toolception 0.6.1 → 0.6.3

package/dist/index.js

@@ -1,70 +1,71 @@
-var re = Object.defineProperty;
-var j = (o) => {
-  throw TypeError(o);
+var ve = Object.defineProperty;
+var H = (r) => {
+  throw TypeError(r);
 };
-var ie = (o, e, t) => e in o ? re(o, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : o[e] = t;
-var d = (o, e, t) => ie(o, typeof e != "symbol" ? e + "" : e, t), ne = (o, e, t) => e.has(o) || j("Cannot " + t);
-var A = (o, e, t) => e.has(o) ? j("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(o) : e.set(o, t);
-var m = (o, e, t) => (ne(o, e, "access private method"), t);
-import { z as v } from "zod";
-import N from "fastify";
-import D from "@fastify/cors";
-import { randomUUID as S, createHash as ae } from "node:crypto";
-import { StreamableHTTPServerTransport as z } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
-import { isInitializeRequest as _ } from "@modelcontextprotocol/sdk/types.js";
-const R = {
+var be = (r, e, t) => e in r ? ve(r, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : r[e] = t;
+var d = (r, e, t) => be(r, typeof e != "symbol" ? e + "" : e, t), we = (r, e, t) => e.has(r) || H("Cannot " + t);
+var x = (r, e, t) => e.has(r) ? H("Cannot add the same private member more than once") : e instanceof WeakSet ? e.add(r) : e.set(r, t);
+var m = (r, e, t) => (we(r, e, "access private method"), t);
+import { z as g } from "zod";
+import U from "fastify";
+import J from "@fastify/cors";
+import { randomUUID as S, createHash as Te } from "node:crypto";
+import { StreamableHTTPServerTransport as Q } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest as G } from "@modelcontextprotocol/sdk/types.js";
+const V = {
   dynamic: [
     "dynamic-tool-discovery",
     "dynamicToolDiscovery",
     "DYNAMIC_TOOL_DISCOVERY"
   ],
   toolsets: ["tool-sets", "toolSets", "FMP_TOOL_SETS"]
-};
-class le {
+}, W = ["_meta"];
+class L {
   constructor(e = {}) {
     d(this, "keys");
     this.keys = {
-      dynamic: e.keys?.dynamic ?? R.dynamic,
-      toolsets: e.keys?.toolsets ?? R.toolsets
+      dynamic: e.keys?.dynamic ?? V.dynamic,
+      toolsets: e.keys?.toolsets ?? V.toolsets
+    };
+  }
+  static builder() {
+    const e = {}, t = {
+      keys(s) {
+        return e.keys = s, t;
+      },
+      build() {
+        return new L(e);
+      }
     };
+    return t;
   }
   resolveMode(e, t) {
     return this.isDynamicEnabled(t) ? "DYNAMIC" : this.getToolsetsString(t) ? "STATIC" : this.isDynamicEnabled(e) ? "DYNAMIC" : this.getToolsetsString(e) ? "STATIC" : null;
   }
   parseCommaSeparatedToolSets(e, t) {
     if (!e || typeof e != "string") return [];
-    const s = e.split(",").map((n) => n.trim()).filter((n) => n.length > 0), r = new Set(Object.keys(t)), i = [];
-    for (const n of s)
-      r.has(n) ? i.push(n) : console.warn(
-        `Invalid toolset '${n}' ignored. Available: ${Array.from(
-          r
+    const s = e.split(",").map((i) => i.trim()).filter((i) => i.length > 0), o = new Set(Object.keys(t)), n = [];
+    for (const i of s)
+      o.has(i) ? n.push(i) : console.warn(
+        `Invalid toolset '${i}' ignored. Available: ${Array.from(
+          o
         ).join(", ")}`
       );
-    return i;
+    return n;
   }
   getModulesForToolSets(e, t) {
     const s = /* @__PURE__ */ new Set();
-    for (const r of e) {
-      const i = t[r];
-      i && (i.modules || []).forEach((n) => s.add(n));
+    for (const o of e) {
+      const n = t[o];
+      n && (n.modules || []).forEach((i) => s.add(i));
     }
     return Array.from(s);
   }
   validateToolsetName(e, t) {
     if (!e || typeof e != "string")
-      return {
-        isValid: !1,
-        error: `Invalid toolset name provided. Must be a non-empty string. Available toolsets: ${Object.keys(
-          t
-        ).join(", ")}`
-      };
+      return this.createInvalidNameError(e, t);
     const s = e.trim();
-    return s.length === 0 ? {
-      isValid: !1,
-      error: `Empty toolset name provided. Available toolsets: ${Object.keys(
-        t
-      ).join(", ")}`
-    } : t[s] ? { isValid: !0, sanitized: s } : {
+    return s.length === 0 ? this.createInvalidNameError(s, t) : t[s] ? { isValid: !0, sanitized: s } : {
       isValid: !1,
       error: `Toolset '${s}' not found. Available toolsets: ${Object.keys(
         t
@@ -72,19 +73,32 @@ class le {
     };
   }
   /**
-   * Validates and retrieves modules for a set of toolsets.
-   * Note: A toolset with only direct tools (no modules) is valid and returns an empty modules array.
+   * @param name - The invalid name value
+   * @param catalog - The toolset catalog for listing available options
+   * @returns Validation result with descriptive error message
+   */
+  createInvalidNameError(e, t) {
+    const s = Object.keys(t).join(", ");
+    return !e || typeof e != "string" ? {
+      isValid: !1,
+      error: `Invalid toolset name provided. Must be a non-empty string. Available toolsets: ${s}`
+    } : {
+      isValid: !1,
+      error: `Empty toolset name provided. Available toolsets: ${s}`
+    };
+  }
+  /**
    * @param toolsetNames - Array of toolset names to validate
    * @param catalog - The toolset catalog to validate against
    * @returns Validation result with modules array if valid
    */
   validateToolsetModules(e, t) {
     try {
-      for (const r of e)
-        if (!t[r])
+      for (const o of e)
+        if (!t[o])
           return {
             isValid: !1,
-            error: `Toolset '${r}' not found in catalog`
+            error: `Toolset '${o}' not found in catalog`
           };
       return { isValid: !0, modules: this.getModulesForToolSets(e, t) };
     } catch (s) {
@@ -112,18 +126,31 @@ class le {
       }
   }
 }
-const k = ["_meta"];
-class ce {
+class j {
   constructor(e) {
     d(this, "catalog");
     d(this, "moduleLoaders");
-    for (const t of k)
+    for (const t of W)
       if (t in e.catalog)
         throw new Error(
           `Toolset key '${t}' is reserved for internal use and cannot be used in the catalog`
         );
     this.catalog = e.catalog, this.moduleLoaders = e.moduleLoaders ?? {};
   }
+  static builder() {
+    const e = {}, t = {
+      catalog(s) {
+        return e.catalog = s, t;
+      },
+      moduleLoaders(s) {
+        return e.moduleLoaders = s, t;
+      },
+      build() {
+        return new j(e);
+      }
+    };
+    return t;
+  }
   getAvailableToolsets() {
     return Object.keys(this.catalog);
   }
@@ -144,7 +171,7 @@ class ce {
       error: `Empty toolset name provided. Available toolsets: ${this.getAvailableToolsets().join(
         ", "
       )}`
-    } : k.includes(t) ? {
+    } : W.includes(t) ? {
       isValid: !1,
       error: `Toolset key '${t}' is reserved for internal use`
     } : this.catalog[t] ? { isValid: !0, sanitized: t } : {
@@ -156,35 +183,51 @@ class ce {
   }
   async resolveToolsForToolsets(e, t) {
     const s = [];
-    for (const r of e) {
-      const i = this.catalog[r];
-      if (i && (Array.isArray(i.tools) && i.tools.length > 0 && s.push(...i.tools), Array.isArray(i.modules) && i.modules.length > 0))
-        for (const n of i.modules) {
-          const l = this.moduleLoaders[n];
-          if (l)
-            try {
-              const c = await l(t);
-              Array.isArray(c) && c.length > 0 && s.push(...c);
-            } catch (c) {
-              console.warn(
-                `Module loader '${n}' failed for toolset '${r}':`,
-                c
-              );
-            }
-        }
+    for (const o of e) {
+      const n = this.catalog[o];
+      n && (this.collectDirectTools(n, s), await this.loadModuleTools(n, o, t, s));
     }
     return s;
   }
+  /**
+   * @param def - The toolset definition
+   * @param collected - Mutable array to append direct tools to
+   */
+  collectDirectTools(e, t) {
+    Array.isArray(e.tools) && e.tools.length > 0 && t.push(...e.tools);
+  }
+  /**
+   * @param def - The toolset definition containing module keys
+   * @param toolsetName - The toolset name for error messages
+   * @param context - Optional context passed to module loaders
+   * @param collected - Mutable array to append loaded tools to
+   */
+  async loadModuleTools(e, t, s, o) {
+    if (!(!Array.isArray(e.modules) || e.modules.length === 0))
+      for (const n of e.modules) {
+        const i = this.moduleLoaders[n];
+        if (i)
+          try {
+            const a = await i(s);
+            Array.isArray(a) && a.length > 0 && o.push(...a);
+          } catch (a) {
+            console.warn(
+              `Module loader '${n}' failed for toolset '${t}':`,
+              a
+            );
+          }
+      }
+  }
 }
-class O extends Error {
-  constructor(t, s, r, i) {
+class Y extends Error {
+  constructor(t, s, o, n) {
     super(t);
     d(this, "code");
     d(this, "details");
-    this.name = "ToolingError", this.code = s, this.details = r;
+    this.name = "ToolingError", this.code = s, this.details = o;
   }
 }
-class q {
+class C {
   constructor(e = {}) {
     d(this, "options");
     d(this, "names", /* @__PURE__ */ new Set());
@@ -193,6 +236,17 @@ class q {
       namespaceWithToolset: e.namespaceWithToolset ?? !0
     };
   }
+  static builder() {
+    const e = {}, t = {
+      namespaceWithToolset(s) {
+        return e.namespaceWithToolset = s, t;
+      },
+      build() {
+        return new C(e);
+      }
+    };
+    return t;
+  }
   getSafeName(e, t) {
     return !this.options.namespaceWithToolset || t.startsWith(`${e}.`) ? t : `${e}.${t}`;
   }
@@ -201,7 +255,7 @@ class q {
   }
   add(e) {
     if (this.names.has(e))
-      throw new O(
+      throw new Y(
         `Tool name collision: '${e}' already registered`,
         "E_TOOL_NAME_CONFLICT"
       );
@@ -214,13 +268,13 @@ class q {
   }
   mapAndValidate(e, t) {
     return t.map((s) => {
-      const r = this.getSafeName(e, s.name);
-      if (this.has(r))
-        throw new O(
-          `Tool name collision for '${r}'`,
+      const o = this.getSafeName(e, s.name);
+      if (this.has(o))
+        throw new Y(
+          `Tool name collision for '${o}'`,
           "E_TOOL_NAME_CONFLICT"
         );
-      return { ...s, name: r };
+      return { ...s, name: o };
     });
   }
   list() {
@@ -233,7 +287,7 @@ class q {
     return e;
   }
 }
-class de {
+class N {
   constructor(e) {
     d(this, "server");
     d(this, "resolver");
@@ -242,13 +296,36 @@ class de {
     d(this, "exposurePolicy");
     d(this, "toolRegistry");
     d(this, "activeToolsets", /* @__PURE__ */ new Set());
-    this.server = e.server, this.resolver = e.resolver, this.context = e.context, this.onToolsListChanged = e.onToolsListChanged, this.exposurePolicy = e.exposurePolicy, this.toolRegistry = e.toolRegistry ?? new q({ namespaceWithToolset: !0 });
+    this.server = e.server, this.resolver = e.resolver, this.context = e.context, this.onToolsListChanged = e.onToolsListChanged, this.exposurePolicy = e.exposurePolicy, this.toolRegistry = e.toolRegistry ?? C.builder().namespaceWithToolset(!0).build();
+  }
+  static builder() {
+    const e = {}, t = {
+      server(s) {
+        return e.server = s, t;
+      },
+      resolver(s) {
+        return e.resolver = s, t;
+      },
+      context(s) {
+        return e.context = s, t;
+      },
+      onToolsListChanged(s) {
+        return e.onToolsListChanged = s, t;
+      },
+      exposurePolicy(s) {
+        return e.exposurePolicy = s, t;
+      },
+      toolRegistry(s) {
+        return e.toolRegistry = s, t;
+      },
+      build() {
+        return new N(e);
+      }
+    };
+    return t;
   }
   /**
-   * Sends a tool list change notification if configured.
-   * Logs warnings on failure instead of throwing.
    * @returns Promise that resolves when notification is sent (or skipped)
-   * @private
    */
   async notifyToolsChanged() {
     if (this.onToolsListChanged)
@@ -272,59 +349,81 @@ class de {
   }
   /**
    * Enables a single toolset by name.
-   * Validates the toolset, checks exposure policies, resolves tools, and registers them.
    * @param toolsetName - The name of the toolset to enable
-   * @param skipNotification - If true, skips the tool list change notification (for batch operations)
+   * @param skipNotification - If true, skips the tool list change notification
    * @returns Result object with success status and message
    */
   async enableToolset(e, t = !1) {
-    const s = this.resolver.validateToolsetName(e);
-    if (!s.isValid || !s.sanitized)
-      return {
-        success: !1,
-        message: s.error || "Unknown validation error"
-      };
-    const r = s.sanitized;
-    if (this.activeToolsets.has(r))
-      return {
-        success: !1,
-        message: `Toolset '${r}' is already enabled.`
-      };
-    const i = this.checkExposurePolicy(r);
-    if (!i.allowed)
-      return { success: !1, message: i.message };
-    const n = [];
+    const s = this.validateToolsetForEnable(e);
+    if ("message" in s) return s;
+    const { sanitized: o } = s, n = this.checkExposurePolicy(o);
+    if (!n.allowed)
+      return { success: !1, message: n.message };
+    const i = [];
     try {
-      const l = await this.resolver.resolveToolsForToolsets(
-        [r],
-        this.context
-      );
-      if (l && l.length > 0) {
-        const c = this.toolRegistry.mapAndValidate(
-          r,
-          l
-        );
-        for (const a of c)
-          this.registerSingleTool(a, r), n.push(a.name);
-      }
-      return this.activeToolsets.add(r), t || await this.notifyToolsChanged(), {
-        success: !0,
-        message: `Toolset '${r}' enabled successfully. Registered ${l?.length ?? 0} tools.`
-      };
-    } catch (l) {
-      return n.length > 0 && console.warn(
-        `Partial failure enabling toolset '${r}'. ${n.length} tools were registered but toolset activation failed. Tools remain registered due to MCP limitations: ${n.join(", ")}`
-      ), {
+      const a = await this.resolveAndRegisterTools(o, i);
+      return this.activeToolsets.add(o), t || await this.notifyToolsChanged(), this.buildEnableResult(o, a);
+    } catch (a) {
+      return this.handlePartialFailure(o, i), {
         success: !1,
-        message: `Failed to enable toolset '${r}': ${l instanceof Error ? l.message : "Unknown error"}`
+        message: `Failed to enable toolset '${o}': ${a instanceof Error ? a.message : "Unknown error"}`
       };
     }
   }
   /**
-   * Checks if a toolset is allowed by the exposure policy.
+   * @param toolsetName - The raw toolset name to validate
+   * @returns Error result if invalid, or `{ sanitized }` to continue
+   */
+  validateToolsetForEnable(e) {
+    const t = this.resolver.validateToolsetName(e);
+    return !t.isValid || !t.sanitized ? {
+      success: !1,
+      message: t.error || "Unknown validation error"
+    } : this.activeToolsets.has(t.sanitized) ? {
+      success: !1,
+      message: `Toolset '${t.sanitized}' is already enabled.`
+    } : { sanitized: t.sanitized };
+  }
+  /**
+   * @param sanitized - The validated toolset name
+   * @param registeredTools - Mutable array tracking registered tool names for rollback
+   * @returns The number of tools resolved
+   */
+  async resolveAndRegisterTools(e, t) {
+    const s = await this.resolver.resolveToolsForToolsets(
+      [e],
+      this.context
+    );
+    if (s && s.length > 0) {
+      const o = this.toolRegistry.mapAndValidate(e, s);
+      for (const n of o)
+        this.registerSingleTool(n, e), t.push(n.name);
+    }
+    return s?.length ?? 0;
+  }
+  /**
+   * @param sanitized - The toolset name
+   * @param toolCount - Number of tools registered
+   * @returns Success result object
+   */
+  buildEnableResult(e, t) {
+    return {
+      success: !0,
+      message: `Toolset '${e}' enabled successfully. Registered ${t} tools.`
+    };
+  }
+  /**
+   * @param sanitized - The toolset name that partially failed
+   * @param registeredTools - Tools that were registered before the failure
+   */
+  handlePartialFailure(e, t) {
+    t.length > 0 && console.warn(
+      `Partial failure enabling toolset '${e}'. ${t.length} tools were registered but toolset activation failed. Tools remain registered due to MCP limitations: ${t.join(", ")}`
+    );
+  }
+  /**
    * @param toolsetName - The sanitized toolset name to check
    * @returns Object indicating if allowed and reason message if not
-   * @private
    */
   checkExposurePolicy(e) {
     return this.exposurePolicy?.allowlist && !this.exposurePolicy.allowlist.includes(e) ? {
@@ -342,10 +441,8 @@ class de {
     }) : { allowed: !0, message: "" };
   }
   /**
-   * Registers a single tool with the MCP server.
    * @param tool - The tool definition to register
    * @param toolsetKey - The toolset key for tracking
-   * @private
    */
   registerSingleTool(e, t) {
     e.annotations && Object.keys(e.annotations).length > 0 && e.annotations ? this.server.tool(
@@ -353,27 +450,25 @@ class de {
       e.description,
       e.inputSchema,
       e.annotations,
-      async (r) => await e.handler(r)
+      async (o) => await e.handler(o)
     ) : this.server.tool(
       e.name,
       e.description,
       e.inputSchema,
-      async (r) => await e.handler(r)
+      async (o) => await e.handler(o)
     ), this.toolRegistry.addForToolset(t, e.name);
   }
   /**
-   * Disables a toolset by name.
-   * Note: Due to MCP limitations, tools remain registered but the toolset is marked inactive.
    * @param toolsetName - The name of the toolset to disable
    * @returns Result object with success status and message
    */
   async disableToolset(e) {
     const t = this.resolver.validateToolsetName(e);
     if (!t.isValid || !t.sanitized) {
-      const r = Array.from(this.activeToolsets).join(", ") || "none";
+      const o = Array.from(this.activeToolsets).join(", ") || "none";
       return {
         success: !1,
-        message: `${t.error || "Unknown validation error"} Active toolsets: ${r}`
+        message: `${t.error || "Unknown validation error"} Active toolsets: ${o}`
       };
     }
     const s = t.sanitized;
@@ -397,30 +492,27 @@ class de {
     };
   }
   /**
-   * Enables multiple toolsets in a batch operation.
-   * Sends a single notification after all toolsets are processed.
    * @param toolsetNames - Array of toolset names to enable
    * @returns Result object with overall success status and individual results
    */
   async enableToolsets(e) {
     const t = [];
-    for (const n of e)
+    for (const i of e)
       try {
-        const l = await this.enableToolset(n, !0);
-        t.push({ name: n, ...l });
-      } catch (l) {
+        const a = await this.enableToolset(i, !0);
+        t.push({ name: i, ...a });
+      } catch (a) {
         t.push({
-          name: n,
+          name: i,
           success: !1,
-          message: l instanceof Error ? l.message : "Unknown error",
+          message: a instanceof Error ? a.message : "Unknown error",
           code: "E_INTERNAL"
         });
       }
-    const s = t.every((n) => n.success), r = t.some((n) => n.success), i = s ? "All toolsets enabled" : r ? "Some toolsets failed to enable" : "All toolsets failed to enable";
-    return r && await this.notifyToolsChanged(), { success: s, results: t, message: i };
+    const s = t.every((i) => i.success), o = t.some((i) => i.success), n = s ? "All toolsets enabled" : o ? "Some toolsets failed to enable" : "All toolsets failed to enable";
+    return o && await this.notifyToolsChanged(), { success: s, results: t, message: n };
   }
   /**
-   * Enables all available toolsets in a batch operation.
    * @returns Result object with overall success status and individual results
    */
   async enableAllToolsets() {
@@ -428,104 +520,104 @@ class de {
     return this.enableToolsets(e);
   }
 }
-const b = "_meta";
-function ue(o, e, t, s) {
-  (s?.mode ?? "DYNAMIC") === "DYNAMIC" && (t.addForToolset(b, "enable_toolset"), o.tool(
+const w = "_meta";
+function xe(r, e, t, s) {
+  (s?.mode ?? "DYNAMIC") === "DYNAMIC" && (t.addForToolset(w, "enable_toolset"), r.tool(
     "enable_toolset",
     "Enable a toolset by name",
-    { name: v.string().describe("Toolset name") },
+    { name: g.string().describe("Toolset name") },
     { destructiveHint: !0, idempotentHint: !0 },
-    async (i) => {
-      const n = await e.enableToolset(i.name);
+    async (n) => {
+      const i = await e.enableToolset(n.name);
       return {
-        content: [{ type: "text", text: JSON.stringify(n) }]
+        content: [{ type: "text", text: JSON.stringify(i) }]
       };
     }
-  ), t.addForToolset(b, "disable_toolset"), o.tool(
+  ), t.addForToolset(w, "disable_toolset"), r.tool(
     "disable_toolset",
     "Disable a toolset by name (state only)",
-    { name: v.string().describe("Toolset name") },
+    { name: g.string().describe("Toolset name") },
     { destructiveHint: !0, idempotentHint: !0 },
-    async (i) => {
-      const n = await e.disableToolset(i.name);
+    async (n) => {
+      const i = await e.disableToolset(n.name);
       return {
-        content: [{ type: "text", text: JSON.stringify(n) }]
+        content: [{ type: "text", text: JSON.stringify(i) }]
       };
     }
-  ), t.addForToolset(b, "list_toolsets"), o.tool(
+  ), t.addForToolset(w, "list_toolsets"), r.tool(
     "list_toolsets",
     "List available toolsets with active status and definitions",
     {},
     { readOnlyHint: !0, idempotentHint: !0 },
     async () => {
-      const i = e.getAvailableToolsets(), n = e.getStatus().toolsetToTools, l = i.map((c) => {
-        const a = e.getToolsetDefinition(c);
+      const n = e.getAvailableToolsets(), i = e.getStatus().toolsetToTools, a = n.map((l) => {
+        const c = e.getToolsetDefinition(l);
         return {
-          key: c,
-          active: e.isActive(c),
-          definition: a ? {
-            name: a.name,
-            description: a.description,
-            modules: a.modules ?? [],
-            decisionCriteria: a.decisionCriteria ?? void 0
+          key: l,
+          active: e.isActive(l),
+          definition: c ? {
+            name: c.name,
+            description: c.description,
+            modules: c.modules ?? [],
+            decisionCriteria: c.decisionCriteria ?? void 0
           } : null,
-          tools: n[c] ?? []
+          tools: i[l] ?? []
         };
       });
       return {
         content: [
-          { type: "text", text: JSON.stringify({ toolsets: l }) }
+          { type: "text", text: JSON.stringify({ toolsets: a }) }
         ]
       };
     }
-  ), t.addForToolset(b, "describe_toolset"), o.tool(
+  ), t.addForToolset(w, "describe_toolset"), r.tool(
     "describe_toolset",
     "Describe a toolset with definition, active status and tools",
-    { name: v.string().describe("Toolset name") },
+    { name: g.string().describe("Toolset name") },
     { readOnlyHint: !0, idempotentHint: !0 },
-    async (i) => {
-      const n = e.getToolsetDefinition(i.name), l = e.getStatus().toolsetToTools;
-      if (!n)
+    async (n) => {
+      const i = e.getToolsetDefinition(n.name), a = e.getStatus().toolsetToTools;
+      if (!i)
         return {
           content: [
             {
               type: "text",
-              text: JSON.stringify({ error: `Unknown toolset '${i.name}'` })
+              text: JSON.stringify({ error: `Unknown toolset '${n.name}'` })
             }
           ]
         };
-      const c = {
-        key: i.name,
-        active: e.isActive(i.name),
+      const l = {
+        key: n.name,
+        active: e.isActive(n.name),
         definition: {
-          name: n.name,
-          description: n.description,
-          modules: n.modules ?? [],
-          decisionCriteria: n.decisionCriteria ?? void 0
+          name: i.name,
+          description: i.description,
+          modules: i.modules ?? [],
+          decisionCriteria: i.decisionCriteria ?? void 0
         },
-        tools: l[i.name] ?? []
+        tools: a[n.name] ?? []
       };
       return {
-        content: [{ type: "text", text: JSON.stringify(c) }]
+        content: [{ type: "text", text: JSON.stringify(l) }]
       };
     }
-  )), t.addForToolset(b, "list_tools"), o.tool(
+  )), t.addForToolset(w, "list_tools"), r.tool(
     "list_tools",
     "List currently registered tool names (best effort)",
     {},
     { readOnlyHint: !0, idempotentHint: !0 },
     async () => {
-      const i = e.getStatus(), n = {
-        tools: i.tools,
-        toolsetToTools: i.toolsetToTools
+      const n = e.getStatus(), i = {
+        tools: n.tools,
+        toolsetToTools: n.toolsetToTools
       };
       return {
-        content: [{ type: "text", text: JSON.stringify(n) }]
+        content: [{ type: "text", text: JSON.stringify(i) }]
       };
     }
   );
 }
-class C {
+class A {
   constructor(e) {
     d(this, "mode");
     d(this, "resolver");
@@ -533,32 +625,51 @@ class C {
     d(this, "toolsetValidator");
     d(this, "initPromise");
     d(this, "initError", null);
-    this.toolsetValidator = new le();
+    this.toolsetValidator = L.builder().build();
     const t = e.startup ?? {}, s = this.resolveStartupConfig(t, e.catalog);
-    this.mode = s.mode, this.resolver = new ce({
-      catalog: e.catalog,
-      moduleLoaders: e.moduleLoaders
-    });
-    const r = new q({
-      namespaceWithToolset: e.exposurePolicy?.namespaceToolsWithSetKey ?? !0
-    });
-    this.manager = new de({
-      server: e.server,
-      resolver: this.resolver,
-      context: e.context,
-      onToolsListChanged: e.notifyToolsListChanged,
-      exposurePolicy: e.exposurePolicy,
-      toolRegistry: r
-    }), e.registerMetaTools !== !1 && ue(e.server, this.manager, r, { mode: this.mode });
+    this.mode = s.mode, this.resolver = j.builder().catalog(e.catalog).moduleLoaders(e.moduleLoaders ?? {}).build();
+    const o = C.builder().namespaceWithToolset(
+      e.exposurePolicy?.namespaceToolsWithSetKey ?? !0
+    ).build(), n = N.builder().server(e.server).resolver(this.resolver).context(e.context).toolRegistry(o);
+    e.notifyToolsListChanged && n.onToolsListChanged(e.notifyToolsListChanged), e.exposurePolicy && n.exposurePolicy(e.exposurePolicy), this.manager = n.build(), e.registerMetaTools !== !1 && xe(e.server, this.manager, o, { mode: this.mode });
     const i = s.toolsets;
     this.initPromise = this.initializeToolsets(i);
   }
+  static builder() {
+    const e = {}, t = {
+      server(s) {
+        return e.server = s, t;
+      },
+      catalog(s) {
+        return e.catalog = s, t;
+      },
+      moduleLoaders(s) {
+        return e.moduleLoaders = s, t;
+      },
+      exposurePolicy(s) {
+        return e.exposurePolicy = s, t;
+      },
+      context(s) {
+        return e.context = s, t;
+      },
+      notifyToolsListChanged(s) {
+        return e.notifyToolsListChanged = s, t;
+      },
+      startup(s) {
+        return e.startup = s, t;
+      },
+      registerMetaTools(s) {
+        return e.registerMetaTools = s, t;
+      },
+      build() {
+        return new A(e);
+      }
+    };
+    return t;
+  }
   /**
-   * Initializes toolsets asynchronously during construction.
-   * Stores any errors for later retrieval via ensureReady().
    * @param initial - The toolsets to initialize or "ALL"
    * @returns Promise that resolves when initialization is complete
-   * @private
    */
   async initializeToolsets(e) {
     try {
@@ -567,50 +678,46 @@ class C {
       this.initError = t instanceof Error ? t : new Error(String(t)), console.error("Failed to initialize toolsets:", this.initError);
     }
   }
-  /**
-   * Waits for the orchestrator to be fully initialized.
-   * Call this before using the orchestrator to ensure all toolsets are loaded.
-   * @throws {Error} If initialization failed
-   */
   async ensureReady() {
     if (await this.initPromise, this.initError)
       throw this.initError;
   }
-  /**
-   * Checks if the orchestrator has finished initialization.
-   * Does not throw on error - use ensureReady() for that.
-   * @returns Promise that resolves to true if ready, false if initialization failed
-   */
   async isReady() {
     return await this.initPromise, this.initError === null;
   }
   resolveStartupConfig(e, t) {
-    if (e.mode) {
-      if (e.mode === "DYNAMIC" && e.toolsets)
-        return console.warn("startup.toolsets provided but ignored in DYNAMIC mode"), { mode: "DYNAMIC" };
-      if (e.mode === "STATIC") {
-        if (e.toolsets === "ALL")
-          return { mode: "STATIC", toolsets: "ALL" };
-        const s = Array.isArray(e.toolsets) ? e.toolsets : [], r = [];
-        for (const i of s) {
-          const { isValid: n, sanitized: l, error: c } = this.toolsetValidator.validateToolsetName(i, t);
-          n && l ? r.push(l) : c && console.warn(c);
-        }
-        if (s.length > 0 && r.length === 0)
-          throw new Error(
-            "STATIC mode requires valid toolsets or 'ALL'; none were valid"
-          );
-        return { mode: "STATIC", toolsets: r };
-      }
-      return { mode: e.mode };
+    return e.mode ? this.resolveExplicitMode(e.mode, e.toolsets, t) : this.inferModeFromToolsets(e, t);
+  }
+  /**
+   * @param mode - The explicit mode
+   * @param toolsets - Optional toolsets from startup config
+   * @param catalog - The toolset catalog to validate against
+   * @returns Resolved mode and toolsets
+   */
+  resolveExplicitMode(e, t, s) {
+    if (e === "DYNAMIC" && t)
+      return console.warn("startup.toolsets provided but ignored in DYNAMIC mode"), { mode: "DYNAMIC" };
+    if (e === "STATIC") {
+      if (t === "ALL")
+        return { mode: "STATIC", toolsets: "ALL" };
+      const o = Array.isArray(t) ? t : [], n = this.validateAndCollectToolsets(o, s);
+      if (o.length > 0 && n.length === 0)
+        throw new Error(
+          "STATIC mode requires valid toolsets or 'ALL'; none were valid"
+        );
+      return { mode: "STATIC", toolsets: n };
     }
+    return { mode: e };
+  }
+  /**
+   * @param startup - Startup config without an explicit mode
+   * @param catalog - The toolset catalog to validate against
+   * @returns Inferred mode and toolsets
+   */
+  inferModeFromToolsets(e, t) {
     if (e.toolsets === "ALL") return { mode: "STATIC", toolsets: "ALL" };
     if (Array.isArray(e.toolsets) && e.toolsets.length > 0) {
-      const s = [];
-      for (const r of e.toolsets) {
-        const { isValid: i, sanitized: n, error: l } = this.toolsetValidator.validateToolsetName(r, t);
-        i && n ? s.push(n) : l && console.warn(l);
-      }
+      const s = this.validateAndCollectToolsets(e.toolsets, t);
       if (s.length === 0)
         throw new Error(
           "STATIC mode requires valid toolsets or 'ALL'; none were valid"
@@ -619,6 +726,19 @@ class C {
     }
     return { mode: "DYNAMIC" };
   }
+  /**
+   * @param names - Array of toolset names to validate
+   * @param catalog - The toolset catalog to validate against
+   * @returns Array of valid, sanitized toolset names
+   */
+  validateAndCollectToolsets(e, t) {
+    const s = [];
+    for (const o of e) {
+      const { isValid: n, sanitized: i, error: a } = this.toolsetValidator.validateToolsetName(o, t);
+      n && i ? s.push(i) : a && console.warn(a);
+    }
+    return s;
+  }
   getMode() {
     return this.mode;
   }
@@ -626,10 +746,10 @@ class C {
     return this.manager;
   }
 }
-var x, P;
-class F {
+var T, M;
+const D = class D {
   constructor(e = {}) {
-    A(this, x);
+    x(this, T);
     d(this, "storage", /* @__PURE__ */ new Map());
     d(this, "maxSize");
     d(this, "ttlMs");
@@ -640,6 +760,26 @@ class F {
     const t = e.pruneIntervalMs ?? 1e3 * 60 * 10;
     this.pruneInterval = setInterval(() => this.pruneExpired(), t);
   }
+  static builder() {
+    const e = {}, t = {
+      maxSize(s) {
+        return e.maxSize = s, t;
+      },
+      ttlMs(s) {
+        return e.ttlMs = s, t;
+      },
+      pruneIntervalMs(s) {
+        return e.pruneIntervalMs = s, t;
+      },
+      onEvict(s) {
+        return e.onEvict = s, t;
+      },
+      build() {
+        return new D(e);
+      }
+    };
+    return t;
+  }
   getEntryCount() {
     return this.storage.size;
   }
@@ -659,122 +799,112 @@ class F {
     this.storage.set(e, s);
   }
   /**
-   * Removes an entry from the cache.
-   * Calls the onEvict callback if configured.
    * @param key - The key to remove
    */
   delete(e) {
     const t = this.storage.get(e);
-    t && (this.storage.delete(e), m(this, x, P).call(this, e, t.resource));
+    t && (this.storage.delete(e), m(this, T, M).call(this, e, t.resource));
   }
   /**
-   * Stops the background pruning interval and optionally clears all entries.
    * @param clearEntries - If true, also removes all entries and calls onEvict for each
    */
   stop(e = !1) {
     this.pruneInterval && (clearInterval(this.pruneInterval), this.pruneInterval = void 0), e && this.clear();
   }
-  /**
-   * Clears all entries from the cache.
-   * Calls onEvict for each entry being removed.
-   */
   clear() {
     const e = Array.from(this.storage.entries());
     this.storage.clear();
     for (const [t, s] of e)
-      m(this, x, P).call(this, t, s.resource);
+      m(this, T, M).call(this, t, s.resource);
   }
-  /**
-   * Evicts the least recently used entry from the cache.
-   * @private
-   */
   evictLeastRecentlyUsed() {
     const e = this.storage.keys().next().value;
     e && this.delete(e);
   }
-  /**
-   * Removes all expired entries from the cache.
-   * @private
-   */
   pruneExpired() {
     const e = Date.now(), t = [];
-    for (const [s, r] of this.storage.entries())
-      e - r.lastAccessed > this.ttlMs && t.push(s);
+    for (const [s, o] of this.storage.entries())
+      e - o.lastAccessed > this.ttlMs && t.push(s);
     for (const s of t)
       this.delete(s);
   }
-}
-x = new WeakSet(), /**
- * Safely calls the evict callback, catching and logging any errors.
+};
+T = new WeakSet(), /**
  * @param key - The key being evicted
  * @param resource - The resource being evicted
- * @private
  */
-P = function(e, t) {
+M = function(e, t) {
   if (this.onEvict)
     try {
       const s = this.onEvict(e, t);
-      s instanceof Promise && s.catch((r) => {
-        console.warn(`Error in cache eviction callback for key '${e}':`, r);
+      s instanceof Promise && s.catch((o) => {
+        console.warn(`Error in cache eviction callback for key '${e}':`, o);
       });
     } catch (s) {
       console.warn(`Error in cache eviction callback for key '${e}':`, s);
     }
 };
-function V(o, e, t, s) {
-  const r = ["/mcp", "/healthz", "/tools", "/.well-known/mcp-config"];
-  for (const i of t) {
-    const n = `${e}${i.path}`;
-    if (r.some(
-      (a) => n.startsWith(`${e}${a}`)
+let E = D;
+function rt(r) {
+  return r;
+}
+function ot(r) {
+  return r;
+}
+function Z(r, e, t, s) {
+  const o = ["/mcp", "/healthz", "/tools", "/.well-known/mcp-config"];
+  for (const n of t) {
+    const i = `${e}${n.path}`;
+    if (o.some(
+      (c) => i.startsWith(`${e}${c}`)
     )) {
       console.warn(
-        `Custom endpoint ${i.method} ${i.path} conflicts with built-in MCP endpoint. Skipping registration.`
+        `Custom endpoint ${n.method} ${n.path} conflicts with built-in MCP endpoint. Skipping registration.`
       );
       continue;
     }
-    const c = i.method.toLowerCase();
-    o[c](n, async (a, u) => {
+    const l = n.method.toLowerCase();
+    r[l](i, async (c, u) => {
       try {
-        const h = a.headers["mcp-client-id"]?.trim(), g = h && h.length > 0 ? h : `anon-${S()}`;
-        let w;
-        if (i.bodySchema) {
-          const y = i.bodySchema.safeParse(a.body);
-          if (!y.success)
-            return E(u, "body", y.error);
-          w = y.data;
+        const f = c.headers["mcp-client-id"]?.trim(), v = f && f.length > 0 ? f : `anon-${S()}`;
+        let b;
+        if (n.bodySchema) {
+          const p = n.bodySchema.safeParse(c.body);
+          if (!p.success)
+            return P(u, "body", p.error);
+          b = p.data;
         }
-        let T = {};
-        if (i.querySchema) {
-          const y = i.querySchema.safeParse(a.query);
-          if (!y.success)
-            return E(u, "query", y.error);
-          T = y.data;
+        let F = {};
+        if (n.querySchema) {
+          const p = n.querySchema.safeParse(c.query);
+          if (!p.success)
+            return P(u, "query", p.error);
+          F = p.data;
         }
-        let I = {};
-        if (i.paramsSchema) {
-          const y = i.paramsSchema.safeParse(a.params);
-          if (!y.success)
-            return E(u, "params", y.error);
-          I = y.data;
+        let _ = {};
+        if (n.paramsSchema) {
+          const p = n.paramsSchema.safeParse(c.params);
+          if (!p.success)
+            return P(u, "params", p.error);
+          _ = p.data;
         }
-        const $ = {
-          body: w,
-          query: T,
-          params: I,
-          headers: a.headers,
-          clientId: g
+        const K = {
+          body: b,
+          query: F,
+          params: _,
+          headers: c.headers,
+          clientId: v
         };
         if (s?.contextExtractor) {
-          const y = await s.contextExtractor(a);
-          Object.assign($, y);
+          const p = await s.contextExtractor(c);
+          Object.assign(K, p);
         }
-        const L = await i.handler($);
-        if (i.responseSchema) {
-          const y = i.responseSchema.safeParse(L);
-          return y.success ? y.data : (console.error(
-            `Response validation failed for ${i.method} ${i.path}:`,
-            y.error
+        const B = await n.handler(K);
+        if (n.responseSchema) {
+          const p = n.responseSchema.safeParse(B);
+          return p.success ? p.data : (console.error(
+            `Response validation failed for ${n.method} ${n.path}:`,
+            p.error
           ), u.code(500), {
             error: {
               code: "RESPONSE_VALIDATION_ERROR",
@@ -782,23 +912,23 @@ function V(o, e, t, s) {
             }
           });
         }
-        return L;
-      } catch (h) {
+        return B;
+      } catch (f) {
         return console.error(
-          `Error in custom endpoint ${i.method} ${i.path}:`,
-          h
+          `Error in custom endpoint ${n.method} ${n.path}:`,
+          f
         ), u.code(500), {
           error: {
             code: "INTERNAL_ERROR",
-            message: h instanceof Error ? h.message : "Internal server error"
+            message: f instanceof Error ? f.message : "Internal server error"
           }
         };
       }
     });
   }
 }
-function E(o, e, t) {
-  return o.code(400), {
+function P(r, e, t) {
+  return r.code(400), {
     error: {
       code: "VALIDATION_ERROR",
       message: `Validation failed for ${e}`,
@@ -806,8 +936,9 @@ function E(o, e, t) {
     }
   };
 }
-class he {
-  constructor(e, t, s = {}, r, i, n) {
+const Se = g.string({ message: "Missing required mcp-client-id header" }).trim().min(1, "mcp-client-id header must not be empty");
+class O {
+  constructor(e, t, s = {}, o, n, i) {
     d(this, "options");
     d(this, "defaultManager");
     d(this, "createBundle");
@@ -816,12 +947,12 @@ class he {
     d(this, "app", null);
     d(this, "configSchema");
     // Per-client server bundles and per-client session transports
-    d(this, "clientCache", new F({
+    d(this, "clientCache", new E({
       onEvict: (e, t) => {
         this.cleanupBundle(t);
       }
     }));
-    this.defaultManager = e, this.createBundle = t, this.sessionContextResolver = i, this.baseContext = n, this.options = {
+    this.defaultManager = e, this.createBundle = t, this.sessionContextResolver = n, this.baseContext = i, this.options = {
       host: s.host ?? "0.0.0.0",
       port: s.port ?? 3e3,
       basePath: s.basePath ?? "/",
@@ -829,14 +960,89 @@ class he {
       logger: s.logger ?? !1,
       app: s.app,
       customEndpoints: s.customEndpoints
-    }, this.configSchema = r;
+    }, this.configSchema = o;
+  }
+  static builder() {
+    let e, t;
+    const s = {};
+    let o, n, i;
+    const a = {
+      defaultManager(l) {
+        return e = l, a;
+      },
+      createBundle(l) {
+        return t = l, a;
+      },
+      host(l) {
+        return s.host = l, a;
+      },
+      port(l) {
+        return s.port = l, a;
+      },
+      basePath(l) {
+        return s.basePath = l, a;
+      },
+      cors(l) {
+        return s.cors = l, a;
+      },
+      logger(l) {
+        return s.logger = l, a;
+      },
+      app(l) {
+        return s.app = l, a;
+      },
+      customEndpoints(l) {
+        return s.customEndpoints = l, a;
+      },
+      configSchema(l) {
+        return o = l, a;
+      },
+      sessionContextResolver(l) {
+        return n = l, a;
+      },
+      baseContext(l) {
+        return i = l, a;
+      },
+      build() {
+        return new O(e, t, s, o, n, i);
+      }
+    };
+    return a;
   }
   async start() {
     if (this.app) return;
-    const e = this.options.app ?? N({ logger: this.options.logger });
-    this.options.cors && await e.register(D, { origin: !0 });
-    const t = this.options.basePath.endsWith("/") ? this.options.basePath.slice(0, -1) : this.options.basePath;
-    e.get(`${t}/healthz`, async () => ({ ok: !0 })), e.get(`${t}/tools`, async () => this.defaultManager.getStatus()), e.get(`${t}/.well-known/mcp-config`, async (s, r) => (r.header("Content-Type", "application/schema+json; charset=utf-8"), this.configSchema ?? {
+    const e = this.options.app ?? U({ logger: this.options.logger });
+    this.options.cors && await e.register(J, { origin: !0 });
+    const t = this.normalizeBasePath(this.options.basePath);
+    this.registerHealthEndpoint(e, t), this.registerToolsEndpoint(e, t), this.registerConfigDiscoveryEndpoint(e, t), this.registerMcpPostEndpoint(e, t), this.registerMcpGetEndpoint(e, t), this.registerMcpDeleteEndpoint(e, t), this.options.customEndpoints && this.options.customEndpoints.length > 0 && Z(e, t, this.options.customEndpoints), this.options.app || await e.listen({ host: this.options.host, port: this.options.port }), this.app = e;
+  }
+  /**
+   * @param basePath - The base path to normalize
+   * @returns Normalized base path without trailing slash
+   */
+  normalizeBasePath(e) {
+    return e.endsWith("/") ? e.slice(0, -1) : e;
+  }
+  /**
+   * @param app - Fastify instance
+   * @param base - Base path for routes
+   */
+  registerHealthEndpoint(e, t) {
+    e.get(`${t}/healthz`, async () => ({ ok: !0 }));
+  }
+  /**
+   * @param app - Fastify instance
+   * @param base - Base path for routes
+   */
+  registerToolsEndpoint(e, t) {
+    e.get(`${t}/tools`, async () => this.defaultManager.getStatus());
+  }
+  /**
+   * @param app - Fastify instance
+   * @param base - Base path for routes
+   */
+  registerConfigDiscoveryEndpoint(e, t) {
+    e.get(`${t}/.well-known/mcp-config`, async (s, o) => (o.header("Content-Type", "application/schema+json; charset=utf-8"), this.configSchema ?? {
       $schema: "https://json-schema.org/draft/2020-12/schema",
       title: "MCP Session Configuration",
       description: "Schema for the /mcp endpoint configuration",
@@ -845,76 +1051,102 @@ class he {
       required: [],
       "x-mcp-version": "1.0",
       "x-query-style": "dot+bracket"
-    })), e.post(
+    }));
+  }
+  /**
+   * @param app - Fastify instance
+   * @param base - Base path for routes
+   */
+  registerMcpPostEndpoint(e, t) {
+    e.post(
       `${t}/mcp`,
-      async (s, r) => {
-        const i = s.headers["mcp-client-id"]?.trim(), n = i && i.length > 0 ? i : `anon-${S()}`, l = !n.startsWith("anon-"), { cacheKey: c, mergedContext: a } = this.resolveSessionContext(
+      async (s, o) => {
+        const n = Se.safeParse(
+          s.headers["mcp-client-id"]
+        );
+        if (!n.success)
+          return o.code(400), {
+            jsonrpc: "2.0",
+            error: { code: -32600, message: n.error.issues[0].message },
+            id: null
+          };
+        const i = n.data, { cacheKey: a, mergedContext: l } = this.resolveSessionContext(
           s,
-          n
+          i
         );
-        let u = l ? this.clientCache.get(c) : null;
-        if (!u) {
-          const w = this.createBundle(a);
-          u = {
-            server: w.server,
-            orchestrator: w.orchestrator,
+        let c = this.clientCache.get(a);
+        if (!c) {
+          const v = this.createBundle(l);
+          c = {
+            server: v.server,
+            orchestrator: v.orchestrator,
             sessions: /* @__PURE__ */ new Map()
-          }, l && this.clientCache.set(c, u);
+          }, this.clientCache.set(a, c);
         }
-        const h = s.headers["mcp-session-id"];
-        let g;
-        if (h && u.sessions.get(h))
-          g = u.sessions.get(h);
-        else if (!h && _(s.body)) {
-          const w = S();
-          g = new z({
-            sessionIdGenerator: () => w,
-            onsessioninitialized: (T) => {
-              u.sessions.set(T, g);
+        const u = s.headers["mcp-session-id"];
+        let f;
+        if (u && c.sessions.get(u))
+          f = c.sessions.get(u);
+        else if (!u && G(s.body)) {
+          await this.drainExistingSessions(c.sessions), await this.disconnectServer(c.server);
+          const v = S();
+          f = new Q({
+            sessionIdGenerator: () => v,
+            onsessioninitialized: (b) => {
+              c.sessions.set(b, f);
             }
-          });
+          }), f.onclose = () => {
+            f?.sessionId && c.sessions.delete(f.sessionId);
+          };
           try {
-            await u.server.connect(g);
+            await c.server.connect(f);
           } catch {
-            return r.code(500), {
+            return o.code(500), {
               jsonrpc: "2.0",
               error: { code: -32603, message: "Error initializing server." },
               id: null
             };
           }
-          g.onclose = () => {
-            g?.sessionId && u.sessions.delete(g.sessionId);
-          };
         } else
-          return r.code(400), {
+          return o.code(400), {
             jsonrpc: "2.0",
             error: { code: -32e3, message: "Session not found or expired" },
             id: null
           };
-        return await g.handleRequest(
-          s.raw,
-          r.raw,
-          s.body
-        ), r;
+        return await f.handleRequest(s.raw, o.raw, s.body), o;
       }
-    ), e.get(`${t}/mcp`, async (s, r) => {
-      const i = s.headers["mcp-client-id"]?.trim(), n = i && i.length > 0 ? i : "";
-      if (!n)
-        return r.code(400), "Missing mcp-client-id";
-      const l = this.clientCache.get(n);
+    );
+  }
+  /**
+   * @param app - Fastify instance
+   * @param base - Base path for routes
+   */
+  registerMcpGetEndpoint(e, t) {
+    e.get(`${t}/mcp`, async (s, o) => {
+      const n = s.headers["mcp-client-id"]?.trim(), i = n && n.length > 0 ? n : "";
+      if (!i)
+        return o.code(400), "Missing mcp-client-id";
+      const { cacheKey: a } = this.resolveSessionContext(s, i), l = this.clientCache.get(a);
       if (!l)
-        return r.code(400), "Invalid or expired client";
+        return o.code(400), "Invalid or expired client";
       const c = s.headers["mcp-session-id"];
       if (!c)
-        return r.code(400), "Missing mcp-session-id";
-      const a = l.sessions.get(c);
-      return a ? (await a.handleRequest(s.raw, r.raw), r) : (r.code(400), "Invalid or expired session ID");
-    }), e.delete(
+        return o.code(400), "Missing mcp-session-id";
+      const u = l.sessions.get(c);
+      return u ? (await u.handleRequest(s.raw, o.raw), o) : (o.code(400), "Invalid or expired session ID");
+    });
+  }
+  /**
+   * @param app - Fastify instance
+   * @param base - Base path for routes
+   */
+  registerMcpDeleteEndpoint(e, t) {
+    e.delete(
       `${t}/mcp`,
-      async (s, r) => {
-        const i = s.headers["mcp-client-id"]?.trim(), n = i && i.length > 0 ? i : "", l = s.headers["mcp-session-id"];
-        if (!n || !l)
-          return r.code(400), {
+      async (s, o) => {
+        const n = s.headers["mcp-client-id"]?.trim(), i = n && n.length > 0 ? n : "", a = s.headers["mcp-session-id"];
+        if (!i || !a)
+          return o.code(400), {
             jsonrpc: "2.0",
             error: {
               code: -32600,
@@ -922,59 +1154,79 @@ class he {
             },
             id: null
           };
-        const c = this.clientCache.get(n), a = c?.sessions.get(l);
-        if (!c || !a)
-          return r.code(404), {
+        const { cacheKey: l } = this.resolveSessionContext(s, i), c = this.clientCache.get(l), u = c?.sessions.get(a);
+        if (!c || !u)
+          return o.code(404), {
             jsonrpc: "2.0",
             error: { code: -32e3, message: "Session not found or expired" },
             id: null
           };
         try {
-          if (typeof a.close == "function")
-            try {
-              await a.close();
-            } catch {
-            }
+          await u.close();
+        } catch {
         } finally {
-          a?.sessionId ? c.sessions.delete(a.sessionId) : c.sessions.delete(l);
+          u?.sessionId ? c.sessions.delete(u.sessionId) : c.sessions.delete(a);
         }
-        return r.code(204).send(), r;
+        return o.code(204).send(), o;
       }
-    ), this.options.customEndpoints && this.options.customEndpoints.length > 0 && V(e, t, this.options.customEndpoints), this.options.app || await e.listen({ host: this.options.host, port: this.options.port }), this.app = e;
+    );
   }
-  /**
-   * Stops the Fastify server and cleans up all resources.
-   * Closes all client sessions and clears the cache.
-   */
   async stop() {
     this.app && (this.clientCache.stop(!0), this.options.app || await this.app.close(), this.app = null);
   }
   /**
-   * Cleans up resources associated with a client bundle.
-   * Closes all sessions within the bundle.
+   * Closes all active sessions and clears the session map so the server is
+   * free to accept a new connection. Required for SDK 1.26+, which throws
+   * "Already connected" when `connect()` is called while a transport is
+   * still attached. Handles unclean client disconnects followed by re-init.
+   *
+   * The map is cleared before closing so that `onclose` handlers fired by
+   * `transport.close()` do not attempt double-deletion.
+   *
+   * @param sessions - The client's active session map to drain
+   */
+  async drainExistingSessions(e) {
+    if (e.size === 0) return;
+    const t = Array.from(e.values());
+    e.clear();
+    for (const s of t)
+      try {
+        await s.close();
+      } catch {
+      }
+  }
+  /**
+   * Disconnects the server from its current transport so that `Protocol._transport`
+   * is cleared before a new connection is established.
+   *
+   * `drainExistingSessions` handles same-bundle reconnects (sessions in the map).
+   * This method handles the STATIC-mode cross-client case: a different client's
+   * bundle has an empty sessions map, but the shared server is still attached to
+   * the previous client's transport because `StreamableHTTPClientTransport.close()`
+   * does not send DELETE—it only aborts connections.
+   *
+   * @param server - The MCP server to disconnect from its current transport
+   */
+  async disconnectServer(e) {
+    try {
+      await e.close();
+    } catch {
+    }
+  }
+  /**
    * @param bundle - The client bundle to clean up
-   * @private
    */
   cleanupBundle(e) {
     for (const [t, s] of e.sessions.entries())
-      try {
-        typeof s.close == "function" && s.close().catch((r) => {
-          console.warn(`Error closing session ${t}:`, r);
-        });
-      } catch (r) {
-        console.warn(`Error closing session ${t}:`, r);
-      }
+      s.close().catch((o) => {
+        console.warn(`Error closing session ${t}:`, o);
+      });
     e.sessions.clear();
   }
   /**
-   * Resolves the session context and generates a cache key for the request.
-   * If a session context resolver is configured, it extracts query parameters
-   * and merges session-specific context with the base context.
-   *
    * @param req - The Fastify request
    * @param clientId - The client identifier
    * @returns Object with cache key and merged context
-   * @private
    */
   resolveSessionContext(e, t) {
     if (!this.sessionContextResolver)
@@ -986,45 +1238,38 @@ class he {
       clientId: t,
       headers: this.extractHeaders(e),
       query: this.extractQuery(e)
-    }, r = this.sessionContextResolver.resolve(
+    }, o = this.sessionContextResolver.resolve(
       s,
       this.baseContext
     );
     return {
-      cacheKey: r.cacheKeySuffix === "default" ? t : `${t}:${r.cacheKeySuffix}`,
-      mergedContext: r.context
+      cacheKey: o.cacheKeySuffix === "default" ? t : `${t}:${o.cacheKeySuffix}`,
+      mergedContext: o.context
     };
   }
   /**
-   * Extracts headers from a Fastify request as a Record.
-   * Normalizes header names to lowercase.
-   *
    * @param req - The Fastify request
    * @returns Headers as a string record
-   * @private
    */
   extractHeaders(e) {
     const t = {};
-    for (const [s, r] of Object.entries(e.headers))
-      typeof r == "string" ? t[s.toLowerCase()] = r : Array.isArray(r) && r.length > 0 && (t[s.toLowerCase()] = r[0]);
+    for (const [s, o] of Object.entries(e.headers))
+      typeof o == "string" ? t[s.toLowerCase()] = o : Array.isArray(o) && o.length > 0 && (t[s.toLowerCase()] = o[0]);
     return t;
   }
   /**
-   * Extracts query parameters from a Fastify request as a Record.
-   *
    * @param req - The Fastify request
    * @returns Query parameters as a string record
-   * @private
    */
   extractQuery(e) {
     const t = {}, s = e.query;
     if (s && typeof s == "object")
-      for (const [r, i] of Object.entries(s))
-        typeof i == "string" && (t[r] = i);
+      for (const [o, n] of Object.entries(s))
+        typeof n == "string" && (t[o] = n);
     return t;
   }
 }
-class fe {
+class k {
   constructor(e) {
     d(this, "config");
     d(this, "queryParamName");
@@ -1033,9 +1278,27 @@ class fe {
     d(this, "mergeStrategy");
     this.config = e, this.queryParamName = e.queryParam?.name ?? "config", this.encoding = e.queryParam?.encoding ?? "base64", this.allowedKeys = e.queryParam?.allowedKeys ? new Set(e.queryParam.allowedKeys) : null, this.mergeStrategy = e.merge ?? "shallow";
   }
+  static builder() {
+    const e = {}, t = {
+      enabled(s) {
+        return e.enabled = s, t;
+      },
+      queryParam(s) {
+        return e.queryParam = s, t;
+      },
+      contextResolver(s) {
+        return e.contextResolver = s, t;
+      },
+      merge(s) {
+        return e.merge = s, t;
+      },
+      build() {
+        return new k(e);
+      }
+    };
+    return t;
+  }
   /**
-   * Resolves the session context for a request.
-   *
    * @param request - The request context (clientId, headers, query)
    * @param baseContext - The base context from server configuration
    * @returns The resolved context and cache key suffix
@@ -1047,34 +1310,48 @@ class fe {
         cacheKeySuffix: "default"
       };
     const s = this.parseQueryConfig(e.query);
-    if (this.config.contextResolver)
-      try {
-        return {
-          context: this.config.contextResolver(
-            e,
-            t,
-            s
-          ),
-          cacheKeySuffix: this.generateCacheKeySuffix(s)
-        };
-      } catch {
-        return {
-          context: t,
-          cacheKeySuffix: "default"
-        };
-      }
+    return this.config.contextResolver ? this.resolveWithCustomResolver(e, t, s) : this.resolveWithDefaultMerge(t, s);
+  }
+  /**
+   * @param request - The request context
+   * @param baseContext - The base context from server configuration
+   * @param parsedConfig - The parsed query parameter config
+   * @returns The resolved context and cache key suffix
+   */
+  resolveWithCustomResolver(e, t, s) {
+    const o = this.config.contextResolver;
+    if (!o)
+      return { context: t, cacheKeySuffix: "default" };
+    try {
+      return {
+        context: o(
+          e,
+          t,
+          s
+        ),
+        cacheKeySuffix: this.generateCacheKeySuffix(s)
+      };
+    } catch {
+      return {
+        context: t,
+        cacheKeySuffix: "default"
+      };
+    }
+  }
+  /**
+   * @param baseContext - The base context from server configuration
+   * @param parsedConfig - The parsed query parameter config
+   * @returns The merged context and cache key suffix
+   */
+  resolveWithDefaultMerge(e, t) {
     return {
-      context: this.mergeContexts(t, s),
-      cacheKeySuffix: this.generateCacheKeySuffix(s)
+      context: this.mergeContexts(e, t),
+      cacheKeySuffix: this.generateCacheKeySuffix(t)
     };
   }
   /**
-   * Parses the session config from query parameters.
-   * Returns empty object on parse failure (fail secure).
-   *
    * @param query - Query parameters from the request
    * @returns Parsed and filtered config object
-   * @private
    */
   parseQueryConfig(e) {
     const t = e[this.queryParamName];
@@ -1083,19 +1360,15 @@ class fe {
     try {
       let s;
       this.encoding === "base64" ? s = Buffer.from(t, "base64").toString("utf-8") : s = t;
-      const r = JSON.parse(s);
-      return typeof r != "object" || r === null || Array.isArray(r) ? {} : this.filterAllowedKeys(r);
+      const o = JSON.parse(s);
+      return typeof o != "object" || o === null || Array.isArray(o) ? {} : this.filterAllowedKeys(o);
     } catch {
       return {};
     }
   }
   /**
-   * Filters the parsed config to only include allowed keys.
-   * If no allowedKeys whitelist is configured, returns the full object.
-   *
    * @param parsed - The parsed config object
    * @returns Filtered config with only allowed keys
-   * @private
    */
   filterAllowedKeys(e) {
     if (!this.allowedKeys)
@@ -1106,12 +1379,9 @@ class fe {
     return t;
   }
   /**
-   * Merges the base context with the session config.
-   *
    * @param baseContext - The base context from server configuration
    * @param sessionConfig - The parsed session config
    * @returns Merged context
-   * @private
    */
   mergeContexts(e, t) {
     return Object.keys(t).length === 0 ? e : typeof e != "object" || e === null || Array.isArray(e) ? t : this.mergeStrategy === "deep" ? this.deepMerge(
@@ -1123,73 +1393,65 @@ class fe {
     };
   }
   /**
-   * Performs a deep merge of two objects.
-   * Session config values override base context values.
-   *
    * @param base - The base object
    * @param override - The override object
    * @returns Deep merged object
-   * @private
    */
   deepMerge(e, t) {
     const s = { ...e };
-    for (const [r, i] of Object.entries(t)) {
-      const n = s[r];
-      typeof i == "object" && i !== null && !Array.isArray(i) && typeof n == "object" && n !== null && !Array.isArray(n) ? s[r] = this.deepMerge(
-        n,
-        i
-      ) : s[r] = i;
+    for (const [o, n] of Object.entries(t)) {
+      const i = s[o];
+      typeof n == "object" && n !== null && !Array.isArray(n) && typeof i == "object" && i !== null && !Array.isArray(i) ? s[o] = this.deepMerge(
+        i,
+        n
+      ) : s[o] = n;
     }
     return s;
   }
   /**
-   * Generates a deterministic cache key suffix based on the session config.
-   * Returns 'default' when no session config is present.
-   *
    * @param sessionConfig - The parsed session config
    * @returns Hash string or 'default'
-   * @private
    */
   generateCacheKeySuffix(e) {
     if (Object.keys(e).length === 0)
       return "default";
     const t = Object.keys(e).sort(), s = {};
-    for (const i of t)
-      s[i] = e[i];
-    const r = JSON.stringify(s);
-    return ae("sha256").update(r).digest("hex").slice(0, 16);
+    for (const n of t)
+      s[n] = e[n];
+    const o = JSON.stringify(s);
+    return Te("sha256").update(o).digest("hex").slice(0, 16);
   }
 }
-function K(o) {
-  me(o), ye(o), ge(o), pe(o), ve(o);
+function X(r) {
+  Ee(r), Ce(r), Ae(r), Pe(r), Me(r);
 }
-function me(o) {
-  if (!o || typeof o != "object")
+function Ee(r) {
+  if (!r || typeof r != "object")
     throw new Error(
       "Session context configuration must be an object"
     );
 }
-function ye(o) {
-  if (o.enabled !== void 0 && typeof o.enabled != "boolean")
+function Ce(r) {
+  if (r.enabled !== void 0 && typeof r.enabled != "boolean")
     throw new Error(
-      `enabled must be a boolean, got ${typeof o.enabled}`
+      `enabled must be a boolean, got ${typeof r.enabled}`
     );
 }
-function ge(o) {
-  if (o.queryParam !== void 0) {
-    if (typeof o.queryParam != "object" || o.queryParam === null)
+function Ae(r) {
+  if (r.queryParam !== void 0) {
+    if (typeof r.queryParam != "object" || r.queryParam === null)
       throw new Error("queryParam must be an object");
-    if (o.queryParam.name !== void 0 && (typeof o.queryParam.name != "string" || o.queryParam.name.length === 0))
+    if (r.queryParam.name !== void 0 && (typeof r.queryParam.name != "string" || r.queryParam.name.length === 0))
       throw new Error("queryParam.name must be a non-empty string");
-    if (o.queryParam.encoding !== void 0 && o.queryParam.encoding !== "base64" && o.queryParam.encoding !== "json")
+    if (r.queryParam.encoding !== void 0 && r.queryParam.encoding !== "base64" && r.queryParam.encoding !== "json")
       throw new Error(
-        `Invalid queryParam.encoding: "${o.queryParam.encoding}". Must be "base64" or "json"`
+        `Invalid queryParam.encoding: "${r.queryParam.encoding}". Must be "base64" or "json"`
       );
-    if (o.queryParam.allowedKeys !== void 0) {
-      if (!Array.isArray(o.queryParam.allowedKeys))
+    if (r.queryParam.allowedKeys !== void 0) {
+      if (!Array.isArray(r.queryParam.allowedKeys))
         throw new Error("queryParam.allowedKeys must be an array of strings");
-      for (let e = 0; e < o.queryParam.allowedKeys.length; e++) {
-        const t = o.queryParam.allowedKeys[e];
+      for (let e = 0; e < r.queryParam.allowedKeys.length; e++) {
+        const t = r.queryParam.allowedKeys[e];
         if (typeof t != "string" || t.length === 0)
           throw new Error(
             `queryParam.allowedKeys[${e}] must be a non-empty string`
@@ -1198,172 +1460,244 @@ function ge(o) {
     }
   }
 }
-function pe(o) {
-  if (o.contextResolver !== void 0 && typeof o.contextResolver != "function")
+function Pe(r) {
+  if (r.contextResolver !== void 0 && typeof r.contextResolver != "function")
     throw new Error(
       "contextResolver must be a function: (request, baseContext, parsedQueryConfig?) => unknown"
     );
 }
-function ve(o) {
-  if (o.merge !== void 0 && o.merge !== "shallow" && o.merge !== "deep")
+function Me(r) {
+  if (r.merge !== void 0 && r.merge !== "shallow" && r.merge !== "deep")
     throw new Error(
-      `Invalid merge strategy: "${o.merge}". Must be "shallow" or "deep"`
+      `Invalid merge strategy: "${r.merge}". Must be "shallow" or "deep"`
     );
 }
-const we = v.object({
-  mode: v.enum(["DYNAMIC", "STATIC"]).optional(),
-  toolsets: v.union([v.array(v.string()), v.literal("ALL")]).optional()
+const Ie = g.object({
+  mode: g.enum(["DYNAMIC", "STATIC"]).optional(),
+  toolsets: g.union([g.array(g.string()), g.literal("ALL")]).optional()
 }).strict();
-async function De(o) {
-  if (o.startup)
-    try {
-      we.parse(o.startup);
-    } catch (a) {
-      if (a instanceof v.ZodError) {
-        const u = a.format();
-        throw new Error(
-          `Invalid startup configuration:
-${JSON.stringify(u, null, 2)}
+function $e(r) {
+  try {
+    Ie.parse(r);
+  } catch (e) {
+    if (e instanceof g.ZodError) {
+      const t = e.format();
+      throw new Error(
+        `Invalid startup configuration:
+${JSON.stringify(t, null, 2)}
 
 Hint: Common mistake - use "toolsets" not "initialToolsets"`
-        );
-      }
-      throw a;
+      );
     }
-  const e = o.startup?.mode ?? "DYNAMIC";
-  let t;
-  if (o.sessionContext && (K(o.sessionContext), t = new fe(o.sessionContext), e === "STATIC" && o.sessionContext.enabled !== !1 && console.warn(
-    "sessionContext has limited effect in STATIC mode: all clients share the same server instance with base context. Use DYNAMIC mode for per-session context isolation."
-  )), typeof o.createServer != "function")
-    throw new Error("createMcpServer: `createServer` (factory) is required");
-  const s = o.createServer(), r = (a) => typeof a?.server?.notification == "function", i = (a) => typeof a?.notifyToolsListChanged == "function", n = async (a) => {
+    throw e;
+  }
+}
+function Re() {
+  const r = (t) => typeof t?.server?.notification == "function", e = (t) => typeof t?.notifyToolsListChanged == "function";
+  return async (t) => {
     try {
-      if (r(a)) {
-        await a.server.notification({
+      if (r(t)) {
+        await t.server.notification({
           method: "notifications/tools/list_changed"
         });
         return;
       }
-      i(a) && await a.notifyToolsListChanged();
-    } catch (u) {
-      if ((u instanceof Error ? u.message : String(u)) === "Not connected")
+      e(t) && await t.notifyToolsListChanged();
+    } catch (s) {
+      if ((s instanceof Error ? s.message : String(s)) === "Not connected")
         return;
-      console.warn("Failed to send tools list changed notification:", u);
+      console.warn("Failed to send tools list changed notification:", s);
     }
-  }, l = new C({
-    server: s,
-    catalog: o.catalog,
-    moduleLoaders: o.moduleLoaders,
-    exposurePolicy: o.exposurePolicy,
-    context: o.context,
-    notifyToolsListChanged: async () => n(s),
-    startup: o.startup,
-    registerMetaTools: o.registerMetaTools !== void 0 ? o.registerMetaTools : e === "DYNAMIC"
-  });
-  e === "STATIC" && await l.ensureReady();
-  const c = new he(
-    l.getManager(),
-    (a) => {
-      const u = a ?? o.context;
-      if (e === "STATIC")
-        return { server: s, orchestrator: l };
-      const h = o.createServer(), g = new C({
-        server: h,
-        catalog: o.catalog,
-        moduleLoaders: o.moduleLoaders,
-        exposurePolicy: o.exposurePolicy,
-        context: u,
-        notifyToolsListChanged: async () => n(h),
-        startup: o.startup,
-        registerMetaTools: o.registerMetaTools !== void 0 ? o.registerMetaTools : e === "DYNAMIC"
-      });
-      return { server: h, orchestrator: g };
-    },
-    o.http,
-    o.configSchema,
+  };
+}
+function Le(r, e) {
+  return r !== void 0 ? r : e === "DYNAMIC";
+}
+async function nt(r) {
+  je(r);
+  const e = r.startup?.mode ?? "DYNAMIC", t = Le(r.registerMetaTools, e), s = Ne(r, e), o = Re(), n = r.createServer(), i = ee(
+    n,
+    r,
+    e,
+    t,
+    o
+  );
+  e === "STATIC" && await i.ensureReady();
+  const a = Oe(
+    r,
+    e,
+    n,
+    i,
     t,
-    o.context
+    o
+  ), l = ke(
+    r,
+    i.getManager(),
+    a,
+    s
   );
   return {
-    server: s,
-    start: async () => {
-      await c.start();
-    },
-    close: async () => {
-      await c.stop();
-    }
+    server: n,
+    start: () => l.start(),
+    close: () => l.stop()
+  };
+}
+function je(r) {
+  if (r.startup && $e(r.startup), typeof r.createServer != "function")
+    throw new Error("createMcpServer: `createServer` (factory) is required");
+}
+function Ne(r, e) {
+  if (!r.sessionContext) return;
+  X(r.sessionContext);
+  const t = k.builder().enabled(r.sessionContext.enabled ?? !0).queryParam(r.sessionContext.queryParam).contextResolver(r.sessionContext.contextResolver).merge(r.sessionContext.merge ?? "shallow").build();
+  return e === "STATIC" && r.sessionContext.enabled !== !1 && console.warn(
+    "sessionContext has limited effect in STATIC mode: all clients share the same server instance with base context. Use DYNAMIC mode for per-session context isolation."
+  ), t;
+}
+function ee(r, e, t, s, o, n) {
+  const i = A.builder().server(r).catalog(e.catalog).moduleLoaders(e.moduleLoaders ?? {}).context(n !== void 0 ? n : e.context).notifyToolsListChanged(async () => o(r)).registerMetaTools(s);
+  return e.exposurePolicy && i.exposurePolicy(e.exposurePolicy), e.startup && i.startup(e.startup), i.build();
+}
+function Oe(r, e, t, s, o, n) {
+  return (i) => {
+    if (e === "STATIC")
+      return { server: t, orchestrator: s };
+    const a = i ?? r.context, l = r.createServer(), c = ee(
+      l,
+      r,
+      e,
+      o,
+      n,
+      a
+    );
+    return { server: l, orchestrator: c };
   };
 }
-function Te(o) {
-  be(o), Se(o), xe(o), Ae(o);
+function ke(r, e, t, s) {
+  const o = O.builder().defaultManager(e).createBundle(t).host(r.http?.host ?? "0.0.0.0").port(r.http?.port ?? 3e3).basePath(r.http?.basePath ?? "/").cors(r.http?.cors ?? !0).logger(r.http?.logger ?? !1);
+  return r.http?.app && o.app(r.http.app), r.http?.customEndpoints && o.customEndpoints(r.http.customEndpoints), r.configSchema && o.configSchema(r.configSchema), s && o.sessionContextResolver(s), r.context !== void 0 && o.baseContext(r.context), o.build();
 }
-function be(o) {
-  if (!o || typeof o != "object")
+function De(r) {
+  ze(r), qe(r), Fe(r), _e(r);
+}
+function ze(r) {
+  if (!r || typeof r != "object")
     throw new Error(
       "Permission configuration is required for createPermissionBasedMcpServer"
     );
 }
-function Se(o) {
-  if (!o.source)
+function qe(r) {
+  if (!r.source)
     throw new Error('Permission source must be either "headers" or "config"');
-  if (o.source !== "headers" && o.source !== "config")
+  if (r.source !== "headers" && r.source !== "config")
     throw new Error(
-      `Invalid permission source: "${o.source}". Must be either "headers" or "config"`
+      `Invalid permission source: "${r.source}". Must be either "headers" or "config"`
     );
 }
-function xe(o) {
-  if (o.source === "config" && !o.staticMap && !o.resolver)
+function Fe(r) {
+  if (r.source === "config" && !r.staticMap && !r.resolver)
     throw new Error(
       "Config-based permissions require at least one of: staticMap or resolver function"
     );
 }
-function Ae(o) {
-  if (o.staticMap !== void 0) {
-    if (typeof o.staticMap != "object" || o.staticMap === null)
+function _e(r) {
+  if (r.staticMap !== void 0) {
+    if (typeof r.staticMap != "object" || r.staticMap === null)
       throw new Error(
         "staticMap must be an object mapping client IDs to toolset arrays"
       );
-    Ce(o.staticMap);
+    Ke(r.staticMap);
   }
-  if (o.resolver !== void 0 && typeof o.resolver != "function")
+  if (r.resolver !== void 0 && typeof r.resolver != "function")
     throw new Error(
       "resolver must be a synchronous function: (clientId: string) => string[]"
     );
-  if (o.defaultPermissions !== void 0 && !Array.isArray(o.defaultPermissions))
+  if (r.defaultPermissions !== void 0 && !Array.isArray(r.defaultPermissions))
     throw new Error("defaultPermissions must be an array of toolset names");
-  if (o.headerName !== void 0 && (typeof o.headerName != "string" || o.headerName.length === 0))
+  if (r.headerName !== void 0 && (typeof r.headerName != "string" || r.headerName.length === 0))
     throw new Error("headerName must be a non-empty string");
 }
-function Ce(o) {
-  for (const [e, t] of Object.entries(o))
+function Ke(r) {
+  for (const [e, t] of Object.entries(r))
     if (!Array.isArray(t))
       throw new Error(
         `staticMap value for client "${e}" must be an array of toolset names`
       );
 }
-var p, H, B, Y, U, W;
-class Ee {
-  /**
-   * Creates a new PermissionResolver instance.
-   * @param config - The permission configuration defining how permissions are resolved
-   */
+function Be(r, e) {
+  return async (t) => {
+    const s = e.resolvePermissions(
+      t.clientId,
+      t.headers
+    ), o = r(s), n = o.orchestrator.getManager(), i = [], a = [];
+    if (s.length > 0) {
+      const l = await n.enableToolsets(s);
+      for (const c of l.results)
+        c.success ? i.push(c.name) : (a.push(c.name), console.warn(
+          `Failed to enable toolset '${c.name}' for client '${t.clientId}': ${c.message}`
+        ));
+      if (i.length === 0 && a.length > 0)
+        throw new Error(
+          `All requested toolsets failed to enable for client '${t.clientId}'. Requested: [${s.join(", ")}]. Check that toolset names in permissions match the catalog.`
+        );
+    }
+    return {
+      server: o.server,
+      orchestrator: o.orchestrator,
+      allowedToolsets: i,
+      failedToolsets: a
+    };
+  };
+}
+function He(r) {
+  if (!r) return;
+  const e = {
+    namespaceToolsWithSetKey: r.namespaceToolsWithSetKey
+  };
+  return r.allowlist !== void 0 && console.warn(
+    "Permission-based servers: exposurePolicy.allowlist is ignored. Allowed toolsets are determined by client permissions."
+  ), r.denylist !== void 0 && console.warn(
+    "Permission-based servers: exposurePolicy.denylist is ignored. Use permission configuration to control toolset access."
+  ), r.maxActiveToolsets !== void 0 && console.warn(
+    "Permission-based servers: exposurePolicy.maxActiveToolsets is ignored. Toolset count is determined by client permissions."
+  ), r.onLimitExceeded !== void 0 && console.warn(
+    "Permission-based servers: exposurePolicy.onLimitExceeded is ignored. No toolset limits are enforced."
+  ), e;
+}
+var y, te, se, re, oe, ne;
+const z = class z {
   constructor(e) {
-    A(this, p);
+    x(this, y);
     d(this, "cache", /* @__PURE__ */ new Map());
     d(this, "normalizedHeaderName");
     this.config = e, this.normalizedHeaderName = (e.headerName || "mcp-toolset-permissions").toLowerCase();
   }
+  static builder() {
+    const e = {}, t = {
+      source(s) {
+        return e.source = s, t;
+      },
+      headerName(s) {
+        return e.headerName = s, t;
+      },
+      staticMap(s) {
+        return e.staticMap = s, t;
+      },
+      resolver(s) {
+        return e.resolver = s, t;
+      },
+      defaultPermissions(s) {
+        return e.defaultPermissions = s, t;
+      },
+      build() {
+        return new z(e);
+      }
+    };
+    return t;
+  }
   /**
-   * Resolves permissions for a client based on the configured source.
-   * Results are cached to improve performance for subsequent requests from the same client.
-   * Handles all errors gracefully by returning empty permissions on failure.
-   * 
-   * Note on caching: For header-based permissions, permissions are cached by clientId.
-   * This means subsequent requests from the same client will use cached permissions,
-   * even if headers change. Use invalidateCache(clientId) to force re-resolution.
-   * 
    * @param clientId - The unique identifier for the client
-   * @param headers - Optional request headers (required for header-based permissions)
+   * @param headers - Optional request headers
    * @returns Array of toolset names the client is allowed to access
    */
   resolvePermissions(e, t) {
@@ -1371,48 +1705,37 @@ class Ee {
       return this.cache.get(e);
     let s;
     try {
-      this.config.source === "headers" ? s = m(this, p, H).call(this, t) : s = m(this, p, Y).call(this, e), Array.isArray(s) || (console.warn(
+      this.config.source === "headers" ? s = m(this, y, te).call(this, t) : s = m(this, y, re).call(this, e), Array.isArray(s) || (console.warn(
         `Permission resolution returned non-array for client ${e}, using empty permissions`
       ), s = []), s = s.filter(
-        (r) => typeof r == "string" && r.trim().length > 0
+        (o) => typeof o == "string" && o.trim().length > 0
       );
-    } catch (r) {
+    } catch (o) {
       console.error(
         `Unexpected error resolving permissions for client ${e}:`,
-        r
+        o
       ), s = [];
     }
     return this.cache.set(e, s), s;
   }
   /**
-   * Invalidates cached permissions for a specific client.
-   * Call this when you know a client's permissions have changed.
    * @param clientId - The client ID to invalidate
    */
   invalidateCache(e) {
     this.cache.delete(e);
   }
-  /**
-   * Clears the permission cache.
-   * Useful for cleanup during server shutdown or when permissions need to be refreshed.
-   */
   clearCache() {
     this.cache.clear();
   }
-}
-p = new WeakSet(), /**
- * Parses permissions from request headers.
- * Extracts comma-separated toolset names from the configured header.
- * Handles malformed headers gracefully by returning empty permissions.
- * Uses case-insensitive header lookup per RFC 7230.
+};
+y = new WeakSet(), /**
  * @param headers - Request headers containing permission data
- * @returns Array of toolset names from headers, or empty array if header is missing/malformed
- * @private
+ * @returns Array of toolset names from headers
  */
-H = function(e) {
+te = function(e) {
   if (!e)
     return [];
-  const t = m(this, p, B).call(this, e, this.normalizedHeaderName);
+  const t = m(this, y, se).call(this, e, this.normalizedHeaderName);
   if (!t)
     return [];
   try {
@@ -1424,47 +1747,37 @@ H = function(e) {
     ), [];
   }
 }, /**
- * Finds a header value using case-insensitive key matching.
- * HTTP headers are case-insensitive per RFC 7230.
  * @param headers - The headers object to search
  * @param normalizedKey - The lowercase key to search for
- * @returns The header value if found, undefined otherwise
- * @private
+ * @returns The header value if found
  */
-B = function(e, t) {
+se = function(e, t) {
   if (e[t] !== void 0)
     return e[t];
-  for (const [s, r] of Object.entries(e))
+  for (const [s, o] of Object.entries(e))
     if (s.toLowerCase() === t)
-      return r;
+      return o;
 }, /**
- * Resolves permissions from server-side configuration.
- * Tries resolver function first (if provided), then falls back to static map,
- * and finally to default permissions. Handles errors gracefully.
  * @param clientId - The unique identifier for the client
  * @returns Array of toolset names from configuration
- * @private
  */
-Y = function(e) {
+re = function(e) {
   if (this.config.resolver) {
-    const t = m(this, p, U).call(this, e);
+    const t = m(this, y, oe).call(this, e);
     if (t !== null)
       return t;
   }
   if (this.config.staticMap) {
-    const t = m(this, p, W).call(this, e);
+    const t = m(this, y, ne).call(this, e);
     if (t !== null)
       return t;
   }
   return this.config.defaultPermissions || [];
 }, /**
- * Attempts to resolve permissions using the configured resolver function.
- * Handles errors gracefully and returns null on failure to allow fallback.
  * @param clientId - The unique identifier for the client
- * @returns Array of toolset names if successful, null if resolver fails or returns invalid data
- * @private
+ * @returns Array of toolset names if successful, null if resolver fails
  */
-U = function(e) {
+oe = function(e) {
   try {
     const t = this.config.resolver(e);
     return Array.isArray(t) ? t : (console.warn(
@@ -1477,61 +1790,28 @@ U = function(e) {
     ), null;
   }
 }, /**
- * Looks up permissions in the static map configuration.
- * Returns null if client is not found to allow fallback to defaults.
  * @param clientId - The unique identifier for the client
  * @returns Array of toolset names if found, null if client not in map
- * @private
  */
-W = function(e) {
+ne = function(e) {
   const t = this.config.staticMap[e];
   return t !== void 0 ? Array.isArray(t) ? t : [] : null;
 };
-function Pe(o, e) {
-  return async (t) => {
-    const s = e.resolvePermissions(
-      t.clientId,
-      t.headers
-    ), r = o(s), i = r.orchestrator.getManager(), n = [], l = [];
-    if (s.length > 0) {
-      const c = await i.enableToolsets(s);
-      for (const a of c.results)
-        a.success ? n.push(a.name) : (l.push(a.name), console.warn(
-          `Failed to enable toolset '${a.name}' for client '${t.clientId}': ${a.message}`
-        ));
-      if (n.length === 0 && l.length > 0)
-        throw new Error(
-          `All requested toolsets failed to enable for client '${t.clientId}'. Requested: [${s.join(", ")}]. Check that toolset names in permissions match the catalog.`
-        );
-    }
-    return {
-      server: r.server,
-      orchestrator: r.orchestrator,
-      allowedToolsets: n,
-      failedToolsets: l
-    };
-  };
-}
-var f, J, Q, G, Z, X, ee, te, se, M, oe;
-class Me {
-  /**
-   * Creates a new PermissionAwareFastifyTransport instance.
-   * @param defaultManager - Default tool manager for status endpoints
-   * @param createPermissionAwareBundle - Function to create permission-aware bundles
-   * @param options - Transport configuration options
-   * @param configSchema - Optional JSON schema for configuration discovery
-   */
-  constructor(e, t, s = {}, r) {
-    A(this, f);
+let I = z;
+const Ve = g.string({ message: "Missing required mcp-client-id header" }).trim().min(1, "mcp-client-id header must not be empty");
+var h, ie, ae, le, ce, de, ue, he, fe, me, pe, R, ge;
+const q = class q {
+  constructor(e, t, s = {}, o) {
+    x(this, h);
     d(this, "options");
     d(this, "defaultManager");
     d(this, "createPermissionAwareBundle");
     d(this, "app", null);
     d(this, "configSchema");
     // Per-client server bundles and per-client session transports
-    d(this, "clientCache", new F({
+    d(this, "clientCache", new E({
       onEvict: (e, t) => {
-        m(this, f, J).call(this, t);
+        m(this, h, le).call(this, t);
       }
     }));
     this.defaultManager = e, this.createPermissionAwareBundle = t, this.options = {
@@ -1542,29 +1822,66 @@ class Me {
       logger: s.logger ?? !1,
       app: s.app,
       customEndpoints: s.customEndpoints
-    }, this.configSchema = r;
+    }, this.configSchema = o;
+  }
+  static builder() {
+    let e, t;
+    const s = {};
+    let o;
+    const n = {
+      defaultManager(i) {
+        return e = i, n;
+      },
+      createPermissionAwareBundle(i) {
+        return t = i, n;
+      },
+      host(i) {
+        return s.host = i, n;
+      },
+      port(i) {
+        return s.port = i, n;
+      },
+      basePath(i) {
+        return s.basePath = i, n;
+      },
+      cors(i) {
+        return s.cors = i, n;
+      },
+      logger(i) {
+        return s.logger = i, n;
+      },
+      app(i) {
+        return s.app = i, n;
+      },
+      customEndpoints(i) {
+        return s.customEndpoints = i, n;
+      },
+      configSchema(i) {
+        return o = i, n;
+      },
+      build() {
+        return new q(e, t, s, o);
+      }
+    };
+    return n;
   }
-  /**
-   * Starts the Fastify server and registers all MCP endpoints.
-   * Sets up routes for health checks, tool status, and MCP protocol handling.
-   */
   async start() {
     if (this.app) return;
-    const e = this.options.app ?? N({ logger: this.options.logger });
-    this.options.cors && await e.register(D, { origin: !0 });
-    const t = m(this, f, Q).call(this, this.options.basePath);
-    m(this, f, G).call(this, e, t), m(this, f, Z).call(this, e, t), m(this, f, X).call(this, e, t), m(this, f, ee).call(this, e, t), m(this, f, te).call(this, e, t), m(this, f, se).call(this, e, t), this.options.customEndpoints && this.options.customEndpoints.length > 0 && V(e, t, this.options.customEndpoints, {
+    const e = this.options.app ?? U({ logger: this.options.logger });
+    this.options.cors && await e.register(J, { origin: !0 });
+    const t = m(this, h, ce).call(this, this.options.basePath);
+    m(this, h, de).call(this, e, t), m(this, h, ue).call(this, e, t), m(this, h, he).call(this, e, t), m(this, h, fe).call(this, e, t), m(this, h, me).call(this, e, t), m(this, h, pe).call(this, e, t), this.options.customEndpoints && this.options.customEndpoints.length > 0 && Z(e, t, this.options.customEndpoints, {
       contextExtractor: async (s) => {
-        const r = m(this, f, M).call(this, s);
+        const o = m(this, h, R).call(this, s);
         try {
-          const i = await this.createPermissionAwareBundle(r);
+          const n = await this.createPermissionAwareBundle(o);
           return {
-            allowedToolsets: i.allowedToolsets,
-            failedToolsets: i.failedToolsets
+            allowedToolsets: n.allowedToolsets,
+            failedToolsets: n.failedToolsets
           };
-        } catch (i) {
+        } catch (n) {
           return console.warn(
-            `Permission resolution failed for custom endpoint: ${i}`
+            `Permission resolution failed for custom endpoint: ${n}`
           ), {
             allowedToolsets: [],
             failedToolsets: []
@@ -1573,62 +1890,57 @@ class Me {
       }
     }), this.options.app || await e.listen({ host: this.options.host, port: this.options.port }), this.app = e;
   }
-  /**
-   * Stops the Fastify server and cleans up all resources.
-   * Closes all client sessions and clears the cache.
-   */
   async stop() {
     this.app && (this.clientCache.stop(!0), this.options.app || await this.app.close(), this.app = null);
   }
-}
-f = new WeakSet(), /**
- * Cleans up resources associated with a client bundle.
- * Closes all sessions within the bundle.
+};
+h = new WeakSet(), ie = async function(e) {
+  if (e.size === 0) return;
+  const t = Array.from(e.values());
+  e.clear();
+  for (const s of t)
+    try {
+      await s.close();
+    } catch {
+    }
+}, ae = async function(e) {
+  try {
+    await e.close();
+  } catch {
+  }
+}, /**
  * @param bundle - The client bundle to clean up
- * @private
  */
-J = function(e) {
+le = function(e) {
   for (const [t, s] of e.sessions.entries())
-    try {
-      typeof s.close == "function" && s.close().catch((r) => {
-        console.warn(`Error closing session ${t}:`, r);
-      });
-    } catch (r) {
-      console.warn(`Error closing session ${t}:`, r);
-    }
+    s.close().catch((o) => {
+      console.warn(`Error closing session ${t}:`, o);
+    });
   e.sessions.clear();
 }, /**
- * Normalizes the base path by removing trailing slashes.
  * @param basePath - The base path to normalize
  * @returns Normalized base path without trailing slash
- * @private
  */
-Q = function(e) {
+ce = function(e) {
   return e.endsWith("/") ? e.slice(0, -1) : e;
 }, /**
- * Registers the health check endpoint.
  * @param app - Fastify instance
  * @param base - Base path for routes
- * @private
  */
-G = function(e, t) {
+de = function(e, t) {
   e.get(`${t}/healthz`, async () => ({ ok: !0 }));
 }, /**
- * Registers the tools status endpoint.
  * @param app - Fastify instance
  * @param base - Base path for routes
- * @private
  */
-Z = function(e, t) {
+ue = function(e, t) {
   e.get(`${t}/tools`, async () => this.defaultManager.getStatus());
 }, /**
- * Registers the MCP configuration discovery endpoint.
  * @param app - Fastify instance
  * @param base - Base path for routes
- * @private
  */
-X = function(e, t) {
-  e.get(`${t}/.well-known/mcp-config`, async (s, r) => (r.header("Content-Type", "application/schema+json; charset=utf-8"), this.configSchema ?? {
+he = function(e, t) {
+  e.get(`${t}/.well-known/mcp-config`, async (s, o) => (o.header("Content-Type", "application/schema+json; charset=utf-8"), this.configSchema ?? {
     $schema: "https://json-schema.org/draft/2020-12/schema",
     title: "MCP Session Configuration",
     description: "Schema for the /mcp endpoint configuration",
@@ -1639,108 +1951,106 @@ X = function(e, t) {
     "x-query-style": "dot+bracket"
   }));
 }, /**
- * Registers the POST /mcp endpoint for JSON-RPC requests.
- * Extracts client context, resolves permissions, and handles MCP protocol.
  * @param app - Fastify instance
  * @param base - Base path for routes
- * @private
  */
-ee = function(e, t) {
+fe = function(e, t) {
   e.post(
     `${t}/mcp`,
-    async (s, r) => {
-      const i = m(this, f, M).call(this, s), n = !i.clientId.startsWith("anon-");
-      let l = n ? this.clientCache.get(i.clientId) : null;
-      if (!l)
+    async (s, o) => {
+      const n = Ve.safeParse(
+        s.headers["mcp-client-id"]
+      );
+      if (!n.success)
+        return o.code(400), {
+          jsonrpc: "2.0",
+          error: { code: -32600, message: n.error.issues[0].message },
+          id: null
+        };
+      const i = m(this, h, R).call(this, s);
+      let a = this.clientCache.get(i.clientId);
+      if (!a)
         try {
           const u = await this.createPermissionAwareBundle(i);
           u.failedToolsets.length > 0 && console.warn(
             `Client ${i.clientId} had ${u.failedToolsets.length} toolsets fail to enable: [${u.failedToolsets.join(", ")}]. Successfully enabled: [${u.allowedToolsets.join(", ")}]`
           );
-          const h = u.sessions;
-          l = {
+          const f = u.sessions;
+          a = {
             server: u.server,
             orchestrator: u.orchestrator,
             allowedToolsets: u.allowedToolsets,
             failedToolsets: u.failedToolsets,
-            sessions: h instanceof Map ? h : /* @__PURE__ */ new Map()
-          }, n && this.clientCache.set(i.clientId, l);
+            sessions: f instanceof Map ? f : /* @__PURE__ */ new Map()
+          }, this.clientCache.set(i.clientId, a);
         } catch (u) {
           return console.error(
             `Failed to create permission-aware bundle for client ${i.clientId}:`,
             u
-          ), r.code(403), m(this, f, oe).call(this, "Access denied");
+          ), o.code(403), m(this, h, ge).call(this, "Access denied");
         }
-      const c = s.headers["mcp-session-id"];
-      let a;
-      if (c && l.sessions.get(c))
-        a = l.sessions.get(c);
-      else if (!c && _(s.body)) {
+      const l = s.headers["mcp-session-id"];
+      let c;
+      if (l && a.sessions.get(l))
+        c = a.sessions.get(l);
+      else if (!l && G(s.body)) {
+        await m(this, h, ie).call(this, a.sessions), await m(this, h, ae).call(this, a.server);
         const u = S();
-        a = new z({
+        c = new Q({
           sessionIdGenerator: () => u,
-          onsessioninitialized: (h) => {
-            l.sessions.set(h, a);
+          onsessioninitialized: (f) => {
+            a.sessions.set(f, c);
           }
-        });
+        }), c.onclose = () => {
+          c?.sessionId && a.sessions.delete(c.sessionId);
+        };
         try {
-          await l.server.connect(a);
+          await a.server.connect(c);
         } catch {
-          return r.code(500), {
+          return o.code(500), {
             jsonrpc: "2.0",
             error: { code: -32603, message: "Error initializing server." },
             id: null
           };
         }
-        a.onclose = () => {
-          a?.sessionId && l.sessions.delete(a.sessionId);
-        };
       } else
-        return r.code(400), {
+        return o.code(400), {
           jsonrpc: "2.0",
           error: { code: -32e3, message: "Session not found or expired" },
           id: null
         };
-      return await a.handleRequest(
-        s.raw,
-        r.raw,
-        s.body
-      ), r;
+      return await c.handleRequest(s.raw, o.raw, s.body), o;
     }
   );
 }, /**
- * Registers the GET /mcp endpoint for SSE notifications.
  * @param app - Fastify instance
  * @param base - Base path for routes
- * @private
  */
-te = function(e, t) {
-  e.get(`${t}/mcp`, async (s, r) => {
-    const i = s.headers["mcp-client-id"]?.trim(), n = i && i.length > 0 ? i : "";
-    if (!n)
-      return r.code(400), "Missing mcp-client-id";
-    const l = this.clientCache.get(n);
+me = function(e, t) {
+  e.get(`${t}/mcp`, async (s, o) => {
+    const n = s.headers["mcp-client-id"]?.trim(), i = n && n.length > 0 ? n : "";
+    if (!i)
+      return o.code(400), "Missing mcp-client-id";
+    const a = this.clientCache.get(i);
+    if (!a)
+      return o.code(400), "Invalid or expired client";
+    const l = s.headers["mcp-session-id"];
     if (!l)
-      return r.code(400), "Invalid or expired client";
-    const c = s.headers["mcp-session-id"];
-    if (!c)
-      return r.code(400), "Missing mcp-session-id";
-    const a = l.sessions.get(c);
-    return a ? (await a.handleRequest(s.raw, r.raw), r) : (r.code(400), "Invalid or expired session ID");
+      return o.code(400), "Missing mcp-session-id";
+    const c = a.sessions.get(l);
+    return c ? (await c.handleRequest(s.raw, o.raw), o) : (o.code(400), "Invalid or expired session ID");
   });
 }, /**
- * Registers the DELETE /mcp endpoint for session termination.
  * @param app - Fastify instance
  * @param base - Base path for routes
- * @private
  */
-se = function(e, t) {
+pe = function(e, t) {
   e.delete(
     `${t}/mcp`,
-    async (s, r) => {
-      const i = s.headers["mcp-client-id"]?.trim(), n = i && i.length > 0 ? i : "", l = s.headers["mcp-session-id"];
-      if (!n || !l)
-        return r.code(400), {
+    async (s, o) => {
+      const n = s.headers["mcp-client-id"]?.trim(), i = n && n.length > 0 ? n : "", a = s.headers["mcp-session-id"];
+      if (!i || !a)
+        return o.code(400), {
           jsonrpc: "2.0",
           error: {
             code: -32600,
@@ -1748,46 +2058,37 @@ se = function(e, t) {
           },
           id: null
         };
-      const c = this.clientCache.get(n), a = c?.sessions.get(l);
-      if (!c || !a)
-        return r.code(404), {
+      const l = this.clientCache.get(i), c = l?.sessions.get(a);
+      if (!l || !c)
+        return o.code(404), {
           jsonrpc: "2.0",
           error: { code: -32e3, message: "Session not found or expired" },
           id: null
         };
       try {
-        if (typeof a.close == "function")
-          try {
-            await a.close();
-          } catch {
-          }
+        await c.close();
+      } catch {
       } finally {
-        a?.sessionId ? c.sessions.delete(a.sessionId) : c.sessions.delete(l);
+        c?.sessionId ? l.sessions.delete(c.sessionId) : l.sessions.delete(a);
       }
-      return r.code(204).send(), r;
+      return o.code(204).send(), o;
     }
   );
 }, /**
- * Extracts client context from the request.
- * Generates anonymous client ID if not provided in headers.
  * @param req - Fastify request object
  * @returns Client request context with ID and headers
- * @private
  */
-M = function(e) {
-  const t = e.headers["mcp-client-id"]?.trim(), s = t && t.length > 0 ? t : `anon-${S()}`, r = {};
-  for (const [i, n] of Object.entries(e.headers))
-    typeof n == "string" && (r[i] = n);
-  return { clientId: s, headers: r };
+R = function(e) {
+  const t = e.headers["mcp-client-id"]?.trim(), s = t && t.length > 0 ? t : `anon-${S()}`, o = {};
+  for (const [n, i] of Object.entries(e.headers))
+    typeof i == "string" && (o[n] = i);
+  return { clientId: s, headers: o };
 }, /**
- * Creates a safe error response that doesn't expose unauthorized toolset information.
- * Used for permission-related errors to prevent information leakage.
  * @param message - Generic error message to return to client
- * @param code - JSON-RPC error code (default: -32000 for server error)
+ * @param code - JSON-RPC error code
  * @returns JSON-RPC error response object
- * @private
  */
-oe = function(e = "Access denied", t = -32e3) {
+ge = function(e = "Access denied", t = -32e3) {
   return {
     jsonrpc: "2.0",
     error: {
@@ -1797,97 +2098,64 @@ oe = function(e = "Access denied", t = -32e3) {
     id: null
   };
 };
-function Ie(o) {
-  if (!o) return;
-  const e = {
-    namespaceToolsWithSetKey: o.namespaceToolsWithSetKey
+let $ = q;
+async function it(r) {
+  We(r);
+  const e = He(r.exposurePolicy), t = Ye(r), s = r.createServer(), o = ye(s, r, e), n = Be(
+    Ue(r, e),
+    t
+  ), i = Je(r, o.getManager(), n);
+  return {
+    server: s,
+    start: () => i.start(),
+    close: async () => {
+      try {
+        await i.stop();
+      } finally {
+        t.clearCache();
+      }
+    }
   };
-  return o.allowlist !== void 0 && console.warn(
-    "Permission-based servers: exposurePolicy.allowlist is ignored. Allowed toolsets are determined by client permissions."
-  ), o.denylist !== void 0 && console.warn(
-    "Permission-based servers: exposurePolicy.denylist is ignored. Use permission configuration to control toolset access."
-  ), o.maxActiveToolsets !== void 0 && console.warn(
-    "Permission-based servers: exposurePolicy.maxActiveToolsets is ignored. Toolset count is determined by client permissions."
-  ), o.onLimitExceeded !== void 0 && console.warn(
-    "Permission-based servers: exposurePolicy.onLimitExceeded is ignored. No toolset limits are enforced."
-  ), e;
 }
-async function ze(o) {
-  if (!o.permissions)
+function We(r) {
+  if (!r.permissions)
     throw new Error(
       "Permission configuration is required for createPermissionBasedMcpServer. Please provide a 'permissions' field in the options."
     );
-  if (Te(o.permissions), o.sessionContext && (K(o.sessionContext), console.warn(
+  if (De(r.permissions), r.sessionContext && (X(r.sessionContext), console.warn(
     "Session context support for permission-based servers is limited. The base context will be used for module loaders."
-  )), o.startup)
+  )), r.startup)
     throw new Error(
       "Permission-based servers determine toolsets from client permissions. The 'startup' option is not allowed. Remove it from your configuration."
     );
-  if (typeof o.createServer != "function")
+  if (typeof r.createServer != "function")
     throw new Error(
       "createPermissionBasedMcpServer: `createServer` (factory) is required"
     );
-  const e = Ie(
-    o.exposurePolicy
-  ), t = new Ee(o.permissions), s = o.createServer(), r = new C({
-    server: s,
-    catalog: o.catalog,
-    moduleLoaders: o.moduleLoaders,
-    exposurePolicy: e,
-    context: o.context,
-    notifyToolsListChanged: void 0,
-    // No notifications in STATIC mode
-    startup: { mode: "STATIC", toolsets: [] },
-    registerMetaTools: !1
-  }), i = Pe(
-    (l) => {
-      const c = o.createServer(), a = new C({
-        server: c,
-        catalog: o.catalog,
-        moduleLoaders: o.moduleLoaders,
-        exposurePolicy: e,
-        context: o.context,
-        notifyToolsListChanged: void 0,
-        // No notifications in STATIC mode
-        startup: { mode: "STATIC", toolsets: [] },
-        // Empty - we'll enable manually
-        registerMetaTools: !1
-        // No meta-tools - toolsets are fixed per client
-      });
-      return { server: c, orchestrator: a };
-    },
-    t
-  ), n = new Me(
-    r.getManager(),
-    i,
-    o.http,
-    o.configSchema
-  );
-  return {
-    server: s,
-    start: async () => {
-      await n.start();
-    },
-    close: async () => {
-      try {
-        await n.stop();
-      } finally {
-        t.clearCache();
-      }
-    }
-  };
 }
-function _e(o) {
-  return o;
+function Ye(r) {
+  const e = I.builder().source(r.permissions.source).headerName(r.permissions.headerName ?? "mcp-toolset-permissions").staticMap(r.permissions.staticMap ?? {}).defaultPermissions(r.permissions.defaultPermissions ?? []);
+  return r.permissions.resolver && e.resolver(r.permissions.resolver), e.build();
+}
+function ye(r, e, t) {
+  const s = A.builder().server(r).catalog(e.catalog).moduleLoaders(e.moduleLoaders ?? {}).context(e.context).startup({ mode: "STATIC", toolsets: [] }).registerMetaTools(!1);
+  return t && s.exposurePolicy(t), s.build();
+}
+function Ue(r, e) {
+  return (t) => {
+    const s = r.createServer(), o = ye(s, r, e);
+    return { server: s, orchestrator: o };
+  };
 }
-function qe(o) {
-  return o;
+function Je(r, e, t) {
+  const s = $.builder().defaultManager(e).createPermissionAwareBundle(t).host(r.http?.host ?? "0.0.0.0").port(r.http?.port ?? 3e3).basePath(r.http?.basePath ?? "/").cors(r.http?.cors ?? !0).logger(r.http?.logger ?? !1);
+  return r.http?.app && s.app(r.http.app), r.http?.customEndpoints && s.customEndpoints(r.http.customEndpoints), r.configSchema && s.configSchema(r.configSchema), s.build();
 }
 export {
-  fe as SessionContextResolver,
-  De as createMcpServer,
-  ze as createPermissionBasedMcpServer,
-  _e as defineEndpoint,
-  qe as definePermissionAwareEndpoint
+  k as SessionContextResolver,
+  nt as createMcpServer,
+  it as createPermissionBasedMcpServer,
+  rt as defineEndpoint,
+  ot as definePermissionAwareEndpoint
 };
 //# sourceMappingURL=index.js.map