@phake/mcp 0.0.1

package/dist/index-sbqy8kgq.js

@@ -0,0 +1,3478 @@
+// @bun
+import {
+  MAX_SESSIONS_PER_API_KEY,
+  MemorySessionStore,
+  MemoryTokenStore,
+  base64UrlDecodeJson,
+  base64UrlEncode,
+  base64UrlEncodeJson,
+  buildCapabilities,
+  createEncryptor,
+  executeSharedTool,
+  exports_external,
+  sharedLogger,
+  sharedTools,
+  zodToJsonSchema
+} from "./index-4f4xvtt9.js";
+
+// src/shared/http/cors.ts
+var DEFAULT_CORS = {
+  origin: "*",
+  methods: ["GET", "POST", "DELETE", "OPTIONS"],
+  headers: ["*"],
+  credentials: false,
+  maxAge: 86400
+};
+function withCors(response, options = {}) {
+  const opts = { ...DEFAULT_CORS, ...options };
+  response.headers.set("Access-Control-Allow-Origin", opts.origin ?? "*");
+  response.headers.set("Access-Control-Allow-Methods", (opts.methods ?? []).join(", "));
+  response.headers.set("Access-Control-Allow-Headers", (opts.headers ?? []).join(", "));
+  if (opts.credentials) {
+    response.headers.set("Access-Control-Allow-Credentials", "true");
+  }
+  if (opts.maxAge) {
+    response.headers.set("Access-Control-Max-Age", String(opts.maxAge));
+  }
+  return response;
+}
+function corsPreflightResponse(options = {}) {
+  return withCors(new Response(null, { status: 204 }), options);
+}
+function buildCorsHeaders(options = {}) {
+  const opts = { ...DEFAULT_CORS, ...options };
+  const headers = {
+    "Access-Control-Allow-Origin": opts.origin ?? "*",
+    "Access-Control-Allow-Methods": (opts.methods ?? []).join(", "),
+    "Access-Control-Allow-Headers": (opts.headers ?? []).join(", ")
+  };
+  if (opts.credentials) {
+    headers["Access-Control-Allow-Credentials"] = "true";
+  }
+  if (opts.maxAge) {
+    headers["Access-Control-Max-Age"] = String(opts.maxAge);
+  }
+  return headers;
+}
+
+// src/shared/storage/kv.ts
+function ttl(seconds) {
+  return Math.floor(Date.now() / 1000) + seconds;
+}
+function toJson(value) {
+  return JSON.stringify(value);
+}
+function fromJson(value) {
+  if (!value) {
+    return null;
+  }
+  try {
+    return JSON.parse(value);
+  } catch {
+    return null;
+  }
+}
+
+class KvTokenStore {
+  kv;
+  encrypt;
+  decrypt;
+  fallback;
+  constructor(kv, options) {
+    this.kv = kv;
+    this.encrypt = options?.encrypt ?? ((s) => s);
+    this.decrypt = options?.decrypt ?? ((s) => s);
+    this.fallback = options?.fallback ?? new MemoryTokenStore;
+  }
+  async putJson(key, value, options) {
+    try {
+      const raw = await this.encrypt(toJson(value));
+      await this.kv.put(key, raw, options);
+    } catch (error) {
+      console.error("[KV] Write failed:", error.message);
+      throw error;
+    }
+  }
+  async getJson(key) {
+    const raw = await this.kv.get(key);
+    if (!raw) {
+      return null;
+    }
+    const plain = await this.decrypt(raw);
+    return fromJson(plain);
+  }
+  async storeRsMapping(rsAccess, provider, rsRefresh) {
+    const rec = {
+      rs_access_token: rsAccess,
+      rs_refresh_token: rsRefresh ?? crypto.randomUUID(),
+      provider: { ...provider },
+      created_at: Date.now()
+    };
+    await this.fallback.storeRsMapping(rsAccess, provider, rsRefresh);
+    try {
+      await Promise.all([
+        this.putJson(`rs:access:${rec.rs_access_token}`, rec),
+        this.putJson(`rs:refresh:${rec.rs_refresh_token}`, rec)
+      ]);
+    } catch (error) {
+      console.warn("[KV] Failed to persist RS mapping (using memory fallback):", error.message);
+    }
+    return rec;
+  }
+  async getByRsAccess(rsAccess) {
+    const rec = await this.getJson(`rs:access:${rsAccess}`);
+    return rec ?? await this.fallback.getByRsAccess(rsAccess);
+  }
+  async getByRsRefresh(rsRefresh) {
+    const rec = await this.getJson(`rs:refresh:${rsRefresh}`);
+    return rec ?? await this.fallback.getByRsRefresh(rsRefresh);
+  }
+  async updateByRsRefresh(rsRefresh, provider, maybeNewRsAccess) {
+    const existing = await this.getJson(`rs:refresh:${rsRefresh}`);
+    if (!existing) {
+      return this.fallback.updateByRsRefresh(rsRefresh, provider, maybeNewRsAccess);
+    }
+    const rsAccessChanged = maybeNewRsAccess && maybeNewRsAccess !== existing.rs_access_token;
+    const next = {
+      rs_access_token: maybeNewRsAccess || existing.rs_access_token,
+      rs_refresh_token: rsRefresh,
+      provider: { ...provider },
+      created_at: Date.now()
+    };
+    await this.fallback.updateByRsRefresh(rsRefresh, provider, maybeNewRsAccess);
+    try {
+      if (rsAccessChanged) {
+        await Promise.all([
+          this.kv.delete(`rs:access:${existing.rs_access_token}`),
+          this.putJson(`rs:access:${next.rs_access_token}`, next),
+          this.putJson(`rs:refresh:${rsRefresh}`, next)
+        ]);
+      } else {
+        await Promise.all([
+          this.putJson(`rs:access:${existing.rs_access_token}`, next),
+          this.putJson(`rs:refresh:${rsRefresh}`, next)
+        ]);
+      }
+    } catch (error) {
+      console.warn("[KV] Failed to update RS mapping (using memory fallback):", error.message);
+    }
+    return next;
+  }
+  async saveTransaction(txnId, txn, ttlSeconds = 600) {
+    await this.fallback.saveTransaction(txnId, txn);
+    try {
+      await this.putJson(`txn:${txnId}`, txn, { expiration: ttl(ttlSeconds) });
+    } catch (error) {
+      console.warn("[KV] Failed to save transaction (using memory):", error.message);
+    }
+  }
+  async getTransaction(txnId) {
+    const txn = await this.getJson(`txn:${txnId}`);
+    return txn ?? await this.fallback.getTransaction(txnId);
+  }
+  async deleteTransaction(txnId) {
+    await this.fallback.deleteTransaction(txnId);
+  }
+  async saveCode(code, txnId, ttlSeconds = 600) {
+    await this.fallback.saveCode(code, txnId);
+    try {
+      await this.putJson(`code:${code}`, { v: txnId }, { expiration: ttl(ttlSeconds) });
+    } catch (error) {
+      console.warn("[KV] Failed to save code (using memory):", error.message);
+    }
+  }
+  async getTxnIdByCode(code) {
+    const obj = await this.getJson(`code:${code}`);
+    return obj?.v ?? await this.fallback.getTxnIdByCode(code);
+  }
+  async deleteCode(code) {
+    await this.fallback.deleteCode(code);
+  }
+}
+var SESSION_KEY_PREFIX = "session:";
+var SESSION_APIKEY_PREFIX = "session:apikey:";
+var SESSION_TTL_SECONDS = 24 * 60 * 60;
+
+class KvSessionStore {
+  kv;
+  encrypt;
+  decrypt;
+  fallback;
+  constructor(kv, options) {
+    this.kv = kv;
+    this.encrypt = options?.encrypt ?? ((s) => s);
+    this.decrypt = options?.decrypt ?? ((s) => s);
+    this.fallback = options?.fallback ?? new MemorySessionStore;
+  }
+  async putSession(sessionId, value) {
+    const raw = await this.encrypt(toJson(value));
+    await this.kv.put(`${SESSION_KEY_PREFIX}${sessionId}`, raw, {
+      expiration: ttl(SESSION_TTL_SECONDS)
+    });
+  }
+  async getSession(sessionId) {
+    const raw = await this.kv.get(`${SESSION_KEY_PREFIX}${sessionId}`);
+    if (!raw) {
+      return this.fallback.get(sessionId);
+    }
+    const plain = await this.decrypt(raw);
+    return fromJson(plain);
+  }
+  async getApiKeySessionIds(apiKey) {
+    const raw = await this.kv.get(`${SESSION_APIKEY_PREFIX}${apiKey}`);
+    if (!raw)
+      return [];
+    return fromJson(raw) ?? [];
+  }
+  async setApiKeySessionIds(apiKey, sessionIds) {
+    if (sessionIds.length === 0) {
+      await this.kv.delete(`${SESSION_APIKEY_PREFIX}${apiKey}`);
+    } else {
+      await this.kv.put(`${SESSION_APIKEY_PREFIX}${apiKey}`, toJson(sessionIds), {
+        expiration: ttl(SESSION_TTL_SECONDS)
+      });
+    }
+  }
+  async create(sessionId, apiKey) {
+    const currentCount = await this.countByApiKey(apiKey);
+    if (currentCount >= MAX_SESSIONS_PER_API_KEY) {
+      await this.deleteOldestByApiKey(apiKey);
+    }
+    const now = Date.now();
+    const record = {
+      apiKey,
+      created_at: now,
+      last_accessed: now,
+      initialized: false
+    };
+    await this.putSession(sessionId, record);
+    await this.fallback.create(sessionId, apiKey);
+    const sessionIds = await this.getApiKeySessionIds(apiKey);
+    if (!sessionIds.includes(sessionId)) {
+      sessionIds.push(sessionId);
+      await this.setApiKeySessionIds(apiKey, sessionIds);
+    }
+    return record;
+  }
+  async get(sessionId) {
+    const session = await this.getSession(sessionId);
+    if (!session)
+      return null;
+    const now = Date.now();
+    session.last_accessed = now;
+    this.putSession(sessionId, session).catch(() => {});
+    return session;
+  }
+  async update(sessionId, data) {
+    const session = await this.getSession(sessionId);
+    if (!session)
+      return;
+    const updated = {
+      ...session,
+      ...data,
+      last_accessed: Date.now()
+    };
+    await this.putSession(sessionId, updated);
+    await this.fallback.update(sessionId, data);
+  }
+  async delete(sessionId) {
+    const session = await this.getSession(sessionId);
+    await this.kv.delete(`${SESSION_KEY_PREFIX}${sessionId}`);
+    await this.fallback.delete(sessionId);
+    if (session?.apiKey) {
+      const sessionIds = await this.getApiKeySessionIds(session.apiKey);
+      const filtered = sessionIds.filter((id) => id !== sessionId);
+      await this.setApiKeySessionIds(session.apiKey, filtered);
+    }
+  }
+  async getByApiKey(apiKey) {
+    const sessionIds = await this.getApiKeySessionIds(apiKey);
+    const sessions = [];
+    for (const sessionId of sessionIds) {
+      const session = await this.getSession(sessionId);
+      if (session) {
+        sessions.push(session);
+      }
+    }
+    return sessions.sort((a, b) => b.last_accessed - a.last_accessed);
+  }
+  async countByApiKey(apiKey) {
+    const sessionIds = await this.getApiKeySessionIds(apiKey);
+    return sessionIds.length;
+  }
+  async deleteOldestByApiKey(apiKey) {
+    const sessions = await this.getByApiKey(apiKey);
+    if (sessions.length === 0)
+      return;
+    const oldest = sessions[sessions.length - 1];
+    const sessionIds = await this.getApiKeySessionIds(apiKey);
+    for (const sessionId of sessionIds) {
+      const session = await this.getSession(sessionId);
+      if (session && session.created_at === oldest.created_at) {
+        await this.delete(sessionId);
+        return;
+      }
+    }
+  }
+  async ensure(sessionId) {
+    const existing = await this.fallback.get(sessionId);
+    if (!existing) {
+      const now = Date.now();
+      await this.fallback.put(sessionId, {
+        created_at: now,
+        last_accessed: now
+      });
+    }
+  }
+  async put(sessionId, value) {
+    await this.putSession(sessionId, value);
+    await this.fallback.put(sessionId, value);
+    if (value.apiKey) {
+      const sessionIds = await this.getApiKeySessionIds(value.apiKey);
+      if (!sessionIds.includes(sessionId)) {
+        sessionIds.push(sessionId);
+        await this.setApiKeySessionIds(value.apiKey, sessionIds);
+      }
+    }
+  }
+}
+
+// src/shared/storage/singleton.ts
+var tokenStoreInstance = null;
+var sessionStoreInstance = null;
+function initializeStorage(tokenStore, sessionStore) {
+  tokenStoreInstance = tokenStore;
+  sessionStoreInstance = sessionStore;
+}
+function getTokenStore() {
+  if (!tokenStoreInstance) {
+    throw new Error("TokenStore not initialized. Call initializeStorage first.");
+  }
+  return tokenStoreInstance;
+}
+function getSessionStore() {
+  if (!sessionStoreInstance) {
+    throw new Error("SessionStore not initialized. Call initializeStorage first.");
+  }
+  return sessionStoreInstance;
+}
+
+// src/shared/http/response.ts
+function jsonResponse(data, options = {}) {
+  const { status = 200, headers = {}, cors = true } = options;
+  const response = new Response(JSON.stringify(data), {
+    status,
+    headers: {
+      "Content-Type": "application/json; charset=utf-8",
+      ...headers
+    }
+  });
+  if (cors) {
+    return withCors(response, typeof cors === "object" ? cors : undefined);
+  }
+  return response;
+}
+function textError(message, options = {}) {
+  const { status = 400, cors = true } = options;
+  const response = new Response(message, { status });
+  if (cors) {
+    return withCors(response, typeof cors === "object" ? cors : undefined);
+  }
+  return response;
+}
+function oauthError(error, description, options = {}) {
+  const body = { error };
+  if (description) {
+    body.error_description = description;
+  }
+  return jsonResponse(body, {
+    status: options.status ?? 400,
+    cors: options.cors
+  });
+}
+function redirectResponse(url, status = 302) {
+  return Response.redirect(url, status);
+}
+var JsonRpcErrorCode = {
+  ParseError: -32700,
+  InvalidRequest: -32600,
+  MethodNotFound: -32601,
+  InvalidParams: -32602,
+  InternalError: -32603,
+  ServerError: -32000
+};
+
+// src/shared/config/metadata.ts
+var serverMetadata = {
+  title: "MCP Server",
+  version: "0.0.1",
+  instructions: "Use these tools to interact with the server."
+};
+
+// src/shared/mcp/dispatcher.ts
+var LATEST_PROTOCOL_VERSION = "2025-06-18";
+var SUPPORTED_PROTOCOL_VERSIONS = [
+  "2025-06-18",
+  "2025-03-26",
+  "2024-11-05",
+  "2024-10-07"
+];
+var JsonRpcErrorCode2 = {
+  ParseError: -32700,
+  InvalidRequest: -32600,
+  MethodNotFound: -32601,
+  InvalidParams: -32602,
+  InternalError: -32603
+};
+async function handleInitialize(params, ctx) {
+  const clientInfo = params?.clientInfo;
+  const requestedVersion = String(params?.protocolVersion || LATEST_PROTOCOL_VERSION);
+  const protocolVersion = SUPPORTED_PROTOCOL_VERSIONS.includes(requestedVersion) ? requestedVersion : LATEST_PROTOCOL_VERSION;
+  ctx.setSessionState({
+    initialized: false,
+    clientInfo,
+    protocolVersion
+  });
+  sharedLogger.info("mcp_dispatch", {
+    message: "Initialize request",
+    sessionId: ctx.sessionId,
+    clientInfo,
+    requestedVersion,
+    negotiatedVersion: protocolVersion
+  });
+  return {
+    result: {
+      protocolVersion,
+      capabilities: buildCapabilities(),
+      serverInfo: {
+        name: ctx.config.title || serverMetadata.title,
+        version: ctx.config.version || "0.0.1"
+      },
+      instructions: ctx.config.instructions || serverMetadata.instructions
+    }
+  };
+}
+async function handleToolsList(ctx) {
+  const tools = (ctx.tools ?? sharedTools).map((tool) => ({
+    name: tool.name,
+    description: tool.description,
+    inputSchema: zodToJsonSchema(tool.inputSchema),
+    ...tool.outputSchema && {
+      outputSchema: zodToJsonSchema(exports_external.object(tool.outputSchema))
+    },
+    ...tool.annotations && { annotations: tool.annotations }
+  }));
+  return { result: { tools } };
+}
+async function handleToolsCall(params, ctx, requestId) {
+  const toolName = String(params?.name || "");
+  const toolArgs = params?.arguments || {};
+  const meta = params?._meta;
+  const abortController = new AbortController;
+  if (requestId !== undefined && ctx.cancellationRegistry) {
+    ctx.cancellationRegistry.set(requestId, abortController);
+  }
+  const toolContext = {
+    ...ctx.auth,
+    sessionId: ctx.sessionId,
+    signal: abortController.signal,
+    meta: {
+      progressToken: meta?.progressToken,
+      requestId: requestId !== undefined ? String(requestId) : undefined
+    }
+  };
+  sharedLogger.debug("mcp_dispatch", {
+    message: "Calling tool",
+    tool: toolName,
+    sessionId: ctx.sessionId,
+    requestId,
+    hasProviderToken: Boolean(ctx.auth.providerToken)
+  });
+  const toolList = ctx.tools ?? sharedTools;
+  const tool = toolList.find((t) => t.name === toolName);
+  if (tool?.requiresAuth && !ctx.auth.providerToken) {
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InvalidRequest,
+        message: "Authentication required. Please complete OAuth flow first."
+      }
+    };
+  }
+  try {
+    const result = await executeSharedTool(toolName, toolArgs, toolContext, ctx.tools);
+    return { result };
+  } catch (error) {
+    if (abortController.signal.aborted) {
+      sharedLogger.info("mcp_dispatch", {
+        message: "Tool execution cancelled",
+        tool: toolName,
+        requestId
+      });
+      return {
+        error: {
+          code: JsonRpcErrorCode2.InternalError,
+          message: "Request was cancelled"
+        }
+      };
+    }
+    sharedLogger.error("mcp_dispatch", {
+      message: "Tool execution failed",
+      tool: toolName,
+      error: error.message
+    });
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InternalError,
+        message: `Tool execution failed: ${error.message}`
+      }
+    };
+  } finally {
+    if (requestId !== undefined && ctx.cancellationRegistry) {
+      ctx.cancellationRegistry.delete(requestId);
+    }
+  }
+}
+async function handleResourcesList() {
+  return { result: { resources: [] } };
+}
+async function handleResourcesTemplatesList() {
+  return { result: { resourceTemplates: [] } };
+}
+async function handlePromptsList() {
+  return { result: { prompts: [] } };
+}
+async function handlePing() {
+  return { result: {} };
+}
+var currentLogLevel = "info";
+async function handleLoggingSetLevel(params) {
+  const level = params?.level;
+  const validLevels = [
+    "debug",
+    "info",
+    "notice",
+    "warning",
+    "error",
+    "critical",
+    "alert",
+    "emergency"
+  ];
+  if (!level || !validLevels.includes(level)) {
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InvalidParams,
+        message: `Invalid log level. Must be one of: ${validLevels.join(", ")}`
+      }
+    };
+  }
+  currentLogLevel = level;
+  sharedLogger.info("mcp_dispatch", {
+    message: "Log level changed",
+    level: currentLogLevel
+  });
+  return { result: {} };
+}
+function getLogLevel() {
+  return currentLogLevel;
+}
+async function dispatchMcpMethod(method, params, ctx, requestId) {
+  if (!method) {
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InvalidRequest,
+        message: "Missing method"
+      }
+    };
+  }
+  switch (method) {
+    case "initialize":
+      return handleInitialize(params, ctx);
+    case "tools/list":
+      return handleToolsList(ctx);
+    case "tools/call":
+      return handleToolsCall(params, ctx, requestId);
+    case "resources/list":
+      return handleResourcesList();
+    case "resources/templates/list":
+      return handleResourcesTemplatesList();
+    case "prompts/list":
+      return handlePromptsList();
+    case "ping":
+      return handlePing();
+    case "logging/setLevel":
+      return handleLoggingSetLevel(params);
+    default:
+      sharedLogger.debug("mcp_dispatch", { message: "Unknown method", method });
+      return {
+        error: {
+          code: JsonRpcErrorCode2.MethodNotFound,
+          message: `Method not found: ${method}`
+        }
+      };
+  }
+}
+function handleMcpNotification(method, params, ctx) {
+  if (method === "notifications/initialized") {
+    const session = ctx.getSessionState();
+    if (session) {
+      ctx.setSessionState({ ...session, initialized: true });
+    }
+    sharedLogger.info("mcp_dispatch", {
+      message: "Client initialized",
+      sessionId: ctx.sessionId
+    });
+    return true;
+  }
+  if (method === "notifications/cancelled") {
+    const cancelParams = params;
+    const requestId = cancelParams?.requestId;
+    if (requestId !== undefined && ctx.cancellationRegistry) {
+      const controller = ctx.cancellationRegistry.get(requestId);
+      if (controller) {
+        sharedLogger.info("mcp_dispatch", {
+          message: "Cancelling request",
+          requestId,
+          reason: cancelParams?.reason,
+          sessionId: ctx.sessionId
+        });
+        controller.abort(cancelParams?.reason ?? "Client requested cancellation");
+        return true;
+      }
+      sharedLogger.debug("mcp_dispatch", {
+        message: "Cancellation request for unknown requestId",
+        requestId,
+        sessionId: ctx.sessionId
+      });
+    }
+    return true;
+  }
+  sharedLogger.debug("mcp_dispatch", {
+    message: "Unhandled notification",
+    method,
+    sessionId: ctx.sessionId
+  });
+  return false;
+}
+
+// node_modules/oauth4webapi/build/index.js
+var USER_AGENT;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
+  const NAME = "oauth4webapi";
+  const VERSION = "v3.8.5";
+  USER_AGENT = `${NAME}/${VERSION}`;
+}
+function looseInstanceOf(input, expected) {
+  if (input == null) {
+    return false;
+  }
+  try {
+    return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
+  } catch {
+    return false;
+  }
+}
+var ERR_INVALID_ARG_VALUE = "ERR_INVALID_ARG_VALUE";
+var ERR_INVALID_ARG_TYPE = "ERR_INVALID_ARG_TYPE";
+function CodedTypeError(message, code, cause) {
+  const err = new TypeError(message, { cause });
+  Object.assign(err, { code });
+  return err;
+}
+var allowInsecureRequests = Symbol();
+var clockSkew = Symbol();
+var clockTolerance = Symbol();
+var customFetch = Symbol();
+var modifyAssertion = Symbol();
+var jweDecrypt = Symbol();
+var jwksCache = Symbol();
+var encoder = new TextEncoder;
+var decoder = new TextDecoder;
+function buf(input) {
+  if (typeof input === "string") {
+    return encoder.encode(input);
+  }
+  return decoder.decode(input);
+}
+var encodeBase64Url;
+if (Uint8Array.prototype.toBase64) {
+  encodeBase64Url = (input) => {
+    if (input instanceof ArrayBuffer) {
+      input = new Uint8Array(input);
+    }
+    return input.toBase64({ alphabet: "base64url", omitPadding: true });
+  };
+} else {
+  const CHUNK_SIZE = 32768;
+  encodeBase64Url = (input) => {
+    if (input instanceof ArrayBuffer) {
+      input = new Uint8Array(input);
+    }
+    const arr = [];
+    for (let i = 0;i < input.byteLength; i += CHUNK_SIZE) {
+      arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+    }
+    return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+  };
+}
+var decodeBase64Url;
+if (Uint8Array.fromBase64) {
+  decodeBase64Url = (input) => {
+    try {
+      return Uint8Array.fromBase64(input, { alphabet: "base64url" });
+    } catch (cause) {
+      throw CodedTypeError("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE, cause);
+    }
+  };
+} else {
+  decodeBase64Url = (input) => {
+    try {
+      const binary = atob(input.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""));
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0;i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+      }
+      return bytes;
+    } catch (cause) {
+      throw CodedTypeError("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE, cause);
+    }
+  };
+}
+function b64u(input) {
+  if (typeof input === "string") {
+    return decodeBase64Url(input);
+  }
+  return encodeBase64Url(input);
+}
+
+class UnsupportedOperationError extends Error {
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = UNSUPPORTED_OPERATION;
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+
+class OperationProcessingError extends Error {
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    if (options?.code) {
+      this.code = options?.code;
+    }
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+function OPE(message, code, cause) {
+  return new OperationProcessingError(message, { code, cause });
+}
+async function calculateJwkThumbprint(jwk) {
+  let components;
+  switch (jwk.kty) {
+    case "EC":
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x,
+        y: jwk.y
+      };
+      break;
+    case "OKP":
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x
+      };
+      break;
+    case "AKP":
+      components = {
+        alg: jwk.alg,
+        kty: jwk.kty,
+        pub: jwk.pub
+      };
+      break;
+    case "RSA":
+      components = {
+        e: jwk.e,
+        kty: jwk.kty,
+        n: jwk.n
+      };
+      break;
+    default:
+      throw new UnsupportedOperationError("unsupported JWK key type", { cause: jwk });
+  }
+  return b64u(await crypto.subtle.digest("SHA-256", buf(JSON.stringify(components))));
+}
+function assertCryptoKey(key, it) {
+  if (!(key instanceof CryptoKey)) {
+    throw CodedTypeError(`${it} must be a CryptoKey`, ERR_INVALID_ARG_TYPE);
+  }
+}
+function assertPrivateKey(key, it) {
+  assertCryptoKey(key, it);
+  if (key.type !== "private") {
+    throw CodedTypeError(`${it} must be a private CryptoKey`, ERR_INVALID_ARG_VALUE);
+  }
+}
+function assertPublicKey(key, it) {
+  assertCryptoKey(key, it);
+  if (key.type !== "public") {
+    throw CodedTypeError(`${it} must be a public CryptoKey`, ERR_INVALID_ARG_VALUE);
+  }
+}
+function isJsonObject(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    return false;
+  }
+  return true;
+}
+function prepareHeaders(input) {
+  if (looseInstanceOf(input, Headers)) {
+    input = Object.fromEntries(input.entries());
+  }
+  const headers = new Headers(input ?? {});
+  if (USER_AGENT && !headers.has("user-agent")) {
+    headers.set("user-agent", USER_AGENT);
+  }
+  if (headers.has("authorization")) {
+    throw CodedTypeError('"options.headers" must not include the "authorization" header name', ERR_INVALID_ARG_VALUE);
+  }
+  return headers;
+}
+function signal(url, value) {
+  if (value !== undefined) {
+    if (typeof value === "function") {
+      value = value(url.href);
+    }
+    if (!(value instanceof AbortSignal)) {
+      throw CodedTypeError('"options.signal" must return or be an instance of AbortSignal', ERR_INVALID_ARG_TYPE);
+    }
+    return value;
+  }
+  return;
+}
+function assertNumber(input, allow0, it, code, cause) {
+  try {
+    if (typeof input !== "number" || !Number.isFinite(input)) {
+      throw CodedTypeError(`${it} must be a number`, ERR_INVALID_ARG_TYPE, cause);
+    }
+    if (input > 0)
+      return;
+    if (allow0) {
+      if (input !== 0) {
+        throw CodedTypeError(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE, cause);
+      }
+      return;
+    }
+    throw CodedTypeError(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE, cause);
+  } catch (err) {
+    if (code) {
+      throw OPE(err.message, code, cause);
+    }
+    throw err;
+  }
+}
+function assertString(input, it, code, cause) {
+  try {
+    if (typeof input !== "string") {
+      throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE, cause);
+    }
+    if (input.length === 0) {
+      throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause);
+    }
+  } catch (err) {
+    if (code) {
+      throw OPE(err.message, code, cause);
+    }
+    throw err;
+  }
+}
+function assertApplicationJson(response) {
+  assertContentType(response, "application/json");
+}
+function notJson(response, ...types) {
+  let msg = '"response" content-type must be ';
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `${types.join(", ")}, or ${last}`;
+  } else if (types.length === 2) {
+    msg += `${types[0]} or ${types[1]}`;
+  } else {
+    msg += types[0];
+  }
+  return OPE(msg, RESPONSE_IS_NOT_JSON, response);
+}
+function assertContentType(response, contentType) {
+  if (getContentType(response) !== contentType) {
+    throw notJson(response, contentType);
+  }
+}
+function randomBytes() {
+  return b64u(crypto.getRandomValues(new Uint8Array(32)));
+}
+async function calculatePKCECodeChallenge(codeVerifier) {
+  assertString(codeVerifier, "codeVerifier");
+  return b64u(await crypto.subtle.digest("SHA-256", buf(codeVerifier)));
+}
+function psAlg(key) {
+  switch (key.algorithm.hash.name) {
+    case "SHA-256":
+      return "PS256";
+    case "SHA-384":
+      return "PS384";
+    case "SHA-512":
+      return "PS512";
+    default:
+      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name", {
+        cause: key
+      });
+  }
+}
+function rsAlg(key) {
+  switch (key.algorithm.hash.name) {
+    case "SHA-256":
+      return "RS256";
+    case "SHA-384":
+      return "RS384";
+    case "SHA-512":
+      return "RS512";
+    default:
+      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name", {
+        cause: key
+      });
+  }
+}
+function esAlg(key) {
+  switch (key.algorithm.namedCurve) {
+    case "P-256":
+      return "ES256";
+    case "P-384":
+      return "ES384";
+    case "P-521":
+      return "ES512";
+    default:
+      throw new UnsupportedOperationError("unsupported EcKeyAlgorithm namedCurve", { cause: key });
+  }
+}
+function keyToJws(key) {
+  switch (key.algorithm.name) {
+    case "RSA-PSS":
+      return psAlg(key);
+    case "RSASSA-PKCS1-v1_5":
+      return rsAlg(key);
+    case "ECDSA":
+      return esAlg(key);
+    case "Ed25519":
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return key.algorithm.name;
+    case "EdDSA":
+      return "Ed25519";
+    default:
+      throw new UnsupportedOperationError("unsupported CryptoKey algorithm name", { cause: key });
+  }
+}
+function getClockSkew(client) {
+  const skew = client?.[clockSkew];
+  return typeof skew === "number" && Number.isFinite(skew) ? skew : 0;
+}
+function getClockTolerance(client) {
+  const tolerance = client?.[clockTolerance];
+  return typeof tolerance === "number" && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
+}
+function epochTime() {
+  return Math.floor(Date.now() / 1000);
+}
+function assertAs(as) {
+  if (typeof as !== "object" || as === null) {
+    throw CodedTypeError('"as" must be an object', ERR_INVALID_ARG_TYPE);
+  }
+  assertString(as.issuer, '"as.issuer"');
+}
+function assertClient(client) {
+  if (typeof client !== "object" || client === null) {
+    throw CodedTypeError('"client" must be an object', ERR_INVALID_ARG_TYPE);
+  }
+  assertString(client.client_id, '"client.client_id"');
+}
+function ClientSecretPost(clientSecret) {
+  assertString(clientSecret, '"clientSecret"');
+  return (_as, client, body, _headers) => {
+    body.set("client_id", client.client_id);
+    body.set("client_secret", clientSecret);
+  };
+}
+async function signJwt(header, payload, key) {
+  if (!key.usages.includes("sign")) {
+    throw CodedTypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"', ERR_INVALID_ARG_VALUE);
+  }
+  const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;
+  const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));
+  return `${input}.${signature}`;
+}
+var jwkCache;
+async function getSetPublicJwkCache(key, alg) {
+  const { kty, e, n, x, y, crv, pub } = await crypto.subtle.exportKey("jwk", key);
+  const jwk = { kty, e, n, x, y, crv, pub };
+  if (kty === "AKP")
+    jwk.alg = alg;
+  jwkCache.set(key, jwk);
+  return jwk;
+}
+async function publicJwk(key, alg) {
+  jwkCache ||= new WeakMap;
+  return jwkCache.get(key) || getSetPublicJwkCache(key, alg);
+}
+var URLParse = URL.parse ? (url, base) => URL.parse(url, base) : (url, base) => {
+  try {
+    return new URL(url, base);
+  } catch {
+    return null;
+  }
+};
+function checkProtocol(url, enforceHttps) {
+  if (enforceHttps && url.protocol !== "https:") {
+    throw OPE("only requests to HTTPS are allowed", HTTP_REQUEST_FORBIDDEN, url);
+  }
+  if (url.protocol !== "https:" && url.protocol !== "http:") {
+    throw OPE("only HTTP and HTTPS requests are allowed", REQUEST_PROTOCOL_FORBIDDEN, url);
+  }
+}
+function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {
+  let url;
+  if (typeof value !== "string" || !(url = URLParse(value))) {
+    throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === undefined ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint });
+  }
+  checkProtocol(url, enforceHttps);
+  return url;
+}
+function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {
+  if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {
+    return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);
+  }
+  return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);
+}
+class DPoPHandler {
+  #header;
+  #privateKey;
+  #publicKey;
+  #clockSkew;
+  #modifyAssertion;
+  #map;
+  #jkt;
+  constructor(client, keyPair, options) {
+    assertPrivateKey(keyPair?.privateKey, '"DPoP.privateKey"');
+    assertPublicKey(keyPair?.publicKey, '"DPoP.publicKey"');
+    if (!keyPair.publicKey.extractable) {
+      throw CodedTypeError('"DPoP.publicKey.extractable" must be true', ERR_INVALID_ARG_VALUE);
+    }
+    this.#modifyAssertion = options?.[modifyAssertion];
+    this.#clockSkew = getClockSkew(client);
+    this.#privateKey = keyPair.privateKey;
+    this.#publicKey = keyPair.publicKey;
+    branded.add(this);
+  }
+  #get(key) {
+    this.#map ||= new Map;
+    let item = this.#map.get(key);
+    if (item) {
+      this.#map.delete(key);
+      this.#map.set(key, item);
+    }
+    return item;
+  }
+  #set(key, val) {
+    this.#map ||= new Map;
+    this.#map.delete(key);
+    if (this.#map.size === 100) {
+      this.#map.delete(this.#map.keys().next().value);
+    }
+    this.#map.set(key, val);
+  }
+  async calculateThumbprint() {
+    if (!this.#jkt) {
+      const jwk = await crypto.subtle.exportKey("jwk", this.#publicKey);
+      this.#jkt ||= await calculateJwkThumbprint(jwk);
+    }
+    return this.#jkt;
+  }
+  async addProof(url, headers, htm, accessToken) {
+    const alg = keyToJws(this.#privateKey);
+    this.#header ||= {
+      alg,
+      typ: "dpop+jwt",
+      jwk: await publicJwk(this.#publicKey, alg)
+    };
+    const nonce = this.#get(url.origin);
+    const now = epochTime() + this.#clockSkew;
+    const payload = {
+      iat: now,
+      jti: randomBytes(),
+      htm,
+      nonce,
+      htu: `${url.origin}${url.pathname}`,
+      ath: accessToken ? b64u(await crypto.subtle.digest("SHA-256", buf(accessToken))) : undefined
+    };
+    this.#modifyAssertion?.(this.#header, payload);
+    headers.set("dpop", await signJwt(this.#header, payload, this.#privateKey));
+  }
+  cacheNonce(response, url) {
+    try {
+      const nonce = response.headers.get("dpop-nonce");
+      if (nonce) {
+        this.#set(url.origin, nonce);
+      }
+    } catch {}
+  }
+}
+class ResponseBodyError extends Error {
+  cause;
+  code;
+  error;
+  status;
+  error_description;
+  response;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = RESPONSE_BODY_ERROR;
+    this.cause = options.cause;
+    this.error = options.cause.error;
+    this.status = options.response.status;
+    this.error_description = options.cause.error_description;
+    Object.defineProperty(this, "response", { enumerable: false, value: options.response });
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+
+class AuthorizationResponseError extends Error {
+  cause;
+  code;
+  error;
+  error_description;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = AUTHORIZATION_RESPONSE_ERROR;
+    this.cause = options.cause;
+    this.error = options.cause.get("error");
+    this.error_description = options.cause.get("error_description") ?? undefined;
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+
+class WWWAuthenticateChallengeError extends Error {
+  cause;
+  code;
+  response;
+  status;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = WWW_AUTHENTICATE_CHALLENGE;
+    this.cause = options.cause;
+    this.status = options.response.status;
+    this.response = options.response;
+    Object.defineProperty(this, "response", { enumerable: false });
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+var tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
+var token68Match = "[a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2}";
+var quotedMatch = '"((?:[^"\\\\]|\\\\[\\s\\S])*)"';
+var quotedParamMatcher = "(" + tokenMatch + ")\\s*=\\s*" + quotedMatch;
+var paramMatcher = "(" + tokenMatch + ")\\s*=\\s*(" + tokenMatch + ")";
+var schemeRE = new RegExp("^[,\\s]*(" + tokenMatch + ")");
+var quotedParamRE = new RegExp("^[,\\s]*" + quotedParamMatcher + "[,\\s]*(.*)");
+var unquotedParamRE = new RegExp("^[,\\s]*" + paramMatcher + "[,\\s]*(.*)");
+var token68ParamRE = new RegExp("^(" + token68Match + ")(?:$|[,\\s])(.*)");
+function parseWwwAuthenticateChallenges(response) {
+  if (!looseInstanceOf(response, Response)) {
+    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+  }
+  const header = response.headers.get("www-authenticate");
+  if (header === null) {
+    return;
+  }
+  const challenges = [];
+  let rest = header;
+  while (rest) {
+    let match = rest.match(schemeRE);
+    const scheme = match?.["1"].toLowerCase();
+    if (!scheme) {
+      return;
+    }
+    const afterScheme = rest.substring(match[0].length);
+    if (afterScheme && !afterScheme.match(/^[\s,]/)) {
+      return;
+    }
+    const spaceMatch = afterScheme.match(/^\s+(.*)$/);
+    const hasParameters = !!spaceMatch;
+    rest = spaceMatch ? spaceMatch[1] : undefined;
+    const parameters = {};
+    let token68;
+    if (hasParameters) {
+      while (rest) {
+        let key;
+        let value;
+        if (match = rest.match(quotedParamRE)) {
+          [, key, value, rest] = match;
+          if (value.includes("\\")) {
+            try {
+              value = JSON.parse(`"${value}"`);
+            } catch {}
+          }
+          parameters[key.toLowerCase()] = value;
+          continue;
+        }
+        if (match = rest.match(unquotedParamRE)) {
+          [, key, value, rest] = match;
+          parameters[key.toLowerCase()] = value;
+          continue;
+        }
+        if (match = rest.match(token68ParamRE)) {
+          if (Object.keys(parameters).length) {
+            break;
+          }
+          [, token68, rest] = match;
+          break;
+        }
+        return;
+      }
+    } else {
+      rest = afterScheme || undefined;
+    }
+    const challenge = { scheme, parameters };
+    if (token68) {
+      challenge.token68 = token68;
+    }
+    challenges.push(challenge);
+  }
+  if (!challenges.length) {
+    return;
+  }
+  return challenges;
+}
+async function parseOAuthResponseErrorBody(response) {
+  if (response.status > 399 && response.status < 500) {
+    assertReadableResponse(response);
+    assertApplicationJson(response);
+    try {
+      const json = await response.clone().json();
+      if (isJsonObject(json) && typeof json.error === "string" && json.error.length) {
+        return json;
+      }
+    } catch {}
+  }
+  return;
+}
+async function checkOAuthBodyError(response, expected, label) {
+  if (response.status !== expected) {
+    checkAuthenticationChallenges(response);
+    let err;
+    if (err = await parseOAuthResponseErrorBody(response)) {
+      await response.body?.cancel();
+      throw new ResponseBodyError("server responded with an error in the response body", {
+        cause: err,
+        response
+      });
+    }
+    throw OPE(`"response" is not a conform ${label} response (unexpected HTTP status code)`, RESPONSE_IS_NOT_CONFORM, response);
+  }
+}
+function assertDPoP(option) {
+  if (!branded.has(option)) {
+    throw CodedTypeError('"options.DPoP" is not a valid DPoPHandle', ERR_INVALID_ARG_VALUE);
+  }
+}
+var skipSubjectCheck = Symbol();
+function getContentType(input) {
+  return input.headers.get("content-type")?.split(";")[0];
+}
+async function authenticatedRequest(as, client, clientAuthentication, url, body, headers, options) {
+  await clientAuthentication(as, client, body, headers);
+  headers.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8");
+  return (options?.[customFetch] || fetch)(url.href, {
+    body,
+    headers: Object.fromEntries(headers.entries()),
+    method: "POST",
+    redirect: "manual",
+    signal: signal(url, options?.signal)
+  });
+}
+async function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
+  const url = resolveEndpoint(as, "token_endpoint", client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
+  parameters.set("grant_type", grantType);
+  const headers = prepareHeaders(options?.headers);
+  headers.set("accept", "application/json");
+  if (options?.DPoP !== undefined) {
+    assertDPoP(options.DPoP);
+    await options.DPoP.addProof(url, headers, "POST");
+  }
+  const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers, options);
+  options?.DPoP?.cacheNonce(response, url);
+  return response;
+}
+async function refreshTokenGrantRequest(as, client, clientAuthentication, refreshToken, options) {
+  assertAs(as);
+  assertClient(client);
+  assertString(refreshToken, '"refreshToken"');
+  const parameters = new URLSearchParams(options?.additionalParameters);
+  parameters.set("refresh_token", refreshToken);
+  return tokenEndpointRequest(as, client, clientAuthentication, "refresh_token", parameters, options);
+}
+var idTokenClaims = new WeakMap;
+var jwtRefs = new WeakMap;
+function getValidatedIdTokenClaims(ref) {
+  if (!ref.id_token) {
+    return;
+  }
+  const claims = idTokenClaims.get(ref);
+  if (!claims) {
+    throw CodedTypeError('"ref" was already garbage collected or did not resolve from the proper sources', ERR_INVALID_ARG_VALUE);
+  }
+  return claims;
+}
+async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {
+  assertAs(as);
+  assertClient(client);
+  if (!looseInstanceOf(response, Response)) {
+    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+  }
+  await checkOAuthBodyError(response, 200, "Token Endpoint");
+  assertReadableResponse(response);
+  const json = await getResponseJsonBody(response);
+  assertString(json.access_token, '"response" body "access_token" property', INVALID_RESPONSE, {
+    body: json
+  });
+  assertString(json.token_type, '"response" body "token_type" property', INVALID_RESPONSE, {
+    body: json
+  });
+  json.token_type = json.token_type.toLowerCase();
+  if (json.expires_in !== undefined) {
+    let expiresIn = typeof json.expires_in !== "number" ? parseFloat(json.expires_in) : json.expires_in;
+    assertNumber(expiresIn, true, '"response" body "expires_in" property', INVALID_RESPONSE, {
+      body: json
+    });
+    json.expires_in = expiresIn;
+  }
+  if (json.refresh_token !== undefined) {
+    assertString(json.refresh_token, '"response" body "refresh_token" property', INVALID_RESPONSE, {
+      body: json
+    });
+  }
+  if (json.scope !== undefined && typeof json.scope !== "string") {
+    throw OPE('"response" body "scope" property must be a string', INVALID_RESPONSE, { body: json });
+  }
+  if (json.id_token !== undefined) {
+    assertString(json.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
+      body: json
+    });
+    const requiredClaims = ["aud", "exp", "iat", "iss", "sub"];
+    if (client.require_auth_time === true) {
+      requiredClaims.push("auth_time");
+    }
+    if (client.default_max_age !== undefined) {
+      assertNumber(client.default_max_age, true, '"client.default_max_age"');
+      requiredClaims.push("auth_time");
+    }
+    if (additionalRequiredIdTokenClaims?.length) {
+      requiredClaims.push(...additionalRequiredIdTokenClaims);
+    }
+    const { claims, jwt } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, "RS256"), getClockSkew(client), getClockTolerance(client), decryptFn).then(validatePresence.bind(undefined, requiredClaims)).then(validateIssuer.bind(undefined, as)).then(validateAudience.bind(undefined, client.client_id));
+    if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
+      if (claims.azp === undefined) {
+        throw OPE('ID Token "aud" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, { claims, claim: "aud" });
+      }
+      if (claims.azp !== client.client_id) {
+        throw OPE('unexpected ID Token "azp" (authorized party) claim value', JWT_CLAIM_COMPARISON, { expected: client.client_id, claims, claim: "azp" });
+      }
+    }
+    if (claims.auth_time !== undefined) {
+      assertNumber(claims.auth_time, true, 'ID Token "auth_time" (authentication time)', INVALID_RESPONSE, { claims });
+    }
+    jwtRefs.set(response, jwt);
+    idTokenClaims.set(json, claims);
+  }
+  if (recognizedTokenTypes?.[json.token_type] !== undefined) {
+    recognizedTokenTypes[json.token_type](response, json);
+  } else if (json.token_type !== "dpop" && json.token_type !== "bearer") {
+    throw new UnsupportedOperationError("unsupported `token_type` value", { cause: { body: json } });
+  }
+  return json;
+}
+function checkAuthenticationChallenges(response) {
+  let challenges;
+  if (challenges = parseWwwAuthenticateChallenges(response)) {
+    throw new WWWAuthenticateChallengeError("server responded with a challenge in the WWW-Authenticate HTTP Header", { cause: challenges, response });
+  }
+}
+async function processRefreshTokenResponse(as, client, response, options) {
+  return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+function validateAudience(expected, result) {
+  if (Array.isArray(result.claims.aud)) {
+    if (!result.claims.aud.includes(expected)) {
+      throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+        expected,
+        claims: result.claims,
+        claim: "aud"
+      });
+    }
+  } else if (result.claims.aud !== expected) {
+    throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+      expected,
+      claims: result.claims,
+      claim: "aud"
+    });
+  }
+  return result;
+}
+function validateIssuer(as, result) {
+  const expected = as[_expectedIssuer]?.(result) ?? as.issuer;
+  if (result.claims.iss !== expected) {
+    throw OPE('unexpected JWT "iss" (issuer) claim value', JWT_CLAIM_COMPARISON, {
+      expected,
+      claims: result.claims,
+      claim: "iss"
+    });
+  }
+  return result;
+}
+var branded = new WeakSet;
+function brand(searchParams) {
+  branded.add(searchParams);
+  return searchParams;
+}
+var nopkce = Symbol();
+async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {
+  assertAs(as);
+  assertClient(client);
+  if (!branded.has(callbackParameters)) {
+    throw CodedTypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()', ERR_INVALID_ARG_VALUE);
+  }
+  assertString(redirectUri, '"redirectUri"');
+  const code = getURLSearchParameter(callbackParameters, "code");
+  if (!code) {
+    throw OPE('no authorization code in "callbackParameters"', INVALID_RESPONSE);
+  }
+  const parameters = new URLSearchParams(options?.additionalParameters);
+  parameters.set("redirect_uri", redirectUri);
+  parameters.set("code", code);
+  if (codeVerifier !== nopkce) {
+    assertString(codeVerifier, '"codeVerifier"');
+    parameters.set("code_verifier", codeVerifier);
+  }
+  return tokenEndpointRequest(as, client, clientAuthentication, "authorization_code", parameters, options);
+}
+var jwtClaimNames = {
+  aud: "audience",
+  c_hash: "code hash",
+  client_id: "client id",
+  exp: "expiration time",
+  iat: "issued at",
+  iss: "issuer",
+  jti: "jwt id",
+  nonce: "nonce",
+  s_hash: "state hash",
+  sub: "subject",
+  ath: "access token hash",
+  htm: "http method",
+  htu: "http uri",
+  cnf: "confirmation",
+  auth_time: "authentication time"
+};
+function validatePresence(required, result) {
+  for (const claim of required) {
+    if (result.claims[claim] === undefined) {
+      throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, {
+        claims: result.claims
+      });
+    }
+  }
+  return result;
+}
+var expectNoNonce = Symbol();
+var skipAuthTimeCheck = Symbol();
+async function processAuthorizationCodeResponse(as, client, response, options) {
+  if (typeof options?.expectedNonce === "string" || typeof options?.maxAge === "number" || options?.requireIdToken) {
+    return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);
+  }
+  return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);
+}
+async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {
+  const additionalRequiredClaims = [];
+  switch (expectedNonce) {
+    case undefined:
+      expectedNonce = expectNoNonce;
+      break;
+    case expectNoNonce:
+      break;
+    default:
+      assertString(expectedNonce, '"expectedNonce" argument');
+      additionalRequiredClaims.push("nonce");
+  }
+  maxAge ??= client.default_max_age;
+  switch (maxAge) {
+    case undefined:
+      maxAge = skipAuthTimeCheck;
+      break;
+    case skipAuthTimeCheck:
+      break;
+    default:
+      assertNumber(maxAge, true, '"maxAge" argument');
+      additionalRequiredClaims.push("auth_time");
+  }
+  const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);
+  assertString(result.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
+    body: result
+  });
+  const claims = getValidatedIdTokenClaims(result);
+  if (maxAge !== skipAuthTimeCheck) {
+    const now = epochTime() + getClockSkew(client);
+    const tolerance = getClockTolerance(client);
+    if (claims.auth_time + maxAge < now - tolerance) {
+      throw OPE("too much time has elapsed since the last End-User authentication", JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: "auth_time" });
+    }
+  }
+  if (expectedNonce === expectNoNonce) {
+    if (claims.nonce !== undefined) {
+      throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
+        expected: undefined,
+        claims,
+        claim: "nonce"
+      });
+    }
+  } else if (claims.nonce !== expectedNonce) {
+    throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
+      expected: expectedNonce,
+      claims,
+      claim: "nonce"
+    });
+  }
+  return result;
+}
+async function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {
+  const result = await processGenericAccessTokenResponse(as, client, response, undefined, decryptFn, recognizedTokenTypes);
+  const claims = getValidatedIdTokenClaims(result);
+  if (claims) {
+    if (client.default_max_age !== undefined) {
+      assertNumber(client.default_max_age, true, '"client.default_max_age"');
+      const now = epochTime() + getClockSkew(client);
+      const tolerance = getClockTolerance(client);
+      if (claims.auth_time + client.default_max_age < now - tolerance) {
+        throw OPE("too much time has elapsed since the last End-User authentication", JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: "auth_time" });
+      }
+    }
+    if (claims.nonce !== undefined) {
+      throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
+        expected: undefined,
+        claims,
+        claim: "nonce"
+      });
+    }
+  }
+  return result;
+}
+var WWW_AUTHENTICATE_CHALLENGE = "OAUTH_WWW_AUTHENTICATE_CHALLENGE";
+var RESPONSE_BODY_ERROR = "OAUTH_RESPONSE_BODY_ERROR";
+var UNSUPPORTED_OPERATION = "OAUTH_UNSUPPORTED_OPERATION";
+var AUTHORIZATION_RESPONSE_ERROR = "OAUTH_AUTHORIZATION_RESPONSE_ERROR";
+var PARSE_ERROR = "OAUTH_PARSE_ERROR";
+var INVALID_RESPONSE = "OAUTH_INVALID_RESPONSE";
+var RESPONSE_IS_NOT_JSON = "OAUTH_RESPONSE_IS_NOT_JSON";
+var RESPONSE_IS_NOT_CONFORM = "OAUTH_RESPONSE_IS_NOT_CONFORM";
+var HTTP_REQUEST_FORBIDDEN = "OAUTH_HTTP_REQUEST_FORBIDDEN";
+var REQUEST_PROTOCOL_FORBIDDEN = "OAUTH_REQUEST_PROTOCOL_FORBIDDEN";
+var JWT_TIMESTAMP_CHECK = "OAUTH_JWT_TIMESTAMP_CHECK_FAILED";
+var JWT_CLAIM_COMPARISON = "OAUTH_JWT_CLAIM_COMPARISON_FAILED";
+var MISSING_SERVER_METADATA = "OAUTH_MISSING_SERVER_METADATA";
+var INVALID_SERVER_METADATA = "OAUTH_INVALID_SERVER_METADATA";
+function assertReadableResponse(response) {
+  if (response.bodyUsed) {
+    throw CodedTypeError('"response" body has been used already', ERR_INVALID_ARG_VALUE);
+  }
+}
+function checkRsaKeyAlgorithm(key) {
+  const { algorithm } = key;
+  if (typeof algorithm.modulusLength !== "number" || algorithm.modulusLength < 2048) {
+    throw new UnsupportedOperationError(`unsupported ${algorithm.name} modulusLength`, {
+      cause: key
+    });
+  }
+}
+function ecdsaHashName(key) {
+  const { algorithm } = key;
+  switch (algorithm.namedCurve) {
+    case "P-256":
+      return "SHA-256";
+    case "P-384":
+      return "SHA-384";
+    case "P-521":
+      return "SHA-512";
+    default:
+      throw new UnsupportedOperationError("unsupported ECDSA namedCurve", { cause: key });
+  }
+}
+function keyToSubtle(key) {
+  switch (key.algorithm.name) {
+    case "ECDSA":
+      return {
+        name: key.algorithm.name,
+        hash: ecdsaHashName(key)
+      };
+    case "RSA-PSS": {
+      checkRsaKeyAlgorithm(key);
+      switch (key.algorithm.hash.name) {
+        case "SHA-256":
+        case "SHA-384":
+        case "SHA-512":
+          return {
+            name: key.algorithm.name,
+            saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3
+          };
+        default:
+          throw new UnsupportedOperationError("unsupported RSA-PSS hash name", { cause: key });
+      }
+    }
+    case "RSASSA-PKCS1-v1_5":
+      checkRsaKeyAlgorithm(key);
+      return key.algorithm.name;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+    case "Ed25519":
+      return key.algorithm.name;
+  }
+  throw new UnsupportedOperationError("unsupported CryptoKey algorithm name", { cause: key });
+}
+async function validateJwt(jws, checkAlg, clockSkew2, clockTolerance2, decryptJwt) {
+  let { 0: protectedHeader, 1: payload, length } = jws.split(".");
+  if (length === 5) {
+    if (decryptJwt !== undefined) {
+      jws = await decryptJwt(jws);
+      ({ 0: protectedHeader, 1: payload, length } = jws.split("."));
+    } else {
+      throw new UnsupportedOperationError("JWE decryption is not configured", { cause: jws });
+    }
+  }
+  if (length !== 3) {
+    throw OPE("Invalid JWT", INVALID_RESPONSE, jws);
+  }
+  let header;
+  try {
+    header = JSON.parse(buf(b64u(protectedHeader)));
+  } catch (cause) {
+    throw OPE("failed to parse JWT Header body as base64url encoded JSON", PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(header)) {
+    throw OPE("JWT Header must be a top level object", INVALID_RESPONSE, jws);
+  }
+  checkAlg(header);
+  if (header.crit !== undefined) {
+    throw new UnsupportedOperationError('no JWT "crit" header parameter extensions are supported', {
+      cause: { header }
+    });
+  }
+  let claims;
+  try {
+    claims = JSON.parse(buf(b64u(payload)));
+  } catch (cause) {
+    throw OPE("failed to parse JWT Payload body as base64url encoded JSON", PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(claims)) {
+    throw OPE("JWT Payload must be a top level object", INVALID_RESPONSE, jws);
+  }
+  const now = epochTime() + clockSkew2;
+  if (claims.exp !== undefined) {
+    if (typeof claims.exp !== "number") {
+      throw OPE('unexpected JWT "exp" (expiration time) claim type', INVALID_RESPONSE, { claims });
+    }
+    if (claims.exp <= now - clockTolerance2) {
+      throw OPE('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp', JWT_TIMESTAMP_CHECK, { claims, now, tolerance: clockTolerance2, claim: "exp" });
+    }
+  }
+  if (claims.iat !== undefined) {
+    if (typeof claims.iat !== "number") {
+      throw OPE('unexpected JWT "iat" (issued at) claim type', INVALID_RESPONSE, { claims });
+    }
+  }
+  if (claims.iss !== undefined) {
+    if (typeof claims.iss !== "string") {
+      throw OPE('unexpected JWT "iss" (issuer) claim type', INVALID_RESPONSE, { claims });
+    }
+  }
+  if (claims.nbf !== undefined) {
+    if (typeof claims.nbf !== "number") {
+      throw OPE('unexpected JWT "nbf" (not before) claim type', INVALID_RESPONSE, { claims });
+    }
+    if (claims.nbf > now + clockTolerance2) {
+      throw OPE('unexpected JWT "nbf" (not before) claim value', JWT_TIMESTAMP_CHECK, {
+        claims,
+        now,
+        tolerance: clockTolerance2,
+        claim: "nbf"
+      });
+    }
+  }
+  if (claims.aud !== undefined) {
+    if (typeof claims.aud !== "string" && !Array.isArray(claims.aud)) {
+      throw OPE('unexpected JWT "aud" (audience) claim type', INVALID_RESPONSE, { claims });
+    }
+  }
+  return { header, claims, jwt: jws };
+}
+function checkSigningAlgorithm(client, issuer, fallback, header) {
+  if (client !== undefined) {
+    if (typeof client === "string" ? header.alg !== client : !client.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: client,
+        reason: "client configuration"
+      });
+    }
+    return;
+  }
+  if (Array.isArray(issuer)) {
+    if (!issuer.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: issuer,
+        reason: "authorization server metadata"
+      });
+    }
+    return;
+  }
+  if (fallback !== undefined) {
+    if (typeof fallback === "string" ? header.alg !== fallback : typeof fallback === "function" ? !fallback(header.alg) : !fallback.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: fallback,
+        reason: "default value"
+      });
+    }
+    return;
+  }
+  throw OPE('missing client or server configuration to verify used JWT "alg" header parameter', undefined, { client, issuer, fallback });
+}
+function getURLSearchParameter(parameters, name) {
+  const { 0: value, length } = parameters.getAll(name);
+  if (length > 1) {
+    throw OPE(`"${name}" parameter must be provided only once`, INVALID_RESPONSE);
+  }
+  return value;
+}
+var skipStateCheck = Symbol();
+var expectNoState = Symbol();
+function validateAuthResponse(as, client, parameters, expectedState) {
+  assertAs(as);
+  assertClient(client);
+  if (parameters instanceof URL) {
+    parameters = parameters.searchParams;
+  }
+  if (!(parameters instanceof URLSearchParams)) {
+    throw CodedTypeError('"parameters" must be an instance of URLSearchParams, or URL', ERR_INVALID_ARG_TYPE);
+  }
+  if (getURLSearchParameter(parameters, "response")) {
+    throw OPE('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()', INVALID_RESPONSE, { parameters });
+  }
+  const iss = getURLSearchParameter(parameters, "iss");
+  const state = getURLSearchParameter(parameters, "state");
+  if (!iss && as.authorization_response_iss_parameter_supported) {
+    throw OPE('response parameter "iss" (issuer) missing', INVALID_RESPONSE, { parameters });
+  }
+  if (iss && iss !== as.issuer) {
+    throw OPE('unexpected "iss" (issuer) response parameter value', INVALID_RESPONSE, {
+      expected: as.issuer,
+      parameters
+    });
+  }
+  switch (expectedState) {
+    case undefined:
+    case expectNoState:
+      if (state !== undefined) {
+        throw OPE('unexpected "state" response parameter encountered', INVALID_RESPONSE, {
+          expected: undefined,
+          parameters
+        });
+      }
+      break;
+    case skipStateCheck:
+      break;
+    default:
+      assertString(expectedState, '"expectedState" argument');
+      if (state !== expectedState) {
+        throw OPE(state === undefined ? 'response parameter "state" missing' : 'unexpected "state" response parameter value', INVALID_RESPONSE, { expected: expectedState, parameters });
+      }
+  }
+  const error = getURLSearchParameter(parameters, "error");
+  if (error) {
+    throw new AuthorizationResponseError("authorization response from the server is an error", {
+      cause: parameters
+    });
+  }
+  const id_token = getURLSearchParameter(parameters, "id_token");
+  const token = getURLSearchParameter(parameters, "token");
+  if (id_token !== undefined || token !== undefined) {
+    throw new UnsupportedOperationError("implicit and hybrid flows are not supported");
+  }
+  return brand(new URLSearchParams(parameters));
+}
+async function getResponseJsonBody(response, check = assertApplicationJson) {
+  let json;
+  try {
+    json = await response.json();
+  } catch (cause) {
+    check(response);
+    throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(json)) {
+    throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json });
+  }
+  return json;
+}
+var _nodiscoverycheck = Symbol();
+var _expectedIssuer = Symbol();
+
+// src/shared/oauth/refresh.ts
+function buildProviderRefreshConfig(config) {
+  if (!config.PROVIDER_CLIENT_ID || !config.PROVIDER_CLIENT_SECRET || !config.PROVIDER_ACCOUNTS_URL) {
+    return;
+  }
+  return {
+    clientId: config.PROVIDER_CLIENT_ID,
+    clientSecret: config.PROVIDER_CLIENT_SECRET,
+    accountsUrl: config.PROVIDER_ACCOUNTS_URL,
+    tokenEndpointPath: config.OAUTH_TOKEN_URL
+  };
+}
+function buildAuthorizationServer(config) {
+  const tokenEndpoint = config.tokenEndpointPath || "/token";
+  return {
+    issuer: config.accountsUrl,
+    token_endpoint: new URL(tokenEndpoint, config.accountsUrl).toString()
+  };
+}
+async function refreshProviderToken(refreshToken, config) {
+  const authServer = buildAuthorizationServer(config);
+  const client = {
+    client_id: config.clientId,
+    token_endpoint_auth_method: "client_secret_post"
+  };
+  sharedLogger.debug("oauth_refresh", {
+    message: "Refreshing provider token",
+    tokenUrl: authServer.token_endpoint
+  });
+  try {
+    const clientAuth = ClientSecretPost(config.clientSecret);
+    const response = await refreshTokenGrantRequest(authServer, client, clientAuth, refreshToken);
+    const result = await processRefreshTokenResponse(authServer, client, response);
+    const accessToken = result.access_token;
+    if (!accessToken) {
+      return {
+        success: false,
+        error: "No access_token in provider response"
+      };
+    }
+    sharedLogger.info("oauth_refresh", {
+      message: "Provider token refreshed",
+      hasNewRefreshToken: !!result.refresh_token
+    });
+    return {
+      success: true,
+      tokens: {
+        access_token: accessToken,
+        refresh_token: result.refresh_token ?? refreshToken,
+        expires_at: Date.now() + (result.expires_in ?? 3600) * 1000,
+        scopes: (result.scope || "").split(/\s+/).filter(Boolean)
+      }
+    };
+  } catch (error) {
+    if (error instanceof ResponseBodyError) {
+      sharedLogger.error("oauth_refresh", {
+        message: "Provider refresh failed",
+        error: error.error,
+        description: error.error_description
+      });
+      return {
+        success: false,
+        error: `Provider returned ${error.error}: ${error.error_description || ""}`.trim()
+      };
+    }
+    sharedLogger.error("oauth_refresh", {
+      message: "Token refresh network error",
+      error: error.message
+    });
+    return {
+      success: false,
+      error: `Network error: ${error.message}`
+    };
+  }
+}
+var EXPIRY_BUFFER_MS = 60000;
+var REFRESH_COOLDOWN_MS = 30000;
+var recentlyRefreshed = new Map;
+function shouldSkipRefresh(rsToken) {
+  const lastRefresh = recentlyRefreshed.get(rsToken);
+  if (lastRefresh && Date.now() - lastRefresh < REFRESH_COOLDOWN_MS) {
+    return true;
+  }
+  return false;
+}
+function markRefreshed(rsToken) {
+  recentlyRefreshed.set(rsToken, Date.now());
+  if (recentlyRefreshed.size > 1000) {
+    const now = Date.now();
+    for (const [key, timestamp] of recentlyRefreshed) {
+      if (now - timestamp > REFRESH_COOLDOWN_MS) {
+        recentlyRefreshed.delete(key);
+      }
+    }
+  }
+}
+function isTokenExpiredOrExpiring(expiresAt, bufferMs = EXPIRY_BUFFER_MS) {
+  if (!expiresAt)
+    return false;
+  return Date.now() >= expiresAt - bufferMs;
+}
+async function ensureFreshToken(rsAccessToken, tokenStore, providerConfig) {
+  const record = await tokenStore.getByRsAccess(rsAccessToken);
+  if (!record?.provider?.access_token) {
+    return { accessToken: "", wasRefreshed: false };
+  }
+  if (!isTokenExpiredOrExpiring(record.provider.expires_at)) {
+    return { accessToken: record.provider.access_token, wasRefreshed: false };
+  }
+  if (shouldSkipRefresh(rsAccessToken)) {
+    sharedLogger.debug("oauth_refresh", {
+      message: "Token refresh throttled (recently refreshed in this process)"
+    });
+    return { accessToken: record.provider.access_token, wasRefreshed: false };
+  }
+  sharedLogger.info("oauth_refresh", {
+    message: "Token near expiry, attempting refresh",
+    expiresAt: record.provider.expires_at,
+    now: Date.now()
+  });
+  if (!record.provider.refresh_token) {
+    sharedLogger.warning("oauth_refresh", {
+      message: "Token near expiry but no refresh token available"
+    });
+    return { accessToken: record.provider.access_token, wasRefreshed: false };
+  }
+  if (!providerConfig) {
+    sharedLogger.warning("oauth_refresh", {
+      message: "Token near expiry but no provider config for refresh"
+    });
+    return { accessToken: record.provider.access_token, wasRefreshed: false };
+  }
+  const result = await refreshProviderToken(record.provider.refresh_token, providerConfig);
+  if (!result.success || !result.tokens) {
+    sharedLogger.error("oauth_refresh", {
+      message: "Token refresh failed, using existing token",
+      error: result.error
+    });
+    return { accessToken: record.provider.access_token, wasRefreshed: false };
+  }
+  const providerRefreshRotated = result.tokens.refresh_token !== record.provider.refresh_token;
+  const newRsAccess = providerRefreshRotated ? undefined : record.rs_access_token;
+  try {
+    await tokenStore.updateByRsRefresh(record.rs_refresh_token, result.tokens, newRsAccess);
+    markRefreshed(rsAccessToken);
+    sharedLogger.info("oauth_refresh", {
+      message: "Token store updated with refreshed tokens",
+      rsAccessRotated: providerRefreshRotated
+    });
+    return { accessToken: result.tokens.access_token, wasRefreshed: true };
+  } catch (error) {
+    sharedLogger.error("oauth_refresh", {
+      message: "Failed to update token store",
+      error: error.message
+    });
+    return { accessToken: result.tokens.access_token, wasRefreshed: true };
+  }
+}
+
+// src/shared/mcp/security.ts
+function validateOrigin(headers, isDev) {
+  const origin = headers.get("Origin") || headers.get("origin");
+  if (!origin) {
+    return;
+  }
+  if (isDev) {
+    if (!isLocalhostOrigin(origin)) {
+      throw new Error(`Invalid origin: ${origin}. Only localhost allowed in development`);
+    }
+    return;
+  }
+  if (!isAllowedOrigin(origin)) {
+    throw new Error(`Invalid origin: ${origin}`);
+  }
+}
+var SUPPORTED_PROTOCOL_VERSIONS2 = [
+  "2025-11-25",
+  "2025-06-18",
+  "2025-03-26",
+  "2024-11-05"
+];
+function validateProtocolVersion(headers, _expected) {
+  const header = headers.get("Mcp-Protocol-Version") || headers.get("MCP-Protocol-Version");
+  if (!header) {
+    return;
+  }
+  const clientVersions = header.split(",").map((v) => v.trim()).filter(Boolean);
+  const hasSupported = clientVersions.some((v) => SUPPORTED_PROTOCOL_VERSIONS2.includes(v));
+  if (!hasSupported) {
+    throw new Error(`Unsupported MCP protocol version: ${header}. Supported: ${SUPPORTED_PROTOCOL_VERSIONS2.join(", ")}`);
+  }
+}
+function isLocalhostOrigin(origin) {
+  try {
+    const url = new URL(origin);
+    const hostname = url.hostname.toLowerCase();
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname.startsWith("192.168.") || hostname.startsWith("10.") || hostname.endsWith(".local");
+  } catch {
+    return false;
+  }
+}
+function isAllowedOrigin(_origin) {
+  return true;
+}
+function buildUnauthorizedChallenge(args) {
+  const resourcePath = args.resourcePath || "/.well-known/oauth-protected-resource";
+  const resourceMd = `${args.origin}${resourcePath}?sid=${encodeURIComponent(args.sid)}`;
+  return {
+    status: 401,
+    headers: {
+      "WWW-Authenticate": `Bearer realm="MCP", authorization_uri="${resourceMd}"`,
+      "Mcp-Session-Id": args.sid
+    },
+    body: {
+      jsonrpc: "2.0",
+      error: {
+        code: -32000,
+        message: args.message || "Unauthorized"
+      },
+      id: null
+    }
+  };
+}
+
+// src/shared/oauth/discovery.ts
+function buildAuthorizationServerMetadata(baseUrl, scopes, overrides) {
+  return {
+    issuer: baseUrl,
+    authorization_endpoint: overrides?.authorizationEndpoint || `${baseUrl}/authorize`,
+    token_endpoint: overrides?.tokenEndpoint || `${baseUrl}/token`,
+    revocation_endpoint: overrides?.revocationEndpoint || `${baseUrl}/revoke`,
+    registration_endpoint: `${baseUrl}/register`,
+    response_types_supported: ["code"],
+    grant_types_supported: ["authorization_code", "refresh_token"],
+    code_challenge_methods_supported: ["S256"],
+    token_endpoint_auth_methods_supported: ["none"],
+    scopes_supported: scopes,
+    client_id_metadata_document_supported: overrides?.cimdEnabled ?? true
+  };
+}
+function buildProtectedResourceMetadata(resourceUrl, authorizationServerUrl, sid) {
+  const resource = (() => {
+    if (!sid) {
+      return resourceUrl;
+    }
+    try {
+      const u = new URL(resourceUrl);
+      u.searchParams.set("sid", sid);
+      return u.toString();
+    } catch {
+      return resourceUrl;
+    }
+  })();
+  return {
+    authorization_servers: [authorizationServerUrl],
+    resource
+  };
+}
+
+// src/shared/oauth/discovery-handlers.ts
+function createDiscoveryHandlers(config, strategy) {
+  const scopes = config.OAUTH_SCOPES.split(/\s+/).map((scope) => scope.trim()).filter(Boolean);
+  return {
+    authorizationMetadata: (requestUrl) => {
+      const baseUrl = strategy.resolveAuthBaseUrl(requestUrl, config);
+      return buildAuthorizationServerMetadata(baseUrl, scopes, {
+        authorizationEndpoint: `${baseUrl}/authorize`,
+        tokenEndpoint: `${baseUrl}/token`,
+        revocationEndpoint: `${baseUrl}/revoke`,
+        cimdEnabled: config.CIMD_ENABLED
+      });
+    },
+    protectedResourceMetadata: (requestUrl, sid) => {
+      const resourceBase = strategy.resolveResourceBaseUrl(requestUrl, config);
+      const authorizationServerUrl = config.AUTH_DISCOVERY_URL || strategy.resolveAuthorizationServerUrl(requestUrl, config);
+      return buildProtectedResourceMetadata(resourceBase, authorizationServerUrl, sid);
+    }
+  };
+}
+var workerDiscoveryStrategy = {
+  resolveAuthBaseUrl: (requestUrl) => requestUrl.origin,
+  resolveAuthorizationServerUrl: (requestUrl) => `${requestUrl.origin}/.well-known/oauth-authorization-server`,
+  resolveResourceBaseUrl: (requestUrl) => `${requestUrl.origin}/mcp`
+};
+var nodeDiscoveryStrategy = {
+  resolveAuthBaseUrl: (requestUrl, config) => {
+    const authPort = Number(config.PORT) + 1;
+    return `${requestUrl.protocol}//${requestUrl.hostname}:${authPort}`;
+  },
+  resolveAuthorizationServerUrl: (requestUrl, config) => {
+    const authPort = Number(config.PORT) + 1;
+    return `${requestUrl.protocol}//${requestUrl.hostname}:${authPort}/.well-known/oauth-authorization-server`;
+  },
+  resolveResourceBaseUrl: (requestUrl) => `${requestUrl.protocol}//${requestUrl.host}/mcp`
+};
+
+// src/shared/oauth/ssrf.ts
+var BLOCKED_HOSTS = new Set([
+  "localhost",
+  "127.0.0.1",
+  "::1",
+  "0.0.0.0",
+  "[::1]"
+]);
+var PRIVATE_IP_PATTERNS = [
+  /^10\./,
+  /^172\.(1[6-9]|2\d|3[01])\./,
+  /^192\.168\./,
+  /^169\.254\./,
+  /^fc00:/i,
+  /^fd00:/i,
+  /^fe80:/i
+];
+var BLOCKED_DOMAIN_PATTERNS = [
+  /\.local$/i,
+  /\.internal$/i,
+  /\.localhost$/i,
+  /\.localdomain$/i,
+  /\.corp$/i,
+  /\.lan$/i
+];
+function isPrivateIp(hostname) {
+  for (const pattern of PRIVATE_IP_PATTERNS) {
+    if (pattern.test(hostname)) {
+      return true;
+    }
+  }
+  return false;
+}
+function isBlockedDomain(hostname) {
+  const lower = hostname.toLowerCase();
+  for (const pattern of BLOCKED_DOMAIN_PATTERNS) {
+    if (pattern.test(lower)) {
+      return true;
+    }
+  }
+  return false;
+}
+function checkSsrfSafe(urlString, options) {
+  const requireNonRootPath = options?.requireNonRootPath ?? true;
+  let url;
+  try {
+    url = new URL(urlString);
+  } catch {
+    return { safe: false, reason: "invalid_url" };
+  }
+  if (url.protocol !== "https:") {
+    return { safe: false, reason: "https_required" };
+  }
+  const hostname = url.hostname.toLowerCase();
+  if (BLOCKED_HOSTS.has(hostname)) {
+    return { safe: false, reason: "blocked_host" };
+  }
+  if (isPrivateIp(hostname)) {
+    return { safe: false, reason: "private_ip" };
+  }
+  if (isBlockedDomain(hostname)) {
+    return { safe: false, reason: "internal_domain" };
+  }
+  if (requireNonRootPath && (url.pathname === "/" || url.pathname === "")) {
+    return { safe: false, reason: "root_path_not_allowed" };
+  }
+  return { safe: true };
+}
+function isSsrfSafe(urlString, options) {
+  return checkSsrfSafe(urlString, options).safe;
+}
+function assertSsrfSafe(urlString, options) {
+  const result = checkSsrfSafe(urlString, options);
+  if (result.safe === false) {
+    throw new Error(`ssrf_blocked: ${result.reason}`);
+  }
+}
+
+// src/shared/oauth/cimd.ts
+var ClientMetadataSchema = exports_external.object({
+  client_id: exports_external.string().url(),
+  client_name: exports_external.string().optional(),
+  redirect_uris: exports_external.array(exports_external.string().url()),
+  client_uri: exports_external.string().url().optional(),
+  logo_uri: exports_external.string().url().optional(),
+  tos_uri: exports_external.string().url().optional(),
+  policy_uri: exports_external.string().url().optional(),
+  jwks_uri: exports_external.string().url().optional(),
+  software_statement: exports_external.string().optional()
+});
+function isClientIdUrl(clientId) {
+  if (!clientId.startsWith("https://")) {
+    return false;
+  }
+  try {
+    const url = new URL(clientId);
+    return url.pathname !== "/" && url.pathname.length > 1;
+  } catch {
+    return false;
+  }
+}
+function isDomainAllowed(clientIdUrl, allowedDomains) {
+  if (!allowedDomains || allowedDomains.length === 0) {
+    return true;
+  }
+  try {
+    const url = new URL(clientIdUrl);
+    const hostname = url.hostname.toLowerCase();
+    return allowedDomains.some((domain) => {
+      const d = domain.toLowerCase();
+      return hostname === d || hostname.endsWith(`.${d}`);
+    });
+  } catch {
+    return false;
+  }
+}
+async function fetchClientMetadata(clientIdUrl, config) {
+  const timeoutMs = config?.timeoutMs ?? 5000;
+  const maxBytes = config?.maxBytes ?? 65536;
+  const allowedDomains = config?.allowedDomains;
+  sharedLogger.debug("cimd", {
+    message: "Fetching client metadata",
+    url: clientIdUrl
+  });
+  try {
+    assertSsrfSafe(clientIdUrl, { requireNonRootPath: true });
+  } catch (error) {
+    sharedLogger.warning("cimd", {
+      message: "SSRF check failed",
+      url: clientIdUrl,
+      error: error.message
+    });
+    return { success: false, error: error.message };
+  }
+  if (!isDomainAllowed(clientIdUrl, allowedDomains)) {
+    sharedLogger.warning("cimd", {
+      message: "Domain not in allowlist",
+      url: clientIdUrl
+    });
+    return { success: false, error: "domain_not_allowed" };
+  }
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(clientIdUrl, {
+      signal: controller.signal,
+      headers: {
+        Accept: "application/json",
+        "User-Agent": "MCP-Server/1.0 CIMD-Fetcher"
+      },
+      redirect: "manual"
+    });
+    if (!response.ok) {
+      sharedLogger.warning("cimd", {
+        message: "Fetch failed",
+        url: clientIdUrl,
+        status: response.status
+      });
+      return { success: false, error: `fetch_failed: ${response.status}` };
+    }
+    const contentLength = response.headers.get("content-length");
+    if (contentLength && parseInt(contentLength, 10) > maxBytes) {
+      sharedLogger.warning("cimd", {
+        message: "Response too large",
+        url: clientIdUrl,
+        contentLength
+      });
+      return { success: false, error: "metadata_too_large" };
+    }
+    const contentType = response.headers.get("content-type") || "";
+    if (!contentType.includes("application/json") && !contentType.includes("text/json")) {
+      sharedLogger.warning("cimd", {
+        message: "Invalid content type",
+        url: clientIdUrl,
+        contentType
+      });
+      return { success: false, error: "invalid_content_type" };
+    }
+    const text = await response.text();
+    if (text.length > maxBytes) {
+      return { success: false, error: "metadata_too_large" };
+    }
+    let data;
+    try {
+      data = JSON.parse(text);
+    } catch {
+      return { success: false, error: "invalid_json" };
+    }
+    const parsed = ClientMetadataSchema.safeParse(data);
+    if (!parsed.success) {
+      sharedLogger.warning("cimd", {
+        message: "Invalid metadata schema",
+        url: clientIdUrl,
+        errors: parsed.error.issues
+      });
+      return {
+        success: false,
+        error: `invalid_metadata: ${parsed.error.message}`
+      };
+    }
+    if (parsed.data.client_id !== clientIdUrl) {
+      sharedLogger.warning("cimd", {
+        message: "client_id mismatch",
+        url: clientIdUrl,
+        metadataClientId: parsed.data.client_id
+      });
+      return { success: false, error: "client_id_mismatch" };
+    }
+    sharedLogger.info("cimd", {
+      message: "Client metadata fetched",
+      url: clientIdUrl,
+      clientName: parsed.data.client_name,
+      redirectUrisCount: parsed.data.redirect_uris.length
+    });
+    return { success: true, metadata: parsed.data };
+  } catch (error) {
+    if (error.name === "AbortError") {
+      sharedLogger.warning("cimd", {
+        message: "Fetch timeout",
+        url: clientIdUrl
+      });
+      return { success: false, error: "fetch_timeout" };
+    }
+    sharedLogger.error("cimd", {
+      message: "Fetch error",
+      url: clientIdUrl,
+      error: error.message
+    });
+    return {
+      success: false,
+      error: `fetch_error: ${error.message}`
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+function validateRedirectUri(metadata, redirectUri) {
+  return metadata.redirect_uris.includes(redirectUri);
+}
+
+// src/shared/oauth/flow.ts
+function generateOpaqueToken(bytes = 32) {
+  const array = new Uint8Array(bytes);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+function buildAuthorizationServer2(providerConfig) {
+  const authEndpoint = providerConfig.authorizationEndpointPath || "/authorize";
+  const tokenEndpoint = providerConfig.tokenEndpointPath || "/token";
+  return {
+    issuer: providerConfig.accountsUrl,
+    authorization_endpoint: new URL(authEndpoint, providerConfig.accountsUrl).toString(),
+    token_endpoint: new URL(tokenEndpoint, providerConfig.accountsUrl).toString()
+  };
+}
+function buildOAuthClient(providerConfig) {
+  return {
+    client_id: providerConfig.clientId || "",
+    token_endpoint_auth_method: "client_secret_post"
+  };
+}
+function isAllowedRedirect(uri, config, isDev) {
+  try {
+    const allowed = new Set(config.redirectAllowlist.concat([config.redirectUri]).filter(Boolean));
+    const url = new URL(uri);
+    if (isDev) {
+      const loopback = new Set(["localhost", "127.0.0.1", "::1"]);
+      if (loopback.has(url.hostname)) {
+        return true;
+      }
+    }
+    if (config.redirectAllowAll) {
+      return true;
+    }
+    return allowed.has(`${url.protocol}//${url.host}${url.pathname}`) || allowed.has(uri);
+  } catch {
+    return false;
+  }
+}
+async function handleAuthorize(input, store, providerConfig, oauthConfig, options) {
+  if (!input.redirectUri) {
+    throw new Error("invalid_request: redirect_uri is required");
+  }
+  if (!input.codeChallenge || input.codeChallengeMethod !== "S256") {
+    throw new Error("invalid_request: PKCE code_challenge with S256 method is required");
+  }
+  let clientMetadata = null;
+  const cimdEnabled = options.cimd?.enabled ?? true;
+  if (input.clientId && isClientIdUrl(input.clientId)) {
+    if (!cimdEnabled) {
+      sharedLogger.warning("oauth_authorize", {
+        message: "CIMD client_id received but CIMD is disabled",
+        clientId: input.clientId
+      });
+      throw new Error("invalid_client: URL-based client_id not supported");
+    }
+    sharedLogger.debug("oauth_authorize", {
+      message: "CIMD client_id detected, fetching metadata",
+      clientId: input.clientId
+    });
+    const result = await fetchClientMetadata(input.clientId, {
+      timeoutMs: options.cimd?.timeoutMs,
+      maxBytes: options.cimd?.maxBytes,
+      allowedDomains: options.cimd?.allowedDomains
+    });
+    if (result.success === false) {
+      sharedLogger.error("oauth_authorize", {
+        message: "CIMD metadata fetch failed",
+        clientId: input.clientId,
+        error: result.error
+      });
+      throw new Error(`invalid_client: ${result.error}`);
+    }
+    clientMetadata = result.metadata;
+    if (!validateRedirectUri(clientMetadata, input.redirectUri)) {
+      sharedLogger.error("oauth_authorize", {
+        message: "redirect_uri not in client metadata",
+        clientId: input.clientId,
+        redirectUri: input.redirectUri,
+        allowedUris: clientMetadata.redirect_uris
+      });
+      throw new Error("invalid_request: redirect_uri not registered for this client");
+    }
+    sharedLogger.info("oauth_authorize", {
+      message: "CIMD client validated",
+      clientId: input.clientId,
+      clientName: clientMetadata.client_name
+    });
+  }
+  const txnId = generateOpaqueToken(16);
+  await store.saveTransaction(txnId, {
+    codeChallenge: input.codeChallenge,
+    state: input.state,
+    createdAt: Date.now(),
+    scope: input.requestedScope,
+    sid: input.sid,
+    clientRedirectUri: input.redirectUri
+  });
+  sharedLogger.debug("oauth_authorize", {
+    message: "Transaction saved",
+    txnId,
+    redirectUri: input.redirectUri
+  });
+  sharedLogger.debug("oauth_authorize", {
+    message: "Checking provider configuration",
+    hasClientId: !!providerConfig.clientId,
+    hasClientSecret: !!providerConfig.clientSecret
+  });
+  if (providerConfig.clientId && providerConfig.clientSecret) {
+    sharedLogger.info("oauth_authorize", {
+      message: "Using production flow - redirecting to provider"
+    });
+    const authServer = buildAuthorizationServer2(providerConfig);
+    const authorizationEndpoint = authServer.authorization_endpoint;
+    if (!authorizationEndpoint) {
+      throw new Error("Authorization endpoint not configured");
+    }
+    const authUrl = new URL(authorizationEndpoint);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("client_id", providerConfig.clientId);
+    const callbackPath = options.callbackPath || "/oauth/callback";
+    const cb = new URL(callbackPath, options.baseUrl).toString();
+    authUrl.searchParams.set("redirect_uri", cb);
+    const scopeToUse = providerConfig.oauthScopes || input.requestedScope || "";
+    if (scopeToUse) {
+      authUrl.searchParams.set("scope", scopeToUse);
+    }
+    const compositeState = base64UrlEncodeJson({
+      tid: txnId,
+      cs: input.state,
+      cr: input.redirectUri,
+      sid: input.sid
+    }) || txnId;
+    authUrl.searchParams.set("state", compositeState);
+    if (providerConfig.extraAuthParams) {
+      const extraParams = new URLSearchParams(providerConfig.extraAuthParams);
+      for (const [key, value] of extraParams) {
+        authUrl.searchParams.set(key, value);
+      }
+    }
+    sharedLogger.debug("oauth_authorize", {
+      message: "Redirect URL constructed",
+      url: authUrl.origin + authUrl.pathname,
+      hasExtraParams: !!providerConfig.extraAuthParams
+    });
+    return {
+      redirectTo: authUrl.toString(),
+      txnId
+    };
+  }
+  sharedLogger.warning("oauth_authorize", {
+    message: "Missing provider credentials - using dev shortcut"
+  });
+  const code = generateOpaqueToken(16);
+  await store.saveCode(code, txnId);
+  const safe = isAllowedRedirect(input.redirectUri, oauthConfig, options.isDev) ? input.redirectUri : oauthConfig.redirectUri;
+  const redirect = new URL(safe);
+  redirect.searchParams.set("code", code);
+  if (input.state) {
+    redirect.searchParams.set("state", input.state);
+  }
+  return {
+    redirectTo: redirect.toString(),
+    txnId
+  };
+}
+async function handleProviderCallback(input, store, providerConfig, oauthConfig, options) {
+  const decodedObj = base64UrlDecodeJson(input.compositeState);
+  let decoded;
+  if (decodedObj) {
+    decoded = decodedObj;
+    sharedLogger.debug("oauth_callback", {
+      message: "State decoded successfully",
+      decoded
+    });
+  } else {
+    sharedLogger.debug("oauth_callback", {
+      message: "State is not JSON-encoded, treating as raw txnId",
+      compositeState: input.compositeState
+    });
+    decoded = {};
+  }
+  sharedLogger.debug("oauth_callback", {
+    message: "State decoded",
+    compositeState: input.compositeState,
+    decoded
+  });
+  if (!decoded.tid && !input.compositeState) {
+    sharedLogger.error("oauth_callback", {
+      message: "Invalid state parameter",
+      compositeState: input.compositeState
+    });
+    throw new Error("invalid_state");
+  }
+  const txnId = decoded.tid || input.compositeState;
+  const txn = await store.getTransaction(txnId);
+  if (!txn) {
+    sharedLogger.error("oauth_callback", {
+      message: "Transaction not found",
+      txnId,
+      decoded,
+      compositeStateLength: input.compositeState?.length
+    });
+    throw new Error("unknown_txn");
+  }
+  const callbackPath = options.callbackPath || "/oauth/callback";
+  const redirectUri = new URL(callbackPath, options.baseUrl).toString();
+  const authServer = buildAuthorizationServer2(providerConfig);
+  const client = buildOAuthClient(providerConfig);
+  sharedLogger.debug("oauth_callback", {
+    message: "Exchanging code for tokens",
+    tokenUrl: authServer.token_endpoint
+  });
+  const rawParams = new URLSearchParams;
+  rawParams.set("code", input.providerCode);
+  const callbackParams = validateAuthResponse(authServer, client, rawParams, skipStateCheck);
+  if (!providerConfig.clientSecret) {
+    throw new Error("Server misconfigured: PROVIDER_CLIENT_SECRET is not set");
+  }
+  const clientAuth = ClientSecretPost(providerConfig.clientSecret);
+  try {
+    const response = await authorizationCodeGrantRequest(authServer, client, clientAuth, callbackParams, redirectUri, nopkce);
+    sharedLogger.debug("oauth_callback", {
+      message: "Token response received",
+      status: response.status
+    });
+    const result = await processAuthorizationCodeResponse(authServer, client, response);
+    const accessToken = result.access_token;
+    if (!accessToken) {
+      sharedLogger.error("oauth_callback", {
+        message: "No access token in provider response"
+      });
+      throw new Error("provider_no_token");
+    }
+    const expiresIn = result.expires_in ?? 3600;
+    const expiresAt = Date.now() + expiresIn * 1000;
+    const scopes = (result.scope || "").split(/\s+/).filter(Boolean);
+    const providerTokens = {
+      access_token: accessToken,
+      refresh_token: result.refresh_token,
+      expires_at: expiresAt,
+      scopes
+    };
+    sharedLogger.info("oauth_callback", {
+      message: "Provider tokens received",
+      hasRefreshToken: !!result.refresh_token,
+      expiresIn
+    });
+    txn.provider = providerTokens;
+    await store.saveTransaction(txnId, txn);
+    const asCode = generateOpaqueToken(24);
+    await store.saveCode(asCode, txnId);
+    sharedLogger.debug("oauth_callback", {
+      message: "RS code generated"
+    });
+    const safe = txn.clientRedirectUri ?? (decoded.cr && isAllowedRedirect(decoded.cr, oauthConfig, options.isDev) ? decoded.cr : oauthConfig.redirectUri);
+    const redirect = new URL(safe);
+    redirect.searchParams.set("code", asCode);
+    if (decoded.cs) {
+      redirect.searchParams.set("state", decoded.cs);
+    }
+    return {
+      redirectTo: redirect.toString(),
+      txnId,
+      providerTokens
+    };
+  } catch (error) {
+    if (error instanceof ResponseBodyError) {
+      sharedLogger.error("oauth_callback", {
+        message: "Provider token error",
+        error: error.error,
+        description: error.error_description
+      });
+      throw new Error(`provider_token_error: ${error.error} ${error.error_description || ""}`.trim());
+    }
+    sharedLogger.error("oauth_callback", {
+      message: "Token fetch failed",
+      error: error.message
+    });
+    throw new Error(`fetch_failed: ${error.message}`);
+  }
+}
+async function handleToken(input, store, providerConfig) {
+  if (input.grant === "refresh_token") {
+    sharedLogger.debug("oauth_token", {
+      message: "Processing refresh_token grant"
+    });
+    const rec = await store.getByRsRefresh(input.refreshToken);
+    if (!rec) {
+      sharedLogger.error("oauth_token", {
+        message: "Invalid refresh token"
+      });
+      throw new Error("invalid_grant");
+    }
+    const now = Date.now();
+    const providerExpiresAt = rec.provider.expires_at ?? 0;
+    const isExpiringSoon = now >= providerExpiresAt - 60000;
+    let provider = rec.provider;
+    if (isExpiringSoon && providerConfig) {
+      sharedLogger.info("oauth_token", {
+        message: "Provider token expired/expiring, refreshing",
+        expiresAt: providerExpiresAt,
+        now
+      });
+      if (!rec.provider.refresh_token) {
+        sharedLogger.error("oauth_token", {
+          message: "No provider refresh token available"
+        });
+        throw new Error("provider_token_expired");
+      }
+      const refreshResult = await refreshProviderToken(rec.provider.refresh_token, {
+        clientId: providerConfig.clientId || "",
+        clientSecret: providerConfig.clientSecret || "",
+        accountsUrl: providerConfig.accountsUrl,
+        tokenEndpointPath: providerConfig.tokenEndpointPath
+      });
+      if (!refreshResult.success || !refreshResult.tokens) {
+        sharedLogger.error("oauth_token", {
+          message: "Provider refresh failed",
+          error: refreshResult.error
+        });
+        throw new Error("provider_refresh_failed");
+      }
+      provider = refreshResult.tokens;
+    }
+    const providerRefreshRotated = provider.refresh_token !== rec.provider.refresh_token;
+    const newAccess = providerRefreshRotated ? generateOpaqueToken(24) : undefined;
+    const updated = await store.updateByRsRefresh(input.refreshToken, provider, newAccess);
+    const expiresIn = provider.expires_at ? Math.max(1, Math.floor((provider.expires_at - Date.now()) / 1000)) : 3600;
+    sharedLogger.info("oauth_token", {
+      message: "Token refreshed successfully",
+      providerRefreshed: isExpiringSoon,
+      rsAccessRotated: providerRefreshRotated
+    });
+    return {
+      access_token: newAccess ?? rec.rs_access_token,
+      refresh_token: input.refreshToken,
+      token_type: "bearer",
+      expires_in: expiresIn,
+      scope: (updated?.provider.scopes || []).join(" ")
+    };
+  }
+  sharedLogger.debug("oauth_token", {
+    message: "Processing authorization_code grant"
+  });
+  const txnId = await store.getTxnIdByCode(input.code);
+  if (!txnId) {
+    sharedLogger.error("oauth_token", {
+      message: "Authorization code not found"
+    });
+    throw new Error("invalid_grant");
+  }
+  const txn = await store.getTransaction(txnId);
+  if (!txn) {
+    sharedLogger.error("oauth_token", {
+      message: "Transaction not found for code"
+    });
+    throw new Error("invalid_grant");
+  }
+  const expected = txn.codeChallenge;
+  const actual = await calculatePKCECodeChallenge(input.codeVerifier);
+  if (expected !== actual) {
+    sharedLogger.error("oauth_token", {
+      message: "PKCE verification failed"
+    });
+    throw new Error("invalid_grant");
+  }
+  const rsAccess = generateOpaqueToken(24);
+  const rsRefresh = generateOpaqueToken(24);
+  sharedLogger.debug("oauth_token", {
+    message: "Minting RS tokens",
+    hasProviderTokens: !!txn.provider?.access_token
+  });
+  if (txn.provider?.access_token) {
+    await store.storeRsMapping(rsAccess, txn.provider, rsRefresh);
+    sharedLogger.info("oauth_token", {
+      message: "RS\u2192Provider mapping stored"
+    });
+  } else {
+    sharedLogger.warning("oauth_token", {
+      message: "No provider tokens in transaction - RS mapping not created"
+    });
+  }
+  await store.deleteTransaction(txnId);
+  await store.deleteCode(input.code);
+  sharedLogger.info("oauth_token", {
+    message: "Token exchange completed"
+  });
+  return {
+    access_token: rsAccess,
+    refresh_token: rsRefresh,
+    token_type: "bearer",
+    expires_in: 3600,
+    scope: (txn.provider?.scopes || []).join(" ") || txn.scope || ""
+  };
+}
+
+// src/shared/oauth/endpoints.ts
+async function handleRegister(input, baseUrl, defaultRedirectUri) {
+  const now = Math.floor(Date.now() / 1000);
+  const clientId = generateOpaqueToken(12);
+  const redirectUris = Array.isArray(input.redirect_uris) ? input.redirect_uris : [defaultRedirectUri];
+  const grantTypes = Array.isArray(input.grant_types) ? input.grant_types : ["authorization_code", "refresh_token"];
+  const responseTypes = Array.isArray(input.response_types) ? input.response_types : ["code"];
+  return {
+    client_id: clientId,
+    client_id_issued_at: now,
+    client_secret_expires_at: 0,
+    token_endpoint_auth_method: "none",
+    redirect_uris: redirectUris,
+    grant_types: grantTypes,
+    response_types: responseTypes,
+    registration_client_uri: `${baseUrl}/register/${clientId}`,
+    registration_access_token: generateOpaqueToken(12),
+    ...input.client_name ? { client_name: input.client_name } : {}
+  };
+}
+async function handleRevoke() {
+  return { status: "ok" };
+}
+
+// src/shared/oauth/input-parsers.ts
+function parseAuthorizeInput(url, sessionId) {
+  return {
+    clientId: url.searchParams.get("client_id") ?? undefined,
+    codeChallenge: url.searchParams.get("code_challenge") || "",
+    codeChallengeMethod: url.searchParams.get("code_challenge_method") || "",
+    redirectUri: url.searchParams.get("redirect_uri") || "",
+    requestedScope: url.searchParams.get("scope") ?? undefined,
+    state: url.searchParams.get("state") ?? undefined,
+    sid: url.searchParams.get("sid") || sessionId || undefined
+  };
+}
+function parseCallbackInput(url) {
+  return {
+    code: url.searchParams.get("code"),
+    state: url.searchParams.get("state")
+  };
+}
+async function parseTokenInput(request) {
+  const contentType = request.headers.get("content-type") || "";
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    const text = await request.text();
+    return new URLSearchParams(text);
+  }
+  const json = await request.json().catch(() => ({}));
+  return new URLSearchParams(json);
+}
+function buildTokenInput(form) {
+  const grant = form.get("grant_type");
+  if (grant === "refresh_token") {
+    const refreshToken = form.get("refresh_token");
+    if (!refreshToken) {
+      return { error: "missing_refresh_token" };
+    }
+    return { grant: "refresh_token", refreshToken };
+  }
+  if (grant === "authorization_code") {
+    const code = form.get("code");
+    const codeVerifier = form.get("code_verifier");
+    if (!code || !codeVerifier) {
+      return { error: "missing_code_or_verifier" };
+    }
+    return { grant: "authorization_code", code, codeVerifier };
+  }
+  return { error: "unsupported_grant_type" };
+}
+function buildProviderConfig(config) {
+  return {
+    clientId: config.PROVIDER_CLIENT_ID,
+    clientSecret: config.PROVIDER_CLIENT_SECRET,
+    accountsUrl: config.PROVIDER_ACCOUNTS_URL || "https://provider.example.com",
+    oauthScopes: config.OAUTH_SCOPES,
+    extraAuthParams: config.OAUTH_EXTRA_AUTH_PARAMS,
+    authorizationEndpointPath: config.OAUTH_AUTHORIZATION_URL,
+    tokenEndpointPath: config.OAUTH_TOKEN_URL
+  };
+}
+function buildOAuthConfig(config) {
+  return {
+    redirectUri: config.OAUTH_REDIRECT_URI,
+    redirectAllowlist: config.OAUTH_REDIRECT_ALLOWLIST,
+    redirectAllowAll: config.OAUTH_REDIRECT_ALLOW_ALL
+  };
+}
+function buildFlowOptions(url, config, overrides = {}) {
+  return {
+    baseUrl: config.BASE_URL ?? url.origin,
+    isDev: config.NODE_ENV === "development",
+    callbackPath: overrides.callbackPath ?? "/oauth/provider-callback",
+    tokenEndpointPath: overrides.tokenEndpointPath ?? "/api/token"
+  };
+}
+
+// node_modules/itty-router/index.mjs
+var t = ({ base: e = "", routes: t2 = [], ...o } = {}) => ({ __proto__: new Proxy({}, { get: (o2, r, a, s) => (o3, ...n) => t2.push([r.toUpperCase?.(), RegExp(`^${(s = (e + o3).replace(/\/+(\/|$)/g, "$1")).replace(/(\/?\.?):(\w+)\+/g, "($1(?<$2>*))").replace(/(\/?\.?):(\w+)/g, "($1(?<$2>[^$1/]+?))").replace(/\./g, "\\.").replace(/(\/?)\*/g, "($1.*)?")}/*$`), n, s]) && a }), routes: t2, ...o, async fetch(e2, ...r) {
+  let a, s, n = new URL(e2.url), c = e2.query = { __proto__: null };
+  for (let [e3, t3] of n.searchParams)
+    c[e3] = c[e3] ? [].concat(c[e3], t3) : t3;
+  e:
+    try {
+      for (let t3 of o.before || [])
+        if ((a = await t3(e2.proxy ?? e2, ...r)) != null)
+          break e;
+      t:
+        for (let [o2, c2, l, i] of t2)
+          if ((o2 == e2.method || o2 == "ALL") && (s = n.pathname.match(c2))) {
+            e2.params = s.groups || {}, e2.route = i;
+            for (let t3 of l)
+              if ((a = await t3(e2.proxy ?? e2, ...r)) != null)
+                break t;
+          }
+    } catch (t3) {
+      if (!o.catch)
+        throw t3;
+      a = await o.catch(t3, e2.proxy ?? e2, ...r);
+    }
+  try {
+    for (let t3 of o.finally || [])
+      a = await t3(a, e2.proxy ?? e2, ...r) ?? a;
+  } catch (t3) {
+    if (!o.catch)
+      throw t3;
+    a = await o.catch(t3, e2.proxy ?? e2, ...r);
+  }
+  return a;
+} });
+var o = (e = "text/plain; charset=utf-8", t2) => (o2, r = {}) => {
+  if (o2 === undefined || o2 instanceof Response)
+    return o2;
+  const a = new Response(t2?.(o2) ?? o2, r.url ? undefined : r);
+  return a.headers.set("content-type", e), a;
+};
+var r = o("application/json; charset=utf-8", JSON.stringify);
+var p = o("text/plain; charset=utf-8", String);
+var f = o("text/html");
+var u = o("image/jpeg");
+var h = o("image/png");
+var g = o("image/webp");
+
+// src/adapters/http-worker/security.ts
+async function checkAuthAndChallenge(request, store, config, sid) {
+  try {
+    validateOrigin(request.headers, config.NODE_ENV === "development");
+    validateProtocolVersion(request.headers, config.MCP_PROTOCOL_VERSION);
+  } catch (error) {
+    const challenge = buildUnauthorizedChallenge({
+      origin: new URL(request.url).origin,
+      sid,
+      message: error.message
+    });
+    const resp = new Response(JSON.stringify(challenge.body), {
+      status: challenge.status,
+      headers: {
+        "Content-Type": "application/json",
+        "Mcp-Session-Id": sid,
+        "WWW-Authenticate": challenge.headers["WWW-Authenticate"]
+      }
+    });
+    return withCors(resp);
+  }
+  if (!config.AUTH_ENABLED) {
+    return null;
+  }
+  const authHeader = request.headers.get("Authorization");
+  const apiKeyHeader = request.headers.get("x-api-key") || request.headers.get("x-auth-token");
+  if (!authHeader && !apiKeyHeader) {
+    const origin = new URL(request.url).origin;
+    const challenge = buildUnauthorizedChallenge({ origin, sid });
+    const resp = new Response(JSON.stringify(challenge.body), {
+      status: challenge.status,
+      headers: {
+        "Content-Type": "application/json",
+        "Mcp-Session-Id": sid,
+        "WWW-Authenticate": challenge.headers["WWW-Authenticate"]
+      }
+    });
+    return withCors(resp);
+  }
+  if (config.AUTH_REQUIRE_RS && authHeader) {
+    const match = authHeader.match(/^\s*Bearer\s+(.+)$/i);
+    const bearer = match?.[1];
+    if (bearer) {
+      const record = await store.getByRsAccess(bearer);
+      const hasMapping = !!record?.provider?.access_token;
+      if (!hasMapping && !config.AUTH_ALLOW_DIRECT_BEARER) {
+        const origin = new URL(request.url).origin;
+        const challenge = buildUnauthorizedChallenge({ origin, sid });
+        const resp = new Response(JSON.stringify(challenge.body), {
+          status: challenge.status,
+          headers: {
+            "Content-Type": "application/json",
+            "Mcp-Session-Id": sid,
+            "WWW-Authenticate": challenge.headers["WWW-Authenticate"]
+          }
+        });
+        return withCors(resp);
+      }
+    }
+  }
+  return null;
+}
+
+// src/adapters/http-worker/mcp.handler.ts
+var sessionStateMap = new Map;
+var cancellationRegistryMap = new Map;
+function getCancellationRegistry(sessionId) {
+  let registry = cancellationRegistryMap.get(sessionId);
+  if (!registry) {
+    registry = new Map;
+    cancellationRegistryMap.set(sessionId, registry);
+  }
+  return registry;
+}
+function getJsonRpcMessages(body) {
+  if (!body || typeof body !== "object")
+    return [];
+  if (Array.isArray(body)) {
+    return body.filter((msg) => msg && typeof msg === "object");
+  }
+  return [body];
+}
+function resolveSessionApiKey(headers, config) {
+  const apiKeyHeader = config.API_KEY_HEADER.toLowerCase();
+  const directApiKey = headers.get(apiKeyHeader) || headers.get("x-api-key") || headers.get("x-auth-token");
+  if (directApiKey)
+    return directApiKey;
+  const authHeader = headers.get("authorization") || headers.get("Authorization");
+  if (authHeader) {
+    const match = authHeader.match(/^\s*Bearer\s+(.+)$/i);
+    return match?.[1] ?? authHeader;
+  }
+  if (config.API_KEY)
+    return config.API_KEY;
+  return "public";
+}
+function parseCustomHeaders(value) {
+  if (!value)
+    return {};
+  const headers = {};
+  for (const pair of value.split(",")) {
+    const colonIndex = pair.indexOf(":");
+    if (colonIndex === -1)
+      continue;
+    const key = pair.slice(0, colonIndex).trim();
+    const val = pair.slice(colonIndex + 1).trim();
+    if (key && val) {
+      headers[key.toLowerCase()] = val;
+    }
+  }
+  return headers;
+}
+function buildStaticAuthHeaders(config) {
+  const headers = {};
+  switch (config.AUTH_STRATEGY) {
+    case "api_key":
+      if (config.API_KEY) {
+        headers[config.API_KEY_HEADER.toLowerCase()] = config.API_KEY;
+      }
+      break;
+    case "bearer":
+      if (config.BEARER_TOKEN) {
+        headers.authorization = `Bearer ${config.BEARER_TOKEN}`;
+      }
+      break;
+    case "custom":
+      Object.assign(headers, parseCustomHeaders(config.CUSTOM_HEADERS));
+      break;
+  }
+  return headers;
+}
+function buildProviderRefreshConfig2(config) {
+  if (!config.PROVIDER_CLIENT_ID || !config.PROVIDER_CLIENT_SECRET || !config.PROVIDER_ACCOUNTS_URL) {
+    return;
+  }
+  return {
+    clientId: config.PROVIDER_CLIENT_ID,
+    clientSecret: config.PROVIDER_CLIENT_SECRET,
+    accountsUrl: config.PROVIDER_ACCOUNTS_URL
+  };
+}
+async function resolveAuthContext(request, tokenStore, config) {
+  const rawHeaders = {};
+  request.headers.forEach((value, key) => {
+    rawHeaders[key.toLowerCase()] = value;
+  });
+  const strategy = config.AUTH_STRATEGY;
+  let providerToken;
+  let provider;
+  let resolvedHeaders = { ...rawHeaders };
+  if (strategy === "oauth") {
+    const authHeader = rawHeaders.authorization;
+    const match = authHeader?.match(/^\s*Bearer\s+(.+)$/i);
+    const rsToken = match?.[1];
+    if (rsToken) {
+      try {
+        const providerConfig = buildProviderRefreshConfig2(config);
+        const { accessToken, wasRefreshed } = await ensureFreshToken(rsToken, tokenStore, providerConfig);
+        if (accessToken) {
+          providerToken = accessToken;
+          const record = await tokenStore.getByRsAccess(rsToken);
+          if (record?.provider) {
+            provider = {
+              accessToken: record.provider.access_token,
+              refreshToken: record.provider.refresh_token,
+              expiresAt: record.provider.expires_at,
+              scopes: record.provider.scopes
+            };
+          }
+          resolvedHeaders.authorization = `Bearer ${accessToken}`;
+          if (wasRefreshed) {
+            sharedLogger.info("mcp_handler", {
+              message: "Using proactively refreshed token"
+            });
+          }
+        }
+      } catch (error) {
+        sharedLogger.debug("mcp_handler", {
+          message: "Token resolution failed",
+          error: error.message
+        });
+      }
+    }
+  } else if (strategy === "bearer" || strategy === "api_key" || strategy === "custom") {
+    const staticHeaders = buildStaticAuthHeaders(config);
+    resolvedHeaders = { ...rawHeaders, ...staticHeaders };
+    providerToken = strategy === "bearer" ? config.BEARER_TOKEN : config.API_KEY;
+  }
+  return {
+    sessionId: "",
+    authStrategy: strategy,
+    providerToken,
+    provider,
+    resolvedHeaders,
+    authHeaders: rawHeaders
+  };
+}
+async function handleMcpRequest(request, deps) {
+  const { tokenStore, sessionStore, config } = deps;
+  const body = await request.json().catch(() => ({}));
+  const { method, params, id } = body;
+  const messages = getJsonRpcMessages(body);
+  const isInitialize = messages.some((msg) => msg.method === "initialize");
+  const isInitialized = messages.some((msg) => msg.method === "initialized");
+  const initMessage = messages.find((msg) => msg.method === "initialize");
+  const protocolVersion = typeof initMessage?.params?.protocolVersion === "string" ? (initMessage?.params).protocolVersion : undefined;
+  const incomingSessionId = request.headers.get("Mcp-Session-Id")?.trim();
+  const sessionId = isInitialize ? crypto.randomUUID() : incomingSessionId || crypto.randomUUID();
+  const apiKey = resolveSessionApiKey(request.headers, config);
+  if (!isInitialize && !incomingSessionId) {
+    return jsonResponse({
+      jsonrpc: "2.0",
+      error: {
+        code: -32000,
+        message: "Bad Request: Mcp-Session-Id required"
+      },
+      id: null
+    }, { status: 400 });
+  }
+  if (!isInitialize && incomingSessionId) {
+    let existingSession = null;
+    try {
+      existingSession = await sessionStore.get(incomingSessionId);
+    } catch (error) {
+      sharedLogger.warning("mcp_session", {
+        message: "Session lookup failed",
+        error: error.message
+      });
+    }
+    if (!existingSession) {
+      return withCors(new Response("Invalid session", { status: 404 }));
+    }
+    if (existingSession.apiKey && existingSession.apiKey !== apiKey) {
+      sharedLogger.warning("mcp_session", {
+        message: "Request API key differs from session binding",
+        sessionId: incomingSessionId,
+        originalApiKey: `${existingSession.apiKey.slice(0, 8)}...`,
+        requestApiKey: `${apiKey.slice(0, 8)}...`
+      });
+    }
+  }
+  const challengeResponse = await checkAuthAndChallenge(request, tokenStore, config, sessionId);
+  if (challengeResponse) {
+    return challengeResponse;
+  }
+  const authContext = await resolveAuthContext(request, tokenStore, config);
+  authContext.sessionId = sessionId;
+  if (isInitialize) {
+    try {
+      await sessionStore.create(sessionId, apiKey);
+      if (protocolVersion) {
+        await sessionStore.update(sessionId, { protocolVersion });
+      }
+    } catch (error) {
+      sharedLogger.warning("mcp_session", {
+        message: "Failed to create session record",
+        error: error.message
+      });
+    }
+  }
+  if (isInitialized) {
+    try {
+      await sessionStore.update(sessionId, { initialized: true });
+    } catch (error) {
+      sharedLogger.warning("mcp_session", {
+        message: "Failed to update session initialized flag",
+        error: error.message
+      });
+    }
+  }
+  const cancellationRegistry = getCancellationRegistry(sessionId);
+  const dispatchContext = {
+    sessionId,
+    auth: authContext,
+    config: {
+      title: config.MCP_TITLE,
+      version: config.MCP_VERSION,
+      instructions: config.MCP_INSTRUCTIONS
+    },
+    getSessionState: () => sessionStateMap.get(sessionId),
+    setSessionState: (state) => sessionStateMap.set(sessionId, state),
+    cancellationRegistry,
+    tools: deps.tools
+  };
+  if (!("id" in body) || id === null || id === undefined) {
+    if (method) {
+      handleMcpNotification(method, params, dispatchContext);
+    }
+    return withCors(new Response(null, { status: 202 }));
+  }
+  const result = await dispatchMcpMethod(method, params, dispatchContext, id);
+  const response = jsonResponse({
+    jsonrpc: "2.0",
+    ...result.error ? { error: result.error } : { result: result.result },
+    id
+  });
+  response.headers.set("Mcp-Session-Id", sessionId);
+  return withCors(response);
+}
+function handleMcpGet() {
+  return withCors(new Response("Method Not Allowed", { status: 405 }));
+}
+async function handleMcpDelete(request, deps) {
+  const { sessionStore } = deps;
+  const sessionId = request.headers.get("Mcp-Session-Id")?.trim();
+  if (!sessionId) {
+    return withCors(jsonResponse({
+      jsonrpc: "2.0",
+      error: {
+        code: -32000,
+        message: "Bad Request: Mcp-Session-Id required"
+      },
+      id: null
+    }, { status: 400 }));
+  }
+  let existingSession = null;
+  try {
+    existingSession = await sessionStore.get(sessionId);
+  } catch (error) {
+    sharedLogger.warning("mcp_session", {
+      message: "Session lookup failed on DELETE",
+      error: error.message
+    });
+  }
+  if (!existingSession) {
+    return withCors(new Response("Invalid session", { status: 404 }));
+  }
+  sessionStateMap.delete(sessionId);
+  cancellationRegistryMap.delete(sessionId);
+  try {
+    await sessionStore.delete(sessionId);
+    sharedLogger.info("mcp_session", {
+      message: "Session terminated via DELETE",
+      sessionId
+    });
+  } catch (error) {
+    sharedLogger.warning("mcp_session", {
+      message: "Failed to delete session record",
+      error: error.message
+    });
+  }
+  return withCors(new Response(null, { status: 202 }));
+}
+
+// src/adapters/http-worker/routes.discovery.ts
+function attachDiscoveryRoutes(router, config) {
+  const { authorizationMetadata, protectedResourceMetadata } = createDiscoveryHandlers(config, workerDiscoveryStrategy);
+  router.get("/.well-known/oauth-authorization-server", async (request) => {
+    const metadata = authorizationMetadata(new URL(request.url));
+    return jsonResponse(metadata);
+  });
+  router.get("/.well-known/oauth-protected-resource", async (request) => {
+    const here = new URL(request.url);
+    const sid = here.searchParams.get("sid") ?? undefined;
+    const metadata = protectedResourceMetadata(here, sid);
+    return jsonResponse(metadata);
+  });
+}
+
+// src/adapters/http-worker/routes.oauth.ts
+function attachOAuthRoutes(router, store, config) {
+  const providerConfig = buildProviderConfig(config);
+  const oauthConfig = buildOAuthConfig(config);
+  router.get("/authorize", async (request) => {
+    sharedLogger.info("oauth_workers", { message: "Authorize request received" });
+    try {
+      const url = new URL(request.url);
+      const sessionId = request.headers.get("Mcp-Session-Id") ?? undefined;
+      const input = parseAuthorizeInput(url, sessionId);
+      const options = {
+        ...buildFlowOptions(url, config),
+        cimd: {
+          enabled: config.CIMD_ENABLED,
+          timeoutMs: config.CIMD_FETCH_TIMEOUT_MS,
+          maxBytes: config.CIMD_MAX_RESPONSE_BYTES,
+          allowedDomains: config.CIMD_ALLOWED_DOMAINS
+        }
+      };
+      const result = await handleAuthorize(input, store, providerConfig, oauthConfig, options);
+      sharedLogger.info("oauth_workers", {
+        message: "Authorize redirect",
+        redirectTo: result.redirectTo
+      });
+      return redirectResponse(result.redirectTo);
+    } catch (error) {
+      sharedLogger.error("oauth_workers", {
+        message: "Authorize failed",
+        error: error.message
+      });
+      return textError(error.message || "Authorization failed");
+    }
+  });
+  router.get("/oauth/provider-callback", async (request) => {
+    const url = new URL(request.url);
+    const { code, state } = parseCallbackInput(url);
+    sharedLogger.info("oauth_workers", {
+      message: "Callback request received",
+      hasCode: !!code,
+      hasState: !!state,
+      stateLength: state?.length
+    });
+    try {
+      if (!code || !state) {
+        return textError("invalid_callback: missing code or state");
+      }
+      if (!config.PROVIDER_CLIENT_ID || !config.PROVIDER_CLIENT_SECRET) {
+        sharedLogger.error("oauth_workers", {
+          message: "Missing provider credentials"
+        });
+        return textError("Server misconfigured: Missing provider credentials", {
+          status: 500
+        });
+      }
+      const options = buildFlowOptions(url, config);
+      const result = await handleProviderCallback({ providerCode: code, compositeState: state }, store, providerConfig, oauthConfig, options);
+      sharedLogger.info("oauth_workers", {
+        message: "Callback success",
+        redirectTo: result.redirectTo
+      });
+      return redirectResponse(result.redirectTo);
+    } catch (error) {
+      sharedLogger.error("oauth_workers", {
+        message: "Callback failed",
+        error: error.message
+      });
+      return textError(error.message || "Callback failed", {
+        status: 500
+      });
+    }
+  });
+  router.get("/oauth/callback", async (request) => {
+    const url = new URL(request.url);
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    sharedLogger.info("oauth_workers", {
+      message: "Client callback received",
+      hasCode: !!code,
+      hasState: !!state
+    });
+    return new Response(`<!DOCTYPE html><html><head><title>Authentication Complete</title></head><body>
+<h2>Authentication successful</h2>
+<p>You can close this window and return to your application.</p>
+<script>
+// Some MCP clients read the URL params from the opener window
+if (window.opener) {
+  window.opener.postMessage({ type: 'oauth_callback', code: ${JSON.stringify(code)}, state: ${JSON.stringify(state)} }, '*');
+  window.close();
+}
+</script>
+</body></html>`, { headers: { "content-type": "text/html; charset=utf-8" } });
+  });
+  router.post("/token", async (request) => {
+    sharedLogger.debug("oauth_workers", { message: "Token request received" });
+    try {
+      const form = await parseTokenInput(request);
+      const tokenInput = buildTokenInput(form);
+      if ("error" in tokenInput) {
+        return oauthError(tokenInput.error);
+      }
+      const result = await handleToken(tokenInput, store, providerConfig);
+      sharedLogger.info("oauth_workers", { message: "Token exchange success" });
+      return jsonResponse(result);
+    } catch (error) {
+      sharedLogger.error("oauth_workers", {
+        message: "Token exchange failed",
+        error: error.message
+      });
+      return oauthError(error.message || "invalid_grant");
+    }
+  });
+  router.post("/revoke", async () => {
+    const result = await handleRevoke();
+    return jsonResponse(result);
+  });
+  router.post("/register", async (request) => {
+    try {
+      const body = await request.json().catch(() => ({}));
+      const url = new URL(request.url);
+      sharedLogger.debug("oauth_workers", { message: "Register request" });
+      const result = await handleRegister({
+        redirect_uris: Array.isArray(body.redirect_uris) ? body.redirect_uris : undefined,
+        grant_types: Array.isArray(body.grant_types) ? body.grant_types : undefined,
+        response_types: Array.isArray(body.response_types) ? body.response_types : undefined,
+        client_name: typeof body.client_name === "string" ? body.client_name : undefined
+      }, url.origin, config.OAUTH_REDIRECT_URI);
+      sharedLogger.info("oauth_workers", { message: "Client registered" });
+      return jsonResponse(result, { status: 201 });
+    } catch (error) {
+      return oauthError(error.message);
+    }
+  });
+}
+
+// src/adapters/http-worker/index.ts
+var sharedTokenStore = null;
+var sharedSessionStore = null;
+function initializeWorkerStorage(env, config) {
+  const kvNamespace = env.TOKENS;
+  if (!kvNamespace) {
+    sharedLogger.error("worker_storage", {
+      message: "No KV namespace bound - storage unavailable"
+    });
+    return null;
+  }
+  if (!sharedTokenStore || !sharedSessionStore) {
+    sharedTokenStore = new MemoryTokenStore;
+    sharedSessionStore = new MemorySessionStore;
+  }
+  let encrypt;
+  let decrypt;
+  if (env.RS_TOKENS_ENC_KEY) {
+    const encryptor = createEncryptor(env.RS_TOKENS_ENC_KEY);
+    encrypt = encryptor.encrypt;
+    decrypt = encryptor.decrypt;
+    sharedLogger.debug("worker_storage", { message: "KV encryption enabled" });
+  } else {
+    encrypt = async (s) => s;
+    decrypt = async (s) => s;
+    if (config.NODE_ENV === "production") {
+      sharedLogger.warning("worker_storage", {
+        message: "RS_TOKENS_ENC_KEY not set! KV data is unencrypted."
+      });
+    }
+  }
+  const tokenStore = new KvTokenStore(kvNamespace, {
+    encrypt,
+    decrypt,
+    fallback: sharedTokenStore
+  });
+  const sessionStore = new KvSessionStore(kvNamespace, {
+    encrypt,
+    decrypt,
+    fallback: sharedSessionStore
+  });
+  initializeStorage(tokenStore, sessionStore);
+  return { tokenStore, sessionStore };
+}
+var MCP_ENDPOINT_PATH = "/mcp";
+function createWorkerRouter(ctx) {
+  const router = t();
+  const { tokenStore, sessionStore, config, tools } = ctx;
+  router.options("*", () => corsPreflightResponse());
+  attachDiscoveryRoutes(router, config);
+  attachOAuthRoutes(router, tokenStore, config);
+  router.get(MCP_ENDPOINT_PATH, () => handleMcpGet());
+  router.post(MCP_ENDPOINT_PATH, (request) => handleMcpRequest(request, { tokenStore, sessionStore, config, tools }));
+  router.delete(MCP_ENDPOINT_PATH, (request) => handleMcpDelete(request, { tokenStore, sessionStore, config, tools }));
+  router.get("/health", () => withCors(new Response(JSON.stringify({ status: "ok", timestamp: Date.now() }), {
+    headers: { "Content-Type": "application/json" }
+  })));
+  router.all("*", () => withCors(new Response("Not Found", { status: 404 })));
+  return router;
+}
+function shimProcessEnv(env) {
+  const g2 = globalThis;
+  g2.process = g2.process || {};
+  g2.process.env = {
+    ...g2.process.env ?? {},
+    ...env
+  };
+}
+
+export { withCors, corsPreflightResponse, buildCorsHeaders, KvTokenStore, KvSessionStore, initializeStorage, getTokenStore, getSessionStore, JsonRpcErrorCode, LATEST_PROTOCOL_VERSION, SUPPORTED_PROTOCOL_VERSIONS, getLogLevel, dispatchMcpMethod, handleMcpNotification, buildProviderRefreshConfig, refreshProviderToken, isTokenExpiredOrExpiring, ensureFreshToken, validateOrigin, validateProtocolVersion, buildUnauthorizedChallenge, buildAuthorizationServerMetadata, buildProtectedResourceMetadata, createDiscoveryHandlers, workerDiscoveryStrategy, nodeDiscoveryStrategy, checkSsrfSafe, isSsrfSafe, assertSsrfSafe, ClientMetadataSchema, isClientIdUrl, fetchClientMetadata, validateRedirectUri, generateOpaqueToken, handleAuthorize, handleProviderCallback, handleToken, handleRegister, handleRevoke, parseAuthorizeInput, parseCallbackInput, parseTokenInput, buildTokenInput, buildProviderConfig, buildOAuthConfig, buildFlowOptions, initializeWorkerStorage, createWorkerRouter, shimProcessEnv };