npm - @zuplo/cli - Versions diffs - 6.70.8 → 6.70.9 - Mend

@zuplo/cli 6.70.8 → 6.70.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/node_modules/@zuplo/runtime/out/esm/mcp-gateway/index.js ADDED Viewed

@@ -0,0 +1,1249 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Zuplo, Inc. All rights reserved.
+ *
+ *  This software and associated documentation files (the "Software") is intended to be used
+ *  only by Zuplo customers solely to develop and test applications that will be deployed
+ *  to Zuplo hosted services. You and others in your organization may use these files on your
+ *  Development Devices solely for the above stated purpose.
+ *
+ *  Outside of uses stated above, no license is granted for any other purpose including
+ *  without limitation the rights to use, copy, modify, merge, publish, distribute,
+ *  sublicense, host, and/or sell copies of the Software.
+ *
+ *  The software may include third party components with separate legal notices or governed by
+ *  other agreements, as described in licenses either embedded in or accompanying the Software.
+ *
+ *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ *  INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ *  PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
+ *  FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+ *  OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ *  DEALINGS IN THE SOFTWARE.
+ *--------------------------------------------------------------------------------------------*/
+import{$ as Zl,G as Hl,H as vi,I as xw,J as Gl,K as f,L as Bl,M as V,N as Y,O as Vl,P as Fl,Q as ue,R,S as I,T as fe,U as ne,V as bi,W as Ri,X as ee,Y as Ve,Z as P,_ as se,a as Ht,aa as Ii,ba as Kl,ca as Wl,da as u,ea as W,i as Nn,j as jl,p as wi,y as Ct}from"../chunk-YYF572GK.js";import{d as Si}from"../chunk-BHMDFTZV.js";import{a as L}from"../chunk-ZJ5LRHNO.js";import{U as ra,V as Tt,a as o,c as C,e as Ll}from"../chunk-FFHHHNST.js";var Kn=C(F=>{"use strict";Object.defineProperty(F,"__esModule",{value:!0});F.regexpCode=F.getEsmExportName=F.getProperty=F.safeStringify=F.stringify=F.strConcat=F.addCodeArg=F.str=F._=F.nil=F._Code=F.Name=F.IDENTIFIER=F._CodeOrName=void 0;var Fn=class{static{o(this,"_CodeOrName")}};F._CodeOrName=Fn;F.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var _r=class extends Fn{static{o(this,"Name")}constructor(t){if(super(),!F.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};F.Name=_r;var Je=class extends Fn{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof _r&&(r[n.str]=(r[n.str]||0)+1),r),{})}};F._Code=Je;F.nil=new Je("");function mp(e,...t){let r=[e[0]],n=0;for(;n<t.length;)oc(r,t[n]),r.push(e[++n]);return new Je(r)}o(mp,"_");F._=mp;var nc=new Je("+");function fp(e,...t){let r=[Zn(e[0])],n=0;for(;n<t.length;)r.push(nc),oc(r,t[n]),r.push(nc,Zn(e[++n]));return tv(r),new Je(r)}o(fp,"str");F.str=fp;function oc(e,t){t instanceof Je?e.push(...t._items):t instanceof _r?e.push(t):e.push(ov(t))}o(oc,"addCodeArg");F.addCodeArg=oc;function tv(e){let t=1;for(;t<e.length-1;){if(e[t]===nc){let r=rv(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(tv,"optimize");function rv(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof _r||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof _r))return`"${e}${t.slice(1)}`}o(rv,"mergeExprItems");function nv(e,t){return t.emptyStr()?e:e.emptyStr()?t:fp`${e}${t}`}o(nv,"strConcat");F.strConcat=nv;function ov(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:Zn(Array.isArray(e)?e.join(","):e)}o(ov,"interpolate");function av(e){return new Je(Zn(e))}o(av,"stringify");F.stringify=av;function Zn(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(Zn,"safeStringify");F.safeStringify=Zn;function sv(e){return typeof e=="string"&&F.IDENTIFIER.test(e)?new Je(`.${e}`):mp`[${e}]`}o(sv,"getProperty");F.getProperty=sv;function iv(e){if(typeof e=="string"&&F.IDENTIFIER.test(e))return new Je(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(iv,"getEsmExportName");F.getEsmExportName=iv;function cv(e){return new Je(e.toString())}o(cv,"regexpCode");F.regexpCode=cv});var ic=C(Me=>{"use strict";Object.defineProperty(Me,"__esModule",{value:!0});Me.ValueScope=Me.ValueScopeName=Me.Scope=Me.varKinds=Me.UsedValueState=void 0;var ze=Kn(),ac=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},ya;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(ya||(Me.UsedValueState=ya={}));Me.varKinds={const:new ze.Name("const"),let:new ze.Name("let"),var:new ze.Name("var")};var wa=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof ze.Name?t:this.name(t)}name(t){return new ze.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};Me.Scope=wa;var Sa=class extends ze.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,ze._)`.${new ze.Name(r)}[${n}]`}};Me.ValueScopeName=Sa;var uv=(0,ze._)`\n`,sc=class extends wa{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?uv:ze.nil}}get(){return this._scope}name(t){return new Sa(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:s}=a,i=(n=r.key)!==null&&n!==void 0?n:r.ref,c=this._values[s];if(c){let l=c.get(i);if(l)return l}else c=this._values[s]=new Map;c.set(i,a);let d=this._scope[s]||(this._scope[s]=[]),p=d.length;return d[p]=r.ref,a.setValue(r,{property:s,itemIndex:p}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,ze._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let s=ze.nil;for(let i in t){let c=t[i];if(!c)continue;let d=n[i]=n[i]||new Map;c.forEach(p=>{if(d.has(p))return;d.set(p,ya.Started);let l=r(p);if(l){let m=this.opts.es5?Me.varKinds.var:Me.varKinds.const;s=(0,ze._)`${s}${m} ${p} = ${l};${this.opts._n}`}else if(l=a?.(p))s=(0,ze._)`${s}${l}${this.opts._n}`;else throw new ac(p);d.set(p,ya.Completed)})}return s}};Me.ValueScope=sc});var D=C(q=>{"use strict";Object.defineProperty(q,"__esModule",{value:!0});q.or=q.and=q.not=q.CodeGen=q.operators=q.varKinds=q.ValueScopeName=q.ValueScope=q.Scope=q.Name=q.regexpCode=q.stringify=q.getProperty=q.nil=q.strConcat=q.str=q._=void 0;var G=Kn(),ot=ic(),Yt=Kn();Object.defineProperty(q,"_",{enumerable:!0,get:o(function(){return Yt._},"get")});Object.defineProperty(q,"str",{enumerable:!0,get:o(function(){return Yt.str},"get")});Object.defineProperty(q,"strConcat",{enumerable:!0,get:o(function(){return Yt.strConcat},"get")});Object.defineProperty(q,"nil",{enumerable:!0,get:o(function(){return Yt.nil},"get")});Object.defineProperty(q,"getProperty",{enumerable:!0,get:o(function(){return Yt.getProperty},"get")});Object.defineProperty(q,"stringify",{enumerable:!0,get:o(function(){return Yt.stringify},"get")});Object.defineProperty(q,"regexpCode",{enumerable:!0,get:o(function(){return Yt.regexpCode},"get")});Object.defineProperty(q,"Name",{enumerable:!0,get:o(function(){return Yt.Name},"get")});var Ia=ic();Object.defineProperty(q,"Scope",{enumerable:!0,get:o(function(){return Ia.Scope},"get")});Object.defineProperty(q,"ValueScope",{enumerable:!0,get:o(function(){return Ia.ValueScope},"get")});Object.defineProperty(q,"ValueScopeName",{enumerable:!0,get:o(function(){return Ia.ValueScopeName},"get")});Object.defineProperty(q,"varKinds",{enumerable:!0,get:o(function(){return Ia.varKinds},"get")});q.operators={GT:new G._Code(">"),GTE:new G._Code(">="),LT:new G._Code("<"),LTE:new G._Code("<="),EQ:new G._Code("==="),NEQ:new G._Code("!=="),NOT:new G._Code("!"),OR:new G._Code("||"),AND:new G._Code("&&"),ADD:new G._Code("+")};var xt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},cc=class extends xt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?ot.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=Kr(this.rhs,t,r)),this}get names(){return this.rhs instanceof G._CodeOrName?this.rhs.names:{}}},va=class extends xt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof G.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=Kr(this.rhs,t,r),this}get names(){let t=this.lhs instanceof G.Name?{}:{...this.lhs.names};return Ra(t,this.rhs)}},uc=class extends va{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},dc=class extends xt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},lc=class extends xt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},pc=class extends xt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},mc=class extends xt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=Kr(this.code,t,r),this}get names(){return this.code instanceof G._CodeOrName?this.code.names:{}}},Wn=class extends xt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let s=n[a];s.optimizeNames(t,r)||(dv(t,s.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>Sr(t,r.names),{})}},kt=class extends Wn{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},fc=class extends Wn{static{o(this,"Root")}},Zr=class extends kt{static{o(this,"Else")}};Zr.kind="else";var yr=class e extends kt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new Zr(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(hp(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=Kr(this.condition,t,r),this}get names(){let t=super.names;return Ra(t,this.condition),this.else&&Sr(t,this.else.names),t}};yr.kind="if";var wr=class extends kt{static{o(this,"For")}};wr.kind="for";var hc=class extends wr{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=Kr(this.iteration,t,r),this}get names(){return Sr(super.names,this.iteration.names)}},gc=class extends wr{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?ot.varKinds.var:this.varKind,{name:n,from:a,to:s}=this;return`for(${r} ${n}=${a}; ${n}<${s}; ${n}++)`+super.render(t)}get names(){let t=Ra(super.names,this.from);return Ra(t,this.to)}},ba=class extends wr{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=Kr(this.iterable,t,r),this}get names(){return Sr(super.names,this.iterable.names)}},Jn=class extends kt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};Jn.kind="func";var Yn=class extends Wn{static{o(this,"Return")}render(t){return"return "+super.render(t)}};Yn.kind="return";var _c=class extends kt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&Sr(t,this.catch.names),this.finally&&Sr(t,this.finally.names),t}},Xn=class extends kt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};Xn.kind="catch";var Qn=class extends kt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};Qn.kind="finally";var yc=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
+`:""},this._extScope=t,this._scope=new ot.Scope({parent:t}),this._nodes=[new fc]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let s=this._scope.toName(r);return n!==void 0&&a&&(this._constants[s.str]=n),this._leafNode(new cc(t,s,n)),s}const(t,r,n){return this._def(ot.varKinds.const,t,r,n)}let(t,r,n){return this._def(ot.varKinds.let,t,r,n)}var(t,r,n){return this._def(ot.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new va(t,r,n))}add(t,r){return this._leafNode(new uc(t,q.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==G.nil&&this._leafNode(new mc(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,G.addCodeArg)(r,a));return r.push("}"),new G._Code(r)}if(t,r,n){if(this._blockNode(new yr(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new yr(t))}else(){return this._elseNode(new Zr)}endIf(){return this._endBlockNode(yr,Zr)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new hc(t),r)}forRange(t,r,n,a,s=this.opts.es5?ot.varKinds.var:ot.varKinds.let){let i=this._scope.toName(t);return this._for(new gc(s,i,r,n),()=>a(i))}forOf(t,r,n,a=ot.varKinds.const){let s=this._scope.toName(t);if(this.opts.es5){let i=r instanceof G.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,G._)`${i}.length`,c=>{this.var(s,(0,G._)`${i}[${c}]`),n(s)})}return this._for(new ba("of",a,s,r),()=>n(s))}forIn(t,r,n,a=this.opts.es5?ot.varKinds.var:ot.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,G._)`Object.keys(${r})`,n);let s=this._scope.toName(t);return this._for(new ba("in",a,s,r),()=>n(s))}endFor(){return this._endBlockNode(wr)}label(t){return this._leafNode(new dc(t))}break(t){return this._leafNode(new lc(t))}return(t){let r=new Yn;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(Yn)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new _c;if(this._blockNode(a),this.code(t),r){let s=this.name("e");this._currNode=a.catch=new Xn(s),r(s)}return n&&(this._currNode=a.finally=new Qn,this.code(n)),this._endBlockNode(Xn,Qn)}throw(t){return this._leafNode(new pc(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=G.nil,n,a){return this._blockNode(new Jn(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(Jn)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof yr))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};q.CodeGen=yc;function Sr(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(Sr,"addNames");function Ra(e,t){return t instanceof G._CodeOrName?Sr(e,t.names):e}o(Ra,"addExprNames");function Kr(e,t,r){if(e instanceof G.Name)return n(e);if(!a(e))return e;return new G._Code(e._items.reduce((s,i)=>(i instanceof G.Name&&(i=n(i)),i instanceof G._Code?s.push(...i._items):s.push(i),s),[]));function n(s){let i=r[s.str];return i===void 0||t[s.str]!==1?s:(delete t[s.str],i)}function a(s){return s instanceof G._Code&&s._items.some(i=>i instanceof G.Name&&t[i.str]===1&&r[i.str]!==void 0)}}o(Kr,"optimizeExpr");function dv(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(dv,"subtractNames");function hp(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,G._)`!${wc(e)}`}o(hp,"not");q.not=hp;var lv=gp(q.operators.AND);function pv(...e){return e.reduce(lv)}o(pv,"and");q.and=pv;var mv=gp(q.operators.OR);function fv(...e){return e.reduce(mv)}o(fv,"or");q.or=fv;function gp(e){return(t,r)=>t===G.nil?r:r===G.nil?t:(0,G._)`${wc(t)} ${e} ${wc(r)}`}o(gp,"mappend");function wc(e){return e instanceof G.Name?e:(0,G._)`(${e})`}o(wc,"par")});var Z=C(j=>{"use strict";Object.defineProperty(j,"__esModule",{value:!0});j.checkStrictMode=j.getErrorPath=j.Type=j.useFunc=j.setEvaluated=j.evaluatedPropsToName=j.mergeEvaluated=j.eachItem=j.unescapeJsonPointer=j.escapeJsonPointer=j.escapeFragment=j.unescapeFragment=j.schemaRefOrVal=j.schemaHasRulesButRef=j.schemaHasRules=j.checkUnknownRules=j.alwaysValidSchema=j.toHash=void 0;var X=D(),hv=Kn();function gv(e){let t={};for(let r of e)t[r]=!0;return t}o(gv,"toHash");j.toHash=gv;function _v(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(wp(e,t),!Sp(t,e.self.RULES.all))}o(_v,"alwaysValidSchema");j.alwaysValidSchema=_v;function wp(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let s in t)a[s]||Rp(e,`unknown keyword: "${s}"`)}o(wp,"checkUnknownRules");j.checkUnknownRules=wp;function Sp(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(Sp,"schemaHasRules");j.schemaHasRules=Sp;function yv(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o(yv,"schemaHasRulesButRef");j.schemaHasRulesButRef=yv;function wv({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,X._)`${r}`}return(0,X._)`${e}${t}${(0,X.getProperty)(n)}`}o(wv,"schemaRefOrVal");j.schemaRefOrVal=wv;function Sv(e){return vp(decodeURIComponent(e))}o(Sv,"unescapeFragment");j.unescapeFragment=Sv;function vv(e){return encodeURIComponent(vc(e))}o(vv,"escapeFragment");j.escapeFragment=vv;function vc(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(vc,"escapeJsonPointer");j.escapeJsonPointer=vc;function vp(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(vp,"unescapeJsonPointer");j.unescapeJsonPointer=vp;function bv(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(bv,"eachItem");j.eachItem=bv;function _p({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,s,i,c)=>{let d=i===void 0?s:i instanceof X.Name?(s instanceof X.Name?e(a,s,i):t(a,s,i),i):s instanceof X.Name?(t(a,i,s),s):r(s,i);return c===X.Name&&!(d instanceof X.Name)?n(a,d):d}}o(_p,"makeMergeEvaluated");j.mergeEvaluated={props:_p({mergeNames:o((e,t,r)=>e.if((0,X._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,X._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,X._)`${r} || {}`).code((0,X._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,X._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,X._)`${r} || {}`),bc(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:bp}),items:_p({mergeNames:o((e,t,r)=>e.if((0,X._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,X._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,X._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,X._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function bp(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,X._)`{}`);return t!==void 0&&bc(e,r,t),r}o(bp,"evaluatedPropsToName");j.evaluatedPropsToName=bp;function bc(e,t,r){Object.keys(r).forEach(n=>e.assign((0,X._)`${t}${(0,X.getProperty)(n)}`,!0))}o(bc,"setEvaluated");j.setEvaluated=bc;var yp={};function Rv(e,t){return e.scopeValue("func",{ref:t,code:yp[t.code]||(yp[t.code]=new hv._Code(t.code))})}o(Rv,"useFunc");j.useFunc=Rv;var Sc;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(Sc||(j.Type=Sc={}));function Iv(e,t,r){if(e instanceof X.Name){let n=t===Sc.Num;return r?n?(0,X._)`"[" + ${e} + "]"`:(0,X._)`"['" + ${e} + "']"`:n?(0,X._)`"/" + ${e}`:(0,X._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,X.getProperty)(e).toString():"/"+vc(e)}o(Iv,"getErrorPath");j.getErrorPath=Iv;function Rp(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(Rp,"checkStrictMode");j.checkStrictMode=Rp});var Ot=C(Rc=>{"use strict";Object.defineProperty(Rc,"__esModule",{value:!0});var Ce=D(),Tv={data:new Ce.Name("data"),valCxt:new Ce.Name("valCxt"),instancePath:new Ce.Name("instancePath"),parentData:new Ce.Name("parentData"),parentDataProperty:new Ce.Name("parentDataProperty"),rootData:new Ce.Name("rootData"),dynamicAnchors:new Ce.Name("dynamicAnchors"),vErrors:new Ce.Name("vErrors"),errors:new Ce.Name("errors"),this:new Ce.Name("this"),self:new Ce.Name("self"),scope:new Ce.Name("scope"),json:new Ce.Name("json"),jsonPos:new Ce.Name("jsonPos"),jsonLen:new Ce.Name("jsonLen"),jsonPart:new Ce.Name("jsonPart")};Rc.default=Tv});var eo=C(Ee=>{"use strict";Object.defineProperty(Ee,"__esModule",{value:!0});Ee.extendErrors=Ee.resetErrorsCount=Ee.reportExtraError=Ee.reportError=Ee.keyword$DataError=Ee.keywordError=void 0;var B=D(),Ta=Z(),ke=Ot();Ee.keywordError={message:o(({keyword:e})=>(0,B.str)`must pass "${e}" keyword validation`,"message")};Ee.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,B.str)`"${e}" keyword must be ${t} ($data)`:(0,B.str)`"${e}" keyword is invalid ($data)`,"message")};function Cv(e,t=Ee.keywordError,r,n){let{it:a}=e,{gen:s,compositeRule:i,allErrors:c}=a,d=Cp(e,t,r);n??(i||c)?Ip(s,d):Tp(a,(0,B._)`[${d}]`)}o(Cv,"reportError");Ee.reportError=Cv;function Ev(e,t=Ee.keywordError,r){let{it:n}=e,{gen:a,compositeRule:s,allErrors:i}=n,c=Cp(e,t,r);Ip(a,c),s||i||Tp(n,ke.default.vErrors)}o(Ev,"reportExtraError");Ee.reportExtraError=Ev;function Av(e,t){e.assign(ke.default.errors,t),e.if((0,B._)`${ke.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,B._)`${ke.default.vErrors}.length`,t),()=>e.assign(ke.default.vErrors,null)))}o(Av,"resetErrorsCount");Ee.resetErrorsCount=Av;function Pv({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:s}){if(a===void 0)throw new Error("ajv implementation error");let i=e.name("err");e.forRange("i",a,ke.default.errors,c=>{e.const(i,(0,B._)`${ke.default.vErrors}[${c}]`),e.if((0,B._)`${i}.instancePath === undefined`,()=>e.assign((0,B._)`${i}.instancePath`,(0,B.strConcat)(ke.default.instancePath,s.errorPath))),e.assign((0,B._)`${i}.schemaPath`,(0,B.str)`${s.errSchemaPath}/${t}`),s.opts.verbose&&(e.assign((0,B._)`${i}.schema`,r),e.assign((0,B._)`${i}.data`,n))})}o(Pv,"extendErrors");Ee.extendErrors=Pv;function Ip(e,t){let r=e.const("err",t);e.if((0,B._)`${ke.default.vErrors} === null`,()=>e.assign(ke.default.vErrors,(0,B._)`[${r}]`),(0,B._)`${ke.default.vErrors}.push(${r})`),e.code((0,B._)`${ke.default.errors}++`)}o(Ip,"addError");function Tp(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,B._)`new ${e.ValidationError}(${t})`):(r.assign((0,B._)`${n}.errors`,t),r.return(!1))}o(Tp,"returnErrors");var vr={keyword:new B.Name("keyword"),schemaPath:new B.Name("schemaPath"),params:new B.Name("params"),propertyName:new B.Name("propertyName"),message:new B.Name("message"),schema:new B.Name("schema"),parentSchema:new B.Name("parentSchema")};function Cp(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,B._)`{}`:xv(e,t,r)}o(Cp,"errorObjectCode");function xv(e,t,r={}){let{gen:n,it:a}=e,s=[kv(a,r),Ov(e,r)];return Uv(e,t,s),n.object(...s)}o(xv,"errorObject");function kv({errorPath:e},{instancePath:t}){let r=t?(0,B.str)`${e}${(0,Ta.getErrorPath)(t,Ta.Type.Str)}`:e;return[ke.default.instancePath,(0,B.strConcat)(ke.default.instancePath,r)]}o(kv,"errorInstancePath");function Ov({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,B.str)`${t}/${e}`;return r&&(a=(0,B.str)`${a}${(0,Ta.getErrorPath)(r,Ta.Type.Str)}`),[vr.schemaPath,a]}o(Ov,"errorSchemaPath");function Uv(e,{params:t,message:r},n){let{keyword:a,data:s,schemaValue:i,it:c}=e,{opts:d,propertyName:p,topSchemaRef:l,schemaPath:m}=c;n.push([vr.keyword,a],[vr.params,typeof t=="function"?t(e):t||(0,B._)`{}`]),d.messages&&n.push([vr.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([vr.schema,i],[vr.parentSchema,(0,B._)`${l}${m}`],[ke.default.data,s]),p&&n.push([vr.propertyName,p])}o(Uv,"extraErrorProps")});var Ap=C(Wr=>{"use strict";Object.defineProperty(Wr,"__esModule",{value:!0});Wr.boolOrEmptySchema=Wr.topBoolOrEmptySchema=void 0;var Nv=eo(),$v=D(),zv=Ot(),Mv={message:"boolean schema is false"};function Dv(e){let{gen:t,schema:r,validateName:n}=e;r===!1?Ep(e,!1):typeof r=="object"&&r.$async===!0?t.return(zv.default.data):(t.assign((0,$v._)`${n}.errors`,null),t.return(!0))}o(Dv,"topBoolOrEmptySchema");Wr.topBoolOrEmptySchema=Dv;function qv(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),Ep(e)):r.var(t,!0)}o(qv,"boolOrEmptySchema");Wr.boolOrEmptySchema=qv;function Ep(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,Nv.reportError)(a,Mv,void 0,t)}o(Ep,"falseSchemaError")});var Ic=C(Jr=>{"use strict";Object.defineProperty(Jr,"__esModule",{value:!0});Jr.getRules=Jr.isJSONType=void 0;var Lv=["string","number","integer","boolean","null","object","array"],jv=new Set(Lv);function Hv(e){return typeof e=="string"&&jv.has(e)}o(Hv,"isJSONType");Jr.isJSONType=Hv;function Gv(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(Gv,"getRules");Jr.getRules=Gv});var Tc=C(Xt=>{"use strict";Object.defineProperty(Xt,"__esModule",{value:!0});Xt.shouldUseRule=Xt.shouldUseGroup=Xt.schemaHasRulesForType=void 0;function Bv({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&Pp(e,n)}o(Bv,"schemaHasRulesForType");Xt.schemaHasRulesForType=Bv;function Pp(e,t){return t.rules.some(r=>xp(e,r))}o(Pp,"shouldUseGroup");Xt.shouldUseGroup=Pp;function xp(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(xp,"shouldUseRule");Xt.shouldUseRule=xp});var to=C(Ae=>{"use strict";Object.defineProperty(Ae,"__esModule",{value:!0});Ae.reportTypeError=Ae.checkDataTypes=Ae.checkDataType=Ae.coerceAndCheckDataType=Ae.getJSONTypes=Ae.getSchemaTypes=Ae.DataType=void 0;var Vv=Ic(),Fv=Tc(),Zv=eo(),M=D(),kp=Z(),Yr;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(Yr||(Ae.DataType=Yr={}));function Kv(e){let t=Op(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(Kv,"getSchemaTypes");Ae.getSchemaTypes=Kv;function Op(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(Vv.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(Op,"getJSONTypes");Ae.getJSONTypes=Op;function Wv(e,t){let{gen:r,data:n,opts:a}=e,s=Jv(t,a.coerceTypes),i=t.length>0&&!(s.length===0&&t.length===1&&(0,Fv.schemaHasRulesForType)(e,t[0]));if(i){let c=Ec(t,n,a.strictNumbers,Yr.Wrong);r.if(c,()=>{s.length?Yv(e,t,s):Ac(e)})}return i}o(Wv,"coerceAndCheckDataType");Ae.coerceAndCheckDataType=Wv;var Up=new Set(["string","number","integer","boolean","null"]);function Jv(e,t){return t?e.filter(r=>Up.has(r)||t==="array"&&r==="array"):[]}o(Jv,"coerceToTypes");function Yv(e,t,r){let{gen:n,data:a,opts:s}=e,i=n.let("dataType",(0,M._)`typeof ${a}`),c=n.let("coerced",(0,M._)`undefined`);s.coerceTypes==="array"&&n.if((0,M._)`${i} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,M._)`${a}[0]`).assign(i,(0,M._)`typeof ${a}`).if(Ec(t,a,s.strictNumbers),()=>n.assign(c,a))),n.if((0,M._)`${c} !== undefined`);for(let p of r)(Up.has(p)||p==="array"&&s.coerceTypes==="array")&&d(p);n.else(),Ac(e),n.endIf(),n.if((0,M._)`${c} !== undefined`,()=>{n.assign(a,c),Xv(e,c)});function d(p){switch(p){case"string":n.elseIf((0,M._)`${i} == "number" || ${i} == "boolean"`).assign(c,(0,M._)`"" + ${a}`).elseIf((0,M._)`${a} === null`).assign(c,(0,M._)`""`);return;case"number":n.elseIf((0,M._)`${i} == "boolean" || ${a} === null
+              || (${i} == "string" && ${a} && ${a} == +${a})`).assign(c,(0,M._)`+${a}`);return;case"integer":n.elseIf((0,M._)`${i} === "boolean" || ${a} === null
+              || (${i} === "string" && ${a} && ${a} == +${a} && !(${a} % 1))`).assign(c,(0,M._)`+${a}`);return;case"boolean":n.elseIf((0,M._)`${a} === "false" || ${a} === 0 || ${a} === null`).assign(c,!1).elseIf((0,M._)`${a} === "true" || ${a} === 1`).assign(c,!0);return;case"null":n.elseIf((0,M._)`${a} === "" || ${a} === 0 || ${a} === false`),n.assign(c,null);return;case"array":n.elseIf((0,M._)`${i} === "string" || ${i} === "number"
+              || ${i} === "boolean" || ${a} === null`).assign(c,(0,M._)`[${a}]`)}}o(d,"coerceSpecificType")}o(Yv,"coerceData");function Xv({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,M._)`${t} !== undefined`,()=>e.assign((0,M._)`${t}[${r}]`,n))}o(Xv,"assignParentData");function Cc(e,t,r,n=Yr.Correct){let a=n===Yr.Correct?M.operators.EQ:M.operators.NEQ,s;switch(e){case"null":return(0,M._)`${t} ${a} null`;case"array":s=(0,M._)`Array.isArray(${t})`;break;case"object":s=(0,M._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":s=i((0,M._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":s=i();break;default:return(0,M._)`typeof ${t} ${a} ${e}`}return n===Yr.Correct?s:(0,M.not)(s);function i(c=M.nil){return(0,M.and)((0,M._)`typeof ${t} == "number"`,c,r?(0,M._)`isFinite(${t})`:M.nil)}}o(Cc,"checkDataType");Ae.checkDataType=Cc;function Ec(e,t,r,n){if(e.length===1)return Cc(e[0],t,r,n);let a,s=(0,kp.toHash)(e);if(s.array&&s.object){let i=(0,M._)`typeof ${t} != "object"`;a=s.null?i:(0,M._)`!${t} || ${i}`,delete s.null,delete s.array,delete s.object}else a=M.nil;s.number&&delete s.integer;for(let i in s)a=(0,M.and)(a,Cc(i,t,r,n));return a}o(Ec,"checkDataTypes");Ae.checkDataTypes=Ec;var Qv={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,M._)`{type: ${e}}`:(0,M._)`{type: ${t}}`,"params")};function Ac(e){let t=eb(e);(0,Zv.reportError)(t,Qv)}o(Ac,"reportTypeError");Ae.reportTypeError=Ac;function eb(e){let{gen:t,data:r,schema:n}=e,a=(0,kp.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(eb,"getTypeErrorContext")});var $p=C(Ca=>{"use strict";Object.defineProperty(Ca,"__esModule",{value:!0});Ca.assignDefaults=void 0;var Xr=D(),tb=Z();function rb(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)Np(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,s)=>Np(e,s,a.default))}o(rb,"assignDefaults");Ca.assignDefaults=rb;function Np(e,t,r){let{gen:n,compositeRule:a,data:s,opts:i}=e;if(r===void 0)return;let c=(0,Xr._)`${s}${(0,Xr.getProperty)(t)}`;if(a){(0,tb.checkStrictMode)(e,`default is ignored for: ${c}`);return}let d=(0,Xr._)`${c} === undefined`;i.useDefaults==="empty"&&(d=(0,Xr._)`${d} || ${c} === null || ${c} === ""`),n.if(d,(0,Xr._)`${c} = ${(0,Xr.stringify)(r)}`)}o(Np,"assignDefault")});var Ye=C(J=>{"use strict";Object.defineProperty(J,"__esModule",{value:!0});J.validateUnion=J.validateArray=J.usePattern=J.callValidateCode=J.schemaProperties=J.allSchemaProperties=J.noPropertyInData=J.propertyInData=J.isOwnProperty=J.hasPropFunc=J.reportMissingProp=J.checkMissingProp=J.checkReportMissingProp=void 0;var te=D(),Pc=Z(),Qt=Ot(),nb=Z();function ob(e,t){let{gen:r,data:n,it:a}=e;r.if(kc(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,te._)`${t}`},!0),e.error()})}o(ob,"checkReportMissingProp");J.checkReportMissingProp=ob;function ab({gen:e,data:t,it:{opts:r}},n,a){return(0,te.or)(...n.map(s=>(0,te.and)(kc(e,t,s,r.ownProperties),(0,te._)`${a} = ${s}`)))}o(ab,"checkMissingProp");J.checkMissingProp=ab;function sb(e,t){e.setParams({missingProperty:t},!0),e.error()}o(sb,"reportMissingProp");J.reportMissingProp=sb;function zp(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,te._)`Object.prototype.hasOwnProperty`})}o(zp,"hasPropFunc");J.hasPropFunc=zp;function xc(e,t,r){return(0,te._)`${zp(e)}.call(${t}, ${r})`}o(xc,"isOwnProperty");J.isOwnProperty=xc;function ib(e,t,r,n){let a=(0,te._)`${t}${(0,te.getProperty)(r)} !== undefined`;return n?(0,te._)`${a} && ${xc(e,t,r)}`:a}o(ib,"propertyInData");J.propertyInData=ib;function kc(e,t,r,n){let a=(0,te._)`${t}${(0,te.getProperty)(r)} === undefined`;return n?(0,te.or)(a,(0,te.not)(xc(e,t,r))):a}o(kc,"noPropertyInData");J.noPropertyInData=kc;function Mp(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(Mp,"allSchemaProperties");J.allSchemaProperties=Mp;function cb(e,t){return Mp(t).filter(r=>!(0,Pc.alwaysValidSchema)(e,t[r]))}o(cb,"schemaProperties");J.schemaProperties=cb;function ub({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:s},it:i},c,d,p){let l=p?(0,te._)`${e}, ${t}, ${n}${a}`:t,m=[[Qt.default.instancePath,(0,te.strConcat)(Qt.default.instancePath,s)],[Qt.default.parentData,i.parentData],[Qt.default.parentDataProperty,i.parentDataProperty],[Qt.default.rootData,Qt.default.rootData]];i.opts.dynamicRef&&m.push([Qt.default.dynamicAnchors,Qt.default.dynamicAnchors]);let h=(0,te._)`${l}, ${r.object(...m)}`;return d!==te.nil?(0,te._)`${c}.call(${d}, ${h})`:(0,te._)`${c}(${h})`}o(ub,"callValidateCode");J.callValidateCode=ub;var db=(0,te._)`new RegExp`;function lb({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,s=a(r,n);return e.scopeValue("pattern",{key:s.toString(),ref:s,code:(0,te._)`${a.code==="new RegExp"?db:(0,nb.useFunc)(e,a)}(${r}, ${n})`})}o(lb,"usePattern");J.usePattern=lb;function pb(e){let{gen:t,data:r,keyword:n,it:a}=e,s=t.name("valid");if(a.allErrors){let c=t.let("valid",!0);return i(()=>t.assign(c,!1)),c}return t.var(s,!0),i(()=>t.break()),s;function i(c){let d=t.const("len",(0,te._)`${r}.length`);t.forRange("i",0,d,p=>{e.subschema({keyword:n,dataProp:p,dataPropType:Pc.Type.Num},s),t.if((0,te.not)(s),c)})}o(i,"validateItems")}o(pb,"validateArray");J.validateArray=pb;function mb(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,Pc.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let i=t.let("valid",!1),c=t.name("_valid");t.block(()=>r.forEach((d,p)=>{let l=e.subschema({keyword:n,schemaProp:p,compositeRule:!0},c);t.assign(i,(0,te._)`${i} || ${c}`),e.mergeValidEvaluated(l,c)||t.if((0,te.not)(i))})),e.result(i,()=>e.reset(),()=>e.error(!0))}o(mb,"validateUnion");J.validateUnion=mb});var Lp=C(ft=>{"use strict";Object.defineProperty(ft,"__esModule",{value:!0});ft.validateKeywordUsage=ft.validSchemaType=ft.funcKeywordCode=ft.macroKeywordCode=void 0;var Oe=D(),br=Ot(),fb=Ye(),hb=eo();function gb(e,t){let{gen:r,keyword:n,schema:a,parentSchema:s,it:i}=e,c=t.macro.call(i.self,a,s,i),d=qp(r,n,c);i.opts.validateSchema!==!1&&i.self.validateSchema(c,!0);let p=r.name("valid");e.subschema({schema:c,schemaPath:Oe.nil,errSchemaPath:`${i.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},p),e.pass(p,()=>e.error(!0))}o(gb,"macroKeywordCode");ft.macroKeywordCode=gb;function _b(e,t){var r;let{gen:n,keyword:a,schema:s,parentSchema:i,$data:c,it:d}=e;wb(d,t);let p=!c&&t.compile?t.compile.call(d.self,s,i,d):t.validate,l=qp(n,a,p),m=n.let("valid");e.block$data(m,h),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function h(){if(t.errors===!1)y(),t.modifying&&Dp(e),S(()=>e.error());else{let v=t.async?_():w();t.modifying&&Dp(e),S(()=>yb(e,v))}}o(h,"validateKeyword");function _(){let v=n.let("ruleErrs",null);return n.try(()=>y((0,Oe._)`await `),b=>n.assign(m,!1).if((0,Oe._)`${b} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,Oe._)`${b}.errors`),()=>n.throw(b))),v}o(_,"validateAsync");function w(){let v=(0,Oe._)`${l}.errors`;return n.assign(v,null),y(Oe.nil),v}o(w,"validateSync");function y(v=t.async?(0,Oe._)`await `:Oe.nil){let b=d.opts.passContext?br.default.this:br.default.self,T=!("compile"in t&&!c||t.schema===!1);n.assign(m,(0,Oe._)`${v}${(0,fb.callValidateCode)(e,l,b,T)}`,t.modifying)}o(y,"assignValid");function S(v){var b;n.if((0,Oe.not)((b=t.valid)!==null&&b!==void 0?b:m),v)}o(S,"reportErrs")}o(_b,"funcKeywordCode");ft.funcKeywordCode=_b;function Dp(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,Oe._)`${n.parentData}[${n.parentDataProperty}]`))}o(Dp,"modifyData");function yb(e,t){let{gen:r}=e;r.if((0,Oe._)`Array.isArray(${t})`,()=>{r.assign(br.default.vErrors,(0,Oe._)`${br.default.vErrors} === null ? ${t} : ${br.default.vErrors}.concat(${t})`).assign(br.default.errors,(0,Oe._)`${br.default.vErrors}.length`),(0,hb.extendErrors)(e)},()=>e.error())}o(yb,"addErrs");function wb({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(wb,"checkAsyncKeyword");function qp(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,Oe.stringify)(r)})}o(qp,"useKeyword");function Sb(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(Sb,"validSchemaType");ft.validSchemaType=Sb;function vb({schema:e,opts:t,self:r,errSchemaPath:n},a,s){if(Array.isArray(a.keyword)?!a.keyword.includes(s):a.keyword!==s)throw new Error("ajv implementation error");let i=a.dependencies;if(i?.some(c=>!Object.prototype.hasOwnProperty.call(e,c)))throw new Error(`parent schema must have dependencies of ${s}: ${i.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[s])){let d=`keyword "${s}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(vb,"validateKeywordUsage");ft.validateKeywordUsage=vb});var Hp=C(er=>{"use strict";Object.defineProperty(er,"__esModule",{value:!0});er.extendSubschemaMode=er.extendSubschemaData=er.getSubschema=void 0;var ht=D(),jp=Z();function bb(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:s,topSchemaRef:i}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let c=e.schema[t];return r===void 0?{schema:c,schemaPath:(0,ht._)`${e.schemaPath}${(0,ht.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:c[r],schemaPath:(0,ht._)`${e.schemaPath}${(0,ht.getProperty)(t)}${(0,ht.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,jp.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||s===void 0||i===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:i,errSchemaPath:s}}throw new Error('either "keyword" or "schema" must be passed')}o(bb,"getSubschema");er.getSubschema=bb;function Rb(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:s,propertyName:i}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:c}=t;if(r!==void 0){let{errorPath:p,dataPathArr:l,opts:m}=t,h=c.let("data",(0,ht._)`${t.data}${(0,ht.getProperty)(r)}`,!0);d(h),e.errorPath=(0,ht.str)`${p}${(0,jp.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,ht._)`${r}`,e.dataPathArr=[...l,e.parentDataProperty]}if(a!==void 0){let p=a instanceof ht.Name?a:c.let("data",a,!0);d(p),i!==void 0&&(e.propertyName=i)}s&&(e.dataTypes=s);function d(p){e.data=p,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,p]}o(d,"dataContextProps")}o(Rb,"extendSubschemaData");er.extendSubschemaData=Rb;function Ib(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:s}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),s!==void 0&&(e.allErrors=s),e.jtdDiscriminator=t,e.jtdMetadata=r}o(Ib,"extendSubschemaMode");er.extendSubschemaMode=Ib});var Oc=C((pL,Gp)=>{"use strict";Gp.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,s;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(s=Object.keys(t),n=s.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,s[a]))return!1;for(a=n;a--!==0;){var i=s[a];if(!e(t[i],r[i]))return!1}return!0}return t!==t&&r!==r},"equal")});var Vp=C((fL,Bp)=>{"use strict";var tr=Bp.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};Ea(t,n,a,e,"",e)};tr.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};tr.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};tr.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};tr.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function Ea(e,t,r,n,a,s,i,c,d,p){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,s,i,c,d,p);for(var l in n){var m=n[l];if(Array.isArray(m)){if(l in tr.arrayKeywords)for(var h=0;h<m.length;h++)Ea(e,t,r,m[h],a+"/"+l+"/"+h,s,a,l,n,h)}else if(l in tr.propsKeywords){if(m&&typeof m=="object")for(var _ in m)Ea(e,t,r,m[_],a+"/"+l+"/"+Tb(_),s,a,l,n,_)}else(l in tr.keywords||e.allKeys&&!(l in tr.skipKeywords))&&Ea(e,t,r,m,a+"/"+l,s,a,l,n)}r(n,a,s,i,c,d,p)}}o(Ea,"_traverse");function Tb(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Tb,"escapeJsonPtr")});var ro=C(De=>{"use strict";Object.defineProperty(De,"__esModule",{value:!0});De.getSchemaRefs=De.resolveUrl=De.normalizeId=De._getFullPath=De.getFullPath=De.inlineRef=void 0;var Cb=Z(),Eb=Oc(),Ab=Vp(),Pb=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function xb(e,t=!0){return typeof e=="boolean"?!0:t===!0?!Uc(e):t?Fp(e)<=t:!1}o(xb,"inlineRef");De.inlineRef=xb;var kb=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function Uc(e){for(let t in e){if(kb.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(Uc)||typeof r=="object"&&Uc(r))return!0}return!1}o(Uc,"hasRef");function Fp(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!Pb.has(r)&&(typeof e[r]=="object"&&(0,Cb.eachItem)(e[r],n=>t+=Fp(n)),t===1/0))return 1/0}return t}o(Fp,"countKeys");function Zp(e,t="",r){r!==!1&&(t=Qr(t));let n=e.parse(t);return Kp(e,n)}o(Zp,"getFullPath");De.getFullPath=Zp;function Kp(e,t){return e.serialize(t).split("#")[0]+"#"}o(Kp,"_getFullPath");De._getFullPath=Kp;var Ob=/#\/?$/;function Qr(e){return e?e.replace(Ob,""):""}o(Qr,"normalizeId");De.normalizeId=Qr;function Ub(e,t,r){return r=Qr(r),e.resolve(t,r)}o(Ub,"resolveUrl");De.resolveUrl=Ub;var Nb=/^[a-z_][-a-z0-9._]*$/i;function $b(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=Qr(e[r]||t),s={"":a},i=Zp(n,a,!1),c={},d=new Set;return Ab(e,{allKeys:!0},(m,h,_,w)=>{if(w===void 0)return;let y=i+h,S=s[w];typeof m[r]=="string"&&(S=v.call(this,m[r])),b.call(this,m.$anchor),b.call(this,m.$dynamicAnchor),s[h]=S;function v(T){let U=this.opts.uriResolver.resolve;if(T=Qr(S?U(S,T):T),d.has(T))throw l(T);d.add(T);let $=this.refs[T];return typeof $=="string"&&($=this.refs[$]),typeof $=="object"?p(m,$.schema,T):T!==Qr(y)&&(T[0]==="#"?(p(m,c[T],T),c[T]=m):this.refs[T]=y),T}o(v,"addRef");function b(T){if(typeof T=="string"){if(!Nb.test(T))throw new Error(`invalid anchor "${T}"`);v.call(this,`#${T}`)}}o(b,"addAnchor")}),c;function p(m,h,_){if(h!==void 0&&!Eb(m,h))throw l(_)}o(p,"checkAmbiguosRef");function l(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(l,"ambiguos")}o($b,"getSchemaRefs");De.getSchemaRefs=$b});var ao=C(rr=>{"use strict";Object.defineProperty(rr,"__esModule",{value:!0});rr.getData=rr.KeywordCxt=rr.validateFunctionCode=void 0;var Qp=Ap(),Wp=to(),$c=Tc(),Aa=to(),zb=$p(),oo=Lp(),Nc=Hp(),x=D(),N=Ot(),Mb=ro(),Ut=Z(),no=eo();function Db(e){if(rm(e)&&(nm(e),tm(e))){jb(e);return}em(e,()=>(0,Qp.topBoolOrEmptySchema)(e))}o(Db,"validateFunctionCode");rr.validateFunctionCode=Db;function em({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},s){a.code.es5?e.func(t,(0,x._)`${N.default.data}, ${N.default.valCxt}`,n.$async,()=>{e.code((0,x._)`"use strict"; ${Jp(r,a)}`),Lb(e,a),e.code(s)}):e.func(t,(0,x._)`${N.default.data}, ${qb(a)}`,n.$async,()=>e.code(Jp(r,a)).code(s))}o(em,"validateFunction");function qb(e){return(0,x._)`{${N.default.instancePath}="", ${N.default.parentData}, ${N.default.parentDataProperty}, ${N.default.rootData}=${N.default.data}${e.dynamicRef?(0,x._)`, ${N.default.dynamicAnchors}={}`:x.nil}}={}`}o(qb,"destructureValCxt");function Lb(e,t){e.if(N.default.valCxt,()=>{e.var(N.default.instancePath,(0,x._)`${N.default.valCxt}.${N.default.instancePath}`),e.var(N.default.parentData,(0,x._)`${N.default.valCxt}.${N.default.parentData}`),e.var(N.default.parentDataProperty,(0,x._)`${N.default.valCxt}.${N.default.parentDataProperty}`),e.var(N.default.rootData,(0,x._)`${N.default.valCxt}.${N.default.rootData}`),t.dynamicRef&&e.var(N.default.dynamicAnchors,(0,x._)`${N.default.valCxt}.${N.default.dynamicAnchors}`)},()=>{e.var(N.default.instancePath,(0,x._)`""`),e.var(N.default.parentData,(0,x._)`undefined`),e.var(N.default.parentDataProperty,(0,x._)`undefined`),e.var(N.default.rootData,N.default.data),t.dynamicRef&&e.var(N.default.dynamicAnchors,(0,x._)`{}`)})}o(Lb,"destructureValCxtES5");function jb(e){let{schema:t,opts:r,gen:n}=e;em(e,()=>{r.$comment&&t.$comment&&am(e),Fb(e),n.let(N.default.vErrors,null),n.let(N.default.errors,0),r.unevaluated&&Hb(e),om(e),Wb(e)})}o(jb,"topSchemaObjCode");function Hb(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,x._)`${r}.evaluated`),t.if((0,x._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,x._)`${e.evaluated}.props`,(0,x._)`undefined`)),t.if((0,x._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,x._)`${e.evaluated}.items`,(0,x._)`undefined`))}o(Hb,"resetEvaluated");function Jp(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,x._)`/*# sourceURL=${r} */`:x.nil}o(Jp,"funcSourceUrl");function Gb(e,t){if(rm(e)&&(nm(e),tm(e))){Bb(e,t);return}(0,Qp.boolOrEmptySchema)(e,t)}o(Gb,"subschemaCode");function tm({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(tm,"schemaCxtHasRules");function rm(e){return typeof e.schema!="boolean"}o(rm,"isSchemaObj");function Bb(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&am(e),Zb(e),Kb(e);let s=n.const("_errs",N.default.errors);om(e,s),n.var(t,(0,x._)`${s} === ${N.default.errors}`)}o(Bb,"subSchemaObjCode");function nm(e){(0,Ut.checkUnknownRules)(e),Vb(e)}o(nm,"checkKeywords");function om(e,t){if(e.opts.jtd)return Yp(e,[],!1,t);let r=(0,Wp.getSchemaTypes)(e.schema),n=(0,Wp.coerceAndCheckDataType)(e,r);Yp(e,r,!n,t)}o(om,"typeAndKeywords");function Vb(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Ut.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(Vb,"checkRefsAndKeywords");function Fb(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Ut.checkStrictMode)(e,"default is ignored in the schema root")}o(Fb,"checkNoDefault");function Zb(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,Mb.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(Zb,"updateContext");function Kb(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(Kb,"checkAsyncSchema");function am({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let s=r.$comment;if(a.$comment===!0)e.code((0,x._)`${N.default.self}.logger.log(${s})`);else if(typeof a.$comment=="function"){let i=(0,x.str)`${n}/$comment`,c=e.scopeValue("root",{ref:t.root});e.code((0,x._)`${N.default.self}.opts.$comment(${s}, ${i}, ${c}.schema)`)}}o(am,"commentKeyword");function Wb(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:s}=e;r.$async?t.if((0,x._)`${N.default.errors} === 0`,()=>t.return(N.default.data),()=>t.throw((0,x._)`new ${a}(${N.default.vErrors})`)):(t.assign((0,x._)`${n}.errors`,N.default.vErrors),s.unevaluated&&Jb(e),t.return((0,x._)`${N.default.errors} === 0`))}o(Wb,"returnResults");function Jb({gen:e,evaluated:t,props:r,items:n}){r instanceof x.Name&&e.assign((0,x._)`${t}.props`,r),n instanceof x.Name&&e.assign((0,x._)`${t}.items`,n)}o(Jb,"assignEvaluated");function Yp(e,t,r,n){let{gen:a,schema:s,data:i,allErrors:c,opts:d,self:p}=e,{RULES:l}=p;if(s.$ref&&(d.ignoreKeywordsWithRef||!(0,Ut.schemaHasRulesButRef)(s,l))){a.block(()=>im(e,"$ref",l.all.$ref.definition));return}d.jtd||Yb(e,t),a.block(()=>{for(let h of l.rules)m(h);m(l.post)});function m(h){(0,$c.shouldUseGroup)(s,h)&&(h.type?(a.if((0,Aa.checkDataType)(h.type,i,d.strictNumbers)),Xp(e,h),t.length===1&&t[0]===h.type&&r&&(a.else(),(0,Aa.reportTypeError)(e)),a.endIf()):Xp(e,h),c||a.if((0,x._)`${N.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(Yp,"schemaKeywords");function Xp(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,zb.assignDefaults)(e,t.type),r.block(()=>{for(let s of t.rules)(0,$c.shouldUseRule)(n,s)&&im(e,s.keyword,s.definition,t.type)})}o(Xp,"iterateKeywords");function Yb(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(Xb(e,t),e.opts.allowUnionTypes||Qb(e,t),eR(e,e.dataTypes))}o(Yb,"checkStrictTypes");function Xb(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{sm(e.dataTypes,r)||zc(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),rR(e,t)}}o(Xb,"checkContextTypes");function Qb(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&zc(e,"use allowUnionTypes to allow union type keyword")}o(Qb,"checkMultipleTypes");function eR(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,$c.shouldUseRule)(e.schema,a)){let{type:s}=a.definition;s.length&&!s.some(i=>tR(t,i))&&zc(e,`missing type "${s.join(",")}" for keyword "${n}"`)}}}o(eR,"checkKeywordTypes");function tR(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(tR,"hasApplicableType");function sm(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(sm,"includesType");function rR(e,t){let r=[];for(let n of e.dataTypes)sm(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(rR,"narrowSchemaTypes");function zc(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Ut.checkStrictMode)(e,t,e.opts.strictTypes)}o(zc,"strictTypesError");var Pa=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,oo.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Ut.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",cm(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,oo.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",N.default.errors))}result(t,r,n){this.failResult((0,x.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,x.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,x._)`${r} !== undefined && (${(0,x.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?no.reportExtraError:no.reportError)(this,this.def.error,r)}$dataError(){(0,no.reportError)(this,this.def.$dataError||no.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,no.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=x.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=x.nil,r=x.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:s,def:i}=this;n.if((0,x.or)((0,x._)`${a} === undefined`,r)),t!==x.nil&&n.assign(t,!0),(s.length||i.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==x.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:s}=this;return(0,x.or)(i(),c());function i(){if(n.length){if(!(r instanceof x.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,x._)`${(0,Aa.checkDataTypes)(d,r,s.opts.strictNumbers,Aa.DataType.Wrong)}`}return x.nil}function c(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,x._)`!${d}(${r})`}return x.nil}}subschema(t,r){let n=(0,Nc.getSubschema)(this.it,t);(0,Nc.extendSubschemaData)(n,this.it,t),(0,Nc.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return Gb(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Ut.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Ut.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,x.Name)),!0}};rr.KeywordCxt=Pa;function im(e,t,r,n){let a=new Pa(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,oo.funcKeywordCode)(a,r):"macro"in r?(0,oo.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,oo.funcKeywordCode)(a,r)}o(im,"keywordCode");var nR=/^\/(?:[^~]|~0|~1)*$/,oR=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function cm(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,s;if(e==="")return N.default.rootData;if(e[0]==="/"){if(!nR.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,s=N.default.rootData}else{let p=oR.exec(e);if(!p)throw new Error(`Invalid JSON-pointer: ${e}`);let l=+p[1];if(a=p[2],a==="#"){if(l>=t)throw new Error(d("property/index",l));return n[t-l]}if(l>t)throw new Error(d("data",l));if(s=r[t-l],!a)return s}let i=s,c=a.split("/");for(let p of c)p&&(s=(0,x._)`${s}${(0,x.getProperty)((0,Ut.unescapeJsonPointer)(p))}`,i=(0,x._)`${i} && ${s}`);return i;function d(p,l){return`Cannot access ${p} ${l} levels up, current level is ${t}`}}o(cm,"getData");rr.getData=cm});var xa=C(Dc=>{"use strict";Object.defineProperty(Dc,"__esModule",{value:!0});var Mc=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};Dc.default=Mc});var so=C(jc=>{"use strict";Object.defineProperty(jc,"__esModule",{value:!0});var qc=ro(),Lc=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,qc.resolveUrl)(t,r,n),this.missingSchema=(0,qc.normalizeId)((0,qc.getFullPath)(t,this.missingRef))}};jc.default=Lc});var Oa=C(Xe=>{"use strict";Object.defineProperty(Xe,"__esModule",{value:!0});Xe.resolveSchema=Xe.getCompilingSchema=Xe.resolveRef=Xe.compileSchema=Xe.SchemaEnv=void 0;var at=D(),aR=xa(),Rr=Ot(),st=ro(),um=Z(),sR=ao(),en=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,st.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};Xe.SchemaEnv=en;function Gc(e){let t=dm.call(this,e);if(t)return t;let r=(0,st.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:s}=this.opts,i=new at.CodeGen(this.scope,{es5:n,lines:a,ownProperties:s}),c;e.$async&&(c=i.scopeValue("Error",{ref:aR.default,code:(0,at._)`require("ajv/dist/runtime/validation_error").default`}));let d=i.scopeName("validate");e.validateName=d;let p={gen:i,allErrors:this.opts.allErrors,data:Rr.default.data,parentData:Rr.default.parentData,parentDataProperty:Rr.default.parentDataProperty,dataNames:[Rr.default.data],dataPathArr:[at.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:i.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,at.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:c,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:at.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,at._)`""`,opts:this.opts,self:this},l;try{this._compilations.add(e),(0,sR.validateFunctionCode)(p),i.optimize(this.opts.code.optimize);let m=i.toString();l=`${i.scopeRefs(Rr.default.scope)}return ${m}`,this.opts.code.process&&(l=this.opts.code.process(l,e));let _=new Function(`${Rr.default.self}`,`${Rr.default.scope}`,l)(this,this.scope.get());if(this.scope.value(d,{ref:_}),_.errors=null,_.schema=e.schema,_.schemaEnv=e,e.$async&&(_.$async=!0),this.opts.code.source===!0&&(_.source={validateName:d,validateCode:m,scopeValues:i._values}),this.opts.unevaluated){let{props:w,items:y}=p;_.evaluated={props:w instanceof at.Name?void 0:w,items:y instanceof at.Name?void 0:y,dynamicProps:w instanceof at.Name,dynamicItems:y instanceof at.Name},_.source&&(_.source.evaluated=(0,at.stringify)(_.evaluated))}return e.validate=_,e}catch(m){throw delete e.validate,delete e.validateName,l&&this.logger.error("Error compiling schema, function code:",l),m}finally{this._compilations.delete(e)}}o(Gc,"compileSchema");Xe.compileSchema=Gc;function iR(e,t,r){var n;r=(0,st.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let s=dR.call(this,e,r);if(s===void 0){let i=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:c}=this.opts;i&&(s=new en({schema:i,schemaId:c,root:e,baseId:t}))}if(s!==void 0)return e.refs[r]=cR.call(this,s)}o(iR,"resolveRef");Xe.resolveRef=iR;function cR(e){return(0,st.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:Gc.call(this,e)}o(cR,"inlineOrCompile");function dm(e){for(let t of this._compilations)if(uR(t,e))return t}o(dm,"getCompilingSchema");Xe.getCompilingSchema=dm;function uR(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(uR,"sameSchemaEnv");function dR(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||ka.call(this,e,t)}o(dR,"resolve");function ka(e,t){let r=this.opts.uriResolver.parse(t),n=(0,st._getFullPath)(this.opts.uriResolver,r),a=(0,st.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return Hc.call(this,r,e);let s=(0,st.normalizeId)(n),i=this.refs[s]||this.schemas[s];if(typeof i=="string"){let c=ka.call(this,e,i);return typeof c?.schema!="object"?void 0:Hc.call(this,r,c)}if(typeof i?.schema=="object"){if(i.validate||Gc.call(this,i),s===(0,st.normalizeId)(t)){let{schema:c}=i,{schemaId:d}=this.opts,p=c[d];return p&&(a=(0,st.resolveUrl)(this.opts.uriResolver,a,p)),new en({schema:c,schemaId:d,root:e,baseId:a})}return Hc.call(this,r,i)}}o(ka,"resolveSchema");Xe.resolveSchema=ka;var lR=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function Hc(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let c of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,um.unescapeFragment)(c)];if(d===void 0)return;r=d;let p=typeof r=="object"&&r[this.opts.schemaId];!lR.has(c)&&p&&(t=(0,st.resolveUrl)(this.opts.uriResolver,t,p))}let s;if(typeof r!="boolean"&&r.$ref&&!(0,um.schemaHasRulesButRef)(r,this.RULES)){let c=(0,st.resolveUrl)(this.opts.uriResolver,t,r.$ref);s=ka.call(this,n,c)}let{schemaId:i}=this.opts;if(s=s||new en({schema:r,schemaId:i,root:n,baseId:t}),s.schema!==s.root.schema)return s}o(Hc,"getJsonPointer")});var lm=C((CL,pR)=>{pR.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var Vc=C((EL,hm)=>{"use strict";var mR=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),mm=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function Bc(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(Bc,"stringArrayToHexStripped");var fR=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function pm(e){return e.length=0,!0}o(pm,"consumeIsZone");function hR(e,t,r){if(e.length){let n=Bc(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(hR,"consumeHextets");function gR(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],s=!1,i=!1,c=hR;for(let d=0;d<e.length;d++){let p=e[d];if(!(p==="["||p==="]"))if(p===":"){if(s===!0&&(i=!0),!c(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(s=!0),n.push(":");continue}else if(p==="%"){if(!c(a,n,r))break;c=pm}else{a.push(p);continue}}return a.length&&(c===pm?r.zone=a.join(""):i?n.push(a.join("")):n.push(Bc(a))),r.address=n.join(""),r}o(gR,"getIPV6");function fm(e){if(_R(e,":")<2)return{host:e,isIPV6:!1};let t=gR(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(fm,"normalizeIPv6");function _R(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(_R,"findToken");function yR(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o(yR,"removeDotSegments");function wR(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(wR,"normalizeComponentEncoding");function SR(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!mm(r)){let n=fm(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(SR,"recomposeAuthority");hm.exports={nonSimpleDomain:fR,recomposeAuthority:SR,normalizeComponentEncoding:wR,removeDotSegments:yR,isIPv4:mm,isUUID:mR,normalizeIPv6:fm,stringArrayToHexStripped:Bc}});var Sm=C((PL,wm)=>{"use strict";var{isUUID:vR}=Vc(),bR=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,RR=["http","https","ws","wss","urn","urn:uuid"];function IR(e){return RR.indexOf(e)!==-1}o(IR,"isValidSchemeName");function Fc(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(Fc,"wsIsSecure");function gm(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(gm,"httpParse");function _m(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(_m,"httpSerialize");function TR(e){return e.secure=Fc(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(TR,"wsParse");function CR(e){if((e.port===(Fc(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(CR,"wsSerialize");function ER(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(bR);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,s=Zc(a);e.path=void 0,s&&(e=s.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(ER,"urnParse");function AR(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,s=Zc(a);s&&(e=s.serialize(e,t));let i=e,c=e.nss;return i.path=`${n||t.nid}:${c}`,t.skipEscape=!0,i}o(AR,"urnSerialize");function PR(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!vR(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(PR,"urnuuidParse");function xR(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(xR,"urnuuidSerialize");var ym={scheme:"http",domainHost:!0,parse:gm,serialize:_m},kR={scheme:"https",domainHost:ym.domainHost,parse:gm,serialize:_m},Ua={scheme:"ws",domainHost:!0,parse:TR,serialize:CR},OR={scheme:"wss",domainHost:Ua.domainHost,parse:Ua.parse,serialize:Ua.serialize},UR={scheme:"urn",parse:ER,serialize:AR,skipNormalize:!0},NR={scheme:"urn:uuid",parse:PR,serialize:xR,skipNormalize:!0},Na={http:ym,https:kR,ws:Ua,wss:OR,urn:UR,"urn:uuid":NR};Object.setPrototypeOf(Na,null);function Zc(e){return e&&(Na[e]||Na[e.toLowerCase()])||void 0}o(Zc,"getSchemeHandler");wm.exports={wsIsSecure:Fc,SCHEMES:Na,isValidSchemeName:IR,getSchemeHandler:Zc}});var Rm=C((kL,za)=>{"use strict";var{normalizeIPv6:$R,removeDotSegments:io,recomposeAuthority:zR,normalizeComponentEncoding:$a,isIPv4:MR,nonSimpleDomain:DR}=Vc(),{SCHEMES:qR,getSchemeHandler:vm}=Sm();function LR(e,t){return typeof e=="string"?e=gt(Nt(e,t),t):typeof e=="object"&&(e=Nt(gt(e,t),t)),e}o(LR,"normalize");function jR(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=bm(Nt(e,n),Nt(t,n),n,!0);return n.skipEscape=!0,gt(a,n)}o(jR,"resolve");function bm(e,t,r,n){let a={};return n||(e=Nt(gt(e,r),r),t=Nt(gt(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=io(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=io(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=io(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=io(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(bm,"resolveComponent");function HR(e,t,r){return typeof e=="string"?(e=unescape(e),e=gt($a(Nt(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=gt($a(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=gt($a(Nt(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=gt($a(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(HR,"equal");function gt(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],s=vm(n.scheme||r.scheme);s&&s.serialize&&s.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let i=zR(r);if(i!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(i),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let c=r.path;!n.absolutePath&&(!s||!s.absolutePath)&&(c=io(c)),i===void 0&&c[0]==="/"&&c[1]==="/"&&(c="/%2F"+c.slice(2)),a.push(c)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(gt,"serialize");var GR=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function Nt(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let s=e.match(GR);if(s){if(n.scheme=s[1],n.userinfo=s[3],n.host=s[4],n.port=parseInt(s[5],10),n.path=s[6]||"",n.query=s[7],n.fragment=s[8],isNaN(n.port)&&(n.port=s[5]),n.host)if(MR(n.host)===!1){let d=$R(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let i=vm(r.scheme||n.scheme);if(!r.unicodeSupport&&(!i||!i.unicodeSupport)&&n.host&&(r.domainHost||i&&i.domainHost)&&a===!1&&DR(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(c){n.error=n.error||"Host's domain name can not be converted to ASCII: "+c}(!i||i&&!i.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),i&&i.parse&&i.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(Nt,"parse");var Kc={SCHEMES:qR,normalize:LR,resolve:jR,resolveComponent:bm,equal:HR,serialize:gt,parse:Nt};za.exports=Kc;za.exports.default=Kc;za.exports.fastUri=Kc});var Tm=C(Wc=>{"use strict";Object.defineProperty(Wc,"__esModule",{value:!0});var Im=Rm();Im.code='require("ajv/dist/runtime/uri").default';Wc.default=Im});var Um=C(ve=>{"use strict";Object.defineProperty(ve,"__esModule",{value:!0});ve.CodeGen=ve.Name=ve.nil=ve.stringify=ve.str=ve._=ve.KeywordCxt=void 0;var BR=ao();Object.defineProperty(ve,"KeywordCxt",{enumerable:!0,get:o(function(){return BR.KeywordCxt},"get")});var tn=D();Object.defineProperty(ve,"_",{enumerable:!0,get:o(function(){return tn._},"get")});Object.defineProperty(ve,"str",{enumerable:!0,get:o(function(){return tn.str},"get")});Object.defineProperty(ve,"stringify",{enumerable:!0,get:o(function(){return tn.stringify},"get")});Object.defineProperty(ve,"nil",{enumerable:!0,get:o(function(){return tn.nil},"get")});Object.defineProperty(ve,"Name",{enumerable:!0,get:o(function(){return tn.Name},"get")});Object.defineProperty(ve,"CodeGen",{enumerable:!0,get:o(function(){return tn.CodeGen},"get")});var VR=xa(),xm=so(),FR=Ic(),co=Oa(),ZR=D(),uo=ro(),Ma=to(),Yc=Z(),Cm=lm(),KR=Tm(),km=o((e,t)=>new RegExp(e,t),"defaultRegExp");km.code="new RegExp";var WR=["removeAdditional","useDefaults","coerceTypes"],JR=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),YR={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},XR={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},Em=200;function QR(e){var t,r,n,a,s,i,c,d,p,l,m,h,_,w,y,S,v,b,T,U,$,Be,It,gi,_i;let Un=e.strict,yi=(t=e.code)===null||t===void 0?void 0:t.optimize,Dl=yi===!0||yi===void 0?1:yi||0,ql=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:km,Pw=(a=e.uriResolver)!==null&&a!==void 0?a:KR.default;return{strictSchema:(i=(s=e.strictSchema)!==null&&s!==void 0?s:Un)!==null&&i!==void 0?i:!0,strictNumbers:(d=(c=e.strictNumbers)!==null&&c!==void 0?c:Un)!==null&&d!==void 0?d:!0,strictTypes:(l=(p=e.strictTypes)!==null&&p!==void 0?p:Un)!==null&&l!==void 0?l:"log",strictTuples:(h=(m=e.strictTuples)!==null&&m!==void 0?m:Un)!==null&&h!==void 0?h:"log",strictRequired:(w=(_=e.strictRequired)!==null&&_!==void 0?_:Un)!==null&&w!==void 0?w:!1,code:e.code?{...e.code,optimize:Dl,regExp:ql}:{optimize:Dl,regExp:ql},loopRequired:(y=e.loopRequired)!==null&&y!==void 0?y:Em,loopEnum:(S=e.loopEnum)!==null&&S!==void 0?S:Em,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(b=e.messages)!==null&&b!==void 0?b:!0,inlineRefs:(T=e.inlineRefs)!==null&&T!==void 0?T:!0,schemaId:(U=e.schemaId)!==null&&U!==void 0?U:"$id",addUsedSchema:($=e.addUsedSchema)!==null&&$!==void 0?$:!0,validateSchema:(Be=e.validateSchema)!==null&&Be!==void 0?Be:!0,validateFormats:(It=e.validateFormats)!==null&&It!==void 0?It:!0,unicodeRegExp:(gi=e.unicodeRegExp)!==null&&gi!==void 0?gi:!0,int32range:(_i=e.int32range)!==null&&_i!==void 0?_i:!0,uriResolver:Pw}}o(QR,"requiredOptions");var lo=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...QR(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new ZR.ValueScope({scope:{},prefixes:JR,es5:r,lines:n}),this.logger=aI(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,FR.getRules)(),Am.call(this,YR,t,"NOT SUPPORTED"),Am.call(this,XR,t,"DEPRECATED","warn"),this._metaOpts=nI.call(this),t.formats&&tI.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&rI.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),eI.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=Cm;n==="id"&&(a={...Cm},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(l,m){await s.call(this,l.$schema);let h=this._addSchema(l,m);return h.validate||i.call(this,h)}async function s(l){l&&!this.getSchema(l)&&await a.call(this,{$ref:l},!0)}async function i(l){try{return this._compileSchemaEnv(l)}catch(m){if(!(m instanceof xm.default))throw m;return c.call(this,m),await d.call(this,m.missingSchema),i.call(this,l)}}function c({missingSchema:l,missingRef:m}){if(this.refs[l])throw new Error(`AnySchema ${l} is loaded but ${m} cannot be resolved`)}async function d(l){let m=await p.call(this,l);this.refs[l]||await s.call(this,m.$schema),this.refs[l]||this.addSchema(m,l,r)}async function p(l){let m=this._loading[l];if(m)return m;try{return await(this._loading[l]=n(l))}finally{delete this._loading[l]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let i of t)this.addSchema(i,void 0,n,a);return this}let s;if(typeof t=="object"){let{schemaId:i}=this.opts;if(s=t[i],s!==void 0&&typeof s!="string")throw new Error(`schema ${i} must be string`)}return r=(0,uo.normalizeId)(r||s),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let s="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(s);else throw new Error(s)}return a}getSchema(t){let r;for(;typeof(r=Pm.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new co.SchemaEnv({schema:{},schemaId:n});if(r=co.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=Pm.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,uo.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(iI.call(this,n,r),!r)return(0,Yc.eachItem)(n,s=>Jc.call(this,s)),this;uI.call(this,r);let a={...r,type:(0,Ma.getJSONTypes)(r.type),schemaType:(0,Ma.getJSONTypes)(r.schemaType)};return(0,Yc.eachItem)(n,a.type.length===0?s=>Jc.call(this,s,a):s=>a.type.forEach(i=>Jc.call(this,s,a,i))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(s=>s.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,s)=>a+r+s)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let s=a.split("/").slice(1),i=t;for(let c of s)i=i[c];for(let c in n){let d=n[c];if(typeof d!="object")continue;let{$data:p}=d.definition,l=i[c];p&&l&&(i[c]=Om(l))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,s=this.opts.addUsedSchema){let i,{schemaId:c}=this.opts;if(typeof t=="object")i=t[c];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,uo.normalizeId)(i||n);let p=uo.getSchemaRefs.call(this,t,n);return d=new co.SchemaEnv({schema:t,schemaId:c,meta:r,baseId:n,localRefs:p}),this._cache.set(d.schema,d),s&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):co.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{co.compileSchema.call(this,t)}finally{this.opts=r}}};lo.ValidationError=VR.default;lo.MissingRefError=xm.default;ve.default=lo;function Am(e,t,r,n="error"){for(let a in e){let s=a;s in t&&this.logger[n](`${r}: option ${a}. ${e[s]}`)}}o(Am,"checkOptions");function Pm(e){return e=(0,uo.normalizeId)(e),this.schemas[e]||this.refs[e]}o(Pm,"getSchEnv");function eI(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(eI,"addInitialSchemas");function tI(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(tI,"addInitialFormats");function rI(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(rI,"addInitialKeywords");function nI(){let e={...this.opts};for(let t of WR)delete e[t];return e}o(nI,"getMetaSchemaOptions");var oI={log(){},warn(){},error(){}};function aI(e){if(e===!1)return oI;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(aI,"getLogger");var sI=/^[a-z_$][a-z0-9_$:-]*$/i;function iI(e,t){let{RULES:r}=this;if((0,Yc.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!sI.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(iI,"checkKeyword");function Jc(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:s}=this,i=a?s.post:s.rules.find(({type:d})=>d===r);if(i||(i={type:r,rules:[]},s.rules.push(i)),s.keywords[e]=!0,!t)return;let c={keyword:e,definition:{...t,type:(0,Ma.getJSONTypes)(t.type),schemaType:(0,Ma.getJSONTypes)(t.schemaType)}};t.before?cI.call(this,i,c,t.before):i.rules.push(c),s.all[e]=c,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(Jc,"addRule");function cI(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(cI,"addBeforeRule");function uI(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=Om(t)),e.validateSchema=this.compile(t,!0))}o(uI,"keywordMetaschema");var dI={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function Om(e){return{anyOf:[e,dI]}}o(Om,"schemaOrData")});var Nm=C(Xc=>{"use strict";Object.defineProperty(Xc,"__esModule",{value:!0});var lI={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};Xc.default=lI});var Dm=C(Ir=>{"use strict";Object.defineProperty(Ir,"__esModule",{value:!0});Ir.callRef=Ir.getValidate=void 0;var pI=so(),$m=Ye(),qe=D(),rn=Ot(),zm=Oa(),Da=Z(),mI={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:s,validateName:i,opts:c,self:d}=n,{root:p}=s;if((r==="#"||r==="#/")&&a===p.baseId)return m();let l=zm.resolveRef.call(d,p,a,r);if(l===void 0)throw new pI.default(n.opts.uriResolver,a,r);if(l instanceof zm.SchemaEnv)return h(l);return _(l);function m(){if(s===p)return qa(e,i,s,s.$async);let w=t.scopeValue("root",{ref:p});return qa(e,(0,qe._)`${w}.validate`,p,p.$async)}function h(w){let y=Mm(e,w);qa(e,y,w,w.$async)}function _(w){let y=t.scopeValue("schema",c.code.source===!0?{ref:w,code:(0,qe.stringify)(w)}:{ref:w}),S=t.name("valid"),v=e.subschema({schema:w,dataTypes:[],schemaPath:qe.nil,topSchemaRef:y,errSchemaPath:r},S);e.mergeEvaluated(v),e.ok(S)}}};function Mm(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,qe._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(Mm,"getValidate");Ir.getValidate=Mm;function qa(e,t,r,n){let{gen:a,it:s}=e,{allErrors:i,schemaEnv:c,opts:d}=s,p=d.passContext?rn.default.this:qe.nil;n?l():m();function l(){if(!c.$async)throw new Error("async schema referenced by sync schema");let w=a.let("valid");a.try(()=>{a.code((0,qe._)`await ${(0,$m.callValidateCode)(e,t,p)}`),_(t),i||a.assign(w,!0)},y=>{a.if((0,qe._)`!(${y} instanceof ${s.ValidationError})`,()=>a.throw(y)),h(y),i||a.assign(w,!1)}),e.ok(w)}o(l,"callAsyncRef");function m(){e.result((0,$m.callValidateCode)(e,t,p),()=>_(t),()=>h(t))}o(m,"callSyncRef");function h(w){let y=(0,qe._)`${w}.errors`;a.assign(rn.default.vErrors,(0,qe._)`${rn.default.vErrors} === null ? ${y} : ${rn.default.vErrors}.concat(${y})`),a.assign(rn.default.errors,(0,qe._)`${rn.default.vErrors}.length`)}o(h,"addErrorsFrom");function _(w){var y;if(!s.opts.unevaluated)return;let S=(y=r?.validate)===null||y===void 0?void 0:y.evaluated;if(s.props!==!0)if(S&&!S.dynamicProps)S.props!==void 0&&(s.props=Da.mergeEvaluated.props(a,S.props,s.props));else{let v=a.var("props",(0,qe._)`${w}.evaluated.props`);s.props=Da.mergeEvaluated.props(a,v,s.props,qe.Name)}if(s.items!==!0)if(S&&!S.dynamicItems)S.items!==void 0&&(s.items=Da.mergeEvaluated.items(a,S.items,s.items));else{let v=a.var("items",(0,qe._)`${w}.evaluated.items`);s.items=Da.mergeEvaluated.items(a,v,s.items,qe.Name)}}o(_,"addEvaluatedFrom")}o(qa,"callRef");Ir.callRef=qa;Ir.default=mI});var qm=C(Qc=>{"use strict";Object.defineProperty(Qc,"__esModule",{value:!0});var fI=Nm(),hI=Dm(),gI=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",fI.default,hI.default];Qc.default=gI});var Lm=C(eu=>{"use strict";Object.defineProperty(eu,"__esModule",{value:!0});var La=D(),nr=La.operators,ja={maximum:{okStr:"<=",ok:nr.LTE,fail:nr.GT},minimum:{okStr:">=",ok:nr.GTE,fail:nr.LT},exclusiveMaximum:{okStr:"<",ok:nr.LT,fail:nr.GTE},exclusiveMinimum:{okStr:">",ok:nr.GT,fail:nr.LTE}},_I={message:o(({keyword:e,schemaCode:t})=>(0,La.str)`must be ${ja[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,La._)`{comparison: ${ja[e].okStr}, limit: ${t}}`,"params")},yI={keyword:Object.keys(ja),type:"number",schemaType:"number",$data:!0,error:_I,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,La._)`${r} ${ja[t].fail} ${n} || isNaN(${r})`)}};eu.default=yI});var jm=C(tu=>{"use strict";Object.defineProperty(tu,"__esModule",{value:!0});var po=D(),wI={message:o(({schemaCode:e})=>(0,po.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,po._)`{multipleOf: ${e}}`,"params")},SI={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:wI,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,s=a.opts.multipleOfPrecision,i=t.let("res"),c=s?(0,po._)`Math.abs(Math.round(${i}) - ${i}) > 1e-${s}`:(0,po._)`${i} !== parseInt(${i})`;e.fail$data((0,po._)`(${n} === 0 || (${i} = ${r}/${n}, ${c}))`)}};tu.default=SI});var Gm=C(ru=>{"use strict";Object.defineProperty(ru,"__esModule",{value:!0});function Hm(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(Hm,"ucs2length");ru.default=Hm;Hm.code='require("ajv/dist/runtime/ucs2length").default'});var Bm=C(nu=>{"use strict";Object.defineProperty(nu,"__esModule",{value:!0});var Tr=D(),vI=Z(),bI=Gm(),RI={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,Tr.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,Tr._)`{limit: ${e}}`,"params")},II={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:RI,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,s=t==="maxLength"?Tr.operators.GT:Tr.operators.LT,i=a.opts.unicode===!1?(0,Tr._)`${r}.length`:(0,Tr._)`${(0,vI.useFunc)(e.gen,bI.default)}(${r})`;e.fail$data((0,Tr._)`${i} ${s} ${n}`)}};nu.default=II});var Vm=C(ou=>{"use strict";Object.defineProperty(ou,"__esModule",{value:!0});var TI=Ye(),Ha=D(),CI={message:o(({schemaCode:e})=>(0,Ha.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,Ha._)`{pattern: ${e}}`,"params")},EI={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:CI,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:s}=e,i=s.opts.unicodeRegExp?"u":"",c=r?(0,Ha._)`(new RegExp(${a}, ${i}))`:(0,TI.usePattern)(e,n);e.fail$data((0,Ha._)`!${c}.test(${t})`)}};ou.default=EI});var Fm=C(au=>{"use strict";Object.defineProperty(au,"__esModule",{value:!0});var mo=D(),AI={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,mo.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,mo._)`{limit: ${e}}`,"params")},PI={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:AI,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?mo.operators.GT:mo.operators.LT;e.fail$data((0,mo._)`Object.keys(${r}).length ${a} ${n}`)}};au.default=PI});var Zm=C(su=>{"use strict";Object.defineProperty(su,"__esModule",{value:!0});var fo=Ye(),ho=D(),xI=Z(),kI={message:o(({params:{missingProperty:e}})=>(0,ho.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,ho._)`{missingProperty: ${e}}`,"params")},OI={keyword:"required",type:"object",schemaType:"array",$data:!0,error:kI,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:s,it:i}=e,{opts:c}=i;if(!s&&r.length===0)return;let d=r.length>=c.loopRequired;if(i.allErrors?p():l(),c.strictRequired){let _=e.parentSchema.properties,{definedProperties:w}=e.it;for(let y of r)if(_?.[y]===void 0&&!w.has(y)){let S=i.schemaEnv.baseId+i.errSchemaPath,v=`required property "${y}" is not defined at "${S}" (strictRequired)`;(0,xI.checkStrictMode)(i,v,i.opts.strictRequired)}}function p(){if(d||s)e.block$data(ho.nil,m);else for(let _ of r)(0,fo.checkReportMissingProp)(e,_)}o(p,"allErrorsMode");function l(){let _=t.let("missing");if(d||s){let w=t.let("valid",!0);e.block$data(w,()=>h(_,w)),e.ok(w)}else t.if((0,fo.checkMissingProp)(e,r,_)),(0,fo.reportMissingProp)(e,_),t.else()}o(l,"exitOnErrorMode");function m(){t.forOf("prop",n,_=>{e.setParams({missingProperty:_}),t.if((0,fo.noPropertyInData)(t,a,_,c.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function h(_,w){e.setParams({missingProperty:_}),t.forOf(_,n,()=>{t.assign(w,(0,fo.propertyInData)(t,a,_,c.ownProperties)),t.if((0,ho.not)(w),()=>{e.error(),t.break()})},ho.nil)}o(h,"loopUntilMissing")}};su.default=OI});var Km=C(iu=>{"use strict";Object.defineProperty(iu,"__esModule",{value:!0});var go=D(),UI={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,go.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,go._)`{limit: ${e}}`,"params")},NI={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:UI,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?go.operators.GT:go.operators.LT;e.fail$data((0,go._)`${r}.length ${a} ${n}`)}};iu.default=NI});var Ga=C(cu=>{"use strict";Object.defineProperty(cu,"__esModule",{value:!0});var Wm=Oc();Wm.code='require("ajv/dist/runtime/equal").default';cu.default=Wm});var Jm=C(du=>{"use strict";Object.defineProperty(du,"__esModule",{value:!0});var uu=to(),be=D(),$I=Z(),zI=Ga(),MI={message:o(({params:{i:e,j:t}})=>(0,be.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,be._)`{i: ${e}, j: ${t}}`,"params")},DI={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:MI,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:s,schemaCode:i,it:c}=e;if(!n&&!a)return;let d=t.let("valid"),p=s.items?(0,uu.getSchemaTypes)(s.items):[];e.block$data(d,l,(0,be._)`${i} === false`),e.ok(d);function l(){let w=t.let("i",(0,be._)`${r}.length`),y=t.let("j");e.setParams({i:w,j:y}),t.assign(d,!0),t.if((0,be._)`${w} > 1`,()=>(m()?h:_)(w,y))}o(l,"validateUniqueItems");function m(){return p.length>0&&!p.some(w=>w==="object"||w==="array")}o(m,"canOptimize");function h(w,y){let S=t.name("item"),v=(0,uu.checkDataTypes)(p,S,c.opts.strictNumbers,uu.DataType.Wrong),b=t.const("indices",(0,be._)`{}`);t.for((0,be._)`;${w}--;`,()=>{t.let(S,(0,be._)`${r}[${w}]`),t.if(v,(0,be._)`continue`),p.length>1&&t.if((0,be._)`typeof ${S} == "string"`,(0,be._)`${S} += "_"`),t.if((0,be._)`typeof ${b}[${S}] == "number"`,()=>{t.assign(y,(0,be._)`${b}[${S}]`),e.error(),t.assign(d,!1).break()}).code((0,be._)`${b}[${S}] = ${w}`)})}o(h,"loopN");function _(w,y){let S=(0,$I.useFunc)(t,zI.default),v=t.name("outer");t.label(v).for((0,be._)`;${w}--;`,()=>t.for((0,be._)`${y} = ${w}; ${y}--;`,()=>t.if((0,be._)`${S}(${r}[${w}], ${r}[${y}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(_,"loopN2")}};du.default=DI});var Ym=C(pu=>{"use strict";Object.defineProperty(pu,"__esModule",{value:!0});var lu=D(),qI=Z(),LI=Ga(),jI={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,lu._)`{allowedValue: ${e}}`,"params")},HI={keyword:"const",$data:!0,error:jI,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:s}=e;n||s&&typeof s=="object"?e.fail$data((0,lu._)`!${(0,qI.useFunc)(t,LI.default)}(${r}, ${a})`):e.fail((0,lu._)`${s} !== ${r}`)}};pu.default=HI});var Xm=C(mu=>{"use strict";Object.defineProperty(mu,"__esModule",{value:!0});var _o=D(),GI=Z(),BI=Ga(),VI={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,_o._)`{allowedValues: ${e}}`,"params")},FI={keyword:"enum",schemaType:"array",$data:!0,error:VI,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:s,it:i}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let c=a.length>=i.opts.loopEnum,d,p=o(()=>d??(d=(0,GI.useFunc)(t,BI.default)),"getEql"),l;if(c||n)l=t.let("valid"),e.block$data(l,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let _=t.const("vSchema",s);l=(0,_o.or)(...a.map((w,y)=>h(_,y)))}e.pass(l);function m(){t.assign(l,!1),t.forOf("v",s,_=>t.if((0,_o._)`${p()}(${r}, ${_})`,()=>t.assign(l,!0).break()))}o(m,"loopEnum");function h(_,w){let y=a[w];return typeof y=="object"&&y!==null?(0,_o._)`${p()}(${r}, ${_}[${w}])`:(0,_o._)`${r} === ${y}`}o(h,"equalCode")}};mu.default=FI});var Qm=C(fu=>{"use strict";Object.defineProperty(fu,"__esModule",{value:!0});var ZI=Lm(),KI=jm(),WI=Bm(),JI=Vm(),YI=Fm(),XI=Zm(),QI=Km(),eT=Jm(),tT=Ym(),rT=Xm(),nT=[ZI.default,KI.default,WI.default,JI.default,YI.default,XI.default,QI.default,eT.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},tT.default,rT.default];fu.default=nT});var gu=C(yo=>{"use strict";Object.defineProperty(yo,"__esModule",{value:!0});yo.validateAdditionalItems=void 0;var Cr=D(),hu=Z(),oT={message:o(({params:{len:e}})=>(0,Cr.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,Cr._)`{limit: ${e}}`,"params")},aT={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:oT,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,hu.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}ef(e,n)}};function ef(e,t){let{gen:r,schema:n,data:a,keyword:s,it:i}=e;i.items=!0;let c=r.const("len",(0,Cr._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,Cr._)`${c} <= ${t.length}`);else if(typeof n=="object"&&!(0,hu.alwaysValidSchema)(i,n)){let p=r.var("valid",(0,Cr._)`${c} <= ${t.length}`);r.if((0,Cr.not)(p),()=>d(p)),e.ok(p)}function d(p){r.forRange("i",t.length,c,l=>{e.subschema({keyword:s,dataProp:l,dataPropType:hu.Type.Num},p),i.allErrors||r.if((0,Cr.not)(p),()=>r.break())})}o(d,"validateItems")}o(ef,"validateAdditionalItems");yo.validateAdditionalItems=ef;yo.default=aT});var _u=C(wo=>{"use strict";Object.defineProperty(wo,"__esModule",{value:!0});wo.validateTuple=void 0;var tf=D(),Ba=Z(),sT=Ye(),iT={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return rf(e,"additionalItems",t);r.items=!0,!(0,Ba.alwaysValidSchema)(r,t)&&e.ok((0,sT.validateArray)(e))}};function rf(e,t,r=e.schema){let{gen:n,parentSchema:a,data:s,keyword:i,it:c}=e;l(a),c.opts.unevaluated&&r.length&&c.items!==!0&&(c.items=Ba.mergeEvaluated.items(n,r.length,c.items));let d=n.name("valid"),p=n.const("len",(0,tf._)`${s}.length`);r.forEach((m,h)=>{(0,Ba.alwaysValidSchema)(c,m)||(n.if((0,tf._)`${p} > ${h}`,()=>e.subschema({keyword:i,schemaProp:h,dataProp:h},d)),e.ok(d))});function l(m){let{opts:h,errSchemaPath:_}=c,w=r.length,y=w===m.minItems&&(w===m.maxItems||m[t]===!1);if(h.strictTuples&&!y){let S=`"${i}" is ${w}-tuple, but minItems or maxItems/${t} are not specified or different at path "${_}"`;(0,Ba.checkStrictMode)(c,S,h.strictTuples)}}o(l,"checkStrictTuple")}o(rf,"validateTuple");wo.validateTuple=rf;wo.default=iT});var nf=C(yu=>{"use strict";Object.defineProperty(yu,"__esModule",{value:!0});var cT=_u(),uT={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,cT.validateTuple)(e,"items"),"code")};yu.default=uT});var af=C(wu=>{"use strict";Object.defineProperty(wu,"__esModule",{value:!0});var of=D(),dT=Z(),lT=Ye(),pT=gu(),mT={message:o(({params:{len:e}})=>(0,of.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,of._)`{limit: ${e}}`,"params")},fT={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:mT,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,dT.alwaysValidSchema)(n,t)&&(a?(0,pT.validateAdditionalItems)(e,a):e.ok((0,lT.validateArray)(e)))}};wu.default=fT});var sf=C(Su=>{"use strict";Object.defineProperty(Su,"__esModule",{value:!0});var Qe=D(),Va=Z(),hT={message:o(({params:{min:e,max:t}})=>t===void 0?(0,Qe.str)`must contain at least ${e} valid item(s)`:(0,Qe.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,Qe._)`{minContains: ${e}}`:(0,Qe._)`{minContains: ${e}, maxContains: ${t}}`,"params")},gT={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:hT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:s}=e,i,c,{minContains:d,maxContains:p}=n;s.opts.next?(i=d===void 0?1:d,c=p):i=1;let l=t.const("len",(0,Qe._)`${a}.length`);if(e.setParams({min:i,max:c}),c===void 0&&i===0){(0,Va.checkStrictMode)(s,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(c!==void 0&&i>c){(0,Va.checkStrictMode)(s,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,Va.alwaysValidSchema)(s,r)){let y=(0,Qe._)`${l} >= ${i}`;c!==void 0&&(y=(0,Qe._)`${y} && ${l} <= ${c}`),e.pass(y);return}s.items=!0;let m=t.name("valid");c===void 0&&i===1?_(m,()=>t.if(m,()=>t.break())):i===0?(t.let(m,!0),c!==void 0&&t.if((0,Qe._)`${a}.length > 0`,h)):(t.let(m,!1),h()),e.result(m,()=>e.reset());function h(){let y=t.name("_valid"),S=t.let("count",0);_(y,()=>t.if(y,()=>w(S)))}o(h,"validateItemsWithCount");function _(y,S){t.forRange("i",0,l,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:Va.Type.Num,compositeRule:!0},y),S()})}o(_,"validateItems");function w(y){t.code((0,Qe._)`${y}++`),c===void 0?t.if((0,Qe._)`${y} >= ${i}`,()=>t.assign(m,!0).break()):(t.if((0,Qe._)`${y} > ${c}`,()=>t.assign(m,!1).break()),i===1?t.assign(m,!0):t.if((0,Qe._)`${y} >= ${i}`,()=>t.assign(m,!0)))}o(w,"checkLimits")}};Su.default=gT});var df=C(_t=>{"use strict";Object.defineProperty(_t,"__esModule",{value:!0});_t.validateSchemaDeps=_t.validatePropertyDeps=_t.error=void 0;var vu=D(),_T=Z(),So=Ye();_t.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,vu.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,vu._)`{property: ${e},
+    missingProperty: ${n},
+    depsCount: ${t},
+    deps: ${r}}`,"params")};var yT={keyword:"dependencies",type:"object",schemaType:"object",error:_t.error,code(e){let[t,r]=wT(e);cf(e,t),uf(e,r)}};function wT({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(wT,"splitDependencies");function cf(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let s=r.let("missing");for(let i in t){let c=t[i];if(c.length===0)continue;let d=(0,So.propertyInData)(r,n,i,a.opts.ownProperties);e.setParams({property:i,depsCount:c.length,deps:c.join(", ")}),a.allErrors?r.if(d,()=>{for(let p of c)(0,So.checkReportMissingProp)(e,p)}):(r.if((0,vu._)`${d} && (${(0,So.checkMissingProp)(e,c,s)})`),(0,So.reportMissingProp)(e,s),r.else())}}o(cf,"validatePropertyDeps");_t.validatePropertyDeps=cf;function uf(e,t=e.schema){let{gen:r,data:n,keyword:a,it:s}=e,i=r.name("valid");for(let c in t)(0,_T.alwaysValidSchema)(s,t[c])||(r.if((0,So.propertyInData)(r,n,c,s.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:c},i);e.mergeValidEvaluated(d,i)},()=>r.var(i,!0)),e.ok(i))}o(uf,"validateSchemaDeps");_t.validateSchemaDeps=uf;_t.default=yT});var pf=C(bu=>{"use strict";Object.defineProperty(bu,"__esModule",{value:!0});var lf=D(),ST=Z(),vT={message:"property name must be valid",params:o(({params:e})=>(0,lf._)`{propertyName: ${e.propertyName}}`,"params")},bT={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:vT,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,ST.alwaysValidSchema)(a,r))return;let s=t.name("valid");t.forIn("key",n,i=>{e.setParams({propertyName:i}),e.subschema({keyword:"propertyNames",data:i,dataTypes:["string"],propertyName:i,compositeRule:!0},s),t.if((0,lf.not)(s),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(s)}};bu.default=bT});var Iu=C(Ru=>{"use strict";Object.defineProperty(Ru,"__esModule",{value:!0});var Fa=Ye(),it=D(),RT=Ot(),Za=Z(),IT={message:"must NOT have additional properties",params:o(({params:e})=>(0,it._)`{additionalProperty: ${e.additionalProperty}}`,"params")},TT={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:IT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:s,it:i}=e;if(!s)throw new Error("ajv implementation error");let{allErrors:c,opts:d}=i;if(i.props=!0,d.removeAdditional!=="all"&&(0,Za.alwaysValidSchema)(i,r))return;let p=(0,Fa.allSchemaProperties)(n.properties),l=(0,Fa.allSchemaProperties)(n.patternProperties);m(),e.ok((0,it._)`${s} === ${RT.default.errors}`);function m(){t.forIn("key",a,S=>{!p.length&&!l.length?w(S):t.if(h(S),()=>w(S))})}o(m,"checkAdditionalProperties");function h(S){let v;if(p.length>8){let b=(0,Za.schemaRefOrVal)(i,n.properties,"properties");v=(0,Fa.isOwnProperty)(t,b,S)}else p.length?v=(0,it.or)(...p.map(b=>(0,it._)`${S} === ${b}`)):v=it.nil;return l.length&&(v=(0,it.or)(v,...l.map(b=>(0,it._)`${(0,Fa.usePattern)(e,b)}.test(${S})`))),(0,it.not)(v)}o(h,"isAdditional");function _(S){t.code((0,it._)`delete ${a}[${S}]`)}o(_,"deleteAdditional");function w(S){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){_(S);return}if(r===!1){e.setParams({additionalProperty:S}),e.error(),c||t.break();return}if(typeof r=="object"&&!(0,Za.alwaysValidSchema)(i,r)){let v=t.name("valid");d.removeAdditional==="failing"?(y(S,v,!1),t.if((0,it.not)(v),()=>{e.reset(),_(S)})):(y(S,v),c||t.if((0,it.not)(v),()=>t.break()))}}o(w,"additionalPropertyCode");function y(S,v,b){let T={keyword:"additionalProperties",dataProp:S,dataPropType:Za.Type.Str};b===!1&&Object.assign(T,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(T,v)}o(y,"applyAdditionalSchema")}};Ru.default=TT});var hf=C(Cu=>{"use strict";Object.defineProperty(Cu,"__esModule",{value:!0});var CT=ao(),mf=Ye(),Tu=Z(),ff=Iu(),ET={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:s}=e;s.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&ff.default.code(new CT.KeywordCxt(s,ff.default,"additionalProperties"));let i=(0,mf.allSchemaProperties)(r);for(let m of i)s.definedProperties.add(m);s.opts.unevaluated&&i.length&&s.props!==!0&&(s.props=Tu.mergeEvaluated.props(t,(0,Tu.toHash)(i),s.props));let c=i.filter(m=>!(0,Tu.alwaysValidSchema)(s,r[m]));if(c.length===0)return;let d=t.name("valid");for(let m of c)p(m)?l(m):(t.if((0,mf.propertyInData)(t,a,m,s.opts.ownProperties)),l(m),s.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function p(m){return s.opts.useDefaults&&!s.compositeRule&&r[m].default!==void 0}o(p,"hasDefault");function l(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(l,"applyPropertySchema")}};Cu.default=ET});var wf=C(Eu=>{"use strict";Object.defineProperty(Eu,"__esModule",{value:!0});var gf=Ye(),Ka=D(),_f=Z(),yf=Z(),AT={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:s}=e,{opts:i}=s,c=(0,gf.allSchemaProperties)(r),d=c.filter(y=>(0,_f.alwaysValidSchema)(s,r[y]));if(c.length===0||d.length===c.length&&(!s.opts.unevaluated||s.props===!0))return;let p=i.strictSchema&&!i.allowMatchingProperties&&a.properties,l=t.name("valid");s.props!==!0&&!(s.props instanceof Ka.Name)&&(s.props=(0,yf.evaluatedPropsToName)(t,s.props));let{props:m}=s;h();function h(){for(let y of c)p&&_(y),s.allErrors?w(y):(t.var(l,!0),w(y),t.if(l))}o(h,"validatePatternProperties");function _(y){for(let S in p)new RegExp(y).test(S)&&(0,_f.checkStrictMode)(s,`property ${S} matches pattern ${y} (use allowMatchingProperties)`)}o(_,"checkMatchingProperties");function w(y){t.forIn("key",n,S=>{t.if((0,Ka._)`${(0,gf.usePattern)(e,y)}.test(${S})`,()=>{let v=d.includes(y);v||e.subschema({keyword:"patternProperties",schemaProp:y,dataProp:S,dataPropType:yf.Type.Str},l),s.opts.unevaluated&&m!==!0?t.assign((0,Ka._)`${m}[${S}]`,!0):!v&&!s.allErrors&&t.if((0,Ka.not)(l),()=>t.break())})})}o(w,"validateProperties")}};Eu.default=AT});var Sf=C(Au=>{"use strict";Object.defineProperty(Au,"__esModule",{value:!0});var PT=Z(),xT={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,PT.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Au.default=xT});var vf=C(Pu=>{"use strict";Object.defineProperty(Pu,"__esModule",{value:!0});var kT=Ye(),OT={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:kT.validateUnion,error:{message:"must match a schema in anyOf"}};Pu.default=OT});var bf=C(xu=>{"use strict";Object.defineProperty(xu,"__esModule",{value:!0});var Wa=D(),UT=Z(),NT={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,Wa._)`{passingSchemas: ${e.passing}}`,"params")},$T={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:NT,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let s=r,i=t.let("valid",!1),c=t.let("passing",null),d=t.name("_valid");e.setParams({passing:c}),t.block(p),e.result(i,()=>e.reset(),()=>e.error(!0));function p(){s.forEach((l,m)=>{let h;(0,UT.alwaysValidSchema)(a,l)?t.var(d,!0):h=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,Wa._)`${d} && ${i}`).assign(i,!1).assign(c,(0,Wa._)`[${c}, ${m}]`).else(),t.if(d,()=>{t.assign(i,!0),t.assign(c,m),h&&e.mergeEvaluated(h,Wa.Name)})})}o(p,"validateOneOf")}};xu.default=$T});var Rf=C(ku=>{"use strict";Object.defineProperty(ku,"__esModule",{value:!0});var zT=Z(),MT={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((s,i)=>{if((0,zT.alwaysValidSchema)(n,s))return;let c=e.subschema({keyword:"allOf",schemaProp:i},a);e.ok(a),e.mergeEvaluated(c)})}};ku.default=MT});var Cf=C(Ou=>{"use strict";Object.defineProperty(Ou,"__esModule",{value:!0});var Ja=D(),Tf=Z(),DT={message:o(({params:e})=>(0,Ja.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,Ja._)`{failingKeyword: ${e.ifClause}}`,"params")},qT={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:DT,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,Tf.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=If(n,"then"),s=If(n,"else");if(!a&&!s)return;let i=t.let("valid",!0),c=t.name("_valid");if(d(),e.reset(),a&&s){let l=t.let("ifClause");e.setParams({ifClause:l}),t.if(c,p("then",l),p("else",l))}else a?t.if(c,p("then")):t.if((0,Ja.not)(c),p("else"));e.pass(i,()=>e.error(!0));function d(){let l=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},c);e.mergeEvaluated(l)}o(d,"validateIf");function p(l,m){return()=>{let h=e.subschema({keyword:l},c);t.assign(i,c),e.mergeValidEvaluated(h,i),m?t.assign(m,(0,Ja._)`${l}`):e.setParams({ifClause:l})}}o(p,"validateClause")}};function If(e,t){let r=e.schema[t];return r!==void 0&&!(0,Tf.alwaysValidSchema)(e,r)}o(If,"hasSchema");Ou.default=qT});var Ef=C(Uu=>{"use strict";Object.defineProperty(Uu,"__esModule",{value:!0});var LT=Z(),jT={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,LT.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};Uu.default=jT});var Af=C(Nu=>{"use strict";Object.defineProperty(Nu,"__esModule",{value:!0});var HT=gu(),GT=nf(),BT=_u(),VT=af(),FT=sf(),ZT=df(),KT=pf(),WT=Iu(),JT=hf(),YT=wf(),XT=Sf(),QT=vf(),eC=bf(),tC=Rf(),rC=Cf(),nC=Ef();function oC(e=!1){let t=[XT.default,QT.default,eC.default,tC.default,rC.default,nC.default,KT.default,WT.default,ZT.default,JT.default,YT.default];return e?t.push(GT.default,VT.default):t.push(HT.default,BT.default),t.push(FT.default),t}o(oC,"getApplicator");Nu.default=oC});var Pf=C($u=>{"use strict";Object.defineProperty($u,"__esModule",{value:!0});var de=D(),aC={message:o(({schemaCode:e})=>(0,de.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,de._)`{format: ${e}}`,"params")},sC={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:aC,code(e,t){let{gen:r,data:n,$data:a,schema:s,schemaCode:i,it:c}=e,{opts:d,errSchemaPath:p,schemaEnv:l,self:m}=c;if(!d.validateFormats)return;a?h():_();function h(){let w=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),y=r.const("fDef",(0,de._)`${w}[${i}]`),S=r.let("fType"),v=r.let("format");r.if((0,de._)`typeof ${y} == "object" && !(${y} instanceof RegExp)`,()=>r.assign(S,(0,de._)`${y}.type || "string"`).assign(v,(0,de._)`${y}.validate`),()=>r.assign(S,(0,de._)`"string"`).assign(v,y)),e.fail$data((0,de.or)(b(),T()));function b(){return d.strictSchema===!1?de.nil:(0,de._)`${i} && !${v}`}o(b,"unknownFmt");function T(){let U=l.$async?(0,de._)`(${y}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,de._)`${v}(${n})`,$=(0,de._)`(typeof ${v} == "function" ? ${U} : ${v}.test(${n}))`;return(0,de._)`${v} && ${v} !== true && ${S} === ${t} && !${$}`}o(T,"invalidFmt")}o(h,"validate$DataFormat");function _(){let w=m.formats[s];if(!w){b();return}if(w===!0)return;let[y,S,v]=T(w);y===t&&e.pass(U());function b(){if(d.strictSchema===!1){m.logger.warn($());return}throw new Error($());function $(){return`unknown format "${s}" ignored in schema at path "${p}"`}}o(b,"unknownFormat");function T($){let Be=$ instanceof RegExp?(0,de.regexpCode)($):d.code.formats?(0,de._)`${d.code.formats}${(0,de.getProperty)(s)}`:void 0,It=r.scopeValue("formats",{key:s,ref:$,code:Be});return typeof $=="object"&&!($ instanceof RegExp)?[$.type||"string",$.validate,(0,de._)`${It}.validate`]:["string",$,It]}o(T,"getFormat");function U(){if(typeof w=="object"&&!(w instanceof RegExp)&&w.async){if(!l.$async)throw new Error("async format in sync schema");return(0,de._)`await ${v}(${n})`}return typeof S=="function"?(0,de._)`${v}(${n})`:(0,de._)`${v}.test(${n})`}o(U,"validCondition")}o(_,"validateFormat")}};$u.default=sC});var xf=C(zu=>{"use strict";Object.defineProperty(zu,"__esModule",{value:!0});var iC=Pf(),cC=[iC.default];zu.default=cC});var kf=C(nn=>{"use strict";Object.defineProperty(nn,"__esModule",{value:!0});nn.contentVocabulary=nn.metadataVocabulary=void 0;nn.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];nn.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var Uf=C(Mu=>{"use strict";Object.defineProperty(Mu,"__esModule",{value:!0});var uC=qm(),dC=Qm(),lC=Af(),pC=xf(),Of=kf(),mC=[uC.default,dC.default,(0,lC.default)(),pC.default,Of.metadataVocabulary,Of.contentVocabulary];Mu.default=mC});var $f=C(Ya=>{"use strict";Object.defineProperty(Ya,"__esModule",{value:!0});Ya.DiscrError=void 0;var Nf;(function(e){e.Tag="tag",e.Mapping="mapping"})(Nf||(Ya.DiscrError=Nf={}))});var Mf=C(qu=>{"use strict";Object.defineProperty(qu,"__esModule",{value:!0});var on=D(),Du=$f(),zf=Oa(),fC=so(),hC=Z(),gC={message:o(({params:{discrError:e,tagName:t}})=>e===Du.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,on._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},_C={keyword:"discriminator",type:"object",schemaType:"object",error:gC,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:s}=e,{oneOf:i}=a;if(!s.opts.discriminator)throw new Error("discriminator: requires discriminator option");let c=n.propertyName;if(typeof c!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!i)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),p=t.const("tag",(0,on._)`${r}${(0,on.getProperty)(c)}`);t.if((0,on._)`typeof ${p} == "string"`,()=>l(),()=>e.error(!1,{discrError:Du.DiscrError.Tag,tag:p,tagName:c})),e.ok(d);function l(){let _=h();t.if(!1);for(let w in _)t.elseIf((0,on._)`${p} === ${w}`),t.assign(d,m(_[w]));t.else(),e.error(!1,{discrError:Du.DiscrError.Mapping,tag:p,tagName:c}),t.endIf()}o(l,"validateMapping");function m(_){let w=t.name("valid"),y=e.subschema({keyword:"oneOf",schemaProp:_},w);return e.mergeEvaluated(y,on.Name),w}o(m,"applyTagSchema");function h(){var _;let w={},y=v(a),S=!0;for(let U=0;U<i.length;U++){let $=i[U];if($?.$ref&&!(0,hC.schemaHasRulesButRef)($,s.self.RULES)){let It=$.$ref;if($=zf.resolveRef.call(s.self,s.schemaEnv.root,s.baseId,It),$ instanceof zf.SchemaEnv&&($=$.schema),$===void 0)throw new fC.default(s.opts.uriResolver,s.baseId,It)}let Be=(_=$?.properties)===null||_===void 0?void 0:_[c];if(typeof Be!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${c}"`);S=S&&(y||v($)),b(Be,U)}if(!S)throw new Error(`discriminator: "${c}" must be required`);return w;function v({required:U}){return Array.isArray(U)&&U.includes(c)}function b(U,$){if(U.const)T(U.const,$);else if(U.enum)for(let Be of U.enum)T(Be,$);else throw new Error(`discriminator: "properties/${c}" must have "const" or "enum"`)}function T(U,$){if(typeof U!="string"||U in w)throw new Error(`discriminator: "${c}" values must be unique strings`);w[U]=$}}o(h,"getMapping")}};qu.default=_C});var Df=C((K1,yC)=>{yC.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var ju=C((re,Lu)=>{"use strict";Object.defineProperty(re,"__esModule",{value:!0});re.MissingRefError=re.ValidationError=re.CodeGen=re.Name=re.nil=re.stringify=re.str=re._=re.KeywordCxt=re.Ajv=void 0;var wC=Um(),SC=Uf(),vC=Mf(),qf=Df(),bC=["/properties"],Xa="http://json-schema.org/draft-07/schema",an=class extends wC.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),SC.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(vC.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(qf,bC):qf;this.addMetaSchema(t,Xa,!1),this.refs["http://json-schema.org/schema"]=Xa}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(Xa)?Xa:void 0)}};re.Ajv=an;Lu.exports=re=an;Lu.exports.Ajv=an;Object.defineProperty(re,"__esModule",{value:!0});re.default=an;var RC=ao();Object.defineProperty(re,"KeywordCxt",{enumerable:!0,get:o(function(){return RC.KeywordCxt},"get")});var sn=D();Object.defineProperty(re,"_",{enumerable:!0,get:o(function(){return sn._},"get")});Object.defineProperty(re,"str",{enumerable:!0,get:o(function(){return sn.str},"get")});Object.defineProperty(re,"stringify",{enumerable:!0,get:o(function(){return sn.stringify},"get")});Object.defineProperty(re,"nil",{enumerable:!0,get:o(function(){return sn.nil},"get")});Object.defineProperty(re,"Name",{enumerable:!0,get:o(function(){return sn.Name},"get")});Object.defineProperty(re,"CodeGen",{enumerable:!0,get:o(function(){return sn.CodeGen},"get")});var IC=xa();Object.defineProperty(re,"ValidationError",{enumerable:!0,get:o(function(){return IC.default},"get")});var TC=so();Object.defineProperty(re,"MissingRefError",{enumerable:!0,get:o(function(){return TC.default},"get")})});var Zf=C(wt=>{"use strict";Object.defineProperty(wt,"__esModule",{value:!0});wt.formatNames=wt.fastFormats=wt.fullFormats=void 0;function yt(e,t){return{validate:e,compare:t}}o(yt,"fmtDef");wt.fullFormats={date:yt(Gf,Vu),time:yt(Gu(!0),Fu),"date-time":yt(Lf(!0),Vf),"iso-time":yt(Gu(),Bf),"iso-date-time":yt(Lf(),Ff),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:kC,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:DC,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:OC,int32:{type:"number",validate:$C},int64:{type:"number",validate:zC},float:{type:"number",validate:Hf},double:{type:"number",validate:Hf},password:!0,binary:!0};wt.fastFormats={...wt.fullFormats,date:yt(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,Vu),time:yt(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Fu),"date-time":yt(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Vf),"iso-time":yt(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,Bf),"iso-date-time":yt(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,Ff),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};wt.formatNames=Object.keys(wt.fullFormats);function CC(e){return e%4===0&&(e%100!==0||e%400===0)}o(CC,"isLeapYear");var EC=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,AC=[0,31,28,31,30,31,30,31,31,30,31,30,31];function Gf(e){let t=EC.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&CC(r)?29:AC[n])}o(Gf,"date");function Vu(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(Vu,"compareDate");var Hu=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function Gu(e){return o(function(r){let n=Hu.exec(r);if(!n)return!1;let a=+n[1],s=+n[2],i=+n[3],c=n[4],d=n[5]==="-"?-1:1,p=+(n[6]||0),l=+(n[7]||0);if(p>23||l>59||e&&!c)return!1;if(a<=23&&s<=59&&i<60)return!0;let m=s-l*d,h=a-p*d-(m<0?1:0);return(h===23||h===-1)&&(m===59||m===-1)&&i<61},"time")}o(Gu,"getTime");function Fu(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(Fu,"compareTime");function Bf(e,t){if(!(e&&t))return;let r=Hu.exec(e),n=Hu.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(Bf,"compareIsoTime");var Bu=/t|\s/i;function Lf(e){let t=Gu(e);return o(function(n){let a=n.split(Bu);return a.length===2&&Gf(a[0])&&t(a[1])},"date_time")}o(Lf,"getDateTime");function Vf(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(Vf,"compareDateTime");function Ff(e,t){if(!(e&&t))return;let[r,n]=e.split(Bu),[a,s]=t.split(Bu),i=Vu(r,a);if(i!==void 0)return i||Fu(n,s)}o(Ff,"compareIsoDateTime");var PC=/\/|:/,xC=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function kC(e){return PC.test(e)&&xC.test(e)}o(kC,"uri");var jf=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function OC(e){return jf.lastIndex=0,jf.test(e)}o(OC,"byte");var UC=-(2**31),NC=2**31-1;function $C(e){return Number.isInteger(e)&&e<=NC&&e>=UC}o($C,"validateInt32");function zC(e){return Number.isInteger(e)}o(zC,"validateInt64");function Hf(){return!0}o(Hf,"validateNumber");var MC=/[^\\]\\Z/;function DC(e){if(MC.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(DC,"regex")});var Kf=C(cn=>{"use strict";Object.defineProperty(cn,"__esModule",{value:!0});cn.formatLimitDefinition=void 0;var qC=ju(),ct=D(),or=ct.operators,Qa={formatMaximum:{okStr:"<=",ok:or.LTE,fail:or.GT},formatMinimum:{okStr:">=",ok:or.GTE,fail:or.LT},formatExclusiveMaximum:{okStr:"<",ok:or.LT,fail:or.GTE},formatExclusiveMinimum:{okStr:">",ok:or.GT,fail:or.LTE}},LC={message:o(({keyword:e,schemaCode:t})=>(0,ct.str)`should be ${Qa[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ct._)`{comparison: ${Qa[e].okStr}, limit: ${t}}`,"params")};cn.formatLimitDefinition={keyword:Object.keys(Qa),type:"string",schemaType:"string",$data:!0,error:LC,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:s}=e,{opts:i,self:c}=s;if(!i.validateFormats)return;let d=new qC.KeywordCxt(s,c.RULES.all.format.definition,"format");d.$data?p():l();function p(){let h=t.scopeValue("formats",{ref:c.formats,code:i.code.formats}),_=t.const("fmt",(0,ct._)`${h}[${d.schemaCode}]`);e.fail$data((0,ct.or)((0,ct._)`typeof ${_} != "object"`,(0,ct._)`${_} instanceof RegExp`,(0,ct._)`typeof ${_}.compare != "function"`,m(_)))}o(p,"validate$DataFormat");function l(){let h=d.schema,_=c.formats[h];if(!_||_===!0)return;if(typeof _!="object"||_ instanceof RegExp||typeof _.compare!="function")throw new Error(`"${a}": format "${h}" does not define "compare" function`);let w=t.scopeValue("formats",{key:h,ref:_,code:i.code.formats?(0,ct._)`${i.code.formats}${(0,ct.getProperty)(h)}`:void 0});e.fail$data(m(w))}o(l,"validateFormat");function m(h){return(0,ct._)`${h}.compare(${r}, ${n}) ${Qa[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var jC=o(e=>(e.addKeyword(cn.formatLimitDefinition),e),"formatLimitPlugin");cn.default=jC});var Xf=C((vo,Yf)=>{"use strict";Object.defineProperty(vo,"__esModule",{value:!0});var un=Zf(),HC=Kf(),Zu=D(),Wf=new Zu.Name("fullFormats"),GC=new Zu.Name("fastFormats"),Ku=o((e,t={keywords:!0})=>{if(Array.isArray(t))return Jf(e,t,un.fullFormats,Wf),e;let[r,n]=t.mode==="fast"?[un.fastFormats,GC]:[un.fullFormats,Wf],a=t.formats||un.formatNames;return Jf(e,a,r,n),t.keywords&&(0,HC.default)(e),e},"formatsPlugin");Ku.get=(e,t="full")=>{let n=(t==="fast"?un.fastFormats:un.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function Jf(e,t,r,n){var a,s;(a=(s=e.opts.code).formats)!==null&&a!==void 0||(s.formats=(0,Zu._)`require("ajv-formats/dist/formats").${n}`);for(let i of t)e.addFormat(i,r[i])}o(Jf,"addFormats");Yf.exports=vo=Ku;Object.defineProperty(vo,"__esModule",{value:!0});vo.default=Ku});xw();function Gt(e){return!!e._zod}o(Gt,"isZ4Schema");function xe(e,t){return Gt(e)?vi(e,t):e.safeParse(t)}o(xe,"safeParse");function jr(e){if(!e)return;let t;if(Gt(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(jr,"getObjectShape");function Jl(e){if(Gt(e)){let s=e._zod?.def;if(s){if(s.value!==void 0)return s.value;if(Array.isArray(s.values)&&s.values.length>0)return s.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(Jl,"getLiteralValue");W();var Vt="2025-11-25",Yl="2025-03-26",Ft=[Vt,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],Zt="io.modelcontextprotocol/related-task",oa="2.0",he=Zl(e=>e!==null&&(typeof e=="object"||typeof e=="function")),Xl=ne([f(),V().int()]),Ql=f(),p$=fe({ttl:V().optional(),pollInterval:V().optional()}),Uw=I({ttl:V().optional()}),Nw=I({taskId:f()}),Ti=fe({progressToken:Xl.optional(),[Zt]:Nw.optional()}),Fe=I({_meta:Ti.optional()}),$n=Fe.extend({task:Uw.optional()}),ep=o(e=>$n.safeParse(e).success,"isTaskAugmentedRequestParams"),ye=I({method:f(),params:Fe.loose().optional()}),Ke=I({_meta:Ti.optional()}),We=I({method:f(),params:Ke.loose().optional()}),we=fe({_meta:Ti.optional()}),aa=ne([f(),V().int()]),tp=I({jsonrpc:P(oa),id:aa,...ye.shape}).strict(),mt=o(e=>tp.safeParse(e).success,"isJSONRPCRequest"),rp=I({jsonrpc:P(oa),...We.shape}).strict(),np=o(e=>rp.safeParse(e).success,"isJSONRPCNotification"),Ci=I({jsonrpc:P(oa),id:aa,result:we}).strict(),nt=o(e=>Ci.safeParse(e).success,"isJSONRPCResultResponse");var A;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(A||(A={}));var Ei=I({jsonrpc:P(oa),id:aa.optional(),error:I({code:V().int(),message:f(),data:ue().optional()})}).strict();var Gr=o(e=>Ei.safeParse(e).success,"isJSONRPCErrorResponse");var hr=ne([tp,rp,Ci,Ei]),m$=ne([Ci,Ei]),Et=we.strict(),$w=Ke.extend({requestId:aa.optional(),reason:f().optional()}),sa=We.extend({method:P("notifications/cancelled"),params:$w}),zw=I({src:f(),mimeType:f().optional(),sizes:R(f()).optional(),theme:Ve(["light","dark"]).optional()}),zn=I({icons:R(zw).optional()}),Hr=I({name:f(),title:f().optional()}),Br=Hr.extend({...Hr.shape,...zn.shape,version:f(),websiteUrl:f().optional(),description:f().optional()}),Mw=Ri(I({applyDefaults:Y().optional()}),ee(f(),ue())),Dw=Ii(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,Ri(I({form:Mw.optional(),url:he.optional()}),ee(f(),ue()).optional())),qw=fe({list:he.optional(),cancel:he.optional(),requests:fe({sampling:fe({createMessage:he.optional()}).optional(),elicitation:fe({create:he.optional()}).optional()}).optional()}),Lw=fe({list:he.optional(),cancel:he.optional(),requests:fe({tools:fe({call:he.optional()}).optional()}).optional()}),jw=I({experimental:ee(f(),he).optional(),sampling:I({context:he.optional(),tools:he.optional()}).optional(),elicitation:Dw.optional(),roots:I({listChanged:Y().optional()}).optional(),tasks:qw.optional(),extensions:ee(f(),he).optional()}),Hw=Fe.extend({protocolVersion:f(),capabilities:jw,clientInfo:Br}),ia=ye.extend({method:P("initialize"),params:Hw}),Ai=o(e=>ia.safeParse(e).success,"isInitializeRequest"),Gw=I({experimental:ee(f(),he).optional(),logging:he.optional(),completions:he.optional(),prompts:I({listChanged:Y().optional()}).optional(),resources:I({subscribe:Y().optional(),listChanged:Y().optional()}).optional(),tools:I({listChanged:Y().optional()}).optional(),tasks:Lw.optional(),extensions:ee(f(),he).optional()}),Pi=we.extend({protocolVersion:f(),capabilities:Gw,serverInfo:Br,instructions:f().optional()}),ca=We.extend({method:P("notifications/initialized"),params:Ke.optional()}),op=o(e=>ca.safeParse(e).success,"isInitializedNotification"),ua=ye.extend({method:P("ping"),params:Fe.optional()}),Bw=I({progress:V(),total:se(V()),message:se(f())}),Vw=I({...Ke.shape,...Bw.shape,progressToken:Xl}),da=We.extend({method:P("notifications/progress"),params:Vw}),Fw=Fe.extend({cursor:Ql.optional()}),Mn=ye.extend({params:Fw.optional()}),Dn=we.extend({nextCursor:Ql.optional()}),Zw=Ve(["working","input_required","completed","failed","cancelled"]),qn=I({taskId:f(),status:Zw,ttl:ne([V(),Vl()]),createdAt:f(),lastUpdatedAt:f(),pollInterval:se(V()),statusMessage:se(f())}),At=we.extend({task:qn}),Kw=Ke.merge(qn),Ln=We.extend({method:P("notifications/tasks/status"),params:Kw}),la=ye.extend({method:P("tasks/get"),params:Fe.extend({taskId:f()})}),pa=we.merge(qn),ma=ye.extend({method:P("tasks/result"),params:Fe.extend({taskId:f()})}),f$=we.loose(),fa=Mn.extend({method:P("tasks/list")}),ha=Dn.extend({tasks:R(qn)}),ga=ye.extend({method:P("tasks/cancel"),params:Fe.extend({taskId:f()})}),ap=we.merge(qn),sp=I({uri:f(),mimeType:se(f()),_meta:ee(f(),ue()).optional()}),ip=sp.extend({text:f()}),xi=f().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),cp=sp.extend({blob:xi}),jn=Ve(["user","assistant"]),Vr=I({audience:R(jn).optional(),priority:V().min(0).max(1).optional(),lastModified:Gl.datetime({offset:!0}).optional()}),up=I({...Hr.shape,...zn.shape,uri:f(),description:se(f()),mimeType:se(f()),size:se(V()),annotations:Vr.optional(),_meta:se(fe({}))}),Ww=I({...Hr.shape,...zn.shape,uriTemplate:f(),description:se(f()),mimeType:se(f()),annotations:Vr.optional(),_meta:se(fe({}))}),ki=Mn.extend({method:P("resources/list")}),Oi=Dn.extend({resources:R(up)}),Jw=Mn.extend({method:P("resources/templates/list")}),Ui=Dn.extend({resourceTemplates:R(Ww)}),Ni=Fe.extend({uri:f()}),Yw=Ni,$i=ye.extend({method:P("resources/read"),params:Yw}),zi=we.extend({contents:R(ne([ip,cp]))}),Mi=We.extend({method:P("notifications/resources/list_changed"),params:Ke.optional()}),Xw=Ni,Qw=ye.extend({method:P("resources/subscribe"),params:Xw}),eS=Ni,tS=ye.extend({method:P("resources/unsubscribe"),params:eS}),rS=Ke.extend({uri:f()}),nS=We.extend({method:P("notifications/resources/updated"),params:rS}),oS=I({name:f(),description:se(f()),required:se(Y())}),aS=I({...Hr.shape,...zn.shape,description:se(f()),arguments:se(R(oS)),_meta:se(fe({}))}),Di=Mn.extend({method:P("prompts/list")}),qi=Dn.extend({prompts:R(aS)}),sS=Fe.extend({name:f(),arguments:ee(f(),f()).optional()}),Li=ye.extend({method:P("prompts/get"),params:sS}),ji=I({type:P("text"),text:f(),annotations:Vr.optional(),_meta:ee(f(),ue()).optional()}),Hi=I({type:P("image"),data:xi,mimeType:f(),annotations:Vr.optional(),_meta:ee(f(),ue()).optional()}),Gi=I({type:P("audio"),data:xi,mimeType:f(),annotations:Vr.optional(),_meta:ee(f(),ue()).optional()}),iS=I({type:P("tool_use"),name:f(),id:f(),input:ee(f(),ue()),_meta:ee(f(),ue()).optional()}),cS=I({type:P("resource"),resource:ne([ip,cp]),annotations:Vr.optional(),_meta:ee(f(),ue()).optional()}),uS=up.extend({type:P("resource_link")}),Bi=ne([ji,Hi,Gi,uS,cS]),dS=I({role:jn,content:Bi}),Vi=we.extend({description:f().optional(),messages:R(dS)}),Fi=We.extend({method:P("notifications/prompts/list_changed"),params:Ke.optional()}),lS=I({title:f().optional(),readOnlyHint:Y().optional(),destructiveHint:Y().optional(),idempotentHint:Y().optional(),openWorldHint:Y().optional()}),pS=I({taskSupport:Ve(["required","optional","forbidden"]).optional()}),dp=I({...Hr.shape,...zn.shape,description:f().optional(),inputSchema:I({type:P("object"),properties:ee(f(),he).optional(),required:R(f()).optional()}).catchall(ue()),outputSchema:I({type:P("object"),properties:ee(f(),he).optional(),required:R(f()).optional()}).catchall(ue()).optional(),annotations:lS.optional(),execution:pS.optional(),_meta:ee(f(),ue()).optional()}),Zi=Mn.extend({method:P("tools/list")}),Ki=Dn.extend({tools:R(dp)}),Kt=we.extend({content:R(Bi).default([]),structuredContent:ee(f(),ue()).optional(),isError:Y().optional()}),h$=Kt.or(we.extend({toolResult:ue()})),mS=$n.extend({name:f(),arguments:ee(f(),ue()).optional()}),Hn=ye.extend({method:P("tools/call"),params:mS}),Wi=We.extend({method:P("notifications/tools/list_changed"),params:Ke.optional()}),lp=I({autoRefresh:Y().default(!0),debounceMs:V().int().nonnegative().default(300)}),Gn=Ve(["debug","info","notice","warning","error","critical","alert","emergency"]),fS=Fe.extend({level:Gn}),Ji=ye.extend({method:P("logging/setLevel"),params:fS}),hS=Ke.extend({level:Gn,logger:f().optional(),data:ue()}),gS=We.extend({method:P("notifications/message"),params:hS}),_S=I({name:f().optional()}),yS=I({hints:R(_S).optional(),costPriority:V().min(0).max(1).optional(),speedPriority:V().min(0).max(1).optional(),intelligencePriority:V().min(0).max(1).optional()}),wS=I({mode:Ve(["auto","required","none"]).optional()}),SS=I({type:P("tool_result"),toolUseId:f().describe("The unique identifier for the corresponding tool call."),content:R(Bi).default([]),structuredContent:I({}).loose().optional(),isError:Y().optional(),_meta:ee(f(),ue()).optional()}),vS=bi("type",[ji,Hi,Gi]),na=bi("type",[ji,Hi,Gi,iS,SS]),bS=I({role:jn,content:ne([na,R(na)]),_meta:ee(f(),ue()).optional()}),RS=$n.extend({messages:R(bS),modelPreferences:yS.optional(),systemPrompt:f().optional(),includeContext:Ve(["none","thisServer","allServers"]).optional(),temperature:V().optional(),maxTokens:V().int(),stopSequences:R(f()).optional(),metadata:he.optional(),tools:R(dp).optional(),toolChoice:wS.optional()}),Yi=ye.extend({method:P("sampling/createMessage"),params:RS}),gr=we.extend({model:f(),stopReason:se(Ve(["endTurn","stopSequence","maxTokens"]).or(f())),role:jn,content:vS}),Bn=we.extend({model:f(),stopReason:se(Ve(["endTurn","stopSequence","maxTokens","toolUse"]).or(f())),role:jn,content:ne([na,R(na)])}),IS=I({type:P("boolean"),title:f().optional(),description:f().optional(),default:Y().optional()}),TS=I({type:P("string"),title:f().optional(),description:f().optional(),minLength:V().optional(),maxLength:V().optional(),format:Ve(["email","uri","date","date-time"]).optional(),default:f().optional()}),CS=I({type:Ve(["number","integer"]),title:f().optional(),description:f().optional(),minimum:V().optional(),maximum:V().optional(),default:V().optional()}),ES=I({type:P("string"),title:f().optional(),description:f().optional(),enum:R(f()),default:f().optional()}),AS=I({type:P("string"),title:f().optional(),description:f().optional(),oneOf:R(I({const:f(),title:f()})),default:f().optional()}),PS=I({type:P("string"),title:f().optional(),description:f().optional(),enum:R(f()),enumNames:R(f()).optional(),default:f().optional()}),xS=ne([ES,AS]),kS=I({type:P("array"),title:f().optional(),description:f().optional(),minItems:V().optional(),maxItems:V().optional(),items:I({type:P("string"),enum:R(f())}),default:R(f()).optional()}),OS=I({type:P("array"),title:f().optional(),description:f().optional(),minItems:V().optional(),maxItems:V().optional(),items:I({anyOf:R(I({const:f(),title:f()}))}),default:R(f()).optional()}),US=ne([kS,OS]),NS=ne([PS,xS,US]),$S=ne([NS,IS,TS,CS]),zS=$n.extend({mode:P("form").optional(),message:f(),requestedSchema:I({type:P("object"),properties:ee(f(),$S),required:R(f()).optional()})}),MS=$n.extend({mode:P("url"),message:f(),elicitationId:f(),url:f().url()}),DS=ne([zS,MS]),Xi=ye.extend({method:P("elicitation/create"),params:DS}),qS=Ke.extend({elicitationId:f()}),LS=We.extend({method:P("notifications/elicitation/complete"),params:qS}),Wt=we.extend({action:Ve(["accept","decline","cancel"]),content:Ii(e=>e===null?void 0:e,ee(f(),ne([f(),V(),Y(),R(f())])).optional())}),jS=I({type:P("ref/resource"),uri:f()});var HS=I({type:P("ref/prompt"),name:f()}),GS=Fe.extend({ref:ne([HS,jS]),argument:I({name:f(),value:f()}),context:I({arguments:ee(f(),f()).optional()}).optional()}),BS=ye.extend({method:P("completion/complete"),params:GS});var Qi=we.extend({completion:fe({values:R(f()).max(100),total:se(V().int()),hasMore:se(Y())})}),VS=I({uri:f().startsWith("file://"),name:f().optional(),_meta:ee(f(),ue()).optional()}),FS=ye.extend({method:P("roots/list"),params:Fe.optional()}),ec=we.extend({roots:R(VS)}),ZS=We.extend({method:P("notifications/roots/list_changed"),params:Ke.optional()}),g$=ne([ua,ia,BS,Ji,Li,Di,ki,Jw,$i,Qw,tS,Hn,Zi,la,ma,fa,ga]),_$=ne([sa,da,ca,ZS,Ln]),y$=ne([Et,gr,Bn,Wt,ec,pa,ha,At]),w$=ne([ua,Yi,Xi,FS,la,ma,fa,ga]),S$=ne([sa,da,gS,nS,Mi,Wi,Fi,Ln,LS]),v$=ne([Et,Pi,Qi,Vi,qi,Oi,Ui,zi,Kt,Ki,pa,ha,At]),E=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===A.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new Bt(a.elicitations,r)}return new e(t,r,n)}},Bt=class extends E{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(A.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};function Jt(e){return e==="completed"||e==="failed"||e==="cancelled"}o(Jt,"isTerminal");var KS=Symbol("Let zodToJsonSchema decide on which parser to use");var yz=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function tc(e){let r=jr(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=Jl(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(tc,"getMethodLiteral");function rc(e,t){let r=xe(e,t);if(!r.success)throw r.error;return r.data}o(rc,"parseWithCompat");var ev=6e4,Fr=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(sa,r=>{this._oncancel(r)}),this.setNotificationHandler(da,r=>{this._onprogress(r)}),this.setRequestHandler(ua,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(la,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new E(A.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(ma,async(r,n)=>{let a=o(async()=>{let s=r.params.taskId;if(this._taskMessageQueue){let c;for(;c=await this._taskMessageQueue.dequeue(s,n.sessionId);){if(c.type==="response"||c.type==="error"){let d=c.message,p=d.id,l=this._requestResolvers.get(p);if(l)if(this._requestResolvers.delete(p),c.type==="response")l(d);else{let m=d,h=new E(m.error.code,m.error.message,m.error.data);l(h)}else{let m=c.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${p}`))}continue}await this._transport?.send(c.message,{relatedRequestId:n.requestId})}}let i=await this._taskStore.getTask(s,n.sessionId);if(!i)throw new E(A.InvalidParams,`Task not found: ${s}`);if(!Jt(i.status))return await this._waitForTaskUpdate(s,n.signal),await a();if(Jt(i.status)){let c=await this._taskStore.getTaskResult(s,n.sessionId);return this._clearTaskQueue(s),{...c,_meta:{...c._meta,[Zt]:{taskId:s}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(fa,async(r,n)=>{try{let{tasks:a,nextCursor:s}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:s,_meta:{}}}catch(a){throw new E(A.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(ga,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new E(A.InvalidParams,`Task not found: ${r.params.taskId}`);if(Jt(a.status))throw new E(A.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let s=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!s)throw new E(A.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...s}}catch(a){throw a instanceof E?a:new E(A.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,s=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:s,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),E.fromError(A.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=s=>{n?.(s),this._onerror(s)};let a=this._transport?.onmessage;this._transport.onmessage=(s,i)=>{a?.(s,i),nt(s)||Gr(s)?this._onresponse(s):mt(s)?this._onrequest(s,i):np(s)?this._onnotification(s):this._onerror(new Error(`Unknown message type: ${JSON.stringify(s)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=E.fromError(A.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,s=t.params?._meta?.[Zt]?.taskId;if(n===void 0){let l={jsonrpc:"2.0",id:t.id,error:{code:A.MethodNotFound,message:"Method not found"}};s&&this._taskMessageQueue?this._enqueueTaskMessage(s,{type:"error",message:l,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(l).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let i=new AbortController;this._requestHandlerAbortControllers.set(t.id,i);let c=ep(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,p={signal:i.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async l=>{if(i.signal.aborted)return;let m={relatedRequestId:t.id};s&&(m.relatedTask={taskId:s}),await this.notification(l,m)},"sendNotification"),sendRequest:o(async(l,m,h)=>{if(i.signal.aborted)throw new E(A.ConnectionClosed,"Request was cancelled");let _={...h,relatedRequestId:t.id};s&&!_.relatedTask&&(_.relatedTask={taskId:s});let w=_.relatedTask?.taskId??s;return w&&d&&await d.updateTaskStatus(w,"input_required"),await this.request(l,m,_)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:s,taskStore:d,taskRequestedTtl:c?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{c&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,p)).then(async l=>{if(i.signal.aborted)return;let m={result:l,jsonrpc:"2.0",id:t.id};s&&this._taskMessageQueue?await this._enqueueTaskMessage(s,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async l=>{if(i.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(l.code)?l.code:A.InternalError,message:l.message??"Internal error",...l.data!==void 0&&{data:l.data}}};s&&this._taskMessageQueue?await this._enqueueTaskMessage(s,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(l=>this._onerror(new Error(`Failed to send response: ${l}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===i&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),s=this._progressHandlers.get(a);if(!s){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let i=this._responseHandlers.get(a),c=this._timeoutInfo.get(a);if(c&&i&&c.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),i(d);return}s(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),nt(t))n(t);else{let i=new E(t.error.code,t.error.message,t.error.data);n(i)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let s=!1;if(nt(t)&&t.result&&typeof t.result=="object"){let i=t.result;if(i.task&&typeof i.task=="object"){let c=i.task;typeof c.taskId=="string"&&(s=!0,this._taskProgressTokens.set(c.taskId,r))}}if(s||this._progressHandlers.delete(r),nt(t))a(t);else{let i=E.fromError(t.error.code,t.error.message,t.error.data);a(i)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(i){yield{type:"error",error:i instanceof E?i:new E(A.InternalError,String(i))}}return}let s;try{let i=await this.request(t,At,n);if(i.task)s=i.task.taskId,yield{type:"taskCreated",task:i.task};else throw new E(A.InternalError,"Task creation did not return a task");for(;;){let c=await this.getTask({taskId:s},n);if(yield{type:"taskStatus",task:c},Jt(c.status)){c.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:s},r,n)}:c.status==="failed"?yield{type:"error",error:new E(A.InternalError,`Task ${s} failed`)}:c.status==="cancelled"&&(yield{type:"error",error:new E(A.InternalError,`Task ${s} was cancelled`)});return}if(c.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:s},r,n)};return}let d=c.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(p=>setTimeout(p,d)),n?.signal?.throwIfAborted()}}catch(i){yield{type:"error",error:i instanceof E?i:new E(A.InternalError,String(i))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:s,onresumptiontoken:i,task:c,relatedTask:d}=n??{};return new Promise((p,l)=>{let m=o(b=>{l(b)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),c&&this.assertTaskCapability(t.method)}catch(b){m(b);return}n?.signal?.throwIfAborted();let h=this._requestMessageId++,_={...t,jsonrpc:"2.0",id:h};n?.onprogress&&(this._progressHandlers.set(h,n.onprogress),_.params={...t.params,_meta:{...t.params?._meta||{},progressToken:h}}),c&&(_.params={..._.params,task:c}),d&&(_.params={..._.params,_meta:{..._.params?._meta||{},[Zt]:d}});let w=o(b=>{this._responseHandlers.delete(h),this._progressHandlers.delete(h),this._cleanupTimeout(h),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:h,reason:String(b)}},{relatedRequestId:a,resumptionToken:s,onresumptiontoken:i}).catch(U=>this._onerror(new Error(`Failed to send cancellation: ${U}`)));let T=b instanceof E?b:new E(A.RequestTimeout,String(b));l(T)},"cancel");this._responseHandlers.set(h,b=>{if(!n?.signal?.aborted){if(b instanceof Error)return l(b);try{let T=xe(r,b.result);T.success?p(T.data):l(T.error)}catch(T){l(T)}}}),n?.signal?.addEventListener("abort",()=>{w(n?.signal?.reason)});let y=n?.timeout??ev,S=o(()=>w(E.fromError(A.RequestTimeout,"Request timed out",{timeout:y})),"timeoutHandler");this._setupTimeout(h,y,n?.maxTotalTimeout,S,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let b=o(T=>{let U=this._responseHandlers.get(h);U?U(T):this._onerror(new Error(`Response handler missing for side-channeled request ${h}`))},"responseResolver");this._requestResolvers.set(h,b),this._enqueueTaskMessage(v,{type:"request",message:_,timestamp:Date.now()}).catch(T=>{this._cleanupTimeout(h),l(T)})}else this._transport.send(_,{relatedRequestId:a,resumptionToken:s,onresumptiontoken:i}).catch(b=>{this._cleanupTimeout(h),l(b)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},pa,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},ha,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},ap,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let c={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[Zt]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:c,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let c={...t,jsonrpc:"2.0"};r?.relatedTask&&(c={...c,params:{...c.params,_meta:{...c.params?._meta||{},[Zt]:r.relatedTask}}}),this._transport?.send(c,r).catch(d=>this._onerror(d))});return}let i={...t,jsonrpc:"2.0"};r?.relatedTask&&(i={...i,params:{...i.params,_meta:{...i.params?._meta||{},[Zt]:r.relatedTask}}}),await this._transport.send(i,r)}setRequestHandler(t,r){let n=tc(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,s)=>{let i=rc(t,a);return Promise.resolve(r(i,s))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=tc(t);this._notificationHandlers.set(n,a=>{let s=rc(t,a);return Promise.resolve(r(s))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&mt(a.message)){let s=a.message.id,i=this._requestResolvers.get(s);i?(i(new E(A.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(s)):this._onerror(new Error(`Resolver missing for request ${s} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,s)=>{if(r.aborted){s(new E(A.InvalidRequest,"Request cancelled"));return}let i=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(i),s(new E(A.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let s=await n.getTask(a,r);if(!s)throw new E(A.InvalidParams,"Failed to retrieve task: Task not found");return s},"getTask"),storeTaskResult:o(async(a,s,i)=>{await n.storeTaskResult(a,s,i,r);let c=await n.getTask(a,r);if(c){let d=Ln.parse({method:"notifications/tasks/status",params:c});await this.notification(d),Jt(c.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,s,i)=>{let c=await n.getTask(a,r);if(!c)throw new E(A.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(Jt(c.status))throw new E(A.InvalidParams,`Cannot update task "${a}" from terminal status "${c.status}" to "${s}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,s,i,r);let d=await n.getTask(a,r);if(d){let p=Ln.parse({method:"notifications/tasks/status",params:d});await this.notification(p),Jt(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function pp(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(pp,"isPlainObject");function _a(e,t){let r={...e};for(let n in t){let a=n,s=t[a];if(s===void 0)continue;let i=r[a];pp(i)&&pp(s)?r[a]={...i,...s}:r[a]=s}return r}o(_a,"mergeCapabilities");var Qf=Ll(ju(),1),eh=Ll(Xf(),1);function BC(){let e=new Qf.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,eh.default)(e),e}o(BC,"createDefaultAjvInstance");var dn=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??BC()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var es=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],s=Array.isArray(a.content)?a.content:[a.content],i=s.some(l=>l.type==="tool_result"),c=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=c?Array.isArray(c.content)?c.content:[c.content]:[],p=d.some(l=>l.type==="tool_use");if(i){if(s.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!p)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(p){let l=new Set(d.filter(h=>h.type==="tool_use").map(h=>h.id)),m=new Set(s.filter(h=>h.type==="tool_result").map(h=>h.toolUseId));if(l.size!==m.size||![...l].every(h=>m.has(h)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},gr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let s=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:s},Wt,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function ts(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(ts,"assertToolsCallTaskCapability");function rs(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(rs,"assertClientRequestTaskCapability");var ns=class extends Fr{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(Gn.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let s=this._loggingLevels.get(a);return s?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(s):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new dn,this.setRequestHandler(ia,n=>this._oninitialize(n)),this.setNotificationHandler(ca,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(Ji,async(n,a)=>{let s=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:i}=n.params,c=Gn.safeParse(i);return c.success&&this._loggingLevels.set(s,c.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new es(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=_a(this._capabilities,t)}setRequestHandler(t,r){let a=jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let s;if(Gt(a)){let c=a;s=c._zod?.def?.value??c.value}else{let c=a;s=c._def?.value??c.value}if(typeof s!="string")throw new Error("Schema method literal must be a string");if(s==="tools/call"){let c=o(async(d,p)=>{let l=xe(Hn,d);if(!l.success){let w=l.error instanceof Error?l.error.message:String(l.error);throw new E(A.InvalidParams,`Invalid tools/call request: ${w}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let w=xe(At,h);if(!w.success){let y=w.error instanceof Error?w.error.message:String(w.error);throw new E(A.InvalidParams,`Invalid task creation result: ${y}`)}return w.data}let _=xe(Kt,h);if(!_.success){let w=_.error instanceof Error?_.error.message:String(_.error);throw new E(A.InvalidParams,`Invalid tools/call result: ${w}`)}return _.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){rs(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&ts(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:Ft.includes(r)?r:Vt,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},Et)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],s=a.some(p=>p.type==="tool_result"),i=t.messages.length>1?t.messages[t.messages.length-2]:void 0,c=i?Array.isArray(i.content)?i.content:[i.content]:[],d=c.some(p=>p.type==="tool_use");if(s){if(a.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let p=new Set(c.filter(m=>m.type==="tool_use").map(m=>m.id)),l=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(p.size!==l.size||![...p].every(m=>l.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},Bn,r):this.request({method:"sampling/createMessage",params:t},gr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},Wt,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},s=await this.request({method:"elicitation/create",params:a},Wt,r);if(s.action==="accept"&&s.content&&a.requestedSchema)try{let c=this._jsonSchemaValidator.getValidator(a.requestedSchema)(s.content);if(!c.valid)throw new E(A.InvalidParams,`Elicitation response content does not match requested schema: ${c.errorMessage}`)}catch(i){throw i instanceof E?i:new E(A.InternalError,`Error validating elicitation response: ${i instanceof Error?i.message:String(i)}`)}return s}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},ec,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var os=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let s={code:r,message:n};return a?.data!==void 0&&(s.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:s,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let s=await this._eventStore.storeEvent(n,{}),i=`id: ${s}
+data:
+`;this._retryInterval!==void 0&&(i=`id: ${s}
+retry: ${this._retryInterval}
+data:
+`),t.enqueue(r.encode(i))}async handleGetRequest(t){if(!t.headers.get("accept")?.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept text/event-stream");let n=this.validateSession(t);if(n)return n;let a=this.validateProtocolVersion(t);if(a)return a;if(this._eventStore){let p=t.headers.get("last-event-id");if(p)return this.replayEvents(p)}if(this._streamMapping.get(this._standaloneSseStreamId)!==void 0)return this.onerror?.(new Error("Conflict: Only one SSE stream is allowed per session")),this.createJsonErrorResponse(409,-32e3,"Conflict: Only one SSE stream is allowed per session");let s=new TextEncoder,i,c=new ReadableStream({start:o(p=>{i=p},"start"),cancel:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId)},"cancel")}),d={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};return this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId),this._streamMapping.set(this._standaloneSseStreamId,{controller:i,encoder:s,cleanup:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId);try{i.close()}catch{}},"cleanup")}),new Response(c,{headers:d})}async replayEvents(t){if(!this._eventStore)return this.onerror?.(new Error("Event store not configured")),this.createJsonErrorResponse(400,-32e3,"Event store not configured");try{let r;if(this._eventStore.getStreamIdForEventId){if(r=await this._eventStore.getStreamIdForEventId(t),!r)return this.onerror?.(new Error("Invalid event ID format")),this.createJsonErrorResponse(400,-32e3,"Invalid event ID format");if(this._streamMapping.get(r)!==void 0)return this.onerror?.(new Error("Conflict: Stream already has an active connection")),this.createJsonErrorResponse(409,-32e3,"Conflict: Stream already has an active connection")}let n={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};this.sessionId!==void 0&&(n["mcp-session-id"]=this.sessionId);let a=new TextEncoder,s,i=new ReadableStream({start:o(d=>{s=d},"start"),cancel:o(()=>{},"cancel")}),c=await this._eventStore.replayEventsAfter(t,{send:o(async(d,p)=>{if(!this.writeSSEEvent(s,a,p,d)){this.onerror?.(new Error("Failed replay events"));try{s.close()}catch{}}},"send")});return this._streamMapping.set(c,{controller:s,encoder:a,cleanup:o(()=>{this._streamMapping.delete(c);try{s.close()}catch{}},"cleanup")}),new Response(i,{headers:n})}catch(r){return this.onerror?.(r),this.createJsonErrorResponse(500,-32e3,"Error replaying events")}}writeSSEEvent(t,r,n,a){try{let s=`event: message
+`;return a&&(s+=`id: ${a}
+`),s+=`data: ${JSON.stringify(n)}
+`,t.enqueue(r.encode(s)),!0}catch(s){return this.onerror?.(s),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let s={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},i;if(r?.parsedBody!==void 0)i=r.parsedBody;else try{i=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let c;try{Array.isArray(i)?c=i.map(v=>hr.parse(v)):c=[hr.parse(i)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=c.some(Ai);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(c.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let b=this.validateProtocolVersion(t);if(b)return b}if(!c.some(mt)){for(let v of c)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:s});return new Response(null,{status:202})}let l=crypto.randomUUID(),m=c.find(v=>Ai(v)),h=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??Yl;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(l,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(l)},"cleanup")});for(let b of c)mt(b)&&this._requestToStreamMapping.set(b.id,l);for(let b of c)this.onmessage?.(b,{authInfo:r?.authInfo,requestInfo:s})});let _=new TextEncoder,w,y=new ReadableStream({start:o(v=>{w=v},"start"),cancel:o(()=>{this._streamMapping.delete(l)},"cancel")}),S={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(S["mcp-session-id"]=this.sessionId);for(let v of c)mt(v)&&(this._streamMapping.set(l,{controller:w,encoder:_,cleanup:o(()=>{this._streamMapping.delete(l);try{w.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,l));await this.writePrimingEvent(w,_,l,h);for(let v of c){let b,T;mt(v)&&this._eventStore&&h>="2025-11-25"&&(b=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),T=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:s,closeSSEStream:b,closeStandaloneSSEStream:T})}return new Response(y,{status:200,headers:S})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!Ft.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Ft.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Ft.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((nt(t)||Gr(t))&&(n=t.id),n===void 0){if(nt(t)||Gr(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let i;this._eventStore&&(i=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let c=this._streamMapping.get(this._standaloneSseStreamId);if(c===void 0)return;c.controller&&c.encoder&&this.writeSSEEvent(c.controller,c.encoder,t,i);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let s=this._streamMapping.get(a);if(!this._enableJsonResponse&&s?.controller&&s?.encoder){let i;this._eventStore&&(i=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(s.controller,s.encoder,t,i)}if(nt(t)||Gr(t)){this._requestResponseMap.set(n,t);let i=Array.from(this._requestToStreamMapping.entries()).filter(([d,p])=>p===a).map(([d])=>d);if(i.every(d=>this._requestResponseMap.has(d))){if(!s)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&s.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let p=i.map(l=>this._requestResponseMap.get(l));p.length===1?s.resolveJson(new Response(JSON.stringify(p[0]),{status:200,headers:d})):s.resolveJson(new Response(JSON.stringify(p),{status:200,headers:d}))}else s.cleanup();for(let d of i)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function Wu(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(Wu,"truncate");function th(e){return"cause"in e?e.cause:void 0}o(th,"readCause");function Re(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=Wu(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=Wu(r.message);let n=th(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let s=a===1?"cause":`cause${a}`;e[`${s}Name`]=n.name,e[`${s}Message`]=Wu(n.message),n=th(n)}}o(Re,"addErrorLogFields");function et(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(et,"safeHost");function rh(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(rh,"setLogProperties");function Ju(e,t){rh(e,{tenantId:t.tenantId,subjectId:t.subjectId})}o(Ju,"applyGatewayPrincipalLogProperties");function nh(e,t){rh(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(nh,"applyGatewayRouteLogProperties");var ln={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},oh={...ln.runtime,...ln.config,...ln.downstream_auth,...ln.downstream_oauth,...ln.upstream_auth,...ln.upstream_mcp};function Yu(e){return typeof e=="string"&&Object.hasOwn(oh,e)}o(Yu,"isGatewayProblemCode");function as(e){return Yu(e)&&Le(e).callbackFailure===!0}o(as,"isGatewayCallbackFailureCode");function Le(e){return oh[e]}o(Le,"readGatewayProblemDefinition");var ah="gatewayCode";function sh(e){let t=Le(e);return{title:t.title,body:t.publicDetail}}o(sh,"readGatewayCallbackFailureContent");function ae(e){if(!(e instanceof ra))return;let t=e.extensionMembers?.[ah];return Yu(t)?t:void 0}o(ae,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Le(n.code),s=n.privateDetail??(ss(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),i=FC(n);return new ra({message:s,extensionMembers:{[ah]:n.code}},i===void 0?void 0:{cause:i})}o(g,"createGatewayRuntimeError");async function je(e,t,r){let n=Le(r.code),a=ZC(r.code,r.detail),s=ss(r.code)?r.title??n.title:n.title,c={problem:{...Nn.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:s,detail:a,code:r.code}};return r.headers!==void 0&&(c.additionalHeaders=r.headers),Nn.format(c,e,t)}o(je,"gatewayProblemResponse");function ss(e){return Le(e).status<500}o(ss,"canExposeGatewayProblemDetail");function FC(e){return!e.privateDetail||ss(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(FC,"readRuntimeErrorCause");function ZC(e,t){let r=Le(e);return ss(e)&&t||r.publicDetail}o(ZC,"readSafeGatewayProblemDetail");W();var KC=["tenant_shared_oauth","user_oauth","static_secret","user_static_secret","tenant_static_secret"],WC=["none","client_secret_basic","client_secret_post"],ut=u.string().min(1).brand(),ge=u.string().min(1).brand(),dt=u.string().min(1).brand(),St=u.string().min(1).brand(),is=u.enum(KC),Xu=u.enum(WC),cs=u.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),Qu=u.object({name:cs,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict();var ed=new Map;function us(e){ed.set(e.policyType,e)}o(us,"registerMcpAuthorizationPolicy");function td(e){if(e!==void 0)return ed.get(e)}o(td,"getMcpAuthorizationPolicy");function ds(e){return td(e)!==void 0}o(ds,"isRegisteredMcpAuthorizationPolicyType");function rd(){return[...ed.keys()]}o(rd,"listMcpAuthorizationPolicyTypes");W();var uh=ut,JC=u.object({mode:u.literal("auto")}).strict(),YC=u.object({mode:u.literal("manual"),clientId:u.string().trim().min(1),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:Xu.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:u.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),dh=u.discriminatedUnion("mode",[JC,YC]),XC=dh.default({mode:"auto"}),nd=u.object({scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:XC}).strict(),ih=nd.extend({redirectPath:u.string().startsWith("/auth/connections/")}).strict(),lh=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),QC=new Set([...lh,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),eE=u.object({kind:u.literal("bearer_token"),token:u.string().min(1)}).strict(),tE=u.object({kind:u.literal("headers"),headers:u.array(u.object({name:cs,value:u.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let s=a.name.toLowerCase();lh.has(s)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(s)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(s)}}),od=u.discriminatedUnion("kind",[eE,tE]),rE=u.object({kind:u.literal("basic_auth_app_password"),usernameLabel:u.string().min(1).default("Username"),passwordLabel:u.string().min(1).default("App password")}).strict(),nE=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key"),capture:u.enum(["browser_login"]).optional()}).strict(),ad=u.discriminatedUnion("kind",[rE,nE]),sd=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key")}).strict(),oE=u.discriminatedUnion("mode",[u.object({mode:u.literal("tenant_shared_oauth"),oauth:ih}).strict(),u.object({mode:u.literal("user_oauth"),oauth:ih}).strict(),u.object({mode:u.literal("static_secret"),secret:od}).strict(),u.object({mode:u.literal("user_static_secret"),secret:ad}).strict(),u.object({mode:u.literal("tenant_static_secret"),secret:sd}).strict()]),aE=u.object({baseUrl:u.url(),resourceMetadataUrl:u.url(),requestHeaders:u.array(Qu).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let s=a.name.toLowerCase();QC.has(s)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(s)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(s)}}),Wj=u.object({displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:Br.optional(),authProfiles:u.record(dt,oE),transport:aE}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),sE=u.object({tenant_shared_oauth:nd.optional(),user_oauth:nd.optional(),static_secret:u.object({secret:od}).strict().optional(),user_static_secret:u.object({secret:ad}).strict().optional(),tenant_static_secret:u.object({secret:sd}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),ch=u.object({id:uh,displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:Br.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url(),requestHeaders:u.array(Qu).default([]),authProfiles:sE}).strict(),iE=u.object({name:cs,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict(),ls={id:uh.optional(),displayName:u.string().min(1),summary:u.string().min(1).optional(),serverInfo:Br.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url().optional(),requestHeaders:u.array(iE).default([])},cE=u.discriminatedUnion("authMode",[u.object({...ls,authMode:u.enum(["tenant_shared_oauth","user_oauth"]),scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:dh.optional(),clientId:u.string().trim().min(1).optional(),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:Xu.optional()}).strict(),u.object({...ls,authMode:u.literal("static_secret"),secret:od}).strict(),u.object({...ls,authMode:u.literal("user_static_secret"),secret:ad}).strict(),u.object({...ls,authMode:u.literal("tenant_static_secret"),secret:sd}).strict()]);function ph(e){throw g("internal_server_error",e)}o(ph,"throwGatewayConfigError");function uE(e){let t="mcp-upstream-";return e.startsWith(t)||ph(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),ut.parse(e.slice(t.length))}o(uE,"inferUpstreamConnectionIdFromPolicyName");function dE(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(dE,"buildDefaultProtectedResourceMetadataUrl");function pn(e,t){return dt.parse(`${e}:${t}`)}o(pn,"buildUpstreamAuthProfileId");function ps(e,t){let r=ch.safeParse(e);if(r.success)return r.data;let n=cE.parse(e),a=n.id??(t===void 0?void 0:uE(t));a===void 0&&ph("Upstream policy options must include id when policy name is unavailable.");let s=n.requestHeaders.map(c=>({name:c.name,value:c.value,required:c.required})),i=(()=>{switch(n.authMode){case"tenant_shared_oauth":case"user_oauth":{let c=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:c}}}case"static_secret":case"user_static_secret":case"tenant_static_secret":return{[n.authMode]:{secret:n.secret}}}})();return ch.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??dE(n.mcpUrl),requestHeaders:s,authProfiles:i})}o(ps,"parseUpstreamConnectionPolicyOptions");function mh(e){return e.mode==="tenant_shared_oauth"||e.mode==="user_oauth"}o(mh,"isUpstreamOAuthAuthConfig");W();var lE=u.looseObject({name:u.string().min(1),version:u.string().min(1).optional()}),pE=u.looseObject({}),mE=u.looseObject({name:St,namespace:St.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional(),inputSchema:pE}),fE=u.looseObject({name:St,namespace:St.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional()}),hE=u.looseObject({name:St,uri:u.string().min(1),upstreamPolicy:u.string().min(1).optional(),upstreamUri:u.string().min(1).optional(),enabled:u.boolean().optional()}),gE=u.enum(["openapi","upstream_mcp"]),_E=u.object({catalogSource:gE.default("openapi"),serverInfo:lE.optional(),tools:u.array(mE).default([]),prompts:u.array(fE).default([]),resources:u.array(hE).default([])}).strict();function fh(e){return _E.parse(e??{})}o(fh,"parseVirtualServerRouteOptions");function ms(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(ms,"toMcpTool");function fs(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(fs,"toMcpPrompt");function hs(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(hs,"toMcpResource");var yE="mcp-upstream-connection-inbound",hh="/mcp/";function Pe(e){throw new Tt(e)}o(Pe,"throwRegistryError");function gh(e){return e.policyType===yE}o(gh,"isUpstreamConnectionPolicy");function wE(e){return ds(e.policyType)}o(wE,"isMcpOAuthInboundPolicy");function SE(e){e.startsWith(hh)||Pe(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(hh.length);return(!t||t.includes("/"))&&Pe(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),ge.parse(t)}o(SE,"readVirtualServerIdFromPath");function vE(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&Pe(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&Pe(`Upstream policy ${e.policyName} does not declare an auth mode.`),is.parse(r)}o(vE,"readSingleAuthMode");function bE(e){let t=e.connection.authProfiles[e.authMode];t||Pe(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"tenant_shared_oauth":case"user_oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static_secret":return{mode:"static_secret",secret:t.secret};case"user_static_secret":return{mode:"user_static_secret",secret:t.secret};case"tenant_static_secret":return{mode:"tenant_static_secret",secret:t.secret}}}o(bE,"buildResolvedAuthConfig");function RE(e){let t=vE({policyName:e.policyName,connection:e.connection}),r=pn(e.connection.id,t),n=bE({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(RE,"buildRegisteredConnection");function IE(e){let t=new Map;for(let r of e)t.has(r.name)&&Pe(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(IE,"buildPolicyMap");function TE(e){let t=new Map,r=new Set;for(let n of e.values()){if(!gh(n))continue;let a=ps(n.handler.options,n.name);r.has(a.id)&&Pe(`Duplicate upstream MCP connection id ${a.id} in policies.json.`),r.add(a.id);let s=RE({policyName:n.name,connection:a});t.set(n.name,s)}return t}o(TE,"buildConnectionsByPolicyName");function CE(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(CE,"readOperationId");function _h(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return St.parse(t)}catch{Pe(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o(_h,"buildPublishedCapabilityName");function cd(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||Pe(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;Pe(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o(cd,"readCapabilityUpstreamPolicy");function id(e){e.seen.has(e.key)&&Pe(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(id,"assertUniqueCatalogKey");function EE(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=_h({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:cd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(EE,"normalizeCatalogTool");function AE(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=_h({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:cd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(AE,"normalizeCatalogPrompt");function PE(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:cd({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(PE,"normalizeCatalogResource");function xE(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>EE({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>AE({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>PE({resource:d,connections:e.connections,routePath:e.routePath})),s=new Set;for(let d of r)id({kind:"tool",key:d.name,routePath:e.routePath,seen:s});let i=new Set;for(let d of n)id({kind:"prompt",key:d.name,routePath:e.routePath,seen:i});let c=new Set;for(let d of a)id({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:c});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(xE,"normalizeVirtualServerCatalog");function kE(e){let t=new Map,r=new Set;for(let n of e.routes){let a=n.policies?.inbound??[];if(a.length===0)continue;let s=a[0],i=s===void 0?void 0:e.policyByName.get(s);if(!i||!wE(i))continue;let c=CE(n);c||Pe(`MCP virtual server route ${n.path} must declare an operationId in routes.oas.json.`),r.has(c)&&Pe(`Duplicate MCP virtual server operationId ${c} across routes.`),r.add(c);let d=SE(n.path);t.has(d)&&Pe(`Duplicate MCP virtual server id ${d} across routes.`);let p=[];for(let h of a.slice(1)){let _=e.policyByName.get(h);if(!_||!gh(_))continue;let w=e.connectionsByPolicyName.get(h);w||Pe(`Upstream connection policy ${h} referenced by route ${n.path} could not be resolved.`),p.push(w)}let l=fh(n.handler.options),m=xE({catalog:l,connections:p,routePath:n.path});m.catalogSource==="upstream_mcp"&&p.length!==1&&Pe(`MCP virtual server route ${n.path} uses upstream MCP catalog mode but declares ${p.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(d,{virtualServerId:d,operationId:c,routePath:n.path,handlerExport:n.handler.export,serverInfo:m.serverInfo,catalog:m,connections:p})}return t}o(kE,"buildVirtualServers");function yh(e){let t=IE(e.policies),r=TE(t),n=kE({routes:e.routes,policyByName:t,connectionsByPolicyName:r}),a=new Map;for(let s of r.values())a.set(s.upstreamServerId,s);return{byVirtualServerId:n,connectionsById:a}}o(yh,"buildGatewayConnectionRegistry");var gs;function wh(e){gs=e}o(wh,"setGatewayConnectionRegistry");function tt(){if(!gs)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return gs}o(tt,"getGatewayConnectionRegistry");function Sh(e){let t=tt().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return t}o(Sh,"getRegisteredVirtualServer");function bo(e){let t=tt().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(bo,"requireRegisteredVirtualServer");function vh(){return gs}o(vh,"tryGetGatewayConnectionRegistry");var bh=new Ct("gateway-route");function Rh(e,t){bh.set(e,t)}o(Rh,"setGatewayRouteContext");function Ro(e){return bh.get(e)}o(Ro,"readGatewayRouteContext");function mn(e){let t=Ro(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(mn,"requireGatewayRouteContext");var Er="2025-06-18";var OE=new Set(["localhost","::1"]);function rt(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(rt,"normalizeHostname");function Ue(e){let t=rt(e.hostname);return e.protocol==="http:"&&(OE.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(Ue,"isLoopbackHttpUrl");function Q(e){return new URL(e).origin}o(Q,"readGatewayRequestOrigin");import{metrics as UE,context as _s,propagation as Th,SpanKind as Ch,SpanStatusCode as ud,trace as Io}from"@opentelemetry/api";var NE="mcp-gateway",$E="mcp-gateway",zE=Er,ME="2.0",Eh=Io.getTracer(NE),dd=UE.getMeter($E),DE=dd.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),qE=dd.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),LE=dd.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),jE=["traceparent","tracestate","baggage"];function ld(){return performance.now()/1e3}o(ld,"nowSeconds");function Ah(e,t){t(Math.max(ld()-e,0))}o(Ah,"recordDurationSeconds");function Ih(e){return e===void 0?void 0:String(e)}o(Ih,"stringifyAttribute");function Ie(e,t,r){r!==void 0&&(e[t]=r)}o(Ie,"assignAttribute");function HE(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(HE,"readTargetName");function Ph(e){let t=HE({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(Ph,"buildMcpOperationSpanName");function pd(e){let t={"mcp.method.name":e.methodName};return Ie(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??ME),Ie(t,"jsonrpc.request.id",Ih(e.jsonRpcRequestId)),Ie(t,"mcp.protocol.version",e.mcpProtocolVersion??zE),Ie(t,"mcp.session.id",e.mcpSessionId),Ie(t,"mcp.resource.uri",e.resourceUri),Ie(t,"rpc.response.status_code",Ih(e.rpcResponseStatusCode)),Ie(t,"error.type",e.errorType),e.capabilityType==="tool"&&(Ie(t,"gen_ai.operation.name","execute_tool"),Ie(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&Ie(t,"gen_ai.prompt.name",e.capabilityName),Ie(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),Ie(t,"network.protocol.version",e.networkProtocolVersion),Ie(t,"network.transport",e.networkTransport),Ie(t,"server.address",e.serverAddress),Ie(t,"server.port",e.serverPort),Ie(t,"client.address",e.clientAddress),Ie(t,"client.port",e.clientPort),t}o(pd,"buildMcpOperationAttributes");function GE(e){let t=pd({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(GE,"buildMcpSessionAttributes");function xh(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:ud.ERROR}),t instanceof Error&&e.recordException(t)}o(xh,"setSpanError");function kh(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(kh,"readErrorType");function BE(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?_s.active():Th.extract(_s.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(BE,"readServerParentContext");function VE(e){let t=Io.getSpanContext(_s.active()),r=Io.getSpanContext(e);if(!(!t||!Io.isSpanContextValid(t))&&!(r&&Io.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(VE,"readAmbientSpanLink");function Oh(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(Oh,"readResultErrorType");async function Ar(e,t){let r=ld(),n=pd({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return Eh.startActiveSpan(Ph(e),{kind:Ch.CLIENT,attributes:n},async a=>{try{let s=await t(),i=Oh(s);return i&&(a.setAttribute("error.type",i),a.setStatus({code:ud.ERROR}),n["error.type"]=i),s}catch(s){let i=e.errorType??kh(s);throw n["error.type"]=i,xh(a,s,i),s}finally{Ah(r,s=>{DE.record(s,n)}),a.end()}})}o(Ar,"runMcpClientOperation");async function Pr(e,t){let r=ld(),n=BE(e.params),a=pd({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),s=VE(n);return Eh.startActiveSpan(Ph(e),{kind:Ch.SERVER,attributes:a,...s?{links:s}:{}},n,async i=>{try{let c=await t(),d=Oh(c);return d&&(i.setAttribute("error.type",d),i.setStatus({code:ud.ERROR}),a["error.type"]=d),c}catch(c){let d=e.errorType??kh(c);throw a["error.type"]=d,xh(i,c,d),c}finally{Ah(r,c=>{qE.record(c,a)}),i.end()}})}o(Pr,"runMcpServerOperation");function Uh(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return Th.inject(_s.active(),t._meta,{set(r,n,a){jE.includes(n)&&(r[n]=a)}}),t}o(Uh,"injectMcpTraceContextIntoParams");function Nh(e,t){let r=GE({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});LE.record(Math.max(t,0),r)}o(Nh,"recordMcpClientSessionDuration");var md=new Ct("route-upstream-bindings");function FE(e){let t=md.get(e);if(t)return t;let r={bindings:[]};return md.set(e,r),r}o(FE,"readOrCreateRouteUpstreamBindingRegistry");function $h(e){return`${e.upstreamServerId}:${e.authProfileId}`}o($h,"buildRouteBindingDuplicateKey");function fd(e,t){let r=FE(e),n=$h(t);if(r.bindings.find(s=>$h(s)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.bindings.push(t)}o(fd,"appendResolvedUpstreamBindingContext");function zh(e){return md.get(e)?.bindings??[]}o(zh,"readResolvedUpstreamBindingContexts");W();function lt(e){return Q(e)}o(lt,"readGatewayOAuthIssuer");W();var fn=u.string().trim().min(1),To={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},ZE=u.object({issuer:u.url(),jwksUrl:u.url(),audience:fn}),KE=u.object({url:u.url(),tokenUrl:u.url().optional(),clientId:fn.optional(),clientSecret:fn.optional(),scope:fn.default("openid profile email"),audience:fn.optional(),remoteTimeoutMs:u.coerce.number().int().positive().default(1e4),stateTtlSeconds:u.coerce.number().int().positive().default(900),sessionTtlSeconds:u.coerce.number().int().positive().default(28800)}).strict(),WE=u.object({accessTokenTtlSeconds:u.coerce.number().int().positive().default(To.accessTokenTtlSeconds),refreshTokenTtlSeconds:u.coerce.number().int().positive().default(To.refreshTokenTtlSeconds),cimdEnabled:u.boolean().default(To.cimdEnabled)}).strict().default(To),JE=u.object({oidc:ZE,browserLogin:KE,gateway:WE.optional().default(To),devTenantId:fn.optional()}).strict();function Mh(e){return YE(e.browserLogin.url)?"local_dev":"federated_oidc"}o(Mh,"readBrowserLoginKind");function YE(e){let t;try{t=new URL(e)}catch{return!1}return Ue(t)&&t.pathname==="/oauth/dev-login"}o(YE,"isLoopbackDevLoginUrl");function ys(e){return JE.parse(e)}o(ys,"parseMcpOAuthRuntimeConfig");var hd;function Dh(e){hd=e}o(Dh,"setGatewayOAuthConfig");function _e(){if(!hd)throw g("internal_server_error","MCP gateway OAuth config has not been initialized. An `mcp-oauth-inbound` policy (or a provider-specific wrapper such as `mcp-auth0-oauth-inbound`) must be registered in policies.json so the gateway can derive its OAuth runtime configuration from policy options.");return hd}o(_e,"getGatewayOAuthConfig");W();var XE=43,QE=128,eA=/^[A-Za-z0-9._~-]+$/,gd="S256",hn=u.literal(gd),ws=u.string().min(XE).max(QE).regex(eA);W();W();var Ne=u.string().datetime({offset:!0}).brand();function K(e){return Ne.parse(e.toISOString())}o(K,"toIsoTimestamp");function ar(e,t){return new Date(e.getTime()+t*1e3)}o(ar,"addSeconds");var Ss=["none","client_secret_post","client_secret_basic"],tA=[...Ss,"private_key_jwt"],rA=["awaiting_login","awaiting_setup"],nA=u.string().min(1).brand(),oA=u.string().min(1).brand(),Ze=u.string().min(1).brand(),$t=u.uuid().brand(),sr=u.uuid().brand(),vs=u.uuid().brand(),Co=u.enum(Ss),aA=u.enum(tA),_d=u.enum(rA),qh=u.object({client_id:Ze,client_name:u.string().min(1),redirect_uris:u.array(u.string().min(1)).min(1),token_endpoint_auth_method:aA.default("none")}),Lh=u.object({clientId:Ze,clientName:u.string().min(1),redirectUris:u.array(u.string().min(1)),tokenEndpointAuthMethod:Co,hashedClientSecret:u.string().optional(),clientSecretExpiresAt:Ne.optional(),clientExpiresAt:Ne,revokedAt:Ne.optional(),createdAt:Ne}),yd=u.object({clientId:Ze,resource:u.string(),virtualServerId:ge,tenantId:nA,subjectId:oA,scope:u.string(),roles:u.array(u.string()),createdAt:Ne,expiresAt:Ne}),jh=yd.extend({id:sr,redirectUri:u.string(),clientState:u.string().optional(),codeChallenge:u.string(),codeChallengeMethod:hn}),Hh=yd.extend({id:$t,currentRefreshTokenHash:u.string().optional(),previousRefreshTokenHash:u.string().optional(),revokedAt:Ne.optional(),revokedReason:u.string().optional()}),Gh=yd.extend({tokenHash:u.string(),grantId:$t,revokedAt:Ne.optional()});function wd(){return sr.parse(crypto.randomUUID())}o(wd,"createDownstreamAuthorizationTransactionId");function Sd(){return vs.parse(crypto.randomUUID())}o(Sd,"createDownstreamBrowserLoginStateId");function Bh(){return $t.parse(crypto.randomUUID())}o(Bh,"createDownstreamGrantId");var oe="mcp:tools";function Rs(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return Ue(r)&&Ue(n)&&rt(r.hostname)===rt(n.hostname)&&r.pathname===n.pathname&&r.search===n.search}o(Rs,"redirectUriMatchesRegistration");function Vh(e){return Ue(e)&&e.pathname==="/oauth/dev-login"}o(Vh,"isLoopbackDevLoginUrl");function bs(e,t){return new URL(e,lt(t)).toString()}o(bs,"buildGatewayOAuthUrl");function vd(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,Q(e.requestUrl)).toString()}o(vd,"buildScopedAuthorizationServerIssuer");function sA(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,Q(e.requestUrl)).toString()}o(sA,"buildScopedAuthorizationEndpoint");function bd(e){let t=_e();return{issuer:lt(e),authorization_endpoint:bs("/oauth/authorize",e),token_endpoint:bs("/oauth/token",e),registration_endpoint:bs("/oauth/register",e),revocation_endpoint:bs("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[oe],code_challenge_methods_supported:[gd],token_endpoint_auth_methods_supported:Ss,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":Mh(t)}}o(bd,"buildAuthorizationServerMetadata");function Fh(e){let t=vd(e);return{...bd(e.requestUrl),issuer:t,authorization_endpoint:sA(e)}}o(Fh,"buildScopedAuthorizationServerMetadata");async function Zh(e,t){try{let r=ge.parse(e.params.virtualServerId),n=bo(r);return Response.json(iA(n.virtualServerId,e.url))}catch(r){let n=ae(r);return je(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(Zh,"protectedResourceMetadataHandler");function iA(e,t){return{resource:Eo(e,t),resource_name:e,authorization_servers:[vd({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[oe],mcp_protocol_version:Er}}o(iA,"buildProtectedResourceMetadataResponseBody");function Eo(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,Q(t)).toString()}o(Eo,"buildCanonicalMcpResourceForVirtualServer");function Kh(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,Q(t)).toString()}o(Kh,"buildProtectedResourceMetadataUrlForVirtualServer");var cA=u.record(u.string(),u.unknown()),Wh=u.string().min(1),uA=u.union([Wh.transform(e=>[e]),u.array(Wh)]),$e=u.string().min(1).brand(),le=u.string().min(1).brand(),dA=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],lA=["https://zuplo.com/roles","roles","role","permissions","groups"],pA=$e.parse("zuplo-poc"),Jh=new Ct("gateway-principal");function mA(e){let t=cA.safeParse(e);return t.success?t.data:{}}o(mA,"toClaimRecord");function fA(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(fA,"readValidationFailureDetail");function hA(e,t,r){for(let s of dA){let i=le.safeParse(t[s]);if(i.success)return i.data}let n=le.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",fA(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===lt(r)?n.data:le.parse(`${a}|${n.data}`)}o(hA,"readNormalizedSubjectId");function gA(e){let t=new Set;for(let r of lA){let n=uA.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(gA,"readRoles");function gn(e,t){let r=mA(e?.data),n={subjectId:hA(e,r,t),tenantId:pA},a=gA(r);return a&&(n.roles=a),n}o(gn,"parseGatewayPrincipal");function Yh(e){let t=Id(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(Yh,"requireGatewayPrincipal");function Xh(e,t){Jh.set(e,t)}o(Xh,"setGatewayPrincipal");function Id(e){return Jh.get(e)}o(Id,"readGatewayPrincipal");function _n(e){let r=['realm="OAuth"',`resource_metadata="${Rd(Kh(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${Rd(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${Rd(e.scope)}"`),`Bearer ${r.join(", ")}`}o(_n,"buildGatewayBearerChallenge");function Rd(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(Rd,"sanitizeQuotedHeaderParameter");var _A=2,Qh=4,yA=24,wA=16,eg=512,SA=/(token|secret|authorization|password|cookie|credential|client[_-]?secret|code[_-]?verifier|(^|[_-])(code|state|verifier)($|[_-]))/i,vA=/("(?:access_token|refresh_token|id_token|client_secret|authorization|password|cookie|code|state|code_verifier)"\s*:\s*")([^"]*)(")/gi,bA=/\b(access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|cookie|code|state|code[_-]?verifier)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,;&]+)/gi,RA=/\b(authorization)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|(?:Bearer|Basic)\s+[^\s,;]+|[^\s,;]+)/gi,IA=/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi,TA=/\bBasic\s+[A-Za-z0-9+/=-]+/gi;function tg(e){let t=e.route;return t&&typeof t=="object"?t:void 0}o(tg,"readRoute");function CA(e){let t=tg(e)?.path;return typeof t=="string"&&t.length>0?t:void 0}o(CA,"readRoutePath");function EA(e){let t=tg(e)?.raw;if(typeof t!="function")return;let r=t();if(!r||typeof r!="object")return;let n=r.operationId;return typeof n=="string"&&n.length>0?n:void 0}o(EA,"readRouteOperationId");function AA(e){if(!(e===void 0||!Number.isFinite(e)||e<100))return`${Math.trunc(e/100)}xx`}o(AA,"deriveStatusClass");function PA(e,t){if(!(!e&&!t))return e==="user"?t==="user_oauth"?"upstream_user_attributed":"gateway_user_attributed_only":e==="tenant_shared"?"tenant_shared_upstream_identity":e==="none"?"machine_identity":"unknown"}o(PA,"deriveOriginAttributionMode");function xA(e){if(!e)return;let t=e.toLowerCase();return t.includes("desktop")||t.includes("claude")||t.includes("chatgpt")?"desktop":t.includes("vscode")||t.includes("cursor")||t.includes("zed")||t.includes("jetbrains")||t.includes("ide")?"ide":t.includes("extension")?"extension":t.includes("agent")||t.includes("bot")||t.includes("worker")||t.includes("service")?"service":"unknown"}o(xA,"deriveClientKind");function kA(e,t){return t==="success"?"none":e===L.MCP_GATEWAY_REQUEST_RECEIVED||e===L.MCP_GATEWAY_REQUEST_REJECTED||e===L.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"ingress":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===L.MCP_GATEWAY_INITIALIZE_NEGOTIATED?"routing":e===L.MCP_GATEWAY_POLICY_DECISION?"policy":e===L.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===L.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e.startsWith("mcp_gateway_capability_")||e.startsWith("mcp_gateway_catalog_")?"upstream":e===L.MCP_GATEWAY_REQUEST_COMPLETED?"egress":"none"}o(kA,"deriveFailureStage");function OA(e,t){return t==="success"?"none":t==="application_error"?"mcp_application":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===L.MCP_GATEWAY_POLICY_DECISION||e===L.MCP_GATEWAY_GUARDRAIL_DECISION||e===L.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e===L.MCP_GATEWAY_CAPABILITY_FAILED||e===L.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED?"upstream":e===L.MCP_GATEWAY_REQUEST_REJECTED||e===L.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"client":"gateway"}o(OA,"deriveFailureOrigin");function UA(e,t){return t==="success"?"none":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===L.MCP_GATEWAY_POLICY_DECISION?"policy":e===L.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===L.MCP_GATEWAY_RATE_LIMIT_DECISION?"rate_limit":e.startsWith("mcp_gateway_upstream_")?"upstream":e===L.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR||e===L.MCP_GATEWAY_REQUEST_REJECTED?"protocol":"none"}o(UA,"deriveReasonClass");function NA(e){return e.length<=eg?e:`${e.slice(0,eg)}...`}o(NA,"truncateAnalyticsString");function $A(e){return NA(e.replace(vA,"$1[REDACTED]$3").replace(RA,"$1$2[REDACTED]").replace(bA,"$1$2[REDACTED]").replace(IA,"Bearer [REDACTED]").replace(TA,"Basic [REDACTED]"))}o($A,"redactAnalyticsString");function rg(e,t){if(e!==void 0){if(e===null||typeof e=="boolean")return e;if(typeof e=="string")return $A(e);if(typeof e=="number")return Number.isFinite(e)?e:void 0;if(Array.isArray(e))return t>=Qh?"[DEPTH_LIMIT]":e.slice(0,wA).map(r=>rg(r,t+1)).filter(r=>r!==void 0);if(typeof e=="object")return e instanceof Date?e.toISOString():t>=Qh?"[DEPTH_LIMIT]":ng(e,t+1)}}o(rg,"sanitizeAnalyticsValue");function ng(e,t=0){if(!e)return;let r={};for(let[n,a]of Object.entries(e).slice(0,yA)){if(SA.test(n)){r[n]="[REDACTED]";continue}let s=rg(a,t);s!==void 0&&(r[n]=s)}return Object.keys(r).length===0?void 0:r}o(ng,"sanitizeMcpGatewayAnalyticsAttributes");function O(e){return e===void 0?null:e}o(O,"nullable");function zA(e){let t=e.environment;return t&&typeof t=="object"&&typeof t.name=="string"?t.name:null}o(zA,"readEnvironment");function MA(e){let t=e.requestId;return typeof t=="string"&&t.length>0?t:null}o(MA,"readRequestId");function DA(e){if(e===void 0)return null;try{return JSON.stringify(e)}catch{return null}}o(DA,"attributesToJsonString");function qA(e,t){let r=Id(e),n=Ro(e),a=ng(t.attributes),s=MA(e),i=t.ownerMode??t.routeBinding?.ownerMode??null,c=t.upstreamAuthMode??t.routeBinding?.authMode??null,d=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId??null,p=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId??null,l=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName??null,m=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId??null,h=t.clientKind??xA(t.clientName)??null,_=PA(i??void 0,c??void 0)??null,w=AA(t.httpStatusCode)??null,y=t.reasonClass??UA(t.eventType,t.outcome),S=t.failureOrigin??OA(t.eventType,t.outcome),v=t.failureStage??kA(t.eventType,t.outcome);return{schemaVersion:_A,outcome:t.outcome,tenantId:O(r?.tenantId),subjectId:O(r?.subjectId),environment:zA(e),traceId:t.traceId??s,spanId:O(t.spanId),parentEventId:O(t.parentEventId),mcpSessionId:O(t.mcpSessionId),routeSurface:O(t.routeSurface),routePath:CA(e)??null,operationId:EA(e)??null,virtualServerName:d,virtualServerTitle:O(t.virtualServerTitle),upstreamServerName:p,upstreamServerTitle:l,upstreamBindingId:O(t.upstreamBindingId),clientName:O(t.clientName),clientTitle:O(t.clientTitle),clientVersion:O(t.clientVersion),clientKind:h,authProfileId:m,upstreamAuthMode:c,ownerMode:i,authMethod:O(t.authMethod),originAttributionMode:_,httpMethod:O(t.httpMethod),httpStatusCode:O(t.httpStatusCode),statusClass:w,mcpMethod:O(t.mcpMethod),mcpProtocolVersion:O(t.mcpProtocolVersion),mcpStatus:O(t.mcpStatus),mcpErrorType:O(t.mcpErrorType),applicationError:O(t.applicationError),applicationErrorCode:O(t.applicationErrorCode),toolResultIsError:O(t.toolResultIsError),capabilityType:O(t.capabilityType),capabilityName:O(t.capabilityName),capabilityTitle:O(t.capabilityTitle),upstreamCapabilityName:O(t.upstreamCapabilityName),upstreamCapabilityTitle:O(t.upstreamCapabilityTitle),capabilitySchemaHash:O(t.capabilitySchemaHash),policyId:O(t.policyId),policyAction:O(t.policyAction),guardrailType:O(t.guardrailType),guardrailDirection:O(t.guardrailDirection),guardrailFindingCount:O(t.guardrailFindingCount),redactionCount:O(t.redactionCount),requestMutated:O(t.requestMutated),responseMutated:O(t.responseMutated),latencyMs:O(t.latencyMs),gatewayLatencyMs:O(t.gatewayLatencyMs),upstreamLatencyMs:O(t.upstreamLatencyMs),authLatencyMs:O(t.authLatencyMs),policyLatencyMs:O(t.policyLatencyMs),requestBytes:O(t.requestBytes),responseBytes:O(t.responseBytes),estimatedInputTokens:O(t.estimatedInputTokens),estimatedOutputTokens:O(t.estimatedOutputTokens),estimatedContextTokens:O(t.estimatedContextTokens),contextPressureBucket:O(t.contextPressureBucket),responseMimeTypes:O(t.responseMimeTypes),base64Suspected:O(t.base64Suspected),truncated:O(t.truncated),isLargePayloadRequest:O(t.isLargePayloadRequest),isLargePayloadResponse:O(t.isLargePayloadResponse),payloadCaptureMode:O(t.payloadCaptureMode),reasonCode:O(t.reasonCode),reasonClass:y,errorType:t.errorType??t.reasonCode??null,failureOrigin:S,failureStage:v,customMetadataJson:O(t.customMetadataJson),attributesJson:DA(a)}}o(qA,"buildMcpGatewayAnalyticsMetadata");function He(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,qA(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_gateway_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(He,"emitMcpGatewayAnalyticsEvent");function Ge(e){let t=tt().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(Ge,"getUpstreamServerConfig");function LA(e){let t=tt().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(LA,"resolveUpstreamAuthProfileId");function ir(e){LA(e);let t=tt().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(ir,"getUpstreamAuthConfig");function xr(e,t){let r=ir({upstreamServerId:e,authProfileId:t});if(!mh(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(xr,"requireUpstreamOAuthConfig");var jA={tenant_shared_oauth:{authMode:"tenant_shared_oauth",ownerMode:"tenant_shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},user_oauth:{authMode:"user_oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},static_secret:{authMode:"static_secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured_static_secret"},tenant_static_secret:{authMode:"tenant_static_secret",ownerMode:"tenant_shared",connectSupport:"none",connectUnsupportedDetail:"Tenant static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"tenant_static_secret_connection"},user_static_secret:{authMode:"user_static_secret",ownerMode:"user",connectSupport:"user_static_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_static_secret_connection"}};function vt(e){return jA[e]}o(vt,"describeUpstreamAuthMode");function Td(e){return vt(e).ownerMode}o(Td,"resolveOwnerModeForUpstreamAuthMode");W();var Cd=u.string().trim().min(1),HA=u.object({TOKEN_ENCRYPTION_KEY:Cd,OAUTH_STATE_SIGNING_KEY:Cd,TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING:Cd.optional()}),GA=["TOKEN_ENCRYPTION_KEY","OAUTH_STATE_SIGNING_KEY","TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING"];function BA(e){let t=Si[e];return typeof t=="string"?t:void 0}o(BA,"readEnvValue");function VA(){let e={};for(let t of GA){let r=BA(t);r!==void 0&&(e[t]=r)}return e}o(VA,"readRawEnv");var Ed;function FA(e){return e.issues.map(t=>`- ${t.path.length>0?t.path.map(String).join("."):"environment"}: ${t.message}`)}o(FA,"formatZodIssues");function ZA(e){return new Tt(["Invalid MCP gateway environment configuration.","Validation failed for these environment variables:",...FA(e)].join(`
+`),{cause:e})}o(ZA,"createEnvValidationError");function KA(e){let t=HA.safeParse(e);if(!t.success)throw ZA(t.error);return t.data}o(KA,"parseGatewayEnv");function WA(){return Ed||(Ed=KA(VA())),Ed}o(WA,"readEnv");function Is(){return WA()}o(Is,"getEnv");W();W();function JA(e){if(e instanceof Date)return e;let t=new Date(e);if(Number.isNaN(t.getTime()))throw new Error("Expected a valid timestamp",{cause:new Error(`received: ${String(e)}`)});return t}o(JA,"parseDate");function cr(e,t){if(typeof e!="string")return e;try{return JSON.parse(e)}catch(r){throw new Error(`Persisted ${t} must be valid JSON`,{cause:r})}}o(cr,"parseJsonValue");function Ad(e,t){return u.array(u.string()).parse(cr(e,t))}o(Ad,"parseStringArray");var ie=u.union([u.date(),u.string()]).transform(e=>JA(e));var YA=u.object({current_state_hash:u.string(),phase:_d,consumed_at:ie.nullable(),expires_at:ie}),XA=u.object({id:$t,revoked_at:ie.nullable().optional(),expires_at:ie,matched:u.enum(["current","previous"])}),QA=u.object({id:$t,matched:u.literal("current")}),eP=u.object({client_id:Ze,client_name:u.string(),redirect_uris:u.unknown(),token_endpoint_auth_method:Co,hashed_client_secret:u.string().nullable(),client_secret_expires_at:ie.nullable(),client_expires_at:ie,revoked_at:ie.nullable(),created_at:ie}).transform(e=>{let t={clientId:e.client_id,clientName:e.client_name,redirectUris:Ad(e.redirect_uris,"redirect_uris"),tokenEndpointAuthMethod:e.token_endpoint_auth_method,createdAt:K(e.created_at),clientExpiresAt:K(e.client_expires_at)};return e.hashed_client_secret&&(t.hashedClientSecret=e.hashed_client_secret),e.client_secret_expires_at&&(t.clientSecretExpiresAt=K(e.client_secret_expires_at)),e.revoked_at&&(t.revokedAt=K(e.revoked_at)),Lh.parse(t)}),Pd=u.object({id:sr,current_state_hash:u.string(),phase:_d,principal_subject_id:le.nullable(),principal_tenant_id:$e.nullable(),principal_roles:u.unknown().nullable(),client_id:Ze,redirect_uri:u.string(),resource:u.string(),virtual_server_id:ge,client_state:u.string().nullable(),scope:u.string(),code_challenge:u.string(),code_challenge_method:hn,created_at:ie,expires_at:ie,consumed_at:ie.nullable()}).transform(e=>{let t={id:e.id,currentStateHash:e.current_state_hash,clientId:e.client_id,redirectUri:e.redirect_uri,resource:e.resource,virtualServerId:e.virtual_server_id,scope:e.scope,codeChallenge:e.code_challenge,codeChallengeMethod:e.code_challenge_method,createdAt:K(e.created_at),expiresAt:K(e.expires_at)};if(e.client_state&&(t.clientState=e.client_state),e.consumed_at&&(t.consumedAt=K(e.consumed_at)),e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal_subject_id||!e.principal_tenant_id)throw new Error("Awaiting-setup pending authorization row is missing principal.");return{...t,phase:"awaiting_setup",principal:{subjectId:e.principal_subject_id,tenantId:e.principal_tenant_id,...e.principal_roles===null?{}:{roles:u.array(u.string()).parse(cr(e.principal_roles,"principal_roles"))}}}}),tP=u.object({id:sr});function ag(e){return{clientId:e.client_id,resource:e.resource,virtualServerId:e.virtual_server_id,tenantId:e.tenant_id,subjectId:e.subject_id,scope:e.scope,roles:Ad(e.roles,"roles"),createdAt:K(e.created_at),expiresAt:K(e.expires_at)}}o(ag,"downstreamGrantAccessFields");var og=u.object({id:$t,client_id:Ze,resource:u.string(),virtual_server_id:ge,tenant_id:$e,subject_id:le,scope:u.string(),roles:u.unknown(),current_refresh_token_hash:u.string().nullable(),previous_refresh_token_hash:u.string().nullable(),created_at:ie,expires_at:ie,revoked_at:ie.nullable(),revoked_reason:u.string().nullable()}).transform(e=>{let t={id:e.id,...ag(e)};return e.current_refresh_token_hash&&(t.currentRefreshTokenHash=e.current_refresh_token_hash),e.previous_refresh_token_hash&&(t.previousRefreshTokenHash=e.previous_refresh_token_hash),e.revoked_at&&(t.revokedAt=K(e.revoked_at)),e.revoked_reason&&(t.revokedReason=e.revoked_reason),Hh.parse(t)}),rP=u.object({token_hash:u.string(),grant_id:$t,client_id:Ze,resource:u.string(),virtual_server_id:ge,tenant_id:$e,subject_id:le,scope:u.string(),roles:u.unknown(),created_at:ie,expires_at:ie,revoked_at:ie.nullable()}).transform(e=>{let t={tokenHash:e.token_hash,grantId:e.grant_id,...ag(e)};return e.revoked_at&&(t.revokedAt=K(e.revoked_at)),Gh.parse(t)});function sg(e){return[e.clientId,e.redirectUri,e.resource,e.virtualServerId,e.tenantId,e.subjectId,e.scope,JSON.stringify(e.roles),e.codeChallenge,e.codeChallengeMethod,new Date(e.createdAt),new Date(e.expiresAt)]}o(sg,"authorizationTransactionValues");function nP(e,t){let r=jh.parse(t);return e.query(`INSERT INTO downstream_oauth_authorization_transactions (
+       id, client_id, redirect_uri, resource, virtual_server_id, tenant_id,
+       subject_id, scope, roles, code_challenge, code_challenge_method,
+       created_at, expires_at
+     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12, $13)`,[r.id,...sg(r)])}o(nP,"insertAuthorizationTransaction");function oP(e,t){return e.query(`INSERT INTO downstream_oauth_authorization_codes (
+       code_hash, transaction_id, grant_id, client_id, redirect_uri, resource,
+       virtual_server_id, tenant_id, subject_id, scope, roles,
+       code_challenge, code_challenge_method, created_at, expires_at
+     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11::jsonb, $12, $13, $14, $15)`,[t.codeHash,t.id,t.grantId,...sg(t)])}o(oP,"insertAuthorizationCode");function aP(e,t){return e&&!e.revokedAt?new Date(e.expiresAt).getTime()<=t.getTime()?{kind:"expired"}:void 0:{kind:"revoked"}}o(aP,"accessTokenGrantValidationFailure");var Ts=class{constructor(t){this.db=t}static{o(this,"PostgresDownstreamOAuthRepository")}async readPendingAuthorizationStatus(t){return u.array(YA).parse(await this.db.query(`SELECT current_state_hash, phase, consumed_at, expires_at
+         FROM downstream_oauth_pending_authorization_transactions
+         WHERE id = $1
+         LIMIT 1`,[t]))[0]}async readPendingAuthorizationAdvanceFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:r.phase!==t.expectedPhase?{kind:"wrong_phase",current:r.phase}:{kind:"stale_hash"}:{kind:"missing"}}async readPendingAuthorizationConsumeFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed_already"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"stale_hash"}:{kind:"missing"}}async getDcrClient(t){return u.array(eP).parse(await this.db.query(`SELECT
+           client_id,
+           client_name,
+           redirect_uris,
+           token_endpoint_auth_method,
+           hashed_client_secret,
+           client_secret_expires_at,
+           client_expires_at,
+           revoked_at,
+           created_at
+         FROM downstream_oauth_dcr_clients
+         WHERE client_id = $1
+           AND revoked_at IS NULL
+           AND client_expires_at > NOW()
+         LIMIT 1`,[t]))[0]}async saveDcrClient(t){await this.db.query(`INSERT INTO downstream_oauth_dcr_clients (
+         client_id,
+         client_name,
+         redirect_uris,
+         token_endpoint_auth_method,
+         hashed_client_secret,
+         client_secret_expires_at,
+         client_expires_at,
+         revoked_at,
+         created_at
+       ) VALUES ($1, $2, $3::jsonb, $4, $5, $6, $7, $8, $9)`,[t.clientId,t.clientName,JSON.stringify(t.redirectUris),t.tokenEndpointAuthMethod,t.hashedClientSecret??null,t.clientSecretExpiresAt?new Date(t.clientSecretExpiresAt):null,new Date(t.clientExpiresAt),t.revokedAt?new Date(t.revokedAt):null,new Date(t.createdAt)])}async savePendingAuthorizationTransaction(t){return u.array(tP).parse(await this.db.query(`INSERT INTO downstream_oauth_pending_authorization_transactions (
+         id, current_state_hash, phase, principal_subject_id,
+         principal_tenant_id, principal_roles, client_id, redirect_uri,
+         resource, virtual_server_id, client_state, scope, code_challenge,
+         code_challenge_method, created_at, expires_at, consumed_at
+       ) VALUES ($1, $2, $3, $4, $5, $6::jsonb, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17)
+       ON CONFLICT (id) DO NOTHING
+       RETURNING id`,[t.id,t.currentStateHash,t.phase,t.phase==="awaiting_setup"?t.principal.subjectId:null,t.phase==="awaiting_setup"?t.principal.tenantId:null,t.phase==="awaiting_setup"&&t.principal.roles!==void 0?JSON.stringify(t.principal.roles):null,t.clientId,t.redirectUri,t.resource,t.virtualServerId,t.clientState??null,t.scope,t.codeChallenge,t.codeChallengeMethod,new Date(t.createdAt),new Date(t.expiresAt),t.consumedAt?new Date(t.consumedAt):null])).length>0?{kind:"saved"}:{kind:"already_exists"}}async advancePendingAuthorizationTransaction(t){let n=u.array(Pd).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
+         SET current_state_hash = $4,
+             phase = $5,
+             principal_subject_id = $6,
+             principal_tenant_id = $7,
+             principal_roles = $8::jsonb
+         WHERE id = $1
+           AND current_state_hash = $2
+           AND phase = $3
+           AND consumed_at IS NULL
+           AND expires_at > $9
+         RETURNING *`,[t.id,t.currentStateHash,t.expectedPhase,t.nextStateHash,t.nextPhase,t.principal.subjectId,t.principal.tenantId,t.principal.roles===void 0?null:JSON.stringify(t.principal.roles),t.now]))[0];return n?{kind:"advanced",record:n}:this.readPendingAuthorizationAdvanceFailure(t)}async getPendingAuthorizationTransaction(t){let n=u.array(Pd).parse(await this.db.query(`SELECT *
+         FROM downstream_oauth_pending_authorization_transactions
+         WHERE id = $1
+         LIMIT 1`,[t.id]))[0];return n?n.consumedAt?{kind:"consumed"}:new Date(n.expiresAt).getTime()<=t.now.getTime()?{kind:"expired"}:n.currentStateHash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"available",record:n}:{kind:"missing"}}async consumePendingAuthorizationTransaction(t){let n=u.array(Pd).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
+       SET consumed_at = $3
+       WHERE id = $1
+         AND current_state_hash = $2
+         AND consumed_at IS NULL
+         AND expires_at > $3
+       RETURNING *`,[t.id,t.currentStateHash,t.now]))[0];return n?{kind:"consumed",record:n}:this.readPendingAuthorizationConsumeFailure(t)}async issueAuthorizationCode(t){await this.db.transaction(r=>[nP(r,t),oP(r,t)])}async exchangeAuthorizationCode(t){let n=u.array(u.object({redirect_uri:u.string()})).parse(await this.db.query(`SELECT redirect_uri
+       FROM downstream_oauth_authorization_codes
+       WHERE code_hash = $1
+       LIMIT 1`,[t.codeHash]))[0]?.redirect_uri,a=n!==void 0&&Rs(n,t.redirectUri)?n:t.redirectUri,i=u.array(u.record(u.string(),u.unknown())).parse(await this.db.query(`WITH candidate AS (
+           SELECT *
+           FROM downstream_oauth_authorization_codes
+           WHERE code_hash = $1
+           LIMIT 1
+         ),
+         claimed AS (
+           UPDATE downstream_oauth_authorization_codes
+           SET consumed_at = $8
+           WHERE code_hash = $1
+             AND consumed_at IS NULL
+             AND expires_at > $8
+             AND client_id = $2
+             AND redirect_uri = $3
+             AND ($4::text IS NULL OR resource = $4)
+             AND code_challenge = $5
+           RETURNING *
+         ),
+         replayed_grant AS (
+           UPDATE downstream_oauth_grants AS grants
+           SET revoked_at = $8,
+               revoked_reason = 'authorization_code_replay'
+           FROM candidate
+           WHERE candidate.consumed_at IS NOT NULL
+             AND grants.id = candidate.grant_id
+             AND grants.revoked_at IS NULL
+           RETURNING grants.id
+         ),
+         replayed_access AS (
+           UPDATE downstream_oauth_access_tokens AS access_tokens
+           SET revoked_at = $8
+           FROM candidate
+           WHERE candidate.consumed_at IS NOT NULL
+             AND access_tokens.grant_id = candidate.grant_id
+             AND access_tokens.revoked_at IS NULL
+           RETURNING access_tokens.token_hash
+         ),
+         replayed_code AS (
+           UPDATE downstream_oauth_authorization_codes AS codes
+           SET replayed_at = COALESCE(codes.replayed_at, $8)
+           FROM candidate
+           WHERE candidate.consumed_at IS NOT NULL
+             AND codes.code_hash = candidate.code_hash
+           RETURNING codes.code_hash
+         ),
+         inserted_grant AS (
+           INSERT INTO downstream_oauth_grants (
+             id, client_id, resource, virtual_server_id, tenant_id, subject_id,
+             scope, roles, current_refresh_token_hash, previous_refresh_token_hash,
+             created_at, expires_at, revoked_at, revoked_reason
+           )
+           SELECT
+             grant_id, client_id, resource, virtual_server_id, tenant_id,
+             subject_id, scope, roles, $6, NULL, $8, $9, NULL, NULL
+           FROM claimed
+           RETURNING *
+         ),
+         revoked_prior_grants AS (
+           UPDATE downstream_oauth_grants AS grants
+           SET revoked_at = $8,
+               revoked_reason = 'reauthorized'
+           FROM inserted_grant
+           WHERE grants.tenant_id = inserted_grant.tenant_id
+             AND grants.subject_id = inserted_grant.subject_id
+             AND grants.client_id = inserted_grant.client_id
+             AND grants.resource = inserted_grant.resource
+             AND grants.id <> inserted_grant.id
+             AND grants.revoked_at IS NULL
+           RETURNING grants.id
+         ),
+         revoked_prior_access AS (
+           UPDATE downstream_oauth_access_tokens AS access_tokens
+           SET revoked_at = $8
+           FROM revoked_prior_grants
+           WHERE access_tokens.grant_id = revoked_prior_grants.id
+             AND access_tokens.revoked_at IS NULL
+           RETURNING access_tokens.token_hash
+         ),
+         inserted_access AS (
+           INSERT INTO downstream_oauth_access_tokens (
+             token_hash, grant_id, client_id, resource, virtual_server_id,
+             tenant_id, subject_id, scope, roles, created_at, expires_at,
+             revoked_at
+           )
+           SELECT
+             $7, id, client_id, resource, virtual_server_id, tenant_id,
+             subject_id, scope, roles, $8, $10, NULL
+           FROM inserted_grant
+           RETURNING token_hash
+         )
+         SELECT
+           CASE
+             WHEN EXISTS (SELECT 1 FROM inserted_grant) THEN 'exchanged'
+             WHEN NOT EXISTS (SELECT 1 FROM candidate) THEN 'missing'
+             WHEN (SELECT consumed_at FROM candidate) IS NOT NULL THEN 'consumed'
+             WHEN (SELECT expires_at FROM candidate) <= $8 THEN 'expired'
+             WHEN (SELECT client_id FROM candidate) = $2
+               AND (SELECT redirect_uri FROM candidate) = $3
+               AND (SELECT code_challenge FROM candidate) = $5
+               AND $4::text IS NOT NULL
+               AND (SELECT resource FROM candidate) <> $4
+             THEN 'resource_mismatch'
+             ELSE 'binding_mismatch'
+           END AS kind,
+           inserted_grant.*
+         FROM (SELECT 1) AS marker
+         LEFT JOIN inserted_grant ON TRUE`,[t.codeHash,t.clientId,a,t.resource,t.codeChallenge,t.currentRefreshTokenHash,t.accessTokenHash,t.now,new Date(t.grantExpiresAt),new Date(t.accessTokenExpiresAt)]))[0],c=u.enum(["exchanged","consumed","missing","expired","resource_mismatch","binding_mismatch"]).parse(i?.kind??"missing");return c!=="exchanged"?{kind:c}:{kind:"exchanged",grant:og.parse(i)}}async getGrant(t){return u.array(og).parse(await this.db.query(`SELECT *
+         FROM downstream_oauth_grants
+         WHERE id = $1
+         LIMIT 1`,[t]))[0]}async saveAccessToken(t){await this.db.query(`INSERT INTO downstream_oauth_access_tokens (
+         token_hash, grant_id, client_id, resource, virtual_server_id, tenant_id,
+         subject_id, scope, roles, created_at, expires_at, revoked_at
+       ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12)`,[t.tokenHash,t.grantId,t.clientId,t.resource,t.virtualServerId,t.tenantId,t.subjectId,t.scope,JSON.stringify(t.roles),new Date(t.createdAt),new Date(t.expiresAt),t.revokedAt?new Date(t.revokedAt):null])}async validateAccessToken(t){let n=u.array(rP).parse(await this.db.query(`SELECT access_tokens.*
+         FROM downstream_oauth_access_tokens AS access_tokens
+         JOIN downstream_oauth_grants AS grants
+           ON grants.id = access_tokens.grant_id
+         WHERE access_tokens.token_hash = $1
+         LIMIT 1`,[t.tokenHash]))[0];if(!n)return{kind:"missing"};if(n.revokedAt)return{kind:"revoked"};if(new Date(n.expiresAt).getTime()<=t.now.getTime())return{kind:"expired"};let a=await this.getGrant(n.grantId),s=aP(a,t.now);return s||{kind:"valid",record:n}}async rotateRefreshToken(t){let r=await this.rotateCurrentRefreshToken(t);if(!r)return this.resolveUnrotatedRefreshToken(t);let n=await this.getGrant(r.id);return n?{kind:"rotated",grant:n,matched:r.matched}:{kind:"missing"}}async rotateCurrentRefreshToken(t){return u.array(QA).parse(await this.db.query(`WITH candidate AS (
+           SELECT id,
+             'current' AS matched
+           FROM downstream_oauth_grants
+           WHERE client_id = $3
+             AND revoked_at IS NULL
+             AND expires_at > $4
+             AND ($5::text IS NULL OR resource = $5)
+             AND current_refresh_token_hash = $1
+           ORDER BY created_at DESC
+           LIMIT 1
+         )
+         UPDATE downstream_oauth_grants AS grants
+         SET previous_refresh_token_hash = $1,
+             current_refresh_token_hash = $2
+         FROM candidate
+         WHERE grants.id = candidate.id
+           AND grants.client_id = $3
+           AND grants.revoked_at IS NULL
+           AND grants.expires_at > $4
+           AND ($5::text IS NULL OR grants.resource = $5)
+           AND grants.current_refresh_token_hash = $1
+         RETURNING grants.*, candidate.matched`,[t.currentTokenHash,t.nextTokenHash,t.clientId,t.now,t.resource??null]))[0]}async resolveUnrotatedRefreshToken(t){let r=await this.findRefreshTokenGrantStatus(t,!0),n=await this.refreshTokenGrantFailure(t,r);if(n)return n;if(r)return{kind:"missing"};let a=await this.findRefreshTokenGrantStatus(t,!1),s=await this.refreshTokenGrantFailure(t,a);return s||(a&&t.resource!==void 0?{kind:"resource_mismatch"}:{kind:"missing"})}async findRefreshTokenGrantStatus(t,r){let n=r?"AND ($3::text IS NULL OR resource = $3)":"",a=r?[t.clientId,t.currentTokenHash,t.resource??null]:[t.clientId,t.currentTokenHash];return u.array(XA).parse(await this.db.query(`SELECT id,
+                revoked_at,
+                expires_at,
+                CASE
+                  WHEN current_refresh_token_hash = $2 THEN 'current'
+                  ELSE 'previous'
+                END AS matched
+         FROM downstream_oauth_grants
+         WHERE client_id = $1
+           ${n}
+           AND (
+             current_refresh_token_hash = $2
+             OR previous_refresh_token_hash = $2
+           )
+         LIMIT 1`,a))[0]}async refreshTokenGrantFailure(t,r){if(r){if(r.revoked_at)return{kind:"revoked"};if(r.expires_at.getTime()<=t.now.getTime())return{kind:"expired"};if(r.matched==="previous")return await this.revokeGrant({grantId:r.id,now:t.now,reason:"refresh_token_replay"}),{kind:"revoked"}}}async revokeOAuthToken(t){let n=u.array(u.object({token_hash:u.string(),client_id:Ze})).parse(await this.db.query(`SELECT token_hash, client_id
+         FROM downstream_oauth_access_tokens
+         WHERE token_hash = $1
+         LIMIT 1`,[t.tokenHash]))[0];if(n)return n.client_id!==t.clientId?{kind:"client_mismatch"}:(await this.db.query(`UPDATE downstream_oauth_access_tokens
+         SET revoked_at = $2
+         WHERE token_hash = $1 AND revoked_at IS NULL`,[t.tokenHash,t.now]),{kind:"revoked_access_token"});let s=u.array(u.object({id:$t,client_id:Ze})).parse(await this.db.query(`SELECT id, client_id
+         FROM downstream_oauth_grants
+         WHERE current_refresh_token_hash = $1
+            OR previous_refresh_token_hash = $1
+         ORDER BY created_at DESC
+         LIMIT 1`,[t.tokenHash]))[0];return s?this.revokeRefreshTokenGrantForOAuthToken(t,s):{kind:"missing"}}async revokeRefreshTokenGrantForOAuthToken(t,r){return r.client_id!==t.clientId?{kind:"client_mismatch"}:this.revokeGrantForOAuthToken(t,r.id)}async revokeGrantForOAuthToken(t,r){return await this.revokeGrant({grantId:r,now:t.now,reason:"token_revocation"}),{kind:"revoked_grant"}}async revokeGrant(t){await this.db.transaction(r=>[r.query(`UPDATE downstream_oauth_grants
+         SET revoked_at = $2,
+             revoked_reason = $3
+         WHERE id = $1 AND revoked_at IS NULL`,[t.grantId,t.now,t.reason]),r.query(`UPDATE downstream_oauth_access_tokens
+         SET revoked_at = $2
+         WHERE grant_id = $1 AND revoked_at IS NULL`,[t.grantId,t.now])])}};var Cs=class{constructor(t,r){this.raw=t;this.singleShotExecutor=r}static{o(this,"HttpPgQuery")}[Symbol.toStringTag]="HttpPgQuery";then(t,r){return this.singleShotExecutor(this.raw).then(t,r)}catch(t){return this.singleShotExecutor(this.raw).catch(t)}finally(t){return this.singleShotExecutor(this.raw).finally(t)}};function sP(e){return e instanceof Cs}o(sP,"isHttpPgQuery");function iP(e){let t;try{t=new URL(e)}catch(n){throw new Error("Database connection string is not a valid URL. Expected: postgresql://user:password@host.tld/dbname",{cause:n})}if(t.protocol!=="postgresql:"&&t.protocol!=="postgres:")throw g("internal_server_error",`Database connection string must use postgres:// or postgresql:// (got ${t.protocol})`);if(!t.hostname)throw g("internal_server_error","Database connection string is missing the host.");let r=t.hostname.replace(/^[^.]+\./,"api.");return{host:t.hostname,fetchEndpoint:`https://${r}/sql`}}o(iP,"parseConnectionString");function cP(e){return typeof e=="object"&&e!==null&&typeof e.message=="string"?e.message??"Unknown postgres error":"Unknown postgres error"}o(cP,"readErrorMessage");function uP(e){return typeof e=="object"&&e!==null&&Array.isArray(e.rows)}o(uP,"isSingleResponse");function dP(e){return typeof e=="object"&&e!==null&&Array.isArray(e.results)}o(dP,"isBatchResponse");function ig(e,t={}){let{fetchEndpoint:r}=iP(e),n=t.fetchFn??fetch;async function a(d){let p=await s({query:d.query,params:d.params});if(!uP(p))throw g("internal_server_error","Unexpected postgres response shape: missing `rows`.");return p.rows}o(a,"runSingle");async function s(d){let p=await n(r,{method:"POST",headers:{"content-type":"application/json","Neon-Connection-String":e,"Neon-Raw-Text-Output":"true"},body:JSON.stringify(d)});if(!p.ok){let l;try{l=await p.json()}catch{l=void 0}let m=new Error(cP(l));throw g({code:"internal_server_error",privateDetail:`Postgres HTTP request failed (status ${p.status})`,cause:m})}return p.json()}o(s,"runRequest");function i(){return{query(d,p){return new Cs({query:d,params:p??[]},a)}}}o(i,"buildQueryDatabase");let c=i();return{query:c.query,async transaction(d){let l=d(c).map((h,_)=>{if(!sP(h))throw new Error(`transaction callback returned an unexpected query operation at index ${_}. Each statement must be a direct \`db.query(...)\` call (do not \`await\` inside the callback).`);return h.raw}),m=await s({queries:l.map(h=>({query:h.query,params:h.params}))});if(!dP(m))throw new Error("Unexpected postgres response shape: missing `results` for transaction.");return m.results.map(h=>h.rows)}}}o(ig,"createHttpPostgresGatewayDatabase");var lP=`
+DO $$
+BEGIN
+  IF to_regclass('public.downstream_oauth_pending_authorization_transactions') IS NULL THEN
+    -- Fresh DB: 0000_messy_makkari created the right shape already.
+    RETURN;
+  END IF;
+  -- Old prototype shape (0000_narrow_cerise) used login_state_hash as part of
+  -- a composite PK. 0004_famous_mastermind renamed it. If we still have the old
+  -- column name, rename it instead of creating a new column so existing rows
+  -- (and any prototype data) survive.
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_pending_authorization_transactions'
+      AND column_name = 'login_state_hash'
+  ) AND NOT EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_pending_authorization_transactions'
+      AND column_name = 'current_state_hash'
+  ) THEN
+    -- 0004_famous_mastermind unconditionally truncated the table on rename
+    -- because the principal/phase columns are NOT NULL on the new shape and
+    -- there is no sane backfill. We mirror that here.
+    EXECUTE 'TRUNCATE TABLE public.downstream_oauth_pending_authorization_transactions';
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions RENAME COLUMN login_state_hash TO current_state_hash';
+  END IF;
+  -- If neither column exists, we are in the rewritten-0000_messy_makkari case
+  -- where the prototype edited the migration after applying it, leaving the
+  -- column out entirely. Add it (NOT NULL); the table is dev-only so any rows
+  -- that violate it are fine to drop.
+  IF NOT EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_pending_authorization_transactions'
+      AND column_name = 'current_state_hash'
+  ) THEN
+    EXECUTE 'TRUNCATE TABLE public.downstream_oauth_pending_authorization_transactions';
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD COLUMN current_state_hash text NOT NULL';
+  END IF;
+  -- Composite PK (id, login_state_hash) -> single-column PK (id).
+  IF EXISTS (
+    SELECT 1
+    FROM pg_constraint
+    WHERE conname = 'downstream_oauth_pending_authorization_transactions_id_login_state_hash_pk'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions DROP CONSTRAINT downstream_oauth_pending_authorization_transactions_id_login_state_hash_pk';
+  END IF;
+  IF NOT EXISTS (
+    SELECT 1
+    FROM pg_constraint
+    WHERE conname = 'downstream_oauth_pending_authorization_transactions_id_pk'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_transactions_id_pk PRIMARY KEY (id)';
+  END IF;
+  -- 0004_famous_mastermind columns.
+  IF NOT EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_pending_authorization_transactions'
+      AND column_name = 'phase'
+  ) THEN
+    EXECUTE 'TRUNCATE TABLE public.downstream_oauth_pending_authorization_transactions';
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD COLUMN phase text NOT NULL';
+  END IF;
+  IF NOT EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_pending_authorization_transactions'
+      AND column_name = 'principal_subject_id'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD COLUMN principal_subject_id text';
+  END IF;
+  IF NOT EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_pending_authorization_transactions'
+      AND column_name = 'principal_tenant_id'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD COLUMN principal_tenant_id text';
+  END IF;
+  IF NOT EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_pending_authorization_transactions'
+      AND column_name = 'principal_roles'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD COLUMN principal_roles jsonb';
+  END IF;
+  -- UNIQUE on current_state_hash.
+  IF NOT EXISTS (
+    SELECT 1
+    FROM pg_constraint
+    WHERE conname = 'downstream_oauth_pending_authorization_current_state_hash_unique'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_current_state_hash_unique UNIQUE (current_state_hash)';
+  END IF;
+  -- CHECK constraints from 0004_famous_mastermind.
+  IF NOT EXISTS (
+    SELECT 1
+    FROM pg_constraint
+    WHERE conname = 'downstream_oauth_pending_authorization_phase_check'
+  ) THEN
+    EXECUTE $check$ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_phase_check CHECK ("downstream_oauth_pending_authorization_transactions"."phase" IN ('awaiting_login', 'awaiting_setup'))$check$;
+  END IF;
+  IF NOT EXISTS (
+    SELECT 1
+    FROM pg_constraint
+    WHERE conname = 'downstream_oauth_pending_authorization_phase_principal_check'
+  ) THEN
+    EXECUTE $check$ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_phase_principal_check CHECK ((
+        "downstream_oauth_pending_authorization_transactions"."phase" = 'awaiting_login'
+        AND "downstream_oauth_pending_authorization_transactions"."principal_subject_id" IS NULL
+        AND "downstream_oauth_pending_authorization_transactions"."principal_tenant_id" IS NULL
+        AND "downstream_oauth_pending_authorization_transactions"."principal_roles" IS NULL
+      ) OR (
+        "downstream_oauth_pending_authorization_transactions"."phase" = 'awaiting_setup'
+        AND "downstream_oauth_pending_authorization_transactions"."principal_subject_id" IS NOT NULL
+        AND "downstream_oauth_pending_authorization_transactions"."principal_tenant_id" IS NOT NULL
+        AND (
+          "downstream_oauth_pending_authorization_transactions"."principal_roles" IS NULL
+          OR jsonb_typeof("downstream_oauth_pending_authorization_transactions"."principal_roles") = 'array'
+        )
+      ))$check$;
+  END IF;
+  IF NOT EXISTS (
+    SELECT 1
+    FROM pg_constraint
+    WHERE conname = 'downstream_oauth_pending_authorization_code_challenge_method_check'
+  ) THEN
+    EXECUTE $check$ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_code_challenge_method_check CHECK ("downstream_oauth_pending_authorization_transactions"."code_challenge_method" = 'S256')$check$;
+  END IF;
+END $$;
+`,pP=`
+DROP INDEX IF EXISTS public.downstream_oauth_cimd_metadata_cache_expiry_idx;
+`,mP=`
+DROP TABLE IF EXISTS public.downstream_oauth_cimd_metadata_cache;
+`,fP=`
+DO $$
+BEGIN
+  IF to_regclass('public.upstream_connections') IS NULL THEN
+    RETURN;
+  END IF;
+  IF EXISTS (
+    SELECT 1
+    FROM pg_constraint
+    WHERE conname = 'upstream_connections_owner_shape_check'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.upstream_connections DROP CONSTRAINT upstream_connections_owner_shape_check';
+  END IF;
+  EXECUTE $check$ALTER TABLE public.upstream_connections ADD CONSTRAINT upstream_connections_owner_shape_check CHECK (("upstream_connections"."owner_mode" = 'user' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NOT NULL)
+        OR ("upstream_connections"."owner_mode" = 'tenant_shared' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NULL))$check$;
+END $$;
+`,hP=[lP,pP,mP,fP].join(`
+--> statement-breakpoint
+`),cg=[{tag:"0000_messy_makkari",sql:`CREATE TABLE "browser_connect_ticket_consumptions" (
+	"id" uuid PRIMARY KEY NOT NULL,
+	"consumed_at" timestamp with time zone NOT NULL,
+	"expires_at" timestamp with time zone NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "downstream_oauth_access_tokens" (
+	"token_hash" text PRIMARY KEY NOT NULL,
+	"grant_id" uuid NOT NULL,
+	"client_id" text NOT NULL,
+	"resource" text NOT NULL,
+	"virtual_server_id" text NOT NULL,
+	"tenant_id" text NOT NULL,
+	"subject_id" text NOT NULL,
+	"scope" text NOT NULL,
+	"roles" jsonb NOT NULL,
+	"created_at" timestamp with time zone NOT NULL,
+	"expires_at" timestamp with time zone NOT NULL,
+	"revoked_at" timestamp with time zone,
+	CONSTRAINT "downstream_oauth_access_tokens_roles_array_check" CHECK (jsonb_typeof("downstream_oauth_access_tokens"."roles") = 'array')
+);
+--> statement-breakpoint
+CREATE TABLE "downstream_oauth_authorization_codes" (
+	"code_hash" text PRIMARY KEY NOT NULL,
+	"transaction_id" uuid NOT NULL,
+	"grant_id" uuid NOT NULL,
+	"client_id" text NOT NULL,
+	"resource" text NOT NULL,
+	"virtual_server_id" text NOT NULL,
+	"tenant_id" text NOT NULL,
+	"subject_id" text NOT NULL,
+	"scope" text NOT NULL,
+	"roles" jsonb NOT NULL,
+	"redirect_uri" text NOT NULL,
+	"code_challenge" text NOT NULL,
+	"code_challenge_method" text NOT NULL,
+	"created_at" timestamp with time zone NOT NULL,
+	"expires_at" timestamp with time zone NOT NULL,
+	"consumed_at" timestamp with time zone,
+	"replayed_at" timestamp with time zone,
+	CONSTRAINT "downstream_oauth_authorization_codes_roles_array_check" CHECK (jsonb_typeof("downstream_oauth_authorization_codes"."roles") = 'array'),
+	CONSTRAINT "downstream_oauth_authorization_codes_code_challenge_method_check" CHECK ("downstream_oauth_authorization_codes"."code_challenge_method" = 'S256')
+);
+--> statement-breakpoint
+CREATE TABLE "downstream_oauth_authorization_transactions" (
+	"id" uuid PRIMARY KEY NOT NULL,
+	"client_id" text NOT NULL,
+	"resource" text NOT NULL,
+	"virtual_server_id" text NOT NULL,
+	"tenant_id" text NOT NULL,
+	"subject_id" text NOT NULL,
+	"scope" text NOT NULL,
+	"roles" jsonb NOT NULL,
+	"redirect_uri" text NOT NULL,
+	"code_challenge" text NOT NULL,
+	"code_challenge_method" text NOT NULL,
+	"created_at" timestamp with time zone NOT NULL,
+	"expires_at" timestamp with time zone NOT NULL,
+	CONSTRAINT "downstream_oauth_authorization_transactions_roles_array_check" CHECK (jsonb_typeof("downstream_oauth_authorization_transactions"."roles") = 'array'),
+	CONSTRAINT "downstream_oauth_authorization_transactions_code_challenge_method_check" CHECK ("downstream_oauth_authorization_transactions"."code_challenge_method" = 'S256')
+);
+--> statement-breakpoint
+CREATE TABLE "downstream_oauth_dcr_clients" (
+	"client_id" text PRIMARY KEY NOT NULL,
+	"client_name" text NOT NULL,
+	"redirect_uris" jsonb NOT NULL,
+	"token_endpoint_auth_method" text NOT NULL,
+	"hashed_client_secret" text,
+	"client_secret_expires_at" timestamp with time zone,
+	"client_expires_at" timestamp with time zone NOT NULL,
+	"revoked_at" timestamp with time zone,
+	"created_at" timestamp with time zone NOT NULL,
+	CONSTRAINT "downstream_oauth_dcr_clients_redirect_uris_array_check" CHECK (jsonb_typeof("downstream_oauth_dcr_clients"."redirect_uris") = 'array'),
+	CONSTRAINT "downstream_oauth_dcr_clients_token_endpoint_auth_method_check" CHECK ("downstream_oauth_dcr_clients"."token_endpoint_auth_method" IN ('none', 'client_secret_post', 'client_secret_basic'))
+);
+--> statement-breakpoint
+CREATE TABLE "downstream_oauth_grants" (
+	"id" uuid PRIMARY KEY NOT NULL,
+	"client_id" text NOT NULL,
+	"resource" text NOT NULL,
+	"virtual_server_id" text NOT NULL,
+	"tenant_id" text NOT NULL,
+	"subject_id" text NOT NULL,
+	"scope" text NOT NULL,
+	"roles" jsonb NOT NULL,
+	"current_refresh_token_hash" text,
+	"previous_refresh_token_hash" text,
+	"created_at" timestamp with time zone NOT NULL,
+	"expires_at" timestamp with time zone NOT NULL,
+	"revoked_at" timestamp with time zone,
+	"revoked_reason" text,
+	CONSTRAINT "downstream_oauth_grants_roles_array_check" CHECK (jsonb_typeof("downstream_oauth_grants"."roles") = 'array')
+);
+--> statement-breakpoint
+CREATE TABLE "downstream_oauth_pending_authorization_transactions" (
+	"id" uuid NOT NULL,
+	"current_state_hash" text NOT NULL,
+	"phase" text NOT NULL,
+	"principal_subject_id" text,
+	"principal_tenant_id" text,
+	"principal_roles" jsonb,
+	"client_id" text NOT NULL,
+	"redirect_uri" text NOT NULL,
+	"resource" text NOT NULL,
+	"virtual_server_id" text NOT NULL,
+	"client_state" text,
+	"scope" text NOT NULL,
+	"code_challenge" text NOT NULL,
+	"code_challenge_method" text NOT NULL,
+	"created_at" timestamp with time zone NOT NULL,
+	"expires_at" timestamp with time zone NOT NULL,
+	"consumed_at" timestamp with time zone,
+	CONSTRAINT "downstream_oauth_pending_authorization_transactions_id_pk" PRIMARY KEY("id"),
+	CONSTRAINT "downstream_oauth_pending_authorization_current_state_hash_unique" UNIQUE("current_state_hash"),
+	CONSTRAINT "downstream_oauth_pending_authorization_phase_check" CHECK ("downstream_oauth_pending_authorization_transactions"."phase" IN ('awaiting_login', 'awaiting_setup')),
+	CONSTRAINT "downstream_oauth_pending_authorization_phase_principal_check" CHECK ((
+        "downstream_oauth_pending_authorization_transactions"."phase" = 'awaiting_login'
+        AND "downstream_oauth_pending_authorization_transactions"."principal_subject_id" IS NULL
+        AND "downstream_oauth_pending_authorization_transactions"."principal_tenant_id" IS NULL
+        AND "downstream_oauth_pending_authorization_transactions"."principal_roles" IS NULL
+      ) OR (
+        "downstream_oauth_pending_authorization_transactions"."phase" = 'awaiting_setup'
+        AND "downstream_oauth_pending_authorization_transactions"."principal_subject_id" IS NOT NULL
+        AND "downstream_oauth_pending_authorization_transactions"."principal_tenant_id" IS NOT NULL
+        AND (
+          "downstream_oauth_pending_authorization_transactions"."principal_roles" IS NULL
+          OR jsonb_typeof("downstream_oauth_pending_authorization_transactions"."principal_roles") = 'array'
+        )
+      )),
+	CONSTRAINT "downstream_oauth_pending_authorization_code_challenge_method_check" CHECK ("downstream_oauth_pending_authorization_transactions"."code_challenge_method" = 'S256')
+);
+--> statement-breakpoint
+CREATE TABLE "upstream_connections" (
+	"id" uuid PRIMARY KEY NOT NULL,
+	"tenant_id" text,
+	"owner_mode" text NOT NULL,
+	"user_id" text,
+	"upstream_server_id" text NOT NULL,
+	"auth_profile_id" text NOT NULL,
+	"status" text NOT NULL,
+	"encrypted_access_token" text,
+	"encrypted_refresh_token" text,
+	"scopes" jsonb DEFAULT '[]'::jsonb NOT NULL,
+	"expires_at" timestamp with time zone,
+	"metadata" jsonb,
+	"created_at" timestamp with time zone NOT NULL,
+	"updated_at" timestamp with time zone NOT NULL,
+	CONSTRAINT "upstream_connections_owner_key" UNIQUE NULLS NOT DISTINCT("owner_mode","tenant_id","user_id","upstream_server_id","auth_profile_id"),
+	CONSTRAINT "upstream_connections_owner_mode_check" CHECK ("upstream_connections"."owner_mode" IN ('user', 'tenant_shared')),
+	CONSTRAINT "upstream_connections_status_check" CHECK ("upstream_connections"."status" IN ('active', 'not_connected', 'reconsent_required')),
+	CONSTRAINT "upstream_connections_scopes_array_check" CHECK (jsonb_typeof("upstream_connections"."scopes") = 'array'),
+	CONSTRAINT "upstream_connections_owner_shape_check" CHECK (("upstream_connections"."owner_mode" = 'user' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NOT NULL)
+        OR ("upstream_connections"."owner_mode" = 'tenant_shared' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NULL))
+);
+--> statement-breakpoint
+CREATE TABLE "upstream_oauth_state_consumptions" (
+	"id" uuid PRIMARY KEY NOT NULL,
+	"consumed_at" timestamp with time zone NOT NULL,
+	"expires_at" timestamp with time zone NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "upstream_oauth_states" (
+	"id" uuid PRIMARY KEY NOT NULL,
+	"record" jsonb NOT NULL,
+	"expires_at" timestamp with time zone NOT NULL,
+	"created_at" timestamp with time zone NOT NULL,
+	"updated_at" timestamp with time zone NOT NULL
+);
+--> statement-breakpoint
+ALTER TABLE "downstream_oauth_access_tokens" ADD CONSTRAINT "downstream_oauth_access_tokens_grant_id_downstream_oauth_grants_id_fk" FOREIGN KEY ("grant_id") REFERENCES "public"."downstream_oauth_grants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "downstream_oauth_authorization_codes" ADD CONSTRAINT "downstream_oauth_authorization_codes_transaction_id_downstream_oauth_authorization_transactions_id_fk" FOREIGN KEY ("transaction_id") REFERENCES "public"."downstream_oauth_authorization_transactions"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "browser_connect_ticket_consumptions_expiry_idx" ON "browser_connect_ticket_consumptions" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "downstream_oauth_access_tokens_grant_idx" ON "downstream_oauth_access_tokens" USING btree ("grant_id");--> statement-breakpoint
+CREATE INDEX "downstream_oauth_access_tokens_expiry_idx" ON "downstream_oauth_access_tokens" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "downstream_oauth_authorization_codes_grant_idx" ON "downstream_oauth_authorization_codes" USING btree ("grant_id");--> statement-breakpoint
+CREATE INDEX "downstream_oauth_authorization_codes_expiry_idx" ON "downstream_oauth_authorization_codes" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "downstream_oauth_authorization_transactions_expiry_idx" ON "downstream_oauth_authorization_transactions" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "downstream_oauth_dcr_clients_expiry_idx" ON "downstream_oauth_dcr_clients" USING btree ("client_expires_at") WHERE "downstream_oauth_dcr_clients"."revoked_at" IS NULL;--> statement-breakpoint
+CREATE INDEX "downstream_oauth_grants_refresh_current_idx" ON "downstream_oauth_grants" USING btree ("current_refresh_token_hash") WHERE "downstream_oauth_grants"."current_refresh_token_hash" IS NOT NULL;--> statement-breakpoint
+CREATE INDEX "downstream_oauth_grants_refresh_previous_idx" ON "downstream_oauth_grants" USING btree ("previous_refresh_token_hash") WHERE "downstream_oauth_grants"."previous_refresh_token_hash" IS NOT NULL;--> statement-breakpoint
+CREATE INDEX "downstream_oauth_grants_subject_client_resource_idx" ON "downstream_oauth_grants" USING btree ("tenant_id","subject_id","client_id","resource") WHERE "downstream_oauth_grants"."revoked_at" IS NULL;--> statement-breakpoint
+CREATE INDEX "downstream_oauth_grants_expiry_idx" ON "downstream_oauth_grants" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "downstream_oauth_pending_authorization_expiry_idx" ON "downstream_oauth_pending_authorization_transactions" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "upstream_oauth_state_consumptions_expiry_idx" ON "upstream_oauth_state_consumptions" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING btree ("expires_at");
+`},{tag:"0001_self_heal_pending_authorization",sql:hP}];var Po="_runtime_applied_migrations",gP=`
+  CREATE TABLE IF NOT EXISTS ${Po} (
+    tag text PRIMARY KEY NOT NULL,
+    applied_at timestamp with time zone NOT NULL DEFAULT now()
+  )
+`,Ao;async function _P(e){if(Ao)return Ao;Ao=(async()=>{await e.query(gP),await e.query(`INSERT INTO ${Po} (tag)
+       SELECT '0000_messy_makkari'
+       WHERE to_regclass('public.audit_events') IS NOT NULL
+         AND NOT EXISTS (
+           SELECT 1 FROM ${Po}
+           WHERE tag = '0000_messy_makkari'
+         )
+       ON CONFLICT (tag) DO NOTHING`);let t=await e.query(`SELECT tag FROM ${Po}`),r=new Set(t.map(n=>n.tag));for(let n of cg){if(r.has(n.tag))continue;let a=n.sql.split(/-->\s*statement-breakpoint/g).map(s=>s.trim()).filter(s=>s.length>0);for(let s of a)await e.query(s);await e.query(`INSERT INTO ${Po} (tag) VALUES ($1)`,[n.tag])}})();try{await Ao}catch(t){throw Ao=void 0,t}}o(_P,"ensureGatewayMigrationsApplied");function ug(e){let t=o(()=>_P(e),"ensureReady");return{query:o((n,a)=>(async()=>(await t(),e.query(n,a)))(),"query"),async transaction(n){return await t(),e.transaction(n)}}}o(ug,"createMigrationGatedDatabase");W();W();var yP=["user","tenant_shared"],yn=u.enum(yP);function ur(e,t){if(!e)throw g("forbidden","User-owned upstream connections require an authenticated tenant.");return{mode:"user",tenantId:e,subjectId:t}}o(ur,"buildUserUpstreamConnectionOwner");function Es(e){if(!e)throw g("forbidden","Tenant-shared upstream connections require an authenticated tenant.");return{mode:"tenant_shared",tenantId:e}}o(Es,"buildTenantSharedUpstreamConnectionOwner");W();W();function As(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(As,"parseSafeRelativeReturnTo");var dg=u.object({tenantId:$e.optional(),ownerMode:yn,initiatedBySubjectId:le,ownerSubjectId:le.optional(),upstreamServerId:ut,authProfileId:dt,virtualServerId:ge,returnTo:u.string().min(1).transform(e=>As(e)).optional()});function lg(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="user"&&!e.tenantId&&t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned state requires tenantId",path:["tenantId"]}),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:u.ZodIssueCode.custom,message:"Tenant-shared state requires tenantId",path:["tenantId"]}),e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"Tenant-shared state must not include ownerSubjectId",path:["ownerSubjectId"]}))}o(lg,"validateUpstreamOwnerState");var wn=dg.superRefine(lg),pg=dg.omit({returnTo:!0}).superRefine(lg);function xo(e){return wn.parse({tenantId:e.owner.tenantId,ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(xo,"buildUpstreamOwnerState");function Sn(e){if(e.ownerMode==="tenant_shared")return Es(e.tenantId);if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");if(!e.tenantId)throw g("oauth_state_invalid","User-owned upstream state is missing the tenant.");return ur(e.tenantId,e.ownerSubjectId)}o(Sn,"resolveUpstreamConnectionOwnerFromState");var wP=["active","not_connected","reconsent_required"],SP=["basic_auth_app_password","bearer_token"],mg=u.uuid().brand(),Ps=u.uuid().brand(),xd=u.uuid().brand(),kd=u.enum(wP),vP=u.enum(SP),fg=u.object({encryptedClientInformation:u.string().optional(),encryptedDiscoveryState:u.string().optional(),connectedBySubjectId:le.optional()}),Od=fg.extend({encryptedStaticSecret:u.string().optional(),staticSecretKind:vP.optional(),staticSecretLabel:u.string().min(1).optional(),staticSecretUsername:u.string().min(1).optional()}),bP=u.object({id:mg,tenantId:$e.optional(),subjectId:le.optional(),ownerMode:yn,upstreamServerId:ut,authProfileId:dt,status:kd,encryptedAccessToken:u.string().optional(),encryptedRefreshToken:u.string().optional(),scopes:u.array(u.string()),expiresAt:Ne.optional(),metadata:Od.optional(),createdAt:Ne,updatedAt:Ne});function RP(e,t){e.ownerMode==="user"&&!e.subjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]}),e.ownerMode==="tenant_shared"&&!e.tenantId&&t.addIssue({code:u.ZodIssueCode.custom,message:"Tenant-shared upstream connections require tenantId",path:["tenantId"]})}o(RP,"validateUpstreamConnectionOwnerShape");var hg=bP.superRefine(RP),gg=wn.extend({id:Ps,callbackPath:u.string().min(1),expiresAt:Ne,codeVerifier:u.string().optional(),redirectUri:u.url(),returnOrigin:u.url().optional()}).extend(fg.shape);function _g(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o(_g,"readUpstreamConnectionStatus");function xs(){return mg.parse(crypto.randomUUID())}o(xs,"createUpstreamConnectionId");function yg(){return Ps.parse(crypto.randomUUID())}o(yg,"createOAuthStateId");function wg(){return xd.parse(crypto.randomUUID())}o(wg,"createBrowserConnectTicketId");var IP=u.unknown().transform(e=>cr(e,"upstream connection scopes")).pipe(u.array(u.string())),TP=u.unknown().transform(e=>{if(e!=null)return cr(e,"upstream connection metadata")}).transform(e=>{if(!e||typeof e!="object"||Array.isArray(e))return;let t=Od.safeParse(e);if(t.success)return Object.values(t.data).some(r=>r!==void 0)?t.data:void 0}),Sg=u.object({id:u.uuid(),tenant_id:$e.nullable(),owner_mode:yn,user_id:le.nullable(),upstream_server_id:ut,auth_profile_id:dt,status:kd,encrypted_access_token:u.string().nullable(),encrypted_refresh_token:u.string().nullable(),scopes:IP,expires_at:ie.nullable(),metadata:TP,created_at:ie,updated_at:ie}).transform(e=>hg.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes,expiresAt:e.expires_at?K(e.expires_at):void 0,metadata:e.metadata,createdAt:K(e.created_at),updatedAt:K(e.updated_at)}));function CP(e){let t=e.firstParam??1,r=`$${t}`,n=`$${t+1}`,a=`$${t+2}`;switch(e.owner.mode){case"user":return{whereClause:`owner_mode = ${r}
+           AND tenant_id IS NOT DISTINCT FROM ${n}
+           AND user_id = ${a}
+           AND upstream_server_id = $${t+3}
+           AND auth_profile_id = $${t+4}`,params:[e.owner.mode,e.owner.tenantId??null,e.owner.subjectId,e.upstreamServerId,e.authProfileId]};case"tenant_shared":return{whereClause:`owner_mode = ${r}
+           AND tenant_id = ${n}
+           AND user_id IS NULL
+           AND upstream_server_id = ${a}
+           AND auth_profile_id = $${t+3}`,params:[e.owner.mode,e.owner.tenantId,e.upstreamServerId,e.authProfileId]}}}o(CP,"buildOwnerLookup");function EP(e){if(!e)return null;let t={};for(let[r,n]of Object.entries(e))typeof n=="string"&&(t[r]=n);return Object.keys(t).length>0?JSON.stringify(t):null}o(EP,"metadataToDatabaseValue");function AP(e){if(!e)throw g("internal_server_error","Failed to persist upstream connection");return e}o(AP,"requirePersistedUpstreamConnection");var ks=class{constructor(t){this.db=t}static{o(this,"PostgresUpstreamConnectionRepository")}async get(t,r,n){let a=CP({owner:t,upstreamServerId:r,authProfileId:n});return u.array(Sg).parse(await this.db.query(`SELECT
+           id,
+           tenant_id,
+           owner_mode,
+           user_id,
+           upstream_server_id,
+           auth_profile_id,
+           status,
+           encrypted_access_token,
+           encrypted_refresh_token,
+           scopes,
+           expires_at,
+           metadata,
+           created_at,
+           updated_at
+         FROM upstream_connections
+         WHERE ${a.whereClause}
+         LIMIT 1`,a.params))[0]}async upsert(t){let r=new Date,n=u.array(Sg).parse(await this.db.query(`INSERT INTO upstream_connections (
+           id,
+           tenant_id,
+           owner_mode,
+           user_id,
+           upstream_server_id,
+           auth_profile_id,
+           status,
+           encrypted_access_token,
+           encrypted_refresh_token,
+           scopes,
+           expires_at,
+           metadata,
+           created_at,
+           updated_at
+         ) VALUES (
+           $1,
+           $2,
+           $3,
+           $4,
+           $5,
+           $6,
+           $7,
+           $8,
+           $9,
+           $10::jsonb,
+           $11,
+           $12::jsonb,
+           $13,
+           $13
+         )
+         ON CONFLICT ON CONSTRAINT upstream_connections_owner_key
+         DO UPDATE SET
+           status = EXCLUDED.status,
+           encrypted_access_token = EXCLUDED.encrypted_access_token,
+           encrypted_refresh_token = EXCLUDED.encrypted_refresh_token,
+           scopes = EXCLUDED.scopes,
+           expires_at = EXCLUDED.expires_at,
+           metadata = EXCLUDED.metadata,
+           updated_at = EXCLUDED.updated_at
+         RETURNING
+           id,
+           tenant_id,
+           owner_mode,
+           user_id,
+           upstream_server_id,
+           auth_profile_id,
+           status,
+           encrypted_access_token,
+           encrypted_refresh_token,
+           scopes,
+           expires_at,
+           metadata,
+           created_at,
+           updated_at`,[t.id,t.tenantId??null,t.ownerMode,t.subjectId??null,t.upstreamServerId,t.authProfileId,t.status,t.encryptedAccessToken??null,t.encryptedRefreshToken??null,JSON.stringify(t.scopes),t.expiresAt?new Date(t.expiresAt):null,EP(t.metadata),r]));return AP(n[0])}};W();var PP=60*60*24*1e3,xP=u.object({kind:u.enum(["available","consumed","missing"]),record:u.unknown().nullable()}),kP=u.object({inserted:u.preprocess(e=>{if(typeof e!="string")return e;switch(e.toLowerCase()){case"true":case"t":case"1":return!0;case"false":case"f":case"0":return!1;default:return e}},u.boolean())});function vg(e,t){let r=e[0];if(!r)throw g("internal_server_error",`Postgres ${t} query returned no result row`);return r}o(vg,"requireSingleRow");function OP(e){return gg.parse(cr(e,"upstream OAuth state record"))}o(OP,"parseStoredOAuthStateRecord");var Os=class{constructor(t){this.db=t}static{o(this,"PostgresOAuthStateStore")}async save(t){let r=new Date;await this.db.query(`INSERT INTO upstream_oauth_states (
+         id,
+         record,
+         expires_at,
+         created_at,
+         updated_at
+       ) VALUES ($1, $2::jsonb, $3, $4, $4)
+       ON CONFLICT (id) DO UPDATE
+       SET record = EXCLUDED.record,
+           expires_at = EXCLUDED.expires_at,
+           updated_at = EXCLUDED.updated_at`,[t.id,JSON.stringify(t),new Date(t.expiresAt),r])}async consumeForCallback(t){let r=new Date,n=new Date(r.getTime()+PP),a=vg(u.array(xP).parse(await this.db.query(`WITH expired_state_cleanup AS (
+             DELETE FROM upstream_oauth_states
+             WHERE id = $1
+               AND expires_at <= $2
+             RETURNING id
+           ),
+           expired_consumption_cleanup AS (
+             DELETE FROM upstream_oauth_state_consumptions
+             WHERE id = $1
+               AND expires_at <= $2
+             RETURNING id
+           ),
+           candidate AS (
+             SELECT id
+             FROM upstream_oauth_states
+             WHERE id = $1
+               AND expires_at > $2
+               AND (SELECT count(*) FROM expired_state_cleanup) >= 0
+           ),
+           inserted_consumption AS (
+             INSERT INTO upstream_oauth_state_consumptions (
+               id,
+               consumed_at,
+               expires_at
+             )
+             SELECT $1, $2, $3
+             WHERE EXISTS (SELECT 1 FROM candidate)
+               AND (SELECT count(*) FROM expired_consumption_cleanup) >= 0
+             ON CONFLICT (id) DO NOTHING
+             RETURNING id
+           ),
+           deleted_state AS (
+             DELETE FROM upstream_oauth_states
+             WHERE id = $1
+               AND EXISTS (SELECT 1 FROM inserted_consumption)
+             RETURNING record
+           ),
+           existing_consumption AS (
+             SELECT id
+             FROM upstream_oauth_state_consumptions
+             WHERE id = $1
+               AND expires_at > $2
+               AND (SELECT count(*) FROM expired_consumption_cleanup) >= 0
+           )
+           SELECT
+             CASE
+               WHEN EXISTS (SELECT 1 FROM deleted_state) THEN 'available'
+               WHEN EXISTS (SELECT 1 FROM existing_consumption) THEN 'consumed'
+               WHEN EXISTS (SELECT 1 FROM candidate) THEN 'consumed'
+               ELSE 'missing'
+             END AS kind,
+             (SELECT record FROM deleted_state LIMIT 1) AS record`,[t,r,n])),"OAuth state consume");if(a.kind==="available"){if(a.record===null)throw g("internal_server_error","Consumed OAuth state row did not include a record");return{kind:"available",record:OP(a.record)}}return{kind:a.kind}}},Us=class{constructor(t){this.db=t}static{o(this,"PostgresBrowserConnectTicketStore")}async consume(t,r){let n=new Date;return vg(u.array(kP).parse(await this.db.query(`WITH expired_consumption_cleanup AS (
+             DELETE FROM browser_connect_ticket_consumptions
+             WHERE id = $1
+               AND expires_at <= $2
+             RETURNING id
+           ),
+           inserted_consumption AS (
+             INSERT INTO browser_connect_ticket_consumptions (
+               id,
+               consumed_at,
+               expires_at
+             )
+             SELECT $1, $2, $3
+             WHERE $3 > $2
+               AND (SELECT count(*) FROM expired_consumption_cleanup) >= 0
+             ON CONFLICT (id) DO NOTHING
+             RETURNING id
+           )
+           SELECT EXISTS (SELECT 1 FROM inserted_consumption) AS inserted`,[t,n,r])),"browser connect ticket consume").inserted?{kind:"available"}:{kind:"consumed"}}};var UP="__zuploMcpGatewayStorageBackend";function NP(e){return{upstreamConnectionRepository:new ks(e),downstreamOAuthRepository:new Ts(e),oauthStateStore:new Os(e),browserConnectTicketStore:new Us(e)}}o(NP,"createPostgresStorageBackend");var Ud;function $P(){let e=Is().TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING;if(!e)throw g("internal_server_error","TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING is required for the MCP gateway HTTP postgres backend.");return e}o($P,"requireDatabaseUrl");function zP(){let e=ig($P()),t=ug(e);return NP(t)}o(zP,"buildProductionStorageBackend");function H(){let e=globalThis[UP];return e||(Ud||(Ud=zP()),Ud)}o(H,"getStorage");W();import{errors as Ag,jwtVerify as Pg,SignJWT as xg}from"jose";import{base64url as MP}from"jose";var DP=new TextEncoder,Nd=32;function bg(e,t={}){let r=[qP(e),DP.encode(e)],n;for(let a of r)if(a){if(a.byteLength>=Nd){n=a;break}(n===void 0||a.byteLength>n.byteLength)&&(n=a)}if(n===void 0||n.byteLength<Nd){let a=t.name??"secret key material",s=n?.byteLength??0;throw new Error(`${a} must decode to at least ${Nd} bytes (got ${s}). Generate a high-entropy value with for example: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='.`)}return n}o(bg,"decodeConfiguredSecretKeyMaterial");function qP(e){try{return MP.decode(e)}catch{return}}o(qP,"tryDecodeBase64Url");var Rg=new Map,Ig=new Map;function LP(e){let t=Rg.get(e);return t||(t=bg(Is()[e],{name:e}),Rg.set(e,t)),t}o(LP,"getMasterKeyMaterial");async function bt(e){let t=Ig.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(LP(e.envVar));return Ig.set(e.purpose,r),r}o(bt,"readCachedDerivedKey");var jP="SHA-256";var HP="zuplo-mcp-gateway:",GP=new TextEncoder,Tg=new WeakMap;async function dr(e,t){let r=Tg.get(e);r||(r=new Map,Tg.set(e,r));let n=r.get(t);if(n)return n;let a=await BP(e,t);return r.set(t,a),a}o(dr,"deriveGatewaySigningKey");async function BP(e,t){let r=Cg(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=GP.encode(`${HP}${t}`),s=await crypto.subtle.deriveBits({name:"HKDF",hash:jP,salt:new Uint8Array,info:Cg(a)},n,32*8);return new Uint8Array(s)}o(BP,"hkdfExpand");function Cg(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Cg,"copyToArrayBuffer");var Ns="HS256",kg=15*60,VP=15*60,$s="zuplo-mcp-gateway",zs="zuplo-mcp-gateway",FP=pg.extend({id:Ps}),ZP=FP.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),Og=wn.extend({id:xd,purpose:u.literal("browser_connect")}),KP=wn.extend({purpose:u.literal("browser_connect")}),WP=Og.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),Ug=kg*1e3;async function Ng(){return bt({purpose:"oauth-state",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>dr(e,"oauth-state"),"derive")})}o(Ng,"getOAuthStateKey");async function $g(){return bt({purpose:"browser-connect",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>dr(e,"browser-connect"),"derive")})}o($g,"getBrowserConnectKey");async function zg(e){let t=Math.floor(Date.now()/1e3)+kg;return new xg(e).setProtectedHeader({alg:Ns,typ:"JWT"}).setIssuer($s).setAudience(zs).setIssuedAt().setExpirationTime(t).sign(await Ng())}o(zg,"signOAuthState");async function Ms(e){try{let{payload:t}=await Pg(e,await Ng(),{algorithms:[Ns],issuer:$s,audience:zs});return ZP.parse(t)}catch(t){throw t instanceof Ag.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(Ms,"verifyOAuthState");async function Mg(e){let t=Math.floor(Date.now()/1e3)+VP,r=KP.parse(e),n=Og.parse({...r,id:wg()});return new xg(n).setProtectedHeader({alg:Ns,typ:"JWT"}).setIssuer($s).setAudience(zs).setIssuedAt().setExpirationTime(t).sign(await $g())}o(Mg,"signBrowserConnectTicket");async function Ds(e){try{let{payload:t}=await Pg(e,await $g(),{algorithms:[Ns],issuer:$s,audience:zs});return WP.parse(t)}catch(t){throw t instanceof Ag.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o(Ds,"verifyBrowserConnectTicket");async function qs(e){if((await H().browserConnectTicketStore.consume(e.id,new Date(e.exp*1e3))).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o(qs,"consumeBrowserConnectTicket");function JP(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(JP,"buildConnectRequiredMessage");async function Dg(e){let t=Q(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await Mg({...xo(e),purpose:"browser_connect"})),r.toString()}o(Dg,"buildGatewayBrowserTicketUrl");function YP(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(YP,"buildGatewayConnectPath");async function $d(e){return Dg({...e,path:YP(e.upstreamServerId),redirect:!0})}o($d,"buildGatewayConnectUrl");async function qg(e){return Dg({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(qg,"buildGatewayAppPasswordCaptureUrl");async function vn(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await $d(t),message:JP(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(vn,"buildRedirectConnectRequiredResponse");function Lg(e){return jg({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(Lg,"buildAdminConnectRequiredResponse");function jg(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(jg,"buildAdminSetupRequiredResponse");function Hg(e){return jg({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(Hg,"buildAdminStaticSecretRequiredResponse");W();import{base64url as lr}from"jose";var XP="SHA-256",Rn="AES-GCM",QP=12,Md="zuplo-secret",Dd=1,Gg="env:TOKEN_ENCRYPTION_KEY",ex=u.object({version:u.literal(Dd),keyId:u.literal(Gg),algorithm:u.literal(Rn),iv:u.string().min(1),ciphertext:u.string().min(1)}).strict();function bn(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(bn,"copyToArrayBuffer");async function zd(){return bt({purpose:"token-encryption",envVar:"TOKEN_ENCRYPTION_KEY",derive:o(async e=>{let t=await crypto.subtle.digest(XP,bn(e));return crypto.subtle.importKey("raw",t,{name:Rn},!1,["encrypt","decrypt"])},"derive")})}o(zd,"getEncryptionKey");function Bg(e){return bn(new TextEncoder().encode(`${Md}:v${e.version}:${e.keyId}`))}o(Bg,"getAssociatedData");function tx(e){return`${Md}:v${e.version}:${lr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(tx,"encodeEnvelope");function rx(e){let t=`${Md}:v${Dd}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(lr.decode(r));return ex.parse(JSON.parse(n))}o(rx,"decodeEnvelope");async function kr(e){let t=await zd(),r=crypto.getRandomValues(new Uint8Array(QP)),n={version:Dd,keyId:Gg},a=await crypto.subtle.encrypt({name:Rn,iv:r,additionalData:Bg(n)},t,new TextEncoder().encode(e));return tx({...n,algorithm:Rn,iv:lr.encode(r),ciphertext:lr.encode(new Uint8Array(a))})}o(kr,"encryptSecret");async function zt(e){let t=rx(e);if(t){let i=await zd(),c=await crypto.subtle.decrypt({name:Rn,iv:bn(lr.decode(t.iv)),additionalData:Bg(t)},i,bn(lr.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await zd(),s=await crypto.subtle.decrypt({name:Rn,iv:bn(lr.decode(r))},a,bn(lr.decode(n)));return new TextDecoder().decode(s)}o(zt,"decryptSecret");function nx(e,t){let r=ir({upstreamServerId:e,authProfileId:t});if(r.mode!=="tenant_static_secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(nx,"requireTenantStaticSecretConfig");function Vg(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(Vg,"hasUsableTenantStaticSecret");async function ox(e){if(!Vg(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await zt(e.connection.metadata.encryptedStaticSecret)}}o(ox,"resolveTenantStaticSecretCredential");async function Fg(e){let t=Ge(e.upstreamServerId);nx(e.upstreamServerId,e.authProfileId);let r=await H().upstreamConnectionRepository.get(e.owner,e.upstreamServerId,e.authProfileId);if(Vg(r))return{kind:"authorized",credential:await ox({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:Hg(n)}}o(Fg,"resolveTenantStaticSecretCredentialForRequest");W();async function qd(e){let t=H().upstreamConnectionRepository,r=await t.get(e.owner,e.upstreamServerId,e.authProfileId);return t.upsert({id:r?.id??xs(),tenantId:e.owner.tenantId,ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(qd,"upsertStaticSecretConnection");var ax=u.string().trim().min(1).max(320),sx=u.string().min(1).max(4096),ix=u.string().trim().min(1).max(4096);function Ld(e,t){let r=ir({upstreamServerId:e,authProfileId:t});if(r.mode!=="user_static_secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(Ld,"requireUserStaticSecretConfig");function cx(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(cx,"encodeBase64Utf8");function ux(e){return`Basic ${cx(`${e.username}:${e.appPassword}`)}`}o(ux,"buildBasicAuthHeader");function Zg(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(Zg,"hasEncryptedUserStaticSecret");async function dx(e){if(!Zg(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await zt(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:ux({username:e.connection.metadata.staticSecretUsername,appPassword:await zt(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(dx,"resolveUserStaticSecretCredential");async function Kg(e){if(Ld(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=ax.parse(e.username),n=sx.parse(e.appPassword);return qd({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await kr(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(Kg,"saveUserStaticSecretCredential");async function Ls(e){let t=Ld(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=ix.parse(e.token);return qd({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await kr(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(Ls,"saveUserStaticBearerTokenCredential");function jd(e,t){return Ld(e,t)}o(jd,"readUserStaticSecretCaptureConfig");async function Wg(e){let t=Ge(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r=await H().upstreamConnectionRepository.get(e.owner,e.upstreamServerId,e.authProfileId);if(Zg(r))return{kind:"authorized",credential:await dx({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await vn(n)}}o(Wg,"resolveUserStaticSecretCredentialForRequest");function Jg(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return qg({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(Jg,"buildUserStaticSecretConnectUrl");var Hd;Hd=globalThis.crypto;async function lx(e){return(await Hd).getRandomValues(new Uint8Array(e))}o(lx,"getRandomValues");async function px(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await lx(e-n.length);for(let s of a)s<r&&(n+=t[s%t.length])}return n}o(px,"random");async function mx(e){return await px(e)}o(mx,"generateVerifier");async function fx(e){let t=await(await Hd).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(fx,"generateChallenge");async function Gd(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await mx(e),r=await fx(t);return{code_verifier:t,code_challenge:r}}o(Gd,"pkceChallenge");W();var Te=Bl().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Kl.custom,message:"URL must be parseable",fatal:!0}),Hl}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),js=fe({resource:f().url(),authorization_servers:R(Te).optional(),jwks_uri:f().url().optional(),scopes_supported:R(f()).optional(),bearer_methods_supported:R(f()).optional(),resource_signing_alg_values_supported:R(f()).optional(),resource_name:f().optional(),resource_documentation:f().optional(),resource_policy_uri:f().url().optional(),resource_tos_uri:f().url().optional(),tls_client_certificate_bound_access_tokens:Y().optional(),authorization_details_types_supported:R(f()).optional(),dpop_signing_alg_values_supported:R(f()).optional(),dpop_bound_access_tokens_required:Y().optional()}),ko=fe({issuer:f(),authorization_endpoint:Te,token_endpoint:Te,registration_endpoint:Te.optional(),scopes_supported:R(f()).optional(),response_types_supported:R(f()),response_modes_supported:R(f()).optional(),grant_types_supported:R(f()).optional(),token_endpoint_auth_methods_supported:R(f()).optional(),token_endpoint_auth_signing_alg_values_supported:R(f()).optional(),service_documentation:Te.optional(),revocation_endpoint:Te.optional(),revocation_endpoint_auth_methods_supported:R(f()).optional(),revocation_endpoint_auth_signing_alg_values_supported:R(f()).optional(),introspection_endpoint:f().optional(),introspection_endpoint_auth_methods_supported:R(f()).optional(),introspection_endpoint_auth_signing_alg_values_supported:R(f()).optional(),code_challenge_methods_supported:R(f()).optional(),client_id_metadata_document_supported:Y().optional()}),hx=fe({issuer:f(),authorization_endpoint:Te,token_endpoint:Te,userinfo_endpoint:Te.optional(),jwks_uri:Te,registration_endpoint:Te.optional(),scopes_supported:R(f()).optional(),response_types_supported:R(f()),response_modes_supported:R(f()).optional(),grant_types_supported:R(f()).optional(),acr_values_supported:R(f()).optional(),subject_types_supported:R(f()),id_token_signing_alg_values_supported:R(f()),id_token_encryption_alg_values_supported:R(f()).optional(),id_token_encryption_enc_values_supported:R(f()).optional(),userinfo_signing_alg_values_supported:R(f()).optional(),userinfo_encryption_alg_values_supported:R(f()).optional(),userinfo_encryption_enc_values_supported:R(f()).optional(),request_object_signing_alg_values_supported:R(f()).optional(),request_object_encryption_alg_values_supported:R(f()).optional(),request_object_encryption_enc_values_supported:R(f()).optional(),token_endpoint_auth_methods_supported:R(f()).optional(),token_endpoint_auth_signing_alg_values_supported:R(f()).optional(),display_values_supported:R(f()).optional(),claim_types_supported:R(f()).optional(),claims_supported:R(f()).optional(),service_documentation:f().optional(),claims_locales_supported:R(f()).optional(),ui_locales_supported:R(f()).optional(),claims_parameter_supported:Y().optional(),request_parameter_supported:Y().optional(),request_uri_parameter_supported:Y().optional(),require_request_uri_registration:Y().optional(),op_policy_uri:Te.optional(),op_tos_uri:Te.optional(),client_id_metadata_document_supported:Y().optional()}),Hs=I({...hx.shape,...ko.pick({code_challenge_methods_supported:!0}).shape}),Oo=I({access_token:f(),id_token:f().optional(),token_type:f(),expires_in:Wl.number().optional(),scope:f().optional(),refresh_token:f().optional()}).strip(),Xg=I({error:f(),error_description:f().optional(),error_uri:f().optional()}),Yg=Te.optional().or(P("").transform(()=>{})),gx=I({redirect_uris:R(Te),token_endpoint_auth_method:f().optional(),grant_types:R(f()).optional(),response_types:R(f()).optional(),client_name:f().optional(),client_uri:Te.optional(),logo_uri:Yg,scope:f().optional(),contacts:R(f()).optional(),tos_uri:Yg,policy_uri:f().optional(),jwks_uri:Te.optional(),jwks:Fl().optional(),software_id:f().optional(),software_version:f().optional(),software_statement:f().optional()}).strip(),Bd=I({client_id:f(),client_secret:f().optional(),client_id_issued_at:V().optional(),client_secret_expires_at:V().optional()}).strip(),Uo=gx.merge(Bd),V2=I({error:f(),error_description:f().optional()}).strip(),F2=I({token:f(),token_type_hint:f().optional()}).strip();function Qg(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(Qg,"resourceUrlFromServerUrl");function e_({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",s=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(s)}o(e_,"checkResourceAllowed");var pe=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},No=class extends pe{static{o(this,"InvalidRequestError")}};No.errorCode="invalid_request";var Or=class extends pe{static{o(this,"InvalidClientError")}};Or.errorCode="invalid_client";var Ur=class extends pe{static{o(this,"InvalidGrantError")}};Ur.errorCode="invalid_grant";var Nr=class extends pe{static{o(this,"UnauthorizedClientError")}};Nr.errorCode="unauthorized_client";var $o=class extends pe{static{o(this,"UnsupportedGrantTypeError")}};$o.errorCode="unsupported_grant_type";var zo=class extends pe{static{o(this,"InvalidScopeError")}};zo.errorCode="invalid_scope";var Mo=class extends pe{static{o(this,"AccessDeniedError")}};Mo.errorCode="access_denied";var Mt=class extends pe{static{o(this,"ServerError")}};Mt.errorCode="server_error";var Do=class extends pe{static{o(this,"TemporarilyUnavailableError")}};Do.errorCode="temporarily_unavailable";var qo=class extends pe{static{o(this,"UnsupportedResponseTypeError")}};qo.errorCode="unsupported_response_type";var Lo=class extends pe{static{o(this,"UnsupportedTokenTypeError")}};Lo.errorCode="unsupported_token_type";var jo=class extends pe{static{o(this,"InvalidTokenError")}};jo.errorCode="invalid_token";var Ho=class extends pe{static{o(this,"MethodNotAllowedError")}};Ho.errorCode="method_not_allowed";var Go=class extends pe{static{o(this,"TooManyRequestsError")}};Go.errorCode="too_many_requests";var $r=class extends pe{static{o(this,"InvalidClientMetadataError")}};$r.errorCode="invalid_client_metadata";var Bo=class extends pe{static{o(this,"InsufficientScopeError")}};Bo.errorCode="insufficient_scope";var Vo=class extends pe{static{o(this,"InvalidTargetError")}};Vo.errorCode="invalid_target";var t_={[No.errorCode]:No,[Or.errorCode]:Or,[Ur.errorCode]:Ur,[Nr.errorCode]:Nr,[$o.errorCode]:$o,[zo.errorCode]:zo,[Mo.errorCode]:Mo,[Mt.errorCode]:Mt,[Do.errorCode]:Do,[qo.errorCode]:qo,[Lo.errorCode]:Lo,[jo.errorCode]:jo,[Ho.errorCode]:Ho,[Go.errorCode]:Go,[$r.errorCode]:$r,[Bo.errorCode]:Bo,[Vo.errorCode]:Vo};var Dt=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function _x(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(_x,"isClientAuthMethod");var Vd="code",Fd="S256";function yx(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&_x(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(yx,"selectClientAuthMethod");function wx(e,t,r,n){let{client_id:a,client_secret:s}=t;switch(e){case"client_secret_basic":Sx(a,s,r);return;case"client_secret_post":vx(a,s,n);return;case"none":bx(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(wx,"applyClientAuthentication");function Sx(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(Sx,"applyBasicAuth");function vx(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(vx,"applyPostAuth");function bx(e,t){t.set("client_id",e)}o(bx,"applyPublicAuth");async function n_(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=Xg.parse(JSON.parse(r)),{error:a,error_description:s,error_uri:i}=n,c=t_[a]||Mt;return new c(s||"",i)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new Mt(a)}}o(n_,"parseErrorResponse");async function pr(e,t){try{return await Zd(e,t)}catch(r){if(r instanceof Or||r instanceof Nr)return await e.invalidateCredentials?.("all"),await Zd(e,t);if(r instanceof Ur)return await e.invalidateCredentials?.("tokens"),await Zd(e,t);throw r}}o(pr,"auth");async function Zd(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:s}){let i=await e.discoveryState?.(),c,d,p,l=a;if(!l&&i?.resourceMetadataUrl&&(l=new URL(i.resourceMetadataUrl)),i?.authorizationServerUrl){if(d=i.authorizationServerUrl,c=i.resourceMetadata,p=i.authorizationServerMetadata??await a_(d,{fetchFn:s}),!c)try{c=await o_(t,{resourceMetadataUrl:l},s)}catch{}(p!==i.authorizationServerMetadata||c!==i.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}else{let T=await Ax(t,{resourceMetadataUrl:l,fetchFn:s});d=T.authorizationServerUrl,p=T.authorizationServerMetadata,c=T.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}let m=await Rx(t,e,c),h=n||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,_=await Promise.resolve(e.clientInformation());if(!_){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let T=p?.client_id_metadata_document_supported===!0,U=e.clientMetadataUrl;if(U&&!Wd(U))throw new $r(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${U}`);if(T&&U)_={client_id:U},await e.saveClientInformation?.(_);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Be=await Ux(d,{metadata:p,clientMetadata:e.clientMetadata,scope:h,fetchFn:s});await e.saveClientInformation(Be),_=Be}}let w=!e.redirectUrl;if(r!==void 0||w){let T=await Ox(e,d,{metadata:p,resource:m,authorizationCode:r,fetchFn:s});return await e.saveTokens(T),"AUTHORIZED"}let y=await e.tokens();if(y?.refresh_token)try{let T=await kx(d,{metadata:p,clientInformation:_,refreshToken:y.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:s});return await e.saveTokens(T),"AUTHORIZED"}catch(T){if(!(!(T instanceof pe)||T instanceof Mt))throw T}let S=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:b}=await Px(d,{metadata:p,clientInformation:_,state:S,redirectUrl:e.redirectUrl,scope:h,resource:m});return await e.saveCodeVerifier(b),await e.redirectToAuthorization(v),"REDIRECT"}o(Zd,"authInternal");function Wd(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(Wd,"isHttpsUrl");async function Rx(e,t,r){let n=Qg(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!e_({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o(Rx,"selectResourceURL");function Jd(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=Kd(e,"resource_metadata")||void 0,s;if(a)try{s=new URL(a)}catch{}let i=Kd(e,"scope")||void 0,c=Kd(e,"error")||void 0;return{resourceMetadataUrl:s,scope:i,error:c}}o(Jd,"extractWWWAuthenticateParams");function Kd(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(Kd,"extractFieldFromWwwAuth");async function o_(e,t,r=fetch){let n=await Cx(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return js.parse(await n.json())}o(o_,"discoverOAuthProtectedResourceMetadata");async function Yd(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?Yd(e,void 0,r):void 0;throw n}}o(Yd,"fetchWithCorsRetry");function Ix(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(Ix,"buildWellKnownPath");async function r_(e,t,r=fetch){return await Yd(e,{"MCP-Protocol-Version":t},r)}o(r_,"tryMetadataDiscovery");function Tx(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(Tx,"shouldAttemptFallback");async function Cx(e,t,r,n){let a=new URL(e),s=n?.protocolVersion??Vt,i;if(n?.metadataUrl)i=new URL(n.metadataUrl);else{let d=Ix(t,a.pathname);i=new URL(d,n?.metadataServerUrl??a),i.search=a.search}let c=await r_(i,s,r);if(!n?.metadataUrl&&Tx(c,a.pathname)){let d=new URL(`/.well-known/${t}`,a);c=await r_(d,s,r)}return c}o(Cx,"discoverMetadataWithFallback");function Ex(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(Ex,"buildDiscoveryUrls");async function a_(e,{fetchFn:t=fetch,protocolVersion:r=Vt}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=Ex(e);for(let{url:s,type:i}of a){let c=await Yd(s,n,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${i==="oauth"?"OAuth":"OpenID provider"} metadata from ${s}`)}return i==="oauth"?ko.parse(await c.json()):Hs.parse(await c.json())}}}o(a_,"discoverAuthorizationServerMetadata");async function Ax(e,t){let r,n;try{r=await o_(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await a_(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(Ax,"discoverOAuthServerInfo");async function Px(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:s,resource:i}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Vd))throw new Error(`Incompatible auth server: does not support response type ${Vd}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(Fd))throw new Error(`Incompatible auth server: does not support code challenge method ${Fd}`)}else c=new URL("/authorize",e);let d=await Gd(),p=d.code_verifier,l=d.code_challenge;return c.searchParams.set("response_type",Vd),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",l),c.searchParams.set("code_challenge_method",Fd),c.searchParams.set("redirect_uri",String(n)),s&&c.searchParams.set("state",s),a&&c.searchParams.set("scope",a),a?.includes("offline_access")&&c.searchParams.append("prompt","consent"),i&&c.searchParams.set("resource",i.href),{authorizationUrl:c,codeVerifier:p}}o(Px,"startAuthorization");function xx(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(xx,"prepareAuthorizationCodeRequest");async function s_(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:s,fetchFn:i}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(s&&r.set("resource",s.href),a)await a(d,r,c,t);else if(n){let l=t?.token_endpoint_auth_methods_supported??[],m=yx(n,l);wx(m,n,d,r)}let p=await(i??fetch)(c,{method:"POST",headers:d,body:r});if(!p.ok)throw await n_(p);return Oo.parse(await p.json())}o(s_,"executeTokenRequest");async function kx(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:s,fetchFn:i}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await s_(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:s,resource:a,fetchFn:i});return{refresh_token:n,...d}}o(kx,"refreshAuthorization");async function Ox(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:s}={}){let i=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(i)),!c){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();c=xx(a,p,e.redirectUrl)}let d=await e.clientInformation();return s_(t,{metadata:r,tokenRequestParams:c,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:s})}o(Ox,"fetchToken");async function Ux(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let s;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");s=new URL(t.registration_endpoint)}else s=new URL("/register",e);let i=await(a??fetch)(s,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!i.ok)throw await n_(i);return Uo.parse(await i.json())}o(Ux,"registerClient");var Nx=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),$x=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function i_(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(i_,"parseIpv4Octets");function zx([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(zx,"ipv4RangeMatches");function c_(e){let t=i_(e);return t!==void 0&&$x.some(r=>zx(t,r))}o(c_,"isPrivateIpv4");function Xd(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(Xd,"parseIpv6Word");function Mx(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(Mx,"formatIpv4FromWords");function Dx(e){let t=e.slice(7),r=i_(t);if(r!==void 0)return r.join(".");let[n,a,s]=t.split(":"),i=Xd(n),c=Xd(a);return s===void 0&&i!==void 0&&c!==void 0?Mx(i,c):void 0}o(Dx,"parseIpv6MappedIpv4");function qx(e){return Xd(e.split(":").find(Boolean))}o(qx,"readFirstIpv6Hextet");function Lx(e){let t=rt(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=Dx(t);return n===void 0||c_(n)}let r=qx(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(Lx,"isPrivateIpv6");function Qd(e){let t=rt(e);return Nx.has(t)||t.endsWith(".internal")||c_(t)||Lx(t)}o(Qd,"isBlockedOutboundHostname");function u_(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);let r=Ue(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=rt(t.hostname);if(!r&&Qd(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(u_,"validateConfiguredOutboundUrl");function d_(e){let t=new URL(e);if(t.protocol!=="https:")throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");let r=rt(t.hostname);if(Qd(r))throw g("invalid_request",`Blocked identity provider host: ${r}`);return t}o(d_,"validateIdentityProviderUrl");function Gs(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(Qd(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(Gs,"validateCimdClientMetadataUrl");function l_(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(l_,"mergeAbortSignals");async function jx(e){try{await e.cancel()}catch{}}o(jx,"cancelReader");async function Bs(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,s=await r.read();for(;!s.done;){let d=s.value;if(a+=d.byteLength,a>t.maxBytes)throw await jx(r),t.createLimitError();n.push(d),s=await r.read()}let i=new Uint8Array(a),c=0;for(let d of n)i.set(d,c),c+=d.byteLength;return i}o(Bs,"readBoundedByteStream");var Hx=2,Gx=1024*1024,Bx=1e4,Vx=new Set([301,302,303,307,308]),Fx=["authorization","proxy-authorization","cookie","cookie2"];function el(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(el,"readRequestUrl");function In(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(In,"readRequestMethod");function Zx(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(Zx,"assertContentLengthWithinLimit");async function Kx(e,t,r){return Zx(e,t,r),Bs(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o(Kx,"readBoundedResponseBody");function Wx(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(Wx,"responseFromBufferedBody");function Jx(e,t){if(!Vx.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(Jx,"resolveRedirectUrl");function p_(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(p_,"validateOutboundUrl");function Yx(e,t){throw ae(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(Yx,"normalizeFetchError");function Fo(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&Re(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(Fo,"logOutboundFailure");async function Xx(e,t,r,n,a,s,i){let c=In(r,n);try{return await t(r,n)}catch(d){let p=d instanceof DOMException&&d.name==="AbortError";Fo(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:c,host:et(s),error:d,extra:{abortReason:i()}}),Yx(d,a)}}o(Xx,"fetchWithNormalizedError");function Qx(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(Qx,"assertRedirectAllowed");function ek(e,t){let r=new Headers(e);for(let n of Fx)r.delete(n);for(let n of t)r.delete(n);return r}o(ek,"stripCrossOriginHeaders");function tk(e,t,r,n,a){let s={...e,method:t,redirect:"manual",signal:r};return n&&(s.headers=ek(e.headers,a)),s}o(tk,"buildRedirectInit");function rk(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(rk,"buildInitialRequestInit");function nk(e){let t=In(e.currentInput,e.currentInit);Qx({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=p_(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,s=r.toString();return{currentInput:s,currentUrl:s,currentInit:tk(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(nk,"followRedirect");async function tl(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??Hx,s=r.maxResponseBytes??Gx,i=r.timeoutMs??Bx,c=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],p=r.context,l=new AbortController,m=l_(l,t.signal),h=!1,_=setTimeout(()=>{h=!0,l.abort()},i),w=e,y=rk(e,t,l.signal),S;try{S=p_(el(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(b){throw Fo(p,{event:"outbound_url_blocked",problemCode:n,method:In(e,t),host:et(el(e)),error:b}),clearTimeout(_),m?.(),b}let v=0;try{for(;;){let b=await Xx(p,c,w,y,n,S,()=>h?`timeout_after_${i}ms`:void 0),T=Jx(b,S);if(T!==void 0)try{let U=nk({currentInput:w,currentInit:y,currentUrl:S,redirectUrl:T,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:l.signal,additionalCrossOriginStrippedHeaders:d});w=U.currentInput,y=U.currentInit,S=U.currentUrl,v=U.redirects;continue}catch(U){throw Fo(p,{event:"outbound_redirect_blocked",problemCode:n,method:In(w,y),host:et(S),error:U,extra:{redirects:v,maxRedirects:a,redirectTargetHost:et(T)}}),U}try{return Wx(b,await Kx(b,s,n))}catch(U){throw Fo(p,{event:"outbound_response_size_exceeded",problemCode:n,method:In(w,y),host:et(S),error:U,extra:{maxResponseBytes:s,status:b.status}}),U}}}finally{clearTimeout(_),m?.()}}o(tl,"runSafeOutboundExchange");async function rl(e,t,r){let n=await tl(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw Fo(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:In(e,t),host:et(el(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(rl,"runSafeOutboundJsonExchange");function Vs(e,t={},r={}){return tl(e,t,{...r,validateUrl:u_})}o(Vs,"fetchConfiguredOutbound");function m_(e,t={},r={}){return rl(e,t,{...r,validateUrl:d_})}o(m_,"fetchIdentityProviderJson");function f_(e,t={},r={}){return rl(e,t,{...r,validateUrl:Gs})}o(f_,"fetchCimdClientMetadataJson");W();function nl(e){return`Zuplo MCP Gateway - ${e}`}o(nl,"buildGatewayOAuthClientName");function h_(e,t){let r=new URL(e,Q(t));return Ue(r)&&rt(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(h_,"buildGatewayOAuthRedirectUri");function ol(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(ol,"buildOAuthClientMetadataDocumentUrl");function g_(e){return Q(e)}o(g_,"requireOAuthClientMetadataOrigin");function __(e,t,r){let n=Ge(t),a=xr(t,r);return{client_id:ol({origin:e,upstreamServerId:t,authProfileId:r}),client_name:nl(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(__,"buildOAuthClientMetadataDocument");var ok=u.union([Uo,Bd]),ak=u.object({authorizationServerUrl:u.url(),resourceMetadataUrl:u.url().optional(),resourceMetadata:js.optional(),authorizationServerMetadata:u.union([ko,Hs]).optional()}).passthrough(),sk="Bearer";function ik(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(ik,"splitScopes");function ck(e){return ws.parse(e)}o(ck,"parsePkceCodeVerifier");function uk(e){if(typeof e.expires_in=="number")return K(new Date(Date.now()+e.expires_in*1e3))}o(uk,"readTokenExpiry");async function y_(e){if(e!==void 0)return kr(JSON.stringify(e))}o(y_,"encryptJson");async function w_(e,t){if(!e)return;let r=await zt(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(w_,"decryptJson");function dk(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(dk,"toOAuthDiscoveryState");function lk(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(lk,"clientInformationAllowsRedirectUri");function pk(e,t,r){let n=Ge(e),a=xr(e,t),s;return a.scopes.length>0&&(s=a.scopes.join(a.scopeDelimiter)),{client_name:nl(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:s,token_endpoint_auth_method:"none"}}o(pk,"buildOAuthClientMetadata");function mk(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return Uo.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(mk,"buildManualOAuthClientInformation");function fk(e,t,r){let n=ol({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return Wd(n)?n:void 0}o(fk,"buildClientMetadataUrl");function S_(e){for(let t of e)if(t!==void 0)return t}o(S_,"firstDefined");function hk(e){let t=xr(e.target.upstreamServerId,e.target.authProfileId),r=pk(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:mk({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=fk(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(hk,"buildInitialOAuthClientSetup");function gk(e,t){if(t===void 0)return S_([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(gk,"readEncryptedClientInformation");function _k(e){return S_([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(_k,"readEncryptedDiscoveryState");var zr=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=hk({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=gk(t,this.configuredClientInformation),this.encryptedDiscoveryState=_k(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return zg({id:t.id,...xo({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await y_(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await y_(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Oo.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??xs(),tenantId:this.target.owner.tenantId,ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await kr(r.access_token),encryptedRefreshToken:r.refresh_token?await kr(r.refresh_token):void 0,scopes:ik(r.scope??this.clientMetadataValue.scope),expiresAt:uk(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await H().upstreamConnectionRepository.upsert(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:ck(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",s=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(s),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:yg(),...xo({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:K(new Date(Date.now()+Ug)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await H().oauthStateStore.save(t),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await w_(this.encryptedClientInformation,ok)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!lk(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=dk(await w_(this.encryptedDiscoveryState,ak))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=Oo.parse({access_token:await zt(this.connection.encryptedAccessToken),token_type:sk,refresh_token:this.connection.encryptedRefreshToken?await zt(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,tenantId:this.connection.tenantId,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await H().upstreamConnectionRepository.upsert(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var yk=1e4,wk=256*1024,Sk=2;function vk(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(vk,"hasUsableAccessToken");var bk="does not support dynamic client registration";function Rk(e){return e instanceof Error&&e.message.includes(bk)}o(Rk,"isDynamicClientRegistrationUnsupported");function Ik(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(Ik,"readOAuthFetchRequest");function Tk(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(Tk,"responseLooksJson");function v_(e){return async(t,r)=>{let n=Ik(t),a=await Vs(t,r,{maxRedirects:Sk,maxResponseBytes:wk,problemCode:"upstream_token_exchange_failed",timeoutMs:yk}),s=await a.clone().text();if(!Tk(a,s))return a;try{JSON.parse(s)}catch(i){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,i)}return a}}o(v_,"createUpstreamOAuthFetch");async function b_(e,t){try{return await pr(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:v_(t.upstreamServerId)})}catch(r){throw Rk(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(b_,"runUpstreamOAuth");async function Ck(e,t){return pr(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:v_(t.upstreamServerId)})}o(Ck,"exchangeUpstreamAuthorizationCode");async function R_(e,t){let r=await b_(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o(R_,"requireUpstreamAuthorizationRedirect");async function I_(e){if(vk(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await b_(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await kk({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(I_,"authorizeUpstreamOAuthSession");async function Ek(e){let t=await Ms(e.stateToken),r=await H().oauthStateStore.consumeForCallback(t.id),n=Ak(r);return Pk({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),xk(n),n}o(Ek,"consumeStoredCallbackState");function Ak(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(Ak,"readConsumedCallbackState");function Pk(e){if(![e.storedState.tenantId===e.signedState.tenantId,e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(Pk,"assertStoredCallbackStateMatches");function xk(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(xk,"assertStoredCallbackStateFresh");async function kk(e){if(e.owner.mode==="tenant_shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),Lg(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),vn(t)}o(kk,"buildOAuthConnectRequiredResponse");async function T_(e){let t=await Ek({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Sn(t),n=await H().upstreamConnectionRepository.get(r,t.upstreamServerId,t.authProfileId),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let s=new zr(a),i=await Ck(s,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(i==="AUTHORIZED")return t;throw i!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${i}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(T_,"finishUpstreamOAuthCallback");async function C_(e){let t=Ge(e.upstreamServerId),r=xr(e.upstreamServerId,e.authProfileId),n=h_(r.redirectPath,e.request.url),a=await H().upstreamConnectionRepository.get(e.owner,e.upstreamServerId,e.authProfileId);return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:Q(e.request.url)}}}o(C_,"prepareUpstreamOAuthRequest");async function E_(e){let t=await C_(e),r=new zr({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return R_(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(E_,"startUpstreamConnect");async function A_(e){let t=await C_(e),r=new zr({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return I_({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(A_,"authorizeUpstreamRequest");function Ok(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(Ok,"resolveStaticSecretCredential");async function P_(e){let{routeAuth:t}=e;switch(t.authMode){case"tenant_shared_oauth":case"user_oauth":return A_({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId});case"tenant_static_secret":return Fg({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId});case"static_secret":{let n=ir({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static_secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:Ok(n.secret,t.upstreamServerId)}}case"user_static_secret":return Wg({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(P_,"resolveUpstreamCredentialForRoute");async function x_(e){let t=ur(e.principal.tenantId,e.principal.subjectId),r=tt().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user_static_secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await Ls({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(x_,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function k_(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=vt(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await E_(r);break;case"user_static_secret_capture":t=await Jg(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(k_,"startUpstreamConnectForRequest");async function O_(e){let r=(await Ms(e.callbackRequest.state)).authProfileId,n=ir({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(vt(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return T_({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Ge(e.callbackRequest.upstreamServerId)})}o(O_,"finishUpstreamCallbackForRequest");var Fs=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=Kt,n){let a=this._client,s={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},i=a.requestStream({method:"tools/call",params:t},r,s),c=a.getToolOutputValidator(t.name);for await(let d of i){if(d.type==="result"&&c){let p=d.result;if(!p.structuredContent&&!p.isError){yield{type:"error",error:new E(A.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(p.structuredContent)try{let l=c(p.structuredContent);if(!l.valid){yield{type:"error",error:new E(A.InvalidParams,`Structured content does not match the tool's output schema: ${l.errorMessage}`)};return}}catch(l){if(l instanceof E){yield{type:"error",error:l};return}yield{type:"error",error:new E(A.InvalidParams,`Failed to validate structured content: ${l instanceof Error?l.message:String(l)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function Zs(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let s=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(s,"default")&&(r[a]=s.default),r[a]!==void 0&&Zs(s,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&Zs(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&Zs(r,t)}}o(Zs,"applyElicitationDefaults");function Uk(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(Uk,"getSupportedElicitationModes");var Ks=class extends Fr{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new dn,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",Wi,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",Fi,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",Mi,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new Fs(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=_a(this._capabilities,t)}setRequestHandler(t,r){let a=jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let s;if(Gt(a)){let c=a;s=c._zod?.def?.value??c.value}else{let c=a;s=c._def?.value??c.value}if(typeof s!="string")throw new Error("Schema method literal must be a string");let i=s;if(i==="elicitation/create"){let c=o(async(d,p)=>{let l=xe(Xi,d);if(!l.success){let b=l.error instanceof Error?l.error.message:String(l.error);throw new E(A.InvalidParams,`Invalid elicitation request: ${b}`)}let{params:m}=l.data;m.mode=m.mode??"form";let{supportsFormMode:h,supportsUrlMode:_}=Uk(this._capabilities.elicitation);if(m.mode==="form"&&!h)throw new E(A.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!_)throw new E(A.InvalidParams,"Client does not support URL-mode elicitation requests");let w=await Promise.resolve(r(d,p));if(m.task){let b=xe(At,w);if(!b.success){let T=b.error instanceof Error?b.error.message:String(b.error);throw new E(A.InvalidParams,`Invalid task creation result: ${T}`)}return b.data}let y=xe(Wt,w);if(!y.success){let b=y.error instanceof Error?y.error.message:String(y.error);throw new E(A.InvalidParams,`Invalid elicitation result: ${b}`)}let S=y.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&S.action==="accept"&&S.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{Zs(v,S.content)}catch{}return S},"wrappedHandler");return super.setRequestHandler(t,c)}if(i==="sampling/createMessage"){let c=o(async(d,p)=>{let l=xe(Yi,d);if(!l.success){let S=l.error instanceof Error?l.error.message:String(l.error);throw new E(A.InvalidParams,`Invalid sampling request: ${S}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let S=xe(At,h);if(!S.success){let v=S.error instanceof Error?S.error.message:String(S.error);throw new E(A.InvalidParams,`Invalid task creation result: ${v}`)}return S.data}let w=m.tools||m.toolChoice?Bn:gr,y=xe(w,h);if(!y.success){let S=y.error instanceof Error?y.error.message:String(y.error);throw new E(A.InvalidParams,`Invalid sampling result: ${S}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:Vt,capabilities:this._capabilities,clientInfo:this._clientInfo}},Pi,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!Ft.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){ts(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&rs(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},Et,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},Qi,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},Et,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},Vi,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},qi,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},Oi,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},Ui,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},zi,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},Et,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},Et,r)}async callTool(t,r=Kt,n){if(this.isToolTaskRequired(t.name))throw new E(A.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),s=this.getToolOutputValidator(t.name);if(s){if(!a.structuredContent&&!a.isError)throw new E(A.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let i=s(a.structuredContent);if(!i.valid)throw new E(A.InvalidParams,`Structured content does not match the tool's output schema: ${i.errorMessage}`)}catch(i){throw i instanceof E?i:new E(A.InvalidParams,`Failed to validate structured content: ${i instanceof Error?i.message:String(i)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},Ki,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let s=lp.safeParse(n);if(!s.success)throw new Error(`Invalid ${t} listChanged options: ${s.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:i,debounceMs:c}=s.data,{onChanged:d}=n,p=o(async()=>{if(!i){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let h=m instanceof Error?m:new Error(String(m));d(h,null)}},"refresh"),l=o(()=>{if(c){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let h=setTimeout(p,c);this._listChangedDebounceTimers.set(t,h)}else p()},"handler");this.setNotificationHandler(r,l)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function Ws(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(Ws,"normalizeHeaders");function U_(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...Ws(t.headers),...Ws(n.headers)}:t.headers};return e(r,a)}:e}o(U_,"createFetchWithInit");var Js=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function al(e){}o(al,"noop");function N_(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=al,onError:r=al,onRetry:n=al,onComment:a}=e,s="",i=!0,c,d="",p="";function l(y){let S=i?y.replace(/^\xEF\xBB\xBF/,""):y,[v,b]=Nk(`${s}${S}`);for(let T of v)m(T);s=b,i=!1}o(l,"feed");function m(y){if(y===""){_();return}if(y.startsWith(":")){a&&a(y.slice(y.startsWith(": ")?2:1));return}let S=y.indexOf(":");if(S!==-1){let v=y.slice(0,S),b=y[S+1]===" "?2:1,T=y.slice(S+b);h(v,T,y);return}h(y,"",y)}o(m,"parseLine");function h(y,S,v){switch(y){case"event":p=S;break;case"data":d=`${d}${S}
+`;break;case"id":c=S.includes("\0")?void 0:S;break;case"retry":/^\d+$/.test(S)?n(parseInt(S,10)):r(new Js(`Invalid \`retry\` value: "${S}"`,{type:"invalid-retry",value:S,line:v}));break;default:r(new Js(`Unknown field "${y.length>20?`${y.slice(0,20)}\u2026`:y}"`,{type:"unknown-field",field:y,value:S,line:v}));break}}o(h,"processField");function _(){d.length>0&&t({id:c,event:p||void 0,data:d.endsWith(`
+`)?d.slice(0,-1):d}),c=void 0,d="",p=""}o(_,"dispatchEvent");function w(y={}){s&&y.consume&&m(s),i=!0,c=void 0,d="",p="",s=""}return o(w,"reset"),{feed:l,reset:w}}o(N_,"createParser");function Nk(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),s=e.indexOf(`
+`,n),i=-1;if(a!==-1&&s!==-1?i=Math.min(a,s):a!==-1?a===e.length-1?i=-1:i=a:s!==-1&&(i=s),i===-1){r=e.slice(n);break}else{let c=e.slice(n,i);t.push(c),n=i+1,e[n-1]==="\r"&&e[n]===`
+`&&n++}}return[t,r]}o(Nk,"splitLines");var Ys=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(s){a=N_({onEvent:o(i=>{s.enqueue(i)},"onEvent"),onError(i){t==="terminate"?s.error(i):typeof t=="function"&&t(i)},onRetry:r,onComment:n})},transform(s){a.feed(s)}})}};var $k={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},mr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},Xs=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=U_(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??$k}async _authThenStart(){if(!this._authProvider)throw new Dt("No auth provider");let t;try{t=await pr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new Dt;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=Ws(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new mr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(s=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${s instanceof Error?s.message:String(s)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:s}=r,i,c=!1,d=!1;o(async()=>{try{let l=t.pipeThrough(new TextDecoderStream).pipeThrough(new Ys({onRetry:o(_=>{this._serverRetryMs=_},"onRetry")})).getReader();for(;;){let{value:_,done:w}=await l.read();if(w)break;if(_.id&&(i=_.id,c=!0,a?.(_.id)),!!_.data&&(!_.event||_.event==="message"))try{let y=hr.parse(JSON.parse(_.data));nt(y)&&(d=!0,s!==void 0&&(y.id=s)),this.onmessage?.(y)}catch(y){this.onerror?.(y)}}(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:i,onresumptiontoken:a,replayMessageId:s},0)}catch(l){if(this.onerror?.(new Error(`SSE stream disconnected: ${l}`)),(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:i,onresumptiontoken:a,replayMessageId:s},0)}catch(_){this.onerror?.(new Error(`Failed to reconnect: ${_ instanceof Error?_.message:String(_)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new Dt("No auth provider");if(await pr(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Dt("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:mt(t)?t.id:void 0}).catch(h=>this.onerror?.(h));return}let s=await this._commonHeaders();s.set("content-type","application/json"),s.set("accept","application/json, text/event-stream");let i={...this._requestInit,method:"POST",headers:s,body:JSON.stringify(t),signal:this._abortController?.signal},c=await(this._fetch??fetch)(this._url,i),d=c.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!c.ok){let h=await c.text().catch(()=>null);if(c.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new mr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:_,scope:w}=Jd(c);if(this._resourceMetadataUrl=_,this._scope=w,await pr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Dt;return this._hasCompletedAuthFlow=!0,this.send(t)}if(c.status===403&&this._authProvider){let{resourceMetadataUrl:_,scope:w,error:y}=Jd(c);if(y==="insufficient_scope"){let S=c.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===S)throw new mr(403,"Server returned 403 after trying upscoping");if(w&&(this._scope=w),_&&(this._resourceMetadataUrl=_),this._lastUpscopingHeader=S??void 0,await pr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new Dt;return this.send(t)}}throw new mr(c.status,`Error POSTing to endpoint: ${h}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,c.status===202){await c.body?.cancel(),op(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(h=>this.onerror?.(h));return}let l=(Array.isArray(t)?t:[t]).filter(h=>"method"in h&&"id"in h&&h.id!==void 0).length>0,m=c.headers.get("content-type");if(l)if(m?.includes("text/event-stream"))this._handleSseStream(c.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let h=await c.json(),_=Array.isArray(h)?h.map(w=>hr.parse(w)):[hr.parse(h)];for(let w of _)this.onmessage?.(w)}else throw await c.body?.cancel(),new mr(-1,`Unexpected content type: ${m}`);else await c.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new mr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function $_(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o($_,"resolveNativeMcpRequestHeaders");var zk={name:"zuplo-mcp-gateway",version:"0.1.0"},Mk=5,Dk=500,D_=3e4,qk=2*1024*1024,Lk=2;function z_(){return performance.now()/1e3}o(z_,"nowSeconds");function jk(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(jk,"readServerPort");function Hk(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:jk(e)}}o(Hk,"buildNativeMcpOperationContext");function Tn(e){return Uh(e)}o(Tn,"withTraceMeta");function sl(e){if(e>Dk)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(sl,"assertImportedCapabilityBudget");function M_(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(M_,"buildRequestInit");function Gk(e){return(t,r)=>Vs(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:Lk,maxResponseBytes:qk,problemCode:"upstream_capability_invocation_failed",timeoutMs:D_})}o(Gk,"createNativeMcpFetch");function Bk(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},D_);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(Bk,"withNativeMcpRequestTimeout");function Vk(e,t=[]){let r=$_(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],s={fetch:Gk(a)};if(!e)return{...s,...M_(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...s,...M_(r)};case"bearer_token":return{...s,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...s,requestInit:{headers:{...r,...e.headers}}}}}o(Vk,"buildNativeMcpTransportOptions");async function Cn(e,t,r){let{transport:n}=Ge(e),a=new URL(n.baseUrl),s=new Xs(a,Vk(r,n.requestHeaders)),i=new Ks(zk,{capabilities:{}});return Bk((async()=>{let c=z_();await i.connect(s);let d=s.sessionId,p=Hk(a,d);try{return await t(i,p)}finally{if(s.sessionId)try{await s.terminateSession()}catch{}await i.close(),d&&Nh(p,z_()-c)}})())}o(Cn,"withNativeMcpClient");async function Fk(e,t,r){let n=[],a,s=0;do{if(s>=Mk)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let i=await t(a);s+=1,n.push(...r(i)),a=i.nextCursor}while(a);return n}o(Fk,"collectPaginatedSdkItems");async function il(e){return e.enabled?Fk(e.label,e.fetchPage,e.readItems):[]}o(il,"listNativeMcpCapabilityItems");async function q_(e){return Cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ar({methodName:"tools/list",...r},()=>il({enabled:!!n?.tools,label:"Tool list",fetchPage:o(s=>t.listTools(Tn(s?{cursor:s}:void 0)),"fetchPage"),readItems:o(s=>s.tools,"readItems")}));return sl(a.length),{tools:a}},e.credential)}o(q_,"listNativeMcpTools");async function L_(e){return Cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ar({methodName:"prompts/list",...r},()=>il({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(s=>t.listPrompts(Tn(s?{cursor:s}:void 0)),"fetchPage"),readItems:o(s=>s.prompts,"readItems")}));return sl(a.length),{prompts:a}},e.credential)}o(L_,"listNativeMcpPrompts");async function j_(e){return Cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ar({methodName:"resources/list",...r},()=>il({enabled:!!n?.resources,label:"Resource list",fetchPage:o(s=>t.listResources(Tn(s?{cursor:s}:void 0)),"fetchPage"),readItems:o(s=>s.resources,"readItems")}));return sl(a.length),{resources:a}},e.credential)}o(j_,"listNativeMcpResources");async function H_(e){return Cn(e.upstreamServerId,(t,r)=>Ar({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(Tn(e.params))),e.credential)}o(H_,"callNativeMcpTool");async function G_(e){return Cn(e.upstreamServerId,(t,r)=>Ar({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(Tn(e.params))),e.credential)}o(G_,"getNativeMcpPrompt");async function B_(e){return Cn(e.upstreamServerId,(t,r)=>Ar({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(Tn(e.params))),e.credential)}o(B_,"readNativeMcpResource");var Zo=class extends E{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(A.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function Zk(e){return{content:[{type:"text",text:e}],isError:!0}}o(Zk,"buildToolErrorResult");function Kk(e){return e.authUrl?new Bt([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new Zo(e)}o(Kk,"toConnectRequiredError");function Wk(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(Wk,"buildCredentialResolvedAttributes");function Jk(e){He(e.context,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:Wk(e.credential)})}o(Jk,"emitCredentialResolvedAnalyticsEvent");function Yk(e){He(e.context,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}o(Yk,"emitCredentialMissingAnalyticsEvent");function Xk(e){let t=new Map;return r=>{let n=`${r.upstreamServerId}:${r.authProfileId}:${r.ownerMode}`,a=t.get(n);if(a)return a;let s=(async()=>{let i=await P_({request:e.request,routeAuth:r});if(i.kind==="connect_required")throw Yk({context:e.context,payload:i.payload,routeBinding:r}),Kk(i.payload);return Jk({context:e.context,credential:i.credential,routeBinding:r}),i.credential})();return t.set(n,s),s}}o(Xk,"createCredentialResolver");var V_=500;function Qk(e){return e.length<=V_?e:`${e.slice(0,V_)}...`}o(Qk,"truncateAnalyticsDetail");function eO(e){He(e.context,{eventType:L.MCP_GATEWAY_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0})}o(eO,"emitToolInvocationCompletedAnalyticsEvent");function tO(e){return e instanceof Bt||e instanceof Zo?{eventType:L.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof E&&e.code===A.InvalidParams?{eventType:L.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:L.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(tO,"classifyToolInvocationFailure");function rO(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=tO(e.error);He(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,attributes:{detail:Qk(t)}})}o(rO,"emitToolInvocationFailedAnalyticsEvent");var nO=256*1024;function oO(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new E(A.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>nO)throw new E(A.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(oO,"assertToolArgumentsWithinLimit");function cl(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new E(A.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o(cl,"findBindingForPublishedCapability");function En(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new E(A.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(En,"requireSingleTransparentBinding");function aO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:En(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new E(A.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:cl({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(aO,"resolvePublishedToolRoute");function sO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:En(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new E(A.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:cl({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(sO,"resolvePublishedPromptRoute");function iO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:En(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new E(A.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:cl({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(iO,"resolvePublishedResourceRoute");function F_(e){let t=Xk({context:e.context,request:e.request});return{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{tools:e.publishedVirtualServer.catalog.tools.filter(n=>n.enabled!==!1).map(ms)};let r=En(e);return q_({upstreamServerId:r.upstreamServerId,credential:await t(r)})},async callTool(r){let n=aO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:r.name});try{oO(r);let a=await t(n.binding),s=await H_({upstreamServerId:n.binding.upstreamServerId,params:{...r,name:n.upstreamName},credential:a});return eO({context:e.context,routeBinding:n.binding,toolName:r.name,result:s}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:r.name,upstreamName:n.upstreamName,upstreamServerId:n.binding.upstreamServerId,authProfileId:n.binding.authProfileId,isError:s.isError===!0},"Upstream tool invocation completed"),s}catch(a){if(rO({context:e.context,routeBinding:n.binding,toolName:r.name,error:a}),a instanceof Bt||a instanceof Zo)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:r.name,upstreamServerId:n.binding.upstreamServerId,authProfileId:n.binding.authProfileId,ownerMode:n.binding.ownerMode,hasAuthUrl:a instanceof Bt},"Upstream tool invocation requires user to complete a connect flow"),a;let s={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:r.name,upstreamName:n.upstreamName,upstreamServerId:n.binding.upstreamServerId,authProfileId:n.binding.authProfileId};return a instanceof E&&(s.mcpErrorCode=a.code),a instanceof Error?(s.errorName=a.name,s.errorMessage=a.message,a.cause instanceof Error&&(s.causeName=a.cause.name,s.causeMessage=a.cause.message)):s.errorMessage=String(a),e.context.log.warn(s,"Upstream tool invocation failed; returning generic gateway error to MCP client"),Zk(Le("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{prompts:e.publishedVirtualServer.catalog.prompts.filter(n=>n.enabled!==!1).map(fs)};let r=En(e);return L_({upstreamServerId:r.upstreamServerId,credential:await t(r)})},async getPrompt(r){let n=sO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:r.name});return G_({upstreamServerId:n.binding.upstreamServerId,params:{...r,name:n.upstreamName},credential:await t(n.binding)})},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resources:e.publishedVirtualServer.catalog.resources.filter(n=>n.enabled!==!1).map(hs)};let r=En(e);return j_({upstreamServerId:r.upstreamServerId,credential:await t(r)})},async readResource(r){let n=iO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:r.uri});return B_({upstreamServerId:n.binding.upstreamServerId,params:{...r,uri:n.upstreamUri},credential:await t(n.binding)})}}}o(F_,"createCapabilityDispatcher");var cO="0.1.0",K_="POST",uO="POST, OPTIONS";function ul(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:K_}})}o(ul,"jsonRpcMethodNotAllowedResponse");function dO(e){let t={Allow:K_},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=uO;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(dO,"buildOptionsResponse");function An(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o(An,"readJsonRpcRequestId");function dl(e){return e&&typeof e=="object"?e.params:void 0}o(dl,"readMcpRequestParams");function Z_(e,t){return e.headers.get(t)??void 0}o(Z_,"readMcpHeader");function lO(e){return{mcpProtocolVersion:Z_(e,"mcp-protocol-version")??Er,mcpSessionId:Z_(e,"mcp-session-id")}}o(lO,"buildServerTelemetryBase");function pO(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Er),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(pO,"ensureProtocolVersionHeader");async function ll(e,t){if(e.method==="OPTIONS")return dO(e);if(e.method==="GET")return ul("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return ul("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return ul("Only POST is supported by this virtual MCP server.");let r=mn(t),n=Sh(r.virtualServerId),a=zh(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let s=lO(e),i=F_({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),c=Q(e.url),d=new os({enableDnsRebindingProtection:!0,allowedOrigins:[c]}),p=new ns(n.catalog.serverInfo??{name:r.virtualServerId,version:cO},{capabilities:{prompts:{},resources:{},tools:{}}});p.setRequestHandler(Zi,async m=>Pr({methodName:"tools/list",params:dl(m),jsonRpcRequestId:An(m),...s},()=>i.listTools())),p.setRequestHandler(Hn,async m=>Pr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:An(m),...s},()=>i.callTool(m.params))),p.setRequestHandler(Di,async m=>Pr({methodName:"prompts/list",params:dl(m),jsonRpcRequestId:An(m),...s},()=>i.listPrompts())),p.setRequestHandler(Li,async m=>Pr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:An(m),...s},()=>i.getPrompt(m.params))),p.setRequestHandler(ki,async m=>Pr({methodName:"resources/list",params:dl(m),jsonRpcRequestId:An(m),...s},()=>i.listResources())),p.setRequestHandler($i,async m=>Pr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:An(m),...s},()=>i.readResource(m.params))),await p.connect(d);let l=await d.handleRequest(e);return pO(l)}o(ll,"virtualServerHandler");async function mO(e,t){return Ht("handler.mcp-virtual-server"),ll(e,t)}o(mO,"McpVirtualServerHandler");import{base64url as pl}from"jose";var fO="sha256:",hO=32;function W_(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(W_,"copyToArrayBuffer");function gO(e,t){if(e.length!==t.length)return!1;let r=0;for(let n=0;n<e.length;n++)r|=e.charCodeAt(n)^t.charCodeAt(n);return r===0}o(gO,"constantTimeEqual");function qt(){let e=crypto.getRandomValues(new Uint8Array(hO));return pl.encode(e)}o(qt,"createOpaqueToken");async function ce(e){let t=await crypto.subtle.digest("SHA-256",W_(new TextEncoder().encode(e)));return`${fO}${pl.encode(new Uint8Array(t))}`}o(ce,"hashOpaqueValue");async function J_(e){let t=await ce(e.value);return gO(t,e.expectedHash)}o(J_,"verifyOpaqueValue");async function Y_(e){let t=await crypto.subtle.digest("SHA-256",W_(new TextEncoder().encode(e)));return pl.encode(new Uint8Array(t))}o(Y_,"calculatePkceS256Challenge");function _O(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(_O,"readBearerToken");function yO(e,t,r){return je(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(yO,"gatewayAuthenticationRequiredResponse");async function wO(e,t,r){let n=await H().downstreamOAuthRepository.validateAccessToken({tokenHash:await ce(e),now:new Date});if(n.kind!=="valid")throw t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed"),g("authentication_required","Gateway access token is expired, revoked, or invalid.");return n.record}o(wO,"validateGatewayAccessToken");function SO(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(SO,"assertAccessTokenResource");function vO(e,t,r){return je(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":_n({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${oe} scope required by this MCP resource.`,scope:oe})}})}o(vO,"insufficientScopeResponse");function bO(e){return{subjectId:e.subjectId,tenantId:e.tenantId,roles:e.roles}}o(bO,"principalFromAccessToken");function RO(e){let t=ae(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),je(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":_n({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(RO,"gatewayTokenRejectedResponse");async function ml(e,t){let r=mn(t),n=Eo(r.virtualServerId,e.url),a=_O(e),s=_n({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),yO(e,t,s);try{let i=await wO(a,t,r.virtualServerId);if(SO({accessToken:i,resource:n,virtualServerId:r.virtualServerId},t),i.scope!==oe)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:i.scope,requiredScope:oe,virtualServerId:r.virtualServerId,clientId:i.clientId},"Gateway access token does not have the required MCP scope"),vO(e,t,r.virtualServerId);let c=bO(i);return Xh(t,c),Ju(t,c),e}catch(i){return RO({request:e,context:t,error:i,virtualServerId:r.virtualServerId})}}o(ml,"gatewayTokenInbound");var Pn={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},IO="oauth-protected-resource-metadata",TO="/.well-known/oauth-protected-resource/";function CO(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(CO,"readRouteOperationId");function EO(e){return e.hasGatewayRouteContext?Pn.VIRTUAL_MCP_SERVER:e.routeOperationId===IO||e.routeOperationId===void 0&&e.routePath.startsWith(TO)?Pn.OAUTH_PROTECTED_RESOURCE_METADATA:Pn.OTHER}o(EO,"classifyAnalyticsRouteSurface");function AO(e){let t=e.route.path;return{routePath:t,routeSurface:EO({routePath:t,routeOperationId:CO(e),hasGatewayRouteContext:Ro(e)!==void 0})}}o(AO,"readAnalyticsRequestContext");function PO(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Pn.VIRTUAL_MCP_SERVER}o(PO,"isIntentionalMethodRejection");function xO(e){return PO(e)||e.response.status===401&&e.routeSurface===Pn.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o(xO,"classifyRequestCompletedOutcome");async function fl(e,t){let r=Date.now(),n=AO(t);return t.addResponseSendingFinalHook(a=>{let s=xO({response:a,routeSurface:n.routeSurface});He(t,{eventType:L.MCP_GATEWAY_REQUEST_COMPLETED,outcome:s,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(fl,"analyticsContextInbound");function kO(e){return e instanceof Response}o(kO,"isResponse");var X_="/mcp/";function OO(e){let t=e.route.path;if(!t.startsWith(X_))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(X_.length);if(!r||r.includes("/"))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(OO,"readVirtualServerIdFromRoute");async function Ko(e,t){let n={virtualServerId:ge.parse(OO(t))};Rh(t,n),nh(t,n);let a=await fl(e,t);return kO(a)?a:ml(a,t)}o(Ko,"mcpOAuthInboundPolicy");var UO=o(async(e,t,r,n)=>(Ht("policy.inbound.mcp-auth0-oauth"),Ko(e,t)),"McpAuth0OAuthInboundPolicy");function NO(e){let t=`https://${e.auth0Domain}/`,r=`https://${e.auth0Domain}/.well-known/jwks.json`,n=`https://${e.auth0Domain}/authorize`,a=`https://${e.auth0Domain}/oauth/token`;return ys({oidc:{issuer:t,jwksUrl:r,audience:e.audience},browserLogin:{url:n,tokenUrl:a,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",audience:e.audience,...e.browserLoginOverrides??{}},gateway:e.gateway,devTenantId:e.devTenantId})}o(NO,"buildAuth0McpOAuthRuntimeConfig");var $O={policyType:"mcp-auth0-oauth-inbound",displayName:"MCP OAuth (Auth0)",getConfig(e){return NO(e)}};us($O);var zO=o(async(e,t,r,n)=>(Ht("policy.inbound.mcp-oauth"),Ko(e,t)),"McpOAuthInboundPolicy"),MO={policyType:"mcp-oauth-inbound",displayName:"MCP OAuth",getConfig(e){return ys(e)}};us(MO);function DO(e){let t=vt(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(DO,"buildRouteAuthBaseFromConnection");function ey(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=vt(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:pn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(ey,"buildRouteAuthBaseFromPolicyOptions");function ty(e,t){let n=tt().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(s=>s.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return DO({connection:a,virtualServerId:t})}o(ty,"resolveRouteAuthBase");function Q_(e,t){switch(e){case"user":return ur(t.tenantId,t.subjectId);case"tenant_shared":return Es(t.tenantId)}}o(Q_,"buildOwnerForPrincipal");function Qs(e,t){switch(e.ownerMode){case"tenant_shared":return{...e,owner:Q_(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:Q_(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(Qs,"resolveRouteAuthForPrincipal");function qO(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return is.parse(r)}o(qO,"readSingleAuthMode");function ry(e){return St.parse(e)}o(ry,"buildToolNamePrefixFromConnectionId");async function hl(e,t,r,n){let a=ps(r,n),s=qO({policyName:n,connection:a}),i=mn(t),c=ey({connection:a,virtualServerId:i.virtualServerId,authMode:s});if(c.ownerMode==="none")return fd(t,{...c,connectionPolicyName:n,toolNamePrefix:ry(a.id)}),e;let d=Yh(t);return d.tenantId?(fd(t,{...Qs(c,d),connectionPolicyName:n,toolNamePrefix:ry(a.id)}),e):je(e,t,{code:"forbidden",detail:"Upstream credentials for this virtual server require an authenticated tenant.",headers:{"WWW-Authenticate":_n({virtualServerId:i.virtualServerId,requestUrl:e.url,error:"insufficient_scope",errorDescription:"The access token is missing tenant context required by this virtual server.",scope:oe})}})}o(hl,"mcpUpstreamConnectionPolicy");var LO=o(async(e,t,r,n)=>(Ht("policy.inbound.mcp-upstream-connection"),hl(e,t,r,n)),"McpUpstreamConnectionInboundPolicy");W();W();var ny="application/json",jO="application/x-www-form-urlencoded";function HO(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(HO,"normalizeContentType");function GO(e,t){return e===t?!0:t===ny&&e.endsWith("+json")}o(GO,"contentTypeMatches");function BO(e,t){if(!t||t.length===0)return;let r=HO(e.headers.get("content-type"));if(!t.some(n=>GO(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(BO,"assertExpectedContentType");function VO(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(VO,"assertContentLengthWithinLimit");async function oy(e,t){let r=t.label??"Request body";BO(e,t.expectedContentTypes),VO(e,t.maxBytes,r);let n=await Bs(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(oy,"readBoundedTextBody");async function ay(e,t){let r=await oy(e,{...t,expectedContentTypes:[ny]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(ay,"readBoundedJsonBody");async function ei(e,t){let r=await oy(e,{...t,expectedContentTypes:[jO]});return new URLSearchParams(r)}o(ei,"readBoundedFormUrlEncodedBody");var sy=Symbol("Html");function FO(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(FO,"escapeHtml");function ZO(e){return e===null||typeof e!="object"?!1:e[sy]===!0}o(ZO,"isHtml");function iy(e){return e==null||e===!1?"":Array.isArray(e)?e.map(iy).join(""):ZO(e)?e.value:FO(String(e))}o(iy,"renderValue");function pt(e){return{[sy]:!0,value:e}}o(pt,"trustedHtml");var me=pt("");function k(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=iy(t[n]),r+=e[n+1]??"";return pt(r)}o(k,"html");function Lt(e){return e.value}o(Lt,"renderHtml");var KO="text/html; charset=utf-8";function cy(e,t=200){return new Response(Lt(e),{status:t,headers:{"content-type":KO,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(cy,"apiKeyLoginHtmlResponse");function gl(e=401){return cy(k`<!doctype html><html><head><title>Login failed</title></head><body><main><h1>Login failed</h1><p>The API key could not be verified. Start the authorization flow again.</p></main></body></html>`,e)}o(gl,"apiKeyLoginFailureResponse");function uy(e){return cy(k`<!doctype html><html><head><title>API key login</title></head><body><main><h1>API key login</h1><form method="post" action="/oauth/api-key-login" autocomplete="off"><input type="hidden" name="state" value="${e}"><label for="apiKey">API key</label><input id="apiKey" name="apiKey" type="password" required autocomplete="off"><button type="submit">Continue</button></form></main></body></html>`)}o(uy,"renderApiKeyLoginForm");W();W();import{errors as Sy,jwtVerify as vy,SignJWT as by}from"jose";W();import{errors as a0,jwtVerify as s0,SignJWT as i0}from"jose";function fr(e){let t=_e().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(fr,"requireBrowserLoginField");function ti(e){if(!e.tenantId)throw g("identity_context_missing","Gateway OAuth browser login requires a tenant-scoped principal.");return{...e,tenantId:e.tenantId}}o(ti,"requireTenantScopedBrowserPrincipal");W();import{createRemoteJWKSet as WO,errors as Wo,jwtVerify as JO}from"jose";var YO=u.object({id_token:u.string().min(1),token_type:u.string().min(1).optional(),expires_in:u.number().optional(),access_token:u.string().min(1).optional(),refresh_token:u.string().min(1).optional(),scope:u.string().min(1).optional()}),XO=u.object({error:u.string().min(1).optional(),error_description:u.string().min(1).optional(),error_uri:u.string().min(1).optional()});function QO(e){let t=XO.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(QO,"readIdpErrorFields");function e0(e){return e instanceof Wo.JWTExpired?"expired":e instanceof Wo.JWTClaimValidationFailed?"claim":e instanceof Wo.JWSSignatureVerificationFailed?"signature":e instanceof Wo.JWKSNoMatchingKey?"jwks_no_match":e instanceof Wo.JWTInvalid?"invalid":e instanceof u.ZodError?"schema":"other"}o(e0,"readJwtFailureKind");var t0=u.object({sub:le,nonce:u.string().min(1)}).catchall(u.unknown()),_l;function r0(e){return e instanceof Error&&"cause"in e?e.cause:e}o(r0,"readErrorCause");function n0(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(n0,"readRuntimeGatewayCode");function o0(){if(!_l){let e=_e();_l=WO(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return _l}o(o0,"readFederatedJwks");async function dy(e){let t=_e(),r=fr("tokenUrl"),n=fr("clientId"),a=fr("clientSecret"),s=new URL("/oauth/callback",lt(e.requestUrl)).toString(),i=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:s,client_id:n,client_secret:a});try{let{response:c,json:d}=await m_(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:i},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!c.ok){let h=QO(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:et(r),idpStatus:c.status,...h},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${h.idpError?` idp_error=${h.idpError}`:""}${h.idpErrorDescription?` idp_error_description=${h.idpErrorDescription}`:""})`)})}let p=YO.parse(d),l;try{({payload:l}=await JO(p.id_token,o0(),{issuer:t.oidc.issuer,audience:n}))}catch(h){let _={};throw Re(_,"error",h),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:e0(h),idpHost:et(r),expectedIssuer:t.oidc.issuer,..._},"Federated id_token failed jose verification"),h}if(l.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:et(r),nonceMissingFromIdToken:l.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=t0.parse(l);return ti(gn({sub:m.sub,data:m},e.requestUrl))}catch(c){let d=ae(c)??n0(c);throw d!==void 0&&d!=="browser_login_verification_failed"?c:g("browser_login_verification_failed","Federated browser login callback could not be verified.",r0(c))}}o(dy,"exchangeFederatedAuthorizationCode");var wl="zuplo_mcp_session",ly="HS256",py="zuplo-mcp-gateway",my="zuplo-mcp-gateway",c0=u.object({purpose:u.literal("gateway_browser_session"),sub:le,tenantId:$e,browserLoginOrigin:u.string().min(1),roles:u.array(u.string().min(1)).optional(),exp:u.number().int().positive(),iat:u.number().int().positive().optional()});function u0(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),s=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(s))}catch{t.set(a,s)}}return t}o(u0,"parseCookieHeader");async function fy(){return bt({purpose:"browser-session",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>dr(e,"browser-session"),"derive")})}o(fy,"getBrowserSessionKey");function yl(e){let t=new URL(Q(e)),r=[`${wl}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(yl,"buildBrowserSessionEvictionCookie");function d0(e){let t=new URL(Q(e.requestUrl)),r=[`${wl}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(d0,"serializeSessionCookie");function hy(e={}){return new URL(fr("url")).origin}o(hy,"readBrowserLoginOrigin");function Sl(){return _e().browserLogin.stateTtlSeconds}o(Sl,"readBrowserLoginStateTtlSeconds");function gy(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return ti(gn(e.user,e.url))}o(gy,"resolveCurrentRequestPrincipal");async function ri(e,t={}){let r=u0(e.headers.get("cookie")).get(wl);if(!r)return{};try{let{payload:n}=await s0(r,await fy(),{algorithms:[ly],issuer:py,audience:my}),a=c0.parse(n);if(a.browserLoginOrigin!==hy(t))return{evictCookie:yl(e.url)};let s={subjectId:a.sub,tenantId:a.tenantId};return a.roles&&a.roles.length>0&&(s.roles=a.roles),{principal:s}}catch(n){return n instanceof a0.JWTExpired?{evictCookie:yl(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:yl(e.url)})}}o(ri,"readBrowserSession");async function Jo(e){let t=_e().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,tenantId:e.principal.tenantId,browserLoginOrigin:hy({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new i0(r).setProtectedHeader({alg:ly,typ:"JWT"}).setIssuer(py).setAudience(my).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await fy());return d0({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(Jo,"createBrowserSessionCookie");async function _y(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(_y,"resolveApiKeyBrowserLoginPrincipal");async function yy(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await ri(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return dy({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(yy,"resolveBrowserLoginCallbackPrincipal");function wy(e){let t=_e().browserLogin,r=new URL(fr("url")),n=new URL("/oauth/callback",lt(e.requestUrl));return Vh(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",fr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(wy,"buildBrowserLoginUrl");var l0=5*60,p0=["mcp_user"],ni="HS256",oi="zuplo-mcp-gateway",ai="zuplo-mcp-gateway",m0=u.object({purpose:u.literal("gateway_browser_login"),transactionId:sr,stateId:vs,exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),f0=u.object({purpose:u.literal("gateway_authorization_setup"),transactionId:sr,stateId:vs,exp:u.number().int().positive(),iat:u.number().int().positive().optional()});async function Ry(){return bt({purpose:"browser-login",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>dr(e,"browser-login"),"derive")})}o(Ry,"getBrowserLoginKey");async function Iy(){return bt({purpose:"authorization-csrf",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>dr(e,"authorization-csrf"),"derive")})}o(Iy,"getCsrfKey");function h0(e){return[...new Set([...p0,...e.roles??[]])]}o(h0,"buildRoles");function Ty(e){return{repository:e.repository??H().downstreamOAuthRepository,now:e.now??new Date,ttlSeconds:Sl()}}o(Ty,"readPendingTransactionDependencies");function g0(e,t){return e.subjectId===t.subjectId&&e.tenantId===t.tenantId}o(g0,"principalsMatch");function Cy(e){return{subjectId:e.subjectId,tenantId:e.tenantId,...e.roles===void 0?{}:{roles:e.roles}}}o(Cy,"toPendingPrincipal");function Ey(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:K(e.now),expiresAt:K(ar(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Cy(e.principal)}}o(Ey,"createTransactionRecord");async function Ay(e){if((await e.repository.savePendingAuthorizationTransaction(e.record)).kind==="already_exists")throw g("oauth_state_reused","Authorization transaction state already exists.")}o(Ay,"savePendingTransaction");async function _0(e){return new by({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:ni,typ:"JWT"}).setIssuer(oi).setAudience(ai).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Ry())}o(_0,"signBrowserLoginState");async function Py(e){return new by({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Sd()}).setProtectedHeader({alg:ni,typ:"JWT"}).setIssuer(oi).setAudience(ai).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Iy())}o(Py,"signCsrfToken");async function si(e){try{let{payload:t}=await vy(e,await Ry(),{algorithms:[ni],issuer:oi,audience:ai}),r=m0.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Sy.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(si,"verifyBrowserLoginStateToken");async function y0(e){try{let{payload:t}=await vy(e,await Iy(),{algorithms:[ni],issuer:oi,audience:ai});return{transactionId:f0.parse(t).transactionId}}catch(t){throw t instanceof Sy.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(y0,"verifyCsrfToken");function ii(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(ii,"pendingStateErrorCode");function w0(e){if(e.kind!=="available")throw g(ii(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(w0,"requireAwaitingSetup");function S0(e){if(e.kind!=="available")throw g(ii(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(S0,"requireAwaitingLogin");function v0(e){if(!g0(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(v0,"requireCurrentPrincipalMatches");async function xy(e){let t=e.repository??H().downstreamOAuthRepository,r=e.now??new Date,n=Sl(),a=wd(),s=Sd(),i=await _0({transactionId:a,stateId:s,ttlSeconds:n}),c=Ey({id:a,transaction:e.transaction,currentStateHash:await ce(i),phase:"awaiting_login",now:r,ttlSeconds:n});if(c.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return await Ay({repository:t,record:c}),{transaction:c,browserLoginStateToken:i,browserLoginUrl:wy({state:i,nonce:s,virtualServerId:c.virtualServerId,requestUrl:e.requestUrl})}}o(xy,"startAwaitingLogin");async function ky(e){let{repository:t,now:r,ttlSeconds:n}=Ty(e),a=wd(),s=await Py({transactionId:a,ttlSeconds:n}),i=Ey({id:a,transaction:e.transaction,currentStateHash:await ce(s),phase:"awaiting_setup",principal:e.principal,now:r,ttlSeconds:n});if(i.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return await Ay({repository:t,record:i}),{transaction:i,csrfToken:s}}o(ky,"startAwaitingSetup");async function vl(e){let{repository:t,now:r,ttlSeconds:n}=Ty(e),a=await si(e.browserLoginStateToken),s=await Py({transactionId:a.transactionId,ttlSeconds:n}),i=await t.advancePendingAuthorizationTransaction({id:a.transactionId,expectedPhase:"awaiting_login",currentStateHash:await ce(e.browserLoginStateToken),nextStateHash:await ce(s),nextPhase:"awaiting_setup",principal:Cy(e.principal),now:r});if(i.kind!=="advanced")throw g(ii(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:s}}o(vl,"completeLogin");async function Oy(e){let t=e.repository??H().downstreamOAuthRepository,r=e.now??new Date,n=await si(e.browserLoginStateToken);return S0(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await ce(e.browserLoginStateToken),now:r}))}o(Oy,"getAwaitingLogin");async function bl(e){let t=await Rl(e);return v0({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(bl,"getSetup");async function Rl(e){let t=e.repository??H().downstreamOAuthRepository,r=e.now??new Date,n=await y0(e.csrfToken);return w0(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await ce(e.csrfToken),now:r}))}o(Rl,"getSetupTransaction");async function b0(e){let t=qt(),r=await ce(t),n=Bh(),a=K(ar(e.now,l0)),s={id:e.transaction.id,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,tenantId:e.transaction.principal.tenantId,subjectId:e.transaction.principal.subjectId,scope:e.transaction.scope,roles:h0(e.transaction.principal),codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:K(e.now),expiresAt:a};await e.repository.issueAuthorizationCode({...s,codeHash:r,grantId:n});let i=new URL(e.transaction.redirectUri);return i.searchParams.set("code",t),e.transaction.clientState&&i.searchParams.set("state",e.transaction.clientState),i}o(b0,"createAuthorizationCodeRedirect");function R0(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(R0,"buildClientCancelRedirect");async function I0(e){let t=await bl(e),r=await e.repository.consumePendingAuthorizationTransaction({id:t.id,currentStateHash:await ce(e.csrfToken),now:e.now});if(r.kind!=="consumed")throw g(ii(r.kind),"Authorization setup state is invalid, expired, or already used.");if(r.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return r.record}o(I0,"consumeSetup");async function Uy(e){let t=e.repository??H().downstreamOAuthRepository,r=e.now??new Date;return{repository:t,now:r,transaction:await I0({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t})}}o(Uy,"consumeSetupForDecision");async function Ny(e){let{repository:t,now:r,transaction:n}=await Uy(e);return b0({repository:t,transaction:n,now:r})}o(Ny,"approve");async function $y(e){let{transaction:t}=await Uy(e);return R0({redirectUri:t.redirectUri,clientState:t.clientState})}o($y,"cancel");W();var T0={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},z=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=T0[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};var C0=1e4,E0=5*1024,A0=2,P0=90*24*60*60,Il=["authorization_code","refresh_token"],Tl=["code"],x0=u.object({client_name:u.string().min(1).optional(),redirect_uris:u.array(u.string().min(1)).min(1),grant_types:u.array(u.enum(Il)).min(1).max(2).optional(),response_types:u.array(u.enum(Tl)).min(1).max(1).optional(),scope:u.literal(oe).optional(),token_endpoint_auth_method:Co.default("client_secret_basic")});function k0(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(k0,"isCimdClientIdCandidate");function Yo(e,t="invalid_request"){if(O0(e))throw new z(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new z(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new z(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||Ue(r)))throw new z(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(Yo,"assertValidRedirectUri");function O0(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(O0,"hasForbiddenRawRedirectUriCharacter");async function U0(e){let{response:t,json:r}=await f_(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:A0,maxResponseBytes:E0,timeoutMs:C0});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=qh.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(U0,"fetchCimdMetadata");async function N0(e){let t=Gs(e),r=await U0({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(N0,"resolveCimdClient");async function Xo(e,t,r){let n=Ze.parse(t),a=await e.getDcrClient(n);if(a){let s={kind:"dcr",clientId:n,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(s.hashedClientSecret=a.hashedClientSecret),s}if(!_e().gateway.cimdEnabled||!k0(n))throw new z("invalid_client",n.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.");try{return await N0(n)}catch{throw new z("invalid_client","OAuth client is not registered.")}}o(Xo,"resolveClient");function ci(e,t){if(!e.metadata.redirect_uris.some(r=>Rs(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(ci,"assertRedirectRegistered");function $0(e){let t=zy(e.grant_types),r=e.response_types??[...Tl];if(!z0(t))throw new z("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!M0(r))throw new z("invalid_client_metadata","response_types must be code.");if(!D0(e.scope))throw new z("invalid_client_metadata",`Only the ${oe} scope is supported.`)}o($0,"assertSupportedDcrRequest");function zy(e){return e===void 0?[...Il]:Array.from(new Set(e))}o(zy,"normalizeGrantTypes");function z0(e){return e.length===0?!1:e.every(t=>Il.includes(t))}o(z0,"isSupportedGrantTypes");function M0(e){return e.length===Tl.length&&e[0]==="code"}o(M0,"isSupportedResponseTypes");function D0(e){return e===void 0||e===oe}o(D0,"isSupportedDcrScope");function Qo(e){if(e===void 0||e===oe)return oe;throw new z("invalid_request",`Only the ${oe} scope is supported.`)}o(Qo,"assertSupportedOAuthScope");function xn(e,t){let r;try{r=new URL(t)}catch{throw new z("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new z("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!Ue(r))throw new z("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=Q(e),a=vh(),s=a?[...a.byVirtualServerId.values()].find(i=>new URL(i.routePath,n).toString()===t):void 0;if(!s)throw new z("invalid_target","resource must match a published virtual MCP server.");return s}o(xn,"resolveResource");async function My(e,t={}){let n=(q0(t)?{repository:t}:t).repository??H().downstreamOAuthRepository,a;try{a=x0.parse(e)}catch(h){if(h instanceof u.ZodError){let _=h.issues.some(w=>w.path[0]==="redirect_uris");throw new z(_?"invalid_redirect_uri":"invalid_client_metadata",h.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:h})}throw h}$0(a);for(let h of a.redirect_uris)Yo(h,"invalid_redirect_uri");let s=new Date,i=Ze.parse(`dcr:${crypto.randomUUID()}`),c=ar(s,P0),d=Math.floor(s.getTime()/1e3),p=Math.floor(c.getTime()/1e3),l={client_id:i,client_name:a.client_name??"Dynamically registered MCP client",redirect_uris:a.redirect_uris,grant_types:zy(a.grant_types),response_types:["code"],scope:oe,token_endpoint_auth_method:a.token_endpoint_auth_method,client_id_issued_at:d},m={clientId:i,clientName:String(l.client_name),redirectUris:a.redirect_uris,tokenEndpointAuthMethod:a.token_endpoint_auth_method,createdAt:K(s),clientExpiresAt:K(c)};if(a.token_endpoint_auth_method!=="none"){let h=qt();m.hashedClientSecret=await ce(h),m.clientSecretExpiresAt=K(c),l.client_secret=h,l.client_secret_expires_at=p,l.client_secret_issued_at=d}return await n.saveDcrClient(m),l}o(My,"registerDownstreamClient");function q0(e){return typeof e.getDcrClient=="function"}o(q0,"isOAuthRepository");var L0=8;function El(e){let t=e.trim();try{let r=new URL(t);if(r.protocol==="https:")return r.toString()}catch{}if(/^data:image\/(?:png|jpe?g|webp);/i.test(t))return t}o(El,"safeIconSrc");function j0(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(j0,"safeGatewayConnectHref");function H0(e){if(e==="any")return Number.POSITIVE_INFINITY;let t=/^(\d+)x(\d+)$/.exec(e);return t?Math.max(Number(t[1]),Number(t[2])):0}o(H0,"parseIconSize");function G0(e,t){let r=e.filter(a=>a.theme===t);if(r.length>0)return r;let n=e.filter(a=>a.theme===void 0);return n.length>0?n:e}o(G0,"selectIconCandidates");function B0(e){return El(e.src)?e.sizes&&e.sizes.length>0?Math.max(...e.sizes.map(H0)):0:-1}o(B0,"readIconScore");function Ly(e,t){if(!e||e.length===0)return;let r=G0(e,t),n,a=-1;for(let s of r){let i=B0(s);i>a&&(n=s,a=i)}return n}o(Ly,"pickIcon");var V0='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>',Dy=pt(V0),F0=pt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>'),Z0=pt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>'),jy=pt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),qy=pt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M8 1.5 2.5 3.5v4.2c0 3.4 2.4 5.6 5.5 6.8 3.1-1.2 5.5-3.4 5.5-6.8V3.5L8 1.5Z"/><path d="m5.8 8.2 1.6 1.6 3-3"/></svg>');function K0(e,t){let r=Ly(e,"light");if(!r)return k`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${Dy}</span>`;let n=El(r.src);return n?k`<span class="icon-frame"><img src="${n}" alt="${t}" loading="lazy" decoding="async"></span>`:k`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${Dy}</span>`}o(K0,"renderIconFrame");function di(e,t){let r=Ly(e,"light");if(!r)return me;let n=El(r.src);return n?k`<img class="inline-icon" src="${n}" alt="${t}" loading="lazy" decoding="async">`:me}o(di,"renderInlineIcon");function W0(e){switch(e){case"user":return"your account";case"tenant_shared":return"shared by your team";case"none":return"gateway-managed"}}o(W0,"ownerModeLabel");function J0(e){return e.endsWith("_oauth")||e==="oauth"?"OAuth":e.includes("static_secret")?"static credential":e.replaceAll("_"," ")}o(J0,"authModeLabel");function Y0(e){switch(e){case"active":return k`<span class="status-badge status-badge--success">Connected</span>`;case"not_connected":return k`<span class="status-badge status-badge--neutral">Not connected</span>`;case"reconsent_required":return k`<span class="status-badge status-badge--warning">Reconnect required</span>`}}o(Y0,"statusBadge");function X0(e){if(!e)return me;let t=[];return e.destructiveHint&&t.push(k`<span class="badge badge--destructive" title="This tool may modify or delete data on your behalf.">destructive</span>`),e.readOnlyHint&&t.push(k`<span class="badge badge--muted" title="This tool only reads data and does not modify state.">read-only</span>`),e.openWorldHint&&t.push(k`<span class="badge badge--muted" title="This tool can access arbitrary URIs supplied at call time.">open-world</span>`),t.length>0?k`<span class="badge-row">${t}</span>`:me}o(X0,"annotationBadges");function Hy(e){let t=0,r=0;for(let n of e.tools)n.annotations?.destructiveHint===!0&&(t+=1),n.annotations?.readOnlyHint===!0&&(r+=1);return{tools:e.tools.length,prompts:e.prompts.length,resources:e.resources.length,destructiveTools:t,readOnlyTools:r}}o(Hy,"summarizeCapabilities");function Q0(e){let t=e.annotations?.title??e.title??e.name,r=e.description?k`<span class="capability-row__description">${e.description}</span>`:me;return k`<li class="capability-row">${di(e.icons,t)}<span class="capability-row__name">${t}</span>${X0(e.annotations)}${r}</li>`}o(Q0,"renderToolRow");function eU(e){let t=e.title??e.name,r=e.description?k`<span class="capability-row__description">${e.description}</span>`:me;return k`<li class="capability-row">${di(e.icons,t)}<span class="capability-row__name">${t}</span>${r}</li>`}o(eU,"renderPromptRow");function tU(e){let t=e.title??e.name,r=e.mimeType===void 0?me:k` · ${e.mimeType}`,n=e.description===void 0?me:k` — ${e.description}`,a=k`<span class="capability-row__description"><code>${e.uri}</code>${r}${n}</span>`;return k`<li class="capability-row">${di(e.icons,t)}<span class="capability-row__name">${t}</span>${a}</li>`}o(tU,"renderResourceRow");function Cl(e,t,r,n){if(t===0)return me;let a=r.slice(0,L0),s=t-a.length,i=s>0?k`<li class="capability-row capability-row--more">+ ${s} more</li>`:me;return k`<section class="capability-section"><h4 class="capability-section__title">${e} <span class="muted">(${t})</span></h4><ul class="capability-list">${a.map(n)}${i}</ul></section>`}o(Cl,"renderCapabilitySection");function ui(e,t,r=!1){return r?k`<span class="count-pill count-pill--destructive"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`:k`<span class="count-pill"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`}o(ui,"countPill");function rU(e){let t=Hy(e);if(t.tools+t.prompts+t.resources===0)return k`<div class="upstream-card__capabilities upstream-card__capabilities--empty">No tools, prompts, or resources advertised.</div>`;let n=[];t.tools>0&&n.push(ui(t.tools===1?"tool":"tools",t.tools)),t.prompts>0&&n.push(ui(t.prompts===1?"prompt":"prompts",t.prompts)),t.resources>0&&n.push(ui(t.resources===1?"resource":"resources",t.resources)),t.destructiveTools>0&&n.push(ui("destructive",t.destructiveTools,!0));let a=[Cl("Tools",t.tools,e.tools,Q0),Cl("Prompts",t.prompts,e.prompts,eU),Cl("Resources",t.resources,e.resources,tU)];return k`<details class="upstream-card__capabilities"><summary class="capabilities-summary"><span class="capabilities-summary__counts">${n}</span><span class="capabilities-summary__chevron" aria-hidden="true">${jy}</span></summary><div class="capabilities-detail">${a}</div></details>`}o(rU,"renderUpstreamCapabilities");function nU(e){if(!e||e.length===0)return me;let t=e.map(n=>k`<code class="scope-chip">${n}</code>`),r=e.length===1?"scope":"scopes";return k`<details class="upstream-card__scopes"><summary class="scopes-summary"><span>Requested ${r} <span class="muted">(${e.length})</span></span><span class="capabilities-summary__chevron" aria-hidden="true">${jy}</span></summary><div class="scopes-list">${t}</div></details>`}o(nU,"renderUpstreamScopes");function oU(e,t){if(e.ownerMode!=="user")return me;let r=j0(e.connectUrl,t);if(!r)return me;let n=e.status==="active"?"Redo auth":e.status==="reconsent_required"?"Reconnect":"Connect",a=e.status==="active"?"Reconnect this upstream account or approve updated scopes.":void 0;return k`<a class="button button--secondary button--small" href="${r}"${a===void 0?me:k` title="${a}"`}>${n}</a>`}o(oU,"renderActionButton");function aU(e,t){let r=oU(e,t);return Lt(r)!==""?r:Y0(e.status)}o(aU,"renderUpstreamControl");function sU(e,t){let n=e.ownerMode==="user"&&e.status!=="active"?pt('<article class="upstream-card upstream-card--needs-action">'):pt('<article class="upstream-card">'),a=e.description?k`<p class="upstream-card__description">${e.description}</p>`:me,s=e.transportHost?k`<code class="upstream-card__host">${e.transportHost}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`:me,i=k`<div class="upstream-card__head">${K0(e.serverIcons,e.upstreamDisplayName)}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${aU(e,t)}</div><div class="upstream-card__meta">${s}<span>${J0(e.authMode)}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${W0(e.ownerMode)}</span></div>${a}</div></div>`,c=rU(e.capabilities),d=nU(e.scopesRequested);return k`${n}${i}${c}${d}</article>`}o(sU,"renderUpstreamCard");function iU(e){return e.reduce((t,r)=>{let n=Hy(r.capabilities);return t.tools+=n.tools,t.prompts+=n.prompts,t.resources+=n.resources,t.destructiveTools+=n.destructiveTools,t.readOnlyTools+=n.readOnlyTools,t},{tools:0,prompts:0,resources:0,destructiveTools:0,readOnlyTools:0})}o(iU,"aggregateCapabilities");function cU(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(cU,"deriveMode");function uU(e){if(e.mode==="setup"){let n=e.upstreams.filter(c=>c.ownerMode==="user"&&c.status!=="active"),a=n.length>0&&n.every(c=>c.status==="reconsent_required"),s=n.length===1?"the service":`the ${n.length} services`,i=a?k`Re-authorize ${s} below to refresh access. Authorization will continue automatically once each is ready.`:k`Connect ${s} below before continuing. Authorization will continue automatically once each is ready.`;return k`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${F0}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${i}</p></div></div>`}let t=iU(e.upstreams);if(t.destructiveTools===0)return me;let r=t.destructiveTools===1?"tool can":"tools can";return k`<div class="banner banner--alert" role="alert"><span class="banner__icon" aria-hidden="true">${Z0}</span><div class="banner__body"><p class="banner__title">${t.destructiveTools} ${r} modify or delete data</p><p class="banner__message">Review the destructive tools below before authorizing <strong>${e.clientDisplayName}</strong>.</p></div></div>`}o(uU,"renderBanner");function dU(e){return e.mode==="grant"?k`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve">Authorize</button></form>`:k`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><input type="hidden" name="decision" value="continue"><button class="button button--primary" type="submit">Check again</button></form>`}o(dU,"renderActions");var lU=`
+*,*::before,*::after{box-sizing:border-box}
+:root{
+  --bg:#ffffff;
+  --surface:#ffffff;
+  --surface-2:#f1f5f9;
+  --border:#e2e8f0;
+  --border-strong:#c9cace;
+  --text:#20222e;
+  --text-2:#475569;
+  --text-3:#64748b;
+  --brand:#ff00bd;
+  --brand-strong:#d600a0;
+  --brand-soft:#fff0f7;
+  --brand-ring:rgba(255,0,189,.15);
+  --success:#13a688;
+  --success-soft:rgba(19,166,136,.10);
+  --success-border:rgba(19,166,136,.32);
+  --warning:#b45309;
+  --warning-soft:#fff7ed;
+  --warning-border:#fcd9b6;
+  --danger:#d03c38;
+  --danger-soft:rgba(208,60,56,.08);
+  --danger-border:rgba(208,60,56,.28);
+  --radius:2px;
+  --radius-md:6px;
+  --radius-lg:8px;
+  --shadow-sm:0 1px 2px rgba(15,23,42,.04);
+  --shadow-md:0 1px 3px rgba(15,23,42,.06),0 1px 2px rgba(15,23,42,.04);
+  --shadow-lg:0 8px 24px rgba(15,23,42,.08);
+  --font-sans:Inter,"Inter Fallback",-apple-system,BlinkMacSystemFont,"Segoe UI",system-ui,sans-serif;
+  --font-heading:"Readex Pro","Readex Pro Fallback",Inter,system-ui,sans-serif;
+  --font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace;
+}
+@media (prefers-color-scheme: dark){
+  :root{
+    --bg:#0a0c10;
+    --surface:#15171c;
+    --surface-2:#1e2128;
+    --border:#262932;
+    --border-strong:#3a3e48;
+    --text:#fafafa;
+    --text-2:#9ba3b0;
+    --text-3:#71757f;
+    --brand:#ff33c8;
+    --brand-strong:#ff66d4;
+    --brand-soft:rgba(255,0,189,.14);
+    --brand-ring:rgba(255,0,189,.28);
+    --success:#34d399;
+    --success-soft:rgba(19,166,136,.16);
+    --success-border:rgba(52,211,153,.32);
+    --warning:#fbbf24;
+    --warning-soft:rgba(251,191,36,.10);
+    --warning-border:rgba(251,191,36,.32);
+    --danger:#f87171;
+    --danger-soft:rgba(208,60,56,.14);
+    --danger-border:rgba(248,113,113,.32);
+    --shadow-sm:0 1px 2px rgba(0,0,0,.4);
+    --shadow-md:0 1px 3px rgba(0,0,0,.45),0 1px 2px rgba(0,0,0,.3);
+    --shadow-lg:0 12px 28px rgba(0,0,0,.5);
+  }
+}
+html,body{margin:0;padding:0}
+html{background:var(--bg);height:100%}
+body{
+  font-family:var(--font-sans);
+  background:var(--bg);
+  color:var(--text);
+  font-size:14px;
+  line-height:1.5;
+  -webkit-font-smoothing:antialiased;
+  -moz-osx-font-smoothing:grayscale;
+  height:100vh;
+  height:100dvh;
+  display:flex;flex-direction:column;
+  overflow:hidden;
+}
+.topbar{
+  flex-shrink:0;
+  background:var(--surface);
+  border-bottom:1px solid var(--border);
+}
+.topbar__inner{
+  max-width:640px;margin:0 auto;
+  display:flex;align-items:center;justify-content:space-between;
+  gap:16px;padding:14px 24px;
+}
+.brand{
+  display:flex;align-items:center;gap:10px;
+  color:var(--text);font-weight:600;font-size:13px;
+  letter-spacing:-.01em;
+}
+.brand__mark{
+  width:22px;height:22px;border-radius:var(--radius);
+  background:var(--brand);color:#fff;
+  display:inline-flex;align-items:center;justify-content:center;
+  font-weight:700;font-size:12px;letter-spacing:0;
+  font-family:var(--font-heading);
+}
+.brand__name{color:var(--text-2);font-weight:500}
+.principal{
+  display:inline-flex;align-items:center;gap:6px;
+  font-size:12.5px;color:var(--text-3);
+  padding:4px 10px;border-radius:9999px;
+  background:var(--surface-2);
+  max-width:280px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap;
+}
+.shell-main{
+  flex:1;min-height:0;
+  display:flex;flex-direction:column;
+  width:100%;
+}
+.static-top{flex-shrink:0;background:var(--bg)}
+.static-top__inner{
+  max-width:640px;margin:0 auto;width:100%;
+  padding:32px 24px 16px;
+  display:flex;flex-direction:column;gap:18px;
+}
+.hero{display:flex;flex-direction:column;gap:6px;margin:0}
+.hero__title{
+  margin:0;font-family:var(--font-heading);
+  font-size:28px;font-weight:600;letter-spacing:-.02em;
+  color:var(--text);line-height:1.2;
+}
+.hero__connection{
+  margin:2px 0 0;font-size:15px;color:var(--text-2);
+  display:flex;align-items:center;gap:10px;flex-wrap:wrap;
+  line-height:1.4;
+}
+.hero__client,.hero__server{
+  color:var(--text);font-weight:600;
+  display:inline-flex;align-items:center;gap:6px;
+  min-width:0;
+}
+.hero__server .inline-icon{
+  width:16px;height:16px;border-radius:3px;margin:0;
+  vertical-align:baseline;
+}
+.hero__arrow{
+  color:var(--text-3);font-weight:500;
+  display:inline-flex;align-items:center;
+}
+.hero__description{
+  margin:6px 0 0;color:var(--text-2);font-size:13.5px;line-height:1.5;
+}
+.banner{
+  display:flex;align-items:flex-start;gap:12px;
+  padding:12px 14px;border-radius:var(--radius-md);
+  border:1px solid;
+  font-size:13.5px;
+}
+.banner__icon{
+  flex-shrink:0;display:inline-flex;align-items:center;justify-content:center;
+  width:18px;height:18px;margin-top:1px;
+}
+.banner__body{flex:1;min-width:0;display:flex;flex-direction:column;gap:2px}
+.banner__title{margin:0;font-weight:600;color:var(--text);font-size:13.5px}
+.banner__message{margin:0;color:var(--text-2);font-size:13px;line-height:1.5}
+.banner--warning{background:var(--warning-soft);border-color:var(--warning-border)}
+.banner--warning .banner__icon{color:var(--warning)}
+.banner--alert{background:var(--danger-soft);border-color:var(--danger-border)}
+.banner--alert .banner__icon{color:var(--danger)}
+.banner--alert .banner__title{color:var(--danger)}
+.upstream-region{
+  flex:1;min-height:0;
+  display:flex;flex-direction:column;
+  background:var(--bg);
+}
+.upstream-region__head{
+  flex-shrink:0;
+  max-width:640px;width:100%;margin:0 auto;
+  padding:8px 24px 8px;
+  display:flex;align-items:center;justify-content:space-between;gap:12px;
+}
+.section-label{
+  margin:0;font-size:11px;font-weight:600;
+  text-transform:uppercase;letter-spacing:.07em;
+  color:var(--text-3);
+}
+.section-label__count{color:var(--text-3);font-weight:500;margin-left:4px}
+.upstream-region__scroll{
+  flex:1;min-height:0;
+  overflow-y:auto;
+  overscroll-behavior:contain;
+  scrollbar-width:thin;
+  scrollbar-color:var(--border-strong) transparent;
+}
+.upstream-region__scroll::-webkit-scrollbar{width:8px}
+.upstream-region__scroll::-webkit-scrollbar-track{background:transparent}
+.upstream-region__scroll::-webkit-scrollbar-thumb{background:var(--border-strong);border-radius:4px;border:2px solid var(--bg)}
+.upstream-region__scroll-inner{
+  max-width:640px;margin:0 auto;width:100%;
+  padding:0 24px 24px;
+}
+.upstream-list{
+  display:flex;flex-direction:column;gap:10px;
+  margin:0;padding:0;list-style:none;
+}
+.upstream-card{
+  background:var(--surface);
+  border:1px solid var(--border);
+  border-radius:var(--radius-md);
+  padding:16px;
+  display:flex;flex-direction:column;gap:12px;
+  transition:border-color .12s ease,background .12s ease;
+}
+.upstream-card--needs-action{
+  border-color:var(--warning-border);
+  background:linear-gradient(to bottom,color-mix(in srgb,var(--warning-soft) 70%,var(--surface)),var(--surface) 56px);
+}
+.upstream-card__head{display:flex;align-items:flex-start;gap:12px}
+.icon-frame{
+  flex-shrink:0;width:36px;height:36px;
+  border-radius:var(--radius-md);border:1px solid var(--border);
+  background:var(--surface-2);color:var(--text-3);
+  display:inline-flex;align-items:center;justify-content:center;
+  overflow:hidden;
+}
+.icon-frame img{max-width:100%;max-height:100%;object-fit:contain}
+.icon-frame--fallback svg{width:20px;height:20px}
+.inline-icon{
+  width:14px;height:14px;border-radius:2px;object-fit:contain;
+  vertical-align:-2px;margin-right:4px;
+}
+.upstream-card__main{flex:1;min-width:0;display:flex;flex-direction:column;gap:4px}
+.upstream-card__title-row{
+  display:flex;align-items:center;gap:10px;justify-content:space-between;
+  min-width:0;
+}
+.upstream-card__title{
+  margin:0;font-family:var(--font-heading);
+  font-size:14.5px;font-weight:600;
+  color:var(--text);letter-spacing:-.005em;line-height:1.3;
+  overflow:hidden;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;
+}
+.upstream-card__meta{
+  display:flex;align-items:center;gap:6px;flex-wrap:wrap;
+  font-size:12px;color:var(--text-3);
+}
+.upstream-card__host{
+  font-family:var(--font-mono);font-size:11.5px;
+  background:var(--surface-2);color:var(--text-2);
+  padding:1px 6px;border-radius:var(--radius);
+}
+.upstream-card__sep{color:var(--border-strong)}
+.upstream-card__description{
+  margin:4px 0 0;font-size:13px;color:var(--text-2);line-height:1.5;
+}
+.status-badge{
+  display:inline-flex;align-items:center;gap:6px;
+  padding:3px 9px;border-radius:9999px;
+  font-size:11.5px;font-weight:600;letter-spacing:.005em;
+  white-space:nowrap;border:1px solid transparent;
+  flex-shrink:0;
+}
+.status-badge::before{
+  content:"";width:6px;height:6px;border-radius:50%;
+  background:currentColor;flex-shrink:0;
+}
+.status-badge--success{
+  background:var(--success-soft);color:var(--success);
+  border-color:var(--success-border);
+}
+.status-badge--warning{
+  background:var(--warning-soft);color:var(--warning);
+  border-color:var(--warning-border);
+}
+.status-badge--neutral{
+  background:var(--surface-2);color:var(--text-2);
+  border-color:var(--border);
+}
+.upstream-card__capabilities{
+  border-top:1px solid var(--border);
+  padding-top:12px;
+}
+.upstream-card__capabilities--empty{
+  font-size:12.5px;color:var(--text-3);font-style:italic;
+}
+.capabilities-summary,.scopes-summary{
+  display:flex;align-items:center;justify-content:space-between;
+  gap:12px;cursor:pointer;list-style:none;user-select:none;
+  font-size:13px;color:var(--text-2);
+  padding:2px 0;
+}
+.capabilities-summary::-webkit-details-marker,
+.scopes-summary::-webkit-details-marker{display:none}
+.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}
+.capabilities-summary:focus-visible,.scopes-summary:focus-visible{
+  outline:2px solid var(--brand);outline-offset:2px;border-radius:var(--radius);
+}
+.capabilities-summary__counts{
+  display:flex;gap:14px;align-items:center;flex-wrap:wrap;
+}
+.count-pill{
+  display:inline-flex;align-items:baseline;gap:4px;
+  font-size:12.5px;color:var(--text-2);
+}
+.count-pill__num{
+  font-weight:600;font-variant-numeric:tabular-nums;
+  color:var(--text);font-size:13px;
+}
+.count-pill--destructive .count-pill__num{color:var(--danger)}
+.count-pill--destructive .count-pill__label{color:var(--danger)}
+.capabilities-summary__chevron{
+  color:var(--text-3);transition:transform .15s ease;
+  display:inline-flex;flex-shrink:0;
+}
+details[open] > .capabilities-summary .capabilities-summary__chevron,
+details[open] > .scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}
+.capabilities-detail{margin-top:12px}
+.capability-section{margin-top:16px}
+.capability-section:first-child{margin-top:8px}
+.capability-section__title{
+  margin:0 0 6px;font-size:11px;font-weight:600;
+  text-transform:uppercase;letter-spacing:.07em;
+  color:var(--text-3);
+}
+.capability-list{
+  list-style:none;margin:0;padding:0;
+  display:flex;flex-direction:column;gap:6px;font-size:13px;
+}
+.capability-row{
+  display:flex;flex-wrap:wrap;align-items:baseline;gap:6px;
+  padding:3px 0;
+}
+.capability-row__name{
+  font-weight:500;font-family:var(--font-mono);
+  font-size:12.5px;color:var(--text);
+}
+.capability-row__description{
+  color:var(--text-3);font-size:12.5px;
+  flex-basis:100%;line-height:1.45;
+}
+.capability-row__description code{
+  font-family:var(--font-mono);background:var(--surface-2);
+  padding:1px 4px;border-radius:var(--radius);color:var(--text-2);
+}
+.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}
+.upstream-card__scopes{
+  border-top:1px solid var(--border);padding-top:12px;
+}
+.scopes-list{
+  display:flex;flex-wrap:wrap;gap:5px;margin-top:10px;
+}
+.scope-chip{
+  font-family:var(--font-mono);font-size:11.5px;
+  background:var(--surface-2);color:var(--text-2);
+  padding:2px 7px;border-radius:var(--radius);
+  border:1px solid var(--border);
+}
+.badge{
+  display:inline-flex;align-items:center;
+  border-radius:var(--radius);padding:1px 5px;
+  font-size:10px;font-weight:600;letter-spacing:.04em;
+  text-transform:uppercase;
+}
+.badge--destructive{background:var(--danger-soft);color:var(--danger)}
+.badge--muted{background:var(--surface-2);color:var(--text-3)}
+.badge-row{display:inline-flex;gap:4px;flex-wrap:wrap}
+.muted{color:var(--text-3)}
+.button{
+  font:inherit;font-weight:500;font-size:14px;
+  padding:9px 16px;border-radius:var(--radius);
+  border:1px solid transparent;cursor:pointer;
+  text-decoration:none;
+  display:inline-flex;align-items:center;justify-content:center;gap:6px;
+  white-space:nowrap;
+  transition:background .12s ease,border-color .12s ease,color .12s ease,box-shadow .12s ease,transform .04s ease;
+}
+.button:active{transform:translateY(1px)}
+.button--small{font-size:13px;padding:6px 12px}
+.button--primary{
+  background:var(--brand);color:#ffffff;
+  border-color:var(--brand);
+}
+.button--primary:hover{background:var(--brand-strong);border-color:var(--brand-strong)}
+.button--primary:focus-visible{
+  outline:0;
+  box-shadow:0 0 0 3px var(--brand-ring);
+}
+.button--secondary{
+  background:var(--surface);color:var(--text);
+  border-color:var(--border-strong);
+}
+.button--secondary:hover{background:var(--surface-2)}
+.button--secondary:focus-visible{
+  outline:0;
+  box-shadow:0 0 0 3px var(--brand-ring);
+  border-color:var(--brand);
+}
+.action-bar{
+  flex-shrink:0;
+  background:var(--surface);
+  border-top:1px solid var(--border);
+}
+.action-bar__inner{
+  max-width:640px;margin:0 auto;
+  display:flex;align-items:center;justify-content:space-between;gap:16px;
+  padding:12px max(24px,env(safe-area-inset-right)) max(12px,env(safe-area-inset-bottom)) max(24px,env(safe-area-inset-left));
+}
+.fineprint{
+  margin:0;flex:1;color:var(--text-3);font-size:12px;
+  line-height:1.45;display:flex;align-items:center;gap:6px;
+}
+.fineprint__icon{
+  flex-shrink:0;display:inline-flex;color:var(--text-3);
+}
+.fineprint strong{color:var(--text-2);font-weight:600}
+.actions{display:flex;gap:8px;margin:0;flex-shrink:0}
+.empty{
+  text-align:center;padding:32px 24px;
+  color:var(--text-3);font-size:13.5px;
+  border:1px dashed var(--border);border-radius:var(--radius-md);
+  background:var(--surface);
+}
+@media (max-width:600px){
+  .topbar__inner{padding:12px 16px}
+  .principal{font-size:11.5px;max-width:160px;padding:3px 8px}
+  .static-top__inner{padding:24px 16px 12px;gap:14px}
+  .upstream-region__head{padding:6px 16px}
+  .upstream-region__scroll-inner{padding:0 16px 20px}
+  .hero__title{font-size:24px}
+  .hero__connection{font-size:14px;gap:6px}
+  .upstream-card{padding:14px}
+  .action-bar__inner{flex-direction:column;align-items:stretch;gap:10px;padding:12px 16px max(12px,env(safe-area-inset-bottom))}
+  .actions{flex-direction:column-reverse;width:100%}
+  .button{width:100%;padding:11px 16px}
+  .fineprint{justify-content:center;text-align:center;font-size:11.5px}
+}
+@media (prefers-reduced-motion: reduce){
+  *{transition:none!important}
+}
+`,pU=pt(lU);function Al(e){let t=cU(e.upstreams),r=[...e.upstreams].sort((m,h)=>{let _=o(y=>y.ownerMode!=="user"?2:y.status==="active"?1:0,"blockedRank"),w=_(m)-_(h);return w!==0?w:m.upstreamDisplayName.localeCompare(h.upstreamDisplayName)}),n=e.principalLabel?k`<span class="principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`:me,a=e.virtualServerDescription?k`<p class="hero__description">${e.virtualServerDescription}</p>`:me,s=di(e.virtualServerIcons,e.virtualServerDisplayName),i=uU({mode:t,upstreams:r,clientDisplayName:e.clientDisplayName}),c=r.length===0?k`<div class="empty">This virtual server does not declare any upstream services.</div>`:k`<ul class="upstream-list">${r.map(m=>k`<li>${sU(m,e.gatewayOrigin)}</li>`)}</ul>`,d=dU({mode:t,state:e.state}),p=t==="grant"?k`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${qy}</span><span><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.virtualServerDisplayName}</strong>. You can revoke access at any time.</span></p>`:k`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${qy}</span><span>Authorization continues automatically once every required service is connected.</span></p>`,l=r.length>0?k`<span class="section-label__count">(${r.length})</span>`:me;return Lt(k`<!doctype html><html lang="en"><head><meta charset="utf-8"><title>Authorize MCP access · ${e.virtualServerDisplayName}</title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="referrer" content="no-referrer"><meta name="robots" content="noindex"><style>${pU}</style></head><body><header class="topbar"><div class="topbar__inner"><div class="brand"><span class="brand__mark" aria-hidden="true">Z</span><span class="brand__name">Zuplo MCP Gateway</span></div>${n}</div></header><main class="shell-main"><div class="static-top"><div class="static-top__inner"><section class="hero"><h1 class="hero__title">Authorize access</h1><p class="hero__connection"><span class="hero__client">${e.clientDisplayName}</span><span class="hero__arrow" aria-label="will access">→</span><span class="hero__server">${s}${e.virtualServerDisplayName}</span></p>${a}</section>${i}</div></div><section class="upstream-region" aria-labelledby="upstreams-heading"><div class="upstream-region__head"><h2 id="upstreams-heading" class="section-label">Upstream services${l}</h2></div><div class="upstream-region__scroll"><div class="upstream-region__scroll-inner">${c}</div></div></section></main><div class="action-bar" role="region" aria-label="Authorization decision"><div class="action-bar__inner">${p}${d}</div></div></body></html>`)}o(Al,"renderConsentPage");function mU(e){try{return new URL(e).host}catch{return}}o(mU,"safeUrlHost");function fU(e){if(e.mode==="user_oauth"||e.mode==="tenant_shared_oauth")return e.oauth.scopes}o(fU,"readOAuthScopes");function Pl(e){return e!==void 0&&e.length>0}o(Pl,"hasItems");async function hU(e){return H().upstreamConnectionRepository.get(e.userOwner,e.registeredConnection.upstreamServerId,e.registeredConnection.authProfileId)}o(hU,"readUserConnection");function gU(e){let t=e.registeredConnection.config.serverInfo?.icons;if(Pl(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&Pl(r)?r:void 0}o(gU,"readServerIcons");async function _U(e){if(!(e.returnTo===void 0||!e.isUserOwned))return $d({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(_U,"readConnectUrl");function Mr(e,t){return t===void 0?{}:{[e]:t}}o(Mr,"optionalRequirementField");function yU(e){return e.isUserOwned?_g(e.connection):{connected:!0,status:"active"}}o(yU,"readSetupConnectionStatus");function wU(e){let t=fU(e);return Pl(t)?t:void 0}o(wU,"readScopesRequested");function SU(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(SU,"readUpdatedAt");function vU(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(ms),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(fs),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(hs)}}o(vU,"readVirtualServerCapabilities");async function bU(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:s}=e.registeredConnection,i=Td(r),c=i==="user",d=yU({connection:e.connection,isUserOwned:c}),p=await _U({...e,connected:d.connected,isUserOwned:c});return{upstreamServerId:a,authProfileId:s,authMode:r,ownerMode:i,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:vU({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...Mr("description",n.description),...Mr("transportHost",mU(n.transport.baseUrl)),...Mr("scopesRequested",wU(t)),...Mr("serverIcons",gU({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...Mr("connectUrl",p),...Mr("updatedAt",SU({connectionStatus:d,isUserOwned:c})),...Mr("expiresAt",e.connection?.expiresAt)}}o(bU,"buildSetupRequirement");function Gy(e){let t=tt().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(Gy,"requireVirtualServer");async function xl(e){let t=Gy(e.transaction.virtualServerId),r=ur(e.transaction.principal.tenantId,e.transaction.principal.subjectId),n=[];for(let a of t.connections){let s=Td(a.authMode)==="user";n.push(await bU({connection:s?await hU({registeredConnection:a,userOwner:r}):void 0,registeredConnection:a,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return n}o(xl,"requirementsForSetup");function RU(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(RU,"readVirtualServerDisplayName");async function kl(e){let t=e.repository??H().downstreamOAuthRepository,r=Gy(e.transaction.virtualServerId),n=RU({virtualServer:r}),a=await t.getDcrClient(e.transaction.clientId),s={gatewayOrigin:Q(e.requestUrl),virtualServerDisplayName:n,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:`${e.transaction.principal.subjectId} \xB7 ${e.transaction.principal.tenantId}`},i=r.serverInfo?.title;return i!==void 0&&i!==n&&(s.virtualServerDescription=i),s}o(kl,"consentContext");function By(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(By,"hasUnresolvedUserUpstream");var IU=["mcp_user"],TU="dev-browser-user",CU=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),EU=u.object({response_type:u.literal("code"),client_id:u.string().min(1),redirect_uri:u.string().min(1),resource:u.url(),code_challenge:u.string().min(43),code_challenge_method:hn,state:u.string().min(1).optional(),scope:u.literal(oe).default(oe)}),AU=u.enum(["continue","approve","cancel"]).default("continue"),PU=u.object({state:u.string().min(1),decision:AU}),xU=u.object({state:u.string().min(1),apiKey:u.string().min(1)}),Dr=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function Vy(e){return typeof e=="string"&&e.length>0?e:void 0}o(Vy,"readQueryString");function kU(e,t){let r=Vy(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new z("invalid_target",CU)}let n=Eo(t,e.url);if(r===void 0||r===n)return n;throw new z("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(kU,"requireAuthorizeResource");async function OU(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ri(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let s=gy(e);return{principal:s,setCookie:await Jo({principal:s,requestUrl:e.url,virtualServerId:t})}}o(OU,"resolveBrowserPrincipal");async function UU(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ri(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(UU,"requireSetupPrincipal");async function Fy(e){let t=await xl({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await kl({transaction:e.transaction,requestUrl:e.requestUrl,...e.repository===void 0?{}:{repository:e.repository}}),n={kind:"setup_page",html:Al({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(Fy,"renderSetup");async function Ol(e,t={}){let r=EU.parse({...e.query,resource:kU(e,t.virtualServerId),state:Vy(e.query.state)}),n=Qo(r.scope);Yo(r.redirect_uri);let a=H().downstreamOAuthRepository,s=new Date,i=await Xo(a,r.client_id,s);ci(i,r.redirect_uri);try{let c=xn(e.url,r.resource);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i.clientId,virtualServerId:c.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved");let d={clientId:i.clientId,redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:c.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:p,setCookie:l}=await OU(e,c.virtualServerId,t.context);if(!p){let h=await xy({transaction:d,requestUrl:e.url,now:s,repository:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i.clientId,virtualServerId:c.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let _={kind:"redirect",location:h.browserLoginUrl};return l!==void 0&&(_.setCookie=l),_}let m=await ky({transaction:d,principal:p,now:s,repository:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i.clientId,virtualServerId:c.virtualServerId,tenantId:p.tenantId,subjectId:p.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),Fy({transaction:m.transaction,csrfToken:m.csrfToken,requestUrl:e.url,repository:a,setCookie:l})}catch(c){throw NU({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}o(Ol,"authorizeDownstreamClient");function NU(e){if(e.cause instanceof Dr)return e.cause;let t=$U(e.cause);return t?new Dr({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(NU,"toDownstreamAuthorizeRedirectError");function $U(e){if(e instanceof z)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof u.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o($U,"mapToOAuthRedirectError");async function Zy(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let l=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...l===void 0?{}:{idpErrorDescription:l},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",l??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await si(n),s={request:e,stateId:a.stateId};t.context!==void 0&&(s.context=t.context);let i=await yy(s),c=H().downstreamOAuthRepository,d=await vl({browserLoginStateToken:n,principal:i,repository:c}),p=await Fy({transaction:d.transaction,csrfToken:d.csrfToken,requestUrl:e.url,repository:c});return p.setCookie=await Jo({principal:i,requestUrl:e.url,virtualServerId:d.transaction.virtualServerId}),p}o(Zy,"completeBrowserLoginCallback");async function Ky(e){let t=_e();if(!t.devTenantId)throw g("authentication_required","Local browser login requires the `devTenantId` policy option on mcp-oauth-inbound.");let r=new URL(e.url);if(!Ue(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",Q(e.url)),s=new URL(Q(e.url)).origin;if(a.origin!==s||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let i={subjectId:le.parse(TU),tenantId:$e.parse(t.devTenantId),roles:IU};return{kind:"redirect",location:a,setCookie:await Jo({principal:i,requestUrl:e.url})}}o(Ky,"completeLocalDevBrowserLogin");async function Wy(e){let t=xU.parse(e.body),r=H().downstreamOAuthRepository,n=await Oy({browserLoginStateToken:t.state,repository:r}),a=await _y({apiKey:t.apiKey,virtualServerId:n.virtualServerId}),s=await vl({browserLoginStateToken:t.state,principal:a,repository:r});await x_({apiKey:t.apiKey,principal:a,virtualServerId:s.transaction.virtualServerId});let i=new URL("/oauth/setup",lt(e.request.url));return i.searchParams.set("state",s.csrfToken),{kind:"redirect",location:i,setCookie:await Jo({principal:a,requestUrl:e.request.url,virtualServerId:s.transaction.virtualServerId})}}o(Wy,"completeApiKeyBrowserLogin");function zU(e){let t=e.method==="POST"?e.body:e.query;return PU.parse(t)}o(zU,"readSetupContinueRequest");async function Jy(e){let{state:t,decision:r}=zU({method:e.request.method,query:e.request.query,body:e.body}),n=H().downstreamOAuthRepository,a=new Date,s=await Rl({csrfToken:t,now:a,repository:n}),i=await UU(e.request,s.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await $y({csrfToken:t,currentBrowserPrincipal:i,now:a,repository:n})};let c=await bl({csrfToken:t,currentBrowserPrincipal:i,now:a,repository:n}),d=await xl({transaction:c,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||By(d)){let p=await kl({repository:n,transaction:c,requestUrl:e.request.url});return{kind:"setup_page",html:Al({state:t,virtualServerId:c.virtualServerId,upstreams:d,...p})}}return{kind:"redirect",location:await Ny({csrfToken:t,currentBrowserPrincipal:i,now:a,repository:n})}}o(Jy,"continueDownstreamAuthorizeSetup");W();var MU=new Set(["authorization_code","refresh_token"]),DU=u.discriminatedUnion("grant_type",[u.object({grant_type:u.literal("authorization_code"),code:u.string().min(1),redirect_uri:u.string().min(1),client_id:u.string().min(1).optional(),code_verifier:ws,resource:u.url().optional(),scope:u.literal(oe).optional(),client_secret:u.string().min(1).optional()}),u.object({grant_type:u.literal("refresh_token"),refresh_token:u.string().min(1),client_id:u.string().min(1).optional(),resource:u.url().optional(),scope:u.literal(oe).optional(),client_secret:u.string().min(1).optional()})]);function qU(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!MU.has(t)))throw new z("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(qU,"assertSupportedGrantType");var LU=u.object({token:u.string().min(1),client_id:u.string().min(1).optional(),token_type_hint:u.string().optional(),client_secret:u.string().min(1).optional()});function jU(){return _e().gateway.accessTokenTtlSeconds}o(jU,"readAccessTokenTtlSeconds");function HU(){return _e().gateway.refreshTokenTtlSeconds}o(HU,"readRefreshTokenTtlSeconds");async function Yy(e){if(!e.client.hashedClientSecret||!e.clientSecret||e.clientSecretSource!==e.requiredSource)throw new z("invalid_client",e.missingMessage);if(!await J_({value:e.clientSecret,expectedHash:e.client.hashedClientSecret}))throw new z("invalid_client","Client authentication failed.")}o(Yy,"requireClientSecretAuthentication");async function Xy(e){switch(e.client.metadata.token_endpoint_auth_method){case"none":if(e.clientSecret)throw new z("invalid_request","Public clients must not authenticate with client_secret.");return;case"client_secret_basic":await Yy({...e,requiredSource:"basic",missingMessage:"Client authentication with HTTP Basic is required."});return;case"client_secret_post":await Yy({...e,requiredSource:"post",missingMessage:"Client authentication with client_secret_post is required."});return;case"private_key_jwt":throw new z("invalid_client","private_key_jwt client authentication is not supported.")}}o(Xy,"requireClientAuthentication");function Qy(e,t){let r=jU(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:K(ar(e,a)),expiresIn:a}}o(Qy,"calculateAccessTokenExpiresAt");async function GU(e){let t=qt(),r=await ce(t),n=Qy(e.now,e.grant.expiresAt);return await e.repository.saveAccessToken({tokenHash:r,grantId:e.grant.id,clientId:e.grant.clientId,resource:e.grant.resource,virtualServerId:e.grant.virtualServerId,tenantId:e.grant.tenantId,subjectId:e.grant.subjectId,scope:e.grant.scope,roles:e.grant.roles,createdAt:K(e.now),expiresAt:n.expiresAt}),{accessToken:t,expiresIn:n.expiresIn}}o(GU,"issueOpaqueAccessToken");function ew(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new z("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new z("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new z("invalid_client","Malformed HTTP Basic client authentication.")}}o(ew,"readBasicClientSecret");function tw(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new z("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new z("invalid_client","Client authentication or client_id is required.");return t}o(tw,"resolveAuthenticatedClientId");function rw(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new z("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(rw,"resolveClientSecretInput");async function nw(e){qU(e.body);let t=DU.parse(e.body),r=ew(e.authorizationHeader),n=tw({basicClientId:r.clientId,bodyClientId:t.client_id}),a=H().downstreamOAuthRepository,s=new Date,i=await Xo(a,n,s),c=rw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(await Xy({client:i,...c}),t.grant_type==="authorization_code"){Yo(t.redirect_uri),ci(i,t.redirect_uri),Qo(t.scope),t.resource!==void 0&&xn(e.requestUrl??t.resource,t.resource);let w=qt(),y=qt(),S=K(ar(s,HU())),v=Qy(s,S),b=await a.exchangeAuthorizationCode({codeHash:await ce(t.code),clientId:i.clientId,redirectUri:t.redirect_uri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:await Y_(t.code_verifier),currentRefreshTokenHash:await ce(w),accessTokenHash:await ce(y),now:s,grantExpiresAt:S,accessTokenExpiresAt:v.expiresAt});if(b.kind==="resource_mismatch")throw new z("invalid_target","Token request resource must match the authorization code resource.");if(b.kind!=="exchanged")throw new z("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context?.log.info({event:"oauth_token_issued",grantType:"authorization_code",clientId:i.clientId,scope:b.grant.scope,resource:b.grant.resource,expiresInSeconds:v.expiresIn},"OAuth access token issued (authorization_code grant)"),{access_token:y,token_type:"Bearer",expires_in:v.expiresIn,refresh_token:w,scope:b.grant.scope,resource:b.grant.resource}}Qo(t.scope);let d=await ce(t.refresh_token);t.resource!==void 0&&xn(e.requestUrl??t.resource,t.resource);let p=qt(),l=await ce(p),m=await a.rotateRefreshToken({currentTokenHash:d,nextTokenHash:l,clientId:i.clientId,...t.resource===void 0?{}:{resource:t.resource},now:s});if(m.kind==="resource_mismatch")throw new z("invalid_target","Token request resource must match the refresh token grant resource.");if(m.kind!=="rotated")throw new z("invalid_grant","Refresh token is invalid, expired, or revoked.");let h=m.grant;if(h.revokedAt||h.clientId!==i.clientId)throw new z("invalid_grant","Refresh token grant is invalid or revoked.");xn(e.requestUrl??h.resource,h.resource);let _=await GU({repository:a,grant:h,now:s});return e.context?.log.info({event:"oauth_token_refresh_rotated",grantType:"refresh_token",clientId:i.clientId,scope:h.scope,resource:h.resource,expiresInSeconds:_.expiresIn},"OAuth refresh token rotated and access token issued"),{access_token:_.accessToken,token_type:"Bearer",expires_in:_.expiresIn,refresh_token:p,scope:h.scope,resource:h.resource}}o(nw,"exchangeDownstreamToken");async function ow(e){let t=LU.parse(e.body),r=ew(e.authorizationHeader),n=tw({basicClientId:r.clientId,bodyClientId:t.client_id}),a=H().downstreamOAuthRepository,s=await Xo(a,n,new Date),i=rw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});await Xy({client:s,...i});let c=await ce(t.token);await a.revokeOAuthToken({tokenHash:c,clientId:s.clientId,now:new Date}),e.context?.log.info({event:"oauth_token_revoked",clientId:s.clientId,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed")}o(ow,"revokeDownstreamToken");var BU=64*1024,VU=16*1024,FU="text/html; charset=utf-8";function ZU(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(ZU,"formDataToObject");async function KU(e){return ay(e,{maxBytes:BU,label:"Request body"})}o(KU,"readJsonBody");async function li(e){return ZU(await ei(e,{maxBytes:VU,label:"Request body"}))}o(li,"readFormBody");async function pi(e,t,r){let n=ae(r),a=r instanceof u.ZodError?aw(r):r instanceof Error?r.message:void 0,s={code:n??"invalid_request"};return a!==void 0&&(s.detail=a),je(e,t,s)}o(pi,"handleProblem");function ea(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(ea,"oauthErrorResponse");function WU(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(WU,"readOAuthProtocolHeaders");function JU(e,t){let r=Le("internal_server_error");return ea({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:WU(e,t)})}o(JU,"oauthProtocolErrorResponse");function YU(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(YU,"readZodOAuthErrorCode");function XU(e){let t={error:YU(e)},r=aw(e);return r!==void 0&&(t.errorDescription=r),ea(t)}o(XU,"oauthZodErrorResponse");function QU(e){let t=ae(e);if(t===void 0)return;let r=Le(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:tN(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,ea(n)}o(QU,"oauthGatewayProblemResponse");function eN(){let t={error:"server_error",status:500,errorDescription:Le("internal_server_error").publicDetail};return ea(t)}o(eN,"oauthFallbackErrorResponse");function tN(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(tN,"readOAuthStatus");function kn(e,t={}){return e instanceof Dr?rN(e):e instanceof z?JU(e,t):e instanceof u.ZodError?XU(e):QU(e)??eN()}o(kn,"oauthProblemResponse");function Rt(e,t,r){let n={event:t},a=!1;if(r instanceof z)n.oauthError=r.errorCode,n.status=r.status,Re(n,"error",r);else if(r instanceof Dr)n.oauthError=r.errorCode,Re(n,"error",r);else if(r instanceof u.ZodError){n.code="invalid_request",Re(n,"error",r);let s=r.issues[0];s&&(n.zodPath=s.path.join("."))}else{let s=ae(r);if(s!==void 0){let i=Le(s);n.code=s,n.status=i.status,i.oauthError!==void 0&&(n.oauthError=i.oauthError),a=i.status>=500||i.oauthError==="server_error",Re(n,"error",r)}else a=!0,Re(n,"error",r)}if(a){let s=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,s.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(Rt,"logUnexpectedOAuthHandlerError");function rN(e){let t;try{t=new URL(e.redirectUri)}catch{return ea({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(rN,"downstreamAuthorizeRedirectErrorResponse");function aw(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(aw,"formatZodErrorDetail");function nN(e,t){let r={event:"browser_login_callback_failed",code:ae(t)??"invalid_request"};Re(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(nN,"logBrowserLoginCallbackFailure");function Ul(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(Ul,"redirectResultResponse");function mi(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":FU,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Ul(e)}o(mi,"authorizeResultResponse");async function sw(e,t){try{return Response.json(bd(e.url))}catch(r){return Rt(t,"oauth_authorization_server_metadata_failed",r),pi(e,t,r)}}o(sw,"authorizationServerMetadataHandler");async function iw(e,t){try{let r=ge.parse(e.params.virtualServerId),n=bo(r);return Response.json(Fh({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return Rt(t,"oauth_authorization_server_metadata_failed",r),pi(e,t,r)}}o(iw,"scopedAuthorizationServerMetadataHandler");async function cw(e,t){try{let r=await My(await KU(e)),n=r;return t.log.info({event:"oauth_dcr_client_registered",clientId:typeof n.client_id=="string"?n.client_id:void 0,clientName:typeof n.client_name=="string"?n.client_name:void 0,redirectUriCount:Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,tokenEndpointAuthMethod:typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0},"OAuth Dynamic Client Registration completed"),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Rt(t,"oauth_register_failed",r),kn(r)}}o(cw,"registerHandler");async function uw(e,t){try{return mi(await Ol(e,{context:t}))}catch(r){return Rt(t,"oauth_authorize_failed",r),kn(r,{includeInvalidClientChallenge:!1})}}o(uw,"authorizeHandler");async function dw(e,t){try{let r=ge.parse(e.params.virtualServerId),n=bo(r);return mi(await Ol(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return Rt(t,"oauth_authorize_scoped_failed",r),kn(r,{includeInvalidClientChallenge:!1})}}o(dw,"scopedAuthorizeHandler");async function lw(e,t){try{let r=await Zy(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),mi(r)}catch(r){return nN(t,r),pi(e,t,r)}}o(lw,"callbackHandler");async function pw(e,t){try{return Ul(await Ky(e))}catch(r){return Rt(t,"oauth_dev_login_failed",r),kn(r)}}o(pw,"devLoginHandler");async function mw(e,t){try{if(e.method==="GET"){let r=typeof e.query.state=="string"?e.query.state:void 0;return r?uy(r):gl(400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):Ul(await Wy({request:e,body:await li(e)}))}catch(r){return Rt(t,"oauth_api_key_login_failed",r),gl()}}o(mw,"apiKeyLoginHandler");async function fw(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Jy({request:e,body:e.method==="POST"?await li(e):void 0,context:t});return mi(r)}catch(r){return Rt(t,"oauth_setup_failed",r),pi(e,t,r)}}o(fw,"setupHandler");async function hw(e,t){try{return Response.json(await nw({body:await li(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Rt(t,"oauth_token_failed",r),kn(r)}}o(hw,"tokenHandler");async function gw(e,t){try{return await ow({body:await li(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Rt(t,"oauth_revoke_failed",r),kn(r)}}o(gw,"revokeHandler");var oN={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},_w=new Ct("upstream-request");function aN(e){let t=_w.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(aN,"readUpstreamRequestContext");function sN(e,t){return t.some(r=>r===e)}o(sN,"requestContextMatchesKind");function iN(e){return typeof e=="string"?[e]:e}o(iN,"toExpectedKinds");function qr(e,t){_w.set(e,t)}o(qr,"setUpstreamRequestContext");function Lr(e,t){let r=aN(e),n=iN(t);if(!sN(r.kind,n)){let a=oN[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(Lr,"requireUpstreamRequestContext");var cN="text/html; charset=utf-8",uN="none";function yw(e){return k`<!doctype html><html><head><title>${e.title}</title><meta name="viewport" content="width=device-width, initial-scale=1"></head><body data-gateway-error-code="${e.code??uN}"><main><h1>${e.title}</h1><p>${e.body}</p></main></body></html>`}o(yw,"browserResultHtml");function ww(e,t=200){return new Response(Lt(e),{status:t,headers:{"content-type":cN,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(ww,"browserResultResponse");function fi(e){return ww(yw(e))}o(fi,"browserConnectionSuccessResponse");function On(e){let t=sh(e);return ww(yw({title:t.title,body:t.body,code:e}),400)}o(On,"browserConnectionFailureResponse");var dN="text/html; charset=utf-8",lN=16*1024;function pN(e,t=200){return new Response(Lt(e),{status:t,headers:{"content-type":dN,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(pN,"htmlResponse");function mN(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(mN,"safeRedirect");function fN(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(fN,"requireBrowserTicket");function hN(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(hN,"appPasswordTicketMatchesTarget");async function Sw(e){let t=fN(e.browserTicket),r=await Ds(t);if(!hN(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(Sw,"readAppPasswordTarget");function gN(e){let t=jd(e.upstreamServerId,e.authProfileId),r=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,n=t.kind==="basic_auth_app_password"?k`<label for="username">${t.usernameLabel}</label><input id="username" name="username" required autocomplete="username"><label for="appPassword">${t.passwordLabel}</label><input id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:k`<label for="token">${t.label}</label><input id="token" name="token" type="password" required autocomplete="off">`;return pN(k`<!doctype html><html><head><title>Connect upstream</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;margin:0;padding:32px;background:#f8fafc;color:#0f172a}main{max-width:440px;margin:0 auto;background:white;border:1px solid #dbe3ee;border-radius:8px;padding:24px;box-shadow:0 1px 2px rgba(15,23,42,.06)}label{display:block;font-size:14px;font-weight:600;margin:16px 0 6px}input{box-sizing:border-box;width:100%;border:1px solid #b8c3d4;border-radius:6px;padding:10px 12px;font:inherit}button{margin-top:20px;border:0;border-radius:6px;background:#0f172a;color:white;padding:10px 14px;font:inherit;font-weight:600;cursor:pointer}p{color:#475569;line-height:1.5}</style></head><body><main><h1>Connect upstream</h1><p>Enter the per-user credential for this approved upstream. The gateway stores it encrypted and keeps it out of MCP client configuration.</p><form method="post" action="${r}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}">${n}<button type="submit">Connect</button></form></main></body></html>`)}o(gN,"renderCaptureForm");function hi(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(hi,"readRequiredFormValue");function _N(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(_N,"readCaptureFormTargetInput");async function yN(e){return gN(await Sw(_N(e)))}o(yN,"handleCaptureFormRequest");async function wN(e){let t=await ei(e.request,{maxBytes:lN,label:"App password request body"});return{form:t,target:await Sw({upstreamServerId:e.upstreamServerId,browserTicket:hi(t,"browserTicket")})}}o(wN,"readSubmittedAppPasswordTarget");async function SN(e){let t=Sn(e.target.ticket);if(await qs(e.target.ticket),jd(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await Ls({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:hi(e.form,"token")});return}await Kg({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:hi(e.form,"username"),appPassword:hi(e.form,"appPassword")})}o(SN,"saveSubmittedAppPasswordCredential");function vN(e,t){return t.ticket.returnTo?mN(e,t.ticket.returnTo):fi({title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(vN,"appPasswordSuccessResponse");async function bN(e){let t=await wN({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await SN(t),vN(e.request.url,t.target)}o(bN,"handleAppPasswordSubmission");function RN(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(RN,"methodNotAllowedResponse");function IN(e){let t=ae(e);return On(as(t)?t:"oauth_state_invalid")}o(IN,"appPasswordFailureResponse");async function TN(e){switch(e.request.method){case"GET":return yN(e.appPasswordRequest);case"POST":return bN(e);default:return RN()}}o(TN,"handleAppPasswordMethod");async function Nl(e,t){let r=Lr(t,"app_password");try{return await TN({request:e,appPasswordRequest:r})}catch(n){return IN(n)}}o(Nl,"appPasswordHandler");var CN=["callback_authorization_code","callback_provider_error","callback_invalid"];function EN(e){return"cause"in e?e.cause:void 0}o(EN,"readErrorCause");function AN(e){return e.stack?.split(`
+`).slice(1,4).map(t=>t.trim()).join(" | ")}o(AN,"readFirstStackFrame");function vw(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=AN(r))}o(vw,"addErrorAttributes");function PN(e,t){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),He(e,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),On("provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),On("oauth_state_invalid");case"callback_authorization_code":return t}}o(PN,"requireAuthorizationCallbackRequest");function xN(e,t){He(e,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(xN,"emitCallbackReceivedAnalyticsEvent");function kN(e,t){He(e,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o(kN,"emitTokenExchangeSucceededAnalyticsEvent");function ON(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return fi({title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(ON,"buildSuccessfulCallbackResponse");function UN(e){let t={detail:e instanceof Error?e.message:void 0};return vw(t,"error",e),e instanceof Error&&vw(t,"cause",EN(e)),t}o(UN,"buildTokenExchangeFailureAttributes");function NN(e){He(e.context,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:ae(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:UN(e.error)})}o(NN,"emitTokenExchangeFailedAnalyticsEvent");function $N(e){let t=ae(e);return On(as(t)?t:"upstream_token_exchange_failed")}o($N,"tokenExchangeFailureResponse");async function $l(e,t){let r=Lr(t,CN),n=PN(t,r);if(n instanceof Response)return n;xN(t,n);try{let a=await O_({request:e,callbackRequest:n});return kN(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,virtualServerId:a.virtualServerId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),ON(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:ae(a)??"upstream_token_exchange_failed",upstreamServerId:n.upstreamServerId};return Re(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),NN({context:t,callbackRequest:n,error:a}),$N(a)}}o($l,"callbackHandler");function zN(e){let t=ae(e);return t==="unknown_upstream_server"?t:"not_found"}o(zN,"clientMetadataProblemCode");function MN(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(MN,"clientMetadataProblemDetail");async function bw(e,t){let r=Lr(t,"connect"),n=await k_({request:e,connectRequest:r});if(He(t,{eventType:L.MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await vn({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(bw,"connectHandler");async function Rw(e,t){let r=Lr(t,"client_metadata");try{let n=g_(e.url),a=__(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=zN(n),s=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:s},"Failed to serve OAuth client metadata document for upstream connection"),je(e,t,{code:a,detail:MN(n)})}}o(Rw,"oauthClientMetadataHandler");function jt(e){if(typeof e=="string"&&e.length!==0)return e}o(jt,"readOptionalQueryString");function DN(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(DN,"requirePathString");function Iw(e){let t=jt(e);return t?ge.parse(t):void 0}o(Iw,"readOptionalVirtualServerId");function qN(e,t){let r=jt(e);return r?dt.parse(r):pn(t,"user_oauth")}o(qN,"readOptionalAuthProfileId");function LN(e){let t=Iw(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(LN,"readRequiredVirtualServerId");function jN(e){let t=jt(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(jN,"readOptionalBrowserTicket");function HN(e){let t=As(jt(e));return t===void 0?{}:{returnTo:t}}o(HN,"readOptionalReturnTo");function GN(e){let t=Iw(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(GN,"readOptionalVirtualServerIdContext");function BN(e){let t=jt(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(BN,"readOptionalProviderErrorDescription");function VN(e){let t=vt(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(VN,"requireConnectableRouteAuth");function FN(e,t,r,n){let a=Qs(e,t);if(a.ownerMode==="none"||a.authMode==="tenant_static_secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(FN,"buildConnectContextForPrincipal");function ZN(e,t,r){let n=Sn(t),a=vt(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(ZN,"buildConnectContextForTicket");async function KN(e,t){let r=VN(ty(t,LN(e.query.virtualServerId))),n=e.query.redirect==="true",a=jt(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let i=gn(e.user,e.url);return FN(r,i,n,HN(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let s=await Ds(a);if(s.ownerMode!==r.ownerMode||s.upstreamServerId!==r.upstreamServerId||s.authProfileId!==r.authProfileId||s.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await qs(s),ZN(r,s,n)}o(KN,"resolveConnectContext");async function WN(e,t,r){let n=ut.parse(DN(e,"connection"));switch(r){case"connect":qr(t,await KN(e,n));return;case"app_password":qr(t,{kind:"app_password",upstreamServerId:n,...GN(e),...jN(e)});return;case"callback":{let a=jt(e.query.error);if(a){qr(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...BN(e)});return}let s=jt(e.query.code),i=jt(e.query.state);if(s&&i){qr(t,{kind:"callback_authorization_code",upstreamServerId:n,code:s,state:i});return}qr(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":qr(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:qN(e.query.authProfileId,n)});return}}o(WN,"resolveUpstreamRequestInbound");async function JN(e,t,r){try{await WN(e,t,r);return}catch(n){let a=ae(n);if(!a)throw n;let s=n instanceof Error?n.message:void 0;return je(e,t,{code:a,...s===void 0?{}:{detail:s}})}}o(JN,"applyUpstreamRequestContext");function ta(e,t){return o(async(n,a)=>{let s=await JN(n,a,e);return s||t(n,a)},"wrapped")}o(ta,"withUpstreamRequestContext");var YN={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function XN(){return new Response(null,{status:204,headers:YN})}o(XN,"buildWellKnownPreflightResponse");function QN(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(QN,"withWellKnownCorsHeaders");function zl(e){return async(t,r)=>t.method==="OPTIONS"?XN():QN(await e(t,r))}o(zl,"wrapWellKnownHandler");var e$=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:zl(sw)},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:zl(iw)},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:zl(Zh)},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:cw},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:uw},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:dw},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:lw},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:pw},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:mw},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:fw},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:hw},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:gw},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ta("client_metadata",Rw)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ta("connect",bw)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ta("callback",$l)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:ta("app_password",Nl)}];function Tw(e){if(e)return e.find(t=>ds(t.policyType))}o(Tw,"findMcpOAuthPolicy");function Cw(e){return Tw(e)!==void 0}o(Cw,"shouldRegisterMcpGatewayInternalRoutes");function t$(e){let t=td(e.policyType);if(!t){let r=rd();throw new Tt(`MCP gateway: unknown MCP authorization policy type '${String(e.policyType)}'. Registered policy types: ${r.length>0?r.join(", "):"<none>"}.`)}try{return t.getConfig(e.handler.options)}catch(r){throw r instanceof u.ZodError?new Tt(r$(e.name??e.policyType,r),{cause:r}):r}}o(t$,"resolveOAuthConfigFromPolicy");function r$(e,t){let r=t.issues.map(n=>`  - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
+`);return`MCP OAuth policy "${e}" is misconfigured. Missing/invalid options:
+${r}`}o(r$,"formatPolicyConfigError");function Ew(e){let t=Tw(e.policies);if(!t){let r=rd(),n=r.length>0?`Add one of [${r.map(a=>`\`${a}\``).join(", ")}] and reference it on your MCP routes.`:"Register an MCP authorization policy descriptor and reference it on your MCP routes.";throw new Tt(`MCP gateway: could not find an MCP authorization policy in policies.json. ${n}`)}Dh(t$(t)),wh(yh({routes:e.routes,policies:e.policies}))}o(Ew,"initializeMcpGatewayState");function n$(e,t){return async(r,n)=>{let a=n,s=r.method==="OPTIONS",i=Date.now();s||a.log.info({event:`${e}_received`,method:r.method},`MCP gateway: ${e} received`);try{let c=await t(r,n);return s||a.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-i},`MCP gateway: ${e} responded`),c}catch(c){let d={event:`${e}_threw`,durationMs:Date.now()-i};throw Re(d,"err",c),a.log.error(d,`MCP gateway: ${e} threw`),c}}}o(n$,"wrapInternalHandler");function Aw(e){for(let t of e$){let r=n$(t.routeName,t.handler),n=o((a,s)=>r(a,s),"handler");e.addPluginRoute({path:t.path,methods:t.methods,handler:n,processors:[wi],corsPolicy:"none"})}}o(Aw,"registerMcpGatewayInternalRoutes");var Ml=class extends jl{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;r&&Cw(r.policies)&&(Ew({routes:r.routes,policies:r.policies}),Aw(t.router))}};export{UO as McpAuth0OAuthInboundPolicy,Ml as McpGatewayPlugin,zO as McpOAuthInboundPolicy,LO as McpUpstreamConnectionInboundPolicy,mO as McpVirtualServerHandler};
+//# sourceMappingURL=index.js.map