sunpeak 0.19.2 → 0.19.4

package/dist/mcp/index.d.ts

@@ -1,6 +1,6 @@
 export { runMCPServer, type MCPServerConfig, type MCPServerHandle } from './server.js';
 export type { SimulationWithDist, AppToolConfig, ToolHandlerExtra, CallToolResult, AuthInfo, ServerConfig, } from './types.js';
-export { createMcpHandler, createHandler, createProductionMcpServer, startProductionHttpServer, setJsonLogging, } from './production-server.js';
+export { createMcpHandler, createHandler, createProductionMcpServer, startProductionHttpServer, setJsonLogging, detectClientFromHeaders, } from './production-server.js';
 export type { ProductionTool, ProductionResource, ProductionServerConfig, HttpServerOptions, AuthFunction, WebAuthFunction, WebHandlerConfig, } from './production-server.js';
 export { resolveDomain, computeClaudeDomain, computeChatGPTDomain, injectResolvedDomain, injectDefaultDomain, } from './resolve-domain.js';
 export type { DomainConfig } from './resolve-domain.js';

package/dist/mcp/index.js

@@ -1,5 +1,5 @@
 import { a as __toESM, i as __toCommonJS, n as __esmMin, r as __exportAll, t as __commonJSMin } from "../chunk-D6g4UhsZ.js";
-import { $ as literal, A as LoggingLevelSchema, B as SUPPORTED_PROTOCOL_VERSIONS, E as ListResourcesRequestSchema, F as ReadResourceRequestSchema, G as assertCompleteRequestResourceTemplate, J as isJSONRPCRequest, K as isInitializeRequest, L as RequestIdSchema, M as McpError, O as ListRootsResultSchema, Q as boolean, R as ResourceLinkSchema, S as ListPromptsRequestSchema, U as ToolSchema, V as SetLevelRequestSchema, W as assertCompleteRequestPrompt, X as _undefined, Y as isJSONRPCResultResponse, Z as array, _ as ImplementationSchema, a as CallToolResultSchema, at as unknown, b as JSONRPCMessageSchema, c as CreateMessageResultSchema, ct as getParseErrorMessage, dt as isZ4Schema, et as number, f as ElicitResultSchema, ft as normalizeObjectSchema, g as GetPromptRequestSchema, h as ErrorCode, ht as safeParseAsync, i as CallToolRequestSchema, it as union, k as ListToolsRequestSchema, l as CreateMessageResultWithToolsSchema, lt as getSchemaDescription, m as EmptyResultSchema, mt as safeParse, n as mergeCapabilities, nt as record, o as CompleteRequestSchema, ot as getLiteralValue, p as EmbeddedResourceSchema, pt as objectFromShape, q as isJSONRPCErrorResponse, r as toJsonSchemaCompat, rt as string, s as ContentBlockSchema, st as getObjectShape, t as Protocol, tt as object, u as CreateTaskResultSchema, ut as isSchemaOptional, v as InitializeRequestSchema, w as ListResourceTemplatesRequestSchema, x as LATEST_PROTOCOL_VERSION, y as InitializedNotificationSchema } from "../protocol-BfAACnv0.js";
+import { A as JSONRPCMessageSchema, C as EmbeddedResourceSchema, D as ImplementationSchema, E as GetPromptRequestSchema, I as ListResourcesRequestSchema, J as RequestIdSchema, K as ReadResourceRequestSchema, M as ListPromptsRequestSchema, O as InitializeRequestSchema, P as ListResourceTemplatesRequestSchema, Q as SetLevelRequestSchema, R as ListRootsResultSchema, S as ElicitResultSchema, T as ErrorCode, U as McpError, V as LoggingLevelSchema, Y as ResourceLinkSchema, Z as SUPPORTED_PROTOCOL_VERSIONS, _ as ContentBlockSchema, a as getObjectShape, at as isJSONRPCRequest, b as CreateTaskResultSchema, c as isSchemaOptional, ct as array, d as objectFromShape, dt as number, et as ToolSchema, f as safeParse, ft as object, g as CompleteRequestSchema, gt as unknown, h as CallToolResultSchema, ht as union, i as getLiteralValue, it as isJSONRPCErrorResponse, j as LATEST_PROTOCOL_VERSION, k as InitializedNotificationSchema, l as isZ4Schema, lt as boolean, m as CallToolRequestSchema, mt as string, n as mergeCapabilities, nt as assertCompleteRequestResourceTemplate, o as getParseErrorMessage, ot as isJSONRPCResultResponse, p as safeParseAsync, pt as record, r as toJsonSchemaCompat, rt as isInitializeRequest, s as getSchemaDescription, st as _undefined, t as Protocol, tt as assertCompleteRequestPrompt, u as normalizeObjectSchema, ut as literal, v as CreateMessageResultSchema, w as EmptyResultSchema, y as CreateMessageResultWithToolsSchema, z as ListToolsRequestSchema } from "../protocol-CRqiPTLT.js";
 import { createServer } from "node:http";
 import { URL as URL$1 } from "node:url";
 import fs from "node:fs";
@@ -8680,12 +8680,12 @@ var StreamableHTTPServerTransport = class {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/@modelcontextprotocol+ext-apps@1.3.2_@modelcontextprotocol+sdk@1.29.0_zod@4.3.6__react-_38e5f6c50a4ca9cf3f1dffc73a60c951/node_modules/@modelcontextprotocol/ext-apps/dist/src/server/index.js
-var M = union([literal("light"), literal("dark")]).describe("Color theme preference for the host environment."), G = union([
+//#region ../../node_modules/.pnpm/@modelcontextprotocol+ext-apps@1.5.0_@modelcontextprotocol+sdk@1.29.0_zod@4.3.6__react-_f4871531d9cf52c692eb6edc1ee416ef/node_modules/@modelcontextprotocol/ext-apps/dist/src/server/index.js
+var S = union([literal("light"), literal("dark")]).describe("Color theme preference for the host environment."), W = union([
 	literal("inline"),
 	literal("fullscreen"),
 	literal("pip")
-]).describe("Display mode for UI presentation."), r = record(union([
+]).describe("Display mode for UI presentation."), n = record(union([
 	literal("--color-background-primary"),
 	literal("--color-background-secondary"),
 	literal("--color-background-tertiary"),
@@ -8792,7 +8792,7 @@ object({
 	method: literal("ui/notifications/sandbox-proxy-ready"),
 	params: object({})
 });
-var B = object({
+var K = object({
 	connectDomains: array(string()).optional().describe(`Origins for network requests (fetch/XHR/WebSocket).
 
 - Maps to CSP \`connect-src\` directive
@@ -8800,7 +8800,7 @@ var B = object({
 	resourceDomains: array(string()).optional().describe("Origins for static resources (images, scripts, stylesheets, fonts, media).\n\n- Maps to CSP `img-src`, `script-src`, `style-src`, `font-src`, `media-src` directives\n- Wildcard subdomains supported: `https://*.example.com`\n- Empty or omitted → no network resources (secure default)"),
 	frameDomains: array(string()).optional().describe("Origins for nested iframes.\n\n- Maps to CSP `frame-src` directive\n- Empty or omitted → no nested iframes allowed (`frame-src 'none'`)"),
 	baseUriDomains: array(string()).optional().describe("Allowed base URIs for the document.\n\n- Maps to CSP `base-uri` directive\n- Empty or omitted → only same origin allowed (`base-uri 'self'`)")
-}), K = object({
+}), N = object({
 	camera: object({}).optional().describe("Request camera access.\n\nMaps to Permission Policy `camera` feature."),
 	microphone: object({}).optional().describe("Request microphone access.\n\nMaps to Permission Policy `microphone` feature."),
 	geolocation: object({}).optional().describe("Request geolocation access.\n\nMaps to Permission Policy `geolocation` feature."),
@@ -8825,8 +8825,8 @@ object({
 	method: literal("ui/notifications/tool-cancelled"),
 	params: object({ reason: string().optional().describe("Optional reason for the cancellation (e.g., \"user action\", \"timeout\").") })
 });
-var b = object({ fonts: string().optional() }), g = object({
-	variables: r.optional().describe("CSS variables for theming the app."),
+var b = object({ fonts: string().optional() }), C = object({
+	variables: n.optional().describe("CSS variables for theming the app."),
 	css: b.optional().describe("CSS blocks that apps can inject.")
 });
 object({
@@ -8834,7 +8834,7 @@ object({
 	params: object({})
 });
 record(string(), unknown());
-var z$1 = object({
+var q = object({
 	text: object({}).optional().describe("Host supports text content blocks."),
 	image: object({}).optional().describe("Host supports image content blocks."),
 	audio: object({}).optional().describe("Host supports audio content blocks."),
@@ -8846,7 +8846,7 @@ object({
 	method: literal("ui/notifications/request-teardown"),
 	params: object({}).optional()
 });
-var S = object({
+var y = object({
 	experimental: object({}).optional().describe("Experimental features (structure TBD)."),
 	openLinks: object({}).optional().describe("Host supports opening external URLs."),
 	downloadFile: object({}).optional().describe("Host supports file downloads via ui/download-file."),
@@ -8854,23 +8854,23 @@ var S = object({
 	serverResources: object({ listChanged: boolean().optional().describe("Host supports resources/list_changed notifications.") }).optional().describe("Host can proxy resource reads to the MCP server."),
 	logging: object({}).optional().describe("Host accepts log messages."),
 	sandbox: object({
-		permissions: K.optional().describe("Permissions granted by the host (camera, microphone, geolocation)."),
-		csp: B.optional().describe("CSP domains approved by the host.")
+		permissions: N.optional().describe("Permissions granted by the host (camera, microphone, geolocation)."),
+		csp: K.optional().describe("CSP domains approved by the host.")
 	}).optional().describe("Sandbox configuration applied by the host."),
-	updateModelContext: z$1.optional().describe("Host accepts context updates (ui/update-model-context) to be included in the model's context for future turns."),
-	message: z$1.optional().describe("Host supports receiving content messages (ui/message) from the view.")
-}), y = object({
+	updateModelContext: q.optional().describe("Host accepts context updates (ui/update-model-context) to be included in the model's context for future turns."),
+	message: q.optional().describe("Host supports receiving content messages (ui/message) from the view.")
+}), v = object({
 	experimental: object({}).optional().describe("Experimental features (structure TBD)."),
 	tools: object({ listChanged: boolean().optional().describe("App supports tools/list_changed notifications.") }).optional().describe("App exposes MCP-style tools that the host can call."),
-	availableDisplayModes: array(G).optional().describe("Display modes the app supports.")
+	availableDisplayModes: array(W).optional().describe("Display modes the app supports.")
 });
 object({
 	method: literal("ui/notifications/initialized"),
 	params: object({}).optional()
 });
 object({
-	csp: B.optional().describe("Content Security Policy configuration for UI resources."),
-	permissions: K.optional().describe("Sandbox permissions requested by the UI resource."),
+	csp: K.optional().describe("Content Security Policy configuration for UI resources."),
+	permissions: N.optional().describe("Sandbox permissions requested by the UI resource."),
 	domain: string().optional().describe(`Dedicated origin for view sandbox.
 
 Useful when views need stable, dedicated origins for OAuth callbacks, CORS policies, or API key allowlists.
@@ -8890,13 +8890,13 @@ Boolean requesting whether a visible border and background is provided by the ho
 });
 object({
 	method: literal("ui/request-display-mode"),
-	params: object({ mode: G.describe("The display mode being requested.") })
+	params: object({ mode: W.describe("The display mode being requested.") })
 });
-object({ mode: G.describe("The display mode that was actually set. May differ from requested if not supported.") }).passthrough();
-var C = union([literal("model"), literal("app")]).describe("Tool visibility scope - who can access the tool.");
+object({ mode: W.describe("The display mode that was actually set. May differ from requested if not supported.") }).passthrough();
+var f = union([literal("model"), literal("app")]).describe("Tool visibility scope - who can access the tool.");
 object({
 	resourceUri: string().optional(),
-	visibility: array(C).optional().describe(`Who can access this tool. Default: ["model", "app"]
+	visibility: array(f).optional().describe(`Who can access this tool. Default: ["model", "app"]
 - "model": Tool visible to and callable by the agent
 - "app": Tool callable by the app from this server only`)
 });
@@ -8917,8 +8917,8 @@ object({
 	params: object({
 		html: string().describe("HTML content to load into the inner iframe."),
 		sandbox: string().optional().describe("Optional override for the inner iframe's sandbox attribute."),
-		csp: B.optional().describe("CSP configuration from resource metadata."),
-		permissions: K.optional().describe("Sandbox permissions from resource metadata.")
+		csp: K.optional().describe("CSP configuration from resource metadata."),
+		permissions: N.optional().describe("Sandbox permissions from resource metadata.")
 	})
 });
 object({
@@ -8930,10 +8930,10 @@ var E = object({
 		id: RequestIdSchema.optional().describe("JSON-RPC id of the tools/call request."),
 		tool: ToolSchema.describe("Tool definition including name, inputSchema, etc.")
 	}).optional().describe("Metadata of the tool call that instantiated this App."),
-	theme: M.optional().describe("Current color theme preference."),
-	styles: g.optional().describe("Style configuration for theming the app."),
-	displayMode: G.optional().describe("How the UI is currently displayed."),
-	availableDisplayModes: array(G).optional().describe("Display modes the host supports."),
+	theme: S.optional().describe("Current color theme preference."),
+	styles: C.optional().describe("Style configuration for theming the app."),
+	displayMode: W.optional().describe("How the UI is currently displayed."),
+	availableDisplayModes: array(W).optional().describe("Display modes the host supports."),
 	containerDimensions: union([object({ height: number().describe("Fixed container height in pixels.") }), object({ maxHeight: union([number(), _undefined()]).optional().describe("Maximum container height in pixels.") })]).and(union([object({ width: number().describe("Fixed container width in pixels.") }), object({ maxWidth: union([number(), _undefined()]).optional().describe("Maximum container width in pixels.") })])).optional().describe(`Container dimensions. Represents the dimensions of the iframe or other
 container holding the app. Specify either width or maxWidth, and either height or maxHeight.`),
 	locale: string().optional().describe("User's language and region preference in BCP 47 format."),
@@ -8970,45 +8970,45 @@ object({
 	method: literal("ui/initialize"),
 	params: object({
 		appInfo: ImplementationSchema.describe("App identification (name and version)."),
-		appCapabilities: y.describe("Features and capabilities this app provides."),
+		appCapabilities: v.describe("Features and capabilities this app provides."),
 		protocolVersion: string().describe("Protocol version this app supports.")
 	})
 });
 object({
 	protocolVersion: string().describe("Negotiated protocol version string (e.g., \"2025-11-21\")."),
 	hostInfo: ImplementationSchema.describe("Host application identification and version."),
-	hostCapabilities: S.describe("Features and capabilities provided by the host."),
+	hostCapabilities: y.describe("Features and capabilities provided by the host."),
 	hostContext: E.describe("Rich context about the host environment.")
 }).passthrough();
-var U = "ui/resourceUri", f = "text/html;profile=mcp-app";
-function fZ(Z, $, J, X) {
-	let V = J._meta, W = V.ui, L = V[U], D = V;
-	if (W?.resourceUri && !L) D = {
+var M = "ui/resourceUri", u = "text/html;profile=mcp-app";
+function hZ(Z, $, J, X) {
+	let V = J._meta, D = V.ui, G = V[M], L = V;
+	if (D?.resourceUri && !G) L = {
 		...V,
-		[U]: W.resourceUri
+		[M]: D.resourceUri
 	};
-	else if (L && !W?.resourceUri) D = {
+	else if (G && !D?.resourceUri) L = {
 		...V,
 		ui: {
-			...W,
-			resourceUri: L
+			...D,
+			resourceUri: G
 		}
 	};
 	return Z.registerTool($, {
 		...J,
-		_meta: D
+		_meta: L
 	}, X);
 }
-function uZ(Z, $, J, X, V) {
+function mZ(Z, $, J, X, V) {
 	return Z.registerResource($, J, {
-		mimeType: f,
+		mimeType: u,
 		...X
 	}, V);
 }
-var zQ = "io.modelcontextprotocol/ui";
-function dZ(Z) {
+var qQ = "io.modelcontextprotocol/ui";
+function pZ(Z) {
 	if (!Z) return;
-	return Z.extensions?.[zQ];
+	return Z.extensions?.[qQ];
 }
 //#endregion
 //#region src/mcp/resolve-domain.ts
@@ -9323,7 +9323,7 @@ function createAppServer(config, simulations, viteMode) {
 				registeredUriSet.add(uri);
 				const listMeta = viteMode ? injectViteCSP(resourceMeta) : resourceMeta;
 				const handle = mcpServer.registerResource(resourceName, uri, {
-					mimeType: f,
+					mimeType: u,
 					description: resource.description,
 					_meta: listMeta
 				}, async (readUri, extra) => {
@@ -9342,7 +9342,7 @@ function createAppServer(config, simulations, viteMode) {
 					console.log(`[MCP] ReadResource: ${readUri.href} → ${sizeKB}KB${servedVite ? " (vite)" : " (built)"}`);
 					return { contents: [{
 						uri: readUri.href,
-						mimeType: f,
+						mimeType: u,
 						text: content,
 						_meta: readMeta
 					}] };
@@ -9356,7 +9356,7 @@ function createAppServer(config, simulations, viteMode) {
 					...toolMeta.ui?.visibility ? { visibility: toolMeta.ui.visibility } : {}
 				}
 			};
-			const toolHandle = fZ(mcpServer, tool.name, {
+			const toolHandle = hZ(mcpServer, tool.name, {
 				description: tool.description,
 				inputSchema: z.object({}).passthrough(),
 				...simulation.outputSchema ? { outputSchema: simulation.outputSchema } : {},
@@ -9515,6 +9515,11 @@ async function handleMcpRequest(req, res, config, simulations, viteMode) {
 				const extra = parsed.method === "resources/read" ? ` uri=${JSON.stringify(parsed.params?.uri)}` : "";
 				console.log(`[MCP] ← ${parsed.method}${extra}${sidStr}`);
 			}
+			if (process.env.SUNPEAK_LOG_HEADERS) {
+				const headerEntries = {};
+				for (const [key, value] of Object.entries(req.headers)) if (value != null) headerEntries[key] = Array.isArray(value) ? value.join(", ") : value;
+				console.log(`[MCP] Headers: ${JSON.stringify(headerEntries, null, 2)}`);
+			}
 		} catch {
 			res.writeHead(400).end("Invalid JSON");
 			return;
@@ -9559,6 +9564,7 @@ async function handleMcpRequest(req, res, config, simulations, viteMode) {
 				return;
 			}
 			if (error.message?.includes("Server not initialized")) return;
+			if (error.message?.includes("Only one SSE stream")) return;
 			const id = transport.sessionId;
 			console.error(`[MCP] Transport error${id ? ` (${id.substring(0, 8)}...)` : ""}:`, error);
 		};
@@ -9737,6 +9743,20 @@ function log(level, msg, extra) {
 		else console.log(extra ? `${prefix} ${msg} ${JSON.stringify(extra)}` : `${prefix} ${msg}`);
 	}
 }
+/** Build an InternalServerConfig from any handler config + detected client name. */
+function toInternalConfig(config, clientName) {
+	return {
+		name: config.name,
+		version: config.version,
+		serverInfo: config.serverInfo,
+		tools: config.tools,
+		resources: config.resources,
+		serverUrl: config.serverUrl,
+		enableJsonResponse: config.enableJsonResponse,
+		stateless: config.stateless,
+		_clientName: clientName
+	};
+}
 /**
 * Create an MCP server with production tool handlers and pre-built resources.
 *
@@ -9745,6 +9765,7 @@ function log(level, msg, extra) {
 */
 function createProductionMcpServer(config) {
 	const { name = "sunpeak-app", version = "0.1.0", serverInfo, tools, resources, serverUrl } = config;
+	const clientName = config._clientName;
 	const mcpServer = new McpServer({
 		name: serverInfo?.name ?? name,
 		version: serverInfo?.version ?? version,
@@ -9760,23 +9781,9 @@ function createProductionMcpServer(config) {
 		resources: {},
 		tools: {}
 	} });
-	let clientName;
-	mcpServer.server.oninitialized = () => {
-		clientName = mcpServer.server.getClientVersion()?.name;
-		for (const handle of resourceHandles) {
-			const currentMeta = handle.metadata?._meta;
-			const resolved = injectResolvedDomain(currentMeta, clientName) ?? currentMeta;
-			const withDefault = serverUrl ? injectDefaultDomain(resolved, clientName, serverUrl) : resolved;
-			if (withDefault !== resolved) handle.update({ metadata: {
-				...handle.metadata,
-				_meta: withDefault
-			} });
-		}
-	};
 	const resourceByName = /* @__PURE__ */ new Map();
 	for (const res of resources) resourceByName.set(res.name, res);
 	const registeredResources = /* @__PURE__ */ new Set();
-	const resourceHandles = [];
 	let toolCount = 0;
 	for (const tool of tools) {
 		const makeCallback = () => {
@@ -9804,20 +9811,17 @@ function createProductionMcpServer(config) {
 		if (res) {
 			if (!registeredResources.has(res.uri)) {
 				registeredResources.add(res.uri);
-				const handle = uZ(mcpServer, res.name, res.uri, {
+				const resolvedMeta = injectResolvedDomain(res._meta, clientName) ?? res._meta;
+				const finalMeta = serverUrl ? injectDefaultDomain(resolvedMeta, clientName, serverUrl) : resolvedMeta;
+				mZ(mcpServer, res.name, res.uri, {
 					description: res.description,
-					_meta: res._meta
-				}, async () => {
-					const resolved = injectResolvedDomain(res._meta, clientName) ?? res._meta;
-					const readMeta = serverUrl ? injectDefaultDomain(resolved, clientName, serverUrl) : resolved;
-					return { contents: [{
-						uri: res.uri,
-						mimeType: f,
-						text: res.html,
-						_meta: readMeta
-					}] };
-				});
-				resourceHandles.push(handle);
+					_meta: finalMeta
+				}, async () => ({ contents: [{
+					uri: res.uri,
+					mimeType: u,
+					text: res.html,
+					_meta: finalMeta
+				}] }));
 			}
 			const toolConfig = {
 				title: tool.tool.title,
@@ -9833,7 +9837,7 @@ function createProductionMcpServer(config) {
 					}
 				}
 			};
-			fZ(mcpServer, tool.name, toolConfig, makeCallback());
+			hZ(mcpServer, tool.name, toolConfig, makeCallback());
 		} else {
 			const cb = makeCallback();
 			const toolConfig = {
@@ -9860,6 +9864,20 @@ var SESSION_IDLE_TIMEOUT_MS = 300 * 1e3;
 function isJsonRpcMessage(value) {
 	return typeof value === "object" && value !== null && typeof value.method === "string";
 }
+function detectClientFromHeaders(headers) {
+	const get = (name) => {
+		if (headers instanceof Headers) return headers.get(name) ?? void 0;
+		const raw = headers[name];
+		return typeof raw === "string" ? raw : Array.isArray(raw) ? raw[0] : void 0;
+	};
+	const ua = get("user-agent");
+	if (ua) {
+		if (/claude/i.test(ua)) return "claude";
+		if (/openai/i.test(ua)) return "openai-mcp";
+	}
+	if (get("x-anthropic-client")) return "claude";
+	if (get("x-openai-session")) return "openai-mcp";
+}
 var CORS_HEADERS = {
 	"Access-Control-Allow-Origin": "*",
 	"Access-Control-Allow-Methods": "GET, POST, DELETE, OPTIONS",
@@ -9930,25 +9948,14 @@ async function pipeWebResponseToNode(webResponse, res) {
 * ```
 */
 function createMcpHandler(config) {
-	const sessions = /* @__PURE__ */ new Map();
 	const authFn = config.auth;
-	setInterval(() => {
-		const now = Date.now();
-		for (const [id, session] of sessions) if (now - session.lastActivity > SESSION_IDLE_TIMEOUT_MS) {
-			log("info", `Session expired: ${id.substring(0, 8)}...`, {
-				sessionId: id,
-				active: sessions.size - 1
-			});
-			session.server.close();
-		}
-	}, 6e4).unref();
-	return async (req, res) => {
-		if (!req.url) return;
-		if (new URL$1(req.url, `http://${req.headers.host ?? "localhost"}`).pathname !== MCP_PATH) return;
+	async function preamble(req, res) {
+		if (!req.url) return null;
+		if (new URL$1(req.url, `http://${req.headers.host ?? "localhost"}`).pathname !== MCP_PATH) return null;
 		if (req.method === "OPTIONS") {
 			res.writeHead(204, CORS_HEADERS);
 			res.end();
-			return;
+			return null;
 		}
 		let authInfo;
 		if (authFn) {
@@ -9959,7 +9966,7 @@ function createMcpHandler(config) {
 					"WWW-Authenticate": "Bearer"
 				});
 				res.end("Unauthorized");
-				return;
+				return null;
 			}
 			authInfo = result;
 		}
@@ -9982,12 +9989,58 @@ function createMcpHandler(config) {
 					const extra = parsedBody.method === "resources/read" ? ` uri=${JSON.stringify(parsedBody.params?.uri)}` : "";
 					log("info", `← ${parsedBody.method}${extra}${sidStr}`);
 				}
+				if (process.env.SUNPEAK_LOG_HEADERS) {
+					const headerEntries = {};
+					for (const [key, value] of Object.entries(req.headers)) if (value != null) headerEntries[key] = Array.isArray(value) ? value.join(", ") : value;
+					log("info", `Headers: ${JSON.stringify(headerEntries, null, 2)}`);
+				}
 			} catch {
 				res.writeHead(400).end("Invalid JSON");
-				return;
+				return null;
 			}
 		}
-		const webRequest = nodeReqToWebRequest(req);
+		return {
+			authInfo,
+			parsedBody,
+			webRequest: nodeReqToWebRequest(req)
+		};
+	}
+	if (config.stateless) return async (req, res) => {
+		const ctx = await preamble(req, res);
+		if (!ctx) return;
+		if (req.method !== "POST") {
+			res.writeHead(405, CORS_HEADERS);
+			res.end("Method Not Allowed: stateless mode only supports POST");
+			return;
+		}
+		const server = createProductionMcpServer(toInternalConfig(config, detectClientFromHeaders(req.headers)));
+		const transport = new WebStandardStreamableHTTPServerTransport({
+			sessionIdGenerator: void 0,
+			enableJsonResponse: config.enableJsonResponse ?? true
+		});
+		transport.onerror = (error) => {
+			log("error", "Transport error (stateless)", { error: String(error) });
+		};
+		await server.connect(transport);
+		await pipeWebResponseToNode(addCorsHeaders(await transport.handleRequest(ctx.webRequest, {
+			parsedBody: ctx.parsedBody,
+			authInfo: ctx.authInfo
+		})), res);
+	};
+	const sessions = /* @__PURE__ */ new Map();
+	setInterval(() => {
+		const now = Date.now();
+		for (const [id, session] of sessions) if (now - session.lastActivity > SESSION_IDLE_TIMEOUT_MS) {
+			log("info", `Session expired: ${id.substring(0, 8)}...`, {
+				sessionId: id,
+				active: sessions.size - 1
+			});
+			session.server.close();
+		}
+	}, 6e4).unref();
+	return async (req, res) => {
+		const ctx = await preamble(req, res);
+		if (!ctx) return;
 		const sessionId = req.headers["mcp-session-id"];
 		if (sessionId) {
 			const session = sessions.get(sessionId);
@@ -9996,14 +10049,14 @@ function createMcpHandler(config) {
 				return;
 			}
 			session.lastActivity = Date.now();
-			await pipeWebResponseToNode(addCorsHeaders(await session.transport.handleRequest(webRequest, {
-				parsedBody,
-				authInfo
+			await pipeWebResponseToNode(addCorsHeaders(await session.transport.handleRequest(ctx.webRequest, {
+				parsedBody: ctx.parsedBody,
+				authInfo: ctx.authInfo
 			})), res);
 			return;
 		}
 		if (req.method === "POST") {
-			const server = createProductionMcpServer(config);
+			const server = createProductionMcpServer(toInternalConfig(config, detectClientFromHeaders(req.headers)));
 			const transport = new WebStandardStreamableHTTPServerTransport({
 				sessionIdGenerator: () => randomUUID(),
 				enableJsonResponse: config.enableJsonResponse ?? true,
@@ -10044,9 +10097,9 @@ function createMcpHandler(config) {
 				}
 			};
 			await server.connect(transport);
-			await pipeWebResponseToNode(addCorsHeaders(await transport.handleRequest(webRequest, {
-				parsedBody,
-				authInfo
+			await pipeWebResponseToNode(addCorsHeaders(await transport.handleRequest(ctx.webRequest, {
+				parsedBody: ctx.parsedBody,
+				authInfo: ctx.authInfo
 			})), res);
 			return;
 		}
@@ -10084,19 +10137,8 @@ function createMcpHandler(config) {
 * ```
 */
 function createHandler(config) {
-	const sessions = /* @__PURE__ */ new Map();
 	const authFn = config.auth;
-	setInterval(() => {
-		const now = Date.now();
-		for (const [id, session] of sessions) if (now - session.lastActivity > SESSION_IDLE_TIMEOUT_MS) {
-			log("info", `Session expired: ${id.substring(0, 8)}...`, {
-				sessionId: id,
-				active: sessions.size - 1
-			});
-			session.server.close();
-		}
-	}, 6e4).unref();
-	return async (req) => {
+	async function webPreamble(req) {
 		if (req.method === "OPTIONS") return new Response(null, {
 			status: 204,
 			headers: CORS_HEADERS
@@ -10114,31 +10156,75 @@ function createHandler(config) {
 			authInfo = result;
 		}
 		let parsedBody;
-		if (req.method === "POST") try {
-			parsedBody = await req.json();
-		} catch {
-			return new Response("Invalid JSON", { status: 400 });
+		if (req.method === "POST") {
+			try {
+				parsedBody = await req.json();
+			} catch {
+				return new Response("Invalid JSON", { status: 400 });
+			}
+			if (isJsonRpcMessage(parsedBody)) {
+				const sid = req.headers.get("mcp-session-id");
+				const sidStr = sid ? ` (${sid.substring(0, 8)}...)` : "";
+				const extra = parsedBody.method === "resources/read" ? ` uri=${JSON.stringify(parsedBody.params?.uri)}` : "";
+				log("info", `← ${parsedBody.method}${extra}${sidStr}`);
+			}
+			if (typeof globalThis.process !== "undefined" && globalThis.process.env?.SUNPEAK_LOG_HEADERS) {
+				const headerEntries = {};
+				req.headers.forEach((value, key) => {
+					headerEntries[key] = value;
+				});
+				log("info", `Headers: ${JSON.stringify(headerEntries, null, 2)}`);
+			}
+		}
+		return {
+			authInfo,
+			parsedBody
+		};
+	}
+	if (config.stateless) return async (req) => {
+		const ctx = await webPreamble(req);
+		if (ctx instanceof Response) return ctx;
+		if (req.method !== "POST") return addCorsHeaders(new Response("Method Not Allowed: stateless mode only supports POST", { status: 405 }));
+		const server = createProductionMcpServer(toInternalConfig(config, detectClientFromHeaders(req.headers)));
+		const transport = new WebStandardStreamableHTTPServerTransport({
+			sessionIdGenerator: void 0,
+			enableJsonResponse: config.enableJsonResponse ?? true
+		});
+		transport.onerror = (error) => {
+			log("error", "Transport error (stateless)", { error: String(error) });
+		};
+		await server.connect(transport);
+		return addCorsHeaders(await transport.handleRequest(req, {
+			parsedBody: ctx.parsedBody,
+			authInfo: ctx.authInfo
+		}));
+	};
+	const sessions = /* @__PURE__ */ new Map();
+	setInterval(() => {
+		const now = Date.now();
+		for (const [id, session] of sessions) if (now - session.lastActivity > SESSION_IDLE_TIMEOUT_MS) {
+			log("info", `Session expired: ${id.substring(0, 8)}...`, {
+				sessionId: id,
+				active: sessions.size - 1
+			});
+			session.server.close();
 		}
+	}, 6e4).unref();
+	return async (req) => {
+		const ctx = await webPreamble(req);
+		if (ctx instanceof Response) return ctx;
 		const sessionId = req.headers.get("mcp-session-id");
 		if (sessionId) {
 			const session = sessions.get(sessionId);
 			if (!session) return new Response("Unknown session", { status: 404 });
 			session.lastActivity = Date.now();
 			return addCorsHeaders(await session.transport.handleRequest(req, {
-				parsedBody,
-				authInfo
+				parsedBody: ctx.parsedBody,
+				authInfo: ctx.authInfo
 			}));
 		}
 		if (req.method === "POST") {
-			const { name, version, serverInfo, tools, resources, serverUrl } = config;
-			const server = createProductionMcpServer({
-				name,
-				version,
-				serverInfo,
-				tools,
-				resources,
-				serverUrl
-			});
+			const server = createProductionMcpServer(toInternalConfig(config, detectClientFromHeaders(req.headers)));
 			const transport = new WebStandardStreamableHTTPServerTransport({
 				sessionIdGenerator: () => randomUUID(),
 				enableJsonResponse: config.enableJsonResponse ?? true,
@@ -10162,16 +10248,26 @@ function createHandler(config) {
 				}
 			});
 			transport.onerror = (error) => {
-				log("error", "Transport error", { error: String(error) });
+				const id = transport.sessionId;
+				log("error", `Transport error${id ? ` (${id.substring(0, 8)}...)` : ""}`, {
+					sessionId: id,
+					error: String(error)
+				});
 			};
 			transport.onclose = () => {
 				const id = transport.sessionId;
-				if (id && sessions.has(id)) sessions.delete(id);
+				if (id && sessions.has(id)) {
+					sessions.delete(id);
+					log("info", `Session closed: ${id.substring(0, 8)}...`, {
+						sessionId: id,
+						active: sessions.size
+					});
+				}
 			};
 			await server.connect(transport);
 			return addCorsHeaders(await transport.handleRequest(req, {
-				parsedBody,
-				authInfo
+				parsedBody: ctx.parsedBody,
+				authInfo: ctx.authInfo
 			}));
 		}
 		return new Response("Bad Request: session ID required", { status: 400 });
@@ -10295,6 +10391,6 @@ function startProductionHttpServer(config, portOrOptions) {
 	process.on("SIGINT", () => void shutdown());
 }
 //#endregion
-export { zQ as EXTENSION_ID, FAVICON_BASE64, FAVICON_BUFFER, FAVICON_DATA_URI, f as RESOURCE_MIME_TYPE, U as RESOURCE_URI_META_KEY, computeChatGPTDomain, computeClaudeDomain, createHandler, createMcpHandler, createProductionMcpServer, dZ as getUiCapability, injectDefaultDomain, injectResolvedDomain, uZ as registerAppResource, fZ as registerAppTool, resolveDomain, runMCPServer, setJsonLogging, startProductionHttpServer };
+export { qQ as EXTENSION_ID, FAVICON_BASE64, FAVICON_BUFFER, FAVICON_DATA_URI, u as RESOURCE_MIME_TYPE, M as RESOURCE_URI_META_KEY, computeChatGPTDomain, computeClaudeDomain, createHandler, createMcpHandler, createProductionMcpServer, detectClientFromHeaders, pZ as getUiCapability, injectDefaultDomain, injectResolvedDomain, mZ as registerAppResource, hZ as registerAppTool, resolveDomain, runMCPServer, setJsonLogging, startProductionHttpServer };
 
 //# sourceMappingURL=index.js.map