@phake/mcp 0.0.3 → 0.0.5

package/dist/index-zhw318hb.js

@@ -0,0 +1,3149 @@
+// src/shared/utils/base64.ts
+function base64Encode(input) {
+  return btoa(input);
+}
+function base64Decode(input) {
+  return atob(input);
+}
+function base64UrlEncode(bytes) {
+  let binary = "";
+  for (let i = 0;i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padLength = (4 - base64.length % 4) % 4;
+  base64 += "=".repeat(padLength);
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0;i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function base64UrlEncodeString(input) {
+  return base64UrlEncode(new TextEncoder().encode(input));
+}
+function base64UrlDecodeString(input) {
+  return new TextDecoder().decode(base64UrlDecode(input));
+}
+function base64UrlEncodeJson(obj) {
+  try {
+    return base64UrlEncodeString(JSON.stringify(obj));
+  } catch {
+    return "";
+  }
+}
+function base64UrlDecodeJson(value) {
+  try {
+    return JSON.parse(base64UrlDecodeString(value));
+  } catch {
+    return null;
+  }
+}
+
+// src/shared/crypto/aes-gcm.ts
+var ALGORITHM = "AES-GCM";
+var KEY_LENGTH = 256;
+var IV_LENGTH = 12;
+var TAG_LENGTH = 128;
+async function deriveKey(secret) {
+  const keyBytes = base64UrlDecode(secret);
+  if (keyBytes.length !== 32) {
+    throw new Error(`Invalid key length: expected 32 bytes, got ${keyBytes.length}`);
+  }
+  return crypto.subtle.importKey("raw", keyBytes.buffer, { name: ALGORITHM, length: KEY_LENGTH }, false, ["encrypt", "decrypt"]);
+}
+async function encrypt(plaintext, secret) {
+  const key = await deriveKey(secret);
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+  const plaintextBytes = new TextEncoder().encode(plaintext);
+  const ciphertext = await crypto.subtle.encrypt({ name: ALGORITHM, iv, tagLength: TAG_LENGTH }, key, plaintextBytes);
+  const combined = new Uint8Array(iv.length + ciphertext.byteLength);
+  combined.set(iv, 0);
+  combined.set(new Uint8Array(ciphertext), iv.length);
+  return base64UrlEncode(combined);
+}
+async function decrypt(ciphertext, secret) {
+  const key = await deriveKey(secret);
+  const combined = base64UrlDecode(ciphertext);
+  if (combined.length < IV_LENGTH + 16) {
+    throw new Error("Invalid ciphertext: too short");
+  }
+  const iv = combined.slice(0, IV_LENGTH);
+  const encrypted = combined.slice(IV_LENGTH);
+  const plaintextBytes = await crypto.subtle.decrypt({ name: ALGORITHM, iv, tagLength: TAG_LENGTH }, key, encrypted);
+  return new TextDecoder().decode(plaintextBytes);
+}
+function generateKey() {
+  const bytes = crypto.getRandomValues(new Uint8Array(32));
+  return base64UrlEncode(bytes);
+}
+function createEncryptor(secret) {
+  return {
+    encrypt: (plaintext) => encrypt(plaintext, secret),
+    decrypt: (ciphertext) => decrypt(ciphertext, secret)
+  };
+}
+
+// src/shared/http/cors.ts
+var DEFAULT_CORS = {
+  origin: "*",
+  methods: ["GET", "POST", "DELETE", "OPTIONS"],
+  headers: ["*"],
+  credentials: false,
+  maxAge: 86400
+};
+function withCors(response, options = {}) {
+  const opts = { ...DEFAULT_CORS, ...options };
+  response.headers.set("Access-Control-Allow-Origin", opts.origin ?? "*");
+  response.headers.set("Access-Control-Allow-Methods", (opts.methods ?? []).join(", "));
+  response.headers.set("Access-Control-Allow-Headers", (opts.headers ?? []).join(", "));
+  if (opts.credentials) {
+    response.headers.set("Access-Control-Allow-Credentials", "true");
+  }
+  if (opts.maxAge) {
+    response.headers.set("Access-Control-Max-Age", String(opts.maxAge));
+  }
+  return response;
+}
+function corsPreflightResponse(options = {}) {
+  return withCors(new Response(null, { status: 204 }), options);
+}
+function buildCorsHeaders(options = {}) {
+  const opts = { ...DEFAULT_CORS, ...options };
+  const headers = {
+    "Access-Control-Allow-Origin": opts.origin ?? "*",
+    "Access-Control-Allow-Methods": (opts.methods ?? []).join(", "),
+    "Access-Control-Allow-Headers": (opts.headers ?? []).join(", ")
+  };
+  if (opts.credentials) {
+    headers["Access-Control-Allow-Credentials"] = "true";
+  }
+  if (opts.maxAge) {
+    headers["Access-Control-Max-Age"] = String(opts.maxAge);
+  }
+  return headers;
+}
+
+// src/shared/storage/interface.ts
+var MAX_SESSIONS_PER_API_KEY = 5;
+
+// src/shared/storage/memory.ts
+var DEFAULT_TXN_TTL_MS = 10 * 60 * 1000;
+var DEFAULT_CODE_TTL_MS = 10 * 60 * 1000;
+var DEFAULT_SESSION_TTL_MS = 24 * 60 * 60 * 1000;
+var DEFAULT_RS_TOKEN_TTL_MS = 7 * 24 * 60 * 60 * 1000;
+var MAX_RS_RECORDS = 1e4;
+var MAX_TRANSACTIONS = 1000;
+var MAX_SESSIONS = 1e4;
+var CLEANUP_INTERVAL_MS = 60000;
+function evictOldest(map, maxSize, countToRemove = 1) {
+  if (map.size < maxSize)
+    return;
+  const entries = [...map.entries()].sort((a, b) => {
+    const aTime = a[1].created_at ?? a[1].createdAt ?? 0;
+    const bTime = b[1].created_at ?? b[1].createdAt ?? 0;
+    return aTime - bTime;
+  });
+  for (let i = 0;i < countToRemove && i < entries.length; i++) {
+    map.delete(entries[i][0]);
+  }
+}
+function cleanupExpired(map) {
+  const now = Date.now();
+  let removed = 0;
+  for (const [key, entry] of map) {
+    if (now >= entry.expiresAt) {
+      map.delete(key);
+      removed++;
+    }
+  }
+  return removed;
+}
+
+class MemoryTokenStore {
+  rsAccessMap = new Map;
+  rsRefreshMap = new Map;
+  transactions = new Map;
+  codes = new Map;
+  cleanupIntervalId = null;
+  constructor() {
+    this.startCleanup();
+  }
+  startCleanup() {
+    if (this.cleanupIntervalId)
+      return;
+    this.cleanupIntervalId = setInterval(() => {
+      this.cleanup();
+    }, CLEANUP_INTERVAL_MS);
+    if (typeof this.cleanupIntervalId === "object" && "unref" in this.cleanupIntervalId) {
+      this.cleanupIntervalId.unref();
+    }
+  }
+  stopCleanup() {
+    if (this.cleanupIntervalId) {
+      clearInterval(this.cleanupIntervalId);
+      this.cleanupIntervalId = null;
+    }
+  }
+  cleanup() {
+    const now = Date.now();
+    let tokensRemoved = 0;
+    for (const [key, entry] of this.rsAccessMap) {
+      if (now >= entry.expiresAt) {
+        this.rsAccessMap.delete(key);
+        tokensRemoved++;
+      }
+    }
+    for (const [key, entry] of this.rsRefreshMap) {
+      if (now >= entry.expiresAt) {
+        this.rsRefreshMap.delete(key);
+      }
+    }
+    const transactionsRemoved = cleanupExpired(this.transactions);
+    const codesRemoved = cleanupExpired(this.codes);
+    return {
+      tokens: tokensRemoved,
+      transactions: transactionsRemoved,
+      codes: codesRemoved
+    };
+  }
+  async storeRsMapping(rsAccess, provider, rsRefresh, ttlMs = DEFAULT_RS_TOKEN_TTL_MS) {
+    const now = Date.now();
+    const expiresAt = now + ttlMs;
+    evictOldest(this.rsAccessMap, MAX_RS_RECORDS, 10);
+    if (rsRefresh) {
+      const existing = this.rsRefreshMap.get(rsRefresh);
+      if (existing) {
+        this.rsAccessMap.delete(existing.rs_access_token);
+        existing.rs_access_token = rsAccess;
+        existing.provider = { ...provider };
+        existing.expiresAt = expiresAt;
+        this.rsAccessMap.set(rsAccess, existing);
+        return existing;
+      }
+    }
+    const record = {
+      rs_access_token: rsAccess,
+      rs_refresh_token: rsRefresh ?? crypto.randomUUID(),
+      provider: { ...provider },
+      created_at: now,
+      expiresAt
+    };
+    this.rsAccessMap.set(record.rs_access_token, record);
+    this.rsRefreshMap.set(record.rs_refresh_token, record);
+    return record;
+  }
+  async getByRsAccess(rsAccess) {
+    const entry = this.rsAccessMap.get(rsAccess);
+    if (!entry)
+      return null;
+    if (Date.now() >= entry.expiresAt) {
+      this.rsAccessMap.delete(rsAccess);
+      this.rsRefreshMap.delete(entry.rs_refresh_token);
+      return null;
+    }
+    return entry;
+  }
+  async getByRsRefresh(rsRefresh) {
+    const entry = this.rsRefreshMap.get(rsRefresh);
+    if (!entry)
+      return null;
+    if (Date.now() >= entry.expiresAt) {
+      this.rsAccessMap.delete(entry.rs_access_token);
+      this.rsRefreshMap.delete(rsRefresh);
+      return null;
+    }
+    return entry;
+  }
+  async updateByRsRefresh(rsRefresh, provider, maybeNewRsAccess, ttlMs = DEFAULT_RS_TOKEN_TTL_MS) {
+    const rec = this.rsRefreshMap.get(rsRefresh);
+    if (!rec)
+      return null;
+    const now = Date.now();
+    if (maybeNewRsAccess) {
+      this.rsAccessMap.delete(rec.rs_access_token);
+      rec.rs_access_token = maybeNewRsAccess;
+      rec.created_at = now;
+    }
+    rec.provider = { ...provider };
+    rec.expiresAt = now + ttlMs;
+    this.rsAccessMap.set(rec.rs_access_token, rec);
+    this.rsRefreshMap.set(rsRefresh, rec);
+    return rec;
+  }
+  async saveTransaction(txnId, txn, ttlSeconds) {
+    const ttlMs = ttlSeconds ? ttlSeconds * 1000 : DEFAULT_TXN_TTL_MS;
+    const now = Date.now();
+    evictOldest(this.transactions, MAX_TRANSACTIONS, 10);
+    this.transactions.set(txnId, {
+      value: txn,
+      expiresAt: now + ttlMs,
+      createdAt: now
+    });
+  }
+  async getTransaction(txnId) {
+    const entry = this.transactions.get(txnId);
+    if (!entry)
+      return null;
+    if (Date.now() >= entry.expiresAt) {
+      this.transactions.delete(txnId);
+      return null;
+    }
+    return entry.value;
+  }
+  async deleteTransaction(txnId) {
+    this.transactions.delete(txnId);
+  }
+  async saveCode(code, txnId, ttlSeconds) {
+    const ttlMs = ttlSeconds ? ttlSeconds * 1000 : DEFAULT_CODE_TTL_MS;
+    const now = Date.now();
+    this.codes.set(code, {
+      value: txnId,
+      expiresAt: now + ttlMs,
+      createdAt: now
+    });
+  }
+  async getTxnIdByCode(code) {
+    const entry = this.codes.get(code);
+    if (!entry)
+      return null;
+    if (Date.now() >= entry.expiresAt) {
+      this.codes.delete(code);
+      return null;
+    }
+    return entry.value;
+  }
+  async deleteCode(code) {
+    this.codes.delete(code);
+  }
+  getStats() {
+    return {
+      rsTokens: this.rsAccessMap.size,
+      transactions: this.transactions.size,
+      codes: this.codes.size
+    };
+  }
+}
+
+class MemorySessionStore {
+  sessions = new Map;
+  cleanupIntervalId = null;
+  constructor() {
+    this.startCleanup();
+  }
+  startCleanup() {
+    if (this.cleanupIntervalId)
+      return;
+    this.cleanupIntervalId = setInterval(() => {
+      this.cleanup();
+    }, CLEANUP_INTERVAL_MS);
+    if (typeof this.cleanupIntervalId === "object" && "unref" in this.cleanupIntervalId) {
+      this.cleanupIntervalId.unref();
+    }
+  }
+  stopCleanup() {
+    if (this.cleanupIntervalId) {
+      clearInterval(this.cleanupIntervalId);
+      this.cleanupIntervalId = null;
+    }
+  }
+  cleanup() {
+    const now = Date.now();
+    let removed = 0;
+    for (const [sessionId, session] of this.sessions) {
+      if (now >= session.expiresAt) {
+        this.sessions.delete(sessionId);
+        removed++;
+      }
+    }
+    return removed;
+  }
+  async create(sessionId, apiKey, ttlMs = DEFAULT_SESSION_TTL_MS) {
+    const count = await this.countByApiKey(apiKey);
+    if (count >= MAX_SESSIONS_PER_API_KEY) {
+      await this.deleteOldestByApiKey(apiKey);
+    }
+    if (this.sessions.size >= MAX_SESSIONS) {
+      const oldest = [...this.sessions.entries()].sort((a, b) => a[1].created_at - b[1].created_at)[0];
+      if (oldest) {
+        this.sessions.delete(oldest[0]);
+      }
+    }
+    const now = Date.now();
+    const record = {
+      sessionId,
+      apiKey,
+      created_at: now,
+      last_accessed: now,
+      initialized: false,
+      expiresAt: now + ttlMs
+    };
+    this.sessions.set(sessionId, record);
+    return record;
+  }
+  async get(sessionId) {
+    const session = this.sessions.get(sessionId);
+    if (!session)
+      return null;
+    const now = Date.now();
+    if (now >= session.expiresAt) {
+      this.sessions.delete(sessionId);
+      return null;
+    }
+    session.last_accessed = now;
+    return session;
+  }
+  async update(sessionId, data) {
+    const session = this.sessions.get(sessionId);
+    if (!session)
+      return;
+    const now = Date.now();
+    Object.assign(session, data, { last_accessed: now });
+  }
+  async delete(sessionId) {
+    this.sessions.delete(sessionId);
+  }
+  async getByApiKey(apiKey) {
+    const results = [];
+    const now = Date.now();
+    for (const session of this.sessions.values()) {
+      if (session.apiKey === apiKey && now < session.expiresAt) {
+        results.push(session);
+      }
+    }
+    return results.sort((a, b) => b.last_accessed - a.last_accessed);
+  }
+  async countByApiKey(apiKey) {
+    let count = 0;
+    const now = Date.now();
+    for (const session of this.sessions.values()) {
+      if (session.apiKey === apiKey && now < session.expiresAt) {
+        count++;
+      }
+    }
+    return count;
+  }
+  async deleteOldestByApiKey(apiKey) {
+    let oldest = null;
+    const now = Date.now();
+    for (const session of this.sessions.values()) {
+      if (session.apiKey === apiKey && now < session.expiresAt) {
+        if (!oldest || session.last_accessed < oldest.last_accessed) {
+          oldest = session;
+        }
+      }
+    }
+    if (oldest) {
+      this.sessions.delete(oldest.sessionId);
+    }
+  }
+  async ensure(sessionId, ttlMs = DEFAULT_SESSION_TTL_MS) {
+    const existing = this.sessions.get(sessionId);
+    if (existing) {
+      existing.expiresAt = Date.now() + ttlMs;
+      existing.last_accessed = Date.now();
+      return;
+    }
+    if (this.sessions.size >= MAX_SESSIONS) {
+      const oldest = [...this.sessions.entries()].sort((a, b) => a[1].created_at - b[1].created_at)[0];
+      if (oldest) {
+        this.sessions.delete(oldest[0]);
+      }
+    }
+    const now = Date.now();
+    this.sessions.set(sessionId, {
+      sessionId,
+      created_at: now,
+      last_accessed: now,
+      expiresAt: now + ttlMs
+    });
+  }
+  async put(sessionId, value, ttlMs = DEFAULT_SESSION_TTL_MS) {
+    const now = Date.now();
+    this.sessions.set(sessionId, {
+      ...value,
+      sessionId,
+      last_accessed: value.last_accessed ?? now,
+      expiresAt: now + ttlMs
+    });
+  }
+  getSessionCount() {
+    return this.sessions.size;
+  }
+}
+
+// src/shared/storage/kv.ts
+function ttl(seconds) {
+  return Math.floor(Date.now() / 1000) + seconds;
+}
+function toJson(value) {
+  return JSON.stringify(value);
+}
+function fromJson(value) {
+  if (!value) {
+    return null;
+  }
+  try {
+    return JSON.parse(value);
+  } catch {
+    return null;
+  }
+}
+
+class KvTokenStore {
+  kv;
+  encrypt;
+  decrypt;
+  fallback;
+  constructor(kv, options) {
+    this.kv = kv;
+    this.encrypt = options?.encrypt ?? ((s) => s);
+    this.decrypt = options?.decrypt ?? ((s) => s);
+    this.fallback = options?.fallback ?? new MemoryTokenStore;
+  }
+  async putJson(key, value, options) {
+    try {
+      const raw = await this.encrypt(toJson(value));
+      await this.kv.put(key, raw, options);
+    } catch (error) {
+      console.error("[KV] Write failed:", error.message);
+      throw error;
+    }
+  }
+  async getJson(key) {
+    const raw = await this.kv.get(key);
+    if (!raw) {
+      return null;
+    }
+    const plain = await this.decrypt(raw);
+    return fromJson(plain);
+  }
+  async storeRsMapping(rsAccess, provider, rsRefresh) {
+    const rec = {
+      rs_access_token: rsAccess,
+      rs_refresh_token: rsRefresh ?? crypto.randomUUID(),
+      provider: { ...provider },
+      created_at: Date.now()
+    };
+    await this.fallback.storeRsMapping(rsAccess, provider, rsRefresh);
+    try {
+      await Promise.all([
+        this.putJson(`rs:access:${rec.rs_access_token}`, rec),
+        this.putJson(`rs:refresh:${rec.rs_refresh_token}`, rec)
+      ]);
+    } catch (error) {
+      console.warn("[KV] Failed to persist RS mapping (using memory fallback):", error.message);
+    }
+    return rec;
+  }
+  async getByRsAccess(rsAccess) {
+    const rec = await this.getJson(`rs:access:${rsAccess}`);
+    return rec ?? await this.fallback.getByRsAccess(rsAccess);
+  }
+  async getByRsRefresh(rsRefresh) {
+    const rec = await this.getJson(`rs:refresh:${rsRefresh}`);
+    return rec ?? await this.fallback.getByRsRefresh(rsRefresh);
+  }
+  async updateByRsRefresh(rsRefresh, provider, maybeNewRsAccess) {
+    const existing = await this.getJson(`rs:refresh:${rsRefresh}`);
+    if (!existing) {
+      return this.fallback.updateByRsRefresh(rsRefresh, provider, maybeNewRsAccess);
+    }
+    const rsAccessChanged = maybeNewRsAccess && maybeNewRsAccess !== existing.rs_access_token;
+    const next = {
+      rs_access_token: maybeNewRsAccess || existing.rs_access_token,
+      rs_refresh_token: rsRefresh,
+      provider: { ...provider },
+      created_at: Date.now()
+    };
+    await this.fallback.updateByRsRefresh(rsRefresh, provider, maybeNewRsAccess);
+    try {
+      if (rsAccessChanged) {
+        await Promise.all([
+          this.kv.delete(`rs:access:${existing.rs_access_token}`),
+          this.putJson(`rs:access:${next.rs_access_token}`, next),
+          this.putJson(`rs:refresh:${rsRefresh}`, next)
+        ]);
+      } else {
+        await Promise.all([
+          this.putJson(`rs:access:${existing.rs_access_token}`, next),
+          this.putJson(`rs:refresh:${rsRefresh}`, next)
+        ]);
+      }
+    } catch (error) {
+      console.warn("[KV] Failed to update RS mapping (using memory fallback):", error.message);
+    }
+    return next;
+  }
+  async saveTransaction(txnId, txn, ttlSeconds = 600) {
+    await this.fallback.saveTransaction(txnId, txn);
+    try {
+      await this.putJson(`txn:${txnId}`, txn, { expiration: ttl(ttlSeconds) });
+    } catch (error) {
+      console.warn("[KV] Failed to save transaction (using memory):", error.message);
+    }
+  }
+  async getTransaction(txnId) {
+    const txn = await this.getJson(`txn:${txnId}`);
+    return txn ?? await this.fallback.getTransaction(txnId);
+  }
+  async deleteTransaction(txnId) {
+    await this.fallback.deleteTransaction(txnId);
+  }
+  async saveCode(code, txnId, ttlSeconds = 600) {
+    await this.fallback.saveCode(code, txnId);
+    try {
+      await this.putJson(`code:${code}`, { v: txnId }, { expiration: ttl(ttlSeconds) });
+    } catch (error) {
+      console.warn("[KV] Failed to save code (using memory):", error.message);
+    }
+  }
+  async getTxnIdByCode(code) {
+    const obj = await this.getJson(`code:${code}`);
+    return obj?.v ?? await this.fallback.getTxnIdByCode(code);
+  }
+  async deleteCode(code) {
+    await this.fallback.deleteCode(code);
+  }
+}
+var SESSION_KEY_PREFIX = "session:";
+var SESSION_APIKEY_PREFIX = "session:apikey:";
+var SESSION_TTL_SECONDS = 24 * 60 * 60;
+
+class KvSessionStore {
+  kv;
+  encrypt;
+  decrypt;
+  fallback;
+  constructor(kv, options) {
+    this.kv = kv;
+    this.encrypt = options?.encrypt ?? ((s) => s);
+    this.decrypt = options?.decrypt ?? ((s) => s);
+    this.fallback = options?.fallback ?? new MemorySessionStore;
+  }
+  async putSession(sessionId, value) {
+    const raw = await this.encrypt(toJson(value));
+    await this.kv.put(`${SESSION_KEY_PREFIX}${sessionId}`, raw, {
+      expiration: ttl(SESSION_TTL_SECONDS)
+    });
+  }
+  async getSession(sessionId) {
+    const raw = await this.kv.get(`${SESSION_KEY_PREFIX}${sessionId}`);
+    if (!raw) {
+      return this.fallback.get(sessionId);
+    }
+    const plain = await this.decrypt(raw);
+    return fromJson(plain);
+  }
+  async getApiKeySessionIds(apiKey) {
+    const raw = await this.kv.get(`${SESSION_APIKEY_PREFIX}${apiKey}`);
+    if (!raw)
+      return [];
+    return fromJson(raw) ?? [];
+  }
+  async setApiKeySessionIds(apiKey, sessionIds) {
+    if (sessionIds.length === 0) {
+      await this.kv.delete(`${SESSION_APIKEY_PREFIX}${apiKey}`);
+    } else {
+      await this.kv.put(`${SESSION_APIKEY_PREFIX}${apiKey}`, toJson(sessionIds), {
+        expiration: ttl(SESSION_TTL_SECONDS)
+      });
+    }
+  }
+  async create(sessionId, apiKey) {
+    const currentCount = await this.countByApiKey(apiKey);
+    if (currentCount >= MAX_SESSIONS_PER_API_KEY) {
+      await this.deleteOldestByApiKey(apiKey);
+    }
+    const now = Date.now();
+    const record = {
+      apiKey,
+      created_at: now,
+      last_accessed: now,
+      initialized: false
+    };
+    await this.putSession(sessionId, record);
+    await this.fallback.create(sessionId, apiKey);
+    const sessionIds = await this.getApiKeySessionIds(apiKey);
+    if (!sessionIds.includes(sessionId)) {
+      sessionIds.push(sessionId);
+      await this.setApiKeySessionIds(apiKey, sessionIds);
+    }
+    return record;
+  }
+  async get(sessionId) {
+    const session = await this.getSession(sessionId);
+    if (!session)
+      return null;
+    const now = Date.now();
+    session.last_accessed = now;
+    this.putSession(sessionId, session).catch(() => {});
+    return session;
+  }
+  async update(sessionId, data) {
+    const session = await this.getSession(sessionId);
+    if (!session)
+      return;
+    const updated = {
+      ...session,
+      ...data,
+      last_accessed: Date.now()
+    };
+    await this.putSession(sessionId, updated);
+    await this.fallback.update(sessionId, data);
+  }
+  async delete(sessionId) {
+    const session = await this.getSession(sessionId);
+    await this.kv.delete(`${SESSION_KEY_PREFIX}${sessionId}`);
+    await this.fallback.delete(sessionId);
+    if (session?.apiKey) {
+      const sessionIds = await this.getApiKeySessionIds(session.apiKey);
+      const filtered = sessionIds.filter((id) => id !== sessionId);
+      await this.setApiKeySessionIds(session.apiKey, filtered);
+    }
+  }
+  async getByApiKey(apiKey) {
+    const sessionIds = await this.getApiKeySessionIds(apiKey);
+    const sessions = [];
+    for (const sessionId of sessionIds) {
+      const session = await this.getSession(sessionId);
+      if (session) {
+        sessions.push(session);
+      }
+    }
+    return sessions.sort((a, b) => b.last_accessed - a.last_accessed);
+  }
+  async countByApiKey(apiKey) {
+    const sessionIds = await this.getApiKeySessionIds(apiKey);
+    return sessionIds.length;
+  }
+  async deleteOldestByApiKey(apiKey) {
+    const sessions = await this.getByApiKey(apiKey);
+    if (sessions.length === 0)
+      return;
+    const oldest = sessions[sessions.length - 1];
+    const sessionIds = await this.getApiKeySessionIds(apiKey);
+    for (const sessionId of sessionIds) {
+      const session = await this.getSession(sessionId);
+      if (session && session.created_at === oldest.created_at) {
+        await this.delete(sessionId);
+        return;
+      }
+    }
+  }
+  async ensure(sessionId) {
+    const existing = await this.fallback.get(sessionId);
+    if (!existing) {
+      const now = Date.now();
+      await this.fallback.put(sessionId, {
+        created_at: now,
+        last_accessed: now
+      });
+    }
+  }
+  async put(sessionId, value) {
+    await this.putSession(sessionId, value);
+    await this.fallback.put(sessionId, value);
+    if (value.apiKey) {
+      const sessionIds = await this.getApiKeySessionIds(value.apiKey);
+      if (!sessionIds.includes(sessionId)) {
+        sessionIds.push(sessionId);
+        await this.setApiKeySessionIds(value.apiKey, sessionIds);
+      }
+    }
+  }
+}
+
+// src/shared/storage/singleton.ts
+var tokenStoreInstance = null;
+var sessionStoreInstance = null;
+function initializeStorage(tokenStore, sessionStore) {
+  tokenStoreInstance = tokenStore;
+  sessionStoreInstance = sessionStore;
+}
+function getTokenStore() {
+  if (!tokenStoreInstance) {
+    throw new Error("TokenStore not initialized. Call initializeStorage first.");
+  }
+  return tokenStoreInstance;
+}
+function getSessionStore() {
+  if (!sessionStoreInstance) {
+    throw new Error("SessionStore not initialized. Call initializeStorage first.");
+  }
+  return sessionStoreInstance;
+}
+
+// src/shared/utils/logger.ts
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warning: 2,
+  error: 3
+};
+var currentLevel = "info";
+function shouldLog(level) {
+  return LOG_LEVELS[level] >= LOG_LEVELS[currentLevel];
+}
+function formatLog(level, logger, data) {
+  const timestamp = new Date().toISOString();
+  const { message, ...rest } = data;
+  const extra = Object.keys(rest).length > 0 ? ` ${JSON.stringify(rest)}` : "";
+  return `[${timestamp}] ${level.toUpperCase()} [${logger}] ${message}${extra}`;
+}
+function sanitize(data) {
+  const sanitized = { ...data };
+  const sensitiveKeys = [
+    "password",
+    "token",
+    "secret",
+    "key",
+    "authorization",
+    "access_token",
+    "refresh_token"
+  ];
+  for (const key of Object.keys(sanitized)) {
+    if (sensitiveKeys.some((sk) => key.toLowerCase().includes(sk))) {
+      const value = sanitized[key];
+      if (typeof value === "string" && value.length > 8) {
+        sanitized[key] = `${value.substring(0, 8)}...`;
+      } else {
+        sanitized[key] = "[REDACTED]";
+      }
+    }
+  }
+  return sanitized;
+}
+var sharedLogger = {
+  setLevel(level) {
+    currentLevel = level;
+  },
+  debug(logger, data) {
+    if (shouldLog("debug")) {
+      console.log(formatLog("debug", logger, sanitize(data)));
+    }
+  },
+  info(logger, data) {
+    if (shouldLog("info")) {
+      console.log(formatLog("info", logger, sanitize(data)));
+    }
+  },
+  warning(logger, data) {
+    if (shouldLog("warning")) {
+      console.warn(formatLog("warning", logger, sanitize(data)));
+    }
+  },
+  error(logger, data) {
+    if (shouldLog("error")) {
+      console.error(formatLog("error", logger, sanitize(data)));
+    }
+  }
+};
+var logger = sharedLogger;
+
+// src/shared/http/response.ts
+function jsonResponse(data, options = {}) {
+  const { status = 200, headers = {}, cors = true } = options;
+  const response = new Response(JSON.stringify(data), {
+    status,
+    headers: {
+      "Content-Type": "application/json; charset=utf-8",
+      ...headers
+    }
+  });
+  if (cors) {
+    return withCors(response, typeof cors === "object" ? cors : undefined);
+  }
+  return response;
+}
+function textError(message, options = {}) {
+  const { status = 400, cors = true } = options;
+  const response = new Response(message, { status });
+  if (cors) {
+    return withCors(response, typeof cors === "object" ? cors : undefined);
+  }
+  return response;
+}
+function oauthError(error, description, options = {}) {
+  const body = { error };
+  if (description) {
+    body.error_description = description;
+  }
+  return jsonResponse(body, {
+    status: options.status ?? 400,
+    cors: options.cors
+  });
+}
+function redirectResponse(url, status = 302) {
+  return Response.redirect(url, status);
+}
+var JsonRpcErrorCode = {
+  ParseError: -32700,
+  InvalidRequest: -32600,
+  MethodNotFound: -32601,
+  InvalidParams: -32602,
+  InternalError: -32603,
+  ServerError: -32000
+};
+
+// src/shared/utils/cancellation.ts
+class CancellationError extends Error {
+  constructor(message = "Operation was cancelled") {
+    super(message);
+    this.name = "CancellationError";
+  }
+}
+
+class CancellationToken {
+  _isCancelled = false;
+  _listeners = [];
+  get isCancelled() {
+    return this._isCancelled;
+  }
+  cancel() {
+    if (this._isCancelled)
+      return;
+    this._isCancelled = true;
+    this._listeners.forEach((listener) => {
+      try {
+        listener();
+      } catch (error) {
+        console.error("Error in cancellation listener:", error);
+      }
+    });
+    this._listeners.length = 0;
+  }
+  onCancelled(listener) {
+    if (this._isCancelled) {
+      listener();
+      return;
+    }
+    this._listeners.push(listener);
+  }
+  throwIfCancelled() {
+    if (this._isCancelled) {
+      throw new CancellationError;
+    }
+  }
+}
+function createCancellationToken() {
+  return new CancellationToken;
+}
+async function withCancellation(operation, token) {
+  token.throwIfCancelled();
+  return new Promise((resolve, reject) => {
+    let completed = false;
+    token.onCancelled(() => {
+      if (!completed) {
+        completed = true;
+        reject(new CancellationError);
+      }
+    });
+    operation(token).then((result) => {
+      if (!completed) {
+        completed = true;
+        resolve(result);
+      }
+    }).catch((error) => {
+      if (!completed) {
+        completed = true;
+        reject(error);
+      }
+    });
+  });
+}
+
+// src/shared/types/provider.ts
+function toProviderInfo(tokens) {
+  return {
+    accessToken: tokens.access_token,
+    refreshToken: tokens.refresh_token,
+    expiresAt: tokens.expires_at,
+    scopes: tokens.scopes
+  };
+}
+function toProviderTokens(info) {
+  return {
+    access_token: info.accessToken,
+    refresh_token: info.refreshToken,
+    expires_at: info.expiresAt,
+    scopes: info.scopes
+  };
+}
+
+// src/shared/tools/types.ts
+function assertProviderToken(context) {
+  if (!context.providerToken) {
+    throw new Error("Authentication required");
+  }
+}
+function defineTool(def) {
+  return def;
+}
+
+// src/shared/tools/echo.ts
+import { z } from "zod";
+var echoInputSchema = z.object({
+  message: z.string().min(1).describe("Message to echo back"),
+  uppercase: z.boolean().optional().describe("Convert message to uppercase")
+});
+var echoTool = defineTool({
+  name: "echo",
+  title: "Echo",
+  description: "Echo back a message, optionally transformed",
+  inputSchema: echoInputSchema,
+  outputSchema: {
+    echoed: z.string().describe("The echoed message"),
+    length: z.number().describe("Message length")
+  },
+  annotations: {
+    title: "Echo Message",
+    readOnlyHint: true,
+    destructiveHint: false,
+    idempotentHint: true,
+    openWorldHint: false
+  },
+  handler: async (args) => {
+    const message = args.message;
+    const echoed = args.uppercase ? message.toUpperCase() : message;
+    const result = {
+      echoed,
+      length: echoed.length
+    };
+    return {
+      content: [{ type: "text", text: echoed }],
+      structuredContent: result
+    };
+  }
+});
+
+// src/shared/tools/health.ts
+import { z as z2 } from "zod";
+var healthInputSchema = z2.object({
+  verbose: z2.boolean().optional().describe("Include additional runtime details")
+});
+var healthTool = defineTool({
+  name: "health",
+  title: "Health Check",
+  description: "Check server health, uptime, and runtime information",
+  inputSchema: healthInputSchema,
+  outputSchema: {
+    status: z2.string().describe("Server status"),
+    timestamp: z2.number().describe("Current timestamp"),
+    runtime: z2.string().describe("Runtime environment"),
+    uptime: z2.number().optional().describe("Uptime in seconds (if available)")
+  },
+  annotations: {
+    title: "Server Health Check",
+    readOnlyHint: true,
+    destructiveHint: false,
+    idempotentHint: true,
+    openWorldHint: false
+  },
+  handler: async (args) => {
+    const verbose = Boolean(args.verbose);
+    const g = globalThis;
+    const isWorkers = typeof g.caches !== "undefined" && !("process" in g);
+    const runtime = isWorkers ? "cloudflare-workers" : "node";
+    const result = {
+      status: "ok",
+      timestamp: Date.now(),
+      runtime
+    };
+    if (verbose) {
+      if (!isWorkers && typeof process !== "undefined") {
+        result.uptime = Math.floor(process.uptime());
+        result.nodeVersion = process.version;
+        result.memoryUsage = process.memoryUsage().heapUsed;
+      }
+    }
+    return {
+      content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+      structuredContent: result
+    };
+  }
+});
+
+// src/runtime/node/context.ts
+import { AsyncLocalStorage } from "node:async_hooks";
+var authContextStorage = new AsyncLocalStorage;
+function getCurrentAuthContext() {
+  return authContextStorage.getStore();
+}
+
+class ContextRegistry {
+  contexts = new Map;
+  create(requestId, sessionId, authData) {
+    const context = {
+      sessionId,
+      cancellationToken: createCancellationToken(),
+      requestId,
+      timestamp: Date.now(),
+      authStrategy: authData?.authStrategy,
+      authHeaders: authData?.authHeaders,
+      resolvedHeaders: authData?.resolvedHeaders,
+      rsToken: authData?.rsToken,
+      providerToken: authData?.providerToken,
+      provider: authData?.provider,
+      serviceToken: authData?.serviceToken ?? authData?.providerToken
+    };
+    this.contexts.set(requestId, context);
+    return context;
+  }
+  get(requestId) {
+    return this.contexts.get(requestId);
+  }
+  getCancellationToken(requestId) {
+    return this.contexts.get(requestId)?.cancellationToken;
+  }
+  cancel(requestId, _reason) {
+    const context = this.contexts.get(requestId);
+    if (!context)
+      return false;
+    context.cancellationToken.cancel();
+    return true;
+  }
+  delete(requestId) {
+    return this.contexts.delete(requestId);
+  }
+  deleteBySession(sessionId) {
+    let deleted = 0;
+    for (const [requestId, context] of this.contexts.entries()) {
+      if (context.sessionId === sessionId) {
+        this.contexts.delete(requestId);
+        deleted++;
+      }
+    }
+    if (deleted > 0) {
+      sharedLogger.debug("context_registry", {
+        message: "Cleaned up contexts for session",
+        sessionId,
+        count: deleted
+      });
+    }
+    return deleted;
+  }
+  get size() {
+    return this.contexts.size;
+  }
+  cleanupExpired(maxAgeMs = 10 * 60 * 1000) {
+    const now = Date.now();
+    let cleaned = 0;
+    for (const [requestId, context] of this.contexts.entries()) {
+      if (now - context.timestamp > maxAgeMs) {
+        this.contexts.delete(requestId);
+        cleaned++;
+      }
+    }
+    if (cleaned > 0) {
+      sharedLogger.warning("context_registry", {
+        message: "Cleaned up expired contexts (this indicates missing cleanup calls)",
+        count: cleaned,
+        maxAgeMs
+      });
+    }
+    return cleaned;
+  }
+  clear() {
+    this.contexts.clear();
+  }
+}
+var contextRegistry = new ContextRegistry;
+
+// src/shared/tools/registry.ts
+function getSchemaShape(schema) {
+  if ("shape" in schema && typeof schema.shape === "object") {
+    return schema.shape;
+  }
+  if ("_def" in schema && schema._def && typeof schema._def === "object") {
+    const def = schema._def;
+    if (def.schema) {
+      return getSchemaShape(def.schema);
+    }
+    if (def.innerType) {
+      return getSchemaShape(def.innerType);
+    }
+  }
+  return;
+}
+function asRegisteredTool(tool) {
+  return tool;
+}
+var sharedTools = [
+  asRegisteredTool(healthTool),
+  asRegisteredTool(echoTool)
+];
+function getSharedTool(name) {
+  return sharedTools.find((t) => t.name === name);
+}
+function getSharedToolNames() {
+  return sharedTools.map((t) => t.name);
+}
+async function executeSharedTool(name, args, context, tools) {
+  const toolList = tools ?? sharedTools;
+  const tool = toolList.find((t) => t.name === name);
+  if (!tool) {
+    return {
+      content: [{ type: "text", text: `Unknown tool: ${name}` }],
+      isError: true
+    };
+  }
+  try {
+    if (context.signal?.aborted) {
+      return {
+        content: [{ type: "text", text: "Operation was cancelled" }],
+        isError: true
+      };
+    }
+    const parseResult = tool.inputSchema.safeParse(args);
+    if (!parseResult.success) {
+      const errors = parseResult.error.issues.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
+      return {
+        content: [{ type: "text", text: `Invalid input: ${errors}` }],
+        isError: true
+      };
+    }
+    const result = await tool.handler(parseResult.data, context);
+    if (tool.outputSchema && !result.isError) {
+      if (!result.structuredContent) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: "Tool with outputSchema must return structuredContent (unless isError is true)"
+            }
+          ],
+          isError: true
+        };
+      }
+    }
+    return result;
+  } catch (error) {
+    if (context.signal?.aborted) {
+      return {
+        content: [{ type: "text", text: "Operation was cancelled" }],
+        isError: true
+      };
+    }
+    return {
+      content: [
+        { type: "text", text: `Tool error: ${error.message}` }
+      ],
+      isError: true
+    };
+  }
+}
+function registerTools(server, contextResolver) {
+  for (const tool of sharedTools) {
+    const inputSchemaShape = getSchemaShape(tool.inputSchema);
+    if (!inputSchemaShape) {
+      logger.error("tools", {
+        message: "Failed to extract schema shape",
+        toolName: tool.name
+      });
+      throw new Error(`Failed to extract schema shape for tool: ${tool.name}`);
+    }
+    server.registerTool(tool.name, {
+      description: tool.description,
+      inputSchema: inputSchemaShape,
+      ...tool.outputSchema && { outputSchema: tool.outputSchema },
+      ...tool.annotations && { annotations: tool.annotations }
+    }, async (args, extra) => {
+      const authContext = extra.requestId && contextResolver ? contextResolver(extra.requestId) : undefined;
+      const ctx = authContext ?? getCurrentAuthContext();
+      const authCtx = ctx;
+      const providerInfo = authCtx?.provider ? toProviderInfo(authCtx.provider) : undefined;
+      const context = {
+        sessionId: extra.sessionId ?? crypto.randomUUID(),
+        signal: extra.signal,
+        meta: {
+          progressToken: extra._meta?.progressToken,
+          requestId: extra.requestId?.toString()
+        },
+        authStrategy: authCtx?.authStrategy,
+        providerToken: authCtx?.providerToken,
+        provider: providerInfo,
+        resolvedHeaders: authCtx?.resolvedHeaders
+      };
+      const result = await executeSharedTool(tool.name, args, context);
+      return result;
+    });
+  }
+  logger.info("tools", { message: `Registered ${sharedTools.length} tools` });
+}
+
+// src/shared/mcp/dispatcher.ts
+import { z as z3 } from "zod";
+
+// src/runtime/node/capabilities.ts
+function buildCapabilities() {
+  return {
+    logging: {},
+    prompts: {
+      listChanged: true
+    },
+    resources: {
+      listChanged: true,
+      subscribe: true
+    },
+    tools: {
+      listChanged: true
+    }
+  };
+}
+
+// src/shared/config/metadata.ts
+var serverMetadata = {
+  title: "MCP Server",
+  version: "0.0.1",
+  instructions: "Use these tools to interact with the server."
+};
+
+// src/shared/mcp/dispatcher.ts
+var LATEST_PROTOCOL_VERSION = "2025-06-18";
+var SUPPORTED_PROTOCOL_VERSIONS = [
+  "2025-06-18",
+  "2025-03-26",
+  "2024-11-05",
+  "2024-10-07"
+];
+var JsonRpcErrorCode2 = {
+  ParseError: -32700,
+  InvalidRequest: -32600,
+  MethodNotFound: -32601,
+  InvalidParams: -32602,
+  InternalError: -32603
+};
+async function handleInitialize(params, ctx) {
+  const clientInfo = params?.clientInfo;
+  const requestedVersion = String(params?.protocolVersion || LATEST_PROTOCOL_VERSION);
+  const protocolVersion = SUPPORTED_PROTOCOL_VERSIONS.includes(requestedVersion) ? requestedVersion : LATEST_PROTOCOL_VERSION;
+  ctx.setSessionState({
+    initialized: false,
+    clientInfo,
+    protocolVersion
+  });
+  sharedLogger.info("mcp_dispatch", {
+    message: "Initialize request",
+    sessionId: ctx.sessionId,
+    clientInfo,
+    requestedVersion,
+    negotiatedVersion: protocolVersion
+  });
+  return {
+    result: {
+      protocolVersion,
+      capabilities: buildCapabilities(),
+      serverInfo: {
+        name: ctx.config.title || serverMetadata.title,
+        version: ctx.config.version || "0.0.1"
+      },
+      instructions: ctx.config.instructions || serverMetadata.instructions
+    }
+  };
+}
+async function handleToolsList(ctx) {
+  const tools = (ctx.tools ?? sharedTools).map((tool) => ({
+    name: tool.name,
+    description: tool.description,
+    inputSchema: z3.toJSONSchema(tool.inputSchema),
+    ...tool.outputSchema && {
+      outputSchema: z3.toJSONSchema(z3.object(tool.outputSchema))
+    },
+    ...tool.annotations && { annotations: tool.annotations }
+  }));
+  return { result: { tools } };
+}
+async function handleToolsCall(params, ctx, requestId) {
+  const toolName = String(params?.name || "");
+  const toolArgs = params?.arguments || {};
+  const meta = params?._meta;
+  const abortController = new AbortController;
+  if (requestId !== undefined && ctx.cancellationRegistry) {
+    ctx.cancellationRegistry.set(requestId, abortController);
+  }
+  const toolContext = {
+    ...ctx.auth,
+    sessionId: ctx.sessionId,
+    signal: abortController.signal,
+    meta: {
+      progressToken: meta?.progressToken,
+      requestId: requestId !== undefined ? String(requestId) : undefined
+    }
+  };
+  sharedLogger.debug("mcp_dispatch", {
+    message: "Calling tool",
+    tool: toolName,
+    sessionId: ctx.sessionId,
+    requestId,
+    hasProviderToken: Boolean(ctx.auth.providerToken)
+  });
+  const toolList = ctx.tools ?? sharedTools;
+  const tool = toolList.find((t) => t.name === toolName);
+  if (tool?.requiresAuth && !ctx.auth.providerToken) {
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InvalidRequest,
+        message: "Authentication required. Please complete OAuth flow first."
+      }
+    };
+  }
+  try {
+    const result = await executeSharedTool(toolName, toolArgs, toolContext, ctx.tools);
+    return { result };
+  } catch (error) {
+    if (abortController.signal.aborted) {
+      sharedLogger.info("mcp_dispatch", {
+        message: "Tool execution cancelled",
+        tool: toolName,
+        requestId
+      });
+      return {
+        error: {
+          code: JsonRpcErrorCode2.InternalError,
+          message: "Request was cancelled"
+        }
+      };
+    }
+    sharedLogger.error("mcp_dispatch", {
+      message: "Tool execution failed",
+      tool: toolName,
+      error: error.message
+    });
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InternalError,
+        message: `Tool execution failed: ${error.message}`
+      }
+    };
+  } finally {
+    if (requestId !== undefined && ctx.cancellationRegistry) {
+      ctx.cancellationRegistry.delete(requestId);
+    }
+  }
+}
+async function handleResourcesList() {
+  return { result: { resources: [] } };
+}
+async function handleResourcesTemplatesList() {
+  return { result: { resourceTemplates: [] } };
+}
+async function handlePromptsList() {
+  return { result: { prompts: [] } };
+}
+async function handlePing() {
+  return { result: {} };
+}
+var currentLogLevel = "info";
+async function handleLoggingSetLevel(params) {
+  const level = params?.level;
+  const validLevels = [
+    "debug",
+    "info",
+    "notice",
+    "warning",
+    "error",
+    "critical",
+    "alert",
+    "emergency"
+  ];
+  if (!level || !validLevels.includes(level)) {
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InvalidParams,
+        message: `Invalid log level. Must be one of: ${validLevels.join(", ")}`
+      }
+    };
+  }
+  currentLogLevel = level;
+  sharedLogger.info("mcp_dispatch", {
+    message: "Log level changed",
+    level: currentLogLevel
+  });
+  return { result: {} };
+}
+function getLogLevel() {
+  return currentLogLevel;
+}
+async function dispatchMcpMethod(method, params, ctx, requestId) {
+  if (!method) {
+    return {
+      error: {
+        code: JsonRpcErrorCode2.InvalidRequest,
+        message: "Missing method"
+      }
+    };
+  }
+  switch (method) {
+    case "initialize":
+      return handleInitialize(params, ctx);
+    case "tools/list":
+      return handleToolsList(ctx);
+    case "tools/call":
+      return handleToolsCall(params, ctx, requestId);
+    case "resources/list":
+      return handleResourcesList();
+    case "resources/templates/list":
+      return handleResourcesTemplatesList();
+    case "prompts/list":
+      return handlePromptsList();
+    case "ping":
+      return handlePing();
+    case "logging/setLevel":
+      return handleLoggingSetLevel(params);
+    default:
+      sharedLogger.debug("mcp_dispatch", { message: "Unknown method", method });
+      return {
+        error: {
+          code: JsonRpcErrorCode2.MethodNotFound,
+          message: `Method not found: ${method}`
+        }
+      };
+  }
+}
+function handleMcpNotification(method, params, ctx) {
+  if (method === "notifications/initialized") {
+    const session = ctx.getSessionState();
+    if (session) {
+      ctx.setSessionState({ ...session, initialized: true });
+    }
+    sharedLogger.info("mcp_dispatch", {
+      message: "Client initialized",
+      sessionId: ctx.sessionId
+    });
+    return true;
+  }
+  if (method === "notifications/cancelled") {
+    const cancelParams = params;
+    const requestId = cancelParams?.requestId;
+    if (requestId !== undefined && ctx.cancellationRegistry) {
+      const controller = ctx.cancellationRegistry.get(requestId);
+      if (controller) {
+        sharedLogger.info("mcp_dispatch", {
+          message: "Cancelling request",
+          requestId,
+          reason: cancelParams?.reason,
+          sessionId: ctx.sessionId
+        });
+        controller.abort(cancelParams?.reason ?? "Client requested cancellation");
+        return true;
+      }
+      sharedLogger.debug("mcp_dispatch", {
+        message: "Cancellation request for unknown requestId",
+        requestId,
+        sessionId: ctx.sessionId
+      });
+    }
+    return true;
+  }
+  sharedLogger.debug("mcp_dispatch", {
+    message: "Unhandled notification",
+    method,
+    sessionId: ctx.sessionId
+  });
+  return false;
+}
+
+// src/shared/oauth/refresh.ts
+import * as oauth from "oauth4webapi";
+function buildProviderRefreshConfig(config) {
+  if (!config.PROVIDER_CLIENT_ID || !config.PROVIDER_CLIENT_SECRET || !config.PROVIDER_ACCOUNTS_URL) {
+    return;
+  }
+  return {
+    clientId: config.PROVIDER_CLIENT_ID,
+    clientSecret: config.PROVIDER_CLIENT_SECRET,
+    accountsUrl: config.PROVIDER_ACCOUNTS_URL,
+    tokenEndpointPath: config.OAUTH_TOKEN_URL
+  };
+}
+function buildAuthorizationServer(config) {
+  const tokenEndpoint = config.tokenEndpointPath || "/token";
+  return {
+    issuer: config.accountsUrl,
+    token_endpoint: new URL(tokenEndpoint, config.accountsUrl).toString()
+  };
+}
+async function refreshProviderToken(refreshToken, config) {
+  const authServer = buildAuthorizationServer(config);
+  const client = {
+    client_id: config.clientId,
+    token_endpoint_auth_method: "client_secret_post"
+  };
+  sharedLogger.debug("oauth_refresh", {
+    message: "Refreshing provider token",
+    tokenUrl: authServer.token_endpoint
+  });
+  try {
+    const clientAuth = oauth.ClientSecretPost(config.clientSecret);
+    const response = await oauth.refreshTokenGrantRequest(authServer, client, clientAuth, refreshToken);
+    const result = await oauth.processRefreshTokenResponse(authServer, client, response);
+    const accessToken = result.access_token;
+    if (!accessToken) {
+      return {
+        success: false,
+        error: "No access_token in provider response"
+      };
+    }
+    sharedLogger.info("oauth_refresh", {
+      message: "Provider token refreshed",
+      hasNewRefreshToken: !!result.refresh_token
+    });
+    return {
+      success: true,
+      tokens: {
+        access_token: accessToken,
+        refresh_token: result.refresh_token ?? refreshToken,
+        expires_at: Date.now() + (result.expires_in ?? 3600) * 1000,
+        scopes: (result.scope || "").split(/\s+/).filter(Boolean)
+      }
+    };
+  } catch (error) {
+    if (error instanceof oauth.ResponseBodyError) {
+      sharedLogger.error("oauth_refresh", {
+        message: "Provider refresh failed",
+        error: error.error,
+        description: error.error_description
+      });
+      return {
+        success: false,
+        error: `Provider returned ${error.error}: ${error.error_description || ""}`.trim()
+      };
+    }
+    sharedLogger.error("oauth_refresh", {
+      message: "Token refresh network error",
+      error: error.message
+    });
+    return {
+      success: false,
+      error: `Network error: ${error.message}`
+    };
+  }
+}
+var EXPIRY_BUFFER_MS = 60000;
+var REFRESH_COOLDOWN_MS = 30000;
+var recentlyRefreshed = new Map;
+function shouldSkipRefresh(rsToken) {
+  const lastRefresh = recentlyRefreshed.get(rsToken);
+  if (lastRefresh && Date.now() - lastRefresh < REFRESH_COOLDOWN_MS) {
+    return true;
+  }
+  return false;
+}
+function markRefreshed(rsToken) {
+  recentlyRefreshed.set(rsToken, Date.now());
+  if (recentlyRefreshed.size > 1000) {
+    const now = Date.now();
+    for (const [key, timestamp] of recentlyRefreshed) {
+      if (now - timestamp > REFRESH_COOLDOWN_MS) {
+        recentlyRefreshed.delete(key);
+      }
+    }
+  }
+}
+function isTokenExpiredOrExpiring(expiresAt, bufferMs = EXPIRY_BUFFER_MS) {
+  if (!expiresAt)
+    return false;
+  return Date.now() >= expiresAt - bufferMs;
+}
+async function ensureFreshToken(rsAccessToken, tokenStore, providerConfig) {
+  const record = await tokenStore.getByRsAccess(rsAccessToken);
+  if (!record?.provider?.access_token) {
+    return { accessToken: "", wasRefreshed: false };
+  }
+  if (!isTokenExpiredOrExpiring(record.provider.expires_at)) {
+    return { accessToken: record.provider.access_token, wasRefreshed: false };
+  }
+  if (shouldSkipRefresh(rsAccessToken)) {
+    sharedLogger.debug("oauth_refresh", {
+      message: "Token refresh throttled (recently refreshed in this process)"
+    });
+    return { accessToken: record.provider.access_token, wasRefreshed: false };
+  }
+  sharedLogger.info("oauth_refresh", {
+    message: "Token near expiry, attempting refresh",
+    expiresAt: record.provider.expires_at,
+    now: Date.now()
+  });
+  if (!record.provider.refresh_token) {
+    sharedLogger.warning("oauth_refresh", {
+      message: "Token near expiry but no refresh token available"
+    });
+    return { accessToken: record.provider.access_token, wasRefreshed: false };
+  }
+  if (!providerConfig) {
+    sharedLogger.warning("oauth_refresh", {
+      message: "Token near expiry but no provider config for refresh"
+    });
+    return { accessToken: record.provider.access_token, wasRefreshed: false };
+  }
+  const result = await refreshProviderToken(record.provider.refresh_token, providerConfig);
+  if (!result.success || !result.tokens) {
+    sharedLogger.error("oauth_refresh", {
+      message: "Token refresh failed, using existing token",
+      error: result.error
+    });
+    return { accessToken: record.provider.access_token, wasRefreshed: false };
+  }
+  const providerRefreshRotated = result.tokens.refresh_token !== record.provider.refresh_token;
+  const newRsAccess = providerRefreshRotated ? undefined : record.rs_access_token;
+  try {
+    await tokenStore.updateByRsRefresh(record.rs_refresh_token, result.tokens, newRsAccess);
+    markRefreshed(rsAccessToken);
+    sharedLogger.info("oauth_refresh", {
+      message: "Token store updated with refreshed tokens",
+      rsAccessRotated: providerRefreshRotated
+    });
+    return { accessToken: result.tokens.access_token, wasRefreshed: true };
+  } catch (error) {
+    sharedLogger.error("oauth_refresh", {
+      message: "Failed to update token store",
+      error: error.message
+    });
+    return { accessToken: result.tokens.access_token, wasRefreshed: true };
+  }
+}
+
+// src/shared/mcp/security.ts
+function validateOrigin(headers, isDev) {
+  const origin = headers.get("Origin") || headers.get("origin");
+  if (!origin) {
+    return;
+  }
+  if (isDev) {
+    if (!isLocalhostOrigin(origin)) {
+      throw new Error(`Invalid origin: ${origin}. Only localhost allowed in development`);
+    }
+    return;
+  }
+  if (!isAllowedOrigin(origin)) {
+    throw new Error(`Invalid origin: ${origin}`);
+  }
+}
+var SUPPORTED_PROTOCOL_VERSIONS2 = [
+  "2025-11-25",
+  "2025-06-18",
+  "2025-03-26",
+  "2024-11-05"
+];
+function validateProtocolVersion(headers, _expected) {
+  const header = headers.get("Mcp-Protocol-Version") || headers.get("MCP-Protocol-Version");
+  if (!header) {
+    return;
+  }
+  const clientVersions = header.split(",").map((v) => v.trim()).filter(Boolean);
+  const hasSupported = clientVersions.some((v) => SUPPORTED_PROTOCOL_VERSIONS2.includes(v));
+  if (!hasSupported) {
+    throw new Error(`Unsupported MCP protocol version: ${header}. Supported: ${SUPPORTED_PROTOCOL_VERSIONS2.join(", ")}`);
+  }
+}
+function isLocalhostOrigin(origin) {
+  try {
+    const url = new URL(origin);
+    const hostname = url.hostname.toLowerCase();
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname.startsWith("192.168.") || hostname.startsWith("10.") || hostname.endsWith(".local");
+  } catch {
+    return false;
+  }
+}
+function isAllowedOrigin(_origin) {
+  return true;
+}
+function buildUnauthorizedChallenge(args) {
+  const resourcePath = args.resourcePath || "/.well-known/oauth-protected-resource";
+  const resourceMd = `${args.origin}${resourcePath}?sid=${encodeURIComponent(args.sid)}`;
+  return {
+    status: 401,
+    headers: {
+      "WWW-Authenticate": `Bearer realm="MCP", authorization_uri="${resourceMd}"`,
+      "Mcp-Session-Id": args.sid
+    },
+    body: {
+      jsonrpc: "2.0",
+      error: {
+        code: -32000,
+        message: args.message || "Unauthorized"
+      },
+      id: null
+    }
+  };
+}
+
+// src/shared/oauth/discovery.ts
+function buildAuthorizationServerMetadata(baseUrl, scopes, overrides) {
+  return {
+    issuer: baseUrl,
+    authorization_endpoint: overrides?.authorizationEndpoint || `${baseUrl}/authorize`,
+    token_endpoint: overrides?.tokenEndpoint || `${baseUrl}/token`,
+    revocation_endpoint: overrides?.revocationEndpoint || `${baseUrl}/revoke`,
+    registration_endpoint: `${baseUrl}/register`,
+    response_types_supported: ["code"],
+    grant_types_supported: ["authorization_code", "refresh_token"],
+    code_challenge_methods_supported: ["S256"],
+    token_endpoint_auth_methods_supported: ["none"],
+    scopes_supported: scopes,
+    client_id_metadata_document_supported: overrides?.cimdEnabled ?? true
+  };
+}
+function buildProtectedResourceMetadata(resourceUrl, authorizationServerUrl, sid) {
+  const resource = (() => {
+    if (!sid) {
+      return resourceUrl;
+    }
+    try {
+      const u = new URL(resourceUrl);
+      u.searchParams.set("sid", sid);
+      return u.toString();
+    } catch {
+      return resourceUrl;
+    }
+  })();
+  return {
+    authorization_servers: [authorizationServerUrl],
+    resource
+  };
+}
+
+// src/shared/oauth/discovery-handlers.ts
+function createDiscoveryHandlers(config, strategy) {
+  const scopes = config.OAUTH_SCOPES.split(/\s+/).map((scope) => scope.trim()).filter(Boolean);
+  return {
+    authorizationMetadata: (requestUrl) => {
+      const baseUrl = strategy.resolveAuthBaseUrl(requestUrl, config);
+      return buildAuthorizationServerMetadata(baseUrl, scopes, {
+        authorizationEndpoint: `${baseUrl}/authorize`,
+        tokenEndpoint: `${baseUrl}/token`,
+        revocationEndpoint: `${baseUrl}/revoke`,
+        cimdEnabled: config.CIMD_ENABLED
+      });
+    },
+    protectedResourceMetadata: (requestUrl, sid) => {
+      const resourceBase = strategy.resolveResourceBaseUrl(requestUrl, config);
+      const authorizationServerUrl = config.AUTH_DISCOVERY_URL || strategy.resolveAuthorizationServerUrl(requestUrl, config);
+      return buildProtectedResourceMetadata(resourceBase, authorizationServerUrl, sid);
+    }
+  };
+}
+var workerDiscoveryStrategy = {
+  resolveAuthBaseUrl: (requestUrl) => requestUrl.origin,
+  resolveAuthorizationServerUrl: (requestUrl) => `${requestUrl.origin}/.well-known/oauth-authorization-server`,
+  resolveResourceBaseUrl: (requestUrl) => `${requestUrl.origin}/mcp`
+};
+var nodeDiscoveryStrategy = {
+  resolveAuthBaseUrl: (requestUrl, config) => {
+    const authPort = Number(config.PORT) + 1;
+    return `${requestUrl.protocol}//${requestUrl.hostname}:${authPort}`;
+  },
+  resolveAuthorizationServerUrl: (requestUrl, config) => {
+    const authPort = Number(config.PORT) + 1;
+    return `${requestUrl.protocol}//${requestUrl.hostname}:${authPort}/.well-known/oauth-authorization-server`;
+  },
+  resolveResourceBaseUrl: (requestUrl) => `${requestUrl.protocol}//${requestUrl.host}/mcp`
+};
+
+// src/shared/oauth/ssrf.ts
+var BLOCKED_HOSTS = new Set([
+  "localhost",
+  "127.0.0.1",
+  "::1",
+  "0.0.0.0",
+  "[::1]"
+]);
+var PRIVATE_IP_PATTERNS = [
+  /^10\./,
+  /^172\.(1[6-9]|2\d|3[01])\./,
+  /^192\.168\./,
+  /^169\.254\./,
+  /^fc00:/i,
+  /^fd00:/i,
+  /^fe80:/i
+];
+var BLOCKED_DOMAIN_PATTERNS = [
+  /\.local$/i,
+  /\.internal$/i,
+  /\.localhost$/i,
+  /\.localdomain$/i,
+  /\.corp$/i,
+  /\.lan$/i
+];
+function isPrivateIp(hostname) {
+  for (const pattern of PRIVATE_IP_PATTERNS) {
+    if (pattern.test(hostname)) {
+      return true;
+    }
+  }
+  return false;
+}
+function isBlockedDomain(hostname) {
+  const lower = hostname.toLowerCase();
+  for (const pattern of BLOCKED_DOMAIN_PATTERNS) {
+    if (pattern.test(lower)) {
+      return true;
+    }
+  }
+  return false;
+}
+function checkSsrfSafe(urlString, options) {
+  const requireNonRootPath = options?.requireNonRootPath ?? true;
+  let url;
+  try {
+    url = new URL(urlString);
+  } catch {
+    return { safe: false, reason: "invalid_url" };
+  }
+  if (url.protocol !== "https:") {
+    return { safe: false, reason: "https_required" };
+  }
+  const hostname = url.hostname.toLowerCase();
+  if (BLOCKED_HOSTS.has(hostname)) {
+    return { safe: false, reason: "blocked_host" };
+  }
+  if (isPrivateIp(hostname)) {
+    return { safe: false, reason: "private_ip" };
+  }
+  if (isBlockedDomain(hostname)) {
+    return { safe: false, reason: "internal_domain" };
+  }
+  if (requireNonRootPath && (url.pathname === "/" || url.pathname === "")) {
+    return { safe: false, reason: "root_path_not_allowed" };
+  }
+  return { safe: true };
+}
+function isSsrfSafe(urlString, options) {
+  return checkSsrfSafe(urlString, options).safe;
+}
+function assertSsrfSafe(urlString, options) {
+  const result = checkSsrfSafe(urlString, options);
+  if (result.safe === false) {
+    throw new Error(`ssrf_blocked: ${result.reason}`);
+  }
+}
+
+// src/shared/oauth/cimd.ts
+import { z as z4 } from "zod";
+var ClientMetadataSchema = z4.object({
+  client_id: z4.string().url(),
+  client_name: z4.string().optional(),
+  redirect_uris: z4.array(z4.string().url()),
+  client_uri: z4.string().url().optional(),
+  logo_uri: z4.string().url().optional(),
+  tos_uri: z4.string().url().optional(),
+  policy_uri: z4.string().url().optional(),
+  jwks_uri: z4.string().url().optional(),
+  software_statement: z4.string().optional()
+});
+function isClientIdUrl(clientId) {
+  if (!clientId.startsWith("https://")) {
+    return false;
+  }
+  try {
+    const url = new URL(clientId);
+    return url.pathname !== "/" && url.pathname.length > 1;
+  } catch {
+    return false;
+  }
+}
+function isDomainAllowed(clientIdUrl, allowedDomains) {
+  if (!allowedDomains || allowedDomains.length === 0) {
+    return true;
+  }
+  try {
+    const url = new URL(clientIdUrl);
+    const hostname = url.hostname.toLowerCase();
+    return allowedDomains.some((domain) => {
+      const d = domain.toLowerCase();
+      return hostname === d || hostname.endsWith(`.${d}`);
+    });
+  } catch {
+    return false;
+  }
+}
+async function fetchClientMetadata(clientIdUrl, config) {
+  const timeoutMs = config?.timeoutMs ?? 5000;
+  const maxBytes = config?.maxBytes ?? 65536;
+  const allowedDomains = config?.allowedDomains;
+  sharedLogger.debug("cimd", {
+    message: "Fetching client metadata",
+    url: clientIdUrl
+  });
+  try {
+    assertSsrfSafe(clientIdUrl, { requireNonRootPath: true });
+  } catch (error) {
+    sharedLogger.warning("cimd", {
+      message: "SSRF check failed",
+      url: clientIdUrl,
+      error: error.message
+    });
+    return { success: false, error: error.message };
+  }
+  if (!isDomainAllowed(clientIdUrl, allowedDomains)) {
+    sharedLogger.warning("cimd", {
+      message: "Domain not in allowlist",
+      url: clientIdUrl
+    });
+    return { success: false, error: "domain_not_allowed" };
+  }
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const response = await fetch(clientIdUrl, {
+      signal: controller.signal,
+      headers: {
+        Accept: "application/json",
+        "User-Agent": "MCP-Server/1.0 CIMD-Fetcher"
+      },
+      redirect: "manual"
+    });
+    if (!response.ok) {
+      sharedLogger.warning("cimd", {
+        message: "Fetch failed",
+        url: clientIdUrl,
+        status: response.status
+      });
+      return { success: false, error: `fetch_failed: ${response.status}` };
+    }
+    const contentLength = response.headers.get("content-length");
+    if (contentLength && parseInt(contentLength, 10) > maxBytes) {
+      sharedLogger.warning("cimd", {
+        message: "Response too large",
+        url: clientIdUrl,
+        contentLength
+      });
+      return { success: false, error: "metadata_too_large" };
+    }
+    const contentType = response.headers.get("content-type") || "";
+    if (!contentType.includes("application/json") && !contentType.includes("text/json")) {
+      sharedLogger.warning("cimd", {
+        message: "Invalid content type",
+        url: clientIdUrl,
+        contentType
+      });
+      return { success: false, error: "invalid_content_type" };
+    }
+    const text = await response.text();
+    if (text.length > maxBytes) {
+      return { success: false, error: "metadata_too_large" };
+    }
+    let data;
+    try {
+      data = JSON.parse(text);
+    } catch {
+      return { success: false, error: "invalid_json" };
+    }
+    const parsed = ClientMetadataSchema.safeParse(data);
+    if (!parsed.success) {
+      sharedLogger.warning("cimd", {
+        message: "Invalid metadata schema",
+        url: clientIdUrl,
+        errors: parsed.error.issues
+      });
+      return {
+        success: false,
+        error: `invalid_metadata: ${parsed.error.message}`
+      };
+    }
+    if (parsed.data.client_id !== clientIdUrl) {
+      sharedLogger.warning("cimd", {
+        message: "client_id mismatch",
+        url: clientIdUrl,
+        metadataClientId: parsed.data.client_id
+      });
+      return { success: false, error: "client_id_mismatch" };
+    }
+    sharedLogger.info("cimd", {
+      message: "Client metadata fetched",
+      url: clientIdUrl,
+      clientName: parsed.data.client_name,
+      redirectUrisCount: parsed.data.redirect_uris.length
+    });
+    return { success: true, metadata: parsed.data };
+  } catch (error) {
+    if (error.name === "AbortError") {
+      sharedLogger.warning("cimd", {
+        message: "Fetch timeout",
+        url: clientIdUrl
+      });
+      return { success: false, error: "fetch_timeout" };
+    }
+    sharedLogger.error("cimd", {
+      message: "Fetch error",
+      url: clientIdUrl,
+      error: error.message
+    });
+    return {
+      success: false,
+      error: `fetch_error: ${error.message}`
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+function validateRedirectUri(metadata, redirectUri) {
+  return metadata.redirect_uris.includes(redirectUri);
+}
+
+// src/shared/oauth/flow.ts
+import * as oauth2 from "oauth4webapi";
+function generateOpaqueToken(bytes = 32) {
+  const array = new Uint8Array(bytes);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+function buildAuthorizationServer2(providerConfig) {
+  const authEndpoint = providerConfig.authorizationEndpointPath || "/authorize";
+  const tokenEndpoint = providerConfig.tokenEndpointPath || "/token";
+  return {
+    issuer: providerConfig.accountsUrl,
+    authorization_endpoint: new URL(authEndpoint, providerConfig.accountsUrl).toString(),
+    token_endpoint: new URL(tokenEndpoint, providerConfig.accountsUrl).toString()
+  };
+}
+function buildOAuthClient(providerConfig) {
+  return {
+    client_id: providerConfig.clientId || "",
+    token_endpoint_auth_method: "client_secret_post"
+  };
+}
+function isAllowedRedirect(uri, config, isDev) {
+  try {
+    const allowed = new Set(config.redirectAllowlist.concat([config.redirectUri]).filter(Boolean));
+    const url = new URL(uri);
+    if (isDev) {
+      const loopback = new Set(["localhost", "127.0.0.1", "::1"]);
+      if (loopback.has(url.hostname)) {
+        return true;
+      }
+    }
+    if (config.redirectAllowAll) {
+      return true;
+    }
+    return allowed.has(`${url.protocol}//${url.host}${url.pathname}`) || allowed.has(uri);
+  } catch {
+    return false;
+  }
+}
+async function handleAuthorize(input, store, providerConfig, oauthConfig, options) {
+  if (!input.redirectUri) {
+    throw new Error("invalid_request: redirect_uri is required");
+  }
+  if (!input.codeChallenge || input.codeChallengeMethod !== "S256") {
+    throw new Error("invalid_request: PKCE code_challenge with S256 method is required");
+  }
+  let clientMetadata = null;
+  const cimdEnabled = options.cimd?.enabled ?? true;
+  if (input.clientId && isClientIdUrl(input.clientId)) {
+    if (!cimdEnabled) {
+      sharedLogger.warning("oauth_authorize", {
+        message: "CIMD client_id received but CIMD is disabled",
+        clientId: input.clientId
+      });
+      throw new Error("invalid_client: URL-based client_id not supported");
+    }
+    sharedLogger.debug("oauth_authorize", {
+      message: "CIMD client_id detected, fetching metadata",
+      clientId: input.clientId
+    });
+    const result = await fetchClientMetadata(input.clientId, {
+      timeoutMs: options.cimd?.timeoutMs,
+      maxBytes: options.cimd?.maxBytes,
+      allowedDomains: options.cimd?.allowedDomains
+    });
+    if (result.success === false) {
+      sharedLogger.error("oauth_authorize", {
+        message: "CIMD metadata fetch failed",
+        clientId: input.clientId,
+        error: result.error
+      });
+      throw new Error(`invalid_client: ${result.error}`);
+    }
+    clientMetadata = result.metadata;
+    if (!validateRedirectUri(clientMetadata, input.redirectUri)) {
+      sharedLogger.error("oauth_authorize", {
+        message: "redirect_uri not in client metadata",
+        clientId: input.clientId,
+        redirectUri: input.redirectUri,
+        allowedUris: clientMetadata.redirect_uris
+      });
+      throw new Error("invalid_request: redirect_uri not registered for this client");
+    }
+    sharedLogger.info("oauth_authorize", {
+      message: "CIMD client validated",
+      clientId: input.clientId,
+      clientName: clientMetadata.client_name
+    });
+  }
+  const txnId = generateOpaqueToken(16);
+  await store.saveTransaction(txnId, {
+    codeChallenge: input.codeChallenge,
+    state: input.state,
+    createdAt: Date.now(),
+    scope: input.requestedScope,
+    sid: input.sid,
+    clientRedirectUri: input.redirectUri
+  });
+  sharedLogger.debug("oauth_authorize", {
+    message: "Transaction saved",
+    txnId,
+    redirectUri: input.redirectUri
+  });
+  sharedLogger.debug("oauth_authorize", {
+    message: "Checking provider configuration",
+    hasClientId: !!providerConfig.clientId,
+    hasClientSecret: !!providerConfig.clientSecret
+  });
+  if (providerConfig.clientId && providerConfig.clientSecret) {
+    sharedLogger.info("oauth_authorize", {
+      message: "Using production flow - redirecting to provider"
+    });
+    const authServer = buildAuthorizationServer2(providerConfig);
+    const authorizationEndpoint = authServer.authorization_endpoint;
+    if (!authorizationEndpoint) {
+      throw new Error("Authorization endpoint not configured");
+    }
+    const authUrl = new URL(authorizationEndpoint);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("client_id", providerConfig.clientId);
+    const callbackPath = options.callbackPath || "/oauth/callback";
+    const cb = new URL(callbackPath, options.baseUrl).toString();
+    authUrl.searchParams.set("redirect_uri", cb);
+    const scopeToUse = providerConfig.oauthScopes || input.requestedScope || "";
+    if (scopeToUse) {
+      authUrl.searchParams.set("scope", scopeToUse);
+    }
+    const compositeState = base64UrlEncodeJson({
+      tid: txnId,
+      cs: input.state,
+      cr: input.redirectUri,
+      sid: input.sid
+    }) || txnId;
+    authUrl.searchParams.set("state", compositeState);
+    if (providerConfig.extraAuthParams) {
+      const extraParams = new URLSearchParams(providerConfig.extraAuthParams);
+      for (const [key, value] of extraParams) {
+        authUrl.searchParams.set(key, value);
+      }
+    }
+    sharedLogger.debug("oauth_authorize", {
+      message: "Redirect URL constructed",
+      url: authUrl.origin + authUrl.pathname,
+      hasExtraParams: !!providerConfig.extraAuthParams
+    });
+    return {
+      redirectTo: authUrl.toString(),
+      txnId
+    };
+  }
+  sharedLogger.warning("oauth_authorize", {
+    message: "Missing provider credentials - using dev shortcut"
+  });
+  const code = generateOpaqueToken(16);
+  await store.saveCode(code, txnId);
+  const safe = isAllowedRedirect(input.redirectUri, oauthConfig, options.isDev) ? input.redirectUri : oauthConfig.redirectUri;
+  const redirect = new URL(safe);
+  redirect.searchParams.set("code", code);
+  if (input.state) {
+    redirect.searchParams.set("state", input.state);
+  }
+  return {
+    redirectTo: redirect.toString(),
+    txnId
+  };
+}
+async function handleProviderCallback(input, store, providerConfig, oauthConfig, options) {
+  const decodedObj = base64UrlDecodeJson(input.compositeState);
+  let decoded;
+  if (decodedObj) {
+    decoded = decodedObj;
+    sharedLogger.debug("oauth_callback", {
+      message: "State decoded successfully",
+      decoded
+    });
+  } else {
+    sharedLogger.debug("oauth_callback", {
+      message: "State is not JSON-encoded, treating as raw txnId",
+      compositeState: input.compositeState
+    });
+    decoded = {};
+  }
+  sharedLogger.debug("oauth_callback", {
+    message: "State decoded",
+    compositeState: input.compositeState,
+    decoded
+  });
+  if (!decoded.tid && !input.compositeState) {
+    sharedLogger.error("oauth_callback", {
+      message: "Invalid state parameter",
+      compositeState: input.compositeState
+    });
+    throw new Error("invalid_state");
+  }
+  const txnId = decoded.tid || input.compositeState;
+  const txn = await store.getTransaction(txnId);
+  if (!txn) {
+    sharedLogger.error("oauth_callback", {
+      message: "Transaction not found",
+      txnId,
+      decoded,
+      compositeStateLength: input.compositeState?.length
+    });
+    throw new Error("unknown_txn");
+  }
+  const callbackPath = options.callbackPath || "/oauth/callback";
+  const redirectUri = new URL(callbackPath, options.baseUrl).toString();
+  const authServer = buildAuthorizationServer2(providerConfig);
+  const client = buildOAuthClient(providerConfig);
+  sharedLogger.debug("oauth_callback", {
+    message: "Exchanging code for tokens",
+    tokenUrl: authServer.token_endpoint
+  });
+  const rawParams = new URLSearchParams;
+  rawParams.set("code", input.providerCode);
+  const callbackParams = oauth2.validateAuthResponse(authServer, client, rawParams, oauth2.skipStateCheck);
+  if (!providerConfig.clientSecret) {
+    throw new Error("Server misconfigured: PROVIDER_CLIENT_SECRET is not set");
+  }
+  const clientAuth = oauth2.ClientSecretPost(providerConfig.clientSecret);
+  try {
+    const response = await oauth2.authorizationCodeGrantRequest(authServer, client, clientAuth, callbackParams, redirectUri, oauth2.nopkce);
+    sharedLogger.debug("oauth_callback", {
+      message: "Token response received",
+      status: response.status
+    });
+    const result = await oauth2.processAuthorizationCodeResponse(authServer, client, response);
+    const accessToken = result.access_token;
+    if (!accessToken) {
+      sharedLogger.error("oauth_callback", {
+        message: "No access token in provider response"
+      });
+      throw new Error("provider_no_token");
+    }
+    const expiresIn = result.expires_in ?? 3600;
+    const expiresAt = Date.now() + expiresIn * 1000;
+    const scopes = (result.scope || "").split(/\s+/).filter(Boolean);
+    const providerTokens = {
+      access_token: accessToken,
+      refresh_token: result.refresh_token,
+      expires_at: expiresAt,
+      scopes
+    };
+    sharedLogger.info("oauth_callback", {
+      message: "Provider tokens received",
+      hasRefreshToken: !!result.refresh_token,
+      expiresIn
+    });
+    txn.provider = providerTokens;
+    await store.saveTransaction(txnId, txn);
+    const asCode = generateOpaqueToken(24);
+    await store.saveCode(asCode, txnId);
+    sharedLogger.debug("oauth_callback", {
+      message: "RS code generated"
+    });
+    const safe = txn.clientRedirectUri ?? (decoded.cr && isAllowedRedirect(decoded.cr, oauthConfig, options.isDev) ? decoded.cr : oauthConfig.redirectUri);
+    const redirect = new URL(safe);
+    redirect.searchParams.set("code", asCode);
+    if (decoded.cs) {
+      redirect.searchParams.set("state", decoded.cs);
+    }
+    return {
+      redirectTo: redirect.toString(),
+      txnId,
+      providerTokens
+    };
+  } catch (error) {
+    if (error instanceof oauth2.ResponseBodyError) {
+      sharedLogger.error("oauth_callback", {
+        message: "Provider token error",
+        error: error.error,
+        description: error.error_description
+      });
+      throw new Error(`provider_token_error: ${error.error} ${error.error_description || ""}`.trim());
+    }
+    sharedLogger.error("oauth_callback", {
+      message: "Token fetch failed",
+      error: error.message
+    });
+    throw new Error(`fetch_failed: ${error.message}`);
+  }
+}
+async function handleToken(input, store, providerConfig) {
+  if (input.grant === "refresh_token") {
+    sharedLogger.debug("oauth_token", {
+      message: "Processing refresh_token grant"
+    });
+    const rec = await store.getByRsRefresh(input.refreshToken);
+    if (!rec) {
+      sharedLogger.error("oauth_token", {
+        message: "Invalid refresh token"
+      });
+      throw new Error("invalid_grant");
+    }
+    const now = Date.now();
+    const providerExpiresAt = rec.provider.expires_at ?? 0;
+    const isExpiringSoon = now >= providerExpiresAt - 60000;
+    let provider = rec.provider;
+    if (isExpiringSoon && providerConfig) {
+      sharedLogger.info("oauth_token", {
+        message: "Provider token expired/expiring, refreshing",
+        expiresAt: providerExpiresAt,
+        now
+      });
+      if (!rec.provider.refresh_token) {
+        sharedLogger.error("oauth_token", {
+          message: "No provider refresh token available"
+        });
+        throw new Error("provider_token_expired");
+      }
+      const refreshResult = await refreshProviderToken(rec.provider.refresh_token, {
+        clientId: providerConfig.clientId || "",
+        clientSecret: providerConfig.clientSecret || "",
+        accountsUrl: providerConfig.accountsUrl,
+        tokenEndpointPath: providerConfig.tokenEndpointPath
+      });
+      if (!refreshResult.success || !refreshResult.tokens) {
+        sharedLogger.error("oauth_token", {
+          message: "Provider refresh failed",
+          error: refreshResult.error
+        });
+        throw new Error("provider_refresh_failed");
+      }
+      provider = refreshResult.tokens;
+    }
+    const providerRefreshRotated = provider.refresh_token !== rec.provider.refresh_token;
+    const newAccess = providerRefreshRotated ? generateOpaqueToken(24) : undefined;
+    const updated = await store.updateByRsRefresh(input.refreshToken, provider, newAccess);
+    const expiresIn = provider.expires_at ? Math.max(1, Math.floor((provider.expires_at - Date.now()) / 1000)) : 3600;
+    sharedLogger.info("oauth_token", {
+      message: "Token refreshed successfully",
+      providerRefreshed: isExpiringSoon,
+      rsAccessRotated: providerRefreshRotated
+    });
+    return {
+      access_token: newAccess ?? rec.rs_access_token,
+      refresh_token: input.refreshToken,
+      token_type: "bearer",
+      expires_in: expiresIn,
+      scope: (updated?.provider.scopes || []).join(" ")
+    };
+  }
+  sharedLogger.debug("oauth_token", {
+    message: "Processing authorization_code grant"
+  });
+  const txnId = await store.getTxnIdByCode(input.code);
+  if (!txnId) {
+    sharedLogger.error("oauth_token", {
+      message: "Authorization code not found"
+    });
+    throw new Error("invalid_grant");
+  }
+  const txn = await store.getTransaction(txnId);
+  if (!txn) {
+    sharedLogger.error("oauth_token", {
+      message: "Transaction not found for code"
+    });
+    throw new Error("invalid_grant");
+  }
+  const expected = txn.codeChallenge;
+  const actual = await oauth2.calculatePKCECodeChallenge(input.codeVerifier);
+  if (expected !== actual) {
+    sharedLogger.error("oauth_token", {
+      message: "PKCE verification failed"
+    });
+    throw new Error("invalid_grant");
+  }
+  const rsAccess = generateOpaqueToken(24);
+  const rsRefresh = generateOpaqueToken(24);
+  sharedLogger.debug("oauth_token", {
+    message: "Minting RS tokens",
+    hasProviderTokens: !!txn.provider?.access_token
+  });
+  if (txn.provider?.access_token) {
+    await store.storeRsMapping(rsAccess, txn.provider, rsRefresh);
+    sharedLogger.info("oauth_token", {
+      message: "RS→Provider mapping stored"
+    });
+  } else {
+    sharedLogger.warning("oauth_token", {
+      message: "No provider tokens in transaction - RS mapping not created"
+    });
+  }
+  await store.deleteTransaction(txnId);
+  await store.deleteCode(input.code);
+  sharedLogger.info("oauth_token", {
+    message: "Token exchange completed"
+  });
+  return {
+    access_token: rsAccess,
+    refresh_token: rsRefresh,
+    token_type: "bearer",
+    expires_in: 3600,
+    scope: (txn.provider?.scopes || []).join(" ") || txn.scope || ""
+  };
+}
+
+// src/shared/oauth/endpoints.ts
+async function handleRegister(input, baseUrl, defaultRedirectUri) {
+  const now = Math.floor(Date.now() / 1000);
+  const clientId = generateOpaqueToken(12);
+  const redirectUris = Array.isArray(input.redirect_uris) ? input.redirect_uris : [defaultRedirectUri];
+  const grantTypes = Array.isArray(input.grant_types) ? input.grant_types : ["authorization_code", "refresh_token"];
+  const responseTypes = Array.isArray(input.response_types) ? input.response_types : ["code"];
+  return {
+    client_id: clientId,
+    client_id_issued_at: now,
+    client_secret_expires_at: 0,
+    token_endpoint_auth_method: "none",
+    redirect_uris: redirectUris,
+    grant_types: grantTypes,
+    response_types: responseTypes,
+    registration_client_uri: `${baseUrl}/register/${clientId}`,
+    registration_access_token: generateOpaqueToken(12),
+    ...input.client_name ? { client_name: input.client_name } : {}
+  };
+}
+async function handleRevoke() {
+  return { status: "ok" };
+}
+
+// src/shared/oauth/input-parsers.ts
+function parseAuthorizeInput(url, sessionId) {
+  return {
+    clientId: url.searchParams.get("client_id") ?? undefined,
+    codeChallenge: url.searchParams.get("code_challenge") || "",
+    codeChallengeMethod: url.searchParams.get("code_challenge_method") || "",
+    redirectUri: url.searchParams.get("redirect_uri") || "",
+    requestedScope: url.searchParams.get("scope") ?? undefined,
+    state: url.searchParams.get("state") ?? undefined,
+    sid: url.searchParams.get("sid") || sessionId || undefined
+  };
+}
+function parseCallbackInput(url) {
+  return {
+    code: url.searchParams.get("code"),
+    state: url.searchParams.get("state")
+  };
+}
+async function parseTokenInput(request) {
+  const contentType = request.headers.get("content-type") || "";
+  if (contentType.includes("application/x-www-form-urlencoded")) {
+    const text = await request.text();
+    return new URLSearchParams(text);
+  }
+  const json = await request.json().catch(() => ({}));
+  return new URLSearchParams(json);
+}
+function buildTokenInput(form) {
+  const grant = form.get("grant_type");
+  if (grant === "refresh_token") {
+    const refreshToken = form.get("refresh_token");
+    if (!refreshToken) {
+      return { error: "missing_refresh_token" };
+    }
+    return { grant: "refresh_token", refreshToken };
+  }
+  if (grant === "authorization_code") {
+    const code = form.get("code");
+    const codeVerifier = form.get("code_verifier");
+    if (!code || !codeVerifier) {
+      return { error: "missing_code_or_verifier" };
+    }
+    return { grant: "authorization_code", code, codeVerifier };
+  }
+  return { error: "unsupported_grant_type" };
+}
+function buildProviderConfig(config) {
+  return {
+    clientId: config.PROVIDER_CLIENT_ID,
+    clientSecret: config.PROVIDER_CLIENT_SECRET,
+    accountsUrl: config.PROVIDER_ACCOUNTS_URL || "https://provider.example.com",
+    oauthScopes: config.OAUTH_SCOPES,
+    extraAuthParams: config.OAUTH_EXTRA_AUTH_PARAMS,
+    authorizationEndpointPath: config.OAUTH_AUTHORIZATION_URL,
+    tokenEndpointPath: config.OAUTH_TOKEN_URL
+  };
+}
+function buildOAuthConfig(config) {
+  return {
+    redirectUri: config.OAUTH_REDIRECT_URI,
+    redirectAllowlist: config.OAUTH_REDIRECT_ALLOWLIST,
+    redirectAllowAll: config.OAUTH_REDIRECT_ALLOW_ALL
+  };
+}
+function buildFlowOptions(url, config, overrides = {}) {
+  return {
+    baseUrl: config.BASE_URL ?? url.origin,
+    isDev: config.NODE_ENV === "development",
+    callbackPath: overrides.callbackPath ?? "/oauth/provider-callback",
+    tokenEndpointPath: overrides.tokenEndpointPath ?? "/api/token"
+  };
+}
+
+// src/adapters/http-worker/index.ts
+import { Router } from "itty-router";
+
+// src/adapters/http-worker/security.ts
+async function checkAuthAndChallenge(request, store, config, sid) {
+  try {
+    validateOrigin(request.headers, config.NODE_ENV === "development");
+    validateProtocolVersion(request.headers, config.MCP_PROTOCOL_VERSION);
+  } catch (error) {
+    const challenge = buildUnauthorizedChallenge({
+      origin: new URL(request.url).origin,
+      sid,
+      message: error.message
+    });
+    const resp = new Response(JSON.stringify(challenge.body), {
+      status: challenge.status,
+      headers: {
+        "Content-Type": "application/json",
+        "Mcp-Session-Id": sid,
+        "WWW-Authenticate": challenge.headers["WWW-Authenticate"]
+      }
+    });
+    return withCors(resp);
+  }
+  if (!config.AUTH_ENABLED) {
+    return null;
+  }
+  const authHeader = request.headers.get("Authorization");
+  const apiKeyHeader = request.headers.get("x-api-key") || request.headers.get("x-auth-token");
+  if (!authHeader && !apiKeyHeader) {
+    const origin = new URL(request.url).origin;
+    const challenge = buildUnauthorizedChallenge({ origin, sid });
+    const resp = new Response(JSON.stringify(challenge.body), {
+      status: challenge.status,
+      headers: {
+        "Content-Type": "application/json",
+        "Mcp-Session-Id": sid,
+        "WWW-Authenticate": challenge.headers["WWW-Authenticate"]
+      }
+    });
+    return withCors(resp);
+  }
+  if (config.AUTH_REQUIRE_RS && authHeader) {
+    const match = authHeader.match(/^\s*Bearer\s+(.+)$/i);
+    const bearer = match?.[1];
+    if (bearer) {
+      const record = await store.getByRsAccess(bearer);
+      const hasMapping = !!record?.provider?.access_token;
+      if (!hasMapping && !config.AUTH_ALLOW_DIRECT_BEARER) {
+        const origin = new URL(request.url).origin;
+        const challenge = buildUnauthorizedChallenge({ origin, sid });
+        const resp = new Response(JSON.stringify(challenge.body), {
+          status: challenge.status,
+          headers: {
+            "Content-Type": "application/json",
+            "Mcp-Session-Id": sid,
+            "WWW-Authenticate": challenge.headers["WWW-Authenticate"]
+          }
+        });
+        return withCors(resp);
+      }
+    }
+  }
+  return null;
+}
+
+// src/adapters/http-worker/mcp.handler.ts
+var sessionStateMap = new Map;
+var cancellationRegistryMap = new Map;
+function getCancellationRegistry(sessionId) {
+  let registry = cancellationRegistryMap.get(sessionId);
+  if (!registry) {
+    registry = new Map;
+    cancellationRegistryMap.set(sessionId, registry);
+  }
+  return registry;
+}
+function getJsonRpcMessages(body) {
+  if (!body || typeof body !== "object")
+    return [];
+  if (Array.isArray(body)) {
+    return body.filter((msg) => msg && typeof msg === "object");
+  }
+  return [body];
+}
+function resolveSessionApiKey(headers, config) {
+  const apiKeyHeader = config.API_KEY_HEADER.toLowerCase();
+  const directApiKey = headers.get(apiKeyHeader) || headers.get("x-api-key") || headers.get("x-auth-token");
+  if (directApiKey)
+    return directApiKey;
+  const authHeader = headers.get("authorization") || headers.get("Authorization");
+  if (authHeader) {
+    const match = authHeader.match(/^\s*Bearer\s+(.+)$/i);
+    return match?.[1] ?? authHeader;
+  }
+  if (config.API_KEY)
+    return config.API_KEY;
+  return "public";
+}
+function parseCustomHeaders(value) {
+  if (!value)
+    return {};
+  const headers = {};
+  for (const pair of value.split(",")) {
+    const colonIndex = pair.indexOf(":");
+    if (colonIndex === -1)
+      continue;
+    const key = pair.slice(0, colonIndex).trim();
+    const val = pair.slice(colonIndex + 1).trim();
+    if (key && val) {
+      headers[key.toLowerCase()] = val;
+    }
+  }
+  return headers;
+}
+function buildStaticAuthHeaders(config) {
+  const headers = {};
+  switch (config.AUTH_STRATEGY) {
+    case "api_key":
+      if (config.API_KEY) {
+        headers[config.API_KEY_HEADER.toLowerCase()] = config.API_KEY;
+      }
+      break;
+    case "bearer":
+      if (config.BEARER_TOKEN) {
+        headers.authorization = `Bearer ${config.BEARER_TOKEN}`;
+      }
+      break;
+    case "custom":
+      Object.assign(headers, parseCustomHeaders(config.CUSTOM_HEADERS));
+      break;
+  }
+  return headers;
+}
+function buildProviderRefreshConfig2(config) {
+  if (!config.PROVIDER_CLIENT_ID || !config.PROVIDER_CLIENT_SECRET || !config.PROVIDER_ACCOUNTS_URL) {
+    return;
+  }
+  return {
+    clientId: config.PROVIDER_CLIENT_ID,
+    clientSecret: config.PROVIDER_CLIENT_SECRET,
+    accountsUrl: config.PROVIDER_ACCOUNTS_URL
+  };
+}
+async function resolveAuthContext(request, tokenStore, config) {
+  const rawHeaders = {};
+  request.headers.forEach((value, key) => {
+    rawHeaders[key.toLowerCase()] = value;
+  });
+  const strategy = config.AUTH_STRATEGY;
+  let providerToken;
+  let provider;
+  let resolvedHeaders = { ...rawHeaders };
+  if (strategy === "oauth") {
+    const authHeader = rawHeaders.authorization;
+    const match = authHeader?.match(/^\s*Bearer\s+(.+)$/i);
+    const rsToken = match?.[1];
+    if (rsToken) {
+      try {
+        const providerConfig = buildProviderRefreshConfig2(config);
+        const { accessToken, wasRefreshed } = await ensureFreshToken(rsToken, tokenStore, providerConfig);
+        if (accessToken) {
+          providerToken = accessToken;
+          const record = await tokenStore.getByRsAccess(rsToken);
+          if (record?.provider) {
+            provider = {
+              accessToken: record.provider.access_token,
+              refreshToken: record.provider.refresh_token,
+              expiresAt: record.provider.expires_at,
+              scopes: record.provider.scopes
+            };
+          }
+          resolvedHeaders.authorization = `Bearer ${accessToken}`;
+          if (wasRefreshed) {
+            sharedLogger.info("mcp_handler", {
+              message: "Using proactively refreshed token"
+            });
+          }
+        }
+      } catch (error) {
+        sharedLogger.debug("mcp_handler", {
+          message: "Token resolution failed",
+          error: error.message
+        });
+      }
+    }
+  } else if (strategy === "bearer" || strategy === "api_key" || strategy === "custom") {
+    const staticHeaders = buildStaticAuthHeaders(config);
+    resolvedHeaders = { ...rawHeaders, ...staticHeaders };
+    providerToken = strategy === "bearer" ? config.BEARER_TOKEN : config.API_KEY;
+  }
+  return {
+    sessionId: "",
+    authStrategy: strategy,
+    providerToken,
+    provider,
+    resolvedHeaders,
+    authHeaders: rawHeaders
+  };
+}
+async function handleMcpRequest(request, deps) {
+  const { tokenStore, sessionStore, config } = deps;
+  const body = await request.json().catch(() => ({}));
+  const { method, params, id } = body;
+  const messages = getJsonRpcMessages(body);
+  const isInitialize = messages.some((msg) => msg.method === "initialize");
+  const isInitialized = messages.some((msg) => msg.method === "initialized");
+  const initMessage = messages.find((msg) => msg.method === "initialize");
+  const protocolVersion = typeof initMessage?.params?.protocolVersion === "string" ? (initMessage?.params).protocolVersion : undefined;
+  const incomingSessionId = request.headers.get("Mcp-Session-Id")?.trim();
+  const sessionId = isInitialize ? crypto.randomUUID() : incomingSessionId || crypto.randomUUID();
+  const apiKey = resolveSessionApiKey(request.headers, config);
+  if (!isInitialize && !incomingSessionId) {
+    return jsonResponse({
+      jsonrpc: "2.0",
+      error: {
+        code: -32000,
+        message: "Bad Request: Mcp-Session-Id required"
+      },
+      id: null
+    }, { status: 400 });
+  }
+  if (!isInitialize && incomingSessionId) {
+    let existingSession = null;
+    try {
+      existingSession = await sessionStore.get(incomingSessionId);
+    } catch (error) {
+      sharedLogger.warning("mcp_session", {
+        message: "Session lookup failed",
+        error: error.message
+      });
+    }
+    if (!existingSession) {
+      return withCors(new Response("Invalid session", { status: 404 }));
+    }
+    if (existingSession.apiKey && existingSession.apiKey !== apiKey) {
+      sharedLogger.warning("mcp_session", {
+        message: "Request API key differs from session binding",
+        sessionId: incomingSessionId,
+        originalApiKey: `${existingSession.apiKey.slice(0, 8)}...`,
+        requestApiKey: `${apiKey.slice(0, 8)}...`
+      });
+    }
+  }
+  const challengeResponse = await checkAuthAndChallenge(request, tokenStore, config, sessionId);
+  if (challengeResponse) {
+    return challengeResponse;
+  }
+  const authContext = await resolveAuthContext(request, tokenStore, config);
+  authContext.sessionId = sessionId;
+  if (isInitialize) {
+    try {
+      await sessionStore.create(sessionId, apiKey);
+      if (protocolVersion) {
+        await sessionStore.update(sessionId, { protocolVersion });
+      }
+    } catch (error) {
+      sharedLogger.warning("mcp_session", {
+        message: "Failed to create session record",
+        error: error.message
+      });
+    }
+  }
+  if (isInitialized) {
+    try {
+      await sessionStore.update(sessionId, { initialized: true });
+    } catch (error) {
+      sharedLogger.warning("mcp_session", {
+        message: "Failed to update session initialized flag",
+        error: error.message
+      });
+    }
+  }
+  const cancellationRegistry = getCancellationRegistry(sessionId);
+  const dispatchContext = {
+    sessionId,
+    auth: authContext,
+    config: {
+      title: config.MCP_TITLE,
+      version: config.MCP_VERSION,
+      instructions: config.MCP_INSTRUCTIONS
+    },
+    getSessionState: () => sessionStateMap.get(sessionId),
+    setSessionState: (state) => sessionStateMap.set(sessionId, state),
+    cancellationRegistry,
+    tools: deps.tools
+  };
+  if (!("id" in body) || id === null || id === undefined) {
+    if (method) {
+      handleMcpNotification(method, params, dispatchContext);
+    }
+    return withCors(new Response(null, { status: 202 }));
+  }
+  const result = await dispatchMcpMethod(method, params, dispatchContext, id);
+  const response = jsonResponse({
+    jsonrpc: "2.0",
+    ...result.error ? { error: result.error } : { result: result.result },
+    id
+  });
+  response.headers.set("Mcp-Session-Id", sessionId);
+  return withCors(response);
+}
+function handleMcpGet() {
+  return withCors(new Response("Method Not Allowed", { status: 405 }));
+}
+async function handleMcpDelete(request, deps) {
+  const { sessionStore } = deps;
+  const sessionId = request.headers.get("Mcp-Session-Id")?.trim();
+  if (!sessionId) {
+    return withCors(jsonResponse({
+      jsonrpc: "2.0",
+      error: {
+        code: -32000,
+        message: "Bad Request: Mcp-Session-Id required"
+      },
+      id: null
+    }, { status: 400 }));
+  }
+  let existingSession = null;
+  try {
+    existingSession = await sessionStore.get(sessionId);
+  } catch (error) {
+    sharedLogger.warning("mcp_session", {
+      message: "Session lookup failed on DELETE",
+      error: error.message
+    });
+  }
+  if (!existingSession) {
+    return withCors(new Response("Invalid session", { status: 404 }));
+  }
+  sessionStateMap.delete(sessionId);
+  cancellationRegistryMap.delete(sessionId);
+  try {
+    await sessionStore.delete(sessionId);
+    sharedLogger.info("mcp_session", {
+      message: "Session terminated via DELETE",
+      sessionId
+    });
+  } catch (error) {
+    sharedLogger.warning("mcp_session", {
+      message: "Failed to delete session record",
+      error: error.message
+    });
+  }
+  return withCors(new Response(null, { status: 202 }));
+}
+
+// src/adapters/http-worker/routes.discovery.ts
+function attachDiscoveryRoutes(router, config) {
+  const { authorizationMetadata, protectedResourceMetadata } = createDiscoveryHandlers(config, workerDiscoveryStrategy);
+  router.get("/.well-known/oauth-authorization-server", async (request) => {
+    const metadata = authorizationMetadata(new URL(request.url));
+    return jsonResponse(metadata);
+  });
+  router.get("/.well-known/oauth-protected-resource", async (request) => {
+    const here = new URL(request.url);
+    const sid = here.searchParams.get("sid") ?? undefined;
+    const metadata = protectedResourceMetadata(here, sid);
+    return jsonResponse(metadata);
+  });
+}
+
+// src/adapters/http-worker/routes.oauth.ts
+function attachOAuthRoutes(router, store, config) {
+  const providerConfig = buildProviderConfig(config);
+  const oauthConfig = buildOAuthConfig(config);
+  router.get("/authorize", async (request) => {
+    sharedLogger.info("oauth_workers", { message: "Authorize request received" });
+    try {
+      const url = new URL(request.url);
+      const sessionId = request.headers.get("Mcp-Session-Id") ?? undefined;
+      const input = parseAuthorizeInput(url, sessionId);
+      const options = {
+        ...buildFlowOptions(url, config),
+        cimd: {
+          enabled: config.CIMD_ENABLED,
+          timeoutMs: config.CIMD_FETCH_TIMEOUT_MS,
+          maxBytes: config.CIMD_MAX_RESPONSE_BYTES,
+          allowedDomains: config.CIMD_ALLOWED_DOMAINS
+        }
+      };
+      const result = await handleAuthorize(input, store, providerConfig, oauthConfig, options);
+      sharedLogger.info("oauth_workers", {
+        message: "Authorize redirect",
+        redirectTo: result.redirectTo
+      });
+      return redirectResponse(result.redirectTo);
+    } catch (error) {
+      sharedLogger.error("oauth_workers", {
+        message: "Authorize failed",
+        error: error.message
+      });
+      return textError(error.message || "Authorization failed");
+    }
+  });
+  router.get("/oauth/provider-callback", async (request) => {
+    const url = new URL(request.url);
+    const { code, state } = parseCallbackInput(url);
+    sharedLogger.info("oauth_workers", {
+      message: "Callback request received",
+      hasCode: !!code,
+      hasState: !!state,
+      stateLength: state?.length
+    });
+    try {
+      if (!code || !state) {
+        return textError("invalid_callback: missing code or state");
+      }
+      if (!config.PROVIDER_CLIENT_ID || !config.PROVIDER_CLIENT_SECRET) {
+        sharedLogger.error("oauth_workers", {
+          message: "Missing provider credentials"
+        });
+        return textError("Server misconfigured: Missing provider credentials", {
+          status: 500
+        });
+      }
+      const options = buildFlowOptions(url, config);
+      const result = await handleProviderCallback({ providerCode: code, compositeState: state }, store, providerConfig, oauthConfig, options);
+      sharedLogger.info("oauth_workers", {
+        message: "Callback success",
+        redirectTo: result.redirectTo
+      });
+      return redirectResponse(result.redirectTo);
+    } catch (error) {
+      sharedLogger.error("oauth_workers", {
+        message: "Callback failed",
+        error: error.message
+      });
+      return textError(error.message || "Callback failed", {
+        status: 500
+      });
+    }
+  });
+  router.get("/oauth/callback", async (request) => {
+    const url = new URL(request.url);
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    sharedLogger.info("oauth_workers", {
+      message: "Client callback received",
+      hasCode: !!code,
+      hasState: !!state
+    });
+    return new Response(`<!DOCTYPE html><html><head><title>Authentication Complete</title></head><body>
+<h2>Authentication successful</h2>
+<p>You can close this window and return to your application.</p>
+<script>
+// Some MCP clients read the URL params from the opener window
+if (window.opener) {
+  window.opener.postMessage({ type: 'oauth_callback', code: ${JSON.stringify(code)}, state: ${JSON.stringify(state)} }, '*');
+  window.close();
+}
+</script>
+</body></html>`, { headers: { "content-type": "text/html; charset=utf-8" } });
+  });
+  router.post("/token", async (request) => {
+    sharedLogger.debug("oauth_workers", { message: "Token request received" });
+    try {
+      const form = await parseTokenInput(request);
+      const tokenInput = buildTokenInput(form);
+      if ("error" in tokenInput) {
+        return oauthError(tokenInput.error);
+      }
+      const result = await handleToken(tokenInput, store, providerConfig);
+      sharedLogger.info("oauth_workers", { message: "Token exchange success" });
+      return jsonResponse(result);
+    } catch (error) {
+      sharedLogger.error("oauth_workers", {
+        message: "Token exchange failed",
+        error: error.message
+      });
+      return oauthError(error.message || "invalid_grant");
+    }
+  });
+  router.post("/revoke", async () => {
+    const result = await handleRevoke();
+    return jsonResponse(result);
+  });
+  router.post("/register", async (request) => {
+    try {
+      const body = await request.json().catch(() => ({}));
+      const url = new URL(request.url);
+      sharedLogger.debug("oauth_workers", { message: "Register request" });
+      const result = await handleRegister({
+        redirect_uris: Array.isArray(body.redirect_uris) ? body.redirect_uris : undefined,
+        grant_types: Array.isArray(body.grant_types) ? body.grant_types : undefined,
+        response_types: Array.isArray(body.response_types) ? body.response_types : undefined,
+        client_name: typeof body.client_name === "string" ? body.client_name : undefined
+      }, url.origin, config.OAUTH_REDIRECT_URI);
+      sharedLogger.info("oauth_workers", { message: "Client registered" });
+      return jsonResponse(result, { status: 201 });
+    } catch (error) {
+      return oauthError(error.message);
+    }
+  });
+}
+
+// src/adapters/http-worker/index.ts
+var sharedTokenStore = null;
+var sharedSessionStore = null;
+function initializeWorkerStorage(env, config) {
+  const kvNamespace = env.TOKENS;
+  if (!kvNamespace) {
+    sharedLogger.error("worker_storage", {
+      message: "No KV namespace bound - storage unavailable"
+    });
+    return null;
+  }
+  if (!sharedTokenStore || !sharedSessionStore) {
+    sharedTokenStore = new MemoryTokenStore;
+    sharedSessionStore = new MemorySessionStore;
+  }
+  let encrypt2;
+  let decrypt2;
+  if (env.RS_TOKENS_ENC_KEY) {
+    const encryptor = createEncryptor(env.RS_TOKENS_ENC_KEY);
+    encrypt2 = encryptor.encrypt;
+    decrypt2 = encryptor.decrypt;
+    sharedLogger.debug("worker_storage", { message: "KV encryption enabled" });
+  } else {
+    encrypt2 = async (s) => s;
+    decrypt2 = async (s) => s;
+    if (config.NODE_ENV === "production") {
+      sharedLogger.warning("worker_storage", {
+        message: "RS_TOKENS_ENC_KEY not set! KV data is unencrypted."
+      });
+    }
+  }
+  const tokenStore = new KvTokenStore(kvNamespace, {
+    encrypt: encrypt2,
+    decrypt: decrypt2,
+    fallback: sharedTokenStore
+  });
+  const sessionStore = new KvSessionStore(kvNamespace, {
+    encrypt: encrypt2,
+    decrypt: decrypt2,
+    fallback: sharedSessionStore
+  });
+  initializeStorage(tokenStore, sessionStore);
+  return { tokenStore, sessionStore };
+}
+var MCP_ENDPOINT_PATH = "/mcp";
+function createWorkerRouter(ctx) {
+  const router = Router();
+  const { tokenStore, sessionStore, config, tools } = ctx;
+  router.options("*", () => corsPreflightResponse());
+  attachDiscoveryRoutes(router, config);
+  attachOAuthRoutes(router, tokenStore, config);
+  router.get(MCP_ENDPOINT_PATH, () => handleMcpGet());
+  router.post(MCP_ENDPOINT_PATH, (request) => handleMcpRequest(request, { tokenStore, sessionStore, config, tools }));
+  router.delete(MCP_ENDPOINT_PATH, (request) => handleMcpDelete(request, { tokenStore, sessionStore, config, tools }));
+  router.get("/health", () => withCors(new Response(JSON.stringify({ status: "ok", timestamp: Date.now() }), {
+    headers: { "Content-Type": "application/json" }
+  })));
+  router.all("*", () => withCors(new Response("Not Found", { status: 404 })));
+  return router;
+}
+function shimProcessEnv(env) {
+  const g = globalThis;
+  g.process = g.process || {};
+  g.process.env = {
+    ...g.process.env ?? {},
+    ...env
+  };
+}
+
+export { base64Encode, base64Decode, base64UrlEncode, base64UrlDecode, base64UrlEncodeString, base64UrlDecodeString, base64UrlEncodeJson, base64UrlDecodeJson, encrypt, decrypt, generateKey, createEncryptor, withCors, corsPreflightResponse, buildCorsHeaders, MAX_SESSIONS_PER_API_KEY, MemoryTokenStore, MemorySessionStore, KvTokenStore, KvSessionStore, initializeStorage, getTokenStore, getSessionStore, sharedLogger, logger, JsonRpcErrorCode, CancellationError, CancellationToken, createCancellationToken, withCancellation, toProviderInfo, toProviderTokens, assertProviderToken, defineTool, echoInputSchema, echoTool, healthInputSchema, healthTool, sharedTools, getSharedTool, getSharedToolNames, executeSharedTool, registerTools, LATEST_PROTOCOL_VERSION, SUPPORTED_PROTOCOL_VERSIONS, getLogLevel, dispatchMcpMethod, handleMcpNotification, buildProviderRefreshConfig, refreshProviderToken, isTokenExpiredOrExpiring, ensureFreshToken, validateOrigin, validateProtocolVersion, buildUnauthorizedChallenge, buildAuthorizationServerMetadata, buildProtectedResourceMetadata, createDiscoveryHandlers, workerDiscoveryStrategy, nodeDiscoveryStrategy, checkSsrfSafe, isSsrfSafe, assertSsrfSafe, ClientMetadataSchema, isClientIdUrl, fetchClientMetadata, validateRedirectUri, generateOpaqueToken, handleAuthorize, handleProviderCallback, handleToken, handleRegister, handleRevoke, parseAuthorizeInput, parseCallbackInput, parseTokenInput, buildTokenInput, buildProviderConfig, buildOAuthConfig, buildFlowOptions, initializeWorkerStorage, createWorkerRouter, shimProcessEnv };