- Added /mcp endpoint for JSON-RPC requests, supporting POST, GET (SSE notifications), and DELETE (session termination).

- Updated documentation in `MCP_INTEGRATION.md` to reflect new protocol and usage instructions.
- Enhanced session management for improved client-server interaction.

Author: DMontgomery40

TODO.md

@@ -20,6 +20,10 @@ This is a focused, prioritized backlog based on the latest audit.
 - [COMPLETED] Redact sensitive tokens from logs
   - Do not log `pdf_url` tokens
   - Ensure all logs contain job IDs, not secrets
+- [COMPLETED] Streamable HTTP MCP server
+  - Implemented `/mcp` POST/GET/DELETE with `StreamableHTTPServerTransport`
+  - Session management and SSE notifications supported
+  - Docs updated; scripts and Makefile remain valid
 
 ## Medium Priority
 - Skip TIFF generation for Phaxio path

api/mcp_http_server.js

@@ -1,151 +1,113 @@
 #!/usr/bin/env node
 
-// HTTP transport for Faxbot MCP tools
-// Exposes health, capabilities, and tool invocation over HTTP
+// MCP Streamable HTTP transport for Faxbot
+// Implements the standard /mcp POST (requests), GET (SSE notifications), and DELETE (session end)
 
 const express = require('express');
 const helmet = require('helmet');
 const cors = require('cors');
 const morgan = require('morgan');
-const Joi = require('joi');
 require('dotenv').config();
 
+const { StreamableHTTPServerTransport } = require('@modelcontextprotocol/sdk/server/streamableHttp.js');
+const { isInitializeRequest } = require('@modelcontextprotocol/sdk/types.js');
 const { FaxMcpServer } = require('./mcp_server.js');
-const { McpError, ErrorCode } = require('@modelcontextprotocol/sdk/types.js');
 
 const app = express();
 app.use(helmet());
-app.use(cors());
 app.use(express.json({ limit: '10mb' }));
+// Allow browser-based MCP clients to read session header
+app.use(cors({
+  origin: '*',
+  exposedHeaders: ['Mcp-Session-Id'],
+  allowedHeaders: ['Content-Type', 'mcp-session-id'],
+}));
 app.use(morgan('dev'));
 
-// Instantiate the MCP logic holder (but do not start stdio transport)
-const mcp = new FaxMcpServer();
+// Health (optional convenience)
+app.get('/health', (_req, res) => {
+  res.json({ status: 'ok', transport: 'streamable-http', server: 'faxbot-mcp', version: '2.0.0' });
+});
 
-// Tool definitions (keep in sync with mcp_server.js)
-function listTools() {
-  return {
-    tools: [
-      {
-        name: 'send_fax',
-        description:
-          'Send a fax to a recipient using T.38 protocol via Asterisk or cloud provider. Supports PDF and TXT files.',
-        inputSchema: {
-          type: 'object',
-          properties: {
-            to: {
-              type: 'string',
-              description:
-                'The fax number to send to (e.g., "+1234567890" or "555-1234")',
-            },
-            fileContent: {
-              type: 'string',
-              description: 'Base64 encoded file content (PDF or plain text)',
-            },
-            fileName: {
-              type: 'string',
-              description: 'Name of the file being sent (e.g., "document.pdf")',
-            },
-            fileType: {
-              type: 'string',
-              enum: ['pdf', 'txt'],
-              description: 'Type of file being sent (pdf or txt)',
-            },
-          },
-          required: ['to', 'fileContent', 'fileName'],
-        },
-      },
-      {
-        name: 'get_fax_status',
-        description: 'Check the status of a previously sent fax job',
-        inputSchema: {
-          type: 'object',
-          properties: {
-            jobId: {
-              type: 'string',
-              description: 'The job ID returned from send_fax',
-            },
-          },
-          required: ['jobId'],
-        },
-      },
-    ],
+// Session store
+const sessions = Object.create(null); // sessionId -> { transport, server }
+
+// Helper to create a new Faxbot MCP server and connect it to a transport
+async function initServerWithTransport(transport) {
+  const fax = new FaxMcpServer();
+  const server = fax.server; // underlying MCP server instance
+  // Clean up when transport closes
+  transport.onclose = () => {
+    if (transport.sessionId && sessions[transport.sessionId]) {
+      delete sessions[transport.sessionId];
+    }
+    try { server.close(); } catch (_) {}
   };
+  await server.connect(transport);
+  return server;
 }
 
-// Health endpoint
-app.get('/health', (req, res) => {
-  res.json({
-    status: 'ok',
-    transport: 'http',
-    server: 'faxbot-mcp',
-    version: '2.0.0',
-    apiUrl: mcp.apiUrl,
-  });
-});
-
-// Capabilities (tools) endpoint
-app.get('/mcp/capabilities', (req, res) => {
-  res.json(listTools());
-});
-
-// Optional: list tools alias
-app.get('/mcp/tools', (req, res) => {
-  res.json(listTools());
-});
-
-// Tool invocation endpoint
-const callSchema = Joi.object({
-  name: Joi.string().required(),
-  arguments: Joi.object().default({}),
-});
-
-app.post('/mcp/call', async (req, res) => {
-  const { error, value } = callSchema.validate(req.body || {});
-  if (error) {
-    return res.status(400).json({
-      error: { code: 'InvalidParams', message: error.message },
-    });
-  }
-
-  const { name, arguments: args } = value;
-
+// POST /mcp - client->server JSON requests
+app.post('/mcp', async (req, res) => {
   try {
-    switch (name) {
-      case 'send_fax': {
-        const result = await mcp.handleSendFax(args);
-        return res.json(result);
+    const sessionId = req.headers['mcp-session-id'];
+    let session = sessionId ? sessions[sessionId] : undefined;
+
+    if (!session) {
+      // No session: only allow if this is an initialize request
+      if (!isInitializeRequest(req.body)) {
+        return res.status(400).json({
+          jsonrpc: '2.0',
+          error: { code: -32000, message: 'Bad Request: No valid session ID provided' },
+          id: null,
+        });
       }
-      case 'get_fax_status': {
-        const result = await mcp.handleGetFaxStatus(args);
-        return res.json(result);
+      // Create transport with auto session ID
+      const transport = new StreamableHTTPServerTransport({});
+      const server = await initServerWithTransport(transport);
+      // After connect, transport.sessionId should be set
+      if (!transport.sessionId) {
+        return res.status(500).json({ jsonrpc: '2.0', error: { code: -32603, message: 'Failed to initialize session' }, id: null });
       }
-      default:
-        throw new McpError(ErrorCode.MethodNotFound, `Unknown tool: ${name}`);
+      sessions[transport.sessionId] = { transport, server };
+      await transport.handleRequest(req, res, req.body);
+      return;
     }
+
+    // Existing session: forward request
+    await session.transport.handleRequest(req, res, req.body);
   } catch (err) {
-    if (err instanceof McpError) {
-      const code = err.code || ErrorCode.InternalError;
-      const status =
-        code === ErrorCode.InvalidParams
-          ? 400
-          : code === ErrorCode.MethodNotFound
-          ? 404
-          : 500;
-      return res.status(status).json({ error: { code, message: err.message } });
+    console.error('MCP HTTP POST error:', err);
+    if (!res.headersSent) {
+      res.status(500).json({ jsonrpc: '2.0', error: { code: -32603, message: 'Internal server error' }, id: null });
     }
+  }
+});
 
-    console.error('HTTP MCP call error:', err);
-    return res
-      .status(500)
-      .json({ error: { code: 'InternalError', message: 'Unexpected error' } });
+// GET /mcp - SSE notifications
+app.get('/mcp', async (req, res) => {
+  const sessionId = req.headers['mcp-session-id'];
+  const session = sessionId ? sessions[sessionId] : undefined;
+  if (!session) {
+    res.status(400).send('Invalid or missing session ID');
+    return;
   }
+  await session.transport.handleRequest(req, res);
+});
+
+// DELETE /mcp - end session
+app.delete('/mcp', async (req, res) => {
+  const sessionId = req.headers['mcp-session-id'];
+  const session = sessionId ? sessions[sessionId] : undefined;
+  if (!session) {
+    res.status(400).send('Invalid or missing session ID');
+    return;
+  }
+  await session.transport.handleRequest(req, res);
 });
 
 // Start server
 const port = parseInt(process.env.MCP_HTTP_PORT || '3001', 10);
 app.listen(port, () => {
-  console.log(`Faxbot MCP HTTP server listening on http://localhost:${port}`);
-  console.log(`Upstream API: ${mcp.apiUrl}`);
+  console.log(`Faxbot MCP HTTP (streamable) on http://localhost:${port}`);
 });
-

docs/MCP_INTEGRATION.md

@@ -77,24 +77,13 @@ cd api && node setup-mcp.js
 ```
 cd api && npm run start:http
 ```
-- Endpoints:
-  - GET `/health` – liveness
-  - GET `/mcp/capabilities` – tool list
-  - POST `/mcp/call` – invoke tool with JSON body
-- Example request (send fax):
-```
-curl -X POST http://localhost:3001/mcp/call \
-  -H 'Content-Type: application/json' \
-  -d '{
-    "name": "send_fax",
-    "arguments": {
-      "to": "+15551234567",
-      "fileName": "note.txt",
-      "fileType": "txt",
-      "fileContent": "SGVsbG8gV29ybGQh"  
-    }
-  }'
-```
+- Protocol: Streamable HTTP with session management
+  - POST `/mcp` handles JSON-RPC requests. The first request must be an Initialize request if no `Mcp-Session-Id` is provided.
+  - GET `/mcp` establishes an SSE stream for server-to-client notifications. Include `Mcp-Session-Id` header.
+  - DELETE `/mcp` terminates the session. Include `Mcp-Session-Id` header.
+  - CORS: The server exposes `Mcp-Session-Id` and allows `mcp-session-id` header for browser clients.
+
+Note: Streamable HTTP is intended for MCP-aware clients (Claude Desktop, Cursor/Cline, etc.). Manual curl testing requires constructing JSON-RPC requests and handling SSE, which is beyond the scope of this guide.
 
 Docker option (profile `mcp`):
 ```