@directus/api 35.2.0 → 36.0.0-rc.1

package/dist/services/graphql/schema/parse-query.js

@@ -65,6 +65,14 @@ async function getQuery(rawQuery, schema, selections, variableValues, accountabi
 					for (const subSelection of selection.selectionSet.selections) {
 						if (subSelection.kind !== "Field") continue;
 						if (subSelection.name.value.startsWith("__")) continue;
+						if (subSelection.name.value === "json" && subSelection.arguments?.length) {
+							const pathArg = subSelection.arguments.find((a) => a.name.value === "path");
+							if (pathArg) {
+								const pathValue = parseArgs([pathArg], variableValues).path;
+								children.push(`json(${rootField}, ${pathValue})`);
+								continue;
+							}
+						}
 						children.push(`${subSelection.name.value}(${rootField})`);
 					}
 				} else children = await parseFields(selection.selectionSet.selections, currentAlias ?? current, childCollection, selection.kind === "Field" ? selection.name.value : void 0);

package/dist/services/graphql/schema/read.js

@@ -6,6 +6,7 @@ import { GraphQLGeoJSON } from "../types/geojson.js";
 import { GraphQLHash } from "../types/hash.js";
 import { getGraphQLType } from "../../../utils/get-graphql-type.js";
 import { resolveQuery } from "../resolvers/query.js";
+import { GraphQLJsonFilter } from "../types/json-filter.js";
 import { GraphQLStringOrFloat } from "../types/string-or-float.js";
 import { getTypes } from "./get-types.js";
 import { SYSTEM_DENY_LIST } from "./index.js";
@@ -154,6 +155,14 @@ async function getReadableTypes(gql, schemaComposer, schema, inconsistentFields)
 			_nempty: { type: GraphQLBoolean }
 		}
 	});
+	const JsonFilterOperators = schemaComposer.createInputTC({
+		name: "json_filter_operators",
+		fields: {
+			_json: { type: GraphQLJsonFilter },
+			_null: { type: GraphQLBoolean },
+			_nnull: { type: GraphQLBoolean }
+		}
+	});
 	const CountFunctionFilterOperators = schemaComposer.createInputTC({
 		name: "count_function_filter_operators",
 		fields: { count: { type: NumberFilterOperators } }
@@ -213,6 +222,9 @@ async function getReadableTypes(gql, schemaComposer, schema, inconsistentFields)
 					case GraphQLDate:
 						filterOperatorType = DateFilterOperators;
 						break;
+					case GraphQLJSON:
+						filterOperatorType = JsonFilterOperators;
+						break;
 					case GraphQLGeoJSON:
 						filterOperatorType = GeometryFilterOperators;
 						break;

package/dist/services/graphql/types/json-filter.js

@@ -0,0 +1,30 @@
+import { GraphQLScalarType } from "graphql";
+import { GraphQLJSON } from "graphql-compose";
+
+//#region src/services/graphql/types/json-filter.ts
+function validateJsonFilterValue(value) {
+	if (typeof value !== "object" || value === null || Array.isArray(value)) throw new Error("json filter value must be a plain object mapping JSON path keys to filter operators");
+	for (const [key, operatorObj] of Object.entries(value)) if (key.trim().length === 0) throw new Error("json filter: keys must not be empty");
+	else if (key === "_or" || key === "_and") {
+		if (!Array.isArray(operatorObj)) throw new Error(`json filter: "${key}" must be an array of filter objects`);
+	} else if (typeof operatorObj !== "object" || operatorObj === null || Array.isArray(operatorObj)) throw new Error(`json filter: "${key}" must be a filter operator object (e.g. { "_eq": "value" })`);
+	return value;
+}
+/**
+* A scalar representing a JSON filter value: a plain object mapping JSON path keys
+* to filter operator objects (e.g. { "color": { "_eq": "red" }, "size": { "_gt": 5 } }).
+*/
+const GraphQLJsonFilter = new GraphQLScalarType({
+	...GraphQLJSON,
+	name: "GraphQLJsonFilter",
+	description: "A JSON filter value: a plain object mapping JSON path keys to filter operators (e.g. { \"key\": { \"_eq\": \"value\" } })",
+	parseValue(value) {
+		return validateJsonFilterValue(value);
+	},
+	parseLiteral(ast, variables) {
+		return validateJsonFilterValue(GraphQLJSON.parseLiteral(ast, variables));
+	}
+});
+
+//#endregion
+export { GraphQLJsonFilter };

package/dist/services/index.js

@@ -4,22 +4,22 @@ import { ItemsService } from "./items.js";
 import { FilesService } from "./files.js";
 import { FoldersService } from "./folders.js";
 import { AssetsService } from "./assets.js";
-import { RelationsService } from "./relations.js";
-import { FieldsService, systemFieldUpdateSchema } from "./fields.js";
-import { CollectionsService } from "./collections.js";
-import { ActivityService } from "./activity.js";
 import { AccessService } from "./access.js";
+import { ActivityService } from "./activity.js";
 import { MailService } from "./mail/index.js";
+import { RelationsService } from "./relations.js";
+import { FlowsService } from "./flows.js";
+import { RevisionsService } from "./revisions.js";
 import { ExtensionReadError, ExtensionsService } from "./extensions.js";
 import { SettingsService } from "./settings.js";
 import { UsersService } from "./users.js";
 import { NotificationsService } from "./notifications.js";
 import { ExportService, ImportService, createErrorTracker, getHeadingsForCsvExport } from "./import-export.js";
-import { RevisionsService } from "./revisions.js";
 import { TFAService } from "./tfa.js";
 import { AuthenticationService } from "./authentication.js";
 import { CommentsService } from "./comments.js";
 import { DashboardsService } from "./dashboards.js";
+import { FieldsService, systemFieldUpdateSchema } from "./fields.js";
 import { DeploymentProjectsService } from "./deployment-projects.js";
 import { DeploymentRunsService } from "./deployment-runs.js";
 import { DeploymentService } from "./deployment.js";
@@ -39,7 +39,7 @@ import { SharesService } from "./shares.js";
 import { TranslationsService } from "./translations.js";
 import { VersionsService } from "./versions.js";
 import { WebSocketService } from "./websocket.js";
-import { FlowsService } from "./flows.js";
+import { CollectionsService } from "./collections.js";
 
 //#region src/services/index.ts
 var services_exports = /* @__PURE__ */ __export({

package/dist/services/items.js

@@ -13,13 +13,13 @@ import { runAst } from "../database/run-ast/run-ast.js";
 import { processPayload } from "../permissions/modules/process-payload/process-payload.js";
 import { shouldClearCache } from "../utils/should-clear-cache.js";
 import { validateKeys } from "../utils/validate-keys.js";
-import { validateUserCountIntegrity } from "../utils/validate-user-count-integrity.js";
+import { captureSeatCount, validateUserCountIntegrity } from "../utils/validate-user-count-integrity.js";
 import { handleVersion } from "../utils/versioning/handle-version.js";
 import { useEnv } from "@directus/env";
 import { ErrorCode, ForbiddenError, InvalidPayloadError, isDirectusError } from "@directus/errors";
 import { getRelationsForCollection } from "@directus/utils";
 import { assign, clone, cloneDeep, difference, omit, pick, without } from "lodash-es";
-import { Action } from "@directus/constants";
+import { Action, isPublishedVersionKey } from "@directus/constants";
 import { isSystemCollection } from "@directus/system-data";
 
 //#region src/services/items.ts
@@ -86,6 +86,7 @@ var ItemsService = class ItemsService {
 	async createOne(data, opts = {}) {
 		if (!opts.mutationTracker) opts.mutationTracker = this.createMutationTracker();
 		if (!opts.bypassLimits) opts.mutationTracker.trackMutations(1);
+		if (this.collection === "directus_users") opts.userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
 		const primaryKeyField = this.schema.collections[this.collection].primary;
 		const fields = Object.keys(this.schema.collections[this.collection].fields);
 		const aliases = Object.values(this.schema.collections[this.collection].fields).filter((field) => field.alias === true).map((field) => field.field);
@@ -99,6 +100,7 @@ var ItemsService = class ItemsService {
 		* update tree
 		*/
 		const primaryKey = await transaction(this.knex, async (trx) => {
+			const previousSeatCount = await captureSeatCount(trx, opts.userIntegrityCheckFlags);
 			const payloadAfterHooks = opts.emitEvents !== false ? await emitter_default.emitFilter(this.eventScope === "items" ? ["items.create", `${this.collection}.items.create`] : `${this.eventScope}.create`, payload, { collection: this.collection }, {
 				database: trx,
 				schema: this.schema,
@@ -159,7 +161,8 @@ var ItemsService = class ItemsService {
 			if (userIntegrityCheckFlags) if (opts.onRequireUserIntegrityCheck) opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
 			else await validateUserCountIntegrity({
 				flags: userIntegrityCheckFlags,
-				knex: trx
+				knex: trx,
+				previousSeatCount
 			});
 			if (opts.skipTracking !== true && this.accountability && this.schema.collections[this.collection].accountability !== null) {
 				const { ActivityService } = await import("./activity.js");
@@ -232,7 +235,9 @@ var ItemsService = class ItemsService {
 	*/
 	async createMany(data, opts = {}) {
 		if (!opts.mutationTracker) opts.mutationTracker = this.createMutationTracker();
+		if (this.collection === "directus_users") opts.userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
 		const { primaryKeys, nestedActionEvents } = await transaction(this.knex, async (knex) => {
+			const previousSeatCount = await captureSeatCount(knex, opts.userIntegrityCheckFlags);
 			const service = this.fork({ knex });
 			let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None;
 			const primaryKeys$1 = [];
@@ -255,7 +260,8 @@ var ItemsService = class ItemsService {
 			if (userIntegrityCheckFlags) if (opts.onRequireUserIntegrityCheck) opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
 			else await validateUserCountIntegrity({
 				flags: userIntegrityCheckFlags,
-				knex
+				knex,
+				previousSeatCount
 			});
 			return {
 				primaryKeys: primaryKeys$1,
@@ -271,6 +277,7 @@ var ItemsService = class ItemsService {
 	* Get items by query.
 	*/
 	async readByQuery(query, opts) {
+		if (query.version && !isPublishedVersionKey(query.version)) return await handleVersion(this, opts?.key ?? null, query, opts);
 		const updatedQuery = opts?.emitEvents !== false ? await emitter_default.emitFilter(this.eventScope === "items" ? ["items.query", `${this.collection}.items.query`] : `${this.eventScope}.query`, query, { collection: this.collection }, {
 			database: this.knex,
 			schema: this.schema,
@@ -325,9 +332,10 @@ var ItemsService = class ItemsService {
 		const primaryKeyField = this.schema.collections[this.collection].primary;
 		validateKeys(this.schema, this.collection, primaryKeyField, key);
 		const queryWithKey = assign({}, query, { filter: assign({}, query.filter, { [primaryKeyField]: { _eq: key } }) });
-		let results = [];
-		if (query.version && query.version !== "main") results = [await handleVersion(this, key, queryWithKey, opts)];
-		else results = await this.readByQuery(queryWithKey, opts);
+		const results = await this.readByQuery(queryWithKey, {
+			...opts,
+			key
+		});
 		if (results.length === 0) throw new ForbiddenError();
 		return results[0];
 	}
@@ -373,6 +381,7 @@ var ItemsService = class ItemsService {
 		const keys = [];
 		try {
 			await transaction(this.knex, async (knex) => {
+				const previousSeatCount = await captureSeatCount(knex, opts.userIntegrityCheckFlags);
 				const service = this.fork({ knex });
 				let userIntegrityCheckFlags = opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None;
 				for (const index in data) {
@@ -390,7 +399,8 @@ var ItemsService = class ItemsService {
 				if (userIntegrityCheckFlags) if (opts.onRequireUserIntegrityCheck) opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
 				else await validateUserCountIntegrity({
 					flags: userIntegrityCheckFlags,
-					knex
+					knex,
+					previousSeatCount
 				});
 			});
 		} finally {
@@ -404,6 +414,7 @@ var ItemsService = class ItemsService {
 	async updateMany(keys, data, opts = {}) {
 		if (!opts.mutationTracker) opts.mutationTracker = this.createMutationTracker();
 		if (!opts.bypassLimits) opts.mutationTracker.trackMutations(keys.length);
+		if (this.collection === "directus_users" && data["status"] === "active") opts.userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
 		const primaryKeyField = this.schema.collections[this.collection].primary;
 		validateKeys(this.schema, this.collection, primaryKeyField, keys);
 		const fields = Object.keys(this.schema.collections[this.collection].fields);
@@ -441,6 +452,7 @@ var ItemsService = class ItemsService {
 		}) : payloadAfterHooks;
 		if (opts.preMutationError) throw opts.preMutationError;
 		await transaction(this.knex, async (trx) => {
+			const previousSeatCount = await captureSeatCount(trx, opts.userIntegrityCheckFlags);
 			const payloadService = new PayloadService(this.collection, {
 				accountability: this.accountability,
 				knex: trx,
@@ -470,7 +482,8 @@ var ItemsService = class ItemsService {
 			if (userIntegrityCheckFlags) if (opts?.onRequireUserIntegrityCheck) opts.onRequireUserIntegrityCheck(userIntegrityCheckFlags);
 			else await validateUserCountIntegrity({
 				flags: userIntegrityCheckFlags,
-				knex: trx
+				knex: trx,
+				previousSeatCount
 			});
 			if (opts.skipTracking !== true && this.accountability && this.schema.collections[this.collection].accountability !== null) {
 				const { ActivityService } = await import("./activity.js");
@@ -622,11 +635,13 @@ var ItemsService = class ItemsService {
 		});
 		if (opts.preMutationError) throw opts.preMutationError;
 		await transaction(this.knex, async (trx) => {
+			const previousSeatCount = await captureSeatCount(trx, opts.userIntegrityCheckFlags);
 			await trx(this.collection).whereIn(primaryKeyField, keysAfterHooks).delete();
 			if (opts.userIntegrityCheckFlags) if (opts.onRequireUserIntegrityCheck) opts.onRequireUserIntegrityCheck(opts.userIntegrityCheckFlags);
 			else await validateUserCountIntegrity({
 				flags: opts.userIntegrityCheckFlags,
-				knex: trx
+				knex: trx,
+				previousSeatCount
 			});
 			if (opts.skipTracking !== true && this.accountability && this.schema.collections[this.collection].accountability !== null) {
 				const { ActivityService } = await import("./activity.js");
@@ -670,12 +685,15 @@ var ItemsService = class ItemsService {
 	async readSingleton(query, opts) {
 		query = clone(query);
 		query.limit = 1;
-		let record;
-		if (query.version && query.version !== "main") {
+		if (query.version && !isPublishedVersionKey(query.version)) {
 			const primaryKeyField = this.schema.collections[this.collection].primary;
 			const key = (await this.knex.select(primaryKeyField).from(this.collection).first())?.[primaryKeyField];
-			if (key) record = await handleVersion(this, key, query, opts);
-		} else record = (await this.readByQuery(query, opts))[0];
+			opts = {
+				...opts,
+				key
+			};
+		}
+		const record = (await this.readByQuery(query, opts))[0];
 		if (!record) {
 			let fields = Object.entries(this.schema.collections[this.collection].fields);
 			const defaults = {};

package/dist/services/mcp-oauth/cimd.js

@@ -0,0 +1,307 @@
+import { useLogger } from "../../logger/index.js";
+import { getAxios } from "../../request/index.js";
+import { OAuthError } from "./types/error.js";
+import { CimdEgressError, createCimdLookup } from "./utils/cimd-egress.js";
+import { validateRedirectUri } from "./utils/redirect.js";
+import { useEnv } from "@directus/env";
+import { isIP } from "node:net";
+import { performance } from "node:perf_hooks";
+
+//#region src/services/mcp-oauth/cimd.ts
+const MIN_TTL_MS = 3e5;
+const MAX_TTL_MS = 864e5;
+const DEFAULT_TTL_MS = 36e5;
+const MAX_CLIENT_NAME_LENGTH = 200;
+const MAX_URL_LENGTH = 255;
+const DEFAULT_BLOCKED_TLDS = [
+	"test",
+	"localhost",
+	"invalid",
+	"example",
+	"local",
+	"onion"
+];
+/**
+* Forbidden shared-secret auth methods per draft-ietf-oauth-client-id-metadata-document-01 Section 4.1:
+* "the token_endpoint_auth_method property MUST NOT include client_secret_post, client_secret_basic,
+* client_secret_jwt, or any other method based around a shared symmetric secret."
+*/
+const FORBIDDEN_AUTH_METHODS = new Set([
+	"client_secret_basic",
+	"client_secret_post",
+	"client_secret_jwt"
+]);
+/**
+* Detect whether a client_id is a CIMD URL or a DCR-registered ID.
+* Returns 'cimd' for valid CIMD URLs, 'dcr' for anything else that should go to DB lookup,
+* or null if it looks like a CIMD URL but fails validation.
+*/
+function detectClientIdType(clientId) {
+	if (clientId.startsWith("https://") || useEnv()["MCP_OAUTH_CIMD_ALLOW_HTTP"] && clientId.startsWith("http://")) return isValidCimdClientId(clientId) ? "cimd" : null;
+	return "dcr";
+}
+/**
+* Strict CIMD client_id URL validation with debug logging on each rejection.
+*/
+function isValidCimdClientId(input) {
+	const logger = useLogger();
+	const env = useEnv();
+	let url;
+	try {
+		url = new URL(input);
+	} catch {
+		logger.debug({
+			client_id: input,
+			reason: "unparseable URL"
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	const allowHttp = env["MCP_OAUTH_CIMD_ALLOW_HTTP"];
+	if (url.protocol !== "https:" && !(allowHttp && url.protocol === "http:")) {
+		logger.debug({
+			client_id: input,
+			reason: "not HTTPS"
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	if (url.pathname === "/") {
+		logger.debug({
+			client_id: input,
+			reason: "root path"
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	if (url.search) {
+		logger.debug({
+			client_id: input,
+			reason: "query string present"
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	if (url.hash) {
+		logger.debug({
+			client_id: input,
+			reason: "fragment present"
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	if (url.username || url.password) {
+		logger.debug({
+			client_id: input,
+			reason: "credentials in URL"
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	if (/(?:^|\/)\.\.?(?:\/|$)/.test(url.pathname)) {
+		logger.debug({
+			client_id: input,
+			reason: "dot segments in path"
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	const hostname = url.hostname.replace(/\.$/, "").toLowerCase();
+	if (isIP(hostname.replace(/^\[|\]$/g, ""))) {
+		logger.debug({
+			client_id: input,
+			reason: "IP address hostname"
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	const envTlds = env["MCP_OAUTH_CIMD_BLOCKED_TLDS"];
+	const suffixes = (envTlds.length > 0 ? envTlds : DEFAULT_BLOCKED_TLDS).map((t) => `.${t.toLowerCase()}`);
+	for (const suffix of suffixes) if (hostname === suffix.slice(1) || hostname.endsWith(suffix)) {
+		logger.debug({
+			client_id: input,
+			reason: `blocked TLD: ${suffix}`
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	if (input.length > MAX_URL_LENGTH) {
+		logger.debug({
+			client_id: input,
+			reason: "URL too long"
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	if (url.href !== input) {
+		logger.debug({
+			client_id: input,
+			reason: `non-canonical (${url.href})`
+		}, "CIMD client_id rejected");
+		return false;
+	}
+	return true;
+}
+/** Read allowed domains from env, filtering empty strings. */
+function getAllowedDomains() {
+	return useEnv()["MCP_OAUTH_CIMD_ALLOWED_DOMAINS"].filter((s) => s !== "");
+}
+/**
+* Parse Cache-Control and Expires headers per RFC 9111.
+* Returns TTL in milliseconds, clamped to [5min, 24h]. Default: 1h.
+*/
+function resolveCacheTtl(headers) {
+	const cc = headers["cache-control"];
+	if (cc) {
+		const directives = cc.split(",").map((d) => d.trim());
+		for (const directive of directives) {
+			const eqIdx = directive.indexOf("=");
+			const name = (eqIdx === -1 ? directive : directive.slice(0, eqIdx)).toLowerCase();
+			if (name === "no-store" && eqIdx === -1) return 0;
+			if (name === "no-cache" && eqIdx === -1) return 0;
+		}
+		for (const directive of directives) {
+			const eqIdx = directive.indexOf("=");
+			if (eqIdx === -1) continue;
+			if (directive.slice(0, eqIdx).toLowerCase() === "max-age") {
+				const seconds = parseInt(directive.slice(eqIdx + 1), 10);
+				if (!isNaN(seconds)) {
+					const ms = seconds * 1e3;
+					return Math.min(MAX_TTL_MS, Math.max(MIN_TTL_MS, ms));
+				}
+			}
+		}
+	}
+	const expires = headers["expires"];
+	if (expires) {
+		const expiresMs = new Date(expires).getTime();
+		if (!isNaN(expiresMs)) {
+			const delta = expiresMs - Date.now();
+			if (delta <= 0) return 0;
+			return Math.min(MAX_TTL_MS, Math.max(MIN_TTL_MS, delta));
+		}
+	}
+	return DEFAULT_TTL_MS;
+}
+/** Validate a URI is HTTPS. Used for optional metadata fields (client_uri, logo_uri, etc.). */
+function validateOptionalHttpsUri(value, field) {
+	if (typeof value !== "string") throw new OAuthError(400, "invalid_client_metadata", `${field} must be a string`);
+	try {
+		if (new URL(value).protocol !== "https:") throw new OAuthError(400, "invalid_client_metadata", `${field} must use HTTPS`);
+	} catch (err) {
+		if (err instanceof OAuthError) throw err;
+		throw new OAuthError(400, "invalid_client_metadata", `${field} is not a valid URL`);
+	}
+}
+const CONTENT_TYPE_JSON_RE = /^application\/(?:json|[\w.-]+\+json)(?:\s*;|$)/i;
+/**
+* Fetch and validate a CIMD metadata document.
+* When `etag` is provided, sends If-None-Match and accepts 304.
+*/
+async function fetchCimdMetadata(clientId, etag) {
+	const logger = useLogger();
+	const axios = await getAxios();
+	let url;
+	try {
+		url = new URL(clientId);
+	} catch {
+		logger.debug({
+			client_id: clientId,
+			reason: "unparseable URL"
+		}, "CIMD metadata fetch rejected");
+		throw new OAuthError(400, "invalid_client_metadata", "Failed to fetch client metadata document");
+	}
+	if (isIP(url.hostname.replace(/^\[|\]$/g, ""))) {
+		logger.debug({
+			client_id: clientId,
+			reason: "IP address hostname"
+		}, "CIMD metadata fetch rejected");
+		throw new OAuthError(400, "invalid_client_metadata", "Failed to fetch client metadata document");
+	}
+	const headers = {};
+	if (etag) headers["If-None-Match"] = etag;
+	let response;
+	try {
+		const requestConfig = {
+			headers,
+			lookup: createCimdLookup({ deadlineAt: performance.now() + 3e3 }),
+			maxRedirects: 0,
+			maxContentLength: 5120,
+			proxy: false,
+			timeout: 3e3,
+			responseType: "json",
+			validateStatus: (s) => s === 200 || (etag ? s === 304 : false)
+		};
+		response = await axios.get(clientId, requestConfig);
+	} catch (err) {
+		if (err instanceof CimdEgressError) {
+			const reason = err.reason;
+			logger.debug({
+				client_id: clientId,
+				...typeof reason === "string" ? { reason } : {}
+			}, "CIMD metadata fetch rejected");
+			throw new OAuthError(400, "invalid_client_metadata", "Failed to fetch client metadata document");
+		}
+		logger.debug({
+			client_id: clientId,
+			error: err?.message
+		}, "CIMD metadata fetch failed");
+		throw new OAuthError(400, "invalid_client_metadata", "Failed to fetch client metadata document");
+	}
+	if (response.status === 304) {
+		const respHeaders = response.headers;
+		return {
+			notModified: true,
+			ttlMs: !!respHeaders["cache-control"] ? resolveCacheTtl(respHeaders) : null
+		};
+	}
+	const contentType = response.headers["content-type"];
+	if (!contentType || !CONTENT_TYPE_JSON_RE.test(contentType)) throw new OAuthError(400, "invalid_client_metadata", "Client metadata document must be JSON");
+	const doc = response.data;
+	if (!doc || typeof doc !== "object") throw new OAuthError(400, "invalid_client_metadata", "Client metadata document must be a JSON object");
+	if (doc.client_id !== clientId) {
+		logger.debug({
+			client_id: clientId,
+			doc_client_id: doc.client_id
+		}, "CIMD client_id mismatch");
+		throw new OAuthError(400, "invalid_client_metadata", "client_id in document does not match fetch URL");
+	}
+	if (!doc.client_name || typeof doc.client_name !== "string" || doc.client_name.trim().length === 0) throw new OAuthError(400, "invalid_client_metadata", "client_name is required");
+	if (doc.client_name.length > MAX_CLIENT_NAME_LENGTH) throw new OAuthError(400, "invalid_client_metadata", `client_name must not exceed ${MAX_CLIENT_NAME_LENGTH} characters`);
+	if (!Array.isArray(doc.redirect_uris) || doc.redirect_uris.length === 0) throw new OAuthError(400, "invalid_client_metadata", "redirect_uris is required and must be a non-empty array");
+	for (const uri of doc.redirect_uris) try {
+		validateRedirectUri(uri);
+	} catch (err) {
+		if (err instanceof OAuthError) throw err;
+		throw new OAuthError(400, "invalid_redirect_uri", "Invalid redirect URI in metadata document");
+	}
+	if ("client_secret" in doc) throw new OAuthError(400, "invalid_client_metadata", "CIMD documents must not contain client_secret");
+	if ("client_secret_expires_at" in doc) throw new OAuthError(400, "invalid_client_metadata", "CIMD documents must not contain client_secret_expires_at");
+	if (doc.grant_types !== void 0 && !Array.isArray(doc.grant_types)) throw new OAuthError(400, "invalid_client_metadata", "grant_types must be an array");
+	const grantTypes = doc.grant_types ?? ["authorization_code"];
+	if (!grantTypes.includes("authorization_code")) throw new OAuthError(400, "invalid_client_metadata", "grant_types must include authorization_code");
+	if (doc.response_types !== void 0) {
+		if (!Array.isArray(doc.response_types) || doc.response_types.length !== 1 || doc.response_types[0] !== "code") throw new OAuthError(400, "invalid_client_metadata", "response_types must be [\"code\"] if present");
+	}
+	if (doc.token_endpoint_auth_method !== void 0 && typeof doc.token_endpoint_auth_method !== "string") throw new OAuthError(400, "invalid_client_metadata", "token_endpoint_auth_method must be a string");
+	const authMethod = doc.token_endpoint_auth_method ?? "none";
+	if (FORBIDDEN_AUTH_METHODS.has(authMethod)) throw new OAuthError(400, "invalid_client_metadata", "Shared-secret authentication methods are forbidden for CIMD");
+	if (authMethod !== "none") throw new OAuthError(400, "invalid_client_metadata", `Unsupported token_endpoint_auth_method: ${authMethod}`);
+	for (const field of [
+		"client_uri",
+		"logo_uri",
+		"tos_uri",
+		"policy_uri"
+	]) if (doc[field] !== void 0) validateOptionalHttpsUri(doc[field], field);
+	const responseHeaders = response.headers;
+	return {
+		notModified: false,
+		metadata: {
+			client_id: doc.client_id,
+			client_name: doc.client_name,
+			redirect_uris: doc.redirect_uris,
+			grant_types: grantTypes,
+			response_types: doc.response_types,
+			token_endpoint_auth_method: authMethod,
+			...doc.client_uri && { client_uri: doc.client_uri },
+			...doc.logo_uri && { logo_uri: doc.logo_uri },
+			...doc.tos_uri && { tos_uri: doc.tos_uri },
+			...doc.policy_uri && { policy_uri: doc.policy_uri }
+		},
+		etag: responseHeaders["etag"] ?? null,
+		ttlMs: resolveCacheTtl(responseHeaders)
+	};
+}
+
+//#endregion
+export { detectClientIdType, fetchCimdMetadata, getAllowedDomains, isValidCimdClientId, resolveCacheTtl };