contractor-license-mcp-server 0.6.4 → 0.8.0

package/README.md

@@ -1,12 +1,12 @@
 # contractor-license-mcp-server
 
-**Real-time contractor license verification across 45 US states.** An [MCP server](https://modelcontextprotocol.io) that lets Claude Desktop, Cursor, and any MCP-compatible AI agent verify a contractor's license, status, expiration, and disciplinary history directly against state licensing board portals.
+**Real-time contractor license verification across all 50 US states + DC, plus 8 major-city contractor licensing portals (Chicago, NYC, Philadelphia, Detroit, Atlanta, Dallas, Las Vegas, Nashville).** An [MCP server](https://modelcontextprotocol.io) that lets Claude Desktop, Claude Code, Cursor, Windsurf, and any MCP-compatible AI agent verify a contractor's license, status, expiration, and disciplinary history directly against licensing board portals.
 
 Send `{state, license_number, trade}` — get back validity, licensee name, expiration date, status, and any disciplinary actions on file. Results are fetched live from official state portals (no stale nightly exports) and cached for 24 hours when active.
 
 ## Why this server
 
-- **45 states** covered via official state licensing board portals, not third-party data aggregators
+- **All 50 US states + DC + 8 major cities** covered via official licensing board portals, not third-party data aggregators
 - **Live lookups** — each verification hits the authoritative portal, so expirations and disciplinary actions are as fresh as the board's own data
 - **Batch verification** — up to 25 licenses per call, run in parallel
 - **Disciplinary history** — returned when the portal exposes it
@@ -14,13 +14,33 @@ Send `{state, license_number, trade}` — get back validity, licensee name, expi
 
 ## Quick start
 
-### Claude Desktop
+### Hosted (recommended)
 
-Add this to your Claude Desktop config:
+No install required. Add this to your Claude Desktop config:
 
 - macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
 - Windows: `%APPDATA%\Claude\claude_desktop_config.json`
 
+```json
+{
+  "mcpServers": {
+    "tradesapi": {
+      "type": "streamable-http",
+      "url": "https://www.tradesapi.com/mcp",
+      "headers": {
+        "Authorization": "Bearer YOUR_API_KEY"
+      }
+    }
+  }
+}
+```
+
+Replace `YOUR_API_KEY` with the key from your dashboard and restart Claude Desktop.
+
+### Local install (alternative)
+
+If you prefer to run the MCP server locally via stdio:
+
 ```json
 {
   "mcpServers": {
@@ -54,15 +74,16 @@ npm install -g contractor-license-mcp-server
 
 ## Tools
 
-### `clv_verify_license`
+### `verify_license`
 
-Verify a single contractor license against a state licensing board portal.
+Verify a single contractor license against the official state (or city) licensing portal.
 
 | Parameter | Required | Description |
 |---|---|---|
 | `state` | yes | Two-letter state code (`CA`, `TX`, `FL`, ...) |
+| `city` | no | Optional city slug to target a municipal portal: `chicago`, `nyc`, `philadelphia`, `detroit`, `atlanta`, `dallas`, `lasvegas`, `nashville`. Lowercase, no spaces. |
 | `license_number` | yes | The license number to verify |
-| `trade` | no | `general`, `electrical`, `plumbing`, `hvac`, `mechanical`, `residential`, or `home_inspection` (defaults to `general`) |
+| `trade` | no | `general`, `electrical`, `plumbing`, `hvac`, `mechanical`, `roofing`, `residential`, ... (defaults to `general`) |
 | `force_refresh` | no | Bypass the 24h cache and re-fetch from the portal |
 | `response_format` | no | `markdown` (default) or `json` |
 
@@ -81,74 +102,45 @@ Verify a single contractor license against a state licensing board portal.
 | Expiration | 05/12/2026               |
 ```
 
-### `clv_batch_verify`
+### `batch_verify`
 
-Verify up to 25 licenses in a single call. Each verification runs independently — partial failures do not block the batch.
+Verify up to 25 licenses in a single call. Each verification runs independently — partial failures do not block the batch. Per-item `city` is supported.
 
 | Parameter | Required | Description |
 |---|---|---|
-| `licenses` | yes | Array of `{ state, license_number, trade }` objects (1–25 items) |
+| `licenses` | yes | Array of `{ state, city?, license_number, trade }` objects (1–25 items) |
 | `response_format` | no | `markdown` (default) or `json` |
 
-### `clv_list_supported_states`
+### `search_by_name`
 
-List all supported states, including portal URLs and available trades. Use this to see which states and trades you can query.
+Fuzzy-match contractors by business or individual name within a single state (or city) database. Costs 2 credits per call.
 
 | Parameter | Required | Description |
 |---|---|---|
+| `state` | yes | Two-letter state code |
+| `city` | no | Optional city slug for municipal databases |
+| `name` | yes | Business or individual name (case-insensitive, partial-match tolerant) |
+| `trade` | no | Trade filter |
+| `limit` | no | Max results (1–50, default 20) |
 | `response_format` | no | `markdown` (default) or `json` |
 
-## Supported states
+Not every state portal supports name search — call `list_supported_states` and check `supports_name_search` per jurisdiction first.
+
+### `list_supported_states`
 
-| Code | State | Trades |
+List every supported jurisdiction with portal URLs, current health, available trades, and registered municipal scrapers nested under each state. Use this to discover what's reachable before constructing other tool calls.
+
+| Parameter | Required | Description |
 |---|---|---|
-| AK | Alaska | general, electrical, mechanical |
-| AL | Alabama | general, electrical, plumbing, hvac, residential |
-| AR | Arkansas | general |
-| AZ | Arizona | general, electrical, plumbing, hvac |
-| CA | California | general, electrical, plumbing, hvac |
-| CO | Colorado | electrical, plumbing |
-| CT | Connecticut | general, electrical, plumbing, hvac |
-| DC | District of Columbia | general |
-| DE | Delaware | electrical, plumbing, hvac |
-| FL | Florida | general, electrical, plumbing, hvac |
-| GA | Georgia | general |
-| HI | Hawaii | general |
-| IA | Iowa | electrical |
-| ID | Idaho | electrical, plumbing, hvac |
-| IL | Illinois | general, electrical, plumbing, hvac |
-| IN | Indiana | plumbing |
-| KY | Kentucky | general, electrical, hvac, plumbing |
-| LA | Louisiana | general |
-| MA | Massachusetts | general, mechanical |
-| MD | Maryland | general, hvac, electrical, plumbing |
-| ME | Maine | electrical, plumbing |
-| MI | Michigan | electrical, plumbing, hvac |
-| MN | Minnesota | general, electrical, plumbing |
-| MS | Mississippi | general |
-| NC | North Carolina | general |
-| ND | North Dakota | general, electrical |
-| NE | Nebraska | general, electrical |
-| NH | New Hampshire | electrical, plumbing |
-| NJ | New Jersey | general, electrical, hvac, plumbing |
-| NM | New Mexico | general, electrical, plumbing, hvac |
-| NV | Nevada | general, electrical, plumbing, hvac |
-| NY | New York | home_inspection |
-| OH | Ohio | general, electrical, plumbing, hvac |
-| OK | Oklahoma | electrical, plumbing, hvac |
-| OR | Oregon | general |
-| PA | Pennsylvania | general, electrical, hvac, plumbing |
-| RI | Rhode Island | general |
-| SC | South Carolina | general, electrical, plumbing, hvac |
-| TN | Tennessee | general, electrical, plumbing |
-| TX | Texas | hvac, electrical, plumbing |
-| UT | Utah | general, electrical, plumbing, hvac |
-| VA | Virginia | general, electrical, plumbing, hvac |
-| VT | Vermont | electrical, plumbing |
-| WA | Washington | general |
-| WV | West Virginia | general, electrical, hvac, plumbing |
-
-Coverage expands continuously. Run `clv_list_supported_states` from your agent for the current list, or see the live state grid at [www.tradesapi.com](https://www.tradesapi.com).
+| `response_format` | no | `markdown` (default) or `json` |
+
+## Coverage
+
+All 50 US states + DC at the state level, plus 8 major-city contractor licensing portals (Chicago, NYC, Philadelphia, Detroit, Atlanta, Dallas, Las Vegas, Nashville).
+
+Run `list_supported_states` from your agent for the live, fetched-fresh-each-call list of supported jurisdictions, available trades per jurisdiction, current portal health, and which states support name search. The MCP package no longer bundles a static state table — what comes back from `list_supported_states` is always current with prod.
+
+You can also see the live state grid at [www.tradesapi.com](https://www.tradesapi.com).
 
 ## Configuration
 
@@ -164,8 +156,8 @@ Each license verification consumes **1 credit**, whether the result is fresh or
 ## Development
 
 ```bash
-git clone https://github.com/Noquarter6/contractor-license-mcp-server.git
-cd contractor-license-mcp-server
+git clone https://github.com/jackunderwood/Contractor-License-Verification.git
+cd Contractor-License-Verification/mcp-server
 npm install
 npm run build
 npm test

package/dist/api.d.ts

@@ -1,4 +1,4 @@
-import type { LicenseResult, SearchResponse } from "./types.js";
+import type { BatchItem, BatchResponse, LicenseResult, SearchResponse, StatesApiResponse } from "./types.js";
 export declare class ApiError extends Error {
     statusCode: number;
     retryAfter?: number | undefined;
@@ -6,14 +6,16 @@ export declare class ApiError extends Error {
 }
 export declare class ApiClient {
     private http;
-    constructor(baseURL: string, apiKey: string);
-    verify(state: string, licenseNumber: string, trade: string): Promise<LicenseResult>;
-    search(state: string, name: string, trade: string, limit: number): Promise<SearchResponse>;
+    constructor(baseURL: string, apiKey: string, extraHeaders?: Record<string, string>);
+    verify(state: string, licenseNumber: string, trade: string, city?: string, forceRefresh?: boolean): Promise<LicenseResult>;
+    batch(items: BatchItem[]): Promise<BatchResponse>;
+    search(state: string, name: string, trade: string, limit: number, city?: string): Promise<SearchResponse>;
     health(): Promise<{
         status: string;
         api: string;
         database: string;
         redis: string;
     }>;
+    states(): Promise<StatesApiResponse>;
     private wrapError;
 }

package/dist/api.js

@@ -11,29 +11,56 @@ export class ApiError extends Error {
 }
 export class ApiClient {
     http;
-    constructor(baseURL, apiKey) {
+    constructor(baseURL, apiKey, extraHeaders = {}) {
+        const headers = { ...extraHeaders };
+        if (apiKey)
+            headers["X-API-Key"] = apiKey;
         this.http = axios.create({
             baseURL,
-            headers: { "X-API-Key": apiKey },
-            timeout: 120_000, // Portal lookups can be slow
+            headers,
+            timeout: 120_000,
         });
     }
-    async verify(state, licenseNumber, trade) {
+    async verify(state, licenseNumber, trade, city, forceRefresh) {
         try {
-            const { data } = await this.http.get("/verify", {
-                params: { state, license: licenseNumber, trade },
-            });
+            const params = { state, license: licenseNumber, trade };
+            if (city)
+                params.city = city;
+            if (forceRefresh)
+                params.fresh = "true";
+            const { data } = await this.http.get("/verify", { params });
             return data;
         }
         catch (err) {
             throw this.wrapError(err);
         }
     }
-    async search(state, name, trade, limit) {
+    async batch(items) {
         try {
-            const { data } = await this.http.get("/search", {
-                params: { state, name, trade, limit },
-            });
+            const body = {
+                licenses: items.map((it) => ({
+                    state: it.state,
+                    ...(it.city ? { city: it.city } : {}),
+                    license: it.license,
+                    trade: it.trade,
+                })),
+            };
+            const { data } = await this.http.post("/batch", body);
+            return {
+                summary: { total: data.total, succeeded: data.succeeded, failed: data.failed },
+                results: data.results,
+            };
+        }
+        catch (err) {
+            throw this.wrapError(err);
+        }
+    }
+    async search(state, name, trade, limit, city) {
+        try {
+            const params = { state, name, trade, limit };
+            if (city)
+                params.city = city;
+            const { data } = await this.http.get("/search", { params });
             return data;
         }
         catch (err) {
@@ -49,6 +76,15 @@ export class ApiClient {
             throw this.wrapError(err);
         }
     }
+    async states() {
+        try {
+            const { data } = await this.http.get("/states");
+            return data;
+        }
+        catch (err) {
+            throw this.wrapError(err);
+        }
+    }
     wrapError(err) {
         if (err.isAxiosError && err.response) {
             const { status, data, headers } = err.response;

package/dist/format.js

@@ -26,23 +26,48 @@ export function formatLicenseResult(result, format) {
     }
     return lines.join("\n");
 }
+function statusIcon(status) {
+    switch (status) {
+        case "healthy":
+            return "OK";
+        case "degraded":
+            return "DEGRADED";
+        case "maintenance":
+            return "MAINTENANCE";
+        default:
+            return "DOWN";
+    }
+}
 export function formatStatesList(states, format) {
+    const allMunis = states.flatMap((s) => s.municipalities ?? []);
     if (format === "json") {
-        return JSON.stringify({ states, total: states.length }, null, 2);
+        return JSON.stringify({
+            total_states: states.length,
+            total_municipalities: allMunis.length,
+            states,
+        }, null, 2);
     }
+    const header = allMunis.length > 0
+        ? `## Supported Jurisdictions (${states.length} states + ${allMunis.length} cities)`
+        : `## Supported States (${states.length} states)`;
     const lines = [
-        `## Supported States (${states.length} states)`,
+        header,
+        "",
+        "### States",
         "",
         "| State | Name | Status | Trades |",
         "|-------|------|--------|--------|",
     ];
     for (const s of states) {
-        const statusIcon = s.status === "healthy"
-            ? "OK"
-            : s.status === "degraded"
-                ? "DEGRADED"
-                : "DOWN";
-        lines.push(`| ${s.code} | ${s.name} | ${statusIcon} | ${s.trades.join(", ")} |`);
+        lines.push(`| ${s.code} | ${s.name} | ${statusIcon(s.status)} | ${s.trades.join(", ")} |`);
+    }
+    if (allMunis.length > 0) {
+        lines.push("", "### Cities (municipal scrapers)", "");
+        lines.push("| Code | City | Parent State | Status | Trades |");
+        lines.push("|------|------|--------------|--------|--------|");
+        for (const m of allMunis) {
+            lines.push(`| ${m.code} | ${m.city} | ${m.parent_state} | ${statusIcon(m.status)} | ${m.trades.join(", ")} |`);
+        }
     }
     return lines.join("\n");
 }

package/dist/http.d.ts

@@ -0,0 +1,9 @@
+export interface AuthResult {
+    /** api_key_id when authenticated via JWT, or undefined when authenticated via raw API key */
+    apiKeyId?: string;
+    /** Raw token (either JWT or raw API key) — used to build ApiClient */
+    token: string;
+    /** True if this was a JWT (and therefore Node uses X-Internal-Secret + X-Api-Key-Id when calling FastAPI) */
+    isJwt: boolean;
+}
+export declare function sessionIdentity(auth: AuthResult): string;

package/dist/http.js

@@ -0,0 +1,274 @@
+import express from "express";
+import cookieParser from "cookie-parser";
+import { createHash, randomUUID } from "node:crypto";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
+import { ApiClient } from "./api.js";
+import { createServer } from "./server.js";
+import { OAuthProvider } from "./oauth/provider.js";
+import { oauthCallbackRouter } from "./oauth/callback.js";
+import { verifyAccessToken, looksLikeJwt } from "./oauth/jwt.js";
+const API_URL = process.env.CLV_API_URL ?? "http://127.0.0.1:8000";
+const INTERNAL_SECRET = process.env.INTERNAL_SECRET ?? "";
+const PORT = parseInt(process.env.MCP_PORT ?? "3001", 10);
+const ISSUER = process.env.OAUTH_ISSUER ?? "https://www.tradesapi.com";
+const RESOURCE = process.env.OAUTH_RESOURCE ?? "https://www.tradesapi.com/mcp";
+const BASE_URL = process.env.OAUTH_BASE_URL ?? "https://www.tradesapi.com";
+const SESSION_TTL_MS = 30 * 60 * 1000;
+const REAP_INTERVAL_MS = 60 * 1000;
+const sessions = new Map();
+function touchSession(sessionId) {
+    const entry = sessions.get(sessionId);
+    if (entry)
+        entry.lastActivity = Date.now();
+}
+// Keep a handle so future graceful-shutdown logic can clearInterval(reaper).
+const reaper = setInterval(() => {
+    const now = Date.now();
+    for (const [sid, entry] of sessions) {
+        if (now - entry.lastActivity > SESSION_TTL_MS) {
+            entry.transport.close?.();
+            sessions.delete(sid);
+        }
+    }
+}, REAP_INTERVAL_MS);
+void reaper;
+// Fail-fast if critical OAuth env vars are missing/weak in production.
+// FastAPI hard-fails on INTERNAL_SECRET < 32 chars and on every
+// JWT_SECRET rotation key < 32 chars; mirror both checks here so a
+// misconfigured deploy crashes at boot rather than minting weak tokens
+// or 401ing silently.
+if (process.env.NODE_ENV === "production") {
+    if (!INTERNAL_SECRET || INTERNAL_SECRET.length < 32) {
+        console.error("FATAL: INTERNAL_SECRET must be set and >= 32 characters in production");
+        process.exit(1);
+    }
+    const jwtKeys = (process.env.JWT_SECRET ?? "")
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean);
+    if (jwtKeys.length === 0) {
+        console.error("FATAL: JWT_SECRET must be set in production");
+        process.exit(1);
+    }
+    for (const k of jwtKeys) {
+        if (k.length < 32) {
+            console.error("FATAL: every JWT_SECRET rotation key must be >= 32 characters in production");
+            process.exit(1);
+        }
+    }
+}
+const app = express();
+const oauthProvider = new OAuthProvider();
+app.use(cookieParser());
+// Expose Mcp-Session-Id header to browsers (existing behavior)
+app.use((_req, res, next) => {
+    res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id");
+    next();
+});
+// ── OAuth endpoints (root-mounted) ─────────────────────────────────────────
+// mcpAuthRouter handles /authorize, /token, /register, /revoke, /.well-known/*
+app.use(mcpAuthRouter({
+    provider: oauthProvider,
+    issuerUrl: new URL(ISSUER),
+    baseUrl: new URL(BASE_URL),
+    resourceServerUrl: new URL(RESOURCE),
+    scopesSupported: ["mcp:tools"],
+    resourceName: "TradesAPI Contractor License Verification",
+}));
+// Custom routes not handled by the SDK
+app.use(oauthCallbackRouter(oauthProvider));
+// JSON body parser for /mcp endpoint (AFTER OAuth; token/register need urlencoded)
+app.use(express.json());
+function extractBearer(req) {
+    const auth = req.headers.authorization;
+    if (!auth?.startsWith("Bearer "))
+        return null;
+    return auth.slice(7);
+}
+function sendUnauthorized(res, reason) {
+    const resourceMeta = `${BASE_URL}/.well-known/oauth-protected-resource/mcp`;
+    res.setHeader("WWW-Authenticate", `Bearer resource_metadata="${resourceMeta}", error="invalid_token", error_description="${reason}"`);
+    res.status(401).json({
+        jsonrpc: "2.0",
+        error: { code: -32001, message: reason },
+        id: null,
+    });
+}
+async function requireAuth(req, res) {
+    const token = extractBearer(req);
+    if (!token) {
+        sendUnauthorized(res, "Missing Authorization: Bearer <token>");
+        return null;
+    }
+    if (looksLikeJwt(token)) {
+        try {
+            // ── DEVIATION: pass ISSUER as 3rd arg (design doc requires iss check;
+            // same fix as Task 9 where jwt.ts's expectedIssuer param was added).
+            const info = await verifyAccessToken(token, RESOURCE, ISSUER);
+            // `sub` is always set by _mintPair (Task 9). Fail loud if it isn't —
+            // falling back to info.clientId would silently promote the OAuth client
+            // (Claude Desktop etc.) into FastAPI's X-Api-Key-Id position.
+            const apiKeyId = info.extra?.sub;
+            if (!apiKeyId) {
+                sendUnauthorized(res, "Invalid or expired access token");
+                return null;
+            }
+            req.auth = info;
+            return { apiKeyId, token, isJwt: true };
+        }
+        catch {
+            // ── DEVIATION: drop `err: any` (tsconfig strict — same fix as Task 6
+            // review). We log nothing here; the WWW-Authenticate error_description
+            // is the user-visible signal. jwt.ts already sanitizes leaked claims.
+            sendUnauthorized(res, "Invalid or expired access token");
+            return null;
+        }
+    }
+    // Raw API key — pass through as before
+    return { token, isJwt: false };
+}
+function buildApiClient(auth) {
+    if (auth.isJwt && auth.apiKeyId) {
+        // JWT-authenticated: use internal headers
+        return new ApiClient(API_URL, "", {
+            "X-Internal-Secret": INTERNAL_SECRET,
+            "X-Api-Key-Id": auth.apiKeyId,
+        });
+    }
+    // Raw API key
+    return new ApiClient(API_URL, auth.token);
+}
+export function sessionIdentity(auth) {
+    if (auth.isJwt && auth.apiKeyId)
+        return auth.apiKeyId;
+    return createHash("sha256").update(auth.token).digest("hex");
+}
+// ── MCP endpoint (POST / GET / DELETE) ─────────────────────────────────────
+app.post("/mcp", async (req, res) => {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return;
+    const sessionId = req.headers["mcp-session-id"];
+    if (sessionId) {
+        const entry = sessions.get(sessionId);
+        if (!entry) {
+            res.status(404).json({
+                jsonrpc: "2.0",
+                error: { code: -32000, message: "Session not found. Send an initialize request to start a new session." },
+                id: null,
+            });
+            return;
+        }
+        // Reject cross-account session hijack: the bearer token's identity must
+        // match the identity the session was initialized with.
+        if (entry.identity !== sessionIdentity(auth)) {
+            res.status(403).json({
+                jsonrpc: "2.0",
+                error: { code: -32002, message: "Session does not match authenticated identity" },
+                id: null,
+            });
+            return;
+        }
+        touchSession(sessionId);
+        await entry.transport.handleRequest(req, res, req.body);
+        return;
+    }
+    if (!isInitializeRequest(req.body)) {
+        res.status(400).json({
+            jsonrpc: "2.0",
+            error: { code: -32600, message: "First request must be an initialize request (no Mcp-Session-Id header found)" },
+            id: null,
+        });
+        return;
+    }
+    const transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: () => randomUUID(),
+        onsessioninitialized: (sid) => {
+            sessions.set(sid, {
+                transport,
+                lastActivity: Date.now(),
+                identity: sessionIdentity(auth),
+            });
+        },
+    });
+    transport.onclose = () => {
+        const sid = transport.sessionId;
+        if (sid)
+            sessions.delete(sid);
+    };
+    const client = buildApiClient(auth);
+    const server = createServer(client);
+    await server.connect(transport);
+    await transport.handleRequest(req, res, req.body);
+});
+app.get("/mcp", async (req, res) => {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return;
+    const sessionId = req.headers["mcp-session-id"];
+    if (!sessionId) {
+        res.status(400).json({
+            jsonrpc: "2.0",
+            error: { code: -32000, message: "Mcp-Session-Id header required for SSE stream" },
+            id: null,
+        });
+        return;
+    }
+    const entry = sessions.get(sessionId);
+    if (!entry) {
+        res.status(404).json({
+            jsonrpc: "2.0",
+            error: { code: -32000, message: "Session not found" },
+            id: null,
+        });
+        return;
+    }
+    // Reject cross-account session hijack: the bearer token's identity must
+    // match the identity the session was initialized with.
+    if (entry.identity !== sessionIdentity(auth)) {
+        res.status(403).json({
+            jsonrpc: "2.0",
+            error: { code: -32002, message: "Session does not match authenticated identity" },
+            id: null,
+        });
+        return;
+    }
+    touchSession(sessionId);
+    await entry.transport.handleRequest(req, res);
+});
+app.delete("/mcp", async (req, res) => {
+    const auth = await requireAuth(req, res);
+    if (!auth)
+        return;
+    const sessionId = req.headers["mcp-session-id"];
+    if (!sessionId) {
+        res.status(400).json({ jsonrpc: "2.0", error: { code: -32000, message: "Mcp-Session-Id header required" }, id: null });
+        return;
+    }
+    const entry = sessions.get(sessionId);
+    if (!entry) {
+        res.status(404).json({ jsonrpc: "2.0", error: { code: -32000, message: "Session not found" }, id: null });
+        return;
+    }
+    // Reject cross-account session hijack: the bearer token's identity must
+    // match the identity the session was initialized with.
+    if (entry.identity !== sessionIdentity(auth)) {
+        res.status(403).json({
+            jsonrpc: "2.0",
+            error: { code: -32002, message: "Session does not match authenticated identity" },
+            id: null,
+        });
+        return;
+    }
+    await entry.transport.handleRequest(req, res);
+});
+app.get("/mcp/health", (_req, res) => {
+    res.json({ status: "ok", sessions: sessions.size });
+});
+app.listen(PORT, () => {
+    console.log(`MCP HTTP server listening on port ${PORT}`);
+    console.log(`API backend: ${API_URL}`);
+    console.log(`OAuth issuer: ${ISSUER}`);
+});