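/**
 * JSON-RPC error codes returned by this server.
 *
 * The first group are the codes defined by the JSON-RPC 2.0 specification.
 * Every other code lies in the -32000..-32099 range, which the specification
 * reserves for implementation-defined server errors, so none of the custom
 * codes can collide with a standard one. Codes are grouped by sub-range
 * (-3200x transport/policy, -3201x JWT, -3202x authorization) so a client
 * can classify a failure from the code alone.
 */
export const ERROR_CODES = {
  // Standard JSON-RPC 2.0 errors
  PARSE_ERROR: -32700,
  INVALID_REQUEST: -32600,
  METHOD_NOT_FOUND: -32601,
  INVALID_PARAMS: -32602,
  INTERNAL_ERROR: -32603,
  // Custom security error codes (transport / request policy)
  SERVER_ERROR: -32000,
  UNAUTHORIZED: -32001,
  REQUEST_TIMEOUT: -32002,
  RATE_LIMIT_EXCEEDED: -32003,
  CORS_VIOLATION: -32004,
  PAYLOAD_TOO_LARGE: -32005,
  VALIDATION_ERROR: -32006,
  METHOD_NOT_ALLOWED: -32007,
  // JWT-specific error codes; one per verification failure so clients can
  // distinguish "re-authenticate" (expired/revoked) from "client bug"
  // (malformed/wrong audience) — presumably mapped from the verifier's
  // error types, confirm against the auth middleware
  JWT_TOKEN_EXPIRED: -32010,
  JWT_TOKEN_MALFORMED: -32011,
  JWT_TOKEN_NOT_ACTIVE: -32012,
  JWT_INVALID_AUDIENCE: -32013,
  JWT_INVALID_ISSUER: -32014,
  JWT_INVALID_ALGORITHM: -32015,
  JWT_TOKEN_REVOKED: -32016,
  JWT_INVALID_CLAIMS: -32017,
  // Authorization error codes (authenticated, but not permitted)
  USER_NOT_AUTHORIZED: -32020,
} as const

/** Symbolic name of an error code, e.g. `'UNAUTHORIZED'`. */
export type ErrorCodeName = keyof typeof ERROR_CODES

/** Numeric JSON-RPC error code, e.g. `-32001`. Derived from ERROR_CODES so the two cannot drift. */
export type ErrorCode = (typeof ERROR_CODES)[ErrorCodeName]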
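/**
 * Tags for security-relevant events (presumably emitted to the audit/security
 * log by the middleware — confirm against the logger). Each value is spelled
 * identically to its key so the tag survives serialization unchanged and can
 * be matched verbatim by downstream detection rules.
 *
 * Several names mirror entries in ERROR_CODES (CORS_VIOLATION,
 * RATE_LIMIT_EXCEEDED, REQUEST_TIMEOUT, PAYLOAD_TOO_LARGE, VALIDATION_ERROR):
 * the error code is what the client sees, the event type is what is logged.
 */
export const SECURITY_EVENT_TYPES = {
  CORS_VIOLATION: 'CORS_VIOLATION',
  RATE_LIMIT_EXCEEDED: 'RATE_LIMIT_EXCEEDED',
  REQUEST_TIMEOUT: 'REQUEST_TIMEOUT',
  PAYLOAD_TOO_LARGE: 'PAYLOAD_TOO_LARGE',
  AUTHENTICATION_FAILED: 'AUTHENTICATION_FAILED',
  INVALID_TOKEN: 'INVALID_TOKEN',
  SUSPICIOUS_ACTIVITY: 'SUSPICIOUS_ACTIVITY',
  VALIDATION_ERROR: 'VALIDATION_ERROR',
} as const

/** Union of the event tag strings, derived from SECURITY_EVENT_TYPES so the two cannot drift. */
export type SecurityEventType = (typeof SECURITY_EVENT_TYPES)[keyof typeof SECURITY_EVENT_TYPES]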
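/**
 * HTTP methods the server accepts; anything else is presumably rejected with
 * ERROR_CODES.METHOD_NOT_ALLOWED (confirm against the method-check middleware).
 * HEAD and PATCH are deliberately absent from this list; OPTIONS is included,
 * presumably so CORS preflight requests are not rejected before the CORS
 * layer sees them.
 *
 * Kept as a readonly tuple so `AllowedHttpMethod` stays a literal union rather
 * than widening to `string`.
 */
export const ALLOWED_HTTP_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'] as const

/** One of the accepted method names, derived from ALLOWED_HTTP_METHODS. */
export type AllowedHttpMethod = (typeof ALLOWED_HTTP_METHODS)[number]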
/**
 * Fixed parameters for the JWTs this server issues and verifies.
 *
 * `ISSUER` and `AUDIENCE` are presumably the expected `iss` / `aud` claim
 * values (ERROR_CODES.JWT_INVALID_ISSUER / JWT_INVALID_AUDIENCE exist for
 * mismatches — confirm in the verifier). `HS256` is a symmetric HMAC-SHA256
 * algorithm: the same secret both signs and verifies, so the secret must
 * never be shared with token consumers. NOTE(review): confirm that
 * verification restricts accepted algorithms to exactly `ALGORITHM`
 * (ERROR_CODES.JWT_INVALID_ALGORITHM suggests it does) rather than trusting
 * the token header's own `alg` field.
 */
export const JWT_CONSTANTS = {
ISSUER: 'todoist-mcp',
AUDIENCE: 'todoist-mcp-client',
ALGORITHM: 'HS256',
} as const
/**
 * Names of the HTTP request headers the security layer references.
 *
 * HTTP header names are case-insensitive on the wire; these are the canonical
 * spellings used for lookups. `AUTHORIZATION` and `API_KEY` are the two
 * credential-bearing headers — presumably a bearer JWT and a static API key
 * respectively; confirm against the auth middleware and make sure neither
 * value is written to logs.
 */
export const SECURITY_HEADERS = {
AUTHORIZATION: 'Authorization',
API_KEY: 'X-API-Key',
CONTENT_TYPE: 'Content-Type',
USER_AGENT: 'User-Agent',
} as const
/**
 * Fallback values for the security middleware; presumably each can be
 * overridden by configuration (not visible here — confirm).
 *
 * Two different size limits are declared: `MAX_REQUEST_SIZE` is a size
 * string ('10mb') and `MAX_REQUEST_PAYLOAD_SIZE` is a byte count (50000),
 * roughly 200x smaller. NOTE(review): confirm which layer enforces each and
 * that the larger transport-level limit is intentional — a body parser
 * accepting 10 MB buffers the whole body before any 50 KB check can run.
 */
export const SECURITY_DEFAULTS = {
REQUEST_TIMEOUT_MS: 30000, // 30 seconds; presumably what triggers REQUEST_TIMEOUT
RATE_LIMIT_WINDOW_MS: 900000, // 15 minutes
RATE_LIMIT_MAX_REQUESTS: 100, // presumably per RATE_LIMIT_WINDOW_MS, per client — confirm the keying
MAX_REQUEST_SIZE: '10mb', // size string; presumably handed to a body parser — confirm
MAX_REQUEST_PAYLOAD_SIZE: 50000, // 50KB, byte count
JWT_EXPIRES_IN: '24h', // token lifetime; NOTE(review): long for a bearer token unless a refresh/revocation path exists (ERROR_CODES.JWT_TOKEN_REVOKED suggests one)
HSTS_MAX_AGE: 31536000, // 1 year, in seconds (Strict-Transport-Security max-age)
} as const