veryfront 0.1.159 → 0.1.161

package/src/src/mcp/http-transport.ts

@@ -0,0 +1,163 @@
+import * as dntShim from "../../_dnt.shims.js";
+import type { ToolExecutionContext } from "../tool/index.js";
+import { VeryfrontError } from "../security/input-validation/errors.js";
+import { validateContentType } from "../security/input-validation/limits.js";
+import { SessionManager } from "./session.js";
+
+const MAX_REQUEST_BODY_SIZE = 1_048_576; // 1 MB
+const JSON_CONTENT_TYPE = "application/json";
+
+type JSONRPCParams = Record<string, unknown> | unknown[];
+
+interface JSONRPCRequest {
+  jsonrpc: "2.0";
+  id?: string | number;
+  method: string;
+  params?: JSONRPCParams;
+}
+
+interface JSONRPCResponse {
+  jsonrpc: "2.0";
+  id?: string | number;
+  result?: unknown;
+  error?: {
+    code: number;
+    message: string;
+    data?: unknown;
+  };
+}
+
+export interface MCPHTTPTransportDependencies {
+  authEnabled: boolean;
+  getCORSHeaders: (requestOrigin?: string | null) => Record<string, string>;
+  validateAuth: (request: dntShim.Request) => Promise<boolean>;
+  handleRequest: (
+    request: JSONRPCRequest,
+    context?: ToolExecutionContext,
+  ) => Promise<JSONRPCResponse>;
+  extractRequestContext: (request: dntShim.Request) => ToolExecutionContext | undefined;
+  isOriginAllowed: (requestOrigin?: string | null) => boolean;
+  sessionCapabilities: Map<string, Record<string, unknown>>;
+  sessionManager: SessionManager;
+}
+
+function createJSONResponse(body: unknown, init?: dntShim.ResponseInit): dntShim.Response {
+  const headers = new dntShim.Headers(init?.headers);
+  headers.set("Content-Type", JSON_CONTENT_TYPE);
+  return new dntShim.Response(JSON.stringify(body), { ...init, headers });
+}
+
+function createJSONRPCErrorResponse(status: number, code: number, message: string): dntShim.Response {
+  return createJSONResponse(
+    {
+      jsonrpc: "2.0",
+      id: null,
+      error: { code, message },
+    },
+    { status },
+  );
+}
+
+export function createMCPHTTPHandler(
+  dependencies: MCPHTTPTransportDependencies,
+): (request: dntShim.Request) => Promise<dntShim.Response> {
+  const {
+    authEnabled,
+    getCORSHeaders,
+    validateAuth,
+    handleRequest,
+    extractRequestContext,
+    isOriginAllowed,
+    sessionCapabilities,
+    sessionManager,
+  } = dependencies;
+
+  return async (request: dntShim.Request) => {
+    const requestOrigin = request.headers.get("Origin");
+
+    if (request.method === "OPTIONS") {
+      return new dntShim.Response(null, { status: 204, headers: getCORSHeaders(requestOrigin) });
+    }
+
+    if (!isOriginAllowed(requestOrigin)) {
+      return createJSONRPCErrorResponse(403, -32600, "Forbidden: Origin not allowed");
+    }
+
+    if (authEnabled) {
+      const authorized = await validateAuth(request);
+      if (!authorized) return new dntShim.Response("Unauthorized", { status: 401 });
+    }
+
+    if (request.method === "DELETE") {
+      const sessionId = request.headers.get("MCP-Session-Id");
+      if (sessionId) {
+        sessionManager.terminate(sessionId);
+        sessionCapabilities.delete(sessionId);
+      }
+      return new dntShim.Response(null, { status: 200, headers: getCORSHeaders(requestOrigin) });
+    }
+
+    if (request.method !== "POST") {
+      return new dntShim.Response("Method Not Allowed", { status: 405 });
+    }
+
+    const contentLength = request.headers.get("content-length");
+    if (contentLength && Number(contentLength) > MAX_REQUEST_BODY_SIZE) {
+      return createJSONRPCErrorResponse(413, -32600, "Request body too large");
+    }
+
+    try {
+      validateContentType(request, JSON_CONTENT_TYPE);
+    } catch (error) {
+      const message = error instanceof VeryfrontError ? error.message : "Invalid Content-Type";
+      return createJSONRPCErrorResponse(400, -32700, message);
+    }
+
+    let rpcRequest: JSONRPCRequest;
+    try {
+      const bodyText = await request.text();
+      if (bodyText.length > MAX_REQUEST_BODY_SIZE) {
+        return createJSONRPCErrorResponse(413, -32600, "Request body too large");
+      }
+      rpcRequest = JSON.parse(bodyText) as JSONRPCRequest;
+    } catch (_) {
+      return createJSONRPCErrorResponse(400, -32700, "Parse error");
+    }
+
+    const responseHeaders: Record<string, string> = {
+      ...getCORSHeaders(requestOrigin),
+    };
+
+    if (rpcRequest.method === "initialize") {
+      const context = extractRequestContext(request);
+      const rpcResponse = await handleRequest(rpcRequest, context);
+      const clientCaps =
+        ((rpcRequest.params as Record<string, unknown> | undefined)?.capabilities ??
+          {}) as Record<string, unknown>;
+      const sessionId = sessionManager.create();
+      sessionCapabilities.set(sessionId, clientCaps);
+      responseHeaders["MCP-Session-Id"] = sessionId;
+      return createJSONResponse(rpcResponse, { headers: responseHeaders });
+    }
+
+    if (sessionManager.size > 0) {
+      const sessionId = request.headers.get("MCP-Session-Id");
+      if (!sessionId) {
+        return createJSONRPCErrorResponse(400, -32600, "Missing MCP-Session-Id header");
+      }
+      if (!sessionManager.isValid(sessionId)) {
+        return createJSONRPCErrorResponse(404, -32600, "Session not found or expired");
+      }
+    }
+
+    if (rpcRequest.id === undefined) {
+      const context = extractRequestContext(request);
+      await handleRequest(rpcRequest, context);
+      return new dntShim.Response(null, { status: 202, headers: responseHeaders });
+    }
+
+    const context = extractRequestContext(request);
+    const rpcResponse = await handleRequest(rpcRequest, context);
+    return createJSONResponse(rpcResponse, { headers: responseHeaders });
+  };
+}

package/src/src/mcp/server.ts

@@ -9,18 +9,14 @@ import type { MCPServerConfig, ToolListEntry } from "./types.js";
 import { createError, toError } from "../errors/veryfront-error.js";
 import { withSpan } from "../observability/tracing/otlp-setup.js";
 import { VERSION } from "../utils/version.js";
-import { validateContentType } from "../security/input-validation/limits.js";
-import { VeryfrontError } from "../security/input-validation/errors.js";
 import type { IntegrationRuntimeConfig } from "../integrations/types.js";
 import { logger as baseLogger } from "../utils/index.js";
+import { createMCPHTTPHandler } from "./http-transport.js";
 import { SessionManager } from "./session.js";
 import { TaskStore } from "./task-store.js";
 
 const logger = baseLogger.component("mcp-server");
-
-const MAX_REQUEST_BODY_SIZE = 1_048_576; // 1 MB
 const MAX_CONTEXT_HEADER_LENGTH = 255;
-const JSON_CONTENT_TYPE = "application/json";
 const END_USER_ID_PATTERN = /^[a-zA-Z0-9._@-]+$/;
 const PROJECT_ID_PATTERN = /^[a-zA-Z0-9._-]+$/;
 
@@ -55,23 +51,6 @@ function toParamsRecord(params: JSONRPCParams | undefined): Record<string, unkno
   return params;
 }
 
-function createJSONResponse(body: unknown, init?: dntShim.ResponseInit): dntShim.Response {
-  const headers = new dntShim.Headers(init?.headers);
-  headers.set("Content-Type", JSON_CONTENT_TYPE);
-  return new dntShim.Response(JSON.stringify(body), { ...init, headers });
-}
-
-function createJSONRPCErrorResponse(status: number, code: number, message: string): dntShim.Response {
-  return createJSONResponse(
-    {
-      jsonrpc: "2.0",
-      id: null,
-      error: { code, message },
-    },
-    { status },
-  );
-}
-
 function readAllowedHeader(
   request: dntShim.Request,
   headerName: string,
@@ -628,107 +607,20 @@ export class MCPServer {
   }
 
   createHTTPHandler(): (request: dntShim.Request) => Promise<dntShim.Response> {
-    return async (request: dntShim.Request) => {
-      const requestOrigin = request.headers.get("Origin");
-
-      // CORS preflight
-      if (request.method === "OPTIONS") {
-        return new dntShim.Response(null, { status: 204, headers: this.getCORSHeaders(requestOrigin) });
-      }
-
-      // Origin validation (DNS rebinding protection)
-      if (requestOrigin && this.config.cors?.enabled && this.config.cors.origins?.length) {
-        if (!this.config.cors.origins.includes(requestOrigin)) {
-          return createJSONRPCErrorResponse(403, -32600, "Forbidden: Origin not allowed");
-        }
-      }
-
-      // Auth check (applies to all methods including DELETE)
-      if (this.config.auth?.type && this.config.auth.type !== "none") {
-        const authorized = await this.validateAuth(request);
-        if (!authorized) return new dntShim.Response("Unauthorized", { status: 401 });
-      }
-
-      // DELETE = terminate session
-      if (request.method === "DELETE") {
-        const sessionId = request.headers.get("MCP-Session-Id");
-        if (sessionId) {
-          this.sessionManager.terminate(sessionId);
-          this.sessionCapabilities.delete(sessionId);
-        }
-        return new dntShim.Response(null, { status: 200, headers: this.getCORSHeaders(requestOrigin) });
-      }
-
-      // Only POST allowed for JSON-RPC messages
-      if (request.method !== "POST") {
-        return new dntShim.Response("Method Not Allowed", { status: 405 });
-      }
-
-      // Enforce request body size limit (fast path via Content-Length header)
-      const contentLength = request.headers.get("content-length");
-      if (contentLength && Number(contentLength) > MAX_REQUEST_BODY_SIZE) {
-        return createJSONRPCErrorResponse(413, -32600, "Request body too large");
-      }
-
-      try {
-        validateContentType(request, JSON_CONTENT_TYPE);
-      } catch (error) {
-        const message = error instanceof VeryfrontError ? error.message : "Invalid Content-Type";
-        return createJSONRPCErrorResponse(400, -32700, message);
-      }
-
-      let rpcRequest: JSONRPCRequest;
-      try {
-        const bodyText = await request.text();
-        if (bodyText.length > MAX_REQUEST_BODY_SIZE) {
-          return createJSONRPCErrorResponse(413, -32600, "Request body too large");
-        }
-        rpcRequest = JSON.parse(bodyText) as JSONRPCRequest;
-      } catch (_) {
-        // expected: malformed JSON in request body
-        return createJSONRPCErrorResponse(400, -32700, "Parse error");
-      }
-
-      // Session management: initialize creates session, everything else requires it
-      const responseHeaders: Record<string, string> = {
-        ...this.getCORSHeaders(requestOrigin),
-      };
-
-      if (rpcRequest.method === "initialize") {
-        const context = this.extractRequestContext(request);
-        const rpcResponse = await this.handleRequest(rpcRequest, context);
-        const clientCaps =
-          toParamsRecord(rpcRequest.params).capabilities as Record<string, unknown> ??
-            {};
-        const sessionId = this.sessionManager.create();
-        this.sessionCapabilities.set(sessionId, clientCaps);
-        responseHeaders["MCP-Session-Id"] = sessionId;
-        return createJSONResponse(rpcResponse, { headers: responseHeaders });
-      }
-
-      // Post-init: require session ID when sessions are active
-      if (this.sessionManager.size > 0) {
-        const sessionId = request.headers.get("MCP-Session-Id");
-        if (!sessionId) {
-          return createJSONRPCErrorResponse(400, -32600, "Missing MCP-Session-Id header");
-        }
-        if (!this.sessionManager.isValid(sessionId)) {
-          return createJSONRPCErrorResponse(404, -32600, "Session not found or expired");
-        }
-      }
-
-      // Notifications have no id member — return 202 Accepted
-      // Note: id:0 is a valid request ID per JSON-RPC 2.0, so check for undefined
-      if (rpcRequest.id === undefined) {
-        const context = this.extractRequestContext(request);
-        await this.handleRequest(rpcRequest, context);
-        return new dntShim.Response(null, { status: 202, headers: responseHeaders });
-      }
-
-      const context = this.extractRequestContext(request);
-      const rpcResponse = await this.handleRequest(rpcRequest, context);
-      return createJSONResponse(rpcResponse, { headers: responseHeaders });
-    };
+    return createMCPHTTPHandler({
+      authEnabled: Boolean(this.config.auth?.type && this.config.auth.type !== "none"),
+      getCORSHeaders: (requestOrigin) => this.getCORSHeaders(requestOrigin),
+      validateAuth: (request) => this.validateAuth(request),
+      handleRequest: (request, context) => this.handleRequest(request, context),
+      extractRequestContext: (request) => this.extractRequestContext(request),
+      isOriginAllowed: (requestOrigin) =>
+        !requestOrigin ||
+        !this.config.cors?.enabled ||
+        !this.config.cors.origins?.length ||
+        this.config.cors.origins.includes(requestOrigin),
+      sessionCapabilities: this.sessionCapabilities,
+      sessionManager: this.sessionManager,
+    });
   }
 
   private extractRequestContext(request: dntShim.Request): ToolExecutionContext | undefined {

package/src/src/platform/adapters/fs/veryfront/stat-operations.ts

@@ -329,6 +329,7 @@ export class StatOperations extends VeryfrontOperationsBase {
   private buildResolveSearchPatterns(
     normalizedPath: string,
     options?: ResolveFileOptions,
+    knownExtensionFallback: "exact" | "wildcard" = "exact",
   ): string[] {
     const patterns = new Set<string>();
     const pathWithoutExt = stripKnownExtension(normalizedPath, EXTENSION_PRIORITY);
@@ -338,7 +339,9 @@ export class StatOperations extends VeryfrontOperationsBase {
     };
 
     if (EXTENSION_PRIORITY.some((ext) => normalizedPath.endsWith(ext))) {
-      addPattern(normalizedPath);
+      addPattern(
+        knownExtensionFallback === "wildcard" ? `${pathWithoutExt}.*` : normalizedPath,
+      );
       return [...patterns];
     }
 
@@ -366,6 +369,7 @@ export class StatOperations extends VeryfrontOperationsBase {
   private async tryResolveViaApiSearch(
     normalizedPath: string,
     options?: ResolveFileOptions,
+    knownExtensionFallback: "exact" | "wildcard" = "exact",
   ): Promise<string | null | undefined> {
     if (isFrameworkSourcePath(normalizedPath)) {
       logger.debug("Skipping API search for framework path", { normalizedPath });
@@ -377,7 +381,11 @@ export class StatOperations extends VeryfrontOperationsBase {
       return undefined;
     }
 
-    const patterns = this.buildResolveSearchPatterns(normalizedPath, options);
+    const patterns = this.buildResolveSearchPatterns(
+      normalizedPath,
+      options,
+      knownExtensionFallback,
+    );
     let sawSuccessfulSearch = false;
 
     for (const pattern of patterns) {
@@ -573,55 +581,17 @@ export class StatOperations extends VeryfrontOperationsBase {
       return null;
     }
 
-    // NOTE: Removed optimization that skipped API search for paths with extensions.
-    // This was causing layout files and other project files to not be found when
-    // they were missing from the file index (due to cache issues, incomplete fetch, etc.).
-    // The API pattern search is the fallback to ensure files can still be found.
-
-    if (!this.apiSearchCircuitBreaker.canSearch()) {
-      logger.warn("API search circuit breaker open, skipping", { normalizedPath });
-      return null;
+    // NOTE: Keep the post-index API fallback aligned with the pre-index helper for extensionless
+    // paths, while preserving the older wildcard sibling-extension lookup for known-extension
+    // paths. Incomplete file-list snapshots otherwise hide valid files until the cache refreshes.
+    const apiResolved = await this.tryResolveViaApiSearch(normalizedPath, options, "wildcard");
+    if (typeof apiResolved === "string") {
+      this.cache.set(cacheKey, apiResolved);
+      return apiResolved;
     }
-
-    const searchPattern = `${pathWithoutExt}.*`;
-    logger.debug("Searching for file via API", {
-      pattern: searchPattern,
-      normalizedPath,
-    });
-
-    try {
-      const matches = await this.client.searchFiles(searchPattern);
-      this.apiSearchCircuitBreaker.recordSuccess();
-
-      logger.debug("API search result", {
-        pattern: searchPattern,
-        matchCount: matches.length,
-        matches: matches.map((m) => m.path).slice(0, 5),
-      });
-
-      const sortedMatches = sortPathsByExtensionPriority(matches, EXTENSION_PRIORITY);
-      const first = sortedMatches[0];
-      if (first) {
-        logger.debug("resolveFile found via API search", { path: first.path });
-        this.cache.set(cacheKey, first.path);
-        return first.path;
-      }
-    } catch (error) {
-      const result = this.apiSearchCircuitBreaker.recordFailure();
-      if (result.tripped) {
-        logger.warn("API search circuit breaker tripped", {
-          failures: result.failures,
-        });
-      }
-      logger.error("API pattern search failed", { pattern: searchPattern, error });
+    if (apiResolved === null) {
+      this.cache.set(cacheKey, NOT_FOUND_SENTINEL);
     }
-
-    logger.debug("resolveFile not found after API search", {
-      normalizedPath,
-      pathWithoutExt,
-    });
-
-    this.cache.set(cacheKey, NOT_FOUND_SENTINEL);
     return null;
   }
 }

package/src/src/utils/version-constant.ts

@@ -1,3 +1,3 @@
 // Keep in sync with deno.json version.
 // scripts/release.ts updates this constant during releases.
-export const VERSION = "0.1.159";
+export const VERSION = "0.1.161";