@atxp/common 0.2.22 → 0.3.0

package/dist/index.js

@@ -1,12 +1,887 @@
-export * from './jwt.js';
-export * from './logger.js';
-export * from './memoryOAuthDb.js';
-export * from './oAuthResource.js';
-export * from './paymentRequiredError.js';
-export * from './servers.js';
-export * from './types.js';
-export * from './utils.js';
-export * from './mcpJson.js';
-export * from './sseParser.js';
-export * from './platform/index.js';
-//# sourceMappingURL=index.js.map
+import { SignJWT } from 'jose';
+import * as oauth from 'oauth4webapi';
+import { McpError, isJSONRPCError, isJSONRPCResponse, JSONRPCMessageSchema } from '@modelcontextprotocol/sdk/types.js';
+import { ZodError } from 'zod';
+
+// TODO: revisit this
+const ISSUER = 'atxp.ai';
+const AUDIENCE = 'https://auth.atxp.ai';
+/**
+ * Generate a JWT using the jose library and EdDSA (Ed25519) private key.
+ * @param walletId - The subject (public key, wallet address, etc.)
+ * @param privateKey - Ed25519 private key as a CryptoKey or Uint8Array
+ * @param paymentIds - Optional array of payment IDs to include in the payload
+ * @returns JWT string
+ */
+const generateJWT = async (walletId, privateKey, paymentRequestId, codeChallenge) => {
+    const payload = {
+        code_challenge: codeChallenge,
+    };
+    if (paymentRequestId)
+        payload.payment_request_id = paymentRequestId;
+    if (codeChallenge)
+        payload.code_challenge = codeChallenge;
+    return await new SignJWT(payload)
+        .setProtectedHeader({ alg: 'EdDSA', typ: 'JWT' })
+        .setIssuedAt()
+        .setIssuer(ISSUER)
+        .setAudience(AUDIENCE)
+        .setSubject(walletId)
+        .setExpirationTime('2m')
+        .sign(privateKey);
+};
+
+/**
+ * Exhaustiveness check for switch statements.
+ * This function should never be called at runtime.
+ * It's used to ensure all cases of a union type or enum are handled.
+ *
+ * @param value - The value that should have been handled by all cases
+ * @param message - Optional error message
+ * @throws {Error} Always throws an error indicating unhandled case
+ */
+function assertNever(value, message) {
+    const errorMessage = message || `Unhandled case: ${JSON.stringify(value)}`;
+    throw new Error(errorMessage);
+}
+/**
+ * Type-safe way to check if a value is one of the enum values.
+ *
+ * @param enumObj - The enum object
+ * @param value - The value to check
+ * @returns True if the value is a valid enum value
+ */
+function isEnumValue(enumObj, value) {
+    return Object.values(enumObj).includes(value);
+}
+
+const DEFAULT_AUTHORIZATION_SERVER = 'https://auth.atxp.ai';
+var LogLevel;
+(function (LogLevel) {
+    LogLevel[LogLevel["DEBUG"] = 0] = "DEBUG";
+    LogLevel[LogLevel["INFO"] = 1] = "INFO";
+    LogLevel[LogLevel["WARN"] = 2] = "WARN";
+    LogLevel[LogLevel["ERROR"] = 3] = "ERROR";
+})(LogLevel || (LogLevel = {}));
+
+/* eslint-disable no-console */
+class ConsoleLogger {
+    constructor({ prefix = '[atxp]', level = LogLevel.INFO } = {}) {
+        this.debug = (message) => {
+            this.log(LogLevel.DEBUG, message);
+        };
+        this.info = (message) => {
+            this.log(LogLevel.INFO, message);
+        };
+        this.warn = (message) => {
+            this.log(LogLevel.WARN, message);
+        };
+        this.error = (message) => {
+            this.log(LogLevel.ERROR, message);
+        };
+        this.prefix = prefix;
+        this._level = level;
+    }
+    get level() {
+        return this._level;
+    }
+    set level(level) {
+        this._level = level;
+    }
+    log(level, message) {
+        if (level >= this._level) {
+            const consoleMethod = this.getConsoleMethod(level);
+            consoleMethod(`${this.prefix} ${message}`);
+        }
+    }
+    getConsoleMethod(level) {
+        switch (level) {
+            case LogLevel.DEBUG: return console.debug.bind(console);
+            case LogLevel.INFO: return console.info.bind(console);
+            case LogLevel.WARN: return console.warn.bind(console);
+            case LogLevel.ERROR: return console.error.bind(console);
+            default: return assertNever(level, `Unknown log level: ${level}`);
+        }
+    }
+}
+
+class MemoryOAuthDb {
+    constructor(config = {}) {
+        this.clientCredentials = new Map();
+        this.pkceValues = new Map(); // key: `${userId}:${state}`
+        this.accessTokens = new Map(); // key: `${userId}:${url}`
+        this.logger = config.logger || new ConsoleLogger({ prefix: '[memory-oauth-db]', level: LogLevel.INFO });
+        this.logger.info(`Initialized in-memory OAuth database (instance: ${Math.random().toString(36).substr(2, 9)})`);
+    }
+    // OAuthResourceDb methods
+    async getClientCredentials(serverUrl) {
+        const credentials = this.clientCredentials.get(serverUrl) || null;
+        if (credentials) {
+            this.logger.debug(`Getting client credentials for server: ${serverUrl} (cached)`);
+        }
+        else {
+            this.logger.info(`Getting client credentials for server: ${serverUrl} (not cached)`);
+            this.logger.debug(`Available keys in cache: ${Array.from(this.clientCredentials.keys()).join(', ')}`);
+        }
+        return credentials;
+    }
+    async saveClientCredentials(serverUrl, credentials) {
+        this.logger.info(`Saving client credentials for server: ${serverUrl}`);
+        this.logger.debug(`Client credentials: clientId=${credentials.clientId}`);
+        this.clientCredentials.set(serverUrl, credentials);
+    }
+    // OAuthDb methods
+    async getPKCEValues(userId, state) {
+        const key = `${userId}:${state}`;
+        this.logger.info(`Getting PKCE values for user: ${userId}, state: ${state}`);
+        return this.pkceValues.get(key) || null;
+    }
+    async savePKCEValues(userId, state, values) {
+        const key = `${userId}:${state}`;
+        this.logger.info(`Saving PKCE values for user: ${userId}, state: ${state}`);
+        this.pkceValues.set(key, values);
+    }
+    async getAccessToken(userId, url) {
+        const key = `${userId}:${url}`;
+        this.logger.info(`Getting access token for user: ${userId}, url: ${url}`);
+        const token = this.accessTokens.get(key);
+        if (!token) {
+            this.logger.debug(`No cached token found for key: ${key}`);
+            return null;
+        }
+        // Check if token has expired
+        if (token.expiresAt && token.expiresAt < Date.now()) {
+            this.logger.info(`Access token expired for user: ${userId}, url: ${url}`);
+            this.accessTokens.delete(key);
+            return null;
+        }
+        this.logger.debug(`Found valid cached token for user: ${userId}, url: ${url}`);
+        return token;
+    }
+    async saveAccessToken(userId, url, token) {
+        const key = `${userId}:${url}`;
+        const existingToken = this.accessTokens.get(key);
+        if (existingToken) {
+            this.logger.debug(`Updating access token for user: ${userId}, url: ${url}`);
+        }
+        else {
+            this.logger.info(`Saving new access token for user: ${userId}, url: ${url}`);
+        }
+        this.accessTokens.set(key, token);
+    }
+    async close() {
+        this.logger.info('Closing in-memory OAuth database');
+        this.clientCredentials.clear();
+        this.pkceValues.clear();
+        this.accessTokens.clear();
+    }
+    // Utility methods for debugging/monitoring
+    getStats() {
+        return {
+            clientCredentials: this.clientCredentials.size,
+            pkceValues: this.pkceValues.size,
+            accessTokens: this.accessTokens.size
+        };
+    }
+    // Clean up expired tokens periodically
+    cleanupExpiredTokens() {
+        const now = Date.now();
+        let cleaned = 0;
+        for (const [key, token] of this.accessTokens.entries()) {
+            if (token.expiresAt && token.expiresAt < now) {
+                this.accessTokens.delete(key);
+                cleaned++;
+            }
+        }
+        if (cleaned > 0) {
+            this.logger.info(`Cleaned up ${cleaned} expired access tokens`);
+        }
+        return cleaned;
+    }
+}
+
+/* eslint-disable @typescript-eslint/no-explicit-any */
+class OAuthResourceClient {
+    constructor({ db, callbackUrl = 'http://localhost:3000/unused-dummy-global-callback', isPublic = false, sideChannelFetch = fetch, strict = false, allowInsecureRequests = process.env.NODE_ENV === 'development', clientName = 'Token Introspection Client', logger = new ConsoleLogger() }) {
+        // In-memory lock to prevent concurrent client registrations
+        this.registrationLocks = new Map();
+        this.introspectToken = async (authorizationServerUrl, token, additionalParameters) => {
+            // Don't use getAuthorizationServer here, because we're not using the resource server url
+            const authorizationServer = await this.authorizationServerFromUrl(new URL(authorizationServerUrl));
+            // When introspecting a token, the "resource" server that we want credentials for is the auth server
+            let clientCredentials = await this.getClientCredentials(authorizationServer);
+            // Create a client for token introspection
+            let client = {
+                client_id: clientCredentials.clientId,
+                token_endpoint_auth_method: 'client_secret_basic'
+            };
+            // Create client authentication method
+            let clientAuth = oauth.ClientSecretBasic(clientCredentials.clientSecret);
+            // Use oauth4webapi's built-in token introspection
+            let introspectionResponse = await oauth.introspectionRequest(authorizationServer, client, clientAuth, token, {
+                additionalParameters,
+                [oauth.customFetch]: this.sideChannelFetch,
+                [oauth.allowInsecureRequests]: this.allowInsecureRequests
+            });
+            if (introspectionResponse.status === 403 || introspectionResponse.status === 401) {
+                this.logger.info(`Bad response status doing token introspection: ${introspectionResponse.statusText}. Could be due to bad client credentials - trying to re-register`);
+                clientCredentials = await this.registerClient(authorizationServer);
+                client = {
+                    client_id: clientCredentials.clientId,
+                    token_endpoint_auth_method: 'client_secret_basic'
+                };
+                clientAuth = oauth.ClientSecretBasic(clientCredentials.clientSecret);
+                introspectionResponse = await oauth.introspectionRequest(authorizationServer, client, clientAuth, token, {
+                    additionalParameters,
+                    [oauth.customFetch]: this.sideChannelFetch,
+                    [oauth.allowInsecureRequests]: this.allowInsecureRequests
+                });
+            }
+            if (introspectionResponse.status !== 200) {
+                throw new Error(`Token introspection failed with status ${introspectionResponse.status}: ${introspectionResponse.statusText}`);
+            }
+            // Process the introspection response
+            const tokenData = await oauth.processIntrospectionResponse(authorizationServer, client, introspectionResponse);
+            return {
+                active: tokenData.active,
+                scope: tokenData.scope,
+                sub: tokenData.sub,
+                aud: tokenData.aud
+            };
+        };
+        this.getAuthorizationServer = async (resourceServerUrl) => {
+            resourceServerUrl = this.normalizeResourceServerUrl(resourceServerUrl);
+            try {
+                const resourceUrl = new URL(resourceServerUrl);
+                const prmResponse = await oauth.resourceDiscoveryRequest(resourceUrl, {
+                    [oauth.customFetch]: this.sideChannelFetch,
+                    [oauth.allowInsecureRequests]: this.allowInsecureRequests
+                });
+                const fallbackToRsAs = !this.strict && prmResponse.status === 404;
+                let authServer = undefined;
+                if (!fallbackToRsAs) {
+                    const resourceServer = await oauth.processResourceDiscoveryResponse(resourceUrl, prmResponse);
+                    authServer = resourceServer.authorization_servers?.[0];
+                }
+                else {
+                    // Some older servers serve OAuth metadata from the MCP server instead of PRM data, 
+                    // so if the PRM data isn't found, we'll try to get the AS metadata from the MCP server
+                    this.logger.info('Protected Resource Metadata document not found, looking for OAuth metadata on resource server');
+                    // Trim off the path - OAuth metadata is also singular for a server and served from the root
+                    const rsUrl = new URL(resourceServerUrl);
+                    const rsAsUrl = rsUrl.protocol + '//' + rsUrl.host + '/.well-known/oauth-authorization-server';
+                    // Don't use oauth4webapi for this, because these servers might be specifiying an issuer that is not
+                    // themselves (in order to use a separate AS by just hosting the OAuth metadata on the MCP server)
+                    //   This is against the OAuth spec, but some servers do it anyway
+                    const rsAsResponse = await this.sideChannelFetch(rsAsUrl);
+                    if (rsAsResponse.status === 200) {
+                        const rsAsBody = await rsAsResponse.json();
+                        authServer = rsAsBody.issuer;
+                    }
+                }
+                if (!authServer) {
+                    throw new Error('No authorization_servers found in protected resource metadata');
+                }
+                const authServerUrl = new URL(authServer);
+                const res = await this.authorizationServerFromUrl(authServerUrl);
+                return res;
+            }
+            catch (error) {
+                this.logger.warn(`Error fetching authorization server configuration: ${error}`);
+                this.logger.warn(error.stack || '');
+                throw error;
+            }
+        };
+        this.authorizationServerFromUrl = async (authServerUrl) => {
+            try {
+                // Explicitly throw for a tricky edge case to trigger tests
+                if (authServerUrl.toString().includes('/.well-known/oauth-protected-resource')) {
+                    throw new Error('Authorization server URL is a PRM URL, which is not supported. It must be an AS URL.');
+                }
+                // Now, get the authorization server metadata
+                const response = await oauth.discoveryRequest(authServerUrl, {
+                    algorithm: 'oauth2',
+                    [oauth.customFetch]: this.sideChannelFetch,
+                    [oauth.allowInsecureRequests]: this.allowInsecureRequests
+                });
+                const authorizationServer = await oauth.processDiscoveryResponse(authServerUrl, response);
+                return authorizationServer;
+            }
+            catch (error) {
+                this.logger.warn(`Error fetching authorization server configuration: ${error}`);
+                throw error;
+            }
+        };
+        this.normalizeResourceServerUrl = (resourceServerUrl) => {
+            // the url might be EITHER:
+            // 1. the PRM URL (when it's received from the www-authenticate header or a PRM response conforming to RFC 9728)
+            // 2. the resource url itself (when we're using the resource url itself)
+            // We standardize on the resource url itself, so that we can store it in the DB and all the rest of the plumbing 
+            // doesn't have to worry about the difference between the two.
+            const res = resourceServerUrl.replace('/.well-known/oauth-protected-resource', '');
+            return res;
+        };
+        this.getRegistrationMetadata = async () => {
+            // Create client metadata for registration
+            const clientMetadata = {
+                redirect_uris: [this.callbackUrl],
+                // We shouldn't actually need any response_types for this client either, but
+                // the OAuth spec requires us to provide a response_type
+                response_types: ['code'],
+                grant_types: ['authorization_code', 'client_credentials'],
+                token_endpoint_auth_method: 'client_secret_basic',
+                client_name: this.clientName,
+            };
+            return clientMetadata;
+        };
+        this.registerClient = async (authorizationServer) => {
+            this.logger.info(`Registering client with authorization server for ${this.callbackUrl}`);
+            if (!authorizationServer.registration_endpoint) {
+                throw new Error('Authorization server does not support dynamic client registration');
+            }
+            const clientMetadata = await this.getRegistrationMetadata();
+            let registeredClient;
+            try {
+                // Make the registration request
+                const response = await oauth.dynamicClientRegistrationRequest(authorizationServer, clientMetadata, {
+                    [oauth.customFetch]: this.sideChannelFetch,
+                    [oauth.allowInsecureRequests]: this.allowInsecureRequests
+                });
+                // Process the registration response
+                registeredClient = await oauth.processDynamicClientRegistrationResponse(response);
+            }
+            catch (error) {
+                this.logger.warn(`Client registration failure error_details: ${JSON.stringify(error.cause?.error_details)}`);
+                throw error;
+            }
+            this.logger.info(`Successfully registered client with ID: ${registeredClient.client_id}`);
+            // Create client credentials from the registration response
+            const credentials = {
+                clientId: registeredClient.client_id,
+                clientSecret: registeredClient.client_secret?.toString() || '', // Public client has no secret
+                redirectUri: this.callbackUrl
+            };
+            // Save the credentials in the database
+            await this.db.saveClientCredentials(authorizationServer.issuer, credentials);
+            return credentials;
+        };
+        this.getClientCredentials = async (authorizationServer) => {
+            let credentials = await this.db.getClientCredentials(authorizationServer.issuer);
+            // If no credentials found, register a new client
+            if (!credentials) {
+                // Check if there's already a registration in progress for this issuer
+                const lockKey = authorizationServer.issuer;
+                const existingLock = this.registrationLocks.get(lockKey);
+                if (existingLock) {
+                    this.logger.debug(`Waiting for existing client registration for issuer: ${lockKey}`);
+                    return await existingLock;
+                }
+                // Create a new registration promise and store it as a lock      
+                try {
+                    const registrationPromise = this.registerClient(authorizationServer);
+                    this.registrationLocks.set(lockKey, registrationPromise);
+                    credentials = await registrationPromise;
+                    return credentials;
+                }
+                finally {
+                    // Always clean up the lock when done
+                    this.registrationLocks.delete(lockKey);
+                }
+            }
+            return credentials;
+        };
+        this.makeOAuthClientAndAuth = (credentials) => {
+            // Create the client configuration
+            const client = {
+                client_id: credentials.clientId,
+                token_endpoint_auth_method: 'none'
+            };
+            let clientAuth = oauth.None();
+            // If the client has a secret, that means it was registered as a confidential client
+            // In that case, we should auth to the token endpoint using the client secret as well.
+            // In either case (public or confidential), we're also using PKCE
+            if (credentials.clientSecret) {
+                client.token_endpoint_auth_method = 'client_secret_post';
+                // Create the client authentication method
+                clientAuth = oauth.ClientSecretPost(credentials.clientSecret);
+            }
+            return [client, clientAuth];
+        };
+        // Default values above are appropriate for a global client used directly. Subclasses should override these,
+        // because things like the callbackUrl will actually be important for them
+        this.db = db;
+        this.callbackUrl = callbackUrl;
+        this.isPublic = isPublic;
+        this.sideChannelFetch = sideChannelFetch;
+        this.strict = strict;
+        this.allowInsecureRequests = allowInsecureRequests;
+        this.clientName = clientName;
+        this.logger = logger;
+    }
+}
+OAuthResourceClient.trimToPath = (url) => {
+    try {
+        const urlObj = new URL(url);
+        return `${urlObj.origin}${urlObj.pathname}`;
+    }
+    catch (error) {
+        // If the URL is invalid, try to construct a valid one
+        if (!url.startsWith('http://') && !url.startsWith('https://')) {
+            return `https://${url}`;
+        }
+        throw error;
+    }
+};
+OAuthResourceClient.getParentPath = (url) => {
+    const urlObj = new URL(url);
+    urlObj.pathname = urlObj.pathname.replace(/\/[^/]+$/, '');
+    const res = urlObj.toString();
+    return res === url ? null : res;
+};
+
+const PAYMENT_REQUIRED_ERROR_CODE = -30402; // Payment required
+// Do NOT modify this message. It is used by clients to identify an ATXP payment required error
+// in an MCP response. Changing it will break back-compatability.
+const PAYMENT_REQUIRED_PREAMBLE = 'Payment via ATXP is required. ';
+function paymentRequiredError(server, paymentRequestId, chargeAmount) {
+    const serverUrl = new URL(server);
+    server = serverUrl.origin;
+    const paymentRequestUrl = `${server}/payment-request/${paymentRequestId}`;
+    const data = { paymentRequestId, paymentRequestUrl, chargeAmount };
+    const amountText = chargeAmount ? ` You will be charged ${chargeAmount.toString()}.` : '';
+    return new McpError(PAYMENT_REQUIRED_ERROR_CODE, `${PAYMENT_REQUIRED_PREAMBLE}${amountText} Please pay at: ${paymentRequestUrl} and then try again.`, data);
+}
+
+const Servers = {
+    browse: 'https://browse.mcp.novellum.ai',
+    filestore: 'https://filestore.mcp.novellum.ai',
+    database: 'https://database.mcp.novellum.ai',
+    code: 'https://code.mcp.novellum.ai',
+    search: 'https://search.mcp.novellum.ai',
+    crawl: 'https://crawl.mcp.novellum.ai',
+    video: 'https://video.mcp.novellum.ai',
+    image: 'https://image.mcp.novellum.ai',
+    music: 'https://music.mcp.novellum.ai',
+    research: 'https://research.mcp.novellum.ai',
+    shop: 'https://shop.mcp.novellum.ai'
+};
+
+/**
+ * Parses SSE (Server-Sent Events) formatted text into individual messages
+ * @param sseText - The raw SSE text to parse
+ * @returns Array of parsed SSE messages
+ */
+function parseSSEMessages(sseText) {
+    const messages = [];
+    const lines = sseText.split('\n');
+    let currentMessage = {};
+    for (const line of lines) {
+        const trimmedLine = line.trim();
+        // Empty line indicates end of message
+        if (trimmedLine === '') {
+            if (currentMessage.data !== undefined) {
+                messages.push(currentMessage);
+                currentMessage = {};
+            }
+            continue;
+        }
+        // Parse field: value format
+        const colonIndex = trimmedLine.indexOf(':');
+        if (colonIndex === -1) {
+            continue; // Skip malformed lines
+        }
+        const field = trimmedLine.substring(0, colonIndex);
+        const value = trimmedLine.substring(colonIndex + 1);
+        let retryValue;
+        switch (field) {
+            case 'event':
+                currentMessage.event = value;
+                break;
+            case 'data':
+                // SSE spec allows multiple data fields to be concatenated
+                currentMessage.data = currentMessage.data ? currentMessage.data + '\n' + value : value;
+                break;
+            case 'id':
+                currentMessage.id = value;
+                break;
+            case 'retry':
+                retryValue = parseInt(value, 10);
+                if (!isNaN(retryValue)) {
+                    currentMessage.retry = retryValue;
+                }
+                break;
+        }
+    }
+    // Don't forget the last message if it doesn't end with an empty line
+    if (currentMessage.data !== undefined) {
+        messages.push(currentMessage);
+    }
+    return messages;
+}
+/**
+ * Extracts JSON-RPC messages from SSE data fields
+ * @param sseMessages - Array of SSE messages
+ * @param logger - Optional logger for debugging
+ * @returns Array of parsed JSON objects from SSE data fields
+ */
+function extractJSONFromSSE(sseMessages, logger) {
+    const jsonMessages = [];
+    for (const sseMessage of sseMessages) {
+        try {
+            if (sseMessage.data) {
+                const parsed = JSON.parse(sseMessage.data);
+                jsonMessages.push(parsed);
+            }
+        }
+        catch (error) {
+            logger?.warn(`Failed to parse SSE data as JSON: ${sseMessage.data}`);
+            logger?.debug(`Parse error: ${error}`);
+        }
+    }
+    return jsonMessages;
+}
+/**
+ * Determines if a response body appears to be SSE formatted
+ * @param body - The response body to check
+ * @returns true if the body appears to be SSE formatted
+ */
+function isSSEResponse(body) {
+    if (typeof body !== 'string') {
+        return false;
+    }
+    const lines = body.split('\n');
+    for (const line of lines) {
+        const trimmedLine = line.trim();
+        if (trimmedLine === '')
+            continue;
+        // Check for SSE field format (field: value)
+        const colonIndex = trimmedLine.indexOf(':');
+        if (colonIndex === -1)
+            continue;
+        const field = trimmedLine.substring(0, colonIndex);
+        if (['event', 'data', 'id', 'retry'].includes(field)) {
+            return true;
+        }
+    }
+    return false;
+}
+
+function parsePaymentRequests(message) {
+    const res = [];
+    // Handle MCP protocol-level errors. These have an explicit error code that we can check for
+    if (isJSONRPCError(message)) {
+        // Explicitly throw payment required errors that result in MCP protocol-level errors
+        const rpcError = message;
+        if (rpcError.error.code === PAYMENT_REQUIRED_ERROR_CODE) {
+            const paymentRequestUrl = rpcError.error.data?.paymentRequestUrl;
+            const dataPr = _parsePaymentRequestFromString(paymentRequestUrl);
+            if (dataPr) {
+                res.push(dataPr);
+            }
+            else {
+                const pr = _parsePaymentRequestFromString(rpcError.error.message);
+                if (pr) {
+                    res.push(pr);
+                }
+            }
+        }
+        // Elicitation - required errors
+        // Current draft of elicitation-required error code as per
+        // https://github.com/modelcontextprotocol/modelcontextprotocol/pull/887
+        if (rpcError.error.code === -32604) {
+            const elicitations = rpcError.error.data?.elicitations || [];
+            for (const elicitation of elicitations) {
+                if (elicitation?.mode === 'url') {
+                    const pr = _parsePaymentRequestFromString(elicitation?.url);
+                    if (pr) {
+                        res.push(pr);
+                    }
+                }
+            }
+        }
+    }
+    // TODO: Ensure that ATXP errors only come back as MCP protocol-level errors.
+    // Handle MCP tool application-level errors. For these, the error message is serialized into a normal 
+    // tool response with the isError flag set
+    if (isJSONRPCResponse(message)) {
+        const toolResult = message.result;
+        if (toolResult.isError) {
+            for (const content of toolResult.content) {
+                if (content.type === 'text') {
+                    const text = content.text;
+                    if (text.includes(PAYMENT_REQUIRED_PREAMBLE) && text.includes(PAYMENT_REQUIRED_ERROR_CODE.toString())) {
+                        const pr = _parsePaymentRequestFromString(text);
+                        if (pr) {
+                            res.push(pr);
+                        }
+                    }
+                }
+            }
+        }
+    }
+    return res;
+}
+function _parsePaymentRequestFromString(text) {
+    if (!text) {
+        return null;
+    }
+    const paymentRequestUrl = /(http[^ ]+)\/payment-request\/([^ ]+)/.exec(text);
+    if (paymentRequestUrl) {
+        const id = paymentRequestUrl[2];
+        const url = paymentRequestUrl[0];
+        return { url, id };
+    }
+    return null;
+}
+async function parseMcpMessages(json, logger) {
+    let messages = [];
+    try {
+        // Check if the response is SSE formatted
+        if (typeof json === 'string' && isSSEResponse(json)) {
+            logger?.debug('Detected SSE-formatted response, parsing SSE messages');
+            const sseMessages = parseSSEMessages(json);
+            const jsonMessages = extractJSONFromSSE(sseMessages, logger);
+            // Process each JSON message from SSE
+            for (const jsonMsg of jsonMessages) {
+                try {
+                    if (Array.isArray(jsonMsg)) {
+                        // Handle batch messages from SSE
+                        const batchMessages = jsonMsg.map(msg => JSONRPCMessageSchema.parse(msg));
+                        messages.push(...batchMessages);
+                    }
+                    else {
+                        // Handle single message from SSE
+                        const message = JSONRPCMessageSchema.parse(jsonMsg);
+                        messages.push(message);
+                    }
+                }
+                catch (parseError) {
+                    if (parseError instanceof ZodError) {
+                        logger?.warn(`Invalid JSON-RPC message format in SSE data`);
+                        logger?.debug(parseError.message);
+                    }
+                    else {
+                        logger?.error(`Unexpected error parsing JSON-RPC message from SSE: ${parseError}`);
+                    }
+                }
+            }
+        }
+        else {
+            // Handle regular JSON responses
+            if (Array.isArray(json)) {
+                messages = json.map(msg => JSONRPCMessageSchema.parse(msg));
+            }
+            else {
+                messages = [JSONRPCMessageSchema.parse(json)];
+            }
+        }
+    }
+    catch (error) {
+        // If Zod validation fails, log the error and return empty array
+        if (error instanceof ZodError) {
+            logger?.warn(`Invalid JSON-RPC message format`);
+            logger?.debug(error.message);
+        }
+        else {
+            logger?.error(`Unexpected error parsing JSON-RPC messages: ${error}`);
+        }
+    }
+    return messages;
+}
+
+/* eslint-disable @typescript-eslint/no-explicit-any */
+// Platform detection - supports both Expo and bare React Native
+function getIsReactNative() {
+    const nav = (typeof navigator !== 'undefined' ? navigator : (typeof global !== 'undefined' ? global.navigator : undefined));
+    return !!nav && nav.product === 'ReactNative';
+}
+const isNode = typeof process !== 'undefined' && !!process.versions?.node;
+const isBrowser = typeof window !== 'undefined' && typeof document !== 'undefined';
+const isNextJS = typeof process !== 'undefined' && process.env.NEXT_RUNTIME !== undefined;
+const isWebEnvironment = isBrowser || isNextJS;
+// Helper to load modules in both CommonJS and ESM environments
+function loadModule(moduleId) {
+    try {
+        // First try standard require if available (CommonJS environment)
+        if (typeof require !== 'undefined') {
+            // eslint-disable-next-line @typescript-eslint/no-require-imports
+            return require(moduleId);
+        }
+        // Check if we're in a Node.js environment where createRequire might be available
+        if (typeof process !== 'undefined' && process.versions && process.versions.node) {
+            try {
+                const { createRequire } = eval('require')('module');
+                const require = createRequire(import.meta.url || 'file:///dummy');
+                return require(moduleId);
+            }
+            catch {
+                // Fall through to eval require
+            }
+        }
+        // Fall back to eval('require') to prevent bundler static analysis
+        const requireFunc = (0, eval)('require');
+        return requireFunc(moduleId);
+    }
+    catch {
+        throw new Error(`Failed to load module "${moduleId}" synchronously. In ESM environments, please ensure the module is pre-loaded or use MemoryOAuthDb instead.`);
+    }
+}
+// Async version for cases where we can fall back to dynamic import
+async function loadModuleAsync(moduleId) {
+    try {
+        // Try synchronous loading first
+        return loadModule(moduleId);
+    }
+    catch {
+        // Fall back to dynamic import for ESM
+        try {
+            return await import(moduleId);
+        }
+        catch (e) {
+            throw new Error(`Failed to load module "${moduleId}": ${e instanceof Error ? e.message : 'Module loading not available in this environment'}`);
+        }
+    }
+}
+// Apply URL polyfill for React Native/Expo
+if (getIsReactNative()) {
+    loadModule('react-native-url-polyfill/auto');
+}
+// React Native safe fetch that prevents body consumption issues
+const createReactNativeSafeFetch = (originalFetch) => {
+    return async (url, init) => {
+        const response = await originalFetch(url, init);
+        // For non-2xx responses or responses we know won't have JSON bodies, return as-is
+        if (!response.ok || response.status === 204) {
+            return response;
+        }
+        // Pre-read the body to avoid consumption issues
+        const contentType = response.headers.get('content-type');
+        if (contentType && contentType.includes('application/json')) {
+            try {
+                const bodyText = await response.text();
+                // Create a new Response with the pre-read body
+                return new Response(bodyText, {
+                    status: response.status,
+                    statusText: response.statusText,
+                    headers: response.headers
+                });
+            }
+            catch {
+                // If reading fails, return original response
+                return response;
+            }
+        }
+        return response;
+    };
+};
+// Platform factory functions
+function createReactNativeCrypto() {
+    let expoCrypto;
+    try {
+        expoCrypto = loadModule('expo-crypto');
+    }
+    catch {
+        throw new Error('React Native detected but expo-crypto package is required. ' +
+            'Please install it: npm install expo-crypto');
+    }
+    return {
+        digest: async (data) => {
+            const hash = await expoCrypto.digestStringAsync(expoCrypto.CryptoDigestAlgorithm.SHA256, new TextDecoder().decode(data));
+            return new Uint8Array(Buffer.from(hash, 'hex'));
+        },
+        randomUUID: () => expoCrypto.randomUUID(),
+        toHex: (data) => Array.from(data).map(b => b.toString(16).padStart(2, '0')).join(''),
+    };
+}
+function createBrowserCrypto() {
+    return {
+        digest: async (data) => {
+            if (typeof globalThis !== 'undefined' && globalThis.crypto && globalThis.crypto.subtle) {
+                const hashBuffer = await globalThis.crypto.subtle.digest('SHA-256', data);
+                return new Uint8Array(hashBuffer);
+            }
+            throw new Error('Web Crypto API not available in this browser environment');
+        },
+        randomUUID: () => {
+            if (typeof globalThis !== 'undefined' && globalThis.crypto && globalThis.crypto.randomUUID) {
+                return globalThis.crypto.randomUUID();
+            }
+            // Fallback UUID generation for older browsers
+            return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
+                const r = Math.random() * 16 | 0;
+                const v = c === 'x' ? r : (r & 0x3 | 0x8);
+                return v.toString(16);
+            });
+        },
+        toHex: (data) => Array.from(data).map(b => b.toString(16).padStart(2, '0')).join(''),
+    };
+}
+function createNodeCrypto() {
+    let cryptoModule = null;
+    return {
+        digest: async (data) => {
+            // Prefer Web Crypto API if available (works in Node.js 16+ and browsers)
+            if (typeof globalThis !== 'undefined' && globalThis.crypto && globalThis.crypto.subtle) {
+                try {
+                    const hashBuffer = await globalThis.crypto.subtle.digest('SHA-256', data);
+                    return new Uint8Array(hashBuffer);
+                }
+                catch {
+                    // Fall through to Node.js crypto
+                }
+            }
+            // Fall back to Node.js crypto module
+            if (!cryptoModule) {
+                // Try node:crypto first, then fallback to crypto
+                try {
+                    cryptoModule = await loadModuleAsync('node:crypto');
+                }
+                catch {
+                    cryptoModule = await loadModuleAsync('crypto');
+                }
+            }
+            return new Uint8Array(cryptoModule.createHash('sha256').update(data).digest());
+        },
+        randomUUID: () => {
+            // Prefer Web Crypto API if available (works in Node.js 16+ and browsers)
+            if (typeof globalThis !== 'undefined' && globalThis.crypto && globalThis.crypto.randomUUID) {
+                return globalThis.crypto.randomUUID();
+            }
+            // Try Node.js crypto module if available (CommonJS environments)
+            try {
+                // Try node:crypto first, then fallback to crypto
+                let crypto;
+                try {
+                    crypto = loadModule('node:crypto');
+                }
+                catch {
+                    crypto = loadModule('crypto');
+                }
+                return crypto.randomUUID();
+            }
+            catch {
+                // Fallback to Math.random() based UUID generation (RFC 4122 compliant)
+                return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
+                    const r = Math.random() * 16 | 0;
+                    const v = c === 'x' ? r : (r & 0x3 | 0x8);
+                    return v.toString(16);
+                });
+            }
+        },
+        toHex: (data) => Array.from(data).map(b => b.toString(16).padStart(2, '0')).join(''),
+    };
+}
+// Export platform-specific implementations
+let crypto;
+if (getIsReactNative()) {
+    crypto = createReactNativeCrypto();
+}
+else if (isWebEnvironment) {
+    crypto = createBrowserCrypto();
+}
+else {
+    crypto = createNodeCrypto();
+}
+
+export { ConsoleLogger, DEFAULT_AUTHORIZATION_SERVER, LogLevel, MemoryOAuthDb, OAuthResourceClient, PAYMENT_REQUIRED_ERROR_CODE, PAYMENT_REQUIRED_PREAMBLE, Servers, assertNever, createReactNativeSafeFetch, crypto, extractJSONFromSSE, generateJWT, getIsReactNative, isBrowser, isEnumValue, isNextJS, isNode, isSSEResponse, isWebEnvironment, parseMcpMessages, parsePaymentRequests, parseSSEMessages, paymentRequiredError };
+//# sourceMappingURL=index.js.map