poe-code 3.0.301 → 3.0.302

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "poe-code",
-  "version": "3.0.301",
+  "version": "3.0.302",
   "description": "CLI tool to configure Poe API for developer workflows.",
   "type": "module",
   "main": "./dist/index.js",

package/packages/tiny-http-mcp-server/dist/auth.js

@@ -66,6 +66,19 @@ function formatScope(scope) {
     }
     return scope.join(" ");
 }
+function hasBearerTokenWhitespace(value) {
+    for (const character of value) {
+        if (character === " "
+            || character === "\t"
+            || character === "\n"
+            || character === "\r"
+            || character === "\f"
+            || character === "\v") {
+            return true;
+        }
+    }
+    return false;
+}
 function readBearerToken(req) {
     const authorization = readSingleHeaderValue(req.headers.authorization);
     if (authorization === undefined || authorization.length === 0) {
@@ -80,7 +93,7 @@ function readBearerToken(req) {
     }
     const scheme = authorization.slice(0, separatorIndex);
     const token = authorization.slice(separatorIndex + 1).trim();
-    if (scheme.toLowerCase() !== "bearer" || token.length === 0 || token.includes(" ")) {
+    if (scheme.toLowerCase() !== "bearer" || token.length === 0 || hasBearerTokenWhitespace(token)) {
         return {
             kind: "malformed",
             errorDescription: "malformed bearer token",
@@ -153,7 +166,14 @@ function toRequestAuthInfo(verifiedToken, resource) {
     };
 }
 export function getProtectedResourceMetadataUrl(req, protectedResourcePath, trustedProxy = false) {
-    return new URL(`${PROTECTED_RESOURCE_METADATA_PATH}${normalizeProtectedResourcePath(protectedResourcePath)}`, `${getRequestProtocol(req, trustedProxy)}://${getRequestHost(req, trustedProxy)}`).toString();
+    const path = `${PROTECTED_RESOURCE_METADATA_PATH}${normalizeProtectedResourcePath(protectedResourcePath)}`;
+    const protocol = getRequestProtocol(req, trustedProxy);
+    try {
+        return new URL(path, `${protocol}://${getRequestHost(req, trustedProxy)}`).toString();
+    }
+    catch {
+        return new URL(path, `${protocol}://127.0.0.1`).toString();
+    }
 }
 export function createBearerChallenge(req, options = {}, protectedResourcePath, trustedProxy = false) {
     const parts = [

package/packages/tiny-http-mcp-server/dist/cli.js

@@ -73,7 +73,7 @@ function parsePort(value) {
     if (value === undefined) {
         return 3000;
     }
-    const port = Number(value);
+    const port = parseDecimalInteger(value, "--port");
     if (!Number.isInteger(port) || port < 0 || port > 65535) {
         throw new Error("--port must be an integer between 0 and 65535.");
     }
@@ -95,11 +95,24 @@ function parseOrigin(value, flagName) {
         throw new Error(`${flagName} must be an absolute URL.`);
     }
 }
+function parseDecimalInteger(value, flagName) {
+    const trimmed = value.trim();
+    if (trimmed.length === 0) {
+        throw new Error(`${flagName} must be an integer.`);
+    }
+    for (const character of trimmed) {
+        const codePoint = character.codePointAt(0);
+        if (codePoint === undefined || codePoint < 48 || codePoint > 57) {
+            throw new Error(`${flagName} must be an integer.`);
+        }
+    }
+    return Number(trimmed);
+}
 function parseOptionalInteger(value, flagName, minimum) {
     if (value === undefined) {
         return undefined;
     }
-    const parsed = Number(value);
+    const parsed = parseDecimalInteger(value, flagName);
     if (!Number.isInteger(parsed) || parsed < minimum) {
         throw new Error(`${flagName} must be an integer greater than or equal to ${minimum}.`);
     }
@@ -116,6 +129,23 @@ function hasConfiguredOAuthFlag(values) {
         values["oauth-verifier-export"],
     ].some((value) => value !== undefined);
 }
+function parseRepeatableStrings(value, flagName) {
+    if (!Array.isArray(value) || value.length === 0) {
+        return undefined;
+    }
+    const normalized = [];
+    for (const item of value) {
+        if (typeof item !== "string") {
+            throw new Error(`${flagName} must be provided as a string.`);
+        }
+        const trimmed = item.trim();
+        if (trimmed.length === 0) {
+            throw new Error(`${flagName} must not be blank.`);
+        }
+        normalized.push(trimmed);
+    }
+    return normalized;
+}
 function parseCliOAuthOptions(values) {
     const resource = values["oauth-resource"];
     const authorizationServers = values["oauth-authorization-server"];
@@ -134,21 +164,15 @@ function parseCliOAuthOptions(values) {
     if (typeof verifierModule !== "string" || verifierModule.length === 0) {
         throw new Error("--oauth-verifier-module is required when --oauth-resource is set.");
     }
-    const supportedScopes = values["oauth-supported-scope"];
-    const requiredScopes = values["oauth-required-scope"];
-    const bearerMethods = values["oauth-bearer-method"];
+    const supportedScopes = parseRepeatableStrings(values["oauth-supported-scope"], "--oauth-supported-scope");
+    const requiredScopes = parseRepeatableStrings(values["oauth-required-scope"], "--oauth-required-scope");
+    const bearerMethods = parseRepeatableStrings(values["oauth-bearer-method"], "--oauth-bearer-method");
     return {
         resource: parseAbsoluteUrl(resource, "--oauth-resource"),
         authorizationServers: authorizationServers.map((value) => parseAbsoluteUrl(value, "--oauth-authorization-server")),
-        ...(Array.isArray(requiredScopes) && requiredScopes.length > 0
-            ? { requiredScopes: [...requiredScopes] }
-            : {}),
-        ...(Array.isArray(supportedScopes) && supportedScopes.length > 0
-            ? { scopesSupported: [...supportedScopes] }
-            : {}),
-        ...(Array.isArray(bearerMethods) && bearerMethods.length > 0
-            ? { bearerMethodsSupported: [...bearerMethods] }
-            : {}),
+        ...(requiredScopes === undefined ? {} : { requiredScopes }),
+        ...(supportedScopes === undefined ? {} : { scopesSupported: supportedScopes }),
+        ...(bearerMethods === undefined ? {} : { bearerMethodsSupported: bearerMethods }),
         verifierModule,
         verifierExport: typeof verifierExport === "string" && verifierExport.length > 0
             ? verifierExport

package/packages/tiny-http-mcp-server/dist/http-transport.d.ts

@@ -134,6 +134,7 @@ export declare class StreamableHttpTransport {
     private acceptsHost;
     private normalizeHost;
     private acceptsConfiguredResponse;
+    private acceptsResponseType;
     private isValidNewSessionId;
     private isRequest;
     private isToolCallOk;

package/packages/tiny-http-mcp-server/dist/http-transport.js

@@ -8,6 +8,15 @@ const ALLOWED_METHODS = "POST, GET, DELETE, OPTIONS";
 const MCP_SESSION_ID_HEADER = "Mcp-Session-Id";
 const LOCAL_HOSTS = ["localhost", "127.0.0.1", "::1"];
 const DEFAULT_ALLOWED_HEADERS = "Accept, Authorization, Content-Type, Mcp-Session-Id, MCP-Protocol-Version";
+function validateOptionalIntegerOption(name, value, minimum) {
+    if (value === undefined) {
+        return undefined;
+    }
+    if (!Number.isInteger(value) || value < minimum) {
+        throw new Error(`${name} must be an integer greater than or equal to ${minimum}.`);
+    }
+    return value;
+}
 export class StreamableHttpTransport {
     server;
     runWithRequestContext;
@@ -44,13 +53,14 @@ export class StreamableHttpTransport {
         this.enableJsonResponse = options.enableJsonResponse ?? false;
         this.allowedOrigins = new Set(options.allowedOrigins ?? []);
         this.allowedHosts = new Set((options.allowedHosts ?? LOCAL_HOSTS).map((host) => this.normalizeHost(host)));
-        this.maxRequestBytes = options.maxRequestBytes;
-        this.maxBatchSize = options.maxBatchSize;
-        this.maxSessions = options.maxSessions;
-        this.sessionTtlMs = options.sessionTtlMs;
-        this.maxStreamsPerSession = options.maxStreamsPerSession;
-        this.maxSseEventHistory = options.maxSseEventHistory ?? 100;
-        this.maxConcurrentToolCalls = options.maxConcurrentToolCalls;
+        this.maxRequestBytes = validateOptionalIntegerOption("maxRequestBytes", options.maxRequestBytes, 1);
+        this.maxBatchSize = validateOptionalIntegerOption("maxBatchSize", options.maxBatchSize, 1);
+        this.maxSessions = validateOptionalIntegerOption("maxSessions", options.maxSessions, 1);
+        this.sessionTtlMs = validateOptionalIntegerOption("sessionTtlMs", options.sessionTtlMs, 1);
+        this.maxStreamsPerSession = validateOptionalIntegerOption("maxStreamsPerSession", options.maxStreamsPerSession, 1);
+        this.maxSseEventHistory =
+            validateOptionalIntegerOption("maxSseEventHistory", options.maxSseEventHistory, 0) ?? 100;
+        this.maxConcurrentToolCalls = validateOptionalIntegerOption("maxConcurrentToolCalls", options.maxConcurrentToolCalls, 1);
         this.sessionStore = options.sessionStore ?? createSessionStore();
         this.requestIdGenerator =
             options.requestIdGenerator ?? (() => `req-${this.nextRequestId++}`);
@@ -328,6 +338,10 @@ export class StreamableHttpTransport {
             });
             return;
         }
+        if (!this.acceptsResponseType(req, "text/event-stream")) {
+            this.respondWithStatus(res, 406);
+            return;
+        }
         const sessionId = this.readSessionId(req);
         if (sessionId === undefined) {
             this.respondWithStatus(res, 400);
@@ -673,11 +687,14 @@ export class StreamableHttpTransport {
             : normalized;
     }
     acceptsConfiguredResponse(req) {
+        const expectedType = this.enableJsonResponse ? "application/json" : "text/event-stream";
+        return this.acceptsResponseType(req, expectedType);
+    }
+    acceptsResponseType(req, expectedType) {
         const accept = req.headers.accept;
         if (accept === undefined) {
             return true;
         }
-        const expectedType = this.enableJsonResponse ? "application/json" : "text/event-stream";
         const value = Array.isArray(accept) ? accept.join(",") : accept;
         return value
             .split(",")