feat(web): add MCP HTTP endpoint with Streamable HTTP transport (#976)

* feat(web): add MCP HTTP endpoint with Streamable HTTP transport (SOU-263)

- Add /api/mcp route with WebStandardStreamableHTTPServerTransport supporting SSE and JSON responses
- Add Bearer token auth support to getAuthenticatedUser for programmatic MCP clients
- Add session ownership validation to prevent session hijacking (per MCP security spec)
- Extract chat utils to utils.server.ts to fix 'use server' module boundary violations
- Add ask_codebase, search_code, read_file, list_repos, list_commits, list_tree, list_language_models MCP tools
- Add withAuthV2 tests for Bearer token authentication flow

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* add method to apiHandler

* changelog

* feedback

* feedback

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- Added support a MCP streamable http transport hosted at `/api/mcp`. [#976](https://github.com/sourcebot-dev/sourcebot/pull/976)
+
 ## [4.13.2] - 2026-03-02
 
 ### Changed

packages/web/package.json

@@ -59,6 +59,7 @@
     "@hookform/resolvers": "^3.9.0",
     "@iconify/react": "^5.1.0",
     "@iizukak/codemirror-lang-wgsl": "^0.3.0",
+    "@modelcontextprotocol/sdk": "^1.27.1",
     "@openrouter/ai-sdk-provider": "^2.2.3",
     "@opentelemetry/api-logs": "^0.203.0",
     "@opentelemetry/instrumentation": "^0.203.0",

packages/web/src/app/[domain]/askgh/[owner]/[repo]/page.tsx

@@ -1,13 +1,13 @@
 import { addGithubRepo } from "@/features/workerApi/actions";
-import { isServiceError, unwrapServiceError } from "@/lib/utils";
+import { isServiceError } from "@/lib/utils";
 import { ServiceErrorException } from "@/lib/serviceError";
 import { prisma } from "@/prisma";
 import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
 import { getRepoInfo } from "./api";
 import { CustomSlateEditor } from "@/features/chat/customSlateEditor";
 import { RepoIndexedGuard } from "./components/repoIndexedGuard";
 import { LandingPage } from "./components/landingPage";
-import { getConfiguredLanguageModelsInfo } from "@/features/chat/actions";
+import { getConfiguredLanguageModelsInfo } from "@/features/chat/utils.server";
 import { auth } from "@/auth";
 
 interface PageProps {
@@ -45,8 +45,12 @@ export default async function GitHubRepoPage(props: PageProps) {
         return response.repoId;
     })();
 
-    const repoInfo = await unwrapServiceError(getRepoInfo(repoId));
-    const languageModels = await unwrapServiceError(getConfiguredLanguageModelsInfo());
+    const repoInfo = await getRepoInfo(repoId)
+    const languageModels = await getConfiguredLanguageModelsInfo()
+
+    if (isServiceError(repoInfo)) {
+        throw new ServiceErrorException(repoInfo);
+    }
 
     return (
         <RepoIndexedGuard initialRepoInfo={repoInfo}>

packages/web/src/app/[domain]/browse/layout.tsx

@@ -1,6 +1,6 @@
 import { auth } from "@/auth";
 import { LayoutClient } from "./layoutClient";
-import { getConfiguredLanguageModelsInfo } from "@/features/chat/actions";
+import { getConfiguredLanguageModelsInfo } from "@/features/chat/utils.server";
 
 interface LayoutProps {
     children: React.ReactNode;

packages/web/src/app/[domain]/chat/[id]/page.tsx

@@ -1,5 +1,6 @@
 import { getRepos, getSearchContexts } from '@/actions';
-import { getUserChatHistory, getConfiguredLanguageModelsInfo, getChatInfo, claimAnonymousChats, getSharedWithUsersForChat } from '@/features/chat/actions';
+import { getUserChatHistory, getChatInfo, claimAnonymousChats, getSharedWithUsersForChat } from '@/features/chat/actions';
+import { getConfiguredLanguageModelsInfo } from "@/features/chat/utils.server";
 import { ServiceErrorException } from '@/lib/serviceError';
 import { isServiceError } from '@/lib/utils';
 import { ChatThreadPanel } from './components/chatThreadPanel';

packages/web/src/app/[domain]/chat/page.tsx

@@ -1,6 +1,7 @@
 import { getRepos, getReposStats, getSearchContexts } from "@/actions";
 import { SourcebotLogo } from "@/app/components/sourcebotLogo";
-import { getConfiguredLanguageModelsInfo, getUserChatHistory } from "@/features/chat/actions";
+import { getUserChatHistory } from "@/features/chat/actions";
+import { getConfiguredLanguageModelsInfo } from "@/features/chat/utils.server";
 import { CustomSlateEditor } from "@/features/chat/customSlateEditor";
 import { ServiceErrorException } from "@/lib/serviceError";
 import { isServiceError, measure } from "@/lib/utils";

packages/web/src/app/[domain]/search/page.tsx

@@ -2,7 +2,7 @@ import { env } from "@sourcebot/shared";
 import { SearchLandingPage } from "./components/searchLandingPage";
 import { SearchResultsPage } from "./components/searchResultsPage";
 import { auth } from "@/auth";
-import { getConfiguredLanguageModelsInfo } from "@/features/chat/actions";
+import { getConfiguredLanguageModelsInfo } from "@/features/chat/utils.server";
 
 interface SearchPageProps {
     params: Promise<{ domain: string }>;

packages/web/src/app/api/(server)/chat/blocking/route.ts

@@ -1,23 +1,11 @@
-import { sew } from "@/actions";
-import { _getConfiguredLanguageModelsFull, _getAISDKLanguageModelAndOptions, _updateChatMessages, _generateChatNameFromMessage } from "@/features/chat/actions";
-import { LanguageModelInfo, languageModelInfoSchema, SBChatMessage, SearchScope } from "@/features/chat/types";
-import { convertLLMOutputToPortableMarkdown, getAnswerPartFromAssistantMessage, getLanguageModelKey } from "@/features/chat/utils";
-import { ErrorCode } from "@/lib/errorCodes";
-import { requestBodySchemaValidationError, ServiceError, ServiceErrorException, serviceErrorResponse } from "@/lib/serviceError";
+import { askCodebase } from "@/features/mcp/askCodebase";
+import { languageModelInfoSchema } from "@/features/chat/types";
+import { apiHandler } from "@/lib/apiHandler";
+import { requestBodySchemaValidationError, serviceErrorResponse } from "@/lib/serviceError";
 import { isServiceError } from "@/lib/utils";
-import { withOptionalAuthV2 } from "@/withAuthV2";
-import { ChatVisibility, Prisma } from "@sourcebot/db";
-import { createLogger, env } from "@sourcebot/shared";
-import { randomUUID } from "crypto";
-import { StatusCodes } from "http-status-codes";
+import { ChatVisibility } from "@sourcebot/db";
 import { NextRequest, NextResponse } from "next/server";
 import { z } from "zod";
-import { createMessageStream } from "../route";
-import { InferUIMessageChunk, UITools, UIDataTypes, UIMessage } from "ai";
-import { apiHandler } from "@/lib/apiHandler";
-import { captureEvent } from "@/lib/posthog";
-
-const logger = createLogger('chat-blocking-api');
 
 /**
  * Request schema for the blocking chat API.
@@ -40,22 +28,12 @@ const blockingChatRequestSchema = z.object({
         .describe("The visibility of the chat session. If not provided, defaults to PRIVATE for authenticated users and PUBLIC for anonymous users. Set to PUBLIC to make the chat viewable by anyone with the link. Note: Anonymous users cannot create PRIVATE chats; any PRIVATE request from an unauthenticated user will be ignored and set to PUBLIC."),
 });
 
-/**
- * Response schema for the blocking chat API.
- */
-interface BlockingChatResponse {
-    answer: string;
-    chatId: string;
-    chatUrl: string;
-    languageModel: LanguageModelInfo;
-}
-
 /**
  * POST /api/chat/blocking
- * 
+ *
  * A blocking (non-streaming) chat endpoint designed for MCP and other integrations.
  * Creates a chat session, runs the agent to completion, and returns the final answer.
- * 
+ *
  * The chat session is persisted to the database, allowing users to view the full
  * conversation (including tool calls and reasoning) in the web UI.
  */
@@ -67,202 +45,11 @@ export const POST = apiHandler(async (request: NextRequest) => {
         return serviceErrorResponse(requestBodySchemaValidationError(parsed.error));
     }
 
-    const { query, repos = [], languageModel: requestedLanguageModel, visibility: requestedVisibility } = parsed.data;
-
-    const response: BlockingChatResponse | ServiceError = await sew(() =>
-        withOptionalAuthV2(async ({ org, user, prisma }) => {
-            // Get all configured language models
-            const configuredModels = await _getConfiguredLanguageModelsFull();
-            if (configuredModels.length === 0) {
-                return {
-                    statusCode: StatusCodes.BAD_REQUEST,
-                    errorCode: ErrorCode.INVALID_REQUEST_BODY,
-                    message: "No language models are configured. Please configure at least one language model. See: https://docs.sourcebot.dev/docs/configuration/language-model-providers",
-                } satisfies ServiceError;
-            }
-
-            // Use the requested language model if provided, otherwise default to the first configured model
-            let languageModelConfig = configuredModels[0];
-            if (requestedLanguageModel) {
-                const matchingModel = configuredModels.find(
-                    (m) => getLanguageModelKey(m) === getLanguageModelKey(requestedLanguageModel as LanguageModelInfo)
-                );
-                if (!matchingModel) {
-                    return {
-                        statusCode: StatusCodes.BAD_REQUEST,
-                        errorCode: ErrorCode.INVALID_REQUEST_BODY,
-                        message: `Language model '${requestedLanguageModel.provider}/${requestedLanguageModel.model}' is not configured.`,
-                    } satisfies ServiceError;
-                }
-                languageModelConfig = matchingModel;
-            }
-
-            const { model, providerOptions } = await _getAISDKLanguageModelAndOptions(languageModelConfig);
-            const modelName = languageModelConfig.displayName ?? languageModelConfig.model;
-
-            // Determine visibility: anonymous users cannot create private chats (they would be inaccessible)
-            // Only use requested visibility if user is authenticated, otherwise always use PUBLIC
-            const chatVisibility = (requestedVisibility && user)
-                ? requestedVisibility
-                : (user ? ChatVisibility.PRIVATE : ChatVisibility.PUBLIC);
-
-            // Create a new chat session
-            const chat = await prisma.chat.create({
-                data: {
-                    orgId: org.id,
-                    createdById: user?.id,
-                    visibility: chatVisibility,
-                    messages: [] as unknown as Prisma.InputJsonValue,
-                },
-            });
-
-            await captureEvent('wa_chat_thread_created', {
-                chatId: chat.id,
-                isAnonymous: !user,
-            });
-
-            // Run the agent to completion
-            logger.debug(`Starting blocking agent for chat ${chat.id}`, {
-                chatId: chat.id,
-                query: query.substring(0, 100),
-                model: modelName,
-            });
-
-            // Create the initial user message
-            const userMessage: SBChatMessage = {
-                id: randomUUID(),
-                role: 'user',
-                parts: [{ type: 'text', text: query }],
-            };
-
-            const selectedRepos = (await Promise.all(repos.map(async (repo) => {
-                const repoDB = await prisma.repo.findFirst({
-                    where: {
-                        name: repo,
-                    },
-                });
-
-                if (!repoDB) {
-                    throw new ServiceErrorException({
-                        statusCode: StatusCodes.BAD_REQUEST,
-                        errorCode: ErrorCode.INVALID_REQUEST_BODY,
-                        message: `Repository '${repo}' not found.`,
-                    })
-                }
-
-                return {
-                    type: 'repo',
-                    value: repoDB.name,
-                    name: repoDB.displayName ?? repoDB.name.split('/').pop() ?? repoDB.name,
-                    codeHostType: repoDB.external_codeHostType,
-                } satisfies SearchScope;
-            })));
-
-            // We'll capture the final messages and usage from the stream
-            let finalMessages: SBChatMessage[] = [];
-
-            await captureEvent('wa_chat_message_sent', {
-                chatId: chat.id,
-                messageCount: 1,
-                selectedReposCount: selectedRepos.length,
-                ...(env.EXPERIMENT_ASK_GH_ENABLED === 'true' ? {
-                    selectedRepos: selectedRepos.map(r => r.value)
-                } : {}),
-            });
-
-            const stream = await createMessageStream({
-                chatId: chat.id,
-                messages: [userMessage],
-                metadata: {
-                    selectedSearchScopes: selectedRepos,
-                },
-                selectedRepos: selectedRepos.map(r => r.value),
-                model,
-                modelName,
-                modelProviderOptions: providerOptions,
-                onFinish: async ({ messages }) => {
-                    finalMessages = messages;
-                },
-                onError: (error) => {
-                    if (error instanceof ServiceErrorException) {
-                        throw error;
-                    }
-
-                    const message = error instanceof Error ? error.message : String(error);
-                    throw new ServiceErrorException({
-                        statusCode: StatusCodes.INTERNAL_SERVER_ERROR,
-                        errorCode: ErrorCode.UNEXPECTED_ERROR,
-                        message,
-                    });
-                },
-            })
-
-            const [_, name] = await Promise.all([
-                // Consume the stream fully to trigger onFinish
-                blockStreamUntilFinish(stream),
-                // Generate and update the chat name
-                _generateChatNameFromMessage({
-                    message: query,
-                    languageModelConfig,
-                })
-            ]);
-
-            // Persist the messages to the chat
-            await _updateChatMessages({ chatId: chat.id, messages: finalMessages, prisma });
-
-            // Update the chat name
-            await prisma.chat.update({
-                where: {
-                    id: chat.id,
-                    orgId: org.id,
-                },
-                data: {
-                    name: name,
-                },
-            });
-
-            // Extract the answer text from the assistant message
-            const assistantMessage = finalMessages.find(m => m.role === 'assistant');
-            const answerPart = assistantMessage
-                ? getAnswerPartFromAssistantMessage(assistantMessage, false)
-                : undefined;
-            const answerText = answerPart?.text ?? '';
-
-            // Build the base URL and chat URL
-            const baseUrl = env.AUTH_URL;
-
-            // Convert to portable markdown (replaces @file: references with markdown links)
-            const portableAnswer = convertLLMOutputToPortableMarkdown(answerText, baseUrl);
-            const chatUrl = `${baseUrl}/${org.domain}/chat/${chat.id}`;
-
-            logger.debug(`Completed blocking agent for chat ${chat.id}`, {
-                chatId: chat.id,
-            });
-
-            return {
-                answer: portableAnswer,
-                chatId: chat.id,
-                chatUrl,
-                languageModel: {
-                    provider: languageModelConfig.provider,
-                    model: languageModelConfig.model,
-                    displayName: languageModelConfig.displayName,
-                },
-            } satisfies BlockingChatResponse;
-        })
-    );
+    const response = await askCodebase(parsed.data);
 
     if (isServiceError(response)) {
         return serviceErrorResponse(response);
     }
 
     return NextResponse.json(response);
 });
-
-const blockStreamUntilFinish = async <T extends UIMessage<unknown, UIDataTypes, UITools>>(stream: ReadableStream<InferUIMessageChunk<T>>) => {
-    const reader = stream.getReader();
-    while (true as const) {
-        const { done } = await reader.read();
-        if (done) break;
-    }
-}