@zuplo/runtime 6.70.16 → 6.70.21

package/out/esm/mcp-gateway/index.js

@@ -22,37 +22,37 @@
  *  DEALINGS IN THE SOFTWARE.
  *--------------------------------------------------------------------------------------------*/
     
-import{$ as pe,H as Sp,I as Ds,J as Yw,K as wp,L as h,M as vp,N as K,O as ee,P as Rp,Q as bp,R as he,S as b,T as C,U as Se,V as se,W as Ms,X as qs,Y as ne,Z as Xe,_ as P,a as Wt,aa as Cp,b as _p,ba as $s,ca as Ip,da as Tp,ea as c,fa as Y,j as Vn,k as yp,q as zs,z as Ut}from"../chunk-STBDRSX7.js";import{d as Ns}from"../chunk-YJ3VHQXF.js";import{a as H}from"../chunk-NJNTFB34.js";import{X as _a,Y as Ot,Z as gp,a as o,c as T,e as fp}from"../chunk-KWR5BV7H.js";var ao=T(W=>{"use strict";Object.defineProperty(W,"__esModule",{value:!0});W.regexpCode=W.getEsmExportName=W.getProperty=W.safeStringify=W.stringify=W.strConcat=W.addCodeArg=W.str=W._=W.nil=W._Code=W.Name=W.IDENTIFIER=W._CodeOrName=void 0;var no=class{static{o(this,"_CodeOrName")}};W._CodeOrName=no;W.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var Rr=class extends no{static{o(this,"Name")}constructor(t){if(super(),!W.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};W.Name=Rr;var rt=class extends no{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof Rr&&(r[n.str]=(r[n.str]||0)+1),r),{})}};W._Code=rt;W.nil=new rt("");function Bp(e,...t){let r=[e[0]],n=0;for(;n<t.length;)Sc(r,t[n]),r.push(e[++n]);return new rt(r)}o(Bp,"_");W._=Bp;var yc=new rt("+");function Vp(e,...t){let r=[oo(e[0])],n=0;for(;n<t.length;)r.push(yc),Sc(r,t[n]),r.push(yc,oo(e[++n]));return RR(r),new rt(r)}o(Vp,"str");W.str=Vp;function Sc(e,t){t instanceof rt?e.push(...t._items):t instanceof Rr?e.push(t):e.push(IR(t))}o(Sc,"addCodeArg");W.addCodeArg=Sc;function RR(e){let t=1;for(;t<e.length-1;){if(e[t]===yc){let r=bR(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(RR,"optimize");function bR(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof Rr||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof Rr))return`"${e}${t.slice(1)}`}o(bR,"mergeExprItems");function CR(e,t){return t.emptyStr()?e:e.emptyStr()?t:Vp`${e}${t}`}o(CR,"strConcat");W.strConcat=CR;function IR(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:oo(Array.isArray(e)?e.join(","):e)}o(IR,"interpolate");function TR(e){return new rt(oo(e))}o(TR,"stringify");W.stringify=TR;function oo(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(oo,"safeStringify");W.safeStringify=oo;function AR(e){return typeof e=="string"&&W.IDENTIFIER.test(e)?new rt(`.${e}`):Bp`[${e}]`}o(AR,"getProperty");W.getProperty=AR;function kR(e){if(typeof e=="string"&&W.IDENTIFIER.test(e))return new rt(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(kR,"getEsmExportName");W.getEsmExportName=kR;function PR(e){return new rt(e.toString())}o(PR,"regexpCode");W.regexpCode=PR});var Rc=T(Ge=>{"use strict";Object.defineProperty(Ge,"__esModule",{value:!0});Ge.ValueScope=Ge.ValueScopeName=Ge.Scope=Ge.varKinds=Ge.UsedValueState=void 0;var He=ao(),wc=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},Ua;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(Ua||(Ge.UsedValueState=Ua={}));Ge.varKinds={const:new He.Name("const"),let:new He.Name("let"),var:new He.Name("var")};var za=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof He.Name?t:this.name(t)}name(t){return new He.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};Ge.Scope=za;var Na=class extends He.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,He._)`.${new He.Name(r)}[${n}]`}};Ge.ValueScopeName=Na;var ER=(0,He._)`\n`,vc=class extends za{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?ER:He.nil}}get(){return this._scope}name(t){return new Na(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:i}=a,s=(n=r.key)!==null&&n!==void 0?n:r.ref,u=this._values[i];if(u){let p=u.get(s);if(p)return p}else u=this._values[i]=new Map;u.set(s,a);let d=this._scope[i]||(this._scope[i]=[]),l=d.length;return d[l]=r.ref,a.setValue(r,{property:i,itemIndex:l}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,He._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let i=He.nil;for(let s in t){let u=t[s];if(!u)continue;let d=n[s]=n[s]||new Map;u.forEach(l=>{if(d.has(l))return;d.set(l,Ua.Started);let p=r(l);if(p){let m=this.opts.es5?Ge.varKinds.var:Ge.varKinds.const;i=(0,He._)`${i}${m} ${l} = ${p};${this.opts._n}`}else if(p=a?.(l))i=(0,He._)`${i}${p}${this.opts._n}`;else throw new wc(l);d.set(l,Ua.Completed)})}return i}};Ge.ValueScope=vc});var L=T(j=>{"use strict";Object.defineProperty(j,"__esModule",{value:!0});j.or=j.and=j.not=j.CodeGen=j.operators=j.varKinds=j.ValueScopeName=j.ValueScope=j.Scope=j.Name=j.regexpCode=j.stringify=j.getProperty=j.nil=j.strConcat=j.str=j._=void 0;var B=ao(),dt=Rc(),or=ao();Object.defineProperty(j,"_",{enumerable:!0,get:o(function(){return or._},"get")});Object.defineProperty(j,"str",{enumerable:!0,get:o(function(){return or.str},"get")});Object.defineProperty(j,"strConcat",{enumerable:!0,get:o(function(){return or.strConcat},"get")});Object.defineProperty(j,"nil",{enumerable:!0,get:o(function(){return or.nil},"get")});Object.defineProperty(j,"getProperty",{enumerable:!0,get:o(function(){return or.getProperty},"get")});Object.defineProperty(j,"stringify",{enumerable:!0,get:o(function(){return or.stringify},"get")});Object.defineProperty(j,"regexpCode",{enumerable:!0,get:o(function(){return or.regexpCode},"get")});Object.defineProperty(j,"Name",{enumerable:!0,get:o(function(){return or.Name},"get")});var $a=Rc();Object.defineProperty(j,"Scope",{enumerable:!0,get:o(function(){return $a.Scope},"get")});Object.defineProperty(j,"ValueScope",{enumerable:!0,get:o(function(){return $a.ValueScope},"get")});Object.defineProperty(j,"ValueScopeName",{enumerable:!0,get:o(function(){return $a.ValueScopeName},"get")});Object.defineProperty(j,"varKinds",{enumerable:!0,get:o(function(){return $a.varKinds},"get")});j.operators={GT:new B._Code(">"),GTE:new B._Code(">="),LT:new B._Code("<"),LTE:new B._Code("<="),EQ:new B._Code("==="),NEQ:new B._Code("!=="),NOT:new B._Code("!"),OR:new B._Code("||"),AND:new B._Code("&&"),ADD:new B._Code("+")};var Mt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},bc=class extends Mt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?dt.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=nn(this.rhs,t,r)),this}get names(){return this.rhs instanceof B._CodeOrName?this.rhs.names:{}}},Da=class extends Mt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof B.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=nn(this.rhs,t,r),this}get names(){let t=this.lhs instanceof B.Name?{}:{...this.lhs.names};return qa(t,this.rhs)}},Cc=class extends Da{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},Ic=class extends Mt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},Tc=class extends Mt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},Ac=class extends Mt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},kc=class extends Mt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=nn(this.code,t,r),this}get names(){return this.code instanceof B._CodeOrName?this.code.names:{}}},io=class extends Mt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let i=n[a];i.optimizeNames(t,r)||(xR(t,i.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>Ir(t,r.names),{})}},qt=class extends io{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},Pc=class extends io{static{o(this,"Root")}},rn=class extends qt{static{o(this,"Else")}};rn.kind="else";var br=class e extends qt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new rn(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(Fp(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=nn(this.condition,t,r),this}get names(){let t=super.names;return qa(t,this.condition),this.else&&Ir(t,this.else.names),t}};br.kind="if";var Cr=class extends qt{static{o(this,"For")}};Cr.kind="for";var Ec=class extends Cr{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=nn(this.iteration,t,r),this}get names(){return Ir(super.names,this.iteration.names)}},xc=class extends Cr{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?dt.varKinds.var:this.varKind,{name:n,from:a,to:i}=this;return`for(${r} ${n}=${a}; ${n}<${i}; ${n}++)`+super.render(t)}get names(){let t=qa(super.names,this.from);return qa(t,this.to)}},Ma=class extends Cr{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=nn(this.iterable,t,r),this}get names(){return Ir(super.names,this.iterable.names)}},so=class extends qt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};so.kind="func";var co=class extends io{static{o(this,"Return")}render(t){return"return "+super.render(t)}};co.kind="return";var Oc=class extends qt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&Ir(t,this.catch.names),this.finally&&Ir(t,this.finally.names),t}},uo=class extends qt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};uo.kind="catch";var lo=class extends qt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};lo.kind="finally";var Uc=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
-`:""},this._extScope=t,this._scope=new dt.Scope({parent:t}),this._nodes=[new Pc]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let i=this._scope.toName(r);return n!==void 0&&a&&(this._constants[i.str]=n),this._leafNode(new bc(t,i,n)),i}const(t,r,n){return this._def(dt.varKinds.const,t,r,n)}let(t,r,n){return this._def(dt.varKinds.let,t,r,n)}var(t,r,n){return this._def(dt.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new Da(t,r,n))}add(t,r){return this._leafNode(new Cc(t,j.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==B.nil&&this._leafNode(new kc(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,B.addCodeArg)(r,a));return r.push("}"),new B._Code(r)}if(t,r,n){if(this._blockNode(new br(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new br(t))}else(){return this._elseNode(new rn)}endIf(){return this._endBlockNode(br,rn)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new Ec(t),r)}forRange(t,r,n,a,i=this.opts.es5?dt.varKinds.var:dt.varKinds.let){let s=this._scope.toName(t);return this._for(new xc(i,s,r,n),()=>a(s))}forOf(t,r,n,a=dt.varKinds.const){let i=this._scope.toName(t);if(this.opts.es5){let s=r instanceof B.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,B._)`${s}.length`,u=>{this.var(i,(0,B._)`${s}[${u}]`),n(i)})}return this._for(new Ma("of",a,i,r),()=>n(i))}forIn(t,r,n,a=this.opts.es5?dt.varKinds.var:dt.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,B._)`Object.keys(${r})`,n);let i=this._scope.toName(t);return this._for(new Ma("in",a,i,r),()=>n(i))}endFor(){return this._endBlockNode(Cr)}label(t){return this._leafNode(new Ic(t))}break(t){return this._leafNode(new Tc(t))}return(t){let r=new co;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(co)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new Oc;if(this._blockNode(a),this.code(t),r){let i=this.name("e");this._currNode=a.catch=new uo(i),r(i)}return n&&(this._currNode=a.finally=new lo,this.code(n)),this._endBlockNode(uo,lo)}throw(t){return this._leafNode(new Ac(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=B.nil,n,a){return this._blockNode(new so(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(so)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof br))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};j.CodeGen=Uc;function Ir(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(Ir,"addNames");function qa(e,t){return t instanceof B._CodeOrName?Ir(e,t.names):e}o(qa,"addExprNames");function nn(e,t,r){if(e instanceof B.Name)return n(e);if(!a(e))return e;return new B._Code(e._items.reduce((i,s)=>(s instanceof B.Name&&(s=n(s)),s instanceof B._Code?i.push(...s._items):i.push(s),i),[]));function n(i){let s=r[i.str];return s===void 0||t[i.str]!==1?i:(delete t[i.str],s)}function a(i){return i instanceof B._Code&&i._items.some(s=>s instanceof B.Name&&t[s.str]===1&&r[s.str]!==void 0)}}o(nn,"optimizeExpr");function xR(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(xR,"subtractNames");function Fp(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,B._)`!${zc(e)}`}o(Fp,"not");j.not=Fp;var OR=Zp(j.operators.AND);function UR(...e){return e.reduce(OR)}o(UR,"and");j.and=UR;var zR=Zp(j.operators.OR);function NR(...e){return e.reduce(zR)}o(NR,"or");j.or=NR;function Zp(e){return(t,r)=>t===B.nil?r:r===B.nil?t:(0,B._)`${zc(t)} ${e} ${zc(r)}`}o(Zp,"mappend");function zc(e){return e instanceof B.Name?e:(0,B._)`(${e})`}o(zc,"par")});var J=T(G=>{"use strict";Object.defineProperty(G,"__esModule",{value:!0});G.checkStrictMode=G.getErrorPath=G.Type=G.useFunc=G.setEvaluated=G.evaluatedPropsToName=G.mergeEvaluated=G.eachItem=G.unescapeJsonPointer=G.escapeJsonPointer=G.escapeFragment=G.unescapeFragment=G.schemaRefOrVal=G.schemaHasRulesButRef=G.schemaHasRules=G.checkUnknownRules=G.alwaysValidSchema=G.toHash=void 0;var te=L(),DR=ao();function MR(e){let t={};for(let r of e)t[r]=!0;return t}o(MR,"toHash");G.toHash=MR;function qR(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(Jp(e,t),!Yp(t,e.self.RULES.all))}o(qR,"alwaysValidSchema");G.alwaysValidSchema=qR;function Jp(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let i in t)a[i]||em(e,`unknown keyword: "${i}"`)}o(Jp,"checkUnknownRules");G.checkUnknownRules=Jp;function Yp(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(Yp,"schemaHasRules");G.schemaHasRules=Yp;function $R(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o($R,"schemaHasRulesButRef");G.schemaHasRulesButRef=$R;function LR({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,te._)`${r}`}return(0,te._)`${e}${t}${(0,te.getProperty)(n)}`}o(LR,"schemaRefOrVal");G.schemaRefOrVal=LR;function jR(e){return Xp(decodeURIComponent(e))}o(jR,"unescapeFragment");G.unescapeFragment=jR;function HR(e){return encodeURIComponent(Dc(e))}o(HR,"escapeFragment");G.escapeFragment=HR;function Dc(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Dc,"escapeJsonPointer");G.escapeJsonPointer=Dc;function Xp(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(Xp,"unescapeJsonPointer");G.unescapeJsonPointer=Xp;function GR(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(GR,"eachItem");G.eachItem=GR;function Kp({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,i,s,u)=>{let d=s===void 0?i:s instanceof te.Name?(i instanceof te.Name?e(a,i,s):t(a,i,s),s):i instanceof te.Name?(t(a,s,i),i):r(i,s);return u===te.Name&&!(d instanceof te.Name)?n(a,d):d}}o(Kp,"makeMergeEvaluated");G.mergeEvaluated={props:Kp({mergeNames:o((e,t,r)=>e.if((0,te._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,te._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,te._)`${r} || {}`).code((0,te._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,te._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,te._)`${r} || {}`),Mc(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:Qp}),items:Kp({mergeNames:o((e,t,r)=>e.if((0,te._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,te._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,te._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,te._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function Qp(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,te._)`{}`);return t!==void 0&&Mc(e,r,t),r}o(Qp,"evaluatedPropsToName");G.evaluatedPropsToName=Qp;function Mc(e,t,r){Object.keys(r).forEach(n=>e.assign((0,te._)`${t}${(0,te.getProperty)(n)}`,!0))}o(Mc,"setEvaluated");G.setEvaluated=Mc;var Wp={};function BR(e,t){return e.scopeValue("func",{ref:t,code:Wp[t.code]||(Wp[t.code]=new DR._Code(t.code))})}o(BR,"useFunc");G.useFunc=BR;var Nc;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(Nc||(G.Type=Nc={}));function VR(e,t,r){if(e instanceof te.Name){let n=t===Nc.Num;return r?n?(0,te._)`"[" + ${e} + "]"`:(0,te._)`"['" + ${e} + "']"`:n?(0,te._)`"/" + ${e}`:(0,te._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,te.getProperty)(e).toString():"/"+Dc(e)}o(VR,"getErrorPath");G.getErrorPath=VR;function em(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(em,"checkStrictMode");G.checkStrictMode=em});var $t=T(qc=>{"use strict";Object.defineProperty(qc,"__esModule",{value:!0});var Ue=L(),FR={data:new Ue.Name("data"),valCxt:new Ue.Name("valCxt"),instancePath:new Ue.Name("instancePath"),parentData:new Ue.Name("parentData"),parentDataProperty:new Ue.Name("parentDataProperty"),rootData:new Ue.Name("rootData"),dynamicAnchors:new Ue.Name("dynamicAnchors"),vErrors:new Ue.Name("vErrors"),errors:new Ue.Name("errors"),this:new Ue.Name("this"),self:new Ue.Name("self"),scope:new Ue.Name("scope"),json:new Ue.Name("json"),jsonPos:new Ue.Name("jsonPos"),jsonLen:new Ue.Name("jsonLen"),jsonPart:new Ue.Name("jsonPart")};qc.default=FR});var po=T(ze=>{"use strict";Object.defineProperty(ze,"__esModule",{value:!0});ze.extendErrors=ze.resetErrorsCount=ze.reportExtraError=ze.reportError=ze.keyword$DataError=ze.keywordError=void 0;var Z=L(),La=J(),qe=$t();ze.keywordError={message:o(({keyword:e})=>(0,Z.str)`must pass "${e}" keyword validation`,"message")};ze.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,Z.str)`"${e}" keyword must be ${t} ($data)`:(0,Z.str)`"${e}" keyword is invalid ($data)`,"message")};function ZR(e,t=ze.keywordError,r,n){let{it:a}=e,{gen:i,compositeRule:s,allErrors:u}=a,d=nm(e,t,r);n??(s||u)?tm(i,d):rm(a,(0,Z._)`[${d}]`)}o(ZR,"reportError");ze.reportError=ZR;function KR(e,t=ze.keywordError,r){let{it:n}=e,{gen:a,compositeRule:i,allErrors:s}=n,u=nm(e,t,r);tm(a,u),i||s||rm(n,qe.default.vErrors)}o(KR,"reportExtraError");ze.reportExtraError=KR;function WR(e,t){e.assign(qe.default.errors,t),e.if((0,Z._)`${qe.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,Z._)`${qe.default.vErrors}.length`,t),()=>e.assign(qe.default.vErrors,null)))}o(WR,"resetErrorsCount");ze.resetErrorsCount=WR;function JR({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:i}){if(a===void 0)throw new Error("ajv implementation error");let s=e.name("err");e.forRange("i",a,qe.default.errors,u=>{e.const(s,(0,Z._)`${qe.default.vErrors}[${u}]`),e.if((0,Z._)`${s}.instancePath === undefined`,()=>e.assign((0,Z._)`${s}.instancePath`,(0,Z.strConcat)(qe.default.instancePath,i.errorPath))),e.assign((0,Z._)`${s}.schemaPath`,(0,Z.str)`${i.errSchemaPath}/${t}`),i.opts.verbose&&(e.assign((0,Z._)`${s}.schema`,r),e.assign((0,Z._)`${s}.data`,n))})}o(JR,"extendErrors");ze.extendErrors=JR;function tm(e,t){let r=e.const("err",t);e.if((0,Z._)`${qe.default.vErrors} === null`,()=>e.assign(qe.default.vErrors,(0,Z._)`[${r}]`),(0,Z._)`${qe.default.vErrors}.push(${r})`),e.code((0,Z._)`${qe.default.errors}++`)}o(tm,"addError");function rm(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,Z._)`new ${e.ValidationError}(${t})`):(r.assign((0,Z._)`${n}.errors`,t),r.return(!1))}o(rm,"returnErrors");var Tr={keyword:new Z.Name("keyword"),schemaPath:new Z.Name("schemaPath"),params:new Z.Name("params"),propertyName:new Z.Name("propertyName"),message:new Z.Name("message"),schema:new Z.Name("schema"),parentSchema:new Z.Name("parentSchema")};function nm(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,Z._)`{}`:YR(e,t,r)}o(nm,"errorObjectCode");function YR(e,t,r={}){let{gen:n,it:a}=e,i=[XR(a,r),QR(e,r)];return eb(e,t,i),n.object(...i)}o(YR,"errorObject");function XR({errorPath:e},{instancePath:t}){let r=t?(0,Z.str)`${e}${(0,La.getErrorPath)(t,La.Type.Str)}`:e;return[qe.default.instancePath,(0,Z.strConcat)(qe.default.instancePath,r)]}o(XR,"errorInstancePath");function QR({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,Z.str)`${t}/${e}`;return r&&(a=(0,Z.str)`${a}${(0,La.getErrorPath)(r,La.Type.Str)}`),[Tr.schemaPath,a]}o(QR,"errorSchemaPath");function eb(e,{params:t,message:r},n){let{keyword:a,data:i,schemaValue:s,it:u}=e,{opts:d,propertyName:l,topSchemaRef:p,schemaPath:m}=u;n.push([Tr.keyword,a],[Tr.params,typeof t=="function"?t(e):t||(0,Z._)`{}`]),d.messages&&n.push([Tr.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([Tr.schema,s],[Tr.parentSchema,(0,Z._)`${p}${m}`],[qe.default.data,i]),l&&n.push([Tr.propertyName,l])}o(eb,"extraErrorProps")});var am=T(on=>{"use strict";Object.defineProperty(on,"__esModule",{value:!0});on.boolOrEmptySchema=on.topBoolOrEmptySchema=void 0;var tb=po(),rb=L(),nb=$t(),ob={message:"boolean schema is false"};function ab(e){let{gen:t,schema:r,validateName:n}=e;r===!1?om(e,!1):typeof r=="object"&&r.$async===!0?t.return(nb.default.data):(t.assign((0,rb._)`${n}.errors`,null),t.return(!0))}o(ab,"topBoolOrEmptySchema");on.topBoolOrEmptySchema=ab;function ib(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),om(e)):r.var(t,!0)}o(ib,"boolOrEmptySchema");on.boolOrEmptySchema=ib;function om(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,tb.reportError)(a,ob,void 0,t)}o(om,"falseSchemaError")});var $c=T(an=>{"use strict";Object.defineProperty(an,"__esModule",{value:!0});an.getRules=an.isJSONType=void 0;var sb=["string","number","integer","boolean","null","object","array"],cb=new Set(sb);function ub(e){return typeof e=="string"&&cb.has(e)}o(ub,"isJSONType");an.isJSONType=ub;function db(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(db,"getRules");an.getRules=db});var Lc=T(ar=>{"use strict";Object.defineProperty(ar,"__esModule",{value:!0});ar.shouldUseRule=ar.shouldUseGroup=ar.schemaHasRulesForType=void 0;function lb({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&im(e,n)}o(lb,"schemaHasRulesForType");ar.schemaHasRulesForType=lb;function im(e,t){return t.rules.some(r=>sm(e,r))}o(im,"shouldUseGroup");ar.shouldUseGroup=im;function sm(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(sm,"shouldUseRule");ar.shouldUseRule=sm});var mo=T(Ne=>{"use strict";Object.defineProperty(Ne,"__esModule",{value:!0});Ne.reportTypeError=Ne.checkDataTypes=Ne.checkDataType=Ne.coerceAndCheckDataType=Ne.getJSONTypes=Ne.getSchemaTypes=Ne.DataType=void 0;var pb=$c(),mb=Lc(),hb=po(),$=L(),cm=J(),sn;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(sn||(Ne.DataType=sn={}));function fb(e){let t=um(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(fb,"getSchemaTypes");Ne.getSchemaTypes=fb;function um(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(pb.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(um,"getJSONTypes");Ne.getJSONTypes=um;function gb(e,t){let{gen:r,data:n,opts:a}=e,i=_b(t,a.coerceTypes),s=t.length>0&&!(i.length===0&&t.length===1&&(0,mb.schemaHasRulesForType)(e,t[0]));if(s){let u=Hc(t,n,a.strictNumbers,sn.Wrong);r.if(u,()=>{i.length?yb(e,t,i):Gc(e)})}return s}o(gb,"coerceAndCheckDataType");Ne.coerceAndCheckDataType=gb;var dm=new Set(["string","number","integer","boolean","null"]);function _b(e,t){return t?e.filter(r=>dm.has(r)||t==="array"&&r==="array"):[]}o(_b,"coerceToTypes");function yb(e,t,r){let{gen:n,data:a,opts:i}=e,s=n.let("dataType",(0,$._)`typeof ${a}`),u=n.let("coerced",(0,$._)`undefined`);i.coerceTypes==="array"&&n.if((0,$._)`${s} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,$._)`${a}[0]`).assign(s,(0,$._)`typeof ${a}`).if(Hc(t,a,i.strictNumbers),()=>n.assign(u,a))),n.if((0,$._)`${u} !== undefined`);for(let l of r)(dm.has(l)||l==="array"&&i.coerceTypes==="array")&&d(l);n.else(),Gc(e),n.endIf(),n.if((0,$._)`${u} !== undefined`,()=>{n.assign(a,u),Sb(e,u)});function d(l){switch(l){case"string":n.elseIf((0,$._)`${s} == "number" || ${s} == "boolean"`).assign(u,(0,$._)`"" + ${a}`).elseIf((0,$._)`${a} === null`).assign(u,(0,$._)`""`);return;case"number":n.elseIf((0,$._)`${s} == "boolean" || ${a} === null
-              || (${s} == "string" && ${a} && ${a} == +${a})`).assign(u,(0,$._)`+${a}`);return;case"integer":n.elseIf((0,$._)`${s} === "boolean" || ${a} === null
-              || (${s} === "string" && ${a} && ${a} == +${a} && !(${a} % 1))`).assign(u,(0,$._)`+${a}`);return;case"boolean":n.elseIf((0,$._)`${a} === "false" || ${a} === 0 || ${a} === null`).assign(u,!1).elseIf((0,$._)`${a} === "true" || ${a} === 1`).assign(u,!0);return;case"null":n.elseIf((0,$._)`${a} === "" || ${a} === 0 || ${a} === false`),n.assign(u,null);return;case"array":n.elseIf((0,$._)`${s} === "string" || ${s} === "number"
-              || ${s} === "boolean" || ${a} === null`).assign(u,(0,$._)`[${a}]`)}}o(d,"coerceSpecificType")}o(yb,"coerceData");function Sb({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,$._)`${t} !== undefined`,()=>e.assign((0,$._)`${t}[${r}]`,n))}o(Sb,"assignParentData");function jc(e,t,r,n=sn.Correct){let a=n===sn.Correct?$.operators.EQ:$.operators.NEQ,i;switch(e){case"null":return(0,$._)`${t} ${a} null`;case"array":i=(0,$._)`Array.isArray(${t})`;break;case"object":i=(0,$._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":i=s((0,$._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":i=s();break;default:return(0,$._)`typeof ${t} ${a} ${e}`}return n===sn.Correct?i:(0,$.not)(i);function s(u=$.nil){return(0,$.and)((0,$._)`typeof ${t} == "number"`,u,r?(0,$._)`isFinite(${t})`:$.nil)}}o(jc,"checkDataType");Ne.checkDataType=jc;function Hc(e,t,r,n){if(e.length===1)return jc(e[0],t,r,n);let a,i=(0,cm.toHash)(e);if(i.array&&i.object){let s=(0,$._)`typeof ${t} != "object"`;a=i.null?s:(0,$._)`!${t} || ${s}`,delete i.null,delete i.array,delete i.object}else a=$.nil;i.number&&delete i.integer;for(let s in i)a=(0,$.and)(a,jc(s,t,r,n));return a}o(Hc,"checkDataTypes");Ne.checkDataTypes=Hc;var wb={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,$._)`{type: ${e}}`:(0,$._)`{type: ${t}}`,"params")};function Gc(e){let t=vb(e);(0,hb.reportError)(t,wb)}o(Gc,"reportTypeError");Ne.reportTypeError=Gc;function vb(e){let{gen:t,data:r,schema:n}=e,a=(0,cm.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(vb,"getTypeErrorContext")});var pm=T(ja=>{"use strict";Object.defineProperty(ja,"__esModule",{value:!0});ja.assignDefaults=void 0;var cn=L(),Rb=J();function bb(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)lm(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,i)=>lm(e,i,a.default))}o(bb,"assignDefaults");ja.assignDefaults=bb;function lm(e,t,r){let{gen:n,compositeRule:a,data:i,opts:s}=e;if(r===void 0)return;let u=(0,cn._)`${i}${(0,cn.getProperty)(t)}`;if(a){(0,Rb.checkStrictMode)(e,`default is ignored for: ${u}`);return}let d=(0,cn._)`${u} === undefined`;s.useDefaults==="empty"&&(d=(0,cn._)`${d} || ${u} === null || ${u} === ""`),n.if(d,(0,cn._)`${u} = ${(0,cn.stringify)(r)}`)}o(lm,"assignDefault")});var nt=T(Q=>{"use strict";Object.defineProperty(Q,"__esModule",{value:!0});Q.validateUnion=Q.validateArray=Q.usePattern=Q.callValidateCode=Q.schemaProperties=Q.allSchemaProperties=Q.noPropertyInData=Q.propertyInData=Q.isOwnProperty=Q.hasPropFunc=Q.reportMissingProp=Q.checkMissingProp=Q.checkReportMissingProp=void 0;var oe=L(),Bc=J(),ir=$t(),Cb=J();function Ib(e,t){let{gen:r,data:n,it:a}=e;r.if(Fc(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,oe._)`${t}`},!0),e.error()})}o(Ib,"checkReportMissingProp");Q.checkReportMissingProp=Ib;function Tb({gen:e,data:t,it:{opts:r}},n,a){return(0,oe.or)(...n.map(i=>(0,oe.and)(Fc(e,t,i,r.ownProperties),(0,oe._)`${a} = ${i}`)))}o(Tb,"checkMissingProp");Q.checkMissingProp=Tb;function Ab(e,t){e.setParams({missingProperty:t},!0),e.error()}o(Ab,"reportMissingProp");Q.reportMissingProp=Ab;function mm(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,oe._)`Object.prototype.hasOwnProperty`})}o(mm,"hasPropFunc");Q.hasPropFunc=mm;function Vc(e,t,r){return(0,oe._)`${mm(e)}.call(${t}, ${r})`}o(Vc,"isOwnProperty");Q.isOwnProperty=Vc;function kb(e,t,r,n){let a=(0,oe._)`${t}${(0,oe.getProperty)(r)} !== undefined`;return n?(0,oe._)`${a} && ${Vc(e,t,r)}`:a}o(kb,"propertyInData");Q.propertyInData=kb;function Fc(e,t,r,n){let a=(0,oe._)`${t}${(0,oe.getProperty)(r)} === undefined`;return n?(0,oe.or)(a,(0,oe.not)(Vc(e,t,r))):a}o(Fc,"noPropertyInData");Q.noPropertyInData=Fc;function hm(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(hm,"allSchemaProperties");Q.allSchemaProperties=hm;function Pb(e,t){return hm(t).filter(r=>!(0,Bc.alwaysValidSchema)(e,t[r]))}o(Pb,"schemaProperties");Q.schemaProperties=Pb;function Eb({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:i},it:s},u,d,l){let p=l?(0,oe._)`${e}, ${t}, ${n}${a}`:t,m=[[ir.default.instancePath,(0,oe.strConcat)(ir.default.instancePath,i)],[ir.default.parentData,s.parentData],[ir.default.parentDataProperty,s.parentDataProperty],[ir.default.rootData,ir.default.rootData]];s.opts.dynamicRef&&m.push([ir.default.dynamicAnchors,ir.default.dynamicAnchors]);let f=(0,oe._)`${p}, ${r.object(...m)}`;return d!==oe.nil?(0,oe._)`${u}.call(${d}, ${f})`:(0,oe._)`${u}(${f})`}o(Eb,"callValidateCode");Q.callValidateCode=Eb;var xb=(0,oe._)`new RegExp`;function Ob({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,i=a(r,n);return e.scopeValue("pattern",{key:i.toString(),ref:i,code:(0,oe._)`${a.code==="new RegExp"?xb:(0,Cb.useFunc)(e,a)}(${r}, ${n})`})}o(Ob,"usePattern");Q.usePattern=Ob;function Ub(e){let{gen:t,data:r,keyword:n,it:a}=e,i=t.name("valid");if(a.allErrors){let u=t.let("valid",!0);return s(()=>t.assign(u,!1)),u}return t.var(i,!0),s(()=>t.break()),i;function s(u){let d=t.const("len",(0,oe._)`${r}.length`);t.forRange("i",0,d,l=>{e.subschema({keyword:n,dataProp:l,dataPropType:Bc.Type.Num},i),t.if((0,oe.not)(i),u)})}o(s,"validateItems")}o(Ub,"validateArray");Q.validateArray=Ub;function zb(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,Bc.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let s=t.let("valid",!1),u=t.name("_valid");t.block(()=>r.forEach((d,l)=>{let p=e.subschema({keyword:n,schemaProp:l,compositeRule:!0},u);t.assign(s,(0,oe._)`${s} || ${u}`),e.mergeValidEvaluated(p,u)||t.if((0,oe.not)(s))})),e.result(s,()=>e.reset(),()=>e.error(!0))}o(zb,"validateUnion");Q.validateUnion=zb});var _m=T(wt=>{"use strict";Object.defineProperty(wt,"__esModule",{value:!0});wt.validateKeywordUsage=wt.validSchemaType=wt.funcKeywordCode=wt.macroKeywordCode=void 0;var $e=L(),Ar=$t(),Nb=nt(),Db=po();function Mb(e,t){let{gen:r,keyword:n,schema:a,parentSchema:i,it:s}=e,u=t.macro.call(s.self,a,i,s),d=gm(r,n,u);s.opts.validateSchema!==!1&&s.self.validateSchema(u,!0);let l=r.name("valid");e.subschema({schema:u,schemaPath:$e.nil,errSchemaPath:`${s.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},l),e.pass(l,()=>e.error(!0))}o(Mb,"macroKeywordCode");wt.macroKeywordCode=Mb;function qb(e,t){var r;let{gen:n,keyword:a,schema:i,parentSchema:s,$data:u,it:d}=e;Lb(d,t);let l=!u&&t.compile?t.compile.call(d.self,i,s,d):t.validate,p=gm(n,a,l),m=n.let("valid");e.block$data(m,f),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function f(){if(t.errors===!1)y(),t.modifying&&fm(e),w(()=>e.error());else{let v=t.async?_():S();t.modifying&&fm(e),w(()=>$b(e,v))}}o(f,"validateKeyword");function _(){let v=n.let("ruleErrs",null);return n.try(()=>y((0,$e._)`await `),R=>n.assign(m,!1).if((0,$e._)`${R} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,$e._)`${R}.errors`),()=>n.throw(R))),v}o(_,"validateAsync");function S(){let v=(0,$e._)`${p}.errors`;return n.assign(v,null),y($e.nil),v}o(S,"validateSync");function y(v=t.async?(0,$e._)`await `:$e.nil){let R=d.opts.passContext?Ar.default.this:Ar.default.self,I=!("compile"in t&&!u||t.schema===!1);n.assign(m,(0,$e._)`${v}${(0,Nb.callValidateCode)(e,p,R,I)}`,t.modifying)}o(y,"assignValid");function w(v){var R;n.if((0,$e.not)((R=t.valid)!==null&&R!==void 0?R:m),v)}o(w,"reportErrs")}o(qb,"funcKeywordCode");wt.funcKeywordCode=qb;function fm(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,$e._)`${n.parentData}[${n.parentDataProperty}]`))}o(fm,"modifyData");function $b(e,t){let{gen:r}=e;r.if((0,$e._)`Array.isArray(${t})`,()=>{r.assign(Ar.default.vErrors,(0,$e._)`${Ar.default.vErrors} === null ? ${t} : ${Ar.default.vErrors}.concat(${t})`).assign(Ar.default.errors,(0,$e._)`${Ar.default.vErrors}.length`),(0,Db.extendErrors)(e)},()=>e.error())}o($b,"addErrs");function Lb({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(Lb,"checkAsyncKeyword");function gm(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,$e.stringify)(r)})}o(gm,"useKeyword");function jb(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(jb,"validSchemaType");wt.validSchemaType=jb;function Hb({schema:e,opts:t,self:r,errSchemaPath:n},a,i){if(Array.isArray(a.keyword)?!a.keyword.includes(i):a.keyword!==i)throw new Error("ajv implementation error");let s=a.dependencies;if(s?.some(u=>!Object.prototype.hasOwnProperty.call(e,u)))throw new Error(`parent schema must have dependencies of ${i}: ${s.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[i])){let d=`keyword "${i}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(Hb,"validateKeywordUsage");wt.validateKeywordUsage=Hb});var Sm=T(sr=>{"use strict";Object.defineProperty(sr,"__esModule",{value:!0});sr.extendSubschemaMode=sr.extendSubschemaData=sr.getSubschema=void 0;var vt=L(),ym=J();function Gb(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:i,topSchemaRef:s}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let u=e.schema[t];return r===void 0?{schema:u,schemaPath:(0,vt._)`${e.schemaPath}${(0,vt.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:u[r],schemaPath:(0,vt._)`${e.schemaPath}${(0,vt.getProperty)(t)}${(0,vt.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,ym.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||i===void 0||s===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:s,errSchemaPath:i}}throw new Error('either "keyword" or "schema" must be passed')}o(Gb,"getSubschema");sr.getSubschema=Gb;function Bb(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:i,propertyName:s}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:u}=t;if(r!==void 0){let{errorPath:l,dataPathArr:p,opts:m}=t,f=u.let("data",(0,vt._)`${t.data}${(0,vt.getProperty)(r)}`,!0);d(f),e.errorPath=(0,vt.str)`${l}${(0,ym.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,vt._)`${r}`,e.dataPathArr=[...p,e.parentDataProperty]}if(a!==void 0){let l=a instanceof vt.Name?a:u.let("data",a,!0);d(l),s!==void 0&&(e.propertyName=s)}i&&(e.dataTypes=i);function d(l){e.data=l,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,l]}o(d,"dataContextProps")}o(Bb,"extendSubschemaData");sr.extendSubschemaData=Bb;function Vb(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:i}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),i!==void 0&&(e.allErrors=i),e.jtdDiscriminator=t,e.jtdMetadata=r}o(Vb,"extendSubschemaMode");sr.extendSubschemaMode=Vb});var Zc=T((w1,wm)=>{"use strict";wm.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,i;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(i=Object.keys(t),n=i.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,i[a]))return!1;for(a=n;a--!==0;){var s=i[a];if(!e(t[s],r[s]))return!1}return!0}return t!==t&&r!==r},"equal")});var Rm=T((R1,vm)=>{"use strict";var cr=vm.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};Ha(t,n,a,e,"",e)};cr.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};cr.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};cr.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};cr.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function Ha(e,t,r,n,a,i,s,u,d,l){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,i,s,u,d,l);for(var p in n){var m=n[p];if(Array.isArray(m)){if(p in cr.arrayKeywords)for(var f=0;f<m.length;f++)Ha(e,t,r,m[f],a+"/"+p+"/"+f,i,a,p,n,f)}else if(p in cr.propsKeywords){if(m&&typeof m=="object")for(var _ in m)Ha(e,t,r,m[_],a+"/"+p+"/"+Fb(_),i,a,p,n,_)}else(p in cr.keywords||e.allKeys&&!(p in cr.skipKeywords))&&Ha(e,t,r,m,a+"/"+p,i,a,p,n)}r(n,a,i,s,u,d,l)}}o(Ha,"_traverse");function Fb(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Fb,"escapeJsonPtr")});var ho=T(Be=>{"use strict";Object.defineProperty(Be,"__esModule",{value:!0});Be.getSchemaRefs=Be.resolveUrl=Be.normalizeId=Be._getFullPath=Be.getFullPath=Be.inlineRef=void 0;var Zb=J(),Kb=Zc(),Wb=Rm(),Jb=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function Yb(e,t=!0){return typeof e=="boolean"?!0:t===!0?!Kc(e):t?bm(e)<=t:!1}o(Yb,"inlineRef");Be.inlineRef=Yb;var Xb=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function Kc(e){for(let t in e){if(Xb.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(Kc)||typeof r=="object"&&Kc(r))return!0}return!1}o(Kc,"hasRef");function bm(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!Jb.has(r)&&(typeof e[r]=="object"&&(0,Zb.eachItem)(e[r],n=>t+=bm(n)),t===1/0))return 1/0}return t}o(bm,"countKeys");function Cm(e,t="",r){r!==!1&&(t=un(t));let n=e.parse(t);return Im(e,n)}o(Cm,"getFullPath");Be.getFullPath=Cm;function Im(e,t){return e.serialize(t).split("#")[0]+"#"}o(Im,"_getFullPath");Be._getFullPath=Im;var Qb=/#\/?$/;function un(e){return e?e.replace(Qb,""):""}o(un,"normalizeId");Be.normalizeId=un;function eC(e,t,r){return r=un(r),e.resolve(t,r)}o(eC,"resolveUrl");Be.resolveUrl=eC;var tC=/^[a-z_][-a-z0-9._]*$/i;function rC(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=un(e[r]||t),i={"":a},s=Cm(n,a,!1),u={},d=new Set;return Wb(e,{allKeys:!0},(m,f,_,S)=>{if(S===void 0)return;let y=s+f,w=i[S];typeof m[r]=="string"&&(w=v.call(this,m[r])),R.call(this,m.$anchor),R.call(this,m.$dynamicAnchor),i[f]=w;function v(I){let N=this.opts.uriResolver.resolve;if(I=un(w?N(w,I):I),d.has(I))throw p(I);d.add(I);let M=this.refs[I];return typeof M=="string"&&(M=this.refs[M]),typeof M=="object"?l(m,M.schema,I):I!==un(y)&&(I[0]==="#"?(l(m,u[I],I),u[I]=m):this.refs[I]=y),I}o(v,"addRef");function R(I){if(typeof I=="string"){if(!tC.test(I))throw new Error(`invalid anchor "${I}"`);v.call(this,`#${I}`)}}o(R,"addAnchor")}),u;function l(m,f,_){if(f!==void 0&&!Kb(m,f))throw p(_)}o(l,"checkAmbiguosRef");function p(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(p,"ambiguos")}o(rC,"getSchemaRefs");Be.getSchemaRefs=rC});var _o=T(ur=>{"use strict";Object.defineProperty(ur,"__esModule",{value:!0});ur.getData=ur.KeywordCxt=ur.validateFunctionCode=void 0;var Em=am(),Tm=mo(),Jc=Lc(),Ga=mo(),nC=pm(),go=_m(),Wc=Sm(),E=L(),D=$t(),oC=ho(),Lt=J(),fo=po();function aC(e){if(Um(e)&&(zm(e),Om(e))){cC(e);return}xm(e,()=>(0,Em.topBoolOrEmptySchema)(e))}o(aC,"validateFunctionCode");ur.validateFunctionCode=aC;function xm({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},i){a.code.es5?e.func(t,(0,E._)`${D.default.data}, ${D.default.valCxt}`,n.$async,()=>{e.code((0,E._)`"use strict"; ${Am(r,a)}`),sC(e,a),e.code(i)}):e.func(t,(0,E._)`${D.default.data}, ${iC(a)}`,n.$async,()=>e.code(Am(r,a)).code(i))}o(xm,"validateFunction");function iC(e){return(0,E._)`{${D.default.instancePath}="", ${D.default.parentData}, ${D.default.parentDataProperty}, ${D.default.rootData}=${D.default.data}${e.dynamicRef?(0,E._)`, ${D.default.dynamicAnchors}={}`:E.nil}}={}`}o(iC,"destructureValCxt");function sC(e,t){e.if(D.default.valCxt,()=>{e.var(D.default.instancePath,(0,E._)`${D.default.valCxt}.${D.default.instancePath}`),e.var(D.default.parentData,(0,E._)`${D.default.valCxt}.${D.default.parentData}`),e.var(D.default.parentDataProperty,(0,E._)`${D.default.valCxt}.${D.default.parentDataProperty}`),e.var(D.default.rootData,(0,E._)`${D.default.valCxt}.${D.default.rootData}`),t.dynamicRef&&e.var(D.default.dynamicAnchors,(0,E._)`${D.default.valCxt}.${D.default.dynamicAnchors}`)},()=>{e.var(D.default.instancePath,(0,E._)`""`),e.var(D.default.parentData,(0,E._)`undefined`),e.var(D.default.parentDataProperty,(0,E._)`undefined`),e.var(D.default.rootData,D.default.data),t.dynamicRef&&e.var(D.default.dynamicAnchors,(0,E._)`{}`)})}o(sC,"destructureValCxtES5");function cC(e){let{schema:t,opts:r,gen:n}=e;xm(e,()=>{r.$comment&&t.$comment&&Dm(e),mC(e),n.let(D.default.vErrors,null),n.let(D.default.errors,0),r.unevaluated&&uC(e),Nm(e),gC(e)})}o(cC,"topSchemaObjCode");function uC(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,E._)`${r}.evaluated`),t.if((0,E._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,E._)`${e.evaluated}.props`,(0,E._)`undefined`)),t.if((0,E._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,E._)`${e.evaluated}.items`,(0,E._)`undefined`))}o(uC,"resetEvaluated");function Am(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,E._)`/*# sourceURL=${r} */`:E.nil}o(Am,"funcSourceUrl");function dC(e,t){if(Um(e)&&(zm(e),Om(e))){lC(e,t);return}(0,Em.boolOrEmptySchema)(e,t)}o(dC,"subschemaCode");function Om({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(Om,"schemaCxtHasRules");function Um(e){return typeof e.schema!="boolean"}o(Um,"isSchemaObj");function lC(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&Dm(e),hC(e),fC(e);let i=n.const("_errs",D.default.errors);Nm(e,i),n.var(t,(0,E._)`${i} === ${D.default.errors}`)}o(lC,"subSchemaObjCode");function zm(e){(0,Lt.checkUnknownRules)(e),pC(e)}o(zm,"checkKeywords");function Nm(e,t){if(e.opts.jtd)return km(e,[],!1,t);let r=(0,Tm.getSchemaTypes)(e.schema),n=(0,Tm.coerceAndCheckDataType)(e,r);km(e,r,!n,t)}o(Nm,"typeAndKeywords");function pC(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Lt.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(pC,"checkRefsAndKeywords");function mC(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Lt.checkStrictMode)(e,"default is ignored in the schema root")}o(mC,"checkNoDefault");function hC(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,oC.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(hC,"updateContext");function fC(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(fC,"checkAsyncSchema");function Dm({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let i=r.$comment;if(a.$comment===!0)e.code((0,E._)`${D.default.self}.logger.log(${i})`);else if(typeof a.$comment=="function"){let s=(0,E.str)`${n}/$comment`,u=e.scopeValue("root",{ref:t.root});e.code((0,E._)`${D.default.self}.opts.$comment(${i}, ${s}, ${u}.schema)`)}}o(Dm,"commentKeyword");function gC(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:i}=e;r.$async?t.if((0,E._)`${D.default.errors} === 0`,()=>t.return(D.default.data),()=>t.throw((0,E._)`new ${a}(${D.default.vErrors})`)):(t.assign((0,E._)`${n}.errors`,D.default.vErrors),i.unevaluated&&_C(e),t.return((0,E._)`${D.default.errors} === 0`))}o(gC,"returnResults");function _C({gen:e,evaluated:t,props:r,items:n}){r instanceof E.Name&&e.assign((0,E._)`${t}.props`,r),n instanceof E.Name&&e.assign((0,E._)`${t}.items`,n)}o(_C,"assignEvaluated");function km(e,t,r,n){let{gen:a,schema:i,data:s,allErrors:u,opts:d,self:l}=e,{RULES:p}=l;if(i.$ref&&(d.ignoreKeywordsWithRef||!(0,Lt.schemaHasRulesButRef)(i,p))){a.block(()=>qm(e,"$ref",p.all.$ref.definition));return}d.jtd||yC(e,t),a.block(()=>{for(let f of p.rules)m(f);m(p.post)});function m(f){(0,Jc.shouldUseGroup)(i,f)&&(f.type?(a.if((0,Ga.checkDataType)(f.type,s,d.strictNumbers)),Pm(e,f),t.length===1&&t[0]===f.type&&r&&(a.else(),(0,Ga.reportTypeError)(e)),a.endIf()):Pm(e,f),u||a.if((0,E._)`${D.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(km,"schemaKeywords");function Pm(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,nC.assignDefaults)(e,t.type),r.block(()=>{for(let i of t.rules)(0,Jc.shouldUseRule)(n,i)&&qm(e,i.keyword,i.definition,t.type)})}o(Pm,"iterateKeywords");function yC(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(SC(e,t),e.opts.allowUnionTypes||wC(e,t),vC(e,e.dataTypes))}o(yC,"checkStrictTypes");function SC(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{Mm(e.dataTypes,r)||Yc(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),bC(e,t)}}o(SC,"checkContextTypes");function wC(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&Yc(e,"use allowUnionTypes to allow union type keyword")}o(wC,"checkMultipleTypes");function vC(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,Jc.shouldUseRule)(e.schema,a)){let{type:i}=a.definition;i.length&&!i.some(s=>RC(t,s))&&Yc(e,`missing type "${i.join(",")}" for keyword "${n}"`)}}}o(vC,"checkKeywordTypes");function RC(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(RC,"hasApplicableType");function Mm(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(Mm,"includesType");function bC(e,t){let r=[];for(let n of e.dataTypes)Mm(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(bC,"narrowSchemaTypes");function Yc(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Lt.checkStrictMode)(e,t,e.opts.strictTypes)}o(Yc,"strictTypesError");var Ba=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,go.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Lt.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",$m(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,go.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",D.default.errors))}result(t,r,n){this.failResult((0,E.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,E.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,E._)`${r} !== undefined && (${(0,E.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?fo.reportExtraError:fo.reportError)(this,this.def.error,r)}$dataError(){(0,fo.reportError)(this,this.def.$dataError||fo.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,fo.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=E.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=E.nil,r=E.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:i,def:s}=this;n.if((0,E.or)((0,E._)`${a} === undefined`,r)),t!==E.nil&&n.assign(t,!0),(i.length||s.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==E.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:i}=this;return(0,E.or)(s(),u());function s(){if(n.length){if(!(r instanceof E.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,E._)`${(0,Ga.checkDataTypes)(d,r,i.opts.strictNumbers,Ga.DataType.Wrong)}`}return E.nil}function u(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,E._)`!${d}(${r})`}return E.nil}}subschema(t,r){let n=(0,Wc.getSubschema)(this.it,t);(0,Wc.extendSubschemaData)(n,this.it,t),(0,Wc.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return dC(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Lt.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Lt.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,E.Name)),!0}};ur.KeywordCxt=Ba;function qm(e,t,r,n){let a=new Ba(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,go.funcKeywordCode)(a,r):"macro"in r?(0,go.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,go.funcKeywordCode)(a,r)}o(qm,"keywordCode");var CC=/^\/(?:[^~]|~0|~1)*$/,IC=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function $m(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,i;if(e==="")return D.default.rootData;if(e[0]==="/"){if(!CC.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,i=D.default.rootData}else{let l=IC.exec(e);if(!l)throw new Error(`Invalid JSON-pointer: ${e}`);let p=+l[1];if(a=l[2],a==="#"){if(p>=t)throw new Error(d("property/index",p));return n[t-p]}if(p>t)throw new Error(d("data",p));if(i=r[t-p],!a)return i}let s=i,u=a.split("/");for(let l of u)l&&(i=(0,E._)`${i}${(0,E.getProperty)((0,Lt.unescapeJsonPointer)(l))}`,s=(0,E._)`${s} && ${i}`);return s;function d(l,p){return`Cannot access ${l} ${p} levels up, current level is ${t}`}}o($m,"getData");ur.getData=$m});var Va=T(Qc=>{"use strict";Object.defineProperty(Qc,"__esModule",{value:!0});var Xc=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};Qc.default=Xc});var yo=T(ru=>{"use strict";Object.defineProperty(ru,"__esModule",{value:!0});var eu=ho(),tu=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,eu.resolveUrl)(t,r,n),this.missingSchema=(0,eu.normalizeId)((0,eu.getFullPath)(t,this.missingRef))}};ru.default=tu});var Za=T(ot=>{"use strict";Object.defineProperty(ot,"__esModule",{value:!0});ot.resolveSchema=ot.getCompilingSchema=ot.resolveRef=ot.compileSchema=ot.SchemaEnv=void 0;var lt=L(),TC=Va(),kr=$t(),pt=ho(),Lm=J(),AC=_o(),dn=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,pt.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};ot.SchemaEnv=dn;function ou(e){let t=jm.call(this,e);if(t)return t;let r=(0,pt.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:i}=this.opts,s=new lt.CodeGen(this.scope,{es5:n,lines:a,ownProperties:i}),u;e.$async&&(u=s.scopeValue("Error",{ref:TC.default,code:(0,lt._)`require("ajv/dist/runtime/validation_error").default`}));let d=s.scopeName("validate");e.validateName=d;let l={gen:s,allErrors:this.opts.allErrors,data:kr.default.data,parentData:kr.default.parentData,parentDataProperty:kr.default.parentDataProperty,dataNames:[kr.default.data],dataPathArr:[lt.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:s.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,lt.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:u,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:lt.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,lt._)`""`,opts:this.opts,self:this},p;try{this._compilations.add(e),(0,AC.validateFunctionCode)(l),s.optimize(this.opts.code.optimize);let m=s.toString();p=`${s.scopeRefs(kr.default.scope)}return ${m}`,this.opts.code.process&&(p=this.opts.code.process(p,e));let _=new Function(`${kr.default.self}`,`${kr.default.scope}`,p)(this,this.scope.get());if(this.scope.value(d,{ref:_}),_.errors=null,_.schema=e.schema,_.schemaEnv=e,e.$async&&(_.$async=!0),this.opts.code.source===!0&&(_.source={validateName:d,validateCode:m,scopeValues:s._values}),this.opts.unevaluated){let{props:S,items:y}=l;_.evaluated={props:S instanceof lt.Name?void 0:S,items:y instanceof lt.Name?void 0:y,dynamicProps:S instanceof lt.Name,dynamicItems:y instanceof lt.Name},_.source&&(_.source.evaluated=(0,lt.stringify)(_.evaluated))}return e.validate=_,e}catch(m){throw delete e.validate,delete e.validateName,p&&this.logger.error("Error compiling schema, function code:",p),m}finally{this._compilations.delete(e)}}o(ou,"compileSchema");ot.compileSchema=ou;function kC(e,t,r){var n;r=(0,pt.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let i=xC.call(this,e,r);if(i===void 0){let s=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:u}=this.opts;s&&(i=new dn({schema:s,schemaId:u,root:e,baseId:t}))}if(i!==void 0)return e.refs[r]=PC.call(this,i)}o(kC,"resolveRef");ot.resolveRef=kC;function PC(e){return(0,pt.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:ou.call(this,e)}o(PC,"inlineOrCompile");function jm(e){for(let t of this._compilations)if(EC(t,e))return t}o(jm,"getCompilingSchema");ot.getCompilingSchema=jm;function EC(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(EC,"sameSchemaEnv");function xC(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||Fa.call(this,e,t)}o(xC,"resolve");function Fa(e,t){let r=this.opts.uriResolver.parse(t),n=(0,pt._getFullPath)(this.opts.uriResolver,r),a=(0,pt.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return nu.call(this,r,e);let i=(0,pt.normalizeId)(n),s=this.refs[i]||this.schemas[i];if(typeof s=="string"){let u=Fa.call(this,e,s);return typeof u?.schema!="object"?void 0:nu.call(this,r,u)}if(typeof s?.schema=="object"){if(s.validate||ou.call(this,s),i===(0,pt.normalizeId)(t)){let{schema:u}=s,{schemaId:d}=this.opts,l=u[d];return l&&(a=(0,pt.resolveUrl)(this.opts.uriResolver,a,l)),new dn({schema:u,schemaId:d,root:e,baseId:a})}return nu.call(this,r,s)}}o(Fa,"resolveSchema");ot.resolveSchema=Fa;var OC=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function nu(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let u of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,Lm.unescapeFragment)(u)];if(d===void 0)return;r=d;let l=typeof r=="object"&&r[this.opts.schemaId];!OC.has(u)&&l&&(t=(0,pt.resolveUrl)(this.opts.uriResolver,t,l))}let i;if(typeof r!="boolean"&&r.$ref&&!(0,Lm.schemaHasRulesButRef)(r,this.RULES)){let u=(0,pt.resolveUrl)(this.opts.uriResolver,t,r.$ref);i=Fa.call(this,n,u)}let{schemaId:s}=this.opts;if(i=i||new dn({schema:r,schemaId:s,root:n,baseId:t}),i.schema!==i.root.schema)return i}o(nu,"getJsonPointer")});var Hm=T((z1,UC)=>{UC.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var iu=T((N1,Fm)=>{"use strict";var zC=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),Bm=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function au(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(au,"stringArrayToHexStripped");var NC=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function Gm(e){return e.length=0,!0}o(Gm,"consumeIsZone");function DC(e,t,r){if(e.length){let n=au(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(DC,"consumeHextets");function MC(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],i=!1,s=!1,u=DC;for(let d=0;d<e.length;d++){let l=e[d];if(!(l==="["||l==="]"))if(l===":"){if(i===!0&&(s=!0),!u(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(i=!0),n.push(":");continue}else if(l==="%"){if(!u(a,n,r))break;u=Gm}else{a.push(l);continue}}return a.length&&(u===Gm?r.zone=a.join(""):s?n.push(a.join("")):n.push(au(a))),r.address=n.join(""),r}o(MC,"getIPV6");function Vm(e){if(qC(e,":")<2)return{host:e,isIPV6:!1};let t=MC(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(Vm,"normalizeIPv6");function qC(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(qC,"findToken");function $C(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o($C,"removeDotSegments");function LC(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(LC,"normalizeComponentEncoding");function jC(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!Bm(r)){let n=Vm(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(jC,"recomposeAuthority");Fm.exports={nonSimpleDomain:NC,recomposeAuthority:jC,normalizeComponentEncoding:LC,removeDotSegments:$C,isIPv4:Bm,isUUID:zC,normalizeIPv6:Vm,stringArrayToHexStripped:au}});var Ym=T((M1,Jm)=>{"use strict";var{isUUID:HC}=iu(),GC=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,BC=["http","https","ws","wss","urn","urn:uuid"];function VC(e){return BC.indexOf(e)!==-1}o(VC,"isValidSchemeName");function su(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(su,"wsIsSecure");function Zm(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(Zm,"httpParse");function Km(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(Km,"httpSerialize");function FC(e){return e.secure=su(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(FC,"wsParse");function ZC(e){if((e.port===(su(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(ZC,"wsSerialize");function KC(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(GC);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,i=cu(a);e.path=void 0,i&&(e=i.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(KC,"urnParse");function WC(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,i=cu(a);i&&(e=i.serialize(e,t));let s=e,u=e.nss;return s.path=`${n||t.nid}:${u}`,t.skipEscape=!0,s}o(WC,"urnSerialize");function JC(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!HC(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(JC,"urnuuidParse");function YC(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(YC,"urnuuidSerialize");var Wm={scheme:"http",domainHost:!0,parse:Zm,serialize:Km},XC={scheme:"https",domainHost:Wm.domainHost,parse:Zm,serialize:Km},Ka={scheme:"ws",domainHost:!0,parse:FC,serialize:ZC},QC={scheme:"wss",domainHost:Ka.domainHost,parse:Ka.parse,serialize:Ka.serialize},eI={scheme:"urn",parse:KC,serialize:WC,skipNormalize:!0},tI={scheme:"urn:uuid",parse:JC,serialize:YC,skipNormalize:!0},Wa={http:Wm,https:XC,ws:Ka,wss:QC,urn:eI,"urn:uuid":tI};Object.setPrototypeOf(Wa,null);function cu(e){return e&&(Wa[e]||Wa[e.toLowerCase()])||void 0}o(cu,"getSchemeHandler");Jm.exports={wsIsSecure:su,SCHEMES:Wa,isValidSchemeName:VC,getSchemeHandler:cu}});var eh=T(($1,Ya)=>{"use strict";var{normalizeIPv6:rI,removeDotSegments:So,recomposeAuthority:nI,normalizeComponentEncoding:Ja,isIPv4:oI,nonSimpleDomain:aI}=iu(),{SCHEMES:iI,getSchemeHandler:Xm}=Ym();function sI(e,t){return typeof e=="string"?e=Rt(jt(e,t),t):typeof e=="object"&&(e=jt(Rt(e,t),t)),e}o(sI,"normalize");function cI(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=Qm(jt(e,n),jt(t,n),n,!0);return n.skipEscape=!0,Rt(a,n)}o(cI,"resolve");function Qm(e,t,r,n){let a={};return n||(e=jt(Rt(e,r),r),t=jt(Rt(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=So(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=So(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=So(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=So(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(Qm,"resolveComponent");function uI(e,t,r){return typeof e=="string"?(e=unescape(e),e=Rt(Ja(jt(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=Rt(Ja(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=Rt(Ja(jt(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=Rt(Ja(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(uI,"equal");function Rt(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],i=Xm(n.scheme||r.scheme);i&&i.serialize&&i.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let s=nI(r);if(s!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(s),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let u=r.path;!n.absolutePath&&(!i||!i.absolutePath)&&(u=So(u)),s===void 0&&u[0]==="/"&&u[1]==="/"&&(u="/%2F"+u.slice(2)),a.push(u)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(Rt,"serialize");var dI=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function jt(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let i=e.match(dI);if(i){if(n.scheme=i[1],n.userinfo=i[3],n.host=i[4],n.port=parseInt(i[5],10),n.path=i[6]||"",n.query=i[7],n.fragment=i[8],isNaN(n.port)&&(n.port=i[5]),n.host)if(oI(n.host)===!1){let d=rI(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let s=Xm(r.scheme||n.scheme);if(!r.unicodeSupport&&(!s||!s.unicodeSupport)&&n.host&&(r.domainHost||s&&s.domainHost)&&a===!1&&aI(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(u){n.error=n.error||"Host's domain name can not be converted to ASCII: "+u}(!s||s&&!s.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),s&&s.parse&&s.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(jt,"parse");var uu={SCHEMES:iI,normalize:sI,resolve:cI,resolveComponent:Qm,equal:uI,serialize:Rt,parse:jt};Ya.exports=uu;Ya.exports.default=uu;Ya.exports.fastUri=uu});var rh=T(du=>{"use strict";Object.defineProperty(du,"__esModule",{value:!0});var th=eh();th.code='require("ajv/dist/runtime/uri").default';du.default=th});var dh=T(Ie=>{"use strict";Object.defineProperty(Ie,"__esModule",{value:!0});Ie.CodeGen=Ie.Name=Ie.nil=Ie.stringify=Ie.str=Ie._=Ie.KeywordCxt=void 0;var lI=_o();Object.defineProperty(Ie,"KeywordCxt",{enumerable:!0,get:o(function(){return lI.KeywordCxt},"get")});var ln=L();Object.defineProperty(Ie,"_",{enumerable:!0,get:o(function(){return ln._},"get")});Object.defineProperty(Ie,"str",{enumerable:!0,get:o(function(){return ln.str},"get")});Object.defineProperty(Ie,"stringify",{enumerable:!0,get:o(function(){return ln.stringify},"get")});Object.defineProperty(Ie,"nil",{enumerable:!0,get:o(function(){return ln.nil},"get")});Object.defineProperty(Ie,"Name",{enumerable:!0,get:o(function(){return ln.Name},"get")});Object.defineProperty(Ie,"CodeGen",{enumerable:!0,get:o(function(){return ln.CodeGen},"get")});var pI=Va(),sh=yo(),mI=$c(),wo=Za(),hI=L(),vo=ho(),Xa=mo(),pu=J(),nh=Hm(),fI=rh(),ch=o((e,t)=>new RegExp(e,t),"defaultRegExp");ch.code="new RegExp";var gI=["removeAdditional","useDefaults","coerceTypes"],_I=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),yI={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},SI={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},oh=200;function wI(e){var t,r,n,a,i,s,u,d,l,p,m,f,_,S,y,w,v,R,I,N,M,Ye,xt,xs,Os;let Bn=e.strict,Us=(t=e.code)===null||t===void 0?void 0:t.optimize,mp=Us===!0||Us===void 0?1:Us||0,hp=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:ch,Jw=(a=e.uriResolver)!==null&&a!==void 0?a:fI.default;return{strictSchema:(s=(i=e.strictSchema)!==null&&i!==void 0?i:Bn)!==null&&s!==void 0?s:!0,strictNumbers:(d=(u=e.strictNumbers)!==null&&u!==void 0?u:Bn)!==null&&d!==void 0?d:!0,strictTypes:(p=(l=e.strictTypes)!==null&&l!==void 0?l:Bn)!==null&&p!==void 0?p:"log",strictTuples:(f=(m=e.strictTuples)!==null&&m!==void 0?m:Bn)!==null&&f!==void 0?f:"log",strictRequired:(S=(_=e.strictRequired)!==null&&_!==void 0?_:Bn)!==null&&S!==void 0?S:!1,code:e.code?{...e.code,optimize:mp,regExp:hp}:{optimize:mp,regExp:hp},loopRequired:(y=e.loopRequired)!==null&&y!==void 0?y:oh,loopEnum:(w=e.loopEnum)!==null&&w!==void 0?w:oh,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(R=e.messages)!==null&&R!==void 0?R:!0,inlineRefs:(I=e.inlineRefs)!==null&&I!==void 0?I:!0,schemaId:(N=e.schemaId)!==null&&N!==void 0?N:"$id",addUsedSchema:(M=e.addUsedSchema)!==null&&M!==void 0?M:!0,validateSchema:(Ye=e.validateSchema)!==null&&Ye!==void 0?Ye:!0,validateFormats:(xt=e.validateFormats)!==null&&xt!==void 0?xt:!0,unicodeRegExp:(xs=e.unicodeRegExp)!==null&&xs!==void 0?xs:!0,int32range:(Os=e.int32range)!==null&&Os!==void 0?Os:!0,uriResolver:Jw}}o(wI,"requiredOptions");var Ro=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...wI(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new hI.ValueScope({scope:{},prefixes:_I,es5:r,lines:n}),this.logger=TI(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,mI.getRules)(),ah.call(this,yI,t,"NOT SUPPORTED"),ah.call(this,SI,t,"DEPRECATED","warn"),this._metaOpts=CI.call(this),t.formats&&RI.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&bI.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),vI.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=nh;n==="id"&&(a={...nh},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(p,m){await i.call(this,p.$schema);let f=this._addSchema(p,m);return f.validate||s.call(this,f)}async function i(p){p&&!this.getSchema(p)&&await a.call(this,{$ref:p},!0)}async function s(p){try{return this._compileSchemaEnv(p)}catch(m){if(!(m instanceof sh.default))throw m;return u.call(this,m),await d.call(this,m.missingSchema),s.call(this,p)}}function u({missingSchema:p,missingRef:m}){if(this.refs[p])throw new Error(`AnySchema ${p} is loaded but ${m} cannot be resolved`)}async function d(p){let m=await l.call(this,p);this.refs[p]||await i.call(this,m.$schema),this.refs[p]||this.addSchema(m,p,r)}async function l(p){let m=this._loading[p];if(m)return m;try{return await(this._loading[p]=n(p))}finally{delete this._loading[p]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let s of t)this.addSchema(s,void 0,n,a);return this}let i;if(typeof t=="object"){let{schemaId:s}=this.opts;if(i=t[s],i!==void 0&&typeof i!="string")throw new Error(`schema ${s} must be string`)}return r=(0,vo.normalizeId)(r||i),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let i="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(i);else throw new Error(i)}return a}getSchema(t){let r;for(;typeof(r=ih.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new wo.SchemaEnv({schema:{},schemaId:n});if(r=wo.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=ih.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,vo.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(kI.call(this,n,r),!r)return(0,pu.eachItem)(n,i=>lu.call(this,i)),this;EI.call(this,r);let a={...r,type:(0,Xa.getJSONTypes)(r.type),schemaType:(0,Xa.getJSONTypes)(r.schemaType)};return(0,pu.eachItem)(n,a.type.length===0?i=>lu.call(this,i,a):i=>a.type.forEach(s=>lu.call(this,i,a,s))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(i=>i.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,i)=>a+r+i)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let i=a.split("/").slice(1),s=t;for(let u of i)s=s[u];for(let u in n){let d=n[u];if(typeof d!="object")continue;let{$data:l}=d.definition,p=s[u];l&&p&&(s[u]=uh(p))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,i=this.opts.addUsedSchema){let s,{schemaId:u}=this.opts;if(typeof t=="object")s=t[u];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,vo.normalizeId)(s||n);let l=vo.getSchemaRefs.call(this,t,n);return d=new wo.SchemaEnv({schema:t,schemaId:u,meta:r,baseId:n,localRefs:l}),this._cache.set(d.schema,d),i&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):wo.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{wo.compileSchema.call(this,t)}finally{this.opts=r}}};Ro.ValidationError=pI.default;Ro.MissingRefError=sh.default;Ie.default=Ro;function ah(e,t,r,n="error"){for(let a in e){let i=a;i in t&&this.logger[n](`${r}: option ${a}. ${e[i]}`)}}o(ah,"checkOptions");function ih(e){return e=(0,vo.normalizeId)(e),this.schemas[e]||this.refs[e]}o(ih,"getSchEnv");function vI(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(vI,"addInitialSchemas");function RI(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(RI,"addInitialFormats");function bI(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(bI,"addInitialKeywords");function CI(){let e={...this.opts};for(let t of gI)delete e[t];return e}o(CI,"getMetaSchemaOptions");var II={log(){},warn(){},error(){}};function TI(e){if(e===!1)return II;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(TI,"getLogger");var AI=/^[a-z_$][a-z0-9_$:-]*$/i;function kI(e,t){let{RULES:r}=this;if((0,pu.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!AI.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(kI,"checkKeyword");function lu(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:i}=this,s=a?i.post:i.rules.find(({type:d})=>d===r);if(s||(s={type:r,rules:[]},i.rules.push(s)),i.keywords[e]=!0,!t)return;let u={keyword:e,definition:{...t,type:(0,Xa.getJSONTypes)(t.type),schemaType:(0,Xa.getJSONTypes)(t.schemaType)}};t.before?PI.call(this,s,u,t.before):s.rules.push(u),i.all[e]=u,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(lu,"addRule");function PI(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(PI,"addBeforeRule");function EI(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=uh(t)),e.validateSchema=this.compile(t,!0))}o(EI,"keywordMetaschema");var xI={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function uh(e){return{anyOf:[e,xI]}}o(uh,"schemaOrData")});var lh=T(mu=>{"use strict";Object.defineProperty(mu,"__esModule",{value:!0});var OI={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};mu.default=OI});var fh=T(Pr=>{"use strict";Object.defineProperty(Pr,"__esModule",{value:!0});Pr.callRef=Pr.getValidate=void 0;var UI=yo(),ph=nt(),Ve=L(),pn=$t(),mh=Za(),Qa=J(),zI={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:i,validateName:s,opts:u,self:d}=n,{root:l}=i;if((r==="#"||r==="#/")&&a===l.baseId)return m();let p=mh.resolveRef.call(d,l,a,r);if(p===void 0)throw new UI.default(n.opts.uriResolver,a,r);if(p instanceof mh.SchemaEnv)return f(p);return _(p);function m(){if(i===l)return ei(e,s,i,i.$async);let S=t.scopeValue("root",{ref:l});return ei(e,(0,Ve._)`${S}.validate`,l,l.$async)}function f(S){let y=hh(e,S);ei(e,y,S,S.$async)}function _(S){let y=t.scopeValue("schema",u.code.source===!0?{ref:S,code:(0,Ve.stringify)(S)}:{ref:S}),w=t.name("valid"),v=e.subschema({schema:S,dataTypes:[],schemaPath:Ve.nil,topSchemaRef:y,errSchemaPath:r},w);e.mergeEvaluated(v),e.ok(w)}}};function hh(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,Ve._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(hh,"getValidate");Pr.getValidate=hh;function ei(e,t,r,n){let{gen:a,it:i}=e,{allErrors:s,schemaEnv:u,opts:d}=i,l=d.passContext?pn.default.this:Ve.nil;n?p():m();function p(){if(!u.$async)throw new Error("async schema referenced by sync schema");let S=a.let("valid");a.try(()=>{a.code((0,Ve._)`await ${(0,ph.callValidateCode)(e,t,l)}`),_(t),s||a.assign(S,!0)},y=>{a.if((0,Ve._)`!(${y} instanceof ${i.ValidationError})`,()=>a.throw(y)),f(y),s||a.assign(S,!1)}),e.ok(S)}o(p,"callAsyncRef");function m(){e.result((0,ph.callValidateCode)(e,t,l),()=>_(t),()=>f(t))}o(m,"callSyncRef");function f(S){let y=(0,Ve._)`${S}.errors`;a.assign(pn.default.vErrors,(0,Ve._)`${pn.default.vErrors} === null ? ${y} : ${pn.default.vErrors}.concat(${y})`),a.assign(pn.default.errors,(0,Ve._)`${pn.default.vErrors}.length`)}o(f,"addErrorsFrom");function _(S){var y;if(!i.opts.unevaluated)return;let w=(y=r?.validate)===null||y===void 0?void 0:y.evaluated;if(i.props!==!0)if(w&&!w.dynamicProps)w.props!==void 0&&(i.props=Qa.mergeEvaluated.props(a,w.props,i.props));else{let v=a.var("props",(0,Ve._)`${S}.evaluated.props`);i.props=Qa.mergeEvaluated.props(a,v,i.props,Ve.Name)}if(i.items!==!0)if(w&&!w.dynamicItems)w.items!==void 0&&(i.items=Qa.mergeEvaluated.items(a,w.items,i.items));else{let v=a.var("items",(0,Ve._)`${S}.evaluated.items`);i.items=Qa.mergeEvaluated.items(a,v,i.items,Ve.Name)}}o(_,"addEvaluatedFrom")}o(ei,"callRef");Pr.callRef=ei;Pr.default=zI});var gh=T(hu=>{"use strict";Object.defineProperty(hu,"__esModule",{value:!0});var NI=lh(),DI=fh(),MI=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",NI.default,DI.default];hu.default=MI});var _h=T(fu=>{"use strict";Object.defineProperty(fu,"__esModule",{value:!0});var ti=L(),dr=ti.operators,ri={maximum:{okStr:"<=",ok:dr.LTE,fail:dr.GT},minimum:{okStr:">=",ok:dr.GTE,fail:dr.LT},exclusiveMaximum:{okStr:"<",ok:dr.LT,fail:dr.GTE},exclusiveMinimum:{okStr:">",ok:dr.GT,fail:dr.LTE}},qI={message:o(({keyword:e,schemaCode:t})=>(0,ti.str)`must be ${ri[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ti._)`{comparison: ${ri[e].okStr}, limit: ${t}}`,"params")},$I={keyword:Object.keys(ri),type:"number",schemaType:"number",$data:!0,error:qI,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,ti._)`${r} ${ri[t].fail} ${n} || isNaN(${r})`)}};fu.default=$I});var yh=T(gu=>{"use strict";Object.defineProperty(gu,"__esModule",{value:!0});var bo=L(),LI={message:o(({schemaCode:e})=>(0,bo.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,bo._)`{multipleOf: ${e}}`,"params")},jI={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:LI,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,i=a.opts.multipleOfPrecision,s=t.let("res"),u=i?(0,bo._)`Math.abs(Math.round(${s}) - ${s}) > 1e-${i}`:(0,bo._)`${s} !== parseInt(${s})`;e.fail$data((0,bo._)`(${n} === 0 || (${s} = ${r}/${n}, ${u}))`)}};gu.default=jI});var wh=T(_u=>{"use strict";Object.defineProperty(_u,"__esModule",{value:!0});function Sh(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(Sh,"ucs2length");_u.default=Sh;Sh.code='require("ajv/dist/runtime/ucs2length").default'});var vh=T(yu=>{"use strict";Object.defineProperty(yu,"__esModule",{value:!0});var Er=L(),HI=J(),GI=wh(),BI={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,Er.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,Er._)`{limit: ${e}}`,"params")},VI={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:BI,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,i=t==="maxLength"?Er.operators.GT:Er.operators.LT,s=a.opts.unicode===!1?(0,Er._)`${r}.length`:(0,Er._)`${(0,HI.useFunc)(e.gen,GI.default)}(${r})`;e.fail$data((0,Er._)`${s} ${i} ${n}`)}};yu.default=VI});var Rh=T(Su=>{"use strict";Object.defineProperty(Su,"__esModule",{value:!0});var FI=nt(),ni=L(),ZI={message:o(({schemaCode:e})=>(0,ni.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,ni._)`{pattern: ${e}}`,"params")},KI={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:ZI,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:i}=e,s=i.opts.unicodeRegExp?"u":"",u=r?(0,ni._)`(new RegExp(${a}, ${s}))`:(0,FI.usePattern)(e,n);e.fail$data((0,ni._)`!${u}.test(${t})`)}};Su.default=KI});var bh=T(wu=>{"use strict";Object.defineProperty(wu,"__esModule",{value:!0});var Co=L(),WI={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,Co.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,Co._)`{limit: ${e}}`,"params")},JI={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:WI,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?Co.operators.GT:Co.operators.LT;e.fail$data((0,Co._)`Object.keys(${r}).length ${a} ${n}`)}};wu.default=JI});var Ch=T(vu=>{"use strict";Object.defineProperty(vu,"__esModule",{value:!0});var Io=nt(),To=L(),YI=J(),XI={message:o(({params:{missingProperty:e}})=>(0,To.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,To._)`{missingProperty: ${e}}`,"params")},QI={keyword:"required",type:"object",schemaType:"array",$data:!0,error:XI,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:i,it:s}=e,{opts:u}=s;if(!i&&r.length===0)return;let d=r.length>=u.loopRequired;if(s.allErrors?l():p(),u.strictRequired){let _=e.parentSchema.properties,{definedProperties:S}=e.it;for(let y of r)if(_?.[y]===void 0&&!S.has(y)){let w=s.schemaEnv.baseId+s.errSchemaPath,v=`required property "${y}" is not defined at "${w}" (strictRequired)`;(0,YI.checkStrictMode)(s,v,s.opts.strictRequired)}}function l(){if(d||i)e.block$data(To.nil,m);else for(let _ of r)(0,Io.checkReportMissingProp)(e,_)}o(l,"allErrorsMode");function p(){let _=t.let("missing");if(d||i){let S=t.let("valid",!0);e.block$data(S,()=>f(_,S)),e.ok(S)}else t.if((0,Io.checkMissingProp)(e,r,_)),(0,Io.reportMissingProp)(e,_),t.else()}o(p,"exitOnErrorMode");function m(){t.forOf("prop",n,_=>{e.setParams({missingProperty:_}),t.if((0,Io.noPropertyInData)(t,a,_,u.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function f(_,S){e.setParams({missingProperty:_}),t.forOf(_,n,()=>{t.assign(S,(0,Io.propertyInData)(t,a,_,u.ownProperties)),t.if((0,To.not)(S),()=>{e.error(),t.break()})},To.nil)}o(f,"loopUntilMissing")}};vu.default=QI});var Ih=T(Ru=>{"use strict";Object.defineProperty(Ru,"__esModule",{value:!0});var Ao=L(),eT={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,Ao.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,Ao._)`{limit: ${e}}`,"params")},tT={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:eT,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?Ao.operators.GT:Ao.operators.LT;e.fail$data((0,Ao._)`${r}.length ${a} ${n}`)}};Ru.default=tT});var oi=T(bu=>{"use strict";Object.defineProperty(bu,"__esModule",{value:!0});var Th=Zc();Th.code='require("ajv/dist/runtime/equal").default';bu.default=Th});var Ah=T(Iu=>{"use strict";Object.defineProperty(Iu,"__esModule",{value:!0});var Cu=mo(),Te=L(),rT=J(),nT=oi(),oT={message:o(({params:{i:e,j:t}})=>(0,Te.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,Te._)`{i: ${e}, j: ${t}}`,"params")},aT={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:oT,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:i,schemaCode:s,it:u}=e;if(!n&&!a)return;let d=t.let("valid"),l=i.items?(0,Cu.getSchemaTypes)(i.items):[];e.block$data(d,p,(0,Te._)`${s} === false`),e.ok(d);function p(){let S=t.let("i",(0,Te._)`${r}.length`),y=t.let("j");e.setParams({i:S,j:y}),t.assign(d,!0),t.if((0,Te._)`${S} > 1`,()=>(m()?f:_)(S,y))}o(p,"validateUniqueItems");function m(){return l.length>0&&!l.some(S=>S==="object"||S==="array")}o(m,"canOptimize");function f(S,y){let w=t.name("item"),v=(0,Cu.checkDataTypes)(l,w,u.opts.strictNumbers,Cu.DataType.Wrong),R=t.const("indices",(0,Te._)`{}`);t.for((0,Te._)`;${S}--;`,()=>{t.let(w,(0,Te._)`${r}[${S}]`),t.if(v,(0,Te._)`continue`),l.length>1&&t.if((0,Te._)`typeof ${w} == "string"`,(0,Te._)`${w} += "_"`),t.if((0,Te._)`typeof ${R}[${w}] == "number"`,()=>{t.assign(y,(0,Te._)`${R}[${w}]`),e.error(),t.assign(d,!1).break()}).code((0,Te._)`${R}[${w}] = ${S}`)})}o(f,"loopN");function _(S,y){let w=(0,rT.useFunc)(t,nT.default),v=t.name("outer");t.label(v).for((0,Te._)`;${S}--;`,()=>t.for((0,Te._)`${y} = ${S}; ${y}--;`,()=>t.if((0,Te._)`${w}(${r}[${S}], ${r}[${y}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(_,"loopN2")}};Iu.default=aT});var kh=T(Au=>{"use strict";Object.defineProperty(Au,"__esModule",{value:!0});var Tu=L(),iT=J(),sT=oi(),cT={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,Tu._)`{allowedValue: ${e}}`,"params")},uT={keyword:"const",$data:!0,error:cT,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:i}=e;n||i&&typeof i=="object"?e.fail$data((0,Tu._)`!${(0,iT.useFunc)(t,sT.default)}(${r}, ${a})`):e.fail((0,Tu._)`${i} !== ${r}`)}};Au.default=uT});var Ph=T(ku=>{"use strict";Object.defineProperty(ku,"__esModule",{value:!0});var ko=L(),dT=J(),lT=oi(),pT={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,ko._)`{allowedValues: ${e}}`,"params")},mT={keyword:"enum",schemaType:"array",$data:!0,error:pT,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:i,it:s}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let u=a.length>=s.opts.loopEnum,d,l=o(()=>d??(d=(0,dT.useFunc)(t,lT.default)),"getEql"),p;if(u||n)p=t.let("valid"),e.block$data(p,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let _=t.const("vSchema",i);p=(0,ko.or)(...a.map((S,y)=>f(_,y)))}e.pass(p);function m(){t.assign(p,!1),t.forOf("v",i,_=>t.if((0,ko._)`${l()}(${r}, ${_})`,()=>t.assign(p,!0).break()))}o(m,"loopEnum");function f(_,S){let y=a[S];return typeof y=="object"&&y!==null?(0,ko._)`${l()}(${r}, ${_}[${S}])`:(0,ko._)`${r} === ${y}`}o(f,"equalCode")}};ku.default=mT});var Eh=T(Pu=>{"use strict";Object.defineProperty(Pu,"__esModule",{value:!0});var hT=_h(),fT=yh(),gT=vh(),_T=Rh(),yT=bh(),ST=Ch(),wT=Ih(),vT=Ah(),RT=kh(),bT=Ph(),CT=[hT.default,fT.default,gT.default,_T.default,yT.default,ST.default,wT.default,vT.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},RT.default,bT.default];Pu.default=CT});var xu=T(Po=>{"use strict";Object.defineProperty(Po,"__esModule",{value:!0});Po.validateAdditionalItems=void 0;var xr=L(),Eu=J(),IT={message:o(({params:{len:e}})=>(0,xr.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,xr._)`{limit: ${e}}`,"params")},TT={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:IT,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,Eu.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}xh(e,n)}};function xh(e,t){let{gen:r,schema:n,data:a,keyword:i,it:s}=e;s.items=!0;let u=r.const("len",(0,xr._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,xr._)`${u} <= ${t.length}`);else if(typeof n=="object"&&!(0,Eu.alwaysValidSchema)(s,n)){let l=r.var("valid",(0,xr._)`${u} <= ${t.length}`);r.if((0,xr.not)(l),()=>d(l)),e.ok(l)}function d(l){r.forRange("i",t.length,u,p=>{e.subschema({keyword:i,dataProp:p,dataPropType:Eu.Type.Num},l),s.allErrors||r.if((0,xr.not)(l),()=>r.break())})}o(d,"validateItems")}o(xh,"validateAdditionalItems");Po.validateAdditionalItems=xh;Po.default=TT});var Ou=T(Eo=>{"use strict";Object.defineProperty(Eo,"__esModule",{value:!0});Eo.validateTuple=void 0;var Oh=L(),ai=J(),AT=nt(),kT={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return Uh(e,"additionalItems",t);r.items=!0,!(0,ai.alwaysValidSchema)(r,t)&&e.ok((0,AT.validateArray)(e))}};function Uh(e,t,r=e.schema){let{gen:n,parentSchema:a,data:i,keyword:s,it:u}=e;p(a),u.opts.unevaluated&&r.length&&u.items!==!0&&(u.items=ai.mergeEvaluated.items(n,r.length,u.items));let d=n.name("valid"),l=n.const("len",(0,Oh._)`${i}.length`);r.forEach((m,f)=>{(0,ai.alwaysValidSchema)(u,m)||(n.if((0,Oh._)`${l} > ${f}`,()=>e.subschema({keyword:s,schemaProp:f,dataProp:f},d)),e.ok(d))});function p(m){let{opts:f,errSchemaPath:_}=u,S=r.length,y=S===m.minItems&&(S===m.maxItems||m[t]===!1);if(f.strictTuples&&!y){let w=`"${s}" is ${S}-tuple, but minItems or maxItems/${t} are not specified or different at path "${_}"`;(0,ai.checkStrictMode)(u,w,f.strictTuples)}}o(p,"checkStrictTuple")}o(Uh,"validateTuple");Eo.validateTuple=Uh;Eo.default=kT});var zh=T(Uu=>{"use strict";Object.defineProperty(Uu,"__esModule",{value:!0});var PT=Ou(),ET={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,PT.validateTuple)(e,"items"),"code")};Uu.default=ET});var Dh=T(zu=>{"use strict";Object.defineProperty(zu,"__esModule",{value:!0});var Nh=L(),xT=J(),OT=nt(),UT=xu(),zT={message:o(({params:{len:e}})=>(0,Nh.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,Nh._)`{limit: ${e}}`,"params")},NT={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:zT,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,xT.alwaysValidSchema)(n,t)&&(a?(0,UT.validateAdditionalItems)(e,a):e.ok((0,OT.validateArray)(e)))}};zu.default=NT});var Mh=T(Nu=>{"use strict";Object.defineProperty(Nu,"__esModule",{value:!0});var at=L(),ii=J(),DT={message:o(({params:{min:e,max:t}})=>t===void 0?(0,at.str)`must contain at least ${e} valid item(s)`:(0,at.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,at._)`{minContains: ${e}}`:(0,at._)`{minContains: ${e}, maxContains: ${t}}`,"params")},MT={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:DT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e,s,u,{minContains:d,maxContains:l}=n;i.opts.next?(s=d===void 0?1:d,u=l):s=1;let p=t.const("len",(0,at._)`${a}.length`);if(e.setParams({min:s,max:u}),u===void 0&&s===0){(0,ii.checkStrictMode)(i,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(u!==void 0&&s>u){(0,ii.checkStrictMode)(i,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,ii.alwaysValidSchema)(i,r)){let y=(0,at._)`${p} >= ${s}`;u!==void 0&&(y=(0,at._)`${y} && ${p} <= ${u}`),e.pass(y);return}i.items=!0;let m=t.name("valid");u===void 0&&s===1?_(m,()=>t.if(m,()=>t.break())):s===0?(t.let(m,!0),u!==void 0&&t.if((0,at._)`${a}.length > 0`,f)):(t.let(m,!1),f()),e.result(m,()=>e.reset());function f(){let y=t.name("_valid"),w=t.let("count",0);_(y,()=>t.if(y,()=>S(w)))}o(f,"validateItemsWithCount");function _(y,w){t.forRange("i",0,p,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:ii.Type.Num,compositeRule:!0},y),w()})}o(_,"validateItems");function S(y){t.code((0,at._)`${y}++`),u===void 0?t.if((0,at._)`${y} >= ${s}`,()=>t.assign(m,!0).break()):(t.if((0,at._)`${y} > ${u}`,()=>t.assign(m,!1).break()),s===1?t.assign(m,!0):t.if((0,at._)`${y} >= ${s}`,()=>t.assign(m,!0)))}o(S,"checkLimits")}};Nu.default=MT});var Lh=T(bt=>{"use strict";Object.defineProperty(bt,"__esModule",{value:!0});bt.validateSchemaDeps=bt.validatePropertyDeps=bt.error=void 0;var Du=L(),qT=J(),xo=nt();bt.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,Du.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,Du._)`{property: ${e},
+import{$ as we,H as sm,I as yc,J as Bv,K as cm,L as h,M as um,N as re,O as ce,P as dm,Q as lm,R as Re,S as C,T as I,U as Ae,V as fe,W as wc,X as Sc,Y as le,Z as it,_ as O,a as dr,aa as pm,b as am,ba as vc,ca as mm,da as hm,ea as c,fa as ae,j as fo,k as im,q as _c,z as Vt}from"../chunk-UMZORQLU.js";import{d as go}from"../chunk-2ZQVIVZ3.js";import{a as J}from"../chunk-ZS34EO4B.js";import{X as Za,Y as Ft,Z as om,a as o,c as A,e as nm}from"../chunk-YGYFQCBA.js";var xo=A(ne=>{"use strict";Object.defineProperty(ne,"__esModule",{value:!0});ne.regexpCode=ne.getEsmExportName=ne.getProperty=ne.safeStringify=ne.stringify=ne.strConcat=ne.addCodeArg=ne.str=ne._=ne.nil=ne._Code=ne.Name=ne.IDENTIFIER=ne._CodeOrName=void 0;var ko=class{static{o(this,"_CodeOrName")}};ne._CodeOrName=ko;ne.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var Lr=class extends ko{static{o(this,"Name")}constructor(t){if(super(),!ne.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};ne.Name=Lr;var pt=class extends ko{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof Lr&&(r[n.str]=(r[n.str]||0)+1),r),{})}};ne._Code=pt;ne.nil=new pt("");function Om(e,...t){let r=[e[0]],n=0;for(;n<t.length;)tu(r,t[n]),r.push(e[++n]);return new pt(r)}o(Om,"_");ne._=Om;var eu=new pt("+");function Um(e,...t){let r=[Eo(e[0])],n=0;for(;n<t.length;)r.push(eu),tu(r,t[n]),r.push(eu,Eo(e[++n]));return fb(r),new pt(r)}o(Um,"str");ne.str=Um;function tu(e,t){t instanceof pt?e.push(...t._items):t instanceof Lr?e.push(t):e.push(yb(t))}o(tu,"addCodeArg");ne.addCodeArg=tu;function fb(e){let t=1;for(;t<e.length-1;){if(e[t]===eu){let r=gb(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(fb,"optimize");function gb(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof Lr||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof Lr))return`"${e}${t.slice(1)}`}o(gb,"mergeExprItems");function _b(e,t){return t.emptyStr()?e:e.emptyStr()?t:Um`${e}${t}`}o(_b,"strConcat");ne.strConcat=_b;function yb(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:Eo(Array.isArray(e)?e.join(","):e)}o(yb,"interpolate");function wb(e){return new pt(Eo(e))}o(wb,"stringify");ne.stringify=wb;function Eo(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(Eo,"safeStringify");ne.safeStringify=Eo;function Sb(e){return typeof e=="string"&&ne.IDENTIFIER.test(e)?new pt(`.${e}`):Om`[${e}]`}o(Sb,"getProperty");ne.getProperty=Sb;function vb(e){if(typeof e=="string"&&ne.IDENTIFIER.test(e))return new pt(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(vb,"getEsmExportName");ne.getEsmExportName=vb;function Rb(e){return new pt(e.toString())}o(Rb,"regexpCode");ne.regexpCode=Rb});var ou=A(Qe=>{"use strict";Object.defineProperty(Qe,"__esModule",{value:!0});Qe.ValueScope=Qe.ValueScopeName=Qe.Scope=Qe.varKinds=Qe.UsedValueState=void 0;var Xe=xo(),ru=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},di;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(di||(Qe.UsedValueState=di={}));Qe.varKinds={const:new Xe.Name("const"),let:new Xe.Name("let"),var:new Xe.Name("var")};var li=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof Xe.Name?t:this.name(t)}name(t){return new Xe.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};Qe.Scope=li;var pi=class extends Xe.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,Xe._)`.${new Xe.Name(r)}[${n}]`}};Qe.ValueScopeName=pi;var bb=(0,Xe._)`\n`,nu=class extends li{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?bb:Xe.nil}}get(){return this._scope}name(t){return new pi(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:i}=a,s=(n=r.key)!==null&&n!==void 0?n:r.ref,u=this._values[i];if(u){let l=u.get(s);if(l)return l}else u=this._values[i]=new Map;u.set(s,a);let d=this._scope[i]||(this._scope[i]=[]),p=d.length;return d[p]=r.ref,a.setValue(r,{property:i,itemIndex:p}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,Xe._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let i=Xe.nil;for(let s in t){let u=t[s];if(!u)continue;let d=n[s]=n[s]||new Map;u.forEach(p=>{if(d.has(p))return;d.set(p,di.Started);let l=r(p);if(l){let m=this.opts.es5?Qe.varKinds.var:Qe.varKinds.const;i=(0,Xe._)`${i}${m} ${p} = ${l};${this.opts._n}`}else if(l=a?.(p))i=(0,Xe._)`${i}${l}${this.opts._n}`;else throw new ru(p);d.set(p,di.Completed)})}return i}};Qe.ValueScope=nu});var Z=A(W=>{"use strict";Object.defineProperty(W,"__esModule",{value:!0});W.or=W.and=W.not=W.CodeGen=W.operators=W.varKinds=W.ValueScopeName=W.ValueScope=W.Scope=W.Name=W.regexpCode=W.stringify=W.getProperty=W.nil=W.strConcat=W.str=W._=void 0;var X=xo(),vt=ou(),wr=xo();Object.defineProperty(W,"_",{enumerable:!0,get:o(function(){return wr._},"get")});Object.defineProperty(W,"str",{enumerable:!0,get:o(function(){return wr.str},"get")});Object.defineProperty(W,"strConcat",{enumerable:!0,get:o(function(){return wr.strConcat},"get")});Object.defineProperty(W,"nil",{enumerable:!0,get:o(function(){return wr.nil},"get")});Object.defineProperty(W,"getProperty",{enumerable:!0,get:o(function(){return wr.getProperty},"get")});Object.defineProperty(W,"stringify",{enumerable:!0,get:o(function(){return wr.stringify},"get")});Object.defineProperty(W,"regexpCode",{enumerable:!0,get:o(function(){return wr.regexpCode},"get")});Object.defineProperty(W,"Name",{enumerable:!0,get:o(function(){return wr.Name},"get")});var gi=ou();Object.defineProperty(W,"Scope",{enumerable:!0,get:o(function(){return gi.Scope},"get")});Object.defineProperty(W,"ValueScope",{enumerable:!0,get:o(function(){return gi.ValueScope},"get")});Object.defineProperty(W,"ValueScopeName",{enumerable:!0,get:o(function(){return gi.ValueScopeName},"get")});Object.defineProperty(W,"varKinds",{enumerable:!0,get:o(function(){return gi.varKinds},"get")});W.operators={GT:new X._Code(">"),GTE:new X._Code(">="),LT:new X._Code("<"),LTE:new X._Code("<="),EQ:new X._Code("==="),NEQ:new X._Code("!=="),NOT:new X._Code("!"),OR:new X._Code("||"),AND:new X._Code("&&"),ADD:new X._Code("+")};var Jt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},au=class extends Jt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?vt.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=bn(this.rhs,t,r)),this}get names(){return this.rhs instanceof X._CodeOrName?this.rhs.names:{}}},mi=class extends Jt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof X.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=bn(this.rhs,t,r),this}get names(){let t=this.lhs instanceof X.Name?{}:{...this.lhs.names};return fi(t,this.rhs)}},iu=class extends mi{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},su=class extends Jt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},cu=class extends Jt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},uu=class extends Jt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},du=class extends Jt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=bn(this.code,t,r),this}get names(){return this.code instanceof X._CodeOrName?this.code.names:{}}},Po=class extends Jt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let i=n[a];i.optimizeNames(t,r)||(Cb(t,i.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>Gr(t,r.names),{})}},Yt=class extends Po{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},lu=class extends Po{static{o(this,"Root")}},Rn=class extends Yt{static{o(this,"Else")}};Rn.kind="else";var jr=class e extends Yt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new Rn(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(Nm(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=bn(this.condition,t,r),this}get names(){let t=super.names;return fi(t,this.condition),this.else&&Gr(t,this.else.names),t}};jr.kind="if";var Hr=class extends Yt{static{o(this,"For")}};Hr.kind="for";var pu=class extends Hr{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=bn(this.iteration,t,r),this}get names(){return Gr(super.names,this.iteration.names)}},mu=class extends Hr{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?vt.varKinds.var:this.varKind,{name:n,from:a,to:i}=this;return`for(${r} ${n}=${a}; ${n}<${i}; ${n}++)`+super.render(t)}get names(){let t=fi(super.names,this.from);return fi(t,this.to)}},hi=class extends Hr{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=bn(this.iterable,t,r),this}get names(){return Gr(super.names,this.iterable.names)}},Oo=class extends Yt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};Oo.kind="func";var Uo=class extends Po{static{o(this,"Return")}render(t){return"return "+super.render(t)}};Uo.kind="return";var hu=class extends Yt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&Gr(t,this.catch.names),this.finally&&Gr(t,this.finally.names),t}},No=class extends Yt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};No.kind="catch";var zo=class extends Yt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};zo.kind="finally";var fu=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
+`:""},this._extScope=t,this._scope=new vt.Scope({parent:t}),this._nodes=[new lu]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let i=this._scope.toName(r);return n!==void 0&&a&&(this._constants[i.str]=n),this._leafNode(new au(t,i,n)),i}const(t,r,n){return this._def(vt.varKinds.const,t,r,n)}let(t,r,n){return this._def(vt.varKinds.let,t,r,n)}var(t,r,n){return this._def(vt.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new mi(t,r,n))}add(t,r){return this._leafNode(new iu(t,W.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==X.nil&&this._leafNode(new du(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,X.addCodeArg)(r,a));return r.push("}"),new X._Code(r)}if(t,r,n){if(this._blockNode(new jr(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new jr(t))}else(){return this._elseNode(new Rn)}endIf(){return this._endBlockNode(jr,Rn)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new pu(t),r)}forRange(t,r,n,a,i=this.opts.es5?vt.varKinds.var:vt.varKinds.let){let s=this._scope.toName(t);return this._for(new mu(i,s,r,n),()=>a(s))}forOf(t,r,n,a=vt.varKinds.const){let i=this._scope.toName(t);if(this.opts.es5){let s=r instanceof X.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,X._)`${s}.length`,u=>{this.var(i,(0,X._)`${s}[${u}]`),n(i)})}return this._for(new hi("of",a,i,r),()=>n(i))}forIn(t,r,n,a=this.opts.es5?vt.varKinds.var:vt.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,X._)`Object.keys(${r})`,n);let i=this._scope.toName(t);return this._for(new hi("in",a,i,r),()=>n(i))}endFor(){return this._endBlockNode(Hr)}label(t){return this._leafNode(new su(t))}break(t){return this._leafNode(new cu(t))}return(t){let r=new Uo;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(Uo)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new hu;if(this._blockNode(a),this.code(t),r){let i=this.name("e");this._currNode=a.catch=new No(i),r(i)}return n&&(this._currNode=a.finally=new zo,this.code(n)),this._endBlockNode(No,zo)}throw(t){return this._leafNode(new uu(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=X.nil,n,a){return this._blockNode(new Oo(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(Oo)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof jr))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};W.CodeGen=fu;function Gr(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(Gr,"addNames");function fi(e,t){return t instanceof X._CodeOrName?Gr(e,t.names):e}o(fi,"addExprNames");function bn(e,t,r){if(e instanceof X.Name)return n(e);if(!a(e))return e;return new X._Code(e._items.reduce((i,s)=>(s instanceof X.Name&&(s=n(s)),s instanceof X._Code?i.push(...s._items):i.push(s),i),[]));function n(i){let s=r[i.str];return s===void 0||t[i.str]!==1?i:(delete t[i.str],s)}function a(i){return i instanceof X._Code&&i._items.some(s=>s instanceof X.Name&&t[s.str]===1&&r[s.str]!==void 0)}}o(bn,"optimizeExpr");function Cb(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(Cb,"subtractNames");function Nm(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,X._)`!${gu(e)}`}o(Nm,"not");W.not=Nm;var Ib=zm(W.operators.AND);function Tb(...e){return e.reduce(Ib)}o(Tb,"and");W.and=Tb;var Ab=zm(W.operators.OR);function kb(...e){return e.reduce(Ab)}o(kb,"or");W.or=kb;function zm(e){return(t,r)=>t===X.nil?r:r===X.nil?t:(0,X._)`${gu(t)} ${e} ${gu(r)}`}o(zm,"mappend");function gu(e){return e instanceof X.Name?e:(0,X._)`(${e})`}o(gu,"par")});var oe=A(Y=>{"use strict";Object.defineProperty(Y,"__esModule",{value:!0});Y.checkStrictMode=Y.getErrorPath=Y.Type=Y.useFunc=Y.setEvaluated=Y.evaluatedPropsToName=Y.mergeEvaluated=Y.eachItem=Y.unescapeJsonPointer=Y.escapeJsonPointer=Y.escapeFragment=Y.unescapeFragment=Y.schemaRefOrVal=Y.schemaHasRulesButRef=Y.schemaHasRules=Y.checkUnknownRules=Y.alwaysValidSchema=Y.toHash=void 0;var ue=Z(),Eb=xo();function xb(e){let t={};for(let r of e)t[r]=!0;return t}o(xb,"toHash");Y.toHash=xb;function Pb(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(Mm(e,t),!qm(t,e.self.RULES.all))}o(Pb,"alwaysValidSchema");Y.alwaysValidSchema=Pb;function Mm(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let i in t)a[i]||Hm(e,`unknown keyword: "${i}"`)}o(Mm,"checkUnknownRules");Y.checkUnknownRules=Mm;function qm(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(qm,"schemaHasRules");Y.schemaHasRules=qm;function Ob(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o(Ob,"schemaHasRulesButRef");Y.schemaHasRulesButRef=Ob;function Ub({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,ue._)`${r}`}return(0,ue._)`${e}${t}${(0,ue.getProperty)(n)}`}o(Ub,"schemaRefOrVal");Y.schemaRefOrVal=Ub;function Nb(e){return Lm(decodeURIComponent(e))}o(Nb,"unescapeFragment");Y.unescapeFragment=Nb;function zb(e){return encodeURIComponent(yu(e))}o(zb,"escapeFragment");Y.escapeFragment=zb;function yu(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(yu,"escapeJsonPointer");Y.escapeJsonPointer=yu;function Lm(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(Lm,"unescapeJsonPointer");Y.unescapeJsonPointer=Lm;function $b(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o($b,"eachItem");Y.eachItem=$b;function $m({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,i,s,u)=>{let d=s===void 0?i:s instanceof ue.Name?(i instanceof ue.Name?e(a,i,s):t(a,i,s),s):i instanceof ue.Name?(t(a,s,i),i):r(i,s);return u===ue.Name&&!(d instanceof ue.Name)?n(a,d):d}}o($m,"makeMergeEvaluated");Y.mergeEvaluated={props:$m({mergeNames:o((e,t,r)=>e.if((0,ue._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,ue._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,ue._)`${r} || {}`).code((0,ue._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,ue._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,ue._)`${r} || {}`),wu(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:jm}),items:$m({mergeNames:o((e,t,r)=>e.if((0,ue._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,ue._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,ue._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,ue._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function jm(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,ue._)`{}`);return t!==void 0&&wu(e,r,t),r}o(jm,"evaluatedPropsToName");Y.evaluatedPropsToName=jm;function wu(e,t,r){Object.keys(r).forEach(n=>e.assign((0,ue._)`${t}${(0,ue.getProperty)(n)}`,!0))}o(wu,"setEvaluated");Y.setEvaluated=wu;var Dm={};function Db(e,t){return e.scopeValue("func",{ref:t,code:Dm[t.code]||(Dm[t.code]=new Eb._Code(t.code))})}o(Db,"useFunc");Y.useFunc=Db;var _u;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(_u||(Y.Type=_u={}));function Mb(e,t,r){if(e instanceof ue.Name){let n=t===_u.Num;return r?n?(0,ue._)`"[" + ${e} + "]"`:(0,ue._)`"['" + ${e} + "']"`:n?(0,ue._)`"/" + ${e}`:(0,ue._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,ue.getProperty)(e).toString():"/"+yu(e)}o(Mb,"getErrorPath");Y.getErrorPath=Mb;function Hm(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(Hm,"checkStrictMode");Y.checkStrictMode=Hm});var Xt=A(Su=>{"use strict";Object.defineProperty(Su,"__esModule",{value:!0});var He=Z(),qb={data:new He.Name("data"),valCxt:new He.Name("valCxt"),instancePath:new He.Name("instancePath"),parentData:new He.Name("parentData"),parentDataProperty:new He.Name("parentDataProperty"),rootData:new He.Name("rootData"),dynamicAnchors:new He.Name("dynamicAnchors"),vErrors:new He.Name("vErrors"),errors:new He.Name("errors"),this:new He.Name("this"),self:new He.Name("self"),scope:new He.Name("scope"),json:new He.Name("json"),jsonPos:new He.Name("jsonPos"),jsonLen:new He.Name("jsonLen"),jsonPart:new He.Name("jsonPart")};Su.default=qb});var $o=A(Ge=>{"use strict";Object.defineProperty(Ge,"__esModule",{value:!0});Ge.extendErrors=Ge.resetErrorsCount=Ge.reportExtraError=Ge.reportError=Ge.keyword$DataError=Ge.keywordError=void 0;var te=Z(),_i=oe(),Ze=Xt();Ge.keywordError={message:o(({keyword:e})=>(0,te.str)`must pass "${e}" keyword validation`,"message")};Ge.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,te.str)`"${e}" keyword must be ${t} ($data)`:(0,te.str)`"${e}" keyword is invalid ($data)`,"message")};function Lb(e,t=Ge.keywordError,r,n){let{it:a}=e,{gen:i,compositeRule:s,allErrors:u}=a,d=Fm(e,t,r);n??(s||u)?Gm(i,d):Bm(a,(0,te._)`[${d}]`)}o(Lb,"reportError");Ge.reportError=Lb;function jb(e,t=Ge.keywordError,r){let{it:n}=e,{gen:a,compositeRule:i,allErrors:s}=n,u=Fm(e,t,r);Gm(a,u),i||s||Bm(n,Ze.default.vErrors)}o(jb,"reportExtraError");Ge.reportExtraError=jb;function Hb(e,t){e.assign(Ze.default.errors,t),e.if((0,te._)`${Ze.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,te._)`${Ze.default.vErrors}.length`,t),()=>e.assign(Ze.default.vErrors,null)))}o(Hb,"resetErrorsCount");Ge.resetErrorsCount=Hb;function Gb({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:i}){if(a===void 0)throw new Error("ajv implementation error");let s=e.name("err");e.forRange("i",a,Ze.default.errors,u=>{e.const(s,(0,te._)`${Ze.default.vErrors}[${u}]`),e.if((0,te._)`${s}.instancePath === undefined`,()=>e.assign((0,te._)`${s}.instancePath`,(0,te.strConcat)(Ze.default.instancePath,i.errorPath))),e.assign((0,te._)`${s}.schemaPath`,(0,te.str)`${i.errSchemaPath}/${t}`),i.opts.verbose&&(e.assign((0,te._)`${s}.schema`,r),e.assign((0,te._)`${s}.data`,n))})}o(Gb,"extendErrors");Ge.extendErrors=Gb;function Gm(e,t){let r=e.const("err",t);e.if((0,te._)`${Ze.default.vErrors} === null`,()=>e.assign(Ze.default.vErrors,(0,te._)`[${r}]`),(0,te._)`${Ze.default.vErrors}.push(${r})`),e.code((0,te._)`${Ze.default.errors}++`)}o(Gm,"addError");function Bm(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,te._)`new ${e.ValidationError}(${t})`):(r.assign((0,te._)`${n}.errors`,t),r.return(!1))}o(Bm,"returnErrors");var Br={keyword:new te.Name("keyword"),schemaPath:new te.Name("schemaPath"),params:new te.Name("params"),propertyName:new te.Name("propertyName"),message:new te.Name("message"),schema:new te.Name("schema"),parentSchema:new te.Name("parentSchema")};function Fm(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,te._)`{}`:Bb(e,t,r)}o(Fm,"errorObjectCode");function Bb(e,t,r={}){let{gen:n,it:a}=e,i=[Fb(a,r),Vb(e,r)];return Kb(e,t,i),n.object(...i)}o(Bb,"errorObject");function Fb({errorPath:e},{instancePath:t}){let r=t?(0,te.str)`${e}${(0,_i.getErrorPath)(t,_i.Type.Str)}`:e;return[Ze.default.instancePath,(0,te.strConcat)(Ze.default.instancePath,r)]}o(Fb,"errorInstancePath");function Vb({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,te.str)`${t}/${e}`;return r&&(a=(0,te.str)`${a}${(0,_i.getErrorPath)(r,_i.Type.Str)}`),[Br.schemaPath,a]}o(Vb,"errorSchemaPath");function Kb(e,{params:t,message:r},n){let{keyword:a,data:i,schemaValue:s,it:u}=e,{opts:d,propertyName:p,topSchemaRef:l,schemaPath:m}=u;n.push([Br.keyword,a],[Br.params,typeof t=="function"?t(e):t||(0,te._)`{}`]),d.messages&&n.push([Br.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([Br.schema,s],[Br.parentSchema,(0,te._)`${l}${m}`],[Ze.default.data,i]),p&&n.push([Br.propertyName,p])}o(Kb,"extraErrorProps")});var Km=A(Cn=>{"use strict";Object.defineProperty(Cn,"__esModule",{value:!0});Cn.boolOrEmptySchema=Cn.topBoolOrEmptySchema=void 0;var Zb=$o(),Wb=Z(),Jb=Xt(),Yb={message:"boolean schema is false"};function Xb(e){let{gen:t,schema:r,validateName:n}=e;r===!1?Vm(e,!1):typeof r=="object"&&r.$async===!0?t.return(Jb.default.data):(t.assign((0,Wb._)`${n}.errors`,null),t.return(!0))}o(Xb,"topBoolOrEmptySchema");Cn.topBoolOrEmptySchema=Xb;function Qb(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),Vm(e)):r.var(t,!0)}o(Qb,"boolOrEmptySchema");Cn.boolOrEmptySchema=Qb;function Vm(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,Zb.reportError)(a,Yb,void 0,t)}o(Vm,"falseSchemaError")});var vu=A(In=>{"use strict";Object.defineProperty(In,"__esModule",{value:!0});In.getRules=In.isJSONType=void 0;var eC=["string","number","integer","boolean","null","object","array"],tC=new Set(eC);function rC(e){return typeof e=="string"&&tC.has(e)}o(rC,"isJSONType");In.isJSONType=rC;function nC(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(nC,"getRules");In.getRules=nC});var Ru=A(Sr=>{"use strict";Object.defineProperty(Sr,"__esModule",{value:!0});Sr.shouldUseRule=Sr.shouldUseGroup=Sr.schemaHasRulesForType=void 0;function oC({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&Zm(e,n)}o(oC,"schemaHasRulesForType");Sr.schemaHasRulesForType=oC;function Zm(e,t){return t.rules.some(r=>Wm(e,r))}o(Zm,"shouldUseGroup");Sr.shouldUseGroup=Zm;function Wm(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(Wm,"shouldUseRule");Sr.shouldUseRule=Wm});var Do=A(Be=>{"use strict";Object.defineProperty(Be,"__esModule",{value:!0});Be.reportTypeError=Be.checkDataTypes=Be.checkDataType=Be.coerceAndCheckDataType=Be.getJSONTypes=Be.getSchemaTypes=Be.DataType=void 0;var aC=vu(),iC=Ru(),sC=$o(),K=Z(),Jm=oe(),Tn;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(Tn||(Be.DataType=Tn={}));function cC(e){let t=Ym(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(cC,"getSchemaTypes");Be.getSchemaTypes=cC;function Ym(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(aC.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(Ym,"getJSONTypes");Be.getJSONTypes=Ym;function uC(e,t){let{gen:r,data:n,opts:a}=e,i=dC(t,a.coerceTypes),s=t.length>0&&!(i.length===0&&t.length===1&&(0,iC.schemaHasRulesForType)(e,t[0]));if(s){let u=Cu(t,n,a.strictNumbers,Tn.Wrong);r.if(u,()=>{i.length?lC(e,t,i):Iu(e)})}return s}o(uC,"coerceAndCheckDataType");Be.coerceAndCheckDataType=uC;var Xm=new Set(["string","number","integer","boolean","null"]);function dC(e,t){return t?e.filter(r=>Xm.has(r)||t==="array"&&r==="array"):[]}o(dC,"coerceToTypes");function lC(e,t,r){let{gen:n,data:a,opts:i}=e,s=n.let("dataType",(0,K._)`typeof ${a}`),u=n.let("coerced",(0,K._)`undefined`);i.coerceTypes==="array"&&n.if((0,K._)`${s} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,K._)`${a}[0]`).assign(s,(0,K._)`typeof ${a}`).if(Cu(t,a,i.strictNumbers),()=>n.assign(u,a))),n.if((0,K._)`${u} !== undefined`);for(let p of r)(Xm.has(p)||p==="array"&&i.coerceTypes==="array")&&d(p);n.else(),Iu(e),n.endIf(),n.if((0,K._)`${u} !== undefined`,()=>{n.assign(a,u),pC(e,u)});function d(p){switch(p){case"string":n.elseIf((0,K._)`${s} == "number" || ${s} == "boolean"`).assign(u,(0,K._)`"" + ${a}`).elseIf((0,K._)`${a} === null`).assign(u,(0,K._)`""`);return;case"number":n.elseIf((0,K._)`${s} == "boolean" || ${a} === null
+              || (${s} == "string" && ${a} && ${a} == +${a})`).assign(u,(0,K._)`+${a}`);return;case"integer":n.elseIf((0,K._)`${s} === "boolean" || ${a} === null
+              || (${s} === "string" && ${a} && ${a} == +${a} && !(${a} % 1))`).assign(u,(0,K._)`+${a}`);return;case"boolean":n.elseIf((0,K._)`${a} === "false" || ${a} === 0 || ${a} === null`).assign(u,!1).elseIf((0,K._)`${a} === "true" || ${a} === 1`).assign(u,!0);return;case"null":n.elseIf((0,K._)`${a} === "" || ${a} === 0 || ${a} === false`),n.assign(u,null);return;case"array":n.elseIf((0,K._)`${s} === "string" || ${s} === "number"
+              || ${s} === "boolean" || ${a} === null`).assign(u,(0,K._)`[${a}]`)}}o(d,"coerceSpecificType")}o(lC,"coerceData");function pC({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,K._)`${t} !== undefined`,()=>e.assign((0,K._)`${t}[${r}]`,n))}o(pC,"assignParentData");function bu(e,t,r,n=Tn.Correct){let a=n===Tn.Correct?K.operators.EQ:K.operators.NEQ,i;switch(e){case"null":return(0,K._)`${t} ${a} null`;case"array":i=(0,K._)`Array.isArray(${t})`;break;case"object":i=(0,K._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":i=s((0,K._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":i=s();break;default:return(0,K._)`typeof ${t} ${a} ${e}`}return n===Tn.Correct?i:(0,K.not)(i);function s(u=K.nil){return(0,K.and)((0,K._)`typeof ${t} == "number"`,u,r?(0,K._)`isFinite(${t})`:K.nil)}}o(bu,"checkDataType");Be.checkDataType=bu;function Cu(e,t,r,n){if(e.length===1)return bu(e[0],t,r,n);let a,i=(0,Jm.toHash)(e);if(i.array&&i.object){let s=(0,K._)`typeof ${t} != "object"`;a=i.null?s:(0,K._)`!${t} || ${s}`,delete i.null,delete i.array,delete i.object}else a=K.nil;i.number&&delete i.integer;for(let s in i)a=(0,K.and)(a,bu(s,t,r,n));return a}o(Cu,"checkDataTypes");Be.checkDataTypes=Cu;var mC={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,K._)`{type: ${e}}`:(0,K._)`{type: ${t}}`,"params")};function Iu(e){let t=hC(e);(0,sC.reportError)(t,mC)}o(Iu,"reportTypeError");Be.reportTypeError=Iu;function hC(e){let{gen:t,data:r,schema:n}=e,a=(0,Jm.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(hC,"getTypeErrorContext")});var eh=A(yi=>{"use strict";Object.defineProperty(yi,"__esModule",{value:!0});yi.assignDefaults=void 0;var An=Z(),fC=oe();function gC(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)Qm(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,i)=>Qm(e,i,a.default))}o(gC,"assignDefaults");yi.assignDefaults=gC;function Qm(e,t,r){let{gen:n,compositeRule:a,data:i,opts:s}=e;if(r===void 0)return;let u=(0,An._)`${i}${(0,An.getProperty)(t)}`;if(a){(0,fC.checkStrictMode)(e,`default is ignored for: ${u}`);return}let d=(0,An._)`${u} === undefined`;s.useDefaults==="empty"&&(d=(0,An._)`${d} || ${u} === null || ${u} === ""`),n.if(d,(0,An._)`${u} = ${(0,An.stringify)(r)}`)}o(Qm,"assignDefault")});var mt=A(se=>{"use strict";Object.defineProperty(se,"__esModule",{value:!0});se.validateUnion=se.validateArray=se.usePattern=se.callValidateCode=se.schemaProperties=se.allSchemaProperties=se.noPropertyInData=se.propertyInData=se.isOwnProperty=se.hasPropFunc=se.reportMissingProp=se.checkMissingProp=se.checkReportMissingProp=void 0;var pe=Z(),Tu=oe(),vr=Xt(),_C=oe();function yC(e,t){let{gen:r,data:n,it:a}=e;r.if(ku(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,pe._)`${t}`},!0),e.error()})}o(yC,"checkReportMissingProp");se.checkReportMissingProp=yC;function wC({gen:e,data:t,it:{opts:r}},n,a){return(0,pe.or)(...n.map(i=>(0,pe.and)(ku(e,t,i,r.ownProperties),(0,pe._)`${a} = ${i}`)))}o(wC,"checkMissingProp");se.checkMissingProp=wC;function SC(e,t){e.setParams({missingProperty:t},!0),e.error()}o(SC,"reportMissingProp");se.reportMissingProp=SC;function th(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,pe._)`Object.prototype.hasOwnProperty`})}o(th,"hasPropFunc");se.hasPropFunc=th;function Au(e,t,r){return(0,pe._)`${th(e)}.call(${t}, ${r})`}o(Au,"isOwnProperty");se.isOwnProperty=Au;function vC(e,t,r,n){let a=(0,pe._)`${t}${(0,pe.getProperty)(r)} !== undefined`;return n?(0,pe._)`${a} && ${Au(e,t,r)}`:a}o(vC,"propertyInData");se.propertyInData=vC;function ku(e,t,r,n){let a=(0,pe._)`${t}${(0,pe.getProperty)(r)} === undefined`;return n?(0,pe.or)(a,(0,pe.not)(Au(e,t,r))):a}o(ku,"noPropertyInData");se.noPropertyInData=ku;function rh(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(rh,"allSchemaProperties");se.allSchemaProperties=rh;function RC(e,t){return rh(t).filter(r=>!(0,Tu.alwaysValidSchema)(e,t[r]))}o(RC,"schemaProperties");se.schemaProperties=RC;function bC({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:i},it:s},u,d,p){let l=p?(0,pe._)`${e}, ${t}, ${n}${a}`:t,m=[[vr.default.instancePath,(0,pe.strConcat)(vr.default.instancePath,i)],[vr.default.parentData,s.parentData],[vr.default.parentDataProperty,s.parentDataProperty],[vr.default.rootData,vr.default.rootData]];s.opts.dynamicRef&&m.push([vr.default.dynamicAnchors,vr.default.dynamicAnchors]);let f=(0,pe._)`${l}, ${r.object(...m)}`;return d!==pe.nil?(0,pe._)`${u}.call(${d}, ${f})`:(0,pe._)`${u}(${f})`}o(bC,"callValidateCode");se.callValidateCode=bC;var CC=(0,pe._)`new RegExp`;function IC({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,i=a(r,n);return e.scopeValue("pattern",{key:i.toString(),ref:i,code:(0,pe._)`${a.code==="new RegExp"?CC:(0,_C.useFunc)(e,a)}(${r}, ${n})`})}o(IC,"usePattern");se.usePattern=IC;function TC(e){let{gen:t,data:r,keyword:n,it:a}=e,i=t.name("valid");if(a.allErrors){let u=t.let("valid",!0);return s(()=>t.assign(u,!1)),u}return t.var(i,!0),s(()=>t.break()),i;function s(u){let d=t.const("len",(0,pe._)`${r}.length`);t.forRange("i",0,d,p=>{e.subschema({keyword:n,dataProp:p,dataPropType:Tu.Type.Num},i),t.if((0,pe.not)(i),u)})}o(s,"validateItems")}o(TC,"validateArray");se.validateArray=TC;function AC(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,Tu.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let s=t.let("valid",!1),u=t.name("_valid");t.block(()=>r.forEach((d,p)=>{let l=e.subschema({keyword:n,schemaProp:p,compositeRule:!0},u);t.assign(s,(0,pe._)`${s} || ${u}`),e.mergeValidEvaluated(l,u)||t.if((0,pe.not)(s))})),e.result(s,()=>e.reset(),()=>e.error(!0))}o(AC,"validateUnion");se.validateUnion=AC});var ah=A(Pt=>{"use strict";Object.defineProperty(Pt,"__esModule",{value:!0});Pt.validateKeywordUsage=Pt.validSchemaType=Pt.funcKeywordCode=Pt.macroKeywordCode=void 0;var We=Z(),Fr=Xt(),kC=mt(),EC=$o();function xC(e,t){let{gen:r,keyword:n,schema:a,parentSchema:i,it:s}=e,u=t.macro.call(s.self,a,i,s),d=oh(r,n,u);s.opts.validateSchema!==!1&&s.self.validateSchema(u,!0);let p=r.name("valid");e.subschema({schema:u,schemaPath:We.nil,errSchemaPath:`${s.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},p),e.pass(p,()=>e.error(!0))}o(xC,"macroKeywordCode");Pt.macroKeywordCode=xC;function PC(e,t){var r;let{gen:n,keyword:a,schema:i,parentSchema:s,$data:u,it:d}=e;UC(d,t);let p=!u&&t.compile?t.compile.call(d.self,i,s,d):t.validate,l=oh(n,a,p),m=n.let("valid");e.block$data(m,f),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function f(){if(t.errors===!1)y(),t.modifying&&nh(e),S(()=>e.error());else{let v=t.async?_():w();t.modifying&&nh(e),S(()=>OC(e,v))}}o(f,"validateKeyword");function _(){let v=n.let("ruleErrs",null);return n.try(()=>y((0,We._)`await `),R=>n.assign(m,!1).if((0,We._)`${R} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,We._)`${R}.errors`),()=>n.throw(R))),v}o(_,"validateAsync");function w(){let v=(0,We._)`${l}.errors`;return n.assign(v,null),y(We.nil),v}o(w,"validateSync");function y(v=t.async?(0,We._)`await `:We.nil){let R=d.opts.passContext?Fr.default.this:Fr.default.self,b=!("compile"in t&&!u||t.schema===!1);n.assign(m,(0,We._)`${v}${(0,kC.callValidateCode)(e,l,R,b)}`,t.modifying)}o(y,"assignValid");function S(v){var R;n.if((0,We.not)((R=t.valid)!==null&&R!==void 0?R:m),v)}o(S,"reportErrs")}o(PC,"funcKeywordCode");Pt.funcKeywordCode=PC;function nh(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,We._)`${n.parentData}[${n.parentDataProperty}]`))}o(nh,"modifyData");function OC(e,t){let{gen:r}=e;r.if((0,We._)`Array.isArray(${t})`,()=>{r.assign(Fr.default.vErrors,(0,We._)`${Fr.default.vErrors} === null ? ${t} : ${Fr.default.vErrors}.concat(${t})`).assign(Fr.default.errors,(0,We._)`${Fr.default.vErrors}.length`),(0,EC.extendErrors)(e)},()=>e.error())}o(OC,"addErrs");function UC({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(UC,"checkAsyncKeyword");function oh(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,We.stringify)(r)})}o(oh,"useKeyword");function NC(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(NC,"validSchemaType");Pt.validSchemaType=NC;function zC({schema:e,opts:t,self:r,errSchemaPath:n},a,i){if(Array.isArray(a.keyword)?!a.keyword.includes(i):a.keyword!==i)throw new Error("ajv implementation error");let s=a.dependencies;if(s?.some(u=>!Object.prototype.hasOwnProperty.call(e,u)))throw new Error(`parent schema must have dependencies of ${i}: ${s.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[i])){let d=`keyword "${i}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(zC,"validateKeywordUsage");Pt.validateKeywordUsage=zC});var sh=A(Rr=>{"use strict";Object.defineProperty(Rr,"__esModule",{value:!0});Rr.extendSubschemaMode=Rr.extendSubschemaData=Rr.getSubschema=void 0;var Ot=Z(),ih=oe();function $C(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:i,topSchemaRef:s}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let u=e.schema[t];return r===void 0?{schema:u,schemaPath:(0,Ot._)`${e.schemaPath}${(0,Ot.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:u[r],schemaPath:(0,Ot._)`${e.schemaPath}${(0,Ot.getProperty)(t)}${(0,Ot.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,ih.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||i===void 0||s===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:s,errSchemaPath:i}}throw new Error('either "keyword" or "schema" must be passed')}o($C,"getSubschema");Rr.getSubschema=$C;function DC(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:i,propertyName:s}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:u}=t;if(r!==void 0){let{errorPath:p,dataPathArr:l,opts:m}=t,f=u.let("data",(0,Ot._)`${t.data}${(0,Ot.getProperty)(r)}`,!0);d(f),e.errorPath=(0,Ot.str)`${p}${(0,ih.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,Ot._)`${r}`,e.dataPathArr=[...l,e.parentDataProperty]}if(a!==void 0){let p=a instanceof Ot.Name?a:u.let("data",a,!0);d(p),s!==void 0&&(e.propertyName=s)}i&&(e.dataTypes=i);function d(p){e.data=p,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,p]}o(d,"dataContextProps")}o(DC,"extendSubschemaData");Rr.extendSubschemaData=DC;function MC(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:i}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),i!==void 0&&(e.allErrors=i),e.jtdDiscriminator=t,e.jtdMetadata=r}o(MC,"extendSubschemaMode");Rr.extendSubschemaMode=MC});var Eu=A((GH,ch)=>{"use strict";ch.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,i;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(i=Object.keys(t),n=i.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,i[a]))return!1;for(a=n;a--!==0;){var s=i[a];if(!e(t[s],r[s]))return!1}return!0}return t!==t&&r!==r},"equal")});var dh=A((FH,uh)=>{"use strict";var br=uh.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};wi(t,n,a,e,"",e)};br.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};br.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};br.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};br.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function wi(e,t,r,n,a,i,s,u,d,p){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,i,s,u,d,p);for(var l in n){var m=n[l];if(Array.isArray(m)){if(l in br.arrayKeywords)for(var f=0;f<m.length;f++)wi(e,t,r,m[f],a+"/"+l+"/"+f,i,a,l,n,f)}else if(l in br.propsKeywords){if(m&&typeof m=="object")for(var _ in m)wi(e,t,r,m[_],a+"/"+l+"/"+qC(_),i,a,l,n,_)}else(l in br.keywords||e.allKeys&&!(l in br.skipKeywords))&&wi(e,t,r,m,a+"/"+l,i,a,l,n)}r(n,a,i,s,u,d,p)}}o(wi,"_traverse");function qC(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(qC,"escapeJsonPtr")});var Mo=A(et=>{"use strict";Object.defineProperty(et,"__esModule",{value:!0});et.getSchemaRefs=et.resolveUrl=et.normalizeId=et._getFullPath=et.getFullPath=et.inlineRef=void 0;var LC=oe(),jC=Eu(),HC=dh(),GC=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function BC(e,t=!0){return typeof e=="boolean"?!0:t===!0?!xu(e):t?lh(e)<=t:!1}o(BC,"inlineRef");et.inlineRef=BC;var FC=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function xu(e){for(let t in e){if(FC.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(xu)||typeof r=="object"&&xu(r))return!0}return!1}o(xu,"hasRef");function lh(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!GC.has(r)&&(typeof e[r]=="object"&&(0,LC.eachItem)(e[r],n=>t+=lh(n)),t===1/0))return 1/0}return t}o(lh,"countKeys");function ph(e,t="",r){r!==!1&&(t=kn(t));let n=e.parse(t);return mh(e,n)}o(ph,"getFullPath");et.getFullPath=ph;function mh(e,t){return e.serialize(t).split("#")[0]+"#"}o(mh,"_getFullPath");et._getFullPath=mh;var VC=/#\/?$/;function kn(e){return e?e.replace(VC,""):""}o(kn,"normalizeId");et.normalizeId=kn;function KC(e,t,r){return r=kn(r),e.resolve(t,r)}o(KC,"resolveUrl");et.resolveUrl=KC;var ZC=/^[a-z_][-a-z0-9._]*$/i;function WC(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=kn(e[r]||t),i={"":a},s=ph(n,a,!1),u={},d=new Set;return HC(e,{allKeys:!0},(m,f,_,w)=>{if(w===void 0)return;let y=s+f,S=i[w];typeof m[r]=="string"&&(S=v.call(this,m[r])),R.call(this,m.$anchor),R.call(this,m.$dynamicAnchor),i[f]=S;function v(b){let q=this.opts.uriResolver.resolve;if(b=kn(S?q(S,b):b),d.has(b))throw l(b);d.add(b);let L=this.refs[b];return typeof L=="string"&&(L=this.refs[L]),typeof L=="object"?p(m,L.schema,b):b!==kn(y)&&(b[0]==="#"?(p(m,u[b],b),u[b]=m):this.refs[b]=y),b}o(v,"addRef");function R(b){if(typeof b=="string"){if(!ZC.test(b))throw new Error(`invalid anchor "${b}"`);v.call(this,`#${b}`)}}o(R,"addAnchor")}),u;function p(m,f,_){if(f!==void 0&&!jC(m,f))throw l(_)}o(p,"checkAmbiguosRef");function l(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(l,"ambiguos")}o(WC,"getSchemaRefs");et.getSchemaRefs=WC});var jo=A(Cr=>{"use strict";Object.defineProperty(Cr,"__esModule",{value:!0});Cr.getData=Cr.KeywordCxt=Cr.validateFunctionCode=void 0;var yh=Km(),hh=Do(),Ou=Ru(),Si=Do(),JC=eh(),Lo=ah(),Pu=sh(),U=Z(),B=Xt(),YC=Mo(),Qt=oe(),qo=$o();function XC(e){if(vh(e)&&(Rh(e),Sh(e))){tI(e);return}wh(e,()=>(0,yh.topBoolOrEmptySchema)(e))}o(XC,"validateFunctionCode");Cr.validateFunctionCode=XC;function wh({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},i){a.code.es5?e.func(t,(0,U._)`${B.default.data}, ${B.default.valCxt}`,n.$async,()=>{e.code((0,U._)`"use strict"; ${fh(r,a)}`),eI(e,a),e.code(i)}):e.func(t,(0,U._)`${B.default.data}, ${QC(a)}`,n.$async,()=>e.code(fh(r,a)).code(i))}o(wh,"validateFunction");function QC(e){return(0,U._)`{${B.default.instancePath}="", ${B.default.parentData}, ${B.default.parentDataProperty}, ${B.default.rootData}=${B.default.data}${e.dynamicRef?(0,U._)`, ${B.default.dynamicAnchors}={}`:U.nil}}={}`}o(QC,"destructureValCxt");function eI(e,t){e.if(B.default.valCxt,()=>{e.var(B.default.instancePath,(0,U._)`${B.default.valCxt}.${B.default.instancePath}`),e.var(B.default.parentData,(0,U._)`${B.default.valCxt}.${B.default.parentData}`),e.var(B.default.parentDataProperty,(0,U._)`${B.default.valCxt}.${B.default.parentDataProperty}`),e.var(B.default.rootData,(0,U._)`${B.default.valCxt}.${B.default.rootData}`),t.dynamicRef&&e.var(B.default.dynamicAnchors,(0,U._)`${B.default.valCxt}.${B.default.dynamicAnchors}`)},()=>{e.var(B.default.instancePath,(0,U._)`""`),e.var(B.default.parentData,(0,U._)`undefined`),e.var(B.default.parentDataProperty,(0,U._)`undefined`),e.var(B.default.rootData,B.default.data),t.dynamicRef&&e.var(B.default.dynamicAnchors,(0,U._)`{}`)})}o(eI,"destructureValCxtES5");function tI(e){let{schema:t,opts:r,gen:n}=e;wh(e,()=>{r.$comment&&t.$comment&&Ch(e),iI(e),n.let(B.default.vErrors,null),n.let(B.default.errors,0),r.unevaluated&&rI(e),bh(e),uI(e)})}o(tI,"topSchemaObjCode");function rI(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,U._)`${r}.evaluated`),t.if((0,U._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,U._)`${e.evaluated}.props`,(0,U._)`undefined`)),t.if((0,U._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,U._)`${e.evaluated}.items`,(0,U._)`undefined`))}o(rI,"resetEvaluated");function fh(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,U._)`/*# sourceURL=${r} */`:U.nil}o(fh,"funcSourceUrl");function nI(e,t){if(vh(e)&&(Rh(e),Sh(e))){oI(e,t);return}(0,yh.boolOrEmptySchema)(e,t)}o(nI,"subschemaCode");function Sh({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(Sh,"schemaCxtHasRules");function vh(e){return typeof e.schema!="boolean"}o(vh,"isSchemaObj");function oI(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&Ch(e),sI(e),cI(e);let i=n.const("_errs",B.default.errors);bh(e,i),n.var(t,(0,U._)`${i} === ${B.default.errors}`)}o(oI,"subSchemaObjCode");function Rh(e){(0,Qt.checkUnknownRules)(e),aI(e)}o(Rh,"checkKeywords");function bh(e,t){if(e.opts.jtd)return gh(e,[],!1,t);let r=(0,hh.getSchemaTypes)(e.schema),n=(0,hh.coerceAndCheckDataType)(e,r);gh(e,r,!n,t)}o(bh,"typeAndKeywords");function aI(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Qt.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(aI,"checkRefsAndKeywords");function iI(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Qt.checkStrictMode)(e,"default is ignored in the schema root")}o(iI,"checkNoDefault");function sI(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,YC.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(sI,"updateContext");function cI(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(cI,"checkAsyncSchema");function Ch({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let i=r.$comment;if(a.$comment===!0)e.code((0,U._)`${B.default.self}.logger.log(${i})`);else if(typeof a.$comment=="function"){let s=(0,U.str)`${n}/$comment`,u=e.scopeValue("root",{ref:t.root});e.code((0,U._)`${B.default.self}.opts.$comment(${i}, ${s}, ${u}.schema)`)}}o(Ch,"commentKeyword");function uI(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:i}=e;r.$async?t.if((0,U._)`${B.default.errors} === 0`,()=>t.return(B.default.data),()=>t.throw((0,U._)`new ${a}(${B.default.vErrors})`)):(t.assign((0,U._)`${n}.errors`,B.default.vErrors),i.unevaluated&&dI(e),t.return((0,U._)`${B.default.errors} === 0`))}o(uI,"returnResults");function dI({gen:e,evaluated:t,props:r,items:n}){r instanceof U.Name&&e.assign((0,U._)`${t}.props`,r),n instanceof U.Name&&e.assign((0,U._)`${t}.items`,n)}o(dI,"assignEvaluated");function gh(e,t,r,n){let{gen:a,schema:i,data:s,allErrors:u,opts:d,self:p}=e,{RULES:l}=p;if(i.$ref&&(d.ignoreKeywordsWithRef||!(0,Qt.schemaHasRulesButRef)(i,l))){a.block(()=>Th(e,"$ref",l.all.$ref.definition));return}d.jtd||lI(e,t),a.block(()=>{for(let f of l.rules)m(f);m(l.post)});function m(f){(0,Ou.shouldUseGroup)(i,f)&&(f.type?(a.if((0,Si.checkDataType)(f.type,s,d.strictNumbers)),_h(e,f),t.length===1&&t[0]===f.type&&r&&(a.else(),(0,Si.reportTypeError)(e)),a.endIf()):_h(e,f),u||a.if((0,U._)`${B.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(gh,"schemaKeywords");function _h(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,JC.assignDefaults)(e,t.type),r.block(()=>{for(let i of t.rules)(0,Ou.shouldUseRule)(n,i)&&Th(e,i.keyword,i.definition,t.type)})}o(_h,"iterateKeywords");function lI(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(pI(e,t),e.opts.allowUnionTypes||mI(e,t),hI(e,e.dataTypes))}o(lI,"checkStrictTypes");function pI(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{Ih(e.dataTypes,r)||Uu(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),gI(e,t)}}o(pI,"checkContextTypes");function mI(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&Uu(e,"use allowUnionTypes to allow union type keyword")}o(mI,"checkMultipleTypes");function hI(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,Ou.shouldUseRule)(e.schema,a)){let{type:i}=a.definition;i.length&&!i.some(s=>fI(t,s))&&Uu(e,`missing type "${i.join(",")}" for keyword "${n}"`)}}}o(hI,"checkKeywordTypes");function fI(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(fI,"hasApplicableType");function Ih(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(Ih,"includesType");function gI(e,t){let r=[];for(let n of e.dataTypes)Ih(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(gI,"narrowSchemaTypes");function Uu(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Qt.checkStrictMode)(e,t,e.opts.strictTypes)}o(Uu,"strictTypesError");var vi=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,Lo.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Qt.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",Ah(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,Lo.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",B.default.errors))}result(t,r,n){this.failResult((0,U.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,U.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,U._)`${r} !== undefined && (${(0,U.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?qo.reportExtraError:qo.reportError)(this,this.def.error,r)}$dataError(){(0,qo.reportError)(this,this.def.$dataError||qo.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,qo.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=U.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=U.nil,r=U.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:i,def:s}=this;n.if((0,U.or)((0,U._)`${a} === undefined`,r)),t!==U.nil&&n.assign(t,!0),(i.length||s.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==U.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:i}=this;return(0,U.or)(s(),u());function s(){if(n.length){if(!(r instanceof U.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,U._)`${(0,Si.checkDataTypes)(d,r,i.opts.strictNumbers,Si.DataType.Wrong)}`}return U.nil}function u(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,U._)`!${d}(${r})`}return U.nil}}subschema(t,r){let n=(0,Pu.getSubschema)(this.it,t);(0,Pu.extendSubschemaData)(n,this.it,t),(0,Pu.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return nI(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Qt.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Qt.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,U.Name)),!0}};Cr.KeywordCxt=vi;function Th(e,t,r,n){let a=new vi(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,Lo.funcKeywordCode)(a,r):"macro"in r?(0,Lo.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,Lo.funcKeywordCode)(a,r)}o(Th,"keywordCode");var _I=/^\/(?:[^~]|~0|~1)*$/,yI=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function Ah(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,i;if(e==="")return B.default.rootData;if(e[0]==="/"){if(!_I.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,i=B.default.rootData}else{let p=yI.exec(e);if(!p)throw new Error(`Invalid JSON-pointer: ${e}`);let l=+p[1];if(a=p[2],a==="#"){if(l>=t)throw new Error(d("property/index",l));return n[t-l]}if(l>t)throw new Error(d("data",l));if(i=r[t-l],!a)return i}let s=i,u=a.split("/");for(let p of u)p&&(i=(0,U._)`${i}${(0,U.getProperty)((0,Qt.unescapeJsonPointer)(p))}`,s=(0,U._)`${s} && ${i}`);return s;function d(p,l){return`Cannot access ${p} ${l} levels up, current level is ${t}`}}o(Ah,"getData");Cr.getData=Ah});var Ri=A(zu=>{"use strict";Object.defineProperty(zu,"__esModule",{value:!0});var Nu=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};zu.default=Nu});var Ho=A(Mu=>{"use strict";Object.defineProperty(Mu,"__esModule",{value:!0});var $u=Mo(),Du=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,$u.resolveUrl)(t,r,n),this.missingSchema=(0,$u.normalizeId)((0,$u.getFullPath)(t,this.missingRef))}};Mu.default=Du});var Ci=A(ht=>{"use strict";Object.defineProperty(ht,"__esModule",{value:!0});ht.resolveSchema=ht.getCompilingSchema=ht.resolveRef=ht.compileSchema=ht.SchemaEnv=void 0;var Rt=Z(),wI=Ri(),Vr=Xt(),bt=Mo(),kh=oe(),SI=jo(),En=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,bt.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};ht.SchemaEnv=En;function Lu(e){let t=Eh.call(this,e);if(t)return t;let r=(0,bt.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:i}=this.opts,s=new Rt.CodeGen(this.scope,{es5:n,lines:a,ownProperties:i}),u;e.$async&&(u=s.scopeValue("Error",{ref:wI.default,code:(0,Rt._)`require("ajv/dist/runtime/validation_error").default`}));let d=s.scopeName("validate");e.validateName=d;let p={gen:s,allErrors:this.opts.allErrors,data:Vr.default.data,parentData:Vr.default.parentData,parentDataProperty:Vr.default.parentDataProperty,dataNames:[Vr.default.data],dataPathArr:[Rt.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:s.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,Rt.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:u,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:Rt.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,Rt._)`""`,opts:this.opts,self:this},l;try{this._compilations.add(e),(0,SI.validateFunctionCode)(p),s.optimize(this.opts.code.optimize);let m=s.toString();l=`${s.scopeRefs(Vr.default.scope)}return ${m}`,this.opts.code.process&&(l=this.opts.code.process(l,e));let _=new Function(`${Vr.default.self}`,`${Vr.default.scope}`,l)(this,this.scope.get());if(this.scope.value(d,{ref:_}),_.errors=null,_.schema=e.schema,_.schemaEnv=e,e.$async&&(_.$async=!0),this.opts.code.source===!0&&(_.source={validateName:d,validateCode:m,scopeValues:s._values}),this.opts.unevaluated){let{props:w,items:y}=p;_.evaluated={props:w instanceof Rt.Name?void 0:w,items:y instanceof Rt.Name?void 0:y,dynamicProps:w instanceof Rt.Name,dynamicItems:y instanceof Rt.Name},_.source&&(_.source.evaluated=(0,Rt.stringify)(_.evaluated))}return e.validate=_,e}catch(m){throw delete e.validate,delete e.validateName,l&&this.logger.error("Error compiling schema, function code:",l),m}finally{this._compilations.delete(e)}}o(Lu,"compileSchema");ht.compileSchema=Lu;function vI(e,t,r){var n;r=(0,bt.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let i=CI.call(this,e,r);if(i===void 0){let s=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:u}=this.opts;s&&(i=new En({schema:s,schemaId:u,root:e,baseId:t}))}if(i!==void 0)return e.refs[r]=RI.call(this,i)}o(vI,"resolveRef");ht.resolveRef=vI;function RI(e){return(0,bt.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:Lu.call(this,e)}o(RI,"inlineOrCompile");function Eh(e){for(let t of this._compilations)if(bI(t,e))return t}o(Eh,"getCompilingSchema");ht.getCompilingSchema=Eh;function bI(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(bI,"sameSchemaEnv");function CI(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||bi.call(this,e,t)}o(CI,"resolve");function bi(e,t){let r=this.opts.uriResolver.parse(t),n=(0,bt._getFullPath)(this.opts.uriResolver,r),a=(0,bt.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return qu.call(this,r,e);let i=(0,bt.normalizeId)(n),s=this.refs[i]||this.schemas[i];if(typeof s=="string"){let u=bi.call(this,e,s);return typeof u?.schema!="object"?void 0:qu.call(this,r,u)}if(typeof s?.schema=="object"){if(s.validate||Lu.call(this,s),i===(0,bt.normalizeId)(t)){let{schema:u}=s,{schemaId:d}=this.opts,p=u[d];return p&&(a=(0,bt.resolveUrl)(this.opts.uriResolver,a,p)),new En({schema:u,schemaId:d,root:e,baseId:a})}return qu.call(this,r,s)}}o(bi,"resolveSchema");ht.resolveSchema=bi;var II=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function qu(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let u of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,kh.unescapeFragment)(u)];if(d===void 0)return;r=d;let p=typeof r=="object"&&r[this.opts.schemaId];!II.has(u)&&p&&(t=(0,bt.resolveUrl)(this.opts.uriResolver,t,p))}let i;if(typeof r!="boolean"&&r.$ref&&!(0,kh.schemaHasRulesButRef)(r,this.RULES)){let u=(0,bt.resolveUrl)(this.opts.uriResolver,t,r.$ref);i=bi.call(this,n,u)}let{schemaId:s}=this.opts;if(i=i||new En({schema:r,schemaId:s,root:n,baseId:t}),i.schema!==i.root.schema)return i}o(qu,"getJsonPointer")});var xh=A((nG,TI)=>{TI.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var Hu=A((oG,Nh)=>{"use strict";var AI=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),Oh=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function ju(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(ju,"stringArrayToHexStripped");var kI=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function Ph(e){return e.length=0,!0}o(Ph,"consumeIsZone");function EI(e,t,r){if(e.length){let n=ju(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(EI,"consumeHextets");function xI(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],i=!1,s=!1,u=EI;for(let d=0;d<e.length;d++){let p=e[d];if(!(p==="["||p==="]"))if(p===":"){if(i===!0&&(s=!0),!u(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(i=!0),n.push(":");continue}else if(p==="%"){if(!u(a,n,r))break;u=Ph}else{a.push(p);continue}}return a.length&&(u===Ph?r.zone=a.join(""):s?n.push(a.join("")):n.push(ju(a))),r.address=n.join(""),r}o(xI,"getIPV6");function Uh(e){if(PI(e,":")<2)return{host:e,isIPV6:!1};let t=xI(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(Uh,"normalizeIPv6");function PI(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(PI,"findToken");function OI(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o(OI,"removeDotSegments");function UI(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(UI,"normalizeComponentEncoding");function NI(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!Oh(r)){let n=Uh(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(NI,"recomposeAuthority");Nh.exports={nonSimpleDomain:kI,recomposeAuthority:NI,normalizeComponentEncoding:UI,removeDotSegments:OI,isIPv4:Oh,isUUID:AI,normalizeIPv6:Uh,stringArrayToHexStripped:ju}});var qh=A((iG,Mh)=>{"use strict";var{isUUID:zI}=Hu(),$I=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,DI=["http","https","ws","wss","urn","urn:uuid"];function MI(e){return DI.indexOf(e)!==-1}o(MI,"isValidSchemeName");function Gu(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(Gu,"wsIsSecure");function zh(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(zh,"httpParse");function $h(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o($h,"httpSerialize");function qI(e){return e.secure=Gu(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(qI,"wsParse");function LI(e){if((e.port===(Gu(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(LI,"wsSerialize");function jI(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match($I);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,i=Bu(a);e.path=void 0,i&&(e=i.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(jI,"urnParse");function HI(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,i=Bu(a);i&&(e=i.serialize(e,t));let s=e,u=e.nss;return s.path=`${n||t.nid}:${u}`,t.skipEscape=!0,s}o(HI,"urnSerialize");function GI(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!zI(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(GI,"urnuuidParse");function BI(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(BI,"urnuuidSerialize");var Dh={scheme:"http",domainHost:!0,parse:zh,serialize:$h},FI={scheme:"https",domainHost:Dh.domainHost,parse:zh,serialize:$h},Ii={scheme:"ws",domainHost:!0,parse:qI,serialize:LI},VI={scheme:"wss",domainHost:Ii.domainHost,parse:Ii.parse,serialize:Ii.serialize},KI={scheme:"urn",parse:jI,serialize:HI,skipNormalize:!0},ZI={scheme:"urn:uuid",parse:GI,serialize:BI,skipNormalize:!0},Ti={http:Dh,https:FI,ws:Ii,wss:VI,urn:KI,"urn:uuid":ZI};Object.setPrototypeOf(Ti,null);function Bu(e){return e&&(Ti[e]||Ti[e.toLowerCase()])||void 0}o(Bu,"getSchemeHandler");Mh.exports={wsIsSecure:Gu,SCHEMES:Ti,isValidSchemeName:MI,getSchemeHandler:Bu}});var Hh=A((cG,ki)=>{"use strict";var{normalizeIPv6:WI,removeDotSegments:Go,recomposeAuthority:JI,normalizeComponentEncoding:Ai,isIPv4:YI,nonSimpleDomain:XI}=Hu(),{SCHEMES:QI,getSchemeHandler:Lh}=qh();function eT(e,t){return typeof e=="string"?e=Ut(er(e,t),t):typeof e=="object"&&(e=er(Ut(e,t),t)),e}o(eT,"normalize");function tT(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=jh(er(e,n),er(t,n),n,!0);return n.skipEscape=!0,Ut(a,n)}o(tT,"resolve");function jh(e,t,r,n){let a={};return n||(e=er(Ut(e,r),r),t=er(Ut(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=Go(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=Go(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=Go(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=Go(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(jh,"resolveComponent");function rT(e,t,r){return typeof e=="string"?(e=unescape(e),e=Ut(Ai(er(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=Ut(Ai(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=Ut(Ai(er(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=Ut(Ai(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(rT,"equal");function Ut(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],i=Lh(n.scheme||r.scheme);i&&i.serialize&&i.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let s=JI(r);if(s!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(s),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let u=r.path;!n.absolutePath&&(!i||!i.absolutePath)&&(u=Go(u)),s===void 0&&u[0]==="/"&&u[1]==="/"&&(u="/%2F"+u.slice(2)),a.push(u)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(Ut,"serialize");var nT=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function er(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let i=e.match(nT);if(i){if(n.scheme=i[1],n.userinfo=i[3],n.host=i[4],n.port=parseInt(i[5],10),n.path=i[6]||"",n.query=i[7],n.fragment=i[8],isNaN(n.port)&&(n.port=i[5]),n.host)if(YI(n.host)===!1){let d=WI(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let s=Lh(r.scheme||n.scheme);if(!r.unicodeSupport&&(!s||!s.unicodeSupport)&&n.host&&(r.domainHost||s&&s.domainHost)&&a===!1&&XI(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(u){n.error=n.error||"Host's domain name can not be converted to ASCII: "+u}(!s||s&&!s.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),s&&s.parse&&s.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(er,"parse");var Fu={SCHEMES:QI,normalize:eT,resolve:tT,resolveComponent:jh,equal:rT,serialize:Ut,parse:er};ki.exports=Fu;ki.exports.default=Fu;ki.exports.fastUri=Fu});var Bh=A(Vu=>{"use strict";Object.defineProperty(Vu,"__esModule",{value:!0});var Gh=Hh();Gh.code='require("ajv/dist/runtime/uri").default';Vu.default=Gh});var Xh=A(Ue=>{"use strict";Object.defineProperty(Ue,"__esModule",{value:!0});Ue.CodeGen=Ue.Name=Ue.nil=Ue.stringify=Ue.str=Ue._=Ue.KeywordCxt=void 0;var oT=jo();Object.defineProperty(Ue,"KeywordCxt",{enumerable:!0,get:o(function(){return oT.KeywordCxt},"get")});var xn=Z();Object.defineProperty(Ue,"_",{enumerable:!0,get:o(function(){return xn._},"get")});Object.defineProperty(Ue,"str",{enumerable:!0,get:o(function(){return xn.str},"get")});Object.defineProperty(Ue,"stringify",{enumerable:!0,get:o(function(){return xn.stringify},"get")});Object.defineProperty(Ue,"nil",{enumerable:!0,get:o(function(){return xn.nil},"get")});Object.defineProperty(Ue,"Name",{enumerable:!0,get:o(function(){return xn.Name},"get")});Object.defineProperty(Ue,"CodeGen",{enumerable:!0,get:o(function(){return xn.CodeGen},"get")});var aT=Ri(),Wh=Ho(),iT=vu(),Bo=Ci(),sT=Z(),Fo=Mo(),Ei=Do(),Zu=oe(),Fh=xh(),cT=Bh(),Jh=o((e,t)=>new RegExp(e,t),"defaultRegExp");Jh.code="new RegExp";var uT=["removeAdditional","useDefaults","coerceTypes"],dT=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),lT={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},pT={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},Vh=200;function mT(e){var t,r,n,a,i,s,u,d,p,l,m,f,_,w,y,S,v,R,b,q,L,je,ut,fn,ur;let Gt=e.strict,zr=(t=e.code)===null||t===void 0?void 0:t.optimize,co=zr===!0||zr===void 0?1:zr||0,uo=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:Jh,lo=(a=e.uriResolver)!==null&&a!==void 0?a:cT.default;return{strictSchema:(s=(i=e.strictSchema)!==null&&i!==void 0?i:Gt)!==null&&s!==void 0?s:!0,strictNumbers:(d=(u=e.strictNumbers)!==null&&u!==void 0?u:Gt)!==null&&d!==void 0?d:!0,strictTypes:(l=(p=e.strictTypes)!==null&&p!==void 0?p:Gt)!==null&&l!==void 0?l:"log",strictTuples:(f=(m=e.strictTuples)!==null&&m!==void 0?m:Gt)!==null&&f!==void 0?f:"log",strictRequired:(w=(_=e.strictRequired)!==null&&_!==void 0?_:Gt)!==null&&w!==void 0?w:!1,code:e.code?{...e.code,optimize:co,regExp:uo}:{optimize:co,regExp:uo},loopRequired:(y=e.loopRequired)!==null&&y!==void 0?y:Vh,loopEnum:(S=e.loopEnum)!==null&&S!==void 0?S:Vh,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(R=e.messages)!==null&&R!==void 0?R:!0,inlineRefs:(b=e.inlineRefs)!==null&&b!==void 0?b:!0,schemaId:(q=e.schemaId)!==null&&q!==void 0?q:"$id",addUsedSchema:(L=e.addUsedSchema)!==null&&L!==void 0?L:!0,validateSchema:(je=e.validateSchema)!==null&&je!==void 0?je:!0,validateFormats:(ut=e.validateFormats)!==null&&ut!==void 0?ut:!0,unicodeRegExp:(fn=e.unicodeRegExp)!==null&&fn!==void 0?fn:!0,int32range:(ur=e.int32range)!==null&&ur!==void 0?ur:!0,uriResolver:lo}}o(mT,"requiredOptions");var Vo=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...mT(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new sT.ValueScope({scope:{},prefixes:dT,es5:r,lines:n}),this.logger=wT(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,iT.getRules)(),Kh.call(this,lT,t,"NOT SUPPORTED"),Kh.call(this,pT,t,"DEPRECATED","warn"),this._metaOpts=_T.call(this),t.formats&&fT.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&gT.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),hT.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=Fh;n==="id"&&(a={...Fh},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(l,m){await i.call(this,l.$schema);let f=this._addSchema(l,m);return f.validate||s.call(this,f)}async function i(l){l&&!this.getSchema(l)&&await a.call(this,{$ref:l},!0)}async function s(l){try{return this._compileSchemaEnv(l)}catch(m){if(!(m instanceof Wh.default))throw m;return u.call(this,m),await d.call(this,m.missingSchema),s.call(this,l)}}function u({missingSchema:l,missingRef:m}){if(this.refs[l])throw new Error(`AnySchema ${l} is loaded but ${m} cannot be resolved`)}async function d(l){let m=await p.call(this,l);this.refs[l]||await i.call(this,m.$schema),this.refs[l]||this.addSchema(m,l,r)}async function p(l){let m=this._loading[l];if(m)return m;try{return await(this._loading[l]=n(l))}finally{delete this._loading[l]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let s of t)this.addSchema(s,void 0,n,a);return this}let i;if(typeof t=="object"){let{schemaId:s}=this.opts;if(i=t[s],i!==void 0&&typeof i!="string")throw new Error(`schema ${s} must be string`)}return r=(0,Fo.normalizeId)(r||i),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let i="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(i);else throw new Error(i)}return a}getSchema(t){let r;for(;typeof(r=Zh.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new Bo.SchemaEnv({schema:{},schemaId:n});if(r=Bo.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=Zh.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,Fo.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(vT.call(this,n,r),!r)return(0,Zu.eachItem)(n,i=>Ku.call(this,i)),this;bT.call(this,r);let a={...r,type:(0,Ei.getJSONTypes)(r.type),schemaType:(0,Ei.getJSONTypes)(r.schemaType)};return(0,Zu.eachItem)(n,a.type.length===0?i=>Ku.call(this,i,a):i=>a.type.forEach(s=>Ku.call(this,i,a,s))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(i=>i.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,i)=>a+r+i)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let i=a.split("/").slice(1),s=t;for(let u of i)s=s[u];for(let u in n){let d=n[u];if(typeof d!="object")continue;let{$data:p}=d.definition,l=s[u];p&&l&&(s[u]=Yh(l))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,i=this.opts.addUsedSchema){let s,{schemaId:u}=this.opts;if(typeof t=="object")s=t[u];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,Fo.normalizeId)(s||n);let p=Fo.getSchemaRefs.call(this,t,n);return d=new Bo.SchemaEnv({schema:t,schemaId:u,meta:r,baseId:n,localRefs:p}),this._cache.set(d.schema,d),i&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):Bo.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{Bo.compileSchema.call(this,t)}finally{this.opts=r}}};Vo.ValidationError=aT.default;Vo.MissingRefError=Wh.default;Ue.default=Vo;function Kh(e,t,r,n="error"){for(let a in e){let i=a;i in t&&this.logger[n](`${r}: option ${a}. ${e[i]}`)}}o(Kh,"checkOptions");function Zh(e){return e=(0,Fo.normalizeId)(e),this.schemas[e]||this.refs[e]}o(Zh,"getSchEnv");function hT(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(hT,"addInitialSchemas");function fT(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(fT,"addInitialFormats");function gT(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(gT,"addInitialKeywords");function _T(){let e={...this.opts};for(let t of uT)delete e[t];return e}o(_T,"getMetaSchemaOptions");var yT={log(){},warn(){},error(){}};function wT(e){if(e===!1)return yT;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(wT,"getLogger");var ST=/^[a-z_$][a-z0-9_$:-]*$/i;function vT(e,t){let{RULES:r}=this;if((0,Zu.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!ST.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(vT,"checkKeyword");function Ku(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:i}=this,s=a?i.post:i.rules.find(({type:d})=>d===r);if(s||(s={type:r,rules:[]},i.rules.push(s)),i.keywords[e]=!0,!t)return;let u={keyword:e,definition:{...t,type:(0,Ei.getJSONTypes)(t.type),schemaType:(0,Ei.getJSONTypes)(t.schemaType)}};t.before?RT.call(this,s,u,t.before):s.rules.push(u),i.all[e]=u,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(Ku,"addRule");function RT(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(RT,"addBeforeRule");function bT(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=Yh(t)),e.validateSchema=this.compile(t,!0))}o(bT,"keywordMetaschema");var CT={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function Yh(e){return{anyOf:[e,CT]}}o(Yh,"schemaOrData")});var Qh=A(Wu=>{"use strict";Object.defineProperty(Wu,"__esModule",{value:!0});var IT={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};Wu.default=IT});var nf=A(Kr=>{"use strict";Object.defineProperty(Kr,"__esModule",{value:!0});Kr.callRef=Kr.getValidate=void 0;var TT=Ho(),ef=mt(),tt=Z(),Pn=Xt(),tf=Ci(),xi=oe(),AT={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:i,validateName:s,opts:u,self:d}=n,{root:p}=i;if((r==="#"||r==="#/")&&a===p.baseId)return m();let l=tf.resolveRef.call(d,p,a,r);if(l===void 0)throw new TT.default(n.opts.uriResolver,a,r);if(l instanceof tf.SchemaEnv)return f(l);return _(l);function m(){if(i===p)return Pi(e,s,i,i.$async);let w=t.scopeValue("root",{ref:p});return Pi(e,(0,tt._)`${w}.validate`,p,p.$async)}function f(w){let y=rf(e,w);Pi(e,y,w,w.$async)}function _(w){let y=t.scopeValue("schema",u.code.source===!0?{ref:w,code:(0,tt.stringify)(w)}:{ref:w}),S=t.name("valid"),v=e.subschema({schema:w,dataTypes:[],schemaPath:tt.nil,topSchemaRef:y,errSchemaPath:r},S);e.mergeEvaluated(v),e.ok(S)}}};function rf(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,tt._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(rf,"getValidate");Kr.getValidate=rf;function Pi(e,t,r,n){let{gen:a,it:i}=e,{allErrors:s,schemaEnv:u,opts:d}=i,p=d.passContext?Pn.default.this:tt.nil;n?l():m();function l(){if(!u.$async)throw new Error("async schema referenced by sync schema");let w=a.let("valid");a.try(()=>{a.code((0,tt._)`await ${(0,ef.callValidateCode)(e,t,p)}`),_(t),s||a.assign(w,!0)},y=>{a.if((0,tt._)`!(${y} instanceof ${i.ValidationError})`,()=>a.throw(y)),f(y),s||a.assign(w,!1)}),e.ok(w)}o(l,"callAsyncRef");function m(){e.result((0,ef.callValidateCode)(e,t,p),()=>_(t),()=>f(t))}o(m,"callSyncRef");function f(w){let y=(0,tt._)`${w}.errors`;a.assign(Pn.default.vErrors,(0,tt._)`${Pn.default.vErrors} === null ? ${y} : ${Pn.default.vErrors}.concat(${y})`),a.assign(Pn.default.errors,(0,tt._)`${Pn.default.vErrors}.length`)}o(f,"addErrorsFrom");function _(w){var y;if(!i.opts.unevaluated)return;let S=(y=r?.validate)===null||y===void 0?void 0:y.evaluated;if(i.props!==!0)if(S&&!S.dynamicProps)S.props!==void 0&&(i.props=xi.mergeEvaluated.props(a,S.props,i.props));else{let v=a.var("props",(0,tt._)`${w}.evaluated.props`);i.props=xi.mergeEvaluated.props(a,v,i.props,tt.Name)}if(i.items!==!0)if(S&&!S.dynamicItems)S.items!==void 0&&(i.items=xi.mergeEvaluated.items(a,S.items,i.items));else{let v=a.var("items",(0,tt._)`${w}.evaluated.items`);i.items=xi.mergeEvaluated.items(a,v,i.items,tt.Name)}}o(_,"addEvaluatedFrom")}o(Pi,"callRef");Kr.callRef=Pi;Kr.default=AT});var of=A(Ju=>{"use strict";Object.defineProperty(Ju,"__esModule",{value:!0});var kT=Qh(),ET=nf(),xT=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",kT.default,ET.default];Ju.default=xT});var af=A(Yu=>{"use strict";Object.defineProperty(Yu,"__esModule",{value:!0});var Oi=Z(),Ir=Oi.operators,Ui={maximum:{okStr:"<=",ok:Ir.LTE,fail:Ir.GT},minimum:{okStr:">=",ok:Ir.GTE,fail:Ir.LT},exclusiveMaximum:{okStr:"<",ok:Ir.LT,fail:Ir.GTE},exclusiveMinimum:{okStr:">",ok:Ir.GT,fail:Ir.LTE}},PT={message:o(({keyword:e,schemaCode:t})=>(0,Oi.str)`must be ${Ui[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,Oi._)`{comparison: ${Ui[e].okStr}, limit: ${t}}`,"params")},OT={keyword:Object.keys(Ui),type:"number",schemaType:"number",$data:!0,error:PT,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,Oi._)`${r} ${Ui[t].fail} ${n} || isNaN(${r})`)}};Yu.default=OT});var sf=A(Xu=>{"use strict";Object.defineProperty(Xu,"__esModule",{value:!0});var Ko=Z(),UT={message:o(({schemaCode:e})=>(0,Ko.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,Ko._)`{multipleOf: ${e}}`,"params")},NT={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:UT,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,i=a.opts.multipleOfPrecision,s=t.let("res"),u=i?(0,Ko._)`Math.abs(Math.round(${s}) - ${s}) > 1e-${i}`:(0,Ko._)`${s} !== parseInt(${s})`;e.fail$data((0,Ko._)`(${n} === 0 || (${s} = ${r}/${n}, ${u}))`)}};Xu.default=NT});var uf=A(Qu=>{"use strict";Object.defineProperty(Qu,"__esModule",{value:!0});function cf(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(cf,"ucs2length");Qu.default=cf;cf.code='require("ajv/dist/runtime/ucs2length").default'});var df=A(ed=>{"use strict";Object.defineProperty(ed,"__esModule",{value:!0});var Zr=Z(),zT=oe(),$T=uf(),DT={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,Zr.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,Zr._)`{limit: ${e}}`,"params")},MT={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:DT,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,i=t==="maxLength"?Zr.operators.GT:Zr.operators.LT,s=a.opts.unicode===!1?(0,Zr._)`${r}.length`:(0,Zr._)`${(0,zT.useFunc)(e.gen,$T.default)}(${r})`;e.fail$data((0,Zr._)`${s} ${i} ${n}`)}};ed.default=MT});var lf=A(td=>{"use strict";Object.defineProperty(td,"__esModule",{value:!0});var qT=mt(),Ni=Z(),LT={message:o(({schemaCode:e})=>(0,Ni.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,Ni._)`{pattern: ${e}}`,"params")},jT={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:LT,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:i}=e,s=i.opts.unicodeRegExp?"u":"",u=r?(0,Ni._)`(new RegExp(${a}, ${s}))`:(0,qT.usePattern)(e,n);e.fail$data((0,Ni._)`!${u}.test(${t})`)}};td.default=jT});var pf=A(rd=>{"use strict";Object.defineProperty(rd,"__esModule",{value:!0});var Zo=Z(),HT={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,Zo.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,Zo._)`{limit: ${e}}`,"params")},GT={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:HT,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?Zo.operators.GT:Zo.operators.LT;e.fail$data((0,Zo._)`Object.keys(${r}).length ${a} ${n}`)}};rd.default=GT});var mf=A(nd=>{"use strict";Object.defineProperty(nd,"__esModule",{value:!0});var Wo=mt(),Jo=Z(),BT=oe(),FT={message:o(({params:{missingProperty:e}})=>(0,Jo.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,Jo._)`{missingProperty: ${e}}`,"params")},VT={keyword:"required",type:"object",schemaType:"array",$data:!0,error:FT,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:i,it:s}=e,{opts:u}=s;if(!i&&r.length===0)return;let d=r.length>=u.loopRequired;if(s.allErrors?p():l(),u.strictRequired){let _=e.parentSchema.properties,{definedProperties:w}=e.it;for(let y of r)if(_?.[y]===void 0&&!w.has(y)){let S=s.schemaEnv.baseId+s.errSchemaPath,v=`required property "${y}" is not defined at "${S}" (strictRequired)`;(0,BT.checkStrictMode)(s,v,s.opts.strictRequired)}}function p(){if(d||i)e.block$data(Jo.nil,m);else for(let _ of r)(0,Wo.checkReportMissingProp)(e,_)}o(p,"allErrorsMode");function l(){let _=t.let("missing");if(d||i){let w=t.let("valid",!0);e.block$data(w,()=>f(_,w)),e.ok(w)}else t.if((0,Wo.checkMissingProp)(e,r,_)),(0,Wo.reportMissingProp)(e,_),t.else()}o(l,"exitOnErrorMode");function m(){t.forOf("prop",n,_=>{e.setParams({missingProperty:_}),t.if((0,Wo.noPropertyInData)(t,a,_,u.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function f(_,w){e.setParams({missingProperty:_}),t.forOf(_,n,()=>{t.assign(w,(0,Wo.propertyInData)(t,a,_,u.ownProperties)),t.if((0,Jo.not)(w),()=>{e.error(),t.break()})},Jo.nil)}o(f,"loopUntilMissing")}};nd.default=VT});var hf=A(od=>{"use strict";Object.defineProperty(od,"__esModule",{value:!0});var Yo=Z(),KT={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,Yo.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,Yo._)`{limit: ${e}}`,"params")},ZT={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:KT,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?Yo.operators.GT:Yo.operators.LT;e.fail$data((0,Yo._)`${r}.length ${a} ${n}`)}};od.default=ZT});var zi=A(ad=>{"use strict";Object.defineProperty(ad,"__esModule",{value:!0});var ff=Eu();ff.code='require("ajv/dist/runtime/equal").default';ad.default=ff});var gf=A(sd=>{"use strict";Object.defineProperty(sd,"__esModule",{value:!0});var id=Do(),Ne=Z(),WT=oe(),JT=zi(),YT={message:o(({params:{i:e,j:t}})=>(0,Ne.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,Ne._)`{i: ${e}, j: ${t}}`,"params")},XT={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:YT,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:i,schemaCode:s,it:u}=e;if(!n&&!a)return;let d=t.let("valid"),p=i.items?(0,id.getSchemaTypes)(i.items):[];e.block$data(d,l,(0,Ne._)`${s} === false`),e.ok(d);function l(){let w=t.let("i",(0,Ne._)`${r}.length`),y=t.let("j");e.setParams({i:w,j:y}),t.assign(d,!0),t.if((0,Ne._)`${w} > 1`,()=>(m()?f:_)(w,y))}o(l,"validateUniqueItems");function m(){return p.length>0&&!p.some(w=>w==="object"||w==="array")}o(m,"canOptimize");function f(w,y){let S=t.name("item"),v=(0,id.checkDataTypes)(p,S,u.opts.strictNumbers,id.DataType.Wrong),R=t.const("indices",(0,Ne._)`{}`);t.for((0,Ne._)`;${w}--;`,()=>{t.let(S,(0,Ne._)`${r}[${w}]`),t.if(v,(0,Ne._)`continue`),p.length>1&&t.if((0,Ne._)`typeof ${S} == "string"`,(0,Ne._)`${S} += "_"`),t.if((0,Ne._)`typeof ${R}[${S}] == "number"`,()=>{t.assign(y,(0,Ne._)`${R}[${S}]`),e.error(),t.assign(d,!1).break()}).code((0,Ne._)`${R}[${S}] = ${w}`)})}o(f,"loopN");function _(w,y){let S=(0,WT.useFunc)(t,JT.default),v=t.name("outer");t.label(v).for((0,Ne._)`;${w}--;`,()=>t.for((0,Ne._)`${y} = ${w}; ${y}--;`,()=>t.if((0,Ne._)`${S}(${r}[${w}], ${r}[${y}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(_,"loopN2")}};sd.default=XT});var _f=A(ud=>{"use strict";Object.defineProperty(ud,"__esModule",{value:!0});var cd=Z(),QT=oe(),eA=zi(),tA={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,cd._)`{allowedValue: ${e}}`,"params")},rA={keyword:"const",$data:!0,error:tA,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:i}=e;n||i&&typeof i=="object"?e.fail$data((0,cd._)`!${(0,QT.useFunc)(t,eA.default)}(${r}, ${a})`):e.fail((0,cd._)`${i} !== ${r}`)}};ud.default=rA});var yf=A(dd=>{"use strict";Object.defineProperty(dd,"__esModule",{value:!0});var Xo=Z(),nA=oe(),oA=zi(),aA={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,Xo._)`{allowedValues: ${e}}`,"params")},iA={keyword:"enum",schemaType:"array",$data:!0,error:aA,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:i,it:s}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let u=a.length>=s.opts.loopEnum,d,p=o(()=>d??(d=(0,nA.useFunc)(t,oA.default)),"getEql"),l;if(u||n)l=t.let("valid"),e.block$data(l,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let _=t.const("vSchema",i);l=(0,Xo.or)(...a.map((w,y)=>f(_,y)))}e.pass(l);function m(){t.assign(l,!1),t.forOf("v",i,_=>t.if((0,Xo._)`${p()}(${r}, ${_})`,()=>t.assign(l,!0).break()))}o(m,"loopEnum");function f(_,w){let y=a[w];return typeof y=="object"&&y!==null?(0,Xo._)`${p()}(${r}, ${_}[${w}])`:(0,Xo._)`${r} === ${y}`}o(f,"equalCode")}};dd.default=iA});var wf=A(ld=>{"use strict";Object.defineProperty(ld,"__esModule",{value:!0});var sA=af(),cA=sf(),uA=df(),dA=lf(),lA=pf(),pA=mf(),mA=hf(),hA=gf(),fA=_f(),gA=yf(),_A=[sA.default,cA.default,uA.default,dA.default,lA.default,pA.default,mA.default,hA.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},fA.default,gA.default];ld.default=_A});var md=A(Qo=>{"use strict";Object.defineProperty(Qo,"__esModule",{value:!0});Qo.validateAdditionalItems=void 0;var Wr=Z(),pd=oe(),yA={message:o(({params:{len:e}})=>(0,Wr.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,Wr._)`{limit: ${e}}`,"params")},wA={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:yA,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,pd.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}Sf(e,n)}};function Sf(e,t){let{gen:r,schema:n,data:a,keyword:i,it:s}=e;s.items=!0;let u=r.const("len",(0,Wr._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,Wr._)`${u} <= ${t.length}`);else if(typeof n=="object"&&!(0,pd.alwaysValidSchema)(s,n)){let p=r.var("valid",(0,Wr._)`${u} <= ${t.length}`);r.if((0,Wr.not)(p),()=>d(p)),e.ok(p)}function d(p){r.forRange("i",t.length,u,l=>{e.subschema({keyword:i,dataProp:l,dataPropType:pd.Type.Num},p),s.allErrors||r.if((0,Wr.not)(p),()=>r.break())})}o(d,"validateItems")}o(Sf,"validateAdditionalItems");Qo.validateAdditionalItems=Sf;Qo.default=wA});var hd=A(ea=>{"use strict";Object.defineProperty(ea,"__esModule",{value:!0});ea.validateTuple=void 0;var vf=Z(),$i=oe(),SA=mt(),vA={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return Rf(e,"additionalItems",t);r.items=!0,!(0,$i.alwaysValidSchema)(r,t)&&e.ok((0,SA.validateArray)(e))}};function Rf(e,t,r=e.schema){let{gen:n,parentSchema:a,data:i,keyword:s,it:u}=e;l(a),u.opts.unevaluated&&r.length&&u.items!==!0&&(u.items=$i.mergeEvaluated.items(n,r.length,u.items));let d=n.name("valid"),p=n.const("len",(0,vf._)`${i}.length`);r.forEach((m,f)=>{(0,$i.alwaysValidSchema)(u,m)||(n.if((0,vf._)`${p} > ${f}`,()=>e.subschema({keyword:s,schemaProp:f,dataProp:f},d)),e.ok(d))});function l(m){let{opts:f,errSchemaPath:_}=u,w=r.length,y=w===m.minItems&&(w===m.maxItems||m[t]===!1);if(f.strictTuples&&!y){let S=`"${s}" is ${w}-tuple, but minItems or maxItems/${t} are not specified or different at path "${_}"`;(0,$i.checkStrictMode)(u,S,f.strictTuples)}}o(l,"checkStrictTuple")}o(Rf,"validateTuple");ea.validateTuple=Rf;ea.default=vA});var bf=A(fd=>{"use strict";Object.defineProperty(fd,"__esModule",{value:!0});var RA=hd(),bA={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,RA.validateTuple)(e,"items"),"code")};fd.default=bA});var If=A(gd=>{"use strict";Object.defineProperty(gd,"__esModule",{value:!0});var Cf=Z(),CA=oe(),IA=mt(),TA=md(),AA={message:o(({params:{len:e}})=>(0,Cf.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,Cf._)`{limit: ${e}}`,"params")},kA={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:AA,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,CA.alwaysValidSchema)(n,t)&&(a?(0,TA.validateAdditionalItems)(e,a):e.ok((0,IA.validateArray)(e)))}};gd.default=kA});var Tf=A(_d=>{"use strict";Object.defineProperty(_d,"__esModule",{value:!0});var ft=Z(),Di=oe(),EA={message:o(({params:{min:e,max:t}})=>t===void 0?(0,ft.str)`must contain at least ${e} valid item(s)`:(0,ft.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,ft._)`{minContains: ${e}}`:(0,ft._)`{minContains: ${e}, maxContains: ${t}}`,"params")},xA={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:EA,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e,s,u,{minContains:d,maxContains:p}=n;i.opts.next?(s=d===void 0?1:d,u=p):s=1;let l=t.const("len",(0,ft._)`${a}.length`);if(e.setParams({min:s,max:u}),u===void 0&&s===0){(0,Di.checkStrictMode)(i,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(u!==void 0&&s>u){(0,Di.checkStrictMode)(i,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,Di.alwaysValidSchema)(i,r)){let y=(0,ft._)`${l} >= ${s}`;u!==void 0&&(y=(0,ft._)`${y} && ${l} <= ${u}`),e.pass(y);return}i.items=!0;let m=t.name("valid");u===void 0&&s===1?_(m,()=>t.if(m,()=>t.break())):s===0?(t.let(m,!0),u!==void 0&&t.if((0,ft._)`${a}.length > 0`,f)):(t.let(m,!1),f()),e.result(m,()=>e.reset());function f(){let y=t.name("_valid"),S=t.let("count",0);_(y,()=>t.if(y,()=>w(S)))}o(f,"validateItemsWithCount");function _(y,S){t.forRange("i",0,l,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:Di.Type.Num,compositeRule:!0},y),S()})}o(_,"validateItems");function w(y){t.code((0,ft._)`${y}++`),u===void 0?t.if((0,ft._)`${y} >= ${s}`,()=>t.assign(m,!0).break()):(t.if((0,ft._)`${y} > ${u}`,()=>t.assign(m,!1).break()),s===1?t.assign(m,!0):t.if((0,ft._)`${y} >= ${s}`,()=>t.assign(m,!0)))}o(w,"checkLimits")}};_d.default=xA});var Ef=A(Nt=>{"use strict";Object.defineProperty(Nt,"__esModule",{value:!0});Nt.validateSchemaDeps=Nt.validatePropertyDeps=Nt.error=void 0;var yd=Z(),PA=oe(),ta=mt();Nt.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,yd.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,yd._)`{property: ${e},
     missingProperty: ${n},
     depsCount: ${t},
-    deps: ${r}}`,"params")};var $T={keyword:"dependencies",type:"object",schemaType:"object",error:bt.error,code(e){let[t,r]=LT(e);qh(e,t),$h(e,r)}};function LT({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(LT,"splitDependencies");function qh(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let i=r.let("missing");for(let s in t){let u=t[s];if(u.length===0)continue;let d=(0,xo.propertyInData)(r,n,s,a.opts.ownProperties);e.setParams({property:s,depsCount:u.length,deps:u.join(", ")}),a.allErrors?r.if(d,()=>{for(let l of u)(0,xo.checkReportMissingProp)(e,l)}):(r.if((0,Du._)`${d} && (${(0,xo.checkMissingProp)(e,u,i)})`),(0,xo.reportMissingProp)(e,i),r.else())}}o(qh,"validatePropertyDeps");bt.validatePropertyDeps=qh;function $h(e,t=e.schema){let{gen:r,data:n,keyword:a,it:i}=e,s=r.name("valid");for(let u in t)(0,qT.alwaysValidSchema)(i,t[u])||(r.if((0,xo.propertyInData)(r,n,u,i.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:u},s);e.mergeValidEvaluated(d,s)},()=>r.var(s,!0)),e.ok(s))}o($h,"validateSchemaDeps");bt.validateSchemaDeps=$h;bt.default=$T});var Hh=T(Mu=>{"use strict";Object.defineProperty(Mu,"__esModule",{value:!0});var jh=L(),jT=J(),HT={message:"property name must be valid",params:o(({params:e})=>(0,jh._)`{propertyName: ${e.propertyName}}`,"params")},GT={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:HT,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,jT.alwaysValidSchema)(a,r))return;let i=t.name("valid");t.forIn("key",n,s=>{e.setParams({propertyName:s}),e.subschema({keyword:"propertyNames",data:s,dataTypes:["string"],propertyName:s,compositeRule:!0},i),t.if((0,jh.not)(i),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(i)}};Mu.default=GT});var $u=T(qu=>{"use strict";Object.defineProperty(qu,"__esModule",{value:!0});var si=nt(),mt=L(),BT=$t(),ci=J(),VT={message:"must NOT have additional properties",params:o(({params:e})=>(0,mt._)`{additionalProperty: ${e.additionalProperty}}`,"params")},FT={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:VT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:i,it:s}=e;if(!i)throw new Error("ajv implementation error");let{allErrors:u,opts:d}=s;if(s.props=!0,d.removeAdditional!=="all"&&(0,ci.alwaysValidSchema)(s,r))return;let l=(0,si.allSchemaProperties)(n.properties),p=(0,si.allSchemaProperties)(n.patternProperties);m(),e.ok((0,mt._)`${i} === ${BT.default.errors}`);function m(){t.forIn("key",a,w=>{!l.length&&!p.length?S(w):t.if(f(w),()=>S(w))})}o(m,"checkAdditionalProperties");function f(w){let v;if(l.length>8){let R=(0,ci.schemaRefOrVal)(s,n.properties,"properties");v=(0,si.isOwnProperty)(t,R,w)}else l.length?v=(0,mt.or)(...l.map(R=>(0,mt._)`${w} === ${R}`)):v=mt.nil;return p.length&&(v=(0,mt.or)(v,...p.map(R=>(0,mt._)`${(0,si.usePattern)(e,R)}.test(${w})`))),(0,mt.not)(v)}o(f,"isAdditional");function _(w){t.code((0,mt._)`delete ${a}[${w}]`)}o(_,"deleteAdditional");function S(w){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){_(w);return}if(r===!1){e.setParams({additionalProperty:w}),e.error(),u||t.break();return}if(typeof r=="object"&&!(0,ci.alwaysValidSchema)(s,r)){let v=t.name("valid");d.removeAdditional==="failing"?(y(w,v,!1),t.if((0,mt.not)(v),()=>{e.reset(),_(w)})):(y(w,v),u||t.if((0,mt.not)(v),()=>t.break()))}}o(S,"additionalPropertyCode");function y(w,v,R){let I={keyword:"additionalProperties",dataProp:w,dataPropType:ci.Type.Str};R===!1&&Object.assign(I,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(I,v)}o(y,"applyAdditionalSchema")}};qu.default=FT});var Vh=T(ju=>{"use strict";Object.defineProperty(ju,"__esModule",{value:!0});var ZT=_o(),Gh=nt(),Lu=J(),Bh=$u(),KT={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e;i.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&Bh.default.code(new ZT.KeywordCxt(i,Bh.default,"additionalProperties"));let s=(0,Gh.allSchemaProperties)(r);for(let m of s)i.definedProperties.add(m);i.opts.unevaluated&&s.length&&i.props!==!0&&(i.props=Lu.mergeEvaluated.props(t,(0,Lu.toHash)(s),i.props));let u=s.filter(m=>!(0,Lu.alwaysValidSchema)(i,r[m]));if(u.length===0)return;let d=t.name("valid");for(let m of u)l(m)?p(m):(t.if((0,Gh.propertyInData)(t,a,m,i.opts.ownProperties)),p(m),i.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function l(m){return i.opts.useDefaults&&!i.compositeRule&&r[m].default!==void 0}o(l,"hasDefault");function p(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(p,"applyPropertySchema")}};ju.default=KT});var Wh=T(Hu=>{"use strict";Object.defineProperty(Hu,"__esModule",{value:!0});var Fh=nt(),ui=L(),Zh=J(),Kh=J(),WT={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:i}=e,{opts:s}=i,u=(0,Fh.allSchemaProperties)(r),d=u.filter(y=>(0,Zh.alwaysValidSchema)(i,r[y]));if(u.length===0||d.length===u.length&&(!i.opts.unevaluated||i.props===!0))return;let l=s.strictSchema&&!s.allowMatchingProperties&&a.properties,p=t.name("valid");i.props!==!0&&!(i.props instanceof ui.Name)&&(i.props=(0,Kh.evaluatedPropsToName)(t,i.props));let{props:m}=i;f();function f(){for(let y of u)l&&_(y),i.allErrors?S(y):(t.var(p,!0),S(y),t.if(p))}o(f,"validatePatternProperties");function _(y){for(let w in l)new RegExp(y).test(w)&&(0,Zh.checkStrictMode)(i,`property ${w} matches pattern ${y} (use allowMatchingProperties)`)}o(_,"checkMatchingProperties");function S(y){t.forIn("key",n,w=>{t.if((0,ui._)`${(0,Fh.usePattern)(e,y)}.test(${w})`,()=>{let v=d.includes(y);v||e.subschema({keyword:"patternProperties",schemaProp:y,dataProp:w,dataPropType:Kh.Type.Str},p),i.opts.unevaluated&&m!==!0?t.assign((0,ui._)`${m}[${w}]`,!0):!v&&!i.allErrors&&t.if((0,ui.not)(p),()=>t.break())})})}o(S,"validateProperties")}};Hu.default=WT});var Jh=T(Gu=>{"use strict";Object.defineProperty(Gu,"__esModule",{value:!0});var JT=J(),YT={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,JT.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Gu.default=YT});var Yh=T(Bu=>{"use strict";Object.defineProperty(Bu,"__esModule",{value:!0});var XT=nt(),QT={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:XT.validateUnion,error:{message:"must match a schema in anyOf"}};Bu.default=QT});var Xh=T(Vu=>{"use strict";Object.defineProperty(Vu,"__esModule",{value:!0});var di=L(),eA=J(),tA={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,di._)`{passingSchemas: ${e.passing}}`,"params")},rA={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:tA,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let i=r,s=t.let("valid",!1),u=t.let("passing",null),d=t.name("_valid");e.setParams({passing:u}),t.block(l),e.result(s,()=>e.reset(),()=>e.error(!0));function l(){i.forEach((p,m)=>{let f;(0,eA.alwaysValidSchema)(a,p)?t.var(d,!0):f=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,di._)`${d} && ${s}`).assign(s,!1).assign(u,(0,di._)`[${u}, ${m}]`).else(),t.if(d,()=>{t.assign(s,!0),t.assign(u,m),f&&e.mergeEvaluated(f,di.Name)})})}o(l,"validateOneOf")}};Vu.default=rA});var Qh=T(Fu=>{"use strict";Object.defineProperty(Fu,"__esModule",{value:!0});var nA=J(),oA={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((i,s)=>{if((0,nA.alwaysValidSchema)(n,i))return;let u=e.subschema({keyword:"allOf",schemaProp:s},a);e.ok(a),e.mergeEvaluated(u)})}};Fu.default=oA});var rf=T(Zu=>{"use strict";Object.defineProperty(Zu,"__esModule",{value:!0});var li=L(),tf=J(),aA={message:o(({params:e})=>(0,li.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,li._)`{failingKeyword: ${e.ifClause}}`,"params")},iA={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:aA,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,tf.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=ef(n,"then"),i=ef(n,"else");if(!a&&!i)return;let s=t.let("valid",!0),u=t.name("_valid");if(d(),e.reset(),a&&i){let p=t.let("ifClause");e.setParams({ifClause:p}),t.if(u,l("then",p),l("else",p))}else a?t.if(u,l("then")):t.if((0,li.not)(u),l("else"));e.pass(s,()=>e.error(!0));function d(){let p=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},u);e.mergeEvaluated(p)}o(d,"validateIf");function l(p,m){return()=>{let f=e.subschema({keyword:p},u);t.assign(s,u),e.mergeValidEvaluated(f,s),m?t.assign(m,(0,li._)`${p}`):e.setParams({ifClause:p})}}o(l,"validateClause")}};function ef(e,t){let r=e.schema[t];return r!==void 0&&!(0,tf.alwaysValidSchema)(e,r)}o(ef,"hasSchema");Zu.default=iA});var nf=T(Ku=>{"use strict";Object.defineProperty(Ku,"__esModule",{value:!0});var sA=J(),cA={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,sA.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};Ku.default=cA});var of=T(Wu=>{"use strict";Object.defineProperty(Wu,"__esModule",{value:!0});var uA=xu(),dA=zh(),lA=Ou(),pA=Dh(),mA=Mh(),hA=Lh(),fA=Hh(),gA=$u(),_A=Vh(),yA=Wh(),SA=Jh(),wA=Yh(),vA=Xh(),RA=Qh(),bA=rf(),CA=nf();function IA(e=!1){let t=[SA.default,wA.default,vA.default,RA.default,bA.default,CA.default,fA.default,gA.default,hA.default,_A.default,yA.default];return e?t.push(dA.default,pA.default):t.push(uA.default,lA.default),t.push(mA.default),t}o(IA,"getApplicator");Wu.default=IA});var af=T(Ju=>{"use strict";Object.defineProperty(Ju,"__esModule",{value:!0});var fe=L(),TA={message:o(({schemaCode:e})=>(0,fe.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,fe._)`{format: ${e}}`,"params")},AA={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:TA,code(e,t){let{gen:r,data:n,$data:a,schema:i,schemaCode:s,it:u}=e,{opts:d,errSchemaPath:l,schemaEnv:p,self:m}=u;if(!d.validateFormats)return;a?f():_();function f(){let S=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),y=r.const("fDef",(0,fe._)`${S}[${s}]`),w=r.let("fType"),v=r.let("format");r.if((0,fe._)`typeof ${y} == "object" && !(${y} instanceof RegExp)`,()=>r.assign(w,(0,fe._)`${y}.type || "string"`).assign(v,(0,fe._)`${y}.validate`),()=>r.assign(w,(0,fe._)`"string"`).assign(v,y)),e.fail$data((0,fe.or)(R(),I()));function R(){return d.strictSchema===!1?fe.nil:(0,fe._)`${s} && !${v}`}o(R,"unknownFmt");function I(){let N=p.$async?(0,fe._)`(${y}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,fe._)`${v}(${n})`,M=(0,fe._)`(typeof ${v} == "function" ? ${N} : ${v}.test(${n}))`;return(0,fe._)`${v} && ${v} !== true && ${w} === ${t} && !${M}`}o(I,"invalidFmt")}o(f,"validate$DataFormat");function _(){let S=m.formats[i];if(!S){R();return}if(S===!0)return;let[y,w,v]=I(S);y===t&&e.pass(N());function R(){if(d.strictSchema===!1){m.logger.warn(M());return}throw new Error(M());function M(){return`unknown format "${i}" ignored in schema at path "${l}"`}}o(R,"unknownFormat");function I(M){let Ye=M instanceof RegExp?(0,fe.regexpCode)(M):d.code.formats?(0,fe._)`${d.code.formats}${(0,fe.getProperty)(i)}`:void 0,xt=r.scopeValue("formats",{key:i,ref:M,code:Ye});return typeof M=="object"&&!(M instanceof RegExp)?[M.type||"string",M.validate,(0,fe._)`${xt}.validate`]:["string",M,xt]}o(I,"getFormat");function N(){if(typeof S=="object"&&!(S instanceof RegExp)&&S.async){if(!p.$async)throw new Error("async format in sync schema");return(0,fe._)`await ${v}(${n})`}return typeof w=="function"?(0,fe._)`${v}(${n})`:(0,fe._)`${v}.test(${n})`}o(N,"validCondition")}o(_,"validateFormat")}};Ju.default=AA});var sf=T(Yu=>{"use strict";Object.defineProperty(Yu,"__esModule",{value:!0});var kA=af(),PA=[kA.default];Yu.default=PA});var cf=T(mn=>{"use strict";Object.defineProperty(mn,"__esModule",{value:!0});mn.contentVocabulary=mn.metadataVocabulary=void 0;mn.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];mn.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var df=T(Xu=>{"use strict";Object.defineProperty(Xu,"__esModule",{value:!0});var EA=gh(),xA=Eh(),OA=of(),UA=sf(),uf=cf(),zA=[EA.default,xA.default,(0,OA.default)(),UA.default,uf.metadataVocabulary,uf.contentVocabulary];Xu.default=zA});var pf=T(pi=>{"use strict";Object.defineProperty(pi,"__esModule",{value:!0});pi.DiscrError=void 0;var lf;(function(e){e.Tag="tag",e.Mapping="mapping"})(lf||(pi.DiscrError=lf={}))});var hf=T(ed=>{"use strict";Object.defineProperty(ed,"__esModule",{value:!0});var hn=L(),Qu=pf(),mf=Za(),NA=yo(),DA=J(),MA={message:o(({params:{discrError:e,tagName:t}})=>e===Qu.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,hn._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},qA={keyword:"discriminator",type:"object",schemaType:"object",error:MA,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:i}=e,{oneOf:s}=a;if(!i.opts.discriminator)throw new Error("discriminator: requires discriminator option");let u=n.propertyName;if(typeof u!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!s)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),l=t.const("tag",(0,hn._)`${r}${(0,hn.getProperty)(u)}`);t.if((0,hn._)`typeof ${l} == "string"`,()=>p(),()=>e.error(!1,{discrError:Qu.DiscrError.Tag,tag:l,tagName:u})),e.ok(d);function p(){let _=f();t.if(!1);for(let S in _)t.elseIf((0,hn._)`${l} === ${S}`),t.assign(d,m(_[S]));t.else(),e.error(!1,{discrError:Qu.DiscrError.Mapping,tag:l,tagName:u}),t.endIf()}o(p,"validateMapping");function m(_){let S=t.name("valid"),y=e.subschema({keyword:"oneOf",schemaProp:_},S);return e.mergeEvaluated(y,hn.Name),S}o(m,"applyTagSchema");function f(){var _;let S={},y=v(a),w=!0;for(let N=0;N<s.length;N++){let M=s[N];if(M?.$ref&&!(0,DA.schemaHasRulesButRef)(M,i.self.RULES)){let xt=M.$ref;if(M=mf.resolveRef.call(i.self,i.schemaEnv.root,i.baseId,xt),M instanceof mf.SchemaEnv&&(M=M.schema),M===void 0)throw new NA.default(i.opts.uriResolver,i.baseId,xt)}let Ye=(_=M?.properties)===null||_===void 0?void 0:_[u];if(typeof Ye!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${u}"`);w=w&&(y||v(M)),R(Ye,N)}if(!w)throw new Error(`discriminator: "${u}" must be required`);return S;function v({required:N}){return Array.isArray(N)&&N.includes(u)}function R(N,M){if(N.const)I(N.const,M);else if(N.enum)for(let Ye of N.enum)I(Ye,M);else throw new Error(`discriminator: "properties/${u}" must have "const" or "enum"`)}function I(N,M){if(typeof N!="string"||N in S)throw new Error(`discriminator: "${u}" values must be unique strings`);S[N]=M}}o(f,"getMapping")}};ed.default=qA});var ff=T((rG,$A)=>{$A.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var rd=T((ae,td)=>{"use strict";Object.defineProperty(ae,"__esModule",{value:!0});ae.MissingRefError=ae.ValidationError=ae.CodeGen=ae.Name=ae.nil=ae.stringify=ae.str=ae._=ae.KeywordCxt=ae.Ajv=void 0;var LA=dh(),jA=df(),HA=hf(),gf=ff(),GA=["/properties"],mi="http://json-schema.org/draft-07/schema",fn=class extends LA.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),jA.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(HA.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(gf,GA):gf;this.addMetaSchema(t,mi,!1),this.refs["http://json-schema.org/schema"]=mi}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(mi)?mi:void 0)}};ae.Ajv=fn;td.exports=ae=fn;td.exports.Ajv=fn;Object.defineProperty(ae,"__esModule",{value:!0});ae.default=fn;var BA=_o();Object.defineProperty(ae,"KeywordCxt",{enumerable:!0,get:o(function(){return BA.KeywordCxt},"get")});var gn=L();Object.defineProperty(ae,"_",{enumerable:!0,get:o(function(){return gn._},"get")});Object.defineProperty(ae,"str",{enumerable:!0,get:o(function(){return gn.str},"get")});Object.defineProperty(ae,"stringify",{enumerable:!0,get:o(function(){return gn.stringify},"get")});Object.defineProperty(ae,"nil",{enumerable:!0,get:o(function(){return gn.nil},"get")});Object.defineProperty(ae,"Name",{enumerable:!0,get:o(function(){return gn.Name},"get")});Object.defineProperty(ae,"CodeGen",{enumerable:!0,get:o(function(){return gn.CodeGen},"get")});var VA=Va();Object.defineProperty(ae,"ValidationError",{enumerable:!0,get:o(function(){return VA.default},"get")});var FA=yo();Object.defineProperty(ae,"MissingRefError",{enumerable:!0,get:o(function(){return FA.default},"get")})});var Cf=T(It=>{"use strict";Object.defineProperty(It,"__esModule",{value:!0});It.formatNames=It.fastFormats=It.fullFormats=void 0;function Ct(e,t){return{validate:e,compare:t}}o(Ct,"fmtDef");It.fullFormats={date:Ct(wf,id),time:Ct(od(!0),sd),"date-time":Ct(_f(!0),Rf),"iso-time":Ct(od(),vf),"iso-date-time":Ct(_f(),bf),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:XA,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:ak,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:QA,int32:{type:"number",validate:rk},int64:{type:"number",validate:nk},float:{type:"number",validate:Sf},double:{type:"number",validate:Sf},password:!0,binary:!0};It.fastFormats={...It.fullFormats,date:Ct(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,id),time:Ct(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,sd),"date-time":Ct(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Rf),"iso-time":Ct(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,vf),"iso-date-time":Ct(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,bf),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};It.formatNames=Object.keys(It.fullFormats);function ZA(e){return e%4===0&&(e%100!==0||e%400===0)}o(ZA,"isLeapYear");var KA=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,WA=[0,31,28,31,30,31,30,31,31,30,31,30,31];function wf(e){let t=KA.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&ZA(r)?29:WA[n])}o(wf,"date");function id(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(id,"compareDate");var nd=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function od(e){return o(function(r){let n=nd.exec(r);if(!n)return!1;let a=+n[1],i=+n[2],s=+n[3],u=n[4],d=n[5]==="-"?-1:1,l=+(n[6]||0),p=+(n[7]||0);if(l>23||p>59||e&&!u)return!1;if(a<=23&&i<=59&&s<60)return!0;let m=i-p*d,f=a-l*d-(m<0?1:0);return(f===23||f===-1)&&(m===59||m===-1)&&s<61},"time")}o(od,"getTime");function sd(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(sd,"compareTime");function vf(e,t){if(!(e&&t))return;let r=nd.exec(e),n=nd.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(vf,"compareIsoTime");var ad=/t|\s/i;function _f(e){let t=od(e);return o(function(n){let a=n.split(ad);return a.length===2&&wf(a[0])&&t(a[1])},"date_time")}o(_f,"getDateTime");function Rf(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(Rf,"compareDateTime");function bf(e,t){if(!(e&&t))return;let[r,n]=e.split(ad),[a,i]=t.split(ad),s=id(r,a);if(s!==void 0)return s||sd(n,i)}o(bf,"compareIsoDateTime");var JA=/\/|:/,YA=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function XA(e){return JA.test(e)&&YA.test(e)}o(XA,"uri");var yf=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function QA(e){return yf.lastIndex=0,yf.test(e)}o(QA,"byte");var ek=-(2**31),tk=2**31-1;function rk(e){return Number.isInteger(e)&&e<=tk&&e>=ek}o(rk,"validateInt32");function nk(e){return Number.isInteger(e)}o(nk,"validateInt64");function Sf(){return!0}o(Sf,"validateNumber");var ok=/[^\\]\\Z/;function ak(e){if(ok.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(ak,"regex")});var If=T(_n=>{"use strict";Object.defineProperty(_n,"__esModule",{value:!0});_n.formatLimitDefinition=void 0;var ik=rd(),ht=L(),lr=ht.operators,hi={formatMaximum:{okStr:"<=",ok:lr.LTE,fail:lr.GT},formatMinimum:{okStr:">=",ok:lr.GTE,fail:lr.LT},formatExclusiveMaximum:{okStr:"<",ok:lr.LT,fail:lr.GTE},formatExclusiveMinimum:{okStr:">",ok:lr.GT,fail:lr.LTE}},sk={message:o(({keyword:e,schemaCode:t})=>(0,ht.str)`should be ${hi[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ht._)`{comparison: ${hi[e].okStr}, limit: ${t}}`,"params")};_n.formatLimitDefinition={keyword:Object.keys(hi),type:"string",schemaType:"string",$data:!0,error:sk,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:i}=e,{opts:s,self:u}=i;if(!s.validateFormats)return;let d=new ik.KeywordCxt(i,u.RULES.all.format.definition,"format");d.$data?l():p();function l(){let f=t.scopeValue("formats",{ref:u.formats,code:s.code.formats}),_=t.const("fmt",(0,ht._)`${f}[${d.schemaCode}]`);e.fail$data((0,ht.or)((0,ht._)`typeof ${_} != "object"`,(0,ht._)`${_} instanceof RegExp`,(0,ht._)`typeof ${_}.compare != "function"`,m(_)))}o(l,"validate$DataFormat");function p(){let f=d.schema,_=u.formats[f];if(!_||_===!0)return;if(typeof _!="object"||_ instanceof RegExp||typeof _.compare!="function")throw new Error(`"${a}": format "${f}" does not define "compare" function`);let S=t.scopeValue("formats",{key:f,ref:_,code:s.code.formats?(0,ht._)`${s.code.formats}${(0,ht.getProperty)(f)}`:void 0});e.fail$data(m(S))}o(p,"validateFormat");function m(f){return(0,ht._)`${f}.compare(${r}, ${n}) ${hi[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var ck=o(e=>(e.addKeyword(_n.formatLimitDefinition),e),"formatLimitPlugin");_n.default=ck});var Pf=T((Oo,kf)=>{"use strict";Object.defineProperty(Oo,"__esModule",{value:!0});var yn=Cf(),uk=If(),cd=L(),Tf=new cd.Name("fullFormats"),dk=new cd.Name("fastFormats"),ud=o((e,t={keywords:!0})=>{if(Array.isArray(t))return Af(e,t,yn.fullFormats,Tf),e;let[r,n]=t.mode==="fast"?[yn.fastFormats,dk]:[yn.fullFormats,Tf],a=t.formats||yn.formatNames;return Af(e,a,r,n),t.keywords&&(0,uk.default)(e),e},"formatsPlugin");ud.get=(e,t="full")=>{let n=(t==="fast"?yn.fastFormats:yn.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function Af(e,t,r,n){var a,i;(a=(i=e.opts.code).formats)!==null&&a!==void 0||(i.formats=(0,cd._)`require("ajv-formats/dist/formats").${n}`);for(let s of t)e.addFormat(s,r[s])}o(Af,"addFormats");kf.exports=Oo=ud;Object.defineProperty(Oo,"__esModule",{value:!0});Oo.default=ud});Yw();function Jt(e){return!!e._zod}o(Jt,"isZ4Schema");function Me(e,t){return Jt(e)?Ds(e,t):e.safeParse(t)}o(Me,"safeParse");function Jr(e){if(!e)return;let t;if(Jt(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(Jr,"getObjectShape");function Ap(e){if(Jt(e)){let i=e._zod?.def;if(i){if(i.value!==void 0)return i.value;if(Array.isArray(i.values)&&i.values.length>0)return i.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(Ap,"getLiteralValue");Y();var Xt="2025-11-25",kp="2025-03-26",Qt=[Xt,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],er="io.modelcontextprotocol/related-task",Sa="2.0",we=Cp(e=>e!==null&&(typeof e=="object"||typeof e=="function")),Pp=se([h(),K().int()]),Ep=h(),wM=Se({ttl:K().optional(),pollInterval:K().optional()}),ev=C({ttl:K().optional()}),tv=C({taskId:h()}),Ls=Se({progressToken:Pp.optional(),[er]:tv.optional()}),Qe=C({_meta:Ls.optional()}),Fn=Qe.extend({task:ev.optional()}),xp=o(e=>Fn.safeParse(e).success,"isTaskAugmentedRequestParams"),Re=C({method:h(),params:Qe.loose().optional()}),et=C({_meta:Ls.optional()}),tt=C({method:h(),params:et.loose().optional()}),be=Se({_meta:Ls.optional()}),wa=se([h(),K().int()]),Op=C({jsonrpc:P(Sa),id:wa,...Re.shape}).strict(),St=o(e=>Op.safeParse(e).success,"isJSONRPCRequest"),Up=C({jsonrpc:P(Sa),...tt.shape}).strict(),zp=o(e=>Up.safeParse(e).success,"isJSONRPCNotification"),js=C({jsonrpc:P(Sa),id:wa,result:be}).strict(),ut=o(e=>js.safeParse(e).success,"isJSONRPCResultResponse");var k;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(k||(k={}));var Hs=C({jsonrpc:P(Sa),id:wa.optional(),error:C({code:K().int(),message:h(),data:he().optional()})}).strict();var Xr=o(e=>Hs.safeParse(e).success,"isJSONRPCErrorResponse");var wr=se([Op,Up,js,Hs]),vM=se([js,Hs]),zt=be.strict(),rv=et.extend({requestId:wa.optional(),reason:h().optional()}),va=tt.extend({method:P("notifications/cancelled"),params:rv}),nv=C({src:h(),mimeType:h().optional(),sizes:b(h()).optional(),theme:Xe(["light","dark"]).optional()}),Zn=C({icons:b(nv).optional()}),Yr=C({name:h(),title:h().optional()}),Qr=Yr.extend({...Yr.shape,...Zn.shape,version:h(),websiteUrl:h().optional(),description:h().optional()}),ov=qs(C({applyDefaults:ee().optional()}),ne(h(),he())),av=$s(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,qs(C({form:ov.optional(),url:we.optional()}),ne(h(),he()).optional())),iv=Se({list:we.optional(),cancel:we.optional(),requests:Se({sampling:Se({createMessage:we.optional()}).optional(),elicitation:Se({create:we.optional()}).optional()}).optional()}),sv=Se({list:we.optional(),cancel:we.optional(),requests:Se({tools:Se({call:we.optional()}).optional()}).optional()}),cv=C({experimental:ne(h(),we).optional(),sampling:C({context:we.optional(),tools:we.optional()}).optional(),elicitation:av.optional(),roots:C({listChanged:ee().optional()}).optional(),tasks:iv.optional(),extensions:ne(h(),we).optional()}),uv=Qe.extend({protocolVersion:h(),capabilities:cv,clientInfo:Qr}),Ra=Re.extend({method:P("initialize"),params:uv}),Gs=o(e=>Ra.safeParse(e).success,"isInitializeRequest"),dv=C({experimental:ne(h(),we).optional(),logging:we.optional(),completions:we.optional(),prompts:C({listChanged:ee().optional()}).optional(),resources:C({subscribe:ee().optional(),listChanged:ee().optional()}).optional(),tools:C({listChanged:ee().optional()}).optional(),tasks:sv.optional(),extensions:ne(h(),we).optional()}),Bs=be.extend({protocolVersion:h(),capabilities:dv,serverInfo:Qr,instructions:h().optional()}),ba=tt.extend({method:P("notifications/initialized"),params:et.optional()}),Np=o(e=>ba.safeParse(e).success,"isInitializedNotification"),Ca=Re.extend({method:P("ping"),params:Qe.optional()}),lv=C({progress:K(),total:pe(K()),message:pe(h())}),pv=C({...et.shape,...lv.shape,progressToken:Pp}),Ia=tt.extend({method:P("notifications/progress"),params:pv}),mv=Qe.extend({cursor:Ep.optional()}),Kn=Re.extend({params:mv.optional()}),Wn=be.extend({nextCursor:Ep.optional()}),hv=Xe(["working","input_required","completed","failed","cancelled"]),Jn=C({taskId:h(),status:hv,ttl:se([K(),Rp()]),createdAt:h(),lastUpdatedAt:h(),pollInterval:pe(K()),statusMessage:pe(h())}),Nt=be.extend({task:Jn}),fv=et.merge(Jn),Yn=tt.extend({method:P("notifications/tasks/status"),params:fv}),Ta=Re.extend({method:P("tasks/get"),params:Qe.extend({taskId:h()})}),Aa=be.merge(Jn),ka=Re.extend({method:P("tasks/result"),params:Qe.extend({taskId:h()})}),RM=be.loose(),Pa=Kn.extend({method:P("tasks/list")}),Ea=Wn.extend({tasks:b(Jn)}),xa=Re.extend({method:P("tasks/cancel"),params:Qe.extend({taskId:h()})}),Dp=be.merge(Jn),Mp=C({uri:h(),mimeType:pe(h()),_meta:ne(h(),he()).optional()}),qp=Mp.extend({text:h()}),Vs=h().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),$p=Mp.extend({blob:Vs}),Xn=Xe(["user","assistant"]),en=C({audience:b(Xn).optional(),priority:K().min(0).max(1).optional(),lastModified:wp.datetime({offset:!0}).optional()}),Lp=C({...Yr.shape,...Zn.shape,uri:h(),description:pe(h()),mimeType:pe(h()),size:pe(K()),annotations:en.optional(),_meta:pe(Se({}))}),gv=C({...Yr.shape,...Zn.shape,uriTemplate:h(),description:pe(h()),mimeType:pe(h()),annotations:en.optional(),_meta:pe(Se({}))}),Fs=Kn.extend({method:P("resources/list")}),Zs=Wn.extend({resources:b(Lp)}),_v=Kn.extend({method:P("resources/templates/list")}),Ks=Wn.extend({resourceTemplates:b(gv)}),Ws=Qe.extend({uri:h()}),yv=Ws,Js=Re.extend({method:P("resources/read"),params:yv}),Ys=be.extend({contents:b(se([qp,$p]))}),Xs=tt.extend({method:P("notifications/resources/list_changed"),params:et.optional()}),Sv=Ws,wv=Re.extend({method:P("resources/subscribe"),params:Sv}),vv=Ws,Rv=Re.extend({method:P("resources/unsubscribe"),params:vv}),bv=et.extend({uri:h()}),Cv=tt.extend({method:P("notifications/resources/updated"),params:bv}),Iv=C({name:h(),description:pe(h()),required:pe(ee())}),Tv=C({...Yr.shape,...Zn.shape,description:pe(h()),arguments:pe(b(Iv)),_meta:pe(Se({}))}),Qs=Kn.extend({method:P("prompts/list")}),ec=Wn.extend({prompts:b(Tv)}),Av=Qe.extend({name:h(),arguments:ne(h(),h()).optional()}),tc=Re.extend({method:P("prompts/get"),params:Av}),rc=C({type:P("text"),text:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),nc=C({type:P("image"),data:Vs,mimeType:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),oc=C({type:P("audio"),data:Vs,mimeType:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),kv=C({type:P("tool_use"),name:h(),id:h(),input:ne(h(),he()),_meta:ne(h(),he()).optional()}),Pv=C({type:P("resource"),resource:se([qp,$p]),annotations:en.optional(),_meta:ne(h(),he()).optional()}),Ev=Lp.extend({type:P("resource_link")}),ac=se([rc,nc,oc,Ev,Pv]),xv=C({role:Xn,content:ac}),ic=be.extend({description:h().optional(),messages:b(xv)}),sc=tt.extend({method:P("notifications/prompts/list_changed"),params:et.optional()}),Ov=C({title:h().optional(),readOnlyHint:ee().optional(),destructiveHint:ee().optional(),idempotentHint:ee().optional(),openWorldHint:ee().optional()}),Uv=C({taskSupport:Xe(["required","optional","forbidden"]).optional()}),jp=C({...Yr.shape,...Zn.shape,description:h().optional(),inputSchema:C({type:P("object"),properties:ne(h(),we).optional(),required:b(h()).optional()}).catchall(he()),outputSchema:C({type:P("object"),properties:ne(h(),we).optional(),required:b(h()).optional()}).catchall(he()).optional(),annotations:Ov.optional(),execution:Uv.optional(),_meta:ne(h(),he()).optional()}),cc=Kn.extend({method:P("tools/list")}),uc=Wn.extend({tools:b(jp)}),tr=be.extend({content:b(ac).default([]),structuredContent:ne(h(),he()).optional(),isError:ee().optional()}),bM=tr.or(be.extend({toolResult:he()})),zv=Fn.extend({name:h(),arguments:ne(h(),he()).optional()}),Qn=Re.extend({method:P("tools/call"),params:zv}),dc=tt.extend({method:P("notifications/tools/list_changed"),params:et.optional()}),Hp=C({autoRefresh:ee().default(!0),debounceMs:K().int().nonnegative().default(300)}),eo=Xe(["debug","info","notice","warning","error","critical","alert","emergency"]),Nv=Qe.extend({level:eo}),lc=Re.extend({method:P("logging/setLevel"),params:Nv}),Dv=et.extend({level:eo,logger:h().optional(),data:he()}),Mv=tt.extend({method:P("notifications/message"),params:Dv}),qv=C({name:h().optional()}),$v=C({hints:b(qv).optional(),costPriority:K().min(0).max(1).optional(),speedPriority:K().min(0).max(1).optional(),intelligencePriority:K().min(0).max(1).optional()}),Lv=C({mode:Xe(["auto","required","none"]).optional()}),jv=C({type:P("tool_result"),toolUseId:h().describe("The unique identifier for the corresponding tool call."),content:b(ac).default([]),structuredContent:C({}).loose().optional(),isError:ee().optional(),_meta:ne(h(),he()).optional()}),Hv=Ms("type",[rc,nc,oc]),ya=Ms("type",[rc,nc,oc,kv,jv]),Gv=C({role:Xn,content:se([ya,b(ya)]),_meta:ne(h(),he()).optional()}),Bv=Fn.extend({messages:b(Gv),modelPreferences:$v.optional(),systemPrompt:h().optional(),includeContext:Xe(["none","thisServer","allServers"]).optional(),temperature:K().optional(),maxTokens:K().int(),stopSequences:b(h()).optional(),metadata:we.optional(),tools:b(jp).optional(),toolChoice:Lv.optional()}),pc=Re.extend({method:P("sampling/createMessage"),params:Bv}),vr=be.extend({model:h(),stopReason:pe(Xe(["endTurn","stopSequence","maxTokens"]).or(h())),role:Xn,content:Hv}),to=be.extend({model:h(),stopReason:pe(Xe(["endTurn","stopSequence","maxTokens","toolUse"]).or(h())),role:Xn,content:se([ya,b(ya)])}),Vv=C({type:P("boolean"),title:h().optional(),description:h().optional(),default:ee().optional()}),Fv=C({type:P("string"),title:h().optional(),description:h().optional(),minLength:K().optional(),maxLength:K().optional(),format:Xe(["email","uri","date","date-time"]).optional(),default:h().optional()}),Zv=C({type:Xe(["number","integer"]),title:h().optional(),description:h().optional(),minimum:K().optional(),maximum:K().optional(),default:K().optional()}),Kv=C({type:P("string"),title:h().optional(),description:h().optional(),enum:b(h()),default:h().optional()}),Wv=C({type:P("string"),title:h().optional(),description:h().optional(),oneOf:b(C({const:h(),title:h()})),default:h().optional()}),Jv=C({type:P("string"),title:h().optional(),description:h().optional(),enum:b(h()),enumNames:b(h()).optional(),default:h().optional()}),Yv=se([Kv,Wv]),Xv=C({type:P("array"),title:h().optional(),description:h().optional(),minItems:K().optional(),maxItems:K().optional(),items:C({type:P("string"),enum:b(h())}),default:b(h()).optional()}),Qv=C({type:P("array"),title:h().optional(),description:h().optional(),minItems:K().optional(),maxItems:K().optional(),items:C({anyOf:b(C({const:h(),title:h()}))}),default:b(h()).optional()}),eR=se([Xv,Qv]),tR=se([Jv,Yv,eR]),rR=se([tR,Vv,Fv,Zv]),nR=Fn.extend({mode:P("form").optional(),message:h(),requestedSchema:C({type:P("object"),properties:ne(h(),rR),required:b(h()).optional()})}),oR=Fn.extend({mode:P("url"),message:h(),elicitationId:h(),url:h().url()}),aR=se([nR,oR]),mc=Re.extend({method:P("elicitation/create"),params:aR}),iR=et.extend({elicitationId:h()}),sR=tt.extend({method:P("notifications/elicitation/complete"),params:iR}),rr=be.extend({action:Xe(["accept","decline","cancel"]),content:$s(e=>e===null?void 0:e,ne(h(),se([h(),K(),ee(),b(h())])).optional())}),cR=C({type:P("ref/resource"),uri:h()});var uR=C({type:P("ref/prompt"),name:h()}),dR=Qe.extend({ref:se([uR,cR]),argument:C({name:h(),value:h()}),context:C({arguments:ne(h(),h()).optional()}).optional()}),lR=Re.extend({method:P("completion/complete"),params:dR});var hc=be.extend({completion:Se({values:b(h()).max(100),total:pe(K().int()),hasMore:pe(ee())})}),pR=C({uri:h().startsWith("file://"),name:h().optional(),_meta:ne(h(),he()).optional()}),mR=Re.extend({method:P("roots/list"),params:Qe.optional()}),fc=be.extend({roots:b(pR)}),hR=tt.extend({method:P("notifications/roots/list_changed"),params:et.optional()}),CM=se([Ca,Ra,lR,lc,tc,Qs,Fs,_v,Js,wv,Rv,Qn,cc,Ta,ka,Pa,xa]),IM=se([va,Ia,ba,hR,Yn]),TM=se([zt,vr,to,rr,fc,Aa,Ea,Nt]),AM=se([Ca,pc,mc,mR,Ta,ka,Pa,xa]),kM=se([va,Ia,Mv,Cv,Xs,dc,sc,Yn,sR]),PM=se([zt,Bs,hc,ic,ec,Zs,Ks,Ys,tr,uc,Aa,Ea,Nt]),A=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===k.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new Yt(a.elicitations,r)}return new e(t,r,n)}},Yt=class extends A{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(k.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};function nr(e){return e==="completed"||e==="failed"||e==="cancelled"}o(nr,"isTerminal");var fR=Symbol("Let zodToJsonSchema decide on which parser to use");var Tq=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function gc(e){let r=Jr(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=Ap(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(gc,"getMethodLiteral");function _c(e,t){let r=Me(e,t);if(!r.success)throw r.error;return r.data}o(_c,"parseWithCompat");var vR=6e4,tn=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(va,r=>{this._oncancel(r)}),this.setNotificationHandler(Ia,r=>{this._onprogress(r)}),this.setRequestHandler(Ca,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(Ta,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(k.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(ka,async(r,n)=>{let a=o(async()=>{let i=r.params.taskId;if(this._taskMessageQueue){let u;for(;u=await this._taskMessageQueue.dequeue(i,n.sessionId);){if(u.type==="response"||u.type==="error"){let d=u.message,l=d.id,p=this._requestResolvers.get(l);if(p)if(this._requestResolvers.delete(l),u.type==="response")p(d);else{let m=d,f=new A(m.error.code,m.error.message,m.error.data);p(f)}else{let m=u.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${l}`))}continue}await this._transport?.send(u.message,{relatedRequestId:n.requestId})}}let s=await this._taskStore.getTask(i,n.sessionId);if(!s)throw new A(k.InvalidParams,`Task not found: ${i}`);if(!nr(s.status))return await this._waitForTaskUpdate(i,n.signal),await a();if(nr(s.status)){let u=await this._taskStore.getTaskResult(i,n.sessionId);return this._clearTaskQueue(i),{...u,_meta:{...u._meta,[er]:{taskId:i}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(Pa,async(r,n)=>{try{let{tasks:a,nextCursor:i}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:i,_meta:{}}}catch(a){throw new A(k.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(xa,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(k.InvalidParams,`Task not found: ${r.params.taskId}`);if(nr(a.status))throw new A(k.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let i=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!i)throw new A(k.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...i}}catch(a){throw a instanceof A?a:new A(k.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,i=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:i,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),A.fromError(k.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=i=>{n?.(i),this._onerror(i)};let a=this._transport?.onmessage;this._transport.onmessage=(i,s)=>{a?.(i,s),ut(i)||Xr(i)?this._onresponse(i):St(i)?this._onrequest(i,s):zp(i)?this._onnotification(i):this._onerror(new Error(`Unknown message type: ${JSON.stringify(i)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=A.fromError(k.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,i=t.params?._meta?.[er]?.taskId;if(n===void 0){let p={jsonrpc:"2.0",id:t.id,error:{code:k.MethodNotFound,message:"Method not found"}};i&&this._taskMessageQueue?this._enqueueTaskMessage(i,{type:"error",message:p,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(p).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let s=new AbortController;this._requestHandlerAbortControllers.set(t.id,s);let u=xp(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,l={signal:s.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async p=>{if(s.signal.aborted)return;let m={relatedRequestId:t.id};i&&(m.relatedTask={taskId:i}),await this.notification(p,m)},"sendNotification"),sendRequest:o(async(p,m,f)=>{if(s.signal.aborted)throw new A(k.ConnectionClosed,"Request was cancelled");let _={...f,relatedRequestId:t.id};i&&!_.relatedTask&&(_.relatedTask={taskId:i});let S=_.relatedTask?.taskId??i;return S&&d&&await d.updateTaskStatus(S,"input_required"),await this.request(p,m,_)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:i,taskStore:d,taskRequestedTtl:u?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{u&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,l)).then(async p=>{if(s.signal.aborted)return;let m={result:p,jsonrpc:"2.0",id:t.id};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async p=>{if(s.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(p.code)?p.code:k.InternalError,message:p.message??"Internal error",...p.data!==void 0&&{data:p.data}}};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(p=>this._onerror(new Error(`Failed to send response: ${p}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===s&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),i=this._progressHandlers.get(a);if(!i){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let s=this._responseHandlers.get(a),u=this._timeoutInfo.get(a);if(u&&s&&u.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),s(d);return}i(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),ut(t))n(t);else{let s=new A(t.error.code,t.error.message,t.error.data);n(s)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let i=!1;if(ut(t)&&t.result&&typeof t.result=="object"){let s=t.result;if(s.task&&typeof s.task=="object"){let u=s.task;typeof u.taskId=="string"&&(i=!0,this._taskProgressTokens.set(u.taskId,r))}}if(i||this._progressHandlers.delete(r),ut(t))a(t);else{let s=A.fromError(t.error.code,t.error.message,t.error.data);a(s)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(s){yield{type:"error",error:s instanceof A?s:new A(k.InternalError,String(s))}}return}let i;try{let s=await this.request(t,Nt,n);if(s.task)i=s.task.taskId,yield{type:"taskCreated",task:s.task};else throw new A(k.InternalError,"Task creation did not return a task");for(;;){let u=await this.getTask({taskId:i},n);if(yield{type:"taskStatus",task:u},nr(u.status)){u.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)}:u.status==="failed"?yield{type:"error",error:new A(k.InternalError,`Task ${i} failed`)}:u.status==="cancelled"&&(yield{type:"error",error:new A(k.InternalError,`Task ${i} was cancelled`)});return}if(u.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)};return}let d=u.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(l=>setTimeout(l,d)),n?.signal?.throwIfAborted()}}catch(s){yield{type:"error",error:s instanceof A?s:new A(k.InternalError,String(s))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s,task:u,relatedTask:d}=n??{};return new Promise((l,p)=>{let m=o(R=>{p(R)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),u&&this.assertTaskCapability(t.method)}catch(R){m(R);return}n?.signal?.throwIfAborted();let f=this._requestMessageId++,_={...t,jsonrpc:"2.0",id:f};n?.onprogress&&(this._progressHandlers.set(f,n.onprogress),_.params={...t.params,_meta:{...t.params?._meta||{},progressToken:f}}),u&&(_.params={..._.params,task:u}),d&&(_.params={..._.params,_meta:{..._.params?._meta||{},[er]:d}});let S=o(R=>{this._responseHandlers.delete(f),this._progressHandlers.delete(f),this._cleanupTimeout(f),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:f,reason:String(R)}},{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(N=>this._onerror(new Error(`Failed to send cancellation: ${N}`)));let I=R instanceof A?R:new A(k.RequestTimeout,String(R));p(I)},"cancel");this._responseHandlers.set(f,R=>{if(!n?.signal?.aborted){if(R instanceof Error)return p(R);try{let I=Me(r,R.result);I.success?l(I.data):p(I.error)}catch(I){p(I)}}}),n?.signal?.addEventListener("abort",()=>{S(n?.signal?.reason)});let y=n?.timeout??vR,w=o(()=>S(A.fromError(k.RequestTimeout,"Request timed out",{timeout:y})),"timeoutHandler");this._setupTimeout(f,y,n?.maxTotalTimeout,w,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let R=o(I=>{let N=this._responseHandlers.get(f);N?N(I):this._onerror(new Error(`Response handler missing for side-channeled request ${f}`))},"responseResolver");this._requestResolvers.set(f,R),this._enqueueTaskMessage(v,{type:"request",message:_,timestamp:Date.now()}).catch(I=>{this._cleanupTimeout(f),p(I)})}else this._transport.send(_,{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(R=>{this._cleanupTimeout(f),p(R)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},Aa,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},Ea,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},Dp,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let u={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[er]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:u,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let u={...t,jsonrpc:"2.0"};r?.relatedTask&&(u={...u,params:{...u.params,_meta:{...u.params?._meta||{},[er]:r.relatedTask}}}),this._transport?.send(u,r).catch(d=>this._onerror(d))});return}let s={...t,jsonrpc:"2.0"};r?.relatedTask&&(s={...s,params:{...s.params,_meta:{...s.params?._meta||{},[er]:r.relatedTask}}}),await this._transport.send(s,r)}setRequestHandler(t,r){let n=gc(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,i)=>{let s=_c(t,a);return Promise.resolve(r(s,i))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=gc(t);this._notificationHandlers.set(n,a=>{let i=_c(t,a);return Promise.resolve(r(i))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&St(a.message)){let i=a.message.id,s=this._requestResolvers.get(i);s?(s(new A(k.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(i)):this._onerror(new Error(`Resolver missing for request ${i} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,i)=>{if(r.aborted){i(new A(k.InvalidRequest,"Request cancelled"));return}let s=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(s),i(new A(k.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let i=await n.getTask(a,r);if(!i)throw new A(k.InvalidParams,"Failed to retrieve task: Task not found");return i},"getTask"),storeTaskResult:o(async(a,i,s)=>{await n.storeTaskResult(a,i,s,r);let u=await n.getTask(a,r);if(u){let d=Yn.parse({method:"notifications/tasks/status",params:u});await this.notification(d),nr(u.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,i,s)=>{let u=await n.getTask(a,r);if(!u)throw new A(k.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(nr(u.status))throw new A(k.InvalidParams,`Cannot update task "${a}" from terminal status "${u.status}" to "${i}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,i,s,r);let d=await n.getTask(a,r);if(d){let l=Yn.parse({method:"notifications/tasks/status",params:d});await this.notification(l),nr(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function Gp(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(Gp,"isPlainObject");function Oa(e,t){let r={...e};for(let n in t){let a=n,i=t[a];if(i===void 0)continue;let s=r[a];Gp(s)&&Gp(i)?r[a]={...s,...i}:r[a]=i}return r}o(Oa,"mergeCapabilities");var Ef=fp(rd(),1),xf=fp(Pf(),1);function lk(){let e=new Ef.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,xf.default)(e),e}o(lk,"createDefaultAjvInstance");var Sn=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??lk()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var fi=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],i=Array.isArray(a.content)?a.content:[a.content],s=i.some(p=>p.type==="tool_result"),u=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=u?Array.isArray(u.content)?u.content:[u.content]:[],l=d.some(p=>p.type==="tool_use");if(s){if(i.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!l)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(l){let p=new Set(d.filter(f=>f.type==="tool_use").map(f=>f.id)),m=new Set(i.filter(f=>f.type==="tool_result").map(f=>f.toolUseId));if(p.size!==m.size||![...p].every(f=>m.has(f)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},vr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let i=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:i},rr,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function gi(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(gi,"assertToolsCallTaskCapability");function _i(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(_i,"assertClientRequestTaskCapability");var yi=class extends tn{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(eo.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let i=this._loggingLevels.get(a);return i?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(i):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new Sn,this.setRequestHandler(Ra,n=>this._oninitialize(n)),this.setNotificationHandler(ba,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(lc,async(n,a)=>{let i=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:s}=n.params,u=eo.safeParse(s);return u.success&&this._loggingLevels.set(i,u.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new fi(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Oa(this._capabilities,t)}setRequestHandler(t,r){let a=Jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(Jt(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");if(i==="tools/call"){let u=o(async(d,l)=>{let p=Me(Qn,d);if(!p.success){let S=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid tools/call request: ${S}`)}let{params:m}=p.data,f=await Promise.resolve(r(d,l));if(m.task){let S=Me(Nt,f);if(!S.success){let y=S.error instanceof Error?S.error.message:String(S.error);throw new A(k.InvalidParams,`Invalid task creation result: ${y}`)}return S.data}let _=Me(tr,f);if(!_.success){let S=_.error instanceof Error?_.error.message:String(_.error);throw new A(k.InvalidParams,`Invalid tools/call result: ${S}`)}return _.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){_i(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&gi(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:Qt.includes(r)?r:Xt,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},zt)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],i=a.some(l=>l.type==="tool_result"),s=t.messages.length>1?t.messages[t.messages.length-2]:void 0,u=s?Array.isArray(s.content)?s.content:[s.content]:[],d=u.some(l=>l.type==="tool_use");if(i){if(a.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let l=new Set(u.filter(m=>m.type==="tool_use").map(m=>m.id)),p=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(l.size!==p.size||![...l].every(m=>p.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},to,r):this.request({method:"sampling/createMessage",params:t},vr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},rr,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},i=await this.request({method:"elicitation/create",params:a},rr,r);if(i.action==="accept"&&i.content&&a.requestedSchema)try{let u=this._jsonSchemaValidator.getValidator(a.requestedSchema)(i.content);if(!u.valid)throw new A(k.InvalidParams,`Elicitation response content does not match requested schema: ${u.errorMessage}`)}catch(s){throw s instanceof A?s:new A(k.InternalError,`Error validating elicitation response: ${s instanceof Error?s.message:String(s)}`)}return i}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},fc,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var Si=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let i={code:r,message:n};return a?.data!==void 0&&(i.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:i,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let i=await this._eventStore.storeEvent(n,{}),s=`id: ${i}
+    deps: ${r}}`,"params")};var OA={keyword:"dependencies",type:"object",schemaType:"object",error:Nt.error,code(e){let[t,r]=UA(e);Af(e,t),kf(e,r)}};function UA({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(UA,"splitDependencies");function Af(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let i=r.let("missing");for(let s in t){let u=t[s];if(u.length===0)continue;let d=(0,ta.propertyInData)(r,n,s,a.opts.ownProperties);e.setParams({property:s,depsCount:u.length,deps:u.join(", ")}),a.allErrors?r.if(d,()=>{for(let p of u)(0,ta.checkReportMissingProp)(e,p)}):(r.if((0,yd._)`${d} && (${(0,ta.checkMissingProp)(e,u,i)})`),(0,ta.reportMissingProp)(e,i),r.else())}}o(Af,"validatePropertyDeps");Nt.validatePropertyDeps=Af;function kf(e,t=e.schema){let{gen:r,data:n,keyword:a,it:i}=e,s=r.name("valid");for(let u in t)(0,PA.alwaysValidSchema)(i,t[u])||(r.if((0,ta.propertyInData)(r,n,u,i.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:u},s);e.mergeValidEvaluated(d,s)},()=>r.var(s,!0)),e.ok(s))}o(kf,"validateSchemaDeps");Nt.validateSchemaDeps=kf;Nt.default=OA});var Pf=A(wd=>{"use strict";Object.defineProperty(wd,"__esModule",{value:!0});var xf=Z(),NA=oe(),zA={message:"property name must be valid",params:o(({params:e})=>(0,xf._)`{propertyName: ${e.propertyName}}`,"params")},$A={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:zA,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,NA.alwaysValidSchema)(a,r))return;let i=t.name("valid");t.forIn("key",n,s=>{e.setParams({propertyName:s}),e.subschema({keyword:"propertyNames",data:s,dataTypes:["string"],propertyName:s,compositeRule:!0},i),t.if((0,xf.not)(i),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(i)}};wd.default=$A});var vd=A(Sd=>{"use strict";Object.defineProperty(Sd,"__esModule",{value:!0});var Mi=mt(),Ct=Z(),DA=Xt(),qi=oe(),MA={message:"must NOT have additional properties",params:o(({params:e})=>(0,Ct._)`{additionalProperty: ${e.additionalProperty}}`,"params")},qA={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:MA,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:i,it:s}=e;if(!i)throw new Error("ajv implementation error");let{allErrors:u,opts:d}=s;if(s.props=!0,d.removeAdditional!=="all"&&(0,qi.alwaysValidSchema)(s,r))return;let p=(0,Mi.allSchemaProperties)(n.properties),l=(0,Mi.allSchemaProperties)(n.patternProperties);m(),e.ok((0,Ct._)`${i} === ${DA.default.errors}`);function m(){t.forIn("key",a,S=>{!p.length&&!l.length?w(S):t.if(f(S),()=>w(S))})}o(m,"checkAdditionalProperties");function f(S){let v;if(p.length>8){let R=(0,qi.schemaRefOrVal)(s,n.properties,"properties");v=(0,Mi.isOwnProperty)(t,R,S)}else p.length?v=(0,Ct.or)(...p.map(R=>(0,Ct._)`${S} === ${R}`)):v=Ct.nil;return l.length&&(v=(0,Ct.or)(v,...l.map(R=>(0,Ct._)`${(0,Mi.usePattern)(e,R)}.test(${S})`))),(0,Ct.not)(v)}o(f,"isAdditional");function _(S){t.code((0,Ct._)`delete ${a}[${S}]`)}o(_,"deleteAdditional");function w(S){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){_(S);return}if(r===!1){e.setParams({additionalProperty:S}),e.error(),u||t.break();return}if(typeof r=="object"&&!(0,qi.alwaysValidSchema)(s,r)){let v=t.name("valid");d.removeAdditional==="failing"?(y(S,v,!1),t.if((0,Ct.not)(v),()=>{e.reset(),_(S)})):(y(S,v),u||t.if((0,Ct.not)(v),()=>t.break()))}}o(w,"additionalPropertyCode");function y(S,v,R){let b={keyword:"additionalProperties",dataProp:S,dataPropType:qi.Type.Str};R===!1&&Object.assign(b,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(b,v)}o(y,"applyAdditionalSchema")}};Sd.default=qA});var Nf=A(bd=>{"use strict";Object.defineProperty(bd,"__esModule",{value:!0});var LA=jo(),Of=mt(),Rd=oe(),Uf=vd(),jA={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e;i.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&Uf.default.code(new LA.KeywordCxt(i,Uf.default,"additionalProperties"));let s=(0,Of.allSchemaProperties)(r);for(let m of s)i.definedProperties.add(m);i.opts.unevaluated&&s.length&&i.props!==!0&&(i.props=Rd.mergeEvaluated.props(t,(0,Rd.toHash)(s),i.props));let u=s.filter(m=>!(0,Rd.alwaysValidSchema)(i,r[m]));if(u.length===0)return;let d=t.name("valid");for(let m of u)p(m)?l(m):(t.if((0,Of.propertyInData)(t,a,m,i.opts.ownProperties)),l(m),i.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function p(m){return i.opts.useDefaults&&!i.compositeRule&&r[m].default!==void 0}o(p,"hasDefault");function l(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(l,"applyPropertySchema")}};bd.default=jA});var Mf=A(Cd=>{"use strict";Object.defineProperty(Cd,"__esModule",{value:!0});var zf=mt(),Li=Z(),$f=oe(),Df=oe(),HA={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:i}=e,{opts:s}=i,u=(0,zf.allSchemaProperties)(r),d=u.filter(y=>(0,$f.alwaysValidSchema)(i,r[y]));if(u.length===0||d.length===u.length&&(!i.opts.unevaluated||i.props===!0))return;let p=s.strictSchema&&!s.allowMatchingProperties&&a.properties,l=t.name("valid");i.props!==!0&&!(i.props instanceof Li.Name)&&(i.props=(0,Df.evaluatedPropsToName)(t,i.props));let{props:m}=i;f();function f(){for(let y of u)p&&_(y),i.allErrors?w(y):(t.var(l,!0),w(y),t.if(l))}o(f,"validatePatternProperties");function _(y){for(let S in p)new RegExp(y).test(S)&&(0,$f.checkStrictMode)(i,`property ${S} matches pattern ${y} (use allowMatchingProperties)`)}o(_,"checkMatchingProperties");function w(y){t.forIn("key",n,S=>{t.if((0,Li._)`${(0,zf.usePattern)(e,y)}.test(${S})`,()=>{let v=d.includes(y);v||e.subschema({keyword:"patternProperties",schemaProp:y,dataProp:S,dataPropType:Df.Type.Str},l),i.opts.unevaluated&&m!==!0?t.assign((0,Li._)`${m}[${S}]`,!0):!v&&!i.allErrors&&t.if((0,Li.not)(l),()=>t.break())})})}o(w,"validateProperties")}};Cd.default=HA});var qf=A(Id=>{"use strict";Object.defineProperty(Id,"__esModule",{value:!0});var GA=oe(),BA={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,GA.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Id.default=BA});var Lf=A(Td=>{"use strict";Object.defineProperty(Td,"__esModule",{value:!0});var FA=mt(),VA={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:FA.validateUnion,error:{message:"must match a schema in anyOf"}};Td.default=VA});var jf=A(Ad=>{"use strict";Object.defineProperty(Ad,"__esModule",{value:!0});var ji=Z(),KA=oe(),ZA={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,ji._)`{passingSchemas: ${e.passing}}`,"params")},WA={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:ZA,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let i=r,s=t.let("valid",!1),u=t.let("passing",null),d=t.name("_valid");e.setParams({passing:u}),t.block(p),e.result(s,()=>e.reset(),()=>e.error(!0));function p(){i.forEach((l,m)=>{let f;(0,KA.alwaysValidSchema)(a,l)?t.var(d,!0):f=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,ji._)`${d} && ${s}`).assign(s,!1).assign(u,(0,ji._)`[${u}, ${m}]`).else(),t.if(d,()=>{t.assign(s,!0),t.assign(u,m),f&&e.mergeEvaluated(f,ji.Name)})})}o(p,"validateOneOf")}};Ad.default=WA});var Hf=A(kd=>{"use strict";Object.defineProperty(kd,"__esModule",{value:!0});var JA=oe(),YA={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((i,s)=>{if((0,JA.alwaysValidSchema)(n,i))return;let u=e.subschema({keyword:"allOf",schemaProp:s},a);e.ok(a),e.mergeEvaluated(u)})}};kd.default=YA});var Ff=A(Ed=>{"use strict";Object.defineProperty(Ed,"__esModule",{value:!0});var Hi=Z(),Bf=oe(),XA={message:o(({params:e})=>(0,Hi.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,Hi._)`{failingKeyword: ${e.ifClause}}`,"params")},QA={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:XA,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,Bf.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=Gf(n,"then"),i=Gf(n,"else");if(!a&&!i)return;let s=t.let("valid",!0),u=t.name("_valid");if(d(),e.reset(),a&&i){let l=t.let("ifClause");e.setParams({ifClause:l}),t.if(u,p("then",l),p("else",l))}else a?t.if(u,p("then")):t.if((0,Hi.not)(u),p("else"));e.pass(s,()=>e.error(!0));function d(){let l=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},u);e.mergeEvaluated(l)}o(d,"validateIf");function p(l,m){return()=>{let f=e.subschema({keyword:l},u);t.assign(s,u),e.mergeValidEvaluated(f,s),m?t.assign(m,(0,Hi._)`${l}`):e.setParams({ifClause:l})}}o(p,"validateClause")}};function Gf(e,t){let r=e.schema[t];return r!==void 0&&!(0,Bf.alwaysValidSchema)(e,r)}o(Gf,"hasSchema");Ed.default=QA});var Vf=A(xd=>{"use strict";Object.defineProperty(xd,"__esModule",{value:!0});var ek=oe(),tk={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,ek.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};xd.default=tk});var Kf=A(Pd=>{"use strict";Object.defineProperty(Pd,"__esModule",{value:!0});var rk=md(),nk=bf(),ok=hd(),ak=If(),ik=Tf(),sk=Ef(),ck=Pf(),uk=vd(),dk=Nf(),lk=Mf(),pk=qf(),mk=Lf(),hk=jf(),fk=Hf(),gk=Ff(),_k=Vf();function yk(e=!1){let t=[pk.default,mk.default,hk.default,fk.default,gk.default,_k.default,ck.default,uk.default,sk.default,dk.default,lk.default];return e?t.push(nk.default,ak.default):t.push(rk.default,ok.default),t.push(ik.default),t}o(yk,"getApplicator");Pd.default=yk});var Zf=A(Od=>{"use strict";Object.defineProperty(Od,"__esModule",{value:!0});var be=Z(),wk={message:o(({schemaCode:e})=>(0,be.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,be._)`{format: ${e}}`,"params")},Sk={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:wk,code(e,t){let{gen:r,data:n,$data:a,schema:i,schemaCode:s,it:u}=e,{opts:d,errSchemaPath:p,schemaEnv:l,self:m}=u;if(!d.validateFormats)return;a?f():_();function f(){let w=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),y=r.const("fDef",(0,be._)`${w}[${s}]`),S=r.let("fType"),v=r.let("format");r.if((0,be._)`typeof ${y} == "object" && !(${y} instanceof RegExp)`,()=>r.assign(S,(0,be._)`${y}.type || "string"`).assign(v,(0,be._)`${y}.validate`),()=>r.assign(S,(0,be._)`"string"`).assign(v,y)),e.fail$data((0,be.or)(R(),b()));function R(){return d.strictSchema===!1?be.nil:(0,be._)`${s} && !${v}`}o(R,"unknownFmt");function b(){let q=l.$async?(0,be._)`(${y}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,be._)`${v}(${n})`,L=(0,be._)`(typeof ${v} == "function" ? ${q} : ${v}.test(${n}))`;return(0,be._)`${v} && ${v} !== true && ${S} === ${t} && !${L}`}o(b,"invalidFmt")}o(f,"validate$DataFormat");function _(){let w=m.formats[i];if(!w){R();return}if(w===!0)return;let[y,S,v]=b(w);y===t&&e.pass(q());function R(){if(d.strictSchema===!1){m.logger.warn(L());return}throw new Error(L());function L(){return`unknown format "${i}" ignored in schema at path "${p}"`}}o(R,"unknownFormat");function b(L){let je=L instanceof RegExp?(0,be.regexpCode)(L):d.code.formats?(0,be._)`${d.code.formats}${(0,be.getProperty)(i)}`:void 0,ut=r.scopeValue("formats",{key:i,ref:L,code:je});return typeof L=="object"&&!(L instanceof RegExp)?[L.type||"string",L.validate,(0,be._)`${ut}.validate`]:["string",L,ut]}o(b,"getFormat");function q(){if(typeof w=="object"&&!(w instanceof RegExp)&&w.async){if(!l.$async)throw new Error("async format in sync schema");return(0,be._)`await ${v}(${n})`}return typeof S=="function"?(0,be._)`${v}(${n})`:(0,be._)`${v}.test(${n})`}o(q,"validCondition")}o(_,"validateFormat")}};Od.default=Sk});var Wf=A(Ud=>{"use strict";Object.defineProperty(Ud,"__esModule",{value:!0});var vk=Zf(),Rk=[vk.default];Ud.default=Rk});var Jf=A(On=>{"use strict";Object.defineProperty(On,"__esModule",{value:!0});On.contentVocabulary=On.metadataVocabulary=void 0;On.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];On.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var Xf=A(Nd=>{"use strict";Object.defineProperty(Nd,"__esModule",{value:!0});var bk=of(),Ck=wf(),Ik=Kf(),Tk=Wf(),Yf=Jf(),Ak=[bk.default,Ck.default,(0,Ik.default)(),Tk.default,Yf.metadataVocabulary,Yf.contentVocabulary];Nd.default=Ak});var eg=A(Gi=>{"use strict";Object.defineProperty(Gi,"__esModule",{value:!0});Gi.DiscrError=void 0;var Qf;(function(e){e.Tag="tag",e.Mapping="mapping"})(Qf||(Gi.DiscrError=Qf={}))});var rg=A($d=>{"use strict";Object.defineProperty($d,"__esModule",{value:!0});var Un=Z(),zd=eg(),tg=Ci(),kk=Ho(),Ek=oe(),xk={message:o(({params:{discrError:e,tagName:t}})=>e===zd.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,Un._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},Pk={keyword:"discriminator",type:"object",schemaType:"object",error:xk,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:i}=e,{oneOf:s}=a;if(!i.opts.discriminator)throw new Error("discriminator: requires discriminator option");let u=n.propertyName;if(typeof u!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!s)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),p=t.const("tag",(0,Un._)`${r}${(0,Un.getProperty)(u)}`);t.if((0,Un._)`typeof ${p} == "string"`,()=>l(),()=>e.error(!1,{discrError:zd.DiscrError.Tag,tag:p,tagName:u})),e.ok(d);function l(){let _=f();t.if(!1);for(let w in _)t.elseIf((0,Un._)`${p} === ${w}`),t.assign(d,m(_[w]));t.else(),e.error(!1,{discrError:zd.DiscrError.Mapping,tag:p,tagName:u}),t.endIf()}o(l,"validateMapping");function m(_){let w=t.name("valid"),y=e.subschema({keyword:"oneOf",schemaProp:_},w);return e.mergeEvaluated(y,Un.Name),w}o(m,"applyTagSchema");function f(){var _;let w={},y=v(a),S=!0;for(let q=0;q<s.length;q++){let L=s[q];if(L?.$ref&&!(0,Ek.schemaHasRulesButRef)(L,i.self.RULES)){let ut=L.$ref;if(L=tg.resolveRef.call(i.self,i.schemaEnv.root,i.baseId,ut),L instanceof tg.SchemaEnv&&(L=L.schema),L===void 0)throw new kk.default(i.opts.uriResolver,i.baseId,ut)}let je=(_=L?.properties)===null||_===void 0?void 0:_[u];if(typeof je!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${u}"`);S=S&&(y||v(L)),R(je,q)}if(!S)throw new Error(`discriminator: "${u}" must be required`);return w;function v({required:q}){return Array.isArray(q)&&q.includes(u)}function R(q,L){if(q.const)b(q.const,L);else if(q.enum)for(let je of q.enum)b(je,L);else throw new Error(`discriminator: "properties/${u}" must have "const" or "enum"`)}function b(q,L){if(typeof q!="string"||q in w)throw new Error(`discriminator: "${u}" values must be unique strings`);w[q]=L}}o(f,"getMapping")}};$d.default=Pk});var ng=A((IB,Ok)=>{Ok.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var Md=A((me,Dd)=>{"use strict";Object.defineProperty(me,"__esModule",{value:!0});me.MissingRefError=me.ValidationError=me.CodeGen=me.Name=me.nil=me.stringify=me.str=me._=me.KeywordCxt=me.Ajv=void 0;var Uk=Xh(),Nk=Xf(),zk=rg(),og=ng(),$k=["/properties"],Bi="http://json-schema.org/draft-07/schema",Nn=class extends Uk.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),Nk.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(zk.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(og,$k):og;this.addMetaSchema(t,Bi,!1),this.refs["http://json-schema.org/schema"]=Bi}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(Bi)?Bi:void 0)}};me.Ajv=Nn;Dd.exports=me=Nn;Dd.exports.Ajv=Nn;Object.defineProperty(me,"__esModule",{value:!0});me.default=Nn;var Dk=jo();Object.defineProperty(me,"KeywordCxt",{enumerable:!0,get:o(function(){return Dk.KeywordCxt},"get")});var zn=Z();Object.defineProperty(me,"_",{enumerable:!0,get:o(function(){return zn._},"get")});Object.defineProperty(me,"str",{enumerable:!0,get:o(function(){return zn.str},"get")});Object.defineProperty(me,"stringify",{enumerable:!0,get:o(function(){return zn.stringify},"get")});Object.defineProperty(me,"nil",{enumerable:!0,get:o(function(){return zn.nil},"get")});Object.defineProperty(me,"Name",{enumerable:!0,get:o(function(){return zn.Name},"get")});Object.defineProperty(me,"CodeGen",{enumerable:!0,get:o(function(){return zn.CodeGen},"get")});var Mk=Ri();Object.defineProperty(me,"ValidationError",{enumerable:!0,get:o(function(){return Mk.default},"get")});var qk=Ho();Object.defineProperty(me,"MissingRefError",{enumerable:!0,get:o(function(){return qk.default},"get")})});var pg=A($t=>{"use strict";Object.defineProperty($t,"__esModule",{value:!0});$t.formatNames=$t.fastFormats=$t.fullFormats=void 0;function zt(e,t){return{validate:e,compare:t}}o(zt,"fmtDef");$t.fullFormats={date:zt(cg,Hd),time:zt(Ld(!0),Gd),"date-time":zt(ag(!0),dg),"iso-time":zt(Ld(),ug),"iso-date-time":zt(ag(),lg),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:Fk,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:Xk,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:Vk,int32:{type:"number",validate:Wk},int64:{type:"number",validate:Jk},float:{type:"number",validate:sg},double:{type:"number",validate:sg},password:!0,binary:!0};$t.fastFormats={...$t.fullFormats,date:zt(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,Hd),time:zt(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Gd),"date-time":zt(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,dg),"iso-time":zt(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,ug),"iso-date-time":zt(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,lg),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};$t.formatNames=Object.keys($t.fullFormats);function Lk(e){return e%4===0&&(e%100!==0||e%400===0)}o(Lk,"isLeapYear");var jk=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,Hk=[0,31,28,31,30,31,30,31,31,30,31,30,31];function cg(e){let t=jk.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&Lk(r)?29:Hk[n])}o(cg,"date");function Hd(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(Hd,"compareDate");var qd=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function Ld(e){return o(function(r){let n=qd.exec(r);if(!n)return!1;let a=+n[1],i=+n[2],s=+n[3],u=n[4],d=n[5]==="-"?-1:1,p=+(n[6]||0),l=+(n[7]||0);if(p>23||l>59||e&&!u)return!1;if(a<=23&&i<=59&&s<60)return!0;let m=i-l*d,f=a-p*d-(m<0?1:0);return(f===23||f===-1)&&(m===59||m===-1)&&s<61},"time")}o(Ld,"getTime");function Gd(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(Gd,"compareTime");function ug(e,t){if(!(e&&t))return;let r=qd.exec(e),n=qd.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(ug,"compareIsoTime");var jd=/t|\s/i;function ag(e){let t=Ld(e);return o(function(n){let a=n.split(jd);return a.length===2&&cg(a[0])&&t(a[1])},"date_time")}o(ag,"getDateTime");function dg(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(dg,"compareDateTime");function lg(e,t){if(!(e&&t))return;let[r,n]=e.split(jd),[a,i]=t.split(jd),s=Hd(r,a);if(s!==void 0)return s||Gd(n,i)}o(lg,"compareIsoDateTime");var Gk=/\/|:/,Bk=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function Fk(e){return Gk.test(e)&&Bk.test(e)}o(Fk,"uri");var ig=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function Vk(e){return ig.lastIndex=0,ig.test(e)}o(Vk,"byte");var Kk=-(2**31),Zk=2**31-1;function Wk(e){return Number.isInteger(e)&&e<=Zk&&e>=Kk}o(Wk,"validateInt32");function Jk(e){return Number.isInteger(e)}o(Jk,"validateInt64");function sg(){return!0}o(sg,"validateNumber");var Yk=/[^\\]\\Z/;function Xk(e){if(Yk.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(Xk,"regex")});var mg=A($n=>{"use strict";Object.defineProperty($n,"__esModule",{value:!0});$n.formatLimitDefinition=void 0;var Qk=Md(),It=Z(),Tr=It.operators,Fi={formatMaximum:{okStr:"<=",ok:Tr.LTE,fail:Tr.GT},formatMinimum:{okStr:">=",ok:Tr.GTE,fail:Tr.LT},formatExclusiveMaximum:{okStr:"<",ok:Tr.LT,fail:Tr.GTE},formatExclusiveMinimum:{okStr:">",ok:Tr.GT,fail:Tr.LTE}},eE={message:o(({keyword:e,schemaCode:t})=>(0,It.str)`should be ${Fi[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,It._)`{comparison: ${Fi[e].okStr}, limit: ${t}}`,"params")};$n.formatLimitDefinition={keyword:Object.keys(Fi),type:"string",schemaType:"string",$data:!0,error:eE,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:i}=e,{opts:s,self:u}=i;if(!s.validateFormats)return;let d=new Qk.KeywordCxt(i,u.RULES.all.format.definition,"format");d.$data?p():l();function p(){let f=t.scopeValue("formats",{ref:u.formats,code:s.code.formats}),_=t.const("fmt",(0,It._)`${f}[${d.schemaCode}]`);e.fail$data((0,It.or)((0,It._)`typeof ${_} != "object"`,(0,It._)`${_} instanceof RegExp`,(0,It._)`typeof ${_}.compare != "function"`,m(_)))}o(p,"validate$DataFormat");function l(){let f=d.schema,_=u.formats[f];if(!_||_===!0)return;if(typeof _!="object"||_ instanceof RegExp||typeof _.compare!="function")throw new Error(`"${a}": format "${f}" does not define "compare" function`);let w=t.scopeValue("formats",{key:f,ref:_,code:s.code.formats?(0,It._)`${s.code.formats}${(0,It.getProperty)(f)}`:void 0});e.fail$data(m(w))}o(l,"validateFormat");function m(f){return(0,It._)`${f}.compare(${r}, ${n}) ${Fi[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var tE=o(e=>(e.addKeyword($n.formatLimitDefinition),e),"formatLimitPlugin");$n.default=tE});var _g=A((ra,gg)=>{"use strict";Object.defineProperty(ra,"__esModule",{value:!0});var Dn=pg(),rE=mg(),Bd=Z(),hg=new Bd.Name("fullFormats"),nE=new Bd.Name("fastFormats"),Fd=o((e,t={keywords:!0})=>{if(Array.isArray(t))return fg(e,t,Dn.fullFormats,hg),e;let[r,n]=t.mode==="fast"?[Dn.fastFormats,nE]:[Dn.fullFormats,hg],a=t.formats||Dn.formatNames;return fg(e,a,r,n),t.keywords&&(0,rE.default)(e),e},"formatsPlugin");Fd.get=(e,t="full")=>{let n=(t==="fast"?Dn.fastFormats:Dn.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function fg(e,t,r,n){var a,i;(a=(i=e.opts.code).formats)!==null&&a!==void 0||(i.formats=(0,Bd._)`require("ajv-formats/dist/formats").${n}`);for(let s of t)e.addFormat(s,r[s])}o(fg,"addFormats");gg.exports=ra=Fd;Object.defineProperty(ra,"__esModule",{value:!0});ra.default=Fd});Bv();function lr(e){return!!e._zod}o(lr,"isZ4Schema");function Ke(e,t){return lr(e)?yc(e,t):e.safeParse(t)}o(Ke,"safeParse");function gn(e){if(!e)return;let t;if(lr(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(gn,"getObjectShape");function fm(e){if(lr(e)){let i=e._zod?.def;if(i){if(i.value!==void 0)return i.value;if(Array.isArray(i.values)&&i.values.length>0)return i.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(fm,"getLiteralValue");ae();var mr="2025-11-25",gm="2025-03-26",hr=[mr,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],fr="io.modelcontextprotocol/related-task",Ja="2.0",ke=pm(e=>e!==null&&(typeof e=="object"||typeof e=="function")),_m=fe([h(),re().int()]),ym=h(),GM=Ae({ttl:re().optional(),pollInterval:re().optional()}),Kv=I({ttl:re().optional()}),Zv=I({taskId:h()}),Rc=Ae({progressToken:_m.optional(),[fr]:Zv.optional()}),st=I({_meta:Rc.optional()}),_o=st.extend({task:Kv.optional()}),wm=o(e=>_o.safeParse(e).success,"isTaskAugmentedRequestParams"),xe=I({method:h(),params:st.loose().optional()}),dt=I({_meta:Rc.optional()}),lt=I({method:h(),params:dt.loose().optional()}),Pe=Ae({_meta:Rc.optional()}),Ya=fe([h(),re().int()]),Sm=I({jsonrpc:O(Ja),id:Ya,...xe.shape}).strict(),xt=o(e=>Sm.safeParse(e).success,"isJSONRPCRequest"),vm=I({jsonrpc:O(Ja),...lt.shape}).strict(),Rm=o(e=>vm.safeParse(e).success,"isJSONRPCNotification"),bc=I({jsonrpc:O(Ja),id:Ya,result:Pe}).strict(),St=o(e=>bc.safeParse(e).success,"isJSONRPCResultResponse");var P;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(P||(P={}));var Cc=I({jsonrpc:O(Ja),id:Ya.optional(),error:I({code:re().int(),message:h(),data:Re().optional()})}).strict();var yn=o(e=>Cc.safeParse(e).success,"isJSONRPCErrorResponse");var Mr=fe([Sm,vm,bc,Cc]),BM=fe([bc,Cc]),Kt=Pe.strict(),Wv=dt.extend({requestId:Ya.optional(),reason:h().optional()}),Xa=lt.extend({method:O("notifications/cancelled"),params:Wv}),Jv=I({src:h(),mimeType:h().optional(),sizes:C(h()).optional(),theme:it(["light","dark"]).optional()}),yo=I({icons:C(Jv).optional()}),_n=I({name:h(),title:h().optional()}),wn=_n.extend({..._n.shape,...yo.shape,version:h(),websiteUrl:h().optional(),description:h().optional()}),Yv=Sc(I({applyDefaults:ce().optional()}),le(h(),Re())),Xv=vc(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,Sc(I({form:Yv.optional(),url:ke.optional()}),le(h(),Re()).optional())),Qv=Ae({list:ke.optional(),cancel:ke.optional(),requests:Ae({sampling:Ae({createMessage:ke.optional()}).optional(),elicitation:Ae({create:ke.optional()}).optional()}).optional()}),eR=Ae({list:ke.optional(),cancel:ke.optional(),requests:Ae({tools:Ae({call:ke.optional()}).optional()}).optional()}),tR=I({experimental:le(h(),ke).optional(),sampling:I({context:ke.optional(),tools:ke.optional()}).optional(),elicitation:Xv.optional(),roots:I({listChanged:ce().optional()}).optional(),tasks:Qv.optional(),extensions:le(h(),ke).optional()}),rR=st.extend({protocolVersion:h(),capabilities:tR,clientInfo:wn}),Qa=xe.extend({method:O("initialize"),params:rR}),Ic=o(e=>Qa.safeParse(e).success,"isInitializeRequest"),nR=I({experimental:le(h(),ke).optional(),logging:ke.optional(),completions:ke.optional(),prompts:I({listChanged:ce().optional()}).optional(),resources:I({subscribe:ce().optional(),listChanged:ce().optional()}).optional(),tools:I({listChanged:ce().optional()}).optional(),tasks:eR.optional(),extensions:le(h(),ke).optional()}),Tc=Pe.extend({protocolVersion:h(),capabilities:nR,serverInfo:wn,instructions:h().optional()}),ei=lt.extend({method:O("notifications/initialized"),params:dt.optional()}),bm=o(e=>ei.safeParse(e).success,"isInitializedNotification"),ti=xe.extend({method:O("ping"),params:st.optional()}),oR=I({progress:re(),total:we(re()),message:we(h())}),aR=I({...dt.shape,...oR.shape,progressToken:_m}),ri=lt.extend({method:O("notifications/progress"),params:aR}),iR=st.extend({cursor:ym.optional()}),wo=xe.extend({params:iR.optional()}),So=Pe.extend({nextCursor:ym.optional()}),sR=it(["working","input_required","completed","failed","cancelled"]),vo=I({taskId:h(),status:sR,ttl:fe([re(),dm()]),createdAt:h(),lastUpdatedAt:h(),pollInterval:we(re()),statusMessage:we(h())}),Zt=Pe.extend({task:vo}),cR=dt.merge(vo),Ro=lt.extend({method:O("notifications/tasks/status"),params:cR}),ni=xe.extend({method:O("tasks/get"),params:st.extend({taskId:h()})}),oi=Pe.merge(vo),ai=xe.extend({method:O("tasks/result"),params:st.extend({taskId:h()})}),FM=Pe.loose(),ii=wo.extend({method:O("tasks/list")}),si=So.extend({tasks:C(vo)}),ci=xe.extend({method:O("tasks/cancel"),params:st.extend({taskId:h()})}),Cm=Pe.merge(vo),Im=I({uri:h(),mimeType:we(h()),_meta:le(h(),Re()).optional()}),Tm=Im.extend({text:h()}),Ac=h().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),Am=Im.extend({blob:Ac}),bo=it(["user","assistant"]),Sn=I({audience:C(bo).optional(),priority:re().min(0).max(1).optional(),lastModified:cm.datetime({offset:!0}).optional()}),km=I({..._n.shape,...yo.shape,uri:h(),description:we(h()),mimeType:we(h()),size:we(re()),annotations:Sn.optional(),_meta:we(Ae({}))}),uR=I({..._n.shape,...yo.shape,uriTemplate:h(),description:we(h()),mimeType:we(h()),annotations:Sn.optional(),_meta:we(Ae({}))}),kc=wo.extend({method:O("resources/list")}),Ec=So.extend({resources:C(km)}),dR=wo.extend({method:O("resources/templates/list")}),xc=So.extend({resourceTemplates:C(uR)}),Pc=st.extend({uri:h()}),lR=Pc,Oc=xe.extend({method:O("resources/read"),params:lR}),Uc=Pe.extend({contents:C(fe([Tm,Am]))}),Nc=lt.extend({method:O("notifications/resources/list_changed"),params:dt.optional()}),pR=Pc,mR=xe.extend({method:O("resources/subscribe"),params:pR}),hR=Pc,fR=xe.extend({method:O("resources/unsubscribe"),params:hR}),gR=dt.extend({uri:h()}),_R=lt.extend({method:O("notifications/resources/updated"),params:gR}),yR=I({name:h(),description:we(h()),required:we(ce())}),wR=I({..._n.shape,...yo.shape,description:we(h()),arguments:we(C(yR)),_meta:we(Ae({}))}),zc=wo.extend({method:O("prompts/list")}),$c=So.extend({prompts:C(wR)}),SR=st.extend({name:h(),arguments:le(h(),h()).optional()}),Dc=xe.extend({method:O("prompts/get"),params:SR}),Mc=I({type:O("text"),text:h(),annotations:Sn.optional(),_meta:le(h(),Re()).optional()}),qc=I({type:O("image"),data:Ac,mimeType:h(),annotations:Sn.optional(),_meta:le(h(),Re()).optional()}),Lc=I({type:O("audio"),data:Ac,mimeType:h(),annotations:Sn.optional(),_meta:le(h(),Re()).optional()}),vR=I({type:O("tool_use"),name:h(),id:h(),input:le(h(),Re()),_meta:le(h(),Re()).optional()}),RR=I({type:O("resource"),resource:fe([Tm,Am]),annotations:Sn.optional(),_meta:le(h(),Re()).optional()}),bR=km.extend({type:O("resource_link")}),jc=fe([Mc,qc,Lc,bR,RR]),CR=I({role:bo,content:jc}),Hc=Pe.extend({description:h().optional(),messages:C(CR)}),Gc=lt.extend({method:O("notifications/prompts/list_changed"),params:dt.optional()}),IR=I({title:h().optional(),readOnlyHint:ce().optional(),destructiveHint:ce().optional(),idempotentHint:ce().optional(),openWorldHint:ce().optional()}),TR=I({taskSupport:it(["required","optional","forbidden"]).optional()}),Em=I({..._n.shape,...yo.shape,description:h().optional(),inputSchema:I({type:O("object"),properties:le(h(),ke).optional(),required:C(h()).optional()}).catchall(Re()),outputSchema:I({type:O("object"),properties:le(h(),ke).optional(),required:C(h()).optional()}).catchall(Re()).optional(),annotations:IR.optional(),execution:TR.optional(),_meta:le(h(),Re()).optional()}),Bc=wo.extend({method:O("tools/list")}),Fc=So.extend({tools:C(Em)}),gr=Pe.extend({content:C(jc).default([]),structuredContent:le(h(),Re()).optional(),isError:ce().optional()}),VM=gr.or(Pe.extend({toolResult:Re()})),AR=_o.extend({name:h(),arguments:le(h(),Re()).optional()}),Co=xe.extend({method:O("tools/call"),params:AR}),Vc=lt.extend({method:O("notifications/tools/list_changed"),params:dt.optional()}),xm=I({autoRefresh:ce().default(!0),debounceMs:re().int().nonnegative().default(300)}),Io=it(["debug","info","notice","warning","error","critical","alert","emergency"]),kR=st.extend({level:Io}),Kc=xe.extend({method:O("logging/setLevel"),params:kR}),ER=dt.extend({level:Io,logger:h().optional(),data:Re()}),xR=lt.extend({method:O("notifications/message"),params:ER}),PR=I({name:h().optional()}),OR=I({hints:C(PR).optional(),costPriority:re().min(0).max(1).optional(),speedPriority:re().min(0).max(1).optional(),intelligencePriority:re().min(0).max(1).optional()}),UR=I({mode:it(["auto","required","none"]).optional()}),NR=I({type:O("tool_result"),toolUseId:h().describe("The unique identifier for the corresponding tool call."),content:C(jc).default([]),structuredContent:I({}).loose().optional(),isError:ce().optional(),_meta:le(h(),Re()).optional()}),zR=wc("type",[Mc,qc,Lc]),Wa=wc("type",[Mc,qc,Lc,vR,NR]),$R=I({role:bo,content:fe([Wa,C(Wa)]),_meta:le(h(),Re()).optional()}),DR=_o.extend({messages:C($R),modelPreferences:OR.optional(),systemPrompt:h().optional(),includeContext:it(["none","thisServer","allServers"]).optional(),temperature:re().optional(),maxTokens:re().int(),stopSequences:C(h()).optional(),metadata:ke.optional(),tools:C(Em).optional(),toolChoice:UR.optional()}),Zc=xe.extend({method:O("sampling/createMessage"),params:DR}),qr=Pe.extend({model:h(),stopReason:we(it(["endTurn","stopSequence","maxTokens"]).or(h())),role:bo,content:zR}),To=Pe.extend({model:h(),stopReason:we(it(["endTurn","stopSequence","maxTokens","toolUse"]).or(h())),role:bo,content:fe([Wa,C(Wa)])}),MR=I({type:O("boolean"),title:h().optional(),description:h().optional(),default:ce().optional()}),qR=I({type:O("string"),title:h().optional(),description:h().optional(),minLength:re().optional(),maxLength:re().optional(),format:it(["email","uri","date","date-time"]).optional(),default:h().optional()}),LR=I({type:it(["number","integer"]),title:h().optional(),description:h().optional(),minimum:re().optional(),maximum:re().optional(),default:re().optional()}),jR=I({type:O("string"),title:h().optional(),description:h().optional(),enum:C(h()),default:h().optional()}),HR=I({type:O("string"),title:h().optional(),description:h().optional(),oneOf:C(I({const:h(),title:h()})),default:h().optional()}),GR=I({type:O("string"),title:h().optional(),description:h().optional(),enum:C(h()),enumNames:C(h()).optional(),default:h().optional()}),BR=fe([jR,HR]),FR=I({type:O("array"),title:h().optional(),description:h().optional(),minItems:re().optional(),maxItems:re().optional(),items:I({type:O("string"),enum:C(h())}),default:C(h()).optional()}),VR=I({type:O("array"),title:h().optional(),description:h().optional(),minItems:re().optional(),maxItems:re().optional(),items:I({anyOf:C(I({const:h(),title:h()}))}),default:C(h()).optional()}),KR=fe([FR,VR]),ZR=fe([GR,BR,KR]),WR=fe([ZR,MR,qR,LR]),JR=_o.extend({mode:O("form").optional(),message:h(),requestedSchema:I({type:O("object"),properties:le(h(),WR),required:C(h()).optional()})}),YR=_o.extend({mode:O("url"),message:h(),elicitationId:h(),url:h().url()}),XR=fe([JR,YR]),Wc=xe.extend({method:O("elicitation/create"),params:XR}),QR=dt.extend({elicitationId:h()}),eb=lt.extend({method:O("notifications/elicitation/complete"),params:QR}),_r=Pe.extend({action:it(["accept","decline","cancel"]),content:vc(e=>e===null?void 0:e,le(h(),fe([h(),re(),ce(),C(h())])).optional())}),tb=I({type:O("ref/resource"),uri:h()});var rb=I({type:O("ref/prompt"),name:h()}),nb=st.extend({ref:fe([rb,tb]),argument:I({name:h(),value:h()}),context:I({arguments:le(h(),h()).optional()}).optional()}),ob=xe.extend({method:O("completion/complete"),params:nb});var Jc=Pe.extend({completion:Ae({values:C(h()).max(100),total:we(re().int()),hasMore:we(ce())})}),ab=I({uri:h().startsWith("file://"),name:h().optional(),_meta:le(h(),Re()).optional()}),ib=xe.extend({method:O("roots/list"),params:st.optional()}),Yc=Pe.extend({roots:C(ab)}),sb=lt.extend({method:O("notifications/roots/list_changed"),params:dt.optional()}),KM=fe([ti,Qa,ob,Kc,Dc,zc,kc,dR,Oc,mR,fR,Co,Bc,ni,ai,ii,ci]),ZM=fe([Xa,ri,ei,sb,Ro]),WM=fe([Kt,qr,To,_r,Yc,oi,si,Zt]),JM=fe([ti,Zc,Wc,ib,ni,ai,ii,ci]),YM=fe([Xa,ri,xR,_R,Nc,Vc,Gc,Ro,eb]),XM=fe([Kt,Tc,Jc,Hc,$c,Ec,xc,Uc,gr,Fc,oi,si,Zt]),k=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===P.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new pr(a.elicitations,r)}return new e(t,r,n)}},pr=class extends k{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(P.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};function yr(e){return e==="completed"||e==="failed"||e==="cancelled"}o(yr,"isTerminal");var cb=Symbol("Let zodToJsonSchema decide on which parser to use");var Wq=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function Xc(e){let r=gn(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=fm(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(Xc,"getMethodLiteral");function Qc(e,t){let r=Ke(e,t);if(!r.success)throw r.error;return r.data}o(Qc,"parseWithCompat");var hb=6e4,vn=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(Xa,r=>{this._oncancel(r)}),this.setNotificationHandler(ri,r=>{this._onprogress(r)}),this.setRequestHandler(ti,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(ni,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new k(P.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(ai,async(r,n)=>{let a=o(async()=>{let i=r.params.taskId;if(this._taskMessageQueue){let u;for(;u=await this._taskMessageQueue.dequeue(i,n.sessionId);){if(u.type==="response"||u.type==="error"){let d=u.message,p=d.id,l=this._requestResolvers.get(p);if(l)if(this._requestResolvers.delete(p),u.type==="response")l(d);else{let m=d,f=new k(m.error.code,m.error.message,m.error.data);l(f)}else{let m=u.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${p}`))}continue}await this._transport?.send(u.message,{relatedRequestId:n.requestId})}}let s=await this._taskStore.getTask(i,n.sessionId);if(!s)throw new k(P.InvalidParams,`Task not found: ${i}`);if(!yr(s.status))return await this._waitForTaskUpdate(i,n.signal),await a();if(yr(s.status)){let u=await this._taskStore.getTaskResult(i,n.sessionId);return this._clearTaskQueue(i),{...u,_meta:{...u._meta,[fr]:{taskId:i}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(ii,async(r,n)=>{try{let{tasks:a,nextCursor:i}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:i,_meta:{}}}catch(a){throw new k(P.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(ci,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new k(P.InvalidParams,`Task not found: ${r.params.taskId}`);if(yr(a.status))throw new k(P.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let i=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!i)throw new k(P.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...i}}catch(a){throw a instanceof k?a:new k(P.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,i=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:i,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),k.fromError(P.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=i=>{n?.(i),this._onerror(i)};let a=this._transport?.onmessage;this._transport.onmessage=(i,s)=>{a?.(i,s),St(i)||yn(i)?this._onresponse(i):xt(i)?this._onrequest(i,s):Rm(i)?this._onnotification(i):this._onerror(new Error(`Unknown message type: ${JSON.stringify(i)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=k.fromError(P.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,i=t.params?._meta?.[fr]?.taskId;if(n===void 0){let l={jsonrpc:"2.0",id:t.id,error:{code:P.MethodNotFound,message:"Method not found"}};i&&this._taskMessageQueue?this._enqueueTaskMessage(i,{type:"error",message:l,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(l).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let s=new AbortController;this._requestHandlerAbortControllers.set(t.id,s);let u=wm(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,p={signal:s.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async l=>{if(s.signal.aborted)return;let m={relatedRequestId:t.id};i&&(m.relatedTask={taskId:i}),await this.notification(l,m)},"sendNotification"),sendRequest:o(async(l,m,f)=>{if(s.signal.aborted)throw new k(P.ConnectionClosed,"Request was cancelled");let _={...f,relatedRequestId:t.id};i&&!_.relatedTask&&(_.relatedTask={taskId:i});let w=_.relatedTask?.taskId??i;return w&&d&&await d.updateTaskStatus(w,"input_required"),await this.request(l,m,_)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:i,taskStore:d,taskRequestedTtl:u?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{u&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,p)).then(async l=>{if(s.signal.aborted)return;let m={result:l,jsonrpc:"2.0",id:t.id};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async l=>{if(s.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(l.code)?l.code:P.InternalError,message:l.message??"Internal error",...l.data!==void 0&&{data:l.data}}};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(l=>this._onerror(new Error(`Failed to send response: ${l}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===s&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),i=this._progressHandlers.get(a);if(!i){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let s=this._responseHandlers.get(a),u=this._timeoutInfo.get(a);if(u&&s&&u.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),s(d);return}i(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),St(t))n(t);else{let s=new k(t.error.code,t.error.message,t.error.data);n(s)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let i=!1;if(St(t)&&t.result&&typeof t.result=="object"){let s=t.result;if(s.task&&typeof s.task=="object"){let u=s.task;typeof u.taskId=="string"&&(i=!0,this._taskProgressTokens.set(u.taskId,r))}}if(i||this._progressHandlers.delete(r),St(t))a(t);else{let s=k.fromError(t.error.code,t.error.message,t.error.data);a(s)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(s){yield{type:"error",error:s instanceof k?s:new k(P.InternalError,String(s))}}return}let i;try{let s=await this.request(t,Zt,n);if(s.task)i=s.task.taskId,yield{type:"taskCreated",task:s.task};else throw new k(P.InternalError,"Task creation did not return a task");for(;;){let u=await this.getTask({taskId:i},n);if(yield{type:"taskStatus",task:u},yr(u.status)){u.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)}:u.status==="failed"?yield{type:"error",error:new k(P.InternalError,`Task ${i} failed`)}:u.status==="cancelled"&&(yield{type:"error",error:new k(P.InternalError,`Task ${i} was cancelled`)});return}if(u.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)};return}let d=u.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(p=>setTimeout(p,d)),n?.signal?.throwIfAborted()}}catch(s){yield{type:"error",error:s instanceof k?s:new k(P.InternalError,String(s))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s,task:u,relatedTask:d}=n??{};return new Promise((p,l)=>{let m=o(R=>{l(R)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),u&&this.assertTaskCapability(t.method)}catch(R){m(R);return}n?.signal?.throwIfAborted();let f=this._requestMessageId++,_={...t,jsonrpc:"2.0",id:f};n?.onprogress&&(this._progressHandlers.set(f,n.onprogress),_.params={...t.params,_meta:{...t.params?._meta||{},progressToken:f}}),u&&(_.params={..._.params,task:u}),d&&(_.params={..._.params,_meta:{..._.params?._meta||{},[fr]:d}});let w=o(R=>{this._responseHandlers.delete(f),this._progressHandlers.delete(f),this._cleanupTimeout(f),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:f,reason:String(R)}},{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(q=>this._onerror(new Error(`Failed to send cancellation: ${q}`)));let b=R instanceof k?R:new k(P.RequestTimeout,String(R));l(b)},"cancel");this._responseHandlers.set(f,R=>{if(!n?.signal?.aborted){if(R instanceof Error)return l(R);try{let b=Ke(r,R.result);b.success?p(b.data):l(b.error)}catch(b){l(b)}}}),n?.signal?.addEventListener("abort",()=>{w(n?.signal?.reason)});let y=n?.timeout??hb,S=o(()=>w(k.fromError(P.RequestTimeout,"Request timed out",{timeout:y})),"timeoutHandler");this._setupTimeout(f,y,n?.maxTotalTimeout,S,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let R=o(b=>{let q=this._responseHandlers.get(f);q?q(b):this._onerror(new Error(`Response handler missing for side-channeled request ${f}`))},"responseResolver");this._requestResolvers.set(f,R),this._enqueueTaskMessage(v,{type:"request",message:_,timestamp:Date.now()}).catch(b=>{this._cleanupTimeout(f),l(b)})}else this._transport.send(_,{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(R=>{this._cleanupTimeout(f),l(R)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},oi,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},si,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},Cm,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let u={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[fr]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:u,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let u={...t,jsonrpc:"2.0"};r?.relatedTask&&(u={...u,params:{...u.params,_meta:{...u.params?._meta||{},[fr]:r.relatedTask}}}),this._transport?.send(u,r).catch(d=>this._onerror(d))});return}let s={...t,jsonrpc:"2.0"};r?.relatedTask&&(s={...s,params:{...s.params,_meta:{...s.params?._meta||{},[fr]:r.relatedTask}}}),await this._transport.send(s,r)}setRequestHandler(t,r){let n=Xc(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,i)=>{let s=Qc(t,a);return Promise.resolve(r(s,i))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=Xc(t);this._notificationHandlers.set(n,a=>{let i=Qc(t,a);return Promise.resolve(r(i))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&xt(a.message)){let i=a.message.id,s=this._requestResolvers.get(i);s?(s(new k(P.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(i)):this._onerror(new Error(`Resolver missing for request ${i} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,i)=>{if(r.aborted){i(new k(P.InvalidRequest,"Request cancelled"));return}let s=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(s),i(new k(P.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let i=await n.getTask(a,r);if(!i)throw new k(P.InvalidParams,"Failed to retrieve task: Task not found");return i},"getTask"),storeTaskResult:o(async(a,i,s)=>{await n.storeTaskResult(a,i,s,r);let u=await n.getTask(a,r);if(u){let d=Ro.parse({method:"notifications/tasks/status",params:u});await this.notification(d),yr(u.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,i,s)=>{let u=await n.getTask(a,r);if(!u)throw new k(P.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(yr(u.status))throw new k(P.InvalidParams,`Cannot update task "${a}" from terminal status "${u.status}" to "${i}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,i,s,r);let d=await n.getTask(a,r);if(d){let p=Ro.parse({method:"notifications/tasks/status",params:d});await this.notification(p),yr(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function Pm(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(Pm,"isPlainObject");function ui(e,t){let r={...e};for(let n in t){let a=n,i=t[a];if(i===void 0)continue;let s=r[a];Pm(s)&&Pm(i)?r[a]={...s,...i}:r[a]=i}return r}o(ui,"mergeCapabilities");var yg=nm(Md(),1),wg=nm(_g(),1);function oE(){let e=new yg.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,wg.default)(e),e}o(oE,"createDefaultAjvInstance");var Mn=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??oE()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var Vi=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],i=Array.isArray(a.content)?a.content:[a.content],s=i.some(l=>l.type==="tool_result"),u=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=u?Array.isArray(u.content)?u.content:[u.content]:[],p=d.some(l=>l.type==="tool_use");if(s){if(i.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!p)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(p){let l=new Set(d.filter(f=>f.type==="tool_use").map(f=>f.id)),m=new Set(i.filter(f=>f.type==="tool_result").map(f=>f.toolUseId));if(l.size!==m.size||![...l].every(f=>m.has(f)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},qr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let i=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:i},_r,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function Ki(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(Ki,"assertToolsCallTaskCapability");function Zi(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(Zi,"assertClientRequestTaskCapability");var Wi=class extends vn{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(Io.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let i=this._loggingLevels.get(a);return i?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(i):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new Mn,this.setRequestHandler(Qa,n=>this._oninitialize(n)),this.setNotificationHandler(ei,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(Kc,async(n,a)=>{let i=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:s}=n.params,u=Io.safeParse(s);return u.success&&this._loggingLevels.set(i,u.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new Vi(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=ui(this._capabilities,t)}setRequestHandler(t,r){let a=gn(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(lr(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");if(i==="tools/call"){let u=o(async(d,p)=>{let l=Ke(Co,d);if(!l.success){let w=l.error instanceof Error?l.error.message:String(l.error);throw new k(P.InvalidParams,`Invalid tools/call request: ${w}`)}let{params:m}=l.data,f=await Promise.resolve(r(d,p));if(m.task){let w=Ke(Zt,f);if(!w.success){let y=w.error instanceof Error?w.error.message:String(w.error);throw new k(P.InvalidParams,`Invalid task creation result: ${y}`)}return w.data}let _=Ke(gr,f);if(!_.success){let w=_.error instanceof Error?_.error.message:String(_.error);throw new k(P.InvalidParams,`Invalid tools/call result: ${w}`)}return _.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){Zi(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&Ki(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:hr.includes(r)?r:mr,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},Kt)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],i=a.some(p=>p.type==="tool_result"),s=t.messages.length>1?t.messages[t.messages.length-2]:void 0,u=s?Array.isArray(s.content)?s.content:[s.content]:[],d=u.some(p=>p.type==="tool_use");if(i){if(a.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let p=new Set(u.filter(m=>m.type==="tool_use").map(m=>m.id)),l=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(p.size!==l.size||![...p].every(m=>l.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},To,r):this.request({method:"sampling/createMessage",params:t},qr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},_r,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},i=await this.request({method:"elicitation/create",params:a},_r,r);if(i.action==="accept"&&i.content&&a.requestedSchema)try{let u=this._jsonSchemaValidator.getValidator(a.requestedSchema)(i.content);if(!u.valid)throw new k(P.InvalidParams,`Elicitation response content does not match requested schema: ${u.errorMessage}`)}catch(s){throw s instanceof k?s:new k(P.InternalError,`Error validating elicitation response: ${s instanceof Error?s.message:String(s)}`)}return i}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},Yc,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var Ji=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let i={code:r,message:n};return a?.data!==void 0&&(i.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:i,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let i=await this._eventStore.storeEvent(n,{}),s=`id: ${i}
 data: 
 
 `;this._retryInterval!==void 0&&(s=`id: ${i}
 retry: ${this._retryInterval}
 data: 
 
-`),t.enqueue(r.encode(s))}async handleGetRequest(t){if(!t.headers.get("accept")?.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept text/event-stream");let n=this.validateSession(t);if(n)return n;let a=this.validateProtocolVersion(t);if(a)return a;if(this._eventStore){let l=t.headers.get("last-event-id");if(l)return this.replayEvents(l)}if(this._streamMapping.get(this._standaloneSseStreamId)!==void 0)return this.onerror?.(new Error("Conflict: Only one SSE stream is allowed per session")),this.createJsonErrorResponse(409,-32e3,"Conflict: Only one SSE stream is allowed per session");let i=new TextEncoder,s,u=new ReadableStream({start:o(l=>{s=l},"start"),cancel:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId)},"cancel")}),d={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};return this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId),this._streamMapping.set(this._standaloneSseStreamId,{controller:s,encoder:i,cleanup:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId);try{s.close()}catch{}},"cleanup")}),new Response(u,{headers:d})}async replayEvents(t){if(!this._eventStore)return this.onerror?.(new Error("Event store not configured")),this.createJsonErrorResponse(400,-32e3,"Event store not configured");try{let r;if(this._eventStore.getStreamIdForEventId){if(r=await this._eventStore.getStreamIdForEventId(t),!r)return this.onerror?.(new Error("Invalid event ID format")),this.createJsonErrorResponse(400,-32e3,"Invalid event ID format");if(this._streamMapping.get(r)!==void 0)return this.onerror?.(new Error("Conflict: Stream already has an active connection")),this.createJsonErrorResponse(409,-32e3,"Conflict: Stream already has an active connection")}let n={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};this.sessionId!==void 0&&(n["mcp-session-id"]=this.sessionId);let a=new TextEncoder,i,s=new ReadableStream({start:o(d=>{i=d},"start"),cancel:o(()=>{},"cancel")}),u=await this._eventStore.replayEventsAfter(t,{send:o(async(d,l)=>{if(!this.writeSSEEvent(i,a,l,d)){this.onerror?.(new Error("Failed replay events"));try{i.close()}catch{}}},"send")});return this._streamMapping.set(u,{controller:i,encoder:a,cleanup:o(()=>{this._streamMapping.delete(u);try{i.close()}catch{}},"cleanup")}),new Response(s,{headers:n})}catch(r){return this.onerror?.(r),this.createJsonErrorResponse(500,-32e3,"Error replaying events")}}writeSSEEvent(t,r,n,a){try{let i=`event: message
+`),t.enqueue(r.encode(s))}async handleGetRequest(t){if(!t.headers.get("accept")?.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept text/event-stream");let n=this.validateSession(t);if(n)return n;let a=this.validateProtocolVersion(t);if(a)return a;if(this._eventStore){let p=t.headers.get("last-event-id");if(p)return this.replayEvents(p)}if(this._streamMapping.get(this._standaloneSseStreamId)!==void 0)return this.onerror?.(new Error("Conflict: Only one SSE stream is allowed per session")),this.createJsonErrorResponse(409,-32e3,"Conflict: Only one SSE stream is allowed per session");let i=new TextEncoder,s,u=new ReadableStream({start:o(p=>{s=p},"start"),cancel:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId)},"cancel")}),d={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};return this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId),this._streamMapping.set(this._standaloneSseStreamId,{controller:s,encoder:i,cleanup:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId);try{s.close()}catch{}},"cleanup")}),new Response(u,{headers:d})}async replayEvents(t){if(!this._eventStore)return this.onerror?.(new Error("Event store not configured")),this.createJsonErrorResponse(400,-32e3,"Event store not configured");try{let r;if(this._eventStore.getStreamIdForEventId){if(r=await this._eventStore.getStreamIdForEventId(t),!r)return this.onerror?.(new Error("Invalid event ID format")),this.createJsonErrorResponse(400,-32e3,"Invalid event ID format");if(this._streamMapping.get(r)!==void 0)return this.onerror?.(new Error("Conflict: Stream already has an active connection")),this.createJsonErrorResponse(409,-32e3,"Conflict: Stream already has an active connection")}let n={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};this.sessionId!==void 0&&(n["mcp-session-id"]=this.sessionId);let a=new TextEncoder,i,s=new ReadableStream({start:o(d=>{i=d},"start"),cancel:o(()=>{},"cancel")}),u=await this._eventStore.replayEventsAfter(t,{send:o(async(d,p)=>{if(!this.writeSSEEvent(i,a,p,d)){this.onerror?.(new Error("Failed replay events"));try{i.close()}catch{}}},"send")});return this._streamMapping.set(u,{controller:i,encoder:a,cleanup:o(()=>{this._streamMapping.delete(u);try{i.close()}catch{}},"cleanup")}),new Response(s,{headers:n})}catch(r){return this.onerror?.(r),this.createJsonErrorResponse(500,-32e3,"Error replaying events")}}writeSSEEvent(t,r,n,a){try{let i=`event: message
 `;return a&&(i+=`id: ${a}
 `),i+=`data: ${JSON.stringify(n)}
 
-`,t.enqueue(r.encode(i)),!0}catch(i){return this.onerror?.(i),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let i={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},s;if(r?.parsedBody!==void 0)s=r.parsedBody;else try{s=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let u;try{Array.isArray(s)?u=s.map(v=>wr.parse(v)):u=[wr.parse(s)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=u.some(Gs);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(u.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let R=this.validateProtocolVersion(t);if(R)return R}if(!u.some(St)){for(let v of u)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i});return new Response(null,{status:202})}let p=crypto.randomUUID(),m=u.find(v=>Gs(v)),f=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??kp;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(p,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(p)},"cleanup")});for(let R of u)St(R)&&this._requestToStreamMapping.set(R.id,p);for(let R of u)this.onmessage?.(R,{authInfo:r?.authInfo,requestInfo:i})});let _=new TextEncoder,S,y=new ReadableStream({start:o(v=>{S=v},"start"),cancel:o(()=>{this._streamMapping.delete(p)},"cancel")}),w={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(w["mcp-session-id"]=this.sessionId);for(let v of u)St(v)&&(this._streamMapping.set(p,{controller:S,encoder:_,cleanup:o(()=>{this._streamMapping.delete(p);try{S.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,p));await this.writePrimingEvent(S,_,p,f);for(let v of u){let R,I;St(v)&&this._eventStore&&f>="2025-11-25"&&(R=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),I=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i,closeSSEStream:R,closeStandaloneSSEStream:I})}return new Response(y,{status:200,headers:w})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!Qt.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Qt.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Qt.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((ut(t)||Xr(t))&&(n=t.id),n===void 0){if(ut(t)||Xr(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let s;this._eventStore&&(s=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let u=this._streamMapping.get(this._standaloneSseStreamId);if(u===void 0)return;u.controller&&u.encoder&&this.writeSSEEvent(u.controller,u.encoder,t,s);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let i=this._streamMapping.get(a);if(!this._enableJsonResponse&&i?.controller&&i?.encoder){let s;this._eventStore&&(s=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(i.controller,i.encoder,t,s)}if(ut(t)||Xr(t)){this._requestResponseMap.set(n,t);let s=Array.from(this._requestToStreamMapping.entries()).filter(([d,l])=>l===a).map(([d])=>d);if(s.every(d=>this._requestResponseMap.has(d))){if(!i)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&i.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let l=s.map(p=>this._requestResponseMap.get(p));l.length===1?i.resolveJson(new Response(JSON.stringify(l[0]),{status:200,headers:d})):i.resolveJson(new Response(JSON.stringify(l),{status:200,headers:d}))}else i.cleanup();for(let d of s)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function dd(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(dd,"truncate");function Of(e){return"cause"in e?e.cause:void 0}o(Of,"readCause");function Ae(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=dd(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=dd(r.message);let n=Of(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let i=a===1?"cause":`cause${a}`;e[`${i}Name`]=n.name,e[`${i}Message`]=dd(n.message),n=Of(n)}}o(Ae,"addErrorLogFields");function it(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(it,"safeHost");function Uf(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(Uf,"setLogProperties");function ld(e,t){Uf(e,{tenantId:t.tenantId,subjectId:t.subjectId})}o(ld,"applyGatewayPrincipalLogProperties");function zf(e,t){Uf(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(zf,"applyGatewayRouteLogProperties");var wn={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},Nf={...wn.runtime,...wn.config,...wn.downstream_auth,...wn.downstream_oauth,...wn.upstream_auth,...wn.upstream_mcp};function Uo(e){return typeof e=="string"&&Object.hasOwn(Nf,e)}o(Uo,"isGatewayProblemCode");function wi(e){return Uo(e)&&Fe(e).callbackFailure===!0}o(wi,"isGatewayCallbackFailureCode");function Fe(e){return Nf[e]}o(Fe,"readGatewayProblemDefinition");function pd(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";default:return"internal_server_error"}}o(pd,"readDefaultGatewayProblemCodeForStatus");var Df="gatewayCode";function Mf(e){let t=Fe(e);return{title:t.title,body:t.publicDetail}}o(Mf,"readGatewayCallbackFailureContent");function de(e){if(!(e instanceof _a))return;let t=e.extensionMembers?.[Df];return Uo(t)?t:void 0}o(de,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Fe(n.code),i=n.privateDetail??(vi(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),s=mk(n);return new _a({message:i,extensionMembers:{[Df]:n.code}},s===void 0?void 0:{cause:s})}o(g,"createGatewayRuntimeError");async function Ze(e,t,r){let n=Fe(r.code),a=hk(r.code,r.detail),i=vi(r.code)?r.title??n.title:n.title,u={problem:{...Vn.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:i,detail:a,code:r.code}};return r.headers!==void 0&&(u.additionalHeaders=r.headers),Vn.format(u,e,t)}o(Ze,"gatewayProblemResponse");function vi(e){return Fe(e).status<500}o(vi,"canExposeGatewayProblemDetail");function mk(e){return!e.privateDetail||vi(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(mk,"readRuntimeErrorCause");function hk(e,t){let r=Fe(e);return vi(e)&&t||r.publicDetail}o(hk,"readSafeGatewayProblemDetail");Y();var fk=["tenant_shared_oauth","user_oauth","static_secret","user_static_secret","tenant_static_secret"],gk=["none","client_secret_basic","client_secret_post"],ke=c.string().min(1).brand(),me=c.string().min(1).brand(),Pe=c.string().min(1).brand(),Tt=c.string().min(1).brand(),Ri=c.enum(fk),md=c.enum(gk),bi=c.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),hd=c.object({name:bi,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict();var fd=new Map;function Ci(e){fd.set(e.policyType,e)}o(Ci,"registerMcpAuthorizationPolicy");function gd(e){if(e!==void 0)return fd.get(e)}o(gd,"getMcpAuthorizationPolicy");function Ii(e){return gd(e)!==void 0}o(Ii,"isRegisteredMcpAuthorizationPolicyType");function _d(){return[...fd.keys()]}o(_d,"listMcpAuthorizationPolicyTypes");Y();var Lf=ke,_k=c.object({mode:c.literal("auto")}).strict(),yk=c.object({mode:c.literal("manual"),clientId:c.string().trim().min(1),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:md.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:c.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),jf=c.discriminatedUnion("mode",[_k,yk]),Sk=jf.default({mode:"auto"}),yd=c.object({scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:Sk}).strict(),qf=yd.extend({redirectPath:c.string().startsWith("/auth/connections/")}).strict(),Hf=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),wk=new Set([...Hf,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),vk=c.object({kind:c.literal("bearer_token"),token:c.string().min(1)}).strict(),Rk=c.object({kind:c.literal("headers"),headers:c.array(c.object({name:bi,value:c.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let i=a.name.toLowerCase();Hf.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(i)}}),Sd=c.discriminatedUnion("kind",[vk,Rk]),bk=c.object({kind:c.literal("basic_auth_app_password"),usernameLabel:c.string().min(1).default("Username"),passwordLabel:c.string().min(1).default("App password")}).strict(),Ck=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key"),capture:c.enum(["browser_login"]).optional()}).strict(),wd=c.discriminatedUnion("kind",[bk,Ck]),vd=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key")}).strict(),Ik=c.discriminatedUnion("mode",[c.object({mode:c.literal("tenant_shared_oauth"),oauth:qf}).strict(),c.object({mode:c.literal("user_oauth"),oauth:qf}).strict(),c.object({mode:c.literal("static_secret"),secret:Sd}).strict(),c.object({mode:c.literal("user_static_secret"),secret:wd}).strict(),c.object({mode:c.literal("tenant_static_secret"),secret:vd}).strict()]),Tk=c.object({baseUrl:c.url(),resourceMetadataUrl:c.url(),requestHeaders:c.array(hd).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let i=a.name.toLowerCase();wk.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(i)}}),rB=c.object({displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:Qr.optional(),authProfiles:c.record(Pe,Ik),transport:Tk}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),Ak=c.object({tenant_shared_oauth:yd.optional(),user_oauth:yd.optional(),static_secret:c.object({secret:Sd}).strict().optional(),user_static_secret:c.object({secret:wd}).strict().optional(),tenant_static_secret:c.object({secret:vd}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),$f=c.object({id:Lf,displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:Qr.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url(),requestHeaders:c.array(hd).default([]),authProfiles:Ak}).strict(),kk=c.object({name:bi,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict(),Ti={id:Lf.optional(),displayName:c.string().min(1),summary:c.string().min(1).optional(),serverInfo:Qr.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url().optional(),requestHeaders:c.array(kk).default([])},Pk=c.discriminatedUnion("authMode",[c.object({...Ti,authMode:c.enum(["tenant_shared_oauth","user_oauth"]),scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:jf.optional(),clientId:c.string().trim().min(1).optional(),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:md.optional()}).strict(),c.object({...Ti,authMode:c.literal("static_secret"),secret:Sd}).strict(),c.object({...Ti,authMode:c.literal("user_static_secret"),secret:wd}).strict(),c.object({...Ti,authMode:c.literal("tenant_static_secret"),secret:vd}).strict()]);function Gf(e){throw g("internal_server_error",e)}o(Gf,"throwGatewayConfigError");function Ek(e){let t="mcp-upstream-";return e.startsWith(t)||Gf(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),ke.parse(e.slice(t.length))}o(Ek,"inferUpstreamConnectionIdFromPolicyName");function xk(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(xk,"buildDefaultProtectedResourceMetadataUrl");function vn(e,t){return Pe.parse(`${e}:${t}`)}o(vn,"buildUpstreamAuthProfileId");function Ai(e,t){let r=$f.safeParse(e);if(r.success)return r.data;let n=Pk.parse(e),a=n.id??(t===void 0?void 0:Ek(t));a===void 0&&Gf("Upstream policy options must include id when policy name is unavailable.");let i=n.requestHeaders.map(u=>({name:u.name,value:u.value,required:u.required})),s=(()=>{switch(n.authMode){case"tenant_shared_oauth":case"user_oauth":{let u=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:u}}}case"static_secret":case"user_static_secret":case"tenant_static_secret":return{[n.authMode]:{secret:n.secret}}}})();return $f.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??xk(n.mcpUrl),requestHeaders:i,authProfiles:s})}o(Ai,"parseUpstreamConnectionPolicyOptions");function Bf(e){return e.mode==="tenant_shared_oauth"||e.mode==="user_oauth"}o(Bf,"isUpstreamOAuthAuthConfig");Y();var Ok=c.looseObject({name:c.string().min(1),version:c.string().min(1).optional()}),Uk=c.looseObject({}),zk=c.looseObject({name:Tt,namespace:Tt.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional(),inputSchema:Uk}),Nk=c.looseObject({name:Tt,namespace:Tt.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional()}),Dk=c.looseObject({name:Tt,uri:c.string().min(1),upstreamPolicy:c.string().min(1).optional(),upstreamUri:c.string().min(1).optional(),enabled:c.boolean().optional()}),Mk=c.enum(["openapi","upstream_mcp"]),qk=c.object({catalogSource:Mk.default("openapi"),serverInfo:Ok.optional(),tools:c.array(zk).default([]),prompts:c.array(Nk).default([]),resources:c.array(Dk).default([])}).strict();function Vf(e){return qk.parse(e??{})}o(Vf,"parseVirtualServerRouteOptions");function ki(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(ki,"toMcpTool");function Pi(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Pi,"toMcpPrompt");function Ei(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(Ei,"toMcpResource");var $k="mcp-upstream-connection-inbound",Ff="/mcp/";function De(e){throw new Ot(e)}o(De,"throwRegistryError");function Zf(e){return e.policyType===$k}o(Zf,"isUpstreamConnectionPolicy");function Lk(e){return Ii(e.policyType)}o(Lk,"isMcpOAuthInboundPolicy");function jk(e){e.startsWith(Ff)||De(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(Ff.length);return(!t||t.includes("/"))&&De(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),me.parse(t)}o(jk,"readVirtualServerIdFromPath");function Hk(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&De(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&De(`Upstream policy ${e.policyName} does not declare an auth mode.`),Ri.parse(r)}o(Hk,"readSingleAuthMode");function Gk(e){let t=e.connection.authProfiles[e.authMode];t||De(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"tenant_shared_oauth":case"user_oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static_secret":return{mode:"static_secret",secret:t.secret};case"user_static_secret":return{mode:"user_static_secret",secret:t.secret};case"tenant_static_secret":return{mode:"tenant_static_secret",secret:t.secret}}}o(Gk,"buildResolvedAuthConfig");function Bk(e){let t=Hk({policyName:e.policyName,connection:e.connection}),r=vn(e.connection.id,t),n=Gk({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(Bk,"buildRegisteredConnection");function Vk(e){let t=new Map;for(let r of e)t.has(r.name)&&De(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(Vk,"buildPolicyMap");function Fk(e){let t=new Map,r=new Set;for(let n of e.values()){if(!Zf(n))continue;let a=Ai(n.handler.options,n.name);r.has(a.id)&&De(`Duplicate upstream MCP connection id ${a.id} in policies.json.`),r.add(a.id);let i=Bk({policyName:n.name,connection:a});t.set(n.name,i)}return t}o(Fk,"buildConnectionsByPolicyName");function Zk(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(Zk,"readOperationId");function Kf(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return Tt.parse(t)}catch{De(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o(Kf,"buildPublishedCapabilityName");function bd(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||De(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;De(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o(bd,"readCapabilityUpstreamPolicy");function Rd(e){e.seen.has(e.key)&&De(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(Rd,"assertUniqueCatalogKey");function Kk(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=Kf({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:bd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(Kk,"normalizeCatalogTool");function Wk(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=Kf({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:bd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(Wk,"normalizeCatalogPrompt");function Jk(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:bd({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(Jk,"normalizeCatalogResource");function Yk(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>Kk({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>Wk({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>Jk({resource:d,connections:e.connections,routePath:e.routePath})),i=new Set;for(let d of r)Rd({kind:"tool",key:d.name,routePath:e.routePath,seen:i});let s=new Set;for(let d of n)Rd({kind:"prompt",key:d.name,routePath:e.routePath,seen:s});let u=new Set;for(let d of a)Rd({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:u});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(Yk,"normalizeVirtualServerCatalog");function Xk(e){let t=new Map,r=new Set;for(let n of e.routes){let a=n.policies?.inbound??[];if(a.length===0)continue;let i=a[0],s=i===void 0?void 0:e.policyByName.get(i);if(!s||!Lk(s))continue;let u=Zk(n);u||De(`MCP virtual server route ${n.path} must declare an operationId in routes.oas.json.`),r.has(u)&&De(`Duplicate MCP virtual server operationId ${u} across routes.`),r.add(u);let d=jk(n.path);t.has(d)&&De(`Duplicate MCP virtual server id ${d} across routes.`);let l=[];for(let f of a.slice(1)){let _=e.policyByName.get(f);if(!_||!Zf(_))continue;let S=e.connectionsByPolicyName.get(f);S||De(`Upstream connection policy ${f} referenced by route ${n.path} could not be resolved.`),l.push(S)}let p=Vf(n.handler.options),m=Yk({catalog:p,connections:l,routePath:n.path});m.catalogSource==="upstream_mcp"&&l.length!==1&&De(`MCP virtual server route ${n.path} uses upstream MCP catalog mode but declares ${l.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(d,{virtualServerId:d,operationId:u,routePath:n.path,handlerExport:n.handler.export,serverInfo:m.serverInfo,catalog:m,connections:l})}return t}o(Xk,"buildVirtualServers");function Wf(e){let t=Vk(e.policies),r=Fk(t),n=Xk({routes:e.routes,policyByName:t,connectionsByPolicyName:r}),a=new Map;for(let i of r.values())a.set(i.upstreamServerId,i);return{byVirtualServerId:n,connectionsById:a}}o(Wf,"buildGatewayConnectionRegistry");var xi;function Jf(e){xi=e}o(Jf,"setGatewayConnectionRegistry");function st(){if(!xi)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return xi}o(st,"getGatewayConnectionRegistry");function Yf(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return t}o(Yf,"getRegisteredVirtualServer");function zo(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(zo,"requireRegisteredVirtualServer");function Xf(){return xi}o(Xf,"tryGetGatewayConnectionRegistry");var Qf=new Ut("gateway-route");function eg(e,t){Qf.set(e,t)}o(eg,"setGatewayRouteContext");function No(e){return Qf.get(e)}o(No,"readGatewayRouteContext");function Rn(e){let t=No(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(Rn,"requireGatewayRouteContext");var Or="2025-06-18";var Qk=new Set(["localhost","::1"]);function ct(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(ct,"normalizeHostname");function Le(e){let t=ct(e.hostname);return e.protocol==="http:"&&(Qk.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(Le,"isLoopbackHttpUrl");function re(e){return new URL(e).origin}o(re,"readGatewayRequestOrigin");import{metrics as eP,context as Oi,propagation as rg,SpanKind as ng,SpanStatusCode as Cd,trace as Do}from"@opentelemetry/api";var tP="mcp-gateway",rP="mcp-gateway",nP=Or,oP="2.0",og=Do.getTracer(tP),Id=eP.getMeter(rP),aP=Id.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),iP=Id.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),sP=Id.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),cP=["traceparent","tracestate","baggage"];function Td(){return performance.now()/1e3}o(Td,"nowSeconds");function ag(e,t){t(Math.max(Td()-e,0))}o(ag,"recordDurationSeconds");function tg(e){return e===void 0?void 0:String(e)}o(tg,"stringifyAttribute");function Ee(e,t,r){r!==void 0&&(e[t]=r)}o(Ee,"assignAttribute");function uP(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(uP,"readTargetName");function ig(e){let t=uP({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(ig,"buildMcpOperationSpanName");function Ad(e){let t={"mcp.method.name":e.methodName};return Ee(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??oP),Ee(t,"jsonrpc.request.id",tg(e.jsonRpcRequestId)),Ee(t,"mcp.protocol.version",e.mcpProtocolVersion??nP),Ee(t,"mcp.session.id",e.mcpSessionId),Ee(t,"mcp.resource.uri",e.resourceUri),Ee(t,"rpc.response.status_code",tg(e.rpcResponseStatusCode)),Ee(t,"error.type",e.errorType),e.capabilityType==="tool"&&(Ee(t,"gen_ai.operation.name","execute_tool"),Ee(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&Ee(t,"gen_ai.prompt.name",e.capabilityName),Ee(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),Ee(t,"network.protocol.version",e.networkProtocolVersion),Ee(t,"network.transport",e.networkTransport),Ee(t,"server.address",e.serverAddress),Ee(t,"server.port",e.serverPort),Ee(t,"client.address",e.clientAddress),Ee(t,"client.port",e.clientPort),t}o(Ad,"buildMcpOperationAttributes");function dP(e){let t=Ad({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(dP,"buildMcpSessionAttributes");function sg(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:Cd.ERROR}),t instanceof Error&&e.recordException(t)}o(sg,"setSpanError");function cg(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(cg,"readErrorType");function lP(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?Oi.active():rg.extract(Oi.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(lP,"readServerParentContext");function pP(e){let t=Do.getSpanContext(Oi.active()),r=Do.getSpanContext(e);if(!(!t||!Do.isSpanContextValid(t))&&!(r&&Do.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(pP,"readAmbientSpanLink");function ug(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(ug,"readResultErrorType");async function Ur(e,t){let r=Td(),n=Ad({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return og.startActiveSpan(ig(e),{kind:ng.CLIENT,attributes:n},async a=>{try{let i=await t(),s=ug(i);return s&&(a.setAttribute("error.type",s),a.setStatus({code:Cd.ERROR}),n["error.type"]=s),i}catch(i){let s=e.errorType??cg(i);throw n["error.type"]=s,sg(a,i,s),i}finally{ag(r,i=>{aP.record(i,n)}),a.end()}})}o(Ur,"runMcpClientOperation");async function zr(e,t){let r=Td(),n=lP(e.params),a=Ad({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),i=pP(n);return og.startActiveSpan(ig(e),{kind:ng.SERVER,attributes:a,...i?{links:i}:{}},n,async s=>{try{let u=await t(),d=ug(u);return d&&(s.setAttribute("error.type",d),s.setStatus({code:Cd.ERROR}),a["error.type"]=d),u}catch(u){let d=e.errorType??cg(u);throw a["error.type"]=d,sg(s,u,d),u}finally{ag(r,u=>{iP.record(u,a)}),s.end()}})}o(zr,"runMcpServerOperation");function dg(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return rg.inject(Oi.active(),t._meta,{set(r,n,a){cP.includes(n)&&(r[n]=a)}}),t}o(dg,"injectMcpTraceContextIntoParams");function lg(e,t){let r=dP({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});sP.record(Math.max(t,0),r)}o(lg,"recordMcpClientSessionDuration");var kd=new Ut("route-upstream-bindings");function mP(e){let t=kd.get(e);if(t)return t;let r={bindings:[]};return kd.set(e,r),r}o(mP,"readOrCreateRouteUpstreamBindingRegistry");function pg(e){return`${e.upstreamServerId}:${e.authProfileId}`}o(pg,"buildRouteBindingDuplicateKey");function Pd(e,t){let r=mP(e),n=pg(t);if(r.bindings.find(i=>pg(i)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.bindings.push(t)}o(Pd,"appendResolvedUpstreamBindingContext");function mg(e){return kd.get(e)?.bindings??[]}o(mg,"readResolvedUpstreamBindingContexts");Y();var V=c.string().datetime({offset:!0}).brand();function O(e){return V.parse(e.toISOString())}o(O,"toIsoTimestamp");function ft(e,t){return new Date(e.getTime()+t*1e3)}o(ft,"addSeconds");Y();var bn=c.string().trim().min(1),Mo={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},hP=c.object({issuer:c.url(),jwksUrl:c.url(),audience:bn}),fP=c.object({url:c.url(),tokenUrl:c.url().optional(),clientId:bn.optional(),clientSecret:bn.optional(),scope:bn.default("openid profile email"),audience:bn.optional(),remoteTimeoutMs:c.coerce.number().int().positive().default(1e4),stateTtlSeconds:c.coerce.number().int().positive().default(900),sessionTtlSeconds:c.coerce.number().int().positive().default(28800)}).strict(),gP=c.object({accessTokenTtlSeconds:c.coerce.number().int().positive().default(Mo.accessTokenTtlSeconds),refreshTokenTtlSeconds:c.coerce.number().int().positive().default(Mo.refreshTokenTtlSeconds),cimdEnabled:c.boolean().default(Mo.cimdEnabled)}).strict().default(Mo),_P=c.object({oidc:hP,browserLogin:fP,gateway:gP.optional().default(Mo),devTenantId:bn.optional()}).strict();function hg(e){return yP(e.browserLogin.url)?"local_dev":"federated_oidc"}o(hg,"readBrowserLoginKind");function yP(e){let t;try{t=new URL(e)}catch{return!1}return Le(t)&&t.pathname==="/oauth/dev-login"}o(yP,"isLoopbackDevLoginUrl");function Ui(e){return _P.parse(e)}o(Ui,"parseMcpOAuthRuntimeConfig");var Ed;function fg(e){Ed=e}o(fg,"setGatewayOAuthConfig");function ve(){if(!Ed)throw g("internal_server_error","MCP gateway OAuth config has not been initialized. An `mcp-oauth-inbound` policy (or a provider-specific wrapper such as `mcp-auth0-oauth-inbound`) must be registered in policies.json so the gateway can derive its OAuth runtime configuration from policy options.");return Ed}o(ve,"getGatewayOAuthConfig");function gt(e){return re(e)}o(gt,"readGatewayOAuthIssuer");Y();var SP=43,wP=128,vP=/^[A-Za-z0-9._~-]+$/,xd="S256",Cn=c.literal(xd),zi=c.string().min(SP).max(wP).regex(vP);Y();var Ni=["none","client_secret_post","client_secret_basic"],RP=[...Ni,"private_key_jwt"],bP=["awaiting_login","awaiting_setup"],CP=c.string().min(1).brand(),IP=c.string().min(1).brand(),le=c.string().min(1).brand(),_t=c.uuid().brand(),je=c.uuid().brand(),Di=c.uuid().brand(),qo=c.enum(Ni),TP=c.enum(RP),Od=c.enum(bP),gg=c.object({client_id:le,client_name:c.string().min(1),redirect_uris:c.array(c.string().min(1)).min(1),token_endpoint_auth_method:TP.default("none")}),$o=c.object({clientId:le,clientName:c.string().min(1),redirectUris:c.array(c.string().min(1)),tokenEndpointAuthMethod:qo,hashedClientSecret:c.string().optional(),clientSecretExpiresAt:V.optional(),clientExpiresAt:V,revokedAt:V.optional(),createdAt:V}),Ud=c.object({clientId:le,resource:c.string(),virtualServerId:me,tenantId:CP,subjectId:IP,scope:c.string(),roles:c.array(c.string()),createdAt:V,expiresAt:V}),_g=Ud.extend({id:je,redirectUri:c.string(),clientState:c.string().optional(),codeChallenge:c.string(),codeChallengeMethod:Cn}),Lo=Ud.extend({id:_t,currentRefreshTokenHash:c.string().optional(),previousRefreshTokenHash:c.string().optional(),revokedAt:V.optional(),revokedReason:c.string().optional()}),In=Ud.extend({tokenHash:c.string(),grantId:_t,revokedAt:V.optional()});function zd(){return je.parse(crypto.randomUUID())}o(zd,"createDownstreamAuthorizationTransactionId");function Nd(){return Di.parse(crypto.randomUUID())}o(Nd,"createDownstreamBrowserLoginStateId");function Dd(){return _t.parse(crypto.randomUUID())}o(Dd,"createDownstreamGrantId");var ce="mcp:tools";function qi(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return Le(r)&&Le(n)&&ct(r.hostname)===ct(n.hostname)&&r.pathname===n.pathname&&r.search===n.search}o(qi,"redirectUriMatchesRegistration");function yg(e){return Le(e)&&e.pathname==="/oauth/dev-login"}o(yg,"isLoopbackDevLoginUrl");function Mi(e,t){return new URL(e,gt(t)).toString()}o(Mi,"buildGatewayOAuthUrl");function Md(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,re(e.requestUrl)).toString()}o(Md,"buildScopedAuthorizationServerIssuer");function AP(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,re(e.requestUrl)).toString()}o(AP,"buildScopedAuthorizationEndpoint");function qd(e){let t=ve();return{issuer:gt(e),authorization_endpoint:Mi("/oauth/authorize",e),token_endpoint:Mi("/oauth/token",e),registration_endpoint:Mi("/oauth/register",e),revocation_endpoint:Mi("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[ce],code_challenge_methods_supported:[xd],token_endpoint_auth_methods_supported:Ni,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":hg(t)}}o(qd,"buildAuthorizationServerMetadata");function Sg(e){let t=Md(e);return{...qd(e.requestUrl),issuer:t,authorization_endpoint:AP(e)}}o(Sg,"buildScopedAuthorizationServerMetadata");async function wg(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return Response.json(kP(n.virtualServerId,e.url))}catch(r){let n=de(r);return Ze(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(wg,"protectedResourceMetadataHandler");function kP(e,t){return{resource:Nr(e,t),resource_name:e,authorization_servers:[Md({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[ce],mcp_protocol_version:Or}}o(kP,"buildProtectedResourceMetadataResponseBody");function Nr(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,re(t)).toString()}o(Nr,"buildCanonicalMcpResourceForVirtualServer");function vg(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,re(t)).toString()}o(vg,"buildProtectedResourceMetadataUrlForVirtualServer");import{base64url as $d}from"jose";var PP="sha256:",EP=32;function Rg(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Rg,"copyToArrayBuffer");function xP(e,t){if(e.length!==t.length)return!1;let r=0;for(let n=0;n<e.length;n++)r|=e.charCodeAt(n)^t.charCodeAt(n);return r===0}o(xP,"constantTimeEqual");function Ke(){let e=crypto.getRandomValues(new Uint8Array(EP));return $d.encode(e)}o(Ke,"createOpaqueToken");async function F(e){let t=await crypto.subtle.digest("SHA-256",Rg(new TextEncoder().encode(e)));return`${PP}${$d.encode(new Uint8Array(t))}`}o(F,"hashOpaqueValue");async function bg(e){let t=await F(e.value);return xP(t,e.expectedHash)}o(bg,"verifyOpaqueValue");async function Ld(e){let t=await crypto.subtle.digest("SHA-256",Rg(new TextEncoder().encode(e)));return $d.encode(new Uint8Array(t))}o(Ld,"calculatePkceS256Challenge");Y();var OP=c.record(c.string(),c.unknown()),Cg=c.string().min(1),UP=c.union([Cg.transform(e=>[e]),c.array(Cg)]),ue=c.string().min(1).brand(),X=c.string().min(1).brand(),zP=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],NP=["https://zuplo.com/roles","roles","role","permissions","groups"],DP=ue.parse("zuplo-poc"),Ig=new Ut("gateway-principal");function MP(e){let t=OP.safeParse(e);return t.success?t.data:{}}o(MP,"toClaimRecord");function qP(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(qP,"readValidationFailureDetail");function $P(e,t,r){for(let i of zP){let s=X.safeParse(t[i]);if(s.success)return s.data}let n=X.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",qP(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===gt(r)?n.data:X.parse(`${a}|${n.data}`)}o($P,"readNormalizedSubjectId");function LP(e){let t=new Set;for(let r of NP){let n=UP.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(LP,"readRoles");function Tn(e,t){let r=MP(e?.data),n={subjectId:$P(e,r,t),tenantId:DP},a=LP(r);return a&&(n.roles=a),n}o(Tn,"parseGatewayPrincipal");function Tg(e){let t=Hd(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(Tg,"requireGatewayPrincipal");function Ag(e,t){Ig.set(e,t)}o(Ag,"setGatewayPrincipal");function Hd(e){return Ig.get(e)}o(Hd,"readGatewayPrincipal");function An(e){let r=['realm="OAuth"',`resource_metadata="${jd(vg(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${jd(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${jd(e.scope)}"`),`Bearer ${r.join(", ")}`}o(An,"buildGatewayBearerChallenge");function jd(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(jd,"sanitizeQuotedHeaderParameter");Y();var Gd=c.string().trim().min(1),jP=c.object({TOKEN_ENCRYPTION_KEY:Gd,OAUTH_STATE_SIGNING_KEY:Gd,TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING:Gd.optional()}),HP=["TOKEN_ENCRYPTION_KEY","OAUTH_STATE_SIGNING_KEY","TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING"];function GP(e){let t=Ns[e];return typeof t=="string"?t:void 0}o(GP,"readEnvValue");function BP(){let e={};for(let t of HP){let r=GP(t);r!==void 0&&(e[t]=r)}return e}o(BP,"readRawEnv");var Bd;function VP(e){return e.issues.map(t=>`- ${t.path.length>0?t.path.map(String).join("."):"environment"}: ${t.message}`)}o(VP,"formatZodIssues");function FP(e){return new Ot(["Invalid MCP gateway environment configuration.","Validation failed for these environment variables:",...VP(e)].join(`
-`),{cause:e})}o(FP,"createEnvValidationError");function ZP(e){let t=jP.safeParse(e);if(!t.success)throw FP(t.error);return t.data}o(ZP,"parseGatewayEnv");function KP(){return Bd||(Bd=ZP(BP())),Bd}o(KP,"readEnv");function $i(){return KP()}o($i,"getEnv");Y();Y();function WP(e){if(e instanceof Date)return e;let t=new Date(e);if(Number.isNaN(t.getTime()))throw new Error("Expected a valid timestamp",{cause:new Error(`received: ${String(e)}`)});return t}o(WP,"parseDate");function pr(e,t){if(typeof e!="string")return e;try{return JSON.parse(e)}catch(r){throw new Error(`Persisted ${t} must be valid JSON`,{cause:r})}}o(pr,"parseJsonValue");function Vd(e,t){return c.array(c.string()).parse(pr(e,t))}o(Vd,"parseStringArray");var ie=c.union([c.date(),c.string()]).transform(e=>WP(e));var JP=c.object({current_state_hash:c.string(),phase:Od,consumed_at:ie.nullable(),expires_at:ie}),YP=c.object({id:_t,revoked_at:ie.nullable().optional(),expires_at:ie,matched:c.enum(["current","previous"])}),XP=c.object({id:_t,matched:c.literal("current")}),QP=c.object({client_id:le,client_name:c.string(),redirect_uris:c.unknown(),token_endpoint_auth_method:qo,hashed_client_secret:c.string().nullable(),client_secret_expires_at:ie.nullable(),client_expires_at:ie,revoked_at:ie.nullable(),created_at:ie}).transform(e=>{let t={clientId:e.client_id,clientName:e.client_name,redirectUris:Vd(e.redirect_uris,"redirect_uris"),tokenEndpointAuthMethod:e.token_endpoint_auth_method,createdAt:O(e.created_at),clientExpiresAt:O(e.client_expires_at)};return e.hashed_client_secret&&(t.hashedClientSecret=e.hashed_client_secret),e.client_secret_expires_at&&(t.clientSecretExpiresAt=O(e.client_secret_expires_at)),e.revoked_at&&(t.revokedAt=O(e.revoked_at)),$o.parse(t)}),Fd=c.object({id:je,current_state_hash:c.string(),phase:Od,principal_subject_id:X.nullable(),principal_tenant_id:ue.nullable(),principal_roles:c.unknown().nullable(),client_id:le,redirect_uri:c.string(),resource:c.string(),virtual_server_id:me,client_state:c.string().nullable(),scope:c.string(),code_challenge:c.string(),code_challenge_method:Cn,created_at:ie,expires_at:ie,consumed_at:ie.nullable()}).transform(e=>{let t={id:e.id,currentStateHash:e.current_state_hash,clientId:e.client_id,redirectUri:e.redirect_uri,resource:e.resource,virtualServerId:e.virtual_server_id,scope:e.scope,codeChallenge:e.code_challenge,codeChallengeMethod:e.code_challenge_method,createdAt:O(e.created_at),expiresAt:O(e.expires_at)};if(e.client_state&&(t.clientState=e.client_state),e.consumed_at&&(t.consumedAt=O(e.consumed_at)),e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal_subject_id||!e.principal_tenant_id)throw new Error("Awaiting-setup pending authorization row is missing principal.");return{...t,phase:"awaiting_setup",principal:{subjectId:e.principal_subject_id,tenantId:e.principal_tenant_id,...e.principal_roles===null?{}:{roles:c.array(c.string()).parse(pr(e.principal_roles,"principal_roles"))}}}}),eE=c.object({id:je});function Pg(e){return{clientId:e.client_id,resource:e.resource,virtualServerId:e.virtual_server_id,tenantId:e.tenant_id,subjectId:e.subject_id,scope:e.scope,roles:Vd(e.roles,"roles"),createdAt:O(e.created_at),expiresAt:O(e.expires_at)}}o(Pg,"downstreamGrantAccessFields");var kg=c.object({id:_t,client_id:le,resource:c.string(),virtual_server_id:me,tenant_id:ue,subject_id:X,scope:c.string(),roles:c.unknown(),current_refresh_token_hash:c.string().nullable(),previous_refresh_token_hash:c.string().nullable(),created_at:ie,expires_at:ie,revoked_at:ie.nullable(),revoked_reason:c.string().nullable()}).transform(e=>{let t={id:e.id,...Pg(e)};return e.current_refresh_token_hash&&(t.currentRefreshTokenHash=e.current_refresh_token_hash),e.previous_refresh_token_hash&&(t.previousRefreshTokenHash=e.previous_refresh_token_hash),e.revoked_at&&(t.revokedAt=O(e.revoked_at)),e.revoked_reason&&(t.revokedReason=e.revoked_reason),Lo.parse(t)}),tE=c.object({token_hash:c.string(),grant_id:_t,client_id:le,resource:c.string(),virtual_server_id:me,tenant_id:ue,subject_id:X,scope:c.string(),roles:c.unknown(),created_at:ie,expires_at:ie,revoked_at:ie.nullable()}).transform(e=>{let t={tokenHash:e.token_hash,grantId:e.grant_id,...Pg(e)};return e.revoked_at&&(t.revokedAt=O(e.revoked_at)),In.parse(t)});function Eg(e){return[e.clientId,e.redirectUri,e.resource,e.virtualServerId,e.tenantId,e.subjectId,e.scope,JSON.stringify(e.roles),e.codeChallenge,e.codeChallengeMethod,new Date(e.createdAt),new Date(e.expiresAt)]}o(Eg,"authorizationTransactionValues");function rE(e,t){let r=_g.parse(t);return e.query(`INSERT INTO downstream_oauth_authorization_transactions (
-       id, client_id, redirect_uri, resource, virtual_server_id, tenant_id,
+`,t.enqueue(r.encode(i)),!0}catch(i){return this.onerror?.(i),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let i={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},s;if(r?.parsedBody!==void 0)s=r.parsedBody;else try{s=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let u;try{Array.isArray(s)?u=s.map(v=>Mr.parse(v)):u=[Mr.parse(s)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=u.some(Ic);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(u.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let R=this.validateProtocolVersion(t);if(R)return R}if(!u.some(xt)){for(let v of u)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i});return new Response(null,{status:202})}let l=crypto.randomUUID(),m=u.find(v=>Ic(v)),f=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??gm;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(l,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(l)},"cleanup")});for(let R of u)xt(R)&&this._requestToStreamMapping.set(R.id,l);for(let R of u)this.onmessage?.(R,{authInfo:r?.authInfo,requestInfo:i})});let _=new TextEncoder,w,y=new ReadableStream({start:o(v=>{w=v},"start"),cancel:o(()=>{this._streamMapping.delete(l)},"cancel")}),S={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(S["mcp-session-id"]=this.sessionId);for(let v of u)xt(v)&&(this._streamMapping.set(l,{controller:w,encoder:_,cleanup:o(()=>{this._streamMapping.delete(l);try{w.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,l));await this.writePrimingEvent(w,_,l,f);for(let v of u){let R,b;xt(v)&&this._eventStore&&f>="2025-11-25"&&(R=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),b=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i,closeSSEStream:R,closeStandaloneSSEStream:b})}return new Response(y,{status:200,headers:S})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!hr.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${hr.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${hr.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((St(t)||yn(t))&&(n=t.id),n===void 0){if(St(t)||yn(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let s;this._eventStore&&(s=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let u=this._streamMapping.get(this._standaloneSseStreamId);if(u===void 0)return;u.controller&&u.encoder&&this.writeSSEEvent(u.controller,u.encoder,t,s);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let i=this._streamMapping.get(a);if(!this._enableJsonResponse&&i?.controller&&i?.encoder){let s;this._eventStore&&(s=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(i.controller,i.encoder,t,s)}if(St(t)||yn(t)){this._requestResponseMap.set(n,t);let s=Array.from(this._requestToStreamMapping.entries()).filter(([d,p])=>p===a).map(([d])=>d);if(s.every(d=>this._requestResponseMap.has(d))){if(!i)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&i.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let p=s.map(l=>this._requestResponseMap.get(l));p.length===1?i.resolveJson(new Response(JSON.stringify(p[0]),{status:200,headers:d})):i.resolveJson(new Response(JSON.stringify(p),{status:200,headers:d}))}else i.cleanup();for(let d of s)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function Vd(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(Vd,"truncate");function Sg(e){return"cause"in e?e.cause:void 0}o(Sg,"readCause");function ze(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=Vd(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=Vd(r.message);let n=Sg(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let i=a===1?"cause":`cause${a}`;e[`${i}Name`]=n.name,e[`${i}Message`]=Vd(n.message),n=Sg(n)}}o(ze,"addErrorLogFields");function gt(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(gt,"safeHost");function vg(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(vg,"setLogProperties");function Kd(e,t){vg(e,{subjectId:t.subjectId})}o(Kd,"applyGatewayPrincipalLogProperties");function Rg(e,t){vg(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(Rg,"applyGatewayRouteLogProperties");var qn={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},bg={...qn.runtime,...qn.config,...qn.downstream_auth,...qn.downstream_oauth,...qn.upstream_auth,...qn.upstream_mcp};function na(e){return typeof e=="string"&&Object.hasOwn(bg,e)}o(na,"isGatewayProblemCode");function Yi(e){return na(e)&&rt(e).callbackFailure===!0}o(Yi,"isGatewayCallbackFailureCode");function rt(e){return bg[e]}o(rt,"readGatewayProblemDefinition");function Zd(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";default:return"internal_server_error"}}o(Zd,"readDefaultGatewayProblemCodeForStatus");var Cg="gatewayCode";function Ig(e){let t=rt(e);return{title:t.title,body:t.publicDetail}}o(Ig,"readGatewayCallbackFailureContent");function _e(e){if(!(e instanceof Za))return;let t=e.extensionMembers?.[Cg];return na(t)?t:void 0}o(_e,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=rt(n.code),i=n.privateDetail??(Xi(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),s=iE(n);return new Za({message:i,extensionMembers:{[Cg]:n.code}},s===void 0?void 0:{cause:s})}o(g,"createGatewayRuntimeError");async function _t(e,t,r){let n=rt(r.code),a=sE(r.code,r.detail),i=Xi(r.code)?r.title??n.title:n.title,u={problem:{...fo.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:i,detail:a,code:r.code}};return r.headers!==void 0&&(u.additionalHeaders=r.headers),fo.format(u,e,t)}o(_t,"gatewayProblemResponse");function Xi(e){return rt(e).status<500}o(Xi,"canExposeGatewayProblemDetail");function iE(e){return!e.privateDetail||Xi(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(iE,"readRuntimeErrorCause");function sE(e,t){let r=rt(e);return Xi(e)&&t||r.publicDetail}o(sE,"readSafeGatewayProblemDetail");ae();var cE=["shared-oauth","user_oauth","static_secret","user-secret","shared-secret"],uE=["none","client_secret_basic","client_secret_post"],$e=c.string().min(1).brand(),Se=c.string().min(1).brand(),De=c.string().min(1).brand(),Dt=c.string().min(1).brand(),Qi=c.enum(cE),Wd=c.enum(uE),es=c.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),Jd=c.object({name:es,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict();var Yd=new Map;function ts(e){Yd.set(e.policyType,e)}o(ts,"registerMcpAuthorizationPolicy");function Xd(e){if(e!==void 0)return Yd.get(e)}o(Xd,"getMcpAuthorizationPolicy");function rs(e){return Xd(e)!==void 0}o(rs,"isRegisteredMcpAuthorizationPolicyType");function Qd(){return[...Yd.keys()]}o(Qd,"listMcpAuthorizationPolicyTypes");ae();var kg=$e,dE=c.object({mode:c.literal("auto")}).strict(),lE=c.object({mode:c.literal("manual"),clientId:c.string().trim().min(1),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:Wd.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:c.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),Eg=c.discriminatedUnion("mode",[dE,lE]),pE=Eg.default({mode:"auto"}),el=c.object({scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:pE}).strict(),Tg=el.extend({redirectPath:c.string().startsWith("/auth/connections/")}).strict(),xg=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),mE=new Set([...xg,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),hE=c.object({kind:c.literal("bearer_token"),token:c.string().min(1)}).strict(),fE=c.object({kind:c.literal("headers"),headers:c.array(c.object({name:es,value:c.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let i=a.name.toLowerCase();xg.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(i)}}),tl=c.discriminatedUnion("kind",[hE,fE]),gE=c.object({kind:c.literal("basic_auth_app_password"),usernameLabel:c.string().min(1).default("Username"),passwordLabel:c.string().min(1).default("App password")}).strict(),_E=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key"),capture:c.enum(["browser_login"]).optional()}).strict(),rl=c.discriminatedUnion("kind",[gE,_E]),nl=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key")}).strict(),yE=c.discriminatedUnion("mode",[c.object({mode:c.literal("shared-oauth"),oauth:Tg}).strict(),c.object({mode:c.literal("user_oauth"),oauth:Tg}).strict(),c.object({mode:c.literal("static_secret"),secret:tl}).strict(),c.object({mode:c.literal("user-secret"),secret:rl}).strict(),c.object({mode:c.literal("shared-secret"),secret:nl}).strict()]),wE=c.object({baseUrl:c.url(),resourceMetadataUrl:c.url(),requestHeaders:c.array(Jd).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let i=a.name.toLowerCase();mE.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(i)}}),I2=c.object({displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:wn.optional(),authProfiles:c.record(De,yE),transport:wE}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),SE=c.object({"shared-oauth":el.optional(),user_oauth:el.optional(),static_secret:c.object({secret:tl}).strict().optional(),"user-secret":c.object({secret:rl}).strict().optional(),"shared-secret":c.object({secret:nl}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),Ag=c.object({id:kg,displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:wn.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url(),requestHeaders:c.array(Jd).default([]),authProfiles:SE}).strict(),vE=c.object({name:es,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict(),ns={id:kg.optional(),displayName:c.string().min(1),summary:c.string().min(1).optional(),serverInfo:wn.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url().optional(),requestHeaders:c.array(vE).default([])},RE=c.discriminatedUnion("authMode",[c.object({...ns,authMode:c.enum(["shared-oauth","user_oauth"]),scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:Eg.optional(),clientId:c.string().trim().min(1).optional(),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:Wd.optional()}).strict(),c.object({...ns,authMode:c.literal("static_secret"),secret:tl}).strict(),c.object({...ns,authMode:c.literal("user-secret"),secret:rl}).strict(),c.object({...ns,authMode:c.literal("shared-secret"),secret:nl}).strict()]);function Pg(e){throw g("internal_server_error",e)}o(Pg,"throwGatewayConfigError");function bE(e){let t="mcp-upstream-";return e.startsWith(t)||Pg(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),$e.parse(e.slice(t.length))}o(bE,"inferUpstreamConnectionIdFromPolicyName");function CE(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(CE,"buildDefaultProtectedResourceMetadataUrl");function Ln(e,t){return De.parse(`${e}:${t}`)}o(Ln,"buildUpstreamAuthProfileId");function os(e,t){let r=Ag.safeParse(e);if(r.success)return r.data;let n=RE.parse(e),a=n.id??(t===void 0?void 0:bE(t));a===void 0&&Pg("Upstream policy options must include id when policy name is unavailable.");let i=n.requestHeaders.map(u=>({name:u.name,value:u.value,required:u.required})),s=(()=>{switch(n.authMode){case"shared-oauth":case"user_oauth":{let u=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:u}}}case"static_secret":case"user-secret":case"shared-secret":return{[n.authMode]:{secret:n.secret}}}})();return Ag.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??CE(n.mcpUrl),requestHeaders:i,authProfiles:s})}o(os,"parseUpstreamConnectionPolicyOptions");function Og(e){return e.mode==="shared-oauth"||e.mode==="user_oauth"}o(Og,"isUpstreamOAuthAuthConfig");ae();var IE=c.looseObject({name:c.string().min(1),version:c.string().min(1).optional()}),TE=c.looseObject({}),AE=c.looseObject({name:Dt,namespace:Dt.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional(),inputSchema:TE}),kE=c.looseObject({name:Dt,namespace:Dt.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional()}),EE=c.looseObject({name:Dt,uri:c.string().min(1),upstreamPolicy:c.string().min(1).optional(),upstreamUri:c.string().min(1).optional(),enabled:c.boolean().optional()}),xE=c.enum(["openapi","upstream_mcp"]),PE=c.object({catalogSource:xE.default("openapi"),serverInfo:IE.optional(),tools:c.array(AE).default([]),prompts:c.array(kE).default([]),resources:c.array(EE).default([])}).strict();function Ug(e){return PE.parse(e??{})}o(Ug,"parseVirtualServerRouteOptions");function as(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(as,"toMcpTool");function is(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(is,"toMcpPrompt");function ss(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(ss,"toMcpResource");var OE="mcp-upstream-connection-inbound",Ng="/mcp/";function Fe(e){throw new Ft(e)}o(Fe,"throwRegistryError");function zg(e){return e.policyType===OE}o(zg,"isUpstreamConnectionPolicy");function UE(e){return rs(e.policyType)}o(UE,"isMcpOAuthInboundPolicy");function NE(e){e.startsWith(Ng)||Fe(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(Ng.length);return(!t||t.includes("/"))&&Fe(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),Se.parse(t)}o(NE,"readVirtualServerIdFromPath");function zE(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&Fe(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&Fe(`Upstream policy ${e.policyName} does not declare an auth mode.`),Qi.parse(r)}o(zE,"readSingleAuthMode");function $E(e){let t=e.connection.authProfiles[e.authMode];t||Fe(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"shared-oauth":case"user_oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static_secret":return{mode:"static_secret",secret:t.secret};case"user-secret":return{mode:"user-secret",secret:t.secret};case"shared-secret":return{mode:"shared-secret",secret:t.secret}}}o($E,"buildResolvedAuthConfig");function DE(e){let t=zE({policyName:e.policyName,connection:e.connection}),r=Ln(e.connection.id,t),n=$E({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(DE,"buildRegisteredConnection");function ME(e){let t=new Map;for(let r of e)t.has(r.name)&&Fe(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(ME,"buildPolicyMap");function qE(e){let t=new Map,r=new Set;for(let n of e.values()){if(!zg(n))continue;let a=os(n.handler.options,n.name);r.has(a.id)&&Fe(`Duplicate upstream MCP connection id ${a.id} in policies.json.`),r.add(a.id);let i=DE({policyName:n.name,connection:a});t.set(n.name,i)}return t}o(qE,"buildConnectionsByPolicyName");function LE(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(LE,"readOperationId");function $g(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return Dt.parse(t)}catch{Fe(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o($g,"buildPublishedCapabilityName");function al(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||Fe(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;Fe(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o(al,"readCapabilityUpstreamPolicy");function ol(e){e.seen.has(e.key)&&Fe(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(ol,"assertUniqueCatalogKey");function jE(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=$g({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:al({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(jE,"normalizeCatalogTool");function HE(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=$g({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:al({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(HE,"normalizeCatalogPrompt");function GE(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:al({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(GE,"normalizeCatalogResource");function BE(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>jE({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>HE({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>GE({resource:d,connections:e.connections,routePath:e.routePath})),i=new Set;for(let d of r)ol({kind:"tool",key:d.name,routePath:e.routePath,seen:i});let s=new Set;for(let d of n)ol({kind:"prompt",key:d.name,routePath:e.routePath,seen:s});let u=new Set;for(let d of a)ol({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:u});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(BE,"normalizeVirtualServerCatalog");function FE(e){let t=new Map,r=new Set;for(let n of e.routes){let a=n.policies?.inbound??[];if(a.length===0)continue;let i=a[0],s=i===void 0?void 0:e.policyByName.get(i);if(!s||!UE(s))continue;let u=LE(n);u||Fe(`MCP virtual server route ${n.path} must declare an operationId in routes.oas.json.`),r.has(u)&&Fe(`Duplicate MCP virtual server operationId ${u} across routes.`),r.add(u);let d=NE(n.path);t.has(d)&&Fe(`Duplicate MCP virtual server id ${d} across routes.`);let p=[];for(let f of a.slice(1)){let _=e.policyByName.get(f);if(!_||!zg(_))continue;let w=e.connectionsByPolicyName.get(f);w||Fe(`Upstream connection policy ${f} referenced by route ${n.path} could not be resolved.`),p.push(w)}let l=Ug(n.handler.options),m=BE({catalog:l,connections:p,routePath:n.path});m.catalogSource==="upstream_mcp"&&p.length!==1&&Fe(`MCP virtual server route ${n.path} uses upstream MCP catalog mode but declares ${p.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(d,{virtualServerId:d,operationId:u,routePath:n.path,handlerExport:n.handler.export,serverInfo:m.serverInfo,catalog:m,connections:p})}return t}o(FE,"buildVirtualServers");function Dg(e){let t=ME(e.policies),r=qE(t),n=FE({routes:e.routes,policyByName:t,connectionsByPolicyName:r}),a=new Map;for(let i of r.values())a.set(i.upstreamServerId,i);return{byVirtualServerId:n,connectionsById:a}}o(Dg,"buildGatewayConnectionRegistry");var cs;function Mg(e){cs=e}o(Mg,"setGatewayConnectionRegistry");function yt(){if(!cs)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return cs}o(yt,"getGatewayConnectionRegistry");function qg(e){let t=yt().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return t}o(qg,"getRegisteredVirtualServer");function oa(e){let t=yt().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(oa,"requireRegisteredVirtualServer");function Lg(){return cs}o(Lg,"tryGetGatewayConnectionRegistry");var jg=new Vt("gateway-route");function Hg(e,t){jg.set(e,t)}o(Hg,"setGatewayRouteContext");function aa(e){return jg.get(e)}o(aa,"readGatewayRouteContext");function jn(e){let t=aa(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(jn,"requireGatewayRouteContext");var Jr="2025-06-18";var VE=new Set(["localhost","::1"]);function wt(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(wt,"normalizeHostname");function Ve(e){let t=wt(e.hostname);return e.protocol==="http:"&&(VE.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(Ve,"isLoopbackHttpUrl");function de(e){return new URL(e).origin}o(de,"readGatewayRequestOrigin");import{metrics as KE,context as us,propagation as Bg,SpanKind as Fg,SpanStatusCode as il,trace as ia}from"@opentelemetry/api";var ZE="mcp-gateway",WE="mcp-gateway",JE=Jr,YE="2.0",Vg=ia.getTracer(ZE),sl=KE.getMeter(WE),XE=sl.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),QE=sl.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),ex=sl.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),tx=["traceparent","tracestate","baggage"];function cl(){return performance.now()/1e3}o(cl,"nowSeconds");function Kg(e,t){t(Math.max(cl()-e,0))}o(Kg,"recordDurationSeconds");function Gg(e){return e===void 0?void 0:String(e)}o(Gg,"stringifyAttribute");function Me(e,t,r){r!==void 0&&(e[t]=r)}o(Me,"assignAttribute");function rx(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(rx,"readTargetName");function Zg(e){let t=rx({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(Zg,"buildMcpOperationSpanName");function ul(e){let t={"mcp.method.name":e.methodName};return Me(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??YE),Me(t,"jsonrpc.request.id",Gg(e.jsonRpcRequestId)),Me(t,"mcp.protocol.version",e.mcpProtocolVersion??JE),Me(t,"mcp.session.id",e.mcpSessionId),Me(t,"mcp.resource.uri",e.resourceUri),Me(t,"rpc.response.status_code",Gg(e.rpcResponseStatusCode)),Me(t,"error.type",e.errorType),e.capabilityType==="tool"&&(Me(t,"gen_ai.operation.name","execute_tool"),Me(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&Me(t,"gen_ai.prompt.name",e.capabilityName),Me(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),Me(t,"network.protocol.version",e.networkProtocolVersion),Me(t,"network.transport",e.networkTransport),Me(t,"server.address",e.serverAddress),Me(t,"server.port",e.serverPort),Me(t,"client.address",e.clientAddress),Me(t,"client.port",e.clientPort),t}o(ul,"buildMcpOperationAttributes");function nx(e){let t=ul({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(nx,"buildMcpSessionAttributes");function Wg(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:il.ERROR}),t instanceof Error&&e.recordException(t)}o(Wg,"setSpanError");function Jg(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(Jg,"readErrorType");function ox(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?us.active():Bg.extract(us.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(ox,"readServerParentContext");function ax(e){let t=ia.getSpanContext(us.active()),r=ia.getSpanContext(e);if(!(!t||!ia.isSpanContextValid(t))&&!(r&&ia.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(ax,"readAmbientSpanLink");function Yg(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(Yg,"readResultErrorType");async function Yr(e,t){let r=cl(),n=ul({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return Vg.startActiveSpan(Zg(e),{kind:Fg.CLIENT,attributes:n},async a=>{try{let i=await t(),s=Yg(i);return s&&(a.setAttribute("error.type",s),a.setStatus({code:il.ERROR}),n["error.type"]=s),i}catch(i){let s=e.errorType??Jg(i);throw n["error.type"]=s,Wg(a,i,s),i}finally{Kg(r,i=>{XE.record(i,n)}),a.end()}})}o(Yr,"runMcpClientOperation");async function Xr(e,t){let r=cl(),n=ox(e.params),a=ul({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),i=ax(n);return Vg.startActiveSpan(Zg(e),{kind:Fg.SERVER,attributes:a,...i?{links:i}:{}},n,async s=>{try{let u=await t(),d=Yg(u);return d&&(s.setAttribute("error.type",d),s.setStatus({code:il.ERROR}),a["error.type"]=d),u}catch(u){let d=e.errorType??Jg(u);throw a["error.type"]=d,Wg(s,u,d),u}finally{Kg(r,u=>{QE.record(u,a)}),s.end()}})}o(Xr,"runMcpServerOperation");function Xg(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return Bg.inject(us.active(),t._meta,{set(r,n,a){tx.includes(n)&&(r[n]=a)}}),t}o(Xg,"injectMcpTraceContextIntoParams");function Qg(e,t){let r=nx({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});ex.record(Math.max(t,0),r)}o(Qg,"recordMcpClientSessionDuration");var dl=new Vt("route-upstream-bindings");function ix(e){let t=dl.get(e);if(t)return t;let r={bindings:[]};return dl.set(e,r),r}o(ix,"readOrCreateRouteUpstreamBindingRegistry");function e_(e){return`${e.upstreamServerId}:${e.authProfileId}`}o(e_,"buildRouteBindingDuplicateKey");function ll(e,t){let r=ix(e),n=e_(t);if(r.bindings.find(i=>e_(i)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.bindings.push(t)}o(ll,"appendResolvedUpstreamBindingContext");function t_(e){return dl.get(e)?.bindings??[]}o(t_,"readResolvedUpstreamBindingContexts");ae();var Q=c.string().datetime({offset:!0}).brand();function z(e){return Q.parse(e.toISOString())}o(z,"toIsoTimestamp");function Tt(e,t){return new Date(e.getTime()+t*1e3)}o(Tt,"addSeconds");ae();var sa=c.string().trim().min(1),ca={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},sx=c.object({issuer:c.url(),jwksUrl:c.url(),audience:sa}),cx=c.object({url:c.url(),tokenUrl:c.url().optional(),clientId:sa.optional(),clientSecret:sa.optional(),scope:sa.default("openid profile email"),audience:sa.optional(),remoteTimeoutMs:c.coerce.number().int().positive().default(1e4),stateTtlSeconds:c.coerce.number().int().positive().default(900),sessionTtlSeconds:c.coerce.number().int().positive().default(28800)}).strict(),ux=c.object({accessTokenTtlSeconds:c.coerce.number().int().positive().default(ca.accessTokenTtlSeconds),refreshTokenTtlSeconds:c.coerce.number().int().positive().default(ca.refreshTokenTtlSeconds),cimdEnabled:c.boolean().default(ca.cimdEnabled)}).strict().default(ca),dx=c.object({oidc:sx,browserLogin:cx,gateway:ux.optional().default(ca)}).strict();function r_(e){return lx(e.browserLogin.url)?"local_dev":"federated_oidc"}o(r_,"readBrowserLoginKind");function lx(e){let t;try{t=new URL(e)}catch{return!1}return Ve(t)&&t.pathname==="/oauth/dev-login"}o(lx,"isLoopbackDevLoginUrl");function ds(e){return dx.parse(e)}o(ds,"parseMcpOAuthRuntimeConfig");var pl;function n_(e){pl=e}o(n_,"setGatewayOAuthConfig");function Ee(){if(!pl)throw g("internal_server_error","MCP gateway OAuth config has not been initialized. An `mcp-oauth-inbound` policy (or a provider-specific wrapper such as `mcp-auth0-oauth-inbound`) must be registered in policies.json so the gateway can derive its OAuth runtime configuration from policy options.");return pl}o(Ee,"getGatewayOAuthConfig");function At(e){return de(e)}o(At,"readGatewayOAuthIssuer");ae();var px=43,mx=128,hx=/^[A-Za-z0-9._~-]+$/,ml="S256",Hn=c.literal(ml),ls=c.string().min(px).max(mx).regex(hx);ae();var ps=["none","client_secret_post","client_secret_basic"],fx=[...ps,"private_key_jwt"],gx=["awaiting_login","awaiting_setup"],_x=c.string().min(1).brand(),ye=c.string().min(1).brand(),kt=c.uuid().brand(),Je=c.uuid().brand(),ms=c.uuid().brand(),ua=c.enum(ps),yx=c.enum(fx),hl=c.enum(gx),o_=c.object({client_id:ye,client_name:c.string().min(1),redirect_uris:c.array(c.string().min(1)).min(1),token_endpoint_auth_method:yx.default("none")}),da=c.object({clientId:ye,clientName:c.string().min(1),redirectUris:c.array(c.string().min(1)),tokenEndpointAuthMethod:ua,hashedClientSecret:c.string().optional(),clientSecretExpiresAt:Q.optional(),clientExpiresAt:Q,revokedAt:Q.optional(),createdAt:Q}),fl=c.object({clientId:ye,resource:c.string(),virtualServerId:Se,subjectId:_x,scope:c.string(),roles:c.array(c.string()),createdAt:Q,expiresAt:Q}),a_=fl.extend({id:Je,redirectUri:c.string(),clientState:c.string().optional(),codeChallenge:c.string(),codeChallengeMethod:Hn}),la=fl.extend({id:kt,currentRefreshTokenHash:c.string().optional(),previousRefreshTokenHash:c.string().optional(),revokedAt:Q.optional(),revokedReason:c.string().optional()}),Gn=fl.extend({tokenHash:c.string(),grantId:kt,revokedAt:Q.optional()});function gl(){return Je.parse(crypto.randomUUID())}o(gl,"createDownstreamAuthorizationTransactionId");function _l(){return ms.parse(crypto.randomUUID())}o(_l,"createDownstreamBrowserLoginStateId");function yl(){return kt.parse(crypto.randomUUID())}o(yl,"createDownstreamGrantId");var ve="mcp:tools";function fs(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return Ve(r)&&Ve(n)&&wt(r.hostname)===wt(n.hostname)&&r.pathname===n.pathname&&r.search===n.search}o(fs,"redirectUriMatchesRegistration");function i_(e){return Ve(e)&&e.pathname==="/oauth/dev-login"}o(i_,"isLoopbackDevLoginUrl");function hs(e,t){return new URL(e,At(t)).toString()}o(hs,"buildGatewayOAuthUrl");function wl(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,de(e.requestUrl)).toString()}o(wl,"buildScopedAuthorizationServerIssuer");function wx(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,de(e.requestUrl)).toString()}o(wx,"buildScopedAuthorizationEndpoint");function Sl(e){let t=Ee();return{issuer:At(e),authorization_endpoint:hs("/oauth/authorize",e),token_endpoint:hs("/oauth/token",e),registration_endpoint:hs("/oauth/register",e),revocation_endpoint:hs("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[ve],code_challenge_methods_supported:[ml],token_endpoint_auth_methods_supported:ps,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":r_(t)}}o(Sl,"buildAuthorizationServerMetadata");function s_(e){let t=wl(e);return{...Sl(e.requestUrl),issuer:t,authorization_endpoint:wx(e)}}o(s_,"buildScopedAuthorizationServerMetadata");async function c_(e,t){try{let r=Se.parse(e.params.virtualServerId),n=oa(r);return Response.json(Sx(n.virtualServerId,e.url))}catch(r){let n=_e(r);return _t(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(c_,"protectedResourceMetadataHandler");function Sx(e,t){return{resource:Qr(e,t),resource_name:e,authorization_servers:[wl({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[ve],mcp_protocol_version:Jr}}o(Sx,"buildProtectedResourceMetadataResponseBody");function Qr(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,de(t)).toString()}o(Qr,"buildCanonicalMcpResourceForVirtualServer");function u_(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,de(t)).toString()}o(u_,"buildProtectedResourceMetadataUrlForVirtualServer");import{base64url as vl}from"jose";var vx="sha256:",Rx=32;function d_(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(d_,"copyToArrayBuffer");function bx(e,t){if(e.length!==t.length)return!1;let r=0;for(let n=0;n<e.length;n++)r|=e.charCodeAt(n)^t.charCodeAt(n);return r===0}o(bx,"constantTimeEqual");function nt(){let e=crypto.getRandomValues(new Uint8Array(Rx));return vl.encode(e)}o(nt,"createOpaqueToken");async function ee(e){let t=await crypto.subtle.digest("SHA-256",d_(new TextEncoder().encode(e)));return`${vx}${vl.encode(new Uint8Array(t))}`}o(ee,"hashOpaqueValue");async function l_(e){let t=await ee(e.value);return bx(t,e.expectedHash)}o(l_,"verifyOpaqueValue");async function Rl(e){let t=await crypto.subtle.digest("SHA-256",d_(new TextEncoder().encode(e)));return vl.encode(new Uint8Array(t))}o(Rl,"calculatePkceS256Challenge");ae();var Cx=c.record(c.string(),c.unknown()),p_=c.string().min(1),Ix=c.union([p_.transform(e=>[e]),c.array(p_)]),ie=c.string().min(1).brand(),Tx=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],Ax=["https://zuplo.com/roles","roles","role","permissions","groups"],m_=new Vt("gateway-principal");function kx(e){let t=Cx.safeParse(e);return t.success?t.data:{}}o(kx,"toClaimRecord");function Ex(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(Ex,"readValidationFailureDetail");function xx(e,t,r){for(let i of Tx){let s=ie.safeParse(t[i]);if(s.success)return s.data}let n=ie.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",Ex(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===At(r)?n.data:ie.parse(`${a}|${n.data}`)}o(xx,"readNormalizedSubjectId");function Px(e){let t=new Set;for(let r of Ax){let n=Ix.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(Px,"readRoles");function Bn(e,t){let r=kx(e?.data),n={subjectId:xx(e,r,t)},a=Px(r);return a&&(n.roles=a),n}o(Bn,"parseGatewayPrincipal");function h_(e){let t=Cl(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(h_,"requireGatewayPrincipal");function f_(e,t){m_.set(e,t)}o(f_,"setGatewayPrincipal");function Cl(e){return m_.get(e)}o(Cl,"readGatewayPrincipal");function gs(e){let r=['realm="OAuth"',`resource_metadata="${bl(u_(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${bl(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${bl(e.scope)}"`),`Bearer ${r.join(", ")}`}o(gs,"buildGatewayBearerChallenge");function bl(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(bl,"sanitizeQuotedHeaderParameter");ae();var Il=c.string().trim().min(1),Ox=c.object({TOKEN_ENCRYPTION_KEY:Il,OAUTH_STATE_SIGNING_KEY:Il,TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING:Il.optional()}),Ux=["TOKEN_ENCRYPTION_KEY","OAUTH_STATE_SIGNING_KEY","TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING"];function Nx(e){let t=go[e];return typeof t=="string"?t:void 0}o(Nx,"readEnvValue");function zx(){let e={};for(let t of Ux){let r=Nx(t);r!==void 0&&(e[t]=r)}return e}o(zx,"readRawEnv");var Tl;function $x(e){return e.issues.map(t=>`- ${t.path.length>0?t.path.map(String).join("."):"environment"}: ${t.message}`)}o($x,"formatZodIssues");function Dx(e){return new Ft(["Invalid MCP gateway environment configuration.","Validation failed for these environment variables:",...$x(e)].join(`
+`),{cause:e})}o(Dx,"createEnvValidationError");function Mx(e){let t=Ox.safeParse(e);if(!t.success)throw Dx(t.error);return t.data}o(Mx,"parseGatewayEnv");function qx(){return Tl||(Tl=Mx(zx())),Tl}o(qx,"readEnv");function _s(){return qx()}o(_s,"getEnv");ae();ae();function Lx(e){if(e instanceof Date)return e;let t=new Date(e);if(Number.isNaN(t.getTime()))throw new Error("Expected a valid timestamp",{cause:new Error(`received: ${String(e)}`)});return t}o(Lx,"parseDate");function Ar(e,t){if(typeof e!="string")return e;try{return JSON.parse(e)}catch(r){throw new Error(`Persisted ${t} must be valid JSON`,{cause:r})}}o(Ar,"parseJsonValue");function Al(e,t){return c.array(c.string()).parse(Ar(e,t))}o(Al,"parseStringArray");var he=c.union([c.date(),c.string()]).transform(e=>Lx(e));var jx=c.object({current_state_hash:c.string(),phase:hl,consumed_at:he.nullable(),expires_at:he}),Hx=c.object({id:kt,revoked_at:he.nullable().optional(),expires_at:he,matched:c.enum(["current","previous"])}),Gx=c.object({id:kt,matched:c.literal("current")}),Bx=c.object({client_id:ye,client_name:c.string(),redirect_uris:c.unknown(),token_endpoint_auth_method:ua,hashed_client_secret:c.string().nullable(),client_secret_expires_at:he.nullable(),client_expires_at:he,revoked_at:he.nullable(),created_at:he}).transform(e=>{let t={clientId:e.client_id,clientName:e.client_name,redirectUris:Al(e.redirect_uris,"redirect_uris"),tokenEndpointAuthMethod:e.token_endpoint_auth_method,createdAt:z(e.created_at),clientExpiresAt:z(e.client_expires_at)};return e.hashed_client_secret&&(t.hashedClientSecret=e.hashed_client_secret),e.client_secret_expires_at&&(t.clientSecretExpiresAt=z(e.client_secret_expires_at)),e.revoked_at&&(t.revokedAt=z(e.revoked_at)),da.parse(t)}),kl=c.object({id:Je,current_state_hash:c.string(),phase:hl,principal_subject_id:ie.nullable(),principal_roles:c.unknown().nullable(),client_id:ye,redirect_uri:c.string(),resource:c.string(),virtual_server_id:Se,client_state:c.string().nullable(),scope:c.string(),code_challenge:c.string(),code_challenge_method:Hn,created_at:he,expires_at:he,consumed_at:he.nullable()}).transform(e=>{let t={id:e.id,currentStateHash:e.current_state_hash,clientId:e.client_id,redirectUri:e.redirect_uri,resource:e.resource,virtualServerId:e.virtual_server_id,scope:e.scope,codeChallenge:e.code_challenge,codeChallengeMethod:e.code_challenge_method,createdAt:z(e.created_at),expiresAt:z(e.expires_at)};if(e.client_state&&(t.clientState=e.client_state),e.consumed_at&&(t.consumedAt=z(e.consumed_at)),e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal_subject_id)throw new Error("Awaiting-setup pending authorization row is missing principal.");return{...t,phase:"awaiting_setup",principal:{subjectId:e.principal_subject_id,...e.principal_roles===null?{}:{roles:c.array(c.string()).parse(Ar(e.principal_roles,"principal_roles"))}}}}),Fx=c.object({id:Je});function __(e){return{clientId:e.client_id,resource:e.resource,virtualServerId:e.virtual_server_id,subjectId:e.subject_id,scope:e.scope,roles:Al(e.roles,"roles"),createdAt:z(e.created_at),expiresAt:z(e.expires_at)}}o(__,"downstreamGrantAccessFields");var g_=c.object({id:kt,client_id:ye,resource:c.string(),virtual_server_id:Se,subject_id:ie,scope:c.string(),roles:c.unknown(),current_refresh_token_hash:c.string().nullable(),previous_refresh_token_hash:c.string().nullable(),created_at:he,expires_at:he,revoked_at:he.nullable(),revoked_reason:c.string().nullable()}).transform(e=>{let t={id:e.id,...__(e)};return e.current_refresh_token_hash&&(t.currentRefreshTokenHash=e.current_refresh_token_hash),e.previous_refresh_token_hash&&(t.previousRefreshTokenHash=e.previous_refresh_token_hash),e.revoked_at&&(t.revokedAt=z(e.revoked_at)),e.revoked_reason&&(t.revokedReason=e.revoked_reason),la.parse(t)}),Vx=c.object({token_hash:c.string(),grant_id:kt,client_id:ye,resource:c.string(),virtual_server_id:Se,subject_id:ie,scope:c.string(),roles:c.unknown(),created_at:he,expires_at:he,revoked_at:he.nullable()}).transform(e=>{let t={tokenHash:e.token_hash,grantId:e.grant_id,...__(e)};return e.revoked_at&&(t.revokedAt=z(e.revoked_at)),Gn.parse(t)});function y_(e){return[e.clientId,e.redirectUri,e.resource,e.virtualServerId,e.subjectId,e.scope,JSON.stringify(e.roles),e.codeChallenge,e.codeChallengeMethod,new Date(e.createdAt),new Date(e.expiresAt)]}o(y_,"authorizationTransactionValues");function Kx(e,t){let r=a_.parse(t);return e.query(`INSERT INTO downstream_oauth_authorization_transactions (
+       id, client_id, redirect_uri, resource, virtual_server_id,
        subject_id, scope, roles, code_challenge, code_challenge_method,
        created_at, expires_at
-     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12, $13)`,[r.id,...Eg(r)])}o(rE,"insertAuthorizationTransaction");function nE(e,t){return e.query(`INSERT INTO downstream_oauth_authorization_codes (
+     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8::jsonb, $9, $10, $11, $12)`,[r.id,...y_(r)])}o(Kx,"insertAuthorizationTransaction");function Zx(e,t){return e.query(`INSERT INTO downstream_oauth_authorization_codes (
        code_hash, transaction_id, grant_id, client_id, redirect_uri, resource,
-       virtual_server_id, tenant_id, subject_id, scope, roles,
+       virtual_server_id, subject_id, scope, roles,
        code_challenge, code_challenge_method, created_at, expires_at
-     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11::jsonb, $12, $13, $14, $15)`,[t.codeHash,t.id,t.grantId,...Eg(t)])}o(nE,"insertAuthorizationCode");function oE(e,t){return e&&!e.revokedAt?new Date(e.expiresAt).getTime()<=t.getTime()?{kind:"expired"}:void 0:{kind:"revoked"}}o(oE,"accessTokenGrantValidationFailure");var Li=class{constructor(t){this.db=t}static{o(this,"PostgresDownstreamOAuthRepository")}async readPendingAuthorizationStatus(t){return c.array(JP).parse(await this.db.query(`SELECT current_state_hash, phase, consumed_at, expires_at
+     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10::jsonb, $11, $12, $13, $14)`,[t.codeHash,t.id,t.grantId,...y_(t)])}o(Zx,"insertAuthorizationCode");function Wx(e,t){return e&&!e.revokedAt?new Date(e.expiresAt).getTime()<=t.getTime()?{kind:"expired"}:void 0:{kind:"revoked"}}o(Wx,"accessTokenGrantValidationFailure");var ys=class{constructor(t){this.db=t}static{o(this,"PostgresDownstreamOAuthRepository")}async readPendingAuthorizationStatus(t){return c.array(jx).parse(await this.db.query(`SELECT current_state_hash, phase, consumed_at, expires_at
          FROM downstream_oauth_pending_authorization_transactions
          WHERE id = $1
-         LIMIT 1`,[t]))[0]}async readPendingAuthorizationAdvanceFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:r.phase!==t.expectedPhase?{kind:"wrong_phase",current:r.phase}:{kind:"stale_hash"}:{kind:"missing"}}async readPendingAuthorizationConsumeFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed_already"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"stale_hash"}:{kind:"missing"}}async getDcrClient(t){return c.array(QP).parse(await this.db.query(`SELECT
+         LIMIT 1`,[t]))[0]}async readPendingAuthorizationAdvanceFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:r.phase!==t.expectedPhase?{kind:"wrong_phase",current:r.phase}:{kind:"stale_hash"}:{kind:"missing"}}async readPendingAuthorizationConsumeFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed_already"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"stale_hash"}:{kind:"missing"}}async getDcrClient(t){return c.array(Bx).parse(await this.db.query(`SELECT
            client_id,
            client_name,
            redirect_uris,
@@ -76,37 +76,36 @@ data:
          client_expires_at,
          revoked_at,
          created_at
-       ) VALUES ($1, $2, $3::jsonb, $4, $5, $6, $7, $8, $9)`,[t.clientId,t.clientName,JSON.stringify(t.redirectUris),t.tokenEndpointAuthMethod,t.hashedClientSecret??null,t.clientSecretExpiresAt?new Date(t.clientSecretExpiresAt):null,new Date(t.clientExpiresAt),t.revokedAt?new Date(t.revokedAt):null,new Date(t.createdAt)])}async savePendingAuthorizationTransaction(t){return c.array(eE).parse(await this.db.query(`INSERT INTO downstream_oauth_pending_authorization_transactions (
+       ) VALUES ($1, $2, $3::jsonb, $4, $5, $6, $7, $8, $9)`,[t.clientId,t.clientName,JSON.stringify(t.redirectUris),t.tokenEndpointAuthMethod,t.hashedClientSecret??null,t.clientSecretExpiresAt?new Date(t.clientSecretExpiresAt):null,new Date(t.clientExpiresAt),t.revokedAt?new Date(t.revokedAt):null,new Date(t.createdAt)])}async savePendingAuthorizationTransaction(t){return c.array(Fx).parse(await this.db.query(`INSERT INTO downstream_oauth_pending_authorization_transactions (
          id, current_state_hash, phase, principal_subject_id,
-         principal_tenant_id, principal_roles, client_id, redirect_uri,
+         principal_roles, client_id, redirect_uri,
          resource, virtual_server_id, client_state, scope, code_challenge,
          code_challenge_method, created_at, expires_at, consumed_at
-       ) VALUES ($1, $2, $3, $4, $5, $6::jsonb, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17)
+       ) VALUES ($1, $2, $3, $4, $5::jsonb, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16)
        ON CONFLICT (id) DO NOTHING
-       RETURNING id`,[t.id,t.currentStateHash,t.phase,t.phase==="awaiting_setup"?t.principal.subjectId:null,t.phase==="awaiting_setup"?t.principal.tenantId:null,t.phase==="awaiting_setup"&&t.principal.roles!==void 0?JSON.stringify(t.principal.roles):null,t.clientId,t.redirectUri,t.resource,t.virtualServerId,t.clientState??null,t.scope,t.codeChallenge,t.codeChallengeMethod,new Date(t.createdAt),new Date(t.expiresAt),t.consumedAt?new Date(t.consumedAt):null])).length>0?{kind:"saved"}:{kind:"already_exists"}}async advancePendingAuthorizationTransaction(t){let n=c.array(Fd).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
+       RETURNING id`,[t.id,t.currentStateHash,t.phase,t.phase==="awaiting_setup"?t.principal.subjectId:null,t.phase==="awaiting_setup"&&t.principal.roles!==void 0?JSON.stringify(t.principal.roles):null,t.clientId,t.redirectUri,t.resource,t.virtualServerId,t.clientState??null,t.scope,t.codeChallenge,t.codeChallengeMethod,new Date(t.createdAt),new Date(t.expiresAt),t.consumedAt?new Date(t.consumedAt):null])).length>0?{kind:"saved"}:{kind:"already_exists"}}async advancePendingAuthorizationTransaction(t){let n=c.array(kl).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
          SET current_state_hash = $4,
              phase = $5,
              principal_subject_id = $6,
-             principal_tenant_id = $7,
-             principal_roles = $8::jsonb
+             principal_roles = $7::jsonb
          WHERE id = $1
            AND current_state_hash = $2
            AND phase = $3
            AND consumed_at IS NULL
-           AND expires_at > $9
-         RETURNING *`,[t.id,t.currentStateHash,t.expectedPhase,t.nextStateHash,t.nextPhase,t.principal.subjectId,t.principal.tenantId,t.principal.roles===void 0?null:JSON.stringify(t.principal.roles),t.now]))[0];return n?{kind:"advanced",record:n}:this.readPendingAuthorizationAdvanceFailure(t)}async getPendingAuthorizationTransaction(t){let n=c.array(Fd).parse(await this.db.query(`SELECT *
+           AND expires_at > $8
+         RETURNING *`,[t.id,t.currentStateHash,t.expectedPhase,t.nextStateHash,t.nextPhase,t.principal.subjectId,t.principal.roles===void 0?null:JSON.stringify(t.principal.roles),t.now]))[0];return n?{kind:"advanced",record:n}:this.readPendingAuthorizationAdvanceFailure(t)}async getPendingAuthorizationTransaction(t){let n=c.array(kl).parse(await this.db.query(`SELECT *
          FROM downstream_oauth_pending_authorization_transactions
          WHERE id = $1
-         LIMIT 1`,[t.id]))[0];return n?n.consumedAt?{kind:"consumed"}:new Date(n.expiresAt).getTime()<=t.now.getTime()?{kind:"expired"}:n.currentStateHash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"available",record:n}:{kind:"missing"}}async consumePendingAuthorizationTransaction(t){let n=c.array(Fd).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
+         LIMIT 1`,[t.id]))[0];return n?n.consumedAt?{kind:"consumed"}:new Date(n.expiresAt).getTime()<=t.now.getTime()?{kind:"expired"}:n.currentStateHash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"available",record:n}:{kind:"missing"}}async consumePendingAuthorizationTransaction(t){let n=c.array(kl).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
        SET consumed_at = $3
        WHERE id = $1
          AND current_state_hash = $2
          AND consumed_at IS NULL
          AND expires_at > $3
-       RETURNING *`,[t.id,t.currentStateHash,t.now]))[0];return n?{kind:"consumed",record:n}:this.readPendingAuthorizationConsumeFailure(t)}async issueAuthorizationCode(t){await this.db.transaction(r=>[rE(r,t),nE(r,t)])}async exchangeAuthorizationCode(t){let n=c.array(c.object({redirect_uri:c.string()})).parse(await this.db.query(`SELECT redirect_uri
+       RETURNING *`,[t.id,t.currentStateHash,t.now]))[0];return n?{kind:"consumed",record:n}:this.readPendingAuthorizationConsumeFailure(t)}async issueAuthorizationCode(t){await this.db.transaction(r=>[Kx(r,t),Zx(r,t)])}async exchangeAuthorizationCode(t){let n=c.array(c.object({redirect_uri:c.string()})).parse(await this.db.query(`SELECT redirect_uri
        FROM downstream_oauth_authorization_codes
        WHERE code_hash = $1
-       LIMIT 1`,[t.codeHash]))[0]?.redirect_uri,a=n!==void 0&&qi(n,t.redirectUri)?n:t.redirectUri,s=c.array(c.record(c.string(),c.unknown())).parse(await this.db.query(`WITH candidate AS (
+       LIMIT 1`,[t.codeHash]))[0]?.redirect_uri,a=n!==void 0&&fs(n,t.redirectUri)?n:t.redirectUri,s=c.array(c.record(c.string(),c.unknown())).parse(await this.db.query(`WITH candidate AS (
            SELECT *
            FROM downstream_oauth_authorization_codes
            WHERE code_hash = $1
@@ -153,12 +152,12 @@ data:
          ),
          inserted_grant AS (
            INSERT INTO downstream_oauth_grants (
-             id, client_id, resource, virtual_server_id, tenant_id, subject_id,
+             id, client_id, resource, virtual_server_id, subject_id,
              scope, roles, current_refresh_token_hash, previous_refresh_token_hash,
              created_at, expires_at, revoked_at, revoked_reason
            )
            SELECT
-             grant_id, client_id, resource, virtual_server_id, tenant_id,
+             grant_id, client_id, resource, virtual_server_id,
              subject_id, scope, roles, $6, NULL, $8, $9, NULL, NULL
            FROM claimed
            RETURNING *
@@ -168,8 +167,7 @@ data:
            SET revoked_at = $8,
                revoked_reason = 'reauthorized'
            FROM inserted_grant
-           WHERE grants.tenant_id = inserted_grant.tenant_id
-             AND grants.subject_id = inserted_grant.subject_id
+           WHERE grants.subject_id = inserted_grant.subject_id
              AND grants.client_id = inserted_grant.client_id
              AND grants.resource = inserted_grant.resource
              AND grants.id <> inserted_grant.id
@@ -187,11 +185,11 @@ data:
          inserted_access AS (
            INSERT INTO downstream_oauth_access_tokens (
              token_hash, grant_id, client_id, resource, virtual_server_id,
-             tenant_id, subject_id, scope, roles, created_at, expires_at,
+             subject_id, scope, roles, created_at, expires_at,
              revoked_at
            )
            SELECT
-             $7, id, client_id, resource, virtual_server_id, tenant_id,
+             $7, id, client_id, resource, virtual_server_id,
              subject_id, scope, roles, $8, $10, NULL
            FROM inserted_grant
            RETURNING token_hash
@@ -212,18 +210,18 @@ data:
            END AS kind,
            inserted_grant.*
          FROM (SELECT 1) AS marker
-         LEFT JOIN inserted_grant ON TRUE`,[t.codeHash,t.clientId,a,t.resource,t.codeChallenge,t.currentRefreshTokenHash,t.accessTokenHash,t.now,new Date(t.grantExpiresAt),new Date(t.accessTokenExpiresAt)]))[0],u=c.enum(["exchanged","consumed","missing","expired","resource_mismatch","binding_mismatch"]).parse(s?.kind??"missing");return u!=="exchanged"?{kind:u}:{kind:"exchanged",grant:kg.parse(s)}}async getGrant(t){return c.array(kg).parse(await this.db.query(`SELECT *
+         LEFT JOIN inserted_grant ON TRUE`,[t.codeHash,t.clientId,a,t.resource,t.codeChallenge,t.currentRefreshTokenHash,t.accessTokenHash,t.now,new Date(t.grantExpiresAt),new Date(t.accessTokenExpiresAt)]))[0],u=c.enum(["exchanged","consumed","missing","expired","resource_mismatch","binding_mismatch"]).parse(s?.kind??"missing");return u!=="exchanged"?{kind:u}:{kind:"exchanged",grant:g_.parse(s)}}async getGrant(t){return c.array(g_).parse(await this.db.query(`SELECT *
          FROM downstream_oauth_grants
          WHERE id = $1
          LIMIT 1`,[t]))[0]}async saveAccessToken(t){await this.db.query(`INSERT INTO downstream_oauth_access_tokens (
-         token_hash, grant_id, client_id, resource, virtual_server_id, tenant_id,
+         token_hash, grant_id, client_id, resource, virtual_server_id,
          subject_id, scope, roles, created_at, expires_at, revoked_at
-       ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12)`,[t.tokenHash,t.grantId,t.clientId,t.resource,t.virtualServerId,t.tenantId,t.subjectId,t.scope,JSON.stringify(t.roles),new Date(t.createdAt),new Date(t.expiresAt),t.revokedAt?new Date(t.revokedAt):null])}async validateAccessToken(t){let n=c.array(tE).parse(await this.db.query(`SELECT access_tokens.*
+       ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8::jsonb, $9, $10, $11)`,[t.tokenHash,t.grantId,t.clientId,t.resource,t.virtualServerId,t.subjectId,t.scope,JSON.stringify(t.roles),new Date(t.createdAt),new Date(t.expiresAt),t.revokedAt?new Date(t.revokedAt):null])}async validateAccessToken(t){let n=c.array(Vx).parse(await this.db.query(`SELECT access_tokens.*
          FROM downstream_oauth_access_tokens AS access_tokens
          JOIN downstream_oauth_grants AS grants
            ON grants.id = access_tokens.grant_id
          WHERE access_tokens.token_hash = $1
-         LIMIT 1`,[t.tokenHash]))[0];if(!n)return{kind:"missing"};if(n.revokedAt)return{kind:"revoked"};if(new Date(n.expiresAt).getTime()<=t.now.getTime())return{kind:"expired"};let a=await this.getGrant(n.grantId),i=oE(a,t.now);return i||{kind:"valid",record:n}}async rotateRefreshToken(t){let r=await this.rotateCurrentRefreshToken(t);if(!r)return this.resolveUnrotatedRefreshToken(t);let n=await this.getGrant(r.id);return n?{kind:"rotated",grant:n,matched:r.matched}:{kind:"missing"}}async rotateCurrentRefreshToken(t){return c.array(XP).parse(await this.db.query(`WITH candidate AS (
+         LIMIT 1`,[t.tokenHash]))[0];if(!n)return{kind:"missing"};if(n.revokedAt)return{kind:"revoked"};if(new Date(n.expiresAt).getTime()<=t.now.getTime())return{kind:"expired"};let a=await this.getGrant(n.grantId),i=Wx(a,t.now);return i||{kind:"valid",record:n}}async rotateRefreshToken(t){let r=await this.rotateCurrentRefreshToken(t);if(!r)return this.resolveUnrotatedRefreshToken(t);let n=await this.getGrant(r.id);return n?{kind:"rotated",grant:n,matched:r.matched}:{kind:"missing"}}async rotateCurrentRefreshToken(t){return c.array(Gx).parse(await this.db.query(`WITH candidate AS (
            SELECT id,
              'current' AS matched
            FROM downstream_oauth_grants
@@ -245,7 +243,7 @@ data:
            AND grants.expires_at > $4
            AND ($5::text IS NULL OR grants.resource = $5)
            AND grants.current_refresh_token_hash = $1
-         RETURNING grants.*, candidate.matched`,[t.currentTokenHash,t.nextTokenHash,t.clientId,t.now,t.resource??null]))[0]}async resolveUnrotatedRefreshToken(t){let r=await this.findRefreshTokenGrantStatus(t,!0),n=await this.refreshTokenGrantFailure(t,r);if(n)return n;if(r)return{kind:"missing"};let a=await this.findRefreshTokenGrantStatus(t,!1),i=await this.refreshTokenGrantFailure(t,a);return i||(a&&t.resource!==void 0?{kind:"resource_mismatch"}:{kind:"missing"})}async findRefreshTokenGrantStatus(t,r){let n=r?"AND ($3::text IS NULL OR resource = $3)":"",a=r?[t.clientId,t.currentTokenHash,t.resource??null]:[t.clientId,t.currentTokenHash];return c.array(YP).parse(await this.db.query(`SELECT id,
+         RETURNING grants.*, candidate.matched`,[t.currentTokenHash,t.nextTokenHash,t.clientId,t.now,t.resource??null]))[0]}async resolveUnrotatedRefreshToken(t){let r=await this.findRefreshTokenGrantStatus(t,!0),n=await this.refreshTokenGrantFailure(t,r);if(n)return n;if(r)return{kind:"missing"};let a=await this.findRefreshTokenGrantStatus(t,!1),i=await this.refreshTokenGrantFailure(t,a);return i||(a&&t.resource!==void 0?{kind:"resource_mismatch"}:{kind:"missing"})}async findRefreshTokenGrantStatus(t,r){let n=r?"AND ($3::text IS NULL OR resource = $3)":"",a=r?[t.clientId,t.currentTokenHash,t.resource??null]:[t.clientId,t.currentTokenHash];return c.array(Hx).parse(await this.db.query(`SELECT id,
                 revoked_at,
                 expires_at,
                 CASE
@@ -259,12 +257,12 @@ data:
              current_refresh_token_hash = $2
              OR previous_refresh_token_hash = $2
            )
-         LIMIT 1`,a))[0]}async refreshTokenGrantFailure(t,r){if(r){if(r.revoked_at)return{kind:"revoked"};if(r.expires_at.getTime()<=t.now.getTime())return{kind:"expired"};if(r.matched==="previous")return await this.revokeGrant({grantId:r.id,now:t.now,reason:"refresh_token_replay"}),{kind:"revoked"}}}async revokeOAuthToken(t){let n=c.array(c.object({token_hash:c.string(),client_id:le})).parse(await this.db.query(`SELECT token_hash, client_id
+         LIMIT 1`,a))[0]}async refreshTokenGrantFailure(t,r){if(r){if(r.revoked_at)return{kind:"revoked"};if(r.expires_at.getTime()<=t.now.getTime())return{kind:"expired"};if(r.matched==="previous")return await this.revokeGrant({grantId:r.id,now:t.now,reason:"refresh_token_replay"}),{kind:"revoked"}}}async revokeOAuthToken(t){let n=c.array(c.object({token_hash:c.string(),client_id:ye})).parse(await this.db.query(`SELECT token_hash, client_id
          FROM downstream_oauth_access_tokens
          WHERE token_hash = $1
          LIMIT 1`,[t.tokenHash]))[0];if(n)return n.client_id!==t.clientId?{kind:"client_mismatch"}:(await this.db.query(`UPDATE downstream_oauth_access_tokens
          SET revoked_at = $2
-         WHERE token_hash = $1 AND revoked_at IS NULL`,[t.tokenHash,t.now]),{kind:"revoked_access_token"});let i=c.array(c.object({id:_t,client_id:le})).parse(await this.db.query(`SELECT id, client_id
+         WHERE token_hash = $1 AND revoked_at IS NULL`,[t.tokenHash,t.now]),{kind:"revoked_access_token"});let i=c.array(c.object({id:kt,client_id:ye})).parse(await this.db.query(`SELECT id, client_id
          FROM downstream_oauth_grants
          WHERE current_refresh_token_hash = $1
             OR previous_refresh_token_hash = $1
@@ -274,7 +272,7 @@ data:
              revoked_reason = $3
          WHERE id = $1 AND revoked_at IS NULL`,[t.grantId,t.now,t.reason]),r.query(`UPDATE downstream_oauth_access_tokens
          SET revoked_at = $2
-         WHERE grant_id = $1 AND revoked_at IS NULL`,[t.grantId,t.now])])}};var ji=class{constructor(t,r){this.raw=t;this.singleShotExecutor=r}static{o(this,"HttpPgQuery")}[Symbol.toStringTag]="HttpPgQuery";then(t,r){return this.singleShotExecutor(this.raw).then(t,r)}catch(t){return this.singleShotExecutor(this.raw).catch(t)}finally(t){return this.singleShotExecutor(this.raw).finally(t)}};function aE(e){return e instanceof ji}o(aE,"isHttpPgQuery");function iE(e){let t;try{t=new URL(e)}catch(n){throw new Error("Database connection string is not a valid URL. Expected: postgresql://user:password@host.tld/dbname",{cause:n})}if(t.protocol!=="postgresql:"&&t.protocol!=="postgres:")throw g("internal_server_error",`Database connection string must use postgres:// or postgresql:// (got ${t.protocol})`);if(!t.hostname)throw g("internal_server_error","Database connection string is missing the host.");let r=t.hostname.replace(/^[^.]+\./,"api.");return{host:t.hostname,fetchEndpoint:`https://${r}/sql`}}o(iE,"parseConnectionString");function sE(e){return typeof e=="object"&&e!==null&&typeof e.message=="string"?e.message??"Unknown postgres error":"Unknown postgres error"}o(sE,"readErrorMessage");function cE(e){return typeof e=="object"&&e!==null&&Array.isArray(e.rows)}o(cE,"isSingleResponse");function uE(e){return typeof e=="object"&&e!==null&&Array.isArray(e.results)}o(uE,"isBatchResponse");function xg(e,t={}){let{fetchEndpoint:r}=iE(e),n=t.fetchFn??fetch;async function a(d){let l=await i({query:d.query,params:d.params});if(!cE(l))throw g("internal_server_error","Unexpected postgres response shape: missing `rows`.");return l.rows}o(a,"runSingle");async function i(d){let l=await n(r,{method:"POST",headers:{"content-type":"application/json","Neon-Connection-String":e,"Neon-Raw-Text-Output":"true"},body:JSON.stringify(d)});if(!l.ok){let p;try{p=await l.json()}catch{p=void 0}let m=new Error(sE(p));throw g({code:"internal_server_error",privateDetail:`Postgres HTTP request failed (status ${l.status})`,cause:m})}return l.json()}o(i,"runRequest");function s(){return{query(d,l){return new ji({query:d,params:l??[]},a)}}}o(s,"buildQueryDatabase");let u=s();return{query:u.query,async transaction(d){let p=d(u).map((f,_)=>{if(!aE(f))throw new Error(`transaction callback returned an unexpected query operation at index ${_}. Each statement must be a direct \`db.query(...)\` call (do not \`await\` inside the callback).`);return f.raw}),m=await i({queries:p.map(f=>({query:f.query,params:f.params}))});if(!uE(m))throw new Error("Unexpected postgres response shape: missing `results` for transaction.");return m.results.map(f=>f.rows)}}}o(xg,"createHttpPostgresGatewayDatabase");var dE=`
+         WHERE grant_id = $1 AND revoked_at IS NULL`,[t.grantId,t.now])])}};var ws=class{constructor(t,r){this.raw=t;this.singleShotExecutor=r}static{o(this,"HttpPgQuery")}[Symbol.toStringTag]="HttpPgQuery";then(t,r){return this.singleShotExecutor(this.raw).then(t,r)}catch(t){return this.singleShotExecutor(this.raw).catch(t)}finally(t){return this.singleShotExecutor(this.raw).finally(t)}};function Jx(e){return e instanceof ws}o(Jx,"isHttpPgQuery");function Yx(e){let t;try{t=new URL(e)}catch(n){throw new Error("Database connection string is not a valid URL. Expected: postgresql://user:password@host.tld/dbname",{cause:n})}if(t.protocol!=="postgresql:"&&t.protocol!=="postgres:")throw g("internal_server_error",`Database connection string must use postgres:// or postgresql:// (got ${t.protocol})`);if(!t.hostname)throw g("internal_server_error","Database connection string is missing the host.");let r=t.hostname.replace(/^[^.]+\./,"api.");return{host:t.hostname,fetchEndpoint:`https://${r}/sql`}}o(Yx,"parseConnectionString");function Xx(e){return typeof e=="object"&&e!==null&&typeof e.message=="string"?e.message??"Unknown postgres error":"Unknown postgres error"}o(Xx,"readErrorMessage");function Qx(e){return typeof e=="object"&&e!==null&&Array.isArray(e.rows)}o(Qx,"isSingleResponse");function eP(e){return typeof e=="object"&&e!==null&&Array.isArray(e.results)}o(eP,"isBatchResponse");function w_(e,t={}){let{fetchEndpoint:r}=Yx(e),n=t.fetchFn??fetch;async function a(d){let p=await i({query:d.query,params:d.params});if(!Qx(p))throw g("internal_server_error","Unexpected postgres response shape: missing `rows`.");return p.rows}o(a,"runSingle");async function i(d){let p=await n(r,{method:"POST",headers:{"content-type":"application/json","Neon-Connection-String":e,"Neon-Raw-Text-Output":"true"},body:JSON.stringify(d)});if(!p.ok){let l;try{l=await p.json()}catch{l=void 0}let m=new Error(Xx(l));throw g({code:"internal_server_error",privateDetail:`Postgres HTTP request failed (status ${p.status})`,cause:m})}return p.json()}o(i,"runRequest");function s(){return{query(d,p){return new ws({query:d,params:p??[]},a)}}}o(s,"buildQueryDatabase");let u=s();return{query:u.query,async transaction(d){let l=d(u).map((f,_)=>{if(!Jx(f))throw new Error(`transaction callback returned an unexpected query operation at index ${_}. Each statement must be a direct \`db.query(...)\` call (do not \`await\` inside the callback).`);return f.raw}),m=await i({queries:l.map(f=>({query:f.query,params:f.params}))});if(!eP(m))throw new Error("Unexpected postgres response shape: missing `results` for transaction.");return m.results.map(f=>f.rows)}}}o(w_,"createHttpPostgresGatewayDatabase");var tP=`
 DO $$
 BEGIN
   IF to_regclass('public.downstream_oauth_pending_authorization_transactions') IS NULL THEN
@@ -427,11 +425,11 @@ BEGIN
     EXECUTE $check$ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_code_challenge_method_check CHECK ("downstream_oauth_pending_authorization_transactions"."code_challenge_method" = 'S256')$check$;
   END IF;
 END $$;
-`,lE=`
+`,rP=`
 DROP INDEX IF EXISTS public.downstream_oauth_cimd_metadata_cache_expiry_idx;
-`,pE=`
+`,nP=`
 DROP TABLE IF EXISTS public.downstream_oauth_cimd_metadata_cache;
-`,mE=`
+`,oP=`
 DO $$
 BEGIN
   IF to_regclass('public.upstream_connections') IS NULL THEN
@@ -449,9 +447,9 @@ BEGIN
   EXECUTE $check$ALTER TABLE public.upstream_connections ADD CONSTRAINT upstream_connections_owner_shape_check CHECK (("upstream_connections"."owner_mode" = 'user' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NOT NULL)
         OR ("upstream_connections"."owner_mode" = 'tenant_shared' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NULL))$check$;
 END $$;
-`,hE=[dE,lE,pE,mE].join(`
+`,aP=[tP,rP,nP,oP].join(`
 --> statement-breakpoint
-`),fE=`
+`),iP=`
 DO $$
 BEGIN
   IF to_regclass('public.upstream_connections') IS NULL THEN
@@ -469,7 +467,148 @@ BEGIN
     EXECUTE 'ALTER TABLE public.upstream_connections ALTER COLUMN id TYPE text USING id::text';
   END IF;
 END $$;
-`,Og=[{tag:"0000_messy_makkari",sql:`CREATE TABLE "browser_connect_ticket_consumptions" (
+`,sP=`
+DO $$
+BEGIN
+  -- upstream_connections: drop CHECK + UNIQUE constraints that reference the
+  -- legacy tenant_id column or the legacy owner_mode='tenant_shared' value
+  -- before we rewrite rows. Without dropping owner_mode_check first, the
+  -- UPDATE below would violate it.
+  IF EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'upstream_connections_owner_shape_check'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.upstream_connections DROP CONSTRAINT upstream_connections_owner_shape_check';
+  END IF;
+
+  IF EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'upstream_connections_owner_mode_check'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.upstream_connections DROP CONSTRAINT upstream_connections_owner_mode_check';
+  END IF;
+
+  IF EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'upstream_connections_owner_key'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.upstream_connections DROP CONSTRAINT upstream_connections_owner_key';
+  END IF;
+
+  -- Migrate persisted row values to the new naming before we re-add the
+  -- CHECK constraints. owner_mode tenant_shared becomes shared; auth_profile_id
+  -- suffixes :tenant_shared_oauth become :shared-oauth,
+  -- :tenant_static_secret become :shared-secret,
+  -- :user_static_secret become :user-secret.
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.tables
+    WHERE table_schema = 'public'
+      AND table_name = 'upstream_connections'
+  ) THEN
+    EXECUTE $upd$UPDATE public.upstream_connections SET owner_mode = 'shared' WHERE owner_mode = 'tenant_shared'$upd$;
+    EXECUTE $upd$UPDATE public.upstream_connections SET auth_profile_id = REPLACE(auth_profile_id, ':tenant_shared_oauth', ':shared-oauth') WHERE auth_profile_id LIKE '%:tenant_shared_oauth'$upd$;
+    EXECUTE $upd$UPDATE public.upstream_connections SET auth_profile_id = REPLACE(auth_profile_id, ':tenant_static_secret', ':shared-secret') WHERE auth_profile_id LIKE '%:tenant_static_secret'$upd$;
+    EXECUTE $upd$UPDATE public.upstream_connections SET auth_profile_id = REPLACE(auth_profile_id, ':user_static_secret', ':user-secret') WHERE auth_profile_id LIKE '%:user_static_secret'$upd$;
+  END IF;
+
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'upstream_connections'
+      AND column_name = 'tenant_id'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.upstream_connections DROP COLUMN tenant_id';
+  END IF;
+
+  EXECUTE $check$ALTER TABLE public.upstream_connections ADD CONSTRAINT upstream_connections_owner_mode_check CHECK ("upstream_connections"."owner_mode" IN ('user', 'shared'))$check$;
+
+  EXECUTE $check$ALTER TABLE public.upstream_connections ADD CONSTRAINT upstream_connections_owner_shape_check CHECK (("upstream_connections"."owner_mode" = 'user' AND "upstream_connections"."user_id" IS NOT NULL)
+        OR ("upstream_connections"."owner_mode" = 'shared' AND "upstream_connections"."user_id" IS NULL))$check$;
+
+  EXECUTE 'ALTER TABLE public.upstream_connections ADD CONSTRAINT upstream_connections_owner_key UNIQUE NULLS NOT DISTINCT ("owner_mode","user_id","upstream_server_id","auth_profile_id")';
+
+  -- downstream_oauth_pending_authorization_transactions: drop phase_principal_check + principal_tenant_id column
+  IF EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'downstream_oauth_pending_authorization_phase_principal_check'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions DROP CONSTRAINT downstream_oauth_pending_authorization_phase_principal_check';
+  END IF;
+
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_pending_authorization_transactions'
+      AND column_name = 'principal_tenant_id'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions DROP COLUMN principal_tenant_id';
+  END IF;
+
+  EXECUTE $check$ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_phase_principal_check CHECK ((
+      "downstream_oauth_pending_authorization_transactions"."phase" = 'awaiting_login'
+      AND "downstream_oauth_pending_authorization_transactions"."principal_subject_id" IS NULL
+      AND "downstream_oauth_pending_authorization_transactions"."principal_roles" IS NULL
+    ) OR (
+      "downstream_oauth_pending_authorization_transactions"."phase" = 'awaiting_setup'
+      AND "downstream_oauth_pending_authorization_transactions"."principal_subject_id" IS NOT NULL
+      AND (
+        "downstream_oauth_pending_authorization_transactions"."principal_roles" IS NULL
+        OR jsonb_typeof("downstream_oauth_pending_authorization_transactions"."principal_roles") = 'array'
+      )
+    ))$check$;
+
+  -- downstream_oauth_grants: drop index referencing tenant_id, then drop the column
+  EXECUTE 'DROP INDEX IF EXISTS public.downstream_oauth_grants_subject_client_resource_idx';
+
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_grants'
+      AND column_name = 'tenant_id'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_grants DROP COLUMN tenant_id';
+  END IF;
+
+  EXECUTE 'CREATE INDEX "downstream_oauth_grants_subject_client_resource_idx" ON "downstream_oauth_grants" USING btree ("subject_id","client_id","resource") WHERE "downstream_oauth_grants"."revoked_at" IS NULL';
+
+  -- downstream_oauth_access_tokens: drop tenant_id column
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_access_tokens'
+      AND column_name = 'tenant_id'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_access_tokens DROP COLUMN tenant_id';
+  END IF;
+
+  -- downstream_oauth_authorization_codes: drop tenant_id column
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_authorization_codes'
+      AND column_name = 'tenant_id'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_authorization_codes DROP COLUMN tenant_id';
+  END IF;
+
+  -- downstream_oauth_authorization_transactions: drop tenant_id column
+  IF EXISTS (
+    SELECT 1
+    FROM information_schema.columns
+    WHERE table_schema = 'public'
+      AND table_name = 'downstream_oauth_authorization_transactions'
+      AND column_name = 'tenant_id'
+  ) THEN
+    EXECUTE 'ALTER TABLE public.downstream_oauth_authorization_transactions DROP COLUMN tenant_id';
+  END IF;
+END $$;
+`,S_=[{tag:"0000_messy_makkari",sql:`CREATE TABLE "browser_connect_ticket_consumptions" (
 	"id" uuid PRIMARY KEY NOT NULL,
 	"consumed_at" timestamp with time zone NOT NULL,
 	"expires_at" timestamp with time zone NOT NULL
@@ -654,22 +793,21 @@ CREATE INDEX "downstream_oauth_grants_expiry_idx" ON "downstream_oauth_grants" U
 CREATE INDEX "downstream_oauth_pending_authorization_expiry_idx" ON "downstream_oauth_pending_authorization_transactions" USING btree ("expires_at");--> statement-breakpoint
 CREATE INDEX "upstream_oauth_state_consumptions_expiry_idx" ON "upstream_oauth_state_consumptions" USING btree ("expires_at");--> statement-breakpoint
 CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING btree ("expires_at");
-`},{tag:"0001_self_heal_pending_authorization",sql:hE},{tag:"0002_upstream_connection_id_text",sql:fE}];var Ho="_runtime_applied_migrations",gE=`
-  CREATE TABLE IF NOT EXISTS ${Ho} (
+`},{tag:"0001_self_heal_pending_authorization",sql:aP},{tag:"0002_upstream_connection_id_text",sql:iP},{tag:"0003_drop_tenant_id_columns",sql:sP}];var ma="_runtime_applied_migrations",cP=`
+  CREATE TABLE IF NOT EXISTS ${ma} (
     tag text PRIMARY KEY NOT NULL,
     applied_at timestamp with time zone NOT NULL DEFAULT now()
   )
-`,jo;async function _E(e){if(jo)return jo;jo=(async()=>{await e.query(gE),await e.query(`INSERT INTO ${Ho} (tag)
+`,pa;async function uP(e){if(pa)return pa;pa=(async()=>{await e.query(cP),await e.query(`INSERT INTO ${ma} (tag)
        SELECT '0000_messy_makkari'
        WHERE to_regclass('public.audit_events') IS NOT NULL
          AND NOT EXISTS (
-           SELECT 1 FROM ${Ho}
+           SELECT 1 FROM ${ma}
            WHERE tag = '0000_messy_makkari'
          )
-       ON CONFLICT (tag) DO NOTHING`);let t=await e.query(`SELECT tag FROM ${Ho}`),r=new Set(t.map(n=>n.tag));for(let n of Og){if(r.has(n.tag))continue;let a=n.sql.split(/-->\s*statement-breakpoint/g).map(i=>i.trim()).filter(i=>i.length>0);for(let i of a)await e.query(i);await e.query(`INSERT INTO ${Ho} (tag) VALUES ($1)`,[n.tag])}})();try{await jo}catch(t){throw jo=void 0,t}}o(_E,"ensureGatewayMigrationsApplied");function Ug(e){let t=o(()=>_E(e),"ensureReady");return{query:o((n,a)=>(async()=>(await t(),e.query(n,a)))(),"query"),async transaction(n){return await t(),e.transaction(n)}}}o(Ug,"createMigrationGatedDatabase");Y();Y();var yE=["user","tenant_shared"],Ht=c.enum(yE);function mr(e,t){if(!e)throw g("forbidden","User-owned upstream connections require an authenticated tenant.");return{mode:"user",tenantId:e,subjectId:t}}o(mr,"buildUserUpstreamConnectionOwner");function Hi(e){if(!e)throw g("forbidden","Tenant-shared upstream connections require an authenticated tenant.");return{mode:"tenant_shared",tenantId:e}}o(Hi,"buildTenantSharedUpstreamConnectionOwner");Y();Y();function Gi(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(Gi,"parseSafeRelativeReturnTo");var zg=c.object({tenantId:ue.optional(),ownerMode:Ht,initiatedBySubjectId:X,ownerSubjectId:X.optional(),upstreamServerId:ke,authProfileId:Pe,virtualServerId:me,returnTo:c.string().min(1).transform(e=>Gi(e)).optional()});function Ng(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="user"&&!e.tenantId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires tenantId",path:["tenantId"]}),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared state requires tenantId",path:["tenantId"]}),e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared state must not include ownerSubjectId",path:["ownerSubjectId"]}))}o(Ng,"validateUpstreamOwnerState");var kn=zg.superRefine(Ng),Dg=zg.omit({returnTo:!0}).superRefine(Ng);function Go(e){return kn.parse({tenantId:e.owner.tenantId,ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(Go,"buildUpstreamOwnerState");function Pn(e){if(e.ownerMode==="tenant_shared")return Hi(e.tenantId);if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");if(!e.tenantId)throw g("oauth_state_invalid","User-owned upstream state is missing the tenant.");return mr(e.tenantId,e.ownerSubjectId)}o(Pn,"resolveUpstreamConnectionOwnerFromState");var SE=["active","not_connected","reconsent_required"],wE=["basic_auth_app_password","bearer_token"],Mg=c.string().trim().min(1).brand(),En=c.uuid().brand(),Bo=c.uuid().brand(),xn=c.enum(SE),vE=c.enum(wE),qg=c.object({encryptedClientInformation:c.string().optional(),encryptedDiscoveryState:c.string().optional(),connectedBySubjectId:X.optional()}),Zd=qg.extend({encryptedStaticSecret:c.string().optional(),staticSecretKind:vE.optional(),staticSecretLabel:c.string().min(1).optional(),staticSecretUsername:c.string().min(1).optional()}).strict(),RE=c.object({id:Mg,tenantId:ue.optional(),subjectId:X.optional(),ownerMode:Ht,upstreamServerId:ke,authProfileId:Pe,status:xn,encryptedAccessToken:c.string().min(1).optional(),encryptedRefreshToken:c.string().min(1).optional(),scopes:c.array(c.string()),expiresAt:V.optional(),metadata:Zd.optional(),createdAt:V,updatedAt:V});function Kd(e,t){e.ownerMode==="user"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require tenantId",path:["tenantId"]}),e.subjectId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared upstream connections require tenantId",path:["tenantId"]}),e.subjectId!==void 0&&t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared upstream connections must not include subjectId",path:["subjectId"]}))}o(Kd,"validateUpstreamConnectionOwnerShape");var Gt=RE.superRefine(Kd);function Dr(e){return JSON.stringify([e.owner.mode,e.owner.tenantId,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}o(Dr,"readUpstreamConnectionLookupKey");var Vo=kn.extend({id:En,callbackPath:c.string().min(1),expiresAt:V,codeVerifier:c.string().optional(),redirectUri:c.url(),returnOrigin:c.url().optional()}).extend(qg.shape);function $g(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o($g,"readUpstreamConnectionStatus");function Bi(){return Mg.parse(`mcpgw2uc_${crypto.randomUUID()}`)}o(Bi,"createUpstreamConnectionId");function Lg(){return En.parse(crypto.randomUUID())}o(Lg,"createOAuthStateId");function jg(){return Bo.parse(crypto.randomUUID())}o(jg,"createBrowserConnectTicketId");var Hg=c.unknown().transform(e=>pr(e,"upstream connection scopes")).pipe(c.array(c.string())),Gg=c.unknown().transform(e=>{if(e!=null)return pr(e,"upstream connection metadata")}).transform(e=>{if(!e||typeof e!="object"||Array.isArray(e))return;let t=Zd.safeParse(e);if(t.success)return Object.values(t.data).some(r=>r!==void 0)?t.data:void 0}),bE=c.object({id:c.string().min(1),tenant_id:ue.nullable(),owner_mode:Ht,user_id:X.nullable(),upstream_server_id:ke,auth_profile_id:Pe,status:xn,encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:Hg,expires_at:ie.nullable(),metadata:Gg,created_at:ie,updated_at:ie}).transform(e=>Gt.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes,expiresAt:e.expires_at?O(e.expires_at):void 0,metadata:e.metadata,createdAt:O(e.created_at),updatedAt:O(e.updated_at)})),CE=c.object({requested_ordinal:c.number(),id:c.string().min(1).nullable(),tenant_id:ue.nullable(),owner_mode:Ht.nullable(),user_id:X.nullable(),upstream_server_id:ke.nullable(),auth_profile_id:Pe.nullable(),status:xn.nullable(),encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:Hg.nullable(),expires_at:ie.nullable(),metadata:Gg,created_at:ie.nullable(),updated_at:ie.nullable()}).transform(e=>{if(e.id!==null)return Gt.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes??[],expiresAt:e.expires_at?O(e.expires_at):void 0,metadata:e.metadata,createdAt:O(e.created_at),updatedAt:O(e.updated_at)})});function IE(e){let t=[],r=e.map((n,a)=>{let i=t.length+1;return t.push(a,n.owner.mode,n.owner.tenantId,n.owner.mode==="user"?n.owner.subjectId:null,n.upstreamServerId,n.authProfileId),`($${i}::integer, $${i+1}, $${i+2}, $${i+3}, $${i+4}, $${i+5})`});return{params:t,sql:`WITH requested(
+       ON CONFLICT (tag) DO NOTHING`);let t=await e.query(`SELECT tag FROM ${ma}`),r=new Set(t.map(n=>n.tag));for(let n of S_){if(r.has(n.tag))continue;let a=n.sql.split(/-->\s*statement-breakpoint/g).map(i=>i.trim()).filter(i=>i.length>0);for(let i of a)await e.query(i);await e.query(`INSERT INTO ${ma} (tag) VALUES ($1)`,[n.tag])}})();try{await pa}catch(t){throw pa=void 0,t}}o(uP,"ensureGatewayMigrationsApplied");function v_(e){let t=o(()=>uP(e),"ensureReady");return{query:o((n,a)=>(async()=>(await t(),e.query(n,a)))(),"query"),async transaction(n){return await t(),e.transaction(n)}}}o(v_,"createMigrationGatedDatabase");ae();ae();var dP=["user","shared"],tr=c.enum(dP);function kr(e){return{mode:"user",subjectId:e}}o(kr,"buildUserUpstreamConnectionOwner");function Ss(){return{mode:"shared"}}o(Ss,"buildSharedUpstreamConnectionOwner");ae();ae();function vs(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(vs,"parseSafeRelativeReturnTo");var R_=c.object({ownerMode:tr,initiatedBySubjectId:ie,ownerSubjectId:ie.optional(),upstreamServerId:$e,authProfileId:De,virtualServerId:Se,returnTo:c.string().min(1).transform(e=>vs(e)).optional()});function b_(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="shared"&&e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"Shared state must not include ownerSubjectId",path:["ownerSubjectId"]})}o(b_,"validateUpstreamOwnerState");var Fn=R_.superRefine(b_),C_=R_.omit({returnTo:!0}).superRefine(b_);function ha(e){return Fn.parse({ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(ha,"buildUpstreamOwnerState");function Vn(e){if(e.ownerMode==="shared")return Ss();if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");return kr(e.ownerSubjectId)}o(Vn,"resolveUpstreamConnectionOwnerFromState");var lP=["active","not_connected","reconsent_required"],pP=["basic_auth_app_password","bearer_token"],I_=c.string().trim().min(1).brand(),Kn=c.uuid().brand(),fa=c.uuid().brand(),Zn=c.enum(lP),mP=c.enum(pP),T_=c.object({encryptedClientInformation:c.string().optional(),encryptedDiscoveryState:c.string().optional(),connectedBySubjectId:ie.optional()}),El=T_.extend({encryptedStaticSecret:c.string().optional(),staticSecretKind:mP.optional(),staticSecretLabel:c.string().min(1).optional(),staticSecretUsername:c.string().min(1).optional()}).strict(),hP=c.object({id:I_,subjectId:ie.optional(),ownerMode:tr,upstreamServerId:$e,authProfileId:De,status:Zn,encryptedAccessToken:c.string().min(1).optional(),encryptedRefreshToken:c.string().min(1).optional(),scopes:c.array(c.string()),expiresAt:Q.optional(),metadata:El.optional(),createdAt:Q,updatedAt:Q});function xl(e,t){e.ownerMode==="user"&&(e.subjectId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="shared"&&e.subjectId!==void 0&&t.addIssue({code:c.ZodIssueCode.custom,message:"Shared upstream connections must not include subjectId",path:["subjectId"]})}o(xl,"validateUpstreamConnectionOwnerShape");var rr=hP.superRefine(xl);function en(e){return JSON.stringify([e.owner.mode,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}o(en,"readUpstreamConnectionLookupKey");var ga=Fn.extend({id:Kn,callbackPath:c.string().min(1),expiresAt:Q,codeVerifier:c.string().optional(),redirectUri:c.url(),returnOrigin:c.url().optional()}).extend(T_.shape);function A_(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o(A_,"readUpstreamConnectionStatus");function Rs(){return I_.parse(`mcpgw2uc_${crypto.randomUUID()}`)}o(Rs,"createUpstreamConnectionId");function k_(){return Kn.parse(crypto.randomUUID())}o(k_,"createOAuthStateId");function E_(){return fa.parse(crypto.randomUUID())}o(E_,"createBrowserConnectTicketId");var x_=c.unknown().transform(e=>Ar(e,"upstream connection scopes")).pipe(c.array(c.string())),P_=c.unknown().transform(e=>{if(e!=null)return Ar(e,"upstream connection metadata")}).transform(e=>{if(!e||typeof e!="object"||Array.isArray(e))return;let t=El.safeParse(e);if(t.success)return Object.values(t.data).some(r=>r!==void 0)?t.data:void 0}),fP=c.object({id:c.string().min(1),owner_mode:tr,user_id:ie.nullable(),upstream_server_id:$e,auth_profile_id:De,status:Zn,encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:x_,expires_at:he.nullable(),metadata:P_,created_at:he,updated_at:he}).transform(e=>rr.parse({id:e.id,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes,expiresAt:e.expires_at?z(e.expires_at):void 0,metadata:e.metadata,createdAt:z(e.created_at),updatedAt:z(e.updated_at)})),gP=c.object({requested_ordinal:c.number(),id:c.string().min(1).nullable(),owner_mode:tr.nullable(),user_id:ie.nullable(),upstream_server_id:$e.nullable(),auth_profile_id:De.nullable(),status:Zn.nullable(),encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:x_.nullable(),expires_at:he.nullable(),metadata:P_,created_at:he.nullable(),updated_at:he.nullable()}).transform(e=>{if(e.id!==null)return rr.parse({id:e.id,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes??[],expiresAt:e.expires_at?z(e.expires_at):void 0,metadata:e.metadata,createdAt:z(e.created_at),updatedAt:z(e.updated_at)})});function _P(e){let t=[],r=e.map((n,a)=>{let i=t.length+1;return t.push(a,n.owner.mode,n.owner.mode==="user"?n.owner.subjectId:null,n.upstreamServerId,n.authProfileId),`($${i}::integer, $${i+1}, $${i+2}, $${i+3}, $${i+4})`});return{params:t,sql:`WITH requested(
            requested_ordinal,
            owner_mode,
-           tenant_id,
            user_id,
            upstream_server_id,
            auth_profile_id
@@ -679,7 +817,6 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
          SELECT
            requested.requested_ordinal,
            upstream_connections.id,
-           upstream_connections.tenant_id,
            upstream_connections.owner_mode,
            upstream_connections.user_id,
            upstream_connections.upstream_server_id,
@@ -695,13 +832,11 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
          FROM requested
          LEFT JOIN upstream_connections
            ON upstream_connections.owner_mode = requested.owner_mode
-          AND upstream_connections.tenant_id IS NOT DISTINCT FROM requested.tenant_id
           AND upstream_connections.user_id IS NOT DISTINCT FROM requested.user_id
           AND upstream_connections.upstream_server_id = requested.upstream_server_id
           AND upstream_connections.auth_profile_id = requested.auth_profile_id
-         ORDER BY requested.requested_ordinal`}}o(IE,"buildBatchGetQuery");function TE(e){if(!e)return null;let t={};for(let[r,n]of Object.entries(e))typeof n=="string"&&(t[r]=n);return Object.keys(t).length>0?JSON.stringify(t):null}o(TE,"metadataToDatabaseValue");function AE(e){if(!e)throw g("internal_server_error","Failed to persist upstream connection");return e}o(AE,"requirePersistedUpstreamConnection");var Vi=class{constructor(t){this.db=t}static{o(this,"PostgresUpstreamConnectionRepository")}async batchGet(t){if(t.length===0)return[];let r=IE(t);return c.array(CE).parse(await this.db.query(r.sql,r.params))}async upsert(t){let r=new Date,n=c.array(bE).parse(await this.db.query(`INSERT INTO upstream_connections (
+         ORDER BY requested.requested_ordinal`}}o(_P,"buildBatchGetQuery");function yP(e){if(!e)return null;let t={};for(let[r,n]of Object.entries(e))typeof n=="string"&&(t[r]=n);return Object.keys(t).length>0?JSON.stringify(t):null}o(yP,"metadataToDatabaseValue");function wP(e){if(!e)throw g("internal_server_error","Failed to persist upstream connection");return e}o(wP,"requirePersistedUpstreamConnection");var bs=class{constructor(t){this.db=t}static{o(this,"PostgresUpstreamConnectionRepository")}async batchGet(t){if(t.length===0)return[];let r=_P(t);return c.array(gP).parse(await this.db.query(r.sql,r.params))}async upsert(t){let r=new Date,n=c.array(fP).parse(await this.db.query(`INSERT INTO upstream_connections (
            id,
-           tenant_id,
            owner_mode,
            user_id,
            upstream_server_id,
@@ -723,12 +858,11 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
            $6,
            $7,
            $8,
-           $9,
-           $10::jsonb,
-           $11,
-           $12::jsonb,
-           $13,
-           $13
+           $9::jsonb,
+           $10,
+           $11::jsonb,
+           $12,
+           $12
          )
          ON CONFLICT ON CONSTRAINT upstream_connections_owner_key
          DO UPDATE SET
@@ -741,7 +875,6 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
            updated_at = EXCLUDED.updated_at
          RETURNING
            id,
-           tenant_id,
            owner_mode,
            user_id,
            upstream_server_id,
@@ -753,7 +886,7 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
            expires_at,
            metadata,
            created_at,
-           updated_at`,[t.id,t.tenantId??null,t.ownerMode,t.subjectId??null,t.upstreamServerId,t.authProfileId,t.status,t.encryptedAccessToken??null,t.encryptedRefreshToken??null,JSON.stringify(t.scopes),t.expiresAt?new Date(t.expiresAt):null,TE(t.metadata),r]));return AE(n[0])}};Y();var kE=60*60*24*1e3,PE=c.object({kind:c.enum(["available","consumed","missing"]),record:c.unknown().nullable()}),EE=c.object({inserted:c.preprocess(e=>{if(typeof e!="string")return e;switch(e.toLowerCase()){case"true":case"t":case"1":return!0;case"false":case"f":case"0":return!1;default:return e}},c.boolean())});function Bg(e,t){let r=e[0];if(!r)throw g("internal_server_error",`Postgres ${t} query returned no result row`);return r}o(Bg,"requireSingleRow");function xE(e){return Vo.parse(pr(e,"upstream OAuth state record"))}o(xE,"parseStoredOAuthStateRecord");var Fi=class{constructor(t){this.db=t}static{o(this,"PostgresOAuthStateStore")}async save(t){let r=new Date;await this.db.query(`INSERT INTO upstream_oauth_states (
+           updated_at`,[t.id,t.ownerMode,t.subjectId??null,t.upstreamServerId,t.authProfileId,t.status,t.encryptedAccessToken??null,t.encryptedRefreshToken??null,JSON.stringify(t.scopes),t.expiresAt?new Date(t.expiresAt):null,yP(t.metadata),r]));return wP(n[0])}};ae();var SP=60*60*24*1e3,vP=c.object({kind:c.enum(["available","consumed","missing"]),record:c.unknown().nullable()}),RP=c.object({inserted:c.preprocess(e=>{if(typeof e!="string")return e;switch(e.toLowerCase()){case"true":case"t":case"1":return!0;case"false":case"f":case"0":return!1;default:return e}},c.boolean())});function O_(e,t){let r=e[0];if(!r)throw g("internal_server_error",`Postgres ${t} query returned no result row`);return r}o(O_,"requireSingleRow");function bP(e){return ga.parse(Ar(e,"upstream OAuth state record"))}o(bP,"parseStoredOAuthStateRecord");var Cs=class{constructor(t){this.db=t}static{o(this,"PostgresOAuthStateStore")}async save(t){let r=new Date;await this.db.query(`INSERT INTO upstream_oauth_states (
          id,
          record,
          expires_at,
@@ -763,7 +896,7 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
        ON CONFLICT (id) DO UPDATE
        SET record = EXCLUDED.record,
            expires_at = EXCLUDED.expires_at,
-           updated_at = EXCLUDED.updated_at`,[t.id,JSON.stringify(t),new Date(t.expiresAt),r])}async consumeForCallback(t){let r=new Date,n=new Date(r.getTime()+kE),a=Bg(c.array(PE).parse(await this.db.query(`WITH expired_state_cleanup AS (
+           updated_at = EXCLUDED.updated_at`,[t.id,JSON.stringify(t),new Date(t.expiresAt),r])}async consumeForCallback(t){let r=new Date,n=new Date(r.getTime()+SP),a=O_(c.array(vP).parse(await this.db.query(`WITH expired_state_cleanup AS (
              DELETE FROM upstream_oauth_states
              WHERE id = $1
                AND expires_at <= $2
@@ -814,7 +947,7 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
                WHEN EXISTS (SELECT 1 FROM candidate) THEN 'consumed'
                ELSE 'missing'
              END AS kind,
-             (SELECT record FROM deleted_state LIMIT 1) AS record`,[t,r,n])),"OAuth state consume");if(a.kind==="available"){if(a.record===null)throw g("internal_server_error","Consumed OAuth state row did not include a record");return{kind:"available",record:xE(a.record)}}return{kind:a.kind}}},Zi=class{constructor(t){this.db=t}static{o(this,"PostgresBrowserConnectTicketStore")}async consume(t,r){let n=new Date;return Bg(c.array(EE).parse(await this.db.query(`WITH expired_consumption_cleanup AS (
+             (SELECT record FROM deleted_state LIMIT 1) AS record`,[t,r,n])),"OAuth state consume");if(a.kind==="available"){if(a.record===null)throw g("internal_server_error","Consumed OAuth state row did not include a record");return{kind:"available",record:bP(a.record)}}return{kind:a.kind}}},Is=class{constructor(t){this.db=t}static{o(this,"PostgresBrowserConnectTicketStore")}async consume(t,r){let n=new Date;return O_(c.array(RP).parse(await this.db.query(`WITH expired_consumption_cleanup AS (
              DELETE FROM browser_connect_ticket_consumptions
              WHERE id = $1
                AND expires_at <= $2
@@ -832,11 +965,14 @@ CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING
              ON CONFLICT (id) DO NOTHING
              RETURNING id
            )
-           SELECT EXISTS (SELECT 1 FROM inserted_consumption) AS inserted`,[t,n,r])),"browser connect ticket consume").inserted?{kind:"available"}:{kind:"consumed"}}};var OE={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},U=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=OE[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};Y();var Jd=c.discriminatedUnion("mode",[c.object({mode:c.literal("user"),tenantId:ue,subjectId:X}).strict(),c.object({mode:c.literal("tenant_shared"),tenantId:ue}).strict()]),Fg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe}).strict(),Zg=c.object({items:c.array(Fg).min(1).max(100)}).strict(),Yd=c.object({items:c.array(c.object({key:c.object({ownerMode:Ht,tenantId:ue,subjectId:X.optional(),upstreamServerId:ke,authProfileId:Pe}).strict(),connection:Gt.strict().optional()}).strict())}).strict(),Kg=Gt.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(Kd),Wg=Gt.strict(),Jg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe}).strict(),Yg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe,connection:Gt.strict().optional(),connectionStatus:c.object({connected:c.boolean(),status:xn,updatedAt:Gt.shape.updatedAt.optional()}).strict()}).strict(),UE=c.enum(["none","client_secret_basic","client_secret_post"]),Mr=c.object({clientId:le,clientName:c.string().min(1),tokenEndpointAuthMethod:UE}).strict(),Xd=c.discriminatedUnion("method",[c.object({method:c.literal("none"),clientId:le}).strict(),c.object({method:c.enum(["client_secret_basic","client_secret_post"]),clientId:le,clientSecretHashInput:c.string().min(1)}).strict()]),Qd=c.object({id:je,currentStateHash:c.string().min(1),clientId:le,redirectUri:c.string().min(1),resource:c.string().min(1),virtualServerId:me,clientState:c.string().optional(),scope:c.string(),codeChallenge:c.string().min(1),codeChallengeMethod:c.literal("S256"),createdAt:V,expiresAt:V,consumedAt:V.optional()}).strict(),Vg=Qd.omit({id:!0,consumedAt:!0}).extend({transactionId:je,client:Mr.optional()}).strict(),el=c.object({tenantId:ue,subjectId:X,roles:c.array(c.string()).optional()}).strict(),zE=Qd.extend({phase:c.literal("awaiting_login")}).strict(),Wd=Qd.extend({phase:c.literal("awaiting_setup"),principal:el}).strict(),NE=c.discriminatedUnion("phase",[zE,Wd]),tl=c.object({transaction:NE,client:Mr}).strict(),Xg=$o.omit({revokedAt:!0}).strict(),Qg=c.discriminatedUnion("kind",[c.object({kind:c.literal("registered"),client:Mr}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),e_=c.object({clientId:le}).strict(),t_=c.discriminatedUnion("kind",[c.object({kind:c.literal("found"),client:$o.strict()}).strict(),c.object({kind:c.literal("missing")}).strict()]),r_=c.discriminatedUnion("phase",[Vg.extend({phase:c.literal("awaiting_login")}).strict(),Vg.extend({phase:c.literal("awaiting_setup"),principal:el}).strict()]),n_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("started")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("redirect_uri_mismatch")}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),o_=c.object({transactionId:je,currentStateHash:c.string().min(1),now:V}).strict(),a_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("available")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),i_=c.object({transactionId:je,expectedPhase:c.literal("awaiting_login"),currentStateHash:c.string().min(1),nextStateHash:c.string().min(1),nextPhase:c.literal("awaiting_setup"),principal:el,now:V}).strict(),s_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("advanced")}).strict(),c.object({kind:c.literal("wrong_phase"),current:c.enum(["awaiting_login","awaiting_setup"])}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),c_=c.discriminatedUnion("decision",[c.object({decision:c.literal("approve"),transactionId:je,currentStateHash:c.string().min(1),currentPrincipal:c.object({tenantId:ue,subjectId:X}).strict(),authorizationCodeHash:c.string().min(1),authorizationCodeExpiresAt:V,grantId:_t,now:V}).strict(),c.object({decision:c.literal("cancel"),transactionId:je,currentStateHash:c.string().min(1),currentPrincipal:c.object({tenantId:ue,subjectId:X}).strict(),now:V}).strict()]),u_=c.discriminatedUnion("kind",[c.object({kind:c.literal("approved"),transaction:Wd,client:Mr}).strict(),c.object({kind:c.literal("cancelled"),transaction:Wd,client:Mr}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed_already")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),d_=c.object({clientAuth:Xd,codeHash:c.string().min(1),redirectUri:c.string().min(1),resource:c.string().min(1).optional(),codeChallenge:c.string().min(1),currentRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),grantExpiresAt:V,accessTokenExpiresAt:V,now:V}).strict(),l_=c.discriminatedUnion("kind",[c.object({kind:c.literal("exchanged"),client:Mr,grant:Lo.strict()}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("binding_mismatch")}).strict()]),p_=c.object({clientAuth:Xd,currentRefreshTokenHash:c.string().min(1),nextRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),resource:c.string().min(1).optional(),accessTokenExpiresAt:V,now:V}).strict(),m_=c.discriminatedUnion("kind",[c.object({kind:c.literal("rotated"),client:Mr,grant:Lo.strict(),accessToken:In.strict(),matched:c.literal("current")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),h_=c.object({clientAuth:Xd,tokenHash:c.string().min(1),now:V}).strict(),f_=c.discriminatedUnion("kind",[c.object({kind:c.literal("revoked_access_token")}).strict(),c.object({kind:c.literal("revoked_grant")}).strict(),c.object({kind:c.literal("client_mismatch")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("invalid_client")}).strict()]),g_=c.object({tokenHash:c.string().min(1),now:V}).strict(),__=c.discriminatedUnion("kind",[c.object({kind:c.literal("valid"),record:In.strict()}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),y_=c.object({accessTokenHash:c.string().min(1),resource:c.string().min(1),virtualServerId:me,upstreamConnectionKeys:c.array(Fg).max(100),now:V}).strict(),S_=c.discriminatedUnion("kind",[c.object({kind:c.literal("authorized"),principal:c.object({tenantId:ue,subjectId:X,roles:c.array(c.string())}).strict(),accessToken:In.strict(),upstreamConnections:Yd.shape.items}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict()]),w_=c.object({record:Vo}).strict(),v_=c.object({kind:c.literal("saved")}).strict(),R_=c.object({id:En,now:V}).strict(),b_=c.discriminatedUnion("kind",[c.object({kind:c.literal("available"),record:Vo}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict()]),C_=c.object({id:Bo,expiresAt:V,now:V}).strict(),I_=c.discriminatedUnion("kind",[c.object({kind:c.literal("available")}).strict(),c.object({kind:c.literal("consumed")}).strict()]);var T_=100;function A_(e){return e!==null&&typeof e=="object"}o(A_,"isProblemDetailsShape");var DE="/zups/v2/mcp/storage";function xe(e){return`${DE}/${e}`}o(xe,"buildStoragePath");function ME(){return xe("upstream-connections/batch-get")}o(ME,"buildBatchGetUpstreamConnectionsPath");function qE(){return xe("upstream-connections/upsert")}o(qE,"buildUpsertUpstreamConnectionPath");function $E(){return xe("authorization/read-setup")}o($E,"buildReadAuthorizationSetupPath");function LE(){return xe("oauth/register-client")}o(LE,"buildRegisterClientPath");function jE(){return xe("oauth/read-client")}o(jE,"buildReadClientPath");function HE(){return xe("authorization/start")}o(HE,"buildStartAuthorizationPath");function GE(){return xe("authorization/read-pending")}o(GE,"buildReadPendingAuthorizationPath");function BE(){return xe("authorization/advance-pending")}o(BE,"buildAdvancePendingAuthorizationPath");function VE(){return xe("authorization/decide-setup")}o(VE,"buildDecideAuthorizationSetupPath");function FE(){return xe("token/exchange-authorization-code")}o(FE,"buildExchangeAuthorizationCodePath");function ZE(){return xe("token/refresh")}o(ZE,"buildRefreshTokenPath");function KE(){return xe("token/revoke")}o(KE,"buildRevokeOAuthTokenPath");function WE(){return xe("token/validate-access-token")}o(WE,"buildValidateAccessTokenPath");function JE(){return xe("mcp/authorize-and-load-connections")}o(JE,"buildAuthorizeAndLoadConnectionsPath");function YE(){return xe("upstream-oauth-state/save")}o(YE,"buildSaveUpstreamOAuthStatePath");function XE(){return xe("upstream-oauth-state/consume")}o(XE,"buildConsumeUpstreamOAuthStatePath");function QE(){return xe("browser-connect-ticket/consume")}o(QE,"buildConsumeBrowserConnectTicketPath");function ex(e,t){return e.ownerMode===t.owner.mode&&e.tenantId===t.owner.tenantId&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(ex,"responseKeyMatchesLookup");function tx(e,t){return e.owner.mode===t.owner.mode&&e.owner.tenantId===t.owner.tenantId&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(tx,"authorizationSetupMatchesLookup");function E_(e,t){return e.ownerMode===t.owner.mode&&e.tenantId===t.owner.tenantId&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(E_,"connectionMatchesLookup");function rx(e,t){return e.ownerMode===t.ownerMode&&(e.tenantId??"")===(t.tenantId??"")&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&nl(e.scopes,t.scopes)&&rl(e.expiresAt,t.expiresAt)&&ox(e.metadata,t.metadata)}o(rx,"connectionMatchesUpsertRecord");function rl(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}o(rl,"optionalTimestampInstantsMatch");function nx(e,t){return Date.parse(e)<=Date.parse(t)}o(nx,"timestampInstantIsAtOrBefore");function nl(e,t){return e.length===t.length&&e.every((r,n)=>r===t[n])}o(nl,"stringArraysMatch");function ox(e,t){let r=k_(e),n=k_(t),a=Object.fromEntries(n);return r.length===n.length&&r.every(([i,s])=>a[i]===s)}o(ox,"metadataMatches");function k_(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}o(k_,"definedMetadataEntries");function ge(e,t){throw g({code:"internal_server_error",privateDetail:e,cause:t})}o(ge,"throwInvalidStorageResponse");async function ax(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){ge("Gateway Service storage response did not match the runtime storage contract.",r)}}o(ax,"parseRuntimeHttpStorageResponse");function x_(e,t){e.length!==t.length&&ge("Gateway Service storage response item count did not match the request.");for(let[r,n]of e.entries()){let a=t[r];ex(n.key,a)||ge("Gateway Service storage response key did not match the request."),n.connection!==void 0&&!E_(n.connection,a)&&ge("Gateway Service storage response connection did not match the response key.")}}o(x_,"validateUpstreamConnectionItemsMatchLookups");function ix(e,t){tx(e,t)||ge("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!E_(e.connection,t)&&ge("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",n=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==n||!rl(e.connectionStatus.updatedAt,a))&&ge("Gateway Service storage response authorization setup status did not match the connection.")}o(ix,"validateAuthorizationSetupResponseMatchesLookup");function sx(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&ge("Gateway Service storage response registered client did not match the request.")}o(sx,"validateRegisterClientResponseMatchesRequest");function cx(e,t){e.kind==="found"&&e.client.clientId!==t.clientId&&ge("Gateway Service storage response client did not match the request.")}o(cx,"validateReadClientResponseMatchesRequest");function ux(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.virtualServerId!==t.virtualServerId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&ge("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.tenantId!==t.principal.tenantId||e.transaction.principal.subjectId!==t.principal.subjectId)&&ge("Gateway Service storage response started authorization principal did not match the request."))}o(ux,"validateStartAuthorizationResponseMatchesRequest");function P_(e,t){e.kind!=="available"&&e.kind!=="advanced"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&ge("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.tenantId!==t.principal.tenantId||e.transaction.principal.subjectId!==t.principal.subjectId)&&ge("Gateway Service storage response advanced authorization did not match the request."))}o(P_,"validatePendingAuthorizationResponseMatchesRequest");function dx(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.tenantId!==t.currentPrincipal.tenantId||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&ge("Gateway Service storage response authorization setup transaction did not match the request.")}o(dx,"validateAuthorizationSetupDecisionResponseMatchesRequest");function lx(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!rl(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&ge("Gateway Service storage response authorization-code exchange did not match the request.")}o(lx,"validateExchangeAuthorizationCodeResponseMatchesRequest");function px(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&ge("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!nx(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!fx(e.accessToken,e.grant))&&ge("Gateway Service storage response token refresh access token did not match the request."))}o(px,"validateRefreshTokenResponseMatchesRequest");function mx(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&ge("Gateway Service storage response access token did not match the request.")}o(mx,"validateAccessTokenValidationResponseMatchesRequest");function hx(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.virtualServerId!==t.virtualServerId||e.principal.tenantId!==e.accessToken.tenantId||e.principal.subjectId!==e.accessToken.subjectId||!nl(e.principal.roles,e.accessToken.roles))&&ge("Gateway Service storage response MCP authorization did not match the request."),x_(e.upstreamConnections,t.upstreamConnectionKeys))}o(hx,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function fx(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.virtualServerId===t.virtualServerId&&e.tenantId===t.tenantId&&e.subjectId===t.subjectId&&e.scope===t.scope&&nl(e.roles,t.roles)}o(fx,"accessTokenMatchesGrant");async function gx(e){try{return await e.clone().json()}catch{return}}o(gx,"readProblemDetails");async function _x(e){let t=await gx(e),r=A_(t)&&typeof t.status=="number"?t.status:e.status,n=A_(t)&&Uo(t.code)?t.code:pd(r);throw g({code:n,privateDetail:`Gateway Service storage request failed with HTTP ${r}.`})}o(_x,"throwRuntimeHttpStorageError");var Ki=class{static{o(this,"RuntimeHttpStorageClient")}#t;#r;constructor(t){this.#t=t.baseUrl??gp.instance.zuploEdgeApiUrl,this.#r=t.fetch??fetch}async#e(t){let r=t.requestSchema.parse(t.input),n=new URL(t.path,this.#t),a=new Headers({"Content-Type":"application/json"});_p(a);let i=await this.#r(n,{method:"POST",headers:a,body:JSON.stringify(r)});return i.ok||await _x(i),{request:r,response:await ax(i,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],n=new Map,a=t.map(s=>{let u=Dr(s),d=n.get(u);if(d!==void 0)return d;let l=r.length;return r.push(s),n.set(u,l),l}),i=[];for(let s=0;s<r.length;s+=T_){let u=r.slice(s,s+T_);i.push(...await this.#n(u))}return a.map(s=>i[s])}async upsertUpstreamConnection(t){let{request:r,response:n}=await this.#e({input:t,path:qE(),requestSchema:Kg,responseSchema:Wg});return rx(n,r)||ge("Gateway Service storage response connection did not match the request."),n}async readAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:$E(),requestSchema:Jg,responseSchema:Yg});return ix(n,r),n}async registerClient(t){let{request:r,response:n}=await this.#e({input:t,path:LE(),requestSchema:Xg,responseSchema:Qg});return sx(n,r),n}async readClient(t){let{request:r,response:n}=await this.#e({input:t,path:jE(),requestSchema:e_,responseSchema:t_});return cx(n,r),n}async startAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:HE(),requestSchema:r_,responseSchema:n_});return ux(n,r),n}async readPendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:GE(),requestSchema:o_,responseSchema:a_});return P_(n,r),n}async advancePendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:BE(),requestSchema:i_,responseSchema:s_});return P_(n,r),n}async decideAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:VE(),requestSchema:c_,responseSchema:u_});return dx(n,r),n}async saveUpstreamOAuthState(t){let{response:r}=await this.#e({input:t,path:YE(),requestSchema:w_,responseSchema:v_});return r}async consumeUpstreamOAuthState(t){let{request:r,response:n}=await this.#e({input:t,path:XE(),requestSchema:R_,responseSchema:b_});return n.kind==="available"&&n.record.id!==r.id&&ge("Gateway Service storage response upstream OAuth state did not match the request."),n}async consumeBrowserConnectTicket(t){let{response:r}=await this.#e({input:t,path:QE(),requestSchema:C_,responseSchema:I_});return r}async exchangeAuthorizationCode(t){let{request:r,response:n}=await this.#e({input:t,path:FE(),requestSchema:d_,responseSchema:l_});return lx(n,r),n}async refreshToken(t){let{request:r,response:n}=await this.#e({input:t,path:ZE(),requestSchema:p_,responseSchema:m_});return px(n,r),n}async revokeOAuthToken(t){let{response:r}=await this.#e({input:t,path:KE(),requestSchema:h_,responseSchema:f_});return r}async validateAccessToken(t){let{request:r,response:n}=await this.#e({input:t,path:WE(),requestSchema:g_,responseSchema:__});return mx(n,r),n}async authorizeAndLoadConnections(t){let{request:r,response:n}=await this.#e({input:t,path:JE(),requestSchema:y_,responseSchema:S_});return hx(n,r),n}async#n(t){let r={items:[...t]},{response:n}=await this.#e({input:r,path:ME(),requestSchema:Zg,responseSchema:Yd});return x_(n.items,t),n.items.map(a=>a.connection)}};var ol=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpUpstreamConnectionRepository")}batchGet(t){return this.client.batchGetUpstreamConnections(t)}upsert(t){return this.client.upsertUpstreamConnection(t)}},al=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpDownstreamOAuthRepository")}#t=new Map;#r=new Map;async getDcrClient(t){let r=this.#t.get(t);if(r&&r.redirectUris.length>0)return r;let n=await this.client.readClient({clientId:t});if(n.kind!=="missing")return this.#t.set(t,n.client),n.client}async saveDcrClient(t){if((await this.client.registerClient(t)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");this.#t.set(t.clientId,t)}async savePendingAuthorizationTransaction(t,r){let{id:n,...a}=t,i=await this.client.startAuthorization({...a,transactionId:n,...r?.client===void 0?{}:{client:r.client}});switch(i.kind){case"started":return this.#e(i.client),{kind:"saved"};case"already_exists":return{kind:"already_exists"};case"invalid_client":throw new U("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new U("invalid_request","redirect_uri is not registered for the client.")}}async advancePendingAuthorizationTransaction(t){let r=await this.client.advancePendingAuthorization({transactionId:t.id,expectedPhase:t.expectedPhase,currentStateHash:t.currentStateHash,nextStateHash:t.nextStateHash,nextPhase:t.nextPhase,principal:t.principal,now:O(t.now)});return r.kind==="advanced"?(this.#e(r.client),{kind:"advanced",record:r.transaction}):r}async getPendingAuthorizationTransaction(t){let r=await this.client.readPendingAuthorization({transactionId:t.id,currentStateHash:t.currentStateHash,now:O(t.now)});return r.kind==="available"?(this.#e(r.client),{kind:"available",record:r.transaction}):r}async consumePendingAuthorizationTransaction(t){let r=await this.getPendingAuthorizationTransaction(t);return r.kind!=="available"?r.kind==="consumed"?{kind:"consumed_already"}:r:r.record.phase!=="awaiting_setup"?{kind:"missing"}:(this.#r.set(r.record.id,{currentStateHash:t.currentStateHash,now:t.now,transaction:r.record}),{kind:"consumed",record:r.record})}async issueAuthorizationCode(t){let r=this.#r.get(t.id);if(!r)throw g("internal_server_error","Authorization code issuance requires a pending setup decision.");let n=await this.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:r.currentStateHash,currentPrincipal:{tenantId:r.transaction.principal.tenantId,subjectId:r.transaction.principal.subjectId},authorizationCodeHash:t.codeHash,authorizationCodeExpiresAt:t.expiresAt,grantId:t.grantId,now:O(r.now)});if(this.#r.delete(t.id),n.kind!=="approved")throw g("oauth_state_invalid","Authorization setup state is invalid, expired, or already used.")}async exchangeAuthorizationCode(t){let r=await this.exchangeAuthorizationCodeWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},codeHash:t.codeHash,redirectUri:t.redirectUri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:t.codeChallenge,currentRefreshTokenHash:t.currentRefreshTokenHash,accessTokenHash:t.accessTokenHash,grantExpiresAt:t.grantExpiresAt,accessTokenExpiresAt:t.accessTokenExpiresAt,now:O(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r.kind==="exchanged"?{kind:"exchanged",grant:r.grant}:r}async saveAccessToken(t){throw g("internal_server_error","Runtime HTTP access-token save is covered by token exchange/refresh operations.")}async validateAccessToken(t){return this.client.validateAccessToken({tokenHash:t.tokenHash,now:O(t.now)})}async rotateRefreshToken(t){throw g("internal_server_error","Runtime HTTP refresh-token rotation is covered by the token refresh operation.")}async revokeOAuthToken(t){let r=await this.revokeOAuthTokenWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},tokenHash:t.tokenHash,now:O(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r}async revokeGrant(t){throw g("internal_server_error","Runtime HTTP grant revocation is not exposed as a standalone storage operation.")}decideAuthorizationSetup(t){return this.client.decideAuthorizationSetup(t)}exchangeAuthorizationCodeWithClientAuth(t){return this.client.exchangeAuthorizationCode(t)}refreshTokenWithClientAuth(t){return this.client.refreshToken(t)}revokeOAuthTokenWithClientAuth(t){return this.client.revokeOAuthToken(t)}authorizeAndLoadConnections(t){return this.client.authorizeAndLoadConnections(t)}#e(t){this.#t.has(t.clientId)||this.#t.set(t.clientId,{clientId:t.clientId,clientName:t.clientName,redirectUris:[],tokenEndpointAuthMethod:t.tokenEndpointAuthMethod,clientExpiresAt:O(new Date(864e10)),createdAt:O(new Date(0))})}},il=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpOAuthStateStore")}async save(t){await this.client.saveUpstreamOAuthState({record:t})}consumeForCallback(t){return this.client.consumeUpstreamOAuthState({id:t,now:O(new Date)})}},sl=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpBrowserConnectTicketStore")}consume(t,r){return this.client.consumeBrowserConnectTicket({id:t,expiresAt:O(r),now:O(new Date)})}};function O_(e={}){let t=new Ki(e);return{upstreamConnectionRepository:new ol(t),downstreamOAuthRepository:new al(t),oauthStateStore:new il(t),browserConnectTicketStore:new sl(t)}}o(O_,"createRuntimeHttpStorageBackend");var yx="__zuploMcpGatewayStorageBackend",cl;function Sx(e){return{upstreamConnectionRepository:new Vi(e),downstreamOAuthRepository:new Li(e),oauthStateStore:new Fi(e),browserConnectTicketStore:new Zi(e)}}o(Sx,"createPostgresStorageBackend");function wx(e){let t=xg(e),r=Ug(t);return Sx(r)}o(wx,"buildPostgresStorageBackend");function vx(){let e=$i().TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING;return e?wx(e):O_()}o(vx,"buildProductionStorageBackend");function q(){let e=globalThis[yx];return e||(cl||(cl=vx()),cl)}o(q,"getStorage");function ul(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(ul,"readBearerToken");function Rx(e,t,r){return Ze(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(Rx,"gatewayAuthenticationRequiredResponse");async function bx(e,t,r){let n=await q().downstreamOAuthRepository.validateAccessToken({tokenHash:await F(e),now:new Date});if(n.kind!=="valid")throw t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed"),g("authentication_required","Gateway access token is expired, revoked, or invalid.");return n.record}o(bx,"validateGatewayAccessToken");function Cx(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(Cx,"assertAccessTokenResource");function Ix(e,t,r){return Ze(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":An({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${ce} scope required by this MCP resource.`,scope:ce})}})}o(Ix,"insufficientScopeResponse");function Tx(e){return{subjectId:e.subjectId,tenantId:e.tenantId,roles:e.roles}}o(Tx,"principalFromAccessToken");function Ax(e){let t=de(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),Ze(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":An({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(Ax,"gatewayTokenRejectedResponse");async function dl(e,t){let r=Rn(t),n=Nr(r.virtualServerId,e.url),a=ul(e),i=An({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),Rx(e,t,i);try{let s=await bx(a,t,r.virtualServerId);if(Cx({accessToken:s,resource:n,virtualServerId:r.virtualServerId},t),s.scope!==ce)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:s.scope,requiredScope:ce,virtualServerId:r.virtualServerId,clientId:s.clientId},"Gateway access token does not have the required MCP scope"),Ix(e,t,r.virtualServerId);let u=Tx(s);return Ag(t,u),ld(t,u),e}catch(s){return Ax({request:e,context:t,error:s,virtualServerId:r.virtualServerId})}}o(dl,"gatewayTokenInbound");var kx=2,U_=4,Px=24,Ex=16,z_=512,xx=/(token|secret|authorization|password|cookie|credential|client[_-]?secret|code[_-]?verifier|(^|[_-])(code|state|verifier)($|[_-]))/i,Ox=/("(?:access_token|refresh_token|id_token|client_secret|authorization|password|cookie|code|state|code_verifier)"\s*:\s*")([^"]*)(")/gi,Ux=/\b(access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|cookie|code|state|code[_-]?verifier)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,;&]+)/gi,zx=/\b(authorization)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|(?:Bearer|Basic)\s+[^\s,;]+|[^\s,;]+)/gi,Nx=/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi,Dx=/\bBasic\s+[A-Za-z0-9+/=-]+/gi;function N_(e){let t=e.route;return t&&typeof t=="object"?t:void 0}o(N_,"readRoute");function Mx(e){let t=N_(e)?.path;return typeof t=="string"&&t.length>0?t:void 0}o(Mx,"readRoutePath");function qx(e){let t=N_(e)?.raw;if(typeof t!="function")return;let r=t();if(!r||typeof r!="object")return;let n=r.operationId;return typeof n=="string"&&n.length>0?n:void 0}o(qx,"readRouteOperationId");function $x(e){if(!(e===void 0||!Number.isFinite(e)||e<100))return`${Math.trunc(e/100)}xx`}o($x,"deriveStatusClass");function Lx(e,t){if(!(!e&&!t))return e==="user"?t==="user_oauth"?"upstream_user_attributed":"gateway_user_attributed_only":e==="tenant_shared"?"tenant_shared_upstream_identity":e==="none"?"machine_identity":"unknown"}o(Lx,"deriveOriginAttributionMode");function jx(e){if(!e)return;let t=e.toLowerCase();return t.includes("desktop")||t.includes("claude")||t.includes("chatgpt")?"desktop":t.includes("vscode")||t.includes("cursor")||t.includes("zed")||t.includes("jetbrains")||t.includes("ide")?"ide":t.includes("extension")?"extension":t.includes("agent")||t.includes("bot")||t.includes("worker")||t.includes("service")?"service":"unknown"}o(jx,"deriveClientKind");function Hx(e,t){return t==="success"?"none":e===H.MCP_GATEWAY_REQUEST_RECEIVED||e===H.MCP_GATEWAY_REQUEST_REJECTED||e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"ingress":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_INITIALIZE_NEGOTIATED?"routing":e===H.MCP_GATEWAY_POLICY_DECISION?"policy":e===H.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e.startsWith("mcp_gateway_capability_")||e.startsWith("mcp_gateway_catalog_")?"upstream":e===H.MCP_GATEWAY_REQUEST_COMPLETED?"egress":"none"}o(Hx,"deriveFailureStage");function Gx(e,t){return t==="success"?"none":t==="application_error"?"mcp_application":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_POLICY_DECISION||e===H.MCP_GATEWAY_GUARDRAIL_DECISION||e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e===H.MCP_GATEWAY_CAPABILITY_FAILED||e===H.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED?"upstream":e===H.MCP_GATEWAY_REQUEST_REJECTED||e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"client":"gateway"}o(Gx,"deriveFailureOrigin");function Bx(e,t){return t==="success"?"none":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_POLICY_DECISION?"policy":e===H.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"rate_limit":e.startsWith("mcp_gateway_upstream_")?"upstream":e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR||e===H.MCP_GATEWAY_REQUEST_REJECTED?"protocol":"none"}o(Bx,"deriveReasonClass");function Vx(e){return e.length<=z_?e:`${e.slice(0,z_)}...`}o(Vx,"truncateAnalyticsString");function Fx(e){return Vx(e.replace(Ox,"$1[REDACTED]$3").replace(zx,"$1$2[REDACTED]").replace(Ux,"$1$2[REDACTED]").replace(Nx,"Bearer [REDACTED]").replace(Dx,"Basic [REDACTED]"))}o(Fx,"redactAnalyticsString");function D_(e,t){if(e!==void 0){if(e===null||typeof e=="boolean")return e;if(typeof e=="string")return Fx(e);if(typeof e=="number")return Number.isFinite(e)?e:void 0;if(Array.isArray(e))return t>=U_?"[DEPTH_LIMIT]":e.slice(0,Ex).map(r=>D_(r,t+1)).filter(r=>r!==void 0);if(typeof e=="object")return e instanceof Date?e.toISOString():t>=U_?"[DEPTH_LIMIT]":M_(e,t+1)}}o(D_,"sanitizeAnalyticsValue");function M_(e,t=0){if(!e)return;let r={};for(let[n,a]of Object.entries(e).slice(0,Px)){if(xx.test(n)){r[n]="[REDACTED]";continue}let i=D_(a,t);i!==void 0&&(r[n]=i)}return Object.keys(r).length===0?void 0:r}o(M_,"sanitizeMcpGatewayAnalyticsAttributes");function z(e){return e===void 0?null:e}o(z,"nullable");function Zx(e){let t=e.environment;return t&&typeof t=="object"&&typeof t.name=="string"?t.name:null}o(Zx,"readEnvironment");function Kx(e){let t=e.requestId;return typeof t=="string"&&t.length>0?t:null}o(Kx,"readRequestId");function Wx(e){if(e===void 0)return null;try{return JSON.stringify(e)}catch{return null}}o(Wx,"attributesToJsonString");function Jx(e,t){let r=Hd(e),n=No(e),a=M_(t.attributes),i=Kx(e),s=t.ownerMode??t.routeBinding?.ownerMode??null,u=t.upstreamAuthMode??t.routeBinding?.authMode??null,d=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId??null,l=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId??null,p=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName??null,m=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId??null,f=t.clientKind??jx(t.clientName)??null,_=Lx(s??void 0,u??void 0)??null,S=$x(t.httpStatusCode)??null,y=t.reasonClass??Bx(t.eventType,t.outcome),w=t.failureOrigin??Gx(t.eventType,t.outcome),v=t.failureStage??Hx(t.eventType,t.outcome);return{schemaVersion:kx,outcome:t.outcome,tenantId:z(r?.tenantId),subjectId:z(r?.subjectId),environment:Zx(e),traceId:t.traceId??i,spanId:z(t.spanId),parentEventId:z(t.parentEventId),mcpSessionId:z(t.mcpSessionId),routeSurface:z(t.routeSurface),routePath:Mx(e)??null,operationId:qx(e)??null,virtualServerName:d,virtualServerTitle:z(t.virtualServerTitle),upstreamServerName:l,upstreamServerTitle:p,upstreamBindingId:z(t.upstreamBindingId),clientName:z(t.clientName),clientTitle:z(t.clientTitle),clientVersion:z(t.clientVersion),clientKind:f,authProfileId:m,upstreamAuthMode:u,ownerMode:s,authMethod:z(t.authMethod),originAttributionMode:_,httpMethod:z(t.httpMethod),httpStatusCode:z(t.httpStatusCode),statusClass:S,mcpMethod:z(t.mcpMethod),mcpProtocolVersion:z(t.mcpProtocolVersion),mcpStatus:z(t.mcpStatus),mcpErrorType:z(t.mcpErrorType),applicationError:z(t.applicationError),applicationErrorCode:z(t.applicationErrorCode),toolResultIsError:z(t.toolResultIsError),capabilityType:z(t.capabilityType),capabilityName:z(t.capabilityName),capabilityTitle:z(t.capabilityTitle),upstreamCapabilityName:z(t.upstreamCapabilityName),upstreamCapabilityTitle:z(t.upstreamCapabilityTitle),capabilitySchemaHash:z(t.capabilitySchemaHash),policyId:z(t.policyId),policyAction:z(t.policyAction),guardrailType:z(t.guardrailType),guardrailDirection:z(t.guardrailDirection),guardrailFindingCount:z(t.guardrailFindingCount),redactionCount:z(t.redactionCount),requestMutated:z(t.requestMutated),responseMutated:z(t.responseMutated),latencyMs:z(t.latencyMs),gatewayLatencyMs:z(t.gatewayLatencyMs),upstreamLatencyMs:z(t.upstreamLatencyMs),authLatencyMs:z(t.authLatencyMs),policyLatencyMs:z(t.policyLatencyMs),requestBytes:z(t.requestBytes),responseBytes:z(t.responseBytes),estimatedInputTokens:z(t.estimatedInputTokens),estimatedOutputTokens:z(t.estimatedOutputTokens),estimatedContextTokens:z(t.estimatedContextTokens),contextPressureBucket:z(t.contextPressureBucket),responseMimeTypes:z(t.responseMimeTypes),base64Suspected:z(t.base64Suspected),truncated:z(t.truncated),isLargePayloadRequest:z(t.isLargePayloadRequest),isLargePayloadResponse:z(t.isLargePayloadResponse),payloadCaptureMode:z(t.payloadCaptureMode),reasonCode:z(t.reasonCode),reasonClass:y,errorType:t.errorType??t.reasonCode??null,failureOrigin:w,failureStage:v,customMetadataJson:z(t.customMetadataJson),attributesJson:Wx(a)}}o(Jx,"buildMcpGatewayAnalyticsMetadata");function We(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,Jx(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_gateway_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(We,"emitMcpGatewayAnalyticsEvent");function Je(e){let t=st().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(Je,"getUpstreamServerConfig");function Yx(e){let t=st().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(Yx,"resolveUpstreamAuthProfileId");function hr(e){Yx(e);let t=st().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(hr,"getUpstreamAuthConfig");function qr(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(!Bf(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(qr,"requireUpstreamOAuthConfig");var Xx={tenant_shared_oauth:{authMode:"tenant_shared_oauth",ownerMode:"tenant_shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},user_oauth:{authMode:"user_oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},static_secret:{authMode:"static_secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured_static_secret"},tenant_static_secret:{authMode:"tenant_static_secret",ownerMode:"tenant_shared",connectSupport:"none",connectUnsupportedDetail:"Tenant static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"tenant_static_secret_connection"},user_static_secret:{authMode:"user_static_secret",ownerMode:"user",connectSupport:"user_static_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_static_secret_connection"}};function At(e){return Xx[e]}o(At,"describeUpstreamAuthMode");function Wi(e){return At(e).ownerMode}o(Wi,"resolveOwnerModeForUpstreamAuthMode");Y();import{errors as B_,jwtVerify as V_,SignJWT as F_}from"jose";import{base64url as Qx}from"jose";var eO=new TextEncoder,ll=32;function q_(e,t={}){let r=[tO(e),eO.encode(e)],n;for(let a of r)if(a){if(a.byteLength>=ll){n=a;break}(n===void 0||a.byteLength>n.byteLength)&&(n=a)}if(n===void 0||n.byteLength<ll){let a=t.name??"secret key material",i=n?.byteLength??0;throw new Error(`${a} must decode to at least ${ll} bytes (got ${i}). Generate a high-entropy value with for example: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='.`)}return n}o(q_,"decodeConfiguredSecretKeyMaterial");function tO(e){try{return Qx.decode(e)}catch{return}}o(tO,"tryDecodeBase64Url");var $_=new Map,L_=new Map;function rO(e){let t=$_.get(e);return t||(t=q_($i()[e],{name:e}),$_.set(e,t)),t}o(rO,"getMasterKeyMaterial");async function kt(e){let t=L_.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(rO(e.envVar));return L_.set(e.purpose,r),r}o(kt,"readCachedDerivedKey");var nO="SHA-256";var oO="zuplo-mcp-gateway:",aO=new TextEncoder,j_=new WeakMap;async function fr(e,t){let r=j_.get(e);r||(r=new Map,j_.set(e,r));let n=r.get(t);if(n)return n;let a=await iO(e,t);return r.set(t,a),a}o(fr,"deriveGatewaySigningKey");async function iO(e,t){let r=H_(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=aO.encode(`${oO}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:nO,salt:new Uint8Array,info:H_(a)},n,32*8);return new Uint8Array(i)}o(iO,"hkdfExpand");function H_(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(H_,"copyToArrayBuffer");var Ji="HS256",Z_=15*60,sO=15*60,Yi="zuplo-mcp-gateway",Xi="zuplo-mcp-gateway",cO=Dg.extend({id:En}),uO=cO.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),K_=kn.extend({id:Bo,purpose:c.literal("browser_connect")}),dO=kn.extend({purpose:c.literal("browser_connect")}),lO=K_.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),W_=Z_*1e3;async function J_(){return kt({purpose:"oauth-state",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"oauth-state"),"derive")})}o(J_,"getOAuthStateKey");async function Y_(){return kt({purpose:"browser-connect",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-connect"),"derive")})}o(Y_,"getBrowserConnectKey");async function X_(e){let t=Math.floor(Date.now()/1e3)+Z_;return new F_(e).setProtectedHeader({alg:Ji,typ:"JWT"}).setIssuer(Yi).setAudience(Xi).setIssuedAt().setExpirationTime(t).sign(await J_())}o(X_,"signOAuthState");async function Qi(e){try{let{payload:t}=await V_(e,await J_(),{algorithms:[Ji],issuer:Yi,audience:Xi});return uO.parse(t)}catch(t){throw t instanceof B_.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(Qi,"verifyOAuthState");async function Q_(e){let t=Math.floor(Date.now()/1e3)+sO,r=dO.parse(e),n=K_.parse({...r,id:jg()});return new F_(n).setProtectedHeader({alg:Ji,typ:"JWT"}).setIssuer(Yi).setAudience(Xi).setIssuedAt().setExpirationTime(t).sign(await Y_())}o(Q_,"signBrowserConnectTicket");async function es(e){try{let{payload:t}=await V_(e,await Y_(),{algorithms:[Ji],issuer:Yi,audience:Xi});return lO.parse(t)}catch(t){throw t instanceof B_.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o(es,"verifyBrowserConnectTicket");async function ts(e){if((await q().browserConnectTicketStore.consume(e.id,new Date(e.exp*1e3))).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o(ts,"consumeBrowserConnectTicket");function pO(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(pO,"buildConnectRequiredMessage");async function ey(e){let t=re(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await Q_({...Go(e),purpose:"browser_connect"})),r.toString()}o(ey,"buildGatewayBrowserTicketUrl");function mO(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(mO,"buildGatewayConnectPath");async function pl(e){return ey({...e,path:mO(e.upstreamServerId),redirect:!0})}o(pl,"buildGatewayConnectUrl");async function ty(e){return ey({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(ty,"buildGatewayAppPasswordCaptureUrl");async function On(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await pl(t),message:pO(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(On,"buildRedirectConnectRequiredResponse");function ry(e){return ny({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(ry,"buildAdminConnectRequiredResponse");function ny(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(ny,"buildAdminSetupRequiredResponse");function oy(e){return ny({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(oy,"buildAdminStaticSecretRequiredResponse");Y();import{base64url as gr}from"jose";var hO="SHA-256",zn="AES-GCM",fO=12,hl="zuplo-secret",fl=1,ay="env:TOKEN_ENCRYPTION_KEY",gO=c.object({version:c.literal(fl),keyId:c.literal(ay),algorithm:c.literal(zn),iv:c.string().min(1),ciphertext:c.string().min(1)}).strict();function Un(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Un,"copyToArrayBuffer");async function ml(){return kt({purpose:"token-encryption",envVar:"TOKEN_ENCRYPTION_KEY",derive:o(async e=>{let t=await crypto.subtle.digest(hO,Un(e));return crypto.subtle.importKey("raw",t,{name:zn},!1,["encrypt","decrypt"])},"derive")})}o(ml,"getEncryptionKey");function iy(e){return Un(new TextEncoder().encode(`${hl}:v${e.version}:${e.keyId}`))}o(iy,"getAssociatedData");function _O(e){return`${hl}:v${e.version}:${gr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(_O,"encodeEnvelope");function yO(e){let t=`${hl}:v${fl}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(gr.decode(r));return gO.parse(JSON.parse(n))}o(yO,"decodeEnvelope");async function $r(e){let t=await ml(),r=crypto.getRandomValues(new Uint8Array(fO)),n={version:fl,keyId:ay},a=await crypto.subtle.encrypt({name:zn,iv:r,additionalData:iy(n)},t,new TextEncoder().encode(e));return _O({...n,algorithm:zn,iv:gr.encode(r),ciphertext:gr.encode(new Uint8Array(a))})}o($r,"encryptSecret");async function Bt(e){let t=yO(e);if(t){let s=await ml(),u=await crypto.subtle.decrypt({name:zn,iv:Un(gr.decode(t.iv)),additionalData:iy(t)},s,Un(gr.decode(t.ciphertext)));return new TextDecoder().decode(u)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await ml(),i=await crypto.subtle.decrypt({name:zn,iv:Un(gr.decode(r))},a,Un(gr.decode(n)));return new TextDecoder().decode(i)}o(Bt,"decryptSecret");function SO(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(r.mode!=="tenant_static_secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(SO,"requireTenantStaticSecretConfig");function sy(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(sy,"hasUsableTenantStaticSecret");async function wO(e){if(!sy(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await Bt(e.connection.metadata.encryptedStaticSecret)}}o(wO,"resolveTenantStaticSecretCredential");async function cy(e){let t=Je(e.upstreamServerId);SO(e.upstreamServerId,e.authProfileId);let r="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(sy(r))return{kind:"authorized",credential:await wO({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:oy(n)}}o(cy,"resolveTenantStaticSecretCredentialForRequest");Y();async function gl(e){return q().upstreamConnectionRepository.upsert({id:Bi(),tenantId:e.owner.tenantId,ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(gl,"upsertStaticSecretConnection");var vO=c.string().trim().min(1).max(320),RO=c.string().min(1).max(4096),bO=c.string().trim().min(1).max(4096);function _l(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(r.mode!=="user_static_secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(_l,"requireUserStaticSecretConfig");function CO(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(CO,"encodeBase64Utf8");function IO(e){return`Basic ${CO(`${e.username}:${e.appPassword}`)}`}o(IO,"buildBasicAuthHeader");function uy(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(uy,"hasEncryptedUserStaticSecret");async function TO(e){if(!uy(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await Bt(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:IO({username:e.connection.metadata.staticSecretUsername,appPassword:await Bt(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(TO,"resolveUserStaticSecretCredential");async function dy(e){if(_l(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=vO.parse(e.username),n=RO.parse(e.appPassword);return gl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await $r(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(dy,"saveUserStaticSecretCredential");async function rs(e){let t=_l(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=bO.parse(e.token);return gl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await $r(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(rs,"saveUserStaticBearerTokenCredential");function yl(e,t){return _l(e,t)}o(yl,"readUserStaticSecretCaptureConfig");async function ly(e){let t=Je(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(uy(r))return{kind:"authorized",credential:await TO({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await On(n)}}o(ly,"resolveUserStaticSecretCredentialForRequest");function py(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return ty({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(py,"buildUserStaticSecretConnectUrl");var Sl;Sl=globalThis.crypto;async function AO(e){return(await Sl).getRandomValues(new Uint8Array(e))}o(AO,"getRandomValues");async function kO(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await AO(e-n.length);for(let i of a)i<r&&(n+=t[i%t.length])}return n}o(kO,"random");async function PO(e){return await kO(e)}o(PO,"generateVerifier");async function EO(e){let t=await(await Sl).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(EO,"generateChallenge");async function wl(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await PO(e),r=await EO(t);return{code_verifier:t,code_challenge:r}}o(wl,"pkceChallenge");Y();var Oe=vp().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Ip.custom,message:"URL must be parseable",fatal:!0}),Sp}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),ns=Se({resource:h().url(),authorization_servers:b(Oe).optional(),jwks_uri:h().url().optional(),scopes_supported:b(h()).optional(),bearer_methods_supported:b(h()).optional(),resource_signing_alg_values_supported:b(h()).optional(),resource_name:h().optional(),resource_documentation:h().optional(),resource_policy_uri:h().url().optional(),resource_tos_uri:h().url().optional(),tls_client_certificate_bound_access_tokens:ee().optional(),authorization_details_types_supported:b(h()).optional(),dpop_signing_alg_values_supported:b(h()).optional(),dpop_bound_access_tokens_required:ee().optional()}),Fo=Se({issuer:h(),authorization_endpoint:Oe,token_endpoint:Oe,registration_endpoint:Oe.optional(),scopes_supported:b(h()).optional(),response_types_supported:b(h()),response_modes_supported:b(h()).optional(),grant_types_supported:b(h()).optional(),token_endpoint_auth_methods_supported:b(h()).optional(),token_endpoint_auth_signing_alg_values_supported:b(h()).optional(),service_documentation:Oe.optional(),revocation_endpoint:Oe.optional(),revocation_endpoint_auth_methods_supported:b(h()).optional(),revocation_endpoint_auth_signing_alg_values_supported:b(h()).optional(),introspection_endpoint:h().optional(),introspection_endpoint_auth_methods_supported:b(h()).optional(),introspection_endpoint_auth_signing_alg_values_supported:b(h()).optional(),code_challenge_methods_supported:b(h()).optional(),client_id_metadata_document_supported:ee().optional()}),xO=Se({issuer:h(),authorization_endpoint:Oe,token_endpoint:Oe,userinfo_endpoint:Oe.optional(),jwks_uri:Oe,registration_endpoint:Oe.optional(),scopes_supported:b(h()).optional(),response_types_supported:b(h()),response_modes_supported:b(h()).optional(),grant_types_supported:b(h()).optional(),acr_values_supported:b(h()).optional(),subject_types_supported:b(h()),id_token_signing_alg_values_supported:b(h()),id_token_encryption_alg_values_supported:b(h()).optional(),id_token_encryption_enc_values_supported:b(h()).optional(),userinfo_signing_alg_values_supported:b(h()).optional(),userinfo_encryption_alg_values_supported:b(h()).optional(),userinfo_encryption_enc_values_supported:b(h()).optional(),request_object_signing_alg_values_supported:b(h()).optional(),request_object_encryption_alg_values_supported:b(h()).optional(),request_object_encryption_enc_values_supported:b(h()).optional(),token_endpoint_auth_methods_supported:b(h()).optional(),token_endpoint_auth_signing_alg_values_supported:b(h()).optional(),display_values_supported:b(h()).optional(),claim_types_supported:b(h()).optional(),claims_supported:b(h()).optional(),service_documentation:h().optional(),claims_locales_supported:b(h()).optional(),ui_locales_supported:b(h()).optional(),claims_parameter_supported:ee().optional(),request_parameter_supported:ee().optional(),request_uri_parameter_supported:ee().optional(),require_request_uri_registration:ee().optional(),op_policy_uri:Oe.optional(),op_tos_uri:Oe.optional(),client_id_metadata_document_supported:ee().optional()}),os=C({...xO.shape,...Fo.pick({code_challenge_methods_supported:!0}).shape}),Zo=C({access_token:h(),id_token:h().optional(),token_type:h(),expires_in:Tp.number().optional(),scope:h().optional(),refresh_token:h().optional()}).strip(),hy=C({error:h(),error_description:h().optional(),error_uri:h().optional()}),my=Oe.optional().or(P("").transform(()=>{})),OO=C({redirect_uris:b(Oe),token_endpoint_auth_method:h().optional(),grant_types:b(h()).optional(),response_types:b(h()).optional(),client_name:h().optional(),client_uri:Oe.optional(),logo_uri:my,scope:h().optional(),contacts:b(h()).optional(),tos_uri:my,policy_uri:h().optional(),jwks_uri:Oe.optional(),jwks:bp().optional(),software_id:h().optional(),software_version:h().optional(),software_statement:h().optional()}).strip(),vl=C({client_id:h(),client_secret:h().optional(),client_id_issued_at:K().optional(),client_secret_expires_at:K().optional()}).strip(),Ko=OO.merge(vl),N4=C({error:h(),error_description:h().optional()}).strip(),D4=C({token:h(),token_type_hint:h().optional()}).strip();function fy(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(fy,"resourceUrlFromServerUrl");function gy({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(i)}o(gy,"checkResourceAllowed");var _e=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Wo=class extends _e{static{o(this,"InvalidRequestError")}};Wo.errorCode="invalid_request";var Lr=class extends _e{static{o(this,"InvalidClientError")}};Lr.errorCode="invalid_client";var jr=class extends _e{static{o(this,"InvalidGrantError")}};jr.errorCode="invalid_grant";var Hr=class extends _e{static{o(this,"UnauthorizedClientError")}};Hr.errorCode="unauthorized_client";var Jo=class extends _e{static{o(this,"UnsupportedGrantTypeError")}};Jo.errorCode="unsupported_grant_type";var Yo=class extends _e{static{o(this,"InvalidScopeError")}};Yo.errorCode="invalid_scope";var Xo=class extends _e{static{o(this,"AccessDeniedError")}};Xo.errorCode="access_denied";var Vt=class extends _e{static{o(this,"ServerError")}};Vt.errorCode="server_error";var Qo=class extends _e{static{o(this,"TemporarilyUnavailableError")}};Qo.errorCode="temporarily_unavailable";var ea=class extends _e{static{o(this,"UnsupportedResponseTypeError")}};ea.errorCode="unsupported_response_type";var ta=class extends _e{static{o(this,"UnsupportedTokenTypeError")}};ta.errorCode="unsupported_token_type";var ra=class extends _e{static{o(this,"InvalidTokenError")}};ra.errorCode="invalid_token";var na=class extends _e{static{o(this,"MethodNotAllowedError")}};na.errorCode="method_not_allowed";var oa=class extends _e{static{o(this,"TooManyRequestsError")}};oa.errorCode="too_many_requests";var Gr=class extends _e{static{o(this,"InvalidClientMetadataError")}};Gr.errorCode="invalid_client_metadata";var aa=class extends _e{static{o(this,"InsufficientScopeError")}};aa.errorCode="insufficient_scope";var ia=class extends _e{static{o(this,"InvalidTargetError")}};ia.errorCode="invalid_target";var _y={[Wo.errorCode]:Wo,[Lr.errorCode]:Lr,[jr.errorCode]:jr,[Hr.errorCode]:Hr,[Jo.errorCode]:Jo,[Yo.errorCode]:Yo,[Xo.errorCode]:Xo,[Vt.errorCode]:Vt,[Qo.errorCode]:Qo,[ea.errorCode]:ea,[ta.errorCode]:ta,[ra.errorCode]:ra,[na.errorCode]:na,[oa.errorCode]:oa,[Gr.errorCode]:Gr,[aa.errorCode]:aa,[ia.errorCode]:ia};var Ft=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function UO(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(UO,"isClientAuthMethod");var Rl="code",bl="S256";function zO(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&UO(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(zO,"selectClientAuthMethod");function NO(e,t,r,n){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":DO(a,i,r);return;case"client_secret_post":MO(a,i,n);return;case"none":qO(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(NO,"applyClientAuthentication");function DO(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(DO,"applyBasicAuth");function MO(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(MO,"applyPostAuth");function qO(e,t){t.set("client_id",e)}o(qO,"applyPublicAuth");async function Sy(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=hy.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=n,u=_y[a]||Vt;return new u(i||"",s)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new Vt(a)}}o(Sy,"parseErrorResponse");async function _r(e,t){try{return await Cl(e,t)}catch(r){if(r instanceof Lr||r instanceof Hr)return await e.invalidateCredentials?.("all"),await Cl(e,t);if(r instanceof jr)return await e.invalidateCredentials?.("tokens"),await Cl(e,t);throw r}}o(_r,"auth");async function Cl(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),u,d,l,p=a;if(!p&&s?.resourceMetadataUrl&&(p=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(d=s.authorizationServerUrl,u=s.resourceMetadata,l=s.authorizationServerMetadata??await vy(d,{fetchFn:i}),!u)try{u=await wy(t,{resourceMetadataUrl:p},i)}catch{}(l!==s.authorizationServerMetadata||u!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:p?.toString(),resourceMetadata:u,authorizationServerMetadata:l})}else{let I=await BO(t,{resourceMetadataUrl:p,fetchFn:i});d=I.authorizationServerUrl,l=I.authorizationServerMetadata,u=I.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:p?.toString(),resourceMetadata:u,authorizationServerMetadata:l})}let m=await $O(t,e,u),f=n||u?.scopes_supported?.join(" ")||e.clientMetadata.scope,_=await Promise.resolve(e.clientInformation());if(!_){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let I=l?.client_id_metadata_document_supported===!0,N=e.clientMetadataUrl;if(N&&!Tl(N))throw new Gr(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${N}`);if(I&&N)_={client_id:N},await e.saveClientInformation?.(_);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Ye=await WO(d,{metadata:l,clientMetadata:e.clientMetadata,scope:f,fetchFn:i});await e.saveClientInformation(Ye),_=Ye}}let S=!e.redirectUrl;if(r!==void 0||S){let I=await KO(e,d,{metadata:l,resource:m,authorizationCode:r,fetchFn:i});return await e.saveTokens(I),"AUTHORIZED"}let y=await e.tokens();if(y?.refresh_token)try{let I=await ZO(d,{metadata:l,clientInformation:_,refreshToken:y.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(I),"AUTHORIZED"}catch(I){if(!(!(I instanceof _e)||I instanceof Vt))throw I}let w=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:R}=await VO(d,{metadata:l,clientInformation:_,state:w,redirectUrl:e.redirectUrl,scope:f,resource:m});return await e.saveCodeVerifier(R),await e.redirectToAuthorization(v),"REDIRECT"}o(Cl,"authInternal");function Tl(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(Tl,"isHttpsUrl");async function $O(e,t,r){let n=fy(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!gy({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o($O,"selectResourceURL");function Al(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=Il(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=Il(e,"scope")||void 0,u=Il(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:u}}o(Al,"extractWWWAuthenticateParams");function Il(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(Il,"extractFieldFromWwwAuth");async function wy(e,t,r=fetch){let n=await HO(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return ns.parse(await n.json())}o(wy,"discoverOAuthProtectedResourceMetadata");async function kl(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?kl(e,void 0,r):void 0;throw n}}o(kl,"fetchWithCorsRetry");function LO(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(LO,"buildWellKnownPath");async function yy(e,t,r=fetch){return await kl(e,{"MCP-Protocol-Version":t},r)}o(yy,"tryMetadataDiscovery");function jO(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(jO,"shouldAttemptFallback");async function HO(e,t,r,n){let a=new URL(e),i=n?.protocolVersion??Xt,s;if(n?.metadataUrl)s=new URL(n.metadataUrl);else{let d=LO(t,a.pathname);s=new URL(d,n?.metadataServerUrl??a),s.search=a.search}let u=await yy(s,i,r);if(!n?.metadataUrl&&jO(u,a.pathname)){let d=new URL(`/.well-known/${t}`,a);u=await yy(d,i,r)}return u}o(HO,"discoverMetadataWithFallback");function GO(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(GO,"buildDiscoveryUrls");async function vy(e,{fetchFn:t=fetch,protocolVersion:r=Xt}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=GO(e);for(let{url:i,type:s}of a){let u=await kl(i,n,t);if(u){if(!u.ok){if(await u.body?.cancel(),u.status>=400&&u.status<500)continue;throw new Error(`HTTP ${u.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Fo.parse(await u.json()):os.parse(await u.json())}}}o(vy,"discoverAuthorizationServerMetadata");async function BO(e,t){let r,n;try{r=await wy(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await vy(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(BO,"discoverOAuthServerInfo");async function VO(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:i,resource:s}){let u;if(t){if(u=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Rl))throw new Error(`Incompatible auth server: does not support response type ${Rl}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(bl))throw new Error(`Incompatible auth server: does not support code challenge method ${bl}`)}else u=new URL("/authorize",e);let d=await wl(),l=d.code_verifier,p=d.code_challenge;return u.searchParams.set("response_type",Rl),u.searchParams.set("client_id",r.client_id),u.searchParams.set("code_challenge",p),u.searchParams.set("code_challenge_method",bl),u.searchParams.set("redirect_uri",String(n)),i&&u.searchParams.set("state",i),a&&u.searchParams.set("scope",a),a?.includes("offline_access")&&u.searchParams.append("prompt","consent"),s&&u.searchParams.set("resource",s.href),{authorizationUrl:u,codeVerifier:l}}o(VO,"startAuthorization");function FO(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(FO,"prepareAuthorizationCodeRequest");async function Ry(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:i,fetchFn:s}){let u=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(d,r,u,t);else if(n){let p=t?.token_endpoint_auth_methods_supported??[],m=zO(n,p);NO(m,n,d,r)}let l=await(s??fetch)(u,{method:"POST",headers:d,body:r});if(!l.ok)throw await Sy(l);return Zo.parse(await l.json())}o(Ry,"executeTokenRequest");async function ZO(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:i,fetchFn:s}){let u=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await Ry(e,{metadata:t,tokenRequestParams:u,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:n,...d}}o(ZO,"refreshAuthorization");async function KO(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,u;if(e.prepareTokenRequest&&(u=await e.prepareTokenRequest(s)),!u){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let l=await e.codeVerifier();u=FO(a,l,e.redirectUrl)}let d=await e.clientInformation();return Ry(t,{metadata:r,tokenRequestParams:u,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:i})}o(KO,"fetchToken");async function WO(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!s.ok)throw await Sy(s);return Ko.parse(await s.json())}o(WO,"registerClient");var JO=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),YO=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function by(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(by,"parseIpv4Octets");function XO([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(XO,"ipv4RangeMatches");function Cy(e){let t=by(e);return t!==void 0&&YO.some(r=>XO(t,r))}o(Cy,"isPrivateIpv4");function Pl(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(Pl,"parseIpv6Word");function QO(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(QO,"formatIpv4FromWords");function eU(e){let t=e.slice(7),r=by(t);if(r!==void 0)return r.join(".");let[n,a,i]=t.split(":"),s=Pl(n),u=Pl(a);return i===void 0&&s!==void 0&&u!==void 0?QO(s,u):void 0}o(eU,"parseIpv6MappedIpv4");function tU(e){return Pl(e.split(":").find(Boolean))}o(tU,"readFirstIpv6Hextet");function rU(e){let t=ct(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=eU(t);return n===void 0||Cy(n)}let r=tU(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(rU,"isPrivateIpv6");function El(e){let t=ct(e);return JO.has(t)||t.endsWith(".internal")||Cy(t)||rU(t)}o(El,"isBlockedOutboundHostname");function Iy(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);let r=Le(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=ct(t.hostname);if(!r&&El(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(Iy,"validateConfiguredOutboundUrl");function Ty(e){let t=new URL(e);if(t.protocol!=="https:")throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");let r=ct(t.hostname);if(El(r))throw g("invalid_request",`Blocked identity provider host: ${r}`);return t}o(Ty,"validateIdentityProviderUrl");function as(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(El(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(as,"validateCimdClientMetadataUrl");function Ay(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(Ay,"mergeAbortSignals");async function nU(e){try{await e.cancel()}catch{}}o(nU,"cancelReader");async function is(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,i=await r.read();for(;!i.done;){let d=i.value;if(a+=d.byteLength,a>t.maxBytes)throw await nU(r),t.createLimitError();n.push(d),i=await r.read()}let s=new Uint8Array(a),u=0;for(let d of n)s.set(d,u),u+=d.byteLength;return s}o(is,"readBoundedByteStream");var oU=2,aU=1024*1024,iU=1e4,sU=new Set([301,302,303,307,308]),cU=["authorization","proxy-authorization","cookie","cookie2"];function xl(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(xl,"readRequestUrl");function Nn(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(Nn,"readRequestMethod");function uU(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(uU,"assertContentLengthWithinLimit");async function dU(e,t,r){return uU(e,t,r),is(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o(dU,"readBoundedResponseBody");function lU(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(lU,"responseFromBufferedBody");function pU(e,t){if(!sU.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(pU,"resolveRedirectUrl");function ky(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(ky,"validateOutboundUrl");function mU(e,t){throw de(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(mU,"normalizeFetchError");function sa(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&Ae(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(sa,"logOutboundFailure");async function hU(e,t,r,n,a,i,s){let u=Nn(r,n);try{return await t(r,n)}catch(d){let l=d instanceof DOMException&&d.name==="AbortError";sa(e,{event:l?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:u,host:it(i),error:d,extra:{abortReason:s()}}),mU(d,a)}}o(hU,"fetchWithNormalizedError");function fU(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(fU,"assertRedirectAllowed");function gU(e,t){let r=new Headers(e);for(let n of cU)r.delete(n);for(let n of t)r.delete(n);return r}o(gU,"stripCrossOriginHeaders");function _U(e,t,r,n,a){let i={...e,method:t,redirect:"manual",signal:r};return n&&(i.headers=gU(e.headers,a)),i}o(_U,"buildRedirectInit");function yU(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(yU,"buildInitialRequestInit");function SU(e){let t=Nn(e.currentInput,e.currentInit);fU({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=ky(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,i=r.toString();return{currentInput:i,currentUrl:i,currentInit:_U(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(SU,"followRedirect");async function Ol(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??oU,i=r.maxResponseBytes??aU,s=r.timeoutMs??iU,u=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],l=r.context,p=new AbortController,m=Ay(p,t.signal),f=!1,_=setTimeout(()=>{f=!0,p.abort()},s),S=e,y=yU(e,t,p.signal),w;try{w=ky(xl(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(R){throw sa(l,{event:"outbound_url_blocked",problemCode:n,method:Nn(e,t),host:it(xl(e)),error:R}),clearTimeout(_),m?.(),R}let v=0;try{for(;;){let R=await hU(l,u,S,y,n,w,()=>f?`timeout_after_${s}ms`:void 0),I=pU(R,w);if(I!==void 0)try{let N=SU({currentInput:S,currentInit:y,currentUrl:w,redirectUrl:I,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:p.signal,additionalCrossOriginStrippedHeaders:d});S=N.currentInput,y=N.currentInit,w=N.currentUrl,v=N.redirects;continue}catch(N){throw sa(l,{event:"outbound_redirect_blocked",problemCode:n,method:Nn(S,y),host:it(w),error:N,extra:{redirects:v,maxRedirects:a,redirectTargetHost:it(I)}}),N}try{return lU(R,await dU(R,i,n))}catch(N){throw sa(l,{event:"outbound_response_size_exceeded",problemCode:n,method:Nn(S,y),host:it(w),error:N,extra:{maxResponseBytes:i,status:R.status}}),N}}}finally{clearTimeout(_),m?.()}}o(Ol,"runSafeOutboundExchange");async function Ul(e,t,r){let n=await Ol(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw sa(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Nn(e,t),host:it(xl(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(Ul,"runSafeOutboundJsonExchange");function ss(e,t={},r={}){return Ol(e,t,{...r,validateUrl:Iy})}o(ss,"fetchConfiguredOutbound");function Py(e,t={},r={}){return Ul(e,t,{...r,validateUrl:Ty})}o(Py,"fetchIdentityProviderJson");function Ey(e,t={},r={}){return Ul(e,t,{...r,validateUrl:as})}o(Ey,"fetchCimdClientMetadataJson");Y();function zl(e){return`Zuplo MCP Gateway - ${e}`}o(zl,"buildGatewayOAuthClientName");function xy(e,t){let r=new URL(e,re(t));return Le(r)&&ct(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(xy,"buildGatewayOAuthRedirectUri");function Nl(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(Nl,"buildOAuthClientMetadataDocumentUrl");function Oy(e){return re(e)}o(Oy,"requireOAuthClientMetadataOrigin");function Uy(e,t,r){let n=Je(t),a=qr(t,r);return{client_id:Nl({origin:e,upstreamServerId:t,authProfileId:r}),client_name:zl(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(Uy,"buildOAuthClientMetadataDocument");var wU=c.union([Ko,vl]),vU=c.object({authorizationServerUrl:c.url(),resourceMetadataUrl:c.url().optional(),resourceMetadata:ns.optional(),authorizationServerMetadata:c.union([Fo,os]).optional()}).passthrough(),RU="Bearer";function bU(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(bU,"splitScopes");function CU(e){return zi.parse(e)}o(CU,"parsePkceCodeVerifier");function IU(e){if(typeof e.expires_in=="number")return O(new Date(Date.now()+e.expires_in*1e3))}o(IU,"readTokenExpiry");async function zy(e){if(e!==void 0)return $r(JSON.stringify(e))}o(zy,"encryptJson");async function Ny(e,t){if(!e)return;let r=await Bt(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(Ny,"decryptJson");function TU(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(TU,"toOAuthDiscoveryState");function AU(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(AU,"clientInformationAllowsRedirectUri");function kU(e,t,r){let n=Je(e),a=qr(e,t),i;return a.scopes.length>0&&(i=a.scopes.join(a.scopeDelimiter)),{client_name:zl(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}o(kU,"buildOAuthClientMetadata");function PU(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return Ko.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(PU,"buildManualOAuthClientInformation");function EU(e,t,r){let n=Nl({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return Tl(n)?n:void 0}o(EU,"buildClientMetadataUrl");function Dy(e){for(let t of e)if(t!==void 0)return t}o(Dy,"firstDefined");function xU(e){let t=qr(e.target.upstreamServerId,e.target.authProfileId),r=kU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:PU({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=EU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(xU,"buildInitialOAuthClientSetup");function OU(e,t){if(t===void 0)return Dy([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(OU,"readEncryptedClientInformation");function UU(e){return Dy([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(UU,"readEncryptedDiscoveryState");var Br=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=xU({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=OU(t,this.configuredClientInformation),this.encryptedDiscoveryState=UU(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return X_({id:t.id,...Go({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await zy(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await zy(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Zo.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??Bi(),tenantId:this.target.owner.tenantId,ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await $r(r.access_token),encryptedRefreshToken:r.refresh_token?await $r(r.refresh_token):void 0,scopes:bU(r.scope??this.clientMetadataValue.scope),expiresAt:IU(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await q().upstreamConnectionRepository.upsert(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:CU(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Lg(),...Go({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:O(new Date(Date.now()+W_)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await q().oauthStateStore.save(t),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await Ny(this.encryptedClientInformation,wU)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!AU(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=TU(await Ny(this.encryptedDiscoveryState,vU))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=Zo.parse({access_token:await Bt(this.connection.encryptedAccessToken),token_type:RU,refresh_token:this.connection.encryptedRefreshToken?await Bt(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,tenantId:this.connection.tenantId,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await q().upstreamConnectionRepository.upsert(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var zU=1e4,NU=256*1024,DU=2;function MU(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(MU,"hasUsableAccessToken");var qU="does not support dynamic client registration";function $U(e){return e instanceof Error&&e.message.includes(qU)}o($U,"isDynamicClientRegistrationUnsupported");function LU(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(LU,"readOAuthFetchRequest");function jU(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(jU,"responseLooksJson");function My(e){return async(t,r)=>{let n=LU(t),a=await ss(t,r,{maxRedirects:DU,maxResponseBytes:NU,problemCode:"upstream_token_exchange_failed",timeoutMs:zU}),i=await a.clone().text();if(!jU(a,i))return a;try{JSON.parse(i)}catch(s){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,s)}return a}}o(My,"createUpstreamOAuthFetch");async function qy(e,t){try{return await _r(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:My(t.upstreamServerId)})}catch(r){throw $U(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(qy,"runUpstreamOAuth");async function HU(e,t){return _r(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:My(t.upstreamServerId)})}o(HU,"exchangeUpstreamAuthorizationCode");async function $y(e,t){let r=await qy(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o($y,"requireUpstreamAuthorizationRedirect");async function Ly(e){if(MU(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await qy(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await ZU({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(Ly,"authorizeUpstreamOAuthSession");async function GU(e){let t=await Qi(e.stateToken),r=await q().oauthStateStore.consumeForCallback(t.id),n=BU(r);return VU({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),FU(n),n}o(GU,"consumeStoredCallbackState");function BU(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(BU,"readConsumedCallbackState");function VU(e){if(![e.storedState.tenantId===e.signedState.tenantId,e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(VU,"assertStoredCallbackStateMatches");function FU(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(FU,"assertStoredCallbackStateFresh");async function ZU(e){if(e.owner.mode==="tenant_shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),ry(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),On(t)}o(ZU,"buildOAuthConnectRequiredResponse");async function jy(e){let t=await GU({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Pn(t),[n]=await q().upstreamConnectionRepository.batchGet([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let i=new Br(a),s=await HU(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(jy,"finishUpstreamOAuthCallback");async function Hy(e){let t=Je(e.upstreamServerId),r=qr(e.upstreamServerId,e.authProfileId),n=xy(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:re(e.request.url)}}}o(Hy,"prepareUpstreamOAuthRequest");async function Gy(e){let t=await Hy(e),r=new Br({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return $y(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(Gy,"startUpstreamConnect");async function By(e){let t=await Hy(e),r=new Br({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return Ly({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(By,"authorizeUpstreamRequest");function KU(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(KU,"resolveStaticSecretCredential");async function Vy(e){let{routeAuth:t}=e;switch(t.authMode){case"tenant_shared_oauth":case"user_oauth":return By({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"tenant_static_secret":return cy({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"static_secret":{let n=hr({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static_secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:KU(n.secret,t.upstreamServerId)}}case"user_static_secret":return ly({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(Vy,"resolveUpstreamCredentialForRoute");async function Fy(e){let t=mr(e.principal.tenantId,e.principal.subjectId),r=st().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user_static_secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await rs({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(Fy,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function Zy(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=At(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await Gy(r);break;case"user_static_secret_capture":t=await py(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(Zy,"startUpstreamConnectForRequest");async function Ky(e){let r=(await Qi(e.callbackRequest.state)).authProfileId,n=hr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(At(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return jy({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Je(e.callbackRequest.upstreamServerId)})}o(Ky,"finishUpstreamCallbackForRequest");var cs=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=tr,n){let a=this._client,i={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},s=a.requestStream({method:"tools/call",params:t},r,i),u=a.getToolOutputValidator(t.name);for await(let d of s){if(d.type==="result"&&u){let l=d.result;if(!l.structuredContent&&!l.isError){yield{type:"error",error:new A(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(l.structuredContent)try{let p=u(l.structuredContent);if(!p.valid){yield{type:"error",error:new A(k.InvalidParams,`Structured content does not match the tool's output schema: ${p.errorMessage}`)};return}}catch(p){if(p instanceof A){yield{type:"error",error:p};return}yield{type:"error",error:new A(k.InvalidParams,`Failed to validate structured content: ${p instanceof Error?p.message:String(p)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function us(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let i=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(i,"default")&&(r[a]=i.default),r[a]!==void 0&&us(i,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&us(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&us(r,t)}}o(us,"applyElicitationDefaults");function WU(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(WU,"getSupportedElicitationModes");var ds=class extends tn{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new Sn,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",dc,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",sc,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",Xs,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new cs(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Oa(this._capabilities,t)}setRequestHandler(t,r){let a=Jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(Jt(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");let s=i;if(s==="elicitation/create"){let u=o(async(d,l)=>{let p=Me(mc,d);if(!p.success){let R=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid elicitation request: ${R}`)}let{params:m}=p.data;m.mode=m.mode??"form";let{supportsFormMode:f,supportsUrlMode:_}=WU(this._capabilities.elicitation);if(m.mode==="form"&&!f)throw new A(k.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!_)throw new A(k.InvalidParams,"Client does not support URL-mode elicitation requests");let S=await Promise.resolve(r(d,l));if(m.task){let R=Me(Nt,S);if(!R.success){let I=R.error instanceof Error?R.error.message:String(R.error);throw new A(k.InvalidParams,`Invalid task creation result: ${I}`)}return R.data}let y=Me(rr,S);if(!y.success){let R=y.error instanceof Error?y.error.message:String(y.error);throw new A(k.InvalidParams,`Invalid elicitation result: ${R}`)}let w=y.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&w.action==="accept"&&w.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{us(v,w.content)}catch{}return w},"wrappedHandler");return super.setRequestHandler(t,u)}if(s==="sampling/createMessage"){let u=o(async(d,l)=>{let p=Me(pc,d);if(!p.success){let w=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid sampling request: ${w}`)}let{params:m}=p.data,f=await Promise.resolve(r(d,l));if(m.task){let w=Me(Nt,f);if(!w.success){let v=w.error instanceof Error?w.error.message:String(w.error);throw new A(k.InvalidParams,`Invalid task creation result: ${v}`)}return w.data}let S=m.tools||m.toolChoice?to:vr,y=Me(S,f);if(!y.success){let w=y.error instanceof Error?y.error.message:String(y.error);throw new A(k.InvalidParams,`Invalid sampling result: ${w}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:Xt,capabilities:this._capabilities,clientInfo:this._clientInfo}},Bs,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!Qt.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){gi(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&_i(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},zt,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},hc,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},zt,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},ic,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},ec,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},Zs,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},Ks,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},Ys,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},zt,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},zt,r)}async callTool(t,r=tr,n){if(this.isToolTaskRequired(t.name))throw new A(k.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),i=this.getToolOutputValidator(t.name);if(i){if(!a.structuredContent&&!a.isError)throw new A(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let s=i(a.structuredContent);if(!s.valid)throw new A(k.InvalidParams,`Structured content does not match the tool's output schema: ${s.errorMessage}`)}catch(s){throw s instanceof A?s:new A(k.InvalidParams,`Failed to validate structured content: ${s instanceof Error?s.message:String(s)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},uc,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let i=Hp.safeParse(n);if(!i.success)throw new Error(`Invalid ${t} listChanged options: ${i.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:s,debounceMs:u}=i.data,{onChanged:d}=n,l=o(async()=>{if(!s){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let f=m instanceof Error?m:new Error(String(m));d(f,null)}},"refresh"),p=o(()=>{if(u){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let f=setTimeout(l,u);this._listChangedDebounceTimers.set(t,f)}else l()},"handler");this.setNotificationHandler(r,p)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function ls(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(ls,"normalizeHeaders");function Wy(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...ls(t.headers),...ls(n.headers)}:t.headers};return e(r,a)}:e}o(Wy,"createFetchWithInit");var ps=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function Dl(e){}o(Dl,"noop");function Jy(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=Dl,onError:r=Dl,onRetry:n=Dl,onComment:a}=e,i="",s=!0,u,d="",l="";function p(y){let w=s?y.replace(/^\xEF\xBB\xBF/,""):y,[v,R]=JU(`${i}${w}`);for(let I of v)m(I);i=R,s=!1}o(p,"feed");function m(y){if(y===""){_();return}if(y.startsWith(":")){a&&a(y.slice(y.startsWith(": ")?2:1));return}let w=y.indexOf(":");if(w!==-1){let v=y.slice(0,w),R=y[w+1]===" "?2:1,I=y.slice(w+R);f(v,I,y);return}f(y,"",y)}o(m,"parseLine");function f(y,w,v){switch(y){case"event":l=w;break;case"data":d=`${d}${w}
-`;break;case"id":u=w.includes("\0")?void 0:w;break;case"retry":/^\d+$/.test(w)?n(parseInt(w,10)):r(new ps(`Invalid \`retry\` value: "${w}"`,{type:"invalid-retry",value:w,line:v}));break;default:r(new ps(`Unknown field "${y.length>20?`${y.slice(0,20)}\u2026`:y}"`,{type:"unknown-field",field:y,value:w,line:v}));break}}o(f,"processField");function _(){d.length>0&&t({id:u,event:l||void 0,data:d.endsWith(`
-`)?d.slice(0,-1):d}),u=void 0,d="",l=""}o(_,"dispatchEvent");function S(y={}){i&&y.consume&&m(i),s=!0,u=void 0,d="",l="",i=""}return o(S,"reset"),{feed:p,reset:S}}o(Jy,"createParser");function JU(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
+           SELECT EXISTS (SELECT 1 FROM inserted_consumption) AS inserted`,[t,n,r])),"browser connect ticket consume").inserted?{kind:"available"}:{kind:"consumed"}}};var CP={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},D=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=CP[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};ae();var Ol=c.discriminatedUnion("mode",[c.object({mode:c.literal("user"),subjectId:ie}).strict(),c.object({mode:c.literal("shared")}).strict()]),N_=c.object({owner:Ol,upstreamServerId:$e,authProfileId:De}).strict(),z_=c.object({items:c.array(N_).min(1).max(100)}).strict(),Ul=c.object({items:c.array(c.object({key:c.object({ownerMode:tr,subjectId:ie.optional(),upstreamServerId:$e,authProfileId:De}).strict(),connection:rr.strict().optional()}).strict())}).strict(),$_=rr.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(xl),D_=rr.strict(),M_=c.object({owner:Ol,upstreamServerId:$e,authProfileId:De}).strict(),q_=c.object({owner:Ol,upstreamServerId:$e,authProfileId:De,connection:rr.strict().optional(),connectionStatus:c.object({connected:c.boolean(),status:Zn,updatedAt:rr.shape.updatedAt.optional()}).strict()}).strict(),IP=c.enum(["none","client_secret_basic","client_secret_post"]),tn=c.object({clientId:ye,clientName:c.string().min(1),tokenEndpointAuthMethod:IP}).strict(),Nl=c.discriminatedUnion("method",[c.object({method:c.literal("none"),clientId:ye}).strict(),c.object({method:c.enum(["client_secret_basic","client_secret_post"]),clientId:ye,clientSecretHashInput:c.string().min(1)}).strict()]),zl=c.object({id:Je,currentStateHash:c.string().min(1),clientId:ye,redirectUri:c.string().min(1),resource:c.string().min(1),virtualServerId:Se,clientState:c.string().optional(),scope:c.string(),codeChallenge:c.string().min(1),codeChallengeMethod:c.literal("S256"),createdAt:Q,expiresAt:Q,consumedAt:Q.optional()}).strict(),U_=zl.omit({id:!0,consumedAt:!0}).extend({transactionId:Je,client:tn.optional()}).strict(),$l=c.object({subjectId:ie,roles:c.array(c.string()).optional()}).strict(),TP=zl.extend({phase:c.literal("awaiting_login")}).strict(),Pl=zl.extend({phase:c.literal("awaiting_setup"),principal:$l}).strict(),AP=c.discriminatedUnion("phase",[TP,Pl]),Dl=c.object({transaction:AP,client:tn}).strict(),L_=da.omit({revokedAt:!0}).strict(),j_=c.discriminatedUnion("kind",[c.object({kind:c.literal("registered"),client:tn}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),H_=c.object({clientId:ye}).strict(),G_=c.discriminatedUnion("kind",[c.object({kind:c.literal("found"),client:da.strict()}).strict(),c.object({kind:c.literal("missing")}).strict()]),B_=c.discriminatedUnion("phase",[U_.extend({phase:c.literal("awaiting_login")}).strict(),U_.extend({phase:c.literal("awaiting_setup"),principal:$l}).strict()]),F_=c.discriminatedUnion("kind",[Dl.extend({kind:c.literal("started")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("redirect_uri_mismatch")}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),V_=c.object({transactionId:Je,currentStateHash:c.string().min(1),now:Q}).strict(),K_=c.discriminatedUnion("kind",[Dl.extend({kind:c.literal("available")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),Z_=c.object({transactionId:Je,expectedPhase:c.literal("awaiting_login"),currentStateHash:c.string().min(1),nextStateHash:c.string().min(1),nextPhase:c.literal("awaiting_setup"),principal:$l,now:Q}).strict(),W_=c.discriminatedUnion("kind",[Dl.extend({kind:c.literal("advanced")}).strict(),c.object({kind:c.literal("wrong_phase"),current:c.enum(["awaiting_login","awaiting_setup"])}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),J_=c.discriminatedUnion("decision",[c.object({decision:c.literal("approve"),transactionId:Je,currentStateHash:c.string().min(1),currentPrincipal:c.object({subjectId:ie}).strict(),authorizationCodeHash:c.string().min(1),authorizationCodeExpiresAt:Q,grantId:kt,now:Q}).strict(),c.object({decision:c.literal("cancel"),transactionId:Je,currentStateHash:c.string().min(1),currentPrincipal:c.object({subjectId:ie}).strict(),now:Q}).strict()]),Y_=c.discriminatedUnion("kind",[c.object({kind:c.literal("approved"),transaction:Pl,client:tn}).strict(),c.object({kind:c.literal("cancelled"),transaction:Pl,client:tn}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed_already")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),X_=c.object({clientAuth:Nl,codeHash:c.string().min(1),redirectUri:c.string().min(1),resource:c.string().min(1).optional(),codeChallenge:c.string().min(1),currentRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),grantExpiresAt:Q,accessTokenExpiresAt:Q,now:Q}).strict(),Q_=c.discriminatedUnion("kind",[c.object({kind:c.literal("exchanged"),client:tn,grant:la.strict()}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("binding_mismatch")}).strict()]),ey=c.object({clientAuth:Nl,currentRefreshTokenHash:c.string().min(1),nextRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),resource:c.string().min(1).optional(),accessTokenExpiresAt:Q,now:Q}).strict(),ty=c.discriminatedUnion("kind",[c.object({kind:c.literal("rotated"),client:tn,grant:la.strict(),accessToken:Gn.strict(),matched:c.literal("current")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),ry=c.object({clientAuth:Nl,tokenHash:c.string().min(1),now:Q}).strict(),ny=c.discriminatedUnion("kind",[c.object({kind:c.literal("revoked_access_token")}).strict(),c.object({kind:c.literal("revoked_grant")}).strict(),c.object({kind:c.literal("client_mismatch")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("invalid_client")}).strict()]),oy=c.object({tokenHash:c.string().min(1),now:Q}).strict(),ay=c.discriminatedUnion("kind",[c.object({kind:c.literal("valid"),record:Gn.strict()}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),iy=c.object({accessTokenHash:c.string().min(1),resource:c.string().min(1),virtualServerId:Se,upstreamConnectionKeys:c.array(N_).max(100),now:Q}).strict(),sy=c.discriminatedUnion("kind",[c.object({kind:c.literal("authorized"),principal:c.object({subjectId:ie,roles:c.array(c.string())}).strict(),accessToken:Gn.strict(),upstreamConnections:Ul.shape.items}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict()]),cy=c.object({record:ga}).strict(),uy=c.object({kind:c.literal("saved")}).strict(),dy=c.object({id:Kn,now:Q}).strict(),ly=c.discriminatedUnion("kind",[c.object({kind:c.literal("available"),record:ga}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict()]),py=c.object({id:fa,expiresAt:Q,now:Q}).strict(),my=c.discriminatedUnion("kind",[c.object({kind:c.literal("available")}).strict(),c.object({kind:c.literal("consumed")}).strict()]);var hy=100;function fy(e){return e!==null&&typeof e=="object"}o(fy,"isProblemDetailsShape");var kP="/zups/v2/mcp/storage";function qe(e){return`${kP}/${e}`}o(qe,"buildStoragePath");function EP(){return qe("upstream-connections/batch-get")}o(EP,"buildBatchGetUpstreamConnectionsPath");function xP(){return qe("upstream-connections/upsert")}o(xP,"buildUpsertUpstreamConnectionPath");function PP(){return qe("authorization/read-setup")}o(PP,"buildReadAuthorizationSetupPath");function OP(){return qe("oauth/register-client")}o(OP,"buildRegisterClientPath");function UP(){return qe("oauth/read-client")}o(UP,"buildReadClientPath");function NP(){return qe("authorization/start")}o(NP,"buildStartAuthorizationPath");function zP(){return qe("authorization/read-pending")}o(zP,"buildReadPendingAuthorizationPath");function $P(){return qe("authorization/advance-pending")}o($P,"buildAdvancePendingAuthorizationPath");function DP(){return qe("authorization/decide-setup")}o(DP,"buildDecideAuthorizationSetupPath");function MP(){return qe("token/exchange-authorization-code")}o(MP,"buildExchangeAuthorizationCodePath");function qP(){return qe("token/refresh")}o(qP,"buildRefreshTokenPath");function LP(){return qe("token/revoke")}o(LP,"buildRevokeOAuthTokenPath");function jP(){return qe("token/validate-access-token")}o(jP,"buildValidateAccessTokenPath");function HP(){return qe("mcp/authorize-and-load-connections")}o(HP,"buildAuthorizeAndLoadConnectionsPath");function GP(){return qe("upstream-oauth-state/save")}o(GP,"buildSaveUpstreamOAuthStatePath");function BP(){return qe("upstream-oauth-state/consume")}o(BP,"buildConsumeUpstreamOAuthStatePath");function FP(){return qe("browser-connect-ticket/consume")}o(FP,"buildConsumeBrowserConnectTicketPath");function VP(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(VP,"responseKeyMatchesLookup");function KP(e,t){return e.owner.mode===t.owner.mode&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(KP,"authorizationSetupMatchesLookup");function yy(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(yy,"connectionMatchesLookup");function ZP(e,t){return e.ownerMode===t.ownerMode&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&ql(e.scopes,t.scopes)&&Ml(e.expiresAt,t.expiresAt)&&JP(e.metadata,t.metadata)}o(ZP,"connectionMatchesUpsertRecord");function Ml(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}o(Ml,"optionalTimestampInstantsMatch");function WP(e,t){return Date.parse(e)<=Date.parse(t)}o(WP,"timestampInstantIsAtOrBefore");function ql(e,t){return e.length===t.length&&e.every((r,n)=>r===t[n])}o(ql,"stringArraysMatch");function JP(e,t){let r=gy(e),n=gy(t),a=Object.fromEntries(n);return r.length===n.length&&r.every(([i,s])=>a[i]===s)}o(JP,"metadataMatches");function gy(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}o(gy,"definedMetadataEntries");function Ce(e,t){throw g({code:"internal_server_error",privateDetail:e,cause:t})}o(Ce,"throwInvalidStorageResponse");async function YP(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){Ce("Gateway Service storage response did not match the runtime storage contract.",r)}}o(YP,"parseRuntimeHttpStorageResponse");function wy(e,t){e.length!==t.length&&Ce("Gateway Service storage response item count did not match the request.");for(let[r,n]of e.entries()){let a=t[r];VP(n.key,a)||Ce("Gateway Service storage response key did not match the request."),n.connection!==void 0&&!yy(n.connection,a)&&Ce("Gateway Service storage response connection did not match the response key.")}}o(wy,"validateUpstreamConnectionItemsMatchLookups");function XP(e,t){KP(e,t)||Ce("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!yy(e.connection,t)&&Ce("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",n=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==n||!Ml(e.connectionStatus.updatedAt,a))&&Ce("Gateway Service storage response authorization setup status did not match the connection.")}o(XP,"validateAuthorizationSetupResponseMatchesLookup");function QP(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&Ce("Gateway Service storage response registered client did not match the request.")}o(QP,"validateRegisterClientResponseMatchesRequest");function e0(e,t){e.kind==="found"&&e.client.clientId!==t.clientId&&Ce("Gateway Service storage response client did not match the request.")}o(e0,"validateReadClientResponseMatchesRequest");function t0(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.virtualServerId!==t.virtualServerId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&Ce("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&Ce("Gateway Service storage response started authorization principal did not match the request."))}o(t0,"validateStartAuthorizationResponseMatchesRequest");function _y(e,t){e.kind!=="available"&&e.kind!=="advanced"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&Ce("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&Ce("Gateway Service storage response advanced authorization did not match the request."))}o(_y,"validatePendingAuthorizationResponseMatchesRequest");function r0(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&Ce("Gateway Service storage response authorization setup transaction did not match the request.")}o(r0,"validateAuthorizationSetupDecisionResponseMatchesRequest");function n0(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!Ml(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&Ce("Gateway Service storage response authorization-code exchange did not match the request.")}o(n0,"validateExchangeAuthorizationCodeResponseMatchesRequest");function o0(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&Ce("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!WP(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!s0(e.accessToken,e.grant))&&Ce("Gateway Service storage response token refresh access token did not match the request."))}o(o0,"validateRefreshTokenResponseMatchesRequest");function a0(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&Ce("Gateway Service storage response access token did not match the request.")}o(a0,"validateAccessTokenValidationResponseMatchesRequest");function i0(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.virtualServerId!==t.virtualServerId||e.principal.subjectId!==e.accessToken.subjectId||!ql(e.principal.roles,e.accessToken.roles))&&Ce("Gateway Service storage response MCP authorization did not match the request."),wy(e.upstreamConnections,t.upstreamConnectionKeys))}o(i0,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function s0(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.virtualServerId===t.virtualServerId&&e.subjectId===t.subjectId&&e.scope===t.scope&&ql(e.roles,t.roles)}o(s0,"accessTokenMatchesGrant");async function c0(e){try{return await e.clone().json()}catch{return}}o(c0,"readProblemDetails");async function u0(e){let t=await c0(e),r=fy(t)&&typeof t.status=="number"?t.status:e.status,n=fy(t)&&na(t.code)?t.code:Zd(r);throw g({code:n,privateDetail:`Gateway Service storage request failed with HTTP ${r}.`})}o(u0,"throwRuntimeHttpStorageError");var Ts=class{static{o(this,"RuntimeHttpStorageClient")}#t;#r;constructor(t){this.#t=t.baseUrl??om.instance.zuploEdgeApiUrl,this.#r=t.fetch??fetch}async#e(t){let r=t.requestSchema.parse(t.input),n=new URL(t.path,this.#t),a=new Headers({"Content-Type":"application/json"});am(a);let i=await this.#r(n,{method:"POST",headers:a,body:JSON.stringify(r)});return i.ok||await u0(i),{request:r,response:await YP(i,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],n=new Map,a=t.map(s=>{let u=en(s),d=n.get(u);if(d!==void 0)return d;let p=r.length;return r.push(s),n.set(u,p),p}),i=[];for(let s=0;s<r.length;s+=hy){let u=r.slice(s,s+hy);i.push(...await this.#n(u))}return a.map(s=>i[s])}async upsertUpstreamConnection(t){let{request:r,response:n}=await this.#e({input:t,path:xP(),requestSchema:$_,responseSchema:D_});return ZP(n,r)||Ce("Gateway Service storage response connection did not match the request."),n}async readAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:PP(),requestSchema:M_,responseSchema:q_});return XP(n,r),n}async registerClient(t){let{request:r,response:n}=await this.#e({input:t,path:OP(),requestSchema:L_,responseSchema:j_});return QP(n,r),n}async readClient(t){let{request:r,response:n}=await this.#e({input:t,path:UP(),requestSchema:H_,responseSchema:G_});return e0(n,r),n}async startAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:NP(),requestSchema:B_,responseSchema:F_});return t0(n,r),n}async readPendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:zP(),requestSchema:V_,responseSchema:K_});return _y(n,r),n}async advancePendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:$P(),requestSchema:Z_,responseSchema:W_});return _y(n,r),n}async decideAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:DP(),requestSchema:J_,responseSchema:Y_});return r0(n,r),n}async saveUpstreamOAuthState(t){let{response:r}=await this.#e({input:t,path:GP(),requestSchema:cy,responseSchema:uy});return r}async consumeUpstreamOAuthState(t){let{request:r,response:n}=await this.#e({input:t,path:BP(),requestSchema:dy,responseSchema:ly});return n.kind==="available"&&n.record.id!==r.id&&Ce("Gateway Service storage response upstream OAuth state did not match the request."),n}async consumeBrowserConnectTicket(t){let{response:r}=await this.#e({input:t,path:FP(),requestSchema:py,responseSchema:my});return r}async exchangeAuthorizationCode(t){let{request:r,response:n}=await this.#e({input:t,path:MP(),requestSchema:X_,responseSchema:Q_});return n0(n,r),n}async refreshToken(t){let{request:r,response:n}=await this.#e({input:t,path:qP(),requestSchema:ey,responseSchema:ty});return o0(n,r),n}async revokeOAuthToken(t){let{response:r}=await this.#e({input:t,path:LP(),requestSchema:ry,responseSchema:ny});return r}async validateAccessToken(t){let{request:r,response:n}=await this.#e({input:t,path:jP(),requestSchema:oy,responseSchema:ay});return a0(n,r),n}async authorizeAndLoadConnections(t){let{request:r,response:n}=await this.#e({input:t,path:HP(),requestSchema:iy,responseSchema:sy});return i0(n,r),n}async#n(t){let r={items:[...t]},{response:n}=await this.#e({input:r,path:EP(),requestSchema:z_,responseSchema:Ul});return wy(n.items,t),n.items.map(a=>a.connection)}};var Ll=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpUpstreamConnectionRepository")}batchGet(t){return this.client.batchGetUpstreamConnections(t)}upsert(t){return this.client.upsertUpstreamConnection(t)}},jl=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpDownstreamOAuthRepository")}#t=new Map;#r=new Map;async getDcrClient(t){let r=this.#t.get(t);if(r&&r.redirectUris.length>0)return r;let n=await this.client.readClient({clientId:t});if(n.kind!=="missing")return this.#t.set(t,n.client),n.client}async saveDcrClient(t){if((await this.client.registerClient(t)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");this.#t.set(t.clientId,t)}async savePendingAuthorizationTransaction(t,r){let{id:n,...a}=t,i=await this.client.startAuthorization({...a,transactionId:n,...r?.client===void 0?{}:{client:r.client}});switch(i.kind){case"started":return this.#e(i.client),{kind:"saved"};case"already_exists":return{kind:"already_exists"};case"invalid_client":throw new D("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new D("invalid_request","redirect_uri is not registered for the client.")}}async advancePendingAuthorizationTransaction(t){let r=await this.client.advancePendingAuthorization({transactionId:t.id,expectedPhase:t.expectedPhase,currentStateHash:t.currentStateHash,nextStateHash:t.nextStateHash,nextPhase:t.nextPhase,principal:t.principal,now:z(t.now)});return r.kind==="advanced"?(this.#e(r.client),{kind:"advanced",record:r.transaction}):r}async getPendingAuthorizationTransaction(t){let r=await this.client.readPendingAuthorization({transactionId:t.id,currentStateHash:t.currentStateHash,now:z(t.now)});return r.kind==="available"?(this.#e(r.client),{kind:"available",record:r.transaction}):r}async consumePendingAuthorizationTransaction(t){let r=await this.getPendingAuthorizationTransaction(t);return r.kind!=="available"?r.kind==="consumed"?{kind:"consumed_already"}:r:r.record.phase!=="awaiting_setup"?{kind:"missing"}:(this.#r.set(r.record.id,{currentStateHash:t.currentStateHash,now:t.now,transaction:r.record}),{kind:"consumed",record:r.record})}async issueAuthorizationCode(t){let r=this.#r.get(t.id);if(!r)throw g("internal_server_error","Authorization code issuance requires a pending setup decision.");let n=await this.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:r.currentStateHash,currentPrincipal:{subjectId:r.transaction.principal.subjectId},authorizationCodeHash:t.codeHash,authorizationCodeExpiresAt:t.expiresAt,grantId:t.grantId,now:z(r.now)});if(this.#r.delete(t.id),n.kind!=="approved")throw g("oauth_state_invalid","Authorization setup state is invalid, expired, or already used.")}async exchangeAuthorizationCode(t){let r=await this.exchangeAuthorizationCodeWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},codeHash:t.codeHash,redirectUri:t.redirectUri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:t.codeChallenge,currentRefreshTokenHash:t.currentRefreshTokenHash,accessTokenHash:t.accessTokenHash,grantExpiresAt:t.grantExpiresAt,accessTokenExpiresAt:t.accessTokenExpiresAt,now:z(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r.kind==="exchanged"?{kind:"exchanged",grant:r.grant}:r}async saveAccessToken(t){throw g("internal_server_error","Runtime HTTP access-token save is covered by token exchange/refresh operations.")}async validateAccessToken(t){return this.client.validateAccessToken({tokenHash:t.tokenHash,now:z(t.now)})}async rotateRefreshToken(t){throw g("internal_server_error","Runtime HTTP refresh-token rotation is covered by the token refresh operation.")}async revokeOAuthToken(t){let r=await this.revokeOAuthTokenWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},tokenHash:t.tokenHash,now:z(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r}async revokeGrant(t){throw g("internal_server_error","Runtime HTTP grant revocation is not exposed as a standalone storage operation.")}decideAuthorizationSetup(t){return this.client.decideAuthorizationSetup(t)}exchangeAuthorizationCodeWithClientAuth(t){return this.client.exchangeAuthorizationCode(t)}refreshTokenWithClientAuth(t){return this.client.refreshToken(t)}revokeOAuthTokenWithClientAuth(t){return this.client.revokeOAuthToken(t)}authorizeAndLoadConnections(t){return this.client.authorizeAndLoadConnections(t)}#e(t){this.#t.has(t.clientId)||this.#t.set(t.clientId,{clientId:t.clientId,clientName:t.clientName,redirectUris:[],tokenEndpointAuthMethod:t.tokenEndpointAuthMethod,clientExpiresAt:z(new Date(864e10)),createdAt:z(new Date(0))})}},Hl=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpOAuthStateStore")}async save(t){await this.client.saveUpstreamOAuthState({record:t})}consumeForCallback(t){return this.client.consumeUpstreamOAuthState({id:t,now:z(new Date)})}},Gl=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpBrowserConnectTicketStore")}consume(t,r){return this.client.consumeBrowserConnectTicket({id:t,expiresAt:z(r),now:z(new Date)})}};function Sy(e={}){let t=new Ts(e);return{upstreamConnectionRepository:new Ll(t),downstreamOAuthRepository:new jl(t),oauthStateStore:new Hl(t),browserConnectTicketStore:new Gl(t)}}o(Sy,"createRuntimeHttpStorageBackend");var d0="__zuploMcpGatewayStorageBackend",Bl;function l0(e){return{upstreamConnectionRepository:new bs(e),downstreamOAuthRepository:new ys(e),oauthStateStore:new Cs(e),browserConnectTicketStore:new Is(e)}}o(l0,"createPostgresStorageBackend");function p0(e){let t=w_(e),r=v_(t);return l0(r)}o(p0,"buildPostgresStorageBackend");function m0(){let e=_s().TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING;return e?p0(e):Sy()}o(m0,"buildProductionStorageBackend");function V(){let e=globalThis[d0];return e||(Bl||(Bl=m0()),Bl)}o(V,"getStorage");function Fl(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(Fl,"readBearerToken");function h0(e,t,r){return _t(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(h0,"gatewayAuthenticationRequiredResponse");async function f0(e,t,r){let n=await V().downstreamOAuthRepository.validateAccessToken({tokenHash:await ee(e),now:new Date});if(n.kind!=="valid")throw t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed"),g("authentication_required","Gateway access token is expired, revoked, or invalid.");return n.record}o(f0,"validateGatewayAccessToken");function g0(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(g0,"assertAccessTokenResource");function _0(e,t,r){return _t(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":gs({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${ve} scope required by this MCP resource.`,scope:ve})}})}o(_0,"insufficientScopeResponse");function y0(e){return{subjectId:e.subjectId,roles:e.roles}}o(y0,"principalFromAccessToken");function w0(e){let t=_e(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),_t(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":gs({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(w0,"gatewayTokenRejectedResponse");async function Vl(e,t){let r=jn(t),n=Qr(r.virtualServerId,e.url),a=Fl(e),i=gs({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),h0(e,t,i);try{let s=await f0(a,t,r.virtualServerId);if(g0({accessToken:s,resource:n,virtualServerId:r.virtualServerId},t),s.scope!==ve)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:s.scope,requiredScope:ve,virtualServerId:r.virtualServerId,clientId:s.clientId},"Gateway access token does not have the required MCP scope"),_0(e,t,r.virtualServerId);let u=y0(s);return f_(t,u),Kd(t,u),e}catch(s){return w0({request:e,context:t,error:s,virtualServerId:r.virtualServerId})}}o(Vl,"gatewayTokenInbound");var S0=2,vy=4,v0=24,R0=16,Ry=512,b0=/(token|secret|authorization|password|cookie|credential|client[_-]?secret|code[_-]?verifier|(^|[_-])(code|state|verifier)($|[_-]))/i,C0=/("(?:access_token|refresh_token|id_token|client_secret|authorization|password|cookie|code|state|code_verifier)"\s*:\s*")([^"]*)(")/gi,I0=/\b(access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|cookie|code|state|code[_-]?verifier)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,;&]+)/gi,T0=/\b(authorization)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|(?:Bearer|Basic)\s+[^\s,;]+|[^\s,;]+)/gi,A0=/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi,k0=/\bBasic\s+[A-Za-z0-9+/=-]+/gi;function by(e){let t=e.route;return t&&typeof t=="object"?t:void 0}o(by,"readRoute");function E0(e){let t=by(e)?.path;return typeof t=="string"&&t.length>0?t:void 0}o(E0,"readRoutePath");function x0(e){let t=by(e)?.raw;if(typeof t!="function")return;let r=t();if(!r||typeof r!="object")return;let n=r.operationId;return typeof n=="string"&&n.length>0?n:void 0}o(x0,"readRouteOperationId");function P0(e){if(!(e===void 0||!Number.isFinite(e)||e<100))return`${Math.trunc(e/100)}xx`}o(P0,"deriveStatusClass");function O0(e,t){if(!(!e&&!t))return e==="user"?t==="user_oauth"?"upstream_user_attributed":"gateway_user_attributed_only":e==="shared"?"shared_upstream_identity":e==="none"?"machine_identity":"unknown"}o(O0,"deriveOriginAttributionMode");function U0(e){if(!e)return;let t=e.toLowerCase();return t.includes("desktop")||t.includes("claude")||t.includes("chatgpt")?"desktop":t.includes("vscode")||t.includes("cursor")||t.includes("zed")||t.includes("jetbrains")||t.includes("ide")?"ide":t.includes("extension")?"extension":t.includes("agent")||t.includes("bot")||t.includes("worker")||t.includes("service")?"service":"unknown"}o(U0,"deriveClientKind");function N0(e,t){return t==="success"?"none":e===J.MCP_GATEWAY_REQUEST_RECEIVED||e===J.MCP_GATEWAY_REQUEST_REJECTED||e===J.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"ingress":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===J.MCP_GATEWAY_INITIALIZE_NEGOTIATED?"routing":e===J.MCP_GATEWAY_POLICY_DECISION?"policy":e===J.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===J.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e.startsWith("mcp_gateway_capability_")||e.startsWith("mcp_gateway_catalog_")?"upstream":e===J.MCP_GATEWAY_REQUEST_COMPLETED?"egress":"none"}o(N0,"deriveFailureStage");function z0(e,t){return t==="success"?"none":t==="application_error"?"mcp_application":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===J.MCP_GATEWAY_POLICY_DECISION||e===J.MCP_GATEWAY_GUARDRAIL_DECISION||e===J.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e===J.MCP_GATEWAY_CAPABILITY_FAILED||e===J.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED?"upstream":e===J.MCP_GATEWAY_REQUEST_REJECTED||e===J.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"client":"gateway"}o(z0,"deriveFailureOrigin");function $0(e,t){return t==="success"?"none":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===J.MCP_GATEWAY_POLICY_DECISION?"policy":e===J.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===J.MCP_GATEWAY_RATE_LIMIT_DECISION?"rate_limit":e.startsWith("mcp_gateway_upstream_")?"upstream":e===J.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR||e===J.MCP_GATEWAY_REQUEST_REJECTED?"protocol":"none"}o($0,"deriveReasonClass");function D0(e){return e.length<=Ry?e:`${e.slice(0,Ry)}...`}o(D0,"truncateAnalyticsString");function M0(e){return D0(e.replace(C0,"$1[REDACTED]$3").replace(T0,"$1$2[REDACTED]").replace(I0,"$1$2[REDACTED]").replace(A0,"Bearer [REDACTED]").replace(k0,"Basic [REDACTED]"))}o(M0,"redactAnalyticsString");function Cy(e,t){if(e!==void 0){if(e===null||typeof e=="boolean")return e;if(typeof e=="string")return M0(e);if(typeof e=="number")return Number.isFinite(e)?e:void 0;if(Array.isArray(e))return t>=vy?"[DEPTH_LIMIT]":e.slice(0,R0).map(r=>Cy(r,t+1)).filter(r=>r!==void 0);if(typeof e=="object")return e instanceof Date?e.toISOString():t>=vy?"[DEPTH_LIMIT]":Iy(e,t+1)}}o(Cy,"sanitizeAnalyticsValue");function Iy(e,t=0){if(!e)return;let r={};for(let[n,a]of Object.entries(e).slice(0,v0)){if(b0.test(n)){r[n]="[REDACTED]";continue}let i=Cy(a,t);i!==void 0&&(r[n]=i)}return Object.keys(r).length===0?void 0:r}o(Iy,"sanitizeMcpGatewayAnalyticsAttributes");function M(e){return e===void 0?null:e}o(M,"nullable");function q0(e){let t=e.environment;return t&&typeof t=="object"&&typeof t.name=="string"?t.name:null}o(q0,"readEnvironment");function L0(e){let t=e.requestId;return typeof t=="string"&&t.length>0?t:null}o(L0,"readRequestId");function j0(e){if(e===void 0)return null;try{return JSON.stringify(e)}catch{return null}}o(j0,"attributesToJsonString");function H0(e,t){let r=Cl(e),n=aa(e),a=Iy(t.attributes),i=L0(e),s=t.ownerMode??t.routeBinding?.ownerMode??null,u=t.upstreamAuthMode??t.routeBinding?.authMode??null,d=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId??null,p=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId??null,l=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName??null,m=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId??null,f=t.clientKind??U0(t.clientName)??null,_=O0(s??void 0,u??void 0)??null,w=P0(t.httpStatusCode)??null,y=t.reasonClass??$0(t.eventType,t.outcome),S=t.failureOrigin??z0(t.eventType,t.outcome),v=t.failureStage??N0(t.eventType,t.outcome);return{schemaVersion:S0,outcome:t.outcome,subjectId:M(r?.subjectId),environment:q0(e),traceId:t.traceId??i,spanId:M(t.spanId),parentEventId:M(t.parentEventId),mcpSessionId:M(t.mcpSessionId),routeSurface:M(t.routeSurface),routePath:E0(e)??null,operationId:x0(e)??null,virtualServerName:d,virtualServerTitle:M(t.virtualServerTitle),upstreamServerName:p,upstreamServerTitle:l,upstreamBindingId:M(t.upstreamBindingId),clientName:M(t.clientName),clientTitle:M(t.clientTitle),clientVersion:M(t.clientVersion),clientKind:f,authProfileId:m,upstreamAuthMode:u,ownerMode:s,authMethod:M(t.authMethod),originAttributionMode:_,httpMethod:M(t.httpMethod),httpStatusCode:M(t.httpStatusCode),statusClass:w,mcpMethod:M(t.mcpMethod),mcpProtocolVersion:M(t.mcpProtocolVersion),mcpStatus:M(t.mcpStatus),mcpErrorType:M(t.mcpErrorType),applicationError:M(t.applicationError),applicationErrorCode:M(t.applicationErrorCode),toolResultIsError:M(t.toolResultIsError),capabilityType:M(t.capabilityType),capabilityName:M(t.capabilityName),capabilityTitle:M(t.capabilityTitle),upstreamCapabilityName:M(t.upstreamCapabilityName),upstreamCapabilityTitle:M(t.upstreamCapabilityTitle),capabilitySchemaHash:M(t.capabilitySchemaHash),policyId:M(t.policyId),policyAction:M(t.policyAction),guardrailType:M(t.guardrailType),guardrailDirection:M(t.guardrailDirection),guardrailFindingCount:M(t.guardrailFindingCount),redactionCount:M(t.redactionCount),requestMutated:M(t.requestMutated),responseMutated:M(t.responseMutated),latencyMs:M(t.latencyMs),gatewayLatencyMs:M(t.gatewayLatencyMs),upstreamLatencyMs:M(t.upstreamLatencyMs),authLatencyMs:M(t.authLatencyMs),policyLatencyMs:M(t.policyLatencyMs),requestBytes:M(t.requestBytes),responseBytes:M(t.responseBytes),estimatedInputTokens:M(t.estimatedInputTokens),estimatedOutputTokens:M(t.estimatedOutputTokens),estimatedContextTokens:M(t.estimatedContextTokens),contextPressureBucket:M(t.contextPressureBucket),responseMimeTypes:M(t.responseMimeTypes),base64Suspected:M(t.base64Suspected),truncated:M(t.truncated),isLargePayloadRequest:M(t.isLargePayloadRequest),isLargePayloadResponse:M(t.isLargePayloadResponse),payloadCaptureMode:M(t.payloadCaptureMode),reasonCode:M(t.reasonCode),reasonClass:y,errorType:t.errorType??t.reasonCode??null,failureOrigin:S,failureStage:v,customMetadataJson:M(t.customMetadataJson),attributesJson:j0(a)}}o(H0,"buildMcpGatewayAnalyticsMetadata");function ot(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,H0(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_gateway_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(ot,"emitMcpGatewayAnalyticsEvent");function at(e){let t=yt().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(at,"getUpstreamServerConfig");function G0(e){let t=yt().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(G0,"resolveUpstreamAuthProfileId");function Er(e){G0(e);let t=yt().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(Er,"getUpstreamAuthConfig");function rn(e,t){let r=Er({upstreamServerId:e,authProfileId:t});if(!Og(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(rn,"requireUpstreamOAuthConfig");var B0={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},user_oauth:{authMode:"user_oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},static_secret:{authMode:"static_secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured_static_secret"},"shared-secret":{authMode:"shared-secret",ownerMode:"shared",connectSupport:"none",connectUnsupportedDetail:"Shared static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"shared_secret_connection"},"user-secret":{authMode:"user-secret",ownerMode:"user",connectSupport:"user_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_secret_connection"}};function Mt(e){return B0[e]}o(Mt,"describeUpstreamAuthMode");function As(e){return Mt(e).ownerMode}o(As,"resolveOwnerModeForUpstreamAuthMode");ae();import{errors as Oy,jwtVerify as Uy,SignJWT as Ny}from"jose";import{base64url as F0}from"jose";var V0=new TextEncoder,Kl=32;function Ty(e,t={}){let r=[K0(e),V0.encode(e)],n;for(let a of r)if(a){if(a.byteLength>=Kl){n=a;break}(n===void 0||a.byteLength>n.byteLength)&&(n=a)}if(n===void 0||n.byteLength<Kl){let a=t.name??"secret key material",i=n?.byteLength??0;throw new Error(`${a} must decode to at least ${Kl} bytes (got ${i}). Generate a high-entropy value with for example: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='.`)}return n}o(Ty,"decodeConfiguredSecretKeyMaterial");function K0(e){try{return F0.decode(e)}catch{return}}o(K0,"tryDecodeBase64Url");var Ay=new Map,ky=new Map;function Z0(e){let t=Ay.get(e);return t||(t=Ty(_s()[e],{name:e}),Ay.set(e,t)),t}o(Z0,"getMasterKeyMaterial");async function qt(e){let t=ky.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(Z0(e.envVar));return ky.set(e.purpose,r),r}o(qt,"readCachedDerivedKey");var W0="SHA-256";var J0="zuplo-mcp-gateway:",Y0=new TextEncoder,Ey=new WeakMap;async function xr(e,t){let r=Ey.get(e);r||(r=new Map,Ey.set(e,r));let n=r.get(t);if(n)return n;let a=await X0(e,t);return r.set(t,a),a}o(xr,"deriveGatewaySigningKey");async function X0(e,t){let r=xy(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=Y0.encode(`${J0}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:W0,salt:new Uint8Array,info:xy(a)},n,32*8);return new Uint8Array(i)}o(X0,"hkdfExpand");function xy(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(xy,"copyToArrayBuffer");var ks="HS256",zy=15*60,Q0=15*60,Es="zuplo-mcp-gateway",xs="zuplo-mcp-gateway",eO=C_.extend({id:Kn}),tO=eO.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),$y=Fn.extend({id:fa,purpose:c.literal("browser_connect")}),rO=Fn.extend({purpose:c.literal("browser_connect")}),nO=$y.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),Dy=zy*1e3;async function My(){return qt({purpose:"oauth-state",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>xr(e,"oauth-state"),"derive")})}o(My,"getOAuthStateKey");async function qy(){return qt({purpose:"browser-connect",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>xr(e,"browser-connect"),"derive")})}o(qy,"getBrowserConnectKey");async function Ly(e){let t=Math.floor(Date.now()/1e3)+zy;return new Ny(e).setProtectedHeader({alg:ks,typ:"JWT"}).setIssuer(Es).setAudience(xs).setIssuedAt().setExpirationTime(t).sign(await My())}o(Ly,"signOAuthState");async function Ps(e){try{let{payload:t}=await Uy(e,await My(),{algorithms:[ks],issuer:Es,audience:xs});return tO.parse(t)}catch(t){throw t instanceof Oy.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(Ps,"verifyOAuthState");async function jy(e){let t=Math.floor(Date.now()/1e3)+Q0,r=rO.parse(e),n=$y.parse({...r,id:E_()});return new Ny(n).setProtectedHeader({alg:ks,typ:"JWT"}).setIssuer(Es).setAudience(xs).setIssuedAt().setExpirationTime(t).sign(await qy())}o(jy,"signBrowserConnectTicket");async function Os(e){try{let{payload:t}=await Uy(e,await qy(),{algorithms:[ks],issuer:Es,audience:xs});return nO.parse(t)}catch(t){throw t instanceof Oy.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o(Os,"verifyBrowserConnectTicket");async function Us(e){if((await V().browserConnectTicketStore.consume(e.id,new Date(e.exp*1e3))).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o(Us,"consumeBrowserConnectTicket");function oO(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(oO,"buildConnectRequiredMessage");async function Hy(e){let t=de(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await jy({...ha(e),purpose:"browser_connect"})),r.toString()}o(Hy,"buildGatewayBrowserTicketUrl");function aO(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(aO,"buildGatewayConnectPath");async function Zl(e){return Hy({...e,path:aO(e.upstreamServerId),redirect:!0})}o(Zl,"buildGatewayConnectUrl");async function Gy(e){return Hy({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(Gy,"buildGatewayAppPasswordCaptureUrl");async function Wn(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await Zl(t),message:oO(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(Wn,"buildRedirectConnectRequiredResponse");function By(e){return Fy({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(By,"buildAdminConnectRequiredResponse");function Fy(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(Fy,"buildAdminSetupRequiredResponse");function Vy(e){return Fy({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(Vy,"buildAdminStaticSecretRequiredResponse");ae();import{base64url as Pr}from"jose";var iO="SHA-256",Yn="AES-GCM",sO=12,Jl="zuplo-secret",Yl=1,Ky="env:TOKEN_ENCRYPTION_KEY",cO=c.object({version:c.literal(Yl),keyId:c.literal(Ky),algorithm:c.literal(Yn),iv:c.string().min(1),ciphertext:c.string().min(1)}).strict();function Jn(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Jn,"copyToArrayBuffer");async function Wl(){return qt({purpose:"token-encryption",envVar:"TOKEN_ENCRYPTION_KEY",derive:o(async e=>{let t=await crypto.subtle.digest(iO,Jn(e));return crypto.subtle.importKey("raw",t,{name:Yn},!1,["encrypt","decrypt"])},"derive")})}o(Wl,"getEncryptionKey");function Zy(e){return Jn(new TextEncoder().encode(`${Jl}:v${e.version}:${e.keyId}`))}o(Zy,"getAssociatedData");function uO(e){return`${Jl}:v${e.version}:${Pr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(uO,"encodeEnvelope");function dO(e){let t=`${Jl}:v${Yl}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(Pr.decode(r));return cO.parse(JSON.parse(n))}o(dO,"decodeEnvelope");async function nn(e){let t=await Wl(),r=crypto.getRandomValues(new Uint8Array(sO)),n={version:Yl,keyId:Ky},a=await crypto.subtle.encrypt({name:Yn,iv:r,additionalData:Zy(n)},t,new TextEncoder().encode(e));return uO({...n,algorithm:Yn,iv:Pr.encode(r),ciphertext:Pr.encode(new Uint8Array(a))})}o(nn,"encryptSecret");async function nr(e){let t=dO(e);if(t){let s=await Wl(),u=await crypto.subtle.decrypt({name:Yn,iv:Jn(Pr.decode(t.iv)),additionalData:Zy(t)},s,Jn(Pr.decode(t.ciphertext)));return new TextDecoder().decode(u)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await Wl(),i=await crypto.subtle.decrypt({name:Yn,iv:Jn(Pr.decode(r))},a,Jn(Pr.decode(n)));return new TextDecoder().decode(i)}o(nr,"decryptSecret");function lO(e,t){let r=Er({upstreamServerId:e,authProfileId:t});if(r.mode!=="shared-secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(lO,"requireTenantStaticSecretConfig");function Wy(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(Wy,"hasUsableTenantStaticSecret");async function pO(e){if(!Wy(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await nr(e.connection.metadata.encryptedStaticSecret)}}o(pO,"resolveTenantStaticSecretCredential");async function Jy(e){let t=at(e.upstreamServerId);lO(e.upstreamServerId,e.authProfileId);let r="preloadedConnection"in e?e.preloadedConnection:(await V().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(Wy(r))return{kind:"authorized",credential:await pO({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:Vy(n)}}o(Jy,"resolveTenantStaticSecretCredentialForRequest");ae();async function Xl(e){return V().upstreamConnectionRepository.upsert({id:Rs(),ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(Xl,"upsertStaticSecretConnection");var mO=c.string().trim().min(1).max(320),hO=c.string().min(1).max(4096),fO=c.string().trim().min(1).max(4096);function Ql(e,t){let r=Er({upstreamServerId:e,authProfileId:t});if(r.mode!=="user-secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(Ql,"requireUserStaticSecretConfig");function gO(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(gO,"encodeBase64Utf8");function _O(e){return`Basic ${gO(`${e.username}:${e.appPassword}`)}`}o(_O,"buildBasicAuthHeader");function Yy(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(Yy,"hasEncryptedUserStaticSecret");async function yO(e){if(!Yy(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await nr(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:_O({username:e.connection.metadata.staticSecretUsername,appPassword:await nr(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(yO,"resolveUserStaticSecretCredential");async function Xy(e){if(Ql(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=mO.parse(e.username),n=hO.parse(e.appPassword);return Xl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await nn(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(Xy,"saveUserStaticSecretCredential");async function Ns(e){let t=Ql(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=fO.parse(e.token);return Xl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await nn(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(Ns,"saveUserStaticBearerTokenCredential");function ep(e,t){return Ql(e,t)}o(ep,"readUserStaticSecretCaptureConfig");async function Qy(e){let t=at(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r="preloadedConnection"in e?e.preloadedConnection:(await V().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(Yy(r))return{kind:"authorized",credential:await yO({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await Wn(n)}}o(Qy,"resolveUserStaticSecretCredentialForRequest");function ew(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return Gy({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(ew,"buildUserStaticSecretConnectUrl");var tp;tp=globalThis.crypto;async function wO(e){return(await tp).getRandomValues(new Uint8Array(e))}o(wO,"getRandomValues");async function SO(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await wO(e-n.length);for(let i of a)i<r&&(n+=t[i%t.length])}return n}o(SO,"random");async function vO(e){return await SO(e)}o(vO,"generateVerifier");async function RO(e){let t=await(await tp).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(RO,"generateChallenge");async function rp(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await vO(e),r=await RO(t);return{code_verifier:t,code_challenge:r}}o(rp,"pkceChallenge");ae();var Le=um().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:mm.custom,message:"URL must be parseable",fatal:!0}),sm}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),zs=Ae({resource:h().url(),authorization_servers:C(Le).optional(),jwks_uri:h().url().optional(),scopes_supported:C(h()).optional(),bearer_methods_supported:C(h()).optional(),resource_signing_alg_values_supported:C(h()).optional(),resource_name:h().optional(),resource_documentation:h().optional(),resource_policy_uri:h().url().optional(),resource_tos_uri:h().url().optional(),tls_client_certificate_bound_access_tokens:ce().optional(),authorization_details_types_supported:C(h()).optional(),dpop_signing_alg_values_supported:C(h()).optional(),dpop_bound_access_tokens_required:ce().optional()}),_a=Ae({issuer:h(),authorization_endpoint:Le,token_endpoint:Le,registration_endpoint:Le.optional(),scopes_supported:C(h()).optional(),response_types_supported:C(h()),response_modes_supported:C(h()).optional(),grant_types_supported:C(h()).optional(),token_endpoint_auth_methods_supported:C(h()).optional(),token_endpoint_auth_signing_alg_values_supported:C(h()).optional(),service_documentation:Le.optional(),revocation_endpoint:Le.optional(),revocation_endpoint_auth_methods_supported:C(h()).optional(),revocation_endpoint_auth_signing_alg_values_supported:C(h()).optional(),introspection_endpoint:h().optional(),introspection_endpoint_auth_methods_supported:C(h()).optional(),introspection_endpoint_auth_signing_alg_values_supported:C(h()).optional(),code_challenge_methods_supported:C(h()).optional(),client_id_metadata_document_supported:ce().optional()}),bO=Ae({issuer:h(),authorization_endpoint:Le,token_endpoint:Le,userinfo_endpoint:Le.optional(),jwks_uri:Le,registration_endpoint:Le.optional(),scopes_supported:C(h()).optional(),response_types_supported:C(h()),response_modes_supported:C(h()).optional(),grant_types_supported:C(h()).optional(),acr_values_supported:C(h()).optional(),subject_types_supported:C(h()),id_token_signing_alg_values_supported:C(h()),id_token_encryption_alg_values_supported:C(h()).optional(),id_token_encryption_enc_values_supported:C(h()).optional(),userinfo_signing_alg_values_supported:C(h()).optional(),userinfo_encryption_alg_values_supported:C(h()).optional(),userinfo_encryption_enc_values_supported:C(h()).optional(),request_object_signing_alg_values_supported:C(h()).optional(),request_object_encryption_alg_values_supported:C(h()).optional(),request_object_encryption_enc_values_supported:C(h()).optional(),token_endpoint_auth_methods_supported:C(h()).optional(),token_endpoint_auth_signing_alg_values_supported:C(h()).optional(),display_values_supported:C(h()).optional(),claim_types_supported:C(h()).optional(),claims_supported:C(h()).optional(),service_documentation:h().optional(),claims_locales_supported:C(h()).optional(),ui_locales_supported:C(h()).optional(),claims_parameter_supported:ce().optional(),request_parameter_supported:ce().optional(),request_uri_parameter_supported:ce().optional(),require_request_uri_registration:ce().optional(),op_policy_uri:Le.optional(),op_tos_uri:Le.optional(),client_id_metadata_document_supported:ce().optional()}),$s=I({...bO.shape,..._a.pick({code_challenge_methods_supported:!0}).shape}),ya=I({access_token:h(),id_token:h().optional(),token_type:h(),expires_in:hm.number().optional(),scope:h().optional(),refresh_token:h().optional()}).strip(),rw=I({error:h(),error_description:h().optional(),error_uri:h().optional()}),tw=Le.optional().or(O("").transform(()=>{})),CO=I({redirect_uris:C(Le),token_endpoint_auth_method:h().optional(),grant_types:C(h()).optional(),response_types:C(h()).optional(),client_name:h().optional(),client_uri:Le.optional(),logo_uri:tw,scope:h().optional(),contacts:C(h()).optional(),tos_uri:tw,policy_uri:h().optional(),jwks_uri:Le.optional(),jwks:lm().optional(),software_id:h().optional(),software_version:h().optional(),software_statement:h().optional()}).strip(),np=I({client_id:h(),client_secret:h().optional(),client_id_issued_at:re().optional(),client_secret_expires_at:re().optional()}).strip(),wa=CO.merge(np),nK=I({error:h(),error_description:h().optional()}).strip(),oK=I({token:h(),token_type_hint:h().optional()}).strip();function nw(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(nw,"resourceUrlFromServerUrl");function ow({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(i)}o(ow,"checkResourceAllowed");var Ie=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Sa=class extends Ie{static{o(this,"InvalidRequestError")}};Sa.errorCode="invalid_request";var on=class extends Ie{static{o(this,"InvalidClientError")}};on.errorCode="invalid_client";var an=class extends Ie{static{o(this,"InvalidGrantError")}};an.errorCode="invalid_grant";var sn=class extends Ie{static{o(this,"UnauthorizedClientError")}};sn.errorCode="unauthorized_client";var va=class extends Ie{static{o(this,"UnsupportedGrantTypeError")}};va.errorCode="unsupported_grant_type";var Ra=class extends Ie{static{o(this,"InvalidScopeError")}};Ra.errorCode="invalid_scope";var ba=class extends Ie{static{o(this,"AccessDeniedError")}};ba.errorCode="access_denied";var or=class extends Ie{static{o(this,"ServerError")}};or.errorCode="server_error";var Ca=class extends Ie{static{o(this,"TemporarilyUnavailableError")}};Ca.errorCode="temporarily_unavailable";var Ia=class extends Ie{static{o(this,"UnsupportedResponseTypeError")}};Ia.errorCode="unsupported_response_type";var Ta=class extends Ie{static{o(this,"UnsupportedTokenTypeError")}};Ta.errorCode="unsupported_token_type";var Aa=class extends Ie{static{o(this,"InvalidTokenError")}};Aa.errorCode="invalid_token";var ka=class extends Ie{static{o(this,"MethodNotAllowedError")}};ka.errorCode="method_not_allowed";var Ea=class extends Ie{static{o(this,"TooManyRequestsError")}};Ea.errorCode="too_many_requests";var cn=class extends Ie{static{o(this,"InvalidClientMetadataError")}};cn.errorCode="invalid_client_metadata";var xa=class extends Ie{static{o(this,"InsufficientScopeError")}};xa.errorCode="insufficient_scope";var Pa=class extends Ie{static{o(this,"InvalidTargetError")}};Pa.errorCode="invalid_target";var aw={[Sa.errorCode]:Sa,[on.errorCode]:on,[an.errorCode]:an,[sn.errorCode]:sn,[va.errorCode]:va,[Ra.errorCode]:Ra,[ba.errorCode]:ba,[or.errorCode]:or,[Ca.errorCode]:Ca,[Ia.errorCode]:Ia,[Ta.errorCode]:Ta,[Aa.errorCode]:Aa,[ka.errorCode]:ka,[Ea.errorCode]:Ea,[cn.errorCode]:cn,[xa.errorCode]:xa,[Pa.errorCode]:Pa};var ar=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function IO(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(IO,"isClientAuthMethod");var op="code",ap="S256";function TO(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&IO(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(TO,"selectClientAuthMethod");function AO(e,t,r,n){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":kO(a,i,r);return;case"client_secret_post":EO(a,i,n);return;case"none":xO(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(AO,"applyClientAuthentication");function kO(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(kO,"applyBasicAuth");function EO(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(EO,"applyPostAuth");function xO(e,t){t.set("client_id",e)}o(xO,"applyPublicAuth");async function sw(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=rw.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=n,u=aw[a]||or;return new u(i||"",s)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new or(a)}}o(sw,"parseErrorResponse");async function Or(e,t){try{return await ip(e,t)}catch(r){if(r instanceof on||r instanceof sn)return await e.invalidateCredentials?.("all"),await ip(e,t);if(r instanceof an)return await e.invalidateCredentials?.("tokens"),await ip(e,t);throw r}}o(Or,"auth");async function ip(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),u,d,p,l=a;if(!l&&s?.resourceMetadataUrl&&(l=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(d=s.authorizationServerUrl,u=s.resourceMetadata,p=s.authorizationServerMetadata??await uw(d,{fetchFn:i}),!u)try{u=await cw(t,{resourceMetadataUrl:l},i)}catch{}(p!==s.authorizationServerMetadata||u!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:u,authorizationServerMetadata:p})}else{let b=await $O(t,{resourceMetadataUrl:l,fetchFn:i});d=b.authorizationServerUrl,p=b.authorizationServerMetadata,u=b.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:u,authorizationServerMetadata:p})}let m=await PO(t,e,u),f=n||u?.scopes_supported?.join(" ")||e.clientMetadata.scope,_=await Promise.resolve(e.clientInformation());if(!_){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let b=p?.client_id_metadata_document_supported===!0,q=e.clientMetadataUrl;if(q&&!cp(q))throw new cn(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${q}`);if(b&&q)_={client_id:q},await e.saveClientInformation?.(_);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let je=await jO(d,{metadata:p,clientMetadata:e.clientMetadata,scope:f,fetchFn:i});await e.saveClientInformation(je),_=je}}let w=!e.redirectUrl;if(r!==void 0||w){let b=await LO(e,d,{metadata:p,resource:m,authorizationCode:r,fetchFn:i});return await e.saveTokens(b),"AUTHORIZED"}let y=await e.tokens();if(y?.refresh_token)try{let b=await qO(d,{metadata:p,clientInformation:_,refreshToken:y.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(b),"AUTHORIZED"}catch(b){if(!(!(b instanceof Ie)||b instanceof or))throw b}let S=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:R}=await DO(d,{metadata:p,clientInformation:_,state:S,redirectUrl:e.redirectUrl,scope:f,resource:m});return await e.saveCodeVerifier(R),await e.redirectToAuthorization(v),"REDIRECT"}o(ip,"authInternal");function cp(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(cp,"isHttpsUrl");async function PO(e,t,r){let n=nw(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!ow({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o(PO,"selectResourceURL");function up(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=sp(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=sp(e,"scope")||void 0,u=sp(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:u}}o(up,"extractWWWAuthenticateParams");function sp(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(sp,"extractFieldFromWwwAuth");async function cw(e,t,r=fetch){let n=await NO(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return zs.parse(await n.json())}o(cw,"discoverOAuthProtectedResourceMetadata");async function dp(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?dp(e,void 0,r):void 0;throw n}}o(dp,"fetchWithCorsRetry");function OO(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(OO,"buildWellKnownPath");async function iw(e,t,r=fetch){return await dp(e,{"MCP-Protocol-Version":t},r)}o(iw,"tryMetadataDiscovery");function UO(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(UO,"shouldAttemptFallback");async function NO(e,t,r,n){let a=new URL(e),i=n?.protocolVersion??mr,s;if(n?.metadataUrl)s=new URL(n.metadataUrl);else{let d=OO(t,a.pathname);s=new URL(d,n?.metadataServerUrl??a),s.search=a.search}let u=await iw(s,i,r);if(!n?.metadataUrl&&UO(u,a.pathname)){let d=new URL(`/.well-known/${t}`,a);u=await iw(d,i,r)}return u}o(NO,"discoverMetadataWithFallback");function zO(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(zO,"buildDiscoveryUrls");async function uw(e,{fetchFn:t=fetch,protocolVersion:r=mr}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=zO(e);for(let{url:i,type:s}of a){let u=await dp(i,n,t);if(u){if(!u.ok){if(await u.body?.cancel(),u.status>=400&&u.status<500)continue;throw new Error(`HTTP ${u.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?_a.parse(await u.json()):$s.parse(await u.json())}}}o(uw,"discoverAuthorizationServerMetadata");async function $O(e,t){let r,n;try{r=await cw(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await uw(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o($O,"discoverOAuthServerInfo");async function DO(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:i,resource:s}){let u;if(t){if(u=new URL(t.authorization_endpoint),!t.response_types_supported.includes(op))throw new Error(`Incompatible auth server: does not support response type ${op}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(ap))throw new Error(`Incompatible auth server: does not support code challenge method ${ap}`)}else u=new URL("/authorize",e);let d=await rp(),p=d.code_verifier,l=d.code_challenge;return u.searchParams.set("response_type",op),u.searchParams.set("client_id",r.client_id),u.searchParams.set("code_challenge",l),u.searchParams.set("code_challenge_method",ap),u.searchParams.set("redirect_uri",String(n)),i&&u.searchParams.set("state",i),a&&u.searchParams.set("scope",a),a?.includes("offline_access")&&u.searchParams.append("prompt","consent"),s&&u.searchParams.set("resource",s.href),{authorizationUrl:u,codeVerifier:p}}o(DO,"startAuthorization");function MO(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(MO,"prepareAuthorizationCodeRequest");async function dw(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:i,fetchFn:s}){let u=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(d,r,u,t);else if(n){let l=t?.token_endpoint_auth_methods_supported??[],m=TO(n,l);AO(m,n,d,r)}let p=await(s??fetch)(u,{method:"POST",headers:d,body:r});if(!p.ok)throw await sw(p);return ya.parse(await p.json())}o(dw,"executeTokenRequest");async function qO(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:i,fetchFn:s}){let u=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await dw(e,{metadata:t,tokenRequestParams:u,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:n,...d}}o(qO,"refreshAuthorization");async function LO(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,u;if(e.prepareTokenRequest&&(u=await e.prepareTokenRequest(s)),!u){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();u=MO(a,p,e.redirectUrl)}let d=await e.clientInformation();return dw(t,{metadata:r,tokenRequestParams:u,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:i})}o(LO,"fetchToken");async function jO(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!s.ok)throw await sw(s);return wa.parse(await s.json())}o(jO,"registerClient");function HO(){let e=go.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP;return typeof e=="string"&&e==="1"}o(HO,"isTestOnlyAllowHttpLoopbackIdpEnabled");var GO=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),BO=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function lw(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(lw,"parseIpv4Octets");function FO([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(FO,"ipv4RangeMatches");function pw(e){let t=lw(e);return t!==void 0&&BO.some(r=>FO(t,r))}o(pw,"isPrivateIpv4");function lp(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(lp,"parseIpv6Word");function VO(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(VO,"formatIpv4FromWords");function KO(e){let t=e.slice(7),r=lw(t);if(r!==void 0)return r.join(".");let[n,a,i]=t.split(":"),s=lp(n),u=lp(a);return i===void 0&&s!==void 0&&u!==void 0?VO(s,u):void 0}o(KO,"parseIpv6MappedIpv4");function ZO(e){return lp(e.split(":").find(Boolean))}o(ZO,"readFirstIpv6Hextet");function WO(e){let t=wt(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=KO(t);return n===void 0||pw(n)}let r=ZO(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(WO,"isPrivateIpv6");function pp(e){let t=wt(e);return GO.has(t)||t.endsWith(".internal")||pw(t)||WO(t)}o(pp,"isBlockedOutboundHostname");function mw(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);let r=Ve(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=wt(t.hostname);if(!r&&pp(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(mw,"validateConfiguredOutboundUrl");function hw(e){let t=new URL(e),r=Ve(t),n=r&&HO();if(t.protocol!=="https:"&&!n)throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");let a=wt(t.hostname);if(!r&&pp(a))throw g("invalid_request",`Blocked identity provider host: ${a}`);return t}o(hw,"validateIdentityProviderUrl");function Ds(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(pp(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(Ds,"validateCimdClientMetadataUrl");function fw(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(fw,"mergeAbortSignals");async function JO(e){try{await e.cancel()}catch{}}o(JO,"cancelReader");async function Ms(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,i=await r.read();for(;!i.done;){let d=i.value;if(a+=d.byteLength,a>t.maxBytes)throw await JO(r),t.createLimitError();n.push(d),i=await r.read()}let s=new Uint8Array(a),u=0;for(let d of n)s.set(d,u),u+=d.byteLength;return s}o(Ms,"readBoundedByteStream");var YO=2,XO=1024*1024,QO=1e4,eU=new Set([301,302,303,307,308]),tU=["authorization","proxy-authorization","cookie","cookie2"];function mp(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(mp,"readRequestUrl");function Xn(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(Xn,"readRequestMethod");function rU(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(rU,"assertContentLengthWithinLimit");async function nU(e,t,r){return rU(e,t,r),Ms(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o(nU,"readBoundedResponseBody");function oU(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(oU,"responseFromBufferedBody");function aU(e,t){if(!eU.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(aU,"resolveRedirectUrl");function gw(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(gw,"validateOutboundUrl");function iU(e,t){throw _e(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(iU,"normalizeFetchError");function Oa(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&ze(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(Oa,"logOutboundFailure");async function sU(e,t,r,n,a,i,s){let u=Xn(r,n);try{return await t(r,n)}catch(d){let p=d instanceof DOMException&&d.name==="AbortError";Oa(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:u,host:gt(i),error:d,extra:{abortReason:s()}}),iU(d,a)}}o(sU,"fetchWithNormalizedError");function cU(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(cU,"assertRedirectAllowed");function uU(e,t){let r=new Headers(e);for(let n of tU)r.delete(n);for(let n of t)r.delete(n);return r}o(uU,"stripCrossOriginHeaders");function dU(e,t,r,n,a){let i={...e,method:t,redirect:"manual",signal:r};return n&&(i.headers=uU(e.headers,a)),i}o(dU,"buildRedirectInit");function lU(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(lU,"buildInitialRequestInit");function pU(e){let t=Xn(e.currentInput,e.currentInit);cU({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=gw(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,i=r.toString();return{currentInput:i,currentUrl:i,currentInit:dU(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(pU,"followRedirect");async function hp(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??YO,i=r.maxResponseBytes??XO,s=r.timeoutMs??QO,u=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],p=r.context,l=new AbortController,m=fw(l,t.signal),f=!1,_=setTimeout(()=>{f=!0,l.abort()},s),w=e,y=lU(e,t,l.signal),S;try{S=gw(mp(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(R){throw Oa(p,{event:"outbound_url_blocked",problemCode:n,method:Xn(e,t),host:gt(mp(e)),error:R}),clearTimeout(_),m?.(),R}let v=0;try{for(;;){let R=await sU(p,u,w,y,n,S,()=>f?`timeout_after_${s}ms`:void 0),b=aU(R,S);if(b!==void 0)try{let q=pU({currentInput:w,currentInit:y,currentUrl:S,redirectUrl:b,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:l.signal,additionalCrossOriginStrippedHeaders:d});w=q.currentInput,y=q.currentInit,S=q.currentUrl,v=q.redirects;continue}catch(q){throw Oa(p,{event:"outbound_redirect_blocked",problemCode:n,method:Xn(w,y),host:gt(S),error:q,extra:{redirects:v,maxRedirects:a,redirectTargetHost:gt(b)}}),q}try{return oU(R,await nU(R,i,n))}catch(q){throw Oa(p,{event:"outbound_response_size_exceeded",problemCode:n,method:Xn(w,y),host:gt(S),error:q,extra:{maxResponseBytes:i,status:R.status}}),q}}}finally{clearTimeout(_),m?.()}}o(hp,"runSafeOutboundExchange");async function fp(e,t,r){let n=await hp(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw Oa(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Xn(e,t),host:gt(mp(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(fp,"runSafeOutboundJsonExchange");function qs(e,t={},r={}){return hp(e,t,{...r,validateUrl:mw})}o(qs,"fetchConfiguredOutbound");function _w(e,t={},r={}){return fp(e,t,{...r,validateUrl:hw})}o(_w,"fetchIdentityProviderJson");function yw(e,t={},r={}){return fp(e,t,{...r,validateUrl:Ds})}o(yw,"fetchCimdClientMetadataJson");ae();function gp(e){return`Zuplo MCP Gateway - ${e}`}o(gp,"buildGatewayOAuthClientName");function ww(e,t){let r=new URL(e,de(t));return Ve(r)&&wt(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(ww,"buildGatewayOAuthRedirectUri");function _p(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(_p,"buildOAuthClientMetadataDocumentUrl");function Sw(e){return de(e)}o(Sw,"requireOAuthClientMetadataOrigin");function vw(e,t,r){let n=at(t),a=rn(t,r);return{client_id:_p({origin:e,upstreamServerId:t,authProfileId:r}),client_name:gp(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(vw,"buildOAuthClientMetadataDocument");var mU=c.union([wa,np]),hU=c.object({authorizationServerUrl:c.url(),resourceMetadataUrl:c.url().optional(),resourceMetadata:zs.optional(),authorizationServerMetadata:c.union([_a,$s]).optional()}).passthrough(),fU="Bearer";function gU(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(gU,"splitScopes");function _U(e){return ls.parse(e)}o(_U,"parsePkceCodeVerifier");function yU(e){if(typeof e.expires_in=="number")return z(new Date(Date.now()+e.expires_in*1e3))}o(yU,"readTokenExpiry");async function Rw(e){if(e!==void 0)return nn(JSON.stringify(e))}o(Rw,"encryptJson");async function bw(e,t){if(!e)return;let r=await nr(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(bw,"decryptJson");function wU(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(wU,"toOAuthDiscoveryState");function SU(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(SU,"clientInformationAllowsRedirectUri");function vU(e,t,r){let n=at(e),a=rn(e,t),i;return a.scopes.length>0&&(i=a.scopes.join(a.scopeDelimiter)),{client_name:gp(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}o(vU,"buildOAuthClientMetadata");function RU(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return wa.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(RU,"buildManualOAuthClientInformation");function bU(e,t,r){let n=_p({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return cp(n)?n:void 0}o(bU,"buildClientMetadataUrl");function Cw(e){for(let t of e)if(t!==void 0)return t}o(Cw,"firstDefined");function CU(e){let t=rn(e.target.upstreamServerId,e.target.authProfileId),r=vU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:RU({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=bU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(CU,"buildInitialOAuthClientSetup");function IU(e,t){if(t===void 0)return Cw([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(IU,"readEncryptedClientInformation");function TU(e){return Cw([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(TU,"readEncryptedDiscoveryState");var un=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=CU({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=IU(t,this.configuredClientInformation),this.encryptedDiscoveryState=TU(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return Ly({id:t.id,...ha({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await Rw(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await Rw(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=ya.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??Rs(),ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await nn(r.access_token),encryptedRefreshToken:r.refresh_token?await nn(r.refresh_token):void 0,scopes:gU(r.scope??this.clientMetadataValue.scope),expiresAt:yU(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await V().upstreamConnectionRepository.upsert(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:_U(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:k_(),...ha({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:z(new Date(Date.now()+Dy)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await V().oauthStateStore.save(t),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await bw(this.encryptedClientInformation,mU)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!SU(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=wU(await bw(this.encryptedDiscoveryState,hU))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=ya.parse({access_token:await nr(this.connection.encryptedAccessToken),token_type:fU,refresh_token:this.connection.encryptedRefreshToken?await nr(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await V().upstreamConnectionRepository.upsert(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var AU=1e4,kU=256*1024,EU=2;function xU(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(xU,"hasUsableAccessToken");var PU="does not support dynamic client registration";function OU(e){return e instanceof Error&&e.message.includes(PU)}o(OU,"isDynamicClientRegistrationUnsupported");function UU(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(UU,"readOAuthFetchRequest");function NU(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(NU,"responseLooksJson");function Iw(e){return async(t,r)=>{let n=UU(t),a=await qs(t,r,{maxRedirects:EU,maxResponseBytes:kU,problemCode:"upstream_token_exchange_failed",timeoutMs:AU}),i=await a.clone().text();if(!NU(a,i))return a;try{JSON.parse(i)}catch(s){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,s)}return a}}o(Iw,"createUpstreamOAuthFetch");async function Tw(e,t){try{return await Or(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Iw(t.upstreamServerId)})}catch(r){throw OU(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(Tw,"runUpstreamOAuth");async function zU(e,t){return Or(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Iw(t.upstreamServerId)})}o(zU,"exchangeUpstreamAuthorizationCode");async function Aw(e,t){let r=await Tw(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o(Aw,"requireUpstreamAuthorizationRedirect");async function kw(e){if(xU(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await Tw(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await LU({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(kw,"authorizeUpstreamOAuthSession");async function $U(e){let t=await Ps(e.stateToken),r=await V().oauthStateStore.consumeForCallback(t.id),n=DU(r);return MU({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),qU(n),n}o($U,"consumeStoredCallbackState");function DU(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(DU,"readConsumedCallbackState");function MU(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(MU,"assertStoredCallbackStateMatches");function qU(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(qU,"assertStoredCallbackStateFresh");async function LU(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),By(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Wn(t)}o(LU,"buildOAuthConnectRequiredResponse");async function Ew(e){let t=await $U({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Vn(t),[n]=await V().upstreamConnectionRepository.batchGet([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let i=new un(a),s=await zU(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(Ew,"finishUpstreamOAuthCallback");async function xw(e){let t=at(e.upstreamServerId),r=rn(e.upstreamServerId,e.authProfileId),n=ww(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await V().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:de(e.request.url)}}}o(xw,"prepareUpstreamOAuthRequest");async function Pw(e){let t=await xw(e),r=new un({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return Aw(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(Pw,"startUpstreamConnect");async function Ow(e){let t=await xw(e),r=new un({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return kw({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(Ow,"authorizeUpstreamRequest");function jU(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(jU,"resolveStaticSecretCredential");async function Uw(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user_oauth":return Ow({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"shared-secret":return Jy({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"static_secret":{let n=Er({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static_secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:jU(n.secret,t.upstreamServerId)}}case"user-secret":return Qy({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(Uw,"resolveUpstreamCredentialForRoute");async function Nw(e){let t=kr(e.principal.subjectId),r=yt().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user-secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await Ns({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(Nw,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function zw(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=Mt(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await Pw(r);break;case"user_secret_capture":t=await ew(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(zw,"startUpstreamConnectForRequest");async function $w(e){let r=(await Ps(e.callbackRequest.state)).authProfileId,n=Er({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(Mt(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return Ew({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:at(e.callbackRequest.upstreamServerId)})}o($w,"finishUpstreamCallbackForRequest");var Ls=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=gr,n){let a=this._client,i={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},s=a.requestStream({method:"tools/call",params:t},r,i),u=a.getToolOutputValidator(t.name);for await(let d of s){if(d.type==="result"&&u){let p=d.result;if(!p.structuredContent&&!p.isError){yield{type:"error",error:new k(P.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(p.structuredContent)try{let l=u(p.structuredContent);if(!l.valid){yield{type:"error",error:new k(P.InvalidParams,`Structured content does not match the tool's output schema: ${l.errorMessage}`)};return}}catch(l){if(l instanceof k){yield{type:"error",error:l};return}yield{type:"error",error:new k(P.InvalidParams,`Failed to validate structured content: ${l instanceof Error?l.message:String(l)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function js(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let i=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(i,"default")&&(r[a]=i.default),r[a]!==void 0&&js(i,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&js(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&js(r,t)}}o(js,"applyElicitationDefaults");function HU(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(HU,"getSupportedElicitationModes");var Hs=class extends vn{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new Mn,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",Vc,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",Gc,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",Nc,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new Ls(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=ui(this._capabilities,t)}setRequestHandler(t,r){let a=gn(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(lr(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");let s=i;if(s==="elicitation/create"){let u=o(async(d,p)=>{let l=Ke(Wc,d);if(!l.success){let R=l.error instanceof Error?l.error.message:String(l.error);throw new k(P.InvalidParams,`Invalid elicitation request: ${R}`)}let{params:m}=l.data;m.mode=m.mode??"form";let{supportsFormMode:f,supportsUrlMode:_}=HU(this._capabilities.elicitation);if(m.mode==="form"&&!f)throw new k(P.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!_)throw new k(P.InvalidParams,"Client does not support URL-mode elicitation requests");let w=await Promise.resolve(r(d,p));if(m.task){let R=Ke(Zt,w);if(!R.success){let b=R.error instanceof Error?R.error.message:String(R.error);throw new k(P.InvalidParams,`Invalid task creation result: ${b}`)}return R.data}let y=Ke(_r,w);if(!y.success){let R=y.error instanceof Error?y.error.message:String(y.error);throw new k(P.InvalidParams,`Invalid elicitation result: ${R}`)}let S=y.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&S.action==="accept"&&S.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{js(v,S.content)}catch{}return S},"wrappedHandler");return super.setRequestHandler(t,u)}if(s==="sampling/createMessage"){let u=o(async(d,p)=>{let l=Ke(Zc,d);if(!l.success){let S=l.error instanceof Error?l.error.message:String(l.error);throw new k(P.InvalidParams,`Invalid sampling request: ${S}`)}let{params:m}=l.data,f=await Promise.resolve(r(d,p));if(m.task){let S=Ke(Zt,f);if(!S.success){let v=S.error instanceof Error?S.error.message:String(S.error);throw new k(P.InvalidParams,`Invalid task creation result: ${v}`)}return S.data}let w=m.tools||m.toolChoice?To:qr,y=Ke(w,f);if(!y.success){let S=y.error instanceof Error?y.error.message:String(y.error);throw new k(P.InvalidParams,`Invalid sampling result: ${S}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:mr,capabilities:this._capabilities,clientInfo:this._clientInfo}},Tc,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!hr.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){Ki(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&Zi(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},Kt,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},Jc,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},Kt,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},Hc,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},$c,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},Ec,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},xc,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},Uc,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},Kt,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},Kt,r)}async callTool(t,r=gr,n){if(this.isToolTaskRequired(t.name))throw new k(P.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),i=this.getToolOutputValidator(t.name);if(i){if(!a.structuredContent&&!a.isError)throw new k(P.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let s=i(a.structuredContent);if(!s.valid)throw new k(P.InvalidParams,`Structured content does not match the tool's output schema: ${s.errorMessage}`)}catch(s){throw s instanceof k?s:new k(P.InvalidParams,`Failed to validate structured content: ${s instanceof Error?s.message:String(s)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},Fc,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let i=xm.safeParse(n);if(!i.success)throw new Error(`Invalid ${t} listChanged options: ${i.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:s,debounceMs:u}=i.data,{onChanged:d}=n,p=o(async()=>{if(!s){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let f=m instanceof Error?m:new Error(String(m));d(f,null)}},"refresh"),l=o(()=>{if(u){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let f=setTimeout(p,u);this._listChangedDebounceTimers.set(t,f)}else p()},"handler");this.setNotificationHandler(r,l)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function Gs(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(Gs,"normalizeHeaders");function Dw(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...Gs(t.headers),...Gs(n.headers)}:t.headers};return e(r,a)}:e}o(Dw,"createFetchWithInit");var Bs=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function yp(e){}o(yp,"noop");function Mw(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=yp,onError:r=yp,onRetry:n=yp,onComment:a}=e,i="",s=!0,u,d="",p="";function l(y){let S=s?y.replace(/^\xEF\xBB\xBF/,""):y,[v,R]=GU(`${i}${S}`);for(let b of v)m(b);i=R,s=!1}o(l,"feed");function m(y){if(y===""){_();return}if(y.startsWith(":")){a&&a(y.slice(y.startsWith(": ")?2:1));return}let S=y.indexOf(":");if(S!==-1){let v=y.slice(0,S),R=y[S+1]===" "?2:1,b=y.slice(S+R);f(v,b,y);return}f(y,"",y)}o(m,"parseLine");function f(y,S,v){switch(y){case"event":p=S;break;case"data":d=`${d}${S}
+`;break;case"id":u=S.includes("\0")?void 0:S;break;case"retry":/^\d+$/.test(S)?n(parseInt(S,10)):r(new Bs(`Invalid \`retry\` value: "${S}"`,{type:"invalid-retry",value:S,line:v}));break;default:r(new Bs(`Unknown field "${y.length>20?`${y.slice(0,20)}\u2026`:y}"`,{type:"unknown-field",field:y,value:S,line:v}));break}}o(f,"processField");function _(){d.length>0&&t({id:u,event:p||void 0,data:d.endsWith(`
+`)?d.slice(0,-1):d}),u=void 0,d="",p=""}o(_,"dispatchEvent");function w(y={}){i&&y.consume&&m(i),s=!0,u=void 0,d="",p="",i=""}return o(w,"reset"),{feed:l,reset:w}}o(Mw,"createParser");function GU(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
 `,n),s=-1;if(a!==-1&&i!==-1?s=Math.min(a,i):a!==-1?a===e.length-1?s=-1:s=a:i!==-1&&(s=i),s===-1){r=e.slice(n);break}else{let u=e.slice(n,s);t.push(u),n=s+1,e[n-1]==="\r"&&e[n]===`
-`&&n++}}return[t,r]}o(JU,"splitLines");var ms=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=Jy({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var YU={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},yr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},hs=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=Wy(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??YU}async _authThenStart(){if(!this._authProvider)throw new Ft("No auth provider");let t;try{t=await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new Ft;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=ls(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new yr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,u=!1,d=!1;o(async()=>{try{let p=t.pipeThrough(new TextDecoderStream).pipeThrough(new ms({onRetry:o(_=>{this._serverRetryMs=_},"onRetry")})).getReader();for(;;){let{value:_,done:S}=await p.read();if(S)break;if(_.id&&(s=_.id,u=!0,a?.(_.id)),!!_.data&&(!_.event||_.event==="message"))try{let y=wr.parse(JSON.parse(_.data));ut(y)&&(d=!0,i!==void 0&&(y.id=i)),this.onmessage?.(y)}catch(y){this.onerror?.(y)}}(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(p){if(this.onerror?.(new Error(`SSE stream disconnected: ${p}`)),(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(_){this.onerror?.(new Error(`Failed to reconnect: ${_ instanceof Error?_.message:String(_)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new Ft("No auth provider");if(await _r(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:St(t)?t.id:void 0}).catch(f=>this.onerror?.(f));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},u=await(this._fetch??fetch)(this._url,s),d=u.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!u.ok){let f=await u.text().catch(()=>null);if(u.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new yr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:_,scope:S}=Al(u);if(this._resourceMetadataUrl=_,this._scope=S,await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft;return this._hasCompletedAuthFlow=!0,this.send(t)}if(u.status===403&&this._authProvider){let{resourceMetadataUrl:_,scope:S,error:y}=Al(u);if(y==="insufficient_scope"){let w=u.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===w)throw new yr(403,"Server returned 403 after trying upscoping");if(S&&(this._scope=S),_&&(this._resourceMetadataUrl=_),this._lastUpscopingHeader=w??void 0,await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new Ft;return this.send(t)}}throw new yr(u.status,`Error POSTing to endpoint: ${f}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,u.status===202){await u.body?.cancel(),Np(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(f=>this.onerror?.(f));return}let p=(Array.isArray(t)?t:[t]).filter(f=>"method"in f&&"id"in f&&f.id!==void 0).length>0,m=u.headers.get("content-type");if(p)if(m?.includes("text/event-stream"))this._handleSseStream(u.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let f=await u.json(),_=Array.isArray(f)?f.map(S=>wr.parse(S)):[wr.parse(f)];for(let S of _)this.onmessage?.(S)}else throw await u.body?.cancel(),new yr(-1,`Unexpected content type: ${m}`);else await u.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new yr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function Yy(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(Yy,"resolveNativeMcpRequestHeaders");var XU={name:"zuplo-mcp-gateway",version:"0.1.0"},QU=5,e0=500,eS=3e4,t0=2*1024*1024,r0=2;function Xy(){return performance.now()/1e3}o(Xy,"nowSeconds");function n0(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(n0,"readServerPort");function o0(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:n0(e)}}o(o0,"buildNativeMcpOperationContext");function Dn(e){return dg(e)}o(Dn,"withTraceMeta");function Ml(e){if(e>e0)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(Ml,"assertImportedCapabilityBudget");function Qy(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(Qy,"buildRequestInit");function a0(e){return(t,r)=>ss(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:r0,maxResponseBytes:t0,problemCode:"upstream_capability_invocation_failed",timeoutMs:eS})}o(a0,"createNativeMcpFetch");function i0(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},eS);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(i0,"withNativeMcpRequestTimeout");function s0(e,t=[]){let r=Yy(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:a0(a)};if(!e)return{...i,...Qy(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...Qy(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(s0,"buildNativeMcpTransportOptions");async function Mn(e,t,r){let{transport:n}=Je(e),a=new URL(n.baseUrl),i=new hs(a,s0(r,n.requestHeaders)),s=new ds(XU,{capabilities:{}});return i0((async()=>{let u=Xy();await s.connect(i);let d=i.sessionId,l=o0(a,d);try{return await t(s,l)}finally{if(i.sessionId)try{await i.terminateSession()}catch{}await s.close(),d&&lg(l,Xy()-u)}})())}o(Mn,"withNativeMcpClient");async function c0(e,t,r){let n=[],a,i=0;do{if(i>=QU)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(c0,"collectPaginatedSdkItems");async function ql(e){return e.enabled?c0(e.label,e.fetchPage,e.readItems):[]}o(ql,"listNativeMcpCapabilityItems");async function tS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"tools/list",...r},()=>ql({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Ml(a.length),{tools:a}},e.credential)}o(tS,"listNativeMcpTools");async function rS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"prompts/list",...r},()=>ql({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Ml(a.length),{prompts:a}},e.credential)}o(rS,"listNativeMcpPrompts");async function nS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"resources/list",...r},()=>ql({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Ml(a.length),{resources:a}},e.credential)}o(nS,"listNativeMcpResources");async function oS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(Dn(e.params))),e.credential)}o(oS,"callNativeMcpTool");async function aS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(Dn(e.params))),e.credential)}o(aS,"getNativeMcpPrompt");async function iS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(Dn(e.params))),e.credential)}o(iS,"readNativeMcpResource");var ca=class extends A{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(k.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function u0(e){return{content:[{type:"text",text:e}],isError:!0}}o(u0,"buildToolErrorResult");function d0(e){return e.authUrl?new Yt([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new ca(e)}o(d0,"toConnectRequiredError");function l0(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(l0,"buildCredentialResolvedAttributes");function p0(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:l0(e.credential)})}o(p0,"emitCredentialResolvedAnalyticsEvent");function m0(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}o(m0,"emitCredentialMissingAnalyticsEvent");function h0(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):Dr({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(h0,"readRouteBindingCredentialCacheKey");function f0(e){return typeof e.authorizeAndLoadConnections=="function"}o(f0,"isRuntimeHttpCompositeAuthorizationRepository");function cS(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(cS,"readOwnedRouteBindingLookup");async function g0(e){let t=q().downstreamOAuthRepository;if(!f0(t))return new Map;let r=ul(e.request);if(!r)return new Map;let n=new Map;for(let u of e.routeBindings){let d=cS(u);d!==void 0&&n.set(Dr(d),d)}if(n.size===0)return new Map;let a=[...n.values()],i=await t.authorizeAndLoadConnections({accessTokenHash:await F(r),resource:Nr(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:a,now:O(new Date)});if(i.kind!=="authorized")return new Map;let s=new Map;return i.upstreamConnections.forEach((u,d)=>{let l=a[d];l!==void 0&&s.set(Dr(l),u.connection)}),s}o(g0,"preloadCompositeAuthorizedConnections");function _0(e){let t=new Map;return r=>{let n=h0(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,u=cS(r),d=u===void 0?void 0:Dr(u),l=await Vy({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(l.kind==="connect_required")throw m0({context:e.context,payload:l.payload,routeBinding:r}),d0(l.payload);return p0({context:e.context,credential:l.credential,routeBinding:r}),l.credential})();return t.set(n,i),i}}o(_0,"createCredentialResolver");var sS=500;function y0(e){return e.length<=sS?e:`${e.slice(0,sS)}...`}o(y0,"truncateAnalyticsDetail");function S0(e){We(e.context,{eventType:H.MCP_GATEWAY_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0})}o(S0,"emitToolInvocationCompletedAnalyticsEvent");function w0(e){return e instanceof Yt||e instanceof ca?{eventType:H.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof A&&e.code===k.InvalidParams?{eventType:H.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:H.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(w0,"classifyToolInvocationFailure");function v0(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=w0(e.error);We(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,attributes:{detail:y0(t)}})}o(v0,"emitToolInvocationFailedAnalyticsEvent");var R0=256*1024;function b0(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new A(k.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>R0)throw new A(k.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(b0,"assertToolArgumentsWithinLimit");function $l(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new A(k.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o($l,"findBindingForPublishedCapability");function qn(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new A(k.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(qn,"requireSingleTransparentBinding");function C0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(C0,"resolvePublishedToolRoute");function I0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(I0,"resolvePublishedPromptRoute");function T0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(T0,"resolvePublishedResourceRoute");function uS(e){let t=g0({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=_0({context:e.context,preloadedConnections:t,request:e.request});return{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{tools:e.publishedVirtualServer.catalog.tools.filter(a=>a.enabled!==!1).map(ki)};let n=qn(e);return tS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async callTool(n){let a=C0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:n.name});try{b0(n);let i=await r(a.binding),s=await oS({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:i});return S0({context:e.context,routeBinding:a.binding,toolName:n.name,result:s}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,isError:s.isError===!0},"Upstream tool invocation completed"),s}catch(i){if(v0({context:e.context,routeBinding:a.binding,toolName:n.name,error:i}),i instanceof Yt||i instanceof ca)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:n.name,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,ownerMode:a.binding.ownerMode,hasAuthUrl:i instanceof Yt},"Upstream tool invocation requires user to complete a connect flow"),i;let s={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId};return i instanceof A&&(s.mcpErrorCode=i.code),i instanceof Error?(s.errorName=i.name,s.errorMessage=i.message,i.cause instanceof Error&&(s.causeName=i.cause.name,s.causeMessage=i.cause.message)):s.errorMessage=String(i),e.context.log.warn(s,"Upstream tool invocation failed; returning generic gateway error to MCP client"),u0(Fe("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{prompts:e.publishedVirtualServer.catalog.prompts.filter(a=>a.enabled!==!1).map(Pi)};let n=qn(e);return rS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async getPrompt(n){let a=I0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:n.name});return aS({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:await r(a.binding)})},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resources:e.publishedVirtualServer.catalog.resources.filter(a=>a.enabled!==!1).map(Ei)};let n=qn(e);return nS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async readResource(n){let a=T0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:n.uri});return iS({upstreamServerId:a.binding.upstreamServerId,params:{...n,uri:a.upstreamUri},credential:await r(a.binding)})}}}o(uS,"createCapabilityDispatcher");var A0="0.1.0",lS="POST",k0="POST, OPTIONS";function Ll(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:lS}})}o(Ll,"jsonRpcMethodNotAllowedResponse");function P0(e){let t={Allow:lS},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=k0;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(P0,"buildOptionsResponse");function $n(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o($n,"readJsonRpcRequestId");function jl(e){return e&&typeof e=="object"?e.params:void 0}o(jl,"readMcpRequestParams");function dS(e,t){return e.headers.get(t)??void 0}o(dS,"readMcpHeader");function E0(e){return{mcpProtocolVersion:dS(e,"mcp-protocol-version")??Or,mcpSessionId:dS(e,"mcp-session-id")}}o(E0,"buildServerTelemetryBase");function x0(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Or),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(x0,"ensureProtocolVersionHeader");async function Hl(e,t){if(e.method==="OPTIONS")return P0(e);if(e.method==="GET")return Ll("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return Ll("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return Ll("Only POST is supported by this virtual MCP server.");let r=Rn(t),n=Yf(r.virtualServerId),a=mg(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=E0(e),s=uS({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),u=re(e.url),d=new Si({enableDnsRebindingProtection:!0,allowedOrigins:[u]}),l=new yi(n.catalog.serverInfo??{name:r.virtualServerId,version:A0},{capabilities:{prompts:{},resources:{},tools:{}}});l.setRequestHandler(cc,async m=>zr({methodName:"tools/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listTools())),l.setRequestHandler(Qn,async m=>zr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.callTool(m.params))),l.setRequestHandler(Qs,async m=>zr({methodName:"prompts/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listPrompts())),l.setRequestHandler(tc,async m=>zr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.getPrompt(m.params))),l.setRequestHandler(Fs,async m=>zr({methodName:"resources/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listResources())),l.setRequestHandler(Js,async m=>zr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.readResource(m.params))),await l.connect(d);let p=await d.handleRequest(e);return x0(p)}o(Hl,"virtualServerHandler");async function O0(e,t){return Wt("handler.mcp-virtual-server"),Hl(e,t)}o(O0,"McpVirtualServerHandler");var Ln={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},U0="oauth-protected-resource-metadata",z0="/.well-known/oauth-protected-resource/";function N0(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(N0,"readRouteOperationId");function D0(e){return e.hasGatewayRouteContext?Ln.VIRTUAL_MCP_SERVER:e.routeOperationId===U0||e.routeOperationId===void 0&&e.routePath.startsWith(z0)?Ln.OAUTH_PROTECTED_RESOURCE_METADATA:Ln.OTHER}o(D0,"classifyAnalyticsRouteSurface");function M0(e){let t=e.route.path;return{routePath:t,routeSurface:D0({routePath:t,routeOperationId:N0(e),hasGatewayRouteContext:No(e)!==void 0})}}o(M0,"readAnalyticsRequestContext");function q0(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Ln.VIRTUAL_MCP_SERVER}o(q0,"isIntentionalMethodRejection");function $0(e){return q0(e)||e.response.status===401&&e.routeSurface===Ln.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o($0,"classifyRequestCompletedOutcome");async function Gl(e,t){let r=Date.now(),n=M0(t);return t.addResponseSendingFinalHook(a=>{let i=$0({response:a,routeSurface:n.routeSurface});We(t,{eventType:H.MCP_GATEWAY_REQUEST_COMPLETED,outcome:i,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(Gl,"analyticsContextInbound");function L0(e){return e instanceof Response}o(L0,"isResponse");var pS="/mcp/";function j0(e){let t=e.route.path;if(!t.startsWith(pS))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(pS.length);if(!r||r.includes("/"))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(j0,"readVirtualServerIdFromRoute");async function ua(e,t){let n={virtualServerId:me.parse(j0(t))};eg(t,n),zf(t,n);let a=await Gl(e,t);return L0(a)?a:dl(a,t)}o(ua,"mcpOAuthInboundPolicy");var H0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-auth0-oauth"),ua(e,t)),"McpAuth0OAuthInboundPolicy");function G0(e){let t=`https://${e.auth0Domain}/`,r=`https://${e.auth0Domain}/.well-known/jwks.json`,n=`https://${e.auth0Domain}/authorize`,a=`https://${e.auth0Domain}/oauth/token`;return Ui({oidc:{issuer:t,jwksUrl:r,audience:e.audience},browserLogin:{url:n,tokenUrl:a,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",audience:e.audience,...e.browserLoginOverrides??{}},gateway:e.gateway,devTenantId:e.devTenantId})}o(G0,"buildAuth0McpOAuthRuntimeConfig");var B0={policyType:"mcp-auth0-oauth-inbound",displayName:"MCP OAuth (Auth0)",getConfig(e){return G0(e)}};Ci(B0);var V0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-oauth"),ua(e,t)),"McpOAuthInboundPolicy"),F0={policyType:"mcp-oauth-inbound",displayName:"MCP OAuth",getConfig(e){return Ui(e)}};Ci(F0);function Z0(e){let t=At(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(Z0,"buildRouteAuthBaseFromConnection");function hS(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=At(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:vn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(hS,"buildRouteAuthBaseFromPolicyOptions");function fS(e,t){let n=st().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return Z0({connection:a,virtualServerId:t})}o(fS,"resolveRouteAuthBase");function mS(e,t){switch(e){case"user":return mr(t.tenantId,t.subjectId);case"tenant_shared":return Hi(t.tenantId)}}o(mS,"buildOwnerForPrincipal");function fs(e,t){switch(e.ownerMode){case"tenant_shared":return{...e,owner:mS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:mS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(fs,"resolveRouteAuthForPrincipal");function K0(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return Ri.parse(r)}o(K0,"readSingleAuthMode");function gS(e){return Tt.parse(e)}o(gS,"buildToolNamePrefixFromConnectionId");async function Bl(e,t,r,n){let a=Ai(r,n),i=K0({policyName:n,connection:a}),s=Rn(t),u=hS({connection:a,virtualServerId:s.virtualServerId,authMode:i});if(u.ownerMode==="none")return Pd(t,{...u,connectionPolicyName:n,toolNamePrefix:gS(a.id)}),e;let d=Tg(t);return d.tenantId?(Pd(t,{...fs(u,d),connectionPolicyName:n,toolNamePrefix:gS(a.id)}),e):Ze(e,t,{code:"forbidden",detail:"Upstream credentials for this virtual server require an authenticated tenant.",headers:{"WWW-Authenticate":An({virtualServerId:s.virtualServerId,requestUrl:e.url,error:"insufficient_scope",errorDescription:"The access token is missing tenant context required by this virtual server.",scope:ce})}})}o(Bl,"mcpUpstreamConnectionPolicy");var W0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-upstream-connection"),Bl(e,t,r,n)),"McpUpstreamConnectionInboundPolicy");Y();Y();var _S="application/json",J0="application/x-www-form-urlencoded";function Y0(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(Y0,"normalizeContentType");function X0(e,t){return e===t?!0:t===_S&&e.endsWith("+json")}o(X0,"contentTypeMatches");function Q0(e,t){if(!t||t.length===0)return;let r=Y0(e.headers.get("content-type"));if(!t.some(n=>X0(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(Q0,"assertExpectedContentType");function ez(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(ez,"assertContentLengthWithinLimit");async function yS(e,t){let r=t.label??"Request body";Q0(e,t.expectedContentTypes),ez(e,t.maxBytes,r);let n=await is(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(yS,"readBoundedTextBody");async function SS(e,t){let r=await yS(e,{...t,expectedContentTypes:[_S]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(SS,"readBoundedJsonBody");async function gs(e,t){let r=await yS(e,{...t,expectedContentTypes:[J0]});return new URLSearchParams(r)}o(gs,"readBoundedFormUrlEncodedBody");var wS=Symbol("Html");function tz(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(tz,"escapeHtml");function rz(e){return e===null||typeof e!="object"?!1:e[wS]===!0}o(rz,"isHtml");function vS(e){return e==null||e===!1?"":Array.isArray(e)?e.map(vS).join(""):rz(e)?e.value:tz(String(e))}o(vS,"renderValue");function yt(e){return{[wS]:!0,value:e}}o(yt,"trustedHtml");var ye=yt("");function x(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=vS(t[n]),r+=e[n+1]??"";return yt(r)}o(x,"html");function Zt(e){return e.value}o(Zt,"renderHtml");var nz="text/html; charset=utf-8";function RS(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":nz,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(RS,"apiKeyLoginHtmlResponse");function Vl(e=401){return RS(x`<!doctype html><html><head><title>Login failed</title></head><body><main><h1>Login failed</h1><p>The API key could not be verified. Start the authorization flow again.</p></main></body></html>`,e)}o(Vl,"apiKeyLoginFailureResponse");function bS(e){return RS(x`<!doctype html><html><head><title>API key login</title></head><body><main><h1>API key login</h1><form method="post" action="/oauth/api-key-login" autocomplete="off"><input type="hidden" name="state" value="${e}"><label for="apiKey">API key</label><input id="apiKey" name="apiKey" type="password" required autocomplete="off"><button type="submit">Continue</button></form></main></body></html>`)}o(bS,"renderApiKeyLoginForm");Y();Y();import{errors as zS,jwtVerify as NS,SignJWT as DS}from"jose";Y();import{errors as hz,jwtVerify as fz,SignJWT as gz}from"jose";function Sr(e){let t=ve().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(Sr,"requireBrowserLoginField");function _s(e){if(!e.tenantId)throw g("identity_context_missing","Gateway OAuth browser login requires a tenant-scoped principal.");return{...e,tenantId:e.tenantId}}o(_s,"requireTenantScopedBrowserPrincipal");Y();import{createRemoteJWKSet as oz,errors as da,jwtVerify as az}from"jose";var iz=c.object({id_token:c.string().min(1),token_type:c.string().min(1).optional(),expires_in:c.number().optional(),access_token:c.string().min(1).optional(),refresh_token:c.string().min(1).optional(),scope:c.string().min(1).optional()}),sz=c.object({error:c.string().min(1).optional(),error_description:c.string().min(1).optional(),error_uri:c.string().min(1).optional()});function cz(e){let t=sz.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(cz,"readIdpErrorFields");function uz(e){return e instanceof da.JWTExpired?"expired":e instanceof da.JWTClaimValidationFailed?"claim":e instanceof da.JWSSignatureVerificationFailed?"signature":e instanceof da.JWKSNoMatchingKey?"jwks_no_match":e instanceof da.JWTInvalid?"invalid":e instanceof c.ZodError?"schema":"other"}o(uz,"readJwtFailureKind");var dz=c.object({sub:X,nonce:c.string().min(1)}).catchall(c.unknown()),Fl;function lz(e){return e instanceof Error&&"cause"in e?e.cause:e}o(lz,"readErrorCause");function pz(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(pz,"readRuntimeGatewayCode");function mz(){if(!Fl){let e=ve();Fl=oz(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Fl}o(mz,"readFederatedJwks");async function CS(e){let t=ve(),r=Sr("tokenUrl"),n=Sr("clientId"),a=Sr("clientSecret"),i=new URL("/oauth/callback",gt(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:u,json:d}=await Py(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!u.ok){let f=cz(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:it(r),idpStatus:u.status,...f},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${u.status}${f.idpError?` idp_error=${f.idpError}`:""}${f.idpErrorDescription?` idp_error_description=${f.idpErrorDescription}`:""})`)})}let l=iz.parse(d),p;try{({payload:p}=await az(l.id_token,mz(),{issuer:t.oidc.issuer,audience:n}))}catch(f){let _={};throw Ae(_,"error",f),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:uz(f),idpHost:it(r),expectedIssuer:t.oidc.issuer,..._},"Federated id_token failed jose verification"),f}if(p.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:it(r),nonceMissingFromIdToken:p.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=dz.parse(p);return _s(Tn({sub:m.sub,data:m},e.requestUrl))}catch(u){let d=de(u)??pz(u);throw d!==void 0&&d!=="browser_login_verification_failed"?u:g("browser_login_verification_failed","Federated browser login callback could not be verified.",lz(u))}}o(CS,"exchangeFederatedAuthorizationCode");var Kl="zuplo_mcp_session",IS="HS256",TS="zuplo-mcp-gateway",AS="zuplo-mcp-gateway",_z=c.object({purpose:c.literal("gateway_browser_session"),sub:X,tenantId:ue,browserLoginOrigin:c.string().min(1),roles:c.array(c.string().min(1)).optional(),exp:c.number().int().positive(),iat:c.number().int().positive().optional()});function yz(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(yz,"parseCookieHeader");async function kS(){return kt({purpose:"browser-session",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-session"),"derive")})}o(kS,"getBrowserSessionKey");function Zl(e){let t=new URL(re(e)),r=[`${Kl}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Zl,"buildBrowserSessionEvictionCookie");function Sz(e){let t=new URL(re(e.requestUrl)),r=[`${Kl}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Sz,"serializeSessionCookie");function PS(e={}){return new URL(Sr("url")).origin}o(PS,"readBrowserLoginOrigin");function Wl(){return ve().browserLogin.stateTtlSeconds}o(Wl,"readBrowserLoginStateTtlSeconds");function ES(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return _s(Tn(e.user,e.url))}o(ES,"resolveCurrentRequestPrincipal");async function ys(e,t={}){let r=yz(e.headers.get("cookie")).get(Kl);if(!r)return{};try{let{payload:n}=await fz(r,await kS(),{algorithms:[IS],issuer:TS,audience:AS}),a=_z.parse(n);if(a.browserLoginOrigin!==PS(t))return{evictCookie:Zl(e.url)};let i={subjectId:a.sub,tenantId:a.tenantId};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof hz.JWTExpired?{evictCookie:Zl(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Zl(e.url)})}}o(ys,"readBrowserSession");async function la(e){let t=ve().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,tenantId:e.principal.tenantId,browserLoginOrigin:PS({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new gz(r).setProtectedHeader({alg:IS,typ:"JWT"}).setIssuer(TS).setAudience(AS).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await kS());return Sz({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(la,"createBrowserSessionCookie");async function xS(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(xS,"resolveApiKeyBrowserLoginPrincipal");async function OS(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await ys(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return CS({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(OS,"resolveBrowserLoginCallbackPrincipal");function US(e){let t=ve().browserLogin,r=new URL(Sr("url")),n=new URL("/oauth/callback",gt(e.requestUrl));return yg(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",Sr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(US,"buildBrowserLoginUrl");var MS=5*60,wz=["mcp_user"],Ss="HS256",ws="zuplo-mcp-gateway",vs="zuplo-mcp-gateway",vz=c.object({purpose:c.literal("gateway_browser_login"),transactionId:je,stateId:Di,exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),Rz=c.object({purpose:c.literal("gateway_authorization_setup"),transactionId:je,stateId:Di,exp:c.number().int().positive(),iat:c.number().int().positive().optional()});async function qS(){return kt({purpose:"browser-login",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-login"),"derive")})}o(qS,"getBrowserLoginKey");async function $S(){return kt({purpose:"authorization-csrf",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"authorization-csrf"),"derive")})}o($S,"getCsrfKey");function bz(e){return[...new Set([...wz,...e.roles??[]])]}o(bz,"buildRoles");function LS(e){return{repository:e.repository??q().downstreamOAuthRepository,now:e.now??new Date,ttlSeconds:Wl()}}o(LS,"readPendingTransactionDependencies");function Cz(e,t){return e.subjectId===t.subjectId&&e.tenantId===t.tenantId}o(Cz,"principalsMatch");function jS(e){return{subjectId:e.subjectId,tenantId:e.tenantId,...e.roles===void 0?{}:{roles:e.roles}}}o(jS,"toPendingPrincipal");function HS(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:O(e.now),expiresAt:O(ft(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:jS(e.principal)}}o(HS,"createTransactionRecord");async function GS(e){if((await e.repository.savePendingAuthorizationTransaction(e.record,e.client===void 0?void 0:{client:e.client})).kind==="already_exists")throw g("oauth_state_reused","Authorization transaction state already exists.")}o(GS,"savePendingTransaction");async function Iz(e){return new DS({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:Ss,typ:"JWT"}).setIssuer(ws).setAudience(vs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await qS())}o(Iz,"signBrowserLoginState");async function BS(e){return new DS({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Nd()}).setProtectedHeader({alg:Ss,typ:"JWT"}).setIssuer(ws).setAudience(vs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await $S())}o(BS,"signCsrfToken");async function Rs(e){try{let{payload:t}=await NS(e,await qS(),{algorithms:[Ss],issuer:ws,audience:vs}),r=vz.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof zS.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(Rs,"verifyBrowserLoginStateToken");async function Tz(e){try{let{payload:t}=await NS(e,await $S(),{algorithms:[Ss],issuer:ws,audience:vs});return{transactionId:Rz.parse(t).transactionId}}catch(t){throw t instanceof zS.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(Tz,"verifyCsrfToken");function pa(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(pa,"pendingStateErrorCode");function VS(e){return e==="principal_mismatch"?"oauth_callback_mismatch":pa(e==="consumed_already"?"consumed_already":e)}o(VS,"setupDecisionErrorCode");function Az(e){if(e.kind!=="available")throw g(pa(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(Az,"requireAwaitingSetup");function kz(e){if(e.kind!=="available")throw g(pa(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(kz,"requireAwaitingLogin");function Pz(e){if(!Cz(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(Pz,"requireCurrentPrincipalMatches");function FS(e){return typeof e.decideAuthorizationSetup=="function"}o(FS,"hasRuntimeHttpAuthorizationDecision");async function ZS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=Wl(),a=zd(),i=Nd(),s=await Iz({transactionId:a,stateId:i,ttlSeconds:n}),u=HS({id:a,transaction:e.transaction,currentStateHash:await F(s),phase:"awaiting_login",now:r,ttlSeconds:n});if(u.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return await GS({repository:t,record:u,client:e.transaction.client}),{transaction:u,browserLoginStateToken:s,browserLoginUrl:US({state:s,nonce:i,virtualServerId:u.virtualServerId,requestUrl:e.requestUrl})}}o(ZS,"startAwaitingLogin");async function KS(e){let{repository:t,now:r,ttlSeconds:n}=LS(e),a=zd(),i=await BS({transactionId:a,ttlSeconds:n}),s=HS({id:a,transaction:e.transaction,currentStateHash:await F(i),phase:"awaiting_setup",principal:e.principal,now:r,ttlSeconds:n});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return await GS({repository:t,record:s,client:e.transaction.client}),{transaction:s,csrfToken:i}}o(KS,"startAwaitingSetup");async function Jl(e){let{repository:t,now:r,ttlSeconds:n}=LS(e),a=await Rs(e.browserLoginStateToken),i=await BS({transactionId:a.transactionId,ttlSeconds:n}),s=await t.advancePendingAuthorizationTransaction({id:a.transactionId,expectedPhase:"awaiting_login",currentStateHash:await F(e.browserLoginStateToken),nextStateHash:await F(i),nextPhase:"awaiting_setup",principal:jS(e.principal),now:r});if(s.kind!=="advanced")throw g(pa(s.kind),"Browser login state is invalid, expired, or already used.");if(s.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:s.record,csrfToken:i}}o(Jl,"completeLogin");async function WS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=await Rs(e.browserLoginStateToken);return kz(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await F(e.browserLoginStateToken),now:r}))}o(WS,"getAwaitingLogin");async function ma(e){let t=await Yl(e);return Pz({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(ma,"getSetup");async function Yl(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=await Tz(e.csrfToken);return Az(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await F(e.csrfToken),now:r}))}o(Yl,"getSetupTransaction");async function Ez(e){let t=Ke(),r=await F(t),n=Dd(),a=O(ft(e.now,MS)),i={id:e.transaction.id,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,tenantId:e.transaction.principal.tenantId,subjectId:e.transaction.principal.subjectId,scope:e.transaction.scope,roles:bz(e.transaction.principal),codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:O(e.now),expiresAt:a};await e.repository.issueAuthorizationCode({...i,codeHash:r,grantId:n});let s=new URL(e.transaction.redirectUri);return s.searchParams.set("code",t),e.transaction.clientState&&s.searchParams.set("state",e.transaction.clientState),s}o(Ez,"createAuthorizationCodeRedirect");async function xz(e){let t=await ma({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=Ke(),n=O(ft(e.now,MS)),a=await e.repository.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:await F(e.csrfToken),currentPrincipal:{tenantId:e.currentBrowserPrincipal.tenantId,subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await F(r),authorizationCodeExpiresAt:n,grantId:Dd(),now:O(e.now)});if(a.kind!=="approved")throw g(a.kind==="cancelled"?"oauth_state_invalid":VS(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(xz,"createAuthorizationCodeRedirectWithDecision");async function Oz(e){let t=await ma({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=await e.repository.decideAuthorizationSetup({decision:"cancel",transactionId:t.id,currentStateHash:await F(e.csrfToken),currentPrincipal:{tenantId:e.currentBrowserPrincipal.tenantId,subjectId:e.currentBrowserPrincipal.subjectId},now:O(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":VS(r.kind),"Authorization setup state is invalid, expired, or already used.");return JS({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(Oz,"createCancelRedirectWithDecision");function JS(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(JS,"buildClientCancelRedirect");async function Uz(e){let t=await ma(e),r=await e.repository.consumePendingAuthorizationTransaction({id:t.id,currentStateHash:await F(e.csrfToken),now:e.now});if(r.kind!=="consumed")throw g(pa(r.kind),"Authorization setup state is invalid, expired, or already used.");if(r.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return r.record}o(Uz,"consumeSetup");async function YS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;return{repository:t,now:r,transaction:await Uz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t})}}o(YS,"consumeSetupForDecision");async function XS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;if(FS(t))return xz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let n=await YS(e);return Ez({repository:n.repository,transaction:n.transaction,now:n.now})}o(XS,"approve");async function QS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;if(FS(t))return Oz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let{transaction:n}=await YS(e);return JS({redirectUri:n.redirectUri,clientState:n.clientState})}o(QS,"cancel");Y();var zz=1e4,Nz=5*1024,Dz=2,Mz=90*24*60*60,Xl=["authorization_code","refresh_token"],Ql=["code"],qz=c.object({client_name:c.string().min(1).optional(),redirect_uris:c.array(c.string().min(1)).min(1),grant_types:c.array(c.enum(Xl)).min(1).max(2).optional(),response_types:c.array(c.enum(Ql)).min(1).max(1).optional(),scope:c.literal(ce).optional(),token_endpoint_auth_method:qo.default("client_secret_basic")});function $z(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o($z,"isCimdClientIdCandidate");function jn(e,t="invalid_request"){if(Lz(e))throw new U(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new U(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new U(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||Le(r)))throw new U(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(jn,"assertValidRedirectUri");function Lz(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(Lz,"hasForbiddenRawRedirectUriCharacter");async function jz(e){let{response:t,json:r}=await Ey(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Dz,maxResponseBytes:Nz,timeoutMs:zz});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=gg.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(jz,"fetchCimdMetadata");async function Hz(e){let t=as(e),r=await jz({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(Hz,"resolveCimdClient");async function ha(e,t,r){let n=le.parse(t);if($z(n)){if(!ve().gateway.cimdEnabled)throw new U("invalid_client","OAuth client is not registered.");try{return await Hz(n)}catch{throw new U("invalid_client","OAuth client is not registered.")}}let a=await e.getDcrClient(n);if(a){let i={kind:"dcr",clientId:n,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new U("invalid_client",n.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(ha,"resolveClient");function bs(e,t){if(!e.metadata.redirect_uris.some(r=>qi(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(bs,"assertRedirectRegistered");function Gz(e){let t=ew(e.grant_types),r=e.response_types??[...Ql];if(!Bz(t))throw new U("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!Vz(r))throw new U("invalid_client_metadata","response_types must be code.");if(!Fz(e.scope))throw new U("invalid_client_metadata",`Only the ${ce} scope is supported.`)}o(Gz,"assertSupportedDcrRequest");function ew(e){return e===void 0?[...Xl]:Array.from(new Set(e))}o(ew,"normalizeGrantTypes");function Bz(e){return e.length===0?!1:e.every(t=>Xl.includes(t))}o(Bz,"isSupportedGrantTypes");function Vz(e){return e.length===Ql.length&&e[0]==="code"}o(Vz,"isSupportedResponseTypes");function Fz(e){return e===void 0||e===ce}o(Fz,"isSupportedDcrScope");function Vr(e){if(e===void 0||e===ce)return ce;throw new U("invalid_request",`Only the ${ce} scope is supported.`)}o(Vr,"assertSupportedOAuthScope");function Pt(e,t){let r;try{r=new URL(t)}catch{throw new U("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new U("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!Le(r))throw new U("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=re(e),a=Xf(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new U("invalid_target","resource must match a published virtual MCP server.");return i}o(Pt,"resolveResource");async function tw(e,t={}){let r=Zz(t)?{repository:t}:t,n;try{n=qz.parse(e)}catch(f){if(f instanceof c.ZodError){let _=f.issues.some(S=>S.path[0]==="redirect_uris");throw new U(_?"invalid_redirect_uri":"invalid_client_metadata",f.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:f})}throw f}Gz(n);for(let f of n.redirect_uris)jn(f,"invalid_redirect_uri");let a=r.repository??q().downstreamOAuthRepository,i=new Date,s=le.parse(`dcr:${crypto.randomUUID()}`),u=ft(i,Mz),d=Math.floor(i.getTime()/1e3),l=Math.floor(u.getTime()/1e3),p={client_id:s,client_name:n.client_name??"Dynamically registered MCP client",redirect_uris:n.redirect_uris,grant_types:ew(n.grant_types),response_types:["code"],scope:ce,token_endpoint_auth_method:n.token_endpoint_auth_method,client_id_issued_at:d},m={clientId:s,clientName:String(p.client_name),redirectUris:n.redirect_uris,tokenEndpointAuthMethod:n.token_endpoint_auth_method,createdAt:O(i),clientExpiresAt:O(u)};if(n.token_endpoint_auth_method!=="none"){let f=Ke();m.hashedClientSecret=await F(f),m.clientSecretExpiresAt=O(u),p.client_secret=f,p.client_secret_expires_at=l,p.client_secret_issued_at=d}return await a.saveDcrClient(m),p}o(tw,"registerDownstreamClient");function Zz(e){return typeof e.getDcrClient=="function"}o(Zz,"isOAuthRepository");var Kz=8;function tp(e){let t=e.trim();try{let r=new URL(t);if(r.protocol==="https:")return r.toString()}catch{}if(/^data:image\/(?:png|jpe?g|webp);/i.test(t))return t}o(tp,"safeIconSrc");function Wz(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(Wz,"safeGatewayConnectHref");function Jz(e){if(e==="any")return Number.POSITIVE_INFINITY;let t=/^(\d+)x(\d+)$/.exec(e);return t?Math.max(Number(t[1]),Number(t[2])):0}o(Jz,"parseIconSize");function Yz(e,t){let r=e.filter(a=>a.theme===t);if(r.length>0)return r;let n=e.filter(a=>a.theme===void 0);return n.length>0?n:e}o(Yz,"selectIconCandidates");function Xz(e){return tp(e.src)?e.sizes&&e.sizes.length>0?Math.max(...e.sizes.map(Jz)):0:-1}o(Xz,"readIconScore");function ow(e,t){if(!e||e.length===0)return;let r=Yz(e,t),n,a=-1;for(let i of r){let s=Xz(i);s>a&&(n=i,a=s)}return n}o(ow,"pickIcon");var Qz='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>',rw=yt(Qz),eN=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>'),tN=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>'),aw=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),nw=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M8 1.5 2.5 3.5v4.2c0 3.4 2.4 5.6 5.5 6.8 3.1-1.2 5.5-3.4 5.5-6.8V3.5L8 1.5Z"/><path d="m5.8 8.2 1.6 1.6 3-3"/></svg>');function rN(e,t){let r=ow(e,"light");if(!r)return x`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${rw}</span>`;let n=tp(r.src);return n?x`<span class="icon-frame"><img src="${n}" alt="${t}" loading="lazy" decoding="async"></span>`:x`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${rw}</span>`}o(rN,"renderIconFrame");function Is(e,t){let r=ow(e,"light");if(!r)return ye;let n=tp(r.src);return n?x`<img class="inline-icon" src="${n}" alt="${t}" loading="lazy" decoding="async">`:ye}o(Is,"renderInlineIcon");function nN(e){switch(e){case"user":return"your account";case"tenant_shared":return"shared by your team";case"none":return"gateway-managed"}}o(nN,"ownerModeLabel");function oN(e){return e.endsWith("_oauth")||e==="oauth"?"OAuth":e.includes("static_secret")?"static credential":e.replaceAll("_"," ")}o(oN,"authModeLabel");function aN(e){switch(e){case"active":return x`<span class="status-badge status-badge--success">Connected</span>`;case"not_connected":return x`<span class="status-badge status-badge--neutral">Not connected</span>`;case"reconsent_required":return x`<span class="status-badge status-badge--warning">Reconnect required</span>`}}o(aN,"statusBadge");function iN(e){if(!e)return ye;let t=[];return e.destructiveHint&&t.push(x`<span class="badge badge--destructive" title="This tool may modify or delete data on your behalf.">destructive</span>`),e.readOnlyHint&&t.push(x`<span class="badge badge--muted" title="This tool only reads data and does not modify state.">read-only</span>`),e.openWorldHint&&t.push(x`<span class="badge badge--muted" title="This tool can access arbitrary URIs supplied at call time.">open-world</span>`),t.length>0?x`<span class="badge-row">${t}</span>`:ye}o(iN,"annotationBadges");function iw(e){let t=0,r=0;for(let n of e.tools)n.annotations?.destructiveHint===!0&&(t+=1),n.annotations?.readOnlyHint===!0&&(r+=1);return{tools:e.tools.length,prompts:e.prompts.length,resources:e.resources.length,destructiveTools:t,readOnlyTools:r}}o(iw,"summarizeCapabilities");function sN(e){let t=e.annotations?.title??e.title??e.name,r=e.description?x`<span class="capability-row__description">${e.description}</span>`:ye;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${iN(e.annotations)}${r}</li>`}o(sN,"renderToolRow");function cN(e){let t=e.title??e.name,r=e.description?x`<span class="capability-row__description">${e.description}</span>`:ye;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${r}</li>`}o(cN,"renderPromptRow");function uN(e){let t=e.title??e.name,r=e.mimeType===void 0?ye:x` · ${e.mimeType}`,n=e.description===void 0?ye:x` — ${e.description}`,a=x`<span class="capability-row__description"><code>${e.uri}</code>${r}${n}</span>`;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${a}</li>`}o(uN,"renderResourceRow");function ep(e,t,r,n){if(t===0)return ye;let a=r.slice(0,Kz),i=t-a.length,s=i>0?x`<li class="capability-row capability-row--more">+ ${i} more</li>`:ye;return x`<section class="capability-section"><h4 class="capability-section__title">${e} <span class="muted">(${t})</span></h4><ul class="capability-list">${a.map(n)}${s}</ul></section>`}o(ep,"renderCapabilitySection");function Cs(e,t,r=!1){return r?x`<span class="count-pill count-pill--destructive"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`:x`<span class="count-pill"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`}o(Cs,"countPill");function dN(e){let t=iw(e);if(t.tools+t.prompts+t.resources===0)return x`<div class="upstream-card__capabilities upstream-card__capabilities--empty">No tools, prompts, or resources advertised.</div>`;let n=[];t.tools>0&&n.push(Cs(t.tools===1?"tool":"tools",t.tools)),t.prompts>0&&n.push(Cs(t.prompts===1?"prompt":"prompts",t.prompts)),t.resources>0&&n.push(Cs(t.resources===1?"resource":"resources",t.resources)),t.destructiveTools>0&&n.push(Cs("destructive",t.destructiveTools,!0));let a=[ep("Tools",t.tools,e.tools,sN),ep("Prompts",t.prompts,e.prompts,cN),ep("Resources",t.resources,e.resources,uN)];return x`<details class="upstream-card__capabilities"><summary class="capabilities-summary"><span class="capabilities-summary__counts">${n}</span><span class="capabilities-summary__chevron" aria-hidden="true">${aw}</span></summary><div class="capabilities-detail">${a}</div></details>`}o(dN,"renderUpstreamCapabilities");function lN(e){if(!e||e.length===0)return ye;let t=e.map(n=>x`<code class="scope-chip">${n}</code>`),r=e.length===1?"scope":"scopes";return x`<details class="upstream-card__scopes"><summary class="scopes-summary"><span>Requested ${r} <span class="muted">(${e.length})</span></span><span class="capabilities-summary__chevron" aria-hidden="true">${aw}</span></summary><div class="scopes-list">${t}</div></details>`}o(lN,"renderUpstreamScopes");function pN(e,t){if(e.ownerMode!=="user")return ye;let r=Wz(e.connectUrl,t);if(!r)return ye;let n=e.status==="active"?"Redo auth":e.status==="reconsent_required"?"Reconnect":"Connect",a=e.status==="active"?"Reconnect this upstream account or approve updated scopes.":void 0;return x`<a class="button button--secondary button--small" href="${r}"${a===void 0?ye:x` title="${a}"`}>${n}</a>`}o(pN,"renderActionButton");function mN(e,t){let r=pN(e,t);return Zt(r)!==""?r:aN(e.status)}o(mN,"renderUpstreamControl");function hN(e,t){let n=e.ownerMode==="user"&&e.status!=="active"?yt('<article class="upstream-card upstream-card--needs-action">'):yt('<article class="upstream-card">'),a=e.description?x`<p class="upstream-card__description">${e.description}</p>`:ye,i=e.transportHost?x`<code class="upstream-card__host">${e.transportHost}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`:ye,s=x`<div class="upstream-card__head">${rN(e.serverIcons,e.upstreamDisplayName)}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${mN(e,t)}</div><div class="upstream-card__meta">${i}<span>${oN(e.authMode)}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${nN(e.ownerMode)}</span></div>${a}</div></div>`,u=dN(e.capabilities),d=lN(e.scopesRequested);return x`${n}${s}${u}${d}</article>`}o(hN,"renderUpstreamCard");function fN(e){return e.reduce((t,r)=>{let n=iw(r.capabilities);return t.tools+=n.tools,t.prompts+=n.prompts,t.resources+=n.resources,t.destructiveTools+=n.destructiveTools,t.readOnlyTools+=n.readOnlyTools,t},{tools:0,prompts:0,resources:0,destructiveTools:0,readOnlyTools:0})}o(fN,"aggregateCapabilities");function gN(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(gN,"deriveMode");function _N(e){if(e.mode==="setup"){let n=e.upstreams.filter(u=>u.ownerMode==="user"&&u.status!=="active"),a=n.length>0&&n.every(u=>u.status==="reconsent_required"),i=n.length===1?"the service":`the ${n.length} services`,s=a?x`Re-authorize ${i} below to refresh access. Authorization will continue automatically once each is ready.`:x`Connect ${i} below before continuing. Authorization will continue automatically once each is ready.`;return x`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${eN}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${s}</p></div></div>`}let t=fN(e.upstreams);if(t.destructiveTools===0)return ye;let r=t.destructiveTools===1?"tool can":"tools can";return x`<div class="banner banner--alert" role="alert"><span class="banner__icon" aria-hidden="true">${tN}</span><div class="banner__body"><p class="banner__title">${t.destructiveTools} ${r} modify or delete data</p><p class="banner__message">Review the destructive tools below before authorizing <strong>${e.clientDisplayName}</strong>.</p></div></div>`}o(_N,"renderBanner");function yN(e){return e.mode==="grant"?x`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve">Authorize</button></form>`:x`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><input type="hidden" name="decision" value="continue"><button class="button button--primary" type="submit">Check again</button></form>`}o(yN,"renderActions");var SN=`
+`&&n++}}return[t,r]}o(GU,"splitLines");var Fs=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=Mw({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var BU={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},Ur=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},Vs=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=Dw(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??BU}async _authThenStart(){if(!this._authProvider)throw new ar("No auth provider");let t;try{t=await Or(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new ar;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=Gs(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new Ur(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,u=!1,d=!1;o(async()=>{try{let l=t.pipeThrough(new TextDecoderStream).pipeThrough(new Fs({onRetry:o(_=>{this._serverRetryMs=_},"onRetry")})).getReader();for(;;){let{value:_,done:w}=await l.read();if(w)break;if(_.id&&(s=_.id,u=!0,a?.(_.id)),!!_.data&&(!_.event||_.event==="message"))try{let y=Mr.parse(JSON.parse(_.data));St(y)&&(d=!0,i!==void 0&&(y.id=i)),this.onmessage?.(y)}catch(y){this.onerror?.(y)}}(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(l){if(this.onerror?.(new Error(`SSE stream disconnected: ${l}`)),(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(_){this.onerror?.(new Error(`Failed to reconnect: ${_ instanceof Error?_.message:String(_)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new ar("No auth provider");if(await Or(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new ar("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:xt(t)?t.id:void 0}).catch(f=>this.onerror?.(f));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},u=await(this._fetch??fetch)(this._url,s),d=u.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!u.ok){let f=await u.text().catch(()=>null);if(u.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new Ur(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:_,scope:w}=up(u);if(this._resourceMetadataUrl=_,this._scope=w,await Or(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new ar;return this._hasCompletedAuthFlow=!0,this.send(t)}if(u.status===403&&this._authProvider){let{resourceMetadataUrl:_,scope:w,error:y}=up(u);if(y==="insufficient_scope"){let S=u.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===S)throw new Ur(403,"Server returned 403 after trying upscoping");if(w&&(this._scope=w),_&&(this._resourceMetadataUrl=_),this._lastUpscopingHeader=S??void 0,await Or(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new ar;return this.send(t)}}throw new Ur(u.status,`Error POSTing to endpoint: ${f}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,u.status===202){await u.body?.cancel(),bm(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(f=>this.onerror?.(f));return}let l=(Array.isArray(t)?t:[t]).filter(f=>"method"in f&&"id"in f&&f.id!==void 0).length>0,m=u.headers.get("content-type");if(l)if(m?.includes("text/event-stream"))this._handleSseStream(u.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let f=await u.json(),_=Array.isArray(f)?f.map(w=>Mr.parse(w)):[Mr.parse(f)];for(let w of _)this.onmessage?.(w)}else throw await u.body?.cancel(),new Ur(-1,`Unexpected content type: ${m}`);else await u.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new Ur(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function Qn(e,t){let r=typeof e;if(r!==typeof t)return!1;if(Array.isArray(e)){if(!Array.isArray(t))return!1;let n=e.length;if(n!==t.length)return!1;for(let a=0;a<n;a++)if(!Qn(e[a],t[a]))return!1;return!0}if(r==="object"){if(!e||!t)return e===t;let n=Object.keys(e),a=Object.keys(t);if(n.length!==a.length)return!1;for(let s of n)if(!Qn(e[s],t[s]))return!1;return!0}return e===t}o(Qn,"deepCompareStrict");function ct(e){return encodeURI(FU(e))}o(ct,"encodePointer");function FU(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(FU,"escapePointer");var VU={prefixItems:!0,items:!0,allOf:!0,anyOf:!0,oneOf:!0},KU={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependentSchemas:!0},ZU={id:!0,$id:!0,$ref:!0,$schema:!0,$anchor:!0,$vocabulary:!0,$comment:!0,default:!0,enum:!0,const:!0,required:!0,type:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0},WU=typeof self<"u"&&self.location&&self.location.origin!=="null"?new URL(self.location.origin+self.location.pathname+location.search):new URL("https://github.com/cfworker");function ir(e,t=Object.create(null),r=WU,n=""){if(e&&typeof e=="object"&&!Array.isArray(e)){let i=e.$id||e.id;if(i){let s=new URL(i,r.href);s.hash.length>1?t[s.href]=e:(s.hash="",n===""?r=s:ir(e,t,r))}}else if(e!==!0&&e!==!1)return t;let a=r.href+(n?"#"+n:"");if(t[a]!==void 0)throw new Error(`Duplicate schema URI "${a}".`);if(t[a]=e,e===!0||e===!1)return t;if(e.__absolute_uri__===void 0&&Object.defineProperty(e,"__absolute_uri__",{enumerable:!1,value:a}),e.$ref&&e.__absolute_ref__===void 0){let i=new URL(e.$ref,r.href);i.hash=i.hash,Object.defineProperty(e,"__absolute_ref__",{enumerable:!1,value:i.href})}if(e.$recursiveRef&&e.__absolute_recursive_ref__===void 0){let i=new URL(e.$recursiveRef,r.href);i.hash=i.hash,Object.defineProperty(e,"__absolute_recursive_ref__",{enumerable:!1,value:i.href})}if(e.$anchor){let i=new URL("#"+e.$anchor,r.href);t[i.href]=e}for(let i in e){if(ZU[i])continue;let s=`${n}/${ct(i)}`,u=e[i];if(Array.isArray(u)){if(VU[i]){let d=u.length;for(let p=0;p<d;p++)ir(u[p],t,r,`${s}/${p}`)}}else if(KU[i])for(let d in u)ir(u[d],t,r,`${s}/${ct(d)}`);else ir(u,t,r,s)}return t}o(ir,"dereference");var JU=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,YU=[0,31,28,31,30,31,30,31,31,30,31,30,31],XU=/^(\d\d):(\d\d):(\d\d)(\.\d+)?(z|[+-]\d\d(?::?\d\d)?)?$/i,QU=/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,eN=/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,tN=/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,rN=/^(?:(?:https?|ftp):\/\/)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u{00a1}-\u{ffff}0-9]+-?)*[a-z\u{00a1}-\u{ffff}0-9]+)(?:\.(?:[a-z\u{00a1}-\u{ffff}0-9]+-?)*[a-z\u{00a1}-\u{ffff}0-9]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,nN=/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,oN=/^(?:\/(?:[^~/]|~0|~1)*)*$/,aN=/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,iN=/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,sN=o(e=>{if(e[0]==='"')return!1;let[t,r,...n]=e.split("@");return!t||!r||n.length!==0||t.length>64||r.length>253||t[0]==="."||t.endsWith(".")||t.includes("..")||!/^[a-z0-9.-]+$/i.test(r)||!/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+$/i.test(t)?!1:r.split(".").every(a=>/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(a))},"EMAIL"),cN=/^(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)$/,uN=/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,dN=o(e=>e.length>1&&e.length<80&&(/^P\d+([.,]\d+)?W$/.test(e)||/^P[\dYMDTHS]*(\d[.,]\d+)?[YMDHS]$/.test(e)&&/^P([.,\d]+Y)?([.,\d]+M)?([.,\d]+D)?(T([.,\d]+H)?([.,\d]+M)?([.,\d]+S)?)?$/.test(e)),"DURATION");function Lt(e){return e.test.bind(e)}o(Lt,"bind");var wp={date:qw,time:Lw.bind(void 0,!1),"date-time":mN,duration:dN,uri:gN,"uri-reference":Lt(eN),"uri-template":Lt(tN),url:Lt(rN),email:sN,hostname:Lt(QU),ipv4:Lt(cN),ipv6:Lt(uN),regex:yN,uuid:Lt(nN),"json-pointer":Lt(oN),"json-pointer-uri-fragment":Lt(aN),"relative-json-pointer":Lt(iN)};function lN(e){return e%4===0&&(e%100!==0||e%400===0)}o(lN,"isLeapYear");function qw(e){let t=e.match(JU);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n==2&&lN(r)?29:YU[n])}o(qw,"date");function Lw(e,t){let r=t.match(XU);if(!r)return!1;let n=+r[1],a=+r[2],i=+r[3],s=!!r[5];return(n<=23&&a<=59&&i<=59||n==23&&a==59&&i==60)&&(!e||s)}o(Lw,"time");var pN=/t|\s/i;function mN(e){let t=e.split(pN);return t.length==2&&qw(t[0])&&Lw(!0,t[1])}o(mN,"date_time");var hN=/\/|:/,fN=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function gN(e){return hN.test(e)&&fN.test(e)}o(gN,"uri");var _N=/[^\\]\\Z/;function yN(e){if(_N.test(e))return!1;try{return new RegExp(e,"u"),!0}catch{return!1}}o(yN,"regex");var jw;(function(e){e[e.Flag=1]="Flag",e[e.Basic=2]="Basic",e[e.Detailed=4]="Detailed"})(jw||(jw={}));function Hw(e){let t=0,r=e.length,n=0,a;for(;n<r;)t++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<r&&(a=e.charCodeAt(n),(a&64512)==56320&&n++);return t}o(Hw,"ucs2length");function ge(e,t,r="2019-09",n=ir(t),a=!0,i=null,s="#",u="#",d=Object.create(null)){if(t===!0)return{valid:!0,errors:[]};if(t===!1)return{valid:!1,errors:[{instanceLocation:s,keyword:"false",keywordLocation:s,error:"False boolean schema."}]};let p=typeof e,l;switch(p){case"boolean":case"number":case"string":l=p;break;case"object":e===null?l="null":Array.isArray(e)?l="array":l="object";break;default:throw new Error(`Instances of "${p}" type are not supported.`)}let{$ref:m,$recursiveRef:f,$recursiveAnchor:_,type:w,const:y,enum:S,required:v,not:R,anyOf:b,allOf:q,oneOf:L,if:je,then:ut,else:fn,format:ur,properties:Gt,patternProperties:zr,additionalProperties:co,unevaluatedProperties:uo,minProperties:lo,maxProperties:dc,propertyNames:Jp,dependentRequired:lc,dependentSchemas:pc,dependencies:mc,prefixItems:hc,items:po,additionalItems:Yp,unevaluatedItems:Xp,contains:Qp,minContains:Bt,maxContains:Ha,minItems:fc,maxItems:gc,uniqueItems:Hv,minimum:$r,maximum:Dr,exclusiveMinimum:mo,exclusiveMaximum:ho,multipleOf:Ga,minLength:Ba,maxLength:Fa,pattern:em,__absolute_ref__:Va,__absolute_recursive_ref__:Gv}=t,E=[];if(_===!0&&i===null&&(i=t),f==="#"){let j=i===null?n[Gv]:i,$=`${u}/$recursiveRef`,F=ge(e,i===null?t:i,r,n,a,j,s,$,d);F.valid||E.push({instanceLocation:s,keyword:"$recursiveRef",keywordLocation:$,error:"A subschema had errors."},...F.errors)}if(m!==void 0){let $=n[Va||m];if($===void 0){let T=`Unresolved $ref "${m}".`;throw Va&&Va!==m&&(T+=`  Absolute URI "${Va}".`),T+=`
+Known schemas:
+- ${Object.keys(n).join(`
+- `)}`,new Error(T)}let F=`${u}/$ref`,x=ge(e,$,r,n,a,i,s,F,d);if(x.valid||E.push({instanceLocation:s,keyword:"$ref",keywordLocation:F,error:"A subschema had errors."},...x.errors),r==="4"||r==="7")return{valid:E.length===0,errors:E}}if(Array.isArray(w)){let j=w.length,$=!1;for(let F=0;F<j;F++)if(l===w[F]||w[F]==="integer"&&l==="number"&&e%1===0&&e===e){$=!0;break}$||E.push({instanceLocation:s,keyword:"type",keywordLocation:`${u}/type`,error:`Instance type "${l}" is invalid. Expected "${w.join('", "')}".`})}else w==="integer"?(l!=="number"||e%1||e!==e)&&E.push({instanceLocation:s,keyword:"type",keywordLocation:`${u}/type`,error:`Instance type "${l}" is invalid. Expected "${w}".`}):w!==void 0&&l!==w&&E.push({instanceLocation:s,keyword:"type",keywordLocation:`${u}/type`,error:`Instance type "${l}" is invalid. Expected "${w}".`});if(y!==void 0&&(l==="object"||l==="array"?Qn(e,y)||E.push({instanceLocation:s,keyword:"const",keywordLocation:`${u}/const`,error:`Instance does not match ${JSON.stringify(y)}.`}):e!==y&&E.push({instanceLocation:s,keyword:"const",keywordLocation:`${u}/const`,error:`Instance does not match ${JSON.stringify(y)}.`})),S!==void 0&&(l==="object"||l==="array"?S.some(j=>Qn(e,j))||E.push({instanceLocation:s,keyword:"enum",keywordLocation:`${u}/enum`,error:`Instance does not match any of ${JSON.stringify(S)}.`}):S.some(j=>e===j)||E.push({instanceLocation:s,keyword:"enum",keywordLocation:`${u}/enum`,error:`Instance does not match any of ${JSON.stringify(S)}.`})),R!==void 0){let j=`${u}/not`;ge(e,R,r,n,a,i,s,j).valid&&E.push({instanceLocation:s,keyword:"not",keywordLocation:j,error:'Instance matched "not" schema.'})}let Ka=[];if(b!==void 0){let j=`${u}/anyOf`,$=E.length,F=!1;for(let x=0;x<b.length;x++){let T=b[x],G=Object.create(d),H=ge(e,T,r,n,a,_===!0?i:null,s,`${j}/${x}`,G);E.push(...H.errors),F=F||H.valid,H.valid&&Ka.push(G)}F?E.length=$:E.splice($,0,{instanceLocation:s,keyword:"anyOf",keywordLocation:j,error:"Instance does not match any subschemas."})}if(q!==void 0){let j=`${u}/allOf`,$=E.length,F=!0;for(let x=0;x<q.length;x++){let T=q[x],G=Object.create(d),H=ge(e,T,r,n,a,_===!0?i:null,s,`${j}/${x}`,G);E.push(...H.errors),F=F&&H.valid,H.valid&&Ka.push(G)}F?E.length=$:E.splice($,0,{instanceLocation:s,keyword:"allOf",keywordLocation:j,error:"Instance does not match every subschema."})}if(L!==void 0){let j=`${u}/oneOf`,$=E.length,F=L.filter((x,T)=>{let G=Object.create(d),H=ge(e,x,r,n,a,_===!0?i:null,s,`${j}/${T}`,G);return E.push(...H.errors),H.valid&&Ka.push(G),H.valid}).length;F===1?E.length=$:E.splice($,0,{instanceLocation:s,keyword:"oneOf",keywordLocation:j,error:`Instance does not match exactly one subschema (${F} matches).`})}if((l==="object"||l==="array")&&Object.assign(d,...Ka),je!==void 0){let j=`${u}/if`;if(ge(e,je,r,n,a,i,s,j,d).valid){if(ut!==void 0){let F=ge(e,ut,r,n,a,i,s,`${u}/then`,d);F.valid||E.push({instanceLocation:s,keyword:"if",keywordLocation:j,error:'Instance does not match "then" schema.'},...F.errors)}}else if(fn!==void 0){let F=ge(e,fn,r,n,a,i,s,`${u}/else`,d);F.valid||E.push({instanceLocation:s,keyword:"if",keywordLocation:j,error:'Instance does not match "else" schema.'},...F.errors)}}if(l==="object"){if(v!==void 0)for(let x of v)x in e||E.push({instanceLocation:s,keyword:"required",keywordLocation:`${u}/required`,error:`Instance does not have required property "${x}".`});let j=Object.keys(e);if(lo!==void 0&&j.length<lo&&E.push({instanceLocation:s,keyword:"minProperties",keywordLocation:`${u}/minProperties`,error:`Instance does not have at least ${lo} properties.`}),dc!==void 0&&j.length>dc&&E.push({instanceLocation:s,keyword:"maxProperties",keywordLocation:`${u}/maxProperties`,error:`Instance does not have at least ${dc} properties.`}),Jp!==void 0){let x=`${u}/propertyNames`;for(let T in e){let G=`${s}/${ct(T)}`,H=ge(T,Jp,r,n,a,i,G,x);H.valid||E.push({instanceLocation:s,keyword:"propertyNames",keywordLocation:x,error:`Property name "${T}" does not match schema.`},...H.errors)}}if(lc!==void 0){let x=`${u}/dependantRequired`;for(let T in lc)if(T in e){let G=lc[T];for(let H of G)H in e||E.push({instanceLocation:s,keyword:"dependentRequired",keywordLocation:x,error:`Instance has "${T}" but does not have "${H}".`})}}if(pc!==void 0)for(let x in pc){let T=`${u}/dependentSchemas`;if(x in e){let G=ge(e,pc[x],r,n,a,i,s,`${T}/${ct(x)}`,d);G.valid||E.push({instanceLocation:s,keyword:"dependentSchemas",keywordLocation:T,error:`Instance has "${x}" but does not match dependant schema.`},...G.errors)}}if(mc!==void 0){let x=`${u}/dependencies`;for(let T in mc)if(T in e){let G=mc[T];if(Array.isArray(G))for(let H of G)H in e||E.push({instanceLocation:s,keyword:"dependencies",keywordLocation:x,error:`Instance has "${T}" but does not have "${H}".`});else{let H=ge(e,G,r,n,a,i,s,`${x}/${ct(T)}`);H.valid||E.push({instanceLocation:s,keyword:"dependencies",keywordLocation:x,error:`Instance has "${T}" but does not match dependant schema.`},...H.errors)}}}let $=Object.create(null),F=!1;if(Gt!==void 0){let x=`${u}/properties`;for(let T in Gt){if(!(T in e))continue;let G=`${s}/${ct(T)}`,H=ge(e[T],Gt[T],r,n,a,i,G,`${x}/${ct(T)}`);if(H.valid)d[T]=$[T]=!0;else if(F=a,E.push({instanceLocation:s,keyword:"properties",keywordLocation:x,error:`Property "${T}" does not match schema.`},...H.errors),F)break}}if(!F&&zr!==void 0){let x=`${u}/patternProperties`;for(let T in zr){let G=new RegExp(T,"u"),H=zr[T];for(let Ye in e){if(!G.test(Ye))continue;let tm=`${s}/${ct(Ye)}`,rm=ge(e[Ye],H,r,n,a,i,tm,`${x}/${ct(T)}`);rm.valid?d[Ye]=$[Ye]=!0:(F=a,E.push({instanceLocation:s,keyword:"patternProperties",keywordLocation:x,error:`Property "${Ye}" matches pattern "${T}" but does not match associated schema.`},...rm.errors))}}}if(!F&&co!==void 0){let x=`${u}/additionalProperties`;for(let T in e){if($[T])continue;let G=`${s}/${ct(T)}`,H=ge(e[T],co,r,n,a,i,G,x);H.valid?d[T]=!0:(F=a,E.push({instanceLocation:s,keyword:"additionalProperties",keywordLocation:x,error:`Property "${T}" does not match additional properties schema.`},...H.errors))}}else if(!F&&uo!==void 0){let x=`${u}/unevaluatedProperties`;for(let T in e)if(!d[T]){let G=`${s}/${ct(T)}`,H=ge(e[T],uo,r,n,a,i,G,x);H.valid?d[T]=!0:E.push({instanceLocation:s,keyword:"unevaluatedProperties",keywordLocation:x,error:`Property "${T}" does not match unevaluated properties schema.`},...H.errors)}}}else if(l==="array"){gc!==void 0&&e.length>gc&&E.push({instanceLocation:s,keyword:"maxItems",keywordLocation:`${u}/maxItems`,error:`Array has too many items (${e.length} > ${gc}).`}),fc!==void 0&&e.length<fc&&E.push({instanceLocation:s,keyword:"minItems",keywordLocation:`${u}/minItems`,error:`Array has too few items (${e.length} < ${fc}).`});let j=e.length,$=0,F=!1;if(hc!==void 0){let x=`${u}/prefixItems`,T=Math.min(hc.length,j);for(;$<T;$++){let G=ge(e[$],hc[$],r,n,a,i,`${s}/${$}`,`${x}/${$}`);if(d[$]=!0,!G.valid&&(F=a,E.push({instanceLocation:s,keyword:"prefixItems",keywordLocation:x,error:"Items did not match schema."},...G.errors),F))break}}if(po!==void 0){let x=`${u}/items`;if(Array.isArray(po)){let T=Math.min(po.length,j);for(;$<T;$++){let G=ge(e[$],po[$],r,n,a,i,`${s}/${$}`,`${x}/${$}`);if(d[$]=!0,!G.valid&&(F=a,E.push({instanceLocation:s,keyword:"items",keywordLocation:x,error:"Items did not match schema."},...G.errors),F))break}}else for(;$<j;$++){let T=ge(e[$],po,r,n,a,i,`${s}/${$}`,x);if(d[$]=!0,!T.valid&&(F=a,E.push({instanceLocation:s,keyword:"items",keywordLocation:x,error:"Items did not match schema."},...T.errors),F))break}if(!F&&Yp!==void 0){let T=`${u}/additionalItems`;for(;$<j;$++){let G=ge(e[$],Yp,r,n,a,i,`${s}/${$}`,T);d[$]=!0,G.valid||(F=a,E.push({instanceLocation:s,keyword:"additionalItems",keywordLocation:T,error:"Items did not match additional items schema."},...G.errors))}}}if(Qp!==void 0)if(j===0&&Bt===void 0)E.push({instanceLocation:s,keyword:"contains",keywordLocation:`${u}/contains`,error:"Array is empty. It must contain at least one item matching the schema."});else if(Bt!==void 0&&j<Bt)E.push({instanceLocation:s,keyword:"minContains",keywordLocation:`${u}/minContains`,error:`Array has less items (${j}) than minContains (${Bt}).`});else{let x=`${u}/contains`,T=E.length,G=0;for(let H=0;H<j;H++){let Ye=ge(e[H],Qp,r,n,a,i,`${s}/${H}`,x);Ye.valid?(d[H]=!0,G++):E.push(...Ye.errors)}G>=(Bt||0)&&(E.length=T),Bt===void 0&&Ha===void 0&&G===0?E.splice(T,0,{instanceLocation:s,keyword:"contains",keywordLocation:x,error:"Array does not contain item matching schema."}):Bt!==void 0&&G<Bt?E.push({instanceLocation:s,keyword:"minContains",keywordLocation:`${u}/minContains`,error:`Array must contain at least ${Bt} items matching schema. Only ${G} items were found.`}):Ha!==void 0&&G>Ha&&E.push({instanceLocation:s,keyword:"maxContains",keywordLocation:`${u}/maxContains`,error:`Array may contain at most ${Ha} items matching schema. ${G} items were found.`})}if(!F&&Xp!==void 0){let x=`${u}/unevaluatedItems`;for($;$<j;$++){if(d[$])continue;let T=ge(e[$],Xp,r,n,a,i,`${s}/${$}`,x);d[$]=!0,T.valid||E.push({instanceLocation:s,keyword:"unevaluatedItems",keywordLocation:x,error:"Items did not match unevaluated items schema."},...T.errors)}}if(Hv)for(let x=0;x<j;x++){let T=e[x],G=typeof T=="object"&&T!==null;for(let H=0;H<j;H++){if(x===H)continue;let Ye=e[H];(T===Ye||G&&(typeof Ye=="object"&&Ye!==null)&&Qn(T,Ye))&&(E.push({instanceLocation:s,keyword:"uniqueItems",keywordLocation:`${u}/uniqueItems`,error:`Duplicate items at indexes ${x} and ${H}.`}),x=Number.MAX_SAFE_INTEGER,H=Number.MAX_SAFE_INTEGER)}}}else if(l==="number"){if(r==="4"?($r!==void 0&&(mo===!0&&e<=$r||e<$r)&&E.push({instanceLocation:s,keyword:"minimum",keywordLocation:`${u}/minimum`,error:`${e} is less than ${mo?"or equal to ":""} ${$r}.`}),Dr!==void 0&&(ho===!0&&e>=Dr||e>Dr)&&E.push({instanceLocation:s,keyword:"maximum",keywordLocation:`${u}/maximum`,error:`${e} is greater than ${ho?"or equal to ":""} ${Dr}.`})):($r!==void 0&&e<$r&&E.push({instanceLocation:s,keyword:"minimum",keywordLocation:`${u}/minimum`,error:`${e} is less than ${$r}.`}),Dr!==void 0&&e>Dr&&E.push({instanceLocation:s,keyword:"maximum",keywordLocation:`${u}/maximum`,error:`${e} is greater than ${Dr}.`}),mo!==void 0&&e<=mo&&E.push({instanceLocation:s,keyword:"exclusiveMinimum",keywordLocation:`${u}/exclusiveMinimum`,error:`${e} is less than ${mo}.`}),ho!==void 0&&e>=ho&&E.push({instanceLocation:s,keyword:"exclusiveMaximum",keywordLocation:`${u}/exclusiveMaximum`,error:`${e} is greater than or equal to ${ho}.`})),Ga!==void 0){let j=e%Ga;Math.abs(0-j)>=11920929e-14&&Math.abs(Ga-j)>=11920929e-14&&E.push({instanceLocation:s,keyword:"multipleOf",keywordLocation:`${u}/multipleOf`,error:`${e} is not a multiple of ${Ga}.`})}}else if(l==="string"){let j=Ba===void 0&&Fa===void 0?0:Hw(e);Ba!==void 0&&j<Ba&&E.push({instanceLocation:s,keyword:"minLength",keywordLocation:`${u}/minLength`,error:`String is too short (${j} < ${Ba}).`}),Fa!==void 0&&j>Fa&&E.push({instanceLocation:s,keyword:"maxLength",keywordLocation:`${u}/maxLength`,error:`String is too long (${j} > ${Fa}).`}),em!==void 0&&!new RegExp(em,"u").test(e)&&E.push({instanceLocation:s,keyword:"pattern",keywordLocation:`${u}/pattern`,error:"String does not match pattern."}),ur!==void 0&&wp[ur]&&!wp[ur](e)&&E.push({instanceLocation:s,keyword:"format",keywordLocation:`${u}/format`,error:`String does not match format "${ur}".`})}return{valid:E.length===0,errors:E}}o(ge,"validate");var Ks=class{static{o(this,"Validator")}schema;draft;shortCircuit;lookup;constructor(t,r="2019-09",n=!0){this.schema=t,this.draft=r,this.shortCircuit=n,this.lookup=ir(t)}validate(t){return ge(t,this.schema,this.draft,this.lookup,this.shortCircuit)}addSchema(t,r){r&&(t={...t,$id:r}),ir(t,this.lookup)}};var Zs=class{static{o(this,"CfWorkerJsonSchemaValidator")}constructor(t){this.shortcircuit=t?.shortcircuit??!0,this.draft=t?.draft??"2020-12"}getValidator(t){let r=new Ks(t,this.draft,this.shortcircuit);return n=>{let a=r.validate(n);return a.valid?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:a.errors.map(i=>`${i.instanceLocation}: ${i.error}`).join("; ")}}}};function Gw(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(Gw,"resolveNativeMcpRequestHeaders");var wN={name:"zuplo-mcp-gateway",version:"0.1.0"},SN=new Zs({draft:"7",shortcircuit:!1}),vN=5,RN=500,Vw=3e4,bN=2*1024*1024,CN=2;function Bw(){return performance.now()/1e3}o(Bw,"nowSeconds");function IN(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(IN,"readServerPort");function TN(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:IN(e)}}o(TN,"buildNativeMcpOperationContext");function eo(e){return Xg(e)}o(eo,"withTraceMeta");function Sp(e){if(e>RN)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(Sp,"assertImportedCapabilityBudget");function Fw(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(Fw,"buildRequestInit");function AN(e){return(t,r)=>qs(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:CN,maxResponseBytes:bN,problemCode:"upstream_capability_invocation_failed",timeoutMs:Vw})}o(AN,"createNativeMcpFetch");function kN(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},Vw);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(kN,"withNativeMcpRequestTimeout");function EN(e,t=[]){let r=Gw(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:AN(a)};if(!e)return{...i,...Fw(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...Fw(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(EN,"buildNativeMcpTransportOptions");async function to(e,t,r){let{transport:n}=at(e),a=new URL(n.baseUrl),i=new Vs(a,EN(r,n.requestHeaders)),s=new Hs(wN,{capabilities:{},jsonSchemaValidator:SN});return kN((async()=>{let u=Bw();await s.connect(i);let d=i.sessionId,p=TN(a,d);try{return await t(s,p)}finally{if(i.sessionId)try{await i.terminateSession()}catch{}await s.close(),d&&Qg(p,Bw()-u)}})())}o(to,"withNativeMcpClient");async function xN(e,t,r){let n=[],a,i=0;do{if(i>=vN)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(xN,"collectPaginatedSdkItems");async function vp(e){return e.enabled?xN(e.label,e.fetchPage,e.readItems):[]}o(vp,"listNativeMcpCapabilityItems");async function Kw(e){return to(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Yr({methodName:"tools/list",...r},()=>vp({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(eo(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Sp(a.length),{tools:a}},e.credential)}o(Kw,"listNativeMcpTools");async function Zw(e){return to(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Yr({methodName:"prompts/list",...r},()=>vp({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(eo(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Sp(a.length),{prompts:a}},e.credential)}o(Zw,"listNativeMcpPrompts");async function Ww(e){return to(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Yr({methodName:"resources/list",...r},()=>vp({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(eo(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Sp(a.length),{resources:a}},e.credential)}o(Ww,"listNativeMcpResources");async function Jw(e){return to(e.upstreamServerId,(t,r)=>Yr({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(eo(e.params))),e.credential)}o(Jw,"callNativeMcpTool");async function Yw(e){return to(e.upstreamServerId,(t,r)=>Yr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(eo(e.params))),e.credential)}o(Yw,"getNativeMcpPrompt");async function Xw(e){return to(e.upstreamServerId,(t,r)=>Yr({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(eo(e.params))),e.credential)}o(Xw,"readNativeMcpResource");var Ua=class extends k{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(P.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function PN(e){return{content:[{type:"text",text:e}],isError:!0}}o(PN,"buildToolErrorResult");function ON(e){return e.authUrl?new pr([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new Ua(e)}o(ON,"toConnectRequiredError");function UN(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(UN,"buildCredentialResolvedAttributes");function NN(e){ot(e.context,{eventType:J.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:UN(e.credential)})}o(NN,"emitCredentialResolvedAnalyticsEvent");function zN(e){ot(e.context,{eventType:J.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}o(zN,"emitCredentialMissingAnalyticsEvent");function $N(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):en({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o($N,"readRouteBindingCredentialCacheKey");function DN(e){return typeof e.authorizeAndLoadConnections=="function"}o(DN,"isRuntimeHttpCompositeAuthorizationRepository");function eS(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(eS,"readOwnedRouteBindingLookup");async function MN(e){let t=V().downstreamOAuthRepository;if(!DN(t))return new Map;let r=Fl(e.request);if(!r)return new Map;let n=new Map;for(let u of e.routeBindings){let d=eS(u);d!==void 0&&n.set(en(d),d)}if(n.size===0)return new Map;let a=[...n.values()],i=await t.authorizeAndLoadConnections({accessTokenHash:await ee(r),resource:Qr(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:a,now:z(new Date)});if(i.kind!=="authorized")return new Map;let s=new Map;return i.upstreamConnections.forEach((u,d)=>{let p=a[d];p!==void 0&&s.set(en(p),u.connection)}),s}o(MN,"preloadCompositeAuthorizedConnections");function qN(e){let t=new Map;return r=>{let n=$N(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,u=eS(r),d=u===void 0?void 0:en(u),p=await Uw({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(p.kind==="connect_required")throw zN({context:e.context,payload:p.payload,routeBinding:r}),ON(p.payload);return NN({context:e.context,credential:p.credential,routeBinding:r}),p.credential})();return t.set(n,i),i}}o(qN,"createCredentialResolver");var Qw=500;function LN(e){return e.length<=Qw?e:`${e.slice(0,Qw)}...`}o(LN,"truncateAnalyticsDetail");function jN(e){ot(e.context,{eventType:J.MCP_GATEWAY_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0})}o(jN,"emitToolInvocationCompletedAnalyticsEvent");function HN(e){return e instanceof pr||e instanceof Ua?{eventType:J.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof k&&e.code===P.InvalidParams?{eventType:J.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:J.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(HN,"classifyToolInvocationFailure");function GN(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=HN(e.error);ot(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,attributes:{detail:LN(t)}})}o(GN,"emitToolInvocationFailedAnalyticsEvent");var BN=256*1024;function FN(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new k(P.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>BN)throw new k(P.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(FN,"assertToolArgumentsWithinLimit");function Rp(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new k(P.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o(Rp,"findBindingForPublishedCapability");function ro(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new k(P.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(ro,"requireSingleTransparentBinding");function VN(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:ro(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new k(P.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:Rp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(VN,"resolvePublishedToolRoute");function KN(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:ro(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new k(P.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:Rp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(KN,"resolvePublishedPromptRoute");function ZN(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:ro(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new k(P.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:Rp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(ZN,"resolvePublishedResourceRoute");function tS(e){let t=MN({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=qN({context:e.context,preloadedConnections:t,request:e.request});return{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{tools:e.publishedVirtualServer.catalog.tools.filter(a=>a.enabled!==!1).map(as)};let n=ro(e);return Kw({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async callTool(n){let a=VN({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:n.name});try{FN(n);let i=await r(a.binding),s=await Jw({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:i});return jN({context:e.context,routeBinding:a.binding,toolName:n.name,result:s}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,isError:s.isError===!0},"Upstream tool invocation completed"),s}catch(i){if(GN({context:e.context,routeBinding:a.binding,toolName:n.name,error:i}),i instanceof pr||i instanceof Ua)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:n.name,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,ownerMode:a.binding.ownerMode,hasAuthUrl:i instanceof pr},"Upstream tool invocation requires user to complete a connect flow"),i;let s={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId};return i instanceof k&&(s.mcpErrorCode=i.code),i instanceof Error?(s.errorName=i.name,s.errorMessage=i.message,i.cause instanceof Error&&(s.causeName=i.cause.name,s.causeMessage=i.cause.message)):s.errorMessage=String(i),e.context.log.warn(s,"Upstream tool invocation failed; returning generic gateway error to MCP client"),PN(rt("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{prompts:e.publishedVirtualServer.catalog.prompts.filter(a=>a.enabled!==!1).map(is)};let n=ro(e);return Zw({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async getPrompt(n){let a=KN({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:n.name});return Yw({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:await r(a.binding)})},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resources:e.publishedVirtualServer.catalog.resources.filter(a=>a.enabled!==!1).map(ss)};let n=ro(e);return Ww({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async readResource(n){let a=ZN({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:n.uri});return Xw({upstreamServerId:a.binding.upstreamServerId,params:{...n,uri:a.upstreamUri},credential:await r(a.binding)})}}}o(tS,"createCapabilityDispatcher");var WN="0.1.0",nS="POST",JN="POST, OPTIONS";function bp(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:nS}})}o(bp,"jsonRpcMethodNotAllowedResponse");function YN(e){let t={Allow:nS},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=JN;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(YN,"buildOptionsResponse");function no(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o(no,"readJsonRpcRequestId");function Cp(e){return e&&typeof e=="object"?e.params:void 0}o(Cp,"readMcpRequestParams");function rS(e,t){return e.headers.get(t)??void 0}o(rS,"readMcpHeader");function XN(e){return{mcpProtocolVersion:rS(e,"mcp-protocol-version")??Jr,mcpSessionId:rS(e,"mcp-session-id")}}o(XN,"buildServerTelemetryBase");function QN(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Jr),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(QN,"ensureProtocolVersionHeader");async function Ip(e,t){if(e.method==="OPTIONS")return YN(e);if(e.method==="GET")return bp("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return bp("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return bp("Only POST is supported by this virtual MCP server.");let r=jn(t),n=qg(r.virtualServerId),a=t_(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=XN(e),s=tS({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),u=de(e.url),d=new Ji({enableDnsRebindingProtection:!0,allowedOrigins:[u]}),p=new Wi(n.catalog.serverInfo??{name:r.virtualServerId,version:WN},{capabilities:{prompts:{},resources:{},tools:{}}});p.setRequestHandler(Bc,async m=>Xr({methodName:"tools/list",params:Cp(m),jsonRpcRequestId:no(m),...i},()=>s.listTools())),p.setRequestHandler(Co,async m=>Xr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:no(m),...i},()=>s.callTool(m.params))),p.setRequestHandler(zc,async m=>Xr({methodName:"prompts/list",params:Cp(m),jsonRpcRequestId:no(m),...i},()=>s.listPrompts())),p.setRequestHandler(Dc,async m=>Xr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:no(m),...i},()=>s.getPrompt(m.params))),p.setRequestHandler(kc,async m=>Xr({methodName:"resources/list",params:Cp(m),jsonRpcRequestId:no(m),...i},()=>s.listResources())),p.setRequestHandler(Oc,async m=>Xr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:no(m),...i},()=>s.readResource(m.params))),await p.connect(d);let l=await d.handleRequest(e);return QN(l)}o(Ip,"virtualServerHandler");async function ez(e,t){return dr("handler.mcp-virtual-server"),Ip(e,t)}o(ez,"McpVirtualServerHandler");var oo={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},tz="oauth-protected-resource-metadata",rz="/.well-known/oauth-protected-resource/";function nz(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(nz,"readRouteOperationId");function oz(e){return e.hasGatewayRouteContext?oo.VIRTUAL_MCP_SERVER:e.routeOperationId===tz||e.routeOperationId===void 0&&e.routePath.startsWith(rz)?oo.OAUTH_PROTECTED_RESOURCE_METADATA:oo.OTHER}o(oz,"classifyAnalyticsRouteSurface");function az(e){let t=e.route.path;return{routePath:t,routeSurface:oz({routePath:t,routeOperationId:nz(e),hasGatewayRouteContext:aa(e)!==void 0})}}o(az,"readAnalyticsRequestContext");function iz(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===oo.VIRTUAL_MCP_SERVER}o(iz,"isIntentionalMethodRejection");function sz(e){return iz(e)||e.response.status===401&&e.routeSurface===oo.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o(sz,"classifyRequestCompletedOutcome");async function Tp(e,t){let r=Date.now(),n=az(t);return t.addResponseSendingFinalHook(a=>{let i=sz({response:a,routeSurface:n.routeSurface});ot(t,{eventType:J.MCP_GATEWAY_REQUEST_COMPLETED,outcome:i,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(Tp,"analyticsContextInbound");function cz(e){return e instanceof Response}o(cz,"isResponse");var oS="/mcp/";function uz(e){let t=e.route.path;if(!t.startsWith(oS))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(oS.length);if(!r||r.includes("/"))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(uz,"readVirtualServerIdFromRoute");async function Na(e,t){let n={virtualServerId:Se.parse(uz(t))};Hg(t,n),Rg(t,n);let a=await Tp(e,t);return cz(a)?a:Vl(a,t)}o(Na,"mcpOAuthInboundPolicy");var dz=o(async(e,t,r,n)=>(dr("policy.inbound.mcp-auth0-oauth"),Na(e,t)),"McpAuth0OAuthInboundPolicy");function lz(e){let t=`https://${e.auth0Domain}/`,r=`https://${e.auth0Domain}/.well-known/jwks.json`,n=`https://${e.auth0Domain}/authorize`,a=`https://${e.auth0Domain}/oauth/token`;return ds({oidc:{issuer:t,jwksUrl:r,audience:e.audience},browserLogin:{url:n,tokenUrl:a,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",audience:e.audience,...e.browserLoginOverrides??{}},gateway:e.gateway})}o(lz,"buildAuth0McpOAuthRuntimeConfig");var pz={policyType:"mcp-auth0-oauth-inbound",displayName:"MCP OAuth (Auth0)",getConfig(e){return lz(e)}};ts(pz);var mz=o(async(e,t,r,n)=>(dr("policy.inbound.mcp-oauth"),Na(e,t)),"McpOAuthInboundPolicy"),hz={policyType:"mcp-oauth-inbound",displayName:"MCP OAuth",getConfig(e){return ds(e)}};ts(hz);function fz(e){let t=Mt(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(fz,"buildRouteAuthBaseFromConnection");function iS(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=Mt(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:Ln(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(iS,"buildRouteAuthBaseFromPolicyOptions");function sS(e,t){let n=yt().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return fz({connection:a,virtualServerId:t})}o(sS,"resolveRouteAuthBase");function aS(e,t){switch(e){case"user":return kr(t.subjectId);case"shared":return Ss()}}o(aS,"buildOwnerForPrincipal");function Ws(e,t){switch(e.ownerMode){case"shared":return{...e,owner:aS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:aS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(Ws,"resolveRouteAuthForPrincipal");function gz(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return Qi.parse(r)}o(gz,"readSingleAuthMode");function cS(e){return Dt.parse(e)}o(cS,"buildToolNamePrefixFromConnectionId");async function Ap(e,t,r,n){let a=os(r,n),i=gz({policyName:n,connection:a}),s=jn(t),u=iS({connection:a,virtualServerId:s.virtualServerId,authMode:i});if(u.ownerMode==="none")return ll(t,{...u,connectionPolicyName:n,toolNamePrefix:cS(a.id)}),e;let d=h_(t);return ll(t,{...Ws(u,d),connectionPolicyName:n,toolNamePrefix:cS(a.id)}),e}o(Ap,"mcpUpstreamConnectionPolicy");var _z=o(async(e,t,r,n)=>(dr("policy.inbound.mcp-upstream-connection"),Ap(e,t,r,n)),"McpUpstreamConnectionInboundPolicy");ae();ae();var uS="application/json",yz="application/x-www-form-urlencoded";function wz(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(wz,"normalizeContentType");function Sz(e,t){return e===t?!0:t===uS&&e.endsWith("+json")}o(Sz,"contentTypeMatches");function vz(e,t){if(!t||t.length===0)return;let r=wz(e.headers.get("content-type"));if(!t.some(n=>Sz(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(vz,"assertExpectedContentType");function Rz(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(Rz,"assertContentLengthWithinLimit");async function dS(e,t){let r=t.label??"Request body";vz(e,t.expectedContentTypes),Rz(e,t.maxBytes,r);let n=await Ms(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(dS,"readBoundedTextBody");async function lS(e,t){let r=await dS(e,{...t,expectedContentTypes:[uS]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(lS,"readBoundedJsonBody");async function Js(e,t){let r=await dS(e,{...t,expectedContentTypes:[yz]});return new URLSearchParams(r)}o(Js,"readBoundedFormUrlEncodedBody");var pS=Symbol("Html");function bz(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(bz,"escapeHtml");function Cz(e){return e===null||typeof e!="object"?!1:e[pS]===!0}o(Cz,"isHtml");function mS(e){return e==null||e===!1?"":Array.isArray(e)?e.map(mS).join(""):Cz(e)?e.value:bz(String(e))}o(mS,"renderValue");function Et(e){return{[pS]:!0,value:e}}o(Et,"trustedHtml");var Te=Et("");function N(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=mS(t[n]),r+=e[n+1]??"";return Et(r)}o(N,"html");function sr(e){return e.value}o(sr,"renderHtml");var Iz="text/html; charset=utf-8";function hS(e,t=200){return new Response(sr(e),{status:t,headers:{"content-type":Iz,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(hS,"apiKeyLoginHtmlResponse");function kp(e=401){return hS(N`<!doctype html><html><head><title>Login failed</title></head><body><main><h1>Login failed</h1><p>The API key could not be verified. Start the authorization flow again.</p></main></body></html>`,e)}o(kp,"apiKeyLoginFailureResponse");function fS(e){return hS(N`<!doctype html><html><head><title>API key login</title></head><body><main><h1>API key login</h1><form method="post" action="/oauth/api-key-login" autocomplete="off"><input type="hidden" name="state" value="${e}"><label for="apiKey">API key</label><input id="apiKey" name="apiKey" type="password" required autocomplete="off"><button type="submit">Continue</button></form></main></body></html>`)}o(fS,"renderApiKeyLoginForm");ae();ae();import{errors as TS,jwtVerify as AS,SignJWT as kS}from"jose";ae();import{errors as Dz,jwtVerify as Mz,SignJWT as qz}from"jose";function Nr(e){let t=Ee().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(Nr,"requireBrowserLoginField");ae();import{createRemoteJWKSet as Az,errors as za,jwtVerify as kz}from"jose";var Ez=c.object({id_token:c.string().min(1),token_type:c.string().min(1).optional(),expires_in:c.number().optional(),access_token:c.string().min(1).optional(),refresh_token:c.string().min(1).optional(),scope:c.string().min(1).optional()}),xz=c.object({error:c.string().min(1).optional(),error_description:c.string().min(1).optional(),error_uri:c.string().min(1).optional()});function Pz(e){let t=xz.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(Pz,"readIdpErrorFields");function Oz(e){return e instanceof za.JWTExpired?"expired":e instanceof za.JWTClaimValidationFailed?"claim":e instanceof za.JWSSignatureVerificationFailed?"signature":e instanceof za.JWKSNoMatchingKey?"jwks_no_match":e instanceof za.JWTInvalid?"invalid":e instanceof c.ZodError?"schema":"other"}o(Oz,"readJwtFailureKind");var Uz=c.object({sub:ie,nonce:c.string().min(1)}).catchall(c.unknown()),Ep;function Nz(e){return e instanceof Error&&"cause"in e?e.cause:e}o(Nz,"readErrorCause");function zz(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(zz,"readRuntimeGatewayCode");function $z(){if(!Ep){let e=Ee();Ep=Az(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Ep}o($z,"readFederatedJwks");async function gS(e){let t=Ee(),r=Nr("tokenUrl"),n=Nr("clientId"),a=Nr("clientSecret"),i=new URL("/oauth/callback",At(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:u,json:d}=await _w(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!u.ok){let f=Pz(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:gt(r),idpStatus:u.status,...f},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${u.status}${f.idpError?` idp_error=${f.idpError}`:""}${f.idpErrorDescription?` idp_error_description=${f.idpErrorDescription}`:""})`)})}let p=Ez.parse(d),l;try{({payload:l}=await kz(p.id_token,$z(),{issuer:t.oidc.issuer,audience:n}))}catch(f){let _={};throw ze(_,"error",f),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:Oz(f),idpHost:gt(r),expectedIssuer:t.oidc.issuer,..._},"Federated id_token failed jose verification"),f}if(l.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:gt(r),nonceMissingFromIdToken:l.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=Uz.parse(l);return Bn({sub:m.sub,data:m},e.requestUrl)}catch(u){let d=_e(u)??zz(u);throw d!==void 0&&d!=="browser_login_verification_failed"?u:g("browser_login_verification_failed","Federated browser login callback could not be verified.",Nz(u))}}o(gS,"exchangeFederatedAuthorizationCode");var Pp="zuplo_mcp_session",_S="HS256",yS="zuplo-mcp-gateway",wS="zuplo-mcp-gateway",Lz=c.object({purpose:c.literal("gateway_browser_session"),sub:ie,browserLoginOrigin:c.string().min(1),roles:c.array(c.string().min(1)).optional(),exp:c.number().int().positive(),iat:c.number().int().positive().optional()});function jz(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(jz,"parseCookieHeader");async function SS(){return qt({purpose:"browser-session",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>xr(e,"browser-session"),"derive")})}o(SS,"getBrowserSessionKey");function xp(e){let t=new URL(de(e)),r=[`${Pp}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(xp,"buildBrowserSessionEvictionCookie");function Hz(e){let t=new URL(de(e.requestUrl)),r=[`${Pp}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Hz,"serializeSessionCookie");function vS(e={}){return new URL(Nr("url")).origin}o(vS,"readBrowserLoginOrigin");function Op(){return Ee().browserLogin.stateTtlSeconds}o(Op,"readBrowserLoginStateTtlSeconds");function RS(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Bn(e.user,e.url)}o(RS,"resolveCurrentRequestPrincipal");async function Ys(e,t={}){let r=jz(e.headers.get("cookie")).get(Pp);if(!r)return{};try{let{payload:n}=await Mz(r,await SS(),{algorithms:[_S],issuer:yS,audience:wS}),a=Lz.parse(n);if(a.browserLoginOrigin!==vS(t))return{evictCookie:xp(e.url)};let i={subjectId:a.sub};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof Dz.JWTExpired?{evictCookie:xp(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:xp(e.url)})}}o(Ys,"readBrowserSession");async function $a(e){let t=Ee().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:vS({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new qz(r).setProtectedHeader({alg:_S,typ:"JWT"}).setIssuer(yS).setAudience(wS).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await SS());return Hz({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o($a,"createBrowserSessionCookie");async function bS(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(bS,"resolveApiKeyBrowserLoginPrincipal");async function CS(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Ys(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return gS({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(CS,"resolveBrowserLoginCallbackPrincipal");function IS(e){let t=Ee().browserLogin,r=new URL(Nr("url")),n=new URL("/oauth/callback",At(e.requestUrl));return i_(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",Nr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(IS,"buildBrowserLoginUrl");var ES=5*60,Gz=["mcp_user"],Xs="HS256",Qs="zuplo-mcp-gateway",ec="zuplo-mcp-gateway",Bz=c.object({purpose:c.literal("gateway_browser_login"),transactionId:Je,stateId:ms,exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),Fz=c.object({purpose:c.literal("gateway_authorization_setup"),transactionId:Je,stateId:ms,exp:c.number().int().positive(),iat:c.number().int().positive().optional()});async function xS(){return qt({purpose:"browser-login",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>xr(e,"browser-login"),"derive")})}o(xS,"getBrowserLoginKey");async function PS(){return qt({purpose:"authorization-csrf",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>xr(e,"authorization-csrf"),"derive")})}o(PS,"getCsrfKey");function Vz(e){return[...new Set([...Gz,...e.roles??[]])]}o(Vz,"buildRoles");function OS(e){return{repository:e.repository??V().downstreamOAuthRepository,now:e.now??new Date,ttlSeconds:Op()}}o(OS,"readPendingTransactionDependencies");function Kz(e,t){return e.subjectId===t.subjectId}o(Kz,"principalsMatch");function US(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}o(US,"toPendingPrincipal");function NS(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:z(e.now),expiresAt:z(Tt(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:US(e.principal)}}o(NS,"createTransactionRecord");async function zS(e){if((await e.repository.savePendingAuthorizationTransaction(e.record,e.client===void 0?void 0:{client:e.client})).kind==="already_exists")throw g("oauth_state_reused","Authorization transaction state already exists.")}o(zS,"savePendingTransaction");async function Zz(e){return new kS({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:Xs,typ:"JWT"}).setIssuer(Qs).setAudience(ec).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await xS())}o(Zz,"signBrowserLoginState");async function $S(e){return new kS({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:_l()}).setProtectedHeader({alg:Xs,typ:"JWT"}).setIssuer(Qs).setAudience(ec).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await PS())}o($S,"signCsrfToken");async function tc(e){try{let{payload:t}=await AS(e,await xS(),{algorithms:[Xs],issuer:Qs,audience:ec}),r=Bz.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof TS.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(tc,"verifyBrowserLoginStateToken");async function Wz(e){try{let{payload:t}=await AS(e,await PS(),{algorithms:[Xs],issuer:Qs,audience:ec});return{transactionId:Fz.parse(t).transactionId}}catch(t){throw t instanceof TS.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(Wz,"verifyCsrfToken");function Da(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(Da,"pendingStateErrorCode");function DS(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Da(e==="consumed_already"?"consumed_already":e)}o(DS,"setupDecisionErrorCode");function Jz(e){if(e.kind!=="available")throw g(Da(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(Jz,"requireAwaitingSetup");function Yz(e){if(e.kind!=="available")throw g(Da(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(Yz,"requireAwaitingLogin");function Xz(e){if(!Kz(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(Xz,"requireCurrentPrincipalMatches");function MS(e){return typeof e.decideAuthorizationSetup=="function"}o(MS,"hasRuntimeHttpAuthorizationDecision");async function qS(e){let t=e.repository??V().downstreamOAuthRepository,r=e.now??new Date,n=Op(),a=gl(),i=_l(),s=await Zz({transactionId:a,stateId:i,ttlSeconds:n}),u=NS({id:a,transaction:e.transaction,currentStateHash:await ee(s),phase:"awaiting_login",now:r,ttlSeconds:n});if(u.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return await zS({repository:t,record:u,client:e.transaction.client}),{transaction:u,browserLoginStateToken:s,browserLoginUrl:IS({state:s,nonce:i,virtualServerId:u.virtualServerId,requestUrl:e.requestUrl})}}o(qS,"startAwaitingLogin");async function LS(e){let{repository:t,now:r,ttlSeconds:n}=OS(e),a=gl(),i=await $S({transactionId:a,ttlSeconds:n}),s=NS({id:a,transaction:e.transaction,currentStateHash:await ee(i),phase:"awaiting_setup",principal:e.principal,now:r,ttlSeconds:n});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return await zS({repository:t,record:s,client:e.transaction.client}),{transaction:s,csrfToken:i}}o(LS,"startAwaitingSetup");async function Up(e){let{repository:t,now:r,ttlSeconds:n}=OS(e),a=await tc(e.browserLoginStateToken),i=await $S({transactionId:a.transactionId,ttlSeconds:n}),s=await t.advancePendingAuthorizationTransaction({id:a.transactionId,expectedPhase:"awaiting_login",currentStateHash:await ee(e.browserLoginStateToken),nextStateHash:await ee(i),nextPhase:"awaiting_setup",principal:US(e.principal),now:r});if(s.kind!=="advanced")throw g(Da(s.kind),"Browser login state is invalid, expired, or already used.");if(s.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:s.record,csrfToken:i}}o(Up,"completeLogin");async function jS(e){let t=e.repository??V().downstreamOAuthRepository,r=e.now??new Date,n=await tc(e.browserLoginStateToken);return Yz(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await ee(e.browserLoginStateToken),now:r}))}o(jS,"getAwaitingLogin");async function Ma(e){let t=await Np(e);return Xz({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(Ma,"getSetup");async function Np(e){let t=e.repository??V().downstreamOAuthRepository,r=e.now??new Date,n=await Wz(e.csrfToken);return Jz(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await ee(e.csrfToken),now:r}))}o(Np,"getSetupTransaction");async function Qz(e){let t=nt(),r=await ee(t),n=yl(),a=z(Tt(e.now,ES)),i={id:e.transaction.id,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,subjectId:e.transaction.principal.subjectId,scope:e.transaction.scope,roles:Vz(e.transaction.principal),codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:z(e.now),expiresAt:a};await e.repository.issueAuthorizationCode({...i,codeHash:r,grantId:n});let s=new URL(e.transaction.redirectUri);return s.searchParams.set("code",t),e.transaction.clientState&&s.searchParams.set("state",e.transaction.clientState),s}o(Qz,"createAuthorizationCodeRedirect");async function e$(e){let t=await Ma({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=nt(),n=z(Tt(e.now,ES)),a=await e.repository.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:await ee(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await ee(r),authorizationCodeExpiresAt:n,grantId:yl(),now:z(e.now)});if(a.kind!=="approved")throw g(a.kind==="cancelled"?"oauth_state_invalid":DS(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(e$,"createAuthorizationCodeRedirectWithDecision");async function t$(e){let t=await Ma({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=await e.repository.decideAuthorizationSetup({decision:"cancel",transactionId:t.id,currentStateHash:await ee(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:z(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":DS(r.kind),"Authorization setup state is invalid, expired, or already used.");return HS({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(t$,"createCancelRedirectWithDecision");function HS(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(HS,"buildClientCancelRedirect");async function r$(e){let t=await Ma(e),r=await e.repository.consumePendingAuthorizationTransaction({id:t.id,currentStateHash:await ee(e.csrfToken),now:e.now});if(r.kind!=="consumed")throw g(Da(r.kind),"Authorization setup state is invalid, expired, or already used.");if(r.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return r.record}o(r$,"consumeSetup");async function GS(e){let t=e.repository??V().downstreamOAuthRepository,r=e.now??new Date;return{repository:t,now:r,transaction:await r$({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t})}}o(GS,"consumeSetupForDecision");async function BS(e){let t=e.repository??V().downstreamOAuthRepository,r=e.now??new Date;if(MS(t))return e$({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let n=await GS(e);return Qz({repository:n.repository,transaction:n.transaction,now:n.now})}o(BS,"approve");async function FS(e){let t=e.repository??V().downstreamOAuthRepository,r=e.now??new Date;if(MS(t))return t$({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let{transaction:n}=await GS(e);return HS({redirectUri:n.redirectUri,clientState:n.clientState})}o(FS,"cancel");ae();var n$=1e4,o$=5*1024,a$=2,i$=90*24*60*60,zp=["authorization_code","refresh_token"],$p=["code"],s$=c.object({client_name:c.string().min(1).optional(),redirect_uris:c.array(c.string().min(1)).min(1),grant_types:c.array(c.enum(zp)).min(1).max(2).optional(),response_types:c.array(c.enum($p)).min(1).max(1).optional(),scope:c.literal(ve).optional(),token_endpoint_auth_method:ua.default("client_secret_basic")});function c$(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(c$,"isCimdClientIdCandidate");function ao(e,t="invalid_request"){if(u$(e))throw new D(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new D(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new D(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||Ve(r)))throw new D(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(ao,"assertValidRedirectUri");function u$(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(u$,"hasForbiddenRawRedirectUriCharacter");async function d$(e){let{response:t,json:r}=await yw(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:a$,maxResponseBytes:o$,timeoutMs:n$});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=o_.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(d$,"fetchCimdMetadata");async function l$(e){let t=Ds(e),r=await d$({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(l$,"resolveCimdClient");async function qa(e,t,r){let n=ye.parse(t);if(c$(n)){if(!Ee().gateway.cimdEnabled)throw new D("invalid_client","OAuth client is not registered.");try{return await l$(n)}catch{throw new D("invalid_client","OAuth client is not registered.")}}let a=await e.getDcrClient(n);if(a){let i={kind:"dcr",clientId:n,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new D("invalid_client",n.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(qa,"resolveClient");function rc(e,t){if(!e.metadata.redirect_uris.some(r=>fs(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(rc,"assertRedirectRegistered");function p$(e){let t=VS(e.grant_types),r=e.response_types??[...$p];if(!m$(t))throw new D("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!h$(r))throw new D("invalid_client_metadata","response_types must be code.");if(!f$(e.scope))throw new D("invalid_client_metadata",`Only the ${ve} scope is supported.`)}o(p$,"assertSupportedDcrRequest");function VS(e){return e===void 0?[...zp]:Array.from(new Set(e))}o(VS,"normalizeGrantTypes");function m$(e){return e.length===0?!1:e.every(t=>zp.includes(t))}o(m$,"isSupportedGrantTypes");function h$(e){return e.length===$p.length&&e[0]==="code"}o(h$,"isSupportedResponseTypes");function f$(e){return e===void 0||e===ve}o(f$,"isSupportedDcrScope");function dn(e){if(e===void 0||e===ve)return ve;throw new D("invalid_request",`Only the ${ve} scope is supported.`)}o(dn,"assertSupportedOAuthScope");function jt(e,t){let r;try{r=new URL(t)}catch{throw new D("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new D("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!Ve(r))throw new D("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=de(e),a=Lg(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new D("invalid_target","resource must match a published virtual MCP server.");return i}o(jt,"resolveResource");async function KS(e,t={}){let r=g$(t)?{repository:t}:t,n;try{n=s$.parse(e)}catch(f){if(f instanceof c.ZodError){let _=f.issues.some(w=>w.path[0]==="redirect_uris");throw new D(_?"invalid_redirect_uri":"invalid_client_metadata",f.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:f})}throw f}p$(n);for(let f of n.redirect_uris)ao(f,"invalid_redirect_uri");let a=r.repository??V().downstreamOAuthRepository,i=new Date,s=ye.parse(`dcr:${crypto.randomUUID()}`),u=Tt(i,i$),d=Math.floor(i.getTime()/1e3),p=Math.floor(u.getTime()/1e3),l={client_id:s,client_name:n.client_name??"Dynamically registered MCP client",redirect_uris:n.redirect_uris,grant_types:VS(n.grant_types),response_types:["code"],scope:ve,token_endpoint_auth_method:n.token_endpoint_auth_method,client_id_issued_at:d},m={clientId:s,clientName:String(l.client_name),redirectUris:n.redirect_uris,tokenEndpointAuthMethod:n.token_endpoint_auth_method,createdAt:z(i),clientExpiresAt:z(u)};if(n.token_endpoint_auth_method!=="none"){let f=nt();m.hashedClientSecret=await ee(f),m.clientSecretExpiresAt=z(u),l.client_secret=f,l.client_secret_expires_at=p,l.client_secret_issued_at=d}return await a.saveDcrClient(m),l}o(KS,"registerDownstreamClient");function g$(e){return typeof e.getDcrClient=="function"}o(g$,"isOAuthRepository");var _$=8;function Mp(e){let t=e.trim();try{let r=new URL(t);if(r.protocol==="https:")return r.toString()}catch{}if(/^data:image\/(?:png|jpe?g|webp);/i.test(t))return t}o(Mp,"safeIconSrc");function y$(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(y$,"safeGatewayConnectHref");function w$(e){if(e==="any")return Number.POSITIVE_INFINITY;let t=/^(\d+)x(\d+)$/.exec(e);return t?Math.max(Number(t[1]),Number(t[2])):0}o(w$,"parseIconSize");function S$(e,t){let r=e.filter(a=>a.theme===t);if(r.length>0)return r;let n=e.filter(a=>a.theme===void 0);return n.length>0?n:e}o(S$,"selectIconCandidates");function v$(e){return Mp(e.src)?e.sizes&&e.sizes.length>0?Math.max(...e.sizes.map(w$)):0:-1}o(v$,"readIconScore");function JS(e,t){if(!e||e.length===0)return;let r=S$(e,t),n,a=-1;for(let i of r){let s=v$(i);s>a&&(n=i,a=s)}return n}o(JS,"pickIcon");var R$='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>',ZS=Et(R$),b$=Et('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>'),C$=Et('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>'),YS=Et('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),WS=Et('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M8 1.5 2.5 3.5v4.2c0 3.4 2.4 5.6 5.5 6.8 3.1-1.2 5.5-3.4 5.5-6.8V3.5L8 1.5Z"/><path d="m5.8 8.2 1.6 1.6 3-3"/></svg>');function I$(e,t){let r=JS(e,"light");if(!r)return N`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${ZS}</span>`;let n=Mp(r.src);return n?N`<span class="icon-frame"><img src="${n}" alt="${t}" loading="lazy" decoding="async"></span>`:N`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${ZS}</span>`}o(I$,"renderIconFrame");function oc(e,t){let r=JS(e,"light");if(!r)return Te;let n=Mp(r.src);return n?N`<img class="inline-icon" src="${n}" alt="${t}" loading="lazy" decoding="async">`:Te}o(oc,"renderInlineIcon");function T$(e){switch(e){case"user":return"your account";case"shared":return"shared by your team";case"none":return"gateway-managed"}}o(T$,"ownerModeLabel");function A$(e){return e.endsWith("_oauth")||e==="oauth"?"OAuth":e.includes("static_secret")?"static credential":e.replaceAll("_"," ")}o(A$,"authModeLabel");function k$(e){switch(e){case"active":return N`<span class="status-badge status-badge--success">Connected</span>`;case"not_connected":return N`<span class="status-badge status-badge--neutral">Not connected</span>`;case"reconsent_required":return N`<span class="status-badge status-badge--warning">Reconnect required</span>`}}o(k$,"statusBadge");function E$(e){if(!e)return Te;let t=[];return e.destructiveHint&&t.push(N`<span class="badge badge--destructive" title="This tool may modify or delete data on your behalf.">destructive</span>`),e.readOnlyHint&&t.push(N`<span class="badge badge--muted" title="This tool only reads data and does not modify state.">read-only</span>`),e.openWorldHint&&t.push(N`<span class="badge badge--muted" title="This tool can access arbitrary URIs supplied at call time.">open-world</span>`),t.length>0?N`<span class="badge-row">${t}</span>`:Te}o(E$,"annotationBadges");function XS(e){let t=0,r=0;for(let n of e.tools)n.annotations?.destructiveHint===!0&&(t+=1),n.annotations?.readOnlyHint===!0&&(r+=1);return{tools:e.tools.length,prompts:e.prompts.length,resources:e.resources.length,destructiveTools:t,readOnlyTools:r}}o(XS,"summarizeCapabilities");function x$(e){let t=e.annotations?.title??e.title??e.name,r=e.description?N`<span class="capability-row__description">${e.description}</span>`:Te;return N`<li class="capability-row">${oc(e.icons,t)}<span class="capability-row__name">${t}</span>${E$(e.annotations)}${r}</li>`}o(x$,"renderToolRow");function P$(e){let t=e.title??e.name,r=e.description?N`<span class="capability-row__description">${e.description}</span>`:Te;return N`<li class="capability-row">${oc(e.icons,t)}<span class="capability-row__name">${t}</span>${r}</li>`}o(P$,"renderPromptRow");function O$(e){let t=e.title??e.name,r=e.mimeType===void 0?Te:N` · ${e.mimeType}`,n=e.description===void 0?Te:N` — ${e.description}`,a=N`<span class="capability-row__description"><code>${e.uri}</code>${r}${n}</span>`;return N`<li class="capability-row">${oc(e.icons,t)}<span class="capability-row__name">${t}</span>${a}</li>`}o(O$,"renderResourceRow");function Dp(e,t,r,n){if(t===0)return Te;let a=r.slice(0,_$),i=t-a.length,s=i>0?N`<li class="capability-row capability-row--more">+ ${i} more</li>`:Te;return N`<section class="capability-section"><h4 class="capability-section__title">${e} <span class="muted">(${t})</span></h4><ul class="capability-list">${a.map(n)}${s}</ul></section>`}o(Dp,"renderCapabilitySection");function nc(e,t,r=!1){return r?N`<span class="count-pill count-pill--destructive"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`:N`<span class="count-pill"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`}o(nc,"countPill");function U$(e){let t=XS(e);if(t.tools+t.prompts+t.resources===0)return N`<div class="upstream-card__capabilities upstream-card__capabilities--empty">No tools, prompts, or resources advertised.</div>`;let n=[];t.tools>0&&n.push(nc(t.tools===1?"tool":"tools",t.tools)),t.prompts>0&&n.push(nc(t.prompts===1?"prompt":"prompts",t.prompts)),t.resources>0&&n.push(nc(t.resources===1?"resource":"resources",t.resources)),t.destructiveTools>0&&n.push(nc("destructive",t.destructiveTools,!0));let a=[Dp("Tools",t.tools,e.tools,x$),Dp("Prompts",t.prompts,e.prompts,P$),Dp("Resources",t.resources,e.resources,O$)];return N`<details class="upstream-card__capabilities"><summary class="capabilities-summary"><span class="capabilities-summary__counts">${n}</span><span class="capabilities-summary__chevron" aria-hidden="true">${YS}</span></summary><div class="capabilities-detail">${a}</div></details>`}o(U$,"renderUpstreamCapabilities");function N$(e){if(!e||e.length===0)return Te;let t=e.map(n=>N`<code class="scope-chip">${n}</code>`),r=e.length===1?"scope":"scopes";return N`<details class="upstream-card__scopes"><summary class="scopes-summary"><span>Requested ${r} <span class="muted">(${e.length})</span></span><span class="capabilities-summary__chevron" aria-hidden="true">${YS}</span></summary><div class="scopes-list">${t}</div></details>`}o(N$,"renderUpstreamScopes");function z$(e,t){if(e.ownerMode!=="user")return Te;let r=y$(e.connectUrl,t);if(!r)return Te;let n=e.status==="active"?"Redo auth":e.status==="reconsent_required"?"Reconnect":"Connect",a=e.status==="active"?"Reconnect this upstream account or approve updated scopes.":void 0;return N`<a class="button button--secondary button--small" href="${r}"${a===void 0?Te:N` title="${a}"`}>${n}</a>`}o(z$,"renderActionButton");function $$(e,t){let r=z$(e,t);return sr(r)!==""?r:k$(e.status)}o($$,"renderUpstreamControl");function D$(e,t){let n=e.ownerMode==="user"&&e.status!=="active"?Et('<article class="upstream-card upstream-card--needs-action">'):Et('<article class="upstream-card">'),a=e.description?N`<p class="upstream-card__description">${e.description}</p>`:Te,i=e.transportHost?N`<code class="upstream-card__host">${e.transportHost}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`:Te,s=N`<div class="upstream-card__head">${I$(e.serverIcons,e.upstreamDisplayName)}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${$$(e,t)}</div><div class="upstream-card__meta">${i}<span>${A$(e.authMode)}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${T$(e.ownerMode)}</span></div>${a}</div></div>`,u=U$(e.capabilities),d=N$(e.scopesRequested);return N`${n}${s}${u}${d}</article>`}o(D$,"renderUpstreamCard");function M$(e){return e.reduce((t,r)=>{let n=XS(r.capabilities);return t.tools+=n.tools,t.prompts+=n.prompts,t.resources+=n.resources,t.destructiveTools+=n.destructiveTools,t.readOnlyTools+=n.readOnlyTools,t},{tools:0,prompts:0,resources:0,destructiveTools:0,readOnlyTools:0})}o(M$,"aggregateCapabilities");function q$(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(q$,"deriveMode");function L$(e){if(e.mode==="setup"){let n=e.upstreams.filter(u=>u.ownerMode==="user"&&u.status!=="active"),a=n.length>0&&n.every(u=>u.status==="reconsent_required"),i=n.length===1?"the service":`the ${n.length} services`,s=a?N`Re-authorize ${i} below to refresh access. Authorization will continue automatically once each is ready.`:N`Connect ${i} below before continuing. Authorization will continue automatically once each is ready.`;return N`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${b$}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${s}</p></div></div>`}let t=M$(e.upstreams);if(t.destructiveTools===0)return Te;let r=t.destructiveTools===1?"tool can":"tools can";return N`<div class="banner banner--alert" role="alert"><span class="banner__icon" aria-hidden="true">${C$}</span><div class="banner__body"><p class="banner__title">${t.destructiveTools} ${r} modify or delete data</p><p class="banner__message">Review the destructive tools below before authorizing <strong>${e.clientDisplayName}</strong>.</p></div></div>`}o(L$,"renderBanner");function j$(e){return e.mode==="grant"?N`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve">Authorize</button></form>`:N`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><input type="hidden" name="decision" value="continue"><button class="button button--primary" type="submit">Check again</button></form>`}o(j$,"renderActions");var H$=`
 *,*::before,*::after{box-sizing:border-box}
 :root{
   --bg:#ffffff;
@@ -1268,8 +1404,8 @@ details[open] > .scopes-summary .capabilities-summary__chevron{transform:rotate(
 @media (prefers-reduced-motion: reduce){
   *{transition:none!important}
 }
-`,wN=yt(SN);function rp(e){let t=gN(e.upstreams),r=[...e.upstreams].sort((m,f)=>{let _=o(y=>y.ownerMode!=="user"?2:y.status==="active"?1:0,"blockedRank"),S=_(m)-_(f);return S!==0?S:m.upstreamDisplayName.localeCompare(f.upstreamDisplayName)}),n=e.principalLabel?x`<span class="principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`:ye,a=e.virtualServerDescription?x`<p class="hero__description">${e.virtualServerDescription}</p>`:ye,i=Is(e.virtualServerIcons,e.virtualServerDisplayName),s=_N({mode:t,upstreams:r,clientDisplayName:e.clientDisplayName}),u=r.length===0?x`<div class="empty">This virtual server does not declare any upstream services.</div>`:x`<ul class="upstream-list">${r.map(m=>x`<li>${hN(m,e.gatewayOrigin)}</li>`)}</ul>`,d=yN({mode:t,state:e.state}),l=t==="grant"?x`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${nw}</span><span><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.virtualServerDisplayName}</strong>. You can revoke access at any time.</span></p>`:x`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${nw}</span><span>Authorization continues automatically once every required service is connected.</span></p>`,p=r.length>0?x`<span class="section-label__count">(${r.length})</span>`:ye;return Zt(x`<!doctype html><html lang="en"><head><meta charset="utf-8"><title>Authorize MCP access · ${e.virtualServerDisplayName}</title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="referrer" content="no-referrer"><meta name="robots" content="noindex"><style>${wN}</style></head><body><header class="topbar"><div class="topbar__inner"><div class="brand"><span class="brand__mark" aria-hidden="true">Z</span><span class="brand__name">Zuplo MCP Gateway</span></div>${n}</div></header><main class="shell-main"><div class="static-top"><div class="static-top__inner"><section class="hero"><h1 class="hero__title">Authorize access</h1><p class="hero__connection"><span class="hero__client">${e.clientDisplayName}</span><span class="hero__arrow" aria-label="will access">→</span><span class="hero__server">${i}${e.virtualServerDisplayName}</span></p>${a}</section>${s}</div></div><section class="upstream-region" aria-labelledby="upstreams-heading"><div class="upstream-region__head"><h2 id="upstreams-heading" class="section-label">Upstream services${p}</h2></div><div class="upstream-region__scroll"><div class="upstream-region__scroll-inner">${u}</div></div></section></main><div class="action-bar" role="region" aria-label="Authorization decision"><div class="action-bar__inner">${l}${d}</div></div></body></html>`)}o(rp,"renderConsentPage");function vN(e){try{return new URL(e).host}catch{return}}o(vN,"safeUrlHost");function RN(e){if(e.mode==="user_oauth"||e.mode==="tenant_shared_oauth")return e.oauth.scopes}o(RN,"readOAuthScopes");function np(e){return e!==void 0&&e.length>0}o(np,"hasItems");function bN(e){let t=e.registeredConnection.config.serverInfo?.icons;if(np(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&np(r)?r:void 0}o(bN,"readServerIcons");async function CN(e){if(!(e.returnTo===void 0||!e.isUserOwned))return pl({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(CN,"readConnectUrl");function Fr(e,t){return t===void 0?{}:{[e]:t}}o(Fr,"optionalRequirementField");function IN(e){return e.isUserOwned?$g(e.connection):{connected:!0,status:"active"}}o(IN,"readSetupConnectionStatus");function TN(e){let t=RN(e);return np(t)?t:void 0}o(TN,"readScopesRequested");function AN(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(AN,"readUpdatedAt");function kN(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(ki),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(Pi),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(Ei)}}o(kN,"readVirtualServerCapabilities");async function PN(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=Wi(r),u=s==="user",d=IN({connection:e.connection,isUserOwned:u}),l=await CN({...e,connected:d.connected,isUserOwned:u});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:kN({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...Fr("description",n.description),...Fr("transportHost",vN(n.transport.baseUrl)),...Fr("scopesRequested",TN(t)),...Fr("serverIcons",bN({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...Fr("connectUrl",l),...Fr("updatedAt",AN({connectionStatus:d,isUserOwned:u})),...Fr("expiresAt",e.connection?.expiresAt)}}o(PN,"buildSetupRequirement");function sw(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(sw,"requireVirtualServer");async function op(e){let t=sw(e.transaction.virtualServerId),r=mr(e.transaction.principal.tenantId,e.transaction.principal.subjectId),n=[],a=new Map;for(let u of t.connections)Wi(u.authMode)==="user"&&(a.set(u,n.length),n.push({owner:r,upstreamServerId:u.upstreamServerId,authProfileId:u.authProfileId}));let i=await q().upstreamConnectionRepository.batchGet(n),s=[];for(let u of t.connections){let d=Wi(u.authMode)==="user",l=a.get(u);s.push(await PN({connection:d&&l!==void 0?i[l]:void 0,registeredConnection:u,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(op,"requirementsForSetup");function EN(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(EN,"readVirtualServerDisplayName");async function ap(e){let t=e.repository??q().downstreamOAuthRepository,r=sw(e.transaction.virtualServerId),n=EN({virtualServer:r}),a=await t.getDcrClient(e.transaction.clientId),i={gatewayOrigin:re(e.requestUrl),virtualServerDisplayName:n,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:`${e.transaction.principal.subjectId} \xB7 ${e.transaction.principal.tenantId}`},s=r.serverInfo?.title;return s!==void 0&&s!==n&&(i.virtualServerDescription=s),i}o(ap,"consentContext");function cw(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(cw,"hasUnresolvedUserUpstream");var xN=["mcp_user"],ON="dev-browser-user",UN=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),zN=c.object({response_type:c.literal("code"),client_id:c.string().min(1),redirect_uri:c.string().min(1),resource:c.url(),code_challenge:c.string().min(43),code_challenge_method:Cn,state:c.string().min(1).optional(),scope:c.literal(ce).default(ce)}),NN=c.enum(["continue","approve","cancel"]).default("continue"),DN=c.object({state:c.string().min(1),decision:NN}),MN=c.object({state:c.string().min(1),apiKey:c.string().min(1)}),Zr=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function uw(e){return typeof e=="string"&&e.length>0?e:void 0}o(uw,"readQueryString");function qN(e,t){let r=uw(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new U("invalid_target",UN)}let n=Nr(t,e.url);if(r===void 0||r===n)return n;throw new U("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(qN,"requireAuthorizeResource");async function $N(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ys(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=ES(e);return{principal:i,setCookie:await la({principal:i,requestUrl:e.url,virtualServerId:t})}}o($N,"resolveBrowserPrincipal");async function LN(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ys(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(LN,"requireSetupPrincipal");async function dw(e){let t=await op({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await ap({transaction:e.transaction,requestUrl:e.requestUrl,...e.repository===void 0?{}:{repository:e.repository}}),n={kind:"setup_page",html:rp({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(dw,"renderSetup");function jN(e){return typeof e.decideAuthorizationSetup=="function"}o(jN,"usesRuntimeHttpAuthorizationOperations");function HN(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;if(t==="private_key_jwt")throw new U("invalid_client","OAuth client authentication method is not supported.");return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o(HN,"toAuthorizationTransactionClient");async function ip(e,t={}){let r=zN.parse({...e.query,resource:qN(e,t.virtualServerId),state:uw(e.query.state)}),n=Vr(r.scope);jn(r.redirect_uri);let a=q().downstreamOAuthRepository,i=new Date,s=le.parse(r.client_id),u=jN(a)&&s.startsWith("dcr:")?void 0:await ha(a,r.client_id,i);u!==void 0&&bs(u,r.redirect_uri);let d=u===void 0,l=d?Pt(e.url,r.resource):void 0;try{let p=l??Pt(e.url,r.resource),m=HN(u);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:s,virtualServerId:p.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved");let f={clientId:u?.clientId??s,...m===void 0?{}:{client:m},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:p.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:_,setCookie:S}=await $N(e,p.virtualServerId,t.context);if(!_){let w=await ZS({transaction:f,requestUrl:e.url,now:i,repository:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:s,virtualServerId:p.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let v={kind:"redirect",location:w.browserLoginUrl};return S!==void 0&&(v.setCookie=S),v}let y=await KS({transaction:f,principal:_,now:i,repository:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:s,virtualServerId:p.virtualServerId,tenantId:_.tenantId,subjectId:_.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),dw({transaction:y.transaction,csrfToken:y.csrfToken,requestUrl:e.url,repository:a,setCookie:S})}catch(p){throw d?p:GN({redirectUri:r.redirect_uri,clientState:r.state,cause:p})}}o(ip,"authorizeDownstreamClient");function GN(e){if(e.cause instanceof Zr)return e.cause;let t=BN(e.cause);return t?new Zr({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(GN,"toDownstreamAuthorizeRedirectError");function BN(e){if(e instanceof U)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof c.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o(BN,"mapToOAuthRedirectError");async function lw(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",p??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await Rs(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await OS(i),u=q().downstreamOAuthRepository,d=await Jl({browserLoginStateToken:n,principal:s,repository:u}),l=await dw({transaction:d.transaction,csrfToken:d.csrfToken,requestUrl:e.url,repository:u});return l.setCookie=await la({principal:s,requestUrl:e.url,virtualServerId:d.transaction.virtualServerId}),l}o(lw,"completeBrowserLoginCallback");async function pw(e){let t=ve();if(!t.devTenantId)throw g("authentication_required","Local browser login requires the `devTenantId` policy option on mcp-oauth-inbound.");let r=new URL(e.url);if(!Le(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",re(e.url)),i=new URL(re(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:X.parse(ON),tenantId:ue.parse(t.devTenantId),roles:xN};return{kind:"redirect",location:a,setCookie:await la({principal:s,requestUrl:e.url})}}o(pw,"completeLocalDevBrowserLogin");async function mw(e){let t=MN.parse(e.body),r=q().downstreamOAuthRepository,n=await WS({browserLoginStateToken:t.state,repository:r}),a=await xS({apiKey:t.apiKey,virtualServerId:n.virtualServerId}),i=await Jl({browserLoginStateToken:t.state,principal:a,repository:r});await Fy({apiKey:t.apiKey,principal:a,virtualServerId:i.transaction.virtualServerId});let s=new URL("/oauth/setup",gt(e.request.url));return s.searchParams.set("state",i.csrfToken),{kind:"redirect",location:s,setCookie:await la({principal:a,requestUrl:e.request.url,virtualServerId:i.transaction.virtualServerId})}}o(mw,"completeApiKeyBrowserLogin");function VN(e){let t=e.method==="POST"?e.body:e.query;return DN.parse(t)}o(VN,"readSetupContinueRequest");async function hw(e){let{state:t,decision:r}=VN({method:e.request.method,query:e.request.query,body:e.body}),n=q().downstreamOAuthRepository,a=new Date,i=await Yl({csrfToken:t,now:a,repository:n}),s=await LN(e.request,i.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await QS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})};let u=await ma({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n}),d=await op({transaction:u,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||cw(d)){let l=await ap({repository:n,transaction:u,requestUrl:e.request.url});return{kind:"setup_page",html:rp({state:t,virtualServerId:u.virtualServerId,upstreams:d,...l})}}return{kind:"redirect",location:await XS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})}}o(hw,"continueDownstreamAuthorizeSetup");Y();var FN=new Set(["authorization_code","refresh_token"]),ZN=c.discriminatedUnion("grant_type",[c.object({grant_type:c.literal("authorization_code"),code:c.string().min(1),redirect_uri:c.string().min(1),client_id:c.string().min(1).optional(),code_verifier:zi,resource:c.url().optional(),scope:c.literal(ce).optional(),client_secret:c.string().min(1).optional()}),c.object({grant_type:c.literal("refresh_token"),refresh_token:c.string().min(1),client_id:c.string().min(1).optional(),resource:c.url().optional(),scope:c.literal(ce).optional(),client_secret:c.string().min(1).optional()})]);function KN(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!FN.has(t)))throw new U("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(KN,"assertSupportedGrantType");var WN=c.object({token:c.string().min(1),client_id:c.string().min(1).optional(),token_type_hint:c.string().optional(),client_secret:c.string().min(1).optional()});function gw(){return ve().gateway.accessTokenTtlSeconds}o(gw,"readAccessTokenTtlSeconds");function _w(){return ve().gateway.refreshTokenTtlSeconds}o(_w,"readRefreshTokenTtlSeconds");async function fw(e){if(!e.client.hashedClientSecret||!e.clientSecret||e.clientSecretSource!==e.requiredSource)throw new U("invalid_client",e.missingMessage);if(!await bg({value:e.clientSecret,expectedHash:e.client.hashedClientSecret}))throw new U("invalid_client","Client authentication failed.")}o(fw,"requireClientSecretAuthentication");async function yw(e){switch(e.client.metadata.token_endpoint_auth_method){case"none":if(e.clientSecret)throw new U("invalid_request","Public clients must not authenticate with client_secret.");return;case"client_secret_basic":await fw({...e,requiredSource:"basic",missingMessage:"Client authentication with HTTP Basic is required."});return;case"client_secret_post":await fw({...e,requiredSource:"post",missingMessage:"Client authentication with client_secret_post is required."});return;case"private_key_jwt":throw new U("invalid_client","private_key_jwt client authentication is not supported.")}}o(yw,"requireClientAuthentication");function sp(e,t){let r=gw(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:O(ft(e,a)),expiresIn:a}}o(sp,"calculateAccessTokenExpiresAt");async function JN(e){let t=Ke(),r=await F(t),n=sp(e.now,e.grant.expiresAt);return await e.repository.saveAccessToken({tokenHash:r,grantId:e.grant.id,clientId:e.grant.clientId,resource:e.grant.resource,virtualServerId:e.grant.virtualServerId,tenantId:e.grant.tenantId,subjectId:e.grant.subjectId,scope:e.grant.scope,roles:e.grant.roles,createdAt:O(e.now),expiresAt:n.expiresAt}),{accessToken:t,expiresIn:n.expiresIn}}o(JN,"issueOpaqueAccessToken");function Sw(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new U("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new U("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new U("invalid_client","Malformed HTTP Basic client authentication.")}}o(Sw,"readBasicClientSecret");function ww(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new U("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new U("invalid_client","Client authentication or client_id is required.");return t}o(ww,"resolveAuthenticatedClientId");function vw(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new U("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(vw,"resolveClientSecretInput");function Rw(e){return typeof e.exchangeAuthorizationCodeWithClientAuth=="function"&&typeof e.refreshTokenWithClientAuth=="function"&&typeof e.revokeOAuthTokenWithClientAuth=="function"}o(Rw,"usesRuntimeHttpTokenOperations");async function bw(e){let t=le.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await F(e.clientSecret)}}o(bw,"buildRuntimeHttpClientAuth");async function Cw(e){KN(e.body);let t=ZN.parse(e.body),r=Sw(e.authorizationHeader),n=ww({basicClientId:r.clientId,bodyClientId:t.client_id}),a=q().downstreamOAuthRepository,i=new Date,s=vw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(Rw(a))return YN({parsed:t,clientId:n,clientSecretInput:s,now:i,repository:a,requestUrl:e.requestUrl});let u=await ha(a,n,i);if(await yw({client:u,...s}),t.grant_type==="authorization_code"){jn(t.redirect_uri),bs(u,t.redirect_uri),Vr(t.scope),t.resource!==void 0&&Pt(e.requestUrl??t.resource,t.resource);let S=Ke(),y=Ke(),w=O(ft(i,_w())),v=sp(i,w),R=await a.exchangeAuthorizationCode({codeHash:await F(t.code),clientId:u.clientId,redirectUri:t.redirect_uri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:await Ld(t.code_verifier),currentRefreshTokenHash:await F(S),accessTokenHash:await F(y),now:i,grantExpiresAt:w,accessTokenExpiresAt:v.expiresAt});if(R.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the authorization code resource.");if(R.kind!=="exchanged")throw new U("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context?.log.info({event:"oauth_token_issued",grantType:"authorization_code",clientId:u.clientId,scope:R.grant.scope,resource:R.grant.resource,expiresInSeconds:v.expiresIn},"OAuth access token issued (authorization_code grant)"),{access_token:y,token_type:"Bearer",expires_in:v.expiresIn,refresh_token:S,scope:R.grant.scope,resource:R.grant.resource}}Vr(t.scope);let d=await F(t.refresh_token);t.resource!==void 0&&Pt(e.requestUrl??t.resource,t.resource);let l=Ke(),p=await F(l),m=await a.rotateRefreshToken({currentTokenHash:d,nextTokenHash:p,clientId:u.clientId,...t.resource===void 0?{}:{resource:t.resource},now:i});if(m.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the refresh token grant resource.");if(m.kind!=="rotated")throw new U("invalid_grant","Refresh token is invalid, expired, or revoked.");let f=m.grant;if(f.revokedAt||f.clientId!==u.clientId)throw new U("invalid_grant","Refresh token grant is invalid or revoked.");Pt(e.requestUrl??f.resource,f.resource);let _=await JN({repository:a,grant:f,now:i});return e.context?.log.info({event:"oauth_token_refresh_rotated",grantType:"refresh_token",clientId:u.clientId,scope:f.scope,resource:f.resource,expiresInSeconds:_.expiresIn},"OAuth refresh token rotated and access token issued"),{access_token:_.accessToken,token_type:"Bearer",expires_in:_.expiresIn,refresh_token:l,scope:f.scope,resource:f.resource}}o(Cw,"exchangeDownstreamToken");async function YN(e){let t=await bw({clientId:e.clientId,...e.clientSecretInput});if(e.parsed.grant_type==="authorization_code"){jn(e.parsed.redirect_uri),Vr(e.parsed.scope),e.parsed.resource!==void 0&&Pt(e.requestUrl??e.parsed.resource,e.parsed.resource);let u=Ke(),d=Ke(),l=O(ft(e.now,_w())),p=sp(e.now,l),m=await e.repository.exchangeAuthorizationCodeWithClientAuth({clientAuth:t,codeHash:await F(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await Ld(e.parsed.code_verifier),currentRefreshTokenHash:await F(u),accessTokenHash:await F(d),grantExpiresAt:l,accessTokenExpiresAt:p.expiresAt,now:O(e.now)});if(m.kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");if(m.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the authorization code resource.");if(m.kind!=="exchanged")throw new U("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return{access_token:d,token_type:"Bearer",expires_in:p.expiresIn,refresh_token:u,scope:m.grant.scope,resource:m.grant.resource}}Vr(e.parsed.scope),e.parsed.resource!==void 0&&Pt(e.requestUrl??e.parsed.resource,e.parsed.resource);let r=Ke(),n=Ke(),a=O(ft(e.now,gw())),i=await e.repository.refreshTokenWithClientAuth({clientAuth:t,currentRefreshTokenHash:await F(e.parsed.refresh_token),nextRefreshTokenHash:await F(r),accessTokenHash:await F(n),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:a,now:O(e.now)});if(i.kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new U("invalid_grant","Refresh token is invalid, expired, or revoked.");Pt(e.requestUrl??i.grant.resource,i.grant.resource);let s=i.accessToken.expiresAt;return{access_token:n,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:i.grant.scope,resource:i.grant.resource}}o(YN,"exchangeDownstreamTokenWithRuntimeHttp");async function Iw(e){let t=WN.parse(e.body),r=Sw(e.authorizationHeader),n=ww({basicClientId:r.clientId,bodyClientId:t.client_id}),a=q().downstreamOAuthRepository,i=vw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(Rw(a)){let d=new Date;if((await a.revokeOAuthTokenWithClientAuth({clientAuth:await bw({clientId:n,...i}),tokenHash:await F(t.token),now:O(d)})).kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");return}let s=await ha(a,n,new Date);await yw({client:s,...i});let u=await F(t.token);await a.revokeOAuthToken({tokenHash:u,clientId:s.clientId,now:new Date}),e.context?.log.info({event:"oauth_token_revoked",clientId:s.clientId,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed")}o(Iw,"revokeDownstreamToken");var XN=64*1024,QN=16*1024,eD="text/html; charset=utf-8";function tD(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(tD,"formDataToObject");async function rD(e){return SS(e,{maxBytes:XN,label:"Request body"})}o(rD,"readJsonBody");async function Ts(e){return tD(await gs(e,{maxBytes:QN,label:"Request body"}))}o(Ts,"readFormBody");async function As(e,t,r){let n=de(r),a=r instanceof c.ZodError?Tw(r):r instanceof Error?r.message:void 0,i={code:n??"invalid_request"};return a!==void 0&&(i.detail=a),Ze(e,t,i)}o(As,"handleProblem");function fa(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(fa,"oauthErrorResponse");function nD(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(nD,"readOAuthProtocolHeaders");function oD(e,t){let r=Fe("internal_server_error");return fa({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:nD(e,t)})}o(oD,"oauthProtocolErrorResponse");function aD(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(aD,"readZodOAuthErrorCode");function iD(e){let t={error:aD(e)},r=Tw(e);return r!==void 0&&(t.errorDescription=r),fa(t)}o(iD,"oauthZodErrorResponse");function sD(e){let t=de(e);if(t===void 0)return;let r=Fe(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:uD(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,fa(n)}o(sD,"oauthGatewayProblemResponse");function cD(){let t={error:"server_error",status:500,errorDescription:Fe("internal_server_error").publicDetail};return fa(t)}o(cD,"oauthFallbackErrorResponse");function uD(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(uD,"readOAuthStatus");function Hn(e,t={}){return e instanceof Zr?dD(e):e instanceof U?oD(e,t):e instanceof c.ZodError?iD(e):sD(e)??cD()}o(Hn,"oauthProblemResponse");function Et(e,t,r){let n={event:t},a=!1;if(r instanceof U)n.oauthError=r.errorCode,n.status=r.status,Ae(n,"error",r);else if(r instanceof Zr)n.oauthError=r.errorCode,Ae(n,"error",r);else if(r instanceof c.ZodError){n.code="invalid_request",Ae(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=de(r);if(i!==void 0){let s=Fe(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",Ae(n,"error",r)}else a=!0,Ae(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(Et,"logUnexpectedOAuthHandlerError");function dD(e){let t;try{t=new URL(e.redirectUri)}catch{return fa({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(dD,"downstreamAuthorizeRedirectErrorResponse");function Tw(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(Tw,"formatZodErrorDetail");function lD(e,t){let r={event:"browser_login_callback_failed",code:de(t)??"invalid_request"};Ae(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(lD,"logBrowserLoginCallbackFailure");function cp(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(cp,"redirectResultResponse");function ks(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":eD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return cp(e)}o(ks,"authorizeResultResponse");async function Aw(e,t){try{return Response.json(qd(e.url))}catch(r){return Et(t,"oauth_authorization_server_metadata_failed",r),As(e,t,r)}}o(Aw,"authorizationServerMetadataHandler");async function kw(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return Response.json(Sg({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return Et(t,"oauth_authorization_server_metadata_failed",r),As(e,t,r)}}o(kw,"scopedAuthorizationServerMetadataHandler");async function Pw(e,t){try{let r=await tw(await rD(e)),n=r;return t.log.info({event:"oauth_dcr_client_registered",clientId:typeof n.client_id=="string"?n.client_id:void 0,clientName:typeof n.client_name=="string"?n.client_name:void 0,redirectUriCount:Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,tokenEndpointAuthMethod:typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0},"OAuth Dynamic Client Registration completed"),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Et(t,"oauth_register_failed",r),Hn(r)}}o(Pw,"registerHandler");async function Ew(e,t){try{return ks(await ip(e,{context:t}))}catch(r){return Et(t,"oauth_authorize_failed",r),Hn(r,{includeInvalidClientChallenge:!1})}}o(Ew,"authorizeHandler");async function xw(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return ks(await ip(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return Et(t,"oauth_authorize_scoped_failed",r),Hn(r,{includeInvalidClientChallenge:!1})}}o(xw,"scopedAuthorizeHandler");async function Ow(e,t){try{let r=await lw(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),ks(r)}catch(r){return lD(t,r),As(e,t,r)}}o(Ow,"callbackHandler");async function Uw(e,t){try{return cp(await pw(e))}catch(r){return Et(t,"oauth_dev_login_failed",r),Hn(r)}}o(Uw,"devLoginHandler");async function zw(e,t){try{if(e.method==="GET"){let r=typeof e.query.state=="string"?e.query.state:void 0;return r?bS(r):Vl(400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):cp(await mw({request:e,body:await Ts(e)}))}catch(r){return Et(t,"oauth_api_key_login_failed",r),Vl()}}o(zw,"apiKeyLoginHandler");async function Nw(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await hw({request:e,body:e.method==="POST"?await Ts(e):void 0,context:t});return ks(r)}catch(r){return Et(t,"oauth_setup_failed",r),As(e,t,r)}}o(Nw,"setupHandler");async function Dw(e,t){try{return Response.json(await Cw({body:await Ts(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Et(t,"oauth_token_failed",r),Hn(r)}}o(Dw,"tokenHandler");async function Mw(e,t){try{return await Iw({body:await Ts(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Et(t,"oauth_revoke_failed",r),Hn(r)}}o(Mw,"revokeHandler");var pD={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},qw=new Ut("upstream-request");function mD(e){let t=qw.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(mD,"readUpstreamRequestContext");function hD(e,t){return t.some(r=>r===e)}o(hD,"requestContextMatchesKind");function fD(e){return typeof e=="string"?[e]:e}o(fD,"toExpectedKinds");function Kr(e,t){qw.set(e,t)}o(Kr,"setUpstreamRequestContext");function Wr(e,t){let r=mD(e),n=fD(t);if(!hD(r.kind,n)){let a=pD[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(Wr,"requireUpstreamRequestContext");var gD="text/html; charset=utf-8",_D="none";function $w(e){return x`<!doctype html><html><head><title>${e.title}</title><meta name="viewport" content="width=device-width, initial-scale=1"></head><body data-gateway-error-code="${e.code??_D}"><main><h1>${e.title}</h1><p>${e.body}</p></main></body></html>`}o($w,"browserResultHtml");function Lw(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":gD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(Lw,"browserResultResponse");function Ps(e){return Lw($w(e))}o(Ps,"browserConnectionSuccessResponse");function Gn(e){let t=Mf(e);return Lw($w({title:t.title,body:t.body,code:e}),400)}o(Gn,"browserConnectionFailureResponse");var yD="text/html; charset=utf-8",SD=16*1024;function wD(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":yD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(wD,"htmlResponse");function vD(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(vD,"safeRedirect");function RD(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(RD,"requireBrowserTicket");function bD(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(bD,"appPasswordTicketMatchesTarget");async function jw(e){let t=RD(e.browserTicket),r=await es(t);if(!bD(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(jw,"readAppPasswordTarget");function CD(e){let t=yl(e.upstreamServerId,e.authProfileId),r=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,n=t.kind==="basic_auth_app_password"?x`<label for="username">${t.usernameLabel}</label><input id="username" name="username" required autocomplete="username"><label for="appPassword">${t.passwordLabel}</label><input id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:x`<label for="token">${t.label}</label><input id="token" name="token" type="password" required autocomplete="off">`;return wD(x`<!doctype html><html><head><title>Connect upstream</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;margin:0;padding:32px;background:#f8fafc;color:#0f172a}main{max-width:440px;margin:0 auto;background:white;border:1px solid #dbe3ee;border-radius:8px;padding:24px;box-shadow:0 1px 2px rgba(15,23,42,.06)}label{display:block;font-size:14px;font-weight:600;margin:16px 0 6px}input{box-sizing:border-box;width:100%;border:1px solid #b8c3d4;border-radius:6px;padding:10px 12px;font:inherit}button{margin-top:20px;border:0;border-radius:6px;background:#0f172a;color:white;padding:10px 14px;font:inherit;font-weight:600;cursor:pointer}p{color:#475569;line-height:1.5}</style></head><body><main><h1>Connect upstream</h1><p>Enter the per-user credential for this approved upstream. The gateway stores it encrypted and keeps it out of MCP client configuration.</p><form method="post" action="${r}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}">${n}<button type="submit">Connect</button></form></main></body></html>`)}o(CD,"renderCaptureForm");function Es(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(Es,"readRequiredFormValue");function ID(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(ID,"readCaptureFormTargetInput");async function TD(e){return CD(await jw(ID(e)))}o(TD,"handleCaptureFormRequest");async function AD(e){let t=await gs(e.request,{maxBytes:SD,label:"App password request body"});return{form:t,target:await jw({upstreamServerId:e.upstreamServerId,browserTicket:Es(t,"browserTicket")})}}o(AD,"readSubmittedAppPasswordTarget");async function kD(e){let t=Pn(e.target.ticket);if(await ts(e.target.ticket),yl(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await rs({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:Es(e.form,"token")});return}await dy({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:Es(e.form,"username"),appPassword:Es(e.form,"appPassword")})}o(kD,"saveSubmittedAppPasswordCredential");function PD(e,t){return t.ticket.returnTo?vD(e,t.ticket.returnTo):Ps({title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(PD,"appPasswordSuccessResponse");async function ED(e){let t=await AD({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await kD(t),PD(e.request.url,t.target)}o(ED,"handleAppPasswordSubmission");function xD(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(xD,"methodNotAllowedResponse");function OD(e){let t=de(e);return Gn(wi(t)?t:"oauth_state_invalid")}o(OD,"appPasswordFailureResponse");async function UD(e){switch(e.request.method){case"GET":return TD(e.appPasswordRequest);case"POST":return ED(e);default:return xD()}}o(UD,"handleAppPasswordMethod");async function up(e,t){let r=Wr(t,"app_password");try{return await UD({request:e,appPasswordRequest:r})}catch(n){return OD(n)}}o(up,"appPasswordHandler");var zD=["callback_authorization_code","callback_provider_error","callback_invalid"];function ND(e){return"cause"in e?e.cause:void 0}o(ND,"readErrorCause");function DD(e){return e.stack?.split(`
-`).slice(1,4).map(t=>t.trim()).join(" | ")}o(DD,"readFirstStackFrame");function Hw(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=DD(r))}o(Hw,"addErrorAttributes");function MD(e,t){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),Gn("provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Gn("oauth_state_invalid");case"callback_authorization_code":return t}}o(MD,"requireAuthorizationCallbackRequest");function qD(e,t){We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(qD,"emitCallbackReceivedAnalyticsEvent");function $D(e,t){We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o($D,"emitTokenExchangeSucceededAnalyticsEvent");function LD(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return Ps({title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(LD,"buildSuccessfulCallbackResponse");function jD(e){let t={detail:e instanceof Error?e.message:void 0};return Hw(t,"error",e),e instanceof Error&&Hw(t,"cause",ND(e)),t}o(jD,"buildTokenExchangeFailureAttributes");function HD(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:de(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:jD(e.error)})}o(HD,"emitTokenExchangeFailedAnalyticsEvent");function GD(e){let t=de(e);return Gn(wi(t)?t:"upstream_token_exchange_failed")}o(GD,"tokenExchangeFailureResponse");async function dp(e,t){let r=Wr(t,zD),n=MD(t,r);if(n instanceof Response)return n;qD(t,n);try{let a=await Ky({request:e,callbackRequest:n});return $D(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,virtualServerId:a.virtualServerId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),LD(e,a)}catch(a){let i={event:"upstream_oauth_token_exchange_failed",code:de(a)??"upstream_token_exchange_failed",upstreamServerId:n.upstreamServerId};return Ae(i,"error",a),t.log.warn(i,"Upstream OAuth token exchange failed; user shown connection-failure page"),HD({context:t,callbackRequest:n,error:a}),GD(a)}}o(dp,"callbackHandler");function BD(e){let t=de(e);return t==="unknown_upstream_server"?t:"not_found"}o(BD,"clientMetadataProblemCode");function VD(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(VD,"clientMetadataProblemDetail");async function Gw(e,t){let r=Wr(t,"connect"),n=await Zy({request:e,connectRequest:r});if(We(t,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await On({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(Gw,"connectHandler");async function Bw(e,t){let r=Wr(t,"client_metadata");try{let n=Oy(e.url),a=Uy(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=BD(n),i=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),Ze(e,t,{code:a,detail:VD(n)})}}o(Bw,"oauthClientMetadataHandler");function Kt(e){if(typeof e=="string"&&e.length!==0)return e}o(Kt,"readOptionalQueryString");function FD(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(FD,"requirePathString");function Vw(e){let t=Kt(e);return t?me.parse(t):void 0}o(Vw,"readOptionalVirtualServerId");function ZD(e,t){let r=Kt(e);return r?Pe.parse(r):vn(t,"user_oauth")}o(ZD,"readOptionalAuthProfileId");function KD(e){let t=Vw(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(KD,"readRequiredVirtualServerId");function WD(e){let t=Kt(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(WD,"readOptionalBrowserTicket");function JD(e){let t=Gi(Kt(e));return t===void 0?{}:{returnTo:t}}o(JD,"readOptionalReturnTo");function YD(e){let t=Vw(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(YD,"readOptionalVirtualServerIdContext");function XD(e){let t=Kt(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(XD,"readOptionalProviderErrorDescription");function QD(e){let t=At(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(QD,"requireConnectableRouteAuth");function eM(e,t,r,n){let a=fs(e,t);if(a.ownerMode==="none"||a.authMode==="tenant_static_secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(eM,"buildConnectContextForPrincipal");function tM(e,t,r){let n=Pn(t),a=At(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(tM,"buildConnectContextForTicket");async function rM(e,t){let r=QD(fS(t,KD(e.query.virtualServerId))),n=e.query.redirect==="true",a=Kt(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let s=Tn(e.user,e.url);return eM(r,s,n,JD(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let i=await es(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await ts(i),tM(r,i,n)}o(rM,"resolveConnectContext");async function nM(e,t,r){let n=ke.parse(FD(e,"connection"));switch(r){case"connect":Kr(t,await rM(e,n));return;case"app_password":Kr(t,{kind:"app_password",upstreamServerId:n,...YD(e),...WD(e)});return;case"callback":{let a=Kt(e.query.error);if(a){Kr(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...XD(e)});return}let i=Kt(e.query.code),s=Kt(e.query.state);if(i&&s){Kr(t,{kind:"callback_authorization_code",upstreamServerId:n,code:i,state:s});return}Kr(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":Kr(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:ZD(e.query.authProfileId,n)});return}}o(nM,"resolveUpstreamRequestInbound");async function oM(e,t,r){try{await nM(e,t,r);return}catch(n){let a=de(n);if(!a)throw n;let i=n instanceof Error?n.message:void 0;return Ze(e,t,{code:a,...i===void 0?{}:{detail:i}})}}o(oM,"applyUpstreamRequestContext");function ga(e,t){return o(async(n,a)=>{let i=await oM(n,a,e);return i||t(n,a)},"wrapped")}o(ga,"withUpstreamRequestContext");var aM={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function iM(){return new Response(null,{status:204,headers:aM})}o(iM,"buildWellKnownPreflightResponse");function sM(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(sM,"withWellKnownCorsHeaders");function lp(e){return async(t,r)=>t.method==="OPTIONS"?iM():sM(await e(t,r))}o(lp,"wrapWellKnownHandler");var cM=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:lp(Aw)},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:lp(kw)},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:lp(wg)},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Pw},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Ew},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:xw},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Ow},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Uw},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:zw},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:Nw},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:Dw},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:Mw},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ga("client_metadata",Bw)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ga("connect",Gw)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ga("callback",dp)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:ga("app_password",up)}];function Fw(e){if(e)return e.find(t=>Ii(t.policyType))}o(Fw,"findMcpOAuthPolicy");function Zw(e){return Fw(e)!==void 0}o(Zw,"shouldRegisterMcpGatewayInternalRoutes");function uM(e){let t=gd(e.policyType);if(!t){let r=_d();throw new Ot(`MCP gateway: unknown MCP authorization policy type '${String(e.policyType)}'. Registered policy types: ${r.length>0?r.join(", "):"<none>"}.`)}try{return t.getConfig(e.handler.options)}catch(r){throw r instanceof c.ZodError?new Ot(dM(e.name??e.policyType,r),{cause:r}):r}}o(uM,"resolveOAuthConfigFromPolicy");function dM(e,t){let r=t.issues.map(n=>`  - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
+`,G$=Et(H$);function qp(e){let t=q$(e.upstreams),r=[...e.upstreams].sort((m,f)=>{let _=o(y=>y.ownerMode!=="user"?2:y.status==="active"?1:0,"blockedRank"),w=_(m)-_(f);return w!==0?w:m.upstreamDisplayName.localeCompare(f.upstreamDisplayName)}),n=e.principalLabel?N`<span class="principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`:Te,a=e.virtualServerDescription?N`<p class="hero__description">${e.virtualServerDescription}</p>`:Te,i=oc(e.virtualServerIcons,e.virtualServerDisplayName),s=L$({mode:t,upstreams:r,clientDisplayName:e.clientDisplayName}),u=r.length===0?N`<div class="empty">This virtual server does not declare any upstream services.</div>`:N`<ul class="upstream-list">${r.map(m=>N`<li>${D$(m,e.gatewayOrigin)}</li>`)}</ul>`,d=j$({mode:t,state:e.state}),p=t==="grant"?N`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${WS}</span><span><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.virtualServerDisplayName}</strong>. You can revoke access at any time.</span></p>`:N`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${WS}</span><span>Authorization continues automatically once every required service is connected.</span></p>`,l=r.length>0?N`<span class="section-label__count">(${r.length})</span>`:Te;return sr(N`<!doctype html><html lang="en"><head><meta charset="utf-8"><title>Authorize MCP access · ${e.virtualServerDisplayName}</title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="referrer" content="no-referrer"><meta name="robots" content="noindex"><style>${G$}</style></head><body><header class="topbar"><div class="topbar__inner"><div class="brand"><span class="brand__mark" aria-hidden="true">Z</span><span class="brand__name">Zuplo MCP Gateway</span></div>${n}</div></header><main class="shell-main"><div class="static-top"><div class="static-top__inner"><section class="hero"><h1 class="hero__title">Authorize access</h1><p class="hero__connection"><span class="hero__client">${e.clientDisplayName}</span><span class="hero__arrow" aria-label="will access">→</span><span class="hero__server">${i}${e.virtualServerDisplayName}</span></p>${a}</section>${s}</div></div><section class="upstream-region" aria-labelledby="upstreams-heading"><div class="upstream-region__head"><h2 id="upstreams-heading" class="section-label">Upstream services${l}</h2></div><div class="upstream-region__scroll"><div class="upstream-region__scroll-inner">${u}</div></div></section></main><div class="action-bar" role="region" aria-label="Authorization decision"><div class="action-bar__inner">${p}${d}</div></div></body></html>`)}o(qp,"renderConsentPage");function B$(e){try{return new URL(e).host}catch{return}}o(B$,"safeUrlHost");function F$(e){if(e.mode==="user_oauth"||e.mode==="shared-oauth")return e.oauth.scopes}o(F$,"readOAuthScopes");function Lp(e){return e!==void 0&&e.length>0}o(Lp,"hasItems");function V$(e){let t=e.registeredConnection.config.serverInfo?.icons;if(Lp(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&Lp(r)?r:void 0}o(V$,"readServerIcons");async function K$(e){if(!(e.returnTo===void 0||!e.isUserOwned))return Zl({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(K$,"readConnectUrl");function ln(e,t){return t===void 0?{}:{[e]:t}}o(ln,"optionalRequirementField");function Z$(e){return e.isUserOwned?A_(e.connection):{connected:!0,status:"active"}}o(Z$,"readSetupConnectionStatus");function W$(e){let t=F$(e);return Lp(t)?t:void 0}o(W$,"readScopesRequested");function J$(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(J$,"readUpdatedAt");function Y$(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(as),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(is),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(ss)}}o(Y$,"readVirtualServerCapabilities");async function X$(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=As(r),u=s==="user",d=Z$({connection:e.connection,isUserOwned:u}),p=await K$({...e,connected:d.connected,isUserOwned:u});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:Y$({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...ln("description",n.description),...ln("transportHost",B$(n.transport.baseUrl)),...ln("scopesRequested",W$(t)),...ln("serverIcons",V$({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...ln("connectUrl",p),...ln("updatedAt",J$({connectionStatus:d,isUserOwned:u})),...ln("expiresAt",e.connection?.expiresAt)}}o(X$,"buildSetupRequirement");function QS(e){let t=yt().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(QS,"requireVirtualServer");async function jp(e){let t=QS(e.transaction.virtualServerId),r=kr(e.transaction.principal.subjectId),n=[],a=new Map;for(let u of t.connections)As(u.authMode)==="user"&&(a.set(u,n.length),n.push({owner:r,upstreamServerId:u.upstreamServerId,authProfileId:u.authProfileId}));let i=await V().upstreamConnectionRepository.batchGet(n),s=[];for(let u of t.connections){let d=As(u.authMode)==="user",p=a.get(u);s.push(await X$({connection:d&&p!==void 0?i[p]:void 0,registeredConnection:u,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(jp,"requirementsForSetup");function Q$(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(Q$,"readVirtualServerDisplayName");async function Hp(e){let t=e.repository??V().downstreamOAuthRepository,r=QS(e.transaction.virtualServerId),n=Q$({virtualServer:r}),a=await t.getDcrClient(e.transaction.clientId),i={gatewayOrigin:de(e.requestUrl),virtualServerDisplayName:n,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=r.serverInfo?.title;return s!==void 0&&s!==n&&(i.virtualServerDescription=s),i}o(Hp,"consentContext");function ev(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(ev,"hasUnresolvedUserUpstream");var eD=["mcp_user"],tD="dev-browser-user",rD=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),nD=c.object({response_type:c.literal("code"),client_id:c.string().min(1),redirect_uri:c.string().min(1),resource:c.url(),code_challenge:c.string().min(43),code_challenge_method:Hn,state:c.string().min(1).optional(),scope:c.literal(ve).default(ve)}),oD=c.enum(["continue","approve","cancel"]).default("continue"),aD=c.object({state:c.string().min(1),decision:oD}),iD=c.object({state:c.string().min(1),apiKey:c.string().min(1)}),pn=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function tv(e){return typeof e=="string"&&e.length>0?e:void 0}o(tv,"readQueryString");function sD(e,t){let r=tv(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new D("invalid_target",rD)}let n=Qr(t,e.url);if(r===void 0||r===n)return n;throw new D("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(sD,"requireAuthorizeResource");async function cD(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await Ys(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=RS(e);return{principal:i,setCookie:await $a({principal:i,requestUrl:e.url,virtualServerId:t})}}o(cD,"resolveBrowserPrincipal");async function uD(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await Ys(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(uD,"requireSetupPrincipal");async function rv(e){let t=await jp({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await Hp({transaction:e.transaction,requestUrl:e.requestUrl,...e.repository===void 0?{}:{repository:e.repository}}),n={kind:"setup_page",html:qp({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(rv,"renderSetup");function dD(e){return typeof e.decideAuthorizationSetup=="function"}o(dD,"usesRuntimeHttpAuthorizationOperations");function lD(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;if(t==="private_key_jwt")throw new D("invalid_client","OAuth client authentication method is not supported.");return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o(lD,"toAuthorizationTransactionClient");async function Gp(e,t={}){let r=nD.parse({...e.query,resource:sD(e,t.virtualServerId),state:tv(e.query.state)}),n=dn(r.scope);ao(r.redirect_uri);let a=V().downstreamOAuthRepository,i=new Date,s=ye.parse(r.client_id),u=dD(a)&&s.startsWith("dcr:")?void 0:await qa(a,r.client_id,i);u!==void 0&&rc(u,r.redirect_uri);let d=u===void 0,p=d?jt(e.url,r.resource):void 0;try{let l=p??jt(e.url,r.resource),m=lD(u);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:s,virtualServerId:l.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved");let f={clientId:u?.clientId??s,...m===void 0?{}:{client:m},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:l.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:_,setCookie:w}=await cD(e,l.virtualServerId,t.context);if(!_){let S=await qS({transaction:f,requestUrl:e.url,now:i,repository:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:s,virtualServerId:l.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let v={kind:"redirect",location:S.browserLoginUrl};return w!==void 0&&(v.setCookie=w),v}let y=await LS({transaction:f,principal:_,now:i,repository:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:s,virtualServerId:l.virtualServerId,subjectId:_.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),rv({transaction:y.transaction,csrfToken:y.csrfToken,requestUrl:e.url,repository:a,setCookie:w})}catch(l){throw d?l:pD({redirectUri:r.redirect_uri,clientState:r.state,cause:l})}}o(Gp,"authorizeDownstreamClient");function pD(e){if(e.cause instanceof pn)return e.cause;let t=mD(e.cause);return t?new pn({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(pD,"toDownstreamAuthorizeRedirectError");function mD(e){if(e instanceof D)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof c.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o(mD,"mapToOAuthRedirectError");async function nv(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let l=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...l===void 0?{}:{idpErrorDescription:l},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",l??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await tc(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await CS(i),u=V().downstreamOAuthRepository,d=await Up({browserLoginStateToken:n,principal:s,repository:u}),p=await rv({transaction:d.transaction,csrfToken:d.csrfToken,requestUrl:e.url,repository:u});return p.setCookie=await $a({principal:s,requestUrl:e.url,virtualServerId:d.transaction.virtualServerId}),p}o(nv,"completeBrowserLoginCallback");async function ov(e){let t=Ee(),r=new URL(e.url);if(!Ve(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",de(e.url)),i=new URL(de(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:ie.parse(tD),roles:eD};return{kind:"redirect",location:a,setCookie:await $a({principal:s,requestUrl:e.url})}}o(ov,"completeLocalDevBrowserLogin");async function av(e){let t=iD.parse(e.body),r=V().downstreamOAuthRepository,n=await jS({browserLoginStateToken:t.state,repository:r}),a=await bS({apiKey:t.apiKey,virtualServerId:n.virtualServerId}),i=await Up({browserLoginStateToken:t.state,principal:a,repository:r});await Nw({apiKey:t.apiKey,principal:a,virtualServerId:i.transaction.virtualServerId});let s=new URL("/oauth/setup",At(e.request.url));return s.searchParams.set("state",i.csrfToken),{kind:"redirect",location:s,setCookie:await $a({principal:a,requestUrl:e.request.url,virtualServerId:i.transaction.virtualServerId})}}o(av,"completeApiKeyBrowserLogin");function hD(e){let t=e.method==="POST"?e.body:e.query;return aD.parse(t)}o(hD,"readSetupContinueRequest");async function iv(e){let{state:t,decision:r}=hD({method:e.request.method,query:e.request.query,body:e.body}),n=V().downstreamOAuthRepository,a=new Date,i=await Np({csrfToken:t,now:a,repository:n}),s=await uD(e.request,i.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await FS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})};let u=await Ma({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n}),d=await jp({transaction:u,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||ev(d)){let p=await Hp({repository:n,transaction:u,requestUrl:e.request.url});return{kind:"setup_page",html:qp({state:t,virtualServerId:u.virtualServerId,upstreams:d,...p})}}return{kind:"redirect",location:await BS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})}}o(iv,"continueDownstreamAuthorizeSetup");ae();var fD=new Set(["authorization_code","refresh_token"]),gD=c.discriminatedUnion("grant_type",[c.object({grant_type:c.literal("authorization_code"),code:c.string().min(1),redirect_uri:c.string().min(1),client_id:c.string().min(1).optional(),code_verifier:ls,resource:c.url().optional(),scope:c.literal(ve).optional(),client_secret:c.string().min(1).optional()}),c.object({grant_type:c.literal("refresh_token"),refresh_token:c.string().min(1),client_id:c.string().min(1).optional(),resource:c.url().optional(),scope:c.literal(ve).optional(),client_secret:c.string().min(1).optional()})]);function _D(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!fD.has(t)))throw new D("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(_D,"assertSupportedGrantType");var yD=c.object({token:c.string().min(1),client_id:c.string().min(1).optional(),token_type_hint:c.string().optional(),client_secret:c.string().min(1).optional()});function cv(){return Ee().gateway.accessTokenTtlSeconds}o(cv,"readAccessTokenTtlSeconds");function uv(){return Ee().gateway.refreshTokenTtlSeconds}o(uv,"readRefreshTokenTtlSeconds");async function sv(e){if(!e.client.hashedClientSecret||!e.clientSecret||e.clientSecretSource!==e.requiredSource)throw new D("invalid_client",e.missingMessage);if(!await l_({value:e.clientSecret,expectedHash:e.client.hashedClientSecret}))throw new D("invalid_client","Client authentication failed.")}o(sv,"requireClientSecretAuthentication");async function dv(e){switch(e.client.metadata.token_endpoint_auth_method){case"none":if(e.clientSecret)throw new D("invalid_request","Public clients must not authenticate with client_secret.");return;case"client_secret_basic":await sv({...e,requiredSource:"basic",missingMessage:"Client authentication with HTTP Basic is required."});return;case"client_secret_post":await sv({...e,requiredSource:"post",missingMessage:"Client authentication with client_secret_post is required."});return;case"private_key_jwt":throw new D("invalid_client","private_key_jwt client authentication is not supported.")}}o(dv,"requireClientAuthentication");function Bp(e,t){let r=cv(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:z(Tt(e,a)),expiresIn:a}}o(Bp,"calculateAccessTokenExpiresAt");async function wD(e){let t=nt(),r=await ee(t),n=Bp(e.now,e.grant.expiresAt);return await e.repository.saveAccessToken({tokenHash:r,grantId:e.grant.id,clientId:e.grant.clientId,resource:e.grant.resource,virtualServerId:e.grant.virtualServerId,subjectId:e.grant.subjectId,scope:e.grant.scope,roles:e.grant.roles,createdAt:z(e.now),expiresAt:n.expiresAt}),{accessToken:t,expiresIn:n.expiresIn}}o(wD,"issueOpaqueAccessToken");function lv(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new D("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new D("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new D("invalid_client","Malformed HTTP Basic client authentication.")}}o(lv,"readBasicClientSecret");function pv(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new D("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new D("invalid_client","Client authentication or client_id is required.");return t}o(pv,"resolveAuthenticatedClientId");function mv(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new D("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(mv,"resolveClientSecretInput");function hv(e){return typeof e.exchangeAuthorizationCodeWithClientAuth=="function"&&typeof e.refreshTokenWithClientAuth=="function"&&typeof e.revokeOAuthTokenWithClientAuth=="function"}o(hv,"usesRuntimeHttpTokenOperations");async function fv(e){let t=ye.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await ee(e.clientSecret)}}o(fv,"buildRuntimeHttpClientAuth");async function gv(e){_D(e.body);let t=gD.parse(e.body),r=lv(e.authorizationHeader),n=pv({basicClientId:r.clientId,bodyClientId:t.client_id}),a=V().downstreamOAuthRepository,i=new Date,s=mv({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(hv(a))return SD({parsed:t,clientId:n,clientSecretInput:s,now:i,repository:a,requestUrl:e.requestUrl});let u=await qa(a,n,i);if(await dv({client:u,...s}),t.grant_type==="authorization_code"){ao(t.redirect_uri),rc(u,t.redirect_uri),dn(t.scope),t.resource!==void 0&&jt(e.requestUrl??t.resource,t.resource);let w=nt(),y=nt(),S=z(Tt(i,uv())),v=Bp(i,S),R=await a.exchangeAuthorizationCode({codeHash:await ee(t.code),clientId:u.clientId,redirectUri:t.redirect_uri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:await Rl(t.code_verifier),currentRefreshTokenHash:await ee(w),accessTokenHash:await ee(y),now:i,grantExpiresAt:S,accessTokenExpiresAt:v.expiresAt});if(R.kind==="resource_mismatch")throw new D("invalid_target","Token request resource must match the authorization code resource.");if(R.kind!=="exchanged")throw new D("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context?.log.info({event:"oauth_token_issued",grantType:"authorization_code",clientId:u.clientId,scope:R.grant.scope,resource:R.grant.resource,expiresInSeconds:v.expiresIn},"OAuth access token issued (authorization_code grant)"),{access_token:y,token_type:"Bearer",expires_in:v.expiresIn,refresh_token:w,scope:R.grant.scope,resource:R.grant.resource}}dn(t.scope);let d=await ee(t.refresh_token);t.resource!==void 0&&jt(e.requestUrl??t.resource,t.resource);let p=nt(),l=await ee(p),m=await a.rotateRefreshToken({currentTokenHash:d,nextTokenHash:l,clientId:u.clientId,...t.resource===void 0?{}:{resource:t.resource},now:i});if(m.kind==="resource_mismatch")throw new D("invalid_target","Token request resource must match the refresh token grant resource.");if(m.kind!=="rotated")throw new D("invalid_grant","Refresh token is invalid, expired, or revoked.");let f=m.grant;if(f.revokedAt||f.clientId!==u.clientId)throw new D("invalid_grant","Refresh token grant is invalid or revoked.");jt(e.requestUrl??f.resource,f.resource);let _=await wD({repository:a,grant:f,now:i});return e.context?.log.info({event:"oauth_token_refresh_rotated",grantType:"refresh_token",clientId:u.clientId,scope:f.scope,resource:f.resource,expiresInSeconds:_.expiresIn},"OAuth refresh token rotated and access token issued"),{access_token:_.accessToken,token_type:"Bearer",expires_in:_.expiresIn,refresh_token:p,scope:f.scope,resource:f.resource}}o(gv,"exchangeDownstreamToken");async function SD(e){let t=await fv({clientId:e.clientId,...e.clientSecretInput});if(e.parsed.grant_type==="authorization_code"){ao(e.parsed.redirect_uri),dn(e.parsed.scope),e.parsed.resource!==void 0&&jt(e.requestUrl??e.parsed.resource,e.parsed.resource);let u=nt(),d=nt(),p=z(Tt(e.now,uv())),l=Bp(e.now,p),m=await e.repository.exchangeAuthorizationCodeWithClientAuth({clientAuth:t,codeHash:await ee(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await Rl(e.parsed.code_verifier),currentRefreshTokenHash:await ee(u),accessTokenHash:await ee(d),grantExpiresAt:p,accessTokenExpiresAt:l.expiresAt,now:z(e.now)});if(m.kind==="invalid_client")throw new D("invalid_client","Client authentication failed.");if(m.kind==="resource_mismatch")throw new D("invalid_target","Token request resource must match the authorization code resource.");if(m.kind!=="exchanged")throw new D("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return{access_token:d,token_type:"Bearer",expires_in:l.expiresIn,refresh_token:u,scope:m.grant.scope,resource:m.grant.resource}}dn(e.parsed.scope),e.parsed.resource!==void 0&&jt(e.requestUrl??e.parsed.resource,e.parsed.resource);let r=nt(),n=nt(),a=z(Tt(e.now,cv())),i=await e.repository.refreshTokenWithClientAuth({clientAuth:t,currentRefreshTokenHash:await ee(e.parsed.refresh_token),nextRefreshTokenHash:await ee(r),accessTokenHash:await ee(n),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:a,now:z(e.now)});if(i.kind==="invalid_client")throw new D("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new D("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new D("invalid_grant","Refresh token is invalid, expired, or revoked.");jt(e.requestUrl??i.grant.resource,i.grant.resource);let s=i.accessToken.expiresAt;return{access_token:n,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:i.grant.scope,resource:i.grant.resource}}o(SD,"exchangeDownstreamTokenWithRuntimeHttp");async function _v(e){let t=yD.parse(e.body),r=lv(e.authorizationHeader),n=pv({basicClientId:r.clientId,bodyClientId:t.client_id}),a=V().downstreamOAuthRepository,i=mv({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(hv(a)){let d=new Date;if((await a.revokeOAuthTokenWithClientAuth({clientAuth:await fv({clientId:n,...i}),tokenHash:await ee(t.token),now:z(d)})).kind==="invalid_client")throw new D("invalid_client","Client authentication failed.");return}let s=await qa(a,n,new Date);await dv({client:s,...i});let u=await ee(t.token);await a.revokeOAuthToken({tokenHash:u,clientId:s.clientId,now:new Date}),e.context?.log.info({event:"oauth_token_revoked",clientId:s.clientId,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed")}o(_v,"revokeDownstreamToken");var vD=64*1024,RD=16*1024,bD="text/html; charset=utf-8";function CD(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(CD,"formDataToObject");async function ID(e){return lS(e,{maxBytes:vD,label:"Request body"})}o(ID,"readJsonBody");async function ac(e){return CD(await Js(e,{maxBytes:RD,label:"Request body"}))}o(ac,"readFormBody");async function ic(e,t,r){let n=_e(r),a=r instanceof c.ZodError?yv(r):r instanceof Error?r.message:void 0,i={code:n??"invalid_request"};return a!==void 0&&(i.detail=a),_t(e,t,i)}o(ic,"handleProblem");function La(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(La,"oauthErrorResponse");function TD(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(TD,"readOAuthProtocolHeaders");function AD(e,t){let r=rt("internal_server_error");return La({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:TD(e,t)})}o(AD,"oauthProtocolErrorResponse");function kD(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(kD,"readZodOAuthErrorCode");function ED(e){let t={error:kD(e)},r=yv(e);return r!==void 0&&(t.errorDescription=r),La(t)}o(ED,"oauthZodErrorResponse");function xD(e){let t=_e(e);if(t===void 0)return;let r=rt(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:OD(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,La(n)}o(xD,"oauthGatewayProblemResponse");function PD(){let t={error:"server_error",status:500,errorDescription:rt("internal_server_error").publicDetail};return La(t)}o(PD,"oauthFallbackErrorResponse");function OD(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(OD,"readOAuthStatus");function io(e,t={}){return e instanceof pn?UD(e):e instanceof D?AD(e,t):e instanceof c.ZodError?ED(e):xD(e)??PD()}o(io,"oauthProblemResponse");function Ht(e,t,r){let n={event:t},a=!1;if(r instanceof D)n.oauthError=r.errorCode,n.status=r.status,ze(n,"error",r);else if(r instanceof pn)n.oauthError=r.errorCode,ze(n,"error",r);else if(r instanceof c.ZodError){n.code="invalid_request",ze(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=_e(r);if(i!==void 0){let s=rt(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",ze(n,"error",r)}else a=!0,ze(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(Ht,"logUnexpectedOAuthHandlerError");function UD(e){let t;try{t=new URL(e.redirectUri)}catch{return La({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(UD,"downstreamAuthorizeRedirectErrorResponse");function yv(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(yv,"formatZodErrorDetail");function ND(e,t){let r={event:"browser_login_callback_failed",code:_e(t)??"invalid_request"};ze(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(ND,"logBrowserLoginCallbackFailure");function Fp(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(Fp,"redirectResultResponse");function sc(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":bD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Fp(e)}o(sc,"authorizeResultResponse");async function wv(e,t){try{return Response.json(Sl(e.url))}catch(r){return Ht(t,"oauth_authorization_server_metadata_failed",r),ic(e,t,r)}}o(wv,"authorizationServerMetadataHandler");async function Sv(e,t){try{let r=Se.parse(e.params.virtualServerId),n=oa(r);return Response.json(s_({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return Ht(t,"oauth_authorization_server_metadata_failed",r),ic(e,t,r)}}o(Sv,"scopedAuthorizationServerMetadataHandler");async function vv(e,t){try{let r=await KS(await ID(e)),n=r;return t.log.info({event:"oauth_dcr_client_registered",clientId:typeof n.client_id=="string"?n.client_id:void 0,clientName:typeof n.client_name=="string"?n.client_name:void 0,redirectUriCount:Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,tokenEndpointAuthMethod:typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0},"OAuth Dynamic Client Registration completed"),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Ht(t,"oauth_register_failed",r),io(r)}}o(vv,"registerHandler");async function Rv(e,t){try{return sc(await Gp(e,{context:t}))}catch(r){return Ht(t,"oauth_authorize_failed",r),io(r,{includeInvalidClientChallenge:!1})}}o(Rv,"authorizeHandler");async function bv(e,t){try{let r=Se.parse(e.params.virtualServerId),n=oa(r);return sc(await Gp(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return Ht(t,"oauth_authorize_scoped_failed",r),io(r,{includeInvalidClientChallenge:!1})}}o(bv,"scopedAuthorizeHandler");async function Cv(e,t){try{let r=await nv(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),sc(r)}catch(r){return ND(t,r),ic(e,t,r)}}o(Cv,"callbackHandler");async function Iv(e,t){try{return Fp(await ov(e))}catch(r){return Ht(t,"oauth_dev_login_failed",r),io(r)}}o(Iv,"devLoginHandler");async function Tv(e,t){try{if(e.method==="GET"){let r=typeof e.query.state=="string"?e.query.state:void 0;return r?fS(r):kp(400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):Fp(await av({request:e,body:await ac(e)}))}catch(r){return Ht(t,"oauth_api_key_login_failed",r),kp()}}o(Tv,"apiKeyLoginHandler");async function Av(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await iv({request:e,body:e.method==="POST"?await ac(e):void 0,context:t});return sc(r)}catch(r){return Ht(t,"oauth_setup_failed",r),ic(e,t,r)}}o(Av,"setupHandler");async function kv(e,t){try{return Response.json(await gv({body:await ac(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Ht(t,"oauth_token_failed",r),io(r)}}o(kv,"tokenHandler");async function Ev(e,t){try{return await _v({body:await ac(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Ht(t,"oauth_revoke_failed",r),io(r)}}o(Ev,"revokeHandler");var zD={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},xv=new Vt("upstream-request");function $D(e){let t=xv.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o($D,"readUpstreamRequestContext");function DD(e,t){return t.some(r=>r===e)}o(DD,"requestContextMatchesKind");function MD(e){return typeof e=="string"?[e]:e}o(MD,"toExpectedKinds");function mn(e,t){xv.set(e,t)}o(mn,"setUpstreamRequestContext");function hn(e,t){let r=$D(e),n=MD(t);if(!DD(r.kind,n)){let a=zD[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(hn,"requireUpstreamRequestContext");var qD="text/html; charset=utf-8",LD="none";function Pv(e){return N`<!doctype html><html><head><title>${e.title}</title><meta name="viewport" content="width=device-width, initial-scale=1"></head><body data-gateway-error-code="${e.code??LD}"><main><h1>${e.title}</h1><p>${e.body}</p></main></body></html>`}o(Pv,"browserResultHtml");function Ov(e,t=200){return new Response(sr(e),{status:t,headers:{"content-type":qD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(Ov,"browserResultResponse");function cc(e){return Ov(Pv(e))}o(cc,"browserConnectionSuccessResponse");function so(e){let t=Ig(e);return Ov(Pv({title:t.title,body:t.body,code:e}),400)}o(so,"browserConnectionFailureResponse");var jD="text/html; charset=utf-8",HD=16*1024;function GD(e,t=200){return new Response(sr(e),{status:t,headers:{"content-type":jD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(GD,"htmlResponse");function BD(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(BD,"safeRedirect");function FD(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(FD,"requireBrowserTicket");function VD(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(VD,"appPasswordTicketMatchesTarget");async function Uv(e){let t=FD(e.browserTicket),r=await Os(t);if(!VD(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(Uv,"readAppPasswordTarget");function KD(e){let t=ep(e.upstreamServerId,e.authProfileId),r=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,n=t.kind==="basic_auth_app_password"?N`<label for="username">${t.usernameLabel}</label><input id="username" name="username" required autocomplete="username"><label for="appPassword">${t.passwordLabel}</label><input id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:N`<label for="token">${t.label}</label><input id="token" name="token" type="password" required autocomplete="off">`;return GD(N`<!doctype html><html><head><title>Connect upstream</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;margin:0;padding:32px;background:#f8fafc;color:#0f172a}main{max-width:440px;margin:0 auto;background:white;border:1px solid #dbe3ee;border-radius:8px;padding:24px;box-shadow:0 1px 2px rgba(15,23,42,.06)}label{display:block;font-size:14px;font-weight:600;margin:16px 0 6px}input{box-sizing:border-box;width:100%;border:1px solid #b8c3d4;border-radius:6px;padding:10px 12px;font:inherit}button{margin-top:20px;border:0;border-radius:6px;background:#0f172a;color:white;padding:10px 14px;font:inherit;font-weight:600;cursor:pointer}p{color:#475569;line-height:1.5}</style></head><body><main><h1>Connect upstream</h1><p>Enter the per-user credential for this approved upstream. The gateway stores it encrypted and keeps it out of MCP client configuration.</p><form method="post" action="${r}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}">${n}<button type="submit">Connect</button></form></main></body></html>`)}o(KD,"renderCaptureForm");function uc(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(uc,"readRequiredFormValue");function ZD(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(ZD,"readCaptureFormTargetInput");async function WD(e){return KD(await Uv(ZD(e)))}o(WD,"handleCaptureFormRequest");async function JD(e){let t=await Js(e.request,{maxBytes:HD,label:"App password request body"});return{form:t,target:await Uv({upstreamServerId:e.upstreamServerId,browserTicket:uc(t,"browserTicket")})}}o(JD,"readSubmittedAppPasswordTarget");async function YD(e){let t=Vn(e.target.ticket);if(await Us(e.target.ticket),ep(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await Ns({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:uc(e.form,"token")});return}await Xy({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:uc(e.form,"username"),appPassword:uc(e.form,"appPassword")})}o(YD,"saveSubmittedAppPasswordCredential");function XD(e,t){return t.ticket.returnTo?BD(e,t.ticket.returnTo):cc({title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(XD,"appPasswordSuccessResponse");async function QD(e){let t=await JD({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await YD(t),XD(e.request.url,t.target)}o(QD,"handleAppPasswordSubmission");function eM(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(eM,"methodNotAllowedResponse");function tM(e){let t=_e(e);return so(Yi(t)?t:"oauth_state_invalid")}o(tM,"appPasswordFailureResponse");async function rM(e){switch(e.request.method){case"GET":return WD(e.appPasswordRequest);case"POST":return QD(e);default:return eM()}}o(rM,"handleAppPasswordMethod");async function Vp(e,t){let r=hn(t,"app_password");try{return await rM({request:e,appPasswordRequest:r})}catch(n){return tM(n)}}o(Vp,"appPasswordHandler");var nM=["callback_authorization_code","callback_provider_error","callback_invalid"];function oM(e){return"cause"in e?e.cause:void 0}o(oM,"readErrorCause");function aM(e){return e.stack?.split(`
+`).slice(1,4).map(t=>t.trim()).join(" | ")}o(aM,"readFirstStackFrame");function Nv(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=aM(r))}o(Nv,"addErrorAttributes");function iM(e,t){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),ot(e,{eventType:J.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),so("provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),so("oauth_state_invalid");case"callback_authorization_code":return t}}o(iM,"requireAuthorizationCallbackRequest");function sM(e,t){ot(e,{eventType:J.MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(sM,"emitCallbackReceivedAnalyticsEvent");function cM(e,t){ot(e,{eventType:J.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o(cM,"emitTokenExchangeSucceededAnalyticsEvent");function uM(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return cc({title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(uM,"buildSuccessfulCallbackResponse");function dM(e){let t={detail:e instanceof Error?e.message:void 0};return Nv(t,"error",e),e instanceof Error&&Nv(t,"cause",oM(e)),t}o(dM,"buildTokenExchangeFailureAttributes");function lM(e){ot(e.context,{eventType:J.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:_e(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:dM(e.error)})}o(lM,"emitTokenExchangeFailedAnalyticsEvent");function pM(e){let t=_e(e);return so(Yi(t)?t:"upstream_token_exchange_failed")}o(pM,"tokenExchangeFailureResponse");async function Kp(e,t){let r=hn(t,nM),n=iM(t,r);if(n instanceof Response)return n;sM(t,n);try{let a=await $w({request:e,callbackRequest:n});return cM(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,virtualServerId:a.virtualServerId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),uM(e,a)}catch(a){let i={event:"upstream_oauth_token_exchange_failed",code:_e(a)??"upstream_token_exchange_failed",upstreamServerId:n.upstreamServerId};return ze(i,"error",a),t.log.warn(i,"Upstream OAuth token exchange failed; user shown connection-failure page"),lM({context:t,callbackRequest:n,error:a}),pM(a)}}o(Kp,"callbackHandler");function mM(e){let t=_e(e);return t==="unknown_upstream_server"?t:"not_found"}o(mM,"clientMetadataProblemCode");function hM(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(hM,"clientMetadataProblemDetail");async function zv(e,t){let r=hn(t,"connect"),n=await zw({request:e,connectRequest:r});if(ot(t,{eventType:J.MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await Wn({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(zv,"connectHandler");async function $v(e,t){let r=hn(t,"client_metadata");try{let n=Sw(e.url),a=vw(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=mM(n),i=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),_t(e,t,{code:a,detail:hM(n)})}}o($v,"oauthClientMetadataHandler");function cr(e){if(typeof e=="string"&&e.length!==0)return e}o(cr,"readOptionalQueryString");function fM(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(fM,"requirePathString");function Dv(e){let t=cr(e);return t?Se.parse(t):void 0}o(Dv,"readOptionalVirtualServerId");function gM(e,t){let r=cr(e);return r?De.parse(r):Ln(t,"user_oauth")}o(gM,"readOptionalAuthProfileId");function _M(e){let t=Dv(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(_M,"readRequiredVirtualServerId");function yM(e){let t=cr(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(yM,"readOptionalBrowserTicket");function wM(e){let t=vs(cr(e));return t===void 0?{}:{returnTo:t}}o(wM,"readOptionalReturnTo");function SM(e){let t=Dv(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(SM,"readOptionalVirtualServerIdContext");function vM(e){let t=cr(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(vM,"readOptionalProviderErrorDescription");function RM(e){let t=Mt(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(RM,"requireConnectableRouteAuth");function bM(e,t,r,n){let a=Ws(e,t);if(a.ownerMode==="none"||a.authMode==="shared-secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(bM,"buildConnectContextForPrincipal");function CM(e,t,r){let n=Vn(t),a=Mt(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(CM,"buildConnectContextForTicket");async function IM(e,t){let r=RM(sS(t,_M(e.query.virtualServerId))),n=e.query.redirect==="true",a=cr(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let s=Bn(e.user,e.url);return bM(r,s,n,wM(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let i=await Os(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await Us(i),CM(r,i,n)}o(IM,"resolveConnectContext");async function TM(e,t,r){let n=$e.parse(fM(e,"connection"));switch(r){case"connect":mn(t,await IM(e,n));return;case"app_password":mn(t,{kind:"app_password",upstreamServerId:n,...SM(e),...yM(e)});return;case"callback":{let a=cr(e.query.error);if(a){mn(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...vM(e)});return}let i=cr(e.query.code),s=cr(e.query.state);if(i&&s){mn(t,{kind:"callback_authorization_code",upstreamServerId:n,code:i,state:s});return}mn(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":mn(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:gM(e.query.authProfileId,n)});return}}o(TM,"resolveUpstreamRequestInbound");async function AM(e,t,r){try{await TM(e,t,r);return}catch(n){let a=_e(n);if(!a)throw n;let i=n instanceof Error?n.message:void 0;return _t(e,t,{code:a,...i===void 0?{}:{detail:i}})}}o(AM,"applyUpstreamRequestContext");function ja(e,t){return o(async(n,a)=>{let i=await AM(n,a,e);return i||t(n,a)},"wrapped")}o(ja,"withUpstreamRequestContext");var kM={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function EM(){return new Response(null,{status:204,headers:kM})}o(EM,"buildWellKnownPreflightResponse");function xM(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(xM,"withWellKnownCorsHeaders");function Zp(e){return async(t,r)=>t.method==="OPTIONS"?EM():xM(await e(t,r))}o(Zp,"wrapWellKnownHandler");var PM=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Zp(wv)},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:Zp(Sv)},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:Zp(c_)},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:vv},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Rv},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:bv},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Cv},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Iv},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:Tv},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:Av},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:kv},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:Ev},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ja("client_metadata",$v)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ja("connect",zv)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ja("callback",Kp)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:ja("app_password",Vp)}];function Mv(e){if(e)return e.find(t=>rs(t.policyType))}o(Mv,"findMcpOAuthPolicy");function qv(e){return Mv(e)!==void 0}o(qv,"shouldRegisterMcpGatewayInternalRoutes");function OM(e){let t=Xd(e.policyType);if(!t){let r=Qd();throw new Ft(`MCP gateway: unknown MCP authorization policy type '${String(e.policyType)}'. Registered policy types: ${r.length>0?r.join(", "):"<none>"}.`)}try{return t.getConfig(e.handler.options)}catch(r){throw r instanceof c.ZodError?new Ft(UM(e.name??e.policyType,r),{cause:r}):r}}o(OM,"resolveOAuthConfigFromPolicy");function UM(e,t){let r=t.issues.map(n=>`  - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
 `);return`MCP OAuth policy "${e}" is misconfigured. Missing/invalid options:
-${r}`}o(dM,"formatPolicyConfigError");function Kw(e){let t=Fw(e.policies);if(!t){let r=_d(),n=r.length>0?`Add one of [${r.map(a=>`\`${a}\``).join(", ")}] and reference it on your MCP routes.`:"Register an MCP authorization policy descriptor and reference it on your MCP routes.";throw new Ot(`MCP gateway: could not find an MCP authorization policy in policies.json. ${n}`)}fg(uM(t)),Jf(Wf({routes:e.routes,policies:e.policies}))}o(Kw,"initializeMcpGatewayState");function lM(e,t){return async(r,n)=>{let a=n,i=r.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:r.method},`MCP gateway: ${e} received`);try{let u=await t(r,n);return i||a.log.info({event:`${e}_responded`,status:u.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),u}catch(u){let d={event:`${e}_threw`,durationMs:Date.now()-s};throw Ae(d,"err",u),a.log.error(d,`MCP gateway: ${e} threw`),u}}}o(lM,"wrapInternalHandler");function Ww(e){for(let t of cM){let r=lM(t.routeName,t.handler),n=o((a,i)=>r(a,i),"handler");e.addPluginRoute({path:t.path,methods:t.methods,handler:n,processors:[zs],corsPolicy:"none"})}}o(Ww,"registerMcpGatewayInternalRoutes");var pp=class extends yp{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;r&&Zw(r.policies)&&(Kw({routes:r.routes,policies:r.policies}),Ww(t.router))}};export{H0 as McpAuth0OAuthInboundPolicy,pp as McpGatewayPlugin,V0 as McpOAuthInboundPolicy,W0 as McpUpstreamConnectionInboundPolicy,O0 as McpVirtualServerHandler};
+${r}`}o(UM,"formatPolicyConfigError");function Lv(e){let t=Mv(e.policies);if(!t){let r=Qd(),n=r.length>0?`Add one of [${r.map(a=>`\`${a}\``).join(", ")}] and reference it on your MCP routes.`:"Register an MCP authorization policy descriptor and reference it on your MCP routes.";throw new Ft(`MCP gateway: could not find an MCP authorization policy in policies.json. ${n}`)}n_(OM(t)),Mg(Dg({routes:e.routes,policies:e.policies}))}o(Lv,"initializeMcpGatewayState");function NM(e,t){return async(r,n)=>{let a=n,i=r.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:r.method},`MCP gateway: ${e} received`);try{let u=await t(r,n);return i||a.log.info({event:`${e}_responded`,status:u.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),u}catch(u){let d={event:`${e}_threw`,durationMs:Date.now()-s};throw ze(d,"err",u),a.log.error(d,`MCP gateway: ${e} threw`),u}}}o(NM,"wrapInternalHandler");function jv(e){for(let t of PM){let r=NM(t.routeName,t.handler),n=o((a,i)=>r(a,i),"handler");e.addPluginRoute({path:t.path,methods:t.methods,handler:n,processors:[_c],corsPolicy:"none"})}}o(jv,"registerMcpGatewayInternalRoutes");var Wp=class extends im{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;r&&qv(r.policies)&&(Lv({routes:r.routes,policies:r.policies}),jv(t.router))}};export{dz as McpAuth0OAuthInboundPolicy,Wp as McpGatewayPlugin,mz as McpOAuthInboundPolicy,_z as McpUpstreamConnectionInboundPolicy,ez as McpVirtualServerHandler};
 //# sourceMappingURL=index.js.map