fdic-mcp-server 1.29.0 → 1.30.1

package/dist/server.js

@@ -47,7 +47,7 @@ var import_types = require("@modelcontextprotocol/sdk/types.js");
 var import_express2 = __toESM(require("express"));
 
 // src/constants.ts
-var VERSION = true ? "1.29.0" : process.env.npm_package_version ?? "0.0.0-dev";
+var VERSION = true ? "1.30.1" : process.env.npm_package_version ?? "0.0.0-dev";
 var FDIC_API_BASE_URL = "https://banks.data.fdic.gov/api";
 var CHARACTER_LIMIT = 5e4;
 var DEFAULT_FDIC_MAX_RESPONSE_BYTES = 5 * 1024 * 1024;
@@ -88,6 +88,42 @@ var RateLimiter = class {
     return true;
   }
 };
+var ConcurrentLimiter = class {
+  maxConcurrent;
+  active = /* @__PURE__ */ new Map();
+  constructor(maxConcurrent) {
+    this.maxConcurrent = maxConcurrent;
+  }
+  acquire(key) {
+    const current = this.active.get(key) ?? 0;
+    if (current >= this.maxConcurrent) {
+      return void 0;
+    }
+    this.active.set(key, current + 1);
+    let released = false;
+    return () => {
+      if (released) {
+        return;
+      }
+      released = true;
+      const latest = this.active.get(key) ?? 0;
+      if (latest <= 1) {
+        this.active.delete(key);
+        return;
+      }
+      this.active.set(key, latest - 1);
+    };
+  }
+};
+
+// src/requestIdentity.ts
+function getRequestIp(req) {
+  const forwarded = req.get("x-forwarded-for");
+  if (forwarded) {
+    return forwarded.split(",")[0]?.trim() || req.ip || "unknown";
+  }
+  return req.ip || "unknown";
+}
 
 // src/chat.ts
 var CHAT_SYSTEM_PROMPT = `You are a demo assistant for the FDIC BankFind MCP Server. You help users
@@ -210,13 +246,6 @@ function mapMessagesToContents(messages) {
     parts: [{ text: message.content }]
   }));
 }
-function getRequestIp(req) {
-  const forwarded = req.get("x-forwarded-for");
-  if (forwarded) {
-    return forwarded.split(",")[0]?.trim() || req.ip || "unknown";
-  }
-  return req.ip || "unknown";
-}
 function getResponseParts(response) {
   return response.candidates?.[0]?.content?.parts ?? [];
 }
@@ -38750,8 +38779,542 @@ NOTE: Requires FRED_API_KEY environment variable for reliable data access. Degra
   );
 }
 
-// src/tools/chatgptRetrieval.ts
+// src/tools/qbpLite.ts
 var import_zod21 = require("zod");
+var QBP_LITE_FETCH_LIMIT = 1e4;
+var QBP_LITE_FIELDS = [
+  "CERT",
+  "NAME",
+  "REPDTE",
+  "CB",
+  "SPECGRP",
+  "SPECGRPDESC",
+  "ASSET",
+  "DEP",
+  "DEPDOM",
+  "NETINC",
+  "ROA",
+  "ROE",
+  "NIMY",
+  "ERNAST",
+  "LNLSNET",
+  "LNRE",
+  "LNCI",
+  "LNCON",
+  "LNCRCD",
+  "LNAG",
+  "SC",
+  "EQTOT",
+  "NCLNLSR",
+  "NTLNLSR",
+  "RBC",
+  "RBC1AAJ",
+  "IDT1RWAJR",
+  "RBCT1",
+  "RBCT1C",
+  "RBCT1CER",
+  "RBCRWAJ",
+  "RWAJ",
+  "RWAJT",
+  "P3RER",
+  "P3CIR",
+  "P3CONR",
+  "P3CRCDR",
+  "P3AGR",
+  "NTRER",
+  "NTCIR",
+  "NTCONR",
+  "NTCRCDR",
+  "NTAGR"
+].join(",");
+var QbpLiteSchema = import_zod21.z.object({
+  repdte: import_zod21.z.string().regex(/^\d{8}$/).optional().describe(
+    "Quarter-end Report Date (REPDTE) in YYYYMMDD format. If omitted, the tool searches backward from the latest likely published quarter until data is found."
+  ),
+  trend_quarters: import_zod21.z.number().int().min(8).max(40).default(20).describe(
+    "Number of quarterly observations to return for trend charts, including the current quarter. Default 20 quarters."
+  ),
+  include_community_banks: import_zod21.z.boolean().default(true).describe(
+    "Include a compact community-bank-vs-industry comparison using the public community-bank flag."
+  )
+});
+var EXECUTIVE_METRICS = [
+  {
+    id: "institution_count",
+    label: "Number of institutions reporting",
+    unit: "count"
+  },
+  { id: "total_assets", label: "Total assets", unit: "$thousands" },
+  {
+    id: "total_loans_and_leases",
+    label: "Total loans and leases",
+    unit: "$thousands"
+  },
+  { id: "domestic_deposits", label: "Domestic deposits", unit: "$thousands" },
+  { id: "net_income", label: "Net income", unit: "$thousands" },
+  { id: "roa_pct", label: "Return on assets", unit: "percent" },
+  { id: "roe_pct", label: "Return on equity", unit: "percent" },
+  { id: "net_interest_margin_pct", label: "Net interest margin", unit: "percent" },
+  { id: "noncurrent_loans_pct", label: "Noncurrent loans to loans", unit: "percent" },
+  { id: "net_chargeoffs_pct", label: "Net charge-offs to loans", unit: "percent" },
+  { id: "leverage_ratio_pct", label: "Core capital (leverage) ratio", unit: "percent" }
+];
+function sumField(records, field) {
+  let total = 0;
+  let seen = false;
+  for (const record of records) {
+    const value = asNumber(record[field]);
+    if (value !== null) {
+      total += value;
+      seen = true;
+    }
+  }
+  return seen ? total : null;
+}
+function weightedAverage(records, valueField, weightField) {
+  let weightedSum = 0;
+  let weightSum = 0;
+  for (const record of records) {
+    const value = asNumber(record[valueField]);
+    const weight = asNumber(record[weightField]);
+    if (value !== null && weight !== null && weight > 0) {
+      weightedSum += value * weight;
+      weightSum += weight;
+    }
+  }
+  return weightSum > 0 ? weightedSum / weightSum : null;
+}
+function pctChange2(current, prior) {
+  if (current === null || prior === null || prior === 0) return null;
+  return (current - prior) / prior * 100;
+}
+function change2(current, prior) {
+  if (current === null || prior === null) return null;
+  return current - prior;
+}
+function dividePct(numerator, denominator) {
+  if (numerator === null || denominator === null || denominator === 0) return null;
+  return numerator / denominator * 100;
+}
+function sumRatioPct(records, numeratorField, denominatorField) {
+  return dividePct(sumField(records, numeratorField), sumField(records, denominatorField));
+}
+function aggregateFinancialRecords(records) {
+  const totalAssets = sumField(records, "ASSET");
+  const totalLoans = sumField(records, "LNLSNET");
+  const equityCapital = sumField(records, "EQTOT");
+  return {
+    institution_count: records.length,
+    total_assets: totalAssets,
+    total_loans_and_leases: totalLoans,
+    domestic_deposits: sumField(records, "DEPDOM"),
+    total_deposits: sumField(records, "DEP"),
+    securities: sumField(records, "SC"),
+    equity_capital: equityCapital,
+    net_income: sumField(records, "NETINC"),
+    roa_pct: weightedAverage(records, "ROA", "ASSET"),
+    roe_pct: weightedAverage(records, "ROE", "EQTOT"),
+    net_interest_margin_pct: weightedAverage(records, "NIMY", "ERNAST"),
+    noncurrent_loans_pct: weightedAverage(records, "NCLNLSR", "LNLSNET"),
+    net_chargeoffs_pct: weightedAverage(records, "NTLNLSR", "LNLSNET"),
+    leverage_ratio_pct: weightedAverage(records, "RBC1AAJ", "ASSET"),
+    common_equity_tier1_ratio_pct: sumRatioPct(records, "RBCT1C", "RWAJ") ?? weightedAverage(records, "RBCT1CER", "RWAJ"),
+    tier1_risk_based_ratio_pct: sumRatioPct(records, "RBCT1", "RWAJ") ?? weightedAverage(records, "IDT1RWAJR", "RWAJ"),
+    total_risk_based_ratio_pct: sumRatioPct(records, "RBC", "RWAJT") ?? weightedAverage(records, "RBCRWAJ", "RWAJT")
+  };
+}
+function buildExecutiveSnapshot(current, priorQuarter, yearAgo) {
+  return EXECUTIVE_METRICS.map(({ id, label, unit }) => {
+    const currentValue = current[id];
+    const priorValue = priorQuarter?.[id] ?? null;
+    const yearAgoValue = yearAgo?.[id] ?? null;
+    return {
+      id,
+      label,
+      unit,
+      change_unit: unit === "percent" ? "percentage_points" : unit,
+      current: currentValue,
+      prior_quarter_change: change2(currentValue, priorValue),
+      prior_quarter_change_pct: unit === "percent" ? null : pctChange2(currentValue, priorValue),
+      year_over_year_change: change2(currentValue, yearAgoValue),
+      year_over_year_change_pct: unit === "percent" ? null : pctChange2(currentValue, yearAgoValue)
+    };
+  });
+}
+function isCommunityBank(record) {
+  const value = record.CB;
+  return value === 1 || value === "1";
+}
+function assetSizeGroup(asset) {
+  if (asset === null) return "Unknown";
+  if (asset < 1e5) return "Assets < $100 Million";
+  if (asset < 1e6) return "Assets $100 Million - $1 Billion";
+  if (asset < 1e7) return "Assets $1 Billion - $10 Billion";
+  if (asset < 25e7) return "Assets $10 Billion - $250 Billion";
+  return "Assets > $250 Billion";
+}
+function buildSeriesPoint(repdte, records) {
+  const metrics = aggregateFinancialRecords(records);
+  return {
+    repdte,
+    ...metrics
+  };
+}
+function buildAssetSizeNimSeries(groupedRecords) {
+  const rows = [];
+  for (const [repdte, records] of groupedRecords) {
+    const groups = /* @__PURE__ */ new Map();
+    for (const record of records) {
+      const group = assetSizeGroup(asNumber(record.ASSET));
+      const groupRecords = groups.get(group);
+      if (groupRecords) {
+        groupRecords.push(record);
+      } else {
+        groups.set(group, [record]);
+      }
+    }
+    rows.push({
+      repdte,
+      group: "Industry",
+      institution_count: records.length,
+      total_assets: sumField(records, "ASSET"),
+      net_interest_margin_pct: weightedAverage(records, "NIMY", "ERNAST")
+    });
+    for (const [group, groupRecords] of groups) {
+      rows.push({
+        repdte,
+        group,
+        institution_count: groupRecords.length,
+        total_assets: sumField(groupRecords, "ASSET"),
+        net_interest_margin_pct: weightedAverage(groupRecords, "NIMY", "ERNAST")
+      });
+    }
+  }
+  return rows;
+}
+function buildLoanAndDepositSeries(series) {
+  const byDate = new Map(series.map((point) => [point.repdte, point]));
+  return series.map((point) => {
+    const priorQuarter = getPriorQuarterDates(point.repdte, 1)[0];
+    const yearAgo = getReportDateOneYearPrior(point.repdte);
+    const priorPoint = byDate.get(priorQuarter);
+    const yearAgoPoint = byDate.get(yearAgo);
+    return {
+      repdte: point.repdte,
+      total_loans_and_leases: point.total_loans_and_leases,
+      quarterly_loan_change: change2(
+        point.total_loans_and_leases,
+        priorPoint?.total_loans_and_leases ?? null
+      ),
+      loan_growth_12_month_pct: pctChange2(
+        point.total_loans_and_leases,
+        yearAgoPoint?.total_loans_and_leases ?? null
+      ),
+      domestic_deposits: point.domestic_deposits,
+      quarterly_domestic_deposit_change: change2(
+        point.domestic_deposits,
+        priorPoint?.domestic_deposits ?? null
+      ),
+      domestic_deposit_growth_12_month_pct: pctChange2(
+        point.domestic_deposits,
+        yearAgoPoint?.domestic_deposits ?? null
+      )
+    };
+  });
+}
+function buildPortfolioPerformance(records) {
+  const portfolios = [
+    {
+      id: "real_estate",
+      label: "Real estate loans",
+      balanceField: "LNRE",
+      noncurrentRateField: "P3RER",
+      chargeoffRateField: "NTRER"
+    },
+    {
+      id: "commercial_industrial",
+      label: "Commercial and industrial loans",
+      balanceField: "LNCI",
+      noncurrentRateField: "P3CIR",
+      chargeoffRateField: "NTCIR"
+    },
+    {
+      id: "consumer",
+      label: "Consumer loans",
+      balanceField: "LNCON",
+      noncurrentRateField: "P3CONR",
+      chargeoffRateField: "NTCONR"
+    },
+    {
+      id: "credit_card",
+      label: "Credit card loans",
+      balanceField: "LNCRCD",
+      noncurrentRateField: "P3CRCDR",
+      chargeoffRateField: "NTCRCDR"
+    },
+    {
+      id: "farm",
+      label: "Farm loans",
+      balanceField: "LNAG",
+      noncurrentRateField: "P3AGR",
+      chargeoffRateField: "NTAGR"
+    }
+  ];
+  return portfolios.map((portfolio) => ({
+    id: portfolio.id,
+    label: portfolio.label,
+    balance: sumField(records, portfolio.balanceField),
+    balance_share_of_total_loans_pct: dividePct(
+      sumField(records, portfolio.balanceField),
+      sumField(records, "LNLSNET")
+    ),
+    noncurrent_rate_pct: weightedAverage(
+      records,
+      portfolio.noncurrentRateField,
+      portfolio.balanceField
+    ),
+    net_chargeoff_rate_pct: weightedAverage(
+      records,
+      portfolio.chargeoffRateField,
+      portfolio.balanceField
+    )
+  }));
+}
+function buildCommunityComparison(groupedRecords) {
+  const rows = [];
+  for (const [repdte, records] of groupedRecords) {
+    for (const [group, groupRecords] of [
+      ["Industry", records],
+      ["Community Banks", records.filter(isCommunityBank)]
+    ]) {
+      const metrics = aggregateFinancialRecords(groupRecords);
+      rows.push({
+        repdte,
+        group,
+        institution_count: metrics.institution_count,
+        total_assets: metrics.total_assets,
+        total_loans_and_leases: metrics.total_loans_and_leases,
+        domestic_deposits: metrics.domestic_deposits,
+        net_income: metrics.net_income,
+        roa_pct: metrics.roa_pct,
+        net_interest_margin_pct: metrics.net_interest_margin_pct,
+        noncurrent_loans_pct: metrics.noncurrent_loans_pct,
+        net_chargeoffs_pct: metrics.net_chargeoffs_pct
+      });
+    }
+  }
+  return rows;
+}
+function buildTruncationWarning2(repdte, returnedCount, totalCount, limit = QBP_LITE_FETCH_LIMIT) {
+  if (returnedCount >= limit && totalCount > limit) {
+    return `REPDTE ${repdte}: results truncated at ${limit.toLocaleString()} of ${totalCount.toLocaleString()} institutions.`;
+  }
+  return null;
+}
+async function fetchRecordsForRepdte(repdte) {
+  const response = await queryEndpoint(ENDPOINTS.FINANCIALS, {
+    filters: `REPDTE:${repdte}`,
+    fields: QBP_LITE_FIELDS,
+    limit: QBP_LITE_FETCH_LIMIT,
+    sort_by: "CERT",
+    sort_order: "ASC"
+  });
+  const records = extractRecords(response);
+  return {
+    records,
+    total: response.meta.total,
+    truncationWarning: buildTruncationWarning2(
+      repdte,
+      records.length,
+      response.meta.total
+    )
+  };
+}
+async function hasFinancialData(repdte) {
+  const response = await queryEndpoint(ENDPOINTS.FINANCIALS, {
+    filters: `REPDTE:${repdte}`,
+    fields: "CERT,REPDTE",
+    limit: 1
+  });
+  return response.meta.total > 0;
+}
+async function resolveReportDate(params) {
+  if (params.repdte) {
+    const validationError = validateQuarterEndDate(params.repdte, "repdte");
+    if (validationError) {
+      throw new Error(validationError);
+    }
+    return params.repdte;
+  }
+  const candidates = [getDefaultReportDate(), ...getPriorQuarterDates(getDefaultReportDate(), 7)];
+  for (const candidate of candidates) {
+    if (await hasFinancialData(candidate)) {
+      return candidate;
+    }
+  }
+  throw new Error("No BankFind financial data found in the latest eight expected reporting quarters.");
+}
+async function buildQbpLiteData(params) {
+  const trendQuarters = params.trend_quarters ?? 20;
+  const includeCommunityBanks = params.include_community_banks ?? true;
+  const repdte = await resolveReportDate(params);
+  const priorQuarterRepdte = getPriorQuarterDates(repdte, 1)[0];
+  const yearAgoRepdte = getReportDateOneYearPrior(repdte);
+  const trendDates = [...getPriorQuarterDates(repdte, trendQuarters - 1)].reverse();
+  const requiredDates = [.../* @__PURE__ */ new Set([...trendDates, repdte, priorQuarterRepdte, yearAgoRepdte])].sort();
+  const recordsByDate = /* @__PURE__ */ new Map();
+  const warnings = [];
+  await mapWithConcurrency(requiredDates, 4, async (date) => {
+    const { records, truncationWarning } = await fetchRecordsForRepdte(date);
+    recordsByDate.set(date, records);
+    if (records.length === 0) {
+      warnings.push(`No financial records found for REPDTE ${date}.`);
+    }
+    if (truncationWarning) {
+      warnings.push(truncationWarning);
+    }
+  });
+  const currentRecords = recordsByDate.get(repdte) ?? [];
+  if (currentRecords.length === 0) {
+    throw new Error(`No financial records found for current REPDTE ${repdte}.`);
+  }
+  const trendRecords = new Map(
+    [...trendDates, repdte].filter((date) => (recordsByDate.get(date)?.length ?? 0) > 0).map((date) => [date, recordsByDate.get(date) ?? []])
+  );
+  const trendSeries = [...trendRecords.entries()].map(
+    ([date, records]) => buildSeriesPoint(date, records)
+  );
+  const current = aggregateFinancialRecords(currentRecords);
+  const priorQuarter = recordsByDate.has(priorQuarterRepdte) ? aggregateFinancialRecords(recordsByDate.get(priorQuarterRepdte) ?? []) : null;
+  const yearAgo = recordsByDate.has(yearAgoRepdte) ? aggregateFinancialRecords(recordsByDate.get(yearAgoRepdte) ?? []) : null;
+  return {
+    report: {
+      title: "QBP Lite: FDIC-Insured Institutions",
+      repdte,
+      prior_quarter_repdte: priorQuarterRepdte,
+      year_ago_repdte: yearAgoRepdte,
+      trend_start_repdte: trendSeries[0]?.repdte ?? repdte,
+      trend_end_repdte: repdte
+    },
+    executive_snapshot: buildExecutiveSnapshot(current, priorQuarter, yearAgo),
+    charts: {
+      quarterly_net_income_and_roa: trendSeries.map((point) => ({
+        repdte: point.repdte,
+        net_income: point.net_income,
+        roa_pct: point.roa_pct
+      })),
+      net_interest_margin_by_asset_size: buildAssetSizeNimSeries(trendRecords),
+      loans_and_deposits: buildLoanAndDepositSeries(trendSeries),
+      credit_quality: trendSeries.map((point) => ({
+        repdte: point.repdte,
+        noncurrent_loans_pct: point.noncurrent_loans_pct,
+        net_chargeoffs_pct: point.net_chargeoffs_pct
+      })),
+      loan_performance_by_portfolio: buildPortfolioPerformance(currentRecords),
+      capital_ratios: trendSeries.map((point) => ({
+        repdte: point.repdte,
+        leverage_ratio_pct: point.leverage_ratio_pct,
+        common_equity_tier1_ratio_pct: point.common_equity_tier1_ratio_pct,
+        tier1_risk_based_ratio_pct: point.tier1_risk_based_ratio_pct,
+        total_risk_based_ratio_pct: point.total_risk_based_ratio_pct
+      })),
+      community_banks_vs_industry: includeCommunityBanks ? buildCommunityComparison(trendRecords) : []
+    },
+    data_notes: {
+      source_dataset: "FDIC BankFind financials endpoint",
+      date_field: "REPDTE",
+      dollar_units: "Thousands of dollars unless converted by the client.",
+      aggregation_notes: [
+        "Dollar fields are summed across reporting institutions.",
+        "ROA, ROE, credit-quality ratios, and leverage ratio are weighted using the closest available public denominator field.",
+        "Leverage ratio is asset-weighted using period-end ASSET as a proxy for average assets because the average-asset denominator is not exposed as a separate public BankFind field.",
+        "Net interest margin is weighted by earning assets.",
+        "Risk-based capital ratios are calculated from summed public capital-dollar and risk-weighted-asset fields when available, with public ratio fields used only as a fallback.",
+        "The report uses public quarterly Call Report-derived BankFind data; it is not an official FDIC QBP publication."
+      ],
+      known_exclusions: [
+        "Official Problem Bank List counts are excluded because they depend on confidential CAMELS ratings.",
+        "Deposit Insurance Fund balance, reserve ratio, assessments earned, and fund income or expense are excluded because they are DIF accounting data rather than BankFind institution financials.",
+        "Assessment-rate distribution data is excluded because public BankFind financials do not provide institution assessment-rate ranges.",
+        "Community-bank merger-adjusted prior-period series are excluded; community-bank comparisons use the public CB flag available in BankFind records."
+      ],
+      warnings
+    }
+  };
+}
+function formatMetricValue2(value, unit) {
+  if (value === null) return "n/a";
+  if (unit === "percent") return `${value.toFixed(2)}%`;
+  return Math.round(value).toLocaleString();
+}
+function formatChangeValue(value, unit) {
+  if (value === null) return "n/a";
+  if (unit === "percentage_points") return `${value.toFixed(2)} ppts`;
+  return Math.round(value).toLocaleString();
+}
+function formatQbpLiteText(data) {
+  const lines = [
+    `${data.report.title}`,
+    `Quarter ended: ${data.report.repdte}`,
+    `Prior quarter: ${data.report.prior_quarter_repdte} | Year ago: ${data.report.year_ago_repdte}`,
+    "",
+    "Executive Snapshot"
+  ];
+  for (const metric of data.executive_snapshot) {
+    const current = formatMetricValue2(metric.current, metric.unit);
+    const qoq = formatChangeValue(
+      metric.prior_quarter_change,
+      metric.change_unit
+    );
+    const yoy = formatChangeValue(
+      metric.year_over_year_change,
+      metric.change_unit
+    );
+    lines.push(`- ${metric.label}: ${current}; QoQ change ${qoq}; YoY change ${yoy}`);
+  }
+  lines.push(
+    "",
+    "Chart-ready datasets included: quarterly_net_income_and_roa, net_interest_margin_by_asset_size, loans_and_deposits, credit_quality, loan_performance_by_portfolio, capital_ratios, community_banks_vs_industry.",
+    "",
+    "Known exclusions: official Problem Bank List counts, DIF accounting, assessment-rate distributions, and merger-adjusted community-bank prior-period series."
+  );
+  return truncateIfNeeded(
+    lines.join("\n"),
+    CHARACTER_LIMIT,
+    "Use structuredContent for the complete QBP Lite dataset."
+  );
+}
+function registerQbpLiteTools(server) {
+  server.registerTool(
+    "fdic_qbp_lite_data",
+    {
+      title: "Generate QBP Lite Data Bundle",
+      description: "Build chart-ready data for a concise QBP Lite report from reproducible public BankFind quarterly financials. Includes executive snapshot metrics, trend series, community-bank comparison data, source notes, and explicit exclusions for non-public or non-BankFind QBP items.",
+      inputSchema: QbpLiteSchema,
+      outputSchema: FdicAnalysisOutputSchema,
+      annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: true
+      }
+    },
+    async (params) => {
+      try {
+        const data = await buildQbpLiteData(params);
+        return {
+          content: [{ type: "text", text: formatQbpLiteText(data) }],
+          structuredContent: data
+        };
+      } catch (err) {
+        return formatToolError(err);
+      }
+    }
+  );
+}
+
+// src/tools/chatgptRetrieval.ts
+var import_zod22 = require("zod");
 
 // src/tools/shared/chatgptUrls.ts
 var FDIC_BANKFIND_BASE_URL = "https://banks.data.fdic.gov/bankfind-suite";
@@ -38771,11 +39334,11 @@ function getBranchCitationUrl() {
 }
 
 // src/tools/chatgptRetrieval.ts
-var SearchInputSchema = import_zod21.z.object({
-  query: import_zod21.z.string().min(1).describe("Natural-language search query.")
+var SearchInputSchema = import_zod22.z.object({
+  query: import_zod22.z.string().min(1).describe("Natural-language search query.")
 });
-var FetchInputSchema = import_zod21.z.object({
-  id: import_zod21.z.string().min(1).describe(
+var FetchInputSchema = import_zod22.z.object({
+  id: import_zod22.z.string().min(1).describe(
     "Retrieval item id, such as institution:<CERT>, failure:<CERT>, branch:<UNINUM>, or schema:<endpoint>."
   )
 });
@@ -39213,7 +39776,7 @@ function registerChatGptRetrievalTools(server, options = {}) {
 }
 
 // src/tools/chatgptBankDeepDive.ts
-var import_zod22 = require("zod");
+var import_zod23 = require("zod");
 
 // src/resources/chatgptAppResources.ts
 var BANK_DEEP_DIVE_WIDGET_URI = "ui://widget/fdic-bank-deep-dive-v1.html";
@@ -39474,9 +40037,9 @@ function registerChatGptAppResources(server) {
 }
 
 // src/tools/chatgptBankDeepDive.ts
-var BankDeepDiveInputSchema = import_zod22.z.object({
-  cert: import_zod22.z.number().int().positive().describe("FDIC Certificate Number of the institution to render."),
-  repdte: import_zod22.z.string().regex(/^\d{8}$/).optional().describe(
+var BankDeepDiveInputSchema = import_zod23.z.object({
+  cert: import_zod23.z.number().int().positive().describe("FDIC Certificate Number of the institution to render."),
+  repdte: import_zod23.z.string().regex(/^\d{8}$/).optional().describe(
     "Quarter-end report date in YYYYMMDD format. Defaults to the most recent likely published quarter."
   )
 });
@@ -39775,28 +40338,28 @@ function registerSchemaResources(server) {
 }
 
 // src/prompts/workflows.ts
-var import_zod23 = require("zod");
+var import_zod24 = require("zod");
 var BankDeepDiveArgs = {
-  bank: import_zod23.z.string().min(1).describe("Bank name or FDIC Certificate Number (CERT)."),
-  repdte: import_zod23.z.string().regex(/^\d{8}$/).optional().describe(
+  bank: import_zod24.z.string().min(1).describe("Bank name or FDIC Certificate Number (CERT)."),
+  repdte: import_zod24.z.string().regex(/^\d{8}$/).optional().describe(
     "Optional quarter-end report date in YYYYMMDD format (0331, 0630, 0930, or 1231)."
   )
 };
 var FailureForensicsArgs = {
-  bank: import_zod23.z.string().min(1).describe("Failed bank name or FDIC Certificate Number (CERT)."),
-  lookback_quarters: import_zod23.z.string().regex(/^\d+$/).optional().describe(
+  bank: import_zod24.z.string().min(1).describe("Failed bank name or FDIC Certificate Number (CERT)."),
+  lookback_quarters: import_zod24.z.string().regex(/^\d+$/).optional().describe(
     "Number of pre-failure quarters to reconstruct (default 12 if omitted)."
   )
 };
 var PortfolioSurveillanceArgs = {
-  scope: import_zod23.z.string().min(1).describe(
+  scope: import_zod24.z.string().min(1).describe(
     "Universe to screen \u2014 e.g., 'state:NC', 'asset_min:1000000,asset_max:10000000', or a comma-separated CERT list ('certs:3511,29846,...')."
   ),
-  repdte: import_zod23.z.string().regex(/^\d{8}$/).optional().describe("Optional quarter-end report date in YYYYMMDD format.")
+  repdte: import_zod24.z.string().regex(/^\d{8}$/).optional().describe("Optional quarter-end report date in YYYYMMDD format.")
 };
 var ExaminerOverlayArgs = {
-  bank: import_zod23.z.string().min(1).describe("Bank name or FDIC Certificate Number (CERT)."),
-  qualitative_notes: import_zod23.z.string().optional().describe(
+  bank: import_zod24.z.string().min(1).describe("Bank name or FDIC Certificate Number (CERT)."),
+  qualitative_notes: import_zod24.z.string().optional().describe(
     "Optional qualitative analyst inputs (management quality, governance, exam findings) to overlay onto the public proxy assessment."
   )
 };
@@ -39969,6 +40532,7 @@ function createServer(options = {}) {
     registerFranchiseFootprintTools(server);
     registerHoldingCompanyProfileTools(server);
     registerRegionalContextTools(server);
+    registerQbpLiteTools(server);
   }
   if (profile.chatgptCanonical || profile.chatgptAliases) {
     registerChatGptRetrievalTools(server, {
@@ -40020,6 +40584,21 @@ function parseAllowedOrigins(rawOrigins, port) {
 }
 var DEFAULT_SESSION_IDLE_TIMEOUT_MS = 30 * 60 * 1e3;
 var DEFAULT_SESSION_SWEEP_INTERVAL_MS = 5 * 60 * 1e3;
+var DEFAULT_MCP_RATE_LIMIT_MAX_REQUESTS = 120;
+var DEFAULT_MCP_RATE_LIMIT_WINDOW_MS = 6e4;
+var DEFAULT_MCP_STREAM_RATE_LIMIT_MAX_REQUESTS = 2;
+var DEFAULT_MCP_STREAM_RATE_LIMIT_WINDOW_MS = 60 * 60 * 1e3;
+var DEFAULT_MCP_MAX_CONCURRENT_STREAMS_PER_IP = 1;
+function parsePositiveInteger(rawValue, fallback, name) {
+  if (rawValue === void 0 || rawValue.trim().length === 0) {
+    return fallback;
+  }
+  const value = Number.parseInt(rawValue, 10);
+  if (!Number.isInteger(value) || value < 1) {
+    throw new Error(`${name} must be a positive integer. Received: ${rawValue}`);
+  }
+  return value;
+}
 async function closeSession(sessions, sessionId) {
   const session = sessions.get(sessionId);
   if (!session) {
@@ -40055,6 +40634,17 @@ function sendInvalidSessionResponse(res) {
     id: null
   });
 }
+function sendMcpRateLimitResponse(res, retryAfterSeconds) {
+  res.setHeader("Retry-After", String(retryAfterSeconds));
+  res.status(429).json({
+    jsonrpc: "2.0",
+    error: {
+      code: -32e3,
+      message: "Rate limit exceeded. Try again shortly."
+    },
+    id: null
+  });
+}
 function createApp(options = {}) {
   const app = (0, import_express2.default)();
   const serverFactory = options.serverFactory ?? (() => createServer());
@@ -40065,6 +40655,29 @@ function createApp(options = {}) {
   const sessionIdleTimeoutMs = options.sessionIdleTimeoutMs ?? DEFAULT_SESSION_IDLE_TIMEOUT_MS;
   const sessionSweepIntervalMs = options.sessionSweepIntervalMs ?? DEFAULT_SESSION_SWEEP_INTERVAL_MS;
   const stateless = options.stateless ?? process.env.FDIC_MCP_STATELESS_HTTP === "true";
+  const mcpRateLimiter = options.mcpRateLimiter ?? new RateLimiter({
+    maxRequests: parsePositiveInteger(
+      process.env.MCP_RATE_LIMIT_MAX_REQUESTS_PER_MINUTE,
+      DEFAULT_MCP_RATE_LIMIT_MAX_REQUESTS,
+      "MCP_RATE_LIMIT_MAX_REQUESTS_PER_MINUTE"
+    ),
+    windowMs: DEFAULT_MCP_RATE_LIMIT_WINDOW_MS
+  });
+  const mcpStreamRateLimiter = options.mcpStreamRateLimiter ?? new RateLimiter({
+    maxRequests: parsePositiveInteger(
+      process.env.MCP_STREAM_RATE_LIMIT_MAX_REQUESTS_PER_HOUR,
+      DEFAULT_MCP_STREAM_RATE_LIMIT_MAX_REQUESTS,
+      "MCP_STREAM_RATE_LIMIT_MAX_REQUESTS_PER_HOUR"
+    ),
+    windowMs: DEFAULT_MCP_STREAM_RATE_LIMIT_WINDOW_MS
+  });
+  const mcpStreamConcurrentLimiter = options.mcpStreamConcurrentLimiter ?? new ConcurrentLimiter(
+    parsePositiveInteger(
+      process.env.MCP_MAX_CONCURRENT_STREAMS_PER_IP,
+      DEFAULT_MCP_MAX_CONCURRENT_STREAMS_PER_IP,
+      "MCP_MAX_CONCURRENT_STREAMS_PER_IP"
+    )
+  );
   app.use(import_express2.default.json());
   if (!stateless) {
     const sessionSweepTimer = setInterval(() => {
@@ -40077,6 +40690,31 @@ function createApp(options = {}) {
     res.json({ status: "ok", server: "fdic-mcp-server", version: VERSION });
   });
   app.all("/mcp", async (req, res) => {
+    const requestIp = getRequestIp(req);
+    if (!mcpRateLimiter.check(requestIp)) {
+      sendMcpRateLimitResponse(
+        res,
+        Math.ceil(DEFAULT_MCP_RATE_LIMIT_WINDOW_MS / 1e3)
+      );
+      return;
+    }
+    if (req.method === "GET") {
+      const releaseStream = mcpStreamConcurrentLimiter.acquire(requestIp);
+      if (!releaseStream) {
+        sendMcpRateLimitResponse(res, 60);
+        return;
+      }
+      if (!mcpStreamRateLimiter.check(requestIp)) {
+        releaseStream();
+        sendMcpRateLimitResponse(
+          res,
+          Math.ceil(DEFAULT_MCP_STREAM_RATE_LIMIT_WINDOW_MS / 1e3)
+        );
+        return;
+      }
+      res.once("close", releaseStream);
+      res.once("finish", releaseStream);
+    }
     if (stateless) {
       let server;
       let transport;