npm - alepha - Versions diffs - 0.20.3 → 0.20.4 - Mend

alepha 0.20.3 → 0.20.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (217) hide show

package/dist/api/audits/index.d.ts.map +1 -1
package/dist/api/files/index.d.ts.map +1 -1
package/dist/api/jobs/index.d.ts +14 -14
package/dist/api/jobs/index.d.ts.map +1 -1
package/dist/api/keys/index.d.ts +4 -4
package/dist/api/organizations/index.d.ts.map +1 -1
package/dist/api/parameters/index.d.ts +8 -3
package/dist/api/parameters/index.d.ts.map +1 -1
package/dist/api/parameters/index.js +20 -4
package/dist/api/parameters/index.js.map +1 -1
package/dist/api/payments/index.d.ts.map +1 -1
package/dist/api/users/index.browser.js +6 -0
package/dist/api/users/index.browser.js.map +1 -1
package/dist/api/users/index.d.ts +5037 -139
package/dist/api/users/index.d.ts.map +1 -1
package/dist/api/users/index.js +58 -10
package/dist/api/users/index.js.map +1 -1
package/dist/bucket/index.d.ts +77 -107
package/dist/bucket/index.d.ts.map +1 -1
package/dist/bucket/index.js +148 -4
package/dist/bucket/index.js.map +1 -1
package/dist/bucket/index.workerd.js +7 -1
package/dist/bucket/index.workerd.js.map +1 -1
package/dist/cache/core/index.d.ts +26 -0
package/dist/cache/core/index.d.ts.map +1 -1
package/dist/cache/core/index.js +11 -1
package/dist/cache/core/index.js.map +1 -1
package/dist/cache/core/index.workerd.js +11 -1
package/dist/cache/core/index.workerd.js.map +1 -1
package/dist/cli/config/index.d.ts +7 -5
package/dist/cli/config/index.d.ts.map +1 -1
package/dist/cli/config/index.js +2 -3
package/dist/cli/config/index.js.map +1 -1
package/dist/cli/core/index.d.ts +420 -13
package/dist/cli/core/index.d.ts.map +1 -1
package/dist/cli/core/index.js +22 -511
package/dist/cli/core/index.js.map +1 -1
package/dist/cli/devtools/index.d.ts +4 -8
package/dist/cli/devtools/index.d.ts.map +1 -1
package/dist/cli/devtools/index.js +13 -15
package/dist/cli/devtools/index.js.map +1 -1
package/dist/cli/platform/index.d.ts +10 -13
package/dist/cli/platform/index.d.ts.map +1 -1
package/dist/cli/platform/index.js +18 -15
package/dist/cli/platform/index.js.map +1 -1
package/dist/cli/vendor/index.d.ts +10 -13
package/dist/cli/vendor/index.d.ts.map +1 -1
package/dist/cli/vendor/index.js +16 -13
package/dist/cli/vendor/index.js.map +1 -1
package/dist/core/index.browser.js +27 -3
package/dist/core/index.browser.js.map +1 -1
package/dist/core/index.d.ts +6 -3
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +27 -3
package/dist/core/index.js.map +1 -1
package/dist/core/index.native.js +27 -3
package/dist/core/index.native.js.map +1 -1
package/dist/core/index.workerd.js +27 -3
package/dist/core/index.workerd.js.map +1 -1
package/dist/datetime/index.d.ts +69 -10
package/dist/datetime/index.d.ts.map +1 -1
package/dist/datetime/index.js +135 -13
package/dist/datetime/index.js.map +1 -1
package/dist/email/smtp/index.js +10636 -2
package/dist/email/smtp/index.js.map +1 -1
package/dist/fake/index.d.ts +8085 -4
package/dist/fake/index.d.ts.map +1 -1
package/dist/fake/index.js +33554 -3
package/dist/fake/index.js.map +1 -1
package/dist/lock/core/index.d.ts +30 -2
package/dist/lock/core/index.d.ts.map +1 -1
package/dist/lock/core/index.js +35 -12
package/dist/lock/core/index.js.map +1 -1
package/dist/mcp/index.d.ts +238 -31
package/dist/mcp/index.d.ts.map +1 -1
package/dist/mcp/index.js +198 -71
package/dist/mcp/index.js.map +1 -1
package/dist/orm/core/index.browser.js +1 -1
package/dist/orm/core/index.browser.js.map +1 -1
package/dist/orm/core/index.bun.js +4 -3
package/dist/orm/core/index.bun.js.map +1 -1
package/dist/orm/core/index.d.ts +4877 -9
package/dist/orm/core/index.d.ts.map +1 -1
package/dist/orm/core/index.js +4 -3
package/dist/orm/core/index.js.map +1 -1
package/dist/orm/postgres/index.d.ts +608 -1
package/dist/orm/postgres/index.d.ts.map +1 -1
package/dist/react/core/index.d.ts +102 -1
package/dist/react/core/index.d.ts.map +1 -1
package/dist/react/core/index.js +65 -1
package/dist/react/core/index.js.map +1 -1
package/dist/react/form/index.d.ts +6 -0
package/dist/react/form/index.d.ts.map +1 -1
package/dist/react/form/index.js +7 -7
package/dist/react/form/index.js.map +1 -1
package/dist/react/i18n/index.d.ts +7 -1
package/dist/react/i18n/index.d.ts.map +1 -1
package/dist/react/i18n/index.js +6 -0
package/dist/react/i18n/index.js.map +1 -1
package/dist/react/router/index.browser.js +20 -2
package/dist/react/router/index.browser.js.map +1 -1
package/dist/react/router/index.d.ts +36 -4
package/dist/react/router/index.d.ts.map +1 -1
package/dist/react/router/index.js +20 -2
package/dist/react/router/index.js.map +1 -1
package/dist/react/testing/chunk-6Ep1yQYe.js +16 -0
package/dist/react/testing/index.d.ts +411 -1
package/dist/react/testing/index.d.ts.map +1 -1
package/dist/react/testing/index.js +12293 -13
package/dist/react/testing/index.js.map +1 -1
package/dist/react/ui/index.d.ts +195 -1
package/dist/react/ui/index.d.ts.map +1 -1
package/dist/react/ui/index.js +61 -1
package/dist/react/ui/index.js.map +1 -1
package/dist/scheduler/index.d.ts +84 -3
package/dist/scheduler/index.d.ts.map +1 -1
package/dist/scheduler/index.js +390 -1
package/dist/scheduler/index.js.map +1 -1
package/dist/scheduler/index.workerd.js +390 -1
package/dist/scheduler/index.workerd.js.map +1 -1
package/dist/security/index.d.ts +325 -2
package/dist/security/index.d.ts.map +1 -1
package/dist/security/index.js +1361 -2
package/dist/security/index.js.map +1 -1
package/dist/server/auth/index.d.ts +1054 -1
package/dist/server/auth/index.d.ts.map +1 -1
package/dist/server/auth/index.js +1223 -1
package/dist/server/auth/index.js.map +1 -1
package/dist/server/core/index.browser.js +10 -3
package/dist/server/core/index.browser.js.map +1 -1
package/dist/server/core/index.d.ts.map +1 -1
package/dist/server/core/index.js +28 -5
package/dist/server/core/index.js.map +1 -1
package/dist/server/metrics/index.d.ts +514 -1
package/dist/server/metrics/index.d.ts.map +1 -1
package/dist/server/metrics/index.js +4374 -4
package/dist/server/metrics/index.js.map +1 -1
package/dist/server/swagger/index.d.ts.map +1 -1
package/dist/server/swagger/index.js +3 -4
package/dist/server/swagger/index.js.map +1 -1
package/dist/websocket/index.browser.js +11 -5
package/dist/websocket/index.browser.js.map +1 -1
package/dist/websocket/index.d.ts +3 -1
package/dist/websocket/index.d.ts.map +1 -1
package/dist/websocket/index.js +21 -6
package/dist/websocket/index.js.map +1 -1
package/package.json +671 -263
package/src/api/parameters/services/ParameterProvider.ts +21 -4
package/src/api/users/__tests__/SessionService.spec.ts +99 -0
package/src/api/users/__tests__/UserJobs.spec.ts +67 -0
package/src/api/users/atoms/realmAuthSettingsAtom.ts +15 -0
package/src/api/users/entities/sessions.ts +6 -0
package/src/api/users/jobs/UserJobs.ts +44 -17
package/src/api/users/providers/RealmProvider.ts +4 -0
package/src/api/users/services/SessionService.ts +27 -0
package/src/bucket/__tests__/NodeS3BucketProvider.spec.ts +74 -0
package/src/bucket/index.ts +19 -2
package/src/bucket/primitives/$bucket.ts +9 -1
package/src/bucket/providers/CloudflareR2Provider.ts +2 -137
package/src/bucket/providers/NodeS3BucketProvider.ts +218 -0
package/src/cache/core/index.ts +29 -0
package/src/cache/core/primitives/$cache.ts +14 -1
package/src/cli/config/defineConfig.ts +13 -15
package/src/cli/core/__tests__/init.spec.ts +6 -7
package/src/cli/core/services/ProjectScaffolder.ts +18 -14
package/src/cli/core/tasks/BuildCloudflareTask.ts +5 -0
package/src/cli/core/templates/agentMd.ts +2 -10
package/src/cli/core/templates/saasAdminLayoutTsx.ts +3 -3
package/src/cli/devtools/index.ts +12 -26
package/src/cli/platform/index.ts +15 -24
package/src/cli/vendor/atoms/vendorOptions.ts +1 -1
package/src/cli/vendor/index.ts +14 -23
package/src/core/Alepha.ts +11 -1
package/src/core/helpers/ref.ts +18 -0
package/src/core/index.shared.ts +1 -0
package/src/core/providers/SchemaValidator.ts +9 -1
package/src/core/providers/TypeProvider.ts +1 -2
package/src/datetime/REFACTORING.md +118 -0
package/src/datetime/providers/DateTimeProvider.ts +203 -24
package/src/lock/core/index.ts +31 -0
package/src/lock/core/primitives/$lock.ts +14 -1
package/src/mcp/__tests__/jsonrpc.spec.ts +1 -1
package/src/mcp/helpers/jsonrpc.ts +26 -1
package/src/mcp/index.ts +10 -5
package/src/mcp/interfaces/McpTypes.ts +83 -6
package/src/mcp/primitives/$prompt.ts +18 -1
package/src/mcp/primitives/$resource.ts +18 -1
package/src/mcp/primitives/$tool.ts +83 -7
package/src/mcp/providers/McpServerProvider.ts +74 -16
package/src/mcp/transports/StreamableHttpMcpTransport.ts +226 -0
package/src/orm/REFACTORING.md +330 -0
package/src/orm/core/primitives/$transactional.ts +11 -0
package/src/orm/core/schemas/updateSchema.ts +1 -1
package/src/orm/core/services/PgRelationManager.ts +4 -2
package/src/react/core/__tests__/useQuery.browser.spec.tsx +86 -0
package/src/react/core/hooks/useQuery.ts +153 -0
package/src/react/core/index.ts +1 -0
package/src/react/form/services/FormModel.ts +15 -6
package/src/react/form/services/parseField.ts +8 -0
package/src/react/i18n/providers/I18nProvider.ts +8 -2
package/src/react/router/__tests__/$page.spec.tsx +0 -16
package/src/react/router/__tests__/ssr.spec.tsx +339 -0
package/src/react/router/primitives/$page.ts +28 -4
package/src/react/router/providers/ReactPageProvider.ts +27 -9
package/src/react/ui/atoms/uiThemeListAtom.ts +36 -0
package/src/react/ui/index.ts +6 -0
package/src/react/ui/services/SchemaControl.ts +209 -0
package/src/security/primitives/$issuer.ts +6 -3
package/src/server/core/__tests__/ServerRouterProvider-serializationError.spec.ts +75 -0
package/src/server/core/__tests__/ServerRouterProvider-validationError.spec.ts +306 -0
package/src/server/core/errors/ValidationError.ts +13 -1
package/src/server/core/primitives/$action.ts +16 -5
package/src/server/core/providers/ServerRouterProvider.ts +26 -4
package/src/server/swagger/providers/ServerSwaggerProvider.ts +5 -7
package/src/websocket/providers/NodeWebSocketServerProvider.ts +10 -4
package/src/websocket/services/WebSocketClient.ts +11 -5
package/src/mcp/transports/SseMcpTransport.ts +0 -182

package/dist/mcp/index.js CHANGED Viewed

@@ -1,9 +1,25 @@
-import { $atom, $inject, $module, $state, Alepha, AlephaError, KIND, Primitive, createPrimitive, t } from "alepha";
+import { $atom, $inject, $module, $state, Alepha, AlephaError, KIND, Primitive, TypeBoxError, createPrimitive, t } from "alepha";
 import { $logger } from "alepha/logger";
 import { $route } from "alepha/server";
 //#region ../../src/mcp/helpers/jsonrpc.ts
 const JSONRPC_VERSION = "2.0";
-const MCP_PROTOCOL_VERSION = "2024-11-05";
+/**
+* The latest MCP protocol revision Alepha targets.
+* See {@link SUPPORTED_PROTOCOL_VERSIONS} for the full negotiation list.
+*/
+const MCP_PROTOCOL_VERSION = "2025-11-25";
+/**
+* Protocol versions Alepha will accept during `initialize` negotiation,
+* highest preference first. The server echoes back whichever version the
+* client requested if it appears here, otherwise picks the first entry.
+*/
+const SUPPORTED_PROTOCOL_VERSIONS = [
+	"2025-11-25",
+	"2025-06-18",
+	"2025-03-26",
+	"2024-11-05"
+];
+const isSupportedProtocolVersion = (v) => typeof v === "string" && SUPPORTED_PROTOCOL_VERSIONS.includes(v);
 const JsonRpcErrorCodes = {
 	PARSE_ERROR: -32700,
 	INVALID_REQUEST: -32600,
@@ -170,6 +186,18 @@ var McpServerProvider = class {
 	resources = /* @__PURE__ */ new Map();
 	prompts = /* @__PURE__ */ new Map();
 	initialized = false;
+	/**
+	* Protocol version negotiated with the client during `initialize`.
+	* Used by transports to validate the `MCP-Protocol-Version` header on
+	* subsequent HTTP requests (per spec 2025-06-18+).
+	*/
+	negotiatedVersion = MCP_PROTOCOL_VERSION;
+	/**
+	* Server identity returned during `initialize`. Consumers may override
+	* fields directly (e.g. `mcpServer.serverInfo = { name: "roadmap-mcp",
+	* version: "0.20.3", description: "..." }`) — the `description` field
+	* is supported per spec 2025-11-25 (minor change #2).
+	*/
 	serverInfo = {
 		name: "alepha-mcp",
 		version: "1.0.0"
@@ -298,13 +326,17 @@ var McpServerProvider = class {
 		}
 	}
 	handleInitialize(params) {
+		const requested = params.protocolVersion;
+		const negotiated = isSupportedProtocolVersion(requested) ? requested : SUPPORTED_PROTOCOL_VERSIONS[0];
 		this.log.info("MCP client initializing", {
 			clientInfo: params.clientInfo,
-			protocolVersion: params.protocolVersion
+			requestedProtocolVersion: requested,
+			negotiatedProtocolVersion: negotiated
 		});
 		this.initialized = true;
+		this.negotiatedVersion = negotiated;
 		return {
-			protocolVersion: MCP_PROTOCOL_VERSION,
+			protocolVersion: negotiated,
 			capabilities: this.getCapabilities(),
 			serverInfo: this.serverInfo
 		};
@@ -322,11 +354,28 @@ var McpServerProvider = class {
 		if (!tool) throw new McpToolNotFoundError(name);
 		try {
 			const result = await tool.execute(args, context);
-			return { content: [{
+			const callResult = { content: [{
 				type: "text",
 				text: typeof result === "string" ? result : JSON.stringify(result ?? null)
 			}] };
+			if (tool.hasOutputSchema() && result !== void 0) callResult.structuredContent = result;
+			return callResult;
 		} catch (error) {
+			if (error instanceof TypeBoxError) {
+				const path = error.value?.path || "/";
+				const message = error.value?.message || error.message;
+				return {
+					content: [{
+						type: "text",
+						text: `Validation error at ${path}: ${message}`
+					}],
+					structuredContent: { errors: [{
+						path,
+						message
+					}] },
+					isError: true
+				};
+			}
 			return {
 				content: [{
 					type: "text",
@@ -456,11 +505,14 @@ var PromptPrimitive = class extends Primitive {
 	* Convert the prompt to an MCP prompt descriptor for protocol messages.
 	*/
 	toDescriptor() {
-		return {
+		const descriptor = {
 			name: this.name,
 			description: this.description,
 			arguments: this.options.args ? this.schemaToArguments(this.options.args) : []
 		};
+		if (this.options.title) descriptor.title = this.options.title;
+		if (this.options.icons && this.options.icons.length > 0) descriptor.icons = this.options.icons;
+		return descriptor;
 	}
 	/**
 	* Convert a TypeBox schema to an array of prompt arguments.
@@ -561,12 +613,15 @@ var ResourcePrimitive = class extends Primitive {
 	* Convert the resource to an MCP resource descriptor for protocol messages.
 	*/
 	toDescriptor() {
-		return {
+		const descriptor = {
 			uri: this.uri,
 			name: this.name,
 			description: this.description,
 			mimeType: this.mimeType
 		};
+		if (this.options.title) descriptor.title = this.options.title;
+		if (this.options.icons && this.options.icons.length > 0) descriptor.icons = this.options.icons;
+		return descriptor;
 	}
 };
 $resource[KIND] = ResourcePrimitive;
@@ -633,6 +688,14 @@ var ToolPrimitive = class extends Primitive {
 	get description() {
 		return this.options.description;
 	}
+	/**
+	* Whether the tool declared a result schema. When true, `tools/call`
+	* responses include `structuredContent` populated with the validated
+	* result (spec 2025-06-18).
+	*/
+	hasOutputSchema() {
+		return !!this.options.schema?.result;
+	}
 	onInit() {
 		this.mcpServer.registerTool(this);
 	}
@@ -655,33 +718,57 @@ var ToolPrimitive = class extends Primitive {
 	}
 	/**
 	* Convert the tool to an MCP tool descriptor for protocol messages.
+	*
+	* Emits the spec 2025-11-25 surface: `title`, `annotations`, `icons`,
+	* and (when `schema.result` is defined) `outputSchema` so the server
+	* can populate `structuredContent` on call results.
 	*/
 	toDescriptor() {
-		return {
+		const inputSchema = this.options.schema?.params ? this.schemaToJsonSchema(this.options.schema.params) : {
+			type: "object",
+			properties: {},
+			required: []
+		};
+		const descriptor = {
 			name: this.name,
 			description: this.description,
-			inputSchema: this.options.schema?.params ? this.schemaToJsonSchema(this.options.schema.params) : {
+			inputSchema
+		};
+		if (this.options.title) descriptor.title = this.options.title;
+		if (this.options.annotations) descriptor.annotations = this.options.annotations;
+		if (this.options.icons && this.options.icons.length > 0) descriptor.icons = this.options.icons;
+		if (this.options.schema?.result) {
+			const out = this.propertyToJsonSchema(this.options.schema.result);
+			descriptor.outputSchema = typeof out === "object" && out !== null && "type" in out ? out : {
 				type: "object",
 				properties: {},
 				required: []
-			}
-		};
+			};
+		}
+		return descriptor;
 	}
 	/**
 	* Convert a TypeBox schema to JSON Schema format.
+	*
+	* Emits the 2020-12 dialect annotation at the root (spec 2025-11-25 /
+	* SEP-1613 — JSON Schema 2020-12 is the default dialect for MCP).
+	* The TypeBox shapes Alepha emits today are already 2020-12-compatible;
+	* this is just the dialect declaration.
 	*/
-	schemaToJsonSchema(schema) {
+	schemaToJsonSchema(schema, options) {
 		const properties = {};
 		const required = [];
 		for (const [key, propSchema] of Object.entries(schema.properties)) {
 			properties[key] = this.propertyToJsonSchema(propSchema);
 			if (!t.schema.isOptional(propSchema)) required.push(key);
 		}
-		return {
+		const result = {
 			type: "object",
 			properties,
 			required
 		};
+		if (options?.root !== false) result.$schema = "https://json-schema.org/draft/2020-12/schema";
+		return result;
 	}
 	/**
 	* Convert a single property schema to JSON Schema format.
@@ -707,7 +794,7 @@ var ToolPrimitive = class extends Primitive {
 		else if (t.schema.isArray(schema)) {
 			result.type = "array";
 			if ("items" in schema) result.items = this.propertyToJsonSchema(schema.items);
-		} else if (t.schema.isObject(schema)) Object.assign(result, this.schemaToJsonSchema(schema));
+		} else if (t.schema.isObject(schema)) Object.assign(result, this.schemaToJsonSchema(schema, { root: false }));
 		else if (t.schema.isUnsafe(schema) || t.schema.isOptional(schema)) {
 			const schemaAny = schema;
 			if (schemaAny.type === "string") {
@@ -726,32 +813,59 @@ var ToolPrimitive = class extends Primitive {
 };
 $tool[KIND] = ToolPrimitive;
 //#endregion
-//#region ../../src/mcp/transports/SseMcpTransport.ts
-const mcpSseOptions = $atom({
-	name: "alepha.mcp.sse.options",
-	description: "Configuration options for the MCP SSE transport.",
-	schema: t.object({
-	/**
-	* Path for the MCP SSE endpoint.
-	*/
-path: t.text({ default: "/mcp" }) }),
-	default: { path: "/mcp" }
+//#region ../../src/mcp/transports/StreamableHttpMcpTransport.ts
+const mcpStreamableHttpOptions = $atom({
+	name: "alepha.mcp.streamableHttp.options",
+	description: "Configuration options for the MCP Streamable HTTP transport.",
+	schema: t.object({
+		/**
+		* Path for the MCP endpoint. Single endpoint for both requests and
+		* (optional) server-streamed responses, per spec 2025-03-26+.
+		*/
+		path: t.text({ default: "/mcp" }),
+		/**
+		* Allow-list of `Origin` header values accepted on incoming requests.
+		* Empty array (default) means "allow any". When set, browser-originated
+		* requests with a non-matching `Origin` are rejected with 403 Forbidden,
+		* blocking DNS-rebinding attacks against localhost MCP servers.
+		*
+		* Server-to-server callers (no `Origin` header) are always allowed.
+		*
+		* Spec 2025-11-25, PR #1439.
+		*/
+		allowedOrigins: t.array(t.text(), { default: [] })
+	}),
+	default: {
+		path: "/mcp",
+		allowedOrigins: []
+	}
 });
+const mcpSseOptions = mcpStreamableHttpOptions;
 /**
-* SSE (Server-Sent Events) transport for MCP communication.
+* Streamable HTTP transport for MCP communication.
+*
+* Implements the 2025-03-26+ Streamable HTTP transport: a single `/mcp`
+* endpoint that accepts JSON-RPC over POST and returns either
+* `application/json` (single response, the default) or
+* `text/event-stream` (when the server wants to stream multiple messages).
 *
-* This transport uses HTTP with SSE for server-to-client messages
-* and POST requests for client-to-server messages.
+* Designed for serverless deployment (Cloudflare Workers, etc.) — there is
+* no long-lived GET stream. GET on the endpoint returns 405 Method Not
+* Allowed; clients that want server-initiated push must rely on the POST
+* response stream when the server upgrades to SSE for that particular call.
 *
-* Endpoints:
-* - GET /mcp - SSE stream for server events
-* - POST /mcp - JSON-RPC request endpoint
+* Spec compliance:
+* - 2025-06-18: validates `MCP-Protocol-Version` header on every request
+*   after `initialize` against the version negotiated and stored on
+*   `McpServerProvider`.
+* - 2025-11-25: rejects requests with a non-allow-listed `Origin` header
+*   (PR #1439). See {@link mcpStreamableHttpOptions.allowedOrigins}.
 *
 * @example
 * ```ts
 * import { Alepha, run } from "alepha";
 * import { AlephaServer } from "alepha/server";
-* import { AlephaMcp, AlephaMcpSse } from "alepha/mcp";
+* import { AlephaMcp, StreamableHttpMcpTransport } from "alepha/mcp";
 *
 * class MyTools {
 *   // ... tool definitions
@@ -761,50 +875,36 @@ path: t.text({ default: "/mcp" }) }),
 *   Alepha.create()
 *     .with(AlephaServer)
 *     .with(AlephaMcp)
-*     .with(AlephaMcpSse)
+*     .with(StreamableHttpMcpTransport)
 *     .with(MyTools)
 * );
 * ```
 */
-var SseMcpTransport = class {
+var StreamableHttpMcpTransport = class {
 	log = $logger();
-	options = $state(mcpSseOptions);
+	options = $state(mcpStreamableHttpOptions);
 	mcpServer = $inject(McpServerProvider);
 	/**
-	* SSE endpoint for server-to-client messages.
-	*
-	* Returns a text/event-stream response with server capabilities
-	* and keeps the connection open for notifications.
+	* GET on the MCP endpoint is not supported in this transport. Returning
+	* 405 (rather than serving the legacy two-endpoint SSE pattern) is the
+	* spec-allowed response for servers that don't offer server-initiated
+	* push outside of an active POST.
 	*/
-	sse = $route({
+	notAllowed = $route({
 		method: "GET",
 		path: this.options.path,
-		handler: async (request) => {
-			this.log.debug("MCP SSE connection established");
-			const encoder = new TextEncoder();
-			const stream = new ReadableStream({
-				start: (controller) => {
-					const endpointEvent = this.formatSseEvent("endpoint", `${this.options.path}`);
-					controller.enqueue(encoder.encode(endpointEvent));
-					const capabilitiesNotification = createNotification("notifications/capabilities", { capabilities: this.mcpServer.getCapabilities() });
-					const capabilitiesEvent = this.formatSseEvent("message", JSON.stringify(capabilitiesNotification));
-					controller.enqueue(encoder.encode(capabilitiesEvent));
-				},
-				cancel: () => {
-					this.log.debug("MCP SSE connection closed");
-				}
-			});
-			request.reply.status = 200;
-			request.reply.headers = {
-				"content-type": "text/event-stream",
-				"cache-control": "no-cache",
-				connection: "keep-alive"
-			};
-			request.reply.body = stream;
+		handler: (request) => {
+			request.reply.status = 405;
+			request.reply.headers.allow = "POST";
+			request.reply.headers["content-type"] = "application/json";
+			request.reply.body = JSON.stringify({ error: "Method Not Allowed. Use POST for MCP messages." });
 		}
 	});
 	/**
 	* POST endpoint for client-to-server JSON-RPC messages.
+	* Returns `application/json` for single responses; tools that need to
+	* stream progress would upgrade to `text/event-stream` (deferred until a
+	* concrete need exists).
 	*/
 	message = $route({
 		method: "POST",
@@ -812,13 +912,40 @@ var SseMcpTransport = class {
 		schema: { body: t.json() },
 		handler: async (request) => {
 			try {
+				const originRaw = request.headers.origin;
+				const origin = Array.isArray(originRaw) ? originRaw[0] : originRaw;
+				if (origin && this.options.allowedOrigins.length > 0 && !this.options.allowedOrigins.includes(origin)) {
+					this.log.warn("Rejected MCP request with non-allowed Origin", {
+						origin,
+						allowed: this.options.allowedOrigins
+					});
+					request.reply.status = 403;
+					request.reply.headers["content-type"] = "application/json";
+					request.reply.body = JSON.stringify({ error: "Forbidden: Origin not allowed" });
+					return;
+				}
 				const body = typeof request.body === "string" ? request.body : JSON.stringify(request.body);
 				this.log.debug("MCP request body", {
 					body,
 					bodyType: typeof request.body
 				});
 				const rpcRequest = parseMessage(body);
-				const context = { headers: { ...request.headers } };
+				const headers = { ...request.headers };
+				if (rpcRequest.method !== "initialize") {
+					const headerRaw = headers["mcp-protocol-version"];
+					const headerVersion = Array.isArray(headerRaw) ? headerRaw[0] : headerRaw;
+					if (headerVersion && headerVersion !== this.mcpServer.negotiatedVersion) {
+						this.log.warn("MCP-Protocol-Version header mismatch", {
+							header: headerVersion,
+							negotiated: this.mcpServer.negotiatedVersion
+						});
+						request.reply.status = 400;
+						request.reply.headers["content-type"] = "application/json";
+						request.reply.body = JSON.stringify({ error: `MCP-Protocol-Version mismatch: expected ${this.mcpServer.negotiatedVersion}, got ${headerVersion}` });
+						return;
+					}
+				}
+				const context = { headers };
 				const response = await this.mcpServer.handleMessage(rpcRequest, context);
 				if (response) {
 					request.reply.headers["content-type"] = "application/json";
@@ -837,13 +964,13 @@ var SseMcpTransport = class {
 			}
 		}
 	});
-	/**
-	* Format a message as an SSE event.
-	*/
-	formatSseEvent(event, data) {
-		return `event: ${event}\ndata: ${data}\n\n`;
-	}
 };
+/**
+* @deprecated Use {@link StreamableHttpMcpTransport}. The 2024-11-05
+* two-endpoint HTTP+SSE pattern was replaced by Streamable HTTP in spec
+* 2025-03-26. This alias is preserved for one release to ease migration.
+*/
+const SseMcpTransport = StreamableHttpMcpTransport;
 //#endregion
 //#region ../../src/mcp/index.ts
 /**
@@ -854,7 +981,7 @@ var SseMcpTransport = class {
 * - MCP tool definitions
 * - MCP prompt definitions
 * - JSON-RPC protocol
-* - SSE and Stdio transports
+* - Streamable HTTP transport (spec 2025-03-26+)
 *
 * @module alepha.mcp
 */
@@ -866,9 +993,9 @@ const AlephaMcp = $module({
 		$prompt
 	],
 	services: [McpServerProvider],
-	variants: [SseMcpTransport]
+	variants: [StreamableHttpMcpTransport]
 });
 //#endregion
-export { $prompt, $resource, $tool, AlephaMcp, JSONRPC_VERSION, JsonRpcErrorCodes, JsonRpcParseError, MCP_PROTOCOL_VERSION, McpError, McpErrorCodes, McpForbiddenError, McpInvalidParamsError, McpMethodNotFoundError, McpPromptNotFoundError, McpResourceNotFoundError, McpServerProvider, McpToolNotFoundError, McpUnauthorizedError, PromptPrimitive, ResourcePrimitive, SseMcpTransport, ToolPrimitive, createErrorResponse, createInternalError, createInvalidParamsError, createInvalidRequestError, createMethodNotFoundError, createNotification, createParseError, createResponse, isNotification, isValidJsonRpcRequest, mcpSseOptions, parseMessage };
+export { $prompt, $resource, $tool, AlephaMcp, JSONRPC_VERSION, JsonRpcErrorCodes, JsonRpcParseError, MCP_PROTOCOL_VERSION, McpError, McpErrorCodes, McpForbiddenError, McpInvalidParamsError, McpMethodNotFoundError, McpPromptNotFoundError, McpResourceNotFoundError, McpServerProvider, McpToolNotFoundError, McpUnauthorizedError, PromptPrimitive, ResourcePrimitive, SUPPORTED_PROTOCOL_VERSIONS, SseMcpTransport, StreamableHttpMcpTransport, ToolPrimitive, createErrorResponse, createInternalError, createInvalidParamsError, createInvalidRequestError, createMethodNotFoundError, createNotification, createParseError, createResponse, isNotification, isSupportedProtocolVersion, isValidJsonRpcRequest, mcpSseOptions, mcpStreamableHttpOptions, parseMessage };
 //# sourceMappingURL=index.js.map