@decocms/runtime 1.0.0-alpha.23 → 1.0.0-alpha.25

package/package.json

@@ -1,24 +1,22 @@
 {
   "name": "@decocms/runtime",
-  "version": "1.0.0-alpha.23",
+  "version": "1.0.0-alpha.25",
   "type": "module",
   "dependencies": {
     "@cloudflare/workers-types": "^4.20250617.0",
     "@deco/mcp": "npm:@jsr/deco__mcp@0.5.5",
-    "@decocms/bindings": "1.0.1-alpha.12",
+    "@decocms/bindings": "1.0.1-alpha.16",
     "@modelcontextprotocol/sdk": "1.20.2",
     "@ai-sdk/provider": "^2.0.0",
     "hono": "^4.10.7",
     "jose": "^6.0.11",
     "zod": "^3.25.76",
-    "zod-from-json-schema": "^0.0.5",
     "zod-to-json-schema": "3.25.0"
   },
   "exports": {
     ".": "./src/index.ts",
     "./proxy": "./src/proxy.ts",
     "./client": "./src/client.ts",
-    "./mcp-client": "./src/mcp-client.ts",
     "./bindings": "./src/bindings/index.ts",
     "./asset-server": "./src/asset-server/index.ts",
     "./tools": "./src/tools.ts"
@@ -33,4 +31,4 @@
   "publishConfig": {
     "access": "public"
   }
-}
+}

package/src/index.ts

@@ -83,6 +83,7 @@ export interface RequestContext<TSchema extends z.ZodTypeAny = any> {
   state: z.infer<TSchema>;
   token: string;
   meshUrl: string;
+  authorization?: string | null;
   ensureAuthenticated: (options?: {
     workspaceHint?: string;
   }) => User | undefined;
@@ -159,14 +160,19 @@ export const withBindings = <TEnv>({
   tokenOrContext,
   url,
   bindings: inlineBindings,
+  authToken,
 }: {
   env: TEnv;
   server: MCPServer<TEnv, any>;
+  // token is x-mesh-token
   tokenOrContext?: string | RequestContext;
+  // authToken is the authorization header
+  authToken?: string | null;
   url?: string;
   bindings?: Binding[];
 }): TEnv => {
   const env = _env as DefaultEnv<any>;
+  const authorization = authToken ? authToken.split(" ")[1] : undefined;
 
   let context;
   if (typeof tokenOrContext === "string") {
@@ -180,6 +186,7 @@ export const withBindings = <TEnv>({
       }) ?? {};
 
     context = {
+      authorization,
       state: decoded.state ?? metadata.state,
       token: tokenOrContext,
       meshUrl: (decoded.meshUrl as string) ?? metadata.meshUrl,
@@ -197,6 +204,7 @@ export const withBindings = <TEnv>({
         connectionId?: string;
       }) ?? {};
     const appName = decoded.appName as string | undefined;
+    context.authorization ??= authorization;
     context.callerApp = appName;
     context.connectionId ??=
       (decoded.connectionId as string) ?? metadata.connectionId;
@@ -204,6 +212,7 @@ export const withBindings = <TEnv>({
   } else {
     context = {
       state: {},
+      authorization,
       token: undefined,
       meshUrl: undefined,
       connectionId: undefined,
@@ -254,13 +263,31 @@ export const withRuntime = <TEnv, TSchema extends z.ZodTypeAny = never>(
         return oauthHandlers.handleProtectedResourceMetadata(req);
       }
 
+      // Authorization server metadata (RFC8414)
+      if (url.pathname === "/.well-known/oauth-authorization-server") {
+        return oauthHandlers.handleAuthorizationServerMetadata(req);
+      }
+
+      // Authorization endpoint - redirects to external OAuth provider
+      if (url.pathname === "/authorize") {
+        return oauthHandlers.handleAuthorize(req);
+      }
+
       // OAuth callback - receives code from external OAuth provider
       if (url.pathname === "/oauth/callback") {
         return oauthHandlers.handleOAuthCallback(req);
       }
 
+      // Token endpoint - exchanges code for tokens
+      if (url.pathname === "/token" && req.method === "POST") {
+        return oauthHandlers.handleToken(req);
+      }
+
       // Dynamic client registration (RFC7591)
-      if (url.pathname === "/mcp/register" && req.method === "POST") {
+      if (
+        (url.pathname === "/register" || url.pathname === "/mcp/register") &&
+        req.method === "POST"
+      ) {
         return oauthHandlers.handleClientRegistration(req);
       }
     }
@@ -312,6 +339,7 @@ export const withRuntime = <TEnv, TSchema extends z.ZodTypeAny = never>(
       }
 
       const bindings = withBindings({
+        authToken: req.headers.get("authorization") ?? null,
         env,
         server,
         bindings: userFns.bindings,

package/src/oauth.ts

@@ -29,14 +29,52 @@ function isValidRedirectUri(uri: string): boolean {
   }
 }
 
+/**
+ * Encode data as base64url JSON
+ */
+function encodeState<T>(data: T): string {
+  return btoa(JSON.stringify(data))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+}
+
+/**
+ * Decode base64url JSON data
+ */
+function decodeState<T>(encoded: string): T | null {
+  try {
+    const base64 = encoded.replace(/-/g, "+").replace(/_/g, "/");
+    return JSON.parse(atob(base64)) as T;
+  } catch {
+    return null;
+  }
+}
+
+interface PendingAuthState {
+  redirectUri: string;
+  clientState?: string;
+  codeChallenge?: string;
+  codeChallengeMethod?: string;
+}
+
+interface CodePayload {
+  accessToken: string;
+  tokenType: string;
+  codeChallenge?: string;
+  codeChallengeMethod?: string;
+}
+
 /**
  * Create OAuth endpoint handlers for MCP servers
+ * The MCP server acts as an OAuth Authorization Server proxy
+ * Stateless implementation - no persistence required
  * Per MCP Authorization spec: https://modelcontextprotocol.io/specification/draft/basic/authorization
  */
 export function createOAuthHandlers(oauth: OAuthConfig) {
   /**
    * Build OAuth 2.0 Protected Resource Metadata (RFC9728)
-   * Per MCP spec, this MUST point to the external authorization server
+   * Points to THIS server as the authorization server
    */
   const handleProtectedResourceMetadata = (req: Request): Response => {
     const url = new URL(req.url);
@@ -44,7 +82,8 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
 
     return Response.json({
       resource: resourceUrl,
-      authorization_servers: [oauth.authorizationServer],
+      // Point to ourselves - we are the authorization server proxy
+      authorization_servers: [url.origin],
       scopes_supported: ["*"],
       bearer_methods_supported: ["header"],
       resource_signing_alg_values_supported: ["RS256", "none"],
@@ -52,55 +91,273 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
   };
 
   /**
-   * Handle OAuth callback - receives code from external OAuth provider
+   * Build OAuth 2.0 Authorization Server Metadata (RFC8414)
+   * Exposes our endpoints for authorization, token exchange, and registration
+   */
+  const handleAuthorizationServerMetadata = (req: Request): Response => {
+    const url = new URL(req.url);
+    const baseUrl = url.origin;
+
+    return Response.json({
+      issuer: baseUrl,
+      authorization_endpoint: `${baseUrl}/authorize`,
+      token_endpoint: `${baseUrl}/token`,
+      registration_endpoint: `${baseUrl}/register`,
+      scopes_supported: ["*"],
+      response_types_supported: ["code"],
+      response_modes_supported: ["query"],
+      grant_types_supported: ["authorization_code", "refresh_token"],
+      token_endpoint_auth_methods_supported: ["none", "client_secret_post"],
+      code_challenge_methods_supported: ["S256", "plain"],
+    });
+  };
+
+  /**
+   * Handle authorization request - redirects to external OAuth provider
+   * Stateless: encodes all needed info in the state parameter
+   */
+  const handleAuthorize = (req: Request): Response => {
+    const url = new URL(req.url);
+    const redirectUri = url.searchParams.get("redirect_uri");
+    const responseType = url.searchParams.get("response_type");
+    const clientState = url.searchParams.get("state");
+    const codeChallenge = url.searchParams.get("code_challenge");
+    const codeChallengeMethod = url.searchParams.get("code_challenge_method");
+
+    // Validate required params
+    if (!redirectUri) {
+      return Response.json(
+        {
+          error: "invalid_request",
+          error_description: "redirect_uri required",
+        },
+        { status: 400 },
+      );
+    }
+
+    if (responseType !== "code") {
+      return Response.json(
+        {
+          error: "unsupported_response_type",
+          error_description: "Only 'code' is supported",
+        },
+        { status: 400 },
+      );
+    }
+
+    // Encode pending auth state
+    const pendingState: PendingAuthState = {
+      redirectUri,
+      clientState: clientState ?? undefined,
+      codeChallenge: codeChallenge ?? undefined,
+      codeChallengeMethod: codeChallengeMethod ?? undefined,
+    };
+    const encodedState = encodeState(pendingState);
+
+    // Build callback URL pointing to our internal callback
+    const callbackUrl = new URL(`${url.origin}/oauth/callback`);
+    callbackUrl.searchParams.set("state", encodedState);
+
+    // Get the external authorization URL from the config
+    const externalAuthUrl = oauth.authorizationUrl(callbackUrl.toString());
+
+    // Redirect to external OAuth provider
+    return Response.redirect(externalAuthUrl, 302);
+  };
+
+  /**
+   * Handle OAuth callback from external provider
+   * Stateless: decodes state to get redirect info, encodes token in code
    */
   const handleOAuthCallback = async (req: Request): Promise<Response> => {
     const url = new URL(req.url);
     const code = url.searchParams.get("code");
-    const codeVerifier = url.searchParams.get("code_verifier") ?? undefined;
-    const codeChallengeMethod = url.searchParams.get("code_challenge_method") as
-      | "S256"
-      | "plain"
-      | undefined;
+    const encodedState = url.searchParams.get("state");
+    const error = url.searchParams.get("error");
+
+    // Decode state
+    const pending = encodedState
+      ? decodeState<PendingAuthState>(encodedState)
+      : null;
 
-    if (!code) {
+    if (error) {
+      const errorDescription =
+        url.searchParams.get("error_description") ?? "Authorization failed";
+      if (pending?.redirectUri) {
+        const redirectUrl = new URL(pending.redirectUri);
+        redirectUrl.searchParams.set("error", error);
+        redirectUrl.searchParams.set("error_description", errorDescription);
+        if (pending.clientState)
+          redirectUrl.searchParams.set("state", pending.clientState);
+        return Response.redirect(redirectUrl.toString(), 302);
+      }
+      return Response.json(
+        { error, error_description: errorDescription },
+        { status: 400 },
+      );
+    }
+
+    if (!code || !pending) {
       return Response.json(
         {
           error: "invalid_request",
-          error_description: "Missing code parameter",
+          error_description: "Missing code or state",
         },
         { status: 400 },
       );
     }
 
     try {
-      const oauthParams: OAuthParams = {
-        code,
-        code_verifier: codeVerifier,
-        code_challenge_method: codeChallengeMethod,
-      };
+      // Exchange code with external provider
+      const oauthParams: OAuthParams = { code };
       const tokenResponse = await oauth.exchangeCode(oauthParams);
 
-      return Response.json(tokenResponse, {
-        headers: {
-          "Cache-Control": "no-store",
-          Pragma: "no-cache",
+      // Encode the token in our own code (stateless)
+      const codePayload: CodePayload = {
+        accessToken: tokenResponse.access_token,
+        tokenType: tokenResponse.token_type,
+        codeChallenge: pending.codeChallenge,
+        codeChallengeMethod: pending.codeChallengeMethod,
+      };
+      const ourCode = encodeState(codePayload);
+
+      // Redirect back to client with our code
+      const redirectUrl = new URL(pending.redirectUri);
+      redirectUrl.searchParams.set("code", ourCode);
+      if (pending.clientState) {
+        redirectUrl.searchParams.set("state", pending.clientState);
+      }
+
+      return Response.redirect(redirectUrl.toString(), 302);
+    } catch (err) {
+      console.error("OAuth callback error:", err);
+
+      // Redirect back to client with error
+      const redirectUrl = new URL(pending.redirectUri);
+      redirectUrl.searchParams.set("error", "server_error");
+      redirectUrl.searchParams.set(
+        "error_description",
+        "Failed to exchange authorization code",
+      );
+      if (pending.clientState)
+        redirectUrl.searchParams.set("state", pending.clientState);
+
+      return Response.redirect(redirectUrl.toString(), 302);
+    }
+  };
+
+  /**
+   * Handle token exchange - decodes our code to get the actual token
+   * Stateless: token is encoded in the code
+   */
+  const handleToken = async (req: Request): Promise<Response> => {
+    try {
+      const contentType = req.headers.get("content-type") ?? "";
+      let body: Record<string, string>;
+
+      if (contentType.includes("application/x-www-form-urlencoded")) {
+        const formData = await req.formData();
+        body = Object.fromEntries(formData.entries()) as Record<string, string>;
+      } else {
+        body = await req.json();
+      }
+
+      const { code, code_verifier, grant_type } = body;
+
+      if (grant_type !== "authorization_code") {
+        return Response.json(
+          {
+            error: "unsupported_grant_type",
+            error_description: "Only authorization_code supported",
+          },
+          { status: 400 },
+        );
+      }
+
+      if (!code) {
+        return Response.json(
+          { error: "invalid_request", error_description: "code is required" },
+          { status: 400 },
+        );
+      }
+
+      // Decode the code to get the token
+      const payload = decodeState<CodePayload>(code);
+      if (!payload || !payload.accessToken) {
+        return Response.json(
+          {
+            error: "invalid_grant",
+            error_description: "Invalid or expired code",
+          },
+          { status: 400 },
+        );
+      }
+
+      // Verify PKCE if code challenge was provided
+      if (payload.codeChallenge) {
+        if (!code_verifier) {
+          return Response.json(
+            {
+              error: "invalid_grant",
+              error_description: "code_verifier required",
+            },
+            { status: 400 },
+          );
+        }
+
+        // Verify the code verifier
+        let computedChallenge: string;
+        if (payload.codeChallengeMethod === "S256") {
+          const encoder = new TextEncoder();
+          const data = encoder.encode(code_verifier);
+          const hash = await crypto.subtle.digest("SHA-256", data);
+          computedChallenge = btoa(String.fromCharCode(...new Uint8Array(hash)))
+            .replace(/\+/g, "-")
+            .replace(/\//g, "_")
+            .replace(/=+$/, "");
+        } else {
+          computedChallenge = code_verifier;
+        }
+
+        if (computedChallenge !== payload.codeChallenge) {
+          return Response.json(
+            {
+              error: "invalid_grant",
+              error_description: "Invalid code_verifier",
+            },
+            { status: 400 },
+          );
+        }
+      }
+
+      // Return the actual token
+      return Response.json(
+        {
+          access_token: payload.accessToken,
+          token_type: payload.tokenType,
         },
-      });
-    } catch (error) {
-      console.error("OAuth code exchange error:", error);
+        {
+          headers: {
+            "Cache-Control": "no-store",
+            Pragma: "no-cache",
+          },
+        },
+      );
+    } catch (err) {
+      console.error("Token exchange error:", err);
       return Response.json(
         {
-          error: "invalid_grant",
-          error_description: "Failed to exchange authorization code",
+          error: "server_error",
+          error_description: "Failed to process token request",
         },
-        { status: 400 },
+        { status: 500 },
       );
     }
   };
 
   /**
    * Handle dynamic client registration (RFC7591)
+   * Stateless: just generates a client_id and returns it, no storage needed
    */
   const handleClientRegistration = async (req: Request): Promise<Response> => {
     try {
@@ -111,6 +368,7 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
         response_types?: string[];
         token_endpoint_auth_method?: string;
         scope?: string;
+        client_uri?: string;
       };
 
       // Validate redirect URIs
@@ -170,8 +428,8 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
           Pragma: "no-cache",
         },
       });
-    } catch (error) {
-      console.error("Client registration error:", error);
+    } catch (err) {
+      console.error("Client registration error:", err);
       return Response.json(
         {
           error: "invalid_client_metadata",
@@ -221,7 +479,10 @@ export function createOAuthHandlers(oauth: OAuthConfig) {
 
   return {
     handleProtectedResourceMetadata,
+    handleAuthorizationServerMetadata,
+    handleAuthorize,
     handleOAuthCallback,
+    handleToken,
     handleClientRegistration,
     createUnauthorizedResponse,
     hasAuth,

package/src/proxy.ts

@@ -1,157 +1 @@
-/* oxlint-disable no-explicit-any */
-import { convertJsonSchemaToZod } from "zod-from-json-schema";
-import { MCPConnection } from "./connection.ts";
-import { createServerClient } from "./mcp-client.ts";
-import type { CreateStubAPIOptions } from "./mcp.ts";
-
-const safeParse = (content: string) => {
-  try {
-    return JSON.parse(content as string);
-  } catch {
-    return content;
-  }
-};
-
-const toolsMap = new Map<
-  string,
-  Promise<
-    Array<{
-      name: string;
-      inputSchema: any;
-      outputSchema?: any;
-      description: string;
-    }>
-  >
->();
-
-/**
- * The base fetcher used to fetch the MCP from API.
- */
-export function createMCPClientProxy<T extends Record<string, unknown>>(
-  options: CreateStubAPIOptions,
-): T {
-  const connection: MCPConnection = options.connection;
-
-  return new Proxy<T>({} as T, {
-    get(_, name) {
-      if (name === "toJSON") {
-        return null;
-      }
-      if (typeof name !== "string") {
-        throw new Error("Name must be a string");
-      }
-      async function callToolFn(args: unknown) {
-        const debugId = options?.debugId?.();
-        const extraHeaders = debugId
-          ? { "x-trace-debug-id": debugId }
-          : undefined;
-
-        // Create a connection with the tool name in the URL path for better logging
-        // Only modify connections that have a URL property (HTTP, SSE, Websocket)
-        // Use automatic detection based on URL, with optional override
-
-        const { client, callStreamableTool } = await createServerClient(
-          { connection },
-          undefined,
-          extraHeaders,
-        );
-
-        if (options?.streamable?.[String(name)]) {
-          return callStreamableTool(String(name), args);
-        }
-
-        const { structuredContent, isError, content } = await client.callTool(
-          {
-            name: String(name),
-            arguments: args as Record<string, unknown>,
-          },
-          undefined,
-          {
-            timeout: 3000000,
-          },
-        );
-
-        if (isError) {
-          // @ts-expect-error - content is not typed
-          const maybeErrorMessage = content?.[0]?.text;
-          const error =
-            typeof maybeErrorMessage === "string"
-              ? safeParse(maybeErrorMessage)
-              : null;
-
-          const throwableError =
-            error?.code && typeof options?.getErrorByStatusCode === "function"
-              ? options.getErrorByStatusCode(
-                  error.code,
-                  error.message,
-                  error.traceId,
-                )
-              : null;
-
-          if (throwableError) {
-            throw throwableError;
-          }
-
-          throw new Error(
-            `Tool ${String(name)} returned an error: ${JSON.stringify(
-              structuredContent ?? content,
-            )}`,
-          );
-        }
-        return structuredContent;
-      }
-
-      const listToolsFn = async () => {
-        const { client } = await createServerClient({ connection });
-        const { tools } = await client.listTools();
-
-        return tools as {
-          name: string;
-          inputSchema: any;
-          outputSchema?: any;
-          description: string;
-        }[];
-      };
-
-      async function listToolsOnce() {
-        const conn = connection;
-        const key = JSON.stringify(conn);
-
-        try {
-          if (!toolsMap.has(key)) {
-            toolsMap.set(key, listToolsFn());
-          }
-
-          return await toolsMap.get(key)!;
-        } catch (error) {
-          console.error("Failed to list tools", error);
-
-          toolsMap.delete(key);
-          return;
-        }
-      }
-      callToolFn.asTool = async () => {
-        const tools = (await listToolsOnce()) ?? [];
-        const tool = tools.find((t) => t.name === name);
-        if (!tool) {
-          throw new Error(`Tool ${name} not found`);
-        }
-
-        return {
-          ...tool,
-          id: tool.name,
-          inputSchema: tool.inputSchema
-            ? convertJsonSchemaToZod(tool.inputSchema)
-            : undefined,
-          outputSchema: tool.outputSchema
-            ? convertJsonSchemaToZod(tool.outputSchema)
-            : undefined,
-          execute: (input: any) => {
-            return callToolFn(input.context);
-          },
-        };
-      };
-      return callToolFn;
-    },
-  });
-}
+export * from "@decocms/bindings/client";

package/src/http-client-transport.ts

@@ -1 +0,0 @@
-export { HTTPClientTransport } from "@decocms/bindings/client";

package/src/mcp-client.ts

@@ -1,139 +0,0 @@
-import {
-  Client as BaseClient,
-  ClientOptions,
-} from "@modelcontextprotocol/sdk/client/index.js";
-import {
-  SSEClientTransport,
-  SSEClientTransportOptions,
-} from "@modelcontextprotocol/sdk/client/sse.js";
-import { WebSocketClientTransport } from "@modelcontextprotocol/sdk/client/websocket.js";
-import { RequestOptions } from "@modelcontextprotocol/sdk/shared/protocol.js";
-import {
-  Implementation,
-  ListToolsRequest,
-  ListToolsResultSchema,
-} from "@modelcontextprotocol/sdk/types.js";
-import { MCPConnection } from "./connection.ts";
-import { HTTPClientTransport } from "./http-client-transport.ts";
-
-/**
- * WARNNING: This is a hack to prevent schema compilation errors.
- * More info at: https://github.com/modelcontextprotocol/typescript-sdk/issues/923
- *
- * Make sure to keep this updated with the right version of the SDK.
- * https://github.com/modelcontextprotocol/typescript-sdk/blob/bf817939917277a4c59f2e19e7b44b8dd7ff140c/src/client/index.ts#L480
- */
-class Client extends BaseClient {
-  constructor(_clientInfo: Implementation, options?: ClientOptions) {
-    super(_clientInfo, options);
-  }
-
-  override async listTools(
-    params?: ListToolsRequest["params"],
-    options?: RequestOptions,
-  ) {
-    const result = await this.request(
-      { method: "tools/list", params },
-      ListToolsResultSchema,
-      options,
-    );
-
-    return result;
-  }
-}
-
-export interface ServerClient {
-  client: Client;
-  callStreamableTool: (tool: string, args: unknown) => Promise<Response>;
-}
-export const createServerClient = async (
-  mcpServer: { connection: MCPConnection; name?: string },
-  signal?: AbortSignal,
-  extraHeaders?: Record<string, string>,
-): Promise<ServerClient> => {
-  const transport = createTransport(mcpServer.connection, signal, extraHeaders);
-
-  if (!transport) {
-    throw new Error("Unknown MCP connection type");
-  }
-
-  const client = new Client({
-    name: mcpServer?.name ?? "MCP Client",
-    version: "1.0.0",
-  });
-
-  await client.connect(transport);
-
-  return {
-    client,
-    callStreamableTool: (tool, args) => {
-      if (mcpServer.connection.type !== "HTTP") {
-        throw new Error("HTTP connection required");
-      }
-      return fetch(mcpServer.connection.url + `/call-tool/${tool}`, {
-        method: "POST",
-        redirect: "manual",
-        body: JSON.stringify(args),
-        headers: {
-          ...extraHeaders,
-          Authorization: `Bearer ${mcpServer.connection.token}`,
-        },
-      });
-    },
-  };
-};
-
-export const createTransport = (
-  connection: MCPConnection,
-  signal?: AbortSignal,
-  extraHeaders?: Record<string, string>,
-) => {
-  if (connection.type === "Websocket") {
-    return new WebSocketClientTransport(new URL(connection.url));
-  }
-
-  if (connection.type !== "SSE" && connection.type !== "HTTP") {
-    return null;
-  }
-
-  const authHeaders: Record<string, string> = connection.token
-    ? { authorization: `Bearer ${connection.token}` }
-    : {};
-
-  const headers: Record<string, string> = {
-    ...authHeaders,
-    ...(extraHeaders ?? {}),
-    ...("headers" in connection ? connection.headers || {} : {}),
-  };
-
-  if (connection.type === "SSE") {
-    const config: SSEClientTransportOptions = {
-      requestInit: { headers, signal },
-    };
-
-    if (connection.token) {
-      config.eventSourceInit = {
-        fetch: (req, init) => {
-          return fetch(req, {
-            ...init,
-            headers: {
-              ...headers,
-              Accept: "text/event-stream",
-            },
-            signal,
-          });
-        },
-      };
-    }
-
-    return new SSEClientTransport(new URL(connection.url), config);
-  }
-  return new HTTPClientTransport(new URL(connection.url), {
-    requestInit: {
-      headers,
-      signal,
-      // @ts-ignore - this is a valid option for fetch
-      credentials: "include",
-    },
-  });
-};