sprinklr-mcp 0.1.0

package/.env.example

@@ -0,0 +1,27 @@
+# =====================================================================
+# Sprinklr MCP Server Configuration
+# Copy to .env and fill in all values. NEVER commit .env to git.
+# =====================================================================
+
+# --- Sprinklr API Credentials ---
+# Environment: prod, prod2, prod3, prod4, prod8, etc.
+SPRINKLR_ENV=prod4
+
+# From Developer Tools in Sprinklr (Manage API Key/Token)
+SPRINKLR_API_KEY=
+SPRINKLR_API_SECRET=
+
+# From OAuth flow
+SPRINKLR_ACCESS_TOKEN=
+SPRINKLR_REFRESH_TOKEN=
+
+# Must match what you set during app creation
+SPRINKLR_REDIRECT_URI=https://www.google.com
+
+# --- Server Configuration ---
+# Public URL where this server is hosted (needed for OAuth metadata)
+# Example: https://sprinklr-mcp-xxxx.up.railway.app
+SERVER_URL=
+
+# Port (Railway/Render auto-assign via PORT env var)
+PORT=3000

package/README.md

@@ -0,0 +1,270 @@
+# Sprinklr MCP Server
+
+An open-source [MCP](https://modelcontextprotocol.io/) server that gives AI assistants **read-only** access to your Sprinklr data. Works with Claude, ChatGPT, Copilot, Cursor, or any MCP-compatible client.
+
+**How it works:** You deploy this server with your Sprinklr API credentials. Your AI assistant connects to it via MCP and can query reports, search cases, and call any read-only Sprinklr API endpoint --- using your existing permissions. No new access surface, no data leaves your infrastructure.
+
+## Table of Contents
+
+- [Quick Start](#quick-start)
+- [What You Can Do](#what-you-can-do)
+- [Deployment](#deployment)
+- [Full Setup Guide](#full-setup-guide)
+- [Token Lifecycle](#token-lifecycle)
+- [Security](#security)
+- [Troubleshooting](#troubleshooting)
+- [Contributing](#contributing)
+- [Links](#links)
+
+## Quick Start
+
+### Option A: npm package (fastest)
+
+```bash
+npm install -g sprinklr-mcp
+```
+
+Create a `.env` file in your working directory with your Sprinklr credentials (see [`.env.example`](.env.example) for the template), then run:
+
+```bash
+sprinklr-mcp
+```
+
+> **Do not pass credentials as inline environment variables.** They will be saved in your shell history.
+
+### Option B: Clone and configure
+
+```bash
+git clone https://github.com/daiict218/sprinklr-mcp.git
+cd sprinklr-mcp
+npm install
+cp .env.example .env        # fill in your Sprinklr credentials
+npm test                     # verify connectivity
+npm start                    # server runs on port 3000
+```
+
+Then connect your AI client:
+
+| Client | How |
+|--------|-----|
+| **Claude.ai** | Settings > Connectors > Add custom connector > `https://your-url/sse` |
+| **Claude Desktop** | Add to config: `{"mcpServers":{"sprinklr":{"url":"http://localhost:3000/sse"}}}` |
+| **Cursor / Others** | Point to `/sse` (SSE) or `/mcp` (Streamable HTTP) |
+
+**Need Sprinklr API credentials?** See [Full Setup Guide](#full-setup-guide) below.
+
+## What You Can Do
+
+| Tool | Description |
+|------|-------------|
+| `sprinklr_report` | Run any reporting dashboard query via API v2 payload |
+| `sprinklr_search_cases` | Search CARE tickets by text, case number, or status |
+| `sprinklr_raw_api` | GET any Sprinklr v2 endpoint (scoped by your token's permissions) |
+| `sprinklr_me` | Check authenticated user profile / verify connectivity |
+| `sprinklr_token_status` | Check connection status and tenant info |
+
+**Example:** Open a Sprinklr dashboard > click three dots on a widget > **"Generate API v2 Payload"** > copy the JSON > ask your AI assistant: *"Pull this reporting data: {paste payload}"*
+
+## Deployment
+
+Deploy to any Node.js host (Render, Railway, Fly.io, AWS, on-prem). Set all env vars from `.env` and run `npm start`.
+
+For Render free tier, set `SERVER_URL` to your Render URL --- the server self-pings every 14 minutes to prevent spin-down.
+
+**Cost model:** You deploy, you authenticate, you pay for your own LLM subscription. Zero cost on Sprinklr's side.
+
+**Note:** This server has no built-in auth --- deploy on a private network or behind a reverse proxy. See [Security](#security).
+
+---
+
+## Full Setup Guide
+
+### Prerequisites
+
+- Node.js 18+
+- Sprinklr account with API access
+- Admin or platform-level role to create developer apps
+
+### Step 1: Find Your Sprinklr Environment
+
+Each Sprinklr instance runs on a specific environment. Your API keys and tokens are tied to that environment and cannot be used across others.
+
+1. Log into Sprinklr in your browser
+2. Open browser DevTools (**F12** or right-click > **Inspect**)
+3. Press **Ctrl+F** (Windows) or **Cmd+F** (Mac) to search
+4. Search for `sentry-environment`
+5. The value (e.g., `prod4`) is your environment
+
+Common environments: `prod`, `prod2`, `prod3`, `prod4`, `prod8`.
+
+**Note:** The `prod` environment has **no path prefix** in API URLs. All others include the environment name in the path.
+
+### Step 2: Create a Sprinklr Developer App
+
+1. Open Sprinklr > **All Settings** > **Manage Customer** > **Developer Apps**
+2. Click **"+ Create App"** and fill in the details
+3. Set the **Callback URL** to `https://www.google.com` (or any URL you control)
+
+Alternatively, use the [Developer Portal](https://dev.sprinklr.com): register, go to **Apps** > **+ New App** > fill in the form.
+
+### Step 3: Generate API Key and Secret
+
+1. In **Developer Apps**, find your app > **three dots** > **"Manage API Key/Token"**
+2. Click **"+ API Key"**
+3. **Copy both the API Key and Secret immediately** --- the Secret is only shown once
+
+If you lose the Secret, you must generate a new pair.
+
+### Step 4: Ensure Required Permissions
+
+The authorizing user needs **Generate Token** and **Generate API v2 Payload** permissions. These are managed in **All Settings > Platform Setup > Governance Console > Workspace/Global Roles**.
+
+### Step 5: Generate OAuth Tokens
+
+#### Step 5a: Get an Authorization Code
+
+Open this URL in your browser (must be logged into Sprinklr):
+
+```
+https://api2.sprinklr.com/{ENV}/oauth/authorize?client_id={YOUR_API_KEY}&response_type=code&redirect_uri=https://www.google.com
+```
+
+For `prod`, omit `{ENV}/`. The `redirect_uri` must exactly match your app's Callback URL.
+
+The browser redirects to `https://www.google.com/?code=XXXXX`. Copy the `code` value.
+
+**Codes expire in 10 minutes** --- proceed immediately.
+
+#### Step 5b: Exchange the Code for Tokens
+
+```bash
+curl -s -X POST "https://api2.sprinklr.com/{ENV}/oauth/token" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "client_id={YOUR_API_KEY}" \
+  -d "client_secret={YOUR_API_SECRET}" \
+  -d "code={YOUR_CODE}" \
+  -d "grant_type=authorization_code" \
+  -d "redirect_uri=https://www.google.com"
+```
+
+Returns `access_token` and `refresh_token`. Save both.
+
+**Alternative:** Generate tokens directly from the Sprinklr UI via **Developer Apps > Your App > Manage API Key/Token > Generate Token**.
+
+### Step 6: Clone and Configure
+
+```bash
+git clone https://github.com/daiict218/sprinklr-mcp.git
+cd sprinklr-mcp
+npm install
+cp .env.example .env
+```
+
+Fill in your `.env` with values from the previous steps. See `.env.example` for the template.
+
+### Step 7: Test and Start
+
+```bash
+npm test   # verify Sprinklr connectivity
+npm start  # start the server on port 3000
+```
+
+Endpoints:
+- **SSE:** `GET /sse` + `POST /messages` (Claude.ai connectors)
+- **Streamable HTTP:** `POST/GET/DELETE /mcp`
+- **Health:** `GET /health`
+
+## Token Lifecycle
+
+| Token | Expiry | Notes |
+|-------|--------|-------|
+| Authorization code | 10 minutes | One-time use |
+| Access token | ~30 days | Tied to environment |
+| Refresh token | No expiry | **Single-use** --- each refresh invalidates the old one |
+
+The server auto-refreshes on 401, but stores new tokens **in memory only**. If the server restarts, it re-reads from env vars. Update your env vars after a refresh, or re-run the OAuth flow if tokens go stale.
+
+**One token per API key.** If multiple instances share an API key, one refreshing will invalidate the others. Use separate API keys per instance.
+
+## Security
+
+### Architecture
+
+This MCP server is built entirely on top of Sprinklr's existing public REST APIs. It does not create any new access surface, bypass any Sprinklr access controls, or touch internal systems. Every request goes through Sprinklr's standard API gateway with the same authentication, authorization, and rate limiting that applies to any direct API consumer.
+
+Because of this:
+
+- **No Sprinklr security review required.** This is equivalent to a customer using Sprinklr APIs directly --- same endpoints, same credentials, same access controls.
+- **Customer security teams should review.** As with any API integration, the deploying organization should review the connector as part of their standard security process.
+
+### Deployment Model
+
+The intended deployment model keeps all sensitive data within the customer's own infrastructure:
+
+1. **Customer deploys the server** on their own infrastructure (Render, Railway, AWS, on-prem).
+2. **Customer authenticates with their own Sprinklr credentials.** No credentials are shared with or stored by Sprinklr.
+3. **LLM costs sit with the customer** --- they use their own Claude, ChatGPT, or Copilot subscription.
+
+Sprinklr publishes the open-source connector code. Customers deploy, authenticate, and run it themselves. Zero infrastructure or AI cost on Sprinklr's side.
+
+### Important: No Built-in Authentication
+
+This server does not authenticate incoming MCP client connections. Anyone who can reach the server URL can invoke all tools using the configured Sprinklr credentials. This is by design for simplicity --- the server is intended to run on **private networks, localhost, or behind a reverse proxy with authentication**.
+
+**Do not expose this server to the public internet without adding an authentication layer** (e.g., reverse proxy with OAuth, VPN, or firewall rules).
+
+### Protections
+
+- **Read-only enforcement:** PUT, DELETE, and PATCH are blocked at the API client level. POST is allowlisted only for `/reports/query` and `/case/search`.
+- **SSRF prevention:** All endpoints must start with `/` and are validated against protocol injection (`://`) and path traversal (`..`). Requests always target the configured Sprinklr API domain.
+- **Session expiry:** Inactive MCP sessions are cleaned up after 30 minutes.
+- **No credentials in code:** All secrets are loaded from environment variables. `.env` is gitignored.
+- **Token auto-refresh:** On 401 responses, the server refreshes the access token and stores the new refresh token for subsequent rotations.
+- **Sanitized errors:** Sprinklr API error details are logged server-side only. Clients receive only the HTTP status code, not internal response bodies.
+- **`sprinklr_raw_api` scope:** This tool allows GET requests to any Sprinklr v2 endpoint. Access is intentionally broad to support diverse use cases. The Sprinklr token's own permission scope limits what data is accessible.
+
+### Token Storage
+
+Tokens are stored **in memory only**. This is a deliberate design choice --- it avoids writing credentials to disk and keeps the attack surface minimal. The tradeoff: if the server restarts, it falls back to the tokens in your environment variables. Update your env vars after a refresh if needed, or re-run the OAuth flow.
+
+See [Token Lifecycle](#token-lifecycle) for details on expiry and single-use refresh tokens.
+
+## Troubleshooting
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| "Invalid APIKey/ClientID" (401) | API Key doesn't match environment | Verify key belongs to correct environment bundle |
+| "Unauthorized" (401) | Access token expired | Server auto-refreshes, or re-run OAuth flow |
+| "invalid_grant" | Auth code expired/used/redirect mismatch | Get a fresh code, exchange within 10 minutes |
+| Refresh token fails | Already used (single-use) | Re-run full OAuth flow |
+| "Developer Over Rate" (403) | Hit 1,000 calls/hour limit | Wait, or contact Sprinklr Success Manager |
+
+## Contributing
+
+Contributions are welcome. Please open an issue first to discuss what you'd like to change.
+
+1. Fork the repo
+2. Create a branch (`git checkout -b feature/your-feature`)
+3. Make your changes
+4. Test locally (`npm test && npm start`)
+5. Open a PR against `main`
+
+**Guidelines:**
+- Keep changes focused --- one concern per PR
+- Follow the existing code style (ES modules, arrow functions)
+- All PRs are reviewed before merge
+- All PRs must target `main` --- direct pushes are blocked
+
+**Adding new read-only endpoints:** Add the POST path to `ALLOWED_POST_ENDPOINTS` in `server.mjs`. GET endpoints work automatically via `sprinklr_raw_api`.
+
+## Links
+
+- [Sprinklr Developer Portal](https://dev.sprinklr.com)
+- [OAuth 2.0 Guide](https://dev.sprinklr.com/oauth-2-0-for-customers)
+- [API Key Generation](https://dev.sprinklr.com/api-key-and-secret-generation)
+- [Authorization Troubleshooting](https://dev.sprinklr.com/authorization-troubleshooting)
+- [REST API Error Codes](https://dev.sprinklr.com/rest-api-error-and-status-codes)
+
+## License
+
+ISC

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "sprinklr-mcp",
+  "version": "0.1.0",
+  "description": "Open-source MCP server for Sprinklr API",
+  "type": "module",
+  "main": "server.mjs",
+  "bin": {
+    "sprinklr-mcp": "./server.mjs"
+  },
+  "files": [
+    "server.mjs",
+    "README.md",
+    ".env.example"
+  ],
+  "scripts": {
+    "start": "node server.mjs",
+    "test": "node test.mjs"
+  },
+  "keywords": [
+    "mcp",
+    "sprinklr",
+    "model-context-protocol",
+    "claude",
+    "ai",
+    "chatgpt",
+    "copilot",
+    "api"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/daiict218/sprinklr-mcp.git"
+  },
+  "homepage": "https://github.com/daiict218/sprinklr-mcp",
+  "engines": {
+    "node": ">=18"
+  },
+  "author": "Ajay Gaur",
+  "license": "ISC",
+  "dependencies": {
+    "@modelcontextprotocol/express": "^2.0.0-alpha.2",
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "dotenv": "^17.4.0",
+    "express": "^5.2.1",
+    "express-rate-limit": "^8.3.2",
+    "helmet": "^8.1.0",
+    "zod": "^4.3.6"
+  }
+}

package/server.mjs

@@ -0,0 +1,384 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+import { createMcpExpressApp } from "@modelcontextprotocol/express";
+import { randomUUID } from "node:crypto";
+import { z } from "zod";
+import dotenv from "dotenv";
+import helmet from "helmet";
+import rateLimit from "express-rate-limit";
+
+dotenv.config();
+
+const SPRINKLR_ENV = process.env.SPRINKLR_ENV || "prod4";
+const SPRINKLR_BASE_URL = `https://api2.sprinklr.com/${SPRINKLR_ENV}/api/v2`;
+const SPRINKLR_OAUTH_URL = `https://api2.sprinklr.com/${SPRINKLR_ENV}/oauth`;
+const API_KEY = process.env.SPRINKLR_API_KEY;
+const API_SECRET = process.env.SPRINKLR_API_SECRET;
+let ACCESS_TOKEN = process.env.SPRINKLR_ACCESS_TOKEN;
+let REFRESH_TOKEN = process.env.SPRINKLR_REFRESH_TOKEN;
+const REDIRECT_URI = process.env.SPRINKLR_REDIRECT_URI || "https://www.google.com";
+const PORT = parseInt(process.env.PORT || "3000", 10);
+const SERVER_URL = process.env.SERVER_URL || "";
+
+if (!API_KEY || !ACCESS_TOKEN) {
+  console.error("ERROR: SPRINKLR_API_KEY and SPRINKLR_ACCESS_TOKEN required");
+  process.exit(1);
+}
+
+if (REFRESH_TOKEN && !API_SECRET) {
+  console.error("ERROR: SPRINKLR_API_SECRET is required when SPRINKLR_REFRESH_TOKEN is set (needed for token refresh)");
+  process.exit(1);
+}
+
+if (!REFRESH_TOKEN) {
+  console.warn("WARN: SPRINKLR_REFRESH_TOKEN not set — token auto-refresh is disabled. Server will stop working when the access token expires.");
+}
+
+// =====================================================================
+// LOGGING
+// =====================================================================
+
+function log(msg, data = {}) {
+  console.log(`[${new Date().toISOString()}] ${msg}`, Object.keys(data).length ? JSON.stringify(data) : "");
+}
+
+// =====================================================================
+// READ-ONLY ENFORCEMENT
+// =====================================================================
+
+const BLOCKED_METHODS = new Set(["PUT", "DELETE", "PATCH"]);
+const ALLOWED_POST_ENDPOINTS = ["/reports/query", "/case/search"];
+
+function isReadOnlyRequest(method, endpoint) {
+  const m = (method || "GET").toUpperCase();
+  if (m === "GET") return true;
+  if (BLOCKED_METHODS.has(m)) return false;
+  if (m === "POST") return ALLOWED_POST_ENDPOINTS.some((a) => endpoint.endsWith(a));
+  return false;
+}
+
+// =====================================================================
+// SPRINKLR API CLIENT
+// =====================================================================
+
+async function sprinklrFetch(endpoint, options = {}) {
+  const { method = "GET", body = null, retried = false } = options;
+
+  if (!endpoint.startsWith("/")) {
+    throw new Error(`BLOCKED: endpoint must start with '/'. Got: ${endpoint}`);
+  }
+  if (endpoint.includes("://") || endpoint.includes("..")) {
+    throw new Error(`BLOCKED: endpoint contains forbidden sequence. Got: ${endpoint}`);
+  }
+
+  if (!isReadOnlyRequest(method, endpoint)) {
+    throw new Error(`BLOCKED: ${method} ${endpoint} not permitted.`);
+  }
+
+  const headers = { Authorization: `Bearer ${ACCESS_TOKEN}`, key: API_KEY, "Content-Type": "application/json" };
+  const fetchOptions = { method, headers };
+  if (body) fetchOptions.body = JSON.stringify(body);
+
+  const url = `${SPRINKLR_BASE_URL}${endpoint}`;
+  const response = await fetch(url, fetchOptions);
+
+  if (response.status === 401 && !retried && REFRESH_TOKEN) {
+    log("Sprinklr token expired, refreshing...");
+    const refreshed = await refreshAccessToken();
+    if (refreshed) return sprinklrFetch(endpoint, { ...options, retried: true });
+  }
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    log("Sprinklr API error", { status: response.status, body: errorText });
+    throw new Error(`Sprinklr API returned HTTP ${response.status}`);
+  }
+  return response.json();
+}
+
+async function refreshAccessToken() {
+  try {
+    const response = await fetch(`${SPRINKLR_OAUTH_URL}/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        client_id: API_KEY, client_secret: API_SECRET,
+        refresh_token: REFRESH_TOKEN, grant_type: "refresh_token", redirect_uri: REDIRECT_URI,
+      }),
+    });
+    if (!response.ok) return false;
+    const data = await response.json();
+    ACCESS_TOKEN = data.access_token;
+    if (data.refresh_token) REFRESH_TOKEN = data.refresh_token;
+    log("Sprinklr token refreshed");
+    return true;
+  } catch { return false; }
+}
+
+// =====================================================================
+// MCP TOOLS (READ-ONLY)
+// =====================================================================
+
+function createSprinklrMcpServer() {
+  const server = new McpServer({ name: "sprinklr-mcp", version: "0.1.0" });
+
+  server.tool("sprinklr_me", "Get authenticated user profile from Sprinklr. Verifies connectivity.", {}, async () => {
+    log("Tool: sprinklr_me");
+    try {
+      const result = await sprinklrFetch("/me");
+      return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    } catch (err) {
+      return { content: [{ type: "text", text: `Error: ${err.message}` }], isError: true };
+    }
+  });
+
+  server.tool("sprinklr_report", "Execute Sprinklr Reporting API v2 query from dashboard payload.", {
+    payload: z.string().describe("Full reporting API v2 payload as JSON string from 'Generate API v2 Payload'."),
+    page_size: z.number().optional().describe("Rows per page. Default 100."),
+  }, async ({ payload, page_size }) => {
+    log("Tool: sprinklr_report");
+    try {
+      let p;
+      try { p = JSON.parse(payload); } catch {
+        return { content: [{ type: "text", text: "Error: invalid JSON payload." }], isError: true };
+      }
+      if (page_size) p.pageSize = page_size;
+      const result = await sprinklrFetch("/reports/query", { method: "POST", body: p });
+      return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    } catch (err) {
+      return { content: [{ type: "text", text: `Error: ${err.message}` }], isError: true };
+    }
+  });
+
+  server.tool("sprinklr_search_cases", "Search CARE tickets in Sprinklr. Read-only.", {
+    query: z.string().optional().describe("Free text search"),
+    case_number: z.string().regex(/^[A-Za-z]+-\d+$/).optional().describe("Case number e.g. CARE-96832"),
+    status: z.string().optional().describe("OPEN, IN_PROGRESS, CLOSED"),
+    page_size: z.number().optional().describe("Results. Default 20."),
+  }, async ({ query, case_number, status, page_size }) => {
+    log("Tool: sprinklr_search_cases", { case_number });
+    try {
+      if (case_number) {
+        const result = await sprinklrFetch(`/case/${case_number}`);
+        return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+      }
+      const sp = { page: 0, pageSize: page_size || 20, sort: { key: "createdTime", order: "DESC" } };
+      if (query) sp.query = query;
+      if (status) sp.filter = { status: [status] };
+      const result = await sprinklrFetch("/case/search", { method: "POST", body: sp });
+      return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    } catch (err) {
+      return { content: [{ type: "text", text: `Error: ${err.message}` }], isError: true };
+    }
+  });
+
+  server.tool("sprinklr_raw_api", "Read-only GET to any Sprinklr v2 endpoint. Access is scoped by the Sprinklr token's permissions.", {
+    endpoint: z.string().describe("API path e.g. '/campaign/list'. GET only. Must start with '/'."),
+  }, async ({ endpoint }) => {
+    log("Tool: sprinklr_raw_api", { endpoint });
+    try {
+      const result = await sprinklrFetch(endpoint, { method: "GET" });
+      return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+    } catch (err) {
+      return { content: [{ type: "text", text: `Error: ${err.message}` }], isError: true };
+    }
+  });
+
+  server.tool("sprinklr_token_status", "Check Sprinklr connectivity and tenant info.", {}, async () => {
+    log("Tool: sprinklr_token_status");
+    try {
+      const me = await sprinklrFetch("/me");
+      return { content: [{ type: "text", text: JSON.stringify({ status: "connected", environment: SPRINKLR_ENV, user: { id: me.id, email: me.email, displayName: me.displayName, clientId: me.clientId } }, null, 2) }] };
+    } catch (err) {
+      return { content: [{ type: "text", text: JSON.stringify({ status: "disconnected", error: err.message }, null, 2) }], isError: true };
+    }
+  });
+
+  return server;
+}
+
+// =====================================================================
+// EXPRESS + TRANSPORTS
+// =====================================================================
+
+const app = createMcpExpressApp({ host: "0.0.0.0" });
+app.set("trust proxy", 1);
+
+// --- Security headers (tuned for API server, not browser app) ---
+app.use(helmet({
+  contentSecurityPolicy: false,
+  crossOriginResourcePolicy: false,
+  crossOriginOpenerPolicy: false,
+}));
+
+// --- Rate limiting ---
+const globalLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // 100 requests per 15 min per IP
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: "Too many requests, please try again later." },
+});
+
+const mcpLimiter = rateLimit({
+  windowMs: 60 * 1000, // 1 minute
+  max: 30, // 30 requests per minute per IP
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: "Too many MCP requests, please try again later." },
+});
+
+app.use(globalLimiter);
+app.use("/mcp", mcpLimiter);
+app.use("/messages", mcpLimiter);
+app.use("/sse", mcpLimiter);
+
+// Log EVERY incoming request for debugging
+app.use((req, res, next) => {
+  log("REQUEST", { method: req.method, path: req.path, headers: { accept: req.headers.accept, "content-type": req.headers["content-type"], "mcp-session-id": req.headers["mcp-session-id"] } });
+  next();
+});
+
+// --- Streamable HTTP transport ---
+const transports = {};
+
+setInterval(() => {
+  const now = Date.now();
+  for (const [sid, e] of Object.entries(transports)) {
+    if (now > e.lastActivity + 30 * 60 * 1000) delete transports[sid];
+  }
+}, 60000);
+
+app.post("/mcp", async (req, res) => {
+  try {
+    const sessionId = req.headers["mcp-session-id"];
+    if (sessionId && transports[sessionId]) {
+      transports[sessionId].lastActivity = Date.now();
+      await transports[sessionId].transport.handleRequest(req, res, req.body);
+      return;
+    }
+
+    log("Creating new MCP session");
+    const server = createSprinklrMcpServer();
+    const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: () => randomUUID() });
+    transport.onclose = () => { const sid = transport.sessionId; if (sid) delete transports[sid]; };
+    await server.connect(transport);
+    if (transport.sessionId) {
+      transports[transport.sessionId] = { transport, lastActivity: Date.now() };
+      log("Session created", { sessionId: transport.sessionId });
+    }
+    await transport.handleRequest(req, res, req.body);
+  } catch (err) {
+    log("ERROR in POST /mcp", { error: err.message, stack: err.stack });
+    if (!res.headersSent) res.status(500).json({ error: err.message });
+  }
+});
+
+app.get("/mcp", async (req, res) => {
+  try {
+    const sessionId = req.headers["mcp-session-id"];
+    if (sessionId && transports[sessionId]) {
+      transports[sessionId].lastActivity = Date.now();
+      await transports[sessionId].transport.handleRequest(req, res);
+      return;
+    }
+    res.status(400).json({ error: "No session." });
+  } catch (err) {
+    log("ERROR in GET /mcp", { error: err.message });
+    if (!res.headersSent) res.status(500).json({ error: err.message });
+  }
+});
+
+app.delete("/mcp", async (req, res) => {
+  try {
+    const sessionId = req.headers["mcp-session-id"];
+    if (sessionId && transports[sessionId]) {
+      await transports[sessionId].transport.handleRequest(req, res, req.body);
+      delete transports[sessionId];
+      return;
+    }
+    res.status(404).json({ error: "Session not found" });
+  } catch (err) {
+    log("ERROR in DELETE /mcp", { error: err.message });
+    if (!res.headersSent) res.status(500).json({ error: err.message });
+  }
+});
+
+// --- SSE transport (fallback for Claude.ai compatibility) ---
+const sseTransports = {};
+
+setInterval(() => {
+  const now = Date.now();
+  for (const [sid, transport] of Object.entries(sseTransports)) {
+    if (transport._lastActivity && now > transport._lastActivity + 30 * 60 * 1000) {
+      transport.close?.();
+      delete sseTransports[sid];
+    }
+  }
+}, 60000);
+
+app.get("/sse", async (req, res) => {
+  try {
+    log("SSE connection requested");
+    const transport = new SSEServerTransport("/messages", res);
+    const server = createSprinklrMcpServer();
+    transport._lastActivity = Date.now();
+    sseTransports[transport.sessionId] = transport;
+    transport.onclose = () => { delete sseTransports[transport.sessionId]; };
+    await server.connect(transport);
+    log("SSE session created", { sessionId: transport.sessionId });
+  } catch (err) {
+    log("ERROR in GET /sse", { error: err.message });
+    if (!res.headersSent) res.status(500).json({ error: err.message });
+  }
+});
+
+app.post("/messages", async (req, res) => {
+  try {
+    const sessionId = req.query.sessionId;
+    log("SSE message received", { sessionId });
+    const transport = sseTransports[sessionId];
+    if (transport) {
+      transport._lastActivity = Date.now();
+      await transport.handlePostMessage(req, res, req.body);
+    } else {
+      res.status(404).json({ error: "SSE session not found" });
+    }
+  } catch (err) {
+    log("ERROR in POST /messages", { error: err.message });
+    if (!res.headersSent) res.status(500).json({ error: err.message });
+  }
+});
+
+// --- Health ---
+app.get("/health", (req, res) => {
+  res.json({ status: "ok", server: "sprinklr-mcp", version: "0.1.0", read_only: true, transports: ["streamable-http", "sse"] });
+});
+
+app.use((req, res) => {
+  log("404", { method: req.method, path: req.path });
+  res.status(404).json({ error: "not_found" });
+});
+
+// --- Self-ping to prevent Render free tier spin-down ---
+if (SERVER_URL) {
+  setInterval(() => {
+    fetch(`${SERVER_URL}/health`).catch(() => {});
+  }, 14 * 60 * 1000);
+  log("Self-ping enabled", { url: SERVER_URL, interval: "14 min" });
+}
+
+// --- Start ---
+app.listen(PORT, "0.0.0.0", () => {
+  log("=== Sprinklr MCP Server Started ===");
+  log(`Environment: ${SPRINKLR_ENV}`);
+  log(`Port: ${PORT}`);
+  log(`Streamable HTTP: POST/GET/DELETE /mcp`);
+  log(`SSE: GET /sse + POST /messages`);
+  log(`Health: GET /health`);
+  log(`Auth: None (deploy behind a reverse proxy or on a private network)`);
+  log(`Read-only: Yes`);
+  log("===================================");
+});