npm - @cyanheads/mcp-ts-core - Versions diffs - 0.8.19 → 0.8.20 - Mend

@cyanheads/mcp-ts-core 0.8.19 → 0.8.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/CLAUDE.md CHANGED Viewed

@@ -1,7 +1,7 @@
 # Developer Protocol
 **Package:** `@cyanheads/mcp-ts-core`
-**Version:** 0.8.19
+**Version:** 0.8.20
 **Engines:** Bun ≥1.3.0, Node ≥24.0.0
 **MCP SDK:** `@modelcontextprotocol/sdk` ^1.29.0
 **Zod:** ^4.4.3
@@ -439,6 +439,8 @@ Pick one convention per server and stay consistent. Verbs are typically `read`,
 **Modes** (`MCP_AUTH_MODE`): `none` (default) | `jwt` (local secret via `MCP_AUTH_SECRET_KEY`) | `oauth` (JWKS via `OAUTH_ISSUER_URL`, `OAUTH_AUDIENCE`). See `api-auth` skill for claims, CORS, and detailed config.
+**Granted scopes** are unioned from `scp`, `scope`, and `mcp_tool_scopes` JWT claims. The `mcp_tool_scopes` custom claim is the supported escape hatch for OIDC providers (Authentik, Keycloak < 26.5, Zitadel) that ignore property mappings overriding `scope` in `authorization_code` flow. For deployments where no custom claim can be injected, `MCP_AUTH_DISABLE_SCOPE_CHECKS=true` bypasses both `withRequiredScopes` and `checkScopes` after the auth-context presence check (signature/audience/issuer/expiry validation intact). A `WARNING` is logged at startup whenever the bypass is active.
 ---
 ## Configuration
@@ -450,7 +452,7 @@ Managed by `@cyanheads/mcp-ts-core`. Validated via Zod. Precedence: `createApp()
 | Category | Key Variables |
 |:---------|:-------------|
 | Transport | `MCP_TRANSPORT_TYPE` (`stdio`\|`http`), `MCP_HTTP_PORT`, `MCP_HTTP_HOST`, `MCP_HTTP_ENDPOINT_PATH` |
-| Auth | `MCP_AUTH_MODE`, `MCP_AUTH_SECRET_KEY`, `OAUTH_*` |
+| Auth | `MCP_AUTH_MODE`, `MCP_AUTH_SECRET_KEY`, `MCP_AUTH_DISABLE_SCOPE_CHECKS`, `OAUTH_*` |
 | Storage | `STORAGE_PROVIDER_TYPE` (`in-memory`\|`filesystem`\|`supabase`\|`cloudflare-r2`\|`cloudflare-kv`\|`cloudflare-d1`) |
 | LLM | `OPENROUTER_API_KEY`, `OPENROUTER_APP_URL/NAME`, `LLM_DEFAULT_*` |
 | Telemetry | `OTEL_ENABLED`, `OTEL_SERVICE_NAME/VERSION`, `OTEL_EXPORTER_OTLP_*` |

package/changelog/0.8.x/0.8.20.md ADDED Viewed

@@ -0,0 +1,26 @@
+---
+summary: "`mcp_tool_scopes` claim union + `MCP_AUTH_DISABLE_SCOPE_CHECKS` bypass ([#128](https://github.com/cyanheads/mcp-ts-core/issues/128)) — operator escape hatches for OIDC providers that can't inject scopes into `scope`."
+breaking: false
+security: false
+---
+# 0.8.20 — 2026-05-09
+Two operator escape hatches for the standard OIDC reality. Authentik, Keycloak < 26.5, and Zitadel issue `authorization_code` tokens whose `scope` claim is fixed at `openid email profile offline_access` — property mappings can't override it, so per-tool scopes can't be injected the standard way. The framework now reads granted scopes from a 3-claim union (`scp` + `scope` + new `mcp_tool_scopes`), and ships an explicit bypass for deployments where no claim-injection path exists at all.
+## Added
+- **`mcp_tool_scopes` JWT claim** ([#128](https://github.com/cyanheads/mcp-ts-core/issues/128)) — operator-defined custom claim parsed alongside `scp` and `scope`. Accepts space-delimited string (`"tool:foo:read tool:bar:write"`) or array form. Empty-string entries are dropped; arrays containing any non-string entry cause the claim to be ignored entirely. Documented in the `api-auth` skill as the OIDC operator setup path.
+- **`MCP_AUTH_DISABLE_SCOPE_CHECKS` env var** (`mcpAuthDisableScopeChecks`, default `false`) — when `true`, bypasses both `withRequiredScopes` (declared `auth: [...]`) and `checkScopes` (runtime-computed scopes inside handlers, including tenant patterns like `team:${input.teamId}:write`) after the auth-context presence check. Token signature, audience, issuer, and expiry validation remain intact. `authFactory` logs a `WARNING` whenever the bypass is active under a non-`none` auth mode. Combine with server-side ACLs — without an in-handler ACL, every authenticated user effectively has every scope.
+- **`extractStringScopes` helper** in `claimParser.ts` — shared parser for the three claim sites; handles both array and space-delimited string forms, drops empty-string array entries, ignores arrays with non-string members.
+## Changed
+- **Granted scopes are now a union of `scp`, `scope`, and `mcp_tool_scopes`** — previously `scp` took precedence and `scope` was only read as a fallback. Operator-visible behavior change for tokens that populate both `scp` and `scope`: those tokens now receive the union of both claims. The Okta-only and OIDC-only cases (the common shapes) are unaffected.
+- **`authFactory`** — OAuth-mode startup log upgraded from `debug` to `info` with claim-resolution guidance and a pointer to the bypass flag for ops without claim-injection control.
+- **`tool-defs-analysis` skill** 1.0 → 1.1 ([#127](https://github.com/cyanheads/mcp-ts-core/issues/127)) — drops "or env vars" from the recovery-hints smell list. Env var names are actionable: the agent can name the var the user must set or rotate. Internal class names and file paths remain smells.
+- **Skill bumps:** `api-auth` 1.0 → 1.1 (claims mapping table, OIDC operator setup section, bypass flag docs), `api-config` 1.3 → 1.4 (env-var table row), `security-pass` 1.3 → 1.4 (Axis 2 check item: bypass-in-production warning).
+## Fixed
+- **`extractStringScopes` no longer leaks empty-string entries** through array-form claims. Pre-change array handling preserved `['', 'real-scope']` as-is, leaving an empty entry in the granted set. Practical exploitability was bounded (required scopes are non-empty static strings, so `Set.has('')` returned `false`), but the inconsistency vs. the string-path's `.trim()` check is now closed.

package/dist/config/index.d.ts CHANGED Viewed

@@ -61,6 +61,7 @@ declare const ConfigSchema: z.ZodObject<{
         oauth: "oauth";
         none: "none";
     }>>>;
+    mcpAuthDisableScopeChecks: z.ZodDefault<z.ZodPreprocess<z.ZodBoolean>>;
     oauthIssuerUrl: z.ZodOptional<z.ZodURL>;
     oauthJwksUri: z.ZodOptional<z.ZodURL>;
     oauthAudience: z.ZodOptional<z.ZodString>;
@@ -189,6 +190,7 @@ declare const parseConfig: (envOverrides?: Record<string, string | undefined>) =
     mcpHeartbeatIntervalMs: number;
     mcpHeartbeatMissThreshold: number;
     mcpAuthMode: "jwt" | "oauth" | "none";
+    mcpAuthDisableScopeChecks: boolean;
     oauthJwksCooldownMs: number;
     oauthJwksTimeoutMs: number;
     devMcpAuthBypass: boolean;
@@ -317,6 +319,7 @@ declare const config: {
     mcpHeartbeatIntervalMs: number;
     mcpHeartbeatMissThreshold: number;
     mcpAuthMode: "jwt" | "oauth" | "none";
+    mcpAuthDisableScopeChecks: boolean;
     oauthJwksCooldownMs: number;
     oauthJwksTimeoutMs: number;
     devMcpAuthBypass: boolean;

package/dist/config/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAcxB,wEAAwE;AACxE,eAAO,MAAM,cAAc,2BAA2B,CAAC;AACvD,eAAO,MAAM,iBAAiB,QAAkC,CAAC;AA4CjE,QAAA,MAAM,YAAY~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA0Ud~~,CAAC;AAGL,QAAA,MAAM,WAAW,GAAI,eAAe,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkMrE~~,CAAC;AAIF;;;;;;;;GAQG;AACH,QAAA,MAAM,WAAW,GAAI,eAAe,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,KAAG,IAExE,CAAC;AAEF;;;;;;GAMG;AACH,QAAA,MAAM,MAAM~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~CAuBV,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAErD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAcxB,wEAAwE;AACxE,eAAO,MAAM,cAAc,2BAA2B,CAAC;AACvD,eAAO,MAAM,iBAAiB,QAAkC,CAAC;AA4CjE,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoVd,CAAC;AAGL,QAAA,MAAM,WAAW,GAAI,eAAe,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmMrE,CAAC;AAIF;;;;;;;;GAQG;AACH,QAAA,MAAM,WAAW,GAAI,eAAe,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,KAAG,IAExE,CAAC;AAEF;;;;;;GAMG;AACH,QAAA,MAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuBV,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAErD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC"}

package/dist/config/index.js CHANGED Viewed

@@ -145,6 +145,16 @@ const ConfigSchema = z
     mcpJwtExpectedIssuer: z.string().optional(),
     mcpJwtExpectedAudience: z.string().optional(),
     mcpAuthMode: z.preprocess(emptyStringAsUndefined, z.enum(['jwt', 'oauth', 'none']).default('none')),
+    /**
+     * Bypass per-request scope enforcement when `MCP_AUTH_MODE` is `jwt` or `oauth`.
+     * When `true`, both `withRequiredScopes` (declared `auth: [...]`) and `checkScopes`
+     * (runtime-computed scopes inside handlers, including tenant isolation patterns
+     * like `team:${input.teamId}:write`) early-return after the auth-context presence
+     * check. Signature, audience, issuer, and expiry validation remain intact. Combine
+     * with server-side ACLs — without an in-handler ACL, every authenticated user
+     * effectively has every scope.
+     */
+    mcpAuthDisableScopeChecks: envBoolean.default(false),
     oauthIssuerUrl: z.url().optional(),
     oauthJwksUri: z.url().optional(),
     oauthAudience: z.string().optional(),
@@ -400,6 +410,7 @@ const parseConfig = (envOverrides) => {
         mcpJwtExpectedIssuer: env.MCP_JWT_EXPECTED_ISSUER,
         mcpJwtExpectedAudience: env.MCP_JWT_EXPECTED_AUDIENCE,
         mcpAuthMode: env.MCP_AUTH_MODE,
+        mcpAuthDisableScopeChecks: env.MCP_AUTH_DISABLE_SCOPE_CHECKS,
         oauthIssuerUrl: env.OAUTH_ISSUER_URL,
         oauthJwksUri: env.OAUTH_JWKS_URI,
         oauthAudience: env.OAUTH_AUDIENCE,

package/dist/config/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,WAAW,MAAM,oBAAoB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAQ3D,MAAM,YAAY,GAAG,WAA8B,CAAC;AAEpD,wEAAwE;AACxE,MAAM,CAAC,MAAM,cAAc,GAAG,wBAAwB,CAAC;AACvD,MAAM,CAAC,MAAM,iBAAiB,GAAG,YAAY,CAAC,OAAO,IAAI,OAAO,CAAC;AAEjE;;;;GAIG;AACH,IAAI,YAAY,GAA2B,IAAI,CAAC;AAChD,SAAS,sBAAsB;IAC7B,IAAI,YAAY,KAAK,IAAI;QAAE,OAAO,YAAY,CAAC;IAC/C,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QAC1D,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAC5D,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ;YAAE,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QACrE,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ;YAAE,GAAG,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IACnF,CAAC;IAAC,MAAM,CAAC;QACP,2EAA2E;IAC7E,CAAC;IACD,YAAY,GAAG,GAAG,CAAC;IACnB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8DAA8D;AAC9D,6EAA6E;AAC7E,wDAAwD;AACxD,IAAI,aAAa,GAAG,KAAK,CAAC;AAE1B,2BAA2B;AAC3B,MAAM,sBAAsB,GAAG,CAAC,GAAY,EAAE,EAAE;IAC9C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACjD,OAAO;IACT,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC,CAAC;AAEF,4EAA4E;AAC5E,MAAM,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;IACtC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IAChF,OAAO,GAAG,CAAC;AACb,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;AAEhB,4BAA4B;AAC5B,MAAM,YAAY,GAAG,CAAC;KACnB,MAAM,CAAC;IACN,yDAAyD;IACzD,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC;QACZ,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACnC,CAAC;IACF,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,gCAAgC;IAC3D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,mCAAmC;IACjE,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uCAAuC;IACpF,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,oCAAoC;IAC9E,QAAQ,EAAE,CAAC;SACR,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,0DAA0D;YAC1D,MAAM,QAAQ,GAA2B;gBACvC,IAAI,EAAE,SAAS;gBACf,GAAG,EAAE,OAAO;gBACZ,WAAW,EAAE,MAAM;gBACnB,KAAK,EAAE,OAAO;gBACd,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,OAAO;aAChB,CAAC;YACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;QAClC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAClF;SACA,OAAO,CAAC,OAAO,CAAC;IACnB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,sCAAsC;IACvE;;;;;;;OAOG;IACH,kBAAkB,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;IAC7C,WAAW,EAAE,CAAC;SACX,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,MAAM,QAAQ,GAA2B;gBACvC,GAAG,EAAE,aAAa;gBAClB,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,SAAS;aAChB,CAAC;YACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;QAClC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC,CACjD;SACA,OAAO,CAAC,aAAa,CAAC;IACzB,gBAAgB,EAAE,CAAC,CAAC,UAAU,CAC5B,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAC3C;IACD,cAAc,EAAE,CAAC,CAAC,UAAU,CAC1B,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAC1D;IACD,oBAAoB,EAAE,CAAC,CAAC,UAAU,CAChC,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAC5D;IACD,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAC9D,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC;IAC5C,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IAC/C;;;;;;;;OAQG;IACH,YAAY,EAAE,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IACtE,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACpD,uBAAuB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACtD,gCAAgC,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;IACtE,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,yBAAyB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9D,iBAAiB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACjD,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3C,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,WAAW,EAAE,CAAC,CAAC,UAAU,CACvB,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CACjD;IACD,cAAc,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAClC,YAAY,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,YAAY;IACrE,kBAAkB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,YAAY;IAClE,2BAA2B,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,8BAA8B;IAC/E,gBAAgB,EAAE,CAAC;SAChB,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;QAClB,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,EAAE;YAAE,OAAO,KAAK,CAAC;QAClE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;QAC7C,OAAO,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IACvC,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;SACd,OAAO,CAAC,KAAK,CAAC;IACjB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC5C,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,uBAAuB,CAAC;IAC7D,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE;IAC7B,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC;IAC5E,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjD,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,UAAU,EAAE,CAAC;SACV,MAAM,CAAC;QACN,gBAAgB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACpC,QAAQ,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC5B,aAAa,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACjC,SAAS,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC7B,uBAAuB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC3C,yBAAyB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC1D,CAAC;SACD,QAAQ,EAAE;IACb,QAAQ,EAAE,CAAC;SACR,MAAM,CAAC;QACN,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE;QACZ,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACtC,CAAC;SACD,QAAQ,EAAE;IACb,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,YAAY,EAAE,CAAC;aACZ,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,WAAW;oBAChB,EAAE,EAAE,YAAY;iBACjB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;YAClC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC;YACL,WAAW;YACX,YAAY;YACZ,UAAU;YACV,eAAe;YACf,eAAe;YACf,eAAe;SAChB,CAAC,CACH;aACA,OAAO,CAAC,WAAW,CAAC;QACvB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,sEAAsE;KACzH,CAAC;IACF,iDAAiD;IACjD,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,YAAY,EAAE,CAAC,CAAC,UAAU,CACxB,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAC3C;QACD;;;WAGG;QACH,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;QAC7D;;;;WAIG;QACH,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,mBAAmB,CAAC;QACvD,+DAA+D;QAC/D,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;QAC3D,gDAAgD;QAChD,KAAK,EAAE,CAAC,CAAC,MAAM;aACZ,MAAM,EAAE;aACR,GAAG,CAAC,IAAI,CAAC;aACT,OAAO,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC/B,8DAA8D;QAC9D,aAAa,EAAE,CAAC,CAAC,MAAM;aACpB,MAAM,EAAE;aACR,GAAG,CAAC,IAAI,CAAC;aACT,OAAO,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACnC,0EAA0E;QAC1E,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QAC3D,6CAA6C;QAC7C,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACzD,2EAA2E;QAC3E,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;KACvD,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,KAAK,EAAE;QACzC,OAAO,EACL,wIAAwI;QAC1I,IAAI,EAAE,CAAC,eAAe,CAAC;KACxB,CAAC;IACJ,yCAAyC;IACzC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACd,SAAS,EAAE,CAAC;aACT,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,WAAW;oBAChB,MAAM,EAAE,WAAW;oBACnB,UAAU,EAAE,SAAS;iBACtB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;YAClC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,CACjC;aACA,OAAO,CAAC,WAAW,CAAC;QACvB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC;QAC5C,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;KACtD,CAAC;IACF,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC;QACtB,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;QAClC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;QACvB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE;QAC1B,cAAc,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAClC,eAAe,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACnC,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;QAC3D,QAAQ,EAAE,CAAC;aACR,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,OAAO;oBACZ,OAAO,EAAE,MAAM;oBACf,WAAW,EAAE,MAAM;iBACpB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YAC9C,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CACrE;aACA,OAAO,CAAC,MAAM,CAAC;KACnB,CAAC;IACF,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;YACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC7B,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;YAC3B,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SACtC,CAAC;aACD,QAAQ,EAAE;QACb,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;YAC9D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC7B,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;YAC3B,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SACtC,CAAC;aACD,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC;KACD,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,4EAA4E;IAC5E,IAAI,IAAI,CAAC,WAAW,KAAK,YAAY,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC/D,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;YAC1B,OAAO,EACL,+GAA+G;SAClH,CAAC,CAAC;IACL,CAAC;IAED,8EAA8E;IAC9E,IAAI,IAAI,CAAC,WAAW,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;gBAC1B,OAAO,EACL,+GAA+G;aAClH,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC7C,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;gBAC1B,OAAO,EAAE,kEAAkE;aAC5E,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,8CAA8C;IAC9C,IAAI,IAAI,CAAC,WAAW,KAAK,OAAO,EAAE,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,gBAAgB,CAAC;gBACxB,OAAO,EAAE,wDAAwD;aAClE,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,eAAe,CAAC;gBACvB,OAAO,EAAE,sDAAsD;aAChE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,wBAAwB;AACxB,MAAM,WAAW,GAAG,CAAC,YAAiD,EAAE,EAAE;IACxE,kFAAkF;IAClF,IAAI,CAAC,aAAa,IAAI,WAAW,CAAC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/B,aAAa,GAAG,IAAI,CAAC;IACvB,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC7E,MAAM,WAAW,GAAG,sBAAsB,EAAE,CAAC;IAE7C,MAAM,SAAS,GAAG;QAChB,GAAG,EAAE;YACH,IAAI,EAAE,GAAG,CAAC,YAAY,IAAI,WAAW,CAAC,IAAI,IAAI,YAAY,CAAC,IAAI;YAC/D,OAAO,EAAE,GAAG,CAAC,eAAe,IAAI,WAAW,CAAC,OAAO,IAAI,YAAY,CAAC,OAAO;YAC3E,WAAW,EAAE,GAAG,CAAC,mBAAmB,IAAI,WAAW,CAAC,WAAW,IAAI,YAAY,CAAC,WAAW;SAC5F;QACD,QAAQ,EAAE,GAAG,CAAC,aAAa;QAC3B,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,kBAAkB,EAAE,GAAG,CAAC,oBAAoB;QAC5C,WAAW,EAAE,GAAG,CAAC,QAAQ;QACzB,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,cAAc,EAAE,GAAG,CAAC,gBAAgB;QACpC,oBAAoB,EAAE,GAAG,CAAC,sBAAsB;QAChD,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,YAAY,EAAE,GAAG,CAAC,cAAc;QAChC,qBAAqB,EAAE,GAAG,CAAC,yBAAyB;QACpD,uBAAuB,EAAE,GAAG,CAAC,4BAA4B;QACzD,gCAAgC,EAAE,GAAG,CAAC,qCAAqC;QAC3E,sBAAsB,EAAE,GAAG,CAAC,yBAAyB;QACrD,yBAAyB,EAAE,GAAG,CAAC,4BAA4B;QAC3D,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,EAAE,KAAK,CAAC,GAAG,CAAC;aACnD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC;QAClB,gBAAgB,EAAE,GAAG,CAAC,mBAAmB;QACzC,oBAAoB,EAAE,GAAG,CAAC,uBAAuB;QACjD,sBAAsB,EAAE,GAAG,CAAC,yBAAyB;QACrD,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,cAAc,EAAE,GAAG,CAAC,gBAAgB;QACpC,YAAY,EAAE,GAAG,CAAC,cAAc;QAChC,aAAa,EAAE,GAAG,CAAC,cAAc;QACjC,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,kBAAkB,EAAE,GAAG,CAAC,qBAAqB;QAC7C,2BAA2B,EAAE,GAAG,CAAC,8BAA8B;QAC/D,gBAAgB,EAAE,GAAG,CAAC,mBAAmB;QACzC,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,YAAY,EAAE,GAAG,CAAC,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACjE,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,iBAAiB,EAAE,GAAG,CAAC,mBAAmB;QAC1C,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,eAAe,EAAE,GAAG,CAAC,iBAAiB;QACtC,qBAAqB,EAAE,GAAG,CAAC,uBAAuB;QAClD,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,UAAU,EACR,GAAG,CAAC,6BAA6B,IAAI,GAAG,CAAC,qBAAqB;YAC5D,CAAC,CAAC;gBACE,gBAAgB,EAAE,GAAG,CAAC,6BAA6B;gBACnD,QAAQ,EAAE,GAAG,CAAC,qBAAqB;gBACnC,aAAa,EAAE,GAAG,CAAC,0BAA0B;gBAC7C,SAAS,EAAE,GAAG,CAAC,sBAAsB;gBACrC,uBAAuB,EAAE,GAAG,CAAC,qCAAqC;gBAClE,yBAAyB,EAAE,GAAG,CAAC,wCAAwC,EAAE,KAAK,CAAC,GAAG,CAAC;qBAChF,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;qBACxB,MAAM,CAAC,OAAO,CAAC;aACnB;YACH,CAAC,CAAC,SAAS;QACf,QAAQ,EACN,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,iBAAiB;YACvC,CAAC,CAAC;gBACE,GAAG,EAAE,GAAG,CAAC,YAAY;gBACrB,OAAO,EAAE,GAAG,CAAC,iBAAiB;gBAC9B,cAAc,EAAE,GAAG,CAAC,yBAAyB;aAC9C;YACH,CAAC,CAAC,SAAS;QACf,OAAO,EAAE;YACP,YAAY,EAAE,GAAG,CAAC,qBAAqB;YACvC,cAAc,EAAE,GAAG,CAAC,uBAAuB;SAC5C;QACD,MAAM,EAAE;YACN,YAAY,EAAE,GAAG,CAAC,oBAAoB;YACtC,oBAAoB,EAAE,GAAG,CAAC,8BAA8B;YACxD,cAAc,EAAE,GAAG,CAAC,kBAAkB;YACtC,oBAAoB,EAAE,GAAG,CAAC,8BAA8B;YACxD,KAAK,EAAE,GAAG,CAAC,aAAa;YACxB,aAAa,EAAE,GAAG,CAAC,sBAAsB;YACzC,iBAAiB,EAAE,GAAG,CAAC,0BAA0B;YACjD,eAAe,EAAE,GAAG,CAAC,wBAAwB;YAC7C,eAAe,EAAE,GAAG,CAAC,wBAAwB;SAC9C;QACD,KAAK,EAAE;YACL,SAAS,EAAE,GAAG,CAAC,eAAe;YAC9B,QAAQ,EAAE,GAAG,CAAC,oBAAoB;YAClC,YAAY,EAAE,GAAG,CAAC,yBAAyB;SAC5C;QACD,aAAa,EAAE;YACb,OAAO,EAAE,GAAG,CAAC,YAAY;YACzB,WAAW,EAAE,GAAG,CAAC,iBAAiB;YAClC,cAAc,EAAE,GAAG,CAAC,oBAAoB;YACxC,cAAc,EAAE,GAAG,CAAC,kCAAkC;YACtD,eAAe,EAAE,GAAG,CAAC,mCAAmC;YACxD,aAAa,EAAE,GAAG,CAAC,uBAAuB;YAC1C,QAAQ,EAAE,GAAG,CAAC,cAAc;SAC7B;QACD,MAAM,EACJ,GAAG,CAAC,kBAAkB,IAAI,GAAG,CAAC,kBAAkB;YAC9C,CAAC,CAAC;gBACE,GAAG,EAAE,GAAG,CAAC,kBAAkB;oBACzB,CAAC,CAAC;wBACE,OAAO,EAAE,GAAG,CAAC,kBAAkB;wBAC/B,QAAQ,EAAE,GAAG,CAAC,mBAAmB;wBACjC,MAAM,EAAE,GAAG,CAAC,kBAAkB;wBAC9B,OAAO,EAAE,GAAG,CAAC,mBAAmB;wBAChC,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,OAAO,EAAE,GAAG,CAAC,kBAAkB;qBAChC;oBACH,CAAC,CAAC,SAAS;gBACb,GAAG,EAAE,GAAG,CAAC,kBAAkB;oBACzB,CAAC,CAAC;wBACE,OAAO,EAAE,GAAG,CAAC,kBAAkB;wBAC/B,QAAQ,EAAE,GAAG,CAAC,mBAAmB;wBACjC,MAAM,EAAE,GAAG,CAAC,kBAAkB;wBAC9B,OAAO,EAAE,GAAG,CAAC,mBAAmB;wBAChC,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,OAAO,EAAE,GAAG,CAAC,kBAAkB;qBAChC;oBACH,CAAC,CAAC,SAAS;aACd;YACH,CAAC,CAAC,SAAS;QACf,qEAAqE;QACrE,aAAa,EAAE,GAAG,CAAC,eAAe;QAClC,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,oBAAoB,EAAE,GAAG,CAAC,sBAAsB;QAChD,iBAAiB,EAAE,GAAG,CAAC,mBAAmB;KAC3C,CAAC;IAEF,oEAAoE;IACpE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;QACzB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAChC,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAEjD,uEAAuE;IACvE,MAAM,cAAc,GAAG;QACrB,GAAG,SAAS;QACZ,GAAG,EAAE,SAAS;QACd,QAAQ,EAAE,WAAW,CAAC,MAAM;YAC1B,CAAC,CAAC,CAAC,GAAG,EAAE;gBACJ,kFAAkF;gBAClF,6DAA6D;gBAC7D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;gBAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAChD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC;gBAC5C,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,IAAI,MAAM,CAAC;gBAC7C,IAAI,UAAU,CAAC,OAAO,CAAC;oBAAE,OAAO,OAAO,CAAC;gBACxC,OAAO,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC7B,CAAC,CAAC,EAAE;YACN,CAAC,CAAC,SAAS;QACb,aAAa,EAAE,GAAG,CAAC,eAAe,IAAI,SAAS,CAAC,IAAI;QACpD,gBAAgB,EAAE,GAAG,CAAC,kBAAkB,IAAI,SAAS,CAAC,OAAO;QAC7D,oBAAoB,EAAE,GAAG,CAAC,sBAAsB,IAAI,SAAS,CAAC,WAAW;QACzE,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,EAAE,8CAA8C;QAC1F,aAAa,EAAE;YACb,GAAG,SAAS,CAAC,aAAa;YAC1B,WAAW,EAAE,GAAG,CAAC,iBAAiB,IAAI,SAAS,CAAC,IAAI;YACpD,cAAc,EAAE,GAAG,CAAC,oBAAoB,IAAI,SAAS,CAAC,OAAO;SAC9D;QACD,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,IAAI,SAAS,CAAC,IAAI;KAC7D,CAAC;IAEF,MAAM,YAAY,GAAG,YAAY,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IAE5D,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;QAC1B,6DAA6D;QAC7D,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACzB,OAAO,CAAC,KAAK,CACX,yEAAyE,EACzE,YAAY,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,WAAW,CACzC,CAAC;QACJ,CAAC;QACD,oDAAoD;QACpD,MAAM,kBAAkB,CAAC,oCAAoC,EAAE;YAC7D,gBAAgB,EAAE,YAAY,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,WAAW;SAC3D,CAAC,CAAC;IACL,CAAC;IAED,OAAO,YAAY,CAAC,IAAI,CAAC;AAC3B,CAAC,CAAC;AAEF,IAAI,OAA8B,CAAC;AAEnC;;;;;;;;GAQG;AACH,MAAM,WAAW,GAAG,CAAC,YAAiD,EAAQ,EAAE;IAC9E,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACjE,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,EAAe,EAAE;IACxC,GAAG,CAAC,OAAO,EAAE,IAAI;QACf,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAQ,OAA4C,CAAC,IAAI,CAAC,CAAC;IAC7D,CAAC;IACD,GAAG;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,cAAc;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IACD,GAAG,CAAC,OAAO,EAAE,IAAI;QACf,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,IAAI,IAAI,OAAO,CAAC;IACzB,CAAC;IACD,OAAO;QACL,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC;IACD,wBAAwB,CAAC,OAAO,EAAE,IAAI;QACpC,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,wBAAwB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACxD,CAAC;CACF,CAAC,CAAC;AAOH,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,WAAW,MAAM,oBAAoB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAQ3D,MAAM,YAAY,GAAG,WAA8B,CAAC;AAEpD,wEAAwE;AACxE,MAAM,CAAC,MAAM,cAAc,GAAG,wBAAwB,CAAC;AACvD,MAAM,CAAC,MAAM,iBAAiB,GAAG,YAAY,CAAC,OAAO,IAAI,OAAO,CAAC;AAEjE;;;;GAIG;AACH,IAAI,YAAY,GAA2B,IAAI,CAAC;AAChD,SAAS,sBAAsB;IAC7B,IAAI,YAAY,KAAK,IAAI;QAAE,OAAO,YAAY,CAAC;IAC/C,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QAC1D,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAC5D,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ;YAAE,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QACrE,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ;YAAE,GAAG,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IACnF,CAAC;IAAC,MAAM,CAAC;QACP,2EAA2E;IAC7E,CAAC;IACD,YAAY,GAAG,GAAG,CAAC;IACnB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8DAA8D;AAC9D,6EAA6E;AAC7E,wDAAwD;AACxD,IAAI,aAAa,GAAG,KAAK,CAAC;AAE1B,2BAA2B;AAC3B,MAAM,sBAAsB,GAAG,CAAC,GAAY,EAAE,EAAE;IAC9C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACjD,OAAO;IACT,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC,CAAC;AAEF,4EAA4E;AAC5E,MAAM,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;IACtC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IAChF,OAAO,GAAG,CAAC;AACb,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;AAEhB,4BAA4B;AAC5B,MAAM,YAAY,GAAG,CAAC;KACnB,MAAM,CAAC;IACN,yDAAyD;IACzD,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC;QACZ,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACnC,CAAC;IACF,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,gCAAgC;IAC3D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,mCAAmC;IACjE,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uCAAuC;IACpF,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,oCAAoC;IAC9E,QAAQ,EAAE,CAAC;SACR,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,0DAA0D;YAC1D,MAAM,QAAQ,GAA2B;gBACvC,IAAI,EAAE,SAAS;gBACf,GAAG,EAAE,OAAO;gBACZ,WAAW,EAAE,MAAM;gBACnB,KAAK,EAAE,OAAO;gBACd,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,OAAO;aAChB,CAAC;YACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;QAClC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAClF;SACA,OAAO,CAAC,OAAO,CAAC;IACnB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,sCAAsC;IACvE;;;;;;;OAOG;IACH,kBAAkB,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;IAC7C,WAAW,EAAE,CAAC;SACX,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,MAAM,QAAQ,GAA2B;gBACvC,GAAG,EAAE,aAAa;gBAClB,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,SAAS;aAChB,CAAC;YACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;QAClC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC,CACjD;SACA,OAAO,CAAC,aAAa,CAAC;IACzB,gBAAgB,EAAE,CAAC,CAAC,UAAU,CAC5B,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAC3C;IACD,cAAc,EAAE,CAAC,CAAC,UAAU,CAC1B,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAC1D;IACD,oBAAoB,EAAE,CAAC,CAAC,UAAU,CAChC,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAC5D;IACD,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAC9D,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC;IAC5C,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IAC/C;;;;;;;;OAQG;IACH,YAAY,EAAE,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IACtE,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACpD,uBAAuB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACtD,gCAAgC,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;IACtE,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,yBAAyB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9D,iBAAiB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACjD,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3C,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,WAAW,EAAE,CAAC,CAAC,UAAU,CACvB,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CACjD;IACD;;;;;;;;OAQG;IACH,yBAAyB,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;IACpD,cAAc,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAClC,YAAY,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,YAAY;IACrE,kBAAkB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,YAAY;IAClE,2BAA2B,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,8BAA8B;IAC/E,gBAAgB,EAAE,CAAC;SAChB,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;QAClB,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,EAAE;YAAE,OAAO,KAAK,CAAC;QAClE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;QAC7C,OAAO,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IACvC,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;SACd,OAAO,CAAC,KAAK,CAAC;IACjB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC5C,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,uBAAuB,CAAC;IAC7D,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE;IAC7B,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC;IAC5E,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjD,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,UAAU,EAAE,CAAC;SACV,MAAM,CAAC;QACN,gBAAgB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACpC,QAAQ,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC5B,aAAa,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACjC,SAAS,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC7B,uBAAuB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC3C,yBAAyB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC1D,CAAC;SACD,QAAQ,EAAE;IACb,QAAQ,EAAE,CAAC;SACR,MAAM,CAAC;QACN,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE;QACZ,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACtC,CAAC;SACD,QAAQ,EAAE;IACb,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,YAAY,EAAE,CAAC;aACZ,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,WAAW;oBAChB,EAAE,EAAE,YAAY;iBACjB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;YAClC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC;YACL,WAAW;YACX,YAAY;YACZ,UAAU;YACV,eAAe;YACf,eAAe;YACf,eAAe;SAChB,CAAC,CACH;aACA,OAAO,CAAC,WAAW,CAAC;QACvB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,sEAAsE;KACzH,CAAC;IACF,iDAAiD;IACjD,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,YAAY,EAAE,CAAC,CAAC,UAAU,CACxB,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAC3C;QACD;;;WAGG;QACH,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;QAC7D;;;;WAIG;QACH,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,mBAAmB,CAAC;QACvD,+DAA+D;QAC/D,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;QAC3D,gDAAgD;QAChD,KAAK,EAAE,CAAC,CAAC,MAAM;aACZ,MAAM,EAAE;aACR,GAAG,CAAC,IAAI,CAAC;aACT,OAAO,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC/B,8DAA8D;QAC9D,aAAa,EAAE,CAAC,CAAC,MAAM;aACpB,MAAM,EAAE;aACR,GAAG,CAAC,IAAI,CAAC;aACT,OAAO,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACnC,0EAA0E;QAC1E,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QAC3D,6CAA6C;QAC7C,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACzD,2EAA2E;QAC3E,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;KACvD,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,KAAK,EAAE;QACzC,OAAO,EACL,wIAAwI;QAC1I,IAAI,EAAE,CAAC,eAAe,CAAC;KACxB,CAAC;IACJ,yCAAyC;IACzC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACd,SAAS,EAAE,CAAC;aACT,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,WAAW;oBAChB,MAAM,EAAE,WAAW;oBACnB,UAAU,EAAE,SAAS;iBACtB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;YAClC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,CACjC;aACA,OAAO,CAAC,WAAW,CAAC;QACvB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC;QAC5C,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;KACtD,CAAC;IACF,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC;QACtB,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;QAClC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;QACvB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE;QAC1B,cAAc,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAClC,eAAe,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACnC,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;QAC3D,QAAQ,EAAE,CAAC;aACR,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,OAAO;oBACZ,OAAO,EAAE,MAAM;oBACf,WAAW,EAAE,MAAM;iBACpB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YAC9C,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CACrE;aACA,OAAO,CAAC,MAAM,CAAC;KACnB,CAAC;IACF,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;YACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC7B,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;YAC3B,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SACtC,CAAC;aACD,QAAQ,EAAE;QACb,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;YAC9D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC7B,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;YAC3B,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SACtC,CAAC;aACD,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC;KACD,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,4EAA4E;IAC5E,IAAI,IAAI,CAAC,WAAW,KAAK,YAAY,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC/D,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;YAC1B,OAAO,EACL,+GAA+G;SAClH,CAAC,CAAC;IACL,CAAC;IAED,8EAA8E;IAC9E,IAAI,IAAI,CAAC,WAAW,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;gBAC1B,OAAO,EACL,+GAA+G;aAClH,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC7C,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;gBAC1B,OAAO,EAAE,kEAAkE;aAC5E,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,8CAA8C;IAC9C,IAAI,IAAI,CAAC,WAAW,KAAK,OAAO,EAAE,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,gBAAgB,CAAC;gBACxB,OAAO,EAAE,wDAAwD;aAClE,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,eAAe,CAAC;gBACvB,OAAO,EAAE,sDAAsD;aAChE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,wBAAwB;AACxB,MAAM,WAAW,GAAG,CAAC,YAAiD,EAAE,EAAE;IACxE,kFAAkF;IAClF,IAAI,CAAC,aAAa,IAAI,WAAW,CAAC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/B,aAAa,GAAG,IAAI,CAAC;IACvB,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC7E,MAAM,WAAW,GAAG,sBAAsB,EAAE,CAAC;IAE7C,MAAM,SAAS,GAAG;QAChB,GAAG,EAAE;YACH,IAAI,EAAE,GAAG,CAAC,YAAY,IAAI,WAAW,CAAC,IAAI,IAAI,YAAY,CAAC,IAAI;YAC/D,OAAO,EAAE,GAAG,CAAC,eAAe,IAAI,WAAW,CAAC,OAAO,IAAI,YAAY,CAAC,OAAO;YAC3E,WAAW,EAAE,GAAG,CAAC,mBAAmB,IAAI,WAAW,CAAC,WAAW,IAAI,YAAY,CAAC,WAAW;SAC5F;QACD,QAAQ,EAAE,GAAG,CAAC,aAAa;QAC3B,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,kBAAkB,EAAE,GAAG,CAAC,oBAAoB;QAC5C,WAAW,EAAE,GAAG,CAAC,QAAQ;QACzB,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,cAAc,EAAE,GAAG,CAAC,gBAAgB;QACpC,oBAAoB,EAAE,GAAG,CAAC,sBAAsB;QAChD,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,YAAY,EAAE,GAAG,CAAC,cAAc;QAChC,qBAAqB,EAAE,GAAG,CAAC,yBAAyB;QACpD,uBAAuB,EAAE,GAAG,CAAC,4BAA4B;QACzD,gCAAgC,EAAE,GAAG,CAAC,qCAAqC;QAC3E,sBAAsB,EAAE,GAAG,CAAC,yBAAyB;QACrD,yBAAyB,EAAE,GAAG,CAAC,4BAA4B;QAC3D,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,EAAE,KAAK,CAAC,GAAG,CAAC;aACnD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC;QAClB,gBAAgB,EAAE,GAAG,CAAC,mBAAmB;QACzC,oBAAoB,EAAE,GAAG,CAAC,uBAAuB;QACjD,sBAAsB,EAAE,GAAG,CAAC,yBAAyB;QACrD,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,yBAAyB,EAAE,GAAG,CAAC,6BAA6B;QAC5D,cAAc,EAAE,GAAG,CAAC,gBAAgB;QACpC,YAAY,EAAE,GAAG,CAAC,cAAc;QAChC,aAAa,EAAE,GAAG,CAAC,cAAc;QACjC,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,kBAAkB,EAAE,GAAG,CAAC,qBAAqB;QAC7C,2BAA2B,EAAE,GAAG,CAAC,8BAA8B;QAC/D,gBAAgB,EAAE,GAAG,CAAC,mBAAmB;QACzC,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,YAAY,EAAE,GAAG,CAAC,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACjE,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,iBAAiB,EAAE,GAAG,CAAC,mBAAmB;QAC1C,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,eAAe,EAAE,GAAG,CAAC,iBAAiB;QACtC,qBAAqB,EAAE,GAAG,CAAC,uBAAuB;QAClD,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,UAAU,EACR,GAAG,CAAC,6BAA6B,IAAI,GAAG,CAAC,qBAAqB;YAC5D,CAAC,CAAC;gBACE,gBAAgB,EAAE,GAAG,CAAC,6BAA6B;gBACnD,QAAQ,EAAE,GAAG,CAAC,qBAAqB;gBACnC,aAAa,EAAE,GAAG,CAAC,0BAA0B;gBAC7C,SAAS,EAAE,GAAG,CAAC,sBAAsB;gBACrC,uBAAuB,EAAE,GAAG,CAAC,qCAAqC;gBAClE,yBAAyB,EAAE,GAAG,CAAC,wCAAwC,EAAE,KAAK,CAAC,GAAG,CAAC;qBAChF,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;qBACxB,MAAM,CAAC,OAAO,CAAC;aACnB;YACH,CAAC,CAAC,SAAS;QACf,QAAQ,EACN,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,iBAAiB;YACvC,CAAC,CAAC;gBACE,GAAG,EAAE,GAAG,CAAC,YAAY;gBACrB,OAAO,EAAE,GAAG,CAAC,iBAAiB;gBAC9B,cAAc,EAAE,GAAG,CAAC,yBAAyB;aAC9C;YACH,CAAC,CAAC,SAAS;QACf,OAAO,EAAE;YACP,YAAY,EAAE,GAAG,CAAC,qBAAqB;YACvC,cAAc,EAAE,GAAG,CAAC,uBAAuB;SAC5C;QACD,MAAM,EAAE;YACN,YAAY,EAAE,GAAG,CAAC,oBAAoB;YACtC,oBAAoB,EAAE,GAAG,CAAC,8BAA8B;YACxD,cAAc,EAAE,GAAG,CAAC,kBAAkB;YACtC,oBAAoB,EAAE,GAAG,CAAC,8BAA8B;YACxD,KAAK,EAAE,GAAG,CAAC,aAAa;YACxB,aAAa,EAAE,GAAG,CAAC,sBAAsB;YACzC,iBAAiB,EAAE,GAAG,CAAC,0BAA0B;YACjD,eAAe,EAAE,GAAG,CAAC,wBAAwB;YAC7C,eAAe,EAAE,GAAG,CAAC,wBAAwB;SAC9C;QACD,KAAK,EAAE;YACL,SAAS,EAAE,GAAG,CAAC,eAAe;YAC9B,QAAQ,EAAE,GAAG,CAAC,oBAAoB;YAClC,YAAY,EAAE,GAAG,CAAC,yBAAyB;SAC5C;QACD,aAAa,EAAE;YACb,OAAO,EAAE,GAAG,CAAC,YAAY;YACzB,WAAW,EAAE,GAAG,CAAC,iBAAiB;YAClC,cAAc,EAAE,GAAG,CAAC,oBAAoB;YACxC,cAAc,EAAE,GAAG,CAAC,kCAAkC;YACtD,eAAe,EAAE,GAAG,CAAC,mCAAmC;YACxD,aAAa,EAAE,GAAG,CAAC,uBAAuB;YAC1C,QAAQ,EAAE,GAAG,CAAC,cAAc;SAC7B;QACD,MAAM,EACJ,GAAG,CAAC,kBAAkB,IAAI,GAAG,CAAC,kBAAkB;YAC9C,CAAC,CAAC;gBACE,GAAG,EAAE,GAAG,CAAC,kBAAkB;oBACzB,CAAC,CAAC;wBACE,OAAO,EAAE,GAAG,CAAC,kBAAkB;wBAC/B,QAAQ,EAAE,GAAG,CAAC,mBAAmB;wBACjC,MAAM,EAAE,GAAG,CAAC,kBAAkB;wBAC9B,OAAO,EAAE,GAAG,CAAC,mBAAmB;wBAChC,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,OAAO,EAAE,GAAG,CAAC,kBAAkB;qBAChC;oBACH,CAAC,CAAC,SAAS;gBACb,GAAG,EAAE,GAAG,CAAC,kBAAkB;oBACzB,CAAC,CAAC;wBACE,OAAO,EAAE,GAAG,CAAC,kBAAkB;wBAC/B,QAAQ,EAAE,GAAG,CAAC,mBAAmB;wBACjC,MAAM,EAAE,GAAG,CAAC,kBAAkB;wBAC9B,OAAO,EAAE,GAAG,CAAC,mBAAmB;wBAChC,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,OAAO,EAAE,GAAG,CAAC,kBAAkB;qBAChC;oBACH,CAAC,CAAC,SAAS;aACd;YACH,CAAC,CAAC,SAAS;QACf,qEAAqE;QACrE,aAAa,EAAE,GAAG,CAAC,eAAe;QAClC,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,oBAAoB,EAAE,GAAG,CAAC,sBAAsB;QAChD,iBAAiB,EAAE,GAAG,CAAC,mBAAmB;KAC3C,CAAC;IAEF,oEAAoE;IACpE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;QACzB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAChC,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAEjD,uEAAuE;IACvE,MAAM,cAAc,GAAG;QACrB,GAAG,SAAS;QACZ,GAAG,EAAE,SAAS;QACd,QAAQ,EAAE,WAAW,CAAC,MAAM;YAC1B,CAAC,CAAC,CAAC,GAAG,EAAE;gBACJ,kFAAkF;gBAClF,6DAA6D;gBAC7D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;gBAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAChD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC;gBAC5C,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,IAAI,MAAM,CAAC;gBAC7C,IAAI,UAAU,CAAC,OAAO,CAAC;oBAAE,OAAO,OAAO,CAAC;gBACxC,OAAO,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC7B,CAAC,CAAC,EAAE;YACN,CAAC,CAAC,SAAS;QACb,aAAa,EAAE,GAAG,CAAC,eAAe,IAAI,SAAS,CAAC,IAAI;QACpD,gBAAgB,EAAE,GAAG,CAAC,kBAAkB,IAAI,SAAS,CAAC,OAAO;QAC7D,oBAAoB,EAAE,GAAG,CAAC,sBAAsB,IAAI,SAAS,CAAC,WAAW;QACzE,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,EAAE,8CAA8C;QAC1F,aAAa,EAAE;YACb,GAAG,SAAS,CAAC,aAAa;YAC1B,WAAW,EAAE,GAAG,CAAC,iBAAiB,IAAI,SAAS,CAAC,IAAI;YACpD,cAAc,EAAE,GAAG,CAAC,oBAAoB,IAAI,SAAS,CAAC,OAAO;SAC9D;QACD,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,IAAI,SAAS,CAAC,IAAI;KAC7D,CAAC;IAEF,MAAM,YAAY,GAAG,YAAY,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IAE5D,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;QAC1B,6DAA6D;QAC7D,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACzB,OAAO,CAAC,KAAK,CACX,yEAAyE,EACzE,YAAY,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,WAAW,CACzC,CAAC;QACJ,CAAC;QACD,oDAAoD;QACpD,MAAM,kBAAkB,CAAC,oCAAoC,EAAE;YAC7D,gBAAgB,EAAE,YAAY,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,WAAW;SAC3D,CAAC,CAAC;IACL,CAAC;IAED,OAAO,YAAY,CAAC,IAAI,CAAC;AAC3B,CAAC,CAAC;AAEF,IAAI,OAA8B,CAAC;AAEnC;;;;;;;;GAQG;AACH,MAAM,WAAW,GAAG,CAAC,YAAiD,EAAQ,EAAE;IAC9E,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACjE,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,EAAe,EAAE;IACxC,GAAG,CAAC,OAAO,EAAE,IAAI;QACf,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAQ,OAA4C,CAAC,IAAI,CAAC,CAAC;IAC7D,CAAC;IACD,GAAG;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,cAAc;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IACD,GAAG,CAAC,OAAO,EAAE,IAAI;QACf,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,IAAI,IAAI,OAAO,CAAC;IACzB,CAAC;IACD,OAAO;QACL,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC;IACD,wBAAwB,CAAC,OAAO,EAAE,IAAI;QACpC,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,wBAAwB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACxD,CAAC;CACF,CAAC,CAAC;AAOH,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC"}

package/dist/logs/combined.log CHANGED Viewed

@@ -1,6 +1,7 @@
-{"level":40,"time":1778235929533,"env":"testing","version":"0.8.19","pid":78428,"transport":"http","requestId":"Q8627-MFEM4","timestamp":"2026-05-08T10:25:29.532Z","operation":"TransportManager.start","component":"HttpTransportSetup","msg":"MCP_ALLOWED_ORIGINS is not set — CORS is wildcard for CLI clients; browser Origin headers are restricted to loopback. Set MCP_ALLOWED_ORIGINS for production deployments accepting remote browser origins."}
-{"level":40,"time":1778235931406,"env":"testing","version":"0.8.19","pid":78428,"transport":"http","requestId":"Q8627-MFEM4","timestamp":"2026-05-08T10:25:29.532Z","operation":"TransportManager.start","component":"HttpTransportSetup","sessionId":"not-a-real-session-1778235931406","msg":"Session validation failed - invalid or hijacked session"}
-{"level":50,"time":1778235936218,"env":"testing","version":"0.0.0-test","pid":78583,"requestId":"IF69M-6JUK9","timestamp":"2026-05-08T10:25:36.217Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"4b3d45f04700813199bd658614b7755a161937d0cc1af8148285dc3ab3570631","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"4b3d45f04700813199bd658614b7755a161937d0cc1af8148285dc3ab3570631","toolName":"scoped_echo","requestId":"IF69M-6JUK9","timestamp":"2026-05-08T10:25:36.217Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:61:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
-{"level":50,"time":1778235937205,"env":"testing","version":"0.8.19","pid":78590,"requestId":"5EPAW-MLFXN","timestamp":"2026-05-08T10:25:37.204Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"5EPAW-MLFXN","timestamp":"2026-05-08T10:25:37.204Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
-{"level":50,"time":1778235937222,"env":"testing","version":"0.8.19","pid":78590,"requestId":"GJ6K8-V54G5","timestamp":"2026-05-08T10:25:37.222Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"GJ6K8-V54G5","timestamp":"2026-05-08T10:25:37.222Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Token has expired.","originalStack":"McpError: Token has expired.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at handleJoseVerifyError (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/claimParser.js:56:11)\n    at verify (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/strategies/jwtStrategy.js:91:13)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Token has expired.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Token has expired."}
-{"level":50,"time":1778235937225,"env":"testing","version":"0.8.19","pid":78590,"requestId":"8DTH5-7ODPW","timestamp":"2026-05-08T10:25:37.225Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"GET","errorData":{"path":"/mcp","method":"GET","requestId":"8DTH5-7ODPW","timestamp":"2026-05-08T10:25:37.225Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
+{"level":40,"time":1778322012047,"env":"testing","version":"0.8.20","pid":6706,"transport":"http","requestId":"3SC4Y-NFFKI","timestamp":"2026-05-09T10:20:12.046Z","operation":"TransportManager.start","component":"HttpTransportSetup","msg":"MCP_ALLOWED_ORIGINS is not set — CORS is wildcard for CLI clients; browser Origin headers are restricted to loopback. Set MCP_ALLOWED_ORIGINS for production deployments accepting remote browser origins."}
+{"level":40,"time":1778322013773,"env":"testing","version":"0.8.20","pid":6706,"transport":"http","requestId":"3SC4Y-NFFKI","timestamp":"2026-05-09T10:20:12.046Z","operation":"TransportManager.start","component":"HttpTransportSetup","sessionId":"not-a-real-session-1778322013773","msg":"Session validation failed - invalid or hijacked session"}
+{"level":50,"time":1778322017528,"env":"testing","version":"0.0.0-test","pid":6811,"requestId":"QU3EF-R5RW8","timestamp":"2026-05-09T10:20:17.527Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"fbf35dbc4858a178fa50c132fb2262d87a2117a91c00febea446323e361a2f4e","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"fbf35dbc4858a178fa50c132fb2262d87a2117a91c00febea446323e361a2f4e","toolName":"scoped_echo","requestId":"QU3EF-R5RW8","timestamp":"2026-05-09T10:20:17.527Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1778322017536,"env":"testing","version":"0.0.0-test","pid":6811,"requestId":"X42HI-7PFB1","timestamp":"2026-05-09T10:20:17.536Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"8524d804175256c1ed1df4262471fe076057d9f389249c9c82489f52149b4ae4","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"8524d804175256c1ed1df4262471fe076057d9f389249c9c82489f52149b4ae4","toolName":"scoped_echo","requestId":"X42HI-7PFB1","timestamp":"2026-05-09T10:20:17.536Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1778322018932,"env":"testing","version":"0.8.20","pid":6818,"requestId":"99V9S-HO67U","timestamp":"2026-05-09T10:20:18.932Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"99V9S-HO67U","timestamp":"2026-05-09T10:20:18.932Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
+{"level":50,"time":1778322018947,"env":"testing","version":"0.8.20","pid":6818,"requestId":"IVQGQ-3ZJW4","timestamp":"2026-05-09T10:20:18.947Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"IVQGQ-3ZJW4","timestamp":"2026-05-09T10:20:18.947Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Token has expired.","originalStack":"McpError: Token has expired.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at handleJoseVerifyError (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/claimParser.js:72:11)\n    at verify (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/strategies/jwtStrategy.js:91:13)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Token has expired.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Token has expired."}
+{"level":50,"time":1778322018951,"env":"testing","version":"0.8.20","pid":6818,"requestId":"ETG8Y-2LE4J","timestamp":"2026-05-09T10:20:18.951Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"GET","errorData":{"path":"/mcp","method":"GET","requestId":"ETG8Y-2LE4J","timestamp":"2026-05-09T10:20:18.951Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}

package/dist/logs/error.log CHANGED Viewed

@@ -1,4 +1,5 @@
-{"level":50,"time":1778235936218,"env":"testing","version":"0.0.0-test","pid":78583,"requestId":"IF69M-6JUK9","timestamp":"2026-05-08T10:25:36.217Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"4b3d45f04700813199bd658614b7755a161937d0cc1af8148285dc3ab3570631","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"4b3d45f04700813199bd658614b7755a161937d0cc1af8148285dc3ab3570631","toolName":"scoped_echo","requestId":"IF69M-6JUK9","timestamp":"2026-05-08T10:25:36.217Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:61:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
-{"level":50,"time":1778235937205,"env":"testing","version":"0.8.19","pid":78590,"requestId":"5EPAW-MLFXN","timestamp":"2026-05-08T10:25:37.204Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"5EPAW-MLFXN","timestamp":"2026-05-08T10:25:37.204Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
-{"level":50,"time":1778235937222,"env":"testing","version":"0.8.19","pid":78590,"requestId":"GJ6K8-V54G5","timestamp":"2026-05-08T10:25:37.222Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"GJ6K8-V54G5","timestamp":"2026-05-08T10:25:37.222Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Token has expired.","originalStack":"McpError: Token has expired.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at handleJoseVerifyError (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/claimParser.js:56:11)\n    at verify (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/strategies/jwtStrategy.js:91:13)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Token has expired.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Token has expired."}
-{"level":50,"time":1778235937225,"env":"testing","version":"0.8.19","pid":78590,"requestId":"8DTH5-7ODPW","timestamp":"2026-05-08T10:25:37.225Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"GET","errorData":{"path":"/mcp","method":"GET","requestId":"8DTH5-7ODPW","timestamp":"2026-05-08T10:25:37.225Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
+{"level":50,"time":1778322017528,"env":"testing","version":"0.0.0-test","pid":6811,"requestId":"QU3EF-R5RW8","timestamp":"2026-05-09T10:20:17.527Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"fbf35dbc4858a178fa50c132fb2262d87a2117a91c00febea446323e361a2f4e","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"fbf35dbc4858a178fa50c132fb2262d87a2117a91c00febea446323e361a2f4e","toolName":"scoped_echo","requestId":"QU3EF-R5RW8","timestamp":"2026-05-09T10:20:17.527Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1778322017536,"env":"testing","version":"0.0.0-test","pid":6811,"requestId":"X42HI-7PFB1","timestamp":"2026-05-09T10:20:17.536Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"8524d804175256c1ed1df4262471fe076057d9f389249c9c82489f52149b4ae4","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"8524d804175256c1ed1df4262471fe076057d9f389249c9c82489f52149b4ae4","toolName":"scoped_echo","requestId":"X42HI-7PFB1","timestamp":"2026-05-09T10:20:17.536Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n    at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n    at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n    at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n    at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
+{"level":50,"time":1778322018932,"env":"testing","version":"0.8.20","pid":6818,"requestId":"99V9S-HO67U","timestamp":"2026-05-09T10:20:18.932Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"99V9S-HO67U","timestamp":"2026-05-09T10:20:18.932Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
+{"level":50,"time":1778322018947,"env":"testing","version":"0.8.20","pid":6818,"requestId":"IVQGQ-3ZJW4","timestamp":"2026-05-09T10:20:18.947Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"IVQGQ-3ZJW4","timestamp":"2026-05-09T10:20:18.947Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Token has expired.","originalStack":"McpError: Token has expired.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at handleJoseVerifyError (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/claimParser.js:72:11)\n    at verify (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/strategies/jwtStrategy.js:91:13)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Token has expired.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Token has expired."}
+{"level":50,"time":1778322018951,"env":"testing","version":"0.8.20","pid":6818,"requestId":"ETG8Y-2LE4J","timestamp":"2026-05-09T10:20:18.951Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"GET","errorData":{"path":"/mcp","method":"GET","requestId":"ETG8Y-2LE4J","timestamp":"2026-05-09T10:20:18.951Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n    at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n    at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n    at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n    at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n    at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n    at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n    at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}

package/dist/mcp-server/transports/auth/authFactory.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"authFactory.d.ts","sourceRoot":"","sources":["../../../../src/mcp-server/transports/auth/authFactory.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yDAAyD,CAAC;AAM5F;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,IAAI,YAAY,GAAG,IAAI,~~CAuBxD~~"}
1	+ {"version":3,"file":"authFactory.d.ts","sourceRoot":"","sources":["../../../../src/mcp-server/transports/auth/authFactory.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yDAAyD,CAAC;AAM5F;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,IAAI,YAAY,GAAG,IAAI,CAiCxD"}

package/dist/mcp-server/transports/auth/authFactory.js CHANGED Viewed

@@ -23,12 +23,15 @@ export function createAuthStrategy() {
         authMode: config.mcpAuthMode,
     });
     logger.info('Creating authentication strategy...', context);
+    if (config.mcpAuthDisableScopeChecks && config.mcpAuthMode !== 'none') {
+        logger.warning('MCP_AUTH_DISABLE_SCOPE_CHECKS=true — per-tool and runtime scope enforcement is bypassed for every request. Token signature, audience, issuer, and expiry validation are still applied. Combine with server-side ACLs to avoid granting every authenticated user every tool.', context);
+    }
     switch (config.mcpAuthMode) {
         case 'jwt':
             logger.debug('Creating JWT strategy.', context);
             return new JwtStrategy(config, logger);
         case 'oauth':
-            logger.debug('Creating OAuth strategy.', context);
+            logger.info('OAuth mode active. Granted scopes are read from `scp` (array), `scope` (space-delimited), and `mcp_tool_scopes` (custom claim, for OIDC providers that cannot inject scopes into `scope` during authorization_code flow — Authentik, Keycloak <26.5, Zitadel). To bypass per-tool enforcement entirely, set MCP_AUTH_DISABLE_SCOPE_CHECKS=true (combine with server-side ACLs).', context);
             return new OauthStrategy(config, logger);
         case 'none':
             logger.info("Authentication is disabled ('none' mode).", context);

package/dist/mcp-server/transports/auth/authFactory.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"authFactory.js","sourceRoot":"","sources":["../../../../src/mcp-server/transports/auth/authFactory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,OAAO,EAAE,WAAW,EAAE,MAAM,wDAAwD,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,MAAM,0DAA0D,CAAC;AACzF,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAE3E;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,OAAO,GAAG,qBAAqB,CAAC,oBAAoB,CAAC;QACzD,SAAS,EAAE,oBAAoB;QAC/B,QAAQ,EAAE,MAAM,CAAC,WAAW;KAC7B,CAAC,CAAC;IACH,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE,OAAO,CAAC,CAAC;IAE5D,QAAQ,MAAM,CAAC,WAAW,EAAE,CAAC;QAC3B,KAAK,KAAK;YACR,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,OAAO,CAAC,CAAC;YAChD,OAAO,IAAI,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACzC,KAAK,OAAO;YACV,MAAM,CAAC,~~KAAK~~,~~CAAC~~,~~0BAA0B~~,~~EAAE~~,OAAO,~~CAAC~~,CAAC;~~YAClD~~,OAAO,IAAI,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,KAAK,MAAM;YACT,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE,OAAO,CAAC,CAAC;YAClE,OAAO,IAAI,CAAC,CAAC,oBAAoB;QACnC;YACE,mEAAmE;YACnE,mEAAmE;YACnE,MAAM,CAAC,KAAK,CAAC,gCAAgC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;YACpF,MAAM,IAAI,KAAK,CAAC,gCAAgC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC"}
1	+ {"version":3,"file":"authFactory.js","sourceRoot":"","sources":["../../../../src/mcp-server/transports/auth/authFactory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,OAAO,EAAE,WAAW,EAAE,MAAM,wDAAwD,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,MAAM,0DAA0D,CAAC;AACzF,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAE3E;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,OAAO,GAAG,qBAAqB,CAAC,oBAAoB,CAAC;QACzD,SAAS,EAAE,oBAAoB;QAC/B,QAAQ,EAAE,MAAM,CAAC,WAAW;KAC7B,CAAC,CAAC;IACH,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE,OAAO,CAAC,CAAC;IAE5D,IAAI,MAAM,CAAC,yBAAyB,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QACtE,MAAM,CAAC,OAAO,CACZ,6QAA6Q,EAC7Q,OAAO,CACR,CAAC;IACJ,CAAC;IAED,QAAQ,MAAM,CAAC,WAAW,EAAE,CAAC;QAC3B,KAAK,KAAK;YACR,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,OAAO,CAAC,CAAC;YAChD,OAAO,IAAI,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACzC,KAAK,OAAO;YACV,MAAM,CAAC,IAAI,CACT,iXAAiX,EACjX,OAAO,CACR,CAAC;YACF,OAAO,IAAI,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,KAAK,MAAM;YACT,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE,OAAO,CAAC,CAAC;YAClE,OAAO,IAAI,CAAC,CAAC,oBAAoB;QACnC;YACE,mEAAmE;YACnE,mEAAmE;YACnE,MAAM,CAAC,KAAK,CAAC,gCAAgC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;YACpF,MAAM,IAAI,KAAK,CAAC,gCAAgC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC"}

package/dist/mcp-server/transports/auth/lib/authUtils.d.ts CHANGED Viewed

@@ -8,6 +8,9 @@ import { type RequestContext } from '../../../../utils/internal/requestContext.j
  * Checks if the current authentication context contains all the specified scopes.
  * When auth is disabled (`MCP_AUTH_MODE=none`), scope checks are skipped.
  * When auth is enabled and the auth context is missing, fails closed with Unauthorized.
+ * When `MCP_AUTH_DISABLE_SCOPE_CHECKS=true`, scope enforcement is bypassed after the
+ * auth-context presence check; signature, audience, issuer, and expiry validation
+ * remain intact.
  *
  * @param requiredScopes - An array of scope strings that are mandatory for the operation.
  * @param parentContext - Optional parent request context for trace correlation.

package/dist/mcp-server/transports/auth/lib/authUtils.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"authUtils.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authUtils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,EAAE,KAAK,cAAc,EAAyB,MAAM,oCAAoC,CAAC;AAEhG~~;;;;;;;;;GASG~~;AACH,wBAAgB,kBAAkB,CAAC,cAAc,EAAE,MAAM,EAAE,EAAE,aAAa,CAAC,EAAE,cAAc,GAAG,IAAI,~~CA0DjG~~"}
1	+ {"version":3,"file":"authUtils.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authUtils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,EAAE,KAAK,cAAc,EAAyB,MAAM,oCAAoC,CAAC;AAEhG;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,cAAc,EAAE,MAAM,EAAE,EAAE,aAAa,CAAC,EAAE,cAAc,GAAG,IAAI,CAkEjG"}

package/dist/mcp-server/transports/auth/lib/authUtils.js CHANGED Viewed

@@ -12,6 +12,9 @@ import { requestContextService } from '../../../../utils/internal/requestContext
  * Checks if the current authentication context contains all the specified scopes.
  * When auth is disabled (`MCP_AUTH_MODE=none`), scope checks are skipped.
  * When auth is enabled and the auth context is missing, fails closed with Unauthorized.
+ * When `MCP_AUTH_DISABLE_SCOPE_CHECKS=true`, scope enforcement is bypassed after the
+ * auth-context presence check; signature, audience, issuer, and expiry validation
+ * remain intact.
  *
  * @param requiredScopes - An array of scope strings that are mandatory for the operation.
  * @param parentContext - Optional parent request context for trace correlation.
@@ -40,6 +43,10 @@ export function withRequiredScopes(requiredScopes, parentContext) {
         logger.warning('Auth enabled but no authentication context found. Denying request.', initialContext);
         throw unauthorized('Authentication required but no auth context was established.', initialContext);
     }
+    if (config.mcpAuthDisableScopeChecks) {
+        logger.debug('Scope enforcement bypassed (MCP_AUTH_DISABLE_SCOPE_CHECKS=true).', initialContext);
+        return;
+    }
     logger.debug('Performing scope authorization check.', initialContext);
     const { scopes: grantedScopes, clientId, subject } = store.authInfo;
     const grantedScopeSet = new Set(grantedScopes);

package/dist/mcp-server/transports/auth/lib/authUtils.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"authUtils.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authUtils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,iDAAiD,CAAC;AAC9E,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAuB,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAEhG~~;;;;;;;;;GASG~~;AACH,MAAM,UAAU,kBAAkB,CAAC,cAAwB,EAAE,aAA8B;IACzF,MAAM,cAAc,GAAG,aAAa;QAClC,CAAC,CAAC;YACE,GAAG,aAAa;YAChB,SAAS,EAAE,yBAAyB;YACpC,cAAc;SACf;QACH,CAAC,CAAC,qBAAqB,CAAC,oBAAoB,CAAC;YACzC,SAAS,EAAE,yBAAyB;YACpC,iBAAiB,EAAE,EAAE,cAAc,EAAE;SACtC,CAAC,CAAC;IAEP,wFAAwF;IACxF,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,2DAA2D,EAAE,cAAc,CAAC,CAAC;QAC1F,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC;IAErC,uDAAuD;IACvD,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;QACrB,MAAM,CAAC,OAAO,CACZ,oEAAoE,EACpE,cAAc,CACf,CAAC;QACF,MAAM,YAAY,CAChB,8DAA8D,EAC9D,cAAc,CACf,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,uCAAuC,EAAE,cAAc,CAAC,CAAC;IAEtE,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC,QAAQ,CAAC;IACpE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAEpF,MAAM,YAAY,GAAG;QACnB,GAAG,cAAc;QACjB,aAAa;QACb,QAAQ;QACR,OAAO;KACR,CAAC;IAEF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,+EAA+E;QAC/E,MAAM,CAAC,OAAO,CAAC,gDAAgD,EAAE;YAC/D,GAAG,YAAY;YACf,aAAa;SACd,CAAC,CAAC;QACH,2FAA2F;QAC3F,mGAAmG;QACnG,MAAM,SAAS,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,YAAY,CAAC,CAAC;AAChE,CAAC"}
1	+ {"version":3,"file":"authUtils.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authUtils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,iDAAiD,CAAC;AAC9E,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAuB,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAEhG;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,cAAwB,EAAE,aAA8B;IACzF,MAAM,cAAc,GAAG,aAAa;QAClC,CAAC,CAAC;YACE,GAAG,aAAa;YAChB,SAAS,EAAE,yBAAyB;YACpC,cAAc;SACf;QACH,CAAC,CAAC,qBAAqB,CAAC,oBAAoB,CAAC;YACzC,SAAS,EAAE,yBAAyB;YACpC,iBAAiB,EAAE,EAAE,cAAc,EAAE;SACtC,CAAC,CAAC;IAEP,wFAAwF;IACxF,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,2DAA2D,EAAE,cAAc,CAAC,CAAC;QAC1F,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC;IAErC,uDAAuD;IACvD,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;QACrB,MAAM,CAAC,OAAO,CACZ,oEAAoE,EACpE,cAAc,CACf,CAAC;QACF,MAAM,YAAY,CAChB,8DAA8D,EAC9D,cAAc,CACf,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,yBAAyB,EAAE,CAAC;QACrC,MAAM,CAAC,KAAK,CACV,kEAAkE,EAClE,cAAc,CACf,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,uCAAuC,EAAE,cAAc,CAAC,CAAC;IAEtE,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC,QAAQ,CAAC;IACpE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAEpF,MAAM,YAAY,GAAG;QACnB,GAAG,cAAc;QACjB,aAAa;QACb,QAAQ;QACR,OAAO;KACR,CAAC;IAEF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,+EAA+E;QAC/E,MAAM,CAAC,OAAO,CAAC,gDAAgD,EAAE;YAC/D,GAAG,YAAY;YACf,aAAa;SACd,CAAC,CAAC;QACH,2FAA2F;QAC3F,mGAAmG;QACnG,MAAM,SAAS,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,YAAY,CAAC,CAAC;AAChE,CAAC"}

package/dist/mcp-server/transports/auth/lib/checkScopes.d.ts CHANGED Viewed

@@ -10,6 +10,10 @@ import type { Context } from '../../../../core/context.js';
  * directly from `ctx.auth`. Throws `McpError(Forbidden)` if scopes are
  * insufficient. No-ops when auth is disabled (`MCP_AUTH_MODE=none`).
  * Throws `Unauthorized` when auth is enabled but `ctx.auth` is absent.
+ * When `MCP_AUTH_DISABLE_SCOPE_CHECKS=true`, returns silently after the
+ * `ctx.auth` presence check — bypassing scope enforcement for runtime-computed
+ * patterns (e.g. tenant isolation) while keeping every other token validation
+ * intact.
  *
  * @example
  * ```ts

package/dist/mcp-server/transports/auth/lib/checkScopes.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"checkScopes.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/checkScopes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAGjD~~;;;;;;;;;;;;;;;GAeG~~;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,IAAI,~~CAqBxE~~"}
1	+ {"version":3,"file":"checkScopes.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/checkScopes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAGjD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,IAAI,CAyBxE"}

package/dist/mcp-server/transports/auth/lib/checkScopes.js CHANGED Viewed

@@ -11,6 +11,10 @@ import { forbidden, unauthorized } from '../../../../types-global/errors.js';
  * directly from `ctx.auth`. Throws `McpError(Forbidden)` if scopes are
  * insufficient. No-ops when auth is disabled (`MCP_AUTH_MODE=none`).
  * Throws `Unauthorized` when auth is enabled but `ctx.auth` is absent.
+ * When `MCP_AUTH_DISABLE_SCOPE_CHECKS=true`, returns silently after the
+ * `ctx.auth` presence check — bypassing scope enforcement for runtime-computed
+ * patterns (e.g. tenant isolation) while keeping every other token validation
+ * intact.
  *
  * @example
  * ```ts
@@ -29,6 +33,9 @@ export function checkScopes(ctx, requiredScopes) {
     if (!ctx.auth) {
         throw unauthorized('Authentication required but no auth context was established.');
     }
+    if (config.mcpAuthDisableScopeChecks) {
+        return;
+    }
     const grantedScopeSet = new Set(ctx.auth.scopes);
     const missingScopes = requiredScopes.filter((scope) => !grantedScopeSet.has(scope));
     if (missingScopes.length > 0) {

package/dist/mcp-server/transports/auth/lib/checkScopes.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"checkScopes.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/checkScopes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAEnE~~;;;;;;;;;;;;;;;GAeG~~;AACH,MAAM,UAAU,WAAW,CAAC,GAAY,EAAE,cAAwB;IAChE,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QAClC,OAAO;IACT,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,YAAY,CAAC,8DAA8D,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAEpF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,gFAAgF;QAChF,mEAAmE;QACnE,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,gDAAgD,EAAE;YAChE,cAAc;YACd,aAAa;SACd,CAAC,CAAC;QACH,MAAM,SAAS,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC"}
1	+ {"version":3,"file":"checkScopes.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/checkScopes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAEnE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,WAAW,CAAC,GAAY,EAAE,cAAwB;IAChE,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QAClC,OAAO;IACT,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,YAAY,CAAC,8DAA8D,CAAC,CAAC;IACrF,CAAC;IAED,IAAI,MAAM,CAAC,yBAAyB,EAAE,CAAC;QACrC,OAAO;IACT,CAAC;IAED,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAEpF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,gFAAgF;QAChF,mEAAmE;QACnE,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,gDAAgD,EAAE;YAChE,cAAc;YACd,aAAa;SACd,CAAC,CAAC;QACH,MAAM,SAAS,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC"}

package/dist/mcp-server/transports/auth/lib/claimParser.d.ts CHANGED Viewed

@@ -12,7 +12,11 @@ import type { AuthInfo } from '../../../../mcp-server/transports/auth/lib/authTy
  *
  * Claim resolution order:
  * - **clientId**: `cid` (Okta) → `client_id` (OAuth 2.1 standard)
- * - **scopes**: `scp` (Okta, array) → `scope` (standard, space-delimited string)
+ * - **scopes**: union of `scp` (Okta, array), `scope` (standard, space-delimited string),
+ *   and `mcp_tool_scopes` (custom claim for OIDC providers that cannot inject scopes
+ *   into `scope` during the `authorization_code` flow — Authentik, Keycloak < 26.5,
+ *   Zitadel). Operators add a property mapping returning
+ *   `{"mcp_tool_scopes": "tool:foo:read tool:bar:write"}` (string or array form accepted).
  * - **subject**: `sub` (standard)
  * - **tenantId**: `tid` (Azure AD / custom)
  * - **expiresAt**: `exp` (standard, seconds since epoch)

package/dist/mcp-server/transports/auth/lib/claimParser.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"claimParser.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/claimParser.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,+CAA+C,CAAC;~~AAG9E;;;;;;;;;;;GAWG~~;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,QAAQ,~~CA+BpF~~;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,GAAG,KAAK,CAOpF"}
1	+ {"version":3,"file":"claimParser.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/claimParser.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,+CAA+C,CAAC;AAkB9E;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,QAAQ,CA8BpF;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,GAAG,KAAK,CAOpF"}

package/dist/mcp-server/transports/auth/lib/claimParser.js CHANGED Viewed

@@ -1,10 +1,28 @@
 import { McpError, unauthorized } from '../../../../types-global/errors.js';
+/**
+ * Extracts a list of scope strings from a JWT claim value, accepting both
+ * array and space-delimited string forms. Non-string array entries cause
+ * the claim to be ignored entirely. Empty-string entries are dropped.
+ */
+function extractStringScopes(value) {
+    if (Array.isArray(value) && value.every((s) => typeof s === 'string')) {
+        return value.filter((s) => s.length > 0);
+    }
+    if (typeof value === 'string' && value.trim()) {
+        return value.split(' ').filter(Boolean);
+    }
+    return [];
+}
 /**
  * Builds an {@link AuthInfo} from a raw token string and decoded JWT payload.
  *
  * Claim resolution order:
  * - **clientId**: `cid` (Okta) → `client_id` (OAuth 2.1 standard)
- * - **scopes**: `scp` (Okta, array) → `scope` (standard, space-delimited string)
+ * - **scopes**: union of `scp` (Okta, array), `scope` (standard, space-delimited string),
+ *   and `mcp_tool_scopes` (custom claim for OIDC providers that cannot inject scopes
+ *   into `scope` during the `authorization_code` flow — Authentik, Keycloak < 26.5,
+ *   Zitadel). Operators add a property mapping returning
+ *   `{"mcp_tool_scopes": "tool:foo:read tool:bar:write"}` (string or array form accepted).
  * - **subject**: `sub` (standard)
  * - **tenantId**: `tid` (Azure AD / custom)
  * - **expiresAt**: `exp` (standard, seconds since epoch)
@@ -20,13 +38,11 @@ export function buildAuthInfoFromClaims(token, payload) {
     if (!clientId) {
         throw unauthorized("Invalid token: missing 'cid' or 'client_id' claim.");
     }
-    let scopes = [];
-    if (Array.isArray(payload.scp) && payload.scp.every((s) => typeof s === 'string')) {
-        scopes = payload.scp;
-    }
-    else if (typeof payload.scope === 'string' && payload.scope.trim()) {
-        scopes = payload.scope.split(' ').filter(Boolean);
-    }
+    const scopes = [
+        ...extractStringScopes(payload.scp),
+        ...extractStringScopes(payload.scope),
+        ...extractStringScopes(payload.mcp_tool_scopes),
+    ];
     if (scopes.length === 0) {
         throw unauthorized('Token must contain valid, non-empty scopes.');
     }

package/dist/mcp-server/transports/auth/lib/claimParser.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"claimParser.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/claimParser.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAElE~~;;;;;;;;;;;GAWG~~;AACH,~~MAAM~~,~~UAAU~~,~~uBAAuB,~~CAAC,~~KAAa,EAAE,OAAmB~~;~~IACxE~~,~~MAAM~~,~~QAAQ~~,~~GACZ~~,OAAO,~~OAAO~~,CAAC,~~GAAG~~,KAAK,~~QAAQ;QAC7B~~,CAAC,CAAC,~~OAAO,~~CAAC,~~GAAG;QACb~~,~~CAAC~~,CAAC,OAAO,~~OAAO,~~CAAC,~~SAAS,~~KAAK,QAAQ~~;YACrC~~,CAAC,~~CAAC~~,~~OAAO,~~CAAC~~,SAAS~~;~~YACnB~~,~~CAAC~~,CAAC,~~SAAS~~,CAAC~~;IAElB~~,~~IAAI~~,CAAC,~~QAAQ~~,EAAE,CAAC~~;QACd~~,MAAM,~~YAAY~~,CAAC,~~oDAAoD,~~CAAC,CAAC;~~IAC3E~~,CAAC;~~IAED~~,IAAI,~~MAAM~~,~~GAAa~~,~~EAAE~~,~~CAAC;IAC1B~~,IAAI,KAAK,CAAC,~~OAAO~~,CAAC,OAAO,CAAC,~~GAAG~~,CAAC,~~IAAI~~,~~OAAO~~,CAAC,~~GAAG~~,CAAC,~~KAAK~~,CAAC,CAAC,CAAC,~~EAAE~~,EAAE,CAAC,~~OAAO,~~CAAC,~~KAAK~~,~~QAAQ~~,CAAC,EAAE,~~CAAC~~;~~QAClF~~,MAAM,~~GAAG~~,OAAO,CAAC,GAAG,~~CAAC~~;~~IACvB~~,CAAC;~~SAAM~~,~~IAAI~~,OAAO,OAAO,CAAC,~~KAAK~~,KAAK,QAAQ,~~IAAI~~,OAAO,CAAC,~~KAAK~~,CAAC,IAAI,~~EAAE~~,EAAE,CAAC;~~QACrE~~,MAAM,GAAG,~~OAAO~~,CAAC,~~KAAK~~,CAAC,~~KAAK~~,CAAC,GAAG,CAAC,CAAC,~~MAAM~~,CAAC,OAAO,CAAC,CAAC;~~IACpD~~,CAAC;~~IAED~~,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,CAAC,6CAA6C,CAAC,CAAC;IACpE,CAAC;IAED,OAAO;QACL,KAAK;QACL,QAAQ;QACR,MAAM;QACN,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QAChE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACjE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACnE,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAc,EAAE,eAAuB;IAC3E,IAAI,KAAK,YAAY,QAAQ;QAAE,MAAM,KAAK,CAAC;IAE3C,MAAM,OAAO,GACX,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,eAAe,CAAC;IAEjG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;AAC9B,CAAC"}
1	+ {"version":3,"file":"claimParser.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/claimParser.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,KAAc;IACzC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QACtE,OAAQ,KAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QAC9C,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,uBAAuB,CAAC,KAAa,EAAE,OAAmB;IACxE,MAAM,QAAQ,GACZ,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAC7B,CAAC,CAAC,OAAO,CAAC,GAAG;QACb,CAAC,CAAC,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACrC,CAAC,CAAC,OAAO,CAAC,SAAS;YACnB,CAAC,CAAC,SAAS,CAAC;IAElB,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,YAAY,CAAC,oDAAoD,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,MAAM,GAAG;QACb,GAAG,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC;QACnC,GAAG,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC;QACrC,GAAG,mBAAmB,CAAC,OAAO,CAAC,eAAe,CAAC;KAChD,CAAC;IAEF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,CAAC,6CAA6C,CAAC,CAAC;IACpE,CAAC;IAED,OAAO;QACL,KAAK;QACL,QAAQ;QACR,MAAM;QACN,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QAChE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACjE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACnE,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAc,EAAE,eAAuB;IAC3E,IAAI,KAAK,YAAY,QAAQ;QAAE,MAAM,KAAK,CAAC;IAE3C,MAAM,OAAO,GACX,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,eAAe,CAAC;IAEjG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;AAC9B,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cyanheads/mcp-ts-core",
-  "version": "0.8.19",
+  "version": "0.8.20",
   "mcpName": "io.github.cyanheads/mcp-ts-core",
   "description": "Agent-native TypeScript framework for building MCP servers. Declarative definitions with auth, multi-backend storage, OpenTelemetry, and first-class support for Bun/Node/Cloudflare Workers.",
   "main": "dist/core/index.js",
@@ -166,7 +166,7 @@
   "devDependencies": {
     "@biomejs/biome": "2.4.14",
     "@cloudflare/vitest-pool-workers": "^0.16.3",
-    "@cloudflare/workers-types": "^4.20260508.1",
+    "@cloudflare/workers-types": "^4.20260509.1",
     "@duckdb/node-api": "^1.5.2-r.1",
     "@hono/otel": "^1.1.2",
     "@opentelemetry/exporter-metrics-otlp-http": "^0.217.0",
@@ -178,7 +178,7 @@
     "@opentelemetry/sdk-node": "^0.217.0",
     "@opentelemetry/sdk-trace-node": "^2.7.1",
     "@opentelemetry/semantic-conventions": "^1.40.0",
-    "@supabase/supabase-js": "^2.105.3",
+    "@supabase/supabase-js": "^2.105.4",
     "@types/bun": "^1.3.13",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^25.6.2",

package/skills/api-auth/SKILL.md CHANGED Viewed

@@ -4,7 +4,7 @@ description: >
   Authentication, authorization, and multi-tenancy patterns for `@cyanheads/mcp-ts-core`. Use when implementing auth scopes on tools/resources, configuring auth modes (none/jwt/oauth), working with JWT/OAuth env vars, or understanding how tenantId flows through ctx.state.
 metadata:
   author: cyanheads
-  version: "1.0"
+  version: "1.1"
   audience: external
   type: reference
 ---
@@ -94,10 +94,44 @@ Set via `MCP_AUTH_MODE` environment variable.
 | Claim | JWT Field | Purpose |
 |:------|:----------|:--------|
 | `clientId` | `cid` / `client_id` | Identifies the calling client |
-| `scopes` | `scp` / `scope` | Space-separated list of granted scopes |
+| `scopes` | union of `scp`, `scope`, `mcp_tool_scopes` | Granted scope list (see below) |
 | `sub` | `sub` | Subject (user or service identity) |
 | `tenantId` | `tid` | Tenant identifier — drives `ctx.state` scoping |
+`scopes` is the **union** of three claims, in this order:
+| Claim | Form | Source |
+|:------|:-----|:-------|
+| `scp` | array of strings | Okta-style |
+| `scope` | space-delimited string | OAuth 2.1 / OIDC standard |
+| `mcp_tool_scopes` | array of strings **or** space-delimited string | Custom claim for OIDC providers that cannot inject scopes into `scope` during the `authorization_code` flow (Authentik, Keycloak < 26.5, Zitadel) |
+Auth0/Okta-style providers that already populate `scp` or `scope` need no migration. Other deployments add a property mapping returning `{"mcp_tool_scopes": "tool:foo:read tool:bar:write"}` — the framework unions it into `ctx.auth.scopes` alongside the standard claims. Hardcoded claim name; deployments whose IdP cannot emit `mcp_tool_scopes` use the bypass flag below.
+### OIDC operator setup (Authentik / Keycloak / Zitadel)
+Standard OIDC providers compute the JWT `scope` claim from what the OAuth client requested at the authorization endpoint and ignore property mappings that try to override `scope` in the `authorization_code` flow. Property mappings that inject **other** claim names work fine. To grant per-tool scopes to a Claude.ai or ChatGPT custom connector that doesn't expose scope customization, configure your IdP to return the per-tool scopes under `mcp_tool_scopes` instead of overriding `scope`.
+| Provider | Where to configure |
+|:---------|:--------------------|
+| Authentik | Customization → Property Mappings → new "Scope Mapping" returning `{"mcp_tool_scopes": "tool:foo:read tool:bar:write"}`; bind to the OAuth2/OpenID provider |
+| Keycloak (< 26.5) | Client → Client Scopes → Mappers → new "Hardcoded claim" or "Script Mapper" emitting `mcp_tool_scopes` |
+| Zitadel | Project → Roles + Action returning `{"mcp_tool_scopes": "..."}` from a pre-token script |
+Keycloak ≥ 26.5 ships native MCP integration support; check its release notes before falling back to a custom claim.
+### Bypass flag
+For environments where no custom claim can be injected (managed services, restricted IdPs), set `MCP_AUTH_DISABLE_SCOPE_CHECKS=true` to bypass scope enforcement entirely.
+| Variable | Default | Effect |
+|:---------|:--------|:-------|
+| `MCP_AUTH_DISABLE_SCOPE_CHECKS` | `false` | When `true`, both `withRequiredScopes` (declared `auth: [...]`) and `checkScopes` (runtime-computed scopes inside handlers) early-return after the auth-context presence check. Token signature, audience, issuer, and expiry validation remain intact. |
+The flag bypasses **both** declared `auth: [...]` enforcement and runtime `checkScopes` calls — including tenant isolation patterns like `team:${input.teamId}:write`. Naming is deliberate: this disables all scope checks, not just per-tool ones. Applies to `MCP_AUTH_MODE=jwt` and `MCP_AUTH_MODE=oauth` (no effect under `none`).
+A `WARNING`-level log is emitted at startup whenever the flag is active so operators don't lose track of it. Combine with server-side ACLs (path filters, allowlists, tenant rules) — without an in-handler ACL, every authenticated user effectively has every scope.
 ---
 ## Endpoints
@@ -160,7 +194,7 @@ Available on `ctx.auth` inside handlers (when auth is enabled):
 ```ts
 interface AuthContext {
   clientId: string;        // Required — 'cid' or 'client_id' JWT claim
-  scopes: string[];        // Required — derived from 'scp' or 'scope' claim
+  scopes: string[];        // Required — union of 'scp', 'scope', and 'mcp_tool_scopes' claims
   sub: string;             // Required — 'sub' claim; falls back to clientId when absent
   token: string;           // Required — raw JWT or OAuth bearer token string
   tenantId?: string;       // Optional — 'tid' claim; present only for multi-tenant tokens

package/skills/api-config/SKILL.md CHANGED Viewed

@@ -4,7 +4,7 @@ description: >
   Reference for core and server configuration in `@cyanheads/mcp-ts-core`. Covers env var tables with defaults, priority order, server-specific Zod schema pattern, and Workers lazy-parsing requirement.
 metadata:
   author: cyanheads
-  version: "1.3"
+  version: "1.4"
   audience: external
   type: reference
 ---
@@ -68,6 +68,7 @@ Managed by `@cyanheads/mcp-ts-core`. Validated via Zod from environment variable
 |:--------|:-----------------|:--------|:------|
 | `MCP_AUTH_MODE` | `mcpAuthMode` | `none` | `none` \| `jwt` \| `oauth` |
 | `MCP_AUTH_SECRET_KEY` | `mcpAuthSecretKey` | — | Required for `jwt` mode; min 32 chars |
+| `MCP_AUTH_DISABLE_SCOPE_CHECKS` | `mcpAuthDisableScopeChecks` | `false` | When `true`, bypasses both `withRequiredScopes` (declared `auth: [...]`) and `checkScopes` (runtime/tenant scopes). Token validation (sig/aud/iss/exp) intact. Logs a `WARNING` at startup. See `api-auth` skill. |
 | `OAUTH_ISSUER_URL` | `oauthIssuerUrl` | — | Required for `oauth` mode |
 | `OAUTH_AUDIENCE` | `oauthAudience` | — | Required for `oauth` mode |
 | `OAUTH_JWKS_URI` | `oauthJwksUri` | — | Override JWKS endpoint (otherwise derived from issuer) |

package/skills/security-pass/SKILL.md CHANGED Viewed

@@ -4,7 +4,7 @@ description: >
   Review an MCP server for common security gaps: LLM-facing surfaces as injection vector (tools, resources, prompts, descriptions), scope blast radius, destructive ops without consent, upstream auth shape, input sinks (URL / path / roots / shell / sampling / schema strictness / ReDoS), tenant isolation, leakage through errors and telemetry, unbounded resources, and HTTP-mode deployment surface. Use before a release, after a batch of handler changes, or when the user asks for a security review, audit, or hardening pass. Produces grouped findings and a numbered options list.
 metadata:
   author: cyanheads
-  version: "1.3"
+  version: "1.4"
   audience: external
   type: audit
 ---
@@ -104,8 +104,9 @@ grep -rn "auth: \[" src/mcp-server/tools/definitions/
 - Tools with `['admin']`, `['*']`, or `[]`?
 - A single scope covering two capabilities that should be separated (read vs write)?
 - Read-only tools never require write scopes?
+- `MCP_AUTH_DISABLE_SCOPE_CHECKS=true` set in production? When on, both `withRequiredScopes` and `checkScopes` early-return — every authenticated user gets every tool, and runtime tenant patterns like `team:${input.teamId}:write` no longer guard. Acceptable only when paired with a real server-side ACL (path filter, allowlist, upstream API enforcement).
-**Smell:** every tool shares the same scope string.
+**Smell:** every tool shares the same scope string. Or: `MCP_AUTH_DISABLE_SCOPE_CHECKS=true` set without a documented compensating ACL — confirm the deployment relies on a meaningful access control layer below the framework before approving.
 #### Axis 3 — Destructive ops without elicit

package/skills/tool-defs-analysis/SKILL.md CHANGED Viewed

@@ -4,7 +4,7 @@ description: >
   Read-only audit of MCP definition language across an existing surface — tools, resources, prompts. Walks every definition file and checks 10 categories the LLM reads to decide whether and how to call: voice & tense, internal leaks, audience leaks, defaults, recovery hints, output descriptions, cross-references, sparsity, examples, structure. Produces grouped findings with file:line citations and a numbered options list. Use during polish, after a refactor, or before a release. Complements `field-test` (behavior testing) and `security-pass` (security audit).
 metadata:
   author: cyanheads
-  version: "1.0"
+  version: "1.1"
   audience: external
   type: audit
 ---
@@ -105,7 +105,7 @@ Prior art: #74. Field-test catches this in its leak audit; this skill is the mor
 **Check:** the hint directs the *agent* to its next action, not the developer to debugging. "Call `pubmed_search` with a narrower query" beats "Verify the configuration is correct" or "Internal error".
-**Smell:** "Check the logs", "See documentation", "Contact admin", "Try again later" (with no condition), generic non-actionable text, hints that name internal classes, files, or env vars.
+**Smell:** "Check the logs", "See documentation", "Contact admin", "Try again later" (with no condition), generic non-actionable text, hints that name internal classes or files.
 #### 6. Output descriptions