typed-bridge 4.0.3 → 4.0.4

package/dist/bridge/index.js

@@ -138,10 +138,6 @@ const bridgeHandler = (bridge) => async (req, res) => {
             const errorMessage = (keyPath ? keyPath + ': ' : '') + error.issues[0].message;
             return res.status(400).send(errorMessage);
         }
-        // Errors carrying an explicit HTTP status (e.g. HttpError for auth/permission
-        // failures) are expected, so respond with that status without logging as an error.
-        if (typeof error?.status === 'number')
-            return res.status(error.status).json({ error: error.message });
         if (__1.tbConfig.logs.error)
             console.error(`ERROR | ${id} ::`, error);
         return res.status(500).json({ error: error.message });

package/dist/index.d.ts

@@ -1,7 +1,6 @@
 export { Application, default as express, Express, NextFunction, Request, Response, Router } from 'express';
 export { createBridge, onShutdown } from './bridge';
 export { config as tbConfig } from './config';
-export { HttpError, httpError } from './httpError';
 export { createMiddleware } from './middleware';
 export type { Middleware } from './middleware';
 export { mountMCP } from './mcp';

package/dist/index.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.z = exports.TOOL_MODES = exports.isToolMode = exports.handleToolCall = exports.getTools = exports.defineEntry = exports.defineBridge = exports.mountMCP = exports.createMiddleware = exports.httpError = exports.HttpError = exports.tbConfig = exports.onShutdown = exports.createBridge = exports.Router = exports.express = void 0;
+exports.z = exports.TOOL_MODES = exports.isToolMode = exports.handleToolCall = exports.getTools = exports.defineEntry = exports.defineBridge = exports.mountMCP = exports.createMiddleware = exports.tbConfig = exports.onShutdown = exports.createBridge = exports.Router = exports.express = void 0;
 var express_1 = require("express");
 Object.defineProperty(exports, "express", { enumerable: true, get: function () { return __importDefault(express_1).default; } });
 Object.defineProperty(exports, "Router", { enumerable: true, get: function () { return express_1.Router; } });
@@ -12,9 +12,6 @@ Object.defineProperty(exports, "createBridge", { enumerable: true, get: function
 Object.defineProperty(exports, "onShutdown", { enumerable: true, get: function () { return bridge_1.onShutdown; } });
 var config_1 = require("./config");
 Object.defineProperty(exports, "tbConfig", { enumerable: true, get: function () { return config_1.config; } });
-var httpError_1 = require("./httpError");
-Object.defineProperty(exports, "HttpError", { enumerable: true, get: function () { return httpError_1.HttpError; } });
-Object.defineProperty(exports, "httpError", { enumerable: true, get: function () { return httpError_1.httpError; } });
 var middleware_1 = require("./middleware");
 Object.defineProperty(exports, "createMiddleware", { enumerable: true, get: function () { return middleware_1.createMiddleware; } });
 var mcp_1 = require("./mcp");

package/dist/mcp/index.js

@@ -38,12 +38,10 @@ function createMCPServer(bridge, entries, headersRef, toolMode = 'on_demand') {
             return { content: [{ type: 'text', text: JSON.stringify(result) ?? '' }] };
         }
         catch (error) {
-            // Surface the status + message as JSON so the model knows *why* a call was denied
-            // (e.g. a 401 from an auth middleware) instead of seeing an opaque stop.
+            // Surface the error message as JSON so the model knows *why* a call was denied
+            // (e.g. an auth middleware's message) instead of seeing an opaque stop.
             const message = error instanceof Error ? error.message : String(error);
-            const status = typeof error?.status === 'number' ? error.status : undefined;
-            const payload = status ? { status, error: message } : { error: message };
-            return { content: [{ type: 'text', text: JSON.stringify(payload) }], isError: true };
+            return { content: [{ type: 'text', text: JSON.stringify({ error: message }) }], isError: true };
         }
     });
     return server;

package/dist/middleware/index.js

@@ -2,7 +2,6 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runMiddlewaresForTool = exports.runMiddlewares = exports.createMiddleware = void 0;
 const helpers_1 = require("../helpers");
-const httpError_1 = require("../httpError");
 const middlewares = [];
 const createMiddleware = (pattern, handler) => middlewares.push({ pattern, handler });
 exports.createMiddleware = createMiddleware;
@@ -28,19 +27,17 @@ const runMiddlewares = async (name, req, res) => {
 exports.runMiddlewares = runMiddlewares;
 // A stand-in for the Express response on tool surfaces (MCP / LLM), which have no real
 // HTTP response. A middleware that blocks with `res.status(code).send(msg)` (or `.json`)
-// throws an HttpError carrying that status + message — so the surface can report *why*
-// access was denied as structured JSON, instead of a meaningless silent stop.
+// throws a plain Error carrying that message — so the surface can report *why* access was
+// denied (the message) back to the model, instead of a meaningless silent stop. The status
+// code is irrelevant off HTTP, so it's ignored.
 const createToolRes = () => {
-    const block = (status) => ({
-        send: (body) => {
-            throw new httpError_1.HttpError(status, typeof body === 'string' ? body : JSON.stringify(body));
-        },
-        json: (body) => {
-            throw new httpError_1.HttpError(status, typeof body === 'string' ? body : JSON.stringify(body));
-        }
-    });
+    const fail = (body) => {
+        throw new Error(typeof body === 'string' ? body : JSON.stringify(body));
+    };
     const res = {
-        status: (code) => block(code),
+        status: () => res,
+        send: fail,
+        json: fail,
         setHeader: () => res,
         set: () => res
     };
@@ -51,7 +48,7 @@ const createToolRes = () => {
 // (e.g. `req.path.split('/').pop()`) work identically to HTTP. There is no request body:
 // MCP can forward nothing else, so middlewares must rely on headers/path alone.
 // Blocking via `res.status().send()` throws (caught by the caller and returned as JSON);
-// a bare `{ next: false }` with no response throws a generic 403 so access is still denied.
+// a bare `{ next: false }` with no response throws a generic error so access is still denied.
 const runMiddlewaresForTool = async (name, headers) => {
     // `path` mirrors HTTP's last-segment convention: on HTTP `req.path` is `/bridge/user.fetch`
     // and handlers do `.split('/').pop()`; here it's the bare entry name, which pops to itself.
@@ -59,7 +56,7 @@ const runMiddlewaresForTool = async (name, headers) => {
     const res = createToolRes();
     const { blocked, context } = await (0, exports.runMiddlewares)(name, req, res);
     if (blocked)
-        throw new httpError_1.HttpError(403, 'Access denied');
+        throw new Error('Access denied');
     return context;
 };
 exports.runMiddlewaresForTool = runMiddlewaresForTool;

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "typed-bridge",
     "description": "Type-safe server functions for TypeScript that also expose your backend as an MCP server and LLM tools for AI agents",
-    "version": "4.0.3",
+    "version": "4.0.4",
     "main": "dist/index.js",
     "types": "dist/index.d.ts",
     "author": "neilveil",

package/readme.md

@@ -223,7 +223,7 @@ createMiddleware('user.*', async (req, res) => {
 createBridge(bridge, 8080, '/bridge', { entries, mcp: true })
 ```
 
-The resolved context lands in every handler as the second argument, identically for a browser request and an agent's tool call — one security model for humans and AI. When a middleware blocks a tool call, the model receives the **status and message as JSON** (e.g. `{ "status": 401, "error": "Unauthorized" }`) so it knows *why* it was denied. On tool surfaces a middleware sees the request **headers** and the matched entry name as **`req.path`** (so path-based key derivation like `req.path.split('/').pop()` works everywhere) — but no request **body**, since MCP can forward nothing else.
+The resolved context lands in every handler as the second argument, identically for a browser request and an agent's tool call — one security model for humans and AI. When a middleware blocks a tool call, the model receives the **message as JSON** (e.g. `{ "error": "Unauthorized" }`) so it knows *why* it was denied. On tool surfaces a middleware sees the request **headers** and the matched entry name as **`req.path`** (so path-based key derivation like `req.path.split('/').pop()` works everywhere) — but no request **body**, since MCP can forward nothing else.
 
 ### Control how many tools the client sees
 
@@ -292,7 +292,7 @@ const result = await handleToolCall(bridge, entries, toolCall, { headers: req.he
 
 Because you pass `toolMode` explicitly, a single process can run one assistant with `attach_all` and another with `on_demand`. `handleToolCall` needs no mode at all — it dispatches on the tool name (a meta-tool name runs the discovery flow, anything else runs that entry directly), so your loop is written once and never changes when you switch modes.
 
-Your `createMiddleware` chain runs on these tool calls just like it does on HTTP and MCP. Unlike MCP — where the server already holds the client's headers — an LLM loop is your own code, so you pass the request `headers` into `handleToolCall` to drive the chain. The middleware-derived context is merged on top of any `context` you also pass. If a needed header is missing, the matching middleware denies the call (the model receives a JSON `{ status, error }`), exactly as it would over HTTP.
+Your `createMiddleware` chain runs on these tool calls just like it does on HTTP and MCP. Unlike MCP — where the server already holds the client's headers — an LLM loop is your own code, so you pass the request `headers` into `handleToolCall` to drive the chain. The middleware-derived context is merged on top of any `context` you also pass. If a needed header is missing, the matching middleware denies the call (the model receives a JSON `{ error }`), exactly as it would over HTTP.
 
 ### `on_demand` — three tools, discovered as needed (default)
 
@@ -372,7 +372,7 @@ GraphQL is unmatched when clients need to shape their own queries across a compl
 
 ## Middleware when you need it
 
-Pattern based middleware runs before handlers and can inject context. The **same chain runs on all three surfaces** — HTTP requests, MCP tool calls, and LLM tool calls — matched by entry name (e.g. `user.fetch` matches `user.*`). Over HTTP a middleware blocks by writing to `res`; on tool calls that same `res.status(code).send(msg)` is reported back to the model as JSON (`{ status, error }`). On tool surfaces a middleware sees `req.headers` and `req.path` (the matched entry name) but **no `req.body`** and no real `res` for side effects (cookies, custom headers are no-ops), so write auth/context logic against `req.headers` / `req.path`:
+Pattern based middleware runs before handlers and can inject context. The **same chain runs on all three surfaces** — HTTP requests, MCP tool calls, and LLM tool calls — matched by entry name (e.g. `user.fetch` matches `user.*`). Over HTTP a middleware blocks by writing to `res`; on tool calls that same `res.status(code).send(msg)` is reported back to the model as JSON (`{ error }`) — the message reaches the model, the status code (irrelevant off HTTP) is dropped. On tool surfaces a middleware sees `req.headers` and `req.path` (the matched entry name) but **no `req.body`** and no real `res` for side effects (cookies, custom headers are no-ops), so write auth/context logic against `req.headers` / `req.path`:
 
 ```ts
 import { createMiddleware } from 'typed-bridge'

package/dist/httpError.d.ts

@@ -1,5 +0,0 @@
-export declare class HttpError extends Error {
-    status: number;
-    constructor(status: number, message: string);
-}
-export declare const httpError: (status: number, message: string) => HttpError;

package/dist/httpError.js

@@ -1,18 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.httpError = exports.HttpError = void 0;
-// Error carrying an explicit HTTP status code. When thrown from a bridge handler
-// or middleware, createBridge responds with the given status instead of 500.
-// Useful for auth/permission failures (401/403), not-found (404), etc.
-class HttpError extends Error {
-    status;
-    constructor(status, message) {
-        super(message);
-        this.name = 'HttpError';
-        this.status = status;
-    }
-}
-exports.HttpError = HttpError;
-// Convenience constructor for `throw httpError(403, 'Denied')`.
-const httpError = (status, message) => new HttpError(status, message);
-exports.httpError = httpError;