fa-mcp-sdk 0.4.142 → 0.11.2

package/dist/core/mcp/tool-limits.js

@@ -0,0 +1,115 @@
+import { McpError } from '@modelcontextprotocol/sdk/types.js';
+import { appConfig } from '../bootstrap/init-config.js';
+import { MCP_ERROR_CODES } from '../errors/specific-errors.js';
+/**
+ * Race a tool invocation against `mcp.limits.toolTimeoutMs`. On expiry the returned promise
+ * rejects with an SDK `McpError` carrying code `-32004` (standard §14 / Appendix B). The
+ * pending tool promise is left running — Node.js cannot synchronously abort user code —
+ * but the server-side timer is cleared so we don't leak handles. The HTTP-level transport
+ * layer in `server-http.ts` runs its own race so the response status becomes 504.
+ */
+export async function withToolTimeout(toolName, exec) {
+    const timeoutMs = appConfig.mcp.limits.toolTimeoutMs;
+    let timer;
+    const timeoutPromise = new Promise((_resolve, reject) => {
+        timer = setTimeout(() => {
+            reject(new McpError(MCP_ERROR_CODES.TIMEOUT, `Tool '${toolName}' exceeded ${timeoutMs} ms timeout`, {
+                reason: 'tool_timeout',
+                retryAfter: 0,
+            }));
+        }, timeoutMs);
+        if (typeof timer.unref === 'function') {
+            timer.unref();
+        }
+    });
+    try {
+        return await Promise.race([exec(), timeoutPromise]);
+    }
+    finally {
+        if (timer) {
+            clearTimeout(timer);
+        }
+    }
+}
+const TRUNCATION_TAIL = '\n…[truncated]';
+/**
+ * Trim a tool response so its serialized payload stays under `mcp.limits.maxToolResultBytes`
+ * (standard §12.2 / §14). Truncation is signalled BOTH in the textual content and in the
+ * structured payload so the client cannot silently miss it.
+ *
+ * - For `content[].text` entries: the offending entry is cut to fit the budget and suffixed
+ *   with an explicit `…[truncated]` marker.
+ * - For `structuredContent`: a sibling `truncated: true` field is set when the JSON exceeds
+ *   the budget, and the payload is replaced with a minimal sentinel object so the response
+ *   still fits the wire frame.
+ */
+export function truncateToolResponse(response) {
+    const maxBytes = appConfig.mcp.limits.maxToolResultBytes;
+    if (!response || maxBytes <= 0) {
+        return response;
+    }
+    // Structured response branch.
+    if ('structuredContent' in response) {
+        const structured = response;
+        let serialized;
+        try {
+            serialized = JSON.stringify(structured.structuredContent ?? null);
+        }
+        catch {
+            return response;
+        }
+        if (Buffer.byteLength(serialized, 'utf8') <= maxBytes) {
+            return response;
+        }
+        const replacement = {
+            truncated: true,
+            reason: 'max_tool_result_bytes_exceeded',
+            maxBytes,
+            originalBytes: Buffer.byteLength(serialized, 'utf8'),
+        };
+        return {
+            ...structured,
+            structuredContent: replacement,
+        };
+    }
+    // Text content branch.
+    if ('content' in response && Array.isArray(response.content)) {
+        const sizes = response.content.map((p) => (p && p.type === 'text' ? Buffer.byteLength(p.text ?? '', 'utf8') : 0));
+        const total = sizes.reduce((a, b) => a + b, 0);
+        if (total <= maxBytes) {
+            return response;
+        }
+        let budget = maxBytes;
+        const newContent = [];
+        let truncatedFlag = false;
+        for (const part of response.content) {
+            if (!part || part.type !== 'text') {
+                newContent.push(part);
+                continue;
+            }
+            const bytes = Buffer.byteLength(part.text ?? '', 'utf8');
+            if (bytes <= budget) {
+                newContent.push(part);
+                budget -= bytes;
+                continue;
+            }
+            truncatedFlag = true;
+            const sliceBytes = Math.max(0, budget - Buffer.byteLength(TRUNCATION_TAIL, 'utf8'));
+            const buf = Buffer.from(part.text ?? '', 'utf8')
+                .subarray(0, sliceBytes)
+                .toString('utf8');
+            newContent.push({ type: 'text', text: `${buf}${TRUNCATION_TAIL}` });
+            budget = 0;
+        }
+        if (truncatedFlag) {
+            return {
+                ...response,
+                content: newContent,
+                structuredContent: { truncated: true, reason: 'max_tool_result_bytes_exceeded', maxBytes },
+            };
+        }
+        return { ...response, content: newContent };
+    }
+    return response;
+}
+//# sourceMappingURL=tool-limits.js.map

package/dist/core/mcp/tool-limits.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-limits.js","sourceRoot":"","sources":["../../../src/core/mcp/tool-limits.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oCAAoC,CAAC;AAE9D,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAG/D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAI,QAAgB,EAAE,IAAsB;IAC/E,MAAM,SAAS,GAAG,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC;IACrD,IAAI,KAAiC,CAAC;IACtC,MAAM,cAAc,GAAG,IAAI,OAAO,CAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE;QAC7D,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YACtB,MAAM,CACJ,IAAI,QAAQ,CAAC,eAAe,CAAC,OAAO,EAAE,SAAS,QAAQ,cAAc,SAAS,aAAa,EAAE;gBAC3F,MAAM,EAAE,cAAc;gBACtB,UAAU,EAAE,CAAC;aACd,CAAC,CACH,CAAC;QACJ,CAAC,EAAE,SAAS,CAAC,CAAC;QACd,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YACtC,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,CAAC;QACH,OAAO,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,cAAc,CAAC,CAAC,CAAC;IACtD,CAAC;YAAS,CAAC;QACT,IAAI,KAAK,EAAE,CAAC;YACV,YAAY,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,eAAe,GAAG,gBAAgB,CAAC;AAEzC;;;;;;;;;;GAUG;AACH,MAAM,UAAU,oBAAoB,CAAI,QAAiC;IACvE,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC;IACzD,IAAI,CAAC,QAAQ,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAC/B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,8BAA8B;IAC9B,IAAI,mBAAmB,IAAI,QAAQ,EAAE,CAAC;QACpC,MAAM,UAAU,GAAG,QAA+C,CAAC;QACnE,IAAI,UAAkB,CAAC;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,iBAAiB,IAAI,IAAI,CAAC,CAAC;QACpE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACtD,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,MAAM,WAAW,GAAQ;YACvB,SAAS,EAAE,IAAI;YACf,MAAM,EAAE,gCAAgC;YACxC,QAAQ;YACR,aAAa,EAAE,MAAM,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC;SACrD,CAAC;QACF,OAAO;YACL,GAAG,UAAU;YACb,iBAAiB,EAAE,WAAW;SAC/B,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,IAAI,SAAS,IAAI,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7D,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAClH,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC/C,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;YACtB,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,IAAI,MAAM,GAAG,QAAQ,CAAC;QACtB,MAAM,UAAU,GAA4B,EAAE,CAAC;QAC/C,IAAI,aAAa,GAAG,KAAK,CAAC;QAC1B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACpC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;gBAClC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtB,SAAS;YACX,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;YACzD,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;gBACpB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC;gBAChB,SAAS;YACX,CAAC;YACD,aAAa,GAAG,IAAI,CAAC;YACrB,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC;YACpF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,EAAE,MAAM,CAAC;iBAC7C,QAAQ,CAAC,CAAC,EAAE,UAAU,CAAC;iBACvB,QAAQ,CAAC,MAAM,CAAC,CAAC;YACpB,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,GAAG,GAAG,eAAe,EAAE,EAAE,CAAC,CAAC;YACpE,MAAM,GAAG,CAAC,CAAC;QACb,CAAC;QAED,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO;gBACL,GAAI,QAAgB;gBACpB,OAAO,EAAE,UAAU;gBACnB,iBAAiB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,gCAAgC,EAAE,QAAQ,EAAE;aAChE,CAAC;QAC/B,CAAC;QACD,OAAO,EAAE,GAAI,QAAgB,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;IACvD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/core/mcp/validate-tool-args.d.ts

@@ -0,0 +1,16 @@
+import { Tool } from '@modelcontextprotocol/sdk/types.js';
+export interface IValidationFailure {
+    field: string;
+    reason: string;
+}
+export declare function validateToolInput(tool: Tool, args: unknown): {
+    valid: true;
+} | ({
+    valid: false;
+} & IValidationFailure);
+export declare function validateToolOutput(tool: Tool, structuredContent: unknown): {
+    valid: true;
+} | ({
+    valid: false;
+} & IValidationFailure);
+//# sourceMappingURL=validate-tool-args.d.ts.map

package/dist/core/mcp/validate-tool-args.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-tool-args.d.ts","sourceRoot":"","sources":["../../../src/core/mcp/validate-tool-args.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAyB1D,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB;AAiBD,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,IAAI,EACV,IAAI,EAAE,OAAO,GACZ;IAAE,KAAK,EAAE,IAAI,CAAA;CAAE,GAAG,CAAC;IAAE,KAAK,EAAE,KAAK,CAAA;CAAE,GAAG,kBAAkB,CAAC,CAc3D;AAED,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,IAAI,EACV,iBAAiB,EAAE,OAAO,GACzB;IAAE,KAAK,EAAE,IAAI,CAAA;CAAE,GAAG,CAAC;IAAE,KAAK,EAAE,KAAK,CAAA;CAAE,GAAG,kBAAkB,CAAC,CAc3D"}

package/dist/core/mcp/validate-tool-args.js

@@ -0,0 +1,67 @@
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+const ajv = new Ajv2020({ allErrors: false, strict: false, useDefaults: false });
+addFormats(ajv);
+const inputCache = new WeakMap();
+const outputCache = new WeakMap();
+function compile(schema, cache) {
+    if (!schema || typeof schema !== 'object') {
+        return undefined;
+    }
+    const cached = cache.get(schema);
+    if (cached) {
+        return cached;
+    }
+    try {
+        const validate = ajv.compile(schema);
+        cache.set(schema, validate);
+        return validate;
+    }
+    catch {
+        return undefined;
+    }
+}
+function firstError(errors) {
+    const e = errors?.[0];
+    if (!e) {
+        return { field: '', reason: 'schema_violation' };
+    }
+    const fieldFromParams = e.params?.missingProperty ||
+        e.params?.additionalProperty ||
+        e.params?.propertyName ||
+        '';
+    const path = e.instancePath || '';
+    const field = fieldFromParams ? (path ? `${path}/${fieldFromParams}` : fieldFromParams) : path || 'root';
+    return { field, reason: e.message || e.keyword || 'schema_violation' };
+}
+export function validateToolInput(tool, args) {
+    const schema = tool.inputSchema;
+    if (!schema || typeof schema !== 'object') {
+        return { valid: true };
+    }
+    const validate = compile(schema, inputCache);
+    if (!validate) {
+        return { valid: true };
+    }
+    const ok = validate(args ?? {});
+    if (ok) {
+        return { valid: true };
+    }
+    return { valid: false, ...firstError(validate.errors) };
+}
+export function validateToolOutput(tool, structuredContent) {
+    const schema = tool.outputSchema;
+    if (!schema || typeof schema !== 'object') {
+        return { valid: true };
+    }
+    const validate = compile(schema, outputCache);
+    if (!validate) {
+        return { valid: true };
+    }
+    const ok = validate(structuredContent ?? null);
+    if (ok) {
+        return { valid: true };
+    }
+    return { valid: false, ...firstError(validate.errors) };
+}
+//# sourceMappingURL=validate-tool-args.js.map

package/dist/core/mcp/validate-tool-args.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-tool-args.js","sourceRoot":"","sources":["../../../src/core/mcp/validate-tool-args.ts"],"names":[],"mappings":"AAAA,OAAO,OAA0C,MAAM,kBAAkB,CAAC;AAC1E,OAAO,UAAU,MAAM,aAAa,CAAC;AAGrC,MAAM,GAAG,GAAG,IAAI,OAAO,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC;AACjF,UAAU,CAAC,GAAU,CAAC,CAAC;AAEvB,MAAM,UAAU,GAAG,IAAI,OAAO,EAA4B,CAAC;AAC3D,MAAM,WAAW,GAAG,IAAI,OAAO,EAA4B,CAAC;AAE5D,SAAS,OAAO,CAAC,MAAc,EAAE,KAAwC;IACvE,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1C,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,MAAa,CAAC,CAAC;QAC5C,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC5B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAOD,SAAS,UAAU,CAAC,MAAwC;IAC1D,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;IACtB,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACnD,CAAC;IACD,MAAM,eAAe,GAClB,CAAC,CAAC,MAAc,EAAE,eAAe;QACjC,CAAC,CAAC,MAAc,EAAE,kBAAkB;QACpC,CAAC,CAAC,MAAc,EAAE,YAAY;QAC/B,EAAE,CAAC;IACL,MAAM,IAAI,GAAG,CAAC,CAAC,YAAY,IAAI,EAAE,CAAC;IAClC,MAAM,KAAK,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,eAAe,EAAE,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC;IACzG,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,IAAI,kBAAkB,EAAE,CAAC;AACzE,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,IAAU,EACV,IAAa;IAEb,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC;IAChC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IACD,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAgB,EAAE,UAAU,CAAC,CAAC;IACvD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IACD,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAChC,IAAI,EAAE,EAAE,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,IAAU,EACV,iBAA0B;IAE1B,MAAM,MAAM,GAAI,IAAY,CAAC,YAAY,CAAC;IAC1C,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IACD,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAgB,EAAE,WAAW,CAAC,CAAC;IACxD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IACD,MAAM,EAAE,GAAG,QAAQ,CAAC,iBAAiB,IAAI,IAAI,CAAC,CAAC;IAC/C,IAAI,EAAE,EAAE,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;AAC1D,CAAC"}

package/dist/core/mcp/validate-tool-names.d.ts

@@ -0,0 +1,11 @@
+import { Tool } from '@modelcontextprotocol/sdk/types.js';
+/**
+ * Standard §9.1 — corporate rule: tool names are ASCII snake_case, 1..63 chars.
+ */
+export declare const TOOL_NAME_RE: RegExp;
+/**
+ * Throws on the first name that violates the rule. Memoizes the validated array reference
+ * so static `tools` arrays pay the cost only once per process.
+ */
+export declare function assertToolNames(tools: Tool[]): void;
+//# sourceMappingURL=validate-tool-names.d.ts.map

package/dist/core/mcp/validate-tool-names.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-tool-names.d.ts","sourceRoot":"","sources":["../../../src/core/mcp/validate-tool-names.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAE1D;;GAEG;AACH,eAAO,MAAM,YAAY,QAA2B,CAAC;AAIrD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,IAAI,CAcnD"}

package/dist/core/mcp/validate-tool-names.js

@@ -0,0 +1,23 @@
+/**
+ * Standard §9.1 — corporate rule: tool names are ASCII snake_case, 1..63 chars.
+ */
+export const TOOL_NAME_RE = /^[a-z][a-z0-9_]{0,62}$/;
+const validatedRefs = new WeakSet();
+/**
+ * Throws on the first name that violates the rule. Memoizes the validated array reference
+ * so static `tools` arrays pay the cost only once per process.
+ */
+export function assertToolNames(tools) {
+    if (!Array.isArray(tools) || validatedRefs.has(tools)) {
+        return;
+    }
+    for (const tool of tools) {
+        const name = tool?.name;
+        if (typeof name !== 'string' || !TOOL_NAME_RE.test(name)) {
+            throw new Error(`Tool name "${name}" violates standard §9.1: ` +
+                `must match /^[a-z][a-z0-9_]{0,62}$/ (snake_case, ASCII, 1..63 chars).`);
+        }
+    }
+    validatedRefs.add(tools);
+}
+//# sourceMappingURL=validate-tool-names.js.map

package/dist/core/mcp/validate-tool-names.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-tool-names.js","sourceRoot":"","sources":["../../../src/core/mcp/validate-tool-names.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,wBAAwB,CAAC;AAErD,MAAM,aAAa,GAAG,IAAI,OAAO,EAAU,CAAC;AAE5C;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACtD,OAAO;IACT,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,GAAI,IAAY,EAAE,IAAI,CAAC;QACjC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CACb,cAAc,IAAI,4BAA4B;gBAC5C,uEAAuE,CAC1E,CAAC;QACJ,CAAC;IACH,CAAC;IACD,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC"}

package/dist/core/metrics/metrics.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Standard §15.3 — Prometheus exposition for MCP-server operability.
+ *
+ * Off by default; enabled via `webServer.metrics.enabled = true`. When active, a single
+ * `prom-client` registry holds every series the SDK emits. Process-level metrics (GC, heap,
+ * uptime) are added conditionally — they add ≈30 series, so projects scraping multiple SDK
+ * instances can shed them by setting `webServer.metrics.includeProcessMetrics = false`.
+ *
+ * All metrics use snake_case names; cardinality is bounded by tool name / scope so the
+ * SDK never explodes a Prometheus instance even when run with hundreds of tools.
+ */
+import { Counter, Gauge, Histogram, Registry } from 'prom-client';
+export interface IMcpMetrics {
+    toolCalls: Counter<'tool' | 'status'>;
+    toolDuration: Histogram<'tool'>;
+    authFailures: Counter<'reason'>;
+    rateLimitHits: Counter<'scope'>;
+    httpRequests: Counter<'method' | 'path' | 'status'>;
+    concurrentCalls: Gauge<'subject'>;
+    payloadBytes: Histogram<never>;
+    resultBytes: Histogram<never>;
+    /** Standard §8.7 — task lifecycle transitions by status (created/completed/failed/cancelled). */
+    tasks: Counter<'status'>;
+}
+export type ToolCallStatus = 'ok' | 'error' | 'timeout' | 'rate_limited' | 'invalid_params' | 'internal_error';
+export type RateLimitScope = 'subject' | 'ip' | 'concurrent';
+/**
+ * Lazy initialization — `initMetrics` is called from `server-http.ts` only when metrics are
+ * enabled. Subsequent calls are no-ops, so tests can re-import without leaking series.
+ */
+export declare function initMetrics(): IMcpMetrics;
+/**
+ * Safe accessor for places that may run before `initMetrics` (e.g. tool execution paths that
+ * run regardless of HTTP / stdio mode). Returns `undefined` when metrics are disabled — call
+ * sites should use optional chaining: `getMetrics()?.toolCalls.inc(...)`.
+ */
+export declare function getMetrics(): IMcpMetrics | undefined;
+export declare function isMetricsEnabled(): boolean;
+export declare function getMetricsRegistry(): Registry;
+/**
+ * The default global `register` is left alone so apps that already export their own metrics
+ * via prom-client keep working. The SDK only writes to its private registry.
+ */
+export declare function getGlobalPromRegister(): Registry;
+//# sourceMappingURL=metrics.d.ts.map

package/dist/core/metrics/metrics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metrics.d.ts","sourceRoot":"","sources":["../../../src/core/metrics/metrics.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAyB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAY,QAAQ,EAAE,MAAM,aAAa,CAAC;AAOnG,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,OAAO,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IACtC,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAChC,YAAY,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChC,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAChC,YAAY,EAAE,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC,CAAC;IACpD,eAAe,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAClC,YAAY,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,WAAW,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;IAC9B,iGAAiG;IACjG,KAAK,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC1B;AAOD,MAAM,MAAM,cAAc,GAAG,IAAI,GAAG,OAAO,GAAG,SAAS,GAAG,cAAc,GAAG,gBAAgB,GAAG,gBAAgB,CAAC;AAE/G,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,IAAI,GAAG,YAAY,CAAC;AAU7D;;;GAGG;AACH,wBAAgB,WAAW,IAAI,WAAW,CAqEzC;AAED;;;;GAIG;AACH,wBAAgB,UAAU,IAAI,WAAW,GAAG,SAAS,CAEpD;AAED,wBAAgB,gBAAgB,IAAI,OAAO,CAE1C;AAED,wBAAgB,kBAAkB,IAAI,QAAQ,CAE7C;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,QAAQ,CAEhD"}

package/dist/core/metrics/metrics.js

@@ -0,0 +1,119 @@
+/**
+ * Standard §15.3 — Prometheus exposition for MCP-server operability.
+ *
+ * Off by default; enabled via `webServer.metrics.enabled = true`. When active, a single
+ * `prom-client` registry holds every series the SDK emits. Process-level metrics (GC, heap,
+ * uptime) are added conditionally — they add ≈30 series, so projects scraping multiple SDK
+ * instances can shed them by setting `webServer.metrics.includeProcessMetrics = false`.
+ *
+ * All metrics use snake_case names; cardinality is bounded by tool name / scope so the
+ * SDK never explodes a Prometheus instance even when run with hundreds of tools.
+ */
+import { collectDefaultMetrics, Counter, Gauge, Histogram, register, Registry } from 'prom-client';
+import { appConfig } from '../bootstrap/init-config.js';
+let registry;
+let initialized = false;
+let metrics;
+const DURATION_BUCKETS = [0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 30];
+const BYTES_BUCKETS = [256, 1024, 4096, 16_384, 65_536, 262_144, 1_048_576, 10_485_760];
+function ensureRegistry() {
+    if (registry) {
+        return registry;
+    }
+    registry = new Registry();
+    return registry;
+}
+/**
+ * Lazy initialization — `initMetrics` is called from `server-http.ts` only when metrics are
+ * enabled. Subsequent calls are no-ops, so tests can re-import without leaking series.
+ */
+export function initMetrics() {
+    if (metrics) {
+        return metrics;
+    }
+    const reg = ensureRegistry();
+    if (appConfig.webServer.metrics?.includeProcessMetrics !== false) {
+        collectDefaultMetrics({ register: reg });
+    }
+    metrics = {
+        toolCalls: new Counter({
+            name: 'mcp_tool_calls_total',
+            help: 'Number of MCP tools/call invocations by tool name and final status.',
+            labelNames: ['tool', 'status'],
+            registers: [reg],
+        }),
+        toolDuration: new Histogram({
+            name: 'mcp_tool_duration_seconds',
+            help: 'Wall-clock duration of MCP tools/call invocations.',
+            labelNames: ['tool'],
+            buckets: DURATION_BUCKETS,
+            registers: [reg],
+        }),
+        authFailures: new Counter({
+            name: 'mcp_auth_failures_total',
+            help: 'Number of authentication failures by reason.',
+            labelNames: ['reason'],
+            registers: [reg],
+        }),
+        rateLimitHits: new Counter({
+            name: 'mcp_rate_limit_hits_total',
+            help: 'Number of rate-limit rejections by enforcement scope.',
+            labelNames: ['scope'],
+            registers: [reg],
+        }),
+        httpRequests: new Counter({
+            name: 'mcp_http_requests_total',
+            help: 'Number of HTTP requests by method, route and final status code.',
+            labelNames: ['method', 'path', 'status'],
+            registers: [reg],
+        }),
+        concurrentCalls: new Gauge({
+            name: 'mcp_concurrent_calls',
+            help: 'In-flight MCP tools/call invocations by JWT subject.',
+            labelNames: ['subject'],
+            registers: [reg],
+        }),
+        payloadBytes: new Histogram({
+            name: 'mcp_payload_bytes',
+            help: 'Size of incoming MCP request payloads in bytes.',
+            buckets: BYTES_BUCKETS,
+            registers: [reg],
+        }),
+        resultBytes: new Histogram({
+            name: 'mcp_result_bytes',
+            help: 'Size of serialized MCP tool results in bytes.',
+            buckets: BYTES_BUCKETS,
+            registers: [reg],
+        }),
+        tasks: new Counter({
+            name: 'mcp_tasks_total',
+            help: 'Number of task lifecycle transitions by status.',
+            labelNames: ['status'],
+            registers: [reg],
+        }),
+    };
+    initialized = true;
+    return metrics;
+}
+/**
+ * Safe accessor for places that may run before `initMetrics` (e.g. tool execution paths that
+ * run regardless of HTTP / stdio mode). Returns `undefined` when metrics are disabled — call
+ * sites should use optional chaining: `getMetrics()?.toolCalls.inc(...)`.
+ */
+export function getMetrics() {
+    return metrics;
+}
+export function isMetricsEnabled() {
+    return initialized && appConfig.webServer.metrics?.enabled === true;
+}
+export function getMetricsRegistry() {
+    return ensureRegistry();
+}
+/**
+ * The default global `register` is left alone so apps that already export their own metrics
+ * via prom-client keep working. The SDK only writes to its private registry.
+ */
+export function getGlobalPromRegister() {
+    return register;
+}
+//# sourceMappingURL=metrics.js.map

package/dist/core/metrics/metrics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metrics.js","sourceRoot":"","sources":["../../../src/core/metrics/metrics.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,qBAAqB,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEnG,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAExD,IAAI,QAA8B,CAAC;AACnC,IAAI,WAAW,GAAG,KAAK,CAAC;AAexB,IAAI,OAAgC,CAAC;AAErC,MAAM,gBAAgB,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;AACnE,MAAM,aAAa,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;AAMxF,SAAS,cAAc;IACrB,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,QAAQ,GAAG,IAAI,QAAQ,EAAE,CAAC;IAC1B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW;IACzB,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;IAE7B,IAAI,SAAS,CAAC,SAAS,CAAC,OAAO,EAAE,qBAAqB,KAAK,KAAK,EAAE,CAAC;QACjE,qBAAqB,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,GAAG;QACR,SAAS,EAAE,IAAI,OAAO,CAAC;YACrB,IAAI,EAAE,sBAAsB;YAC5B,IAAI,EAAE,qEAAqE;YAC3E,UAAU,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAU;YACvC,SAAS,EAAE,CAAC,GAAG,CAAC;SACjB,CAAC;QACF,YAAY,EAAE,IAAI,SAAS,CAAC;YAC1B,IAAI,EAAE,2BAA2B;YACjC,IAAI,EAAE,oDAAoD;YAC1D,UAAU,EAAE,CAAC,MAAM,CAAU;YAC7B,OAAO,EAAE,gBAAgB;YACzB,SAAS,EAAE,CAAC,GAAG,CAAC;SACjB,CAAC;QACF,YAAY,EAAE,IAAI,OAAO,CAAC;YACxB,IAAI,EAAE,yBAAyB;YAC/B,IAAI,EAAE,8CAA8C;YACpD,UAAU,EAAE,CAAC,QAAQ,CAAU;YAC/B,SAAS,EAAE,CAAC,GAAG,CAAC;SACjB,CAAC;QACF,aAAa,EAAE,IAAI,OAAO,CAAC;YACzB,IAAI,EAAE,2BAA2B;YACjC,IAAI,EAAE,uDAAuD;YAC7D,UAAU,EAAE,CAAC,OAAO,CAAU;YAC9B,SAAS,EAAE,CAAC,GAAG,CAAC;SACjB,CAAC;QACF,YAAY,EAAE,IAAI,OAAO,CAAC;YACxB,IAAI,EAAE,yBAAyB;YAC/B,IAAI,EAAE,iEAAiE;YACvE,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAU;YACjD,SAAS,EAAE,CAAC,GAAG,CAAC;SACjB,CAAC;QACF,eAAe,EAAE,IAAI,KAAK,CAAC;YACzB,IAAI,EAAE,sBAAsB;YAC5B,IAAI,EAAE,sDAAsD;YAC5D,UAAU,EAAE,CAAC,SAAS,CAAU;YAChC,SAAS,EAAE,CAAC,GAAG,CAAC;SACjB,CAAC;QACF,YAAY,EAAE,IAAI,SAAS,CAAC;YAC1B,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,iDAAiD;YACvD,OAAO,EAAE,aAAa;YACtB,SAAS,EAAE,CAAC,GAAG,CAAC;SACjB,CAAC;QACF,WAAW,EAAE,IAAI,SAAS,CAAC;YACzB,IAAI,EAAE,kBAAkB;YACxB,IAAI,EAAE,+CAA+C;YACrD,OAAO,EAAE,aAAa;YACtB,SAAS,EAAE,CAAC,GAAG,CAAC;SACjB,CAAC;QACF,KAAK,EAAE,IAAI,OAAO,CAAC;YACjB,IAAI,EAAE,iBAAiB;YACvB,IAAI,EAAE,iDAAiD;YACvD,UAAU,EAAE,CAAC,QAAQ,CAAU;YAC/B,SAAS,EAAE,CAAC,GAAG,CAAC;SACjB,CAAC;KACH,CAAC;IACF,WAAW,GAAG,IAAI,CAAC;IACnB,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU;IACxB,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO,WAAW,IAAI,SAAS,CAAC,SAAS,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,OAAO,cAAc,EAAE,CAAC;AAC1B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB;IACnC,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/core/utils/mask-sensitive.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Standard §12.2 — optional helper for masking personal / sensitive data in tool results.
+ *
+ * The standard requires that sensitive data be protected according to the domain policy
+ * (masking, filtering). That responsibility stays with the server: the SDK does not know the
+ * domain model and cannot decide what counts as sensitive. This utility is a reusable building
+ * block so a server need not re-implement masking from scratch — it is NOT wired into the
+ * `tools/call` path automatically. Call it explicitly inside a tool handler before returning.
+ *
+ * Masking is driven purely by explicit rules (field names, regular expressions). It performs no
+ * heuristic PII detection.
+ */
+export interface IMaskRules {
+    /**
+     * Field names whose values are fully masked wherever they occur in the object tree
+     * (e.g. `['password', 'token', 'ssn']`). Matched case-insensitively.
+     */
+    fieldNames?: string[];
+    /**
+     * Regular expressions matched against string values at any depth. Every match is replaced
+     * (e.g. card numbers, e-mail addresses). Use a global flag to replace all occurrences within a
+     * single string; without it only the first occurrence is replaced.
+     */
+    patterns?: RegExp[];
+    /**
+     * Replacement applied when a rule fires. A string replaces the whole matched value (for
+     * `fieldNames`) or the matched substring (for `patterns`); default `'***'`. A function receives
+     * the original value and returns the masked form — useful for partial masking such as
+     * `4111********1111`.
+     */
+    replacement?: string | ((original: string) => string);
+}
+/**
+ * Recursively masks sensitive data in `value` according to `rules`, returning a new value.
+ * The input is never mutated. Strings, arrays and plain objects are walked; other primitives
+ * (numbers, booleans, null, undefined) are returned as-is. Field-name masking replaces the entire
+ * value of a matching key regardless of its type.
+ *
+ * @example
+ * maskSensitive({ password: 'p', name: 'a' }, { fieldNames: ['password'] });
+ * // → { password: '***', name: 'a' }
+ */
+export declare function maskSensitive<T>(value: T, rules: IMaskRules): T;
+//# sourceMappingURL=mask-sensitive.d.ts.map

package/dist/core/utils/mask-sensitive.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mask-sensitive.d.ts","sourceRoot":"","sources":["../../../src/core/utils/mask-sensitive.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC;CACvD;AAmBD;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,UAAU,GAAG,CAAC,CA2B/D"}

package/dist/core/utils/mask-sensitive.js

@@ -0,0 +1,64 @@
+/**
+ * Standard §12.2 — optional helper for masking personal / sensitive data in tool results.
+ *
+ * The standard requires that sensitive data be protected according to the domain policy
+ * (masking, filtering). That responsibility stays with the server: the SDK does not know the
+ * domain model and cannot decide what counts as sensitive. This utility is a reusable building
+ * block so a server need not re-implement masking from scratch — it is NOT wired into the
+ * `tools/call` path automatically. Call it explicitly inside a tool handler before returning.
+ *
+ * Masking is driven purely by explicit rules (field names, regular expressions). It performs no
+ * heuristic PII detection.
+ */
+const DEFAULT_REPLACEMENT = '***';
+function applyReplacement(original, replacement) {
+    if (typeof replacement === 'function') {
+        return replacement(original);
+    }
+    return replacement ?? DEFAULT_REPLACEMENT;
+}
+function maskString(value, patterns, replacement) {
+    let out = value;
+    for (const re of patterns) {
+        out = out.replace(re, (match) => applyReplacement(match, replacement));
+    }
+    return out;
+}
+/**
+ * Recursively masks sensitive data in `value` according to `rules`, returning a new value.
+ * The input is never mutated. Strings, arrays and plain objects are walked; other primitives
+ * (numbers, booleans, null, undefined) are returned as-is. Field-name masking replaces the entire
+ * value of a matching key regardless of its type.
+ *
+ * @example
+ * maskSensitive({ password: 'p', name: 'a' }, { fieldNames: ['password'] });
+ * // → { password: '***', name: 'a' }
+ */
+export function maskSensitive(value, rules) {
+    const fieldNames = new Set((rules.fieldNames ?? []).map((n) => n.toLowerCase()));
+    const patterns = rules.patterns ?? [];
+    const { replacement } = rules;
+    const walk = (node) => {
+        if (typeof node === 'string') {
+            return patterns.length > 0 ? maskString(node, patterns, replacement) : node;
+        }
+        if (Array.isArray(node)) {
+            return node.map((item) => walk(item));
+        }
+        if (node && typeof node === 'object') {
+            const result = {};
+            for (const [key, val] of Object.entries(node)) {
+                if (fieldNames.has(key.toLowerCase())) {
+                    result[key] = applyReplacement(typeof val === 'string' ? val : String(val), replacement);
+                }
+                else {
+                    result[key] = walk(val);
+                }
+            }
+            return result;
+        }
+        return node;
+    };
+    return walk(value);
+}
+//# sourceMappingURL=mask-sensitive.js.map

package/dist/core/utils/mask-sensitive.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mask-sensitive.js","sourceRoot":"","sources":["../../../src/core/utils/mask-sensitive.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAuBH,MAAM,mBAAmB,GAAG,KAAK,CAAC;AAElC,SAAS,gBAAgB,CAAC,QAAgB,EAAE,WAAsC;IAChF,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE,CAAC;QACtC,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,WAAW,IAAI,mBAAmB,CAAC;AAC5C,CAAC;AAED,SAAS,UAAU,CAAC,KAAa,EAAE,QAAkB,EAAE,WAAsC;IAC3F,IAAI,GAAG,GAAG,KAAK,CAAC;IAChB,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;QAC1B,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,aAAa,CAAI,KAAQ,EAAE,KAAiB;IAC1D,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACjF,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC;IACtC,MAAM,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;IAE9B,MAAM,IAAI,GAAG,CAAC,IAAa,EAAW,EAAE;QACtC,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC9E,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACxC,CAAC;QACD,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC9C,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;oBACtC,MAAM,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,WAAW,CAAC,CAAC;gBAC3F,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1B,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;IAEF,OAAO,IAAI,CAAC,KAAK,CAAM,CAAC;AAC1B,CAAC"}

package/dist/core/utils/testing/McpHttpClient.d.ts

@@ -1,38 +1,13 @@
-import { BaseMcpClient } from './BaseMcpClient.js';
-type Json = any;
+import { McpStreamableHttpClient } from './McpStreamableHttpClient.js';
 /**
- * MCP Simple HTTP Client
+ * @deprecated Use {@link McpStreamableHttpClient}.
  *
- * Uses simple POST requests instead of streaming HTTP for compatibility
- * with the current server implementation
+ * The original plain-POST client (one-shot `POST /mcp`, `Accept: application/json`, no session) is
+ * incompatible with the server's official `StreamableHTTPServerTransport`, which requires
+ * `Accept: application/json, text/event-stream` and an `Mcp-Session-Id` round-trip. This is now a
+ * thin alias over {@link McpStreamableHttpClient}, which speaks the correct protocol. The public
+ * API (`initialize`, `listTools`, `callTool`, …) is unchanged.
  */
-export declare class McpHttpClient extends BaseMcpClient {
-    private readonly baseURL;
-    private readonly endpointPath;
-    serverInfo?: {
-        name: string;
-        version: string;
-    };
-    capabilities?: any;
-    protocolVersion?: string;
-    constructor(baseURL: string, options?: {
-        endpointPath?: string;
-        headers?: Record<string, string>;
-        requestTimeoutMs?: number;
-    });
-    initialize(params?: {
-        protocolVersion?: string;
-        capabilities?: any;
-        clientInfo?: {
-            name: string;
-            version: string;
-        };
-    }): Promise<any>;
-    close(): Promise<void>;
-    private sendHttpRequest;
-    notify(method: string, params?: Json): void;
-    sendRpc<T = any>(method: string, params?: Json): Promise<T>;
-    protected sendRequest(method: string, params: any): Promise<any>;
+export declare class McpHttpClient extends McpStreamableHttpClient {
 }
-export {};
 //# sourceMappingURL=McpHttpClient.d.ts.map

package/dist/core/utils/testing/McpHttpClient.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"McpHttpClient.d.ts","sourceRoot":"","sources":["../../../../src/core/utils/testing/McpHttpClient.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAInD,KAAK,IAAI,GAAG,GAAG,CAAC;AA6BhB;;;;;GAKG;AACH,qBAAa,aAAc,SAAQ,aAAa;IAC9C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IAE/B,UAAU,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/C,YAAY,CAAC,EAAE,GAAG,CAAC;IACnB,eAAe,CAAC,EAAE,MAAM,CAAC;gBAG9B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QACR,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B;IAOY,UAAU,CACvB,MAAM,GAAE;QACN,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,YAAY,CAAC,EAAE,GAAG,CAAC;QACnB,UAAU,CAAC,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC;KAC3C;IAYO,KAAK;YAIN,eAAe;IAqB7B,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,IAAI;IAQ9B,OAAO,CAAC,CAAC,GAAG,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC;cAwBxC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;CAGhF"}
+{"version":3,"file":"McpHttpClient.d.ts","sourceRoot":"","sources":["../../../../src/core/utils/testing/McpHttpClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AAEvE;;;;;;;;GAQG;AACH,qBAAa,aAAc,SAAQ,uBAAuB;CAAG"}