vreko-mcp-server 3.1.1

package/dist/index.js

@@ -0,0 +1,843 @@
+// Vreko MCP Server - Bundled for Fly.io deployment
+
+// src/index.ts
+import { randomUUID } from "crypto";
+import { createServer } from "http";
+import { URL } from "url";
+
+// ../../packages/sentry-privacy/dist/index.js
+import * as Sentry from "@sentry/node";
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var EXTRA_ALLOWLIST = /* @__PURE__ */ new Set([
+  "requestId",
+  "workspaceHash",
+  "sessionId",
+  "tier",
+  "cliVersion",
+  "daemonVersion",
+  "extensionVersion",
+  "platform",
+  "nodeVersion"
+]);
+var BLOCKED_BREADCRUMB_CATEGORIES = /* @__PURE__ */ new Set([
+  "fetch",
+  "xhr",
+  "console"
+]);
+var HOME_PATH_RE = /\/(Users|home)\/[^/]+\//g;
+var GH_TOKEN_RE = /(ghp|gho|ghu|ghs)_[A-Za-z0-9]{36}/g;
+var API_KEY_RE = /sk-[A-Za-z0-9]{32,}/g;
+var MAX_STRING_LEN = 2048;
+function scrubString(value) {
+  if (value.length > MAX_STRING_LEN) {
+    return `[TRUNCATED:${value.length}]`;
+  }
+  return value.replace(HOME_PATH_RE, "/~/").replace(GH_TOKEN_RE, "[REDACTED_GH_TOKEN]").replace(API_KEY_RE, "[REDACTED_API_KEY]");
+}
+__name(scrubString, "scrubString");
+function createNextjsSentryConfig(options) {
+  const { dsn, release, environment, tracesSampleRate, ignoreErrors } = options;
+  const resolvedEnv = resolveDeploymentEnv(environment);
+  return {
+    dsn,
+    environment: resolvedEnv,
+    release: release ?? process.env.VERCEL_GIT_COMMIT_SHA ?? process.env.NEXT_PUBLIC_VERCEL_GIT_COMMIT_SHA ?? process.env.npm_package_version,
+    sendDefaultPii: false,
+    tracesSampleRate: tracesSampleRate ?? (resolvedEnv === "development" ? 1 : 0.1),
+    ignoreErrors: ignoreErrors ?? [
+      "NetworkError",
+      "Failed to fetch",
+      "Load failed",
+      "AbortError"
+    ],
+    beforeSend(event) {
+      const req = event.request;
+      if (req?.headers) {
+        const headers = req.headers;
+        delete headers.authorization;
+        delete headers.cookie;
+        delete headers["x-api-key"];
+      }
+      const user = event.user;
+      if (user?.email) {
+        user.email = "[REDACTED]";
+      }
+      const exception = event.exception;
+      if (exception?.values) {
+        for (const exc of exception.values) {
+          if (exc.value && typeof exc.value === "string") {
+            exc.value = scrubString(exc.value);
+          }
+          const st = exc.stacktrace;
+          if (st?.frames) {
+            for (const frame of st.frames) {
+              if (typeof frame.filename === "string") {
+                frame.filename = scrubString(frame.filename);
+              }
+              if (typeof frame.abs_path === "string") {
+                frame.abs_path = scrubString(frame.abs_path);
+              }
+            }
+          }
+        }
+      }
+      return event;
+    }
+  };
+}
+__name(createNextjsSentryConfig, "createNextjsSentryConfig");
+function resolveDeploymentEnv(override) {
+  if (override) return override;
+  const explicit = process.env.DEPLOYMENT_ENV;
+  if (explicit === "development" || explicit === "staging" || explicit === "production") {
+    return explicit;
+  }
+  if (process.env.VERCEL_ENV === "preview") return "staging";
+  return process.env.NODE_ENV ?? "production";
+}
+__name(resolveDeploymentEnv, "resolveDeploymentEnv");
+function createSentryConfig(options) {
+  const { dsn, surface, workspaceHash, tier, release, environment } = options;
+  const resolvedEnv = resolveDeploymentEnv(environment);
+  return {
+    dsn,
+    environment: resolvedEnv,
+    release: release ?? process.env.GIT_SHA ?? process.env.npm_package_version,
+    sendDefaultPii: false,
+    attachStacktrace: true,
+    // Full sampling in development; reduced in staging/production to limit overhead.
+    tracesSampleRate: resolvedEnv === "development" ? 1 : 0.1,
+    initialScope: {
+      tags: {
+        surface,
+        ...tier ? {
+          tier
+        } : {}
+      },
+      ...workspaceHash ? {
+        user: {
+          id: workspaceHash
+        }
+      } : {}
+    },
+    // Drop auto-capture integrations that can produce breadcrumbs with sensitive data
+    integrations(defaultIntegrations) {
+      return defaultIntegrations.filter((i) => ![
+        "Breadcrumbs",
+        "Console",
+        "Http"
+      ].includes(i.name));
+    },
+    beforeSend(event) {
+      if (event.extra) {
+        const filtered = {};
+        for (const key of EXTRA_ALLOWLIST) {
+          if (key in event.extra) {
+            filtered[key] = event.extra[key];
+          }
+        }
+        event.extra = filtered;
+      }
+      if (event.contexts?.runtime) {
+        event.contexts.runtime.args = void 0;
+      }
+      if (event.request) {
+        event.request.data = void 0;
+      }
+      if (event.breadcrumbs?.values) {
+        const breadcrumbs = event.breadcrumbs.values();
+        for (const crumb of breadcrumbs) {
+          crumb.data = void 0;
+        }
+      }
+      if (event.exception?.values) {
+        for (const exc of event.exception.values) {
+          if (exc.value) {
+            exc.value = scrubString(exc.value);
+          }
+          if (exc.stacktrace?.frames) {
+            for (const frame of exc.stacktrace.frames) {
+              if (frame.filename) {
+                frame.filename = scrubString(frame.filename);
+              }
+              if (frame.abs_path) {
+                frame.abs_path = scrubString(frame.abs_path);
+              }
+            }
+          }
+        }
+      }
+      if (event.message) {
+        event.message = scrubString(event.message);
+      }
+      return event;
+    },
+    beforeBreadcrumb(breadcrumb) {
+      const cat = breadcrumb.category ?? "";
+      if (BLOCKED_BREADCRUMB_CATEGORIES.has(cat)) {
+        const data = breadcrumb.data;
+        if (data?._allow === true) {
+          const { _allow: _, ...rest } = data;
+          breadcrumb.data = rest;
+          return breadcrumb;
+        }
+        return null;
+      }
+      return breadcrumb;
+    }
+  };
+}
+__name(createSentryConfig, "createSentryConfig");
+
+// src/http-client.ts
+import { Agent, setGlobalDispatcher } from "undici";
+var globalAgent = new Agent({
+  connections: 50,
+  keepAliveTimeout: 3e4,
+  keepAliveMaxTimeout: 6e4,
+  pipelining: 1
+});
+setGlobalDispatcher(globalAgent);
+async function fetchWithPooling(input, init) {
+  return fetch(input, init);
+}
+function destroyPools() {
+  void globalAgent.destroy();
+}
+
+// src/utils/logger.ts
+function fmt(level, msg, ctx) {
+  return `[${level}] ${msg}${ctx ? ` ${JSON.stringify(ctx)}` : ""}
+`;
+}
+var logger = {
+  info(msg, ctx) {
+    if (process.env.LOG_LEVEL !== "silent") {
+      process.stdout.write(fmt("INFO", msg, ctx));
+    }
+  },
+  warn(msg, ctx) {
+    process.stderr.write(fmt("WARN", msg, ctx));
+  },
+  error(msg, ctx) {
+    process.stderr.write(fmt("ERROR", msg, ctx));
+  },
+  debug(msg, ctx) {
+    if (process.env.LOG_LEVEL === "debug") {
+      process.stdout.write(fmt("DEBUG", msg, ctx));
+    }
+  }
+};
+
+// src/validation.ts
+var API_URL = process.env.VREKO_API_URL || "https://api.vreko.dev";
+var MAX_BODY_SIZE = 10 * 1024 * 1024;
+var API_KEY_PATTERN = /^sk_(live|test)_[a-zA-Z0-9_-]{32,}$/;
+var WORKSPACE_ID_PATTERN = /^([a-f0-9]{12}|ws_[a-f0-9]{32})$/;
+var WORKSPACE_ID_LENGTHS = [12, 35];
+var DANGEROUS_CHARS = /[;<>|&$`\\]/;
+var PATH_DANGEROUS_CHARS = /[<>|&;$`\\]/;
+function validateApiKey(apiKey) {
+  if (!apiKey || apiKey.trim() === "") {
+    return {
+      valid: false,
+      error: "Missing API key"
+    };
+  }
+  if (!API_KEY_PATTERN.test(apiKey)) {
+    return {
+      valid: false,
+      error: "Invalid API key format. Must start with sk_live_ or sk_test_ followed by at least 32 alphanumeric characters"
+    };
+  }
+  if (DANGEROUS_CHARS.test(apiKey)) {
+    return {
+      valid: false,
+      error: "Invalid API key format. Contains illegal characters"
+    };
+  }
+  return { valid: true };
+}
+async function validateApiKeyWithDatabase(apiKey) {
+  const formatResult = validateApiKey(apiKey);
+  if (!formatResult.valid) {
+    return { valid: false, error: formatResult.error };
+  }
+  try {
+    const response = await fetchWithPooling(`${API_URL}/orpc/auth.verifyApiKey`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        apiKey,
+        // Request MCP tools permission
+        requiredPermissions: {
+          mcp: ["tools"]
+        }
+      })
+    });
+    if (!response.ok) {
+      if (response.status === 401) {
+        return { valid: false, error: "Invalid or expired API key" };
+      }
+      return { valid: false, error: `API verification failed: ${response.status}` };
+    }
+    const result = await response.json();
+    if (!result.valid) {
+      return { valid: false, error: "Invalid API key" };
+    }
+    const permissions = result.permissions || {};
+    const hasPro = permissions.api?.includes("write") || permissions["vreko:snapshot"]?.includes("write");
+    return {
+      valid: true,
+      userId: result.userId,
+      tier: hasPro ? "pro" : "free"
+    };
+  } catch (_error) {
+    return {
+      valid: false,
+      transient: true,
+      error: "auth_service_unavailable"
+    };
+  }
+}
+function validateWorkspaceId(workspaceId) {
+  if (!workspaceId || workspaceId.trim() === "") {
+    return {
+      valid: false,
+      error: "Missing workspace ID"
+    };
+  }
+  if (!WORKSPACE_ID_PATTERN.test(workspaceId)) {
+    return {
+      valid: false,
+      error: "Invalid workspace ID format. Must be 12 lowercase hex characters (unified) or ws_ followed by 32 lowercase hex characters (legacy)"
+    };
+  }
+  if (!WORKSPACE_ID_LENGTHS.includes(workspaceId.length)) {
+    return {
+      valid: false,
+      error: "Invalid workspace ID length"
+    };
+  }
+  if (DANGEROUS_CHARS.test(workspaceId)) {
+    return {
+      valid: false,
+      error: "Invalid workspace ID format. Contains illegal characters"
+    };
+  }
+  return { valid: true };
+}
+function validateWorkspace(workspace) {
+  if (workspace === "default") {
+    return { valid: true };
+  }
+  if (!workspace || workspace.trim() === "") {
+    return {
+      valid: false,
+      error: "Missing workspace parameter"
+    };
+  }
+  if (workspace.includes("..")) {
+    return {
+      valid: false,
+      error: "Invalid workspace path. Path traversal detected"
+    };
+  }
+  if (!workspace.startsWith("/")) {
+    return {
+      valid: false,
+      error: "Invalid workspace path. Must be an absolute path or 'default'"
+    };
+  }
+  if (workspace.includes("\0")) {
+    return {
+      valid: false,
+      error: "Invalid workspace path. Contains null bytes"
+    };
+  }
+  if (PATH_DANGEROUS_CHARS.test(workspace)) {
+    return {
+      valid: false,
+      error: "Invalid workspace path. Contains illegal characters"
+    };
+  }
+  return { valid: true };
+}
+function getAllowedCorsOrigin(requestOrigin, allowedOrigins) {
+  if (allowedOrigins === "*") {
+    return "*";
+  }
+  if (!requestOrigin) {
+    return allowedOrigins.split(",")[0] || null;
+  }
+  const origins = allowedOrigins.split(",").map((o) => o.trim());
+  if (origins.includes(requestOrigin)) {
+    return requestOrigin;
+  }
+  return null;
+}
+function getMaxBodySize() {
+  return MAX_BODY_SIZE;
+}
+
+// src/index.ts
+Sentry.init(
+  createSentryConfig({
+    dsn: process.env.SENTRY_DSN_MCP || process.env.SENTRY_DSN || "",
+    surface: "mcp-proxy"
+  })
+);
+process.once("uncaughtException", (error) => {
+  Sentry.captureException(error, { tags: { component: "uncaughtException" } });
+  logger.error("Uncaught exception", { message: error.message, stack: error.stack });
+  process.exit(1);
+});
+process.once("unhandledRejection", (reason) => {
+  Sentry.captureException(reason instanceof Error ? reason : new Error(String(reason)), {
+    tags: { component: "unhandledRejection" },
+    level: "warning"
+  });
+  logger.warn("Unhandled rejection", { reason: String(reason) });
+});
+var PORT = Number.parseInt(process.env.PORT || "8080", 10);
+var _NODE_ENV = process.env.NODE_ENV || "development";
+var MCP_VERSION = process.env.MCP_VERSION || "2025-03-26";
+var API_URL2 = process.env.VREKO_API_URL || "https://api.vreko.dev";
+var isShuttingDown = false;
+var isReady = false;
+var startTime = Date.now();
+async function proxyToApi(endpoint, method, body, headers) {
+  try {
+    const res = await fetchWithPooling(`${API_URL2}/api/v1/mcp${endpoint}`, {
+      method,
+      headers: { "Content-Type": "application/json", Accept: "application/json, text/event-stream", ...headers },
+      body: body ? JSON.stringify(body) : void 0
+    });
+    const resBody = await res.text();
+    const resHeaders = {
+      /* intentionally empty */
+    };
+    res.headers.forEach((v, k) => {
+      resHeaders[k] = v;
+    });
+    return { status: res.status, body: resBody, headers: resHeaders };
+  } catch (_e) {
+    return {
+      status: 503,
+      body: JSON.stringify({ error: "SERVICE_UNAVAILABLE" }),
+      headers: { "Content-Type": "application/json" }
+    };
+  }
+}
+function setCors(req, res) {
+  const origin = getAllowedCorsOrigin(req.headers.origin, process.env.CORS_ORIGIN || "*");
+  res.setHeader("Access-Control-Allow-Origin", origin || "*");
+  res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
+  res.setHeader(
+    "Access-Control-Allow-Headers",
+    "Content-Type, Authorization, mcp-session-id, x-api-key, x-workspace-id"
+  );
+  res.setHeader("Access-Control-Expose-Headers", "mcp-session-id");
+}
+var server = createServer(async (req, res) => {
+  setCors(req, res);
+  if (req.method === "OPTIONS") {
+    res.writeHead(200);
+    res.end();
+    return;
+  }
+  const nodeEnv = process.env.NODE_ENV || "development";
+  const requestOrigin = req.headers.origin;
+  if (nodeEnv === "production" && requestOrigin) {
+    const allowedOrigins = (process.env.CORS_ORIGIN || "").split(",").map((o) => o.trim()).filter(Boolean);
+    if (allowedOrigins.length > 0 && !allowedOrigins.includes(requestOrigin) && allowedOrigins[0] !== "*") {
+      logger.warn("Blocked request from unauthorized origin", { origin: requestOrigin });
+      res.writeHead(403, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "FORBIDDEN", message: "Origin not allowed" }));
+      return;
+    }
+  }
+  const requestId = randomUUID();
+  const url = new URL(req.url || "", `http://${req.headers.host}`);
+  logger.info("Request", { requestId, method: req.method, path: url.pathname });
+  const maxSize = getMaxBodySize();
+  const chunks = [];
+  let size = 0;
+  let aborted = false;
+  req.on("data", (chunk) => {
+    if (aborted) {
+      return;
+    }
+    size += chunk.length;
+    if (size > maxSize) {
+      aborted = true;
+      res.writeHead(413, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "PAYLOAD_TOO_LARGE" }));
+      req.destroy();
+      return;
+    }
+    chunks.push(chunk);
+  });
+  req.on("end", async () => {
+    if (aborted) {
+      return;
+    }
+    const body = chunks.length === 0 ? "" : Buffer.concat(chunks, size).toString("utf8");
+    try {
+      let result;
+      const path = url.pathname;
+      if (path === "/mcp" && req.method === "GET") {
+        const sessionId = req.headers["mcp-session-id"];
+        if (!sessionId) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "mcp-session-id header required" }));
+          return;
+        }
+        const upstreamHeaders = {
+          "mcp-session-id": sessionId,
+          Accept: "text/event-stream"
+        };
+        if (req.headers["x-api-key"]) {
+          upstreamHeaders["x-api-key"] = req.headers["x-api-key"];
+        }
+        if (req.headers.authorization?.startsWith("Bearer ")) {
+          upstreamHeaders.Authorization = req.headers.authorization;
+        }
+        if (req.headers["x-workspace-path"]) {
+          upstreamHeaders["x-workspace-path"] = req.headers["x-workspace-path"];
+        }
+        try {
+          const upstream = await fetchWithPooling(`${API_URL2}/api/v1/mcp`, {
+            method: "GET",
+            headers: upstreamHeaders
+          });
+          const responseHeaders2 = {};
+          upstream.headers.forEach((v, k) => {
+            responseHeaders2[k] = v;
+          });
+          res.writeHead(upstream.status, responseHeaders2);
+          if (upstream.body) {
+            const reader = upstream.body.getReader();
+            req.on(
+              "close",
+              () => reader.cancel().catch(() => {
+              })
+            );
+            (async () => {
+              try {
+                while (true) {
+                  const { done, value } = await reader.read();
+                  if (done) {
+                    res.end();
+                    break;
+                  }
+                  res.write(value);
+                }
+              } catch (pipeErr) {
+                logger.warn("SSE pipe closed unexpectedly", {
+                  sessionId,
+                  error: pipeErr instanceof Error ? pipeErr.message : String(pipeErr)
+                });
+                Sentry.captureException(
+                  pipeErr instanceof Error ? pipeErr : new Error(String(pipeErr)),
+                  { tags: { component: "sse-pipe" }, extra: { sessionId } }
+                );
+                res.end();
+              }
+            })();
+          } else {
+            res.end();
+          }
+        } catch (sseErr) {
+          logger.warn("SSE upstream connect failed", {
+            sessionId,
+            error: sseErr instanceof Error ? sseErr.message : String(sseErr)
+          });
+          Sentry.captureException(sseErr instanceof Error ? sseErr : new Error(String(sseErr)), {
+            tags: { component: "sse-upstream" },
+            extra: { sessionId }
+          });
+          res.writeHead(503, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "SERVICE_UNAVAILABLE" }));
+        }
+        return;
+      }
+      if (path === "/health" || path === "/health/live") {
+        result = {
+          status: 200,
+          body: JSON.stringify({
+            status: isShuttingDown ? "shutting_down" : "alive",
+            timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+            uptime: Math.floor((Date.now() - startTime) / 1e3),
+            version: MCP_VERSION
+          }),
+          headers: { "Content-Type": "application/json" }
+        };
+      } else if (path === "/health/ready") {
+        if (isShuttingDown) {
+          result = {
+            status: 503,
+            body: JSON.stringify({
+              status: "not_ready",
+              timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+              message: "Server is shutting down"
+            }),
+            headers: { "Content-Type": "application/json" }
+          };
+        } else {
+          const apiCheck = await proxyToApi("/health", "GET", null, {});
+          const isApiReady = apiCheck.status === 200;
+          if (isApiReady && !isReady) {
+            isReady = true;
+            logger.info("MCP Server recovered  -  API reachable on readiness probe");
+          }
+          result = {
+            status: isApiReady ? 200 : 503,
+            body: JSON.stringify({
+              status: isApiReady ? "ready" : "not_ready",
+              timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+              api: isApiReady ? "connected" : "disconnected",
+              uptime: Math.floor((Date.now() - startTime) / 1e3),
+              version: MCP_VERSION
+            }),
+            headers: { "Content-Type": "application/json" }
+          };
+        }
+      } else if (path === "/health/startup") {
+        result = {
+          status: isReady ? 200 : 503,
+          body: JSON.stringify({
+            status: isReady ? "started" : "starting",
+            timestamp: (/* @__PURE__ */ new Date()).toISOString()
+          }),
+          headers: { "Content-Type": "application/json" }
+        };
+      } else if (path === "/mcp") {
+        const sessionId = req.headers["mcp-session-id"];
+        let parsed = {};
+        try {
+          parsed = JSON.parse(body || "{}");
+        } catch {
+          res.writeHead(400);
+          res.end(JSON.stringify({ error: "BAD_REQUEST" }));
+          return;
+        }
+        const workspace = parsed.workspace || url.searchParams.get("workspace") || req.headers["x-workspace-path"] || "default";
+        if (!validateWorkspace(workspace).valid) {
+          res.writeHead(400);
+          res.end(JSON.stringify({ error: "BAD_REQUEST" }));
+          return;
+        }
+        const workspaceId = parsed.workspaceId || req.headers["x-workspace-id"];
+        if (workspaceId && !validateWorkspaceId(workspaceId).valid) {
+          res.writeHead(401);
+          res.end(JSON.stringify({ error: "UNAUTHORIZED" }));
+          return;
+        }
+        const apiKey = req.headers["x-api-key"];
+        if (apiKey) {
+          const validation = await validateApiKeyWithDatabase(apiKey);
+          if (!validation.valid) {
+            if (validation.transient) {
+              res.writeHead(503, { "Content-Type": "application/json" });
+              res.end(
+                JSON.stringify({
+                  jsonrpc: "2.0",
+                  error: {
+                    code: -32003,
+                    message: "Auth service temporarily unavailable",
+                    data: { reason: "auth_service_unavailable", retryable: true }
+                  },
+                  id: parsed?.id ?? null
+                })
+              );
+              return;
+            }
+            const errorResponse = {
+              jsonrpc: "2.0",
+              error: {
+                code: -32001,
+                message: "Unauthorized",
+                data: { reason: validation.error || "key_not_found_or_revoked" }
+              },
+              id: parsed?.id ?? null
+            };
+            res.writeHead(401, { "Content-Type": "application/json" });
+            res.end(JSON.stringify(errorResponse));
+            return;
+          }
+          if (validation.userId) {
+            logger.debug("API key validated", { userId: validation.userId, tier: validation.tier });
+          }
+        }
+        const headers = { "x-workspace-path": workspace };
+        if (sessionId) {
+          headers["mcp-session-id"] = sessionId;
+        }
+        if (workspaceId) {
+          headers["x-workspace-id"] = workspaceId;
+        }
+        if (apiKey) {
+          headers["x-api-key"] = apiKey;
+        }
+        if (req.headers.authorization?.startsWith("Bearer ")) {
+          headers.Authorization = req.headers.authorization;
+        }
+        result = await proxyToApi("", req.method || "POST", parsed, headers);
+      } else if (path === "/auth/link-workspace") {
+        if (req.method !== "POST") {
+          res.writeHead(405);
+          res.end();
+          return;
+        }
+        let parsed = {};
+        try {
+          parsed = JSON.parse(body);
+        } catch {
+          res.writeHead(400);
+          res.end();
+          return;
+        }
+        result = await proxyToApi(
+          "/auth/link-workspace",
+          "POST",
+          parsed,
+          req.headers.authorization ? { Authorization: req.headers.authorization } : {}
+        );
+      } else if (path === "/bridge/push") {
+        if (req.method !== "POST") {
+          res.writeHead(405);
+          res.end();
+          return;
+        }
+        let parsed = {};
+        try {
+          parsed = JSON.parse(body);
+        } catch {
+          res.writeHead(400);
+          res.end();
+          return;
+        }
+        result = await proxyToApi("/bridge/push", "POST", parsed, {});
+      } else if (path === "/bridge/status") {
+        if (req.method !== "GET") {
+          res.writeHead(405);
+          res.end();
+          return;
+        }
+        const wsId = url.searchParams.get("workspaceId");
+        result = await proxyToApi(
+          wsId ? `/bridge/status?workspaceId=${encodeURIComponent(wsId)}` : "/bridge/status",
+          "GET",
+          null,
+          {}
+        );
+      } else if (path === "/capabilities/false-positive") {
+        if (req.method !== "POST") {
+          res.writeHead(405);
+          res.end();
+          return;
+        }
+        let parsed = {};
+        try {
+          parsed = JSON.parse(body);
+        } catch {
+          res.writeHead(400);
+          res.end();
+          return;
+        }
+        result = await proxyToApi("/capabilities/false-positive", "POST", parsed, {});
+      } else if (path === "/capabilities") {
+        if (req.method !== "GET") {
+          res.writeHead(405);
+          res.end();
+          return;
+        }
+        const userId = url.searchParams.get("userId");
+        if (!userId) {
+          res.writeHead(400);
+          res.end(JSON.stringify({ error: "BAD_REQUEST" }));
+          return;
+        }
+        result = await proxyToApi(`/capabilities?userId=${encodeURIComponent(userId)}`, "GET", null, {});
+      } else {
+        res.writeHead(404, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "NOT_FOUND" }));
+        return;
+      }
+      const responseHeaders = {
+        "Content-Type": result.headers["content-type"] || "application/json"
+      };
+      if (result.headers["mcp-session-id"]) {
+        responseHeaders["mcp-session-id"] = result.headers["mcp-session-id"];
+      }
+      res.writeHead(result.status, responseHeaders);
+      res.end(result.body);
+    } catch (e) {
+      logger.error("Error", { requestId, error: String(e) });
+      res.writeHead(500, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "INTERNAL_ERROR" }));
+    }
+  });
+});
+var SHUTDOWN_TIMEOUT_MS = 25e3;
+async function gracefulShutdown(signal) {
+  if (isShuttingDown) {
+    logger.warn("Shutdown already in progress");
+    return;
+  }
+  isShuttingDown = true;
+  logger.info("Shutdown initiated", { signal, pid: process.pid });
+  isReady = false;
+  logger.info("Service marked as not ready");
+  server.closeAllConnections();
+  logger.info("SSE connections closed");
+  logger.info("Waiting for in-flight requests to complete...");
+  await new Promise((resolve) => setTimeout(resolve, 5e3));
+  destroyPools();
+  logger.info("Connection pools destroyed");
+  try {
+    await Sentry.close(2e3);
+  } catch {
+  }
+  logger.info("Closing server...");
+  server.close(() => {
+    logger.info("Server closed, exiting");
+    process.exit(0);
+  });
+  setTimeout(() => {
+    logger.error("Forced exit due to timeout");
+    process.exit(1);
+  }, SHUTDOWN_TIMEOUT_MS);
+}
+process.once("SIGTERM", () => gracefulShutdown("SIGTERM"));
+process.once("SIGINT", () => gracefulShutdown("SIGINT"));
+server.listen(PORT, "0.0.0.0", () => {
+  logger.info("MCP Server started", { port: PORT, host: "0.0.0.0", version: MCP_VERSION, apiUrl: API_URL2 });
+  (async () => {
+    try {
+      const check = await fetchWithPooling(`${API_URL2}/health`, {
+        method: "GET",
+        headers: { Accept: "application/json" }
+      });
+      if (check.ok) {
+        isReady = true;
+        logger.info("MCP Server ready  -  API reachable", { status: check.status });
+      } else {
+        logger.warn("MCP Server started but API not reachable", { status: check.status });
+      }
+    } catch (err) {
+      logger.warn("MCP Server started but API health check failed", {
+        error: err instanceof Error ? err.message : String(err)
+      });
+    }
+  })();
+});
+var index_default = server;
+export {
+  index_default as default
+};
+//# sourceMappingURL=index.js.map