webcake-storefront-mcp 1.0.1

package/dist/builder/guide.js

@@ -0,0 +1,64 @@
+// Generation guide injected into builder tools so an AI agent understands the BuilderX
+// page model well enough to author pages that actually render.
+export const BUILD_GUIDE = `# BuilderX page authoring guide
+
+## Page shape
+A page's content is a single JSON object: \`{ "sections": [ <section>, ... ] }\`.
+- Save it via build_page (new page) or update_page_source (existing page).
+- A page is a vertical STACK of sections (top → bottom). Sections are the only valid
+  top-level children of \`sections\`.
+
+## Node shape (every element)
+\`\`\`
+{
+  "id": "TEXT-ab12cd34",        // unique per page; prefix = TYPE-, see factories
+  "type": "text",                // one of the catalog types (list_elements)
+  "name": "",
+  "specials": { ... },           // CONTENT + behaviour (text, src, field_name, ...)
+  "runtime": { "style": {}, "config": {} },  // STYLE (css) + LAYOUT (grid/position)
+  "children": [ ... ],           // only for container types
+  "events": [ ... ],             // click/hover actions
+  "bindings": [ ... ]            // dataset bindings (product/category/blog fields)
+}
+\`\`\`
+Never hand-write a node from scratch — call new_element / new_section so the factory
+fills the correct defaults, then edit specials/style.
+
+## Layout = CSS grid (NOT absolute top/left)
+This is the key difference from landing-page builders. A section/container positions its
+children with a grid:
+- container \`runtime.config\`: \`grid: "1xN"\`, \`columns: [{unit:'fr',value:1}]\`,
+  \`rows: [{unit:'min/max', min:{unit:'px',absValue:H}, max:{unit:'max-c'}}, ...]\`.
+- each child \`runtime.config\`: \`columnStart/columnEnd\`, \`rowStart/rowEnd\` (1-based grid
+  lines), \`constraintX\` (['left'|'right'|'centerLeft']), \`constraintY\` (['top'|'bottom'|'centerTop']).
+new_section does this for you: pass children and they are stacked one row each. To build
+multi-column layouts, nest a container child and give it its own grid.
+
+## Styling
+- \`runtime.style\` holds CSS-ish props: width/height (numbers = px), color, background,
+  fontSize ("16px"), fontWeight, textAlign, border*, boxShadow, etc.
+- \`runtime.config.heightUnit\`: "auto" lets content set height (default for text/image).
+- Colours as hex or rgba(). Use the site theme colours where possible.
+
+## Responsive breakpoints
+Override style/config per breakpoint by adding a key on the node: \`bp1\`, \`tablet\`,
+\`laptop\` → \`{ style: {...}, config: {...} }\`. Desktop values live in \`runtime\`.
+Breakpoint widths: large_desktop 1920, desktop 1280, laptop 992, tablet 640.
+
+## Content & data
+- Text: \`specials.text\` (HTML allowed), \`specials.tag\` ("h1".."p").
+- Image: \`runtime.config.src\` (URL). Use search_images / upload before referencing.
+- Form: wrap inputs in a \`form\`; set \`form.specials.type\`
+  (form_order | form_login | form_signup | form_discount | order_tracking). Each input
+  needs \`specials.field_name\`.
+- Dataset elements (text-dataset, image-dataset, grid-product...) use \`bindings\` to pull
+  product/category/blog data — leave bindings to dataset-driven pages.
+
+## Workflow (do this every time)
+1. Intake: confirm goal, brand, colours, sections wanted (ask 3-5 questions if unclear).
+2. list_elements / get_element to pick the right component types.
+3. Build sections with new_section (or new_element for one node), fill content.
+4. validate_page — fix every error and review warnings.
+5. build_page with dry_run:true first → review → dry_run:false to persist.
+6. For existing pages, prefer surgical edits (update_page_element) over full rewrites.
+Always keep Vietnamese text with full diacritics; reply in the user's language.`;

package/dist/builder/page.js

@@ -0,0 +1,149 @@
+// Page-level helpers: skeleton, grid composition, id hygiene, and validation.
+//
+// A BuilderX page source is `{ sections: [ <section node>, ... ] }`. Sections lay out
+// their children in a CSS grid driven by runtime.config (grid / columns / rows) and each
+// child's runtime.config (columnStart/End, rowStart/End, constraintX/Y). The helpers here
+// produce that structure the same way the builder does, so generated pages render.
+import { buildElement, isKnownType, ELEMENT_TYPES } from "./catalog.js";
+import { randomString } from "./factory.js";
+/** Walk every node in a source tree (depth-first). Return false from fn to stop. */
+export function walk(source, fn) {
+    const sections = source && Array.isArray(source.sections) ? source.sections : [];
+    const visit = (node) => {
+        if (!node)
+            return true;
+        if (fn(node) === false)
+            return false;
+        for (const child of node.children || []) {
+            if (visit(child) === false)
+                return false;
+        }
+        return true;
+    };
+    for (const s of sections) {
+        if (visit(s) === false)
+            return;
+    }
+}
+/** Empty but valid page source. */
+export function newPageSkeleton() {
+    return { sections: [] };
+}
+const typePrefix = (type) => ({ rectangle: "RECT", "grid-category": "GRID-CATE", "slider-category": "SLIDER-CATE" }[type] ||
+    type.toUpperCase());
+/** Re-id every node in a subtree so a cloned/template node can't collide with existing ids. */
+export function reassignIds(node) {
+    if (!node || typeof node !== "object")
+        return node;
+    if (node.type)
+        node.id = `${typePrefix(node.type)}-${randomString(8)}`;
+    for (const child of node.children || [])
+        reassignIds(child);
+    return node;
+}
+/**
+ * Lay children out vertically inside a section/container using a single-column grid —
+ * the same shape the builder emits. `children` are placed top-to-bottom, one grid row each.
+ */
+export function stackChildren(container, children) {
+    const rows = children.map((child) => {
+        const h = (child.runtime && child.runtime.style && child.runtime.style.height) || 50;
+        return { unit: "min/max", min: { unit: "px", absValue: h }, max: { unit: "max-c" } };
+    });
+    container.runtime = container.runtime || {};
+    container.runtime.config = {
+        ...(container.runtime.config || {}),
+        grid: `1x${children.length || 1}`,
+        columns: [{ unit: "fr", value: 1 }],
+        rows: rows.length ? rows : [{ unit: "min/max", min: { unit: "px", absValue: 50 }, max: { unit: "max-c" } }],
+        heightUnit: "auto",
+    };
+    children.forEach((child, i) => {
+        child.runtime = child.runtime || {};
+        child.runtime.config = {
+            ...(child.runtime.config || {}),
+            columnStart: 1,
+            columnEnd: 2,
+            rowStart: i + 1,
+            rowEnd: i + 2,
+            constraintX: (child.runtime.config && child.runtime.config.constraintX) || ["centerLeft"],
+            constraintY: (child.runtime.config && child.runtime.config.constraintY) || ["top"],
+            loaded: true,
+        };
+    });
+    container.children = children;
+    return container;
+}
+/**
+ * Build a ready-to-place section from a list of child specs.
+ * Each spec: { type, opts?, children? } where children is a nested array of specs.
+ */
+export function buildSection(childSpecs = [], sectionOpts = {}) {
+    const section = buildElement("section", sectionOpts);
+    const children = childSpecs.map((spec) => buildFromSpec(spec));
+    stackChildren(section, children);
+    return section;
+}
+function buildFromSpec(spec) {
+    if (!spec || !spec.type) {
+        throw new Error("Each element spec must have a 'type'.");
+    }
+    const node = buildElement(spec.type, spec.opts || {});
+    if (Array.isArray(spec.children) && spec.children.length) {
+        const kids = spec.children.map((c) => buildFromSpec(c));
+        stackChildren(node, kids);
+    }
+    return node;
+}
+/** Validate a page source. Errors block a save; warnings are fixable design issues. */
+export function validatePage(source) {
+    const errors = [];
+    const warnings = [];
+    if (!source || typeof source !== "object" || !Array.isArray(source.sections)) {
+        return { valid: false, errors: ["Source must be an object shaped { sections: [...] }."] };
+    }
+    const ids = new Set();
+    const allIds = new Set();
+    let total = 0;
+    const typeCounts = {};
+    // First pass: collect ids + flag duplicates / unknown types / missing fields.
+    walk(source, (node) => {
+        total++;
+        const type = node.type || "(missing)";
+        typeCounts[type] = (typeCounts[type] || 0) + 1;
+        if (!node.id)
+            errors.push(`A ${type} node is missing an id.`);
+        else if (ids.has(node.id))
+            errors.push(`Duplicate element id "${node.id}".`);
+        else
+            ids.add(node.id);
+        if (node.id)
+            allIds.add(node.id);
+        if (!node.type)
+            errors.push(`A node (id ${node.id || "?"}) is missing a type.`);
+        else if (!isKnownType(node.type))
+            warnings.push(`Unknown element type "${node.type}" (id ${node.id}).`);
+        // Form fields should carry a field_name so submissions map to data.
+        if (/^(input|email|phone-number|text-area|select|address|password)$/.test(node.type || "")) {
+            const fn = node.specials && node.specials.field_name;
+            if (!fn)
+                warnings.push(`Form field "${node.id}" (${node.type}) has no specials.field_name.`);
+        }
+    });
+    // Second pass: event targets must point at an element that exists in the page.
+    walk(source, (node) => {
+        for (const ev of node.events || []) {
+            const target = ev.open_page_id ? null : ev.target || ev.target_id;
+            if (target && !allIds.has(target)) {
+                warnings.push(`Event on "${node.id}" targets missing element "${target}".`);
+            }
+        }
+    });
+    return {
+        valid: errors.length === 0,
+        ...(errors.length ? { errors } : {}),
+        ...(warnings.length ? { warnings } : {}),
+        stats: { sections: source.sections.length, total_elements: total, element_types: typeCounts },
+    };
+}
+export { ELEMENT_TYPES };

package/dist/config.js

@@ -0,0 +1,97 @@
+// Central resolution of connection settings for every entry path (stdio, install,
+// login, remote HTTP). Precedence: explicit overrides > environment variables >
+// saved config in the local SQLite db.
+import { WebcakeCmsApi } from "./api.js";
+import { getSavedConfig } from "./tools/context.js";
+// Per-environment endpoints so you can switch with `--env <name>` / WEBCAKE_ENV
+// instead of setting WEBCAKE_API_URL / WEBCAKE_APP_URL by hand. Default is prod.
+export const ENVIRONMENTS = {
+    local: {
+        apiUrl: "http://localhost:24679",
+        appUrl: "http://localhost:5173",
+        preview: { kind: "path", base: "http://demo.localhost:24679" },
+    },
+    staging: {
+        apiUrl: "https://api.staging.storecake.io",
+        appUrl: "https://staging.webcake.io",
+        preview: { kind: "path", base: "https://staging2.webcake.me" },
+    },
+    prod: {
+        apiUrl: "https://api.storefront.webcake.io",
+        appUrl: "https://webcake.io",
+        preview: { kind: "subdomain", suffix: "webcake.me" },
+    },
+};
+export const DEFAULT_ENV = "prod";
+/** Map a resolved API base back to its named environment (so the preview rule can be
+ *  picked without threading the env around). Falls back to the default env. */
+export function envFromApiUrl(apiUrl) {
+    const normalized = (apiUrl || "").replace(/\/$/, "");
+    for (const [name, p] of Object.entries(ENVIRONMENTS)) {
+        if (p.apiUrl === normalized)
+            return name;
+    }
+    return DEFAULT_ENV;
+}
+/** Resolve a site's public preview/live URL: a custom domain if set, otherwise the
+ *  per-environment rule. Returns null if it can't be determined. */
+export async function resolvePreviewUrl(api) {
+    let site;
+    try {
+        const res = await api.getSite();
+        site = (res && res.data) || res;
+    }
+    catch {
+        return null;
+    }
+    if (!site)
+        return null;
+    const custom = site.primary_domain && site.primary_domain.domain;
+    if (custom)
+        return `https://${custom}`;
+    const rule = ENVIRONMENTS[envFromApiUrl(api.baseUrl)].preview;
+    if (rule.kind === "subdomain") {
+        const slug = site.site_slug && site.site_slug.slug;
+        return slug ? `https://${slug}.${rule.suffix}` : null;
+    }
+    return `${rule.base}/${api.siteId}`;
+}
+export function resolveEnv(name) {
+    if (!name)
+        return undefined;
+    return ENVIRONMENTS[name];
+}
+/** Resolve effective settings from overrides, env vars, named env preset, and saved config.
+ *
+ * Precedence for the URLs: explicit override → explicit env var → named-env preset
+ * (only when WEBCAKE_ENV / --env is set) → saved config (from `login`) → prod default.
+ * So with zero config you hit prod; `--env local` flips to localhost for testing; an
+ * explicit WEBCAKE_API_URL still wins; and a logged-in saved URL is respected. */
+export function resolveSettings(overrides = {}) {
+    const saved = getSavedConfig();
+    const envName = overrides.env ?? process.env.WEBCAKE_ENV;
+    const preset = resolveEnv(envName); // undefined unless an env was explicitly named
+    const apiUrl = overrides.apiUrl ||
+        process.env.WEBCAKE_API_URL ||
+        preset?.apiUrl ||
+        saved.api_url ||
+        ENVIRONMENTS[DEFAULT_ENV].apiUrl;
+    const appUrl = overrides.appUrl ||
+        process.env.WEBCAKE_APP_URL ||
+        preset?.appUrl ||
+        ENVIRONMENTS[DEFAULT_ENV].appUrl;
+    const token = overrides.token || process.env.WEBCAKE_TOKEN || saved.token || "";
+    const siteId = overrides.siteId || process.env.WEBCAKE_SITE_ID || saved.site_id || "";
+    const sessionId = overrides.sessionId || process.env.WEBCAKE_SESSION_ID || saved.session_id || "";
+    return { apiUrl, appUrl, token, siteId, sessionId, env: envName };
+}
+/** Build a WebcakeCmsApi client from resolved settings. */
+export function makeApi(overrides = {}) {
+    const s = resolveSettings(overrides);
+    return new WebcakeCmsApi({
+        baseUrl: s.apiUrl,
+        token: s.token,
+        siteId: s.siteId,
+        sessionId: s.sessionId,
+    });
+}

package/dist/db.js

@@ -0,0 +1,96 @@
+import Database from "better-sqlite3";
+import { mkdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+// Persist in a stable home directory so saved config survives `npx` (where the
+// package lives in an ephemeral cache dir) and rebuilds.
+const CONFIG_DIR = process.env.WEBCAKE_CONFIG_DIR || join(homedir(), ".webcake-storefront-mcp");
+mkdirSync(CONFIG_DIR, { recursive: true });
+const DB_PATH = join(CONFIG_DIR, "webcake-mcp.db");
+const db = new Database(DB_PATH);
+// WAL mode for better concurrent reads
+db.pragma("journal_mode = WAL");
+// ── Schema ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS config (
+    key   TEXT PRIMARY KEY,
+    value TEXT NOT NULL
+  );
+`);
+// ── Simple key-value helpers ──
+const stmtGet = db.prepare("SELECT value FROM config WHERE key = ?");
+const stmtSet = db.prepare("INSERT OR REPLACE INTO config (key, value) VALUES (?, ?)");
+const stmtDel = db.prepare("DELETE FROM config WHERE key = ?");
+const stmtAll = db.prepare("SELECT key, value FROM config");
+export function getConfig(key) {
+    const row = stmtGet.get(key);
+    return row ? row.value : null;
+}
+export function setConfig(key, value) {
+    stmtSet.run(key, String(value));
+}
+export function delConfig(key) {
+    stmtDel.run(key);
+}
+export function getAllConfig() {
+    const rows = stmtAll.all();
+    const result = {};
+    for (const row of rows)
+        result[row.key] = row.value;
+    return result;
+}
+// ── Image alt cache ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS image_alt_cache (
+    url_key    TEXT PRIMARY KEY,
+    url        TEXT NOT NULL,
+    alt        TEXT NOT NULL,
+    source     TEXT,
+    updated_at INTEGER NOT NULL
+  );
+`);
+const stmtAltGet = db.prepare("SELECT url_key, url, alt, source, updated_at FROM image_alt_cache WHERE url_key = ?");
+const stmtAltSet = db.prepare(`
+  INSERT INTO image_alt_cache (url_key, url, alt, source, updated_at)
+  VALUES (@url_key, @url, @alt, @source, @updated_at)
+  ON CONFLICT(url_key) DO UPDATE SET
+    url = excluded.url,
+    alt = excluded.alt,
+    source = excluded.source,
+    updated_at = excluded.updated_at
+`);
+const stmtAltList = db.prepare("SELECT url_key, url, alt, source, updated_at FROM image_alt_cache ORDER BY updated_at DESC LIMIT ? OFFSET ?");
+const stmtAltCount = db.prepare("SELECT COUNT(*) AS n FROM image_alt_cache");
+export function getImageAlt(urlKey) {
+    return stmtAltGet.get(urlKey) || null;
+}
+export function getImageAlts(urlKeys) {
+    const out = new Map();
+    for (const k of urlKeys) {
+        const row = stmtAltGet.get(k);
+        if (row)
+            out.set(k, row);
+    }
+    return out;
+}
+export function setImageAlt({ url_key, url, alt, source = "ai" }) {
+    stmtAltSet.run({ url_key, url, alt, source, updated_at: Date.now() });
+}
+export const setImageAlts = db.transaction((items) => {
+    for (const it of items) {
+        stmtAltSet.run({
+            url_key: it.url_key,
+            url: it.url,
+            alt: it.alt,
+            source: it.source || "ai",
+            updated_at: Date.now(),
+        });
+    }
+});
+export function listImageAlts(limit = 100, offset = 0) {
+    return stmtAltList.all(limit, offset);
+}
+export function countImageAlts() {
+    return stmtAltCount.get().n;
+}
+export default db;

package/dist/guides.js

@@ -0,0 +1,93 @@
+export const HTTP_FUNCTION_GUIDE = `
+# HTTP Function Guide
+
+## Syntax
+export const [method]_[FunctionName] = (request) => { return result; }
+- Method: lowercase (get, post, put, patch, delete)
+- FunctionName: PascalCase
+- Examples: get_Products, post_CreateOrder, delete_RemoveItem
+
+## Request object
+- request.params    — query params or body params
+- request.customer  — logged-in customer { id, name, email, first_name, last_name, phone_number, avatar }
+- request.account   — admin account { id, name, email, first_name, last_name, phone_number, avatar }
+- request.data      — full request params (including query string)
+
+## API endpoint after deploy
+GET/POST/PUT/PATCH /api/v1/{site_id}/_functions/{FunctionName}
+
+## webcake-data (Database SDK, built-in, no config needed)
+import { DBConnection } from 'webcake-data';
+const db = new DBConnection();
+const Model = db.model('table_name');
+
+### CRUD
+- Model.create({ field: value })
+- Model.insertMany([...])
+- Model.find(filter).sort().limit().skip().select().exec()
+- Model.findOne(filter, { select, sort, populate })
+- Model.findById(id)
+- Model.updateOne(filter, update)
+- Model.findByIdAndUpdate(id, update)
+- Model.updateMany(filter, update)
+- Model.deleteOne(filter)
+- Model.findByIdAndDelete(id)
+- Model.deleteMany(filter)
+- Model.countDocuments(filter)
+- Model.exists(filter)
+
+### QueryBuilder
+Model.find().where('age').gte(25).lte(40).in('role', ['admin']).like('email', '%@ex.com').sort({ age: -1 }).limit(20).skip(10).select('name email').exec()
+
+### Populate (joins)
+Model.find().populate({ field: 'posts', table: 'posts', referenceField: 'user_id', select: 'title', where: {}, sort: {}, limit: 5 }).exec()
+
+### Operators
+where, eq, ne, gt, gte, lt, lte, in, nin, between, like, sort, limit, skip, select, populate
+
+## Built-in Modules
+- import { findArticleById, findArticle, createArticle, updateArticleById, deleteArticleById } from '@webcake/article'
+- import { findCustomerById, findCustomerByPhone, findCustomerByEmail } from '@webcake/customer'
+- import { addBonus } from '@webcake/promotion'
+- import { getAccessToken } from '@webcake/token'
+- import { sendMail } from '@webcake/app/automation'
+All module functions take (request, ...args) and auto-use global token/site_id.
+
+## Sandbox Globals (no import needed)
+- fetch(url, options) — HTTP requests
+- URLSearchParams — URL query building
+- console.log/warn/error — logging (captured in debug mode)
+- global.domain, global.siteId, global.token, global.headers
+
+## Cron Jobs (jobs_config JSON)
+{ "jobs": [{ "functionLocation": "backend/http_function", "functionName": "myFunc", "executionConfig": { "cronExpression": "0 2 * * *" } }] }
+`;
+export const CUSTOM_CODE_GUIDE = `
+# Custom Code Guide
+
+Custom code is stored in site settings (applies to entire site, not per page).
+
+## Injection points
+- code_before_head: HTML/script inserted before </head> (meta tags, external CSS, tracking scripts)
+- code_before_body: HTML/script inserted before </body> (DOM-ready JS, widgets)
+- code_custom_css: Custom CSS (auto-wrapped in <style>)
+- code_custom_javascript: Custom JavaScript
+
+## webcake-fn (call HTTP functions from frontend)
+Add CDN to code_before_head:
+<script src="https://cdn.jsdelivr.net/npm/webcake-fn/dist/webcake-fn.umd.min.js"></script>
+
+Then use window.api in code_custom_javascript or code_before_body:
+- api.get_Products({ category: 'shoes' })
+- api.post_CreateOrder({ items: [...] })
+- Method lowercase + FunctionName matching backend export
+
+## Available globals
+- window.pubsub.subscribe(event, callback) / window.pubsub.publish(event, data)
+- window.useNotification(type, { title, message }) — type: 'success' | 'error' | 'warning'
+- window.resizeLink(url, width, height) — returns { webp, cdn }
+- window.SITE_DATA, window.DATA_ORDER — site context
+
+## Error handling
+try { const r = await api.post_X(params); } catch (e) { window.useNotification('error', { title: 'Error', message: e.message }); }
+`;

package/dist/http.js

@@ -0,0 +1,120 @@
+// Remote MCP over Streamable-HTTP. Each client session carries its own credentials,
+// supplied per-request via headers (x-webcake-jwt / x-webcake-site-id / x-webcake-api-url)
+// or query params (?jwt=&site_id=&api_url=) for clients that can't set custom headers.
+import { createServer as createHttpServer } from "node:http";
+import { randomUUID } from "node:crypto";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+import { createServer } from "./server.js";
+import { makeApi } from "./config.js";
+const MCP_PATH = "/mcp";
+const QUERY_TO_HEADER = {
+    jwt: "x-webcake-jwt",
+    token: "x-webcake-jwt",
+    site_id: "x-webcake-site-id",
+    api_url: "x-webcake-api-url",
+    session_id: "x-webcake-session-id",
+    env: "x-webcake-env",
+};
+function header(req, name) {
+    const v = req.headers[name];
+    return Array.isArray(v) ? v[0] : v;
+}
+/** Copy recognised query params onto request headers so downstream reads are uniform. */
+function applyQueryAuth(req) {
+    const q = (req.url ?? "").indexOf("?");
+    if (q === -1)
+        return;
+    const params = new URLSearchParams((req.url ?? "").slice(q + 1));
+    for (const [param, head] of Object.entries(QUERY_TO_HEADER)) {
+        const value = params.get(param);
+        if (value && req.headers[head] == null)
+            req.headers[head] = value;
+    }
+}
+function apiFromRequest(req) {
+    return makeApi({
+        token: header(req, "x-webcake-jwt"),
+        siteId: header(req, "x-webcake-site-id"),
+        apiUrl: header(req, "x-webcake-api-url"),
+        sessionId: header(req, "x-webcake-session-id"),
+        env: header(req, "x-webcake-env"),
+    });
+}
+function readBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        req.on("data", (c) => chunks.push(c));
+        req.on("end", () => {
+            const raw = Buffer.concat(chunks).toString("utf-8");
+            if (!raw)
+                return resolve(undefined);
+            try {
+                resolve(JSON.parse(raw));
+            }
+            catch (e) {
+                reject(e);
+            }
+        });
+        req.on("error", reject);
+    });
+}
+function rpcError(res, status, message) {
+    res.writeHead(status, { "content-type": "application/json" });
+    res.end(JSON.stringify({ jsonrpc: "2.0", error: { code: -32000, message }, id: null }));
+}
+export async function startHttpServer(port) {
+    const transports = new Map();
+    const httpServer = createHttpServer(async (req, res) => {
+        const path = (req.url ?? "").split("?")[0];
+        if (path === "/health") {
+            res.writeHead(200, { "content-type": "application/json" });
+            res.end(JSON.stringify({ ok: true }));
+            return;
+        }
+        if (path !== MCP_PATH) {
+            return rpcError(res, 404, `Not found. Send MCP requests to ${MCP_PATH}.`);
+        }
+        applyQueryAuth(req);
+        const sidHeader = header(req, "mcp-session-id");
+        try {
+            // Reuse an existing session.
+            if (sidHeader && transports.has(sidHeader)) {
+                const transport = transports.get(sidHeader);
+                const body = req.method === "POST" ? await readBody(req) : undefined;
+                await transport.handleRequest(req, res, body);
+                return;
+            }
+            // New session: must be an initialize POST.
+            if (req.method === "POST") {
+                const body = await readBody(req);
+                if (!sidHeader && isInitializeRequest(body)) {
+                    const transport = new StreamableHTTPServerTransport({
+                        sessionIdGenerator: () => randomUUID(),
+                        onsessioninitialized: (id) => {
+                            transports.set(id, transport);
+                        },
+                    });
+                    transport.onclose = () => {
+                        if (transport.sessionId)
+                            transports.delete(transport.sessionId);
+                    };
+                    const api = apiFromRequest(req);
+                    const server = createServer(api);
+                    await server.connect(transport);
+                    await transport.handleRequest(req, res, body);
+                    return;
+                }
+                return rpcError(res, 400, "Bad Request: send an initialize request first (no valid mcp-session-id).");
+            }
+            return rpcError(res, 400, "Bad Request: missing or unknown mcp-session-id.");
+        }
+        catch (e) {
+            const msg = e instanceof Error ? e.message : String(e);
+            if (!res.headersSent)
+                rpcError(res, 500, msg);
+        }
+    });
+    await new Promise((resolve) => httpServer.listen(port, resolve));
+    console.error(`[webcake-storefront] Streamable-HTTP MCP ready on http://localhost:${port}${MCP_PATH}`);
+}