@phake/mcp 0.0.2 → 0.0.4

package/dist/{index-sbqy8kgq.js → index-ctd3bknx.js}

@@ -1,19 +1,92 @@
-// @bun
-import {
-  MAX_SESSIONS_PER_API_KEY,
-  MemorySessionStore,
-  MemoryTokenStore,
-  base64UrlDecodeJson,
-  base64UrlEncode,
-  base64UrlEncodeJson,
-  buildCapabilities,
-  createEncryptor,
-  executeSharedTool,
-  exports_external,
-  sharedLogger,
-  sharedTools,
-  zodToJsonSchema
-} from "./index-4f4xvtt9.js";
+// src/shared/utils/base64.ts
+function base64Encode(input) {
+  return btoa(input);
+}
+function base64Decode(input) {
+  return atob(input);
+}
+function base64UrlEncode(bytes) {
+  let binary = "";
+  for (let i = 0;i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padLength = (4 - base64.length % 4) % 4;
+  base64 += "=".repeat(padLength);
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0;i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function base64UrlEncodeString(input) {
+  return base64UrlEncode(new TextEncoder().encode(input));
+}
+function base64UrlDecodeString(input) {
+  return new TextDecoder().decode(base64UrlDecode(input));
+}
+function base64UrlEncodeJson(obj) {
+  try {
+    return base64UrlEncodeString(JSON.stringify(obj));
+  } catch {
+    return "";
+  }
+}
+function base64UrlDecodeJson(value) {
+  try {
+    return JSON.parse(base64UrlDecodeString(value));
+  } catch {
+    return null;
+  }
+}
+
+// src/shared/crypto/aes-gcm.ts
+var ALGORITHM = "AES-GCM";
+var KEY_LENGTH = 256;
+var IV_LENGTH = 12;
+var TAG_LENGTH = 128;
+async function deriveKey(secret) {
+  const keyBytes = base64UrlDecode(secret);
+  if (keyBytes.length !== 32) {
+    throw new Error(`Invalid key length: expected 32 bytes, got ${keyBytes.length}`);
+  }
+  return crypto.subtle.importKey("raw", keyBytes.buffer, { name: ALGORITHM, length: KEY_LENGTH }, false, ["encrypt", "decrypt"]);
+}
+async function encrypt(plaintext, secret) {
+  const key = await deriveKey(secret);
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+  const plaintextBytes = new TextEncoder().encode(plaintext);
+  const ciphertext = await crypto.subtle.encrypt({ name: ALGORITHM, iv, tagLength: TAG_LENGTH }, key, plaintextBytes);
+  const combined = new Uint8Array(iv.length + ciphertext.byteLength);
+  combined.set(iv, 0);
+  combined.set(new Uint8Array(ciphertext), iv.length);
+  return base64UrlEncode(combined);
+}
+async function decrypt(ciphertext, secret) {
+  const key = await deriveKey(secret);
+  const combined = base64UrlDecode(ciphertext);
+  if (combined.length < IV_LENGTH + 16) {
+    throw new Error("Invalid ciphertext: too short");
+  }
+  const iv = combined.slice(0, IV_LENGTH);
+  const encrypted = combined.slice(IV_LENGTH);
+  const plaintextBytes = await crypto.subtle.decrypt({ name: ALGORITHM, iv, tagLength: TAG_LENGTH }, key, encrypted);
+  return new TextDecoder().decode(plaintextBytes);
+}
+function generateKey() {
+  const bytes = crypto.getRandomValues(new Uint8Array(32));
+  return base64UrlEncode(bytes);
+}
+function createEncryptor(secret) {
+  return {
+    encrypt: (plaintext) => encrypt(plaintext, secret),
+    decrypt: (ciphertext) => decrypt(ciphertext, secret)
+  };
+}
 
 // src/shared/http/cors.ts
 var DEFAULT_CORS = {
@@ -55,6 +128,354 @@ function buildCorsHeaders(options = {}) {
   return headers;
 }
 
+// src/shared/storage/interface.ts
+var MAX_SESSIONS_PER_API_KEY = 5;
+
+// src/shared/storage/memory.ts
+var DEFAULT_TXN_TTL_MS = 10 * 60 * 1000;
+var DEFAULT_CODE_TTL_MS = 10 * 60 * 1000;
+var DEFAULT_SESSION_TTL_MS = 24 * 60 * 60 * 1000;
+var DEFAULT_RS_TOKEN_TTL_MS = 7 * 24 * 60 * 60 * 1000;
+var MAX_RS_RECORDS = 1e4;
+var MAX_TRANSACTIONS = 1000;
+var MAX_SESSIONS = 1e4;
+var CLEANUP_INTERVAL_MS = 60000;
+function evictOldest(map, maxSize, countToRemove = 1) {
+  if (map.size < maxSize)
+    return;
+  const entries = [...map.entries()].sort((a, b) => {
+    const aTime = a[1].created_at ?? a[1].createdAt ?? 0;
+    const bTime = b[1].created_at ?? b[1].createdAt ?? 0;
+    return aTime - bTime;
+  });
+  for (let i = 0;i < countToRemove && i < entries.length; i++) {
+    map.delete(entries[i][0]);
+  }
+}
+function cleanupExpired(map) {
+  const now = Date.now();
+  let removed = 0;
+  for (const [key, entry] of map) {
+    if (now >= entry.expiresAt) {
+      map.delete(key);
+      removed++;
+    }
+  }
+  return removed;
+}
+
+class MemoryTokenStore {
+  rsAccessMap = new Map;
+  rsRefreshMap = new Map;
+  transactions = new Map;
+  codes = new Map;
+  cleanupIntervalId = null;
+  constructor() {
+    this.startCleanup();
+  }
+  startCleanup() {
+    if (this.cleanupIntervalId)
+      return;
+    this.cleanupIntervalId = setInterval(() => {
+      this.cleanup();
+    }, CLEANUP_INTERVAL_MS);
+    if (typeof this.cleanupIntervalId === "object" && "unref" in this.cleanupIntervalId) {
+      this.cleanupIntervalId.unref();
+    }
+  }
+  stopCleanup() {
+    if (this.cleanupIntervalId) {
+      clearInterval(this.cleanupIntervalId);
+      this.cleanupIntervalId = null;
+    }
+  }
+  cleanup() {
+    const now = Date.now();
+    let tokensRemoved = 0;
+    for (const [key, entry] of this.rsAccessMap) {
+      if (now >= entry.expiresAt) {
+        this.rsAccessMap.delete(key);
+        tokensRemoved++;
+      }
+    }
+    for (const [key, entry] of this.rsRefreshMap) {
+      if (now >= entry.expiresAt) {
+        this.rsRefreshMap.delete(key);
+      }
+    }
+    const transactionsRemoved = cleanupExpired(this.transactions);
+    const codesRemoved = cleanupExpired(this.codes);
+    return {
+      tokens: tokensRemoved,
+      transactions: transactionsRemoved,
+      codes: codesRemoved
+    };
+  }
+  async storeRsMapping(rsAccess, provider, rsRefresh, ttlMs = DEFAULT_RS_TOKEN_TTL_MS) {
+    const now = Date.now();
+    const expiresAt = now + ttlMs;
+    evictOldest(this.rsAccessMap, MAX_RS_RECORDS, 10);
+    if (rsRefresh) {
+      const existing = this.rsRefreshMap.get(rsRefresh);
+      if (existing) {
+        this.rsAccessMap.delete(existing.rs_access_token);
+        existing.rs_access_token = rsAccess;
+        existing.provider = { ...provider };
+        existing.expiresAt = expiresAt;
+        this.rsAccessMap.set(rsAccess, existing);
+        return existing;
+      }
+    }
+    const record = {
+      rs_access_token: rsAccess,
+      rs_refresh_token: rsRefresh ?? crypto.randomUUID(),
+      provider: { ...provider },
+      created_at: now,
+      expiresAt
+    };
+    this.rsAccessMap.set(record.rs_access_token, record);
+    this.rsRefreshMap.set(record.rs_refresh_token, record);
+    return record;
+  }
+  async getByRsAccess(rsAccess) {
+    const entry = this.rsAccessMap.get(rsAccess);
+    if (!entry)
+      return null;
+    if (Date.now() >= entry.expiresAt) {
+      this.rsAccessMap.delete(rsAccess);
+      this.rsRefreshMap.delete(entry.rs_refresh_token);
+      return null;
+    }
+    return entry;
+  }
+  async getByRsRefresh(rsRefresh) {
+    const entry = this.rsRefreshMap.get(rsRefresh);
+    if (!entry)
+      return null;
+    if (Date.now() >= entry.expiresAt) {
+      this.rsAccessMap.delete(entry.rs_access_token);
+      this.rsRefreshMap.delete(rsRefresh);
+      return null;
+    }
+    return entry;
+  }
+  async updateByRsRefresh(rsRefresh, provider, maybeNewRsAccess, ttlMs = DEFAULT_RS_TOKEN_TTL_MS) {
+    const rec = this.rsRefreshMap.get(rsRefresh);
+    if (!rec)
+      return null;
+    const now = Date.now();
+    if (maybeNewRsAccess) {
+      this.rsAccessMap.delete(rec.rs_access_token);
+      rec.rs_access_token = maybeNewRsAccess;
+      rec.created_at = now;
+    }
+    rec.provider = { ...provider };
+    rec.expiresAt = now + ttlMs;
+    this.rsAccessMap.set(rec.rs_access_token, rec);
+    this.rsRefreshMap.set(rsRefresh, rec);
+    return rec;
+  }
+  async saveTransaction(txnId, txn, ttlSeconds) {
+    const ttlMs = ttlSeconds ? ttlSeconds * 1000 : DEFAULT_TXN_TTL_MS;
+    const now = Date.now();
+    evictOldest(this.transactions, MAX_TRANSACTIONS, 10);
+    this.transactions.set(txnId, {
+      value: txn,
+      expiresAt: now + ttlMs,
+      createdAt: now
+    });
+  }
+  async getTransaction(txnId) {
+    const entry = this.transactions.get(txnId);
+    if (!entry)
+      return null;
+    if (Date.now() >= entry.expiresAt) {
+      this.transactions.delete(txnId);
+      return null;
+    }
+    return entry.value;
+  }
+  async deleteTransaction(txnId) {
+    this.transactions.delete(txnId);
+  }
+  async saveCode(code, txnId, ttlSeconds) {
+    const ttlMs = ttlSeconds ? ttlSeconds * 1000 : DEFAULT_CODE_TTL_MS;
+    const now = Date.now();
+    this.codes.set(code, {
+      value: txnId,
+      expiresAt: now + ttlMs,
+      createdAt: now
+    });
+  }
+  async getTxnIdByCode(code) {
+    const entry = this.codes.get(code);
+    if (!entry)
+      return null;
+    if (Date.now() >= entry.expiresAt) {
+      this.codes.delete(code);
+      return null;
+    }
+    return entry.value;
+  }
+  async deleteCode(code) {
+    this.codes.delete(code);
+  }
+  getStats() {
+    return {
+      rsTokens: this.rsAccessMap.size,
+      transactions: this.transactions.size,
+      codes: this.codes.size
+    };
+  }
+}
+
+class MemorySessionStore {
+  sessions = new Map;
+  cleanupIntervalId = null;
+  constructor() {
+    this.startCleanup();
+  }
+  startCleanup() {
+    if (this.cleanupIntervalId)
+      return;
+    this.cleanupIntervalId = setInterval(() => {
+      this.cleanup();
+    }, CLEANUP_INTERVAL_MS);
+    if (typeof this.cleanupIntervalId === "object" && "unref" in this.cleanupIntervalId) {
+      this.cleanupIntervalId.unref();
+    }
+  }
+  stopCleanup() {
+    if (this.cleanupIntervalId) {
+      clearInterval(this.cleanupIntervalId);
+      this.cleanupIntervalId = null;
+    }
+  }
+  cleanup() {
+    const now = Date.now();
+    let removed = 0;
+    for (const [sessionId, session] of this.sessions) {
+      if (now >= session.expiresAt) {
+        this.sessions.delete(sessionId);
+        removed++;
+      }
+    }
+    return removed;
+  }
+  async create(sessionId, apiKey, ttlMs = DEFAULT_SESSION_TTL_MS) {
+    const count = await this.countByApiKey(apiKey);
+    if (count >= MAX_SESSIONS_PER_API_KEY) {
+      await this.deleteOldestByApiKey(apiKey);
+    }
+    if (this.sessions.size >= MAX_SESSIONS) {
+      const oldest = [...this.sessions.entries()].sort((a, b) => a[1].created_at - b[1].created_at)[0];
+      if (oldest) {
+        this.sessions.delete(oldest[0]);
+      }
+    }
+    const now = Date.now();
+    const record = {
+      sessionId,
+      apiKey,
+      created_at: now,
+      last_accessed: now,
+      initialized: false,
+      expiresAt: now + ttlMs
+    };
+    this.sessions.set(sessionId, record);
+    return record;
+  }
+  async get(sessionId) {
+    const session = this.sessions.get(sessionId);
+    if (!session)
+      return null;
+    const now = Date.now();
+    if (now >= session.expiresAt) {
+      this.sessions.delete(sessionId);
+      return null;
+    }
+    session.last_accessed = now;
+    return session;
+  }
+  async update(sessionId, data) {
+    const session = this.sessions.get(sessionId);
+    if (!session)
+      return;
+    const now = Date.now();
+    Object.assign(session, data, { last_accessed: now });
+  }
+  async delete(sessionId) {
+    this.sessions.delete(sessionId);
+  }
+  async getByApiKey(apiKey) {
+    const results = [];
+    const now = Date.now();
+    for (const session of this.sessions.values()) {
+      if (session.apiKey === apiKey && now < session.expiresAt) {
+        results.push(session);
+      }
+    }
+    return results.sort((a, b) => b.last_accessed - a.last_accessed);
+  }
+  async countByApiKey(apiKey) {
+    let count = 0;
+    const now = Date.now();
+    for (const session of this.sessions.values()) {
+      if (session.apiKey === apiKey && now < session.expiresAt) {
+        count++;
+      }
+    }
+    return count;
+  }
+  async deleteOldestByApiKey(apiKey) {
+    let oldest = null;
+    const now = Date.now();
+    for (const session of this.sessions.values()) {
+      if (session.apiKey === apiKey && now < session.expiresAt) {
+        if (!oldest || session.last_accessed < oldest.last_accessed) {
+          oldest = session;
+        }
+      }
+    }
+    if (oldest) {
+      this.sessions.delete(oldest.sessionId);
+    }
+  }
+  async ensure(sessionId, ttlMs = DEFAULT_SESSION_TTL_MS) {
+    const existing = this.sessions.get(sessionId);
+    if (existing) {
+      existing.expiresAt = Date.now() + ttlMs;
+      existing.last_accessed = Date.now();
+      return;
+    }
+    if (this.sessions.size >= MAX_SESSIONS) {
+      const oldest = [...this.sessions.entries()].sort((a, b) => a[1].created_at - b[1].created_at)[0];
+      if (oldest) {
+        this.sessions.delete(oldest[0]);
+      }
+    }
+    const now = Date.now();
+    this.sessions.set(sessionId, {
+      sessionId,
+      created_at: now,
+      last_accessed: now,
+      expiresAt: now + ttlMs
+    });
+  }
+  async put(sessionId, value, ttlMs = DEFAULT_SESSION_TTL_MS) {
+    const now = Date.now();
+    this.sessions.set(sessionId, {
+      ...value,
+      sessionId,
+      last_accessed: value.last_accessed ?? now,
+      expiresAt: now + ttlMs
+    });
+  }
+  getSessionCount() {
+    return this.sessions.size;
+  }
+}
+
 // src/shared/storage/kv.ts
 function ttl(seconds) {
   return Math.floor(Date.now() / 1000) + seconds;
@@ -357,6 +778,73 @@ function getSessionStore() {
   return sessionStoreInstance;
 }
 
+// src/shared/utils/logger.ts
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warning: 2,
+  error: 3
+};
+var currentLevel = "info";
+function shouldLog(level) {
+  return LOG_LEVELS[level] >= LOG_LEVELS[currentLevel];
+}
+function formatLog(level, logger, data) {
+  const timestamp = new Date().toISOString();
+  const { message, ...rest } = data;
+  const extra = Object.keys(rest).length > 0 ? ` ${JSON.stringify(rest)}` : "";
+  return `[${timestamp}] ${level.toUpperCase()} [${logger}] ${message}${extra}`;
+}
+function sanitize(data) {
+  const sanitized = { ...data };
+  const sensitiveKeys = [
+    "password",
+    "token",
+    "secret",
+    "key",
+    "authorization",
+    "access_token",
+    "refresh_token"
+  ];
+  for (const key of Object.keys(sanitized)) {
+    if (sensitiveKeys.some((sk) => key.toLowerCase().includes(sk))) {
+      const value = sanitized[key];
+      if (typeof value === "string" && value.length > 8) {
+        sanitized[key] = `${value.substring(0, 8)}...`;
+      } else {
+        sanitized[key] = "[REDACTED]";
+      }
+    }
+  }
+  return sanitized;
+}
+var sharedLogger = {
+  setLevel(level) {
+    currentLevel = level;
+  },
+  debug(logger, data) {
+    if (shouldLog("debug")) {
+      console.log(formatLog("debug", logger, sanitize(data)));
+    }
+  },
+  info(logger, data) {
+    if (shouldLog("info")) {
+      console.log(formatLog("info", logger, sanitize(data)));
+    }
+  },
+  warning(logger, data) {
+    if (shouldLog("warning")) {
+      console.warn(formatLog("warning", logger, sanitize(data)));
+    }
+  },
+  error(logger, data) {
+    if (shouldLog("error")) {
+      console.error(formatLog("error", logger, sanitize(data)));
+    }
+  }
+};
+var logger = sharedLogger;
+
 // src/shared/http/response.ts
 function jsonResponse(data, options = {}) {
   const { status = 200, headers = {}, cors = true } = options;
@@ -402,1442 +890,667 @@ var JsonRpcErrorCode = {
   ServerError: -32000
 };
 
-// src/shared/config/metadata.ts
-var serverMetadata = {
-  title: "MCP Server",
-  version: "0.0.1",
-  instructions: "Use these tools to interact with the server."
-};
+// src/shared/utils/cancellation.ts
+class CancellationError extends Error {
+  constructor(message = "Operation was cancelled") {
+    super(message);
+    this.name = "CancellationError";
+  }
+}
 
-// src/shared/mcp/dispatcher.ts
-var LATEST_PROTOCOL_VERSION = "2025-06-18";
-var SUPPORTED_PROTOCOL_VERSIONS = [
-  "2025-06-18",
-  "2025-03-26",
-  "2024-11-05",
-  "2024-10-07"
-];
-var JsonRpcErrorCode2 = {
-  ParseError: -32700,
-  InvalidRequest: -32600,
-  MethodNotFound: -32601,
-  InvalidParams: -32602,
-  InternalError: -32603
-};
-async function handleInitialize(params, ctx) {
-  const clientInfo = params?.clientInfo;
-  const requestedVersion = String(params?.protocolVersion || LATEST_PROTOCOL_VERSION);
-  const protocolVersion = SUPPORTED_PROTOCOL_VERSIONS.includes(requestedVersion) ? requestedVersion : LATEST_PROTOCOL_VERSION;
-  ctx.setSessionState({
-    initialized: false,
-    clientInfo,
-    protocolVersion
-  });
-  sharedLogger.info("mcp_dispatch", {
-    message: "Initialize request",
-    sessionId: ctx.sessionId,
-    clientInfo,
-    requestedVersion,
-    negotiatedVersion: protocolVersion
+class CancellationToken {
+  _isCancelled = false;
+  _listeners = [];
+  get isCancelled() {
+    return this._isCancelled;
+  }
+  cancel() {
+    if (this._isCancelled)
+      return;
+    this._isCancelled = true;
+    this._listeners.forEach((listener) => {
+      try {
+        listener();
+      } catch (error) {
+        console.error("Error in cancellation listener:", error);
+      }
+    });
+    this._listeners.length = 0;
+  }
+  onCancelled(listener) {
+    if (this._isCancelled) {
+      listener();
+      return;
+    }
+    this._listeners.push(listener);
+  }
+  throwIfCancelled() {
+    if (this._isCancelled) {
+      throw new CancellationError;
+    }
+  }
+}
+function createCancellationToken() {
+  return new CancellationToken;
+}
+async function withCancellation(operation, token) {
+  token.throwIfCancelled();
+  return new Promise((resolve, reject) => {
+    let completed = false;
+    token.onCancelled(() => {
+      if (!completed) {
+        completed = true;
+        reject(new CancellationError);
+      }
+    });
+    operation(token).then((result) => {
+      if (!completed) {
+        completed = true;
+        resolve(result);
+      }
+    }).catch((error) => {
+      if (!completed) {
+        completed = true;
+        reject(error);
+      }
+    });
   });
+}
+
+// src/shared/types/provider.ts
+function toProviderInfo(tokens) {
   return {
-    result: {
-      protocolVersion,
-      capabilities: buildCapabilities(),
-      serverInfo: {
-        name: ctx.config.title || serverMetadata.title,
-        version: ctx.config.version || "0.0.1"
-      },
-      instructions: ctx.config.instructions || serverMetadata.instructions
-    }
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token,
+    expiresAt: tokens.expires_at,
+    scopes: tokens.scopes
   };
 }
-async function handleToolsList(ctx) {
-  const tools = (ctx.tools ?? sharedTools).map((tool) => ({
-    name: tool.name,
-    description: tool.description,
-    inputSchema: zodToJsonSchema(tool.inputSchema),
-    ...tool.outputSchema && {
-      outputSchema: zodToJsonSchema(exports_external.object(tool.outputSchema))
-    },
-    ...tool.annotations && { annotations: tool.annotations }
-  }));
-  return { result: { tools } };
+function toProviderTokens(info) {
+  return {
+    access_token: info.accessToken,
+    refresh_token: info.refreshToken,
+    expires_at: info.expiresAt,
+    scopes: info.scopes
+  };
 }
-async function handleToolsCall(params, ctx, requestId) {
-  const toolName = String(params?.name || "");
-  const toolArgs = params?.arguments || {};
-  const meta = params?._meta;
-  const abortController = new AbortController;
-  if (requestId !== undefined && ctx.cancellationRegistry) {
-    ctx.cancellationRegistry.set(requestId, abortController);
+
+// src/shared/tools/types.ts
+function assertProviderToken(context) {
+  if (!context.providerToken) {
+    throw new Error("Authentication required");
   }
-  const toolContext = {
-    ...ctx.auth,
-    sessionId: ctx.sessionId,
-    signal: abortController.signal,
-    meta: {
-      progressToken: meta?.progressToken,
-      requestId: requestId !== undefined ? String(requestId) : undefined
-    }
-  };
-  sharedLogger.debug("mcp_dispatch", {
-    message: "Calling tool",
-    tool: toolName,
-    sessionId: ctx.sessionId,
-    requestId,
-    hasProviderToken: Boolean(ctx.auth.providerToken)
-  });
-  const toolList = ctx.tools ?? sharedTools;
-  const tool = toolList.find((t) => t.name === toolName);
-  if (tool?.requiresAuth && !ctx.auth.providerToken) {
+}
+function defineTool(def) {
+  return def;
+}
+
+// src/shared/tools/echo.ts
+import { z } from "zod";
+var echoInputSchema = z.object({
+  message: z.string().min(1).describe("Message to echo back"),
+  uppercase: z.boolean().optional().describe("Convert message to uppercase")
+});
+var echoTool = defineTool({
+  name: "echo",
+  title: "Echo",
+  description: "Echo back a message, optionally transformed",
+  inputSchema: echoInputSchema,
+  outputSchema: {
+    echoed: z.string().describe("The echoed message"),
+    length: z.number().describe("Message length")
+  },
+  annotations: {
+    title: "Echo Message",
+    readOnlyHint: true,
+    destructiveHint: false,
+    idempotentHint: true,
+    openWorldHint: false
+  },
+  handler: async (args) => {
+    const message = args.message;
+    const echoed = args.uppercase ? message.toUpperCase() : message;
+    const result = {
+      echoed,
+      length: echoed.length
+    };
     return {
-      error: {
-        code: JsonRpcErrorCode2.InvalidRequest,
-        message: "Authentication required. Please complete OAuth flow first."
-      }
+      content: [{ type: "text", text: echoed }],
+      structuredContent: result
     };
   }
-  try {
-    const result = await executeSharedTool(toolName, toolArgs, toolContext, ctx.tools);
-    return { result };
-  } catch (error) {
-    if (abortController.signal.aborted) {
-      sharedLogger.info("mcp_dispatch", {
-        message: "Tool execution cancelled",
-        tool: toolName,
-        requestId
-      });
-      return {
-        error: {
-          code: JsonRpcErrorCode2.InternalError,
-          message: "Request was cancelled"
-        }
-      };
-    }
-    sharedLogger.error("mcp_dispatch", {
-      message: "Tool execution failed",
-      tool: toolName,
-      error: error.message
-    });
-    return {
-      error: {
-        code: JsonRpcErrorCode2.InternalError,
-        message: `Tool execution failed: ${error.message}`
-      }
+});
+
+// src/shared/tools/health.ts
+import { z as z2 } from "zod";
+var healthInputSchema = z2.object({
+  verbose: z2.boolean().optional().describe("Include additional runtime details")
+});
+var healthTool = defineTool({
+  name: "health",
+  title: "Health Check",
+  description: "Check server health, uptime, and runtime information",
+  inputSchema: healthInputSchema,
+  outputSchema: {
+    status: z2.string().describe("Server status"),
+    timestamp: z2.number().describe("Current timestamp"),
+    runtime: z2.string().describe("Runtime environment"),
+    uptime: z2.number().optional().describe("Uptime in seconds (if available)")
+  },
+  annotations: {
+    title: "Server Health Check",
+    readOnlyHint: true,
+    destructiveHint: false,
+    idempotentHint: true,
+    openWorldHint: false
+  },
+  handler: async (args) => {
+    const verbose = Boolean(args.verbose);
+    const g = globalThis;
+    const isWorkers = typeof g.caches !== "undefined" && !("process" in g);
+    const runtime = isWorkers ? "cloudflare-workers" : "node";
+    const result = {
+      status: "ok",
+      timestamp: Date.now(),
+      runtime
     };
-  } finally {
-    if (requestId !== undefined && ctx.cancellationRegistry) {
-      ctx.cancellationRegistry.delete(requestId);
+    if (verbose) {
+      if (!isWorkers && typeof process !== "undefined") {
+        result.uptime = Math.floor(process.uptime());
+        result.nodeVersion = process.version;
+        result.memoryUsage = process.memoryUsage().heapUsed;
+      }
     }
-  }
-}
-async function handleResourcesList() {
-  return { result: { resources: [] } };
-}
-async function handleResourcesTemplatesList() {
-  return { result: { resourceTemplates: [] } };
-}
-async function handlePromptsList() {
-  return { result: { prompts: [] } };
-}
-async function handlePing() {
-  return { result: {} };
-}
-var currentLogLevel = "info";
-async function handleLoggingSetLevel(params) {
-  const level = params?.level;
-  const validLevels = [
-    "debug",
-    "info",
-    "notice",
-    "warning",
-    "error",
-    "critical",
-    "alert",
-    "emergency"
-  ];
-  if (!level || !validLevels.includes(level)) {
     return {
-      error: {
-        code: JsonRpcErrorCode2.InvalidParams,
-        message: `Invalid log level. Must be one of: ${validLevels.join(", ")}`
-      }
+      content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+      structuredContent: result
     };
   }
-  currentLogLevel = level;
-  sharedLogger.info("mcp_dispatch", {
-    message: "Log level changed",
-    level: currentLogLevel
-  });
-  return { result: {} };
-}
-function getLogLevel() {
-  return currentLogLevel;
+});
+
+// src/runtime/node/context.ts
+import { AsyncLocalStorage } from "node:async_hooks";
+var authContextStorage = new AsyncLocalStorage;
+function getCurrentAuthContext() {
+  return authContextStorage.getStore();
 }
-async function dispatchMcpMethod(method, params, ctx, requestId) {
-  if (!method) {
-    return {
-      error: {
-        code: JsonRpcErrorCode2.InvalidRequest,
-        message: "Missing method"
-      }
+
+class ContextRegistry {
+  contexts = new Map;
+  create(requestId, sessionId, authData) {
+    const context = {
+      sessionId,
+      cancellationToken: createCancellationToken(),
+      requestId,
+      timestamp: Date.now(),
+      authStrategy: authData?.authStrategy,
+      authHeaders: authData?.authHeaders,
+      resolvedHeaders: authData?.resolvedHeaders,
+      rsToken: authData?.rsToken,
+      providerToken: authData?.providerToken,
+      provider: authData?.provider,
+      serviceToken: authData?.serviceToken ?? authData?.providerToken
     };
+    this.contexts.set(requestId, context);
+    return context;
   }
-  switch (method) {
-    case "initialize":
-      return handleInitialize(params, ctx);
-    case "tools/list":
-      return handleToolsList(ctx);
-    case "tools/call":
-      return handleToolsCall(params, ctx, requestId);
-    case "resources/list":
-      return handleResourcesList();
-    case "resources/templates/list":
-      return handleResourcesTemplatesList();
-    case "prompts/list":
-      return handlePromptsList();
-    case "ping":
-      return handlePing();
-    case "logging/setLevel":
-      return handleLoggingSetLevel(params);
-    default:
-      sharedLogger.debug("mcp_dispatch", { message: "Unknown method", method });
-      return {
-        error: {
-          code: JsonRpcErrorCode2.MethodNotFound,
-          message: `Method not found: ${method}`
-        }
-      };
+  get(requestId) {
+    return this.contexts.get(requestId);
   }
-}
-function handleMcpNotification(method, params, ctx) {
-  if (method === "notifications/initialized") {
-    const session = ctx.getSessionState();
-    if (session) {
-      ctx.setSessionState({ ...session, initialized: true });
-    }
-    sharedLogger.info("mcp_dispatch", {
-      message: "Client initialized",
-      sessionId: ctx.sessionId
-    });
+  getCancellationToken(requestId) {
+    return this.contexts.get(requestId)?.cancellationToken;
+  }
+  cancel(requestId, _reason) {
+    const context = this.contexts.get(requestId);
+    if (!context)
+      return false;
+    context.cancellationToken.cancel();
     return true;
   }
-  if (method === "notifications/cancelled") {
-    const cancelParams = params;
-    const requestId = cancelParams?.requestId;
-    if (requestId !== undefined && ctx.cancellationRegistry) {
-      const controller = ctx.cancellationRegistry.get(requestId);
-      if (controller) {
-        sharedLogger.info("mcp_dispatch", {
-          message: "Cancelling request",
-          requestId,
-          reason: cancelParams?.reason,
-          sessionId: ctx.sessionId
-        });
-        controller.abort(cancelParams?.reason ?? "Client requested cancellation");
-        return true;
+  delete(requestId) {
+    return this.contexts.delete(requestId);
+  }
+  deleteBySession(sessionId) {
+    let deleted = 0;
+    for (const [requestId, context] of this.contexts.entries()) {
+      if (context.sessionId === sessionId) {
+        this.contexts.delete(requestId);
+        deleted++;
       }
-      sharedLogger.debug("mcp_dispatch", {
-        message: "Cancellation request for unknown requestId",
-        requestId,
-        sessionId: ctx.sessionId
+    }
+    if (deleted > 0) {
+      sharedLogger.debug("context_registry", {
+        message: "Cleaned up contexts for session",
+        sessionId,
+        count: deleted
       });
     }
-    return true;
+    return deleted;
   }
-  sharedLogger.debug("mcp_dispatch", {
-    message: "Unhandled notification",
-    method,
-    sessionId: ctx.sessionId
-  });
-  return false;
-}
-
-// node_modules/oauth4webapi/build/index.js
-var USER_AGENT;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
-  const NAME = "oauth4webapi";
-  const VERSION = "v3.8.5";
-  USER_AGENT = `${NAME}/${VERSION}`;
-}
-function looseInstanceOf(input, expected) {
-  if (input == null) {
-    return false;
-  }
-  try {
-    return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
-  } catch {
-    return false;
+  get size() {
+    return this.contexts.size;
   }
-}
-var ERR_INVALID_ARG_VALUE = "ERR_INVALID_ARG_VALUE";
-var ERR_INVALID_ARG_TYPE = "ERR_INVALID_ARG_TYPE";
-function CodedTypeError(message, code, cause) {
-  const err = new TypeError(message, { cause });
-  Object.assign(err, { code });
-  return err;
-}
-var allowInsecureRequests = Symbol();
-var clockSkew = Symbol();
-var clockTolerance = Symbol();
-var customFetch = Symbol();
-var modifyAssertion = Symbol();
-var jweDecrypt = Symbol();
-var jwksCache = Symbol();
-var encoder = new TextEncoder;
-var decoder = new TextDecoder;
-function buf(input) {
-  if (typeof input === "string") {
-    return encoder.encode(input);
-  }
-  return decoder.decode(input);
-}
-var encodeBase64Url;
-if (Uint8Array.prototype.toBase64) {
-  encodeBase64Url = (input) => {
-    if (input instanceof ArrayBuffer) {
-      input = new Uint8Array(input);
-    }
-    return input.toBase64({ alphabet: "base64url", omitPadding: true });
-  };
-} else {
-  const CHUNK_SIZE = 32768;
-  encodeBase64Url = (input) => {
-    if (input instanceof ArrayBuffer) {
-      input = new Uint8Array(input);
-    }
-    const arr = [];
-    for (let i = 0;i < input.byteLength; i += CHUNK_SIZE) {
-      arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
-    }
-    return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-  };
-}
-var decodeBase64Url;
-if (Uint8Array.fromBase64) {
-  decodeBase64Url = (input) => {
-    try {
-      return Uint8Array.fromBase64(input, { alphabet: "base64url" });
-    } catch (cause) {
-      throw CodedTypeError("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE, cause);
-    }
-  };
-} else {
-  decodeBase64Url = (input) => {
-    try {
-      const binary = atob(input.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""));
-      const bytes = new Uint8Array(binary.length);
-      for (let i = 0;i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
+  cleanupExpired(maxAgeMs = 10 * 60 * 1000) {
+    const now = Date.now();
+    let cleaned = 0;
+    for (const [requestId, context] of this.contexts.entries()) {
+      if (now - context.timestamp > maxAgeMs) {
+        this.contexts.delete(requestId);
+        cleaned++;
       }
-      return bytes;
-    } catch (cause) {
-      throw CodedTypeError("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE, cause);
     }
-  };
-}
-function b64u(input) {
-  if (typeof input === "string") {
-    return decodeBase64Url(input);
+    if (cleaned > 0) {
+      sharedLogger.warning("context_registry", {
+        message: "Cleaned up expired contexts (this indicates missing cleanup calls)",
+        count: cleaned,
+        maxAgeMs
+      });
+    }
+    return cleaned;
   }
-  return encodeBase64Url(input);
-}
-
-class UnsupportedOperationError extends Error {
-  code;
-  constructor(message, options) {
-    super(message, options);
-    this.name = this.constructor.name;
-    this.code = UNSUPPORTED_OPERATION;
-    Error.captureStackTrace?.(this, this.constructor);
+  clear() {
+    this.contexts.clear();
   }
 }
+var contextRegistry = new ContextRegistry;
 
-class OperationProcessingError extends Error {
-  code;
-  constructor(message, options) {
-    super(message, options);
-    this.name = this.constructor.name;
-    if (options?.code) {
-      this.code = options?.code;
-    }
-    Error.captureStackTrace?.(this, this.constructor);
-  }
-}
-function OPE(message, code, cause) {
-  return new OperationProcessingError(message, { code, cause });
-}
-async function calculateJwkThumbprint(jwk) {
-  let components;
-  switch (jwk.kty) {
-    case "EC":
-      components = {
-        crv: jwk.crv,
-        kty: jwk.kty,
-        x: jwk.x,
-        y: jwk.y
-      };
-      break;
-    case "OKP":
-      components = {
-        crv: jwk.crv,
-        kty: jwk.kty,
-        x: jwk.x
-      };
-      break;
-    case "AKP":
-      components = {
-        alg: jwk.alg,
-        kty: jwk.kty,
-        pub: jwk.pub
-      };
-      break;
-    case "RSA":
-      components = {
-        e: jwk.e,
-        kty: jwk.kty,
-        n: jwk.n
-      };
-      break;
-    default:
-      throw new UnsupportedOperationError("unsupported JWK key type", { cause: jwk });
+// src/shared/tools/registry.ts
+function getSchemaShape(schema) {
+  if ("shape" in schema && typeof schema.shape === "object") {
+    return schema.shape;
   }
-  return b64u(await crypto.subtle.digest("SHA-256", buf(JSON.stringify(components))));
-}
-function assertCryptoKey(key, it) {
-  if (!(key instanceof CryptoKey)) {
-    throw CodedTypeError(`${it} must be a CryptoKey`, ERR_INVALID_ARG_TYPE);
+  if ("_def" in schema && schema._def && typeof schema._def === "object") {
+    const def = schema._def;
+    if (def.schema) {
+      return getSchemaShape(def.schema);
+    }
+    if (def.innerType) {
+      return getSchemaShape(def.innerType);
+    }
   }
+  return;
 }
-function assertPrivateKey(key, it) {
-  assertCryptoKey(key, it);
-  if (key.type !== "private") {
-    throw CodedTypeError(`${it} must be a private CryptoKey`, ERR_INVALID_ARG_VALUE);
-  }
+function asRegisteredTool(tool) {
+  return tool;
 }
-function assertPublicKey(key, it) {
-  assertCryptoKey(key, it);
-  if (key.type !== "public") {
-    throw CodedTypeError(`${it} must be a public CryptoKey`, ERR_INVALID_ARG_VALUE);
-  }
+var sharedTools = [
+  asRegisteredTool(healthTool),
+  asRegisteredTool(echoTool)
+];
+function getSharedTool(name) {
+  return sharedTools.find((t) => t.name === name);
 }
-function isJsonObject(input) {
-  if (input === null || typeof input !== "object" || Array.isArray(input)) {
-    return false;
-  }
-  return true;
+function getSharedToolNames() {
+  return sharedTools.map((t) => t.name);
 }
-function prepareHeaders(input) {
-  if (looseInstanceOf(input, Headers)) {
-    input = Object.fromEntries(input.entries());
-  }
-  const headers = new Headers(input ?? {});
-  if (USER_AGENT && !headers.has("user-agent")) {
-    headers.set("user-agent", USER_AGENT);
-  }
-  if (headers.has("authorization")) {
-    throw CodedTypeError('"options.headers" must not include the "authorization" header name', ERR_INVALID_ARG_VALUE);
-  }
-  return headers;
-}
-function signal(url, value) {
-  if (value !== undefined) {
-    if (typeof value === "function") {
-      value = value(url.href);
-    }
-    if (!(value instanceof AbortSignal)) {
-      throw CodedTypeError('"options.signal" must return or be an instance of AbortSignal', ERR_INVALID_ARG_TYPE);
-    }
-    return value;
+async function executeSharedTool(name, args, context, tools) {
+  const toolList = tools ?? sharedTools;
+  const tool = toolList.find((t) => t.name === name);
+  if (!tool) {
+    return {
+      content: [{ type: "text", text: `Unknown tool: ${name}` }],
+      isError: true
+    };
   }
-  return;
-}
-function assertNumber(input, allow0, it, code, cause) {
   try {
-    if (typeof input !== "number" || !Number.isFinite(input)) {
-      throw CodedTypeError(`${it} must be a number`, ERR_INVALID_ARG_TYPE, cause);
-    }
-    if (input > 0)
-      return;
-    if (allow0) {
-      if (input !== 0) {
-        throw CodedTypeError(`${it} must be a non-negative number`, ERR_INVALID_ARG_VALUE, cause);
-      }
-      return;
-    }
-    throw CodedTypeError(`${it} must be a positive number`, ERR_INVALID_ARG_VALUE, cause);
-  } catch (err) {
-    if (code) {
-      throw OPE(err.message, code, cause);
+    if (context.signal?.aborted) {
+      return {
+        content: [{ type: "text", text: "Operation was cancelled" }],
+        isError: true
+      };
     }
-    throw err;
-  }
-}
-function assertString(input, it, code, cause) {
-  try {
-    if (typeof input !== "string") {
-      throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE, cause);
+    const parseResult = tool.inputSchema.safeParse(args);
+    if (!parseResult.success) {
+      const errors = parseResult.error.issues.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
+      return {
+        content: [{ type: "text", text: `Invalid input: ${errors}` }],
+        isError: true
+      };
     }
-    if (input.length === 0) {
-      throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause);
+    const result = await tool.handler(parseResult.data, context);
+    if (tool.outputSchema && !result.isError) {
+      if (!result.structuredContent) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: "Tool with outputSchema must return structuredContent (unless isError is true)"
+            }
+          ],
+          isError: true
+        };
+      }
     }
-  } catch (err) {
-    if (code) {
-      throw OPE(err.message, code, cause);
+    return result;
+  } catch (error) {
+    if (context.signal?.aborted) {
+      return {
+        content: [{ type: "text", text: "Operation was cancelled" }],
+        isError: true
+      };
     }
-    throw err;
-  }
-}
-function assertApplicationJson(response) {
-  assertContentType(response, "application/json");
-}
-function notJson(response, ...types) {
-  let msg = '"response" content-type must be ';
-  if (types.length > 2) {
-    const last = types.pop();
-    msg += `${types.join(", ")}, or ${last}`;
-  } else if (types.length === 2) {
-    msg += `${types[0]} or ${types[1]}`;
-  } else {
-    msg += types[0];
-  }
-  return OPE(msg, RESPONSE_IS_NOT_JSON, response);
-}
-function assertContentType(response, contentType) {
-  if (getContentType(response) !== contentType) {
-    throw notJson(response, contentType);
-  }
-}
-function randomBytes() {
-  return b64u(crypto.getRandomValues(new Uint8Array(32)));
-}
-async function calculatePKCECodeChallenge(codeVerifier) {
-  assertString(codeVerifier, "codeVerifier");
-  return b64u(await crypto.subtle.digest("SHA-256", buf(codeVerifier)));
-}
-function psAlg(key) {
-  switch (key.algorithm.hash.name) {
-    case "SHA-256":
-      return "PS256";
-    case "SHA-384":
-      return "PS384";
-    case "SHA-512":
-      return "PS512";
-    default:
-      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name", {
-        cause: key
-      });
+    return {
+      content: [
+        { type: "text", text: `Tool error: ${error.message}` }
+      ],
+      isError: true
+    };
   }
 }
-function rsAlg(key) {
-  switch (key.algorithm.hash.name) {
-    case "SHA-256":
-      return "RS256";
-    case "SHA-384":
-      return "RS384";
-    case "SHA-512":
-      return "RS512";
-    default:
-      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name", {
-        cause: key
+function registerTools(server, contextResolver) {
+  for (const tool of sharedTools) {
+    const inputSchemaShape = getSchemaShape(tool.inputSchema);
+    if (!inputSchemaShape) {
+      logger.error("tools", {
+        message: "Failed to extract schema shape",
+        toolName: tool.name
       });
+      throw new Error(`Failed to extract schema shape for tool: ${tool.name}`);
+    }
+    server.registerTool(tool.name, {
+      description: tool.description,
+      inputSchema: inputSchemaShape,
+      ...tool.outputSchema && { outputSchema: tool.outputSchema },
+      ...tool.annotations && { annotations: tool.annotations }
+    }, async (args, extra) => {
+      const authContext = extra.requestId && contextResolver ? contextResolver(extra.requestId) : undefined;
+      const ctx = authContext ?? getCurrentAuthContext();
+      const authCtx = ctx;
+      const providerInfo = authCtx?.provider ? toProviderInfo(authCtx.provider) : undefined;
+      const context = {
+        sessionId: extra.sessionId ?? crypto.randomUUID(),
+        signal: extra.signal,
+        meta: {
+          progressToken: extra._meta?.progressToken,
+          requestId: extra.requestId?.toString()
+        },
+        authStrategy: authCtx?.authStrategy,
+        providerToken: authCtx?.providerToken,
+        provider: providerInfo,
+        resolvedHeaders: authCtx?.resolvedHeaders
+      };
+      const result = await executeSharedTool(tool.name, args, context);
+      return result;
+    });
   }
+  logger.info("tools", { message: `Registered ${sharedTools.length} tools` });
 }
-function esAlg(key) {
-  switch (key.algorithm.namedCurve) {
-    case "P-256":
-      return "ES256";
-    case "P-384":
-      return "ES384";
-    case "P-521":
-      return "ES512";
-    default:
-      throw new UnsupportedOperationError("unsupported EcKeyAlgorithm namedCurve", { cause: key });
-  }
-}
-function keyToJws(key) {
-  switch (key.algorithm.name) {
-    case "RSA-PSS":
-      return psAlg(key);
-    case "RSASSA-PKCS1-v1_5":
-      return rsAlg(key);
-    case "ECDSA":
-      return esAlg(key);
-    case "Ed25519":
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-      return key.algorithm.name;
-    case "EdDSA":
-      return "Ed25519";
-    default:
-      throw new UnsupportedOperationError("unsupported CryptoKey algorithm name", { cause: key });
-  }
-}
-function getClockSkew(client) {
-  const skew = client?.[clockSkew];
-  return typeof skew === "number" && Number.isFinite(skew) ? skew : 0;
-}
-function getClockTolerance(client) {
-  const tolerance = client?.[clockTolerance];
-  return typeof tolerance === "number" && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
-}
-function epochTime() {
-  return Math.floor(Date.now() / 1000);
-}
-function assertAs(as) {
-  if (typeof as !== "object" || as === null) {
-    throw CodedTypeError('"as" must be an object', ERR_INVALID_ARG_TYPE);
-  }
-  assertString(as.issuer, '"as.issuer"');
-}
-function assertClient(client) {
-  if (typeof client !== "object" || client === null) {
-    throw CodedTypeError('"client" must be an object', ERR_INVALID_ARG_TYPE);
-  }
-  assertString(client.client_id, '"client.client_id"');
-}
-function ClientSecretPost(clientSecret) {
-  assertString(clientSecret, '"clientSecret"');
-  return (_as, client, body, _headers) => {
-    body.set("client_id", client.client_id);
-    body.set("client_secret", clientSecret);
+
+// src/shared/mcp/dispatcher.ts
+import { z as z3 } from "zod";
+import { zodToJsonSchema } from "zod-to-json-schema";
+
+// src/runtime/node/capabilities.ts
+function buildCapabilities() {
+  return {
+    logging: {},
+    prompts: {
+      listChanged: true
+    },
+    resources: {
+      listChanged: true,
+      subscribe: true
+    },
+    tools: {
+      listChanged: true
+    }
   };
 }
-async function signJwt(header, payload, key) {
-  if (!key.usages.includes("sign")) {
-    throw CodedTypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"', ERR_INVALID_ARG_VALUE);
-  }
-  const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;
-  const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));
-  return `${input}.${signature}`;
-}
-var jwkCache;
-async function getSetPublicJwkCache(key, alg) {
-  const { kty, e, n, x, y, crv, pub } = await crypto.subtle.exportKey("jwk", key);
-  const jwk = { kty, e, n, x, y, crv, pub };
-  if (kty === "AKP")
-    jwk.alg = alg;
-  jwkCache.set(key, jwk);
-  return jwk;
-}
-async function publicJwk(key, alg) {
-  jwkCache ||= new WeakMap;
-  return jwkCache.get(key) || getSetPublicJwkCache(key, alg);
-}
-var URLParse = URL.parse ? (url, base) => URL.parse(url, base) : (url, base) => {
-  try {
-    return new URL(url, base);
-  } catch {
-    return null;
-  }
+
+// src/shared/config/metadata.ts
+var serverMetadata = {
+  title: "MCP Server",
+  version: "0.0.1",
+  instructions: "Use these tools to interact with the server."
 };
-function checkProtocol(url, enforceHttps) {
-  if (enforceHttps && url.protocol !== "https:") {
-    throw OPE("only requests to HTTPS are allowed", HTTP_REQUEST_FORBIDDEN, url);
-  }
-  if (url.protocol !== "https:" && url.protocol !== "http:") {
-    throw OPE("only HTTP and HTTPS requests are allowed", REQUEST_PROTOCOL_FORBIDDEN, url);
-  }
-}
-function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {
-  let url;
-  if (typeof value !== "string" || !(url = URLParse(value))) {
-    throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === undefined ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint });
-  }
-  checkProtocol(url, enforceHttps);
-  return url;
-}
-function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {
-  if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {
-    return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);
-  }
-  return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);
-}
-class DPoPHandler {
-  #header;
-  #privateKey;
-  #publicKey;
-  #clockSkew;
-  #modifyAssertion;
-  #map;
-  #jkt;
-  constructor(client, keyPair, options) {
-    assertPrivateKey(keyPair?.privateKey, '"DPoP.privateKey"');
-    assertPublicKey(keyPair?.publicKey, '"DPoP.publicKey"');
-    if (!keyPair.publicKey.extractable) {
-      throw CodedTypeError('"DPoP.publicKey.extractable" must be true', ERR_INVALID_ARG_VALUE);
-    }
-    this.#modifyAssertion = options?.[modifyAssertion];
-    this.#clockSkew = getClockSkew(client);
-    this.#privateKey = keyPair.privateKey;
-    this.#publicKey = keyPair.publicKey;
-    branded.add(this);
-  }
-  #get(key) {
-    this.#map ||= new Map;
-    let item = this.#map.get(key);
-    if (item) {
-      this.#map.delete(key);
-      this.#map.set(key, item);
-    }
-    return item;
-  }
-  #set(key, val) {
-    this.#map ||= new Map;
-    this.#map.delete(key);
-    if (this.#map.size === 100) {
-      this.#map.delete(this.#map.keys().next().value);
-    }
-    this.#map.set(key, val);
-  }
-  async calculateThumbprint() {
-    if (!this.#jkt) {
-      const jwk = await crypto.subtle.exportKey("jwk", this.#publicKey);
-      this.#jkt ||= await calculateJwkThumbprint(jwk);
-    }
-    return this.#jkt;
-  }
-  async addProof(url, headers, htm, accessToken) {
-    const alg = keyToJws(this.#privateKey);
-    this.#header ||= {
-      alg,
-      typ: "dpop+jwt",
-      jwk: await publicJwk(this.#publicKey, alg)
-    };
-    const nonce = this.#get(url.origin);
-    const now = epochTime() + this.#clockSkew;
-    const payload = {
-      iat: now,
-      jti: randomBytes(),
-      htm,
-      nonce,
-      htu: `${url.origin}${url.pathname}`,
-      ath: accessToken ? b64u(await crypto.subtle.digest("SHA-256", buf(accessToken))) : undefined
-    };
-    this.#modifyAssertion?.(this.#header, payload);
-    headers.set("dpop", await signJwt(this.#header, payload, this.#privateKey));
-  }
-  cacheNonce(response, url) {
-    try {
-      const nonce = response.headers.get("dpop-nonce");
-      if (nonce) {
-        this.#set(url.origin, nonce);
-      }
-    } catch {}
-  }
-}
-class ResponseBodyError extends Error {
-  cause;
-  code;
-  error;
-  status;
-  error_description;
-  response;
-  constructor(message, options) {
-    super(message, options);
-    this.name = this.constructor.name;
-    this.code = RESPONSE_BODY_ERROR;
-    this.cause = options.cause;
-    this.error = options.cause.error;
-    this.status = options.response.status;
-    this.error_description = options.cause.error_description;
-    Object.defineProperty(this, "response", { enumerable: false, value: options.response });
-    Error.captureStackTrace?.(this, this.constructor);
-  }
-}
 
-class AuthorizationResponseError extends Error {
-  cause;
-  code;
-  error;
-  error_description;
-  constructor(message, options) {
-    super(message, options);
-    this.name = this.constructor.name;
-    this.code = AUTHORIZATION_RESPONSE_ERROR;
-    this.cause = options.cause;
-    this.error = options.cause.get("error");
-    this.error_description = options.cause.get("error_description") ?? undefined;
-    Error.captureStackTrace?.(this, this.constructor);
-  }
+// src/shared/mcp/dispatcher.ts
+var LATEST_PROTOCOL_VERSION = "2025-06-18";
+var SUPPORTED_PROTOCOL_VERSIONS = [
+  "2025-06-18",
+  "2025-03-26",
+  "2024-11-05",
+  "2024-10-07"
+];
+var JsonRpcErrorCode2 = {
+  ParseError: -32700,
+  InvalidRequest: -32600,
+  MethodNotFound: -32601,
+  InvalidParams: -32602,
+  InternalError: -32603
+};
+async function handleInitialize(params, ctx) {
+  const clientInfo = params?.clientInfo;
+  const requestedVersion = String(params?.protocolVersion || LATEST_PROTOCOL_VERSION);
+  const protocolVersion = SUPPORTED_PROTOCOL_VERSIONS.includes(requestedVersion) ? requestedVersion : LATEST_PROTOCOL_VERSION;
+  ctx.setSessionState({
+    initialized: false,
+    clientInfo,
+    protocolVersion
+  });
+  sharedLogger.info("mcp_dispatch", {
+    message: "Initialize request",
+    sessionId: ctx.sessionId,
+    clientInfo,
+    requestedVersion,
+    negotiatedVersion: protocolVersion
+  });
+  return {
+    result: {
+      protocolVersion,
+      capabilities: buildCapabilities(),
+      serverInfo: {
+        name: ctx.config.title || serverMetadata.title,
+        version: ctx.config.version || "0.0.1"
+      },
+      instructions: ctx.config.instructions || serverMetadata.instructions
+    }
+  };
 }
-
-class WWWAuthenticateChallengeError extends Error {
-  cause;
-  code;
-  response;
-  status;
-  constructor(message, options) {
-    super(message, options);
-    this.name = this.constructor.name;
-    this.code = WWW_AUTHENTICATE_CHALLENGE;
-    this.cause = options.cause;
-    this.status = options.response.status;
-    this.response = options.response;
-    Object.defineProperty(this, "response", { enumerable: false });
-    Error.captureStackTrace?.(this, this.constructor);
-  }
-}
-var tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
-var token68Match = "[a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2}";
-var quotedMatch = '"((?:[^"\\\\]|\\\\[\\s\\S])*)"';
-var quotedParamMatcher = "(" + tokenMatch + ")\\s*=\\s*" + quotedMatch;
-var paramMatcher = "(" + tokenMatch + ")\\s*=\\s*(" + tokenMatch + ")";
-var schemeRE = new RegExp("^[,\\s]*(" + tokenMatch + ")");
-var quotedParamRE = new RegExp("^[,\\s]*" + quotedParamMatcher + "[,\\s]*(.*)");
-var unquotedParamRE = new RegExp("^[,\\s]*" + paramMatcher + "[,\\s]*(.*)");
-var token68ParamRE = new RegExp("^(" + token68Match + ")(?:$|[,\\s])(.*)");
-function parseWwwAuthenticateChallenges(response) {
-  if (!looseInstanceOf(response, Response)) {
-    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
-  }
-  const header = response.headers.get("www-authenticate");
-  if (header === null) {
-    return;
+async function handleToolsList(ctx) {
+  const tools = (ctx.tools ?? sharedTools).map((tool) => ({
+    name: tool.name,
+    description: tool.description,
+    inputSchema: zodToJsonSchema(tool.inputSchema),
+    ...tool.outputSchema && {
+      outputSchema: zodToJsonSchema(z3.object(tool.outputSchema))
+    },
+    ...tool.annotations && { annotations: tool.annotations }
+  }));
+  return { result: { tools } };
+}
+async function handleToolsCall(params, ctx, requestId) {
+  const toolName = String(params?.name || "");
+  const toolArgs = params?.arguments || {};
+  const meta = params?._meta;
+  const abortController = new AbortController;
+  if (requestId !== undefined && ctx.cancellationRegistry) {
+    ctx.cancellationRegistry.set(requestId, abortController);
   }
-  const challenges = [];
-  let rest = header;
-  while (rest) {
-    let match = rest.match(schemeRE);
-    const scheme = match?.["1"].toLowerCase();
-    if (!scheme) {
-      return;
-    }
-    const afterScheme = rest.substring(match[0].length);
-    if (afterScheme && !afterScheme.match(/^[\s,]/)) {
-      return;
-    }
-    const spaceMatch = afterScheme.match(/^\s+(.*)$/);
-    const hasParameters = !!spaceMatch;
-    rest = spaceMatch ? spaceMatch[1] : undefined;
-    const parameters = {};
-    let token68;
-    if (hasParameters) {
-      while (rest) {
-        let key;
-        let value;
-        if (match = rest.match(quotedParamRE)) {
-          [, key, value, rest] = match;
-          if (value.includes("\\")) {
-            try {
-              value = JSON.parse(`"${value}"`);
-            } catch {}
-          }
-          parameters[key.toLowerCase()] = value;
-          continue;
-        }
-        if (match = rest.match(unquotedParamRE)) {
-          [, key, value, rest] = match;
-          parameters[key.toLowerCase()] = value;
-          continue;
-        }
-        if (match = rest.match(token68ParamRE)) {
-          if (Object.keys(parameters).length) {
-            break;
-          }
-          [, token68, rest] = match;
-          break;
-        }
-        return;
-      }
-    } else {
-      rest = afterScheme || undefined;
-    }
-    const challenge = { scheme, parameters };
-    if (token68) {
-      challenge.token68 = token68;
+  const toolContext = {
+    ...ctx.auth,
+    sessionId: ctx.sessionId,
+    signal: abortController.signal,
+    meta: {
+      progressToken: meta?.progressToken,
+      requestId: requestId !== undefined ? String(requestId) : undefined
     }
-    challenges.push(challenge);
-  }
-  if (!challenges.length) {
-    return;
-  }
-  return challenges;
-}
-async function parseOAuthResponseErrorBody(response) {
-  if (response.status > 399 && response.status < 500) {
-    assertReadableResponse(response);
-    assertApplicationJson(response);
-    try {
-      const json = await response.clone().json();
-      if (isJsonObject(json) && typeof json.error === "string" && json.error.length) {
-        return json;
+  };
+  sharedLogger.debug("mcp_dispatch", {
+    message: "Calling tool",
+    tool: toolName,
+    sessionId: ctx.sessionId,
+    requestId,
+    hasProviderToken: Boolean(ctx.auth.providerToken)
+  });
+  const toolList = ctx.tools ?? sharedTools;
+  const tool = toolList.find((t) => t.name === toolName);
+  if (tool?.requiresAuth && !ctx.auth.providerToken) {
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InvalidRequest,
+        message: "Authentication required. Please complete OAuth flow first."
       }
-    } catch {}
+    };
   }
-  return;
-}
-async function checkOAuthBodyError(response, expected, label) {
-  if (response.status !== expected) {
-    checkAuthenticationChallenges(response);
-    let err;
-    if (err = await parseOAuthResponseErrorBody(response)) {
-      await response.body?.cancel();
-      throw new ResponseBodyError("server responded with an error in the response body", {
-        cause: err,
-        response
+  try {
+    const result = await executeSharedTool(toolName, toolArgs, toolContext, ctx.tools);
+    return { result };
+  } catch (error) {
+    if (abortController.signal.aborted) {
+      sharedLogger.info("mcp_dispatch", {
+        message: "Tool execution cancelled",
+        tool: toolName,
+        requestId
       });
+      return {
+        error: {
+          code: JsonRpcErrorCode2.InternalError,
+          message: "Request was cancelled"
+        }
+      };
     }
-    throw OPE(`"response" is not a conform ${label} response (unexpected HTTP status code)`, RESPONSE_IS_NOT_CONFORM, response);
-  }
-}
-function assertDPoP(option) {
-  if (!branded.has(option)) {
-    throw CodedTypeError('"options.DPoP" is not a valid DPoPHandle', ERR_INVALID_ARG_VALUE);
-  }
-}
-var skipSubjectCheck = Symbol();
-function getContentType(input) {
-  return input.headers.get("content-type")?.split(";")[0];
-}
-async function authenticatedRequest(as, client, clientAuthentication, url, body, headers, options) {
-  await clientAuthentication(as, client, body, headers);
-  headers.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8");
-  return (options?.[customFetch] || fetch)(url.href, {
-    body,
-    headers: Object.fromEntries(headers.entries()),
-    method: "POST",
-    redirect: "manual",
-    signal: signal(url, options?.signal)
-  });
-}
-async function tokenEndpointRequest(as, client, clientAuthentication, grantType, parameters, options) {
-  const url = resolveEndpoint(as, "token_endpoint", client.use_mtls_endpoint_aliases, options?.[allowInsecureRequests] !== true);
-  parameters.set("grant_type", grantType);
-  const headers = prepareHeaders(options?.headers);
-  headers.set("accept", "application/json");
-  if (options?.DPoP !== undefined) {
-    assertDPoP(options.DPoP);
-    await options.DPoP.addProof(url, headers, "POST");
-  }
-  const response = await authenticatedRequest(as, client, clientAuthentication, url, parameters, headers, options);
-  options?.DPoP?.cacheNonce(response, url);
-  return response;
-}
-async function refreshTokenGrantRequest(as, client, clientAuthentication, refreshToken, options) {
-  assertAs(as);
-  assertClient(client);
-  assertString(refreshToken, '"refreshToken"');
-  const parameters = new URLSearchParams(options?.additionalParameters);
-  parameters.set("refresh_token", refreshToken);
-  return tokenEndpointRequest(as, client, clientAuthentication, "refresh_token", parameters, options);
-}
-var idTokenClaims = new WeakMap;
-var jwtRefs = new WeakMap;
-function getValidatedIdTokenClaims(ref) {
-  if (!ref.id_token) {
-    return;
-  }
-  const claims = idTokenClaims.get(ref);
-  if (!claims) {
-    throw CodedTypeError('"ref" was already garbage collected or did not resolve from the proper sources', ERR_INVALID_ARG_VALUE);
-  }
-  return claims;
-}
-async function processGenericAccessTokenResponse(as, client, response, additionalRequiredIdTokenClaims, decryptFn, recognizedTokenTypes) {
-  assertAs(as);
-  assertClient(client);
-  if (!looseInstanceOf(response, Response)) {
-    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
-  }
-  await checkOAuthBodyError(response, 200, "Token Endpoint");
-  assertReadableResponse(response);
-  const json = await getResponseJsonBody(response);
-  assertString(json.access_token, '"response" body "access_token" property', INVALID_RESPONSE, {
-    body: json
-  });
-  assertString(json.token_type, '"response" body "token_type" property', INVALID_RESPONSE, {
-    body: json
-  });
-  json.token_type = json.token_type.toLowerCase();
-  if (json.expires_in !== undefined) {
-    let expiresIn = typeof json.expires_in !== "number" ? parseFloat(json.expires_in) : json.expires_in;
-    assertNumber(expiresIn, true, '"response" body "expires_in" property', INVALID_RESPONSE, {
-      body: json
-    });
-    json.expires_in = expiresIn;
-  }
-  if (json.refresh_token !== undefined) {
-    assertString(json.refresh_token, '"response" body "refresh_token" property', INVALID_RESPONSE, {
-      body: json
-    });
-  }
-  if (json.scope !== undefined && typeof json.scope !== "string") {
-    throw OPE('"response" body "scope" property must be a string', INVALID_RESPONSE, { body: json });
-  }
-  if (json.id_token !== undefined) {
-    assertString(json.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
-      body: json
+    sharedLogger.error("mcp_dispatch", {
+      message: "Tool execution failed",
+      tool: toolName,
+      error: error.message
     });
-    const requiredClaims = ["aud", "exp", "iat", "iss", "sub"];
-    if (client.require_auth_time === true) {
-      requiredClaims.push("auth_time");
-    }
-    if (client.default_max_age !== undefined) {
-      assertNumber(client.default_max_age, true, '"client.default_max_age"');
-      requiredClaims.push("auth_time");
-    }
-    if (additionalRequiredIdTokenClaims?.length) {
-      requiredClaims.push(...additionalRequiredIdTokenClaims);
-    }
-    const { claims, jwt } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported, "RS256"), getClockSkew(client), getClockTolerance(client), decryptFn).then(validatePresence.bind(undefined, requiredClaims)).then(validateIssuer.bind(undefined, as)).then(validateAudience.bind(undefined, client.client_id));
-    if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
-      if (claims.azp === undefined) {
-        throw OPE('ID Token "aud" (audience) claim includes additional untrusted audiences', JWT_CLAIM_COMPARISON, { claims, claim: "aud" });
-      }
-      if (claims.azp !== client.client_id) {
-        throw OPE('unexpected ID Token "azp" (authorized party) claim value', JWT_CLAIM_COMPARISON, { expected: client.client_id, claims, claim: "azp" });
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InternalError,
+        message: `Tool execution failed: ${error.message}`
       }
+    };
+  } finally {
+    if (requestId !== undefined && ctx.cancellationRegistry) {
+      ctx.cancellationRegistry.delete(requestId);
     }
-    if (claims.auth_time !== undefined) {
-      assertNumber(claims.auth_time, true, 'ID Token "auth_time" (authentication time)', INVALID_RESPONSE, { claims });
-    }
-    jwtRefs.set(response, jwt);
-    idTokenClaims.set(json, claims);
-  }
-  if (recognizedTokenTypes?.[json.token_type] !== undefined) {
-    recognizedTokenTypes[json.token_type](response, json);
-  } else if (json.token_type !== "dpop" && json.token_type !== "bearer") {
-    throw new UnsupportedOperationError("unsupported `token_type` value", { cause: { body: json } });
-  }
-  return json;
-}
-function checkAuthenticationChallenges(response) {
-  let challenges;
-  if (challenges = parseWwwAuthenticateChallenges(response)) {
-    throw new WWWAuthenticateChallengeError("server responded with a challenge in the WWW-Authenticate HTTP Header", { cause: challenges, response });
   }
 }
-async function processRefreshTokenResponse(as, client, response, options) {
-  return processGenericAccessTokenResponse(as, client, response, undefined, options?.[jweDecrypt], options?.recognizedTokenTypes);
+async function handleResourcesList() {
+  return { result: { resources: [] } };
 }
-function validateAudience(expected, result) {
-  if (Array.isArray(result.claims.aud)) {
-    if (!result.claims.aud.includes(expected)) {
-      throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
-        expected,
-        claims: result.claims,
-        claim: "aud"
-      });
-    }
-  } else if (result.claims.aud !== expected) {
-    throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
-      expected,
-      claims: result.claims,
-      claim: "aud"
-    });
-  }
-  return result;
+async function handleResourcesTemplatesList() {
+  return { result: { resourceTemplates: [] } };
 }
-function validateIssuer(as, result) {
-  const expected = as[_expectedIssuer]?.(result) ?? as.issuer;
-  if (result.claims.iss !== expected) {
-    throw OPE('unexpected JWT "iss" (issuer) claim value', JWT_CLAIM_COMPARISON, {
-      expected,
-      claims: result.claims,
-      claim: "iss"
-    });
-  }
-  return result;
-}
-var branded = new WeakSet;
-function brand(searchParams) {
-  branded.add(searchParams);
-  return searchParams;
-}
-var nopkce = Symbol();
-async function authorizationCodeGrantRequest(as, client, clientAuthentication, callbackParameters, redirectUri, codeVerifier, options) {
-  assertAs(as);
-  assertClient(client);
-  if (!branded.has(callbackParameters)) {
-    throw CodedTypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()', ERR_INVALID_ARG_VALUE);
-  }
-  assertString(redirectUri, '"redirectUri"');
-  const code = getURLSearchParameter(callbackParameters, "code");
-  if (!code) {
-    throw OPE('no authorization code in "callbackParameters"', INVALID_RESPONSE);
-  }
-  const parameters = new URLSearchParams(options?.additionalParameters);
-  parameters.set("redirect_uri", redirectUri);
-  parameters.set("code", code);
-  if (codeVerifier !== nopkce) {
-    assertString(codeVerifier, '"codeVerifier"');
-    parameters.set("code_verifier", codeVerifier);
-  }
-  return tokenEndpointRequest(as, client, clientAuthentication, "authorization_code", parameters, options);
-}
-var jwtClaimNames = {
-  aud: "audience",
-  c_hash: "code hash",
-  client_id: "client id",
-  exp: "expiration time",
-  iat: "issued at",
-  iss: "issuer",
-  jti: "jwt id",
-  nonce: "nonce",
-  s_hash: "state hash",
-  sub: "subject",
-  ath: "access token hash",
-  htm: "http method",
-  htu: "http uri",
-  cnf: "confirmation",
-  auth_time: "authentication time"
-};
-function validatePresence(required, result) {
-  for (const claim of required) {
-    if (result.claims[claim] === undefined) {
-      throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, {
-        claims: result.claims
-      });
-    }
-  }
-  return result;
+async function handlePromptsList() {
+  return { result: { prompts: [] } };
 }
-var expectNoNonce = Symbol();
-var skipAuthTimeCheck = Symbol();
-async function processAuthorizationCodeResponse(as, client, response, options) {
-  if (typeof options?.expectedNonce === "string" || typeof options?.maxAge === "number" || options?.requireIdToken) {
-    return processAuthorizationCodeOpenIDResponse(as, client, response, options.expectedNonce, options.maxAge, options[jweDecrypt], options.recognizedTokenTypes);
-  }
-  return processAuthorizationCodeOAuth2Response(as, client, response, options?.[jweDecrypt], options?.recognizedTokenTypes);
+async function handlePing() {
+  return { result: {} };
 }
-async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, decryptFn, recognizedTokenTypes) {
-  const additionalRequiredClaims = [];
-  switch (expectedNonce) {
-    case undefined:
-      expectedNonce = expectNoNonce;
-      break;
-    case expectNoNonce:
-      break;
-    default:
-      assertString(expectedNonce, '"expectedNonce" argument');
-      additionalRequiredClaims.push("nonce");
-  }
-  maxAge ??= client.default_max_age;
-  switch (maxAge) {
-    case undefined:
-      maxAge = skipAuthTimeCheck;
-      break;
-    case skipAuthTimeCheck:
-      break;
-    default:
-      assertNumber(maxAge, true, '"maxAge" argument');
-      additionalRequiredClaims.push("auth_time");
+var currentLogLevel = "info";
+async function handleLoggingSetLevel(params) {
+  const level = params?.level;
+  const validLevels = [
+    "debug",
+    "info",
+    "notice",
+    "warning",
+    "error",
+    "critical",
+    "alert",
+    "emergency"
+  ];
+  if (!level || !validLevels.includes(level)) {
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InvalidParams,
+        message: `Invalid log level. Must be one of: ${validLevels.join(", ")}`
+      }
+    };
   }
-  const result = await processGenericAccessTokenResponse(as, client, response, additionalRequiredClaims, decryptFn, recognizedTokenTypes);
-  assertString(result.id_token, '"response" body "id_token" property', INVALID_RESPONSE, {
-    body: result
+  currentLogLevel = level;
+  sharedLogger.info("mcp_dispatch", {
+    message: "Log level changed",
+    level: currentLogLevel
   });
-  const claims = getValidatedIdTokenClaims(result);
-  if (maxAge !== skipAuthTimeCheck) {
-    const now = epochTime() + getClockSkew(client);
-    const tolerance = getClockTolerance(client);
-    if (claims.auth_time + maxAge < now - tolerance) {
-      throw OPE("too much time has elapsed since the last End-User authentication", JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: "auth_time" });
-    }
-  }
-  if (expectedNonce === expectNoNonce) {
-    if (claims.nonce !== undefined) {
-      throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
-        expected: undefined,
-        claims,
-        claim: "nonce"
-      });
-    }
-  } else if (claims.nonce !== expectedNonce) {
-    throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
-      expected: expectedNonce,
-      claims,
-      claim: "nonce"
-    });
-  }
-  return result;
-}
-async function processAuthorizationCodeOAuth2Response(as, client, response, decryptFn, recognizedTokenTypes) {
-  const result = await processGenericAccessTokenResponse(as, client, response, undefined, decryptFn, recognizedTokenTypes);
-  const claims = getValidatedIdTokenClaims(result);
-  if (claims) {
-    if (client.default_max_age !== undefined) {
-      assertNumber(client.default_max_age, true, '"client.default_max_age"');
-      const now = epochTime() + getClockSkew(client);
-      const tolerance = getClockTolerance(client);
-      if (claims.auth_time + client.default_max_age < now - tolerance) {
-        throw OPE("too much time has elapsed since the last End-User authentication", JWT_TIMESTAMP_CHECK, { claims, now, tolerance, claim: "auth_time" });
+  return { result: {} };
+}
+function getLogLevel() {
+  return currentLogLevel;
+}
+async function dispatchMcpMethod(method, params, ctx, requestId) {
+  if (!method) {
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InvalidRequest,
+        message: "Missing method"
       }
-    }
-    if (claims.nonce !== undefined) {
-      throw OPE('unexpected ID Token "nonce" claim value', JWT_CLAIM_COMPARISON, {
-        expected: undefined,
-        claims,
-        claim: "nonce"
-      });
-    }
-  }
-  return result;
-}
-var WWW_AUTHENTICATE_CHALLENGE = "OAUTH_WWW_AUTHENTICATE_CHALLENGE";
-var RESPONSE_BODY_ERROR = "OAUTH_RESPONSE_BODY_ERROR";
-var UNSUPPORTED_OPERATION = "OAUTH_UNSUPPORTED_OPERATION";
-var AUTHORIZATION_RESPONSE_ERROR = "OAUTH_AUTHORIZATION_RESPONSE_ERROR";
-var PARSE_ERROR = "OAUTH_PARSE_ERROR";
-var INVALID_RESPONSE = "OAUTH_INVALID_RESPONSE";
-var RESPONSE_IS_NOT_JSON = "OAUTH_RESPONSE_IS_NOT_JSON";
-var RESPONSE_IS_NOT_CONFORM = "OAUTH_RESPONSE_IS_NOT_CONFORM";
-var HTTP_REQUEST_FORBIDDEN = "OAUTH_HTTP_REQUEST_FORBIDDEN";
-var REQUEST_PROTOCOL_FORBIDDEN = "OAUTH_REQUEST_PROTOCOL_FORBIDDEN";
-var JWT_TIMESTAMP_CHECK = "OAUTH_JWT_TIMESTAMP_CHECK_FAILED";
-var JWT_CLAIM_COMPARISON = "OAUTH_JWT_CLAIM_COMPARISON_FAILED";
-var MISSING_SERVER_METADATA = "OAUTH_MISSING_SERVER_METADATA";
-var INVALID_SERVER_METADATA = "OAUTH_INVALID_SERVER_METADATA";
-function assertReadableResponse(response) {
-  if (response.bodyUsed) {
-    throw CodedTypeError('"response" body has been used already', ERR_INVALID_ARG_VALUE);
-  }
-}
-function checkRsaKeyAlgorithm(key) {
-  const { algorithm } = key;
-  if (typeof algorithm.modulusLength !== "number" || algorithm.modulusLength < 2048) {
-    throw new UnsupportedOperationError(`unsupported ${algorithm.name} modulusLength`, {
-      cause: key
-    });
+    };
   }
-}
-function ecdsaHashName(key) {
-  const { algorithm } = key;
-  switch (algorithm.namedCurve) {
-    case "P-256":
-      return "SHA-256";
-    case "P-384":
-      return "SHA-384";
-    case "P-521":
-      return "SHA-512";
+  switch (method) {
+    case "initialize":
+      return handleInitialize(params, ctx);
+    case "tools/list":
+      return handleToolsList(ctx);
+    case "tools/call":
+      return handleToolsCall(params, ctx, requestId);
+    case "resources/list":
+      return handleResourcesList();
+    case "resources/templates/list":
+      return handleResourcesTemplatesList();
+    case "prompts/list":
+      return handlePromptsList();
+    case "ping":
+      return handlePing();
+    case "logging/setLevel":
+      return handleLoggingSetLevel(params);
     default:
-      throw new UnsupportedOperationError("unsupported ECDSA namedCurve", { cause: key });
-  }
-}
-function keyToSubtle(key) {
-  switch (key.algorithm.name) {
-    case "ECDSA":
+      sharedLogger.debug("mcp_dispatch", { message: "Unknown method", method });
       return {
-        name: key.algorithm.name,
-        hash: ecdsaHashName(key)
+        error: {
+          code: JsonRpcErrorCode2.MethodNotFound,
+          message: `Method not found: ${method}`
+        }
       };
-    case "RSA-PSS": {
-      checkRsaKeyAlgorithm(key);
-      switch (key.algorithm.hash.name) {
-        case "SHA-256":
-        case "SHA-384":
-        case "SHA-512":
-          return {
-            name: key.algorithm.name,
-            saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3
-          };
-        default:
-          throw new UnsupportedOperationError("unsupported RSA-PSS hash name", { cause: key });
-      }
-    }
-    case "RSASSA-PKCS1-v1_5":
-      checkRsaKeyAlgorithm(key);
-      return key.algorithm.name;
-    case "ML-DSA-44":
-    case "ML-DSA-65":
-    case "ML-DSA-87":
-    case "Ed25519":
-      return key.algorithm.name;
-  }
-  throw new UnsupportedOperationError("unsupported CryptoKey algorithm name", { cause: key });
-}
-async function validateJwt(jws, checkAlg, clockSkew2, clockTolerance2, decryptJwt) {
-  let { 0: protectedHeader, 1: payload, length } = jws.split(".");
-  if (length === 5) {
-    if (decryptJwt !== undefined) {
-      jws = await decryptJwt(jws);
-      ({ 0: protectedHeader, 1: payload, length } = jws.split("."));
-    } else {
-      throw new UnsupportedOperationError("JWE decryption is not configured", { cause: jws });
-    }
-  }
-  if (length !== 3) {
-    throw OPE("Invalid JWT", INVALID_RESPONSE, jws);
-  }
-  let header;
-  try {
-    header = JSON.parse(buf(b64u(protectedHeader)));
-  } catch (cause) {
-    throw OPE("failed to parse JWT Header body as base64url encoded JSON", PARSE_ERROR, cause);
-  }
-  if (!isJsonObject(header)) {
-    throw OPE("JWT Header must be a top level object", INVALID_RESPONSE, jws);
-  }
-  checkAlg(header);
-  if (header.crit !== undefined) {
-    throw new UnsupportedOperationError('no JWT "crit" header parameter extensions are supported', {
-      cause: { header }
-    });
-  }
-  let claims;
-  try {
-    claims = JSON.parse(buf(b64u(payload)));
-  } catch (cause) {
-    throw OPE("failed to parse JWT Payload body as base64url encoded JSON", PARSE_ERROR, cause);
-  }
-  if (!isJsonObject(claims)) {
-    throw OPE("JWT Payload must be a top level object", INVALID_RESPONSE, jws);
-  }
-  const now = epochTime() + clockSkew2;
-  if (claims.exp !== undefined) {
-    if (typeof claims.exp !== "number") {
-      throw OPE('unexpected JWT "exp" (expiration time) claim type', INVALID_RESPONSE, { claims });
-    }
-    if (claims.exp <= now - clockTolerance2) {
-      throw OPE('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp', JWT_TIMESTAMP_CHECK, { claims, now, tolerance: clockTolerance2, claim: "exp" });
-    }
   }
-  if (claims.iat !== undefined) {
-    if (typeof claims.iat !== "number") {
-      throw OPE('unexpected JWT "iat" (issued at) claim type', INVALID_RESPONSE, { claims });
-    }
-  }
-  if (claims.iss !== undefined) {
-    if (typeof claims.iss !== "string") {
-      throw OPE('unexpected JWT "iss" (issuer) claim type', INVALID_RESPONSE, { claims });
-    }
-  }
-  if (claims.nbf !== undefined) {
-    if (typeof claims.nbf !== "number") {
-      throw OPE('unexpected JWT "nbf" (not before) claim type', INVALID_RESPONSE, { claims });
-    }
-    if (claims.nbf > now + clockTolerance2) {
-      throw OPE('unexpected JWT "nbf" (not before) claim value', JWT_TIMESTAMP_CHECK, {
-        claims,
-        now,
-        tolerance: clockTolerance2,
-        claim: "nbf"
-      });
-    }
-  }
-  if (claims.aud !== undefined) {
-    if (typeof claims.aud !== "string" && !Array.isArray(claims.aud)) {
-      throw OPE('unexpected JWT "aud" (audience) claim type', INVALID_RESPONSE, { claims });
-    }
-  }
-  return { header, claims, jwt: jws };
 }
-function checkSigningAlgorithm(client, issuer, fallback, header) {
-  if (client !== undefined) {
-    if (typeof client === "string" ? header.alg !== client : !client.includes(header.alg)) {
-      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
-        header,
-        expected: client,
-        reason: "client configuration"
-      });
-    }
-    return;
-  }
-  if (Array.isArray(issuer)) {
-    if (!issuer.includes(header.alg)) {
-      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
-        header,
-        expected: issuer,
-        reason: "authorization server metadata"
-      });
-    }
-    return;
-  }
-  if (fallback !== undefined) {
-    if (typeof fallback === "string" ? header.alg !== fallback : typeof fallback === "function" ? !fallback(header.alg) : !fallback.includes(header.alg)) {
-      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
-        header,
-        expected: fallback,
-        reason: "default value"
-      });
+function handleMcpNotification(method, params, ctx) {
+  if (method === "notifications/initialized") {
+    const session = ctx.getSessionState();
+    if (session) {
+      ctx.setSessionState({ ...session, initialized: true });
     }
-    return;
-  }
-  throw OPE('missing client or server configuration to verify used JWT "alg" header parameter', undefined, { client, issuer, fallback });
-}
-function getURLSearchParameter(parameters, name) {
-  const { 0: value, length } = parameters.getAll(name);
-  if (length > 1) {
-    throw OPE(`"${name}" parameter must be provided only once`, INVALID_RESPONSE);
-  }
-  return value;
-}
-var skipStateCheck = Symbol();
-var expectNoState = Symbol();
-function validateAuthResponse(as, client, parameters, expectedState) {
-  assertAs(as);
-  assertClient(client);
-  if (parameters instanceof URL) {
-    parameters = parameters.searchParams;
-  }
-  if (!(parameters instanceof URLSearchParams)) {
-    throw CodedTypeError('"parameters" must be an instance of URLSearchParams, or URL', ERR_INVALID_ARG_TYPE);
-  }
-  if (getURLSearchParameter(parameters, "response")) {
-    throw OPE('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()', INVALID_RESPONSE, { parameters });
-  }
-  const iss = getURLSearchParameter(parameters, "iss");
-  const state = getURLSearchParameter(parameters, "state");
-  if (!iss && as.authorization_response_iss_parameter_supported) {
-    throw OPE('response parameter "iss" (issuer) missing', INVALID_RESPONSE, { parameters });
-  }
-  if (iss && iss !== as.issuer) {
-    throw OPE('unexpected "iss" (issuer) response parameter value', INVALID_RESPONSE, {
-      expected: as.issuer,
-      parameters
+    sharedLogger.info("mcp_dispatch", {
+      message: "Client initialized",
+      sessionId: ctx.sessionId
     });
+    return true;
   }
-  switch (expectedState) {
-    case undefined:
-    case expectNoState:
-      if (state !== undefined) {
-        throw OPE('unexpected "state" response parameter encountered', INVALID_RESPONSE, {
-          expected: undefined,
-          parameters
+  if (method === "notifications/cancelled") {
+    const cancelParams = params;
+    const requestId = cancelParams?.requestId;
+    if (requestId !== undefined && ctx.cancellationRegistry) {
+      const controller = ctx.cancellationRegistry.get(requestId);
+      if (controller) {
+        sharedLogger.info("mcp_dispatch", {
+          message: "Cancelling request",
+          requestId,
+          reason: cancelParams?.reason,
+          sessionId: ctx.sessionId
         });
+        controller.abort(cancelParams?.reason ?? "Client requested cancellation");
+        return true;
       }
-      break;
-    case skipStateCheck:
-      break;
-    default:
-      assertString(expectedState, '"expectedState" argument');
-      if (state !== expectedState) {
-        throw OPE(state === undefined ? 'response parameter "state" missing' : 'unexpected "state" response parameter value', INVALID_RESPONSE, { expected: expectedState, parameters });
-      }
-  }
-  const error = getURLSearchParameter(parameters, "error");
-  if (error) {
-    throw new AuthorizationResponseError("authorization response from the server is an error", {
-      cause: parameters
-    });
-  }
-  const id_token = getURLSearchParameter(parameters, "id_token");
-  const token = getURLSearchParameter(parameters, "token");
-  if (id_token !== undefined || token !== undefined) {
-    throw new UnsupportedOperationError("implicit and hybrid flows are not supported");
-  }
-  return brand(new URLSearchParams(parameters));
-}
-async function getResponseJsonBody(response, check = assertApplicationJson) {
-  let json;
-  try {
-    json = await response.json();
-  } catch (cause) {
-    check(response);
-    throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause);
-  }
-  if (!isJsonObject(json)) {
-    throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json });
+      sharedLogger.debug("mcp_dispatch", {
+        message: "Cancellation request for unknown requestId",
+        requestId,
+        sessionId: ctx.sessionId
+      });
+    }
+    return true;
   }
-  return json;
+  sharedLogger.debug("mcp_dispatch", {
+    message: "Unhandled notification",
+    method,
+    sessionId: ctx.sessionId
+  });
+  return false;
 }
-var _nodiscoverycheck = Symbol();
-var _expectedIssuer = Symbol();
 
 // src/shared/oauth/refresh.ts
+import * as oauth from "oauth4webapi";
 function buildProviderRefreshConfig(config) {
   if (!config.PROVIDER_CLIENT_ID || !config.PROVIDER_CLIENT_SECRET || !config.PROVIDER_ACCOUNTS_URL) {
     return;
@@ -1867,9 +1580,9 @@ async function refreshProviderToken(refreshToken, config) {
     tokenUrl: authServer.token_endpoint
   });
   try {
-    const clientAuth = ClientSecretPost(config.clientSecret);
-    const response = await refreshTokenGrantRequest(authServer, client, clientAuth, refreshToken);
-    const result = await processRefreshTokenResponse(authServer, client, response);
+    const clientAuth = oauth.ClientSecretPost(config.clientSecret);
+    const response = await oauth.refreshTokenGrantRequest(authServer, client, clientAuth, refreshToken);
+    const result = await oauth.processRefreshTokenResponse(authServer, client, response);
     const accessToken = result.access_token;
     if (!accessToken) {
       return {
@@ -1891,7 +1604,7 @@ async function refreshProviderToken(refreshToken, config) {
       }
     };
   } catch (error) {
-    if (error instanceof ResponseBodyError) {
+    if (error instanceof oauth.ResponseBodyError) {
       sharedLogger.error("oauth_refresh", {
         message: "Provider refresh failed",
         error: error.error,
@@ -2212,16 +1925,17 @@ function assertSsrfSafe(urlString, options) {
 }
 
 // src/shared/oauth/cimd.ts
-var ClientMetadataSchema = exports_external.object({
-  client_id: exports_external.string().url(),
-  client_name: exports_external.string().optional(),
-  redirect_uris: exports_external.array(exports_external.string().url()),
-  client_uri: exports_external.string().url().optional(),
-  logo_uri: exports_external.string().url().optional(),
-  tos_uri: exports_external.string().url().optional(),
-  policy_uri: exports_external.string().url().optional(),
-  jwks_uri: exports_external.string().url().optional(),
-  software_statement: exports_external.string().optional()
+import { z as z4 } from "zod";
+var ClientMetadataSchema = z4.object({
+  client_id: z4.string().url(),
+  client_name: z4.string().optional(),
+  redirect_uris: z4.array(z4.string().url()),
+  client_uri: z4.string().url().optional(),
+  logo_uri: z4.string().url().optional(),
+  tos_uri: z4.string().url().optional(),
+  policy_uri: z4.string().url().optional(),
+  jwks_uri: z4.string().url().optional(),
+  software_statement: z4.string().optional()
 });
 function isClientIdUrl(clientId) {
   if (!clientId.startsWith("https://")) {
@@ -2374,6 +2088,7 @@ function validateRedirectUri(metadata, redirectUri) {
 }
 
 // src/shared/oauth/flow.ts
+import * as oauth2 from "oauth4webapi";
 function generateOpaqueToken(bytes = 32) {
   const array = new Uint8Array(bytes);
   crypto.getRandomValues(array);
@@ -2588,18 +2303,18 @@ async function handleProviderCallback(input, store, providerConfig, oauthConfig,
   });
   const rawParams = new URLSearchParams;
   rawParams.set("code", input.providerCode);
-  const callbackParams = validateAuthResponse(authServer, client, rawParams, skipStateCheck);
+  const callbackParams = oauth2.validateAuthResponse(authServer, client, rawParams, oauth2.skipStateCheck);
   if (!providerConfig.clientSecret) {
     throw new Error("Server misconfigured: PROVIDER_CLIENT_SECRET is not set");
   }
-  const clientAuth = ClientSecretPost(providerConfig.clientSecret);
+  const clientAuth = oauth2.ClientSecretPost(providerConfig.clientSecret);
   try {
-    const response = await authorizationCodeGrantRequest(authServer, client, clientAuth, callbackParams, redirectUri, nopkce);
+    const response = await oauth2.authorizationCodeGrantRequest(authServer, client, clientAuth, callbackParams, redirectUri, oauth2.nopkce);
     sharedLogger.debug("oauth_callback", {
       message: "Token response received",
       status: response.status
     });
-    const result = await processAuthorizationCodeResponse(authServer, client, response);
+    const result = await oauth2.processAuthorizationCodeResponse(authServer, client, response);
     const accessToken = result.access_token;
     if (!accessToken) {
       sharedLogger.error("oauth_callback", {
@@ -2640,7 +2355,7 @@ async function handleProviderCallback(input, store, providerConfig, oauthConfig,
       providerTokens
     };
   } catch (error) {
-    if (error instanceof ResponseBodyError) {
+    if (error instanceof oauth2.ResponseBodyError) {
       sharedLogger.error("oauth_callback", {
         message: "Provider token error",
         error: error.error,
@@ -2733,7 +2448,7 @@ async function handleToken(input, store, providerConfig) {
     throw new Error("invalid_grant");
   }
   const expected = txn.codeChallenge;
-  const actual = await calculatePKCECodeChallenge(input.codeVerifier);
+  const actual = await oauth2.calculatePKCECodeChallenge(input.codeVerifier);
   if (expected !== actual) {
     sharedLogger.error("oauth_token", {
       message: "PKCE verification failed"
@@ -2749,7 +2464,7 @@ async function handleToken(input, store, providerConfig) {
   if (txn.provider?.access_token) {
     await store.storeRsMapping(rsAccess, txn.provider, rsRefresh);
     sharedLogger.info("oauth_token", {
-      message: "RS\u2192Provider mapping stored"
+      message: "RS→Provider mapping stored"
     });
   } else {
     sharedLogger.warning("oauth_token", {
@@ -2867,51 +2582,8 @@ function buildFlowOptions(url, config, overrides = {}) {
   };
 }
 
-// node_modules/itty-router/index.mjs
-var t = ({ base: e = "", routes: t2 = [], ...o } = {}) => ({ __proto__: new Proxy({}, { get: (o2, r, a, s) => (o3, ...n) => t2.push([r.toUpperCase?.(), RegExp(`^${(s = (e + o3).replace(/\/+(\/|$)/g, "$1")).replace(/(\/?\.?):(\w+)\+/g, "($1(?<$2>*))").replace(/(\/?\.?):(\w+)/g, "($1(?<$2>[^$1/]+?))").replace(/\./g, "\\.").replace(/(\/?)\*/g, "($1.*)?")}/*$`), n, s]) && a }), routes: t2, ...o, async fetch(e2, ...r) {
-  let a, s, n = new URL(e2.url), c = e2.query = { __proto__: null };
-  for (let [e3, t3] of n.searchParams)
-    c[e3] = c[e3] ? [].concat(c[e3], t3) : t3;
-  e:
-    try {
-      for (let t3 of o.before || [])
-        if ((a = await t3(e2.proxy ?? e2, ...r)) != null)
-          break e;
-      t:
-        for (let [o2, c2, l, i] of t2)
-          if ((o2 == e2.method || o2 == "ALL") && (s = n.pathname.match(c2))) {
-            e2.params = s.groups || {}, e2.route = i;
-            for (let t3 of l)
-              if ((a = await t3(e2.proxy ?? e2, ...r)) != null)
-                break t;
-          }
-    } catch (t3) {
-      if (!o.catch)
-        throw t3;
-      a = await o.catch(t3, e2.proxy ?? e2, ...r);
-    }
-  try {
-    for (let t3 of o.finally || [])
-      a = await t3(a, e2.proxy ?? e2, ...r) ?? a;
-  } catch (t3) {
-    if (!o.catch)
-      throw t3;
-    a = await o.catch(t3, e2.proxy ?? e2, ...r);
-  }
-  return a;
-} });
-var o = (e = "text/plain; charset=utf-8", t2) => (o2, r = {}) => {
-  if (o2 === undefined || o2 instanceof Response)
-    return o2;
-  const a = new Response(t2?.(o2) ?? o2, r.url ? undefined : r);
-  return a.headers.set("content-type", e), a;
-};
-var r = o("application/json; charset=utf-8", JSON.stringify);
-var p = o("text/plain; charset=utf-8", String);
-var f = o("text/html");
-var u = o("image/jpeg");
-var h = o("image/png");
-var g = o("image/webp");
+// src/adapters/http-worker/index.ts
+import { Router } from "itty-router";
 
 // src/adapters/http-worker/security.ts
 async function checkAuthAndChallenge(request, store, config, sid) {
@@ -3421,16 +3093,16 @@ function initializeWorkerStorage(env, config) {
     sharedTokenStore = new MemoryTokenStore;
     sharedSessionStore = new MemorySessionStore;
   }
-  let encrypt;
-  let decrypt;
+  let encrypt2;
+  let decrypt2;
   if (env.RS_TOKENS_ENC_KEY) {
     const encryptor = createEncryptor(env.RS_TOKENS_ENC_KEY);
-    encrypt = encryptor.encrypt;
-    decrypt = encryptor.decrypt;
+    encrypt2 = encryptor.encrypt;
+    decrypt2 = encryptor.decrypt;
     sharedLogger.debug("worker_storage", { message: "KV encryption enabled" });
   } else {
-    encrypt = async (s) => s;
-    decrypt = async (s) => s;
+    encrypt2 = async (s) => s;
+    decrypt2 = async (s) => s;
     if (config.NODE_ENV === "production") {
       sharedLogger.warning("worker_storage", {
         message: "RS_TOKENS_ENC_KEY not set! KV data is unencrypted."
@@ -3438,13 +3110,13 @@ function initializeWorkerStorage(env, config) {
     }
   }
   const tokenStore = new KvTokenStore(kvNamespace, {
-    encrypt,
-    decrypt,
+    encrypt: encrypt2,
+    decrypt: decrypt2,
     fallback: sharedTokenStore
   });
   const sessionStore = new KvSessionStore(kvNamespace, {
-    encrypt,
-    decrypt,
+    encrypt: encrypt2,
+    decrypt: decrypt2,
     fallback: sharedSessionStore
   });
   initializeStorage(tokenStore, sessionStore);
@@ -3452,7 +3124,7 @@ function initializeWorkerStorage(env, config) {
 }
 var MCP_ENDPOINT_PATH = "/mcp";
 function createWorkerRouter(ctx) {
-  const router = t();
+  const router = Router();
   const { tokenStore, sessionStore, config, tools } = ctx;
   router.options("*", () => corsPreflightResponse());
   attachDiscoveryRoutes(router, config);
@@ -3467,12 +3139,12 @@ function createWorkerRouter(ctx) {
   return router;
 }
 function shimProcessEnv(env) {
-  const g2 = globalThis;
-  g2.process = g2.process || {};
-  g2.process.env = {
-    ...g2.process.env ?? {},
+  const g = globalThis;
+  g.process = g.process || {};
+  g.process.env = {
+    ...g.process.env ?? {},
     ...env
   };
 }
 
-export { withCors, corsPreflightResponse, buildCorsHeaders, KvTokenStore, KvSessionStore, initializeStorage, getTokenStore, getSessionStore, JsonRpcErrorCode, LATEST_PROTOCOL_VERSION, SUPPORTED_PROTOCOL_VERSIONS, getLogLevel, dispatchMcpMethod, handleMcpNotification, buildProviderRefreshConfig, refreshProviderToken, isTokenExpiredOrExpiring, ensureFreshToken, validateOrigin, validateProtocolVersion, buildUnauthorizedChallenge, buildAuthorizationServerMetadata, buildProtectedResourceMetadata, createDiscoveryHandlers, workerDiscoveryStrategy, nodeDiscoveryStrategy, checkSsrfSafe, isSsrfSafe, assertSsrfSafe, ClientMetadataSchema, isClientIdUrl, fetchClientMetadata, validateRedirectUri, generateOpaqueToken, handleAuthorize, handleProviderCallback, handleToken, handleRegister, handleRevoke, parseAuthorizeInput, parseCallbackInput, parseTokenInput, buildTokenInput, buildProviderConfig, buildOAuthConfig, buildFlowOptions, initializeWorkerStorage, createWorkerRouter, shimProcessEnv };
+export { base64Encode, base64Decode, base64UrlEncode, base64UrlDecode, base64UrlEncodeString, base64UrlDecodeString, base64UrlEncodeJson, base64UrlDecodeJson, encrypt, decrypt, generateKey, createEncryptor, withCors, corsPreflightResponse, buildCorsHeaders, MAX_SESSIONS_PER_API_KEY, MemoryTokenStore, MemorySessionStore, KvTokenStore, KvSessionStore, initializeStorage, getTokenStore, getSessionStore, sharedLogger, logger, JsonRpcErrorCode, CancellationError, CancellationToken, createCancellationToken, withCancellation, toProviderInfo, toProviderTokens, assertProviderToken, defineTool, echoInputSchema, echoTool, healthInputSchema, healthTool, sharedTools, getSharedTool, getSharedToolNames, executeSharedTool, registerTools, LATEST_PROTOCOL_VERSION, SUPPORTED_PROTOCOL_VERSIONS, getLogLevel, dispatchMcpMethod, handleMcpNotification, buildProviderRefreshConfig, refreshProviderToken, isTokenExpiredOrExpiring, ensureFreshToken, validateOrigin, validateProtocolVersion, buildUnauthorizedChallenge, buildAuthorizationServerMetadata, buildProtectedResourceMetadata, createDiscoveryHandlers, workerDiscoveryStrategy, nodeDiscoveryStrategy, checkSsrfSafe, isSsrfSafe, assertSsrfSafe, ClientMetadataSchema, isClientIdUrl, fetchClientMetadata, validateRedirectUri, generateOpaqueToken, handleAuthorize, handleProviderCallback, handleToken, handleRegister, handleRevoke, parseAuthorizeInput, parseCallbackInput, parseTokenInput, buildTokenInput, buildProviderConfig, buildOAuthConfig, buildFlowOptions, initializeWorkerStorage, createWorkerRouter, shimProcessEnv };