@query-farm/vgi-rpc 0.3.3 → 0.4.0

package/dist/index.js

@@ -50,6 +50,48 @@ var init_zstd = __esm(() => {
   isBun = typeof globalThis.Bun !== "undefined";
 });
 
+// src/errors.ts
+class RpcError extends Error {
+  errorType;
+  errorMessage;
+  remoteTraceback;
+  constructor(errorType, errorMessage, remoteTraceback) {
+    super(`${errorType}: ${errorMessage}`);
+    this.errorType = errorType;
+    this.errorMessage = errorMessage;
+    this.remoteTraceback = remoteTraceback;
+    this.name = "RpcError";
+  }
+}
+
+class VersionError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "VersionError";
+  }
+}
+
+// src/auth.ts
+class AuthContext {
+  domain;
+  authenticated;
+  principal;
+  claims;
+  constructor(domain, authenticated, principal, claims = {}) {
+    this.domain = domain;
+    this.authenticated = authenticated;
+    this.principal = principal;
+    this.claims = claims;
+  }
+  static anonymous() {
+    return new AuthContext("", false, null);
+  }
+  requireAuthenticated() {
+    if (!this.authenticated) {
+      throw new RpcError("AuthenticationError", "Authentication required", "");
+    }
+  }
+}
 // src/constants.ts
 var RPC_METHOD_KEY = "vgi_rpc.method";
 var LOG_LEVEL_KEY = "vgi_rpc.log_level";
@@ -66,17 +108,55 @@ var DESCRIBE_METHOD_NAME = "__describe__";
 var STATE_KEY = "vgi_rpc.stream_state#b64";
 
 // src/http/common.ts
-import {
-  RecordBatchReader,
-  RecordBatchStreamWriter
-} from "@query-farm/apache-arrow";
+import { RecordBatchReader, RecordBatchStreamWriter } from "@query-farm/apache-arrow";
 
 // src/util/conform.ts
-import { RecordBatch, Struct, makeData } from "@query-farm/apache-arrow";
+import {
+  makeData,
+  RecordBatch,
+  Struct,
+  Type,
+  vectorFromArray
+} from "@query-farm/apache-arrow";
+function needsValueCast(src, dst) {
+  if (src.typeId === dst.typeId)
+    return false;
+  if (src.constructor === dst.constructor)
+    return false;
+  return true;
+}
+function isNumeric(t) {
+  return t.typeId === Type.Int || t.typeId === Type.Float;
+}
 function conformBatchToSchema(batch, schema) {
   if (batch.numRows === 0)
     return batch;
-  const children = schema.fields.map((f, i) => batch.data.children[i].clone(f.type));
+  if (batch.schema.fields.length !== schema.fields.length) {
+    throw new TypeError(`Field count mismatch: expected ${schema.fields.length}, got ${batch.schema.fields.length}`);
+  }
+  for (let i = 0;i < schema.fields.length; i++) {
+    if (batch.schema.fields[i].name !== schema.fields[i].name) {
+      throw new TypeError(`Field name mismatch at index ${i}: expected '${schema.fields[i].name}', got '${batch.schema.fields[i].name}'`);
+    }
+  }
+  const children = schema.fields.map((f, i) => {
+    const srcChild = batch.data.children[i];
+    const srcType = srcChild.type;
+    const dstType = f.type;
+    if (!needsValueCast(srcType, dstType)) {
+      return srcChild.clone(dstType);
+    }
+    if (isNumeric(srcType) && isNumeric(dstType)) {
+      const col = batch.getChildAt(i);
+      const values = [];
+      for (let r = 0;r < batch.numRows; r++) {
+        const v = col.get(r);
+        values.push(typeof v === "bigint" ? Number(v) : v);
+      }
+      return vectorFromArray(values, dstType).data[0];
+    }
+    return srcChild.clone(dstType);
+  });
   const structType = new Struct(schema.fields);
   const data = makeData({
     type: structType,
@@ -142,30 +222,9 @@ import {
   RecordBatchReader as RecordBatchReader3,
   Struct as Struct2,
   Utf8,
-  vectorFromArray
+  vectorFromArray as vectorFromArray2
 } from "@query-farm/apache-arrow";
 
-// src/errors.ts
-class RpcError extends Error {
-  errorType;
-  errorMessage;
-  remoteTraceback;
-  constructor(errorType, errorMessage, remoteTraceback) {
-    super(`${errorType}: ${errorMessage}`);
-    this.errorType = errorType;
-    this.errorMessage = errorMessage;
-    this.remoteTraceback = remoteTraceback;
-    this.name = "RpcError";
-  }
-}
-
-class VersionError extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "VersionError";
-  }
-}
-
 // src/wire/reader.ts
 import { RecordBatchReader as RecordBatchReader2 } from "@query-farm/apache-arrow";
 
@@ -297,7 +356,7 @@ function buildRequestIpc(schema, params, method) {
   }
   const children = schema.fields.map((f) => {
     const val = coerceForArrow(f.type, params[f.name]);
-    return vectorFromArray([val], f.type).data[0];
+    return vectorFromArray2([val], f.type).data[0];
   });
   const structType = new Struct2(schema.fields);
   const data = makeData2({
@@ -451,18 +510,25 @@ async function httpIntrospect(baseUrl, options) {
   const prefix = options?.prefix ?? "/vgi";
   const emptySchema = new ArrowSchema([]);
   const body = buildRequestIpc(emptySchema, {}, DESCRIBE_METHOD_NAME);
+  const headers = { "Content-Type": ARROW_CONTENT_TYPE };
+  if (options?.authorization) {
+    headers.Authorization = options.authorization;
+  }
   const response = await fetch(`${baseUrl}${prefix}/${DESCRIBE_METHOD_NAME}`, {
     method: "POST",
-    headers: { "Content-Type": ARROW_CONTENT_TYPE },
+    headers,
     body
   });
+  if (response.status === 401) {
+    throw new RpcError("AuthenticationError", "Authentication required", "");
+  }
   const responseBody = new Uint8Array(await response.arrayBuffer());
   const { batches } = await readResponseBatches(responseBody);
   return parseDescribeResponse(batches);
 }
 
 // src/client/stream.ts
-import { Field, makeData as makeData3, RecordBatch as RecordBatch3, Schema, Struct as Struct3, vectorFromArray as vectorFromArray2 } from "@query-farm/apache-arrow";
+import { Field, makeData as makeData3, RecordBatch as RecordBatch3, Schema, Struct as Struct3, vectorFromArray as vectorFromArray3 } from "@query-farm/apache-arrow";
 class HttpStreamSession {
   _baseUrl;
   _prefix;
@@ -477,6 +543,7 @@ class HttpStreamSession {
   _compressionLevel;
   _compressFn;
   _decompressFn;
+  _authorization;
   constructor(opts) {
     this._baseUrl = opts.baseUrl;
     this._prefix = opts.prefix;
@@ -491,6 +558,7 @@ class HttpStreamSession {
     this._compressionLevel = opts.compressionLevel;
     this._compressFn = opts.compressFn;
     this._decompressFn = opts.decompressFn;
+    this._authorization = opts.authorization;
   }
   get header() {
     return this._header;
@@ -503,6 +571,9 @@ class HttpStreamSession {
       headers["Content-Encoding"] = "zstd";
       headers["Accept-Encoding"] = "zstd";
     }
+    if (this._authorization) {
+      headers.Authorization = this._authorization;
+    }
     return headers;
   }
   _prepareBody(content) {
@@ -546,7 +617,7 @@ class HttpStreamSession {
     const inputSchema = new Schema(fields);
     const children = inputSchema.fields.map((f) => {
       const values = input.map((row) => row[f.name]);
-      return vectorFromArray2(values, f.type).data[0];
+      return vectorFromArray3(values, f.type).data[0];
     });
     const structType = new Struct3(inputSchema.fields);
     const data = makeData3({
@@ -567,6 +638,9 @@ class HttpStreamSession {
       headers: this._buildHeaders(),
       body: this._prepareBody(body)
     });
+    if (resp.status === 401) {
+      throw new RpcError("AuthenticationError", "Authentication required", "");
+    }
     const responseBody = await this._readResponse(resp);
     const { batches: responseBatches } = await readResponseBatches(responseBody);
     let resultRows = [];
@@ -652,6 +726,9 @@ class HttpStreamSession {
       headers: this._buildHeaders(),
       body: this._prepareBody(body)
     });
+    if (resp.status === 401) {
+      throw new RpcError("AuthenticationError", "Authentication required", "");
+    }
     return this._readResponse(resp);
   }
   close() {}
@@ -662,6 +739,7 @@ function httpConnect(baseUrl, options) {
   const prefix = (options?.prefix ?? "/vgi").replace(/\/+$/, "");
   const onLog = options?.onLog;
   const compressionLevel = options?.compressionLevel;
+  const authorization = options?.authorization;
   let methodCache = null;
   let compressFn;
   let decompressFn;
@@ -684,6 +762,9 @@ function httpConnect(baseUrl, options) {
       headers["Content-Encoding"] = "zstd";
       headers["Accept-Encoding"] = "zstd";
     }
+    if (authorization) {
+      headers.Authorization = authorization;
+    }
     return headers;
   }
   function prepareBody(content) {
@@ -692,6 +773,11 @@ function httpConnect(baseUrl, options) {
     }
     return content;
   }
+  function checkAuth(resp) {
+    if (resp.status === 401) {
+      throw new RpcError("AuthenticationError", "Authentication required", "");
+    }
+  }
   async function readResponse(resp) {
     let body = new Uint8Array(await resp.arrayBuffer());
     if (resp.headers.get("Content-Encoding") === "zstd" && decompressFn) {
@@ -702,7 +788,7 @@ function httpConnect(baseUrl, options) {
   async function ensureMethodCache() {
     if (methodCache)
       return methodCache;
-    const desc = await httpIntrospect(baseUrl, { prefix });
+    const desc = await httpIntrospect(baseUrl, { prefix, authorization });
     methodCache = new Map(desc.methods.map((m) => [m.name, m]));
     return methodCache;
   }
@@ -721,6 +807,7 @@ function httpConnect(baseUrl, options) {
         headers: buildHeaders(),
         body: prepareBody(body)
       });
+      checkAuth(resp);
       const responseBody = await readResponse(resp);
       const { batches } = await readResponseBatches(responseBody);
       let resultBatch = null;
@@ -756,6 +843,7 @@ function httpConnect(baseUrl, options) {
         headers: buildHeaders(),
         body: prepareBody(body)
       });
+      checkAuth(resp);
       const responseBody = await readResponse(resp);
       let header = null;
       let stateToken = null;
@@ -861,7 +949,8 @@ function httpConnect(baseUrl, options) {
         header,
         compressionLevel,
         compressFn,
-        decompressFn
+        decompressFn,
+        authorization
       });
     },
     async describe() {
@@ -870,6 +959,53 @@ function httpConnect(baseUrl, options) {
     close() {}
   };
 }
+// src/client/oauth.ts
+function parseMetadataJson(json) {
+  const result = {
+    resource: json.resource,
+    authorizationServers: json.authorization_servers
+  };
+  if (json.scopes_supported)
+    result.scopesSupported = json.scopes_supported;
+  if (json.bearer_methods_supported)
+    result.bearerMethodsSupported = json.bearer_methods_supported;
+  if (json.resource_name)
+    result.resourceName = json.resource_name;
+  if (json.resource_documentation)
+    result.resourceDocumentation = json.resource_documentation;
+  if (json.resource_policy_uri)
+    result.resourcePolicyUri = json.resource_policy_uri;
+  if (json.resource_tos_uri)
+    result.resourceTosUri = json.resource_tos_uri;
+  return result;
+}
+async function httpOAuthMetadata(baseUrl, prefix) {
+  const effectivePrefix = (prefix ?? "/vgi").replace(/\/+$/, "");
+  const metadataUrl = `${baseUrl.replace(/\/+$/, "")}/.well-known/oauth-protected-resource${effectivePrefix}`;
+  try {
+    return await fetchOAuthMetadata(metadataUrl);
+  } catch {
+    return null;
+  }
+}
+async function fetchOAuthMetadata(metadataUrl) {
+  const response = await fetch(metadataUrl);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch OAuth metadata from ${metadataUrl}: ${response.status}`);
+  }
+  const json = await response.json();
+  return parseMetadataJson(json);
+}
+function parseResourceMetadataUrl(wwwAuthenticate) {
+  const bearerMatch = wwwAuthenticate.match(/^Bearer\s+(.*)/i);
+  if (!bearerMatch)
+    return null;
+  const params = bearerMatch[1];
+  const metadataMatch = params.match(/resource_metadata="([^"]+)"/);
+  if (!metadataMatch)
+    return null;
+  return metadataMatch[1];
+}
 // src/client/pipe.ts
 import {
   Field as Field2,
@@ -878,7 +1014,7 @@ import {
   RecordBatchStreamWriter as RecordBatchStreamWriter2,
   Schema as Schema2,
   Struct as Struct4,
-  vectorFromArray as vectorFromArray3
+  vectorFromArray as vectorFromArray4
 } from "@query-farm/apache-arrow";
 class PipeIncrementalWriter {
   writer;
@@ -1001,7 +1137,7 @@ class PipeStreamSession {
       }
       const children = inputSchema.fields.map((f) => {
         const values = input.map((row) => row[f.name]);
-        return vectorFromArray3(values, f.type).data[0];
+        return vectorFromArray4(values, f.type).data[0];
       });
       const structType = new Struct4(inputSchema.fields);
       const data = makeData4({
@@ -1303,6 +1439,35 @@ function subprocessConnect(cmd, options) {
   };
   return client;
 }
+// src/http/auth.ts
+function oauthResourceMetadataToJson(metadata) {
+  const json = {
+    resource: metadata.resource,
+    authorization_servers: metadata.authorizationServers
+  };
+  if (metadata.scopesSupported)
+    json.scopes_supported = metadata.scopesSupported;
+  if (metadata.bearerMethodsSupported)
+    json.bearer_methods_supported = metadata.bearerMethodsSupported;
+  if (metadata.resourceName)
+    json.resource_name = metadata.resourceName;
+  if (metadata.resourceDocumentation)
+    json.resource_documentation = metadata.resourceDocumentation;
+  if (metadata.resourcePolicyUri)
+    json.resource_policy_uri = metadata.resourcePolicyUri;
+  if (metadata.resourceTosUri)
+    json.resource_tos_uri = metadata.resourceTosUri;
+  return json;
+}
+function wellKnownPath(prefix) {
+  return `/.well-known/oauth-protected-resource${prefix}`;
+}
+function buildWwwAuthenticateHeader(metadataUrl) {
+  if (metadataUrl) {
+    return `Bearer resource_metadata="${metadataUrl}"`;
+  }
+  return "Bearer";
+}
 // src/http/handler.ts
 import { randomBytes } from "node:crypto";
 import { Schema as Schema5 } from "@query-farm/apache-arrow";
@@ -1317,7 +1482,7 @@ import {
   makeData as makeData5,
   RecordBatch as RecordBatch5,
   Struct as Struct5,
-  vectorFromArray as vectorFromArray4
+  vectorFromArray as vectorFromArray5
 } from "@query-farm/apache-arrow";
 function coerceInt64(schema, values) {
   const result = { ...values };
@@ -1356,7 +1521,7 @@ function buildResultBatch(schema, values, serverId, requestId) {
     if (val instanceof Data) {
       return val;
     }
-    const arr = vectorFromArray4([val], f.type);
+    const arr = vectorFromArray5([val], f.type);
     return arr.data[0];
   });
   const structType = new Struct5(schema.fields);
@@ -1399,20 +1564,28 @@ function buildLogBatch(schema, level, message, extra, serverId, requestId) {
   }
   return buildEmptyBatch(schema, metadata);
 }
-function buildEmptyBatch(schema, metadata) {
-  const children = schema.fields.map((f) => {
-    return makeData5({ type: f.type, length: 0, nullCount: 0 });
-  });
-  if (schema.fields.length === 0) {
-    const structType2 = new Struct5(schema.fields);
-    const data2 = makeData5({
-      type: structType2,
-      length: 0,
-      children: [],
-      nullCount: 0
-    });
-    return new RecordBatch5(schema, data2, metadata);
+function makeEmptyData(type) {
+  if (DataType2.isStruct(type)) {
+    const children = type.children.map((f) => makeEmptyData(f.type));
+    return makeData5({ type, length: 0, children, nullCount: 0 });
+  }
+  if (DataType2.isList(type)) {
+    const childData = makeEmptyData(type.children[0].type);
+    return makeData5({ type, length: 0, children: [childData], nullCount: 0, valueOffsets: new Int32Array([0]) });
+  }
+  if (DataType2.isFixedSizeList(type)) {
+    const childData = makeEmptyData(type.children[0].type);
+    return makeData5({ type, length: 0, child: childData, nullCount: 0 });
   }
+  if (DataType2.isMap(type)) {
+    const entryType = type.children[0]?.type;
+    const entryData = entryType ? makeEmptyData(entryType) : makeData5({ type: new Struct5([]), length: 0, children: [], nullCount: 0 });
+    return makeData5({ type, length: 0, children: [entryData], nullCount: 0, valueOffsets: new Int32Array([0]) });
+  }
+  return makeData5({ type, length: 0, nullCount: 0 });
+}
+function buildEmptyBatch(schema, metadata) {
+  const children = schema.fields.map((f) => makeEmptyData(f.type));
   const structType = new Struct5(schema.fields);
   const data = makeData5({
     type: structType,
@@ -1438,11 +1611,13 @@ class OutputCollector {
   _outputSchema;
   _serverId;
   _requestId;
-  constructor(outputSchema, producerMode = true, serverId = "", requestId = null) {
+  auth;
+  constructor(outputSchema, producerMode = true, serverId = "", requestId = null, authContext) {
     this._outputSchema = outputSchema;
     this._producerMode = producerMode;
     this._serverId = serverId;
     this._requestId = requestId;
+    this.auth = authContext ?? AuthContext.anonymous();
   }
   get outputSchema() {
     return this._outputSchema;
@@ -1502,7 +1677,7 @@ import {
   Schema as Schema3,
   Struct as Struct6,
   Utf8 as Utf82,
-  vectorFromArray as vectorFromArray5
+  vectorFromArray as vectorFromArray6
 } from "@query-farm/apache-arrow";
 
 // src/util/schema.ts
@@ -1566,16 +1741,16 @@ function buildDescribeBatch(protocolName, methods, serverId) {
     hasHeaders.push(!!method.headerSchema);
     headerSchemas.push(method.headerSchema ? serializeSchema(method.headerSchema) : null);
   }
-  const nameArr = vectorFromArray5(names, new Utf82);
-  const methodTypeArr = vectorFromArray5(methodTypes, new Utf82);
-  const docArr = vectorFromArray5(docs, new Utf82);
-  const hasReturnArr = vectorFromArray5(hasReturns, new Bool2);
-  const paramsSchemaArr = vectorFromArray5(paramsSchemas, new Binary2);
-  const resultSchemaArr = vectorFromArray5(resultSchemas, new Binary2);
-  const paramTypesArr = vectorFromArray5(paramTypesJsons, new Utf82);
-  const paramDefaultsArr = vectorFromArray5(paramDefaultsJsons, new Utf82);
-  const hasHeaderArr = vectorFromArray5(hasHeaders, new Bool2);
-  const headerSchemaArr = vectorFromArray5(headerSchemas, new Binary2);
+  const nameArr = vectorFromArray6(names, new Utf82);
+  const methodTypeArr = vectorFromArray6(methodTypes, new Utf82);
+  const docArr = vectorFromArray6(docs, new Utf82);
+  const hasReturnArr = vectorFromArray6(hasReturns, new Bool2);
+  const paramsSchemaArr = vectorFromArray6(paramsSchemas, new Binary2);
+  const resultSchemaArr = vectorFromArray6(resultSchemas, new Binary2);
+  const paramTypesArr = vectorFromArray6(paramTypesJsons, new Utf82);
+  const paramDefaultsArr = vectorFromArray6(paramDefaultsJsons, new Utf82);
+  const hasHeaderArr = vectorFromArray6(hasHeaders, new Bool2);
+  const headerSchemaArr = vectorFromArray6(headerSchemas, new Binary2);
   const children = [
     nameArr.data[0],
     methodTypeArr.data[0],
@@ -1745,7 +1920,7 @@ async function httpDispatchUnary(method, body, ctx) {
   if (parsed.methodName !== method.name) {
     throw new HttpRpcError(`Method name in request '${parsed.methodName}' does not match URL '${method.name}'`, 400);
   }
-  const out = new OutputCollector(schema, true, ctx.serverId, parsed.requestId);
+  const out = new OutputCollector(schema, true, ctx.serverId, parsed.requestId, ctx.authContext);
   try {
     const result = await method.handler(parsed.params, out);
     const resultBatch = buildResultBatch(schema, result, ctx.serverId, parsed.requestId);
@@ -1782,7 +1957,7 @@ async function httpDispatchStreamInit(method, body, ctx) {
   let headerBytes = null;
   if (method.headerSchema && method.headerInit) {
     try {
-      const headerOut = new OutputCollector(method.headerSchema, true, ctx.serverId, parsed.requestId);
+      const headerOut = new OutputCollector(method.headerSchema, true, ctx.serverId, parsed.requestId, ctx.authContext);
       const headerValues = method.headerInit(parsed.params, state, headerOut);
       const headerBatch = buildResultBatch(method.headerSchema, headerValues, ctx.serverId, parsed.requestId);
       const headerBatches = [...headerOut.batches.map((b) => b.batch), headerBatch];
@@ -1850,7 +2025,7 @@ async function httpDispatchStreamExchange(method, body, ctx) {
   if (effectiveProducer) {
     return produceStreamResponse(method, state, outputSchema, inputSchema, ctx, null, null);
   } else {
-    const out = new OutputCollector(outputSchema, effectiveProducer, ctx.serverId, null);
+    const out = new OutputCollector(outputSchema, effectiveProducer, ctx.serverId, null, ctx.authContext);
     const conformedBatch = conformBatchToSchema(reqBatch, inputSchema);
     try {
       if (method.exchangeFn) {
@@ -1900,7 +2075,7 @@ async function produceStreamResponse(method, state, outputSchema, inputSchema, c
   const maxBytes = ctx.maxStreamResponseBytes;
   let estimatedBytes = 0;
   while (true) {
-    const out = new OutputCollector(outputSchema, true, ctx.serverId, requestId);
+    const out = new OutputCollector(outputSchema, true, ctx.serverId, requestId, ctx.authContext);
     try {
       if (method.producerFn) {
         await method.producerFn(state, out);
@@ -1976,10 +2151,12 @@ function createHttpHandler(protocol, options) {
   const maxRequestBytes = options?.maxRequestBytes;
   const maxStreamResponseBytes = options?.maxStreamResponseBytes;
   const serverId = options?.serverId ?? crypto.randomUUID().replace(/-/g, "").slice(0, 12);
+  const authenticate = options?.authenticate;
+  const oauthMetadata = options?.oauthResourceMetadata;
   const methods = protocol.getMethods();
   const compressionLevel = options?.compressionLevel;
   const stateSerializer = options?.stateSerializer ?? jsonStateSerializer;
-  const ctx = {
+  const baseCtx = {
     signingKey,
     tokenTtl,
     serverId,
@@ -2015,6 +2192,18 @@ function createHttpHandler(protocol, options) {
   return async function handler(request) {
     const url = new URL(request.url);
     const path = url.pathname;
+    if (oauthMetadata && path === wellKnownPath(prefix)) {
+      if (request.method !== "GET") {
+        return new Response("Method Not Allowed", { status: 405 });
+      }
+      const body2 = JSON.stringify(oauthResourceMetadataToJson(oauthMetadata));
+      const headers = new Headers({
+        "Content-Type": "application/json",
+        "Cache-Control": "public, max-age=3600"
+      });
+      addCorsHeaders(headers);
+      return new Response(body2, { status: 200, headers });
+    }
     if (request.method === "OPTIONS") {
       if (path === `${prefix}/__capabilities__`) {
         const headers = new Headers;
@@ -2050,6 +2239,22 @@ function createHttpHandler(protocol, options) {
     if (contentEncoding === "zstd") {
       body = zstdDecompress(body);
     }
+    const ctx = { ...baseCtx };
+    if (authenticate) {
+      try {
+        ctx.authContext = await authenticate(request);
+      } catch (error) {
+        const headers = new Headers({ "Content-Type": "text/plain" });
+        addCorsHeaders(headers);
+        if (oauthMetadata) {
+          const metadataUrl = new URL(request.url);
+          metadataUrl.pathname = wellKnownPath(prefix);
+          metadataUrl.search = "";
+          headers.set("WWW-Authenticate", buildWwwAuthenticateHeader(metadataUrl.toString()));
+        }
+        return new Response(error.message || "Unauthorized", { status: 401, headers });
+      }
+    }
     if (path === `${prefix}/${DESCRIBE_METHOD_NAME}`) {
       try {
         const response = httpDispatchDescribe(protocol.name, methods, serverId);
@@ -2109,6 +2314,1200 @@ function createHttpHandler(protocol, options) {
     }
   };
 }
+// node_modules/oauth4webapi/build/index.js
+var USER_AGENT;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
+  const NAME = "oauth4webapi";
+  const VERSION = "v3.8.5";
+  USER_AGENT = `${NAME}/${VERSION}`;
+}
+function looseInstanceOf(input, expected) {
+  if (input == null) {
+    return false;
+  }
+  try {
+    return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
+  } catch {
+    return false;
+  }
+}
+var ERR_INVALID_ARG_VALUE = "ERR_INVALID_ARG_VALUE";
+var ERR_INVALID_ARG_TYPE = "ERR_INVALID_ARG_TYPE";
+function CodedTypeError(message, code, cause) {
+  const err = new TypeError(message, { cause });
+  Object.assign(err, { code });
+  return err;
+}
+var allowInsecureRequests = Symbol();
+var clockSkew = Symbol();
+var clockTolerance = Symbol();
+var customFetch = Symbol();
+var modifyAssertion = Symbol();
+var jweDecrypt = Symbol();
+var jwksCache = Symbol();
+var encoder = new TextEncoder;
+var decoder = new TextDecoder;
+function buf(input) {
+  if (typeof input === "string") {
+    return encoder.encode(input);
+  }
+  return decoder.decode(input);
+}
+var encodeBase64Url;
+if (Uint8Array.prototype.toBase64) {
+  encodeBase64Url = (input) => {
+    if (input instanceof ArrayBuffer) {
+      input = new Uint8Array(input);
+    }
+    return input.toBase64({ alphabet: "base64url", omitPadding: true });
+  };
+} else {
+  const CHUNK_SIZE = 32768;
+  encodeBase64Url = (input) => {
+    if (input instanceof ArrayBuffer) {
+      input = new Uint8Array(input);
+    }
+    const arr = [];
+    for (let i = 0;i < input.byteLength; i += CHUNK_SIZE) {
+      arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+    }
+    return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+  };
+}
+var decodeBase64Url;
+if (Uint8Array.fromBase64) {
+  decodeBase64Url = (input) => {
+    try {
+      return Uint8Array.fromBase64(input, { alphabet: "base64url" });
+    } catch (cause) {
+      throw CodedTypeError("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE, cause);
+    }
+  };
+} else {
+  decodeBase64Url = (input) => {
+    try {
+      const binary = atob(input.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""));
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0;i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+      }
+      return bytes;
+    } catch (cause) {
+      throw CodedTypeError("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE, cause);
+    }
+  };
+}
+function b64u(input) {
+  if (typeof input === "string") {
+    return decodeBase64Url(input);
+  }
+  return encodeBase64Url(input);
+}
+
+class UnsupportedOperationError extends Error {
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = UNSUPPORTED_OPERATION;
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+
+class OperationProcessingError extends Error {
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    if (options?.code) {
+      this.code = options?.code;
+    }
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+function OPE(message, code, cause) {
+  return new OperationProcessingError(message, { code, cause });
+}
+async function calculateJwkThumbprint(jwk) {
+  let components;
+  switch (jwk.kty) {
+    case "EC":
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x,
+        y: jwk.y
+      };
+      break;
+    case "OKP":
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x
+      };
+      break;
+    case "AKP":
+      components = {
+        alg: jwk.alg,
+        kty: jwk.kty,
+        pub: jwk.pub
+      };
+      break;
+    case "RSA":
+      components = {
+        e: jwk.e,
+        kty: jwk.kty,
+        n: jwk.n
+      };
+      break;
+    default:
+      throw new UnsupportedOperationError("unsupported JWK key type", { cause: jwk });
+  }
+  return b64u(await crypto.subtle.digest("SHA-256", buf(JSON.stringify(components))));
+}
+function assertCryptoKey(key, it) {
+  if (!(key instanceof CryptoKey)) {
+    throw CodedTypeError(`${it} must be a CryptoKey`, ERR_INVALID_ARG_TYPE);
+  }
+}
+function assertPrivateKey(key, it) {
+  assertCryptoKey(key, it);
+  if (key.type !== "private") {
+    throw CodedTypeError(`${it} must be a private CryptoKey`, ERR_INVALID_ARG_VALUE);
+  }
+}
+function assertPublicKey(key, it) {
+  assertCryptoKey(key, it);
+  if (key.type !== "public") {
+    throw CodedTypeError(`${it} must be a public CryptoKey`, ERR_INVALID_ARG_VALUE);
+  }
+}
+function normalizeTyp(value) {
+  return value.toLowerCase().replace(/^application\//, "");
+}
+function isJsonObject(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    return false;
+  }
+  return true;
+}
+function prepareHeaders(input) {
+  if (looseInstanceOf(input, Headers)) {
+    input = Object.fromEntries(input.entries());
+  }
+  const headers = new Headers(input ?? {});
+  if (USER_AGENT && !headers.has("user-agent")) {
+    headers.set("user-agent", USER_AGENT);
+  }
+  if (headers.has("authorization")) {
+    throw CodedTypeError('"options.headers" must not include the "authorization" header name', ERR_INVALID_ARG_VALUE);
+  }
+  return headers;
+}
+function signal(url, value) {
+  if (value !== undefined) {
+    if (typeof value === "function") {
+      value = value(url.href);
+    }
+    if (!(value instanceof AbortSignal)) {
+      throw CodedTypeError('"options.signal" must return or be an instance of AbortSignal', ERR_INVALID_ARG_TYPE);
+    }
+    return value;
+  }
+  return;
+}
+function replaceDoubleSlash(pathname) {
+  if (pathname.includes("//")) {
+    return pathname.replace("//", "/");
+  }
+  return pathname;
+}
+function prependWellKnown(url, wellKnown, allowTerminatingSlash = false) {
+  if (url.pathname === "/") {
+    url.pathname = wellKnown;
+  } else {
+    url.pathname = replaceDoubleSlash(`${wellKnown}/${allowTerminatingSlash ? url.pathname : url.pathname.replace(/(\/)$/, "")}`);
+  }
+  return url;
+}
+function appendWellKnown(url, wellKnown) {
+  url.pathname = replaceDoubleSlash(`${url.pathname}/${wellKnown}`);
+  return url;
+}
+async function performDiscovery(input, urlName, transform, options) {
+  if (!(input instanceof URL)) {
+    throw CodedTypeError(`"${urlName}" must be an instance of URL`, ERR_INVALID_ARG_TYPE);
+  }
+  checkProtocol(input, options?.[allowInsecureRequests] !== true);
+  const url = transform(new URL(input.href));
+  const headers = prepareHeaders(options?.headers);
+  headers.set("accept", "application/json");
+  return (options?.[customFetch] || fetch)(url.href, {
+    body: undefined,
+    headers: Object.fromEntries(headers.entries()),
+    method: "GET",
+    redirect: "manual",
+    signal: signal(url, options?.signal)
+  });
+}
+async function discoveryRequest(issuerIdentifier, options) {
+  return performDiscovery(issuerIdentifier, "issuerIdentifier", (url) => {
+    switch (options?.algorithm) {
+      case undefined:
+      case "oidc":
+        appendWellKnown(url, ".well-known/openid-configuration");
+        break;
+      case "oauth2":
+        prependWellKnown(url, ".well-known/oauth-authorization-server");
+        break;
+      default:
+        throw CodedTypeError('"options.algorithm" must be "oidc" (default), or "oauth2"', ERR_INVALID_ARG_VALUE);
+    }
+    return url;
+  }, options);
+}
+function assertString(input, it, code, cause) {
+  try {
+    if (typeof input !== "string") {
+      throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE, cause);
+    }
+    if (input.length === 0) {
+      throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause);
+    }
+  } catch (err) {
+    if (code) {
+      throw OPE(err.message, code, cause);
+    }
+    throw err;
+  }
+}
+async function processDiscoveryResponse(expectedIssuerIdentifier, response) {
+  const expected = expectedIssuerIdentifier;
+  if (!(expected instanceof URL) && expected !== _nodiscoverycheck) {
+    throw CodedTypeError('"expectedIssuerIdentifier" must be an instance of URL', ERR_INVALID_ARG_TYPE);
+  }
+  if (!looseInstanceOf(response, Response)) {
+    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+  }
+  if (response.status !== 200) {
+    throw OPE('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);
+  }
+  assertReadableResponse(response);
+  const json = await getResponseJsonBody(response);
+  assertString(json.issuer, '"response" body "issuer" property', INVALID_RESPONSE, { body: json });
+  if (expected !== _nodiscoverycheck && new URL(json.issuer).href !== expected.href) {
+    throw OPE('"response" body "issuer" property does not match the expected value', JSON_ATTRIBUTE_COMPARISON, { expected: expected.href, body: json, attribute: "issuer" });
+  }
+  return json;
+}
+function assertApplicationJson(response) {
+  assertContentType(response, "application/json");
+}
+function notJson(response, ...types) {
+  let msg = '"response" content-type must be ';
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `${types.join(", ")}, or ${last}`;
+  } else if (types.length === 2) {
+    msg += `${types[0]} or ${types[1]}`;
+  } else {
+    msg += types[0];
+  }
+  return OPE(msg, RESPONSE_IS_NOT_JSON, response);
+}
+function assertContentTypes(response, ...types) {
+  if (!types.includes(getContentType(response))) {
+    throw notJson(response, ...types);
+  }
+}
+function assertContentType(response, contentType) {
+  if (getContentType(response) !== contentType) {
+    throw notJson(response, contentType);
+  }
+}
+function randomBytes2() {
+  return b64u(crypto.getRandomValues(new Uint8Array(32)));
+}
+function psAlg(key) {
+  switch (key.algorithm.hash.name) {
+    case "SHA-256":
+      return "PS256";
+    case "SHA-384":
+      return "PS384";
+    case "SHA-512":
+      return "PS512";
+    default:
+      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name", {
+        cause: key
+      });
+  }
+}
+function rsAlg(key) {
+  switch (key.algorithm.hash.name) {
+    case "SHA-256":
+      return "RS256";
+    case "SHA-384":
+      return "RS384";
+    case "SHA-512":
+      return "RS512";
+    default:
+      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name", {
+        cause: key
+      });
+  }
+}
+function esAlg(key) {
+  switch (key.algorithm.namedCurve) {
+    case "P-256":
+      return "ES256";
+    case "P-384":
+      return "ES384";
+    case "P-521":
+      return "ES512";
+    default:
+      throw new UnsupportedOperationError("unsupported EcKeyAlgorithm namedCurve", { cause: key });
+  }
+}
+function keyToJws(key) {
+  switch (key.algorithm.name) {
+    case "RSA-PSS":
+      return psAlg(key);
+    case "RSASSA-PKCS1-v1_5":
+      return rsAlg(key);
+    case "ECDSA":
+      return esAlg(key);
+    case "Ed25519":
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return key.algorithm.name;
+    case "EdDSA":
+      return "Ed25519";
+    default:
+      throw new UnsupportedOperationError("unsupported CryptoKey algorithm name", { cause: key });
+  }
+}
+function getClockSkew(client) {
+  const skew = client?.[clockSkew];
+  return typeof skew === "number" && Number.isFinite(skew) ? skew : 0;
+}
+function getClockTolerance(client) {
+  const tolerance = client?.[clockTolerance];
+  return typeof tolerance === "number" && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
+}
+function epochTime() {
+  return Math.floor(Date.now() / 1000);
+}
+function assertAs(as) {
+  if (typeof as !== "object" || as === null) {
+    throw CodedTypeError('"as" must be an object', ERR_INVALID_ARG_TYPE);
+  }
+  assertString(as.issuer, '"as.issuer"');
+}
+async function signJwt(header, payload, key) {
+  if (!key.usages.includes("sign")) {
+    throw CodedTypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"', ERR_INVALID_ARG_VALUE);
+  }
+  const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;
+  const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));
+  return `${input}.${signature}`;
+}
+var jwkCache;
+async function getSetPublicJwkCache(key, alg) {
+  const { kty, e, n, x, y, crv, pub } = await crypto.subtle.exportKey("jwk", key);
+  const jwk = { kty, e, n, x, y, crv, pub };
+  if (kty === "AKP")
+    jwk.alg = alg;
+  jwkCache.set(key, jwk);
+  return jwk;
+}
+async function publicJwk(key, alg) {
+  jwkCache ||= new WeakMap;
+  return jwkCache.get(key) || getSetPublicJwkCache(key, alg);
+}
+var URLParse = URL.parse ? (url, base) => URL.parse(url, base) : (url, base) => {
+  try {
+    return new URL(url, base);
+  } catch {
+    return null;
+  }
+};
+function checkProtocol(url, enforceHttps) {
+  if (enforceHttps && url.protocol !== "https:") {
+    throw OPE("only requests to HTTPS are allowed", HTTP_REQUEST_FORBIDDEN, url);
+  }
+  if (url.protocol !== "https:" && url.protocol !== "http:") {
+    throw OPE("only HTTP and HTTPS requests are allowed", REQUEST_PROTOCOL_FORBIDDEN, url);
+  }
+}
+function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {
+  let url;
+  if (typeof value !== "string" || !(url = URLParse(value))) {
+    throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === undefined ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint });
+  }
+  checkProtocol(url, enforceHttps);
+  return url;
+}
+function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {
+  if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {
+    return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);
+  }
+  return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);
+}
+class DPoPHandler {
+  #header;
+  #privateKey;
+  #publicKey;
+  #clockSkew;
+  #modifyAssertion;
+  #map;
+  #jkt;
+  constructor(client, keyPair, options) {
+    assertPrivateKey(keyPair?.privateKey, '"DPoP.privateKey"');
+    assertPublicKey(keyPair?.publicKey, '"DPoP.publicKey"');
+    if (!keyPair.publicKey.extractable) {
+      throw CodedTypeError('"DPoP.publicKey.extractable" must be true', ERR_INVALID_ARG_VALUE);
+    }
+    this.#modifyAssertion = options?.[modifyAssertion];
+    this.#clockSkew = getClockSkew(client);
+    this.#privateKey = keyPair.privateKey;
+    this.#publicKey = keyPair.publicKey;
+    branded.add(this);
+  }
+  #get(key) {
+    this.#map ||= new Map;
+    let item = this.#map.get(key);
+    if (item) {
+      this.#map.delete(key);
+      this.#map.set(key, item);
+    }
+    return item;
+  }
+  #set(key, val) {
+    this.#map ||= new Map;
+    this.#map.delete(key);
+    if (this.#map.size === 100) {
+      this.#map.delete(this.#map.keys().next().value);
+    }
+    this.#map.set(key, val);
+  }
+  async calculateThumbprint() {
+    if (!this.#jkt) {
+      const jwk = await crypto.subtle.exportKey("jwk", this.#publicKey);
+      this.#jkt ||= await calculateJwkThumbprint(jwk);
+    }
+    return this.#jkt;
+  }
+  async addProof(url, headers, htm, accessToken) {
+    const alg = keyToJws(this.#privateKey);
+    this.#header ||= {
+      alg,
+      typ: "dpop+jwt",
+      jwk: await publicJwk(this.#publicKey, alg)
+    };
+    const nonce = this.#get(url.origin);
+    const now = epochTime() + this.#clockSkew;
+    const payload = {
+      iat: now,
+      jti: randomBytes2(),
+      htm,
+      nonce,
+      htu: `${url.origin}${url.pathname}`,
+      ath: accessToken ? b64u(await crypto.subtle.digest("SHA-256", buf(accessToken))) : undefined
+    };
+    this.#modifyAssertion?.(this.#header, payload);
+    headers.set("dpop", await signJwt(this.#header, payload, this.#privateKey));
+  }
+  cacheNonce(response, url) {
+    try {
+      const nonce = response.headers.get("dpop-nonce");
+      if (nonce) {
+        this.#set(url.origin, nonce);
+      }
+    } catch {}
+  }
+}
+var tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
+var token68Match = "[a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2}";
+var quotedMatch = '"((?:[^"\\\\]|\\\\[\\s\\S])*)"';
+var quotedParamMatcher = "(" + tokenMatch + ")\\s*=\\s*" + quotedMatch;
+var paramMatcher = "(" + tokenMatch + ")\\s*=\\s*(" + tokenMatch + ")";
+var schemeRE = new RegExp("^[,\\s]*(" + tokenMatch + ")");
+var quotedParamRE = new RegExp("^[,\\s]*" + quotedParamMatcher + "[,\\s]*(.*)");
+var unquotedParamRE = new RegExp("^[,\\s]*" + paramMatcher + "[,\\s]*(.*)");
+var token68ParamRE = new RegExp("^(" + token68Match + ")(?:$|[,\\s])(.*)");
+var jwksMap;
+function setJwksCache(as, jwks, uat, cache) {
+  jwksMap ||= new WeakMap;
+  jwksMap.set(as, {
+    jwks,
+    uat,
+    get age() {
+      return epochTime() - this.uat;
+    }
+  });
+  if (cache) {
+    Object.assign(cache, { jwks: structuredClone(jwks), uat });
+  }
+}
+function isFreshJwksCache(input) {
+  if (typeof input !== "object" || input === null) {
+    return false;
+  }
+  if (!("uat" in input) || typeof input.uat !== "number" || epochTime() - input.uat >= 300) {
+    return false;
+  }
+  if (!("jwks" in input) || !isJsonObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isJsonObject)) {
+    return false;
+  }
+  return true;
+}
+function clearJwksCache(as, cache) {
+  jwksMap?.delete(as);
+  delete cache?.jwks;
+  delete cache?.uat;
+}
+async function getPublicSigKeyFromIssuerJwksUri(as, options, header) {
+  const { alg, kid } = header;
+  checkSupportedJwsAlg(header);
+  if (!jwksMap?.has(as) && isFreshJwksCache(options?.[jwksCache])) {
+    setJwksCache(as, options?.[jwksCache].jwks, options?.[jwksCache].uat);
+  }
+  let jwks;
+  let age;
+  if (jwksMap?.has(as)) {
+    ({ jwks, age } = jwksMap.get(as));
+    if (age >= 300) {
+      clearJwksCache(as, options?.[jwksCache]);
+      return getPublicSigKeyFromIssuerJwksUri(as, options, header);
+    }
+  } else {
+    jwks = await jwksRequest(as, options).then(processJwksResponse);
+    age = 0;
+    setJwksCache(as, jwks, epochTime(), options?.[jwksCache]);
+  }
+  let kty;
+  switch (alg.slice(0, 2)) {
+    case "RS":
+    case "PS":
+      kty = "RSA";
+      break;
+    case "ES":
+      kty = "EC";
+      break;
+    case "Ed":
+      kty = "OKP";
+      break;
+    case "ML":
+      kty = "AKP";
+      break;
+    default:
+      throw new UnsupportedOperationError("unsupported JWS algorithm", { cause: { alg } });
+  }
+  const candidates = jwks.keys.filter((jwk2) => {
+    if (jwk2.kty !== kty) {
+      return false;
+    }
+    if (kid !== undefined && kid !== jwk2.kid) {
+      return false;
+    }
+    if (jwk2.alg !== undefined && alg !== jwk2.alg) {
+      return false;
+    }
+    if (jwk2.use !== undefined && jwk2.use !== "sig") {
+      return false;
+    }
+    if (jwk2.key_ops?.includes("verify") === false) {
+      return false;
+    }
+    switch (true) {
+      case (alg === "ES256" && jwk2.crv !== "P-256"):
+      case (alg === "ES384" && jwk2.crv !== "P-384"):
+      case (alg === "ES512" && jwk2.crv !== "P-521"):
+      case (alg === "Ed25519" && jwk2.crv !== "Ed25519"):
+      case (alg === "EdDSA" && jwk2.crv !== "Ed25519"):
+        return false;
+    }
+    return true;
+  });
+  const { 0: jwk, length } = candidates;
+  if (!length) {
+    if (age >= 60) {
+      clearJwksCache(as, options?.[jwksCache]);
+      return getPublicSigKeyFromIssuerJwksUri(as, options, header);
+    }
+    throw OPE("error when selecting a JWT verification key, no applicable keys found", KEY_SELECTION, { header, candidates, jwks_uri: new URL(as.jwks_uri) });
+  }
+  if (length !== 1) {
+    throw OPE('error when selecting a JWT verification key, multiple applicable keys found, a "kid" JWT Header Parameter is required', KEY_SELECTION, { header, candidates, jwks_uri: new URL(as.jwks_uri) });
+  }
+  return importJwk(alg, jwk);
+}
+var skipSubjectCheck = Symbol();
+function getContentType(input) {
+  return input.headers.get("content-type")?.split(";")[0];
+}
+var idTokenClaims = new WeakMap;
+var jwtRefs = new WeakMap;
+function validateAudience(expected, result) {
+  if (Array.isArray(result.claims.aud)) {
+    if (!result.claims.aud.includes(expected)) {
+      throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+        expected,
+        claims: result.claims,
+        claim: "aud"
+      });
+    }
+  } else if (result.claims.aud !== expected) {
+    throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+      expected,
+      claims: result.claims,
+      claim: "aud"
+    });
+  }
+  return result;
+}
+function validateIssuer(as, result) {
+  const expected = as[_expectedIssuer]?.(result) ?? as.issuer;
+  if (result.claims.iss !== expected) {
+    throw OPE('unexpected JWT "iss" (issuer) claim value', JWT_CLAIM_COMPARISON, {
+      expected,
+      claims: result.claims,
+      claim: "iss"
+    });
+  }
+  return result;
+}
+var branded = new WeakSet;
+var nopkce = Symbol();
+var jwtClaimNames = {
+  aud: "audience",
+  c_hash: "code hash",
+  client_id: "client id",
+  exp: "expiration time",
+  iat: "issued at",
+  iss: "issuer",
+  jti: "jwt id",
+  nonce: "nonce",
+  s_hash: "state hash",
+  sub: "subject",
+  ath: "access token hash",
+  htm: "http method",
+  htu: "http uri",
+  cnf: "confirmation",
+  auth_time: "authentication time"
+};
+function validatePresence(required, result) {
+  for (const claim of required) {
+    if (result.claims[claim] === undefined) {
+      throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, {
+        claims: result.claims
+      });
+    }
+  }
+  return result;
+}
+var expectNoNonce = Symbol();
+var skipAuthTimeCheck = Symbol();
+var UNSUPPORTED_OPERATION = "OAUTH_UNSUPPORTED_OPERATION";
+var PARSE_ERROR = "OAUTH_PARSE_ERROR";
+var INVALID_RESPONSE = "OAUTH_INVALID_RESPONSE";
+var INVALID_REQUEST = "OAUTH_INVALID_REQUEST";
+var RESPONSE_IS_NOT_JSON = "OAUTH_RESPONSE_IS_NOT_JSON";
+var RESPONSE_IS_NOT_CONFORM = "OAUTH_RESPONSE_IS_NOT_CONFORM";
+var HTTP_REQUEST_FORBIDDEN = "OAUTH_HTTP_REQUEST_FORBIDDEN";
+var REQUEST_PROTOCOL_FORBIDDEN = "OAUTH_REQUEST_PROTOCOL_FORBIDDEN";
+var JWT_TIMESTAMP_CHECK = "OAUTH_JWT_TIMESTAMP_CHECK_FAILED";
+var JWT_CLAIM_COMPARISON = "OAUTH_JWT_CLAIM_COMPARISON_FAILED";
+var JSON_ATTRIBUTE_COMPARISON = "OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED";
+var KEY_SELECTION = "OAUTH_KEY_SELECTION_FAILED";
+var MISSING_SERVER_METADATA = "OAUTH_MISSING_SERVER_METADATA";
+var INVALID_SERVER_METADATA = "OAUTH_INVALID_SERVER_METADATA";
+function checkJwtType(expected, result) {
+  if (typeof result.header.typ !== "string" || normalizeTyp(result.header.typ) !== expected) {
+    throw OPE('unexpected JWT "typ" header parameter value', INVALID_RESPONSE, {
+      header: result.header
+    });
+  }
+  return result;
+}
+function assertReadableResponse(response) {
+  if (response.bodyUsed) {
+    throw CodedTypeError('"response" body has been used already', ERR_INVALID_ARG_VALUE);
+  }
+}
+async function jwksRequest(as, options) {
+  assertAs(as);
+  const url = resolveEndpoint(as, "jwks_uri", false, options?.[allowInsecureRequests] !== true);
+  const headers = prepareHeaders(options?.headers);
+  headers.set("accept", "application/json");
+  headers.append("accept", "application/jwk-set+json");
+  return (options?.[customFetch] || fetch)(url.href, {
+    body: undefined,
+    headers: Object.fromEntries(headers.entries()),
+    method: "GET",
+    redirect: "manual",
+    signal: signal(url, options?.signal)
+  });
+}
+async function processJwksResponse(response) {
+  if (!looseInstanceOf(response, Response)) {
+    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+  }
+  if (response.status !== 200) {
+    throw OPE('"response" is not a conform JSON Web Key Set response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);
+  }
+  assertReadableResponse(response);
+  const json = await getResponseJsonBody(response, (response2) => assertContentTypes(response2, "application/json", "application/jwk-set+json"));
+  if (!Array.isArray(json.keys)) {
+    throw OPE('"response" body "keys" property must be an array', INVALID_RESPONSE, { body: json });
+  }
+  if (!Array.prototype.every.call(json.keys, isJsonObject)) {
+    throw OPE('"response" body "keys" property members must be JWK formatted objects', INVALID_RESPONSE, { body: json });
+  }
+  return json;
+}
+function supported(alg) {
+  switch (alg) {
+    case "PS256":
+    case "ES256":
+    case "RS256":
+    case "PS384":
+    case "ES384":
+    case "RS384":
+    case "PS512":
+    case "ES512":
+    case "RS512":
+    case "Ed25519":
+    case "EdDSA":
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return true;
+    default:
+      return false;
+  }
+}
+function checkSupportedJwsAlg(header) {
+  if (!supported(header.alg)) {
+    throw new UnsupportedOperationError('unsupported JWS "alg" identifier', {
+      cause: { alg: header.alg }
+    });
+  }
+}
+function checkRsaKeyAlgorithm(key) {
+  const { algorithm } = key;
+  if (typeof algorithm.modulusLength !== "number" || algorithm.modulusLength < 2048) {
+    throw new UnsupportedOperationError(`unsupported ${algorithm.name} modulusLength`, {
+      cause: key
+    });
+  }
+}
+function ecdsaHashName(key) {
+  const { algorithm } = key;
+  switch (algorithm.namedCurve) {
+    case "P-256":
+      return "SHA-256";
+    case "P-384":
+      return "SHA-384";
+    case "P-521":
+      return "SHA-512";
+    default:
+      throw new UnsupportedOperationError("unsupported ECDSA namedCurve", { cause: key });
+  }
+}
+function keyToSubtle(key) {
+  switch (key.algorithm.name) {
+    case "ECDSA":
+      return {
+        name: key.algorithm.name,
+        hash: ecdsaHashName(key)
+      };
+    case "RSA-PSS": {
+      checkRsaKeyAlgorithm(key);
+      switch (key.algorithm.hash.name) {
+        case "SHA-256":
+        case "SHA-384":
+        case "SHA-512":
+          return {
+            name: key.algorithm.name,
+            saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3
+          };
+        default:
+          throw new UnsupportedOperationError("unsupported RSA-PSS hash name", { cause: key });
+      }
+    }
+    case "RSASSA-PKCS1-v1_5":
+      checkRsaKeyAlgorithm(key);
+      return key.algorithm.name;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+    case "Ed25519":
+      return key.algorithm.name;
+  }
+  throw new UnsupportedOperationError("unsupported CryptoKey algorithm name", { cause: key });
+}
+async function validateJwsSignature(protectedHeader, payload, key, signature) {
+  const data = buf(`${protectedHeader}.${payload}`);
+  const algorithm = keyToSubtle(key);
+  const verified = await crypto.subtle.verify(algorithm, key, signature, data);
+  if (!verified) {
+    throw OPE("JWT signature verification failed", INVALID_RESPONSE, {
+      key,
+      data,
+      signature,
+      algorithm
+    });
+  }
+}
+async function validateJwt(jws, checkAlg, clockSkew2, clockTolerance2, decryptJwt) {
+  let { 0: protectedHeader, 1: payload, length } = jws.split(".");
+  if (length === 5) {
+    if (decryptJwt !== undefined) {
+      jws = await decryptJwt(jws);
+      ({ 0: protectedHeader, 1: payload, length } = jws.split("."));
+    } else {
+      throw new UnsupportedOperationError("JWE decryption is not configured", { cause: jws });
+    }
+  }
+  if (length !== 3) {
+    throw OPE("Invalid JWT", INVALID_RESPONSE, jws);
+  }
+  let header;
+  try {
+    header = JSON.parse(buf(b64u(protectedHeader)));
+  } catch (cause) {
+    throw OPE("failed to parse JWT Header body as base64url encoded JSON", PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(header)) {
+    throw OPE("JWT Header must be a top level object", INVALID_RESPONSE, jws);
+  }
+  checkAlg(header);
+  if (header.crit !== undefined) {
+    throw new UnsupportedOperationError('no JWT "crit" header parameter extensions are supported', {
+      cause: { header }
+    });
+  }
+  let claims;
+  try {
+    claims = JSON.parse(buf(b64u(payload)));
+  } catch (cause) {
+    throw OPE("failed to parse JWT Payload body as base64url encoded JSON", PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(claims)) {
+    throw OPE("JWT Payload must be a top level object", INVALID_RESPONSE, jws);
+  }
+  const now = epochTime() + clockSkew2;
+  if (claims.exp !== undefined) {
+    if (typeof claims.exp !== "number") {
+      throw OPE('unexpected JWT "exp" (expiration time) claim type', INVALID_RESPONSE, { claims });
+    }
+    if (claims.exp <= now - clockTolerance2) {
+      throw OPE('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp', JWT_TIMESTAMP_CHECK, { claims, now, tolerance: clockTolerance2, claim: "exp" });
+    }
+  }
+  if (claims.iat !== undefined) {
+    if (typeof claims.iat !== "number") {
+      throw OPE('unexpected JWT "iat" (issued at) claim type', INVALID_RESPONSE, { claims });
+    }
+  }
+  if (claims.iss !== undefined) {
+    if (typeof claims.iss !== "string") {
+      throw OPE('unexpected JWT "iss" (issuer) claim type', INVALID_RESPONSE, { claims });
+    }
+  }
+  if (claims.nbf !== undefined) {
+    if (typeof claims.nbf !== "number") {
+      throw OPE('unexpected JWT "nbf" (not before) claim type', INVALID_RESPONSE, { claims });
+    }
+    if (claims.nbf > now + clockTolerance2) {
+      throw OPE('unexpected JWT "nbf" (not before) claim value', JWT_TIMESTAMP_CHECK, {
+        claims,
+        now,
+        tolerance: clockTolerance2,
+        claim: "nbf"
+      });
+    }
+  }
+  if (claims.aud !== undefined) {
+    if (typeof claims.aud !== "string" && !Array.isArray(claims.aud)) {
+      throw OPE('unexpected JWT "aud" (audience) claim type', INVALID_RESPONSE, { claims });
+    }
+  }
+  return { header, claims, jwt: jws };
+}
+function checkSigningAlgorithm(client, issuer, fallback, header) {
+  if (client !== undefined) {
+    if (typeof client === "string" ? header.alg !== client : !client.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: client,
+        reason: "client configuration"
+      });
+    }
+    return;
+  }
+  if (Array.isArray(issuer)) {
+    if (!issuer.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: issuer,
+        reason: "authorization server metadata"
+      });
+    }
+    return;
+  }
+  if (fallback !== undefined) {
+    if (typeof fallback === "string" ? header.alg !== fallback : typeof fallback === "function" ? !fallback(header.alg) : !fallback.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: fallback,
+        reason: "default value"
+      });
+    }
+    return;
+  }
+  throw OPE('missing client or server configuration to verify used JWT "alg" header parameter', undefined, { client, issuer, fallback });
+}
+var skipStateCheck = Symbol();
+var expectNoState = Symbol();
+function algToSubtle(alg) {
+  switch (alg) {
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { name: "RSA-PSS", hash: `SHA-${alg.slice(-3)}` };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${alg.slice(-3)}` };
+    case "ES256":
+    case "ES384":
+      return { name: "ECDSA", namedCurve: `P-${alg.slice(-3)}` };
+    case "ES512":
+      return { name: "ECDSA", namedCurve: "P-521" };
+    case "EdDSA":
+      return "Ed25519";
+    case "Ed25519":
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return alg;
+    default:
+      throw new UnsupportedOperationError("unsupported JWS algorithm", { cause: { alg } });
+  }
+}
+async function importJwk(alg, jwk) {
+  const { ext, key_ops, use, ...key } = jwk;
+  return crypto.subtle.importKey("jwk", key, algToSubtle(alg), true, ["verify"]);
+}
+function normalizeHtu(htu) {
+  const url = new URL(htu);
+  url.search = "";
+  url.hash = "";
+  return url.href;
+}
+async function validateDPoP(request, accessToken, accessTokenClaims, options) {
+  const headerValue = request.headers.get("dpop");
+  if (headerValue === null) {
+    throw OPE("operation indicated DPoP use but the request has no DPoP HTTP Header", INVALID_REQUEST, { headers: request.headers });
+  }
+  if (request.headers.get("authorization")?.toLowerCase().startsWith("dpop ") === false) {
+    throw OPE(`operation indicated DPoP use but the request's Authorization HTTP Header scheme is not DPoP`, INVALID_REQUEST, { headers: request.headers });
+  }
+  if (typeof accessTokenClaims.cnf?.jkt !== "string") {
+    throw OPE("operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim", INVALID_REQUEST, { claims: accessTokenClaims });
+  }
+  const clockSkew2 = getClockSkew(options);
+  const proof = await validateJwt(headerValue, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), clockSkew2, getClockTolerance(options), undefined).then(checkJwtType.bind(undefined, "dpop+jwt")).then(validatePresence.bind(undefined, ["iat", "jti", "ath", "htm", "htu"]));
+  const now = epochTime() + clockSkew2;
+  const diff = Math.abs(now - proof.claims.iat);
+  if (diff > 300) {
+    throw OPE("DPoP Proof iat is not recent enough", JWT_TIMESTAMP_CHECK, {
+      now,
+      claims: proof.claims,
+      claim: "iat"
+    });
+  }
+  if (proof.claims.htm !== request.method) {
+    throw OPE("DPoP Proof htm mismatch", JWT_CLAIM_COMPARISON, {
+      expected: request.method,
+      claims: proof.claims,
+      claim: "htm"
+    });
+  }
+  if (typeof proof.claims.htu !== "string" || normalizeHtu(proof.claims.htu) !== normalizeHtu(request.url)) {
+    throw OPE("DPoP Proof htu mismatch", JWT_CLAIM_COMPARISON, {
+      expected: normalizeHtu(request.url),
+      claims: proof.claims,
+      claim: "htu"
+    });
+  }
+  {
+    const expected = b64u(await crypto.subtle.digest("SHA-256", buf(accessToken)));
+    if (proof.claims.ath !== expected) {
+      throw OPE("DPoP Proof ath mismatch", JWT_CLAIM_COMPARISON, {
+        expected,
+        claims: proof.claims,
+        claim: "ath"
+      });
+    }
+  }
+  {
+    const expected = await calculateJwkThumbprint(proof.header.jwk);
+    if (accessTokenClaims.cnf.jkt !== expected) {
+      throw OPE("JWT Access Token confirmation mismatch", JWT_CLAIM_COMPARISON, {
+        expected,
+        claims: accessTokenClaims,
+        claim: "cnf.jkt"
+      });
+    }
+  }
+  const { 0: protectedHeader, 1: payload, 2: encodedSignature } = headerValue.split(".");
+  const signature = b64u(encodedSignature);
+  const { jwk, alg } = proof.header;
+  if (!jwk) {
+    throw OPE("DPoP Proof is missing the jwk header parameter", INVALID_REQUEST, {
+      header: proof.header
+    });
+  }
+  const key = await importJwk(alg, jwk);
+  if (key.type !== "public") {
+    throw OPE("DPoP Proof jwk header parameter must contain a public key", INVALID_REQUEST, {
+      header: proof.header
+    });
+  }
+  await validateJwsSignature(protectedHeader, payload, key, signature);
+}
+async function validateJwtAccessToken(as, request, expectedAudience, options) {
+  assertAs(as);
+  if (!looseInstanceOf(request, Request)) {
+    throw CodedTypeError('"request" must be an instance of Request', ERR_INVALID_ARG_TYPE);
+  }
+  assertString(expectedAudience, '"expectedAudience"');
+  const authorization = request.headers.get("authorization");
+  if (authorization === null) {
+    throw OPE('"request" is missing an Authorization HTTP Header', INVALID_REQUEST, {
+      headers: request.headers
+    });
+  }
+  let { 0: scheme, 1: accessToken, length } = authorization.split(" ");
+  scheme = scheme.toLowerCase();
+  switch (scheme) {
+    case "dpop":
+    case "bearer":
+      break;
+    default:
+      throw new UnsupportedOperationError("unsupported Authorization HTTP Header scheme", {
+        cause: { headers: request.headers }
+      });
+  }
+  if (length !== 2) {
+    throw OPE("invalid Authorization HTTP Header format", INVALID_REQUEST, {
+      headers: request.headers
+    });
+  }
+  const requiredClaims = [
+    "iss",
+    "exp",
+    "aud",
+    "sub",
+    "iat",
+    "jti",
+    "client_id"
+  ];
+  if (options?.requireDPoP || scheme === "dpop" || request.headers.has("dpop")) {
+    requiredClaims.push("cnf");
+  }
+  const { claims, header } = await validateJwt(accessToken, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), getClockSkew(options), getClockTolerance(options), undefined).then(checkJwtType.bind(undefined, "at+jwt")).then(validatePresence.bind(undefined, requiredClaims)).then(validateIssuer.bind(undefined, as)).then(validateAudience.bind(undefined, expectedAudience)).catch(reassignRSCode);
+  for (const claim of ["client_id", "jti", "sub"]) {
+    if (typeof claims[claim] !== "string") {
+      throw OPE(`unexpected JWT "${claim}" claim type`, INVALID_REQUEST, { claims });
+    }
+  }
+  if ("cnf" in claims) {
+    if (!isJsonObject(claims.cnf)) {
+      throw OPE('unexpected JWT "cnf" (confirmation) claim value', INVALID_REQUEST, { claims });
+    }
+    const { 0: cnf, length: length2 } = Object.keys(claims.cnf);
+    if (length2) {
+      if (length2 !== 1) {
+        throw new UnsupportedOperationError("multiple confirmation claims are not supported", {
+          cause: { claims }
+        });
+      }
+      if (cnf !== "jkt") {
+        throw new UnsupportedOperationError("unsupported JWT Confirmation method", {
+          cause: { claims }
+        });
+      }
+    }
+  }
+  const { 0: protectedHeader, 1: payload, 2: encodedSignature } = accessToken.split(".");
+  const signature = b64u(encodedSignature);
+  const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);
+  await validateJwsSignature(protectedHeader, payload, key, signature);
+  if (options?.requireDPoP || scheme === "dpop" || claims.cnf?.jkt !== undefined || request.headers.has("dpop")) {
+    await validateDPoP(request, accessToken, claims, options).catch(reassignRSCode);
+  }
+  return claims;
+}
+function reassignRSCode(err) {
+  if (err instanceof OperationProcessingError && err?.code === INVALID_REQUEST) {
+    err.code = INVALID_RESPONSE;
+  }
+  throw err;
+}
+async function getResponseJsonBody(response, check = assertApplicationJson) {
+  let json;
+  try {
+    json = await response.json();
+  } catch (cause) {
+    check(response);
+    throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(json)) {
+    throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json });
+  }
+  return json;
+}
+var _nodiscoverycheck = Symbol();
+var _expectedIssuer = Symbol();
+
+// src/http/jwt.ts
+function jwtAuthenticate(options) {
+  const principalClaim = options.principalClaim ?? "sub";
+  const domain = options.domain ?? "jwt";
+  const audience = options.audience;
+  let asPromise = null;
+  async function getAuthorizationServer() {
+    if (options.jwksUri) {
+      return {
+        issuer: options.issuer,
+        jwks_uri: options.jwksUri
+      };
+    }
+    const issuerUrl = new URL(options.issuer);
+    const response = await discoveryRequest(issuerUrl);
+    return processDiscoveryResponse(issuerUrl, response);
+  }
+  return async function authenticate(request) {
+    if (!asPromise) {
+      asPromise = getAuthorizationServer();
+    }
+    let as;
+    try {
+      as = await asPromise;
+    } catch (error) {
+      asPromise = null;
+      throw error;
+    }
+    const claims = await validateJwtAccessToken(as, request, audience);
+    const principal = claims[principalClaim] ?? null;
+    return new AuthContext(domain, true, principal, claims);
+  };
+}
 // src/protocol.ts
 import { Schema as Schema7 } from "@query-farm/apache-arrow";
 
@@ -2303,8 +3702,11 @@ async function dispatchStream(method, params, writer, reader, serverId, requestI
       if (expectedInputSchema && !isProducer && inputBatch.schema !== expectedInputSchema) {
         try {
           inputBatch = conformBatchToSchema(inputBatch, expectedInputSchema);
-        } catch {
-          throw new TypeError(`Input schema mismatch: expected ${expectedInputSchema}, got ${inputBatch.schema}`);
+        } catch (e) {
+          if (e instanceof TypeError) {
+            throw e;
+          }
+          console.debug?.(`Schema conformance skipped: ${e instanceof Error ? e.message : e}`);
         }
       }
       const out = new OutputCollector(outputSchema, effectiveProducer, serverId, requestId);
@@ -2512,15 +3914,20 @@ export {
   subprocessConnect,
   str,
   pipeConnect,
+  parseResourceMetadataUrl,
   parseDescribeResponse,
+  oauthResourceMetadataToJson,
+  jwtAuthenticate,
   jsonStateSerializer,
   int32,
   int,
   inferParamTypes,
+  httpOAuthMetadata,
   httpIntrospect,
   httpConnect,
   float32,
   float,
+  fetchOAuthMetadata,
   createHttpHandler,
   bytes,
   bool,
@@ -2545,7 +3952,8 @@ export {
   DESCRIBE_VERSION_KEY,
   DESCRIBE_VERSION,
   DESCRIBE_METHOD_NAME,
+  AuthContext,
   ARROW_CONTENT_TYPE
 };
 
-//# debugId=5E36C5DD1C64E65A64756E2164756E21
+//# debugId=FCA96ECA4C5D644864756E2164756E21