serverId,
+			authSuccess: true
+		};
+	}
+	async runWithCodeVerifierState(authProvider, state, callback) {
+		if (authProvider.runWithCodeVerifierState) return authProvider.runWithCodeVerifierState(state, callback);
+		return callback();
+	}
+	async consumeStaleOAuthState(serverId, authProvider, state) {
+		try {
+			const stateValidation = await authProvider.checkState(state);
+			if (!stateValidation.valid) {
+				console.warn(`[MCPClientManager] Ignoring stale OAuth callback with invalid state for server "${serverId}": ${stateValidation.error ?? "Invalid state"}`);
+				return;
+			}
+			await authProvider.consumeState(state);
+		} catch (cleanupError) {
+			console.warn(`[MCPClientManager] Failed to clean up stale OAuth callback state for server "${serverId}":`, cleanupError);
+		}
+	}
+	async completeAuthorizationAndCleanupVerifier(serverId, conn, authProvider, state, code) {
+		await this.runWithCodeVerifierState(authProvider, state, async () => {
+			let completeError;
+			let cleanupError;
+			try {
+				await conn.completeAuthorization(code, { alreadyAccepted: true });
+			} catch (error) {
+				completeError = error;
+			}
+			try {
+				await authProvider.deleteCodeVerifier();
+			} catch (deleteError) {
+				cleanupError = deleteError;
+			}
+			if (completeError) {
+				if (cleanupError) console.warn(`[MCPClientManager] Failed to clean up OAuth code verifier for server "${serverId}":`, cleanupError);
+				throw completeError;
+			}
+			if (cleanupError) throw cleanupError;
+		});
+	}
 	/**
 	* Create an auth provider for a server
 	* @internal
@@ -1082,7 +1262,19 @@ var MCPClientManager = class {
 		}
 		await this.mcpConnections[id].init();
 		if (options.reconnect?.oauthCode) try {
-			await this.mcpConnections[id].completeAuthorization(options.reconnect.oauthCode);
+			const authProvider = this.mcpConnections[id].options.transport.authProvider;
+			let completeError;
+			try {
+				await this.mcpConnections[id].completeAuthorization(options.reconnect.oauthCode);
+			} catch (error) {
+				completeError = error;
+			}
+			try {
+				await authProvider?.deleteCodeVerifier();
+			} catch (cleanupError) {
+				console.warn(`[MCPClientManager] Failed to clean up OAuth code verifier for server "${id}":`, cleanupError);
+			}
+			if (completeError) throw completeError;
 			await this.mcpConnections[id].init();
 		} catch (error) {
 			this._onObservabilityEvent.fire({
@@ -1273,11 +1465,13 @@ var MCPClientManager = class {
 		};
 		if (error) return {
 			serverId,
+			state,
 			valid: false,
 			error: errorDescription || error
 		};
 		if (!code) return {
 			serverId,
+			state,
 			valid: false,
 			error: "Unauthorized: no code provided"
 		};
@@ -1301,7 +1495,18 @@ var MCPClientManager = class {
 	async handleCallbackRequest(req) {
 		const validation = this.validateCallbackRequest(req);
 		if (!validation.valid) {
-			if (validation.serverId && this.mcpConnections[validation.serverId]) return this.failConnection(validation.serverId, validation.error);
+			const conn = validation.serverId ? this.mcpConnections[validation.serverId] : void 0;
+			if (validation.serverId && conn) {
+				if (this.isAuthAcceptedConnection(conn)) {
+					const authProvider = conn.options.transport.authProvider;
+					if (validation.state && authProvider) {
+						authProvider.serverId = validation.serverId;
+						await this.consumeStaleOAuthState(validation.serverId, authProvider, validation.state);
+					}
+					return this.oauthCallbackSuccess(validation.serverId, conn);
+				}
+				return this.failConnection(validation.serverId, validation.error);
+			}
 			return {
 				serverId: validation.serverId,
 				authSuccess: false,
@@ -1315,26 +1520,25 @@ var MCPClientManager = class {
 			const authProvider = conn.options.transport.authProvider;
 			authProvider.serverId = serverId;
 			const stateValidation = await authProvider.checkState(state);
-			if (!stateValidation.valid) throw new Error(stateValidation.error || "Invalid state");
-			if (conn.connectionState === MCPConnectionState.READY || conn.connectionState === MCPConnectionState.CONNECTED) {
-				this.clearServerAuthUrl(serverId);
-				return {
-					serverId,
-					authSuccess: true
-				};
+			if (!stateValidation.valid) {
+				if (this.isAuthAcceptedConnection(conn)) {
+					await this.consumeStaleOAuthState(serverId, authProvider, state);
+					return this.oauthCallbackSuccess(serverId, conn);
+				}
+				throw new Error(stateValidation.error || "Invalid state");
+			}
+			if (this.isAuthAcceptedConnection(conn)) {
+				await this.consumeStaleOAuthState(serverId, authProvider, state);
+				return this.oauthCallbackSuccess(serverId, conn);
 			}
 			if (conn.connectionState !== MCPConnectionState.AUTHENTICATING) throw new Error(`Failed to authenticate: the client is in "${conn.connectionState}" state, expected "authenticating"`);
+			conn.connectionState = MCPConnectionState.CONNECTING;
 			await authProvider.consumeState(state);
-			await conn.completeAuthorization(code);
+			await this.completeAuthorizationAndCleanupVerifier(serverId, conn, authProvider, state, code);
 			this.updateStoredSessionId(serverId, conn.sessionId);
-			await authProvider.deleteCodeVerifier();
-			this.clearServerAuthUrl(serverId);
-			conn.connectionError = null;
+			const result = this.oauthCallbackSuccess(serverId, conn);
 			this._onServerStateChanged.fire();
-			return {
-				serverId,
-				authSuccess: true
-			};
+			return result;
 		} catch (err) {
 			const message = err instanceof Error ? err.message : String(err);
 			return this.failConnection(serverId, message);
@@ -1623,6 +1827,6 @@ function getNamespacedData(mcpClients, type) {
 	});
 }
 //#endregion
-export { RPCServerTransport as a, RPCClientTransport as i, getNamespacedData as n, RPC_DO_PREFIX as o, MCPConnectionState as r, DisposableStore as s, MCPClientManager as t };
+export { MCPConnectionState as a, RPC_DO_PREFIX as c, normalizeServerId as i, DisposableStore as l, MCP_SERVER_ID_MAX_LENGTH as n, RPCClientTransport as o, getNamespacedData as r, RPCServerTransport as s, MCPClientManager as t };
 
-//# sourceMappingURL=client-D1kFXo80.js.map
+//# sourceMappingURL=client-FUizKzj2.js.map