@zuplo/runtime 6.70.10 → 6.70.12

package/out/esm/mcp-gateway/index.js

@@ -22,14 +22,14 @@
  *  DEALINGS IN THE SOFTWARE.
  *--------------------------------------------------------------------------------------------*/
     
-import{$ as pe,H as Sp,I as Ms,J as Jw,K as wp,L as h,M as vp,N as K,O as te,P as Rp,Q as bp,R as fe,S as b,T as I,U as we,V as ce,W as qs,X as $s,Y as oe,Z as Xe,_ as E,a as Wt,aa as Ip,b as _p,ba as Ls,ca as Cp,da as Tp,ea as c,fa as X,j as Vn,k as yp,q as Ds,z as Ut}from"../chunk-PG5BJ2JU.js";import{d as Fn}from"../chunk-BHMDFTZV.js";import{a as H}from"../chunk-ZJ5LRHNO.js";import{U as ya,V as et,W as gp,a as o,c as T,e as fp}from"../chunk-FFHHHNST.js";var io=T(W=>{"use strict";Object.defineProperty(W,"__esModule",{value:!0});W.regexpCode=W.getEsmExportName=W.getProperty=W.safeStringify=W.stringify=W.strConcat=W.addCodeArg=W.str=W._=W.nil=W._Code=W.Name=W.IDENTIFIER=W._CodeOrName=void 0;var oo=class{static{o(this,"_CodeOrName")}};W._CodeOrName=oo;W.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var Rr=class extends oo{static{o(this,"Name")}constructor(t){if(super(),!W.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};W.Name=Rr;var nt=class extends oo{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof Rr&&(r[n.str]=(r[n.str]||0)+1),r),{})}};W._Code=nt;W.nil=new nt("");function Bp(e,...t){let r=[e[0]],n=0;for(;n<t.length;)wc(r,t[n]),r.push(e[++n]);return new nt(r)}o(Bp,"_");W._=Bp;var Sc=new nt("+");function Vp(e,...t){let r=[ao(e[0])],n=0;for(;n<t.length;)r.push(Sc),wc(r,t[n]),r.push(Sc,ao(e[++n]));return vR(r),new nt(r)}o(Vp,"str");W.str=Vp;function wc(e,t){t instanceof nt?e.push(...t._items):t instanceof Rr?e.push(t):e.push(IR(t))}o(wc,"addCodeArg");W.addCodeArg=wc;function vR(e){let t=1;for(;t<e.length-1;){if(e[t]===Sc){let r=RR(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(vR,"optimize");function RR(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof Rr||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof Rr))return`"${e}${t.slice(1)}`}o(RR,"mergeExprItems");function bR(e,t){return t.emptyStr()?e:e.emptyStr()?t:Vp`${e}${t}`}o(bR,"strConcat");W.strConcat=bR;function IR(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:ao(Array.isArray(e)?e.join(","):e)}o(IR,"interpolate");function CR(e){return new nt(ao(e))}o(CR,"stringify");W.stringify=CR;function ao(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(ao,"safeStringify");W.safeStringify=ao;function TR(e){return typeof e=="string"&&W.IDENTIFIER.test(e)?new nt(`.${e}`):Bp`[${e}]`}o(TR,"getProperty");W.getProperty=TR;function AR(e){if(typeof e=="string"&&W.IDENTIFIER.test(e))return new nt(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(AR,"getEsmExportName");W.getEsmExportName=AR;function kR(e){return new nt(e.toString())}o(kR,"regexpCode");W.regexpCode=kR});var bc=T(Ge=>{"use strict";Object.defineProperty(Ge,"__esModule",{value:!0});Ge.ValueScope=Ge.ValueScopeName=Ge.Scope=Ge.varKinds=Ge.UsedValueState=void 0;var He=io(),vc=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},za;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(za||(Ge.UsedValueState=za={}));Ge.varKinds={const:new He.Name("const"),let:new He.Name("let"),var:new He.Name("var")};var Na=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof He.Name?t:this.name(t)}name(t){return new He.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};Ge.Scope=Na;var Da=class extends He.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,He._)`.${new He.Name(r)}[${n}]`}};Ge.ValueScopeName=Da;var ER=(0,He._)`\n`,Rc=class extends Na{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?ER:He.nil}}get(){return this._scope}name(t){return new Da(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:i}=a,s=(n=r.key)!==null&&n!==void 0?n:r.ref,u=this._values[i];if(u){let p=u.get(s);if(p)return p}else u=this._values[i]=new Map;u.set(s,a);let d=this._scope[i]||(this._scope[i]=[]),l=d.length;return d[l]=r.ref,a.setValue(r,{property:i,itemIndex:l}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,He._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let i=He.nil;for(let s in t){let u=t[s];if(!u)continue;let d=n[s]=n[s]||new Map;u.forEach(l=>{if(d.has(l))return;d.set(l,za.Started);let p=r(l);if(p){let m=this.opts.es5?Ge.varKinds.var:Ge.varKinds.const;i=(0,He._)`${i}${m} ${l} = ${p};${this.opts._n}`}else if(p=a?.(l))i=(0,He._)`${i}${p}${this.opts._n}`;else throw new vc(l);d.set(l,za.Completed)})}return i}};Ge.ValueScope=Rc});var L=T(j=>{"use strict";Object.defineProperty(j,"__esModule",{value:!0});j.or=j.and=j.not=j.CodeGen=j.operators=j.varKinds=j.ValueScopeName=j.ValueScope=j.Scope=j.Name=j.regexpCode=j.stringify=j.getProperty=j.nil=j.strConcat=j.str=j._=void 0;var B=io(),lt=bc(),or=io();Object.defineProperty(j,"_",{enumerable:!0,get:o(function(){return or._},"get")});Object.defineProperty(j,"str",{enumerable:!0,get:o(function(){return or.str},"get")});Object.defineProperty(j,"strConcat",{enumerable:!0,get:o(function(){return or.strConcat},"get")});Object.defineProperty(j,"nil",{enumerable:!0,get:o(function(){return or.nil},"get")});Object.defineProperty(j,"getProperty",{enumerable:!0,get:o(function(){return or.getProperty},"get")});Object.defineProperty(j,"stringify",{enumerable:!0,get:o(function(){return or.stringify},"get")});Object.defineProperty(j,"regexpCode",{enumerable:!0,get:o(function(){return or.regexpCode},"get")});Object.defineProperty(j,"Name",{enumerable:!0,get:o(function(){return or.Name},"get")});var La=bc();Object.defineProperty(j,"Scope",{enumerable:!0,get:o(function(){return La.Scope},"get")});Object.defineProperty(j,"ValueScope",{enumerable:!0,get:o(function(){return La.ValueScope},"get")});Object.defineProperty(j,"ValueScopeName",{enumerable:!0,get:o(function(){return La.ValueScopeName},"get")});Object.defineProperty(j,"varKinds",{enumerable:!0,get:o(function(){return La.varKinds},"get")});j.operators={GT:new B._Code(">"),GTE:new B._Code(">="),LT:new B._Code("<"),LTE:new B._Code("<="),EQ:new B._Code("==="),NEQ:new B._Code("!=="),NOT:new B._Code("!"),OR:new B._Code("||"),AND:new B._Code("&&"),ADD:new B._Code("+")};var Mt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},Ic=class extends Mt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?lt.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=nn(this.rhs,t,r)),this}get names(){return this.rhs instanceof B._CodeOrName?this.rhs.names:{}}},Ma=class extends Mt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof B.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=nn(this.rhs,t,r),this}get names(){let t=this.lhs instanceof B.Name?{}:{...this.lhs.names};return $a(t,this.rhs)}},Cc=class extends Ma{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},Tc=class extends Mt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},Ac=class extends Mt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},kc=class extends Mt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},Ec=class extends Mt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=nn(this.code,t,r),this}get names(){return this.code instanceof B._CodeOrName?this.code.names:{}}},so=class extends Mt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let i=n[a];i.optimizeNames(t,r)||(PR(t,i.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>Cr(t,r.names),{})}},qt=class extends so{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},Pc=class extends so{static{o(this,"Root")}},rn=class extends qt{static{o(this,"Else")}};rn.kind="else";var br=class e extends qt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new rn(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(Fp(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=nn(this.condition,t,r),this}get names(){let t=super.names;return $a(t,this.condition),this.else&&Cr(t,this.else.names),t}};br.kind="if";var Ir=class extends qt{static{o(this,"For")}};Ir.kind="for";var xc=class extends Ir{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=nn(this.iteration,t,r),this}get names(){return Cr(super.names,this.iteration.names)}},Oc=class extends Ir{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?lt.varKinds.var:this.varKind,{name:n,from:a,to:i}=this;return`for(${r} ${n}=${a}; ${n}<${i}; ${n}++)`+super.render(t)}get names(){let t=$a(super.names,this.from);return $a(t,this.to)}},qa=class extends Ir{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=nn(this.iterable,t,r),this}get names(){return Cr(super.names,this.iterable.names)}},co=class extends qt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};co.kind="func";var uo=class extends so{static{o(this,"Return")}render(t){return"return "+super.render(t)}};uo.kind="return";var Uc=class extends qt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&Cr(t,this.catch.names),this.finally&&Cr(t,this.finally.names),t}},lo=class extends qt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};lo.kind="catch";var po=class extends qt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};po.kind="finally";var zc=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
-`:""},this._extScope=t,this._scope=new lt.Scope({parent:t}),this._nodes=[new Pc]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let i=this._scope.toName(r);return n!==void 0&&a&&(this._constants[i.str]=n),this._leafNode(new Ic(t,i,n)),i}const(t,r,n){return this._def(lt.varKinds.const,t,r,n)}let(t,r,n){return this._def(lt.varKinds.let,t,r,n)}var(t,r,n){return this._def(lt.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new Ma(t,r,n))}add(t,r){return this._leafNode(new Cc(t,j.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==B.nil&&this._leafNode(new Ec(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,B.addCodeArg)(r,a));return r.push("}"),new B._Code(r)}if(t,r,n){if(this._blockNode(new br(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new br(t))}else(){return this._elseNode(new rn)}endIf(){return this._endBlockNode(br,rn)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new xc(t),r)}forRange(t,r,n,a,i=this.opts.es5?lt.varKinds.var:lt.varKinds.let){let s=this._scope.toName(t);return this._for(new Oc(i,s,r,n),()=>a(s))}forOf(t,r,n,a=lt.varKinds.const){let i=this._scope.toName(t);if(this.opts.es5){let s=r instanceof B.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,B._)`${s}.length`,u=>{this.var(i,(0,B._)`${s}[${u}]`),n(i)})}return this._for(new qa("of",a,i,r),()=>n(i))}forIn(t,r,n,a=this.opts.es5?lt.varKinds.var:lt.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,B._)`Object.keys(${r})`,n);let i=this._scope.toName(t);return this._for(new qa("in",a,i,r),()=>n(i))}endFor(){return this._endBlockNode(Ir)}label(t){return this._leafNode(new Tc(t))}break(t){return this._leafNode(new Ac(t))}return(t){let r=new uo;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(uo)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new Uc;if(this._blockNode(a),this.code(t),r){let i=this.name("e");this._currNode=a.catch=new lo(i),r(i)}return n&&(this._currNode=a.finally=new po,this.code(n)),this._endBlockNode(lo,po)}throw(t){return this._leafNode(new kc(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=B.nil,n,a){return this._blockNode(new co(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(co)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof br))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};j.CodeGen=zc;function Cr(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(Cr,"addNames");function $a(e,t){return t instanceof B._CodeOrName?Cr(e,t.names):e}o($a,"addExprNames");function nn(e,t,r){if(e instanceof B.Name)return n(e);if(!a(e))return e;return new B._Code(e._items.reduce((i,s)=>(s instanceof B.Name&&(s=n(s)),s instanceof B._Code?i.push(...s._items):i.push(s),i),[]));function n(i){let s=r[i.str];return s===void 0||t[i.str]!==1?i:(delete t[i.str],s)}function a(i){return i instanceof B._Code&&i._items.some(s=>s instanceof B.Name&&t[s.str]===1&&r[s.str]!==void 0)}}o(nn,"optimizeExpr");function PR(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(PR,"subtractNames");function Fp(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,B._)`!${Nc(e)}`}o(Fp,"not");j.not=Fp;var xR=Zp(j.operators.AND);function OR(...e){return e.reduce(xR)}o(OR,"and");j.and=OR;var UR=Zp(j.operators.OR);function zR(...e){return e.reduce(UR)}o(zR,"or");j.or=zR;function Zp(e){return(t,r)=>t===B.nil?r:r===B.nil?t:(0,B._)`${Nc(t)} ${e} ${Nc(r)}`}o(Zp,"mappend");function Nc(e){return e instanceof B.Name?e:(0,B._)`(${e})`}o(Nc,"par")});var J=T(G=>{"use strict";Object.defineProperty(G,"__esModule",{value:!0});G.checkStrictMode=G.getErrorPath=G.Type=G.useFunc=G.setEvaluated=G.evaluatedPropsToName=G.mergeEvaluated=G.eachItem=G.unescapeJsonPointer=G.escapeJsonPointer=G.escapeFragment=G.unescapeFragment=G.schemaRefOrVal=G.schemaHasRulesButRef=G.schemaHasRules=G.checkUnknownRules=G.alwaysValidSchema=G.toHash=void 0;var re=L(),NR=io();function DR(e){let t={};for(let r of e)t[r]=!0;return t}o(DR,"toHash");G.toHash=DR;function MR(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(Jp(e,t),!Yp(t,e.self.RULES.all))}o(MR,"alwaysValidSchema");G.alwaysValidSchema=MR;function Jp(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let i in t)a[i]||em(e,`unknown keyword: "${i}"`)}o(Jp,"checkUnknownRules");G.checkUnknownRules=Jp;function Yp(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(Yp,"schemaHasRules");G.schemaHasRules=Yp;function qR(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o(qR,"schemaHasRulesButRef");G.schemaHasRulesButRef=qR;function $R({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,re._)`${r}`}return(0,re._)`${e}${t}${(0,re.getProperty)(n)}`}o($R,"schemaRefOrVal");G.schemaRefOrVal=$R;function LR(e){return Xp(decodeURIComponent(e))}o(LR,"unescapeFragment");G.unescapeFragment=LR;function jR(e){return encodeURIComponent(Mc(e))}o(jR,"escapeFragment");G.escapeFragment=jR;function Mc(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Mc,"escapeJsonPointer");G.escapeJsonPointer=Mc;function Xp(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(Xp,"unescapeJsonPointer");G.unescapeJsonPointer=Xp;function HR(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(HR,"eachItem");G.eachItem=HR;function Kp({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,i,s,u)=>{let d=s===void 0?i:s instanceof re.Name?(i instanceof re.Name?e(a,i,s):t(a,i,s),s):i instanceof re.Name?(t(a,s,i),i):r(i,s);return u===re.Name&&!(d instanceof re.Name)?n(a,d):d}}o(Kp,"makeMergeEvaluated");G.mergeEvaluated={props:Kp({mergeNames:o((e,t,r)=>e.if((0,re._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,re._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,re._)`${r} || {}`).code((0,re._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,re._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,re._)`${r} || {}`),qc(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:Qp}),items:Kp({mergeNames:o((e,t,r)=>e.if((0,re._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,re._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,re._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,re._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function Qp(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,re._)`{}`);return t!==void 0&&qc(e,r,t),r}o(Qp,"evaluatedPropsToName");G.evaluatedPropsToName=Qp;function qc(e,t,r){Object.keys(r).forEach(n=>e.assign((0,re._)`${t}${(0,re.getProperty)(n)}`,!0))}o(qc,"setEvaluated");G.setEvaluated=qc;var Wp={};function GR(e,t){return e.scopeValue("func",{ref:t,code:Wp[t.code]||(Wp[t.code]=new NR._Code(t.code))})}o(GR,"useFunc");G.useFunc=GR;var Dc;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(Dc||(G.Type=Dc={}));function BR(e,t,r){if(e instanceof re.Name){let n=t===Dc.Num;return r?n?(0,re._)`"[" + ${e} + "]"`:(0,re._)`"['" + ${e} + "']"`:n?(0,re._)`"/" + ${e}`:(0,re._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,re.getProperty)(e).toString():"/"+Mc(e)}o(BR,"getErrorPath");G.getErrorPath=BR;function em(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(em,"checkStrictMode");G.checkStrictMode=em});var $t=T($c=>{"use strict";Object.defineProperty($c,"__esModule",{value:!0});var Ue=L(),VR={data:new Ue.Name("data"),valCxt:new Ue.Name("valCxt"),instancePath:new Ue.Name("instancePath"),parentData:new Ue.Name("parentData"),parentDataProperty:new Ue.Name("parentDataProperty"),rootData:new Ue.Name("rootData"),dynamicAnchors:new Ue.Name("dynamicAnchors"),vErrors:new Ue.Name("vErrors"),errors:new Ue.Name("errors"),this:new Ue.Name("this"),self:new Ue.Name("self"),scope:new Ue.Name("scope"),json:new Ue.Name("json"),jsonPos:new Ue.Name("jsonPos"),jsonLen:new Ue.Name("jsonLen"),jsonPart:new Ue.Name("jsonPart")};$c.default=VR});var mo=T(ze=>{"use strict";Object.defineProperty(ze,"__esModule",{value:!0});ze.extendErrors=ze.resetErrorsCount=ze.reportExtraError=ze.reportError=ze.keyword$DataError=ze.keywordError=void 0;var Z=L(),ja=J(),qe=$t();ze.keywordError={message:o(({keyword:e})=>(0,Z.str)`must pass "${e}" keyword validation`,"message")};ze.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,Z.str)`"${e}" keyword must be ${t} ($data)`:(0,Z.str)`"${e}" keyword is invalid ($data)`,"message")};function FR(e,t=ze.keywordError,r,n){let{it:a}=e,{gen:i,compositeRule:s,allErrors:u}=a,d=nm(e,t,r);n??(s||u)?tm(i,d):rm(a,(0,Z._)`[${d}]`)}o(FR,"reportError");ze.reportError=FR;function ZR(e,t=ze.keywordError,r){let{it:n}=e,{gen:a,compositeRule:i,allErrors:s}=n,u=nm(e,t,r);tm(a,u),i||s||rm(n,qe.default.vErrors)}o(ZR,"reportExtraError");ze.reportExtraError=ZR;function KR(e,t){e.assign(qe.default.errors,t),e.if((0,Z._)`${qe.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,Z._)`${qe.default.vErrors}.length`,t),()=>e.assign(qe.default.vErrors,null)))}o(KR,"resetErrorsCount");ze.resetErrorsCount=KR;function WR({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:i}){if(a===void 0)throw new Error("ajv implementation error");let s=e.name("err");e.forRange("i",a,qe.default.errors,u=>{e.const(s,(0,Z._)`${qe.default.vErrors}[${u}]`),e.if((0,Z._)`${s}.instancePath === undefined`,()=>e.assign((0,Z._)`${s}.instancePath`,(0,Z.strConcat)(qe.default.instancePath,i.errorPath))),e.assign((0,Z._)`${s}.schemaPath`,(0,Z.str)`${i.errSchemaPath}/${t}`),i.opts.verbose&&(e.assign((0,Z._)`${s}.schema`,r),e.assign((0,Z._)`${s}.data`,n))})}o(WR,"extendErrors");ze.extendErrors=WR;function tm(e,t){let r=e.const("err",t);e.if((0,Z._)`${qe.default.vErrors} === null`,()=>e.assign(qe.default.vErrors,(0,Z._)`[${r}]`),(0,Z._)`${qe.default.vErrors}.push(${r})`),e.code((0,Z._)`${qe.default.errors}++`)}o(tm,"addError");function rm(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,Z._)`new ${e.ValidationError}(${t})`):(r.assign((0,Z._)`${n}.errors`,t),r.return(!1))}o(rm,"returnErrors");var Tr={keyword:new Z.Name("keyword"),schemaPath:new Z.Name("schemaPath"),params:new Z.Name("params"),propertyName:new Z.Name("propertyName"),message:new Z.Name("message"),schema:new Z.Name("schema"),parentSchema:new Z.Name("parentSchema")};function nm(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,Z._)`{}`:JR(e,t,r)}o(nm,"errorObjectCode");function JR(e,t,r={}){let{gen:n,it:a}=e,i=[YR(a,r),XR(e,r)];return QR(e,t,i),n.object(...i)}o(JR,"errorObject");function YR({errorPath:e},{instancePath:t}){let r=t?(0,Z.str)`${e}${(0,ja.getErrorPath)(t,ja.Type.Str)}`:e;return[qe.default.instancePath,(0,Z.strConcat)(qe.default.instancePath,r)]}o(YR,"errorInstancePath");function XR({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,Z.str)`${t}/${e}`;return r&&(a=(0,Z.str)`${a}${(0,ja.getErrorPath)(r,ja.Type.Str)}`),[Tr.schemaPath,a]}o(XR,"errorSchemaPath");function QR(e,{params:t,message:r},n){let{keyword:a,data:i,schemaValue:s,it:u}=e,{opts:d,propertyName:l,topSchemaRef:p,schemaPath:m}=u;n.push([Tr.keyword,a],[Tr.params,typeof t=="function"?t(e):t||(0,Z._)`{}`]),d.messages&&n.push([Tr.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([Tr.schema,s],[Tr.parentSchema,(0,Z._)`${p}${m}`],[qe.default.data,i]),l&&n.push([Tr.propertyName,l])}o(QR,"extraErrorProps")});var am=T(on=>{"use strict";Object.defineProperty(on,"__esModule",{value:!0});on.boolOrEmptySchema=on.topBoolOrEmptySchema=void 0;var eb=mo(),tb=L(),rb=$t(),nb={message:"boolean schema is false"};function ob(e){let{gen:t,schema:r,validateName:n}=e;r===!1?om(e,!1):typeof r=="object"&&r.$async===!0?t.return(rb.default.data):(t.assign((0,tb._)`${n}.errors`,null),t.return(!0))}o(ob,"topBoolOrEmptySchema");on.topBoolOrEmptySchema=ob;function ab(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),om(e)):r.var(t,!0)}o(ab,"boolOrEmptySchema");on.boolOrEmptySchema=ab;function om(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,eb.reportError)(a,nb,void 0,t)}o(om,"falseSchemaError")});var Lc=T(an=>{"use strict";Object.defineProperty(an,"__esModule",{value:!0});an.getRules=an.isJSONType=void 0;var ib=["string","number","integer","boolean","null","object","array"],sb=new Set(ib);function cb(e){return typeof e=="string"&&sb.has(e)}o(cb,"isJSONType");an.isJSONType=cb;function ub(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(ub,"getRules");an.getRules=ub});var jc=T(ar=>{"use strict";Object.defineProperty(ar,"__esModule",{value:!0});ar.shouldUseRule=ar.shouldUseGroup=ar.schemaHasRulesForType=void 0;function db({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&im(e,n)}o(db,"schemaHasRulesForType");ar.schemaHasRulesForType=db;function im(e,t){return t.rules.some(r=>sm(e,r))}o(im,"shouldUseGroup");ar.shouldUseGroup=im;function sm(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(sm,"shouldUseRule");ar.shouldUseRule=sm});var ho=T(Ne=>{"use strict";Object.defineProperty(Ne,"__esModule",{value:!0});Ne.reportTypeError=Ne.checkDataTypes=Ne.checkDataType=Ne.coerceAndCheckDataType=Ne.getJSONTypes=Ne.getSchemaTypes=Ne.DataType=void 0;var lb=Lc(),pb=jc(),mb=mo(),$=L(),cm=J(),sn;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(sn||(Ne.DataType=sn={}));function hb(e){let t=um(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(hb,"getSchemaTypes");Ne.getSchemaTypes=hb;function um(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(lb.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(um,"getJSONTypes");Ne.getJSONTypes=um;function fb(e,t){let{gen:r,data:n,opts:a}=e,i=gb(t,a.coerceTypes),s=t.length>0&&!(i.length===0&&t.length===1&&(0,pb.schemaHasRulesForType)(e,t[0]));if(s){let u=Gc(t,n,a.strictNumbers,sn.Wrong);r.if(u,()=>{i.length?_b(e,t,i):Bc(e)})}return s}o(fb,"coerceAndCheckDataType");Ne.coerceAndCheckDataType=fb;var dm=new Set(["string","number","integer","boolean","null"]);function gb(e,t){return t?e.filter(r=>dm.has(r)||t==="array"&&r==="array"):[]}o(gb,"coerceToTypes");function _b(e,t,r){let{gen:n,data:a,opts:i}=e,s=n.let("dataType",(0,$._)`typeof ${a}`),u=n.let("coerced",(0,$._)`undefined`);i.coerceTypes==="array"&&n.if((0,$._)`${s} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,$._)`${a}[0]`).assign(s,(0,$._)`typeof ${a}`).if(Gc(t,a,i.strictNumbers),()=>n.assign(u,a))),n.if((0,$._)`${u} !== undefined`);for(let l of r)(dm.has(l)||l==="array"&&i.coerceTypes==="array")&&d(l);n.else(),Bc(e),n.endIf(),n.if((0,$._)`${u} !== undefined`,()=>{n.assign(a,u),yb(e,u)});function d(l){switch(l){case"string":n.elseIf((0,$._)`${s} == "number" || ${s} == "boolean"`).assign(u,(0,$._)`"" + ${a}`).elseIf((0,$._)`${a} === null`).assign(u,(0,$._)`""`);return;case"number":n.elseIf((0,$._)`${s} == "boolean" || ${a} === null
+import{$ as pe,H as Sp,I as Ds,J as Yw,K as wp,L as h,M as vp,N as K,O as ee,P as Rp,Q as bp,R as he,S as b,T as C,U as Se,V as se,W as Ms,X as qs,Y as ne,Z as Xe,_ as P,a as Wt,aa as Cp,b as _p,ba as $s,ca as Ip,da as Tp,ea as c,fa as Y,j as Vn,k as yp,q as zs,z as Ut}from"../chunk-PG5BJ2JU.js";import{d as Ns}from"../chunk-BHMDFTZV.js";import{a as H}from"../chunk-ZJ5LRHNO.js";import{U as _a,V as Ot,W as gp,a as o,c as T,e as fp}from"../chunk-FFHHHNST.js";var ao=T(W=>{"use strict";Object.defineProperty(W,"__esModule",{value:!0});W.regexpCode=W.getEsmExportName=W.getProperty=W.safeStringify=W.stringify=W.strConcat=W.addCodeArg=W.str=W._=W.nil=W._Code=W.Name=W.IDENTIFIER=W._CodeOrName=void 0;var no=class{static{o(this,"_CodeOrName")}};W._CodeOrName=no;W.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var Rr=class extends no{static{o(this,"Name")}constructor(t){if(super(),!W.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};W.Name=Rr;var rt=class extends no{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof Rr&&(r[n.str]=(r[n.str]||0)+1),r),{})}};W._Code=rt;W.nil=new rt("");function Bp(e,...t){let r=[e[0]],n=0;for(;n<t.length;)Sc(r,t[n]),r.push(e[++n]);return new rt(r)}o(Bp,"_");W._=Bp;var yc=new rt("+");function Vp(e,...t){let r=[oo(e[0])],n=0;for(;n<t.length;)r.push(yc),Sc(r,t[n]),r.push(yc,oo(e[++n]));return RR(r),new rt(r)}o(Vp,"str");W.str=Vp;function Sc(e,t){t instanceof rt?e.push(...t._items):t instanceof Rr?e.push(t):e.push(IR(t))}o(Sc,"addCodeArg");W.addCodeArg=Sc;function RR(e){let t=1;for(;t<e.length-1;){if(e[t]===yc){let r=bR(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(RR,"optimize");function bR(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof Rr||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof Rr))return`"${e}${t.slice(1)}`}o(bR,"mergeExprItems");function CR(e,t){return t.emptyStr()?e:e.emptyStr()?t:Vp`${e}${t}`}o(CR,"strConcat");W.strConcat=CR;function IR(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:oo(Array.isArray(e)?e.join(","):e)}o(IR,"interpolate");function TR(e){return new rt(oo(e))}o(TR,"stringify");W.stringify=TR;function oo(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(oo,"safeStringify");W.safeStringify=oo;function AR(e){return typeof e=="string"&&W.IDENTIFIER.test(e)?new rt(`.${e}`):Bp`[${e}]`}o(AR,"getProperty");W.getProperty=AR;function kR(e){if(typeof e=="string"&&W.IDENTIFIER.test(e))return new rt(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(kR,"getEsmExportName");W.getEsmExportName=kR;function PR(e){return new rt(e.toString())}o(PR,"regexpCode");W.regexpCode=PR});var Rc=T(Ge=>{"use strict";Object.defineProperty(Ge,"__esModule",{value:!0});Ge.ValueScope=Ge.ValueScopeName=Ge.Scope=Ge.varKinds=Ge.UsedValueState=void 0;var He=ao(),wc=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},Ua;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(Ua||(Ge.UsedValueState=Ua={}));Ge.varKinds={const:new He.Name("const"),let:new He.Name("let"),var:new He.Name("var")};var za=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof He.Name?t:this.name(t)}name(t){return new He.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};Ge.Scope=za;var Na=class extends He.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,He._)`.${new He.Name(r)}[${n}]`}};Ge.ValueScopeName=Na;var ER=(0,He._)`\n`,vc=class extends za{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?ER:He.nil}}get(){return this._scope}name(t){return new Na(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:i}=a,s=(n=r.key)!==null&&n!==void 0?n:r.ref,u=this._values[i];if(u){let p=u.get(s);if(p)return p}else u=this._values[i]=new Map;u.set(s,a);let d=this._scope[i]||(this._scope[i]=[]),l=d.length;return d[l]=r.ref,a.setValue(r,{property:i,itemIndex:l}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,He._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let i=He.nil;for(let s in t){let u=t[s];if(!u)continue;let d=n[s]=n[s]||new Map;u.forEach(l=>{if(d.has(l))return;d.set(l,Ua.Started);let p=r(l);if(p){let m=this.opts.es5?Ge.varKinds.var:Ge.varKinds.const;i=(0,He._)`${i}${m} ${l} = ${p};${this.opts._n}`}else if(p=a?.(l))i=(0,He._)`${i}${p}${this.opts._n}`;else throw new wc(l);d.set(l,Ua.Completed)})}return i}};Ge.ValueScope=vc});var L=T(j=>{"use strict";Object.defineProperty(j,"__esModule",{value:!0});j.or=j.and=j.not=j.CodeGen=j.operators=j.varKinds=j.ValueScopeName=j.ValueScope=j.Scope=j.Name=j.regexpCode=j.stringify=j.getProperty=j.nil=j.strConcat=j.str=j._=void 0;var B=ao(),dt=Rc(),or=ao();Object.defineProperty(j,"_",{enumerable:!0,get:o(function(){return or._},"get")});Object.defineProperty(j,"str",{enumerable:!0,get:o(function(){return or.str},"get")});Object.defineProperty(j,"strConcat",{enumerable:!0,get:o(function(){return or.strConcat},"get")});Object.defineProperty(j,"nil",{enumerable:!0,get:o(function(){return or.nil},"get")});Object.defineProperty(j,"getProperty",{enumerable:!0,get:o(function(){return or.getProperty},"get")});Object.defineProperty(j,"stringify",{enumerable:!0,get:o(function(){return or.stringify},"get")});Object.defineProperty(j,"regexpCode",{enumerable:!0,get:o(function(){return or.regexpCode},"get")});Object.defineProperty(j,"Name",{enumerable:!0,get:o(function(){return or.Name},"get")});var $a=Rc();Object.defineProperty(j,"Scope",{enumerable:!0,get:o(function(){return $a.Scope},"get")});Object.defineProperty(j,"ValueScope",{enumerable:!0,get:o(function(){return $a.ValueScope},"get")});Object.defineProperty(j,"ValueScopeName",{enumerable:!0,get:o(function(){return $a.ValueScopeName},"get")});Object.defineProperty(j,"varKinds",{enumerable:!0,get:o(function(){return $a.varKinds},"get")});j.operators={GT:new B._Code(">"),GTE:new B._Code(">="),LT:new B._Code("<"),LTE:new B._Code("<="),EQ:new B._Code("==="),NEQ:new B._Code("!=="),NOT:new B._Code("!"),OR:new B._Code("||"),AND:new B._Code("&&"),ADD:new B._Code("+")};var Mt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},bc=class extends Mt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?dt.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=nn(this.rhs,t,r)),this}get names(){return this.rhs instanceof B._CodeOrName?this.rhs.names:{}}},Da=class extends Mt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof B.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=nn(this.rhs,t,r),this}get names(){let t=this.lhs instanceof B.Name?{}:{...this.lhs.names};return qa(t,this.rhs)}},Cc=class extends Da{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},Ic=class extends Mt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},Tc=class extends Mt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},Ac=class extends Mt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},kc=class extends Mt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=nn(this.code,t,r),this}get names(){return this.code instanceof B._CodeOrName?this.code.names:{}}},io=class extends Mt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let i=n[a];i.optimizeNames(t,r)||(xR(t,i.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>Ir(t,r.names),{})}},qt=class extends io{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},Pc=class extends io{static{o(this,"Root")}},rn=class extends qt{static{o(this,"Else")}};rn.kind="else";var br=class e extends qt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new rn(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(Fp(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=nn(this.condition,t,r),this}get names(){let t=super.names;return qa(t,this.condition),this.else&&Ir(t,this.else.names),t}};br.kind="if";var Cr=class extends qt{static{o(this,"For")}};Cr.kind="for";var Ec=class extends Cr{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=nn(this.iteration,t,r),this}get names(){return Ir(super.names,this.iteration.names)}},xc=class extends Cr{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?dt.varKinds.var:this.varKind,{name:n,from:a,to:i}=this;return`for(${r} ${n}=${a}; ${n}<${i}; ${n}++)`+super.render(t)}get names(){let t=qa(super.names,this.from);return qa(t,this.to)}},Ma=class extends Cr{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=nn(this.iterable,t,r),this}get names(){return Ir(super.names,this.iterable.names)}},so=class extends qt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};so.kind="func";var co=class extends io{static{o(this,"Return")}render(t){return"return "+super.render(t)}};co.kind="return";var Oc=class extends qt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&Ir(t,this.catch.names),this.finally&&Ir(t,this.finally.names),t}},uo=class extends qt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};uo.kind="catch";var lo=class extends qt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};lo.kind="finally";var Uc=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
+`:""},this._extScope=t,this._scope=new dt.Scope({parent:t}),this._nodes=[new Pc]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let i=this._scope.toName(r);return n!==void 0&&a&&(this._constants[i.str]=n),this._leafNode(new bc(t,i,n)),i}const(t,r,n){return this._def(dt.varKinds.const,t,r,n)}let(t,r,n){return this._def(dt.varKinds.let,t,r,n)}var(t,r,n){return this._def(dt.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new Da(t,r,n))}add(t,r){return this._leafNode(new Cc(t,j.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==B.nil&&this._leafNode(new kc(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,B.addCodeArg)(r,a));return r.push("}"),new B._Code(r)}if(t,r,n){if(this._blockNode(new br(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new br(t))}else(){return this._elseNode(new rn)}endIf(){return this._endBlockNode(br,rn)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new Ec(t),r)}forRange(t,r,n,a,i=this.opts.es5?dt.varKinds.var:dt.varKinds.let){let s=this._scope.toName(t);return this._for(new xc(i,s,r,n),()=>a(s))}forOf(t,r,n,a=dt.varKinds.const){let i=this._scope.toName(t);if(this.opts.es5){let s=r instanceof B.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,B._)`${s}.length`,u=>{this.var(i,(0,B._)`${s}[${u}]`),n(i)})}return this._for(new Ma("of",a,i,r),()=>n(i))}forIn(t,r,n,a=this.opts.es5?dt.varKinds.var:dt.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,B._)`Object.keys(${r})`,n);let i=this._scope.toName(t);return this._for(new Ma("in",a,i,r),()=>n(i))}endFor(){return this._endBlockNode(Cr)}label(t){return this._leafNode(new Ic(t))}break(t){return this._leafNode(new Tc(t))}return(t){let r=new co;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(co)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new Oc;if(this._blockNode(a),this.code(t),r){let i=this.name("e");this._currNode=a.catch=new uo(i),r(i)}return n&&(this._currNode=a.finally=new lo,this.code(n)),this._endBlockNode(uo,lo)}throw(t){return this._leafNode(new Ac(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=B.nil,n,a){return this._blockNode(new so(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(so)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof br))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};j.CodeGen=Uc;function Ir(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(Ir,"addNames");function qa(e,t){return t instanceof B._CodeOrName?Ir(e,t.names):e}o(qa,"addExprNames");function nn(e,t,r){if(e instanceof B.Name)return n(e);if(!a(e))return e;return new B._Code(e._items.reduce((i,s)=>(s instanceof B.Name&&(s=n(s)),s instanceof B._Code?i.push(...s._items):i.push(s),i),[]));function n(i){let s=r[i.str];return s===void 0||t[i.str]!==1?i:(delete t[i.str],s)}function a(i){return i instanceof B._Code&&i._items.some(s=>s instanceof B.Name&&t[s.str]===1&&r[s.str]!==void 0)}}o(nn,"optimizeExpr");function xR(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(xR,"subtractNames");function Fp(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,B._)`!${zc(e)}`}o(Fp,"not");j.not=Fp;var OR=Zp(j.operators.AND);function UR(...e){return e.reduce(OR)}o(UR,"and");j.and=UR;var zR=Zp(j.operators.OR);function NR(...e){return e.reduce(zR)}o(NR,"or");j.or=NR;function Zp(e){return(t,r)=>t===B.nil?r:r===B.nil?t:(0,B._)`${zc(t)} ${e} ${zc(r)}`}o(Zp,"mappend");function zc(e){return e instanceof B.Name?e:(0,B._)`(${e})`}o(zc,"par")});var J=T(G=>{"use strict";Object.defineProperty(G,"__esModule",{value:!0});G.checkStrictMode=G.getErrorPath=G.Type=G.useFunc=G.setEvaluated=G.evaluatedPropsToName=G.mergeEvaluated=G.eachItem=G.unescapeJsonPointer=G.escapeJsonPointer=G.escapeFragment=G.unescapeFragment=G.schemaRefOrVal=G.schemaHasRulesButRef=G.schemaHasRules=G.checkUnknownRules=G.alwaysValidSchema=G.toHash=void 0;var te=L(),DR=ao();function MR(e){let t={};for(let r of e)t[r]=!0;return t}o(MR,"toHash");G.toHash=MR;function qR(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(Jp(e,t),!Yp(t,e.self.RULES.all))}o(qR,"alwaysValidSchema");G.alwaysValidSchema=qR;function Jp(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let i in t)a[i]||em(e,`unknown keyword: "${i}"`)}o(Jp,"checkUnknownRules");G.checkUnknownRules=Jp;function Yp(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(Yp,"schemaHasRules");G.schemaHasRules=Yp;function $R(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o($R,"schemaHasRulesButRef");G.schemaHasRulesButRef=$R;function LR({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,te._)`${r}`}return(0,te._)`${e}${t}${(0,te.getProperty)(n)}`}o(LR,"schemaRefOrVal");G.schemaRefOrVal=LR;function jR(e){return Xp(decodeURIComponent(e))}o(jR,"unescapeFragment");G.unescapeFragment=jR;function HR(e){return encodeURIComponent(Dc(e))}o(HR,"escapeFragment");G.escapeFragment=HR;function Dc(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Dc,"escapeJsonPointer");G.escapeJsonPointer=Dc;function Xp(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(Xp,"unescapeJsonPointer");G.unescapeJsonPointer=Xp;function GR(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(GR,"eachItem");G.eachItem=GR;function Kp({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,i,s,u)=>{let d=s===void 0?i:s instanceof te.Name?(i instanceof te.Name?e(a,i,s):t(a,i,s),s):i instanceof te.Name?(t(a,s,i),i):r(i,s);return u===te.Name&&!(d instanceof te.Name)?n(a,d):d}}o(Kp,"makeMergeEvaluated");G.mergeEvaluated={props:Kp({mergeNames:o((e,t,r)=>e.if((0,te._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,te._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,te._)`${r} || {}`).code((0,te._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,te._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,te._)`${r} || {}`),Mc(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:Qp}),items:Kp({mergeNames:o((e,t,r)=>e.if((0,te._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,te._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,te._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,te._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function Qp(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,te._)`{}`);return t!==void 0&&Mc(e,r,t),r}o(Qp,"evaluatedPropsToName");G.evaluatedPropsToName=Qp;function Mc(e,t,r){Object.keys(r).forEach(n=>e.assign((0,te._)`${t}${(0,te.getProperty)(n)}`,!0))}o(Mc,"setEvaluated");G.setEvaluated=Mc;var Wp={};function BR(e,t){return e.scopeValue("func",{ref:t,code:Wp[t.code]||(Wp[t.code]=new DR._Code(t.code))})}o(BR,"useFunc");G.useFunc=BR;var Nc;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(Nc||(G.Type=Nc={}));function VR(e,t,r){if(e instanceof te.Name){let n=t===Nc.Num;return r?n?(0,te._)`"[" + ${e} + "]"`:(0,te._)`"['" + ${e} + "']"`:n?(0,te._)`"/" + ${e}`:(0,te._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,te.getProperty)(e).toString():"/"+Dc(e)}o(VR,"getErrorPath");G.getErrorPath=VR;function em(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(em,"checkStrictMode");G.checkStrictMode=em});var $t=T(qc=>{"use strict";Object.defineProperty(qc,"__esModule",{value:!0});var Ue=L(),FR={data:new Ue.Name("data"),valCxt:new Ue.Name("valCxt"),instancePath:new Ue.Name("instancePath"),parentData:new Ue.Name("parentData"),parentDataProperty:new Ue.Name("parentDataProperty"),rootData:new Ue.Name("rootData"),dynamicAnchors:new Ue.Name("dynamicAnchors"),vErrors:new Ue.Name("vErrors"),errors:new Ue.Name("errors"),this:new Ue.Name("this"),self:new Ue.Name("self"),scope:new Ue.Name("scope"),json:new Ue.Name("json"),jsonPos:new Ue.Name("jsonPos"),jsonLen:new Ue.Name("jsonLen"),jsonPart:new Ue.Name("jsonPart")};qc.default=FR});var po=T(ze=>{"use strict";Object.defineProperty(ze,"__esModule",{value:!0});ze.extendErrors=ze.resetErrorsCount=ze.reportExtraError=ze.reportError=ze.keyword$DataError=ze.keywordError=void 0;var Z=L(),La=J(),qe=$t();ze.keywordError={message:o(({keyword:e})=>(0,Z.str)`must pass "${e}" keyword validation`,"message")};ze.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,Z.str)`"${e}" keyword must be ${t} ($data)`:(0,Z.str)`"${e}" keyword is invalid ($data)`,"message")};function ZR(e,t=ze.keywordError,r,n){let{it:a}=e,{gen:i,compositeRule:s,allErrors:u}=a,d=nm(e,t,r);n??(s||u)?tm(i,d):rm(a,(0,Z._)`[${d}]`)}o(ZR,"reportError");ze.reportError=ZR;function KR(e,t=ze.keywordError,r){let{it:n}=e,{gen:a,compositeRule:i,allErrors:s}=n,u=nm(e,t,r);tm(a,u),i||s||rm(n,qe.default.vErrors)}o(KR,"reportExtraError");ze.reportExtraError=KR;function WR(e,t){e.assign(qe.default.errors,t),e.if((0,Z._)`${qe.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,Z._)`${qe.default.vErrors}.length`,t),()=>e.assign(qe.default.vErrors,null)))}o(WR,"resetErrorsCount");ze.resetErrorsCount=WR;function JR({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:i}){if(a===void 0)throw new Error("ajv implementation error");let s=e.name("err");e.forRange("i",a,qe.default.errors,u=>{e.const(s,(0,Z._)`${qe.default.vErrors}[${u}]`),e.if((0,Z._)`${s}.instancePath === undefined`,()=>e.assign((0,Z._)`${s}.instancePath`,(0,Z.strConcat)(qe.default.instancePath,i.errorPath))),e.assign((0,Z._)`${s}.schemaPath`,(0,Z.str)`${i.errSchemaPath}/${t}`),i.opts.verbose&&(e.assign((0,Z._)`${s}.schema`,r),e.assign((0,Z._)`${s}.data`,n))})}o(JR,"extendErrors");ze.extendErrors=JR;function tm(e,t){let r=e.const("err",t);e.if((0,Z._)`${qe.default.vErrors} === null`,()=>e.assign(qe.default.vErrors,(0,Z._)`[${r}]`),(0,Z._)`${qe.default.vErrors}.push(${r})`),e.code((0,Z._)`${qe.default.errors}++`)}o(tm,"addError");function rm(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,Z._)`new ${e.ValidationError}(${t})`):(r.assign((0,Z._)`${n}.errors`,t),r.return(!1))}o(rm,"returnErrors");var Tr={keyword:new Z.Name("keyword"),schemaPath:new Z.Name("schemaPath"),params:new Z.Name("params"),propertyName:new Z.Name("propertyName"),message:new Z.Name("message"),schema:new Z.Name("schema"),parentSchema:new Z.Name("parentSchema")};function nm(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,Z._)`{}`:YR(e,t,r)}o(nm,"errorObjectCode");function YR(e,t,r={}){let{gen:n,it:a}=e,i=[XR(a,r),QR(e,r)];return eb(e,t,i),n.object(...i)}o(YR,"errorObject");function XR({errorPath:e},{instancePath:t}){let r=t?(0,Z.str)`${e}${(0,La.getErrorPath)(t,La.Type.Str)}`:e;return[qe.default.instancePath,(0,Z.strConcat)(qe.default.instancePath,r)]}o(XR,"errorInstancePath");function QR({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,Z.str)`${t}/${e}`;return r&&(a=(0,Z.str)`${a}${(0,La.getErrorPath)(r,La.Type.Str)}`),[Tr.schemaPath,a]}o(QR,"errorSchemaPath");function eb(e,{params:t,message:r},n){let{keyword:a,data:i,schemaValue:s,it:u}=e,{opts:d,propertyName:l,topSchemaRef:p,schemaPath:m}=u;n.push([Tr.keyword,a],[Tr.params,typeof t=="function"?t(e):t||(0,Z._)`{}`]),d.messages&&n.push([Tr.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([Tr.schema,s],[Tr.parentSchema,(0,Z._)`${p}${m}`],[qe.default.data,i]),l&&n.push([Tr.propertyName,l])}o(eb,"extraErrorProps")});var am=T(on=>{"use strict";Object.defineProperty(on,"__esModule",{value:!0});on.boolOrEmptySchema=on.topBoolOrEmptySchema=void 0;var tb=po(),rb=L(),nb=$t(),ob={message:"boolean schema is false"};function ab(e){let{gen:t,schema:r,validateName:n}=e;r===!1?om(e,!1):typeof r=="object"&&r.$async===!0?t.return(nb.default.data):(t.assign((0,rb._)`${n}.errors`,null),t.return(!0))}o(ab,"topBoolOrEmptySchema");on.topBoolOrEmptySchema=ab;function ib(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),om(e)):r.var(t,!0)}o(ib,"boolOrEmptySchema");on.boolOrEmptySchema=ib;function om(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,tb.reportError)(a,ob,void 0,t)}o(om,"falseSchemaError")});var $c=T(an=>{"use strict";Object.defineProperty(an,"__esModule",{value:!0});an.getRules=an.isJSONType=void 0;var sb=["string","number","integer","boolean","null","object","array"],cb=new Set(sb);function ub(e){return typeof e=="string"&&cb.has(e)}o(ub,"isJSONType");an.isJSONType=ub;function db(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(db,"getRules");an.getRules=db});var Lc=T(ar=>{"use strict";Object.defineProperty(ar,"__esModule",{value:!0});ar.shouldUseRule=ar.shouldUseGroup=ar.schemaHasRulesForType=void 0;function lb({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&im(e,n)}o(lb,"schemaHasRulesForType");ar.schemaHasRulesForType=lb;function im(e,t){return t.rules.some(r=>sm(e,r))}o(im,"shouldUseGroup");ar.shouldUseGroup=im;function sm(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(sm,"shouldUseRule");ar.shouldUseRule=sm});var mo=T(Ne=>{"use strict";Object.defineProperty(Ne,"__esModule",{value:!0});Ne.reportTypeError=Ne.checkDataTypes=Ne.checkDataType=Ne.coerceAndCheckDataType=Ne.getJSONTypes=Ne.getSchemaTypes=Ne.DataType=void 0;var pb=$c(),mb=Lc(),hb=po(),$=L(),cm=J(),sn;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(sn||(Ne.DataType=sn={}));function fb(e){let t=um(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(fb,"getSchemaTypes");Ne.getSchemaTypes=fb;function um(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(pb.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(um,"getJSONTypes");Ne.getJSONTypes=um;function gb(e,t){let{gen:r,data:n,opts:a}=e,i=_b(t,a.coerceTypes),s=t.length>0&&!(i.length===0&&t.length===1&&(0,mb.schemaHasRulesForType)(e,t[0]));if(s){let u=Hc(t,n,a.strictNumbers,sn.Wrong);r.if(u,()=>{i.length?yb(e,t,i):Gc(e)})}return s}o(gb,"coerceAndCheckDataType");Ne.coerceAndCheckDataType=gb;var dm=new Set(["string","number","integer","boolean","null"]);function _b(e,t){return t?e.filter(r=>dm.has(r)||t==="array"&&r==="array"):[]}o(_b,"coerceToTypes");function yb(e,t,r){let{gen:n,data:a,opts:i}=e,s=n.let("dataType",(0,$._)`typeof ${a}`),u=n.let("coerced",(0,$._)`undefined`);i.coerceTypes==="array"&&n.if((0,$._)`${s} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,$._)`${a}[0]`).assign(s,(0,$._)`typeof ${a}`).if(Hc(t,a,i.strictNumbers),()=>n.assign(u,a))),n.if((0,$._)`${u} !== undefined`);for(let l of r)(dm.has(l)||l==="array"&&i.coerceTypes==="array")&&d(l);n.else(),Gc(e),n.endIf(),n.if((0,$._)`${u} !== undefined`,()=>{n.assign(a,u),Sb(e,u)});function d(l){switch(l){case"string":n.elseIf((0,$._)`${s} == "number" || ${s} == "boolean"`).assign(u,(0,$._)`"" + ${a}`).elseIf((0,$._)`${a} === null`).assign(u,(0,$._)`""`);return;case"number":n.elseIf((0,$._)`${s} == "boolean" || ${a} === null
               || (${s} == "string" && ${a} && ${a} == +${a})`).assign(u,(0,$._)`+${a}`);return;case"integer":n.elseIf((0,$._)`${s} === "boolean" || ${a} === null
               || (${s} === "string" && ${a} && ${a} == +${a} && !(${a} % 1))`).assign(u,(0,$._)`+${a}`);return;case"boolean":n.elseIf((0,$._)`${a} === "false" || ${a} === 0 || ${a} === null`).assign(u,!1).elseIf((0,$._)`${a} === "true" || ${a} === 1`).assign(u,!0);return;case"null":n.elseIf((0,$._)`${a} === "" || ${a} === 0 || ${a} === false`),n.assign(u,null);return;case"array":n.elseIf((0,$._)`${s} === "string" || ${s} === "number"
-              || ${s} === "boolean" || ${a} === null`).assign(u,(0,$._)`[${a}]`)}}o(d,"coerceSpecificType")}o(_b,"coerceData");function yb({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,$._)`${t} !== undefined`,()=>e.assign((0,$._)`${t}[${r}]`,n))}o(yb,"assignParentData");function Hc(e,t,r,n=sn.Correct){let a=n===sn.Correct?$.operators.EQ:$.operators.NEQ,i;switch(e){case"null":return(0,$._)`${t} ${a} null`;case"array":i=(0,$._)`Array.isArray(${t})`;break;case"object":i=(0,$._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":i=s((0,$._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":i=s();break;default:return(0,$._)`typeof ${t} ${a} ${e}`}return n===sn.Correct?i:(0,$.not)(i);function s(u=$.nil){return(0,$.and)((0,$._)`typeof ${t} == "number"`,u,r?(0,$._)`isFinite(${t})`:$.nil)}}o(Hc,"checkDataType");Ne.checkDataType=Hc;function Gc(e,t,r,n){if(e.length===1)return Hc(e[0],t,r,n);let a,i=(0,cm.toHash)(e);if(i.array&&i.object){let s=(0,$._)`typeof ${t} != "object"`;a=i.null?s:(0,$._)`!${t} || ${s}`,delete i.null,delete i.array,delete i.object}else a=$.nil;i.number&&delete i.integer;for(let s in i)a=(0,$.and)(a,Hc(s,t,r,n));return a}o(Gc,"checkDataTypes");Ne.checkDataTypes=Gc;var Sb={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,$._)`{type: ${e}}`:(0,$._)`{type: ${t}}`,"params")};function Bc(e){let t=wb(e);(0,mb.reportError)(t,Sb)}o(Bc,"reportTypeError");Ne.reportTypeError=Bc;function wb(e){let{gen:t,data:r,schema:n}=e,a=(0,cm.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(wb,"getTypeErrorContext")});var pm=T(Ha=>{"use strict";Object.defineProperty(Ha,"__esModule",{value:!0});Ha.assignDefaults=void 0;var cn=L(),vb=J();function Rb(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)lm(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,i)=>lm(e,i,a.default))}o(Rb,"assignDefaults");Ha.assignDefaults=Rb;function lm(e,t,r){let{gen:n,compositeRule:a,data:i,opts:s}=e;if(r===void 0)return;let u=(0,cn._)`${i}${(0,cn.getProperty)(t)}`;if(a){(0,vb.checkStrictMode)(e,`default is ignored for: ${u}`);return}let d=(0,cn._)`${u} === undefined`;s.useDefaults==="empty"&&(d=(0,cn._)`${d} || ${u} === null || ${u} === ""`),n.if(d,(0,cn._)`${u} = ${(0,cn.stringify)(r)}`)}o(lm,"assignDefault")});var ot=T(ee=>{"use strict";Object.defineProperty(ee,"__esModule",{value:!0});ee.validateUnion=ee.validateArray=ee.usePattern=ee.callValidateCode=ee.schemaProperties=ee.allSchemaProperties=ee.noPropertyInData=ee.propertyInData=ee.isOwnProperty=ee.hasPropFunc=ee.reportMissingProp=ee.checkMissingProp=ee.checkReportMissingProp=void 0;var ae=L(),Vc=J(),ir=$t(),bb=J();function Ib(e,t){let{gen:r,data:n,it:a}=e;r.if(Zc(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,ae._)`${t}`},!0),e.error()})}o(Ib,"checkReportMissingProp");ee.checkReportMissingProp=Ib;function Cb({gen:e,data:t,it:{opts:r}},n,a){return(0,ae.or)(...n.map(i=>(0,ae.and)(Zc(e,t,i,r.ownProperties),(0,ae._)`${a} = ${i}`)))}o(Cb,"checkMissingProp");ee.checkMissingProp=Cb;function Tb(e,t){e.setParams({missingProperty:t},!0),e.error()}o(Tb,"reportMissingProp");ee.reportMissingProp=Tb;function mm(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,ae._)`Object.prototype.hasOwnProperty`})}o(mm,"hasPropFunc");ee.hasPropFunc=mm;function Fc(e,t,r){return(0,ae._)`${mm(e)}.call(${t}, ${r})`}o(Fc,"isOwnProperty");ee.isOwnProperty=Fc;function Ab(e,t,r,n){let a=(0,ae._)`${t}${(0,ae.getProperty)(r)} !== undefined`;return n?(0,ae._)`${a} && ${Fc(e,t,r)}`:a}o(Ab,"propertyInData");ee.propertyInData=Ab;function Zc(e,t,r,n){let a=(0,ae._)`${t}${(0,ae.getProperty)(r)} === undefined`;return n?(0,ae.or)(a,(0,ae.not)(Fc(e,t,r))):a}o(Zc,"noPropertyInData");ee.noPropertyInData=Zc;function hm(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(hm,"allSchemaProperties");ee.allSchemaProperties=hm;function kb(e,t){return hm(t).filter(r=>!(0,Vc.alwaysValidSchema)(e,t[r]))}o(kb,"schemaProperties");ee.schemaProperties=kb;function Eb({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:i},it:s},u,d,l){let p=l?(0,ae._)`${e}, ${t}, ${n}${a}`:t,m=[[ir.default.instancePath,(0,ae.strConcat)(ir.default.instancePath,i)],[ir.default.parentData,s.parentData],[ir.default.parentDataProperty,s.parentDataProperty],[ir.default.rootData,ir.default.rootData]];s.opts.dynamicRef&&m.push([ir.default.dynamicAnchors,ir.default.dynamicAnchors]);let f=(0,ae._)`${p}, ${r.object(...m)}`;return d!==ae.nil?(0,ae._)`${u}.call(${d}, ${f})`:(0,ae._)`${u}(${f})`}o(Eb,"callValidateCode");ee.callValidateCode=Eb;var Pb=(0,ae._)`new RegExp`;function xb({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,i=a(r,n);return e.scopeValue("pattern",{key:i.toString(),ref:i,code:(0,ae._)`${a.code==="new RegExp"?Pb:(0,bb.useFunc)(e,a)}(${r}, ${n})`})}o(xb,"usePattern");ee.usePattern=xb;function Ob(e){let{gen:t,data:r,keyword:n,it:a}=e,i=t.name("valid");if(a.allErrors){let u=t.let("valid",!0);return s(()=>t.assign(u,!1)),u}return t.var(i,!0),s(()=>t.break()),i;function s(u){let d=t.const("len",(0,ae._)`${r}.length`);t.forRange("i",0,d,l=>{e.subschema({keyword:n,dataProp:l,dataPropType:Vc.Type.Num},i),t.if((0,ae.not)(i),u)})}o(s,"validateItems")}o(Ob,"validateArray");ee.validateArray=Ob;function Ub(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,Vc.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let s=t.let("valid",!1),u=t.name("_valid");t.block(()=>r.forEach((d,l)=>{let p=e.subschema({keyword:n,schemaProp:l,compositeRule:!0},u);t.assign(s,(0,ae._)`${s} || ${u}`),e.mergeValidEvaluated(p,u)||t.if((0,ae.not)(s))})),e.result(s,()=>e.reset(),()=>e.error(!0))}o(Ub,"validateUnion");ee.validateUnion=Ub});var _m=T(vt=>{"use strict";Object.defineProperty(vt,"__esModule",{value:!0});vt.validateKeywordUsage=vt.validSchemaType=vt.funcKeywordCode=vt.macroKeywordCode=void 0;var $e=L(),Ar=$t(),zb=ot(),Nb=mo();function Db(e,t){let{gen:r,keyword:n,schema:a,parentSchema:i,it:s}=e,u=t.macro.call(s.self,a,i,s),d=gm(r,n,u);s.opts.validateSchema!==!1&&s.self.validateSchema(u,!0);let l=r.name("valid");e.subschema({schema:u,schemaPath:$e.nil,errSchemaPath:`${s.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},l),e.pass(l,()=>e.error(!0))}o(Db,"macroKeywordCode");vt.macroKeywordCode=Db;function Mb(e,t){var r;let{gen:n,keyword:a,schema:i,parentSchema:s,$data:u,it:d}=e;$b(d,t);let l=!u&&t.compile?t.compile.call(d.self,i,s,d):t.validate,p=gm(n,a,l),m=n.let("valid");e.block$data(m,f),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function f(){if(t.errors===!1)y(),t.modifying&&fm(e),w(()=>e.error());else{let v=t.async?_():S();t.modifying&&fm(e),w(()=>qb(e,v))}}o(f,"validateKeyword");function _(){let v=n.let("ruleErrs",null);return n.try(()=>y((0,$e._)`await `),R=>n.assign(m,!1).if((0,$e._)`${R} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,$e._)`${R}.errors`),()=>n.throw(R))),v}o(_,"validateAsync");function S(){let v=(0,$e._)`${p}.errors`;return n.assign(v,null),y($e.nil),v}o(S,"validateSync");function y(v=t.async?(0,$e._)`await `:$e.nil){let R=d.opts.passContext?Ar.default.this:Ar.default.self,C=!("compile"in t&&!u||t.schema===!1);n.assign(m,(0,$e._)`${v}${(0,zb.callValidateCode)(e,p,R,C)}`,t.modifying)}o(y,"assignValid");function w(v){var R;n.if((0,$e.not)((R=t.valid)!==null&&R!==void 0?R:m),v)}o(w,"reportErrs")}o(Mb,"funcKeywordCode");vt.funcKeywordCode=Mb;function fm(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,$e._)`${n.parentData}[${n.parentDataProperty}]`))}o(fm,"modifyData");function qb(e,t){let{gen:r}=e;r.if((0,$e._)`Array.isArray(${t})`,()=>{r.assign(Ar.default.vErrors,(0,$e._)`${Ar.default.vErrors} === null ? ${t} : ${Ar.default.vErrors}.concat(${t})`).assign(Ar.default.errors,(0,$e._)`${Ar.default.vErrors}.length`),(0,Nb.extendErrors)(e)},()=>e.error())}o(qb,"addErrs");function $b({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o($b,"checkAsyncKeyword");function gm(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,$e.stringify)(r)})}o(gm,"useKeyword");function Lb(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(Lb,"validSchemaType");vt.validSchemaType=Lb;function jb({schema:e,opts:t,self:r,errSchemaPath:n},a,i){if(Array.isArray(a.keyword)?!a.keyword.includes(i):a.keyword!==i)throw new Error("ajv implementation error");let s=a.dependencies;if(s?.some(u=>!Object.prototype.hasOwnProperty.call(e,u)))throw new Error(`parent schema must have dependencies of ${i}: ${s.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[i])){let d=`keyword "${i}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(jb,"validateKeywordUsage");vt.validateKeywordUsage=jb});var Sm=T(sr=>{"use strict";Object.defineProperty(sr,"__esModule",{value:!0});sr.extendSubschemaMode=sr.extendSubschemaData=sr.getSubschema=void 0;var Rt=L(),ym=J();function Hb(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:i,topSchemaRef:s}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let u=e.schema[t];return r===void 0?{schema:u,schemaPath:(0,Rt._)`${e.schemaPath}${(0,Rt.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:u[r],schemaPath:(0,Rt._)`${e.schemaPath}${(0,Rt.getProperty)(t)}${(0,Rt.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,ym.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||i===void 0||s===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:s,errSchemaPath:i}}throw new Error('either "keyword" or "schema" must be passed')}o(Hb,"getSubschema");sr.getSubschema=Hb;function Gb(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:i,propertyName:s}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:u}=t;if(r!==void 0){let{errorPath:l,dataPathArr:p,opts:m}=t,f=u.let("data",(0,Rt._)`${t.data}${(0,Rt.getProperty)(r)}`,!0);d(f),e.errorPath=(0,Rt.str)`${l}${(0,ym.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,Rt._)`${r}`,e.dataPathArr=[...p,e.parentDataProperty]}if(a!==void 0){let l=a instanceof Rt.Name?a:u.let("data",a,!0);d(l),s!==void 0&&(e.propertyName=s)}i&&(e.dataTypes=i);function d(l){e.data=l,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,l]}o(d,"dataContextProps")}o(Gb,"extendSubschemaData");sr.extendSubschemaData=Gb;function Bb(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:i}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),i!==void 0&&(e.allErrors=i),e.jtdDiscriminator=t,e.jtdMetadata=r}o(Bb,"extendSubschemaMode");sr.extendSubschemaMode=Bb});var Kc=T((_1,wm)=>{"use strict";wm.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,i;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(i=Object.keys(t),n=i.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,i[a]))return!1;for(a=n;a--!==0;){var s=i[a];if(!e(t[s],r[s]))return!1}return!0}return t!==t&&r!==r},"equal")});var Rm=T((S1,vm)=>{"use strict";var cr=vm.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};Ga(t,n,a,e,"",e)};cr.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};cr.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};cr.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};cr.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function Ga(e,t,r,n,a,i,s,u,d,l){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,i,s,u,d,l);for(var p in n){var m=n[p];if(Array.isArray(m)){if(p in cr.arrayKeywords)for(var f=0;f<m.length;f++)Ga(e,t,r,m[f],a+"/"+p+"/"+f,i,a,p,n,f)}else if(p in cr.propsKeywords){if(m&&typeof m=="object")for(var _ in m)Ga(e,t,r,m[_],a+"/"+p+"/"+Vb(_),i,a,p,n,_)}else(p in cr.keywords||e.allKeys&&!(p in cr.skipKeywords))&&Ga(e,t,r,m,a+"/"+p,i,a,p,n)}r(n,a,i,s,u,d,l)}}o(Ga,"_traverse");function Vb(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Vb,"escapeJsonPtr")});var fo=T(Be=>{"use strict";Object.defineProperty(Be,"__esModule",{value:!0});Be.getSchemaRefs=Be.resolveUrl=Be.normalizeId=Be._getFullPath=Be.getFullPath=Be.inlineRef=void 0;var Fb=J(),Zb=Kc(),Kb=Rm(),Wb=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function Jb(e,t=!0){return typeof e=="boolean"?!0:t===!0?!Wc(e):t?bm(e)<=t:!1}o(Jb,"inlineRef");Be.inlineRef=Jb;var Yb=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function Wc(e){for(let t in e){if(Yb.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(Wc)||typeof r=="object"&&Wc(r))return!0}return!1}o(Wc,"hasRef");function bm(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!Wb.has(r)&&(typeof e[r]=="object"&&(0,Fb.eachItem)(e[r],n=>t+=bm(n)),t===1/0))return 1/0}return t}o(bm,"countKeys");function Im(e,t="",r){r!==!1&&(t=un(t));let n=e.parse(t);return Cm(e,n)}o(Im,"getFullPath");Be.getFullPath=Im;function Cm(e,t){return e.serialize(t).split("#")[0]+"#"}o(Cm,"_getFullPath");Be._getFullPath=Cm;var Xb=/#\/?$/;function un(e){return e?e.replace(Xb,""):""}o(un,"normalizeId");Be.normalizeId=un;function Qb(e,t,r){return r=un(r),e.resolve(t,r)}o(Qb,"resolveUrl");Be.resolveUrl=Qb;var eI=/^[a-z_][-a-z0-9._]*$/i;function tI(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=un(e[r]||t),i={"":a},s=Im(n,a,!1),u={},d=new Set;return Kb(e,{allKeys:!0},(m,f,_,S)=>{if(S===void 0)return;let y=s+f,w=i[S];typeof m[r]=="string"&&(w=v.call(this,m[r])),R.call(this,m.$anchor),R.call(this,m.$dynamicAnchor),i[f]=w;function v(C){let N=this.opts.uriResolver.resolve;if(C=un(w?N(w,C):C),d.has(C))throw p(C);d.add(C);let M=this.refs[C];return typeof M=="string"&&(M=this.refs[M]),typeof M=="object"?l(m,M.schema,C):C!==un(y)&&(C[0]==="#"?(l(m,u[C],C),u[C]=m):this.refs[C]=y),C}o(v,"addRef");function R(C){if(typeof C=="string"){if(!eI.test(C))throw new Error(`invalid anchor "${C}"`);v.call(this,`#${C}`)}}o(R,"addAnchor")}),u;function l(m,f,_){if(f!==void 0&&!Zb(m,f))throw p(_)}o(l,"checkAmbiguosRef");function p(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(p,"ambiguos")}o(tI,"getSchemaRefs");Be.getSchemaRefs=tI});var yo=T(ur=>{"use strict";Object.defineProperty(ur,"__esModule",{value:!0});ur.getData=ur.KeywordCxt=ur.validateFunctionCode=void 0;var Pm=am(),Tm=ho(),Yc=jc(),Ba=ho(),rI=pm(),_o=_m(),Jc=Sm(),P=L(),D=$t(),nI=fo(),Lt=J(),go=mo();function oI(e){if(Um(e)&&(zm(e),Om(e))){sI(e);return}xm(e,()=>(0,Pm.topBoolOrEmptySchema)(e))}o(oI,"validateFunctionCode");ur.validateFunctionCode=oI;function xm({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},i){a.code.es5?e.func(t,(0,P._)`${D.default.data}, ${D.default.valCxt}`,n.$async,()=>{e.code((0,P._)`"use strict"; ${Am(r,a)}`),iI(e,a),e.code(i)}):e.func(t,(0,P._)`${D.default.data}, ${aI(a)}`,n.$async,()=>e.code(Am(r,a)).code(i))}o(xm,"validateFunction");function aI(e){return(0,P._)`{${D.default.instancePath}="", ${D.default.parentData}, ${D.default.parentDataProperty}, ${D.default.rootData}=${D.default.data}${e.dynamicRef?(0,P._)`, ${D.default.dynamicAnchors}={}`:P.nil}}={}`}o(aI,"destructureValCxt");function iI(e,t){e.if(D.default.valCxt,()=>{e.var(D.default.instancePath,(0,P._)`${D.default.valCxt}.${D.default.instancePath}`),e.var(D.default.parentData,(0,P._)`${D.default.valCxt}.${D.default.parentData}`),e.var(D.default.parentDataProperty,(0,P._)`${D.default.valCxt}.${D.default.parentDataProperty}`),e.var(D.default.rootData,(0,P._)`${D.default.valCxt}.${D.default.rootData}`),t.dynamicRef&&e.var(D.default.dynamicAnchors,(0,P._)`${D.default.valCxt}.${D.default.dynamicAnchors}`)},()=>{e.var(D.default.instancePath,(0,P._)`""`),e.var(D.default.parentData,(0,P._)`undefined`),e.var(D.default.parentDataProperty,(0,P._)`undefined`),e.var(D.default.rootData,D.default.data),t.dynamicRef&&e.var(D.default.dynamicAnchors,(0,P._)`{}`)})}o(iI,"destructureValCxtES5");function sI(e){let{schema:t,opts:r,gen:n}=e;xm(e,()=>{r.$comment&&t.$comment&&Dm(e),pI(e),n.let(D.default.vErrors,null),n.let(D.default.errors,0),r.unevaluated&&cI(e),Nm(e),fI(e)})}o(sI,"topSchemaObjCode");function cI(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,P._)`${r}.evaluated`),t.if((0,P._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,P._)`${e.evaluated}.props`,(0,P._)`undefined`)),t.if((0,P._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,P._)`${e.evaluated}.items`,(0,P._)`undefined`))}o(cI,"resetEvaluated");function Am(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,P._)`/*# sourceURL=${r} */`:P.nil}o(Am,"funcSourceUrl");function uI(e,t){if(Um(e)&&(zm(e),Om(e))){dI(e,t);return}(0,Pm.boolOrEmptySchema)(e,t)}o(uI,"subschemaCode");function Om({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(Om,"schemaCxtHasRules");function Um(e){return typeof e.schema!="boolean"}o(Um,"isSchemaObj");function dI(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&Dm(e),mI(e),hI(e);let i=n.const("_errs",D.default.errors);Nm(e,i),n.var(t,(0,P._)`${i} === ${D.default.errors}`)}o(dI,"subSchemaObjCode");function zm(e){(0,Lt.checkUnknownRules)(e),lI(e)}o(zm,"checkKeywords");function Nm(e,t){if(e.opts.jtd)return km(e,[],!1,t);let r=(0,Tm.getSchemaTypes)(e.schema),n=(0,Tm.coerceAndCheckDataType)(e,r);km(e,r,!n,t)}o(Nm,"typeAndKeywords");function lI(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Lt.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(lI,"checkRefsAndKeywords");function pI(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Lt.checkStrictMode)(e,"default is ignored in the schema root")}o(pI,"checkNoDefault");function mI(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,nI.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(mI,"updateContext");function hI(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(hI,"checkAsyncSchema");function Dm({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let i=r.$comment;if(a.$comment===!0)e.code((0,P._)`${D.default.self}.logger.log(${i})`);else if(typeof a.$comment=="function"){let s=(0,P.str)`${n}/$comment`,u=e.scopeValue("root",{ref:t.root});e.code((0,P._)`${D.default.self}.opts.$comment(${i}, ${s}, ${u}.schema)`)}}o(Dm,"commentKeyword");function fI(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:i}=e;r.$async?t.if((0,P._)`${D.default.errors} === 0`,()=>t.return(D.default.data),()=>t.throw((0,P._)`new ${a}(${D.default.vErrors})`)):(t.assign((0,P._)`${n}.errors`,D.default.vErrors),i.unevaluated&&gI(e),t.return((0,P._)`${D.default.errors} === 0`))}o(fI,"returnResults");function gI({gen:e,evaluated:t,props:r,items:n}){r instanceof P.Name&&e.assign((0,P._)`${t}.props`,r),n instanceof P.Name&&e.assign((0,P._)`${t}.items`,n)}o(gI,"assignEvaluated");function km(e,t,r,n){let{gen:a,schema:i,data:s,allErrors:u,opts:d,self:l}=e,{RULES:p}=l;if(i.$ref&&(d.ignoreKeywordsWithRef||!(0,Lt.schemaHasRulesButRef)(i,p))){a.block(()=>qm(e,"$ref",p.all.$ref.definition));return}d.jtd||_I(e,t),a.block(()=>{for(let f of p.rules)m(f);m(p.post)});function m(f){(0,Yc.shouldUseGroup)(i,f)&&(f.type?(a.if((0,Ba.checkDataType)(f.type,s,d.strictNumbers)),Em(e,f),t.length===1&&t[0]===f.type&&r&&(a.else(),(0,Ba.reportTypeError)(e)),a.endIf()):Em(e,f),u||a.if((0,P._)`${D.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(km,"schemaKeywords");function Em(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,rI.assignDefaults)(e,t.type),r.block(()=>{for(let i of t.rules)(0,Yc.shouldUseRule)(n,i)&&qm(e,i.keyword,i.definition,t.type)})}o(Em,"iterateKeywords");function _I(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(yI(e,t),e.opts.allowUnionTypes||SI(e,t),wI(e,e.dataTypes))}o(_I,"checkStrictTypes");function yI(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{Mm(e.dataTypes,r)||Xc(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),RI(e,t)}}o(yI,"checkContextTypes");function SI(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&Xc(e,"use allowUnionTypes to allow union type keyword")}o(SI,"checkMultipleTypes");function wI(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,Yc.shouldUseRule)(e.schema,a)){let{type:i}=a.definition;i.length&&!i.some(s=>vI(t,s))&&Xc(e,`missing type "${i.join(",")}" for keyword "${n}"`)}}}o(wI,"checkKeywordTypes");function vI(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(vI,"hasApplicableType");function Mm(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(Mm,"includesType");function RI(e,t){let r=[];for(let n of e.dataTypes)Mm(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(RI,"narrowSchemaTypes");function Xc(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Lt.checkStrictMode)(e,t,e.opts.strictTypes)}o(Xc,"strictTypesError");var Va=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,_o.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Lt.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",$m(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,_o.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",D.default.errors))}result(t,r,n){this.failResult((0,P.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,P.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,P._)`${r} !== undefined && (${(0,P.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?go.reportExtraError:go.reportError)(this,this.def.error,r)}$dataError(){(0,go.reportError)(this,this.def.$dataError||go.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,go.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=P.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=P.nil,r=P.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:i,def:s}=this;n.if((0,P.or)((0,P._)`${a} === undefined`,r)),t!==P.nil&&n.assign(t,!0),(i.length||s.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==P.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:i}=this;return(0,P.or)(s(),u());function s(){if(n.length){if(!(r instanceof P.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,P._)`${(0,Ba.checkDataTypes)(d,r,i.opts.strictNumbers,Ba.DataType.Wrong)}`}return P.nil}function u(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,P._)`!${d}(${r})`}return P.nil}}subschema(t,r){let n=(0,Jc.getSubschema)(this.it,t);(0,Jc.extendSubschemaData)(n,this.it,t),(0,Jc.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return uI(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Lt.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Lt.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,P.Name)),!0}};ur.KeywordCxt=Va;function qm(e,t,r,n){let a=new Va(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,_o.funcKeywordCode)(a,r):"macro"in r?(0,_o.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,_o.funcKeywordCode)(a,r)}o(qm,"keywordCode");var bI=/^\/(?:[^~]|~0|~1)*$/,II=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function $m(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,i;if(e==="")return D.default.rootData;if(e[0]==="/"){if(!bI.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,i=D.default.rootData}else{let l=II.exec(e);if(!l)throw new Error(`Invalid JSON-pointer: ${e}`);let p=+l[1];if(a=l[2],a==="#"){if(p>=t)throw new Error(d("property/index",p));return n[t-p]}if(p>t)throw new Error(d("data",p));if(i=r[t-p],!a)return i}let s=i,u=a.split("/");for(let l of u)l&&(i=(0,P._)`${i}${(0,P.getProperty)((0,Lt.unescapeJsonPointer)(l))}`,s=(0,P._)`${s} && ${i}`);return s;function d(l,p){return`Cannot access ${l} ${p} levels up, current level is ${t}`}}o($m,"getData");ur.getData=$m});var Fa=T(eu=>{"use strict";Object.defineProperty(eu,"__esModule",{value:!0});var Qc=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};eu.default=Qc});var So=T(nu=>{"use strict";Object.defineProperty(nu,"__esModule",{value:!0});var tu=fo(),ru=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,tu.resolveUrl)(t,r,n),this.missingSchema=(0,tu.normalizeId)((0,tu.getFullPath)(t,this.missingRef))}};nu.default=ru});var Ka=T(at=>{"use strict";Object.defineProperty(at,"__esModule",{value:!0});at.resolveSchema=at.getCompilingSchema=at.resolveRef=at.compileSchema=at.SchemaEnv=void 0;var pt=L(),CI=Fa(),kr=$t(),mt=fo(),Lm=J(),TI=yo(),dn=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,mt.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};at.SchemaEnv=dn;function au(e){let t=jm.call(this,e);if(t)return t;let r=(0,mt.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:i}=this.opts,s=new pt.CodeGen(this.scope,{es5:n,lines:a,ownProperties:i}),u;e.$async&&(u=s.scopeValue("Error",{ref:CI.default,code:(0,pt._)`require("ajv/dist/runtime/validation_error").default`}));let d=s.scopeName("validate");e.validateName=d;let l={gen:s,allErrors:this.opts.allErrors,data:kr.default.data,parentData:kr.default.parentData,parentDataProperty:kr.default.parentDataProperty,dataNames:[kr.default.data],dataPathArr:[pt.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:s.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,pt.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:u,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:pt.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,pt._)`""`,opts:this.opts,self:this},p;try{this._compilations.add(e),(0,TI.validateFunctionCode)(l),s.optimize(this.opts.code.optimize);let m=s.toString();p=`${s.scopeRefs(kr.default.scope)}return ${m}`,this.opts.code.process&&(p=this.opts.code.process(p,e));let _=new Function(`${kr.default.self}`,`${kr.default.scope}`,p)(this,this.scope.get());if(this.scope.value(d,{ref:_}),_.errors=null,_.schema=e.schema,_.schemaEnv=e,e.$async&&(_.$async=!0),this.opts.code.source===!0&&(_.source={validateName:d,validateCode:m,scopeValues:s._values}),this.opts.unevaluated){let{props:S,items:y}=l;_.evaluated={props:S instanceof pt.Name?void 0:S,items:y instanceof pt.Name?void 0:y,dynamicProps:S instanceof pt.Name,dynamicItems:y instanceof pt.Name},_.source&&(_.source.evaluated=(0,pt.stringify)(_.evaluated))}return e.validate=_,e}catch(m){throw delete e.validate,delete e.validateName,p&&this.logger.error("Error compiling schema, function code:",p),m}finally{this._compilations.delete(e)}}o(au,"compileSchema");at.compileSchema=au;function AI(e,t,r){var n;r=(0,mt.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let i=PI.call(this,e,r);if(i===void 0){let s=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:u}=this.opts;s&&(i=new dn({schema:s,schemaId:u,root:e,baseId:t}))}if(i!==void 0)return e.refs[r]=kI.call(this,i)}o(AI,"resolveRef");at.resolveRef=AI;function kI(e){return(0,mt.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:au.call(this,e)}o(kI,"inlineOrCompile");function jm(e){for(let t of this._compilations)if(EI(t,e))return t}o(jm,"getCompilingSchema");at.getCompilingSchema=jm;function EI(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(EI,"sameSchemaEnv");function PI(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||Za.call(this,e,t)}o(PI,"resolve");function Za(e,t){let r=this.opts.uriResolver.parse(t),n=(0,mt._getFullPath)(this.opts.uriResolver,r),a=(0,mt.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return ou.call(this,r,e);let i=(0,mt.normalizeId)(n),s=this.refs[i]||this.schemas[i];if(typeof s=="string"){let u=Za.call(this,e,s);return typeof u?.schema!="object"?void 0:ou.call(this,r,u)}if(typeof s?.schema=="object"){if(s.validate||au.call(this,s),i===(0,mt.normalizeId)(t)){let{schema:u}=s,{schemaId:d}=this.opts,l=u[d];return l&&(a=(0,mt.resolveUrl)(this.opts.uriResolver,a,l)),new dn({schema:u,schemaId:d,root:e,baseId:a})}return ou.call(this,r,s)}}o(Za,"resolveSchema");at.resolveSchema=Za;var xI=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function ou(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let u of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,Lm.unescapeFragment)(u)];if(d===void 0)return;r=d;let l=typeof r=="object"&&r[this.opts.schemaId];!xI.has(u)&&l&&(t=(0,mt.resolveUrl)(this.opts.uriResolver,t,l))}let i;if(typeof r!="boolean"&&r.$ref&&!(0,Lm.schemaHasRulesButRef)(r,this.RULES)){let u=(0,mt.resolveUrl)(this.opts.uriResolver,t,r.$ref);i=Za.call(this,n,u)}let{schemaId:s}=this.opts;if(i=i||new dn({schema:r,schemaId:s,root:n,baseId:t}),i.schema!==i.root.schema)return i}o(ou,"getJsonPointer")});var Hm=T((x1,OI)=>{OI.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var su=T((O1,Fm)=>{"use strict";var UI=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),Bm=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function iu(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(iu,"stringArrayToHexStripped");var zI=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function Gm(e){return e.length=0,!0}o(Gm,"consumeIsZone");function NI(e,t,r){if(e.length){let n=iu(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(NI,"consumeHextets");function DI(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],i=!1,s=!1,u=NI;for(let d=0;d<e.length;d++){let l=e[d];if(!(l==="["||l==="]"))if(l===":"){if(i===!0&&(s=!0),!u(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(i=!0),n.push(":");continue}else if(l==="%"){if(!u(a,n,r))break;u=Gm}else{a.push(l);continue}}return a.length&&(u===Gm?r.zone=a.join(""):s?n.push(a.join("")):n.push(iu(a))),r.address=n.join(""),r}o(DI,"getIPV6");function Vm(e){if(MI(e,":")<2)return{host:e,isIPV6:!1};let t=DI(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(Vm,"normalizeIPv6");function MI(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(MI,"findToken");function qI(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o(qI,"removeDotSegments");function $I(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o($I,"normalizeComponentEncoding");function LI(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!Bm(r)){let n=Vm(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(LI,"recomposeAuthority");Fm.exports={nonSimpleDomain:zI,recomposeAuthority:LI,normalizeComponentEncoding:$I,removeDotSegments:qI,isIPv4:Bm,isUUID:UI,normalizeIPv6:Vm,stringArrayToHexStripped:iu}});var Ym=T((z1,Jm)=>{"use strict";var{isUUID:jI}=su(),HI=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,GI=["http","https","ws","wss","urn","urn:uuid"];function BI(e){return GI.indexOf(e)!==-1}o(BI,"isValidSchemeName");function cu(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(cu,"wsIsSecure");function Zm(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(Zm,"httpParse");function Km(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(Km,"httpSerialize");function VI(e){return e.secure=cu(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(VI,"wsParse");function FI(e){if((e.port===(cu(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(FI,"wsSerialize");function ZI(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(HI);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,i=uu(a);e.path=void 0,i&&(e=i.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(ZI,"urnParse");function KI(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,i=uu(a);i&&(e=i.serialize(e,t));let s=e,u=e.nss;return s.path=`${n||t.nid}:${u}`,t.skipEscape=!0,s}o(KI,"urnSerialize");function WI(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!jI(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(WI,"urnuuidParse");function JI(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(JI,"urnuuidSerialize");var Wm={scheme:"http",domainHost:!0,parse:Zm,serialize:Km},YI={scheme:"https",domainHost:Wm.domainHost,parse:Zm,serialize:Km},Wa={scheme:"ws",domainHost:!0,parse:VI,serialize:FI},XI={scheme:"wss",domainHost:Wa.domainHost,parse:Wa.parse,serialize:Wa.serialize},QI={scheme:"urn",parse:ZI,serialize:KI,skipNormalize:!0},eC={scheme:"urn:uuid",parse:WI,serialize:JI,skipNormalize:!0},Ja={http:Wm,https:YI,ws:Wa,wss:XI,urn:QI,"urn:uuid":eC};Object.setPrototypeOf(Ja,null);function uu(e){return e&&(Ja[e]||Ja[e.toLowerCase()])||void 0}o(uu,"getSchemeHandler");Jm.exports={wsIsSecure:cu,SCHEMES:Ja,isValidSchemeName:BI,getSchemeHandler:uu}});var eh=T((D1,Xa)=>{"use strict";var{normalizeIPv6:tC,removeDotSegments:wo,recomposeAuthority:rC,normalizeComponentEncoding:Ya,isIPv4:nC,nonSimpleDomain:oC}=su(),{SCHEMES:aC,getSchemeHandler:Xm}=Ym();function iC(e,t){return typeof e=="string"?e=bt(jt(e,t),t):typeof e=="object"&&(e=jt(bt(e,t),t)),e}o(iC,"normalize");function sC(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=Qm(jt(e,n),jt(t,n),n,!0);return n.skipEscape=!0,bt(a,n)}o(sC,"resolve");function Qm(e,t,r,n){let a={};return n||(e=jt(bt(e,r),r),t=jt(bt(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=wo(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=wo(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=wo(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=wo(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(Qm,"resolveComponent");function cC(e,t,r){return typeof e=="string"?(e=unescape(e),e=bt(Ya(jt(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=bt(Ya(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=bt(Ya(jt(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=bt(Ya(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(cC,"equal");function bt(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],i=Xm(n.scheme||r.scheme);i&&i.serialize&&i.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let s=rC(r);if(s!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(s),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let u=r.path;!n.absolutePath&&(!i||!i.absolutePath)&&(u=wo(u)),s===void 0&&u[0]==="/"&&u[1]==="/"&&(u="/%2F"+u.slice(2)),a.push(u)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(bt,"serialize");var uC=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function jt(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let i=e.match(uC);if(i){if(n.scheme=i[1],n.userinfo=i[3],n.host=i[4],n.port=parseInt(i[5],10),n.path=i[6]||"",n.query=i[7],n.fragment=i[8],isNaN(n.port)&&(n.port=i[5]),n.host)if(nC(n.host)===!1){let d=tC(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let s=Xm(r.scheme||n.scheme);if(!r.unicodeSupport&&(!s||!s.unicodeSupport)&&n.host&&(r.domainHost||s&&s.domainHost)&&a===!1&&oC(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(u){n.error=n.error||"Host's domain name can not be converted to ASCII: "+u}(!s||s&&!s.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),s&&s.parse&&s.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(jt,"parse");var du={SCHEMES:aC,normalize:iC,resolve:sC,resolveComponent:Qm,equal:cC,serialize:bt,parse:jt};Xa.exports=du;Xa.exports.default=du;Xa.exports.fastUri=du});var rh=T(lu=>{"use strict";Object.defineProperty(lu,"__esModule",{value:!0});var th=eh();th.code='require("ajv/dist/runtime/uri").default';lu.default=th});var dh=T(Te=>{"use strict";Object.defineProperty(Te,"__esModule",{value:!0});Te.CodeGen=Te.Name=Te.nil=Te.stringify=Te.str=Te._=Te.KeywordCxt=void 0;var dC=yo();Object.defineProperty(Te,"KeywordCxt",{enumerable:!0,get:o(function(){return dC.KeywordCxt},"get")});var ln=L();Object.defineProperty(Te,"_",{enumerable:!0,get:o(function(){return ln._},"get")});Object.defineProperty(Te,"str",{enumerable:!0,get:o(function(){return ln.str},"get")});Object.defineProperty(Te,"stringify",{enumerable:!0,get:o(function(){return ln.stringify},"get")});Object.defineProperty(Te,"nil",{enumerable:!0,get:o(function(){return ln.nil},"get")});Object.defineProperty(Te,"Name",{enumerable:!0,get:o(function(){return ln.Name},"get")});Object.defineProperty(Te,"CodeGen",{enumerable:!0,get:o(function(){return ln.CodeGen},"get")});var lC=Fa(),sh=So(),pC=Lc(),vo=Ka(),mC=L(),Ro=fo(),Qa=ho(),mu=J(),nh=Hm(),hC=rh(),ch=o((e,t)=>new RegExp(e,t),"defaultRegExp");ch.code="new RegExp";var fC=["removeAdditional","useDefaults","coerceTypes"],gC=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),_C={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},yC={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},oh=200;function SC(e){var t,r,n,a,i,s,u,d,l,p,m,f,_,S,y,w,v,R,C,N,M,Ye,Ot,Us,zs;let Bn=e.strict,Ns=(t=e.code)===null||t===void 0?void 0:t.optimize,mp=Ns===!0||Ns===void 0?1:Ns||0,hp=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:ch,Ww=(a=e.uriResolver)!==null&&a!==void 0?a:hC.default;return{strictSchema:(s=(i=e.strictSchema)!==null&&i!==void 0?i:Bn)!==null&&s!==void 0?s:!0,strictNumbers:(d=(u=e.strictNumbers)!==null&&u!==void 0?u:Bn)!==null&&d!==void 0?d:!0,strictTypes:(p=(l=e.strictTypes)!==null&&l!==void 0?l:Bn)!==null&&p!==void 0?p:"log",strictTuples:(f=(m=e.strictTuples)!==null&&m!==void 0?m:Bn)!==null&&f!==void 0?f:"log",strictRequired:(S=(_=e.strictRequired)!==null&&_!==void 0?_:Bn)!==null&&S!==void 0?S:!1,code:e.code?{...e.code,optimize:mp,regExp:hp}:{optimize:mp,regExp:hp},loopRequired:(y=e.loopRequired)!==null&&y!==void 0?y:oh,loopEnum:(w=e.loopEnum)!==null&&w!==void 0?w:oh,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(R=e.messages)!==null&&R!==void 0?R:!0,inlineRefs:(C=e.inlineRefs)!==null&&C!==void 0?C:!0,schemaId:(N=e.schemaId)!==null&&N!==void 0?N:"$id",addUsedSchema:(M=e.addUsedSchema)!==null&&M!==void 0?M:!0,validateSchema:(Ye=e.validateSchema)!==null&&Ye!==void 0?Ye:!0,validateFormats:(Ot=e.validateFormats)!==null&&Ot!==void 0?Ot:!0,unicodeRegExp:(Us=e.unicodeRegExp)!==null&&Us!==void 0?Us:!0,int32range:(zs=e.int32range)!==null&&zs!==void 0?zs:!0,uriResolver:Ww}}o(SC,"requiredOptions");var bo=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...SC(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new mC.ValueScope({scope:{},prefixes:gC,es5:r,lines:n}),this.logger=CC(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,pC.getRules)(),ah.call(this,_C,t,"NOT SUPPORTED"),ah.call(this,yC,t,"DEPRECATED","warn"),this._metaOpts=bC.call(this),t.formats&&vC.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&RC.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),wC.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=nh;n==="id"&&(a={...nh},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(p,m){await i.call(this,p.$schema);let f=this._addSchema(p,m);return f.validate||s.call(this,f)}async function i(p){p&&!this.getSchema(p)&&await a.call(this,{$ref:p},!0)}async function s(p){try{return this._compileSchemaEnv(p)}catch(m){if(!(m instanceof sh.default))throw m;return u.call(this,m),await d.call(this,m.missingSchema),s.call(this,p)}}function u({missingSchema:p,missingRef:m}){if(this.refs[p])throw new Error(`AnySchema ${p} is loaded but ${m} cannot be resolved`)}async function d(p){let m=await l.call(this,p);this.refs[p]||await i.call(this,m.$schema),this.refs[p]||this.addSchema(m,p,r)}async function l(p){let m=this._loading[p];if(m)return m;try{return await(this._loading[p]=n(p))}finally{delete this._loading[p]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let s of t)this.addSchema(s,void 0,n,a);return this}let i;if(typeof t=="object"){let{schemaId:s}=this.opts;if(i=t[s],i!==void 0&&typeof i!="string")throw new Error(`schema ${s} must be string`)}return r=(0,Ro.normalizeId)(r||i),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let i="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(i);else throw new Error(i)}return a}getSchema(t){let r;for(;typeof(r=ih.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new vo.SchemaEnv({schema:{},schemaId:n});if(r=vo.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=ih.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,Ro.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(AC.call(this,n,r),!r)return(0,mu.eachItem)(n,i=>pu.call(this,i)),this;EC.call(this,r);let a={...r,type:(0,Qa.getJSONTypes)(r.type),schemaType:(0,Qa.getJSONTypes)(r.schemaType)};return(0,mu.eachItem)(n,a.type.length===0?i=>pu.call(this,i,a):i=>a.type.forEach(s=>pu.call(this,i,a,s))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(i=>i.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,i)=>a+r+i)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let i=a.split("/").slice(1),s=t;for(let u of i)s=s[u];for(let u in n){let d=n[u];if(typeof d!="object")continue;let{$data:l}=d.definition,p=s[u];l&&p&&(s[u]=uh(p))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,i=this.opts.addUsedSchema){let s,{schemaId:u}=this.opts;if(typeof t=="object")s=t[u];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,Ro.normalizeId)(s||n);let l=Ro.getSchemaRefs.call(this,t,n);return d=new vo.SchemaEnv({schema:t,schemaId:u,meta:r,baseId:n,localRefs:l}),this._cache.set(d.schema,d),i&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):vo.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{vo.compileSchema.call(this,t)}finally{this.opts=r}}};bo.ValidationError=lC.default;bo.MissingRefError=sh.default;Te.default=bo;function ah(e,t,r,n="error"){for(let a in e){let i=a;i in t&&this.logger[n](`${r}: option ${a}. ${e[i]}`)}}o(ah,"checkOptions");function ih(e){return e=(0,Ro.normalizeId)(e),this.schemas[e]||this.refs[e]}o(ih,"getSchEnv");function wC(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(wC,"addInitialSchemas");function vC(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(vC,"addInitialFormats");function RC(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(RC,"addInitialKeywords");function bC(){let e={...this.opts};for(let t of fC)delete e[t];return e}o(bC,"getMetaSchemaOptions");var IC={log(){},warn(){},error(){}};function CC(e){if(e===!1)return IC;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(CC,"getLogger");var TC=/^[a-z_$][a-z0-9_$:-]*$/i;function AC(e,t){let{RULES:r}=this;if((0,mu.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!TC.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(AC,"checkKeyword");function pu(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:i}=this,s=a?i.post:i.rules.find(({type:d})=>d===r);if(s||(s={type:r,rules:[]},i.rules.push(s)),i.keywords[e]=!0,!t)return;let u={keyword:e,definition:{...t,type:(0,Qa.getJSONTypes)(t.type),schemaType:(0,Qa.getJSONTypes)(t.schemaType)}};t.before?kC.call(this,s,u,t.before):s.rules.push(u),i.all[e]=u,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(pu,"addRule");function kC(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(kC,"addBeforeRule");function EC(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=uh(t)),e.validateSchema=this.compile(t,!0))}o(EC,"keywordMetaschema");var PC={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function uh(e){return{anyOf:[e,PC]}}o(uh,"schemaOrData")});var lh=T(hu=>{"use strict";Object.defineProperty(hu,"__esModule",{value:!0});var xC={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};hu.default=xC});var fh=T(Er=>{"use strict";Object.defineProperty(Er,"__esModule",{value:!0});Er.callRef=Er.getValidate=void 0;var OC=So(),ph=ot(),Ve=L(),pn=$t(),mh=Ka(),ei=J(),UC={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:i,validateName:s,opts:u,self:d}=n,{root:l}=i;if((r==="#"||r==="#/")&&a===l.baseId)return m();let p=mh.resolveRef.call(d,l,a,r);if(p===void 0)throw new OC.default(n.opts.uriResolver,a,r);if(p instanceof mh.SchemaEnv)return f(p);return _(p);function m(){if(i===l)return ti(e,s,i,i.$async);let S=t.scopeValue("root",{ref:l});return ti(e,(0,Ve._)`${S}.validate`,l,l.$async)}function f(S){let y=hh(e,S);ti(e,y,S,S.$async)}function _(S){let y=t.scopeValue("schema",u.code.source===!0?{ref:S,code:(0,Ve.stringify)(S)}:{ref:S}),w=t.name("valid"),v=e.subschema({schema:S,dataTypes:[],schemaPath:Ve.nil,topSchemaRef:y,errSchemaPath:r},w);e.mergeEvaluated(v),e.ok(w)}}};function hh(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,Ve._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(hh,"getValidate");Er.getValidate=hh;function ti(e,t,r,n){let{gen:a,it:i}=e,{allErrors:s,schemaEnv:u,opts:d}=i,l=d.passContext?pn.default.this:Ve.nil;n?p():m();function p(){if(!u.$async)throw new Error("async schema referenced by sync schema");let S=a.let("valid");a.try(()=>{a.code((0,Ve._)`await ${(0,ph.callValidateCode)(e,t,l)}`),_(t),s||a.assign(S,!0)},y=>{a.if((0,Ve._)`!(${y} instanceof ${i.ValidationError})`,()=>a.throw(y)),f(y),s||a.assign(S,!1)}),e.ok(S)}o(p,"callAsyncRef");function m(){e.result((0,ph.callValidateCode)(e,t,l),()=>_(t),()=>f(t))}o(m,"callSyncRef");function f(S){let y=(0,Ve._)`${S}.errors`;a.assign(pn.default.vErrors,(0,Ve._)`${pn.default.vErrors} === null ? ${y} : ${pn.default.vErrors}.concat(${y})`),a.assign(pn.default.errors,(0,Ve._)`${pn.default.vErrors}.length`)}o(f,"addErrorsFrom");function _(S){var y;if(!i.opts.unevaluated)return;let w=(y=r?.validate)===null||y===void 0?void 0:y.evaluated;if(i.props!==!0)if(w&&!w.dynamicProps)w.props!==void 0&&(i.props=ei.mergeEvaluated.props(a,w.props,i.props));else{let v=a.var("props",(0,Ve._)`${S}.evaluated.props`);i.props=ei.mergeEvaluated.props(a,v,i.props,Ve.Name)}if(i.items!==!0)if(w&&!w.dynamicItems)w.items!==void 0&&(i.items=ei.mergeEvaluated.items(a,w.items,i.items));else{let v=a.var("items",(0,Ve._)`${S}.evaluated.items`);i.items=ei.mergeEvaluated.items(a,v,i.items,Ve.Name)}}o(_,"addEvaluatedFrom")}o(ti,"callRef");Er.callRef=ti;Er.default=UC});var gh=T(fu=>{"use strict";Object.defineProperty(fu,"__esModule",{value:!0});var zC=lh(),NC=fh(),DC=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",zC.default,NC.default];fu.default=DC});var _h=T(gu=>{"use strict";Object.defineProperty(gu,"__esModule",{value:!0});var ri=L(),dr=ri.operators,ni={maximum:{okStr:"<=",ok:dr.LTE,fail:dr.GT},minimum:{okStr:">=",ok:dr.GTE,fail:dr.LT},exclusiveMaximum:{okStr:"<",ok:dr.LT,fail:dr.GTE},exclusiveMinimum:{okStr:">",ok:dr.GT,fail:dr.LTE}},MC={message:o(({keyword:e,schemaCode:t})=>(0,ri.str)`must be ${ni[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ri._)`{comparison: ${ni[e].okStr}, limit: ${t}}`,"params")},qC={keyword:Object.keys(ni),type:"number",schemaType:"number",$data:!0,error:MC,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,ri._)`${r} ${ni[t].fail} ${n} || isNaN(${r})`)}};gu.default=qC});var yh=T(_u=>{"use strict";Object.defineProperty(_u,"__esModule",{value:!0});var Io=L(),$C={message:o(({schemaCode:e})=>(0,Io.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,Io._)`{multipleOf: ${e}}`,"params")},LC={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:$C,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,i=a.opts.multipleOfPrecision,s=t.let("res"),u=i?(0,Io._)`Math.abs(Math.round(${s}) - ${s}) > 1e-${i}`:(0,Io._)`${s} !== parseInt(${s})`;e.fail$data((0,Io._)`(${n} === 0 || (${s} = ${r}/${n}, ${u}))`)}};_u.default=LC});var wh=T(yu=>{"use strict";Object.defineProperty(yu,"__esModule",{value:!0});function Sh(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(Sh,"ucs2length");yu.default=Sh;Sh.code='require("ajv/dist/runtime/ucs2length").default'});var vh=T(Su=>{"use strict";Object.defineProperty(Su,"__esModule",{value:!0});var Pr=L(),jC=J(),HC=wh(),GC={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,Pr.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,Pr._)`{limit: ${e}}`,"params")},BC={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:GC,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,i=t==="maxLength"?Pr.operators.GT:Pr.operators.LT,s=a.opts.unicode===!1?(0,Pr._)`${r}.length`:(0,Pr._)`${(0,jC.useFunc)(e.gen,HC.default)}(${r})`;e.fail$data((0,Pr._)`${s} ${i} ${n}`)}};Su.default=BC});var Rh=T(wu=>{"use strict";Object.defineProperty(wu,"__esModule",{value:!0});var VC=ot(),oi=L(),FC={message:o(({schemaCode:e})=>(0,oi.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,oi._)`{pattern: ${e}}`,"params")},ZC={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:FC,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:i}=e,s=i.opts.unicodeRegExp?"u":"",u=r?(0,oi._)`(new RegExp(${a}, ${s}))`:(0,VC.usePattern)(e,n);e.fail$data((0,oi._)`!${u}.test(${t})`)}};wu.default=ZC});var bh=T(vu=>{"use strict";Object.defineProperty(vu,"__esModule",{value:!0});var Co=L(),KC={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,Co.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,Co._)`{limit: ${e}}`,"params")},WC={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:KC,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?Co.operators.GT:Co.operators.LT;e.fail$data((0,Co._)`Object.keys(${r}).length ${a} ${n}`)}};vu.default=WC});var Ih=T(Ru=>{"use strict";Object.defineProperty(Ru,"__esModule",{value:!0});var To=ot(),Ao=L(),JC=J(),YC={message:o(({params:{missingProperty:e}})=>(0,Ao.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,Ao._)`{missingProperty: ${e}}`,"params")},XC={keyword:"required",type:"object",schemaType:"array",$data:!0,error:YC,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:i,it:s}=e,{opts:u}=s;if(!i&&r.length===0)return;let d=r.length>=u.loopRequired;if(s.allErrors?l():p(),u.strictRequired){let _=e.parentSchema.properties,{definedProperties:S}=e.it;for(let y of r)if(_?.[y]===void 0&&!S.has(y)){let w=s.schemaEnv.baseId+s.errSchemaPath,v=`required property "${y}" is not defined at "${w}" (strictRequired)`;(0,JC.checkStrictMode)(s,v,s.opts.strictRequired)}}function l(){if(d||i)e.block$data(Ao.nil,m);else for(let _ of r)(0,To.checkReportMissingProp)(e,_)}o(l,"allErrorsMode");function p(){let _=t.let("missing");if(d||i){let S=t.let("valid",!0);e.block$data(S,()=>f(_,S)),e.ok(S)}else t.if((0,To.checkMissingProp)(e,r,_)),(0,To.reportMissingProp)(e,_),t.else()}o(p,"exitOnErrorMode");function m(){t.forOf("prop",n,_=>{e.setParams({missingProperty:_}),t.if((0,To.noPropertyInData)(t,a,_,u.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function f(_,S){e.setParams({missingProperty:_}),t.forOf(_,n,()=>{t.assign(S,(0,To.propertyInData)(t,a,_,u.ownProperties)),t.if((0,Ao.not)(S),()=>{e.error(),t.break()})},Ao.nil)}o(f,"loopUntilMissing")}};Ru.default=XC});var Ch=T(bu=>{"use strict";Object.defineProperty(bu,"__esModule",{value:!0});var ko=L(),QC={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,ko.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,ko._)`{limit: ${e}}`,"params")},eT={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:QC,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?ko.operators.GT:ko.operators.LT;e.fail$data((0,ko._)`${r}.length ${a} ${n}`)}};bu.default=eT});var ai=T(Iu=>{"use strict";Object.defineProperty(Iu,"__esModule",{value:!0});var Th=Kc();Th.code='require("ajv/dist/runtime/equal").default';Iu.default=Th});var Ah=T(Tu=>{"use strict";Object.defineProperty(Tu,"__esModule",{value:!0});var Cu=ho(),Ae=L(),tT=J(),rT=ai(),nT={message:o(({params:{i:e,j:t}})=>(0,Ae.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,Ae._)`{i: ${e}, j: ${t}}`,"params")},oT={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:nT,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:i,schemaCode:s,it:u}=e;if(!n&&!a)return;let d=t.let("valid"),l=i.items?(0,Cu.getSchemaTypes)(i.items):[];e.block$data(d,p,(0,Ae._)`${s} === false`),e.ok(d);function p(){let S=t.let("i",(0,Ae._)`${r}.length`),y=t.let("j");e.setParams({i:S,j:y}),t.assign(d,!0),t.if((0,Ae._)`${S} > 1`,()=>(m()?f:_)(S,y))}o(p,"validateUniqueItems");function m(){return l.length>0&&!l.some(S=>S==="object"||S==="array")}o(m,"canOptimize");function f(S,y){let w=t.name("item"),v=(0,Cu.checkDataTypes)(l,w,u.opts.strictNumbers,Cu.DataType.Wrong),R=t.const("indices",(0,Ae._)`{}`);t.for((0,Ae._)`;${S}--;`,()=>{t.let(w,(0,Ae._)`${r}[${S}]`),t.if(v,(0,Ae._)`continue`),l.length>1&&t.if((0,Ae._)`typeof ${w} == "string"`,(0,Ae._)`${w} += "_"`),t.if((0,Ae._)`typeof ${R}[${w}] == "number"`,()=>{t.assign(y,(0,Ae._)`${R}[${w}]`),e.error(),t.assign(d,!1).break()}).code((0,Ae._)`${R}[${w}] = ${S}`)})}o(f,"loopN");function _(S,y){let w=(0,tT.useFunc)(t,rT.default),v=t.name("outer");t.label(v).for((0,Ae._)`;${S}--;`,()=>t.for((0,Ae._)`${y} = ${S}; ${y}--;`,()=>t.if((0,Ae._)`${w}(${r}[${S}], ${r}[${y}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(_,"loopN2")}};Tu.default=oT});var kh=T(ku=>{"use strict";Object.defineProperty(ku,"__esModule",{value:!0});var Au=L(),aT=J(),iT=ai(),sT={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,Au._)`{allowedValue: ${e}}`,"params")},cT={keyword:"const",$data:!0,error:sT,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:i}=e;n||i&&typeof i=="object"?e.fail$data((0,Au._)`!${(0,aT.useFunc)(t,iT.default)}(${r}, ${a})`):e.fail((0,Au._)`${i} !== ${r}`)}};ku.default=cT});var Eh=T(Eu=>{"use strict";Object.defineProperty(Eu,"__esModule",{value:!0});var Eo=L(),uT=J(),dT=ai(),lT={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,Eo._)`{allowedValues: ${e}}`,"params")},pT={keyword:"enum",schemaType:"array",$data:!0,error:lT,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:i,it:s}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let u=a.length>=s.opts.loopEnum,d,l=o(()=>d??(d=(0,uT.useFunc)(t,dT.default)),"getEql"),p;if(u||n)p=t.let("valid"),e.block$data(p,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let _=t.const("vSchema",i);p=(0,Eo.or)(...a.map((S,y)=>f(_,y)))}e.pass(p);function m(){t.assign(p,!1),t.forOf("v",i,_=>t.if((0,Eo._)`${l()}(${r}, ${_})`,()=>t.assign(p,!0).break()))}o(m,"loopEnum");function f(_,S){let y=a[S];return typeof y=="object"&&y!==null?(0,Eo._)`${l()}(${r}, ${_}[${S}])`:(0,Eo._)`${r} === ${y}`}o(f,"equalCode")}};Eu.default=pT});var Ph=T(Pu=>{"use strict";Object.defineProperty(Pu,"__esModule",{value:!0});var mT=_h(),hT=yh(),fT=vh(),gT=Rh(),_T=bh(),yT=Ih(),ST=Ch(),wT=Ah(),vT=kh(),RT=Eh(),bT=[mT.default,hT.default,fT.default,gT.default,_T.default,yT.default,ST.default,wT.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},vT.default,RT.default];Pu.default=bT});var Ou=T(Po=>{"use strict";Object.defineProperty(Po,"__esModule",{value:!0});Po.validateAdditionalItems=void 0;var xr=L(),xu=J(),IT={message:o(({params:{len:e}})=>(0,xr.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,xr._)`{limit: ${e}}`,"params")},CT={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:IT,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,xu.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}xh(e,n)}};function xh(e,t){let{gen:r,schema:n,data:a,keyword:i,it:s}=e;s.items=!0;let u=r.const("len",(0,xr._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,xr._)`${u} <= ${t.length}`);else if(typeof n=="object"&&!(0,xu.alwaysValidSchema)(s,n)){let l=r.var("valid",(0,xr._)`${u} <= ${t.length}`);r.if((0,xr.not)(l),()=>d(l)),e.ok(l)}function d(l){r.forRange("i",t.length,u,p=>{e.subschema({keyword:i,dataProp:p,dataPropType:xu.Type.Num},l),s.allErrors||r.if((0,xr.not)(l),()=>r.break())})}o(d,"validateItems")}o(xh,"validateAdditionalItems");Po.validateAdditionalItems=xh;Po.default=CT});var Uu=T(xo=>{"use strict";Object.defineProperty(xo,"__esModule",{value:!0});xo.validateTuple=void 0;var Oh=L(),ii=J(),TT=ot(),AT={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return Uh(e,"additionalItems",t);r.items=!0,!(0,ii.alwaysValidSchema)(r,t)&&e.ok((0,TT.validateArray)(e))}};function Uh(e,t,r=e.schema){let{gen:n,parentSchema:a,data:i,keyword:s,it:u}=e;p(a),u.opts.unevaluated&&r.length&&u.items!==!0&&(u.items=ii.mergeEvaluated.items(n,r.length,u.items));let d=n.name("valid"),l=n.const("len",(0,Oh._)`${i}.length`);r.forEach((m,f)=>{(0,ii.alwaysValidSchema)(u,m)||(n.if((0,Oh._)`${l} > ${f}`,()=>e.subschema({keyword:s,schemaProp:f,dataProp:f},d)),e.ok(d))});function p(m){let{opts:f,errSchemaPath:_}=u,S=r.length,y=S===m.minItems&&(S===m.maxItems||m[t]===!1);if(f.strictTuples&&!y){let w=`"${s}" is ${S}-tuple, but minItems or maxItems/${t} are not specified or different at path "${_}"`;(0,ii.checkStrictMode)(u,w,f.strictTuples)}}o(p,"checkStrictTuple")}o(Uh,"validateTuple");xo.validateTuple=Uh;xo.default=AT});var zh=T(zu=>{"use strict";Object.defineProperty(zu,"__esModule",{value:!0});var kT=Uu(),ET={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,kT.validateTuple)(e,"items"),"code")};zu.default=ET});var Dh=T(Nu=>{"use strict";Object.defineProperty(Nu,"__esModule",{value:!0});var Nh=L(),PT=J(),xT=ot(),OT=Ou(),UT={message:o(({params:{len:e}})=>(0,Nh.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,Nh._)`{limit: ${e}}`,"params")},zT={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:UT,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,PT.alwaysValidSchema)(n,t)&&(a?(0,OT.validateAdditionalItems)(e,a):e.ok((0,xT.validateArray)(e)))}};Nu.default=zT});var Mh=T(Du=>{"use strict";Object.defineProperty(Du,"__esModule",{value:!0});var it=L(),si=J(),NT={message:o(({params:{min:e,max:t}})=>t===void 0?(0,it.str)`must contain at least ${e} valid item(s)`:(0,it.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,it._)`{minContains: ${e}}`:(0,it._)`{minContains: ${e}, maxContains: ${t}}`,"params")},DT={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:NT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e,s,u,{minContains:d,maxContains:l}=n;i.opts.next?(s=d===void 0?1:d,u=l):s=1;let p=t.const("len",(0,it._)`${a}.length`);if(e.setParams({min:s,max:u}),u===void 0&&s===0){(0,si.checkStrictMode)(i,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(u!==void 0&&s>u){(0,si.checkStrictMode)(i,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,si.alwaysValidSchema)(i,r)){let y=(0,it._)`${p} >= ${s}`;u!==void 0&&(y=(0,it._)`${y} && ${p} <= ${u}`),e.pass(y);return}i.items=!0;let m=t.name("valid");u===void 0&&s===1?_(m,()=>t.if(m,()=>t.break())):s===0?(t.let(m,!0),u!==void 0&&t.if((0,it._)`${a}.length > 0`,f)):(t.let(m,!1),f()),e.result(m,()=>e.reset());function f(){let y=t.name("_valid"),w=t.let("count",0);_(y,()=>t.if(y,()=>S(w)))}o(f,"validateItemsWithCount");function _(y,w){t.forRange("i",0,p,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:si.Type.Num,compositeRule:!0},y),w()})}o(_,"validateItems");function S(y){t.code((0,it._)`${y}++`),u===void 0?t.if((0,it._)`${y} >= ${s}`,()=>t.assign(m,!0).break()):(t.if((0,it._)`${y} > ${u}`,()=>t.assign(m,!1).break()),s===1?t.assign(m,!0):t.if((0,it._)`${y} >= ${s}`,()=>t.assign(m,!0)))}o(S,"checkLimits")}};Du.default=DT});var Lh=T(It=>{"use strict";Object.defineProperty(It,"__esModule",{value:!0});It.validateSchemaDeps=It.validatePropertyDeps=It.error=void 0;var Mu=L(),MT=J(),Oo=ot();It.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,Mu.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,Mu._)`{property: ${e},
+              || ${s} === "boolean" || ${a} === null`).assign(u,(0,$._)`[${a}]`)}}o(d,"coerceSpecificType")}o(yb,"coerceData");function Sb({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,$._)`${t} !== undefined`,()=>e.assign((0,$._)`${t}[${r}]`,n))}o(Sb,"assignParentData");function jc(e,t,r,n=sn.Correct){let a=n===sn.Correct?$.operators.EQ:$.operators.NEQ,i;switch(e){case"null":return(0,$._)`${t} ${a} null`;case"array":i=(0,$._)`Array.isArray(${t})`;break;case"object":i=(0,$._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":i=s((0,$._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":i=s();break;default:return(0,$._)`typeof ${t} ${a} ${e}`}return n===sn.Correct?i:(0,$.not)(i);function s(u=$.nil){return(0,$.and)((0,$._)`typeof ${t} == "number"`,u,r?(0,$._)`isFinite(${t})`:$.nil)}}o(jc,"checkDataType");Ne.checkDataType=jc;function Hc(e,t,r,n){if(e.length===1)return jc(e[0],t,r,n);let a,i=(0,cm.toHash)(e);if(i.array&&i.object){let s=(0,$._)`typeof ${t} != "object"`;a=i.null?s:(0,$._)`!${t} || ${s}`,delete i.null,delete i.array,delete i.object}else a=$.nil;i.number&&delete i.integer;for(let s in i)a=(0,$.and)(a,jc(s,t,r,n));return a}o(Hc,"checkDataTypes");Ne.checkDataTypes=Hc;var wb={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,$._)`{type: ${e}}`:(0,$._)`{type: ${t}}`,"params")};function Gc(e){let t=vb(e);(0,hb.reportError)(t,wb)}o(Gc,"reportTypeError");Ne.reportTypeError=Gc;function vb(e){let{gen:t,data:r,schema:n}=e,a=(0,cm.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(vb,"getTypeErrorContext")});var pm=T(ja=>{"use strict";Object.defineProperty(ja,"__esModule",{value:!0});ja.assignDefaults=void 0;var cn=L(),Rb=J();function bb(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)lm(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,i)=>lm(e,i,a.default))}o(bb,"assignDefaults");ja.assignDefaults=bb;function lm(e,t,r){let{gen:n,compositeRule:a,data:i,opts:s}=e;if(r===void 0)return;let u=(0,cn._)`${i}${(0,cn.getProperty)(t)}`;if(a){(0,Rb.checkStrictMode)(e,`default is ignored for: ${u}`);return}let d=(0,cn._)`${u} === undefined`;s.useDefaults==="empty"&&(d=(0,cn._)`${d} || ${u} === null || ${u} === ""`),n.if(d,(0,cn._)`${u} = ${(0,cn.stringify)(r)}`)}o(lm,"assignDefault")});var nt=T(Q=>{"use strict";Object.defineProperty(Q,"__esModule",{value:!0});Q.validateUnion=Q.validateArray=Q.usePattern=Q.callValidateCode=Q.schemaProperties=Q.allSchemaProperties=Q.noPropertyInData=Q.propertyInData=Q.isOwnProperty=Q.hasPropFunc=Q.reportMissingProp=Q.checkMissingProp=Q.checkReportMissingProp=void 0;var oe=L(),Bc=J(),ir=$t(),Cb=J();function Ib(e,t){let{gen:r,data:n,it:a}=e;r.if(Fc(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,oe._)`${t}`},!0),e.error()})}o(Ib,"checkReportMissingProp");Q.checkReportMissingProp=Ib;function Tb({gen:e,data:t,it:{opts:r}},n,a){return(0,oe.or)(...n.map(i=>(0,oe.and)(Fc(e,t,i,r.ownProperties),(0,oe._)`${a} = ${i}`)))}o(Tb,"checkMissingProp");Q.checkMissingProp=Tb;function Ab(e,t){e.setParams({missingProperty:t},!0),e.error()}o(Ab,"reportMissingProp");Q.reportMissingProp=Ab;function mm(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,oe._)`Object.prototype.hasOwnProperty`})}o(mm,"hasPropFunc");Q.hasPropFunc=mm;function Vc(e,t,r){return(0,oe._)`${mm(e)}.call(${t}, ${r})`}o(Vc,"isOwnProperty");Q.isOwnProperty=Vc;function kb(e,t,r,n){let a=(0,oe._)`${t}${(0,oe.getProperty)(r)} !== undefined`;return n?(0,oe._)`${a} && ${Vc(e,t,r)}`:a}o(kb,"propertyInData");Q.propertyInData=kb;function Fc(e,t,r,n){let a=(0,oe._)`${t}${(0,oe.getProperty)(r)} === undefined`;return n?(0,oe.or)(a,(0,oe.not)(Vc(e,t,r))):a}o(Fc,"noPropertyInData");Q.noPropertyInData=Fc;function hm(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(hm,"allSchemaProperties");Q.allSchemaProperties=hm;function Pb(e,t){return hm(t).filter(r=>!(0,Bc.alwaysValidSchema)(e,t[r]))}o(Pb,"schemaProperties");Q.schemaProperties=Pb;function Eb({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:i},it:s},u,d,l){let p=l?(0,oe._)`${e}, ${t}, ${n}${a}`:t,m=[[ir.default.instancePath,(0,oe.strConcat)(ir.default.instancePath,i)],[ir.default.parentData,s.parentData],[ir.default.parentDataProperty,s.parentDataProperty],[ir.default.rootData,ir.default.rootData]];s.opts.dynamicRef&&m.push([ir.default.dynamicAnchors,ir.default.dynamicAnchors]);let f=(0,oe._)`${p}, ${r.object(...m)}`;return d!==oe.nil?(0,oe._)`${u}.call(${d}, ${f})`:(0,oe._)`${u}(${f})`}o(Eb,"callValidateCode");Q.callValidateCode=Eb;var xb=(0,oe._)`new RegExp`;function Ob({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,i=a(r,n);return e.scopeValue("pattern",{key:i.toString(),ref:i,code:(0,oe._)`${a.code==="new RegExp"?xb:(0,Cb.useFunc)(e,a)}(${r}, ${n})`})}o(Ob,"usePattern");Q.usePattern=Ob;function Ub(e){let{gen:t,data:r,keyword:n,it:a}=e,i=t.name("valid");if(a.allErrors){let u=t.let("valid",!0);return s(()=>t.assign(u,!1)),u}return t.var(i,!0),s(()=>t.break()),i;function s(u){let d=t.const("len",(0,oe._)`${r}.length`);t.forRange("i",0,d,l=>{e.subschema({keyword:n,dataProp:l,dataPropType:Bc.Type.Num},i),t.if((0,oe.not)(i),u)})}o(s,"validateItems")}o(Ub,"validateArray");Q.validateArray=Ub;function zb(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,Bc.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let s=t.let("valid",!1),u=t.name("_valid");t.block(()=>r.forEach((d,l)=>{let p=e.subschema({keyword:n,schemaProp:l,compositeRule:!0},u);t.assign(s,(0,oe._)`${s} || ${u}`),e.mergeValidEvaluated(p,u)||t.if((0,oe.not)(s))})),e.result(s,()=>e.reset(),()=>e.error(!0))}o(zb,"validateUnion");Q.validateUnion=zb});var _m=T(wt=>{"use strict";Object.defineProperty(wt,"__esModule",{value:!0});wt.validateKeywordUsage=wt.validSchemaType=wt.funcKeywordCode=wt.macroKeywordCode=void 0;var $e=L(),Ar=$t(),Nb=nt(),Db=po();function Mb(e,t){let{gen:r,keyword:n,schema:a,parentSchema:i,it:s}=e,u=t.macro.call(s.self,a,i,s),d=gm(r,n,u);s.opts.validateSchema!==!1&&s.self.validateSchema(u,!0);let l=r.name("valid");e.subschema({schema:u,schemaPath:$e.nil,errSchemaPath:`${s.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},l),e.pass(l,()=>e.error(!0))}o(Mb,"macroKeywordCode");wt.macroKeywordCode=Mb;function qb(e,t){var r;let{gen:n,keyword:a,schema:i,parentSchema:s,$data:u,it:d}=e;Lb(d,t);let l=!u&&t.compile?t.compile.call(d.self,i,s,d):t.validate,p=gm(n,a,l),m=n.let("valid");e.block$data(m,f),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function f(){if(t.errors===!1)y(),t.modifying&&fm(e),w(()=>e.error());else{let v=t.async?_():S();t.modifying&&fm(e),w(()=>$b(e,v))}}o(f,"validateKeyword");function _(){let v=n.let("ruleErrs",null);return n.try(()=>y((0,$e._)`await `),R=>n.assign(m,!1).if((0,$e._)`${R} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,$e._)`${R}.errors`),()=>n.throw(R))),v}o(_,"validateAsync");function S(){let v=(0,$e._)`${p}.errors`;return n.assign(v,null),y($e.nil),v}o(S,"validateSync");function y(v=t.async?(0,$e._)`await `:$e.nil){let R=d.opts.passContext?Ar.default.this:Ar.default.self,I=!("compile"in t&&!u||t.schema===!1);n.assign(m,(0,$e._)`${v}${(0,Nb.callValidateCode)(e,p,R,I)}`,t.modifying)}o(y,"assignValid");function w(v){var R;n.if((0,$e.not)((R=t.valid)!==null&&R!==void 0?R:m),v)}o(w,"reportErrs")}o(qb,"funcKeywordCode");wt.funcKeywordCode=qb;function fm(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,$e._)`${n.parentData}[${n.parentDataProperty}]`))}o(fm,"modifyData");function $b(e,t){let{gen:r}=e;r.if((0,$e._)`Array.isArray(${t})`,()=>{r.assign(Ar.default.vErrors,(0,$e._)`${Ar.default.vErrors} === null ? ${t} : ${Ar.default.vErrors}.concat(${t})`).assign(Ar.default.errors,(0,$e._)`${Ar.default.vErrors}.length`),(0,Db.extendErrors)(e)},()=>e.error())}o($b,"addErrs");function Lb({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(Lb,"checkAsyncKeyword");function gm(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,$e.stringify)(r)})}o(gm,"useKeyword");function jb(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(jb,"validSchemaType");wt.validSchemaType=jb;function Hb({schema:e,opts:t,self:r,errSchemaPath:n},a,i){if(Array.isArray(a.keyword)?!a.keyword.includes(i):a.keyword!==i)throw new Error("ajv implementation error");let s=a.dependencies;if(s?.some(u=>!Object.prototype.hasOwnProperty.call(e,u)))throw new Error(`parent schema must have dependencies of ${i}: ${s.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[i])){let d=`keyword "${i}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(Hb,"validateKeywordUsage");wt.validateKeywordUsage=Hb});var Sm=T(sr=>{"use strict";Object.defineProperty(sr,"__esModule",{value:!0});sr.extendSubschemaMode=sr.extendSubschemaData=sr.getSubschema=void 0;var vt=L(),ym=J();function Gb(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:i,topSchemaRef:s}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let u=e.schema[t];return r===void 0?{schema:u,schemaPath:(0,vt._)`${e.schemaPath}${(0,vt.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:u[r],schemaPath:(0,vt._)`${e.schemaPath}${(0,vt.getProperty)(t)}${(0,vt.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,ym.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||i===void 0||s===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:s,errSchemaPath:i}}throw new Error('either "keyword" or "schema" must be passed')}o(Gb,"getSubschema");sr.getSubschema=Gb;function Bb(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:i,propertyName:s}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:u}=t;if(r!==void 0){let{errorPath:l,dataPathArr:p,opts:m}=t,f=u.let("data",(0,vt._)`${t.data}${(0,vt.getProperty)(r)}`,!0);d(f),e.errorPath=(0,vt.str)`${l}${(0,ym.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,vt._)`${r}`,e.dataPathArr=[...p,e.parentDataProperty]}if(a!==void 0){let l=a instanceof vt.Name?a:u.let("data",a,!0);d(l),s!==void 0&&(e.propertyName=s)}i&&(e.dataTypes=i);function d(l){e.data=l,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,l]}o(d,"dataContextProps")}o(Bb,"extendSubschemaData");sr.extendSubschemaData=Bb;function Vb(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:i}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),i!==void 0&&(e.allErrors=i),e.jtdDiscriminator=t,e.jtdMetadata=r}o(Vb,"extendSubschemaMode");sr.extendSubschemaMode=Vb});var Zc=T((w1,wm)=>{"use strict";wm.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,i;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(i=Object.keys(t),n=i.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,i[a]))return!1;for(a=n;a--!==0;){var s=i[a];if(!e(t[s],r[s]))return!1}return!0}return t!==t&&r!==r},"equal")});var Rm=T((R1,vm)=>{"use strict";var cr=vm.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};Ha(t,n,a,e,"",e)};cr.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};cr.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};cr.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};cr.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function Ha(e,t,r,n,a,i,s,u,d,l){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,i,s,u,d,l);for(var p in n){var m=n[p];if(Array.isArray(m)){if(p in cr.arrayKeywords)for(var f=0;f<m.length;f++)Ha(e,t,r,m[f],a+"/"+p+"/"+f,i,a,p,n,f)}else if(p in cr.propsKeywords){if(m&&typeof m=="object")for(var _ in m)Ha(e,t,r,m[_],a+"/"+p+"/"+Fb(_),i,a,p,n,_)}else(p in cr.keywords||e.allKeys&&!(p in cr.skipKeywords))&&Ha(e,t,r,m,a+"/"+p,i,a,p,n)}r(n,a,i,s,u,d,l)}}o(Ha,"_traverse");function Fb(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Fb,"escapeJsonPtr")});var ho=T(Be=>{"use strict";Object.defineProperty(Be,"__esModule",{value:!0});Be.getSchemaRefs=Be.resolveUrl=Be.normalizeId=Be._getFullPath=Be.getFullPath=Be.inlineRef=void 0;var Zb=J(),Kb=Zc(),Wb=Rm(),Jb=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function Yb(e,t=!0){return typeof e=="boolean"?!0:t===!0?!Kc(e):t?bm(e)<=t:!1}o(Yb,"inlineRef");Be.inlineRef=Yb;var Xb=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function Kc(e){for(let t in e){if(Xb.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(Kc)||typeof r=="object"&&Kc(r))return!0}return!1}o(Kc,"hasRef");function bm(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!Jb.has(r)&&(typeof e[r]=="object"&&(0,Zb.eachItem)(e[r],n=>t+=bm(n)),t===1/0))return 1/0}return t}o(bm,"countKeys");function Cm(e,t="",r){r!==!1&&(t=un(t));let n=e.parse(t);return Im(e,n)}o(Cm,"getFullPath");Be.getFullPath=Cm;function Im(e,t){return e.serialize(t).split("#")[0]+"#"}o(Im,"_getFullPath");Be._getFullPath=Im;var Qb=/#\/?$/;function un(e){return e?e.replace(Qb,""):""}o(un,"normalizeId");Be.normalizeId=un;function eC(e,t,r){return r=un(r),e.resolve(t,r)}o(eC,"resolveUrl");Be.resolveUrl=eC;var tC=/^[a-z_][-a-z0-9._]*$/i;function rC(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=un(e[r]||t),i={"":a},s=Cm(n,a,!1),u={},d=new Set;return Wb(e,{allKeys:!0},(m,f,_,S)=>{if(S===void 0)return;let y=s+f,w=i[S];typeof m[r]=="string"&&(w=v.call(this,m[r])),R.call(this,m.$anchor),R.call(this,m.$dynamicAnchor),i[f]=w;function v(I){let N=this.opts.uriResolver.resolve;if(I=un(w?N(w,I):I),d.has(I))throw p(I);d.add(I);let M=this.refs[I];return typeof M=="string"&&(M=this.refs[M]),typeof M=="object"?l(m,M.schema,I):I!==un(y)&&(I[0]==="#"?(l(m,u[I],I),u[I]=m):this.refs[I]=y),I}o(v,"addRef");function R(I){if(typeof I=="string"){if(!tC.test(I))throw new Error(`invalid anchor "${I}"`);v.call(this,`#${I}`)}}o(R,"addAnchor")}),u;function l(m,f,_){if(f!==void 0&&!Kb(m,f))throw p(_)}o(l,"checkAmbiguosRef");function p(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(p,"ambiguos")}o(rC,"getSchemaRefs");Be.getSchemaRefs=rC});var _o=T(ur=>{"use strict";Object.defineProperty(ur,"__esModule",{value:!0});ur.getData=ur.KeywordCxt=ur.validateFunctionCode=void 0;var Em=am(),Tm=mo(),Jc=Lc(),Ga=mo(),nC=pm(),go=_m(),Wc=Sm(),E=L(),D=$t(),oC=ho(),Lt=J(),fo=po();function aC(e){if(Um(e)&&(zm(e),Om(e))){cC(e);return}xm(e,()=>(0,Em.topBoolOrEmptySchema)(e))}o(aC,"validateFunctionCode");ur.validateFunctionCode=aC;function xm({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},i){a.code.es5?e.func(t,(0,E._)`${D.default.data}, ${D.default.valCxt}`,n.$async,()=>{e.code((0,E._)`"use strict"; ${Am(r,a)}`),sC(e,a),e.code(i)}):e.func(t,(0,E._)`${D.default.data}, ${iC(a)}`,n.$async,()=>e.code(Am(r,a)).code(i))}o(xm,"validateFunction");function iC(e){return(0,E._)`{${D.default.instancePath}="", ${D.default.parentData}, ${D.default.parentDataProperty}, ${D.default.rootData}=${D.default.data}${e.dynamicRef?(0,E._)`, ${D.default.dynamicAnchors}={}`:E.nil}}={}`}o(iC,"destructureValCxt");function sC(e,t){e.if(D.default.valCxt,()=>{e.var(D.default.instancePath,(0,E._)`${D.default.valCxt}.${D.default.instancePath}`),e.var(D.default.parentData,(0,E._)`${D.default.valCxt}.${D.default.parentData}`),e.var(D.default.parentDataProperty,(0,E._)`${D.default.valCxt}.${D.default.parentDataProperty}`),e.var(D.default.rootData,(0,E._)`${D.default.valCxt}.${D.default.rootData}`),t.dynamicRef&&e.var(D.default.dynamicAnchors,(0,E._)`${D.default.valCxt}.${D.default.dynamicAnchors}`)},()=>{e.var(D.default.instancePath,(0,E._)`""`),e.var(D.default.parentData,(0,E._)`undefined`),e.var(D.default.parentDataProperty,(0,E._)`undefined`),e.var(D.default.rootData,D.default.data),t.dynamicRef&&e.var(D.default.dynamicAnchors,(0,E._)`{}`)})}o(sC,"destructureValCxtES5");function cC(e){let{schema:t,opts:r,gen:n}=e;xm(e,()=>{r.$comment&&t.$comment&&Dm(e),mC(e),n.let(D.default.vErrors,null),n.let(D.default.errors,0),r.unevaluated&&uC(e),Nm(e),gC(e)})}o(cC,"topSchemaObjCode");function uC(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,E._)`${r}.evaluated`),t.if((0,E._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,E._)`${e.evaluated}.props`,(0,E._)`undefined`)),t.if((0,E._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,E._)`${e.evaluated}.items`,(0,E._)`undefined`))}o(uC,"resetEvaluated");function Am(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,E._)`/*# sourceURL=${r} */`:E.nil}o(Am,"funcSourceUrl");function dC(e,t){if(Um(e)&&(zm(e),Om(e))){lC(e,t);return}(0,Em.boolOrEmptySchema)(e,t)}o(dC,"subschemaCode");function Om({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(Om,"schemaCxtHasRules");function Um(e){return typeof e.schema!="boolean"}o(Um,"isSchemaObj");function lC(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&Dm(e),hC(e),fC(e);let i=n.const("_errs",D.default.errors);Nm(e,i),n.var(t,(0,E._)`${i} === ${D.default.errors}`)}o(lC,"subSchemaObjCode");function zm(e){(0,Lt.checkUnknownRules)(e),pC(e)}o(zm,"checkKeywords");function Nm(e,t){if(e.opts.jtd)return km(e,[],!1,t);let r=(0,Tm.getSchemaTypes)(e.schema),n=(0,Tm.coerceAndCheckDataType)(e,r);km(e,r,!n,t)}o(Nm,"typeAndKeywords");function pC(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Lt.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(pC,"checkRefsAndKeywords");function mC(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Lt.checkStrictMode)(e,"default is ignored in the schema root")}o(mC,"checkNoDefault");function hC(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,oC.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(hC,"updateContext");function fC(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(fC,"checkAsyncSchema");function Dm({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let i=r.$comment;if(a.$comment===!0)e.code((0,E._)`${D.default.self}.logger.log(${i})`);else if(typeof a.$comment=="function"){let s=(0,E.str)`${n}/$comment`,u=e.scopeValue("root",{ref:t.root});e.code((0,E._)`${D.default.self}.opts.$comment(${i}, ${s}, ${u}.schema)`)}}o(Dm,"commentKeyword");function gC(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:i}=e;r.$async?t.if((0,E._)`${D.default.errors} === 0`,()=>t.return(D.default.data),()=>t.throw((0,E._)`new ${a}(${D.default.vErrors})`)):(t.assign((0,E._)`${n}.errors`,D.default.vErrors),i.unevaluated&&_C(e),t.return((0,E._)`${D.default.errors} === 0`))}o(gC,"returnResults");function _C({gen:e,evaluated:t,props:r,items:n}){r instanceof E.Name&&e.assign((0,E._)`${t}.props`,r),n instanceof E.Name&&e.assign((0,E._)`${t}.items`,n)}o(_C,"assignEvaluated");function km(e,t,r,n){let{gen:a,schema:i,data:s,allErrors:u,opts:d,self:l}=e,{RULES:p}=l;if(i.$ref&&(d.ignoreKeywordsWithRef||!(0,Lt.schemaHasRulesButRef)(i,p))){a.block(()=>qm(e,"$ref",p.all.$ref.definition));return}d.jtd||yC(e,t),a.block(()=>{for(let f of p.rules)m(f);m(p.post)});function m(f){(0,Jc.shouldUseGroup)(i,f)&&(f.type?(a.if((0,Ga.checkDataType)(f.type,s,d.strictNumbers)),Pm(e,f),t.length===1&&t[0]===f.type&&r&&(a.else(),(0,Ga.reportTypeError)(e)),a.endIf()):Pm(e,f),u||a.if((0,E._)`${D.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(km,"schemaKeywords");function Pm(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,nC.assignDefaults)(e,t.type),r.block(()=>{for(let i of t.rules)(0,Jc.shouldUseRule)(n,i)&&qm(e,i.keyword,i.definition,t.type)})}o(Pm,"iterateKeywords");function yC(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(SC(e,t),e.opts.allowUnionTypes||wC(e,t),vC(e,e.dataTypes))}o(yC,"checkStrictTypes");function SC(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{Mm(e.dataTypes,r)||Yc(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),bC(e,t)}}o(SC,"checkContextTypes");function wC(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&Yc(e,"use allowUnionTypes to allow union type keyword")}o(wC,"checkMultipleTypes");function vC(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,Jc.shouldUseRule)(e.schema,a)){let{type:i}=a.definition;i.length&&!i.some(s=>RC(t,s))&&Yc(e,`missing type "${i.join(",")}" for keyword "${n}"`)}}}o(vC,"checkKeywordTypes");function RC(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(RC,"hasApplicableType");function Mm(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(Mm,"includesType");function bC(e,t){let r=[];for(let n of e.dataTypes)Mm(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(bC,"narrowSchemaTypes");function Yc(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Lt.checkStrictMode)(e,t,e.opts.strictTypes)}o(Yc,"strictTypesError");var Ba=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,go.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Lt.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",$m(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,go.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",D.default.errors))}result(t,r,n){this.failResult((0,E.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,E.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,E._)`${r} !== undefined && (${(0,E.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?fo.reportExtraError:fo.reportError)(this,this.def.error,r)}$dataError(){(0,fo.reportError)(this,this.def.$dataError||fo.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,fo.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=E.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=E.nil,r=E.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:i,def:s}=this;n.if((0,E.or)((0,E._)`${a} === undefined`,r)),t!==E.nil&&n.assign(t,!0),(i.length||s.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==E.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:i}=this;return(0,E.or)(s(),u());function s(){if(n.length){if(!(r instanceof E.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,E._)`${(0,Ga.checkDataTypes)(d,r,i.opts.strictNumbers,Ga.DataType.Wrong)}`}return E.nil}function u(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,E._)`!${d}(${r})`}return E.nil}}subschema(t,r){let n=(0,Wc.getSubschema)(this.it,t);(0,Wc.extendSubschemaData)(n,this.it,t),(0,Wc.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return dC(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Lt.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Lt.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,E.Name)),!0}};ur.KeywordCxt=Ba;function qm(e,t,r,n){let a=new Ba(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,go.funcKeywordCode)(a,r):"macro"in r?(0,go.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,go.funcKeywordCode)(a,r)}o(qm,"keywordCode");var CC=/^\/(?:[^~]|~0|~1)*$/,IC=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function $m(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,i;if(e==="")return D.default.rootData;if(e[0]==="/"){if(!CC.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,i=D.default.rootData}else{let l=IC.exec(e);if(!l)throw new Error(`Invalid JSON-pointer: ${e}`);let p=+l[1];if(a=l[2],a==="#"){if(p>=t)throw new Error(d("property/index",p));return n[t-p]}if(p>t)throw new Error(d("data",p));if(i=r[t-p],!a)return i}let s=i,u=a.split("/");for(let l of u)l&&(i=(0,E._)`${i}${(0,E.getProperty)((0,Lt.unescapeJsonPointer)(l))}`,s=(0,E._)`${s} && ${i}`);return s;function d(l,p){return`Cannot access ${l} ${p} levels up, current level is ${t}`}}o($m,"getData");ur.getData=$m});var Va=T(Qc=>{"use strict";Object.defineProperty(Qc,"__esModule",{value:!0});var Xc=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};Qc.default=Xc});var yo=T(ru=>{"use strict";Object.defineProperty(ru,"__esModule",{value:!0});var eu=ho(),tu=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,eu.resolveUrl)(t,r,n),this.missingSchema=(0,eu.normalizeId)((0,eu.getFullPath)(t,this.missingRef))}};ru.default=tu});var Za=T(ot=>{"use strict";Object.defineProperty(ot,"__esModule",{value:!0});ot.resolveSchema=ot.getCompilingSchema=ot.resolveRef=ot.compileSchema=ot.SchemaEnv=void 0;var lt=L(),TC=Va(),kr=$t(),pt=ho(),Lm=J(),AC=_o(),dn=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,pt.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};ot.SchemaEnv=dn;function ou(e){let t=jm.call(this,e);if(t)return t;let r=(0,pt.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:i}=this.opts,s=new lt.CodeGen(this.scope,{es5:n,lines:a,ownProperties:i}),u;e.$async&&(u=s.scopeValue("Error",{ref:TC.default,code:(0,lt._)`require("ajv/dist/runtime/validation_error").default`}));let d=s.scopeName("validate");e.validateName=d;let l={gen:s,allErrors:this.opts.allErrors,data:kr.default.data,parentData:kr.default.parentData,parentDataProperty:kr.default.parentDataProperty,dataNames:[kr.default.data],dataPathArr:[lt.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:s.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,lt.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:u,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:lt.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,lt._)`""`,opts:this.opts,self:this},p;try{this._compilations.add(e),(0,AC.validateFunctionCode)(l),s.optimize(this.opts.code.optimize);let m=s.toString();p=`${s.scopeRefs(kr.default.scope)}return ${m}`,this.opts.code.process&&(p=this.opts.code.process(p,e));let _=new Function(`${kr.default.self}`,`${kr.default.scope}`,p)(this,this.scope.get());if(this.scope.value(d,{ref:_}),_.errors=null,_.schema=e.schema,_.schemaEnv=e,e.$async&&(_.$async=!0),this.opts.code.source===!0&&(_.source={validateName:d,validateCode:m,scopeValues:s._values}),this.opts.unevaluated){let{props:S,items:y}=l;_.evaluated={props:S instanceof lt.Name?void 0:S,items:y instanceof lt.Name?void 0:y,dynamicProps:S instanceof lt.Name,dynamicItems:y instanceof lt.Name},_.source&&(_.source.evaluated=(0,lt.stringify)(_.evaluated))}return e.validate=_,e}catch(m){throw delete e.validate,delete e.validateName,p&&this.logger.error("Error compiling schema, function code:",p),m}finally{this._compilations.delete(e)}}o(ou,"compileSchema");ot.compileSchema=ou;function kC(e,t,r){var n;r=(0,pt.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let i=xC.call(this,e,r);if(i===void 0){let s=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:u}=this.opts;s&&(i=new dn({schema:s,schemaId:u,root:e,baseId:t}))}if(i!==void 0)return e.refs[r]=PC.call(this,i)}o(kC,"resolveRef");ot.resolveRef=kC;function PC(e){return(0,pt.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:ou.call(this,e)}o(PC,"inlineOrCompile");function jm(e){for(let t of this._compilations)if(EC(t,e))return t}o(jm,"getCompilingSchema");ot.getCompilingSchema=jm;function EC(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(EC,"sameSchemaEnv");function xC(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||Fa.call(this,e,t)}o(xC,"resolve");function Fa(e,t){let r=this.opts.uriResolver.parse(t),n=(0,pt._getFullPath)(this.opts.uriResolver,r),a=(0,pt.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return nu.call(this,r,e);let i=(0,pt.normalizeId)(n),s=this.refs[i]||this.schemas[i];if(typeof s=="string"){let u=Fa.call(this,e,s);return typeof u?.schema!="object"?void 0:nu.call(this,r,u)}if(typeof s?.schema=="object"){if(s.validate||ou.call(this,s),i===(0,pt.normalizeId)(t)){let{schema:u}=s,{schemaId:d}=this.opts,l=u[d];return l&&(a=(0,pt.resolveUrl)(this.opts.uriResolver,a,l)),new dn({schema:u,schemaId:d,root:e,baseId:a})}return nu.call(this,r,s)}}o(Fa,"resolveSchema");ot.resolveSchema=Fa;var OC=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function nu(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let u of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,Lm.unescapeFragment)(u)];if(d===void 0)return;r=d;let l=typeof r=="object"&&r[this.opts.schemaId];!OC.has(u)&&l&&(t=(0,pt.resolveUrl)(this.opts.uriResolver,t,l))}let i;if(typeof r!="boolean"&&r.$ref&&!(0,Lm.schemaHasRulesButRef)(r,this.RULES)){let u=(0,pt.resolveUrl)(this.opts.uriResolver,t,r.$ref);i=Fa.call(this,n,u)}let{schemaId:s}=this.opts;if(i=i||new dn({schema:r,schemaId:s,root:n,baseId:t}),i.schema!==i.root.schema)return i}o(nu,"getJsonPointer")});var Hm=T((z1,UC)=>{UC.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var iu=T((N1,Fm)=>{"use strict";var zC=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),Bm=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function au(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(au,"stringArrayToHexStripped");var NC=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function Gm(e){return e.length=0,!0}o(Gm,"consumeIsZone");function DC(e,t,r){if(e.length){let n=au(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(DC,"consumeHextets");function MC(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],i=!1,s=!1,u=DC;for(let d=0;d<e.length;d++){let l=e[d];if(!(l==="["||l==="]"))if(l===":"){if(i===!0&&(s=!0),!u(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(i=!0),n.push(":");continue}else if(l==="%"){if(!u(a,n,r))break;u=Gm}else{a.push(l);continue}}return a.length&&(u===Gm?r.zone=a.join(""):s?n.push(a.join("")):n.push(au(a))),r.address=n.join(""),r}o(MC,"getIPV6");function Vm(e){if(qC(e,":")<2)return{host:e,isIPV6:!1};let t=MC(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(Vm,"normalizeIPv6");function qC(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(qC,"findToken");function $C(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o($C,"removeDotSegments");function LC(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(LC,"normalizeComponentEncoding");function jC(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!Bm(r)){let n=Vm(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(jC,"recomposeAuthority");Fm.exports={nonSimpleDomain:NC,recomposeAuthority:jC,normalizeComponentEncoding:LC,removeDotSegments:$C,isIPv4:Bm,isUUID:zC,normalizeIPv6:Vm,stringArrayToHexStripped:au}});var Ym=T((M1,Jm)=>{"use strict";var{isUUID:HC}=iu(),GC=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,BC=["http","https","ws","wss","urn","urn:uuid"];function VC(e){return BC.indexOf(e)!==-1}o(VC,"isValidSchemeName");function su(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(su,"wsIsSecure");function Zm(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(Zm,"httpParse");function Km(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(Km,"httpSerialize");function FC(e){return e.secure=su(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(FC,"wsParse");function ZC(e){if((e.port===(su(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(ZC,"wsSerialize");function KC(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(GC);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,i=cu(a);e.path=void 0,i&&(e=i.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(KC,"urnParse");function WC(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,i=cu(a);i&&(e=i.serialize(e,t));let s=e,u=e.nss;return s.path=`${n||t.nid}:${u}`,t.skipEscape=!0,s}o(WC,"urnSerialize");function JC(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!HC(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(JC,"urnuuidParse");function YC(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(YC,"urnuuidSerialize");var Wm={scheme:"http",domainHost:!0,parse:Zm,serialize:Km},XC={scheme:"https",domainHost:Wm.domainHost,parse:Zm,serialize:Km},Ka={scheme:"ws",domainHost:!0,parse:FC,serialize:ZC},QC={scheme:"wss",domainHost:Ka.domainHost,parse:Ka.parse,serialize:Ka.serialize},eI={scheme:"urn",parse:KC,serialize:WC,skipNormalize:!0},tI={scheme:"urn:uuid",parse:JC,serialize:YC,skipNormalize:!0},Wa={http:Wm,https:XC,ws:Ka,wss:QC,urn:eI,"urn:uuid":tI};Object.setPrototypeOf(Wa,null);function cu(e){return e&&(Wa[e]||Wa[e.toLowerCase()])||void 0}o(cu,"getSchemeHandler");Jm.exports={wsIsSecure:su,SCHEMES:Wa,isValidSchemeName:VC,getSchemeHandler:cu}});var eh=T(($1,Ya)=>{"use strict";var{normalizeIPv6:rI,removeDotSegments:So,recomposeAuthority:nI,normalizeComponentEncoding:Ja,isIPv4:oI,nonSimpleDomain:aI}=iu(),{SCHEMES:iI,getSchemeHandler:Xm}=Ym();function sI(e,t){return typeof e=="string"?e=Rt(jt(e,t),t):typeof e=="object"&&(e=jt(Rt(e,t),t)),e}o(sI,"normalize");function cI(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=Qm(jt(e,n),jt(t,n),n,!0);return n.skipEscape=!0,Rt(a,n)}o(cI,"resolve");function Qm(e,t,r,n){let a={};return n||(e=jt(Rt(e,r),r),t=jt(Rt(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=So(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=So(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=So(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=So(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(Qm,"resolveComponent");function uI(e,t,r){return typeof e=="string"?(e=unescape(e),e=Rt(Ja(jt(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=Rt(Ja(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=Rt(Ja(jt(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=Rt(Ja(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(uI,"equal");function Rt(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],i=Xm(n.scheme||r.scheme);i&&i.serialize&&i.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let s=nI(r);if(s!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(s),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let u=r.path;!n.absolutePath&&(!i||!i.absolutePath)&&(u=So(u)),s===void 0&&u[0]==="/"&&u[1]==="/"&&(u="/%2F"+u.slice(2)),a.push(u)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(Rt,"serialize");var dI=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function jt(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let i=e.match(dI);if(i){if(n.scheme=i[1],n.userinfo=i[3],n.host=i[4],n.port=parseInt(i[5],10),n.path=i[6]||"",n.query=i[7],n.fragment=i[8],isNaN(n.port)&&(n.port=i[5]),n.host)if(oI(n.host)===!1){let d=rI(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let s=Xm(r.scheme||n.scheme);if(!r.unicodeSupport&&(!s||!s.unicodeSupport)&&n.host&&(r.domainHost||s&&s.domainHost)&&a===!1&&aI(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(u){n.error=n.error||"Host's domain name can not be converted to ASCII: "+u}(!s||s&&!s.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),s&&s.parse&&s.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(jt,"parse");var uu={SCHEMES:iI,normalize:sI,resolve:cI,resolveComponent:Qm,equal:uI,serialize:Rt,parse:jt};Ya.exports=uu;Ya.exports.default=uu;Ya.exports.fastUri=uu});var rh=T(du=>{"use strict";Object.defineProperty(du,"__esModule",{value:!0});var th=eh();th.code='require("ajv/dist/runtime/uri").default';du.default=th});var dh=T(Ie=>{"use strict";Object.defineProperty(Ie,"__esModule",{value:!0});Ie.CodeGen=Ie.Name=Ie.nil=Ie.stringify=Ie.str=Ie._=Ie.KeywordCxt=void 0;var lI=_o();Object.defineProperty(Ie,"KeywordCxt",{enumerable:!0,get:o(function(){return lI.KeywordCxt},"get")});var ln=L();Object.defineProperty(Ie,"_",{enumerable:!0,get:o(function(){return ln._},"get")});Object.defineProperty(Ie,"str",{enumerable:!0,get:o(function(){return ln.str},"get")});Object.defineProperty(Ie,"stringify",{enumerable:!0,get:o(function(){return ln.stringify},"get")});Object.defineProperty(Ie,"nil",{enumerable:!0,get:o(function(){return ln.nil},"get")});Object.defineProperty(Ie,"Name",{enumerable:!0,get:o(function(){return ln.Name},"get")});Object.defineProperty(Ie,"CodeGen",{enumerable:!0,get:o(function(){return ln.CodeGen},"get")});var pI=Va(),sh=yo(),mI=$c(),wo=Za(),hI=L(),vo=ho(),Xa=mo(),pu=J(),nh=Hm(),fI=rh(),ch=o((e,t)=>new RegExp(e,t),"defaultRegExp");ch.code="new RegExp";var gI=["removeAdditional","useDefaults","coerceTypes"],_I=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),yI={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},SI={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},oh=200;function wI(e){var t,r,n,a,i,s,u,d,l,p,m,f,_,S,y,w,v,R,I,N,M,Ye,xt,xs,Os;let Bn=e.strict,Us=(t=e.code)===null||t===void 0?void 0:t.optimize,mp=Us===!0||Us===void 0?1:Us||0,hp=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:ch,Jw=(a=e.uriResolver)!==null&&a!==void 0?a:fI.default;return{strictSchema:(s=(i=e.strictSchema)!==null&&i!==void 0?i:Bn)!==null&&s!==void 0?s:!0,strictNumbers:(d=(u=e.strictNumbers)!==null&&u!==void 0?u:Bn)!==null&&d!==void 0?d:!0,strictTypes:(p=(l=e.strictTypes)!==null&&l!==void 0?l:Bn)!==null&&p!==void 0?p:"log",strictTuples:(f=(m=e.strictTuples)!==null&&m!==void 0?m:Bn)!==null&&f!==void 0?f:"log",strictRequired:(S=(_=e.strictRequired)!==null&&_!==void 0?_:Bn)!==null&&S!==void 0?S:!1,code:e.code?{...e.code,optimize:mp,regExp:hp}:{optimize:mp,regExp:hp},loopRequired:(y=e.loopRequired)!==null&&y!==void 0?y:oh,loopEnum:(w=e.loopEnum)!==null&&w!==void 0?w:oh,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(R=e.messages)!==null&&R!==void 0?R:!0,inlineRefs:(I=e.inlineRefs)!==null&&I!==void 0?I:!0,schemaId:(N=e.schemaId)!==null&&N!==void 0?N:"$id",addUsedSchema:(M=e.addUsedSchema)!==null&&M!==void 0?M:!0,validateSchema:(Ye=e.validateSchema)!==null&&Ye!==void 0?Ye:!0,validateFormats:(xt=e.validateFormats)!==null&&xt!==void 0?xt:!0,unicodeRegExp:(xs=e.unicodeRegExp)!==null&&xs!==void 0?xs:!0,int32range:(Os=e.int32range)!==null&&Os!==void 0?Os:!0,uriResolver:Jw}}o(wI,"requiredOptions");var Ro=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...wI(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new hI.ValueScope({scope:{},prefixes:_I,es5:r,lines:n}),this.logger=TI(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,mI.getRules)(),ah.call(this,yI,t,"NOT SUPPORTED"),ah.call(this,SI,t,"DEPRECATED","warn"),this._metaOpts=CI.call(this),t.formats&&RI.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&bI.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),vI.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=nh;n==="id"&&(a={...nh},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(p,m){await i.call(this,p.$schema);let f=this._addSchema(p,m);return f.validate||s.call(this,f)}async function i(p){p&&!this.getSchema(p)&&await a.call(this,{$ref:p},!0)}async function s(p){try{return this._compileSchemaEnv(p)}catch(m){if(!(m instanceof sh.default))throw m;return u.call(this,m),await d.call(this,m.missingSchema),s.call(this,p)}}function u({missingSchema:p,missingRef:m}){if(this.refs[p])throw new Error(`AnySchema ${p} is loaded but ${m} cannot be resolved`)}async function d(p){let m=await l.call(this,p);this.refs[p]||await i.call(this,m.$schema),this.refs[p]||this.addSchema(m,p,r)}async function l(p){let m=this._loading[p];if(m)return m;try{return await(this._loading[p]=n(p))}finally{delete this._loading[p]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let s of t)this.addSchema(s,void 0,n,a);return this}let i;if(typeof t=="object"){let{schemaId:s}=this.opts;if(i=t[s],i!==void 0&&typeof i!="string")throw new Error(`schema ${s} must be string`)}return r=(0,vo.normalizeId)(r||i),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let i="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(i);else throw new Error(i)}return a}getSchema(t){let r;for(;typeof(r=ih.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new wo.SchemaEnv({schema:{},schemaId:n});if(r=wo.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=ih.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,vo.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(kI.call(this,n,r),!r)return(0,pu.eachItem)(n,i=>lu.call(this,i)),this;EI.call(this,r);let a={...r,type:(0,Xa.getJSONTypes)(r.type),schemaType:(0,Xa.getJSONTypes)(r.schemaType)};return(0,pu.eachItem)(n,a.type.length===0?i=>lu.call(this,i,a):i=>a.type.forEach(s=>lu.call(this,i,a,s))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(i=>i.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,i)=>a+r+i)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let i=a.split("/").slice(1),s=t;for(let u of i)s=s[u];for(let u in n){let d=n[u];if(typeof d!="object")continue;let{$data:l}=d.definition,p=s[u];l&&p&&(s[u]=uh(p))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,i=this.opts.addUsedSchema){let s,{schemaId:u}=this.opts;if(typeof t=="object")s=t[u];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,vo.normalizeId)(s||n);let l=vo.getSchemaRefs.call(this,t,n);return d=new wo.SchemaEnv({schema:t,schemaId:u,meta:r,baseId:n,localRefs:l}),this._cache.set(d.schema,d),i&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):wo.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{wo.compileSchema.call(this,t)}finally{this.opts=r}}};Ro.ValidationError=pI.default;Ro.MissingRefError=sh.default;Ie.default=Ro;function ah(e,t,r,n="error"){for(let a in e){let i=a;i in t&&this.logger[n](`${r}: option ${a}. ${e[i]}`)}}o(ah,"checkOptions");function ih(e){return e=(0,vo.normalizeId)(e),this.schemas[e]||this.refs[e]}o(ih,"getSchEnv");function vI(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(vI,"addInitialSchemas");function RI(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(RI,"addInitialFormats");function bI(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(bI,"addInitialKeywords");function CI(){let e={...this.opts};for(let t of gI)delete e[t];return e}o(CI,"getMetaSchemaOptions");var II={log(){},warn(){},error(){}};function TI(e){if(e===!1)return II;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(TI,"getLogger");var AI=/^[a-z_$][a-z0-9_$:-]*$/i;function kI(e,t){let{RULES:r}=this;if((0,pu.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!AI.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(kI,"checkKeyword");function lu(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:i}=this,s=a?i.post:i.rules.find(({type:d})=>d===r);if(s||(s={type:r,rules:[]},i.rules.push(s)),i.keywords[e]=!0,!t)return;let u={keyword:e,definition:{...t,type:(0,Xa.getJSONTypes)(t.type),schemaType:(0,Xa.getJSONTypes)(t.schemaType)}};t.before?PI.call(this,s,u,t.before):s.rules.push(u),i.all[e]=u,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(lu,"addRule");function PI(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(PI,"addBeforeRule");function EI(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=uh(t)),e.validateSchema=this.compile(t,!0))}o(EI,"keywordMetaschema");var xI={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function uh(e){return{anyOf:[e,xI]}}o(uh,"schemaOrData")});var lh=T(mu=>{"use strict";Object.defineProperty(mu,"__esModule",{value:!0});var OI={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};mu.default=OI});var fh=T(Pr=>{"use strict";Object.defineProperty(Pr,"__esModule",{value:!0});Pr.callRef=Pr.getValidate=void 0;var UI=yo(),ph=nt(),Ve=L(),pn=$t(),mh=Za(),Qa=J(),zI={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:i,validateName:s,opts:u,self:d}=n,{root:l}=i;if((r==="#"||r==="#/")&&a===l.baseId)return m();let p=mh.resolveRef.call(d,l,a,r);if(p===void 0)throw new UI.default(n.opts.uriResolver,a,r);if(p instanceof mh.SchemaEnv)return f(p);return _(p);function m(){if(i===l)return ei(e,s,i,i.$async);let S=t.scopeValue("root",{ref:l});return ei(e,(0,Ve._)`${S}.validate`,l,l.$async)}function f(S){let y=hh(e,S);ei(e,y,S,S.$async)}function _(S){let y=t.scopeValue("schema",u.code.source===!0?{ref:S,code:(0,Ve.stringify)(S)}:{ref:S}),w=t.name("valid"),v=e.subschema({schema:S,dataTypes:[],schemaPath:Ve.nil,topSchemaRef:y,errSchemaPath:r},w);e.mergeEvaluated(v),e.ok(w)}}};function hh(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,Ve._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(hh,"getValidate");Pr.getValidate=hh;function ei(e,t,r,n){let{gen:a,it:i}=e,{allErrors:s,schemaEnv:u,opts:d}=i,l=d.passContext?pn.default.this:Ve.nil;n?p():m();function p(){if(!u.$async)throw new Error("async schema referenced by sync schema");let S=a.let("valid");a.try(()=>{a.code((0,Ve._)`await ${(0,ph.callValidateCode)(e,t,l)}`),_(t),s||a.assign(S,!0)},y=>{a.if((0,Ve._)`!(${y} instanceof ${i.ValidationError})`,()=>a.throw(y)),f(y),s||a.assign(S,!1)}),e.ok(S)}o(p,"callAsyncRef");function m(){e.result((0,ph.callValidateCode)(e,t,l),()=>_(t),()=>f(t))}o(m,"callSyncRef");function f(S){let y=(0,Ve._)`${S}.errors`;a.assign(pn.default.vErrors,(0,Ve._)`${pn.default.vErrors} === null ? ${y} : ${pn.default.vErrors}.concat(${y})`),a.assign(pn.default.errors,(0,Ve._)`${pn.default.vErrors}.length`)}o(f,"addErrorsFrom");function _(S){var y;if(!i.opts.unevaluated)return;let w=(y=r?.validate)===null||y===void 0?void 0:y.evaluated;if(i.props!==!0)if(w&&!w.dynamicProps)w.props!==void 0&&(i.props=Qa.mergeEvaluated.props(a,w.props,i.props));else{let v=a.var("props",(0,Ve._)`${S}.evaluated.props`);i.props=Qa.mergeEvaluated.props(a,v,i.props,Ve.Name)}if(i.items!==!0)if(w&&!w.dynamicItems)w.items!==void 0&&(i.items=Qa.mergeEvaluated.items(a,w.items,i.items));else{let v=a.var("items",(0,Ve._)`${S}.evaluated.items`);i.items=Qa.mergeEvaluated.items(a,v,i.items,Ve.Name)}}o(_,"addEvaluatedFrom")}o(ei,"callRef");Pr.callRef=ei;Pr.default=zI});var gh=T(hu=>{"use strict";Object.defineProperty(hu,"__esModule",{value:!0});var NI=lh(),DI=fh(),MI=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",NI.default,DI.default];hu.default=MI});var _h=T(fu=>{"use strict";Object.defineProperty(fu,"__esModule",{value:!0});var ti=L(),dr=ti.operators,ri={maximum:{okStr:"<=",ok:dr.LTE,fail:dr.GT},minimum:{okStr:">=",ok:dr.GTE,fail:dr.LT},exclusiveMaximum:{okStr:"<",ok:dr.LT,fail:dr.GTE},exclusiveMinimum:{okStr:">",ok:dr.GT,fail:dr.LTE}},qI={message:o(({keyword:e,schemaCode:t})=>(0,ti.str)`must be ${ri[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ti._)`{comparison: ${ri[e].okStr}, limit: ${t}}`,"params")},$I={keyword:Object.keys(ri),type:"number",schemaType:"number",$data:!0,error:qI,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,ti._)`${r} ${ri[t].fail} ${n} || isNaN(${r})`)}};fu.default=$I});var yh=T(gu=>{"use strict";Object.defineProperty(gu,"__esModule",{value:!0});var bo=L(),LI={message:o(({schemaCode:e})=>(0,bo.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,bo._)`{multipleOf: ${e}}`,"params")},jI={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:LI,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,i=a.opts.multipleOfPrecision,s=t.let("res"),u=i?(0,bo._)`Math.abs(Math.round(${s}) - ${s}) > 1e-${i}`:(0,bo._)`${s} !== parseInt(${s})`;e.fail$data((0,bo._)`(${n} === 0 || (${s} = ${r}/${n}, ${u}))`)}};gu.default=jI});var wh=T(_u=>{"use strict";Object.defineProperty(_u,"__esModule",{value:!0});function Sh(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(Sh,"ucs2length");_u.default=Sh;Sh.code='require("ajv/dist/runtime/ucs2length").default'});var vh=T(yu=>{"use strict";Object.defineProperty(yu,"__esModule",{value:!0});var Er=L(),HI=J(),GI=wh(),BI={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,Er.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,Er._)`{limit: ${e}}`,"params")},VI={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:BI,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,i=t==="maxLength"?Er.operators.GT:Er.operators.LT,s=a.opts.unicode===!1?(0,Er._)`${r}.length`:(0,Er._)`${(0,HI.useFunc)(e.gen,GI.default)}(${r})`;e.fail$data((0,Er._)`${s} ${i} ${n}`)}};yu.default=VI});var Rh=T(Su=>{"use strict";Object.defineProperty(Su,"__esModule",{value:!0});var FI=nt(),ni=L(),ZI={message:o(({schemaCode:e})=>(0,ni.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,ni._)`{pattern: ${e}}`,"params")},KI={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:ZI,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:i}=e,s=i.opts.unicodeRegExp?"u":"",u=r?(0,ni._)`(new RegExp(${a}, ${s}))`:(0,FI.usePattern)(e,n);e.fail$data((0,ni._)`!${u}.test(${t})`)}};Su.default=KI});var bh=T(wu=>{"use strict";Object.defineProperty(wu,"__esModule",{value:!0});var Co=L(),WI={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,Co.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,Co._)`{limit: ${e}}`,"params")},JI={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:WI,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?Co.operators.GT:Co.operators.LT;e.fail$data((0,Co._)`Object.keys(${r}).length ${a} ${n}`)}};wu.default=JI});var Ch=T(vu=>{"use strict";Object.defineProperty(vu,"__esModule",{value:!0});var Io=nt(),To=L(),YI=J(),XI={message:o(({params:{missingProperty:e}})=>(0,To.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,To._)`{missingProperty: ${e}}`,"params")},QI={keyword:"required",type:"object",schemaType:"array",$data:!0,error:XI,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:i,it:s}=e,{opts:u}=s;if(!i&&r.length===0)return;let d=r.length>=u.loopRequired;if(s.allErrors?l():p(),u.strictRequired){let _=e.parentSchema.properties,{definedProperties:S}=e.it;for(let y of r)if(_?.[y]===void 0&&!S.has(y)){let w=s.schemaEnv.baseId+s.errSchemaPath,v=`required property "${y}" is not defined at "${w}" (strictRequired)`;(0,YI.checkStrictMode)(s,v,s.opts.strictRequired)}}function l(){if(d||i)e.block$data(To.nil,m);else for(let _ of r)(0,Io.checkReportMissingProp)(e,_)}o(l,"allErrorsMode");function p(){let _=t.let("missing");if(d||i){let S=t.let("valid",!0);e.block$data(S,()=>f(_,S)),e.ok(S)}else t.if((0,Io.checkMissingProp)(e,r,_)),(0,Io.reportMissingProp)(e,_),t.else()}o(p,"exitOnErrorMode");function m(){t.forOf("prop",n,_=>{e.setParams({missingProperty:_}),t.if((0,Io.noPropertyInData)(t,a,_,u.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function f(_,S){e.setParams({missingProperty:_}),t.forOf(_,n,()=>{t.assign(S,(0,Io.propertyInData)(t,a,_,u.ownProperties)),t.if((0,To.not)(S),()=>{e.error(),t.break()})},To.nil)}o(f,"loopUntilMissing")}};vu.default=QI});var Ih=T(Ru=>{"use strict";Object.defineProperty(Ru,"__esModule",{value:!0});var Ao=L(),eT={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,Ao.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,Ao._)`{limit: ${e}}`,"params")},tT={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:eT,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?Ao.operators.GT:Ao.operators.LT;e.fail$data((0,Ao._)`${r}.length ${a} ${n}`)}};Ru.default=tT});var oi=T(bu=>{"use strict";Object.defineProperty(bu,"__esModule",{value:!0});var Th=Zc();Th.code='require("ajv/dist/runtime/equal").default';bu.default=Th});var Ah=T(Iu=>{"use strict";Object.defineProperty(Iu,"__esModule",{value:!0});var Cu=mo(),Te=L(),rT=J(),nT=oi(),oT={message:o(({params:{i:e,j:t}})=>(0,Te.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,Te._)`{i: ${e}, j: ${t}}`,"params")},aT={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:oT,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:i,schemaCode:s,it:u}=e;if(!n&&!a)return;let d=t.let("valid"),l=i.items?(0,Cu.getSchemaTypes)(i.items):[];e.block$data(d,p,(0,Te._)`${s} === false`),e.ok(d);function p(){let S=t.let("i",(0,Te._)`${r}.length`),y=t.let("j");e.setParams({i:S,j:y}),t.assign(d,!0),t.if((0,Te._)`${S} > 1`,()=>(m()?f:_)(S,y))}o(p,"validateUniqueItems");function m(){return l.length>0&&!l.some(S=>S==="object"||S==="array")}o(m,"canOptimize");function f(S,y){let w=t.name("item"),v=(0,Cu.checkDataTypes)(l,w,u.opts.strictNumbers,Cu.DataType.Wrong),R=t.const("indices",(0,Te._)`{}`);t.for((0,Te._)`;${S}--;`,()=>{t.let(w,(0,Te._)`${r}[${S}]`),t.if(v,(0,Te._)`continue`),l.length>1&&t.if((0,Te._)`typeof ${w} == "string"`,(0,Te._)`${w} += "_"`),t.if((0,Te._)`typeof ${R}[${w}] == "number"`,()=>{t.assign(y,(0,Te._)`${R}[${w}]`),e.error(),t.assign(d,!1).break()}).code((0,Te._)`${R}[${w}] = ${S}`)})}o(f,"loopN");function _(S,y){let w=(0,rT.useFunc)(t,nT.default),v=t.name("outer");t.label(v).for((0,Te._)`;${S}--;`,()=>t.for((0,Te._)`${y} = ${S}; ${y}--;`,()=>t.if((0,Te._)`${w}(${r}[${S}], ${r}[${y}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(_,"loopN2")}};Iu.default=aT});var kh=T(Au=>{"use strict";Object.defineProperty(Au,"__esModule",{value:!0});var Tu=L(),iT=J(),sT=oi(),cT={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,Tu._)`{allowedValue: ${e}}`,"params")},uT={keyword:"const",$data:!0,error:cT,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:i}=e;n||i&&typeof i=="object"?e.fail$data((0,Tu._)`!${(0,iT.useFunc)(t,sT.default)}(${r}, ${a})`):e.fail((0,Tu._)`${i} !== ${r}`)}};Au.default=uT});var Ph=T(ku=>{"use strict";Object.defineProperty(ku,"__esModule",{value:!0});var ko=L(),dT=J(),lT=oi(),pT={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,ko._)`{allowedValues: ${e}}`,"params")},mT={keyword:"enum",schemaType:"array",$data:!0,error:pT,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:i,it:s}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let u=a.length>=s.opts.loopEnum,d,l=o(()=>d??(d=(0,dT.useFunc)(t,lT.default)),"getEql"),p;if(u||n)p=t.let("valid"),e.block$data(p,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let _=t.const("vSchema",i);p=(0,ko.or)(...a.map((S,y)=>f(_,y)))}e.pass(p);function m(){t.assign(p,!1),t.forOf("v",i,_=>t.if((0,ko._)`${l()}(${r}, ${_})`,()=>t.assign(p,!0).break()))}o(m,"loopEnum");function f(_,S){let y=a[S];return typeof y=="object"&&y!==null?(0,ko._)`${l()}(${r}, ${_}[${S}])`:(0,ko._)`${r} === ${y}`}o(f,"equalCode")}};ku.default=mT});var Eh=T(Pu=>{"use strict";Object.defineProperty(Pu,"__esModule",{value:!0});var hT=_h(),fT=yh(),gT=vh(),_T=Rh(),yT=bh(),ST=Ch(),wT=Ih(),vT=Ah(),RT=kh(),bT=Ph(),CT=[hT.default,fT.default,gT.default,_T.default,yT.default,ST.default,wT.default,vT.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},RT.default,bT.default];Pu.default=CT});var xu=T(Po=>{"use strict";Object.defineProperty(Po,"__esModule",{value:!0});Po.validateAdditionalItems=void 0;var xr=L(),Eu=J(),IT={message:o(({params:{len:e}})=>(0,xr.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,xr._)`{limit: ${e}}`,"params")},TT={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:IT,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,Eu.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}xh(e,n)}};function xh(e,t){let{gen:r,schema:n,data:a,keyword:i,it:s}=e;s.items=!0;let u=r.const("len",(0,xr._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,xr._)`${u} <= ${t.length}`);else if(typeof n=="object"&&!(0,Eu.alwaysValidSchema)(s,n)){let l=r.var("valid",(0,xr._)`${u} <= ${t.length}`);r.if((0,xr.not)(l),()=>d(l)),e.ok(l)}function d(l){r.forRange("i",t.length,u,p=>{e.subschema({keyword:i,dataProp:p,dataPropType:Eu.Type.Num},l),s.allErrors||r.if((0,xr.not)(l),()=>r.break())})}o(d,"validateItems")}o(xh,"validateAdditionalItems");Po.validateAdditionalItems=xh;Po.default=TT});var Ou=T(Eo=>{"use strict";Object.defineProperty(Eo,"__esModule",{value:!0});Eo.validateTuple=void 0;var Oh=L(),ai=J(),AT=nt(),kT={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return Uh(e,"additionalItems",t);r.items=!0,!(0,ai.alwaysValidSchema)(r,t)&&e.ok((0,AT.validateArray)(e))}};function Uh(e,t,r=e.schema){let{gen:n,parentSchema:a,data:i,keyword:s,it:u}=e;p(a),u.opts.unevaluated&&r.length&&u.items!==!0&&(u.items=ai.mergeEvaluated.items(n,r.length,u.items));let d=n.name("valid"),l=n.const("len",(0,Oh._)`${i}.length`);r.forEach((m,f)=>{(0,ai.alwaysValidSchema)(u,m)||(n.if((0,Oh._)`${l} > ${f}`,()=>e.subschema({keyword:s,schemaProp:f,dataProp:f},d)),e.ok(d))});function p(m){let{opts:f,errSchemaPath:_}=u,S=r.length,y=S===m.minItems&&(S===m.maxItems||m[t]===!1);if(f.strictTuples&&!y){let w=`"${s}" is ${S}-tuple, but minItems or maxItems/${t} are not specified or different at path "${_}"`;(0,ai.checkStrictMode)(u,w,f.strictTuples)}}o(p,"checkStrictTuple")}o(Uh,"validateTuple");Eo.validateTuple=Uh;Eo.default=kT});var zh=T(Uu=>{"use strict";Object.defineProperty(Uu,"__esModule",{value:!0});var PT=Ou(),ET={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,PT.validateTuple)(e,"items"),"code")};Uu.default=ET});var Dh=T(zu=>{"use strict";Object.defineProperty(zu,"__esModule",{value:!0});var Nh=L(),xT=J(),OT=nt(),UT=xu(),zT={message:o(({params:{len:e}})=>(0,Nh.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,Nh._)`{limit: ${e}}`,"params")},NT={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:zT,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,xT.alwaysValidSchema)(n,t)&&(a?(0,UT.validateAdditionalItems)(e,a):e.ok((0,OT.validateArray)(e)))}};zu.default=NT});var Mh=T(Nu=>{"use strict";Object.defineProperty(Nu,"__esModule",{value:!0});var at=L(),ii=J(),DT={message:o(({params:{min:e,max:t}})=>t===void 0?(0,at.str)`must contain at least ${e} valid item(s)`:(0,at.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,at._)`{minContains: ${e}}`:(0,at._)`{minContains: ${e}, maxContains: ${t}}`,"params")},MT={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:DT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e,s,u,{minContains:d,maxContains:l}=n;i.opts.next?(s=d===void 0?1:d,u=l):s=1;let p=t.const("len",(0,at._)`${a}.length`);if(e.setParams({min:s,max:u}),u===void 0&&s===0){(0,ii.checkStrictMode)(i,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(u!==void 0&&s>u){(0,ii.checkStrictMode)(i,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,ii.alwaysValidSchema)(i,r)){let y=(0,at._)`${p} >= ${s}`;u!==void 0&&(y=(0,at._)`${y} && ${p} <= ${u}`),e.pass(y);return}i.items=!0;let m=t.name("valid");u===void 0&&s===1?_(m,()=>t.if(m,()=>t.break())):s===0?(t.let(m,!0),u!==void 0&&t.if((0,at._)`${a}.length > 0`,f)):(t.let(m,!1),f()),e.result(m,()=>e.reset());function f(){let y=t.name("_valid"),w=t.let("count",0);_(y,()=>t.if(y,()=>S(w)))}o(f,"validateItemsWithCount");function _(y,w){t.forRange("i",0,p,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:ii.Type.Num,compositeRule:!0},y),w()})}o(_,"validateItems");function S(y){t.code((0,at._)`${y}++`),u===void 0?t.if((0,at._)`${y} >= ${s}`,()=>t.assign(m,!0).break()):(t.if((0,at._)`${y} > ${u}`,()=>t.assign(m,!1).break()),s===1?t.assign(m,!0):t.if((0,at._)`${y} >= ${s}`,()=>t.assign(m,!0)))}o(S,"checkLimits")}};Nu.default=MT});var Lh=T(bt=>{"use strict";Object.defineProperty(bt,"__esModule",{value:!0});bt.validateSchemaDeps=bt.validatePropertyDeps=bt.error=void 0;var Du=L(),qT=J(),xo=nt();bt.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,Du.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,Du._)`{property: ${e},
     missingProperty: ${n},
     depsCount: ${t},
-    deps: ${r}}`,"params")};var qT={keyword:"dependencies",type:"object",schemaType:"object",error:It.error,code(e){let[t,r]=$T(e);qh(e,t),$h(e,r)}};function $T({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o($T,"splitDependencies");function qh(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let i=r.let("missing");for(let s in t){let u=t[s];if(u.length===0)continue;let d=(0,Oo.propertyInData)(r,n,s,a.opts.ownProperties);e.setParams({property:s,depsCount:u.length,deps:u.join(", ")}),a.allErrors?r.if(d,()=>{for(let l of u)(0,Oo.checkReportMissingProp)(e,l)}):(r.if((0,Mu._)`${d} && (${(0,Oo.checkMissingProp)(e,u,i)})`),(0,Oo.reportMissingProp)(e,i),r.else())}}o(qh,"validatePropertyDeps");It.validatePropertyDeps=qh;function $h(e,t=e.schema){let{gen:r,data:n,keyword:a,it:i}=e,s=r.name("valid");for(let u in t)(0,MT.alwaysValidSchema)(i,t[u])||(r.if((0,Oo.propertyInData)(r,n,u,i.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:u},s);e.mergeValidEvaluated(d,s)},()=>r.var(s,!0)),e.ok(s))}o($h,"validateSchemaDeps");It.validateSchemaDeps=$h;It.default=qT});var Hh=T(qu=>{"use strict";Object.defineProperty(qu,"__esModule",{value:!0});var jh=L(),LT=J(),jT={message:"property name must be valid",params:o(({params:e})=>(0,jh._)`{propertyName: ${e.propertyName}}`,"params")},HT={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:jT,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,LT.alwaysValidSchema)(a,r))return;let i=t.name("valid");t.forIn("key",n,s=>{e.setParams({propertyName:s}),e.subschema({keyword:"propertyNames",data:s,dataTypes:["string"],propertyName:s,compositeRule:!0},i),t.if((0,jh.not)(i),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(i)}};qu.default=HT});var Lu=T($u=>{"use strict";Object.defineProperty($u,"__esModule",{value:!0});var ci=ot(),ht=L(),GT=$t(),ui=J(),BT={message:"must NOT have additional properties",params:o(({params:e})=>(0,ht._)`{additionalProperty: ${e.additionalProperty}}`,"params")},VT={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:BT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:i,it:s}=e;if(!i)throw new Error("ajv implementation error");let{allErrors:u,opts:d}=s;if(s.props=!0,d.removeAdditional!=="all"&&(0,ui.alwaysValidSchema)(s,r))return;let l=(0,ci.allSchemaProperties)(n.properties),p=(0,ci.allSchemaProperties)(n.patternProperties);m(),e.ok((0,ht._)`${i} === ${GT.default.errors}`);function m(){t.forIn("key",a,w=>{!l.length&&!p.length?S(w):t.if(f(w),()=>S(w))})}o(m,"checkAdditionalProperties");function f(w){let v;if(l.length>8){let R=(0,ui.schemaRefOrVal)(s,n.properties,"properties");v=(0,ci.isOwnProperty)(t,R,w)}else l.length?v=(0,ht.or)(...l.map(R=>(0,ht._)`${w} === ${R}`)):v=ht.nil;return p.length&&(v=(0,ht.or)(v,...p.map(R=>(0,ht._)`${(0,ci.usePattern)(e,R)}.test(${w})`))),(0,ht.not)(v)}o(f,"isAdditional");function _(w){t.code((0,ht._)`delete ${a}[${w}]`)}o(_,"deleteAdditional");function S(w){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){_(w);return}if(r===!1){e.setParams({additionalProperty:w}),e.error(),u||t.break();return}if(typeof r=="object"&&!(0,ui.alwaysValidSchema)(s,r)){let v=t.name("valid");d.removeAdditional==="failing"?(y(w,v,!1),t.if((0,ht.not)(v),()=>{e.reset(),_(w)})):(y(w,v),u||t.if((0,ht.not)(v),()=>t.break()))}}o(S,"additionalPropertyCode");function y(w,v,R){let C={keyword:"additionalProperties",dataProp:w,dataPropType:ui.Type.Str};R===!1&&Object.assign(C,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(C,v)}o(y,"applyAdditionalSchema")}};$u.default=VT});var Vh=T(Hu=>{"use strict";Object.defineProperty(Hu,"__esModule",{value:!0});var FT=yo(),Gh=ot(),ju=J(),Bh=Lu(),ZT={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e;i.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&Bh.default.code(new FT.KeywordCxt(i,Bh.default,"additionalProperties"));let s=(0,Gh.allSchemaProperties)(r);for(let m of s)i.definedProperties.add(m);i.opts.unevaluated&&s.length&&i.props!==!0&&(i.props=ju.mergeEvaluated.props(t,(0,ju.toHash)(s),i.props));let u=s.filter(m=>!(0,ju.alwaysValidSchema)(i,r[m]));if(u.length===0)return;let d=t.name("valid");for(let m of u)l(m)?p(m):(t.if((0,Gh.propertyInData)(t,a,m,i.opts.ownProperties)),p(m),i.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function l(m){return i.opts.useDefaults&&!i.compositeRule&&r[m].default!==void 0}o(l,"hasDefault");function p(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(p,"applyPropertySchema")}};Hu.default=ZT});var Wh=T(Gu=>{"use strict";Object.defineProperty(Gu,"__esModule",{value:!0});var Fh=ot(),di=L(),Zh=J(),Kh=J(),KT={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:i}=e,{opts:s}=i,u=(0,Fh.allSchemaProperties)(r),d=u.filter(y=>(0,Zh.alwaysValidSchema)(i,r[y]));if(u.length===0||d.length===u.length&&(!i.opts.unevaluated||i.props===!0))return;let l=s.strictSchema&&!s.allowMatchingProperties&&a.properties,p=t.name("valid");i.props!==!0&&!(i.props instanceof di.Name)&&(i.props=(0,Kh.evaluatedPropsToName)(t,i.props));let{props:m}=i;f();function f(){for(let y of u)l&&_(y),i.allErrors?S(y):(t.var(p,!0),S(y),t.if(p))}o(f,"validatePatternProperties");function _(y){for(let w in l)new RegExp(y).test(w)&&(0,Zh.checkStrictMode)(i,`property ${w} matches pattern ${y} (use allowMatchingProperties)`)}o(_,"checkMatchingProperties");function S(y){t.forIn("key",n,w=>{t.if((0,di._)`${(0,Fh.usePattern)(e,y)}.test(${w})`,()=>{let v=d.includes(y);v||e.subschema({keyword:"patternProperties",schemaProp:y,dataProp:w,dataPropType:Kh.Type.Str},p),i.opts.unevaluated&&m!==!0?t.assign((0,di._)`${m}[${w}]`,!0):!v&&!i.allErrors&&t.if((0,di.not)(p),()=>t.break())})})}o(S,"validateProperties")}};Gu.default=KT});var Jh=T(Bu=>{"use strict";Object.defineProperty(Bu,"__esModule",{value:!0});var WT=J(),JT={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,WT.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Bu.default=JT});var Yh=T(Vu=>{"use strict";Object.defineProperty(Vu,"__esModule",{value:!0});var YT=ot(),XT={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:YT.validateUnion,error:{message:"must match a schema in anyOf"}};Vu.default=XT});var Xh=T(Fu=>{"use strict";Object.defineProperty(Fu,"__esModule",{value:!0});var li=L(),QT=J(),eA={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,li._)`{passingSchemas: ${e.passing}}`,"params")},tA={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:eA,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let i=r,s=t.let("valid",!1),u=t.let("passing",null),d=t.name("_valid");e.setParams({passing:u}),t.block(l),e.result(s,()=>e.reset(),()=>e.error(!0));function l(){i.forEach((p,m)=>{let f;(0,QT.alwaysValidSchema)(a,p)?t.var(d,!0):f=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,li._)`${d} && ${s}`).assign(s,!1).assign(u,(0,li._)`[${u}, ${m}]`).else(),t.if(d,()=>{t.assign(s,!0),t.assign(u,m),f&&e.mergeEvaluated(f,li.Name)})})}o(l,"validateOneOf")}};Fu.default=tA});var Qh=T(Zu=>{"use strict";Object.defineProperty(Zu,"__esModule",{value:!0});var rA=J(),nA={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((i,s)=>{if((0,rA.alwaysValidSchema)(n,i))return;let u=e.subschema({keyword:"allOf",schemaProp:s},a);e.ok(a),e.mergeEvaluated(u)})}};Zu.default=nA});var rf=T(Ku=>{"use strict";Object.defineProperty(Ku,"__esModule",{value:!0});var pi=L(),tf=J(),oA={message:o(({params:e})=>(0,pi.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,pi._)`{failingKeyword: ${e.ifClause}}`,"params")},aA={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:oA,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,tf.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=ef(n,"then"),i=ef(n,"else");if(!a&&!i)return;let s=t.let("valid",!0),u=t.name("_valid");if(d(),e.reset(),a&&i){let p=t.let("ifClause");e.setParams({ifClause:p}),t.if(u,l("then",p),l("else",p))}else a?t.if(u,l("then")):t.if((0,pi.not)(u),l("else"));e.pass(s,()=>e.error(!0));function d(){let p=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},u);e.mergeEvaluated(p)}o(d,"validateIf");function l(p,m){return()=>{let f=e.subschema({keyword:p},u);t.assign(s,u),e.mergeValidEvaluated(f,s),m?t.assign(m,(0,pi._)`${p}`):e.setParams({ifClause:p})}}o(l,"validateClause")}};function ef(e,t){let r=e.schema[t];return r!==void 0&&!(0,tf.alwaysValidSchema)(e,r)}o(ef,"hasSchema");Ku.default=aA});var nf=T(Wu=>{"use strict";Object.defineProperty(Wu,"__esModule",{value:!0});var iA=J(),sA={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,iA.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};Wu.default=sA});var of=T(Ju=>{"use strict";Object.defineProperty(Ju,"__esModule",{value:!0});var cA=Ou(),uA=zh(),dA=Uu(),lA=Dh(),pA=Mh(),mA=Lh(),hA=Hh(),fA=Lu(),gA=Vh(),_A=Wh(),yA=Jh(),SA=Yh(),wA=Xh(),vA=Qh(),RA=rf(),bA=nf();function IA(e=!1){let t=[yA.default,SA.default,wA.default,vA.default,RA.default,bA.default,hA.default,fA.default,mA.default,gA.default,_A.default];return e?t.push(uA.default,lA.default):t.push(cA.default,dA.default),t.push(pA.default),t}o(IA,"getApplicator");Ju.default=IA});var af=T(Yu=>{"use strict";Object.defineProperty(Yu,"__esModule",{value:!0});var ge=L(),CA={message:o(({schemaCode:e})=>(0,ge.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,ge._)`{format: ${e}}`,"params")},TA={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:CA,code(e,t){let{gen:r,data:n,$data:a,schema:i,schemaCode:s,it:u}=e,{opts:d,errSchemaPath:l,schemaEnv:p,self:m}=u;if(!d.validateFormats)return;a?f():_();function f(){let S=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),y=r.const("fDef",(0,ge._)`${S}[${s}]`),w=r.let("fType"),v=r.let("format");r.if((0,ge._)`typeof ${y} == "object" && !(${y} instanceof RegExp)`,()=>r.assign(w,(0,ge._)`${y}.type || "string"`).assign(v,(0,ge._)`${y}.validate`),()=>r.assign(w,(0,ge._)`"string"`).assign(v,y)),e.fail$data((0,ge.or)(R(),C()));function R(){return d.strictSchema===!1?ge.nil:(0,ge._)`${s} && !${v}`}o(R,"unknownFmt");function C(){let N=p.$async?(0,ge._)`(${y}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,ge._)`${v}(${n})`,M=(0,ge._)`(typeof ${v} == "function" ? ${N} : ${v}.test(${n}))`;return(0,ge._)`${v} && ${v} !== true && ${w} === ${t} && !${M}`}o(C,"invalidFmt")}o(f,"validate$DataFormat");function _(){let S=m.formats[i];if(!S){R();return}if(S===!0)return;let[y,w,v]=C(S);y===t&&e.pass(N());function R(){if(d.strictSchema===!1){m.logger.warn(M());return}throw new Error(M());function M(){return`unknown format "${i}" ignored in schema at path "${l}"`}}o(R,"unknownFormat");function C(M){let Ye=M instanceof RegExp?(0,ge.regexpCode)(M):d.code.formats?(0,ge._)`${d.code.formats}${(0,ge.getProperty)(i)}`:void 0,Ot=r.scopeValue("formats",{key:i,ref:M,code:Ye});return typeof M=="object"&&!(M instanceof RegExp)?[M.type||"string",M.validate,(0,ge._)`${Ot}.validate`]:["string",M,Ot]}o(C,"getFormat");function N(){if(typeof S=="object"&&!(S instanceof RegExp)&&S.async){if(!p.$async)throw new Error("async format in sync schema");return(0,ge._)`await ${v}(${n})`}return typeof w=="function"?(0,ge._)`${v}(${n})`:(0,ge._)`${v}.test(${n})`}o(N,"validCondition")}o(_,"validateFormat")}};Yu.default=TA});var sf=T(Xu=>{"use strict";Object.defineProperty(Xu,"__esModule",{value:!0});var AA=af(),kA=[AA.default];Xu.default=kA});var cf=T(mn=>{"use strict";Object.defineProperty(mn,"__esModule",{value:!0});mn.contentVocabulary=mn.metadataVocabulary=void 0;mn.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];mn.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var df=T(Qu=>{"use strict";Object.defineProperty(Qu,"__esModule",{value:!0});var EA=gh(),PA=Ph(),xA=of(),OA=sf(),uf=cf(),UA=[EA.default,PA.default,(0,xA.default)(),OA.default,uf.metadataVocabulary,uf.contentVocabulary];Qu.default=UA});var pf=T(mi=>{"use strict";Object.defineProperty(mi,"__esModule",{value:!0});mi.DiscrError=void 0;var lf;(function(e){e.Tag="tag",e.Mapping="mapping"})(lf||(mi.DiscrError=lf={}))});var hf=T(td=>{"use strict";Object.defineProperty(td,"__esModule",{value:!0});var hn=L(),ed=pf(),mf=Ka(),zA=So(),NA=J(),DA={message:o(({params:{discrError:e,tagName:t}})=>e===ed.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,hn._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},MA={keyword:"discriminator",type:"object",schemaType:"object",error:DA,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:i}=e,{oneOf:s}=a;if(!i.opts.discriminator)throw new Error("discriminator: requires discriminator option");let u=n.propertyName;if(typeof u!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!s)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),l=t.const("tag",(0,hn._)`${r}${(0,hn.getProperty)(u)}`);t.if((0,hn._)`typeof ${l} == "string"`,()=>p(),()=>e.error(!1,{discrError:ed.DiscrError.Tag,tag:l,tagName:u})),e.ok(d);function p(){let _=f();t.if(!1);for(let S in _)t.elseIf((0,hn._)`${l} === ${S}`),t.assign(d,m(_[S]));t.else(),e.error(!1,{discrError:ed.DiscrError.Mapping,tag:l,tagName:u}),t.endIf()}o(p,"validateMapping");function m(_){let S=t.name("valid"),y=e.subschema({keyword:"oneOf",schemaProp:_},S);return e.mergeEvaluated(y,hn.Name),S}o(m,"applyTagSchema");function f(){var _;let S={},y=v(a),w=!0;for(let N=0;N<s.length;N++){let M=s[N];if(M?.$ref&&!(0,NA.schemaHasRulesButRef)(M,i.self.RULES)){let Ot=M.$ref;if(M=mf.resolveRef.call(i.self,i.schemaEnv.root,i.baseId,Ot),M instanceof mf.SchemaEnv&&(M=M.schema),M===void 0)throw new zA.default(i.opts.uriResolver,i.baseId,Ot)}let Ye=(_=M?.properties)===null||_===void 0?void 0:_[u];if(typeof Ye!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${u}"`);w=w&&(y||v(M)),R(Ye,N)}if(!w)throw new Error(`discriminator: "${u}" must be required`);return S;function v({required:N}){return Array.isArray(N)&&N.includes(u)}function R(N,M){if(N.const)C(N.const,M);else if(N.enum)for(let Ye of N.enum)C(Ye,M);else throw new Error(`discriminator: "properties/${u}" must have "const" or "enum"`)}function C(N,M){if(typeof N!="string"||N in S)throw new Error(`discriminator: "${u}" values must be unique strings`);S[N]=M}}o(f,"getMapping")}};td.default=MA});var ff=T((QH,qA)=>{qA.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var nd=T((ie,rd)=>{"use strict";Object.defineProperty(ie,"__esModule",{value:!0});ie.MissingRefError=ie.ValidationError=ie.CodeGen=ie.Name=ie.nil=ie.stringify=ie.str=ie._=ie.KeywordCxt=ie.Ajv=void 0;var $A=dh(),LA=df(),jA=hf(),gf=ff(),HA=["/properties"],hi="http://json-schema.org/draft-07/schema",fn=class extends $A.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),LA.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(jA.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(gf,HA):gf;this.addMetaSchema(t,hi,!1),this.refs["http://json-schema.org/schema"]=hi}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(hi)?hi:void 0)}};ie.Ajv=fn;rd.exports=ie=fn;rd.exports.Ajv=fn;Object.defineProperty(ie,"__esModule",{value:!0});ie.default=fn;var GA=yo();Object.defineProperty(ie,"KeywordCxt",{enumerable:!0,get:o(function(){return GA.KeywordCxt},"get")});var gn=L();Object.defineProperty(ie,"_",{enumerable:!0,get:o(function(){return gn._},"get")});Object.defineProperty(ie,"str",{enumerable:!0,get:o(function(){return gn.str},"get")});Object.defineProperty(ie,"stringify",{enumerable:!0,get:o(function(){return gn.stringify},"get")});Object.defineProperty(ie,"nil",{enumerable:!0,get:o(function(){return gn.nil},"get")});Object.defineProperty(ie,"Name",{enumerable:!0,get:o(function(){return gn.Name},"get")});Object.defineProperty(ie,"CodeGen",{enumerable:!0,get:o(function(){return gn.CodeGen},"get")});var BA=Fa();Object.defineProperty(ie,"ValidationError",{enumerable:!0,get:o(function(){return BA.default},"get")});var VA=So();Object.defineProperty(ie,"MissingRefError",{enumerable:!0,get:o(function(){return VA.default},"get")})});var If=T(Tt=>{"use strict";Object.defineProperty(Tt,"__esModule",{value:!0});Tt.formatNames=Tt.fastFormats=Tt.fullFormats=void 0;function Ct(e,t){return{validate:e,compare:t}}o(Ct,"fmtDef");Tt.fullFormats={date:Ct(wf,sd),time:Ct(ad(!0),cd),"date-time":Ct(_f(!0),Rf),"iso-time":Ct(ad(),vf),"iso-date-time":Ct(_f(),bf),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:YA,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:ok,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:XA,int32:{type:"number",validate:tk},int64:{type:"number",validate:rk},float:{type:"number",validate:Sf},double:{type:"number",validate:Sf},password:!0,binary:!0};Tt.fastFormats={...Tt.fullFormats,date:Ct(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,sd),time:Ct(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,cd),"date-time":Ct(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Rf),"iso-time":Ct(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,vf),"iso-date-time":Ct(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,bf),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};Tt.formatNames=Object.keys(Tt.fullFormats);function FA(e){return e%4===0&&(e%100!==0||e%400===0)}o(FA,"isLeapYear");var ZA=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,KA=[0,31,28,31,30,31,30,31,31,30,31,30,31];function wf(e){let t=ZA.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&FA(r)?29:KA[n])}o(wf,"date");function sd(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(sd,"compareDate");var od=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function ad(e){return o(function(r){let n=od.exec(r);if(!n)return!1;let a=+n[1],i=+n[2],s=+n[3],u=n[4],d=n[5]==="-"?-1:1,l=+(n[6]||0),p=+(n[7]||0);if(l>23||p>59||e&&!u)return!1;if(a<=23&&i<=59&&s<60)return!0;let m=i-p*d,f=a-l*d-(m<0?1:0);return(f===23||f===-1)&&(m===59||m===-1)&&s<61},"time")}o(ad,"getTime");function cd(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(cd,"compareTime");function vf(e,t){if(!(e&&t))return;let r=od.exec(e),n=od.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(vf,"compareIsoTime");var id=/t|\s/i;function _f(e){let t=ad(e);return o(function(n){let a=n.split(id);return a.length===2&&wf(a[0])&&t(a[1])},"date_time")}o(_f,"getDateTime");function Rf(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(Rf,"compareDateTime");function bf(e,t){if(!(e&&t))return;let[r,n]=e.split(id),[a,i]=t.split(id),s=sd(r,a);if(s!==void 0)return s||cd(n,i)}o(bf,"compareIsoDateTime");var WA=/\/|:/,JA=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function YA(e){return WA.test(e)&&JA.test(e)}o(YA,"uri");var yf=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function XA(e){return yf.lastIndex=0,yf.test(e)}o(XA,"byte");var QA=-(2**31),ek=2**31-1;function tk(e){return Number.isInteger(e)&&e<=ek&&e>=QA}o(tk,"validateInt32");function rk(e){return Number.isInteger(e)}o(rk,"validateInt64");function Sf(){return!0}o(Sf,"validateNumber");var nk=/[^\\]\\Z/;function ok(e){if(nk.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(ok,"regex")});var Cf=T(_n=>{"use strict";Object.defineProperty(_n,"__esModule",{value:!0});_n.formatLimitDefinition=void 0;var ak=nd(),ft=L(),lr=ft.operators,fi={formatMaximum:{okStr:"<=",ok:lr.LTE,fail:lr.GT},formatMinimum:{okStr:">=",ok:lr.GTE,fail:lr.LT},formatExclusiveMaximum:{okStr:"<",ok:lr.LT,fail:lr.GTE},formatExclusiveMinimum:{okStr:">",ok:lr.GT,fail:lr.LTE}},ik={message:o(({keyword:e,schemaCode:t})=>(0,ft.str)`should be ${fi[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ft._)`{comparison: ${fi[e].okStr}, limit: ${t}}`,"params")};_n.formatLimitDefinition={keyword:Object.keys(fi),type:"string",schemaType:"string",$data:!0,error:ik,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:i}=e,{opts:s,self:u}=i;if(!s.validateFormats)return;let d=new ak.KeywordCxt(i,u.RULES.all.format.definition,"format");d.$data?l():p();function l(){let f=t.scopeValue("formats",{ref:u.formats,code:s.code.formats}),_=t.const("fmt",(0,ft._)`${f}[${d.schemaCode}]`);e.fail$data((0,ft.or)((0,ft._)`typeof ${_} != "object"`,(0,ft._)`${_} instanceof RegExp`,(0,ft._)`typeof ${_}.compare != "function"`,m(_)))}o(l,"validate$DataFormat");function p(){let f=d.schema,_=u.formats[f];if(!_||_===!0)return;if(typeof _!="object"||_ instanceof RegExp||typeof _.compare!="function")throw new Error(`"${a}": format "${f}" does not define "compare" function`);let S=t.scopeValue("formats",{key:f,ref:_,code:s.code.formats?(0,ft._)`${s.code.formats}${(0,ft.getProperty)(f)}`:void 0});e.fail$data(m(S))}o(p,"validateFormat");function m(f){return(0,ft._)`${f}.compare(${r}, ${n}) ${fi[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var sk=o(e=>(e.addKeyword(_n.formatLimitDefinition),e),"formatLimitPlugin");_n.default=sk});var Ef=T((Uo,kf)=>{"use strict";Object.defineProperty(Uo,"__esModule",{value:!0});var yn=If(),ck=Cf(),ud=L(),Tf=new ud.Name("fullFormats"),uk=new ud.Name("fastFormats"),dd=o((e,t={keywords:!0})=>{if(Array.isArray(t))return Af(e,t,yn.fullFormats,Tf),e;let[r,n]=t.mode==="fast"?[yn.fastFormats,uk]:[yn.fullFormats,Tf],a=t.formats||yn.formatNames;return Af(e,a,r,n),t.keywords&&(0,ck.default)(e),e},"formatsPlugin");dd.get=(e,t="full")=>{let n=(t==="fast"?yn.fastFormats:yn.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function Af(e,t,r,n){var a,i;(a=(i=e.opts.code).formats)!==null&&a!==void 0||(i.formats=(0,ud._)`require("ajv-formats/dist/formats").${n}`);for(let s of t)e.addFormat(s,r[s])}o(Af,"addFormats");kf.exports=Uo=dd;Object.defineProperty(Uo,"__esModule",{value:!0});Uo.default=dd});Jw();function Jt(e){return!!e._zod}o(Jt,"isZ4Schema");function Me(e,t){return Jt(e)?Ms(e,t):e.safeParse(t)}o(Me,"safeParse");function Jr(e){if(!e)return;let t;if(Jt(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(Jr,"getObjectShape");function Ap(e){if(Jt(e)){let i=e._zod?.def;if(i){if(i.value!==void 0)return i.value;if(Array.isArray(i.values)&&i.values.length>0)return i.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(Ap,"getLiteralValue");X();var Xt="2025-11-25",kp="2025-03-26",Qt=[Xt,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],er="io.modelcontextprotocol/related-task",wa="2.0",ve=Ip(e=>e!==null&&(typeof e=="object"||typeof e=="function")),Ep=ce([h(),K().int()]),Pp=h(),_M=we({ttl:K().optional(),pollInterval:K().optional()}),Qw=I({ttl:K().optional()}),ev=I({taskId:h()}),js=we({progressToken:Ep.optional(),[er]:ev.optional()}),Qe=I({_meta:js.optional()}),Zn=Qe.extend({task:Qw.optional()}),xp=o(e=>Zn.safeParse(e).success,"isTaskAugmentedRequestParams"),be=I({method:h(),params:Qe.loose().optional()}),tt=I({_meta:js.optional()}),rt=I({method:h(),params:tt.loose().optional()}),Ie=we({_meta:js.optional()}),va=ce([h(),K().int()]),Op=I({jsonrpc:E(wa),id:va,...be.shape}).strict(),wt=o(e=>Op.safeParse(e).success,"isJSONRPCRequest"),Up=I({jsonrpc:E(wa),...rt.shape}).strict(),zp=o(e=>Up.safeParse(e).success,"isJSONRPCNotification"),Hs=I({jsonrpc:E(wa),id:va,result:Ie}).strict(),dt=o(e=>Hs.safeParse(e).success,"isJSONRPCResultResponse");var k;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(k||(k={}));var Gs=I({jsonrpc:E(wa),id:va.optional(),error:I({code:K().int(),message:h(),data:fe().optional()})}).strict();var Xr=o(e=>Gs.safeParse(e).success,"isJSONRPCErrorResponse");var wr=ce([Op,Up,Hs,Gs]),yM=ce([Hs,Gs]),zt=Ie.strict(),tv=tt.extend({requestId:va.optional(),reason:h().optional()}),Ra=rt.extend({method:E("notifications/cancelled"),params:tv}),rv=I({src:h(),mimeType:h().optional(),sizes:b(h()).optional(),theme:Xe(["light","dark"]).optional()}),Kn=I({icons:b(rv).optional()}),Yr=I({name:h(),title:h().optional()}),Qr=Yr.extend({...Yr.shape,...Kn.shape,version:h(),websiteUrl:h().optional(),description:h().optional()}),nv=$s(I({applyDefaults:te().optional()}),oe(h(),fe())),ov=Ls(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,$s(I({form:nv.optional(),url:ve.optional()}),oe(h(),fe()).optional())),av=we({list:ve.optional(),cancel:ve.optional(),requests:we({sampling:we({createMessage:ve.optional()}).optional(),elicitation:we({create:ve.optional()}).optional()}).optional()}),iv=we({list:ve.optional(),cancel:ve.optional(),requests:we({tools:we({call:ve.optional()}).optional()}).optional()}),sv=I({experimental:oe(h(),ve).optional(),sampling:I({context:ve.optional(),tools:ve.optional()}).optional(),elicitation:ov.optional(),roots:I({listChanged:te().optional()}).optional(),tasks:av.optional(),extensions:oe(h(),ve).optional()}),cv=Qe.extend({protocolVersion:h(),capabilities:sv,clientInfo:Qr}),ba=be.extend({method:E("initialize"),params:cv}),Bs=o(e=>ba.safeParse(e).success,"isInitializeRequest"),uv=I({experimental:oe(h(),ve).optional(),logging:ve.optional(),completions:ve.optional(),prompts:I({listChanged:te().optional()}).optional(),resources:I({subscribe:te().optional(),listChanged:te().optional()}).optional(),tools:I({listChanged:te().optional()}).optional(),tasks:iv.optional(),extensions:oe(h(),ve).optional()}),Vs=Ie.extend({protocolVersion:h(),capabilities:uv,serverInfo:Qr,instructions:h().optional()}),Ia=rt.extend({method:E("notifications/initialized"),params:tt.optional()}),Np=o(e=>Ia.safeParse(e).success,"isInitializedNotification"),Ca=be.extend({method:E("ping"),params:Qe.optional()}),dv=I({progress:K(),total:pe(K()),message:pe(h())}),lv=I({...tt.shape,...dv.shape,progressToken:Ep}),Ta=rt.extend({method:E("notifications/progress"),params:lv}),pv=Qe.extend({cursor:Pp.optional()}),Wn=be.extend({params:pv.optional()}),Jn=Ie.extend({nextCursor:Pp.optional()}),mv=Xe(["working","input_required","completed","failed","cancelled"]),Yn=I({taskId:h(),status:mv,ttl:ce([K(),Rp()]),createdAt:h(),lastUpdatedAt:h(),pollInterval:pe(K()),statusMessage:pe(h())}),Nt=Ie.extend({task:Yn}),hv=tt.merge(Yn),Xn=rt.extend({method:E("notifications/tasks/status"),params:hv}),Aa=be.extend({method:E("tasks/get"),params:Qe.extend({taskId:h()})}),ka=Ie.merge(Yn),Ea=be.extend({method:E("tasks/result"),params:Qe.extend({taskId:h()})}),SM=Ie.loose(),Pa=Wn.extend({method:E("tasks/list")}),xa=Jn.extend({tasks:b(Yn)}),Oa=be.extend({method:E("tasks/cancel"),params:Qe.extend({taskId:h()})}),Dp=Ie.merge(Yn),Mp=I({uri:h(),mimeType:pe(h()),_meta:oe(h(),fe()).optional()}),qp=Mp.extend({text:h()}),Fs=h().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),$p=Mp.extend({blob:Fs}),Qn=Xe(["user","assistant"]),en=I({audience:b(Qn).optional(),priority:K().min(0).max(1).optional(),lastModified:wp.datetime({offset:!0}).optional()}),Lp=I({...Yr.shape,...Kn.shape,uri:h(),description:pe(h()),mimeType:pe(h()),size:pe(K()),annotations:en.optional(),_meta:pe(we({}))}),fv=I({...Yr.shape,...Kn.shape,uriTemplate:h(),description:pe(h()),mimeType:pe(h()),annotations:en.optional(),_meta:pe(we({}))}),Zs=Wn.extend({method:E("resources/list")}),Ks=Jn.extend({resources:b(Lp)}),gv=Wn.extend({method:E("resources/templates/list")}),Ws=Jn.extend({resourceTemplates:b(fv)}),Js=Qe.extend({uri:h()}),_v=Js,Ys=be.extend({method:E("resources/read"),params:_v}),Xs=Ie.extend({contents:b(ce([qp,$p]))}),Qs=rt.extend({method:E("notifications/resources/list_changed"),params:tt.optional()}),yv=Js,Sv=be.extend({method:E("resources/subscribe"),params:yv}),wv=Js,vv=be.extend({method:E("resources/unsubscribe"),params:wv}),Rv=tt.extend({uri:h()}),bv=rt.extend({method:E("notifications/resources/updated"),params:Rv}),Iv=I({name:h(),description:pe(h()),required:pe(te())}),Cv=I({...Yr.shape,...Kn.shape,description:pe(h()),arguments:pe(b(Iv)),_meta:pe(we({}))}),ec=Wn.extend({method:E("prompts/list")}),tc=Jn.extend({prompts:b(Cv)}),Tv=Qe.extend({name:h(),arguments:oe(h(),h()).optional()}),rc=be.extend({method:E("prompts/get"),params:Tv}),nc=I({type:E("text"),text:h(),annotations:en.optional(),_meta:oe(h(),fe()).optional()}),oc=I({type:E("image"),data:Fs,mimeType:h(),annotations:en.optional(),_meta:oe(h(),fe()).optional()}),ac=I({type:E("audio"),data:Fs,mimeType:h(),annotations:en.optional(),_meta:oe(h(),fe()).optional()}),Av=I({type:E("tool_use"),name:h(),id:h(),input:oe(h(),fe()),_meta:oe(h(),fe()).optional()}),kv=I({type:E("resource"),resource:ce([qp,$p]),annotations:en.optional(),_meta:oe(h(),fe()).optional()}),Ev=Lp.extend({type:E("resource_link")}),ic=ce([nc,oc,ac,Ev,kv]),Pv=I({role:Qn,content:ic}),sc=Ie.extend({description:h().optional(),messages:b(Pv)}),cc=rt.extend({method:E("notifications/prompts/list_changed"),params:tt.optional()}),xv=I({title:h().optional(),readOnlyHint:te().optional(),destructiveHint:te().optional(),idempotentHint:te().optional(),openWorldHint:te().optional()}),Ov=I({taskSupport:Xe(["required","optional","forbidden"]).optional()}),jp=I({...Yr.shape,...Kn.shape,description:h().optional(),inputSchema:I({type:E("object"),properties:oe(h(),ve).optional(),required:b(h()).optional()}).catchall(fe()),outputSchema:I({type:E("object"),properties:oe(h(),ve).optional(),required:b(h()).optional()}).catchall(fe()).optional(),annotations:xv.optional(),execution:Ov.optional(),_meta:oe(h(),fe()).optional()}),uc=Wn.extend({method:E("tools/list")}),dc=Jn.extend({tools:b(jp)}),tr=Ie.extend({content:b(ic).default([]),structuredContent:oe(h(),fe()).optional(),isError:te().optional()}),wM=tr.or(Ie.extend({toolResult:fe()})),Uv=Zn.extend({name:h(),arguments:oe(h(),fe()).optional()}),eo=be.extend({method:E("tools/call"),params:Uv}),lc=rt.extend({method:E("notifications/tools/list_changed"),params:tt.optional()}),Hp=I({autoRefresh:te().default(!0),debounceMs:K().int().nonnegative().default(300)}),to=Xe(["debug","info","notice","warning","error","critical","alert","emergency"]),zv=Qe.extend({level:to}),pc=be.extend({method:E("logging/setLevel"),params:zv}),Nv=tt.extend({level:to,logger:h().optional(),data:fe()}),Dv=rt.extend({method:E("notifications/message"),params:Nv}),Mv=I({name:h().optional()}),qv=I({hints:b(Mv).optional(),costPriority:K().min(0).max(1).optional(),speedPriority:K().min(0).max(1).optional(),intelligencePriority:K().min(0).max(1).optional()}),$v=I({mode:Xe(["auto","required","none"]).optional()}),Lv=I({type:E("tool_result"),toolUseId:h().describe("The unique identifier for the corresponding tool call."),content:b(ic).default([]),structuredContent:I({}).loose().optional(),isError:te().optional(),_meta:oe(h(),fe()).optional()}),jv=qs("type",[nc,oc,ac]),Sa=qs("type",[nc,oc,ac,Av,Lv]),Hv=I({role:Qn,content:ce([Sa,b(Sa)]),_meta:oe(h(),fe()).optional()}),Gv=Zn.extend({messages:b(Hv),modelPreferences:qv.optional(),systemPrompt:h().optional(),includeContext:Xe(["none","thisServer","allServers"]).optional(),temperature:K().optional(),maxTokens:K().int(),stopSequences:b(h()).optional(),metadata:ve.optional(),tools:b(jp).optional(),toolChoice:$v.optional()}),mc=be.extend({method:E("sampling/createMessage"),params:Gv}),vr=Ie.extend({model:h(),stopReason:pe(Xe(["endTurn","stopSequence","maxTokens"]).or(h())),role:Qn,content:jv}),ro=Ie.extend({model:h(),stopReason:pe(Xe(["endTurn","stopSequence","maxTokens","toolUse"]).or(h())),role:Qn,content:ce([Sa,b(Sa)])}),Bv=I({type:E("boolean"),title:h().optional(),description:h().optional(),default:te().optional()}),Vv=I({type:E("string"),title:h().optional(),description:h().optional(),minLength:K().optional(),maxLength:K().optional(),format:Xe(["email","uri","date","date-time"]).optional(),default:h().optional()}),Fv=I({type:Xe(["number","integer"]),title:h().optional(),description:h().optional(),minimum:K().optional(),maximum:K().optional(),default:K().optional()}),Zv=I({type:E("string"),title:h().optional(),description:h().optional(),enum:b(h()),default:h().optional()}),Kv=I({type:E("string"),title:h().optional(),description:h().optional(),oneOf:b(I({const:h(),title:h()})),default:h().optional()}),Wv=I({type:E("string"),title:h().optional(),description:h().optional(),enum:b(h()),enumNames:b(h()).optional(),default:h().optional()}),Jv=ce([Zv,Kv]),Yv=I({type:E("array"),title:h().optional(),description:h().optional(),minItems:K().optional(),maxItems:K().optional(),items:I({type:E("string"),enum:b(h())}),default:b(h()).optional()}),Xv=I({type:E("array"),title:h().optional(),description:h().optional(),minItems:K().optional(),maxItems:K().optional(),items:I({anyOf:b(I({const:h(),title:h()}))}),default:b(h()).optional()}),Qv=ce([Yv,Xv]),eR=ce([Wv,Jv,Qv]),tR=ce([eR,Bv,Vv,Fv]),rR=Zn.extend({mode:E("form").optional(),message:h(),requestedSchema:I({type:E("object"),properties:oe(h(),tR),required:b(h()).optional()})}),nR=Zn.extend({mode:E("url"),message:h(),elicitationId:h(),url:h().url()}),oR=ce([rR,nR]),hc=be.extend({method:E("elicitation/create"),params:oR}),aR=tt.extend({elicitationId:h()}),iR=rt.extend({method:E("notifications/elicitation/complete"),params:aR}),rr=Ie.extend({action:Xe(["accept","decline","cancel"]),content:Ls(e=>e===null?void 0:e,oe(h(),ce([h(),K(),te(),b(h())])).optional())}),sR=I({type:E("ref/resource"),uri:h()});var cR=I({type:E("ref/prompt"),name:h()}),uR=Qe.extend({ref:ce([cR,sR]),argument:I({name:h(),value:h()}),context:I({arguments:oe(h(),h()).optional()}).optional()}),dR=be.extend({method:E("completion/complete"),params:uR});var fc=Ie.extend({completion:we({values:b(h()).max(100),total:pe(K().int()),hasMore:pe(te())})}),lR=I({uri:h().startsWith("file://"),name:h().optional(),_meta:oe(h(),fe()).optional()}),pR=be.extend({method:E("roots/list"),params:Qe.optional()}),gc=Ie.extend({roots:b(lR)}),mR=rt.extend({method:E("notifications/roots/list_changed"),params:tt.optional()}),vM=ce([Ca,ba,dR,pc,rc,ec,Zs,gv,Ys,Sv,vv,eo,uc,Aa,Ea,Pa,Oa]),RM=ce([Ra,Ta,Ia,mR,Xn]),bM=ce([zt,vr,ro,rr,gc,ka,xa,Nt]),IM=ce([Ca,mc,hc,pR,Aa,Ea,Pa,Oa]),CM=ce([Ra,Ta,Dv,bv,Qs,lc,cc,Xn,iR]),TM=ce([zt,Vs,fc,sc,tc,Ks,Ws,Xs,tr,dc,ka,xa,Nt]),A=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===k.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new Yt(a.elicitations,r)}return new e(t,r,n)}},Yt=class extends A{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(k.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};function nr(e){return e==="completed"||e==="failed"||e==="cancelled"}o(nr,"isTerminal");var hR=Symbol("Let zodToJsonSchema decide on which parser to use");var bq=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function _c(e){let r=Jr(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=Ap(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(_c,"getMethodLiteral");function yc(e,t){let r=Me(e,t);if(!r.success)throw r.error;return r.data}o(yc,"parseWithCompat");var wR=6e4,tn=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(Ra,r=>{this._oncancel(r)}),this.setNotificationHandler(Ta,r=>{this._onprogress(r)}),this.setRequestHandler(Ca,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(Aa,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(k.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(Ea,async(r,n)=>{let a=o(async()=>{let i=r.params.taskId;if(this._taskMessageQueue){let u;for(;u=await this._taskMessageQueue.dequeue(i,n.sessionId);){if(u.type==="response"||u.type==="error"){let d=u.message,l=d.id,p=this._requestResolvers.get(l);if(p)if(this._requestResolvers.delete(l),u.type==="response")p(d);else{let m=d,f=new A(m.error.code,m.error.message,m.error.data);p(f)}else{let m=u.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${l}`))}continue}await this._transport?.send(u.message,{relatedRequestId:n.requestId})}}let s=await this._taskStore.getTask(i,n.sessionId);if(!s)throw new A(k.InvalidParams,`Task not found: ${i}`);if(!nr(s.status))return await this._waitForTaskUpdate(i,n.signal),await a();if(nr(s.status)){let u=await this._taskStore.getTaskResult(i,n.sessionId);return this._clearTaskQueue(i),{...u,_meta:{...u._meta,[er]:{taskId:i}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(Pa,async(r,n)=>{try{let{tasks:a,nextCursor:i}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:i,_meta:{}}}catch(a){throw new A(k.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(Oa,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(k.InvalidParams,`Task not found: ${r.params.taskId}`);if(nr(a.status))throw new A(k.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let i=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!i)throw new A(k.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...i}}catch(a){throw a instanceof A?a:new A(k.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,i=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:i,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),A.fromError(k.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=i=>{n?.(i),this._onerror(i)};let a=this._transport?.onmessage;this._transport.onmessage=(i,s)=>{a?.(i,s),dt(i)||Xr(i)?this._onresponse(i):wt(i)?this._onrequest(i,s):zp(i)?this._onnotification(i):this._onerror(new Error(`Unknown message type: ${JSON.stringify(i)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=A.fromError(k.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,i=t.params?._meta?.[er]?.taskId;if(n===void 0){let p={jsonrpc:"2.0",id:t.id,error:{code:k.MethodNotFound,message:"Method not found"}};i&&this._taskMessageQueue?this._enqueueTaskMessage(i,{type:"error",message:p,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(p).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let s=new AbortController;this._requestHandlerAbortControllers.set(t.id,s);let u=xp(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,l={signal:s.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async p=>{if(s.signal.aborted)return;let m={relatedRequestId:t.id};i&&(m.relatedTask={taskId:i}),await this.notification(p,m)},"sendNotification"),sendRequest:o(async(p,m,f)=>{if(s.signal.aborted)throw new A(k.ConnectionClosed,"Request was cancelled");let _={...f,relatedRequestId:t.id};i&&!_.relatedTask&&(_.relatedTask={taskId:i});let S=_.relatedTask?.taskId??i;return S&&d&&await d.updateTaskStatus(S,"input_required"),await this.request(p,m,_)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:i,taskStore:d,taskRequestedTtl:u?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{u&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,l)).then(async p=>{if(s.signal.aborted)return;let m={result:p,jsonrpc:"2.0",id:t.id};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async p=>{if(s.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(p.code)?p.code:k.InternalError,message:p.message??"Internal error",...p.data!==void 0&&{data:p.data}}};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(p=>this._onerror(new Error(`Failed to send response: ${p}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===s&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),i=this._progressHandlers.get(a);if(!i){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let s=this._responseHandlers.get(a),u=this._timeoutInfo.get(a);if(u&&s&&u.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),s(d);return}i(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),dt(t))n(t);else{let s=new A(t.error.code,t.error.message,t.error.data);n(s)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let i=!1;if(dt(t)&&t.result&&typeof t.result=="object"){let s=t.result;if(s.task&&typeof s.task=="object"){let u=s.task;typeof u.taskId=="string"&&(i=!0,this._taskProgressTokens.set(u.taskId,r))}}if(i||this._progressHandlers.delete(r),dt(t))a(t);else{let s=A.fromError(t.error.code,t.error.message,t.error.data);a(s)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(s){yield{type:"error",error:s instanceof A?s:new A(k.InternalError,String(s))}}return}let i;try{let s=await this.request(t,Nt,n);if(s.task)i=s.task.taskId,yield{type:"taskCreated",task:s.task};else throw new A(k.InternalError,"Task creation did not return a task");for(;;){let u=await this.getTask({taskId:i},n);if(yield{type:"taskStatus",task:u},nr(u.status)){u.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)}:u.status==="failed"?yield{type:"error",error:new A(k.InternalError,`Task ${i} failed`)}:u.status==="cancelled"&&(yield{type:"error",error:new A(k.InternalError,`Task ${i} was cancelled`)});return}if(u.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)};return}let d=u.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(l=>setTimeout(l,d)),n?.signal?.throwIfAborted()}}catch(s){yield{type:"error",error:s instanceof A?s:new A(k.InternalError,String(s))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s,task:u,relatedTask:d}=n??{};return new Promise((l,p)=>{let m=o(R=>{p(R)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),u&&this.assertTaskCapability(t.method)}catch(R){m(R);return}n?.signal?.throwIfAborted();let f=this._requestMessageId++,_={...t,jsonrpc:"2.0",id:f};n?.onprogress&&(this._progressHandlers.set(f,n.onprogress),_.params={...t.params,_meta:{...t.params?._meta||{},progressToken:f}}),u&&(_.params={..._.params,task:u}),d&&(_.params={..._.params,_meta:{..._.params?._meta||{},[er]:d}});let S=o(R=>{this._responseHandlers.delete(f),this._progressHandlers.delete(f),this._cleanupTimeout(f),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:f,reason:String(R)}},{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(N=>this._onerror(new Error(`Failed to send cancellation: ${N}`)));let C=R instanceof A?R:new A(k.RequestTimeout,String(R));p(C)},"cancel");this._responseHandlers.set(f,R=>{if(!n?.signal?.aborted){if(R instanceof Error)return p(R);try{let C=Me(r,R.result);C.success?l(C.data):p(C.error)}catch(C){p(C)}}}),n?.signal?.addEventListener("abort",()=>{S(n?.signal?.reason)});let y=n?.timeout??wR,w=o(()=>S(A.fromError(k.RequestTimeout,"Request timed out",{timeout:y})),"timeoutHandler");this._setupTimeout(f,y,n?.maxTotalTimeout,w,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let R=o(C=>{let N=this._responseHandlers.get(f);N?N(C):this._onerror(new Error(`Response handler missing for side-channeled request ${f}`))},"responseResolver");this._requestResolvers.set(f,R),this._enqueueTaskMessage(v,{type:"request",message:_,timestamp:Date.now()}).catch(C=>{this._cleanupTimeout(f),p(C)})}else this._transport.send(_,{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(R=>{this._cleanupTimeout(f),p(R)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},ka,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},xa,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},Dp,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let u={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[er]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:u,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let u={...t,jsonrpc:"2.0"};r?.relatedTask&&(u={...u,params:{...u.params,_meta:{...u.params?._meta||{},[er]:r.relatedTask}}}),this._transport?.send(u,r).catch(d=>this._onerror(d))});return}let s={...t,jsonrpc:"2.0"};r?.relatedTask&&(s={...s,params:{...s.params,_meta:{...s.params?._meta||{},[er]:r.relatedTask}}}),await this._transport.send(s,r)}setRequestHandler(t,r){let n=_c(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,i)=>{let s=yc(t,a);return Promise.resolve(r(s,i))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=_c(t);this._notificationHandlers.set(n,a=>{let i=yc(t,a);return Promise.resolve(r(i))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&wt(a.message)){let i=a.message.id,s=this._requestResolvers.get(i);s?(s(new A(k.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(i)):this._onerror(new Error(`Resolver missing for request ${i} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,i)=>{if(r.aborted){i(new A(k.InvalidRequest,"Request cancelled"));return}let s=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(s),i(new A(k.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let i=await n.getTask(a,r);if(!i)throw new A(k.InvalidParams,"Failed to retrieve task: Task not found");return i},"getTask"),storeTaskResult:o(async(a,i,s)=>{await n.storeTaskResult(a,i,s,r);let u=await n.getTask(a,r);if(u){let d=Xn.parse({method:"notifications/tasks/status",params:u});await this.notification(d),nr(u.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,i,s)=>{let u=await n.getTask(a,r);if(!u)throw new A(k.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(nr(u.status))throw new A(k.InvalidParams,`Cannot update task "${a}" from terminal status "${u.status}" to "${i}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,i,s,r);let d=await n.getTask(a,r);if(d){let l=Xn.parse({method:"notifications/tasks/status",params:d});await this.notification(l),nr(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function Gp(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(Gp,"isPlainObject");function Ua(e,t){let r={...e};for(let n in t){let a=n,i=t[a];if(i===void 0)continue;let s=r[a];Gp(s)&&Gp(i)?r[a]={...s,...i}:r[a]=i}return r}o(Ua,"mergeCapabilities");var Pf=fp(nd(),1),xf=fp(Ef(),1);function dk(){let e=new Pf.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,xf.default)(e),e}o(dk,"createDefaultAjvInstance");var Sn=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??dk()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var gi=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],i=Array.isArray(a.content)?a.content:[a.content],s=i.some(p=>p.type==="tool_result"),u=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=u?Array.isArray(u.content)?u.content:[u.content]:[],l=d.some(p=>p.type==="tool_use");if(s){if(i.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!l)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(l){let p=new Set(d.filter(f=>f.type==="tool_use").map(f=>f.id)),m=new Set(i.filter(f=>f.type==="tool_result").map(f=>f.toolUseId));if(p.size!==m.size||![...p].every(f=>m.has(f)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},vr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let i=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:i},rr,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function _i(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(_i,"assertToolsCallTaskCapability");function yi(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(yi,"assertClientRequestTaskCapability");var Si=class extends tn{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(to.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let i=this._loggingLevels.get(a);return i?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(i):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new Sn,this.setRequestHandler(ba,n=>this._oninitialize(n)),this.setNotificationHandler(Ia,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(pc,async(n,a)=>{let i=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:s}=n.params,u=to.safeParse(s);return u.success&&this._loggingLevels.set(i,u.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new gi(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Ua(this._capabilities,t)}setRequestHandler(t,r){let a=Jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(Jt(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");if(i==="tools/call"){let u=o(async(d,l)=>{let p=Me(eo,d);if(!p.success){let S=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid tools/call request: ${S}`)}let{params:m}=p.data,f=await Promise.resolve(r(d,l));if(m.task){let S=Me(Nt,f);if(!S.success){let y=S.error instanceof Error?S.error.message:String(S.error);throw new A(k.InvalidParams,`Invalid task creation result: ${y}`)}return S.data}let _=Me(tr,f);if(!_.success){let S=_.error instanceof Error?_.error.message:String(_.error);throw new A(k.InvalidParams,`Invalid tools/call result: ${S}`)}return _.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){yi(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&_i(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:Qt.includes(r)?r:Xt,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},zt)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],i=a.some(l=>l.type==="tool_result"),s=t.messages.length>1?t.messages[t.messages.length-2]:void 0,u=s?Array.isArray(s.content)?s.content:[s.content]:[],d=u.some(l=>l.type==="tool_use");if(i){if(a.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let l=new Set(u.filter(m=>m.type==="tool_use").map(m=>m.id)),p=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(l.size!==p.size||![...l].every(m=>p.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},ro,r):this.request({method:"sampling/createMessage",params:t},vr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},rr,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},i=await this.request({method:"elicitation/create",params:a},rr,r);if(i.action==="accept"&&i.content&&a.requestedSchema)try{let u=this._jsonSchemaValidator.getValidator(a.requestedSchema)(i.content);if(!u.valid)throw new A(k.InvalidParams,`Elicitation response content does not match requested schema: ${u.errorMessage}`)}catch(s){throw s instanceof A?s:new A(k.InternalError,`Error validating elicitation response: ${s instanceof Error?s.message:String(s)}`)}return i}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},gc,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var wi=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let i={code:r,message:n};return a?.data!==void 0&&(i.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:i,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let i=await this._eventStore.storeEvent(n,{}),s=`id: ${i}
+    deps: ${r}}`,"params")};var $T={keyword:"dependencies",type:"object",schemaType:"object",error:bt.error,code(e){let[t,r]=LT(e);qh(e,t),$h(e,r)}};function LT({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(LT,"splitDependencies");function qh(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let i=r.let("missing");for(let s in t){let u=t[s];if(u.length===0)continue;let d=(0,xo.propertyInData)(r,n,s,a.opts.ownProperties);e.setParams({property:s,depsCount:u.length,deps:u.join(", ")}),a.allErrors?r.if(d,()=>{for(let l of u)(0,xo.checkReportMissingProp)(e,l)}):(r.if((0,Du._)`${d} && (${(0,xo.checkMissingProp)(e,u,i)})`),(0,xo.reportMissingProp)(e,i),r.else())}}o(qh,"validatePropertyDeps");bt.validatePropertyDeps=qh;function $h(e,t=e.schema){let{gen:r,data:n,keyword:a,it:i}=e,s=r.name("valid");for(let u in t)(0,qT.alwaysValidSchema)(i,t[u])||(r.if((0,xo.propertyInData)(r,n,u,i.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:u},s);e.mergeValidEvaluated(d,s)},()=>r.var(s,!0)),e.ok(s))}o($h,"validateSchemaDeps");bt.validateSchemaDeps=$h;bt.default=$T});var Hh=T(Mu=>{"use strict";Object.defineProperty(Mu,"__esModule",{value:!0});var jh=L(),jT=J(),HT={message:"property name must be valid",params:o(({params:e})=>(0,jh._)`{propertyName: ${e.propertyName}}`,"params")},GT={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:HT,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,jT.alwaysValidSchema)(a,r))return;let i=t.name("valid");t.forIn("key",n,s=>{e.setParams({propertyName:s}),e.subschema({keyword:"propertyNames",data:s,dataTypes:["string"],propertyName:s,compositeRule:!0},i),t.if((0,jh.not)(i),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(i)}};Mu.default=GT});var $u=T(qu=>{"use strict";Object.defineProperty(qu,"__esModule",{value:!0});var si=nt(),mt=L(),BT=$t(),ci=J(),VT={message:"must NOT have additional properties",params:o(({params:e})=>(0,mt._)`{additionalProperty: ${e.additionalProperty}}`,"params")},FT={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:VT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:i,it:s}=e;if(!i)throw new Error("ajv implementation error");let{allErrors:u,opts:d}=s;if(s.props=!0,d.removeAdditional!=="all"&&(0,ci.alwaysValidSchema)(s,r))return;let l=(0,si.allSchemaProperties)(n.properties),p=(0,si.allSchemaProperties)(n.patternProperties);m(),e.ok((0,mt._)`${i} === ${BT.default.errors}`);function m(){t.forIn("key",a,w=>{!l.length&&!p.length?S(w):t.if(f(w),()=>S(w))})}o(m,"checkAdditionalProperties");function f(w){let v;if(l.length>8){let R=(0,ci.schemaRefOrVal)(s,n.properties,"properties");v=(0,si.isOwnProperty)(t,R,w)}else l.length?v=(0,mt.or)(...l.map(R=>(0,mt._)`${w} === ${R}`)):v=mt.nil;return p.length&&(v=(0,mt.or)(v,...p.map(R=>(0,mt._)`${(0,si.usePattern)(e,R)}.test(${w})`))),(0,mt.not)(v)}o(f,"isAdditional");function _(w){t.code((0,mt._)`delete ${a}[${w}]`)}o(_,"deleteAdditional");function S(w){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){_(w);return}if(r===!1){e.setParams({additionalProperty:w}),e.error(),u||t.break();return}if(typeof r=="object"&&!(0,ci.alwaysValidSchema)(s,r)){let v=t.name("valid");d.removeAdditional==="failing"?(y(w,v,!1),t.if((0,mt.not)(v),()=>{e.reset(),_(w)})):(y(w,v),u||t.if((0,mt.not)(v),()=>t.break()))}}o(S,"additionalPropertyCode");function y(w,v,R){let I={keyword:"additionalProperties",dataProp:w,dataPropType:ci.Type.Str};R===!1&&Object.assign(I,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(I,v)}o(y,"applyAdditionalSchema")}};qu.default=FT});var Vh=T(ju=>{"use strict";Object.defineProperty(ju,"__esModule",{value:!0});var ZT=_o(),Gh=nt(),Lu=J(),Bh=$u(),KT={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e;i.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&Bh.default.code(new ZT.KeywordCxt(i,Bh.default,"additionalProperties"));let s=(0,Gh.allSchemaProperties)(r);for(let m of s)i.definedProperties.add(m);i.opts.unevaluated&&s.length&&i.props!==!0&&(i.props=Lu.mergeEvaluated.props(t,(0,Lu.toHash)(s),i.props));let u=s.filter(m=>!(0,Lu.alwaysValidSchema)(i,r[m]));if(u.length===0)return;let d=t.name("valid");for(let m of u)l(m)?p(m):(t.if((0,Gh.propertyInData)(t,a,m,i.opts.ownProperties)),p(m),i.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function l(m){return i.opts.useDefaults&&!i.compositeRule&&r[m].default!==void 0}o(l,"hasDefault");function p(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(p,"applyPropertySchema")}};ju.default=KT});var Wh=T(Hu=>{"use strict";Object.defineProperty(Hu,"__esModule",{value:!0});var Fh=nt(),ui=L(),Zh=J(),Kh=J(),WT={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:i}=e,{opts:s}=i,u=(0,Fh.allSchemaProperties)(r),d=u.filter(y=>(0,Zh.alwaysValidSchema)(i,r[y]));if(u.length===0||d.length===u.length&&(!i.opts.unevaluated||i.props===!0))return;let l=s.strictSchema&&!s.allowMatchingProperties&&a.properties,p=t.name("valid");i.props!==!0&&!(i.props instanceof ui.Name)&&(i.props=(0,Kh.evaluatedPropsToName)(t,i.props));let{props:m}=i;f();function f(){for(let y of u)l&&_(y),i.allErrors?S(y):(t.var(p,!0),S(y),t.if(p))}o(f,"validatePatternProperties");function _(y){for(let w in l)new RegExp(y).test(w)&&(0,Zh.checkStrictMode)(i,`property ${w} matches pattern ${y} (use allowMatchingProperties)`)}o(_,"checkMatchingProperties");function S(y){t.forIn("key",n,w=>{t.if((0,ui._)`${(0,Fh.usePattern)(e,y)}.test(${w})`,()=>{let v=d.includes(y);v||e.subschema({keyword:"patternProperties",schemaProp:y,dataProp:w,dataPropType:Kh.Type.Str},p),i.opts.unevaluated&&m!==!0?t.assign((0,ui._)`${m}[${w}]`,!0):!v&&!i.allErrors&&t.if((0,ui.not)(p),()=>t.break())})})}o(S,"validateProperties")}};Hu.default=WT});var Jh=T(Gu=>{"use strict";Object.defineProperty(Gu,"__esModule",{value:!0});var JT=J(),YT={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,JT.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Gu.default=YT});var Yh=T(Bu=>{"use strict";Object.defineProperty(Bu,"__esModule",{value:!0});var XT=nt(),QT={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:XT.validateUnion,error:{message:"must match a schema in anyOf"}};Bu.default=QT});var Xh=T(Vu=>{"use strict";Object.defineProperty(Vu,"__esModule",{value:!0});var di=L(),eA=J(),tA={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,di._)`{passingSchemas: ${e.passing}}`,"params")},rA={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:tA,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let i=r,s=t.let("valid",!1),u=t.let("passing",null),d=t.name("_valid");e.setParams({passing:u}),t.block(l),e.result(s,()=>e.reset(),()=>e.error(!0));function l(){i.forEach((p,m)=>{let f;(0,eA.alwaysValidSchema)(a,p)?t.var(d,!0):f=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,di._)`${d} && ${s}`).assign(s,!1).assign(u,(0,di._)`[${u}, ${m}]`).else(),t.if(d,()=>{t.assign(s,!0),t.assign(u,m),f&&e.mergeEvaluated(f,di.Name)})})}o(l,"validateOneOf")}};Vu.default=rA});var Qh=T(Fu=>{"use strict";Object.defineProperty(Fu,"__esModule",{value:!0});var nA=J(),oA={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((i,s)=>{if((0,nA.alwaysValidSchema)(n,i))return;let u=e.subschema({keyword:"allOf",schemaProp:s},a);e.ok(a),e.mergeEvaluated(u)})}};Fu.default=oA});var rf=T(Zu=>{"use strict";Object.defineProperty(Zu,"__esModule",{value:!0});var li=L(),tf=J(),aA={message:o(({params:e})=>(0,li.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,li._)`{failingKeyword: ${e.ifClause}}`,"params")},iA={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:aA,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,tf.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=ef(n,"then"),i=ef(n,"else");if(!a&&!i)return;let s=t.let("valid",!0),u=t.name("_valid");if(d(),e.reset(),a&&i){let p=t.let("ifClause");e.setParams({ifClause:p}),t.if(u,l("then",p),l("else",p))}else a?t.if(u,l("then")):t.if((0,li.not)(u),l("else"));e.pass(s,()=>e.error(!0));function d(){let p=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},u);e.mergeEvaluated(p)}o(d,"validateIf");function l(p,m){return()=>{let f=e.subschema({keyword:p},u);t.assign(s,u),e.mergeValidEvaluated(f,s),m?t.assign(m,(0,li._)`${p}`):e.setParams({ifClause:p})}}o(l,"validateClause")}};function ef(e,t){let r=e.schema[t];return r!==void 0&&!(0,tf.alwaysValidSchema)(e,r)}o(ef,"hasSchema");Zu.default=iA});var nf=T(Ku=>{"use strict";Object.defineProperty(Ku,"__esModule",{value:!0});var sA=J(),cA={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,sA.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};Ku.default=cA});var of=T(Wu=>{"use strict";Object.defineProperty(Wu,"__esModule",{value:!0});var uA=xu(),dA=zh(),lA=Ou(),pA=Dh(),mA=Mh(),hA=Lh(),fA=Hh(),gA=$u(),_A=Vh(),yA=Wh(),SA=Jh(),wA=Yh(),vA=Xh(),RA=Qh(),bA=rf(),CA=nf();function IA(e=!1){let t=[SA.default,wA.default,vA.default,RA.default,bA.default,CA.default,fA.default,gA.default,hA.default,_A.default,yA.default];return e?t.push(dA.default,pA.default):t.push(uA.default,lA.default),t.push(mA.default),t}o(IA,"getApplicator");Wu.default=IA});var af=T(Ju=>{"use strict";Object.defineProperty(Ju,"__esModule",{value:!0});var fe=L(),TA={message:o(({schemaCode:e})=>(0,fe.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,fe._)`{format: ${e}}`,"params")},AA={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:TA,code(e,t){let{gen:r,data:n,$data:a,schema:i,schemaCode:s,it:u}=e,{opts:d,errSchemaPath:l,schemaEnv:p,self:m}=u;if(!d.validateFormats)return;a?f():_();function f(){let S=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),y=r.const("fDef",(0,fe._)`${S}[${s}]`),w=r.let("fType"),v=r.let("format");r.if((0,fe._)`typeof ${y} == "object" && !(${y} instanceof RegExp)`,()=>r.assign(w,(0,fe._)`${y}.type || "string"`).assign(v,(0,fe._)`${y}.validate`),()=>r.assign(w,(0,fe._)`"string"`).assign(v,y)),e.fail$data((0,fe.or)(R(),I()));function R(){return d.strictSchema===!1?fe.nil:(0,fe._)`${s} && !${v}`}o(R,"unknownFmt");function I(){let N=p.$async?(0,fe._)`(${y}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,fe._)`${v}(${n})`,M=(0,fe._)`(typeof ${v} == "function" ? ${N} : ${v}.test(${n}))`;return(0,fe._)`${v} && ${v} !== true && ${w} === ${t} && !${M}`}o(I,"invalidFmt")}o(f,"validate$DataFormat");function _(){let S=m.formats[i];if(!S){R();return}if(S===!0)return;let[y,w,v]=I(S);y===t&&e.pass(N());function R(){if(d.strictSchema===!1){m.logger.warn(M());return}throw new Error(M());function M(){return`unknown format "${i}" ignored in schema at path "${l}"`}}o(R,"unknownFormat");function I(M){let Ye=M instanceof RegExp?(0,fe.regexpCode)(M):d.code.formats?(0,fe._)`${d.code.formats}${(0,fe.getProperty)(i)}`:void 0,xt=r.scopeValue("formats",{key:i,ref:M,code:Ye});return typeof M=="object"&&!(M instanceof RegExp)?[M.type||"string",M.validate,(0,fe._)`${xt}.validate`]:["string",M,xt]}o(I,"getFormat");function N(){if(typeof S=="object"&&!(S instanceof RegExp)&&S.async){if(!p.$async)throw new Error("async format in sync schema");return(0,fe._)`await ${v}(${n})`}return typeof w=="function"?(0,fe._)`${v}(${n})`:(0,fe._)`${v}.test(${n})`}o(N,"validCondition")}o(_,"validateFormat")}};Ju.default=AA});var sf=T(Yu=>{"use strict";Object.defineProperty(Yu,"__esModule",{value:!0});var kA=af(),PA=[kA.default];Yu.default=PA});var cf=T(mn=>{"use strict";Object.defineProperty(mn,"__esModule",{value:!0});mn.contentVocabulary=mn.metadataVocabulary=void 0;mn.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];mn.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var df=T(Xu=>{"use strict";Object.defineProperty(Xu,"__esModule",{value:!0});var EA=gh(),xA=Eh(),OA=of(),UA=sf(),uf=cf(),zA=[EA.default,xA.default,(0,OA.default)(),UA.default,uf.metadataVocabulary,uf.contentVocabulary];Xu.default=zA});var pf=T(pi=>{"use strict";Object.defineProperty(pi,"__esModule",{value:!0});pi.DiscrError=void 0;var lf;(function(e){e.Tag="tag",e.Mapping="mapping"})(lf||(pi.DiscrError=lf={}))});var hf=T(ed=>{"use strict";Object.defineProperty(ed,"__esModule",{value:!0});var hn=L(),Qu=pf(),mf=Za(),NA=yo(),DA=J(),MA={message:o(({params:{discrError:e,tagName:t}})=>e===Qu.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,hn._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},qA={keyword:"discriminator",type:"object",schemaType:"object",error:MA,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:i}=e,{oneOf:s}=a;if(!i.opts.discriminator)throw new Error("discriminator: requires discriminator option");let u=n.propertyName;if(typeof u!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!s)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),l=t.const("tag",(0,hn._)`${r}${(0,hn.getProperty)(u)}`);t.if((0,hn._)`typeof ${l} == "string"`,()=>p(),()=>e.error(!1,{discrError:Qu.DiscrError.Tag,tag:l,tagName:u})),e.ok(d);function p(){let _=f();t.if(!1);for(let S in _)t.elseIf((0,hn._)`${l} === ${S}`),t.assign(d,m(_[S]));t.else(),e.error(!1,{discrError:Qu.DiscrError.Mapping,tag:l,tagName:u}),t.endIf()}o(p,"validateMapping");function m(_){let S=t.name("valid"),y=e.subschema({keyword:"oneOf",schemaProp:_},S);return e.mergeEvaluated(y,hn.Name),S}o(m,"applyTagSchema");function f(){var _;let S={},y=v(a),w=!0;for(let N=0;N<s.length;N++){let M=s[N];if(M?.$ref&&!(0,DA.schemaHasRulesButRef)(M,i.self.RULES)){let xt=M.$ref;if(M=mf.resolveRef.call(i.self,i.schemaEnv.root,i.baseId,xt),M instanceof mf.SchemaEnv&&(M=M.schema),M===void 0)throw new NA.default(i.opts.uriResolver,i.baseId,xt)}let Ye=(_=M?.properties)===null||_===void 0?void 0:_[u];if(typeof Ye!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${u}"`);w=w&&(y||v(M)),R(Ye,N)}if(!w)throw new Error(`discriminator: "${u}" must be required`);return S;function v({required:N}){return Array.isArray(N)&&N.includes(u)}function R(N,M){if(N.const)I(N.const,M);else if(N.enum)for(let Ye of N.enum)I(Ye,M);else throw new Error(`discriminator: "properties/${u}" must have "const" or "enum"`)}function I(N,M){if(typeof N!="string"||N in S)throw new Error(`discriminator: "${u}" values must be unique strings`);S[N]=M}}o(f,"getMapping")}};ed.default=qA});var ff=T((rG,$A)=>{$A.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var rd=T((ae,td)=>{"use strict";Object.defineProperty(ae,"__esModule",{value:!0});ae.MissingRefError=ae.ValidationError=ae.CodeGen=ae.Name=ae.nil=ae.stringify=ae.str=ae._=ae.KeywordCxt=ae.Ajv=void 0;var LA=dh(),jA=df(),HA=hf(),gf=ff(),GA=["/properties"],mi="http://json-schema.org/draft-07/schema",fn=class extends LA.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),jA.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(HA.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(gf,GA):gf;this.addMetaSchema(t,mi,!1),this.refs["http://json-schema.org/schema"]=mi}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(mi)?mi:void 0)}};ae.Ajv=fn;td.exports=ae=fn;td.exports.Ajv=fn;Object.defineProperty(ae,"__esModule",{value:!0});ae.default=fn;var BA=_o();Object.defineProperty(ae,"KeywordCxt",{enumerable:!0,get:o(function(){return BA.KeywordCxt},"get")});var gn=L();Object.defineProperty(ae,"_",{enumerable:!0,get:o(function(){return gn._},"get")});Object.defineProperty(ae,"str",{enumerable:!0,get:o(function(){return gn.str},"get")});Object.defineProperty(ae,"stringify",{enumerable:!0,get:o(function(){return gn.stringify},"get")});Object.defineProperty(ae,"nil",{enumerable:!0,get:o(function(){return gn.nil},"get")});Object.defineProperty(ae,"Name",{enumerable:!0,get:o(function(){return gn.Name},"get")});Object.defineProperty(ae,"CodeGen",{enumerable:!0,get:o(function(){return gn.CodeGen},"get")});var VA=Va();Object.defineProperty(ae,"ValidationError",{enumerable:!0,get:o(function(){return VA.default},"get")});var FA=yo();Object.defineProperty(ae,"MissingRefError",{enumerable:!0,get:o(function(){return FA.default},"get")})});var Cf=T(It=>{"use strict";Object.defineProperty(It,"__esModule",{value:!0});It.formatNames=It.fastFormats=It.fullFormats=void 0;function Ct(e,t){return{validate:e,compare:t}}o(Ct,"fmtDef");It.fullFormats={date:Ct(wf,id),time:Ct(od(!0),sd),"date-time":Ct(_f(!0),Rf),"iso-time":Ct(od(),vf),"iso-date-time":Ct(_f(),bf),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:XA,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:ak,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:QA,int32:{type:"number",validate:rk},int64:{type:"number",validate:nk},float:{type:"number",validate:Sf},double:{type:"number",validate:Sf},password:!0,binary:!0};It.fastFormats={...It.fullFormats,date:Ct(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,id),time:Ct(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,sd),"date-time":Ct(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Rf),"iso-time":Ct(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,vf),"iso-date-time":Ct(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,bf),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};It.formatNames=Object.keys(It.fullFormats);function ZA(e){return e%4===0&&(e%100!==0||e%400===0)}o(ZA,"isLeapYear");var KA=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,WA=[0,31,28,31,30,31,30,31,31,30,31,30,31];function wf(e){let t=KA.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&ZA(r)?29:WA[n])}o(wf,"date");function id(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(id,"compareDate");var nd=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function od(e){return o(function(r){let n=nd.exec(r);if(!n)return!1;let a=+n[1],i=+n[2],s=+n[3],u=n[4],d=n[5]==="-"?-1:1,l=+(n[6]||0),p=+(n[7]||0);if(l>23||p>59||e&&!u)return!1;if(a<=23&&i<=59&&s<60)return!0;let m=i-p*d,f=a-l*d-(m<0?1:0);return(f===23||f===-1)&&(m===59||m===-1)&&s<61},"time")}o(od,"getTime");function sd(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(sd,"compareTime");function vf(e,t){if(!(e&&t))return;let r=nd.exec(e),n=nd.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(vf,"compareIsoTime");var ad=/t|\s/i;function _f(e){let t=od(e);return o(function(n){let a=n.split(ad);return a.length===2&&wf(a[0])&&t(a[1])},"date_time")}o(_f,"getDateTime");function Rf(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(Rf,"compareDateTime");function bf(e,t){if(!(e&&t))return;let[r,n]=e.split(ad),[a,i]=t.split(ad),s=id(r,a);if(s!==void 0)return s||sd(n,i)}o(bf,"compareIsoDateTime");var JA=/\/|:/,YA=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function XA(e){return JA.test(e)&&YA.test(e)}o(XA,"uri");var yf=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function QA(e){return yf.lastIndex=0,yf.test(e)}o(QA,"byte");var ek=-(2**31),tk=2**31-1;function rk(e){return Number.isInteger(e)&&e<=tk&&e>=ek}o(rk,"validateInt32");function nk(e){return Number.isInteger(e)}o(nk,"validateInt64");function Sf(){return!0}o(Sf,"validateNumber");var ok=/[^\\]\\Z/;function ak(e){if(ok.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(ak,"regex")});var If=T(_n=>{"use strict";Object.defineProperty(_n,"__esModule",{value:!0});_n.formatLimitDefinition=void 0;var ik=rd(),ht=L(),lr=ht.operators,hi={formatMaximum:{okStr:"<=",ok:lr.LTE,fail:lr.GT},formatMinimum:{okStr:">=",ok:lr.GTE,fail:lr.LT},formatExclusiveMaximum:{okStr:"<",ok:lr.LT,fail:lr.GTE},formatExclusiveMinimum:{okStr:">",ok:lr.GT,fail:lr.LTE}},sk={message:o(({keyword:e,schemaCode:t})=>(0,ht.str)`should be ${hi[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ht._)`{comparison: ${hi[e].okStr}, limit: ${t}}`,"params")};_n.formatLimitDefinition={keyword:Object.keys(hi),type:"string",schemaType:"string",$data:!0,error:sk,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:i}=e,{opts:s,self:u}=i;if(!s.validateFormats)return;let d=new ik.KeywordCxt(i,u.RULES.all.format.definition,"format");d.$data?l():p();function l(){let f=t.scopeValue("formats",{ref:u.formats,code:s.code.formats}),_=t.const("fmt",(0,ht._)`${f}[${d.schemaCode}]`);e.fail$data((0,ht.or)((0,ht._)`typeof ${_} != "object"`,(0,ht._)`${_} instanceof RegExp`,(0,ht._)`typeof ${_}.compare != "function"`,m(_)))}o(l,"validate$DataFormat");function p(){let f=d.schema,_=u.formats[f];if(!_||_===!0)return;if(typeof _!="object"||_ instanceof RegExp||typeof _.compare!="function")throw new Error(`"${a}": format "${f}" does not define "compare" function`);let S=t.scopeValue("formats",{key:f,ref:_,code:s.code.formats?(0,ht._)`${s.code.formats}${(0,ht.getProperty)(f)}`:void 0});e.fail$data(m(S))}o(p,"validateFormat");function m(f){return(0,ht._)`${f}.compare(${r}, ${n}) ${hi[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var ck=o(e=>(e.addKeyword(_n.formatLimitDefinition),e),"formatLimitPlugin");_n.default=ck});var Pf=T((Oo,kf)=>{"use strict";Object.defineProperty(Oo,"__esModule",{value:!0});var yn=Cf(),uk=If(),cd=L(),Tf=new cd.Name("fullFormats"),dk=new cd.Name("fastFormats"),ud=o((e,t={keywords:!0})=>{if(Array.isArray(t))return Af(e,t,yn.fullFormats,Tf),e;let[r,n]=t.mode==="fast"?[yn.fastFormats,dk]:[yn.fullFormats,Tf],a=t.formats||yn.formatNames;return Af(e,a,r,n),t.keywords&&(0,uk.default)(e),e},"formatsPlugin");ud.get=(e,t="full")=>{let n=(t==="fast"?yn.fastFormats:yn.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function Af(e,t,r,n){var a,i;(a=(i=e.opts.code).formats)!==null&&a!==void 0||(i.formats=(0,cd._)`require("ajv-formats/dist/formats").${n}`);for(let s of t)e.addFormat(s,r[s])}o(Af,"addFormats");kf.exports=Oo=ud;Object.defineProperty(Oo,"__esModule",{value:!0});Oo.default=ud});Yw();function Jt(e){return!!e._zod}o(Jt,"isZ4Schema");function Me(e,t){return Jt(e)?Ds(e,t):e.safeParse(t)}o(Me,"safeParse");function Jr(e){if(!e)return;let t;if(Jt(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(Jr,"getObjectShape");function Ap(e){if(Jt(e)){let i=e._zod?.def;if(i){if(i.value!==void 0)return i.value;if(Array.isArray(i.values)&&i.values.length>0)return i.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(Ap,"getLiteralValue");Y();var Xt="2025-11-25",kp="2025-03-26",Qt=[Xt,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],er="io.modelcontextprotocol/related-task",Sa="2.0",we=Cp(e=>e!==null&&(typeof e=="object"||typeof e=="function")),Pp=se([h(),K().int()]),Ep=h(),wM=Se({ttl:K().optional(),pollInterval:K().optional()}),ev=C({ttl:K().optional()}),tv=C({taskId:h()}),Ls=Se({progressToken:Pp.optional(),[er]:tv.optional()}),Qe=C({_meta:Ls.optional()}),Fn=Qe.extend({task:ev.optional()}),xp=o(e=>Fn.safeParse(e).success,"isTaskAugmentedRequestParams"),Re=C({method:h(),params:Qe.loose().optional()}),et=C({_meta:Ls.optional()}),tt=C({method:h(),params:et.loose().optional()}),be=Se({_meta:Ls.optional()}),wa=se([h(),K().int()]),Op=C({jsonrpc:P(Sa),id:wa,...Re.shape}).strict(),St=o(e=>Op.safeParse(e).success,"isJSONRPCRequest"),Up=C({jsonrpc:P(Sa),...tt.shape}).strict(),zp=o(e=>Up.safeParse(e).success,"isJSONRPCNotification"),js=C({jsonrpc:P(Sa),id:wa,result:be}).strict(),ut=o(e=>js.safeParse(e).success,"isJSONRPCResultResponse");var k;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(k||(k={}));var Hs=C({jsonrpc:P(Sa),id:wa.optional(),error:C({code:K().int(),message:h(),data:he().optional()})}).strict();var Xr=o(e=>Hs.safeParse(e).success,"isJSONRPCErrorResponse");var wr=se([Op,Up,js,Hs]),vM=se([js,Hs]),zt=be.strict(),rv=et.extend({requestId:wa.optional(),reason:h().optional()}),va=tt.extend({method:P("notifications/cancelled"),params:rv}),nv=C({src:h(),mimeType:h().optional(),sizes:b(h()).optional(),theme:Xe(["light","dark"]).optional()}),Zn=C({icons:b(nv).optional()}),Yr=C({name:h(),title:h().optional()}),Qr=Yr.extend({...Yr.shape,...Zn.shape,version:h(),websiteUrl:h().optional(),description:h().optional()}),ov=qs(C({applyDefaults:ee().optional()}),ne(h(),he())),av=$s(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,qs(C({form:ov.optional(),url:we.optional()}),ne(h(),he()).optional())),iv=Se({list:we.optional(),cancel:we.optional(),requests:Se({sampling:Se({createMessage:we.optional()}).optional(),elicitation:Se({create:we.optional()}).optional()}).optional()}),sv=Se({list:we.optional(),cancel:we.optional(),requests:Se({tools:Se({call:we.optional()}).optional()}).optional()}),cv=C({experimental:ne(h(),we).optional(),sampling:C({context:we.optional(),tools:we.optional()}).optional(),elicitation:av.optional(),roots:C({listChanged:ee().optional()}).optional(),tasks:iv.optional(),extensions:ne(h(),we).optional()}),uv=Qe.extend({protocolVersion:h(),capabilities:cv,clientInfo:Qr}),Ra=Re.extend({method:P("initialize"),params:uv}),Gs=o(e=>Ra.safeParse(e).success,"isInitializeRequest"),dv=C({experimental:ne(h(),we).optional(),logging:we.optional(),completions:we.optional(),prompts:C({listChanged:ee().optional()}).optional(),resources:C({subscribe:ee().optional(),listChanged:ee().optional()}).optional(),tools:C({listChanged:ee().optional()}).optional(),tasks:sv.optional(),extensions:ne(h(),we).optional()}),Bs=be.extend({protocolVersion:h(),capabilities:dv,serverInfo:Qr,instructions:h().optional()}),ba=tt.extend({method:P("notifications/initialized"),params:et.optional()}),Np=o(e=>ba.safeParse(e).success,"isInitializedNotification"),Ca=Re.extend({method:P("ping"),params:Qe.optional()}),lv=C({progress:K(),total:pe(K()),message:pe(h())}),pv=C({...et.shape,...lv.shape,progressToken:Pp}),Ia=tt.extend({method:P("notifications/progress"),params:pv}),mv=Qe.extend({cursor:Ep.optional()}),Kn=Re.extend({params:mv.optional()}),Wn=be.extend({nextCursor:Ep.optional()}),hv=Xe(["working","input_required","completed","failed","cancelled"]),Jn=C({taskId:h(),status:hv,ttl:se([K(),Rp()]),createdAt:h(),lastUpdatedAt:h(),pollInterval:pe(K()),statusMessage:pe(h())}),Nt=be.extend({task:Jn}),fv=et.merge(Jn),Yn=tt.extend({method:P("notifications/tasks/status"),params:fv}),Ta=Re.extend({method:P("tasks/get"),params:Qe.extend({taskId:h()})}),Aa=be.merge(Jn),ka=Re.extend({method:P("tasks/result"),params:Qe.extend({taskId:h()})}),RM=be.loose(),Pa=Kn.extend({method:P("tasks/list")}),Ea=Wn.extend({tasks:b(Jn)}),xa=Re.extend({method:P("tasks/cancel"),params:Qe.extend({taskId:h()})}),Dp=be.merge(Jn),Mp=C({uri:h(),mimeType:pe(h()),_meta:ne(h(),he()).optional()}),qp=Mp.extend({text:h()}),Vs=h().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),$p=Mp.extend({blob:Vs}),Xn=Xe(["user","assistant"]),en=C({audience:b(Xn).optional(),priority:K().min(0).max(1).optional(),lastModified:wp.datetime({offset:!0}).optional()}),Lp=C({...Yr.shape,...Zn.shape,uri:h(),description:pe(h()),mimeType:pe(h()),size:pe(K()),annotations:en.optional(),_meta:pe(Se({}))}),gv=C({...Yr.shape,...Zn.shape,uriTemplate:h(),description:pe(h()),mimeType:pe(h()),annotations:en.optional(),_meta:pe(Se({}))}),Fs=Kn.extend({method:P("resources/list")}),Zs=Wn.extend({resources:b(Lp)}),_v=Kn.extend({method:P("resources/templates/list")}),Ks=Wn.extend({resourceTemplates:b(gv)}),Ws=Qe.extend({uri:h()}),yv=Ws,Js=Re.extend({method:P("resources/read"),params:yv}),Ys=be.extend({contents:b(se([qp,$p]))}),Xs=tt.extend({method:P("notifications/resources/list_changed"),params:et.optional()}),Sv=Ws,wv=Re.extend({method:P("resources/subscribe"),params:Sv}),vv=Ws,Rv=Re.extend({method:P("resources/unsubscribe"),params:vv}),bv=et.extend({uri:h()}),Cv=tt.extend({method:P("notifications/resources/updated"),params:bv}),Iv=C({name:h(),description:pe(h()),required:pe(ee())}),Tv=C({...Yr.shape,...Zn.shape,description:pe(h()),arguments:pe(b(Iv)),_meta:pe(Se({}))}),Qs=Kn.extend({method:P("prompts/list")}),ec=Wn.extend({prompts:b(Tv)}),Av=Qe.extend({name:h(),arguments:ne(h(),h()).optional()}),tc=Re.extend({method:P("prompts/get"),params:Av}),rc=C({type:P("text"),text:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),nc=C({type:P("image"),data:Vs,mimeType:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),oc=C({type:P("audio"),data:Vs,mimeType:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),kv=C({type:P("tool_use"),name:h(),id:h(),input:ne(h(),he()),_meta:ne(h(),he()).optional()}),Pv=C({type:P("resource"),resource:se([qp,$p]),annotations:en.optional(),_meta:ne(h(),he()).optional()}),Ev=Lp.extend({type:P("resource_link")}),ac=se([rc,nc,oc,Ev,Pv]),xv=C({role:Xn,content:ac}),ic=be.extend({description:h().optional(),messages:b(xv)}),sc=tt.extend({method:P("notifications/prompts/list_changed"),params:et.optional()}),Ov=C({title:h().optional(),readOnlyHint:ee().optional(),destructiveHint:ee().optional(),idempotentHint:ee().optional(),openWorldHint:ee().optional()}),Uv=C({taskSupport:Xe(["required","optional","forbidden"]).optional()}),jp=C({...Yr.shape,...Zn.shape,description:h().optional(),inputSchema:C({type:P("object"),properties:ne(h(),we).optional(),required:b(h()).optional()}).catchall(he()),outputSchema:C({type:P("object"),properties:ne(h(),we).optional(),required:b(h()).optional()}).catchall(he()).optional(),annotations:Ov.optional(),execution:Uv.optional(),_meta:ne(h(),he()).optional()}),cc=Kn.extend({method:P("tools/list")}),uc=Wn.extend({tools:b(jp)}),tr=be.extend({content:b(ac).default([]),structuredContent:ne(h(),he()).optional(),isError:ee().optional()}),bM=tr.or(be.extend({toolResult:he()})),zv=Fn.extend({name:h(),arguments:ne(h(),he()).optional()}),Qn=Re.extend({method:P("tools/call"),params:zv}),dc=tt.extend({method:P("notifications/tools/list_changed"),params:et.optional()}),Hp=C({autoRefresh:ee().default(!0),debounceMs:K().int().nonnegative().default(300)}),eo=Xe(["debug","info","notice","warning","error","critical","alert","emergency"]),Nv=Qe.extend({level:eo}),lc=Re.extend({method:P("logging/setLevel"),params:Nv}),Dv=et.extend({level:eo,logger:h().optional(),data:he()}),Mv=tt.extend({method:P("notifications/message"),params:Dv}),qv=C({name:h().optional()}),$v=C({hints:b(qv).optional(),costPriority:K().min(0).max(1).optional(),speedPriority:K().min(0).max(1).optional(),intelligencePriority:K().min(0).max(1).optional()}),Lv=C({mode:Xe(["auto","required","none"]).optional()}),jv=C({type:P("tool_result"),toolUseId:h().describe("The unique identifier for the corresponding tool call."),content:b(ac).default([]),structuredContent:C({}).loose().optional(),isError:ee().optional(),_meta:ne(h(),he()).optional()}),Hv=Ms("type",[rc,nc,oc]),ya=Ms("type",[rc,nc,oc,kv,jv]),Gv=C({role:Xn,content:se([ya,b(ya)]),_meta:ne(h(),he()).optional()}),Bv=Fn.extend({messages:b(Gv),modelPreferences:$v.optional(),systemPrompt:h().optional(),includeContext:Xe(["none","thisServer","allServers"]).optional(),temperature:K().optional(),maxTokens:K().int(),stopSequences:b(h()).optional(),metadata:we.optional(),tools:b(jp).optional(),toolChoice:Lv.optional()}),pc=Re.extend({method:P("sampling/createMessage"),params:Bv}),vr=be.extend({model:h(),stopReason:pe(Xe(["endTurn","stopSequence","maxTokens"]).or(h())),role:Xn,content:Hv}),to=be.extend({model:h(),stopReason:pe(Xe(["endTurn","stopSequence","maxTokens","toolUse"]).or(h())),role:Xn,content:se([ya,b(ya)])}),Vv=C({type:P("boolean"),title:h().optional(),description:h().optional(),default:ee().optional()}),Fv=C({type:P("string"),title:h().optional(),description:h().optional(),minLength:K().optional(),maxLength:K().optional(),format:Xe(["email","uri","date","date-time"]).optional(),default:h().optional()}),Zv=C({type:Xe(["number","integer"]),title:h().optional(),description:h().optional(),minimum:K().optional(),maximum:K().optional(),default:K().optional()}),Kv=C({type:P("string"),title:h().optional(),description:h().optional(),enum:b(h()),default:h().optional()}),Wv=C({type:P("string"),title:h().optional(),description:h().optional(),oneOf:b(C({const:h(),title:h()})),default:h().optional()}),Jv=C({type:P("string"),title:h().optional(),description:h().optional(),enum:b(h()),enumNames:b(h()).optional(),default:h().optional()}),Yv=se([Kv,Wv]),Xv=C({type:P("array"),title:h().optional(),description:h().optional(),minItems:K().optional(),maxItems:K().optional(),items:C({type:P("string"),enum:b(h())}),default:b(h()).optional()}),Qv=C({type:P("array"),title:h().optional(),description:h().optional(),minItems:K().optional(),maxItems:K().optional(),items:C({anyOf:b(C({const:h(),title:h()}))}),default:b(h()).optional()}),eR=se([Xv,Qv]),tR=se([Jv,Yv,eR]),rR=se([tR,Vv,Fv,Zv]),nR=Fn.extend({mode:P("form").optional(),message:h(),requestedSchema:C({type:P("object"),properties:ne(h(),rR),required:b(h()).optional()})}),oR=Fn.extend({mode:P("url"),message:h(),elicitationId:h(),url:h().url()}),aR=se([nR,oR]),mc=Re.extend({method:P("elicitation/create"),params:aR}),iR=et.extend({elicitationId:h()}),sR=tt.extend({method:P("notifications/elicitation/complete"),params:iR}),rr=be.extend({action:Xe(["accept","decline","cancel"]),content:$s(e=>e===null?void 0:e,ne(h(),se([h(),K(),ee(),b(h())])).optional())}),cR=C({type:P("ref/resource"),uri:h()});var uR=C({type:P("ref/prompt"),name:h()}),dR=Qe.extend({ref:se([uR,cR]),argument:C({name:h(),value:h()}),context:C({arguments:ne(h(),h()).optional()}).optional()}),lR=Re.extend({method:P("completion/complete"),params:dR});var hc=be.extend({completion:Se({values:b(h()).max(100),total:pe(K().int()),hasMore:pe(ee())})}),pR=C({uri:h().startsWith("file://"),name:h().optional(),_meta:ne(h(),he()).optional()}),mR=Re.extend({method:P("roots/list"),params:Qe.optional()}),fc=be.extend({roots:b(pR)}),hR=tt.extend({method:P("notifications/roots/list_changed"),params:et.optional()}),CM=se([Ca,Ra,lR,lc,tc,Qs,Fs,_v,Js,wv,Rv,Qn,cc,Ta,ka,Pa,xa]),IM=se([va,Ia,ba,hR,Yn]),TM=se([zt,vr,to,rr,fc,Aa,Ea,Nt]),AM=se([Ca,pc,mc,mR,Ta,ka,Pa,xa]),kM=se([va,Ia,Mv,Cv,Xs,dc,sc,Yn,sR]),PM=se([zt,Bs,hc,ic,ec,Zs,Ks,Ys,tr,uc,Aa,Ea,Nt]),A=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===k.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new Yt(a.elicitations,r)}return new e(t,r,n)}},Yt=class extends A{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(k.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};function nr(e){return e==="completed"||e==="failed"||e==="cancelled"}o(nr,"isTerminal");var fR=Symbol("Let zodToJsonSchema decide on which parser to use");var Tq=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function gc(e){let r=Jr(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=Ap(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(gc,"getMethodLiteral");function _c(e,t){let r=Me(e,t);if(!r.success)throw r.error;return r.data}o(_c,"parseWithCompat");var vR=6e4,tn=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(va,r=>{this._oncancel(r)}),this.setNotificationHandler(Ia,r=>{this._onprogress(r)}),this.setRequestHandler(Ca,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(Ta,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(k.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(ka,async(r,n)=>{let a=o(async()=>{let i=r.params.taskId;if(this._taskMessageQueue){let u;for(;u=await this._taskMessageQueue.dequeue(i,n.sessionId);){if(u.type==="response"||u.type==="error"){let d=u.message,l=d.id,p=this._requestResolvers.get(l);if(p)if(this._requestResolvers.delete(l),u.type==="response")p(d);else{let m=d,f=new A(m.error.code,m.error.message,m.error.data);p(f)}else{let m=u.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${l}`))}continue}await this._transport?.send(u.message,{relatedRequestId:n.requestId})}}let s=await this._taskStore.getTask(i,n.sessionId);if(!s)throw new A(k.InvalidParams,`Task not found: ${i}`);if(!nr(s.status))return await this._waitForTaskUpdate(i,n.signal),await a();if(nr(s.status)){let u=await this._taskStore.getTaskResult(i,n.sessionId);return this._clearTaskQueue(i),{...u,_meta:{...u._meta,[er]:{taskId:i}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(Pa,async(r,n)=>{try{let{tasks:a,nextCursor:i}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:i,_meta:{}}}catch(a){throw new A(k.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(xa,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(k.InvalidParams,`Task not found: ${r.params.taskId}`);if(nr(a.status))throw new A(k.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let i=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!i)throw new A(k.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...i}}catch(a){throw a instanceof A?a:new A(k.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,i=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:i,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),A.fromError(k.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=i=>{n?.(i),this._onerror(i)};let a=this._transport?.onmessage;this._transport.onmessage=(i,s)=>{a?.(i,s),ut(i)||Xr(i)?this._onresponse(i):St(i)?this._onrequest(i,s):zp(i)?this._onnotification(i):this._onerror(new Error(`Unknown message type: ${JSON.stringify(i)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=A.fromError(k.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,i=t.params?._meta?.[er]?.taskId;if(n===void 0){let p={jsonrpc:"2.0",id:t.id,error:{code:k.MethodNotFound,message:"Method not found"}};i&&this._taskMessageQueue?this._enqueueTaskMessage(i,{type:"error",message:p,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(p).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let s=new AbortController;this._requestHandlerAbortControllers.set(t.id,s);let u=xp(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,l={signal:s.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async p=>{if(s.signal.aborted)return;let m={relatedRequestId:t.id};i&&(m.relatedTask={taskId:i}),await this.notification(p,m)},"sendNotification"),sendRequest:o(async(p,m,f)=>{if(s.signal.aborted)throw new A(k.ConnectionClosed,"Request was cancelled");let _={...f,relatedRequestId:t.id};i&&!_.relatedTask&&(_.relatedTask={taskId:i});let S=_.relatedTask?.taskId??i;return S&&d&&await d.updateTaskStatus(S,"input_required"),await this.request(p,m,_)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:i,taskStore:d,taskRequestedTtl:u?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{u&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,l)).then(async p=>{if(s.signal.aborted)return;let m={result:p,jsonrpc:"2.0",id:t.id};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async p=>{if(s.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(p.code)?p.code:k.InternalError,message:p.message??"Internal error",...p.data!==void 0&&{data:p.data}}};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(p=>this._onerror(new Error(`Failed to send response: ${p}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===s&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),i=this._progressHandlers.get(a);if(!i){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let s=this._responseHandlers.get(a),u=this._timeoutInfo.get(a);if(u&&s&&u.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),s(d);return}i(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),ut(t))n(t);else{let s=new A(t.error.code,t.error.message,t.error.data);n(s)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let i=!1;if(ut(t)&&t.result&&typeof t.result=="object"){let s=t.result;if(s.task&&typeof s.task=="object"){let u=s.task;typeof u.taskId=="string"&&(i=!0,this._taskProgressTokens.set(u.taskId,r))}}if(i||this._progressHandlers.delete(r),ut(t))a(t);else{let s=A.fromError(t.error.code,t.error.message,t.error.data);a(s)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(s){yield{type:"error",error:s instanceof A?s:new A(k.InternalError,String(s))}}return}let i;try{let s=await this.request(t,Nt,n);if(s.task)i=s.task.taskId,yield{type:"taskCreated",task:s.task};else throw new A(k.InternalError,"Task creation did not return a task");for(;;){let u=await this.getTask({taskId:i},n);if(yield{type:"taskStatus",task:u},nr(u.status)){u.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)}:u.status==="failed"?yield{type:"error",error:new A(k.InternalError,`Task ${i} failed`)}:u.status==="cancelled"&&(yield{type:"error",error:new A(k.InternalError,`Task ${i} was cancelled`)});return}if(u.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)};return}let d=u.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(l=>setTimeout(l,d)),n?.signal?.throwIfAborted()}}catch(s){yield{type:"error",error:s instanceof A?s:new A(k.InternalError,String(s))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s,task:u,relatedTask:d}=n??{};return new Promise((l,p)=>{let m=o(R=>{p(R)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),u&&this.assertTaskCapability(t.method)}catch(R){m(R);return}n?.signal?.throwIfAborted();let f=this._requestMessageId++,_={...t,jsonrpc:"2.0",id:f};n?.onprogress&&(this._progressHandlers.set(f,n.onprogress),_.params={...t.params,_meta:{...t.params?._meta||{},progressToken:f}}),u&&(_.params={..._.params,task:u}),d&&(_.params={..._.params,_meta:{..._.params?._meta||{},[er]:d}});let S=o(R=>{this._responseHandlers.delete(f),this._progressHandlers.delete(f),this._cleanupTimeout(f),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:f,reason:String(R)}},{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(N=>this._onerror(new Error(`Failed to send cancellation: ${N}`)));let I=R instanceof A?R:new A(k.RequestTimeout,String(R));p(I)},"cancel");this._responseHandlers.set(f,R=>{if(!n?.signal?.aborted){if(R instanceof Error)return p(R);try{let I=Me(r,R.result);I.success?l(I.data):p(I.error)}catch(I){p(I)}}}),n?.signal?.addEventListener("abort",()=>{S(n?.signal?.reason)});let y=n?.timeout??vR,w=o(()=>S(A.fromError(k.RequestTimeout,"Request timed out",{timeout:y})),"timeoutHandler");this._setupTimeout(f,y,n?.maxTotalTimeout,w,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let R=o(I=>{let N=this._responseHandlers.get(f);N?N(I):this._onerror(new Error(`Response handler missing for side-channeled request ${f}`))},"responseResolver");this._requestResolvers.set(f,R),this._enqueueTaskMessage(v,{type:"request",message:_,timestamp:Date.now()}).catch(I=>{this._cleanupTimeout(f),p(I)})}else this._transport.send(_,{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(R=>{this._cleanupTimeout(f),p(R)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},Aa,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},Ea,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},Dp,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let u={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[er]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:u,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let u={...t,jsonrpc:"2.0"};r?.relatedTask&&(u={...u,params:{...u.params,_meta:{...u.params?._meta||{},[er]:r.relatedTask}}}),this._transport?.send(u,r).catch(d=>this._onerror(d))});return}let s={...t,jsonrpc:"2.0"};r?.relatedTask&&(s={...s,params:{...s.params,_meta:{...s.params?._meta||{},[er]:r.relatedTask}}}),await this._transport.send(s,r)}setRequestHandler(t,r){let n=gc(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,i)=>{let s=_c(t,a);return Promise.resolve(r(s,i))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=gc(t);this._notificationHandlers.set(n,a=>{let i=_c(t,a);return Promise.resolve(r(i))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&St(a.message)){let i=a.message.id,s=this._requestResolvers.get(i);s?(s(new A(k.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(i)):this._onerror(new Error(`Resolver missing for request ${i} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,i)=>{if(r.aborted){i(new A(k.InvalidRequest,"Request cancelled"));return}let s=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(s),i(new A(k.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let i=await n.getTask(a,r);if(!i)throw new A(k.InvalidParams,"Failed to retrieve task: Task not found");return i},"getTask"),storeTaskResult:o(async(a,i,s)=>{await n.storeTaskResult(a,i,s,r);let u=await n.getTask(a,r);if(u){let d=Yn.parse({method:"notifications/tasks/status",params:u});await this.notification(d),nr(u.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,i,s)=>{let u=await n.getTask(a,r);if(!u)throw new A(k.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(nr(u.status))throw new A(k.InvalidParams,`Cannot update task "${a}" from terminal status "${u.status}" to "${i}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,i,s,r);let d=await n.getTask(a,r);if(d){let l=Yn.parse({method:"notifications/tasks/status",params:d});await this.notification(l),nr(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function Gp(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(Gp,"isPlainObject");function Oa(e,t){let r={...e};for(let n in t){let a=n,i=t[a];if(i===void 0)continue;let s=r[a];Gp(s)&&Gp(i)?r[a]={...s,...i}:r[a]=i}return r}o(Oa,"mergeCapabilities");var Ef=fp(rd(),1),xf=fp(Pf(),1);function lk(){let e=new Ef.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,xf.default)(e),e}o(lk,"createDefaultAjvInstance");var Sn=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??lk()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var fi=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],i=Array.isArray(a.content)?a.content:[a.content],s=i.some(p=>p.type==="tool_result"),u=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=u?Array.isArray(u.content)?u.content:[u.content]:[],l=d.some(p=>p.type==="tool_use");if(s){if(i.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!l)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(l){let p=new Set(d.filter(f=>f.type==="tool_use").map(f=>f.id)),m=new Set(i.filter(f=>f.type==="tool_result").map(f=>f.toolUseId));if(p.size!==m.size||![...p].every(f=>m.has(f)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},vr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let i=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:i},rr,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function gi(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(gi,"assertToolsCallTaskCapability");function _i(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(_i,"assertClientRequestTaskCapability");var yi=class extends tn{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(eo.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let i=this._loggingLevels.get(a);return i?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(i):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new Sn,this.setRequestHandler(Ra,n=>this._oninitialize(n)),this.setNotificationHandler(ba,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(lc,async(n,a)=>{let i=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:s}=n.params,u=eo.safeParse(s);return u.success&&this._loggingLevels.set(i,u.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new fi(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Oa(this._capabilities,t)}setRequestHandler(t,r){let a=Jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(Jt(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");if(i==="tools/call"){let u=o(async(d,l)=>{let p=Me(Qn,d);if(!p.success){let S=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid tools/call request: ${S}`)}let{params:m}=p.data,f=await Promise.resolve(r(d,l));if(m.task){let S=Me(Nt,f);if(!S.success){let y=S.error instanceof Error?S.error.message:String(S.error);throw new A(k.InvalidParams,`Invalid task creation result: ${y}`)}return S.data}let _=Me(tr,f);if(!_.success){let S=_.error instanceof Error?_.error.message:String(_.error);throw new A(k.InvalidParams,`Invalid tools/call result: ${S}`)}return _.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){_i(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&gi(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:Qt.includes(r)?r:Xt,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},zt)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],i=a.some(l=>l.type==="tool_result"),s=t.messages.length>1?t.messages[t.messages.length-2]:void 0,u=s?Array.isArray(s.content)?s.content:[s.content]:[],d=u.some(l=>l.type==="tool_use");if(i){if(a.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let l=new Set(u.filter(m=>m.type==="tool_use").map(m=>m.id)),p=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(l.size!==p.size||![...l].every(m=>p.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},to,r):this.request({method:"sampling/createMessage",params:t},vr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},rr,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},i=await this.request({method:"elicitation/create",params:a},rr,r);if(i.action==="accept"&&i.content&&a.requestedSchema)try{let u=this._jsonSchemaValidator.getValidator(a.requestedSchema)(i.content);if(!u.valid)throw new A(k.InvalidParams,`Elicitation response content does not match requested schema: ${u.errorMessage}`)}catch(s){throw s instanceof A?s:new A(k.InternalError,`Error validating elicitation response: ${s instanceof Error?s.message:String(s)}`)}return i}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},fc,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var Si=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let i={code:r,message:n};return a?.data!==void 0&&(i.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:i,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let i=await this._eventStore.storeEvent(n,{}),s=`id: ${i}
 data: 
 
 `;this._retryInterval!==void 0&&(s=`id: ${i}
@@ -40,19 +40,19 @@ data:
 `;return a&&(i+=`id: ${a}
 `),i+=`data: ${JSON.stringify(n)}
 
-`,t.enqueue(r.encode(i)),!0}catch(i){return this.onerror?.(i),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let i={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},s;if(r?.parsedBody!==void 0)s=r.parsedBody;else try{s=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let u;try{Array.isArray(s)?u=s.map(v=>wr.parse(v)):u=[wr.parse(s)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=u.some(Bs);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(u.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let R=this.validateProtocolVersion(t);if(R)return R}if(!u.some(wt)){for(let v of u)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i});return new Response(null,{status:202})}let p=crypto.randomUUID(),m=u.find(v=>Bs(v)),f=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??kp;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(p,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(p)},"cleanup")});for(let R of u)wt(R)&&this._requestToStreamMapping.set(R.id,p);for(let R of u)this.onmessage?.(R,{authInfo:r?.authInfo,requestInfo:i})});let _=new TextEncoder,S,y=new ReadableStream({start:o(v=>{S=v},"start"),cancel:o(()=>{this._streamMapping.delete(p)},"cancel")}),w={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(w["mcp-session-id"]=this.sessionId);for(let v of u)wt(v)&&(this._streamMapping.set(p,{controller:S,encoder:_,cleanup:o(()=>{this._streamMapping.delete(p);try{S.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,p));await this.writePrimingEvent(S,_,p,f);for(let v of u){let R,C;wt(v)&&this._eventStore&&f>="2025-11-25"&&(R=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),C=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i,closeSSEStream:R,closeStandaloneSSEStream:C})}return new Response(y,{status:200,headers:w})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!Qt.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Qt.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Qt.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((dt(t)||Xr(t))&&(n=t.id),n===void 0){if(dt(t)||Xr(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let s;this._eventStore&&(s=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let u=this._streamMapping.get(this._standaloneSseStreamId);if(u===void 0)return;u.controller&&u.encoder&&this.writeSSEEvent(u.controller,u.encoder,t,s);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let i=this._streamMapping.get(a);if(!this._enableJsonResponse&&i?.controller&&i?.encoder){let s;this._eventStore&&(s=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(i.controller,i.encoder,t,s)}if(dt(t)||Xr(t)){this._requestResponseMap.set(n,t);let s=Array.from(this._requestToStreamMapping.entries()).filter(([d,l])=>l===a).map(([d])=>d);if(s.every(d=>this._requestResponseMap.has(d))){if(!i)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&i.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let l=s.map(p=>this._requestResponseMap.get(p));l.length===1?i.resolveJson(new Response(JSON.stringify(l[0]),{status:200,headers:d})):i.resolveJson(new Response(JSON.stringify(l),{status:200,headers:d}))}else i.cleanup();for(let d of s)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function ld(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(ld,"truncate");function Of(e){return"cause"in e?e.cause:void 0}o(Of,"readCause");function ke(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=ld(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=ld(r.message);let n=Of(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let i=a===1?"cause":`cause${a}`;e[`${i}Name`]=n.name,e[`${i}Message`]=ld(n.message),n=Of(n)}}o(ke,"addErrorLogFields");function st(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(st,"safeHost");function Uf(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(Uf,"setLogProperties");function pd(e,t){Uf(e,{tenantId:t.tenantId,subjectId:t.subjectId})}o(pd,"applyGatewayPrincipalLogProperties");function zf(e,t){Uf(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(zf,"applyGatewayRouteLogProperties");var wn={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},Nf={...wn.runtime,...wn.config,...wn.downstream_auth,...wn.downstream_oauth,...wn.upstream_auth,...wn.upstream_mcp};function zo(e){return typeof e=="string"&&Object.hasOwn(Nf,e)}o(zo,"isGatewayProblemCode");function vi(e){return zo(e)&&Fe(e).callbackFailure===!0}o(vi,"isGatewayCallbackFailureCode");function Fe(e){return Nf[e]}o(Fe,"readGatewayProblemDefinition");function md(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";default:return"internal_server_error"}}o(md,"readDefaultGatewayProblemCodeForStatus");var Df="gatewayCode";function Mf(e){let t=Fe(e);return{title:t.title,body:t.publicDetail}}o(Mf,"readGatewayCallbackFailureContent");function le(e){if(!(e instanceof ya))return;let t=e.extensionMembers?.[Df];return zo(t)?t:void 0}o(le,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Fe(n.code),i=n.privateDetail??(Ri(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),s=pk(n);return new ya({message:i,extensionMembers:{[Df]:n.code}},s===void 0?void 0:{cause:s})}o(g,"createGatewayRuntimeError");async function Ze(e,t,r){let n=Fe(r.code),a=mk(r.code,r.detail),i=Ri(r.code)?r.title??n.title:n.title,u={problem:{...Vn.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:i,detail:a,code:r.code}};return r.headers!==void 0&&(u.additionalHeaders=r.headers),Vn.format(u,e,t)}o(Ze,"gatewayProblemResponse");function Ri(e){return Fe(e).status<500}o(Ri,"canExposeGatewayProblemDetail");function pk(e){return!e.privateDetail||Ri(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(pk,"readRuntimeErrorCause");function mk(e,t){let r=Fe(e);return Ri(e)&&t||r.publicDetail}o(mk,"readSafeGatewayProblemDetail");X();var hk=["tenant_shared_oauth","user_oauth","static_secret","user_static_secret","tenant_static_secret"],fk=["none","client_secret_basic","client_secret_post"],Ee=c.string().min(1).brand(),me=c.string().min(1).brand(),Pe=c.string().min(1).brand(),At=c.string().min(1).brand(),bi=c.enum(hk),hd=c.enum(fk),Ii=c.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),fd=c.object({name:Ii,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict();var gd=new Map;function Ci(e){gd.set(e.policyType,e)}o(Ci,"registerMcpAuthorizationPolicy");function _d(e){if(e!==void 0)return gd.get(e)}o(_d,"getMcpAuthorizationPolicy");function Ti(e){return _d(e)!==void 0}o(Ti,"isRegisteredMcpAuthorizationPolicyType");function yd(){return[...gd.keys()]}o(yd,"listMcpAuthorizationPolicyTypes");X();var Lf=Ee,gk=c.object({mode:c.literal("auto")}).strict(),_k=c.object({mode:c.literal("manual"),clientId:c.string().trim().min(1),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:hd.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:c.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),jf=c.discriminatedUnion("mode",[gk,_k]),yk=jf.default({mode:"auto"}),Sd=c.object({scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:yk}).strict(),qf=Sd.extend({redirectPath:c.string().startsWith("/auth/connections/")}).strict(),Hf=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),Sk=new Set([...Hf,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),wk=c.object({kind:c.literal("bearer_token"),token:c.string().min(1)}).strict(),vk=c.object({kind:c.literal("headers"),headers:c.array(c.object({name:Ii,value:c.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let i=a.name.toLowerCase();Hf.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(i)}}),wd=c.discriminatedUnion("kind",[wk,vk]),Rk=c.object({kind:c.literal("basic_auth_app_password"),usernameLabel:c.string().min(1).default("Username"),passwordLabel:c.string().min(1).default("App password")}).strict(),bk=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key"),capture:c.enum(["browser_login"]).optional()}).strict(),vd=c.discriminatedUnion("kind",[Rk,bk]),Rd=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key")}).strict(),Ik=c.discriminatedUnion("mode",[c.object({mode:c.literal("tenant_shared_oauth"),oauth:qf}).strict(),c.object({mode:c.literal("user_oauth"),oauth:qf}).strict(),c.object({mode:c.literal("static_secret"),secret:wd}).strict(),c.object({mode:c.literal("user_static_secret"),secret:vd}).strict(),c.object({mode:c.literal("tenant_static_secret"),secret:Rd}).strict()]),Ck=c.object({baseUrl:c.url(),resourceMetadataUrl:c.url(),requestHeaders:c.array(fd).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let i=a.name.toLowerCase();Sk.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(i)}}),QG=c.object({displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:Qr.optional(),authProfiles:c.record(Pe,Ik),transport:Ck}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),Tk=c.object({tenant_shared_oauth:Sd.optional(),user_oauth:Sd.optional(),static_secret:c.object({secret:wd}).strict().optional(),user_static_secret:c.object({secret:vd}).strict().optional(),tenant_static_secret:c.object({secret:Rd}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),$f=c.object({id:Lf,displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:Qr.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url(),requestHeaders:c.array(fd).default([]),authProfiles:Tk}).strict(),Ak=c.object({name:Ii,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict(),Ai={id:Lf.optional(),displayName:c.string().min(1),summary:c.string().min(1).optional(),serverInfo:Qr.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url().optional(),requestHeaders:c.array(Ak).default([])},kk=c.discriminatedUnion("authMode",[c.object({...Ai,authMode:c.enum(["tenant_shared_oauth","user_oauth"]),scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:jf.optional(),clientId:c.string().trim().min(1).optional(),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:hd.optional()}).strict(),c.object({...Ai,authMode:c.literal("static_secret"),secret:wd}).strict(),c.object({...Ai,authMode:c.literal("user_static_secret"),secret:vd}).strict(),c.object({...Ai,authMode:c.literal("tenant_static_secret"),secret:Rd}).strict()]);function Gf(e){throw g("internal_server_error",e)}o(Gf,"throwGatewayConfigError");function Ek(e){let t="mcp-upstream-";return e.startsWith(t)||Gf(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),Ee.parse(e.slice(t.length))}o(Ek,"inferUpstreamConnectionIdFromPolicyName");function Pk(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(Pk,"buildDefaultProtectedResourceMetadataUrl");function vn(e,t){return Pe.parse(`${e}:${t}`)}o(vn,"buildUpstreamAuthProfileId");function ki(e,t){let r=$f.safeParse(e);if(r.success)return r.data;let n=kk.parse(e),a=n.id??(t===void 0?void 0:Ek(t));a===void 0&&Gf("Upstream policy options must include id when policy name is unavailable.");let i=n.requestHeaders.map(u=>({name:u.name,value:u.value,required:u.required})),s=(()=>{switch(n.authMode){case"tenant_shared_oauth":case"user_oauth":{let u=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:u}}}case"static_secret":case"user_static_secret":case"tenant_static_secret":return{[n.authMode]:{secret:n.secret}}}})();return $f.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??Pk(n.mcpUrl),requestHeaders:i,authProfiles:s})}o(ki,"parseUpstreamConnectionPolicyOptions");function Bf(e){return e.mode==="tenant_shared_oauth"||e.mode==="user_oauth"}o(Bf,"isUpstreamOAuthAuthConfig");X();var xk=c.looseObject({name:c.string().min(1),version:c.string().min(1).optional()}),Ok=c.looseObject({}),Uk=c.looseObject({name:At,namespace:At.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional(),inputSchema:Ok}),zk=c.looseObject({name:At,namespace:At.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional()}),Nk=c.looseObject({name:At,uri:c.string().min(1),upstreamPolicy:c.string().min(1).optional(),upstreamUri:c.string().min(1).optional(),enabled:c.boolean().optional()}),Dk=c.enum(["openapi","upstream_mcp"]),Mk=c.object({catalogSource:Dk.default("openapi"),serverInfo:xk.optional(),tools:c.array(Uk).default([]),prompts:c.array(zk).default([]),resources:c.array(Nk).default([])}).strict();function Vf(e){return Mk.parse(e??{})}o(Vf,"parseVirtualServerRouteOptions");function Ei(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Ei,"toMcpTool");function Pi(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Pi,"toMcpPrompt");function xi(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(xi,"toMcpResource");var qk="mcp-upstream-connection-inbound",Ff="/mcp/";function De(e){throw new et(e)}o(De,"throwRegistryError");function Zf(e){return e.policyType===qk}o(Zf,"isUpstreamConnectionPolicy");function $k(e){return Ti(e.policyType)}o($k,"isMcpOAuthInboundPolicy");function Lk(e){e.startsWith(Ff)||De(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(Ff.length);return(!t||t.includes("/"))&&De(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),me.parse(t)}o(Lk,"readVirtualServerIdFromPath");function jk(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&De(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&De(`Upstream policy ${e.policyName} does not declare an auth mode.`),bi.parse(r)}o(jk,"readSingleAuthMode");function Hk(e){let t=e.connection.authProfiles[e.authMode];t||De(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"tenant_shared_oauth":case"user_oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static_secret":return{mode:"static_secret",secret:t.secret};case"user_static_secret":return{mode:"user_static_secret",secret:t.secret};case"tenant_static_secret":return{mode:"tenant_static_secret",secret:t.secret}}}o(Hk,"buildResolvedAuthConfig");function Gk(e){let t=jk({policyName:e.policyName,connection:e.connection}),r=vn(e.connection.id,t),n=Hk({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(Gk,"buildRegisteredConnection");function Bk(e){let t=new Map;for(let r of e)t.has(r.name)&&De(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(Bk,"buildPolicyMap");function Vk(e){let t=new Map,r=new Set;for(let n of e.values()){if(!Zf(n))continue;let a=ki(n.handler.options,n.name);r.has(a.id)&&De(`Duplicate upstream MCP connection id ${a.id} in policies.json.`),r.add(a.id);let i=Gk({policyName:n.name,connection:a});t.set(n.name,i)}return t}o(Vk,"buildConnectionsByPolicyName");function Fk(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(Fk,"readOperationId");function Kf(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return At.parse(t)}catch{De(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o(Kf,"buildPublishedCapabilityName");function Id(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||De(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;De(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o(Id,"readCapabilityUpstreamPolicy");function bd(e){e.seen.has(e.key)&&De(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(bd,"assertUniqueCatalogKey");function Zk(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=Kf({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:Id({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(Zk,"normalizeCatalogTool");function Kk(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=Kf({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:Id({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(Kk,"normalizeCatalogPrompt");function Wk(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:Id({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(Wk,"normalizeCatalogResource");function Jk(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>Zk({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>Kk({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>Wk({resource:d,connections:e.connections,routePath:e.routePath})),i=new Set;for(let d of r)bd({kind:"tool",key:d.name,routePath:e.routePath,seen:i});let s=new Set;for(let d of n)bd({kind:"prompt",key:d.name,routePath:e.routePath,seen:s});let u=new Set;for(let d of a)bd({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:u});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(Jk,"normalizeVirtualServerCatalog");function Yk(e){let t=new Map,r=new Set;for(let n of e.routes){let a=n.policies?.inbound??[];if(a.length===0)continue;let i=a[0],s=i===void 0?void 0:e.policyByName.get(i);if(!s||!$k(s))continue;let u=Fk(n);u||De(`MCP virtual server route ${n.path} must declare an operationId in routes.oas.json.`),r.has(u)&&De(`Duplicate MCP virtual server operationId ${u} across routes.`),r.add(u);let d=Lk(n.path);t.has(d)&&De(`Duplicate MCP virtual server id ${d} across routes.`);let l=[];for(let f of a.slice(1)){let _=e.policyByName.get(f);if(!_||!Zf(_))continue;let S=e.connectionsByPolicyName.get(f);S||De(`Upstream connection policy ${f} referenced by route ${n.path} could not be resolved.`),l.push(S)}let p=Vf(n.handler.options),m=Jk({catalog:p,connections:l,routePath:n.path});m.catalogSource==="upstream_mcp"&&l.length!==1&&De(`MCP virtual server route ${n.path} uses upstream MCP catalog mode but declares ${l.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(d,{virtualServerId:d,operationId:u,routePath:n.path,handlerExport:n.handler.export,serverInfo:m.serverInfo,catalog:m,connections:l})}return t}o(Yk,"buildVirtualServers");function Wf(e){let t=Bk(e.policies),r=Vk(t),n=Yk({routes:e.routes,policyByName:t,connectionsByPolicyName:r}),a=new Map;for(let i of r.values())a.set(i.upstreamServerId,i);return{byVirtualServerId:n,connectionsById:a}}o(Wf,"buildGatewayConnectionRegistry");var Oi;function Jf(e){Oi=e}o(Jf,"setGatewayConnectionRegistry");function ct(){if(!Oi)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return Oi}o(ct,"getGatewayConnectionRegistry");function Yf(e){let t=ct().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return t}o(Yf,"getRegisteredVirtualServer");function No(e){let t=ct().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(No,"requireRegisteredVirtualServer");function Xf(){return Oi}o(Xf,"tryGetGatewayConnectionRegistry");var Qf=new Ut("gateway-route");function eg(e,t){Qf.set(e,t)}o(eg,"setGatewayRouteContext");function Do(e){return Qf.get(e)}o(Do,"readGatewayRouteContext");function Rn(e){let t=Do(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(Rn,"requireGatewayRouteContext");var Or="2025-06-18";var Xk=new Set(["localhost","::1"]);function ut(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(ut,"normalizeHostname");function Le(e){let t=ut(e.hostname);return e.protocol==="http:"&&(Xk.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(Le,"isLoopbackHttpUrl");function ne(e){return new URL(e).origin}o(ne,"readGatewayRequestOrigin");import{metrics as Qk,context as Ui,propagation as rg,SpanKind as ng,SpanStatusCode as Cd,trace as Mo}from"@opentelemetry/api";var eE="mcp-gateway",tE="mcp-gateway",rE=Or,nE="2.0",og=Mo.getTracer(eE),Td=Qk.getMeter(tE),oE=Td.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),aE=Td.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),iE=Td.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),sE=["traceparent","tracestate","baggage"];function Ad(){return performance.now()/1e3}o(Ad,"nowSeconds");function ag(e,t){t(Math.max(Ad()-e,0))}o(ag,"recordDurationSeconds");function tg(e){return e===void 0?void 0:String(e)}o(tg,"stringifyAttribute");function xe(e,t,r){r!==void 0&&(e[t]=r)}o(xe,"assignAttribute");function cE(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(cE,"readTargetName");function ig(e){let t=cE({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(ig,"buildMcpOperationSpanName");function kd(e){let t={"mcp.method.name":e.methodName};return xe(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??nE),xe(t,"jsonrpc.request.id",tg(e.jsonRpcRequestId)),xe(t,"mcp.protocol.version",e.mcpProtocolVersion??rE),xe(t,"mcp.session.id",e.mcpSessionId),xe(t,"mcp.resource.uri",e.resourceUri),xe(t,"rpc.response.status_code",tg(e.rpcResponseStatusCode)),xe(t,"error.type",e.errorType),e.capabilityType==="tool"&&(xe(t,"gen_ai.operation.name","execute_tool"),xe(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&xe(t,"gen_ai.prompt.name",e.capabilityName),xe(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),xe(t,"network.protocol.version",e.networkProtocolVersion),xe(t,"network.transport",e.networkTransport),xe(t,"server.address",e.serverAddress),xe(t,"server.port",e.serverPort),xe(t,"client.address",e.clientAddress),xe(t,"client.port",e.clientPort),t}o(kd,"buildMcpOperationAttributes");function uE(e){let t=kd({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(uE,"buildMcpSessionAttributes");function sg(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:Cd.ERROR}),t instanceof Error&&e.recordException(t)}o(sg,"setSpanError");function cg(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(cg,"readErrorType");function dE(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?Ui.active():rg.extract(Ui.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(dE,"readServerParentContext");function lE(e){let t=Mo.getSpanContext(Ui.active()),r=Mo.getSpanContext(e);if(!(!t||!Mo.isSpanContextValid(t))&&!(r&&Mo.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(lE,"readAmbientSpanLink");function ug(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(ug,"readResultErrorType");async function Ur(e,t){let r=Ad(),n=kd({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return og.startActiveSpan(ig(e),{kind:ng.CLIENT,attributes:n},async a=>{try{let i=await t(),s=ug(i);return s&&(a.setAttribute("error.type",s),a.setStatus({code:Cd.ERROR}),n["error.type"]=s),i}catch(i){let s=e.errorType??cg(i);throw n["error.type"]=s,sg(a,i,s),i}finally{ag(r,i=>{oE.record(i,n)}),a.end()}})}o(Ur,"runMcpClientOperation");async function zr(e,t){let r=Ad(),n=dE(e.params),a=kd({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),i=lE(n);return og.startActiveSpan(ig(e),{kind:ng.SERVER,attributes:a,...i?{links:i}:{}},n,async s=>{try{let u=await t(),d=ug(u);return d&&(s.setAttribute("error.type",d),s.setStatus({code:Cd.ERROR}),a["error.type"]=d),u}catch(u){let d=e.errorType??cg(u);throw a["error.type"]=d,sg(s,u,d),u}finally{ag(r,u=>{aE.record(u,a)}),s.end()}})}o(zr,"runMcpServerOperation");function dg(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return rg.inject(Ui.active(),t._meta,{set(r,n,a){sE.includes(n)&&(r[n]=a)}}),t}o(dg,"injectMcpTraceContextIntoParams");function lg(e,t){let r=uE({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});iE.record(Math.max(t,0),r)}o(lg,"recordMcpClientSessionDuration");var Ed=new Ut("route-upstream-bindings");function pE(e){let t=Ed.get(e);if(t)return t;let r={bindings:[]};return Ed.set(e,r),r}o(pE,"readOrCreateRouteUpstreamBindingRegistry");function pg(e){return`${e.upstreamServerId}:${e.authProfileId}`}o(pg,"buildRouteBindingDuplicateKey");function Pd(e,t){let r=pE(e),n=pg(t);if(r.bindings.find(i=>pg(i)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.bindings.push(t)}o(Pd,"appendResolvedUpstreamBindingContext");function mg(e){return Ed.get(e)?.bindings??[]}o(mg,"readResolvedUpstreamBindingContexts");X();var V=c.string().datetime({offset:!0}).brand();function O(e){return V.parse(e.toISOString())}o(O,"toIsoTimestamp");function gt(e,t){return new Date(e.getTime()+t*1e3)}o(gt,"addSeconds");X();var bn=c.string().trim().min(1),qo={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},mE=c.object({issuer:c.url(),jwksUrl:c.url(),audience:bn}),hE=c.object({url:c.url(),tokenUrl:c.url().optional(),clientId:bn.optional(),clientSecret:bn.optional(),scope:bn.default("openid profile email"),audience:bn.optional(),remoteTimeoutMs:c.coerce.number().int().positive().default(1e4),stateTtlSeconds:c.coerce.number().int().positive().default(900),sessionTtlSeconds:c.coerce.number().int().positive().default(28800)}).strict(),fE=c.object({accessTokenTtlSeconds:c.coerce.number().int().positive().default(qo.accessTokenTtlSeconds),refreshTokenTtlSeconds:c.coerce.number().int().positive().default(qo.refreshTokenTtlSeconds),cimdEnabled:c.boolean().default(qo.cimdEnabled)}).strict().default(qo),gE=c.object({oidc:mE,browserLogin:hE,gateway:fE.optional().default(qo),devTenantId:bn.optional()}).strict();function hg(e){return _E(e.browserLogin.url)?"local_dev":"federated_oidc"}o(hg,"readBrowserLoginKind");function _E(e){let t;try{t=new URL(e)}catch{return!1}return Le(t)&&t.pathname==="/oauth/dev-login"}o(_E,"isLoopbackDevLoginUrl");function zi(e){return gE.parse(e)}o(zi,"parseMcpOAuthRuntimeConfig");var xd;function fg(e){xd=e}o(fg,"setGatewayOAuthConfig");function Re(){if(!xd)throw g("internal_server_error","MCP gateway OAuth config has not been initialized. An `mcp-oauth-inbound` policy (or a provider-specific wrapper such as `mcp-auth0-oauth-inbound`) must be registered in policies.json so the gateway can derive its OAuth runtime configuration from policy options.");return xd}o(Re,"getGatewayOAuthConfig");function _t(e){return ne(e)}o(_t,"readGatewayOAuthIssuer");X();var yE=43,SE=128,wE=/^[A-Za-z0-9._~-]+$/,Od="S256",In=c.literal(Od),Ni=c.string().min(yE).max(SE).regex(wE);X();var Di=["none","client_secret_post","client_secret_basic"],vE=[...Di,"private_key_jwt"],RE=["awaiting_login","awaiting_setup"],bE=c.string().min(1).brand(),IE=c.string().min(1).brand(),he=c.string().min(1).brand(),yt=c.uuid().brand(),je=c.uuid().brand(),Mi=c.uuid().brand(),$o=c.enum(Di),CE=c.enum(vE),Ud=c.enum(RE),gg=c.object({client_id:he,client_name:c.string().min(1),redirect_uris:c.array(c.string().min(1)).min(1),token_endpoint_auth_method:CE.default("none")}),qi=c.object({clientId:he,clientName:c.string().min(1),redirectUris:c.array(c.string().min(1)),tokenEndpointAuthMethod:$o,hashedClientSecret:c.string().optional(),clientSecretExpiresAt:V.optional(),clientExpiresAt:V,revokedAt:V.optional(),createdAt:V}),zd=c.object({clientId:he,resource:c.string(),virtualServerId:me,tenantId:bE,subjectId:IE,scope:c.string(),roles:c.array(c.string()),createdAt:V,expiresAt:V}),_g=zd.extend({id:je,redirectUri:c.string(),clientState:c.string().optional(),codeChallenge:c.string(),codeChallengeMethod:In}),Lo=zd.extend({id:yt,currentRefreshTokenHash:c.string().optional(),previousRefreshTokenHash:c.string().optional(),revokedAt:V.optional(),revokedReason:c.string().optional()}),Cn=zd.extend({tokenHash:c.string(),grantId:yt,revokedAt:V.optional()});function Nd(){return je.parse(crypto.randomUUID())}o(Nd,"createDownstreamAuthorizationTransactionId");function Dd(){return Mi.parse(crypto.randomUUID())}o(Dd,"createDownstreamBrowserLoginStateId");function Md(){return yt.parse(crypto.randomUUID())}o(Md,"createDownstreamGrantId");var ue="mcp:tools";function Li(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return Le(r)&&Le(n)&&ut(r.hostname)===ut(n.hostname)&&r.pathname===n.pathname&&r.search===n.search}o(Li,"redirectUriMatchesRegistration");function yg(e){return Le(e)&&e.pathname==="/oauth/dev-login"}o(yg,"isLoopbackDevLoginUrl");function $i(e,t){return new URL(e,_t(t)).toString()}o($i,"buildGatewayOAuthUrl");function qd(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,ne(e.requestUrl)).toString()}o(qd,"buildScopedAuthorizationServerIssuer");function TE(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,ne(e.requestUrl)).toString()}o(TE,"buildScopedAuthorizationEndpoint");function $d(e){let t=Re();return{issuer:_t(e),authorization_endpoint:$i("/oauth/authorize",e),token_endpoint:$i("/oauth/token",e),registration_endpoint:$i("/oauth/register",e),revocation_endpoint:$i("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[ue],code_challenge_methods_supported:[Od],token_endpoint_auth_methods_supported:Di,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":hg(t)}}o($d,"buildAuthorizationServerMetadata");function Sg(e){let t=qd(e);return{...$d(e.requestUrl),issuer:t,authorization_endpoint:TE(e)}}o(Sg,"buildScopedAuthorizationServerMetadata");async function wg(e,t){try{let r=me.parse(e.params.virtualServerId),n=No(r);return Response.json(AE(n.virtualServerId,e.url))}catch(r){let n=le(r);return Ze(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(wg,"protectedResourceMetadataHandler");function AE(e,t){return{resource:Nr(e,t),resource_name:e,authorization_servers:[qd({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[ue],mcp_protocol_version:Or}}o(AE,"buildProtectedResourceMetadataResponseBody");function Nr(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,ne(t)).toString()}o(Nr,"buildCanonicalMcpResourceForVirtualServer");function vg(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,ne(t)).toString()}o(vg,"buildProtectedResourceMetadataUrlForVirtualServer");import{base64url as Ld}from"jose";var kE="sha256:",EE=32;function Rg(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Rg,"copyToArrayBuffer");function PE(e,t){if(e.length!==t.length)return!1;let r=0;for(let n=0;n<e.length;n++)r|=e.charCodeAt(n)^t.charCodeAt(n);return r===0}o(PE,"constantTimeEqual");function Ke(){let e=crypto.getRandomValues(new Uint8Array(EE));return Ld.encode(e)}o(Ke,"createOpaqueToken");async function F(e){let t=await crypto.subtle.digest("SHA-256",Rg(new TextEncoder().encode(e)));return`${kE}${Ld.encode(new Uint8Array(t))}`}o(F,"hashOpaqueValue");async function bg(e){let t=await F(e.value);return PE(t,e.expectedHash)}o(bg,"verifyOpaqueValue");async function jd(e){let t=await crypto.subtle.digest("SHA-256",Rg(new TextEncoder().encode(e)));return Ld.encode(new Uint8Array(t))}o(jd,"calculatePkceS256Challenge");X();var xE=c.record(c.string(),c.unknown()),Ig=c.string().min(1),OE=c.union([Ig.transform(e=>[e]),c.array(Ig)]),de=c.string().min(1).brand(),Q=c.string().min(1).brand(),UE=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],zE=["https://zuplo.com/roles","roles","role","permissions","groups"],NE=de.parse("zuplo-poc"),Cg=new Ut("gateway-principal");function DE(e){let t=xE.safeParse(e);return t.success?t.data:{}}o(DE,"toClaimRecord");function ME(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(ME,"readValidationFailureDetail");function qE(e,t,r){for(let i of UE){let s=Q.safeParse(t[i]);if(s.success)return s.data}let n=Q.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",ME(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===_t(r)?n.data:Q.parse(`${a}|${n.data}`)}o(qE,"readNormalizedSubjectId");function $E(e){let t=new Set;for(let r of zE){let n=OE.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o($E,"readRoles");function Tn(e,t){let r=DE(e?.data),n={subjectId:qE(e,r,t),tenantId:NE},a=$E(r);return a&&(n.roles=a),n}o(Tn,"parseGatewayPrincipal");function Tg(e){let t=Gd(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(Tg,"requireGatewayPrincipal");function Ag(e,t){Cg.set(e,t)}o(Ag,"setGatewayPrincipal");function Gd(e){return Cg.get(e)}o(Gd,"readGatewayPrincipal");function An(e){let r=['realm="OAuth"',`resource_metadata="${Hd(vg(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${Hd(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${Hd(e.scope)}"`),`Bearer ${r.join(", ")}`}o(An,"buildGatewayBearerChallenge");function Hd(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(Hd,"sanitizeQuotedHeaderParameter");X();var ji=c.string().trim().min(1),LE=c.object({TOKEN_ENCRYPTION_KEY:ji,OAUTH_STATE_SIGNING_KEY:ji,TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING:ji.optional(),MCP_GATEWAY_RUNTIME_STORAGE_CONFIGURATION_ID:ji.optional()}),jE=["TOKEN_ENCRYPTION_KEY","OAUTH_STATE_SIGNING_KEY","TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING","MCP_GATEWAY_RUNTIME_STORAGE_CONFIGURATION_ID"];function HE(e){let t=Fn[e];return typeof t=="string"?t:void 0}o(HE,"readEnvValue");function GE(){let e={};for(let t of jE){let r=HE(t);r!==void 0&&(e[t]=r)}return e}o(GE,"readRawEnv");var Bd;function BE(e){return e.issues.map(t=>`- ${t.path.length>0?t.path.map(String).join("."):"environment"}: ${t.message}`)}o(BE,"formatZodIssues");function VE(e){return new et(["Invalid MCP gateway environment configuration.","Validation failed for these environment variables:",...BE(e)].join(`
-`),{cause:e})}o(VE,"createEnvValidationError");function FE(e){let t=LE.safeParse(e);if(!t.success)throw VE(t.error);return t.data}o(FE,"parseGatewayEnv");function ZE(){return Bd||(Bd=FE(GE())),Bd}o(ZE,"readEnv");function jo(){return ZE()}o(jo,"getEnv");X();X();function KE(e){if(e instanceof Date)return e;let t=new Date(e);if(Number.isNaN(t.getTime()))throw new Error("Expected a valid timestamp",{cause:new Error(`received: ${String(e)}`)});return t}o(KE,"parseDate");function pr(e,t){if(typeof e!="string")return e;try{return JSON.parse(e)}catch(r){throw new Error(`Persisted ${t} must be valid JSON`,{cause:r})}}o(pr,"parseJsonValue");function Vd(e,t){return c.array(c.string()).parse(pr(e,t))}o(Vd,"parseStringArray");var se=c.union([c.date(),c.string()]).transform(e=>KE(e));var WE=c.object({current_state_hash:c.string(),phase:Ud,consumed_at:se.nullable(),expires_at:se}),JE=c.object({id:yt,revoked_at:se.nullable().optional(),expires_at:se,matched:c.enum(["current","previous"])}),YE=c.object({id:yt,matched:c.literal("current")}),XE=c.object({client_id:he,client_name:c.string(),redirect_uris:c.unknown(),token_endpoint_auth_method:$o,hashed_client_secret:c.string().nullable(),client_secret_expires_at:se.nullable(),client_expires_at:se,revoked_at:se.nullable(),created_at:se}).transform(e=>{let t={clientId:e.client_id,clientName:e.client_name,redirectUris:Vd(e.redirect_uris,"redirect_uris"),tokenEndpointAuthMethod:e.token_endpoint_auth_method,createdAt:O(e.created_at),clientExpiresAt:O(e.client_expires_at)};return e.hashed_client_secret&&(t.hashedClientSecret=e.hashed_client_secret),e.client_secret_expires_at&&(t.clientSecretExpiresAt=O(e.client_secret_expires_at)),e.revoked_at&&(t.revokedAt=O(e.revoked_at)),qi.parse(t)}),Fd=c.object({id:je,current_state_hash:c.string(),phase:Ud,principal_subject_id:Q.nullable(),principal_tenant_id:de.nullable(),principal_roles:c.unknown().nullable(),client_id:he,redirect_uri:c.string(),resource:c.string(),virtual_server_id:me,client_state:c.string().nullable(),scope:c.string(),code_challenge:c.string(),code_challenge_method:In,created_at:se,expires_at:se,consumed_at:se.nullable()}).transform(e=>{let t={id:e.id,currentStateHash:e.current_state_hash,clientId:e.client_id,redirectUri:e.redirect_uri,resource:e.resource,virtualServerId:e.virtual_server_id,scope:e.scope,codeChallenge:e.code_challenge,codeChallengeMethod:e.code_challenge_method,createdAt:O(e.created_at),expiresAt:O(e.expires_at)};if(e.client_state&&(t.clientState=e.client_state),e.consumed_at&&(t.consumedAt=O(e.consumed_at)),e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal_subject_id||!e.principal_tenant_id)throw new Error("Awaiting-setup pending authorization row is missing principal.");return{...t,phase:"awaiting_setup",principal:{subjectId:e.principal_subject_id,tenantId:e.principal_tenant_id,...e.principal_roles===null?{}:{roles:c.array(c.string()).parse(pr(e.principal_roles,"principal_roles"))}}}}),QE=c.object({id:je});function Eg(e){return{clientId:e.client_id,resource:e.resource,virtualServerId:e.virtual_server_id,tenantId:e.tenant_id,subjectId:e.subject_id,scope:e.scope,roles:Vd(e.roles,"roles"),createdAt:O(e.created_at),expiresAt:O(e.expires_at)}}o(Eg,"downstreamGrantAccessFields");var kg=c.object({id:yt,client_id:he,resource:c.string(),virtual_server_id:me,tenant_id:de,subject_id:Q,scope:c.string(),roles:c.unknown(),current_refresh_token_hash:c.string().nullable(),previous_refresh_token_hash:c.string().nullable(),created_at:se,expires_at:se,revoked_at:se.nullable(),revoked_reason:c.string().nullable()}).transform(e=>{let t={id:e.id,...Eg(e)};return e.current_refresh_token_hash&&(t.currentRefreshTokenHash=e.current_refresh_token_hash),e.previous_refresh_token_hash&&(t.previousRefreshTokenHash=e.previous_refresh_token_hash),e.revoked_at&&(t.revokedAt=O(e.revoked_at)),e.revoked_reason&&(t.revokedReason=e.revoked_reason),Lo.parse(t)}),eP=c.object({token_hash:c.string(),grant_id:yt,client_id:he,resource:c.string(),virtual_server_id:me,tenant_id:de,subject_id:Q,scope:c.string(),roles:c.unknown(),created_at:se,expires_at:se,revoked_at:se.nullable()}).transform(e=>{let t={tokenHash:e.token_hash,grantId:e.grant_id,...Eg(e)};return e.revoked_at&&(t.revokedAt=O(e.revoked_at)),Cn.parse(t)});function Pg(e){return[e.clientId,e.redirectUri,e.resource,e.virtualServerId,e.tenantId,e.subjectId,e.scope,JSON.stringify(e.roles),e.codeChallenge,e.codeChallengeMethod,new Date(e.createdAt),new Date(e.expiresAt)]}o(Pg,"authorizationTransactionValues");function tP(e,t){let r=_g.parse(t);return e.query(`INSERT INTO downstream_oauth_authorization_transactions (
+`,t.enqueue(r.encode(i)),!0}catch(i){return this.onerror?.(i),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let i={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},s;if(r?.parsedBody!==void 0)s=r.parsedBody;else try{s=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let u;try{Array.isArray(s)?u=s.map(v=>wr.parse(v)):u=[wr.parse(s)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=u.some(Gs);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(u.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let R=this.validateProtocolVersion(t);if(R)return R}if(!u.some(St)){for(let v of u)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i});return new Response(null,{status:202})}let p=crypto.randomUUID(),m=u.find(v=>Gs(v)),f=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??kp;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(p,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(p)},"cleanup")});for(let R of u)St(R)&&this._requestToStreamMapping.set(R.id,p);for(let R of u)this.onmessage?.(R,{authInfo:r?.authInfo,requestInfo:i})});let _=new TextEncoder,S,y=new ReadableStream({start:o(v=>{S=v},"start"),cancel:o(()=>{this._streamMapping.delete(p)},"cancel")}),w={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(w["mcp-session-id"]=this.sessionId);for(let v of u)St(v)&&(this._streamMapping.set(p,{controller:S,encoder:_,cleanup:o(()=>{this._streamMapping.delete(p);try{S.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,p));await this.writePrimingEvent(S,_,p,f);for(let v of u){let R,I;St(v)&&this._eventStore&&f>="2025-11-25"&&(R=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),I=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i,closeSSEStream:R,closeStandaloneSSEStream:I})}return new Response(y,{status:200,headers:w})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!Qt.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Qt.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Qt.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((ut(t)||Xr(t))&&(n=t.id),n===void 0){if(ut(t)||Xr(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let s;this._eventStore&&(s=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let u=this._streamMapping.get(this._standaloneSseStreamId);if(u===void 0)return;u.controller&&u.encoder&&this.writeSSEEvent(u.controller,u.encoder,t,s);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let i=this._streamMapping.get(a);if(!this._enableJsonResponse&&i?.controller&&i?.encoder){let s;this._eventStore&&(s=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(i.controller,i.encoder,t,s)}if(ut(t)||Xr(t)){this._requestResponseMap.set(n,t);let s=Array.from(this._requestToStreamMapping.entries()).filter(([d,l])=>l===a).map(([d])=>d);if(s.every(d=>this._requestResponseMap.has(d))){if(!i)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&i.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let l=s.map(p=>this._requestResponseMap.get(p));l.length===1?i.resolveJson(new Response(JSON.stringify(l[0]),{status:200,headers:d})):i.resolveJson(new Response(JSON.stringify(l),{status:200,headers:d}))}else i.cleanup();for(let d of s)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function dd(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(dd,"truncate");function Of(e){return"cause"in e?e.cause:void 0}o(Of,"readCause");function Ae(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=dd(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=dd(r.message);let n=Of(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let i=a===1?"cause":`cause${a}`;e[`${i}Name`]=n.name,e[`${i}Message`]=dd(n.message),n=Of(n)}}o(Ae,"addErrorLogFields");function it(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(it,"safeHost");function Uf(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(Uf,"setLogProperties");function ld(e,t){Uf(e,{tenantId:t.tenantId,subjectId:t.subjectId})}o(ld,"applyGatewayPrincipalLogProperties");function zf(e,t){Uf(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(zf,"applyGatewayRouteLogProperties");var wn={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},Nf={...wn.runtime,...wn.config,...wn.downstream_auth,...wn.downstream_oauth,...wn.upstream_auth,...wn.upstream_mcp};function Uo(e){return typeof e=="string"&&Object.hasOwn(Nf,e)}o(Uo,"isGatewayProblemCode");function wi(e){return Uo(e)&&Fe(e).callbackFailure===!0}o(wi,"isGatewayCallbackFailureCode");function Fe(e){return Nf[e]}o(Fe,"readGatewayProblemDefinition");function pd(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";default:return"internal_server_error"}}o(pd,"readDefaultGatewayProblemCodeForStatus");var Df="gatewayCode";function Mf(e){let t=Fe(e);return{title:t.title,body:t.publicDetail}}o(Mf,"readGatewayCallbackFailureContent");function de(e){if(!(e instanceof _a))return;let t=e.extensionMembers?.[Df];return Uo(t)?t:void 0}o(de,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Fe(n.code),i=n.privateDetail??(vi(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),s=mk(n);return new _a({message:i,extensionMembers:{[Df]:n.code}},s===void 0?void 0:{cause:s})}o(g,"createGatewayRuntimeError");async function Ze(e,t,r){let n=Fe(r.code),a=hk(r.code,r.detail),i=vi(r.code)?r.title??n.title:n.title,u={problem:{...Vn.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:i,detail:a,code:r.code}};return r.headers!==void 0&&(u.additionalHeaders=r.headers),Vn.format(u,e,t)}o(Ze,"gatewayProblemResponse");function vi(e){return Fe(e).status<500}o(vi,"canExposeGatewayProblemDetail");function mk(e){return!e.privateDetail||vi(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(mk,"readRuntimeErrorCause");function hk(e,t){let r=Fe(e);return vi(e)&&t||r.publicDetail}o(hk,"readSafeGatewayProblemDetail");Y();var fk=["tenant_shared_oauth","user_oauth","static_secret","user_static_secret","tenant_static_secret"],gk=["none","client_secret_basic","client_secret_post"],ke=c.string().min(1).brand(),me=c.string().min(1).brand(),Pe=c.string().min(1).brand(),Tt=c.string().min(1).brand(),Ri=c.enum(fk),md=c.enum(gk),bi=c.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),hd=c.object({name:bi,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict();var fd=new Map;function Ci(e){fd.set(e.policyType,e)}o(Ci,"registerMcpAuthorizationPolicy");function gd(e){if(e!==void 0)return fd.get(e)}o(gd,"getMcpAuthorizationPolicy");function Ii(e){return gd(e)!==void 0}o(Ii,"isRegisteredMcpAuthorizationPolicyType");function _d(){return[...fd.keys()]}o(_d,"listMcpAuthorizationPolicyTypes");Y();var Lf=ke,_k=c.object({mode:c.literal("auto")}).strict(),yk=c.object({mode:c.literal("manual"),clientId:c.string().trim().min(1),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:md.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:c.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),jf=c.discriminatedUnion("mode",[_k,yk]),Sk=jf.default({mode:"auto"}),yd=c.object({scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:Sk}).strict(),qf=yd.extend({redirectPath:c.string().startsWith("/auth/connections/")}).strict(),Hf=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),wk=new Set([...Hf,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),vk=c.object({kind:c.literal("bearer_token"),token:c.string().min(1)}).strict(),Rk=c.object({kind:c.literal("headers"),headers:c.array(c.object({name:bi,value:c.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let i=a.name.toLowerCase();Hf.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(i)}}),Sd=c.discriminatedUnion("kind",[vk,Rk]),bk=c.object({kind:c.literal("basic_auth_app_password"),usernameLabel:c.string().min(1).default("Username"),passwordLabel:c.string().min(1).default("App password")}).strict(),Ck=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key"),capture:c.enum(["browser_login"]).optional()}).strict(),wd=c.discriminatedUnion("kind",[bk,Ck]),vd=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key")}).strict(),Ik=c.discriminatedUnion("mode",[c.object({mode:c.literal("tenant_shared_oauth"),oauth:qf}).strict(),c.object({mode:c.literal("user_oauth"),oauth:qf}).strict(),c.object({mode:c.literal("static_secret"),secret:Sd}).strict(),c.object({mode:c.literal("user_static_secret"),secret:wd}).strict(),c.object({mode:c.literal("tenant_static_secret"),secret:vd}).strict()]),Tk=c.object({baseUrl:c.url(),resourceMetadataUrl:c.url(),requestHeaders:c.array(hd).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let i=a.name.toLowerCase();wk.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(i)}}),rB=c.object({displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:Qr.optional(),authProfiles:c.record(Pe,Ik),transport:Tk}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),Ak=c.object({tenant_shared_oauth:yd.optional(),user_oauth:yd.optional(),static_secret:c.object({secret:Sd}).strict().optional(),user_static_secret:c.object({secret:wd}).strict().optional(),tenant_static_secret:c.object({secret:vd}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),$f=c.object({id:Lf,displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:Qr.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url(),requestHeaders:c.array(hd).default([]),authProfiles:Ak}).strict(),kk=c.object({name:bi,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict(),Ti={id:Lf.optional(),displayName:c.string().min(1),summary:c.string().min(1).optional(),serverInfo:Qr.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url().optional(),requestHeaders:c.array(kk).default([])},Pk=c.discriminatedUnion("authMode",[c.object({...Ti,authMode:c.enum(["tenant_shared_oauth","user_oauth"]),scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:jf.optional(),clientId:c.string().trim().min(1).optional(),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:md.optional()}).strict(),c.object({...Ti,authMode:c.literal("static_secret"),secret:Sd}).strict(),c.object({...Ti,authMode:c.literal("user_static_secret"),secret:wd}).strict(),c.object({...Ti,authMode:c.literal("tenant_static_secret"),secret:vd}).strict()]);function Gf(e){throw g("internal_server_error",e)}o(Gf,"throwGatewayConfigError");function Ek(e){let t="mcp-upstream-";return e.startsWith(t)||Gf(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),ke.parse(e.slice(t.length))}o(Ek,"inferUpstreamConnectionIdFromPolicyName");function xk(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(xk,"buildDefaultProtectedResourceMetadataUrl");function vn(e,t){return Pe.parse(`${e}:${t}`)}o(vn,"buildUpstreamAuthProfileId");function Ai(e,t){let r=$f.safeParse(e);if(r.success)return r.data;let n=Pk.parse(e),a=n.id??(t===void 0?void 0:Ek(t));a===void 0&&Gf("Upstream policy options must include id when policy name is unavailable.");let i=n.requestHeaders.map(u=>({name:u.name,value:u.value,required:u.required})),s=(()=>{switch(n.authMode){case"tenant_shared_oauth":case"user_oauth":{let u=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:u}}}case"static_secret":case"user_static_secret":case"tenant_static_secret":return{[n.authMode]:{secret:n.secret}}}})();return $f.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??xk(n.mcpUrl),requestHeaders:i,authProfiles:s})}o(Ai,"parseUpstreamConnectionPolicyOptions");function Bf(e){return e.mode==="tenant_shared_oauth"||e.mode==="user_oauth"}o(Bf,"isUpstreamOAuthAuthConfig");Y();var Ok=c.looseObject({name:c.string().min(1),version:c.string().min(1).optional()}),Uk=c.looseObject({}),zk=c.looseObject({name:Tt,namespace:Tt.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional(),inputSchema:Uk}),Nk=c.looseObject({name:Tt,namespace:Tt.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional()}),Dk=c.looseObject({name:Tt,uri:c.string().min(1),upstreamPolicy:c.string().min(1).optional(),upstreamUri:c.string().min(1).optional(),enabled:c.boolean().optional()}),Mk=c.enum(["openapi","upstream_mcp"]),qk=c.object({catalogSource:Mk.default("openapi"),serverInfo:Ok.optional(),tools:c.array(zk).default([]),prompts:c.array(Nk).default([]),resources:c.array(Dk).default([])}).strict();function Vf(e){return qk.parse(e??{})}o(Vf,"parseVirtualServerRouteOptions");function ki(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(ki,"toMcpTool");function Pi(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Pi,"toMcpPrompt");function Ei(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(Ei,"toMcpResource");var $k="mcp-upstream-connection-inbound",Ff="/mcp/";function De(e){throw new Ot(e)}o(De,"throwRegistryError");function Zf(e){return e.policyType===$k}o(Zf,"isUpstreamConnectionPolicy");function Lk(e){return Ii(e.policyType)}o(Lk,"isMcpOAuthInboundPolicy");function jk(e){e.startsWith(Ff)||De(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(Ff.length);return(!t||t.includes("/"))&&De(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),me.parse(t)}o(jk,"readVirtualServerIdFromPath");function Hk(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&De(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&De(`Upstream policy ${e.policyName} does not declare an auth mode.`),Ri.parse(r)}o(Hk,"readSingleAuthMode");function Gk(e){let t=e.connection.authProfiles[e.authMode];t||De(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"tenant_shared_oauth":case"user_oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static_secret":return{mode:"static_secret",secret:t.secret};case"user_static_secret":return{mode:"user_static_secret",secret:t.secret};case"tenant_static_secret":return{mode:"tenant_static_secret",secret:t.secret}}}o(Gk,"buildResolvedAuthConfig");function Bk(e){let t=Hk({policyName:e.policyName,connection:e.connection}),r=vn(e.connection.id,t),n=Gk({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(Bk,"buildRegisteredConnection");function Vk(e){let t=new Map;for(let r of e)t.has(r.name)&&De(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(Vk,"buildPolicyMap");function Fk(e){let t=new Map,r=new Set;for(let n of e.values()){if(!Zf(n))continue;let a=Ai(n.handler.options,n.name);r.has(a.id)&&De(`Duplicate upstream MCP connection id ${a.id} in policies.json.`),r.add(a.id);let i=Bk({policyName:n.name,connection:a});t.set(n.name,i)}return t}o(Fk,"buildConnectionsByPolicyName");function Zk(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(Zk,"readOperationId");function Kf(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return Tt.parse(t)}catch{De(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o(Kf,"buildPublishedCapabilityName");function bd(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||De(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;De(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o(bd,"readCapabilityUpstreamPolicy");function Rd(e){e.seen.has(e.key)&&De(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(Rd,"assertUniqueCatalogKey");function Kk(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=Kf({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:bd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(Kk,"normalizeCatalogTool");function Wk(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=Kf({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:bd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(Wk,"normalizeCatalogPrompt");function Jk(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:bd({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(Jk,"normalizeCatalogResource");function Yk(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>Kk({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>Wk({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>Jk({resource:d,connections:e.connections,routePath:e.routePath})),i=new Set;for(let d of r)Rd({kind:"tool",key:d.name,routePath:e.routePath,seen:i});let s=new Set;for(let d of n)Rd({kind:"prompt",key:d.name,routePath:e.routePath,seen:s});let u=new Set;for(let d of a)Rd({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:u});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(Yk,"normalizeVirtualServerCatalog");function Xk(e){let t=new Map,r=new Set;for(let n of e.routes){let a=n.policies?.inbound??[];if(a.length===0)continue;let i=a[0],s=i===void 0?void 0:e.policyByName.get(i);if(!s||!Lk(s))continue;let u=Zk(n);u||De(`MCP virtual server route ${n.path} must declare an operationId in routes.oas.json.`),r.has(u)&&De(`Duplicate MCP virtual server operationId ${u} across routes.`),r.add(u);let d=jk(n.path);t.has(d)&&De(`Duplicate MCP virtual server id ${d} across routes.`);let l=[];for(let f of a.slice(1)){let _=e.policyByName.get(f);if(!_||!Zf(_))continue;let S=e.connectionsByPolicyName.get(f);S||De(`Upstream connection policy ${f} referenced by route ${n.path} could not be resolved.`),l.push(S)}let p=Vf(n.handler.options),m=Yk({catalog:p,connections:l,routePath:n.path});m.catalogSource==="upstream_mcp"&&l.length!==1&&De(`MCP virtual server route ${n.path} uses upstream MCP catalog mode but declares ${l.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(d,{virtualServerId:d,operationId:u,routePath:n.path,handlerExport:n.handler.export,serverInfo:m.serverInfo,catalog:m,connections:l})}return t}o(Xk,"buildVirtualServers");function Wf(e){let t=Vk(e.policies),r=Fk(t),n=Xk({routes:e.routes,policyByName:t,connectionsByPolicyName:r}),a=new Map;for(let i of r.values())a.set(i.upstreamServerId,i);return{byVirtualServerId:n,connectionsById:a}}o(Wf,"buildGatewayConnectionRegistry");var xi;function Jf(e){xi=e}o(Jf,"setGatewayConnectionRegistry");function st(){if(!xi)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return xi}o(st,"getGatewayConnectionRegistry");function Yf(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return t}o(Yf,"getRegisteredVirtualServer");function zo(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(zo,"requireRegisteredVirtualServer");function Xf(){return xi}o(Xf,"tryGetGatewayConnectionRegistry");var Qf=new Ut("gateway-route");function eg(e,t){Qf.set(e,t)}o(eg,"setGatewayRouteContext");function No(e){return Qf.get(e)}o(No,"readGatewayRouteContext");function Rn(e){let t=No(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(Rn,"requireGatewayRouteContext");var Or="2025-06-18";var Qk=new Set(["localhost","::1"]);function ct(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(ct,"normalizeHostname");function Le(e){let t=ct(e.hostname);return e.protocol==="http:"&&(Qk.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(Le,"isLoopbackHttpUrl");function re(e){return new URL(e).origin}o(re,"readGatewayRequestOrigin");import{metrics as eP,context as Oi,propagation as rg,SpanKind as ng,SpanStatusCode as Cd,trace as Do}from"@opentelemetry/api";var tP="mcp-gateway",rP="mcp-gateway",nP=Or,oP="2.0",og=Do.getTracer(tP),Id=eP.getMeter(rP),aP=Id.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),iP=Id.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),sP=Id.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),cP=["traceparent","tracestate","baggage"];function Td(){return performance.now()/1e3}o(Td,"nowSeconds");function ag(e,t){t(Math.max(Td()-e,0))}o(ag,"recordDurationSeconds");function tg(e){return e===void 0?void 0:String(e)}o(tg,"stringifyAttribute");function Ee(e,t,r){r!==void 0&&(e[t]=r)}o(Ee,"assignAttribute");function uP(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(uP,"readTargetName");function ig(e){let t=uP({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(ig,"buildMcpOperationSpanName");function Ad(e){let t={"mcp.method.name":e.methodName};return Ee(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??oP),Ee(t,"jsonrpc.request.id",tg(e.jsonRpcRequestId)),Ee(t,"mcp.protocol.version",e.mcpProtocolVersion??nP),Ee(t,"mcp.session.id",e.mcpSessionId),Ee(t,"mcp.resource.uri",e.resourceUri),Ee(t,"rpc.response.status_code",tg(e.rpcResponseStatusCode)),Ee(t,"error.type",e.errorType),e.capabilityType==="tool"&&(Ee(t,"gen_ai.operation.name","execute_tool"),Ee(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&Ee(t,"gen_ai.prompt.name",e.capabilityName),Ee(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),Ee(t,"network.protocol.version",e.networkProtocolVersion),Ee(t,"network.transport",e.networkTransport),Ee(t,"server.address",e.serverAddress),Ee(t,"server.port",e.serverPort),Ee(t,"client.address",e.clientAddress),Ee(t,"client.port",e.clientPort),t}o(Ad,"buildMcpOperationAttributes");function dP(e){let t=Ad({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(dP,"buildMcpSessionAttributes");function sg(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:Cd.ERROR}),t instanceof Error&&e.recordException(t)}o(sg,"setSpanError");function cg(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(cg,"readErrorType");function lP(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?Oi.active():rg.extract(Oi.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(lP,"readServerParentContext");function pP(e){let t=Do.getSpanContext(Oi.active()),r=Do.getSpanContext(e);if(!(!t||!Do.isSpanContextValid(t))&&!(r&&Do.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(pP,"readAmbientSpanLink");function ug(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(ug,"readResultErrorType");async function Ur(e,t){let r=Td(),n=Ad({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return og.startActiveSpan(ig(e),{kind:ng.CLIENT,attributes:n},async a=>{try{let i=await t(),s=ug(i);return s&&(a.setAttribute("error.type",s),a.setStatus({code:Cd.ERROR}),n["error.type"]=s),i}catch(i){let s=e.errorType??cg(i);throw n["error.type"]=s,sg(a,i,s),i}finally{ag(r,i=>{aP.record(i,n)}),a.end()}})}o(Ur,"runMcpClientOperation");async function zr(e,t){let r=Td(),n=lP(e.params),a=Ad({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),i=pP(n);return og.startActiveSpan(ig(e),{kind:ng.SERVER,attributes:a,...i?{links:i}:{}},n,async s=>{try{let u=await t(),d=ug(u);return d&&(s.setAttribute("error.type",d),s.setStatus({code:Cd.ERROR}),a["error.type"]=d),u}catch(u){let d=e.errorType??cg(u);throw a["error.type"]=d,sg(s,u,d),u}finally{ag(r,u=>{iP.record(u,a)}),s.end()}})}o(zr,"runMcpServerOperation");function dg(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return rg.inject(Oi.active(),t._meta,{set(r,n,a){cP.includes(n)&&(r[n]=a)}}),t}o(dg,"injectMcpTraceContextIntoParams");function lg(e,t){let r=dP({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});sP.record(Math.max(t,0),r)}o(lg,"recordMcpClientSessionDuration");var kd=new Ut("route-upstream-bindings");function mP(e){let t=kd.get(e);if(t)return t;let r={bindings:[]};return kd.set(e,r),r}o(mP,"readOrCreateRouteUpstreamBindingRegistry");function pg(e){return`${e.upstreamServerId}:${e.authProfileId}`}o(pg,"buildRouteBindingDuplicateKey");function Pd(e,t){let r=mP(e),n=pg(t);if(r.bindings.find(i=>pg(i)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.bindings.push(t)}o(Pd,"appendResolvedUpstreamBindingContext");function mg(e){return kd.get(e)?.bindings??[]}o(mg,"readResolvedUpstreamBindingContexts");Y();var V=c.string().datetime({offset:!0}).brand();function O(e){return V.parse(e.toISOString())}o(O,"toIsoTimestamp");function ft(e,t){return new Date(e.getTime()+t*1e3)}o(ft,"addSeconds");Y();var bn=c.string().trim().min(1),Mo={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},hP=c.object({issuer:c.url(),jwksUrl:c.url(),audience:bn}),fP=c.object({url:c.url(),tokenUrl:c.url().optional(),clientId:bn.optional(),clientSecret:bn.optional(),scope:bn.default("openid profile email"),audience:bn.optional(),remoteTimeoutMs:c.coerce.number().int().positive().default(1e4),stateTtlSeconds:c.coerce.number().int().positive().default(900),sessionTtlSeconds:c.coerce.number().int().positive().default(28800)}).strict(),gP=c.object({accessTokenTtlSeconds:c.coerce.number().int().positive().default(Mo.accessTokenTtlSeconds),refreshTokenTtlSeconds:c.coerce.number().int().positive().default(Mo.refreshTokenTtlSeconds),cimdEnabled:c.boolean().default(Mo.cimdEnabled)}).strict().default(Mo),_P=c.object({oidc:hP,browserLogin:fP,gateway:gP.optional().default(Mo),devTenantId:bn.optional()}).strict();function hg(e){return yP(e.browserLogin.url)?"local_dev":"federated_oidc"}o(hg,"readBrowserLoginKind");function yP(e){let t;try{t=new URL(e)}catch{return!1}return Le(t)&&t.pathname==="/oauth/dev-login"}o(yP,"isLoopbackDevLoginUrl");function Ui(e){return _P.parse(e)}o(Ui,"parseMcpOAuthRuntimeConfig");var Ed;function fg(e){Ed=e}o(fg,"setGatewayOAuthConfig");function ve(){if(!Ed)throw g("internal_server_error","MCP gateway OAuth config has not been initialized. An `mcp-oauth-inbound` policy (or a provider-specific wrapper such as `mcp-auth0-oauth-inbound`) must be registered in policies.json so the gateway can derive its OAuth runtime configuration from policy options.");return Ed}o(ve,"getGatewayOAuthConfig");function gt(e){return re(e)}o(gt,"readGatewayOAuthIssuer");Y();var SP=43,wP=128,vP=/^[A-Za-z0-9._~-]+$/,xd="S256",Cn=c.literal(xd),zi=c.string().min(SP).max(wP).regex(vP);Y();var Ni=["none","client_secret_post","client_secret_basic"],RP=[...Ni,"private_key_jwt"],bP=["awaiting_login","awaiting_setup"],CP=c.string().min(1).brand(),IP=c.string().min(1).brand(),le=c.string().min(1).brand(),_t=c.uuid().brand(),je=c.uuid().brand(),Di=c.uuid().brand(),qo=c.enum(Ni),TP=c.enum(RP),Od=c.enum(bP),gg=c.object({client_id:le,client_name:c.string().min(1),redirect_uris:c.array(c.string().min(1)).min(1),token_endpoint_auth_method:TP.default("none")}),$o=c.object({clientId:le,clientName:c.string().min(1),redirectUris:c.array(c.string().min(1)),tokenEndpointAuthMethod:qo,hashedClientSecret:c.string().optional(),clientSecretExpiresAt:V.optional(),clientExpiresAt:V,revokedAt:V.optional(),createdAt:V}),Ud=c.object({clientId:le,resource:c.string(),virtualServerId:me,tenantId:CP,subjectId:IP,scope:c.string(),roles:c.array(c.string()),createdAt:V,expiresAt:V}),_g=Ud.extend({id:je,redirectUri:c.string(),clientState:c.string().optional(),codeChallenge:c.string(),codeChallengeMethod:Cn}),Lo=Ud.extend({id:_t,currentRefreshTokenHash:c.string().optional(),previousRefreshTokenHash:c.string().optional(),revokedAt:V.optional(),revokedReason:c.string().optional()}),In=Ud.extend({tokenHash:c.string(),grantId:_t,revokedAt:V.optional()});function zd(){return je.parse(crypto.randomUUID())}o(zd,"createDownstreamAuthorizationTransactionId");function Nd(){return Di.parse(crypto.randomUUID())}o(Nd,"createDownstreamBrowserLoginStateId");function Dd(){return _t.parse(crypto.randomUUID())}o(Dd,"createDownstreamGrantId");var ce="mcp:tools";function qi(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return Le(r)&&Le(n)&&ct(r.hostname)===ct(n.hostname)&&r.pathname===n.pathname&&r.search===n.search}o(qi,"redirectUriMatchesRegistration");function yg(e){return Le(e)&&e.pathname==="/oauth/dev-login"}o(yg,"isLoopbackDevLoginUrl");function Mi(e,t){return new URL(e,gt(t)).toString()}o(Mi,"buildGatewayOAuthUrl");function Md(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,re(e.requestUrl)).toString()}o(Md,"buildScopedAuthorizationServerIssuer");function AP(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,re(e.requestUrl)).toString()}o(AP,"buildScopedAuthorizationEndpoint");function qd(e){let t=ve();return{issuer:gt(e),authorization_endpoint:Mi("/oauth/authorize",e),token_endpoint:Mi("/oauth/token",e),registration_endpoint:Mi("/oauth/register",e),revocation_endpoint:Mi("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[ce],code_challenge_methods_supported:[xd],token_endpoint_auth_methods_supported:Ni,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":hg(t)}}o(qd,"buildAuthorizationServerMetadata");function Sg(e){let t=Md(e);return{...qd(e.requestUrl),issuer:t,authorization_endpoint:AP(e)}}o(Sg,"buildScopedAuthorizationServerMetadata");async function wg(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return Response.json(kP(n.virtualServerId,e.url))}catch(r){let n=de(r);return Ze(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(wg,"protectedResourceMetadataHandler");function kP(e,t){return{resource:Nr(e,t),resource_name:e,authorization_servers:[Md({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[ce],mcp_protocol_version:Or}}o(kP,"buildProtectedResourceMetadataResponseBody");function Nr(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,re(t)).toString()}o(Nr,"buildCanonicalMcpResourceForVirtualServer");function vg(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,re(t)).toString()}o(vg,"buildProtectedResourceMetadataUrlForVirtualServer");import{base64url as $d}from"jose";var PP="sha256:",EP=32;function Rg(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Rg,"copyToArrayBuffer");function xP(e,t){if(e.length!==t.length)return!1;let r=0;for(let n=0;n<e.length;n++)r|=e.charCodeAt(n)^t.charCodeAt(n);return r===0}o(xP,"constantTimeEqual");function Ke(){let e=crypto.getRandomValues(new Uint8Array(EP));return $d.encode(e)}o(Ke,"createOpaqueToken");async function F(e){let t=await crypto.subtle.digest("SHA-256",Rg(new TextEncoder().encode(e)));return`${PP}${$d.encode(new Uint8Array(t))}`}o(F,"hashOpaqueValue");async function bg(e){let t=await F(e.value);return xP(t,e.expectedHash)}o(bg,"verifyOpaqueValue");async function Ld(e){let t=await crypto.subtle.digest("SHA-256",Rg(new TextEncoder().encode(e)));return $d.encode(new Uint8Array(t))}o(Ld,"calculatePkceS256Challenge");Y();var OP=c.record(c.string(),c.unknown()),Cg=c.string().min(1),UP=c.union([Cg.transform(e=>[e]),c.array(Cg)]),ue=c.string().min(1).brand(),X=c.string().min(1).brand(),zP=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],NP=["https://zuplo.com/roles","roles","role","permissions","groups"],DP=ue.parse("zuplo-poc"),Ig=new Ut("gateway-principal");function MP(e){let t=OP.safeParse(e);return t.success?t.data:{}}o(MP,"toClaimRecord");function qP(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(qP,"readValidationFailureDetail");function $P(e,t,r){for(let i of zP){let s=X.safeParse(t[i]);if(s.success)return s.data}let n=X.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",qP(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===gt(r)?n.data:X.parse(`${a}|${n.data}`)}o($P,"readNormalizedSubjectId");function LP(e){let t=new Set;for(let r of NP){let n=UP.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(LP,"readRoles");function Tn(e,t){let r=MP(e?.data),n={subjectId:$P(e,r,t),tenantId:DP},a=LP(r);return a&&(n.roles=a),n}o(Tn,"parseGatewayPrincipal");function Tg(e){let t=Hd(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(Tg,"requireGatewayPrincipal");function Ag(e,t){Ig.set(e,t)}o(Ag,"setGatewayPrincipal");function Hd(e){return Ig.get(e)}o(Hd,"readGatewayPrincipal");function An(e){let r=['realm="OAuth"',`resource_metadata="${jd(vg(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${jd(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${jd(e.scope)}"`),`Bearer ${r.join(", ")}`}o(An,"buildGatewayBearerChallenge");function jd(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(jd,"sanitizeQuotedHeaderParameter");Y();var Gd=c.string().trim().min(1),jP=c.object({TOKEN_ENCRYPTION_KEY:Gd,OAUTH_STATE_SIGNING_KEY:Gd,TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING:Gd.optional()}),HP=["TOKEN_ENCRYPTION_KEY","OAUTH_STATE_SIGNING_KEY","TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING"];function GP(e){let t=Ns[e];return typeof t=="string"?t:void 0}o(GP,"readEnvValue");function BP(){let e={};for(let t of HP){let r=GP(t);r!==void 0&&(e[t]=r)}return e}o(BP,"readRawEnv");var Bd;function VP(e){return e.issues.map(t=>`- ${t.path.length>0?t.path.map(String).join("."):"environment"}: ${t.message}`)}o(VP,"formatZodIssues");function FP(e){return new Ot(["Invalid MCP gateway environment configuration.","Validation failed for these environment variables:",...VP(e)].join(`
+`),{cause:e})}o(FP,"createEnvValidationError");function ZP(e){let t=jP.safeParse(e);if(!t.success)throw FP(t.error);return t.data}o(ZP,"parseGatewayEnv");function KP(){return Bd||(Bd=ZP(BP())),Bd}o(KP,"readEnv");function $i(){return KP()}o($i,"getEnv");Y();Y();function WP(e){if(e instanceof Date)return e;let t=new Date(e);if(Number.isNaN(t.getTime()))throw new Error("Expected a valid timestamp",{cause:new Error(`received: ${String(e)}`)});return t}o(WP,"parseDate");function pr(e,t){if(typeof e!="string")return e;try{return JSON.parse(e)}catch(r){throw new Error(`Persisted ${t} must be valid JSON`,{cause:r})}}o(pr,"parseJsonValue");function Vd(e,t){return c.array(c.string()).parse(pr(e,t))}o(Vd,"parseStringArray");var ie=c.union([c.date(),c.string()]).transform(e=>WP(e));var JP=c.object({current_state_hash:c.string(),phase:Od,consumed_at:ie.nullable(),expires_at:ie}),YP=c.object({id:_t,revoked_at:ie.nullable().optional(),expires_at:ie,matched:c.enum(["current","previous"])}),XP=c.object({id:_t,matched:c.literal("current")}),QP=c.object({client_id:le,client_name:c.string(),redirect_uris:c.unknown(),token_endpoint_auth_method:qo,hashed_client_secret:c.string().nullable(),client_secret_expires_at:ie.nullable(),client_expires_at:ie,revoked_at:ie.nullable(),created_at:ie}).transform(e=>{let t={clientId:e.client_id,clientName:e.client_name,redirectUris:Vd(e.redirect_uris,"redirect_uris"),tokenEndpointAuthMethod:e.token_endpoint_auth_method,createdAt:O(e.created_at),clientExpiresAt:O(e.client_expires_at)};return e.hashed_client_secret&&(t.hashedClientSecret=e.hashed_client_secret),e.client_secret_expires_at&&(t.clientSecretExpiresAt=O(e.client_secret_expires_at)),e.revoked_at&&(t.revokedAt=O(e.revoked_at)),$o.parse(t)}),Fd=c.object({id:je,current_state_hash:c.string(),phase:Od,principal_subject_id:X.nullable(),principal_tenant_id:ue.nullable(),principal_roles:c.unknown().nullable(),client_id:le,redirect_uri:c.string(),resource:c.string(),virtual_server_id:me,client_state:c.string().nullable(),scope:c.string(),code_challenge:c.string(),code_challenge_method:Cn,created_at:ie,expires_at:ie,consumed_at:ie.nullable()}).transform(e=>{let t={id:e.id,currentStateHash:e.current_state_hash,clientId:e.client_id,redirectUri:e.redirect_uri,resource:e.resource,virtualServerId:e.virtual_server_id,scope:e.scope,codeChallenge:e.code_challenge,codeChallengeMethod:e.code_challenge_method,createdAt:O(e.created_at),expiresAt:O(e.expires_at)};if(e.client_state&&(t.clientState=e.client_state),e.consumed_at&&(t.consumedAt=O(e.consumed_at)),e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal_subject_id||!e.principal_tenant_id)throw new Error("Awaiting-setup pending authorization row is missing principal.");return{...t,phase:"awaiting_setup",principal:{subjectId:e.principal_subject_id,tenantId:e.principal_tenant_id,...e.principal_roles===null?{}:{roles:c.array(c.string()).parse(pr(e.principal_roles,"principal_roles"))}}}}),eE=c.object({id:je});function Pg(e){return{clientId:e.client_id,resource:e.resource,virtualServerId:e.virtual_server_id,tenantId:e.tenant_id,subjectId:e.subject_id,scope:e.scope,roles:Vd(e.roles,"roles"),createdAt:O(e.created_at),expiresAt:O(e.expires_at)}}o(Pg,"downstreamGrantAccessFields");var kg=c.object({id:_t,client_id:le,resource:c.string(),virtual_server_id:me,tenant_id:ue,subject_id:X,scope:c.string(),roles:c.unknown(),current_refresh_token_hash:c.string().nullable(),previous_refresh_token_hash:c.string().nullable(),created_at:ie,expires_at:ie,revoked_at:ie.nullable(),revoked_reason:c.string().nullable()}).transform(e=>{let t={id:e.id,...Pg(e)};return e.current_refresh_token_hash&&(t.currentRefreshTokenHash=e.current_refresh_token_hash),e.previous_refresh_token_hash&&(t.previousRefreshTokenHash=e.previous_refresh_token_hash),e.revoked_at&&(t.revokedAt=O(e.revoked_at)),e.revoked_reason&&(t.revokedReason=e.revoked_reason),Lo.parse(t)}),tE=c.object({token_hash:c.string(),grant_id:_t,client_id:le,resource:c.string(),virtual_server_id:me,tenant_id:ue,subject_id:X,scope:c.string(),roles:c.unknown(),created_at:ie,expires_at:ie,revoked_at:ie.nullable()}).transform(e=>{let t={tokenHash:e.token_hash,grantId:e.grant_id,...Pg(e)};return e.revoked_at&&(t.revokedAt=O(e.revoked_at)),In.parse(t)});function Eg(e){return[e.clientId,e.redirectUri,e.resource,e.virtualServerId,e.tenantId,e.subjectId,e.scope,JSON.stringify(e.roles),e.codeChallenge,e.codeChallengeMethod,new Date(e.createdAt),new Date(e.expiresAt)]}o(Eg,"authorizationTransactionValues");function rE(e,t){let r=_g.parse(t);return e.query(`INSERT INTO downstream_oauth_authorization_transactions (
        id, client_id, redirect_uri, resource, virtual_server_id, tenant_id,
        subject_id, scope, roles, code_challenge, code_challenge_method,
        created_at, expires_at
-     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12, $13)`,[r.id,...Pg(r)])}o(tP,"insertAuthorizationTransaction");function rP(e,t){return e.query(`INSERT INTO downstream_oauth_authorization_codes (
+     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12, $13)`,[r.id,...Eg(r)])}o(rE,"insertAuthorizationTransaction");function nE(e,t){return e.query(`INSERT INTO downstream_oauth_authorization_codes (
        code_hash, transaction_id, grant_id, client_id, redirect_uri, resource,
        virtual_server_id, tenant_id, subject_id, scope, roles,
        code_challenge, code_challenge_method, created_at, expires_at
-     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11::jsonb, $12, $13, $14, $15)`,[t.codeHash,t.id,t.grantId,...Pg(t)])}o(rP,"insertAuthorizationCode");function nP(e,t){return e&&!e.revokedAt?new Date(e.expiresAt).getTime()<=t.getTime()?{kind:"expired"}:void 0:{kind:"revoked"}}o(nP,"accessTokenGrantValidationFailure");var Hi=class{constructor(t){this.db=t}static{o(this,"PostgresDownstreamOAuthRepository")}async readPendingAuthorizationStatus(t){return c.array(WE).parse(await this.db.query(`SELECT current_state_hash, phase, consumed_at, expires_at
+     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11::jsonb, $12, $13, $14, $15)`,[t.codeHash,t.id,t.grantId,...Eg(t)])}o(nE,"insertAuthorizationCode");function oE(e,t){return e&&!e.revokedAt?new Date(e.expiresAt).getTime()<=t.getTime()?{kind:"expired"}:void 0:{kind:"revoked"}}o(oE,"accessTokenGrantValidationFailure");var Li=class{constructor(t){this.db=t}static{o(this,"PostgresDownstreamOAuthRepository")}async readPendingAuthorizationStatus(t){return c.array(JP).parse(await this.db.query(`SELECT current_state_hash, phase, consumed_at, expires_at
          FROM downstream_oauth_pending_authorization_transactions
          WHERE id = $1
-         LIMIT 1`,[t]))[0]}async readPendingAuthorizationAdvanceFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:r.phase!==t.expectedPhase?{kind:"wrong_phase",current:r.phase}:{kind:"stale_hash"}:{kind:"missing"}}async readPendingAuthorizationConsumeFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed_already"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"stale_hash"}:{kind:"missing"}}async getDcrClient(t){return c.array(XE).parse(await this.db.query(`SELECT
+         LIMIT 1`,[t]))[0]}async readPendingAuthorizationAdvanceFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:r.phase!==t.expectedPhase?{kind:"wrong_phase",current:r.phase}:{kind:"stale_hash"}:{kind:"missing"}}async readPendingAuthorizationConsumeFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed_already"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"stale_hash"}:{kind:"missing"}}async getDcrClient(t){return c.array(QP).parse(await this.db.query(`SELECT
            client_id,
            client_name,
            redirect_uris,
@@ -76,7 +76,7 @@ data:
          client_expires_at,
          revoked_at,
          created_at
-       ) VALUES ($1, $2, $3::jsonb, $4, $5, $6, $7, $8, $9)`,[t.clientId,t.clientName,JSON.stringify(t.redirectUris),t.tokenEndpointAuthMethod,t.hashedClientSecret??null,t.clientSecretExpiresAt?new Date(t.clientSecretExpiresAt):null,new Date(t.clientExpiresAt),t.revokedAt?new Date(t.revokedAt):null,new Date(t.createdAt)])}async savePendingAuthorizationTransaction(t){return c.array(QE).parse(await this.db.query(`INSERT INTO downstream_oauth_pending_authorization_transactions (
+       ) VALUES ($1, $2, $3::jsonb, $4, $5, $6, $7, $8, $9)`,[t.clientId,t.clientName,JSON.stringify(t.redirectUris),t.tokenEndpointAuthMethod,t.hashedClientSecret??null,t.clientSecretExpiresAt?new Date(t.clientSecretExpiresAt):null,new Date(t.clientExpiresAt),t.revokedAt?new Date(t.revokedAt):null,new Date(t.createdAt)])}async savePendingAuthorizationTransaction(t){return c.array(eE).parse(await this.db.query(`INSERT INTO downstream_oauth_pending_authorization_transactions (
          id, current_state_hash, phase, principal_subject_id,
          principal_tenant_id, principal_roles, client_id, redirect_uri,
          resource, virtual_server_id, client_state, scope, code_challenge,
@@ -103,10 +103,10 @@ data:
          AND current_state_hash = $2
          AND consumed_at IS NULL
          AND expires_at > $3
-       RETURNING *`,[t.id,t.currentStateHash,t.now]))[0];return n?{kind:"consumed",record:n}:this.readPendingAuthorizationConsumeFailure(t)}async issueAuthorizationCode(t){await this.db.transaction(r=>[tP(r,t),rP(r,t)])}async exchangeAuthorizationCode(t){let n=c.array(c.object({redirect_uri:c.string()})).parse(await this.db.query(`SELECT redirect_uri
+       RETURNING *`,[t.id,t.currentStateHash,t.now]))[0];return n?{kind:"consumed",record:n}:this.readPendingAuthorizationConsumeFailure(t)}async issueAuthorizationCode(t){await this.db.transaction(r=>[rE(r,t),nE(r,t)])}async exchangeAuthorizationCode(t){let n=c.array(c.object({redirect_uri:c.string()})).parse(await this.db.query(`SELECT redirect_uri
        FROM downstream_oauth_authorization_codes
        WHERE code_hash = $1
-       LIMIT 1`,[t.codeHash]))[0]?.redirect_uri,a=n!==void 0&&Li(n,t.redirectUri)?n:t.redirectUri,s=c.array(c.record(c.string(),c.unknown())).parse(await this.db.query(`WITH candidate AS (
+       LIMIT 1`,[t.codeHash]))[0]?.redirect_uri,a=n!==void 0&&qi(n,t.redirectUri)?n:t.redirectUri,s=c.array(c.record(c.string(),c.unknown())).parse(await this.db.query(`WITH candidate AS (
            SELECT *
            FROM downstream_oauth_authorization_codes
            WHERE code_hash = $1
@@ -218,12 +218,12 @@ data:
          LIMIT 1`,[t]))[0]}async saveAccessToken(t){await this.db.query(`INSERT INTO downstream_oauth_access_tokens (
          token_hash, grant_id, client_id, resource, virtual_server_id, tenant_id,
          subject_id, scope, roles, created_at, expires_at, revoked_at
-       ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12)`,[t.tokenHash,t.grantId,t.clientId,t.resource,t.virtualServerId,t.tenantId,t.subjectId,t.scope,JSON.stringify(t.roles),new Date(t.createdAt),new Date(t.expiresAt),t.revokedAt?new Date(t.revokedAt):null])}async validateAccessToken(t){let n=c.array(eP).parse(await this.db.query(`SELECT access_tokens.*
+       ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12)`,[t.tokenHash,t.grantId,t.clientId,t.resource,t.virtualServerId,t.tenantId,t.subjectId,t.scope,JSON.stringify(t.roles),new Date(t.createdAt),new Date(t.expiresAt),t.revokedAt?new Date(t.revokedAt):null])}async validateAccessToken(t){let n=c.array(tE).parse(await this.db.query(`SELECT access_tokens.*
          FROM downstream_oauth_access_tokens AS access_tokens
          JOIN downstream_oauth_grants AS grants
            ON grants.id = access_tokens.grant_id
          WHERE access_tokens.token_hash = $1
-         LIMIT 1`,[t.tokenHash]))[0];if(!n)return{kind:"missing"};if(n.revokedAt)return{kind:"revoked"};if(new Date(n.expiresAt).getTime()<=t.now.getTime())return{kind:"expired"};let a=await this.getGrant(n.grantId),i=nP(a,t.now);return i||{kind:"valid",record:n}}async rotateRefreshToken(t){let r=await this.rotateCurrentRefreshToken(t);if(!r)return this.resolveUnrotatedRefreshToken(t);let n=await this.getGrant(r.id);return n?{kind:"rotated",grant:n,matched:r.matched}:{kind:"missing"}}async rotateCurrentRefreshToken(t){return c.array(YE).parse(await this.db.query(`WITH candidate AS (
+         LIMIT 1`,[t.tokenHash]))[0];if(!n)return{kind:"missing"};if(n.revokedAt)return{kind:"revoked"};if(new Date(n.expiresAt).getTime()<=t.now.getTime())return{kind:"expired"};let a=await this.getGrant(n.grantId),i=oE(a,t.now);return i||{kind:"valid",record:n}}async rotateRefreshToken(t){let r=await this.rotateCurrentRefreshToken(t);if(!r)return this.resolveUnrotatedRefreshToken(t);let n=await this.getGrant(r.id);return n?{kind:"rotated",grant:n,matched:r.matched}:{kind:"missing"}}async rotateCurrentRefreshToken(t){return c.array(XP).parse(await this.db.query(`WITH candidate AS (
            SELECT id,
              'current' AS matched
            FROM downstream_oauth_grants
@@ -245,7 +245,7 @@ data:
            AND grants.expires_at > $4
            AND ($5::text IS NULL OR grants.resource = $5)
            AND grants.current_refresh_token_hash = $1
-         RETURNING grants.*, candidate.matched`,[t.currentTokenHash,t.nextTokenHash,t.clientId,t.now,t.resource??null]))[0]}async resolveUnrotatedRefreshToken(t){let r=await this.findRefreshTokenGrantStatus(t,!0),n=await this.refreshTokenGrantFailure(t,r);if(n)return n;if(r)return{kind:"missing"};let a=await this.findRefreshTokenGrantStatus(t,!1),i=await this.refreshTokenGrantFailure(t,a);return i||(a&&t.resource!==void 0?{kind:"resource_mismatch"}:{kind:"missing"})}async findRefreshTokenGrantStatus(t,r){let n=r?"AND ($3::text IS NULL OR resource = $3)":"",a=r?[t.clientId,t.currentTokenHash,t.resource??null]:[t.clientId,t.currentTokenHash];return c.array(JE).parse(await this.db.query(`SELECT id,
+         RETURNING grants.*, candidate.matched`,[t.currentTokenHash,t.nextTokenHash,t.clientId,t.now,t.resource??null]))[0]}async resolveUnrotatedRefreshToken(t){let r=await this.findRefreshTokenGrantStatus(t,!0),n=await this.refreshTokenGrantFailure(t,r);if(n)return n;if(r)return{kind:"missing"};let a=await this.findRefreshTokenGrantStatus(t,!1),i=await this.refreshTokenGrantFailure(t,a);return i||(a&&t.resource!==void 0?{kind:"resource_mismatch"}:{kind:"missing"})}async findRefreshTokenGrantStatus(t,r){let n=r?"AND ($3::text IS NULL OR resource = $3)":"",a=r?[t.clientId,t.currentTokenHash,t.resource??null]:[t.clientId,t.currentTokenHash];return c.array(YP).parse(await this.db.query(`SELECT id,
                 revoked_at,
                 expires_at,
                 CASE
@@ -259,12 +259,12 @@ data:
              current_refresh_token_hash = $2
              OR previous_refresh_token_hash = $2
            )
-         LIMIT 1`,a))[0]}async refreshTokenGrantFailure(t,r){if(r){if(r.revoked_at)return{kind:"revoked"};if(r.expires_at.getTime()<=t.now.getTime())return{kind:"expired"};if(r.matched==="previous")return await this.revokeGrant({grantId:r.id,now:t.now,reason:"refresh_token_replay"}),{kind:"revoked"}}}async revokeOAuthToken(t){let n=c.array(c.object({token_hash:c.string(),client_id:he})).parse(await this.db.query(`SELECT token_hash, client_id
+         LIMIT 1`,a))[0]}async refreshTokenGrantFailure(t,r){if(r){if(r.revoked_at)return{kind:"revoked"};if(r.expires_at.getTime()<=t.now.getTime())return{kind:"expired"};if(r.matched==="previous")return await this.revokeGrant({grantId:r.id,now:t.now,reason:"refresh_token_replay"}),{kind:"revoked"}}}async revokeOAuthToken(t){let n=c.array(c.object({token_hash:c.string(),client_id:le})).parse(await this.db.query(`SELECT token_hash, client_id
          FROM downstream_oauth_access_tokens
          WHERE token_hash = $1
          LIMIT 1`,[t.tokenHash]))[0];if(n)return n.client_id!==t.clientId?{kind:"client_mismatch"}:(await this.db.query(`UPDATE downstream_oauth_access_tokens
          SET revoked_at = $2
-         WHERE token_hash = $1 AND revoked_at IS NULL`,[t.tokenHash,t.now]),{kind:"revoked_access_token"});let i=c.array(c.object({id:yt,client_id:he})).parse(await this.db.query(`SELECT id, client_id
+         WHERE token_hash = $1 AND revoked_at IS NULL`,[t.tokenHash,t.now]),{kind:"revoked_access_token"});let i=c.array(c.object({id:_t,client_id:le})).parse(await this.db.query(`SELECT id, client_id
          FROM downstream_oauth_grants
          WHERE current_refresh_token_hash = $1
             OR previous_refresh_token_hash = $1
@@ -274,7 +274,7 @@ data:
              revoked_reason = $3
          WHERE id = $1 AND revoked_at IS NULL`,[t.grantId,t.now,t.reason]),r.query(`UPDATE downstream_oauth_access_tokens
          SET revoked_at = $2
-         WHERE grant_id = $1 AND revoked_at IS NULL`,[t.grantId,t.now])])}};var Gi=class{constructor(t,r){this.raw=t;this.singleShotExecutor=r}static{o(this,"HttpPgQuery")}[Symbol.toStringTag]="HttpPgQuery";then(t,r){return this.singleShotExecutor(this.raw).then(t,r)}catch(t){return this.singleShotExecutor(this.raw).catch(t)}finally(t){return this.singleShotExecutor(this.raw).finally(t)}};function oP(e){return e instanceof Gi}o(oP,"isHttpPgQuery");function aP(e){let t;try{t=new URL(e)}catch(n){throw new Error("Database connection string is not a valid URL. Expected: postgresql://user:password@host.tld/dbname",{cause:n})}if(t.protocol!=="postgresql:"&&t.protocol!=="postgres:")throw g("internal_server_error",`Database connection string must use postgres:// or postgresql:// (got ${t.protocol})`);if(!t.hostname)throw g("internal_server_error","Database connection string is missing the host.");let r=t.hostname.replace(/^[^.]+\./,"api.");return{host:t.hostname,fetchEndpoint:`https://${r}/sql`}}o(aP,"parseConnectionString");function iP(e){return typeof e=="object"&&e!==null&&typeof e.message=="string"?e.message??"Unknown postgres error":"Unknown postgres error"}o(iP,"readErrorMessage");function sP(e){return typeof e=="object"&&e!==null&&Array.isArray(e.rows)}o(sP,"isSingleResponse");function cP(e){return typeof e=="object"&&e!==null&&Array.isArray(e.results)}o(cP,"isBatchResponse");function xg(e,t={}){let{fetchEndpoint:r}=aP(e),n=t.fetchFn??fetch;async function a(d){let l=await i({query:d.query,params:d.params});if(!sP(l))throw g("internal_server_error","Unexpected postgres response shape: missing `rows`.");return l.rows}o(a,"runSingle");async function i(d){let l=await n(r,{method:"POST",headers:{"content-type":"application/json","Neon-Connection-String":e,"Neon-Raw-Text-Output":"true"},body:JSON.stringify(d)});if(!l.ok){let p;try{p=await l.json()}catch{p=void 0}let m=new Error(iP(p));throw g({code:"internal_server_error",privateDetail:`Postgres HTTP request failed (status ${l.status})`,cause:m})}return l.json()}o(i,"runRequest");function s(){return{query(d,l){return new Gi({query:d,params:l??[]},a)}}}o(s,"buildQueryDatabase");let u=s();return{query:u.query,async transaction(d){let p=d(u).map((f,_)=>{if(!oP(f))throw new Error(`transaction callback returned an unexpected query operation at index ${_}. Each statement must be a direct \`db.query(...)\` call (do not \`await\` inside the callback).`);return f.raw}),m=await i({queries:p.map(f=>({query:f.query,params:f.params}))});if(!cP(m))throw new Error("Unexpected postgres response shape: missing `results` for transaction.");return m.results.map(f=>f.rows)}}}o(xg,"createHttpPostgresGatewayDatabase");var uP=`
+         WHERE grant_id = $1 AND revoked_at IS NULL`,[t.grantId,t.now])])}};var ji=class{constructor(t,r){this.raw=t;this.singleShotExecutor=r}static{o(this,"HttpPgQuery")}[Symbol.toStringTag]="HttpPgQuery";then(t,r){return this.singleShotExecutor(this.raw).then(t,r)}catch(t){return this.singleShotExecutor(this.raw).catch(t)}finally(t){return this.singleShotExecutor(this.raw).finally(t)}};function aE(e){return e instanceof ji}o(aE,"isHttpPgQuery");function iE(e){let t;try{t=new URL(e)}catch(n){throw new Error("Database connection string is not a valid URL. Expected: postgresql://user:password@host.tld/dbname",{cause:n})}if(t.protocol!=="postgresql:"&&t.protocol!=="postgres:")throw g("internal_server_error",`Database connection string must use postgres:// or postgresql:// (got ${t.protocol})`);if(!t.hostname)throw g("internal_server_error","Database connection string is missing the host.");let r=t.hostname.replace(/^[^.]+\./,"api.");return{host:t.hostname,fetchEndpoint:`https://${r}/sql`}}o(iE,"parseConnectionString");function sE(e){return typeof e=="object"&&e!==null&&typeof e.message=="string"?e.message??"Unknown postgres error":"Unknown postgres error"}o(sE,"readErrorMessage");function cE(e){return typeof e=="object"&&e!==null&&Array.isArray(e.rows)}o(cE,"isSingleResponse");function uE(e){return typeof e=="object"&&e!==null&&Array.isArray(e.results)}o(uE,"isBatchResponse");function xg(e,t={}){let{fetchEndpoint:r}=iE(e),n=t.fetchFn??fetch;async function a(d){let l=await i({query:d.query,params:d.params});if(!cE(l))throw g("internal_server_error","Unexpected postgres response shape: missing `rows`.");return l.rows}o(a,"runSingle");async function i(d){let l=await n(r,{method:"POST",headers:{"content-type":"application/json","Neon-Connection-String":e,"Neon-Raw-Text-Output":"true"},body:JSON.stringify(d)});if(!l.ok){let p;try{p=await l.json()}catch{p=void 0}let m=new Error(sE(p));throw g({code:"internal_server_error",privateDetail:`Postgres HTTP request failed (status ${l.status})`,cause:m})}return l.json()}o(i,"runRequest");function s(){return{query(d,l){return new ji({query:d,params:l??[]},a)}}}o(s,"buildQueryDatabase");let u=s();return{query:u.query,async transaction(d){let p=d(u).map((f,_)=>{if(!aE(f))throw new Error(`transaction callback returned an unexpected query operation at index ${_}. Each statement must be a direct \`db.query(...)\` call (do not \`await\` inside the callback).`);return f.raw}),m=await i({queries:p.map(f=>({query:f.query,params:f.params}))});if(!uE(m))throw new Error("Unexpected postgres response shape: missing `results` for transaction.");return m.results.map(f=>f.rows)}}}o(xg,"createHttpPostgresGatewayDatabase");var dE=`
 DO $$
 BEGIN
   IF to_regclass('public.downstream_oauth_pending_authorization_transactions') IS NULL THEN
@@ -427,11 +427,11 @@ BEGIN
     EXECUTE $check$ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_code_challenge_method_check CHECK ("downstream_oauth_pending_authorization_transactions"."code_challenge_method" = 'S256')$check$;
   END IF;
 END $$;
-`,dP=`
+`,lE=`
 DROP INDEX IF EXISTS public.downstream_oauth_cimd_metadata_cache_expiry_idx;
-`,lP=`
+`,pE=`
 DROP TABLE IF EXISTS public.downstream_oauth_cimd_metadata_cache;
-`,pP=`
+`,mE=`
 DO $$
 BEGIN
   IF to_regclass('public.upstream_connections') IS NULL THEN
@@ -449,9 +449,9 @@ BEGIN
   EXECUTE $check$ALTER TABLE public.upstream_connections ADD CONSTRAINT upstream_connections_owner_shape_check CHECK (("upstream_connections"."owner_mode" = 'user' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NOT NULL)
         OR ("upstream_connections"."owner_mode" = 'tenant_shared' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NULL))$check$;
 END $$;
-`,mP=[uP,dP,lP,pP].join(`
+`,hE=[dE,lE,pE,mE].join(`
 --> statement-breakpoint
-`),hP=`
+`),fE=`
 DO $$
 BEGIN
   IF to_regclass('public.upstream_connections') IS NULL THEN
@@ -654,19 +654,19 @@ CREATE INDEX "downstream_oauth_grants_expiry_idx" ON "downstream_oauth_grants" U
 CREATE INDEX "downstream_oauth_pending_authorization_expiry_idx" ON "downstream_oauth_pending_authorization_transactions" USING btree ("expires_at");--> statement-breakpoint
 CREATE INDEX "upstream_oauth_state_consumptions_expiry_idx" ON "upstream_oauth_state_consumptions" USING btree ("expires_at");--> statement-breakpoint
 CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING btree ("expires_at");
-`},{tag:"0001_self_heal_pending_authorization",sql:mP},{tag:"0002_upstream_connection_id_text",sql:hP}];var Go="_runtime_applied_migrations",fP=`
-  CREATE TABLE IF NOT EXISTS ${Go} (
+`},{tag:"0001_self_heal_pending_authorization",sql:hE},{tag:"0002_upstream_connection_id_text",sql:fE}];var Ho="_runtime_applied_migrations",gE=`
+  CREATE TABLE IF NOT EXISTS ${Ho} (
     tag text PRIMARY KEY NOT NULL,
     applied_at timestamp with time zone NOT NULL DEFAULT now()
   )
-`,Ho;async function gP(e){if(Ho)return Ho;Ho=(async()=>{await e.query(fP),await e.query(`INSERT INTO ${Go} (tag)
+`,jo;async function _E(e){if(jo)return jo;jo=(async()=>{await e.query(gE),await e.query(`INSERT INTO ${Ho} (tag)
        SELECT '0000_messy_makkari'
        WHERE to_regclass('public.audit_events') IS NOT NULL
          AND NOT EXISTS (
-           SELECT 1 FROM ${Go}
+           SELECT 1 FROM ${Ho}
            WHERE tag = '0000_messy_makkari'
          )
-       ON CONFLICT (tag) DO NOTHING`);let t=await e.query(`SELECT tag FROM ${Go}`),r=new Set(t.map(n=>n.tag));for(let n of Og){if(r.has(n.tag))continue;let a=n.sql.split(/-->\s*statement-breakpoint/g).map(i=>i.trim()).filter(i=>i.length>0);for(let i of a)await e.query(i);await e.query(`INSERT INTO ${Go} (tag) VALUES ($1)`,[n.tag])}})();try{await Ho}catch(t){throw Ho=void 0,t}}o(gP,"ensureGatewayMigrationsApplied");function Ug(e){let t=o(()=>gP(e),"ensureReady");return{query:o((n,a)=>(async()=>(await t(),e.query(n,a)))(),"query"),async transaction(n){return await t(),e.transaction(n)}}}o(Ug,"createMigrationGatedDatabase");X();X();var _P=["user","tenant_shared"],Ht=c.enum(_P);function mr(e,t){if(!e)throw g("forbidden","User-owned upstream connections require an authenticated tenant.");return{mode:"user",tenantId:e,subjectId:t}}o(mr,"buildUserUpstreamConnectionOwner");function Bi(e){if(!e)throw g("forbidden","Tenant-shared upstream connections require an authenticated tenant.");return{mode:"tenant_shared",tenantId:e}}o(Bi,"buildTenantSharedUpstreamConnectionOwner");X();X();function Vi(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(Vi,"parseSafeRelativeReturnTo");var zg=c.object({tenantId:de.optional(),ownerMode:Ht,initiatedBySubjectId:Q,ownerSubjectId:Q.optional(),upstreamServerId:Ee,authProfileId:Pe,virtualServerId:me,returnTo:c.string().min(1).transform(e=>Vi(e)).optional()});function Ng(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="user"&&!e.tenantId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires tenantId",path:["tenantId"]}),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared state requires tenantId",path:["tenantId"]}),e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared state must not include ownerSubjectId",path:["ownerSubjectId"]}))}o(Ng,"validateUpstreamOwnerState");var kn=zg.superRefine(Ng),Dg=zg.omit({returnTo:!0}).superRefine(Ng);function Bo(e){return kn.parse({tenantId:e.owner.tenantId,ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(Bo,"buildUpstreamOwnerState");function En(e){if(e.ownerMode==="tenant_shared")return Bi(e.tenantId);if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");if(!e.tenantId)throw g("oauth_state_invalid","User-owned upstream state is missing the tenant.");return mr(e.tenantId,e.ownerSubjectId)}o(En,"resolveUpstreamConnectionOwnerFromState");var yP=["active","not_connected","reconsent_required"],SP=["basic_auth_app_password","bearer_token"],Mg=c.string().trim().min(1).brand(),Pn=c.uuid().brand(),Vo=c.uuid().brand(),xn=c.enum(yP),wP=c.enum(SP),qg=c.object({encryptedClientInformation:c.string().optional(),encryptedDiscoveryState:c.string().optional(),connectedBySubjectId:Q.optional()}),Zd=qg.extend({encryptedStaticSecret:c.string().optional(),staticSecretKind:wP.optional(),staticSecretLabel:c.string().min(1).optional(),staticSecretUsername:c.string().min(1).optional()}).strict(),vP=c.object({id:Mg,tenantId:de.optional(),subjectId:Q.optional(),ownerMode:Ht,upstreamServerId:Ee,authProfileId:Pe,status:xn,encryptedAccessToken:c.string().min(1).optional(),encryptedRefreshToken:c.string().min(1).optional(),scopes:c.array(c.string()),expiresAt:V.optional(),metadata:Zd.optional(),createdAt:V,updatedAt:V});function Kd(e,t){e.ownerMode==="user"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require tenantId",path:["tenantId"]}),e.subjectId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared upstream connections require tenantId",path:["tenantId"]}),e.subjectId!==void 0&&t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared upstream connections must not include subjectId",path:["subjectId"]}))}o(Kd,"validateUpstreamConnectionOwnerShape");var Gt=vP.superRefine(Kd);function Dr(e){return JSON.stringify([e.owner.mode,e.owner.tenantId,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}o(Dr,"readUpstreamConnectionLookupKey");var Fo=kn.extend({id:Pn,callbackPath:c.string().min(1),expiresAt:V,codeVerifier:c.string().optional(),redirectUri:c.url(),returnOrigin:c.url().optional()}).extend(qg.shape);function $g(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o($g,"readUpstreamConnectionStatus");function Fi(){return Mg.parse(`mcpgw2uc_${crypto.randomUUID()}`)}o(Fi,"createUpstreamConnectionId");function Lg(){return Pn.parse(crypto.randomUUID())}o(Lg,"createOAuthStateId");function jg(){return Vo.parse(crypto.randomUUID())}o(jg,"createBrowserConnectTicketId");var Hg=c.unknown().transform(e=>pr(e,"upstream connection scopes")).pipe(c.array(c.string())),Gg=c.unknown().transform(e=>{if(e!=null)return pr(e,"upstream connection metadata")}).transform(e=>{if(!e||typeof e!="object"||Array.isArray(e))return;let t=Zd.safeParse(e);if(t.success)return Object.values(t.data).some(r=>r!==void 0)?t.data:void 0}),RP=c.object({id:c.string().min(1),tenant_id:de.nullable(),owner_mode:Ht,user_id:Q.nullable(),upstream_server_id:Ee,auth_profile_id:Pe,status:xn,encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:Hg,expires_at:se.nullable(),metadata:Gg,created_at:se,updated_at:se}).transform(e=>Gt.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes,expiresAt:e.expires_at?O(e.expires_at):void 0,metadata:e.metadata,createdAt:O(e.created_at),updatedAt:O(e.updated_at)})),bP=c.object({requested_ordinal:c.number(),id:c.string().min(1).nullable(),tenant_id:de.nullable(),owner_mode:Ht.nullable(),user_id:Q.nullable(),upstream_server_id:Ee.nullable(),auth_profile_id:Pe.nullable(),status:xn.nullable(),encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:Hg.nullable(),expires_at:se.nullable(),metadata:Gg,created_at:se.nullable(),updated_at:se.nullable()}).transform(e=>{if(e.id!==null)return Gt.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes??[],expiresAt:e.expires_at?O(e.expires_at):void 0,metadata:e.metadata,createdAt:O(e.created_at),updatedAt:O(e.updated_at)})});function IP(e){let t=[],r=e.map((n,a)=>{let i=t.length+1;return t.push(a,n.owner.mode,n.owner.tenantId,n.owner.mode==="user"?n.owner.subjectId:null,n.upstreamServerId,n.authProfileId),`($${i}::integer, $${i+1}, $${i+2}, $${i+3}, $${i+4}, $${i+5})`});return{params:t,sql:`WITH requested(
+       ON CONFLICT (tag) DO NOTHING`);let t=await e.query(`SELECT tag FROM ${Ho}`),r=new Set(t.map(n=>n.tag));for(let n of Og){if(r.has(n.tag))continue;let a=n.sql.split(/-->\s*statement-breakpoint/g).map(i=>i.trim()).filter(i=>i.length>0);for(let i of a)await e.query(i);await e.query(`INSERT INTO ${Ho} (tag) VALUES ($1)`,[n.tag])}})();try{await jo}catch(t){throw jo=void 0,t}}o(_E,"ensureGatewayMigrationsApplied");function Ug(e){let t=o(()=>_E(e),"ensureReady");return{query:o((n,a)=>(async()=>(await t(),e.query(n,a)))(),"query"),async transaction(n){return await t(),e.transaction(n)}}}o(Ug,"createMigrationGatedDatabase");Y();Y();var yE=["user","tenant_shared"],Ht=c.enum(yE);function mr(e,t){if(!e)throw g("forbidden","User-owned upstream connections require an authenticated tenant.");return{mode:"user",tenantId:e,subjectId:t}}o(mr,"buildUserUpstreamConnectionOwner");function Hi(e){if(!e)throw g("forbidden","Tenant-shared upstream connections require an authenticated tenant.");return{mode:"tenant_shared",tenantId:e}}o(Hi,"buildTenantSharedUpstreamConnectionOwner");Y();Y();function Gi(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(Gi,"parseSafeRelativeReturnTo");var zg=c.object({tenantId:ue.optional(),ownerMode:Ht,initiatedBySubjectId:X,ownerSubjectId:X.optional(),upstreamServerId:ke,authProfileId:Pe,virtualServerId:me,returnTo:c.string().min(1).transform(e=>Gi(e)).optional()});function Ng(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="user"&&!e.tenantId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires tenantId",path:["tenantId"]}),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared state requires tenantId",path:["tenantId"]}),e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared state must not include ownerSubjectId",path:["ownerSubjectId"]}))}o(Ng,"validateUpstreamOwnerState");var kn=zg.superRefine(Ng),Dg=zg.omit({returnTo:!0}).superRefine(Ng);function Go(e){return kn.parse({tenantId:e.owner.tenantId,ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(Go,"buildUpstreamOwnerState");function Pn(e){if(e.ownerMode==="tenant_shared")return Hi(e.tenantId);if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");if(!e.tenantId)throw g("oauth_state_invalid","User-owned upstream state is missing the tenant.");return mr(e.tenantId,e.ownerSubjectId)}o(Pn,"resolveUpstreamConnectionOwnerFromState");var SE=["active","not_connected","reconsent_required"],wE=["basic_auth_app_password","bearer_token"],Mg=c.string().trim().min(1).brand(),En=c.uuid().brand(),Bo=c.uuid().brand(),xn=c.enum(SE),vE=c.enum(wE),qg=c.object({encryptedClientInformation:c.string().optional(),encryptedDiscoveryState:c.string().optional(),connectedBySubjectId:X.optional()}),Zd=qg.extend({encryptedStaticSecret:c.string().optional(),staticSecretKind:vE.optional(),staticSecretLabel:c.string().min(1).optional(),staticSecretUsername:c.string().min(1).optional()}).strict(),RE=c.object({id:Mg,tenantId:ue.optional(),subjectId:X.optional(),ownerMode:Ht,upstreamServerId:ke,authProfileId:Pe,status:xn,encryptedAccessToken:c.string().min(1).optional(),encryptedRefreshToken:c.string().min(1).optional(),scopes:c.array(c.string()),expiresAt:V.optional(),metadata:Zd.optional(),createdAt:V,updatedAt:V});function Kd(e,t){e.ownerMode==="user"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require tenantId",path:["tenantId"]}),e.subjectId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared upstream connections require tenantId",path:["tenantId"]}),e.subjectId!==void 0&&t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared upstream connections must not include subjectId",path:["subjectId"]}))}o(Kd,"validateUpstreamConnectionOwnerShape");var Gt=RE.superRefine(Kd);function Dr(e){return JSON.stringify([e.owner.mode,e.owner.tenantId,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}o(Dr,"readUpstreamConnectionLookupKey");var Vo=kn.extend({id:En,callbackPath:c.string().min(1),expiresAt:V,codeVerifier:c.string().optional(),redirectUri:c.url(),returnOrigin:c.url().optional()}).extend(qg.shape);function $g(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o($g,"readUpstreamConnectionStatus");function Bi(){return Mg.parse(`mcpgw2uc_${crypto.randomUUID()}`)}o(Bi,"createUpstreamConnectionId");function Lg(){return En.parse(crypto.randomUUID())}o(Lg,"createOAuthStateId");function jg(){return Bo.parse(crypto.randomUUID())}o(jg,"createBrowserConnectTicketId");var Hg=c.unknown().transform(e=>pr(e,"upstream connection scopes")).pipe(c.array(c.string())),Gg=c.unknown().transform(e=>{if(e!=null)return pr(e,"upstream connection metadata")}).transform(e=>{if(!e||typeof e!="object"||Array.isArray(e))return;let t=Zd.safeParse(e);if(t.success)return Object.values(t.data).some(r=>r!==void 0)?t.data:void 0}),bE=c.object({id:c.string().min(1),tenant_id:ue.nullable(),owner_mode:Ht,user_id:X.nullable(),upstream_server_id:ke,auth_profile_id:Pe,status:xn,encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:Hg,expires_at:ie.nullable(),metadata:Gg,created_at:ie,updated_at:ie}).transform(e=>Gt.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes,expiresAt:e.expires_at?O(e.expires_at):void 0,metadata:e.metadata,createdAt:O(e.created_at),updatedAt:O(e.updated_at)})),CE=c.object({requested_ordinal:c.number(),id:c.string().min(1).nullable(),tenant_id:ue.nullable(),owner_mode:Ht.nullable(),user_id:X.nullable(),upstream_server_id:ke.nullable(),auth_profile_id:Pe.nullable(),status:xn.nullable(),encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:Hg.nullable(),expires_at:ie.nullable(),metadata:Gg,created_at:ie.nullable(),updated_at:ie.nullable()}).transform(e=>{if(e.id!==null)return Gt.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes??[],expiresAt:e.expires_at?O(e.expires_at):void 0,metadata:e.metadata,createdAt:O(e.created_at),updatedAt:O(e.updated_at)})});function IE(e){let t=[],r=e.map((n,a)=>{let i=t.length+1;return t.push(a,n.owner.mode,n.owner.tenantId,n.owner.mode==="user"?n.owner.subjectId:null,n.upstreamServerId,n.authProfileId),`($${i}::integer, $${i+1}, $${i+2}, $${i+3}, $${i+4}, $${i+5})`});return{params:t,sql:`WITH requested(
            requested_ordinal,
            owner_mode,
            tenant_id,
@@ -699,7 +699,7 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
           AND upstream_connections.user_id IS NOT DISTINCT FROM requested.user_id
           AND upstream_connections.upstream_server_id = requested.upstream_server_id
           AND upstream_connections.auth_profile_id = requested.auth_profile_id
-         ORDER BY requested.requested_ordinal`}}o(IP,"buildBatchGetQuery");function CP(e){if(!e)return null;let t={};for(let[r,n]of Object.entries(e))typeof n=="string"&&(t[r]=n);return Object.keys(t).length>0?JSON.stringify(t):null}o(CP,"metadataToDatabaseValue");function TP(e){if(!e)throw g("internal_server_error","Failed to persist upstream connection");return e}o(TP,"requirePersistedUpstreamConnection");var Zi=class{constructor(t){this.db=t}static{o(this,"PostgresUpstreamConnectionRepository")}async batchGet(t){if(t.length===0)return[];let r=IP(t);return c.array(bP).parse(await this.db.query(r.sql,r.params))}async upsert(t){let r=new Date,n=c.array(RP).parse(await this.db.query(`INSERT INTO upstream_connections (
+         ORDER BY requested.requested_ordinal`}}o(IE,"buildBatchGetQuery");function TE(e){if(!e)return null;let t={};for(let[r,n]of Object.entries(e))typeof n=="string"&&(t[r]=n);return Object.keys(t).length>0?JSON.stringify(t):null}o(TE,"metadataToDatabaseValue");function AE(e){if(!e)throw g("internal_server_error","Failed to persist upstream connection");return e}o(AE,"requirePersistedUpstreamConnection");var Vi=class{constructor(t){this.db=t}static{o(this,"PostgresUpstreamConnectionRepository")}async batchGet(t){if(t.length===0)return[];let r=IE(t);return c.array(CE).parse(await this.db.query(r.sql,r.params))}async upsert(t){let r=new Date,n=c.array(bE).parse(await this.db.query(`INSERT INTO upstream_connections (
            id,
            tenant_id,
            owner_mode,
@@ -753,7 +753,7 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
            expires_at,
            metadata,
            created_at,
-           updated_at`,[t.id,t.tenantId??null,t.ownerMode,t.subjectId??null,t.upstreamServerId,t.authProfileId,t.status,t.encryptedAccessToken??null,t.encryptedRefreshToken??null,JSON.stringify(t.scopes),t.expiresAt?new Date(t.expiresAt):null,CP(t.metadata),r]));return TP(n[0])}};X();var AP=60*60*24*1e3,kP=c.object({kind:c.enum(["available","consumed","missing"]),record:c.unknown().nullable()}),EP=c.object({inserted:c.preprocess(e=>{if(typeof e!="string")return e;switch(e.toLowerCase()){case"true":case"t":case"1":return!0;case"false":case"f":case"0":return!1;default:return e}},c.boolean())});function Bg(e,t){let r=e[0];if(!r)throw g("internal_server_error",`Postgres ${t} query returned no result row`);return r}o(Bg,"requireSingleRow");function PP(e){return Fo.parse(pr(e,"upstream OAuth state record"))}o(PP,"parseStoredOAuthStateRecord");var Ki=class{constructor(t){this.db=t}static{o(this,"PostgresOAuthStateStore")}async save(t){let r=new Date;await this.db.query(`INSERT INTO upstream_oauth_states (
+           updated_at`,[t.id,t.tenantId??null,t.ownerMode,t.subjectId??null,t.upstreamServerId,t.authProfileId,t.status,t.encryptedAccessToken??null,t.encryptedRefreshToken??null,JSON.stringify(t.scopes),t.expiresAt?new Date(t.expiresAt):null,TE(t.metadata),r]));return AE(n[0])}};Y();var kE=60*60*24*1e3,PE=c.object({kind:c.enum(["available","consumed","missing"]),record:c.unknown().nullable()}),EE=c.object({inserted:c.preprocess(e=>{if(typeof e!="string")return e;switch(e.toLowerCase()){case"true":case"t":case"1":return!0;case"false":case"f":case"0":return!1;default:return e}},c.boolean())});function Bg(e,t){let r=e[0];if(!r)throw g("internal_server_error",`Postgres ${t} query returned no result row`);return r}o(Bg,"requireSingleRow");function xE(e){return Vo.parse(pr(e,"upstream OAuth state record"))}o(xE,"parseStoredOAuthStateRecord");var Fi=class{constructor(t){this.db=t}static{o(this,"PostgresOAuthStateStore")}async save(t){let r=new Date;await this.db.query(`INSERT INTO upstream_oauth_states (
          id,
          record,
          expires_at,
@@ -763,7 +763,7 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
        ON CONFLICT (id) DO UPDATE
        SET record = EXCLUDED.record,
            expires_at = EXCLUDED.expires_at,
-           updated_at = EXCLUDED.updated_at`,[t.id,JSON.stringify(t),new Date(t.expiresAt),r])}async consumeForCallback(t){let r=new Date,n=new Date(r.getTime()+AP),a=Bg(c.array(kP).parse(await this.db.query(`WITH expired_state_cleanup AS (
+           updated_at = EXCLUDED.updated_at`,[t.id,JSON.stringify(t),new Date(t.expiresAt),r])}async consumeForCallback(t){let r=new Date,n=new Date(r.getTime()+kE),a=Bg(c.array(PE).parse(await this.db.query(`WITH expired_state_cleanup AS (
              DELETE FROM upstream_oauth_states
              WHERE id = $1
                AND expires_at <= $2
@@ -814,7 +814,7 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
                WHEN EXISTS (SELECT 1 FROM candidate) THEN 'consumed'
                ELSE 'missing'
              END AS kind,
-             (SELECT record FROM deleted_state LIMIT 1) AS record`,[t,r,n])),"OAuth state consume");if(a.kind==="available"){if(a.record===null)throw g("internal_server_error","Consumed OAuth state row did not include a record");return{kind:"available",record:PP(a.record)}}return{kind:a.kind}}},Wi=class{constructor(t){this.db=t}static{o(this,"PostgresBrowserConnectTicketStore")}async consume(t,r){let n=new Date;return Bg(c.array(EP).parse(await this.db.query(`WITH expired_consumption_cleanup AS (
+             (SELECT record FROM deleted_state LIMIT 1) AS record`,[t,r,n])),"OAuth state consume");if(a.kind==="available"){if(a.record===null)throw g("internal_server_error","Consumed OAuth state row did not include a record");return{kind:"available",record:xE(a.record)}}return{kind:a.kind}}},Zi=class{constructor(t){this.db=t}static{o(this,"PostgresBrowserConnectTicketStore")}async consume(t,r){let n=new Date;return Bg(c.array(EE).parse(await this.db.query(`WITH expired_consumption_cleanup AS (
              DELETE FROM browser_connect_ticket_consumptions
              WHERE id = $1
                AND expires_at <= $2
@@ -832,11 +832,11 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
              ON CONFLICT (id) DO NOTHING
              RETURNING id
            )
-           SELECT EXISTS (SELECT 1 FROM inserted_consumption) AS inserted`,[t,n,r])),"browser connect ticket consume").inserted?{kind:"available"}:{kind:"consumed"}}};var xP={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},U=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=xP[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};X();var Fg=c.object({bucketId:c.string().trim().min(1),configurationId:c.string().trim().min(1)}),Jd=c.discriminatedUnion("mode",[c.object({mode:c.literal("user"),tenantId:de,subjectId:Q}).strict(),c.object({mode:c.literal("tenant_shared"),tenantId:de}).strict()]),Zg=c.object({owner:Jd,upstreamServerId:Ee,authProfileId:Pe}).strict(),Kg=c.object({items:c.array(Zg).min(1).max(100)}).strict(),Yd=c.object({items:c.array(c.object({key:c.object({ownerMode:Ht,tenantId:de,subjectId:Q.optional(),upstreamServerId:Ee,authProfileId:Pe}).strict(),connection:Gt.strict().optional()}).strict())}).strict(),Wg=Gt.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(Kd),Jg=Gt.strict(),Yg=c.object({owner:Jd,upstreamServerId:Ee,authProfileId:Pe}).strict(),Xg=c.object({owner:Jd,upstreamServerId:Ee,authProfileId:Pe,connection:Gt.strict().optional(),connectionStatus:c.object({connected:c.boolean(),status:xn,updatedAt:Gt.shape.updatedAt.optional()}).strict()}).strict(),OP=c.enum(["none","client_secret_basic","client_secret_post"]),Mr=c.object({clientId:he,clientName:c.string().min(1),tokenEndpointAuthMethod:OP}).strict(),Xd=c.discriminatedUnion("method",[c.object({method:c.literal("none"),clientId:he}).strict(),c.object({method:c.enum(["client_secret_basic","client_secret_post"]),clientId:he,clientSecretHashInput:c.string().min(1)}).strict()]),Qd=c.object({id:je,currentStateHash:c.string().min(1),clientId:he,redirectUri:c.string().min(1),resource:c.string().min(1),virtualServerId:me,clientState:c.string().optional(),scope:c.string(),codeChallenge:c.string().min(1),codeChallengeMethod:c.literal("S256"),createdAt:V,expiresAt:V,consumedAt:V.optional()}).strict(),Vg=Qd.omit({id:!0,consumedAt:!0}).extend({transactionId:je,client:Mr.optional()}).strict(),el=c.object({tenantId:de,subjectId:Q,roles:c.array(c.string()).optional()}).strict(),UP=Qd.extend({phase:c.literal("awaiting_login")}).strict(),Wd=Qd.extend({phase:c.literal("awaiting_setup"),principal:el}).strict(),zP=c.discriminatedUnion("phase",[UP,Wd]),tl=c.object({transaction:zP,client:Mr}).strict(),Qg=qi.omit({revokedAt:!0}).strict(),e_=c.discriminatedUnion("kind",[c.object({kind:c.literal("registered"),client:Mr}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),t_=c.discriminatedUnion("phase",[Vg.extend({phase:c.literal("awaiting_login")}).strict(),Vg.extend({phase:c.literal("awaiting_setup"),principal:el}).strict()]),r_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("started")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("redirect_uri_mismatch")}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),n_=c.object({transactionId:je,currentStateHash:c.string().min(1),now:V}).strict(),o_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("available")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),a_=c.object({transactionId:je,expectedPhase:c.literal("awaiting_login"),currentStateHash:c.string().min(1),nextStateHash:c.string().min(1),nextPhase:c.literal("awaiting_setup"),principal:el,now:V}).strict(),i_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("advanced")}).strict(),c.object({kind:c.literal("wrong_phase"),current:c.enum(["awaiting_login","awaiting_setup"])}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),s_=c.discriminatedUnion("decision",[c.object({decision:c.literal("approve"),transactionId:je,currentStateHash:c.string().min(1),currentPrincipal:c.object({tenantId:de,subjectId:Q}).strict(),authorizationCodeHash:c.string().min(1),authorizationCodeExpiresAt:V,grantId:yt,now:V}).strict(),c.object({decision:c.literal("cancel"),transactionId:je,currentStateHash:c.string().min(1),currentPrincipal:c.object({tenantId:de,subjectId:Q}).strict(),now:V}).strict()]),c_=c.discriminatedUnion("kind",[c.object({kind:c.literal("approved"),transaction:Wd,client:Mr}).strict(),c.object({kind:c.literal("cancelled"),transaction:Wd,client:Mr}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed_already")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),u_=c.object({clientAuth:Xd,codeHash:c.string().min(1),redirectUri:c.string().min(1),resource:c.string().min(1).optional(),codeChallenge:c.string().min(1),currentRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),grantExpiresAt:V,accessTokenExpiresAt:V,now:V}).strict(),d_=c.discriminatedUnion("kind",[c.object({kind:c.literal("exchanged"),client:Mr,grant:Lo.strict()}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("binding_mismatch")}).strict()]),l_=c.object({clientAuth:Xd,currentRefreshTokenHash:c.string().min(1),nextRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),resource:c.string().min(1).optional(),accessTokenExpiresAt:V,now:V}).strict(),p_=c.discriminatedUnion("kind",[c.object({kind:c.literal("rotated"),client:Mr,grant:Lo.strict(),accessToken:Cn.strict(),matched:c.literal("current")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),m_=c.object({clientAuth:Xd,tokenHash:c.string().min(1),now:V}).strict(),h_=c.discriminatedUnion("kind",[c.object({kind:c.literal("revoked_access_token")}).strict(),c.object({kind:c.literal("revoked_grant")}).strict(),c.object({kind:c.literal("client_mismatch")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("invalid_client")}).strict()]),f_=c.object({tokenHash:c.string().min(1),now:V}).strict(),g_=c.discriminatedUnion("kind",[c.object({kind:c.literal("valid"),record:Cn.strict()}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),__=c.object({accessTokenHash:c.string().min(1),resource:c.string().min(1),virtualServerId:me,upstreamConnectionKeys:c.array(Zg).max(100),now:V}).strict(),y_=c.discriminatedUnion("kind",[c.object({kind:c.literal("authorized"),principal:c.object({tenantId:de,subjectId:Q,roles:c.array(c.string())}).strict(),accessToken:Cn.strict(),upstreamConnections:Yd.shape.items}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict()]),S_=c.object({record:Fo}).strict(),w_=c.object({kind:c.literal("saved")}).strict(),v_=c.object({id:Pn,now:V}).strict(),R_=c.discriminatedUnion("kind",[c.object({kind:c.literal("available"),record:Fo}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict()]),b_=c.object({id:Vo,expiresAt:V,now:V}).strict(),I_=c.discriminatedUnion("kind",[c.object({kind:c.literal("available")}).strict(),c.object({kind:c.literal("consumed")}).strict()]);var C_=100;function Y(e){return encodeURIComponent(e)}o(Y,"encodePathSegment");function T_(e){return e!==null&&typeof e=="object"}o(T_,"isProblemDetailsShape");function NP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/upstream-connections/batch-get"].join("/")}o(NP,"buildBatchGetUpstreamConnectionsPath");function DP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/upstream-connections/upsert"].join("/")}o(DP,"buildUpsertUpstreamConnectionPath");function MP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/authorization/read-setup"].join("/")}o(MP,"buildReadAuthorizationSetupPath");function qP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/oauth/register-client"].join("/")}o(qP,"buildRegisterClientPath");function $P(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/authorization/start"].join("/")}o($P,"buildStartAuthorizationPath");function LP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/authorization/read-pending"].join("/")}o(LP,"buildReadPendingAuthorizationPath");function jP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/authorization/advance-pending"].join("/")}o(jP,"buildAdvancePendingAuthorizationPath");function HP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/authorization/decide-setup"].join("/")}o(HP,"buildDecideAuthorizationSetupPath");function GP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/token/exchange-authorization-code"].join("/")}o(GP,"buildExchangeAuthorizationCodePath");function BP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/token/refresh"].join("/")}o(BP,"buildRefreshTokenPath");function VP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/token/revoke"].join("/")}o(VP,"buildRevokeOAuthTokenPath");function FP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/token/validate-access-token"].join("/")}o(FP,"buildValidateAccessTokenPath");function ZP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/mcp/authorize-and-load-connections"].join("/")}o(ZP,"buildAuthorizeAndLoadConnectionsPath");function KP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/upstream-oauth-state/save"].join("/")}o(KP,"buildSaveUpstreamOAuthStatePath");function WP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/upstream-oauth-state/consume"].join("/")}o(WP,"buildConsumeUpstreamOAuthStatePath");function JP(e){return["/zups/v2/buckets",Y(e.bucketId),"mcp/configurations",Y(e.configurationId),"storage/browser-connect-ticket/consume"].join("/")}o(JP,"buildConsumeBrowserConnectTicketPath");function YP(e,t){return e.ownerMode===t.owner.mode&&e.tenantId===t.owner.tenantId&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(YP,"responseKeyMatchesLookup");function XP(e,t){return e.owner.mode===t.owner.mode&&e.owner.tenantId===t.owner.tenantId&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(XP,"authorizationSetupMatchesLookup");function E_(e,t){return e.ownerMode===t.owner.mode&&e.tenantId===t.owner.tenantId&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(E_,"connectionMatchesLookup");function QP(e,t){return e.ownerMode===t.ownerMode&&(e.tenantId??"")===(t.tenantId??"")&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&nl(e.scopes,t.scopes)&&rl(e.expiresAt,t.expiresAt)&&tx(e.metadata,t.metadata)}o(QP,"connectionMatchesUpsertRecord");function rl(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}o(rl,"optionalTimestampInstantsMatch");function ex(e,t){return Date.parse(e)<=Date.parse(t)}o(ex,"timestampInstantIsAtOrBefore");function nl(e,t){return e.length===t.length&&e.every((r,n)=>r===t[n])}o(nl,"stringArraysMatch");function tx(e,t){let r=A_(e),n=A_(t),a=Object.fromEntries(n);return r.length===n.length&&r.every(([i,s])=>a[i]===s)}o(tx,"metadataMatches");function A_(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}o(A_,"definedMetadataEntries");function Se(e,t){throw g({code:"internal_server_error",privateDetail:e,cause:t})}o(Se,"throwInvalidStorageResponse");async function rx(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){Se("Gateway Service storage response did not match the runtime storage contract.",r)}}o(rx,"parseRuntimeHttpStorageResponse");function P_(e,t){e.length!==t.length&&Se("Gateway Service storage response item count did not match the request.");for(let[r,n]of e.entries()){let a=t[r];YP(n.key,a)||Se("Gateway Service storage response key did not match the request."),n.connection!==void 0&&!E_(n.connection,a)&&Se("Gateway Service storage response connection did not match the response key.")}}o(P_,"validateUpstreamConnectionItemsMatchLookups");function nx(e,t){XP(e,t)||Se("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!E_(e.connection,t)&&Se("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",n=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==n||!rl(e.connectionStatus.updatedAt,a))&&Se("Gateway Service storage response authorization setup status did not match the connection.")}o(nx,"validateAuthorizationSetupResponseMatchesLookup");function ox(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&Se("Gateway Service storage response registered client did not match the request.")}o(ox,"validateRegisterClientResponseMatchesRequest");function ax(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.virtualServerId!==t.virtualServerId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&Se("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.tenantId!==t.principal.tenantId||e.transaction.principal.subjectId!==t.principal.subjectId)&&Se("Gateway Service storage response started authorization principal did not match the request."))}o(ax,"validateStartAuthorizationResponseMatchesRequest");function k_(e,t){e.kind!=="available"&&e.kind!=="advanced"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&Se("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.tenantId!==t.principal.tenantId||e.transaction.principal.subjectId!==t.principal.subjectId)&&Se("Gateway Service storage response advanced authorization did not match the request."))}o(k_,"validatePendingAuthorizationResponseMatchesRequest");function ix(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.tenantId!==t.currentPrincipal.tenantId||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&Se("Gateway Service storage response authorization setup transaction did not match the request.")}o(ix,"validateAuthorizationSetupDecisionResponseMatchesRequest");function sx(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!rl(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&Se("Gateway Service storage response authorization-code exchange did not match the request.")}o(sx,"validateExchangeAuthorizationCodeResponseMatchesRequest");function cx(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&Se("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!ex(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!lx(e.accessToken,e.grant))&&Se("Gateway Service storage response token refresh access token did not match the request."))}o(cx,"validateRefreshTokenResponseMatchesRequest");function ux(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&Se("Gateway Service storage response access token did not match the request.")}o(ux,"validateAccessTokenValidationResponseMatchesRequest");function dx(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.virtualServerId!==t.virtualServerId||e.principal.tenantId!==e.accessToken.tenantId||e.principal.subjectId!==e.accessToken.subjectId||!nl(e.principal.roles,e.accessToken.roles))&&Se("Gateway Service storage response MCP authorization did not match the request."),P_(e.upstreamConnections,t.upstreamConnectionKeys))}o(dx,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function lx(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.virtualServerId===t.virtualServerId&&e.tenantId===t.tenantId&&e.subjectId===t.subjectId&&e.scope===t.scope&&nl(e.roles,t.roles)}o(lx,"accessTokenMatchesGrant");async function px(e){try{return await e.clone().json()}catch{return}}o(px,"readProblemDetails");async function mx(e){let t=await px(e),r=T_(t)&&typeof t.status=="number"?t.status:e.status,n=T_(t)&&zo(t.code)?t.code:md(r);throw g({code:n,privateDetail:`Gateway Service storage request failed with HTTP ${r}.`})}o(mx,"throwRuntimeHttpStorageError");var Ji=class{static{o(this,"RuntimeHttpStorageClient")}#r;#n;#e;constructor(t){this.#r=t.baseUrl??gp.instance.zuploEdgeApiUrl,this.#n=t.fetch??fetch,this.#e=Fg.parse(t.identity)}async#t(t){let r=t.requestSchema.parse(t.input),n=new URL(t.path,this.#r),a=new Headers({"Content-Type":"application/json"});_p(a);let i=await this.#n(n,{method:"POST",headers:a,body:JSON.stringify(r)});return i.ok||await mx(i),{request:r,response:await rx(i,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],n=new Map,a=t.map(s=>{let u=Dr(s),d=n.get(u);if(d!==void 0)return d;let l=r.length;return r.push(s),n.set(u,l),l}),i=[];for(let s=0;s<r.length;s+=C_){let u=r.slice(s,s+C_);i.push(...await this.#o(u))}return a.map(s=>i[s])}async upsertUpstreamConnection(t){let{request:r,response:n}=await this.#t({input:t,path:DP(this.#e),requestSchema:Wg,responseSchema:Jg});return QP(n,r)||Se("Gateway Service storage response connection did not match the request."),n}async readAuthorizationSetup(t){let{request:r,response:n}=await this.#t({input:t,path:MP(this.#e),requestSchema:Yg,responseSchema:Xg});return nx(n,r),n}async registerClient(t){let{request:r,response:n}=await this.#t({input:t,path:qP(this.#e),requestSchema:Qg,responseSchema:e_});return ox(n,r),n}async startAuthorization(t){let{request:r,response:n}=await this.#t({input:t,path:$P(this.#e),requestSchema:t_,responseSchema:r_});return ax(n,r),n}async readPendingAuthorization(t){let{request:r,response:n}=await this.#t({input:t,path:LP(this.#e),requestSchema:n_,responseSchema:o_});return k_(n,r),n}async advancePendingAuthorization(t){let{request:r,response:n}=await this.#t({input:t,path:jP(this.#e),requestSchema:a_,responseSchema:i_});return k_(n,r),n}async decideAuthorizationSetup(t){let{request:r,response:n}=await this.#t({input:t,path:HP(this.#e),requestSchema:s_,responseSchema:c_});return ix(n,r),n}async saveUpstreamOAuthState(t){let{response:r}=await this.#t({input:t,path:KP(this.#e),requestSchema:S_,responseSchema:w_});return r}async consumeUpstreamOAuthState(t){let{request:r,response:n}=await this.#t({input:t,path:WP(this.#e),requestSchema:v_,responseSchema:R_});return n.kind==="available"&&n.record.id!==r.id&&Se("Gateway Service storage response upstream OAuth state did not match the request."),n}async consumeBrowserConnectTicket(t){let{response:r}=await this.#t({input:t,path:JP(this.#e),requestSchema:b_,responseSchema:I_});return r}async exchangeAuthorizationCode(t){let{request:r,response:n}=await this.#t({input:t,path:GP(this.#e),requestSchema:u_,responseSchema:d_});return sx(n,r),n}async refreshToken(t){let{request:r,response:n}=await this.#t({input:t,path:BP(this.#e),requestSchema:l_,responseSchema:p_});return cx(n,r),n}async revokeOAuthToken(t){let{response:r}=await this.#t({input:t,path:VP(this.#e),requestSchema:m_,responseSchema:h_});return r}async validateAccessToken(t){let{request:r,response:n}=await this.#t({input:t,path:FP(this.#e),requestSchema:f_,responseSchema:g_});return ux(n,r),n}async authorizeAndLoadConnections(t){let{request:r,response:n}=await this.#t({input:t,path:ZP(this.#e),requestSchema:__,responseSchema:y_});return dx(n,r),n}async#o(t){let r={items:[...t]},{response:n}=await this.#t({input:r,path:NP(this.#e),requestSchema:Kg,responseSchema:Yd});return P_(n.items,t),n.items.map(a=>a.connection)}};var ol=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpUpstreamConnectionRepository")}batchGet(t){return this.client.batchGetUpstreamConnections(t)}upsert(t){return this.client.upsertUpstreamConnection(t)}},al=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpDownstreamOAuthRepository")}#r=new Map;#n=new Map;async getDcrClient(t){return this.#r.get(t)}async saveDcrClient(t){if((await this.client.registerClient(t)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");this.#r.set(t.clientId,t)}async savePendingAuthorizationTransaction(t,r){let{id:n,...a}=t,i=await this.client.startAuthorization({...a,transactionId:n,...r?.client===void 0?{}:{client:r.client}});switch(i.kind){case"started":return this.#e(i.client),{kind:"saved"};case"already_exists":return{kind:"already_exists"};case"invalid_client":throw new U("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new U("invalid_request","redirect_uri is not registered for the client.")}}async advancePendingAuthorizationTransaction(t){let r=await this.client.advancePendingAuthorization({transactionId:t.id,expectedPhase:t.expectedPhase,currentStateHash:t.currentStateHash,nextStateHash:t.nextStateHash,nextPhase:t.nextPhase,principal:t.principal,now:O(t.now)});return r.kind==="advanced"?(this.#e(r.client),{kind:"advanced",record:r.transaction}):r}async getPendingAuthorizationTransaction(t){let r=await this.client.readPendingAuthorization({transactionId:t.id,currentStateHash:t.currentStateHash,now:O(t.now)});return r.kind==="available"?(this.#e(r.client),{kind:"available",record:r.transaction}):r}async consumePendingAuthorizationTransaction(t){let r=await this.getPendingAuthorizationTransaction(t);return r.kind!=="available"?r.kind==="consumed"?{kind:"consumed_already"}:r:r.record.phase!=="awaiting_setup"?{kind:"missing"}:(this.#n.set(r.record.id,{currentStateHash:t.currentStateHash,now:t.now,transaction:r.record}),{kind:"consumed",record:r.record})}async issueAuthorizationCode(t){let r=this.#n.get(t.id);if(!r)throw g("internal_server_error","Authorization code issuance requires a pending setup decision.");let n=await this.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:r.currentStateHash,currentPrincipal:{tenantId:r.transaction.principal.tenantId,subjectId:r.transaction.principal.subjectId},authorizationCodeHash:t.codeHash,authorizationCodeExpiresAt:t.expiresAt,grantId:t.grantId,now:O(r.now)});if(this.#n.delete(t.id),n.kind!=="approved")throw g("oauth_state_invalid","Authorization setup state is invalid, expired, or already used.")}async exchangeAuthorizationCode(t){let r=await this.exchangeAuthorizationCodeWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},codeHash:t.codeHash,redirectUri:t.redirectUri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:t.codeChallenge,currentRefreshTokenHash:t.currentRefreshTokenHash,accessTokenHash:t.accessTokenHash,grantExpiresAt:t.grantExpiresAt,accessTokenExpiresAt:t.accessTokenExpiresAt,now:O(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r.kind==="exchanged"?{kind:"exchanged",grant:r.grant}:r}async saveAccessToken(t){throw g("internal_server_error","Runtime HTTP access-token save is covered by token exchange/refresh operations.")}async validateAccessToken(t){return this.client.validateAccessToken({tokenHash:t.tokenHash,now:O(t.now)})}async rotateRefreshToken(t){throw g("internal_server_error","Runtime HTTP refresh-token rotation is covered by the token refresh operation.")}async revokeOAuthToken(t){let r=await this.revokeOAuthTokenWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},tokenHash:t.tokenHash,now:O(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r}async revokeGrant(t){throw g("internal_server_error","Runtime HTTP grant revocation is not exposed as a standalone storage operation.")}decideAuthorizationSetup(t){return this.client.decideAuthorizationSetup(t)}exchangeAuthorizationCodeWithClientAuth(t){return this.client.exchangeAuthorizationCode(t)}refreshTokenWithClientAuth(t){return this.client.refreshToken(t)}revokeOAuthTokenWithClientAuth(t){return this.client.revokeOAuthToken(t)}authorizeAndLoadConnections(t){return this.client.authorizeAndLoadConnections(t)}#e(t){this.#r.has(t.clientId)||this.#r.set(t.clientId,{clientId:t.clientId,clientName:t.clientName,redirectUris:[],tokenEndpointAuthMethod:t.tokenEndpointAuthMethod,clientExpiresAt:O(new Date(864e10)),createdAt:O(new Date(0))})}},il=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpOAuthStateStore")}async save(t){await this.client.saveUpstreamOAuthState({record:t})}consumeForCallback(t){return this.client.consumeUpstreamOAuthState({id:t,now:O(new Date)})}},sl=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpBrowserConnectTicketStore")}consume(t,r){return this.client.consumeBrowserConnectTicket({id:t,expiresAt:O(r),now:O(new Date)})}};function x_(e){let t=new Ji(e);return{upstreamConnectionRepository:new ol(t),downstreamOAuthRepository:new al(t),oauthStateStore:new il(t),browserConnectTicketStore:new sl(t)}}o(x_,"createRuntimeHttpStorageBackend");var hx="__zuploMcpGatewayStorageBackend",cl;function fx(e){return{upstreamConnectionRepository:new Zi(e),downstreamOAuthRepository:new Hi(e),oauthStateStore:new Ki(e),browserConnectTicketStore:new Wi(e)}}o(fx,"createPostgresStorageBackend");function gx(){let e=Fn.ZUPLO_SERVICE_BUCKET_ID;if(!e)throw new et("ZUPLO_SERVICE_BUCKET_ID env not configured");let t=jo().MCP_GATEWAY_RUNTIME_STORAGE_CONFIGURATION_ID;if(!t)throw new et("MCP_GATEWAY_RUNTIME_STORAGE_CONFIGURATION_ID env not configured");return{bucketId:e,configurationId:t}}o(gx,"requireRuntimeHttpStorageIdentity");function _x(e){let t=xg(e),r=Ug(t);return fx(r)}o(_x,"buildPostgresStorageBackend");function yx(){let e=jo().TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING;return e?_x(e):x_({identity:gx()})}o(yx,"buildProductionStorageBackend");function q(){let e=globalThis[hx];return e||(cl||(cl=yx()),cl)}o(q,"getStorage");function ul(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(ul,"readBearerToken");function Sx(e,t,r){return Ze(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(Sx,"gatewayAuthenticationRequiredResponse");async function wx(e,t,r){let n=await q().downstreamOAuthRepository.validateAccessToken({tokenHash:await F(e),now:new Date});if(n.kind!=="valid")throw t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed"),g("authentication_required","Gateway access token is expired, revoked, or invalid.");return n.record}o(wx,"validateGatewayAccessToken");function vx(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(vx,"assertAccessTokenResource");function Rx(e,t,r){return Ze(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":An({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${ue} scope required by this MCP resource.`,scope:ue})}})}o(Rx,"insufficientScopeResponse");function bx(e){return{subjectId:e.subjectId,tenantId:e.tenantId,roles:e.roles}}o(bx,"principalFromAccessToken");function Ix(e){let t=le(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),Ze(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":An({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(Ix,"gatewayTokenRejectedResponse");async function dl(e,t){let r=Rn(t),n=Nr(r.virtualServerId,e.url),a=ul(e),i=An({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),Sx(e,t,i);try{let s=await wx(a,t,r.virtualServerId);if(vx({accessToken:s,resource:n,virtualServerId:r.virtualServerId},t),s.scope!==ue)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:s.scope,requiredScope:ue,virtualServerId:r.virtualServerId,clientId:s.clientId},"Gateway access token does not have the required MCP scope"),Rx(e,t,r.virtualServerId);let u=bx(s);return Ag(t,u),pd(t,u),e}catch(s){return Ix({request:e,context:t,error:s,virtualServerId:r.virtualServerId})}}o(dl,"gatewayTokenInbound");var Cx=2,O_=4,Tx=24,Ax=16,U_=512,kx=/(token|secret|authorization|password|cookie|credential|client[_-]?secret|code[_-]?verifier|(^|[_-])(code|state|verifier)($|[_-]))/i,Ex=/("(?:access_token|refresh_token|id_token|client_secret|authorization|password|cookie|code|state|code_verifier)"\s*:\s*")([^"]*)(")/gi,Px=/\b(access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|cookie|code|state|code[_-]?verifier)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,;&]+)/gi,xx=/\b(authorization)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|(?:Bearer|Basic)\s+[^\s,;]+|[^\s,;]+)/gi,Ox=/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi,Ux=/\bBasic\s+[A-Za-z0-9+/=-]+/gi;function z_(e){let t=e.route;return t&&typeof t=="object"?t:void 0}o(z_,"readRoute");function zx(e){let t=z_(e)?.path;return typeof t=="string"&&t.length>0?t:void 0}o(zx,"readRoutePath");function Nx(e){let t=z_(e)?.raw;if(typeof t!="function")return;let r=t();if(!r||typeof r!="object")return;let n=r.operationId;return typeof n=="string"&&n.length>0?n:void 0}o(Nx,"readRouteOperationId");function Dx(e){if(!(e===void 0||!Number.isFinite(e)||e<100))return`${Math.trunc(e/100)}xx`}o(Dx,"deriveStatusClass");function Mx(e,t){if(!(!e&&!t))return e==="user"?t==="user_oauth"?"upstream_user_attributed":"gateway_user_attributed_only":e==="tenant_shared"?"tenant_shared_upstream_identity":e==="none"?"machine_identity":"unknown"}o(Mx,"deriveOriginAttributionMode");function qx(e){if(!e)return;let t=e.toLowerCase();return t.includes("desktop")||t.includes("claude")||t.includes("chatgpt")?"desktop":t.includes("vscode")||t.includes("cursor")||t.includes("zed")||t.includes("jetbrains")||t.includes("ide")?"ide":t.includes("extension")?"extension":t.includes("agent")||t.includes("bot")||t.includes("worker")||t.includes("service")?"service":"unknown"}o(qx,"deriveClientKind");function $x(e,t){return t==="success"?"none":e===H.MCP_GATEWAY_REQUEST_RECEIVED||e===H.MCP_GATEWAY_REQUEST_REJECTED||e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"ingress":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_INITIALIZE_NEGOTIATED?"routing":e===H.MCP_GATEWAY_POLICY_DECISION?"policy":e===H.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e.startsWith("mcp_gateway_capability_")||e.startsWith("mcp_gateway_catalog_")?"upstream":e===H.MCP_GATEWAY_REQUEST_COMPLETED?"egress":"none"}o($x,"deriveFailureStage");function Lx(e,t){return t==="success"?"none":t==="application_error"?"mcp_application":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_POLICY_DECISION||e===H.MCP_GATEWAY_GUARDRAIL_DECISION||e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e===H.MCP_GATEWAY_CAPABILITY_FAILED||e===H.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED?"upstream":e===H.MCP_GATEWAY_REQUEST_REJECTED||e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"client":"gateway"}o(Lx,"deriveFailureOrigin");function jx(e,t){return t==="success"?"none":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_POLICY_DECISION?"policy":e===H.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"rate_limit":e.startsWith("mcp_gateway_upstream_")?"upstream":e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR||e===H.MCP_GATEWAY_REQUEST_REJECTED?"protocol":"none"}o(jx,"deriveReasonClass");function Hx(e){return e.length<=U_?e:`${e.slice(0,U_)}...`}o(Hx,"truncateAnalyticsString");function Gx(e){return Hx(e.replace(Ex,"$1[REDACTED]$3").replace(xx,"$1$2[REDACTED]").replace(Px,"$1$2[REDACTED]").replace(Ox,"Bearer [REDACTED]").replace(Ux,"Basic [REDACTED]"))}o(Gx,"redactAnalyticsString");function N_(e,t){if(e!==void 0){if(e===null||typeof e=="boolean")return e;if(typeof e=="string")return Gx(e);if(typeof e=="number")return Number.isFinite(e)?e:void 0;if(Array.isArray(e))return t>=O_?"[DEPTH_LIMIT]":e.slice(0,Ax).map(r=>N_(r,t+1)).filter(r=>r!==void 0);if(typeof e=="object")return e instanceof Date?e.toISOString():t>=O_?"[DEPTH_LIMIT]":D_(e,t+1)}}o(N_,"sanitizeAnalyticsValue");function D_(e,t=0){if(!e)return;let r={};for(let[n,a]of Object.entries(e).slice(0,Tx)){if(kx.test(n)){r[n]="[REDACTED]";continue}let i=N_(a,t);i!==void 0&&(r[n]=i)}return Object.keys(r).length===0?void 0:r}o(D_,"sanitizeMcpGatewayAnalyticsAttributes");function z(e){return e===void 0?null:e}o(z,"nullable");function Bx(e){let t=e.environment;return t&&typeof t=="object"&&typeof t.name=="string"?t.name:null}o(Bx,"readEnvironment");function Vx(e){let t=e.requestId;return typeof t=="string"&&t.length>0?t:null}o(Vx,"readRequestId");function Fx(e){if(e===void 0)return null;try{return JSON.stringify(e)}catch{return null}}o(Fx,"attributesToJsonString");function Zx(e,t){let r=Gd(e),n=Do(e),a=D_(t.attributes),i=Vx(e),s=t.ownerMode??t.routeBinding?.ownerMode??null,u=t.upstreamAuthMode??t.routeBinding?.authMode??null,d=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId??null,l=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId??null,p=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName??null,m=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId??null,f=t.clientKind??qx(t.clientName)??null,_=Mx(s??void 0,u??void 0)??null,S=Dx(t.httpStatusCode)??null,y=t.reasonClass??jx(t.eventType,t.outcome),w=t.failureOrigin??Lx(t.eventType,t.outcome),v=t.failureStage??$x(t.eventType,t.outcome);return{schemaVersion:Cx,outcome:t.outcome,tenantId:z(r?.tenantId),subjectId:z(r?.subjectId),environment:Bx(e),traceId:t.traceId??i,spanId:z(t.spanId),parentEventId:z(t.parentEventId),mcpSessionId:z(t.mcpSessionId),routeSurface:z(t.routeSurface),routePath:zx(e)??null,operationId:Nx(e)??null,virtualServerName:d,virtualServerTitle:z(t.virtualServerTitle),upstreamServerName:l,upstreamServerTitle:p,upstreamBindingId:z(t.upstreamBindingId),clientName:z(t.clientName),clientTitle:z(t.clientTitle),clientVersion:z(t.clientVersion),clientKind:f,authProfileId:m,upstreamAuthMode:u,ownerMode:s,authMethod:z(t.authMethod),originAttributionMode:_,httpMethod:z(t.httpMethod),httpStatusCode:z(t.httpStatusCode),statusClass:S,mcpMethod:z(t.mcpMethod),mcpProtocolVersion:z(t.mcpProtocolVersion),mcpStatus:z(t.mcpStatus),mcpErrorType:z(t.mcpErrorType),applicationError:z(t.applicationError),applicationErrorCode:z(t.applicationErrorCode),toolResultIsError:z(t.toolResultIsError),capabilityType:z(t.capabilityType),capabilityName:z(t.capabilityName),capabilityTitle:z(t.capabilityTitle),upstreamCapabilityName:z(t.upstreamCapabilityName),upstreamCapabilityTitle:z(t.upstreamCapabilityTitle),capabilitySchemaHash:z(t.capabilitySchemaHash),policyId:z(t.policyId),policyAction:z(t.policyAction),guardrailType:z(t.guardrailType),guardrailDirection:z(t.guardrailDirection),guardrailFindingCount:z(t.guardrailFindingCount),redactionCount:z(t.redactionCount),requestMutated:z(t.requestMutated),responseMutated:z(t.responseMutated),latencyMs:z(t.latencyMs),gatewayLatencyMs:z(t.gatewayLatencyMs),upstreamLatencyMs:z(t.upstreamLatencyMs),authLatencyMs:z(t.authLatencyMs),policyLatencyMs:z(t.policyLatencyMs),requestBytes:z(t.requestBytes),responseBytes:z(t.responseBytes),estimatedInputTokens:z(t.estimatedInputTokens),estimatedOutputTokens:z(t.estimatedOutputTokens),estimatedContextTokens:z(t.estimatedContextTokens),contextPressureBucket:z(t.contextPressureBucket),responseMimeTypes:z(t.responseMimeTypes),base64Suspected:z(t.base64Suspected),truncated:z(t.truncated),isLargePayloadRequest:z(t.isLargePayloadRequest),isLargePayloadResponse:z(t.isLargePayloadResponse),payloadCaptureMode:z(t.payloadCaptureMode),reasonCode:z(t.reasonCode),reasonClass:y,errorType:t.errorType??t.reasonCode??null,failureOrigin:w,failureStage:v,customMetadataJson:z(t.customMetadataJson),attributesJson:Fx(a)}}o(Zx,"buildMcpGatewayAnalyticsMetadata");function We(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,Zx(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_gateway_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(We,"emitMcpGatewayAnalyticsEvent");function Je(e){let t=ct().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(Je,"getUpstreamServerConfig");function Kx(e){let t=ct().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(Kx,"resolveUpstreamAuthProfileId");function hr(e){Kx(e);let t=ct().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(hr,"getUpstreamAuthConfig");function qr(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(!Bf(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(qr,"requireUpstreamOAuthConfig");var Wx={tenant_shared_oauth:{authMode:"tenant_shared_oauth",ownerMode:"tenant_shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},user_oauth:{authMode:"user_oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},static_secret:{authMode:"static_secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured_static_secret"},tenant_static_secret:{authMode:"tenant_static_secret",ownerMode:"tenant_shared",connectSupport:"none",connectUnsupportedDetail:"Tenant static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"tenant_static_secret_connection"},user_static_secret:{authMode:"user_static_secret",ownerMode:"user",connectSupport:"user_static_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_static_secret_connection"}};function kt(e){return Wx[e]}o(kt,"describeUpstreamAuthMode");function Yi(e){return kt(e).ownerMode}o(Yi,"resolveOwnerModeForUpstreamAuthMode");X();import{errors as G_,jwtVerify as B_,SignJWT as V_}from"jose";import{base64url as Jx}from"jose";var Yx=new TextEncoder,ll=32;function M_(e,t={}){let r=[Xx(e),Yx.encode(e)],n;for(let a of r)if(a){if(a.byteLength>=ll){n=a;break}(n===void 0||a.byteLength>n.byteLength)&&(n=a)}if(n===void 0||n.byteLength<ll){let a=t.name??"secret key material",i=n?.byteLength??0;throw new Error(`${a} must decode to at least ${ll} bytes (got ${i}). Generate a high-entropy value with for example: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='.`)}return n}o(M_,"decodeConfiguredSecretKeyMaterial");function Xx(e){try{return Jx.decode(e)}catch{return}}o(Xx,"tryDecodeBase64Url");var q_=new Map,$_=new Map;function Qx(e){let t=q_.get(e);return t||(t=M_(jo()[e],{name:e}),q_.set(e,t)),t}o(Qx,"getMasterKeyMaterial");async function Et(e){let t=$_.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(Qx(e.envVar));return $_.set(e.purpose,r),r}o(Et,"readCachedDerivedKey");var eO="SHA-256";var tO="zuplo-mcp-gateway:",rO=new TextEncoder,L_=new WeakMap;async function fr(e,t){let r=L_.get(e);r||(r=new Map,L_.set(e,r));let n=r.get(t);if(n)return n;let a=await nO(e,t);return r.set(t,a),a}o(fr,"deriveGatewaySigningKey");async function nO(e,t){let r=j_(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=rO.encode(`${tO}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:eO,salt:new Uint8Array,info:j_(a)},n,32*8);return new Uint8Array(i)}o(nO,"hkdfExpand");function j_(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(j_,"copyToArrayBuffer");var Xi="HS256",F_=15*60,oO=15*60,Qi="zuplo-mcp-gateway",es="zuplo-mcp-gateway",aO=Dg.extend({id:Pn}),iO=aO.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),Z_=kn.extend({id:Vo,purpose:c.literal("browser_connect")}),sO=kn.extend({purpose:c.literal("browser_connect")}),cO=Z_.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),K_=F_*1e3;async function W_(){return Et({purpose:"oauth-state",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"oauth-state"),"derive")})}o(W_,"getOAuthStateKey");async function J_(){return Et({purpose:"browser-connect",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-connect"),"derive")})}o(J_,"getBrowserConnectKey");async function Y_(e){let t=Math.floor(Date.now()/1e3)+F_;return new V_(e).setProtectedHeader({alg:Xi,typ:"JWT"}).setIssuer(Qi).setAudience(es).setIssuedAt().setExpirationTime(t).sign(await W_())}o(Y_,"signOAuthState");async function ts(e){try{let{payload:t}=await B_(e,await W_(),{algorithms:[Xi],issuer:Qi,audience:es});return iO.parse(t)}catch(t){throw t instanceof G_.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(ts,"verifyOAuthState");async function X_(e){let t=Math.floor(Date.now()/1e3)+oO,r=sO.parse(e),n=Z_.parse({...r,id:jg()});return new V_(n).setProtectedHeader({alg:Xi,typ:"JWT"}).setIssuer(Qi).setAudience(es).setIssuedAt().setExpirationTime(t).sign(await J_())}o(X_,"signBrowserConnectTicket");async function rs(e){try{let{payload:t}=await B_(e,await J_(),{algorithms:[Xi],issuer:Qi,audience:es});return cO.parse(t)}catch(t){throw t instanceof G_.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o(rs,"verifyBrowserConnectTicket");async function ns(e){if((await q().browserConnectTicketStore.consume(e.id,new Date(e.exp*1e3))).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o(ns,"consumeBrowserConnectTicket");function uO(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(uO,"buildConnectRequiredMessage");async function Q_(e){let t=ne(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await X_({...Bo(e),purpose:"browser_connect"})),r.toString()}o(Q_,"buildGatewayBrowserTicketUrl");function dO(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(dO,"buildGatewayConnectPath");async function pl(e){return Q_({...e,path:dO(e.upstreamServerId),redirect:!0})}o(pl,"buildGatewayConnectUrl");async function ey(e){return Q_({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(ey,"buildGatewayAppPasswordCaptureUrl");async function On(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await pl(t),message:uO(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(On,"buildRedirectConnectRequiredResponse");function ty(e){return ry({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(ty,"buildAdminConnectRequiredResponse");function ry(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(ry,"buildAdminSetupRequiredResponse");function ny(e){return ry({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(ny,"buildAdminStaticSecretRequiredResponse");X();import{base64url as gr}from"jose";var lO="SHA-256",zn="AES-GCM",pO=12,hl="zuplo-secret",fl=1,oy="env:TOKEN_ENCRYPTION_KEY",mO=c.object({version:c.literal(fl),keyId:c.literal(oy),algorithm:c.literal(zn),iv:c.string().min(1),ciphertext:c.string().min(1)}).strict();function Un(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Un,"copyToArrayBuffer");async function ml(){return Et({purpose:"token-encryption",envVar:"TOKEN_ENCRYPTION_KEY",derive:o(async e=>{let t=await crypto.subtle.digest(lO,Un(e));return crypto.subtle.importKey("raw",t,{name:zn},!1,["encrypt","decrypt"])},"derive")})}o(ml,"getEncryptionKey");function ay(e){return Un(new TextEncoder().encode(`${hl}:v${e.version}:${e.keyId}`))}o(ay,"getAssociatedData");function hO(e){return`${hl}:v${e.version}:${gr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(hO,"encodeEnvelope");function fO(e){let t=`${hl}:v${fl}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(gr.decode(r));return mO.parse(JSON.parse(n))}o(fO,"decodeEnvelope");async function $r(e){let t=await ml(),r=crypto.getRandomValues(new Uint8Array(pO)),n={version:fl,keyId:oy},a=await crypto.subtle.encrypt({name:zn,iv:r,additionalData:ay(n)},t,new TextEncoder().encode(e));return hO({...n,algorithm:zn,iv:gr.encode(r),ciphertext:gr.encode(new Uint8Array(a))})}o($r,"encryptSecret");async function Bt(e){let t=fO(e);if(t){let s=await ml(),u=await crypto.subtle.decrypt({name:zn,iv:Un(gr.decode(t.iv)),additionalData:ay(t)},s,Un(gr.decode(t.ciphertext)));return new TextDecoder().decode(u)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await ml(),i=await crypto.subtle.decrypt({name:zn,iv:Un(gr.decode(r))},a,Un(gr.decode(n)));return new TextDecoder().decode(i)}o(Bt,"decryptSecret");function gO(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(r.mode!=="tenant_static_secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(gO,"requireTenantStaticSecretConfig");function iy(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(iy,"hasUsableTenantStaticSecret");async function _O(e){if(!iy(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await Bt(e.connection.metadata.encryptedStaticSecret)}}o(_O,"resolveTenantStaticSecretCredential");async function sy(e){let t=Je(e.upstreamServerId);gO(e.upstreamServerId,e.authProfileId);let r="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(iy(r))return{kind:"authorized",credential:await _O({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:ny(n)}}o(sy,"resolveTenantStaticSecretCredentialForRequest");X();async function gl(e){return q().upstreamConnectionRepository.upsert({id:Fi(),tenantId:e.owner.tenantId,ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(gl,"upsertStaticSecretConnection");var yO=c.string().trim().min(1).max(320),SO=c.string().min(1).max(4096),wO=c.string().trim().min(1).max(4096);function _l(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(r.mode!=="user_static_secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(_l,"requireUserStaticSecretConfig");function vO(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(vO,"encodeBase64Utf8");function RO(e){return`Basic ${vO(`${e.username}:${e.appPassword}`)}`}o(RO,"buildBasicAuthHeader");function cy(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(cy,"hasEncryptedUserStaticSecret");async function bO(e){if(!cy(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await Bt(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:RO({username:e.connection.metadata.staticSecretUsername,appPassword:await Bt(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(bO,"resolveUserStaticSecretCredential");async function uy(e){if(_l(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=yO.parse(e.username),n=SO.parse(e.appPassword);return gl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await $r(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(uy,"saveUserStaticSecretCredential");async function os(e){let t=_l(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=wO.parse(e.token);return gl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await $r(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(os,"saveUserStaticBearerTokenCredential");function yl(e,t){return _l(e,t)}o(yl,"readUserStaticSecretCaptureConfig");async function dy(e){let t=Je(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(cy(r))return{kind:"authorized",credential:await bO({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await On(n)}}o(dy,"resolveUserStaticSecretCredentialForRequest");function ly(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return ey({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(ly,"buildUserStaticSecretConnectUrl");var Sl;Sl=globalThis.crypto;async function IO(e){return(await Sl).getRandomValues(new Uint8Array(e))}o(IO,"getRandomValues");async function CO(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await IO(e-n.length);for(let i of a)i<r&&(n+=t[i%t.length])}return n}o(CO,"random");async function TO(e){return await CO(e)}o(TO,"generateVerifier");async function AO(e){let t=await(await Sl).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(AO,"generateChallenge");async function wl(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await TO(e),r=await AO(t);return{code_verifier:t,code_challenge:r}}o(wl,"pkceChallenge");X();var Oe=vp().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Cp.custom,message:"URL must be parseable",fatal:!0}),Sp}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),as=we({resource:h().url(),authorization_servers:b(Oe).optional(),jwks_uri:h().url().optional(),scopes_supported:b(h()).optional(),bearer_methods_supported:b(h()).optional(),resource_signing_alg_values_supported:b(h()).optional(),resource_name:h().optional(),resource_documentation:h().optional(),resource_policy_uri:h().url().optional(),resource_tos_uri:h().url().optional(),tls_client_certificate_bound_access_tokens:te().optional(),authorization_details_types_supported:b(h()).optional(),dpop_signing_alg_values_supported:b(h()).optional(),dpop_bound_access_tokens_required:te().optional()}),Zo=we({issuer:h(),authorization_endpoint:Oe,token_endpoint:Oe,registration_endpoint:Oe.optional(),scopes_supported:b(h()).optional(),response_types_supported:b(h()),response_modes_supported:b(h()).optional(),grant_types_supported:b(h()).optional(),token_endpoint_auth_methods_supported:b(h()).optional(),token_endpoint_auth_signing_alg_values_supported:b(h()).optional(),service_documentation:Oe.optional(),revocation_endpoint:Oe.optional(),revocation_endpoint_auth_methods_supported:b(h()).optional(),revocation_endpoint_auth_signing_alg_values_supported:b(h()).optional(),introspection_endpoint:h().optional(),introspection_endpoint_auth_methods_supported:b(h()).optional(),introspection_endpoint_auth_signing_alg_values_supported:b(h()).optional(),code_challenge_methods_supported:b(h()).optional(),client_id_metadata_document_supported:te().optional()}),kO=we({issuer:h(),authorization_endpoint:Oe,token_endpoint:Oe,userinfo_endpoint:Oe.optional(),jwks_uri:Oe,registration_endpoint:Oe.optional(),scopes_supported:b(h()).optional(),response_types_supported:b(h()),response_modes_supported:b(h()).optional(),grant_types_supported:b(h()).optional(),acr_values_supported:b(h()).optional(),subject_types_supported:b(h()),id_token_signing_alg_values_supported:b(h()),id_token_encryption_alg_values_supported:b(h()).optional(),id_token_encryption_enc_values_supported:b(h()).optional(),userinfo_signing_alg_values_supported:b(h()).optional(),userinfo_encryption_alg_values_supported:b(h()).optional(),userinfo_encryption_enc_values_supported:b(h()).optional(),request_object_signing_alg_values_supported:b(h()).optional(),request_object_encryption_alg_values_supported:b(h()).optional(),request_object_encryption_enc_values_supported:b(h()).optional(),token_endpoint_auth_methods_supported:b(h()).optional(),token_endpoint_auth_signing_alg_values_supported:b(h()).optional(),display_values_supported:b(h()).optional(),claim_types_supported:b(h()).optional(),claims_supported:b(h()).optional(),service_documentation:h().optional(),claims_locales_supported:b(h()).optional(),ui_locales_supported:b(h()).optional(),claims_parameter_supported:te().optional(),request_parameter_supported:te().optional(),request_uri_parameter_supported:te().optional(),require_request_uri_registration:te().optional(),op_policy_uri:Oe.optional(),op_tos_uri:Oe.optional(),client_id_metadata_document_supported:te().optional()}),is=I({...kO.shape,...Zo.pick({code_challenge_methods_supported:!0}).shape}),Ko=I({access_token:h(),id_token:h().optional(),token_type:h(),expires_in:Tp.number().optional(),scope:h().optional(),refresh_token:h().optional()}).strip(),my=I({error:h(),error_description:h().optional(),error_uri:h().optional()}),py=Oe.optional().or(E("").transform(()=>{})),EO=I({redirect_uris:b(Oe),token_endpoint_auth_method:h().optional(),grant_types:b(h()).optional(),response_types:b(h()).optional(),client_name:h().optional(),client_uri:Oe.optional(),logo_uri:py,scope:h().optional(),contacts:b(h()).optional(),tos_uri:py,policy_uri:h().optional(),jwks_uri:Oe.optional(),jwks:bp().optional(),software_id:h().optional(),software_version:h().optional(),software_statement:h().optional()}).strip(),vl=I({client_id:h(),client_secret:h().optional(),client_id_issued_at:K().optional(),client_secret_expires_at:K().optional()}).strip(),Wo=EO.merge(vl),U4=I({error:h(),error_description:h().optional()}).strip(),z4=I({token:h(),token_type_hint:h().optional()}).strip();function hy(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(hy,"resourceUrlFromServerUrl");function fy({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(i)}o(fy,"checkResourceAllowed");var _e=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Jo=class extends _e{static{o(this,"InvalidRequestError")}};Jo.errorCode="invalid_request";var Lr=class extends _e{static{o(this,"InvalidClientError")}};Lr.errorCode="invalid_client";var jr=class extends _e{static{o(this,"InvalidGrantError")}};jr.errorCode="invalid_grant";var Hr=class extends _e{static{o(this,"UnauthorizedClientError")}};Hr.errorCode="unauthorized_client";var Yo=class extends _e{static{o(this,"UnsupportedGrantTypeError")}};Yo.errorCode="unsupported_grant_type";var Xo=class extends _e{static{o(this,"InvalidScopeError")}};Xo.errorCode="invalid_scope";var Qo=class extends _e{static{o(this,"AccessDeniedError")}};Qo.errorCode="access_denied";var Vt=class extends _e{static{o(this,"ServerError")}};Vt.errorCode="server_error";var ea=class extends _e{static{o(this,"TemporarilyUnavailableError")}};ea.errorCode="temporarily_unavailable";var ta=class extends _e{static{o(this,"UnsupportedResponseTypeError")}};ta.errorCode="unsupported_response_type";var ra=class extends _e{static{o(this,"UnsupportedTokenTypeError")}};ra.errorCode="unsupported_token_type";var na=class extends _e{static{o(this,"InvalidTokenError")}};na.errorCode="invalid_token";var oa=class extends _e{static{o(this,"MethodNotAllowedError")}};oa.errorCode="method_not_allowed";var aa=class extends _e{static{o(this,"TooManyRequestsError")}};aa.errorCode="too_many_requests";var Gr=class extends _e{static{o(this,"InvalidClientMetadataError")}};Gr.errorCode="invalid_client_metadata";var ia=class extends _e{static{o(this,"InsufficientScopeError")}};ia.errorCode="insufficient_scope";var sa=class extends _e{static{o(this,"InvalidTargetError")}};sa.errorCode="invalid_target";var gy={[Jo.errorCode]:Jo,[Lr.errorCode]:Lr,[jr.errorCode]:jr,[Hr.errorCode]:Hr,[Yo.errorCode]:Yo,[Xo.errorCode]:Xo,[Qo.errorCode]:Qo,[Vt.errorCode]:Vt,[ea.errorCode]:ea,[ta.errorCode]:ta,[ra.errorCode]:ra,[na.errorCode]:na,[oa.errorCode]:oa,[aa.errorCode]:aa,[Gr.errorCode]:Gr,[ia.errorCode]:ia,[sa.errorCode]:sa};var Ft=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function PO(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(PO,"isClientAuthMethod");var Rl="code",bl="S256";function xO(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&PO(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(xO,"selectClientAuthMethod");function OO(e,t,r,n){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":UO(a,i,r);return;case"client_secret_post":zO(a,i,n);return;case"none":NO(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(OO,"applyClientAuthentication");function UO(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(UO,"applyBasicAuth");function zO(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(zO,"applyPostAuth");function NO(e,t){t.set("client_id",e)}o(NO,"applyPublicAuth");async function yy(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=my.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=n,u=gy[a]||Vt;return new u(i||"",s)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new Vt(a)}}o(yy,"parseErrorResponse");async function _r(e,t){try{return await Il(e,t)}catch(r){if(r instanceof Lr||r instanceof Hr)return await e.invalidateCredentials?.("all"),await Il(e,t);if(r instanceof jr)return await e.invalidateCredentials?.("tokens"),await Il(e,t);throw r}}o(_r,"auth");async function Il(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),u,d,l,p=a;if(!p&&s?.resourceMetadataUrl&&(p=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(d=s.authorizationServerUrl,u=s.resourceMetadata,l=s.authorizationServerMetadata??await wy(d,{fetchFn:i}),!u)try{u=await Sy(t,{resourceMetadataUrl:p},i)}catch{}(l!==s.authorizationServerMetadata||u!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:p?.toString(),resourceMetadata:u,authorizationServerMetadata:l})}else{let C=await jO(t,{resourceMetadataUrl:p,fetchFn:i});d=C.authorizationServerUrl,l=C.authorizationServerMetadata,u=C.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:p?.toString(),resourceMetadata:u,authorizationServerMetadata:l})}let m=await DO(t,e,u),f=n||u?.scopes_supported?.join(" ")||e.clientMetadata.scope,_=await Promise.resolve(e.clientInformation());if(!_){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let C=l?.client_id_metadata_document_supported===!0,N=e.clientMetadataUrl;if(N&&!Tl(N))throw new Gr(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${N}`);if(C&&N)_={client_id:N},await e.saveClientInformation?.(_);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Ye=await FO(d,{metadata:l,clientMetadata:e.clientMetadata,scope:f,fetchFn:i});await e.saveClientInformation(Ye),_=Ye}}let S=!e.redirectUrl;if(r!==void 0||S){let C=await VO(e,d,{metadata:l,resource:m,authorizationCode:r,fetchFn:i});return await e.saveTokens(C),"AUTHORIZED"}let y=await e.tokens();if(y?.refresh_token)try{let C=await BO(d,{metadata:l,clientInformation:_,refreshToken:y.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(C),"AUTHORIZED"}catch(C){if(!(!(C instanceof _e)||C instanceof Vt))throw C}let w=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:R}=await HO(d,{metadata:l,clientInformation:_,state:w,redirectUrl:e.redirectUrl,scope:f,resource:m});return await e.saveCodeVerifier(R),await e.redirectToAuthorization(v),"REDIRECT"}o(Il,"authInternal");function Tl(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(Tl,"isHttpsUrl");async function DO(e,t,r){let n=hy(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!fy({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o(DO,"selectResourceURL");function Al(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=Cl(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=Cl(e,"scope")||void 0,u=Cl(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:u}}o(Al,"extractWWWAuthenticateParams");function Cl(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(Cl,"extractFieldFromWwwAuth");async function Sy(e,t,r=fetch){let n=await $O(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return as.parse(await n.json())}o(Sy,"discoverOAuthProtectedResourceMetadata");async function kl(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?kl(e,void 0,r):void 0;throw n}}o(kl,"fetchWithCorsRetry");function MO(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(MO,"buildWellKnownPath");async function _y(e,t,r=fetch){return await kl(e,{"MCP-Protocol-Version":t},r)}o(_y,"tryMetadataDiscovery");function qO(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(qO,"shouldAttemptFallback");async function $O(e,t,r,n){let a=new URL(e),i=n?.protocolVersion??Xt,s;if(n?.metadataUrl)s=new URL(n.metadataUrl);else{let d=MO(t,a.pathname);s=new URL(d,n?.metadataServerUrl??a),s.search=a.search}let u=await _y(s,i,r);if(!n?.metadataUrl&&qO(u,a.pathname)){let d=new URL(`/.well-known/${t}`,a);u=await _y(d,i,r)}return u}o($O,"discoverMetadataWithFallback");function LO(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(LO,"buildDiscoveryUrls");async function wy(e,{fetchFn:t=fetch,protocolVersion:r=Xt}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=LO(e);for(let{url:i,type:s}of a){let u=await kl(i,n,t);if(u){if(!u.ok){if(await u.body?.cancel(),u.status>=400&&u.status<500)continue;throw new Error(`HTTP ${u.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Zo.parse(await u.json()):is.parse(await u.json())}}}o(wy,"discoverAuthorizationServerMetadata");async function jO(e,t){let r,n;try{r=await Sy(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await wy(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(jO,"discoverOAuthServerInfo");async function HO(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:i,resource:s}){let u;if(t){if(u=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Rl))throw new Error(`Incompatible auth server: does not support response type ${Rl}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(bl))throw new Error(`Incompatible auth server: does not support code challenge method ${bl}`)}else u=new URL("/authorize",e);let d=await wl(),l=d.code_verifier,p=d.code_challenge;return u.searchParams.set("response_type",Rl),u.searchParams.set("client_id",r.client_id),u.searchParams.set("code_challenge",p),u.searchParams.set("code_challenge_method",bl),u.searchParams.set("redirect_uri",String(n)),i&&u.searchParams.set("state",i),a&&u.searchParams.set("scope",a),a?.includes("offline_access")&&u.searchParams.append("prompt","consent"),s&&u.searchParams.set("resource",s.href),{authorizationUrl:u,codeVerifier:l}}o(HO,"startAuthorization");function GO(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(GO,"prepareAuthorizationCodeRequest");async function vy(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:i,fetchFn:s}){let u=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(d,r,u,t);else if(n){let p=t?.token_endpoint_auth_methods_supported??[],m=xO(n,p);OO(m,n,d,r)}let l=await(s??fetch)(u,{method:"POST",headers:d,body:r});if(!l.ok)throw await yy(l);return Ko.parse(await l.json())}o(vy,"executeTokenRequest");async function BO(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:i,fetchFn:s}){let u=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await vy(e,{metadata:t,tokenRequestParams:u,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:n,...d}}o(BO,"refreshAuthorization");async function VO(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,u;if(e.prepareTokenRequest&&(u=await e.prepareTokenRequest(s)),!u){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let l=await e.codeVerifier();u=GO(a,l,e.redirectUrl)}let d=await e.clientInformation();return vy(t,{metadata:r,tokenRequestParams:u,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:i})}o(VO,"fetchToken");async function FO(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!s.ok)throw await yy(s);return Wo.parse(await s.json())}o(FO,"registerClient");var ZO=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),KO=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function Ry(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(Ry,"parseIpv4Octets");function WO([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(WO,"ipv4RangeMatches");function by(e){let t=Ry(e);return t!==void 0&&KO.some(r=>WO(t,r))}o(by,"isPrivateIpv4");function El(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(El,"parseIpv6Word");function JO(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(JO,"formatIpv4FromWords");function YO(e){let t=e.slice(7),r=Ry(t);if(r!==void 0)return r.join(".");let[n,a,i]=t.split(":"),s=El(n),u=El(a);return i===void 0&&s!==void 0&&u!==void 0?JO(s,u):void 0}o(YO,"parseIpv6MappedIpv4");function XO(e){return El(e.split(":").find(Boolean))}o(XO,"readFirstIpv6Hextet");function QO(e){let t=ut(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=YO(t);return n===void 0||by(n)}let r=XO(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(QO,"isPrivateIpv6");function Pl(e){let t=ut(e);return ZO.has(t)||t.endsWith(".internal")||by(t)||QO(t)}o(Pl,"isBlockedOutboundHostname");function Iy(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);let r=Le(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=ut(t.hostname);if(!r&&Pl(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(Iy,"validateConfiguredOutboundUrl");function Cy(e){let t=new URL(e);if(t.protocol!=="https:")throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");let r=ut(t.hostname);if(Pl(r))throw g("invalid_request",`Blocked identity provider host: ${r}`);return t}o(Cy,"validateIdentityProviderUrl");function ss(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(Pl(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(ss,"validateCimdClientMetadataUrl");function Ty(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(Ty,"mergeAbortSignals");async function eU(e){try{await e.cancel()}catch{}}o(eU,"cancelReader");async function cs(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,i=await r.read();for(;!i.done;){let d=i.value;if(a+=d.byteLength,a>t.maxBytes)throw await eU(r),t.createLimitError();n.push(d),i=await r.read()}let s=new Uint8Array(a),u=0;for(let d of n)s.set(d,u),u+=d.byteLength;return s}o(cs,"readBoundedByteStream");var tU=2,rU=1024*1024,nU=1e4,oU=new Set([301,302,303,307,308]),aU=["authorization","proxy-authorization","cookie","cookie2"];function xl(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(xl,"readRequestUrl");function Nn(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(Nn,"readRequestMethod");function iU(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(iU,"assertContentLengthWithinLimit");async function sU(e,t,r){return iU(e,t,r),cs(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o(sU,"readBoundedResponseBody");function cU(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(cU,"responseFromBufferedBody");function uU(e,t){if(!oU.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(uU,"resolveRedirectUrl");function Ay(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(Ay,"validateOutboundUrl");function dU(e,t){throw le(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(dU,"normalizeFetchError");function ca(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&ke(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(ca,"logOutboundFailure");async function lU(e,t,r,n,a,i,s){let u=Nn(r,n);try{return await t(r,n)}catch(d){let l=d instanceof DOMException&&d.name==="AbortError";ca(e,{event:l?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:u,host:st(i),error:d,extra:{abortReason:s()}}),dU(d,a)}}o(lU,"fetchWithNormalizedError");function pU(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(pU,"assertRedirectAllowed");function mU(e,t){let r=new Headers(e);for(let n of aU)r.delete(n);for(let n of t)r.delete(n);return r}o(mU,"stripCrossOriginHeaders");function hU(e,t,r,n,a){let i={...e,method:t,redirect:"manual",signal:r};return n&&(i.headers=mU(e.headers,a)),i}o(hU,"buildRedirectInit");function fU(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(fU,"buildInitialRequestInit");function gU(e){let t=Nn(e.currentInput,e.currentInit);pU({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=Ay(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,i=r.toString();return{currentInput:i,currentUrl:i,currentInit:hU(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(gU,"followRedirect");async function Ol(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??tU,i=r.maxResponseBytes??rU,s=r.timeoutMs??nU,u=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],l=r.context,p=new AbortController,m=Ty(p,t.signal),f=!1,_=setTimeout(()=>{f=!0,p.abort()},s),S=e,y=fU(e,t,p.signal),w;try{w=Ay(xl(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(R){throw ca(l,{event:"outbound_url_blocked",problemCode:n,method:Nn(e,t),host:st(xl(e)),error:R}),clearTimeout(_),m?.(),R}let v=0;try{for(;;){let R=await lU(l,u,S,y,n,w,()=>f?`timeout_after_${s}ms`:void 0),C=uU(R,w);if(C!==void 0)try{let N=gU({currentInput:S,currentInit:y,currentUrl:w,redirectUrl:C,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:p.signal,additionalCrossOriginStrippedHeaders:d});S=N.currentInput,y=N.currentInit,w=N.currentUrl,v=N.redirects;continue}catch(N){throw ca(l,{event:"outbound_redirect_blocked",problemCode:n,method:Nn(S,y),host:st(w),error:N,extra:{redirects:v,maxRedirects:a,redirectTargetHost:st(C)}}),N}try{return cU(R,await sU(R,i,n))}catch(N){throw ca(l,{event:"outbound_response_size_exceeded",problemCode:n,method:Nn(S,y),host:st(w),error:N,extra:{maxResponseBytes:i,status:R.status}}),N}}}finally{clearTimeout(_),m?.()}}o(Ol,"runSafeOutboundExchange");async function Ul(e,t,r){let n=await Ol(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw ca(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Nn(e,t),host:st(xl(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(Ul,"runSafeOutboundJsonExchange");function us(e,t={},r={}){return Ol(e,t,{...r,validateUrl:Iy})}o(us,"fetchConfiguredOutbound");function ky(e,t={},r={}){return Ul(e,t,{...r,validateUrl:Cy})}o(ky,"fetchIdentityProviderJson");function Ey(e,t={},r={}){return Ul(e,t,{...r,validateUrl:ss})}o(Ey,"fetchCimdClientMetadataJson");X();function zl(e){return`Zuplo MCP Gateway - ${e}`}o(zl,"buildGatewayOAuthClientName");function Py(e,t){let r=new URL(e,ne(t));return Le(r)&&ut(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(Py,"buildGatewayOAuthRedirectUri");function Nl(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(Nl,"buildOAuthClientMetadataDocumentUrl");function xy(e){return ne(e)}o(xy,"requireOAuthClientMetadataOrigin");function Oy(e,t,r){let n=Je(t),a=qr(t,r);return{client_id:Nl({origin:e,upstreamServerId:t,authProfileId:r}),client_name:zl(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(Oy,"buildOAuthClientMetadataDocument");var _U=c.union([Wo,vl]),yU=c.object({authorizationServerUrl:c.url(),resourceMetadataUrl:c.url().optional(),resourceMetadata:as.optional(),authorizationServerMetadata:c.union([Zo,is]).optional()}).passthrough(),SU="Bearer";function wU(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(wU,"splitScopes");function vU(e){return Ni.parse(e)}o(vU,"parsePkceCodeVerifier");function RU(e){if(typeof e.expires_in=="number")return O(new Date(Date.now()+e.expires_in*1e3))}o(RU,"readTokenExpiry");async function Uy(e){if(e!==void 0)return $r(JSON.stringify(e))}o(Uy,"encryptJson");async function zy(e,t){if(!e)return;let r=await Bt(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(zy,"decryptJson");function bU(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(bU,"toOAuthDiscoveryState");function IU(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(IU,"clientInformationAllowsRedirectUri");function CU(e,t,r){let n=Je(e),a=qr(e,t),i;return a.scopes.length>0&&(i=a.scopes.join(a.scopeDelimiter)),{client_name:zl(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}o(CU,"buildOAuthClientMetadata");function TU(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return Wo.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(TU,"buildManualOAuthClientInformation");function AU(e,t,r){let n=Nl({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return Tl(n)?n:void 0}o(AU,"buildClientMetadataUrl");function Ny(e){for(let t of e)if(t!==void 0)return t}o(Ny,"firstDefined");function kU(e){let t=qr(e.target.upstreamServerId,e.target.authProfileId),r=CU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:TU({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=AU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(kU,"buildInitialOAuthClientSetup");function EU(e,t){if(t===void 0)return Ny([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(EU,"readEncryptedClientInformation");function PU(e){return Ny([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(PU,"readEncryptedDiscoveryState");var Br=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=kU({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=EU(t,this.configuredClientInformation),this.encryptedDiscoveryState=PU(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return Y_({id:t.id,...Bo({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await Uy(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await Uy(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Ko.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??Fi(),tenantId:this.target.owner.tenantId,ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await $r(r.access_token),encryptedRefreshToken:r.refresh_token?await $r(r.refresh_token):void 0,scopes:wU(r.scope??this.clientMetadataValue.scope),expiresAt:RU(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await q().upstreamConnectionRepository.upsert(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:vU(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Lg(),...Bo({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:O(new Date(Date.now()+K_)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await q().oauthStateStore.save(t),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await zy(this.encryptedClientInformation,_U)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!IU(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=bU(await zy(this.encryptedDiscoveryState,yU))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=Ko.parse({access_token:await Bt(this.connection.encryptedAccessToken),token_type:SU,refresh_token:this.connection.encryptedRefreshToken?await Bt(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,tenantId:this.connection.tenantId,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await q().upstreamConnectionRepository.upsert(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var xU=1e4,OU=256*1024,UU=2;function zU(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(zU,"hasUsableAccessToken");var NU="does not support dynamic client registration";function DU(e){return e instanceof Error&&e.message.includes(NU)}o(DU,"isDynamicClientRegistrationUnsupported");function MU(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(MU,"readOAuthFetchRequest");function qU(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(qU,"responseLooksJson");function Dy(e){return async(t,r)=>{let n=MU(t),a=await us(t,r,{maxRedirects:UU,maxResponseBytes:OU,problemCode:"upstream_token_exchange_failed",timeoutMs:xU}),i=await a.clone().text();if(!qU(a,i))return a;try{JSON.parse(i)}catch(s){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,s)}return a}}o(Dy,"createUpstreamOAuthFetch");async function My(e,t){try{return await _r(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Dy(t.upstreamServerId)})}catch(r){throw DU(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(My,"runUpstreamOAuth");async function $U(e,t){return _r(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Dy(t.upstreamServerId)})}o($U,"exchangeUpstreamAuthorizationCode");async function qy(e,t){let r=await My(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o(qy,"requireUpstreamAuthorizationRedirect");async function $y(e){if(zU(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await My(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await BU({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o($y,"authorizeUpstreamOAuthSession");async function LU(e){let t=await ts(e.stateToken),r=await q().oauthStateStore.consumeForCallback(t.id),n=jU(r);return HU({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),GU(n),n}o(LU,"consumeStoredCallbackState");function jU(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(jU,"readConsumedCallbackState");function HU(e){if(![e.storedState.tenantId===e.signedState.tenantId,e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(HU,"assertStoredCallbackStateMatches");function GU(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(GU,"assertStoredCallbackStateFresh");async function BU(e){if(e.owner.mode==="tenant_shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),ty(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),On(t)}o(BU,"buildOAuthConnectRequiredResponse");async function Ly(e){let t=await LU({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=En(t),[n]=await q().upstreamConnectionRepository.batchGet([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let i=new Br(a),s=await $U(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(Ly,"finishUpstreamOAuthCallback");async function jy(e){let t=Je(e.upstreamServerId),r=qr(e.upstreamServerId,e.authProfileId),n=Py(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:ne(e.request.url)}}}o(jy,"prepareUpstreamOAuthRequest");async function Hy(e){let t=await jy(e),r=new Br({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return qy(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(Hy,"startUpstreamConnect");async function Gy(e){let t=await jy(e),r=new Br({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return $y({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(Gy,"authorizeUpstreamRequest");function VU(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(VU,"resolveStaticSecretCredential");async function By(e){let{routeAuth:t}=e;switch(t.authMode){case"tenant_shared_oauth":case"user_oauth":return Gy({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"tenant_static_secret":return sy({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"static_secret":{let n=hr({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static_secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:VU(n.secret,t.upstreamServerId)}}case"user_static_secret":return dy({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(By,"resolveUpstreamCredentialForRoute");async function Vy(e){let t=mr(e.principal.tenantId,e.principal.subjectId),r=ct().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user_static_secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await os({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(Vy,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function Fy(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=kt(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await Hy(r);break;case"user_static_secret_capture":t=await ly(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(Fy,"startUpstreamConnectForRequest");async function Zy(e){let r=(await ts(e.callbackRequest.state)).authProfileId,n=hr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(kt(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return Ly({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Je(e.callbackRequest.upstreamServerId)})}o(Zy,"finishUpstreamCallbackForRequest");var ds=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=tr,n){let a=this._client,i={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},s=a.requestStream({method:"tools/call",params:t},r,i),u=a.getToolOutputValidator(t.name);for await(let d of s){if(d.type==="result"&&u){let l=d.result;if(!l.structuredContent&&!l.isError){yield{type:"error",error:new A(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(l.structuredContent)try{let p=u(l.structuredContent);if(!p.valid){yield{type:"error",error:new A(k.InvalidParams,`Structured content does not match the tool's output schema: ${p.errorMessage}`)};return}}catch(p){if(p instanceof A){yield{type:"error",error:p};return}yield{type:"error",error:new A(k.InvalidParams,`Failed to validate structured content: ${p instanceof Error?p.message:String(p)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function ls(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let i=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(i,"default")&&(r[a]=i.default),r[a]!==void 0&&ls(i,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&ls(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&ls(r,t)}}o(ls,"applyElicitationDefaults");function FU(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(FU,"getSupportedElicitationModes");var ps=class extends tn{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new Sn,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",lc,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",cc,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",Qs,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new ds(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Ua(this._capabilities,t)}setRequestHandler(t,r){let a=Jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(Jt(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");let s=i;if(s==="elicitation/create"){let u=o(async(d,l)=>{let p=Me(hc,d);if(!p.success){let R=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid elicitation request: ${R}`)}let{params:m}=p.data;m.mode=m.mode??"form";let{supportsFormMode:f,supportsUrlMode:_}=FU(this._capabilities.elicitation);if(m.mode==="form"&&!f)throw new A(k.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!_)throw new A(k.InvalidParams,"Client does not support URL-mode elicitation requests");let S=await Promise.resolve(r(d,l));if(m.task){let R=Me(Nt,S);if(!R.success){let C=R.error instanceof Error?R.error.message:String(R.error);throw new A(k.InvalidParams,`Invalid task creation result: ${C}`)}return R.data}let y=Me(rr,S);if(!y.success){let R=y.error instanceof Error?y.error.message:String(y.error);throw new A(k.InvalidParams,`Invalid elicitation result: ${R}`)}let w=y.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&w.action==="accept"&&w.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{ls(v,w.content)}catch{}return w},"wrappedHandler");return super.setRequestHandler(t,u)}if(s==="sampling/createMessage"){let u=o(async(d,l)=>{let p=Me(mc,d);if(!p.success){let w=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid sampling request: ${w}`)}let{params:m}=p.data,f=await Promise.resolve(r(d,l));if(m.task){let w=Me(Nt,f);if(!w.success){let v=w.error instanceof Error?w.error.message:String(w.error);throw new A(k.InvalidParams,`Invalid task creation result: ${v}`)}return w.data}let S=m.tools||m.toolChoice?ro:vr,y=Me(S,f);if(!y.success){let w=y.error instanceof Error?y.error.message:String(y.error);throw new A(k.InvalidParams,`Invalid sampling result: ${w}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:Xt,capabilities:this._capabilities,clientInfo:this._clientInfo}},Vs,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!Qt.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){_i(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&yi(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},zt,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},fc,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},zt,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},sc,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},tc,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},Ks,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},Ws,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},Xs,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},zt,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},zt,r)}async callTool(t,r=tr,n){if(this.isToolTaskRequired(t.name))throw new A(k.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),i=this.getToolOutputValidator(t.name);if(i){if(!a.structuredContent&&!a.isError)throw new A(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let s=i(a.structuredContent);if(!s.valid)throw new A(k.InvalidParams,`Structured content does not match the tool's output schema: ${s.errorMessage}`)}catch(s){throw s instanceof A?s:new A(k.InvalidParams,`Failed to validate structured content: ${s instanceof Error?s.message:String(s)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},dc,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let i=Hp.safeParse(n);if(!i.success)throw new Error(`Invalid ${t} listChanged options: ${i.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:s,debounceMs:u}=i.data,{onChanged:d}=n,l=o(async()=>{if(!s){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let f=m instanceof Error?m:new Error(String(m));d(f,null)}},"refresh"),p=o(()=>{if(u){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let f=setTimeout(l,u);this._listChangedDebounceTimers.set(t,f)}else l()},"handler");this.setNotificationHandler(r,p)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function ms(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(ms,"normalizeHeaders");function Ky(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...ms(t.headers),...ms(n.headers)}:t.headers};return e(r,a)}:e}o(Ky,"createFetchWithInit");var hs=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function Dl(e){}o(Dl,"noop");function Wy(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=Dl,onError:r=Dl,onRetry:n=Dl,onComment:a}=e,i="",s=!0,u,d="",l="";function p(y){let w=s?y.replace(/^\xEF\xBB\xBF/,""):y,[v,R]=ZU(`${i}${w}`);for(let C of v)m(C);i=R,s=!1}o(p,"feed");function m(y){if(y===""){_();return}if(y.startsWith(":")){a&&a(y.slice(y.startsWith(": ")?2:1));return}let w=y.indexOf(":");if(w!==-1){let v=y.slice(0,w),R=y[w+1]===" "?2:1,C=y.slice(w+R);f(v,C,y);return}f(y,"",y)}o(m,"parseLine");function f(y,w,v){switch(y){case"event":l=w;break;case"data":d=`${d}${w}
-`;break;case"id":u=w.includes("\0")?void 0:w;break;case"retry":/^\d+$/.test(w)?n(parseInt(w,10)):r(new hs(`Invalid \`retry\` value: "${w}"`,{type:"invalid-retry",value:w,line:v}));break;default:r(new hs(`Unknown field "${y.length>20?`${y.slice(0,20)}\u2026`:y}"`,{type:"unknown-field",field:y,value:w,line:v}));break}}o(f,"processField");function _(){d.length>0&&t({id:u,event:l||void 0,data:d.endsWith(`
-`)?d.slice(0,-1):d}),u=void 0,d="",l=""}o(_,"dispatchEvent");function S(y={}){i&&y.consume&&m(i),s=!0,u=void 0,d="",l="",i=""}return o(S,"reset"),{feed:p,reset:S}}o(Wy,"createParser");function ZU(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
+           SELECT EXISTS (SELECT 1 FROM inserted_consumption) AS inserted`,[t,n,r])),"browser connect ticket consume").inserted?{kind:"available"}:{kind:"consumed"}}};var OE={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},U=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=OE[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};Y();var Jd=c.discriminatedUnion("mode",[c.object({mode:c.literal("user"),tenantId:ue,subjectId:X}).strict(),c.object({mode:c.literal("tenant_shared"),tenantId:ue}).strict()]),Fg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe}).strict(),Zg=c.object({items:c.array(Fg).min(1).max(100)}).strict(),Yd=c.object({items:c.array(c.object({key:c.object({ownerMode:Ht,tenantId:ue,subjectId:X.optional(),upstreamServerId:ke,authProfileId:Pe}).strict(),connection:Gt.strict().optional()}).strict())}).strict(),Kg=Gt.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(Kd),Wg=Gt.strict(),Jg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe}).strict(),Yg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe,connection:Gt.strict().optional(),connectionStatus:c.object({connected:c.boolean(),status:xn,updatedAt:Gt.shape.updatedAt.optional()}).strict()}).strict(),UE=c.enum(["none","client_secret_basic","client_secret_post"]),Mr=c.object({clientId:le,clientName:c.string().min(1),tokenEndpointAuthMethod:UE}).strict(),Xd=c.discriminatedUnion("method",[c.object({method:c.literal("none"),clientId:le}).strict(),c.object({method:c.enum(["client_secret_basic","client_secret_post"]),clientId:le,clientSecretHashInput:c.string().min(1)}).strict()]),Qd=c.object({id:je,currentStateHash:c.string().min(1),clientId:le,redirectUri:c.string().min(1),resource:c.string().min(1),virtualServerId:me,clientState:c.string().optional(),scope:c.string(),codeChallenge:c.string().min(1),codeChallengeMethod:c.literal("S256"),createdAt:V,expiresAt:V,consumedAt:V.optional()}).strict(),Vg=Qd.omit({id:!0,consumedAt:!0}).extend({transactionId:je,client:Mr.optional()}).strict(),el=c.object({tenantId:ue,subjectId:X,roles:c.array(c.string()).optional()}).strict(),zE=Qd.extend({phase:c.literal("awaiting_login")}).strict(),Wd=Qd.extend({phase:c.literal("awaiting_setup"),principal:el}).strict(),NE=c.discriminatedUnion("phase",[zE,Wd]),tl=c.object({transaction:NE,client:Mr}).strict(),Xg=$o.omit({revokedAt:!0}).strict(),Qg=c.discriminatedUnion("kind",[c.object({kind:c.literal("registered"),client:Mr}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),e_=c.object({clientId:le}).strict(),t_=c.discriminatedUnion("kind",[c.object({kind:c.literal("found"),client:$o.strict()}).strict(),c.object({kind:c.literal("missing")}).strict()]),r_=c.discriminatedUnion("phase",[Vg.extend({phase:c.literal("awaiting_login")}).strict(),Vg.extend({phase:c.literal("awaiting_setup"),principal:el}).strict()]),n_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("started")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("redirect_uri_mismatch")}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),o_=c.object({transactionId:je,currentStateHash:c.string().min(1),now:V}).strict(),a_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("available")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),i_=c.object({transactionId:je,expectedPhase:c.literal("awaiting_login"),currentStateHash:c.string().min(1),nextStateHash:c.string().min(1),nextPhase:c.literal("awaiting_setup"),principal:el,now:V}).strict(),s_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("advanced")}).strict(),c.object({kind:c.literal("wrong_phase"),current:c.enum(["awaiting_login","awaiting_setup"])}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),c_=c.discriminatedUnion("decision",[c.object({decision:c.literal("approve"),transactionId:je,currentStateHash:c.string().min(1),currentPrincipal:c.object({tenantId:ue,subjectId:X}).strict(),authorizationCodeHash:c.string().min(1),authorizationCodeExpiresAt:V,grantId:_t,now:V}).strict(),c.object({decision:c.literal("cancel"),transactionId:je,currentStateHash:c.string().min(1),currentPrincipal:c.object({tenantId:ue,subjectId:X}).strict(),now:V}).strict()]),u_=c.discriminatedUnion("kind",[c.object({kind:c.literal("approved"),transaction:Wd,client:Mr}).strict(),c.object({kind:c.literal("cancelled"),transaction:Wd,client:Mr}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed_already")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),d_=c.object({clientAuth:Xd,codeHash:c.string().min(1),redirectUri:c.string().min(1),resource:c.string().min(1).optional(),codeChallenge:c.string().min(1),currentRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),grantExpiresAt:V,accessTokenExpiresAt:V,now:V}).strict(),l_=c.discriminatedUnion("kind",[c.object({kind:c.literal("exchanged"),client:Mr,grant:Lo.strict()}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("binding_mismatch")}).strict()]),p_=c.object({clientAuth:Xd,currentRefreshTokenHash:c.string().min(1),nextRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),resource:c.string().min(1).optional(),accessTokenExpiresAt:V,now:V}).strict(),m_=c.discriminatedUnion("kind",[c.object({kind:c.literal("rotated"),client:Mr,grant:Lo.strict(),accessToken:In.strict(),matched:c.literal("current")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),h_=c.object({clientAuth:Xd,tokenHash:c.string().min(1),now:V}).strict(),f_=c.discriminatedUnion("kind",[c.object({kind:c.literal("revoked_access_token")}).strict(),c.object({kind:c.literal("revoked_grant")}).strict(),c.object({kind:c.literal("client_mismatch")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("invalid_client")}).strict()]),g_=c.object({tokenHash:c.string().min(1),now:V}).strict(),__=c.discriminatedUnion("kind",[c.object({kind:c.literal("valid"),record:In.strict()}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),y_=c.object({accessTokenHash:c.string().min(1),resource:c.string().min(1),virtualServerId:me,upstreamConnectionKeys:c.array(Fg).max(100),now:V}).strict(),S_=c.discriminatedUnion("kind",[c.object({kind:c.literal("authorized"),principal:c.object({tenantId:ue,subjectId:X,roles:c.array(c.string())}).strict(),accessToken:In.strict(),upstreamConnections:Yd.shape.items}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict()]),w_=c.object({record:Vo}).strict(),v_=c.object({kind:c.literal("saved")}).strict(),R_=c.object({id:En,now:V}).strict(),b_=c.discriminatedUnion("kind",[c.object({kind:c.literal("available"),record:Vo}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict()]),C_=c.object({id:Bo,expiresAt:V,now:V}).strict(),I_=c.discriminatedUnion("kind",[c.object({kind:c.literal("available")}).strict(),c.object({kind:c.literal("consumed")}).strict()]);var T_=100;function A_(e){return e!==null&&typeof e=="object"}o(A_,"isProblemDetailsShape");var DE="/zups/v2/mcp/storage";function xe(e){return`${DE}/${e}`}o(xe,"buildStoragePath");function ME(){return xe("upstream-connections/batch-get")}o(ME,"buildBatchGetUpstreamConnectionsPath");function qE(){return xe("upstream-connections/upsert")}o(qE,"buildUpsertUpstreamConnectionPath");function $E(){return xe("authorization/read-setup")}o($E,"buildReadAuthorizationSetupPath");function LE(){return xe("oauth/register-client")}o(LE,"buildRegisterClientPath");function jE(){return xe("oauth/read-client")}o(jE,"buildReadClientPath");function HE(){return xe("authorization/start")}o(HE,"buildStartAuthorizationPath");function GE(){return xe("authorization/read-pending")}o(GE,"buildReadPendingAuthorizationPath");function BE(){return xe("authorization/advance-pending")}o(BE,"buildAdvancePendingAuthorizationPath");function VE(){return xe("authorization/decide-setup")}o(VE,"buildDecideAuthorizationSetupPath");function FE(){return xe("token/exchange-authorization-code")}o(FE,"buildExchangeAuthorizationCodePath");function ZE(){return xe("token/refresh")}o(ZE,"buildRefreshTokenPath");function KE(){return xe("token/revoke")}o(KE,"buildRevokeOAuthTokenPath");function WE(){return xe("token/validate-access-token")}o(WE,"buildValidateAccessTokenPath");function JE(){return xe("mcp/authorize-and-load-connections")}o(JE,"buildAuthorizeAndLoadConnectionsPath");function YE(){return xe("upstream-oauth-state/save")}o(YE,"buildSaveUpstreamOAuthStatePath");function XE(){return xe("upstream-oauth-state/consume")}o(XE,"buildConsumeUpstreamOAuthStatePath");function QE(){return xe("browser-connect-ticket/consume")}o(QE,"buildConsumeBrowserConnectTicketPath");function ex(e,t){return e.ownerMode===t.owner.mode&&e.tenantId===t.owner.tenantId&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(ex,"responseKeyMatchesLookup");function tx(e,t){return e.owner.mode===t.owner.mode&&e.owner.tenantId===t.owner.tenantId&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(tx,"authorizationSetupMatchesLookup");function E_(e,t){return e.ownerMode===t.owner.mode&&e.tenantId===t.owner.tenantId&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(E_,"connectionMatchesLookup");function rx(e,t){return e.ownerMode===t.ownerMode&&(e.tenantId??"")===(t.tenantId??"")&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&nl(e.scopes,t.scopes)&&rl(e.expiresAt,t.expiresAt)&&ox(e.metadata,t.metadata)}o(rx,"connectionMatchesUpsertRecord");function rl(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}o(rl,"optionalTimestampInstantsMatch");function nx(e,t){return Date.parse(e)<=Date.parse(t)}o(nx,"timestampInstantIsAtOrBefore");function nl(e,t){return e.length===t.length&&e.every((r,n)=>r===t[n])}o(nl,"stringArraysMatch");function ox(e,t){let r=k_(e),n=k_(t),a=Object.fromEntries(n);return r.length===n.length&&r.every(([i,s])=>a[i]===s)}o(ox,"metadataMatches");function k_(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}o(k_,"definedMetadataEntries");function ge(e,t){throw g({code:"internal_server_error",privateDetail:e,cause:t})}o(ge,"throwInvalidStorageResponse");async function ax(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){ge("Gateway Service storage response did not match the runtime storage contract.",r)}}o(ax,"parseRuntimeHttpStorageResponse");function x_(e,t){e.length!==t.length&&ge("Gateway Service storage response item count did not match the request.");for(let[r,n]of e.entries()){let a=t[r];ex(n.key,a)||ge("Gateway Service storage response key did not match the request."),n.connection!==void 0&&!E_(n.connection,a)&&ge("Gateway Service storage response connection did not match the response key.")}}o(x_,"validateUpstreamConnectionItemsMatchLookups");function ix(e,t){tx(e,t)||ge("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!E_(e.connection,t)&&ge("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",n=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==n||!rl(e.connectionStatus.updatedAt,a))&&ge("Gateway Service storage response authorization setup status did not match the connection.")}o(ix,"validateAuthorizationSetupResponseMatchesLookup");function sx(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&ge("Gateway Service storage response registered client did not match the request.")}o(sx,"validateRegisterClientResponseMatchesRequest");function cx(e,t){e.kind==="found"&&e.client.clientId!==t.clientId&&ge("Gateway Service storage response client did not match the request.")}o(cx,"validateReadClientResponseMatchesRequest");function ux(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.virtualServerId!==t.virtualServerId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&ge("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.tenantId!==t.principal.tenantId||e.transaction.principal.subjectId!==t.principal.subjectId)&&ge("Gateway Service storage response started authorization principal did not match the request."))}o(ux,"validateStartAuthorizationResponseMatchesRequest");function P_(e,t){e.kind!=="available"&&e.kind!=="advanced"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&ge("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.tenantId!==t.principal.tenantId||e.transaction.principal.subjectId!==t.principal.subjectId)&&ge("Gateway Service storage response advanced authorization did not match the request."))}o(P_,"validatePendingAuthorizationResponseMatchesRequest");function dx(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.tenantId!==t.currentPrincipal.tenantId||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&ge("Gateway Service storage response authorization setup transaction did not match the request.")}o(dx,"validateAuthorizationSetupDecisionResponseMatchesRequest");function lx(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!rl(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&ge("Gateway Service storage response authorization-code exchange did not match the request.")}o(lx,"validateExchangeAuthorizationCodeResponseMatchesRequest");function px(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&ge("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!nx(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!fx(e.accessToken,e.grant))&&ge("Gateway Service storage response token refresh access token did not match the request."))}o(px,"validateRefreshTokenResponseMatchesRequest");function mx(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&ge("Gateway Service storage response access token did not match the request.")}o(mx,"validateAccessTokenValidationResponseMatchesRequest");function hx(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.virtualServerId!==t.virtualServerId||e.principal.tenantId!==e.accessToken.tenantId||e.principal.subjectId!==e.accessToken.subjectId||!nl(e.principal.roles,e.accessToken.roles))&&ge("Gateway Service storage response MCP authorization did not match the request."),x_(e.upstreamConnections,t.upstreamConnectionKeys))}o(hx,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function fx(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.virtualServerId===t.virtualServerId&&e.tenantId===t.tenantId&&e.subjectId===t.subjectId&&e.scope===t.scope&&nl(e.roles,t.roles)}o(fx,"accessTokenMatchesGrant");async function gx(e){try{return await e.clone().json()}catch{return}}o(gx,"readProblemDetails");async function _x(e){let t=await gx(e),r=A_(t)&&typeof t.status=="number"?t.status:e.status,n=A_(t)&&Uo(t.code)?t.code:pd(r);throw g({code:n,privateDetail:`Gateway Service storage request failed with HTTP ${r}.`})}o(_x,"throwRuntimeHttpStorageError");var Ki=class{static{o(this,"RuntimeHttpStorageClient")}#t;#r;constructor(t){this.#t=t.baseUrl??gp.instance.zuploEdgeApiUrl,this.#r=t.fetch??fetch}async#e(t){let r=t.requestSchema.parse(t.input),n=new URL(t.path,this.#t),a=new Headers({"Content-Type":"application/json"});_p(a);let i=await this.#r(n,{method:"POST",headers:a,body:JSON.stringify(r)});return i.ok||await _x(i),{request:r,response:await ax(i,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],n=new Map,a=t.map(s=>{let u=Dr(s),d=n.get(u);if(d!==void 0)return d;let l=r.length;return r.push(s),n.set(u,l),l}),i=[];for(let s=0;s<r.length;s+=T_){let u=r.slice(s,s+T_);i.push(...await this.#n(u))}return a.map(s=>i[s])}async upsertUpstreamConnection(t){let{request:r,response:n}=await this.#e({input:t,path:qE(),requestSchema:Kg,responseSchema:Wg});return rx(n,r)||ge("Gateway Service storage response connection did not match the request."),n}async readAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:$E(),requestSchema:Jg,responseSchema:Yg});return ix(n,r),n}async registerClient(t){let{request:r,response:n}=await this.#e({input:t,path:LE(),requestSchema:Xg,responseSchema:Qg});return sx(n,r),n}async readClient(t){let{request:r,response:n}=await this.#e({input:t,path:jE(),requestSchema:e_,responseSchema:t_});return cx(n,r),n}async startAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:HE(),requestSchema:r_,responseSchema:n_});return ux(n,r),n}async readPendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:GE(),requestSchema:o_,responseSchema:a_});return P_(n,r),n}async advancePendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:BE(),requestSchema:i_,responseSchema:s_});return P_(n,r),n}async decideAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:VE(),requestSchema:c_,responseSchema:u_});return dx(n,r),n}async saveUpstreamOAuthState(t){let{response:r}=await this.#e({input:t,path:YE(),requestSchema:w_,responseSchema:v_});return r}async consumeUpstreamOAuthState(t){let{request:r,response:n}=await this.#e({input:t,path:XE(),requestSchema:R_,responseSchema:b_});return n.kind==="available"&&n.record.id!==r.id&&ge("Gateway Service storage response upstream OAuth state did not match the request."),n}async consumeBrowserConnectTicket(t){let{response:r}=await this.#e({input:t,path:QE(),requestSchema:C_,responseSchema:I_});return r}async exchangeAuthorizationCode(t){let{request:r,response:n}=await this.#e({input:t,path:FE(),requestSchema:d_,responseSchema:l_});return lx(n,r),n}async refreshToken(t){let{request:r,response:n}=await this.#e({input:t,path:ZE(),requestSchema:p_,responseSchema:m_});return px(n,r),n}async revokeOAuthToken(t){let{response:r}=await this.#e({input:t,path:KE(),requestSchema:h_,responseSchema:f_});return r}async validateAccessToken(t){let{request:r,response:n}=await this.#e({input:t,path:WE(),requestSchema:g_,responseSchema:__});return mx(n,r),n}async authorizeAndLoadConnections(t){let{request:r,response:n}=await this.#e({input:t,path:JE(),requestSchema:y_,responseSchema:S_});return hx(n,r),n}async#n(t){let r={items:[...t]},{response:n}=await this.#e({input:r,path:ME(),requestSchema:Zg,responseSchema:Yd});return x_(n.items,t),n.items.map(a=>a.connection)}};var ol=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpUpstreamConnectionRepository")}batchGet(t){return this.client.batchGetUpstreamConnections(t)}upsert(t){return this.client.upsertUpstreamConnection(t)}},al=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpDownstreamOAuthRepository")}#t=new Map;#r=new Map;async getDcrClient(t){let r=this.#t.get(t);if(r&&r.redirectUris.length>0)return r;let n=await this.client.readClient({clientId:t});if(n.kind!=="missing")return this.#t.set(t,n.client),n.client}async saveDcrClient(t){if((await this.client.registerClient(t)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");this.#t.set(t.clientId,t)}async savePendingAuthorizationTransaction(t,r){let{id:n,...a}=t,i=await this.client.startAuthorization({...a,transactionId:n,...r?.client===void 0?{}:{client:r.client}});switch(i.kind){case"started":return this.#e(i.client),{kind:"saved"};case"already_exists":return{kind:"already_exists"};case"invalid_client":throw new U("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new U("invalid_request","redirect_uri is not registered for the client.")}}async advancePendingAuthorizationTransaction(t){let r=await this.client.advancePendingAuthorization({transactionId:t.id,expectedPhase:t.expectedPhase,currentStateHash:t.currentStateHash,nextStateHash:t.nextStateHash,nextPhase:t.nextPhase,principal:t.principal,now:O(t.now)});return r.kind==="advanced"?(this.#e(r.client),{kind:"advanced",record:r.transaction}):r}async getPendingAuthorizationTransaction(t){let r=await this.client.readPendingAuthorization({transactionId:t.id,currentStateHash:t.currentStateHash,now:O(t.now)});return r.kind==="available"?(this.#e(r.client),{kind:"available",record:r.transaction}):r}async consumePendingAuthorizationTransaction(t){let r=await this.getPendingAuthorizationTransaction(t);return r.kind!=="available"?r.kind==="consumed"?{kind:"consumed_already"}:r:r.record.phase!=="awaiting_setup"?{kind:"missing"}:(this.#r.set(r.record.id,{currentStateHash:t.currentStateHash,now:t.now,transaction:r.record}),{kind:"consumed",record:r.record})}async issueAuthorizationCode(t){let r=this.#r.get(t.id);if(!r)throw g("internal_server_error","Authorization code issuance requires a pending setup decision.");let n=await this.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:r.currentStateHash,currentPrincipal:{tenantId:r.transaction.principal.tenantId,subjectId:r.transaction.principal.subjectId},authorizationCodeHash:t.codeHash,authorizationCodeExpiresAt:t.expiresAt,grantId:t.grantId,now:O(r.now)});if(this.#r.delete(t.id),n.kind!=="approved")throw g("oauth_state_invalid","Authorization setup state is invalid, expired, or already used.")}async exchangeAuthorizationCode(t){let r=await this.exchangeAuthorizationCodeWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},codeHash:t.codeHash,redirectUri:t.redirectUri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:t.codeChallenge,currentRefreshTokenHash:t.currentRefreshTokenHash,accessTokenHash:t.accessTokenHash,grantExpiresAt:t.grantExpiresAt,accessTokenExpiresAt:t.accessTokenExpiresAt,now:O(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r.kind==="exchanged"?{kind:"exchanged",grant:r.grant}:r}async saveAccessToken(t){throw g("internal_server_error","Runtime HTTP access-token save is covered by token exchange/refresh operations.")}async validateAccessToken(t){return this.client.validateAccessToken({tokenHash:t.tokenHash,now:O(t.now)})}async rotateRefreshToken(t){throw g("internal_server_error","Runtime HTTP refresh-token rotation is covered by the token refresh operation.")}async revokeOAuthToken(t){let r=await this.revokeOAuthTokenWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},tokenHash:t.tokenHash,now:O(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r}async revokeGrant(t){throw g("internal_server_error","Runtime HTTP grant revocation is not exposed as a standalone storage operation.")}decideAuthorizationSetup(t){return this.client.decideAuthorizationSetup(t)}exchangeAuthorizationCodeWithClientAuth(t){return this.client.exchangeAuthorizationCode(t)}refreshTokenWithClientAuth(t){return this.client.refreshToken(t)}revokeOAuthTokenWithClientAuth(t){return this.client.revokeOAuthToken(t)}authorizeAndLoadConnections(t){return this.client.authorizeAndLoadConnections(t)}#e(t){this.#t.has(t.clientId)||this.#t.set(t.clientId,{clientId:t.clientId,clientName:t.clientName,redirectUris:[],tokenEndpointAuthMethod:t.tokenEndpointAuthMethod,clientExpiresAt:O(new Date(864e10)),createdAt:O(new Date(0))})}},il=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpOAuthStateStore")}async save(t){await this.client.saveUpstreamOAuthState({record:t})}consumeForCallback(t){return this.client.consumeUpstreamOAuthState({id:t,now:O(new Date)})}},sl=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpBrowserConnectTicketStore")}consume(t,r){return this.client.consumeBrowserConnectTicket({id:t,expiresAt:O(r),now:O(new Date)})}};function O_(e={}){let t=new Ki(e);return{upstreamConnectionRepository:new ol(t),downstreamOAuthRepository:new al(t),oauthStateStore:new il(t),browserConnectTicketStore:new sl(t)}}o(O_,"createRuntimeHttpStorageBackend");var yx="__zuploMcpGatewayStorageBackend",cl;function Sx(e){return{upstreamConnectionRepository:new Vi(e),downstreamOAuthRepository:new Li(e),oauthStateStore:new Fi(e),browserConnectTicketStore:new Zi(e)}}o(Sx,"createPostgresStorageBackend");function wx(e){let t=xg(e),r=Ug(t);return Sx(r)}o(wx,"buildPostgresStorageBackend");function vx(){let e=$i().TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING;return e?wx(e):O_()}o(vx,"buildProductionStorageBackend");function q(){let e=globalThis[yx];return e||(cl||(cl=vx()),cl)}o(q,"getStorage");function ul(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(ul,"readBearerToken");function Rx(e,t,r){return Ze(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(Rx,"gatewayAuthenticationRequiredResponse");async function bx(e,t,r){let n=await q().downstreamOAuthRepository.validateAccessToken({tokenHash:await F(e),now:new Date});if(n.kind!=="valid")throw t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed"),g("authentication_required","Gateway access token is expired, revoked, or invalid.");return n.record}o(bx,"validateGatewayAccessToken");function Cx(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(Cx,"assertAccessTokenResource");function Ix(e,t,r){return Ze(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":An({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${ce} scope required by this MCP resource.`,scope:ce})}})}o(Ix,"insufficientScopeResponse");function Tx(e){return{subjectId:e.subjectId,tenantId:e.tenantId,roles:e.roles}}o(Tx,"principalFromAccessToken");function Ax(e){let t=de(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),Ze(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":An({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(Ax,"gatewayTokenRejectedResponse");async function dl(e,t){let r=Rn(t),n=Nr(r.virtualServerId,e.url),a=ul(e),i=An({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),Rx(e,t,i);try{let s=await bx(a,t,r.virtualServerId);if(Cx({accessToken:s,resource:n,virtualServerId:r.virtualServerId},t),s.scope!==ce)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:s.scope,requiredScope:ce,virtualServerId:r.virtualServerId,clientId:s.clientId},"Gateway access token does not have the required MCP scope"),Ix(e,t,r.virtualServerId);let u=Tx(s);return Ag(t,u),ld(t,u),e}catch(s){return Ax({request:e,context:t,error:s,virtualServerId:r.virtualServerId})}}o(dl,"gatewayTokenInbound");var kx=2,U_=4,Px=24,Ex=16,z_=512,xx=/(token|secret|authorization|password|cookie|credential|client[_-]?secret|code[_-]?verifier|(^|[_-])(code|state|verifier)($|[_-]))/i,Ox=/("(?:access_token|refresh_token|id_token|client_secret|authorization|password|cookie|code|state|code_verifier)"\s*:\s*")([^"]*)(")/gi,Ux=/\b(access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|cookie|code|state|code[_-]?verifier)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,;&]+)/gi,zx=/\b(authorization)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|(?:Bearer|Basic)\s+[^\s,;]+|[^\s,;]+)/gi,Nx=/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi,Dx=/\bBasic\s+[A-Za-z0-9+/=-]+/gi;function N_(e){let t=e.route;return t&&typeof t=="object"?t:void 0}o(N_,"readRoute");function Mx(e){let t=N_(e)?.path;return typeof t=="string"&&t.length>0?t:void 0}o(Mx,"readRoutePath");function qx(e){let t=N_(e)?.raw;if(typeof t!="function")return;let r=t();if(!r||typeof r!="object")return;let n=r.operationId;return typeof n=="string"&&n.length>0?n:void 0}o(qx,"readRouteOperationId");function $x(e){if(!(e===void 0||!Number.isFinite(e)||e<100))return`${Math.trunc(e/100)}xx`}o($x,"deriveStatusClass");function Lx(e,t){if(!(!e&&!t))return e==="user"?t==="user_oauth"?"upstream_user_attributed":"gateway_user_attributed_only":e==="tenant_shared"?"tenant_shared_upstream_identity":e==="none"?"machine_identity":"unknown"}o(Lx,"deriveOriginAttributionMode");function jx(e){if(!e)return;let t=e.toLowerCase();return t.includes("desktop")||t.includes("claude")||t.includes("chatgpt")?"desktop":t.includes("vscode")||t.includes("cursor")||t.includes("zed")||t.includes("jetbrains")||t.includes("ide")?"ide":t.includes("extension")?"extension":t.includes("agent")||t.includes("bot")||t.includes("worker")||t.includes("service")?"service":"unknown"}o(jx,"deriveClientKind");function Hx(e,t){return t==="success"?"none":e===H.MCP_GATEWAY_REQUEST_RECEIVED||e===H.MCP_GATEWAY_REQUEST_REJECTED||e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"ingress":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_INITIALIZE_NEGOTIATED?"routing":e===H.MCP_GATEWAY_POLICY_DECISION?"policy":e===H.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e.startsWith("mcp_gateway_capability_")||e.startsWith("mcp_gateway_catalog_")?"upstream":e===H.MCP_GATEWAY_REQUEST_COMPLETED?"egress":"none"}o(Hx,"deriveFailureStage");function Gx(e,t){return t==="success"?"none":t==="application_error"?"mcp_application":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_POLICY_DECISION||e===H.MCP_GATEWAY_GUARDRAIL_DECISION||e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e===H.MCP_GATEWAY_CAPABILITY_FAILED||e===H.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED?"upstream":e===H.MCP_GATEWAY_REQUEST_REJECTED||e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"client":"gateway"}o(Gx,"deriveFailureOrigin");function Bx(e,t){return t==="success"?"none":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_POLICY_DECISION?"policy":e===H.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"rate_limit":e.startsWith("mcp_gateway_upstream_")?"upstream":e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR||e===H.MCP_GATEWAY_REQUEST_REJECTED?"protocol":"none"}o(Bx,"deriveReasonClass");function Vx(e){return e.length<=z_?e:`${e.slice(0,z_)}...`}o(Vx,"truncateAnalyticsString");function Fx(e){return Vx(e.replace(Ox,"$1[REDACTED]$3").replace(zx,"$1$2[REDACTED]").replace(Ux,"$1$2[REDACTED]").replace(Nx,"Bearer [REDACTED]").replace(Dx,"Basic [REDACTED]"))}o(Fx,"redactAnalyticsString");function D_(e,t){if(e!==void 0){if(e===null||typeof e=="boolean")return e;if(typeof e=="string")return Fx(e);if(typeof e=="number")return Number.isFinite(e)?e:void 0;if(Array.isArray(e))return t>=U_?"[DEPTH_LIMIT]":e.slice(0,Ex).map(r=>D_(r,t+1)).filter(r=>r!==void 0);if(typeof e=="object")return e instanceof Date?e.toISOString():t>=U_?"[DEPTH_LIMIT]":M_(e,t+1)}}o(D_,"sanitizeAnalyticsValue");function M_(e,t=0){if(!e)return;let r={};for(let[n,a]of Object.entries(e).slice(0,Px)){if(xx.test(n)){r[n]="[REDACTED]";continue}let i=D_(a,t);i!==void 0&&(r[n]=i)}return Object.keys(r).length===0?void 0:r}o(M_,"sanitizeMcpGatewayAnalyticsAttributes");function z(e){return e===void 0?null:e}o(z,"nullable");function Zx(e){let t=e.environment;return t&&typeof t=="object"&&typeof t.name=="string"?t.name:null}o(Zx,"readEnvironment");function Kx(e){let t=e.requestId;return typeof t=="string"&&t.length>0?t:null}o(Kx,"readRequestId");function Wx(e){if(e===void 0)return null;try{return JSON.stringify(e)}catch{return null}}o(Wx,"attributesToJsonString");function Jx(e,t){let r=Hd(e),n=No(e),a=M_(t.attributes),i=Kx(e),s=t.ownerMode??t.routeBinding?.ownerMode??null,u=t.upstreamAuthMode??t.routeBinding?.authMode??null,d=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId??null,l=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId??null,p=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName??null,m=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId??null,f=t.clientKind??jx(t.clientName)??null,_=Lx(s??void 0,u??void 0)??null,S=$x(t.httpStatusCode)??null,y=t.reasonClass??Bx(t.eventType,t.outcome),w=t.failureOrigin??Gx(t.eventType,t.outcome),v=t.failureStage??Hx(t.eventType,t.outcome);return{schemaVersion:kx,outcome:t.outcome,tenantId:z(r?.tenantId),subjectId:z(r?.subjectId),environment:Zx(e),traceId:t.traceId??i,spanId:z(t.spanId),parentEventId:z(t.parentEventId),mcpSessionId:z(t.mcpSessionId),routeSurface:z(t.routeSurface),routePath:Mx(e)??null,operationId:qx(e)??null,virtualServerName:d,virtualServerTitle:z(t.virtualServerTitle),upstreamServerName:l,upstreamServerTitle:p,upstreamBindingId:z(t.upstreamBindingId),clientName:z(t.clientName),clientTitle:z(t.clientTitle),clientVersion:z(t.clientVersion),clientKind:f,authProfileId:m,upstreamAuthMode:u,ownerMode:s,authMethod:z(t.authMethod),originAttributionMode:_,httpMethod:z(t.httpMethod),httpStatusCode:z(t.httpStatusCode),statusClass:S,mcpMethod:z(t.mcpMethod),mcpProtocolVersion:z(t.mcpProtocolVersion),mcpStatus:z(t.mcpStatus),mcpErrorType:z(t.mcpErrorType),applicationError:z(t.applicationError),applicationErrorCode:z(t.applicationErrorCode),toolResultIsError:z(t.toolResultIsError),capabilityType:z(t.capabilityType),capabilityName:z(t.capabilityName),capabilityTitle:z(t.capabilityTitle),upstreamCapabilityName:z(t.upstreamCapabilityName),upstreamCapabilityTitle:z(t.upstreamCapabilityTitle),capabilitySchemaHash:z(t.capabilitySchemaHash),policyId:z(t.policyId),policyAction:z(t.policyAction),guardrailType:z(t.guardrailType),guardrailDirection:z(t.guardrailDirection),guardrailFindingCount:z(t.guardrailFindingCount),redactionCount:z(t.redactionCount),requestMutated:z(t.requestMutated),responseMutated:z(t.responseMutated),latencyMs:z(t.latencyMs),gatewayLatencyMs:z(t.gatewayLatencyMs),upstreamLatencyMs:z(t.upstreamLatencyMs),authLatencyMs:z(t.authLatencyMs),policyLatencyMs:z(t.policyLatencyMs),requestBytes:z(t.requestBytes),responseBytes:z(t.responseBytes),estimatedInputTokens:z(t.estimatedInputTokens),estimatedOutputTokens:z(t.estimatedOutputTokens),estimatedContextTokens:z(t.estimatedContextTokens),contextPressureBucket:z(t.contextPressureBucket),responseMimeTypes:z(t.responseMimeTypes),base64Suspected:z(t.base64Suspected),truncated:z(t.truncated),isLargePayloadRequest:z(t.isLargePayloadRequest),isLargePayloadResponse:z(t.isLargePayloadResponse),payloadCaptureMode:z(t.payloadCaptureMode),reasonCode:z(t.reasonCode),reasonClass:y,errorType:t.errorType??t.reasonCode??null,failureOrigin:w,failureStage:v,customMetadataJson:z(t.customMetadataJson),attributesJson:Wx(a)}}o(Jx,"buildMcpGatewayAnalyticsMetadata");function We(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,Jx(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_gateway_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(We,"emitMcpGatewayAnalyticsEvent");function Je(e){let t=st().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(Je,"getUpstreamServerConfig");function Yx(e){let t=st().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(Yx,"resolveUpstreamAuthProfileId");function hr(e){Yx(e);let t=st().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(hr,"getUpstreamAuthConfig");function qr(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(!Bf(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(qr,"requireUpstreamOAuthConfig");var Xx={tenant_shared_oauth:{authMode:"tenant_shared_oauth",ownerMode:"tenant_shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},user_oauth:{authMode:"user_oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},static_secret:{authMode:"static_secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured_static_secret"},tenant_static_secret:{authMode:"tenant_static_secret",ownerMode:"tenant_shared",connectSupport:"none",connectUnsupportedDetail:"Tenant static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"tenant_static_secret_connection"},user_static_secret:{authMode:"user_static_secret",ownerMode:"user",connectSupport:"user_static_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_static_secret_connection"}};function At(e){return Xx[e]}o(At,"describeUpstreamAuthMode");function Wi(e){return At(e).ownerMode}o(Wi,"resolveOwnerModeForUpstreamAuthMode");Y();import{errors as B_,jwtVerify as V_,SignJWT as F_}from"jose";import{base64url as Qx}from"jose";var eO=new TextEncoder,ll=32;function q_(e,t={}){let r=[tO(e),eO.encode(e)],n;for(let a of r)if(a){if(a.byteLength>=ll){n=a;break}(n===void 0||a.byteLength>n.byteLength)&&(n=a)}if(n===void 0||n.byteLength<ll){let a=t.name??"secret key material",i=n?.byteLength??0;throw new Error(`${a} must decode to at least ${ll} bytes (got ${i}). Generate a high-entropy value with for example: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='.`)}return n}o(q_,"decodeConfiguredSecretKeyMaterial");function tO(e){try{return Qx.decode(e)}catch{return}}o(tO,"tryDecodeBase64Url");var $_=new Map,L_=new Map;function rO(e){let t=$_.get(e);return t||(t=q_($i()[e],{name:e}),$_.set(e,t)),t}o(rO,"getMasterKeyMaterial");async function kt(e){let t=L_.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(rO(e.envVar));return L_.set(e.purpose,r),r}o(kt,"readCachedDerivedKey");var nO="SHA-256";var oO="zuplo-mcp-gateway:",aO=new TextEncoder,j_=new WeakMap;async function fr(e,t){let r=j_.get(e);r||(r=new Map,j_.set(e,r));let n=r.get(t);if(n)return n;let a=await iO(e,t);return r.set(t,a),a}o(fr,"deriveGatewaySigningKey");async function iO(e,t){let r=H_(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=aO.encode(`${oO}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:nO,salt:new Uint8Array,info:H_(a)},n,32*8);return new Uint8Array(i)}o(iO,"hkdfExpand");function H_(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(H_,"copyToArrayBuffer");var Ji="HS256",Z_=15*60,sO=15*60,Yi="zuplo-mcp-gateway",Xi="zuplo-mcp-gateway",cO=Dg.extend({id:En}),uO=cO.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),K_=kn.extend({id:Bo,purpose:c.literal("browser_connect")}),dO=kn.extend({purpose:c.literal("browser_connect")}),lO=K_.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),W_=Z_*1e3;async function J_(){return kt({purpose:"oauth-state",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"oauth-state"),"derive")})}o(J_,"getOAuthStateKey");async function Y_(){return kt({purpose:"browser-connect",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-connect"),"derive")})}o(Y_,"getBrowserConnectKey");async function X_(e){let t=Math.floor(Date.now()/1e3)+Z_;return new F_(e).setProtectedHeader({alg:Ji,typ:"JWT"}).setIssuer(Yi).setAudience(Xi).setIssuedAt().setExpirationTime(t).sign(await J_())}o(X_,"signOAuthState");async function Qi(e){try{let{payload:t}=await V_(e,await J_(),{algorithms:[Ji],issuer:Yi,audience:Xi});return uO.parse(t)}catch(t){throw t instanceof B_.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(Qi,"verifyOAuthState");async function Q_(e){let t=Math.floor(Date.now()/1e3)+sO,r=dO.parse(e),n=K_.parse({...r,id:jg()});return new F_(n).setProtectedHeader({alg:Ji,typ:"JWT"}).setIssuer(Yi).setAudience(Xi).setIssuedAt().setExpirationTime(t).sign(await Y_())}o(Q_,"signBrowserConnectTicket");async function es(e){try{let{payload:t}=await V_(e,await Y_(),{algorithms:[Ji],issuer:Yi,audience:Xi});return lO.parse(t)}catch(t){throw t instanceof B_.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o(es,"verifyBrowserConnectTicket");async function ts(e){if((await q().browserConnectTicketStore.consume(e.id,new Date(e.exp*1e3))).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o(ts,"consumeBrowserConnectTicket");function pO(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(pO,"buildConnectRequiredMessage");async function ey(e){let t=re(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await Q_({...Go(e),purpose:"browser_connect"})),r.toString()}o(ey,"buildGatewayBrowserTicketUrl");function mO(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(mO,"buildGatewayConnectPath");async function pl(e){return ey({...e,path:mO(e.upstreamServerId),redirect:!0})}o(pl,"buildGatewayConnectUrl");async function ty(e){return ey({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(ty,"buildGatewayAppPasswordCaptureUrl");async function On(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await pl(t),message:pO(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(On,"buildRedirectConnectRequiredResponse");function ry(e){return ny({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(ry,"buildAdminConnectRequiredResponse");function ny(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(ny,"buildAdminSetupRequiredResponse");function oy(e){return ny({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(oy,"buildAdminStaticSecretRequiredResponse");Y();import{base64url as gr}from"jose";var hO="SHA-256",zn="AES-GCM",fO=12,hl="zuplo-secret",fl=1,ay="env:TOKEN_ENCRYPTION_KEY",gO=c.object({version:c.literal(fl),keyId:c.literal(ay),algorithm:c.literal(zn),iv:c.string().min(1),ciphertext:c.string().min(1)}).strict();function Un(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Un,"copyToArrayBuffer");async function ml(){return kt({purpose:"token-encryption",envVar:"TOKEN_ENCRYPTION_KEY",derive:o(async e=>{let t=await crypto.subtle.digest(hO,Un(e));return crypto.subtle.importKey("raw",t,{name:zn},!1,["encrypt","decrypt"])},"derive")})}o(ml,"getEncryptionKey");function iy(e){return Un(new TextEncoder().encode(`${hl}:v${e.version}:${e.keyId}`))}o(iy,"getAssociatedData");function _O(e){return`${hl}:v${e.version}:${gr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(_O,"encodeEnvelope");function yO(e){let t=`${hl}:v${fl}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(gr.decode(r));return gO.parse(JSON.parse(n))}o(yO,"decodeEnvelope");async function $r(e){let t=await ml(),r=crypto.getRandomValues(new Uint8Array(fO)),n={version:fl,keyId:ay},a=await crypto.subtle.encrypt({name:zn,iv:r,additionalData:iy(n)},t,new TextEncoder().encode(e));return _O({...n,algorithm:zn,iv:gr.encode(r),ciphertext:gr.encode(new Uint8Array(a))})}o($r,"encryptSecret");async function Bt(e){let t=yO(e);if(t){let s=await ml(),u=await crypto.subtle.decrypt({name:zn,iv:Un(gr.decode(t.iv)),additionalData:iy(t)},s,Un(gr.decode(t.ciphertext)));return new TextDecoder().decode(u)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await ml(),i=await crypto.subtle.decrypt({name:zn,iv:Un(gr.decode(r))},a,Un(gr.decode(n)));return new TextDecoder().decode(i)}o(Bt,"decryptSecret");function SO(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(r.mode!=="tenant_static_secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(SO,"requireTenantStaticSecretConfig");function sy(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(sy,"hasUsableTenantStaticSecret");async function wO(e){if(!sy(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await Bt(e.connection.metadata.encryptedStaticSecret)}}o(wO,"resolveTenantStaticSecretCredential");async function cy(e){let t=Je(e.upstreamServerId);SO(e.upstreamServerId,e.authProfileId);let r="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(sy(r))return{kind:"authorized",credential:await wO({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:oy(n)}}o(cy,"resolveTenantStaticSecretCredentialForRequest");Y();async function gl(e){return q().upstreamConnectionRepository.upsert({id:Bi(),tenantId:e.owner.tenantId,ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(gl,"upsertStaticSecretConnection");var vO=c.string().trim().min(1).max(320),RO=c.string().min(1).max(4096),bO=c.string().trim().min(1).max(4096);function _l(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(r.mode!=="user_static_secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(_l,"requireUserStaticSecretConfig");function CO(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(CO,"encodeBase64Utf8");function IO(e){return`Basic ${CO(`${e.username}:${e.appPassword}`)}`}o(IO,"buildBasicAuthHeader");function uy(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(uy,"hasEncryptedUserStaticSecret");async function TO(e){if(!uy(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await Bt(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:IO({username:e.connection.metadata.staticSecretUsername,appPassword:await Bt(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(TO,"resolveUserStaticSecretCredential");async function dy(e){if(_l(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=vO.parse(e.username),n=RO.parse(e.appPassword);return gl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await $r(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(dy,"saveUserStaticSecretCredential");async function rs(e){let t=_l(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=bO.parse(e.token);return gl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await $r(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(rs,"saveUserStaticBearerTokenCredential");function yl(e,t){return _l(e,t)}o(yl,"readUserStaticSecretCaptureConfig");async function ly(e){let t=Je(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(uy(r))return{kind:"authorized",credential:await TO({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await On(n)}}o(ly,"resolveUserStaticSecretCredentialForRequest");function py(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return ty({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(py,"buildUserStaticSecretConnectUrl");var Sl;Sl=globalThis.crypto;async function AO(e){return(await Sl).getRandomValues(new Uint8Array(e))}o(AO,"getRandomValues");async function kO(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await AO(e-n.length);for(let i of a)i<r&&(n+=t[i%t.length])}return n}o(kO,"random");async function PO(e){return await kO(e)}o(PO,"generateVerifier");async function EO(e){let t=await(await Sl).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(EO,"generateChallenge");async function wl(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await PO(e),r=await EO(t);return{code_verifier:t,code_challenge:r}}o(wl,"pkceChallenge");Y();var Oe=vp().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Ip.custom,message:"URL must be parseable",fatal:!0}),Sp}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),ns=Se({resource:h().url(),authorization_servers:b(Oe).optional(),jwks_uri:h().url().optional(),scopes_supported:b(h()).optional(),bearer_methods_supported:b(h()).optional(),resource_signing_alg_values_supported:b(h()).optional(),resource_name:h().optional(),resource_documentation:h().optional(),resource_policy_uri:h().url().optional(),resource_tos_uri:h().url().optional(),tls_client_certificate_bound_access_tokens:ee().optional(),authorization_details_types_supported:b(h()).optional(),dpop_signing_alg_values_supported:b(h()).optional(),dpop_bound_access_tokens_required:ee().optional()}),Fo=Se({issuer:h(),authorization_endpoint:Oe,token_endpoint:Oe,registration_endpoint:Oe.optional(),scopes_supported:b(h()).optional(),response_types_supported:b(h()),response_modes_supported:b(h()).optional(),grant_types_supported:b(h()).optional(),token_endpoint_auth_methods_supported:b(h()).optional(),token_endpoint_auth_signing_alg_values_supported:b(h()).optional(),service_documentation:Oe.optional(),revocation_endpoint:Oe.optional(),revocation_endpoint_auth_methods_supported:b(h()).optional(),revocation_endpoint_auth_signing_alg_values_supported:b(h()).optional(),introspection_endpoint:h().optional(),introspection_endpoint_auth_methods_supported:b(h()).optional(),introspection_endpoint_auth_signing_alg_values_supported:b(h()).optional(),code_challenge_methods_supported:b(h()).optional(),client_id_metadata_document_supported:ee().optional()}),xO=Se({issuer:h(),authorization_endpoint:Oe,token_endpoint:Oe,userinfo_endpoint:Oe.optional(),jwks_uri:Oe,registration_endpoint:Oe.optional(),scopes_supported:b(h()).optional(),response_types_supported:b(h()),response_modes_supported:b(h()).optional(),grant_types_supported:b(h()).optional(),acr_values_supported:b(h()).optional(),subject_types_supported:b(h()),id_token_signing_alg_values_supported:b(h()),id_token_encryption_alg_values_supported:b(h()).optional(),id_token_encryption_enc_values_supported:b(h()).optional(),userinfo_signing_alg_values_supported:b(h()).optional(),userinfo_encryption_alg_values_supported:b(h()).optional(),userinfo_encryption_enc_values_supported:b(h()).optional(),request_object_signing_alg_values_supported:b(h()).optional(),request_object_encryption_alg_values_supported:b(h()).optional(),request_object_encryption_enc_values_supported:b(h()).optional(),token_endpoint_auth_methods_supported:b(h()).optional(),token_endpoint_auth_signing_alg_values_supported:b(h()).optional(),display_values_supported:b(h()).optional(),claim_types_supported:b(h()).optional(),claims_supported:b(h()).optional(),service_documentation:h().optional(),claims_locales_supported:b(h()).optional(),ui_locales_supported:b(h()).optional(),claims_parameter_supported:ee().optional(),request_parameter_supported:ee().optional(),request_uri_parameter_supported:ee().optional(),require_request_uri_registration:ee().optional(),op_policy_uri:Oe.optional(),op_tos_uri:Oe.optional(),client_id_metadata_document_supported:ee().optional()}),os=C({...xO.shape,...Fo.pick({code_challenge_methods_supported:!0}).shape}),Zo=C({access_token:h(),id_token:h().optional(),token_type:h(),expires_in:Tp.number().optional(),scope:h().optional(),refresh_token:h().optional()}).strip(),hy=C({error:h(),error_description:h().optional(),error_uri:h().optional()}),my=Oe.optional().or(P("").transform(()=>{})),OO=C({redirect_uris:b(Oe),token_endpoint_auth_method:h().optional(),grant_types:b(h()).optional(),response_types:b(h()).optional(),client_name:h().optional(),client_uri:Oe.optional(),logo_uri:my,scope:h().optional(),contacts:b(h()).optional(),tos_uri:my,policy_uri:h().optional(),jwks_uri:Oe.optional(),jwks:bp().optional(),software_id:h().optional(),software_version:h().optional(),software_statement:h().optional()}).strip(),vl=C({client_id:h(),client_secret:h().optional(),client_id_issued_at:K().optional(),client_secret_expires_at:K().optional()}).strip(),Ko=OO.merge(vl),N4=C({error:h(),error_description:h().optional()}).strip(),D4=C({token:h(),token_type_hint:h().optional()}).strip();function fy(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(fy,"resourceUrlFromServerUrl");function gy({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(i)}o(gy,"checkResourceAllowed");var _e=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Wo=class extends _e{static{o(this,"InvalidRequestError")}};Wo.errorCode="invalid_request";var Lr=class extends _e{static{o(this,"InvalidClientError")}};Lr.errorCode="invalid_client";var jr=class extends _e{static{o(this,"InvalidGrantError")}};jr.errorCode="invalid_grant";var Hr=class extends _e{static{o(this,"UnauthorizedClientError")}};Hr.errorCode="unauthorized_client";var Jo=class extends _e{static{o(this,"UnsupportedGrantTypeError")}};Jo.errorCode="unsupported_grant_type";var Yo=class extends _e{static{o(this,"InvalidScopeError")}};Yo.errorCode="invalid_scope";var Xo=class extends _e{static{o(this,"AccessDeniedError")}};Xo.errorCode="access_denied";var Vt=class extends _e{static{o(this,"ServerError")}};Vt.errorCode="server_error";var Qo=class extends _e{static{o(this,"TemporarilyUnavailableError")}};Qo.errorCode="temporarily_unavailable";var ea=class extends _e{static{o(this,"UnsupportedResponseTypeError")}};ea.errorCode="unsupported_response_type";var ta=class extends _e{static{o(this,"UnsupportedTokenTypeError")}};ta.errorCode="unsupported_token_type";var ra=class extends _e{static{o(this,"InvalidTokenError")}};ra.errorCode="invalid_token";var na=class extends _e{static{o(this,"MethodNotAllowedError")}};na.errorCode="method_not_allowed";var oa=class extends _e{static{o(this,"TooManyRequestsError")}};oa.errorCode="too_many_requests";var Gr=class extends _e{static{o(this,"InvalidClientMetadataError")}};Gr.errorCode="invalid_client_metadata";var aa=class extends _e{static{o(this,"InsufficientScopeError")}};aa.errorCode="insufficient_scope";var ia=class extends _e{static{o(this,"InvalidTargetError")}};ia.errorCode="invalid_target";var _y={[Wo.errorCode]:Wo,[Lr.errorCode]:Lr,[jr.errorCode]:jr,[Hr.errorCode]:Hr,[Jo.errorCode]:Jo,[Yo.errorCode]:Yo,[Xo.errorCode]:Xo,[Vt.errorCode]:Vt,[Qo.errorCode]:Qo,[ea.errorCode]:ea,[ta.errorCode]:ta,[ra.errorCode]:ra,[na.errorCode]:na,[oa.errorCode]:oa,[Gr.errorCode]:Gr,[aa.errorCode]:aa,[ia.errorCode]:ia};var Ft=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function UO(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(UO,"isClientAuthMethod");var Rl="code",bl="S256";function zO(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&UO(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(zO,"selectClientAuthMethod");function NO(e,t,r,n){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":DO(a,i,r);return;case"client_secret_post":MO(a,i,n);return;case"none":qO(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(NO,"applyClientAuthentication");function DO(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(DO,"applyBasicAuth");function MO(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(MO,"applyPostAuth");function qO(e,t){t.set("client_id",e)}o(qO,"applyPublicAuth");async function Sy(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=hy.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=n,u=_y[a]||Vt;return new u(i||"",s)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new Vt(a)}}o(Sy,"parseErrorResponse");async function _r(e,t){try{return await Cl(e,t)}catch(r){if(r instanceof Lr||r instanceof Hr)return await e.invalidateCredentials?.("all"),await Cl(e,t);if(r instanceof jr)return await e.invalidateCredentials?.("tokens"),await Cl(e,t);throw r}}o(_r,"auth");async function Cl(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),u,d,l,p=a;if(!p&&s?.resourceMetadataUrl&&(p=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(d=s.authorizationServerUrl,u=s.resourceMetadata,l=s.authorizationServerMetadata??await vy(d,{fetchFn:i}),!u)try{u=await wy(t,{resourceMetadataUrl:p},i)}catch{}(l!==s.authorizationServerMetadata||u!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:p?.toString(),resourceMetadata:u,authorizationServerMetadata:l})}else{let I=await BO(t,{resourceMetadataUrl:p,fetchFn:i});d=I.authorizationServerUrl,l=I.authorizationServerMetadata,u=I.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:p?.toString(),resourceMetadata:u,authorizationServerMetadata:l})}let m=await $O(t,e,u),f=n||u?.scopes_supported?.join(" ")||e.clientMetadata.scope,_=await Promise.resolve(e.clientInformation());if(!_){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let I=l?.client_id_metadata_document_supported===!0,N=e.clientMetadataUrl;if(N&&!Tl(N))throw new Gr(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${N}`);if(I&&N)_={client_id:N},await e.saveClientInformation?.(_);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Ye=await WO(d,{metadata:l,clientMetadata:e.clientMetadata,scope:f,fetchFn:i});await e.saveClientInformation(Ye),_=Ye}}let S=!e.redirectUrl;if(r!==void 0||S){let I=await KO(e,d,{metadata:l,resource:m,authorizationCode:r,fetchFn:i});return await e.saveTokens(I),"AUTHORIZED"}let y=await e.tokens();if(y?.refresh_token)try{let I=await ZO(d,{metadata:l,clientInformation:_,refreshToken:y.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(I),"AUTHORIZED"}catch(I){if(!(!(I instanceof _e)||I instanceof Vt))throw I}let w=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:R}=await VO(d,{metadata:l,clientInformation:_,state:w,redirectUrl:e.redirectUrl,scope:f,resource:m});return await e.saveCodeVerifier(R),await e.redirectToAuthorization(v),"REDIRECT"}o(Cl,"authInternal");function Tl(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(Tl,"isHttpsUrl");async function $O(e,t,r){let n=fy(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!gy({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o($O,"selectResourceURL");function Al(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=Il(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=Il(e,"scope")||void 0,u=Il(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:u}}o(Al,"extractWWWAuthenticateParams");function Il(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(Il,"extractFieldFromWwwAuth");async function wy(e,t,r=fetch){let n=await HO(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return ns.parse(await n.json())}o(wy,"discoverOAuthProtectedResourceMetadata");async function kl(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?kl(e,void 0,r):void 0;throw n}}o(kl,"fetchWithCorsRetry");function LO(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(LO,"buildWellKnownPath");async function yy(e,t,r=fetch){return await kl(e,{"MCP-Protocol-Version":t},r)}o(yy,"tryMetadataDiscovery");function jO(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(jO,"shouldAttemptFallback");async function HO(e,t,r,n){let a=new URL(e),i=n?.protocolVersion??Xt,s;if(n?.metadataUrl)s=new URL(n.metadataUrl);else{let d=LO(t,a.pathname);s=new URL(d,n?.metadataServerUrl??a),s.search=a.search}let u=await yy(s,i,r);if(!n?.metadataUrl&&jO(u,a.pathname)){let d=new URL(`/.well-known/${t}`,a);u=await yy(d,i,r)}return u}o(HO,"discoverMetadataWithFallback");function GO(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(GO,"buildDiscoveryUrls");async function vy(e,{fetchFn:t=fetch,protocolVersion:r=Xt}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=GO(e);for(let{url:i,type:s}of a){let u=await kl(i,n,t);if(u){if(!u.ok){if(await u.body?.cancel(),u.status>=400&&u.status<500)continue;throw new Error(`HTTP ${u.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Fo.parse(await u.json()):os.parse(await u.json())}}}o(vy,"discoverAuthorizationServerMetadata");async function BO(e,t){let r,n;try{r=await wy(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await vy(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(BO,"discoverOAuthServerInfo");async function VO(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:i,resource:s}){let u;if(t){if(u=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Rl))throw new Error(`Incompatible auth server: does not support response type ${Rl}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(bl))throw new Error(`Incompatible auth server: does not support code challenge method ${bl}`)}else u=new URL("/authorize",e);let d=await wl(),l=d.code_verifier,p=d.code_challenge;return u.searchParams.set("response_type",Rl),u.searchParams.set("client_id",r.client_id),u.searchParams.set("code_challenge",p),u.searchParams.set("code_challenge_method",bl),u.searchParams.set("redirect_uri",String(n)),i&&u.searchParams.set("state",i),a&&u.searchParams.set("scope",a),a?.includes("offline_access")&&u.searchParams.append("prompt","consent"),s&&u.searchParams.set("resource",s.href),{authorizationUrl:u,codeVerifier:l}}o(VO,"startAuthorization");function FO(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(FO,"prepareAuthorizationCodeRequest");async function Ry(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:i,fetchFn:s}){let u=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(d,r,u,t);else if(n){let p=t?.token_endpoint_auth_methods_supported??[],m=zO(n,p);NO(m,n,d,r)}let l=await(s??fetch)(u,{method:"POST",headers:d,body:r});if(!l.ok)throw await Sy(l);return Zo.parse(await l.json())}o(Ry,"executeTokenRequest");async function ZO(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:i,fetchFn:s}){let u=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await Ry(e,{metadata:t,tokenRequestParams:u,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:n,...d}}o(ZO,"refreshAuthorization");async function KO(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,u;if(e.prepareTokenRequest&&(u=await e.prepareTokenRequest(s)),!u){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let l=await e.codeVerifier();u=FO(a,l,e.redirectUrl)}let d=await e.clientInformation();return Ry(t,{metadata:r,tokenRequestParams:u,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:i})}o(KO,"fetchToken");async function WO(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!s.ok)throw await Sy(s);return Ko.parse(await s.json())}o(WO,"registerClient");var JO=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),YO=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function by(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(by,"parseIpv4Octets");function XO([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(XO,"ipv4RangeMatches");function Cy(e){let t=by(e);return t!==void 0&&YO.some(r=>XO(t,r))}o(Cy,"isPrivateIpv4");function Pl(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(Pl,"parseIpv6Word");function QO(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(QO,"formatIpv4FromWords");function eU(e){let t=e.slice(7),r=by(t);if(r!==void 0)return r.join(".");let[n,a,i]=t.split(":"),s=Pl(n),u=Pl(a);return i===void 0&&s!==void 0&&u!==void 0?QO(s,u):void 0}o(eU,"parseIpv6MappedIpv4");function tU(e){return Pl(e.split(":").find(Boolean))}o(tU,"readFirstIpv6Hextet");function rU(e){let t=ct(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=eU(t);return n===void 0||Cy(n)}let r=tU(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(rU,"isPrivateIpv6");function El(e){let t=ct(e);return JO.has(t)||t.endsWith(".internal")||Cy(t)||rU(t)}o(El,"isBlockedOutboundHostname");function Iy(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);let r=Le(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=ct(t.hostname);if(!r&&El(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(Iy,"validateConfiguredOutboundUrl");function Ty(e){let t=new URL(e);if(t.protocol!=="https:")throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");let r=ct(t.hostname);if(El(r))throw g("invalid_request",`Blocked identity provider host: ${r}`);return t}o(Ty,"validateIdentityProviderUrl");function as(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(El(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(as,"validateCimdClientMetadataUrl");function Ay(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(Ay,"mergeAbortSignals");async function nU(e){try{await e.cancel()}catch{}}o(nU,"cancelReader");async function is(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,i=await r.read();for(;!i.done;){let d=i.value;if(a+=d.byteLength,a>t.maxBytes)throw await nU(r),t.createLimitError();n.push(d),i=await r.read()}let s=new Uint8Array(a),u=0;for(let d of n)s.set(d,u),u+=d.byteLength;return s}o(is,"readBoundedByteStream");var oU=2,aU=1024*1024,iU=1e4,sU=new Set([301,302,303,307,308]),cU=["authorization","proxy-authorization","cookie","cookie2"];function xl(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(xl,"readRequestUrl");function Nn(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(Nn,"readRequestMethod");function uU(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(uU,"assertContentLengthWithinLimit");async function dU(e,t,r){return uU(e,t,r),is(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o(dU,"readBoundedResponseBody");function lU(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(lU,"responseFromBufferedBody");function pU(e,t){if(!sU.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(pU,"resolveRedirectUrl");function ky(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(ky,"validateOutboundUrl");function mU(e,t){throw de(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(mU,"normalizeFetchError");function sa(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&Ae(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(sa,"logOutboundFailure");async function hU(e,t,r,n,a,i,s){let u=Nn(r,n);try{return await t(r,n)}catch(d){let l=d instanceof DOMException&&d.name==="AbortError";sa(e,{event:l?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:u,host:it(i),error:d,extra:{abortReason:s()}}),mU(d,a)}}o(hU,"fetchWithNormalizedError");function fU(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(fU,"assertRedirectAllowed");function gU(e,t){let r=new Headers(e);for(let n of cU)r.delete(n);for(let n of t)r.delete(n);return r}o(gU,"stripCrossOriginHeaders");function _U(e,t,r,n,a){let i={...e,method:t,redirect:"manual",signal:r};return n&&(i.headers=gU(e.headers,a)),i}o(_U,"buildRedirectInit");function yU(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(yU,"buildInitialRequestInit");function SU(e){let t=Nn(e.currentInput,e.currentInit);fU({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=ky(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,i=r.toString();return{currentInput:i,currentUrl:i,currentInit:_U(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(SU,"followRedirect");async function Ol(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??oU,i=r.maxResponseBytes??aU,s=r.timeoutMs??iU,u=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],l=r.context,p=new AbortController,m=Ay(p,t.signal),f=!1,_=setTimeout(()=>{f=!0,p.abort()},s),S=e,y=yU(e,t,p.signal),w;try{w=ky(xl(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(R){throw sa(l,{event:"outbound_url_blocked",problemCode:n,method:Nn(e,t),host:it(xl(e)),error:R}),clearTimeout(_),m?.(),R}let v=0;try{for(;;){let R=await hU(l,u,S,y,n,w,()=>f?`timeout_after_${s}ms`:void 0),I=pU(R,w);if(I!==void 0)try{let N=SU({currentInput:S,currentInit:y,currentUrl:w,redirectUrl:I,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:p.signal,additionalCrossOriginStrippedHeaders:d});S=N.currentInput,y=N.currentInit,w=N.currentUrl,v=N.redirects;continue}catch(N){throw sa(l,{event:"outbound_redirect_blocked",problemCode:n,method:Nn(S,y),host:it(w),error:N,extra:{redirects:v,maxRedirects:a,redirectTargetHost:it(I)}}),N}try{return lU(R,await dU(R,i,n))}catch(N){throw sa(l,{event:"outbound_response_size_exceeded",problemCode:n,method:Nn(S,y),host:it(w),error:N,extra:{maxResponseBytes:i,status:R.status}}),N}}}finally{clearTimeout(_),m?.()}}o(Ol,"runSafeOutboundExchange");async function Ul(e,t,r){let n=await Ol(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw sa(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Nn(e,t),host:it(xl(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(Ul,"runSafeOutboundJsonExchange");function ss(e,t={},r={}){return Ol(e,t,{...r,validateUrl:Iy})}o(ss,"fetchConfiguredOutbound");function Py(e,t={},r={}){return Ul(e,t,{...r,validateUrl:Ty})}o(Py,"fetchIdentityProviderJson");function Ey(e,t={},r={}){return Ul(e,t,{...r,validateUrl:as})}o(Ey,"fetchCimdClientMetadataJson");Y();function zl(e){return`Zuplo MCP Gateway - ${e}`}o(zl,"buildGatewayOAuthClientName");function xy(e,t){let r=new URL(e,re(t));return Le(r)&&ct(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(xy,"buildGatewayOAuthRedirectUri");function Nl(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(Nl,"buildOAuthClientMetadataDocumentUrl");function Oy(e){return re(e)}o(Oy,"requireOAuthClientMetadataOrigin");function Uy(e,t,r){let n=Je(t),a=qr(t,r);return{client_id:Nl({origin:e,upstreamServerId:t,authProfileId:r}),client_name:zl(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(Uy,"buildOAuthClientMetadataDocument");var wU=c.union([Ko,vl]),vU=c.object({authorizationServerUrl:c.url(),resourceMetadataUrl:c.url().optional(),resourceMetadata:ns.optional(),authorizationServerMetadata:c.union([Fo,os]).optional()}).passthrough(),RU="Bearer";function bU(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(bU,"splitScopes");function CU(e){return zi.parse(e)}o(CU,"parsePkceCodeVerifier");function IU(e){if(typeof e.expires_in=="number")return O(new Date(Date.now()+e.expires_in*1e3))}o(IU,"readTokenExpiry");async function zy(e){if(e!==void 0)return $r(JSON.stringify(e))}o(zy,"encryptJson");async function Ny(e,t){if(!e)return;let r=await Bt(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(Ny,"decryptJson");function TU(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(TU,"toOAuthDiscoveryState");function AU(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(AU,"clientInformationAllowsRedirectUri");function kU(e,t,r){let n=Je(e),a=qr(e,t),i;return a.scopes.length>0&&(i=a.scopes.join(a.scopeDelimiter)),{client_name:zl(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}o(kU,"buildOAuthClientMetadata");function PU(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return Ko.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(PU,"buildManualOAuthClientInformation");function EU(e,t,r){let n=Nl({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return Tl(n)?n:void 0}o(EU,"buildClientMetadataUrl");function Dy(e){for(let t of e)if(t!==void 0)return t}o(Dy,"firstDefined");function xU(e){let t=qr(e.target.upstreamServerId,e.target.authProfileId),r=kU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:PU({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=EU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(xU,"buildInitialOAuthClientSetup");function OU(e,t){if(t===void 0)return Dy([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(OU,"readEncryptedClientInformation");function UU(e){return Dy([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(UU,"readEncryptedDiscoveryState");var Br=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=xU({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=OU(t,this.configuredClientInformation),this.encryptedDiscoveryState=UU(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return X_({id:t.id,...Go({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await zy(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await zy(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Zo.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??Bi(),tenantId:this.target.owner.tenantId,ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await $r(r.access_token),encryptedRefreshToken:r.refresh_token?await $r(r.refresh_token):void 0,scopes:bU(r.scope??this.clientMetadataValue.scope),expiresAt:IU(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await q().upstreamConnectionRepository.upsert(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:CU(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Lg(),...Go({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:O(new Date(Date.now()+W_)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await q().oauthStateStore.save(t),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await Ny(this.encryptedClientInformation,wU)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!AU(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=TU(await Ny(this.encryptedDiscoveryState,vU))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=Zo.parse({access_token:await Bt(this.connection.encryptedAccessToken),token_type:RU,refresh_token:this.connection.encryptedRefreshToken?await Bt(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,tenantId:this.connection.tenantId,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await q().upstreamConnectionRepository.upsert(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var zU=1e4,NU=256*1024,DU=2;function MU(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(MU,"hasUsableAccessToken");var qU="does not support dynamic client registration";function $U(e){return e instanceof Error&&e.message.includes(qU)}o($U,"isDynamicClientRegistrationUnsupported");function LU(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(LU,"readOAuthFetchRequest");function jU(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(jU,"responseLooksJson");function My(e){return async(t,r)=>{let n=LU(t),a=await ss(t,r,{maxRedirects:DU,maxResponseBytes:NU,problemCode:"upstream_token_exchange_failed",timeoutMs:zU}),i=await a.clone().text();if(!jU(a,i))return a;try{JSON.parse(i)}catch(s){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,s)}return a}}o(My,"createUpstreamOAuthFetch");async function qy(e,t){try{return await _r(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:My(t.upstreamServerId)})}catch(r){throw $U(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(qy,"runUpstreamOAuth");async function HU(e,t){return _r(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:My(t.upstreamServerId)})}o(HU,"exchangeUpstreamAuthorizationCode");async function $y(e,t){let r=await qy(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o($y,"requireUpstreamAuthorizationRedirect");async function Ly(e){if(MU(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await qy(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await ZU({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(Ly,"authorizeUpstreamOAuthSession");async function GU(e){let t=await Qi(e.stateToken),r=await q().oauthStateStore.consumeForCallback(t.id),n=BU(r);return VU({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),FU(n),n}o(GU,"consumeStoredCallbackState");function BU(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(BU,"readConsumedCallbackState");function VU(e){if(![e.storedState.tenantId===e.signedState.tenantId,e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(VU,"assertStoredCallbackStateMatches");function FU(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(FU,"assertStoredCallbackStateFresh");async function ZU(e){if(e.owner.mode==="tenant_shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),ry(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),On(t)}o(ZU,"buildOAuthConnectRequiredResponse");async function jy(e){let t=await GU({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Pn(t),[n]=await q().upstreamConnectionRepository.batchGet([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let i=new Br(a),s=await HU(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(jy,"finishUpstreamOAuthCallback");async function Hy(e){let t=Je(e.upstreamServerId),r=qr(e.upstreamServerId,e.authProfileId),n=xy(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:re(e.request.url)}}}o(Hy,"prepareUpstreamOAuthRequest");async function Gy(e){let t=await Hy(e),r=new Br({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return $y(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(Gy,"startUpstreamConnect");async function By(e){let t=await Hy(e),r=new Br({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return Ly({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(By,"authorizeUpstreamRequest");function KU(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(KU,"resolveStaticSecretCredential");async function Vy(e){let{routeAuth:t}=e;switch(t.authMode){case"tenant_shared_oauth":case"user_oauth":return By({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"tenant_static_secret":return cy({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"static_secret":{let n=hr({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static_secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:KU(n.secret,t.upstreamServerId)}}case"user_static_secret":return ly({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(Vy,"resolveUpstreamCredentialForRoute");async function Fy(e){let t=mr(e.principal.tenantId,e.principal.subjectId),r=st().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user_static_secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await rs({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(Fy,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function Zy(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=At(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await Gy(r);break;case"user_static_secret_capture":t=await py(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(Zy,"startUpstreamConnectForRequest");async function Ky(e){let r=(await Qi(e.callbackRequest.state)).authProfileId,n=hr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(At(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return jy({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Je(e.callbackRequest.upstreamServerId)})}o(Ky,"finishUpstreamCallbackForRequest");var cs=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=tr,n){let a=this._client,i={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},s=a.requestStream({method:"tools/call",params:t},r,i),u=a.getToolOutputValidator(t.name);for await(let d of s){if(d.type==="result"&&u){let l=d.result;if(!l.structuredContent&&!l.isError){yield{type:"error",error:new A(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(l.structuredContent)try{let p=u(l.structuredContent);if(!p.valid){yield{type:"error",error:new A(k.InvalidParams,`Structured content does not match the tool's output schema: ${p.errorMessage}`)};return}}catch(p){if(p instanceof A){yield{type:"error",error:p};return}yield{type:"error",error:new A(k.InvalidParams,`Failed to validate structured content: ${p instanceof Error?p.message:String(p)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function us(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let i=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(i,"default")&&(r[a]=i.default),r[a]!==void 0&&us(i,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&us(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&us(r,t)}}o(us,"applyElicitationDefaults");function WU(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(WU,"getSupportedElicitationModes");var ds=class extends tn{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new Sn,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",dc,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",sc,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",Xs,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new cs(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Oa(this._capabilities,t)}setRequestHandler(t,r){let a=Jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(Jt(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");let s=i;if(s==="elicitation/create"){let u=o(async(d,l)=>{let p=Me(mc,d);if(!p.success){let R=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid elicitation request: ${R}`)}let{params:m}=p.data;m.mode=m.mode??"form";let{supportsFormMode:f,supportsUrlMode:_}=WU(this._capabilities.elicitation);if(m.mode==="form"&&!f)throw new A(k.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!_)throw new A(k.InvalidParams,"Client does not support URL-mode elicitation requests");let S=await Promise.resolve(r(d,l));if(m.task){let R=Me(Nt,S);if(!R.success){let I=R.error instanceof Error?R.error.message:String(R.error);throw new A(k.InvalidParams,`Invalid task creation result: ${I}`)}return R.data}let y=Me(rr,S);if(!y.success){let R=y.error instanceof Error?y.error.message:String(y.error);throw new A(k.InvalidParams,`Invalid elicitation result: ${R}`)}let w=y.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&w.action==="accept"&&w.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{us(v,w.content)}catch{}return w},"wrappedHandler");return super.setRequestHandler(t,u)}if(s==="sampling/createMessage"){let u=o(async(d,l)=>{let p=Me(pc,d);if(!p.success){let w=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid sampling request: ${w}`)}let{params:m}=p.data,f=await Promise.resolve(r(d,l));if(m.task){let w=Me(Nt,f);if(!w.success){let v=w.error instanceof Error?w.error.message:String(w.error);throw new A(k.InvalidParams,`Invalid task creation result: ${v}`)}return w.data}let S=m.tools||m.toolChoice?to:vr,y=Me(S,f);if(!y.success){let w=y.error instanceof Error?y.error.message:String(y.error);throw new A(k.InvalidParams,`Invalid sampling result: ${w}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:Xt,capabilities:this._capabilities,clientInfo:this._clientInfo}},Bs,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!Qt.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){gi(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&_i(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},zt,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},hc,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},zt,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},ic,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},ec,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},Zs,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},Ks,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},Ys,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},zt,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},zt,r)}async callTool(t,r=tr,n){if(this.isToolTaskRequired(t.name))throw new A(k.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),i=this.getToolOutputValidator(t.name);if(i){if(!a.structuredContent&&!a.isError)throw new A(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let s=i(a.structuredContent);if(!s.valid)throw new A(k.InvalidParams,`Structured content does not match the tool's output schema: ${s.errorMessage}`)}catch(s){throw s instanceof A?s:new A(k.InvalidParams,`Failed to validate structured content: ${s instanceof Error?s.message:String(s)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},uc,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let i=Hp.safeParse(n);if(!i.success)throw new Error(`Invalid ${t} listChanged options: ${i.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:s,debounceMs:u}=i.data,{onChanged:d}=n,l=o(async()=>{if(!s){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let f=m instanceof Error?m:new Error(String(m));d(f,null)}},"refresh"),p=o(()=>{if(u){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let f=setTimeout(l,u);this._listChangedDebounceTimers.set(t,f)}else l()},"handler");this.setNotificationHandler(r,p)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function ls(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(ls,"normalizeHeaders");function Wy(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...ls(t.headers),...ls(n.headers)}:t.headers};return e(r,a)}:e}o(Wy,"createFetchWithInit");var ps=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function Dl(e){}o(Dl,"noop");function Jy(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=Dl,onError:r=Dl,onRetry:n=Dl,onComment:a}=e,i="",s=!0,u,d="",l="";function p(y){let w=s?y.replace(/^\xEF\xBB\xBF/,""):y,[v,R]=JU(`${i}${w}`);for(let I of v)m(I);i=R,s=!1}o(p,"feed");function m(y){if(y===""){_();return}if(y.startsWith(":")){a&&a(y.slice(y.startsWith(": ")?2:1));return}let w=y.indexOf(":");if(w!==-1){let v=y.slice(0,w),R=y[w+1]===" "?2:1,I=y.slice(w+R);f(v,I,y);return}f(y,"",y)}o(m,"parseLine");function f(y,w,v){switch(y){case"event":l=w;break;case"data":d=`${d}${w}
+`;break;case"id":u=w.includes("\0")?void 0:w;break;case"retry":/^\d+$/.test(w)?n(parseInt(w,10)):r(new ps(`Invalid \`retry\` value: "${w}"`,{type:"invalid-retry",value:w,line:v}));break;default:r(new ps(`Unknown field "${y.length>20?`${y.slice(0,20)}\u2026`:y}"`,{type:"unknown-field",field:y,value:w,line:v}));break}}o(f,"processField");function _(){d.length>0&&t({id:u,event:l||void 0,data:d.endsWith(`
+`)?d.slice(0,-1):d}),u=void 0,d="",l=""}o(_,"dispatchEvent");function S(y={}){i&&y.consume&&m(i),s=!0,u=void 0,d="",l="",i=""}return o(S,"reset"),{feed:p,reset:S}}o(Jy,"createParser");function JU(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
 `,n),s=-1;if(a!==-1&&i!==-1?s=Math.min(a,i):a!==-1?a===e.length-1?s=-1:s=a:i!==-1&&(s=i),s===-1){r=e.slice(n);break}else{let u=e.slice(n,s);t.push(u),n=s+1,e[n-1]==="\r"&&e[n]===`
-`&&n++}}return[t,r]}o(ZU,"splitLines");var fs=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=Wy({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var KU={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},yr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},gs=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=Ky(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??KU}async _authThenStart(){if(!this._authProvider)throw new Ft("No auth provider");let t;try{t=await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new Ft;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=ms(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new yr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,u=!1,d=!1;o(async()=>{try{let p=t.pipeThrough(new TextDecoderStream).pipeThrough(new fs({onRetry:o(_=>{this._serverRetryMs=_},"onRetry")})).getReader();for(;;){let{value:_,done:S}=await p.read();if(S)break;if(_.id&&(s=_.id,u=!0,a?.(_.id)),!!_.data&&(!_.event||_.event==="message"))try{let y=wr.parse(JSON.parse(_.data));dt(y)&&(d=!0,i!==void 0&&(y.id=i)),this.onmessage?.(y)}catch(y){this.onerror?.(y)}}(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(p){if(this.onerror?.(new Error(`SSE stream disconnected: ${p}`)),(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(_){this.onerror?.(new Error(`Failed to reconnect: ${_ instanceof Error?_.message:String(_)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new Ft("No auth provider");if(await _r(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:wt(t)?t.id:void 0}).catch(f=>this.onerror?.(f));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},u=await(this._fetch??fetch)(this._url,s),d=u.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!u.ok){let f=await u.text().catch(()=>null);if(u.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new yr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:_,scope:S}=Al(u);if(this._resourceMetadataUrl=_,this._scope=S,await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft;return this._hasCompletedAuthFlow=!0,this.send(t)}if(u.status===403&&this._authProvider){let{resourceMetadataUrl:_,scope:S,error:y}=Al(u);if(y==="insufficient_scope"){let w=u.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===w)throw new yr(403,"Server returned 403 after trying upscoping");if(S&&(this._scope=S),_&&(this._resourceMetadataUrl=_),this._lastUpscopingHeader=w??void 0,await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new Ft;return this.send(t)}}throw new yr(u.status,`Error POSTing to endpoint: ${f}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,u.status===202){await u.body?.cancel(),Np(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(f=>this.onerror?.(f));return}let p=(Array.isArray(t)?t:[t]).filter(f=>"method"in f&&"id"in f&&f.id!==void 0).length>0,m=u.headers.get("content-type");if(p)if(m?.includes("text/event-stream"))this._handleSseStream(u.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let f=await u.json(),_=Array.isArray(f)?f.map(S=>wr.parse(S)):[wr.parse(f)];for(let S of _)this.onmessage?.(S)}else throw await u.body?.cancel(),new yr(-1,`Unexpected content type: ${m}`);else await u.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new yr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function Jy(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(Jy,"resolveNativeMcpRequestHeaders");var WU={name:"zuplo-mcp-gateway",version:"0.1.0"},JU=5,YU=500,Qy=3e4,XU=2*1024*1024,QU=2;function Yy(){return performance.now()/1e3}o(Yy,"nowSeconds");function e0(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(e0,"readServerPort");function t0(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:e0(e)}}o(t0,"buildNativeMcpOperationContext");function Dn(e){return dg(e)}o(Dn,"withTraceMeta");function Ml(e){if(e>YU)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(Ml,"assertImportedCapabilityBudget");function Xy(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(Xy,"buildRequestInit");function r0(e){return(t,r)=>us(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:QU,maxResponseBytes:XU,problemCode:"upstream_capability_invocation_failed",timeoutMs:Qy})}o(r0,"createNativeMcpFetch");function n0(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},Qy);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(n0,"withNativeMcpRequestTimeout");function o0(e,t=[]){let r=Jy(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:r0(a)};if(!e)return{...i,...Xy(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...Xy(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(o0,"buildNativeMcpTransportOptions");async function Mn(e,t,r){let{transport:n}=Je(e),a=new URL(n.baseUrl),i=new gs(a,o0(r,n.requestHeaders)),s=new ps(WU,{capabilities:{}});return n0((async()=>{let u=Yy();await s.connect(i);let d=i.sessionId,l=t0(a,d);try{return await t(s,l)}finally{if(i.sessionId)try{await i.terminateSession()}catch{}await s.close(),d&&lg(l,Yy()-u)}})())}o(Mn,"withNativeMcpClient");async function a0(e,t,r){let n=[],a,i=0;do{if(i>=JU)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(a0,"collectPaginatedSdkItems");async function ql(e){return e.enabled?a0(e.label,e.fetchPage,e.readItems):[]}o(ql,"listNativeMcpCapabilityItems");async function eS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"tools/list",...r},()=>ql({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Ml(a.length),{tools:a}},e.credential)}o(eS,"listNativeMcpTools");async function tS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"prompts/list",...r},()=>ql({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Ml(a.length),{prompts:a}},e.credential)}o(tS,"listNativeMcpPrompts");async function rS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"resources/list",...r},()=>ql({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Ml(a.length),{resources:a}},e.credential)}o(rS,"listNativeMcpResources");async function nS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(Dn(e.params))),e.credential)}o(nS,"callNativeMcpTool");async function oS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(Dn(e.params))),e.credential)}o(oS,"getNativeMcpPrompt");async function aS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(Dn(e.params))),e.credential)}o(aS,"readNativeMcpResource");var ua=class extends A{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(k.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function i0(e){return{content:[{type:"text",text:e}],isError:!0}}o(i0,"buildToolErrorResult");function s0(e){return e.authUrl?new Yt([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new ua(e)}o(s0,"toConnectRequiredError");function c0(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(c0,"buildCredentialResolvedAttributes");function u0(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:c0(e.credential)})}o(u0,"emitCredentialResolvedAnalyticsEvent");function d0(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}o(d0,"emitCredentialMissingAnalyticsEvent");function l0(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):Dr({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(l0,"readRouteBindingCredentialCacheKey");function p0(e){return typeof e.authorizeAndLoadConnections=="function"}o(p0,"isRuntimeHttpCompositeAuthorizationRepository");function sS(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(sS,"readOwnedRouteBindingLookup");async function m0(e){let t=q().downstreamOAuthRepository;if(!p0(t))return new Map;let r=ul(e.request);if(!r)return new Map;let n=new Map;for(let u of e.routeBindings){let d=sS(u);d!==void 0&&n.set(Dr(d),d)}if(n.size===0)return new Map;let a=[...n.values()],i=await t.authorizeAndLoadConnections({accessTokenHash:await F(r),resource:Nr(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:a,now:O(new Date)});if(i.kind!=="authorized")return new Map;let s=new Map;return i.upstreamConnections.forEach((u,d)=>{let l=a[d];l!==void 0&&s.set(Dr(l),u.connection)}),s}o(m0,"preloadCompositeAuthorizedConnections");function h0(e){let t=new Map;return r=>{let n=l0(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,u=sS(r),d=u===void 0?void 0:Dr(u),l=await By({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(l.kind==="connect_required")throw d0({context:e.context,payload:l.payload,routeBinding:r}),s0(l.payload);return u0({context:e.context,credential:l.credential,routeBinding:r}),l.credential})();return t.set(n,i),i}}o(h0,"createCredentialResolver");var iS=500;function f0(e){return e.length<=iS?e:`${e.slice(0,iS)}...`}o(f0,"truncateAnalyticsDetail");function g0(e){We(e.context,{eventType:H.MCP_GATEWAY_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0})}o(g0,"emitToolInvocationCompletedAnalyticsEvent");function _0(e){return e instanceof Yt||e instanceof ua?{eventType:H.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof A&&e.code===k.InvalidParams?{eventType:H.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:H.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(_0,"classifyToolInvocationFailure");function y0(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=_0(e.error);We(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,attributes:{detail:f0(t)}})}o(y0,"emitToolInvocationFailedAnalyticsEvent");var S0=256*1024;function w0(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new A(k.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>S0)throw new A(k.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(w0,"assertToolArgumentsWithinLimit");function $l(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new A(k.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o($l,"findBindingForPublishedCapability");function qn(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new A(k.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(qn,"requireSingleTransparentBinding");function v0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(v0,"resolvePublishedToolRoute");function R0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(R0,"resolvePublishedPromptRoute");function b0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(b0,"resolvePublishedResourceRoute");function cS(e){let t=m0({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=h0({context:e.context,preloadedConnections:t,request:e.request});return{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{tools:e.publishedVirtualServer.catalog.tools.filter(a=>a.enabled!==!1).map(Ei)};let n=qn(e);return eS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async callTool(n){let a=v0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:n.name});try{w0(n);let i=await r(a.binding),s=await nS({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:i});return g0({context:e.context,routeBinding:a.binding,toolName:n.name,result:s}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,isError:s.isError===!0},"Upstream tool invocation completed"),s}catch(i){if(y0({context:e.context,routeBinding:a.binding,toolName:n.name,error:i}),i instanceof Yt||i instanceof ua)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:n.name,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,ownerMode:a.binding.ownerMode,hasAuthUrl:i instanceof Yt},"Upstream tool invocation requires user to complete a connect flow"),i;let s={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId};return i instanceof A&&(s.mcpErrorCode=i.code),i instanceof Error?(s.errorName=i.name,s.errorMessage=i.message,i.cause instanceof Error&&(s.causeName=i.cause.name,s.causeMessage=i.cause.message)):s.errorMessage=String(i),e.context.log.warn(s,"Upstream tool invocation failed; returning generic gateway error to MCP client"),i0(Fe("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{prompts:e.publishedVirtualServer.catalog.prompts.filter(a=>a.enabled!==!1).map(Pi)};let n=qn(e);return tS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async getPrompt(n){let a=R0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:n.name});return oS({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:await r(a.binding)})},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resources:e.publishedVirtualServer.catalog.resources.filter(a=>a.enabled!==!1).map(xi)};let n=qn(e);return rS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async readResource(n){let a=b0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:n.uri});return aS({upstreamServerId:a.binding.upstreamServerId,params:{...n,uri:a.upstreamUri},credential:await r(a.binding)})}}}o(cS,"createCapabilityDispatcher");var I0="0.1.0",dS="POST",C0="POST, OPTIONS";function Ll(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:dS}})}o(Ll,"jsonRpcMethodNotAllowedResponse");function T0(e){let t={Allow:dS},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=C0;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(T0,"buildOptionsResponse");function $n(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o($n,"readJsonRpcRequestId");function jl(e){return e&&typeof e=="object"?e.params:void 0}o(jl,"readMcpRequestParams");function uS(e,t){return e.headers.get(t)??void 0}o(uS,"readMcpHeader");function A0(e){return{mcpProtocolVersion:uS(e,"mcp-protocol-version")??Or,mcpSessionId:uS(e,"mcp-session-id")}}o(A0,"buildServerTelemetryBase");function k0(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Or),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(k0,"ensureProtocolVersionHeader");async function Hl(e,t){if(e.method==="OPTIONS")return T0(e);if(e.method==="GET")return Ll("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return Ll("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return Ll("Only POST is supported by this virtual MCP server.");let r=Rn(t),n=Yf(r.virtualServerId),a=mg(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=A0(e),s=cS({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),u=ne(e.url),d=new wi({enableDnsRebindingProtection:!0,allowedOrigins:[u]}),l=new Si(n.catalog.serverInfo??{name:r.virtualServerId,version:I0},{capabilities:{prompts:{},resources:{},tools:{}}});l.setRequestHandler(uc,async m=>zr({methodName:"tools/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listTools())),l.setRequestHandler(eo,async m=>zr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.callTool(m.params))),l.setRequestHandler(ec,async m=>zr({methodName:"prompts/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listPrompts())),l.setRequestHandler(rc,async m=>zr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.getPrompt(m.params))),l.setRequestHandler(Zs,async m=>zr({methodName:"resources/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listResources())),l.setRequestHandler(Ys,async m=>zr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.readResource(m.params))),await l.connect(d);let p=await d.handleRequest(e);return k0(p)}o(Hl,"virtualServerHandler");async function E0(e,t){return Wt("handler.mcp-virtual-server"),Hl(e,t)}o(E0,"McpVirtualServerHandler");var Ln={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},P0="oauth-protected-resource-metadata",x0="/.well-known/oauth-protected-resource/";function O0(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(O0,"readRouteOperationId");function U0(e){return e.hasGatewayRouteContext?Ln.VIRTUAL_MCP_SERVER:e.routeOperationId===P0||e.routeOperationId===void 0&&e.routePath.startsWith(x0)?Ln.OAUTH_PROTECTED_RESOURCE_METADATA:Ln.OTHER}o(U0,"classifyAnalyticsRouteSurface");function z0(e){let t=e.route.path;return{routePath:t,routeSurface:U0({routePath:t,routeOperationId:O0(e),hasGatewayRouteContext:Do(e)!==void 0})}}o(z0,"readAnalyticsRequestContext");function N0(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Ln.VIRTUAL_MCP_SERVER}o(N0,"isIntentionalMethodRejection");function D0(e){return N0(e)||e.response.status===401&&e.routeSurface===Ln.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o(D0,"classifyRequestCompletedOutcome");async function Gl(e,t){let r=Date.now(),n=z0(t);return t.addResponseSendingFinalHook(a=>{let i=D0({response:a,routeSurface:n.routeSurface});We(t,{eventType:H.MCP_GATEWAY_REQUEST_COMPLETED,outcome:i,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(Gl,"analyticsContextInbound");function M0(e){return e instanceof Response}o(M0,"isResponse");var lS="/mcp/";function q0(e){let t=e.route.path;if(!t.startsWith(lS))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(lS.length);if(!r||r.includes("/"))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(q0,"readVirtualServerIdFromRoute");async function da(e,t){let n={virtualServerId:me.parse(q0(t))};eg(t,n),zf(t,n);let a=await Gl(e,t);return M0(a)?a:dl(a,t)}o(da,"mcpOAuthInboundPolicy");var $0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-auth0-oauth"),da(e,t)),"McpAuth0OAuthInboundPolicy");function L0(e){let t=`https://${e.auth0Domain}/`,r=`https://${e.auth0Domain}/.well-known/jwks.json`,n=`https://${e.auth0Domain}/authorize`,a=`https://${e.auth0Domain}/oauth/token`;return zi({oidc:{issuer:t,jwksUrl:r,audience:e.audience},browserLogin:{url:n,tokenUrl:a,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",audience:e.audience,...e.browserLoginOverrides??{}},gateway:e.gateway,devTenantId:e.devTenantId})}o(L0,"buildAuth0McpOAuthRuntimeConfig");var j0={policyType:"mcp-auth0-oauth-inbound",displayName:"MCP OAuth (Auth0)",getConfig(e){return L0(e)}};Ci(j0);var H0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-oauth"),da(e,t)),"McpOAuthInboundPolicy"),G0={policyType:"mcp-oauth-inbound",displayName:"MCP OAuth",getConfig(e){return zi(e)}};Ci(G0);function B0(e){let t=kt(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(B0,"buildRouteAuthBaseFromConnection");function mS(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=kt(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:vn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(mS,"buildRouteAuthBaseFromPolicyOptions");function hS(e,t){let n=ct().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return B0({connection:a,virtualServerId:t})}o(hS,"resolveRouteAuthBase");function pS(e,t){switch(e){case"user":return mr(t.tenantId,t.subjectId);case"tenant_shared":return Bi(t.tenantId)}}o(pS,"buildOwnerForPrincipal");function _s(e,t){switch(e.ownerMode){case"tenant_shared":return{...e,owner:pS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:pS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(_s,"resolveRouteAuthForPrincipal");function V0(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return bi.parse(r)}o(V0,"readSingleAuthMode");function fS(e){return At.parse(e)}o(fS,"buildToolNamePrefixFromConnectionId");async function Bl(e,t,r,n){let a=ki(r,n),i=V0({policyName:n,connection:a}),s=Rn(t),u=mS({connection:a,virtualServerId:s.virtualServerId,authMode:i});if(u.ownerMode==="none")return Pd(t,{...u,connectionPolicyName:n,toolNamePrefix:fS(a.id)}),e;let d=Tg(t);return d.tenantId?(Pd(t,{..._s(u,d),connectionPolicyName:n,toolNamePrefix:fS(a.id)}),e):Ze(e,t,{code:"forbidden",detail:"Upstream credentials for this virtual server require an authenticated tenant.",headers:{"WWW-Authenticate":An({virtualServerId:s.virtualServerId,requestUrl:e.url,error:"insufficient_scope",errorDescription:"The access token is missing tenant context required by this virtual server.",scope:ue})}})}o(Bl,"mcpUpstreamConnectionPolicy");var F0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-upstream-connection"),Bl(e,t,r,n)),"McpUpstreamConnectionInboundPolicy");X();X();var gS="application/json",Z0="application/x-www-form-urlencoded";function K0(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(K0,"normalizeContentType");function W0(e,t){return e===t?!0:t===gS&&e.endsWith("+json")}o(W0,"contentTypeMatches");function J0(e,t){if(!t||t.length===0)return;let r=K0(e.headers.get("content-type"));if(!t.some(n=>W0(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(J0,"assertExpectedContentType");function Y0(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(Y0,"assertContentLengthWithinLimit");async function _S(e,t){let r=t.label??"Request body";J0(e,t.expectedContentTypes),Y0(e,t.maxBytes,r);let n=await cs(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(_S,"readBoundedTextBody");async function yS(e,t){let r=await _S(e,{...t,expectedContentTypes:[gS]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(yS,"readBoundedJsonBody");async function ys(e,t){let r=await _S(e,{...t,expectedContentTypes:[Z0]});return new URLSearchParams(r)}o(ys,"readBoundedFormUrlEncodedBody");var SS=Symbol("Html");function X0(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(X0,"escapeHtml");function Q0(e){return e===null||typeof e!="object"?!1:e[SS]===!0}o(Q0,"isHtml");function wS(e){return e==null||e===!1?"":Array.isArray(e)?e.map(wS).join(""):Q0(e)?e.value:X0(String(e))}o(wS,"renderValue");function St(e){return{[SS]:!0,value:e}}o(St,"trustedHtml");var ye=St("");function x(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=wS(t[n]),r+=e[n+1]??"";return St(r)}o(x,"html");function Zt(e){return e.value}o(Zt,"renderHtml");var ez="text/html; charset=utf-8";function vS(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":ez,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(vS,"apiKeyLoginHtmlResponse");function Vl(e=401){return vS(x`<!doctype html><html><head><title>Login failed</title></head><body><main><h1>Login failed</h1><p>The API key could not be verified. Start the authorization flow again.</p></main></body></html>`,e)}o(Vl,"apiKeyLoginFailureResponse");function RS(e){return vS(x`<!doctype html><html><head><title>API key login</title></head><body><main><h1>API key login</h1><form method="post" action="/oauth/api-key-login" autocomplete="off"><input type="hidden" name="state" value="${e}"><label for="apiKey">API key</label><input id="apiKey" name="apiKey" type="password" required autocomplete="off"><button type="submit">Continue</button></form></main></body></html>`)}o(RS,"renderApiKeyLoginForm");X();X();import{errors as US,jwtVerify as zS,SignJWT as NS}from"jose";X();import{errors as lz,jwtVerify as pz,SignJWT as mz}from"jose";function Sr(e){let t=Re().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(Sr,"requireBrowserLoginField");function Ss(e){if(!e.tenantId)throw g("identity_context_missing","Gateway OAuth browser login requires a tenant-scoped principal.");return{...e,tenantId:e.tenantId}}o(Ss,"requireTenantScopedBrowserPrincipal");X();import{createRemoteJWKSet as tz,errors as la,jwtVerify as rz}from"jose";var nz=c.object({id_token:c.string().min(1),token_type:c.string().min(1).optional(),expires_in:c.number().optional(),access_token:c.string().min(1).optional(),refresh_token:c.string().min(1).optional(),scope:c.string().min(1).optional()}),oz=c.object({error:c.string().min(1).optional(),error_description:c.string().min(1).optional(),error_uri:c.string().min(1).optional()});function az(e){let t=oz.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(az,"readIdpErrorFields");function iz(e){return e instanceof la.JWTExpired?"expired":e instanceof la.JWTClaimValidationFailed?"claim":e instanceof la.JWSSignatureVerificationFailed?"signature":e instanceof la.JWKSNoMatchingKey?"jwks_no_match":e instanceof la.JWTInvalid?"invalid":e instanceof c.ZodError?"schema":"other"}o(iz,"readJwtFailureKind");var sz=c.object({sub:Q,nonce:c.string().min(1)}).catchall(c.unknown()),Fl;function cz(e){return e instanceof Error&&"cause"in e?e.cause:e}o(cz,"readErrorCause");function uz(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(uz,"readRuntimeGatewayCode");function dz(){if(!Fl){let e=Re();Fl=tz(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Fl}o(dz,"readFederatedJwks");async function bS(e){let t=Re(),r=Sr("tokenUrl"),n=Sr("clientId"),a=Sr("clientSecret"),i=new URL("/oauth/callback",_t(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:u,json:d}=await ky(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!u.ok){let f=az(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:st(r),idpStatus:u.status,...f},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${u.status}${f.idpError?` idp_error=${f.idpError}`:""}${f.idpErrorDescription?` idp_error_description=${f.idpErrorDescription}`:""})`)})}let l=nz.parse(d),p;try{({payload:p}=await rz(l.id_token,dz(),{issuer:t.oidc.issuer,audience:n}))}catch(f){let _={};throw ke(_,"error",f),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:iz(f),idpHost:st(r),expectedIssuer:t.oidc.issuer,..._},"Federated id_token failed jose verification"),f}if(p.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:st(r),nonceMissingFromIdToken:p.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=sz.parse(p);return Ss(Tn({sub:m.sub,data:m},e.requestUrl))}catch(u){let d=le(u)??uz(u);throw d!==void 0&&d!=="browser_login_verification_failed"?u:g("browser_login_verification_failed","Federated browser login callback could not be verified.",cz(u))}}o(bS,"exchangeFederatedAuthorizationCode");var Kl="zuplo_mcp_session",IS="HS256",CS="zuplo-mcp-gateway",TS="zuplo-mcp-gateway",hz=c.object({purpose:c.literal("gateway_browser_session"),sub:Q,tenantId:de,browserLoginOrigin:c.string().min(1),roles:c.array(c.string().min(1)).optional(),exp:c.number().int().positive(),iat:c.number().int().positive().optional()});function fz(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(fz,"parseCookieHeader");async function AS(){return Et({purpose:"browser-session",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-session"),"derive")})}o(AS,"getBrowserSessionKey");function Zl(e){let t=new URL(ne(e)),r=[`${Kl}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Zl,"buildBrowserSessionEvictionCookie");function gz(e){let t=new URL(ne(e.requestUrl)),r=[`${Kl}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(gz,"serializeSessionCookie");function kS(e={}){return new URL(Sr("url")).origin}o(kS,"readBrowserLoginOrigin");function Wl(){return Re().browserLogin.stateTtlSeconds}o(Wl,"readBrowserLoginStateTtlSeconds");function ES(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Ss(Tn(e.user,e.url))}o(ES,"resolveCurrentRequestPrincipal");async function ws(e,t={}){let r=fz(e.headers.get("cookie")).get(Kl);if(!r)return{};try{let{payload:n}=await pz(r,await AS(),{algorithms:[IS],issuer:CS,audience:TS}),a=hz.parse(n);if(a.browserLoginOrigin!==kS(t))return{evictCookie:Zl(e.url)};let i={subjectId:a.sub,tenantId:a.tenantId};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof lz.JWTExpired?{evictCookie:Zl(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Zl(e.url)})}}o(ws,"readBrowserSession");async function pa(e){let t=Re().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,tenantId:e.principal.tenantId,browserLoginOrigin:kS({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new mz(r).setProtectedHeader({alg:IS,typ:"JWT"}).setIssuer(CS).setAudience(TS).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await AS());return gz({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(pa,"createBrowserSessionCookie");async function PS(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(PS,"resolveApiKeyBrowserLoginPrincipal");async function xS(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await ws(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return bS({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(xS,"resolveBrowserLoginCallbackPrincipal");function OS(e){let t=Re().browserLogin,r=new URL(Sr("url")),n=new URL("/oauth/callback",_t(e.requestUrl));return yg(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",Sr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(OS,"buildBrowserLoginUrl");var DS=5*60,_z=["mcp_user"],vs="HS256",Rs="zuplo-mcp-gateway",bs="zuplo-mcp-gateway",yz=c.object({purpose:c.literal("gateway_browser_login"),transactionId:je,stateId:Mi,exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),Sz=c.object({purpose:c.literal("gateway_authorization_setup"),transactionId:je,stateId:Mi,exp:c.number().int().positive(),iat:c.number().int().positive().optional()});async function MS(){return Et({purpose:"browser-login",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-login"),"derive")})}o(MS,"getBrowserLoginKey");async function qS(){return Et({purpose:"authorization-csrf",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"authorization-csrf"),"derive")})}o(qS,"getCsrfKey");function wz(e){return[...new Set([..._z,...e.roles??[]])]}o(wz,"buildRoles");function $S(e){return{repository:e.repository??q().downstreamOAuthRepository,now:e.now??new Date,ttlSeconds:Wl()}}o($S,"readPendingTransactionDependencies");function vz(e,t){return e.subjectId===t.subjectId&&e.tenantId===t.tenantId}o(vz,"principalsMatch");function LS(e){return{subjectId:e.subjectId,tenantId:e.tenantId,...e.roles===void 0?{}:{roles:e.roles}}}o(LS,"toPendingPrincipal");function jS(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:O(e.now),expiresAt:O(gt(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:LS(e.principal)}}o(jS,"createTransactionRecord");async function HS(e){if((await e.repository.savePendingAuthorizationTransaction(e.record,e.client===void 0?void 0:{client:e.client})).kind==="already_exists")throw g("oauth_state_reused","Authorization transaction state already exists.")}o(HS,"savePendingTransaction");async function Rz(e){return new NS({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:vs,typ:"JWT"}).setIssuer(Rs).setAudience(bs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await MS())}o(Rz,"signBrowserLoginState");async function GS(e){return new NS({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Dd()}).setProtectedHeader({alg:vs,typ:"JWT"}).setIssuer(Rs).setAudience(bs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await qS())}o(GS,"signCsrfToken");async function Is(e){try{let{payload:t}=await zS(e,await MS(),{algorithms:[vs],issuer:Rs,audience:bs}),r=yz.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof US.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(Is,"verifyBrowserLoginStateToken");async function bz(e){try{let{payload:t}=await zS(e,await qS(),{algorithms:[vs],issuer:Rs,audience:bs});return{transactionId:Sz.parse(t).transactionId}}catch(t){throw t instanceof US.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(bz,"verifyCsrfToken");function ma(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(ma,"pendingStateErrorCode");function BS(e){return e==="principal_mismatch"?"oauth_callback_mismatch":ma(e==="consumed_already"?"consumed_already":e)}o(BS,"setupDecisionErrorCode");function Iz(e){if(e.kind!=="available")throw g(ma(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(Iz,"requireAwaitingSetup");function Cz(e){if(e.kind!=="available")throw g(ma(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(Cz,"requireAwaitingLogin");function Tz(e){if(!vz(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(Tz,"requireCurrentPrincipalMatches");function VS(e){return typeof e.decideAuthorizationSetup=="function"}o(VS,"hasRuntimeHttpAuthorizationDecision");async function FS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=Wl(),a=Nd(),i=Dd(),s=await Rz({transactionId:a,stateId:i,ttlSeconds:n}),u=jS({id:a,transaction:e.transaction,currentStateHash:await F(s),phase:"awaiting_login",now:r,ttlSeconds:n});if(u.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return await HS({repository:t,record:u,client:e.transaction.client}),{transaction:u,browserLoginStateToken:s,browserLoginUrl:OS({state:s,nonce:i,virtualServerId:u.virtualServerId,requestUrl:e.requestUrl})}}o(FS,"startAwaitingLogin");async function ZS(e){let{repository:t,now:r,ttlSeconds:n}=$S(e),a=Nd(),i=await GS({transactionId:a,ttlSeconds:n}),s=jS({id:a,transaction:e.transaction,currentStateHash:await F(i),phase:"awaiting_setup",principal:e.principal,now:r,ttlSeconds:n});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return await HS({repository:t,record:s,client:e.transaction.client}),{transaction:s,csrfToken:i}}o(ZS,"startAwaitingSetup");async function Jl(e){let{repository:t,now:r,ttlSeconds:n}=$S(e),a=await Is(e.browserLoginStateToken),i=await GS({transactionId:a.transactionId,ttlSeconds:n}),s=await t.advancePendingAuthorizationTransaction({id:a.transactionId,expectedPhase:"awaiting_login",currentStateHash:await F(e.browserLoginStateToken),nextStateHash:await F(i),nextPhase:"awaiting_setup",principal:LS(e.principal),now:r});if(s.kind!=="advanced")throw g(ma(s.kind),"Browser login state is invalid, expired, or already used.");if(s.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:s.record,csrfToken:i}}o(Jl,"completeLogin");async function KS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=await Is(e.browserLoginStateToken);return Cz(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await F(e.browserLoginStateToken),now:r}))}o(KS,"getAwaitingLogin");async function ha(e){let t=await Yl(e);return Tz({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(ha,"getSetup");async function Yl(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=await bz(e.csrfToken);return Iz(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await F(e.csrfToken),now:r}))}o(Yl,"getSetupTransaction");async function Az(e){let t=Ke(),r=await F(t),n=Md(),a=O(gt(e.now,DS)),i={id:e.transaction.id,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,tenantId:e.transaction.principal.tenantId,subjectId:e.transaction.principal.subjectId,scope:e.transaction.scope,roles:wz(e.transaction.principal),codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:O(e.now),expiresAt:a};await e.repository.issueAuthorizationCode({...i,codeHash:r,grantId:n});let s=new URL(e.transaction.redirectUri);return s.searchParams.set("code",t),e.transaction.clientState&&s.searchParams.set("state",e.transaction.clientState),s}o(Az,"createAuthorizationCodeRedirect");async function kz(e){let t=await ha({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=Ke(),n=O(gt(e.now,DS)),a=await e.repository.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:await F(e.csrfToken),currentPrincipal:{tenantId:e.currentBrowserPrincipal.tenantId,subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await F(r),authorizationCodeExpiresAt:n,grantId:Md(),now:O(e.now)});if(a.kind!=="approved")throw g(a.kind==="cancelled"?"oauth_state_invalid":BS(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(kz,"createAuthorizationCodeRedirectWithDecision");async function Ez(e){let t=await ha({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=await e.repository.decideAuthorizationSetup({decision:"cancel",transactionId:t.id,currentStateHash:await F(e.csrfToken),currentPrincipal:{tenantId:e.currentBrowserPrincipal.tenantId,subjectId:e.currentBrowserPrincipal.subjectId},now:O(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":BS(r.kind),"Authorization setup state is invalid, expired, or already used.");return WS({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(Ez,"createCancelRedirectWithDecision");function WS(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(WS,"buildClientCancelRedirect");async function Pz(e){let t=await ha(e),r=await e.repository.consumePendingAuthorizationTransaction({id:t.id,currentStateHash:await F(e.csrfToken),now:e.now});if(r.kind!=="consumed")throw g(ma(r.kind),"Authorization setup state is invalid, expired, or already used.");if(r.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return r.record}o(Pz,"consumeSetup");async function JS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;return{repository:t,now:r,transaction:await Pz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t})}}o(JS,"consumeSetupForDecision");async function YS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;if(VS(t))return kz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let n=await JS(e);return Az({repository:n.repository,transaction:n.transaction,now:n.now})}o(YS,"approve");async function XS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;if(VS(t))return Ez({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let{transaction:n}=await JS(e);return WS({redirectUri:n.redirectUri,clientState:n.clientState})}o(XS,"cancel");X();var xz=1e4,Oz=5*1024,Uz=2,zz=90*24*60*60,Xl=["authorization_code","refresh_token"],Ql=["code"],Nz=c.object({client_name:c.string().min(1).optional(),redirect_uris:c.array(c.string().min(1)).min(1),grant_types:c.array(c.enum(Xl)).min(1).max(2).optional(),response_types:c.array(c.enum(Ql)).min(1).max(1).optional(),scope:c.literal(ue).optional(),token_endpoint_auth_method:$o.default("client_secret_basic")});function Dz(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(Dz,"isCimdClientIdCandidate");function jn(e,t="invalid_request"){if(Mz(e))throw new U(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new U(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new U(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||Le(r)))throw new U(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(jn,"assertValidRedirectUri");function Mz(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(Mz,"hasForbiddenRawRedirectUriCharacter");async function qz(e){let{response:t,json:r}=await Ey(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Uz,maxResponseBytes:Oz,timeoutMs:xz});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=gg.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(qz,"fetchCimdMetadata");async function $z(e){let t=ss(e),r=await qz({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o($z,"resolveCimdClient");async function fa(e,t,r){let n=he.parse(t);if(Dz(n)){if(!Re().gateway.cimdEnabled)throw new U("invalid_client","OAuth client is not registered.");try{return await $z(n)}catch{throw new U("invalid_client","OAuth client is not registered.")}}let a=await e.getDcrClient(n);if(a){let i={kind:"dcr",clientId:n,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new U("invalid_client",n.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(fa,"resolveClient");function Cs(e,t){if(!e.metadata.redirect_uris.some(r=>Li(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(Cs,"assertRedirectRegistered");function Lz(e){let t=QS(e.grant_types),r=e.response_types??[...Ql];if(!jz(t))throw new U("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!Hz(r))throw new U("invalid_client_metadata","response_types must be code.");if(!Gz(e.scope))throw new U("invalid_client_metadata",`Only the ${ue} scope is supported.`)}o(Lz,"assertSupportedDcrRequest");function QS(e){return e===void 0?[...Xl]:Array.from(new Set(e))}o(QS,"normalizeGrantTypes");function jz(e){return e.length===0?!1:e.every(t=>Xl.includes(t))}o(jz,"isSupportedGrantTypes");function Hz(e){return e.length===Ql.length&&e[0]==="code"}o(Hz,"isSupportedResponseTypes");function Gz(e){return e===void 0||e===ue}o(Gz,"isSupportedDcrScope");function Vr(e){if(e===void 0||e===ue)return ue;throw new U("invalid_request",`Only the ${ue} scope is supported.`)}o(Vr,"assertSupportedOAuthScope");function Pt(e,t){let r;try{r=new URL(t)}catch{throw new U("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new U("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!Le(r))throw new U("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=ne(e),a=Xf(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new U("invalid_target","resource must match a published virtual MCP server.");return i}o(Pt,"resolveResource");async function ew(e,t={}){let r=Bz(t)?{repository:t}:t,n;try{n=Nz.parse(e)}catch(f){if(f instanceof c.ZodError){let _=f.issues.some(S=>S.path[0]==="redirect_uris");throw new U(_?"invalid_redirect_uri":"invalid_client_metadata",f.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:f})}throw f}Lz(n);for(let f of n.redirect_uris)jn(f,"invalid_redirect_uri");let a=r.repository??q().downstreamOAuthRepository,i=new Date,s=he.parse(`dcr:${crypto.randomUUID()}`),u=gt(i,zz),d=Math.floor(i.getTime()/1e3),l=Math.floor(u.getTime()/1e3),p={client_id:s,client_name:n.client_name??"Dynamically registered MCP client",redirect_uris:n.redirect_uris,grant_types:QS(n.grant_types),response_types:["code"],scope:ue,token_endpoint_auth_method:n.token_endpoint_auth_method,client_id_issued_at:d},m={clientId:s,clientName:String(p.client_name),redirectUris:n.redirect_uris,tokenEndpointAuthMethod:n.token_endpoint_auth_method,createdAt:O(i),clientExpiresAt:O(u)};if(n.token_endpoint_auth_method!=="none"){let f=Ke();m.hashedClientSecret=await F(f),m.clientSecretExpiresAt=O(u),p.client_secret=f,p.client_secret_expires_at=l,p.client_secret_issued_at=d}return await a.saveDcrClient(m),p}o(ew,"registerDownstreamClient");function Bz(e){return typeof e.getDcrClient=="function"}o(Bz,"isOAuthRepository");var Vz=8;function tp(e){let t=e.trim();try{let r=new URL(t);if(r.protocol==="https:")return r.toString()}catch{}if(/^data:image\/(?:png|jpe?g|webp);/i.test(t))return t}o(tp,"safeIconSrc");function Fz(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(Fz,"safeGatewayConnectHref");function Zz(e){if(e==="any")return Number.POSITIVE_INFINITY;let t=/^(\d+)x(\d+)$/.exec(e);return t?Math.max(Number(t[1]),Number(t[2])):0}o(Zz,"parseIconSize");function Kz(e,t){let r=e.filter(a=>a.theme===t);if(r.length>0)return r;let n=e.filter(a=>a.theme===void 0);return n.length>0?n:e}o(Kz,"selectIconCandidates");function Wz(e){return tp(e.src)?e.sizes&&e.sizes.length>0?Math.max(...e.sizes.map(Zz)):0:-1}o(Wz,"readIconScore");function nw(e,t){if(!e||e.length===0)return;let r=Kz(e,t),n,a=-1;for(let i of r){let s=Wz(i);s>a&&(n=i,a=s)}return n}o(nw,"pickIcon");var Jz='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>',tw=St(Jz),Yz=St('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>'),Xz=St('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>'),ow=St('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),rw=St('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M8 1.5 2.5 3.5v4.2c0 3.4 2.4 5.6 5.5 6.8 3.1-1.2 5.5-3.4 5.5-6.8V3.5L8 1.5Z"/><path d="m5.8 8.2 1.6 1.6 3-3"/></svg>');function Qz(e,t){let r=nw(e,"light");if(!r)return x`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${tw}</span>`;let n=tp(r.src);return n?x`<span class="icon-frame"><img src="${n}" alt="${t}" loading="lazy" decoding="async"></span>`:x`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${tw}</span>`}o(Qz,"renderIconFrame");function As(e,t){let r=nw(e,"light");if(!r)return ye;let n=tp(r.src);return n?x`<img class="inline-icon" src="${n}" alt="${t}" loading="lazy" decoding="async">`:ye}o(As,"renderInlineIcon");function eN(e){switch(e){case"user":return"your account";case"tenant_shared":return"shared by your team";case"none":return"gateway-managed"}}o(eN,"ownerModeLabel");function tN(e){return e.endsWith("_oauth")||e==="oauth"?"OAuth":e.includes("static_secret")?"static credential":e.replaceAll("_"," ")}o(tN,"authModeLabel");function rN(e){switch(e){case"active":return x`<span class="status-badge status-badge--success">Connected</span>`;case"not_connected":return x`<span class="status-badge status-badge--neutral">Not connected</span>`;case"reconsent_required":return x`<span class="status-badge status-badge--warning">Reconnect required</span>`}}o(rN,"statusBadge");function nN(e){if(!e)return ye;let t=[];return e.destructiveHint&&t.push(x`<span class="badge badge--destructive" title="This tool may modify or delete data on your behalf.">destructive</span>`),e.readOnlyHint&&t.push(x`<span class="badge badge--muted" title="This tool only reads data and does not modify state.">read-only</span>`),e.openWorldHint&&t.push(x`<span class="badge badge--muted" title="This tool can access arbitrary URIs supplied at call time.">open-world</span>`),t.length>0?x`<span class="badge-row">${t}</span>`:ye}o(nN,"annotationBadges");function aw(e){let t=0,r=0;for(let n of e.tools)n.annotations?.destructiveHint===!0&&(t+=1),n.annotations?.readOnlyHint===!0&&(r+=1);return{tools:e.tools.length,prompts:e.prompts.length,resources:e.resources.length,destructiveTools:t,readOnlyTools:r}}o(aw,"summarizeCapabilities");function oN(e){let t=e.annotations?.title??e.title??e.name,r=e.description?x`<span class="capability-row__description">${e.description}</span>`:ye;return x`<li class="capability-row">${As(e.icons,t)}<span class="capability-row__name">${t}</span>${nN(e.annotations)}${r}</li>`}o(oN,"renderToolRow");function aN(e){let t=e.title??e.name,r=e.description?x`<span class="capability-row__description">${e.description}</span>`:ye;return x`<li class="capability-row">${As(e.icons,t)}<span class="capability-row__name">${t}</span>${r}</li>`}o(aN,"renderPromptRow");function iN(e){let t=e.title??e.name,r=e.mimeType===void 0?ye:x` · ${e.mimeType}`,n=e.description===void 0?ye:x` — ${e.description}`,a=x`<span class="capability-row__description"><code>${e.uri}</code>${r}${n}</span>`;return x`<li class="capability-row">${As(e.icons,t)}<span class="capability-row__name">${t}</span>${a}</li>`}o(iN,"renderResourceRow");function ep(e,t,r,n){if(t===0)return ye;let a=r.slice(0,Vz),i=t-a.length,s=i>0?x`<li class="capability-row capability-row--more">+ ${i} more</li>`:ye;return x`<section class="capability-section"><h4 class="capability-section__title">${e} <span class="muted">(${t})</span></h4><ul class="capability-list">${a.map(n)}${s}</ul></section>`}o(ep,"renderCapabilitySection");function Ts(e,t,r=!1){return r?x`<span class="count-pill count-pill--destructive"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`:x`<span class="count-pill"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`}o(Ts,"countPill");function sN(e){let t=aw(e);if(t.tools+t.prompts+t.resources===0)return x`<div class="upstream-card__capabilities upstream-card__capabilities--empty">No tools, prompts, or resources advertised.</div>`;let n=[];t.tools>0&&n.push(Ts(t.tools===1?"tool":"tools",t.tools)),t.prompts>0&&n.push(Ts(t.prompts===1?"prompt":"prompts",t.prompts)),t.resources>0&&n.push(Ts(t.resources===1?"resource":"resources",t.resources)),t.destructiveTools>0&&n.push(Ts("destructive",t.destructiveTools,!0));let a=[ep("Tools",t.tools,e.tools,oN),ep("Prompts",t.prompts,e.prompts,aN),ep("Resources",t.resources,e.resources,iN)];return x`<details class="upstream-card__capabilities"><summary class="capabilities-summary"><span class="capabilities-summary__counts">${n}</span><span class="capabilities-summary__chevron" aria-hidden="true">${ow}</span></summary><div class="capabilities-detail">${a}</div></details>`}o(sN,"renderUpstreamCapabilities");function cN(e){if(!e||e.length===0)return ye;let t=e.map(n=>x`<code class="scope-chip">${n}</code>`),r=e.length===1?"scope":"scopes";return x`<details class="upstream-card__scopes"><summary class="scopes-summary"><span>Requested ${r} <span class="muted">(${e.length})</span></span><span class="capabilities-summary__chevron" aria-hidden="true">${ow}</span></summary><div class="scopes-list">${t}</div></details>`}o(cN,"renderUpstreamScopes");function uN(e,t){if(e.ownerMode!=="user")return ye;let r=Fz(e.connectUrl,t);if(!r)return ye;let n=e.status==="active"?"Redo auth":e.status==="reconsent_required"?"Reconnect":"Connect",a=e.status==="active"?"Reconnect this upstream account or approve updated scopes.":void 0;return x`<a class="button button--secondary button--small" href="${r}"${a===void 0?ye:x` title="${a}"`}>${n}</a>`}o(uN,"renderActionButton");function dN(e,t){let r=uN(e,t);return Zt(r)!==""?r:rN(e.status)}o(dN,"renderUpstreamControl");function lN(e,t){let n=e.ownerMode==="user"&&e.status!=="active"?St('<article class="upstream-card upstream-card--needs-action">'):St('<article class="upstream-card">'),a=e.description?x`<p class="upstream-card__description">${e.description}</p>`:ye,i=e.transportHost?x`<code class="upstream-card__host">${e.transportHost}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`:ye,s=x`<div class="upstream-card__head">${Qz(e.serverIcons,e.upstreamDisplayName)}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${dN(e,t)}</div><div class="upstream-card__meta">${i}<span>${tN(e.authMode)}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${eN(e.ownerMode)}</span></div>${a}</div></div>`,u=sN(e.capabilities),d=cN(e.scopesRequested);return x`${n}${s}${u}${d}</article>`}o(lN,"renderUpstreamCard");function pN(e){return e.reduce((t,r)=>{let n=aw(r.capabilities);return t.tools+=n.tools,t.prompts+=n.prompts,t.resources+=n.resources,t.destructiveTools+=n.destructiveTools,t.readOnlyTools+=n.readOnlyTools,t},{tools:0,prompts:0,resources:0,destructiveTools:0,readOnlyTools:0})}o(pN,"aggregateCapabilities");function mN(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(mN,"deriveMode");function hN(e){if(e.mode==="setup"){let n=e.upstreams.filter(u=>u.ownerMode==="user"&&u.status!=="active"),a=n.length>0&&n.every(u=>u.status==="reconsent_required"),i=n.length===1?"the service":`the ${n.length} services`,s=a?x`Re-authorize ${i} below to refresh access. Authorization will continue automatically once each is ready.`:x`Connect ${i} below before continuing. Authorization will continue automatically once each is ready.`;return x`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${Yz}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${s}</p></div></div>`}let t=pN(e.upstreams);if(t.destructiveTools===0)return ye;let r=t.destructiveTools===1?"tool can":"tools can";return x`<div class="banner banner--alert" role="alert"><span class="banner__icon" aria-hidden="true">${Xz}</span><div class="banner__body"><p class="banner__title">${t.destructiveTools} ${r} modify or delete data</p><p class="banner__message">Review the destructive tools below before authorizing <strong>${e.clientDisplayName}</strong>.</p></div></div>`}o(hN,"renderBanner");function fN(e){return e.mode==="grant"?x`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve">Authorize</button></form>`:x`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><input type="hidden" name="decision" value="continue"><button class="button button--primary" type="submit">Check again</button></form>`}o(fN,"renderActions");var gN=`
+`&&n++}}return[t,r]}o(JU,"splitLines");var ms=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=Jy({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var YU={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},yr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},hs=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=Wy(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??YU}async _authThenStart(){if(!this._authProvider)throw new Ft("No auth provider");let t;try{t=await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new Ft;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=ls(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new yr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,u=!1,d=!1;o(async()=>{try{let p=t.pipeThrough(new TextDecoderStream).pipeThrough(new ms({onRetry:o(_=>{this._serverRetryMs=_},"onRetry")})).getReader();for(;;){let{value:_,done:S}=await p.read();if(S)break;if(_.id&&(s=_.id,u=!0,a?.(_.id)),!!_.data&&(!_.event||_.event==="message"))try{let y=wr.parse(JSON.parse(_.data));ut(y)&&(d=!0,i!==void 0&&(y.id=i)),this.onmessage?.(y)}catch(y){this.onerror?.(y)}}(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(p){if(this.onerror?.(new Error(`SSE stream disconnected: ${p}`)),(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(_){this.onerror?.(new Error(`Failed to reconnect: ${_ instanceof Error?_.message:String(_)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new Ft("No auth provider");if(await _r(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:St(t)?t.id:void 0}).catch(f=>this.onerror?.(f));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},u=await(this._fetch??fetch)(this._url,s),d=u.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!u.ok){let f=await u.text().catch(()=>null);if(u.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new yr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:_,scope:S}=Al(u);if(this._resourceMetadataUrl=_,this._scope=S,await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft;return this._hasCompletedAuthFlow=!0,this.send(t)}if(u.status===403&&this._authProvider){let{resourceMetadataUrl:_,scope:S,error:y}=Al(u);if(y==="insufficient_scope"){let w=u.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===w)throw new yr(403,"Server returned 403 after trying upscoping");if(S&&(this._scope=S),_&&(this._resourceMetadataUrl=_),this._lastUpscopingHeader=w??void 0,await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new Ft;return this.send(t)}}throw new yr(u.status,`Error POSTing to endpoint: ${f}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,u.status===202){await u.body?.cancel(),Np(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(f=>this.onerror?.(f));return}let p=(Array.isArray(t)?t:[t]).filter(f=>"method"in f&&"id"in f&&f.id!==void 0).length>0,m=u.headers.get("content-type");if(p)if(m?.includes("text/event-stream"))this._handleSseStream(u.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let f=await u.json(),_=Array.isArray(f)?f.map(S=>wr.parse(S)):[wr.parse(f)];for(let S of _)this.onmessage?.(S)}else throw await u.body?.cancel(),new yr(-1,`Unexpected content type: ${m}`);else await u.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new yr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function Yy(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(Yy,"resolveNativeMcpRequestHeaders");var XU={name:"zuplo-mcp-gateway",version:"0.1.0"},QU=5,e0=500,eS=3e4,t0=2*1024*1024,r0=2;function Xy(){return performance.now()/1e3}o(Xy,"nowSeconds");function n0(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(n0,"readServerPort");function o0(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:n0(e)}}o(o0,"buildNativeMcpOperationContext");function Dn(e){return dg(e)}o(Dn,"withTraceMeta");function Ml(e){if(e>e0)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(Ml,"assertImportedCapabilityBudget");function Qy(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(Qy,"buildRequestInit");function a0(e){return(t,r)=>ss(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:r0,maxResponseBytes:t0,problemCode:"upstream_capability_invocation_failed",timeoutMs:eS})}o(a0,"createNativeMcpFetch");function i0(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},eS);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(i0,"withNativeMcpRequestTimeout");function s0(e,t=[]){let r=Yy(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:a0(a)};if(!e)return{...i,...Qy(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...Qy(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(s0,"buildNativeMcpTransportOptions");async function Mn(e,t,r){let{transport:n}=Je(e),a=new URL(n.baseUrl),i=new hs(a,s0(r,n.requestHeaders)),s=new ds(XU,{capabilities:{}});return i0((async()=>{let u=Xy();await s.connect(i);let d=i.sessionId,l=o0(a,d);try{return await t(s,l)}finally{if(i.sessionId)try{await i.terminateSession()}catch{}await s.close(),d&&lg(l,Xy()-u)}})())}o(Mn,"withNativeMcpClient");async function c0(e,t,r){let n=[],a,i=0;do{if(i>=QU)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(c0,"collectPaginatedSdkItems");async function ql(e){return e.enabled?c0(e.label,e.fetchPage,e.readItems):[]}o(ql,"listNativeMcpCapabilityItems");async function tS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"tools/list",...r},()=>ql({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Ml(a.length),{tools:a}},e.credential)}o(tS,"listNativeMcpTools");async function rS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"prompts/list",...r},()=>ql({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Ml(a.length),{prompts:a}},e.credential)}o(rS,"listNativeMcpPrompts");async function nS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"resources/list",...r},()=>ql({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Ml(a.length),{resources:a}},e.credential)}o(nS,"listNativeMcpResources");async function oS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(Dn(e.params))),e.credential)}o(oS,"callNativeMcpTool");async function aS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(Dn(e.params))),e.credential)}o(aS,"getNativeMcpPrompt");async function iS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(Dn(e.params))),e.credential)}o(iS,"readNativeMcpResource");var ca=class extends A{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(k.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function u0(e){return{content:[{type:"text",text:e}],isError:!0}}o(u0,"buildToolErrorResult");function d0(e){return e.authUrl?new Yt([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new ca(e)}o(d0,"toConnectRequiredError");function l0(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(l0,"buildCredentialResolvedAttributes");function p0(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:l0(e.credential)})}o(p0,"emitCredentialResolvedAnalyticsEvent");function m0(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}o(m0,"emitCredentialMissingAnalyticsEvent");function h0(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):Dr({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(h0,"readRouteBindingCredentialCacheKey");function f0(e){return typeof e.authorizeAndLoadConnections=="function"}o(f0,"isRuntimeHttpCompositeAuthorizationRepository");function cS(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(cS,"readOwnedRouteBindingLookup");async function g0(e){let t=q().downstreamOAuthRepository;if(!f0(t))return new Map;let r=ul(e.request);if(!r)return new Map;let n=new Map;for(let u of e.routeBindings){let d=cS(u);d!==void 0&&n.set(Dr(d),d)}if(n.size===0)return new Map;let a=[...n.values()],i=await t.authorizeAndLoadConnections({accessTokenHash:await F(r),resource:Nr(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:a,now:O(new Date)});if(i.kind!=="authorized")return new Map;let s=new Map;return i.upstreamConnections.forEach((u,d)=>{let l=a[d];l!==void 0&&s.set(Dr(l),u.connection)}),s}o(g0,"preloadCompositeAuthorizedConnections");function _0(e){let t=new Map;return r=>{let n=h0(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,u=cS(r),d=u===void 0?void 0:Dr(u),l=await Vy({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(l.kind==="connect_required")throw m0({context:e.context,payload:l.payload,routeBinding:r}),d0(l.payload);return p0({context:e.context,credential:l.credential,routeBinding:r}),l.credential})();return t.set(n,i),i}}o(_0,"createCredentialResolver");var sS=500;function y0(e){return e.length<=sS?e:`${e.slice(0,sS)}...`}o(y0,"truncateAnalyticsDetail");function S0(e){We(e.context,{eventType:H.MCP_GATEWAY_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0})}o(S0,"emitToolInvocationCompletedAnalyticsEvent");function w0(e){return e instanceof Yt||e instanceof ca?{eventType:H.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof A&&e.code===k.InvalidParams?{eventType:H.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:H.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(w0,"classifyToolInvocationFailure");function v0(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=w0(e.error);We(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,attributes:{detail:y0(t)}})}o(v0,"emitToolInvocationFailedAnalyticsEvent");var R0=256*1024;function b0(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new A(k.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>R0)throw new A(k.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(b0,"assertToolArgumentsWithinLimit");function $l(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new A(k.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o($l,"findBindingForPublishedCapability");function qn(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new A(k.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(qn,"requireSingleTransparentBinding");function C0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(C0,"resolvePublishedToolRoute");function I0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(I0,"resolvePublishedPromptRoute");function T0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(T0,"resolvePublishedResourceRoute");function uS(e){let t=g0({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=_0({context:e.context,preloadedConnections:t,request:e.request});return{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{tools:e.publishedVirtualServer.catalog.tools.filter(a=>a.enabled!==!1).map(ki)};let n=qn(e);return tS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async callTool(n){let a=C0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:n.name});try{b0(n);let i=await r(a.binding),s=await oS({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:i});return S0({context:e.context,routeBinding:a.binding,toolName:n.name,result:s}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,isError:s.isError===!0},"Upstream tool invocation completed"),s}catch(i){if(v0({context:e.context,routeBinding:a.binding,toolName:n.name,error:i}),i instanceof Yt||i instanceof ca)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:n.name,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,ownerMode:a.binding.ownerMode,hasAuthUrl:i instanceof Yt},"Upstream tool invocation requires user to complete a connect flow"),i;let s={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId};return i instanceof A&&(s.mcpErrorCode=i.code),i instanceof Error?(s.errorName=i.name,s.errorMessage=i.message,i.cause instanceof Error&&(s.causeName=i.cause.name,s.causeMessage=i.cause.message)):s.errorMessage=String(i),e.context.log.warn(s,"Upstream tool invocation failed; returning generic gateway error to MCP client"),u0(Fe("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{prompts:e.publishedVirtualServer.catalog.prompts.filter(a=>a.enabled!==!1).map(Pi)};let n=qn(e);return rS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async getPrompt(n){let a=I0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:n.name});return aS({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:await r(a.binding)})},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resources:e.publishedVirtualServer.catalog.resources.filter(a=>a.enabled!==!1).map(Ei)};let n=qn(e);return nS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async readResource(n){let a=T0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:n.uri});return iS({upstreamServerId:a.binding.upstreamServerId,params:{...n,uri:a.upstreamUri},credential:await r(a.binding)})}}}o(uS,"createCapabilityDispatcher");var A0="0.1.0",lS="POST",k0="POST, OPTIONS";function Ll(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:lS}})}o(Ll,"jsonRpcMethodNotAllowedResponse");function P0(e){let t={Allow:lS},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=k0;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(P0,"buildOptionsResponse");function $n(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o($n,"readJsonRpcRequestId");function jl(e){return e&&typeof e=="object"?e.params:void 0}o(jl,"readMcpRequestParams");function dS(e,t){return e.headers.get(t)??void 0}o(dS,"readMcpHeader");function E0(e){return{mcpProtocolVersion:dS(e,"mcp-protocol-version")??Or,mcpSessionId:dS(e,"mcp-session-id")}}o(E0,"buildServerTelemetryBase");function x0(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Or),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(x0,"ensureProtocolVersionHeader");async function Hl(e,t){if(e.method==="OPTIONS")return P0(e);if(e.method==="GET")return Ll("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return Ll("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return Ll("Only POST is supported by this virtual MCP server.");let r=Rn(t),n=Yf(r.virtualServerId),a=mg(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=E0(e),s=uS({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),u=re(e.url),d=new Si({enableDnsRebindingProtection:!0,allowedOrigins:[u]}),l=new yi(n.catalog.serverInfo??{name:r.virtualServerId,version:A0},{capabilities:{prompts:{},resources:{},tools:{}}});l.setRequestHandler(cc,async m=>zr({methodName:"tools/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listTools())),l.setRequestHandler(Qn,async m=>zr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.callTool(m.params))),l.setRequestHandler(Qs,async m=>zr({methodName:"prompts/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listPrompts())),l.setRequestHandler(tc,async m=>zr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.getPrompt(m.params))),l.setRequestHandler(Fs,async m=>zr({methodName:"resources/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listResources())),l.setRequestHandler(Js,async m=>zr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.readResource(m.params))),await l.connect(d);let p=await d.handleRequest(e);return x0(p)}o(Hl,"virtualServerHandler");async function O0(e,t){return Wt("handler.mcp-virtual-server"),Hl(e,t)}o(O0,"McpVirtualServerHandler");var Ln={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},U0="oauth-protected-resource-metadata",z0="/.well-known/oauth-protected-resource/";function N0(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(N0,"readRouteOperationId");function D0(e){return e.hasGatewayRouteContext?Ln.VIRTUAL_MCP_SERVER:e.routeOperationId===U0||e.routeOperationId===void 0&&e.routePath.startsWith(z0)?Ln.OAUTH_PROTECTED_RESOURCE_METADATA:Ln.OTHER}o(D0,"classifyAnalyticsRouteSurface");function M0(e){let t=e.route.path;return{routePath:t,routeSurface:D0({routePath:t,routeOperationId:N0(e),hasGatewayRouteContext:No(e)!==void 0})}}o(M0,"readAnalyticsRequestContext");function q0(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Ln.VIRTUAL_MCP_SERVER}o(q0,"isIntentionalMethodRejection");function $0(e){return q0(e)||e.response.status===401&&e.routeSurface===Ln.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o($0,"classifyRequestCompletedOutcome");async function Gl(e,t){let r=Date.now(),n=M0(t);return t.addResponseSendingFinalHook(a=>{let i=$0({response:a,routeSurface:n.routeSurface});We(t,{eventType:H.MCP_GATEWAY_REQUEST_COMPLETED,outcome:i,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(Gl,"analyticsContextInbound");function L0(e){return e instanceof Response}o(L0,"isResponse");var pS="/mcp/";function j0(e){let t=e.route.path;if(!t.startsWith(pS))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(pS.length);if(!r||r.includes("/"))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(j0,"readVirtualServerIdFromRoute");async function ua(e,t){let n={virtualServerId:me.parse(j0(t))};eg(t,n),zf(t,n);let a=await Gl(e,t);return L0(a)?a:dl(a,t)}o(ua,"mcpOAuthInboundPolicy");var H0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-auth0-oauth"),ua(e,t)),"McpAuth0OAuthInboundPolicy");function G0(e){let t=`https://${e.auth0Domain}/`,r=`https://${e.auth0Domain}/.well-known/jwks.json`,n=`https://${e.auth0Domain}/authorize`,a=`https://${e.auth0Domain}/oauth/token`;return Ui({oidc:{issuer:t,jwksUrl:r,audience:e.audience},browserLogin:{url:n,tokenUrl:a,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",audience:e.audience,...e.browserLoginOverrides??{}},gateway:e.gateway,devTenantId:e.devTenantId})}o(G0,"buildAuth0McpOAuthRuntimeConfig");var B0={policyType:"mcp-auth0-oauth-inbound",displayName:"MCP OAuth (Auth0)",getConfig(e){return G0(e)}};Ci(B0);var V0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-oauth"),ua(e,t)),"McpOAuthInboundPolicy"),F0={policyType:"mcp-oauth-inbound",displayName:"MCP OAuth",getConfig(e){return Ui(e)}};Ci(F0);function Z0(e){let t=At(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(Z0,"buildRouteAuthBaseFromConnection");function hS(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=At(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:vn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(hS,"buildRouteAuthBaseFromPolicyOptions");function fS(e,t){let n=st().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return Z0({connection:a,virtualServerId:t})}o(fS,"resolveRouteAuthBase");function mS(e,t){switch(e){case"user":return mr(t.tenantId,t.subjectId);case"tenant_shared":return Hi(t.tenantId)}}o(mS,"buildOwnerForPrincipal");function fs(e,t){switch(e.ownerMode){case"tenant_shared":return{...e,owner:mS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:mS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(fs,"resolveRouteAuthForPrincipal");function K0(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return Ri.parse(r)}o(K0,"readSingleAuthMode");function gS(e){return Tt.parse(e)}o(gS,"buildToolNamePrefixFromConnectionId");async function Bl(e,t,r,n){let a=Ai(r,n),i=K0({policyName:n,connection:a}),s=Rn(t),u=hS({connection:a,virtualServerId:s.virtualServerId,authMode:i});if(u.ownerMode==="none")return Pd(t,{...u,connectionPolicyName:n,toolNamePrefix:gS(a.id)}),e;let d=Tg(t);return d.tenantId?(Pd(t,{...fs(u,d),connectionPolicyName:n,toolNamePrefix:gS(a.id)}),e):Ze(e,t,{code:"forbidden",detail:"Upstream credentials for this virtual server require an authenticated tenant.",headers:{"WWW-Authenticate":An({virtualServerId:s.virtualServerId,requestUrl:e.url,error:"insufficient_scope",errorDescription:"The access token is missing tenant context required by this virtual server.",scope:ce})}})}o(Bl,"mcpUpstreamConnectionPolicy");var W0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-upstream-connection"),Bl(e,t,r,n)),"McpUpstreamConnectionInboundPolicy");Y();Y();var _S="application/json",J0="application/x-www-form-urlencoded";function Y0(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(Y0,"normalizeContentType");function X0(e,t){return e===t?!0:t===_S&&e.endsWith("+json")}o(X0,"contentTypeMatches");function Q0(e,t){if(!t||t.length===0)return;let r=Y0(e.headers.get("content-type"));if(!t.some(n=>X0(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(Q0,"assertExpectedContentType");function ez(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(ez,"assertContentLengthWithinLimit");async function yS(e,t){let r=t.label??"Request body";Q0(e,t.expectedContentTypes),ez(e,t.maxBytes,r);let n=await is(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(yS,"readBoundedTextBody");async function SS(e,t){let r=await yS(e,{...t,expectedContentTypes:[_S]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(SS,"readBoundedJsonBody");async function gs(e,t){let r=await yS(e,{...t,expectedContentTypes:[J0]});return new URLSearchParams(r)}o(gs,"readBoundedFormUrlEncodedBody");var wS=Symbol("Html");function tz(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(tz,"escapeHtml");function rz(e){return e===null||typeof e!="object"?!1:e[wS]===!0}o(rz,"isHtml");function vS(e){return e==null||e===!1?"":Array.isArray(e)?e.map(vS).join(""):rz(e)?e.value:tz(String(e))}o(vS,"renderValue");function yt(e){return{[wS]:!0,value:e}}o(yt,"trustedHtml");var ye=yt("");function x(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=vS(t[n]),r+=e[n+1]??"";return yt(r)}o(x,"html");function Zt(e){return e.value}o(Zt,"renderHtml");var nz="text/html; charset=utf-8";function RS(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":nz,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(RS,"apiKeyLoginHtmlResponse");function Vl(e=401){return RS(x`<!doctype html><html><head><title>Login failed</title></head><body><main><h1>Login failed</h1><p>The API key could not be verified. Start the authorization flow again.</p></main></body></html>`,e)}o(Vl,"apiKeyLoginFailureResponse");function bS(e){return RS(x`<!doctype html><html><head><title>API key login</title></head><body><main><h1>API key login</h1><form method="post" action="/oauth/api-key-login" autocomplete="off"><input type="hidden" name="state" value="${e}"><label for="apiKey">API key</label><input id="apiKey" name="apiKey" type="password" required autocomplete="off"><button type="submit">Continue</button></form></main></body></html>`)}o(bS,"renderApiKeyLoginForm");Y();Y();import{errors as zS,jwtVerify as NS,SignJWT as DS}from"jose";Y();import{errors as hz,jwtVerify as fz,SignJWT as gz}from"jose";function Sr(e){let t=ve().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(Sr,"requireBrowserLoginField");function _s(e){if(!e.tenantId)throw g("identity_context_missing","Gateway OAuth browser login requires a tenant-scoped principal.");return{...e,tenantId:e.tenantId}}o(_s,"requireTenantScopedBrowserPrincipal");Y();import{createRemoteJWKSet as oz,errors as da,jwtVerify as az}from"jose";var iz=c.object({id_token:c.string().min(1),token_type:c.string().min(1).optional(),expires_in:c.number().optional(),access_token:c.string().min(1).optional(),refresh_token:c.string().min(1).optional(),scope:c.string().min(1).optional()}),sz=c.object({error:c.string().min(1).optional(),error_description:c.string().min(1).optional(),error_uri:c.string().min(1).optional()});function cz(e){let t=sz.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(cz,"readIdpErrorFields");function uz(e){return e instanceof da.JWTExpired?"expired":e instanceof da.JWTClaimValidationFailed?"claim":e instanceof da.JWSSignatureVerificationFailed?"signature":e instanceof da.JWKSNoMatchingKey?"jwks_no_match":e instanceof da.JWTInvalid?"invalid":e instanceof c.ZodError?"schema":"other"}o(uz,"readJwtFailureKind");var dz=c.object({sub:X,nonce:c.string().min(1)}).catchall(c.unknown()),Fl;function lz(e){return e instanceof Error&&"cause"in e?e.cause:e}o(lz,"readErrorCause");function pz(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(pz,"readRuntimeGatewayCode");function mz(){if(!Fl){let e=ve();Fl=oz(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Fl}o(mz,"readFederatedJwks");async function CS(e){let t=ve(),r=Sr("tokenUrl"),n=Sr("clientId"),a=Sr("clientSecret"),i=new URL("/oauth/callback",gt(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:u,json:d}=await Py(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!u.ok){let f=cz(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:it(r),idpStatus:u.status,...f},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${u.status}${f.idpError?` idp_error=${f.idpError}`:""}${f.idpErrorDescription?` idp_error_description=${f.idpErrorDescription}`:""})`)})}let l=iz.parse(d),p;try{({payload:p}=await az(l.id_token,mz(),{issuer:t.oidc.issuer,audience:n}))}catch(f){let _={};throw Ae(_,"error",f),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:uz(f),idpHost:it(r),expectedIssuer:t.oidc.issuer,..._},"Federated id_token failed jose verification"),f}if(p.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:it(r),nonceMissingFromIdToken:p.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=dz.parse(p);return _s(Tn({sub:m.sub,data:m},e.requestUrl))}catch(u){let d=de(u)??pz(u);throw d!==void 0&&d!=="browser_login_verification_failed"?u:g("browser_login_verification_failed","Federated browser login callback could not be verified.",lz(u))}}o(CS,"exchangeFederatedAuthorizationCode");var Kl="zuplo_mcp_session",IS="HS256",TS="zuplo-mcp-gateway",AS="zuplo-mcp-gateway",_z=c.object({purpose:c.literal("gateway_browser_session"),sub:X,tenantId:ue,browserLoginOrigin:c.string().min(1),roles:c.array(c.string().min(1)).optional(),exp:c.number().int().positive(),iat:c.number().int().positive().optional()});function yz(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(yz,"parseCookieHeader");async function kS(){return kt({purpose:"browser-session",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-session"),"derive")})}o(kS,"getBrowserSessionKey");function Zl(e){let t=new URL(re(e)),r=[`${Kl}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Zl,"buildBrowserSessionEvictionCookie");function Sz(e){let t=new URL(re(e.requestUrl)),r=[`${Kl}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Sz,"serializeSessionCookie");function PS(e={}){return new URL(Sr("url")).origin}o(PS,"readBrowserLoginOrigin");function Wl(){return ve().browserLogin.stateTtlSeconds}o(Wl,"readBrowserLoginStateTtlSeconds");function ES(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return _s(Tn(e.user,e.url))}o(ES,"resolveCurrentRequestPrincipal");async function ys(e,t={}){let r=yz(e.headers.get("cookie")).get(Kl);if(!r)return{};try{let{payload:n}=await fz(r,await kS(),{algorithms:[IS],issuer:TS,audience:AS}),a=_z.parse(n);if(a.browserLoginOrigin!==PS(t))return{evictCookie:Zl(e.url)};let i={subjectId:a.sub,tenantId:a.tenantId};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof hz.JWTExpired?{evictCookie:Zl(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Zl(e.url)})}}o(ys,"readBrowserSession");async function la(e){let t=ve().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,tenantId:e.principal.tenantId,browserLoginOrigin:PS({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new gz(r).setProtectedHeader({alg:IS,typ:"JWT"}).setIssuer(TS).setAudience(AS).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await kS());return Sz({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(la,"createBrowserSessionCookie");async function xS(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(xS,"resolveApiKeyBrowserLoginPrincipal");async function OS(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await ys(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return CS({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(OS,"resolveBrowserLoginCallbackPrincipal");function US(e){let t=ve().browserLogin,r=new URL(Sr("url")),n=new URL("/oauth/callback",gt(e.requestUrl));return yg(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",Sr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(US,"buildBrowserLoginUrl");var MS=5*60,wz=["mcp_user"],Ss="HS256",ws="zuplo-mcp-gateway",vs="zuplo-mcp-gateway",vz=c.object({purpose:c.literal("gateway_browser_login"),transactionId:je,stateId:Di,exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),Rz=c.object({purpose:c.literal("gateway_authorization_setup"),transactionId:je,stateId:Di,exp:c.number().int().positive(),iat:c.number().int().positive().optional()});async function qS(){return kt({purpose:"browser-login",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-login"),"derive")})}o(qS,"getBrowserLoginKey");async function $S(){return kt({purpose:"authorization-csrf",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"authorization-csrf"),"derive")})}o($S,"getCsrfKey");function bz(e){return[...new Set([...wz,...e.roles??[]])]}o(bz,"buildRoles");function LS(e){return{repository:e.repository??q().downstreamOAuthRepository,now:e.now??new Date,ttlSeconds:Wl()}}o(LS,"readPendingTransactionDependencies");function Cz(e,t){return e.subjectId===t.subjectId&&e.tenantId===t.tenantId}o(Cz,"principalsMatch");function jS(e){return{subjectId:e.subjectId,tenantId:e.tenantId,...e.roles===void 0?{}:{roles:e.roles}}}o(jS,"toPendingPrincipal");function HS(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:O(e.now),expiresAt:O(ft(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:jS(e.principal)}}o(HS,"createTransactionRecord");async function GS(e){if((await e.repository.savePendingAuthorizationTransaction(e.record,e.client===void 0?void 0:{client:e.client})).kind==="already_exists")throw g("oauth_state_reused","Authorization transaction state already exists.")}o(GS,"savePendingTransaction");async function Iz(e){return new DS({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:Ss,typ:"JWT"}).setIssuer(ws).setAudience(vs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await qS())}o(Iz,"signBrowserLoginState");async function BS(e){return new DS({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Nd()}).setProtectedHeader({alg:Ss,typ:"JWT"}).setIssuer(ws).setAudience(vs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await $S())}o(BS,"signCsrfToken");async function Rs(e){try{let{payload:t}=await NS(e,await qS(),{algorithms:[Ss],issuer:ws,audience:vs}),r=vz.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof zS.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(Rs,"verifyBrowserLoginStateToken");async function Tz(e){try{let{payload:t}=await NS(e,await $S(),{algorithms:[Ss],issuer:ws,audience:vs});return{transactionId:Rz.parse(t).transactionId}}catch(t){throw t instanceof zS.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(Tz,"verifyCsrfToken");function pa(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(pa,"pendingStateErrorCode");function VS(e){return e==="principal_mismatch"?"oauth_callback_mismatch":pa(e==="consumed_already"?"consumed_already":e)}o(VS,"setupDecisionErrorCode");function Az(e){if(e.kind!=="available")throw g(pa(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(Az,"requireAwaitingSetup");function kz(e){if(e.kind!=="available")throw g(pa(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(kz,"requireAwaitingLogin");function Pz(e){if(!Cz(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(Pz,"requireCurrentPrincipalMatches");function FS(e){return typeof e.decideAuthorizationSetup=="function"}o(FS,"hasRuntimeHttpAuthorizationDecision");async function ZS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=Wl(),a=zd(),i=Nd(),s=await Iz({transactionId:a,stateId:i,ttlSeconds:n}),u=HS({id:a,transaction:e.transaction,currentStateHash:await F(s),phase:"awaiting_login",now:r,ttlSeconds:n});if(u.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return await GS({repository:t,record:u,client:e.transaction.client}),{transaction:u,browserLoginStateToken:s,browserLoginUrl:US({state:s,nonce:i,virtualServerId:u.virtualServerId,requestUrl:e.requestUrl})}}o(ZS,"startAwaitingLogin");async function KS(e){let{repository:t,now:r,ttlSeconds:n}=LS(e),a=zd(),i=await BS({transactionId:a,ttlSeconds:n}),s=HS({id:a,transaction:e.transaction,currentStateHash:await F(i),phase:"awaiting_setup",principal:e.principal,now:r,ttlSeconds:n});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return await GS({repository:t,record:s,client:e.transaction.client}),{transaction:s,csrfToken:i}}o(KS,"startAwaitingSetup");async function Jl(e){let{repository:t,now:r,ttlSeconds:n}=LS(e),a=await Rs(e.browserLoginStateToken),i=await BS({transactionId:a.transactionId,ttlSeconds:n}),s=await t.advancePendingAuthorizationTransaction({id:a.transactionId,expectedPhase:"awaiting_login",currentStateHash:await F(e.browserLoginStateToken),nextStateHash:await F(i),nextPhase:"awaiting_setup",principal:jS(e.principal),now:r});if(s.kind!=="advanced")throw g(pa(s.kind),"Browser login state is invalid, expired, or already used.");if(s.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:s.record,csrfToken:i}}o(Jl,"completeLogin");async function WS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=await Rs(e.browserLoginStateToken);return kz(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await F(e.browserLoginStateToken),now:r}))}o(WS,"getAwaitingLogin");async function ma(e){let t=await Yl(e);return Pz({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(ma,"getSetup");async function Yl(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=await Tz(e.csrfToken);return Az(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await F(e.csrfToken),now:r}))}o(Yl,"getSetupTransaction");async function Ez(e){let t=Ke(),r=await F(t),n=Dd(),a=O(ft(e.now,MS)),i={id:e.transaction.id,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,tenantId:e.transaction.principal.tenantId,subjectId:e.transaction.principal.subjectId,scope:e.transaction.scope,roles:bz(e.transaction.principal),codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:O(e.now),expiresAt:a};await e.repository.issueAuthorizationCode({...i,codeHash:r,grantId:n});let s=new URL(e.transaction.redirectUri);return s.searchParams.set("code",t),e.transaction.clientState&&s.searchParams.set("state",e.transaction.clientState),s}o(Ez,"createAuthorizationCodeRedirect");async function xz(e){let t=await ma({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=Ke(),n=O(ft(e.now,MS)),a=await e.repository.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:await F(e.csrfToken),currentPrincipal:{tenantId:e.currentBrowserPrincipal.tenantId,subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await F(r),authorizationCodeExpiresAt:n,grantId:Dd(),now:O(e.now)});if(a.kind!=="approved")throw g(a.kind==="cancelled"?"oauth_state_invalid":VS(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(xz,"createAuthorizationCodeRedirectWithDecision");async function Oz(e){let t=await ma({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=await e.repository.decideAuthorizationSetup({decision:"cancel",transactionId:t.id,currentStateHash:await F(e.csrfToken),currentPrincipal:{tenantId:e.currentBrowserPrincipal.tenantId,subjectId:e.currentBrowserPrincipal.subjectId},now:O(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":VS(r.kind),"Authorization setup state is invalid, expired, or already used.");return JS({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(Oz,"createCancelRedirectWithDecision");function JS(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(JS,"buildClientCancelRedirect");async function Uz(e){let t=await ma(e),r=await e.repository.consumePendingAuthorizationTransaction({id:t.id,currentStateHash:await F(e.csrfToken),now:e.now});if(r.kind!=="consumed")throw g(pa(r.kind),"Authorization setup state is invalid, expired, or already used.");if(r.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return r.record}o(Uz,"consumeSetup");async function YS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;return{repository:t,now:r,transaction:await Uz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t})}}o(YS,"consumeSetupForDecision");async function XS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;if(FS(t))return xz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let n=await YS(e);return Ez({repository:n.repository,transaction:n.transaction,now:n.now})}o(XS,"approve");async function QS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;if(FS(t))return Oz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let{transaction:n}=await YS(e);return JS({redirectUri:n.redirectUri,clientState:n.clientState})}o(QS,"cancel");Y();var zz=1e4,Nz=5*1024,Dz=2,Mz=90*24*60*60,Xl=["authorization_code","refresh_token"],Ql=["code"],qz=c.object({client_name:c.string().min(1).optional(),redirect_uris:c.array(c.string().min(1)).min(1),grant_types:c.array(c.enum(Xl)).min(1).max(2).optional(),response_types:c.array(c.enum(Ql)).min(1).max(1).optional(),scope:c.literal(ce).optional(),token_endpoint_auth_method:qo.default("client_secret_basic")});function $z(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o($z,"isCimdClientIdCandidate");function jn(e,t="invalid_request"){if(Lz(e))throw new U(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new U(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new U(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||Le(r)))throw new U(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(jn,"assertValidRedirectUri");function Lz(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(Lz,"hasForbiddenRawRedirectUriCharacter");async function jz(e){let{response:t,json:r}=await Ey(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Dz,maxResponseBytes:Nz,timeoutMs:zz});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=gg.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(jz,"fetchCimdMetadata");async function Hz(e){let t=as(e),r=await jz({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(Hz,"resolveCimdClient");async function ha(e,t,r){let n=le.parse(t);if($z(n)){if(!ve().gateway.cimdEnabled)throw new U("invalid_client","OAuth client is not registered.");try{return await Hz(n)}catch{throw new U("invalid_client","OAuth client is not registered.")}}let a=await e.getDcrClient(n);if(a){let i={kind:"dcr",clientId:n,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new U("invalid_client",n.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(ha,"resolveClient");function bs(e,t){if(!e.metadata.redirect_uris.some(r=>qi(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(bs,"assertRedirectRegistered");function Gz(e){let t=ew(e.grant_types),r=e.response_types??[...Ql];if(!Bz(t))throw new U("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!Vz(r))throw new U("invalid_client_metadata","response_types must be code.");if(!Fz(e.scope))throw new U("invalid_client_metadata",`Only the ${ce} scope is supported.`)}o(Gz,"assertSupportedDcrRequest");function ew(e){return e===void 0?[...Xl]:Array.from(new Set(e))}o(ew,"normalizeGrantTypes");function Bz(e){return e.length===0?!1:e.every(t=>Xl.includes(t))}o(Bz,"isSupportedGrantTypes");function Vz(e){return e.length===Ql.length&&e[0]==="code"}o(Vz,"isSupportedResponseTypes");function Fz(e){return e===void 0||e===ce}o(Fz,"isSupportedDcrScope");function Vr(e){if(e===void 0||e===ce)return ce;throw new U("invalid_request",`Only the ${ce} scope is supported.`)}o(Vr,"assertSupportedOAuthScope");function Pt(e,t){let r;try{r=new URL(t)}catch{throw new U("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new U("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!Le(r))throw new U("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=re(e),a=Xf(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new U("invalid_target","resource must match a published virtual MCP server.");return i}o(Pt,"resolveResource");async function tw(e,t={}){let r=Zz(t)?{repository:t}:t,n;try{n=qz.parse(e)}catch(f){if(f instanceof c.ZodError){let _=f.issues.some(S=>S.path[0]==="redirect_uris");throw new U(_?"invalid_redirect_uri":"invalid_client_metadata",f.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:f})}throw f}Gz(n);for(let f of n.redirect_uris)jn(f,"invalid_redirect_uri");let a=r.repository??q().downstreamOAuthRepository,i=new Date,s=le.parse(`dcr:${crypto.randomUUID()}`),u=ft(i,Mz),d=Math.floor(i.getTime()/1e3),l=Math.floor(u.getTime()/1e3),p={client_id:s,client_name:n.client_name??"Dynamically registered MCP client",redirect_uris:n.redirect_uris,grant_types:ew(n.grant_types),response_types:["code"],scope:ce,token_endpoint_auth_method:n.token_endpoint_auth_method,client_id_issued_at:d},m={clientId:s,clientName:String(p.client_name),redirectUris:n.redirect_uris,tokenEndpointAuthMethod:n.token_endpoint_auth_method,createdAt:O(i),clientExpiresAt:O(u)};if(n.token_endpoint_auth_method!=="none"){let f=Ke();m.hashedClientSecret=await F(f),m.clientSecretExpiresAt=O(u),p.client_secret=f,p.client_secret_expires_at=l,p.client_secret_issued_at=d}return await a.saveDcrClient(m),p}o(tw,"registerDownstreamClient");function Zz(e){return typeof e.getDcrClient=="function"}o(Zz,"isOAuthRepository");var Kz=8;function tp(e){let t=e.trim();try{let r=new URL(t);if(r.protocol==="https:")return r.toString()}catch{}if(/^data:image\/(?:png|jpe?g|webp);/i.test(t))return t}o(tp,"safeIconSrc");function Wz(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(Wz,"safeGatewayConnectHref");function Jz(e){if(e==="any")return Number.POSITIVE_INFINITY;let t=/^(\d+)x(\d+)$/.exec(e);return t?Math.max(Number(t[1]),Number(t[2])):0}o(Jz,"parseIconSize");function Yz(e,t){let r=e.filter(a=>a.theme===t);if(r.length>0)return r;let n=e.filter(a=>a.theme===void 0);return n.length>0?n:e}o(Yz,"selectIconCandidates");function Xz(e){return tp(e.src)?e.sizes&&e.sizes.length>0?Math.max(...e.sizes.map(Jz)):0:-1}o(Xz,"readIconScore");function ow(e,t){if(!e||e.length===0)return;let r=Yz(e,t),n,a=-1;for(let i of r){let s=Xz(i);s>a&&(n=i,a=s)}return n}o(ow,"pickIcon");var Qz='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>',rw=yt(Qz),eN=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>'),tN=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>'),aw=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),nw=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M8 1.5 2.5 3.5v4.2c0 3.4 2.4 5.6 5.5 6.8 3.1-1.2 5.5-3.4 5.5-6.8V3.5L8 1.5Z"/><path d="m5.8 8.2 1.6 1.6 3-3"/></svg>');function rN(e,t){let r=ow(e,"light");if(!r)return x`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${rw}</span>`;let n=tp(r.src);return n?x`<span class="icon-frame"><img src="${n}" alt="${t}" loading="lazy" decoding="async"></span>`:x`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${rw}</span>`}o(rN,"renderIconFrame");function Is(e,t){let r=ow(e,"light");if(!r)return ye;let n=tp(r.src);return n?x`<img class="inline-icon" src="${n}" alt="${t}" loading="lazy" decoding="async">`:ye}o(Is,"renderInlineIcon");function nN(e){switch(e){case"user":return"your account";case"tenant_shared":return"shared by your team";case"none":return"gateway-managed"}}o(nN,"ownerModeLabel");function oN(e){return e.endsWith("_oauth")||e==="oauth"?"OAuth":e.includes("static_secret")?"static credential":e.replaceAll("_"," ")}o(oN,"authModeLabel");function aN(e){switch(e){case"active":return x`<span class="status-badge status-badge--success">Connected</span>`;case"not_connected":return x`<span class="status-badge status-badge--neutral">Not connected</span>`;case"reconsent_required":return x`<span class="status-badge status-badge--warning">Reconnect required</span>`}}o(aN,"statusBadge");function iN(e){if(!e)return ye;let t=[];return e.destructiveHint&&t.push(x`<span class="badge badge--destructive" title="This tool may modify or delete data on your behalf.">destructive</span>`),e.readOnlyHint&&t.push(x`<span class="badge badge--muted" title="This tool only reads data and does not modify state.">read-only</span>`),e.openWorldHint&&t.push(x`<span class="badge badge--muted" title="This tool can access arbitrary URIs supplied at call time.">open-world</span>`),t.length>0?x`<span class="badge-row">${t}</span>`:ye}o(iN,"annotationBadges");function iw(e){let t=0,r=0;for(let n of e.tools)n.annotations?.destructiveHint===!0&&(t+=1),n.annotations?.readOnlyHint===!0&&(r+=1);return{tools:e.tools.length,prompts:e.prompts.length,resources:e.resources.length,destructiveTools:t,readOnlyTools:r}}o(iw,"summarizeCapabilities");function sN(e){let t=e.annotations?.title??e.title??e.name,r=e.description?x`<span class="capability-row__description">${e.description}</span>`:ye;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${iN(e.annotations)}${r}</li>`}o(sN,"renderToolRow");function cN(e){let t=e.title??e.name,r=e.description?x`<span class="capability-row__description">${e.description}</span>`:ye;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${r}</li>`}o(cN,"renderPromptRow");function uN(e){let t=e.title??e.name,r=e.mimeType===void 0?ye:x` · ${e.mimeType}`,n=e.description===void 0?ye:x` — ${e.description}`,a=x`<span class="capability-row__description"><code>${e.uri}</code>${r}${n}</span>`;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${a}</li>`}o(uN,"renderResourceRow");function ep(e,t,r,n){if(t===0)return ye;let a=r.slice(0,Kz),i=t-a.length,s=i>0?x`<li class="capability-row capability-row--more">+ ${i} more</li>`:ye;return x`<section class="capability-section"><h4 class="capability-section__title">${e} <span class="muted">(${t})</span></h4><ul class="capability-list">${a.map(n)}${s}</ul></section>`}o(ep,"renderCapabilitySection");function Cs(e,t,r=!1){return r?x`<span class="count-pill count-pill--destructive"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`:x`<span class="count-pill"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`}o(Cs,"countPill");function dN(e){let t=iw(e);if(t.tools+t.prompts+t.resources===0)return x`<div class="upstream-card__capabilities upstream-card__capabilities--empty">No tools, prompts, or resources advertised.</div>`;let n=[];t.tools>0&&n.push(Cs(t.tools===1?"tool":"tools",t.tools)),t.prompts>0&&n.push(Cs(t.prompts===1?"prompt":"prompts",t.prompts)),t.resources>0&&n.push(Cs(t.resources===1?"resource":"resources",t.resources)),t.destructiveTools>0&&n.push(Cs("destructive",t.destructiveTools,!0));let a=[ep("Tools",t.tools,e.tools,sN),ep("Prompts",t.prompts,e.prompts,cN),ep("Resources",t.resources,e.resources,uN)];return x`<details class="upstream-card__capabilities"><summary class="capabilities-summary"><span class="capabilities-summary__counts">${n}</span><span class="capabilities-summary__chevron" aria-hidden="true">${aw}</span></summary><div class="capabilities-detail">${a}</div></details>`}o(dN,"renderUpstreamCapabilities");function lN(e){if(!e||e.length===0)return ye;let t=e.map(n=>x`<code class="scope-chip">${n}</code>`),r=e.length===1?"scope":"scopes";return x`<details class="upstream-card__scopes"><summary class="scopes-summary"><span>Requested ${r} <span class="muted">(${e.length})</span></span><span class="capabilities-summary__chevron" aria-hidden="true">${aw}</span></summary><div class="scopes-list">${t}</div></details>`}o(lN,"renderUpstreamScopes");function pN(e,t){if(e.ownerMode!=="user")return ye;let r=Wz(e.connectUrl,t);if(!r)return ye;let n=e.status==="active"?"Redo auth":e.status==="reconsent_required"?"Reconnect":"Connect",a=e.status==="active"?"Reconnect this upstream account or approve updated scopes.":void 0;return x`<a class="button button--secondary button--small" href="${r}"${a===void 0?ye:x` title="${a}"`}>${n}</a>`}o(pN,"renderActionButton");function mN(e,t){let r=pN(e,t);return Zt(r)!==""?r:aN(e.status)}o(mN,"renderUpstreamControl");function hN(e,t){let n=e.ownerMode==="user"&&e.status!=="active"?yt('<article class="upstream-card upstream-card--needs-action">'):yt('<article class="upstream-card">'),a=e.description?x`<p class="upstream-card__description">${e.description}</p>`:ye,i=e.transportHost?x`<code class="upstream-card__host">${e.transportHost}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`:ye,s=x`<div class="upstream-card__head">${rN(e.serverIcons,e.upstreamDisplayName)}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${mN(e,t)}</div><div class="upstream-card__meta">${i}<span>${oN(e.authMode)}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${nN(e.ownerMode)}</span></div>${a}</div></div>`,u=dN(e.capabilities),d=lN(e.scopesRequested);return x`${n}${s}${u}${d}</article>`}o(hN,"renderUpstreamCard");function fN(e){return e.reduce((t,r)=>{let n=iw(r.capabilities);return t.tools+=n.tools,t.prompts+=n.prompts,t.resources+=n.resources,t.destructiveTools+=n.destructiveTools,t.readOnlyTools+=n.readOnlyTools,t},{tools:0,prompts:0,resources:0,destructiveTools:0,readOnlyTools:0})}o(fN,"aggregateCapabilities");function gN(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(gN,"deriveMode");function _N(e){if(e.mode==="setup"){let n=e.upstreams.filter(u=>u.ownerMode==="user"&&u.status!=="active"),a=n.length>0&&n.every(u=>u.status==="reconsent_required"),i=n.length===1?"the service":`the ${n.length} services`,s=a?x`Re-authorize ${i} below to refresh access. Authorization will continue automatically once each is ready.`:x`Connect ${i} below before continuing. Authorization will continue automatically once each is ready.`;return x`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${eN}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${s}</p></div></div>`}let t=fN(e.upstreams);if(t.destructiveTools===0)return ye;let r=t.destructiveTools===1?"tool can":"tools can";return x`<div class="banner banner--alert" role="alert"><span class="banner__icon" aria-hidden="true">${tN}</span><div class="banner__body"><p class="banner__title">${t.destructiveTools} ${r} modify or delete data</p><p class="banner__message">Review the destructive tools below before authorizing <strong>${e.clientDisplayName}</strong>.</p></div></div>`}o(_N,"renderBanner");function yN(e){return e.mode==="grant"?x`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve">Authorize</button></form>`:x`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><input type="hidden" name="decision" value="continue"><button class="button button--primary" type="submit">Check again</button></form>`}o(yN,"renderActions");var SN=`
 *,*::before,*::after{box-sizing:border-box}
 :root{
   --bg:#ffffff;
@@ -1268,8 +1268,8 @@ details[open] > .scopes-summary .capabilities-summary__chevron{transform:rotate(
 @media (prefers-reduced-motion: reduce){
   *{transition:none!important}
 }
-`,_N=St(gN);function rp(e){let t=mN(e.upstreams),r=[...e.upstreams].sort((m,f)=>{let _=o(y=>y.ownerMode!=="user"?2:y.status==="active"?1:0,"blockedRank"),S=_(m)-_(f);return S!==0?S:m.upstreamDisplayName.localeCompare(f.upstreamDisplayName)}),n=e.principalLabel?x`<span class="principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`:ye,a=e.virtualServerDescription?x`<p class="hero__description">${e.virtualServerDescription}</p>`:ye,i=As(e.virtualServerIcons,e.virtualServerDisplayName),s=hN({mode:t,upstreams:r,clientDisplayName:e.clientDisplayName}),u=r.length===0?x`<div class="empty">This virtual server does not declare any upstream services.</div>`:x`<ul class="upstream-list">${r.map(m=>x`<li>${lN(m,e.gatewayOrigin)}</li>`)}</ul>`,d=fN({mode:t,state:e.state}),l=t==="grant"?x`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${rw}</span><span><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.virtualServerDisplayName}</strong>. You can revoke access at any time.</span></p>`:x`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${rw}</span><span>Authorization continues automatically once every required service is connected.</span></p>`,p=r.length>0?x`<span class="section-label__count">(${r.length})</span>`:ye;return Zt(x`<!doctype html><html lang="en"><head><meta charset="utf-8"><title>Authorize MCP access · ${e.virtualServerDisplayName}</title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="referrer" content="no-referrer"><meta name="robots" content="noindex"><style>${_N}</style></head><body><header class="topbar"><div class="topbar__inner"><div class="brand"><span class="brand__mark" aria-hidden="true">Z</span><span class="brand__name">Zuplo MCP Gateway</span></div>${n}</div></header><main class="shell-main"><div class="static-top"><div class="static-top__inner"><section class="hero"><h1 class="hero__title">Authorize access</h1><p class="hero__connection"><span class="hero__client">${e.clientDisplayName}</span><span class="hero__arrow" aria-label="will access">→</span><span class="hero__server">${i}${e.virtualServerDisplayName}</span></p>${a}</section>${s}</div></div><section class="upstream-region" aria-labelledby="upstreams-heading"><div class="upstream-region__head"><h2 id="upstreams-heading" class="section-label">Upstream services${p}</h2></div><div class="upstream-region__scroll"><div class="upstream-region__scroll-inner">${u}</div></div></section></main><div class="action-bar" role="region" aria-label="Authorization decision"><div class="action-bar__inner">${l}${d}</div></div></body></html>`)}o(rp,"renderConsentPage");function yN(e){try{return new URL(e).host}catch{return}}o(yN,"safeUrlHost");function SN(e){if(e.mode==="user_oauth"||e.mode==="tenant_shared_oauth")return e.oauth.scopes}o(SN,"readOAuthScopes");function np(e){return e!==void 0&&e.length>0}o(np,"hasItems");function wN(e){let t=e.registeredConnection.config.serverInfo?.icons;if(np(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&np(r)?r:void 0}o(wN,"readServerIcons");async function vN(e){if(!(e.returnTo===void 0||!e.isUserOwned))return pl({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(vN,"readConnectUrl");function Fr(e,t){return t===void 0?{}:{[e]:t}}o(Fr,"optionalRequirementField");function RN(e){return e.isUserOwned?$g(e.connection):{connected:!0,status:"active"}}o(RN,"readSetupConnectionStatus");function bN(e){let t=SN(e);return np(t)?t:void 0}o(bN,"readScopesRequested");function IN(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(IN,"readUpdatedAt");function CN(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(Ei),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(Pi),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(xi)}}o(CN,"readVirtualServerCapabilities");async function TN(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=Yi(r),u=s==="user",d=RN({connection:e.connection,isUserOwned:u}),l=await vN({...e,connected:d.connected,isUserOwned:u});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:CN({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...Fr("description",n.description),...Fr("transportHost",yN(n.transport.baseUrl)),...Fr("scopesRequested",bN(t)),...Fr("serverIcons",wN({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...Fr("connectUrl",l),...Fr("updatedAt",IN({connectionStatus:d,isUserOwned:u})),...Fr("expiresAt",e.connection?.expiresAt)}}o(TN,"buildSetupRequirement");function iw(e){let t=ct().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(iw,"requireVirtualServer");async function op(e){let t=iw(e.transaction.virtualServerId),r=mr(e.transaction.principal.tenantId,e.transaction.principal.subjectId),n=[],a=new Map;for(let u of t.connections)Yi(u.authMode)==="user"&&(a.set(u,n.length),n.push({owner:r,upstreamServerId:u.upstreamServerId,authProfileId:u.authProfileId}));let i=await q().upstreamConnectionRepository.batchGet(n),s=[];for(let u of t.connections){let d=Yi(u.authMode)==="user",l=a.get(u);s.push(await TN({connection:d&&l!==void 0?i[l]:void 0,registeredConnection:u,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(op,"requirementsForSetup");function AN(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(AN,"readVirtualServerDisplayName");async function ap(e){let t=e.repository??q().downstreamOAuthRepository,r=iw(e.transaction.virtualServerId),n=AN({virtualServer:r}),a=await t.getDcrClient(e.transaction.clientId),i={gatewayOrigin:ne(e.requestUrl),virtualServerDisplayName:n,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:`${e.transaction.principal.subjectId} \xB7 ${e.transaction.principal.tenantId}`},s=r.serverInfo?.title;return s!==void 0&&s!==n&&(i.virtualServerDescription=s),i}o(ap,"consentContext");function sw(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(sw,"hasUnresolvedUserUpstream");var kN=["mcp_user"],EN="dev-browser-user",PN=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),xN=c.object({response_type:c.literal("code"),client_id:c.string().min(1),redirect_uri:c.string().min(1),resource:c.url(),code_challenge:c.string().min(43),code_challenge_method:In,state:c.string().min(1).optional(),scope:c.literal(ue).default(ue)}),ON=c.enum(["continue","approve","cancel"]).default("continue"),UN=c.object({state:c.string().min(1),decision:ON}),zN=c.object({state:c.string().min(1),apiKey:c.string().min(1)}),Zr=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function cw(e){return typeof e=="string"&&e.length>0?e:void 0}o(cw,"readQueryString");function NN(e,t){let r=cw(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new U("invalid_target",PN)}let n=Nr(t,e.url);if(r===void 0||r===n)return n;throw new U("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(NN,"requireAuthorizeResource");async function DN(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ws(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=ES(e);return{principal:i,setCookie:await pa({principal:i,requestUrl:e.url,virtualServerId:t})}}o(DN,"resolveBrowserPrincipal");async function MN(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ws(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(MN,"requireSetupPrincipal");async function uw(e){let t=await op({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await ap({transaction:e.transaction,requestUrl:e.requestUrl,...e.repository===void 0?{}:{repository:e.repository}}),n={kind:"setup_page",html:rp({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(uw,"renderSetup");function qN(e){return typeof e.decideAuthorizationSetup=="function"}o(qN,"usesRuntimeHttpAuthorizationOperations");function $N(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;if(t==="private_key_jwt")throw new U("invalid_client","OAuth client authentication method is not supported.");return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o($N,"toAuthorizationTransactionClient");async function ip(e,t={}){let r=xN.parse({...e.query,resource:NN(e,t.virtualServerId),state:cw(e.query.state)}),n=Vr(r.scope);jn(r.redirect_uri);let a=q().downstreamOAuthRepository,i=new Date,s=he.parse(r.client_id),u=qN(a)&&s.startsWith("dcr:")?void 0:await fa(a,r.client_id,i);u!==void 0&&Cs(u,r.redirect_uri);let d=u===void 0,l=d?Pt(e.url,r.resource):void 0;try{let p=l??Pt(e.url,r.resource),m=$N(u);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:s,virtualServerId:p.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved");let f={clientId:u?.clientId??s,...m===void 0?{}:{client:m},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:p.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:_,setCookie:S}=await DN(e,p.virtualServerId,t.context);if(!_){let w=await FS({transaction:f,requestUrl:e.url,now:i,repository:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:s,virtualServerId:p.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let v={kind:"redirect",location:w.browserLoginUrl};return S!==void 0&&(v.setCookie=S),v}let y=await ZS({transaction:f,principal:_,now:i,repository:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:s,virtualServerId:p.virtualServerId,tenantId:_.tenantId,subjectId:_.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),uw({transaction:y.transaction,csrfToken:y.csrfToken,requestUrl:e.url,repository:a,setCookie:S})}catch(p){throw d?p:LN({redirectUri:r.redirect_uri,clientState:r.state,cause:p})}}o(ip,"authorizeDownstreamClient");function LN(e){if(e.cause instanceof Zr)return e.cause;let t=jN(e.cause);return t?new Zr({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(LN,"toDownstreamAuthorizeRedirectError");function jN(e){if(e instanceof U)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof c.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o(jN,"mapToOAuthRedirectError");async function dw(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",p??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await Is(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await xS(i),u=q().downstreamOAuthRepository,d=await Jl({browserLoginStateToken:n,principal:s,repository:u}),l=await uw({transaction:d.transaction,csrfToken:d.csrfToken,requestUrl:e.url,repository:u});return l.setCookie=await pa({principal:s,requestUrl:e.url,virtualServerId:d.transaction.virtualServerId}),l}o(dw,"completeBrowserLoginCallback");async function lw(e){let t=Re();if(!t.devTenantId)throw g("authentication_required","Local browser login requires the `devTenantId` policy option on mcp-oauth-inbound.");let r=new URL(e.url);if(!Le(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",ne(e.url)),i=new URL(ne(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:Q.parse(EN),tenantId:de.parse(t.devTenantId),roles:kN};return{kind:"redirect",location:a,setCookie:await pa({principal:s,requestUrl:e.url})}}o(lw,"completeLocalDevBrowserLogin");async function pw(e){let t=zN.parse(e.body),r=q().downstreamOAuthRepository,n=await KS({browserLoginStateToken:t.state,repository:r}),a=await PS({apiKey:t.apiKey,virtualServerId:n.virtualServerId}),i=await Jl({browserLoginStateToken:t.state,principal:a,repository:r});await Vy({apiKey:t.apiKey,principal:a,virtualServerId:i.transaction.virtualServerId});let s=new URL("/oauth/setup",_t(e.request.url));return s.searchParams.set("state",i.csrfToken),{kind:"redirect",location:s,setCookie:await pa({principal:a,requestUrl:e.request.url,virtualServerId:i.transaction.virtualServerId})}}o(pw,"completeApiKeyBrowserLogin");function HN(e){let t=e.method==="POST"?e.body:e.query;return UN.parse(t)}o(HN,"readSetupContinueRequest");async function mw(e){let{state:t,decision:r}=HN({method:e.request.method,query:e.request.query,body:e.body}),n=q().downstreamOAuthRepository,a=new Date,i=await Yl({csrfToken:t,now:a,repository:n}),s=await MN(e.request,i.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await XS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})};let u=await ha({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n}),d=await op({transaction:u,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||sw(d)){let l=await ap({repository:n,transaction:u,requestUrl:e.request.url});return{kind:"setup_page",html:rp({state:t,virtualServerId:u.virtualServerId,upstreams:d,...l})}}return{kind:"redirect",location:await YS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})}}o(mw,"continueDownstreamAuthorizeSetup");X();var GN=new Set(["authorization_code","refresh_token"]),BN=c.discriminatedUnion("grant_type",[c.object({grant_type:c.literal("authorization_code"),code:c.string().min(1),redirect_uri:c.string().min(1),client_id:c.string().min(1).optional(),code_verifier:Ni,resource:c.url().optional(),scope:c.literal(ue).optional(),client_secret:c.string().min(1).optional()}),c.object({grant_type:c.literal("refresh_token"),refresh_token:c.string().min(1),client_id:c.string().min(1).optional(),resource:c.url().optional(),scope:c.literal(ue).optional(),client_secret:c.string().min(1).optional()})]);function VN(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!GN.has(t)))throw new U("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(VN,"assertSupportedGrantType");var FN=c.object({token:c.string().min(1),client_id:c.string().min(1).optional(),token_type_hint:c.string().optional(),client_secret:c.string().min(1).optional()});function fw(){return Re().gateway.accessTokenTtlSeconds}o(fw,"readAccessTokenTtlSeconds");function gw(){return Re().gateway.refreshTokenTtlSeconds}o(gw,"readRefreshTokenTtlSeconds");async function hw(e){if(!e.client.hashedClientSecret||!e.clientSecret||e.clientSecretSource!==e.requiredSource)throw new U("invalid_client",e.missingMessage);if(!await bg({value:e.clientSecret,expectedHash:e.client.hashedClientSecret}))throw new U("invalid_client","Client authentication failed.")}o(hw,"requireClientSecretAuthentication");async function _w(e){switch(e.client.metadata.token_endpoint_auth_method){case"none":if(e.clientSecret)throw new U("invalid_request","Public clients must not authenticate with client_secret.");return;case"client_secret_basic":await hw({...e,requiredSource:"basic",missingMessage:"Client authentication with HTTP Basic is required."});return;case"client_secret_post":await hw({...e,requiredSource:"post",missingMessage:"Client authentication with client_secret_post is required."});return;case"private_key_jwt":throw new U("invalid_client","private_key_jwt client authentication is not supported.")}}o(_w,"requireClientAuthentication");function sp(e,t){let r=fw(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:O(gt(e,a)),expiresIn:a}}o(sp,"calculateAccessTokenExpiresAt");async function ZN(e){let t=Ke(),r=await F(t),n=sp(e.now,e.grant.expiresAt);return await e.repository.saveAccessToken({tokenHash:r,grantId:e.grant.id,clientId:e.grant.clientId,resource:e.grant.resource,virtualServerId:e.grant.virtualServerId,tenantId:e.grant.tenantId,subjectId:e.grant.subjectId,scope:e.grant.scope,roles:e.grant.roles,createdAt:O(e.now),expiresAt:n.expiresAt}),{accessToken:t,expiresIn:n.expiresIn}}o(ZN,"issueOpaqueAccessToken");function yw(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new U("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new U("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new U("invalid_client","Malformed HTTP Basic client authentication.")}}o(yw,"readBasicClientSecret");function Sw(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new U("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new U("invalid_client","Client authentication or client_id is required.");return t}o(Sw,"resolveAuthenticatedClientId");function ww(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new U("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(ww,"resolveClientSecretInput");function vw(e){return typeof e.exchangeAuthorizationCodeWithClientAuth=="function"&&typeof e.refreshTokenWithClientAuth=="function"&&typeof e.revokeOAuthTokenWithClientAuth=="function"}o(vw,"usesRuntimeHttpTokenOperations");async function Rw(e){let t=he.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await F(e.clientSecret)}}o(Rw,"buildRuntimeHttpClientAuth");async function bw(e){VN(e.body);let t=BN.parse(e.body),r=yw(e.authorizationHeader),n=Sw({basicClientId:r.clientId,bodyClientId:t.client_id}),a=q().downstreamOAuthRepository,i=new Date,s=ww({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(vw(a))return KN({parsed:t,clientId:n,clientSecretInput:s,now:i,repository:a,requestUrl:e.requestUrl});let u=await fa(a,n,i);if(await _w({client:u,...s}),t.grant_type==="authorization_code"){jn(t.redirect_uri),Cs(u,t.redirect_uri),Vr(t.scope),t.resource!==void 0&&Pt(e.requestUrl??t.resource,t.resource);let S=Ke(),y=Ke(),w=O(gt(i,gw())),v=sp(i,w),R=await a.exchangeAuthorizationCode({codeHash:await F(t.code),clientId:u.clientId,redirectUri:t.redirect_uri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:await jd(t.code_verifier),currentRefreshTokenHash:await F(S),accessTokenHash:await F(y),now:i,grantExpiresAt:w,accessTokenExpiresAt:v.expiresAt});if(R.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the authorization code resource.");if(R.kind!=="exchanged")throw new U("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context?.log.info({event:"oauth_token_issued",grantType:"authorization_code",clientId:u.clientId,scope:R.grant.scope,resource:R.grant.resource,expiresInSeconds:v.expiresIn},"OAuth access token issued (authorization_code grant)"),{access_token:y,token_type:"Bearer",expires_in:v.expiresIn,refresh_token:S,scope:R.grant.scope,resource:R.grant.resource}}Vr(t.scope);let d=await F(t.refresh_token);t.resource!==void 0&&Pt(e.requestUrl??t.resource,t.resource);let l=Ke(),p=await F(l),m=await a.rotateRefreshToken({currentTokenHash:d,nextTokenHash:p,clientId:u.clientId,...t.resource===void 0?{}:{resource:t.resource},now:i});if(m.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the refresh token grant resource.");if(m.kind!=="rotated")throw new U("invalid_grant","Refresh token is invalid, expired, or revoked.");let f=m.grant;if(f.revokedAt||f.clientId!==u.clientId)throw new U("invalid_grant","Refresh token grant is invalid or revoked.");Pt(e.requestUrl??f.resource,f.resource);let _=await ZN({repository:a,grant:f,now:i});return e.context?.log.info({event:"oauth_token_refresh_rotated",grantType:"refresh_token",clientId:u.clientId,scope:f.scope,resource:f.resource,expiresInSeconds:_.expiresIn},"OAuth refresh token rotated and access token issued"),{access_token:_.accessToken,token_type:"Bearer",expires_in:_.expiresIn,refresh_token:l,scope:f.scope,resource:f.resource}}o(bw,"exchangeDownstreamToken");async function KN(e){let t=await Rw({clientId:e.clientId,...e.clientSecretInput});if(e.parsed.grant_type==="authorization_code"){jn(e.parsed.redirect_uri),Vr(e.parsed.scope),e.parsed.resource!==void 0&&Pt(e.requestUrl??e.parsed.resource,e.parsed.resource);let u=Ke(),d=Ke(),l=O(gt(e.now,gw())),p=sp(e.now,l),m=await e.repository.exchangeAuthorizationCodeWithClientAuth({clientAuth:t,codeHash:await F(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await jd(e.parsed.code_verifier),currentRefreshTokenHash:await F(u),accessTokenHash:await F(d),grantExpiresAt:l,accessTokenExpiresAt:p.expiresAt,now:O(e.now)});if(m.kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");if(m.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the authorization code resource.");if(m.kind!=="exchanged")throw new U("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return{access_token:d,token_type:"Bearer",expires_in:p.expiresIn,refresh_token:u,scope:m.grant.scope,resource:m.grant.resource}}Vr(e.parsed.scope),e.parsed.resource!==void 0&&Pt(e.requestUrl??e.parsed.resource,e.parsed.resource);let r=Ke(),n=Ke(),a=O(gt(e.now,fw())),i=await e.repository.refreshTokenWithClientAuth({clientAuth:t,currentRefreshTokenHash:await F(e.parsed.refresh_token),nextRefreshTokenHash:await F(r),accessTokenHash:await F(n),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:a,now:O(e.now)});if(i.kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new U("invalid_grant","Refresh token is invalid, expired, or revoked.");Pt(e.requestUrl??i.grant.resource,i.grant.resource);let s=i.accessToken.expiresAt;return{access_token:n,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:i.grant.scope,resource:i.grant.resource}}o(KN,"exchangeDownstreamTokenWithRuntimeHttp");async function Iw(e){let t=FN.parse(e.body),r=yw(e.authorizationHeader),n=Sw({basicClientId:r.clientId,bodyClientId:t.client_id}),a=q().downstreamOAuthRepository,i=ww({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(vw(a)){let d=new Date;if((await a.revokeOAuthTokenWithClientAuth({clientAuth:await Rw({clientId:n,...i}),tokenHash:await F(t.token),now:O(d)})).kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");return}let s=await fa(a,n,new Date);await _w({client:s,...i});let u=await F(t.token);await a.revokeOAuthToken({tokenHash:u,clientId:s.clientId,now:new Date}),e.context?.log.info({event:"oauth_token_revoked",clientId:s.clientId,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed")}o(Iw,"revokeDownstreamToken");var WN=64*1024,JN=16*1024,YN="text/html; charset=utf-8";function XN(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(XN,"formDataToObject");async function QN(e){return yS(e,{maxBytes:WN,label:"Request body"})}o(QN,"readJsonBody");async function ks(e){return XN(await ys(e,{maxBytes:JN,label:"Request body"}))}o(ks,"readFormBody");async function Es(e,t,r){let n=le(r),a=r instanceof c.ZodError?Cw(r):r instanceof Error?r.message:void 0,i={code:n??"invalid_request"};return a!==void 0&&(i.detail=a),Ze(e,t,i)}o(Es,"handleProblem");function ga(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(ga,"oauthErrorResponse");function eD(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(eD,"readOAuthProtocolHeaders");function tD(e,t){let r=Fe("internal_server_error");return ga({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:eD(e,t)})}o(tD,"oauthProtocolErrorResponse");function rD(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(rD,"readZodOAuthErrorCode");function nD(e){let t={error:rD(e)},r=Cw(e);return r!==void 0&&(t.errorDescription=r),ga(t)}o(nD,"oauthZodErrorResponse");function oD(e){let t=le(e);if(t===void 0)return;let r=Fe(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:iD(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,ga(n)}o(oD,"oauthGatewayProblemResponse");function aD(){let t={error:"server_error",status:500,errorDescription:Fe("internal_server_error").publicDetail};return ga(t)}o(aD,"oauthFallbackErrorResponse");function iD(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(iD,"readOAuthStatus");function Hn(e,t={}){return e instanceof Zr?sD(e):e instanceof U?tD(e,t):e instanceof c.ZodError?nD(e):oD(e)??aD()}o(Hn,"oauthProblemResponse");function xt(e,t,r){let n={event:t},a=!1;if(r instanceof U)n.oauthError=r.errorCode,n.status=r.status,ke(n,"error",r);else if(r instanceof Zr)n.oauthError=r.errorCode,ke(n,"error",r);else if(r instanceof c.ZodError){n.code="invalid_request",ke(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=le(r);if(i!==void 0){let s=Fe(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",ke(n,"error",r)}else a=!0,ke(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(xt,"logUnexpectedOAuthHandlerError");function sD(e){let t;try{t=new URL(e.redirectUri)}catch{return ga({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(sD,"downstreamAuthorizeRedirectErrorResponse");function Cw(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(Cw,"formatZodErrorDetail");function cD(e,t){let r={event:"browser_login_callback_failed",code:le(t)??"invalid_request"};ke(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(cD,"logBrowserLoginCallbackFailure");function cp(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(cp,"redirectResultResponse");function Ps(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":YN,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return cp(e)}o(Ps,"authorizeResultResponse");async function Tw(e,t){try{return Response.json($d(e.url))}catch(r){return xt(t,"oauth_authorization_server_metadata_failed",r),Es(e,t,r)}}o(Tw,"authorizationServerMetadataHandler");async function Aw(e,t){try{let r=me.parse(e.params.virtualServerId),n=No(r);return Response.json(Sg({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return xt(t,"oauth_authorization_server_metadata_failed",r),Es(e,t,r)}}o(Aw,"scopedAuthorizationServerMetadataHandler");async function kw(e,t){try{let r=await ew(await QN(e)),n=r;return t.log.info({event:"oauth_dcr_client_registered",clientId:typeof n.client_id=="string"?n.client_id:void 0,clientName:typeof n.client_name=="string"?n.client_name:void 0,redirectUriCount:Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,tokenEndpointAuthMethod:typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0},"OAuth Dynamic Client Registration completed"),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return xt(t,"oauth_register_failed",r),Hn(r)}}o(kw,"registerHandler");async function Ew(e,t){try{return Ps(await ip(e,{context:t}))}catch(r){return xt(t,"oauth_authorize_failed",r),Hn(r,{includeInvalidClientChallenge:!1})}}o(Ew,"authorizeHandler");async function Pw(e,t){try{let r=me.parse(e.params.virtualServerId),n=No(r);return Ps(await ip(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return xt(t,"oauth_authorize_scoped_failed",r),Hn(r,{includeInvalidClientChallenge:!1})}}o(Pw,"scopedAuthorizeHandler");async function xw(e,t){try{let r=await dw(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Ps(r)}catch(r){return cD(t,r),Es(e,t,r)}}o(xw,"callbackHandler");async function Ow(e,t){try{return cp(await lw(e))}catch(r){return xt(t,"oauth_dev_login_failed",r),Hn(r)}}o(Ow,"devLoginHandler");async function Uw(e,t){try{if(e.method==="GET"){let r=typeof e.query.state=="string"?e.query.state:void 0;return r?RS(r):Vl(400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):cp(await pw({request:e,body:await ks(e)}))}catch(r){return xt(t,"oauth_api_key_login_failed",r),Vl()}}o(Uw,"apiKeyLoginHandler");async function zw(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await mw({request:e,body:e.method==="POST"?await ks(e):void 0,context:t});return Ps(r)}catch(r){return xt(t,"oauth_setup_failed",r),Es(e,t,r)}}o(zw,"setupHandler");async function Nw(e,t){try{return Response.json(await bw({body:await ks(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return xt(t,"oauth_token_failed",r),Hn(r)}}o(Nw,"tokenHandler");async function Dw(e,t){try{return await Iw({body:await ks(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return xt(t,"oauth_revoke_failed",r),Hn(r)}}o(Dw,"revokeHandler");var uD={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},Mw=new Ut("upstream-request");function dD(e){let t=Mw.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(dD,"readUpstreamRequestContext");function lD(e,t){return t.some(r=>r===e)}o(lD,"requestContextMatchesKind");function pD(e){return typeof e=="string"?[e]:e}o(pD,"toExpectedKinds");function Kr(e,t){Mw.set(e,t)}o(Kr,"setUpstreamRequestContext");function Wr(e,t){let r=dD(e),n=pD(t);if(!lD(r.kind,n)){let a=uD[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(Wr,"requireUpstreamRequestContext");var mD="text/html; charset=utf-8",hD="none";function qw(e){return x`<!doctype html><html><head><title>${e.title}</title><meta name="viewport" content="width=device-width, initial-scale=1"></head><body data-gateway-error-code="${e.code??hD}"><main><h1>${e.title}</h1><p>${e.body}</p></main></body></html>`}o(qw,"browserResultHtml");function $w(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":mD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o($w,"browserResultResponse");function xs(e){return $w(qw(e))}o(xs,"browserConnectionSuccessResponse");function Gn(e){let t=Mf(e);return $w(qw({title:t.title,body:t.body,code:e}),400)}o(Gn,"browserConnectionFailureResponse");var fD="text/html; charset=utf-8",gD=16*1024;function _D(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":fD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(_D,"htmlResponse");function yD(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(yD,"safeRedirect");function SD(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(SD,"requireBrowserTicket");function wD(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(wD,"appPasswordTicketMatchesTarget");async function Lw(e){let t=SD(e.browserTicket),r=await rs(t);if(!wD(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(Lw,"readAppPasswordTarget");function vD(e){let t=yl(e.upstreamServerId,e.authProfileId),r=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,n=t.kind==="basic_auth_app_password"?x`<label for="username">${t.usernameLabel}</label><input id="username" name="username" required autocomplete="username"><label for="appPassword">${t.passwordLabel}</label><input id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:x`<label for="token">${t.label}</label><input id="token" name="token" type="password" required autocomplete="off">`;return _D(x`<!doctype html><html><head><title>Connect upstream</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;margin:0;padding:32px;background:#f8fafc;color:#0f172a}main{max-width:440px;margin:0 auto;background:white;border:1px solid #dbe3ee;border-radius:8px;padding:24px;box-shadow:0 1px 2px rgba(15,23,42,.06)}label{display:block;font-size:14px;font-weight:600;margin:16px 0 6px}input{box-sizing:border-box;width:100%;border:1px solid #b8c3d4;border-radius:6px;padding:10px 12px;font:inherit}button{margin-top:20px;border:0;border-radius:6px;background:#0f172a;color:white;padding:10px 14px;font:inherit;font-weight:600;cursor:pointer}p{color:#475569;line-height:1.5}</style></head><body><main><h1>Connect upstream</h1><p>Enter the per-user credential for this approved upstream. The gateway stores it encrypted and keeps it out of MCP client configuration.</p><form method="post" action="${r}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}">${n}<button type="submit">Connect</button></form></main></body></html>`)}o(vD,"renderCaptureForm");function Os(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(Os,"readRequiredFormValue");function RD(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(RD,"readCaptureFormTargetInput");async function bD(e){return vD(await Lw(RD(e)))}o(bD,"handleCaptureFormRequest");async function ID(e){let t=await ys(e.request,{maxBytes:gD,label:"App password request body"});return{form:t,target:await Lw({upstreamServerId:e.upstreamServerId,browserTicket:Os(t,"browserTicket")})}}o(ID,"readSubmittedAppPasswordTarget");async function CD(e){let t=En(e.target.ticket);if(await ns(e.target.ticket),yl(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await os({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:Os(e.form,"token")});return}await uy({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:Os(e.form,"username"),appPassword:Os(e.form,"appPassword")})}o(CD,"saveSubmittedAppPasswordCredential");function TD(e,t){return t.ticket.returnTo?yD(e,t.ticket.returnTo):xs({title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(TD,"appPasswordSuccessResponse");async function AD(e){let t=await ID({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await CD(t),TD(e.request.url,t.target)}o(AD,"handleAppPasswordSubmission");function kD(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(kD,"methodNotAllowedResponse");function ED(e){let t=le(e);return Gn(vi(t)?t:"oauth_state_invalid")}o(ED,"appPasswordFailureResponse");async function PD(e){switch(e.request.method){case"GET":return bD(e.appPasswordRequest);case"POST":return AD(e);default:return kD()}}o(PD,"handleAppPasswordMethod");async function up(e,t){let r=Wr(t,"app_password");try{return await PD({request:e,appPasswordRequest:r})}catch(n){return ED(n)}}o(up,"appPasswordHandler");var xD=["callback_authorization_code","callback_provider_error","callback_invalid"];function OD(e){return"cause"in e?e.cause:void 0}o(OD,"readErrorCause");function UD(e){return e.stack?.split(`
-`).slice(1,4).map(t=>t.trim()).join(" | ")}o(UD,"readFirstStackFrame");function jw(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=UD(r))}o(jw,"addErrorAttributes");function zD(e,t){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),Gn("provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Gn("oauth_state_invalid");case"callback_authorization_code":return t}}o(zD,"requireAuthorizationCallbackRequest");function ND(e,t){We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(ND,"emitCallbackReceivedAnalyticsEvent");function DD(e,t){We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o(DD,"emitTokenExchangeSucceededAnalyticsEvent");function MD(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return xs({title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(MD,"buildSuccessfulCallbackResponse");function qD(e){let t={detail:e instanceof Error?e.message:void 0};return jw(t,"error",e),e instanceof Error&&jw(t,"cause",OD(e)),t}o(qD,"buildTokenExchangeFailureAttributes");function $D(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:le(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:qD(e.error)})}o($D,"emitTokenExchangeFailedAnalyticsEvent");function LD(e){let t=le(e);return Gn(vi(t)?t:"upstream_token_exchange_failed")}o(LD,"tokenExchangeFailureResponse");async function dp(e,t){let r=Wr(t,xD),n=zD(t,r);if(n instanceof Response)return n;ND(t,n);try{let a=await Zy({request:e,callbackRequest:n});return DD(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,virtualServerId:a.virtualServerId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),MD(e,a)}catch(a){let i={event:"upstream_oauth_token_exchange_failed",code:le(a)??"upstream_token_exchange_failed",upstreamServerId:n.upstreamServerId};return ke(i,"error",a),t.log.warn(i,"Upstream OAuth token exchange failed; user shown connection-failure page"),$D({context:t,callbackRequest:n,error:a}),LD(a)}}o(dp,"callbackHandler");function jD(e){let t=le(e);return t==="unknown_upstream_server"?t:"not_found"}o(jD,"clientMetadataProblemCode");function HD(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(HD,"clientMetadataProblemDetail");async function Hw(e,t){let r=Wr(t,"connect"),n=await Fy({request:e,connectRequest:r});if(We(t,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await On({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(Hw,"connectHandler");async function Gw(e,t){let r=Wr(t,"client_metadata");try{let n=xy(e.url),a=Oy(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=jD(n),i=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),Ze(e,t,{code:a,detail:HD(n)})}}o(Gw,"oauthClientMetadataHandler");function Kt(e){if(typeof e=="string"&&e.length!==0)return e}o(Kt,"readOptionalQueryString");function GD(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(GD,"requirePathString");function Bw(e){let t=Kt(e);return t?me.parse(t):void 0}o(Bw,"readOptionalVirtualServerId");function BD(e,t){let r=Kt(e);return r?Pe.parse(r):vn(t,"user_oauth")}o(BD,"readOptionalAuthProfileId");function VD(e){let t=Bw(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(VD,"readRequiredVirtualServerId");function FD(e){let t=Kt(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(FD,"readOptionalBrowserTicket");function ZD(e){let t=Vi(Kt(e));return t===void 0?{}:{returnTo:t}}o(ZD,"readOptionalReturnTo");function KD(e){let t=Bw(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(KD,"readOptionalVirtualServerIdContext");function WD(e){let t=Kt(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(WD,"readOptionalProviderErrorDescription");function JD(e){let t=kt(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(JD,"requireConnectableRouteAuth");function YD(e,t,r,n){let a=_s(e,t);if(a.ownerMode==="none"||a.authMode==="tenant_static_secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(YD,"buildConnectContextForPrincipal");function XD(e,t,r){let n=En(t),a=kt(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(XD,"buildConnectContextForTicket");async function QD(e,t){let r=JD(hS(t,VD(e.query.virtualServerId))),n=e.query.redirect==="true",a=Kt(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let s=Tn(e.user,e.url);return YD(r,s,n,ZD(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let i=await rs(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await ns(i),XD(r,i,n)}o(QD,"resolveConnectContext");async function eM(e,t,r){let n=Ee.parse(GD(e,"connection"));switch(r){case"connect":Kr(t,await QD(e,n));return;case"app_password":Kr(t,{kind:"app_password",upstreamServerId:n,...KD(e),...FD(e)});return;case"callback":{let a=Kt(e.query.error);if(a){Kr(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...WD(e)});return}let i=Kt(e.query.code),s=Kt(e.query.state);if(i&&s){Kr(t,{kind:"callback_authorization_code",upstreamServerId:n,code:i,state:s});return}Kr(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":Kr(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:BD(e.query.authProfileId,n)});return}}o(eM,"resolveUpstreamRequestInbound");async function tM(e,t,r){try{await eM(e,t,r);return}catch(n){let a=le(n);if(!a)throw n;let i=n instanceof Error?n.message:void 0;return Ze(e,t,{code:a,...i===void 0?{}:{detail:i}})}}o(tM,"applyUpstreamRequestContext");function _a(e,t){return o(async(n,a)=>{let i=await tM(n,a,e);return i||t(n,a)},"wrapped")}o(_a,"withUpstreamRequestContext");var rM={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function nM(){return new Response(null,{status:204,headers:rM})}o(nM,"buildWellKnownPreflightResponse");function oM(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(oM,"withWellKnownCorsHeaders");function lp(e){return async(t,r)=>t.method==="OPTIONS"?nM():oM(await e(t,r))}o(lp,"wrapWellKnownHandler");var aM=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:lp(Tw)},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:lp(Aw)},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:lp(wg)},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:kw},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Ew},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:Pw},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:xw},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Ow},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:Uw},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:zw},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:Nw},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:Dw},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:_a("client_metadata",Gw)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:_a("connect",Hw)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:_a("callback",dp)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:_a("app_password",up)}];function Vw(e){if(e)return e.find(t=>Ti(t.policyType))}o(Vw,"findMcpOAuthPolicy");function Fw(e){return Vw(e)!==void 0}o(Fw,"shouldRegisterMcpGatewayInternalRoutes");function iM(e){let t=_d(e.policyType);if(!t){let r=yd();throw new et(`MCP gateway: unknown MCP authorization policy type '${String(e.policyType)}'. Registered policy types: ${r.length>0?r.join(", "):"<none>"}.`)}try{return t.getConfig(e.handler.options)}catch(r){throw r instanceof c.ZodError?new et(sM(e.name??e.policyType,r),{cause:r}):r}}o(iM,"resolveOAuthConfigFromPolicy");function sM(e,t){let r=t.issues.map(n=>`  - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
+`,wN=yt(SN);function rp(e){let t=gN(e.upstreams),r=[...e.upstreams].sort((m,f)=>{let _=o(y=>y.ownerMode!=="user"?2:y.status==="active"?1:0,"blockedRank"),S=_(m)-_(f);return S!==0?S:m.upstreamDisplayName.localeCompare(f.upstreamDisplayName)}),n=e.principalLabel?x`<span class="principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`:ye,a=e.virtualServerDescription?x`<p class="hero__description">${e.virtualServerDescription}</p>`:ye,i=Is(e.virtualServerIcons,e.virtualServerDisplayName),s=_N({mode:t,upstreams:r,clientDisplayName:e.clientDisplayName}),u=r.length===0?x`<div class="empty">This virtual server does not declare any upstream services.</div>`:x`<ul class="upstream-list">${r.map(m=>x`<li>${hN(m,e.gatewayOrigin)}</li>`)}</ul>`,d=yN({mode:t,state:e.state}),l=t==="grant"?x`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${nw}</span><span><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.virtualServerDisplayName}</strong>. You can revoke access at any time.</span></p>`:x`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${nw}</span><span>Authorization continues automatically once every required service is connected.</span></p>`,p=r.length>0?x`<span class="section-label__count">(${r.length})</span>`:ye;return Zt(x`<!doctype html><html lang="en"><head><meta charset="utf-8"><title>Authorize MCP access · ${e.virtualServerDisplayName}</title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="referrer" content="no-referrer"><meta name="robots" content="noindex"><style>${wN}</style></head><body><header class="topbar"><div class="topbar__inner"><div class="brand"><span class="brand__mark" aria-hidden="true">Z</span><span class="brand__name">Zuplo MCP Gateway</span></div>${n}</div></header><main class="shell-main"><div class="static-top"><div class="static-top__inner"><section class="hero"><h1 class="hero__title">Authorize access</h1><p class="hero__connection"><span class="hero__client">${e.clientDisplayName}</span><span class="hero__arrow" aria-label="will access">→</span><span class="hero__server">${i}${e.virtualServerDisplayName}</span></p>${a}</section>${s}</div></div><section class="upstream-region" aria-labelledby="upstreams-heading"><div class="upstream-region__head"><h2 id="upstreams-heading" class="section-label">Upstream services${p}</h2></div><div class="upstream-region__scroll"><div class="upstream-region__scroll-inner">${u}</div></div></section></main><div class="action-bar" role="region" aria-label="Authorization decision"><div class="action-bar__inner">${l}${d}</div></div></body></html>`)}o(rp,"renderConsentPage");function vN(e){try{return new URL(e).host}catch{return}}o(vN,"safeUrlHost");function RN(e){if(e.mode==="user_oauth"||e.mode==="tenant_shared_oauth")return e.oauth.scopes}o(RN,"readOAuthScopes");function np(e){return e!==void 0&&e.length>0}o(np,"hasItems");function bN(e){let t=e.registeredConnection.config.serverInfo?.icons;if(np(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&np(r)?r:void 0}o(bN,"readServerIcons");async function CN(e){if(!(e.returnTo===void 0||!e.isUserOwned))return pl({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(CN,"readConnectUrl");function Fr(e,t){return t===void 0?{}:{[e]:t}}o(Fr,"optionalRequirementField");function IN(e){return e.isUserOwned?$g(e.connection):{connected:!0,status:"active"}}o(IN,"readSetupConnectionStatus");function TN(e){let t=RN(e);return np(t)?t:void 0}o(TN,"readScopesRequested");function AN(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(AN,"readUpdatedAt");function kN(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(ki),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(Pi),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(Ei)}}o(kN,"readVirtualServerCapabilities");async function PN(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=Wi(r),u=s==="user",d=IN({connection:e.connection,isUserOwned:u}),l=await CN({...e,connected:d.connected,isUserOwned:u});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:kN({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...Fr("description",n.description),...Fr("transportHost",vN(n.transport.baseUrl)),...Fr("scopesRequested",TN(t)),...Fr("serverIcons",bN({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...Fr("connectUrl",l),...Fr("updatedAt",AN({connectionStatus:d,isUserOwned:u})),...Fr("expiresAt",e.connection?.expiresAt)}}o(PN,"buildSetupRequirement");function sw(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(sw,"requireVirtualServer");async function op(e){let t=sw(e.transaction.virtualServerId),r=mr(e.transaction.principal.tenantId,e.transaction.principal.subjectId),n=[],a=new Map;for(let u of t.connections)Wi(u.authMode)==="user"&&(a.set(u,n.length),n.push({owner:r,upstreamServerId:u.upstreamServerId,authProfileId:u.authProfileId}));let i=await q().upstreamConnectionRepository.batchGet(n),s=[];for(let u of t.connections){let d=Wi(u.authMode)==="user",l=a.get(u);s.push(await PN({connection:d&&l!==void 0?i[l]:void 0,registeredConnection:u,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(op,"requirementsForSetup");function EN(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(EN,"readVirtualServerDisplayName");async function ap(e){let t=e.repository??q().downstreamOAuthRepository,r=sw(e.transaction.virtualServerId),n=EN({virtualServer:r}),a=await t.getDcrClient(e.transaction.clientId),i={gatewayOrigin:re(e.requestUrl),virtualServerDisplayName:n,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:`${e.transaction.principal.subjectId} \xB7 ${e.transaction.principal.tenantId}`},s=r.serverInfo?.title;return s!==void 0&&s!==n&&(i.virtualServerDescription=s),i}o(ap,"consentContext");function cw(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(cw,"hasUnresolvedUserUpstream");var xN=["mcp_user"],ON="dev-browser-user",UN=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),zN=c.object({response_type:c.literal("code"),client_id:c.string().min(1),redirect_uri:c.string().min(1),resource:c.url(),code_challenge:c.string().min(43),code_challenge_method:Cn,state:c.string().min(1).optional(),scope:c.literal(ce).default(ce)}),NN=c.enum(["continue","approve","cancel"]).default("continue"),DN=c.object({state:c.string().min(1),decision:NN}),MN=c.object({state:c.string().min(1),apiKey:c.string().min(1)}),Zr=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function uw(e){return typeof e=="string"&&e.length>0?e:void 0}o(uw,"readQueryString");function qN(e,t){let r=uw(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new U("invalid_target",UN)}let n=Nr(t,e.url);if(r===void 0||r===n)return n;throw new U("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(qN,"requireAuthorizeResource");async function $N(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ys(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=ES(e);return{principal:i,setCookie:await la({principal:i,requestUrl:e.url,virtualServerId:t})}}o($N,"resolveBrowserPrincipal");async function LN(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ys(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(LN,"requireSetupPrincipal");async function dw(e){let t=await op({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await ap({transaction:e.transaction,requestUrl:e.requestUrl,...e.repository===void 0?{}:{repository:e.repository}}),n={kind:"setup_page",html:rp({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(dw,"renderSetup");function jN(e){return typeof e.decideAuthorizationSetup=="function"}o(jN,"usesRuntimeHttpAuthorizationOperations");function HN(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;if(t==="private_key_jwt")throw new U("invalid_client","OAuth client authentication method is not supported.");return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o(HN,"toAuthorizationTransactionClient");async function ip(e,t={}){let r=zN.parse({...e.query,resource:qN(e,t.virtualServerId),state:uw(e.query.state)}),n=Vr(r.scope);jn(r.redirect_uri);let a=q().downstreamOAuthRepository,i=new Date,s=le.parse(r.client_id),u=jN(a)&&s.startsWith("dcr:")?void 0:await ha(a,r.client_id,i);u!==void 0&&bs(u,r.redirect_uri);let d=u===void 0,l=d?Pt(e.url,r.resource):void 0;try{let p=l??Pt(e.url,r.resource),m=HN(u);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:s,virtualServerId:p.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved");let f={clientId:u?.clientId??s,...m===void 0?{}:{client:m},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:p.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:_,setCookie:S}=await $N(e,p.virtualServerId,t.context);if(!_){let w=await ZS({transaction:f,requestUrl:e.url,now:i,repository:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:s,virtualServerId:p.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let v={kind:"redirect",location:w.browserLoginUrl};return S!==void 0&&(v.setCookie=S),v}let y=await KS({transaction:f,principal:_,now:i,repository:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:s,virtualServerId:p.virtualServerId,tenantId:_.tenantId,subjectId:_.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),dw({transaction:y.transaction,csrfToken:y.csrfToken,requestUrl:e.url,repository:a,setCookie:S})}catch(p){throw d?p:GN({redirectUri:r.redirect_uri,clientState:r.state,cause:p})}}o(ip,"authorizeDownstreamClient");function GN(e){if(e.cause instanceof Zr)return e.cause;let t=BN(e.cause);return t?new Zr({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(GN,"toDownstreamAuthorizeRedirectError");function BN(e){if(e instanceof U)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof c.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o(BN,"mapToOAuthRedirectError");async function lw(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",p??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await Rs(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await OS(i),u=q().downstreamOAuthRepository,d=await Jl({browserLoginStateToken:n,principal:s,repository:u}),l=await dw({transaction:d.transaction,csrfToken:d.csrfToken,requestUrl:e.url,repository:u});return l.setCookie=await la({principal:s,requestUrl:e.url,virtualServerId:d.transaction.virtualServerId}),l}o(lw,"completeBrowserLoginCallback");async function pw(e){let t=ve();if(!t.devTenantId)throw g("authentication_required","Local browser login requires the `devTenantId` policy option on mcp-oauth-inbound.");let r=new URL(e.url);if(!Le(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",re(e.url)),i=new URL(re(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:X.parse(ON),tenantId:ue.parse(t.devTenantId),roles:xN};return{kind:"redirect",location:a,setCookie:await la({principal:s,requestUrl:e.url})}}o(pw,"completeLocalDevBrowserLogin");async function mw(e){let t=MN.parse(e.body),r=q().downstreamOAuthRepository,n=await WS({browserLoginStateToken:t.state,repository:r}),a=await xS({apiKey:t.apiKey,virtualServerId:n.virtualServerId}),i=await Jl({browserLoginStateToken:t.state,principal:a,repository:r});await Fy({apiKey:t.apiKey,principal:a,virtualServerId:i.transaction.virtualServerId});let s=new URL("/oauth/setup",gt(e.request.url));return s.searchParams.set("state",i.csrfToken),{kind:"redirect",location:s,setCookie:await la({principal:a,requestUrl:e.request.url,virtualServerId:i.transaction.virtualServerId})}}o(mw,"completeApiKeyBrowserLogin");function VN(e){let t=e.method==="POST"?e.body:e.query;return DN.parse(t)}o(VN,"readSetupContinueRequest");async function hw(e){let{state:t,decision:r}=VN({method:e.request.method,query:e.request.query,body:e.body}),n=q().downstreamOAuthRepository,a=new Date,i=await Yl({csrfToken:t,now:a,repository:n}),s=await LN(e.request,i.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await QS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})};let u=await ma({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n}),d=await op({transaction:u,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||cw(d)){let l=await ap({repository:n,transaction:u,requestUrl:e.request.url});return{kind:"setup_page",html:rp({state:t,virtualServerId:u.virtualServerId,upstreams:d,...l})}}return{kind:"redirect",location:await XS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})}}o(hw,"continueDownstreamAuthorizeSetup");Y();var FN=new Set(["authorization_code","refresh_token"]),ZN=c.discriminatedUnion("grant_type",[c.object({grant_type:c.literal("authorization_code"),code:c.string().min(1),redirect_uri:c.string().min(1),client_id:c.string().min(1).optional(),code_verifier:zi,resource:c.url().optional(),scope:c.literal(ce).optional(),client_secret:c.string().min(1).optional()}),c.object({grant_type:c.literal("refresh_token"),refresh_token:c.string().min(1),client_id:c.string().min(1).optional(),resource:c.url().optional(),scope:c.literal(ce).optional(),client_secret:c.string().min(1).optional()})]);function KN(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!FN.has(t)))throw new U("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(KN,"assertSupportedGrantType");var WN=c.object({token:c.string().min(1),client_id:c.string().min(1).optional(),token_type_hint:c.string().optional(),client_secret:c.string().min(1).optional()});function gw(){return ve().gateway.accessTokenTtlSeconds}o(gw,"readAccessTokenTtlSeconds");function _w(){return ve().gateway.refreshTokenTtlSeconds}o(_w,"readRefreshTokenTtlSeconds");async function fw(e){if(!e.client.hashedClientSecret||!e.clientSecret||e.clientSecretSource!==e.requiredSource)throw new U("invalid_client",e.missingMessage);if(!await bg({value:e.clientSecret,expectedHash:e.client.hashedClientSecret}))throw new U("invalid_client","Client authentication failed.")}o(fw,"requireClientSecretAuthentication");async function yw(e){switch(e.client.metadata.token_endpoint_auth_method){case"none":if(e.clientSecret)throw new U("invalid_request","Public clients must not authenticate with client_secret.");return;case"client_secret_basic":await fw({...e,requiredSource:"basic",missingMessage:"Client authentication with HTTP Basic is required."});return;case"client_secret_post":await fw({...e,requiredSource:"post",missingMessage:"Client authentication with client_secret_post is required."});return;case"private_key_jwt":throw new U("invalid_client","private_key_jwt client authentication is not supported.")}}o(yw,"requireClientAuthentication");function sp(e,t){let r=gw(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:O(ft(e,a)),expiresIn:a}}o(sp,"calculateAccessTokenExpiresAt");async function JN(e){let t=Ke(),r=await F(t),n=sp(e.now,e.grant.expiresAt);return await e.repository.saveAccessToken({tokenHash:r,grantId:e.grant.id,clientId:e.grant.clientId,resource:e.grant.resource,virtualServerId:e.grant.virtualServerId,tenantId:e.grant.tenantId,subjectId:e.grant.subjectId,scope:e.grant.scope,roles:e.grant.roles,createdAt:O(e.now),expiresAt:n.expiresAt}),{accessToken:t,expiresIn:n.expiresIn}}o(JN,"issueOpaqueAccessToken");function Sw(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new U("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new U("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new U("invalid_client","Malformed HTTP Basic client authentication.")}}o(Sw,"readBasicClientSecret");function ww(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new U("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new U("invalid_client","Client authentication or client_id is required.");return t}o(ww,"resolveAuthenticatedClientId");function vw(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new U("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(vw,"resolveClientSecretInput");function Rw(e){return typeof e.exchangeAuthorizationCodeWithClientAuth=="function"&&typeof e.refreshTokenWithClientAuth=="function"&&typeof e.revokeOAuthTokenWithClientAuth=="function"}o(Rw,"usesRuntimeHttpTokenOperations");async function bw(e){let t=le.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await F(e.clientSecret)}}o(bw,"buildRuntimeHttpClientAuth");async function Cw(e){KN(e.body);let t=ZN.parse(e.body),r=Sw(e.authorizationHeader),n=ww({basicClientId:r.clientId,bodyClientId:t.client_id}),a=q().downstreamOAuthRepository,i=new Date,s=vw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(Rw(a))return YN({parsed:t,clientId:n,clientSecretInput:s,now:i,repository:a,requestUrl:e.requestUrl});let u=await ha(a,n,i);if(await yw({client:u,...s}),t.grant_type==="authorization_code"){jn(t.redirect_uri),bs(u,t.redirect_uri),Vr(t.scope),t.resource!==void 0&&Pt(e.requestUrl??t.resource,t.resource);let S=Ke(),y=Ke(),w=O(ft(i,_w())),v=sp(i,w),R=await a.exchangeAuthorizationCode({codeHash:await F(t.code),clientId:u.clientId,redirectUri:t.redirect_uri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:await Ld(t.code_verifier),currentRefreshTokenHash:await F(S),accessTokenHash:await F(y),now:i,grantExpiresAt:w,accessTokenExpiresAt:v.expiresAt});if(R.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the authorization code resource.");if(R.kind!=="exchanged")throw new U("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context?.log.info({event:"oauth_token_issued",grantType:"authorization_code",clientId:u.clientId,scope:R.grant.scope,resource:R.grant.resource,expiresInSeconds:v.expiresIn},"OAuth access token issued (authorization_code grant)"),{access_token:y,token_type:"Bearer",expires_in:v.expiresIn,refresh_token:S,scope:R.grant.scope,resource:R.grant.resource}}Vr(t.scope);let d=await F(t.refresh_token);t.resource!==void 0&&Pt(e.requestUrl??t.resource,t.resource);let l=Ke(),p=await F(l),m=await a.rotateRefreshToken({currentTokenHash:d,nextTokenHash:p,clientId:u.clientId,...t.resource===void 0?{}:{resource:t.resource},now:i});if(m.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the refresh token grant resource.");if(m.kind!=="rotated")throw new U("invalid_grant","Refresh token is invalid, expired, or revoked.");let f=m.grant;if(f.revokedAt||f.clientId!==u.clientId)throw new U("invalid_grant","Refresh token grant is invalid or revoked.");Pt(e.requestUrl??f.resource,f.resource);let _=await JN({repository:a,grant:f,now:i});return e.context?.log.info({event:"oauth_token_refresh_rotated",grantType:"refresh_token",clientId:u.clientId,scope:f.scope,resource:f.resource,expiresInSeconds:_.expiresIn},"OAuth refresh token rotated and access token issued"),{access_token:_.accessToken,token_type:"Bearer",expires_in:_.expiresIn,refresh_token:l,scope:f.scope,resource:f.resource}}o(Cw,"exchangeDownstreamToken");async function YN(e){let t=await bw({clientId:e.clientId,...e.clientSecretInput});if(e.parsed.grant_type==="authorization_code"){jn(e.parsed.redirect_uri),Vr(e.parsed.scope),e.parsed.resource!==void 0&&Pt(e.requestUrl??e.parsed.resource,e.parsed.resource);let u=Ke(),d=Ke(),l=O(ft(e.now,_w())),p=sp(e.now,l),m=await e.repository.exchangeAuthorizationCodeWithClientAuth({clientAuth:t,codeHash:await F(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await Ld(e.parsed.code_verifier),currentRefreshTokenHash:await F(u),accessTokenHash:await F(d),grantExpiresAt:l,accessTokenExpiresAt:p.expiresAt,now:O(e.now)});if(m.kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");if(m.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the authorization code resource.");if(m.kind!=="exchanged")throw new U("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return{access_token:d,token_type:"Bearer",expires_in:p.expiresIn,refresh_token:u,scope:m.grant.scope,resource:m.grant.resource}}Vr(e.parsed.scope),e.parsed.resource!==void 0&&Pt(e.requestUrl??e.parsed.resource,e.parsed.resource);let r=Ke(),n=Ke(),a=O(ft(e.now,gw())),i=await e.repository.refreshTokenWithClientAuth({clientAuth:t,currentRefreshTokenHash:await F(e.parsed.refresh_token),nextRefreshTokenHash:await F(r),accessTokenHash:await F(n),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:a,now:O(e.now)});if(i.kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new U("invalid_grant","Refresh token is invalid, expired, or revoked.");Pt(e.requestUrl??i.grant.resource,i.grant.resource);let s=i.accessToken.expiresAt;return{access_token:n,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:i.grant.scope,resource:i.grant.resource}}o(YN,"exchangeDownstreamTokenWithRuntimeHttp");async function Iw(e){let t=WN.parse(e.body),r=Sw(e.authorizationHeader),n=ww({basicClientId:r.clientId,bodyClientId:t.client_id}),a=q().downstreamOAuthRepository,i=vw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(Rw(a)){let d=new Date;if((await a.revokeOAuthTokenWithClientAuth({clientAuth:await bw({clientId:n,...i}),tokenHash:await F(t.token),now:O(d)})).kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");return}let s=await ha(a,n,new Date);await yw({client:s,...i});let u=await F(t.token);await a.revokeOAuthToken({tokenHash:u,clientId:s.clientId,now:new Date}),e.context?.log.info({event:"oauth_token_revoked",clientId:s.clientId,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed")}o(Iw,"revokeDownstreamToken");var XN=64*1024,QN=16*1024,eD="text/html; charset=utf-8";function tD(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(tD,"formDataToObject");async function rD(e){return SS(e,{maxBytes:XN,label:"Request body"})}o(rD,"readJsonBody");async function Ts(e){return tD(await gs(e,{maxBytes:QN,label:"Request body"}))}o(Ts,"readFormBody");async function As(e,t,r){let n=de(r),a=r instanceof c.ZodError?Tw(r):r instanceof Error?r.message:void 0,i={code:n??"invalid_request"};return a!==void 0&&(i.detail=a),Ze(e,t,i)}o(As,"handleProblem");function fa(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(fa,"oauthErrorResponse");function nD(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(nD,"readOAuthProtocolHeaders");function oD(e,t){let r=Fe("internal_server_error");return fa({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:nD(e,t)})}o(oD,"oauthProtocolErrorResponse");function aD(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(aD,"readZodOAuthErrorCode");function iD(e){let t={error:aD(e)},r=Tw(e);return r!==void 0&&(t.errorDescription=r),fa(t)}o(iD,"oauthZodErrorResponse");function sD(e){let t=de(e);if(t===void 0)return;let r=Fe(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:uD(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,fa(n)}o(sD,"oauthGatewayProblemResponse");function cD(){let t={error:"server_error",status:500,errorDescription:Fe("internal_server_error").publicDetail};return fa(t)}o(cD,"oauthFallbackErrorResponse");function uD(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(uD,"readOAuthStatus");function Hn(e,t={}){return e instanceof Zr?dD(e):e instanceof U?oD(e,t):e instanceof c.ZodError?iD(e):sD(e)??cD()}o(Hn,"oauthProblemResponse");function Et(e,t,r){let n={event:t},a=!1;if(r instanceof U)n.oauthError=r.errorCode,n.status=r.status,Ae(n,"error",r);else if(r instanceof Zr)n.oauthError=r.errorCode,Ae(n,"error",r);else if(r instanceof c.ZodError){n.code="invalid_request",Ae(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=de(r);if(i!==void 0){let s=Fe(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",Ae(n,"error",r)}else a=!0,Ae(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(Et,"logUnexpectedOAuthHandlerError");function dD(e){let t;try{t=new URL(e.redirectUri)}catch{return fa({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(dD,"downstreamAuthorizeRedirectErrorResponse");function Tw(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(Tw,"formatZodErrorDetail");function lD(e,t){let r={event:"browser_login_callback_failed",code:de(t)??"invalid_request"};Ae(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(lD,"logBrowserLoginCallbackFailure");function cp(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(cp,"redirectResultResponse");function ks(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":eD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return cp(e)}o(ks,"authorizeResultResponse");async function Aw(e,t){try{return Response.json(qd(e.url))}catch(r){return Et(t,"oauth_authorization_server_metadata_failed",r),As(e,t,r)}}o(Aw,"authorizationServerMetadataHandler");async function kw(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return Response.json(Sg({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return Et(t,"oauth_authorization_server_metadata_failed",r),As(e,t,r)}}o(kw,"scopedAuthorizationServerMetadataHandler");async function Pw(e,t){try{let r=await tw(await rD(e)),n=r;return t.log.info({event:"oauth_dcr_client_registered",clientId:typeof n.client_id=="string"?n.client_id:void 0,clientName:typeof n.client_name=="string"?n.client_name:void 0,redirectUriCount:Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,tokenEndpointAuthMethod:typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0},"OAuth Dynamic Client Registration completed"),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Et(t,"oauth_register_failed",r),Hn(r)}}o(Pw,"registerHandler");async function Ew(e,t){try{return ks(await ip(e,{context:t}))}catch(r){return Et(t,"oauth_authorize_failed",r),Hn(r,{includeInvalidClientChallenge:!1})}}o(Ew,"authorizeHandler");async function xw(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return ks(await ip(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return Et(t,"oauth_authorize_scoped_failed",r),Hn(r,{includeInvalidClientChallenge:!1})}}o(xw,"scopedAuthorizeHandler");async function Ow(e,t){try{let r=await lw(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),ks(r)}catch(r){return lD(t,r),As(e,t,r)}}o(Ow,"callbackHandler");async function Uw(e,t){try{return cp(await pw(e))}catch(r){return Et(t,"oauth_dev_login_failed",r),Hn(r)}}o(Uw,"devLoginHandler");async function zw(e,t){try{if(e.method==="GET"){let r=typeof e.query.state=="string"?e.query.state:void 0;return r?bS(r):Vl(400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):cp(await mw({request:e,body:await Ts(e)}))}catch(r){return Et(t,"oauth_api_key_login_failed",r),Vl()}}o(zw,"apiKeyLoginHandler");async function Nw(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await hw({request:e,body:e.method==="POST"?await Ts(e):void 0,context:t});return ks(r)}catch(r){return Et(t,"oauth_setup_failed",r),As(e,t,r)}}o(Nw,"setupHandler");async function Dw(e,t){try{return Response.json(await Cw({body:await Ts(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Et(t,"oauth_token_failed",r),Hn(r)}}o(Dw,"tokenHandler");async function Mw(e,t){try{return await Iw({body:await Ts(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Et(t,"oauth_revoke_failed",r),Hn(r)}}o(Mw,"revokeHandler");var pD={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},qw=new Ut("upstream-request");function mD(e){let t=qw.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(mD,"readUpstreamRequestContext");function hD(e,t){return t.some(r=>r===e)}o(hD,"requestContextMatchesKind");function fD(e){return typeof e=="string"?[e]:e}o(fD,"toExpectedKinds");function Kr(e,t){qw.set(e,t)}o(Kr,"setUpstreamRequestContext");function Wr(e,t){let r=mD(e),n=fD(t);if(!hD(r.kind,n)){let a=pD[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(Wr,"requireUpstreamRequestContext");var gD="text/html; charset=utf-8",_D="none";function $w(e){return x`<!doctype html><html><head><title>${e.title}</title><meta name="viewport" content="width=device-width, initial-scale=1"></head><body data-gateway-error-code="${e.code??_D}"><main><h1>${e.title}</h1><p>${e.body}</p></main></body></html>`}o($w,"browserResultHtml");function Lw(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":gD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(Lw,"browserResultResponse");function Ps(e){return Lw($w(e))}o(Ps,"browserConnectionSuccessResponse");function Gn(e){let t=Mf(e);return Lw($w({title:t.title,body:t.body,code:e}),400)}o(Gn,"browserConnectionFailureResponse");var yD="text/html; charset=utf-8",SD=16*1024;function wD(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":yD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(wD,"htmlResponse");function vD(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(vD,"safeRedirect");function RD(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(RD,"requireBrowserTicket");function bD(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(bD,"appPasswordTicketMatchesTarget");async function jw(e){let t=RD(e.browserTicket),r=await es(t);if(!bD(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(jw,"readAppPasswordTarget");function CD(e){let t=yl(e.upstreamServerId,e.authProfileId),r=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,n=t.kind==="basic_auth_app_password"?x`<label for="username">${t.usernameLabel}</label><input id="username" name="username" required autocomplete="username"><label for="appPassword">${t.passwordLabel}</label><input id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:x`<label for="token">${t.label}</label><input id="token" name="token" type="password" required autocomplete="off">`;return wD(x`<!doctype html><html><head><title>Connect upstream</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;margin:0;padding:32px;background:#f8fafc;color:#0f172a}main{max-width:440px;margin:0 auto;background:white;border:1px solid #dbe3ee;border-radius:8px;padding:24px;box-shadow:0 1px 2px rgba(15,23,42,.06)}label{display:block;font-size:14px;font-weight:600;margin:16px 0 6px}input{box-sizing:border-box;width:100%;border:1px solid #b8c3d4;border-radius:6px;padding:10px 12px;font:inherit}button{margin-top:20px;border:0;border-radius:6px;background:#0f172a;color:white;padding:10px 14px;font:inherit;font-weight:600;cursor:pointer}p{color:#475569;line-height:1.5}</style></head><body><main><h1>Connect upstream</h1><p>Enter the per-user credential for this approved upstream. The gateway stores it encrypted and keeps it out of MCP client configuration.</p><form method="post" action="${r}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}">${n}<button type="submit">Connect</button></form></main></body></html>`)}o(CD,"renderCaptureForm");function Es(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(Es,"readRequiredFormValue");function ID(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(ID,"readCaptureFormTargetInput");async function TD(e){return CD(await jw(ID(e)))}o(TD,"handleCaptureFormRequest");async function AD(e){let t=await gs(e.request,{maxBytes:SD,label:"App password request body"});return{form:t,target:await jw({upstreamServerId:e.upstreamServerId,browserTicket:Es(t,"browserTicket")})}}o(AD,"readSubmittedAppPasswordTarget");async function kD(e){let t=Pn(e.target.ticket);if(await ts(e.target.ticket),yl(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await rs({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:Es(e.form,"token")});return}await dy({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:Es(e.form,"username"),appPassword:Es(e.form,"appPassword")})}o(kD,"saveSubmittedAppPasswordCredential");function PD(e,t){return t.ticket.returnTo?vD(e,t.ticket.returnTo):Ps({title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(PD,"appPasswordSuccessResponse");async function ED(e){let t=await AD({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await kD(t),PD(e.request.url,t.target)}o(ED,"handleAppPasswordSubmission");function xD(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(xD,"methodNotAllowedResponse");function OD(e){let t=de(e);return Gn(wi(t)?t:"oauth_state_invalid")}o(OD,"appPasswordFailureResponse");async function UD(e){switch(e.request.method){case"GET":return TD(e.appPasswordRequest);case"POST":return ED(e);default:return xD()}}o(UD,"handleAppPasswordMethod");async function up(e,t){let r=Wr(t,"app_password");try{return await UD({request:e,appPasswordRequest:r})}catch(n){return OD(n)}}o(up,"appPasswordHandler");var zD=["callback_authorization_code","callback_provider_error","callback_invalid"];function ND(e){return"cause"in e?e.cause:void 0}o(ND,"readErrorCause");function DD(e){return e.stack?.split(`
+`).slice(1,4).map(t=>t.trim()).join(" | ")}o(DD,"readFirstStackFrame");function Hw(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=DD(r))}o(Hw,"addErrorAttributes");function MD(e,t){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),Gn("provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Gn("oauth_state_invalid");case"callback_authorization_code":return t}}o(MD,"requireAuthorizationCallbackRequest");function qD(e,t){We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(qD,"emitCallbackReceivedAnalyticsEvent");function $D(e,t){We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o($D,"emitTokenExchangeSucceededAnalyticsEvent");function LD(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return Ps({title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(LD,"buildSuccessfulCallbackResponse");function jD(e){let t={detail:e instanceof Error?e.message:void 0};return Hw(t,"error",e),e instanceof Error&&Hw(t,"cause",ND(e)),t}o(jD,"buildTokenExchangeFailureAttributes");function HD(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:de(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:jD(e.error)})}o(HD,"emitTokenExchangeFailedAnalyticsEvent");function GD(e){let t=de(e);return Gn(wi(t)?t:"upstream_token_exchange_failed")}o(GD,"tokenExchangeFailureResponse");async function dp(e,t){let r=Wr(t,zD),n=MD(t,r);if(n instanceof Response)return n;qD(t,n);try{let a=await Ky({request:e,callbackRequest:n});return $D(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,virtualServerId:a.virtualServerId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),LD(e,a)}catch(a){let i={event:"upstream_oauth_token_exchange_failed",code:de(a)??"upstream_token_exchange_failed",upstreamServerId:n.upstreamServerId};return Ae(i,"error",a),t.log.warn(i,"Upstream OAuth token exchange failed; user shown connection-failure page"),HD({context:t,callbackRequest:n,error:a}),GD(a)}}o(dp,"callbackHandler");function BD(e){let t=de(e);return t==="unknown_upstream_server"?t:"not_found"}o(BD,"clientMetadataProblemCode");function VD(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(VD,"clientMetadataProblemDetail");async function Gw(e,t){let r=Wr(t,"connect"),n=await Zy({request:e,connectRequest:r});if(We(t,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await On({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(Gw,"connectHandler");async function Bw(e,t){let r=Wr(t,"client_metadata");try{let n=Oy(e.url),a=Uy(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=BD(n),i=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),Ze(e,t,{code:a,detail:VD(n)})}}o(Bw,"oauthClientMetadataHandler");function Kt(e){if(typeof e=="string"&&e.length!==0)return e}o(Kt,"readOptionalQueryString");function FD(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(FD,"requirePathString");function Vw(e){let t=Kt(e);return t?me.parse(t):void 0}o(Vw,"readOptionalVirtualServerId");function ZD(e,t){let r=Kt(e);return r?Pe.parse(r):vn(t,"user_oauth")}o(ZD,"readOptionalAuthProfileId");function KD(e){let t=Vw(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(KD,"readRequiredVirtualServerId");function WD(e){let t=Kt(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(WD,"readOptionalBrowserTicket");function JD(e){let t=Gi(Kt(e));return t===void 0?{}:{returnTo:t}}o(JD,"readOptionalReturnTo");function YD(e){let t=Vw(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(YD,"readOptionalVirtualServerIdContext");function XD(e){let t=Kt(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(XD,"readOptionalProviderErrorDescription");function QD(e){let t=At(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(QD,"requireConnectableRouteAuth");function eM(e,t,r,n){let a=fs(e,t);if(a.ownerMode==="none"||a.authMode==="tenant_static_secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(eM,"buildConnectContextForPrincipal");function tM(e,t,r){let n=Pn(t),a=At(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(tM,"buildConnectContextForTicket");async function rM(e,t){let r=QD(fS(t,KD(e.query.virtualServerId))),n=e.query.redirect==="true",a=Kt(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let s=Tn(e.user,e.url);return eM(r,s,n,JD(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let i=await es(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await ts(i),tM(r,i,n)}o(rM,"resolveConnectContext");async function nM(e,t,r){let n=ke.parse(FD(e,"connection"));switch(r){case"connect":Kr(t,await rM(e,n));return;case"app_password":Kr(t,{kind:"app_password",upstreamServerId:n,...YD(e),...WD(e)});return;case"callback":{let a=Kt(e.query.error);if(a){Kr(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...XD(e)});return}let i=Kt(e.query.code),s=Kt(e.query.state);if(i&&s){Kr(t,{kind:"callback_authorization_code",upstreamServerId:n,code:i,state:s});return}Kr(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":Kr(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:ZD(e.query.authProfileId,n)});return}}o(nM,"resolveUpstreamRequestInbound");async function oM(e,t,r){try{await nM(e,t,r);return}catch(n){let a=de(n);if(!a)throw n;let i=n instanceof Error?n.message:void 0;return Ze(e,t,{code:a,...i===void 0?{}:{detail:i}})}}o(oM,"applyUpstreamRequestContext");function ga(e,t){return o(async(n,a)=>{let i=await oM(n,a,e);return i||t(n,a)},"wrapped")}o(ga,"withUpstreamRequestContext");var aM={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function iM(){return new Response(null,{status:204,headers:aM})}o(iM,"buildWellKnownPreflightResponse");function sM(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(sM,"withWellKnownCorsHeaders");function lp(e){return async(t,r)=>t.method==="OPTIONS"?iM():sM(await e(t,r))}o(lp,"wrapWellKnownHandler");var cM=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:lp(Aw)},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:lp(kw)},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:lp(wg)},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Pw},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Ew},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:xw},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Ow},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Uw},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:zw},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:Nw},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:Dw},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:Mw},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ga("client_metadata",Bw)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ga("connect",Gw)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ga("callback",dp)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:ga("app_password",up)}];function Fw(e){if(e)return e.find(t=>Ii(t.policyType))}o(Fw,"findMcpOAuthPolicy");function Zw(e){return Fw(e)!==void 0}o(Zw,"shouldRegisterMcpGatewayInternalRoutes");function uM(e){let t=gd(e.policyType);if(!t){let r=_d();throw new Ot(`MCP gateway: unknown MCP authorization policy type '${String(e.policyType)}'. Registered policy types: ${r.length>0?r.join(", "):"<none>"}.`)}try{return t.getConfig(e.handler.options)}catch(r){throw r instanceof c.ZodError?new Ot(dM(e.name??e.policyType,r),{cause:r}):r}}o(uM,"resolveOAuthConfigFromPolicy");function dM(e,t){let r=t.issues.map(n=>`  - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
 `);return`MCP OAuth policy "${e}" is misconfigured. Missing/invalid options:
-${r}`}o(sM,"formatPolicyConfigError");function Zw(e){let t=Vw(e.policies);if(!t){let r=yd(),n=r.length>0?`Add one of [${r.map(a=>`\`${a}\``).join(", ")}] and reference it on your MCP routes.`:"Register an MCP authorization policy descriptor and reference it on your MCP routes.";throw new et(`MCP gateway: could not find an MCP authorization policy in policies.json. ${n}`)}fg(iM(t)),Jf(Wf({routes:e.routes,policies:e.policies}))}o(Zw,"initializeMcpGatewayState");function cM(e,t){return async(r,n)=>{let a=n,i=r.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:r.method},`MCP gateway: ${e} received`);try{let u=await t(r,n);return i||a.log.info({event:`${e}_responded`,status:u.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),u}catch(u){let d={event:`${e}_threw`,durationMs:Date.now()-s};throw ke(d,"err",u),a.log.error(d,`MCP gateway: ${e} threw`),u}}}o(cM,"wrapInternalHandler");function Kw(e){for(let t of aM){let r=cM(t.routeName,t.handler),n=o((a,i)=>r(a,i),"handler");e.addPluginRoute({path:t.path,methods:t.methods,handler:n,processors:[Ds],corsPolicy:"none"})}}o(Kw,"registerMcpGatewayInternalRoutes");var pp=class extends yp{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;r&&Fw(r.policies)&&(Zw({routes:r.routes,policies:r.policies}),Kw(t.router))}};export{$0 as McpAuth0OAuthInboundPolicy,pp as McpGatewayPlugin,H0 as McpOAuthInboundPolicy,F0 as McpUpstreamConnectionInboundPolicy,E0 as McpVirtualServerHandler};
+${r}`}o(dM,"formatPolicyConfigError");function Kw(e){let t=Fw(e.policies);if(!t){let r=_d(),n=r.length>0?`Add one of [${r.map(a=>`\`${a}\``).join(", ")}] and reference it on your MCP routes.`:"Register an MCP authorization policy descriptor and reference it on your MCP routes.";throw new Ot(`MCP gateway: could not find an MCP authorization policy in policies.json. ${n}`)}fg(uM(t)),Jf(Wf({routes:e.routes,policies:e.policies}))}o(Kw,"initializeMcpGatewayState");function lM(e,t){return async(r,n)=>{let a=n,i=r.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:r.method},`MCP gateway: ${e} received`);try{let u=await t(r,n);return i||a.log.info({event:`${e}_responded`,status:u.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),u}catch(u){let d={event:`${e}_threw`,durationMs:Date.now()-s};throw Ae(d,"err",u),a.log.error(d,`MCP gateway: ${e} threw`),u}}}o(lM,"wrapInternalHandler");function Ww(e){for(let t of cM){let r=lM(t.routeName,t.handler),n=o((a,i)=>r(a,i),"handler");e.addPluginRoute({path:t.path,methods:t.methods,handler:n,processors:[zs],corsPolicy:"none"})}}o(Ww,"registerMcpGatewayInternalRoutes");var pp=class extends yp{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;r&&Zw(r.policies)&&(Kw({routes:r.routes,policies:r.policies}),Ww(t.router))}};export{H0 as McpAuth0OAuthInboundPolicy,pp as McpGatewayPlugin,V0 as McpOAuthInboundPolicy,W0 as McpUpstreamConnectionInboundPolicy,O0 as McpVirtualServerHandler};
 //# sourceMappingURL=index.js.map