@cyanheads/mcp-ts-core 0.8.19 → 0.8.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28) hide show
  1. package/CLAUDE.md +4 -2
  2. package/changelog/0.8.x/0.8.20.md +26 -0
  3. package/dist/config/index.d.ts +3 -0
  4. package/dist/config/index.d.ts.map +1 -1
  5. package/dist/config/index.js +11 -0
  6. package/dist/config/index.js.map +1 -1
  7. package/dist/logs/combined.log +7 -6
  8. package/dist/logs/error.log +5 -4
  9. package/dist/mcp-server/transports/auth/authFactory.d.ts.map +1 -1
  10. package/dist/mcp-server/transports/auth/authFactory.js +4 -1
  11. package/dist/mcp-server/transports/auth/authFactory.js.map +1 -1
  12. package/dist/mcp-server/transports/auth/lib/authUtils.d.ts +3 -0
  13. package/dist/mcp-server/transports/auth/lib/authUtils.d.ts.map +1 -1
  14. package/dist/mcp-server/transports/auth/lib/authUtils.js +7 -0
  15. package/dist/mcp-server/transports/auth/lib/authUtils.js.map +1 -1
  16. package/dist/mcp-server/transports/auth/lib/checkScopes.d.ts +4 -0
  17. package/dist/mcp-server/transports/auth/lib/checkScopes.d.ts.map +1 -1
  18. package/dist/mcp-server/transports/auth/lib/checkScopes.js +7 -0
  19. package/dist/mcp-server/transports/auth/lib/checkScopes.js.map +1 -1
  20. package/dist/mcp-server/transports/auth/lib/claimParser.d.ts +5 -1
  21. package/dist/mcp-server/transports/auth/lib/claimParser.d.ts.map +1 -1
  22. package/dist/mcp-server/transports/auth/lib/claimParser.js +24 -8
  23. package/dist/mcp-server/transports/auth/lib/claimParser.js.map +1 -1
  24. package/package.json +3 -3
  25. package/skills/api-auth/SKILL.md +37 -3
  26. package/skills/api-config/SKILL.md +2 -1
  27. package/skills/security-pass/SKILL.md +3 -2
  28. package/skills/tool-defs-analysis/SKILL.md +2 -2
package/CLAUDE.md CHANGED
@@ -1,7 +1,7 @@
1
1
  # Developer Protocol
2
2
 
3
3
  **Package:** `@cyanheads/mcp-ts-core`
4
- **Version:** 0.8.19
4
+ **Version:** 0.8.20
5
5
  **Engines:** Bun ≥1.3.0, Node ≥24.0.0
6
6
  **MCP SDK:** `@modelcontextprotocol/sdk` ^1.29.0
7
7
  **Zod:** ^4.4.3
@@ -439,6 +439,8 @@ Pick one convention per server and stay consistent. Verbs are typically `read`,
439
439
 
440
440
  **Modes** (`MCP_AUTH_MODE`): `none` (default) | `jwt` (local secret via `MCP_AUTH_SECRET_KEY`) | `oauth` (JWKS via `OAUTH_ISSUER_URL`, `OAUTH_AUDIENCE`). See `api-auth` skill for claims, CORS, and detailed config.
441
441
 
442
+ **Granted scopes** are unioned from `scp`, `scope`, and `mcp_tool_scopes` JWT claims. The `mcp_tool_scopes` custom claim is the supported escape hatch for OIDC providers (Authentik, Keycloak < 26.5, Zitadel) that ignore property mappings overriding `scope` in `authorization_code` flow. For deployments where no custom claim can be injected, `MCP_AUTH_DISABLE_SCOPE_CHECKS=true` bypasses both `withRequiredScopes` and `checkScopes` after the auth-context presence check (signature/audience/issuer/expiry validation intact). A `WARNING` is logged at startup whenever the bypass is active.
443
+
442
444
  ---
443
445
 
444
446
  ## Configuration
@@ -450,7 +452,7 @@ Managed by `@cyanheads/mcp-ts-core`. Validated via Zod. Precedence: `createApp()
450
452
  | Category | Key Variables |
451
453
  |:---------|:-------------|
452
454
  | Transport | `MCP_TRANSPORT_TYPE` (`stdio`\|`http`), `MCP_HTTP_PORT`, `MCP_HTTP_HOST`, `MCP_HTTP_ENDPOINT_PATH` |
453
- | Auth | `MCP_AUTH_MODE`, `MCP_AUTH_SECRET_KEY`, `OAUTH_*` |
455
+ | Auth | `MCP_AUTH_MODE`, `MCP_AUTH_SECRET_KEY`, `MCP_AUTH_DISABLE_SCOPE_CHECKS`, `OAUTH_*` |
454
456
  | Storage | `STORAGE_PROVIDER_TYPE` (`in-memory`\|`filesystem`\|`supabase`\|`cloudflare-r2`\|`cloudflare-kv`\|`cloudflare-d1`) |
455
457
  | LLM | `OPENROUTER_API_KEY`, `OPENROUTER_APP_URL/NAME`, `LLM_DEFAULT_*` |
456
458
  | Telemetry | `OTEL_ENABLED`, `OTEL_SERVICE_NAME/VERSION`, `OTEL_EXPORTER_OTLP_*` |
package/changelog/0.8.x/0.8.20.md ADDED
@@ -0,0 +1,26 @@
1
+ ---
2
+ summary: "`mcp_tool_scopes` claim union + `MCP_AUTH_DISABLE_SCOPE_CHECKS` bypass ([#128](https://github.com/cyanheads/mcp-ts-core/issues/128)) — operator escape hatches for OIDC providers that can't inject scopes into `scope`."
3
+ breaking: false
4
+ security: false
5
+ ---
6
+
7
+ # 0.8.20 — 2026-05-09
8
+
9
+ Two operator escape hatches for the standard OIDC reality. Authentik, Keycloak < 26.5, and Zitadel issue `authorization_code` tokens whose `scope` claim is fixed at `openid email profile offline_access` — property mappings can't override it, so per-tool scopes can't be injected the standard way. The framework now reads granted scopes from a 3-claim union (`scp` + `scope` + new `mcp_tool_scopes`), and ships an explicit bypass for deployments where no claim-injection path exists at all.
10
+
11
+ ## Added
12
+
13
+ - **`mcp_tool_scopes` JWT claim** ([#128](https://github.com/cyanheads/mcp-ts-core/issues/128)) — operator-defined custom claim parsed alongside `scp` and `scope`. Accepts space-delimited string (`"tool:foo:read tool:bar:write"`) or array form. Empty-string entries are dropped; arrays containing any non-string entry cause the claim to be ignored entirely. Documented in the `api-auth` skill as the OIDC operator setup path.
14
+ - **`MCP_AUTH_DISABLE_SCOPE_CHECKS` env var** (`mcpAuthDisableScopeChecks`, default `false`) — when `true`, bypasses both `withRequiredScopes` (declared `auth: [...]`) and `checkScopes` (runtime-computed scopes inside handlers, including tenant patterns like `team:${input.teamId}:write`) after the auth-context presence check. Token signature, audience, issuer, and expiry validation remain intact. `authFactory` logs a `WARNING` whenever the bypass is active under a non-`none` auth mode. Combine with server-side ACLs — without an in-handler ACL, every authenticated user effectively has every scope.
15
+ - **`extractStringScopes` helper** in `claimParser.ts` — shared parser for the three claim sites; handles both array and space-delimited string forms, drops empty-string array entries, ignores arrays with non-string members.
16
+
17
+ ## Changed
18
+
19
+ - **Granted scopes are now a union of `scp`, `scope`, and `mcp_tool_scopes`** — previously `scp` took precedence and `scope` was only read as a fallback. Operator-visible behavior change for tokens that populate both `scp` and `scope`: those tokens now receive the union of both claims. The Okta-only and OIDC-only cases (the common shapes) are unaffected.
20
+ - **`authFactory`** — OAuth-mode startup log upgraded from `debug` to `info` with claim-resolution guidance and a pointer to the bypass flag for ops without claim-injection control.
21
+ - **`tool-defs-analysis` skill** 1.0 → 1.1 ([#127](https://github.com/cyanheads/mcp-ts-core/issues/127)) — drops "or env vars" from the recovery-hints smell list. Env var names are actionable: the agent can name the var the user must set or rotate. Internal class names and file paths remain smells.
22
+ - **Skill bumps:** `api-auth` 1.0 → 1.1 (claims mapping table, OIDC operator setup section, bypass flag docs), `api-config` 1.3 → 1.4 (env-var table row), `security-pass` 1.3 → 1.4 (Axis 2 check item: bypass-in-production warning).
23
+
24
+ ## Fixed
25
+
26
+ - **`extractStringScopes` no longer leaks empty-string entries** through array-form claims. Pre-change array handling preserved `['', 'real-scope']` as-is, leaving an empty entry in the granted set. Practical exploitability was bounded (required scopes are non-empty static strings, so `Set.has('')` returned `false`), but the inconsistency vs. the string-path's `.trim()` check is now closed.
package/dist/config/index.d.ts CHANGED
@@ -61,6 +61,7 @@ declare const ConfigSchema: z.ZodObject<{
61
61
  oauth: "oauth";
62
62
  none: "none";
63
63
  }>>>;
64
+ mcpAuthDisableScopeChecks: z.ZodDefault<z.ZodPreprocess<z.ZodBoolean>>;
64
65
  oauthIssuerUrl: z.ZodOptional<z.ZodURL>;
65
66
  oauthJwksUri: z.ZodOptional<z.ZodURL>;
66
67
  oauthAudience: z.ZodOptional<z.ZodString>;
@@ -189,6 +190,7 @@ declare const parseConfig: (envOverrides?: Record<string, string | undefined>) =
189
190
  mcpHeartbeatIntervalMs: number;
190
191
  mcpHeartbeatMissThreshold: number;
191
192
  mcpAuthMode: "jwt" | "oauth" | "none";
193
+ mcpAuthDisableScopeChecks: boolean;
192
194
  oauthJwksCooldownMs: number;
193
195
  oauthJwksTimeoutMs: number;
194
196
  devMcpAuthBypass: boolean;
@@ -317,6 +319,7 @@ declare const config: {
317
319
  mcpHeartbeatIntervalMs: number;
318
320
  mcpHeartbeatMissThreshold: number;
319
321
  mcpAuthMode: "jwt" | "oauth" | "none";
322
+ mcpAuthDisableScopeChecks: boolean;
320
323
  oauthJwksCooldownMs: number;
321
324
  oauthJwksTimeoutMs: number;
322
325
  devMcpAuthBypass: boolean;
package/dist/config/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAcxB,wEAAwE;AACxE,eAAO,MAAM,cAAc,2BAA2B,CAAC;AACvD,eAAO,MAAM,iBAAiB,QAAkC,CAAC;AA4CjE,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA0Ud,CAAC;AAGL,QAAA,MAAM,WAAW,GAAI,eAAe,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkMrE,CAAC;AAIF;;;;;;;;GAQG;AACH,QAAA,MAAM,WAAW,GAAI,eAAe,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,KAAG,IAExE,CAAC;AAEF;;;;;;GAMG;AACH,QAAA,MAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuBV,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAErD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAcxB,wEAAwE;AACxE,eAAO,MAAM,cAAc,2BAA2B,CAAC;AACvD,eAAO,MAAM,iBAAiB,QAAkC,CAAC;AA4CjE,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoVd,CAAC;AAGL,QAAA,MAAM,WAAW,GAAI,eAAe,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmMrE,CAAC;AAIF;;;;;;;;GAQG;AACH,QAAA,MAAM,WAAW,GAAI,eAAe,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,KAAG,IAExE,CAAC;AAEF;;;;;;GAMG;AACH,QAAA,MAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuBV,CAAC;AAEH;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAErD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC"}
package/dist/config/index.js CHANGED
@@ -145,6 +145,16 @@ const ConfigSchema = z
145
145
  mcpJwtExpectedIssuer: z.string().optional(),
146
146
  mcpJwtExpectedAudience: z.string().optional(),
147
147
  mcpAuthMode: z.preprocess(emptyStringAsUndefined, z.enum(['jwt', 'oauth', 'none']).default('none')),
148
+ /**
149
+ * Bypass per-request scope enforcement when `MCP_AUTH_MODE` is `jwt` or `oauth`.
150
+ * When `true`, both `withRequiredScopes` (declared `auth: [...]`) and `checkScopes`
151
+ * (runtime-computed scopes inside handlers, including tenant isolation patterns
152
+ * like `team:${input.teamId}:write`) early-return after the auth-context presence
153
+ * check. Signature, audience, issuer, and expiry validation remain intact. Combine
154
+ * with server-side ACLs — without an in-handler ACL, every authenticated user
155
+ * effectively has every scope.
156
+ */
157
+ mcpAuthDisableScopeChecks: envBoolean.default(false),
148
158
  oauthIssuerUrl: z.url().optional(),
149
159
  oauthJwksUri: z.url().optional(),
150
160
  oauthAudience: z.string().optional(),
@@ -400,6 +410,7 @@ const parseConfig = (envOverrides) => {
400
410
  mcpJwtExpectedIssuer: env.MCP_JWT_EXPECTED_ISSUER,
401
411
  mcpJwtExpectedAudience: env.MCP_JWT_EXPECTED_AUDIENCE,
402
412
  mcpAuthMode: env.MCP_AUTH_MODE,
413
+ mcpAuthDisableScopeChecks: env.MCP_AUTH_DISABLE_SCOPE_CHECKS,
403
414
  oauthIssuerUrl: env.OAUTH_ISSUER_URL,
404
415
  oauthJwksUri: env.OAUTH_JWKS_URI,
405
416
  oauthAudience: env.OAUTH_AUDIENCE,
package/dist/config/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,WAAW,MAAM,oBAAoB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAQ3D,MAAM,YAAY,GAAG,WAA8B,CAAC;AAEpD,wEAAwE;AACxE,MAAM,CAAC,MAAM,cAAc,GAAG,wBAAwB,CAAC;AACvD,MAAM,CAAC,MAAM,iBAAiB,GAAG,YAAY,CAAC,OAAO,IAAI,OAAO,CAAC;AAEjE;;;;GAIG;AACH,IAAI,YAAY,GAA2B,IAAI,CAAC;AAChD,SAAS,sBAAsB;IAC7B,IAAI,YAAY,KAAK,IAAI;QAAE,OAAO,YAAY,CAAC;IAC/C,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QAC1D,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAC5D,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ;YAAE,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QACrE,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ;YAAE,GAAG,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IACnF,CAAC;IAAC,MAAM,CAAC;QACP,2EAA2E;IAC7E,CAAC;IACD,YAAY,GAAG,GAAG,CAAC;IACnB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8DAA8D;AAC9D,6EAA6E;AAC7E,wDAAwD;AACxD,IAAI,aAAa,GAAG,KAAK,CAAC;AAE1B,2BAA2B;AAC3B,MAAM,sBAAsB,GAAG,CAAC,GAAY,EAAE,EAAE;IAC9C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACjD,OAAO;IACT,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC,CAAC;AAEF,4EAA4E;AAC5E,MAAM,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;IACtC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IAChF,OAAO,GAAG,CAAC;AACb,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;AAEhB,4BAA4B;AAC5B,MAAM,YAAY,GAAG,CAAC;KACnB,MAAM,CAAC;IACN,yDAAyD;IACzD,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC;QACZ,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACnC,CAAC;IACF,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,gCAAgC;IAC3D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,mCAAmC;IACjE,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uCAAuC;IACpF,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,oCAAoC;IAC9E,QAAQ,EAAE,CAAC;SACR,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,0DAA0D;YAC1D,MAAM,QAAQ,GAA2B;gBACvC,IAAI,EAAE,SAAS;gBACf,GAAG,EAAE,OAAO;gBACZ,WAAW,EAAE,MAAM;gBACnB,KAAK,EAAE,OAAO;gBACd,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,OAAO;aAChB,CAAC;YACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;QAClC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAClF;SACA,OAAO,CAAC,OAAO,CAAC;IACnB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,sCAAsC;IACvE;;;;;;;OAOG;IACH,kBAAkB,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;IAC7C,WAAW,EAAE,CAAC;SACX,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,MAAM,QAAQ,GAA2B;gBACvC,GAAG,EAAE,aAAa;gBAClB,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,SAAS;aAChB,CAAC;YACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;QAClC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC,CACjD;SACA,OAAO,CAAC,aAAa,CAAC;IACzB,gBAAgB,EAAE,CAAC,CAAC,UAAU,CAC5B,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAC3C;IACD,cAAc,EAAE,CAAC,CAAC,UAAU,CAC1B,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAC1D;IACD,oBAAoB,EAAE,CAAC,CAAC,UAAU,CAChC,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAC5D;IACD,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAC9D,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC;IAC5C,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IAC/C;;;;;;;;OAQG;IACH,YAAY,EAAE,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IACtE,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACpD,uBAAuB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACtD,gCAAgC,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;IACtE,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,yBAAyB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9D,iBAAiB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACjD,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3C,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,WAAW,EAAE,CAAC,CAAC,UAAU,CACvB,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CACjD;IACD,cAAc,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAClC,YAAY,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,YAAY;IACrE,kBAAkB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,YAAY;IAClE,2BAA2B,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,8BAA8B;IAC/E,gBAAgB,EAAE,CAAC;SAChB,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;QAClB,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,EAAE;YAAE,OAAO,KAAK,CAAC;QAClE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;QAC7C,OAAO,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IACvC,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;SACd,OAAO,CAAC,KAAK,CAAC;IACjB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC5C,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,uBAAuB,CAAC;IAC7D,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE;IAC7B,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC;IAC5E,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjD,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,UAAU,EAAE,CAAC;SACV,MAAM,CAAC;QACN,gBAAgB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACpC,QAAQ,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC5B,aAAa,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACjC,SAAS,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC7B,uBAAuB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC3C,yBAAyB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC1D,CAAC;SACD,QAAQ,EAAE;IACb,QAAQ,EAAE,CAAC;SACR,MAAM,CAAC;QACN,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE;QACZ,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACtC,CAAC;SACD,QAAQ,EAAE;IACb,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,YAAY,EAAE,CAAC;aACZ,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,WAAW;oBAChB,EAAE,EAAE,YAAY;iBACjB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;YAClC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC;YACL,WAAW;YACX,YAAY;YACZ,UAAU;YACV,eAAe;YACf,eAAe;YACf,eAAe;SAChB,CAAC,CACH;aACA,OAAO,CAAC,WAAW,CAAC;QACvB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,sEAAsE;KACzH,CAAC;IACF,iDAAiD;IACjD,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,YAAY,EAAE,CAAC,CAAC,UAAU,CACxB,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAC3C;QACD;;;WAGG;QACH,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;QAC7D;;;;WAIG;QACH,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,mBAAmB,CAAC;QACvD,+DAA+D;QAC/D,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;QAC3D,gDAAgD;QAChD,KAAK,EAAE,CAAC,CAAC,MAAM;aACZ,MAAM,EAAE;aACR,GAAG,CAAC,IAAI,CAAC;aACT,OAAO,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC/B,8DAA8D;QAC9D,aAAa,EAAE,CAAC,CAAC,MAAM;aACpB,MAAM,EAAE;aACR,GAAG,CAAC,IAAI,CAAC;aACT,OAAO,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACnC,0EAA0E;QAC1E,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QAC3D,6CAA6C;QAC7C,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACzD,2EAA2E;QAC3E,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;KACvD,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,KAAK,EAAE;QACzC,OAAO,EACL,wIAAwI;QAC1I,IAAI,EAAE,CAAC,eAAe,CAAC;KACxB,CAAC;IACJ,yCAAyC;IACzC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACd,SAAS,EAAE,CAAC;aACT,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,WAAW;oBAChB,MAAM,EAAE,WAAW;oBACnB,UAAU,EAAE,SAAS;iBACtB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;YAClC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,CACjC;aACA,OAAO,CAAC,WAAW,CAAC;QACvB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC;QAC5C,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;KACtD,CAAC;IACF,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC;QACtB,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;QAClC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;QACvB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE;QAC1B,cAAc,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAClC,eAAe,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACnC,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;QAC3D,QAAQ,EAAE,CAAC;aACR,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,OAAO;oBACZ,OAAO,EAAE,MAAM;oBACf,WAAW,EAAE,MAAM;iBACpB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YAC9C,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CACrE;aACA,OAAO,CAAC,MAAM,CAAC;KACnB,CAAC;IACF,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;YACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC7B,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;YAC3B,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SACtC,CAAC;aACD,QAAQ,EAAE;QACb,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;YAC9D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC7B,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;YAC3B,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SACtC,CAAC;aACD,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC;KACD,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,4EAA4E;IAC5E,IAAI,IAAI,CAAC,WAAW,KAAK,YAAY,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC/D,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;YAC1B,OAAO,EACL,+GAA+G;SAClH,CAAC,CAAC;IACL,CAAC;IAED,8EAA8E;IAC9E,IAAI,IAAI,CAAC,WAAW,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;gBAC1B,OAAO,EACL,+GAA+G;aAClH,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC7C,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;gBAC1B,OAAO,EAAE,kEAAkE;aAC5E,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,8CAA8C;IAC9C,IAAI,IAAI,CAAC,WAAW,KAAK,OAAO,EAAE,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,gBAAgB,CAAC;gBACxB,OAAO,EAAE,wDAAwD;aAClE,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,eAAe,CAAC;gBACvB,OAAO,EAAE,sDAAsD;aAChE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,wBAAwB;AACxB,MAAM,WAAW,GAAG,CAAC,YAAiD,EAAE,EAAE;IACxE,kFAAkF;IAClF,IAAI,CAAC,aAAa,IAAI,WAAW,CAAC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/B,aAAa,GAAG,IAAI,CAAC;IACvB,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC7E,MAAM,WAAW,GAAG,sBAAsB,EAAE,CAAC;IAE7C,MAAM,SAAS,GAAG;QAChB,GAAG,EAAE;YACH,IAAI,EAAE,GAAG,CAAC,YAAY,IAAI,WAAW,CAAC,IAAI,IAAI,YAAY,CAAC,IAAI;YAC/D,OAAO,EAAE,GAAG,CAAC,eAAe,IAAI,WAAW,CAAC,OAAO,IAAI,YAAY,CAAC,OAAO;YAC3E,WAAW,EAAE,GAAG,CAAC,mBAAmB,IAAI,WAAW,CAAC,WAAW,IAAI,YAAY,CAAC,WAAW;SAC5F;QACD,QAAQ,EAAE,GAAG,CAAC,aAAa;QAC3B,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,kBAAkB,EAAE,GAAG,CAAC,oBAAoB;QAC5C,WAAW,EAAE,GAAG,CAAC,QAAQ;QACzB,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,cAAc,EAAE,GAAG,CAAC,gBAAgB;QACpC,oBAAoB,EAAE,GAAG,CAAC,sBAAsB;QAChD,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,YAAY,EAAE,GAAG,CAAC,cAAc;QAChC,qBAAqB,EAAE,GAAG,CAAC,yBAAyB;QACpD,uBAAuB,EAAE,GAAG,CAAC,4BAA4B;QACzD,gCAAgC,EAAE,GAAG,CAAC,qCAAqC;QAC3E,sBAAsB,EAAE,GAAG,CAAC,yBAAyB;QACrD,yBAAyB,EAAE,GAAG,CAAC,4BAA4B;QAC3D,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,EAAE,KAAK,CAAC,GAAG,CAAC;aACnD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC;QAClB,gBAAgB,EAAE,GAAG,CAAC,mBAAmB;QACzC,oBAAoB,EAAE,GAAG,CAAC,uBAAuB;QACjD,sBAAsB,EAAE,GAAG,CAAC,yBAAyB;QACrD,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,cAAc,EAAE,GAAG,CAAC,gBAAgB;QACpC,YAAY,EAAE,GAAG,CAAC,cAAc;QAChC,aAAa,EAAE,GAAG,CAAC,cAAc;QACjC,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,kBAAkB,EAAE,GAAG,CAAC,qBAAqB;QAC7C,2BAA2B,EAAE,GAAG,CAAC,8BAA8B;QAC/D,gBAAgB,EAAE,GAAG,CAAC,mBAAmB;QACzC,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,YAAY,EAAE,GAAG,CAAC,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACjE,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,iBAAiB,EAAE,GAAG,CAAC,mBAAmB;QAC1C,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,eAAe,EAAE,GAAG,CAAC,iBAAiB;QACtC,qBAAqB,EAAE,GAAG,CAAC,uBAAuB;QAClD,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,UAAU,EACR,GAAG,CAAC,6BAA6B,IAAI,GAAG,CAAC,qBAAqB;YAC5D,CAAC,CAAC;gBACE,gBAAgB,EAAE,GAAG,CAAC,6BAA6B;gBACnD,QAAQ,EAAE,GAAG,CAAC,qBAAqB;gBACnC,aAAa,EAAE,GAAG,CAAC,0BAA0B;gBAC7C,SAAS,EAAE,GAAG,CAAC,sBAAsB;gBACrC,uBAAuB,EAAE,GAAG,CAAC,qCAAqC;gBAClE,yBAAyB,EAAE,GAAG,CAAC,wCAAwC,EAAE,KAAK,CAAC,GAAG,CAAC;qBAChF,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;qBACxB,MAAM,CAAC,OAAO,CAAC;aACnB;YACH,CAAC,CAAC,SAAS;QACf,QAAQ,EACN,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,iBAAiB;YACvC,CAAC,CAAC;gBACE,GAAG,EAAE,GAAG,CAAC,YAAY;gBACrB,OAAO,EAAE,GAAG,CAAC,iBAAiB;gBAC9B,cAAc,EAAE,GAAG,CAAC,yBAAyB;aAC9C;YACH,CAAC,CAAC,SAAS;QACf,OAAO,EAAE;YACP,YAAY,EAAE,GAAG,CAAC,qBAAqB;YACvC,cAAc,EAAE,GAAG,CAAC,uBAAuB;SAC5C;QACD,MAAM,EAAE;YACN,YAAY,EAAE,GAAG,CAAC,oBAAoB;YACtC,oBAAoB,EAAE,GAAG,CAAC,8BAA8B;YACxD,cAAc,EAAE,GAAG,CAAC,kBAAkB;YACtC,oBAAoB,EAAE,GAAG,CAAC,8BAA8B;YACxD,KAAK,EAAE,GAAG,CAAC,aAAa;YACxB,aAAa,EAAE,GAAG,CAAC,sBAAsB;YACzC,iBAAiB,EAAE,GAAG,CAAC,0BAA0B;YACjD,eAAe,EAAE,GAAG,CAAC,wBAAwB;YAC7C,eAAe,EAAE,GAAG,CAAC,wBAAwB;SAC9C;QACD,KAAK,EAAE;YACL,SAAS,EAAE,GAAG,CAAC,eAAe;YAC9B,QAAQ,EAAE,GAAG,CAAC,oBAAoB;YAClC,YAAY,EAAE,GAAG,CAAC,yBAAyB;SAC5C;QACD,aAAa,EAAE;YACb,OAAO,EAAE,GAAG,CAAC,YAAY;YACzB,WAAW,EAAE,GAAG,CAAC,iBAAiB;YAClC,cAAc,EAAE,GAAG,CAAC,oBAAoB;YACxC,cAAc,EAAE,GAAG,CAAC,kCAAkC;YACtD,eAAe,EAAE,GAAG,CAAC,mCAAmC;YACxD,aAAa,EAAE,GAAG,CAAC,uBAAuB;YAC1C,QAAQ,EAAE,GAAG,CAAC,cAAc;SAC7B;QACD,MAAM,EACJ,GAAG,CAAC,kBAAkB,IAAI,GAAG,CAAC,kBAAkB;YAC9C,CAAC,CAAC;gBACE,GAAG,EAAE,GAAG,CAAC,kBAAkB;oBACzB,CAAC,CAAC;wBACE,OAAO,EAAE,GAAG,CAAC,kBAAkB;wBAC/B,QAAQ,EAAE,GAAG,CAAC,mBAAmB;wBACjC,MAAM,EAAE,GAAG,CAAC,kBAAkB;wBAC9B,OAAO,EAAE,GAAG,CAAC,mBAAmB;wBAChC,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,OAAO,EAAE,GAAG,CAAC,kBAAkB;qBAChC;oBACH,CAAC,CAAC,SAAS;gBACb,GAAG,EAAE,GAAG,CAAC,kBAAkB;oBACzB,CAAC,CAAC;wBACE,OAAO,EAAE,GAAG,CAAC,kBAAkB;wBAC/B,QAAQ,EAAE,GAAG,CAAC,mBAAmB;wBACjC,MAAM,EAAE,GAAG,CAAC,kBAAkB;wBAC9B,OAAO,EAAE,GAAG,CAAC,mBAAmB;wBAChC,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,OAAO,EAAE,GAAG,CAAC,kBAAkB;qBAChC;oBACH,CAAC,CAAC,SAAS;aACd;YACH,CAAC,CAAC,SAAS;QACf,qEAAqE;QACrE,aAAa,EAAE,GAAG,CAAC,eAAe;QAClC,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,oBAAoB,EAAE,GAAG,CAAC,sBAAsB;QAChD,iBAAiB,EAAE,GAAG,CAAC,mBAAmB;KAC3C,CAAC;IAEF,oEAAoE;IACpE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;QACzB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAChC,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAEjD,uEAAuE;IACvE,MAAM,cAAc,GAAG;QACrB,GAAG,SAAS;QACZ,GAAG,EAAE,SAAS;QACd,QAAQ,EAAE,WAAW,CAAC,MAAM;YAC1B,CAAC,CAAC,CAAC,GAAG,EAAE;gBACJ,kFAAkF;gBAClF,6DAA6D;gBAC7D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;gBAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAChD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC;gBAC5C,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,IAAI,MAAM,CAAC;gBAC7C,IAAI,UAAU,CAAC,OAAO,CAAC;oBAAE,OAAO,OAAO,CAAC;gBACxC,OAAO,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC7B,CAAC,CAAC,EAAE;YACN,CAAC,CAAC,SAAS;QACb,aAAa,EAAE,GAAG,CAAC,eAAe,IAAI,SAAS,CAAC,IAAI;QACpD,gBAAgB,EAAE,GAAG,CAAC,kBAAkB,IAAI,SAAS,CAAC,OAAO;QAC7D,oBAAoB,EAAE,GAAG,CAAC,sBAAsB,IAAI,SAAS,CAAC,WAAW;QACzE,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,EAAE,8CAA8C;QAC1F,aAAa,EAAE;YACb,GAAG,SAAS,CAAC,aAAa;YAC1B,WAAW,EAAE,GAAG,CAAC,iBAAiB,IAAI,SAAS,CAAC,IAAI;YACpD,cAAc,EAAE,GAAG,CAAC,oBAAoB,IAAI,SAAS,CAAC,OAAO;SAC9D;QACD,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,IAAI,SAAS,CAAC,IAAI;KAC7D,CAAC;IAEF,MAAM,YAAY,GAAG,YAAY,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IAE5D,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;QAC1B,6DAA6D;QAC7D,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACzB,OAAO,CAAC,KAAK,CACX,yEAAyE,EACzE,YAAY,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,WAAW,CACzC,CAAC;QACJ,CAAC;QACD,oDAAoD;QACpD,MAAM,kBAAkB,CAAC,oCAAoC,EAAE;YAC7D,gBAAgB,EAAE,YAAY,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,WAAW;SAC3D,CAAC,CAAC;IACL,CAAC;IAED,OAAO,YAAY,CAAC,IAAI,CAAC;AAC3B,CAAC,CAAC;AAEF,IAAI,OAA8B,CAAC;AAEnC;;;;;;;;GAQG;AACH,MAAM,WAAW,GAAG,CAAC,YAAiD,EAAQ,EAAE;IAC9E,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACjE,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,EAAe,EAAE;IACxC,GAAG,CAAC,OAAO,EAAE,IAAI;QACf,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAQ,OAA4C,CAAC,IAAI,CAAC,CAAC;IAC7D,CAAC;IACD,GAAG;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,cAAc;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IACD,GAAG,CAAC,OAAO,EAAE,IAAI;QACf,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,IAAI,IAAI,OAAO,CAAC;IACzB,CAAC;IACD,OAAO;QACL,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC;IACD,wBAAwB,CAAC,OAAO,EAAE,IAAI;QACpC,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,wBAAwB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACxD,CAAC;CACF,CAAC,CAAC;AAOH,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,WAAW,MAAM,oBAAoB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAQ3D,MAAM,YAAY,GAAG,WAA8B,CAAC;AAEpD,wEAAwE;AACxE,MAAM,CAAC,MAAM,cAAc,GAAG,wBAAwB,CAAC;AACvD,MAAM,CAAC,MAAM,iBAAiB,GAAG,YAAY,CAAC,OAAO,IAAI,OAAO,CAAC;AAEjE;;;;GAIG;AACH,IAAI,YAAY,GAA2B,IAAI,CAAC;AAChD,SAAS,sBAAsB;IAC7B,IAAI,YAAY,KAAK,IAAI;QAAE,OAAO,YAAY,CAAC;IAC/C,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QAC1D,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAC5D,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ;YAAE,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QACrE,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ;YAAE,GAAG,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IACnF,CAAC;IAAC,MAAM,CAAC;QACP,2EAA2E;IAC7E,CAAC;IACD,YAAY,GAAG,GAAG,CAAC;IACnB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8DAA8D;AAC9D,6EAA6E;AAC7E,wDAAwD;AACxD,IAAI,aAAa,GAAG,KAAK,CAAC;AAE1B,2BAA2B;AAC3B,MAAM,sBAAsB,GAAG,CAAC,GAAY,EAAE,EAAE;IAC9C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACjD,OAAO;IACT,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC,CAAC;AAEF,4EAA4E;AAC5E,MAAM,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;IACtC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IAChF,OAAO,GAAG,CAAC;AACb,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;AAEhB,4BAA4B;AAC5B,MAAM,YAAY,GAAG,CAAC;KACnB,MAAM,CAAC;IACN,yDAAyD;IACzD,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC;QACZ,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACnC,CAAC;IACF,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,gCAAgC;IAC3D,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,mCAAmC;IACjE,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uCAAuC;IACpF,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,oCAAoC;IAC9E,QAAQ,EAAE,CAAC;SACR,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,0DAA0D;YAC1D,MAAM,QAAQ,GAA2B;gBACvC,IAAI,EAAE,SAAS;gBACf,GAAG,EAAE,OAAO;gBACZ,WAAW,EAAE,MAAM;gBACnB,KAAK,EAAE,OAAO;gBACd,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,OAAO;aAChB,CAAC;YACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;QAClC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAClF;SACA,OAAO,CAAC,OAAO,CAAC;IACnB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,sCAAsC;IACvE;;;;;;;OAOG;IACH,kBAAkB,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;IAC7C,WAAW,EAAE,CAAC;SACX,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;QACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,MAAM,QAAQ,GAA2B;gBACvC,GAAG,EAAE,aAAa;gBAClB,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,SAAS;aAChB,CAAC;YACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;QAClC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC,CACjD;SACA,OAAO,CAAC,aAAa,CAAC;IACzB,gBAAgB,EAAE,CAAC,CAAC,UAAU,CAC5B,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAC3C;IACD,cAAc,EAAE,CAAC,CAAC,UAAU,CAC1B,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAC1D;IACD,oBAAoB,EAAE,CAAC,CAAC,UAAU,CAChC,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAC5D;IACD,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAC9D,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC;IAC5C,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IAC/C;;;;;;;;OAQG;IACH,YAAY,EAAE,CAAC,CAAC,UAAU,CAAC,sBAAsB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IACtE,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACpD,uBAAuB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IACtD,gCAAgC,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;IACtE,sBAAsB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3D,yBAAyB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9D,iBAAiB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACjD,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,oBAAoB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3C,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,WAAW,EAAE,CAAC,CAAC,UAAU,CACvB,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CACjD;IACD;;;;;;;;OAQG;IACH,yBAAyB,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;IACpD,cAAc,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAClC,YAAY,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,YAAY;IACrE,kBAAkB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,YAAY;IAClE,2BAA2B,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,8BAA8B;IAC/E,gBAAgB,EAAE,CAAC;SAChB,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;QAClB,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,EAAE;YAAE,OAAO,KAAK,CAAC;QAClE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;QAC7C,OAAO,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IACvC,CAAC,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;SACd,OAAO,CAAC,KAAK,CAAC;IACjB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC5C,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,uBAAuB,CAAC;IAC7D,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE;IAC7B,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACvC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC;IAC5E,qBAAqB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,mBAAmB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjD,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,UAAU,EAAE,CAAC;SACV,MAAM,CAAC;QACN,gBAAgB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACpC,QAAQ,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC5B,aAAa,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACjC,SAAS,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC7B,uBAAuB,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAC3C,yBAAyB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC1D,CAAC;SACD,QAAQ,EAAE;IACb,QAAQ,EAAE,CAAC;SACR,MAAM,CAAC;QACN,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE;QACZ,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACtC,CAAC;SACD,QAAQ,EAAE;IACb,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,YAAY,EAAE,CAAC;aACZ,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,WAAW;oBAChB,EAAE,EAAE,YAAY;iBACjB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;YAClC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC;YACL,WAAW;YACX,YAAY;YACZ,UAAU;YACV,eAAe;YACf,eAAe;YACf,eAAe;SAChB,CAAC,CACH;aACA,OAAO,CAAC,WAAW,CAAC;QACvB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,sEAAsE;KACzH,CAAC;IACF,iDAAiD;IACjD,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,YAAY,EAAE,CAAC,CAAC,UAAU,CACxB,sBAAsB,EACtB,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAC3C;QACD;;;WAGG;QACH,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;QAC7D;;;;WAIG;QACH,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,mBAAmB,CAAC;QACvD,+DAA+D;QAC/D,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;QAC3D,gDAAgD;QAChD,KAAK,EAAE,CAAC,CAAC,MAAM;aACZ,MAAM,EAAE;aACR,GAAG,CAAC,IAAI,CAAC;aACT,OAAO,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC/B,8DAA8D;QAC9D,aAAa,EAAE,CAAC,CAAC,MAAM;aACpB,MAAM,EAAE;aACR,GAAG,CAAC,IAAI,CAAC;aACT,OAAO,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACnC,0EAA0E;QAC1E,iBAAiB,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QAC3D,6CAA6C;QAC7C,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACzD,2EAA2E;QAC3E,eAAe,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;KACvD,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,KAAK,EAAE;QACzC,OAAO,EACL,wIAAwI;QAC1I,IAAI,EAAE,CAAC,eAAe,CAAC;KACxB,CAAC;IACJ,yCAAyC;IACzC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC;QACd,SAAS,EAAE,CAAC;aACT,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,WAAW;oBAChB,MAAM,EAAE,WAAW;oBACnB,UAAU,EAAE,SAAS;iBACtB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;YAClC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,CACjC;aACA,OAAO,CAAC,WAAW,CAAC;QACvB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,cAAc,CAAC;QAC5C,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;KACtD,CAAC;IACF,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC;QACtB,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;QAClC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;QACvB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE;QAC1B,cAAc,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAClC,eAAe,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QACnC,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;QAC3D,QAAQ,EAAE,CAAC;aACR,UAAU,CACT,CAAC,GAAG,EAAE,EAAE;YACN,MAAM,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAA2B;oBACvC,GAAG,EAAE,OAAO;oBACZ,OAAO,EAAE,MAAM;oBACf,WAAW,EAAE,MAAM;iBACpB,CAAC;gBACF,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YAC9C,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EACD,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CACrE;aACA,OAAO,CAAC,MAAM,CAAC;KACnB,CAAC;IACF,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;YACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC7B,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;YAC3B,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SACtC,CAAC;aACD,QAAQ,EAAE;QACb,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;YAC9D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YAC7B,OAAO,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;YAC3B,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;YACrC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;SACtC,CAAC;aACD,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC;KACD,WAAW,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACzB,4EAA4E;IAC5E,IAAI,IAAI,CAAC,WAAW,KAAK,YAAY,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC/D,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;YAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;YAC1B,OAAO,EACL,+GAA+G;SAClH,CAAC,CAAC;IACL,CAAC;IAED,8EAA8E;IAC9E,IAAI,IAAI,CAAC,WAAW,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC3B,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;gBAC1B,OAAO,EACL,+GAA+G;aAClH,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC7C,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,kBAAkB,CAAC;gBAC1B,OAAO,EAAE,kEAAkE;aAC5E,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,8CAA8C;IAC9C,IAAI,IAAI,CAAC,WAAW,KAAK,OAAO,EAAE,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,gBAAgB,CAAC;gBACxB,OAAO,EAAE,wDAAwD;aAClE,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,IAAI,EAAE,CAAC,eAAe,CAAC;gBACvB,OAAO,EAAE,sDAAsD;aAChE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,wBAAwB;AACxB,MAAM,WAAW,GAAG,CAAC,YAAiD,EAAE,EAAE;IACxE,kFAAkF;IAClF,IAAI,CAAC,aAAa,IAAI,WAAW,CAAC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/B,aAAa,GAAG,IAAI,CAAC;IACvB,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC7E,MAAM,WAAW,GAAG,sBAAsB,EAAE,CAAC;IAE7C,MAAM,SAAS,GAAG;QAChB,GAAG,EAAE;YACH,IAAI,EAAE,GAAG,CAAC,YAAY,IAAI,WAAW,CAAC,IAAI,IAAI,YAAY,CAAC,IAAI;YAC/D,OAAO,EAAE,GAAG,CAAC,eAAe,IAAI,WAAW,CAAC,OAAO,IAAI,YAAY,CAAC,OAAO;YAC3E,WAAW,EAAE,GAAG,CAAC,mBAAmB,IAAI,WAAW,CAAC,WAAW,IAAI,YAAY,CAAC,WAAW;SAC5F;QACD,QAAQ,EAAE,GAAG,CAAC,aAAa;QAC3B,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,kBAAkB,EAAE,GAAG,CAAC,oBAAoB;QAC5C,WAAW,EAAE,GAAG,CAAC,QAAQ;QACzB,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,cAAc,EAAE,GAAG,CAAC,gBAAgB;QACpC,oBAAoB,EAAE,GAAG,CAAC,sBAAsB;QAChD,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,YAAY,EAAE,GAAG,CAAC,cAAc;QAChC,qBAAqB,EAAE,GAAG,CAAC,yBAAyB;QACpD,uBAAuB,EAAE,GAAG,CAAC,4BAA4B;QACzD,gCAAgC,EAAE,GAAG,CAAC,qCAAqC;QAC3E,sBAAsB,EAAE,GAAG,CAAC,yBAAyB;QACrD,yBAAyB,EAAE,GAAG,CAAC,4BAA4B;QAC3D,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,EAAE,KAAK,CAAC,GAAG,CAAC;aACnD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC;QAClB,gBAAgB,EAAE,GAAG,CAAC,mBAAmB;QACzC,oBAAoB,EAAE,GAAG,CAAC,uBAAuB;QACjD,sBAAsB,EAAE,GAAG,CAAC,yBAAyB;QACrD,WAAW,EAAE,GAAG,CAAC,aAAa;QAC9B,yBAAyB,EAAE,GAAG,CAAC,6BAA6B;QAC5D,cAAc,EAAE,GAAG,CAAC,gBAAgB;QACpC,YAAY,EAAE,GAAG,CAAC,cAAc;QAChC,aAAa,EAAE,GAAG,CAAC,cAAc;QACjC,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,kBAAkB,EAAE,GAAG,CAAC,qBAAqB;QAC7C,2BAA2B,EAAE,GAAG,CAAC,8BAA8B;QAC/D,gBAAgB,EAAE,GAAG,CAAC,mBAAmB;QACzC,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,YAAY,EAAE,GAAG,CAAC,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACjE,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,iBAAiB,EAAE,GAAG,CAAC,mBAAmB;QAC1C,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,eAAe,EAAE,GAAG,CAAC,iBAAiB;QACtC,qBAAqB,EAAE,GAAG,CAAC,uBAAuB;QAClD,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,mBAAmB,EAAE,GAAG,CAAC,sBAAsB;QAC/C,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,cAAc,EAAE,GAAG,CAAC,iBAAiB;QACrC,UAAU,EACR,GAAG,CAAC,6BAA6B,IAAI,GAAG,CAAC,qBAAqB;YAC5D,CAAC,CAAC;gBACE,gBAAgB,EAAE,GAAG,CAAC,6BAA6B;gBACnD,QAAQ,EAAE,GAAG,CAAC,qBAAqB;gBACnC,aAAa,EAAE,GAAG,CAAC,0BAA0B;gBAC7C,SAAS,EAAE,GAAG,CAAC,sBAAsB;gBACrC,uBAAuB,EAAE,GAAG,CAAC,qCAAqC;gBAClE,yBAAyB,EAAE,GAAG,CAAC,wCAAwC,EAAE,KAAK,CAAC,GAAG,CAAC;qBAChF,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;qBACxB,MAAM,CAAC,OAAO,CAAC;aACnB;YACH,CAAC,CAAC,SAAS;QACf,QAAQ,EACN,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,iBAAiB;YACvC,CAAC,CAAC;gBACE,GAAG,EAAE,GAAG,CAAC,YAAY;gBACrB,OAAO,EAAE,GAAG,CAAC,iBAAiB;gBAC9B,cAAc,EAAE,GAAG,CAAC,yBAAyB;aAC9C;YACH,CAAC,CAAC,SAAS;QACf,OAAO,EAAE;YACP,YAAY,EAAE,GAAG,CAAC,qBAAqB;YACvC,cAAc,EAAE,GAAG,CAAC,uBAAuB;SAC5C;QACD,MAAM,EAAE;YACN,YAAY,EAAE,GAAG,CAAC,oBAAoB;YACtC,oBAAoB,EAAE,GAAG,CAAC,8BAA8B;YACxD,cAAc,EAAE,GAAG,CAAC,kBAAkB;YACtC,oBAAoB,EAAE,GAAG,CAAC,8BAA8B;YACxD,KAAK,EAAE,GAAG,CAAC,aAAa;YACxB,aAAa,EAAE,GAAG,CAAC,sBAAsB;YACzC,iBAAiB,EAAE,GAAG,CAAC,0BAA0B;YACjD,eAAe,EAAE,GAAG,CAAC,wBAAwB;YAC7C,eAAe,EAAE,GAAG,CAAC,wBAAwB;SAC9C;QACD,KAAK,EAAE;YACL,SAAS,EAAE,GAAG,CAAC,eAAe;YAC9B,QAAQ,EAAE,GAAG,CAAC,oBAAoB;YAClC,YAAY,EAAE,GAAG,CAAC,yBAAyB;SAC5C;QACD,aAAa,EAAE;YACb,OAAO,EAAE,GAAG,CAAC,YAAY;YACzB,WAAW,EAAE,GAAG,CAAC,iBAAiB;YAClC,cAAc,EAAE,GAAG,CAAC,oBAAoB;YACxC,cAAc,EAAE,GAAG,CAAC,kCAAkC;YACtD,eAAe,EAAE,GAAG,CAAC,mCAAmC;YACxD,aAAa,EAAE,GAAG,CAAC,uBAAuB;YAC1C,QAAQ,EAAE,GAAG,CAAC,cAAc;SAC7B;QACD,MAAM,EACJ,GAAG,CAAC,kBAAkB,IAAI,GAAG,CAAC,kBAAkB;YAC9C,CAAC,CAAC;gBACE,GAAG,EAAE,GAAG,CAAC,kBAAkB;oBACzB,CAAC,CAAC;wBACE,OAAO,EAAE,GAAG,CAAC,kBAAkB;wBAC/B,QAAQ,EAAE,GAAG,CAAC,mBAAmB;wBACjC,MAAM,EAAE,GAAG,CAAC,kBAAkB;wBAC9B,OAAO,EAAE,GAAG,CAAC,mBAAmB;wBAChC,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,OAAO,EAAE,GAAG,CAAC,kBAAkB;qBAChC;oBACH,CAAC,CAAC,SAAS;gBACb,GAAG,EAAE,GAAG,CAAC,kBAAkB;oBACzB,CAAC,CAAC;wBACE,OAAO,EAAE,GAAG,CAAC,kBAAkB;wBAC/B,QAAQ,EAAE,GAAG,CAAC,mBAAmB;wBACjC,MAAM,EAAE,GAAG,CAAC,kBAAkB;wBAC9B,OAAO,EAAE,GAAG,CAAC,mBAAmB;wBAChC,cAAc,EAAE,GAAG,CAAC,2BAA2B;wBAC/C,OAAO,EAAE,GAAG,CAAC,kBAAkB;qBAChC;oBACH,CAAC,CAAC,SAAS;aACd;YACH,CAAC,CAAC,SAAS;QACf,qEAAqE;QACrE,aAAa,EAAE,GAAG,CAAC,eAAe;QAClC,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;QACxC,oBAAoB,EAAE,GAAG,CAAC,sBAAsB;QAChD,iBAAiB,EAAE,GAAG,CAAC,mBAAmB;KAC3C,CAAC;IAEF,oEAAoE;IACpE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;QACzB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAChC,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAEjD,uEAAuE;IACvE,MAAM,cAAc,GAAG;QACrB,GAAG,SAAS;QACZ,GAAG,EAAE,SAAS;QACd,QAAQ,EAAE,WAAW,CAAC,MAAM;YAC1B,CAAC,CAAC,CAAC,GAAG,EAAE;gBACJ,kFAAkF;gBAClF,6DAA6D;gBAC7D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;gBAClE,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAChD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC;gBAC5C,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,IAAI,MAAM,CAAC;gBAC7C,IAAI,UAAU,CAAC,OAAO,CAAC;oBAAE,OAAO,OAAO,CAAC;gBACxC,OAAO,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC7B,CAAC,CAAC,EAAE;YACN,CAAC,CAAC,SAAS;QACb,aAAa,EAAE,GAAG,CAAC,eAAe,IAAI,SAAS,CAAC,IAAI;QACpD,gBAAgB,EAAE,GAAG,CAAC,kBAAkB,IAAI,SAAS,CAAC,OAAO;QAC7D,oBAAoB,EAAE,GAAG,CAAC,sBAAsB,IAAI,SAAS,CAAC,WAAW;QACzE,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,EAAE,8CAA8C;QAC1F,aAAa,EAAE;YACb,GAAG,SAAS,CAAC,aAAa;YAC1B,WAAW,EAAE,GAAG,CAAC,iBAAiB,IAAI,SAAS,CAAC,IAAI;YACpD,cAAc,EAAE,GAAG,CAAC,oBAAoB,IAAI,SAAS,CAAC,OAAO;SAC9D;QACD,iBAAiB,EAAE,GAAG,CAAC,mBAAmB,IAAI,SAAS,CAAC,IAAI;KAC7D,CAAC;IAEF,MAAM,YAAY,GAAG,YAAY,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IAE5D,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;QAC1B,6DAA6D;QAC7D,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACzB,OAAO,CAAC,KAAK,CACX,yEAAyE,EACzE,YAAY,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,WAAW,CACzC,CAAC;QACJ,CAAC;QACD,oDAAoD;QACpD,MAAM,kBAAkB,CAAC,oCAAoC,EAAE;YAC7D,gBAAgB,EAAE,YAAY,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,WAAW;SAC3D,CAAC,CAAC;IACL,CAAC;IAED,OAAO,YAAY,CAAC,IAAI,CAAC;AAC3B,CAAC,CAAC;AAEF,IAAI,OAA8B,CAAC;AAEnC;;;;;;;;GAQG;AACH,MAAM,WAAW,GAAG,CAAC,YAAiD,EAAQ,EAAE;IAC9E,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACjE,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,EAAe,EAAE;IACxC,GAAG,CAAC,OAAO,EAAE,IAAI;QACf,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAQ,OAA4C,CAAC,IAAI,CAAC,CAAC;IAC7D,CAAC;IACD,GAAG;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,cAAc;QACZ,OAAO,KAAK,CAAC;IACf,CAAC;IACD,GAAG,CAAC,OAAO,EAAE,IAAI;QACf,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,IAAI,IAAI,OAAO,CAAC;IACzB,CAAC;IACD,OAAO;QACL,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC;IACD,wBAAwB,CAAC,OAAO,EAAE,IAAI;QACpC,OAAO,KAAK,WAAW,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,wBAAwB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACxD,CAAC;CACF,CAAC,CAAC;AAOH,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC"}
package/dist/logs/combined.log CHANGED
@@ -1,6 +1,7 @@
1
- {"level":40,"time":1778235929533,"env":"testing","version":"0.8.19","pid":78428,"transport":"http","requestId":"Q8627-MFEM4","timestamp":"2026-05-08T10:25:29.532Z","operation":"TransportManager.start","component":"HttpTransportSetup","msg":"MCP_ALLOWED_ORIGINS is not set — CORS is wildcard for CLI clients; browser Origin headers are restricted to loopback. Set MCP_ALLOWED_ORIGINS for production deployments accepting remote browser origins."}
2
- {"level":40,"time":1778235931406,"env":"testing","version":"0.8.19","pid":78428,"transport":"http","requestId":"Q8627-MFEM4","timestamp":"2026-05-08T10:25:29.532Z","operation":"TransportManager.start","component":"HttpTransportSetup","sessionId":"not-a-real-session-1778235931406","msg":"Session validation failed - invalid or hijacked session"}
3
- {"level":50,"time":1778235936218,"env":"testing","version":"0.0.0-test","pid":78583,"requestId":"IF69M-6JUK9","timestamp":"2026-05-08T10:25:36.217Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"4b3d45f04700813199bd658614b7755a161937d0cc1af8148285dc3ab3570631","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"4b3d45f04700813199bd658614b7755a161937d0cc1af8148285dc3ab3570631","toolName":"scoped_echo","requestId":"IF69M-6JUK9","timestamp":"2026-05-08T10:25:36.217Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:61:15)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
4
- {"level":50,"time":1778235937205,"env":"testing","version":"0.8.19","pid":78590,"requestId":"5EPAW-MLFXN","timestamp":"2026-05-08T10:25:37.204Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"5EPAW-MLFXN","timestamp":"2026-05-08T10:25:37.204Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
5
- {"level":50,"time":1778235937222,"env":"testing","version":"0.8.19","pid":78590,"requestId":"GJ6K8-V54G5","timestamp":"2026-05-08T10:25:37.222Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"GJ6K8-V54G5","timestamp":"2026-05-08T10:25:37.222Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Token has expired.","originalStack":"McpError: Token has expired.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at handleJoseVerifyError (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/claimParser.js:56:11)\n at verify (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/strategies/jwtStrategy.js:91:13)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Token has expired.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Token has expired."}
6
- {"level":50,"time":1778235937225,"env":"testing","version":"0.8.19","pid":78590,"requestId":"8DTH5-7ODPW","timestamp":"2026-05-08T10:25:37.225Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"GET","errorData":{"path":"/mcp","method":"GET","requestId":"8DTH5-7ODPW","timestamp":"2026-05-08T10:25:37.225Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
1
+ {"level":40,"time":1778322012047,"env":"testing","version":"0.8.20","pid":6706,"transport":"http","requestId":"3SC4Y-NFFKI","timestamp":"2026-05-09T10:20:12.046Z","operation":"TransportManager.start","component":"HttpTransportSetup","msg":"MCP_ALLOWED_ORIGINS is not set — CORS is wildcard for CLI clients; browser Origin headers are restricted to loopback. Set MCP_ALLOWED_ORIGINS for production deployments accepting remote browser origins."}
2
+ {"level":40,"time":1778322013773,"env":"testing","version":"0.8.20","pid":6706,"transport":"http","requestId":"3SC4Y-NFFKI","timestamp":"2026-05-09T10:20:12.046Z","operation":"TransportManager.start","component":"HttpTransportSetup","sessionId":"not-a-real-session-1778322013773","msg":"Session validation failed - invalid or hijacked session"}
3
+ {"level":50,"time":1778322017528,"env":"testing","version":"0.0.0-test","pid":6811,"requestId":"QU3EF-R5RW8","timestamp":"2026-05-09T10:20:17.527Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"fbf35dbc4858a178fa50c132fb2262d87a2117a91c00febea446323e361a2f4e","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"fbf35dbc4858a178fa50c132fb2262d87a2117a91c00febea446323e361a2f4e","toolName":"scoped_echo","requestId":"QU3EF-R5RW8","timestamp":"2026-05-09T10:20:17.527Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
4
+ {"level":50,"time":1778322017536,"env":"testing","version":"0.0.0-test","pid":6811,"requestId":"X42HI-7PFB1","timestamp":"2026-05-09T10:20:17.536Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"8524d804175256c1ed1df4262471fe076057d9f389249c9c82489f52149b4ae4","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"8524d804175256c1ed1df4262471fe076057d9f389249c9c82489f52149b4ae4","toolName":"scoped_echo","requestId":"X42HI-7PFB1","timestamp":"2026-05-09T10:20:17.536Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
5
+ {"level":50,"time":1778322018932,"env":"testing","version":"0.8.20","pid":6818,"requestId":"99V9S-HO67U","timestamp":"2026-05-09T10:20:18.932Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"99V9S-HO67U","timestamp":"2026-05-09T10:20:18.932Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
6
+ {"level":50,"time":1778322018947,"env":"testing","version":"0.8.20","pid":6818,"requestId":"IVQGQ-3ZJW4","timestamp":"2026-05-09T10:20:18.947Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"IVQGQ-3ZJW4","timestamp":"2026-05-09T10:20:18.947Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Token has expired.","originalStack":"McpError: Token has expired.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at handleJoseVerifyError (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/claimParser.js:72:11)\n at verify (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/strategies/jwtStrategy.js:91:13)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Token has expired.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Token has expired."}
7
+ {"level":50,"time":1778322018951,"env":"testing","version":"0.8.20","pid":6818,"requestId":"ETG8Y-2LE4J","timestamp":"2026-05-09T10:20:18.951Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"GET","errorData":{"path":"/mcp","method":"GET","requestId":"ETG8Y-2LE4J","timestamp":"2026-05-09T10:20:18.951Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
package/dist/logs/error.log CHANGED
@@ -1,4 +1,5 @@
1
- {"level":50,"time":1778235936218,"env":"testing","version":"0.0.0-test","pid":78583,"requestId":"IF69M-6JUK9","timestamp":"2026-05-08T10:25:36.217Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"4b3d45f04700813199bd658614b7755a161937d0cc1af8148285dc3ab3570631","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"4b3d45f04700813199bd658614b7755a161937d0cc1af8148285dc3ab3570631","toolName":"scoped_echo","requestId":"IF69M-6JUK9","timestamp":"2026-05-08T10:25:36.217Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:61:15)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
2
- {"level":50,"time":1778235937205,"env":"testing","version":"0.8.19","pid":78590,"requestId":"5EPAW-MLFXN","timestamp":"2026-05-08T10:25:37.204Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"5EPAW-MLFXN","timestamp":"2026-05-08T10:25:37.204Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
3
- {"level":50,"time":1778235937222,"env":"testing","version":"0.8.19","pid":78590,"requestId":"GJ6K8-V54G5","timestamp":"2026-05-08T10:25:37.222Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"GJ6K8-V54G5","timestamp":"2026-05-08T10:25:37.222Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Token has expired.","originalStack":"McpError: Token has expired.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at handleJoseVerifyError (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/claimParser.js:56:11)\n at verify (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/strategies/jwtStrategy.js:91:13)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Token has expired.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Token has expired."}
4
- {"level":50,"time":1778235937225,"env":"testing","version":"0.8.19","pid":78590,"requestId":"8DTH5-7ODPW","timestamp":"2026-05-08T10:25:37.225Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"GET","errorData":{"path":"/mcp","method":"GET","requestId":"8DTH5-7ODPW","timestamp":"2026-05-08T10:25:37.225Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
1
+ {"level":50,"time":1778322017528,"env":"testing","version":"0.0.0-test","pid":6811,"requestId":"QU3EF-R5RW8","timestamp":"2026-05-09T10:20:17.527Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"fbf35dbc4858a178fa50c132fb2262d87a2117a91c00febea446323e361a2f4e","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"fbf35dbc4858a178fa50c132fb2262d87a2117a91c00febea446323e361a2f4e","toolName":"scoped_echo","requestId":"QU3EF-R5RW8","timestamp":"2026-05-09T10:20:17.527Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["tool:other:read"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
2
+ {"level":50,"time":1778322017536,"env":"testing","version":"0.0.0-test","pid":6811,"requestId":"X42HI-7PFB1","timestamp":"2026-05-09T10:20:17.536Z","operation":"HandleToolRequest","critical":false,"errorCode":-32005,"originalErrorType":"McpError","finalErrorType":"McpError","sessionId":"8524d804175256c1ed1df4262471fe076057d9f389249c9c82489f52149b4ae4","toolName":"scoped_echo","tenantId":"authz-tenant","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"errorData":{"sessionId":"8524d804175256c1ed1df4262471fe076057d9f389249c9c82489f52149b4ae4","toolName":"scoped_echo","requestId":"X42HI-7PFB1","timestamp":"2026-05-09T10:20:17.536Z","tenantId":"authz-tenant","operation":"HandleToolRequest","auth":{"sub":"authz-user","scopes":["openid","email","profile","offline_access"],"clientId":"authz-client","tenantId":"authz-tenant","token":"[REDACTED]"},"originalErrorName":"McpError","originalMessage":"Insufficient permissions.","originalStack":"McpError: Insufficient permissions.\n at forbidden (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:84:58)\n at withRequiredScopes (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/authUtils.js:68:15)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:146:17)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Insufficient permissions.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/tools/utils/toolHandlerFactory.js:182:26)\n at executeToolHandler (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:231:34)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/node_modules/@modelcontextprotocol/sdk/dist/esm/server/mcp.js:126:43)\n at processTicksAndRejections (native:7:39)","msg":"Error in tool:scoped_echo: Insufficient permissions."}
3
+ {"level":50,"time":1778322018932,"env":"testing","version":"0.8.20","pid":6818,"requestId":"99V9S-HO67U","timestamp":"2026-05-09T10:20:18.932Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"99V9S-HO67U","timestamp":"2026-05-09T10:20:18.932Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
4
+ {"level":50,"time":1778322018947,"env":"testing","version":"0.8.20","pid":6818,"requestId":"IVQGQ-3ZJW4","timestamp":"2026-05-09T10:20:18.947Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"POST","errorData":{"path":"/mcp","method":"POST","requestId":"IVQGQ-3ZJW4","timestamp":"2026-05-09T10:20:18.947Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Token has expired.","originalStack":"McpError: Token has expired.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at handleJoseVerifyError (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/lib/claimParser.js:72:11)\n at verify (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/strategies/jwtStrategy.js:91:13)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Token has expired.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Token has expired."}
5
+ {"level":50,"time":1778322018951,"env":"testing","version":"0.8.20","pid":6818,"requestId":"ETG8Y-2LE4J","timestamp":"2026-05-09T10:20:18.951Z","operation":"httpErrorHandler","critical":false,"errorCode":-32006,"originalErrorType":"McpError","finalErrorType":"McpError","path":"/mcp","method":"GET","errorData":{"path":"/mcp","method":"GET","requestId":"ETG8Y-2LE4J","timestamp":"2026-05-09T10:20:18.951Z","operation":"httpErrorHandler","originalErrorName":"McpError","originalMessage":"Missing or invalid Authorization header. Bearer scheme required.","originalStack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at unauthorized (/Users/casey/Developer/github/mcp-ts-core/dist/types-global/errors.js:86:61)\n at authMiddleware (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/auth/authMiddleware.js:64:19)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpTransport.js:232:22)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:22:23)\n at cors2 (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/middleware/cors/index.js:79:11)\n at processTicksAndRejections (native:7:39)"},"stack":"McpError: Missing or invalid Authorization header. Bearer scheme required.\n at handleError (/Users/casey/Developer/github/mcp-ts-core/dist/utils/internal/error-handler/errorHandler.js:170:23)\n at <anonymous> (/Users/casey/Developer/github/mcp-ts-core/dist/mcp-server/transports/http/httpErrorHandler.js:59:39)\n at dispatch (/Users/casey/Developer/github/mcp-ts-core/node_modules/hono/dist/compose.js:26:25)\n at processTicksAndRejections (native:7:39)","msg":"Error in httpTransport: Missing or invalid Authorization header. Bearer scheme required."}
package/dist/mcp-server/transports/auth/authFactory.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authFactory.d.ts","sourceRoot":"","sources":["../../../../src/mcp-server/transports/auth/authFactory.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yDAAyD,CAAC;AAM5F;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,IAAI,YAAY,GAAG,IAAI,CAuBxD"}
1
+ {"version":3,"file":"authFactory.d.ts","sourceRoot":"","sources":["../../../../src/mcp-server/transports/auth/authFactory.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yDAAyD,CAAC;AAM5F;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,IAAI,YAAY,GAAG,IAAI,CAiCxD"}
package/dist/mcp-server/transports/auth/authFactory.js CHANGED
@@ -23,12 +23,15 @@ export function createAuthStrategy() {
23
23
  authMode: config.mcpAuthMode,
24
24
  });
25
25
  logger.info('Creating authentication strategy...', context);
26
+ if (config.mcpAuthDisableScopeChecks && config.mcpAuthMode !== 'none') {
27
+ logger.warning('MCP_AUTH_DISABLE_SCOPE_CHECKS=true — per-tool and runtime scope enforcement is bypassed for every request. Token signature, audience, issuer, and expiry validation are still applied. Combine with server-side ACLs to avoid granting every authenticated user every tool.', context);
28
+ }
26
29
  switch (config.mcpAuthMode) {
27
30
  case 'jwt':
28
31
  logger.debug('Creating JWT strategy.', context);
29
32
  return new JwtStrategy(config, logger);
30
33
  case 'oauth':
31
- logger.debug('Creating OAuth strategy.', context);
34
+ logger.info('OAuth mode active. Granted scopes are read from `scp` (array), `scope` (space-delimited), and `mcp_tool_scopes` (custom claim, for OIDC providers that cannot inject scopes into `scope` during authorization_code flow — Authentik, Keycloak <26.5, Zitadel). To bypass per-tool enforcement entirely, set MCP_AUTH_DISABLE_SCOPE_CHECKS=true (combine with server-side ACLs).', context);
32
35
  return new OauthStrategy(config, logger);
33
36
  case 'none':
34
37
  logger.info("Authentication is disabled ('none' mode).", context);
package/dist/mcp-server/transports/auth/authFactory.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authFactory.js","sourceRoot":"","sources":["../../../../src/mcp-server/transports/auth/authFactory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,OAAO,EAAE,WAAW,EAAE,MAAM,wDAAwD,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,MAAM,0DAA0D,CAAC;AACzF,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAE3E;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,OAAO,GAAG,qBAAqB,CAAC,oBAAoB,CAAC;QACzD,SAAS,EAAE,oBAAoB;QAC/B,QAAQ,EAAE,MAAM,CAAC,WAAW;KAC7B,CAAC,CAAC;IACH,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE,OAAO,CAAC,CAAC;IAE5D,QAAQ,MAAM,CAAC,WAAW,EAAE,CAAC;QAC3B,KAAK,KAAK;YACR,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,OAAO,CAAC,CAAC;YAChD,OAAO,IAAI,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACzC,KAAK,OAAO;YACV,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,OAAO,CAAC,CAAC;YAClD,OAAO,IAAI,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,KAAK,MAAM;YACT,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE,OAAO,CAAC,CAAC;YAClE,OAAO,IAAI,CAAC,CAAC,oBAAoB;QACnC;YACE,mEAAmE;YACnE,mEAAmE;YACnE,MAAM,CAAC,KAAK,CAAC,gCAAgC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;YACpF,MAAM,IAAI,KAAK,CAAC,gCAAgC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"authFactory.js","sourceRoot":"","sources":["../../../../src/mcp-server/transports/auth/authFactory.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,OAAO,EAAE,WAAW,EAAE,MAAM,wDAAwD,CAAC;AACrF,OAAO,EAAE,aAAa,EAAE,MAAM,0DAA0D,CAAC;AACzF,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAE3E;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,OAAO,GAAG,qBAAqB,CAAC,oBAAoB,CAAC;QACzD,SAAS,EAAE,oBAAoB;QAC/B,QAAQ,EAAE,MAAM,CAAC,WAAW;KAC7B,CAAC,CAAC;IACH,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE,OAAO,CAAC,CAAC;IAE5D,IAAI,MAAM,CAAC,yBAAyB,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QACtE,MAAM,CAAC,OAAO,CACZ,6QAA6Q,EAC7Q,OAAO,CACR,CAAC;IACJ,CAAC;IAED,QAAQ,MAAM,CAAC,WAAW,EAAE,CAAC;QAC3B,KAAK,KAAK;YACR,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,OAAO,CAAC,CAAC;YAChD,OAAO,IAAI,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACzC,KAAK,OAAO;YACV,MAAM,CAAC,IAAI,CACT,iXAAiX,EACjX,OAAO,CACR,CAAC;YACF,OAAO,IAAI,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,KAAK,MAAM;YACT,MAAM,CAAC,IAAI,CAAC,2CAA2C,EAAE,OAAO,CAAC,CAAC;YAClE,OAAO,IAAI,CAAC,CAAC,oBAAoB;QACnC;YACE,mEAAmE;YACnE,mEAAmE;YACnE,MAAM,CAAC,KAAK,CAAC,gCAAgC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;YACpF,MAAM,IAAI,KAAK,CAAC,gCAAgC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC"}
package/dist/mcp-server/transports/auth/lib/authUtils.d.ts CHANGED
@@ -8,6 +8,9 @@ import { type RequestContext } from '../../../../utils/internal/requestContext.j
8
8
  * Checks if the current authentication context contains all the specified scopes.
9
9
  * When auth is disabled (`MCP_AUTH_MODE=none`), scope checks are skipped.
10
10
  * When auth is enabled and the auth context is missing, fails closed with Unauthorized.
11
+ * When `MCP_AUTH_DISABLE_SCOPE_CHECKS=true`, scope enforcement is bypassed after the
12
+ * auth-context presence check; signature, audience, issuer, and expiry validation
13
+ * remain intact.
11
14
  *
12
15
  * @param requiredScopes - An array of scope strings that are mandatory for the operation.
13
16
  * @param parentContext - Optional parent request context for trace correlation.
package/dist/mcp-server/transports/auth/lib/authUtils.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authUtils.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authUtils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,EAAE,KAAK,cAAc,EAAyB,MAAM,oCAAoC,CAAC;AAEhG;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,cAAc,EAAE,MAAM,EAAE,EAAE,aAAa,CAAC,EAAE,cAAc,GAAG,IAAI,CA0DjG"}
1
+ {"version":3,"file":"authUtils.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authUtils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,EAAE,KAAK,cAAc,EAAyB,MAAM,oCAAoC,CAAC;AAEhG;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,cAAc,EAAE,MAAM,EAAE,EAAE,aAAa,CAAC,EAAE,cAAc,GAAG,IAAI,CAkEjG"}
package/dist/mcp-server/transports/auth/lib/authUtils.js CHANGED
@@ -12,6 +12,9 @@ import { requestContextService } from '../../../../utils/internal/requestContext
12
12
  * Checks if the current authentication context contains all the specified scopes.
13
13
  * When auth is disabled (`MCP_AUTH_MODE=none`), scope checks are skipped.
14
14
  * When auth is enabled and the auth context is missing, fails closed with Unauthorized.
15
+ * When `MCP_AUTH_DISABLE_SCOPE_CHECKS=true`, scope enforcement is bypassed after the
16
+ * auth-context presence check; signature, audience, issuer, and expiry validation
17
+ * remain intact.
15
18
  *
16
19
  * @param requiredScopes - An array of scope strings that are mandatory for the operation.
17
20
  * @param parentContext - Optional parent request context for trace correlation.
@@ -40,6 +43,10 @@ export function withRequiredScopes(requiredScopes, parentContext) {
40
43
  logger.warning('Auth enabled but no authentication context found. Denying request.', initialContext);
41
44
  throw unauthorized('Authentication required but no auth context was established.', initialContext);
42
45
  }
46
+ if (config.mcpAuthDisableScopeChecks) {
47
+ logger.debug('Scope enforcement bypassed (MCP_AUTH_DISABLE_SCOPE_CHECKS=true).', initialContext);
48
+ return;
49
+ }
43
50
  logger.debug('Performing scope authorization check.', initialContext);
44
51
  const { scopes: grantedScopes, clientId, subject } = store.authInfo;
45
52
  const grantedScopeSet = new Set(grantedScopes);
package/dist/mcp-server/transports/auth/lib/authUtils.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authUtils.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authUtils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,iDAAiD,CAAC;AAC9E,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAuB,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAEhG;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAAC,cAAwB,EAAE,aAA8B;IACzF,MAAM,cAAc,GAAG,aAAa;QAClC,CAAC,CAAC;YACE,GAAG,aAAa;YAChB,SAAS,EAAE,yBAAyB;YACpC,cAAc;SACf;QACH,CAAC,CAAC,qBAAqB,CAAC,oBAAoB,CAAC;YACzC,SAAS,EAAE,yBAAyB;YACpC,iBAAiB,EAAE,EAAE,cAAc,EAAE;SACtC,CAAC,CAAC;IAEP,wFAAwF;IACxF,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,2DAA2D,EAAE,cAAc,CAAC,CAAC;QAC1F,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC;IAErC,uDAAuD;IACvD,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;QACrB,MAAM,CAAC,OAAO,CACZ,oEAAoE,EACpE,cAAc,CACf,CAAC;QACF,MAAM,YAAY,CAChB,8DAA8D,EAC9D,cAAc,CACf,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,uCAAuC,EAAE,cAAc,CAAC,CAAC;IAEtE,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC,QAAQ,CAAC;IACpE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAEpF,MAAM,YAAY,GAAG;QACnB,GAAG,cAAc;QACjB,aAAa;QACb,QAAQ;QACR,OAAO;KACR,CAAC;IAEF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,+EAA+E;QAC/E,MAAM,CAAC,OAAO,CAAC,gDAAgD,EAAE;YAC/D,GAAG,YAAY;YACf,aAAa;SACd,CAAC,CAAC;QACH,2FAA2F;QAC3F,mGAAmG;QACnG,MAAM,SAAS,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,YAAY,CAAC,CAAC;AAChE,CAAC"}
1
+ {"version":3,"file":"authUtils.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/authUtils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,MAAM,iDAAiD,CAAC;AAC9E,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAuB,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAEhG;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,cAAwB,EAAE,aAA8B;IACzF,MAAM,cAAc,GAAG,aAAa;QAClC,CAAC,CAAC;YACE,GAAG,aAAa;YAChB,SAAS,EAAE,yBAAyB;YACpC,cAAc;SACf;QACH,CAAC,CAAC,qBAAqB,CAAC,oBAAoB,CAAC;YACzC,SAAS,EAAE,yBAAyB;YACpC,iBAAiB,EAAE,EAAE,cAAc,EAAE;SACtC,CAAC,CAAC;IAEP,wFAAwF;IACxF,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,2DAA2D,EAAE,cAAc,CAAC,CAAC;QAC1F,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC;IAErC,uDAAuD;IACvD,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,CAAC;QACrB,MAAM,CAAC,OAAO,CACZ,oEAAoE,EACpE,cAAc,CACf,CAAC;QACF,MAAM,YAAY,CAChB,8DAA8D,EAC9D,cAAc,CACf,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,yBAAyB,EAAE,CAAC;QACrC,MAAM,CAAC,KAAK,CACV,kEAAkE,EAClE,cAAc,CACf,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,uCAAuC,EAAE,cAAc,CAAC,CAAC;IAEtE,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC,QAAQ,CAAC;IACpE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAEpF,MAAM,YAAY,GAAG;QACnB,GAAG,cAAc;QACjB,aAAa;QACb,QAAQ;QACR,OAAO;KACR,CAAC;IAEF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,+EAA+E;QAC/E,MAAM,CAAC,OAAO,CAAC,gDAAgD,EAAE;YAC/D,GAAG,YAAY;YACf,aAAa;SACd,CAAC,CAAC;QACH,2FAA2F;QAC3F,mGAAmG;QACnG,MAAM,SAAS,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,YAAY,CAAC,CAAC;AAChE,CAAC"}
package/dist/mcp-server/transports/auth/lib/checkScopes.d.ts CHANGED
@@ -10,6 +10,10 @@ import type { Context } from '../../../../core/context.js';
10
10
  * directly from `ctx.auth`. Throws `McpError(Forbidden)` if scopes are
11
11
  * insufficient. No-ops when auth is disabled (`MCP_AUTH_MODE=none`).
12
12
  * Throws `Unauthorized` when auth is enabled but `ctx.auth` is absent.
13
+ * When `MCP_AUTH_DISABLE_SCOPE_CHECKS=true`, returns silently after the
14
+ * `ctx.auth` presence check — bypassing scope enforcement for runtime-computed
15
+ * patterns (e.g. tenant isolation) while keeping every other token validation
16
+ * intact.
13
17
  *
14
18
  * @example
15
19
  * ```ts
package/dist/mcp-server/transports/auth/lib/checkScopes.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"checkScopes.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/checkScopes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAGjD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,IAAI,CAqBxE"}
1
+ {"version":3,"file":"checkScopes.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/checkScopes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAGjD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,IAAI,CAyBxE"}
package/dist/mcp-server/transports/auth/lib/checkScopes.js CHANGED
@@ -11,6 +11,10 @@ import { forbidden, unauthorized } from '../../../../types-global/errors.js';
11
11
  * directly from `ctx.auth`. Throws `McpError(Forbidden)` if scopes are
12
12
  * insufficient. No-ops when auth is disabled (`MCP_AUTH_MODE=none`).
13
13
  * Throws `Unauthorized` when auth is enabled but `ctx.auth` is absent.
14
+ * When `MCP_AUTH_DISABLE_SCOPE_CHECKS=true`, returns silently after the
15
+ * `ctx.auth` presence check — bypassing scope enforcement for runtime-computed
16
+ * patterns (e.g. tenant isolation) while keeping every other token validation
17
+ * intact.
14
18
  *
15
19
  * @example
16
20
  * ```ts
@@ -29,6 +33,9 @@ export function checkScopes(ctx, requiredScopes) {
29
33
  if (!ctx.auth) {
30
34
  throw unauthorized('Authentication required but no auth context was established.');
31
35
  }
36
+ if (config.mcpAuthDisableScopeChecks) {
37
+ return;
38
+ }
32
39
  const grantedScopeSet = new Set(ctx.auth.scopes);
33
40
  const missingScopes = requiredScopes.filter((scope) => !grantedScopeSet.has(scope));
34
41
  if (missingScopes.length > 0) {
package/dist/mcp-server/transports/auth/lib/checkScopes.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"checkScopes.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/checkScopes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAEnE;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,WAAW,CAAC,GAAY,EAAE,cAAwB;IAChE,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QAClC,OAAO;IACT,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,YAAY,CAAC,8DAA8D,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAEpF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,gFAAgF;QAChF,mEAAmE;QACnE,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,gDAAgD,EAAE;YAChE,cAAc;YACd,aAAa;SACd,CAAC,CAAC;QACH,MAAM,SAAS,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"checkScopes.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/checkScopes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAE3C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAEnE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,WAAW,CAAC,GAAY,EAAE,cAAwB;IAChE,IAAI,MAAM,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;QAClC,OAAO;IACT,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,YAAY,CAAC,8DAA8D,CAAC,CAAC;IACrF,CAAC;IAED,IAAI,MAAM,CAAC,yBAAyB,EAAE,CAAC;QACrC,OAAO;IACT,CAAC;IAED,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAEpF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,gFAAgF;QAChF,mEAAmE;QACnE,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,gDAAgD,EAAE;YAChE,cAAc;YACd,aAAa;SACd,CAAC,CAAC;QACH,MAAM,SAAS,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC"}
package/dist/mcp-server/transports/auth/lib/claimParser.d.ts CHANGED
@@ -12,7 +12,11 @@ import type { AuthInfo } from '../../../../mcp-server/transports/auth/lib/authTy
12
12
  *
13
13
  * Claim resolution order:
14
14
  * - **clientId**: `cid` (Okta) → `client_id` (OAuth 2.1 standard)
15
- * - **scopes**: `scp` (Okta, array) `scope` (standard, space-delimited string)
15
+ * - **scopes**: union of `scp` (Okta, array), `scope` (standard, space-delimited string),
16
+ * and `mcp_tool_scopes` (custom claim for OIDC providers that cannot inject scopes
17
+ * into `scope` during the `authorization_code` flow — Authentik, Keycloak < 26.5,
18
+ * Zitadel). Operators add a property mapping returning
19
+ * `{"mcp_tool_scopes": "tool:foo:read tool:bar:write"}` (string or array form accepted).
16
20
  * - **subject**: `sub` (standard)
17
21
  * - **tenantId**: `tid` (Azure AD / custom)
18
22
  * - **expiresAt**: `exp` (standard, seconds since epoch)
package/dist/mcp-server/transports/auth/lib/claimParser.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"claimParser.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/claimParser.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,+CAA+C,CAAC;AAG9E;;;;;;;;;;;GAWG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,QAAQ,CA+BpF;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,GAAG,KAAK,CAOpF"}
1
+ {"version":3,"file":"claimParser.d.ts","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/claimParser.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,+CAA+C,CAAC;AAkB9E;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,QAAQ,CA8BpF;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,GAAG,KAAK,CAOpF"}
package/dist/mcp-server/transports/auth/lib/claimParser.js CHANGED
@@ -1,10 +1,28 @@
1
1
  import { McpError, unauthorized } from '../../../../types-global/errors.js';
2
+ /**
3
+ * Extracts a list of scope strings from a JWT claim value, accepting both
4
+ * array and space-delimited string forms. Non-string array entries cause
5
+ * the claim to be ignored entirely. Empty-string entries are dropped.
6
+ */
7
+ function extractStringScopes(value) {
8
+ if (Array.isArray(value) && value.every((s) => typeof s === 'string')) {
9
+ return value.filter((s) => s.length > 0);
10
+ }
11
+ if (typeof value === 'string' && value.trim()) {
12
+ return value.split(' ').filter(Boolean);
13
+ }
14
+ return [];
15
+ }
2
16
  /**
3
17
  * Builds an {@link AuthInfo} from a raw token string and decoded JWT payload.
4
18
  *
5
19
  * Claim resolution order:
6
20
  * - **clientId**: `cid` (Okta) → `client_id` (OAuth 2.1 standard)
7
- * - **scopes**: `scp` (Okta, array) `scope` (standard, space-delimited string)
21
+ * - **scopes**: union of `scp` (Okta, array), `scope` (standard, space-delimited string),
22
+ * and `mcp_tool_scopes` (custom claim for OIDC providers that cannot inject scopes
23
+ * into `scope` during the `authorization_code` flow — Authentik, Keycloak < 26.5,
24
+ * Zitadel). Operators add a property mapping returning
25
+ * `{"mcp_tool_scopes": "tool:foo:read tool:bar:write"}` (string or array form accepted).
8
26
  * - **subject**: `sub` (standard)
9
27
  * - **tenantId**: `tid` (Azure AD / custom)
10
28
  * - **expiresAt**: `exp` (standard, seconds since epoch)
@@ -20,13 +38,11 @@ export function buildAuthInfoFromClaims(token, payload) {
20
38
  if (!clientId) {
21
39
  throw unauthorized("Invalid token: missing 'cid' or 'client_id' claim.");
22
40
  }
23
- let scopes = [];
24
- if (Array.isArray(payload.scp) && payload.scp.every((s) => typeof s === 'string')) {
25
- scopes = payload.scp;
26
- }
27
- else if (typeof payload.scope === 'string' && payload.scope.trim()) {
28
- scopes = payload.scope.split(' ').filter(Boolean);
29
- }
41
+ const scopes = [
42
+ ...extractStringScopes(payload.scp),
43
+ ...extractStringScopes(payload.scope),
44
+ ...extractStringScopes(payload.mcp_tool_scopes),
45
+ ];
30
46
  if (scopes.length === 0) {
31
47
  throw unauthorized('Token must contain valid, non-empty scopes.');
32
48
  }
package/dist/mcp-server/transports/auth/lib/claimParser.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"claimParser.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/claimParser.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,uBAAuB,CAAC,KAAa,EAAE,OAAmB;IACxE,MAAM,QAAQ,GACZ,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAC7B,CAAC,CAAC,OAAO,CAAC,GAAG;QACb,CAAC,CAAC,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACrC,CAAC,CAAC,OAAO,CAAC,SAAS;YACnB,CAAC,CAAC,SAAS,CAAC;IAElB,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,YAAY,CAAC,oDAAoD,CAAC,CAAC;IAC3E,CAAC;IAED,IAAI,MAAM,GAAa,EAAE,CAAC;IAC1B,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QAClF,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IACvB,CAAC;SAAM,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QACrE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,CAAC,6CAA6C,CAAC,CAAC;IACpE,CAAC;IAED,OAAO;QACL,KAAK;QACL,QAAQ;QACR,MAAM;QACN,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QAChE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACjE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACnE,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAc,EAAE,eAAuB;IAC3E,IAAI,KAAK,YAAY,QAAQ;QAAE,MAAM,KAAK,CAAC;IAE3C,MAAM,OAAO,GACX,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,eAAe,CAAC;IAEjG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;AAC9B,CAAC"}
1
+ {"version":3,"file":"claimParser.js","sourceRoot":"","sources":["../../../../../src/mcp-server/transports/auth/lib/claimParser.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,KAAc;IACzC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QACtE,OAAQ,KAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;QAC9C,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,uBAAuB,CAAC,KAAa,EAAE,OAAmB;IACxE,MAAM,QAAQ,GACZ,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;QAC7B,CAAC,CAAC,OAAO,CAAC,GAAG;QACb,CAAC,CAAC,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACrC,CAAC,CAAC,OAAO,CAAC,SAAS;YACnB,CAAC,CAAC,SAAS,CAAC;IAElB,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,YAAY,CAAC,oDAAoD,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,MAAM,GAAG;QACb,GAAG,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC;QACnC,GAAG,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC;QACrC,GAAG,mBAAmB,CAAC,OAAO,CAAC,eAAe,CAAC;KAChD,CAAC;IAEF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,CAAC,6CAA6C,CAAC,CAAC;IACpE,CAAC;IAED,OAAO;QACL,KAAK;QACL,QAAQ;QACR,MAAM;QACN,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QAChE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACjE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACnE,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAc,EAAE,eAAuB;IAC3E,IAAI,KAAK,YAAY,QAAQ;QAAE,MAAM,KAAK,CAAC;IAE3C,MAAM,OAAO,GACX,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,eAAe,CAAC;IAEjG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;AAC9B,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@cyanheads/mcp-ts-core",
3
- "version": "0.8.19",
3
+ "version": "0.8.20",
4
4
  "mcpName": "io.github.cyanheads/mcp-ts-core",
5
5
  "description": "Agent-native TypeScript framework for building MCP servers. Declarative definitions with auth, multi-backend storage, OpenTelemetry, and first-class support for Bun/Node/Cloudflare Workers.",
6
6
  "main": "dist/core/index.js",
@@ -166,7 +166,7 @@
166
166
  "devDependencies": {
167
167
  "@biomejs/biome": "2.4.14",
168
168
  "@cloudflare/vitest-pool-workers": "^0.16.3",
169
- "@cloudflare/workers-types": "^4.20260508.1",
169
+ "@cloudflare/workers-types": "^4.20260509.1",
170
170
  "@duckdb/node-api": "^1.5.2-r.1",
171
171
  "@hono/otel": "^1.1.2",
172
172
  "@opentelemetry/exporter-metrics-otlp-http": "^0.217.0",
@@ -178,7 +178,7 @@
178
178
  "@opentelemetry/sdk-node": "^0.217.0",
179
179
  "@opentelemetry/sdk-trace-node": "^2.7.1",
180
180
  "@opentelemetry/semantic-conventions": "^1.40.0",
181
- "@supabase/supabase-js": "^2.105.3",
181
+ "@supabase/supabase-js": "^2.105.4",
182
182
  "@types/bun": "^1.3.13",
183
183
  "@types/js-yaml": "^4.0.9",
184
184
  "@types/node": "^25.6.2",
package/skills/api-auth/SKILL.md CHANGED
@@ -4,7 +4,7 @@ description: >
4
4
  Authentication, authorization, and multi-tenancy patterns for `@cyanheads/mcp-ts-core`. Use when implementing auth scopes on tools/resources, configuring auth modes (none/jwt/oauth), working with JWT/OAuth env vars, or understanding how tenantId flows through ctx.state.
5
5
  metadata:
6
6
  author: cyanheads
7
- version: "1.0"
7
+ version: "1.1"
8
8
  audience: external
9
9
  type: reference
10
10
  ---
@@ -94,10 +94,44 @@ Set via `MCP_AUTH_MODE` environment variable.
94
94
  | Claim | JWT Field | Purpose |
95
95
  |:------|:----------|:--------|
96
96
  | `clientId` | `cid` / `client_id` | Identifies the calling client |
97
- | `scopes` | `scp` / `scope` | Space-separated list of granted scopes |
97
+ | `scopes` | union of `scp`, `scope`, `mcp_tool_scopes` | Granted scope list (see below) |
98
98
  | `sub` | `sub` | Subject (user or service identity) |
99
99
  | `tenantId` | `tid` | Tenant identifier — drives `ctx.state` scoping |
100
100
 
101
+ `scopes` is the **union** of three claims, in this order:
102
+
103
+ | Claim | Form | Source |
104
+ |:------|:-----|:-------|
105
+ | `scp` | array of strings | Okta-style |
106
+ | `scope` | space-delimited string | OAuth 2.1 / OIDC standard |
107
+ | `mcp_tool_scopes` | array of strings **or** space-delimited string | Custom claim for OIDC providers that cannot inject scopes into `scope` during the `authorization_code` flow (Authentik, Keycloak < 26.5, Zitadel) |
108
+
109
+ Auth0/Okta-style providers that already populate `scp` or `scope` need no migration. Other deployments add a property mapping returning `{"mcp_tool_scopes": "tool:foo:read tool:bar:write"}` — the framework unions it into `ctx.auth.scopes` alongside the standard claims. Hardcoded claim name; deployments whose IdP cannot emit `mcp_tool_scopes` use the bypass flag below.
110
+
111
+ ### OIDC operator setup (Authentik / Keycloak / Zitadel)
112
+
113
+ Standard OIDC providers compute the JWT `scope` claim from what the OAuth client requested at the authorization endpoint and ignore property mappings that try to override `scope` in the `authorization_code` flow. Property mappings that inject **other** claim names work fine. To grant per-tool scopes to a Claude.ai or ChatGPT custom connector that doesn't expose scope customization, configure your IdP to return the per-tool scopes under `mcp_tool_scopes` instead of overriding `scope`.
114
+
115
+ | Provider | Where to configure |
116
+ |:---------|:--------------------|
117
+ | Authentik | Customization → Property Mappings → new "Scope Mapping" returning `{"mcp_tool_scopes": "tool:foo:read tool:bar:write"}`; bind to the OAuth2/OpenID provider |
118
+ | Keycloak (< 26.5) | Client → Client Scopes → Mappers → new "Hardcoded claim" or "Script Mapper" emitting `mcp_tool_scopes` |
119
+ | Zitadel | Project → Roles + Action returning `{"mcp_tool_scopes": "..."}` from a pre-token script |
120
+
121
+ Keycloak ≥ 26.5 ships native MCP integration support; check its release notes before falling back to a custom claim.
122
+
123
+ ### Bypass flag
124
+
125
+ For environments where no custom claim can be injected (managed services, restricted IdPs), set `MCP_AUTH_DISABLE_SCOPE_CHECKS=true` to bypass scope enforcement entirely.
126
+
127
+ | Variable | Default | Effect |
128
+ |:---------|:--------|:-------|
129
+ | `MCP_AUTH_DISABLE_SCOPE_CHECKS` | `false` | When `true`, both `withRequiredScopes` (declared `auth: [...]`) and `checkScopes` (runtime-computed scopes inside handlers) early-return after the auth-context presence check. Token signature, audience, issuer, and expiry validation remain intact. |
130
+
131
+ The flag bypasses **both** declared `auth: [...]` enforcement and runtime `checkScopes` calls — including tenant isolation patterns like `team:${input.teamId}:write`. Naming is deliberate: this disables all scope checks, not just per-tool ones. Applies to `MCP_AUTH_MODE=jwt` and `MCP_AUTH_MODE=oauth` (no effect under `none`).
132
+
133
+ A `WARNING`-level log is emitted at startup whenever the flag is active so operators don't lose track of it. Combine with server-side ACLs (path filters, allowlists, tenant rules) — without an in-handler ACL, every authenticated user effectively has every scope.
134
+
101
135
  ---
102
136
 
103
137
  ## Endpoints
@@ -160,7 +194,7 @@ Available on `ctx.auth` inside handlers (when auth is enabled):
160
194
  ```ts
161
195
  interface AuthContext {
162
196
  clientId: string; // Required — 'cid' or 'client_id' JWT claim
163
- scopes: string[]; // Required — derived from 'scp' or 'scope' claim
197
+ scopes: string[]; // Required — union of 'scp', 'scope', and 'mcp_tool_scopes' claims
164
198
  sub: string; // Required — 'sub' claim; falls back to clientId when absent
165
199
  token: string; // Required — raw JWT or OAuth bearer token string
166
200
  tenantId?: string; // Optional — 'tid' claim; present only for multi-tenant tokens
package/skills/api-config/SKILL.md CHANGED
@@ -4,7 +4,7 @@ description: >
4
4
  Reference for core and server configuration in `@cyanheads/mcp-ts-core`. Covers env var tables with defaults, priority order, server-specific Zod schema pattern, and Workers lazy-parsing requirement.
5
5
  metadata:
6
6
  author: cyanheads
7
- version: "1.3"
7
+ version: "1.4"
8
8
  audience: external
9
9
  type: reference
10
10
  ---
@@ -68,6 +68,7 @@ Managed by `@cyanheads/mcp-ts-core`. Validated via Zod from environment variable
68
68
  |:--------|:-----------------|:--------|:------|
69
69
  | `MCP_AUTH_MODE` | `mcpAuthMode` | `none` | `none` \| `jwt` \| `oauth` |
70
70
  | `MCP_AUTH_SECRET_KEY` | `mcpAuthSecretKey` | — | Required for `jwt` mode; min 32 chars |
71
+ | `MCP_AUTH_DISABLE_SCOPE_CHECKS` | `mcpAuthDisableScopeChecks` | `false` | When `true`, bypasses both `withRequiredScopes` (declared `auth: [...]`) and `checkScopes` (runtime/tenant scopes). Token validation (sig/aud/iss/exp) intact. Logs a `WARNING` at startup. See `api-auth` skill. |
71
72
  | `OAUTH_ISSUER_URL` | `oauthIssuerUrl` | — | Required for `oauth` mode |
72
73
  | `OAUTH_AUDIENCE` | `oauthAudience` | — | Required for `oauth` mode |
73
74
  | `OAUTH_JWKS_URI` | `oauthJwksUri` | — | Override JWKS endpoint (otherwise derived from issuer) |
package/skills/security-pass/SKILL.md CHANGED
@@ -4,7 +4,7 @@ description: >
4
4
  Review an MCP server for common security gaps: LLM-facing surfaces as injection vector (tools, resources, prompts, descriptions), scope blast radius, destructive ops without consent, upstream auth shape, input sinks (URL / path / roots / shell / sampling / schema strictness / ReDoS), tenant isolation, leakage through errors and telemetry, unbounded resources, and HTTP-mode deployment surface. Use before a release, after a batch of handler changes, or when the user asks for a security review, audit, or hardening pass. Produces grouped findings and a numbered options list.
5
5
  metadata:
6
6
  author: cyanheads
7
- version: "1.3"
7
+ version: "1.4"
8
8
  audience: external
9
9
  type: audit
10
10
  ---
@@ -104,8 +104,9 @@ grep -rn "auth: \[" src/mcp-server/tools/definitions/
104
104
  - Tools with `['admin']`, `['*']`, or `[]`?
105
105
  - A single scope covering two capabilities that should be separated (read vs write)?
106
106
  - Read-only tools never require write scopes?
107
+ - `MCP_AUTH_DISABLE_SCOPE_CHECKS=true` set in production? When on, both `withRequiredScopes` and `checkScopes` early-return — every authenticated user gets every tool, and runtime tenant patterns like `team:${input.teamId}:write` no longer guard. Acceptable only when paired with a real server-side ACL (path filter, allowlist, upstream API enforcement).
107
108
 
108
- **Smell:** every tool shares the same scope string.
109
+ **Smell:** every tool shares the same scope string. Or: `MCP_AUTH_DISABLE_SCOPE_CHECKS=true` set without a documented compensating ACL — confirm the deployment relies on a meaningful access control layer below the framework before approving.
109
110
 
110
111
  #### Axis 3 — Destructive ops without elicit
111
112
 
package/skills/tool-defs-analysis/SKILL.md CHANGED
@@ -4,7 +4,7 @@ description: >
4
4
  Read-only audit of MCP definition language across an existing surface — tools, resources, prompts. Walks every definition file and checks 10 categories the LLM reads to decide whether and how to call: voice & tense, internal leaks, audience leaks, defaults, recovery hints, output descriptions, cross-references, sparsity, examples, structure. Produces grouped findings with file:line citations and a numbered options list. Use during polish, after a refactor, or before a release. Complements `field-test` (behavior testing) and `security-pass` (security audit).
5
5
  metadata:
6
6
  author: cyanheads
7
- version: "1.0"
7
+ version: "1.1"
8
8
  audience: external
9
9
  type: audit
10
10
  ---
@@ -105,7 +105,7 @@ Prior art: #74. Field-test catches this in its leak audit; this skill is the mor
105
105
 
106
106
  **Check:** the hint directs the *agent* to its next action, not the developer to debugging. "Call `pubmed_search` with a narrower query" beats "Verify the configuration is correct" or "Internal error".
107
107
 
108
- **Smell:** "Check the logs", "See documentation", "Contact admin", "Try again later" (with no condition), generic non-actionable text, hints that name internal classes, files, or env vars.
108
+ **Smell:** "Check the logs", "See documentation", "Contact admin", "Try again later" (with no condition), generic non-actionable text, hints that name internal classes or files.
109
109
 
110
110
  #### 6. Output descriptions
111
111