feat(core, server): introduce ResourceTemplateMatcher for enhanced URI matching

- Added `ResourceTemplateMatcher` interface and its implementation `SimpleUriResourceTemplateMatcher` to improve URI matching specificity and safety.
- Replaced usage of `UriTemplate` and `UriTemplateMatcher` with `ResourceTemplateMatcher` in `RegisteredResourceTemplate`.
- Updated `ServerOptions` to include a configurable `ResourceTemplateMatcherFactory`, defaulting to `SimpleUriResourceTemplateMatcher.factory`.
- Enhanced resource registration logic to utilize matchers for improved URI matching robustness.
- Improved template selection logic by prioritizing specificity, variable minimization, and registration order.

Author: kpavlov

kotlin-sdk-core/api/kotlin-sdk-core.api

@@ -4732,3 +4732,36 @@ public final class io/modelcontextprotocol/kotlin/sdk/types/WithMeta$DefaultImpl
 	public static fun get_meta (Lio/modelcontextprotocol/kotlin/sdk/types/WithMeta;)Lkotlinx/serialization/json/JsonObject;
 }
 
+public final class io/modelcontextprotocol/kotlin/sdk/utils/MatchResult {
+	public fun <init> (Ljava/util/Map;I)V
+	public fun equals (Ljava/lang/Object;)Z
+	public final fun getScore ()I
+	public final fun getVariables ()Ljava/util/Map;
+	public fun hashCode ()I
+	public fun toString ()Ljava/lang/String;
+}
+
+public final class io/modelcontextprotocol/kotlin/sdk/utils/PathSegmentTemplateMatcher : io/modelcontextprotocol/kotlin/sdk/utils/ResourceTemplateMatcher {
+	public static final field Companion Lio/modelcontextprotocol/kotlin/sdk/utils/PathSegmentTemplateMatcher$Companion;
+	public fun <init> (Lio/modelcontextprotocol/kotlin/sdk/types/ResourceTemplate;)V
+	public fun <init> (Lio/modelcontextprotocol/kotlin/sdk/types/ResourceTemplate;I)V
+	public fun <init> (Lio/modelcontextprotocol/kotlin/sdk/types/ResourceTemplate;II)V
+	public synthetic fun <init> (Lio/modelcontextprotocol/kotlin/sdk/types/ResourceTemplate;IIILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public static final fun getFactory ()Lio/modelcontextprotocol/kotlin/sdk/utils/ResourceTemplateMatcherFactory;
+	public fun getResourceTemplate ()Lio/modelcontextprotocol/kotlin/sdk/types/ResourceTemplate;
+	public fun match (Ljava/lang/String;)Lio/modelcontextprotocol/kotlin/sdk/utils/MatchResult;
+}
+
+public final class io/modelcontextprotocol/kotlin/sdk/utils/PathSegmentTemplateMatcher$Companion {
+	public final fun getFactory ()Lio/modelcontextprotocol/kotlin/sdk/utils/ResourceTemplateMatcherFactory;
+}
+
+public abstract interface class io/modelcontextprotocol/kotlin/sdk/utils/ResourceTemplateMatcher {
+	public abstract fun getResourceTemplate ()Lio/modelcontextprotocol/kotlin/sdk/types/ResourceTemplate;
+	public abstract fun match (Ljava/lang/String;)Lio/modelcontextprotocol/kotlin/sdk/utils/MatchResult;
+}
+
+public abstract interface class io/modelcontextprotocol/kotlin/sdk/utils/ResourceTemplateMatcherFactory {
+	public abstract fun create (Lio/modelcontextprotocol/kotlin/sdk/types/ResourceTemplate;)Lio/modelcontextprotocol/kotlin/sdk/utils/ResourceTemplateMatcher;
+}
+

kotlin-sdk-core/src/commonMain/kotlin/io/modelcontextprotocol/kotlin/sdk/utils/PathSegmentTemplateMatcher.kt

@@ -0,0 +1,157 @@
+package io.modelcontextprotocol.kotlin.sdk.utils
+
+import io.github.oshai.kotlinlogging.KotlinLogging
+import io.ktor.http.decodeURLPart
+import io.modelcontextprotocol.kotlin.sdk.types.ResourceTemplate
+import kotlinx.collections.immutable.toImmutableMap
+import kotlin.jvm.JvmOverloads
+import kotlin.jvm.JvmStatic
+
+// Max URL/path length to prevent DoS or unexpected large payloads.
+private const val MAX_URL_LENGTH = 2048
+
+// Max template/uri depth to prevent overly nested or complex templates.
+private const val MAX_DEPTH = 50
+
+// Literal segments are more specific than variable captures.
+private const val LITERAL_MATCH_SCORE = 2
+private const val VARIABLE_MATCH_SCORE = 1
+
+/**
+ * A [ResourceTemplateMatcher] that matches resource URIs against an RFC 6570 Level 1
+ * URI template by splitting both the URI and the template on `/` and comparing each
+ * segment in order.
+ *
+ * ### Supported template syntax
+ *
+ * Only RFC 6570 **Level 1** is supported: simple `{variable}` expressions where the
+ * entire path segment is a single variable. Operator expressions (`{+var}`, `{#var}`,
+ * `{.var}`, `{/var}`, etc.) and multi-variable expressions (`{a,b}`) are **not**
+ * recognized — segments containing them are treated as literals.
+ *
+ * ### Matching rules
+ *
+ * - The URI and template must have the same number of `/`-delimited segments.
+ * - Literal segments must match exactly (after percent-decoding the URI segment).
+ * - `{variable}` segments capture the percent-decoded URI segment value.
+ * - Query strings and fragments (`?`, `#`) are **not** stripped — they become part of
+ *   the captured variable value for the segment that contains them.
+ *
+ * ### Specificity scoring
+ *
+ * When multiple templates match the same URI, each matched literal segment contributes
+ * 2 points and each variable capture contributes 1 point. The highest-scoring match wins.
+ *
+ * ### Safety limits
+ *
+ * - URIs longer than [maxUriLength] characters are rejected.
+ * - Templates and URIs with more than [maxDepth] segments are rejected.
+ *
+ * ### Security contract for handler authors
+ *
+ * Values in [MatchResult.variables] are attacker-controlled strings extracted from
+ * the incoming URI. They are percent-decoded (one pass only) before being returned.
+ * Handlers **must** treat them as untrusted input and validate or sanitize them
+ * before using them to construct file paths, database queries, downstream URLs, or
+ * any other security-sensitive operation.
+ *
+ * In particular:
+ * - A decoded value may contain `/`, `..`, null bytes (`\u0000`), `?`, or `#`.
+ * - `%252F` in the URI becomes `%2F` in the variable — exactly one decode pass is applied.
+ *
+ * ### Platform limitations
+ *
+ * Dot-segment normalization (resolving `..` and `.` in the URI path) is performed
+ * on JVM and JS targets using the platform-native URI parser. On native and WASM targets
+ * no normalizer is available, so dot-segment traversal is **not** mitigated at this
+ * layer — handlers on those targets must normalize paths themselves.
+ *
+ * @param resourceTemplate The resource template to match against. Must follow RFC 6570 Level 1 syntax.
+ * @param maxUriLength Maximum allowed length for incoming URIs. Defaults to 2048.
+ * @param maxDepth Maximum allowed segment count for the template/uri. Defaults to 50.
+ *
+ * @property resourceTemplate The resource template against which resource URIs will be matched.
+ */
+public class PathSegmentTemplateMatcher @JvmOverloads constructor(
+    override val resourceTemplate: ResourceTemplate,
+    private val maxDepth: Int = MAX_DEPTH,
+    private val maxUriLength: Int = MAX_URL_LENGTH,
+) : ResourceTemplateMatcher {
+
+    public companion object {
+        /**
+         * A [ResourceTemplateMatcherFactory] that creates [PathSegmentTemplateMatcher] instances
+         * with default limits. Pass this to [io.modelcontextprotocol.kotlin.sdk.server.ServerOptions]
+         * to use path-segment matching, or supply a custom factory to override the matching strategy.
+         */
+        @JvmStatic
+        public val factory: ResourceTemplateMatcherFactory = ResourceTemplateMatcherFactory {
+            PathSegmentTemplateMatcher(it)
+        }
+
+        @JvmStatic
+        private val logger = KotlinLogging.logger {}
+    }
+
+    private val templateParts: List<String>
+
+    // Maps segment index to variable name; indices absent from this map are literal segments.
+    private val variableIndices: Map<Int, String>
+
+    init {
+        val template = resourceTemplate.uriTemplate
+        require(template.isNotBlank()) { "Resource template cannot be blank" }
+        templateParts = template.trim('/').split("/")
+        require(templateParts.size <= maxDepth) {
+            "Template is too complex (max depth=$maxDepth)"
+        }
+
+        val vars = mutableMapOf<Int, String>()
+        for (i in templateParts.indices) {
+            val segment = templateParts[i]
+            if (segment.startsWith("{") && segment.endsWith("}")) {
+                val name = segment.removeSurrounding("{", "}").trim()
+                require(name.isNotEmpty()) { "Invalid variable name in template: $segment" }
+                vars[i] = name
+            }
+        }
+        variableIndices = vars.toImmutableMap()
+    }
+
+    @Suppress("ReturnCount")
+    override fun match(resourceUri: String): MatchResult? {
+        if (resourceUri.length > maxUriLength) {
+            logger.debug { "URL is too long (max=$maxUriLength)" }
+            return null
+        }
+
+        // Resolve dot-segments (e.g. /a/../b → /a/b) before splitting.
+        // Prevents traversal attacks on JVM/JS; no-op on native/WASM targets.
+        val normalized = normalizeUri(resourceUri)
+
+        val urlParts = normalized.trim('/').split("/")
+        if (urlParts.size > maxDepth) {
+            logger.debug { "URI has too many segments (max=$maxDepth)" }
+            return null
+        }
+        if (urlParts.size != templateParts.size) return null
+
+        val variables = mutableMapOf<String, String>()
+        var score = 0
+
+        for (i in templateParts.indices) {
+            val urlSegment = urlParts[i].decodeURLPart()
+            val variableName = variableIndices[i]
+            if (variableName != null) {
+                variables[variableName] = urlSegment
+                score += VARIABLE_MATCH_SCORE
+            } else if (templateParts[i] == urlSegment) {
+                score += LITERAL_MATCH_SCORE
+            } else {
+                return null
+            }
+        }
+
+        return MatchResult(variables = variables.toImmutableMap(), score = score)
+    }
+}

kotlin-sdk-core/src/commonMain/kotlin/io/modelcontextprotocol/kotlin/sdk/utils/ResourceTemplateMatcher.kt

@@ -0,0 +1,67 @@
+package io.modelcontextprotocol.kotlin.sdk.utils
+
+import io.modelcontextprotocol.kotlin.sdk.types.ResourceTemplate
+
+/**
+ * Represents the result of a successful template match.
+ *
+ * A higher [score] indicates a more specific match. Implementations must ensure that
+ * literal segment matches contribute more to the score than variable captures, so that
+ * a fully literal template (e.g., `users/profile`) always outscores a parameterized
+ * template (e.g., `users/{id}`) for the same URI.
+ *
+ * @property variables A mapping of variable names in the template to their matched values in the URL.
+ * @property score A non-negative measure of match specificity — higher means more literal segments matched.
+ */
+public class MatchResult(public val variables: Map<String, String>, public val score: Int) {
+    override fun equals(other: Any?): Boolean {
+        if (this === other) return true
+        if (other !is MatchResult) return false
+        return score == other.score && variables == other.variables
+    }
+
+    override fun hashCode(): Int = 31 * variables.hashCode() + score
+
+    override fun toString(): String = "MatchResult(variables=$variables, score=$score)"
+}
+
+/**
+ * Matches resource URIs against a [ResourceTemplate].
+ *
+ * Implementations parse a URI template once at construction time and then match
+ * candidate URIs against that template via [match]. The returned [MatchResult.score]
+ * must reflect match specificity so that a selection algorithm can prefer the most
+ * specific template when multiple templates match the same URI.
+ */
+public interface ResourceTemplateMatcher {
+
+    public val resourceTemplate: ResourceTemplate
+
+    /**
+     * Matches a given resource URI against the defined resource template.
+     *
+     * @param resourceUri The resource URI to be matched.
+     * @return A [MatchResult] containing the mapping of variables and a match score
+     *      if the URI matches the template, or null if no match is found.
+     */
+    public fun match(resourceUri: String): MatchResult?
+}
+
+/**
+ * Factory interface for creating instances of [ResourceTemplateMatcher].
+ *
+ * A [ResourceTemplateMatcher] is used to match resource URIs against a given
+ * [ResourceTemplate], which adheres to the RFC 6570 URI Template specification.
+ * This factory abstracts the creation process of a matcher, allowing different
+ * implementations to define custom matching logic or safeguards (e.g., security
+ * measures or restrictions on template complexity).
+ */
+public fun interface ResourceTemplateMatcherFactory {
+    /**
+     * Creates a resource template matcher for the given resource template.
+     *
+     * @param resourceTemplate The resource template to create a matcher for.
+     * @return A [ResourceTemplateMatcher] instance that can match URIs against the provided template.
+     */
+    public fun create(resourceTemplate: ResourceTemplate): ResourceTemplateMatcher
+}

kotlin-sdk-core/src/commonMain/kotlin/io/modelcontextprotocol/kotlin/sdk/utils/UriUtils.kt

@@ -0,0 +1,16 @@
+package io.modelcontextprotocol.kotlin.sdk.utils
+
+/**
+ * Normalizes [uri] by resolving dot-segments (`/a/b/../c` → `/a/c`) using the
+ * platform-native URI parser.
+ *
+ * On JVM uses [java.net.URI.normalize]. On JS uses the browser/Node.js `URL` API.
+ * On native and WASM targets [uri] is returned unchanged — no platform normalizer
+ * is available, so callers on those targets do not receive dot-segment resolution.
+ *
+ * Returns [uri] unchanged if it cannot be parsed or normalized.
+ *
+ * **Security note**: call this before splitting a URI into segments to prevent
+ * dot-segment traversal attacks (e.g. `public/../private/secret`).
+ */
+internal expect fun normalizeUri(uri: String): String