@lovable.dev/mcp-js 0.5.0

package/dist/stacks/tanstack/index.cjs

@@ -0,0 +1,743 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/stacks/tanstack/index.ts
+var tanstack_exports = {};
+__export(tanstack_exports, {
+  createTanStackInvokeToolHandler: () => createTanStackInvokeToolHandler,
+  createTanStackListToolsHandler: () => createTanStackListToolsHandler,
+  createTanStackMcpHandler: () => createTanStackMcpHandler,
+  createTanStackOAuthProtectedResourceMetadataHandler: () => createTanStackOAuthProtectedResourceMetadataHandler
+});
+module.exports = __toCommonJS(tanstack_exports);
+
+// src/protocols/mcp/protocol.ts
+var import_mcp = require("@modelcontextprotocol/sdk/server/mcp.js");
+var import_webStandardStreamableHttp = require("@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js");
+
+// src/core/http.ts
+var JSON_HEADERS = { "Content-Type": "application/json" };
+function headResponse(response) {
+  return new Response(null, { status: response.status, statusText: response.statusText, headers: response.headers });
+}
+function methodNotAllowed(allow) {
+  return new Response(JSON.stringify({ error: "method not allowed" }), {
+    status: 405,
+    headers: { ...JSON_HEADERS, Allow: allow }
+  });
+}
+
+// src/core/promise.ts
+function cachedPromise(load) {
+  let settled = false;
+  let value;
+  return async () => {
+    if (settled)
+      return value;
+    const loaded = await load();
+    settled = true;
+    value = loaded;
+    return loaded;
+  };
+}
+
+// src/core/url.ts
+function trimTrailingSlash(value) {
+  return value.replace(/\/+$/, "");
+}
+function isLocalHTTPHost(hostname) {
+  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
+}
+function urlSafetyProblem(url) {
+  const isAllowedHTTP = url.protocol === "http:" && isLocalHTTPHost(url.hostname);
+  if (url.protocol !== "https:" && !isAllowedHTTP) {
+    return "must use https://, except localhost development URLs";
+  }
+  if (url.username || url.password) {
+    return "must not include credentials";
+  }
+  if (url.search || url.hash) {
+    return "must not include query or fragment";
+  }
+  return void 0;
+}
+
+// src/core/validation.ts
+function parseSafeUrl(subject, raw, ErrorClass = Error) {
+  let url;
+  try {
+    url = new URL(raw);
+  } catch {
+    throw new ErrorClass(`${subject} must be an absolute URL`);
+  }
+  const problem = urlSafetyProblem(url);
+  if (problem) {
+    throw new ErrorClass(`${subject} ${problem}`);
+  }
+  return url;
+}
+
+// src/auth/discovery.ts
+var OAuthConfigurationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "OAuthConfigurationError";
+  }
+};
+var METADATA_FETCH_TIMEOUT_MS = 5e3;
+function issuerPath(url) {
+  const path = trimTrailingSlash(url.pathname);
+  return path === "" ? void 0 : path;
+}
+function pathInsertedOAuthMetadataUrls(url, path) {
+  return [
+    `${url.origin}/.well-known/oauth-authorization-server${path}`,
+    `${url.origin}/.well-known/openid-configuration${path}`
+  ];
+}
+function oauthMetadataUrlsForIssuer(issuer) {
+  const normalizedIssuer = trimTrailingSlash(issuer);
+  const url = new URL(normalizedIssuer);
+  const path = issuerPath(url);
+  if (!path) {
+    return [
+      `${normalizedIssuer}/.well-known/oauth-authorization-server`,
+      `${normalizedIssuer}/.well-known/openid-configuration`
+    ];
+  }
+  return [...pathInsertedOAuthMetadataUrls(url, path), `${normalizedIssuer}/.well-known/openid-configuration`];
+}
+async function fetchFirstValidOAuthServerMetadata(metadataUrls, expectedIssuer) {
+  const errors = [];
+  for (const url of metadataUrls) {
+    try {
+      return await fetchOAuthServerMetadata(url, expectedIssuer);
+    } catch (err) {
+      errors.push(`${url}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  throw new Error(`failed to discover OAuth server metadata (${errors.join("; ")})`);
+}
+async function fetchOAuthServerMetadata(url, expectedIssuer) {
+  const response = await fetch(url, { signal: AbortSignal.timeout(METADATA_FETCH_TIMEOUT_MS), redirect: "error" });
+  if (!response.ok) {
+    throw new Error(String(response.status));
+  }
+  const json = await response.json();
+  if (typeof json.issuer !== "string") {
+    throw new Error("missing issuer");
+  }
+  parseSafeUrl("discovered issuer", json.issuer);
+  if (trimTrailingSlash(json.issuer) !== expectedIssuer) {
+    throw new Error("issuer mismatch");
+  }
+  if (typeof json.jwks_uri !== "string") {
+    throw new Error("missing jwks_uri");
+  }
+  parseSafeUrl("discovered jwks_uri", json.jwks_uri);
+  return { issuer: json.issuer, jwks_uri: json.jwks_uri };
+}
+async function fetchIssuerOAuthServerMetadata(issuer) {
+  try {
+    return await fetchFirstValidOAuthServerMetadata(oauthMetadataUrlsForIssuer(issuer), issuer);
+  } catch (err) {
+    throw new OAuthConfigurationError(
+      `OAuth issuer discovery failed: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function createOAuthDiscoveryResolver(auth) {
+  const configuredIssuer = trimTrailingSlash(auth.issuer);
+  const oauthServerMetadata = cachedPromise(() => fetchIssuerOAuthServerMetadata(configuredIssuer));
+  return {
+    resolveIssuer: async () => configuredIssuer,
+    resolveJwksUri: async () => auth.jwksUri ?? (await oauthServerMetadata()).jwks_uri
+  };
+}
+
+// src/auth/metadata-path.ts
+var OAUTH_PROTECTED_RESOURCE_METADATA_PATH = "/.well-known/oauth-protected-resource";
+
+// src/auth/resource.ts
+function resolveProtectedResource(auth, request, options) {
+  if (auth.resource)
+    return trimTrailingSlash(auth.resource);
+  const path = resolveResourcePath(options.resourcePath, request);
+  const resourceURL = new URL(path, request.url);
+  resourceURL.search = "";
+  resourceURL.hash = "";
+  return trimTrailingSlash(resourceURL.toString());
+}
+function assertResourcePathShape(resourcePath) {
+  if (!resourcePath.startsWith("/") || resourcePath.startsWith("//") || resourcePath.includes("\\") || /(^|\/)\.\.(\/|$)/.test(resourcePath)) {
+    throw new Error(
+      `@lovable.dev/mcp-js: resourcePath must be an absolute path beginning with "/" without ".." segments or backslashes (got ${JSON.stringify(resourcePath)})`
+    );
+  }
+}
+function resolveResourcePath(resourcePath, request) {
+  if (resourcePath === void 0)
+    return new URL(request.url).pathname;
+  assertResourcePathShape(resourcePath);
+  return resourcePath;
+}
+
+// src/auth/verifier.ts
+var import_jose = require("jose");
+
+// src/auth/claims.ts
+function readString(value) {
+  return typeof value === "string" ? value : void 0;
+}
+function splitScopes(value) {
+  if (typeof value === "string")
+    return value.split(/\s+/).filter(Boolean);
+  if (Array.isArray(value))
+    return value.filter((entry) => typeof entry === "string" && entry.length > 0);
+  return [];
+}
+function stringClaim(claims, name) {
+  return readString(claims[name]);
+}
+
+// src/auth/verifier.ts
+var DEFAULT_JWT_ALGORITHMS = ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "EdDSA"];
+var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+var OAuthTokenError = class extends Error {
+  constructor(status, oauthError, message) {
+    super(message);
+    this.status = status;
+    this.oauthError = oauthError;
+    this.name = "OAuthTokenError";
+  }
+};
+function resolveAcceptedAudiences(auth, resource) {
+  return auth.acceptedAudiences ?? [resource];
+}
+function isJwksFetchFailure(err) {
+  if (err instanceof import_jose.errors.JWKSTimeout || err instanceof import_jose.errors.JWKSInvalid)
+    return true;
+  if (!(err instanceof import_jose.errors.JOSEError))
+    return err instanceof Error;
+  return err.code === "ERR_JOSE_GENERIC";
+}
+async function verifyJwtClaims(token, keySet, issuer, audience, auth) {
+  try {
+    const { payload } = await (0, import_jose.jwtVerify)(token, keySet, {
+      // `issuer` is trimmed of any trailing slash; accept both forms so a token whose
+      // `iss` carries the slash the AS publishes still verifies.
+      issuer: [issuer, `${issuer}/`],
+      audience: [...audience],
+      algorithms: auth.algorithms ? [...auth.algorithms] : DEFAULT_JWT_ALGORITHMS,
+      requiredClaims: ["sub", "exp"],
+      clockTolerance: auth.clockToleranceSeconds ?? DEFAULT_CLOCK_TOLERANCE_SECONDS
+    });
+    return payload;
+  } catch (err) {
+    if (isJwksFetchFailure(err)) {
+      throw new OAuthConfigurationError(`JWKS fetch failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    throw err;
+  }
+}
+function assertNonEmptySubject(claims) {
+  const sub = claims["sub"];
+  if (typeof sub !== "string" || sub.trim() === "") {
+    throw new OAuthTokenError(401, "invalid_token", "token subject claim must be a non-empty string");
+  }
+}
+function assertOAuthClientClaim(auth, clientId) {
+  if (auth.requireOAuthClientClaim !== false && !clientId) {
+    throw new OAuthTokenError(401, "invalid_token", "OAuth client claim is required");
+  }
+}
+function makeBearer(token) {
+  return Object.defineProperty({}, "token", { value: token, enumerable: false });
+}
+function buildMcpAuthContext(args) {
+  const { claims } = args;
+  return {
+    type: "oauth",
+    principal: {
+      claims,
+      issuer: args.issuer,
+      resource: args.resource,
+      acceptedAudiences: args.acceptedAudiences,
+      scopes: splitScopes(claims.scope),
+      sub: stringClaim(claims, "sub"),
+      email: stringClaim(claims, "email"),
+      clientId: stringClaim(claims, "client_id") ?? stringClaim(claims, "azp")
+    },
+    bearer: makeBearer(args.token)
+  };
+}
+function createOAuthTokenVerifier(auth, discovery) {
+  const loadRemoteJwksKeySet = cachedPromise(
+    () => discovery.resolveJwksUri().then((jwksURI) => (0, import_jose.createRemoteJWKSet)(new URL(jwksURI)))
+  );
+  return async (token, request, options) => {
+    const resource = resolveProtectedResource(auth, request, options);
+    const issuer = await discovery.resolveIssuer();
+    const acceptedAudiences = resolveAcceptedAudiences(auth, resource);
+    const claims = await verifyJwtClaims(token, await loadRemoteJwksKeySet(), issuer, acceptedAudiences, auth);
+    assertNonEmptySubject(claims);
+    const context = buildMcpAuthContext({ token, claims, issuer, resource, acceptedAudiences });
+    assertOAuthClientClaim(auth, context.principal.clientId);
+    return context;
+  };
+}
+
+// src/auth/authorize.ts
+function quoteAuthenticateParam(value) {
+  const sanitized = value.replace(/[\u0000-\u001F\u007F]/g, "");
+  return `"${sanitized.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}
+function resolveProtectedResourceMetadataUrl(auth, request) {
+  if (auth.protectedResourceMetadataUrl !== void 0)
+    return auth.protectedResourceMetadataUrl;
+  const base = auth.resource ?? request.url;
+  return new URL(OAUTH_PROTECTED_RESOURCE_METADATA_PATH, base).toString();
+}
+function wwwAuthenticateHeader(auth, request, params = {}) {
+  const values = [
+    `realm=${quoteAuthenticateParam("mcp")}`,
+    `resource_metadata=${quoteAuthenticateParam(resolveProtectedResourceMetadataUrl(auth, request))}`
+  ];
+  if (auth.requiredScopes && auth.requiredScopes.length > 0) {
+    values.push(`scope=${quoteAuthenticateParam(auth.requiredScopes.join(" "))}`);
+  }
+  if (params.error)
+    values.push(`error=${quoteAuthenticateParam(params.error)}`);
+  if (params.errorDescription)
+    values.push(`error_description=${quoteAuthenticateParam(params.errorDescription)}`);
+  return `Bearer ${values.join(", ")}`;
+}
+function challengeResponse(auth, request, status, oauthError, errorDescription) {
+  const headers = new Headers(JSON_HEADERS);
+  headers.set("WWW-Authenticate", wwwAuthenticateHeader(auth, request, { error: oauthError, errorDescription }));
+  headers.set("Cache-Control", "no-store");
+  return new Response(JSON.stringify({ error: status === 403 ? "forbidden" : "unauthorized" }), {
+    status,
+    headers
+  });
+}
+function oauthConfigurationErrorResponse() {
+  return new Response(JSON.stringify({ error: "oauth configuration error" }), {
+    status: 500,
+    headers: { ...JSON_HEADERS, "Cache-Control": "no-store" }
+  });
+}
+function parseBearerToken(request) {
+  const header = request.headers.get("Authorization");
+  if (!header)
+    return void 0;
+  const match = /^Bearer\s+(.+)$/i.exec(header.trim());
+  if (!match)
+    return void 0;
+  const token = match[1].trim();
+  if (token === "" || /\s/.test(token))
+    return void 0;
+  return token;
+}
+function getOAuthRuntime(mcp, options = {}) {
+  if (options.resourcePath !== void 0)
+    assertResourcePathShape(options.resourcePath);
+  const stableOptions = { resourcePath: options.resourcePath };
+  const auth = mcp.auth?.type === "oauth" ? mcp.auth : void 0;
+  if (!auth)
+    return { kind: "unconfigured", options: stableOptions };
+  const discovery = createOAuthDiscoveryResolver(auth);
+  return {
+    kind: "configured",
+    auth,
+    discovery,
+    verify: createOAuthTokenVerifier(auth, discovery),
+    options: stableOptions
+  };
+}
+function assertRestResourceBinding(mcp, options = {}) {
+  const auth = mcp.auth?.type === "oauth" ? mcp.auth : void 0;
+  if (auth && auth.resource === void 0 && options.resourcePath === void 0) {
+    throw new Error(
+      `@lovable.dev/mcp-js: REST companion handlers require auth.resource or a resourcePath so principal.resource binds to the public MCP route, not the internal /.mcp/* request path`
+    );
+  }
+}
+function missingRequiredScopes(auth, scopes) {
+  const requiredScopes = auth.requiredScopes ?? [];
+  if (requiredScopes.length === 0)
+    return [];
+  const granted = new Set(scopes);
+  return requiredScopes.filter((scope) => !granted.has(scope));
+}
+function assertRequiredScopes(auth, context) {
+  if (missingRequiredScopes(auth, context.principal.scopes).length > 0) {
+    throw new OAuthTokenError(403, "insufficient_scope", "Additional OAuth scope is required");
+  }
+}
+function createRequestAuthorizer(mcp, options = {}) {
+  const runtime = getOAuthRuntime(mcp, options);
+  return {
+    async authorize(request) {
+      if (runtime.kind === "unconfigured")
+        return { ok: true };
+      const token = parseBearerToken(request);
+      if (!token)
+        return { ok: false, response: challengeResponse(runtime.auth, request, 401) };
+      try {
+        const auth = await runtime.verify(token, request, runtime.options);
+        assertRequiredScopes(runtime.auth, auth);
+        return { ok: true, auth };
+      } catch (err) {
+        if (err instanceof OAuthConfigurationError) {
+          return { ok: false, response: oauthConfigurationErrorResponse() };
+        }
+        if (err instanceof OAuthTokenError) {
+          return {
+            ok: false,
+            response: challengeResponse(runtime.auth, request, err.status, err.oauthError, err.message)
+          };
+        }
+        return {
+          ok: false,
+          response: challengeResponse(runtime.auth, request, 401, "invalid_token", "Invalid access token")
+        };
+      }
+    }
+  };
+}
+
+// src/auth/context.ts
+var ToolContext = class {
+  #auth;
+  constructor(auth) {
+    this.#auth = auth;
+  }
+  /** Whether the in-flight tool call carries a verified auth context. */
+  isAuthenticated() {
+    return this.#auth !== void 0;
+  }
+  /** The verified bearer token, or `undefined` when unauthenticated. Pass it to downstream APIs; never return or log it. */
+  getToken() {
+    return this.#auth?.bearer.token;
+  }
+  /** The verified user id (the token `sub`), or `undefined`. */
+  getUserId() {
+    return this.#auth?.principal.sub;
+  }
+  /** The verified user email, or `undefined` when absent. */
+  getUserEmail() {
+    return this.#auth?.principal.email;
+  }
+  /** The verified OAuth `client_id`, or `undefined`. */
+  getClientId() {
+    return this.#auth?.principal.clientId;
+  }
+  /** The verified OAuth scopes, or `undefined` when unauthenticated. */
+  getScopes() {
+    return this.#auth?.principal.scopes;
+  }
+  /** The verified token issuer, or `undefined`. */
+  getIssuer() {
+    return this.#auth?.principal.issuer;
+  }
+  /**
+   * The full verified JWT claims, or `undefined`. Use this for app/business
+   * authorization on issuer-specific claims that have no dedicated accessor.
+   */
+  getClaims() {
+    return this.#auth?.principal.claims;
+  }
+};
+
+// src/protocols/mcp/protocol.ts
+function adaptToolToSdkCallback(tool, auth) {
+  return async (first) => {
+    const args = tool.inputSchema ? first ?? {} : {};
+    let result;
+    try {
+      result = await tool.handler(args, new ToolContext(auth));
+    } catch {
+      return { content: [{ type: "text", text: "tool execution failed" }], isError: true };
+    }
+    if (result == null) {
+      return { content: [{ type: "text", text: `tool "${tool.name}" returned no result` }], isError: true };
+    }
+    return { content: result.content ?? [], structuredContent: result.structuredContent, isError: result.isError };
+  };
+}
+function createMcpProtocolHandler(mcp, options = {}) {
+  const authorizer = createRequestAuthorizer(mcp, options);
+  return async (request) => {
+    const authResult = await authorizer.authorize(request);
+    if (!authResult.ok)
+      return authResult.response;
+    try {
+      const server = new import_mcp.McpServer(
+        { name: mcp.name, version: mcp.version, title: mcp.title },
+        { instructions: mcp.instructions }
+      );
+      for (const tool of mcp.tools) {
+        server.registerTool(
+          tool.name,
+          {
+            title: tool.title,
+            description: tool.description,
+            inputSchema: tool.inputSchema,
+            outputSchema: tool.outputSchema,
+            annotations: tool.annotations
+          },
+          adaptToolToSdkCallback(tool, authResult.auth)
+        );
+      }
+      const transport = new import_webStandardStreamableHttp.WebStandardStreamableHTTPServerTransport({
+        sessionIdGenerator: void 0
+      });
+      await server.connect(transport);
+      return await transport.handleRequest(request);
+    } catch {
+      return Response.json(
+        { jsonrpc: "2.0", id: null, error: { code: -32603, message: "internal error" } },
+        { status: 500 }
+      );
+    }
+  };
+}
+
+// src/protocols/oauth-metadata.ts
+var CORS_ORIGIN = { "Access-Control-Allow-Origin": "*" };
+function withCors(response) {
+  response.headers.set("Access-Control-Allow-Origin", "*");
+  return response;
+}
+function notFound() {
+  return new Response(JSON.stringify({ error: "not found" }), {
+    status: 404,
+    // `no-store` so a 404 (OAuth unconfigured) isn't heuristically cached and
+    // then served past a later deploy that enables OAuth and starts returning 200.
+    headers: { ...JSON_HEADERS, ...CORS_ORIGIN, "Cache-Control": "no-store" }
+  });
+}
+async function buildProtectedResourceMetadata(mcp, auth, request, options, discovery) {
+  const issuer = await discovery.resolveIssuer();
+  const body = {
+    resource: resolveProtectedResource(auth, request, options),
+    authorization_servers: [issuer],
+    bearer_methods_supported: ["header"],
+    resource_name: auth.resourceName ?? mcp.title,
+    resource_documentation: auth.resourceDocumentation
+  };
+  if (auth.requiredScopes && auth.requiredScopes.length > 0)
+    body.scopes_supported = auth.requiredScopes;
+  return body;
+}
+function createOAuthProtectedResourceMetadataHandler(mcp, options = {}) {
+  const runtime = getOAuthRuntime(mcp, options);
+  if (runtime.kind === "configured" && runtime.auth.protectedResourceMetadataUrl === void 0 && runtime.auth.resource === void 0 && runtime.options.resourcePath === void 0) {
+    throw new Error(
+      `@lovable.dev/mcp-js: auth.resource or a resourcePath is required so the protected-resource metadata doesn't advertise the well-known URL as the resource`
+    );
+  }
+  return async (request) => {
+    if (runtime.kind !== "configured" || runtime.auth.protectedResourceMetadataUrl !== void 0)
+      return notFound();
+    if (request.method === "OPTIONS") {
+      return new Response(null, {
+        status: 204,
+        headers: { ...CORS_ORIGIN, "Access-Control-Allow-Methods": "GET, HEAD, OPTIONS" }
+      });
+    }
+    if (request.method !== "GET" && request.method !== "HEAD")
+      return withCors(methodNotAllowed("GET, HEAD, OPTIONS"));
+    const headers = {
+      ...JSON_HEADERS,
+      ...CORS_ORIGIN,
+      "Cache-Control": "public, max-age=300",
+      Vary: "Host"
+    };
+    try {
+      const metadata = await buildProtectedResourceMetadata(
+        mcp,
+        runtime.auth,
+        request,
+        runtime.options,
+        runtime.discovery
+      );
+      const response = Response.json(metadata, { headers });
+      return request.method === "HEAD" ? headResponse(response) : response;
+    } catch {
+      const response = withCors(oauthConfigurationErrorResponse());
+      return request.method === "HEAD" ? headResponse(response) : response;
+    }
+  };
+}
+
+// src/protocols/rest/list-tools.ts
+var import_zod_compat = require("@modelcontextprotocol/sdk/server/zod-compat.js");
+var import_zod_json_schema_compat = require("@modelcontextprotocol/sdk/server/zod-json-schema-compat.js");
+function shapeToJsonSchema(shape) {
+  if (!shape)
+    return null;
+  try {
+    return (0, import_zod_json_schema_compat.toJsonSchemaCompat)((0, import_zod_compat.objectFromShape)(shape));
+  } catch {
+    return null;
+  }
+}
+function createListToolsHandler(mcp, options = {}) {
+  assertRestResourceBinding(mcp, options);
+  const authorizer = createRequestAuthorizer(mcp, options);
+  return async (request) => {
+    const authResult = await authorizer.authorize(request);
+    if (!authResult.ok)
+      return authResult.response;
+    if (request.method !== "GET" && request.method !== "HEAD")
+      return methodNotAllowed("GET, HEAD");
+    const body = {
+      server: { name: mcp.name, version: mcp.version, title: mcp.title },
+      tools: mcp.tools.map((tool) => ({
+        name: tool.name,
+        title: tool.title,
+        description: tool.description,
+        annotations: tool.annotations,
+        inputSchema: shapeToJsonSchema(tool.inputSchema),
+        outputSchema: shapeToJsonSchema(tool.outputSchema)
+      }))
+    };
+    const response = Response.json(body);
+    return request.method === "HEAD" ? headResponse(response) : response;
+  };
+}
+
+// src/protocols/rest/invoke-tool.ts
+var import_zod_compat2 = require("@modelcontextprotocol/sdk/server/zod-compat.js");
+var MAX_REFLECTED_TOOL_NAME = 256;
+function safeReflectName(name) {
+  const text = String(name);
+  return text.length > MAX_REFLECTED_TOOL_NAME ? `${text.slice(0, MAX_REFLECTED_TOOL_NAME)}\u2026` : text;
+}
+function isEmptyArgs(value) {
+  if (value == null)
+    return true;
+  if (typeof value !== "object" || Array.isArray(value))
+    return false;
+  return Object.keys(value).length === 0;
+}
+function createInvokeToolHandler(mcp, options = {}) {
+  assertRestResourceBinding(mcp, options);
+  const authorizer = createRequestAuthorizer(mcp, options);
+  return async (request, toolName) => {
+    const authResult = await authorizer.authorize(request);
+    if (!authResult.ok)
+      return authResult.response;
+    if (request.method !== "POST")
+      return methodNotAllowed("POST");
+    const tool = mcp.tools.find((t) => t.name === toolName);
+    if (!tool) {
+      return new Response(JSON.stringify({ error: `unknown tool: ${safeReflectName(toolName)}` }), {
+        status: 404,
+        headers: JSON_HEADERS
+      });
+    }
+    let rawArgs = {};
+    const text = await request.text();
+    if (text) {
+      try {
+        rawArgs = JSON.parse(text);
+      } catch {
+        return new Response(JSON.stringify({ error: "invalid JSON body" }), {
+          status: 400,
+          headers: JSON_HEADERS
+        });
+      }
+    }
+    let args = rawArgs;
+    if (tool.inputSchema) {
+      try {
+        const schema = (0, import_zod_compat2.objectFromShape)(tool.inputSchema);
+        const parsed = await (0, import_zod_compat2.safeParseAsync)(schema, rawArgs);
+        if (!parsed.success) {
+          return new Response(
+            JSON.stringify({
+              error: "validation failed",
+              details: (0, import_zod_compat2.getParseErrorMessage)(parsed.error)
+            }),
+            { status: 400, headers: JSON_HEADERS }
+          );
+        }
+        args = parsed.data;
+      } catch {
+        return new Response(JSON.stringify({ error: "schema error", tool: toolName }), {
+          status: 500,
+          headers: JSON_HEADERS
+        });
+      }
+    } else if (!isEmptyArgs(rawArgs)) {
+      return new Response(JSON.stringify({ error: "tool has no inputSchema; expected empty body" }), {
+        status: 400,
+        headers: JSON_HEADERS
+      });
+    }
+    let result;
+    try {
+      result = await tool.handler(args, new ToolContext(authResult.auth));
+    } catch {
+      return new Response(JSON.stringify({ error: "handler threw", tool: toolName }), {
+        status: 500,
+        headers: JSON_HEADERS
+      });
+    }
+    if (result == null) {
+      return new Response(JSON.stringify({ error: `tool "${toolName}" returned no result` }), {
+        status: 500,
+        headers: JSON_HEADERS
+      });
+    }
+    return Response.json({
+      content: result.content ?? [],
+      structuredContent: result.structuredContent,
+      isError: result.isError
+    });
+  };
+}
+
+// src/stacks/tanstack/handlers.ts
+function createTanStackMcpHandler(mcp, options = {}) {
+  const handler = createMcpProtocolHandler(mcp, options);
+  return ({ request }) => handler(request);
+}
+function createTanStackListToolsHandler(mcp, options = {}) {
+  const handler = createListToolsHandler(mcp, options);
+  return ({ request }) => handler(request);
+}
+function createTanStackInvokeToolHandler(mcp, options = {}) {
+  const handler = createInvokeToolHandler(mcp, options);
+  return ({ request, params }) => handler(request, params.tool);
+}
+function createTanStackOAuthProtectedResourceMetadataHandler(mcp, options = {}) {
+  const handler = createOAuthProtectedResourceMetadataHandler(mcp, options);
+  return ({ request }) => handler(request);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createTanStackInvokeToolHandler,
+  createTanStackListToolsHandler,
+  createTanStackMcpHandler,
+  createTanStackOAuthProtectedResourceMetadataHandler
+});