toolception 0.4.0 → 0.5.0

package/dist/index.js

@@ -1,16 +1,16 @@
-var A = (r) => {
+var P = (r) => {
   throw TypeError(r);
 };
-var W = (r, e, s) => e.has(r) || A("Cannot " + s);
-var y = (r, e, s) => e.has(r) ? A("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, s);
-var u = (r, e, s) => (W(r, e, "access private method"), s);
-import { z as w } from "zod";
-import M from "fastify";
-import x from "@fastify/cors";
-import { randomUUID as v } from "node:crypto";
-import { StreamableHTTPServerTransport as E } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
-import { isInitializeRequest as I } from "@modelcontextprotocol/sdk/types.js";
-const S = {
+var ee = (r, e, s) => e.has(r) || P("Cannot " + s);
+var T = (r, e, s) => e.has(r) ? P("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, s);
+var f = (r, e, s) => (ee(r, e, "access private method"), s);
+import { z as b } from "zod";
+import N from "fastify";
+import j from "@fastify/cors";
+import { randomUUID as y } from "node:crypto";
+import { StreamableHTTPServerTransport as k } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest as D } from "@modelcontextprotocol/sdk/types.js";
+const L = {
   dynamic: [
     "dynamic-tool-discovery",
     "dynamicToolDiscovery",
@@ -18,11 +18,11 @@ const S = {
   ],
   toolsets: ["tool-sets", "toolSets", "FMP_TOOL_SETS"]
 };
-class q {
+class se {
   constructor(e = {}) {
     this.keys = {
-      dynamic: e.keys?.dynamic ?? S.dynamic,
-      toolsets: e.keys?.toolsets ?? S.toolsets
+      dynamic: e.keys?.dynamic ?? L.dynamic,
+      toolsets: e.keys?.toolsets ?? L.toolsets
     };
   }
   resolveMode(e, s) {
@@ -109,7 +109,7 @@ class q {
       }
   }
 }
-class J {
+class te {
   constructor(e) {
     this.catalog = e.catalog, this.moduleLoaders = e.moduleLoaders ?? {};
   }
@@ -162,12 +162,12 @@ class J {
     return t;
   }
 }
-class C extends Error {
+class R extends Error {
   constructor(e, s, t, o) {
     super(e), this.name = "ToolingError", this.code = s, this.details = t;
   }
 }
-class P {
+class z {
   constructor(e = {}) {
     this.names = /* @__PURE__ */ new Set(), this.toolsetToNames = /* @__PURE__ */ new Map(), this.options = {
       namespaceWithToolset: e.namespaceWithToolset ?? !0
@@ -181,7 +181,7 @@ class P {
   }
   add(e) {
     if (this.names.has(e))
-      throw new C(
+      throw new R(
         `Tool name collision: '${e}' already registered`,
         "E_TOOL_NAME_CONFLICT"
       );
@@ -196,7 +196,7 @@ class P {
     return s.map((t) => {
       const o = this.getSafeName(e, t.name);
       if (this.has(o))
-        throw new C(
+        throw new R(
           `Tool name collision for '${o}'`,
           "E_TOOL_NAME_CONFLICT"
         );
@@ -213,9 +213,9 @@ class P {
     return e;
   }
 }
-class G {
+class oe {
   constructor(e) {
-    this.activeToolsets = /* @__PURE__ */ new Set(), this.server = e.server, this.resolver = e.resolver, this.context = e.context, this.onToolsListChanged = e.onToolsListChanged, this.exposurePolicy = e.exposurePolicy, this.toolRegistry = e.toolRegistry ?? new P({ namespaceWithToolset: !0 });
+    this.activeToolsets = /* @__PURE__ */ new Set(), this.server = e.server, this.resolver = e.resolver, this.context = e.context, this.onToolsListChanged = e.onToolsListChanged, this.exposurePolicy = e.exposurePolicy, this.toolRegistry = e.toolRegistry ?? new z({ namespaceWithToolset: !0 });
   }
   /**
    * Sends a tool list change notification if configured.
@@ -395,11 +395,11 @@ class G {
     return this.enableToolsets(e);
   }
 }
-function K(r, e, s) {
+function re(r, e, s) {
   (s?.mode ?? "DYNAMIC") === "DYNAMIC" && (r.tool(
     "enable_toolset",
     "Enable a toolset by name",
-    { name: w.string().describe("Toolset name") },
+    { name: b.string().describe("Toolset name") },
     async (o) => {
       const i = await e.enableToolset(o.name);
       return {
@@ -409,7 +409,7 @@ function K(r, e, s) {
   ), r.tool(
     "disable_toolset",
     "Disable a toolset by name (state only)",
-    { name: w.string().describe("Toolset name") },
+    { name: b.string().describe("Toolset name") },
     async (o) => {
       const i = await e.disableToolset(o.name);
       return {
@@ -444,7 +444,7 @@ function K(r, e, s) {
   ), r.tool(
     "describe_toolset",
     "Describe a toolset with definition, active status and tools",
-    { name: w.string().describe("Toolset name") },
+    { name: b.string().describe("Toolset name") },
     async (o) => {
       const i = e.getToolsetDefinition(o.name), n = e.getStatus().toolsetToTools;
       if (!i)
@@ -486,25 +486,25 @@ function K(r, e, s) {
     }
   );
 }
-class T {
+class w {
   constructor(e) {
-    this.initError = null, this.toolsetValidator = new q();
+    this.initError = null, this.toolsetValidator = new se();
     const s = e.startup ?? {}, t = this.resolveStartupConfig(s, e.catalog);
-    this.mode = t.mode, this.resolver = new J({
+    this.mode = t.mode, this.resolver = new te({
       catalog: e.catalog,
       moduleLoaders: e.moduleLoaders
     });
-    const o = new P({
+    const o = new z({
       namespaceWithToolset: e.exposurePolicy?.namespaceToolsWithSetKey ?? !0
     });
-    this.manager = new G({
+    this.manager = new oe({
       server: e.server,
       resolver: this.resolver,
       context: e.context,
       onToolsListChanged: e.notifyToolsListChanged,
       exposurePolicy: e.exposurePolicy,
       toolRegistry: o
-    }), e.registerMetaTools !== !1 && K(e.server, this.manager, { mode: this.mode });
+    }), e.registerMetaTools !== !1 && re(e.server, this.manager, { mode: this.mode });
     const i = t.toolsets;
     this.initPromise = this.initializeToolsets(i);
   }
@@ -581,10 +581,10 @@ class T {
     return this.manager;
   }
 }
-var p, b;
-class $ {
+var v, S;
+class O {
   constructor(e = {}) {
-    y(this, p);
+    T(this, v);
     this.storage = /* @__PURE__ */ new Map(), this.maxSize = e.maxSize ?? 1e3, this.ttlMs = e.ttlMs ?? 1e3 * 60 * 60, this.onEvict = e.onEvict;
     const s = e.pruneIntervalMs ?? 1e3 * 60 * 10;
     this.pruneInterval = setInterval(() => this.pruneExpired(), s);
@@ -614,7 +614,7 @@ class $ {
    */
   delete(e) {
     const s = this.storage.get(e);
-    s && (this.storage.delete(e), u(this, p, b).call(this, e, s.resource));
+    s && (this.storage.delete(e), f(this, v, S).call(this, e, s.resource));
   }
   /**
    * Stops the background pruning interval and optionally clears all entries.
@@ -631,7 +631,7 @@ class $ {
     const e = Array.from(this.storage.entries());
     this.storage.clear();
     for (const [s, t] of e)
-      u(this, p, b).call(this, s, t.resource);
+      f(this, v, S).call(this, s, t.resource);
   }
   /**
    * Evicts the least recently used entry from the cache.
@@ -653,13 +653,13 @@ class $ {
       this.delete(t);
   }
 }
-p = new WeakSet(), /**
+v = new WeakSet(), /**
  * Safely calls the evict callback, catching and logging any errors.
  * @param key - The key being evicted
  * @param resource - The resource being evicted
  * @private
  */
-b = function(e, s) {
+S = function(e, s) {
   if (this.onEvict)
     try {
       const t = this.onEvict(e, s);
@@ -670,9 +670,94 @@ b = function(e, s) {
       console.warn(`Error in cache eviction callback for key '${e}':`, t);
     }
 };
-class Q {
+function V(r, e, s, t) {
+  const o = ["/mcp", "/healthz", "/tools", "/.well-known/mcp-config"];
+  for (const i of s) {
+    const n = `${e}${i.path}`;
+    if (o.some(
+      (c) => n.startsWith(`${e}${c}`)
+    )) {
+      console.warn(
+        `Custom endpoint ${i.method} ${i.path} conflicts with built-in MCP endpoint. Skipping registration.`
+      );
+      continue;
+    }
+    const a = i.method.toLowerCase();
+    r[a](n, async (c, d) => {
+      try {
+        const u = c.headers["mcp-client-id"]?.trim(), p = u && u.length > 0 ? u : `anon-${y()}`;
+        let C;
+        if (i.bodySchema) {
+          const m = i.bodySchema.safeParse(c.body);
+          if (!m.success)
+            return A(d, "body", m.error);
+          C = m.data;
+        }
+        let x = {};
+        if (i.querySchema) {
+          const m = i.querySchema.safeParse(c.query);
+          if (!m.success)
+            return A(d, "query", m.error);
+          x = m.data;
+        }
+        let I = {};
+        if (i.paramsSchema) {
+          const m = i.paramsSchema.safeParse(c.params);
+          if (!m.success)
+            return A(d, "params", m.error);
+          I = m.data;
+        }
+        const M = {
+          body: C,
+          query: x,
+          params: I,
+          headers: c.headers,
+          clientId: p
+        };
+        if (t?.contextExtractor) {
+          const m = await t.contextExtractor(c);
+          Object.assign(M, m);
+        }
+        const $ = await i.handler(M);
+        if (i.responseSchema) {
+          const m = i.responseSchema.safeParse($);
+          return m.success ? m.data : (console.error(
+            `Response validation failed for ${i.method} ${i.path}:`,
+            m.error
+          ), d.code(500), {
+            error: {
+              code: "RESPONSE_VALIDATION_ERROR",
+              message: "Internal server error: invalid response format"
+            }
+          });
+        }
+        return $;
+      } catch (u) {
+        return console.error(
+          `Error in custom endpoint ${i.method} ${i.path}:`,
+          u
+        ), d.code(500), {
+          error: {
+            code: "INTERNAL_ERROR",
+            message: u instanceof Error ? u.message : "Internal server error"
+          }
+        };
+      }
+    });
+  }
+}
+function A(r, e, s) {
+  return r.code(400), {
+    error: {
+      code: "VALIDATION_ERROR",
+      message: `Validation failed for ${e}`,
+      details: s.errors
+    }
+  };
+}
+class ie {
   constructor(e, s, t = {}, o) {
-    this.app = null, this.clientCache = new $({
+    this.app = null, this.clientCache = new O({
       onEvict: (i, n) => {
         this.cleanupBundle(n);
       }
@@ -682,13 +767,14 @@ class Q {
       basePath: t.basePath ?? "/",
       cors: t.cors ?? !0,
       logger: t.logger ?? !1,
-      app: t.app
+      app: t.app,
+      customEndpoints: t.customEndpoints
     }, this.configSchema = o;
   }
   async start() {
     if (this.app) return;
-    const e = this.options.app ?? M({ logger: this.options.logger });
-    this.options.cors && await e.register(x, { origin: !0 });
+    const e = this.options.app ?? N({ logger: this.options.logger });
+    this.options.cors && await e.register(j, { origin: !0 });
     const s = this.options.basePath.endsWith("/") ? this.options.basePath.slice(0, -1) : this.options.basePath;
     e.get(`${s}/healthz`, async () => ({ ok: !0 })), e.get(`${s}/tools`, async () => this.defaultManager.getStatus()), e.get(`${s}/.well-known/mcp-config`, async (t, o) => (o.header("Content-Type", "application/schema+json; charset=utf-8"), this.configSchema ?? {
       $schema: "https://json-schema.org/draft/2020-12/schema",
@@ -702,26 +788,26 @@ class Q {
     })), e.post(
       `${s}/mcp`,
       async (t, o) => {
-        const i = t.headers["mcp-client-id"]?.trim(), n = i && i.length > 0 ? i : `anon-${v()}`, l = !n.startsWith("anon-");
+        const i = t.headers["mcp-client-id"]?.trim(), n = i && i.length > 0 ? i : `anon-${y()}`, l = !n.startsWith("anon-");
         let a = l ? this.clientCache.get(n) : null;
         if (!a) {
-          const m = this.createBundle(), g = m.sessions;
+          const u = this.createBundle(), p = u.sessions;
           a = {
-            server: m.server,
-            orchestrator: m.orchestrator,
-            sessions: g instanceof Map ? g : /* @__PURE__ */ new Map()
+            server: u.server,
+            orchestrator: u.orchestrator,
+            sessions: p instanceof Map ? p : /* @__PURE__ */ new Map()
           }, l && this.clientCache.set(n, a);
         }
         const c = t.headers["mcp-session-id"];
         let d;
         if (c && a.sessions.get(c))
           d = a.sessions.get(c);
-        else if (!c && I(t.body)) {
-          const m = v();
-          d = new E({
-            sessionIdGenerator: () => m,
-            onsessioninitialized: (g) => {
-              a.sessions.set(g, d);
+        else if (!c && D(t.body)) {
+          const u = y();
+          d = new k({
+            sessionIdGenerator: () => u,
+            onsessioninitialized: (p) => {
+              a.sessions.set(p, d);
             }
           });
           try {
@@ -791,7 +877,7 @@ class Q {
         }
         return o.code(204).send(), o;
       }
-    ), this.options.app || await e.listen({ host: this.options.host, port: this.options.port }), this.app = e;
+    ), this.options.customEndpoints && this.options.customEndpoints.length > 0 && V(e, s, this.options.customEndpoints), this.options.app || await e.listen({ host: this.options.host, port: this.options.port }), this.app = e;
   }
   /**
    * Stops the Fastify server and cleans up all resources.
@@ -818,7 +904,7 @@ class Q {
     e.sessions.clear();
   }
 }
-async function ge(r) {
+async function Se(r) {
   const e = r.startup?.mode ?? "DYNAMIC";
   if (typeof r.createServer != "function")
     throw new Error("createMcpServer: `createServer` (factory) is required");
@@ -832,9 +918,11 @@ async function ge(r) {
       }
       o(a) && await a.notifyToolsListChanged();
     } catch (c) {
+      if ((c instanceof Error ? c.message : String(c)) === "Not connected")
+        return;
       console.warn("Failed to send tools list changed notification:", c);
     }
-  }, n = new T({
+  }, n = new w({
     server: s,
     catalog: r.catalog,
     moduleLoaders: r.moduleLoaders,
@@ -843,12 +931,12 @@ async function ge(r) {
     notifyToolsListChanged: async () => i(s),
     startup: r.startup,
     registerMetaTools: r.registerMetaTools !== void 0 ? r.registerMetaTools : e === "DYNAMIC"
-  }), l = new Q(
+  }), l = new ie(
     n.getManager(),
     () => {
       if (e === "STATIC")
         return { server: s, orchestrator: n };
-      const a = r.createServer(), c = new T({
+      const a = r.createServer(), c = new w({
         server: a,
         catalog: r.catalog,
         moduleLoaders: r.moduleLoaders,
@@ -873,16 +961,16 @@ async function ge(r) {
     }
   };
 }
-function X(r) {
-  Z(r), ee(r), se(r), te(r);
+function ne(r) {
+  ae(r), le(r), ce(r), de(r);
 }
-function Z(r) {
+function ae(r) {
   if (!r || typeof r != "object")
     throw new Error(
       "Permission configuration is required for createPermissionBasedMcpServer"
     );
 }
-function ee(r) {
+function le(r) {
   if (!r.source)
     throw new Error('Permission source must be either "headers" or "config"');
   if (r.source !== "headers" && r.source !== "config")
@@ -890,19 +978,19 @@ function ee(r) {
       `Invalid permission source: "${r.source}". Must be either "headers" or "config"`
     );
 }
-function se(r) {
+function ce(r) {
   if (r.source === "config" && !r.staticMap && !r.resolver)
     throw new Error(
       "Config-based permissions require at least one of: staticMap or resolver function"
     );
 }
-function te(r) {
+function de(r) {
   if (r.staticMap !== void 0) {
     if (typeof r.staticMap != "object" || r.staticMap === null)
       throw new Error(
         "staticMap must be an object mapping client IDs to toolset arrays"
       );
-    oe(r.staticMap);
+    he(r.staticMap);
   }
   if (r.resolver !== void 0 && typeof r.resolver != "function")
     throw new Error(
@@ -913,21 +1001,21 @@ function te(r) {
   if (r.headerName !== void 0 && (typeof r.headerName != "string" || r.headerName.length === 0))
     throw new Error("headerName must be a non-empty string");
 }
-function oe(r) {
+function he(r) {
   for (const [e, s] of Object.entries(r))
     if (!Array.isArray(s))
       throw new Error(
         `staticMap value for client "${e}" must be an array of toolset names`
       );
 }
-var f, L, j, N, k, D;
-class re {
+var g, F, _, B, H, W;
+class ue {
   /**
    * Creates a new PermissionResolver instance.
    * @param config - The permission configuration defining how permissions are resolved
    */
   constructor(e) {
-    y(this, f);
+    T(this, g);
     this.config = e, this.cache = /* @__PURE__ */ new Map(), this.normalizedHeaderName = (e.headerName || "mcp-toolset-permissions").toLowerCase();
   }
   /**
@@ -948,7 +1036,7 @@ class re {
       return this.cache.get(e);
     let t;
     try {
-      this.config.source === "headers" ? t = u(this, f, L).call(this, s) : t = u(this, f, N).call(this, e), Array.isArray(t) || (console.warn(
+      this.config.source === "headers" ? t = f(this, g, F).call(this, s) : t = f(this, g, B).call(this, e), Array.isArray(t) || (console.warn(
         `Permission resolution returned non-array for client ${e}, using empty permissions`
       ), t = []), t = t.filter(
         (o) => typeof o == "string" && o.trim().length > 0
@@ -977,7 +1065,7 @@ class re {
     this.cache.clear();
   }
 }
-f = new WeakSet(), /**
+g = new WeakSet(), /**
  * Parses permissions from request headers.
  * Extracts comma-separated toolset names from the configured header.
  * Handles malformed headers gracefully by returning empty permissions.
@@ -986,10 +1074,10 @@ f = new WeakSet(), /**
  * @returns Array of toolset names from headers, or empty array if header is missing/malformed
  * @private
  */
-L = function(e) {
+F = function(e) {
   if (!e)
     return [];
-  const s = u(this, f, j).call(this, e, this.normalizedHeaderName);
+  const s = f(this, g, _).call(this, e, this.normalizedHeaderName);
   if (!s)
     return [];
   try {
@@ -1008,7 +1096,7 @@ L = function(e) {
  * @returns The header value if found, undefined otherwise
  * @private
  */
-j = function(e, s) {
+_ = function(e, s) {
   if (e[s] !== void 0)
     return e[s];
   for (const [t, o] of Object.entries(e))
@@ -1022,14 +1110,14 @@ j = function(e, s) {
  * @returns Array of toolset names from configuration
  * @private
  */
-N = function(e) {
+B = function(e) {
   if (this.config.resolver) {
-    const s = u(this, f, k).call(this, e);
+    const s = f(this, g, H).call(this, e);
     if (s !== null)
       return s;
   }
   if (this.config.staticMap) {
-    const s = u(this, f, D).call(this, e);
+    const s = f(this, g, W).call(this, e);
     if (s !== null)
       return s;
   }
@@ -1041,7 +1129,7 @@ N = function(e) {
  * @returns Array of toolset names if successful, null if resolver fails or returns invalid data
  * @private
  */
-k = function(e) {
+H = function(e) {
   try {
     const s = this.config.resolver(e);
     return Array.isArray(s) ? s : (console.warn(
@@ -1060,11 +1148,11 @@ k = function(e) {
  * @returns Array of toolset names if found, null if client not in map
  * @private
  */
-D = function(e) {
+W = function(e) {
   const s = this.config.staticMap[e];
   return s !== void 0 ? Array.isArray(s) ? s : [] : null;
 };
-function ie(r, e) {
+function fe(r, e) {
   return async (s) => {
     const t = e.resolvePermissions(
       s.clientId,
@@ -1089,8 +1177,8 @@ function ie(r, e) {
     };
   };
 }
-var h, z, R, O, F, V, _, B, Y, H, U;
-class ne {
+var h, Y, U, q, J, G, K, Q, X, E, Z;
+class me {
   /**
    * Creates a new PermissionAwareFastifyTransport instance.
    * @param defaultManager - Default tool manager for status endpoints
@@ -1099,10 +1187,10 @@ class ne {
    * @param configSchema - Optional JSON schema for configuration discovery
    */
   constructor(e, s, t = {}, o) {
-    y(this, h);
-    this.app = null, this.clientCache = new $({
+    T(this, h);
+    this.app = null, this.clientCache = new O({
       onEvict: (i, n) => {
-        u(this, h, z).call(this, n);
+        f(this, h, Y).call(this, n);
       }
     }), this.defaultManager = e, this.createPermissionAwareBundle = s, this.options = {
       host: t.host ?? "0.0.0.0",
@@ -1110,7 +1198,8 @@ class ne {
       basePath: t.basePath ?? "/",
       cors: t.cors ?? !0,
       logger: t.logger ?? !1,
-      app: t.app
+      app: t.app,
+      customEndpoints: t.customEndpoints
     }, this.configSchema = o;
   }
   /**
@@ -1119,10 +1208,28 @@ class ne {
    */
   async start() {
     if (this.app) return;
-    const e = this.options.app ?? M({ logger: this.options.logger });
-    this.options.cors && await e.register(x, { origin: !0 });
-    const s = u(this, h, R).call(this, this.options.basePath);
-    u(this, h, O).call(this, e, s), u(this, h, F).call(this, e, s), u(this, h, V).call(this, e, s), u(this, h, _).call(this, e, s), u(this, h, B).call(this, e, s), u(this, h, Y).call(this, e, s), this.options.app || await e.listen({ host: this.options.host, port: this.options.port }), this.app = e;
+    const e = this.options.app ?? N({ logger: this.options.logger });
+    this.options.cors && await e.register(j, { origin: !0 });
+    const s = f(this, h, U).call(this, this.options.basePath);
+    f(this, h, q).call(this, e, s), f(this, h, J).call(this, e, s), f(this, h, G).call(this, e, s), f(this, h, K).call(this, e, s), f(this, h, Q).call(this, e, s), f(this, h, X).call(this, e, s), this.options.customEndpoints && this.options.customEndpoints.length > 0 && V(e, s, this.options.customEndpoints, {
+      contextExtractor: async (t) => {
+        const o = f(this, h, E).call(this, t);
+        try {
+          const i = await this.createPermissionAwareBundle(o);
+          return {
+            allowedToolsets: i.allowedToolsets,
+            failedToolsets: i.failedToolsets
+          };
+        } catch (i) {
+          return console.warn(
+            `Permission resolution failed for custom endpoint: ${i}`
+          ), {
+            allowedToolsets: [],
+            failedToolsets: []
+          };
+        }
+      }
+    }), this.options.app || await e.listen({ host: this.options.host, port: this.options.port }), this.app = e;
   }
   /**
    * Stops the Fastify server and cleans up all resources.
@@ -1138,7 +1245,7 @@ h = new WeakSet(), /**
  * @param bundle - The client bundle to clean up
  * @private
  */
-z = function(e) {
+Y = function(e) {
   for (const [s, t] of e.sessions.entries())
     try {
       typeof t.close == "function" && t.close().catch((o) => {
@@ -1154,7 +1261,7 @@ z = function(e) {
  * @returns Normalized base path without trailing slash
  * @private
  */
-R = function(e) {
+U = function(e) {
   return e.endsWith("/") ? e.slice(0, -1) : e;
 }, /**
  * Registers the health check endpoint.
@@ -1162,7 +1269,7 @@ R = function(e) {
  * @param base - Base path for routes
  * @private
  */
-O = function(e, s) {
+q = function(e, s) {
   e.get(`${s}/healthz`, async () => ({ ok: !0 }));
 }, /**
  * Registers the tools status endpoint.
@@ -1170,7 +1277,7 @@ O = function(e, s) {
  * @param base - Base path for routes
  * @private
  */
-F = function(e, s) {
+J = function(e, s) {
   e.get(`${s}/tools`, async () => this.defaultManager.getStatus());
 }, /**
  * Registers the MCP configuration discovery endpoint.
@@ -1178,7 +1285,7 @@ F = function(e, s) {
  * @param base - Base path for routes
  * @private
  */
-V = function(e, s) {
+G = function(e, s) {
   e.get(`${s}/.well-known/mcp-config`, async (t, o) => (o.header("Content-Type", "application/schema+json; charset=utf-8"), this.configSchema ?? {
     $schema: "https://json-schema.org/draft/2020-12/schema",
     title: "MCP Session Configuration",
@@ -1196,11 +1303,11 @@ V = function(e, s) {
  * @param base - Base path for routes
  * @private
  */
-_ = function(e, s) {
+K = function(e, s) {
   e.post(
     `${s}/mcp`,
     async (t, o) => {
-      const i = u(this, h, H).call(this, t), n = !i.clientId.startsWith("anon-");
+      const i = f(this, h, E).call(this, t), n = !i.clientId.startsWith("anon-");
       let l = n ? this.clientCache.get(i.clientId) : null;
       if (!l)
         try {
@@ -1208,30 +1315,30 @@ _ = function(e, s) {
           d.failedToolsets.length > 0 && console.warn(
             `Client ${i.clientId} had ${d.failedToolsets.length} toolsets fail to enable: [${d.failedToolsets.join(", ")}]. Successfully enabled: [${d.allowedToolsets.join(", ")}]`
           );
-          const m = d.sessions;
+          const u = d.sessions;
           l = {
             server: d.server,
             orchestrator: d.orchestrator,
             allowedToolsets: d.allowedToolsets,
             failedToolsets: d.failedToolsets,
-            sessions: m instanceof Map ? m : /* @__PURE__ */ new Map()
+            sessions: u instanceof Map ? u : /* @__PURE__ */ new Map()
           }, n && this.clientCache.set(i.clientId, l);
         } catch (d) {
           return console.error(
             `Failed to create permission-aware bundle for client ${i.clientId}:`,
             d
-          ), o.code(403), u(this, h, U).call(this, "Access denied");
+          ), o.code(403), f(this, h, Z).call(this, "Access denied");
         }
       const a = t.headers["mcp-session-id"];
       let c;
       if (a && l.sessions.get(a))
         c = l.sessions.get(a);
-      else if (!a && I(t.body)) {
-        const d = v();
-        c = new E({
+      else if (!a && D(t.body)) {
+        const d = y();
+        c = new k({
           sessionIdGenerator: () => d,
-          onsessioninitialized: (m) => {
-            l.sessions.set(m, c);
+          onsessioninitialized: (u) => {
+            l.sessions.set(u, c);
           }
         });
         try {
@@ -1265,7 +1372,7 @@ _ = function(e, s) {
  * @param base - Base path for routes
  * @private
  */
-B = function(e, s) {
+Q = function(e, s) {
   e.get(`${s}/mcp`, async (t, o) => {
     const i = t.headers["mcp-client-id"]?.trim(), n = i && i.length > 0 ? i : "";
     if (!n)
@@ -1285,7 +1392,7 @@ B = function(e, s) {
  * @param base - Base path for routes
  * @private
  */
-Y = function(e, s) {
+X = function(e, s) {
   e.delete(
     `${s}/mcp`,
     async (t, o) => {
@@ -1325,8 +1432,8 @@ Y = function(e, s) {
  * @returns Client request context with ID and headers
  * @private
  */
-H = function(e) {
-  const s = e.headers["mcp-client-id"]?.trim(), t = s && s.length > 0 ? s : `anon-${v()}`, o = {};
+E = function(e) {
+  const s = e.headers["mcp-client-id"]?.trim(), t = s && s.length > 0 ? s : `anon-${y()}`, o = {};
   for (const [i, n] of Object.entries(e.headers))
     typeof n == "string" && (o[i] = n);
   return { clientId: t, headers: o };
@@ -1338,7 +1445,7 @@ H = function(e) {
  * @returns JSON-RPC error response object
  * @private
  */
-U = function(e = "Access denied", s = -32e3) {
+Z = function(e = "Access denied", s = -32e3) {
   return {
     jsonrpc: "2.0",
     error: {
@@ -1348,7 +1455,7 @@ U = function(e = "Access denied", s = -32e3) {
     id: null
   };
 };
-function ae(r) {
+function ge(r) {
   if (!r) return;
   const e = {
     namespaceToolsWithSetKey: r.namespaceToolsWithSetKey
@@ -1363,12 +1470,12 @@ function ae(r) {
     "Permission-based servers: exposurePolicy.onLimitExceeded is ignored. No toolset limits are enforced."
   ), e;
 }
-async function pe(r) {
+async function Ee(r) {
   if (!r.permissions)
     throw new Error(
       "Permission configuration is required for createPermissionBasedMcpServer. Please provide a 'permissions' field in the options."
     );
-  if (X(r.permissions), r.startup)
+  if (ne(r.permissions), r.startup)
     throw new Error(
       "Permission-based servers determine toolsets from client permissions. The 'startup' option is not allowed. Remove it from your configuration."
     );
@@ -1376,9 +1483,9 @@ async function pe(r) {
     throw new Error(
       "createPermissionBasedMcpServer: `createServer` (factory) is required"
     );
-  const e = ae(
+  const e = ge(
     r.exposurePolicy
-  ), s = new re(r.permissions), t = r.createServer(), o = new T({
+  ), s = new ue(r.permissions), t = r.createServer(), o = new w({
     server: t,
     catalog: r.catalog,
     moduleLoaders: r.moduleLoaders,
@@ -1388,9 +1495,9 @@ async function pe(r) {
     // No notifications in STATIC mode
     startup: { mode: "STATIC", toolsets: [] },
     registerMetaTools: !1
-  }), i = ie(
+  }), i = fe(
     (l) => {
-      const a = r.createServer(), c = new T({
+      const a = r.createServer(), c = new w({
         server: a,
         catalog: r.catalog,
         moduleLoaders: r.moduleLoaders,
@@ -1406,7 +1513,7 @@ async function pe(r) {
       return { server: a, orchestrator: c };
     },
     s
-  ), n = new ne(
+  ), n = new me(
     o.getManager(),
     i,
     r.http,
@@ -1426,8 +1533,16 @@ async function pe(r) {
     }
   };
 }
+function Ce(r) {
+  return r;
+}
+function xe(r) {
+  return r;
+}
 export {
-  ge as createMcpServer,
-  pe as createPermissionBasedMcpServer
+  Se as createMcpServer,
+  Ee as createPermissionBasedMcpServer,
+  Ce as defineEndpoint,
+  xe as definePermissionAwareEndpoint
 };
 //# sourceMappingURL=index.js.map