Web Endpoints

HTTP routes (outside /mcp)

All non-MCP routes are handled in src/index.ts L3290-3470 (the fetch function). CORS headers are set on every response (see src/mcp.ts L3-11).

PathMethodQueryReturnsSource
/GETJSON health (name/version/endpoints/tools)L3296
/healthzGETSame as /L3296
/plotGET?d=<base64url-gzipped-json>SVG imageL3300-3317
/pngGET?d=<base64url-gzipped-json>PNG image (resvg + pathified CJK)L3320-3330
/multi_plotGET?spec=<urlencoded-json>SVG subplot gridL3332-3342
/multi_plot.pngGET?spec=<urlencoded-json>PNG subplot gridL3344-3354
/s/{token}GETShort link render (PNG/SVG/HTML)L3356-3366
/force.svgGET?d=<...>Force diagram SVG (simple)L3368-3377
/force-analysis.svgGET?d=<...>Force analysis SVG (rich, axes/components/resultant)L3379-3388
/circuit.svgGET?d=<...>Circuit diagram SVGL3390-3399
/venn.svgGET?d=<...>Venn diagram SVGL3401-3410
/c-memory.svgGET?d=<...>C memory layout SVGL3412-3421
/shape3d.htmlGET?d=<...>Interactive 3D viewer HTMLL3423-3432
/mcpPOSTJSON-RPC 2.0 bodyMCP responseL3434-3468
(anything else)404 not_foundL3434-3436

The ?d= query parameter

All SVG/PNG endpoints accept a gzipped, base64-url encoded JSON spec. The encoding is implemented in src/utils.ts:

  • toCompressedBase64UrlFromJson(value) — compresses with CompressionStream("gzip"), then base64-url encodes. URL-safe (no +, /, =).
  • parseCompressedBase64UrlJson(packed) — reverses the above.

The spec JSON shape is tool-specific (e.g. for /plot: {expr, x_min, x_max, points, title, xlabel, ylabel, annotations}). For /multi_plot, the shape is the MultiPlotResult from buildSubplot.

Short links

When buildShortUrl (src/index.ts L2306) computes a ?d= longer than 3600 chars, it falls back to storing the payload in KV and returning a short URL {origin}/s/{token}. The token is 8 chars of base32. Each token maps to a ShortLinkRecord in KV under short:{token} with TTL 30 days (SHORT_LINK_TTL_SECONDS = 60*60*24*30).

The renderShortLink function (L2383) dispatches based on record.path to the matching renderer: /png uses renderPngResponse, SVG paths return their respective render*Svg functions, /shape3d.html returns the HTML viewer.

CORS

Every response includes access-control-allow-origin: *, access-control-allow-methods: GET, POST, OPTIONS, and access-control-allow-headers: content-type, mcp-session-id. The OPTIONS method returns 204 with the same headers.

Cache headers

All image responses set cache-control: public, max-age=300 (5 minutes). KV writes also expire at 30 days, so a short link won't outlive its KV record.