arc-1 0.1.0

package/dist/server/http.js

@@ -0,0 +1,328 @@
+/**
+ * HTTP Streamable transport for ARC-1.
+ *
+ * Provides an Express HTTP server that:
+ * - Serves MCP Streamable HTTP protocol on /mcp
+ * - Health check endpoint on /health
+ * - API key authentication via Bearer token
+ * - OIDC/JWT validation via JWKS discovery (Entra ID, etc.)
+ * - XSUAA OAuth proxy for MCP-native clients (Claude Desktop, Cursor)
+ *
+ * When XSUAA auth is enabled, the MCP SDK's mcpAuthRouter installs standard
+ * OAuth endpoints (authorize, token, register, revoke, discovery metadata).
+ *
+ * Design decisions:
+ *
+ * 1. Express is used because the MCP SDK's auth infrastructure (mcpAuthRouter,
+ *    requireBearerAuth) requires Express. Express 5.x is already a transitive
+ *    dependency of the MCP SDK.
+ *
+ * 2. Per-request server pattern: each MCP request gets a fresh Server + Transport.
+ *    This avoids "already connected" errors from concurrent clients.
+ *
+ * 3. Auth is checked BEFORE creating the MCP transport to avoid wasting resources.
+ *
+ * 4. Health endpoint is always unauthenticated — needed for CF health checks.
+ */
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import express from 'express';
+import { logger } from './logger.js';
+import { VERSION } from './server.js';
+// ─── JWKS / JWT types (lazy-loaded from jose) ────────────────────────
+let joseModule = null;
+let jwksClient = null;
+// ─── MCP Request Handler ─────────────────────────────────────────────
+/**
+ * Create an Express handler that processes MCP requests.
+ * Each request gets a fresh Server + Transport pair.
+ */
+function createMcpHandler(serverFactory) {
+    return async (req, res) => {
+        logger.debug('MCP handler invoked', {
+            method: req.method,
+            contentType: req.headers['content-type'],
+            hasBody: !!req.body,
+            bodyMethod: req.body?.method,
+            bodyId: req.body?.id,
+        });
+        try {
+            const server = serverFactory();
+            const transport = new StreamableHTTPServerTransport({
+                sessionIdGenerator: undefined, // Stateless mode
+            });
+            await server.connect(transport);
+            // IMPORTANT: Pass req.body as pre-parsed body (3rd argument).
+            // express.json() middleware (line 91) consumes the raw request stream.
+            // Without this, the MCP SDK's transport tries to re-read the stream,
+            // gets nothing, and returns "Parse error: Invalid JSON" (-32700).
+            // The SDK explicitly supports this pattern — see their docs/comments
+            // in StreamableHTTPServerTransport.handleRequest().
+            await transport.handleRequest(req, res, req.body);
+        }
+        catch (err) {
+            logger.error('MCP request error', { error: err instanceof Error ? err.message : String(err) });
+            if (!res.headersSent) {
+                res.status(500).json({ error: 'Internal server error' });
+            }
+        }
+    };
+}
+/**
+ * Start the HTTP Streamable server.
+ */
+export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
+    const [host, portStr] = config.httpAddr.split(':');
+    const port = Number.parseInt(portStr || '8080', 10);
+    const bindHost = host || '0.0.0.0';
+    const app = express();
+    // Trust first proxy (CF gorouter) — required for express-rate-limit
+    // and correct client IP detection behind CF's reverse proxy.
+    app.set('trust proxy', 1);
+    app.use(express.json());
+    app.use(express.urlencoded({ extended: false }));
+    const mcpHandler = createMcpHandler(serverFactory);
+    // ─── Global Request Logger ──────────────────────────────────
+    // Log every inbound request for debugging OAuth/MCP flows.
+    app.use((req, _res, next) => {
+        logger.debug('HTTP request', {
+            method: req.method,
+            path: req.path,
+            contentType: req.headers['content-type'],
+            userAgent: req.headers['user-agent']?.slice(0, 80),
+            hasAuth: !!req.headers.authorization,
+            ip: req.ip,
+        });
+        next();
+    });
+    // ─── Health Check (always unauthenticated) ───────────────
+    app.get('/health', (_req, res) => {
+        res.json({ status: 'ok', version: VERSION });
+    });
+    // ─── XSUAA OAuth Proxy Mode ──────────────────────────────
+    if (config.xsuaaAuth && xsuaaCredentials) {
+        const { mcpAuthRouter } = await import('@modelcontextprotocol/sdk/server/auth/router.js');
+        const { requireBearerAuth } = await import('@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js');
+        const { createXsuaaOAuthProvider, createChainedTokenVerifier, createXsuaaTokenVerifier } = await import('./xsuaa.js');
+        const { getAppUrl } = await import('../adt/btp.js');
+        // Determine app URL for OAuth metadata
+        const appUrl = getAppUrl() ?? `http://${bindHost}:${port}`;
+        // Create XSUAA provider + chained verifier
+        const { provider } = createXsuaaOAuthProvider(xsuaaCredentials, appUrl);
+        const xsuaaVerifier = createXsuaaTokenVerifier(xsuaaCredentials);
+        const oidcVerifier = config.oidcIssuer ? await createOidcVerifier(config) : undefined;
+        const chainedVerifier = createChainedTokenVerifier(config, xsuaaVerifier, oidcVerifier);
+        const bearerAuth = requireBearerAuth({ verifier: { verifyAccessToken: chainedVerifier } });
+        // ─── OAuth authorize normalization + Copilot Studio MCP workaround ──
+        // Copilot Studio sends MCP JSON-RPC requests to /authorize instead of
+        // /mcp after completing the OAuth flow. When we detect a JSON-RPC body
+        // (has "jsonrpc" field) on POST /authorize, we bypass the OAuth handler
+        // and route directly to bearerAuth + mcpHandler.
+        //
+        // For normal OAuth requests, merge query params into body as fallback
+        // (some clients send POST /authorize with params in query string).
+        app.use('/authorize', (req, res, next) => {
+            // Detect MCP JSON-RPC on /authorize (Copilot Studio quirk)
+            if (req.method === 'POST' && req.body?.jsonrpc) {
+                logger.info('MCP JSON-RPC on /authorize, routing to MCP handler', {
+                    rpcMethod: req.body.method,
+                    id: req.body.id,
+                    userAgent: req.headers['user-agent']?.slice(0, 60),
+                });
+                // Run bearerAuth, then mcpHandler — skip the OAuth authorize handler
+                bearerAuth(req, res, (err) => {
+                    if (err) {
+                        next(err);
+                        return;
+                    }
+                    mcpHandler(req, res);
+                });
+                return;
+            }
+            logger.debug('OAuth authorize request', {
+                method: req.method,
+                contentType: req.headers['content-type'],
+                hasBody: !!req.body,
+                bodyKeys: req.body ? Object.keys(req.body) : [],
+                queryKeys: Object.keys(req.query),
+            });
+            if (req.method === 'POST' && req.query.client_id && (!req.body || !req.body.client_id)) {
+                req.body = { ...req.query, ...(req.body || {}) };
+                logger.debug('OAuth authorize: merged query params into body', {
+                    client_id: req.body.client_id,
+                });
+            }
+            next();
+        });
+        // Install MCP SDK auth router at root (OAuth endpoints + DCR)
+        // resourceServerUrl must point to /mcp so that the protected resource
+        // metadata is served at /.well-known/oauth-protected-resource/mcp
+        // (per RFC 9728). Without this, MCP clients can't discover the
+        // resource endpoint and may send JSON-RPC to the wrong path.
+        app.use(mcpAuthRouter({
+            provider,
+            issuerUrl: new URL(appUrl),
+            baseUrl: new URL(appUrl),
+            resourceServerUrl: new URL(`${appUrl}/mcp`),
+            scopesSupported: ['read', 'write', 'admin'],
+            resourceName: 'ARC-1 SAP MCP Server',
+        }));
+        // Protected MCP endpoint with chained token verification
+        app.all('/mcp', bearerAuth, mcpHandler);
+        logger.info('XSUAA OAuth proxy enabled', {
+            xsappname: xsuaaCredentials.xsappname,
+            appUrl,
+        });
+    }
+    else {
+        // ─── Standard Auth Mode (API key / OIDC) ─────────────────
+        if (config.oidcIssuer) {
+            await initJwks(config.oidcIssuer);
+        }
+        // Auth middleware for standard mode
+        const authMiddleware = async (req, res, next) => {
+            const authResult = await checkAuth(req, config);
+            if (!authResult.ok) {
+                res.status(authResult.status).json({ error: authResult.message });
+                return;
+            }
+            next();
+        };
+        app.all('/mcp', authMiddleware, mcpHandler);
+    }
+    // ─── 404 for anything else ─────────────────────────────────
+    app.use((req, res) => {
+        logger.debug('404 Not Found', { method: req.method, path: req.path, url: req.originalUrl });
+        res.status(404).json({ error: 'Not found. Use /mcp for MCP protocol, /health for health check.' });
+    });
+    // ─── Start listening ───────────────────────────────────────
+    app.listen(port, bindHost, () => {
+        let authMode = 'NONE (open)';
+        if (config.xsuaaAuth && xsuaaCredentials)
+            authMode = 'XSUAA OAuth proxy';
+        else if (config.apiKey && config.oidcIssuer)
+            authMode = 'API key + OIDC';
+        else if (config.apiKey)
+            authMode = 'API key';
+        else if (config.oidcIssuer)
+            authMode = 'OIDC';
+        logger.info('ARC-1 HTTP server started', {
+            addr: `${bindHost}:${port}`,
+            health: `http://${bindHost}:${port}/health`,
+            mcp: `http://${bindHost}:${port}/mcp`,
+            auth: authMode,
+        });
+    });
+}
+// ─── OIDC Verifier Factory ───────────────────────────────────────────
+/**
+ * Create an Entra ID / OIDC token verifier using jose.
+ * Returns a function compatible with the chained verifier.
+ */
+async function createOidcVerifier(config) {
+    await initJwks(config.oidcIssuer);
+    return async (token) => {
+        if (!joseModule || !jwksClient) {
+            throw new Error('OIDC not initialized');
+        }
+        const { payload } = await joseModule.jwtVerify(token, jwksClient, {
+            issuer: config.oidcIssuer,
+            audience: config.oidcAudience,
+        });
+        logger.debug('OIDC JWT validated', { sub: payload.sub, iss: payload.iss });
+        return {
+            token,
+            clientId: payload.azp ?? payload.sub ?? 'oidc-user',
+            scopes: ['read', 'write', 'admin'], // OIDC tokens get full access (scopes managed by OIDC provider)
+            expiresAt: payload.exp,
+            extra: { sub: payload.sub, iss: payload.iss },
+        };
+    };
+}
+/**
+ * Check authentication for standard mode (API key + OIDC).
+ * Used when XSUAA auth is NOT enabled.
+ */
+async function checkAuth(req, config) {
+    // No auth configured — allow all
+    if (!config.apiKey && !config.oidcIssuer) {
+        return { ok: true, status: 200, message: '' };
+    }
+    const authHeader = req.headers.authorization;
+    if (!authHeader?.startsWith('Bearer ')) {
+        return {
+            ok: false,
+            status: 401,
+            message: 'Missing or invalid Authorization header. Expected: Bearer <token>',
+        };
+    }
+    const token = authHeader.slice(7);
+    // API Key check
+    if (config.apiKey) {
+        if (token === config.apiKey) {
+            return { ok: true, status: 200, message: '' };
+        }
+        if (!config.oidcIssuer) {
+            return { ok: false, status: 403, message: 'Invalid API key' };
+        }
+    }
+    // OIDC / JWT validation
+    if (config.oidcIssuer) {
+        try {
+            await validateJwt(token, config);
+            return { ok: true, status: 200, message: '' };
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : 'JWT validation failed';
+            logger.debug('JWT validation failed', { error: msg });
+            return { ok: false, status: 403, message: `Authentication failed: ${msg}` };
+        }
+    }
+    return { ok: false, status: 403, message: 'Authentication failed' };
+}
+/**
+ * Initialize JWKS client from OIDC discovery.
+ */
+async function initJwks(issuer) {
+    if (joseModule)
+        return;
+    try {
+        joseModule = await import('jose');
+        const jwksUri = new URL('.well-known/openid-configuration', issuer.endsWith('/') ? issuer : `${issuer}/`);
+        const discoveryResp = await fetch(jwksUri.toString());
+        const discovery = (await discoveryResp.json());
+        if (!discovery.jwks_uri) {
+            throw new Error(`No jwks_uri in OIDC discovery response from ${jwksUri}`);
+        }
+        jwksClient = joseModule.createRemoteJWKSet(new URL(discovery.jwks_uri));
+        logger.info('OIDC JWKS initialized', { issuer, jwksUri: discovery.jwks_uri });
+    }
+    catch (err) {
+        logger.error('Failed to initialize OIDC JWKS', {
+            issuer,
+            error: err instanceof Error ? err.message : String(err),
+        });
+    }
+}
+/**
+ * Validate a JWT token against the configured OIDC issuer.
+ */
+async function validateJwt(token, config) {
+    if (!joseModule || !jwksClient) {
+        if (config.oidcIssuer) {
+            await initJwks(config.oidcIssuer);
+        }
+        if (!joseModule || !jwksClient) {
+            throw new Error('OIDC not initialized — check SAP_OIDC_ISSUER configuration');
+        }
+    }
+    const { payload } = await joseModule.jwtVerify(token, jwksClient, {
+        issuer: config.oidcIssuer,
+        audience: config.oidcAudience,
+    });
+    logger.debug('JWT validated', {
+        sub: payload.sub,
+        iss: payload.iss,
+        exp: payload.exp,
+    });
+}
+//# sourceMappingURL=http.js.map

package/dist/server/http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../../ts-src/server/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAGH,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AAEnG,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAItC,wEAAwE;AAExE,IAAI,UAAU,GAAiC,IAAI,CAAC;AACpD,IAAI,UAAU,GAAgE,IAAI,CAAC;AAEnF,wEAAwE;AAExE;;;GAGG;AACH,SAAS,gBAAgB,CAAC,aAA8B;IACtD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC3C,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE;YAClC,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;YACxC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI;YACnB,UAAU,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM;YAC5B,MAAM,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE;SACrB,CAAC,CAAC;QACH,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;gBAClD,kBAAkB,EAAE,SAAS,EAAE,iBAAiB;aACjD,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,8DAA8D;YAC9D,uEAAuE;YACvE,qEAAqE;YACrE,kEAAkE;YAClE,qEAAqE;YACrE,oDAAoD;YACpD,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC/F,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,aAA8B,EAC9B,MAAoB,EACpB,gBAAmC;IAEnC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,IAAI,IAAI,SAAS,CAAC;IAEnC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,oEAAoE;IACpE,6DAA6D;IAC7D,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;IAC1B,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACxB,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IAEnD,+DAA+D;IAC/D,2DAA2D;IAC3D,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QAC1B,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE;YAC3B,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;YACxC,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAClD,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa;YACpC,EAAE,EAAE,GAAG,CAAC,EAAE;SACX,CAAC,CAAC;QACH,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,4DAA4D;IAC5D,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC/B,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,4DAA4D;IAC5D,IAAI,MAAM,CAAC,SAAS,IAAI,gBAAgB,EAAE,CAAC;QACzC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,iDAAiD,CAAC,CAAC;QAC1F,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,gEAAgE,CAAC,CAAC;QAC7G,MAAM,EAAE,wBAAwB,EAAE,0BAA0B,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CACrG,YAAY,CACb,CAAC;QACF,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QAEpD,uCAAuC;QACvC,MAAM,MAAM,GAAG,SAAS,EAAE,IAAI,UAAU,QAAQ,IAAI,IAAI,EAAE,CAAC;QAE3D,2CAA2C;QAC3C,MAAM,EAAE,QAAQ,EAAE,GAAG,wBAAwB,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACxE,MAAM,aAAa,GAAG,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACtF,MAAM,eAAe,GAAG,0BAA0B,CAAC,MAAM,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;QAExF,MAAM,UAAU,GAAG,iBAAiB,CAAC,EAAE,QAAQ,EAAE,EAAE,iBAAiB,EAAE,eAAe,EAAE,EAAE,CAAC,CAAC;QAE3F,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,wEAAwE;QACxE,iDAAiD;QACjD,EAAE;QACF,sEAAsE;QACtE,mEAAmE;QACnE,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACvC,2DAA2D;YAC3D,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;gBAC/C,MAAM,CAAC,IAAI,CAAC,oDAAoD,EAAE;oBAChE,SAAS,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM;oBAC1B,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE;oBACf,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACnD,CAAC,CAAC;gBACH,qEAAqE;gBACrE,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAa,EAAE,EAAE;oBACrC,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,GAAG,CAAC,CAAC;wBACV,OAAO;oBACT,CAAC;oBACD,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBACvB,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE;gBACtC,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;gBACxC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI;gBACnB,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;gBAC/C,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;aAClC,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;gBACvF,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC;gBACjD,MAAM,CAAC,KAAK,CAAC,gDAAgD,EAAE;oBAC7D,SAAS,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS;iBAC9B,CAAC,CAAC;YACL,CAAC;YACD,IAAI,EAAE,CAAC;QACT,CAAC,CAAC,CAAC;QAEH,8DAA8D;QAC9D,sEAAsE;QACtE,kEAAkE;QAClE,+DAA+D;QAC/D,6DAA6D;QAC7D,GAAG,CAAC,GAAG,CACL,aAAa,CAAC;YACZ,QAAQ;YACR,SAAS,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC;YAC1B,OAAO,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC;YACxB,iBAAiB,EAAE,IAAI,GAAG,CAAC,GAAG,MAAM,MAAM,CAAC;YAC3C,eAAe,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC;YAC3C,YAAY,EAAE,sBAAsB;SACrC,CAAC,CACH,CAAC;QAEF,yDAAyD;QACzD,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAExC,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;YACvC,SAAS,EAAE,gBAAgB,CAAC,SAAS;YACrC,MAAM;SACP,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,4DAA4D;QAC5D,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC;QAED,oCAAoC;QACpC,MAAM,cAAc,GAAG,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;YAC/E,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YAChD,IAAI,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC;gBACnB,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC;gBAClE,OAAO;YACT,CAAC;YACD,IAAI,EAAE,CAAC;QACT,CAAC,CAAC;QAEF,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,cAAc,EAAE,UAAU,CAAC,CAAC;IAC9C,CAAC;IAED,8DAA8D;IAC9D,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACnB,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5F,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iEAAiE,EAAE,CAAC,CAAC;IACrG,CAAC,CAAC,CAAC;IAEH,8DAA8D;IAC9D,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE;QAC9B,IAAI,QAAQ,GAAG,aAAa,CAAC;QAC7B,IAAI,MAAM,CAAC,SAAS,IAAI,gBAAgB;YAAE,QAAQ,GAAG,mBAAmB,CAAC;aACpE,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU;YAAE,QAAQ,GAAG,gBAAgB,CAAC;aACpE,IAAI,MAAM,CAAC,MAAM;YAAE,QAAQ,GAAG,SAAS,CAAC;aACxC,IAAI,MAAM,CAAC,UAAU;YAAE,QAAQ,GAAG,MAAM,CAAC;QAE9C,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;YACvC,IAAI,EAAE,GAAG,QAAQ,IAAI,IAAI,EAAE;YAC3B,MAAM,EAAE,UAAU,QAAQ,IAAI,IAAI,SAAS;YAC3C,GAAG,EAAE,UAAU,QAAQ,IAAI,IAAI,MAAM;YACrC,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,wEAAwE;AAExE;;;GAGG;AACH,KAAK,UAAU,kBAAkB,CAC/B,MAAoB;IAEpB,MAAM,QAAQ,CAAC,MAAM,CAAC,UAAW,CAAC,CAAC;IAEnC,OAAO,KAAK,EAAE,KAAa,EAAE,EAAE;QAC7B,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE;YAChE,MAAM,EAAE,MAAM,CAAC,UAAU;YACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;SAC9B,CAAC,CAAC;QAEH,MAAM,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAE3E,OAAO;YACL,KAAK;YACL,QAAQ,EAAG,OAAO,CAAC,GAAc,IAAK,OAAO,CAAC,GAAc,IAAI,WAAW;YAC3E,MAAM,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,gEAAgE;YACpG,SAAS,EAAE,OAAO,CAAC,GAAG;YACtB,KAAK,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;SAC9C,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAUD;;;GAGG;AACH,KAAK,UAAU,SAAS,CAAC,GAAY,EAAE,MAAoB;IACzD,iCAAiC;IACjC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAChD,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7C,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACvC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,mEAAmE;SAC7E,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAElC,gBAAgB;IAChB,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,IAAI,KAAK,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;YAC5B,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChD,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YACvB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;QAChE,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YACjC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC;YACzE,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,0BAA0B,GAAG,EAAE,EAAE,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;AACtE,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,QAAQ,CAAC,MAAc;IACpC,IAAI,UAAU;QAAE,OAAO;IAEvB,IAAI,CAAC;QACH,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,kCAAkC,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;QAC1G,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QACtD,MAAM,SAAS,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAAyB,CAAC;QAEvE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,+CAA+C,OAAO,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED,UAAU,GAAG,UAAU,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxE,MAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE;YAC7C,MAAM;YACN,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,WAAW,CAAC,KAAa,EAAE,MAAoB;IAC5D,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;QAC/B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE;QAChE,MAAM,EAAE,MAAM,CAAC,UAAU;QACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;KAC9B,CAAC,CAAC;IAEH,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE;QAC5B,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;KACjB,CAAC,CAAC;AACL,CAAC"}

package/dist/server/logger.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Logger for ARC-1.
+ *
+ * Critical: ALL output goes to stderr, never stdout.
+ * stdout is reserved for the MCP JSON-RPC stream (stdio transport).
+ * Using console.log() would corrupt the MCP protocol.
+ *
+ * Supports two output formats:
+ * - 'text': human-readable for local development
+ * - 'json': structured for cloud deployments (CF, K8s, Datadog)
+ *
+ * Architecture: the Logger dispatches to registered LogSinks.
+ * StderrSink is always active. FileSink and BTPAuditLogSink are optional.
+ *
+ * The emitAudit() method writes structured audit events to ALL sinks
+ * (file/BTP sinks receive all events regardless of stderr level filter).
+ *
+ * Per OWASP MCP guide and Datadog recommendations, every log entry
+ * includes timestamp and level. Tool call logs include correlation
+ * context (session ID, tool name, duration).
+ */
+import type { AuditEvent } from './audit.js';
+import { type LogFormat as SinkLogFormat } from './sinks/stderr.js';
+import type { LogSink } from './sinks/types.js';
+export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
+export type LogFormat = SinkLogFormat;
+export interface LogContext {
+    [key: string]: unknown;
+}
+export declare class Logger {
+    private format;
+    private minLevel;
+    private sinks;
+    constructor(format?: LogFormat, verbose?: boolean);
+    /** Add a log sink (file, BTP audit log, etc.) */
+    addSink(sink: LogSink): void;
+    /** Get all registered sinks (for testing) */
+    getSinks(): readonly LogSink[];
+    debug(message: string, context?: LogContext): void;
+    info(message: string, context?: LogContext): void;
+    warn(message: string, context?: LogContext): void;
+    error(message: string, context?: LogContext): void;
+    /**
+     * Emit a structured audit event to all sinks.
+     * Each sink handles its own level filtering.
+     * Automatically attaches requestId from AsyncLocalStorage context.
+     */
+    emitAudit(event: AuditEvent): void;
+    /** Flush all sinks (for graceful shutdown) */
+    flush(): Promise<void>;
+    private write;
+}
+/** Global logger instance — initialized during server startup */
+export declare let logger: Logger;
+/** Initialize the global logger with server configuration */
+export declare function initLogger(format: LogFormat, verbose: boolean): void;
+//# sourceMappingURL=logger.d.ts.map

package/dist/server/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../ts-src/server/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,OAAO,EAAE,KAAK,SAAS,IAAI,aAAa,EAAc,MAAM,mBAAmB,CAAC;AAChF,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAEhD,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAC3D,MAAM,MAAM,SAAS,GAAG,aAAa,CAAC;AAEtC,MAAM,WAAW,UAAU;IACzB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AASD,qBAAa,MAAM;IAKf,OAAO,CAAC,MAAM;IAJhB,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,KAAK,CAAY;gBAGf,MAAM,GAAE,SAAkB,EAClC,OAAO,GAAE,OAAe;IAO1B,iDAAiD;IACjD,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI;IAI5B,6CAA6C;IAC7C,QAAQ,IAAI,SAAS,OAAO,EAAE;IAI9B,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,UAAU,GAAG,IAAI;IAIlD,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,UAAU,GAAG,IAAI;IAIjD,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,UAAU,GAAG,IAAI;IAIjD,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,UAAU,GAAG,IAAI;IAIlD;;;;OAIG;IACH,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;IAmBlC,8CAA8C;IACxC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAI5B,OAAO,CAAC,KAAK;CAoBd;AAkBD,iEAAiE;AACjE,eAAO,IAAI,MAAM,QAA4B,CAAC;AAE9C,6DAA6D;AAC7D,wBAAgB,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAEpE"}

package/dist/server/logger.js

@@ -0,0 +1,129 @@
+/**
+ * Logger for ARC-1.
+ *
+ * Critical: ALL output goes to stderr, never stdout.
+ * stdout is reserved for the MCP JSON-RPC stream (stdio transport).
+ * Using console.log() would corrupt the MCP protocol.
+ *
+ * Supports two output formats:
+ * - 'text': human-readable for local development
+ * - 'json': structured for cloud deployments (CF, K8s, Datadog)
+ *
+ * Architecture: the Logger dispatches to registered LogSinks.
+ * StderrSink is always active. FileSink and BTPAuditLogSink are optional.
+ *
+ * The emitAudit() method writes structured audit events to ALL sinks
+ * (file/BTP sinks receive all events regardless of stderr level filter).
+ *
+ * Per OWASP MCP guide and Datadog recommendations, every log entry
+ * includes timestamp and level. Tool call logs include correlation
+ * context (session ID, tool name, duration).
+ */
+import { getCurrentContext } from './context.js';
+import { StderrSink } from './sinks/stderr.js';
+const LEVEL_PRIORITY = {
+    debug: 0,
+    info: 1,
+    warn: 2,
+    error: 3,
+};
+export class Logger {
+    format;
+    minLevel;
+    sinks;
+    constructor(format = 'text', verbose = false) {
+        this.format = format;
+        this.minLevel = verbose ? LEVEL_PRIORITY.debug : LEVEL_PRIORITY.info;
+        // Default: stderr only
+        this.sinks = [new StderrSink(format, verbose ? 'debug' : 'info')];
+    }
+    /** Add a log sink (file, BTP audit log, etc.) */
+    addSink(sink) {
+        this.sinks.push(sink);
+    }
+    /** Get all registered sinks (for testing) */
+    getSinks() {
+        return this.sinks;
+    }
+    debug(message, context) {
+        this.write('debug', message, context);
+    }
+    info(message, context) {
+        this.write('info', message, context);
+    }
+    warn(message, context) {
+        this.write('warn', message, context);
+    }
+    error(message, context) {
+        this.write('error', message, context);
+    }
+    /**
+     * Emit a structured audit event to all sinks.
+     * Each sink handles its own level filtering.
+     * Automatically attaches requestId from AsyncLocalStorage context.
+     */
+    emitAudit(event) {
+        // Attach requestId from context if not already set
+        if (!event.requestId) {
+            const ctx = getCurrentContext();
+            if (ctx) {
+                event.requestId = ctx.requestId;
+                if (!event.user && ctx.user)
+                    event.user = ctx.user;
+            }
+        }
+        for (const sink of this.sinks) {
+            try {
+                sink.write(event);
+            }
+            catch {
+                // Sinks must not throw — but if they do, don't crash the server
+            }
+        }
+    }
+    /** Flush all sinks (for graceful shutdown) */
+    async flush() {
+        await Promise.all(this.sinks.map((s) => s.flush?.()));
+    }
+    write(level, message, context) {
+        if (LEVEL_PRIORITY[level] < this.minLevel)
+            return;
+        // Redact sensitive fields from context
+        const safeContext = context ? redactSensitive(context) : undefined;
+        if (this.format === 'json') {
+            const entry = {
+                timestamp: new Date().toISOString(),
+                level,
+                message,
+                ...safeContext,
+            };
+            process.stderr.write(`${JSON.stringify(entry)}\n`);
+        }
+        else {
+            const ts = new Date().toISOString();
+            const ctx = safeContext ? ` ${JSON.stringify(safeContext)}` : '';
+            process.stderr.write(`[${ts}] ${level.toUpperCase()}: ${message}${ctx}\n`);
+        }
+    }
+}
+/** Redact known sensitive fields to prevent credential leakage in logs */
+function redactSensitive(context) {
+    const sensitiveKeys = ['password', 'token', 'cookie', 'authorization', 'secret', 'csrf'];
+    const result = {};
+    for (const [key, value] of Object.entries(context)) {
+        if (sensitiveKeys.some((s) => key.toLowerCase().includes(s))) {
+            result[key] = '[REDACTED]';
+        }
+        else {
+            result[key] = value;
+        }
+    }
+    return result;
+}
+/** Global logger instance — initialized during server startup */
+export let logger = new Logger('text', false);
+/** Initialize the global logger with server configuration */
+export function initLogger(format, verbose) {
+    logger = new Logger(format, verbose);
+}
+//# sourceMappingURL=logger.js.map

package/dist/server/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../ts-src/server/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAmC,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAUhF,MAAM,cAAc,GAA6B;IAC/C,KAAK,EAAE,CAAC;IACR,IAAI,EAAE,CAAC;IACP,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,MAAM,OAAO,MAAM;IAKP;IAJF,QAAQ,CAAS;IACjB,KAAK,CAAY;IAEzB,YACU,SAAoB,MAAM,EAClC,UAAmB,KAAK;QADhB,WAAM,GAAN,MAAM,CAAoB;QAGlC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC;QACrE,uBAAuB;QACvB,IAAI,CAAC,KAAK,GAAG,CAAC,IAAI,UAAU,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,iDAAiD;IACjD,OAAO,CAAC,IAAa;QACnB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;IAED,6CAA6C;IAC7C,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,OAAoB;QACzC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,CAAC,OAAe,EAAE,OAAoB;QACxC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,CAAC,OAAe,EAAE,OAAoB;QACxC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,OAAoB;QACzC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAED;;;;OAIG;IACH,SAAS,CAAC,KAAiB;QACzB,mDAAmD;QACnD,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;YACrB,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;YAChC,IAAI,GAAG,EAAE,CAAC;gBACR,KAAK,CAAC,SAAS,GAAG,GAAG,CAAC,SAAS,CAAC;gBAChC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI;oBAAE,KAAK,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;YACrD,CAAC;QACH,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YACpB,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;YAClE,CAAC;QACH,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,KAAK,CAAC,KAAK;QACT,MAAM,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;IAEO,KAAK,CAAC,KAAe,EAAE,OAAe,EAAE,OAAoB;QAClE,IAAI,cAAc,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,QAAQ;YAAE,OAAO;QAElD,uCAAuC;QACvC,MAAM,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnE,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG;gBACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,KAAK;gBACL,OAAO;gBACP,GAAG,WAAW;aACf,CAAC;YACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACrD,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;YACpC,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACjE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,KAAK,OAAO,GAAG,GAAG,IAAI,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;CACF;AAED,0EAA0E;AAC1E,SAAS,eAAe,CAAC,OAAmB;IAC1C,MAAM,aAAa,GAAG,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACzF,MAAM,MAAM,GAAe,EAAE,CAAC;IAE9B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;QAC7B,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,iEAAiE;AACjE,MAAM,CAAC,IAAI,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAE9C,6DAA6D;AAC7D,MAAM,UAAU,UAAU,CAAC,MAAiB,EAAE,OAAgB;IAC5D,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AACvC,CAAC"}

package/dist/server/server.d.ts

@@ -0,0 +1,25 @@
+/**
+ * MCP Server for ARC-1.
+ *
+ * Creates and starts the MCP server with 11 intent-based tools.
+ * Supports two transports:
+ * - stdio (default): for local MCP clients (Claude Desktop, Claude Code, Cursor)
+ * - http-streamable: for remote/containerized deployments
+ */
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import type { BTPConfig, BTPProxyConfig } from '../adt/btp.js';
+import type { ServerConfig } from './types.js';
+/** ARC-1 version */
+export declare const VERSION = "0.1.0";
+/**
+ * Create the MCP server with registered tool handlers.
+ * @param config Server configuration
+ * @param btpProxy Optional BTP connectivity proxy config (resolved at startup)
+ * @param btpConfig Optional BTP service config (for per-user destination lookup)
+ */
+export declare function createServer(config: ServerConfig, btpProxy?: BTPProxyConfig, btpConfig?: BTPConfig): Server;
+/**
+ * Create and start the MCP server.
+ */
+export declare function createAndStartServer(config: ServerConfig): Promise<Server>;
+//# sourceMappingURL=server.d.ts.map

package/dist/server/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../ts-src/server/server.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AAGnE,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAO/D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,oBAAoB;AACpB,eAAO,MAAM,OAAO,UAAU,CAAC;AAoG/B;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,YAAY,EAAE,QAAQ,CAAC,EAAE,cAAc,EAAE,SAAS,CAAC,EAAE,SAAS,GAAG,MAAM,CAwF3G;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAkHhF"}