shabaaspay-mcp-server 1.0.1

package/dist/worker.js

@@ -0,0 +1,767 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const policy_js_1 = require("./security/policy.js");
+const webStandardStreamableHttp_js_1 = require("@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js");
+const index_js_1 = require("@modelcontextprotocol/sdk/server/index.js");
+const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
+const zod_to_json_schema_1 = require("zod-to-json-schema");
+const index_js_2 = require("./types/index.js");
+const SHABAAS_URLS = {
+    sandbox: 'https://sandbox.example.com',
+    production: 'https://api.example.com',
+};
+// Cache bearer token per worker instance
+let cachedBearer = null;
+let cachedFetchedAt = null;
+let resolvedPolicyCache = null;
+// Shared MCP transport/server for Worker HTTP streamable MCP
+const sharedMcpTransport = new webStandardStreamableHttp_js_1.WebStandardStreamableHTTPServerTransport();
+const sharedMcpServer = new index_js_1.Server({ name: 'shabaaspay-mcp', version: '1.0.1' }, { capabilities: { tools: {} } });
+let mcpHandlersInitialized = false;
+let currentMcpContext = null;
+exports.default = {
+    async fetch(request, env, ctx) {
+        const startTime = Date.now();
+        const requestId = `req_${startTime}_${Math.random().toString(36).slice(2, 8)}`;
+        // CORS preflight
+        if (request.method === 'OPTIONS') {
+            return corsResponse(env);
+        }
+        const url = new URL(request.url);
+        // Health check - no auth required
+        if (url.pathname === '/health') {
+            return jsonResponse({
+                status: 'healthy',
+                version: '1.0.0',
+                environment: env.SHABAAS_ENVIRONMENT,
+                timestamp: new Date().toISOString(),
+                cloudflare: true,
+            }, 200, env);
+        }
+        // List tools - no auth required
+        if (url.pathname === '/tools' && request.method === 'GET') {
+            return listTools(env);
+        }
+        if (url.pathname === '/mcp' && request.method === 'GET') {
+            return listTools(env);
+        }
+        // All other endpoints require authentication + policy
+        const authResult = await authenticate(request, env);
+        if (!authResult.success) {
+            return withRequestId(authResult.response, requestId);
+        }
+        const authToken = authResult.token;
+        const policyLookup = lookupPolicyFromEnv(authToken, env);
+        if (!policyLookup.policy) {
+            logStructured({
+                requestId,
+                clientId: undefined,
+                toolName: undefined,
+                statusCode: 403,
+                latencyMs: Date.now() - startTime,
+                rejection: policyLookup.rejection ?? 'forbidden',
+                path: url.pathname,
+                environment: env.SHABAAS_ENVIRONMENT,
+            });
+            return withRequestId(forbiddenResponse(env), requestId);
+        }
+        const policy = policyLookup.policy;
+        // Route request
+        try {
+            let response;
+            if (url.pathname === '/tools/execute' && request.method === 'POST') {
+                response = await handleToolsExecute(request, env, policy, authToken, requestId, startTime);
+            }
+            else if (url.pathname === '/mcp' && request.method === 'POST') {
+                response = await handleMcp(request, env, policy, authToken, requestId, startTime);
+            }
+            else if (url.pathname.startsWith('/api/')) {
+                // Direct API proxy
+                response = await proxyToShaBaas(request, env);
+            }
+            else {
+                return withRequestId(jsonResponse({
+                    error: 'Not found',
+                    message: `Endpoint ${request.method} ${url.pathname} does not exist`,
+                }, 404, env), requestId);
+            }
+            // Add headers
+            const headers = new Headers(response.headers);
+            headers.set('X-Processing-Time', `${Date.now() - startTime}ms`);
+            headers.set('X-Request-Id', requestId);
+            const wrapped = new Response(response.body, {
+                status: response.status,
+                headers,
+            });
+            logStructured({
+                requestId,
+                clientId: policy.client_id,
+                toolName: undefined,
+                statusCode: response.status,
+                latencyMs: Date.now() - startTime,
+                path: url.pathname,
+                environment: env.SHABAAS_ENVIRONMENT,
+            });
+            return wrapped;
+        }
+        catch (error) {
+            console.error('Error:', error);
+            logStructured({
+                requestId,
+                clientId: undefined,
+                toolName: undefined,
+                statusCode: 500,
+                latencyMs: Date.now() - startTime,
+                rejection: 'internal_error',
+            });
+            return withRequestId(errorResponse('Internal server error', env), requestId);
+        }
+    },
+};
+async function authenticate(request, env) {
+    const authHeader = request.headers.get('Authorization');
+    if (!authHeader) {
+        return {
+            success: false,
+            response: jsonResponse({
+                error: 'Authentication required',
+                message: 'Provide the ShaBaas auth UUID in the Authorization header.',
+                hint: 'Use: Authorization: <your_uuid>',
+            }, 401, env),
+        };
+    }
+    const token = authHeader.replace(/^Bearer\s+/i, '').trim();
+    if (!token) {
+        return {
+            success: false,
+            response: jsonResponse({
+                error: 'Invalid UUID',
+                message: 'Authorization header must contain a UUID for ShaBaas authorization.',
+            }, 403, env),
+        };
+    }
+    return { success: true, token };
+}
+function getClientIdentifier(request) {
+    return request.headers.get('CF-Connecting-IP') ||
+        request.headers.get('X-Forwarded-For') ||
+        'unknown';
+}
+async function listTools(env) {
+    const prod = env.SHABAAS_ENVIRONMENT === 'production';
+    const toolsList = [
+        {
+            name: 'get_payment_agreement',
+            description: 'Retrieve payment agreement details with AI insights',
+            method: 'POST',
+            endpoint: '/tools/execute',
+            example: {
+                tool: 'get_payment_agreement',
+                arguments: { payment_agreement_id: '2882PA20251227045450257' }
+            }
+        },
+        {
+            name: 'create_payment_agreement',
+            description: 'Create a new payment agreement',
+            method: 'POST',
+            endpoint: '/tools/execute',
+        },
+        {
+            name: 'initiate_payment',
+            description: 'Initiate a payment against an agreement',
+            method: 'POST',
+            endpoint: '/tools/execute',
+        },
+        {
+            name: 'get_payment_initiation',
+            description: 'Retrieve payment initiation by ID',
+            method: 'POST',
+            endpoint: '/tools/execute',
+        },
+    ];
+    // Exclude get_auth_token in production
+    if (!prod) {
+        toolsList.push({
+            name: 'get_auth_token',
+            description: 'Get ShaBaas API authorization token',
+            method: 'POST',
+            endpoint: '/tools/execute',
+            example: {
+                tool: 'get_auth_token',
+                arguments: { uuid: 'your-uuid-here' }
+            },
+        });
+    }
+    return jsonResponse({
+        tools: toolsList,
+        direct_api_access: {
+            description: 'You can also call ShaBaas API directly through this proxy',
+            base_url: '/api',
+            example: 'POST /api/public/authorization'
+        }
+    }, 200, env);
+}
+async function executeToolProxy(request, env, policy, authToken, requestId) {
+    const body = await request.json();
+    const { tool, arguments: args } = body;
+    const outcome = await runToolInvocation(tool, args, env, policy, authToken, requestId);
+    return withRequestId(jsonResponse(outcome.body, outcome.status, env), requestId);
+}
+async function getAuthToken(args, baseUrl, env) {
+    try {
+        const uuid = args?.uuid;
+        if (!uuid) {
+            return jsonResponse({
+                error: 'Missing uuid',
+                message: 'Provide the ShaBaas auth UUID in the Authorization header.',
+            }, 400, env);
+        }
+        const token = await getShaBaasBearer(env, baseUrl, uuid);
+        return jsonResponse({
+            success: true,
+            data: { fetched_at: new Date().toISOString() },
+            insights: {
+                status: 'success',
+                message: 'Bearer token fetched successfully and cached inside the worker.',
+            },
+        }, 200, env);
+    }
+    catch (error) {
+        return jsonResponse({
+            error: 'Authorization failed',
+            message: error.message,
+        }, 500, env);
+    }
+}
+async function getPaymentAgreement(args, baseUrl, env, bearer) {
+    if (!args.payment_agreement_id) {
+        return jsonResponse({
+            error: 'Missing payment_agreement_id',
+            message: 'payment_agreement_id is required',
+        }, 400, env);
+    }
+    try {
+        const response = await fetch(`${baseUrl}/api/public/payment_agreement?id=${args.payment_agreement_id}`, {
+            headers: {
+                'Authorization': bearer,
+                'Content-Type': 'application/json',
+            },
+        });
+        const data = (await response.json());
+        // Enrich the response
+        if (response.ok && data.data) {
+            const agreement = data.data;
+            return jsonResponse({
+                success: true,
+                data: agreement,
+                insights: {
+                    status: agreement.status,
+                    canInitiatePayment: agreement.status === 'active',
+                    nextActions: agreement.status === 'active'
+                        ? ['initiate_payment', 'cancel_payment_agreement']
+                        : ['resend_payment_agreement'],
+                    summary: generateSummary(agreement),
+                },
+            }, 200, env);
+        }
+        return jsonResponse(data, response.status, env);
+    }
+    catch (error) {
+        return jsonResponse({
+            error: 'Request failed',
+            message: 'An error occurred',
+        }, 500, env);
+    }
+}
+async function createPaymentAgreement(args, baseUrl, env, bearer) {
+    if (!args.idempotency_key) {
+        return jsonResponse({
+            error: 'Invalid request',
+            message: 'idempotency_key is required',
+        }, 400, env);
+    }
+    try {
+        const response = await fetch(`${baseUrl}/api/public/payment_agreement`, {
+            method: 'POST',
+            headers: {
+                'Authorization': bearer,
+                'Content-Type': 'application/json',
+                'Idempotency-Key': args.idempotency_key,
+            },
+            body: JSON.stringify({
+                maximum_amount: args.maximum_amount,
+                end_date: args.end_date,
+                customer_reference: args.customer_reference,
+            }),
+        });
+        const data = (await response.json());
+        return jsonResponse({
+            success: response.ok,
+            data: data.data,
+            insights: {
+                status: 'pending',
+                message: 'Payment agreement created. Customer must approve it.',
+                nextActions: ['get_payment_agreement', 'resend_payment_agreement'],
+            },
+        }, response.status, env);
+    }
+    catch (error) {
+        return jsonResponse({
+            error: 'Request failed',
+            message: 'An error occurred',
+        }, 500, env);
+    }
+}
+async function initiatePayment(args, baseUrl, env, bearer, requestId) {
+    const amountNum = Number(args.amount);
+    if (!Number.isFinite(amountNum) || amountNum <= 0) {
+        return withRequestId(jsonResponse({ error: 'Invalid amount', message: 'Amount must be greater than zero' }, 400, env), requestId);
+    }
+    if (!args.idempotency_key) {
+        return withRequestId(jsonResponse({ error: 'Invalid request', message: 'idempotency_key is required' }, 400, env), requestId);
+    }
+    try {
+        const response = await fetch(`${baseUrl}/api/public/payment_initiation`, {
+            method: 'POST',
+            headers: {
+                'Authorization': bearer,
+                'Content-Type': 'application/json',
+                'Idempotency-Key': args.idempotency_key,
+            },
+            body: JSON.stringify({
+                payment_initiation: {
+                    payment_agreement_id: args.payment_agreement_id,
+                    amount: amountNum,
+                    description: args.description,
+                },
+            }),
+        });
+        const data = response.ok ? (await response.json()) : undefined;
+        return jsonResponse({
+            success: response.ok,
+            data: data?.data,
+            insights: {
+                status: data?.data?.status || 'unknown',
+                message: response.ok ? 'Payment initiated successfully' : 'Payment initiation failed',
+            },
+        }, response.status, env);
+    }
+    catch (error) {
+        return jsonResponse({
+            error: 'Request failed',
+            message: 'An error occurred',
+        }, 500, env);
+    }
+}
+async function getPaymentInitiation(args, baseUrl, env, bearer) {
+    if (!args.payment_initiation_id) {
+        return jsonResponse({
+            error: 'Missing payment_initiation_id',
+            message: 'payment_initiation_id is required',
+        }, 400, env);
+    }
+    try {
+        const response = await fetch(`${baseUrl}/api/public/payment_initiation?id=${args.payment_initiation_id}`, {
+            headers: {
+                Authorization: bearer,
+                'Content-Type': 'application/json',
+            },
+        });
+        const data = await response.json();
+        return jsonResponse({
+            success: response.ok,
+            data: data?.data,
+            insights: {
+                status: data?.data?.status || 'unknown',
+                canProceed: data?.data?.status === 'acsc',
+                nextActions: ['get_payment_initiation'],
+            },
+        }, response.status, env);
+    }
+    catch (error) {
+        return jsonResponse({
+            error: 'Request failed',
+            message: 'An error occurred',
+        }, 500, env);
+    }
+}
+async function proxyToShaBaas(request, env) {
+    const url = new URL(request.url);
+    const baseUrl = SHABAAS_URLS[env.SHABAAS_ENVIRONMENT];
+    // Forward the request to ShaBaas API
+    const shabaasUrl = `${baseUrl}${url.pathname}${url.search}`;
+    const headers = new Headers(request.headers);
+    headers.set('Host', new URL(baseUrl).host);
+    const response = await fetch(shabaasUrl, {
+        method: request.method,
+        headers,
+        body: request.body,
+    });
+    return new Response(response.body, {
+        status: response.status,
+        headers: corsHeaders(env),
+    });
+}
+function isWriteTool(toolName) {
+    return toolName === 'create_payment_agreement' || toolName === 'initiate_payment';
+}
+function validateWriteConstraints(toolName, args, env, requestId) {
+    if (!isWriteTool(toolName))
+        return undefined;
+    if (!args?.idempotency_key) {
+        return withRequestId(jsonResponse({ error: 'Invalid request', message: 'idempotency_key is required' }, 400, env), requestId);
+    }
+    if (toolName === 'initiate_payment') {
+        const amountNum = Number(args?.amount);
+        if (!Number.isFinite(amountNum) || amountNum <= 0) {
+            return withRequestId(jsonResponse({ error: 'Invalid amount', message: 'Amount must be greater than zero' }, 400, env), requestId);
+        }
+    }
+    return undefined;
+}
+async function runToolInvocation(toolName, args, env, policy, authToken, requestId) {
+    if (!(0, policy_js_1.isToolAllowed)(policy, toolName)) {
+        return {
+            status: 403,
+            body: { error: 'Forbidden', message: 'Tool not permitted' },
+            toolName,
+        };
+    }
+    const precheck = validateWriteConstraints(toolName, args, env, requestId);
+    if (precheck) {
+        return {
+            status: precheck.status,
+            body: JSON.parse(await precheck.clone().text()),
+            toolName,
+        };
+    }
+    const baseUrl = SHABAAS_URLS[env.SHABAAS_ENVIRONMENT];
+    const uuid = args?.uuid || authToken;
+    if (!uuid) {
+        return {
+            status: 401,
+            body: { error: 'Invalid credentials', message: 'UUID is required' },
+            toolName,
+        };
+    }
+    const bearer = await getShaBaasBearer(env, baseUrl, uuid);
+    let resp;
+    switch (toolName) {
+        case 'get_auth_token':
+            if (!(0, policy_js_1.isAdmin)(policy) || env.SHABAAS_ENVIRONMENT === 'production') {
+                return {
+                    status: 403,
+                    body: { error: 'Forbidden', message: 'Tool not permitted' },
+                    toolName,
+                };
+            }
+            resp = await getAuthToken(args, baseUrl, env);
+            break;
+        case 'get_payment_agreement':
+            resp = await getPaymentAgreement(args, baseUrl, env, bearer);
+            break;
+        case 'create_payment_agreement':
+            resp = await createPaymentAgreement(args, baseUrl, env, bearer);
+            break;
+        case 'initiate_payment':
+            resp = await initiatePayment(args, baseUrl, env, bearer, requestId);
+            break;
+        case 'get_payment_initiation':
+            resp = await getPaymentInitiation(args, baseUrl, env, bearer);
+            break;
+        default:
+            return {
+                status: 404,
+                body: { error: 'Unknown tool', message: `Tool "${toolName}" does not exist` },
+                toolName,
+            };
+    }
+    const parsed = await parseResponse(resp);
+    return { status: resp.status, body: parsed, toolName };
+}
+async function parseResponse(resp) {
+    try {
+        const text = await resp.text();
+        return text ? JSON.parse(text) : {};
+    }
+    catch {
+        return { error: 'Invalid response payload' };
+    }
+}
+function generateSummary(agreement) {
+    const parts = [];
+    parts.push(`Payment agreement ${agreement.payment_agreement_id} is ${agreement.status}`);
+    parts.push(`with maximum amount $${agreement.maximum_amount}`);
+    if (agreement.end_date) {
+        parts.push(`expires on ${agreement.end_date}`);
+    }
+    return parts.join(', ') + '.';
+}
+function corsHeaders(env) {
+    const origins = env.ALLOWED_ORIGINS.split(',');
+    const allowOrigin = origins.includes('*') ? '*' : origins[0];
+    return {
+        'Content-Type': 'application/json',
+        'Access-Control-Allow-Origin': allowOrigin,
+        'Access-Control-Allow-Methods': 'GET, POST, OPTIONS, DELETE, PATCH',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+        'Access-Control-Max-Age': '86400',
+    };
+}
+function corsResponse(env) {
+    return new Response(null, {
+        status: 204,
+        headers: corsHeaders(env),
+    });
+}
+function jsonResponse(data, status, env) {
+    return new Response(JSON.stringify(data, null, 2), {
+        status,
+        headers: corsHeaders(env),
+    });
+}
+function errorResponse(message, env) {
+    return jsonResponse({
+        error: 'Internal server error',
+        message,
+    }, 500, env);
+}
+async function handleToolsExecute(request, env, policy, authToken, requestId, startTime) {
+    let body;
+    try {
+        body = await request.json();
+    }
+    catch {
+        return withRequestId(jsonResponse({ error: 'Invalid JSON body', message: 'Provide a valid JSON payload' }, 400, env), requestId);
+    }
+    const { tool, arguments: args } = body || {};
+    if (!tool) {
+        return withRequestId(jsonResponse({ error: 'Invalid request', message: 'tool is required' }, 400, env), requestId);
+    }
+    const outcome = await runToolInvocation(tool, args, env, policy, authToken, requestId);
+    logStructured({
+        requestId,
+        clientId: policy.client_id,
+        toolName: tool,
+        statusCode: outcome.status,
+        latencyMs: Date.now() - startTime,
+        path: '/tools/execute',
+        environment: env.SHABAAS_ENVIRONMENT,
+        rejection: outcome.status >= 400 ? 'tool_error' : undefined,
+    });
+    return withRequestId(jsonResponse(outcome.body, outcome.status, env), requestId);
+}
+async function handleMcp(request, env, policy, authToken, requestId, startTime) {
+    await ensureMcpHandlersInitialized();
+    currentMcpContext = { policy, authToken, requestId, env };
+    try {
+        const mcpResponse = await sharedMcpTransport.handleRequest(request);
+        const headers = new Headers(mcpResponse.headers);
+        const cors = corsHeaders(env);
+        Object.entries(cors).forEach(([k, v]) => headers.set(k, v));
+        headers.set('X-Request-Id', requestId);
+        headers.set('X-Processing-Time', `${Date.now() - startTime}ms`);
+        return new Response(mcpResponse.body, { status: mcpResponse.status, headers });
+    }
+    finally {
+        currentMcpContext = null;
+    }
+}
+function forbiddenResponse(env) {
+    return jsonResponse({
+        error: 'Forbidden',
+        message: 'Access denied',
+    }, 403, env);
+}
+function normalizeBearer(token) {
+    return token.toLowerCase().startsWith('bearer ') ? token : `Bearer ${token}`;
+}
+function withRequestId(resp, requestId) {
+    const headers = new Headers(resp.headers);
+    headers.set('X-Request-Id', requestId);
+    return new Response(resp.body, { status: resp.status, headers });
+}
+function logStructured(entry) {
+    const line = JSON.stringify(entry);
+    if (entry.statusCode >= 400) {
+        console.error(line);
+    }
+    else {
+        console.log(line);
+    }
+}
+async function getShaBaasBearer(env, baseUrl, uuid) {
+    const maxAgeMinutes = Number(env.AUTH_TOKEN_MAX_AGE_MINUTES) || 50;
+    if (cachedBearer && cachedFetchedAt) {
+        const ageMs = Date.now() - cachedFetchedAt;
+        if (ageMs < maxAgeMinutes * 60 * 1000) {
+            return cachedBearer;
+        }
+    }
+    if (!uuid) {
+        throw new Error('Missing ShaBaas auth UUID');
+    }
+    const response = await fetch(`${baseUrl}/api/public/authorization`, {
+        method: 'POST',
+        headers: {
+            'Authorization': uuid,
+            'accept': 'application/json',
+        },
+    });
+    const data = await response.json();
+    if (!response.ok) {
+        throw new Error(data?.message || 'Failed to obtain bearer token');
+    }
+    const rawToken = data?.data?.token ||
+        data?.data?.access_token ||
+        data?.token ||
+        data?.access_token;
+    if (!rawToken || typeof rawToken !== 'string') {
+        throw new Error('Authorization succeeded but no token was returned.');
+    }
+    cachedBearer = normalizeBearer(rawToken);
+    cachedFetchedAt = Date.now();
+    return cachedBearer;
+}
+function buildAllowedToolsList(policy, env) {
+    const allTools = [
+        {
+            name: 'get_payment_agreement',
+            description: 'Retrieve payment agreement details with AI insights',
+            inputSchema: (0, zod_to_json_schema_1.zodToJsonSchema)(index_js_2.GetPaymentAgreementInputSchema),
+        },
+        {
+            name: 'create_payment_agreement',
+            description: 'Create a new payment agreement',
+            inputSchema: (0, zod_to_json_schema_1.zodToJsonSchema)(index_js_2.CreatePaymentAgreementInputSchema),
+        },
+        {
+            name: 'initiate_payment',
+            description: 'Initiate a payment against an agreement',
+            inputSchema: (0, zod_to_json_schema_1.zodToJsonSchema)(index_js_2.InitiatePaymentInputSchema),
+        },
+        {
+            name: 'get_payment_initiation',
+            description: 'Retrieve payment initiation by ID',
+            inputSchema: { type: 'object', properties: { payment_initiation_id: { type: 'string' } } },
+        },
+        ...(env.SHABAAS_ENVIRONMENT === 'production'
+            ? []
+            : [{
+                    name: 'get_auth_token',
+                    description: 'Get ShaBaas API authorization token',
+                    inputSchema: { type: 'object', properties: { uuid: { type: 'string' } } },
+                }]),
+    ];
+    return allTools.filter(t => (0, policy_js_1.isToolAllowed)(policy, t.name));
+}
+function normalizeEnvName(name) {
+    if (!name)
+        return undefined;
+    const lower = name.toLowerCase();
+    if (lower === 'sandbox' || lower === 'staging')
+        return 'sandbox';
+    if (lower === 'production' || lower === 'prod')
+        return 'production';
+    return undefined;
+}
+function resolvePolicyTable(env) {
+    if (resolvedPolicyCache)
+        return resolvedPolicyCache;
+    if (!env.POLICY_TABLE_JSON) {
+        throw new Error('POLICY_TABLE_JSON is not set');
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(env.POLICY_TABLE_JSON);
+    }
+    catch {
+        throw new Error('POLICY_TABLE_JSON is invalid JSON');
+    }
+    const resolved = {};
+    for (const [clientId, policy] of Object.entries(parsed)) {
+        const secretName = policy.uuid_secret;
+        const environment = normalizeEnvName(policy.environment);
+        if (!secretName) {
+            throw new Error(`Missing uuid_secret for client ${clientId}`);
+        }
+        if (!environment) {
+            throw new Error(`Invalid environment for client ${clientId}`);
+        }
+        const uuid = env[secretName];
+        if (!uuid) {
+            throw new Error(`Missing secret ${secretName} for client ${clientId}`);
+        }
+        resolved[uuid] = {
+            client_id: clientId,
+            status: policy.status === 'active' ? 'active' : 'suspended',
+            allowed_tools: Array.isArray(policy.allowed_tools) ? policy.allowed_tools : [],
+            environment,
+            admin: !!policy.admin,
+        };
+    }
+    resolvedPolicyCache = resolved;
+    return resolved;
+}
+function lookupPolicyFromEnv(token, env) {
+    let map;
+    try {
+        map = resolvePolicyTable(env);
+    }
+    catch (err) {
+        return { policy: undefined, rejection: err.message || 'policy_load_failed' };
+    }
+    const policy = map[token];
+    if (!policy)
+        return { policy: undefined, rejection: 'unknown_client' };
+    if (policy.status !== 'active')
+        return { policy: undefined, rejection: 'suspended' };
+    const envNorm = normalizeEnvName(env.SHABAAS_ENVIRONMENT);
+    if (!envNorm || policy.environment !== envNorm) {
+        return { policy: undefined, rejection: 'environment_mismatch' };
+    }
+    return { policy, rejection: undefined };
+}
+async function ensureMcpHandlersInitialized() {
+    if (mcpHandlersInitialized)
+        return;
+    sharedMcpServer.setRequestHandler(types_js_1.ListToolsRequestSchema, async () => {
+        if (!currentMcpContext) {
+            throw new Error('Unauthorized');
+        }
+        const { policy, env } = currentMcpContext;
+        return { tools: buildAllowedToolsList(policy, env) };
+    });
+    sharedMcpServer.setRequestHandler(types_js_1.CallToolRequestSchema, async (reqMessage) => {
+        if (!currentMcpContext) {
+            throw new Error('Unauthorized');
+        }
+        const { policy, authToken, requestId, env } = currentMcpContext;
+        const toolName = reqMessage.params.name;
+        const args = reqMessage.params.arguments ?? {};
+        const outcome = await runToolInvocation(toolName, args, env, policy, authToken, requestId);
+        logStructured({
+            requestId,
+            clientId: policy.client_id,
+            toolName,
+            statusCode: outcome.status,
+            latencyMs: 0,
+            path: '/mcp',
+            environment: env.SHABAAS_ENVIRONMENT,
+            rejection: outcome.status >= 400 ? 'tool_error' : undefined,
+        });
+        if (outcome.status >= 400) {
+            throw new Error(outcome.body?.message || 'Tool execution failed');
+        }
+        return {
+            content: [
+                {
+                    type: 'text',
+                    text: JSON.stringify(outcome.body, null, 2),
+                },
+            ],
+        };
+    });
+    await sharedMcpServer.connect(sharedMcpTransport);
+    mcpHandlersInitialized = true;
+}