fa-mcp-sdk 0.4.141 → 0.11.2

package/config/_local.yaml

@@ -252,6 +252,16 @@ mcp:
     maxRequests: 100
     #> Rate limit window length in milliseconds (1 minute)
     windowMs: 60000
+    scope: subject
+    maxConcurrentPerSubject: 16
+  #> Hard ceilings enforced by the HTTP transport (standard §14).
+  limits:
+    #> Max accepted JSON / urlencoded request body, bytes. Default 1 MiB.
+    maxPayloadBytes: 1048576
+    #> Max serialized tool result, bytes. Default 10 MiB.
+    maxToolResultBytes: 10485760
+    #> Per-tool execution timeout, milliseconds. Default 30 s.
+    toolTimeoutMs: 30000
   #> Tool listing and response behavior
   tools:
     #> Response format configuration.
@@ -267,6 +277,36 @@ mcp:
     logFile: ''
     #> Register built-in MCP App / test helper tools. Default: false.
     builtinTools: false
+  #> Standard §8.4 — server-side pagination. See default.yaml for full documentation.
+  pagination:
+    pageSize: 100
+  #> Standard §11.5 — optional MAY resource capabilities.
+  resources:
+    subscribeEnabled: false
+    templatesEnabled: false
+  #> Standard §15.2 + §8.2 — MCP `logging` capability.
+  logging:
+    enabled: true
+    defaultLevel: info
+    maxBodyBytes: 4096
+  #> Standard §8.6 — notifications/progress throttle.
+  progress:
+    throttleMs: 100
+  #> Standard §8.2 (MAY) — completion/complete capability. Off by default; see default.yaml.
+  completions:
+    enabled: false
+  #> Standard §8.7 (MAY) — task-augmented execution. Off by default; see default.yaml.
+  tasks:
+    enabled: false
+    defaultTtlMs: 3600000
+    minTtlMs: 0
+    maxTtlMs: 86400000
+    pollIntervalMs: 1000
+    maxTasks: 1000
+  #> Standard §6 (MAY) — Streamable HTTP SSE stream resumability via Last-Event-ID. Off by default.
+  sse:
+    resumability: false
+    maxStoredEvents: 1000
 
 #> Swagger / OpenAPI documentation settings
 swagger:
@@ -288,8 +328,10 @@ uiColor:
 
 #> HTTP server hosting MCP, admin panel, agent tester, swagger and health endpoints
 webServer:
-  #> Bind address for the HTTP server
-  host: '0.0.0.0'
+  #> Bind address for the HTTP server.
+  #> Default: '127.0.0.1' — loopback only (safer default, standard §6).
+  #> Set to '0.0.0.0' explicitly to listen on every interface.
+  host: '127.0.0.1'
   #> TCP port for the HTTP server
   port: {{port}}
   #> Array of hosts that CORS skips
@@ -315,17 +357,13 @@ webServer:
     permanentServerTokens: [ 'token' ]
 
     #> ========================================================================
-    #> JWT TOKEN — standard signed JWT (HS256)
-    #> Tokens issued by this SDK are standard 3-segment JWTs `header.payload.signature`.
-    #> The verifier also temporarily accepts pre-migration legacy tokens
-    #> (`<expire_ms>.<hex>` AES-256-CTR format) for backward compatibility.
-    #> CPU cost: Medium — signature verification + JSON parsing
-    #>
-    #> To enable this authentication, you need to set auth.enabled = true and set
-    #> encryptKey to at least 8 characters (used as the HS256 signing secret).
+    #> JWT TOKEN
+    #> See config/default.yaml for full mode documentation. Modes:
+    #>   legacyAesCtr (default) | embedded | localKey | remoteJwks
     #> ========================================================================
     jwtToken:
-      #> HS256 signing secret used to sign/verify tokens for this MCP (minimum 8 chars)
+      mode: legacyAesCtr
+      #> HS256 signing secret — used ONLY by legacyAesCtr mode (minimum 8 chars).
       encryptKey: {{webServer.auth.token.encryptKey}}
       #> If webServer.auth.enabled and the parameter true, the service name and the service specified in the token will be checked
       checkMCPName: {{webServer.auth.token.checkMCPName}}
@@ -335,6 +373,19 @@ webServer:
       #> Optional JWT `iss` claim. When non-empty, the generator stamps it and the verifier requires it.
       issuer: ''
 
+      #> -------- Modes embedded / localKey / remoteJwks --------
+      algorithm: ES256
+      keyStoragePath: './keys'
+      publicKeyPath: ''
+      privateKeyPath: ''
+      jwksUri: ''
+      expectedIssuer: ''
+      expectedAudience: ''
+      jwksCacheTtl: 600
+      jwksCooldown: 30
+      clockSkew: 30
+      defaultTtl: 1800
+
     #> ========================================================================
     #> Basic Authentication — Base64 encoded username:password
     #> CPU cost: Medium — Base64 decoding + string comparison
@@ -367,3 +418,14 @@ webServer:
   #> Requires valid Authorization header (any method configured in webServer.auth).
   #> ========================================================================
   genJwtApiEnable: false
+
+  tokenCheck:
+    allowQueryToken: false
+
+  trustProxy: false
+
+  #> Standard §15.3 — Prometheus metrics endpoint (opt-in).
+  metrics:
+    enabled: false
+    path: '/metrics'
+    includeProcessMetrics: true

package/config/custom-environment-variables.yaml

@@ -43,6 +43,20 @@ mcp:
   rateLimit:
     maxRequests: MCP_RATE_LIMIT_MAX_REQUESTS
     windowMs: MCP_RATE_LIMIT_WINDOW_MS
+    scope: MCP_RATE_LIMIT_SCOPE
+    maxConcurrentPerSubject:
+      __name: MCP_RATE_LIMIT_MAX_CONCURRENT_PER_SUBJECT
+      __format: number
+  limits:
+    maxPayloadBytes:
+      __name: MCP_LIMITS_MAX_PAYLOAD_BYTES
+      __format: number
+    maxToolResultBytes:
+      __name: MCP_LIMITS_MAX_TOOL_RESULT_BYTES
+      __format: number
+    toolTimeoutMs:
+      __name: MCP_LIMITS_TOOL_TIMEOUT_MS
+      __format: number
   tools:
     answerAs: MCP_TOOLS_ANSWER_AS
     hideAnnotations: MCP_TOOLS_HIDE_ANNOTATIONS
@@ -51,6 +65,59 @@ mcp:
     builtinTools:
       __name: MCP_DEBUG_BUILTIN_TOOLS
       __format: boolean
+  pagination:
+    pageSize:
+      __name: MCP_PAGINATION_PAGE_SIZE
+      __format: number
+  resources:
+    subscribeEnabled:
+      __name: MCP_RESOURCES_SUBSCRIBE_ENABLED
+      __format: boolean
+    templatesEnabled:
+      __name: MCP_RESOURCES_TEMPLATES_ENABLED
+      __format: boolean
+  logging:
+    enabled:
+      __name: MCP_LOGGING_ENABLED
+      __format: boolean
+    defaultLevel: MCP_LOGGING_DEFAULT_LEVEL
+    maxBodyBytes:
+      __name: MCP_LOGGING_MAX_BODY_BYTES
+      __format: number
+  progress:
+    throttleMs:
+      __name: MCP_PROGRESS_THROTTLE_MS
+      __format: number
+  completions:
+    enabled:
+      __name: MCP_COMPLETIONS_ENABLED
+      __format: boolean
+  tasks:
+    enabled:
+      __name: MCP_TASKS_ENABLED
+      __format: boolean
+    defaultTtlMs:
+      __name: MCP_TASKS_DEFAULT_TTL_MS
+      __format: number
+    minTtlMs:
+      __name: MCP_TASKS_MIN_TTL_MS
+      __format: number
+    maxTtlMs:
+      __name: MCP_TASKS_MAX_TTL_MS
+      __format: number
+    pollIntervalMs:
+      __name: MCP_TASKS_POLL_INTERVAL_MS
+      __format: number
+    maxTasks:
+      __name: MCP_TASKS_MAX_TASKS
+      __format: number
+  sse:
+    resumability:
+      __name: MCP_SSE_RESUMABILITY
+      __format: boolean
+    maxStoredEvents:
+      __name: MCP_SSE_MAX_STORED_EVENTS
+      __format: number
 
 uiColor:
   primary: UI_COLOR_PRIMARY
@@ -62,11 +129,46 @@ webServer:
     enabled: WS_AUTH_ENABLED
     permanentServerTokens: WS_SERVER_TOKENS # comma separated list
     jwtToken:
+      mode: WS_JWT_MODE                      # legacyAesCtr | embedded | localKey | remoteJwks
       encryptKey: WS_TOKEN_ENCRYPT_KEY
       checkMCPName: WS_CHECK_MC_NAME
       isCheckIP: WS_JWT_CHECK_IP
       issuer: WS_JWT_ISSUER
+      algorithm: WS_JWT_ALGORITHM            # ES256 | RS256
+      keyStoragePath: WS_JWT_KEY_STORAGE_PATH
+      publicKeyPath: WS_JWT_PUBLIC_KEY_PATH
+      privateKeyPath: WS_JWT_PRIVATE_KEY_PATH
+      jwksUri: WS_JWT_JWKS_URI
+      expectedIssuer: WS_JWT_EXPECTED_ISSUER
+      expectedAudience: WS_JWT_EXPECTED_AUDIENCE
+      jwksCacheTtl:
+        __name: WS_JWT_JWKS_CACHE_TTL
+        __format: number
+      jwksCooldown:
+        __name: WS_JWT_JWKS_COOLDOWN
+        __format: number
+      clockSkew:
+        __name: WS_JWT_CLOCK_SKEW
+        __format: number
+      defaultTtl:
+        __name: WS_JWT_DEFAULT_TTL
+        __format: number
     basic:
       username: WS_AUTH_BASIC_USERNAME
       password: WS_AUTH_BASIC_PASSWORD
   genJwtApiEnable: WS_GEN_JWT_API_ENABLE
+  tokenCheck:
+    allowQueryToken:
+      __name: WS_TOKEN_CHECK_ALLOW_QUERY
+      __format: boolean
+  trustProxy:
+    __name: WS_TRUST_PROXY
+    __format: boolean
+  metrics:
+    enabled:
+      __name: WS_METRICS_ENABLED
+      __format: boolean
+    path: WS_METRICS_PATH
+    includeProcessMetrics:
+      __name: WS_METRICS_INCLUDE_PROCESS
+      __format: boolean

package/config/default.yaml

@@ -249,6 +249,23 @@ mcp:
     maxRequests: 100
     #> Rate limit window length in milliseconds (1 minute)
     windowMs: 60000
+    #> Standard §14 — 'subject' counts requests per JWT `sub` (fallback to IP when no JWT).
+    #> 'ip' = legacy behavior. Default: 'subject'.
+    scope: subject
+    #> Max simultaneous in-flight tools/call requests per subject. Excess → -32003 / 429 + Retry-After.
+    maxConcurrentPerSubject: 16
+  #> Hard ceilings enforced by the HTTP transport (standard §14).
+  #> Concrete servers MAY raise or lower these values without patching SDK code.
+  limits:
+    #> Max accepted JSON / urlencoded request body, bytes. Default 1 MiB.
+    #> Bodies above this limit are rejected with JSON-RPC code -32005 / HTTP 413.
+    maxPayloadBytes: 1048576
+    #> Max serialized tool result, bytes. Default 10 MiB.
+    #> Responses above this limit are truncated with an explicit `truncated: true` marker.
+    maxToolResultBytes: 10485760
+    #> Per-tool execution timeout, milliseconds. Default 30 s.
+    #> Exceeded calls return JSON-RPC code -32004 / HTTP 504.
+    toolTimeoutMs: 30000
   #> Tool listing and response behavior
   tools:
     #> Response format configuration.
@@ -273,6 +290,69 @@ mcp:
     #> only callable from MCP App widgets (app.callServerTool(...)) or test
     #> clients. Default: false.
     builtinTools: false
+  #> Standard §8.4 — server-side pagination for tools/list, prompts/list, resources/list.
+  pagination:
+    #> Items per page. Default 100.
+    pageSize: 100
+  #> Standard §11.5 — optional MAY resource capabilities. Off by default.
+  resources:
+    #> Enable resources/subscribe + notifications/resources/updated. Only turn on
+    #> when the project has dynamic resources; static resource sets do not benefit.
+    subscribeEnabled: false
+    #> Enable resources/templates/list (returns empty array if no templates configured).
+    templatesEnabled: false
+  #> Standard §15.2 + §8.2 — MCP `logging` capability. When enabled (default), the server
+  #> advertises `logging: {}` on initialize and accepts `logging/setLevel` to throttle
+  #> notifications/message emissions.
+  logging:
+    #> Set false to suppress the capability (compat tests against older clients).
+    enabled: true
+    #> Initial severity threshold (Syslog ladder). Levels: debug | info | notice | warning |
+    #> error | critical | alert | emergency. Default: info.
+    defaultLevel: info
+    #> Max serialized `data` payload in bytes. Anything longer is truncated. Default: 4096.
+    maxBodyBytes: 4096
+  #> Standard §8.6 — `notifications/progress` throttling. Minimum gap between successive
+  #> emissions for a single progressToken. Default 100 ms (10 events/s).
+  progress:
+    throttleMs: 100
+  #> Standard §8.2 (MAY) — `completion/complete` capability (argument autocompletion).
+  #> Off by default. Even when enabled, the capability is advertised only if the project also
+  #> supplies a `completionProvider` in McpServerData — otherwise there is nothing to serve.
+  completions:
+    #> Set true (and provide completionProvider) to advertise `completions: {}` and accept
+    #> completion/complete requests. Default: false.
+    enabled: false
+  #> Standard §8.7 (MAY) — task-augmented execution (long-running / pollable tool calls). Off by
+  #> default. When enabled, the server advertises the `tasks` capability and accepts tasks/list,
+  #> tasks/get, tasks/result, tasks/cancel. Long-running tools opt in per-tool via
+  #> `execution.taskSupport` in their declaration. The default store keeps tasks in process memory
+  #> only and does not survive a restart.
+  tasks:
+    #> Set true to advertise `tasks` capability and accept the task lifecycle methods. Default false.
+    enabled: false
+    #> Default retention of a finished task, milliseconds, from creation. A client-requested ttl is
+    #> clamped to [minTtlMs, maxTtlMs]. Default 3600000 (1 hour).
+    defaultTtlMs: 3600000
+    #> Lower bound a client-requested ttl is clamped to, milliseconds. Default 0 (no floor).
+    minTtlMs: 0
+    #> Hard upper bound on retention, milliseconds. Default 86400000 (24 hours).
+    maxTtlMs: 86400000
+    #> Recommended poll interval suggested to the client in every task object, milliseconds.
+    #> Default 1000.
+    pollIntervalMs: 1000
+    #> Max number of simultaneously retained tasks across all subjects. Oldest finished tasks are
+    #> evicted first when the cap is reached. Default 1000.
+    maxTasks: 1000
+  #> Standard §6 (MAY) — Streamable HTTP SSE stream resumability via the `Last-Event-ID` header.
+  #> Off by default. When enabled, the server keeps recent SSE events in process memory so a
+  #> reconnecting client can replay missed messages. The buffer is in-memory only: it is lost on
+  #> restart and does not span multiple server instances.
+  sse:
+    #> Set true to attach the in-memory EventStore to the Streamable HTTP transport. Default false.
+    resumability: false
+    #> Max number of events retained per process for replay. Default 1000.
+    maxStoredEvents: 1000
 
 #> Swagger / OpenAPI documentation settings
 swagger:
@@ -294,8 +374,10 @@ uiColor:
 
 #> HTTP server hosting MCP, admin panel, agent tester, swagger and health endpoints
 webServer:
-  #> Bind address for the HTTP server
-  host: '0.0.0.0'
+  #> Bind address for the HTTP server.
+  #> Default: '127.0.0.1' — loopback only (safer default, standard §6).
+  #> Set to '0.0.0.0' explicitly to listen on every interface (containers, public-facing deployments).
+  host: '127.0.0.1'
   #> TCP port for the HTTP server
   port: {{port}}
   #> Array of hosts that CORS skips
@@ -321,17 +403,25 @@ webServer:
     permanentServerTokens: [ 'token' ]
 
     #> ========================================================================
-    #> JWT TOKEN — standard signed JWT (HS256)
-    #> Tokens issued by this SDK are standard 3-segment JWTs `header.payload.signature`.
-    #> The verifier also temporarily accepts pre-migration legacy tokens
-    #> (`<expire_ms>.<hex>` AES-256-CTR format) for backward compatibility.
+    #> JWT TOKEN
+    #> Four operating modes:
+    #>   legacyAesCtr (default) — HS256 issue + legacy AES-CTR read. Uses `encryptKey`
+    #>                            below. Backward-compatible behavior — no migration needed.
+    #>   embedded               — ES256/RS256 with built-in IdP. Server auto-generates a
+    #>                            keypair into `keyStoragePath` on first start, publishes
+    #>                            JWKS at /.well-known/jwks.json, and exposes
+    #>                            POST /oauth/token (grant_type=password). For dev / demo.
+    #>   localKey               — ES256/RS256 verify against a public key on disk
+    #>                            (`publicKeyPath`). Issuance requires `privateKeyPath`.
+    #>   remoteJwks             — Production: verify against a remote IdP's JWKS endpoint
+    #>                            (`jwksUri`). This server does NOT issue tokens —
+    #>                            obtain them from the IdP.
     #> CPU cost: Medium — signature verification + JSON parsing
-    #>
-    #> To enable this authentication, you need to set auth.enabled = true and set
-    #> encryptKey to at least 8 characters (used as the HS256 signing secret).
     #> ========================================================================
     jwtToken:
-      #> HS256 signing secret used to sign/verify tokens for this MCP (minimum 8 chars)
+      #> Operating mode (see above). Default: legacyAesCtr (preserves existing behavior).
+      mode: legacyAesCtr
+      #> HS256 signing secret — used ONLY by legacyAesCtr mode (minimum 8 chars).
       encryptKey: '***'
       #> If webServer.auth.enabled and the parameter true, the service name and the service specified in the token will be checked
       checkMCPName: true
@@ -339,9 +429,38 @@ webServer:
       #> the client IP will be checked against the allowed list in the token
       isCheckIP: false
       #> Optional JWT `iss` claim. When non-empty, the generator stamps it and the verifier requires it.
-      #> Leave empty to skip issuer enforcement.
+      #> Leave empty to skip issuer enforcement. Used by legacyAesCtr mode.
       issuer: ''
 
+      #> -------- Settings below apply ONLY to modes embedded / localKey / remoteJwks --------
+
+      #> Asymmetric signing algorithm. ES256 (ECDSA P-256) recommended — smaller tokens, faster.
+      algorithm: ES256
+      #> Directory for embedded keypair (private.pem + public.pem). Auto-generated on first run.
+      #> Used only in mode=embedded. Default: ./keys
+      keyStoragePath: './keys'
+      #> Path to public key PEM. Used only in mode=localKey.
+      publicKeyPath: ''
+      #> Path to private key PEM. Optional — when set, allows local issuance via
+      #> generate-jwt.js and POST /gen-jwt. Used in mode=localKey.
+      privateKeyPath: ''
+      #> Remote JWKS endpoint URL. Used only in mode=remoteJwks.
+      #> Example: https://idp.example.com/.well-known/jwks.json
+      jwksUri: ''
+      #> Expected `iss` claim. Required match in modes embedded/localKey/remoteJwks.
+      #> In embedded mode auto-derived from request origin if empty.
+      expectedIssuer: ''
+      #> Expected `aud` claim. Defaults to appConfig.name when empty.
+      expectedAudience: ''
+      #> JWKS in-memory cache TTL (seconds). Default: 600 (10 min).
+      jwksCacheTtl: 600
+      #> Minimum interval between repeat JWKS fetches when kid is missing (seconds). Default: 30.
+      jwksCooldown: 30
+      #> Allowed clock skew for exp/nbf checks (seconds). Default: 30. Max enforced: 60 (standard Прил. A.1).
+      clockSkew: 30
+      #> Default TTL (seconds) for tokens issued by embedded /oauth/token endpoint. Default: 1800 (30 min).
+      defaultTtl: 1800
+
     #> ========================================================================
     #> Basic Authentication — Base64 encoded username:password
     #> CPU cost: Medium — Base64 decoding + string comparison
@@ -374,3 +493,37 @@ webServer:
   #> Requires valid Authorization header (any method configured in webServer.auth).
   #> ========================================================================
   genJwtApiEnable: false
+
+  #> ========================================================================
+  #> TOKEN CHECK ENDPOINT (/ct)
+  #> Standard §7.1 forbids passing secrets in URL query strings (logs / referrers).
+  #> By default only POST /ct with JSON body { "t": "<token>" } is accepted.
+  #> GET /ct?t=<token> is disabled and returns HTTP 405.
+  #> ========================================================================
+  tokenCheck:
+    #> Allow legacy GET /ct?t=<token> form. Ignored when NODE_ENV=production.
+    #> Default: false (compliant with standard §7.1).
+    allowQueryToken: false
+
+  #> ========================================================================
+  #> Trust proxy (used by /.well-known/openid-configuration etc. to derive issuer
+  #> from X-Forwarded-Proto / X-Forwarded-Host). Set true behind HTTPS reverse proxy.
+  #> ========================================================================
+  trustProxy: false
+
+  #> ========================================================================
+  #> Standard §15.3 — Prometheus metrics endpoint.
+  #> Opt-in. Endpoint is PUBLIC (no auth) — protect via network policy / reverse proxy
+  #> when the server is reachable from the network.
+  #> Metrics exposed: mcp_tool_calls_total, mcp_tool_duration_seconds,
+  #> mcp_auth_failures_total, mcp_rate_limit_hits_total, mcp_http_requests_total,
+  #> mcp_concurrent_calls, mcp_payload_bytes, mcp_result_bytes + Node.js process metrics.
+  #> ========================================================================
+  metrics:
+    #> Set true to mount the metrics endpoint. Default: false.
+    enabled: false
+    #> URL path. Default: /metrics.
+    path: '/metrics'
+    #> Include Node.js process metrics (GC, heap, uptime). Default: true. Disable to shed
+    #> ~30 default series when scraping many SDK instances.
+    includeProcessMetrics: true

package/config/local.yaml

@@ -52,25 +52,25 @@ consul:
     prod: aitr01
     dev: aite01
 
-db:
-  postgres:
-    dbs:
-      main:
-        label: 'znayka_dev on DEV-1'
-        host: 127.0.0.1
-        database: znayka_dev
-        port: 5432
-        password: Glaui46X49
-        user: znayka_dev
-        powerPassword: mCyDLHUZhbyj
-        powerUser: postgres
-        usedExtensions:
-          - pgvector
-        ssh:
-          host: MSK-AITE01-AP01
-          port: 22
-          username: root
-          privateKey: 'C:\Users\vv\.ssh\id_rsa_finam_vvmakarov'
+#db:
+#  postgres:
+#    dbs:
+#      main:
+#        label: 'znayka_dev on DEV-1'
+#        host: 127.0.0.1
+#        database: znayka_dev
+#        port: 5432
+#        password: Glaui46X49
+#        user: znayka_dev
+#        powerPassword: mCyDLHUZhbyj
+#        powerUser: postgres
+#        usedExtensions:
+#          - pgvector
+#        ssh:
+#          host: MSK-AITE01-AP01
+#          port: 22
+#          username: root
+#          privateKey: 'C:\Users\vv\.ssh\id_rsa_finam_vvmakarov'
 
 homePage:
   helpLink:
@@ -99,6 +99,7 @@ webServer:
     enabled: true
     permanentServerTokens: [ 'test-token' ]
     jwtToken:
+      mode: legacyAesCtr
       encryptKey: '66666666-7777-8888-9999-000000000000'
       checkMCPName: true
       isCheckIP: false

package/dist/core/_types_/config.d.ts

@@ -16,10 +16,22 @@ interface IWebServerConfig {
                 password: string;
             };
             jwtToken: {
+                mode?: 'legacyAesCtr' | 'embedded' | 'localKey' | 'remoteJwks';
                 encryptKey: string;
                 checkMCPName: boolean;
                 isCheckIP: boolean;
                 issuer?: string;
+                algorithm?: 'ES256' | 'RS256';
+                keyStoragePath?: string;
+                publicKeyPath?: string;
+                privateKeyPath?: string;
+                jwksUri?: string;
+                expectedIssuer?: string;
+                expectedAudience?: string;
+                jwksCacheTtl?: number;
+                jwksCooldown?: number;
+                clockSkew?: number;
+                defaultTtl?: number;
             };
             permanentServerTokens: string[];
             revoked?: {
@@ -31,6 +43,15 @@ interface IWebServerConfig {
             };
         };
         genJwtApiEnable: boolean;
+        tokenCheck?: {
+            allowQueryToken?: boolean;
+        };
+        trustProxy?: boolean | string | number;
+        metrics?: {
+            enabled?: boolean;
+            path?: string;
+            includeProcessMetrics?: boolean;
+        };
     };
 }
 interface IAdminPanelConfig {
@@ -52,12 +73,110 @@ interface IMCPConfig {
         rateLimit: {
             maxRequests: number;
             windowMs: number;
+            scope?: 'subject' | 'ip';
+            maxConcurrentPerSubject?: number;
+        };
+        /**
+         * Hard ceilings enforced by the HTTP transport. Standard §14 defines the defaults;
+         * concrete servers MAY raise or lower them via `config/*.yaml`.
+         */
+        limits: {
+            /** Max accepted JSON / urlencoded request body, bytes. Default 1 MiB (1_048_576). */
+            maxPayloadBytes: number;
+            /** Max serialized tool result, bytes. Anything above is truncated with explicit markers. */
+            maxToolResultBytes: number;
+            /** Per-tool execution timeout, milliseconds. */
+            toolTimeoutMs: number;
         };
         transportType: 'stdio' | 'http';
         tools: {
             answerAs: 'text' | 'structuredContent';
             hideAnnotations: boolean;
         };
+        /**
+         * Standard §8.4 — server-side pagination for `tools/list`, `prompts/list`, `resources/list`.
+         * Cursor is opaque base64(offset); page is sorted stably by `name` / `uri`.
+         */
+        pagination?: {
+            /** Items per page. Default 100. */
+            pageSize?: number;
+        };
+        /**
+         * Standard §11.5 — optional MAY capabilities. Off by default.
+         */
+        resources?: {
+            /** Enable `resources/subscribe` + `notifications/resources/updated`. */
+            subscribeEnabled?: boolean;
+            /** Enable `resources/templates/list`. */
+            templatesEnabled?: boolean;
+        };
+        /**
+         * Standard §15.2 + §8.2 — MCP `logging` capability. When enabled, the server declares
+         * `logging: {}` on initialize and accepts `logging/setLevel` to throttle emissions.
+         */
+        logging?: {
+            /** Default `true`. Set to `false` to suppress `logging` capability advertisement. */
+            enabled?: boolean;
+            /** Initial severity threshold. Syslog ladder; default `info`. */
+            defaultLevel?: 'debug' | 'info' | 'notice' | 'warning' | 'error' | 'critical' | 'alert' | 'emergency';
+            /** Max serialized `data` payload, bytes. Anything above is truncated. Default 4096. */
+            maxBodyBytes?: number;
+        };
+        /**
+         * Standard §8.6 — `notifications/progress` server-side throttling.
+         */
+        progress?: {
+            /** Minimum gap between successive progress emissions, milliseconds. Default 100 (10 events/s). */
+            throttleMs?: number;
+        };
+        /**
+         * Standard §8.2 (MAY) — `completion/complete` capability. Off by default. Even when enabled,
+         * the capability is advertised only if `McpServerData.completionProvider` is also supplied.
+         */
+        completions?: {
+            /** Default `false`. Set `true` (plus a `completionProvider`) to advertise `completions: {}`. */
+            enabled?: boolean;
+        };
+        /**
+         * Standard §8.7 (MAY) — task-augmented execution. Off by default. When enabled, the server
+         * advertises the `tasks` capability and accepts the task lifecycle methods (`tasks/list`,
+         * `tasks/get`, `tasks/result`, `tasks/cancel`). Individual long-running tools opt in via
+         * `execution.taskSupport` in their declaration (§9.1). The default task store keeps records in
+         * process memory only — it does not survive a restart.
+         */
+        tasks?: {
+            /** Default `false`. Set `true` to advertise `tasks` capability and accept task methods. */
+            enabled?: boolean;
+            /**
+             * Default retention of a finished task, milliseconds, measured from creation. A client may
+             * request a different `ttl`; the server clamps it to `[minTtlMs ?? 0, maxTtlMs]`.
+             * Default 3_600_000 (1 hour).
+             */
+            defaultTtlMs?: number;
+            /** Lower bound a client-requested `ttl` is clamped to, milliseconds. Default 0 (no floor). */
+            minTtlMs?: number;
+            /** Hard upper bound on retention, milliseconds. Default 86_400_000 (24 hours). */
+            maxTtlMs?: number;
+            /** Recommended poll interval suggested to the client in every task object. Default 1000. */
+            pollIntervalMs?: number;
+            /**
+             * Max number of simultaneously retained tasks across all subjects. When the cap is reached,
+             * the oldest finished tasks are evicted first. Default 1000.
+             */
+            maxTasks?: number;
+        };
+        /**
+         * Standard §6 (MAY) — Streamable HTTP SSE stream resumability via the `Last-Event-ID` header.
+         * Off by default. When enabled, the server wires an in-memory `EventStore` into the transport
+         * so a reconnecting client can replay the messages it missed. The store lives in process memory
+         * only — it does not survive a restart and does not span multiple server instances.
+         */
+        sse?: {
+            /** Default `false`. Set `true` to attach the in-memory EventStore to the Streamable HTTP transport. */
+            resumability?: boolean;
+            /** Max number of events retained per process for replay. Default 1000. */
+            maxStoredEvents?: number;
+        };
         /**
          * Debug & diagnostics. All keys are optional and disabled by default — the
          * stderr `DEBUG=mcp:*` stream keeps working independently of this section.