@zuplo/runtime 6.70.16 → 6.70.22

package/out/esm/mcp-gateway/index.js

@@ -22,1254 +22,38 @@
  *  DEALINGS IN THE SOFTWARE.
  *--------------------------------------------------------------------------------------------*/
     
-import{$ as pe,H as Sp,I as Ds,J as Yw,K as wp,L as h,M as vp,N as K,O as ee,P as Rp,Q as bp,R as he,S as b,T as C,U as Se,V as se,W as Ms,X as qs,Y as ne,Z as Xe,_ as P,a as Wt,aa as Cp,b as _p,ba as $s,ca as Ip,da as Tp,ea as c,fa as Y,j as Vn,k as yp,q as zs,z as Ut}from"../chunk-STBDRSX7.js";import{d as Ns}from"../chunk-YJ3VHQXF.js";import{a as H}from"../chunk-NJNTFB34.js";import{X as _a,Y as Ot,Z as gp,a as o,c as T,e as fp}from"../chunk-KWR5BV7H.js";var ao=T(W=>{"use strict";Object.defineProperty(W,"__esModule",{value:!0});W.regexpCode=W.getEsmExportName=W.getProperty=W.safeStringify=W.stringify=W.strConcat=W.addCodeArg=W.str=W._=W.nil=W._Code=W.Name=W.IDENTIFIER=W._CodeOrName=void 0;var no=class{static{o(this,"_CodeOrName")}};W._CodeOrName=no;W.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var Rr=class extends no{static{o(this,"Name")}constructor(t){if(super(),!W.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};W.Name=Rr;var rt=class extends no{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof Rr&&(r[n.str]=(r[n.str]||0)+1),r),{})}};W._Code=rt;W.nil=new rt("");function Bp(e,...t){let r=[e[0]],n=0;for(;n<t.length;)Sc(r,t[n]),r.push(e[++n]);return new rt(r)}o(Bp,"_");W._=Bp;var yc=new rt("+");function Vp(e,...t){let r=[oo(e[0])],n=0;for(;n<t.length;)r.push(yc),Sc(r,t[n]),r.push(yc,oo(e[++n]));return RR(r),new rt(r)}o(Vp,"str");W.str=Vp;function Sc(e,t){t instanceof rt?e.push(...t._items):t instanceof Rr?e.push(t):e.push(IR(t))}o(Sc,"addCodeArg");W.addCodeArg=Sc;function RR(e){let t=1;for(;t<e.length-1;){if(e[t]===yc){let r=bR(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(RR,"optimize");function bR(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof Rr||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof Rr))return`"${e}${t.slice(1)}`}o(bR,"mergeExprItems");function CR(e,t){return t.emptyStr()?e:e.emptyStr()?t:Vp`${e}${t}`}o(CR,"strConcat");W.strConcat=CR;function IR(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:oo(Array.isArray(e)?e.join(","):e)}o(IR,"interpolate");function TR(e){return new rt(oo(e))}o(TR,"stringify");W.stringify=TR;function oo(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(oo,"safeStringify");W.safeStringify=oo;function AR(e){return typeof e=="string"&&W.IDENTIFIER.test(e)?new rt(`.${e}`):Bp`[${e}]`}o(AR,"getProperty");W.getProperty=AR;function kR(e){if(typeof e=="string"&&W.IDENTIFIER.test(e))return new rt(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(kR,"getEsmExportName");W.getEsmExportName=kR;function PR(e){return new rt(e.toString())}o(PR,"regexpCode");W.regexpCode=PR});var Rc=T(Ge=>{"use strict";Object.defineProperty(Ge,"__esModule",{value:!0});Ge.ValueScope=Ge.ValueScopeName=Ge.Scope=Ge.varKinds=Ge.UsedValueState=void 0;var He=ao(),wc=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},Ua;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(Ua||(Ge.UsedValueState=Ua={}));Ge.varKinds={const:new He.Name("const"),let:new He.Name("let"),var:new He.Name("var")};var za=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof He.Name?t:this.name(t)}name(t){return new He.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};Ge.Scope=za;var Na=class extends He.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,He._)`.${new He.Name(r)}[${n}]`}};Ge.ValueScopeName=Na;var ER=(0,He._)`\n`,vc=class extends za{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?ER:He.nil}}get(){return this._scope}name(t){return new Na(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:i}=a,s=(n=r.key)!==null&&n!==void 0?n:r.ref,u=this._values[i];if(u){let p=u.get(s);if(p)return p}else u=this._values[i]=new Map;u.set(s,a);let d=this._scope[i]||(this._scope[i]=[]),l=d.length;return d[l]=r.ref,a.setValue(r,{property:i,itemIndex:l}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,He._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let i=He.nil;for(let s in t){let u=t[s];if(!u)continue;let d=n[s]=n[s]||new Map;u.forEach(l=>{if(d.has(l))return;d.set(l,Ua.Started);let p=r(l);if(p){let m=this.opts.es5?Ge.varKinds.var:Ge.varKinds.const;i=(0,He._)`${i}${m} ${l} = ${p};${this.opts._n}`}else if(p=a?.(l))i=(0,He._)`${i}${p}${this.opts._n}`;else throw new wc(l);d.set(l,Ua.Completed)})}return i}};Ge.ValueScope=vc});var L=T(j=>{"use strict";Object.defineProperty(j,"__esModule",{value:!0});j.or=j.and=j.not=j.CodeGen=j.operators=j.varKinds=j.ValueScopeName=j.ValueScope=j.Scope=j.Name=j.regexpCode=j.stringify=j.getProperty=j.nil=j.strConcat=j.str=j._=void 0;var B=ao(),dt=Rc(),or=ao();Object.defineProperty(j,"_",{enumerable:!0,get:o(function(){return or._},"get")});Object.defineProperty(j,"str",{enumerable:!0,get:o(function(){return or.str},"get")});Object.defineProperty(j,"strConcat",{enumerable:!0,get:o(function(){return or.strConcat},"get")});Object.defineProperty(j,"nil",{enumerable:!0,get:o(function(){return or.nil},"get")});Object.defineProperty(j,"getProperty",{enumerable:!0,get:o(function(){return or.getProperty},"get")});Object.defineProperty(j,"stringify",{enumerable:!0,get:o(function(){return or.stringify},"get")});Object.defineProperty(j,"regexpCode",{enumerable:!0,get:o(function(){return or.regexpCode},"get")});Object.defineProperty(j,"Name",{enumerable:!0,get:o(function(){return or.Name},"get")});var $a=Rc();Object.defineProperty(j,"Scope",{enumerable:!0,get:o(function(){return $a.Scope},"get")});Object.defineProperty(j,"ValueScope",{enumerable:!0,get:o(function(){return $a.ValueScope},"get")});Object.defineProperty(j,"ValueScopeName",{enumerable:!0,get:o(function(){return $a.ValueScopeName},"get")});Object.defineProperty(j,"varKinds",{enumerable:!0,get:o(function(){return $a.varKinds},"get")});j.operators={GT:new B._Code(">"),GTE:new B._Code(">="),LT:new B._Code("<"),LTE:new B._Code("<="),EQ:new B._Code("==="),NEQ:new B._Code("!=="),NOT:new B._Code("!"),OR:new B._Code("||"),AND:new B._Code("&&"),ADD:new B._Code("+")};var Mt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},bc=class extends Mt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?dt.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=nn(this.rhs,t,r)),this}get names(){return this.rhs instanceof B._CodeOrName?this.rhs.names:{}}},Da=class extends Mt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof B.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=nn(this.rhs,t,r),this}get names(){let t=this.lhs instanceof B.Name?{}:{...this.lhs.names};return qa(t,this.rhs)}},Cc=class extends Da{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},Ic=class extends Mt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},Tc=class extends Mt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},Ac=class extends Mt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},kc=class extends Mt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=nn(this.code,t,r),this}get names(){return this.code instanceof B._CodeOrName?this.code.names:{}}},io=class extends Mt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let i=n[a];i.optimizeNames(t,r)||(xR(t,i.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>Ir(t,r.names),{})}},qt=class extends io{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},Pc=class extends io{static{o(this,"Root")}},rn=class extends qt{static{o(this,"Else")}};rn.kind="else";var br=class e extends qt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new rn(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(Fp(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=nn(this.condition,t,r),this}get names(){let t=super.names;return qa(t,this.condition),this.else&&Ir(t,this.else.names),t}};br.kind="if";var Cr=class extends qt{static{o(this,"For")}};Cr.kind="for";var Ec=class extends Cr{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=nn(this.iteration,t,r),this}get names(){return Ir(super.names,this.iteration.names)}},xc=class extends Cr{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?dt.varKinds.var:this.varKind,{name:n,from:a,to:i}=this;return`for(${r} ${n}=${a}; ${n}<${i}; ${n}++)`+super.render(t)}get names(){let t=qa(super.names,this.from);return qa(t,this.to)}},Ma=class extends Cr{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=nn(this.iterable,t,r),this}get names(){return Ir(super.names,this.iterable.names)}},so=class extends qt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};so.kind="func";var co=class extends io{static{o(this,"Return")}render(t){return"return "+super.render(t)}};co.kind="return";var Oc=class extends qt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&Ir(t,this.catch.names),this.finally&&Ir(t,this.finally.names),t}},uo=class extends qt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};uo.kind="catch";var lo=class extends qt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};lo.kind="finally";var Uc=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
-`:""},this._extScope=t,this._scope=new dt.Scope({parent:t}),this._nodes=[new Pc]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let i=this._scope.toName(r);return n!==void 0&&a&&(this._constants[i.str]=n),this._leafNode(new bc(t,i,n)),i}const(t,r,n){return this._def(dt.varKinds.const,t,r,n)}let(t,r,n){return this._def(dt.varKinds.let,t,r,n)}var(t,r,n){return this._def(dt.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new Da(t,r,n))}add(t,r){return this._leafNode(new Cc(t,j.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==B.nil&&this._leafNode(new kc(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,B.addCodeArg)(r,a));return r.push("}"),new B._Code(r)}if(t,r,n){if(this._blockNode(new br(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new br(t))}else(){return this._elseNode(new rn)}endIf(){return this._endBlockNode(br,rn)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new Ec(t),r)}forRange(t,r,n,a,i=this.opts.es5?dt.varKinds.var:dt.varKinds.let){let s=this._scope.toName(t);return this._for(new xc(i,s,r,n),()=>a(s))}forOf(t,r,n,a=dt.varKinds.const){let i=this._scope.toName(t);if(this.opts.es5){let s=r instanceof B.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,B._)`${s}.length`,u=>{this.var(i,(0,B._)`${s}[${u}]`),n(i)})}return this._for(new Ma("of",a,i,r),()=>n(i))}forIn(t,r,n,a=this.opts.es5?dt.varKinds.var:dt.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,B._)`Object.keys(${r})`,n);let i=this._scope.toName(t);return this._for(new Ma("in",a,i,r),()=>n(i))}endFor(){return this._endBlockNode(Cr)}label(t){return this._leafNode(new Ic(t))}break(t){return this._leafNode(new Tc(t))}return(t){let r=new co;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(co)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new Oc;if(this._blockNode(a),this.code(t),r){let i=this.name("e");this._currNode=a.catch=new uo(i),r(i)}return n&&(this._currNode=a.finally=new lo,this.code(n)),this._endBlockNode(uo,lo)}throw(t){return this._leafNode(new Ac(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=B.nil,n,a){return this._blockNode(new so(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(so)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof br))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};j.CodeGen=Uc;function Ir(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(Ir,"addNames");function qa(e,t){return t instanceof B._CodeOrName?Ir(e,t.names):e}o(qa,"addExprNames");function nn(e,t,r){if(e instanceof B.Name)return n(e);if(!a(e))return e;return new B._Code(e._items.reduce((i,s)=>(s instanceof B.Name&&(s=n(s)),s instanceof B._Code?i.push(...s._items):i.push(s),i),[]));function n(i){let s=r[i.str];return s===void 0||t[i.str]!==1?i:(delete t[i.str],s)}function a(i){return i instanceof B._Code&&i._items.some(s=>s instanceof B.Name&&t[s.str]===1&&r[s.str]!==void 0)}}o(nn,"optimizeExpr");function xR(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(xR,"subtractNames");function Fp(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,B._)`!${zc(e)}`}o(Fp,"not");j.not=Fp;var OR=Zp(j.operators.AND);function UR(...e){return e.reduce(OR)}o(UR,"and");j.and=UR;var zR=Zp(j.operators.OR);function NR(...e){return e.reduce(zR)}o(NR,"or");j.or=NR;function Zp(e){return(t,r)=>t===B.nil?r:r===B.nil?t:(0,B._)`${zc(t)} ${e} ${zc(r)}`}o(Zp,"mappend");function zc(e){return e instanceof B.Name?e:(0,B._)`(${e})`}o(zc,"par")});var J=T(G=>{"use strict";Object.defineProperty(G,"__esModule",{value:!0});G.checkStrictMode=G.getErrorPath=G.Type=G.useFunc=G.setEvaluated=G.evaluatedPropsToName=G.mergeEvaluated=G.eachItem=G.unescapeJsonPointer=G.escapeJsonPointer=G.escapeFragment=G.unescapeFragment=G.schemaRefOrVal=G.schemaHasRulesButRef=G.schemaHasRules=G.checkUnknownRules=G.alwaysValidSchema=G.toHash=void 0;var te=L(),DR=ao();function MR(e){let t={};for(let r of e)t[r]=!0;return t}o(MR,"toHash");G.toHash=MR;function qR(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(Jp(e,t),!Yp(t,e.self.RULES.all))}o(qR,"alwaysValidSchema");G.alwaysValidSchema=qR;function Jp(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let i in t)a[i]||em(e,`unknown keyword: "${i}"`)}o(Jp,"checkUnknownRules");G.checkUnknownRules=Jp;function Yp(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(Yp,"schemaHasRules");G.schemaHasRules=Yp;function $R(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o($R,"schemaHasRulesButRef");G.schemaHasRulesButRef=$R;function LR({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,te._)`${r}`}return(0,te._)`${e}${t}${(0,te.getProperty)(n)}`}o(LR,"schemaRefOrVal");G.schemaRefOrVal=LR;function jR(e){return Xp(decodeURIComponent(e))}o(jR,"unescapeFragment");G.unescapeFragment=jR;function HR(e){return encodeURIComponent(Dc(e))}o(HR,"escapeFragment");G.escapeFragment=HR;function Dc(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Dc,"escapeJsonPointer");G.escapeJsonPointer=Dc;function Xp(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(Xp,"unescapeJsonPointer");G.unescapeJsonPointer=Xp;function GR(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(GR,"eachItem");G.eachItem=GR;function Kp({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,i,s,u)=>{let d=s===void 0?i:s instanceof te.Name?(i instanceof te.Name?e(a,i,s):t(a,i,s),s):i instanceof te.Name?(t(a,s,i),i):r(i,s);return u===te.Name&&!(d instanceof te.Name)?n(a,d):d}}o(Kp,"makeMergeEvaluated");G.mergeEvaluated={props:Kp({mergeNames:o((e,t,r)=>e.if((0,te._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,te._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,te._)`${r} || {}`).code((0,te._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,te._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,te._)`${r} || {}`),Mc(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:Qp}),items:Kp({mergeNames:o((e,t,r)=>e.if((0,te._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,te._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,te._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,te._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function Qp(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,te._)`{}`);return t!==void 0&&Mc(e,r,t),r}o(Qp,"evaluatedPropsToName");G.evaluatedPropsToName=Qp;function Mc(e,t,r){Object.keys(r).forEach(n=>e.assign((0,te._)`${t}${(0,te.getProperty)(n)}`,!0))}o(Mc,"setEvaluated");G.setEvaluated=Mc;var Wp={};function BR(e,t){return e.scopeValue("func",{ref:t,code:Wp[t.code]||(Wp[t.code]=new DR._Code(t.code))})}o(BR,"useFunc");G.useFunc=BR;var Nc;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(Nc||(G.Type=Nc={}));function VR(e,t,r){if(e instanceof te.Name){let n=t===Nc.Num;return r?n?(0,te._)`"[" + ${e} + "]"`:(0,te._)`"['" + ${e} + "']"`:n?(0,te._)`"/" + ${e}`:(0,te._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,te.getProperty)(e).toString():"/"+Dc(e)}o(VR,"getErrorPath");G.getErrorPath=VR;function em(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(em,"checkStrictMode");G.checkStrictMode=em});var $t=T(qc=>{"use strict";Object.defineProperty(qc,"__esModule",{value:!0});var Ue=L(),FR={data:new Ue.Name("data"),valCxt:new Ue.Name("valCxt"),instancePath:new Ue.Name("instancePath"),parentData:new Ue.Name("parentData"),parentDataProperty:new Ue.Name("parentDataProperty"),rootData:new Ue.Name("rootData"),dynamicAnchors:new Ue.Name("dynamicAnchors"),vErrors:new Ue.Name("vErrors"),errors:new Ue.Name("errors"),this:new Ue.Name("this"),self:new Ue.Name("self"),scope:new Ue.Name("scope"),json:new Ue.Name("json"),jsonPos:new Ue.Name("jsonPos"),jsonLen:new Ue.Name("jsonLen"),jsonPart:new Ue.Name("jsonPart")};qc.default=FR});var po=T(ze=>{"use strict";Object.defineProperty(ze,"__esModule",{value:!0});ze.extendErrors=ze.resetErrorsCount=ze.reportExtraError=ze.reportError=ze.keyword$DataError=ze.keywordError=void 0;var Z=L(),La=J(),qe=$t();ze.keywordError={message:o(({keyword:e})=>(0,Z.str)`must pass "${e}" keyword validation`,"message")};ze.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,Z.str)`"${e}" keyword must be ${t} ($data)`:(0,Z.str)`"${e}" keyword is invalid ($data)`,"message")};function ZR(e,t=ze.keywordError,r,n){let{it:a}=e,{gen:i,compositeRule:s,allErrors:u}=a,d=nm(e,t,r);n??(s||u)?tm(i,d):rm(a,(0,Z._)`[${d}]`)}o(ZR,"reportError");ze.reportError=ZR;function KR(e,t=ze.keywordError,r){let{it:n}=e,{gen:a,compositeRule:i,allErrors:s}=n,u=nm(e,t,r);tm(a,u),i||s||rm(n,qe.default.vErrors)}o(KR,"reportExtraError");ze.reportExtraError=KR;function WR(e,t){e.assign(qe.default.errors,t),e.if((0,Z._)`${qe.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,Z._)`${qe.default.vErrors}.length`,t),()=>e.assign(qe.default.vErrors,null)))}o(WR,"resetErrorsCount");ze.resetErrorsCount=WR;function JR({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:i}){if(a===void 0)throw new Error("ajv implementation error");let s=e.name("err");e.forRange("i",a,qe.default.errors,u=>{e.const(s,(0,Z._)`${qe.default.vErrors}[${u}]`),e.if((0,Z._)`${s}.instancePath === undefined`,()=>e.assign((0,Z._)`${s}.instancePath`,(0,Z.strConcat)(qe.default.instancePath,i.errorPath))),e.assign((0,Z._)`${s}.schemaPath`,(0,Z.str)`${i.errSchemaPath}/${t}`),i.opts.verbose&&(e.assign((0,Z._)`${s}.schema`,r),e.assign((0,Z._)`${s}.data`,n))})}o(JR,"extendErrors");ze.extendErrors=JR;function tm(e,t){let r=e.const("err",t);e.if((0,Z._)`${qe.default.vErrors} === null`,()=>e.assign(qe.default.vErrors,(0,Z._)`[${r}]`),(0,Z._)`${qe.default.vErrors}.push(${r})`),e.code((0,Z._)`${qe.default.errors}++`)}o(tm,"addError");function rm(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,Z._)`new ${e.ValidationError}(${t})`):(r.assign((0,Z._)`${n}.errors`,t),r.return(!1))}o(rm,"returnErrors");var Tr={keyword:new Z.Name("keyword"),schemaPath:new Z.Name("schemaPath"),params:new Z.Name("params"),propertyName:new Z.Name("propertyName"),message:new Z.Name("message"),schema:new Z.Name("schema"),parentSchema:new Z.Name("parentSchema")};function nm(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,Z._)`{}`:YR(e,t,r)}o(nm,"errorObjectCode");function YR(e,t,r={}){let{gen:n,it:a}=e,i=[XR(a,r),QR(e,r)];return eb(e,t,i),n.object(...i)}o(YR,"errorObject");function XR({errorPath:e},{instancePath:t}){let r=t?(0,Z.str)`${e}${(0,La.getErrorPath)(t,La.Type.Str)}`:e;return[qe.default.instancePath,(0,Z.strConcat)(qe.default.instancePath,r)]}o(XR,"errorInstancePath");function QR({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,Z.str)`${t}/${e}`;return r&&(a=(0,Z.str)`${a}${(0,La.getErrorPath)(r,La.Type.Str)}`),[Tr.schemaPath,a]}o(QR,"errorSchemaPath");function eb(e,{params:t,message:r},n){let{keyword:a,data:i,schemaValue:s,it:u}=e,{opts:d,propertyName:l,topSchemaRef:p,schemaPath:m}=u;n.push([Tr.keyword,a],[Tr.params,typeof t=="function"?t(e):t||(0,Z._)`{}`]),d.messages&&n.push([Tr.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([Tr.schema,s],[Tr.parentSchema,(0,Z._)`${p}${m}`],[qe.default.data,i]),l&&n.push([Tr.propertyName,l])}o(eb,"extraErrorProps")});var am=T(on=>{"use strict";Object.defineProperty(on,"__esModule",{value:!0});on.boolOrEmptySchema=on.topBoolOrEmptySchema=void 0;var tb=po(),rb=L(),nb=$t(),ob={message:"boolean schema is false"};function ab(e){let{gen:t,schema:r,validateName:n}=e;r===!1?om(e,!1):typeof r=="object"&&r.$async===!0?t.return(nb.default.data):(t.assign((0,rb._)`${n}.errors`,null),t.return(!0))}o(ab,"topBoolOrEmptySchema");on.topBoolOrEmptySchema=ab;function ib(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),om(e)):r.var(t,!0)}o(ib,"boolOrEmptySchema");on.boolOrEmptySchema=ib;function om(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,tb.reportError)(a,ob,void 0,t)}o(om,"falseSchemaError")});var $c=T(an=>{"use strict";Object.defineProperty(an,"__esModule",{value:!0});an.getRules=an.isJSONType=void 0;var sb=["string","number","integer","boolean","null","object","array"],cb=new Set(sb);function ub(e){return typeof e=="string"&&cb.has(e)}o(ub,"isJSONType");an.isJSONType=ub;function db(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(db,"getRules");an.getRules=db});var Lc=T(ar=>{"use strict";Object.defineProperty(ar,"__esModule",{value:!0});ar.shouldUseRule=ar.shouldUseGroup=ar.schemaHasRulesForType=void 0;function lb({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&im(e,n)}o(lb,"schemaHasRulesForType");ar.schemaHasRulesForType=lb;function im(e,t){return t.rules.some(r=>sm(e,r))}o(im,"shouldUseGroup");ar.shouldUseGroup=im;function sm(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(sm,"shouldUseRule");ar.shouldUseRule=sm});var mo=T(Ne=>{"use strict";Object.defineProperty(Ne,"__esModule",{value:!0});Ne.reportTypeError=Ne.checkDataTypes=Ne.checkDataType=Ne.coerceAndCheckDataType=Ne.getJSONTypes=Ne.getSchemaTypes=Ne.DataType=void 0;var pb=$c(),mb=Lc(),hb=po(),$=L(),cm=J(),sn;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(sn||(Ne.DataType=sn={}));function fb(e){let t=um(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(fb,"getSchemaTypes");Ne.getSchemaTypes=fb;function um(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(pb.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(um,"getJSONTypes");Ne.getJSONTypes=um;function gb(e,t){let{gen:r,data:n,opts:a}=e,i=_b(t,a.coerceTypes),s=t.length>0&&!(i.length===0&&t.length===1&&(0,mb.schemaHasRulesForType)(e,t[0]));if(s){let u=Hc(t,n,a.strictNumbers,sn.Wrong);r.if(u,()=>{i.length?yb(e,t,i):Gc(e)})}return s}o(gb,"coerceAndCheckDataType");Ne.coerceAndCheckDataType=gb;var dm=new Set(["string","number","integer","boolean","null"]);function _b(e,t){return t?e.filter(r=>dm.has(r)||t==="array"&&r==="array"):[]}o(_b,"coerceToTypes");function yb(e,t,r){let{gen:n,data:a,opts:i}=e,s=n.let("dataType",(0,$._)`typeof ${a}`),u=n.let("coerced",(0,$._)`undefined`);i.coerceTypes==="array"&&n.if((0,$._)`${s} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,$._)`${a}[0]`).assign(s,(0,$._)`typeof ${a}`).if(Hc(t,a,i.strictNumbers),()=>n.assign(u,a))),n.if((0,$._)`${u} !== undefined`);for(let l of r)(dm.has(l)||l==="array"&&i.coerceTypes==="array")&&d(l);n.else(),Gc(e),n.endIf(),n.if((0,$._)`${u} !== undefined`,()=>{n.assign(a,u),Sb(e,u)});function d(l){switch(l){case"string":n.elseIf((0,$._)`${s} == "number" || ${s} == "boolean"`).assign(u,(0,$._)`"" + ${a}`).elseIf((0,$._)`${a} === null`).assign(u,(0,$._)`""`);return;case"number":n.elseIf((0,$._)`${s} == "boolean" || ${a} === null
-              || (${s} == "string" && ${a} && ${a} == +${a})`).assign(u,(0,$._)`+${a}`);return;case"integer":n.elseIf((0,$._)`${s} === "boolean" || ${a} === null
-              || (${s} === "string" && ${a} && ${a} == +${a} && !(${a} % 1))`).assign(u,(0,$._)`+${a}`);return;case"boolean":n.elseIf((0,$._)`${a} === "false" || ${a} === 0 || ${a} === null`).assign(u,!1).elseIf((0,$._)`${a} === "true" || ${a} === 1`).assign(u,!0);return;case"null":n.elseIf((0,$._)`${a} === "" || ${a} === 0 || ${a} === false`),n.assign(u,null);return;case"array":n.elseIf((0,$._)`${s} === "string" || ${s} === "number"
-              || ${s} === "boolean" || ${a} === null`).assign(u,(0,$._)`[${a}]`)}}o(d,"coerceSpecificType")}o(yb,"coerceData");function Sb({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,$._)`${t} !== undefined`,()=>e.assign((0,$._)`${t}[${r}]`,n))}o(Sb,"assignParentData");function jc(e,t,r,n=sn.Correct){let a=n===sn.Correct?$.operators.EQ:$.operators.NEQ,i;switch(e){case"null":return(0,$._)`${t} ${a} null`;case"array":i=(0,$._)`Array.isArray(${t})`;break;case"object":i=(0,$._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":i=s((0,$._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":i=s();break;default:return(0,$._)`typeof ${t} ${a} ${e}`}return n===sn.Correct?i:(0,$.not)(i);function s(u=$.nil){return(0,$.and)((0,$._)`typeof ${t} == "number"`,u,r?(0,$._)`isFinite(${t})`:$.nil)}}o(jc,"checkDataType");Ne.checkDataType=jc;function Hc(e,t,r,n){if(e.length===1)return jc(e[0],t,r,n);let a,i=(0,cm.toHash)(e);if(i.array&&i.object){let s=(0,$._)`typeof ${t} != "object"`;a=i.null?s:(0,$._)`!${t} || ${s}`,delete i.null,delete i.array,delete i.object}else a=$.nil;i.number&&delete i.integer;for(let s in i)a=(0,$.and)(a,jc(s,t,r,n));return a}o(Hc,"checkDataTypes");Ne.checkDataTypes=Hc;var wb={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,$._)`{type: ${e}}`:(0,$._)`{type: ${t}}`,"params")};function Gc(e){let t=vb(e);(0,hb.reportError)(t,wb)}o(Gc,"reportTypeError");Ne.reportTypeError=Gc;function vb(e){let{gen:t,data:r,schema:n}=e,a=(0,cm.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(vb,"getTypeErrorContext")});var pm=T(ja=>{"use strict";Object.defineProperty(ja,"__esModule",{value:!0});ja.assignDefaults=void 0;var cn=L(),Rb=J();function bb(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)lm(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,i)=>lm(e,i,a.default))}o(bb,"assignDefaults");ja.assignDefaults=bb;function lm(e,t,r){let{gen:n,compositeRule:a,data:i,opts:s}=e;if(r===void 0)return;let u=(0,cn._)`${i}${(0,cn.getProperty)(t)}`;if(a){(0,Rb.checkStrictMode)(e,`default is ignored for: ${u}`);return}let d=(0,cn._)`${u} === undefined`;s.useDefaults==="empty"&&(d=(0,cn._)`${d} || ${u} === null || ${u} === ""`),n.if(d,(0,cn._)`${u} = ${(0,cn.stringify)(r)}`)}o(lm,"assignDefault")});var nt=T(Q=>{"use strict";Object.defineProperty(Q,"__esModule",{value:!0});Q.validateUnion=Q.validateArray=Q.usePattern=Q.callValidateCode=Q.schemaProperties=Q.allSchemaProperties=Q.noPropertyInData=Q.propertyInData=Q.isOwnProperty=Q.hasPropFunc=Q.reportMissingProp=Q.checkMissingProp=Q.checkReportMissingProp=void 0;var oe=L(),Bc=J(),ir=$t(),Cb=J();function Ib(e,t){let{gen:r,data:n,it:a}=e;r.if(Fc(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,oe._)`${t}`},!0),e.error()})}o(Ib,"checkReportMissingProp");Q.checkReportMissingProp=Ib;function Tb({gen:e,data:t,it:{opts:r}},n,a){return(0,oe.or)(...n.map(i=>(0,oe.and)(Fc(e,t,i,r.ownProperties),(0,oe._)`${a} = ${i}`)))}o(Tb,"checkMissingProp");Q.checkMissingProp=Tb;function Ab(e,t){e.setParams({missingProperty:t},!0),e.error()}o(Ab,"reportMissingProp");Q.reportMissingProp=Ab;function mm(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,oe._)`Object.prototype.hasOwnProperty`})}o(mm,"hasPropFunc");Q.hasPropFunc=mm;function Vc(e,t,r){return(0,oe._)`${mm(e)}.call(${t}, ${r})`}o(Vc,"isOwnProperty");Q.isOwnProperty=Vc;function kb(e,t,r,n){let a=(0,oe._)`${t}${(0,oe.getProperty)(r)} !== undefined`;return n?(0,oe._)`${a} && ${Vc(e,t,r)}`:a}o(kb,"propertyInData");Q.propertyInData=kb;function Fc(e,t,r,n){let a=(0,oe._)`${t}${(0,oe.getProperty)(r)} === undefined`;return n?(0,oe.or)(a,(0,oe.not)(Vc(e,t,r))):a}o(Fc,"noPropertyInData");Q.noPropertyInData=Fc;function hm(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(hm,"allSchemaProperties");Q.allSchemaProperties=hm;function Pb(e,t){return hm(t).filter(r=>!(0,Bc.alwaysValidSchema)(e,t[r]))}o(Pb,"schemaProperties");Q.schemaProperties=Pb;function Eb({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:i},it:s},u,d,l){let p=l?(0,oe._)`${e}, ${t}, ${n}${a}`:t,m=[[ir.default.instancePath,(0,oe.strConcat)(ir.default.instancePath,i)],[ir.default.parentData,s.parentData],[ir.default.parentDataProperty,s.parentDataProperty],[ir.default.rootData,ir.default.rootData]];s.opts.dynamicRef&&m.push([ir.default.dynamicAnchors,ir.default.dynamicAnchors]);let f=(0,oe._)`${p}, ${r.object(...m)}`;return d!==oe.nil?(0,oe._)`${u}.call(${d}, ${f})`:(0,oe._)`${u}(${f})`}o(Eb,"callValidateCode");Q.callValidateCode=Eb;var xb=(0,oe._)`new RegExp`;function Ob({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,i=a(r,n);return e.scopeValue("pattern",{key:i.toString(),ref:i,code:(0,oe._)`${a.code==="new RegExp"?xb:(0,Cb.useFunc)(e,a)}(${r}, ${n})`})}o(Ob,"usePattern");Q.usePattern=Ob;function Ub(e){let{gen:t,data:r,keyword:n,it:a}=e,i=t.name("valid");if(a.allErrors){let u=t.let("valid",!0);return s(()=>t.assign(u,!1)),u}return t.var(i,!0),s(()=>t.break()),i;function s(u){let d=t.const("len",(0,oe._)`${r}.length`);t.forRange("i",0,d,l=>{e.subschema({keyword:n,dataProp:l,dataPropType:Bc.Type.Num},i),t.if((0,oe.not)(i),u)})}o(s,"validateItems")}o(Ub,"validateArray");Q.validateArray=Ub;function zb(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,Bc.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let s=t.let("valid",!1),u=t.name("_valid");t.block(()=>r.forEach((d,l)=>{let p=e.subschema({keyword:n,schemaProp:l,compositeRule:!0},u);t.assign(s,(0,oe._)`${s} || ${u}`),e.mergeValidEvaluated(p,u)||t.if((0,oe.not)(s))})),e.result(s,()=>e.reset(),()=>e.error(!0))}o(zb,"validateUnion");Q.validateUnion=zb});var _m=T(wt=>{"use strict";Object.defineProperty(wt,"__esModule",{value:!0});wt.validateKeywordUsage=wt.validSchemaType=wt.funcKeywordCode=wt.macroKeywordCode=void 0;var $e=L(),Ar=$t(),Nb=nt(),Db=po();function Mb(e,t){let{gen:r,keyword:n,schema:a,parentSchema:i,it:s}=e,u=t.macro.call(s.self,a,i,s),d=gm(r,n,u);s.opts.validateSchema!==!1&&s.self.validateSchema(u,!0);let l=r.name("valid");e.subschema({schema:u,schemaPath:$e.nil,errSchemaPath:`${s.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},l),e.pass(l,()=>e.error(!0))}o(Mb,"macroKeywordCode");wt.macroKeywordCode=Mb;function qb(e,t){var r;let{gen:n,keyword:a,schema:i,parentSchema:s,$data:u,it:d}=e;Lb(d,t);let l=!u&&t.compile?t.compile.call(d.self,i,s,d):t.validate,p=gm(n,a,l),m=n.let("valid");e.block$data(m,f),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function f(){if(t.errors===!1)y(),t.modifying&&fm(e),w(()=>e.error());else{let v=t.async?_():S();t.modifying&&fm(e),w(()=>$b(e,v))}}o(f,"validateKeyword");function _(){let v=n.let("ruleErrs",null);return n.try(()=>y((0,$e._)`await `),R=>n.assign(m,!1).if((0,$e._)`${R} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,$e._)`${R}.errors`),()=>n.throw(R))),v}o(_,"validateAsync");function S(){let v=(0,$e._)`${p}.errors`;return n.assign(v,null),y($e.nil),v}o(S,"validateSync");function y(v=t.async?(0,$e._)`await `:$e.nil){let R=d.opts.passContext?Ar.default.this:Ar.default.self,I=!("compile"in t&&!u||t.schema===!1);n.assign(m,(0,$e._)`${v}${(0,Nb.callValidateCode)(e,p,R,I)}`,t.modifying)}o(y,"assignValid");function w(v){var R;n.if((0,$e.not)((R=t.valid)!==null&&R!==void 0?R:m),v)}o(w,"reportErrs")}o(qb,"funcKeywordCode");wt.funcKeywordCode=qb;function fm(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,$e._)`${n.parentData}[${n.parentDataProperty}]`))}o(fm,"modifyData");function $b(e,t){let{gen:r}=e;r.if((0,$e._)`Array.isArray(${t})`,()=>{r.assign(Ar.default.vErrors,(0,$e._)`${Ar.default.vErrors} === null ? ${t} : ${Ar.default.vErrors}.concat(${t})`).assign(Ar.default.errors,(0,$e._)`${Ar.default.vErrors}.length`),(0,Db.extendErrors)(e)},()=>e.error())}o($b,"addErrs");function Lb({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(Lb,"checkAsyncKeyword");function gm(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,$e.stringify)(r)})}o(gm,"useKeyword");function jb(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(jb,"validSchemaType");wt.validSchemaType=jb;function Hb({schema:e,opts:t,self:r,errSchemaPath:n},a,i){if(Array.isArray(a.keyword)?!a.keyword.includes(i):a.keyword!==i)throw new Error("ajv implementation error");let s=a.dependencies;if(s?.some(u=>!Object.prototype.hasOwnProperty.call(e,u)))throw new Error(`parent schema must have dependencies of ${i}: ${s.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[i])){let d=`keyword "${i}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(Hb,"validateKeywordUsage");wt.validateKeywordUsage=Hb});var Sm=T(sr=>{"use strict";Object.defineProperty(sr,"__esModule",{value:!0});sr.extendSubschemaMode=sr.extendSubschemaData=sr.getSubschema=void 0;var vt=L(),ym=J();function Gb(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:i,topSchemaRef:s}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let u=e.schema[t];return r===void 0?{schema:u,schemaPath:(0,vt._)`${e.schemaPath}${(0,vt.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:u[r],schemaPath:(0,vt._)`${e.schemaPath}${(0,vt.getProperty)(t)}${(0,vt.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,ym.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||i===void 0||s===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:s,errSchemaPath:i}}throw new Error('either "keyword" or "schema" must be passed')}o(Gb,"getSubschema");sr.getSubschema=Gb;function Bb(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:i,propertyName:s}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:u}=t;if(r!==void 0){let{errorPath:l,dataPathArr:p,opts:m}=t,f=u.let("data",(0,vt._)`${t.data}${(0,vt.getProperty)(r)}`,!0);d(f),e.errorPath=(0,vt.str)`${l}${(0,ym.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,vt._)`${r}`,e.dataPathArr=[...p,e.parentDataProperty]}if(a!==void 0){let l=a instanceof vt.Name?a:u.let("data",a,!0);d(l),s!==void 0&&(e.propertyName=s)}i&&(e.dataTypes=i);function d(l){e.data=l,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,l]}o(d,"dataContextProps")}o(Bb,"extendSubschemaData");sr.extendSubschemaData=Bb;function Vb(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:i}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),i!==void 0&&(e.allErrors=i),e.jtdDiscriminator=t,e.jtdMetadata=r}o(Vb,"extendSubschemaMode");sr.extendSubschemaMode=Vb});var Zc=T((w1,wm)=>{"use strict";wm.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,i;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(i=Object.keys(t),n=i.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,i[a]))return!1;for(a=n;a--!==0;){var s=i[a];if(!e(t[s],r[s]))return!1}return!0}return t!==t&&r!==r},"equal")});var Rm=T((R1,vm)=>{"use strict";var cr=vm.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};Ha(t,n,a,e,"",e)};cr.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};cr.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};cr.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};cr.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function Ha(e,t,r,n,a,i,s,u,d,l){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,i,s,u,d,l);for(var p in n){var m=n[p];if(Array.isArray(m)){if(p in cr.arrayKeywords)for(var f=0;f<m.length;f++)Ha(e,t,r,m[f],a+"/"+p+"/"+f,i,a,p,n,f)}else if(p in cr.propsKeywords){if(m&&typeof m=="object")for(var _ in m)Ha(e,t,r,m[_],a+"/"+p+"/"+Fb(_),i,a,p,n,_)}else(p in cr.keywords||e.allKeys&&!(p in cr.skipKeywords))&&Ha(e,t,r,m,a+"/"+p,i,a,p,n)}r(n,a,i,s,u,d,l)}}o(Ha,"_traverse");function Fb(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Fb,"escapeJsonPtr")});var ho=T(Be=>{"use strict";Object.defineProperty(Be,"__esModule",{value:!0});Be.getSchemaRefs=Be.resolveUrl=Be.normalizeId=Be._getFullPath=Be.getFullPath=Be.inlineRef=void 0;var Zb=J(),Kb=Zc(),Wb=Rm(),Jb=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function Yb(e,t=!0){return typeof e=="boolean"?!0:t===!0?!Kc(e):t?bm(e)<=t:!1}o(Yb,"inlineRef");Be.inlineRef=Yb;var Xb=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function Kc(e){for(let t in e){if(Xb.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(Kc)||typeof r=="object"&&Kc(r))return!0}return!1}o(Kc,"hasRef");function bm(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!Jb.has(r)&&(typeof e[r]=="object"&&(0,Zb.eachItem)(e[r],n=>t+=bm(n)),t===1/0))return 1/0}return t}o(bm,"countKeys");function Cm(e,t="",r){r!==!1&&(t=un(t));let n=e.parse(t);return Im(e,n)}o(Cm,"getFullPath");Be.getFullPath=Cm;function Im(e,t){return e.serialize(t).split("#")[0]+"#"}o(Im,"_getFullPath");Be._getFullPath=Im;var Qb=/#\/?$/;function un(e){return e?e.replace(Qb,""):""}o(un,"normalizeId");Be.normalizeId=un;function eC(e,t,r){return r=un(r),e.resolve(t,r)}o(eC,"resolveUrl");Be.resolveUrl=eC;var tC=/^[a-z_][-a-z0-9._]*$/i;function rC(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=un(e[r]||t),i={"":a},s=Cm(n,a,!1),u={},d=new Set;return Wb(e,{allKeys:!0},(m,f,_,S)=>{if(S===void 0)return;let y=s+f,w=i[S];typeof m[r]=="string"&&(w=v.call(this,m[r])),R.call(this,m.$anchor),R.call(this,m.$dynamicAnchor),i[f]=w;function v(I){let N=this.opts.uriResolver.resolve;if(I=un(w?N(w,I):I),d.has(I))throw p(I);d.add(I);let M=this.refs[I];return typeof M=="string"&&(M=this.refs[M]),typeof M=="object"?l(m,M.schema,I):I!==un(y)&&(I[0]==="#"?(l(m,u[I],I),u[I]=m):this.refs[I]=y),I}o(v,"addRef");function R(I){if(typeof I=="string"){if(!tC.test(I))throw new Error(`invalid anchor "${I}"`);v.call(this,`#${I}`)}}o(R,"addAnchor")}),u;function l(m,f,_){if(f!==void 0&&!Kb(m,f))throw p(_)}o(l,"checkAmbiguosRef");function p(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(p,"ambiguos")}o(rC,"getSchemaRefs");Be.getSchemaRefs=rC});var _o=T(ur=>{"use strict";Object.defineProperty(ur,"__esModule",{value:!0});ur.getData=ur.KeywordCxt=ur.validateFunctionCode=void 0;var Em=am(),Tm=mo(),Jc=Lc(),Ga=mo(),nC=pm(),go=_m(),Wc=Sm(),E=L(),D=$t(),oC=ho(),Lt=J(),fo=po();function aC(e){if(Um(e)&&(zm(e),Om(e))){cC(e);return}xm(e,()=>(0,Em.topBoolOrEmptySchema)(e))}o(aC,"validateFunctionCode");ur.validateFunctionCode=aC;function xm({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},i){a.code.es5?e.func(t,(0,E._)`${D.default.data}, ${D.default.valCxt}`,n.$async,()=>{e.code((0,E._)`"use strict"; ${Am(r,a)}`),sC(e,a),e.code(i)}):e.func(t,(0,E._)`${D.default.data}, ${iC(a)}`,n.$async,()=>e.code(Am(r,a)).code(i))}o(xm,"validateFunction");function iC(e){return(0,E._)`{${D.default.instancePath}="", ${D.default.parentData}, ${D.default.parentDataProperty}, ${D.default.rootData}=${D.default.data}${e.dynamicRef?(0,E._)`, ${D.default.dynamicAnchors}={}`:E.nil}}={}`}o(iC,"destructureValCxt");function sC(e,t){e.if(D.default.valCxt,()=>{e.var(D.default.instancePath,(0,E._)`${D.default.valCxt}.${D.default.instancePath}`),e.var(D.default.parentData,(0,E._)`${D.default.valCxt}.${D.default.parentData}`),e.var(D.default.parentDataProperty,(0,E._)`${D.default.valCxt}.${D.default.parentDataProperty}`),e.var(D.default.rootData,(0,E._)`${D.default.valCxt}.${D.default.rootData}`),t.dynamicRef&&e.var(D.default.dynamicAnchors,(0,E._)`${D.default.valCxt}.${D.default.dynamicAnchors}`)},()=>{e.var(D.default.instancePath,(0,E._)`""`),e.var(D.default.parentData,(0,E._)`undefined`),e.var(D.default.parentDataProperty,(0,E._)`undefined`),e.var(D.default.rootData,D.default.data),t.dynamicRef&&e.var(D.default.dynamicAnchors,(0,E._)`{}`)})}o(sC,"destructureValCxtES5");function cC(e){let{schema:t,opts:r,gen:n}=e;xm(e,()=>{r.$comment&&t.$comment&&Dm(e),mC(e),n.let(D.default.vErrors,null),n.let(D.default.errors,0),r.unevaluated&&uC(e),Nm(e),gC(e)})}o(cC,"topSchemaObjCode");function uC(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,E._)`${r}.evaluated`),t.if((0,E._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,E._)`${e.evaluated}.props`,(0,E._)`undefined`)),t.if((0,E._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,E._)`${e.evaluated}.items`,(0,E._)`undefined`))}o(uC,"resetEvaluated");function Am(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,E._)`/*# sourceURL=${r} */`:E.nil}o(Am,"funcSourceUrl");function dC(e,t){if(Um(e)&&(zm(e),Om(e))){lC(e,t);return}(0,Em.boolOrEmptySchema)(e,t)}o(dC,"subschemaCode");function Om({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(Om,"schemaCxtHasRules");function Um(e){return typeof e.schema!="boolean"}o(Um,"isSchemaObj");function lC(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&Dm(e),hC(e),fC(e);let i=n.const("_errs",D.default.errors);Nm(e,i),n.var(t,(0,E._)`${i} === ${D.default.errors}`)}o(lC,"subSchemaObjCode");function zm(e){(0,Lt.checkUnknownRules)(e),pC(e)}o(zm,"checkKeywords");function Nm(e,t){if(e.opts.jtd)return km(e,[],!1,t);let r=(0,Tm.getSchemaTypes)(e.schema),n=(0,Tm.coerceAndCheckDataType)(e,r);km(e,r,!n,t)}o(Nm,"typeAndKeywords");function pC(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Lt.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(pC,"checkRefsAndKeywords");function mC(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Lt.checkStrictMode)(e,"default is ignored in the schema root")}o(mC,"checkNoDefault");function hC(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,oC.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(hC,"updateContext");function fC(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(fC,"checkAsyncSchema");function Dm({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let i=r.$comment;if(a.$comment===!0)e.code((0,E._)`${D.default.self}.logger.log(${i})`);else if(typeof a.$comment=="function"){let s=(0,E.str)`${n}/$comment`,u=e.scopeValue("root",{ref:t.root});e.code((0,E._)`${D.default.self}.opts.$comment(${i}, ${s}, ${u}.schema)`)}}o(Dm,"commentKeyword");function gC(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:i}=e;r.$async?t.if((0,E._)`${D.default.errors} === 0`,()=>t.return(D.default.data),()=>t.throw((0,E._)`new ${a}(${D.default.vErrors})`)):(t.assign((0,E._)`${n}.errors`,D.default.vErrors),i.unevaluated&&_C(e),t.return((0,E._)`${D.default.errors} === 0`))}o(gC,"returnResults");function _C({gen:e,evaluated:t,props:r,items:n}){r instanceof E.Name&&e.assign((0,E._)`${t}.props`,r),n instanceof E.Name&&e.assign((0,E._)`${t}.items`,n)}o(_C,"assignEvaluated");function km(e,t,r,n){let{gen:a,schema:i,data:s,allErrors:u,opts:d,self:l}=e,{RULES:p}=l;if(i.$ref&&(d.ignoreKeywordsWithRef||!(0,Lt.schemaHasRulesButRef)(i,p))){a.block(()=>qm(e,"$ref",p.all.$ref.definition));return}d.jtd||yC(e,t),a.block(()=>{for(let f of p.rules)m(f);m(p.post)});function m(f){(0,Jc.shouldUseGroup)(i,f)&&(f.type?(a.if((0,Ga.checkDataType)(f.type,s,d.strictNumbers)),Pm(e,f),t.length===1&&t[0]===f.type&&r&&(a.else(),(0,Ga.reportTypeError)(e)),a.endIf()):Pm(e,f),u||a.if((0,E._)`${D.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(km,"schemaKeywords");function Pm(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,nC.assignDefaults)(e,t.type),r.block(()=>{for(let i of t.rules)(0,Jc.shouldUseRule)(n,i)&&qm(e,i.keyword,i.definition,t.type)})}o(Pm,"iterateKeywords");function yC(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(SC(e,t),e.opts.allowUnionTypes||wC(e,t),vC(e,e.dataTypes))}o(yC,"checkStrictTypes");function SC(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{Mm(e.dataTypes,r)||Yc(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),bC(e,t)}}o(SC,"checkContextTypes");function wC(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&Yc(e,"use allowUnionTypes to allow union type keyword")}o(wC,"checkMultipleTypes");function vC(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,Jc.shouldUseRule)(e.schema,a)){let{type:i}=a.definition;i.length&&!i.some(s=>RC(t,s))&&Yc(e,`missing type "${i.join(",")}" for keyword "${n}"`)}}}o(vC,"checkKeywordTypes");function RC(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(RC,"hasApplicableType");function Mm(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(Mm,"includesType");function bC(e,t){let r=[];for(let n of e.dataTypes)Mm(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(bC,"narrowSchemaTypes");function Yc(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Lt.checkStrictMode)(e,t,e.opts.strictTypes)}o(Yc,"strictTypesError");var Ba=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,go.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Lt.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",$m(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,go.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",D.default.errors))}result(t,r,n){this.failResult((0,E.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,E.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,E._)`${r} !== undefined && (${(0,E.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?fo.reportExtraError:fo.reportError)(this,this.def.error,r)}$dataError(){(0,fo.reportError)(this,this.def.$dataError||fo.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,fo.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=E.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=E.nil,r=E.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:i,def:s}=this;n.if((0,E.or)((0,E._)`${a} === undefined`,r)),t!==E.nil&&n.assign(t,!0),(i.length||s.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==E.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:i}=this;return(0,E.or)(s(),u());function s(){if(n.length){if(!(r instanceof E.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,E._)`${(0,Ga.checkDataTypes)(d,r,i.opts.strictNumbers,Ga.DataType.Wrong)}`}return E.nil}function u(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,E._)`!${d}(${r})`}return E.nil}}subschema(t,r){let n=(0,Wc.getSubschema)(this.it,t);(0,Wc.extendSubschemaData)(n,this.it,t),(0,Wc.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return dC(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Lt.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Lt.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,E.Name)),!0}};ur.KeywordCxt=Ba;function qm(e,t,r,n){let a=new Ba(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,go.funcKeywordCode)(a,r):"macro"in r?(0,go.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,go.funcKeywordCode)(a,r)}o(qm,"keywordCode");var CC=/^\/(?:[^~]|~0|~1)*$/,IC=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function $m(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,i;if(e==="")return D.default.rootData;if(e[0]==="/"){if(!CC.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,i=D.default.rootData}else{let l=IC.exec(e);if(!l)throw new Error(`Invalid JSON-pointer: ${e}`);let p=+l[1];if(a=l[2],a==="#"){if(p>=t)throw new Error(d("property/index",p));return n[t-p]}if(p>t)throw new Error(d("data",p));if(i=r[t-p],!a)return i}let s=i,u=a.split("/");for(let l of u)l&&(i=(0,E._)`${i}${(0,E.getProperty)((0,Lt.unescapeJsonPointer)(l))}`,s=(0,E._)`${s} && ${i}`);return s;function d(l,p){return`Cannot access ${l} ${p} levels up, current level is ${t}`}}o($m,"getData");ur.getData=$m});var Va=T(Qc=>{"use strict";Object.defineProperty(Qc,"__esModule",{value:!0});var Xc=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};Qc.default=Xc});var yo=T(ru=>{"use strict";Object.defineProperty(ru,"__esModule",{value:!0});var eu=ho(),tu=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,eu.resolveUrl)(t,r,n),this.missingSchema=(0,eu.normalizeId)((0,eu.getFullPath)(t,this.missingRef))}};ru.default=tu});var Za=T(ot=>{"use strict";Object.defineProperty(ot,"__esModule",{value:!0});ot.resolveSchema=ot.getCompilingSchema=ot.resolveRef=ot.compileSchema=ot.SchemaEnv=void 0;var lt=L(),TC=Va(),kr=$t(),pt=ho(),Lm=J(),AC=_o(),dn=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,pt.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};ot.SchemaEnv=dn;function ou(e){let t=jm.call(this,e);if(t)return t;let r=(0,pt.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:i}=this.opts,s=new lt.CodeGen(this.scope,{es5:n,lines:a,ownProperties:i}),u;e.$async&&(u=s.scopeValue("Error",{ref:TC.default,code:(0,lt._)`require("ajv/dist/runtime/validation_error").default`}));let d=s.scopeName("validate");e.validateName=d;let l={gen:s,allErrors:this.opts.allErrors,data:kr.default.data,parentData:kr.default.parentData,parentDataProperty:kr.default.parentDataProperty,dataNames:[kr.default.data],dataPathArr:[lt.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:s.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,lt.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:u,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:lt.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,lt._)`""`,opts:this.opts,self:this},p;try{this._compilations.add(e),(0,AC.validateFunctionCode)(l),s.optimize(this.opts.code.optimize);let m=s.toString();p=`${s.scopeRefs(kr.default.scope)}return ${m}`,this.opts.code.process&&(p=this.opts.code.process(p,e));let _=new Function(`${kr.default.self}`,`${kr.default.scope}`,p)(this,this.scope.get());if(this.scope.value(d,{ref:_}),_.errors=null,_.schema=e.schema,_.schemaEnv=e,e.$async&&(_.$async=!0),this.opts.code.source===!0&&(_.source={validateName:d,validateCode:m,scopeValues:s._values}),this.opts.unevaluated){let{props:S,items:y}=l;_.evaluated={props:S instanceof lt.Name?void 0:S,items:y instanceof lt.Name?void 0:y,dynamicProps:S instanceof lt.Name,dynamicItems:y instanceof lt.Name},_.source&&(_.source.evaluated=(0,lt.stringify)(_.evaluated))}return e.validate=_,e}catch(m){throw delete e.validate,delete e.validateName,p&&this.logger.error("Error compiling schema, function code:",p),m}finally{this._compilations.delete(e)}}o(ou,"compileSchema");ot.compileSchema=ou;function kC(e,t,r){var n;r=(0,pt.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let i=xC.call(this,e,r);if(i===void 0){let s=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:u}=this.opts;s&&(i=new dn({schema:s,schemaId:u,root:e,baseId:t}))}if(i!==void 0)return e.refs[r]=PC.call(this,i)}o(kC,"resolveRef");ot.resolveRef=kC;function PC(e){return(0,pt.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:ou.call(this,e)}o(PC,"inlineOrCompile");function jm(e){for(let t of this._compilations)if(EC(t,e))return t}o(jm,"getCompilingSchema");ot.getCompilingSchema=jm;function EC(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(EC,"sameSchemaEnv");function xC(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||Fa.call(this,e,t)}o(xC,"resolve");function Fa(e,t){let r=this.opts.uriResolver.parse(t),n=(0,pt._getFullPath)(this.opts.uriResolver,r),a=(0,pt.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return nu.call(this,r,e);let i=(0,pt.normalizeId)(n),s=this.refs[i]||this.schemas[i];if(typeof s=="string"){let u=Fa.call(this,e,s);return typeof u?.schema!="object"?void 0:nu.call(this,r,u)}if(typeof s?.schema=="object"){if(s.validate||ou.call(this,s),i===(0,pt.normalizeId)(t)){let{schema:u}=s,{schemaId:d}=this.opts,l=u[d];return l&&(a=(0,pt.resolveUrl)(this.opts.uriResolver,a,l)),new dn({schema:u,schemaId:d,root:e,baseId:a})}return nu.call(this,r,s)}}o(Fa,"resolveSchema");ot.resolveSchema=Fa;var OC=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function nu(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let u of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,Lm.unescapeFragment)(u)];if(d===void 0)return;r=d;let l=typeof r=="object"&&r[this.opts.schemaId];!OC.has(u)&&l&&(t=(0,pt.resolveUrl)(this.opts.uriResolver,t,l))}let i;if(typeof r!="boolean"&&r.$ref&&!(0,Lm.schemaHasRulesButRef)(r,this.RULES)){let u=(0,pt.resolveUrl)(this.opts.uriResolver,t,r.$ref);i=Fa.call(this,n,u)}let{schemaId:s}=this.opts;if(i=i||new dn({schema:r,schemaId:s,root:n,baseId:t}),i.schema!==i.root.schema)return i}o(nu,"getJsonPointer")});var Hm=T((z1,UC)=>{UC.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var iu=T((N1,Fm)=>{"use strict";var zC=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),Bm=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function au(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(au,"stringArrayToHexStripped");var NC=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function Gm(e){return e.length=0,!0}o(Gm,"consumeIsZone");function DC(e,t,r){if(e.length){let n=au(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(DC,"consumeHextets");function MC(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],i=!1,s=!1,u=DC;for(let d=0;d<e.length;d++){let l=e[d];if(!(l==="["||l==="]"))if(l===":"){if(i===!0&&(s=!0),!u(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(i=!0),n.push(":");continue}else if(l==="%"){if(!u(a,n,r))break;u=Gm}else{a.push(l);continue}}return a.length&&(u===Gm?r.zone=a.join(""):s?n.push(a.join("")):n.push(au(a))),r.address=n.join(""),r}o(MC,"getIPV6");function Vm(e){if(qC(e,":")<2)return{host:e,isIPV6:!1};let t=MC(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(Vm,"normalizeIPv6");function qC(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(qC,"findToken");function $C(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o($C,"removeDotSegments");function LC(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(LC,"normalizeComponentEncoding");function jC(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!Bm(r)){let n=Vm(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(jC,"recomposeAuthority");Fm.exports={nonSimpleDomain:NC,recomposeAuthority:jC,normalizeComponentEncoding:LC,removeDotSegments:$C,isIPv4:Bm,isUUID:zC,normalizeIPv6:Vm,stringArrayToHexStripped:au}});var Ym=T((M1,Jm)=>{"use strict";var{isUUID:HC}=iu(),GC=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,BC=["http","https","ws","wss","urn","urn:uuid"];function VC(e){return BC.indexOf(e)!==-1}o(VC,"isValidSchemeName");function su(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(su,"wsIsSecure");function Zm(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(Zm,"httpParse");function Km(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(Km,"httpSerialize");function FC(e){return e.secure=su(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(FC,"wsParse");function ZC(e){if((e.port===(su(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(ZC,"wsSerialize");function KC(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(GC);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,i=cu(a);e.path=void 0,i&&(e=i.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(KC,"urnParse");function WC(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,i=cu(a);i&&(e=i.serialize(e,t));let s=e,u=e.nss;return s.path=`${n||t.nid}:${u}`,t.skipEscape=!0,s}o(WC,"urnSerialize");function JC(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!HC(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(JC,"urnuuidParse");function YC(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(YC,"urnuuidSerialize");var Wm={scheme:"http",domainHost:!0,parse:Zm,serialize:Km},XC={scheme:"https",domainHost:Wm.domainHost,parse:Zm,serialize:Km},Ka={scheme:"ws",domainHost:!0,parse:FC,serialize:ZC},QC={scheme:"wss",domainHost:Ka.domainHost,parse:Ka.parse,serialize:Ka.serialize},eI={scheme:"urn",parse:KC,serialize:WC,skipNormalize:!0},tI={scheme:"urn:uuid",parse:JC,serialize:YC,skipNormalize:!0},Wa={http:Wm,https:XC,ws:Ka,wss:QC,urn:eI,"urn:uuid":tI};Object.setPrototypeOf(Wa,null);function cu(e){return e&&(Wa[e]||Wa[e.toLowerCase()])||void 0}o(cu,"getSchemeHandler");Jm.exports={wsIsSecure:su,SCHEMES:Wa,isValidSchemeName:VC,getSchemeHandler:cu}});var eh=T(($1,Ya)=>{"use strict";var{normalizeIPv6:rI,removeDotSegments:So,recomposeAuthority:nI,normalizeComponentEncoding:Ja,isIPv4:oI,nonSimpleDomain:aI}=iu(),{SCHEMES:iI,getSchemeHandler:Xm}=Ym();function sI(e,t){return typeof e=="string"?e=Rt(jt(e,t),t):typeof e=="object"&&(e=jt(Rt(e,t),t)),e}o(sI,"normalize");function cI(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=Qm(jt(e,n),jt(t,n),n,!0);return n.skipEscape=!0,Rt(a,n)}o(cI,"resolve");function Qm(e,t,r,n){let a={};return n||(e=jt(Rt(e,r),r),t=jt(Rt(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=So(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=So(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=So(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=So(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(Qm,"resolveComponent");function uI(e,t,r){return typeof e=="string"?(e=unescape(e),e=Rt(Ja(jt(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=Rt(Ja(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=Rt(Ja(jt(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=Rt(Ja(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(uI,"equal");function Rt(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],i=Xm(n.scheme||r.scheme);i&&i.serialize&&i.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let s=nI(r);if(s!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(s),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let u=r.path;!n.absolutePath&&(!i||!i.absolutePath)&&(u=So(u)),s===void 0&&u[0]==="/"&&u[1]==="/"&&(u="/%2F"+u.slice(2)),a.push(u)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(Rt,"serialize");var dI=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function jt(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let i=e.match(dI);if(i){if(n.scheme=i[1],n.userinfo=i[3],n.host=i[4],n.port=parseInt(i[5],10),n.path=i[6]||"",n.query=i[7],n.fragment=i[8],isNaN(n.port)&&(n.port=i[5]),n.host)if(oI(n.host)===!1){let d=rI(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let s=Xm(r.scheme||n.scheme);if(!r.unicodeSupport&&(!s||!s.unicodeSupport)&&n.host&&(r.domainHost||s&&s.domainHost)&&a===!1&&aI(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(u){n.error=n.error||"Host's domain name can not be converted to ASCII: "+u}(!s||s&&!s.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),s&&s.parse&&s.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(jt,"parse");var uu={SCHEMES:iI,normalize:sI,resolve:cI,resolveComponent:Qm,equal:uI,serialize:Rt,parse:jt};Ya.exports=uu;Ya.exports.default=uu;Ya.exports.fastUri=uu});var rh=T(du=>{"use strict";Object.defineProperty(du,"__esModule",{value:!0});var th=eh();th.code='require("ajv/dist/runtime/uri").default';du.default=th});var dh=T(Ie=>{"use strict";Object.defineProperty(Ie,"__esModule",{value:!0});Ie.CodeGen=Ie.Name=Ie.nil=Ie.stringify=Ie.str=Ie._=Ie.KeywordCxt=void 0;var lI=_o();Object.defineProperty(Ie,"KeywordCxt",{enumerable:!0,get:o(function(){return lI.KeywordCxt},"get")});var ln=L();Object.defineProperty(Ie,"_",{enumerable:!0,get:o(function(){return ln._},"get")});Object.defineProperty(Ie,"str",{enumerable:!0,get:o(function(){return ln.str},"get")});Object.defineProperty(Ie,"stringify",{enumerable:!0,get:o(function(){return ln.stringify},"get")});Object.defineProperty(Ie,"nil",{enumerable:!0,get:o(function(){return ln.nil},"get")});Object.defineProperty(Ie,"Name",{enumerable:!0,get:o(function(){return ln.Name},"get")});Object.defineProperty(Ie,"CodeGen",{enumerable:!0,get:o(function(){return ln.CodeGen},"get")});var pI=Va(),sh=yo(),mI=$c(),wo=Za(),hI=L(),vo=ho(),Xa=mo(),pu=J(),nh=Hm(),fI=rh(),ch=o((e,t)=>new RegExp(e,t),"defaultRegExp");ch.code="new RegExp";var gI=["removeAdditional","useDefaults","coerceTypes"],_I=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),yI={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},SI={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},oh=200;function wI(e){var t,r,n,a,i,s,u,d,l,p,m,f,_,S,y,w,v,R,I,N,M,Ye,xt,xs,Os;let Bn=e.strict,Us=(t=e.code)===null||t===void 0?void 0:t.optimize,mp=Us===!0||Us===void 0?1:Us||0,hp=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:ch,Jw=(a=e.uriResolver)!==null&&a!==void 0?a:fI.default;return{strictSchema:(s=(i=e.strictSchema)!==null&&i!==void 0?i:Bn)!==null&&s!==void 0?s:!0,strictNumbers:(d=(u=e.strictNumbers)!==null&&u!==void 0?u:Bn)!==null&&d!==void 0?d:!0,strictTypes:(p=(l=e.strictTypes)!==null&&l!==void 0?l:Bn)!==null&&p!==void 0?p:"log",strictTuples:(f=(m=e.strictTuples)!==null&&m!==void 0?m:Bn)!==null&&f!==void 0?f:"log",strictRequired:(S=(_=e.strictRequired)!==null&&_!==void 0?_:Bn)!==null&&S!==void 0?S:!1,code:e.code?{...e.code,optimize:mp,regExp:hp}:{optimize:mp,regExp:hp},loopRequired:(y=e.loopRequired)!==null&&y!==void 0?y:oh,loopEnum:(w=e.loopEnum)!==null&&w!==void 0?w:oh,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(R=e.messages)!==null&&R!==void 0?R:!0,inlineRefs:(I=e.inlineRefs)!==null&&I!==void 0?I:!0,schemaId:(N=e.schemaId)!==null&&N!==void 0?N:"$id",addUsedSchema:(M=e.addUsedSchema)!==null&&M!==void 0?M:!0,validateSchema:(Ye=e.validateSchema)!==null&&Ye!==void 0?Ye:!0,validateFormats:(xt=e.validateFormats)!==null&&xt!==void 0?xt:!0,unicodeRegExp:(xs=e.unicodeRegExp)!==null&&xs!==void 0?xs:!0,int32range:(Os=e.int32range)!==null&&Os!==void 0?Os:!0,uriResolver:Jw}}o(wI,"requiredOptions");var Ro=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...wI(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new hI.ValueScope({scope:{},prefixes:_I,es5:r,lines:n}),this.logger=TI(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,mI.getRules)(),ah.call(this,yI,t,"NOT SUPPORTED"),ah.call(this,SI,t,"DEPRECATED","warn"),this._metaOpts=CI.call(this),t.formats&&RI.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&bI.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),vI.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=nh;n==="id"&&(a={...nh},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(p,m){await i.call(this,p.$schema);let f=this._addSchema(p,m);return f.validate||s.call(this,f)}async function i(p){p&&!this.getSchema(p)&&await a.call(this,{$ref:p},!0)}async function s(p){try{return this._compileSchemaEnv(p)}catch(m){if(!(m instanceof sh.default))throw m;return u.call(this,m),await d.call(this,m.missingSchema),s.call(this,p)}}function u({missingSchema:p,missingRef:m}){if(this.refs[p])throw new Error(`AnySchema ${p} is loaded but ${m} cannot be resolved`)}async function d(p){let m=await l.call(this,p);this.refs[p]||await i.call(this,m.$schema),this.refs[p]||this.addSchema(m,p,r)}async function l(p){let m=this._loading[p];if(m)return m;try{return await(this._loading[p]=n(p))}finally{delete this._loading[p]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let s of t)this.addSchema(s,void 0,n,a);return this}let i;if(typeof t=="object"){let{schemaId:s}=this.opts;if(i=t[s],i!==void 0&&typeof i!="string")throw new Error(`schema ${s} must be string`)}return r=(0,vo.normalizeId)(r||i),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let i="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(i);else throw new Error(i)}return a}getSchema(t){let r;for(;typeof(r=ih.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new wo.SchemaEnv({schema:{},schemaId:n});if(r=wo.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=ih.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,vo.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(kI.call(this,n,r),!r)return(0,pu.eachItem)(n,i=>lu.call(this,i)),this;EI.call(this,r);let a={...r,type:(0,Xa.getJSONTypes)(r.type),schemaType:(0,Xa.getJSONTypes)(r.schemaType)};return(0,pu.eachItem)(n,a.type.length===0?i=>lu.call(this,i,a):i=>a.type.forEach(s=>lu.call(this,i,a,s))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(i=>i.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,i)=>a+r+i)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let i=a.split("/").slice(1),s=t;for(let u of i)s=s[u];for(let u in n){let d=n[u];if(typeof d!="object")continue;let{$data:l}=d.definition,p=s[u];l&&p&&(s[u]=uh(p))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,i=this.opts.addUsedSchema){let s,{schemaId:u}=this.opts;if(typeof t=="object")s=t[u];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,vo.normalizeId)(s||n);let l=vo.getSchemaRefs.call(this,t,n);return d=new wo.SchemaEnv({schema:t,schemaId:u,meta:r,baseId:n,localRefs:l}),this._cache.set(d.schema,d),i&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):wo.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{wo.compileSchema.call(this,t)}finally{this.opts=r}}};Ro.ValidationError=pI.default;Ro.MissingRefError=sh.default;Ie.default=Ro;function ah(e,t,r,n="error"){for(let a in e){let i=a;i in t&&this.logger[n](`${r}: option ${a}. ${e[i]}`)}}o(ah,"checkOptions");function ih(e){return e=(0,vo.normalizeId)(e),this.schemas[e]||this.refs[e]}o(ih,"getSchEnv");function vI(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(vI,"addInitialSchemas");function RI(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(RI,"addInitialFormats");function bI(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(bI,"addInitialKeywords");function CI(){let e={...this.opts};for(let t of gI)delete e[t];return e}o(CI,"getMetaSchemaOptions");var II={log(){},warn(){},error(){}};function TI(e){if(e===!1)return II;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(TI,"getLogger");var AI=/^[a-z_$][a-z0-9_$:-]*$/i;function kI(e,t){let{RULES:r}=this;if((0,pu.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!AI.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(kI,"checkKeyword");function lu(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:i}=this,s=a?i.post:i.rules.find(({type:d})=>d===r);if(s||(s={type:r,rules:[]},i.rules.push(s)),i.keywords[e]=!0,!t)return;let u={keyword:e,definition:{...t,type:(0,Xa.getJSONTypes)(t.type),schemaType:(0,Xa.getJSONTypes)(t.schemaType)}};t.before?PI.call(this,s,u,t.before):s.rules.push(u),i.all[e]=u,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(lu,"addRule");function PI(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(PI,"addBeforeRule");function EI(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=uh(t)),e.validateSchema=this.compile(t,!0))}o(EI,"keywordMetaschema");var xI={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function uh(e){return{anyOf:[e,xI]}}o(uh,"schemaOrData")});var lh=T(mu=>{"use strict";Object.defineProperty(mu,"__esModule",{value:!0});var OI={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};mu.default=OI});var fh=T(Pr=>{"use strict";Object.defineProperty(Pr,"__esModule",{value:!0});Pr.callRef=Pr.getValidate=void 0;var UI=yo(),ph=nt(),Ve=L(),pn=$t(),mh=Za(),Qa=J(),zI={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:i,validateName:s,opts:u,self:d}=n,{root:l}=i;if((r==="#"||r==="#/")&&a===l.baseId)return m();let p=mh.resolveRef.call(d,l,a,r);if(p===void 0)throw new UI.default(n.opts.uriResolver,a,r);if(p instanceof mh.SchemaEnv)return f(p);return _(p);function m(){if(i===l)return ei(e,s,i,i.$async);let S=t.scopeValue("root",{ref:l});return ei(e,(0,Ve._)`${S}.validate`,l,l.$async)}function f(S){let y=hh(e,S);ei(e,y,S,S.$async)}function _(S){let y=t.scopeValue("schema",u.code.source===!0?{ref:S,code:(0,Ve.stringify)(S)}:{ref:S}),w=t.name("valid"),v=e.subschema({schema:S,dataTypes:[],schemaPath:Ve.nil,topSchemaRef:y,errSchemaPath:r},w);e.mergeEvaluated(v),e.ok(w)}}};function hh(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,Ve._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(hh,"getValidate");Pr.getValidate=hh;function ei(e,t,r,n){let{gen:a,it:i}=e,{allErrors:s,schemaEnv:u,opts:d}=i,l=d.passContext?pn.default.this:Ve.nil;n?p():m();function p(){if(!u.$async)throw new Error("async schema referenced by sync schema");let S=a.let("valid");a.try(()=>{a.code((0,Ve._)`await ${(0,ph.callValidateCode)(e,t,l)}`),_(t),s||a.assign(S,!0)},y=>{a.if((0,Ve._)`!(${y} instanceof ${i.ValidationError})`,()=>a.throw(y)),f(y),s||a.assign(S,!1)}),e.ok(S)}o(p,"callAsyncRef");function m(){e.result((0,ph.callValidateCode)(e,t,l),()=>_(t),()=>f(t))}o(m,"callSyncRef");function f(S){let y=(0,Ve._)`${S}.errors`;a.assign(pn.default.vErrors,(0,Ve._)`${pn.default.vErrors} === null ? ${y} : ${pn.default.vErrors}.concat(${y})`),a.assign(pn.default.errors,(0,Ve._)`${pn.default.vErrors}.length`)}o(f,"addErrorsFrom");function _(S){var y;if(!i.opts.unevaluated)return;let w=(y=r?.validate)===null||y===void 0?void 0:y.evaluated;if(i.props!==!0)if(w&&!w.dynamicProps)w.props!==void 0&&(i.props=Qa.mergeEvaluated.props(a,w.props,i.props));else{let v=a.var("props",(0,Ve._)`${S}.evaluated.props`);i.props=Qa.mergeEvaluated.props(a,v,i.props,Ve.Name)}if(i.items!==!0)if(w&&!w.dynamicItems)w.items!==void 0&&(i.items=Qa.mergeEvaluated.items(a,w.items,i.items));else{let v=a.var("items",(0,Ve._)`${S}.evaluated.items`);i.items=Qa.mergeEvaluated.items(a,v,i.items,Ve.Name)}}o(_,"addEvaluatedFrom")}o(ei,"callRef");Pr.callRef=ei;Pr.default=zI});var gh=T(hu=>{"use strict";Object.defineProperty(hu,"__esModule",{value:!0});var NI=lh(),DI=fh(),MI=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",NI.default,DI.default];hu.default=MI});var _h=T(fu=>{"use strict";Object.defineProperty(fu,"__esModule",{value:!0});var ti=L(),dr=ti.operators,ri={maximum:{okStr:"<=",ok:dr.LTE,fail:dr.GT},minimum:{okStr:">=",ok:dr.GTE,fail:dr.LT},exclusiveMaximum:{okStr:"<",ok:dr.LT,fail:dr.GTE},exclusiveMinimum:{okStr:">",ok:dr.GT,fail:dr.LTE}},qI={message:o(({keyword:e,schemaCode:t})=>(0,ti.str)`must be ${ri[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ti._)`{comparison: ${ri[e].okStr}, limit: ${t}}`,"params")},$I={keyword:Object.keys(ri),type:"number",schemaType:"number",$data:!0,error:qI,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,ti._)`${r} ${ri[t].fail} ${n} || isNaN(${r})`)}};fu.default=$I});var yh=T(gu=>{"use strict";Object.defineProperty(gu,"__esModule",{value:!0});var bo=L(),LI={message:o(({schemaCode:e})=>(0,bo.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,bo._)`{multipleOf: ${e}}`,"params")},jI={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:LI,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,i=a.opts.multipleOfPrecision,s=t.let("res"),u=i?(0,bo._)`Math.abs(Math.round(${s}) - ${s}) > 1e-${i}`:(0,bo._)`${s} !== parseInt(${s})`;e.fail$data((0,bo._)`(${n} === 0 || (${s} = ${r}/${n}, ${u}))`)}};gu.default=jI});var wh=T(_u=>{"use strict";Object.defineProperty(_u,"__esModule",{value:!0});function Sh(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(Sh,"ucs2length");_u.default=Sh;Sh.code='require("ajv/dist/runtime/ucs2length").default'});var vh=T(yu=>{"use strict";Object.defineProperty(yu,"__esModule",{value:!0});var Er=L(),HI=J(),GI=wh(),BI={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,Er.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,Er._)`{limit: ${e}}`,"params")},VI={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:BI,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,i=t==="maxLength"?Er.operators.GT:Er.operators.LT,s=a.opts.unicode===!1?(0,Er._)`${r}.length`:(0,Er._)`${(0,HI.useFunc)(e.gen,GI.default)}(${r})`;e.fail$data((0,Er._)`${s} ${i} ${n}`)}};yu.default=VI});var Rh=T(Su=>{"use strict";Object.defineProperty(Su,"__esModule",{value:!0});var FI=nt(),ni=L(),ZI={message:o(({schemaCode:e})=>(0,ni.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,ni._)`{pattern: ${e}}`,"params")},KI={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:ZI,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:i}=e,s=i.opts.unicodeRegExp?"u":"",u=r?(0,ni._)`(new RegExp(${a}, ${s}))`:(0,FI.usePattern)(e,n);e.fail$data((0,ni._)`!${u}.test(${t})`)}};Su.default=KI});var bh=T(wu=>{"use strict";Object.defineProperty(wu,"__esModule",{value:!0});var Co=L(),WI={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,Co.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,Co._)`{limit: ${e}}`,"params")},JI={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:WI,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?Co.operators.GT:Co.operators.LT;e.fail$data((0,Co._)`Object.keys(${r}).length ${a} ${n}`)}};wu.default=JI});var Ch=T(vu=>{"use strict";Object.defineProperty(vu,"__esModule",{value:!0});var Io=nt(),To=L(),YI=J(),XI={message:o(({params:{missingProperty:e}})=>(0,To.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,To._)`{missingProperty: ${e}}`,"params")},QI={keyword:"required",type:"object",schemaType:"array",$data:!0,error:XI,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:i,it:s}=e,{opts:u}=s;if(!i&&r.length===0)return;let d=r.length>=u.loopRequired;if(s.allErrors?l():p(),u.strictRequired){let _=e.parentSchema.properties,{definedProperties:S}=e.it;for(let y of r)if(_?.[y]===void 0&&!S.has(y)){let w=s.schemaEnv.baseId+s.errSchemaPath,v=`required property "${y}" is not defined at "${w}" (strictRequired)`;(0,YI.checkStrictMode)(s,v,s.opts.strictRequired)}}function l(){if(d||i)e.block$data(To.nil,m);else for(let _ of r)(0,Io.checkReportMissingProp)(e,_)}o(l,"allErrorsMode");function p(){let _=t.let("missing");if(d||i){let S=t.let("valid",!0);e.block$data(S,()=>f(_,S)),e.ok(S)}else t.if((0,Io.checkMissingProp)(e,r,_)),(0,Io.reportMissingProp)(e,_),t.else()}o(p,"exitOnErrorMode");function m(){t.forOf("prop",n,_=>{e.setParams({missingProperty:_}),t.if((0,Io.noPropertyInData)(t,a,_,u.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function f(_,S){e.setParams({missingProperty:_}),t.forOf(_,n,()=>{t.assign(S,(0,Io.propertyInData)(t,a,_,u.ownProperties)),t.if((0,To.not)(S),()=>{e.error(),t.break()})},To.nil)}o(f,"loopUntilMissing")}};vu.default=QI});var Ih=T(Ru=>{"use strict";Object.defineProperty(Ru,"__esModule",{value:!0});var Ao=L(),eT={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,Ao.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,Ao._)`{limit: ${e}}`,"params")},tT={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:eT,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?Ao.operators.GT:Ao.operators.LT;e.fail$data((0,Ao._)`${r}.length ${a} ${n}`)}};Ru.default=tT});var oi=T(bu=>{"use strict";Object.defineProperty(bu,"__esModule",{value:!0});var Th=Zc();Th.code='require("ajv/dist/runtime/equal").default';bu.default=Th});var Ah=T(Iu=>{"use strict";Object.defineProperty(Iu,"__esModule",{value:!0});var Cu=mo(),Te=L(),rT=J(),nT=oi(),oT={message:o(({params:{i:e,j:t}})=>(0,Te.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,Te._)`{i: ${e}, j: ${t}}`,"params")},aT={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:oT,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:i,schemaCode:s,it:u}=e;if(!n&&!a)return;let d=t.let("valid"),l=i.items?(0,Cu.getSchemaTypes)(i.items):[];e.block$data(d,p,(0,Te._)`${s} === false`),e.ok(d);function p(){let S=t.let("i",(0,Te._)`${r}.length`),y=t.let("j");e.setParams({i:S,j:y}),t.assign(d,!0),t.if((0,Te._)`${S} > 1`,()=>(m()?f:_)(S,y))}o(p,"validateUniqueItems");function m(){return l.length>0&&!l.some(S=>S==="object"||S==="array")}o(m,"canOptimize");function f(S,y){let w=t.name("item"),v=(0,Cu.checkDataTypes)(l,w,u.opts.strictNumbers,Cu.DataType.Wrong),R=t.const("indices",(0,Te._)`{}`);t.for((0,Te._)`;${S}--;`,()=>{t.let(w,(0,Te._)`${r}[${S}]`),t.if(v,(0,Te._)`continue`),l.length>1&&t.if((0,Te._)`typeof ${w} == "string"`,(0,Te._)`${w} += "_"`),t.if((0,Te._)`typeof ${R}[${w}] == "number"`,()=>{t.assign(y,(0,Te._)`${R}[${w}]`),e.error(),t.assign(d,!1).break()}).code((0,Te._)`${R}[${w}] = ${S}`)})}o(f,"loopN");function _(S,y){let w=(0,rT.useFunc)(t,nT.default),v=t.name("outer");t.label(v).for((0,Te._)`;${S}--;`,()=>t.for((0,Te._)`${y} = ${S}; ${y}--;`,()=>t.if((0,Te._)`${w}(${r}[${S}], ${r}[${y}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(_,"loopN2")}};Iu.default=aT});var kh=T(Au=>{"use strict";Object.defineProperty(Au,"__esModule",{value:!0});var Tu=L(),iT=J(),sT=oi(),cT={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,Tu._)`{allowedValue: ${e}}`,"params")},uT={keyword:"const",$data:!0,error:cT,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:i}=e;n||i&&typeof i=="object"?e.fail$data((0,Tu._)`!${(0,iT.useFunc)(t,sT.default)}(${r}, ${a})`):e.fail((0,Tu._)`${i} !== ${r}`)}};Au.default=uT});var Ph=T(ku=>{"use strict";Object.defineProperty(ku,"__esModule",{value:!0});var ko=L(),dT=J(),lT=oi(),pT={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,ko._)`{allowedValues: ${e}}`,"params")},mT={keyword:"enum",schemaType:"array",$data:!0,error:pT,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:i,it:s}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let u=a.length>=s.opts.loopEnum,d,l=o(()=>d??(d=(0,dT.useFunc)(t,lT.default)),"getEql"),p;if(u||n)p=t.let("valid"),e.block$data(p,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let _=t.const("vSchema",i);p=(0,ko.or)(...a.map((S,y)=>f(_,y)))}e.pass(p);function m(){t.assign(p,!1),t.forOf("v",i,_=>t.if((0,ko._)`${l()}(${r}, ${_})`,()=>t.assign(p,!0).break()))}o(m,"loopEnum");function f(_,S){let y=a[S];return typeof y=="object"&&y!==null?(0,ko._)`${l()}(${r}, ${_}[${S}])`:(0,ko._)`${r} === ${y}`}o(f,"equalCode")}};ku.default=mT});var Eh=T(Pu=>{"use strict";Object.defineProperty(Pu,"__esModule",{value:!0});var hT=_h(),fT=yh(),gT=vh(),_T=Rh(),yT=bh(),ST=Ch(),wT=Ih(),vT=Ah(),RT=kh(),bT=Ph(),CT=[hT.default,fT.default,gT.default,_T.default,yT.default,ST.default,wT.default,vT.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},RT.default,bT.default];Pu.default=CT});var xu=T(Po=>{"use strict";Object.defineProperty(Po,"__esModule",{value:!0});Po.validateAdditionalItems=void 0;var xr=L(),Eu=J(),IT={message:o(({params:{len:e}})=>(0,xr.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,xr._)`{limit: ${e}}`,"params")},TT={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:IT,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,Eu.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}xh(e,n)}};function xh(e,t){let{gen:r,schema:n,data:a,keyword:i,it:s}=e;s.items=!0;let u=r.const("len",(0,xr._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,xr._)`${u} <= ${t.length}`);else if(typeof n=="object"&&!(0,Eu.alwaysValidSchema)(s,n)){let l=r.var("valid",(0,xr._)`${u} <= ${t.length}`);r.if((0,xr.not)(l),()=>d(l)),e.ok(l)}function d(l){r.forRange("i",t.length,u,p=>{e.subschema({keyword:i,dataProp:p,dataPropType:Eu.Type.Num},l),s.allErrors||r.if((0,xr.not)(l),()=>r.break())})}o(d,"validateItems")}o(xh,"validateAdditionalItems");Po.validateAdditionalItems=xh;Po.default=TT});var Ou=T(Eo=>{"use strict";Object.defineProperty(Eo,"__esModule",{value:!0});Eo.validateTuple=void 0;var Oh=L(),ai=J(),AT=nt(),kT={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return Uh(e,"additionalItems",t);r.items=!0,!(0,ai.alwaysValidSchema)(r,t)&&e.ok((0,AT.validateArray)(e))}};function Uh(e,t,r=e.schema){let{gen:n,parentSchema:a,data:i,keyword:s,it:u}=e;p(a),u.opts.unevaluated&&r.length&&u.items!==!0&&(u.items=ai.mergeEvaluated.items(n,r.length,u.items));let d=n.name("valid"),l=n.const("len",(0,Oh._)`${i}.length`);r.forEach((m,f)=>{(0,ai.alwaysValidSchema)(u,m)||(n.if((0,Oh._)`${l} > ${f}`,()=>e.subschema({keyword:s,schemaProp:f,dataProp:f},d)),e.ok(d))});function p(m){let{opts:f,errSchemaPath:_}=u,S=r.length,y=S===m.minItems&&(S===m.maxItems||m[t]===!1);if(f.strictTuples&&!y){let w=`"${s}" is ${S}-tuple, but minItems or maxItems/${t} are not specified or different at path "${_}"`;(0,ai.checkStrictMode)(u,w,f.strictTuples)}}o(p,"checkStrictTuple")}o(Uh,"validateTuple");Eo.validateTuple=Uh;Eo.default=kT});var zh=T(Uu=>{"use strict";Object.defineProperty(Uu,"__esModule",{value:!0});var PT=Ou(),ET={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,PT.validateTuple)(e,"items"),"code")};Uu.default=ET});var Dh=T(zu=>{"use strict";Object.defineProperty(zu,"__esModule",{value:!0});var Nh=L(),xT=J(),OT=nt(),UT=xu(),zT={message:o(({params:{len:e}})=>(0,Nh.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,Nh._)`{limit: ${e}}`,"params")},NT={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:zT,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,xT.alwaysValidSchema)(n,t)&&(a?(0,UT.validateAdditionalItems)(e,a):e.ok((0,OT.validateArray)(e)))}};zu.default=NT});var Mh=T(Nu=>{"use strict";Object.defineProperty(Nu,"__esModule",{value:!0});var at=L(),ii=J(),DT={message:o(({params:{min:e,max:t}})=>t===void 0?(0,at.str)`must contain at least ${e} valid item(s)`:(0,at.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,at._)`{minContains: ${e}}`:(0,at._)`{minContains: ${e}, maxContains: ${t}}`,"params")},MT={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:DT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e,s,u,{minContains:d,maxContains:l}=n;i.opts.next?(s=d===void 0?1:d,u=l):s=1;let p=t.const("len",(0,at._)`${a}.length`);if(e.setParams({min:s,max:u}),u===void 0&&s===0){(0,ii.checkStrictMode)(i,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(u!==void 0&&s>u){(0,ii.checkStrictMode)(i,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,ii.alwaysValidSchema)(i,r)){let y=(0,at._)`${p} >= ${s}`;u!==void 0&&(y=(0,at._)`${y} && ${p} <= ${u}`),e.pass(y);return}i.items=!0;let m=t.name("valid");u===void 0&&s===1?_(m,()=>t.if(m,()=>t.break())):s===0?(t.let(m,!0),u!==void 0&&t.if((0,at._)`${a}.length > 0`,f)):(t.let(m,!1),f()),e.result(m,()=>e.reset());function f(){let y=t.name("_valid"),w=t.let("count",0);_(y,()=>t.if(y,()=>S(w)))}o(f,"validateItemsWithCount");function _(y,w){t.forRange("i",0,p,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:ii.Type.Num,compositeRule:!0},y),w()})}o(_,"validateItems");function S(y){t.code((0,at._)`${y}++`),u===void 0?t.if((0,at._)`${y} >= ${s}`,()=>t.assign(m,!0).break()):(t.if((0,at._)`${y} > ${u}`,()=>t.assign(m,!1).break()),s===1?t.assign(m,!0):t.if((0,at._)`${y} >= ${s}`,()=>t.assign(m,!0)))}o(S,"checkLimits")}};Nu.default=MT});var Lh=T(bt=>{"use strict";Object.defineProperty(bt,"__esModule",{value:!0});bt.validateSchemaDeps=bt.validatePropertyDeps=bt.error=void 0;var Du=L(),qT=J(),xo=nt();bt.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,Du.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,Du._)`{property: ${e},
+import{$ as ge,H as Hp,I as tc,J as Rv,K as Lp,L as f,M as Bp,N as ee,O as ae,P as Gp,Q as Vp,R as we,S as C,T as I,U as Ce,V as me,W as rc,X as nc,Y as ue,Z as nt,_ as O,a as sr,aa as Fp,b as jp,ba as oc,ca as Zp,da as Kp,ea as u,fa as ie,j as uo,k as Dp,q as ec,z as Dt}from"../chunk-UMZORQLU.js";import{d as lo}from"../chunk-2ZQVIVZ3.js";import{a as K}from"../chunk-ZS34EO4B.js";import{X as qa,Y as jt,Z as Np,a as o,c as x,e as qp}from"../chunk-YGYFQCBA.js";var Io=x(te=>{"use strict";Object.defineProperty(te,"__esModule",{value:!0});te.regexpCode=te.getEsmExportName=te.getProperty=te.safeStringify=te.stringify=te.strConcat=te.addCodeArg=te.str=te._=te.nil=te._Code=te.Name=te.IDENTIFIER=te._CodeOrName=void 0;var Ro=class{static{o(this,"_CodeOrName")}};te._CodeOrName=Ro;te.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var Mr=class extends Ro{static{o(this,"Name")}constructor(t){if(super(),!te.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};te.Name=Mr;var ut=class extends Ro{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof Mr&&(r[n.str]=(r[n.str]||0)+1),r),{})}};te._Code=ut;te.nil=new ut("");function pm(e,...t){let r=[e[0]],n=0;for(;n<t.length;)Nc(r,t[n]),r.push(e[++n]);return new ut(r)}o(pm,"_");te._=pm;var qc=new ut("+");function mm(e,...t){let r=[Co(e[0])],n=0;for(;n<t.length;)r.push(qc),Nc(r,t[n]),r.push(qc,Co(e[++n]));return Kb(r),new ut(r)}o(mm,"str");te.str=mm;function Nc(e,t){t instanceof ut?e.push(...t._items):t instanceof Mr?e.push(t):e.push(Yb(t))}o(Nc,"addCodeArg");te.addCodeArg=Nc;function Kb(e){let t=1;for(;t<e.length-1;){if(e[t]===qc){let r=Wb(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(Kb,"optimize");function Wb(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof Mr||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof Mr))return`"${e}${t.slice(1)}`}o(Wb,"mergeExprItems");function Jb(e,t){return t.emptyStr()?e:e.emptyStr()?t:mm`${e}${t}`}o(Jb,"strConcat");te.strConcat=Jb;function Yb(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:Co(Array.isArray(e)?e.join(","):e)}o(Yb,"interpolate");function Qb(e){return new ut(Co(e))}o(Qb,"stringify");te.stringify=Qb;function Co(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(Co,"safeStringify");te.safeStringify=Co;function Xb(e){return typeof e=="string"&&te.IDENTIFIER.test(e)?new ut(`.${e}`):pm`[${e}]`}o(Xb,"getProperty");te.getProperty=Xb;function eR(e){if(typeof e=="string"&&te.IDENTIFIER.test(e))return new ut(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(eR,"getEsmExportName");te.getEsmExportName=eR;function tR(e){return new ut(e.toString())}o(tR,"regexpCode");te.regexpCode=tR});var Hc=x(We=>{"use strict";Object.defineProperty(We,"__esModule",{value:!0});We.ValueScope=We.ValueScopeName=We.Scope=We.varKinds=We.UsedValueState=void 0;var Ke=Io(),jc=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},Xa;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(Xa||(We.UsedValueState=Xa={}));We.varKinds={const:new Ke.Name("const"),let:new Ke.Name("let"),var:new Ke.Name("var")};var ei=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof Ke.Name?t:this.name(t)}name(t){return new Ke.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};We.Scope=ei;var ti=class extends Ke.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,Ke._)`.${new Ke.Name(r)}[${n}]`}};We.ValueScopeName=ti;var rR=(0,Ke._)`\n`,Dc=class extends ei{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?rR:Ke.nil}}get(){return this._scope}name(t){return new ti(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:i}=a,s=(n=r.key)!==null&&n!==void 0?n:r.ref,c=this._values[i];if(c){let l=c.get(s);if(l)return l}else c=this._values[i]=new Map;c.set(s,a);let d=this._scope[i]||(this._scope[i]=[]),p=d.length;return d[p]=r.ref,a.setValue(r,{property:i,itemIndex:p}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,Ke._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let i=Ke.nil;for(let s in t){let c=t[s];if(!c)continue;let d=n[s]=n[s]||new Map;c.forEach(p=>{if(d.has(p))return;d.set(p,Xa.Started);let l=r(p);if(l){let m=this.opts.es5?We.varKinds.var:We.varKinds.const;i=(0,Ke._)`${i}${m} ${p} = ${l};${this.opts._n}`}else if(l=a?.(p))i=(0,Ke._)`${i}${l}${this.opts._n}`;else throw new jc(p);d.set(p,Xa.Completed)})}return i}};We.ValueScope=Dc});var F=x(Z=>{"use strict";Object.defineProperty(Z,"__esModule",{value:!0});Z.or=Z.and=Z.not=Z.CodeGen=Z.operators=Z.varKinds=Z.ValueScopeName=Z.ValueScope=Z.Scope=Z.Name=Z.regexpCode=Z.stringify=Z.getProperty=Z.nil=Z.strConcat=Z.str=Z._=void 0;var Y=Io(),_t=Hc(),gr=Io();Object.defineProperty(Z,"_",{enumerable:!0,get:o(function(){return gr._},"get")});Object.defineProperty(Z,"str",{enumerable:!0,get:o(function(){return gr.str},"get")});Object.defineProperty(Z,"strConcat",{enumerable:!0,get:o(function(){return gr.strConcat},"get")});Object.defineProperty(Z,"nil",{enumerable:!0,get:o(function(){return gr.nil},"get")});Object.defineProperty(Z,"getProperty",{enumerable:!0,get:o(function(){return gr.getProperty},"get")});Object.defineProperty(Z,"stringify",{enumerable:!0,get:o(function(){return gr.stringify},"get")});Object.defineProperty(Z,"regexpCode",{enumerable:!0,get:o(function(){return gr.regexpCode},"get")});Object.defineProperty(Z,"Name",{enumerable:!0,get:o(function(){return gr.Name},"get")});var ai=Hc();Object.defineProperty(Z,"Scope",{enumerable:!0,get:o(function(){return ai.Scope},"get")});Object.defineProperty(Z,"ValueScope",{enumerable:!0,get:o(function(){return ai.ValueScope},"get")});Object.defineProperty(Z,"ValueScopeName",{enumerable:!0,get:o(function(){return ai.ValueScopeName},"get")});Object.defineProperty(Z,"varKinds",{enumerable:!0,get:o(function(){return ai.varKinds},"get")});Z.operators={GT:new Y._Code(">"),GTE:new Y._Code(">="),LT:new Y._Code("<"),LTE:new Y._Code("<="),EQ:new Y._Code("==="),NEQ:new Y._Code("!=="),NOT:new Y._Code("!"),OR:new Y._Code("||"),AND:new Y._Code("&&"),ADD:new Y._Code("+")};var Gt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},Lc=class extends Gt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?_t.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=Sn(this.rhs,t,r)),this}get names(){return this.rhs instanceof Y._CodeOrName?this.rhs.names:{}}},ri=class extends Gt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof Y.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=Sn(this.rhs,t,r),this}get names(){let t=this.lhs instanceof Y.Name?{}:{...this.lhs.names};return oi(t,this.rhs)}},Bc=class extends ri{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},Gc=class extends Gt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},Vc=class extends Gt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},Fc=class extends Gt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},Zc=class extends Gt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=Sn(this.code,t,r),this}get names(){return this.code instanceof Y._CodeOrName?this.code.names:{}}},Po=class extends Gt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let i=n[a];i.optimizeNames(t,r)||(nR(t,i.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>jr(t,r.names),{})}},Vt=class extends Po{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},Kc=class extends Po{static{o(this,"Root")}},yn=class extends Vt{static{o(this,"Else")}};yn.kind="else";var qr=class e extends Vt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new yn(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(fm(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=Sn(this.condition,t,r),this}get names(){let t=super.names;return oi(t,this.condition),this.else&&jr(t,this.else.names),t}};qr.kind="if";var Nr=class extends Vt{static{o(this,"For")}};Nr.kind="for";var Wc=class extends Nr{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=Sn(this.iteration,t,r),this}get names(){return jr(super.names,this.iteration.names)}},Jc=class extends Nr{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?_t.varKinds.var:this.varKind,{name:n,from:a,to:i}=this;return`for(${r} ${n}=${a}; ${n}<${i}; ${n}++)`+super.render(t)}get names(){let t=oi(super.names,this.from);return oi(t,this.to)}},ni=class extends Nr{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=Sn(this.iterable,t,r),this}get names(){return jr(super.names,this.iterable.names)}},xo=class extends Vt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};xo.kind="func";var Ao=class extends Po{static{o(this,"Return")}render(t){return"return "+super.render(t)}};Ao.kind="return";var Yc=class extends Vt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&jr(t,this.catch.names),this.finally&&jr(t,this.finally.names),t}},To=class extends Vt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};To.kind="catch";var ko=class extends Vt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};ko.kind="finally";var Qc=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
+`:""},this._extScope=t,this._scope=new _t.Scope({parent:t}),this._nodes=[new Kc]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let i=this._scope.toName(r);return n!==void 0&&a&&(this._constants[i.str]=n),this._leafNode(new Lc(t,i,n)),i}const(t,r,n){return this._def(_t.varKinds.const,t,r,n)}let(t,r,n){return this._def(_t.varKinds.let,t,r,n)}var(t,r,n){return this._def(_t.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new ri(t,r,n))}add(t,r){return this._leafNode(new Bc(t,Z.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==Y.nil&&this._leafNode(new Zc(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,Y.addCodeArg)(r,a));return r.push("}"),new Y._Code(r)}if(t,r,n){if(this._blockNode(new qr(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new qr(t))}else(){return this._elseNode(new yn)}endIf(){return this._endBlockNode(qr,yn)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new Wc(t),r)}forRange(t,r,n,a,i=this.opts.es5?_t.varKinds.var:_t.varKinds.let){let s=this._scope.toName(t);return this._for(new Jc(i,s,r,n),()=>a(s))}forOf(t,r,n,a=_t.varKinds.const){let i=this._scope.toName(t);if(this.opts.es5){let s=r instanceof Y.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,Y._)`${s}.length`,c=>{this.var(i,(0,Y._)`${s}[${c}]`),n(i)})}return this._for(new ni("of",a,i,r),()=>n(i))}forIn(t,r,n,a=this.opts.es5?_t.varKinds.var:_t.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,Y._)`Object.keys(${r})`,n);let i=this._scope.toName(t);return this._for(new ni("in",a,i,r),()=>n(i))}endFor(){return this._endBlockNode(Nr)}label(t){return this._leafNode(new Gc(t))}break(t){return this._leafNode(new Vc(t))}return(t){let r=new Ao;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(Ao)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new Yc;if(this._blockNode(a),this.code(t),r){let i=this.name("e");this._currNode=a.catch=new To(i),r(i)}return n&&(this._currNode=a.finally=new ko,this.code(n)),this._endBlockNode(To,ko)}throw(t){return this._leafNode(new Fc(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=Y.nil,n,a){return this._blockNode(new xo(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(xo)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof qr))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};Z.CodeGen=Qc;function jr(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(jr,"addNames");function oi(e,t){return t instanceof Y._CodeOrName?jr(e,t.names):e}o(oi,"addExprNames");function Sn(e,t,r){if(e instanceof Y.Name)return n(e);if(!a(e))return e;return new Y._Code(e._items.reduce((i,s)=>(s instanceof Y.Name&&(s=n(s)),s instanceof Y._Code?i.push(...s._items):i.push(s),i),[]));function n(i){let s=r[i.str];return s===void 0||t[i.str]!==1?i:(delete t[i.str],s)}function a(i){return i instanceof Y._Code&&i._items.some(s=>s instanceof Y.Name&&t[s.str]===1&&r[s.str]!==void 0)}}o(Sn,"optimizeExpr");function nR(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(nR,"subtractNames");function fm(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,Y._)`!${Xc(e)}`}o(fm,"not");Z.not=fm;var oR=hm(Z.operators.AND);function aR(...e){return e.reduce(oR)}o(aR,"and");Z.and=aR;var iR=hm(Z.operators.OR);function sR(...e){return e.reduce(iR)}o(sR,"or");Z.or=sR;function hm(e){return(t,r)=>t===Y.nil?r:r===Y.nil?t:(0,Y._)`${Xc(t)} ${e} ${Xc(r)}`}o(hm,"mappend");function Xc(e){return e instanceof Y.Name?e:(0,Y._)`(${e})`}o(Xc,"par")});var re=x(W=>{"use strict";Object.defineProperty(W,"__esModule",{value:!0});W.checkStrictMode=W.getErrorPath=W.Type=W.useFunc=W.setEvaluated=W.evaluatedPropsToName=W.mergeEvaluated=W.eachItem=W.unescapeJsonPointer=W.escapeJsonPointer=W.escapeFragment=W.unescapeFragment=W.schemaRefOrVal=W.schemaHasRulesButRef=W.schemaHasRules=W.checkUnknownRules=W.alwaysValidSchema=W.toHash=void 0;var se=F(),cR=Io();function uR(e){let t={};for(let r of e)t[r]=!0;return t}o(uR,"toHash");W.toHash=uR;function dR(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(Sm(e,t),!_m(t,e.self.RULES.all))}o(dR,"alwaysValidSchema");W.alwaysValidSchema=dR;function Sm(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let i in t)a[i]||bm(e,`unknown keyword: "${i}"`)}o(Sm,"checkUnknownRules");W.checkUnknownRules=Sm;function _m(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(_m,"schemaHasRules");W.schemaHasRules=_m;function lR(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o(lR,"schemaHasRulesButRef");W.schemaHasRulesButRef=lR;function pR({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,se._)`${r}`}return(0,se._)`${e}${t}${(0,se.getProperty)(n)}`}o(pR,"schemaRefOrVal");W.schemaRefOrVal=pR;function mR(e){return wm(decodeURIComponent(e))}o(mR,"unescapeFragment");W.unescapeFragment=mR;function fR(e){return encodeURIComponent(tu(e))}o(fR,"escapeFragment");W.escapeFragment=fR;function tu(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(tu,"escapeJsonPointer");W.escapeJsonPointer=tu;function wm(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(wm,"unescapeJsonPointer");W.unescapeJsonPointer=wm;function hR(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(hR,"eachItem");W.eachItem=hR;function gm({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,i,s,c)=>{let d=s===void 0?i:s instanceof se.Name?(i instanceof se.Name?e(a,i,s):t(a,i,s),s):i instanceof se.Name?(t(a,s,i),i):r(i,s);return c===se.Name&&!(d instanceof se.Name)?n(a,d):d}}o(gm,"makeMergeEvaluated");W.mergeEvaluated={props:gm({mergeNames:o((e,t,r)=>e.if((0,se._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,se._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,se._)`${r} || {}`).code((0,se._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,se._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,se._)`${r} || {}`),ru(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:vm}),items:gm({mergeNames:o((e,t,r)=>e.if((0,se._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,se._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,se._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,se._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function vm(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,se._)`{}`);return t!==void 0&&ru(e,r,t),r}o(vm,"evaluatedPropsToName");W.evaluatedPropsToName=vm;function ru(e,t,r){Object.keys(r).forEach(n=>e.assign((0,se._)`${t}${(0,se.getProperty)(n)}`,!0))}o(ru,"setEvaluated");W.setEvaluated=ru;var ym={};function gR(e,t){return e.scopeValue("func",{ref:t,code:ym[t.code]||(ym[t.code]=new cR._Code(t.code))})}o(gR,"useFunc");W.useFunc=gR;var eu;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(eu||(W.Type=eu={}));function yR(e,t,r){if(e instanceof se.Name){let n=t===eu.Num;return r?n?(0,se._)`"[" + ${e} + "]"`:(0,se._)`"['" + ${e} + "']"`:n?(0,se._)`"/" + ${e}`:(0,se._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,se.getProperty)(e).toString():"/"+tu(e)}o(yR,"getErrorPath");W.getErrorPath=yR;function bm(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(bm,"checkStrictMode");W.checkStrictMode=bm});var Ft=x(nu=>{"use strict";Object.defineProperty(nu,"__esModule",{value:!0});var Ne=F(),SR={data:new Ne.Name("data"),valCxt:new Ne.Name("valCxt"),instancePath:new Ne.Name("instancePath"),parentData:new Ne.Name("parentData"),parentDataProperty:new Ne.Name("parentDataProperty"),rootData:new Ne.Name("rootData"),dynamicAnchors:new Ne.Name("dynamicAnchors"),vErrors:new Ne.Name("vErrors"),errors:new Ne.Name("errors"),this:new Ne.Name("this"),self:new Ne.Name("self"),scope:new Ne.Name("scope"),json:new Ne.Name("json"),jsonPos:new Ne.Name("jsonPos"),jsonLen:new Ne.Name("jsonLen"),jsonPart:new Ne.Name("jsonPart")};nu.default=SR});var Eo=x(je=>{"use strict";Object.defineProperty(je,"__esModule",{value:!0});je.extendErrors=je.resetErrorsCount=je.reportExtraError=je.reportError=je.keyword$DataError=je.keywordError=void 0;var X=F(),ii=re(),Ve=Ft();je.keywordError={message:o(({keyword:e})=>(0,X.str)`must pass "${e}" keyword validation`,"message")};je.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,X.str)`"${e}" keyword must be ${t} ($data)`:(0,X.str)`"${e}" keyword is invalid ($data)`,"message")};function _R(e,t=je.keywordError,r,n){let{it:a}=e,{gen:i,compositeRule:s,allErrors:c}=a,d=Im(e,t,r);n??(s||c)?Rm(i,d):Cm(a,(0,X._)`[${d}]`)}o(_R,"reportError");je.reportError=_R;function wR(e,t=je.keywordError,r){let{it:n}=e,{gen:a,compositeRule:i,allErrors:s}=n,c=Im(e,t,r);Rm(a,c),i||s||Cm(n,Ve.default.vErrors)}o(wR,"reportExtraError");je.reportExtraError=wR;function vR(e,t){e.assign(Ve.default.errors,t),e.if((0,X._)`${Ve.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,X._)`${Ve.default.vErrors}.length`,t),()=>e.assign(Ve.default.vErrors,null)))}o(vR,"resetErrorsCount");je.resetErrorsCount=vR;function bR({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:i}){if(a===void 0)throw new Error("ajv implementation error");let s=e.name("err");e.forRange("i",a,Ve.default.errors,c=>{e.const(s,(0,X._)`${Ve.default.vErrors}[${c}]`),e.if((0,X._)`${s}.instancePath === undefined`,()=>e.assign((0,X._)`${s}.instancePath`,(0,X.strConcat)(Ve.default.instancePath,i.errorPath))),e.assign((0,X._)`${s}.schemaPath`,(0,X.str)`${i.errSchemaPath}/${t}`),i.opts.verbose&&(e.assign((0,X._)`${s}.schema`,r),e.assign((0,X._)`${s}.data`,n))})}o(bR,"extendErrors");je.extendErrors=bR;function Rm(e,t){let r=e.const("err",t);e.if((0,X._)`${Ve.default.vErrors} === null`,()=>e.assign(Ve.default.vErrors,(0,X._)`[${r}]`),(0,X._)`${Ve.default.vErrors}.push(${r})`),e.code((0,X._)`${Ve.default.errors}++`)}o(Rm,"addError");function Cm(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,X._)`new ${e.ValidationError}(${t})`):(r.assign((0,X._)`${n}.errors`,t),r.return(!1))}o(Cm,"returnErrors");var Dr={keyword:new X.Name("keyword"),schemaPath:new X.Name("schemaPath"),params:new X.Name("params"),propertyName:new X.Name("propertyName"),message:new X.Name("message"),schema:new X.Name("schema"),parentSchema:new X.Name("parentSchema")};function Im(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,X._)`{}`:RR(e,t,r)}o(Im,"errorObjectCode");function RR(e,t,r={}){let{gen:n,it:a}=e,i=[CR(a,r),IR(e,r)];return PR(e,t,i),n.object(...i)}o(RR,"errorObject");function CR({errorPath:e},{instancePath:t}){let r=t?(0,X.str)`${e}${(0,ii.getErrorPath)(t,ii.Type.Str)}`:e;return[Ve.default.instancePath,(0,X.strConcat)(Ve.default.instancePath,r)]}o(CR,"errorInstancePath");function IR({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,X.str)`${t}/${e}`;return r&&(a=(0,X.str)`${a}${(0,ii.getErrorPath)(r,ii.Type.Str)}`),[Dr.schemaPath,a]}o(IR,"errorSchemaPath");function PR(e,{params:t,message:r},n){let{keyword:a,data:i,schemaValue:s,it:c}=e,{opts:d,propertyName:p,topSchemaRef:l,schemaPath:m}=c;n.push([Dr.keyword,a],[Dr.params,typeof t=="function"?t(e):t||(0,X._)`{}`]),d.messages&&n.push([Dr.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([Dr.schema,s],[Dr.parentSchema,(0,X._)`${l}${m}`],[Ve.default.data,i]),p&&n.push([Dr.propertyName,p])}o(PR,"extraErrorProps")});var xm=x(_n=>{"use strict";Object.defineProperty(_n,"__esModule",{value:!0});_n.boolOrEmptySchema=_n.topBoolOrEmptySchema=void 0;var xR=Eo(),AR=F(),TR=Ft(),kR={message:"boolean schema is false"};function ER(e){let{gen:t,schema:r,validateName:n}=e;r===!1?Pm(e,!1):typeof r=="object"&&r.$async===!0?t.return(TR.default.data):(t.assign((0,AR._)`${n}.errors`,null),t.return(!0))}o(ER,"topBoolOrEmptySchema");_n.topBoolOrEmptySchema=ER;function UR(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),Pm(e)):r.var(t,!0)}o(UR,"boolOrEmptySchema");_n.boolOrEmptySchema=UR;function Pm(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,xR.reportError)(a,kR,void 0,t)}o(Pm,"falseSchemaError")});var ou=x(wn=>{"use strict";Object.defineProperty(wn,"__esModule",{value:!0});wn.getRules=wn.isJSONType=void 0;var OR=["string","number","integer","boolean","null","object","array"],$R=new Set(OR);function zR(e){return typeof e=="string"&&$R.has(e)}o(zR,"isJSONType");wn.isJSONType=zR;function MR(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(MR,"getRules");wn.getRules=MR});var au=x(yr=>{"use strict";Object.defineProperty(yr,"__esModule",{value:!0});yr.shouldUseRule=yr.shouldUseGroup=yr.schemaHasRulesForType=void 0;function qR({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&Am(e,n)}o(qR,"schemaHasRulesForType");yr.schemaHasRulesForType=qR;function Am(e,t){return t.rules.some(r=>Tm(e,r))}o(Am,"shouldUseGroup");yr.shouldUseGroup=Am;function Tm(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(Tm,"shouldUseRule");yr.shouldUseRule=Tm});var Uo=x(De=>{"use strict";Object.defineProperty(De,"__esModule",{value:!0});De.reportTypeError=De.checkDataTypes=De.checkDataType=De.coerceAndCheckDataType=De.getJSONTypes=De.getSchemaTypes=De.DataType=void 0;var NR=ou(),jR=au(),DR=Eo(),V=F(),km=re(),vn;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(vn||(De.DataType=vn={}));function HR(e){let t=Em(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(HR,"getSchemaTypes");De.getSchemaTypes=HR;function Em(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(NR.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(Em,"getJSONTypes");De.getJSONTypes=Em;function LR(e,t){let{gen:r,data:n,opts:a}=e,i=BR(t,a.coerceTypes),s=t.length>0&&!(i.length===0&&t.length===1&&(0,jR.schemaHasRulesForType)(e,t[0]));if(s){let c=su(t,n,a.strictNumbers,vn.Wrong);r.if(c,()=>{i.length?GR(e,t,i):cu(e)})}return s}o(LR,"coerceAndCheckDataType");De.coerceAndCheckDataType=LR;var Um=new Set(["string","number","integer","boolean","null"]);function BR(e,t){return t?e.filter(r=>Um.has(r)||t==="array"&&r==="array"):[]}o(BR,"coerceToTypes");function GR(e,t,r){let{gen:n,data:a,opts:i}=e,s=n.let("dataType",(0,V._)`typeof ${a}`),c=n.let("coerced",(0,V._)`undefined`);i.coerceTypes==="array"&&n.if((0,V._)`${s} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,V._)`${a}[0]`).assign(s,(0,V._)`typeof ${a}`).if(su(t,a,i.strictNumbers),()=>n.assign(c,a))),n.if((0,V._)`${c} !== undefined`);for(let p of r)(Um.has(p)||p==="array"&&i.coerceTypes==="array")&&d(p);n.else(),cu(e),n.endIf(),n.if((0,V._)`${c} !== undefined`,()=>{n.assign(a,c),VR(e,c)});function d(p){switch(p){case"string":n.elseIf((0,V._)`${s} == "number" || ${s} == "boolean"`).assign(c,(0,V._)`"" + ${a}`).elseIf((0,V._)`${a} === null`).assign(c,(0,V._)`""`);return;case"number":n.elseIf((0,V._)`${s} == "boolean" || ${a} === null
+              || (${s} == "string" && ${a} && ${a} == +${a})`).assign(c,(0,V._)`+${a}`);return;case"integer":n.elseIf((0,V._)`${s} === "boolean" || ${a} === null
+              || (${s} === "string" && ${a} && ${a} == +${a} && !(${a} % 1))`).assign(c,(0,V._)`+${a}`);return;case"boolean":n.elseIf((0,V._)`${a} === "false" || ${a} === 0 || ${a} === null`).assign(c,!1).elseIf((0,V._)`${a} === "true" || ${a} === 1`).assign(c,!0);return;case"null":n.elseIf((0,V._)`${a} === "" || ${a} === 0 || ${a} === false`),n.assign(c,null);return;case"array":n.elseIf((0,V._)`${s} === "string" || ${s} === "number"
+              || ${s} === "boolean" || ${a} === null`).assign(c,(0,V._)`[${a}]`)}}o(d,"coerceSpecificType")}o(GR,"coerceData");function VR({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,V._)`${t} !== undefined`,()=>e.assign((0,V._)`${t}[${r}]`,n))}o(VR,"assignParentData");function iu(e,t,r,n=vn.Correct){let a=n===vn.Correct?V.operators.EQ:V.operators.NEQ,i;switch(e){case"null":return(0,V._)`${t} ${a} null`;case"array":i=(0,V._)`Array.isArray(${t})`;break;case"object":i=(0,V._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":i=s((0,V._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":i=s();break;default:return(0,V._)`typeof ${t} ${a} ${e}`}return n===vn.Correct?i:(0,V.not)(i);function s(c=V.nil){return(0,V.and)((0,V._)`typeof ${t} == "number"`,c,r?(0,V._)`isFinite(${t})`:V.nil)}}o(iu,"checkDataType");De.checkDataType=iu;function su(e,t,r,n){if(e.length===1)return iu(e[0],t,r,n);let a,i=(0,km.toHash)(e);if(i.array&&i.object){let s=(0,V._)`typeof ${t} != "object"`;a=i.null?s:(0,V._)`!${t} || ${s}`,delete i.null,delete i.array,delete i.object}else a=V.nil;i.number&&delete i.integer;for(let s in i)a=(0,V.and)(a,iu(s,t,r,n));return a}o(su,"checkDataTypes");De.checkDataTypes=su;var FR={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,V._)`{type: ${e}}`:(0,V._)`{type: ${t}}`,"params")};function cu(e){let t=ZR(e);(0,DR.reportError)(t,FR)}o(cu,"reportTypeError");De.reportTypeError=cu;function ZR(e){let{gen:t,data:r,schema:n}=e,a=(0,km.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(ZR,"getTypeErrorContext")});var $m=x(si=>{"use strict";Object.defineProperty(si,"__esModule",{value:!0});si.assignDefaults=void 0;var bn=F(),KR=re();function WR(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)Om(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,i)=>Om(e,i,a.default))}o(WR,"assignDefaults");si.assignDefaults=WR;function Om(e,t,r){let{gen:n,compositeRule:a,data:i,opts:s}=e;if(r===void 0)return;let c=(0,bn._)`${i}${(0,bn.getProperty)(t)}`;if(a){(0,KR.checkStrictMode)(e,`default is ignored for: ${c}`);return}let d=(0,bn._)`${c} === undefined`;s.useDefaults==="empty"&&(d=(0,bn._)`${d} || ${c} === null || ${c} === ""`),n.if(d,(0,bn._)`${c} = ${(0,bn.stringify)(r)}`)}o(Om,"assignDefault")});var dt=x(oe=>{"use strict";Object.defineProperty(oe,"__esModule",{value:!0});oe.validateUnion=oe.validateArray=oe.usePattern=oe.callValidateCode=oe.schemaProperties=oe.allSchemaProperties=oe.noPropertyInData=oe.propertyInData=oe.isOwnProperty=oe.hasPropFunc=oe.reportMissingProp=oe.checkMissingProp=oe.checkReportMissingProp=void 0;var de=F(),uu=re(),Sr=Ft(),JR=re();function YR(e,t){let{gen:r,data:n,it:a}=e;r.if(lu(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,de._)`${t}`},!0),e.error()})}o(YR,"checkReportMissingProp");oe.checkReportMissingProp=YR;function QR({gen:e,data:t,it:{opts:r}},n,a){return(0,de.or)(...n.map(i=>(0,de.and)(lu(e,t,i,r.ownProperties),(0,de._)`${a} = ${i}`)))}o(QR,"checkMissingProp");oe.checkMissingProp=QR;function XR(e,t){e.setParams({missingProperty:t},!0),e.error()}o(XR,"reportMissingProp");oe.reportMissingProp=XR;function zm(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,de._)`Object.prototype.hasOwnProperty`})}o(zm,"hasPropFunc");oe.hasPropFunc=zm;function du(e,t,r){return(0,de._)`${zm(e)}.call(${t}, ${r})`}o(du,"isOwnProperty");oe.isOwnProperty=du;function eC(e,t,r,n){let a=(0,de._)`${t}${(0,de.getProperty)(r)} !== undefined`;return n?(0,de._)`${a} && ${du(e,t,r)}`:a}o(eC,"propertyInData");oe.propertyInData=eC;function lu(e,t,r,n){let a=(0,de._)`${t}${(0,de.getProperty)(r)} === undefined`;return n?(0,de.or)(a,(0,de.not)(du(e,t,r))):a}o(lu,"noPropertyInData");oe.noPropertyInData=lu;function Mm(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(Mm,"allSchemaProperties");oe.allSchemaProperties=Mm;function tC(e,t){return Mm(t).filter(r=>!(0,uu.alwaysValidSchema)(e,t[r]))}o(tC,"schemaProperties");oe.schemaProperties=tC;function rC({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:i},it:s},c,d,p){let l=p?(0,de._)`${e}, ${t}, ${n}${a}`:t,m=[[Sr.default.instancePath,(0,de.strConcat)(Sr.default.instancePath,i)],[Sr.default.parentData,s.parentData],[Sr.default.parentDataProperty,s.parentDataProperty],[Sr.default.rootData,Sr.default.rootData]];s.opts.dynamicRef&&m.push([Sr.default.dynamicAnchors,Sr.default.dynamicAnchors]);let h=(0,de._)`${l}, ${r.object(...m)}`;return d!==de.nil?(0,de._)`${c}.call(${d}, ${h})`:(0,de._)`${c}(${h})`}o(rC,"callValidateCode");oe.callValidateCode=rC;var nC=(0,de._)`new RegExp`;function oC({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,i=a(r,n);return e.scopeValue("pattern",{key:i.toString(),ref:i,code:(0,de._)`${a.code==="new RegExp"?nC:(0,JR.useFunc)(e,a)}(${r}, ${n})`})}o(oC,"usePattern");oe.usePattern=oC;function aC(e){let{gen:t,data:r,keyword:n,it:a}=e,i=t.name("valid");if(a.allErrors){let c=t.let("valid",!0);return s(()=>t.assign(c,!1)),c}return t.var(i,!0),s(()=>t.break()),i;function s(c){let d=t.const("len",(0,de._)`${r}.length`);t.forRange("i",0,d,p=>{e.subschema({keyword:n,dataProp:p,dataPropType:uu.Type.Num},i),t.if((0,de.not)(i),c)})}o(s,"validateItems")}o(aC,"validateArray");oe.validateArray=aC;function iC(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,uu.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let s=t.let("valid",!1),c=t.name("_valid");t.block(()=>r.forEach((d,p)=>{let l=e.subschema({keyword:n,schemaProp:p,compositeRule:!0},c);t.assign(s,(0,de._)`${s} || ${c}`),e.mergeValidEvaluated(l,c)||t.if((0,de.not)(s))})),e.result(s,()=>e.reset(),()=>e.error(!0))}o(iC,"validateUnion");oe.validateUnion=iC});var jm=x(Pt=>{"use strict";Object.defineProperty(Pt,"__esModule",{value:!0});Pt.validateKeywordUsage=Pt.validSchemaType=Pt.funcKeywordCode=Pt.macroKeywordCode=void 0;var Fe=F(),Hr=Ft(),sC=dt(),cC=Eo();function uC(e,t){let{gen:r,keyword:n,schema:a,parentSchema:i,it:s}=e,c=t.macro.call(s.self,a,i,s),d=Nm(r,n,c);s.opts.validateSchema!==!1&&s.self.validateSchema(c,!0);let p=r.name("valid");e.subschema({schema:c,schemaPath:Fe.nil,errSchemaPath:`${s.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},p),e.pass(p,()=>e.error(!0))}o(uC,"macroKeywordCode");Pt.macroKeywordCode=uC;function dC(e,t){var r;let{gen:n,keyword:a,schema:i,parentSchema:s,$data:c,it:d}=e;pC(d,t);let p=!c&&t.compile?t.compile.call(d.self,i,s,d):t.validate,l=Nm(n,a,p),m=n.let("valid");e.block$data(m,h),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function h(){if(t.errors===!1)S(),t.modifying&&qm(e),w(()=>e.error());else{let v=t.async?y():_();t.modifying&&qm(e),w(()=>lC(e,v))}}o(h,"validateKeyword");function y(){let v=n.let("ruleErrs",null);return n.try(()=>S((0,Fe._)`await `),b=>n.assign(m,!1).if((0,Fe._)`${b} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,Fe._)`${b}.errors`),()=>n.throw(b))),v}o(y,"validateAsync");function _(){let v=(0,Fe._)`${l}.errors`;return n.assign(v,null),S(Fe.nil),v}o(_,"validateSync");function S(v=t.async?(0,Fe._)`await `:Fe.nil){let b=d.opts.passContext?Hr.default.this:Hr.default.self,R=!("compile"in t&&!c||t.schema===!1);n.assign(m,(0,Fe._)`${v}${(0,sC.callValidateCode)(e,l,b,R)}`,t.modifying)}o(S,"assignValid");function w(v){var b;n.if((0,Fe.not)((b=t.valid)!==null&&b!==void 0?b:m),v)}o(w,"reportErrs")}o(dC,"funcKeywordCode");Pt.funcKeywordCode=dC;function qm(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,Fe._)`${n.parentData}[${n.parentDataProperty}]`))}o(qm,"modifyData");function lC(e,t){let{gen:r}=e;r.if((0,Fe._)`Array.isArray(${t})`,()=>{r.assign(Hr.default.vErrors,(0,Fe._)`${Hr.default.vErrors} === null ? ${t} : ${Hr.default.vErrors}.concat(${t})`).assign(Hr.default.errors,(0,Fe._)`${Hr.default.vErrors}.length`),(0,cC.extendErrors)(e)},()=>e.error())}o(lC,"addErrs");function pC({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(pC,"checkAsyncKeyword");function Nm(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,Fe.stringify)(r)})}o(Nm,"useKeyword");function mC(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(mC,"validSchemaType");Pt.validSchemaType=mC;function fC({schema:e,opts:t,self:r,errSchemaPath:n},a,i){if(Array.isArray(a.keyword)?!a.keyword.includes(i):a.keyword!==i)throw new Error("ajv implementation error");let s=a.dependencies;if(s?.some(c=>!Object.prototype.hasOwnProperty.call(e,c)))throw new Error(`parent schema must have dependencies of ${i}: ${s.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[i])){let d=`keyword "${i}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(fC,"validateKeywordUsage");Pt.validateKeywordUsage=fC});var Hm=x(_r=>{"use strict";Object.defineProperty(_r,"__esModule",{value:!0});_r.extendSubschemaMode=_r.extendSubschemaData=_r.getSubschema=void 0;var xt=F(),Dm=re();function hC(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:i,topSchemaRef:s}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let c=e.schema[t];return r===void 0?{schema:c,schemaPath:(0,xt._)`${e.schemaPath}${(0,xt.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:c[r],schemaPath:(0,xt._)`${e.schemaPath}${(0,xt.getProperty)(t)}${(0,xt.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,Dm.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||i===void 0||s===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:s,errSchemaPath:i}}throw new Error('either "keyword" or "schema" must be passed')}o(hC,"getSubschema");_r.getSubschema=hC;function gC(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:i,propertyName:s}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:c}=t;if(r!==void 0){let{errorPath:p,dataPathArr:l,opts:m}=t,h=c.let("data",(0,xt._)`${t.data}${(0,xt.getProperty)(r)}`,!0);d(h),e.errorPath=(0,xt.str)`${p}${(0,Dm.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,xt._)`${r}`,e.dataPathArr=[...l,e.parentDataProperty]}if(a!==void 0){let p=a instanceof xt.Name?a:c.let("data",a,!0);d(p),s!==void 0&&(e.propertyName=s)}i&&(e.dataTypes=i);function d(p){e.data=p,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,p]}o(d,"dataContextProps")}o(gC,"extendSubschemaData");_r.extendSubschemaData=gC;function yC(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:i}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),i!==void 0&&(e.allErrors=i),e.jtdDiscriminator=t,e.jtdMetadata=r}o(yC,"extendSubschemaMode");_r.extendSubschemaMode=yC});var pu=x(($H,Lm)=>{"use strict";Lm.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,i;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(i=Object.keys(t),n=i.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,i[a]))return!1;for(a=n;a--!==0;){var s=i[a];if(!e(t[s],r[s]))return!1}return!0}return t!==t&&r!==r},"equal")});var Gm=x((MH,Bm)=>{"use strict";var wr=Bm.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};ci(t,n,a,e,"",e)};wr.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};wr.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};wr.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};wr.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function ci(e,t,r,n,a,i,s,c,d,p){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,i,s,c,d,p);for(var l in n){var m=n[l];if(Array.isArray(m)){if(l in wr.arrayKeywords)for(var h=0;h<m.length;h++)ci(e,t,r,m[h],a+"/"+l+"/"+h,i,a,l,n,h)}else if(l in wr.propsKeywords){if(m&&typeof m=="object")for(var y in m)ci(e,t,r,m[y],a+"/"+l+"/"+SC(y),i,a,l,n,y)}else(l in wr.keywords||e.allKeys&&!(l in wr.skipKeywords))&&ci(e,t,r,m,a+"/"+l,i,a,l,n)}r(n,a,i,s,c,d,p)}}o(ci,"_traverse");function SC(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(SC,"escapeJsonPtr")});var Oo=x(Je=>{"use strict";Object.defineProperty(Je,"__esModule",{value:!0});Je.getSchemaRefs=Je.resolveUrl=Je.normalizeId=Je._getFullPath=Je.getFullPath=Je.inlineRef=void 0;var _C=re(),wC=pu(),vC=Gm(),bC=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function RC(e,t=!0){return typeof e=="boolean"?!0:t===!0?!mu(e):t?Vm(e)<=t:!1}o(RC,"inlineRef");Je.inlineRef=RC;var CC=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function mu(e){for(let t in e){if(CC.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(mu)||typeof r=="object"&&mu(r))return!0}return!1}o(mu,"hasRef");function Vm(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!bC.has(r)&&(typeof e[r]=="object"&&(0,_C.eachItem)(e[r],n=>t+=Vm(n)),t===1/0))return 1/0}return t}o(Vm,"countKeys");function Fm(e,t="",r){r!==!1&&(t=Rn(t));let n=e.parse(t);return Zm(e,n)}o(Fm,"getFullPath");Je.getFullPath=Fm;function Zm(e,t){return e.serialize(t).split("#")[0]+"#"}o(Zm,"_getFullPath");Je._getFullPath=Zm;var IC=/#\/?$/;function Rn(e){return e?e.replace(IC,""):""}o(Rn,"normalizeId");Je.normalizeId=Rn;function PC(e,t,r){return r=Rn(r),e.resolve(t,r)}o(PC,"resolveUrl");Je.resolveUrl=PC;var xC=/^[a-z_][-a-z0-9._]*$/i;function AC(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=Rn(e[r]||t),i={"":a},s=Fm(n,a,!1),c={},d=new Set;return vC(e,{allKeys:!0},(m,h,y,_)=>{if(_===void 0)return;let S=s+h,w=i[_];typeof m[r]=="string"&&(w=v.call(this,m[r])),b.call(this,m.$anchor),b.call(this,m.$dynamicAnchor),i[h]=w;function v(R){let q=this.opts.uriResolver.resolve;if(R=Rn(w?q(w,R):R),d.has(R))throw l(R);d.add(R);let N=this.refs[R];return typeof N=="string"&&(N=this.refs[N]),typeof N=="object"?p(m,N.schema,R):R!==Rn(S)&&(R[0]==="#"?(p(m,c[R],R),c[R]=m):this.refs[R]=S),R}o(v,"addRef");function b(R){if(typeof R=="string"){if(!xC.test(R))throw new Error(`invalid anchor "${R}"`);v.call(this,`#${R}`)}}o(b,"addAnchor")}),c;function p(m,h,y){if(h!==void 0&&!wC(m,h))throw l(y)}o(p,"checkAmbiguosRef");function l(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(l,"ambiguos")}o(AC,"getSchemaRefs");Je.getSchemaRefs=AC});var Mo=x(vr=>{"use strict";Object.defineProperty(vr,"__esModule",{value:!0});vr.getData=vr.KeywordCxt=vr.validateFunctionCode=void 0;var Qm=xm(),Km=Uo(),hu=au(),ui=Uo(),TC=$m(),zo=jm(),fu=Hm(),$=F(),L=Ft(),kC=Oo(),Zt=re(),$o=Eo();function EC(e){if(tf(e)&&(rf(e),ef(e))){$C(e);return}Xm(e,()=>(0,Qm.topBoolOrEmptySchema)(e))}o(EC,"validateFunctionCode");vr.validateFunctionCode=EC;function Xm({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},i){a.code.es5?e.func(t,(0,$._)`${L.default.data}, ${L.default.valCxt}`,n.$async,()=>{e.code((0,$._)`"use strict"; ${Wm(r,a)}`),OC(e,a),e.code(i)}):e.func(t,(0,$._)`${L.default.data}, ${UC(a)}`,n.$async,()=>e.code(Wm(r,a)).code(i))}o(Xm,"validateFunction");function UC(e){return(0,$._)`{${L.default.instancePath}="", ${L.default.parentData}, ${L.default.parentDataProperty}, ${L.default.rootData}=${L.default.data}${e.dynamicRef?(0,$._)`, ${L.default.dynamicAnchors}={}`:$.nil}}={}`}o(UC,"destructureValCxt");function OC(e,t){e.if(L.default.valCxt,()=>{e.var(L.default.instancePath,(0,$._)`${L.default.valCxt}.${L.default.instancePath}`),e.var(L.default.parentData,(0,$._)`${L.default.valCxt}.${L.default.parentData}`),e.var(L.default.parentDataProperty,(0,$._)`${L.default.valCxt}.${L.default.parentDataProperty}`),e.var(L.default.rootData,(0,$._)`${L.default.valCxt}.${L.default.rootData}`),t.dynamicRef&&e.var(L.default.dynamicAnchors,(0,$._)`${L.default.valCxt}.${L.default.dynamicAnchors}`)},()=>{e.var(L.default.instancePath,(0,$._)`""`),e.var(L.default.parentData,(0,$._)`undefined`),e.var(L.default.parentDataProperty,(0,$._)`undefined`),e.var(L.default.rootData,L.default.data),t.dynamicRef&&e.var(L.default.dynamicAnchors,(0,$._)`{}`)})}o(OC,"destructureValCxtES5");function $C(e){let{schema:t,opts:r,gen:n}=e;Xm(e,()=>{r.$comment&&t.$comment&&of(e),jC(e),n.let(L.default.vErrors,null),n.let(L.default.errors,0),r.unevaluated&&zC(e),nf(e),LC(e)})}o($C,"topSchemaObjCode");function zC(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,$._)`${r}.evaluated`),t.if((0,$._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,$._)`${e.evaluated}.props`,(0,$._)`undefined`)),t.if((0,$._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,$._)`${e.evaluated}.items`,(0,$._)`undefined`))}o(zC,"resetEvaluated");function Wm(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,$._)`/*# sourceURL=${r} */`:$.nil}o(Wm,"funcSourceUrl");function MC(e,t){if(tf(e)&&(rf(e),ef(e))){qC(e,t);return}(0,Qm.boolOrEmptySchema)(e,t)}o(MC,"subschemaCode");function ef({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(ef,"schemaCxtHasRules");function tf(e){return typeof e.schema!="boolean"}o(tf,"isSchemaObj");function qC(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&of(e),DC(e),HC(e);let i=n.const("_errs",L.default.errors);nf(e,i),n.var(t,(0,$._)`${i} === ${L.default.errors}`)}o(qC,"subSchemaObjCode");function rf(e){(0,Zt.checkUnknownRules)(e),NC(e)}o(rf,"checkKeywords");function nf(e,t){if(e.opts.jtd)return Jm(e,[],!1,t);let r=(0,Km.getSchemaTypes)(e.schema),n=(0,Km.coerceAndCheckDataType)(e,r);Jm(e,r,!n,t)}o(nf,"typeAndKeywords");function NC(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Zt.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(NC,"checkRefsAndKeywords");function jC(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Zt.checkStrictMode)(e,"default is ignored in the schema root")}o(jC,"checkNoDefault");function DC(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,kC.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(DC,"updateContext");function HC(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(HC,"checkAsyncSchema");function of({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let i=r.$comment;if(a.$comment===!0)e.code((0,$._)`${L.default.self}.logger.log(${i})`);else if(typeof a.$comment=="function"){let s=(0,$.str)`${n}/$comment`,c=e.scopeValue("root",{ref:t.root});e.code((0,$._)`${L.default.self}.opts.$comment(${i}, ${s}, ${c}.schema)`)}}o(of,"commentKeyword");function LC(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:i}=e;r.$async?t.if((0,$._)`${L.default.errors} === 0`,()=>t.return(L.default.data),()=>t.throw((0,$._)`new ${a}(${L.default.vErrors})`)):(t.assign((0,$._)`${n}.errors`,L.default.vErrors),i.unevaluated&&BC(e),t.return((0,$._)`${L.default.errors} === 0`))}o(LC,"returnResults");function BC({gen:e,evaluated:t,props:r,items:n}){r instanceof $.Name&&e.assign((0,$._)`${t}.props`,r),n instanceof $.Name&&e.assign((0,$._)`${t}.items`,n)}o(BC,"assignEvaluated");function Jm(e,t,r,n){let{gen:a,schema:i,data:s,allErrors:c,opts:d,self:p}=e,{RULES:l}=p;if(i.$ref&&(d.ignoreKeywordsWithRef||!(0,Zt.schemaHasRulesButRef)(i,l))){a.block(()=>sf(e,"$ref",l.all.$ref.definition));return}d.jtd||GC(e,t),a.block(()=>{for(let h of l.rules)m(h);m(l.post)});function m(h){(0,hu.shouldUseGroup)(i,h)&&(h.type?(a.if((0,ui.checkDataType)(h.type,s,d.strictNumbers)),Ym(e,h),t.length===1&&t[0]===h.type&&r&&(a.else(),(0,ui.reportTypeError)(e)),a.endIf()):Ym(e,h),c||a.if((0,$._)`${L.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(Jm,"schemaKeywords");function Ym(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,TC.assignDefaults)(e,t.type),r.block(()=>{for(let i of t.rules)(0,hu.shouldUseRule)(n,i)&&sf(e,i.keyword,i.definition,t.type)})}o(Ym,"iterateKeywords");function GC(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(VC(e,t),e.opts.allowUnionTypes||FC(e,t),ZC(e,e.dataTypes))}o(GC,"checkStrictTypes");function VC(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{af(e.dataTypes,r)||gu(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),WC(e,t)}}o(VC,"checkContextTypes");function FC(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&gu(e,"use allowUnionTypes to allow union type keyword")}o(FC,"checkMultipleTypes");function ZC(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,hu.shouldUseRule)(e.schema,a)){let{type:i}=a.definition;i.length&&!i.some(s=>KC(t,s))&&gu(e,`missing type "${i.join(",")}" for keyword "${n}"`)}}}o(ZC,"checkKeywordTypes");function KC(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(KC,"hasApplicableType");function af(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(af,"includesType");function WC(e,t){let r=[];for(let n of e.dataTypes)af(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(WC,"narrowSchemaTypes");function gu(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Zt.checkStrictMode)(e,t,e.opts.strictTypes)}o(gu,"strictTypesError");var di=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,zo.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Zt.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",cf(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,zo.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",L.default.errors))}result(t,r,n){this.failResult((0,$.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,$.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,$._)`${r} !== undefined && (${(0,$.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?$o.reportExtraError:$o.reportError)(this,this.def.error,r)}$dataError(){(0,$o.reportError)(this,this.def.$dataError||$o.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,$o.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=$.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=$.nil,r=$.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:i,def:s}=this;n.if((0,$.or)((0,$._)`${a} === undefined`,r)),t!==$.nil&&n.assign(t,!0),(i.length||s.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==$.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:i}=this;return(0,$.or)(s(),c());function s(){if(n.length){if(!(r instanceof $.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,$._)`${(0,ui.checkDataTypes)(d,r,i.opts.strictNumbers,ui.DataType.Wrong)}`}return $.nil}function c(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,$._)`!${d}(${r})`}return $.nil}}subschema(t,r){let n=(0,fu.getSubschema)(this.it,t);(0,fu.extendSubschemaData)(n,this.it,t),(0,fu.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return MC(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Zt.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Zt.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,$.Name)),!0}};vr.KeywordCxt=di;function sf(e,t,r,n){let a=new di(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,zo.funcKeywordCode)(a,r):"macro"in r?(0,zo.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,zo.funcKeywordCode)(a,r)}o(sf,"keywordCode");var JC=/^\/(?:[^~]|~0|~1)*$/,YC=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function cf(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,i;if(e==="")return L.default.rootData;if(e[0]==="/"){if(!JC.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,i=L.default.rootData}else{let p=YC.exec(e);if(!p)throw new Error(`Invalid JSON-pointer: ${e}`);let l=+p[1];if(a=p[2],a==="#"){if(l>=t)throw new Error(d("property/index",l));return n[t-l]}if(l>t)throw new Error(d("data",l));if(i=r[t-l],!a)return i}let s=i,c=a.split("/");for(let p of c)p&&(i=(0,$._)`${i}${(0,$.getProperty)((0,Zt.unescapeJsonPointer)(p))}`,s=(0,$._)`${s} && ${i}`);return s;function d(p,l){return`Cannot access ${p} ${l} levels up, current level is ${t}`}}o(cf,"getData");vr.getData=cf});var li=x(Su=>{"use strict";Object.defineProperty(Su,"__esModule",{value:!0});var yu=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};Su.default=yu});var qo=x(vu=>{"use strict";Object.defineProperty(vu,"__esModule",{value:!0});var _u=Oo(),wu=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,_u.resolveUrl)(t,r,n),this.missingSchema=(0,_u.normalizeId)((0,_u.getFullPath)(t,this.missingRef))}};vu.default=wu});var mi=x(lt=>{"use strict";Object.defineProperty(lt,"__esModule",{value:!0});lt.resolveSchema=lt.getCompilingSchema=lt.resolveRef=lt.compileSchema=lt.SchemaEnv=void 0;var wt=F(),QC=li(),Lr=Ft(),vt=Oo(),uf=re(),XC=Mo(),Cn=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,vt.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};lt.SchemaEnv=Cn;function Ru(e){let t=df.call(this,e);if(t)return t;let r=(0,vt.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:i}=this.opts,s=new wt.CodeGen(this.scope,{es5:n,lines:a,ownProperties:i}),c;e.$async&&(c=s.scopeValue("Error",{ref:QC.default,code:(0,wt._)`require("ajv/dist/runtime/validation_error").default`}));let d=s.scopeName("validate");e.validateName=d;let p={gen:s,allErrors:this.opts.allErrors,data:Lr.default.data,parentData:Lr.default.parentData,parentDataProperty:Lr.default.parentDataProperty,dataNames:[Lr.default.data],dataPathArr:[wt.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:s.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,wt.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:c,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:wt.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,wt._)`""`,opts:this.opts,self:this},l;try{this._compilations.add(e),(0,XC.validateFunctionCode)(p),s.optimize(this.opts.code.optimize);let m=s.toString();l=`${s.scopeRefs(Lr.default.scope)}return ${m}`,this.opts.code.process&&(l=this.opts.code.process(l,e));let y=new Function(`${Lr.default.self}`,`${Lr.default.scope}`,l)(this,this.scope.get());if(this.scope.value(d,{ref:y}),y.errors=null,y.schema=e.schema,y.schemaEnv=e,e.$async&&(y.$async=!0),this.opts.code.source===!0&&(y.source={validateName:d,validateCode:m,scopeValues:s._values}),this.opts.unevaluated){let{props:_,items:S}=p;y.evaluated={props:_ instanceof wt.Name?void 0:_,items:S instanceof wt.Name?void 0:S,dynamicProps:_ instanceof wt.Name,dynamicItems:S instanceof wt.Name},y.source&&(y.source.evaluated=(0,wt.stringify)(y.evaluated))}return e.validate=y,e}catch(m){throw delete e.validate,delete e.validateName,l&&this.logger.error("Error compiling schema, function code:",l),m}finally{this._compilations.delete(e)}}o(Ru,"compileSchema");lt.compileSchema=Ru;function eI(e,t,r){var n;r=(0,vt.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let i=nI.call(this,e,r);if(i===void 0){let s=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:c}=this.opts;s&&(i=new Cn({schema:s,schemaId:c,root:e,baseId:t}))}if(i!==void 0)return e.refs[r]=tI.call(this,i)}o(eI,"resolveRef");lt.resolveRef=eI;function tI(e){return(0,vt.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:Ru.call(this,e)}o(tI,"inlineOrCompile");function df(e){for(let t of this._compilations)if(rI(t,e))return t}o(df,"getCompilingSchema");lt.getCompilingSchema=df;function rI(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(rI,"sameSchemaEnv");function nI(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||pi.call(this,e,t)}o(nI,"resolve");function pi(e,t){let r=this.opts.uriResolver.parse(t),n=(0,vt._getFullPath)(this.opts.uriResolver,r),a=(0,vt.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return bu.call(this,r,e);let i=(0,vt.normalizeId)(n),s=this.refs[i]||this.schemas[i];if(typeof s=="string"){let c=pi.call(this,e,s);return typeof c?.schema!="object"?void 0:bu.call(this,r,c)}if(typeof s?.schema=="object"){if(s.validate||Ru.call(this,s),i===(0,vt.normalizeId)(t)){let{schema:c}=s,{schemaId:d}=this.opts,p=c[d];return p&&(a=(0,vt.resolveUrl)(this.opts.uriResolver,a,p)),new Cn({schema:c,schemaId:d,root:e,baseId:a})}return bu.call(this,r,s)}}o(pi,"resolveSchema");lt.resolveSchema=pi;var oI=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function bu(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let c of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,uf.unescapeFragment)(c)];if(d===void 0)return;r=d;let p=typeof r=="object"&&r[this.opts.schemaId];!oI.has(c)&&p&&(t=(0,vt.resolveUrl)(this.opts.uriResolver,t,p))}let i;if(typeof r!="boolean"&&r.$ref&&!(0,uf.schemaHasRulesButRef)(r,this.RULES)){let c=(0,vt.resolveUrl)(this.opts.uriResolver,t,r.$ref);i=pi.call(this,n,c)}let{schemaId:s}=this.opts;if(i=i||new Cn({schema:r,schemaId:s,root:n,baseId:t}),i.schema!==i.root.schema)return i}o(bu,"getJsonPointer")});var lf=x((KH,aI)=>{aI.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var Iu=x((WH,hf)=>{"use strict";var iI=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),mf=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function Cu(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(Cu,"stringArrayToHexStripped");var sI=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function pf(e){return e.length=0,!0}o(pf,"consumeIsZone");function cI(e,t,r){if(e.length){let n=Cu(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(cI,"consumeHextets");function uI(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],i=!1,s=!1,c=cI;for(let d=0;d<e.length;d++){let p=e[d];if(!(p==="["||p==="]"))if(p===":"){if(i===!0&&(s=!0),!c(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(i=!0),n.push(":");continue}else if(p==="%"){if(!c(a,n,r))break;c=pf}else{a.push(p);continue}}return a.length&&(c===pf?r.zone=a.join(""):s?n.push(a.join("")):n.push(Cu(a))),r.address=n.join(""),r}o(uI,"getIPV6");function ff(e){if(dI(e,":")<2)return{host:e,isIPV6:!1};let t=uI(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(ff,"normalizeIPv6");function dI(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(dI,"findToken");function lI(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o(lI,"removeDotSegments");function pI(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(pI,"normalizeComponentEncoding");function mI(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!mf(r)){let n=ff(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(mI,"recomposeAuthority");hf.exports={nonSimpleDomain:sI,recomposeAuthority:mI,normalizeComponentEncoding:pI,removeDotSegments:lI,isIPv4:mf,isUUID:iI,normalizeIPv6:ff,stringArrayToHexStripped:Cu}});var wf=x((YH,_f)=>{"use strict";var{isUUID:fI}=Iu(),hI=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,gI=["http","https","ws","wss","urn","urn:uuid"];function yI(e){return gI.indexOf(e)!==-1}o(yI,"isValidSchemeName");function Pu(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(Pu,"wsIsSecure");function gf(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(gf,"httpParse");function yf(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(yf,"httpSerialize");function SI(e){return e.secure=Pu(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(SI,"wsParse");function _I(e){if((e.port===(Pu(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(_I,"wsSerialize");function wI(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(hI);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,i=xu(a);e.path=void 0,i&&(e=i.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(wI,"urnParse");function vI(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,i=xu(a);i&&(e=i.serialize(e,t));let s=e,c=e.nss;return s.path=`${n||t.nid}:${c}`,t.skipEscape=!0,s}o(vI,"urnSerialize");function bI(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!fI(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(bI,"urnuuidParse");function RI(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(RI,"urnuuidSerialize");var Sf={scheme:"http",domainHost:!0,parse:gf,serialize:yf},CI={scheme:"https",domainHost:Sf.domainHost,parse:gf,serialize:yf},fi={scheme:"ws",domainHost:!0,parse:SI,serialize:_I},II={scheme:"wss",domainHost:fi.domainHost,parse:fi.parse,serialize:fi.serialize},PI={scheme:"urn",parse:wI,serialize:vI,skipNormalize:!0},xI={scheme:"urn:uuid",parse:bI,serialize:RI,skipNormalize:!0},hi={http:Sf,https:CI,ws:fi,wss:II,urn:PI,"urn:uuid":xI};Object.setPrototypeOf(hi,null);function xu(e){return e&&(hi[e]||hi[e.toLowerCase()])||void 0}o(xu,"getSchemeHandler");_f.exports={wsIsSecure:Pu,SCHEMES:hi,isValidSchemeName:yI,getSchemeHandler:xu}});var Rf=x((XH,yi)=>{"use strict";var{normalizeIPv6:AI,removeDotSegments:No,recomposeAuthority:TI,normalizeComponentEncoding:gi,isIPv4:kI,nonSimpleDomain:EI}=Iu(),{SCHEMES:UI,getSchemeHandler:vf}=wf();function OI(e,t){return typeof e=="string"?e=At(Kt(e,t),t):typeof e=="object"&&(e=Kt(At(e,t),t)),e}o(OI,"normalize");function $I(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=bf(Kt(e,n),Kt(t,n),n,!0);return n.skipEscape=!0,At(a,n)}o($I,"resolve");function bf(e,t,r,n){let a={};return n||(e=Kt(At(e,r),r),t=Kt(At(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=No(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=No(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=No(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=No(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(bf,"resolveComponent");function zI(e,t,r){return typeof e=="string"?(e=unescape(e),e=At(gi(Kt(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=At(gi(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=At(gi(Kt(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=At(gi(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(zI,"equal");function At(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],i=vf(n.scheme||r.scheme);i&&i.serialize&&i.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let s=TI(r);if(s!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(s),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let c=r.path;!n.absolutePath&&(!i||!i.absolutePath)&&(c=No(c)),s===void 0&&c[0]==="/"&&c[1]==="/"&&(c="/%2F"+c.slice(2)),a.push(c)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(At,"serialize");var MI=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function Kt(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let i=e.match(MI);if(i){if(n.scheme=i[1],n.userinfo=i[3],n.host=i[4],n.port=parseInt(i[5],10),n.path=i[6]||"",n.query=i[7],n.fragment=i[8],isNaN(n.port)&&(n.port=i[5]),n.host)if(kI(n.host)===!1){let d=AI(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let s=vf(r.scheme||n.scheme);if(!r.unicodeSupport&&(!s||!s.unicodeSupport)&&n.host&&(r.domainHost||s&&s.domainHost)&&a===!1&&EI(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(c){n.error=n.error||"Host's domain name can not be converted to ASCII: "+c}(!s||s&&!s.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),s&&s.parse&&s.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(Kt,"parse");var Au={SCHEMES:UI,normalize:OI,resolve:$I,resolveComponent:bf,equal:zI,serialize:At,parse:Kt};yi.exports=Au;yi.exports.default=Au;yi.exports.fastUri=Au});var If=x(Tu=>{"use strict";Object.defineProperty(Tu,"__esModule",{value:!0});var Cf=Rf();Cf.code='require("ajv/dist/runtime/uri").default';Tu.default=Cf});var Of=x(Ee=>{"use strict";Object.defineProperty(Ee,"__esModule",{value:!0});Ee.CodeGen=Ee.Name=Ee.nil=Ee.stringify=Ee.str=Ee._=Ee.KeywordCxt=void 0;var qI=Mo();Object.defineProperty(Ee,"KeywordCxt",{enumerable:!0,get:o(function(){return qI.KeywordCxt},"get")});var In=F();Object.defineProperty(Ee,"_",{enumerable:!0,get:o(function(){return In._},"get")});Object.defineProperty(Ee,"str",{enumerable:!0,get:o(function(){return In.str},"get")});Object.defineProperty(Ee,"stringify",{enumerable:!0,get:o(function(){return In.stringify},"get")});Object.defineProperty(Ee,"nil",{enumerable:!0,get:o(function(){return In.nil},"get")});Object.defineProperty(Ee,"Name",{enumerable:!0,get:o(function(){return In.Name},"get")});Object.defineProperty(Ee,"CodeGen",{enumerable:!0,get:o(function(){return In.CodeGen},"get")});var NI=li(),kf=qo(),jI=ou(),jo=mi(),DI=F(),Do=Oo(),Si=Uo(),Eu=re(),Pf=lf(),HI=If(),Ef=o((e,t)=>new RegExp(e,t),"defaultRegExp");Ef.code="new RegExp";var LI=["removeAdditional","useDefaults","coerceTypes"],BI=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),GI={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},VI={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},xf=200;function FI(e){var t,r,n,a,i,s,c,d,p,l,m,h,y,_,S,w,v,b,R,q,N,qe,it,dn,ir;let qt=e.strict,Er=(t=e.code)===null||t===void 0?void 0:t.optimize,no=Er===!0||Er===void 0?1:Er||0,oo=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:Ef,ao=(a=e.uriResolver)!==null&&a!==void 0?a:HI.default;return{strictSchema:(s=(i=e.strictSchema)!==null&&i!==void 0?i:qt)!==null&&s!==void 0?s:!0,strictNumbers:(d=(c=e.strictNumbers)!==null&&c!==void 0?c:qt)!==null&&d!==void 0?d:!0,strictTypes:(l=(p=e.strictTypes)!==null&&p!==void 0?p:qt)!==null&&l!==void 0?l:"log",strictTuples:(h=(m=e.strictTuples)!==null&&m!==void 0?m:qt)!==null&&h!==void 0?h:"log",strictRequired:(_=(y=e.strictRequired)!==null&&y!==void 0?y:qt)!==null&&_!==void 0?_:!1,code:e.code?{...e.code,optimize:no,regExp:oo}:{optimize:no,regExp:oo},loopRequired:(S=e.loopRequired)!==null&&S!==void 0?S:xf,loopEnum:(w=e.loopEnum)!==null&&w!==void 0?w:xf,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(b=e.messages)!==null&&b!==void 0?b:!0,inlineRefs:(R=e.inlineRefs)!==null&&R!==void 0?R:!0,schemaId:(q=e.schemaId)!==null&&q!==void 0?q:"$id",addUsedSchema:(N=e.addUsedSchema)!==null&&N!==void 0?N:!0,validateSchema:(qe=e.validateSchema)!==null&&qe!==void 0?qe:!0,validateFormats:(it=e.validateFormats)!==null&&it!==void 0?it:!0,unicodeRegExp:(dn=e.unicodeRegExp)!==null&&dn!==void 0?dn:!0,int32range:(ir=e.int32range)!==null&&ir!==void 0?ir:!0,uriResolver:ao}}o(FI,"requiredOptions");var Ho=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...FI(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new DI.ValueScope({scope:{},prefixes:BI,es5:r,lines:n}),this.logger=QI(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,jI.getRules)(),Af.call(this,GI,t,"NOT SUPPORTED"),Af.call(this,VI,t,"DEPRECATED","warn"),this._metaOpts=JI.call(this),t.formats&&KI.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&WI.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),ZI.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=Pf;n==="id"&&(a={...Pf},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(l,m){await i.call(this,l.$schema);let h=this._addSchema(l,m);return h.validate||s.call(this,h)}async function i(l){l&&!this.getSchema(l)&&await a.call(this,{$ref:l},!0)}async function s(l){try{return this._compileSchemaEnv(l)}catch(m){if(!(m instanceof kf.default))throw m;return c.call(this,m),await d.call(this,m.missingSchema),s.call(this,l)}}function c({missingSchema:l,missingRef:m}){if(this.refs[l])throw new Error(`AnySchema ${l} is loaded but ${m} cannot be resolved`)}async function d(l){let m=await p.call(this,l);this.refs[l]||await i.call(this,m.$schema),this.refs[l]||this.addSchema(m,l,r)}async function p(l){let m=this._loading[l];if(m)return m;try{return await(this._loading[l]=n(l))}finally{delete this._loading[l]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let s of t)this.addSchema(s,void 0,n,a);return this}let i;if(typeof t=="object"){let{schemaId:s}=this.opts;if(i=t[s],i!==void 0&&typeof i!="string")throw new Error(`schema ${s} must be string`)}return r=(0,Do.normalizeId)(r||i),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let i="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(i);else throw new Error(i)}return a}getSchema(t){let r;for(;typeof(r=Tf.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new jo.SchemaEnv({schema:{},schemaId:n});if(r=jo.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=Tf.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,Do.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(eP.call(this,n,r),!r)return(0,Eu.eachItem)(n,i=>ku.call(this,i)),this;rP.call(this,r);let a={...r,type:(0,Si.getJSONTypes)(r.type),schemaType:(0,Si.getJSONTypes)(r.schemaType)};return(0,Eu.eachItem)(n,a.type.length===0?i=>ku.call(this,i,a):i=>a.type.forEach(s=>ku.call(this,i,a,s))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(i=>i.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,i)=>a+r+i)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let i=a.split("/").slice(1),s=t;for(let c of i)s=s[c];for(let c in n){let d=n[c];if(typeof d!="object")continue;let{$data:p}=d.definition,l=s[c];p&&l&&(s[c]=Uf(l))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,i=this.opts.addUsedSchema){let s,{schemaId:c}=this.opts;if(typeof t=="object")s=t[c];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,Do.normalizeId)(s||n);let p=Do.getSchemaRefs.call(this,t,n);return d=new jo.SchemaEnv({schema:t,schemaId:c,meta:r,baseId:n,localRefs:p}),this._cache.set(d.schema,d),i&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):jo.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{jo.compileSchema.call(this,t)}finally{this.opts=r}}};Ho.ValidationError=NI.default;Ho.MissingRefError=kf.default;Ee.default=Ho;function Af(e,t,r,n="error"){for(let a in e){let i=a;i in t&&this.logger[n](`${r}: option ${a}. ${e[i]}`)}}o(Af,"checkOptions");function Tf(e){return e=(0,Do.normalizeId)(e),this.schemas[e]||this.refs[e]}o(Tf,"getSchEnv");function ZI(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(ZI,"addInitialSchemas");function KI(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(KI,"addInitialFormats");function WI(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(WI,"addInitialKeywords");function JI(){let e={...this.opts};for(let t of LI)delete e[t];return e}o(JI,"getMetaSchemaOptions");var YI={log(){},warn(){},error(){}};function QI(e){if(e===!1)return YI;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(QI,"getLogger");var XI=/^[a-z_$][a-z0-9_$:-]*$/i;function eP(e,t){let{RULES:r}=this;if((0,Eu.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!XI.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(eP,"checkKeyword");function ku(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:i}=this,s=a?i.post:i.rules.find(({type:d})=>d===r);if(s||(s={type:r,rules:[]},i.rules.push(s)),i.keywords[e]=!0,!t)return;let c={keyword:e,definition:{...t,type:(0,Si.getJSONTypes)(t.type),schemaType:(0,Si.getJSONTypes)(t.schemaType)}};t.before?tP.call(this,s,c,t.before):s.rules.push(c),i.all[e]=c,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(ku,"addRule");function tP(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(tP,"addBeforeRule");function rP(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=Uf(t)),e.validateSchema=this.compile(t,!0))}o(rP,"keywordMetaschema");var nP={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function Uf(e){return{anyOf:[e,nP]}}o(Uf,"schemaOrData")});var $f=x(Uu=>{"use strict";Object.defineProperty(Uu,"__esModule",{value:!0});var oP={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};Uu.default=oP});var Nf=x(Br=>{"use strict";Object.defineProperty(Br,"__esModule",{value:!0});Br.callRef=Br.getValidate=void 0;var aP=qo(),zf=dt(),Ye=F(),Pn=Ft(),Mf=mi(),_i=re(),iP={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:i,validateName:s,opts:c,self:d}=n,{root:p}=i;if((r==="#"||r==="#/")&&a===p.baseId)return m();let l=Mf.resolveRef.call(d,p,a,r);if(l===void 0)throw new aP.default(n.opts.uriResolver,a,r);if(l instanceof Mf.SchemaEnv)return h(l);return y(l);function m(){if(i===p)return wi(e,s,i,i.$async);let _=t.scopeValue("root",{ref:p});return wi(e,(0,Ye._)`${_}.validate`,p,p.$async)}function h(_){let S=qf(e,_);wi(e,S,_,_.$async)}function y(_){let S=t.scopeValue("schema",c.code.source===!0?{ref:_,code:(0,Ye.stringify)(_)}:{ref:_}),w=t.name("valid"),v=e.subschema({schema:_,dataTypes:[],schemaPath:Ye.nil,topSchemaRef:S,errSchemaPath:r},w);e.mergeEvaluated(v),e.ok(w)}}};function qf(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,Ye._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(qf,"getValidate");Br.getValidate=qf;function wi(e,t,r,n){let{gen:a,it:i}=e,{allErrors:s,schemaEnv:c,opts:d}=i,p=d.passContext?Pn.default.this:Ye.nil;n?l():m();function l(){if(!c.$async)throw new Error("async schema referenced by sync schema");let _=a.let("valid");a.try(()=>{a.code((0,Ye._)`await ${(0,zf.callValidateCode)(e,t,p)}`),y(t),s||a.assign(_,!0)},S=>{a.if((0,Ye._)`!(${S} instanceof ${i.ValidationError})`,()=>a.throw(S)),h(S),s||a.assign(_,!1)}),e.ok(_)}o(l,"callAsyncRef");function m(){e.result((0,zf.callValidateCode)(e,t,p),()=>y(t),()=>h(t))}o(m,"callSyncRef");function h(_){let S=(0,Ye._)`${_}.errors`;a.assign(Pn.default.vErrors,(0,Ye._)`${Pn.default.vErrors} === null ? ${S} : ${Pn.default.vErrors}.concat(${S})`),a.assign(Pn.default.errors,(0,Ye._)`${Pn.default.vErrors}.length`)}o(h,"addErrorsFrom");function y(_){var S;if(!i.opts.unevaluated)return;let w=(S=r?.validate)===null||S===void 0?void 0:S.evaluated;if(i.props!==!0)if(w&&!w.dynamicProps)w.props!==void 0&&(i.props=_i.mergeEvaluated.props(a,w.props,i.props));else{let v=a.var("props",(0,Ye._)`${_}.evaluated.props`);i.props=_i.mergeEvaluated.props(a,v,i.props,Ye.Name)}if(i.items!==!0)if(w&&!w.dynamicItems)w.items!==void 0&&(i.items=_i.mergeEvaluated.items(a,w.items,i.items));else{let v=a.var("items",(0,Ye._)`${_}.evaluated.items`);i.items=_i.mergeEvaluated.items(a,v,i.items,Ye.Name)}}o(y,"addEvaluatedFrom")}o(wi,"callRef");Br.callRef=wi;Br.default=iP});var jf=x(Ou=>{"use strict";Object.defineProperty(Ou,"__esModule",{value:!0});var sP=$f(),cP=Nf(),uP=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",sP.default,cP.default];Ou.default=uP});var Df=x($u=>{"use strict";Object.defineProperty($u,"__esModule",{value:!0});var vi=F(),br=vi.operators,bi={maximum:{okStr:"<=",ok:br.LTE,fail:br.GT},minimum:{okStr:">=",ok:br.GTE,fail:br.LT},exclusiveMaximum:{okStr:"<",ok:br.LT,fail:br.GTE},exclusiveMinimum:{okStr:">",ok:br.GT,fail:br.LTE}},dP={message:o(({keyword:e,schemaCode:t})=>(0,vi.str)`must be ${bi[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,vi._)`{comparison: ${bi[e].okStr}, limit: ${t}}`,"params")},lP={keyword:Object.keys(bi),type:"number",schemaType:"number",$data:!0,error:dP,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,vi._)`${r} ${bi[t].fail} ${n} || isNaN(${r})`)}};$u.default=lP});var Hf=x(zu=>{"use strict";Object.defineProperty(zu,"__esModule",{value:!0});var Lo=F(),pP={message:o(({schemaCode:e})=>(0,Lo.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,Lo._)`{multipleOf: ${e}}`,"params")},mP={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:pP,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,i=a.opts.multipleOfPrecision,s=t.let("res"),c=i?(0,Lo._)`Math.abs(Math.round(${s}) - ${s}) > 1e-${i}`:(0,Lo._)`${s} !== parseInt(${s})`;e.fail$data((0,Lo._)`(${n} === 0 || (${s} = ${r}/${n}, ${c}))`)}};zu.default=mP});var Bf=x(Mu=>{"use strict";Object.defineProperty(Mu,"__esModule",{value:!0});function Lf(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(Lf,"ucs2length");Mu.default=Lf;Lf.code='require("ajv/dist/runtime/ucs2length").default'});var Gf=x(qu=>{"use strict";Object.defineProperty(qu,"__esModule",{value:!0});var Gr=F(),fP=re(),hP=Bf(),gP={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,Gr.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,Gr._)`{limit: ${e}}`,"params")},yP={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:gP,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,i=t==="maxLength"?Gr.operators.GT:Gr.operators.LT,s=a.opts.unicode===!1?(0,Gr._)`${r}.length`:(0,Gr._)`${(0,fP.useFunc)(e.gen,hP.default)}(${r})`;e.fail$data((0,Gr._)`${s} ${i} ${n}`)}};qu.default=yP});var Vf=x(Nu=>{"use strict";Object.defineProperty(Nu,"__esModule",{value:!0});var SP=dt(),Ri=F(),_P={message:o(({schemaCode:e})=>(0,Ri.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,Ri._)`{pattern: ${e}}`,"params")},wP={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:_P,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:i}=e,s=i.opts.unicodeRegExp?"u":"",c=r?(0,Ri._)`(new RegExp(${a}, ${s}))`:(0,SP.usePattern)(e,n);e.fail$data((0,Ri._)`!${c}.test(${t})`)}};Nu.default=wP});var Ff=x(ju=>{"use strict";Object.defineProperty(ju,"__esModule",{value:!0});var Bo=F(),vP={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,Bo.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,Bo._)`{limit: ${e}}`,"params")},bP={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:vP,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?Bo.operators.GT:Bo.operators.LT;e.fail$data((0,Bo._)`Object.keys(${r}).length ${a} ${n}`)}};ju.default=bP});var Zf=x(Du=>{"use strict";Object.defineProperty(Du,"__esModule",{value:!0});var Go=dt(),Vo=F(),RP=re(),CP={message:o(({params:{missingProperty:e}})=>(0,Vo.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,Vo._)`{missingProperty: ${e}}`,"params")},IP={keyword:"required",type:"object",schemaType:"array",$data:!0,error:CP,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:i,it:s}=e,{opts:c}=s;if(!i&&r.length===0)return;let d=r.length>=c.loopRequired;if(s.allErrors?p():l(),c.strictRequired){let y=e.parentSchema.properties,{definedProperties:_}=e.it;for(let S of r)if(y?.[S]===void 0&&!_.has(S)){let w=s.schemaEnv.baseId+s.errSchemaPath,v=`required property "${S}" is not defined at "${w}" (strictRequired)`;(0,RP.checkStrictMode)(s,v,s.opts.strictRequired)}}function p(){if(d||i)e.block$data(Vo.nil,m);else for(let y of r)(0,Go.checkReportMissingProp)(e,y)}o(p,"allErrorsMode");function l(){let y=t.let("missing");if(d||i){let _=t.let("valid",!0);e.block$data(_,()=>h(y,_)),e.ok(_)}else t.if((0,Go.checkMissingProp)(e,r,y)),(0,Go.reportMissingProp)(e,y),t.else()}o(l,"exitOnErrorMode");function m(){t.forOf("prop",n,y=>{e.setParams({missingProperty:y}),t.if((0,Go.noPropertyInData)(t,a,y,c.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function h(y,_){e.setParams({missingProperty:y}),t.forOf(y,n,()=>{t.assign(_,(0,Go.propertyInData)(t,a,y,c.ownProperties)),t.if((0,Vo.not)(_),()=>{e.error(),t.break()})},Vo.nil)}o(h,"loopUntilMissing")}};Du.default=IP});var Kf=x(Hu=>{"use strict";Object.defineProperty(Hu,"__esModule",{value:!0});var Fo=F(),PP={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,Fo.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,Fo._)`{limit: ${e}}`,"params")},xP={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:PP,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?Fo.operators.GT:Fo.operators.LT;e.fail$data((0,Fo._)`${r}.length ${a} ${n}`)}};Hu.default=xP});var Ci=x(Lu=>{"use strict";Object.defineProperty(Lu,"__esModule",{value:!0});var Wf=pu();Wf.code='require("ajv/dist/runtime/equal").default';Lu.default=Wf});var Jf=x(Gu=>{"use strict";Object.defineProperty(Gu,"__esModule",{value:!0});var Bu=Uo(),Ue=F(),AP=re(),TP=Ci(),kP={message:o(({params:{i:e,j:t}})=>(0,Ue.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,Ue._)`{i: ${e}, j: ${t}}`,"params")},EP={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:kP,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:i,schemaCode:s,it:c}=e;if(!n&&!a)return;let d=t.let("valid"),p=i.items?(0,Bu.getSchemaTypes)(i.items):[];e.block$data(d,l,(0,Ue._)`${s} === false`),e.ok(d);function l(){let _=t.let("i",(0,Ue._)`${r}.length`),S=t.let("j");e.setParams({i:_,j:S}),t.assign(d,!0),t.if((0,Ue._)`${_} > 1`,()=>(m()?h:y)(_,S))}o(l,"validateUniqueItems");function m(){return p.length>0&&!p.some(_=>_==="object"||_==="array")}o(m,"canOptimize");function h(_,S){let w=t.name("item"),v=(0,Bu.checkDataTypes)(p,w,c.opts.strictNumbers,Bu.DataType.Wrong),b=t.const("indices",(0,Ue._)`{}`);t.for((0,Ue._)`;${_}--;`,()=>{t.let(w,(0,Ue._)`${r}[${_}]`),t.if(v,(0,Ue._)`continue`),p.length>1&&t.if((0,Ue._)`typeof ${w} == "string"`,(0,Ue._)`${w} += "_"`),t.if((0,Ue._)`typeof ${b}[${w}] == "number"`,()=>{t.assign(S,(0,Ue._)`${b}[${w}]`),e.error(),t.assign(d,!1).break()}).code((0,Ue._)`${b}[${w}] = ${_}`)})}o(h,"loopN");function y(_,S){let w=(0,AP.useFunc)(t,TP.default),v=t.name("outer");t.label(v).for((0,Ue._)`;${_}--;`,()=>t.for((0,Ue._)`${S} = ${_}; ${S}--;`,()=>t.if((0,Ue._)`${w}(${r}[${_}], ${r}[${S}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(y,"loopN2")}};Gu.default=EP});var Yf=x(Fu=>{"use strict";Object.defineProperty(Fu,"__esModule",{value:!0});var Vu=F(),UP=re(),OP=Ci(),$P={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,Vu._)`{allowedValue: ${e}}`,"params")},zP={keyword:"const",$data:!0,error:$P,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:i}=e;n||i&&typeof i=="object"?e.fail$data((0,Vu._)`!${(0,UP.useFunc)(t,OP.default)}(${r}, ${a})`):e.fail((0,Vu._)`${i} !== ${r}`)}};Fu.default=zP});var Qf=x(Zu=>{"use strict";Object.defineProperty(Zu,"__esModule",{value:!0});var Zo=F(),MP=re(),qP=Ci(),NP={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,Zo._)`{allowedValues: ${e}}`,"params")},jP={keyword:"enum",schemaType:"array",$data:!0,error:NP,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:i,it:s}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let c=a.length>=s.opts.loopEnum,d,p=o(()=>d??(d=(0,MP.useFunc)(t,qP.default)),"getEql"),l;if(c||n)l=t.let("valid"),e.block$data(l,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let y=t.const("vSchema",i);l=(0,Zo.or)(...a.map((_,S)=>h(y,S)))}e.pass(l);function m(){t.assign(l,!1),t.forOf("v",i,y=>t.if((0,Zo._)`${p()}(${r}, ${y})`,()=>t.assign(l,!0).break()))}o(m,"loopEnum");function h(y,_){let S=a[_];return typeof S=="object"&&S!==null?(0,Zo._)`${p()}(${r}, ${y}[${_}])`:(0,Zo._)`${r} === ${S}`}o(h,"equalCode")}};Zu.default=jP});var Xf=x(Ku=>{"use strict";Object.defineProperty(Ku,"__esModule",{value:!0});var DP=Df(),HP=Hf(),LP=Gf(),BP=Vf(),GP=Ff(),VP=Zf(),FP=Kf(),ZP=Jf(),KP=Yf(),WP=Qf(),JP=[DP.default,HP.default,LP.default,BP.default,GP.default,VP.default,FP.default,ZP.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},KP.default,WP.default];Ku.default=JP});var Ju=x(Ko=>{"use strict";Object.defineProperty(Ko,"__esModule",{value:!0});Ko.validateAdditionalItems=void 0;var Vr=F(),Wu=re(),YP={message:o(({params:{len:e}})=>(0,Vr.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,Vr._)`{limit: ${e}}`,"params")},QP={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:YP,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,Wu.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}eh(e,n)}};function eh(e,t){let{gen:r,schema:n,data:a,keyword:i,it:s}=e;s.items=!0;let c=r.const("len",(0,Vr._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,Vr._)`${c} <= ${t.length}`);else if(typeof n=="object"&&!(0,Wu.alwaysValidSchema)(s,n)){let p=r.var("valid",(0,Vr._)`${c} <= ${t.length}`);r.if((0,Vr.not)(p),()=>d(p)),e.ok(p)}function d(p){r.forRange("i",t.length,c,l=>{e.subschema({keyword:i,dataProp:l,dataPropType:Wu.Type.Num},p),s.allErrors||r.if((0,Vr.not)(p),()=>r.break())})}o(d,"validateItems")}o(eh,"validateAdditionalItems");Ko.validateAdditionalItems=eh;Ko.default=QP});var Yu=x(Wo=>{"use strict";Object.defineProperty(Wo,"__esModule",{value:!0});Wo.validateTuple=void 0;var th=F(),Ii=re(),XP=dt(),ex={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return rh(e,"additionalItems",t);r.items=!0,!(0,Ii.alwaysValidSchema)(r,t)&&e.ok((0,XP.validateArray)(e))}};function rh(e,t,r=e.schema){let{gen:n,parentSchema:a,data:i,keyword:s,it:c}=e;l(a),c.opts.unevaluated&&r.length&&c.items!==!0&&(c.items=Ii.mergeEvaluated.items(n,r.length,c.items));let d=n.name("valid"),p=n.const("len",(0,th._)`${i}.length`);r.forEach((m,h)=>{(0,Ii.alwaysValidSchema)(c,m)||(n.if((0,th._)`${p} > ${h}`,()=>e.subschema({keyword:s,schemaProp:h,dataProp:h},d)),e.ok(d))});function l(m){let{opts:h,errSchemaPath:y}=c,_=r.length,S=_===m.minItems&&(_===m.maxItems||m[t]===!1);if(h.strictTuples&&!S){let w=`"${s}" is ${_}-tuple, but minItems or maxItems/${t} are not specified or different at path "${y}"`;(0,Ii.checkStrictMode)(c,w,h.strictTuples)}}o(l,"checkStrictTuple")}o(rh,"validateTuple");Wo.validateTuple=rh;Wo.default=ex});var nh=x(Qu=>{"use strict";Object.defineProperty(Qu,"__esModule",{value:!0});var tx=Yu(),rx={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,tx.validateTuple)(e,"items"),"code")};Qu.default=rx});var ah=x(Xu=>{"use strict";Object.defineProperty(Xu,"__esModule",{value:!0});var oh=F(),nx=re(),ox=dt(),ax=Ju(),ix={message:o(({params:{len:e}})=>(0,oh.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,oh._)`{limit: ${e}}`,"params")},sx={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:ix,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,nx.alwaysValidSchema)(n,t)&&(a?(0,ax.validateAdditionalItems)(e,a):e.ok((0,ox.validateArray)(e)))}};Xu.default=sx});var ih=x(ed=>{"use strict";Object.defineProperty(ed,"__esModule",{value:!0});var pt=F(),Pi=re(),cx={message:o(({params:{min:e,max:t}})=>t===void 0?(0,pt.str)`must contain at least ${e} valid item(s)`:(0,pt.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,pt._)`{minContains: ${e}}`:(0,pt._)`{minContains: ${e}, maxContains: ${t}}`,"params")},ux={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:cx,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e,s,c,{minContains:d,maxContains:p}=n;i.opts.next?(s=d===void 0?1:d,c=p):s=1;let l=t.const("len",(0,pt._)`${a}.length`);if(e.setParams({min:s,max:c}),c===void 0&&s===0){(0,Pi.checkStrictMode)(i,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(c!==void 0&&s>c){(0,Pi.checkStrictMode)(i,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,Pi.alwaysValidSchema)(i,r)){let S=(0,pt._)`${l} >= ${s}`;c!==void 0&&(S=(0,pt._)`${S} && ${l} <= ${c}`),e.pass(S);return}i.items=!0;let m=t.name("valid");c===void 0&&s===1?y(m,()=>t.if(m,()=>t.break())):s===0?(t.let(m,!0),c!==void 0&&t.if((0,pt._)`${a}.length > 0`,h)):(t.let(m,!1),h()),e.result(m,()=>e.reset());function h(){let S=t.name("_valid"),w=t.let("count",0);y(S,()=>t.if(S,()=>_(w)))}o(h,"validateItemsWithCount");function y(S,w){t.forRange("i",0,l,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:Pi.Type.Num,compositeRule:!0},S),w()})}o(y,"validateItems");function _(S){t.code((0,pt._)`${S}++`),c===void 0?t.if((0,pt._)`${S} >= ${s}`,()=>t.assign(m,!0).break()):(t.if((0,pt._)`${S} > ${c}`,()=>t.assign(m,!1).break()),s===1?t.assign(m,!0):t.if((0,pt._)`${S} >= ${s}`,()=>t.assign(m,!0)))}o(_,"checkLimits")}};ed.default=ux});var uh=x(Tt=>{"use strict";Object.defineProperty(Tt,"__esModule",{value:!0});Tt.validateSchemaDeps=Tt.validatePropertyDeps=Tt.error=void 0;var td=F(),dx=re(),Jo=dt();Tt.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,td.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,td._)`{property: ${e},
     missingProperty: ${n},
     depsCount: ${t},
-    deps: ${r}}`,"params")};var $T={keyword:"dependencies",type:"object",schemaType:"object",error:bt.error,code(e){let[t,r]=LT(e);qh(e,t),$h(e,r)}};function LT({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(LT,"splitDependencies");function qh(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let i=r.let("missing");for(let s in t){let u=t[s];if(u.length===0)continue;let d=(0,xo.propertyInData)(r,n,s,a.opts.ownProperties);e.setParams({property:s,depsCount:u.length,deps:u.join(", ")}),a.allErrors?r.if(d,()=>{for(let l of u)(0,xo.checkReportMissingProp)(e,l)}):(r.if((0,Du._)`${d} && (${(0,xo.checkMissingProp)(e,u,i)})`),(0,xo.reportMissingProp)(e,i),r.else())}}o(qh,"validatePropertyDeps");bt.validatePropertyDeps=qh;function $h(e,t=e.schema){let{gen:r,data:n,keyword:a,it:i}=e,s=r.name("valid");for(let u in t)(0,qT.alwaysValidSchema)(i,t[u])||(r.if((0,xo.propertyInData)(r,n,u,i.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:u},s);e.mergeValidEvaluated(d,s)},()=>r.var(s,!0)),e.ok(s))}o($h,"validateSchemaDeps");bt.validateSchemaDeps=$h;bt.default=$T});var Hh=T(Mu=>{"use strict";Object.defineProperty(Mu,"__esModule",{value:!0});var jh=L(),jT=J(),HT={message:"property name must be valid",params:o(({params:e})=>(0,jh._)`{propertyName: ${e.propertyName}}`,"params")},GT={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:HT,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,jT.alwaysValidSchema)(a,r))return;let i=t.name("valid");t.forIn("key",n,s=>{e.setParams({propertyName:s}),e.subschema({keyword:"propertyNames",data:s,dataTypes:["string"],propertyName:s,compositeRule:!0},i),t.if((0,jh.not)(i),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(i)}};Mu.default=GT});var $u=T(qu=>{"use strict";Object.defineProperty(qu,"__esModule",{value:!0});var si=nt(),mt=L(),BT=$t(),ci=J(),VT={message:"must NOT have additional properties",params:o(({params:e})=>(0,mt._)`{additionalProperty: ${e.additionalProperty}}`,"params")},FT={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:VT,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:i,it:s}=e;if(!i)throw new Error("ajv implementation error");let{allErrors:u,opts:d}=s;if(s.props=!0,d.removeAdditional!=="all"&&(0,ci.alwaysValidSchema)(s,r))return;let l=(0,si.allSchemaProperties)(n.properties),p=(0,si.allSchemaProperties)(n.patternProperties);m(),e.ok((0,mt._)`${i} === ${BT.default.errors}`);function m(){t.forIn("key",a,w=>{!l.length&&!p.length?S(w):t.if(f(w),()=>S(w))})}o(m,"checkAdditionalProperties");function f(w){let v;if(l.length>8){let R=(0,ci.schemaRefOrVal)(s,n.properties,"properties");v=(0,si.isOwnProperty)(t,R,w)}else l.length?v=(0,mt.or)(...l.map(R=>(0,mt._)`${w} === ${R}`)):v=mt.nil;return p.length&&(v=(0,mt.or)(v,...p.map(R=>(0,mt._)`${(0,si.usePattern)(e,R)}.test(${w})`))),(0,mt.not)(v)}o(f,"isAdditional");function _(w){t.code((0,mt._)`delete ${a}[${w}]`)}o(_,"deleteAdditional");function S(w){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){_(w);return}if(r===!1){e.setParams({additionalProperty:w}),e.error(),u||t.break();return}if(typeof r=="object"&&!(0,ci.alwaysValidSchema)(s,r)){let v=t.name("valid");d.removeAdditional==="failing"?(y(w,v,!1),t.if((0,mt.not)(v),()=>{e.reset(),_(w)})):(y(w,v),u||t.if((0,mt.not)(v),()=>t.break()))}}o(S,"additionalPropertyCode");function y(w,v,R){let I={keyword:"additionalProperties",dataProp:w,dataPropType:ci.Type.Str};R===!1&&Object.assign(I,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(I,v)}o(y,"applyAdditionalSchema")}};qu.default=FT});var Vh=T(ju=>{"use strict";Object.defineProperty(ju,"__esModule",{value:!0});var ZT=_o(),Gh=nt(),Lu=J(),Bh=$u(),KT={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e;i.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&Bh.default.code(new ZT.KeywordCxt(i,Bh.default,"additionalProperties"));let s=(0,Gh.allSchemaProperties)(r);for(let m of s)i.definedProperties.add(m);i.opts.unevaluated&&s.length&&i.props!==!0&&(i.props=Lu.mergeEvaluated.props(t,(0,Lu.toHash)(s),i.props));let u=s.filter(m=>!(0,Lu.alwaysValidSchema)(i,r[m]));if(u.length===0)return;let d=t.name("valid");for(let m of u)l(m)?p(m):(t.if((0,Gh.propertyInData)(t,a,m,i.opts.ownProperties)),p(m),i.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function l(m){return i.opts.useDefaults&&!i.compositeRule&&r[m].default!==void 0}o(l,"hasDefault");function p(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(p,"applyPropertySchema")}};ju.default=KT});var Wh=T(Hu=>{"use strict";Object.defineProperty(Hu,"__esModule",{value:!0});var Fh=nt(),ui=L(),Zh=J(),Kh=J(),WT={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:i}=e,{opts:s}=i,u=(0,Fh.allSchemaProperties)(r),d=u.filter(y=>(0,Zh.alwaysValidSchema)(i,r[y]));if(u.length===0||d.length===u.length&&(!i.opts.unevaluated||i.props===!0))return;let l=s.strictSchema&&!s.allowMatchingProperties&&a.properties,p=t.name("valid");i.props!==!0&&!(i.props instanceof ui.Name)&&(i.props=(0,Kh.evaluatedPropsToName)(t,i.props));let{props:m}=i;f();function f(){for(let y of u)l&&_(y),i.allErrors?S(y):(t.var(p,!0),S(y),t.if(p))}o(f,"validatePatternProperties");function _(y){for(let w in l)new RegExp(y).test(w)&&(0,Zh.checkStrictMode)(i,`property ${w} matches pattern ${y} (use allowMatchingProperties)`)}o(_,"checkMatchingProperties");function S(y){t.forIn("key",n,w=>{t.if((0,ui._)`${(0,Fh.usePattern)(e,y)}.test(${w})`,()=>{let v=d.includes(y);v||e.subschema({keyword:"patternProperties",schemaProp:y,dataProp:w,dataPropType:Kh.Type.Str},p),i.opts.unevaluated&&m!==!0?t.assign((0,ui._)`${m}[${w}]`,!0):!v&&!i.allErrors&&t.if((0,ui.not)(p),()=>t.break())})})}o(S,"validateProperties")}};Hu.default=WT});var Jh=T(Gu=>{"use strict";Object.defineProperty(Gu,"__esModule",{value:!0});var JT=J(),YT={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,JT.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Gu.default=YT});var Yh=T(Bu=>{"use strict";Object.defineProperty(Bu,"__esModule",{value:!0});var XT=nt(),QT={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:XT.validateUnion,error:{message:"must match a schema in anyOf"}};Bu.default=QT});var Xh=T(Vu=>{"use strict";Object.defineProperty(Vu,"__esModule",{value:!0});var di=L(),eA=J(),tA={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,di._)`{passingSchemas: ${e.passing}}`,"params")},rA={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:tA,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let i=r,s=t.let("valid",!1),u=t.let("passing",null),d=t.name("_valid");e.setParams({passing:u}),t.block(l),e.result(s,()=>e.reset(),()=>e.error(!0));function l(){i.forEach((p,m)=>{let f;(0,eA.alwaysValidSchema)(a,p)?t.var(d,!0):f=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,di._)`${d} && ${s}`).assign(s,!1).assign(u,(0,di._)`[${u}, ${m}]`).else(),t.if(d,()=>{t.assign(s,!0),t.assign(u,m),f&&e.mergeEvaluated(f,di.Name)})})}o(l,"validateOneOf")}};Vu.default=rA});var Qh=T(Fu=>{"use strict";Object.defineProperty(Fu,"__esModule",{value:!0});var nA=J(),oA={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((i,s)=>{if((0,nA.alwaysValidSchema)(n,i))return;let u=e.subschema({keyword:"allOf",schemaProp:s},a);e.ok(a),e.mergeEvaluated(u)})}};Fu.default=oA});var rf=T(Zu=>{"use strict";Object.defineProperty(Zu,"__esModule",{value:!0});var li=L(),tf=J(),aA={message:o(({params:e})=>(0,li.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,li._)`{failingKeyword: ${e.ifClause}}`,"params")},iA={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:aA,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,tf.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=ef(n,"then"),i=ef(n,"else");if(!a&&!i)return;let s=t.let("valid",!0),u=t.name("_valid");if(d(),e.reset(),a&&i){let p=t.let("ifClause");e.setParams({ifClause:p}),t.if(u,l("then",p),l("else",p))}else a?t.if(u,l("then")):t.if((0,li.not)(u),l("else"));e.pass(s,()=>e.error(!0));function d(){let p=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},u);e.mergeEvaluated(p)}o(d,"validateIf");function l(p,m){return()=>{let f=e.subschema({keyword:p},u);t.assign(s,u),e.mergeValidEvaluated(f,s),m?t.assign(m,(0,li._)`${p}`):e.setParams({ifClause:p})}}o(l,"validateClause")}};function ef(e,t){let r=e.schema[t];return r!==void 0&&!(0,tf.alwaysValidSchema)(e,r)}o(ef,"hasSchema");Zu.default=iA});var nf=T(Ku=>{"use strict";Object.defineProperty(Ku,"__esModule",{value:!0});var sA=J(),cA={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,sA.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};Ku.default=cA});var of=T(Wu=>{"use strict";Object.defineProperty(Wu,"__esModule",{value:!0});var uA=xu(),dA=zh(),lA=Ou(),pA=Dh(),mA=Mh(),hA=Lh(),fA=Hh(),gA=$u(),_A=Vh(),yA=Wh(),SA=Jh(),wA=Yh(),vA=Xh(),RA=Qh(),bA=rf(),CA=nf();function IA(e=!1){let t=[SA.default,wA.default,vA.default,RA.default,bA.default,CA.default,fA.default,gA.default,hA.default,_A.default,yA.default];return e?t.push(dA.default,pA.default):t.push(uA.default,lA.default),t.push(mA.default),t}o(IA,"getApplicator");Wu.default=IA});var af=T(Ju=>{"use strict";Object.defineProperty(Ju,"__esModule",{value:!0});var fe=L(),TA={message:o(({schemaCode:e})=>(0,fe.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,fe._)`{format: ${e}}`,"params")},AA={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:TA,code(e,t){let{gen:r,data:n,$data:a,schema:i,schemaCode:s,it:u}=e,{opts:d,errSchemaPath:l,schemaEnv:p,self:m}=u;if(!d.validateFormats)return;a?f():_();function f(){let S=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),y=r.const("fDef",(0,fe._)`${S}[${s}]`),w=r.let("fType"),v=r.let("format");r.if((0,fe._)`typeof ${y} == "object" && !(${y} instanceof RegExp)`,()=>r.assign(w,(0,fe._)`${y}.type || "string"`).assign(v,(0,fe._)`${y}.validate`),()=>r.assign(w,(0,fe._)`"string"`).assign(v,y)),e.fail$data((0,fe.or)(R(),I()));function R(){return d.strictSchema===!1?fe.nil:(0,fe._)`${s} && !${v}`}o(R,"unknownFmt");function I(){let N=p.$async?(0,fe._)`(${y}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,fe._)`${v}(${n})`,M=(0,fe._)`(typeof ${v} == "function" ? ${N} : ${v}.test(${n}))`;return(0,fe._)`${v} && ${v} !== true && ${w} === ${t} && !${M}`}o(I,"invalidFmt")}o(f,"validate$DataFormat");function _(){let S=m.formats[i];if(!S){R();return}if(S===!0)return;let[y,w,v]=I(S);y===t&&e.pass(N());function R(){if(d.strictSchema===!1){m.logger.warn(M());return}throw new Error(M());function M(){return`unknown format "${i}" ignored in schema at path "${l}"`}}o(R,"unknownFormat");function I(M){let Ye=M instanceof RegExp?(0,fe.regexpCode)(M):d.code.formats?(0,fe._)`${d.code.formats}${(0,fe.getProperty)(i)}`:void 0,xt=r.scopeValue("formats",{key:i,ref:M,code:Ye});return typeof M=="object"&&!(M instanceof RegExp)?[M.type||"string",M.validate,(0,fe._)`${xt}.validate`]:["string",M,xt]}o(I,"getFormat");function N(){if(typeof S=="object"&&!(S instanceof RegExp)&&S.async){if(!p.$async)throw new Error("async format in sync schema");return(0,fe._)`await ${v}(${n})`}return typeof w=="function"?(0,fe._)`${v}(${n})`:(0,fe._)`${v}.test(${n})`}o(N,"validCondition")}o(_,"validateFormat")}};Ju.default=AA});var sf=T(Yu=>{"use strict";Object.defineProperty(Yu,"__esModule",{value:!0});var kA=af(),PA=[kA.default];Yu.default=PA});var cf=T(mn=>{"use strict";Object.defineProperty(mn,"__esModule",{value:!0});mn.contentVocabulary=mn.metadataVocabulary=void 0;mn.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];mn.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var df=T(Xu=>{"use strict";Object.defineProperty(Xu,"__esModule",{value:!0});var EA=gh(),xA=Eh(),OA=of(),UA=sf(),uf=cf(),zA=[EA.default,xA.default,(0,OA.default)(),UA.default,uf.metadataVocabulary,uf.contentVocabulary];Xu.default=zA});var pf=T(pi=>{"use strict";Object.defineProperty(pi,"__esModule",{value:!0});pi.DiscrError=void 0;var lf;(function(e){e.Tag="tag",e.Mapping="mapping"})(lf||(pi.DiscrError=lf={}))});var hf=T(ed=>{"use strict";Object.defineProperty(ed,"__esModule",{value:!0});var hn=L(),Qu=pf(),mf=Za(),NA=yo(),DA=J(),MA={message:o(({params:{discrError:e,tagName:t}})=>e===Qu.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,hn._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},qA={keyword:"discriminator",type:"object",schemaType:"object",error:MA,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:i}=e,{oneOf:s}=a;if(!i.opts.discriminator)throw new Error("discriminator: requires discriminator option");let u=n.propertyName;if(typeof u!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!s)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),l=t.const("tag",(0,hn._)`${r}${(0,hn.getProperty)(u)}`);t.if((0,hn._)`typeof ${l} == "string"`,()=>p(),()=>e.error(!1,{discrError:Qu.DiscrError.Tag,tag:l,tagName:u})),e.ok(d);function p(){let _=f();t.if(!1);for(let S in _)t.elseIf((0,hn._)`${l} === ${S}`),t.assign(d,m(_[S]));t.else(),e.error(!1,{discrError:Qu.DiscrError.Mapping,tag:l,tagName:u}),t.endIf()}o(p,"validateMapping");function m(_){let S=t.name("valid"),y=e.subschema({keyword:"oneOf",schemaProp:_},S);return e.mergeEvaluated(y,hn.Name),S}o(m,"applyTagSchema");function f(){var _;let S={},y=v(a),w=!0;for(let N=0;N<s.length;N++){let M=s[N];if(M?.$ref&&!(0,DA.schemaHasRulesButRef)(M,i.self.RULES)){let xt=M.$ref;if(M=mf.resolveRef.call(i.self,i.schemaEnv.root,i.baseId,xt),M instanceof mf.SchemaEnv&&(M=M.schema),M===void 0)throw new NA.default(i.opts.uriResolver,i.baseId,xt)}let Ye=(_=M?.properties)===null||_===void 0?void 0:_[u];if(typeof Ye!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${u}"`);w=w&&(y||v(M)),R(Ye,N)}if(!w)throw new Error(`discriminator: "${u}" must be required`);return S;function v({required:N}){return Array.isArray(N)&&N.includes(u)}function R(N,M){if(N.const)I(N.const,M);else if(N.enum)for(let Ye of N.enum)I(Ye,M);else throw new Error(`discriminator: "properties/${u}" must have "const" or "enum"`)}function I(N,M){if(typeof N!="string"||N in S)throw new Error(`discriminator: "${u}" values must be unique strings`);S[N]=M}}o(f,"getMapping")}};ed.default=qA});var ff=T((rG,$A)=>{$A.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var rd=T((ae,td)=>{"use strict";Object.defineProperty(ae,"__esModule",{value:!0});ae.MissingRefError=ae.ValidationError=ae.CodeGen=ae.Name=ae.nil=ae.stringify=ae.str=ae._=ae.KeywordCxt=ae.Ajv=void 0;var LA=dh(),jA=df(),HA=hf(),gf=ff(),GA=["/properties"],mi="http://json-schema.org/draft-07/schema",fn=class extends LA.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),jA.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(HA.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(gf,GA):gf;this.addMetaSchema(t,mi,!1),this.refs["http://json-schema.org/schema"]=mi}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(mi)?mi:void 0)}};ae.Ajv=fn;td.exports=ae=fn;td.exports.Ajv=fn;Object.defineProperty(ae,"__esModule",{value:!0});ae.default=fn;var BA=_o();Object.defineProperty(ae,"KeywordCxt",{enumerable:!0,get:o(function(){return BA.KeywordCxt},"get")});var gn=L();Object.defineProperty(ae,"_",{enumerable:!0,get:o(function(){return gn._},"get")});Object.defineProperty(ae,"str",{enumerable:!0,get:o(function(){return gn.str},"get")});Object.defineProperty(ae,"stringify",{enumerable:!0,get:o(function(){return gn.stringify},"get")});Object.defineProperty(ae,"nil",{enumerable:!0,get:o(function(){return gn.nil},"get")});Object.defineProperty(ae,"Name",{enumerable:!0,get:o(function(){return gn.Name},"get")});Object.defineProperty(ae,"CodeGen",{enumerable:!0,get:o(function(){return gn.CodeGen},"get")});var VA=Va();Object.defineProperty(ae,"ValidationError",{enumerable:!0,get:o(function(){return VA.default},"get")});var FA=yo();Object.defineProperty(ae,"MissingRefError",{enumerable:!0,get:o(function(){return FA.default},"get")})});var Cf=T(It=>{"use strict";Object.defineProperty(It,"__esModule",{value:!0});It.formatNames=It.fastFormats=It.fullFormats=void 0;function Ct(e,t){return{validate:e,compare:t}}o(Ct,"fmtDef");It.fullFormats={date:Ct(wf,id),time:Ct(od(!0),sd),"date-time":Ct(_f(!0),Rf),"iso-time":Ct(od(),vf),"iso-date-time":Ct(_f(),bf),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:XA,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:ak,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:QA,int32:{type:"number",validate:rk},int64:{type:"number",validate:nk},float:{type:"number",validate:Sf},double:{type:"number",validate:Sf},password:!0,binary:!0};It.fastFormats={...It.fullFormats,date:Ct(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,id),time:Ct(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,sd),"date-time":Ct(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Rf),"iso-time":Ct(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,vf),"iso-date-time":Ct(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,bf),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};It.formatNames=Object.keys(It.fullFormats);function ZA(e){return e%4===0&&(e%100!==0||e%400===0)}o(ZA,"isLeapYear");var KA=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,WA=[0,31,28,31,30,31,30,31,31,30,31,30,31];function wf(e){let t=KA.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&ZA(r)?29:WA[n])}o(wf,"date");function id(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(id,"compareDate");var nd=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function od(e){return o(function(r){let n=nd.exec(r);if(!n)return!1;let a=+n[1],i=+n[2],s=+n[3],u=n[4],d=n[5]==="-"?-1:1,l=+(n[6]||0),p=+(n[7]||0);if(l>23||p>59||e&&!u)return!1;if(a<=23&&i<=59&&s<60)return!0;let m=i-p*d,f=a-l*d-(m<0?1:0);return(f===23||f===-1)&&(m===59||m===-1)&&s<61},"time")}o(od,"getTime");function sd(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(sd,"compareTime");function vf(e,t){if(!(e&&t))return;let r=nd.exec(e),n=nd.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(vf,"compareIsoTime");var ad=/t|\s/i;function _f(e){let t=od(e);return o(function(n){let a=n.split(ad);return a.length===2&&wf(a[0])&&t(a[1])},"date_time")}o(_f,"getDateTime");function Rf(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(Rf,"compareDateTime");function bf(e,t){if(!(e&&t))return;let[r,n]=e.split(ad),[a,i]=t.split(ad),s=id(r,a);if(s!==void 0)return s||sd(n,i)}o(bf,"compareIsoDateTime");var JA=/\/|:/,YA=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function XA(e){return JA.test(e)&&YA.test(e)}o(XA,"uri");var yf=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function QA(e){return yf.lastIndex=0,yf.test(e)}o(QA,"byte");var ek=-(2**31),tk=2**31-1;function rk(e){return Number.isInteger(e)&&e<=tk&&e>=ek}o(rk,"validateInt32");function nk(e){return Number.isInteger(e)}o(nk,"validateInt64");function Sf(){return!0}o(Sf,"validateNumber");var ok=/[^\\]\\Z/;function ak(e){if(ok.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(ak,"regex")});var If=T(_n=>{"use strict";Object.defineProperty(_n,"__esModule",{value:!0});_n.formatLimitDefinition=void 0;var ik=rd(),ht=L(),lr=ht.operators,hi={formatMaximum:{okStr:"<=",ok:lr.LTE,fail:lr.GT},formatMinimum:{okStr:">=",ok:lr.GTE,fail:lr.LT},formatExclusiveMaximum:{okStr:"<",ok:lr.LT,fail:lr.GTE},formatExclusiveMinimum:{okStr:">",ok:lr.GT,fail:lr.LTE}},sk={message:o(({keyword:e,schemaCode:t})=>(0,ht.str)`should be ${hi[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ht._)`{comparison: ${hi[e].okStr}, limit: ${t}}`,"params")};_n.formatLimitDefinition={keyword:Object.keys(hi),type:"string",schemaType:"string",$data:!0,error:sk,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:i}=e,{opts:s,self:u}=i;if(!s.validateFormats)return;let d=new ik.KeywordCxt(i,u.RULES.all.format.definition,"format");d.$data?l():p();function l(){let f=t.scopeValue("formats",{ref:u.formats,code:s.code.formats}),_=t.const("fmt",(0,ht._)`${f}[${d.schemaCode}]`);e.fail$data((0,ht.or)((0,ht._)`typeof ${_} != "object"`,(0,ht._)`${_} instanceof RegExp`,(0,ht._)`typeof ${_}.compare != "function"`,m(_)))}o(l,"validate$DataFormat");function p(){let f=d.schema,_=u.formats[f];if(!_||_===!0)return;if(typeof _!="object"||_ instanceof RegExp||typeof _.compare!="function")throw new Error(`"${a}": format "${f}" does not define "compare" function`);let S=t.scopeValue("formats",{key:f,ref:_,code:s.code.formats?(0,ht._)`${s.code.formats}${(0,ht.getProperty)(f)}`:void 0});e.fail$data(m(S))}o(p,"validateFormat");function m(f){return(0,ht._)`${f}.compare(${r}, ${n}) ${hi[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var ck=o(e=>(e.addKeyword(_n.formatLimitDefinition),e),"formatLimitPlugin");_n.default=ck});var Pf=T((Oo,kf)=>{"use strict";Object.defineProperty(Oo,"__esModule",{value:!0});var yn=Cf(),uk=If(),cd=L(),Tf=new cd.Name("fullFormats"),dk=new cd.Name("fastFormats"),ud=o((e,t={keywords:!0})=>{if(Array.isArray(t))return Af(e,t,yn.fullFormats,Tf),e;let[r,n]=t.mode==="fast"?[yn.fastFormats,dk]:[yn.fullFormats,Tf],a=t.formats||yn.formatNames;return Af(e,a,r,n),t.keywords&&(0,uk.default)(e),e},"formatsPlugin");ud.get=(e,t="full")=>{let n=(t==="fast"?yn.fastFormats:yn.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function Af(e,t,r,n){var a,i;(a=(i=e.opts.code).formats)!==null&&a!==void 0||(i.formats=(0,cd._)`require("ajv-formats/dist/formats").${n}`);for(let s of t)e.addFormat(s,r[s])}o(Af,"addFormats");kf.exports=Oo=ud;Object.defineProperty(Oo,"__esModule",{value:!0});Oo.default=ud});Yw();function Jt(e){return!!e._zod}o(Jt,"isZ4Schema");function Me(e,t){return Jt(e)?Ds(e,t):e.safeParse(t)}o(Me,"safeParse");function Jr(e){if(!e)return;let t;if(Jt(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(Jr,"getObjectShape");function Ap(e){if(Jt(e)){let i=e._zod?.def;if(i){if(i.value!==void 0)return i.value;if(Array.isArray(i.values)&&i.values.length>0)return i.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(Ap,"getLiteralValue");Y();var Xt="2025-11-25",kp="2025-03-26",Qt=[Xt,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],er="io.modelcontextprotocol/related-task",Sa="2.0",we=Cp(e=>e!==null&&(typeof e=="object"||typeof e=="function")),Pp=se([h(),K().int()]),Ep=h(),wM=Se({ttl:K().optional(),pollInterval:K().optional()}),ev=C({ttl:K().optional()}),tv=C({taskId:h()}),Ls=Se({progressToken:Pp.optional(),[er]:tv.optional()}),Qe=C({_meta:Ls.optional()}),Fn=Qe.extend({task:ev.optional()}),xp=o(e=>Fn.safeParse(e).success,"isTaskAugmentedRequestParams"),Re=C({method:h(),params:Qe.loose().optional()}),et=C({_meta:Ls.optional()}),tt=C({method:h(),params:et.loose().optional()}),be=Se({_meta:Ls.optional()}),wa=se([h(),K().int()]),Op=C({jsonrpc:P(Sa),id:wa,...Re.shape}).strict(),St=o(e=>Op.safeParse(e).success,"isJSONRPCRequest"),Up=C({jsonrpc:P(Sa),...tt.shape}).strict(),zp=o(e=>Up.safeParse(e).success,"isJSONRPCNotification"),js=C({jsonrpc:P(Sa),id:wa,result:be}).strict(),ut=o(e=>js.safeParse(e).success,"isJSONRPCResultResponse");var k;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(k||(k={}));var Hs=C({jsonrpc:P(Sa),id:wa.optional(),error:C({code:K().int(),message:h(),data:he().optional()})}).strict();var Xr=o(e=>Hs.safeParse(e).success,"isJSONRPCErrorResponse");var wr=se([Op,Up,js,Hs]),vM=se([js,Hs]),zt=be.strict(),rv=et.extend({requestId:wa.optional(),reason:h().optional()}),va=tt.extend({method:P("notifications/cancelled"),params:rv}),nv=C({src:h(),mimeType:h().optional(),sizes:b(h()).optional(),theme:Xe(["light","dark"]).optional()}),Zn=C({icons:b(nv).optional()}),Yr=C({name:h(),title:h().optional()}),Qr=Yr.extend({...Yr.shape,...Zn.shape,version:h(),websiteUrl:h().optional(),description:h().optional()}),ov=qs(C({applyDefaults:ee().optional()}),ne(h(),he())),av=$s(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,qs(C({form:ov.optional(),url:we.optional()}),ne(h(),he()).optional())),iv=Se({list:we.optional(),cancel:we.optional(),requests:Se({sampling:Se({createMessage:we.optional()}).optional(),elicitation:Se({create:we.optional()}).optional()}).optional()}),sv=Se({list:we.optional(),cancel:we.optional(),requests:Se({tools:Se({call:we.optional()}).optional()}).optional()}),cv=C({experimental:ne(h(),we).optional(),sampling:C({context:we.optional(),tools:we.optional()}).optional(),elicitation:av.optional(),roots:C({listChanged:ee().optional()}).optional(),tasks:iv.optional(),extensions:ne(h(),we).optional()}),uv=Qe.extend({protocolVersion:h(),capabilities:cv,clientInfo:Qr}),Ra=Re.extend({method:P("initialize"),params:uv}),Gs=o(e=>Ra.safeParse(e).success,"isInitializeRequest"),dv=C({experimental:ne(h(),we).optional(),logging:we.optional(),completions:we.optional(),prompts:C({listChanged:ee().optional()}).optional(),resources:C({subscribe:ee().optional(),listChanged:ee().optional()}).optional(),tools:C({listChanged:ee().optional()}).optional(),tasks:sv.optional(),extensions:ne(h(),we).optional()}),Bs=be.extend({protocolVersion:h(),capabilities:dv,serverInfo:Qr,instructions:h().optional()}),ba=tt.extend({method:P("notifications/initialized"),params:et.optional()}),Np=o(e=>ba.safeParse(e).success,"isInitializedNotification"),Ca=Re.extend({method:P("ping"),params:Qe.optional()}),lv=C({progress:K(),total:pe(K()),message:pe(h())}),pv=C({...et.shape,...lv.shape,progressToken:Pp}),Ia=tt.extend({method:P("notifications/progress"),params:pv}),mv=Qe.extend({cursor:Ep.optional()}),Kn=Re.extend({params:mv.optional()}),Wn=be.extend({nextCursor:Ep.optional()}),hv=Xe(["working","input_required","completed","failed","cancelled"]),Jn=C({taskId:h(),status:hv,ttl:se([K(),Rp()]),createdAt:h(),lastUpdatedAt:h(),pollInterval:pe(K()),statusMessage:pe(h())}),Nt=be.extend({task:Jn}),fv=et.merge(Jn),Yn=tt.extend({method:P("notifications/tasks/status"),params:fv}),Ta=Re.extend({method:P("tasks/get"),params:Qe.extend({taskId:h()})}),Aa=be.merge(Jn),ka=Re.extend({method:P("tasks/result"),params:Qe.extend({taskId:h()})}),RM=be.loose(),Pa=Kn.extend({method:P("tasks/list")}),Ea=Wn.extend({tasks:b(Jn)}),xa=Re.extend({method:P("tasks/cancel"),params:Qe.extend({taskId:h()})}),Dp=be.merge(Jn),Mp=C({uri:h(),mimeType:pe(h()),_meta:ne(h(),he()).optional()}),qp=Mp.extend({text:h()}),Vs=h().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),$p=Mp.extend({blob:Vs}),Xn=Xe(["user","assistant"]),en=C({audience:b(Xn).optional(),priority:K().min(0).max(1).optional(),lastModified:wp.datetime({offset:!0}).optional()}),Lp=C({...Yr.shape,...Zn.shape,uri:h(),description:pe(h()),mimeType:pe(h()),size:pe(K()),annotations:en.optional(),_meta:pe(Se({}))}),gv=C({...Yr.shape,...Zn.shape,uriTemplate:h(),description:pe(h()),mimeType:pe(h()),annotations:en.optional(),_meta:pe(Se({}))}),Fs=Kn.extend({method:P("resources/list")}),Zs=Wn.extend({resources:b(Lp)}),_v=Kn.extend({method:P("resources/templates/list")}),Ks=Wn.extend({resourceTemplates:b(gv)}),Ws=Qe.extend({uri:h()}),yv=Ws,Js=Re.extend({method:P("resources/read"),params:yv}),Ys=be.extend({contents:b(se([qp,$p]))}),Xs=tt.extend({method:P("notifications/resources/list_changed"),params:et.optional()}),Sv=Ws,wv=Re.extend({method:P("resources/subscribe"),params:Sv}),vv=Ws,Rv=Re.extend({method:P("resources/unsubscribe"),params:vv}),bv=et.extend({uri:h()}),Cv=tt.extend({method:P("notifications/resources/updated"),params:bv}),Iv=C({name:h(),description:pe(h()),required:pe(ee())}),Tv=C({...Yr.shape,...Zn.shape,description:pe(h()),arguments:pe(b(Iv)),_meta:pe(Se({}))}),Qs=Kn.extend({method:P("prompts/list")}),ec=Wn.extend({prompts:b(Tv)}),Av=Qe.extend({name:h(),arguments:ne(h(),h()).optional()}),tc=Re.extend({method:P("prompts/get"),params:Av}),rc=C({type:P("text"),text:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),nc=C({type:P("image"),data:Vs,mimeType:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),oc=C({type:P("audio"),data:Vs,mimeType:h(),annotations:en.optional(),_meta:ne(h(),he()).optional()}),kv=C({type:P("tool_use"),name:h(),id:h(),input:ne(h(),he()),_meta:ne(h(),he()).optional()}),Pv=C({type:P("resource"),resource:se([qp,$p]),annotations:en.optional(),_meta:ne(h(),he()).optional()}),Ev=Lp.extend({type:P("resource_link")}),ac=se([rc,nc,oc,Ev,Pv]),xv=C({role:Xn,content:ac}),ic=be.extend({description:h().optional(),messages:b(xv)}),sc=tt.extend({method:P("notifications/prompts/list_changed"),params:et.optional()}),Ov=C({title:h().optional(),readOnlyHint:ee().optional(),destructiveHint:ee().optional(),idempotentHint:ee().optional(),openWorldHint:ee().optional()}),Uv=C({taskSupport:Xe(["required","optional","forbidden"]).optional()}),jp=C({...Yr.shape,...Zn.shape,description:h().optional(),inputSchema:C({type:P("object"),properties:ne(h(),we).optional(),required:b(h()).optional()}).catchall(he()),outputSchema:C({type:P("object"),properties:ne(h(),we).optional(),required:b(h()).optional()}).catchall(he()).optional(),annotations:Ov.optional(),execution:Uv.optional(),_meta:ne(h(),he()).optional()}),cc=Kn.extend({method:P("tools/list")}),uc=Wn.extend({tools:b(jp)}),tr=be.extend({content:b(ac).default([]),structuredContent:ne(h(),he()).optional(),isError:ee().optional()}),bM=tr.or(be.extend({toolResult:he()})),zv=Fn.extend({name:h(),arguments:ne(h(),he()).optional()}),Qn=Re.extend({method:P("tools/call"),params:zv}),dc=tt.extend({method:P("notifications/tools/list_changed"),params:et.optional()}),Hp=C({autoRefresh:ee().default(!0),debounceMs:K().int().nonnegative().default(300)}),eo=Xe(["debug","info","notice","warning","error","critical","alert","emergency"]),Nv=Qe.extend({level:eo}),lc=Re.extend({method:P("logging/setLevel"),params:Nv}),Dv=et.extend({level:eo,logger:h().optional(),data:he()}),Mv=tt.extend({method:P("notifications/message"),params:Dv}),qv=C({name:h().optional()}),$v=C({hints:b(qv).optional(),costPriority:K().min(0).max(1).optional(),speedPriority:K().min(0).max(1).optional(),intelligencePriority:K().min(0).max(1).optional()}),Lv=C({mode:Xe(["auto","required","none"]).optional()}),jv=C({type:P("tool_result"),toolUseId:h().describe("The unique identifier for the corresponding tool call."),content:b(ac).default([]),structuredContent:C({}).loose().optional(),isError:ee().optional(),_meta:ne(h(),he()).optional()}),Hv=Ms("type",[rc,nc,oc]),ya=Ms("type",[rc,nc,oc,kv,jv]),Gv=C({role:Xn,content:se([ya,b(ya)]),_meta:ne(h(),he()).optional()}),Bv=Fn.extend({messages:b(Gv),modelPreferences:$v.optional(),systemPrompt:h().optional(),includeContext:Xe(["none","thisServer","allServers"]).optional(),temperature:K().optional(),maxTokens:K().int(),stopSequences:b(h()).optional(),metadata:we.optional(),tools:b(jp).optional(),toolChoice:Lv.optional()}),pc=Re.extend({method:P("sampling/createMessage"),params:Bv}),vr=be.extend({model:h(),stopReason:pe(Xe(["endTurn","stopSequence","maxTokens"]).or(h())),role:Xn,content:Hv}),to=be.extend({model:h(),stopReason:pe(Xe(["endTurn","stopSequence","maxTokens","toolUse"]).or(h())),role:Xn,content:se([ya,b(ya)])}),Vv=C({type:P("boolean"),title:h().optional(),description:h().optional(),default:ee().optional()}),Fv=C({type:P("string"),title:h().optional(),description:h().optional(),minLength:K().optional(),maxLength:K().optional(),format:Xe(["email","uri","date","date-time"]).optional(),default:h().optional()}),Zv=C({type:Xe(["number","integer"]),title:h().optional(),description:h().optional(),minimum:K().optional(),maximum:K().optional(),default:K().optional()}),Kv=C({type:P("string"),title:h().optional(),description:h().optional(),enum:b(h()),default:h().optional()}),Wv=C({type:P("string"),title:h().optional(),description:h().optional(),oneOf:b(C({const:h(),title:h()})),default:h().optional()}),Jv=C({type:P("string"),title:h().optional(),description:h().optional(),enum:b(h()),enumNames:b(h()).optional(),default:h().optional()}),Yv=se([Kv,Wv]),Xv=C({type:P("array"),title:h().optional(),description:h().optional(),minItems:K().optional(),maxItems:K().optional(),items:C({type:P("string"),enum:b(h())}),default:b(h()).optional()}),Qv=C({type:P("array"),title:h().optional(),description:h().optional(),minItems:K().optional(),maxItems:K().optional(),items:C({anyOf:b(C({const:h(),title:h()}))}),default:b(h()).optional()}),eR=se([Xv,Qv]),tR=se([Jv,Yv,eR]),rR=se([tR,Vv,Fv,Zv]),nR=Fn.extend({mode:P("form").optional(),message:h(),requestedSchema:C({type:P("object"),properties:ne(h(),rR),required:b(h()).optional()})}),oR=Fn.extend({mode:P("url"),message:h(),elicitationId:h(),url:h().url()}),aR=se([nR,oR]),mc=Re.extend({method:P("elicitation/create"),params:aR}),iR=et.extend({elicitationId:h()}),sR=tt.extend({method:P("notifications/elicitation/complete"),params:iR}),rr=be.extend({action:Xe(["accept","decline","cancel"]),content:$s(e=>e===null?void 0:e,ne(h(),se([h(),K(),ee(),b(h())])).optional())}),cR=C({type:P("ref/resource"),uri:h()});var uR=C({type:P("ref/prompt"),name:h()}),dR=Qe.extend({ref:se([uR,cR]),argument:C({name:h(),value:h()}),context:C({arguments:ne(h(),h()).optional()}).optional()}),lR=Re.extend({method:P("completion/complete"),params:dR});var hc=be.extend({completion:Se({values:b(h()).max(100),total:pe(K().int()),hasMore:pe(ee())})}),pR=C({uri:h().startsWith("file://"),name:h().optional(),_meta:ne(h(),he()).optional()}),mR=Re.extend({method:P("roots/list"),params:Qe.optional()}),fc=be.extend({roots:b(pR)}),hR=tt.extend({method:P("notifications/roots/list_changed"),params:et.optional()}),CM=se([Ca,Ra,lR,lc,tc,Qs,Fs,_v,Js,wv,Rv,Qn,cc,Ta,ka,Pa,xa]),IM=se([va,Ia,ba,hR,Yn]),TM=se([zt,vr,to,rr,fc,Aa,Ea,Nt]),AM=se([Ca,pc,mc,mR,Ta,ka,Pa,xa]),kM=se([va,Ia,Mv,Cv,Xs,dc,sc,Yn,sR]),PM=se([zt,Bs,hc,ic,ec,Zs,Ks,Ys,tr,uc,Aa,Ea,Nt]),A=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===k.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new Yt(a.elicitations,r)}return new e(t,r,n)}},Yt=class extends A{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(k.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};function nr(e){return e==="completed"||e==="failed"||e==="cancelled"}o(nr,"isTerminal");var fR=Symbol("Let zodToJsonSchema decide on which parser to use");var Tq=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function gc(e){let r=Jr(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=Ap(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(gc,"getMethodLiteral");function _c(e,t){let r=Me(e,t);if(!r.success)throw r.error;return r.data}o(_c,"parseWithCompat");var vR=6e4,tn=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(va,r=>{this._oncancel(r)}),this.setNotificationHandler(Ia,r=>{this._onprogress(r)}),this.setRequestHandler(Ca,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(Ta,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(k.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(ka,async(r,n)=>{let a=o(async()=>{let i=r.params.taskId;if(this._taskMessageQueue){let u;for(;u=await this._taskMessageQueue.dequeue(i,n.sessionId);){if(u.type==="response"||u.type==="error"){let d=u.message,l=d.id,p=this._requestResolvers.get(l);if(p)if(this._requestResolvers.delete(l),u.type==="response")p(d);else{let m=d,f=new A(m.error.code,m.error.message,m.error.data);p(f)}else{let m=u.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${l}`))}continue}await this._transport?.send(u.message,{relatedRequestId:n.requestId})}}let s=await this._taskStore.getTask(i,n.sessionId);if(!s)throw new A(k.InvalidParams,`Task not found: ${i}`);if(!nr(s.status))return await this._waitForTaskUpdate(i,n.signal),await a();if(nr(s.status)){let u=await this._taskStore.getTaskResult(i,n.sessionId);return this._clearTaskQueue(i),{...u,_meta:{...u._meta,[er]:{taskId:i}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(Pa,async(r,n)=>{try{let{tasks:a,nextCursor:i}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:i,_meta:{}}}catch(a){throw new A(k.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(xa,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(k.InvalidParams,`Task not found: ${r.params.taskId}`);if(nr(a.status))throw new A(k.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let i=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!i)throw new A(k.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...i}}catch(a){throw a instanceof A?a:new A(k.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,i=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:i,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),A.fromError(k.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=i=>{n?.(i),this._onerror(i)};let a=this._transport?.onmessage;this._transport.onmessage=(i,s)=>{a?.(i,s),ut(i)||Xr(i)?this._onresponse(i):St(i)?this._onrequest(i,s):zp(i)?this._onnotification(i):this._onerror(new Error(`Unknown message type: ${JSON.stringify(i)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=A.fromError(k.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,i=t.params?._meta?.[er]?.taskId;if(n===void 0){let p={jsonrpc:"2.0",id:t.id,error:{code:k.MethodNotFound,message:"Method not found"}};i&&this._taskMessageQueue?this._enqueueTaskMessage(i,{type:"error",message:p,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(p).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let s=new AbortController;this._requestHandlerAbortControllers.set(t.id,s);let u=xp(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,l={signal:s.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async p=>{if(s.signal.aborted)return;let m={relatedRequestId:t.id};i&&(m.relatedTask={taskId:i}),await this.notification(p,m)},"sendNotification"),sendRequest:o(async(p,m,f)=>{if(s.signal.aborted)throw new A(k.ConnectionClosed,"Request was cancelled");let _={...f,relatedRequestId:t.id};i&&!_.relatedTask&&(_.relatedTask={taskId:i});let S=_.relatedTask?.taskId??i;return S&&d&&await d.updateTaskStatus(S,"input_required"),await this.request(p,m,_)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:i,taskStore:d,taskRequestedTtl:u?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{u&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,l)).then(async p=>{if(s.signal.aborted)return;let m={result:p,jsonrpc:"2.0",id:t.id};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async p=>{if(s.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(p.code)?p.code:k.InternalError,message:p.message??"Internal error",...p.data!==void 0&&{data:p.data}}};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(p=>this._onerror(new Error(`Failed to send response: ${p}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===s&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),i=this._progressHandlers.get(a);if(!i){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let s=this._responseHandlers.get(a),u=this._timeoutInfo.get(a);if(u&&s&&u.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),s(d);return}i(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),ut(t))n(t);else{let s=new A(t.error.code,t.error.message,t.error.data);n(s)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let i=!1;if(ut(t)&&t.result&&typeof t.result=="object"){let s=t.result;if(s.task&&typeof s.task=="object"){let u=s.task;typeof u.taskId=="string"&&(i=!0,this._taskProgressTokens.set(u.taskId,r))}}if(i||this._progressHandlers.delete(r),ut(t))a(t);else{let s=A.fromError(t.error.code,t.error.message,t.error.data);a(s)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(s){yield{type:"error",error:s instanceof A?s:new A(k.InternalError,String(s))}}return}let i;try{let s=await this.request(t,Nt,n);if(s.task)i=s.task.taskId,yield{type:"taskCreated",task:s.task};else throw new A(k.InternalError,"Task creation did not return a task");for(;;){let u=await this.getTask({taskId:i},n);if(yield{type:"taskStatus",task:u},nr(u.status)){u.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)}:u.status==="failed"?yield{type:"error",error:new A(k.InternalError,`Task ${i} failed`)}:u.status==="cancelled"&&(yield{type:"error",error:new A(k.InternalError,`Task ${i} was cancelled`)});return}if(u.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)};return}let d=u.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(l=>setTimeout(l,d)),n?.signal?.throwIfAborted()}}catch(s){yield{type:"error",error:s instanceof A?s:new A(k.InternalError,String(s))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s,task:u,relatedTask:d}=n??{};return new Promise((l,p)=>{let m=o(R=>{p(R)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),u&&this.assertTaskCapability(t.method)}catch(R){m(R);return}n?.signal?.throwIfAborted();let f=this._requestMessageId++,_={...t,jsonrpc:"2.0",id:f};n?.onprogress&&(this._progressHandlers.set(f,n.onprogress),_.params={...t.params,_meta:{...t.params?._meta||{},progressToken:f}}),u&&(_.params={..._.params,task:u}),d&&(_.params={..._.params,_meta:{..._.params?._meta||{},[er]:d}});let S=o(R=>{this._responseHandlers.delete(f),this._progressHandlers.delete(f),this._cleanupTimeout(f),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:f,reason:String(R)}},{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(N=>this._onerror(new Error(`Failed to send cancellation: ${N}`)));let I=R instanceof A?R:new A(k.RequestTimeout,String(R));p(I)},"cancel");this._responseHandlers.set(f,R=>{if(!n?.signal?.aborted){if(R instanceof Error)return p(R);try{let I=Me(r,R.result);I.success?l(I.data):p(I.error)}catch(I){p(I)}}}),n?.signal?.addEventListener("abort",()=>{S(n?.signal?.reason)});let y=n?.timeout??vR,w=o(()=>S(A.fromError(k.RequestTimeout,"Request timed out",{timeout:y})),"timeoutHandler");this._setupTimeout(f,y,n?.maxTotalTimeout,w,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let R=o(I=>{let N=this._responseHandlers.get(f);N?N(I):this._onerror(new Error(`Response handler missing for side-channeled request ${f}`))},"responseResolver");this._requestResolvers.set(f,R),this._enqueueTaskMessage(v,{type:"request",message:_,timestamp:Date.now()}).catch(I=>{this._cleanupTimeout(f),p(I)})}else this._transport.send(_,{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(R=>{this._cleanupTimeout(f),p(R)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},Aa,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},Ea,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},Dp,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let u={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[er]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:u,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let u={...t,jsonrpc:"2.0"};r?.relatedTask&&(u={...u,params:{...u.params,_meta:{...u.params?._meta||{},[er]:r.relatedTask}}}),this._transport?.send(u,r).catch(d=>this._onerror(d))});return}let s={...t,jsonrpc:"2.0"};r?.relatedTask&&(s={...s,params:{...s.params,_meta:{...s.params?._meta||{},[er]:r.relatedTask}}}),await this._transport.send(s,r)}setRequestHandler(t,r){let n=gc(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,i)=>{let s=_c(t,a);return Promise.resolve(r(s,i))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=gc(t);this._notificationHandlers.set(n,a=>{let i=_c(t,a);return Promise.resolve(r(i))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&St(a.message)){let i=a.message.id,s=this._requestResolvers.get(i);s?(s(new A(k.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(i)):this._onerror(new Error(`Resolver missing for request ${i} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,i)=>{if(r.aborted){i(new A(k.InvalidRequest,"Request cancelled"));return}let s=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(s),i(new A(k.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let i=await n.getTask(a,r);if(!i)throw new A(k.InvalidParams,"Failed to retrieve task: Task not found");return i},"getTask"),storeTaskResult:o(async(a,i,s)=>{await n.storeTaskResult(a,i,s,r);let u=await n.getTask(a,r);if(u){let d=Yn.parse({method:"notifications/tasks/status",params:u});await this.notification(d),nr(u.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,i,s)=>{let u=await n.getTask(a,r);if(!u)throw new A(k.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(nr(u.status))throw new A(k.InvalidParams,`Cannot update task "${a}" from terminal status "${u.status}" to "${i}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,i,s,r);let d=await n.getTask(a,r);if(d){let l=Yn.parse({method:"notifications/tasks/status",params:d});await this.notification(l),nr(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function Gp(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(Gp,"isPlainObject");function Oa(e,t){let r={...e};for(let n in t){let a=n,i=t[a];if(i===void 0)continue;let s=r[a];Gp(s)&&Gp(i)?r[a]={...s,...i}:r[a]=i}return r}o(Oa,"mergeCapabilities");var Ef=fp(rd(),1),xf=fp(Pf(),1);function lk(){let e=new Ef.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,xf.default)(e),e}o(lk,"createDefaultAjvInstance");var Sn=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??lk()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var fi=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],i=Array.isArray(a.content)?a.content:[a.content],s=i.some(p=>p.type==="tool_result"),u=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=u?Array.isArray(u.content)?u.content:[u.content]:[],l=d.some(p=>p.type==="tool_use");if(s){if(i.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!l)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(l){let p=new Set(d.filter(f=>f.type==="tool_use").map(f=>f.id)),m=new Set(i.filter(f=>f.type==="tool_result").map(f=>f.toolUseId));if(p.size!==m.size||![...p].every(f=>m.has(f)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},vr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let i=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:i},rr,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function gi(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(gi,"assertToolsCallTaskCapability");function _i(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(_i,"assertClientRequestTaskCapability");var yi=class extends tn{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(eo.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let i=this._loggingLevels.get(a);return i?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(i):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new Sn,this.setRequestHandler(Ra,n=>this._oninitialize(n)),this.setNotificationHandler(ba,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(lc,async(n,a)=>{let i=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:s}=n.params,u=eo.safeParse(s);return u.success&&this._loggingLevels.set(i,u.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new fi(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Oa(this._capabilities,t)}setRequestHandler(t,r){let a=Jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(Jt(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");if(i==="tools/call"){let u=o(async(d,l)=>{let p=Me(Qn,d);if(!p.success){let S=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid tools/call request: ${S}`)}let{params:m}=p.data,f=await Promise.resolve(r(d,l));if(m.task){let S=Me(Nt,f);if(!S.success){let y=S.error instanceof Error?S.error.message:String(S.error);throw new A(k.InvalidParams,`Invalid task creation result: ${y}`)}return S.data}let _=Me(tr,f);if(!_.success){let S=_.error instanceof Error?_.error.message:String(_.error);throw new A(k.InvalidParams,`Invalid tools/call result: ${S}`)}return _.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){_i(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&gi(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:Qt.includes(r)?r:Xt,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},zt)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],i=a.some(l=>l.type==="tool_result"),s=t.messages.length>1?t.messages[t.messages.length-2]:void 0,u=s?Array.isArray(s.content)?s.content:[s.content]:[],d=u.some(l=>l.type==="tool_use");if(i){if(a.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let l=new Set(u.filter(m=>m.type==="tool_use").map(m=>m.id)),p=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(l.size!==p.size||![...l].every(m=>p.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},to,r):this.request({method:"sampling/createMessage",params:t},vr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},rr,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},i=await this.request({method:"elicitation/create",params:a},rr,r);if(i.action==="accept"&&i.content&&a.requestedSchema)try{let u=this._jsonSchemaValidator.getValidator(a.requestedSchema)(i.content);if(!u.valid)throw new A(k.InvalidParams,`Elicitation response content does not match requested schema: ${u.errorMessage}`)}catch(s){throw s instanceof A?s:new A(k.InternalError,`Error validating elicitation response: ${s instanceof Error?s.message:String(s)}`)}return i}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},fc,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var Si=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let i={code:r,message:n};return a?.data!==void 0&&(i.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:i,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let i=await this._eventStore.storeEvent(n,{}),s=`id: ${i}
+    deps: ${r}}`,"params")};var lx={keyword:"dependencies",type:"object",schemaType:"object",error:Tt.error,code(e){let[t,r]=px(e);sh(e,t),ch(e,r)}};function px({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(px,"splitDependencies");function sh(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let i=r.let("missing");for(let s in t){let c=t[s];if(c.length===0)continue;let d=(0,Jo.propertyInData)(r,n,s,a.opts.ownProperties);e.setParams({property:s,depsCount:c.length,deps:c.join(", ")}),a.allErrors?r.if(d,()=>{for(let p of c)(0,Jo.checkReportMissingProp)(e,p)}):(r.if((0,td._)`${d} && (${(0,Jo.checkMissingProp)(e,c,i)})`),(0,Jo.reportMissingProp)(e,i),r.else())}}o(sh,"validatePropertyDeps");Tt.validatePropertyDeps=sh;function ch(e,t=e.schema){let{gen:r,data:n,keyword:a,it:i}=e,s=r.name("valid");for(let c in t)(0,dx.alwaysValidSchema)(i,t[c])||(r.if((0,Jo.propertyInData)(r,n,c,i.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:c},s);e.mergeValidEvaluated(d,s)},()=>r.var(s,!0)),e.ok(s))}o(ch,"validateSchemaDeps");Tt.validateSchemaDeps=ch;Tt.default=lx});var lh=x(rd=>{"use strict";Object.defineProperty(rd,"__esModule",{value:!0});var dh=F(),mx=re(),fx={message:"property name must be valid",params:o(({params:e})=>(0,dh._)`{propertyName: ${e.propertyName}}`,"params")},hx={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:fx,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,mx.alwaysValidSchema)(a,r))return;let i=t.name("valid");t.forIn("key",n,s=>{e.setParams({propertyName:s}),e.subschema({keyword:"propertyNames",data:s,dataTypes:["string"],propertyName:s,compositeRule:!0},i),t.if((0,dh.not)(i),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(i)}};rd.default=hx});var od=x(nd=>{"use strict";Object.defineProperty(nd,"__esModule",{value:!0});var xi=dt(),bt=F(),gx=Ft(),Ai=re(),yx={message:"must NOT have additional properties",params:o(({params:e})=>(0,bt._)`{additionalProperty: ${e.additionalProperty}}`,"params")},Sx={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:yx,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:i,it:s}=e;if(!i)throw new Error("ajv implementation error");let{allErrors:c,opts:d}=s;if(s.props=!0,d.removeAdditional!=="all"&&(0,Ai.alwaysValidSchema)(s,r))return;let p=(0,xi.allSchemaProperties)(n.properties),l=(0,xi.allSchemaProperties)(n.patternProperties);m(),e.ok((0,bt._)`${i} === ${gx.default.errors}`);function m(){t.forIn("key",a,w=>{!p.length&&!l.length?_(w):t.if(h(w),()=>_(w))})}o(m,"checkAdditionalProperties");function h(w){let v;if(p.length>8){let b=(0,Ai.schemaRefOrVal)(s,n.properties,"properties");v=(0,xi.isOwnProperty)(t,b,w)}else p.length?v=(0,bt.or)(...p.map(b=>(0,bt._)`${w} === ${b}`)):v=bt.nil;return l.length&&(v=(0,bt.or)(v,...l.map(b=>(0,bt._)`${(0,xi.usePattern)(e,b)}.test(${w})`))),(0,bt.not)(v)}o(h,"isAdditional");function y(w){t.code((0,bt._)`delete ${a}[${w}]`)}o(y,"deleteAdditional");function _(w){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){y(w);return}if(r===!1){e.setParams({additionalProperty:w}),e.error(),c||t.break();return}if(typeof r=="object"&&!(0,Ai.alwaysValidSchema)(s,r)){let v=t.name("valid");d.removeAdditional==="failing"?(S(w,v,!1),t.if((0,bt.not)(v),()=>{e.reset(),y(w)})):(S(w,v),c||t.if((0,bt.not)(v),()=>t.break()))}}o(_,"additionalPropertyCode");function S(w,v,b){let R={keyword:"additionalProperties",dataProp:w,dataPropType:Ai.Type.Str};b===!1&&Object.assign(R,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(R,v)}o(S,"applyAdditionalSchema")}};nd.default=Sx});var fh=x(id=>{"use strict";Object.defineProperty(id,"__esModule",{value:!0});var _x=Mo(),ph=dt(),ad=re(),mh=od(),wx={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e;i.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&mh.default.code(new _x.KeywordCxt(i,mh.default,"additionalProperties"));let s=(0,ph.allSchemaProperties)(r);for(let m of s)i.definedProperties.add(m);i.opts.unevaluated&&s.length&&i.props!==!0&&(i.props=ad.mergeEvaluated.props(t,(0,ad.toHash)(s),i.props));let c=s.filter(m=>!(0,ad.alwaysValidSchema)(i,r[m]));if(c.length===0)return;let d=t.name("valid");for(let m of c)p(m)?l(m):(t.if((0,ph.propertyInData)(t,a,m,i.opts.ownProperties)),l(m),i.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function p(m){return i.opts.useDefaults&&!i.compositeRule&&r[m].default!==void 0}o(p,"hasDefault");function l(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(l,"applyPropertySchema")}};id.default=wx});var Sh=x(sd=>{"use strict";Object.defineProperty(sd,"__esModule",{value:!0});var hh=dt(),Ti=F(),gh=re(),yh=re(),vx={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:i}=e,{opts:s}=i,c=(0,hh.allSchemaProperties)(r),d=c.filter(S=>(0,gh.alwaysValidSchema)(i,r[S]));if(c.length===0||d.length===c.length&&(!i.opts.unevaluated||i.props===!0))return;let p=s.strictSchema&&!s.allowMatchingProperties&&a.properties,l=t.name("valid");i.props!==!0&&!(i.props instanceof Ti.Name)&&(i.props=(0,yh.evaluatedPropsToName)(t,i.props));let{props:m}=i;h();function h(){for(let S of c)p&&y(S),i.allErrors?_(S):(t.var(l,!0),_(S),t.if(l))}o(h,"validatePatternProperties");function y(S){for(let w in p)new RegExp(S).test(w)&&(0,gh.checkStrictMode)(i,`property ${w} matches pattern ${S} (use allowMatchingProperties)`)}o(y,"checkMatchingProperties");function _(S){t.forIn("key",n,w=>{t.if((0,Ti._)`${(0,hh.usePattern)(e,S)}.test(${w})`,()=>{let v=d.includes(S);v||e.subschema({keyword:"patternProperties",schemaProp:S,dataProp:w,dataPropType:yh.Type.Str},l),i.opts.unevaluated&&m!==!0?t.assign((0,Ti._)`${m}[${w}]`,!0):!v&&!i.allErrors&&t.if((0,Ti.not)(l),()=>t.break())})})}o(_,"validateProperties")}};sd.default=vx});var _h=x(cd=>{"use strict";Object.defineProperty(cd,"__esModule",{value:!0});var bx=re(),Rx={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,bx.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};cd.default=Rx});var wh=x(ud=>{"use strict";Object.defineProperty(ud,"__esModule",{value:!0});var Cx=dt(),Ix={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:Cx.validateUnion,error:{message:"must match a schema in anyOf"}};ud.default=Ix});var vh=x(dd=>{"use strict";Object.defineProperty(dd,"__esModule",{value:!0});var ki=F(),Px=re(),xx={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,ki._)`{passingSchemas: ${e.passing}}`,"params")},Ax={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:xx,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let i=r,s=t.let("valid",!1),c=t.let("passing",null),d=t.name("_valid");e.setParams({passing:c}),t.block(p),e.result(s,()=>e.reset(),()=>e.error(!0));function p(){i.forEach((l,m)=>{let h;(0,Px.alwaysValidSchema)(a,l)?t.var(d,!0):h=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,ki._)`${d} && ${s}`).assign(s,!1).assign(c,(0,ki._)`[${c}, ${m}]`).else(),t.if(d,()=>{t.assign(s,!0),t.assign(c,m),h&&e.mergeEvaluated(h,ki.Name)})})}o(p,"validateOneOf")}};dd.default=Ax});var bh=x(ld=>{"use strict";Object.defineProperty(ld,"__esModule",{value:!0});var Tx=re(),kx={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((i,s)=>{if((0,Tx.alwaysValidSchema)(n,i))return;let c=e.subschema({keyword:"allOf",schemaProp:s},a);e.ok(a),e.mergeEvaluated(c)})}};ld.default=kx});var Ih=x(pd=>{"use strict";Object.defineProperty(pd,"__esModule",{value:!0});var Ei=F(),Ch=re(),Ex={message:o(({params:e})=>(0,Ei.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,Ei._)`{failingKeyword: ${e.ifClause}}`,"params")},Ux={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:Ex,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,Ch.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=Rh(n,"then"),i=Rh(n,"else");if(!a&&!i)return;let s=t.let("valid",!0),c=t.name("_valid");if(d(),e.reset(),a&&i){let l=t.let("ifClause");e.setParams({ifClause:l}),t.if(c,p("then",l),p("else",l))}else a?t.if(c,p("then")):t.if((0,Ei.not)(c),p("else"));e.pass(s,()=>e.error(!0));function d(){let l=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},c);e.mergeEvaluated(l)}o(d,"validateIf");function p(l,m){return()=>{let h=e.subschema({keyword:l},c);t.assign(s,c),e.mergeValidEvaluated(h,s),m?t.assign(m,(0,Ei._)`${l}`):e.setParams({ifClause:l})}}o(p,"validateClause")}};function Rh(e,t){let r=e.schema[t];return r!==void 0&&!(0,Ch.alwaysValidSchema)(e,r)}o(Rh,"hasSchema");pd.default=Ux});var Ph=x(md=>{"use strict";Object.defineProperty(md,"__esModule",{value:!0});var Ox=re(),$x={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,Ox.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};md.default=$x});var xh=x(fd=>{"use strict";Object.defineProperty(fd,"__esModule",{value:!0});var zx=Ju(),Mx=nh(),qx=Yu(),Nx=ah(),jx=ih(),Dx=uh(),Hx=lh(),Lx=od(),Bx=fh(),Gx=Sh(),Vx=_h(),Fx=wh(),Zx=vh(),Kx=bh(),Wx=Ih(),Jx=Ph();function Yx(e=!1){let t=[Vx.default,Fx.default,Zx.default,Kx.default,Wx.default,Jx.default,Hx.default,Lx.default,Dx.default,Bx.default,Gx.default];return e?t.push(Mx.default,Nx.default):t.push(zx.default,qx.default),t.push(jx.default),t}o(Yx,"getApplicator");fd.default=Yx});var Ah=x(hd=>{"use strict";Object.defineProperty(hd,"__esModule",{value:!0});var ve=F(),Qx={message:o(({schemaCode:e})=>(0,ve.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,ve._)`{format: ${e}}`,"params")},Xx={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:Qx,code(e,t){let{gen:r,data:n,$data:a,schema:i,schemaCode:s,it:c}=e,{opts:d,errSchemaPath:p,schemaEnv:l,self:m}=c;if(!d.validateFormats)return;a?h():y();function h(){let _=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),S=r.const("fDef",(0,ve._)`${_}[${s}]`),w=r.let("fType"),v=r.let("format");r.if((0,ve._)`typeof ${S} == "object" && !(${S} instanceof RegExp)`,()=>r.assign(w,(0,ve._)`${S}.type || "string"`).assign(v,(0,ve._)`${S}.validate`),()=>r.assign(w,(0,ve._)`"string"`).assign(v,S)),e.fail$data((0,ve.or)(b(),R()));function b(){return d.strictSchema===!1?ve.nil:(0,ve._)`${s} && !${v}`}o(b,"unknownFmt");function R(){let q=l.$async?(0,ve._)`(${S}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,ve._)`${v}(${n})`,N=(0,ve._)`(typeof ${v} == "function" ? ${q} : ${v}.test(${n}))`;return(0,ve._)`${v} && ${v} !== true && ${w} === ${t} && !${N}`}o(R,"invalidFmt")}o(h,"validate$DataFormat");function y(){let _=m.formats[i];if(!_){b();return}if(_===!0)return;let[S,w,v]=R(_);S===t&&e.pass(q());function b(){if(d.strictSchema===!1){m.logger.warn(N());return}throw new Error(N());function N(){return`unknown format "${i}" ignored in schema at path "${p}"`}}o(b,"unknownFormat");function R(N){let qe=N instanceof RegExp?(0,ve.regexpCode)(N):d.code.formats?(0,ve._)`${d.code.formats}${(0,ve.getProperty)(i)}`:void 0,it=r.scopeValue("formats",{key:i,ref:N,code:qe});return typeof N=="object"&&!(N instanceof RegExp)?[N.type||"string",N.validate,(0,ve._)`${it}.validate`]:["string",N,it]}o(R,"getFormat");function q(){if(typeof _=="object"&&!(_ instanceof RegExp)&&_.async){if(!l.$async)throw new Error("async format in sync schema");return(0,ve._)`await ${v}(${n})`}return typeof w=="function"?(0,ve._)`${v}(${n})`:(0,ve._)`${v}.test(${n})`}o(q,"validCondition")}o(y,"validateFormat")}};hd.default=Xx});var Th=x(gd=>{"use strict";Object.defineProperty(gd,"__esModule",{value:!0});var eA=Ah(),tA=[eA.default];gd.default=tA});var kh=x(xn=>{"use strict";Object.defineProperty(xn,"__esModule",{value:!0});xn.contentVocabulary=xn.metadataVocabulary=void 0;xn.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];xn.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var Uh=x(yd=>{"use strict";Object.defineProperty(yd,"__esModule",{value:!0});var rA=jf(),nA=Xf(),oA=xh(),aA=Th(),Eh=kh(),iA=[rA.default,nA.default,(0,oA.default)(),aA.default,Eh.metadataVocabulary,Eh.contentVocabulary];yd.default=iA});var $h=x(Ui=>{"use strict";Object.defineProperty(Ui,"__esModule",{value:!0});Ui.DiscrError=void 0;var Oh;(function(e){e.Tag="tag",e.Mapping="mapping"})(Oh||(Ui.DiscrError=Oh={}))});var Mh=x(_d=>{"use strict";Object.defineProperty(_d,"__esModule",{value:!0});var An=F(),Sd=$h(),zh=mi(),sA=qo(),cA=re(),uA={message:o(({params:{discrError:e,tagName:t}})=>e===Sd.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,An._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},dA={keyword:"discriminator",type:"object",schemaType:"object",error:uA,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:i}=e,{oneOf:s}=a;if(!i.opts.discriminator)throw new Error("discriminator: requires discriminator option");let c=n.propertyName;if(typeof c!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!s)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),p=t.const("tag",(0,An._)`${r}${(0,An.getProperty)(c)}`);t.if((0,An._)`typeof ${p} == "string"`,()=>l(),()=>e.error(!1,{discrError:Sd.DiscrError.Tag,tag:p,tagName:c})),e.ok(d);function l(){let y=h();t.if(!1);for(let _ in y)t.elseIf((0,An._)`${p} === ${_}`),t.assign(d,m(y[_]));t.else(),e.error(!1,{discrError:Sd.DiscrError.Mapping,tag:p,tagName:c}),t.endIf()}o(l,"validateMapping");function m(y){let _=t.name("valid"),S=e.subschema({keyword:"oneOf",schemaProp:y},_);return e.mergeEvaluated(S,An.Name),_}o(m,"applyTagSchema");function h(){var y;let _={},S=v(a),w=!0;for(let q=0;q<s.length;q++){let N=s[q];if(N?.$ref&&!(0,cA.schemaHasRulesButRef)(N,i.self.RULES)){let it=N.$ref;if(N=zh.resolveRef.call(i.self,i.schemaEnv.root,i.baseId,it),N instanceof zh.SchemaEnv&&(N=N.schema),N===void 0)throw new sA.default(i.opts.uriResolver,i.baseId,it)}let qe=(y=N?.properties)===null||y===void 0?void 0:y[c];if(typeof qe!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${c}"`);w=w&&(S||v(N)),b(qe,q)}if(!w)throw new Error(`discriminator: "${c}" must be required`);return _;function v({required:q}){return Array.isArray(q)&&q.includes(c)}function b(q,N){if(q.const)R(q.const,N);else if(q.enum)for(let qe of q.enum)R(qe,N);else throw new Error(`discriminator: "properties/${c}" must have "const" or "enum"`)}function R(q,N){if(typeof q!="string"||q in _)throw new Error(`discriminator: "${c}" values must be unique strings`);_[q]=N}}o(h,"getMapping")}};_d.default=dA});var qh=x((gB,lA)=>{lA.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var vd=x((le,wd)=>{"use strict";Object.defineProperty(le,"__esModule",{value:!0});le.MissingRefError=le.ValidationError=le.CodeGen=le.Name=le.nil=le.stringify=le.str=le._=le.KeywordCxt=le.Ajv=void 0;var pA=Of(),mA=Uh(),fA=Mh(),Nh=qh(),hA=["/properties"],Oi="http://json-schema.org/draft-07/schema",Tn=class extends pA.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),mA.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(fA.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(Nh,hA):Nh;this.addMetaSchema(t,Oi,!1),this.refs["http://json-schema.org/schema"]=Oi}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(Oi)?Oi:void 0)}};le.Ajv=Tn;wd.exports=le=Tn;wd.exports.Ajv=Tn;Object.defineProperty(le,"__esModule",{value:!0});le.default=Tn;var gA=Mo();Object.defineProperty(le,"KeywordCxt",{enumerable:!0,get:o(function(){return gA.KeywordCxt},"get")});var kn=F();Object.defineProperty(le,"_",{enumerable:!0,get:o(function(){return kn._},"get")});Object.defineProperty(le,"str",{enumerable:!0,get:o(function(){return kn.str},"get")});Object.defineProperty(le,"stringify",{enumerable:!0,get:o(function(){return kn.stringify},"get")});Object.defineProperty(le,"nil",{enumerable:!0,get:o(function(){return kn.nil},"get")});Object.defineProperty(le,"Name",{enumerable:!0,get:o(function(){return kn.Name},"get")});Object.defineProperty(le,"CodeGen",{enumerable:!0,get:o(function(){return kn.CodeGen},"get")});var yA=li();Object.defineProperty(le,"ValidationError",{enumerable:!0,get:o(function(){return yA.default},"get")});var SA=qo();Object.defineProperty(le,"MissingRefError",{enumerable:!0,get:o(function(){return SA.default},"get")})});var Fh=x(Et=>{"use strict";Object.defineProperty(Et,"__esModule",{value:!0});Et.formatNames=Et.fastFormats=Et.fullFormats=void 0;function kt(e,t){return{validate:e,compare:t}}o(kt,"fmtDef");Et.fullFormats={date:kt(Lh,Id),time:kt(Rd(!0),Pd),"date-time":kt(jh(!0),Gh),"iso-time":kt(Rd(),Bh),"iso-date-time":kt(jh(),Vh),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:CA,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:EA,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:IA,int32:{type:"number",validate:AA},int64:{type:"number",validate:TA},float:{type:"number",validate:Hh},double:{type:"number",validate:Hh},password:!0,binary:!0};Et.fastFormats={...Et.fullFormats,date:kt(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,Id),time:kt(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Pd),"date-time":kt(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,Gh),"iso-time":kt(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,Bh),"iso-date-time":kt(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,Vh),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};Et.formatNames=Object.keys(Et.fullFormats);function _A(e){return e%4===0&&(e%100!==0||e%400===0)}o(_A,"isLeapYear");var wA=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,vA=[0,31,28,31,30,31,30,31,31,30,31,30,31];function Lh(e){let t=wA.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&_A(r)?29:vA[n])}o(Lh,"date");function Id(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(Id,"compareDate");var bd=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function Rd(e){return o(function(r){let n=bd.exec(r);if(!n)return!1;let a=+n[1],i=+n[2],s=+n[3],c=n[4],d=n[5]==="-"?-1:1,p=+(n[6]||0),l=+(n[7]||0);if(p>23||l>59||e&&!c)return!1;if(a<=23&&i<=59&&s<60)return!0;let m=i-l*d,h=a-p*d-(m<0?1:0);return(h===23||h===-1)&&(m===59||m===-1)&&s<61},"time")}o(Rd,"getTime");function Pd(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(Pd,"compareTime");function Bh(e,t){if(!(e&&t))return;let r=bd.exec(e),n=bd.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(Bh,"compareIsoTime");var Cd=/t|\s/i;function jh(e){let t=Rd(e);return o(function(n){let a=n.split(Cd);return a.length===2&&Lh(a[0])&&t(a[1])},"date_time")}o(jh,"getDateTime");function Gh(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(Gh,"compareDateTime");function Vh(e,t){if(!(e&&t))return;let[r,n]=e.split(Cd),[a,i]=t.split(Cd),s=Id(r,a);if(s!==void 0)return s||Pd(n,i)}o(Vh,"compareIsoDateTime");var bA=/\/|:/,RA=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function CA(e){return bA.test(e)&&RA.test(e)}o(CA,"uri");var Dh=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function IA(e){return Dh.lastIndex=0,Dh.test(e)}o(IA,"byte");var PA=-(2**31),xA=2**31-1;function AA(e){return Number.isInteger(e)&&e<=xA&&e>=PA}o(AA,"validateInt32");function TA(e){return Number.isInteger(e)}o(TA,"validateInt64");function Hh(){return!0}o(Hh,"validateNumber");var kA=/[^\\]\\Z/;function EA(e){if(kA.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(EA,"regex")});var Zh=x(En=>{"use strict";Object.defineProperty(En,"__esModule",{value:!0});En.formatLimitDefinition=void 0;var UA=vd(),Rt=F(),Rr=Rt.operators,$i={formatMaximum:{okStr:"<=",ok:Rr.LTE,fail:Rr.GT},formatMinimum:{okStr:">=",ok:Rr.GTE,fail:Rr.LT},formatExclusiveMaximum:{okStr:"<",ok:Rr.LT,fail:Rr.GTE},formatExclusiveMinimum:{okStr:">",ok:Rr.GT,fail:Rr.LTE}},OA={message:o(({keyword:e,schemaCode:t})=>(0,Rt.str)`should be ${$i[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,Rt._)`{comparison: ${$i[e].okStr}, limit: ${t}}`,"params")};En.formatLimitDefinition={keyword:Object.keys($i),type:"string",schemaType:"string",$data:!0,error:OA,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:i}=e,{opts:s,self:c}=i;if(!s.validateFormats)return;let d=new UA.KeywordCxt(i,c.RULES.all.format.definition,"format");d.$data?p():l();function p(){let h=t.scopeValue("formats",{ref:c.formats,code:s.code.formats}),y=t.const("fmt",(0,Rt._)`${h}[${d.schemaCode}]`);e.fail$data((0,Rt.or)((0,Rt._)`typeof ${y} != "object"`,(0,Rt._)`${y} instanceof RegExp`,(0,Rt._)`typeof ${y}.compare != "function"`,m(y)))}o(p,"validate$DataFormat");function l(){let h=d.schema,y=c.formats[h];if(!y||y===!0)return;if(typeof y!="object"||y instanceof RegExp||typeof y.compare!="function")throw new Error(`"${a}": format "${h}" does not define "compare" function`);let _=t.scopeValue("formats",{key:h,ref:y,code:s.code.formats?(0,Rt._)`${s.code.formats}${(0,Rt.getProperty)(h)}`:void 0});e.fail$data(m(_))}o(l,"validateFormat");function m(h){return(0,Rt._)`${h}.compare(${r}, ${n}) ${$i[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var $A=o(e=>(e.addKeyword(En.formatLimitDefinition),e),"formatLimitPlugin");En.default=$A});var Yh=x((Yo,Jh)=>{"use strict";Object.defineProperty(Yo,"__esModule",{value:!0});var Un=Fh(),zA=Zh(),xd=F(),Kh=new xd.Name("fullFormats"),MA=new xd.Name("fastFormats"),Ad=o((e,t={keywords:!0})=>{if(Array.isArray(t))return Wh(e,t,Un.fullFormats,Kh),e;let[r,n]=t.mode==="fast"?[Un.fastFormats,MA]:[Un.fullFormats,Kh],a=t.formats||Un.formatNames;return Wh(e,a,r,n),t.keywords&&(0,zA.default)(e),e},"formatsPlugin");Ad.get=(e,t="full")=>{let n=(t==="fast"?Un.fastFormats:Un.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function Wh(e,t,r,n){var a,i;(a=(i=e.opts.code).formats)!==null&&a!==void 0||(i.formats=(0,xd._)`require("ajv-formats/dist/formats").${n}`);for(let s of t)e.addFormat(s,r[s])}o(Wh,"addFormats");Jh.exports=Yo=Ad;Object.defineProperty(Yo,"__esModule",{value:!0});Yo.default=Ad});Rv();function cr(e){return!!e._zod}o(cr,"isZ4Schema");function Ge(e,t){return cr(e)?tc(e,t):e.safeParse(t)}o(Ge,"safeParse");function ln(e){if(!e)return;let t;if(cr(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(ln,"getObjectShape");function Wp(e){if(cr(e)){let i=e._zod?.def;if(i){if(i.value!==void 0)return i.value;if(Array.isArray(i.values)&&i.values.length>0)return i.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(Wp,"getLiteralValue");ie();var dr="2025-11-25",Jp="2025-03-26",lr=[dr,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],pr="io.modelcontextprotocol/related-task",ja="2.0",Ie=Fp(e=>e!==null&&(typeof e=="object"||typeof e=="function")),Yp=me([f(),ee().int()]),Qp=f(),$q=Ce({ttl:ee().optional(),pollInterval:ee().optional()}),Pv=I({ttl:ee().optional()}),xv=I({taskId:f()}),ac=Ce({progressToken:Yp.optional(),[pr]:xv.optional()}),ot=I({_meta:ac.optional()}),po=ot.extend({task:Pv.optional()}),Xp=o(e=>po.safeParse(e).success,"isTaskAugmentedRequestParams"),Ae=I({method:f(),params:ot.loose().optional()}),st=I({_meta:ac.optional()}),ct=I({method:f(),params:st.loose().optional()}),Te=Ce({_meta:ac.optional()}),Da=me([f(),ee().int()]),em=I({jsonrpc:O(ja),id:Da,...Ae.shape}).strict(),It=o(e=>em.safeParse(e).success,"isJSONRPCRequest"),tm=I({jsonrpc:O(ja),...ct.shape}).strict(),rm=o(e=>tm.safeParse(e).success,"isJSONRPCNotification"),ic=I({jsonrpc:O(ja),id:Da,result:Te}).strict(),St=o(e=>ic.safeParse(e).success,"isJSONRPCResultResponse");var U;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(U||(U={}));var sc=I({jsonrpc:O(ja),id:Da.optional(),error:I({code:ee().int(),message:f(),data:we().optional()})}).strict();var mn=o(e=>sc.safeParse(e).success,"isJSONRPCErrorResponse");var $r=me([em,tm,ic,sc]),zq=me([ic,sc]),Ht=Te.strict(),Av=st.extend({requestId:Da.optional(),reason:f().optional()}),Ha=ct.extend({method:O("notifications/cancelled"),params:Av}),Tv=I({src:f(),mimeType:f().optional(),sizes:C(f()).optional(),theme:nt(["light","dark"]).optional()}),mo=I({icons:C(Tv).optional()}),pn=I({name:f(),title:f().optional()}),fn=pn.extend({...pn.shape,...mo.shape,version:f(),websiteUrl:f().optional(),description:f().optional()}),kv=nc(I({applyDefaults:ae().optional()}),ue(f(),we())),Ev=oc(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,nc(I({form:kv.optional(),url:Ie.optional()}),ue(f(),we()).optional())),Uv=Ce({list:Ie.optional(),cancel:Ie.optional(),requests:Ce({sampling:Ce({createMessage:Ie.optional()}).optional(),elicitation:Ce({create:Ie.optional()}).optional()}).optional()}),Ov=Ce({list:Ie.optional(),cancel:Ie.optional(),requests:Ce({tools:Ce({call:Ie.optional()}).optional()}).optional()}),$v=I({experimental:ue(f(),Ie).optional(),sampling:I({context:Ie.optional(),tools:Ie.optional()}).optional(),elicitation:Ev.optional(),roots:I({listChanged:ae().optional()}).optional(),tasks:Uv.optional(),extensions:ue(f(),Ie).optional()}),zv=ot.extend({protocolVersion:f(),capabilities:$v,clientInfo:fn}),La=Ae.extend({method:O("initialize"),params:zv}),cc=o(e=>La.safeParse(e).success,"isInitializeRequest"),Mv=I({experimental:ue(f(),Ie).optional(),logging:Ie.optional(),completions:Ie.optional(),prompts:I({listChanged:ae().optional()}).optional(),resources:I({subscribe:ae().optional(),listChanged:ae().optional()}).optional(),tools:I({listChanged:ae().optional()}).optional(),tasks:Ov.optional(),extensions:ue(f(),Ie).optional()}),uc=Te.extend({protocolVersion:f(),capabilities:Mv,serverInfo:fn,instructions:f().optional()}),Ba=ct.extend({method:O("notifications/initialized"),params:st.optional()}),nm=o(e=>Ba.safeParse(e).success,"isInitializedNotification"),Ga=Ae.extend({method:O("ping"),params:ot.optional()}),qv=I({progress:ee(),total:ge(ee()),message:ge(f())}),Nv=I({...st.shape,...qv.shape,progressToken:Yp}),Va=ct.extend({method:O("notifications/progress"),params:Nv}),jv=ot.extend({cursor:Qp.optional()}),fo=Ae.extend({params:jv.optional()}),ho=Te.extend({nextCursor:Qp.optional()}),Dv=nt(["working","input_required","completed","failed","cancelled"]),go=I({taskId:f(),status:Dv,ttl:me([ee(),Gp()]),createdAt:f(),lastUpdatedAt:f(),pollInterval:ge(ee()),statusMessage:ge(f())}),Lt=Te.extend({task:go}),Hv=st.merge(go),yo=ct.extend({method:O("notifications/tasks/status"),params:Hv}),Fa=Ae.extend({method:O("tasks/get"),params:ot.extend({taskId:f()})}),Za=Te.merge(go),Ka=Ae.extend({method:O("tasks/result"),params:ot.extend({taskId:f()})}),Mq=Te.loose(),Wa=fo.extend({method:O("tasks/list")}),Ja=ho.extend({tasks:C(go)}),Ya=Ae.extend({method:O("tasks/cancel"),params:ot.extend({taskId:f()})}),om=Te.merge(go),am=I({uri:f(),mimeType:ge(f()),_meta:ue(f(),we()).optional()}),im=am.extend({text:f()}),dc=f().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),sm=am.extend({blob:dc}),So=nt(["user","assistant"]),hn=I({audience:C(So).optional(),priority:ee().min(0).max(1).optional(),lastModified:Lp.datetime({offset:!0}).optional()}),cm=I({...pn.shape,...mo.shape,uri:f(),description:ge(f()),mimeType:ge(f()),size:ge(ee()),annotations:hn.optional(),_meta:ge(Ce({}))}),Lv=I({...pn.shape,...mo.shape,uriTemplate:f(),description:ge(f()),mimeType:ge(f()),annotations:hn.optional(),_meta:ge(Ce({}))}),lc=fo.extend({method:O("resources/list")}),pc=ho.extend({resources:C(cm)}),Bv=fo.extend({method:O("resources/templates/list")}),mc=ho.extend({resourceTemplates:C(Lv)}),fc=ot.extend({uri:f()}),Gv=fc,hc=Ae.extend({method:O("resources/read"),params:Gv}),gc=Te.extend({contents:C(me([im,sm]))}),yc=ct.extend({method:O("notifications/resources/list_changed"),params:st.optional()}),Vv=fc,Fv=Ae.extend({method:O("resources/subscribe"),params:Vv}),Zv=fc,Kv=Ae.extend({method:O("resources/unsubscribe"),params:Zv}),Wv=st.extend({uri:f()}),Jv=ct.extend({method:O("notifications/resources/updated"),params:Wv}),Yv=I({name:f(),description:ge(f()),required:ge(ae())}),Qv=I({...pn.shape,...mo.shape,description:ge(f()),arguments:ge(C(Yv)),_meta:ge(Ce({}))}),Sc=fo.extend({method:O("prompts/list")}),_c=ho.extend({prompts:C(Qv)}),Xv=ot.extend({name:f(),arguments:ue(f(),f()).optional()}),wc=Ae.extend({method:O("prompts/get"),params:Xv}),vc=I({type:O("text"),text:f(),annotations:hn.optional(),_meta:ue(f(),we()).optional()}),bc=I({type:O("image"),data:dc,mimeType:f(),annotations:hn.optional(),_meta:ue(f(),we()).optional()}),Rc=I({type:O("audio"),data:dc,mimeType:f(),annotations:hn.optional(),_meta:ue(f(),we()).optional()}),eb=I({type:O("tool_use"),name:f(),id:f(),input:ue(f(),we()),_meta:ue(f(),we()).optional()}),tb=I({type:O("resource"),resource:me([im,sm]),annotations:hn.optional(),_meta:ue(f(),we()).optional()}),rb=cm.extend({type:O("resource_link")}),Cc=me([vc,bc,Rc,rb,tb]),nb=I({role:So,content:Cc}),Ic=Te.extend({description:f().optional(),messages:C(nb)}),Pc=ct.extend({method:O("notifications/prompts/list_changed"),params:st.optional()}),ob=I({title:f().optional(),readOnlyHint:ae().optional(),destructiveHint:ae().optional(),idempotentHint:ae().optional(),openWorldHint:ae().optional()}),ab=I({taskSupport:nt(["required","optional","forbidden"]).optional()}),um=I({...pn.shape,...mo.shape,description:f().optional(),inputSchema:I({type:O("object"),properties:ue(f(),Ie).optional(),required:C(f()).optional()}).catchall(we()),outputSchema:I({type:O("object"),properties:ue(f(),Ie).optional(),required:C(f()).optional()}).catchall(we()).optional(),annotations:ob.optional(),execution:ab.optional(),_meta:ue(f(),we()).optional()}),xc=fo.extend({method:O("tools/list")}),Ac=ho.extend({tools:C(um)}),mr=Te.extend({content:C(Cc).default([]),structuredContent:ue(f(),we()).optional(),isError:ae().optional()}),qq=mr.or(Te.extend({toolResult:we()})),ib=po.extend({name:f(),arguments:ue(f(),we()).optional()}),_o=Ae.extend({method:O("tools/call"),params:ib}),Tc=ct.extend({method:O("notifications/tools/list_changed"),params:st.optional()}),dm=I({autoRefresh:ae().default(!0),debounceMs:ee().int().nonnegative().default(300)}),wo=nt(["debug","info","notice","warning","error","critical","alert","emergency"]),sb=ot.extend({level:wo}),kc=Ae.extend({method:O("logging/setLevel"),params:sb}),cb=st.extend({level:wo,logger:f().optional(),data:we()}),ub=ct.extend({method:O("notifications/message"),params:cb}),db=I({name:f().optional()}),lb=I({hints:C(db).optional(),costPriority:ee().min(0).max(1).optional(),speedPriority:ee().min(0).max(1).optional(),intelligencePriority:ee().min(0).max(1).optional()}),pb=I({mode:nt(["auto","required","none"]).optional()}),mb=I({type:O("tool_result"),toolUseId:f().describe("The unique identifier for the corresponding tool call."),content:C(Cc).default([]),structuredContent:I({}).loose().optional(),isError:ae().optional(),_meta:ue(f(),we()).optional()}),fb=rc("type",[vc,bc,Rc]),Na=rc("type",[vc,bc,Rc,eb,mb]),hb=I({role:So,content:me([Na,C(Na)]),_meta:ue(f(),we()).optional()}),gb=po.extend({messages:C(hb),modelPreferences:lb.optional(),systemPrompt:f().optional(),includeContext:nt(["none","thisServer","allServers"]).optional(),temperature:ee().optional(),maxTokens:ee().int(),stopSequences:C(f()).optional(),metadata:Ie.optional(),tools:C(um).optional(),toolChoice:pb.optional()}),Ec=Ae.extend({method:O("sampling/createMessage"),params:gb}),zr=Te.extend({model:f(),stopReason:ge(nt(["endTurn","stopSequence","maxTokens"]).or(f())),role:So,content:fb}),vo=Te.extend({model:f(),stopReason:ge(nt(["endTurn","stopSequence","maxTokens","toolUse"]).or(f())),role:So,content:me([Na,C(Na)])}),yb=I({type:O("boolean"),title:f().optional(),description:f().optional(),default:ae().optional()}),Sb=I({type:O("string"),title:f().optional(),description:f().optional(),minLength:ee().optional(),maxLength:ee().optional(),format:nt(["email","uri","date","date-time"]).optional(),default:f().optional()}),_b=I({type:nt(["number","integer"]),title:f().optional(),description:f().optional(),minimum:ee().optional(),maximum:ee().optional(),default:ee().optional()}),wb=I({type:O("string"),title:f().optional(),description:f().optional(),enum:C(f()),default:f().optional()}),vb=I({type:O("string"),title:f().optional(),description:f().optional(),oneOf:C(I({const:f(),title:f()})),default:f().optional()}),bb=I({type:O("string"),title:f().optional(),description:f().optional(),enum:C(f()),enumNames:C(f()).optional(),default:f().optional()}),Rb=me([wb,vb]),Cb=I({type:O("array"),title:f().optional(),description:f().optional(),minItems:ee().optional(),maxItems:ee().optional(),items:I({type:O("string"),enum:C(f())}),default:C(f()).optional()}),Ib=I({type:O("array"),title:f().optional(),description:f().optional(),minItems:ee().optional(),maxItems:ee().optional(),items:I({anyOf:C(I({const:f(),title:f()}))}),default:C(f()).optional()}),Pb=me([Cb,Ib]),xb=me([bb,Rb,Pb]),Ab=me([xb,yb,Sb,_b]),Tb=po.extend({mode:O("form").optional(),message:f(),requestedSchema:I({type:O("object"),properties:ue(f(),Ab),required:C(f()).optional()})}),kb=po.extend({mode:O("url"),message:f(),elicitationId:f(),url:f().url()}),Eb=me([Tb,kb]),Uc=Ae.extend({method:O("elicitation/create"),params:Eb}),Ub=st.extend({elicitationId:f()}),Ob=ct.extend({method:O("notifications/elicitation/complete"),params:Ub}),fr=Te.extend({action:nt(["accept","decline","cancel"]),content:oc(e=>e===null?void 0:e,ue(f(),me([f(),ee(),ae(),C(f())])).optional())}),$b=I({type:O("ref/resource"),uri:f()});var zb=I({type:O("ref/prompt"),name:f()}),Mb=ot.extend({ref:me([zb,$b]),argument:I({name:f(),value:f()}),context:I({arguments:ue(f(),f()).optional()}).optional()}),qb=Ae.extend({method:O("completion/complete"),params:Mb});var Oc=Te.extend({completion:Ce({values:C(f()).max(100),total:ge(ee().int()),hasMore:ge(ae())})}),Nb=I({uri:f().startsWith("file://"),name:f().optional(),_meta:ue(f(),we()).optional()}),jb=Ae.extend({method:O("roots/list"),params:ot.optional()}),$c=Te.extend({roots:C(Nb)}),Db=ct.extend({method:O("notifications/roots/list_changed"),params:st.optional()}),Nq=me([Ga,La,qb,kc,wc,Sc,lc,Bv,hc,Fv,Kv,_o,xc,Fa,Ka,Wa,Ya]),jq=me([Ha,Va,Ba,Db,yo]),Dq=me([Ht,zr,vo,fr,$c,Za,Ja,Lt]),Hq=me([Ga,Ec,Uc,jb,Fa,Ka,Wa,Ya]),Lq=me([Ha,Va,ub,Jv,yc,Tc,Pc,yo,Ob]),Bq=me([Ht,uc,Oc,Ic,_c,pc,mc,gc,mr,Ac,Za,Ja,Lt]),A=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===U.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new ur(a.elicitations,r)}return new e(t,r,n)}},ur=class extends A{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(U.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};function hr(e){return e==="completed"||e==="failed"||e==="cancelled"}o(hr,"isTerminal");var Hb=Symbol("Let zodToJsonSchema decide on which parser to use");var DN=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function zc(e){let r=ln(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=Wp(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(zc,"getMethodLiteral");function Mc(e,t){let r=Ge(e,t);if(!r.success)throw r.error;return r.data}o(Mc,"parseWithCompat");var Zb=6e4,gn=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(Ha,r=>{this._oncancel(r)}),this.setNotificationHandler(Va,r=>{this._onprogress(r)}),this.setRequestHandler(Ga,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(Fa,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(U.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(Ka,async(r,n)=>{let a=o(async()=>{let i=r.params.taskId;if(this._taskMessageQueue){let c;for(;c=await this._taskMessageQueue.dequeue(i,n.sessionId);){if(c.type==="response"||c.type==="error"){let d=c.message,p=d.id,l=this._requestResolvers.get(p);if(l)if(this._requestResolvers.delete(p),c.type==="response")l(d);else{let m=d,h=new A(m.error.code,m.error.message,m.error.data);l(h)}else{let m=c.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${p}`))}continue}await this._transport?.send(c.message,{relatedRequestId:n.requestId})}}let s=await this._taskStore.getTask(i,n.sessionId);if(!s)throw new A(U.InvalidParams,`Task not found: ${i}`);if(!hr(s.status))return await this._waitForTaskUpdate(i,n.signal),await a();if(hr(s.status)){let c=await this._taskStore.getTaskResult(i,n.sessionId);return this._clearTaskQueue(i),{...c,_meta:{...c._meta,[pr]:{taskId:i}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(Wa,async(r,n)=>{try{let{tasks:a,nextCursor:i}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:i,_meta:{}}}catch(a){throw new A(U.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(Ya,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(U.InvalidParams,`Task not found: ${r.params.taskId}`);if(hr(a.status))throw new A(U.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let i=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!i)throw new A(U.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...i}}catch(a){throw a instanceof A?a:new A(U.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,i=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:i,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),A.fromError(U.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=i=>{n?.(i),this._onerror(i)};let a=this._transport?.onmessage;this._transport.onmessage=(i,s)=>{a?.(i,s),St(i)||mn(i)?this._onresponse(i):It(i)?this._onrequest(i,s):rm(i)?this._onnotification(i):this._onerror(new Error(`Unknown message type: ${JSON.stringify(i)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=A.fromError(U.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,i=t.params?._meta?.[pr]?.taskId;if(n===void 0){let l={jsonrpc:"2.0",id:t.id,error:{code:U.MethodNotFound,message:"Method not found"}};i&&this._taskMessageQueue?this._enqueueTaskMessage(i,{type:"error",message:l,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(l).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let s=new AbortController;this._requestHandlerAbortControllers.set(t.id,s);let c=Xp(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,p={signal:s.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async l=>{if(s.signal.aborted)return;let m={relatedRequestId:t.id};i&&(m.relatedTask={taskId:i}),await this.notification(l,m)},"sendNotification"),sendRequest:o(async(l,m,h)=>{if(s.signal.aborted)throw new A(U.ConnectionClosed,"Request was cancelled");let y={...h,relatedRequestId:t.id};i&&!y.relatedTask&&(y.relatedTask={taskId:i});let _=y.relatedTask?.taskId??i;return _&&d&&await d.updateTaskStatus(_,"input_required"),await this.request(l,m,y)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:i,taskStore:d,taskRequestedTtl:c?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{c&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,p)).then(async l=>{if(s.signal.aborted)return;let m={result:l,jsonrpc:"2.0",id:t.id};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async l=>{if(s.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(l.code)?l.code:U.InternalError,message:l.message??"Internal error",...l.data!==void 0&&{data:l.data}}};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(l=>this._onerror(new Error(`Failed to send response: ${l}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===s&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),i=this._progressHandlers.get(a);if(!i){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let s=this._responseHandlers.get(a),c=this._timeoutInfo.get(a);if(c&&s&&c.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),s(d);return}i(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),St(t))n(t);else{let s=new A(t.error.code,t.error.message,t.error.data);n(s)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let i=!1;if(St(t)&&t.result&&typeof t.result=="object"){let s=t.result;if(s.task&&typeof s.task=="object"){let c=s.task;typeof c.taskId=="string"&&(i=!0,this._taskProgressTokens.set(c.taskId,r))}}if(i||this._progressHandlers.delete(r),St(t))a(t);else{let s=A.fromError(t.error.code,t.error.message,t.error.data);a(s)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(s){yield{type:"error",error:s instanceof A?s:new A(U.InternalError,String(s))}}return}let i;try{let s=await this.request(t,Lt,n);if(s.task)i=s.task.taskId,yield{type:"taskCreated",task:s.task};else throw new A(U.InternalError,"Task creation did not return a task");for(;;){let c=await this.getTask({taskId:i},n);if(yield{type:"taskStatus",task:c},hr(c.status)){c.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)}:c.status==="failed"?yield{type:"error",error:new A(U.InternalError,`Task ${i} failed`)}:c.status==="cancelled"&&(yield{type:"error",error:new A(U.InternalError,`Task ${i} was cancelled`)});return}if(c.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)};return}let d=c.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(p=>setTimeout(p,d)),n?.signal?.throwIfAborted()}}catch(s){yield{type:"error",error:s instanceof A?s:new A(U.InternalError,String(s))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s,task:c,relatedTask:d}=n??{};return new Promise((p,l)=>{let m=o(b=>{l(b)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),c&&this.assertTaskCapability(t.method)}catch(b){m(b);return}n?.signal?.throwIfAborted();let h=this._requestMessageId++,y={...t,jsonrpc:"2.0",id:h};n?.onprogress&&(this._progressHandlers.set(h,n.onprogress),y.params={...t.params,_meta:{...t.params?._meta||{},progressToken:h}}),c&&(y.params={...y.params,task:c}),d&&(y.params={...y.params,_meta:{...y.params?._meta||{},[pr]:d}});let _=o(b=>{this._responseHandlers.delete(h),this._progressHandlers.delete(h),this._cleanupTimeout(h),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:h,reason:String(b)}},{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(q=>this._onerror(new Error(`Failed to send cancellation: ${q}`)));let R=b instanceof A?b:new A(U.RequestTimeout,String(b));l(R)},"cancel");this._responseHandlers.set(h,b=>{if(!n?.signal?.aborted){if(b instanceof Error)return l(b);try{let R=Ge(r,b.result);R.success?p(R.data):l(R.error)}catch(R){l(R)}}}),n?.signal?.addEventListener("abort",()=>{_(n?.signal?.reason)});let S=n?.timeout??Zb,w=o(()=>_(A.fromError(U.RequestTimeout,"Request timed out",{timeout:S})),"timeoutHandler");this._setupTimeout(h,S,n?.maxTotalTimeout,w,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let b=o(R=>{let q=this._responseHandlers.get(h);q?q(R):this._onerror(new Error(`Response handler missing for side-channeled request ${h}`))},"responseResolver");this._requestResolvers.set(h,b),this._enqueueTaskMessage(v,{type:"request",message:y,timestamp:Date.now()}).catch(R=>{this._cleanupTimeout(h),l(R)})}else this._transport.send(y,{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(b=>{this._cleanupTimeout(h),l(b)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},Za,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},Ja,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},om,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let c={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[pr]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:c,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let c={...t,jsonrpc:"2.0"};r?.relatedTask&&(c={...c,params:{...c.params,_meta:{...c.params?._meta||{},[pr]:r.relatedTask}}}),this._transport?.send(c,r).catch(d=>this._onerror(d))});return}let s={...t,jsonrpc:"2.0"};r?.relatedTask&&(s={...s,params:{...s.params,_meta:{...s.params?._meta||{},[pr]:r.relatedTask}}}),await this._transport.send(s,r)}setRequestHandler(t,r){let n=zc(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,i)=>{let s=Mc(t,a);return Promise.resolve(r(s,i))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=zc(t);this._notificationHandlers.set(n,a=>{let i=Mc(t,a);return Promise.resolve(r(i))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&It(a.message)){let i=a.message.id,s=this._requestResolvers.get(i);s?(s(new A(U.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(i)):this._onerror(new Error(`Resolver missing for request ${i} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,i)=>{if(r.aborted){i(new A(U.InvalidRequest,"Request cancelled"));return}let s=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(s),i(new A(U.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let i=await n.getTask(a,r);if(!i)throw new A(U.InvalidParams,"Failed to retrieve task: Task not found");return i},"getTask"),storeTaskResult:o(async(a,i,s)=>{await n.storeTaskResult(a,i,s,r);let c=await n.getTask(a,r);if(c){let d=yo.parse({method:"notifications/tasks/status",params:c});await this.notification(d),hr(c.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,i,s)=>{let c=await n.getTask(a,r);if(!c)throw new A(U.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(hr(c.status))throw new A(U.InvalidParams,`Cannot update task "${a}" from terminal status "${c.status}" to "${i}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,i,s,r);let d=await n.getTask(a,r);if(d){let p=yo.parse({method:"notifications/tasks/status",params:d});await this.notification(p),hr(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function lm(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(lm,"isPlainObject");function Qa(e,t){let r={...e};for(let n in t){let a=n,i=t[a];if(i===void 0)continue;let s=r[a];lm(s)&&lm(i)?r[a]={...s,...i}:r[a]=i}return r}o(Qa,"mergeCapabilities");var Qh=qp(vd(),1),Xh=qp(Yh(),1);function qA(){let e=new Qh.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,Xh.default)(e),e}o(qA,"createDefaultAjvInstance");var On=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??qA()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var zi=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],i=Array.isArray(a.content)?a.content:[a.content],s=i.some(l=>l.type==="tool_result"),c=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=c?Array.isArray(c.content)?c.content:[c.content]:[],p=d.some(l=>l.type==="tool_use");if(s){if(i.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!p)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(p){let l=new Set(d.filter(h=>h.type==="tool_use").map(h=>h.id)),m=new Set(i.filter(h=>h.type==="tool_result").map(h=>h.toolUseId));if(l.size!==m.size||![...l].every(h=>m.has(h)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},zr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let i=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:i},fr,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function Mi(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(Mi,"assertToolsCallTaskCapability");function qi(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(qi,"assertClientRequestTaskCapability");var Ni=class extends gn{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(wo.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let i=this._loggingLevels.get(a);return i?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(i):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new On,this.setRequestHandler(La,n=>this._oninitialize(n)),this.setNotificationHandler(Ba,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(kc,async(n,a)=>{let i=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:s}=n.params,c=wo.safeParse(s);return c.success&&this._loggingLevels.set(i,c.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new zi(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Qa(this._capabilities,t)}setRequestHandler(t,r){let a=ln(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(cr(a)){let c=a;i=c._zod?.def?.value??c.value}else{let c=a;i=c._def?.value??c.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");if(i==="tools/call"){let c=o(async(d,p)=>{let l=Ge(_o,d);if(!l.success){let _=l.error instanceof Error?l.error.message:String(l.error);throw new A(U.InvalidParams,`Invalid tools/call request: ${_}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let _=Ge(Lt,h);if(!_.success){let S=_.error instanceof Error?_.error.message:String(_.error);throw new A(U.InvalidParams,`Invalid task creation result: ${S}`)}return _.data}let y=Ge(mr,h);if(!y.success){let _=y.error instanceof Error?y.error.message:String(y.error);throw new A(U.InvalidParams,`Invalid tools/call result: ${_}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){qi(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&Mi(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:lr.includes(r)?r:dr,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},Ht)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],i=a.some(p=>p.type==="tool_result"),s=t.messages.length>1?t.messages[t.messages.length-2]:void 0,c=s?Array.isArray(s.content)?s.content:[s.content]:[],d=c.some(p=>p.type==="tool_use");if(i){if(a.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let p=new Set(c.filter(m=>m.type==="tool_use").map(m=>m.id)),l=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(p.size!==l.size||![...p].every(m=>l.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},vo,r):this.request({method:"sampling/createMessage",params:t},zr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},fr,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},i=await this.request({method:"elicitation/create",params:a},fr,r);if(i.action==="accept"&&i.content&&a.requestedSchema)try{let c=this._jsonSchemaValidator.getValidator(a.requestedSchema)(i.content);if(!c.valid)throw new A(U.InvalidParams,`Elicitation response content does not match requested schema: ${c.errorMessage}`)}catch(s){throw s instanceof A?s:new A(U.InternalError,`Error validating elicitation response: ${s instanceof Error?s.message:String(s)}`)}return i}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},$c,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var ji=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let i={code:r,message:n};return a?.data!==void 0&&(i.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:i,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let i=await this._eventStore.storeEvent(n,{}),s=`id: ${i}
 data: 
 
 `;this._retryInterval!==void 0&&(s=`id: ${i}
 retry: ${this._retryInterval}
 data: 
 
-`),t.enqueue(r.encode(s))}async handleGetRequest(t){if(!t.headers.get("accept")?.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept text/event-stream");let n=this.validateSession(t);if(n)return n;let a=this.validateProtocolVersion(t);if(a)return a;if(this._eventStore){let l=t.headers.get("last-event-id");if(l)return this.replayEvents(l)}if(this._streamMapping.get(this._standaloneSseStreamId)!==void 0)return this.onerror?.(new Error("Conflict: Only one SSE stream is allowed per session")),this.createJsonErrorResponse(409,-32e3,"Conflict: Only one SSE stream is allowed per session");let i=new TextEncoder,s,u=new ReadableStream({start:o(l=>{s=l},"start"),cancel:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId)},"cancel")}),d={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};return this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId),this._streamMapping.set(this._standaloneSseStreamId,{controller:s,encoder:i,cleanup:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId);try{s.close()}catch{}},"cleanup")}),new Response(u,{headers:d})}async replayEvents(t){if(!this._eventStore)return this.onerror?.(new Error("Event store not configured")),this.createJsonErrorResponse(400,-32e3,"Event store not configured");try{let r;if(this._eventStore.getStreamIdForEventId){if(r=await this._eventStore.getStreamIdForEventId(t),!r)return this.onerror?.(new Error("Invalid event ID format")),this.createJsonErrorResponse(400,-32e3,"Invalid event ID format");if(this._streamMapping.get(r)!==void 0)return this.onerror?.(new Error("Conflict: Stream already has an active connection")),this.createJsonErrorResponse(409,-32e3,"Conflict: Stream already has an active connection")}let n={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};this.sessionId!==void 0&&(n["mcp-session-id"]=this.sessionId);let a=new TextEncoder,i,s=new ReadableStream({start:o(d=>{i=d},"start"),cancel:o(()=>{},"cancel")}),u=await this._eventStore.replayEventsAfter(t,{send:o(async(d,l)=>{if(!this.writeSSEEvent(i,a,l,d)){this.onerror?.(new Error("Failed replay events"));try{i.close()}catch{}}},"send")});return this._streamMapping.set(u,{controller:i,encoder:a,cleanup:o(()=>{this._streamMapping.delete(u);try{i.close()}catch{}},"cleanup")}),new Response(s,{headers:n})}catch(r){return this.onerror?.(r),this.createJsonErrorResponse(500,-32e3,"Error replaying events")}}writeSSEEvent(t,r,n,a){try{let i=`event: message
+`),t.enqueue(r.encode(s))}async handleGetRequest(t){if(!t.headers.get("accept")?.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept text/event-stream");let n=this.validateSession(t);if(n)return n;let a=this.validateProtocolVersion(t);if(a)return a;if(this._eventStore){let p=t.headers.get("last-event-id");if(p)return this.replayEvents(p)}if(this._streamMapping.get(this._standaloneSseStreamId)!==void 0)return this.onerror?.(new Error("Conflict: Only one SSE stream is allowed per session")),this.createJsonErrorResponse(409,-32e3,"Conflict: Only one SSE stream is allowed per session");let i=new TextEncoder,s,c=new ReadableStream({start:o(p=>{s=p},"start"),cancel:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId)},"cancel")}),d={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};return this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId),this._streamMapping.set(this._standaloneSseStreamId,{controller:s,encoder:i,cleanup:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId);try{s.close()}catch{}},"cleanup")}),new Response(c,{headers:d})}async replayEvents(t){if(!this._eventStore)return this.onerror?.(new Error("Event store not configured")),this.createJsonErrorResponse(400,-32e3,"Event store not configured");try{let r;if(this._eventStore.getStreamIdForEventId){if(r=await this._eventStore.getStreamIdForEventId(t),!r)return this.onerror?.(new Error("Invalid event ID format")),this.createJsonErrorResponse(400,-32e3,"Invalid event ID format");if(this._streamMapping.get(r)!==void 0)return this.onerror?.(new Error("Conflict: Stream already has an active connection")),this.createJsonErrorResponse(409,-32e3,"Conflict: Stream already has an active connection")}let n={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};this.sessionId!==void 0&&(n["mcp-session-id"]=this.sessionId);let a=new TextEncoder,i,s=new ReadableStream({start:o(d=>{i=d},"start"),cancel:o(()=>{},"cancel")}),c=await this._eventStore.replayEventsAfter(t,{send:o(async(d,p)=>{if(!this.writeSSEEvent(i,a,p,d)){this.onerror?.(new Error("Failed replay events"));try{i.close()}catch{}}},"send")});return this._streamMapping.set(c,{controller:i,encoder:a,cleanup:o(()=>{this._streamMapping.delete(c);try{i.close()}catch{}},"cleanup")}),new Response(s,{headers:n})}catch(r){return this.onerror?.(r),this.createJsonErrorResponse(500,-32e3,"Error replaying events")}}writeSSEEvent(t,r,n,a){try{let i=`event: message
 `;return a&&(i+=`id: ${a}
 `),i+=`data: ${JSON.stringify(n)}
 
-`,t.enqueue(r.encode(i)),!0}catch(i){return this.onerror?.(i),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let i={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},s;if(r?.parsedBody!==void 0)s=r.parsedBody;else try{s=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let u;try{Array.isArray(s)?u=s.map(v=>wr.parse(v)):u=[wr.parse(s)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=u.some(Gs);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(u.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let R=this.validateProtocolVersion(t);if(R)return R}if(!u.some(St)){for(let v of u)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i});return new Response(null,{status:202})}let p=crypto.randomUUID(),m=u.find(v=>Gs(v)),f=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??kp;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(p,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(p)},"cleanup")});for(let R of u)St(R)&&this._requestToStreamMapping.set(R.id,p);for(let R of u)this.onmessage?.(R,{authInfo:r?.authInfo,requestInfo:i})});let _=new TextEncoder,S,y=new ReadableStream({start:o(v=>{S=v},"start"),cancel:o(()=>{this._streamMapping.delete(p)},"cancel")}),w={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(w["mcp-session-id"]=this.sessionId);for(let v of u)St(v)&&(this._streamMapping.set(p,{controller:S,encoder:_,cleanup:o(()=>{this._streamMapping.delete(p);try{S.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,p));await this.writePrimingEvent(S,_,p,f);for(let v of u){let R,I;St(v)&&this._eventStore&&f>="2025-11-25"&&(R=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),I=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i,closeSSEStream:R,closeStandaloneSSEStream:I})}return new Response(y,{status:200,headers:w})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!Qt.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Qt.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Qt.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((ut(t)||Xr(t))&&(n=t.id),n===void 0){if(ut(t)||Xr(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let s;this._eventStore&&(s=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let u=this._streamMapping.get(this._standaloneSseStreamId);if(u===void 0)return;u.controller&&u.encoder&&this.writeSSEEvent(u.controller,u.encoder,t,s);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let i=this._streamMapping.get(a);if(!this._enableJsonResponse&&i?.controller&&i?.encoder){let s;this._eventStore&&(s=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(i.controller,i.encoder,t,s)}if(ut(t)||Xr(t)){this._requestResponseMap.set(n,t);let s=Array.from(this._requestToStreamMapping.entries()).filter(([d,l])=>l===a).map(([d])=>d);if(s.every(d=>this._requestResponseMap.has(d))){if(!i)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&i.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let l=s.map(p=>this._requestResponseMap.get(p));l.length===1?i.resolveJson(new Response(JSON.stringify(l[0]),{status:200,headers:d})):i.resolveJson(new Response(JSON.stringify(l),{status:200,headers:d}))}else i.cleanup();for(let d of s)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function dd(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(dd,"truncate");function Of(e){return"cause"in e?e.cause:void 0}o(Of,"readCause");function Ae(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=dd(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=dd(r.message);let n=Of(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let i=a===1?"cause":`cause${a}`;e[`${i}Name`]=n.name,e[`${i}Message`]=dd(n.message),n=Of(n)}}o(Ae,"addErrorLogFields");function it(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(it,"safeHost");function Uf(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(Uf,"setLogProperties");function ld(e,t){Uf(e,{tenantId:t.tenantId,subjectId:t.subjectId})}o(ld,"applyGatewayPrincipalLogProperties");function zf(e,t){Uf(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(zf,"applyGatewayRouteLogProperties");var wn={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},Nf={...wn.runtime,...wn.config,...wn.downstream_auth,...wn.downstream_oauth,...wn.upstream_auth,...wn.upstream_mcp};function Uo(e){return typeof e=="string"&&Object.hasOwn(Nf,e)}o(Uo,"isGatewayProblemCode");function wi(e){return Uo(e)&&Fe(e).callbackFailure===!0}o(wi,"isGatewayCallbackFailureCode");function Fe(e){return Nf[e]}o(Fe,"readGatewayProblemDefinition");function pd(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";default:return"internal_server_error"}}o(pd,"readDefaultGatewayProblemCodeForStatus");var Df="gatewayCode";function Mf(e){let t=Fe(e);return{title:t.title,body:t.publicDetail}}o(Mf,"readGatewayCallbackFailureContent");function de(e){if(!(e instanceof _a))return;let t=e.extensionMembers?.[Df];return Uo(t)?t:void 0}o(de,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Fe(n.code),i=n.privateDetail??(vi(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),s=mk(n);return new _a({message:i,extensionMembers:{[Df]:n.code}},s===void 0?void 0:{cause:s})}o(g,"createGatewayRuntimeError");async function Ze(e,t,r){let n=Fe(r.code),a=hk(r.code,r.detail),i=vi(r.code)?r.title??n.title:n.title,u={problem:{...Vn.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:i,detail:a,code:r.code}};return r.headers!==void 0&&(u.additionalHeaders=r.headers),Vn.format(u,e,t)}o(Ze,"gatewayProblemResponse");function vi(e){return Fe(e).status<500}o(vi,"canExposeGatewayProblemDetail");function mk(e){return!e.privateDetail||vi(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(mk,"readRuntimeErrorCause");function hk(e,t){let r=Fe(e);return vi(e)&&t||r.publicDetail}o(hk,"readSafeGatewayProblemDetail");Y();var fk=["tenant_shared_oauth","user_oauth","static_secret","user_static_secret","tenant_static_secret"],gk=["none","client_secret_basic","client_secret_post"],ke=c.string().min(1).brand(),me=c.string().min(1).brand(),Pe=c.string().min(1).brand(),Tt=c.string().min(1).brand(),Ri=c.enum(fk),md=c.enum(gk),bi=c.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),hd=c.object({name:bi,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict();var fd=new Map;function Ci(e){fd.set(e.policyType,e)}o(Ci,"registerMcpAuthorizationPolicy");function gd(e){if(e!==void 0)return fd.get(e)}o(gd,"getMcpAuthorizationPolicy");function Ii(e){return gd(e)!==void 0}o(Ii,"isRegisteredMcpAuthorizationPolicyType");function _d(){return[...fd.keys()]}o(_d,"listMcpAuthorizationPolicyTypes");Y();var Lf=ke,_k=c.object({mode:c.literal("auto")}).strict(),yk=c.object({mode:c.literal("manual"),clientId:c.string().trim().min(1),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:md.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:c.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),jf=c.discriminatedUnion("mode",[_k,yk]),Sk=jf.default({mode:"auto"}),yd=c.object({scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:Sk}).strict(),qf=yd.extend({redirectPath:c.string().startsWith("/auth/connections/")}).strict(),Hf=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),wk=new Set([...Hf,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),vk=c.object({kind:c.literal("bearer_token"),token:c.string().min(1)}).strict(),Rk=c.object({kind:c.literal("headers"),headers:c.array(c.object({name:bi,value:c.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let i=a.name.toLowerCase();Hf.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(i)}}),Sd=c.discriminatedUnion("kind",[vk,Rk]),bk=c.object({kind:c.literal("basic_auth_app_password"),usernameLabel:c.string().min(1).default("Username"),passwordLabel:c.string().min(1).default("App password")}).strict(),Ck=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key"),capture:c.enum(["browser_login"]).optional()}).strict(),wd=c.discriminatedUnion("kind",[bk,Ck]),vd=c.object({kind:c.literal("bearer_token"),label:c.string().min(1).default("API key")}).strict(),Ik=c.discriminatedUnion("mode",[c.object({mode:c.literal("tenant_shared_oauth"),oauth:qf}).strict(),c.object({mode:c.literal("user_oauth"),oauth:qf}).strict(),c.object({mode:c.literal("static_secret"),secret:Sd}).strict(),c.object({mode:c.literal("user_static_secret"),secret:wd}).strict(),c.object({mode:c.literal("tenant_static_secret"),secret:vd}).strict()]),Tk=c.object({baseUrl:c.url(),resourceMetadataUrl:c.url(),requestHeaders:c.array(hd).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let i=a.name.toLowerCase();wk.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(i)&&t.addIssue({code:c.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(i)}}),rB=c.object({displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:Qr.optional(),authProfiles:c.record(Pe,Ik),transport:Tk}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),Ak=c.object({tenant_shared_oauth:yd.optional(),user_oauth:yd.optional(),static_secret:c.object({secret:Sd}).strict().optional(),user_static_secret:c.object({secret:wd}).strict().optional(),tenant_static_secret:c.object({secret:vd}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:c.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),$f=c.object({id:Lf,displayName:c.string().min(1),description:c.string().min(1).optional(),serverInfo:Qr.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url(),requestHeaders:c.array(hd).default([]),authProfiles:Ak}).strict(),kk=c.object({name:bi,value:c.string().min(1).optional(),required:c.boolean().default(!0)}).strict(),Ti={id:Lf.optional(),displayName:c.string().min(1),summary:c.string().min(1).optional(),serverInfo:Qr.optional(),mcpUrl:c.url(),protectedResourceMetadataUrl:c.url().optional(),requestHeaders:c.array(kk).default([])},Pk=c.discriminatedUnion("authMode",[c.object({...Ti,authMode:c.enum(["tenant_shared_oauth","user_oauth"]),scopes:c.array(c.string().min(1)).default([]),scopeDelimiter:c.string().min(1).default(" "),clientRegistration:jf.optional(),clientId:c.string().trim().min(1).optional(),clientSecret:c.string().min(1).optional(),tokenEndpointAuthMethod:md.optional()}).strict(),c.object({...Ti,authMode:c.literal("static_secret"),secret:Sd}).strict(),c.object({...Ti,authMode:c.literal("user_static_secret"),secret:wd}).strict(),c.object({...Ti,authMode:c.literal("tenant_static_secret"),secret:vd}).strict()]);function Gf(e){throw g("internal_server_error",e)}o(Gf,"throwGatewayConfigError");function Ek(e){let t="mcp-upstream-";return e.startsWith(t)||Gf(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),ke.parse(e.slice(t.length))}o(Ek,"inferUpstreamConnectionIdFromPolicyName");function xk(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(xk,"buildDefaultProtectedResourceMetadataUrl");function vn(e,t){return Pe.parse(`${e}:${t}`)}o(vn,"buildUpstreamAuthProfileId");function Ai(e,t){let r=$f.safeParse(e);if(r.success)return r.data;let n=Pk.parse(e),a=n.id??(t===void 0?void 0:Ek(t));a===void 0&&Gf("Upstream policy options must include id when policy name is unavailable.");let i=n.requestHeaders.map(u=>({name:u.name,value:u.value,required:u.required})),s=(()=>{switch(n.authMode){case"tenant_shared_oauth":case"user_oauth":{let u=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:u}}}case"static_secret":case"user_static_secret":case"tenant_static_secret":return{[n.authMode]:{secret:n.secret}}}})();return $f.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??xk(n.mcpUrl),requestHeaders:i,authProfiles:s})}o(Ai,"parseUpstreamConnectionPolicyOptions");function Bf(e){return e.mode==="tenant_shared_oauth"||e.mode==="user_oauth"}o(Bf,"isUpstreamOAuthAuthConfig");Y();var Ok=c.looseObject({name:c.string().min(1),version:c.string().min(1).optional()}),Uk=c.looseObject({}),zk=c.looseObject({name:Tt,namespace:Tt.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional(),inputSchema:Uk}),Nk=c.looseObject({name:Tt,namespace:Tt.optional(),upstreamPolicy:c.string().min(1).optional(),enabled:c.boolean().optional()}),Dk=c.looseObject({name:Tt,uri:c.string().min(1),upstreamPolicy:c.string().min(1).optional(),upstreamUri:c.string().min(1).optional(),enabled:c.boolean().optional()}),Mk=c.enum(["openapi","upstream_mcp"]),qk=c.object({catalogSource:Mk.default("openapi"),serverInfo:Ok.optional(),tools:c.array(zk).default([]),prompts:c.array(Nk).default([]),resources:c.array(Dk).default([])}).strict();function Vf(e){return qk.parse(e??{})}o(Vf,"parseVirtualServerRouteOptions");function ki(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(ki,"toMcpTool");function Pi(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Pi,"toMcpPrompt");function Ei(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(Ei,"toMcpResource");var $k="mcp-upstream-connection-inbound",Ff="/mcp/";function De(e){throw new Ot(e)}o(De,"throwRegistryError");function Zf(e){return e.policyType===$k}o(Zf,"isUpstreamConnectionPolicy");function Lk(e){return Ii(e.policyType)}o(Lk,"isMcpOAuthInboundPolicy");function jk(e){e.startsWith(Ff)||De(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(Ff.length);return(!t||t.includes("/"))&&De(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),me.parse(t)}o(jk,"readVirtualServerIdFromPath");function Hk(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&De(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&De(`Upstream policy ${e.policyName} does not declare an auth mode.`),Ri.parse(r)}o(Hk,"readSingleAuthMode");function Gk(e){let t=e.connection.authProfiles[e.authMode];t||De(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"tenant_shared_oauth":case"user_oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static_secret":return{mode:"static_secret",secret:t.secret};case"user_static_secret":return{mode:"user_static_secret",secret:t.secret};case"tenant_static_secret":return{mode:"tenant_static_secret",secret:t.secret}}}o(Gk,"buildResolvedAuthConfig");function Bk(e){let t=Hk({policyName:e.policyName,connection:e.connection}),r=vn(e.connection.id,t),n=Gk({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(Bk,"buildRegisteredConnection");function Vk(e){let t=new Map;for(let r of e)t.has(r.name)&&De(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(Vk,"buildPolicyMap");function Fk(e){let t=new Map,r=new Set;for(let n of e.values()){if(!Zf(n))continue;let a=Ai(n.handler.options,n.name);r.has(a.id)&&De(`Duplicate upstream MCP connection id ${a.id} in policies.json.`),r.add(a.id);let i=Bk({policyName:n.name,connection:a});t.set(n.name,i)}return t}o(Fk,"buildConnectionsByPolicyName");function Zk(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(Zk,"readOperationId");function Kf(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return Tt.parse(t)}catch{De(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o(Kf,"buildPublishedCapabilityName");function bd(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||De(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;De(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o(bd,"readCapabilityUpstreamPolicy");function Rd(e){e.seen.has(e.key)&&De(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(Rd,"assertUniqueCatalogKey");function Kk(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=Kf({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:bd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(Kk,"normalizeCatalogTool");function Wk(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=Kf({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:bd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(Wk,"normalizeCatalogPrompt");function Jk(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:bd({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(Jk,"normalizeCatalogResource");function Yk(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>Kk({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>Wk({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>Jk({resource:d,connections:e.connections,routePath:e.routePath})),i=new Set;for(let d of r)Rd({kind:"tool",key:d.name,routePath:e.routePath,seen:i});let s=new Set;for(let d of n)Rd({kind:"prompt",key:d.name,routePath:e.routePath,seen:s});let u=new Set;for(let d of a)Rd({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:u});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(Yk,"normalizeVirtualServerCatalog");function Xk(e){let t=new Map,r=new Set;for(let n of e.routes){let a=n.policies?.inbound??[];if(a.length===0)continue;let i=a[0],s=i===void 0?void 0:e.policyByName.get(i);if(!s||!Lk(s))continue;let u=Zk(n);u||De(`MCP virtual server route ${n.path} must declare an operationId in routes.oas.json.`),r.has(u)&&De(`Duplicate MCP virtual server operationId ${u} across routes.`),r.add(u);let d=jk(n.path);t.has(d)&&De(`Duplicate MCP virtual server id ${d} across routes.`);let l=[];for(let f of a.slice(1)){let _=e.policyByName.get(f);if(!_||!Zf(_))continue;let S=e.connectionsByPolicyName.get(f);S||De(`Upstream connection policy ${f} referenced by route ${n.path} could not be resolved.`),l.push(S)}let p=Vf(n.handler.options),m=Yk({catalog:p,connections:l,routePath:n.path});m.catalogSource==="upstream_mcp"&&l.length!==1&&De(`MCP virtual server route ${n.path} uses upstream MCP catalog mode but declares ${l.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(d,{virtualServerId:d,operationId:u,routePath:n.path,handlerExport:n.handler.export,serverInfo:m.serverInfo,catalog:m,connections:l})}return t}o(Xk,"buildVirtualServers");function Wf(e){let t=Vk(e.policies),r=Fk(t),n=Xk({routes:e.routes,policyByName:t,connectionsByPolicyName:r}),a=new Map;for(let i of r.values())a.set(i.upstreamServerId,i);return{byVirtualServerId:n,connectionsById:a}}o(Wf,"buildGatewayConnectionRegistry");var xi;function Jf(e){xi=e}o(Jf,"setGatewayConnectionRegistry");function st(){if(!xi)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return xi}o(st,"getGatewayConnectionRegistry");function Yf(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return t}o(Yf,"getRegisteredVirtualServer");function zo(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(zo,"requireRegisteredVirtualServer");function Xf(){return xi}o(Xf,"tryGetGatewayConnectionRegistry");var Qf=new Ut("gateway-route");function eg(e,t){Qf.set(e,t)}o(eg,"setGatewayRouteContext");function No(e){return Qf.get(e)}o(No,"readGatewayRouteContext");function Rn(e){let t=No(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(Rn,"requireGatewayRouteContext");var Or="2025-06-18";var Qk=new Set(["localhost","::1"]);function ct(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(ct,"normalizeHostname");function Le(e){let t=ct(e.hostname);return e.protocol==="http:"&&(Qk.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(Le,"isLoopbackHttpUrl");function re(e){return new URL(e).origin}o(re,"readGatewayRequestOrigin");import{metrics as eP,context as Oi,propagation as rg,SpanKind as ng,SpanStatusCode as Cd,trace as Do}from"@opentelemetry/api";var tP="mcp-gateway",rP="mcp-gateway",nP=Or,oP="2.0",og=Do.getTracer(tP),Id=eP.getMeter(rP),aP=Id.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),iP=Id.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),sP=Id.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),cP=["traceparent","tracestate","baggage"];function Td(){return performance.now()/1e3}o(Td,"nowSeconds");function ag(e,t){t(Math.max(Td()-e,0))}o(ag,"recordDurationSeconds");function tg(e){return e===void 0?void 0:String(e)}o(tg,"stringifyAttribute");function Ee(e,t,r){r!==void 0&&(e[t]=r)}o(Ee,"assignAttribute");function uP(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(uP,"readTargetName");function ig(e){let t=uP({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(ig,"buildMcpOperationSpanName");function Ad(e){let t={"mcp.method.name":e.methodName};return Ee(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??oP),Ee(t,"jsonrpc.request.id",tg(e.jsonRpcRequestId)),Ee(t,"mcp.protocol.version",e.mcpProtocolVersion??nP),Ee(t,"mcp.session.id",e.mcpSessionId),Ee(t,"mcp.resource.uri",e.resourceUri),Ee(t,"rpc.response.status_code",tg(e.rpcResponseStatusCode)),Ee(t,"error.type",e.errorType),e.capabilityType==="tool"&&(Ee(t,"gen_ai.operation.name","execute_tool"),Ee(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&Ee(t,"gen_ai.prompt.name",e.capabilityName),Ee(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),Ee(t,"network.protocol.version",e.networkProtocolVersion),Ee(t,"network.transport",e.networkTransport),Ee(t,"server.address",e.serverAddress),Ee(t,"server.port",e.serverPort),Ee(t,"client.address",e.clientAddress),Ee(t,"client.port",e.clientPort),t}o(Ad,"buildMcpOperationAttributes");function dP(e){let t=Ad({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(dP,"buildMcpSessionAttributes");function sg(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:Cd.ERROR}),t instanceof Error&&e.recordException(t)}o(sg,"setSpanError");function cg(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(cg,"readErrorType");function lP(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?Oi.active():rg.extract(Oi.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(lP,"readServerParentContext");function pP(e){let t=Do.getSpanContext(Oi.active()),r=Do.getSpanContext(e);if(!(!t||!Do.isSpanContextValid(t))&&!(r&&Do.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(pP,"readAmbientSpanLink");function ug(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(ug,"readResultErrorType");async function Ur(e,t){let r=Td(),n=Ad({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return og.startActiveSpan(ig(e),{kind:ng.CLIENT,attributes:n},async a=>{try{let i=await t(),s=ug(i);return s&&(a.setAttribute("error.type",s),a.setStatus({code:Cd.ERROR}),n["error.type"]=s),i}catch(i){let s=e.errorType??cg(i);throw n["error.type"]=s,sg(a,i,s),i}finally{ag(r,i=>{aP.record(i,n)}),a.end()}})}o(Ur,"runMcpClientOperation");async function zr(e,t){let r=Td(),n=lP(e.params),a=Ad({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),i=pP(n);return og.startActiveSpan(ig(e),{kind:ng.SERVER,attributes:a,...i?{links:i}:{}},n,async s=>{try{let u=await t(),d=ug(u);return d&&(s.setAttribute("error.type",d),s.setStatus({code:Cd.ERROR}),a["error.type"]=d),u}catch(u){let d=e.errorType??cg(u);throw a["error.type"]=d,sg(s,u,d),u}finally{ag(r,u=>{iP.record(u,a)}),s.end()}})}o(zr,"runMcpServerOperation");function dg(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return rg.inject(Oi.active(),t._meta,{set(r,n,a){cP.includes(n)&&(r[n]=a)}}),t}o(dg,"injectMcpTraceContextIntoParams");function lg(e,t){let r=dP({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});sP.record(Math.max(t,0),r)}o(lg,"recordMcpClientSessionDuration");var kd=new Ut("route-upstream-bindings");function mP(e){let t=kd.get(e);if(t)return t;let r={bindings:[]};return kd.set(e,r),r}o(mP,"readOrCreateRouteUpstreamBindingRegistry");function pg(e){return`${e.upstreamServerId}:${e.authProfileId}`}o(pg,"buildRouteBindingDuplicateKey");function Pd(e,t){let r=mP(e),n=pg(t);if(r.bindings.find(i=>pg(i)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.bindings.push(t)}o(Pd,"appendResolvedUpstreamBindingContext");function mg(e){return kd.get(e)?.bindings??[]}o(mg,"readResolvedUpstreamBindingContexts");Y();var V=c.string().datetime({offset:!0}).brand();function O(e){return V.parse(e.toISOString())}o(O,"toIsoTimestamp");function ft(e,t){return new Date(e.getTime()+t*1e3)}o(ft,"addSeconds");Y();var bn=c.string().trim().min(1),Mo={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},hP=c.object({issuer:c.url(),jwksUrl:c.url(),audience:bn}),fP=c.object({url:c.url(),tokenUrl:c.url().optional(),clientId:bn.optional(),clientSecret:bn.optional(),scope:bn.default("openid profile email"),audience:bn.optional(),remoteTimeoutMs:c.coerce.number().int().positive().default(1e4),stateTtlSeconds:c.coerce.number().int().positive().default(900),sessionTtlSeconds:c.coerce.number().int().positive().default(28800)}).strict(),gP=c.object({accessTokenTtlSeconds:c.coerce.number().int().positive().default(Mo.accessTokenTtlSeconds),refreshTokenTtlSeconds:c.coerce.number().int().positive().default(Mo.refreshTokenTtlSeconds),cimdEnabled:c.boolean().default(Mo.cimdEnabled)}).strict().default(Mo),_P=c.object({oidc:hP,browserLogin:fP,gateway:gP.optional().default(Mo),devTenantId:bn.optional()}).strict();function hg(e){return yP(e.browserLogin.url)?"local_dev":"federated_oidc"}o(hg,"readBrowserLoginKind");function yP(e){let t;try{t=new URL(e)}catch{return!1}return Le(t)&&t.pathname==="/oauth/dev-login"}o(yP,"isLoopbackDevLoginUrl");function Ui(e){return _P.parse(e)}o(Ui,"parseMcpOAuthRuntimeConfig");var Ed;function fg(e){Ed=e}o(fg,"setGatewayOAuthConfig");function ve(){if(!Ed)throw g("internal_server_error","MCP gateway OAuth config has not been initialized. An `mcp-oauth-inbound` policy (or a provider-specific wrapper such as `mcp-auth0-oauth-inbound`) must be registered in policies.json so the gateway can derive its OAuth runtime configuration from policy options.");return Ed}o(ve,"getGatewayOAuthConfig");function gt(e){return re(e)}o(gt,"readGatewayOAuthIssuer");Y();var SP=43,wP=128,vP=/^[A-Za-z0-9._~-]+$/,xd="S256",Cn=c.literal(xd),zi=c.string().min(SP).max(wP).regex(vP);Y();var Ni=["none","client_secret_post","client_secret_basic"],RP=[...Ni,"private_key_jwt"],bP=["awaiting_login","awaiting_setup"],CP=c.string().min(1).brand(),IP=c.string().min(1).brand(),le=c.string().min(1).brand(),_t=c.uuid().brand(),je=c.uuid().brand(),Di=c.uuid().brand(),qo=c.enum(Ni),TP=c.enum(RP),Od=c.enum(bP),gg=c.object({client_id:le,client_name:c.string().min(1),redirect_uris:c.array(c.string().min(1)).min(1),token_endpoint_auth_method:TP.default("none")}),$o=c.object({clientId:le,clientName:c.string().min(1),redirectUris:c.array(c.string().min(1)),tokenEndpointAuthMethod:qo,hashedClientSecret:c.string().optional(),clientSecretExpiresAt:V.optional(),clientExpiresAt:V,revokedAt:V.optional(),createdAt:V}),Ud=c.object({clientId:le,resource:c.string(),virtualServerId:me,tenantId:CP,subjectId:IP,scope:c.string(),roles:c.array(c.string()),createdAt:V,expiresAt:V}),_g=Ud.extend({id:je,redirectUri:c.string(),clientState:c.string().optional(),codeChallenge:c.string(),codeChallengeMethod:Cn}),Lo=Ud.extend({id:_t,currentRefreshTokenHash:c.string().optional(),previousRefreshTokenHash:c.string().optional(),revokedAt:V.optional(),revokedReason:c.string().optional()}),In=Ud.extend({tokenHash:c.string(),grantId:_t,revokedAt:V.optional()});function zd(){return je.parse(crypto.randomUUID())}o(zd,"createDownstreamAuthorizationTransactionId");function Nd(){return Di.parse(crypto.randomUUID())}o(Nd,"createDownstreamBrowserLoginStateId");function Dd(){return _t.parse(crypto.randomUUID())}o(Dd,"createDownstreamGrantId");var ce="mcp:tools";function qi(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return Le(r)&&Le(n)&&ct(r.hostname)===ct(n.hostname)&&r.pathname===n.pathname&&r.search===n.search}o(qi,"redirectUriMatchesRegistration");function yg(e){return Le(e)&&e.pathname==="/oauth/dev-login"}o(yg,"isLoopbackDevLoginUrl");function Mi(e,t){return new URL(e,gt(t)).toString()}o(Mi,"buildGatewayOAuthUrl");function Md(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,re(e.requestUrl)).toString()}o(Md,"buildScopedAuthorizationServerIssuer");function AP(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,re(e.requestUrl)).toString()}o(AP,"buildScopedAuthorizationEndpoint");function qd(e){let t=ve();return{issuer:gt(e),authorization_endpoint:Mi("/oauth/authorize",e),token_endpoint:Mi("/oauth/token",e),registration_endpoint:Mi("/oauth/register",e),revocation_endpoint:Mi("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[ce],code_challenge_methods_supported:[xd],token_endpoint_auth_methods_supported:Ni,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":hg(t)}}o(qd,"buildAuthorizationServerMetadata");function Sg(e){let t=Md(e);return{...qd(e.requestUrl),issuer:t,authorization_endpoint:AP(e)}}o(Sg,"buildScopedAuthorizationServerMetadata");async function wg(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return Response.json(kP(n.virtualServerId,e.url))}catch(r){let n=de(r);return Ze(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(wg,"protectedResourceMetadataHandler");function kP(e,t){return{resource:Nr(e,t),resource_name:e,authorization_servers:[Md({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[ce],mcp_protocol_version:Or}}o(kP,"buildProtectedResourceMetadataResponseBody");function Nr(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,re(t)).toString()}o(Nr,"buildCanonicalMcpResourceForVirtualServer");function vg(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,re(t)).toString()}o(vg,"buildProtectedResourceMetadataUrlForVirtualServer");import{base64url as $d}from"jose";var PP="sha256:",EP=32;function Rg(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Rg,"copyToArrayBuffer");function xP(e,t){if(e.length!==t.length)return!1;let r=0;for(let n=0;n<e.length;n++)r|=e.charCodeAt(n)^t.charCodeAt(n);return r===0}o(xP,"constantTimeEqual");function Ke(){let e=crypto.getRandomValues(new Uint8Array(EP));return $d.encode(e)}o(Ke,"createOpaqueToken");async function F(e){let t=await crypto.subtle.digest("SHA-256",Rg(new TextEncoder().encode(e)));return`${PP}${$d.encode(new Uint8Array(t))}`}o(F,"hashOpaqueValue");async function bg(e){let t=await F(e.value);return xP(t,e.expectedHash)}o(bg,"verifyOpaqueValue");async function Ld(e){let t=await crypto.subtle.digest("SHA-256",Rg(new TextEncoder().encode(e)));return $d.encode(new Uint8Array(t))}o(Ld,"calculatePkceS256Challenge");Y();var OP=c.record(c.string(),c.unknown()),Cg=c.string().min(1),UP=c.union([Cg.transform(e=>[e]),c.array(Cg)]),ue=c.string().min(1).brand(),X=c.string().min(1).brand(),zP=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],NP=["https://zuplo.com/roles","roles","role","permissions","groups"],DP=ue.parse("zuplo-poc"),Ig=new Ut("gateway-principal");function MP(e){let t=OP.safeParse(e);return t.success?t.data:{}}o(MP,"toClaimRecord");function qP(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(qP,"readValidationFailureDetail");function $P(e,t,r){for(let i of zP){let s=X.safeParse(t[i]);if(s.success)return s.data}let n=X.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",qP(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===gt(r)?n.data:X.parse(`${a}|${n.data}`)}o($P,"readNormalizedSubjectId");function LP(e){let t=new Set;for(let r of NP){let n=UP.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(LP,"readRoles");function Tn(e,t){let r=MP(e?.data),n={subjectId:$P(e,r,t),tenantId:DP},a=LP(r);return a&&(n.roles=a),n}o(Tn,"parseGatewayPrincipal");function Tg(e){let t=Hd(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(Tg,"requireGatewayPrincipal");function Ag(e,t){Ig.set(e,t)}o(Ag,"setGatewayPrincipal");function Hd(e){return Ig.get(e)}o(Hd,"readGatewayPrincipal");function An(e){let r=['realm="OAuth"',`resource_metadata="${jd(vg(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${jd(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${jd(e.scope)}"`),`Bearer ${r.join(", ")}`}o(An,"buildGatewayBearerChallenge");function jd(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(jd,"sanitizeQuotedHeaderParameter");Y();var Gd=c.string().trim().min(1),jP=c.object({TOKEN_ENCRYPTION_KEY:Gd,OAUTH_STATE_SIGNING_KEY:Gd,TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING:Gd.optional()}),HP=["TOKEN_ENCRYPTION_KEY","OAUTH_STATE_SIGNING_KEY","TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING"];function GP(e){let t=Ns[e];return typeof t=="string"?t:void 0}o(GP,"readEnvValue");function BP(){let e={};for(let t of HP){let r=GP(t);r!==void 0&&(e[t]=r)}return e}o(BP,"readRawEnv");var Bd;function VP(e){return e.issues.map(t=>`- ${t.path.length>0?t.path.map(String).join("."):"environment"}: ${t.message}`)}o(VP,"formatZodIssues");function FP(e){return new Ot(["Invalid MCP gateway environment configuration.","Validation failed for these environment variables:",...VP(e)].join(`
-`),{cause:e})}o(FP,"createEnvValidationError");function ZP(e){let t=jP.safeParse(e);if(!t.success)throw FP(t.error);return t.data}o(ZP,"parseGatewayEnv");function KP(){return Bd||(Bd=ZP(BP())),Bd}o(KP,"readEnv");function $i(){return KP()}o($i,"getEnv");Y();Y();function WP(e){if(e instanceof Date)return e;let t=new Date(e);if(Number.isNaN(t.getTime()))throw new Error("Expected a valid timestamp",{cause:new Error(`received: ${String(e)}`)});return t}o(WP,"parseDate");function pr(e,t){if(typeof e!="string")return e;try{return JSON.parse(e)}catch(r){throw new Error(`Persisted ${t} must be valid JSON`,{cause:r})}}o(pr,"parseJsonValue");function Vd(e,t){return c.array(c.string()).parse(pr(e,t))}o(Vd,"parseStringArray");var ie=c.union([c.date(),c.string()]).transform(e=>WP(e));var JP=c.object({current_state_hash:c.string(),phase:Od,consumed_at:ie.nullable(),expires_at:ie}),YP=c.object({id:_t,revoked_at:ie.nullable().optional(),expires_at:ie,matched:c.enum(["current","previous"])}),XP=c.object({id:_t,matched:c.literal("current")}),QP=c.object({client_id:le,client_name:c.string(),redirect_uris:c.unknown(),token_endpoint_auth_method:qo,hashed_client_secret:c.string().nullable(),client_secret_expires_at:ie.nullable(),client_expires_at:ie,revoked_at:ie.nullable(),created_at:ie}).transform(e=>{let t={clientId:e.client_id,clientName:e.client_name,redirectUris:Vd(e.redirect_uris,"redirect_uris"),tokenEndpointAuthMethod:e.token_endpoint_auth_method,createdAt:O(e.created_at),clientExpiresAt:O(e.client_expires_at)};return e.hashed_client_secret&&(t.hashedClientSecret=e.hashed_client_secret),e.client_secret_expires_at&&(t.clientSecretExpiresAt=O(e.client_secret_expires_at)),e.revoked_at&&(t.revokedAt=O(e.revoked_at)),$o.parse(t)}),Fd=c.object({id:je,current_state_hash:c.string(),phase:Od,principal_subject_id:X.nullable(),principal_tenant_id:ue.nullable(),principal_roles:c.unknown().nullable(),client_id:le,redirect_uri:c.string(),resource:c.string(),virtual_server_id:me,client_state:c.string().nullable(),scope:c.string(),code_challenge:c.string(),code_challenge_method:Cn,created_at:ie,expires_at:ie,consumed_at:ie.nullable()}).transform(e=>{let t={id:e.id,currentStateHash:e.current_state_hash,clientId:e.client_id,redirectUri:e.redirect_uri,resource:e.resource,virtualServerId:e.virtual_server_id,scope:e.scope,codeChallenge:e.code_challenge,codeChallengeMethod:e.code_challenge_method,createdAt:O(e.created_at),expiresAt:O(e.expires_at)};if(e.client_state&&(t.clientState=e.client_state),e.consumed_at&&(t.consumedAt=O(e.consumed_at)),e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal_subject_id||!e.principal_tenant_id)throw new Error("Awaiting-setup pending authorization row is missing principal.");return{...t,phase:"awaiting_setup",principal:{subjectId:e.principal_subject_id,tenantId:e.principal_tenant_id,...e.principal_roles===null?{}:{roles:c.array(c.string()).parse(pr(e.principal_roles,"principal_roles"))}}}}),eE=c.object({id:je});function Pg(e){return{clientId:e.client_id,resource:e.resource,virtualServerId:e.virtual_server_id,tenantId:e.tenant_id,subjectId:e.subject_id,scope:e.scope,roles:Vd(e.roles,"roles"),createdAt:O(e.created_at),expiresAt:O(e.expires_at)}}o(Pg,"downstreamGrantAccessFields");var kg=c.object({id:_t,client_id:le,resource:c.string(),virtual_server_id:me,tenant_id:ue,subject_id:X,scope:c.string(),roles:c.unknown(),current_refresh_token_hash:c.string().nullable(),previous_refresh_token_hash:c.string().nullable(),created_at:ie,expires_at:ie,revoked_at:ie.nullable(),revoked_reason:c.string().nullable()}).transform(e=>{let t={id:e.id,...Pg(e)};return e.current_refresh_token_hash&&(t.currentRefreshTokenHash=e.current_refresh_token_hash),e.previous_refresh_token_hash&&(t.previousRefreshTokenHash=e.previous_refresh_token_hash),e.revoked_at&&(t.revokedAt=O(e.revoked_at)),e.revoked_reason&&(t.revokedReason=e.revoked_reason),Lo.parse(t)}),tE=c.object({token_hash:c.string(),grant_id:_t,client_id:le,resource:c.string(),virtual_server_id:me,tenant_id:ue,subject_id:X,scope:c.string(),roles:c.unknown(),created_at:ie,expires_at:ie,revoked_at:ie.nullable()}).transform(e=>{let t={tokenHash:e.token_hash,grantId:e.grant_id,...Pg(e)};return e.revoked_at&&(t.revokedAt=O(e.revoked_at)),In.parse(t)});function Eg(e){return[e.clientId,e.redirectUri,e.resource,e.virtualServerId,e.tenantId,e.subjectId,e.scope,JSON.stringify(e.roles),e.codeChallenge,e.codeChallengeMethod,new Date(e.createdAt),new Date(e.expiresAt)]}o(Eg,"authorizationTransactionValues");function rE(e,t){let r=_g.parse(t);return e.query(`INSERT INTO downstream_oauth_authorization_transactions (
-       id, client_id, redirect_uri, resource, virtual_server_id, tenant_id,
-       subject_id, scope, roles, code_challenge, code_challenge_method,
-       created_at, expires_at
-     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12, $13)`,[r.id,...Eg(r)])}o(rE,"insertAuthorizationTransaction");function nE(e,t){return e.query(`INSERT INTO downstream_oauth_authorization_codes (
-       code_hash, transaction_id, grant_id, client_id, redirect_uri, resource,
-       virtual_server_id, tenant_id, subject_id, scope, roles,
-       code_challenge, code_challenge_method, created_at, expires_at
-     ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11::jsonb, $12, $13, $14, $15)`,[t.codeHash,t.id,t.grantId,...Eg(t)])}o(nE,"insertAuthorizationCode");function oE(e,t){return e&&!e.revokedAt?new Date(e.expiresAt).getTime()<=t.getTime()?{kind:"expired"}:void 0:{kind:"revoked"}}o(oE,"accessTokenGrantValidationFailure");var Li=class{constructor(t){this.db=t}static{o(this,"PostgresDownstreamOAuthRepository")}async readPendingAuthorizationStatus(t){return c.array(JP).parse(await this.db.query(`SELECT current_state_hash, phase, consumed_at, expires_at
-         FROM downstream_oauth_pending_authorization_transactions
-         WHERE id = $1
-         LIMIT 1`,[t]))[0]}async readPendingAuthorizationAdvanceFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:r.phase!==t.expectedPhase?{kind:"wrong_phase",current:r.phase}:{kind:"stale_hash"}:{kind:"missing"}}async readPendingAuthorizationConsumeFailure(t){let r=await this.readPendingAuthorizationStatus(t.id);return r?r.consumed_at?{kind:"consumed_already"}:new Date(r.expires_at).getTime()<=t.now.getTime()?{kind:"expired"}:r.current_state_hash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"stale_hash"}:{kind:"missing"}}async getDcrClient(t){return c.array(QP).parse(await this.db.query(`SELECT
-           client_id,
-           client_name,
-           redirect_uris,
-           token_endpoint_auth_method,
-           hashed_client_secret,
-           client_secret_expires_at,
-           client_expires_at,
-           revoked_at,
-           created_at
-         FROM downstream_oauth_dcr_clients
-         WHERE client_id = $1
-           AND revoked_at IS NULL
-           AND client_expires_at > NOW()
-         LIMIT 1`,[t]))[0]}async saveDcrClient(t){await this.db.query(`INSERT INTO downstream_oauth_dcr_clients (
-         client_id,
-         client_name,
-         redirect_uris,
-         token_endpoint_auth_method,
-         hashed_client_secret,
-         client_secret_expires_at,
-         client_expires_at,
-         revoked_at,
-         created_at
-       ) VALUES ($1, $2, $3::jsonb, $4, $5, $6, $7, $8, $9)`,[t.clientId,t.clientName,JSON.stringify(t.redirectUris),t.tokenEndpointAuthMethod,t.hashedClientSecret??null,t.clientSecretExpiresAt?new Date(t.clientSecretExpiresAt):null,new Date(t.clientExpiresAt),t.revokedAt?new Date(t.revokedAt):null,new Date(t.createdAt)])}async savePendingAuthorizationTransaction(t){return c.array(eE).parse(await this.db.query(`INSERT INTO downstream_oauth_pending_authorization_transactions (
-         id, current_state_hash, phase, principal_subject_id,
-         principal_tenant_id, principal_roles, client_id, redirect_uri,
-         resource, virtual_server_id, client_state, scope, code_challenge,
-         code_challenge_method, created_at, expires_at, consumed_at
-       ) VALUES ($1, $2, $3, $4, $5, $6::jsonb, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17)
-       ON CONFLICT (id) DO NOTHING
-       RETURNING id`,[t.id,t.currentStateHash,t.phase,t.phase==="awaiting_setup"?t.principal.subjectId:null,t.phase==="awaiting_setup"?t.principal.tenantId:null,t.phase==="awaiting_setup"&&t.principal.roles!==void 0?JSON.stringify(t.principal.roles):null,t.clientId,t.redirectUri,t.resource,t.virtualServerId,t.clientState??null,t.scope,t.codeChallenge,t.codeChallengeMethod,new Date(t.createdAt),new Date(t.expiresAt),t.consumedAt?new Date(t.consumedAt):null])).length>0?{kind:"saved"}:{kind:"already_exists"}}async advancePendingAuthorizationTransaction(t){let n=c.array(Fd).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
-         SET current_state_hash = $4,
-             phase = $5,
-             principal_subject_id = $6,
-             principal_tenant_id = $7,
-             principal_roles = $8::jsonb
-         WHERE id = $1
-           AND current_state_hash = $2
-           AND phase = $3
-           AND consumed_at IS NULL
-           AND expires_at > $9
-         RETURNING *`,[t.id,t.currentStateHash,t.expectedPhase,t.nextStateHash,t.nextPhase,t.principal.subjectId,t.principal.tenantId,t.principal.roles===void 0?null:JSON.stringify(t.principal.roles),t.now]))[0];return n?{kind:"advanced",record:n}:this.readPendingAuthorizationAdvanceFailure(t)}async getPendingAuthorizationTransaction(t){let n=c.array(Fd).parse(await this.db.query(`SELECT *
-         FROM downstream_oauth_pending_authorization_transactions
-         WHERE id = $1
-         LIMIT 1`,[t.id]))[0];return n?n.consumedAt?{kind:"consumed"}:new Date(n.expiresAt).getTime()<=t.now.getTime()?{kind:"expired"}:n.currentStateHash!==t.currentStateHash?{kind:"stale_hash"}:{kind:"available",record:n}:{kind:"missing"}}async consumePendingAuthorizationTransaction(t){let n=c.array(Fd).parse(await this.db.query(`UPDATE downstream_oauth_pending_authorization_transactions
-       SET consumed_at = $3
-       WHERE id = $1
-         AND current_state_hash = $2
-         AND consumed_at IS NULL
-         AND expires_at > $3
-       RETURNING *`,[t.id,t.currentStateHash,t.now]))[0];return n?{kind:"consumed",record:n}:this.readPendingAuthorizationConsumeFailure(t)}async issueAuthorizationCode(t){await this.db.transaction(r=>[rE(r,t),nE(r,t)])}async exchangeAuthorizationCode(t){let n=c.array(c.object({redirect_uri:c.string()})).parse(await this.db.query(`SELECT redirect_uri
-       FROM downstream_oauth_authorization_codes
-       WHERE code_hash = $1
-       LIMIT 1`,[t.codeHash]))[0]?.redirect_uri,a=n!==void 0&&qi(n,t.redirectUri)?n:t.redirectUri,s=c.array(c.record(c.string(),c.unknown())).parse(await this.db.query(`WITH candidate AS (
-           SELECT *
-           FROM downstream_oauth_authorization_codes
-           WHERE code_hash = $1
-           LIMIT 1
-         ),
-         claimed AS (
-           UPDATE downstream_oauth_authorization_codes
-           SET consumed_at = $8
-           WHERE code_hash = $1
-             AND consumed_at IS NULL
-             AND expires_at > $8
-             AND client_id = $2
-             AND redirect_uri = $3
-             AND ($4::text IS NULL OR resource = $4)
-             AND code_challenge = $5
-           RETURNING *
-         ),
-         replayed_grant AS (
-           UPDATE downstream_oauth_grants AS grants
-           SET revoked_at = $8,
-               revoked_reason = 'authorization_code_replay'
-           FROM candidate
-           WHERE candidate.consumed_at IS NOT NULL
-             AND grants.id = candidate.grant_id
-             AND grants.revoked_at IS NULL
-           RETURNING grants.id
-         ),
-         replayed_access AS (
-           UPDATE downstream_oauth_access_tokens AS access_tokens
-           SET revoked_at = $8
-           FROM candidate
-           WHERE candidate.consumed_at IS NOT NULL
-             AND access_tokens.grant_id = candidate.grant_id
-             AND access_tokens.revoked_at IS NULL
-           RETURNING access_tokens.token_hash
-         ),
-         replayed_code AS (
-           UPDATE downstream_oauth_authorization_codes AS codes
-           SET replayed_at = COALESCE(codes.replayed_at, $8)
-           FROM candidate
-           WHERE candidate.consumed_at IS NOT NULL
-             AND codes.code_hash = candidate.code_hash
-           RETURNING codes.code_hash
-         ),
-         inserted_grant AS (
-           INSERT INTO downstream_oauth_grants (
-             id, client_id, resource, virtual_server_id, tenant_id, subject_id,
-             scope, roles, current_refresh_token_hash, previous_refresh_token_hash,
-             created_at, expires_at, revoked_at, revoked_reason
-           )
-           SELECT
-             grant_id, client_id, resource, virtual_server_id, tenant_id,
-             subject_id, scope, roles, $6, NULL, $8, $9, NULL, NULL
-           FROM claimed
-           RETURNING *
-         ),
-         revoked_prior_grants AS (
-           UPDATE downstream_oauth_grants AS grants
-           SET revoked_at = $8,
-               revoked_reason = 'reauthorized'
-           FROM inserted_grant
-           WHERE grants.tenant_id = inserted_grant.tenant_id
-             AND grants.subject_id = inserted_grant.subject_id
-             AND grants.client_id = inserted_grant.client_id
-             AND grants.resource = inserted_grant.resource
-             AND grants.id <> inserted_grant.id
-             AND grants.revoked_at IS NULL
-           RETURNING grants.id
-         ),
-         revoked_prior_access AS (
-           UPDATE downstream_oauth_access_tokens AS access_tokens
-           SET revoked_at = $8
-           FROM revoked_prior_grants
-           WHERE access_tokens.grant_id = revoked_prior_grants.id
-             AND access_tokens.revoked_at IS NULL
-           RETURNING access_tokens.token_hash
-         ),
-         inserted_access AS (
-           INSERT INTO downstream_oauth_access_tokens (
-             token_hash, grant_id, client_id, resource, virtual_server_id,
-             tenant_id, subject_id, scope, roles, created_at, expires_at,
-             revoked_at
-           )
-           SELECT
-             $7, id, client_id, resource, virtual_server_id, tenant_id,
-             subject_id, scope, roles, $8, $10, NULL
-           FROM inserted_grant
-           RETURNING token_hash
-         )
-         SELECT
-           CASE
-             WHEN EXISTS (SELECT 1 FROM inserted_grant) THEN 'exchanged'
-             WHEN NOT EXISTS (SELECT 1 FROM candidate) THEN 'missing'
-             WHEN (SELECT consumed_at FROM candidate) IS NOT NULL THEN 'consumed'
-             WHEN (SELECT expires_at FROM candidate) <= $8 THEN 'expired'
-             WHEN (SELECT client_id FROM candidate) = $2
-               AND (SELECT redirect_uri FROM candidate) = $3
-               AND (SELECT code_challenge FROM candidate) = $5
-               AND $4::text IS NOT NULL
-               AND (SELECT resource FROM candidate) <> $4
-             THEN 'resource_mismatch'
-             ELSE 'binding_mismatch'
-           END AS kind,
-           inserted_grant.*
-         FROM (SELECT 1) AS marker
-         LEFT JOIN inserted_grant ON TRUE`,[t.codeHash,t.clientId,a,t.resource,t.codeChallenge,t.currentRefreshTokenHash,t.accessTokenHash,t.now,new Date(t.grantExpiresAt),new Date(t.accessTokenExpiresAt)]))[0],u=c.enum(["exchanged","consumed","missing","expired","resource_mismatch","binding_mismatch"]).parse(s?.kind??"missing");return u!=="exchanged"?{kind:u}:{kind:"exchanged",grant:kg.parse(s)}}async getGrant(t){return c.array(kg).parse(await this.db.query(`SELECT *
-         FROM downstream_oauth_grants
-         WHERE id = $1
-         LIMIT 1`,[t]))[0]}async saveAccessToken(t){await this.db.query(`INSERT INTO downstream_oauth_access_tokens (
-         token_hash, grant_id, client_id, resource, virtual_server_id, tenant_id,
-         subject_id, scope, roles, created_at, expires_at, revoked_at
-       ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb, $10, $11, $12)`,[t.tokenHash,t.grantId,t.clientId,t.resource,t.virtualServerId,t.tenantId,t.subjectId,t.scope,JSON.stringify(t.roles),new Date(t.createdAt),new Date(t.expiresAt),t.revokedAt?new Date(t.revokedAt):null])}async validateAccessToken(t){let n=c.array(tE).parse(await this.db.query(`SELECT access_tokens.*
-         FROM downstream_oauth_access_tokens AS access_tokens
-         JOIN downstream_oauth_grants AS grants
-           ON grants.id = access_tokens.grant_id
-         WHERE access_tokens.token_hash = $1
-         LIMIT 1`,[t.tokenHash]))[0];if(!n)return{kind:"missing"};if(n.revokedAt)return{kind:"revoked"};if(new Date(n.expiresAt).getTime()<=t.now.getTime())return{kind:"expired"};let a=await this.getGrant(n.grantId),i=oE(a,t.now);return i||{kind:"valid",record:n}}async rotateRefreshToken(t){let r=await this.rotateCurrentRefreshToken(t);if(!r)return this.resolveUnrotatedRefreshToken(t);let n=await this.getGrant(r.id);return n?{kind:"rotated",grant:n,matched:r.matched}:{kind:"missing"}}async rotateCurrentRefreshToken(t){return c.array(XP).parse(await this.db.query(`WITH candidate AS (
-           SELECT id,
-             'current' AS matched
-           FROM downstream_oauth_grants
-           WHERE client_id = $3
-             AND revoked_at IS NULL
-             AND expires_at > $4
-             AND ($5::text IS NULL OR resource = $5)
-             AND current_refresh_token_hash = $1
-           ORDER BY created_at DESC
-           LIMIT 1
-         )
-         UPDATE downstream_oauth_grants AS grants
-         SET previous_refresh_token_hash = $1,
-             current_refresh_token_hash = $2
-         FROM candidate
-         WHERE grants.id = candidate.id
-           AND grants.client_id = $3
-           AND grants.revoked_at IS NULL
-           AND grants.expires_at > $4
-           AND ($5::text IS NULL OR grants.resource = $5)
-           AND grants.current_refresh_token_hash = $1
-         RETURNING grants.*, candidate.matched`,[t.currentTokenHash,t.nextTokenHash,t.clientId,t.now,t.resource??null]))[0]}async resolveUnrotatedRefreshToken(t){let r=await this.findRefreshTokenGrantStatus(t,!0),n=await this.refreshTokenGrantFailure(t,r);if(n)return n;if(r)return{kind:"missing"};let a=await this.findRefreshTokenGrantStatus(t,!1),i=await this.refreshTokenGrantFailure(t,a);return i||(a&&t.resource!==void 0?{kind:"resource_mismatch"}:{kind:"missing"})}async findRefreshTokenGrantStatus(t,r){let n=r?"AND ($3::text IS NULL OR resource = $3)":"",a=r?[t.clientId,t.currentTokenHash,t.resource??null]:[t.clientId,t.currentTokenHash];return c.array(YP).parse(await this.db.query(`SELECT id,
-                revoked_at,
-                expires_at,
-                CASE
-                  WHEN current_refresh_token_hash = $2 THEN 'current'
-                  ELSE 'previous'
-                END AS matched
-         FROM downstream_oauth_grants
-         WHERE client_id = $1
-           ${n}
-           AND (
-             current_refresh_token_hash = $2
-             OR previous_refresh_token_hash = $2
-           )
-         LIMIT 1`,a))[0]}async refreshTokenGrantFailure(t,r){if(r){if(r.revoked_at)return{kind:"revoked"};if(r.expires_at.getTime()<=t.now.getTime())return{kind:"expired"};if(r.matched==="previous")return await this.revokeGrant({grantId:r.id,now:t.now,reason:"refresh_token_replay"}),{kind:"revoked"}}}async revokeOAuthToken(t){let n=c.array(c.object({token_hash:c.string(),client_id:le})).parse(await this.db.query(`SELECT token_hash, client_id
-         FROM downstream_oauth_access_tokens
-         WHERE token_hash = $1
-         LIMIT 1`,[t.tokenHash]))[0];if(n)return n.client_id!==t.clientId?{kind:"client_mismatch"}:(await this.db.query(`UPDATE downstream_oauth_access_tokens
-         SET revoked_at = $2
-         WHERE token_hash = $1 AND revoked_at IS NULL`,[t.tokenHash,t.now]),{kind:"revoked_access_token"});let i=c.array(c.object({id:_t,client_id:le})).parse(await this.db.query(`SELECT id, client_id
-         FROM downstream_oauth_grants
-         WHERE current_refresh_token_hash = $1
-            OR previous_refresh_token_hash = $1
-         ORDER BY created_at DESC
-         LIMIT 1`,[t.tokenHash]))[0];return i?this.revokeRefreshTokenGrantForOAuthToken(t,i):{kind:"missing"}}async revokeRefreshTokenGrantForOAuthToken(t,r){return r.client_id!==t.clientId?{kind:"client_mismatch"}:this.revokeGrantForOAuthToken(t,r.id)}async revokeGrantForOAuthToken(t,r){return await this.revokeGrant({grantId:r,now:t.now,reason:"token_revocation"}),{kind:"revoked_grant"}}async revokeGrant(t){await this.db.transaction(r=>[r.query(`UPDATE downstream_oauth_grants
-         SET revoked_at = $2,
-             revoked_reason = $3
-         WHERE id = $1 AND revoked_at IS NULL`,[t.grantId,t.now,t.reason]),r.query(`UPDATE downstream_oauth_access_tokens
-         SET revoked_at = $2
-         WHERE grant_id = $1 AND revoked_at IS NULL`,[t.grantId,t.now])])}};var ji=class{constructor(t,r){this.raw=t;this.singleShotExecutor=r}static{o(this,"HttpPgQuery")}[Symbol.toStringTag]="HttpPgQuery";then(t,r){return this.singleShotExecutor(this.raw).then(t,r)}catch(t){return this.singleShotExecutor(this.raw).catch(t)}finally(t){return this.singleShotExecutor(this.raw).finally(t)}};function aE(e){return e instanceof ji}o(aE,"isHttpPgQuery");function iE(e){let t;try{t=new URL(e)}catch(n){throw new Error("Database connection string is not a valid URL. Expected: postgresql://user:password@host.tld/dbname",{cause:n})}if(t.protocol!=="postgresql:"&&t.protocol!=="postgres:")throw g("internal_server_error",`Database connection string must use postgres:// or postgresql:// (got ${t.protocol})`);if(!t.hostname)throw g("internal_server_error","Database connection string is missing the host.");let r=t.hostname.replace(/^[^.]+\./,"api.");return{host:t.hostname,fetchEndpoint:`https://${r}/sql`}}o(iE,"parseConnectionString");function sE(e){return typeof e=="object"&&e!==null&&typeof e.message=="string"?e.message??"Unknown postgres error":"Unknown postgres error"}o(sE,"readErrorMessage");function cE(e){return typeof e=="object"&&e!==null&&Array.isArray(e.rows)}o(cE,"isSingleResponse");function uE(e){return typeof e=="object"&&e!==null&&Array.isArray(e.results)}o(uE,"isBatchResponse");function xg(e,t={}){let{fetchEndpoint:r}=iE(e),n=t.fetchFn??fetch;async function a(d){let l=await i({query:d.query,params:d.params});if(!cE(l))throw g("internal_server_error","Unexpected postgres response shape: missing `rows`.");return l.rows}o(a,"runSingle");async function i(d){let l=await n(r,{method:"POST",headers:{"content-type":"application/json","Neon-Connection-String":e,"Neon-Raw-Text-Output":"true"},body:JSON.stringify(d)});if(!l.ok){let p;try{p=await l.json()}catch{p=void 0}let m=new Error(sE(p));throw g({code:"internal_server_error",privateDetail:`Postgres HTTP request failed (status ${l.status})`,cause:m})}return l.json()}o(i,"runRequest");function s(){return{query(d,l){return new ji({query:d,params:l??[]},a)}}}o(s,"buildQueryDatabase");let u=s();return{query:u.query,async transaction(d){let p=d(u).map((f,_)=>{if(!aE(f))throw new Error(`transaction callback returned an unexpected query operation at index ${_}. Each statement must be a direct \`db.query(...)\` call (do not \`await\` inside the callback).`);return f.raw}),m=await i({queries:p.map(f=>({query:f.query,params:f.params}))});if(!uE(m))throw new Error("Unexpected postgres response shape: missing `results` for transaction.");return m.results.map(f=>f.rows)}}}o(xg,"createHttpPostgresGatewayDatabase");var dE=`
-DO $$
-BEGIN
-  IF to_regclass('public.downstream_oauth_pending_authorization_transactions') IS NULL THEN
-    -- Fresh DB: 0000_messy_makkari created the right shape already.
-    RETURN;
-  END IF;
-
-  -- Old prototype shape (0000_narrow_cerise) used login_state_hash as part of
-  -- a composite PK. 0004_famous_mastermind renamed it. If we still have the old
-  -- column name, rename it instead of creating a new column so existing rows
-  -- (and any prototype data) survive.
-  IF EXISTS (
-    SELECT 1
-    FROM information_schema.columns
-    WHERE table_schema = 'public'
-      AND table_name = 'downstream_oauth_pending_authorization_transactions'
-      AND column_name = 'login_state_hash'
-  ) AND NOT EXISTS (
-    SELECT 1
-    FROM information_schema.columns
-    WHERE table_schema = 'public'
-      AND table_name = 'downstream_oauth_pending_authorization_transactions'
-      AND column_name = 'current_state_hash'
-  ) THEN
-    -- 0004_famous_mastermind unconditionally truncated the table on rename
-    -- because the principal/phase columns are NOT NULL on the new shape and
-    -- there is no sane backfill. We mirror that here.
-    EXECUTE 'TRUNCATE TABLE public.downstream_oauth_pending_authorization_transactions';
-    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions RENAME COLUMN login_state_hash TO current_state_hash';
-  END IF;
-
-  -- If neither column exists, we are in the rewritten-0000_messy_makkari case
-  -- where the prototype edited the migration after applying it, leaving the
-  -- column out entirely. Add it (NOT NULL); the table is dev-only so any rows
-  -- that violate it are fine to drop.
-  IF NOT EXISTS (
-    SELECT 1
-    FROM information_schema.columns
-    WHERE table_schema = 'public'
-      AND table_name = 'downstream_oauth_pending_authorization_transactions'
-      AND column_name = 'current_state_hash'
-  ) THEN
-    EXECUTE 'TRUNCATE TABLE public.downstream_oauth_pending_authorization_transactions';
-    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD COLUMN current_state_hash text NOT NULL';
-  END IF;
-
-  -- Composite PK (id, login_state_hash) -> single-column PK (id).
-  IF EXISTS (
-    SELECT 1
-    FROM pg_constraint
-    WHERE conname = 'downstream_oauth_pending_authorization_transactions_id_login_state_hash_pk'
-  ) THEN
-    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions DROP CONSTRAINT downstream_oauth_pending_authorization_transactions_id_login_state_hash_pk';
-  END IF;
-
-  IF NOT EXISTS (
-    SELECT 1
-    FROM pg_constraint
-    WHERE conname = 'downstream_oauth_pending_authorization_transactions_id_pk'
-  ) THEN
-    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_transactions_id_pk PRIMARY KEY (id)';
-  END IF;
-
-  -- 0004_famous_mastermind columns.
-  IF NOT EXISTS (
-    SELECT 1
-    FROM information_schema.columns
-    WHERE table_schema = 'public'
-      AND table_name = 'downstream_oauth_pending_authorization_transactions'
-      AND column_name = 'phase'
-  ) THEN
-    EXECUTE 'TRUNCATE TABLE public.downstream_oauth_pending_authorization_transactions';
-    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD COLUMN phase text NOT NULL';
-  END IF;
-
-  IF NOT EXISTS (
-    SELECT 1
-    FROM information_schema.columns
-    WHERE table_schema = 'public'
-      AND table_name = 'downstream_oauth_pending_authorization_transactions'
-      AND column_name = 'principal_subject_id'
-  ) THEN
-    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD COLUMN principal_subject_id text';
-  END IF;
-
-  IF NOT EXISTS (
-    SELECT 1
-    FROM information_schema.columns
-    WHERE table_schema = 'public'
-      AND table_name = 'downstream_oauth_pending_authorization_transactions'
-      AND column_name = 'principal_tenant_id'
-  ) THEN
-    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD COLUMN principal_tenant_id text';
-  END IF;
-
-  IF NOT EXISTS (
-    SELECT 1
-    FROM information_schema.columns
-    WHERE table_schema = 'public'
-      AND table_name = 'downstream_oauth_pending_authorization_transactions'
-      AND column_name = 'principal_roles'
-  ) THEN
-    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD COLUMN principal_roles jsonb';
-  END IF;
-
-  -- UNIQUE on current_state_hash.
-  IF NOT EXISTS (
-    SELECT 1
-    FROM pg_constraint
-    WHERE conname = 'downstream_oauth_pending_authorization_current_state_hash_unique'
-  ) THEN
-    EXECUTE 'ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_current_state_hash_unique UNIQUE (current_state_hash)';
-  END IF;
-
-  -- CHECK constraints from 0004_famous_mastermind.
-  IF NOT EXISTS (
-    SELECT 1
-    FROM pg_constraint
-    WHERE conname = 'downstream_oauth_pending_authorization_phase_check'
-  ) THEN
-    EXECUTE $check$ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_phase_check CHECK ("downstream_oauth_pending_authorization_transactions"."phase" IN ('awaiting_login', 'awaiting_setup'))$check$;
-  END IF;
-
-  IF NOT EXISTS (
-    SELECT 1
-    FROM pg_constraint
-    WHERE conname = 'downstream_oauth_pending_authorization_phase_principal_check'
-  ) THEN
-    EXECUTE $check$ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_phase_principal_check CHECK ((
-        "downstream_oauth_pending_authorization_transactions"."phase" = 'awaiting_login'
-        AND "downstream_oauth_pending_authorization_transactions"."principal_subject_id" IS NULL
-        AND "downstream_oauth_pending_authorization_transactions"."principal_tenant_id" IS NULL
-        AND "downstream_oauth_pending_authorization_transactions"."principal_roles" IS NULL
-      ) OR (
-        "downstream_oauth_pending_authorization_transactions"."phase" = 'awaiting_setup'
-        AND "downstream_oauth_pending_authorization_transactions"."principal_subject_id" IS NOT NULL
-        AND "downstream_oauth_pending_authorization_transactions"."principal_tenant_id" IS NOT NULL
-        AND (
-          "downstream_oauth_pending_authorization_transactions"."principal_roles" IS NULL
-          OR jsonb_typeof("downstream_oauth_pending_authorization_transactions"."principal_roles") = 'array'
-        )
-      ))$check$;
-  END IF;
-
-  IF NOT EXISTS (
-    SELECT 1
-    FROM pg_constraint
-    WHERE conname = 'downstream_oauth_pending_authorization_code_challenge_method_check'
-  ) THEN
-    EXECUTE $check$ALTER TABLE public.downstream_oauth_pending_authorization_transactions ADD CONSTRAINT downstream_oauth_pending_authorization_code_challenge_method_check CHECK ("downstream_oauth_pending_authorization_transactions"."code_challenge_method" = 'S256')$check$;
-  END IF;
-END $$;
-`,lE=`
-DROP INDEX IF EXISTS public.downstream_oauth_cimd_metadata_cache_expiry_idx;
-`,pE=`
-DROP TABLE IF EXISTS public.downstream_oauth_cimd_metadata_cache;
-`,mE=`
-DO $$
-BEGIN
-  IF to_regclass('public.upstream_connections') IS NULL THEN
-    RETURN;
-  END IF;
-
-  IF EXISTS (
-    SELECT 1
-    FROM pg_constraint
-    WHERE conname = 'upstream_connections_owner_shape_check'
-  ) THEN
-    EXECUTE 'ALTER TABLE public.upstream_connections DROP CONSTRAINT upstream_connections_owner_shape_check';
-  END IF;
-
-  EXECUTE $check$ALTER TABLE public.upstream_connections ADD CONSTRAINT upstream_connections_owner_shape_check CHECK (("upstream_connections"."owner_mode" = 'user' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NOT NULL)
-        OR ("upstream_connections"."owner_mode" = 'tenant_shared' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NULL))$check$;
-END $$;
-`,hE=[dE,lE,pE,mE].join(`
---> statement-breakpoint
-`),fE=`
-DO $$
-BEGIN
-  IF to_regclass('public.upstream_connections') IS NULL THEN
-    RETURN;
-  END IF;
-
-  IF EXISTS (
-    SELECT 1
-    FROM information_schema.columns
-    WHERE table_schema = 'public'
-      AND table_name = 'upstream_connections'
-      AND column_name = 'id'
-      AND data_type = 'uuid'
-  ) THEN
-    EXECUTE 'ALTER TABLE public.upstream_connections ALTER COLUMN id TYPE text USING id::text';
-  END IF;
-END $$;
-`,Og=[{tag:"0000_messy_makkari",sql:`CREATE TABLE "browser_connect_ticket_consumptions" (
-	"id" uuid PRIMARY KEY NOT NULL,
-	"consumed_at" timestamp with time zone NOT NULL,
-	"expires_at" timestamp with time zone NOT NULL
-);
---> statement-breakpoint
-CREATE TABLE "downstream_oauth_access_tokens" (
-	"token_hash" text PRIMARY KEY NOT NULL,
-	"grant_id" uuid NOT NULL,
-	"client_id" text NOT NULL,
-	"resource" text NOT NULL,
-	"virtual_server_id" text NOT NULL,
-	"tenant_id" text NOT NULL,
-	"subject_id" text NOT NULL,
-	"scope" text NOT NULL,
-	"roles" jsonb NOT NULL,
-	"created_at" timestamp with time zone NOT NULL,
-	"expires_at" timestamp with time zone NOT NULL,
-	"revoked_at" timestamp with time zone,
-	CONSTRAINT "downstream_oauth_access_tokens_roles_array_check" CHECK (jsonb_typeof("downstream_oauth_access_tokens"."roles") = 'array')
-);
---> statement-breakpoint
-CREATE TABLE "downstream_oauth_authorization_codes" (
-	"code_hash" text PRIMARY KEY NOT NULL,
-	"transaction_id" uuid NOT NULL,
-	"grant_id" uuid NOT NULL,
-	"client_id" text NOT NULL,
-	"resource" text NOT NULL,
-	"virtual_server_id" text NOT NULL,
-	"tenant_id" text NOT NULL,
-	"subject_id" text NOT NULL,
-	"scope" text NOT NULL,
-	"roles" jsonb NOT NULL,
-	"redirect_uri" text NOT NULL,
-	"code_challenge" text NOT NULL,
-	"code_challenge_method" text NOT NULL,
-	"created_at" timestamp with time zone NOT NULL,
-	"expires_at" timestamp with time zone NOT NULL,
-	"consumed_at" timestamp with time zone,
-	"replayed_at" timestamp with time zone,
-	CONSTRAINT "downstream_oauth_authorization_codes_roles_array_check" CHECK (jsonb_typeof("downstream_oauth_authorization_codes"."roles") = 'array'),
-	CONSTRAINT "downstream_oauth_authorization_codes_code_challenge_method_check" CHECK ("downstream_oauth_authorization_codes"."code_challenge_method" = 'S256')
-);
---> statement-breakpoint
-CREATE TABLE "downstream_oauth_authorization_transactions" (
-	"id" uuid PRIMARY KEY NOT NULL,
-	"client_id" text NOT NULL,
-	"resource" text NOT NULL,
-	"virtual_server_id" text NOT NULL,
-	"tenant_id" text NOT NULL,
-	"subject_id" text NOT NULL,
-	"scope" text NOT NULL,
-	"roles" jsonb NOT NULL,
-	"redirect_uri" text NOT NULL,
-	"code_challenge" text NOT NULL,
-	"code_challenge_method" text NOT NULL,
-	"created_at" timestamp with time zone NOT NULL,
-	"expires_at" timestamp with time zone NOT NULL,
-	CONSTRAINT "downstream_oauth_authorization_transactions_roles_array_check" CHECK (jsonb_typeof("downstream_oauth_authorization_transactions"."roles") = 'array'),
-	CONSTRAINT "downstream_oauth_authorization_transactions_code_challenge_method_check" CHECK ("downstream_oauth_authorization_transactions"."code_challenge_method" = 'S256')
-);
---> statement-breakpoint
-CREATE TABLE "downstream_oauth_dcr_clients" (
-	"client_id" text PRIMARY KEY NOT NULL,
-	"client_name" text NOT NULL,
-	"redirect_uris" jsonb NOT NULL,
-	"token_endpoint_auth_method" text NOT NULL,
-	"hashed_client_secret" text,
-	"client_secret_expires_at" timestamp with time zone,
-	"client_expires_at" timestamp with time zone NOT NULL,
-	"revoked_at" timestamp with time zone,
-	"created_at" timestamp with time zone NOT NULL,
-	CONSTRAINT "downstream_oauth_dcr_clients_redirect_uris_array_check" CHECK (jsonb_typeof("downstream_oauth_dcr_clients"."redirect_uris") = 'array'),
-	CONSTRAINT "downstream_oauth_dcr_clients_token_endpoint_auth_method_check" CHECK ("downstream_oauth_dcr_clients"."token_endpoint_auth_method" IN ('none', 'client_secret_post', 'client_secret_basic'))
-);
---> statement-breakpoint
-CREATE TABLE "downstream_oauth_grants" (
-	"id" uuid PRIMARY KEY NOT NULL,
-	"client_id" text NOT NULL,
-	"resource" text NOT NULL,
-	"virtual_server_id" text NOT NULL,
-	"tenant_id" text NOT NULL,
-	"subject_id" text NOT NULL,
-	"scope" text NOT NULL,
-	"roles" jsonb NOT NULL,
-	"current_refresh_token_hash" text,
-	"previous_refresh_token_hash" text,
-	"created_at" timestamp with time zone NOT NULL,
-	"expires_at" timestamp with time zone NOT NULL,
-	"revoked_at" timestamp with time zone,
-	"revoked_reason" text,
-	CONSTRAINT "downstream_oauth_grants_roles_array_check" CHECK (jsonb_typeof("downstream_oauth_grants"."roles") = 'array')
-);
---> statement-breakpoint
-CREATE TABLE "downstream_oauth_pending_authorization_transactions" (
-	"id" uuid NOT NULL,
-	"current_state_hash" text NOT NULL,
-	"phase" text NOT NULL,
-	"principal_subject_id" text,
-	"principal_tenant_id" text,
-	"principal_roles" jsonb,
-	"client_id" text NOT NULL,
-	"redirect_uri" text NOT NULL,
-	"resource" text NOT NULL,
-	"virtual_server_id" text NOT NULL,
-	"client_state" text,
-	"scope" text NOT NULL,
-	"code_challenge" text NOT NULL,
-	"code_challenge_method" text NOT NULL,
-	"created_at" timestamp with time zone NOT NULL,
-	"expires_at" timestamp with time zone NOT NULL,
-	"consumed_at" timestamp with time zone,
-	CONSTRAINT "downstream_oauth_pending_authorization_transactions_id_pk" PRIMARY KEY("id"),
-	CONSTRAINT "downstream_oauth_pending_authorization_current_state_hash_unique" UNIQUE("current_state_hash"),
-	CONSTRAINT "downstream_oauth_pending_authorization_phase_check" CHECK ("downstream_oauth_pending_authorization_transactions"."phase" IN ('awaiting_login', 'awaiting_setup')),
-	CONSTRAINT "downstream_oauth_pending_authorization_phase_principal_check" CHECK ((
-        "downstream_oauth_pending_authorization_transactions"."phase" = 'awaiting_login'
-        AND "downstream_oauth_pending_authorization_transactions"."principal_subject_id" IS NULL
-        AND "downstream_oauth_pending_authorization_transactions"."principal_tenant_id" IS NULL
-        AND "downstream_oauth_pending_authorization_transactions"."principal_roles" IS NULL
-      ) OR (
-        "downstream_oauth_pending_authorization_transactions"."phase" = 'awaiting_setup'
-        AND "downstream_oauth_pending_authorization_transactions"."principal_subject_id" IS NOT NULL
-        AND "downstream_oauth_pending_authorization_transactions"."principal_tenant_id" IS NOT NULL
-        AND (
-          "downstream_oauth_pending_authorization_transactions"."principal_roles" IS NULL
-          OR jsonb_typeof("downstream_oauth_pending_authorization_transactions"."principal_roles") = 'array'
-        )
-      )),
-	CONSTRAINT "downstream_oauth_pending_authorization_code_challenge_method_check" CHECK ("downstream_oauth_pending_authorization_transactions"."code_challenge_method" = 'S256')
-);
---> statement-breakpoint
-CREATE TABLE "upstream_connections" (
-	"id" text PRIMARY KEY NOT NULL,
-	"tenant_id" text,
-	"owner_mode" text NOT NULL,
-	"user_id" text,
-	"upstream_server_id" text NOT NULL,
-	"auth_profile_id" text NOT NULL,
-	"status" text NOT NULL,
-	"encrypted_access_token" text,
-	"encrypted_refresh_token" text,
-	"scopes" jsonb DEFAULT '[]'::jsonb NOT NULL,
-	"expires_at" timestamp with time zone,
-	"metadata" jsonb,
-	"created_at" timestamp with time zone NOT NULL,
-	"updated_at" timestamp with time zone NOT NULL,
-	CONSTRAINT "upstream_connections_owner_key" UNIQUE NULLS NOT DISTINCT("owner_mode","tenant_id","user_id","upstream_server_id","auth_profile_id"),
-	CONSTRAINT "upstream_connections_owner_mode_check" CHECK ("upstream_connections"."owner_mode" IN ('user', 'tenant_shared')),
-	CONSTRAINT "upstream_connections_status_check" CHECK ("upstream_connections"."status" IN ('active', 'not_connected', 'reconsent_required')),
-	CONSTRAINT "upstream_connections_scopes_array_check" CHECK (jsonb_typeof("upstream_connections"."scopes") = 'array'),
-	CONSTRAINT "upstream_connections_owner_shape_check" CHECK (("upstream_connections"."owner_mode" = 'user' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NOT NULL)
-        OR ("upstream_connections"."owner_mode" = 'tenant_shared' AND "upstream_connections"."tenant_id" IS NOT NULL AND "upstream_connections"."user_id" IS NULL))
-);
---> statement-breakpoint
-CREATE TABLE "upstream_oauth_state_consumptions" (
-	"id" uuid PRIMARY KEY NOT NULL,
-	"consumed_at" timestamp with time zone NOT NULL,
-	"expires_at" timestamp with time zone NOT NULL
-);
---> statement-breakpoint
-CREATE TABLE "upstream_oauth_states" (
-	"id" uuid PRIMARY KEY NOT NULL,
-	"record" jsonb NOT NULL,
-	"expires_at" timestamp with time zone NOT NULL,
-	"created_at" timestamp with time zone NOT NULL,
-	"updated_at" timestamp with time zone NOT NULL
-);
---> statement-breakpoint
-ALTER TABLE "downstream_oauth_access_tokens" ADD CONSTRAINT "downstream_oauth_access_tokens_grant_id_downstream_oauth_grants_id_fk" FOREIGN KEY ("grant_id") REFERENCES "public"."downstream_oauth_grants"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "downstream_oauth_authorization_codes" ADD CONSTRAINT "downstream_oauth_authorization_codes_transaction_id_downstream_oauth_authorization_transactions_id_fk" FOREIGN KEY ("transaction_id") REFERENCES "public"."downstream_oauth_authorization_transactions"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
-CREATE INDEX "browser_connect_ticket_consumptions_expiry_idx" ON "browser_connect_ticket_consumptions" USING btree ("expires_at");--> statement-breakpoint
-CREATE INDEX "downstream_oauth_access_tokens_grant_idx" ON "downstream_oauth_access_tokens" USING btree ("grant_id");--> statement-breakpoint
-CREATE INDEX "downstream_oauth_access_tokens_expiry_idx" ON "downstream_oauth_access_tokens" USING btree ("expires_at");--> statement-breakpoint
-CREATE INDEX "downstream_oauth_authorization_codes_grant_idx" ON "downstream_oauth_authorization_codes" USING btree ("grant_id");--> statement-breakpoint
-CREATE INDEX "downstream_oauth_authorization_codes_expiry_idx" ON "downstream_oauth_authorization_codes" USING btree ("expires_at");--> statement-breakpoint
-CREATE INDEX "downstream_oauth_authorization_transactions_expiry_idx" ON "downstream_oauth_authorization_transactions" USING btree ("expires_at");--> statement-breakpoint
-CREATE INDEX "downstream_oauth_dcr_clients_expiry_idx" ON "downstream_oauth_dcr_clients" USING btree ("client_expires_at") WHERE "downstream_oauth_dcr_clients"."revoked_at" IS NULL;--> statement-breakpoint
-CREATE INDEX "downstream_oauth_grants_refresh_current_idx" ON "downstream_oauth_grants" USING btree ("current_refresh_token_hash") WHERE "downstream_oauth_grants"."current_refresh_token_hash" IS NOT NULL;--> statement-breakpoint
-CREATE INDEX "downstream_oauth_grants_refresh_previous_idx" ON "downstream_oauth_grants" USING btree ("previous_refresh_token_hash") WHERE "downstream_oauth_grants"."previous_refresh_token_hash" IS NOT NULL;--> statement-breakpoint
-CREATE INDEX "downstream_oauth_grants_subject_client_resource_idx" ON "downstream_oauth_grants" USING btree ("tenant_id","subject_id","client_id","resource") WHERE "downstream_oauth_grants"."revoked_at" IS NULL;--> statement-breakpoint
-CREATE INDEX "downstream_oauth_grants_expiry_idx" ON "downstream_oauth_grants" USING btree ("expires_at");--> statement-breakpoint
-CREATE INDEX "downstream_oauth_pending_authorization_expiry_idx" ON "downstream_oauth_pending_authorization_transactions" USING btree ("expires_at");--> statement-breakpoint
-CREATE INDEX "upstream_oauth_state_consumptions_expiry_idx" ON "upstream_oauth_state_consumptions" USING btree ("expires_at");--> statement-breakpoint
-CREATE INDEX "upstream_oauth_states_expiry_idx" ON "upstream_oauth_states" USING btree ("expires_at");
-`},{tag:"0001_self_heal_pending_authorization",sql:hE},{tag:"0002_upstream_connection_id_text",sql:fE}];var Ho="_runtime_applied_migrations",gE=`
-  CREATE TABLE IF NOT EXISTS ${Ho} (
-    tag text PRIMARY KEY NOT NULL,
-    applied_at timestamp with time zone NOT NULL DEFAULT now()
-  )
-`,jo;async function _E(e){if(jo)return jo;jo=(async()=>{await e.query(gE),await e.query(`INSERT INTO ${Ho} (tag)
-       SELECT '0000_messy_makkari'
-       WHERE to_regclass('public.audit_events') IS NOT NULL
-         AND NOT EXISTS (
-           SELECT 1 FROM ${Ho}
-           WHERE tag = '0000_messy_makkari'
-         )
-       ON CONFLICT (tag) DO NOTHING`);let t=await e.query(`SELECT tag FROM ${Ho}`),r=new Set(t.map(n=>n.tag));for(let n of Og){if(r.has(n.tag))continue;let a=n.sql.split(/-->\s*statement-breakpoint/g).map(i=>i.trim()).filter(i=>i.length>0);for(let i of a)await e.query(i);await e.query(`INSERT INTO ${Ho} (tag) VALUES ($1)`,[n.tag])}})();try{await jo}catch(t){throw jo=void 0,t}}o(_E,"ensureGatewayMigrationsApplied");function Ug(e){let t=o(()=>_E(e),"ensureReady");return{query:o((n,a)=>(async()=>(await t(),e.query(n,a)))(),"query"),async transaction(n){return await t(),e.transaction(n)}}}o(Ug,"createMigrationGatedDatabase");Y();Y();var yE=["user","tenant_shared"],Ht=c.enum(yE);function mr(e,t){if(!e)throw g("forbidden","User-owned upstream connections require an authenticated tenant.");return{mode:"user",tenantId:e,subjectId:t}}o(mr,"buildUserUpstreamConnectionOwner");function Hi(e){if(!e)throw g("forbidden","Tenant-shared upstream connections require an authenticated tenant.");return{mode:"tenant_shared",tenantId:e}}o(Hi,"buildTenantSharedUpstreamConnectionOwner");Y();Y();function Gi(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(Gi,"parseSafeRelativeReturnTo");var zg=c.object({tenantId:ue.optional(),ownerMode:Ht,initiatedBySubjectId:X,ownerSubjectId:X.optional(),upstreamServerId:ke,authProfileId:Pe,virtualServerId:me,returnTo:c.string().min(1).transform(e=>Gi(e)).optional()});function Ng(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="user"&&!e.tenantId&&t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned state requires tenantId",path:["tenantId"]}),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared state requires tenantId",path:["tenantId"]}),e.ownerSubjectId&&t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared state must not include ownerSubjectId",path:["ownerSubjectId"]}))}o(Ng,"validateUpstreamOwnerState");var kn=zg.superRefine(Ng),Dg=zg.omit({returnTo:!0}).superRefine(Ng);function Go(e){return kn.parse({tenantId:e.owner.tenantId,ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(Go,"buildUpstreamOwnerState");function Pn(e){if(e.ownerMode==="tenant_shared")return Hi(e.tenantId);if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");if(!e.tenantId)throw g("oauth_state_invalid","User-owned upstream state is missing the tenant.");return mr(e.tenantId,e.ownerSubjectId)}o(Pn,"resolveUpstreamConnectionOwnerFromState");var SE=["active","not_connected","reconsent_required"],wE=["basic_auth_app_password","bearer_token"],Mg=c.string().trim().min(1).brand(),En=c.uuid().brand(),Bo=c.uuid().brand(),xn=c.enum(SE),vE=c.enum(wE),qg=c.object({encryptedClientInformation:c.string().optional(),encryptedDiscoveryState:c.string().optional(),connectedBySubjectId:X.optional()}),Zd=qg.extend({encryptedStaticSecret:c.string().optional(),staticSecretKind:vE.optional(),staticSecretLabel:c.string().min(1).optional(),staticSecretUsername:c.string().min(1).optional()}).strict(),RE=c.object({id:Mg,tenantId:ue.optional(),subjectId:X.optional(),ownerMode:Ht,upstreamServerId:ke,authProfileId:Pe,status:xn,encryptedAccessToken:c.string().min(1).optional(),encryptedRefreshToken:c.string().min(1).optional(),scopes:c.array(c.string()),expiresAt:V.optional(),metadata:Zd.optional(),createdAt:V,updatedAt:V});function Kd(e,t){e.ownerMode==="user"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require tenantId",path:["tenantId"]}),e.subjectId||t.addIssue({code:c.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="tenant_shared"&&(e.tenantId||t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared upstream connections require tenantId",path:["tenantId"]}),e.subjectId!==void 0&&t.addIssue({code:c.ZodIssueCode.custom,message:"Tenant-shared upstream connections must not include subjectId",path:["subjectId"]}))}o(Kd,"validateUpstreamConnectionOwnerShape");var Gt=RE.superRefine(Kd);function Dr(e){return JSON.stringify([e.owner.mode,e.owner.tenantId,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}o(Dr,"readUpstreamConnectionLookupKey");var Vo=kn.extend({id:En,callbackPath:c.string().min(1),expiresAt:V,codeVerifier:c.string().optional(),redirectUri:c.url(),returnOrigin:c.url().optional()}).extend(qg.shape);function $g(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o($g,"readUpstreamConnectionStatus");function Bi(){return Mg.parse(`mcpgw2uc_${crypto.randomUUID()}`)}o(Bi,"createUpstreamConnectionId");function Lg(){return En.parse(crypto.randomUUID())}o(Lg,"createOAuthStateId");function jg(){return Bo.parse(crypto.randomUUID())}o(jg,"createBrowserConnectTicketId");var Hg=c.unknown().transform(e=>pr(e,"upstream connection scopes")).pipe(c.array(c.string())),Gg=c.unknown().transform(e=>{if(e!=null)return pr(e,"upstream connection metadata")}).transform(e=>{if(!e||typeof e!="object"||Array.isArray(e))return;let t=Zd.safeParse(e);if(t.success)return Object.values(t.data).some(r=>r!==void 0)?t.data:void 0}),bE=c.object({id:c.string().min(1),tenant_id:ue.nullable(),owner_mode:Ht,user_id:X.nullable(),upstream_server_id:ke,auth_profile_id:Pe,status:xn,encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:Hg,expires_at:ie.nullable(),metadata:Gg,created_at:ie,updated_at:ie}).transform(e=>Gt.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes,expiresAt:e.expires_at?O(e.expires_at):void 0,metadata:e.metadata,createdAt:O(e.created_at),updatedAt:O(e.updated_at)})),CE=c.object({requested_ordinal:c.number(),id:c.string().min(1).nullable(),tenant_id:ue.nullable(),owner_mode:Ht.nullable(),user_id:X.nullable(),upstream_server_id:ke.nullable(),auth_profile_id:Pe.nullable(),status:xn.nullable(),encrypted_access_token:c.string().nullable(),encrypted_refresh_token:c.string().nullable(),scopes:Hg.nullable(),expires_at:ie.nullable(),metadata:Gg,created_at:ie.nullable(),updated_at:ie.nullable()}).transform(e=>{if(e.id!==null)return Gt.parse({id:e.id,tenantId:e.tenant_id??void 0,ownerMode:e.owner_mode,subjectId:e.user_id??void 0,upstreamServerId:e.upstream_server_id,authProfileId:e.auth_profile_id,status:e.status,encryptedAccessToken:e.encrypted_access_token??void 0,encryptedRefreshToken:e.encrypted_refresh_token??void 0,scopes:e.scopes??[],expiresAt:e.expires_at?O(e.expires_at):void 0,metadata:e.metadata,createdAt:O(e.created_at),updatedAt:O(e.updated_at)})});function IE(e){let t=[],r=e.map((n,a)=>{let i=t.length+1;return t.push(a,n.owner.mode,n.owner.tenantId,n.owner.mode==="user"?n.owner.subjectId:null,n.upstreamServerId,n.authProfileId),`($${i}::integer, $${i+1}, $${i+2}, $${i+3}, $${i+4}, $${i+5})`});return{params:t,sql:`WITH requested(
-           requested_ordinal,
-           owner_mode,
-           tenant_id,
-           user_id,
-           upstream_server_id,
-           auth_profile_id
-         ) AS (
-           VALUES ${r.join(", ")}
-         )
-         SELECT
-           requested.requested_ordinal,
-           upstream_connections.id,
-           upstream_connections.tenant_id,
-           upstream_connections.owner_mode,
-           upstream_connections.user_id,
-           upstream_connections.upstream_server_id,
-           upstream_connections.auth_profile_id,
-           upstream_connections.status,
-           upstream_connections.encrypted_access_token,
-           upstream_connections.encrypted_refresh_token,
-           upstream_connections.scopes,
-           upstream_connections.expires_at,
-           upstream_connections.metadata,
-           upstream_connections.created_at,
-           upstream_connections.updated_at
-         FROM requested
-         LEFT JOIN upstream_connections
-           ON upstream_connections.owner_mode = requested.owner_mode
-          AND upstream_connections.tenant_id IS NOT DISTINCT FROM requested.tenant_id
-          AND upstream_connections.user_id IS NOT DISTINCT FROM requested.user_id
-          AND upstream_connections.upstream_server_id = requested.upstream_server_id
-          AND upstream_connections.auth_profile_id = requested.auth_profile_id
-         ORDER BY requested.requested_ordinal`}}o(IE,"buildBatchGetQuery");function TE(e){if(!e)return null;let t={};for(let[r,n]of Object.entries(e))typeof n=="string"&&(t[r]=n);return Object.keys(t).length>0?JSON.stringify(t):null}o(TE,"metadataToDatabaseValue");function AE(e){if(!e)throw g("internal_server_error","Failed to persist upstream connection");return e}o(AE,"requirePersistedUpstreamConnection");var Vi=class{constructor(t){this.db=t}static{o(this,"PostgresUpstreamConnectionRepository")}async batchGet(t){if(t.length===0)return[];let r=IE(t);return c.array(CE).parse(await this.db.query(r.sql,r.params))}async upsert(t){let r=new Date,n=c.array(bE).parse(await this.db.query(`INSERT INTO upstream_connections (
-           id,
-           tenant_id,
-           owner_mode,
-           user_id,
-           upstream_server_id,
-           auth_profile_id,
-           status,
-           encrypted_access_token,
-           encrypted_refresh_token,
-           scopes,
-           expires_at,
-           metadata,
-           created_at,
-           updated_at
-         ) VALUES (
-           $1,
-           $2,
-           $3,
-           $4,
-           $5,
-           $6,
-           $7,
-           $8,
-           $9,
-           $10::jsonb,
-           $11,
-           $12::jsonb,
-           $13,
-           $13
-         )
-         ON CONFLICT ON CONSTRAINT upstream_connections_owner_key
-         DO UPDATE SET
-           status = EXCLUDED.status,
-           encrypted_access_token = EXCLUDED.encrypted_access_token,
-           encrypted_refresh_token = EXCLUDED.encrypted_refresh_token,
-           scopes = EXCLUDED.scopes,
-           expires_at = EXCLUDED.expires_at,
-           metadata = EXCLUDED.metadata,
-           updated_at = EXCLUDED.updated_at
-         RETURNING
-           id,
-           tenant_id,
-           owner_mode,
-           user_id,
-           upstream_server_id,
-           auth_profile_id,
-           status,
-           encrypted_access_token,
-           encrypted_refresh_token,
-           scopes,
-           expires_at,
-           metadata,
-           created_at,
-           updated_at`,[t.id,t.tenantId??null,t.ownerMode,t.subjectId??null,t.upstreamServerId,t.authProfileId,t.status,t.encryptedAccessToken??null,t.encryptedRefreshToken??null,JSON.stringify(t.scopes),t.expiresAt?new Date(t.expiresAt):null,TE(t.metadata),r]));return AE(n[0])}};Y();var kE=60*60*24*1e3,PE=c.object({kind:c.enum(["available","consumed","missing"]),record:c.unknown().nullable()}),EE=c.object({inserted:c.preprocess(e=>{if(typeof e!="string")return e;switch(e.toLowerCase()){case"true":case"t":case"1":return!0;case"false":case"f":case"0":return!1;default:return e}},c.boolean())});function Bg(e,t){let r=e[0];if(!r)throw g("internal_server_error",`Postgres ${t} query returned no result row`);return r}o(Bg,"requireSingleRow");function xE(e){return Vo.parse(pr(e,"upstream OAuth state record"))}o(xE,"parseStoredOAuthStateRecord");var Fi=class{constructor(t){this.db=t}static{o(this,"PostgresOAuthStateStore")}async save(t){let r=new Date;await this.db.query(`INSERT INTO upstream_oauth_states (
-         id,
-         record,
-         expires_at,
-         created_at,
-         updated_at
-       ) VALUES ($1, $2::jsonb, $3, $4, $4)
-       ON CONFLICT (id) DO UPDATE
-       SET record = EXCLUDED.record,
-           expires_at = EXCLUDED.expires_at,
-           updated_at = EXCLUDED.updated_at`,[t.id,JSON.stringify(t),new Date(t.expiresAt),r])}async consumeForCallback(t){let r=new Date,n=new Date(r.getTime()+kE),a=Bg(c.array(PE).parse(await this.db.query(`WITH expired_state_cleanup AS (
-             DELETE FROM upstream_oauth_states
-             WHERE id = $1
-               AND expires_at <= $2
-             RETURNING id
-           ),
-           expired_consumption_cleanup AS (
-             DELETE FROM upstream_oauth_state_consumptions
-             WHERE id = $1
-               AND expires_at <= $2
-             RETURNING id
-           ),
-           candidate AS (
-             SELECT id
-             FROM upstream_oauth_states
-             WHERE id = $1
-               AND expires_at > $2
-               AND (SELECT count(*) FROM expired_state_cleanup) >= 0
-           ),
-           inserted_consumption AS (
-             INSERT INTO upstream_oauth_state_consumptions (
-               id,
-               consumed_at,
-               expires_at
-             )
-             SELECT $1, $2, $3
-             WHERE EXISTS (SELECT 1 FROM candidate)
-               AND (SELECT count(*) FROM expired_consumption_cleanup) >= 0
-             ON CONFLICT (id) DO NOTHING
-             RETURNING id
-           ),
-           deleted_state AS (
-             DELETE FROM upstream_oauth_states
-             WHERE id = $1
-               AND EXISTS (SELECT 1 FROM inserted_consumption)
-             RETURNING record
-           ),
-           existing_consumption AS (
-             SELECT id
-             FROM upstream_oauth_state_consumptions
-             WHERE id = $1
-               AND expires_at > $2
-               AND (SELECT count(*) FROM expired_consumption_cleanup) >= 0
-           )
-           SELECT
-             CASE
-               WHEN EXISTS (SELECT 1 FROM deleted_state) THEN 'available'
-               WHEN EXISTS (SELECT 1 FROM existing_consumption) THEN 'consumed'
-               WHEN EXISTS (SELECT 1 FROM candidate) THEN 'consumed'
-               ELSE 'missing'
-             END AS kind,
-             (SELECT record FROM deleted_state LIMIT 1) AS record`,[t,r,n])),"OAuth state consume");if(a.kind==="available"){if(a.record===null)throw g("internal_server_error","Consumed OAuth state row did not include a record");return{kind:"available",record:xE(a.record)}}return{kind:a.kind}}},Zi=class{constructor(t){this.db=t}static{o(this,"PostgresBrowserConnectTicketStore")}async consume(t,r){let n=new Date;return Bg(c.array(EE).parse(await this.db.query(`WITH expired_consumption_cleanup AS (
-             DELETE FROM browser_connect_ticket_consumptions
-             WHERE id = $1
-               AND expires_at <= $2
-             RETURNING id
-           ),
-           inserted_consumption AS (
-             INSERT INTO browser_connect_ticket_consumptions (
-               id,
-               consumed_at,
-               expires_at
-             )
-             SELECT $1, $2, $3
-             WHERE $3 > $2
-               AND (SELECT count(*) FROM expired_consumption_cleanup) >= 0
-             ON CONFLICT (id) DO NOTHING
-             RETURNING id
-           )
-           SELECT EXISTS (SELECT 1 FROM inserted_consumption) AS inserted`,[t,n,r])),"browser connect ticket consume").inserted?{kind:"available"}:{kind:"consumed"}}};var OE={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},U=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=OE[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};Y();var Jd=c.discriminatedUnion("mode",[c.object({mode:c.literal("user"),tenantId:ue,subjectId:X}).strict(),c.object({mode:c.literal("tenant_shared"),tenantId:ue}).strict()]),Fg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe}).strict(),Zg=c.object({items:c.array(Fg).min(1).max(100)}).strict(),Yd=c.object({items:c.array(c.object({key:c.object({ownerMode:Ht,tenantId:ue,subjectId:X.optional(),upstreamServerId:ke,authProfileId:Pe}).strict(),connection:Gt.strict().optional()}).strict())}).strict(),Kg=Gt.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(Kd),Wg=Gt.strict(),Jg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe}).strict(),Yg=c.object({owner:Jd,upstreamServerId:ke,authProfileId:Pe,connection:Gt.strict().optional(),connectionStatus:c.object({connected:c.boolean(),status:xn,updatedAt:Gt.shape.updatedAt.optional()}).strict()}).strict(),UE=c.enum(["none","client_secret_basic","client_secret_post"]),Mr=c.object({clientId:le,clientName:c.string().min(1),tokenEndpointAuthMethod:UE}).strict(),Xd=c.discriminatedUnion("method",[c.object({method:c.literal("none"),clientId:le}).strict(),c.object({method:c.enum(["client_secret_basic","client_secret_post"]),clientId:le,clientSecretHashInput:c.string().min(1)}).strict()]),Qd=c.object({id:je,currentStateHash:c.string().min(1),clientId:le,redirectUri:c.string().min(1),resource:c.string().min(1),virtualServerId:me,clientState:c.string().optional(),scope:c.string(),codeChallenge:c.string().min(1),codeChallengeMethod:c.literal("S256"),createdAt:V,expiresAt:V,consumedAt:V.optional()}).strict(),Vg=Qd.omit({id:!0,consumedAt:!0}).extend({transactionId:je,client:Mr.optional()}).strict(),el=c.object({tenantId:ue,subjectId:X,roles:c.array(c.string()).optional()}).strict(),zE=Qd.extend({phase:c.literal("awaiting_login")}).strict(),Wd=Qd.extend({phase:c.literal("awaiting_setup"),principal:el}).strict(),NE=c.discriminatedUnion("phase",[zE,Wd]),tl=c.object({transaction:NE,client:Mr}).strict(),Xg=$o.omit({revokedAt:!0}).strict(),Qg=c.discriminatedUnion("kind",[c.object({kind:c.literal("registered"),client:Mr}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),e_=c.object({clientId:le}).strict(),t_=c.discriminatedUnion("kind",[c.object({kind:c.literal("found"),client:$o.strict()}).strict(),c.object({kind:c.literal("missing")}).strict()]),r_=c.discriminatedUnion("phase",[Vg.extend({phase:c.literal("awaiting_login")}).strict(),Vg.extend({phase:c.literal("awaiting_setup"),principal:el}).strict()]),n_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("started")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("redirect_uri_mismatch")}).strict(),c.object({kind:c.literal("already_exists")}).strict()]),o_=c.object({transactionId:je,currentStateHash:c.string().min(1),now:V}).strict(),a_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("available")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),i_=c.object({transactionId:je,expectedPhase:c.literal("awaiting_login"),currentStateHash:c.string().min(1),nextStateHash:c.string().min(1),nextPhase:c.literal("awaiting_setup"),principal:el,now:V}).strict(),s_=c.discriminatedUnion("kind",[tl.extend({kind:c.literal("advanced")}).strict(),c.object({kind:c.literal("wrong_phase"),current:c.enum(["awaiting_login","awaiting_setup"])}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),c_=c.discriminatedUnion("decision",[c.object({decision:c.literal("approve"),transactionId:je,currentStateHash:c.string().min(1),currentPrincipal:c.object({tenantId:ue,subjectId:X}).strict(),authorizationCodeHash:c.string().min(1),authorizationCodeExpiresAt:V,grantId:_t,now:V}).strict(),c.object({decision:c.literal("cancel"),transactionId:je,currentStateHash:c.string().min(1),currentPrincipal:c.object({tenantId:ue,subjectId:X}).strict(),now:V}).strict()]),u_=c.discriminatedUnion("kind",[c.object({kind:c.literal("approved"),transaction:Wd,client:Mr}).strict(),c.object({kind:c.literal("cancelled"),transaction:Wd,client:Mr}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict(),c.object({kind:c.literal("stale_hash")}).strict(),c.object({kind:c.literal("consumed_already")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("missing")}).strict()]),d_=c.object({clientAuth:Xd,codeHash:c.string().min(1),redirectUri:c.string().min(1),resource:c.string().min(1).optional(),codeChallenge:c.string().min(1),currentRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),grantExpiresAt:V,accessTokenExpiresAt:V,now:V}).strict(),l_=c.discriminatedUnion("kind",[c.object({kind:c.literal("exchanged"),client:Mr,grant:Lo.strict()}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("binding_mismatch")}).strict()]),p_=c.object({clientAuth:Xd,currentRefreshTokenHash:c.string().min(1),nextRefreshTokenHash:c.string().min(1),accessTokenHash:c.string().min(1),resource:c.string().min(1).optional(),accessTokenExpiresAt:V,now:V}).strict(),m_=c.discriminatedUnion("kind",[c.object({kind:c.literal("rotated"),client:Mr,grant:Lo.strict(),accessToken:In.strict(),matched:c.literal("current")}).strict(),c.object({kind:c.literal("invalid_client")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),h_=c.object({clientAuth:Xd,tokenHash:c.string().min(1),now:V}).strict(),f_=c.discriminatedUnion("kind",[c.object({kind:c.literal("revoked_access_token")}).strict(),c.object({kind:c.literal("revoked_grant")}).strict(),c.object({kind:c.literal("client_mismatch")}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("invalid_client")}).strict()]),g_=c.object({tokenHash:c.string().min(1),now:V}).strict(),__=c.discriminatedUnion("kind",[c.object({kind:c.literal("valid"),record:In.strict()}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict()]),y_=c.object({accessTokenHash:c.string().min(1),resource:c.string().min(1),virtualServerId:me,upstreamConnectionKeys:c.array(Fg).max(100),now:V}).strict(),S_=c.discriminatedUnion("kind",[c.object({kind:c.literal("authorized"),principal:c.object({tenantId:ue,subjectId:X,roles:c.array(c.string())}).strict(),accessToken:In.strict(),upstreamConnections:Yd.shape.items}).strict(),c.object({kind:c.literal("missing")}).strict(),c.object({kind:c.literal("expired")}).strict(),c.object({kind:c.literal("revoked")}).strict(),c.object({kind:c.literal("resource_mismatch")}).strict(),c.object({kind:c.literal("principal_mismatch")}).strict()]),w_=c.object({record:Vo}).strict(),v_=c.object({kind:c.literal("saved")}).strict(),R_=c.object({id:En,now:V}).strict(),b_=c.discriminatedUnion("kind",[c.object({kind:c.literal("available"),record:Vo}).strict(),c.object({kind:c.literal("consumed")}).strict(),c.object({kind:c.literal("missing")}).strict()]),C_=c.object({id:Bo,expiresAt:V,now:V}).strict(),I_=c.discriminatedUnion("kind",[c.object({kind:c.literal("available")}).strict(),c.object({kind:c.literal("consumed")}).strict()]);var T_=100;function A_(e){return e!==null&&typeof e=="object"}o(A_,"isProblemDetailsShape");var DE="/zups/v2/mcp/storage";function xe(e){return`${DE}/${e}`}o(xe,"buildStoragePath");function ME(){return xe("upstream-connections/batch-get")}o(ME,"buildBatchGetUpstreamConnectionsPath");function qE(){return xe("upstream-connections/upsert")}o(qE,"buildUpsertUpstreamConnectionPath");function $E(){return xe("authorization/read-setup")}o($E,"buildReadAuthorizationSetupPath");function LE(){return xe("oauth/register-client")}o(LE,"buildRegisterClientPath");function jE(){return xe("oauth/read-client")}o(jE,"buildReadClientPath");function HE(){return xe("authorization/start")}o(HE,"buildStartAuthorizationPath");function GE(){return xe("authorization/read-pending")}o(GE,"buildReadPendingAuthorizationPath");function BE(){return xe("authorization/advance-pending")}o(BE,"buildAdvancePendingAuthorizationPath");function VE(){return xe("authorization/decide-setup")}o(VE,"buildDecideAuthorizationSetupPath");function FE(){return xe("token/exchange-authorization-code")}o(FE,"buildExchangeAuthorizationCodePath");function ZE(){return xe("token/refresh")}o(ZE,"buildRefreshTokenPath");function KE(){return xe("token/revoke")}o(KE,"buildRevokeOAuthTokenPath");function WE(){return xe("token/validate-access-token")}o(WE,"buildValidateAccessTokenPath");function JE(){return xe("mcp/authorize-and-load-connections")}o(JE,"buildAuthorizeAndLoadConnectionsPath");function YE(){return xe("upstream-oauth-state/save")}o(YE,"buildSaveUpstreamOAuthStatePath");function XE(){return xe("upstream-oauth-state/consume")}o(XE,"buildConsumeUpstreamOAuthStatePath");function QE(){return xe("browser-connect-ticket/consume")}o(QE,"buildConsumeBrowserConnectTicketPath");function ex(e,t){return e.ownerMode===t.owner.mode&&e.tenantId===t.owner.tenantId&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(ex,"responseKeyMatchesLookup");function tx(e,t){return e.owner.mode===t.owner.mode&&e.owner.tenantId===t.owner.tenantId&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(tx,"authorizationSetupMatchesLookup");function E_(e,t){return e.ownerMode===t.owner.mode&&e.tenantId===t.owner.tenantId&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(E_,"connectionMatchesLookup");function rx(e,t){return e.ownerMode===t.ownerMode&&(e.tenantId??"")===(t.tenantId??"")&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&nl(e.scopes,t.scopes)&&rl(e.expiresAt,t.expiresAt)&&ox(e.metadata,t.metadata)}o(rx,"connectionMatchesUpsertRecord");function rl(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}o(rl,"optionalTimestampInstantsMatch");function nx(e,t){return Date.parse(e)<=Date.parse(t)}o(nx,"timestampInstantIsAtOrBefore");function nl(e,t){return e.length===t.length&&e.every((r,n)=>r===t[n])}o(nl,"stringArraysMatch");function ox(e,t){let r=k_(e),n=k_(t),a=Object.fromEntries(n);return r.length===n.length&&r.every(([i,s])=>a[i]===s)}o(ox,"metadataMatches");function k_(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}o(k_,"definedMetadataEntries");function ge(e,t){throw g({code:"internal_server_error",privateDetail:e,cause:t})}o(ge,"throwInvalidStorageResponse");async function ax(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){ge("Gateway Service storage response did not match the runtime storage contract.",r)}}o(ax,"parseRuntimeHttpStorageResponse");function x_(e,t){e.length!==t.length&&ge("Gateway Service storage response item count did not match the request.");for(let[r,n]of e.entries()){let a=t[r];ex(n.key,a)||ge("Gateway Service storage response key did not match the request."),n.connection!==void 0&&!E_(n.connection,a)&&ge("Gateway Service storage response connection did not match the response key.")}}o(x_,"validateUpstreamConnectionItemsMatchLookups");function ix(e,t){tx(e,t)||ge("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!E_(e.connection,t)&&ge("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",n=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==n||!rl(e.connectionStatus.updatedAt,a))&&ge("Gateway Service storage response authorization setup status did not match the connection.")}o(ix,"validateAuthorizationSetupResponseMatchesLookup");function sx(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&ge("Gateway Service storage response registered client did not match the request.")}o(sx,"validateRegisterClientResponseMatchesRequest");function cx(e,t){e.kind==="found"&&e.client.clientId!==t.clientId&&ge("Gateway Service storage response client did not match the request.")}o(cx,"validateReadClientResponseMatchesRequest");function ux(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.virtualServerId!==t.virtualServerId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&ge("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.tenantId!==t.principal.tenantId||e.transaction.principal.subjectId!==t.principal.subjectId)&&ge("Gateway Service storage response started authorization principal did not match the request."))}o(ux,"validateStartAuthorizationResponseMatchesRequest");function P_(e,t){e.kind!=="available"&&e.kind!=="advanced"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&ge("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.tenantId!==t.principal.tenantId||e.transaction.principal.subjectId!==t.principal.subjectId)&&ge("Gateway Service storage response advanced authorization did not match the request."))}o(P_,"validatePendingAuthorizationResponseMatchesRequest");function dx(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.tenantId!==t.currentPrincipal.tenantId||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&ge("Gateway Service storage response authorization setup transaction did not match the request.")}o(dx,"validateAuthorizationSetupDecisionResponseMatchesRequest");function lx(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!rl(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&ge("Gateway Service storage response authorization-code exchange did not match the request.")}o(lx,"validateExchangeAuthorizationCodeResponseMatchesRequest");function px(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&ge("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!nx(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!fx(e.accessToken,e.grant))&&ge("Gateway Service storage response token refresh access token did not match the request."))}o(px,"validateRefreshTokenResponseMatchesRequest");function mx(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&ge("Gateway Service storage response access token did not match the request.")}o(mx,"validateAccessTokenValidationResponseMatchesRequest");function hx(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.virtualServerId!==t.virtualServerId||e.principal.tenantId!==e.accessToken.tenantId||e.principal.subjectId!==e.accessToken.subjectId||!nl(e.principal.roles,e.accessToken.roles))&&ge("Gateway Service storage response MCP authorization did not match the request."),x_(e.upstreamConnections,t.upstreamConnectionKeys))}o(hx,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function fx(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.virtualServerId===t.virtualServerId&&e.tenantId===t.tenantId&&e.subjectId===t.subjectId&&e.scope===t.scope&&nl(e.roles,t.roles)}o(fx,"accessTokenMatchesGrant");async function gx(e){try{return await e.clone().json()}catch{return}}o(gx,"readProblemDetails");async function _x(e){let t=await gx(e),r=A_(t)&&typeof t.status=="number"?t.status:e.status,n=A_(t)&&Uo(t.code)?t.code:pd(r);throw g({code:n,privateDetail:`Gateway Service storage request failed with HTTP ${r}.`})}o(_x,"throwRuntimeHttpStorageError");var Ki=class{static{o(this,"RuntimeHttpStorageClient")}#t;#r;constructor(t){this.#t=t.baseUrl??gp.instance.zuploEdgeApiUrl,this.#r=t.fetch??fetch}async#e(t){let r=t.requestSchema.parse(t.input),n=new URL(t.path,this.#t),a=new Headers({"Content-Type":"application/json"});_p(a);let i=await this.#r(n,{method:"POST",headers:a,body:JSON.stringify(r)});return i.ok||await _x(i),{request:r,response:await ax(i,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],n=new Map,a=t.map(s=>{let u=Dr(s),d=n.get(u);if(d!==void 0)return d;let l=r.length;return r.push(s),n.set(u,l),l}),i=[];for(let s=0;s<r.length;s+=T_){let u=r.slice(s,s+T_);i.push(...await this.#n(u))}return a.map(s=>i[s])}async upsertUpstreamConnection(t){let{request:r,response:n}=await this.#e({input:t,path:qE(),requestSchema:Kg,responseSchema:Wg});return rx(n,r)||ge("Gateway Service storage response connection did not match the request."),n}async readAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:$E(),requestSchema:Jg,responseSchema:Yg});return ix(n,r),n}async registerClient(t){let{request:r,response:n}=await this.#e({input:t,path:LE(),requestSchema:Xg,responseSchema:Qg});return sx(n,r),n}async readClient(t){let{request:r,response:n}=await this.#e({input:t,path:jE(),requestSchema:e_,responseSchema:t_});return cx(n,r),n}async startAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:HE(),requestSchema:r_,responseSchema:n_});return ux(n,r),n}async readPendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:GE(),requestSchema:o_,responseSchema:a_});return P_(n,r),n}async advancePendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:BE(),requestSchema:i_,responseSchema:s_});return P_(n,r),n}async decideAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:VE(),requestSchema:c_,responseSchema:u_});return dx(n,r),n}async saveUpstreamOAuthState(t){let{response:r}=await this.#e({input:t,path:YE(),requestSchema:w_,responseSchema:v_});return r}async consumeUpstreamOAuthState(t){let{request:r,response:n}=await this.#e({input:t,path:XE(),requestSchema:R_,responseSchema:b_});return n.kind==="available"&&n.record.id!==r.id&&ge("Gateway Service storage response upstream OAuth state did not match the request."),n}async consumeBrowserConnectTicket(t){let{response:r}=await this.#e({input:t,path:QE(),requestSchema:C_,responseSchema:I_});return r}async exchangeAuthorizationCode(t){let{request:r,response:n}=await this.#e({input:t,path:FE(),requestSchema:d_,responseSchema:l_});return lx(n,r),n}async refreshToken(t){let{request:r,response:n}=await this.#e({input:t,path:ZE(),requestSchema:p_,responseSchema:m_});return px(n,r),n}async revokeOAuthToken(t){let{response:r}=await this.#e({input:t,path:KE(),requestSchema:h_,responseSchema:f_});return r}async validateAccessToken(t){let{request:r,response:n}=await this.#e({input:t,path:WE(),requestSchema:g_,responseSchema:__});return mx(n,r),n}async authorizeAndLoadConnections(t){let{request:r,response:n}=await this.#e({input:t,path:JE(),requestSchema:y_,responseSchema:S_});return hx(n,r),n}async#n(t){let r={items:[...t]},{response:n}=await this.#e({input:r,path:ME(),requestSchema:Zg,responseSchema:Yd});return x_(n.items,t),n.items.map(a=>a.connection)}};var ol=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpUpstreamConnectionRepository")}batchGet(t){return this.client.batchGetUpstreamConnections(t)}upsert(t){return this.client.upsertUpstreamConnection(t)}},al=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpDownstreamOAuthRepository")}#t=new Map;#r=new Map;async getDcrClient(t){let r=this.#t.get(t);if(r&&r.redirectUris.length>0)return r;let n=await this.client.readClient({clientId:t});if(n.kind!=="missing")return this.#t.set(t,n.client),n.client}async saveDcrClient(t){if((await this.client.registerClient(t)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");this.#t.set(t.clientId,t)}async savePendingAuthorizationTransaction(t,r){let{id:n,...a}=t,i=await this.client.startAuthorization({...a,transactionId:n,...r?.client===void 0?{}:{client:r.client}});switch(i.kind){case"started":return this.#e(i.client),{kind:"saved"};case"already_exists":return{kind:"already_exists"};case"invalid_client":throw new U("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new U("invalid_request","redirect_uri is not registered for the client.")}}async advancePendingAuthorizationTransaction(t){let r=await this.client.advancePendingAuthorization({transactionId:t.id,expectedPhase:t.expectedPhase,currentStateHash:t.currentStateHash,nextStateHash:t.nextStateHash,nextPhase:t.nextPhase,principal:t.principal,now:O(t.now)});return r.kind==="advanced"?(this.#e(r.client),{kind:"advanced",record:r.transaction}):r}async getPendingAuthorizationTransaction(t){let r=await this.client.readPendingAuthorization({transactionId:t.id,currentStateHash:t.currentStateHash,now:O(t.now)});return r.kind==="available"?(this.#e(r.client),{kind:"available",record:r.transaction}):r}async consumePendingAuthorizationTransaction(t){let r=await this.getPendingAuthorizationTransaction(t);return r.kind!=="available"?r.kind==="consumed"?{kind:"consumed_already"}:r:r.record.phase!=="awaiting_setup"?{kind:"missing"}:(this.#r.set(r.record.id,{currentStateHash:t.currentStateHash,now:t.now,transaction:r.record}),{kind:"consumed",record:r.record})}async issueAuthorizationCode(t){let r=this.#r.get(t.id);if(!r)throw g("internal_server_error","Authorization code issuance requires a pending setup decision.");let n=await this.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:r.currentStateHash,currentPrincipal:{tenantId:r.transaction.principal.tenantId,subjectId:r.transaction.principal.subjectId},authorizationCodeHash:t.codeHash,authorizationCodeExpiresAt:t.expiresAt,grantId:t.grantId,now:O(r.now)});if(this.#r.delete(t.id),n.kind!=="approved")throw g("oauth_state_invalid","Authorization setup state is invalid, expired, or already used.")}async exchangeAuthorizationCode(t){let r=await this.exchangeAuthorizationCodeWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},codeHash:t.codeHash,redirectUri:t.redirectUri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:t.codeChallenge,currentRefreshTokenHash:t.currentRefreshTokenHash,accessTokenHash:t.accessTokenHash,grantExpiresAt:t.grantExpiresAt,accessTokenExpiresAt:t.accessTokenExpiresAt,now:O(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r.kind==="exchanged"?{kind:"exchanged",grant:r.grant}:r}async saveAccessToken(t){throw g("internal_server_error","Runtime HTTP access-token save is covered by token exchange/refresh operations.")}async validateAccessToken(t){return this.client.validateAccessToken({tokenHash:t.tokenHash,now:O(t.now)})}async rotateRefreshToken(t){throw g("internal_server_error","Runtime HTTP refresh-token rotation is covered by the token refresh operation.")}async revokeOAuthToken(t){let r=await this.revokeOAuthTokenWithClientAuth({clientAuth:{method:"none",clientId:t.clientId},tokenHash:t.tokenHash,now:O(t.now)});return r.kind==="invalid_client"?{kind:"missing"}:r}async revokeGrant(t){throw g("internal_server_error","Runtime HTTP grant revocation is not exposed as a standalone storage operation.")}decideAuthorizationSetup(t){return this.client.decideAuthorizationSetup(t)}exchangeAuthorizationCodeWithClientAuth(t){return this.client.exchangeAuthorizationCode(t)}refreshTokenWithClientAuth(t){return this.client.refreshToken(t)}revokeOAuthTokenWithClientAuth(t){return this.client.revokeOAuthToken(t)}authorizeAndLoadConnections(t){return this.client.authorizeAndLoadConnections(t)}#e(t){this.#t.has(t.clientId)||this.#t.set(t.clientId,{clientId:t.clientId,clientName:t.clientName,redirectUris:[],tokenEndpointAuthMethod:t.tokenEndpointAuthMethod,clientExpiresAt:O(new Date(864e10)),createdAt:O(new Date(0))})}},il=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpOAuthStateStore")}async save(t){await this.client.saveUpstreamOAuthState({record:t})}consumeForCallback(t){return this.client.consumeUpstreamOAuthState({id:t,now:O(new Date)})}},sl=class{constructor(t){this.client=t}static{o(this,"RuntimeHttpBrowserConnectTicketStore")}consume(t,r){return this.client.consumeBrowserConnectTicket({id:t,expiresAt:O(r),now:O(new Date)})}};function O_(e={}){let t=new Ki(e);return{upstreamConnectionRepository:new ol(t),downstreamOAuthRepository:new al(t),oauthStateStore:new il(t),browserConnectTicketStore:new sl(t)}}o(O_,"createRuntimeHttpStorageBackend");var yx="__zuploMcpGatewayStorageBackend",cl;function Sx(e){return{upstreamConnectionRepository:new Vi(e),downstreamOAuthRepository:new Li(e),oauthStateStore:new Fi(e),browserConnectTicketStore:new Zi(e)}}o(Sx,"createPostgresStorageBackend");function wx(e){let t=xg(e),r=Ug(t);return Sx(r)}o(wx,"buildPostgresStorageBackend");function vx(){let e=$i().TEST_ONLY_DO_NOT_USE_DB_CONNECTION_STRING;return e?wx(e):O_()}o(vx,"buildProductionStorageBackend");function q(){let e=globalThis[yx];return e||(cl||(cl=vx()),cl)}o(q,"getStorage");function ul(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(ul,"readBearerToken");function Rx(e,t,r){return Ze(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(Rx,"gatewayAuthenticationRequiredResponse");async function bx(e,t,r){let n=await q().downstreamOAuthRepository.validateAccessToken({tokenHash:await F(e),now:new Date});if(n.kind!=="valid")throw t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed"),g("authentication_required","Gateway access token is expired, revoked, or invalid.");return n.record}o(bx,"validateGatewayAccessToken");function Cx(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(Cx,"assertAccessTokenResource");function Ix(e,t,r){return Ze(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":An({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${ce} scope required by this MCP resource.`,scope:ce})}})}o(Ix,"insufficientScopeResponse");function Tx(e){return{subjectId:e.subjectId,tenantId:e.tenantId,roles:e.roles}}o(Tx,"principalFromAccessToken");function Ax(e){let t=de(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),Ze(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":An({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(Ax,"gatewayTokenRejectedResponse");async function dl(e,t){let r=Rn(t),n=Nr(r.virtualServerId,e.url),a=ul(e),i=An({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),Rx(e,t,i);try{let s=await bx(a,t,r.virtualServerId);if(Cx({accessToken:s,resource:n,virtualServerId:r.virtualServerId},t),s.scope!==ce)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:s.scope,requiredScope:ce,virtualServerId:r.virtualServerId,clientId:s.clientId},"Gateway access token does not have the required MCP scope"),Ix(e,t,r.virtualServerId);let u=Tx(s);return Ag(t,u),ld(t,u),e}catch(s){return Ax({request:e,context:t,error:s,virtualServerId:r.virtualServerId})}}o(dl,"gatewayTokenInbound");var kx=2,U_=4,Px=24,Ex=16,z_=512,xx=/(token|secret|authorization|password|cookie|credential|client[_-]?secret|code[_-]?verifier|(^|[_-])(code|state|verifier)($|[_-]))/i,Ox=/("(?:access_token|refresh_token|id_token|client_secret|authorization|password|cookie|code|state|code_verifier)"\s*:\s*")([^"]*)(")/gi,Ux=/\b(access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|cookie|code|state|code[_-]?verifier)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,;&]+)/gi,zx=/\b(authorization)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|(?:Bearer|Basic)\s+[^\s,;]+|[^\s,;]+)/gi,Nx=/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi,Dx=/\bBasic\s+[A-Za-z0-9+/=-]+/gi;function N_(e){let t=e.route;return t&&typeof t=="object"?t:void 0}o(N_,"readRoute");function Mx(e){let t=N_(e)?.path;return typeof t=="string"&&t.length>0?t:void 0}o(Mx,"readRoutePath");function qx(e){let t=N_(e)?.raw;if(typeof t!="function")return;let r=t();if(!r||typeof r!="object")return;let n=r.operationId;return typeof n=="string"&&n.length>0?n:void 0}o(qx,"readRouteOperationId");function $x(e){if(!(e===void 0||!Number.isFinite(e)||e<100))return`${Math.trunc(e/100)}xx`}o($x,"deriveStatusClass");function Lx(e,t){if(!(!e&&!t))return e==="user"?t==="user_oauth"?"upstream_user_attributed":"gateway_user_attributed_only":e==="tenant_shared"?"tenant_shared_upstream_identity":e==="none"?"machine_identity":"unknown"}o(Lx,"deriveOriginAttributionMode");function jx(e){if(!e)return;let t=e.toLowerCase();return t.includes("desktop")||t.includes("claude")||t.includes("chatgpt")?"desktop":t.includes("vscode")||t.includes("cursor")||t.includes("zed")||t.includes("jetbrains")||t.includes("ide")?"ide":t.includes("extension")?"extension":t.includes("agent")||t.includes("bot")||t.includes("worker")||t.includes("service")?"service":"unknown"}o(jx,"deriveClientKind");function Hx(e,t){return t==="success"?"none":e===H.MCP_GATEWAY_REQUEST_RECEIVED||e===H.MCP_GATEWAY_REQUEST_REJECTED||e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"ingress":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_INITIALIZE_NEGOTIATED?"routing":e===H.MCP_GATEWAY_POLICY_DECISION?"policy":e===H.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e.startsWith("mcp_gateway_capability_")||e.startsWith("mcp_gateway_catalog_")?"upstream":e===H.MCP_GATEWAY_REQUEST_COMPLETED?"egress":"none"}o(Hx,"deriveFailureStage");function Gx(e,t){return t==="success"?"none":t==="application_error"?"mcp_application":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_POLICY_DECISION||e===H.MCP_GATEWAY_GUARDRAIL_DECISION||e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e===H.MCP_GATEWAY_CAPABILITY_FAILED||e===H.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED?"upstream":e===H.MCP_GATEWAY_REQUEST_REJECTED||e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"client":"gateway"}o(Gx,"deriveFailureOrigin");function Bx(e,t){return t==="success"?"none":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===H.MCP_GATEWAY_POLICY_DECISION?"policy":e===H.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===H.MCP_GATEWAY_RATE_LIMIT_DECISION?"rate_limit":e.startsWith("mcp_gateway_upstream_")?"upstream":e===H.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR||e===H.MCP_GATEWAY_REQUEST_REJECTED?"protocol":"none"}o(Bx,"deriveReasonClass");function Vx(e){return e.length<=z_?e:`${e.slice(0,z_)}...`}o(Vx,"truncateAnalyticsString");function Fx(e){return Vx(e.replace(Ox,"$1[REDACTED]$3").replace(zx,"$1$2[REDACTED]").replace(Ux,"$1$2[REDACTED]").replace(Nx,"Bearer [REDACTED]").replace(Dx,"Basic [REDACTED]"))}o(Fx,"redactAnalyticsString");function D_(e,t){if(e!==void 0){if(e===null||typeof e=="boolean")return e;if(typeof e=="string")return Fx(e);if(typeof e=="number")return Number.isFinite(e)?e:void 0;if(Array.isArray(e))return t>=U_?"[DEPTH_LIMIT]":e.slice(0,Ex).map(r=>D_(r,t+1)).filter(r=>r!==void 0);if(typeof e=="object")return e instanceof Date?e.toISOString():t>=U_?"[DEPTH_LIMIT]":M_(e,t+1)}}o(D_,"sanitizeAnalyticsValue");function M_(e,t=0){if(!e)return;let r={};for(let[n,a]of Object.entries(e).slice(0,Px)){if(xx.test(n)){r[n]="[REDACTED]";continue}let i=D_(a,t);i!==void 0&&(r[n]=i)}return Object.keys(r).length===0?void 0:r}o(M_,"sanitizeMcpGatewayAnalyticsAttributes");function z(e){return e===void 0?null:e}o(z,"nullable");function Zx(e){let t=e.environment;return t&&typeof t=="object"&&typeof t.name=="string"?t.name:null}o(Zx,"readEnvironment");function Kx(e){let t=e.requestId;return typeof t=="string"&&t.length>0?t:null}o(Kx,"readRequestId");function Wx(e){if(e===void 0)return null;try{return JSON.stringify(e)}catch{return null}}o(Wx,"attributesToJsonString");function Jx(e,t){let r=Hd(e),n=No(e),a=M_(t.attributes),i=Kx(e),s=t.ownerMode??t.routeBinding?.ownerMode??null,u=t.upstreamAuthMode??t.routeBinding?.authMode??null,d=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId??null,l=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId??null,p=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName??null,m=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId??null,f=t.clientKind??jx(t.clientName)??null,_=Lx(s??void 0,u??void 0)??null,S=$x(t.httpStatusCode)??null,y=t.reasonClass??Bx(t.eventType,t.outcome),w=t.failureOrigin??Gx(t.eventType,t.outcome),v=t.failureStage??Hx(t.eventType,t.outcome);return{schemaVersion:kx,outcome:t.outcome,tenantId:z(r?.tenantId),subjectId:z(r?.subjectId),environment:Zx(e),traceId:t.traceId??i,spanId:z(t.spanId),parentEventId:z(t.parentEventId),mcpSessionId:z(t.mcpSessionId),routeSurface:z(t.routeSurface),routePath:Mx(e)??null,operationId:qx(e)??null,virtualServerName:d,virtualServerTitle:z(t.virtualServerTitle),upstreamServerName:l,upstreamServerTitle:p,upstreamBindingId:z(t.upstreamBindingId),clientName:z(t.clientName),clientTitle:z(t.clientTitle),clientVersion:z(t.clientVersion),clientKind:f,authProfileId:m,upstreamAuthMode:u,ownerMode:s,authMethod:z(t.authMethod),originAttributionMode:_,httpMethod:z(t.httpMethod),httpStatusCode:z(t.httpStatusCode),statusClass:S,mcpMethod:z(t.mcpMethod),mcpProtocolVersion:z(t.mcpProtocolVersion),mcpStatus:z(t.mcpStatus),mcpErrorType:z(t.mcpErrorType),applicationError:z(t.applicationError),applicationErrorCode:z(t.applicationErrorCode),toolResultIsError:z(t.toolResultIsError),capabilityType:z(t.capabilityType),capabilityName:z(t.capabilityName),capabilityTitle:z(t.capabilityTitle),upstreamCapabilityName:z(t.upstreamCapabilityName),upstreamCapabilityTitle:z(t.upstreamCapabilityTitle),capabilitySchemaHash:z(t.capabilitySchemaHash),policyId:z(t.policyId),policyAction:z(t.policyAction),guardrailType:z(t.guardrailType),guardrailDirection:z(t.guardrailDirection),guardrailFindingCount:z(t.guardrailFindingCount),redactionCount:z(t.redactionCount),requestMutated:z(t.requestMutated),responseMutated:z(t.responseMutated),latencyMs:z(t.latencyMs),gatewayLatencyMs:z(t.gatewayLatencyMs),upstreamLatencyMs:z(t.upstreamLatencyMs),authLatencyMs:z(t.authLatencyMs),policyLatencyMs:z(t.policyLatencyMs),requestBytes:z(t.requestBytes),responseBytes:z(t.responseBytes),estimatedInputTokens:z(t.estimatedInputTokens),estimatedOutputTokens:z(t.estimatedOutputTokens),estimatedContextTokens:z(t.estimatedContextTokens),contextPressureBucket:z(t.contextPressureBucket),responseMimeTypes:z(t.responseMimeTypes),base64Suspected:z(t.base64Suspected),truncated:z(t.truncated),isLargePayloadRequest:z(t.isLargePayloadRequest),isLargePayloadResponse:z(t.isLargePayloadResponse),payloadCaptureMode:z(t.payloadCaptureMode),reasonCode:z(t.reasonCode),reasonClass:y,errorType:t.errorType??t.reasonCode??null,failureOrigin:w,failureStage:v,customMetadataJson:z(t.customMetadataJson),attributesJson:Wx(a)}}o(Jx,"buildMcpGatewayAnalyticsMetadata");function We(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,Jx(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_gateway_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(We,"emitMcpGatewayAnalyticsEvent");function Je(e){let t=st().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(Je,"getUpstreamServerConfig");function Yx(e){let t=st().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(Yx,"resolveUpstreamAuthProfileId");function hr(e){Yx(e);let t=st().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(hr,"getUpstreamAuthConfig");function qr(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(!Bf(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(qr,"requireUpstreamOAuthConfig");var Xx={tenant_shared_oauth:{authMode:"tenant_shared_oauth",ownerMode:"tenant_shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},user_oauth:{authMode:"user_oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},static_secret:{authMode:"static_secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured_static_secret"},tenant_static_secret:{authMode:"tenant_static_secret",ownerMode:"tenant_shared",connectSupport:"none",connectUnsupportedDetail:"Tenant static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"tenant_static_secret_connection"},user_static_secret:{authMode:"user_static_secret",ownerMode:"user",connectSupport:"user_static_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_static_secret_connection"}};function At(e){return Xx[e]}o(At,"describeUpstreamAuthMode");function Wi(e){return At(e).ownerMode}o(Wi,"resolveOwnerModeForUpstreamAuthMode");Y();import{errors as B_,jwtVerify as V_,SignJWT as F_}from"jose";import{base64url as Qx}from"jose";var eO=new TextEncoder,ll=32;function q_(e,t={}){let r=[tO(e),eO.encode(e)],n;for(let a of r)if(a){if(a.byteLength>=ll){n=a;break}(n===void 0||a.byteLength>n.byteLength)&&(n=a)}if(n===void 0||n.byteLength<ll){let a=t.name??"secret key material",i=n?.byteLength??0;throw new Error(`${a} must decode to at least ${ll} bytes (got ${i}). Generate a high-entropy value with for example: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='.`)}return n}o(q_,"decodeConfiguredSecretKeyMaterial");function tO(e){try{return Qx.decode(e)}catch{return}}o(tO,"tryDecodeBase64Url");var $_=new Map,L_=new Map;function rO(e){let t=$_.get(e);return t||(t=q_($i()[e],{name:e}),$_.set(e,t)),t}o(rO,"getMasterKeyMaterial");async function kt(e){let t=L_.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(rO(e.envVar));return L_.set(e.purpose,r),r}o(kt,"readCachedDerivedKey");var nO="SHA-256";var oO="zuplo-mcp-gateway:",aO=new TextEncoder,j_=new WeakMap;async function fr(e,t){let r=j_.get(e);r||(r=new Map,j_.set(e,r));let n=r.get(t);if(n)return n;let a=await iO(e,t);return r.set(t,a),a}o(fr,"deriveGatewaySigningKey");async function iO(e,t){let r=H_(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=aO.encode(`${oO}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:nO,salt:new Uint8Array,info:H_(a)},n,32*8);return new Uint8Array(i)}o(iO,"hkdfExpand");function H_(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(H_,"copyToArrayBuffer");var Ji="HS256",Z_=15*60,sO=15*60,Yi="zuplo-mcp-gateway",Xi="zuplo-mcp-gateway",cO=Dg.extend({id:En}),uO=cO.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),K_=kn.extend({id:Bo,purpose:c.literal("browser_connect")}),dO=kn.extend({purpose:c.literal("browser_connect")}),lO=K_.extend({exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),W_=Z_*1e3;async function J_(){return kt({purpose:"oauth-state",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"oauth-state"),"derive")})}o(J_,"getOAuthStateKey");async function Y_(){return kt({purpose:"browser-connect",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-connect"),"derive")})}o(Y_,"getBrowserConnectKey");async function X_(e){let t=Math.floor(Date.now()/1e3)+Z_;return new F_(e).setProtectedHeader({alg:Ji,typ:"JWT"}).setIssuer(Yi).setAudience(Xi).setIssuedAt().setExpirationTime(t).sign(await J_())}o(X_,"signOAuthState");async function Qi(e){try{let{payload:t}=await V_(e,await J_(),{algorithms:[Ji],issuer:Yi,audience:Xi});return uO.parse(t)}catch(t){throw t instanceof B_.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(Qi,"verifyOAuthState");async function Q_(e){let t=Math.floor(Date.now()/1e3)+sO,r=dO.parse(e),n=K_.parse({...r,id:jg()});return new F_(n).setProtectedHeader({alg:Ji,typ:"JWT"}).setIssuer(Yi).setAudience(Xi).setIssuedAt().setExpirationTime(t).sign(await Y_())}o(Q_,"signBrowserConnectTicket");async function es(e){try{let{payload:t}=await V_(e,await Y_(),{algorithms:[Ji],issuer:Yi,audience:Xi});return lO.parse(t)}catch(t){throw t instanceof B_.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o(es,"verifyBrowserConnectTicket");async function ts(e){if((await q().browserConnectTicketStore.consume(e.id,new Date(e.exp*1e3))).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o(ts,"consumeBrowserConnectTicket");function pO(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(pO,"buildConnectRequiredMessage");async function ey(e){let t=re(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await Q_({...Go(e),purpose:"browser_connect"})),r.toString()}o(ey,"buildGatewayBrowserTicketUrl");function mO(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(mO,"buildGatewayConnectPath");async function pl(e){return ey({...e,path:mO(e.upstreamServerId),redirect:!0})}o(pl,"buildGatewayConnectUrl");async function ty(e){return ey({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(ty,"buildGatewayAppPasswordCaptureUrl");async function On(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await pl(t),message:pO(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(On,"buildRedirectConnectRequiredResponse");function ry(e){return ny({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(ry,"buildAdminConnectRequiredResponse");function ny(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(ny,"buildAdminSetupRequiredResponse");function oy(e){return ny({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(oy,"buildAdminStaticSecretRequiredResponse");Y();import{base64url as gr}from"jose";var hO="SHA-256",zn="AES-GCM",fO=12,hl="zuplo-secret",fl=1,ay="env:TOKEN_ENCRYPTION_KEY",gO=c.object({version:c.literal(fl),keyId:c.literal(ay),algorithm:c.literal(zn),iv:c.string().min(1),ciphertext:c.string().min(1)}).strict();function Un(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Un,"copyToArrayBuffer");async function ml(){return kt({purpose:"token-encryption",envVar:"TOKEN_ENCRYPTION_KEY",derive:o(async e=>{let t=await crypto.subtle.digest(hO,Un(e));return crypto.subtle.importKey("raw",t,{name:zn},!1,["encrypt","decrypt"])},"derive")})}o(ml,"getEncryptionKey");function iy(e){return Un(new TextEncoder().encode(`${hl}:v${e.version}:${e.keyId}`))}o(iy,"getAssociatedData");function _O(e){return`${hl}:v${e.version}:${gr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(_O,"encodeEnvelope");function yO(e){let t=`${hl}:v${fl}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(gr.decode(r));return gO.parse(JSON.parse(n))}o(yO,"decodeEnvelope");async function $r(e){let t=await ml(),r=crypto.getRandomValues(new Uint8Array(fO)),n={version:fl,keyId:ay},a=await crypto.subtle.encrypt({name:zn,iv:r,additionalData:iy(n)},t,new TextEncoder().encode(e));return _O({...n,algorithm:zn,iv:gr.encode(r),ciphertext:gr.encode(new Uint8Array(a))})}o($r,"encryptSecret");async function Bt(e){let t=yO(e);if(t){let s=await ml(),u=await crypto.subtle.decrypt({name:zn,iv:Un(gr.decode(t.iv)),additionalData:iy(t)},s,Un(gr.decode(t.ciphertext)));return new TextDecoder().decode(u)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await ml(),i=await crypto.subtle.decrypt({name:zn,iv:Un(gr.decode(r))},a,Un(gr.decode(n)));return new TextDecoder().decode(i)}o(Bt,"decryptSecret");function SO(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(r.mode!=="tenant_static_secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(SO,"requireTenantStaticSecretConfig");function sy(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(sy,"hasUsableTenantStaticSecret");async function wO(e){if(!sy(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await Bt(e.connection.metadata.encryptedStaticSecret)}}o(wO,"resolveTenantStaticSecretCredential");async function cy(e){let t=Je(e.upstreamServerId);SO(e.upstreamServerId,e.authProfileId);let r="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(sy(r))return{kind:"authorized",credential:await wO({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:oy(n)}}o(cy,"resolveTenantStaticSecretCredentialForRequest");Y();async function gl(e){return q().upstreamConnectionRepository.upsert({id:Bi(),tenantId:e.owner.tenantId,ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(gl,"upsertStaticSecretConnection");var vO=c.string().trim().min(1).max(320),RO=c.string().min(1).max(4096),bO=c.string().trim().min(1).max(4096);function _l(e,t){let r=hr({upstreamServerId:e,authProfileId:t});if(r.mode!=="user_static_secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(_l,"requireUserStaticSecretConfig");function CO(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(CO,"encodeBase64Utf8");function IO(e){return`Basic ${CO(`${e.username}:${e.appPassword}`)}`}o(IO,"buildBasicAuthHeader");function uy(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(uy,"hasEncryptedUserStaticSecret");async function TO(e){if(!uy(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await Bt(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:IO({username:e.connection.metadata.staticSecretUsername,appPassword:await Bt(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(TO,"resolveUserStaticSecretCredential");async function dy(e){if(_l(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=vO.parse(e.username),n=RO.parse(e.appPassword);return gl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await $r(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(dy,"saveUserStaticSecretCredential");async function rs(e){let t=_l(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=bO.parse(e.token);return gl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await $r(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(rs,"saveUserStaticBearerTokenCredential");function yl(e,t){return _l(e,t)}o(yl,"readUserStaticSecretCaptureConfig");async function ly(e){let t=Je(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(uy(r))return{kind:"authorized",credential:await TO({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await On(n)}}o(ly,"resolveUserStaticSecretCredentialForRequest");function py(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return ty({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(py,"buildUserStaticSecretConnectUrl");var Sl;Sl=globalThis.crypto;async function AO(e){return(await Sl).getRandomValues(new Uint8Array(e))}o(AO,"getRandomValues");async function kO(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await AO(e-n.length);for(let i of a)i<r&&(n+=t[i%t.length])}return n}o(kO,"random");async function PO(e){return await kO(e)}o(PO,"generateVerifier");async function EO(e){let t=await(await Sl).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(EO,"generateChallenge");async function wl(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await PO(e),r=await EO(t);return{code_verifier:t,code_challenge:r}}o(wl,"pkceChallenge");Y();var Oe=vp().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Ip.custom,message:"URL must be parseable",fatal:!0}),Sp}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),ns=Se({resource:h().url(),authorization_servers:b(Oe).optional(),jwks_uri:h().url().optional(),scopes_supported:b(h()).optional(),bearer_methods_supported:b(h()).optional(),resource_signing_alg_values_supported:b(h()).optional(),resource_name:h().optional(),resource_documentation:h().optional(),resource_policy_uri:h().url().optional(),resource_tos_uri:h().url().optional(),tls_client_certificate_bound_access_tokens:ee().optional(),authorization_details_types_supported:b(h()).optional(),dpop_signing_alg_values_supported:b(h()).optional(),dpop_bound_access_tokens_required:ee().optional()}),Fo=Se({issuer:h(),authorization_endpoint:Oe,token_endpoint:Oe,registration_endpoint:Oe.optional(),scopes_supported:b(h()).optional(),response_types_supported:b(h()),response_modes_supported:b(h()).optional(),grant_types_supported:b(h()).optional(),token_endpoint_auth_methods_supported:b(h()).optional(),token_endpoint_auth_signing_alg_values_supported:b(h()).optional(),service_documentation:Oe.optional(),revocation_endpoint:Oe.optional(),revocation_endpoint_auth_methods_supported:b(h()).optional(),revocation_endpoint_auth_signing_alg_values_supported:b(h()).optional(),introspection_endpoint:h().optional(),introspection_endpoint_auth_methods_supported:b(h()).optional(),introspection_endpoint_auth_signing_alg_values_supported:b(h()).optional(),code_challenge_methods_supported:b(h()).optional(),client_id_metadata_document_supported:ee().optional()}),xO=Se({issuer:h(),authorization_endpoint:Oe,token_endpoint:Oe,userinfo_endpoint:Oe.optional(),jwks_uri:Oe,registration_endpoint:Oe.optional(),scopes_supported:b(h()).optional(),response_types_supported:b(h()),response_modes_supported:b(h()).optional(),grant_types_supported:b(h()).optional(),acr_values_supported:b(h()).optional(),subject_types_supported:b(h()),id_token_signing_alg_values_supported:b(h()),id_token_encryption_alg_values_supported:b(h()).optional(),id_token_encryption_enc_values_supported:b(h()).optional(),userinfo_signing_alg_values_supported:b(h()).optional(),userinfo_encryption_alg_values_supported:b(h()).optional(),userinfo_encryption_enc_values_supported:b(h()).optional(),request_object_signing_alg_values_supported:b(h()).optional(),request_object_encryption_alg_values_supported:b(h()).optional(),request_object_encryption_enc_values_supported:b(h()).optional(),token_endpoint_auth_methods_supported:b(h()).optional(),token_endpoint_auth_signing_alg_values_supported:b(h()).optional(),display_values_supported:b(h()).optional(),claim_types_supported:b(h()).optional(),claims_supported:b(h()).optional(),service_documentation:h().optional(),claims_locales_supported:b(h()).optional(),ui_locales_supported:b(h()).optional(),claims_parameter_supported:ee().optional(),request_parameter_supported:ee().optional(),request_uri_parameter_supported:ee().optional(),require_request_uri_registration:ee().optional(),op_policy_uri:Oe.optional(),op_tos_uri:Oe.optional(),client_id_metadata_document_supported:ee().optional()}),os=C({...xO.shape,...Fo.pick({code_challenge_methods_supported:!0}).shape}),Zo=C({access_token:h(),id_token:h().optional(),token_type:h(),expires_in:Tp.number().optional(),scope:h().optional(),refresh_token:h().optional()}).strip(),hy=C({error:h(),error_description:h().optional(),error_uri:h().optional()}),my=Oe.optional().or(P("").transform(()=>{})),OO=C({redirect_uris:b(Oe),token_endpoint_auth_method:h().optional(),grant_types:b(h()).optional(),response_types:b(h()).optional(),client_name:h().optional(),client_uri:Oe.optional(),logo_uri:my,scope:h().optional(),contacts:b(h()).optional(),tos_uri:my,policy_uri:h().optional(),jwks_uri:Oe.optional(),jwks:bp().optional(),software_id:h().optional(),software_version:h().optional(),software_statement:h().optional()}).strip(),vl=C({client_id:h(),client_secret:h().optional(),client_id_issued_at:K().optional(),client_secret_expires_at:K().optional()}).strip(),Ko=OO.merge(vl),N4=C({error:h(),error_description:h().optional()}).strip(),D4=C({token:h(),token_type_hint:h().optional()}).strip();function fy(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(fy,"resourceUrlFromServerUrl");function gy({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(i)}o(gy,"checkResourceAllowed");var _e=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Wo=class extends _e{static{o(this,"InvalidRequestError")}};Wo.errorCode="invalid_request";var Lr=class extends _e{static{o(this,"InvalidClientError")}};Lr.errorCode="invalid_client";var jr=class extends _e{static{o(this,"InvalidGrantError")}};jr.errorCode="invalid_grant";var Hr=class extends _e{static{o(this,"UnauthorizedClientError")}};Hr.errorCode="unauthorized_client";var Jo=class extends _e{static{o(this,"UnsupportedGrantTypeError")}};Jo.errorCode="unsupported_grant_type";var Yo=class extends _e{static{o(this,"InvalidScopeError")}};Yo.errorCode="invalid_scope";var Xo=class extends _e{static{o(this,"AccessDeniedError")}};Xo.errorCode="access_denied";var Vt=class extends _e{static{o(this,"ServerError")}};Vt.errorCode="server_error";var Qo=class extends _e{static{o(this,"TemporarilyUnavailableError")}};Qo.errorCode="temporarily_unavailable";var ea=class extends _e{static{o(this,"UnsupportedResponseTypeError")}};ea.errorCode="unsupported_response_type";var ta=class extends _e{static{o(this,"UnsupportedTokenTypeError")}};ta.errorCode="unsupported_token_type";var ra=class extends _e{static{o(this,"InvalidTokenError")}};ra.errorCode="invalid_token";var na=class extends _e{static{o(this,"MethodNotAllowedError")}};na.errorCode="method_not_allowed";var oa=class extends _e{static{o(this,"TooManyRequestsError")}};oa.errorCode="too_many_requests";var Gr=class extends _e{static{o(this,"InvalidClientMetadataError")}};Gr.errorCode="invalid_client_metadata";var aa=class extends _e{static{o(this,"InsufficientScopeError")}};aa.errorCode="insufficient_scope";var ia=class extends _e{static{o(this,"InvalidTargetError")}};ia.errorCode="invalid_target";var _y={[Wo.errorCode]:Wo,[Lr.errorCode]:Lr,[jr.errorCode]:jr,[Hr.errorCode]:Hr,[Jo.errorCode]:Jo,[Yo.errorCode]:Yo,[Xo.errorCode]:Xo,[Vt.errorCode]:Vt,[Qo.errorCode]:Qo,[ea.errorCode]:ea,[ta.errorCode]:ta,[ra.errorCode]:ra,[na.errorCode]:na,[oa.errorCode]:oa,[Gr.errorCode]:Gr,[aa.errorCode]:aa,[ia.errorCode]:ia};var Ft=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function UO(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(UO,"isClientAuthMethod");var Rl="code",bl="S256";function zO(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&UO(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(zO,"selectClientAuthMethod");function NO(e,t,r,n){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":DO(a,i,r);return;case"client_secret_post":MO(a,i,n);return;case"none":qO(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(NO,"applyClientAuthentication");function DO(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(DO,"applyBasicAuth");function MO(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(MO,"applyPostAuth");function qO(e,t){t.set("client_id",e)}o(qO,"applyPublicAuth");async function Sy(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=hy.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=n,u=_y[a]||Vt;return new u(i||"",s)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new Vt(a)}}o(Sy,"parseErrorResponse");async function _r(e,t){try{return await Cl(e,t)}catch(r){if(r instanceof Lr||r instanceof Hr)return await e.invalidateCredentials?.("all"),await Cl(e,t);if(r instanceof jr)return await e.invalidateCredentials?.("tokens"),await Cl(e,t);throw r}}o(_r,"auth");async function Cl(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),u,d,l,p=a;if(!p&&s?.resourceMetadataUrl&&(p=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(d=s.authorizationServerUrl,u=s.resourceMetadata,l=s.authorizationServerMetadata??await vy(d,{fetchFn:i}),!u)try{u=await wy(t,{resourceMetadataUrl:p},i)}catch{}(l!==s.authorizationServerMetadata||u!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:p?.toString(),resourceMetadata:u,authorizationServerMetadata:l})}else{let I=await BO(t,{resourceMetadataUrl:p,fetchFn:i});d=I.authorizationServerUrl,l=I.authorizationServerMetadata,u=I.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:p?.toString(),resourceMetadata:u,authorizationServerMetadata:l})}let m=await $O(t,e,u),f=n||u?.scopes_supported?.join(" ")||e.clientMetadata.scope,_=await Promise.resolve(e.clientInformation());if(!_){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let I=l?.client_id_metadata_document_supported===!0,N=e.clientMetadataUrl;if(N&&!Tl(N))throw new Gr(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${N}`);if(I&&N)_={client_id:N},await e.saveClientInformation?.(_);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Ye=await WO(d,{metadata:l,clientMetadata:e.clientMetadata,scope:f,fetchFn:i});await e.saveClientInformation(Ye),_=Ye}}let S=!e.redirectUrl;if(r!==void 0||S){let I=await KO(e,d,{metadata:l,resource:m,authorizationCode:r,fetchFn:i});return await e.saveTokens(I),"AUTHORIZED"}let y=await e.tokens();if(y?.refresh_token)try{let I=await ZO(d,{metadata:l,clientInformation:_,refreshToken:y.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(I),"AUTHORIZED"}catch(I){if(!(!(I instanceof _e)||I instanceof Vt))throw I}let w=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:R}=await VO(d,{metadata:l,clientInformation:_,state:w,redirectUrl:e.redirectUrl,scope:f,resource:m});return await e.saveCodeVerifier(R),await e.redirectToAuthorization(v),"REDIRECT"}o(Cl,"authInternal");function Tl(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(Tl,"isHttpsUrl");async function $O(e,t,r){let n=fy(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!gy({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o($O,"selectResourceURL");function Al(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=Il(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=Il(e,"scope")||void 0,u=Il(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:u}}o(Al,"extractWWWAuthenticateParams");function Il(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(Il,"extractFieldFromWwwAuth");async function wy(e,t,r=fetch){let n=await HO(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return ns.parse(await n.json())}o(wy,"discoverOAuthProtectedResourceMetadata");async function kl(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?kl(e,void 0,r):void 0;throw n}}o(kl,"fetchWithCorsRetry");function LO(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(LO,"buildWellKnownPath");async function yy(e,t,r=fetch){return await kl(e,{"MCP-Protocol-Version":t},r)}o(yy,"tryMetadataDiscovery");function jO(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(jO,"shouldAttemptFallback");async function HO(e,t,r,n){let a=new URL(e),i=n?.protocolVersion??Xt,s;if(n?.metadataUrl)s=new URL(n.metadataUrl);else{let d=LO(t,a.pathname);s=new URL(d,n?.metadataServerUrl??a),s.search=a.search}let u=await yy(s,i,r);if(!n?.metadataUrl&&jO(u,a.pathname)){let d=new URL(`/.well-known/${t}`,a);u=await yy(d,i,r)}return u}o(HO,"discoverMetadataWithFallback");function GO(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(GO,"buildDiscoveryUrls");async function vy(e,{fetchFn:t=fetch,protocolVersion:r=Xt}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=GO(e);for(let{url:i,type:s}of a){let u=await kl(i,n,t);if(u){if(!u.ok){if(await u.body?.cancel(),u.status>=400&&u.status<500)continue;throw new Error(`HTTP ${u.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Fo.parse(await u.json()):os.parse(await u.json())}}}o(vy,"discoverAuthorizationServerMetadata");async function BO(e,t){let r,n;try{r=await wy(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await vy(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(BO,"discoverOAuthServerInfo");async function VO(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:i,resource:s}){let u;if(t){if(u=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Rl))throw new Error(`Incompatible auth server: does not support response type ${Rl}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(bl))throw new Error(`Incompatible auth server: does not support code challenge method ${bl}`)}else u=new URL("/authorize",e);let d=await wl(),l=d.code_verifier,p=d.code_challenge;return u.searchParams.set("response_type",Rl),u.searchParams.set("client_id",r.client_id),u.searchParams.set("code_challenge",p),u.searchParams.set("code_challenge_method",bl),u.searchParams.set("redirect_uri",String(n)),i&&u.searchParams.set("state",i),a&&u.searchParams.set("scope",a),a?.includes("offline_access")&&u.searchParams.append("prompt","consent"),s&&u.searchParams.set("resource",s.href),{authorizationUrl:u,codeVerifier:l}}o(VO,"startAuthorization");function FO(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(FO,"prepareAuthorizationCodeRequest");async function Ry(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:i,fetchFn:s}){let u=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(d,r,u,t);else if(n){let p=t?.token_endpoint_auth_methods_supported??[],m=zO(n,p);NO(m,n,d,r)}let l=await(s??fetch)(u,{method:"POST",headers:d,body:r});if(!l.ok)throw await Sy(l);return Zo.parse(await l.json())}o(Ry,"executeTokenRequest");async function ZO(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:i,fetchFn:s}){let u=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await Ry(e,{metadata:t,tokenRequestParams:u,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:n,...d}}o(ZO,"refreshAuthorization");async function KO(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,u;if(e.prepareTokenRequest&&(u=await e.prepareTokenRequest(s)),!u){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let l=await e.codeVerifier();u=FO(a,l,e.redirectUrl)}let d=await e.clientInformation();return Ry(t,{metadata:r,tokenRequestParams:u,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:i})}o(KO,"fetchToken");async function WO(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!s.ok)throw await Sy(s);return Ko.parse(await s.json())}o(WO,"registerClient");var JO=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),YO=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function by(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(by,"parseIpv4Octets");function XO([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(XO,"ipv4RangeMatches");function Cy(e){let t=by(e);return t!==void 0&&YO.some(r=>XO(t,r))}o(Cy,"isPrivateIpv4");function Pl(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(Pl,"parseIpv6Word");function QO(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(QO,"formatIpv4FromWords");function eU(e){let t=e.slice(7),r=by(t);if(r!==void 0)return r.join(".");let[n,a,i]=t.split(":"),s=Pl(n),u=Pl(a);return i===void 0&&s!==void 0&&u!==void 0?QO(s,u):void 0}o(eU,"parseIpv6MappedIpv4");function tU(e){return Pl(e.split(":").find(Boolean))}o(tU,"readFirstIpv6Hextet");function rU(e){let t=ct(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=eU(t);return n===void 0||Cy(n)}let r=tU(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(rU,"isPrivateIpv6");function El(e){let t=ct(e);return JO.has(t)||t.endsWith(".internal")||Cy(t)||rU(t)}o(El,"isBlockedOutboundHostname");function Iy(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);let r=Le(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=ct(t.hostname);if(!r&&El(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(Iy,"validateConfiguredOutboundUrl");function Ty(e){let t=new URL(e);if(t.protocol!=="https:")throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");let r=ct(t.hostname);if(El(r))throw g("invalid_request",`Blocked identity provider host: ${r}`);return t}o(Ty,"validateIdentityProviderUrl");function as(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(El(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(as,"validateCimdClientMetadataUrl");function Ay(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(Ay,"mergeAbortSignals");async function nU(e){try{await e.cancel()}catch{}}o(nU,"cancelReader");async function is(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,i=await r.read();for(;!i.done;){let d=i.value;if(a+=d.byteLength,a>t.maxBytes)throw await nU(r),t.createLimitError();n.push(d),i=await r.read()}let s=new Uint8Array(a),u=0;for(let d of n)s.set(d,u),u+=d.byteLength;return s}o(is,"readBoundedByteStream");var oU=2,aU=1024*1024,iU=1e4,sU=new Set([301,302,303,307,308]),cU=["authorization","proxy-authorization","cookie","cookie2"];function xl(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(xl,"readRequestUrl");function Nn(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(Nn,"readRequestMethod");function uU(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(uU,"assertContentLengthWithinLimit");async function dU(e,t,r){return uU(e,t,r),is(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o(dU,"readBoundedResponseBody");function lU(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(lU,"responseFromBufferedBody");function pU(e,t){if(!sU.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(pU,"resolveRedirectUrl");function ky(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(ky,"validateOutboundUrl");function mU(e,t){throw de(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(mU,"normalizeFetchError");function sa(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&Ae(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(sa,"logOutboundFailure");async function hU(e,t,r,n,a,i,s){let u=Nn(r,n);try{return await t(r,n)}catch(d){let l=d instanceof DOMException&&d.name==="AbortError";sa(e,{event:l?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:u,host:it(i),error:d,extra:{abortReason:s()}}),mU(d,a)}}o(hU,"fetchWithNormalizedError");function fU(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(fU,"assertRedirectAllowed");function gU(e,t){let r=new Headers(e);for(let n of cU)r.delete(n);for(let n of t)r.delete(n);return r}o(gU,"stripCrossOriginHeaders");function _U(e,t,r,n,a){let i={...e,method:t,redirect:"manual",signal:r};return n&&(i.headers=gU(e.headers,a)),i}o(_U,"buildRedirectInit");function yU(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(yU,"buildInitialRequestInit");function SU(e){let t=Nn(e.currentInput,e.currentInit);fU({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=ky(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,i=r.toString();return{currentInput:i,currentUrl:i,currentInit:_U(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(SU,"followRedirect");async function Ol(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??oU,i=r.maxResponseBytes??aU,s=r.timeoutMs??iU,u=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],l=r.context,p=new AbortController,m=Ay(p,t.signal),f=!1,_=setTimeout(()=>{f=!0,p.abort()},s),S=e,y=yU(e,t,p.signal),w;try{w=ky(xl(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(R){throw sa(l,{event:"outbound_url_blocked",problemCode:n,method:Nn(e,t),host:it(xl(e)),error:R}),clearTimeout(_),m?.(),R}let v=0;try{for(;;){let R=await hU(l,u,S,y,n,w,()=>f?`timeout_after_${s}ms`:void 0),I=pU(R,w);if(I!==void 0)try{let N=SU({currentInput:S,currentInit:y,currentUrl:w,redirectUrl:I,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:p.signal,additionalCrossOriginStrippedHeaders:d});S=N.currentInput,y=N.currentInit,w=N.currentUrl,v=N.redirects;continue}catch(N){throw sa(l,{event:"outbound_redirect_blocked",problemCode:n,method:Nn(S,y),host:it(w),error:N,extra:{redirects:v,maxRedirects:a,redirectTargetHost:it(I)}}),N}try{return lU(R,await dU(R,i,n))}catch(N){throw sa(l,{event:"outbound_response_size_exceeded",problemCode:n,method:Nn(S,y),host:it(w),error:N,extra:{maxResponseBytes:i,status:R.status}}),N}}}finally{clearTimeout(_),m?.()}}o(Ol,"runSafeOutboundExchange");async function Ul(e,t,r){let n=await Ol(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw sa(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Nn(e,t),host:it(xl(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(Ul,"runSafeOutboundJsonExchange");function ss(e,t={},r={}){return Ol(e,t,{...r,validateUrl:Iy})}o(ss,"fetchConfiguredOutbound");function Py(e,t={},r={}){return Ul(e,t,{...r,validateUrl:Ty})}o(Py,"fetchIdentityProviderJson");function Ey(e,t={},r={}){return Ul(e,t,{...r,validateUrl:as})}o(Ey,"fetchCimdClientMetadataJson");Y();function zl(e){return`Zuplo MCP Gateway - ${e}`}o(zl,"buildGatewayOAuthClientName");function xy(e,t){let r=new URL(e,re(t));return Le(r)&&ct(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(xy,"buildGatewayOAuthRedirectUri");function Nl(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(Nl,"buildOAuthClientMetadataDocumentUrl");function Oy(e){return re(e)}o(Oy,"requireOAuthClientMetadataOrigin");function Uy(e,t,r){let n=Je(t),a=qr(t,r);return{client_id:Nl({origin:e,upstreamServerId:t,authProfileId:r}),client_name:zl(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(Uy,"buildOAuthClientMetadataDocument");var wU=c.union([Ko,vl]),vU=c.object({authorizationServerUrl:c.url(),resourceMetadataUrl:c.url().optional(),resourceMetadata:ns.optional(),authorizationServerMetadata:c.union([Fo,os]).optional()}).passthrough(),RU="Bearer";function bU(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(bU,"splitScopes");function CU(e){return zi.parse(e)}o(CU,"parsePkceCodeVerifier");function IU(e){if(typeof e.expires_in=="number")return O(new Date(Date.now()+e.expires_in*1e3))}o(IU,"readTokenExpiry");async function zy(e){if(e!==void 0)return $r(JSON.stringify(e))}o(zy,"encryptJson");async function Ny(e,t){if(!e)return;let r=await Bt(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(Ny,"decryptJson");function TU(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(TU,"toOAuthDiscoveryState");function AU(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(AU,"clientInformationAllowsRedirectUri");function kU(e,t,r){let n=Je(e),a=qr(e,t),i;return a.scopes.length>0&&(i=a.scopes.join(a.scopeDelimiter)),{client_name:zl(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}o(kU,"buildOAuthClientMetadata");function PU(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return Ko.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(PU,"buildManualOAuthClientInformation");function EU(e,t,r){let n=Nl({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return Tl(n)?n:void 0}o(EU,"buildClientMetadataUrl");function Dy(e){for(let t of e)if(t!==void 0)return t}o(Dy,"firstDefined");function xU(e){let t=qr(e.target.upstreamServerId,e.target.authProfileId),r=kU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:PU({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=EU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(xU,"buildInitialOAuthClientSetup");function OU(e,t){if(t===void 0)return Dy([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(OU,"readEncryptedClientInformation");function UU(e){return Dy([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(UU,"readEncryptedDiscoveryState");var Br=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=xU({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=OU(t,this.configuredClientInformation),this.encryptedDiscoveryState=UU(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return X_({id:t.id,...Go({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await zy(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await zy(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Zo.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??Bi(),tenantId:this.target.owner.tenantId,ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await $r(r.access_token),encryptedRefreshToken:r.refresh_token?await $r(r.refresh_token):void 0,scopes:bU(r.scope??this.clientMetadataValue.scope),expiresAt:IU(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await q().upstreamConnectionRepository.upsert(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:CU(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Lg(),...Go({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:O(new Date(Date.now()+W_)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="tenant_shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await q().oauthStateStore.save(t),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await Ny(this.encryptedClientInformation,wU)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!AU(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=TU(await Ny(this.encryptedDiscoveryState,vU))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=Zo.parse({access_token:await Bt(this.connection.encryptedAccessToken),token_type:RU,refresh_token:this.connection.encryptedRefreshToken?await Bt(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,tenantId:this.connection.tenantId,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await q().upstreamConnectionRepository.upsert(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var zU=1e4,NU=256*1024,DU=2;function MU(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(MU,"hasUsableAccessToken");var qU="does not support dynamic client registration";function $U(e){return e instanceof Error&&e.message.includes(qU)}o($U,"isDynamicClientRegistrationUnsupported");function LU(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(LU,"readOAuthFetchRequest");function jU(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(jU,"responseLooksJson");function My(e){return async(t,r)=>{let n=LU(t),a=await ss(t,r,{maxRedirects:DU,maxResponseBytes:NU,problemCode:"upstream_token_exchange_failed",timeoutMs:zU}),i=await a.clone().text();if(!jU(a,i))return a;try{JSON.parse(i)}catch(s){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,s)}return a}}o(My,"createUpstreamOAuthFetch");async function qy(e,t){try{return await _r(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:My(t.upstreamServerId)})}catch(r){throw $U(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(qy,"runUpstreamOAuth");async function HU(e,t){return _r(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:My(t.upstreamServerId)})}o(HU,"exchangeUpstreamAuthorizationCode");async function $y(e,t){let r=await qy(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o($y,"requireUpstreamAuthorizationRedirect");async function Ly(e){if(MU(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await qy(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await ZU({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(Ly,"authorizeUpstreamOAuthSession");async function GU(e){let t=await Qi(e.stateToken),r=await q().oauthStateStore.consumeForCallback(t.id),n=BU(r);return VU({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),FU(n),n}o(GU,"consumeStoredCallbackState");function BU(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(BU,"readConsumedCallbackState");function VU(e){if(![e.storedState.tenantId===e.signedState.tenantId,e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(VU,"assertStoredCallbackStateMatches");function FU(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(FU,"assertStoredCallbackStateFresh");async function ZU(e){if(e.owner.mode==="tenant_shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),ry(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),On(t)}o(ZU,"buildOAuthConnectRequiredResponse");async function jy(e){let t=await GU({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Pn(t),[n]=await q().upstreamConnectionRepository.batchGet([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let i=new Br(a),s=await HU(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(jy,"finishUpstreamOAuthCallback");async function Hy(e){let t=Je(e.upstreamServerId),r=qr(e.upstreamServerId,e.authProfileId),n=xy(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await q().upstreamConnectionRepository.batchGet([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:re(e.request.url)}}}o(Hy,"prepareUpstreamOAuthRequest");async function Gy(e){let t=await Hy(e),r=new Br({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return $y(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(Gy,"startUpstreamConnect");async function By(e){let t=await Hy(e),r=new Br({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return Ly({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(By,"authorizeUpstreamRequest");function KU(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(KU,"resolveStaticSecretCredential");async function Vy(e){let{routeAuth:t}=e;switch(t.authMode){case"tenant_shared_oauth":case"user_oauth":return By({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"tenant_static_secret":return cy({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"static_secret":{let n=hr({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static_secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:KU(n.secret,t.upstreamServerId)}}case"user_static_secret":return ly({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(Vy,"resolveUpstreamCredentialForRoute");async function Fy(e){let t=mr(e.principal.tenantId,e.principal.subjectId),r=st().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user_static_secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await rs({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(Fy,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function Zy(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=At(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await Gy(r);break;case"user_static_secret_capture":t=await py(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(Zy,"startUpstreamConnectForRequest");async function Ky(e){let r=(await Qi(e.callbackRequest.state)).authProfileId,n=hr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(At(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return jy({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Je(e.callbackRequest.upstreamServerId)})}o(Ky,"finishUpstreamCallbackForRequest");var cs=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=tr,n){let a=this._client,i={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},s=a.requestStream({method:"tools/call",params:t},r,i),u=a.getToolOutputValidator(t.name);for await(let d of s){if(d.type==="result"&&u){let l=d.result;if(!l.structuredContent&&!l.isError){yield{type:"error",error:new A(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(l.structuredContent)try{let p=u(l.structuredContent);if(!p.valid){yield{type:"error",error:new A(k.InvalidParams,`Structured content does not match the tool's output schema: ${p.errorMessage}`)};return}}catch(p){if(p instanceof A){yield{type:"error",error:p};return}yield{type:"error",error:new A(k.InvalidParams,`Failed to validate structured content: ${p instanceof Error?p.message:String(p)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function us(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let i=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(i,"default")&&(r[a]=i.default),r[a]!==void 0&&us(i,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&us(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&us(r,t)}}o(us,"applyElicitationDefaults");function WU(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(WU,"getSupportedElicitationModes");var ds=class extends tn{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new Sn,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",dc,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",sc,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",Xs,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new cs(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Oa(this._capabilities,t)}setRequestHandler(t,r){let a=Jr(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(Jt(a)){let u=a;i=u._zod?.def?.value??u.value}else{let u=a;i=u._def?.value??u.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");let s=i;if(s==="elicitation/create"){let u=o(async(d,l)=>{let p=Me(mc,d);if(!p.success){let R=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid elicitation request: ${R}`)}let{params:m}=p.data;m.mode=m.mode??"form";let{supportsFormMode:f,supportsUrlMode:_}=WU(this._capabilities.elicitation);if(m.mode==="form"&&!f)throw new A(k.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!_)throw new A(k.InvalidParams,"Client does not support URL-mode elicitation requests");let S=await Promise.resolve(r(d,l));if(m.task){let R=Me(Nt,S);if(!R.success){let I=R.error instanceof Error?R.error.message:String(R.error);throw new A(k.InvalidParams,`Invalid task creation result: ${I}`)}return R.data}let y=Me(rr,S);if(!y.success){let R=y.error instanceof Error?y.error.message:String(y.error);throw new A(k.InvalidParams,`Invalid elicitation result: ${R}`)}let w=y.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&w.action==="accept"&&w.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{us(v,w.content)}catch{}return w},"wrappedHandler");return super.setRequestHandler(t,u)}if(s==="sampling/createMessage"){let u=o(async(d,l)=>{let p=Me(pc,d);if(!p.success){let w=p.error instanceof Error?p.error.message:String(p.error);throw new A(k.InvalidParams,`Invalid sampling request: ${w}`)}let{params:m}=p.data,f=await Promise.resolve(r(d,l));if(m.task){let w=Me(Nt,f);if(!w.success){let v=w.error instanceof Error?w.error.message:String(w.error);throw new A(k.InvalidParams,`Invalid task creation result: ${v}`)}return w.data}let S=m.tools||m.toolChoice?to:vr,y=Me(S,f);if(!y.success){let w=y.error instanceof Error?y.error.message:String(y.error);throw new A(k.InvalidParams,`Invalid sampling result: ${w}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,u)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:Xt,capabilities:this._capabilities,clientInfo:this._clientInfo}},Bs,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!Qt.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){gi(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&_i(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},zt,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},hc,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},zt,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},ic,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},ec,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},Zs,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},Ks,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},Ys,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},zt,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},zt,r)}async callTool(t,r=tr,n){if(this.isToolTaskRequired(t.name))throw new A(k.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),i=this.getToolOutputValidator(t.name);if(i){if(!a.structuredContent&&!a.isError)throw new A(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let s=i(a.structuredContent);if(!s.valid)throw new A(k.InvalidParams,`Structured content does not match the tool's output schema: ${s.errorMessage}`)}catch(s){throw s instanceof A?s:new A(k.InvalidParams,`Failed to validate structured content: ${s instanceof Error?s.message:String(s)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},uc,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let i=Hp.safeParse(n);if(!i.success)throw new Error(`Invalid ${t} listChanged options: ${i.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:s,debounceMs:u}=i.data,{onChanged:d}=n,l=o(async()=>{if(!s){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let f=m instanceof Error?m:new Error(String(m));d(f,null)}},"refresh"),p=o(()=>{if(u){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let f=setTimeout(l,u);this._listChangedDebounceTimers.set(t,f)}else l()},"handler");this.setNotificationHandler(r,p)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function ls(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(ls,"normalizeHeaders");function Wy(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...ls(t.headers),...ls(n.headers)}:t.headers};return e(r,a)}:e}o(Wy,"createFetchWithInit");var ps=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function Dl(e){}o(Dl,"noop");function Jy(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=Dl,onError:r=Dl,onRetry:n=Dl,onComment:a}=e,i="",s=!0,u,d="",l="";function p(y){let w=s?y.replace(/^\xEF\xBB\xBF/,""):y,[v,R]=JU(`${i}${w}`);for(let I of v)m(I);i=R,s=!1}o(p,"feed");function m(y){if(y===""){_();return}if(y.startsWith(":")){a&&a(y.slice(y.startsWith(": ")?2:1));return}let w=y.indexOf(":");if(w!==-1){let v=y.slice(0,w),R=y[w+1]===" "?2:1,I=y.slice(w+R);f(v,I,y);return}f(y,"",y)}o(m,"parseLine");function f(y,w,v){switch(y){case"event":l=w;break;case"data":d=`${d}${w}
-`;break;case"id":u=w.includes("\0")?void 0:w;break;case"retry":/^\d+$/.test(w)?n(parseInt(w,10)):r(new ps(`Invalid \`retry\` value: "${w}"`,{type:"invalid-retry",value:w,line:v}));break;default:r(new ps(`Unknown field "${y.length>20?`${y.slice(0,20)}\u2026`:y}"`,{type:"unknown-field",field:y,value:w,line:v}));break}}o(f,"processField");function _(){d.length>0&&t({id:u,event:l||void 0,data:d.endsWith(`
-`)?d.slice(0,-1):d}),u=void 0,d="",l=""}o(_,"dispatchEvent");function S(y={}){i&&y.consume&&m(i),s=!0,u=void 0,d="",l="",i=""}return o(S,"reset"),{feed:p,reset:S}}o(Jy,"createParser");function JU(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
-`,n),s=-1;if(a!==-1&&i!==-1?s=Math.min(a,i):a!==-1?a===e.length-1?s=-1:s=a:i!==-1&&(s=i),s===-1){r=e.slice(n);break}else{let u=e.slice(n,s);t.push(u),n=s+1,e[n-1]==="\r"&&e[n]===`
-`&&n++}}return[t,r]}o(JU,"splitLines");var ms=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=Jy({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var YU={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},yr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},hs=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=Wy(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??YU}async _authThenStart(){if(!this._authProvider)throw new Ft("No auth provider");let t;try{t=await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new Ft;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=ls(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new yr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,u=!1,d=!1;o(async()=>{try{let p=t.pipeThrough(new TextDecoderStream).pipeThrough(new ms({onRetry:o(_=>{this._serverRetryMs=_},"onRetry")})).getReader();for(;;){let{value:_,done:S}=await p.read();if(S)break;if(_.id&&(s=_.id,u=!0,a?.(_.id)),!!_.data&&(!_.event||_.event==="message"))try{let y=wr.parse(JSON.parse(_.data));ut(y)&&(d=!0,i!==void 0&&(y.id=i)),this.onmessage?.(y)}catch(y){this.onerror?.(y)}}(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(p){if(this.onerror?.(new Error(`SSE stream disconnected: ${p}`)),(n||u)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(_){this.onerror?.(new Error(`Failed to reconnect: ${_ instanceof Error?_.message:String(_)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new Ft("No auth provider");if(await _r(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:St(t)?t.id:void 0}).catch(f=>this.onerror?.(f));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},u=await(this._fetch??fetch)(this._url,s),d=u.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!u.ok){let f=await u.text().catch(()=>null);if(u.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new yr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:_,scope:S}=Al(u);if(this._resourceMetadataUrl=_,this._scope=S,await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft;return this._hasCompletedAuthFlow=!0,this.send(t)}if(u.status===403&&this._authProvider){let{resourceMetadataUrl:_,scope:S,error:y}=Al(u);if(y==="insufficient_scope"){let w=u.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===w)throw new yr(403,"Server returned 403 after trying upscoping");if(S&&(this._scope=S),_&&(this._resourceMetadataUrl=_),this._lastUpscopingHeader=w??void 0,await _r(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new Ft;return this.send(t)}}throw new yr(u.status,`Error POSTing to endpoint: ${f}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,u.status===202){await u.body?.cancel(),Np(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(f=>this.onerror?.(f));return}let p=(Array.isArray(t)?t:[t]).filter(f=>"method"in f&&"id"in f&&f.id!==void 0).length>0,m=u.headers.get("content-type");if(p)if(m?.includes("text/event-stream"))this._handleSseStream(u.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let f=await u.json(),_=Array.isArray(f)?f.map(S=>wr.parse(S)):[wr.parse(f)];for(let S of _)this.onmessage?.(S)}else throw await u.body?.cancel(),new yr(-1,`Unexpected content type: ${m}`);else await u.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new yr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function Yy(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(Yy,"resolveNativeMcpRequestHeaders");var XU={name:"zuplo-mcp-gateway",version:"0.1.0"},QU=5,e0=500,eS=3e4,t0=2*1024*1024,r0=2;function Xy(){return performance.now()/1e3}o(Xy,"nowSeconds");function n0(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(n0,"readServerPort");function o0(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:n0(e)}}o(o0,"buildNativeMcpOperationContext");function Dn(e){return dg(e)}o(Dn,"withTraceMeta");function Ml(e){if(e>e0)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(Ml,"assertImportedCapabilityBudget");function Qy(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(Qy,"buildRequestInit");function a0(e){return(t,r)=>ss(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:r0,maxResponseBytes:t0,problemCode:"upstream_capability_invocation_failed",timeoutMs:eS})}o(a0,"createNativeMcpFetch");function i0(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},eS);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(i0,"withNativeMcpRequestTimeout");function s0(e,t=[]){let r=Yy(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:a0(a)};if(!e)return{...i,...Qy(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...Qy(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(s0,"buildNativeMcpTransportOptions");async function Mn(e,t,r){let{transport:n}=Je(e),a=new URL(n.baseUrl),i=new hs(a,s0(r,n.requestHeaders)),s=new ds(XU,{capabilities:{}});return i0((async()=>{let u=Xy();await s.connect(i);let d=i.sessionId,l=o0(a,d);try{return await t(s,l)}finally{if(i.sessionId)try{await i.terminateSession()}catch{}await s.close(),d&&lg(l,Xy()-u)}})())}o(Mn,"withNativeMcpClient");async function c0(e,t,r){let n=[],a,i=0;do{if(i>=QU)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(c0,"collectPaginatedSdkItems");async function ql(e){return e.enabled?c0(e.label,e.fetchPage,e.readItems):[]}o(ql,"listNativeMcpCapabilityItems");async function tS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"tools/list",...r},()=>ql({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Ml(a.length),{tools:a}},e.credential)}o(tS,"listNativeMcpTools");async function rS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"prompts/list",...r},()=>ql({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Ml(a.length),{prompts:a}},e.credential)}o(rS,"listNativeMcpPrompts");async function nS(e){return Mn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"resources/list",...r},()=>ql({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(Dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Ml(a.length),{resources:a}},e.credential)}o(nS,"listNativeMcpResources");async function oS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(Dn(e.params))),e.credential)}o(oS,"callNativeMcpTool");async function aS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(Dn(e.params))),e.credential)}o(aS,"getNativeMcpPrompt");async function iS(e){return Mn(e.upstreamServerId,(t,r)=>Ur({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(Dn(e.params))),e.credential)}o(iS,"readNativeMcpResource");var ca=class extends A{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(k.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function u0(e){return{content:[{type:"text",text:e}],isError:!0}}o(u0,"buildToolErrorResult");function d0(e){return e.authUrl?new Yt([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new ca(e)}o(d0,"toConnectRequiredError");function l0(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(l0,"buildCredentialResolvedAttributes");function p0(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:l0(e.credential)})}o(p0,"emitCredentialResolvedAnalyticsEvent");function m0(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}o(m0,"emitCredentialMissingAnalyticsEvent");function h0(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):Dr({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(h0,"readRouteBindingCredentialCacheKey");function f0(e){return typeof e.authorizeAndLoadConnections=="function"}o(f0,"isRuntimeHttpCompositeAuthorizationRepository");function cS(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(cS,"readOwnedRouteBindingLookup");async function g0(e){let t=q().downstreamOAuthRepository;if(!f0(t))return new Map;let r=ul(e.request);if(!r)return new Map;let n=new Map;for(let u of e.routeBindings){let d=cS(u);d!==void 0&&n.set(Dr(d),d)}if(n.size===0)return new Map;let a=[...n.values()],i=await t.authorizeAndLoadConnections({accessTokenHash:await F(r),resource:Nr(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:a,now:O(new Date)});if(i.kind!=="authorized")return new Map;let s=new Map;return i.upstreamConnections.forEach((u,d)=>{let l=a[d];l!==void 0&&s.set(Dr(l),u.connection)}),s}o(g0,"preloadCompositeAuthorizedConnections");function _0(e){let t=new Map;return r=>{let n=h0(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,u=cS(r),d=u===void 0?void 0:Dr(u),l=await Vy({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(l.kind==="connect_required")throw m0({context:e.context,payload:l.payload,routeBinding:r}),d0(l.payload);return p0({context:e.context,credential:l.credential,routeBinding:r}),l.credential})();return t.set(n,i),i}}o(_0,"createCredentialResolver");var sS=500;function y0(e){return e.length<=sS?e:`${e.slice(0,sS)}...`}o(y0,"truncateAnalyticsDetail");function S0(e){We(e.context,{eventType:H.MCP_GATEWAY_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0})}o(S0,"emitToolInvocationCompletedAnalyticsEvent");function w0(e){return e instanceof Yt||e instanceof ca?{eventType:H.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof A&&e.code===k.InvalidParams?{eventType:H.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:H.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(w0,"classifyToolInvocationFailure");function v0(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=w0(e.error);We(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,attributes:{detail:y0(t)}})}o(v0,"emitToolInvocationFailedAnalyticsEvent");var R0=256*1024;function b0(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new A(k.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>R0)throw new A(k.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(b0,"assertToolArgumentsWithinLimit");function $l(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new A(k.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o($l,"findBindingForPublishedCapability");function qn(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new A(k.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(qn,"requireSingleTransparentBinding");function C0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(C0,"resolvePublishedToolRoute");function I0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(I0,"resolvePublishedPromptRoute");function T0(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:qn(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new A(k.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:$l({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(T0,"resolvePublishedResourceRoute");function uS(e){let t=g0({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=_0({context:e.context,preloadedConnections:t,request:e.request});return{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{tools:e.publishedVirtualServer.catalog.tools.filter(a=>a.enabled!==!1).map(ki)};let n=qn(e);return tS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async callTool(n){let a=C0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:n.name});try{b0(n);let i=await r(a.binding),s=await oS({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:i});return S0({context:e.context,routeBinding:a.binding,toolName:n.name,result:s}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,isError:s.isError===!0},"Upstream tool invocation completed"),s}catch(i){if(v0({context:e.context,routeBinding:a.binding,toolName:n.name,error:i}),i instanceof Yt||i instanceof ca)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:n.name,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,ownerMode:a.binding.ownerMode,hasAuthUrl:i instanceof Yt},"Upstream tool invocation requires user to complete a connect flow"),i;let s={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId};return i instanceof A&&(s.mcpErrorCode=i.code),i instanceof Error?(s.errorName=i.name,s.errorMessage=i.message,i.cause instanceof Error&&(s.causeName=i.cause.name,s.causeMessage=i.cause.message)):s.errorMessage=String(i),e.context.log.warn(s,"Upstream tool invocation failed; returning generic gateway error to MCP client"),u0(Fe("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{prompts:e.publishedVirtualServer.catalog.prompts.filter(a=>a.enabled!==!1).map(Pi)};let n=qn(e);return rS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async getPrompt(n){let a=I0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:n.name});return aS({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:await r(a.binding)})},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resources:e.publishedVirtualServer.catalog.resources.filter(a=>a.enabled!==!1).map(Ei)};let n=qn(e);return nS({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async readResource(n){let a=T0({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:n.uri});return iS({upstreamServerId:a.binding.upstreamServerId,params:{...n,uri:a.upstreamUri},credential:await r(a.binding)})}}}o(uS,"createCapabilityDispatcher");var A0="0.1.0",lS="POST",k0="POST, OPTIONS";function Ll(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:lS}})}o(Ll,"jsonRpcMethodNotAllowedResponse");function P0(e){let t={Allow:lS},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=k0;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(P0,"buildOptionsResponse");function $n(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o($n,"readJsonRpcRequestId");function jl(e){return e&&typeof e=="object"?e.params:void 0}o(jl,"readMcpRequestParams");function dS(e,t){return e.headers.get(t)??void 0}o(dS,"readMcpHeader");function E0(e){return{mcpProtocolVersion:dS(e,"mcp-protocol-version")??Or,mcpSessionId:dS(e,"mcp-session-id")}}o(E0,"buildServerTelemetryBase");function x0(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Or),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(x0,"ensureProtocolVersionHeader");async function Hl(e,t){if(e.method==="OPTIONS")return P0(e);if(e.method==="GET")return Ll("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return Ll("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return Ll("Only POST is supported by this virtual MCP server.");let r=Rn(t),n=Yf(r.virtualServerId),a=mg(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=E0(e),s=uS({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),u=re(e.url),d=new Si({enableDnsRebindingProtection:!0,allowedOrigins:[u]}),l=new yi(n.catalog.serverInfo??{name:r.virtualServerId,version:A0},{capabilities:{prompts:{},resources:{},tools:{}}});l.setRequestHandler(cc,async m=>zr({methodName:"tools/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listTools())),l.setRequestHandler(Qn,async m=>zr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.callTool(m.params))),l.setRequestHandler(Qs,async m=>zr({methodName:"prompts/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listPrompts())),l.setRequestHandler(tc,async m=>zr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.getPrompt(m.params))),l.setRequestHandler(Fs,async m=>zr({methodName:"resources/list",params:jl(m),jsonRpcRequestId:$n(m),...i},()=>s.listResources())),l.setRequestHandler(Js,async m=>zr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:$n(m),...i},()=>s.readResource(m.params))),await l.connect(d);let p=await d.handleRequest(e);return x0(p)}o(Hl,"virtualServerHandler");async function O0(e,t){return Wt("handler.mcp-virtual-server"),Hl(e,t)}o(O0,"McpVirtualServerHandler");var Ln={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},U0="oauth-protected-resource-metadata",z0="/.well-known/oauth-protected-resource/";function N0(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(N0,"readRouteOperationId");function D0(e){return e.hasGatewayRouteContext?Ln.VIRTUAL_MCP_SERVER:e.routeOperationId===U0||e.routeOperationId===void 0&&e.routePath.startsWith(z0)?Ln.OAUTH_PROTECTED_RESOURCE_METADATA:Ln.OTHER}o(D0,"classifyAnalyticsRouteSurface");function M0(e){let t=e.route.path;return{routePath:t,routeSurface:D0({routePath:t,routeOperationId:N0(e),hasGatewayRouteContext:No(e)!==void 0})}}o(M0,"readAnalyticsRequestContext");function q0(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Ln.VIRTUAL_MCP_SERVER}o(q0,"isIntentionalMethodRejection");function $0(e){return q0(e)||e.response.status===401&&e.routeSurface===Ln.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o($0,"classifyRequestCompletedOutcome");async function Gl(e,t){let r=Date.now(),n=M0(t);return t.addResponseSendingFinalHook(a=>{let i=$0({response:a,routeSurface:n.routeSurface});We(t,{eventType:H.MCP_GATEWAY_REQUEST_COMPLETED,outcome:i,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(Gl,"analyticsContextInbound");function L0(e){return e instanceof Response}o(L0,"isResponse");var pS="/mcp/";function j0(e){let t=e.route.path;if(!t.startsWith(pS))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(pS.length);if(!r||r.includes("/"))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(j0,"readVirtualServerIdFromRoute");async function ua(e,t){let n={virtualServerId:me.parse(j0(t))};eg(t,n),zf(t,n);let a=await Gl(e,t);return L0(a)?a:dl(a,t)}o(ua,"mcpOAuthInboundPolicy");var H0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-auth0-oauth"),ua(e,t)),"McpAuth0OAuthInboundPolicy");function G0(e){let t=`https://${e.auth0Domain}/`,r=`https://${e.auth0Domain}/.well-known/jwks.json`,n=`https://${e.auth0Domain}/authorize`,a=`https://${e.auth0Domain}/oauth/token`;return Ui({oidc:{issuer:t,jwksUrl:r,audience:e.audience},browserLogin:{url:n,tokenUrl:a,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",audience:e.audience,...e.browserLoginOverrides??{}},gateway:e.gateway,devTenantId:e.devTenantId})}o(G0,"buildAuth0McpOAuthRuntimeConfig");var B0={policyType:"mcp-auth0-oauth-inbound",displayName:"MCP OAuth (Auth0)",getConfig(e){return G0(e)}};Ci(B0);var V0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-oauth"),ua(e,t)),"McpOAuthInboundPolicy"),F0={policyType:"mcp-oauth-inbound",displayName:"MCP OAuth",getConfig(e){return Ui(e)}};Ci(F0);function Z0(e){let t=At(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(Z0,"buildRouteAuthBaseFromConnection");function hS(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=At(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:vn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(hS,"buildRouteAuthBaseFromPolicyOptions");function fS(e,t){let n=st().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return Z0({connection:a,virtualServerId:t})}o(fS,"resolveRouteAuthBase");function mS(e,t){switch(e){case"user":return mr(t.tenantId,t.subjectId);case"tenant_shared":return Hi(t.tenantId)}}o(mS,"buildOwnerForPrincipal");function fs(e,t){switch(e.ownerMode){case"tenant_shared":return{...e,owner:mS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:mS(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(fs,"resolveRouteAuthForPrincipal");function K0(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return Ri.parse(r)}o(K0,"readSingleAuthMode");function gS(e){return Tt.parse(e)}o(gS,"buildToolNamePrefixFromConnectionId");async function Bl(e,t,r,n){let a=Ai(r,n),i=K0({policyName:n,connection:a}),s=Rn(t),u=hS({connection:a,virtualServerId:s.virtualServerId,authMode:i});if(u.ownerMode==="none")return Pd(t,{...u,connectionPolicyName:n,toolNamePrefix:gS(a.id)}),e;let d=Tg(t);return d.tenantId?(Pd(t,{...fs(u,d),connectionPolicyName:n,toolNamePrefix:gS(a.id)}),e):Ze(e,t,{code:"forbidden",detail:"Upstream credentials for this virtual server require an authenticated tenant.",headers:{"WWW-Authenticate":An({virtualServerId:s.virtualServerId,requestUrl:e.url,error:"insufficient_scope",errorDescription:"The access token is missing tenant context required by this virtual server.",scope:ce})}})}o(Bl,"mcpUpstreamConnectionPolicy");var W0=o(async(e,t,r,n)=>(Wt("policy.inbound.mcp-upstream-connection"),Bl(e,t,r,n)),"McpUpstreamConnectionInboundPolicy");Y();Y();var _S="application/json",J0="application/x-www-form-urlencoded";function Y0(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(Y0,"normalizeContentType");function X0(e,t){return e===t?!0:t===_S&&e.endsWith("+json")}o(X0,"contentTypeMatches");function Q0(e,t){if(!t||t.length===0)return;let r=Y0(e.headers.get("content-type"));if(!t.some(n=>X0(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(Q0,"assertExpectedContentType");function ez(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(ez,"assertContentLengthWithinLimit");async function yS(e,t){let r=t.label??"Request body";Q0(e,t.expectedContentTypes),ez(e,t.maxBytes,r);let n=await is(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(yS,"readBoundedTextBody");async function SS(e,t){let r=await yS(e,{...t,expectedContentTypes:[_S]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(SS,"readBoundedJsonBody");async function gs(e,t){let r=await yS(e,{...t,expectedContentTypes:[J0]});return new URLSearchParams(r)}o(gs,"readBoundedFormUrlEncodedBody");var wS=Symbol("Html");function tz(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(tz,"escapeHtml");function rz(e){return e===null||typeof e!="object"?!1:e[wS]===!0}o(rz,"isHtml");function vS(e){return e==null||e===!1?"":Array.isArray(e)?e.map(vS).join(""):rz(e)?e.value:tz(String(e))}o(vS,"renderValue");function yt(e){return{[wS]:!0,value:e}}o(yt,"trustedHtml");var ye=yt("");function x(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=vS(t[n]),r+=e[n+1]??"";return yt(r)}o(x,"html");function Zt(e){return e.value}o(Zt,"renderHtml");var nz="text/html; charset=utf-8";function RS(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":nz,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(RS,"apiKeyLoginHtmlResponse");function Vl(e=401){return RS(x`<!doctype html><html><head><title>Login failed</title></head><body><main><h1>Login failed</h1><p>The API key could not be verified. Start the authorization flow again.</p></main></body></html>`,e)}o(Vl,"apiKeyLoginFailureResponse");function bS(e){return RS(x`<!doctype html><html><head><title>API key login</title></head><body><main><h1>API key login</h1><form method="post" action="/oauth/api-key-login" autocomplete="off"><input type="hidden" name="state" value="${e}"><label for="apiKey">API key</label><input id="apiKey" name="apiKey" type="password" required autocomplete="off"><button type="submit">Continue</button></form></main></body></html>`)}o(bS,"renderApiKeyLoginForm");Y();Y();import{errors as zS,jwtVerify as NS,SignJWT as DS}from"jose";Y();import{errors as hz,jwtVerify as fz,SignJWT as gz}from"jose";function Sr(e){let t=ve().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(Sr,"requireBrowserLoginField");function _s(e){if(!e.tenantId)throw g("identity_context_missing","Gateway OAuth browser login requires a tenant-scoped principal.");return{...e,tenantId:e.tenantId}}o(_s,"requireTenantScopedBrowserPrincipal");Y();import{createRemoteJWKSet as oz,errors as da,jwtVerify as az}from"jose";var iz=c.object({id_token:c.string().min(1),token_type:c.string().min(1).optional(),expires_in:c.number().optional(),access_token:c.string().min(1).optional(),refresh_token:c.string().min(1).optional(),scope:c.string().min(1).optional()}),sz=c.object({error:c.string().min(1).optional(),error_description:c.string().min(1).optional(),error_uri:c.string().min(1).optional()});function cz(e){let t=sz.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(cz,"readIdpErrorFields");function uz(e){return e instanceof da.JWTExpired?"expired":e instanceof da.JWTClaimValidationFailed?"claim":e instanceof da.JWSSignatureVerificationFailed?"signature":e instanceof da.JWKSNoMatchingKey?"jwks_no_match":e instanceof da.JWTInvalid?"invalid":e instanceof c.ZodError?"schema":"other"}o(uz,"readJwtFailureKind");var dz=c.object({sub:X,nonce:c.string().min(1)}).catchall(c.unknown()),Fl;function lz(e){return e instanceof Error&&"cause"in e?e.cause:e}o(lz,"readErrorCause");function pz(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(pz,"readRuntimeGatewayCode");function mz(){if(!Fl){let e=ve();Fl=oz(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Fl}o(mz,"readFederatedJwks");async function CS(e){let t=ve(),r=Sr("tokenUrl"),n=Sr("clientId"),a=Sr("clientSecret"),i=new URL("/oauth/callback",gt(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:u,json:d}=await Py(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!u.ok){let f=cz(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:it(r),idpStatus:u.status,...f},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${u.status}${f.idpError?` idp_error=${f.idpError}`:""}${f.idpErrorDescription?` idp_error_description=${f.idpErrorDescription}`:""})`)})}let l=iz.parse(d),p;try{({payload:p}=await az(l.id_token,mz(),{issuer:t.oidc.issuer,audience:n}))}catch(f){let _={};throw Ae(_,"error",f),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:uz(f),idpHost:it(r),expectedIssuer:t.oidc.issuer,..._},"Federated id_token failed jose verification"),f}if(p.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:it(r),nonceMissingFromIdToken:p.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=dz.parse(p);return _s(Tn({sub:m.sub,data:m},e.requestUrl))}catch(u){let d=de(u)??pz(u);throw d!==void 0&&d!=="browser_login_verification_failed"?u:g("browser_login_verification_failed","Federated browser login callback could not be verified.",lz(u))}}o(CS,"exchangeFederatedAuthorizationCode");var Kl="zuplo_mcp_session",IS="HS256",TS="zuplo-mcp-gateway",AS="zuplo-mcp-gateway",_z=c.object({purpose:c.literal("gateway_browser_session"),sub:X,tenantId:ue,browserLoginOrigin:c.string().min(1),roles:c.array(c.string().min(1)).optional(),exp:c.number().int().positive(),iat:c.number().int().positive().optional()});function yz(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(yz,"parseCookieHeader");async function kS(){return kt({purpose:"browser-session",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-session"),"derive")})}o(kS,"getBrowserSessionKey");function Zl(e){let t=new URL(re(e)),r=[`${Kl}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Zl,"buildBrowserSessionEvictionCookie");function Sz(e){let t=new URL(re(e.requestUrl)),r=[`${Kl}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Sz,"serializeSessionCookie");function PS(e={}){return new URL(Sr("url")).origin}o(PS,"readBrowserLoginOrigin");function Wl(){return ve().browserLogin.stateTtlSeconds}o(Wl,"readBrowserLoginStateTtlSeconds");function ES(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return _s(Tn(e.user,e.url))}o(ES,"resolveCurrentRequestPrincipal");async function ys(e,t={}){let r=yz(e.headers.get("cookie")).get(Kl);if(!r)return{};try{let{payload:n}=await fz(r,await kS(),{algorithms:[IS],issuer:TS,audience:AS}),a=_z.parse(n);if(a.browserLoginOrigin!==PS(t))return{evictCookie:Zl(e.url)};let i={subjectId:a.sub,tenantId:a.tenantId};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof hz.JWTExpired?{evictCookie:Zl(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Zl(e.url)})}}o(ys,"readBrowserSession");async function la(e){let t=ve().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,tenantId:e.principal.tenantId,browserLoginOrigin:PS({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new gz(r).setProtectedHeader({alg:IS,typ:"JWT"}).setIssuer(TS).setAudience(AS).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await kS());return Sz({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(la,"createBrowserSessionCookie");async function xS(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(xS,"resolveApiKeyBrowserLoginPrincipal");async function OS(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await ys(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return CS({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(OS,"resolveBrowserLoginCallbackPrincipal");function US(e){let t=ve().browserLogin,r=new URL(Sr("url")),n=new URL("/oauth/callback",gt(e.requestUrl));return yg(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",Sr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(US,"buildBrowserLoginUrl");var MS=5*60,wz=["mcp_user"],Ss="HS256",ws="zuplo-mcp-gateway",vs="zuplo-mcp-gateway",vz=c.object({purpose:c.literal("gateway_browser_login"),transactionId:je,stateId:Di,exp:c.number().int().positive(),iat:c.number().int().positive().optional()}),Rz=c.object({purpose:c.literal("gateway_authorization_setup"),transactionId:je,stateId:Di,exp:c.number().int().positive(),iat:c.number().int().positive().optional()});async function qS(){return kt({purpose:"browser-login",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"browser-login"),"derive")})}o(qS,"getBrowserLoginKey");async function $S(){return kt({purpose:"authorization-csrf",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>fr(e,"authorization-csrf"),"derive")})}o($S,"getCsrfKey");function bz(e){return[...new Set([...wz,...e.roles??[]])]}o(bz,"buildRoles");function LS(e){return{repository:e.repository??q().downstreamOAuthRepository,now:e.now??new Date,ttlSeconds:Wl()}}o(LS,"readPendingTransactionDependencies");function Cz(e,t){return e.subjectId===t.subjectId&&e.tenantId===t.tenantId}o(Cz,"principalsMatch");function jS(e){return{subjectId:e.subjectId,tenantId:e.tenantId,...e.roles===void 0?{}:{roles:e.roles}}}o(jS,"toPendingPrincipal");function HS(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:O(e.now),expiresAt:O(ft(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:jS(e.principal)}}o(HS,"createTransactionRecord");async function GS(e){if((await e.repository.savePendingAuthorizationTransaction(e.record,e.client===void 0?void 0:{client:e.client})).kind==="already_exists")throw g("oauth_state_reused","Authorization transaction state already exists.")}o(GS,"savePendingTransaction");async function Iz(e){return new DS({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:Ss,typ:"JWT"}).setIssuer(ws).setAudience(vs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await qS())}o(Iz,"signBrowserLoginState");async function BS(e){return new DS({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Nd()}).setProtectedHeader({alg:Ss,typ:"JWT"}).setIssuer(ws).setAudience(vs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await $S())}o(BS,"signCsrfToken");async function Rs(e){try{let{payload:t}=await NS(e,await qS(),{algorithms:[Ss],issuer:ws,audience:vs}),r=vz.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof zS.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(Rs,"verifyBrowserLoginStateToken");async function Tz(e){try{let{payload:t}=await NS(e,await $S(),{algorithms:[Ss],issuer:ws,audience:vs});return{transactionId:Rz.parse(t).transactionId}}catch(t){throw t instanceof zS.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(Tz,"verifyCsrfToken");function pa(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(pa,"pendingStateErrorCode");function VS(e){return e==="principal_mismatch"?"oauth_callback_mismatch":pa(e==="consumed_already"?"consumed_already":e)}o(VS,"setupDecisionErrorCode");function Az(e){if(e.kind!=="available")throw g(pa(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(Az,"requireAwaitingSetup");function kz(e){if(e.kind!=="available")throw g(pa(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(kz,"requireAwaitingLogin");function Pz(e){if(!Cz(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(Pz,"requireCurrentPrincipalMatches");function FS(e){return typeof e.decideAuthorizationSetup=="function"}o(FS,"hasRuntimeHttpAuthorizationDecision");async function ZS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=Wl(),a=zd(),i=Nd(),s=await Iz({transactionId:a,stateId:i,ttlSeconds:n}),u=HS({id:a,transaction:e.transaction,currentStateHash:await F(s),phase:"awaiting_login",now:r,ttlSeconds:n});if(u.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return await GS({repository:t,record:u,client:e.transaction.client}),{transaction:u,browserLoginStateToken:s,browserLoginUrl:US({state:s,nonce:i,virtualServerId:u.virtualServerId,requestUrl:e.requestUrl})}}o(ZS,"startAwaitingLogin");async function KS(e){let{repository:t,now:r,ttlSeconds:n}=LS(e),a=zd(),i=await BS({transactionId:a,ttlSeconds:n}),s=HS({id:a,transaction:e.transaction,currentStateHash:await F(i),phase:"awaiting_setup",principal:e.principal,now:r,ttlSeconds:n});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return await GS({repository:t,record:s,client:e.transaction.client}),{transaction:s,csrfToken:i}}o(KS,"startAwaitingSetup");async function Jl(e){let{repository:t,now:r,ttlSeconds:n}=LS(e),a=await Rs(e.browserLoginStateToken),i=await BS({transactionId:a.transactionId,ttlSeconds:n}),s=await t.advancePendingAuthorizationTransaction({id:a.transactionId,expectedPhase:"awaiting_login",currentStateHash:await F(e.browserLoginStateToken),nextStateHash:await F(i),nextPhase:"awaiting_setup",principal:jS(e.principal),now:r});if(s.kind!=="advanced")throw g(pa(s.kind),"Browser login state is invalid, expired, or already used.");if(s.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:s.record,csrfToken:i}}o(Jl,"completeLogin");async function WS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=await Rs(e.browserLoginStateToken);return kz(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await F(e.browserLoginStateToken),now:r}))}o(WS,"getAwaitingLogin");async function ma(e){let t=await Yl(e);return Pz({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(ma,"getSetup");async function Yl(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date,n=await Tz(e.csrfToken);return Az(await t.getPendingAuthorizationTransaction({id:n.transactionId,currentStateHash:await F(e.csrfToken),now:r}))}o(Yl,"getSetupTransaction");async function Ez(e){let t=Ke(),r=await F(t),n=Dd(),a=O(ft(e.now,MS)),i={id:e.transaction.id,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,tenantId:e.transaction.principal.tenantId,subjectId:e.transaction.principal.subjectId,scope:e.transaction.scope,roles:bz(e.transaction.principal),codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:O(e.now),expiresAt:a};await e.repository.issueAuthorizationCode({...i,codeHash:r,grantId:n});let s=new URL(e.transaction.redirectUri);return s.searchParams.set("code",t),e.transaction.clientState&&s.searchParams.set("state",e.transaction.clientState),s}o(Ez,"createAuthorizationCodeRedirect");async function xz(e){let t=await ma({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=Ke(),n=O(ft(e.now,MS)),a=await e.repository.decideAuthorizationSetup({decision:"approve",transactionId:t.id,currentStateHash:await F(e.csrfToken),currentPrincipal:{tenantId:e.currentBrowserPrincipal.tenantId,subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await F(r),authorizationCodeExpiresAt:n,grantId:Dd(),now:O(e.now)});if(a.kind!=="approved")throw g(a.kind==="cancelled"?"oauth_state_invalid":VS(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(xz,"createAuthorizationCodeRedirectWithDecision");async function Oz(e){let t=await ma({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:e.now,repository:e.repository}),r=await e.repository.decideAuthorizationSetup({decision:"cancel",transactionId:t.id,currentStateHash:await F(e.csrfToken),currentPrincipal:{tenantId:e.currentBrowserPrincipal.tenantId,subjectId:e.currentBrowserPrincipal.subjectId},now:O(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":VS(r.kind),"Authorization setup state is invalid, expired, or already used.");return JS({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(Oz,"createCancelRedirectWithDecision");function JS(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(JS,"buildClientCancelRedirect");async function Uz(e){let t=await ma(e),r=await e.repository.consumePendingAuthorizationTransaction({id:t.id,currentStateHash:await F(e.csrfToken),now:e.now});if(r.kind!=="consumed")throw g(pa(r.kind),"Authorization setup state is invalid, expired, or already used.");if(r.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return r.record}o(Uz,"consumeSetup");async function YS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;return{repository:t,now:r,transaction:await Uz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t})}}o(YS,"consumeSetupForDecision");async function XS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;if(FS(t))return xz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let n=await YS(e);return Ez({repository:n.repository,transaction:n.transaction,now:n.now})}o(XS,"approve");async function QS(e){let t=e.repository??q().downstreamOAuthRepository,r=e.now??new Date;if(FS(t))return Oz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:r,repository:t});let{transaction:n}=await YS(e);return JS({redirectUri:n.redirectUri,clientState:n.clientState})}o(QS,"cancel");Y();var zz=1e4,Nz=5*1024,Dz=2,Mz=90*24*60*60,Xl=["authorization_code","refresh_token"],Ql=["code"],qz=c.object({client_name:c.string().min(1).optional(),redirect_uris:c.array(c.string().min(1)).min(1),grant_types:c.array(c.enum(Xl)).min(1).max(2).optional(),response_types:c.array(c.enum(Ql)).min(1).max(1).optional(),scope:c.literal(ce).optional(),token_endpoint_auth_method:qo.default("client_secret_basic")});function $z(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o($z,"isCimdClientIdCandidate");function jn(e,t="invalid_request"){if(Lz(e))throw new U(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new U(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new U(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||Le(r)))throw new U(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(jn,"assertValidRedirectUri");function Lz(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(Lz,"hasForbiddenRawRedirectUriCharacter");async function jz(e){let{response:t,json:r}=await Ey(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Dz,maxResponseBytes:Nz,timeoutMs:zz});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=gg.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(jz,"fetchCimdMetadata");async function Hz(e){let t=as(e),r=await jz({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(Hz,"resolveCimdClient");async function ha(e,t,r){let n=le.parse(t);if($z(n)){if(!ve().gateway.cimdEnabled)throw new U("invalid_client","OAuth client is not registered.");try{return await Hz(n)}catch{throw new U("invalid_client","OAuth client is not registered.")}}let a=await e.getDcrClient(n);if(a){let i={kind:"dcr",clientId:n,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new U("invalid_client",n.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(ha,"resolveClient");function bs(e,t){if(!e.metadata.redirect_uris.some(r=>qi(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(bs,"assertRedirectRegistered");function Gz(e){let t=ew(e.grant_types),r=e.response_types??[...Ql];if(!Bz(t))throw new U("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!Vz(r))throw new U("invalid_client_metadata","response_types must be code.");if(!Fz(e.scope))throw new U("invalid_client_metadata",`Only the ${ce} scope is supported.`)}o(Gz,"assertSupportedDcrRequest");function ew(e){return e===void 0?[...Xl]:Array.from(new Set(e))}o(ew,"normalizeGrantTypes");function Bz(e){return e.length===0?!1:e.every(t=>Xl.includes(t))}o(Bz,"isSupportedGrantTypes");function Vz(e){return e.length===Ql.length&&e[0]==="code"}o(Vz,"isSupportedResponseTypes");function Fz(e){return e===void 0||e===ce}o(Fz,"isSupportedDcrScope");function Vr(e){if(e===void 0||e===ce)return ce;throw new U("invalid_request",`Only the ${ce} scope is supported.`)}o(Vr,"assertSupportedOAuthScope");function Pt(e,t){let r;try{r=new URL(t)}catch{throw new U("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new U("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!Le(r))throw new U("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=re(e),a=Xf(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new U("invalid_target","resource must match a published virtual MCP server.");return i}o(Pt,"resolveResource");async function tw(e,t={}){let r=Zz(t)?{repository:t}:t,n;try{n=qz.parse(e)}catch(f){if(f instanceof c.ZodError){let _=f.issues.some(S=>S.path[0]==="redirect_uris");throw new U(_?"invalid_redirect_uri":"invalid_client_metadata",f.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:f})}throw f}Gz(n);for(let f of n.redirect_uris)jn(f,"invalid_redirect_uri");let a=r.repository??q().downstreamOAuthRepository,i=new Date,s=le.parse(`dcr:${crypto.randomUUID()}`),u=ft(i,Mz),d=Math.floor(i.getTime()/1e3),l=Math.floor(u.getTime()/1e3),p={client_id:s,client_name:n.client_name??"Dynamically registered MCP client",redirect_uris:n.redirect_uris,grant_types:ew(n.grant_types),response_types:["code"],scope:ce,token_endpoint_auth_method:n.token_endpoint_auth_method,client_id_issued_at:d},m={clientId:s,clientName:String(p.client_name),redirectUris:n.redirect_uris,tokenEndpointAuthMethod:n.token_endpoint_auth_method,createdAt:O(i),clientExpiresAt:O(u)};if(n.token_endpoint_auth_method!=="none"){let f=Ke();m.hashedClientSecret=await F(f),m.clientSecretExpiresAt=O(u),p.client_secret=f,p.client_secret_expires_at=l,p.client_secret_issued_at=d}return await a.saveDcrClient(m),p}o(tw,"registerDownstreamClient");function Zz(e){return typeof e.getDcrClient=="function"}o(Zz,"isOAuthRepository");var Kz=8;function tp(e){let t=e.trim();try{let r=new URL(t);if(r.protocol==="https:")return r.toString()}catch{}if(/^data:image\/(?:png|jpe?g|webp);/i.test(t))return t}o(tp,"safeIconSrc");function Wz(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(Wz,"safeGatewayConnectHref");function Jz(e){if(e==="any")return Number.POSITIVE_INFINITY;let t=/^(\d+)x(\d+)$/.exec(e);return t?Math.max(Number(t[1]),Number(t[2])):0}o(Jz,"parseIconSize");function Yz(e,t){let r=e.filter(a=>a.theme===t);if(r.length>0)return r;let n=e.filter(a=>a.theme===void 0);return n.length>0?n:e}o(Yz,"selectIconCandidates");function Xz(e){return tp(e.src)?e.sizes&&e.sizes.length>0?Math.max(...e.sizes.map(Jz)):0:-1}o(Xz,"readIconScore");function ow(e,t){if(!e||e.length===0)return;let r=Yz(e,t),n,a=-1;for(let i of r){let s=Xz(i);s>a&&(n=i,a=s)}return n}o(ow,"pickIcon");var Qz='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>',rw=yt(Qz),eN=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>'),tN=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>'),aw=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),nw=yt('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M8 1.5 2.5 3.5v4.2c0 3.4 2.4 5.6 5.5 6.8 3.1-1.2 5.5-3.4 5.5-6.8V3.5L8 1.5Z"/><path d="m5.8 8.2 1.6 1.6 3-3"/></svg>');function rN(e,t){let r=ow(e,"light");if(!r)return x`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${rw}</span>`;let n=tp(r.src);return n?x`<span class="icon-frame"><img src="${n}" alt="${t}" loading="lazy" decoding="async"></span>`:x`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${rw}</span>`}o(rN,"renderIconFrame");function Is(e,t){let r=ow(e,"light");if(!r)return ye;let n=tp(r.src);return n?x`<img class="inline-icon" src="${n}" alt="${t}" loading="lazy" decoding="async">`:ye}o(Is,"renderInlineIcon");function nN(e){switch(e){case"user":return"your account";case"tenant_shared":return"shared by your team";case"none":return"gateway-managed"}}o(nN,"ownerModeLabel");function oN(e){return e.endsWith("_oauth")||e==="oauth"?"OAuth":e.includes("static_secret")?"static credential":e.replaceAll("_"," ")}o(oN,"authModeLabel");function aN(e){switch(e){case"active":return x`<span class="status-badge status-badge--success">Connected</span>`;case"not_connected":return x`<span class="status-badge status-badge--neutral">Not connected</span>`;case"reconsent_required":return x`<span class="status-badge status-badge--warning">Reconnect required</span>`}}o(aN,"statusBadge");function iN(e){if(!e)return ye;let t=[];return e.destructiveHint&&t.push(x`<span class="badge badge--destructive" title="This tool may modify or delete data on your behalf.">destructive</span>`),e.readOnlyHint&&t.push(x`<span class="badge badge--muted" title="This tool only reads data and does not modify state.">read-only</span>`),e.openWorldHint&&t.push(x`<span class="badge badge--muted" title="This tool can access arbitrary URIs supplied at call time.">open-world</span>`),t.length>0?x`<span class="badge-row">${t}</span>`:ye}o(iN,"annotationBadges");function iw(e){let t=0,r=0;for(let n of e.tools)n.annotations?.destructiveHint===!0&&(t+=1),n.annotations?.readOnlyHint===!0&&(r+=1);return{tools:e.tools.length,prompts:e.prompts.length,resources:e.resources.length,destructiveTools:t,readOnlyTools:r}}o(iw,"summarizeCapabilities");function sN(e){let t=e.annotations?.title??e.title??e.name,r=e.description?x`<span class="capability-row__description">${e.description}</span>`:ye;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${iN(e.annotations)}${r}</li>`}o(sN,"renderToolRow");function cN(e){let t=e.title??e.name,r=e.description?x`<span class="capability-row__description">${e.description}</span>`:ye;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${r}</li>`}o(cN,"renderPromptRow");function uN(e){let t=e.title??e.name,r=e.mimeType===void 0?ye:x` · ${e.mimeType}`,n=e.description===void 0?ye:x` — ${e.description}`,a=x`<span class="capability-row__description"><code>${e.uri}</code>${r}${n}</span>`;return x`<li class="capability-row">${Is(e.icons,t)}<span class="capability-row__name">${t}</span>${a}</li>`}o(uN,"renderResourceRow");function ep(e,t,r,n){if(t===0)return ye;let a=r.slice(0,Kz),i=t-a.length,s=i>0?x`<li class="capability-row capability-row--more">+ ${i} more</li>`:ye;return x`<section class="capability-section"><h4 class="capability-section__title">${e} <span class="muted">(${t})</span></h4><ul class="capability-list">${a.map(n)}${s}</ul></section>`}o(ep,"renderCapabilitySection");function Cs(e,t,r=!1){return r?x`<span class="count-pill count-pill--destructive"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`:x`<span class="count-pill"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`}o(Cs,"countPill");function dN(e){let t=iw(e);if(t.tools+t.prompts+t.resources===0)return x`<div class="upstream-card__capabilities upstream-card__capabilities--empty">No tools, prompts, or resources advertised.</div>`;let n=[];t.tools>0&&n.push(Cs(t.tools===1?"tool":"tools",t.tools)),t.prompts>0&&n.push(Cs(t.prompts===1?"prompt":"prompts",t.prompts)),t.resources>0&&n.push(Cs(t.resources===1?"resource":"resources",t.resources)),t.destructiveTools>0&&n.push(Cs("destructive",t.destructiveTools,!0));let a=[ep("Tools",t.tools,e.tools,sN),ep("Prompts",t.prompts,e.prompts,cN),ep("Resources",t.resources,e.resources,uN)];return x`<details class="upstream-card__capabilities"><summary class="capabilities-summary"><span class="capabilities-summary__counts">${n}</span><span class="capabilities-summary__chevron" aria-hidden="true">${aw}</span></summary><div class="capabilities-detail">${a}</div></details>`}o(dN,"renderUpstreamCapabilities");function lN(e){if(!e||e.length===0)return ye;let t=e.map(n=>x`<code class="scope-chip">${n}</code>`),r=e.length===1?"scope":"scopes";return x`<details class="upstream-card__scopes"><summary class="scopes-summary"><span>Requested ${r} <span class="muted">(${e.length})</span></span><span class="capabilities-summary__chevron" aria-hidden="true">${aw}</span></summary><div class="scopes-list">${t}</div></details>`}o(lN,"renderUpstreamScopes");function pN(e,t){if(e.ownerMode!=="user")return ye;let r=Wz(e.connectUrl,t);if(!r)return ye;let n=e.status==="active"?"Redo auth":e.status==="reconsent_required"?"Reconnect":"Connect",a=e.status==="active"?"Reconnect this upstream account or approve updated scopes.":void 0;return x`<a class="button button--secondary button--small" href="${r}"${a===void 0?ye:x` title="${a}"`}>${n}</a>`}o(pN,"renderActionButton");function mN(e,t){let r=pN(e,t);return Zt(r)!==""?r:aN(e.status)}o(mN,"renderUpstreamControl");function hN(e,t){let n=e.ownerMode==="user"&&e.status!=="active"?yt('<article class="upstream-card upstream-card--needs-action">'):yt('<article class="upstream-card">'),a=e.description?x`<p class="upstream-card__description">${e.description}</p>`:ye,i=e.transportHost?x`<code class="upstream-card__host">${e.transportHost}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`:ye,s=x`<div class="upstream-card__head">${rN(e.serverIcons,e.upstreamDisplayName)}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${mN(e,t)}</div><div class="upstream-card__meta">${i}<span>${oN(e.authMode)}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${nN(e.ownerMode)}</span></div>${a}</div></div>`,u=dN(e.capabilities),d=lN(e.scopesRequested);return x`${n}${s}${u}${d}</article>`}o(hN,"renderUpstreamCard");function fN(e){return e.reduce((t,r)=>{let n=iw(r.capabilities);return t.tools+=n.tools,t.prompts+=n.prompts,t.resources+=n.resources,t.destructiveTools+=n.destructiveTools,t.readOnlyTools+=n.readOnlyTools,t},{tools:0,prompts:0,resources:0,destructiveTools:0,readOnlyTools:0})}o(fN,"aggregateCapabilities");function gN(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(gN,"deriveMode");function _N(e){if(e.mode==="setup"){let n=e.upstreams.filter(u=>u.ownerMode==="user"&&u.status!=="active"),a=n.length>0&&n.every(u=>u.status==="reconsent_required"),i=n.length===1?"the service":`the ${n.length} services`,s=a?x`Re-authorize ${i} below to refresh access. Authorization will continue automatically once each is ready.`:x`Connect ${i} below before continuing. Authorization will continue automatically once each is ready.`;return x`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${eN}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${s}</p></div></div>`}let t=fN(e.upstreams);if(t.destructiveTools===0)return ye;let r=t.destructiveTools===1?"tool can":"tools can";return x`<div class="banner banner--alert" role="alert"><span class="banner__icon" aria-hidden="true">${tN}</span><div class="banner__body"><p class="banner__title">${t.destructiveTools} ${r} modify or delete data</p><p class="banner__message">Review the destructive tools below before authorizing <strong>${e.clientDisplayName}</strong>.</p></div></div>`}o(_N,"renderBanner");function yN(e){return e.mode==="grant"?x`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve">Authorize</button></form>`:x`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}"><input type="hidden" name="decision" value="continue"><button class="button button--primary" type="submit">Check again</button></form>`}o(yN,"renderActions");var SN=`
-*,*::before,*::after{box-sizing:border-box}
-:root{
-  --bg:#ffffff;
-  --surface:#ffffff;
-  --surface-2:#f1f5f9;
-  --border:#e2e8f0;
-  --border-strong:#c9cace;
-  --text:#20222e;
-  --text-2:#475569;
-  --text-3:#64748b;
-  --brand:#ff00bd;
-  --brand-strong:#d600a0;
-  --brand-soft:#fff0f7;
-  --brand-ring:rgba(255,0,189,.15);
-  --success:#13a688;
-  --success-soft:rgba(19,166,136,.10);
-  --success-border:rgba(19,166,136,.32);
-  --warning:#b45309;
-  --warning-soft:#fff7ed;
-  --warning-border:#fcd9b6;
-  --danger:#d03c38;
-  --danger-soft:rgba(208,60,56,.08);
-  --danger-border:rgba(208,60,56,.28);
-  --radius:2px;
-  --radius-md:6px;
-  --radius-lg:8px;
-  --shadow-sm:0 1px 2px rgba(15,23,42,.04);
-  --shadow-md:0 1px 3px rgba(15,23,42,.06),0 1px 2px rgba(15,23,42,.04);
-  --shadow-lg:0 8px 24px rgba(15,23,42,.08);
-  --font-sans:Inter,"Inter Fallback",-apple-system,BlinkMacSystemFont,"Segoe UI",system-ui,sans-serif;
-  --font-heading:"Readex Pro","Readex Pro Fallback",Inter,system-ui,sans-serif;
-  --font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace;
-}
-@media (prefers-color-scheme: dark){
-  :root{
-    --bg:#0a0c10;
-    --surface:#15171c;
-    --surface-2:#1e2128;
-    --border:#262932;
-    --border-strong:#3a3e48;
-    --text:#fafafa;
-    --text-2:#9ba3b0;
-    --text-3:#71757f;
-    --brand:#ff33c8;
-    --brand-strong:#ff66d4;
-    --brand-soft:rgba(255,0,189,.14);
-    --brand-ring:rgba(255,0,189,.28);
-    --success:#34d399;
-    --success-soft:rgba(19,166,136,.16);
-    --success-border:rgba(52,211,153,.32);
-    --warning:#fbbf24;
-    --warning-soft:rgba(251,191,36,.10);
-    --warning-border:rgba(251,191,36,.32);
-    --danger:#f87171;
-    --danger-soft:rgba(208,60,56,.14);
-    --danger-border:rgba(248,113,113,.32);
-    --shadow-sm:0 1px 2px rgba(0,0,0,.4);
-    --shadow-md:0 1px 3px rgba(0,0,0,.45),0 1px 2px rgba(0,0,0,.3);
-    --shadow-lg:0 12px 28px rgba(0,0,0,.5);
-  }
-}
-html,body{margin:0;padding:0}
-html{background:var(--bg);height:100%}
-body{
-  font-family:var(--font-sans);
-  background:var(--bg);
-  color:var(--text);
-  font-size:14px;
-  line-height:1.5;
-  -webkit-font-smoothing:antialiased;
-  -moz-osx-font-smoothing:grayscale;
-  height:100vh;
-  height:100dvh;
-  display:flex;flex-direction:column;
-  overflow:hidden;
-}
-.topbar{
-  flex-shrink:0;
-  background:var(--surface);
-  border-bottom:1px solid var(--border);
-}
-.topbar__inner{
-  max-width:640px;margin:0 auto;
-  display:flex;align-items:center;justify-content:space-between;
-  gap:16px;padding:14px 24px;
-}
-.brand{
-  display:flex;align-items:center;gap:10px;
-  color:var(--text);font-weight:600;font-size:13px;
-  letter-spacing:-.01em;
-}
-.brand__mark{
-  width:22px;height:22px;border-radius:var(--radius);
-  background:var(--brand);color:#fff;
-  display:inline-flex;align-items:center;justify-content:center;
-  font-weight:700;font-size:12px;letter-spacing:0;
-  font-family:var(--font-heading);
-}
-.brand__name{color:var(--text-2);font-weight:500}
-.principal{
-  display:inline-flex;align-items:center;gap:6px;
-  font-size:12.5px;color:var(--text-3);
-  padding:4px 10px;border-radius:9999px;
-  background:var(--surface-2);
-  max-width:280px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap;
-}
-.shell-main{
-  flex:1;min-height:0;
-  display:flex;flex-direction:column;
-  width:100%;
-}
-.static-top{flex-shrink:0;background:var(--bg)}
-.static-top__inner{
-  max-width:640px;margin:0 auto;width:100%;
-  padding:32px 24px 16px;
-  display:flex;flex-direction:column;gap:18px;
-}
-.hero{display:flex;flex-direction:column;gap:6px;margin:0}
-.hero__title{
-  margin:0;font-family:var(--font-heading);
-  font-size:28px;font-weight:600;letter-spacing:-.02em;
-  color:var(--text);line-height:1.2;
-}
-.hero__connection{
-  margin:2px 0 0;font-size:15px;color:var(--text-2);
-  display:flex;align-items:center;gap:10px;flex-wrap:wrap;
-  line-height:1.4;
-}
-.hero__client,.hero__server{
-  color:var(--text);font-weight:600;
-  display:inline-flex;align-items:center;gap:6px;
-  min-width:0;
-}
-.hero__server .inline-icon{
-  width:16px;height:16px;border-radius:3px;margin:0;
-  vertical-align:baseline;
-}
-.hero__arrow{
-  color:var(--text-3);font-weight:500;
-  display:inline-flex;align-items:center;
-}
-.hero__description{
-  margin:6px 0 0;color:var(--text-2);font-size:13.5px;line-height:1.5;
-}
-.banner{
-  display:flex;align-items:flex-start;gap:12px;
-  padding:12px 14px;border-radius:var(--radius-md);
-  border:1px solid;
-  font-size:13.5px;
-}
-.banner__icon{
-  flex-shrink:0;display:inline-flex;align-items:center;justify-content:center;
-  width:18px;height:18px;margin-top:1px;
-}
-.banner__body{flex:1;min-width:0;display:flex;flex-direction:column;gap:2px}
-.banner__title{margin:0;font-weight:600;color:var(--text);font-size:13.5px}
-.banner__message{margin:0;color:var(--text-2);font-size:13px;line-height:1.5}
-.banner--warning{background:var(--warning-soft);border-color:var(--warning-border)}
-.banner--warning .banner__icon{color:var(--warning)}
-.banner--alert{background:var(--danger-soft);border-color:var(--danger-border)}
-.banner--alert .banner__icon{color:var(--danger)}
-.banner--alert .banner__title{color:var(--danger)}
-.upstream-region{
-  flex:1;min-height:0;
-  display:flex;flex-direction:column;
-  background:var(--bg);
-}
-.upstream-region__head{
-  flex-shrink:0;
-  max-width:640px;width:100%;margin:0 auto;
-  padding:8px 24px 8px;
-  display:flex;align-items:center;justify-content:space-between;gap:12px;
-}
-.section-label{
-  margin:0;font-size:11px;font-weight:600;
-  text-transform:uppercase;letter-spacing:.07em;
-  color:var(--text-3);
-}
-.section-label__count{color:var(--text-3);font-weight:500;margin-left:4px}
-.upstream-region__scroll{
-  flex:1;min-height:0;
-  overflow-y:auto;
-  overscroll-behavior:contain;
-  scrollbar-width:thin;
-  scrollbar-color:var(--border-strong) transparent;
-}
-.upstream-region__scroll::-webkit-scrollbar{width:8px}
-.upstream-region__scroll::-webkit-scrollbar-track{background:transparent}
-.upstream-region__scroll::-webkit-scrollbar-thumb{background:var(--border-strong);border-radius:4px;border:2px solid var(--bg)}
-.upstream-region__scroll-inner{
-  max-width:640px;margin:0 auto;width:100%;
-  padding:0 24px 24px;
-}
-.upstream-list{
-  display:flex;flex-direction:column;gap:10px;
-  margin:0;padding:0;list-style:none;
-}
-.upstream-card{
-  background:var(--surface);
-  border:1px solid var(--border);
-  border-radius:var(--radius-md);
-  padding:16px;
-  display:flex;flex-direction:column;gap:12px;
-  transition:border-color .12s ease,background .12s ease;
-}
-.upstream-card--needs-action{
-  border-color:var(--warning-border);
-  background:linear-gradient(to bottom,color-mix(in srgb,var(--warning-soft) 70%,var(--surface)),var(--surface) 56px);
-}
-.upstream-card__head{display:flex;align-items:flex-start;gap:12px}
-.icon-frame{
-  flex-shrink:0;width:36px;height:36px;
-  border-radius:var(--radius-md);border:1px solid var(--border);
-  background:var(--surface-2);color:var(--text-3);
-  display:inline-flex;align-items:center;justify-content:center;
-  overflow:hidden;
-}
-.icon-frame img{max-width:100%;max-height:100%;object-fit:contain}
-.icon-frame--fallback svg{width:20px;height:20px}
-.inline-icon{
-  width:14px;height:14px;border-radius:2px;object-fit:contain;
-  vertical-align:-2px;margin-right:4px;
-}
-.upstream-card__main{flex:1;min-width:0;display:flex;flex-direction:column;gap:4px}
-.upstream-card__title-row{
-  display:flex;align-items:center;gap:10px;justify-content:space-between;
-  min-width:0;
-}
-.upstream-card__title{
-  margin:0;font-family:var(--font-heading);
-  font-size:14.5px;font-weight:600;
-  color:var(--text);letter-spacing:-.005em;line-height:1.3;
-  overflow:hidden;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;
-}
-.upstream-card__meta{
-  display:flex;align-items:center;gap:6px;flex-wrap:wrap;
-  font-size:12px;color:var(--text-3);
-}
-.upstream-card__host{
-  font-family:var(--font-mono);font-size:11.5px;
-  background:var(--surface-2);color:var(--text-2);
-  padding:1px 6px;border-radius:var(--radius);
-}
-.upstream-card__sep{color:var(--border-strong)}
-.upstream-card__description{
-  margin:4px 0 0;font-size:13px;color:var(--text-2);line-height:1.5;
-}
-.status-badge{
-  display:inline-flex;align-items:center;gap:6px;
-  padding:3px 9px;border-radius:9999px;
-  font-size:11.5px;font-weight:600;letter-spacing:.005em;
-  white-space:nowrap;border:1px solid transparent;
-  flex-shrink:0;
-}
-.status-badge::before{
-  content:"";width:6px;height:6px;border-radius:50%;
-  background:currentColor;flex-shrink:0;
-}
-.status-badge--success{
-  background:var(--success-soft);color:var(--success);
-  border-color:var(--success-border);
-}
-.status-badge--warning{
-  background:var(--warning-soft);color:var(--warning);
-  border-color:var(--warning-border);
-}
-.status-badge--neutral{
-  background:var(--surface-2);color:var(--text-2);
-  border-color:var(--border);
-}
-.upstream-card__capabilities{
-  border-top:1px solid var(--border);
-  padding-top:12px;
-}
-.upstream-card__capabilities--empty{
-  font-size:12.5px;color:var(--text-3);font-style:italic;
-}
-.capabilities-summary,.scopes-summary{
-  display:flex;align-items:center;justify-content:space-between;
-  gap:12px;cursor:pointer;list-style:none;user-select:none;
-  font-size:13px;color:var(--text-2);
-  padding:2px 0;
-}
-.capabilities-summary::-webkit-details-marker,
-.scopes-summary::-webkit-details-marker{display:none}
-.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}
-.capabilities-summary:focus-visible,.scopes-summary:focus-visible{
-  outline:2px solid var(--brand);outline-offset:2px;border-radius:var(--radius);
-}
-.capabilities-summary__counts{
-  display:flex;gap:14px;align-items:center;flex-wrap:wrap;
-}
-.count-pill{
-  display:inline-flex;align-items:baseline;gap:4px;
-  font-size:12.5px;color:var(--text-2);
-}
-.count-pill__num{
-  font-weight:600;font-variant-numeric:tabular-nums;
-  color:var(--text);font-size:13px;
-}
-.count-pill--destructive .count-pill__num{color:var(--danger)}
-.count-pill--destructive .count-pill__label{color:var(--danger)}
-.capabilities-summary__chevron{
-  color:var(--text-3);transition:transform .15s ease;
-  display:inline-flex;flex-shrink:0;
-}
-details[open] > .capabilities-summary .capabilities-summary__chevron,
-details[open] > .scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}
-.capabilities-detail{margin-top:12px}
-.capability-section{margin-top:16px}
-.capability-section:first-child{margin-top:8px}
-.capability-section__title{
-  margin:0 0 6px;font-size:11px;font-weight:600;
-  text-transform:uppercase;letter-spacing:.07em;
-  color:var(--text-3);
-}
-.capability-list{
-  list-style:none;margin:0;padding:0;
-  display:flex;flex-direction:column;gap:6px;font-size:13px;
-}
-.capability-row{
-  display:flex;flex-wrap:wrap;align-items:baseline;gap:6px;
-  padding:3px 0;
-}
-.capability-row__name{
-  font-weight:500;font-family:var(--font-mono);
-  font-size:12.5px;color:var(--text);
-}
-.capability-row__description{
-  color:var(--text-3);font-size:12.5px;
-  flex-basis:100%;line-height:1.45;
-}
-.capability-row__description code{
-  font-family:var(--font-mono);background:var(--surface-2);
-  padding:1px 4px;border-radius:var(--radius);color:var(--text-2);
-}
-.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}
-.upstream-card__scopes{
-  border-top:1px solid var(--border);padding-top:12px;
-}
-.scopes-list{
-  display:flex;flex-wrap:wrap;gap:5px;margin-top:10px;
-}
-.scope-chip{
-  font-family:var(--font-mono);font-size:11.5px;
-  background:var(--surface-2);color:var(--text-2);
-  padding:2px 7px;border-radius:var(--radius);
-  border:1px solid var(--border);
-}
-.badge{
-  display:inline-flex;align-items:center;
-  border-radius:var(--radius);padding:1px 5px;
-  font-size:10px;font-weight:600;letter-spacing:.04em;
-  text-transform:uppercase;
-}
-.badge--destructive{background:var(--danger-soft);color:var(--danger)}
-.badge--muted{background:var(--surface-2);color:var(--text-3)}
-.badge-row{display:inline-flex;gap:4px;flex-wrap:wrap}
-.muted{color:var(--text-3)}
-.button{
-  font:inherit;font-weight:500;font-size:14px;
-  padding:9px 16px;border-radius:var(--radius);
-  border:1px solid transparent;cursor:pointer;
-  text-decoration:none;
-  display:inline-flex;align-items:center;justify-content:center;gap:6px;
-  white-space:nowrap;
-  transition:background .12s ease,border-color .12s ease,color .12s ease,box-shadow .12s ease,transform .04s ease;
-}
-.button:active{transform:translateY(1px)}
-.button--small{font-size:13px;padding:6px 12px}
-.button--primary{
-  background:var(--brand);color:#ffffff;
-  border-color:var(--brand);
-}
-.button--primary:hover{background:var(--brand-strong);border-color:var(--brand-strong)}
-.button--primary:focus-visible{
-  outline:0;
-  box-shadow:0 0 0 3px var(--brand-ring);
-}
-.button--secondary{
-  background:var(--surface);color:var(--text);
-  border-color:var(--border-strong);
-}
-.button--secondary:hover{background:var(--surface-2)}
-.button--secondary:focus-visible{
-  outline:0;
-  box-shadow:0 0 0 3px var(--brand-ring);
-  border-color:var(--brand);
-}
-.action-bar{
-  flex-shrink:0;
-  background:var(--surface);
-  border-top:1px solid var(--border);
-}
-.action-bar__inner{
-  max-width:640px;margin:0 auto;
-  display:flex;align-items:center;justify-content:space-between;gap:16px;
-  padding:12px max(24px,env(safe-area-inset-right)) max(12px,env(safe-area-inset-bottom)) max(24px,env(safe-area-inset-left));
-}
-.fineprint{
-  margin:0;flex:1;color:var(--text-3);font-size:12px;
-  line-height:1.45;display:flex;align-items:center;gap:6px;
-}
-.fineprint__icon{
-  flex-shrink:0;display:inline-flex;color:var(--text-3);
-}
-.fineprint strong{color:var(--text-2);font-weight:600}
-.actions{display:flex;gap:8px;margin:0;flex-shrink:0}
-.empty{
-  text-align:center;padding:32px 24px;
-  color:var(--text-3);font-size:13.5px;
-  border:1px dashed var(--border);border-radius:var(--radius-md);
-  background:var(--surface);
-}
-@media (max-width:600px){
-  .topbar__inner{padding:12px 16px}
-  .principal{font-size:11.5px;max-width:160px;padding:3px 8px}
-  .static-top__inner{padding:24px 16px 12px;gap:14px}
-  .upstream-region__head{padding:6px 16px}
-  .upstream-region__scroll-inner{padding:0 16px 20px}
-  .hero__title{font-size:24px}
-  .hero__connection{font-size:14px;gap:6px}
-  .upstream-card{padding:14px}
-  .action-bar__inner{flex-direction:column;align-items:stretch;gap:10px;padding:12px 16px max(12px,env(safe-area-inset-bottom))}
-  .actions{flex-direction:column-reverse;width:100%}
-  .button{width:100%;padding:11px 16px}
-  .fineprint{justify-content:center;text-align:center;font-size:11.5px}
-}
-@media (prefers-reduced-motion: reduce){
-  *{transition:none!important}
-}
-`,wN=yt(SN);function rp(e){let t=gN(e.upstreams),r=[...e.upstreams].sort((m,f)=>{let _=o(y=>y.ownerMode!=="user"?2:y.status==="active"?1:0,"blockedRank"),S=_(m)-_(f);return S!==0?S:m.upstreamDisplayName.localeCompare(f.upstreamDisplayName)}),n=e.principalLabel?x`<span class="principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`:ye,a=e.virtualServerDescription?x`<p class="hero__description">${e.virtualServerDescription}</p>`:ye,i=Is(e.virtualServerIcons,e.virtualServerDisplayName),s=_N({mode:t,upstreams:r,clientDisplayName:e.clientDisplayName}),u=r.length===0?x`<div class="empty">This virtual server does not declare any upstream services.</div>`:x`<ul class="upstream-list">${r.map(m=>x`<li>${hN(m,e.gatewayOrigin)}</li>`)}</ul>`,d=yN({mode:t,state:e.state}),l=t==="grant"?x`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${nw}</span><span><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.virtualServerDisplayName}</strong>. You can revoke access at any time.</span></p>`:x`<p class="fineprint"><span class="fineprint__icon" aria-hidden="true">${nw}</span><span>Authorization continues automatically once every required service is connected.</span></p>`,p=r.length>0?x`<span class="section-label__count">(${r.length})</span>`:ye;return Zt(x`<!doctype html><html lang="en"><head><meta charset="utf-8"><title>Authorize MCP access · ${e.virtualServerDisplayName}</title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="referrer" content="no-referrer"><meta name="robots" content="noindex"><style>${wN}</style></head><body><header class="topbar"><div class="topbar__inner"><div class="brand"><span class="brand__mark" aria-hidden="true">Z</span><span class="brand__name">Zuplo MCP Gateway</span></div>${n}</div></header><main class="shell-main"><div class="static-top"><div class="static-top__inner"><section class="hero"><h1 class="hero__title">Authorize access</h1><p class="hero__connection"><span class="hero__client">${e.clientDisplayName}</span><span class="hero__arrow" aria-label="will access">→</span><span class="hero__server">${i}${e.virtualServerDisplayName}</span></p>${a}</section>${s}</div></div><section class="upstream-region" aria-labelledby="upstreams-heading"><div class="upstream-region__head"><h2 id="upstreams-heading" class="section-label">Upstream services${p}</h2></div><div class="upstream-region__scroll"><div class="upstream-region__scroll-inner">${u}</div></div></section></main><div class="action-bar" role="region" aria-label="Authorization decision"><div class="action-bar__inner">${l}${d}</div></div></body></html>`)}o(rp,"renderConsentPage");function vN(e){try{return new URL(e).host}catch{return}}o(vN,"safeUrlHost");function RN(e){if(e.mode==="user_oauth"||e.mode==="tenant_shared_oauth")return e.oauth.scopes}o(RN,"readOAuthScopes");function np(e){return e!==void 0&&e.length>0}o(np,"hasItems");function bN(e){let t=e.registeredConnection.config.serverInfo?.icons;if(np(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&np(r)?r:void 0}o(bN,"readServerIcons");async function CN(e){if(!(e.returnTo===void 0||!e.isUserOwned))return pl({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(CN,"readConnectUrl");function Fr(e,t){return t===void 0?{}:{[e]:t}}o(Fr,"optionalRequirementField");function IN(e){return e.isUserOwned?$g(e.connection):{connected:!0,status:"active"}}o(IN,"readSetupConnectionStatus");function TN(e){let t=RN(e);return np(t)?t:void 0}o(TN,"readScopesRequested");function AN(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(AN,"readUpdatedAt");function kN(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(ki),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(Pi),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(Ei)}}o(kN,"readVirtualServerCapabilities");async function PN(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=Wi(r),u=s==="user",d=IN({connection:e.connection,isUserOwned:u}),l=await CN({...e,connected:d.connected,isUserOwned:u});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:kN({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...Fr("description",n.description),...Fr("transportHost",vN(n.transport.baseUrl)),...Fr("scopesRequested",TN(t)),...Fr("serverIcons",bN({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...Fr("connectUrl",l),...Fr("updatedAt",AN({connectionStatus:d,isUserOwned:u})),...Fr("expiresAt",e.connection?.expiresAt)}}o(PN,"buildSetupRequirement");function sw(e){let t=st().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(sw,"requireVirtualServer");async function op(e){let t=sw(e.transaction.virtualServerId),r=mr(e.transaction.principal.tenantId,e.transaction.principal.subjectId),n=[],a=new Map;for(let u of t.connections)Wi(u.authMode)==="user"&&(a.set(u,n.length),n.push({owner:r,upstreamServerId:u.upstreamServerId,authProfileId:u.authProfileId}));let i=await q().upstreamConnectionRepository.batchGet(n),s=[];for(let u of t.connections){let d=Wi(u.authMode)==="user",l=a.get(u);s.push(await PN({connection:d&&l!==void 0?i[l]:void 0,registeredConnection:u,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(op,"requirementsForSetup");function EN(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(EN,"readVirtualServerDisplayName");async function ap(e){let t=e.repository??q().downstreamOAuthRepository,r=sw(e.transaction.virtualServerId),n=EN({virtualServer:r}),a=await t.getDcrClient(e.transaction.clientId),i={gatewayOrigin:re(e.requestUrl),virtualServerDisplayName:n,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:`${e.transaction.principal.subjectId} \xB7 ${e.transaction.principal.tenantId}`},s=r.serverInfo?.title;return s!==void 0&&s!==n&&(i.virtualServerDescription=s),i}o(ap,"consentContext");function cw(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(cw,"hasUnresolvedUserUpstream");var xN=["mcp_user"],ON="dev-browser-user",UN=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),zN=c.object({response_type:c.literal("code"),client_id:c.string().min(1),redirect_uri:c.string().min(1),resource:c.url(),code_challenge:c.string().min(43),code_challenge_method:Cn,state:c.string().min(1).optional(),scope:c.literal(ce).default(ce)}),NN=c.enum(["continue","approve","cancel"]).default("continue"),DN=c.object({state:c.string().min(1),decision:NN}),MN=c.object({state:c.string().min(1),apiKey:c.string().min(1)}),Zr=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function uw(e){return typeof e=="string"&&e.length>0?e:void 0}o(uw,"readQueryString");function qN(e,t){let r=uw(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new U("invalid_target",UN)}let n=Nr(t,e.url);if(r===void 0||r===n)return n;throw new U("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(qN,"requireAuthorizeResource");async function $N(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ys(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=ES(e);return{principal:i,setCookie:await la({principal:i,requestUrl:e.url,virtualServerId:t})}}o($N,"resolveBrowserPrincipal");async function LN(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await ys(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(LN,"requireSetupPrincipal");async function dw(e){let t=await op({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await ap({transaction:e.transaction,requestUrl:e.requestUrl,...e.repository===void 0?{}:{repository:e.repository}}),n={kind:"setup_page",html:rp({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(dw,"renderSetup");function jN(e){return typeof e.decideAuthorizationSetup=="function"}o(jN,"usesRuntimeHttpAuthorizationOperations");function HN(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;if(t==="private_key_jwt")throw new U("invalid_client","OAuth client authentication method is not supported.");return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o(HN,"toAuthorizationTransactionClient");async function ip(e,t={}){let r=zN.parse({...e.query,resource:qN(e,t.virtualServerId),state:uw(e.query.state)}),n=Vr(r.scope);jn(r.redirect_uri);let a=q().downstreamOAuthRepository,i=new Date,s=le.parse(r.client_id),u=jN(a)&&s.startsWith("dcr:")?void 0:await ha(a,r.client_id,i);u!==void 0&&bs(u,r.redirect_uri);let d=u===void 0,l=d?Pt(e.url,r.resource):void 0;try{let p=l??Pt(e.url,r.resource),m=HN(u);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:s,virtualServerId:p.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved");let f={clientId:u?.clientId??s,...m===void 0?{}:{client:m},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:p.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:_,setCookie:S}=await $N(e,p.virtualServerId,t.context);if(!_){let w=await ZS({transaction:f,requestUrl:e.url,now:i,repository:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:s,virtualServerId:p.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let v={kind:"redirect",location:w.browserLoginUrl};return S!==void 0&&(v.setCookie=S),v}let y=await KS({transaction:f,principal:_,now:i,repository:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:s,virtualServerId:p.virtualServerId,tenantId:_.tenantId,subjectId:_.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),dw({transaction:y.transaction,csrfToken:y.csrfToken,requestUrl:e.url,repository:a,setCookie:S})}catch(p){throw d?p:GN({redirectUri:r.redirect_uri,clientState:r.state,cause:p})}}o(ip,"authorizeDownstreamClient");function GN(e){if(e.cause instanceof Zr)return e.cause;let t=BN(e.cause);return t?new Zr({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(GN,"toDownstreamAuthorizeRedirectError");function BN(e){if(e instanceof U)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof c.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o(BN,"mapToOAuthRedirectError");async function lw(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",p??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await Rs(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await OS(i),u=q().downstreamOAuthRepository,d=await Jl({browserLoginStateToken:n,principal:s,repository:u}),l=await dw({transaction:d.transaction,csrfToken:d.csrfToken,requestUrl:e.url,repository:u});return l.setCookie=await la({principal:s,requestUrl:e.url,virtualServerId:d.transaction.virtualServerId}),l}o(lw,"completeBrowserLoginCallback");async function pw(e){let t=ve();if(!t.devTenantId)throw g("authentication_required","Local browser login requires the `devTenantId` policy option on mcp-oauth-inbound.");let r=new URL(e.url);if(!Le(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",re(e.url)),i=new URL(re(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:X.parse(ON),tenantId:ue.parse(t.devTenantId),roles:xN};return{kind:"redirect",location:a,setCookie:await la({principal:s,requestUrl:e.url})}}o(pw,"completeLocalDevBrowserLogin");async function mw(e){let t=MN.parse(e.body),r=q().downstreamOAuthRepository,n=await WS({browserLoginStateToken:t.state,repository:r}),a=await xS({apiKey:t.apiKey,virtualServerId:n.virtualServerId}),i=await Jl({browserLoginStateToken:t.state,principal:a,repository:r});await Fy({apiKey:t.apiKey,principal:a,virtualServerId:i.transaction.virtualServerId});let s=new URL("/oauth/setup",gt(e.request.url));return s.searchParams.set("state",i.csrfToken),{kind:"redirect",location:s,setCookie:await la({principal:a,requestUrl:e.request.url,virtualServerId:i.transaction.virtualServerId})}}o(mw,"completeApiKeyBrowserLogin");function VN(e){let t=e.method==="POST"?e.body:e.query;return DN.parse(t)}o(VN,"readSetupContinueRequest");async function hw(e){let{state:t,decision:r}=VN({method:e.request.method,query:e.request.query,body:e.body}),n=q().downstreamOAuthRepository,a=new Date,i=await Yl({csrfToken:t,now:a,repository:n}),s=await LN(e.request,i.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await QS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})};let u=await ma({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n}),d=await op({transaction:u,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||cw(d)){let l=await ap({repository:n,transaction:u,requestUrl:e.request.url});return{kind:"setup_page",html:rp({state:t,virtualServerId:u.virtualServerId,upstreams:d,...l})}}return{kind:"redirect",location:await XS({csrfToken:t,currentBrowserPrincipal:s,now:a,repository:n})}}o(hw,"continueDownstreamAuthorizeSetup");Y();var FN=new Set(["authorization_code","refresh_token"]),ZN=c.discriminatedUnion("grant_type",[c.object({grant_type:c.literal("authorization_code"),code:c.string().min(1),redirect_uri:c.string().min(1),client_id:c.string().min(1).optional(),code_verifier:zi,resource:c.url().optional(),scope:c.literal(ce).optional(),client_secret:c.string().min(1).optional()}),c.object({grant_type:c.literal("refresh_token"),refresh_token:c.string().min(1),client_id:c.string().min(1).optional(),resource:c.url().optional(),scope:c.literal(ce).optional(),client_secret:c.string().min(1).optional()})]);function KN(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!FN.has(t)))throw new U("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(KN,"assertSupportedGrantType");var WN=c.object({token:c.string().min(1),client_id:c.string().min(1).optional(),token_type_hint:c.string().optional(),client_secret:c.string().min(1).optional()});function gw(){return ve().gateway.accessTokenTtlSeconds}o(gw,"readAccessTokenTtlSeconds");function _w(){return ve().gateway.refreshTokenTtlSeconds}o(_w,"readRefreshTokenTtlSeconds");async function fw(e){if(!e.client.hashedClientSecret||!e.clientSecret||e.clientSecretSource!==e.requiredSource)throw new U("invalid_client",e.missingMessage);if(!await bg({value:e.clientSecret,expectedHash:e.client.hashedClientSecret}))throw new U("invalid_client","Client authentication failed.")}o(fw,"requireClientSecretAuthentication");async function yw(e){switch(e.client.metadata.token_endpoint_auth_method){case"none":if(e.clientSecret)throw new U("invalid_request","Public clients must not authenticate with client_secret.");return;case"client_secret_basic":await fw({...e,requiredSource:"basic",missingMessage:"Client authentication with HTTP Basic is required."});return;case"client_secret_post":await fw({...e,requiredSource:"post",missingMessage:"Client authentication with client_secret_post is required."});return;case"private_key_jwt":throw new U("invalid_client","private_key_jwt client authentication is not supported.")}}o(yw,"requireClientAuthentication");function sp(e,t){let r=gw(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:O(ft(e,a)),expiresIn:a}}o(sp,"calculateAccessTokenExpiresAt");async function JN(e){let t=Ke(),r=await F(t),n=sp(e.now,e.grant.expiresAt);return await e.repository.saveAccessToken({tokenHash:r,grantId:e.grant.id,clientId:e.grant.clientId,resource:e.grant.resource,virtualServerId:e.grant.virtualServerId,tenantId:e.grant.tenantId,subjectId:e.grant.subjectId,scope:e.grant.scope,roles:e.grant.roles,createdAt:O(e.now),expiresAt:n.expiresAt}),{accessToken:t,expiresIn:n.expiresIn}}o(JN,"issueOpaqueAccessToken");function Sw(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new U("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new U("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new U("invalid_client","Malformed HTTP Basic client authentication.")}}o(Sw,"readBasicClientSecret");function ww(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new U("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new U("invalid_client","Client authentication or client_id is required.");return t}o(ww,"resolveAuthenticatedClientId");function vw(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new U("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(vw,"resolveClientSecretInput");function Rw(e){return typeof e.exchangeAuthorizationCodeWithClientAuth=="function"&&typeof e.refreshTokenWithClientAuth=="function"&&typeof e.revokeOAuthTokenWithClientAuth=="function"}o(Rw,"usesRuntimeHttpTokenOperations");async function bw(e){let t=le.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await F(e.clientSecret)}}o(bw,"buildRuntimeHttpClientAuth");async function Cw(e){KN(e.body);let t=ZN.parse(e.body),r=Sw(e.authorizationHeader),n=ww({basicClientId:r.clientId,bodyClientId:t.client_id}),a=q().downstreamOAuthRepository,i=new Date,s=vw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(Rw(a))return YN({parsed:t,clientId:n,clientSecretInput:s,now:i,repository:a,requestUrl:e.requestUrl});let u=await ha(a,n,i);if(await yw({client:u,...s}),t.grant_type==="authorization_code"){jn(t.redirect_uri),bs(u,t.redirect_uri),Vr(t.scope),t.resource!==void 0&&Pt(e.requestUrl??t.resource,t.resource);let S=Ke(),y=Ke(),w=O(ft(i,_w())),v=sp(i,w),R=await a.exchangeAuthorizationCode({codeHash:await F(t.code),clientId:u.clientId,redirectUri:t.redirect_uri,...t.resource===void 0?{}:{resource:t.resource},codeChallenge:await Ld(t.code_verifier),currentRefreshTokenHash:await F(S),accessTokenHash:await F(y),now:i,grantExpiresAt:w,accessTokenExpiresAt:v.expiresAt});if(R.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the authorization code resource.");if(R.kind!=="exchanged")throw new U("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context?.log.info({event:"oauth_token_issued",grantType:"authorization_code",clientId:u.clientId,scope:R.grant.scope,resource:R.grant.resource,expiresInSeconds:v.expiresIn},"OAuth access token issued (authorization_code grant)"),{access_token:y,token_type:"Bearer",expires_in:v.expiresIn,refresh_token:S,scope:R.grant.scope,resource:R.grant.resource}}Vr(t.scope);let d=await F(t.refresh_token);t.resource!==void 0&&Pt(e.requestUrl??t.resource,t.resource);let l=Ke(),p=await F(l),m=await a.rotateRefreshToken({currentTokenHash:d,nextTokenHash:p,clientId:u.clientId,...t.resource===void 0?{}:{resource:t.resource},now:i});if(m.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the refresh token grant resource.");if(m.kind!=="rotated")throw new U("invalid_grant","Refresh token is invalid, expired, or revoked.");let f=m.grant;if(f.revokedAt||f.clientId!==u.clientId)throw new U("invalid_grant","Refresh token grant is invalid or revoked.");Pt(e.requestUrl??f.resource,f.resource);let _=await JN({repository:a,grant:f,now:i});return e.context?.log.info({event:"oauth_token_refresh_rotated",grantType:"refresh_token",clientId:u.clientId,scope:f.scope,resource:f.resource,expiresInSeconds:_.expiresIn},"OAuth refresh token rotated and access token issued"),{access_token:_.accessToken,token_type:"Bearer",expires_in:_.expiresIn,refresh_token:l,scope:f.scope,resource:f.resource}}o(Cw,"exchangeDownstreamToken");async function YN(e){let t=await bw({clientId:e.clientId,...e.clientSecretInput});if(e.parsed.grant_type==="authorization_code"){jn(e.parsed.redirect_uri),Vr(e.parsed.scope),e.parsed.resource!==void 0&&Pt(e.requestUrl??e.parsed.resource,e.parsed.resource);let u=Ke(),d=Ke(),l=O(ft(e.now,_w())),p=sp(e.now,l),m=await e.repository.exchangeAuthorizationCodeWithClientAuth({clientAuth:t,codeHash:await F(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await Ld(e.parsed.code_verifier),currentRefreshTokenHash:await F(u),accessTokenHash:await F(d),grantExpiresAt:l,accessTokenExpiresAt:p.expiresAt,now:O(e.now)});if(m.kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");if(m.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the authorization code resource.");if(m.kind!=="exchanged")throw new U("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return{access_token:d,token_type:"Bearer",expires_in:p.expiresIn,refresh_token:u,scope:m.grant.scope,resource:m.grant.resource}}Vr(e.parsed.scope),e.parsed.resource!==void 0&&Pt(e.requestUrl??e.parsed.resource,e.parsed.resource);let r=Ke(),n=Ke(),a=O(ft(e.now,gw())),i=await e.repository.refreshTokenWithClientAuth({clientAuth:t,currentRefreshTokenHash:await F(e.parsed.refresh_token),nextRefreshTokenHash:await F(r),accessTokenHash:await F(n),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:a,now:O(e.now)});if(i.kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new U("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new U("invalid_grant","Refresh token is invalid, expired, or revoked.");Pt(e.requestUrl??i.grant.resource,i.grant.resource);let s=i.accessToken.expiresAt;return{access_token:n,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:i.grant.scope,resource:i.grant.resource}}o(YN,"exchangeDownstreamTokenWithRuntimeHttp");async function Iw(e){let t=WN.parse(e.body),r=Sw(e.authorizationHeader),n=ww({basicClientId:r.clientId,bodyClientId:t.client_id}),a=q().downstreamOAuthRepository,i=vw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});if(Rw(a)){let d=new Date;if((await a.revokeOAuthTokenWithClientAuth({clientAuth:await bw({clientId:n,...i}),tokenHash:await F(t.token),now:O(d)})).kind==="invalid_client")throw new U("invalid_client","Client authentication failed.");return}let s=await ha(a,n,new Date);await yw({client:s,...i});let u=await F(t.token);await a.revokeOAuthToken({tokenHash:u,clientId:s.clientId,now:new Date}),e.context?.log.info({event:"oauth_token_revoked",clientId:s.clientId,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed")}o(Iw,"revokeDownstreamToken");var XN=64*1024,QN=16*1024,eD="text/html; charset=utf-8";function tD(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(tD,"formDataToObject");async function rD(e){return SS(e,{maxBytes:XN,label:"Request body"})}o(rD,"readJsonBody");async function Ts(e){return tD(await gs(e,{maxBytes:QN,label:"Request body"}))}o(Ts,"readFormBody");async function As(e,t,r){let n=de(r),a=r instanceof c.ZodError?Tw(r):r instanceof Error?r.message:void 0,i={code:n??"invalid_request"};return a!==void 0&&(i.detail=a),Ze(e,t,i)}o(As,"handleProblem");function fa(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(fa,"oauthErrorResponse");function nD(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(nD,"readOAuthProtocolHeaders");function oD(e,t){let r=Fe("internal_server_error");return fa({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:nD(e,t)})}o(oD,"oauthProtocolErrorResponse");function aD(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(aD,"readZodOAuthErrorCode");function iD(e){let t={error:aD(e)},r=Tw(e);return r!==void 0&&(t.errorDescription=r),fa(t)}o(iD,"oauthZodErrorResponse");function sD(e){let t=de(e);if(t===void 0)return;let r=Fe(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:uD(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,fa(n)}o(sD,"oauthGatewayProblemResponse");function cD(){let t={error:"server_error",status:500,errorDescription:Fe("internal_server_error").publicDetail};return fa(t)}o(cD,"oauthFallbackErrorResponse");function uD(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(uD,"readOAuthStatus");function Hn(e,t={}){return e instanceof Zr?dD(e):e instanceof U?oD(e,t):e instanceof c.ZodError?iD(e):sD(e)??cD()}o(Hn,"oauthProblemResponse");function Et(e,t,r){let n={event:t},a=!1;if(r instanceof U)n.oauthError=r.errorCode,n.status=r.status,Ae(n,"error",r);else if(r instanceof Zr)n.oauthError=r.errorCode,Ae(n,"error",r);else if(r instanceof c.ZodError){n.code="invalid_request",Ae(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=de(r);if(i!==void 0){let s=Fe(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",Ae(n,"error",r)}else a=!0,Ae(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(Et,"logUnexpectedOAuthHandlerError");function dD(e){let t;try{t=new URL(e.redirectUri)}catch{return fa({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(dD,"downstreamAuthorizeRedirectErrorResponse");function Tw(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(Tw,"formatZodErrorDetail");function lD(e,t){let r={event:"browser_login_callback_failed",code:de(t)??"invalid_request"};Ae(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(lD,"logBrowserLoginCallbackFailure");function cp(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(cp,"redirectResultResponse");function ks(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":eD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return cp(e)}o(ks,"authorizeResultResponse");async function Aw(e,t){try{return Response.json(qd(e.url))}catch(r){return Et(t,"oauth_authorization_server_metadata_failed",r),As(e,t,r)}}o(Aw,"authorizationServerMetadataHandler");async function kw(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return Response.json(Sg({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return Et(t,"oauth_authorization_server_metadata_failed",r),As(e,t,r)}}o(kw,"scopedAuthorizationServerMetadataHandler");async function Pw(e,t){try{let r=await tw(await rD(e)),n=r;return t.log.info({event:"oauth_dcr_client_registered",clientId:typeof n.client_id=="string"?n.client_id:void 0,clientName:typeof n.client_name=="string"?n.client_name:void 0,redirectUriCount:Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,tokenEndpointAuthMethod:typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0},"OAuth Dynamic Client Registration completed"),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Et(t,"oauth_register_failed",r),Hn(r)}}o(Pw,"registerHandler");async function Ew(e,t){try{return ks(await ip(e,{context:t}))}catch(r){return Et(t,"oauth_authorize_failed",r),Hn(r,{includeInvalidClientChallenge:!1})}}o(Ew,"authorizeHandler");async function xw(e,t){try{let r=me.parse(e.params.virtualServerId),n=zo(r);return ks(await ip(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return Et(t,"oauth_authorize_scoped_failed",r),Hn(r,{includeInvalidClientChallenge:!1})}}o(xw,"scopedAuthorizeHandler");async function Ow(e,t){try{let r=await lw(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),ks(r)}catch(r){return lD(t,r),As(e,t,r)}}o(Ow,"callbackHandler");async function Uw(e,t){try{return cp(await pw(e))}catch(r){return Et(t,"oauth_dev_login_failed",r),Hn(r)}}o(Uw,"devLoginHandler");async function zw(e,t){try{if(e.method==="GET"){let r=typeof e.query.state=="string"?e.query.state:void 0;return r?bS(r):Vl(400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):cp(await mw({request:e,body:await Ts(e)}))}catch(r){return Et(t,"oauth_api_key_login_failed",r),Vl()}}o(zw,"apiKeyLoginHandler");async function Nw(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await hw({request:e,body:e.method==="POST"?await Ts(e):void 0,context:t});return ks(r)}catch(r){return Et(t,"oauth_setup_failed",r),As(e,t,r)}}o(Nw,"setupHandler");async function Dw(e,t){try{return Response.json(await Cw({body:await Ts(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Et(t,"oauth_token_failed",r),Hn(r)}}o(Dw,"tokenHandler");async function Mw(e,t){try{return await Iw({body:await Ts(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Et(t,"oauth_revoke_failed",r),Hn(r)}}o(Mw,"revokeHandler");var pD={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},qw=new Ut("upstream-request");function mD(e){let t=qw.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(mD,"readUpstreamRequestContext");function hD(e,t){return t.some(r=>r===e)}o(hD,"requestContextMatchesKind");function fD(e){return typeof e=="string"?[e]:e}o(fD,"toExpectedKinds");function Kr(e,t){qw.set(e,t)}o(Kr,"setUpstreamRequestContext");function Wr(e,t){let r=mD(e),n=fD(t);if(!hD(r.kind,n)){let a=pD[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(Wr,"requireUpstreamRequestContext");var gD="text/html; charset=utf-8",_D="none";function $w(e){return x`<!doctype html><html><head><title>${e.title}</title><meta name="viewport" content="width=device-width, initial-scale=1"></head><body data-gateway-error-code="${e.code??_D}"><main><h1>${e.title}</h1><p>${e.body}</p></main></body></html>`}o($w,"browserResultHtml");function Lw(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":gD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(Lw,"browserResultResponse");function Ps(e){return Lw($w(e))}o(Ps,"browserConnectionSuccessResponse");function Gn(e){let t=Mf(e);return Lw($w({title:t.title,body:t.body,code:e}),400)}o(Gn,"browserConnectionFailureResponse");var yD="text/html; charset=utf-8",SD=16*1024;function wD(e,t=200){return new Response(Zt(e),{status:t,headers:{"content-type":yD,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(wD,"htmlResponse");function vD(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(vD,"safeRedirect");function RD(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(RD,"requireBrowserTicket");function bD(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(bD,"appPasswordTicketMatchesTarget");async function jw(e){let t=RD(e.browserTicket),r=await es(t);if(!bD(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(jw,"readAppPasswordTarget");function CD(e){let t=yl(e.upstreamServerId,e.authProfileId),r=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,n=t.kind==="basic_auth_app_password"?x`<label for="username">${t.usernameLabel}</label><input id="username" name="username" required autocomplete="username"><label for="appPassword">${t.passwordLabel}</label><input id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:x`<label for="token">${t.label}</label><input id="token" name="token" type="password" required autocomplete="off">`;return wD(x`<!doctype html><html><head><title>Connect upstream</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;margin:0;padding:32px;background:#f8fafc;color:#0f172a}main{max-width:440px;margin:0 auto;background:white;border:1px solid #dbe3ee;border-radius:8px;padding:24px;box-shadow:0 1px 2px rgba(15,23,42,.06)}label{display:block;font-size:14px;font-weight:600;margin:16px 0 6px}input{box-sizing:border-box;width:100%;border:1px solid #b8c3d4;border-radius:6px;padding:10px 12px;font:inherit}button{margin-top:20px;border:0;border-radius:6px;background:#0f172a;color:white;padding:10px 14px;font:inherit;font-weight:600;cursor:pointer}p{color:#475569;line-height:1.5}</style></head><body><main><h1>Connect upstream</h1><p>Enter the per-user credential for this approved upstream. The gateway stores it encrypted and keeps it out of MCP client configuration.</p><form method="post" action="${r}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}">${n}<button type="submit">Connect</button></form></main></body></html>`)}o(CD,"renderCaptureForm");function Es(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(Es,"readRequiredFormValue");function ID(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(ID,"readCaptureFormTargetInput");async function TD(e){return CD(await jw(ID(e)))}o(TD,"handleCaptureFormRequest");async function AD(e){let t=await gs(e.request,{maxBytes:SD,label:"App password request body"});return{form:t,target:await jw({upstreamServerId:e.upstreamServerId,browserTicket:Es(t,"browserTicket")})}}o(AD,"readSubmittedAppPasswordTarget");async function kD(e){let t=Pn(e.target.ticket);if(await ts(e.target.ticket),yl(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await rs({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:Es(e.form,"token")});return}await dy({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:Es(e.form,"username"),appPassword:Es(e.form,"appPassword")})}o(kD,"saveSubmittedAppPasswordCredential");function PD(e,t){return t.ticket.returnTo?vD(e,t.ticket.returnTo):Ps({title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(PD,"appPasswordSuccessResponse");async function ED(e){let t=await AD({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await kD(t),PD(e.request.url,t.target)}o(ED,"handleAppPasswordSubmission");function xD(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(xD,"methodNotAllowedResponse");function OD(e){let t=de(e);return Gn(wi(t)?t:"oauth_state_invalid")}o(OD,"appPasswordFailureResponse");async function UD(e){switch(e.request.method){case"GET":return TD(e.appPasswordRequest);case"POST":return ED(e);default:return xD()}}o(UD,"handleAppPasswordMethod");async function up(e,t){let r=Wr(t,"app_password");try{return await UD({request:e,appPasswordRequest:r})}catch(n){return OD(n)}}o(up,"appPasswordHandler");var zD=["callback_authorization_code","callback_provider_error","callback_invalid"];function ND(e){return"cause"in e?e.cause:void 0}o(ND,"readErrorCause");function DD(e){return e.stack?.split(`
-`).slice(1,4).map(t=>t.trim()).join(" | ")}o(DD,"readFirstStackFrame");function Hw(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=DD(r))}o(Hw,"addErrorAttributes");function MD(e,t){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),Gn("provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Gn("oauth_state_invalid");case"callback_authorization_code":return t}}o(MD,"requireAuthorizationCallbackRequest");function qD(e,t){We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(qD,"emitCallbackReceivedAnalyticsEvent");function $D(e,t){We(e,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o($D,"emitTokenExchangeSucceededAnalyticsEvent");function LD(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return Ps({title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(LD,"buildSuccessfulCallbackResponse");function jD(e){let t={detail:e instanceof Error?e.message:void 0};return Hw(t,"error",e),e instanceof Error&&Hw(t,"cause",ND(e)),t}o(jD,"buildTokenExchangeFailureAttributes");function HD(e){We(e.context,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:de(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:jD(e.error)})}o(HD,"emitTokenExchangeFailedAnalyticsEvent");function GD(e){let t=de(e);return Gn(wi(t)?t:"upstream_token_exchange_failed")}o(GD,"tokenExchangeFailureResponse");async function dp(e,t){let r=Wr(t,zD),n=MD(t,r);if(n instanceof Response)return n;qD(t,n);try{let a=await Ky({request:e,callbackRequest:n});return $D(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,virtualServerId:a.virtualServerId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),LD(e,a)}catch(a){let i={event:"upstream_oauth_token_exchange_failed",code:de(a)??"upstream_token_exchange_failed",upstreamServerId:n.upstreamServerId};return Ae(i,"error",a),t.log.warn(i,"Upstream OAuth token exchange failed; user shown connection-failure page"),HD({context:t,callbackRequest:n,error:a}),GD(a)}}o(dp,"callbackHandler");function BD(e){let t=de(e);return t==="unknown_upstream_server"?t:"not_found"}o(BD,"clientMetadataProblemCode");function VD(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(VD,"clientMetadataProblemDetail");async function Gw(e,t){let r=Wr(t,"connect"),n=await Zy({request:e,connectRequest:r});if(We(t,{eventType:H.MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await On({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(Gw,"connectHandler");async function Bw(e,t){let r=Wr(t,"client_metadata");try{let n=Oy(e.url),a=Uy(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=BD(n),i=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),Ze(e,t,{code:a,detail:VD(n)})}}o(Bw,"oauthClientMetadataHandler");function Kt(e){if(typeof e=="string"&&e.length!==0)return e}o(Kt,"readOptionalQueryString");function FD(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(FD,"requirePathString");function Vw(e){let t=Kt(e);return t?me.parse(t):void 0}o(Vw,"readOptionalVirtualServerId");function ZD(e,t){let r=Kt(e);return r?Pe.parse(r):vn(t,"user_oauth")}o(ZD,"readOptionalAuthProfileId");function KD(e){let t=Vw(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(KD,"readRequiredVirtualServerId");function WD(e){let t=Kt(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(WD,"readOptionalBrowserTicket");function JD(e){let t=Gi(Kt(e));return t===void 0?{}:{returnTo:t}}o(JD,"readOptionalReturnTo");function YD(e){let t=Vw(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(YD,"readOptionalVirtualServerIdContext");function XD(e){let t=Kt(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(XD,"readOptionalProviderErrorDescription");function QD(e){let t=At(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(QD,"requireConnectableRouteAuth");function eM(e,t,r,n){let a=fs(e,t);if(a.ownerMode==="none"||a.authMode==="tenant_static_secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(eM,"buildConnectContextForPrincipal");function tM(e,t,r){let n=Pn(t),a=At(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(tM,"buildConnectContextForTicket");async function rM(e,t){let r=QD(fS(t,KD(e.query.virtualServerId))),n=e.query.redirect==="true",a=Kt(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let s=Tn(e.user,e.url);return eM(r,s,n,JD(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let i=await es(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await ts(i),tM(r,i,n)}o(rM,"resolveConnectContext");async function nM(e,t,r){let n=ke.parse(FD(e,"connection"));switch(r){case"connect":Kr(t,await rM(e,n));return;case"app_password":Kr(t,{kind:"app_password",upstreamServerId:n,...YD(e),...WD(e)});return;case"callback":{let a=Kt(e.query.error);if(a){Kr(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...XD(e)});return}let i=Kt(e.query.code),s=Kt(e.query.state);if(i&&s){Kr(t,{kind:"callback_authorization_code",upstreamServerId:n,code:i,state:s});return}Kr(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":Kr(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:ZD(e.query.authProfileId,n)});return}}o(nM,"resolveUpstreamRequestInbound");async function oM(e,t,r){try{await nM(e,t,r);return}catch(n){let a=de(n);if(!a)throw n;let i=n instanceof Error?n.message:void 0;return Ze(e,t,{code:a,...i===void 0?{}:{detail:i}})}}o(oM,"applyUpstreamRequestContext");function ga(e,t){return o(async(n,a)=>{let i=await oM(n,a,e);return i||t(n,a)},"wrapped")}o(ga,"withUpstreamRequestContext");var aM={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function iM(){return new Response(null,{status:204,headers:aM})}o(iM,"buildWellKnownPreflightResponse");function sM(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(sM,"withWellKnownCorsHeaders");function lp(e){return async(t,r)=>t.method==="OPTIONS"?iM():sM(await e(t,r))}o(lp,"wrapWellKnownHandler");var cM=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:lp(Aw)},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:lp(kw)},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:lp(wg)},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Pw},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Ew},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:xw},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Ow},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Uw},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:zw},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:Nw},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:Dw},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:Mw},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ga("client_metadata",Bw)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ga("connect",Gw)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ga("callback",dp)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:ga("app_password",up)}];function Fw(e){if(e)return e.find(t=>Ii(t.policyType))}o(Fw,"findMcpOAuthPolicy");function Zw(e){return Fw(e)!==void 0}o(Zw,"shouldRegisterMcpGatewayInternalRoutes");function uM(e){let t=gd(e.policyType);if(!t){let r=_d();throw new Ot(`MCP gateway: unknown MCP authorization policy type '${String(e.policyType)}'. Registered policy types: ${r.length>0?r.join(", "):"<none>"}.`)}try{return t.getConfig(e.handler.options)}catch(r){throw r instanceof c.ZodError?new Ot(dM(e.name??e.policyType,r),{cause:r}):r}}o(uM,"resolveOAuthConfigFromPolicy");function dM(e,t){let r=t.issues.map(n=>`  - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
+`,t.enqueue(r.encode(i)),!0}catch(i){return this.onerror?.(i),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let i={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},s;if(r?.parsedBody!==void 0)s=r.parsedBody;else try{s=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let c;try{Array.isArray(s)?c=s.map(v=>$r.parse(v)):c=[$r.parse(s)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=c.some(cc);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(c.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let b=this.validateProtocolVersion(t);if(b)return b}if(!c.some(It)){for(let v of c)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i});return new Response(null,{status:202})}let l=crypto.randomUUID(),m=c.find(v=>cc(v)),h=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??Jp;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(l,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(l)},"cleanup")});for(let b of c)It(b)&&this._requestToStreamMapping.set(b.id,l);for(let b of c)this.onmessage?.(b,{authInfo:r?.authInfo,requestInfo:i})});let y=new TextEncoder,_,S=new ReadableStream({start:o(v=>{_=v},"start"),cancel:o(()=>{this._streamMapping.delete(l)},"cancel")}),w={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(w["mcp-session-id"]=this.sessionId);for(let v of c)It(v)&&(this._streamMapping.set(l,{controller:_,encoder:y,cleanup:o(()=>{this._streamMapping.delete(l);try{_.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,l));await this.writePrimingEvent(_,y,l,h);for(let v of c){let b,R;It(v)&&this._eventStore&&h>="2025-11-25"&&(b=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),R=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i,closeSSEStream:b,closeStandaloneSSEStream:R})}return new Response(S,{status:200,headers:w})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!lr.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${lr.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${lr.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((St(t)||mn(t))&&(n=t.id),n===void 0){if(St(t)||mn(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let s;this._eventStore&&(s=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let c=this._streamMapping.get(this._standaloneSseStreamId);if(c===void 0)return;c.controller&&c.encoder&&this.writeSSEEvent(c.controller,c.encoder,t,s);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let i=this._streamMapping.get(a);if(!this._enableJsonResponse&&i?.controller&&i?.encoder){let s;this._eventStore&&(s=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(i.controller,i.encoder,t,s)}if(St(t)||mn(t)){this._requestResponseMap.set(n,t);let s=Array.from(this._requestToStreamMapping.entries()).filter(([d,p])=>p===a).map(([d])=>d);if(s.every(d=>this._requestResponseMap.has(d))){if(!i)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&i.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let p=s.map(l=>this._requestResponseMap.get(l));p.length===1?i.resolveJson(new Response(JSON.stringify(p[0]),{status:200,headers:d})):i.resolveJson(new Response(JSON.stringify(p),{status:200,headers:d}))}else i.cleanup();for(let d of s)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function $n(e,t){let r=typeof e;if(r!==typeof t)return!1;if(Array.isArray(e)){if(!Array.isArray(t))return!1;let n=e.length;if(n!==t.length)return!1;for(let a=0;a<n;a++)if(!$n(e[a],t[a]))return!1;return!0}if(r==="object"){if(!e||!t)return e===t;let n=Object.keys(e),a=Object.keys(t);if(n.length!==a.length)return!1;for(let s of n)if(!$n(e[s],t[s]))return!1;return!0}return e===t}o($n,"deepCompareStrict");function at(e){return encodeURI(NA(e))}o(at,"encodePointer");function NA(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(NA,"escapePointer");var jA={prefixItems:!0,items:!0,allOf:!0,anyOf:!0,oneOf:!0},DA={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependentSchemas:!0},HA={id:!0,$id:!0,$ref:!0,$schema:!0,$anchor:!0,$vocabulary:!0,$comment:!0,default:!0,enum:!0,const:!0,required:!0,type:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0},LA=typeof self<"u"&&self.location&&self.location.origin!=="null"?new URL(self.location.origin+self.location.pathname+location.search):new URL("https://github.com/cfworker");function Wt(e,t=Object.create(null),r=LA,n=""){if(e&&typeof e=="object"&&!Array.isArray(e)){let i=e.$id||e.id;if(i){let s=new URL(i,r.href);s.hash.length>1?t[s.href]=e:(s.hash="",n===""?r=s:Wt(e,t,r))}}else if(e!==!0&&e!==!1)return t;let a=r.href+(n?"#"+n:"");if(t[a]!==void 0)throw new Error(`Duplicate schema URI "${a}".`);if(t[a]=e,e===!0||e===!1)return t;if(e.__absolute_uri__===void 0&&Object.defineProperty(e,"__absolute_uri__",{enumerable:!1,value:a}),e.$ref&&e.__absolute_ref__===void 0){let i=new URL(e.$ref,r.href);i.hash=i.hash,Object.defineProperty(e,"__absolute_ref__",{enumerable:!1,value:i.href})}if(e.$recursiveRef&&e.__absolute_recursive_ref__===void 0){let i=new URL(e.$recursiveRef,r.href);i.hash=i.hash,Object.defineProperty(e,"__absolute_recursive_ref__",{enumerable:!1,value:i.href})}if(e.$anchor){let i=new URL("#"+e.$anchor,r.href);t[i.href]=e}for(let i in e){if(HA[i])continue;let s=`${n}/${at(i)}`,c=e[i];if(Array.isArray(c)){if(jA[i]){let d=c.length;for(let p=0;p<d;p++)Wt(c[p],t,r,`${s}/${p}`)}}else if(DA[i])for(let d in c)Wt(c[d],t,r,`${s}/${at(d)}`);else Wt(c,t,r,s)}return t}o(Wt,"dereference");var BA=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,GA=[0,31,28,31,30,31,30,31,31,30,31,30,31],VA=/^(\d\d):(\d\d):(\d\d)(\.\d+)?(z|[+-]\d\d(?::?\d\d)?)?$/i,FA=/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ZA=/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,KA=/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,WA=/^(?:(?:https?|ftp):\/\/)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u{00a1}-\u{ffff}0-9]+-?)*[a-z\u{00a1}-\u{ffff}0-9]+)(?:\.(?:[a-z\u{00a1}-\u{ffff}0-9]+-?)*[a-z\u{00a1}-\u{ffff}0-9]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,JA=/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,YA=/^(?:\/(?:[^~/]|~0|~1)*)*$/,QA=/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,XA=/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,eT=o(e=>{if(e[0]==='"')return!1;let[t,r,...n]=e.split("@");return!t||!r||n.length!==0||t.length>64||r.length>253||t[0]==="."||t.endsWith(".")||t.includes("..")||!/^[a-z0-9.-]+$/i.test(r)||!/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+$/i.test(t)?!1:r.split(".").every(a=>/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(a))},"EMAIL"),tT=/^(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)$/,rT=/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,nT=o(e=>e.length>1&&e.length<80&&(/^P\d+([.,]\d+)?W$/.test(e)||/^P[\dYMDTHS]*(\d[.,]\d+)?[YMDHS]$/.test(e)&&/^P([.,\d]+Y)?([.,\d]+M)?([.,\d]+D)?(T([.,\d]+H)?([.,\d]+M)?([.,\d]+S)?)?$/.test(e)),"DURATION");function Ut(e){return e.test.bind(e)}o(Ut,"bind");var Td={date:eg,time:tg.bind(void 0,!1),"date-time":iT,duration:nT,uri:uT,"uri-reference":Ut(ZA),"uri-template":Ut(KA),url:Ut(WA),email:eT,hostname:Ut(FA),ipv4:Ut(tT),ipv6:Ut(rT),regex:lT,uuid:Ut(JA),"json-pointer":Ut(YA),"json-pointer-uri-fragment":Ut(QA),"relative-json-pointer":Ut(XA)};function oT(e){return e%4===0&&(e%100!==0||e%400===0)}o(oT,"isLeapYear");function eg(e){let t=e.match(BA);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n==2&&oT(r)?29:GA[n])}o(eg,"date");function tg(e,t){let r=t.match(VA);if(!r)return!1;let n=+r[1],a=+r[2],i=+r[3],s=!!r[5];return(n<=23&&a<=59&&i<=59||n==23&&a==59&&i==60)&&(!e||s)}o(tg,"time");var aT=/t|\s/i;function iT(e){let t=e.split(aT);return t.length==2&&eg(t[0])&&tg(!0,t[1])}o(iT,"date_time");var sT=/\/|:/,cT=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function uT(e){return sT.test(e)&&cT.test(e)}o(uT,"uri");var dT=/[^\\]\\Z/;function lT(e){if(dT.test(e))return!1;try{return new RegExp(e,"u"),!0}catch{return!1}}o(lT,"regex");var rg;(function(e){e[e.Flag=1]="Flag",e[e.Basic=2]="Basic",e[e.Detailed=4]="Detailed"})(rg||(rg={}));function ng(e){let t=0,r=e.length,n=0,a;for(;n<r;)t++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<r&&(a=e.charCodeAt(n),(a&64512)==56320&&n++);return t}o(ng,"ucs2length");function fe(e,t,r="2019-09",n=Wt(t),a=!0,i=null,s="#",c="#",d=Object.create(null)){if(t===!0)return{valid:!0,errors:[]};if(t===!1)return{valid:!1,errors:[{instanceLocation:s,keyword:"false",keywordLocation:s,error:"False boolean schema."}]};let p=typeof e,l;switch(p){case"boolean":case"number":case"string":l=p;break;case"object":e===null?l="null":Array.isArray(e)?l="array":l="object";break;default:throw new Error(`Instances of "${p}" type are not supported.`)}let{$ref:m,$recursiveRef:h,$recursiveAnchor:y,type:_,const:S,enum:w,required:v,not:b,anyOf:R,allOf:q,oneOf:N,if:qe,then:it,else:dn,format:ir,properties:qt,patternProperties:Er,additionalProperties:no,unevaluatedProperties:oo,minProperties:ao,maxProperties:Zs,propertyNames:kp,dependentRequired:Ks,dependentSchemas:Ws,dependencies:Js,prefixItems:Ys,items:io,additionalItems:Ep,unevaluatedItems:Up,contains:Op,minContains:Nt,maxContains:Ea,minItems:Qs,maxItems:Xs,uniqueItems:vv,minimum:Ur,maximum:Or,exclusiveMinimum:so,exclusiveMaximum:co,multipleOf:Ua,minLength:Oa,maxLength:$a,pattern:$p,__absolute_ref__:za,__absolute_recursive_ref__:bv}=t,T=[];if(y===!0&&i===null&&(i=t),h==="#"){let j=i===null?n[bv]:i,z=`${c}/$recursiveRef`,B=fe(e,i===null?t:i,r,n,a,j,s,z,d);B.valid||T.push({instanceLocation:s,keyword:"$recursiveRef",keywordLocation:z,error:"A subschema had errors."},...B.errors)}if(m!==void 0){let z=n[za||m];if(z===void 0){let P=`Unresolved $ref "${m}".`;throw za&&za!==m&&(P+=`  Absolute URI "${za}".`),P+=`
+Known schemas:
+- ${Object.keys(n).join(`
+- `)}`,new Error(P)}let B=`${c}/$ref`,E=fe(e,z,r,n,a,i,s,B,d);if(E.valid||T.push({instanceLocation:s,keyword:"$ref",keywordLocation:B,error:"A subschema had errors."},...E.errors),r==="4"||r==="7")return{valid:T.length===0,errors:T}}if(Array.isArray(_)){let j=_.length,z=!1;for(let B=0;B<j;B++)if(l===_[B]||_[B]==="integer"&&l==="number"&&e%1===0&&e===e){z=!0;break}z||T.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${_.join('", "')}".`})}else _==="integer"?(l!=="number"||e%1||e!==e)&&T.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${_}".`}):_!==void 0&&l!==_&&T.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${_}".`});if(S!==void 0&&(l==="object"||l==="array"?$n(e,S)||T.push({instanceLocation:s,keyword:"const",keywordLocation:`${c}/const`,error:`Instance does not match ${JSON.stringify(S)}.`}):e!==S&&T.push({instanceLocation:s,keyword:"const",keywordLocation:`${c}/const`,error:`Instance does not match ${JSON.stringify(S)}.`})),w!==void 0&&(l==="object"||l==="array"?w.some(j=>$n(e,j))||T.push({instanceLocation:s,keyword:"enum",keywordLocation:`${c}/enum`,error:`Instance does not match any of ${JSON.stringify(w)}.`}):w.some(j=>e===j)||T.push({instanceLocation:s,keyword:"enum",keywordLocation:`${c}/enum`,error:`Instance does not match any of ${JSON.stringify(w)}.`})),b!==void 0){let j=`${c}/not`;fe(e,b,r,n,a,i,s,j).valid&&T.push({instanceLocation:s,keyword:"not",keywordLocation:j,error:'Instance matched "not" schema.'})}let Ma=[];if(R!==void 0){let j=`${c}/anyOf`,z=T.length,B=!1;for(let E=0;E<R.length;E++){let P=R[E],H=Object.create(d),D=fe(e,P,r,n,a,y===!0?i:null,s,`${j}/${E}`,H);T.push(...D.errors),B=B||D.valid,D.valid&&Ma.push(H)}B?T.length=z:T.splice(z,0,{instanceLocation:s,keyword:"anyOf",keywordLocation:j,error:"Instance does not match any subschemas."})}if(q!==void 0){let j=`${c}/allOf`,z=T.length,B=!0;for(let E=0;E<q.length;E++){let P=q[E],H=Object.create(d),D=fe(e,P,r,n,a,y===!0?i:null,s,`${j}/${E}`,H);T.push(...D.errors),B=B&&D.valid,D.valid&&Ma.push(H)}B?T.length=z:T.splice(z,0,{instanceLocation:s,keyword:"allOf",keywordLocation:j,error:"Instance does not match every subschema."})}if(N!==void 0){let j=`${c}/oneOf`,z=T.length,B=N.filter((E,P)=>{let H=Object.create(d),D=fe(e,E,r,n,a,y===!0?i:null,s,`${j}/${P}`,H);return T.push(...D.errors),D.valid&&Ma.push(H),D.valid}).length;B===1?T.length=z:T.splice(z,0,{instanceLocation:s,keyword:"oneOf",keywordLocation:j,error:`Instance does not match exactly one subschema (${B} matches).`})}if((l==="object"||l==="array")&&Object.assign(d,...Ma),qe!==void 0){let j=`${c}/if`;if(fe(e,qe,r,n,a,i,s,j,d).valid){if(it!==void 0){let B=fe(e,it,r,n,a,i,s,`${c}/then`,d);B.valid||T.push({instanceLocation:s,keyword:"if",keywordLocation:j,error:'Instance does not match "then" schema.'},...B.errors)}}else if(dn!==void 0){let B=fe(e,dn,r,n,a,i,s,`${c}/else`,d);B.valid||T.push({instanceLocation:s,keyword:"if",keywordLocation:j,error:'Instance does not match "else" schema.'},...B.errors)}}if(l==="object"){if(v!==void 0)for(let E of v)E in e||T.push({instanceLocation:s,keyword:"required",keywordLocation:`${c}/required`,error:`Instance does not have required property "${E}".`});let j=Object.keys(e);if(ao!==void 0&&j.length<ao&&T.push({instanceLocation:s,keyword:"minProperties",keywordLocation:`${c}/minProperties`,error:`Instance does not have at least ${ao} properties.`}),Zs!==void 0&&j.length>Zs&&T.push({instanceLocation:s,keyword:"maxProperties",keywordLocation:`${c}/maxProperties`,error:`Instance does not have at least ${Zs} properties.`}),kp!==void 0){let E=`${c}/propertyNames`;for(let P in e){let H=`${s}/${at(P)}`,D=fe(P,kp,r,n,a,i,H,E);D.valid||T.push({instanceLocation:s,keyword:"propertyNames",keywordLocation:E,error:`Property name "${P}" does not match schema.`},...D.errors)}}if(Ks!==void 0){let E=`${c}/dependantRequired`;for(let P in Ks)if(P in e){let H=Ks[P];for(let D of H)D in e||T.push({instanceLocation:s,keyword:"dependentRequired",keywordLocation:E,error:`Instance has "${P}" but does not have "${D}".`})}}if(Ws!==void 0)for(let E in Ws){let P=`${c}/dependentSchemas`;if(E in e){let H=fe(e,Ws[E],r,n,a,i,s,`${P}/${at(E)}`,d);H.valid||T.push({instanceLocation:s,keyword:"dependentSchemas",keywordLocation:P,error:`Instance has "${E}" but does not match dependant schema.`},...H.errors)}}if(Js!==void 0){let E=`${c}/dependencies`;for(let P in Js)if(P in e){let H=Js[P];if(Array.isArray(H))for(let D of H)D in e||T.push({instanceLocation:s,keyword:"dependencies",keywordLocation:E,error:`Instance has "${P}" but does not have "${D}".`});else{let D=fe(e,H,r,n,a,i,s,`${E}/${at(P)}`);D.valid||T.push({instanceLocation:s,keyword:"dependencies",keywordLocation:E,error:`Instance has "${P}" but does not match dependant schema.`},...D.errors)}}}let z=Object.create(null),B=!1;if(qt!==void 0){let E=`${c}/properties`;for(let P in qt){if(!(P in e))continue;let H=`${s}/${at(P)}`,D=fe(e[P],qt[P],r,n,a,i,H,`${E}/${at(P)}`);if(D.valid)d[P]=z[P]=!0;else if(B=a,T.push({instanceLocation:s,keyword:"properties",keywordLocation:E,error:`Property "${P}" does not match schema.`},...D.errors),B)break}}if(!B&&Er!==void 0){let E=`${c}/patternProperties`;for(let P in Er){let H=new RegExp(P,"u"),D=Er[P];for(let Ze in e){if(!H.test(Ze))continue;let zp=`${s}/${at(Ze)}`,Mp=fe(e[Ze],D,r,n,a,i,zp,`${E}/${at(P)}`);Mp.valid?d[Ze]=z[Ze]=!0:(B=a,T.push({instanceLocation:s,keyword:"patternProperties",keywordLocation:E,error:`Property "${Ze}" matches pattern "${P}" but does not match associated schema.`},...Mp.errors))}}}if(!B&&no!==void 0){let E=`${c}/additionalProperties`;for(let P in e){if(z[P])continue;let H=`${s}/${at(P)}`,D=fe(e[P],no,r,n,a,i,H,E);D.valid?d[P]=!0:(B=a,T.push({instanceLocation:s,keyword:"additionalProperties",keywordLocation:E,error:`Property "${P}" does not match additional properties schema.`},...D.errors))}}else if(!B&&oo!==void 0){let E=`${c}/unevaluatedProperties`;for(let P in e)if(!d[P]){let H=`${s}/${at(P)}`,D=fe(e[P],oo,r,n,a,i,H,E);D.valid?d[P]=!0:T.push({instanceLocation:s,keyword:"unevaluatedProperties",keywordLocation:E,error:`Property "${P}" does not match unevaluated properties schema.`},...D.errors)}}}else if(l==="array"){Xs!==void 0&&e.length>Xs&&T.push({instanceLocation:s,keyword:"maxItems",keywordLocation:`${c}/maxItems`,error:`Array has too many items (${e.length} > ${Xs}).`}),Qs!==void 0&&e.length<Qs&&T.push({instanceLocation:s,keyword:"minItems",keywordLocation:`${c}/minItems`,error:`Array has too few items (${e.length} < ${Qs}).`});let j=e.length,z=0,B=!1;if(Ys!==void 0){let E=`${c}/prefixItems`,P=Math.min(Ys.length,j);for(;z<P;z++){let H=fe(e[z],Ys[z],r,n,a,i,`${s}/${z}`,`${E}/${z}`);if(d[z]=!0,!H.valid&&(B=a,T.push({instanceLocation:s,keyword:"prefixItems",keywordLocation:E,error:"Items did not match schema."},...H.errors),B))break}}if(io!==void 0){let E=`${c}/items`;if(Array.isArray(io)){let P=Math.min(io.length,j);for(;z<P;z++){let H=fe(e[z],io[z],r,n,a,i,`${s}/${z}`,`${E}/${z}`);if(d[z]=!0,!H.valid&&(B=a,T.push({instanceLocation:s,keyword:"items",keywordLocation:E,error:"Items did not match schema."},...H.errors),B))break}}else for(;z<j;z++){let P=fe(e[z],io,r,n,a,i,`${s}/${z}`,E);if(d[z]=!0,!P.valid&&(B=a,T.push({instanceLocation:s,keyword:"items",keywordLocation:E,error:"Items did not match schema."},...P.errors),B))break}if(!B&&Ep!==void 0){let P=`${c}/additionalItems`;for(;z<j;z++){let H=fe(e[z],Ep,r,n,a,i,`${s}/${z}`,P);d[z]=!0,H.valid||(B=a,T.push({instanceLocation:s,keyword:"additionalItems",keywordLocation:P,error:"Items did not match additional items schema."},...H.errors))}}}if(Op!==void 0)if(j===0&&Nt===void 0)T.push({instanceLocation:s,keyword:"contains",keywordLocation:`${c}/contains`,error:"Array is empty. It must contain at least one item matching the schema."});else if(Nt!==void 0&&j<Nt)T.push({instanceLocation:s,keyword:"minContains",keywordLocation:`${c}/minContains`,error:`Array has less items (${j}) than minContains (${Nt}).`});else{let E=`${c}/contains`,P=T.length,H=0;for(let D=0;D<j;D++){let Ze=fe(e[D],Op,r,n,a,i,`${s}/${D}`,E);Ze.valid?(d[D]=!0,H++):T.push(...Ze.errors)}H>=(Nt||0)&&(T.length=P),Nt===void 0&&Ea===void 0&&H===0?T.splice(P,0,{instanceLocation:s,keyword:"contains",keywordLocation:E,error:"Array does not contain item matching schema."}):Nt!==void 0&&H<Nt?T.push({instanceLocation:s,keyword:"minContains",keywordLocation:`${c}/minContains`,error:`Array must contain at least ${Nt} items matching schema. Only ${H} items were found.`}):Ea!==void 0&&H>Ea&&T.push({instanceLocation:s,keyword:"maxContains",keywordLocation:`${c}/maxContains`,error:`Array may contain at most ${Ea} items matching schema. ${H} items were found.`})}if(!B&&Up!==void 0){let E=`${c}/unevaluatedItems`;for(z;z<j;z++){if(d[z])continue;let P=fe(e[z],Up,r,n,a,i,`${s}/${z}`,E);d[z]=!0,P.valid||T.push({instanceLocation:s,keyword:"unevaluatedItems",keywordLocation:E,error:"Items did not match unevaluated items schema."},...P.errors)}}if(vv)for(let E=0;E<j;E++){let P=e[E],H=typeof P=="object"&&P!==null;for(let D=0;D<j;D++){if(E===D)continue;let Ze=e[D];(P===Ze||H&&(typeof Ze=="object"&&Ze!==null)&&$n(P,Ze))&&(T.push({instanceLocation:s,keyword:"uniqueItems",keywordLocation:`${c}/uniqueItems`,error:`Duplicate items at indexes ${E} and ${D}.`}),E=Number.MAX_SAFE_INTEGER,D=Number.MAX_SAFE_INTEGER)}}}else if(l==="number"){if(r==="4"?(Ur!==void 0&&(so===!0&&e<=Ur||e<Ur)&&T.push({instanceLocation:s,keyword:"minimum",keywordLocation:`${c}/minimum`,error:`${e} is less than ${so?"or equal to ":""} ${Ur}.`}),Or!==void 0&&(co===!0&&e>=Or||e>Or)&&T.push({instanceLocation:s,keyword:"maximum",keywordLocation:`${c}/maximum`,error:`${e} is greater than ${co?"or equal to ":""} ${Or}.`})):(Ur!==void 0&&e<Ur&&T.push({instanceLocation:s,keyword:"minimum",keywordLocation:`${c}/minimum`,error:`${e} is less than ${Ur}.`}),Or!==void 0&&e>Or&&T.push({instanceLocation:s,keyword:"maximum",keywordLocation:`${c}/maximum`,error:`${e} is greater than ${Or}.`}),so!==void 0&&e<=so&&T.push({instanceLocation:s,keyword:"exclusiveMinimum",keywordLocation:`${c}/exclusiveMinimum`,error:`${e} is less than ${so}.`}),co!==void 0&&e>=co&&T.push({instanceLocation:s,keyword:"exclusiveMaximum",keywordLocation:`${c}/exclusiveMaximum`,error:`${e} is greater than or equal to ${co}.`})),Ua!==void 0){let j=e%Ua;Math.abs(0-j)>=11920929e-14&&Math.abs(Ua-j)>=11920929e-14&&T.push({instanceLocation:s,keyword:"multipleOf",keywordLocation:`${c}/multipleOf`,error:`${e} is not a multiple of ${Ua}.`})}}else if(l==="string"){let j=Oa===void 0&&$a===void 0?0:ng(e);Oa!==void 0&&j<Oa&&T.push({instanceLocation:s,keyword:"minLength",keywordLocation:`${c}/minLength`,error:`String is too short (${j} < ${Oa}).`}),$a!==void 0&&j>$a&&T.push({instanceLocation:s,keyword:"maxLength",keywordLocation:`${c}/maxLength`,error:`String is too long (${j} > ${$a}).`}),$p!==void 0&&!new RegExp($p,"u").test(e)&&T.push({instanceLocation:s,keyword:"pattern",keywordLocation:`${c}/pattern`,error:"String does not match pattern."}),ir!==void 0&&Td[ir]&&!Td[ir](e)&&T.push({instanceLocation:s,keyword:"format",keywordLocation:`${c}/format`,error:`String does not match format "${ir}".`})}return{valid:T.length===0,errors:T}}o(fe,"validate");var Di=class{static{o(this,"Validator")}schema;draft;shortCircuit;lookup;constructor(t,r="2019-09",n=!0){this.schema=t,this.draft=r,this.shortCircuit=n,this.lookup=Wt(t)}validate(t){return fe(t,this.schema,this.draft,this.lookup,this.shortCircuit)}addSchema(t,r){r&&(t={...t,$id:r}),Wt(t,this.lookup)}};var zn=class{static{o(this,"CfWorkerJsonSchemaValidator")}constructor(t){this.shortcircuit=t?.shortcircuit??!0,this.draft=t?.draft??"2020-12"}getValidator(t){let r=new Di(t,this.draft,this.shortcircuit);return n=>{let a=r.validate(n);return a.valid?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:a.errors.map(i=>`${i.instanceLocation}: ${i.error}`).join("; ")}}}};function kd(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(kd,"truncate");function og(e){return"cause"in e?e.cause:void 0}o(og,"readCause");function Oe(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=kd(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=kd(r.message);let n=og(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let i=a===1?"cause":`cause${a}`;e[`${i}Name`]=n.name,e[`${i}Message`]=kd(n.message),n=og(n)}}o(Oe,"addErrorLogFields");function mt(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(mt,"safeHost");function ag(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(ag,"setLogProperties");function Ed(e,t){ag(e,{subjectId:t.subjectId})}o(Ed,"applyGatewayPrincipalLogProperties");function ig(e,t){ag(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(ig,"applyGatewayRouteLogProperties");var Mn={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},sg={...Mn.runtime,...Mn.config,...Mn.downstream_auth,...Mn.downstream_oauth,...Mn.upstream_auth,...Mn.upstream_mcp};function Qo(e){return typeof e=="string"&&Object.hasOwn(sg,e)}o(Qo,"isGatewayProblemCode");function Hi(e){return Qo(e)&&Qe(e).callbackFailure===!0}o(Hi,"isGatewayCallbackFailureCode");function Qe(e){return sg[e]}o(Qe,"readGatewayProblemDefinition");function Ud(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";default:return"internal_server_error"}}o(Ud,"readDefaultGatewayProblemCodeForStatus");var cg="gatewayCode";function ug(e){let t=Qe(e);return{title:t.title,body:t.publicDetail}}o(ug,"readGatewayCallbackFailureContent");function he(e){if(!(e instanceof qa))return;let t=e.extensionMembers?.[cg];return Qo(t)?t:void 0}o(he,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Qe(n.code),i=n.privateDetail??(Li(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),s=mT(n);return new qa({message:i,extensionMembers:{[cg]:n.code}},s===void 0?void 0:{cause:s})}o(g,"createGatewayRuntimeError");async function ft(e,t,r){let n=Qe(r.code),a=fT(r.code,r.detail),i=Li(r.code)?r.title??n.title:n.title,c={problem:{...uo.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:i,detail:a,code:r.code}};return r.headers!==void 0&&(c.additionalHeaders=r.headers),uo.format(c,e,t)}o(ft,"gatewayProblemResponse");function Li(e){return Qe(e).status<500}o(Li,"canExposeGatewayProblemDetail");function mT(e){return!e.privateDetail||Li(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(mT,"readRuntimeErrorCause");function fT(e,t){let r=Qe(e);return Li(e)&&t||r.publicDetail}o(fT,"readSafeGatewayProblemDetail");ie();var hT=["shared-oauth","user_oauth","static_secret","user-secret","shared-secret"],gT=["none","client_secret_basic","client_secret_post"],Xe=u.string().min(1).brand(),Pe=u.string().min(1).brand(),et=u.string().min(1).brand(),Ot=u.string().min(1).brand(),Bi=u.enum(hT),Od=u.enum(gT),Gi=u.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),$d=u.object({name:Gi,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict();var zd=new Map;function Vi(e){zd.set(e.policyType,e)}o(Vi,"registerMcpAuthorizationPolicy");function Md(e){if(e!==void 0)return zd.get(e)}o(Md,"getMcpAuthorizationPolicy");function Fi(e){return Md(e)!==void 0}o(Fi,"isRegisteredMcpAuthorizationPolicyType");function qd(){return[...zd.keys()]}o(qd,"listMcpAuthorizationPolicyTypes");ie();var pg=Xe,yT=u.object({mode:u.literal("auto")}).strict(),ST=u.object({mode:u.literal("manual"),clientId:u.string().trim().min(1),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:Od.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:u.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),mg=u.discriminatedUnion("mode",[yT,ST]),_T=mg.default({mode:"auto"}),Nd=u.object({scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:_T}).strict(),dg=Nd.extend({redirectPath:u.string().startsWith("/auth/connections/")}).strict(),fg=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),wT=new Set([...fg,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),vT=u.object({kind:u.literal("bearer_token"),token:u.string().min(1)}).strict(),bT=u.object({kind:u.literal("headers"),headers:u.array(u.object({name:Gi,value:u.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let i=a.name.toLowerCase();fg.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(i)}}),jd=u.discriminatedUnion("kind",[vT,bT]),RT=u.object({kind:u.literal("basic_auth_app_password"),usernameLabel:u.string().min(1).default("Username"),passwordLabel:u.string().min(1).default("App password")}).strict(),CT=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key"),capture:u.enum(["browser_login"]).optional()}).strict(),Dd=u.discriminatedUnion("kind",[RT,CT]),Hd=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key")}).strict(),IT=u.discriminatedUnion("mode",[u.object({mode:u.literal("shared-oauth"),oauth:dg}).strict(),u.object({mode:u.literal("user_oauth"),oauth:dg}).strict(),u.object({mode:u.literal("static_secret"),secret:jd}).strict(),u.object({mode:u.literal("user-secret"),secret:Dd}).strict(),u.object({mode:u.literal("shared-secret"),secret:Hd}).strict()]),PT=u.object({baseUrl:u.url(),resourceMetadataUrl:u.url(),requestHeaders:u.array($d).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let i=a.name.toLowerCase();wT.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(i)}}),YG=u.object({displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:fn.optional(),authProfiles:u.record(et,IT),transport:PT}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),xT=u.object({"shared-oauth":Nd.optional(),user_oauth:Nd.optional(),static_secret:u.object({secret:jd}).strict().optional(),"user-secret":u.object({secret:Dd}).strict().optional(),"shared-secret":u.object({secret:Hd}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),lg=u.object({id:pg,displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:fn.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url(),requestHeaders:u.array($d).default([]),authProfiles:xT}).strict(),AT=u.object({name:Gi,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict(),Zi={id:pg.optional(),displayName:u.string().min(1),summary:u.string().min(1).optional(),serverInfo:fn.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url().optional(),requestHeaders:u.array(AT).default([])},TT=u.discriminatedUnion("authMode",[u.object({...Zi,authMode:u.enum(["shared-oauth","user_oauth"]),scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:mg.optional(),clientId:u.string().trim().min(1).optional(),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:Od.optional()}).strict(),u.object({...Zi,authMode:u.literal("static_secret"),secret:jd}).strict(),u.object({...Zi,authMode:u.literal("user-secret"),secret:Dd}).strict(),u.object({...Zi,authMode:u.literal("shared-secret"),secret:Hd}).strict()]);function hg(e){throw g("internal_server_error",e)}o(hg,"throwGatewayConfigError");function kT(e){let t="mcp-upstream-";return e.startsWith(t)||hg(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),Xe.parse(e.slice(t.length))}o(kT,"inferUpstreamConnectionIdFromPolicyName");function ET(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(ET,"buildDefaultProtectedResourceMetadataUrl");function qn(e,t){return et.parse(`${e}:${t}`)}o(qn,"buildUpstreamAuthProfileId");function Ki(e,t){let r=lg.safeParse(e);if(r.success)return r.data;let n=TT.parse(e),a=n.id??(t===void 0?void 0:kT(t));a===void 0&&hg("Upstream policy options must include id when policy name is unavailable.");let i=n.requestHeaders.map(c=>({name:c.name,value:c.value,required:c.required})),s=(()=>{switch(n.authMode){case"shared-oauth":case"user_oauth":{let c=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:c}}}case"static_secret":case"user-secret":case"shared-secret":return{[n.authMode]:{secret:n.secret}}}})();return lg.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??ET(n.mcpUrl),requestHeaders:i,authProfiles:s})}o(Ki,"parseUpstreamConnectionPolicyOptions");function gg(e){return e.mode==="shared-oauth"||e.mode==="user_oauth"}o(gg,"isUpstreamOAuthAuthConfig");ie();var UT=u.looseObject({name:u.string().min(1),version:u.string().min(1).optional()}),OT=u.looseObject({}),$T=u.looseObject({name:Ot,namespace:Ot.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional(),inputSchema:OT}),zT=u.looseObject({name:Ot,namespace:Ot.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional()}),MT=u.looseObject({name:Ot,uri:u.string().min(1),upstreamPolicy:u.string().min(1).optional(),upstreamUri:u.string().min(1).optional(),enabled:u.boolean().optional()}),qT=u.enum(["openapi","upstream_mcp"]),NT=u.object({catalogSource:qT.default("openapi"),serverInfo:UT.optional(),tools:u.array($T).default([]),prompts:u.array(zT).default([]),resources:u.array(MT).default([])}).strict();function yg(e){return NT.parse(e??{})}o(yg,"parseVirtualServerRouteOptions");function Wi(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Wi,"toMcpTool");function Ji(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Ji,"toMcpPrompt");function Yi(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(Yi,"toMcpResource");var jT="mcp-upstream-connection-inbound",Sg="/mcp/";function He(e){throw new jt(e)}o(He,"throwRegistryError");function _g(e){return e.policyType===jT}o(_g,"isUpstreamConnectionPolicy");function DT(e){return Fi(e.policyType)}o(DT,"isMcpOAuthInboundPolicy");function HT(e){e.startsWith(Sg)||He(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(Sg.length);return(!t||t.includes("/"))&&He(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),Pe.parse(t)}o(HT,"readVirtualServerIdFromPath");function LT(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&He(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&He(`Upstream policy ${e.policyName} does not declare an auth mode.`),Bi.parse(r)}o(LT,"readSingleAuthMode");function BT(e){let t=e.connection.authProfiles[e.authMode];t||He(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"shared-oauth":case"user_oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static_secret":return{mode:"static_secret",secret:t.secret};case"user-secret":return{mode:"user-secret",secret:t.secret};case"shared-secret":return{mode:"shared-secret",secret:t.secret}}}o(BT,"buildResolvedAuthConfig");function GT(e){let t=LT({policyName:e.policyName,connection:e.connection}),r=qn(e.connection.id,t),n=BT({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(GT,"buildRegisteredConnection");function VT(e){let t=new Map;for(let r of e)t.has(r.name)&&He(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(VT,"buildPolicyMap");function FT(e){let t=new Map,r=new Set;for(let n of e.values()){if(!_g(n))continue;let a=Ki(n.handler.options,n.name);r.has(a.id)&&He(`Duplicate upstream MCP connection id ${a.id} in policies.json.`),r.add(a.id);let i=GT({policyName:n.name,connection:a});t.set(n.name,i)}return t}o(FT,"buildConnectionsByPolicyName");function ZT(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(ZT,"readOperationId");function wg(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return Ot.parse(t)}catch{He(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o(wg,"buildPublishedCapabilityName");function Bd(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||He(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;He(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o(Bd,"readCapabilityUpstreamPolicy");function Ld(e){e.seen.has(e.key)&&He(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(Ld,"assertUniqueCatalogKey");function KT(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=wg({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:Bd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(KT,"normalizeCatalogTool");function WT(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=wg({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:Bd({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(WT,"normalizeCatalogPrompt");function JT(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:Bd({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(JT,"normalizeCatalogResource");function YT(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>KT({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>WT({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>JT({resource:d,connections:e.connections,routePath:e.routePath})),i=new Set;for(let d of r)Ld({kind:"tool",key:d.name,routePath:e.routePath,seen:i});let s=new Set;for(let d of n)Ld({kind:"prompt",key:d.name,routePath:e.routePath,seen:s});let c=new Set;for(let d of a)Ld({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:c});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(YT,"normalizeVirtualServerCatalog");function QT(e){let t=new Map,r=new Set;for(let n of e.routes){let a=n.policies?.inbound??[];if(a.length===0)continue;let i=a[0],s=i===void 0?void 0:e.policyByName.get(i);if(!s||!DT(s))continue;let c=ZT(n);c||He(`MCP virtual server route ${n.path} must declare an operationId in routes.oas.json.`),r.has(c)&&He(`Duplicate MCP virtual server operationId ${c} across routes.`),r.add(c);let d=HT(n.path);t.has(d)&&He(`Duplicate MCP virtual server id ${d} across routes.`);let p=[];for(let h of a.slice(1)){let y=e.policyByName.get(h);if(!y||!_g(y))continue;let _=e.connectionsByPolicyName.get(h);_||He(`Upstream connection policy ${h} referenced by route ${n.path} could not be resolved.`),p.push(_)}let l=yg(n.handler.options),m=YT({catalog:l,connections:p,routePath:n.path});m.catalogSource==="upstream_mcp"&&p.length!==1&&He(`MCP virtual server route ${n.path} uses upstream MCP catalog mode but declares ${p.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(d,{virtualServerId:d,operationId:c,routePath:n.path,handlerExport:n.handler.export,serverInfo:m.serverInfo,catalog:m,connections:p})}return t}o(QT,"buildVirtualServers");function vg(e){let t=VT(e.policies),r=FT(t),n=QT({routes:e.routes,policyByName:t,connectionsByPolicyName:r}),a=new Map;for(let i of r.values())a.set(i.upstreamServerId,i);return{byVirtualServerId:n,connectionsById:a}}o(vg,"buildGatewayConnectionRegistry");var Qi;function bg(e){Qi=e}o(bg,"setGatewayConnectionRegistry");function ht(){if(!Qi)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return Qi}o(ht,"getGatewayConnectionRegistry");function Rg(e){let t=ht().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return t}o(Rg,"getRegisteredVirtualServer");function Xo(e){let t=ht().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(Xo,"requireRegisteredVirtualServer");function Cg(){return Qi}o(Cg,"tryGetGatewayConnectionRegistry");var Ig=new Dt("gateway-route");function Pg(e,t){Ig.set(e,t)}o(Pg,"setGatewayRouteContext");function ea(e){return Ig.get(e)}o(ea,"readGatewayRouteContext");function Nn(e){let t=ea(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(Nn,"requireGatewayRouteContext");var Fr="2025-06-18";var XT=new Set(["localhost","::1"]);function gt(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(gt,"normalizeHostname");function Le(e){let t=gt(e.hostname);return e.protocol==="http:"&&(XT.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(Le,"isLoopbackHttpUrl");function ce(e){return new URL(e).origin}o(ce,"readGatewayRequestOrigin");import{metrics as ek,context as Xi,propagation as Ag,SpanKind as Tg,SpanStatusCode as Gd,trace as ta}from"@opentelemetry/api";var tk="mcp-gateway",rk="mcp-gateway",nk=Fr,ok="2.0",kg=ta.getTracer(tk),Vd=ek.getMeter(rk),ak=Vd.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),ik=Vd.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),sk=Vd.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),ck=["traceparent","tracestate","baggage"];function Fd(){return performance.now()/1e3}o(Fd,"nowSeconds");function Eg(e,t){t(Math.max(Fd()-e,0))}o(Eg,"recordDurationSeconds");function xg(e){return e===void 0?void 0:String(e)}o(xg,"stringifyAttribute");function $e(e,t,r){r!==void 0&&(e[t]=r)}o($e,"assignAttribute");function uk(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(uk,"readTargetName");function Ug(e){let t=uk({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(Ug,"buildMcpOperationSpanName");function Zd(e){let t={"mcp.method.name":e.methodName};return $e(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??ok),$e(t,"jsonrpc.request.id",xg(e.jsonRpcRequestId)),$e(t,"mcp.protocol.version",e.mcpProtocolVersion??nk),$e(t,"mcp.session.id",e.mcpSessionId),$e(t,"mcp.resource.uri",e.resourceUri),$e(t,"rpc.response.status_code",xg(e.rpcResponseStatusCode)),$e(t,"error.type",e.errorType),e.capabilityType==="tool"&&($e(t,"gen_ai.operation.name","execute_tool"),$e(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&$e(t,"gen_ai.prompt.name",e.capabilityName),$e(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),$e(t,"network.protocol.version",e.networkProtocolVersion),$e(t,"network.transport",e.networkTransport),$e(t,"server.address",e.serverAddress),$e(t,"server.port",e.serverPort),$e(t,"client.address",e.clientAddress),$e(t,"client.port",e.clientPort),t}o(Zd,"buildMcpOperationAttributes");function dk(e){let t=Zd({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(dk,"buildMcpSessionAttributes");function Og(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:Gd.ERROR}),t instanceof Error&&e.recordException(t)}o(Og,"setSpanError");function $g(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o($g,"readErrorType");function lk(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?Xi.active():Ag.extract(Xi.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(lk,"readServerParentContext");function pk(e){let t=ta.getSpanContext(Xi.active()),r=ta.getSpanContext(e);if(!(!t||!ta.isSpanContextValid(t))&&!(r&&ta.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(pk,"readAmbientSpanLink");function zg(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(zg,"readResultErrorType");async function Zr(e,t){let r=Fd(),n=Zd({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return kg.startActiveSpan(Ug(e),{kind:Tg.CLIENT,attributes:n},async a=>{try{let i=await t(),s=zg(i);return s&&(a.setAttribute("error.type",s),a.setStatus({code:Gd.ERROR}),n["error.type"]=s),i}catch(i){let s=e.errorType??$g(i);throw n["error.type"]=s,Og(a,i,s),i}finally{Eg(r,i=>{ak.record(i,n)}),a.end()}})}o(Zr,"runMcpClientOperation");async function Kr(e,t){let r=Fd(),n=lk(e.params),a=Zd({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),i=pk(n);return kg.startActiveSpan(Ug(e),{kind:Tg.SERVER,attributes:a,...i?{links:i}:{}},n,async s=>{try{let c=await t(),d=zg(c);return d&&(s.setAttribute("error.type",d),s.setStatus({code:Gd.ERROR}),a["error.type"]=d),c}catch(c){let d=e.errorType??$g(c);throw a["error.type"]=d,Og(s,c,d),c}finally{Eg(r,c=>{ik.record(c,a)}),s.end()}})}o(Kr,"runMcpServerOperation");function Mg(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return Ag.inject(Xi.active(),t._meta,{set(r,n,a){ck.includes(n)&&(r[n]=a)}}),t}o(Mg,"injectMcpTraceContextIntoParams");function qg(e,t){let r=dk({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});sk.record(Math.max(t,0),r)}o(qg,"recordMcpClientSessionDuration");var Kd=new Dt("route-upstream-bindings");function mk(e){let t=Kd.get(e);if(t)return t;let r={bindings:[]};return Kd.set(e,r),r}o(mk,"readOrCreateRouteUpstreamBindingRegistry");function Ng(e){return`${e.upstreamServerId}:${e.authProfileId}`}o(Ng,"buildRouteBindingDuplicateKey");function Wd(e,t){let r=mk(e),n=Ng(t);if(r.bindings.find(i=>Ng(i)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.bindings.push(t)}o(Wd,"appendResolvedUpstreamBindingContext");function jg(e){return Kd.get(e)?.bindings??[]}o(jg,"readResolvedUpstreamBindingContexts");ie();var Q=u.string().datetime({offset:!0}).brand();function ne(e){return Q.parse(e.toISOString())}o(ne,"toIsoTimestamp");function Jt(e,t){return new Date(e.getTime()+t*1e3)}o(Jt,"addSeconds");ie();var ra=u.string().trim().min(1),na={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},fk=u.object({issuer:u.url(),jwksUrl:u.url(),audience:ra}),hk=u.object({url:u.url(),tokenUrl:u.url().optional(),clientId:ra.optional(),clientSecret:ra.optional(),scope:ra.default("openid profile email"),audience:ra.optional(),remoteTimeoutMs:u.coerce.number().int().positive().default(1e4),stateTtlSeconds:u.coerce.number().int().positive().default(900),sessionTtlSeconds:u.coerce.number().int().positive().default(28800)}).strict(),gk=u.object({accessTokenTtlSeconds:u.coerce.number().int().positive().default(na.accessTokenTtlSeconds),refreshTokenTtlSeconds:u.coerce.number().int().positive().default(na.refreshTokenTtlSeconds),cimdEnabled:u.boolean().default(na.cimdEnabled)}).strict().default(na),yk=u.object({oidc:fk,browserLogin:hk,gateway:gk.optional().default(na)}).strict();function Dg(e){return Sk(e.browserLogin.url)?"local_dev":"federated_oidc"}o(Dg,"readBrowserLoginKind");function Sk(e){let t;try{t=new URL(e)}catch{return!1}return Le(t)&&t.pathname==="/oauth/dev-login"}o(Sk,"isLoopbackDevLoginUrl");function es(e){return yk.parse(e)}o(es,"parseMcpOAuthRuntimeConfig");var Jd;function Hg(e){Jd=e}o(Hg,"setGatewayOAuthConfig");function xe(){if(!Jd)throw g("internal_server_error","MCP gateway OAuth config has not been initialized. An `mcp-oauth-inbound` policy (or a provider-specific wrapper such as `mcp-auth0-oauth-inbound`) must be registered in policies.json so the gateway can derive its OAuth runtime configuration from policy options.");return Jd}o(xe,"getGatewayOAuthConfig");function Ct(e){return ce(e)}o(Ct,"readGatewayOAuthIssuer");ie();var _k=43,wk=128,vk=/^[A-Za-z0-9._~-]+$/,Yd="S256",ts=u.literal(Yd),rs=u.string().min(_k).max(wk).regex(vk);ie();var ns=["none","client_secret_post","client_secret_basic"],bk=[...ns,"private_key_jwt"],Rk=["awaiting_login","awaiting_setup"],Ck=u.string().min(1).brand(),Be=u.string().min(1).brand(),oa=u.uuid().brand(),yt=u.uuid().brand(),os=u.uuid().brand(),Qd=u.enum(ns),Ik=u.enum(bk),Z2=u.enum(Rk),Lg=u.object({client_id:Be,client_name:u.string().min(1),redirect_uris:u.array(u.string().min(1)).min(1),token_endpoint_auth_method:Ik.default("none")}),Xd=u.object({clientId:Be,clientName:u.string().min(1),redirectUris:u.array(u.string().min(1)),tokenEndpointAuthMethod:Qd,hashedClientSecret:u.string().optional(),clientSecretExpiresAt:Q.optional(),clientExpiresAt:Q,revokedAt:Q.optional(),createdAt:Q}),el=u.object({clientId:Be,resource:u.string(),virtualServerId:Pe,subjectId:Ck,scope:u.string(),roles:u.array(u.string()),createdAt:Q,expiresAt:Q}),K2=el.extend({id:yt,redirectUri:u.string(),clientState:u.string().optional(),codeChallenge:u.string(),codeChallengeMethod:ts}),tl=el.extend({id:oa,currentRefreshTokenHash:u.string().optional(),previousRefreshTokenHash:u.string().optional(),revokedAt:Q.optional(),revokedReason:u.string().optional()}),as=el.extend({tokenHash:u.string(),grantId:oa,revokedAt:Q.optional()});function rl(){return yt.parse(crypto.randomUUID())}o(rl,"createDownstreamAuthorizationTransactionId");function nl(){return os.parse(crypto.randomUUID())}o(nl,"createDownstreamBrowserLoginStateId");function Bg(){return oa.parse(crypto.randomUUID())}o(Bg,"createDownstreamGrantId");var ye="mcp:tools";function Gg(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return Le(r)&&Le(n)&&gt(r.hostname)===gt(n.hostname)&&r.pathname===n.pathname&&r.search===n.search}o(Gg,"redirectUriMatchesRegistration");function Vg(e){return Le(e)&&e.pathname==="/oauth/dev-login"}o(Vg,"isLoopbackDevLoginUrl");function is(e,t){return new URL(e,Ct(t)).toString()}o(is,"buildGatewayOAuthUrl");function ol(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,ce(e.requestUrl)).toString()}o(ol,"buildScopedAuthorizationServerIssuer");function Pk(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,ce(e.requestUrl)).toString()}o(Pk,"buildScopedAuthorizationEndpoint");function al(e){let t=xe();return{issuer:Ct(e),authorization_endpoint:is("/oauth/authorize",e),token_endpoint:is("/oauth/token",e),registration_endpoint:is("/oauth/register",e),revocation_endpoint:is("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[ye],code_challenge_methods_supported:[Yd],token_endpoint_auth_methods_supported:ns,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":Dg(t)}}o(al,"buildAuthorizationServerMetadata");function Fg(e){let t=ol(e);return{...al(e.requestUrl),issuer:t,authorization_endpoint:Pk(e)}}o(Fg,"buildScopedAuthorizationServerMetadata");async function Zg(e,t){try{let r=Pe.parse(e.params.virtualServerId),n=Xo(r);return Response.json(xk(n.virtualServerId,e.url))}catch(r){let n=he(r);return ft(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(Zg,"protectedResourceMetadataHandler");function xk(e,t){return{resource:Wr(e,t),resource_name:e,authorization_servers:[ol({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[ye],mcp_protocol_version:Fr}}o(xk,"buildProtectedResourceMetadataResponseBody");function Wr(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,ce(t)).toString()}o(Wr,"buildCanonicalMcpResourceForVirtualServer");function Kg(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,ce(t)).toString()}o(Kg,"buildProtectedResourceMetadataUrlForVirtualServer");import{base64url as il}from"jose";var Ak="sha256:",Tk=32;function Wg(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Wg,"copyToArrayBuffer");function Yt(){let e=crypto.getRandomValues(new Uint8Array(Tk));return il.encode(e)}o(Yt,"createOpaqueToken");async function pe(e){let t=await crypto.subtle.digest("SHA-256",Wg(new TextEncoder().encode(e)));return`${Ak}${il.encode(new Uint8Array(t))}`}o(pe,"hashOpaqueValue");async function Jg(e){let t=await crypto.subtle.digest("SHA-256",Wg(new TextEncoder().encode(e)));return il.encode(new Uint8Array(t))}o(Jg,"calculatePkceS256Challenge");ie();var kk=u.record(u.string(),u.unknown()),Yg=u.string().min(1),Ek=u.union([Yg.transform(e=>[e]),u.array(Yg)]),Se=u.string().min(1).brand(),Uk=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],Ok=["https://zuplo.com/roles","roles","role","permissions","groups"],Qg=new Dt("gateway-principal");function $k(e){let t=kk.safeParse(e);return t.success?t.data:{}}o($k,"toClaimRecord");function zk(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(zk,"readValidationFailureDetail");function Mk(e,t,r){for(let i of Uk){let s=Se.safeParse(t[i]);if(s.success)return s.data}let n=Se.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",zk(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===Ct(r)?n.data:Se.parse(`${a}|${n.data}`)}o(Mk,"readNormalizedSubjectId");function qk(e){let t=new Set;for(let r of Ok){let n=Ek.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(qk,"readRoles");function jn(e,t){let r=$k(e?.data),n={subjectId:Mk(e,r,t)},a=qk(r);return a&&(n.roles=a),n}o(jn,"parseGatewayPrincipal");function Xg(e){let t=cl(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(Xg,"requireGatewayPrincipal");function ey(e,t){Qg.set(e,t)}o(ey,"setGatewayPrincipal");function cl(e){return Qg.get(e)}o(cl,"readGatewayPrincipal");function ss(e){let r=['realm="OAuth"',`resource_metadata="${sl(Kg(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${sl(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${sl(e.scope)}"`),`Bearer ${r.join(", ")}`}o(ss,"buildGatewayBearerChallenge");function sl(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(sl,"sanitizeQuotedHeaderParameter");ie();ie();function cs(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(cs,"parseSafeRelativeReturnTo");ie();var Nk=["user","shared"],Dn=u.enum(Nk);function Cr(e){return{mode:"user",subjectId:e}}o(Cr,"buildUserUpstreamConnectionOwner");function us(){return{mode:"shared"}}o(us,"buildSharedUpstreamConnectionOwner");var ty=u.object({ownerMode:Dn,initiatedBySubjectId:Se,ownerSubjectId:Se.optional(),upstreamServerId:Xe,authProfileId:et,virtualServerId:Pe,returnTo:u.string().min(1).transform(e=>cs(e)).optional()});function ry(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="shared"&&e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"Shared state must not include ownerSubjectId",path:["ownerSubjectId"]})}o(ry,"validateUpstreamOwnerState");var Hn=ty.superRefine(ry),ny=ty.omit({returnTo:!0}).superRefine(ry);function aa(e){return Hn.parse({ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(aa,"buildUpstreamOwnerState");function Ln(e){if(e.ownerMode==="shared")return us();if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");return Cr(e.ownerSubjectId)}o(Ln,"resolveUpstreamConnectionOwnerFromState");var jk=["active","not_connected","reconsent_required"],Dk=["basic_auth_app_password","bearer_token"],oy=u.string().trim().min(1).brand(),Bn=u.uuid().brand(),ia=u.uuid().brand(),ul=u.enum(jk),Hk=u.enum(Dk),ay=u.object({encryptedClientInformation:u.string().optional(),encryptedDiscoveryState:u.string().optional(),connectedBySubjectId:Se.optional()}),Lk=ay.extend({encryptedStaticSecret:u.string().optional(),staticSecretKind:Hk.optional(),staticSecretLabel:u.string().min(1).optional(),staticSecretUsername:u.string().min(1).optional()}).strict(),Bk=u.object({id:oy,subjectId:Se.optional(),ownerMode:Dn,upstreamServerId:Xe,authProfileId:et,status:ul,encryptedAccessToken:u.string().min(1).optional(),encryptedRefreshToken:u.string().min(1).optional(),scopes:u.array(u.string()),expiresAt:Q.optional(),metadata:Lk.optional(),createdAt:Q,updatedAt:Q});function dl(e,t){e.ownerMode==="user"&&(e.subjectId||t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="shared"&&e.subjectId!==void 0&&t.addIssue({code:u.ZodIssueCode.custom,message:"Shared upstream connections must not include subjectId",path:["subjectId"]})}o(dl,"validateUpstreamConnectionOwnerShape");var Gn=Bk.superRefine(dl);function Jr(e){return JSON.stringify([e.owner.mode,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}o(Jr,"readUpstreamConnectionLookupKey");var ll=Hn.extend({id:Bn,callbackPath:u.string().min(1),expiresAt:Q,codeVerifier:u.string().optional(),redirectUri:u.url(),returnOrigin:u.url().optional()}).extend(ay.shape);function iy(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o(iy,"readUpstreamConnectionStatus");function ds(){return oy.parse(`mcpgw2uc_${crypto.randomUUID()}`)}o(ds,"createUpstreamConnectionId");function sy(){return Bn.parse(crypto.randomUUID())}o(sy,"createOAuthStateId");function cy(){return ia.parse(crypto.randomUUID())}o(cy,"createBrowserConnectTicketId");ie();var ml=u.discriminatedUnion("mode",[u.object({mode:u.literal("user"),subjectId:Se}).strict(),u.object({mode:u.literal("shared")}).strict()]),dy=u.object({owner:ml,upstreamServerId:Xe,authProfileId:et}).strict(),ly=u.object({items:u.array(dy).min(1).max(100)}).strict(),fl=u.object({items:u.array(u.object({key:u.object({ownerMode:Dn,subjectId:Se.optional(),upstreamServerId:Xe,authProfileId:et}).strict(),connection:Gn.strict().optional()}).strict())}).strict(),py=Gn.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(dl),my=Gn.strict(),fy=u.object({owner:ml,upstreamServerId:Xe,authProfileId:et}).strict(),hy=u.object({owner:ml,upstreamServerId:Xe,authProfileId:et,connection:Gn.strict().optional(),connectionStatus:u.object({connected:u.boolean(),status:ul,updatedAt:Gn.shape.updatedAt.optional()}).strict()}).strict(),Gk=u.enum(["none","client_secret_basic","client_secret_post"]),Yr=u.object({clientId:Be,clientName:u.string().min(1),tokenEndpointAuthMethod:Gk}).strict(),hl=u.discriminatedUnion("method",[u.object({method:u.literal("none"),clientId:Be}).strict(),u.object({method:u.enum(["client_secret_basic","client_secret_post"]),clientId:Be,clientSecretHashInput:u.string().min(1)}).strict()]),gl=u.object({id:yt,currentStateHash:u.string().min(1),clientId:Be,redirectUri:u.string().min(1),resource:u.string().min(1),virtualServerId:Pe,clientState:u.string().optional(),scope:u.string(),codeChallenge:u.string().min(1),codeChallengeMethod:u.literal("S256"),createdAt:Q,expiresAt:Q,consumedAt:Q.optional()}).strict(),uy=gl.omit({id:!0,consumedAt:!0}).extend({transactionId:yt,client:Yr.optional()}).strict(),yl=u.object({subjectId:Se,roles:u.array(u.string()).optional()}).strict(),Vk=gl.extend({phase:u.literal("awaiting_login")}).strict(),pl=gl.extend({phase:u.literal("awaiting_setup"),principal:yl}).strict(),Fk=u.discriminatedUnion("phase",[Vk,pl]),Sl=u.object({transaction:Fk,client:Yr}).strict(),gy=Xd.omit({revokedAt:!0}).strict(),yy=u.discriminatedUnion("kind",[u.object({kind:u.literal("registered"),client:Yr}).strict(),u.object({kind:u.literal("already_exists")}).strict()]),Sy=u.object({clientId:Be}).strict(),_y=u.discriminatedUnion("kind",[u.object({kind:u.literal("found"),client:Xd.strict()}).strict(),u.object({kind:u.literal("missing")}).strict()]),wy=u.discriminatedUnion("phase",[uy.extend({phase:u.literal("awaiting_login")}).strict(),uy.extend({phase:u.literal("awaiting_setup"),principal:yl}).strict()]),vy=u.discriminatedUnion("kind",[Sl.extend({kind:u.literal("started")}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("redirect_uri_mismatch")}).strict(),u.object({kind:u.literal("already_exists")}).strict()]),by=u.object({transactionId:yt,currentStateHash:u.string().min(1),now:Q}).strict(),Ry=u.discriminatedUnion("kind",[Sl.extend({kind:u.literal("available")}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Cy=u.object({transactionId:yt,expectedPhase:u.literal("awaiting_login"),currentStateHash:u.string().min(1),nextStateHash:u.string().min(1),nextPhase:u.literal("awaiting_setup"),principal:yl,now:Q}).strict(),Iy=u.discriminatedUnion("kind",[Sl.extend({kind:u.literal("advanced")}).strict(),u.object({kind:u.literal("wrong_phase"),current:u.enum(["awaiting_login","awaiting_setup"])}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Py=u.discriminatedUnion("decision",[u.object({decision:u.literal("approve"),transactionId:yt,currentStateHash:u.string().min(1),currentPrincipal:u.object({subjectId:Se}).strict(),authorizationCodeHash:u.string().min(1),authorizationCodeExpiresAt:Q,grantId:oa,now:Q}).strict(),u.object({decision:u.literal("cancel"),transactionId:yt,currentStateHash:u.string().min(1),currentPrincipal:u.object({subjectId:Se}).strict(),now:Q}).strict()]),xy=u.discriminatedUnion("kind",[u.object({kind:u.literal("approved"),transaction:pl,client:Yr}).strict(),u.object({kind:u.literal("cancelled"),transaction:pl,client:Yr}).strict(),u.object({kind:u.literal("principal_mismatch")}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed_already")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Ay=u.object({clientAuth:hl,codeHash:u.string().min(1),redirectUri:u.string().min(1),resource:u.string().min(1).optional(),codeChallenge:u.string().min(1),currentRefreshTokenHash:u.string().min(1),accessTokenHash:u.string().min(1),grantExpiresAt:Q,accessTokenExpiresAt:Q,now:Q}).strict(),Ty=u.discriminatedUnion("kind",[u.object({kind:u.literal("exchanged"),client:Yr,grant:tl.strict()}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("binding_mismatch")}).strict()]),ky=u.object({clientAuth:hl,currentRefreshTokenHash:u.string().min(1),nextRefreshTokenHash:u.string().min(1),accessTokenHash:u.string().min(1),resource:u.string().min(1).optional(),accessTokenExpiresAt:Q,now:Q}).strict(),Ey=u.discriminatedUnion("kind",[u.object({kind:u.literal("rotated"),client:Yr,grant:tl.strict(),accessToken:as.strict(),matched:u.literal("current")}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("revoked")}).strict()]),Uy=u.object({clientAuth:hl,tokenHash:u.string().min(1),now:Q}).strict(),Oy=u.discriminatedUnion("kind",[u.object({kind:u.literal("revoked_access_token")}).strict(),u.object({kind:u.literal("revoked_grant")}).strict(),u.object({kind:u.literal("client_mismatch")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("invalid_client")}).strict()]),$y=u.object({tokenHash:u.string().min(1),now:Q}).strict(),zy=u.discriminatedUnion("kind",[u.object({kind:u.literal("valid"),record:as.strict()}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("revoked")}).strict()]),My=u.object({accessTokenHash:u.string().min(1),resource:u.string().min(1),virtualServerId:Pe,upstreamConnectionKeys:u.array(dy).max(100),now:Q}).strict(),qy=u.discriminatedUnion("kind",[u.object({kind:u.literal("authorized"),principal:u.object({subjectId:Se,roles:u.array(u.string())}).strict(),accessToken:as.strict(),upstreamConnections:fl.shape.items}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("revoked")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("principal_mismatch")}).strict()]),Ny=u.object({record:ll}).strict(),jy=u.object({kind:u.literal("saved")}).strict(),Dy=u.object({id:Bn,now:Q}).strict(),Hy=u.discriminatedUnion("kind",[u.object({kind:u.literal("available"),record:ll}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Ly=u.object({id:ia,expiresAt:Q,now:Q}).strict(),By=u.discriminatedUnion("kind",[u.object({kind:u.literal("available")}).strict(),u.object({kind:u.literal("consumed")}).strict()]);var Gy=100;function Vy(e){return e!==null&&typeof e=="object"}o(Vy,"isProblemDetailsShape");var Zk="/zups/v2/mcp/storage";function ze(e){return`${Zk}/${e}`}o(ze,"buildStoragePath");function Kk(){return ze("upstream-connections/batch-get")}o(Kk,"buildBatchGetUpstreamConnectionsPath");function Wk(){return ze("upstream-connections/upsert")}o(Wk,"buildUpsertUpstreamConnectionPath");function Jk(){return ze("authorization/read-setup")}o(Jk,"buildReadAuthorizationSetupPath");function Yk(){return ze("oauth/register-client")}o(Yk,"buildRegisterClientPath");function Qk(){return ze("oauth/read-client")}o(Qk,"buildReadClientPath");function Xk(){return ze("authorization/start")}o(Xk,"buildStartAuthorizationPath");function e0(){return ze("authorization/read-pending")}o(e0,"buildReadPendingAuthorizationPath");function t0(){return ze("authorization/advance-pending")}o(t0,"buildAdvancePendingAuthorizationPath");function r0(){return ze("authorization/decide-setup")}o(r0,"buildDecideAuthorizationSetupPath");function n0(){return ze("token/exchange-authorization-code")}o(n0,"buildExchangeAuthorizationCodePath");function o0(){return ze("token/refresh")}o(o0,"buildRefreshTokenPath");function a0(){return ze("token/revoke")}o(a0,"buildRevokeOAuthTokenPath");function i0(){return ze("token/validate-access-token")}o(i0,"buildValidateAccessTokenPath");function s0(){return ze("mcp/authorize-and-load-connections")}o(s0,"buildAuthorizeAndLoadConnectionsPath");function c0(){return ze("upstream-oauth-state/save")}o(c0,"buildSaveUpstreamOAuthStatePath");function u0(){return ze("upstream-oauth-state/consume")}o(u0,"buildConsumeUpstreamOAuthStatePath");function d0(){return ze("browser-connect-ticket/consume")}o(d0,"buildConsumeBrowserConnectTicketPath");function l0(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(l0,"responseKeyMatchesLookup");function p0(e,t){return e.owner.mode===t.owner.mode&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(p0,"authorizationSetupMatchesLookup");function Ky(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(Ky,"connectionMatchesLookup");function m0(e,t){return e.ownerMode===t.ownerMode&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&wl(e.scopes,t.scopes)&&_l(e.expiresAt,t.expiresAt)&&h0(e.metadata,t.metadata)}o(m0,"connectionMatchesUpsertRecord");function _l(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}o(_l,"optionalTimestampInstantsMatch");function f0(e,t){return Date.parse(e)<=Date.parse(t)}o(f0,"timestampInstantIsAtOrBefore");function wl(e,t){return e.length===t.length&&e.every((r,n)=>r===t[n])}o(wl,"stringArraysMatch");function h0(e,t){let r=Fy(e),n=Fy(t),a=Object.fromEntries(n);return r.length===n.length&&r.every(([i,s])=>a[i]===s)}o(h0,"metadataMatches");function Fy(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}o(Fy,"definedMetadataEntries");function be(e,t){throw g({code:"internal_server_error",privateDetail:e,cause:t})}o(be,"throwInvalidStorageResponse");async function g0(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){be("Gateway Service storage response did not match the runtime storage contract.",r)}}o(g0,"parseRuntimeHttpStorageResponse");function Wy(e,t){e.length!==t.length&&be("Gateway Service storage response item count did not match the request.");for(let[r,n]of e.entries()){let a=t[r];l0(n.key,a)||be("Gateway Service storage response key did not match the request."),n.connection!==void 0&&!Ky(n.connection,a)&&be("Gateway Service storage response connection did not match the response key.")}}o(Wy,"validateUpstreamConnectionItemsMatchLookups");function y0(e,t){p0(e,t)||be("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!Ky(e.connection,t)&&be("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",n=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==n||!_l(e.connectionStatus.updatedAt,a))&&be("Gateway Service storage response authorization setup status did not match the connection.")}o(y0,"validateAuthorizationSetupResponseMatchesLookup");function S0(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&be("Gateway Service storage response registered client did not match the request.")}o(S0,"validateRegisterClientResponseMatchesRequest");function _0(e,t){e.kind==="found"&&e.client.clientId!==t.clientId&&be("Gateway Service storage response client did not match the request.")}o(_0,"validateReadClientResponseMatchesRequest");function w0(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.virtualServerId!==t.virtualServerId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&be("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&be("Gateway Service storage response started authorization principal did not match the request."))}o(w0,"validateStartAuthorizationResponseMatchesRequest");function Zy(e,t){e.kind!=="available"&&e.kind!=="advanced"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&be("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&be("Gateway Service storage response advanced authorization did not match the request."))}o(Zy,"validatePendingAuthorizationResponseMatchesRequest");function v0(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&be("Gateway Service storage response authorization setup transaction did not match the request.")}o(v0,"validateAuthorizationSetupDecisionResponseMatchesRequest");function b0(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!_l(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&be("Gateway Service storage response authorization-code exchange did not match the request.")}o(b0,"validateExchangeAuthorizationCodeResponseMatchesRequest");function R0(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&be("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!f0(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!P0(e.accessToken,e.grant))&&be("Gateway Service storage response token refresh access token did not match the request."))}o(R0,"validateRefreshTokenResponseMatchesRequest");function C0(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&be("Gateway Service storage response access token did not match the request.")}o(C0,"validateAccessTokenValidationResponseMatchesRequest");function I0(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.virtualServerId!==t.virtualServerId||e.principal.subjectId!==e.accessToken.subjectId||!wl(e.principal.roles,e.accessToken.roles))&&be("Gateway Service storage response MCP authorization did not match the request."),Wy(e.upstreamConnections,t.upstreamConnectionKeys))}o(I0,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function P0(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.virtualServerId===t.virtualServerId&&e.subjectId===t.subjectId&&e.scope===t.scope&&wl(e.roles,t.roles)}o(P0,"accessTokenMatchesGrant");async function x0(e){try{return await e.clone().json()}catch{return}}o(x0,"readProblemDetails");async function A0(e){let t=await x0(e),r=Vy(t)&&typeof t.status=="number"?t.status:e.status,n=Vy(t)&&Qo(t.code)?t.code:Ud(r);throw g({code:n,privateDetail:`Gateway Service storage request failed with HTTP ${r}.`})}o(A0,"throwRuntimeHttpStorageError");var ls=class{static{o(this,"RuntimeHttpStorageClient")}#t;#r;constructor(t){this.#t=t.baseUrl??Np.instance.zuploEdgeApiUrl,this.#r=t.fetch??fetch}async#e(t){let r=t.requestSchema.parse(t.input),n=new URL(t.path,this.#t),a=new Headers({"Content-Type":"application/json"});jp(a);let i=await this.#r(n,{method:"POST",headers:a,body:JSON.stringify(r)});return i.ok||await A0(i),{request:r,response:await g0(i,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],n=new Map,a=t.map(s=>{let c=Jr(s),d=n.get(c);if(d!==void 0)return d;let p=r.length;return r.push(s),n.set(c,p),p}),i=[];for(let s=0;s<r.length;s+=Gy){let c=r.slice(s,s+Gy);i.push(...await this.#n(c))}return a.map(s=>i[s])}async upsertUpstreamConnection(t){let{request:r,response:n}=await this.#e({input:t,path:Wk(),requestSchema:py,responseSchema:my});return m0(n,r)||be("Gateway Service storage response connection did not match the request."),n}async readAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:Jk(),requestSchema:fy,responseSchema:hy});return y0(n,r),n}async registerClient(t){let{request:r,response:n}=await this.#e({input:t,path:Yk(),requestSchema:gy,responseSchema:yy});return S0(n,r),n}async readClient(t){let{request:r,response:n}=await this.#e({input:t,path:Qk(),requestSchema:Sy,responseSchema:_y});return _0(n,r),n}async startAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:Xk(),requestSchema:wy,responseSchema:vy});return w0(n,r),n}async readPendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:e0(),requestSchema:by,responseSchema:Ry});return Zy(n,r),n}async advancePendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:t0(),requestSchema:Cy,responseSchema:Iy});return Zy(n,r),n}async decideAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:r0(),requestSchema:Py,responseSchema:xy});return v0(n,r),n}async saveUpstreamOAuthState(t){let{response:r}=await this.#e({input:t,path:c0(),requestSchema:Ny,responseSchema:jy});return r}async consumeUpstreamOAuthState(t){let{request:r,response:n}=await this.#e({input:t,path:u0(),requestSchema:Dy,responseSchema:Hy});return n.kind==="available"&&n.record.id!==r.id&&be("Gateway Service storage response upstream OAuth state did not match the request."),n}async consumeBrowserConnectTicket(t){let{response:r}=await this.#e({input:t,path:d0(),requestSchema:Ly,responseSchema:By});return r}async exchangeAuthorizationCode(t){let{request:r,response:n}=await this.#e({input:t,path:n0(),requestSchema:Ay,responseSchema:Ty});return b0(n,r),n}async refreshToken(t){let{request:r,response:n}=await this.#e({input:t,path:o0(),requestSchema:ky,responseSchema:Ey});return R0(n,r),n}async revokeOAuthToken(t){let{response:r}=await this.#e({input:t,path:a0(),requestSchema:Uy,responseSchema:Oy});return r}async validateAccessToken(t){let{request:r,response:n}=await this.#e({input:t,path:i0(),requestSchema:$y,responseSchema:zy});return C0(n,r),n}async authorizeAndLoadConnections(t){let{request:r,response:n}=await this.#e({input:t,path:s0(),requestSchema:My,responseSchema:qy});return I0(n,r),n}async#n(t){let r={items:[...t]},{response:n}=await this.#e({input:r,path:Kk(),requestSchema:ly,responseSchema:fl});return Wy(n.items,t),n.items.map(a=>a.connection)}};var T0="__zuploMcpGatewayStorageBackend",vl;function k0(){return new ls({})}o(k0,"buildProductionStorageBackend");function J(){let e=globalThis[T0];return e||(vl||(vl=k0()),vl)}o(J,"getStorage");function bl(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(bl,"readBearerToken");function E0(e,t,r){return ft(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(E0,"gatewayAuthenticationRequiredResponse");async function U0(e,t,r){let n=await J().validateAccessToken({tokenHash:await pe(e),now:ne(new Date)});if(n.kind!=="valid")throw t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed"),g("authentication_required","Gateway access token is expired, revoked, or invalid.");return n.record}o(U0,"validateGatewayAccessToken");function O0(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(O0,"assertAccessTokenResource");function $0(e,t,r){return ft(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":ss({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${ye} scope required by this MCP resource.`,scope:ye})}})}o($0,"insufficientScopeResponse");function z0(e){return{subjectId:e.subjectId,roles:e.roles}}o(z0,"principalFromAccessToken");function M0(e){let t=he(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),ft(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":ss({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(M0,"gatewayTokenRejectedResponse");async function Rl(e,t){let r=Nn(t),n=Wr(r.virtualServerId,e.url),a=bl(e),i=ss({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),E0(e,t,i);try{let s=await U0(a,t,r.virtualServerId);if(O0({accessToken:s,resource:n,virtualServerId:r.virtualServerId},t),s.scope!==ye)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:s.scope,requiredScope:ye,virtualServerId:r.virtualServerId,clientId:s.clientId},"Gateway access token does not have the required MCP scope"),$0(e,t,r.virtualServerId);let c=z0(s);return ey(t,c),Ed(t,c),e}catch(s){return M0({request:e,context:t,error:s,virtualServerId:r.virtualServerId})}}o(Rl,"gatewayTokenInbound");var q0=2,Jy=4,N0=24,j0=16,Yy=512,D0=/(token|secret|authorization|password|cookie|credential|client[_-]?secret|code[_-]?verifier|(^|[_-])(code|state|verifier)($|[_-]))/i,H0=/("(?:access_token|refresh_token|id_token|client_secret|authorization|password|cookie|code|state|code_verifier)"\s*:\s*")([^"]*)(")/gi,L0=/\b(access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|cookie|code|state|code[_-]?verifier)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,;&]+)/gi,B0=/\b(authorization)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|(?:Bearer|Basic)\s+[^\s,;]+|[^\s,;]+)/gi,G0=/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi,V0=/\bBasic\s+[A-Za-z0-9+/=-]+/gi;function Qy(e){let t=e.route;return t&&typeof t=="object"?t:void 0}o(Qy,"readRoute");function F0(e){let t=Qy(e)?.path;return typeof t=="string"&&t.length>0?t:void 0}o(F0,"readRoutePath");function Z0(e){let t=Qy(e)?.raw;if(typeof t!="function")return;let r=t();if(!r||typeof r!="object")return;let n=r.operationId;return typeof n=="string"&&n.length>0?n:void 0}o(Z0,"readRouteOperationId");function K0(e){if(!(e===void 0||!Number.isFinite(e)||e<100))return`${Math.trunc(e/100)}xx`}o(K0,"deriveStatusClass");function W0(e,t){if(!(!e&&!t))return e==="user"?t==="user_oauth"?"upstream_user_attributed":"gateway_user_attributed_only":e==="shared"?"shared_upstream_identity":e==="none"?"machine_identity":"unknown"}o(W0,"deriveOriginAttributionMode");function J0(e){if(!e)return;let t=e.toLowerCase();return t.includes("desktop")||t.includes("claude")||t.includes("chatgpt")?"desktop":t.includes("vscode")||t.includes("cursor")||t.includes("zed")||t.includes("jetbrains")||t.includes("ide")?"ide":t.includes("extension")?"extension":t.includes("agent")||t.includes("bot")||t.includes("worker")||t.includes("service")?"service":"unknown"}o(J0,"deriveClientKind");function Y0(e,t){return t==="success"?"none":e===K.MCP_GATEWAY_REQUEST_RECEIVED||e===K.MCP_GATEWAY_REQUEST_REJECTED||e===K.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"ingress":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===K.MCP_GATEWAY_INITIALIZE_NEGOTIATED?"routing":e===K.MCP_GATEWAY_POLICY_DECISION?"policy":e===K.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===K.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e.startsWith("mcp_gateway_capability_")||e.startsWith("mcp_gateway_catalog_")?"upstream":e===K.MCP_GATEWAY_REQUEST_COMPLETED?"egress":"none"}o(Y0,"deriveFailureStage");function Q0(e,t){return t==="success"?"none":t==="application_error"?"mcp_application":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===K.MCP_GATEWAY_POLICY_DECISION||e===K.MCP_GATEWAY_GUARDRAIL_DECISION||e===K.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e===K.MCP_GATEWAY_CAPABILITY_FAILED||e===K.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED?"upstream":e===K.MCP_GATEWAY_REQUEST_REJECTED||e===K.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"client":"gateway"}o(Q0,"deriveFailureOrigin");function X0(e,t){return t==="success"?"none":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===K.MCP_GATEWAY_POLICY_DECISION?"policy":e===K.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===K.MCP_GATEWAY_RATE_LIMIT_DECISION?"rate_limit":e.startsWith("mcp_gateway_upstream_")?"upstream":e===K.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR||e===K.MCP_GATEWAY_REQUEST_REJECTED?"protocol":"none"}o(X0,"deriveReasonClass");function eE(e){return e.length<=Yy?e:`${e.slice(0,Yy)}...`}o(eE,"truncateAnalyticsString");function tE(e){return eE(e.replace(H0,"$1[REDACTED]$3").replace(B0,"$1$2[REDACTED]").replace(L0,"$1$2[REDACTED]").replace(G0,"Bearer [REDACTED]").replace(V0,"Basic [REDACTED]"))}o(tE,"redactAnalyticsString");function Xy(e,t){if(e!==void 0){if(e===null||typeof e=="boolean")return e;if(typeof e=="string")return tE(e);if(typeof e=="number")return Number.isFinite(e)?e:void 0;if(Array.isArray(e))return t>=Jy?"[DEPTH_LIMIT]":e.slice(0,j0).map(r=>Xy(r,t+1)).filter(r=>r!==void 0);if(typeof e=="object")return e instanceof Date?e.toISOString():t>=Jy?"[DEPTH_LIMIT]":eS(e,t+1)}}o(Xy,"sanitizeAnalyticsValue");function eS(e,t=0){if(!e)return;let r={};for(let[n,a]of Object.entries(e).slice(0,N0)){if(D0.test(n)){r[n]="[REDACTED]";continue}let i=Xy(a,t);i!==void 0&&(r[n]=i)}return Object.keys(r).length===0?void 0:r}o(eS,"sanitizeMcpGatewayAnalyticsAttributes");function M(e){return e===void 0?null:e}o(M,"nullable");function rE(e){let t=e.environment;return t&&typeof t=="object"&&typeof t.name=="string"?t.name:null}o(rE,"readEnvironment");function nE(e){let t=e.requestId;return typeof t=="string"&&t.length>0?t:null}o(nE,"readRequestId");function oE(e){if(e===void 0)return null;try{return JSON.stringify(e)}catch{return null}}o(oE,"attributesToJsonString");function aE(e,t){let r=cl(e),n=ea(e),a=eS(t.attributes),i=nE(e),s=t.ownerMode??t.routeBinding?.ownerMode??null,c=t.upstreamAuthMode??t.routeBinding?.authMode??null,d=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId??null,p=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId??null,l=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName??null,m=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId??null,h=t.clientKind??J0(t.clientName)??null,y=W0(s??void 0,c??void 0)??null,_=K0(t.httpStatusCode)??null,S=t.reasonClass??X0(t.eventType,t.outcome),w=t.failureOrigin??Q0(t.eventType,t.outcome),v=t.failureStage??Y0(t.eventType,t.outcome);return{schemaVersion:q0,outcome:t.outcome,subjectId:M(r?.subjectId),environment:rE(e),traceId:t.traceId??i,spanId:M(t.spanId),parentEventId:M(t.parentEventId),mcpSessionId:M(t.mcpSessionId),routeSurface:M(t.routeSurface),routePath:F0(e)??null,operationId:Z0(e)??null,virtualServerName:d,virtualServerTitle:M(t.virtualServerTitle),upstreamServerName:p,upstreamServerTitle:l,upstreamBindingId:M(t.upstreamBindingId),clientName:M(t.clientName),clientTitle:M(t.clientTitle),clientVersion:M(t.clientVersion),clientKind:h,authProfileId:m,upstreamAuthMode:c,ownerMode:s,authMethod:M(t.authMethod),originAttributionMode:y,httpMethod:M(t.httpMethod),httpStatusCode:M(t.httpStatusCode),statusClass:_,mcpMethod:M(t.mcpMethod),mcpProtocolVersion:M(t.mcpProtocolVersion),mcpStatus:M(t.mcpStatus),mcpErrorType:M(t.mcpErrorType),applicationError:M(t.applicationError),applicationErrorCode:M(t.applicationErrorCode),toolResultIsError:M(t.toolResultIsError),capabilityType:M(t.capabilityType),capabilityName:M(t.capabilityName),capabilityTitle:M(t.capabilityTitle),upstreamCapabilityName:M(t.upstreamCapabilityName),upstreamCapabilityTitle:M(t.upstreamCapabilityTitle),capabilitySchemaHash:M(t.capabilitySchemaHash),policyId:M(t.policyId),policyAction:M(t.policyAction),guardrailType:M(t.guardrailType),guardrailDirection:M(t.guardrailDirection),guardrailFindingCount:M(t.guardrailFindingCount),redactionCount:M(t.redactionCount),requestMutated:M(t.requestMutated),responseMutated:M(t.responseMutated),latencyMs:M(t.latencyMs),gatewayLatencyMs:M(t.gatewayLatencyMs),upstreamLatencyMs:M(t.upstreamLatencyMs),authLatencyMs:M(t.authLatencyMs),policyLatencyMs:M(t.policyLatencyMs),requestBytes:M(t.requestBytes),responseBytes:M(t.responseBytes),estimatedInputTokens:M(t.estimatedInputTokens),estimatedOutputTokens:M(t.estimatedOutputTokens),estimatedContextTokens:M(t.estimatedContextTokens),contextPressureBucket:M(t.contextPressureBucket),responseMimeTypes:M(t.responseMimeTypes),base64Suspected:M(t.base64Suspected),truncated:M(t.truncated),isLargePayloadRequest:M(t.isLargePayloadRequest),isLargePayloadResponse:M(t.isLargePayloadResponse),payloadCaptureMode:M(t.payloadCaptureMode),reasonCode:M(t.reasonCode),reasonClass:S,errorType:t.errorType??t.reasonCode??null,failureOrigin:w,failureStage:v,customMetadataJson:M(t.customMetadataJson),attributesJson:oE(a)}}o(aE,"buildMcpGatewayAnalyticsMetadata");function tt(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,aE(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_gateway_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(tt,"emitMcpGatewayAnalyticsEvent");function rt(e){let t=ht().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(rt,"getUpstreamServerConfig");function iE(e){let t=ht().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(iE,"resolveUpstreamAuthProfileId");function Ir(e){iE(e);let t=ht().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(Ir,"getUpstreamAuthConfig");function Qr(e,t){let r=Ir({upstreamServerId:e,authProfileId:t});if(!gg(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(Qr,"requireUpstreamOAuthConfig");var sE={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},user_oauth:{authMode:"user_oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},static_secret:{authMode:"static_secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured_static_secret"},"shared-secret":{authMode:"shared-secret",ownerMode:"shared",connectSupport:"none",connectUnsupportedDetail:"Shared static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"shared_secret_connection"},"user-secret":{authMode:"user-secret",ownerMode:"user",connectSupport:"user_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_secret_connection"}};function $t(e){return sE[e]}o($t,"describeUpstreamAuthMode");function ps(e){return $t(e).ownerMode}o(ps,"resolveOwnerModeForUpstreamAuthMode");ie();import{errors as uS,jwtVerify as dS,SignJWT as lS}from"jose";ie();var tS=u.string().trim().min(1),cE=u.object({TOKEN_ENCRYPTION_KEY:tS,OAUTH_STATE_SIGNING_KEY:tS}),uE=["TOKEN_ENCRYPTION_KEY","OAUTH_STATE_SIGNING_KEY"];function dE(e){let t=lo[e];return typeof t=="string"?t:void 0}o(dE,"readEnvValue");function lE(){let e={};for(let t of uE){let r=dE(t);r!==void 0&&(e[t]=r)}return e}o(lE,"readRawEnv");var Cl;function pE(e){return e.issues.map(t=>`- ${t.path.length>0?t.path.map(String).join("."):"environment"}: ${t.message}`)}o(pE,"formatZodIssues");function mE(e){return new jt(["Invalid MCP gateway environment configuration.","Validation failed for these environment variables:",...pE(e)].join(`
+`),{cause:e})}o(mE,"createEnvValidationError");function fE(e){let t=cE.safeParse(e);if(!t.success)throw mE(t.error);return t.data}o(fE,"parseGatewayEnv");function hE(){return Cl||(Cl=fE(lE())),Cl}o(hE,"readEnv");function rS(){return hE()}o(rS,"getEnv");import{base64url as gE}from"jose";var yE=new TextEncoder,Il=32;function nS(e,t={}){let r=[SE(e),yE.encode(e)],n;for(let a of r)if(a){if(a.byteLength>=Il){n=a;break}(n===void 0||a.byteLength>n.byteLength)&&(n=a)}if(n===void 0||n.byteLength<Il){let a=t.name??"secret key material",i=n?.byteLength??0;throw new Error(`${a} must decode to at least ${Il} bytes (got ${i}). Generate a high-entropy value with for example: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='.`)}return n}o(nS,"decodeConfiguredSecretKeyMaterial");function SE(e){try{return gE.decode(e)}catch{return}}o(SE,"tryDecodeBase64Url");var oS=new Map,aS=new Map;function _E(e){let t=oS.get(e);return t||(t=nS(rS()[e],{name:e}),oS.set(e,t)),t}o(_E,"getMasterKeyMaterial");async function zt(e){let t=aS.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(_E(e.envVar));return aS.set(e.purpose,r),r}o(zt,"readCachedDerivedKey");var wE="SHA-256";var vE="zuplo-mcp-gateway:",bE=new TextEncoder,iS=new WeakMap;async function Pr(e,t){let r=iS.get(e);r||(r=new Map,iS.set(e,r));let n=r.get(t);if(n)return n;let a=await RE(e,t);return r.set(t,a),a}o(Pr,"deriveGatewaySigningKey");async function RE(e,t){let r=sS(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=bE.encode(`${vE}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:wE,salt:new Uint8Array,info:sS(a)},n,32*8);return new Uint8Array(i)}o(RE,"hkdfExpand");function sS(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(sS,"copyToArrayBuffer");var ms="HS256",pS=15*60,CE=15*60,fs="zuplo-mcp-gateway",hs="zuplo-mcp-gateway",IE=ny.extend({id:Bn}),PE=IE.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),mS=Hn.extend({id:ia,purpose:u.literal("browser_connect")}),xE=Hn.extend({purpose:u.literal("browser_connect")}),AE=mS.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),fS=pS*1e3;async function hS(){return zt({purpose:"oauth-state",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>Pr(e,"oauth-state"),"derive")})}o(hS,"getOAuthStateKey");async function gS(){return zt({purpose:"browser-connect",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>Pr(e,"browser-connect"),"derive")})}o(gS,"getBrowserConnectKey");async function yS(e){let t=Math.floor(Date.now()/1e3)+pS;return new lS(e).setProtectedHeader({alg:ms,typ:"JWT"}).setIssuer(fs).setAudience(hs).setIssuedAt().setExpirationTime(t).sign(await hS())}o(yS,"signOAuthState");async function gs(e){try{let{payload:t}=await dS(e,await hS(),{algorithms:[ms],issuer:fs,audience:hs});return PE.parse(t)}catch(t){throw t instanceof uS.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(gs,"verifyOAuthState");async function SS(e){let t=Math.floor(Date.now()/1e3)+CE,r=xE.parse(e),n=mS.parse({...r,id:cy()});return new lS(n).setProtectedHeader({alg:ms,typ:"JWT"}).setIssuer(fs).setAudience(hs).setIssuedAt().setExpirationTime(t).sign(await gS())}o(SS,"signBrowserConnectTicket");async function ys(e){try{let{payload:t}=await dS(e,await gS(),{algorithms:[ms],issuer:fs,audience:hs});return AE.parse(t)}catch(t){throw t instanceof uS.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o(ys,"verifyBrowserConnectTicket");async function Ss(e){if((await J().consumeBrowserConnectTicket({id:e.id,expiresAt:ne(new Date(e.exp*1e3)),now:ne(new Date)})).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o(Ss,"consumeBrowserConnectTicket");function TE(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(TE,"buildConnectRequiredMessage");async function _S(e){let t=ce(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await SS({...aa(e),purpose:"browser_connect"})),r.toString()}o(_S,"buildGatewayBrowserTicketUrl");function kE(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(kE,"buildGatewayConnectPath");async function Pl(e){return _S({...e,path:kE(e.upstreamServerId),redirect:!0})}o(Pl,"buildGatewayConnectUrl");async function wS(e){return _S({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(wS,"buildGatewayAppPasswordCaptureUrl");async function Vn(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await Pl(t),message:TE(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(Vn,"buildRedirectConnectRequiredResponse");function vS(e){return bS({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(vS,"buildAdminConnectRequiredResponse");function bS(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(bS,"buildAdminSetupRequiredResponse");function RS(e){return bS({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(RS,"buildAdminStaticSecretRequiredResponse");ie();import{base64url as xr}from"jose";var EE="SHA-256",Zn="AES-GCM",UE=12,Al="zuplo-secret",Tl=1,CS="env:TOKEN_ENCRYPTION_KEY",OE=u.object({version:u.literal(Tl),keyId:u.literal(CS),algorithm:u.literal(Zn),iv:u.string().min(1),ciphertext:u.string().min(1)}).strict();function Fn(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Fn,"copyToArrayBuffer");async function xl(){return zt({purpose:"token-encryption",envVar:"TOKEN_ENCRYPTION_KEY",derive:o(async e=>{let t=await crypto.subtle.digest(EE,Fn(e));return crypto.subtle.importKey("raw",t,{name:Zn},!1,["encrypt","decrypt"])},"derive")})}o(xl,"getEncryptionKey");function IS(e){return Fn(new TextEncoder().encode(`${Al}:v${e.version}:${e.keyId}`))}o(IS,"getAssociatedData");function $E(e){return`${Al}:v${e.version}:${xr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o($E,"encodeEnvelope");function zE(e){let t=`${Al}:v${Tl}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(xr.decode(r));return OE.parse(JSON.parse(n))}o(zE,"decodeEnvelope");async function Xr(e){let t=await xl(),r=crypto.getRandomValues(new Uint8Array(UE)),n={version:Tl,keyId:CS},a=await crypto.subtle.encrypt({name:Zn,iv:r,additionalData:IS(n)},t,new TextEncoder().encode(e));return $E({...n,algorithm:Zn,iv:xr.encode(r),ciphertext:xr.encode(new Uint8Array(a))})}o(Xr,"encryptSecret");async function Qt(e){let t=zE(e);if(t){let s=await xl(),c=await crypto.subtle.decrypt({name:Zn,iv:Fn(xr.decode(t.iv)),additionalData:IS(t)},s,Fn(xr.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await xl(),i=await crypto.subtle.decrypt({name:Zn,iv:Fn(xr.decode(r))},a,Fn(xr.decode(n)));return new TextDecoder().decode(i)}o(Qt,"decryptSecret");function ME(e,t){let r=Ir({upstreamServerId:e,authProfileId:t});if(r.mode!=="shared-secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(ME,"requireTenantStaticSecretConfig");function PS(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(PS,"hasUsableTenantStaticSecret");async function qE(e){if(!PS(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await Qt(e.connection.metadata.encryptedStaticSecret)}}o(qE,"resolveTenantStaticSecretCredential");async function xS(e){let t=rt(e.upstreamServerId);ME(e.upstreamServerId,e.authProfileId);let r="preloadedConnection"in e?e.preloadedConnection:(await J().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(PS(r))return{kind:"authorized",credential:await qE({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:RS(n)}}o(xS,"resolveTenantStaticSecretCredentialForRequest");ie();async function kl(e){return J().upsertUpstreamConnection({id:ds(),ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(kl,"upsertStaticSecretConnection");var NE=u.string().trim().min(1).max(320),jE=u.string().min(1).max(4096),DE=u.string().trim().min(1).max(4096);function El(e,t){let r=Ir({upstreamServerId:e,authProfileId:t});if(r.mode!=="user-secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(El,"requireUserStaticSecretConfig");function HE(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(HE,"encodeBase64Utf8");function LE(e){return`Basic ${HE(`${e.username}:${e.appPassword}`)}`}o(LE,"buildBasicAuthHeader");function AS(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(AS,"hasEncryptedUserStaticSecret");async function BE(e){if(!AS(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await Qt(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:LE({username:e.connection.metadata.staticSecretUsername,appPassword:await Qt(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(BE,"resolveUserStaticSecretCredential");async function TS(e){if(El(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=NE.parse(e.username),n=jE.parse(e.appPassword);return kl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await Xr(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(TS,"saveUserStaticSecretCredential");async function _s(e){let t=El(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=DE.parse(e.token);return kl({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await Xr(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(_s,"saveUserStaticBearerTokenCredential");function Ul(e,t){return El(e,t)}o(Ul,"readUserStaticSecretCaptureConfig");async function kS(e){let t=rt(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r="preloadedConnection"in e?e.preloadedConnection:(await J().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(AS(r))return{kind:"authorized",credential:await BE({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await Vn(n)}}o(kS,"resolveUserStaticSecretCredentialForRequest");function ES(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return wS({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(ES,"buildUserStaticSecretConnectUrl");var Ol;Ol=globalThis.crypto;async function GE(e){return(await Ol).getRandomValues(new Uint8Array(e))}o(GE,"getRandomValues");async function VE(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await GE(e-n.length);for(let i of a)i<r&&(n+=t[i%t.length])}return n}o(VE,"random");async function FE(e){return await VE(e)}o(FE,"generateVerifier");async function ZE(e){let t=await(await Ol).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(ZE,"generateChallenge");async function $l(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await FE(e),r=await ZE(t);return{code_verifier:t,code_challenge:r}}o($l,"pkceChallenge");ie();var Me=Bp().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Zp.custom,message:"URL must be parseable",fatal:!0}),Hp}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),ws=Ce({resource:f().url(),authorization_servers:C(Me).optional(),jwks_uri:f().url().optional(),scopes_supported:C(f()).optional(),bearer_methods_supported:C(f()).optional(),resource_signing_alg_values_supported:C(f()).optional(),resource_name:f().optional(),resource_documentation:f().optional(),resource_policy_uri:f().url().optional(),resource_tos_uri:f().url().optional(),tls_client_certificate_bound_access_tokens:ae().optional(),authorization_details_types_supported:C(f()).optional(),dpop_signing_alg_values_supported:C(f()).optional(),dpop_bound_access_tokens_required:ae().optional()}),sa=Ce({issuer:f(),authorization_endpoint:Me,token_endpoint:Me,registration_endpoint:Me.optional(),scopes_supported:C(f()).optional(),response_types_supported:C(f()),response_modes_supported:C(f()).optional(),grant_types_supported:C(f()).optional(),token_endpoint_auth_methods_supported:C(f()).optional(),token_endpoint_auth_signing_alg_values_supported:C(f()).optional(),service_documentation:Me.optional(),revocation_endpoint:Me.optional(),revocation_endpoint_auth_methods_supported:C(f()).optional(),revocation_endpoint_auth_signing_alg_values_supported:C(f()).optional(),introspection_endpoint:f().optional(),introspection_endpoint_auth_methods_supported:C(f()).optional(),introspection_endpoint_auth_signing_alg_values_supported:C(f()).optional(),code_challenge_methods_supported:C(f()).optional(),client_id_metadata_document_supported:ae().optional()}),KE=Ce({issuer:f(),authorization_endpoint:Me,token_endpoint:Me,userinfo_endpoint:Me.optional(),jwks_uri:Me,registration_endpoint:Me.optional(),scopes_supported:C(f()).optional(),response_types_supported:C(f()),response_modes_supported:C(f()).optional(),grant_types_supported:C(f()).optional(),acr_values_supported:C(f()).optional(),subject_types_supported:C(f()),id_token_signing_alg_values_supported:C(f()),id_token_encryption_alg_values_supported:C(f()).optional(),id_token_encryption_enc_values_supported:C(f()).optional(),userinfo_signing_alg_values_supported:C(f()).optional(),userinfo_encryption_alg_values_supported:C(f()).optional(),userinfo_encryption_enc_values_supported:C(f()).optional(),request_object_signing_alg_values_supported:C(f()).optional(),request_object_encryption_alg_values_supported:C(f()).optional(),request_object_encryption_enc_values_supported:C(f()).optional(),token_endpoint_auth_methods_supported:C(f()).optional(),token_endpoint_auth_signing_alg_values_supported:C(f()).optional(),display_values_supported:C(f()).optional(),claim_types_supported:C(f()).optional(),claims_supported:C(f()).optional(),service_documentation:f().optional(),claims_locales_supported:C(f()).optional(),ui_locales_supported:C(f()).optional(),claims_parameter_supported:ae().optional(),request_parameter_supported:ae().optional(),request_uri_parameter_supported:ae().optional(),require_request_uri_registration:ae().optional(),op_policy_uri:Me.optional(),op_tos_uri:Me.optional(),client_id_metadata_document_supported:ae().optional()}),vs=I({...KE.shape,...sa.pick({code_challenge_methods_supported:!0}).shape}),ca=I({access_token:f(),id_token:f().optional(),token_type:f(),expires_in:Kp.number().optional(),scope:f().optional(),refresh_token:f().optional()}).strip(),OS=I({error:f(),error_description:f().optional(),error_uri:f().optional()}),US=Me.optional().or(O("").transform(()=>{})),WE=I({redirect_uris:C(Me),token_endpoint_auth_method:f().optional(),grant_types:C(f()).optional(),response_types:C(f()).optional(),client_name:f().optional(),client_uri:Me.optional(),logo_uri:US,scope:f().optional(),contacts:C(f()).optional(),tos_uri:US,policy_uri:f().optional(),jwks_uri:Me.optional(),jwks:Vp().optional(),software_id:f().optional(),software_version:f().optional(),software_statement:f().optional()}).strip(),zl=I({client_id:f(),client_secret:f().optional(),client_id_issued_at:ee().optional(),client_secret_expires_at:ee().optional()}).strip(),ua=WE.merge(zl),q9=I({error:f(),error_description:f().optional()}).strip(),N9=I({token:f(),token_type_hint:f().optional()}).strip();function $S(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o($S,"resourceUrlFromServerUrl");function zS({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(i)}o(zS,"checkResourceAllowed");var Re=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},da=class extends Re{static{o(this,"InvalidRequestError")}};da.errorCode="invalid_request";var en=class extends Re{static{o(this,"InvalidClientError")}};en.errorCode="invalid_client";var tn=class extends Re{static{o(this,"InvalidGrantError")}};tn.errorCode="invalid_grant";var rn=class extends Re{static{o(this,"UnauthorizedClientError")}};rn.errorCode="unauthorized_client";var la=class extends Re{static{o(this,"UnsupportedGrantTypeError")}};la.errorCode="unsupported_grant_type";var pa=class extends Re{static{o(this,"InvalidScopeError")}};pa.errorCode="invalid_scope";var ma=class extends Re{static{o(this,"AccessDeniedError")}};ma.errorCode="access_denied";var Xt=class extends Re{static{o(this,"ServerError")}};Xt.errorCode="server_error";var fa=class extends Re{static{o(this,"TemporarilyUnavailableError")}};fa.errorCode="temporarily_unavailable";var ha=class extends Re{static{o(this,"UnsupportedResponseTypeError")}};ha.errorCode="unsupported_response_type";var ga=class extends Re{static{o(this,"UnsupportedTokenTypeError")}};ga.errorCode="unsupported_token_type";var ya=class extends Re{static{o(this,"InvalidTokenError")}};ya.errorCode="invalid_token";var Sa=class extends Re{static{o(this,"MethodNotAllowedError")}};Sa.errorCode="method_not_allowed";var _a=class extends Re{static{o(this,"TooManyRequestsError")}};_a.errorCode="too_many_requests";var nn=class extends Re{static{o(this,"InvalidClientMetadataError")}};nn.errorCode="invalid_client_metadata";var wa=class extends Re{static{o(this,"InsufficientScopeError")}};wa.errorCode="insufficient_scope";var va=class extends Re{static{o(this,"InvalidTargetError")}};va.errorCode="invalid_target";var MS={[da.errorCode]:da,[en.errorCode]:en,[tn.errorCode]:tn,[rn.errorCode]:rn,[la.errorCode]:la,[pa.errorCode]:pa,[ma.errorCode]:ma,[Xt.errorCode]:Xt,[fa.errorCode]:fa,[ha.errorCode]:ha,[ga.errorCode]:ga,[ya.errorCode]:ya,[Sa.errorCode]:Sa,[_a.errorCode]:_a,[nn.errorCode]:nn,[wa.errorCode]:wa,[va.errorCode]:va};var er=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function JE(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(JE,"isClientAuthMethod");var Ml="code",ql="S256";function YE(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&JE(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(YE,"selectClientAuthMethod");function QE(e,t,r,n){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":XE(a,i,r);return;case"client_secret_post":eU(a,i,n);return;case"none":tU(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(QE,"applyClientAuthentication");function XE(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(XE,"applyBasicAuth");function eU(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(eU,"applyPostAuth");function tU(e,t){t.set("client_id",e)}o(tU,"applyPublicAuth");async function NS(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=OS.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=n,c=MS[a]||Xt;return new c(i||"",s)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new Xt(a)}}o(NS,"parseErrorResponse");async function Ar(e,t){try{return await Nl(e,t)}catch(r){if(r instanceof en||r instanceof rn)return await e.invalidateCredentials?.("all"),await Nl(e,t);if(r instanceof tn)return await e.invalidateCredentials?.("tokens"),await Nl(e,t);throw r}}o(Ar,"auth");async function Nl(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),c,d,p,l=a;if(!l&&s?.resourceMetadataUrl&&(l=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(d=s.authorizationServerUrl,c=s.resourceMetadata,p=s.authorizationServerMetadata??await DS(d,{fetchFn:i}),!c)try{c=await jS(t,{resourceMetadataUrl:l},i)}catch{}(p!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}else{let R=await sU(t,{resourceMetadataUrl:l,fetchFn:i});d=R.authorizationServerUrl,p=R.authorizationServerMetadata,c=R.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}let m=await rU(t,e,c),h=n||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,y=await Promise.resolve(e.clientInformation());if(!y){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let R=p?.client_id_metadata_document_supported===!0,q=e.clientMetadataUrl;if(q&&!Dl(q))throw new nn(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${q}`);if(R&&q)y={client_id:q},await e.saveClientInformation?.(y);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let qe=await pU(d,{metadata:p,clientMetadata:e.clientMetadata,scope:h,fetchFn:i});await e.saveClientInformation(qe),y=qe}}let _=!e.redirectUrl;if(r!==void 0||_){let R=await lU(e,d,{metadata:p,resource:m,authorizationCode:r,fetchFn:i});return await e.saveTokens(R),"AUTHORIZED"}let S=await e.tokens();if(S?.refresh_token)try{let R=await dU(d,{metadata:p,clientInformation:y,refreshToken:S.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(R),"AUTHORIZED"}catch(R){if(!(!(R instanceof Re)||R instanceof Xt))throw R}let w=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:b}=await cU(d,{metadata:p,clientInformation:y,state:w,redirectUrl:e.redirectUrl,scope:h,resource:m});return await e.saveCodeVerifier(b),await e.redirectToAuthorization(v),"REDIRECT"}o(Nl,"authInternal");function Dl(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(Dl,"isHttpsUrl");async function rU(e,t,r){let n=$S(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!zS({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o(rU,"selectResourceURL");function Hl(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=jl(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=jl(e,"scope")||void 0,c=jl(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:c}}o(Hl,"extractWWWAuthenticateParams");function jl(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(jl,"extractFieldFromWwwAuth");async function jS(e,t,r=fetch){let n=await aU(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return ws.parse(await n.json())}o(jS,"discoverOAuthProtectedResourceMetadata");async function Ll(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?Ll(e,void 0,r):void 0;throw n}}o(Ll,"fetchWithCorsRetry");function nU(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(nU,"buildWellKnownPath");async function qS(e,t,r=fetch){return await Ll(e,{"MCP-Protocol-Version":t},r)}o(qS,"tryMetadataDiscovery");function oU(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(oU,"shouldAttemptFallback");async function aU(e,t,r,n){let a=new URL(e),i=n?.protocolVersion??dr,s;if(n?.metadataUrl)s=new URL(n.metadataUrl);else{let d=nU(t,a.pathname);s=new URL(d,n?.metadataServerUrl??a),s.search=a.search}let c=await qS(s,i,r);if(!n?.metadataUrl&&oU(c,a.pathname)){let d=new URL(`/.well-known/${t}`,a);c=await qS(d,i,r)}return c}o(aU,"discoverMetadataWithFallback");function iU(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(iU,"buildDiscoveryUrls");async function DS(e,{fetchFn:t=fetch,protocolVersion:r=dr}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=iU(e);for(let{url:i,type:s}of a){let c=await Ll(i,n,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?sa.parse(await c.json()):vs.parse(await c.json())}}}o(DS,"discoverAuthorizationServerMetadata");async function sU(e,t){let r,n;try{r=await jS(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await DS(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(sU,"discoverOAuthServerInfo");async function cU(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:i,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Ml))throw new Error(`Incompatible auth server: does not support response type ${Ml}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(ql))throw new Error(`Incompatible auth server: does not support code challenge method ${ql}`)}else c=new URL("/authorize",e);let d=await $l(),p=d.code_verifier,l=d.code_challenge;return c.searchParams.set("response_type",Ml),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",l),c.searchParams.set("code_challenge_method",ql),c.searchParams.set("redirect_uri",String(n)),i&&c.searchParams.set("state",i),a&&c.searchParams.set("scope",a),a?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:p}}o(cU,"startAuthorization");function uU(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(uU,"prepareAuthorizationCodeRequest");async function HS(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:i,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(d,r,c,t);else if(n){let l=t?.token_endpoint_auth_methods_supported??[],m=YE(n,l);QE(m,n,d,r)}let p=await(s??fetch)(c,{method:"POST",headers:d,body:r});if(!p.ok)throw await NS(p);return ca.parse(await p.json())}o(HS,"executeTokenRequest");async function dU(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:i,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await HS(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:n,...d}}o(dU,"refreshAuthorization");async function lU(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();c=uU(a,p,e.redirectUrl)}let d=await e.clientInformation();return HS(t,{metadata:r,tokenRequestParams:c,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:i})}o(lU,"fetchToken");async function pU(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!s.ok)throw await NS(s);return ua.parse(await s.json())}o(pU,"registerClient");function mU(){let e=lo.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP;return typeof e=="string"&&e==="1"}o(mU,"isTestOnlyAllowHttpLoopbackIdpEnabled");var fU=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),hU=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function LS(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(LS,"parseIpv4Octets");function gU([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(gU,"ipv4RangeMatches");function BS(e){let t=LS(e);return t!==void 0&&hU.some(r=>gU(t,r))}o(BS,"isPrivateIpv4");function Bl(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(Bl,"parseIpv6Word");function yU(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(yU,"formatIpv4FromWords");function SU(e){let t=e.slice(7),r=LS(t);if(r!==void 0)return r.join(".");let[n,a,i]=t.split(":"),s=Bl(n),c=Bl(a);return i===void 0&&s!==void 0&&c!==void 0?yU(s,c):void 0}o(SU,"parseIpv6MappedIpv4");function _U(e){return Bl(e.split(":").find(Boolean))}o(_U,"readFirstIpv6Hextet");function wU(e){let t=gt(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=SU(t);return n===void 0||BS(n)}let r=_U(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(wU,"isPrivateIpv6");function Gl(e){let t=gt(e);return fU.has(t)||t.endsWith(".internal")||BS(t)||wU(t)}o(Gl,"isBlockedOutboundHostname");function GS(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);let r=Le(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=gt(t.hostname);if(!r&&Gl(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(GS,"validateConfiguredOutboundUrl");function VS(e){let t=new URL(e),r=Le(t),n=r&&mU();if(t.protocol!=="https:"&&!n)throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");let a=gt(t.hostname);if(!r&&Gl(a))throw g("invalid_request",`Blocked identity provider host: ${a}`);return t}o(VS,"validateIdentityProviderUrl");function bs(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(Gl(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(bs,"validateCimdClientMetadataUrl");function FS(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(FS,"mergeAbortSignals");async function vU(e){try{await e.cancel()}catch{}}o(vU,"cancelReader");async function Rs(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,i=await r.read();for(;!i.done;){let d=i.value;if(a+=d.byteLength,a>t.maxBytes)throw await vU(r),t.createLimitError();n.push(d),i=await r.read()}let s=new Uint8Array(a),c=0;for(let d of n)s.set(d,c),c+=d.byteLength;return s}o(Rs,"readBoundedByteStream");var bU=2,RU=1024*1024,CU=1e4,IU=new Set([301,302,303,307,308]),PU=["authorization","proxy-authorization","cookie","cookie2"];function Vl(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(Vl,"readRequestUrl");function Kn(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(Kn,"readRequestMethod");function xU(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(xU,"assertContentLengthWithinLimit");async function AU(e,t,r){return xU(e,t,r),Rs(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o(AU,"readBoundedResponseBody");function TU(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(TU,"responseFromBufferedBody");function kU(e,t){if(!IU.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(kU,"resolveRedirectUrl");function ZS(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(ZS,"validateOutboundUrl");function EU(e,t){throw he(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(EU,"normalizeFetchError");function ba(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&Oe(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(ba,"logOutboundFailure");async function UU(e,t,r,n,a,i,s){let c=Kn(r,n);try{return await t(r,n)}catch(d){let p=d instanceof DOMException&&d.name==="AbortError";ba(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:c,host:mt(i),error:d,extra:{abortReason:s()}}),EU(d,a)}}o(UU,"fetchWithNormalizedError");function OU(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(OU,"assertRedirectAllowed");function $U(e,t){let r=new Headers(e);for(let n of PU)r.delete(n);for(let n of t)r.delete(n);return r}o($U,"stripCrossOriginHeaders");function zU(e,t,r,n,a){let i={...e,method:t,redirect:"manual",signal:r};return n&&(i.headers=$U(e.headers,a)),i}o(zU,"buildRedirectInit");function MU(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(MU,"buildInitialRequestInit");function qU(e){let t=Kn(e.currentInput,e.currentInit);OU({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=ZS(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,i=r.toString();return{currentInput:i,currentUrl:i,currentInit:zU(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(qU,"followRedirect");async function Fl(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??bU,i=r.maxResponseBytes??RU,s=r.timeoutMs??CU,c=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],p=r.context,l=new AbortController,m=FS(l,t.signal),h=!1,y=setTimeout(()=>{h=!0,l.abort()},s),_=e,S=MU(e,t,l.signal),w;try{w=ZS(Vl(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(b){throw ba(p,{event:"outbound_url_blocked",problemCode:n,method:Kn(e,t),host:mt(Vl(e)),error:b}),clearTimeout(y),m?.(),b}let v=0;try{for(;;){let b=await UU(p,c,_,S,n,w,()=>h?`timeout_after_${s}ms`:void 0),R=kU(b,w);if(R!==void 0)try{let q=qU({currentInput:_,currentInit:S,currentUrl:w,redirectUrl:R,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:l.signal,additionalCrossOriginStrippedHeaders:d});_=q.currentInput,S=q.currentInit,w=q.currentUrl,v=q.redirects;continue}catch(q){throw ba(p,{event:"outbound_redirect_blocked",problemCode:n,method:Kn(_,S),host:mt(w),error:q,extra:{redirects:v,maxRedirects:a,redirectTargetHost:mt(R)}}),q}try{return TU(b,await AU(b,i,n))}catch(q){throw ba(p,{event:"outbound_response_size_exceeded",problemCode:n,method:Kn(_,S),host:mt(w),error:q,extra:{maxResponseBytes:i,status:b.status}}),q}}}finally{clearTimeout(y),m?.()}}o(Fl,"runSafeOutboundExchange");async function Zl(e,t,r){let n=await Fl(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw ba(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Kn(e,t),host:mt(Vl(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(Zl,"runSafeOutboundJsonExchange");function Cs(e,t={},r={}){return Fl(e,t,{...r,validateUrl:GS})}o(Cs,"fetchConfiguredOutbound");function KS(e,t={},r={}){return Zl(e,t,{...r,validateUrl:VS})}o(KS,"fetchIdentityProviderJson");function WS(e,t={},r={}){return Zl(e,t,{...r,validateUrl:bs})}o(WS,"fetchCimdClientMetadataJson");ie();function Kl(e){return`Zuplo MCP Gateway - ${e}`}o(Kl,"buildGatewayOAuthClientName");function JS(e,t){let r=new URL(e,ce(t));return Le(r)&&gt(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(JS,"buildGatewayOAuthRedirectUri");function Wl(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(Wl,"buildOAuthClientMetadataDocumentUrl");function YS(e){return ce(e)}o(YS,"requireOAuthClientMetadataOrigin");function QS(e,t,r){let n=rt(t),a=Qr(t,r);return{client_id:Wl({origin:e,upstreamServerId:t,authProfileId:r}),client_name:Kl(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(QS,"buildOAuthClientMetadataDocument");var NU=u.union([ua,zl]),jU=u.object({authorizationServerUrl:u.url(),resourceMetadataUrl:u.url().optional(),resourceMetadata:ws.optional(),authorizationServerMetadata:u.union([sa,vs]).optional()}).passthrough(),DU="Bearer";function HU(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(HU,"splitScopes");function LU(e){return rs.parse(e)}o(LU,"parsePkceCodeVerifier");function BU(e){if(typeof e.expires_in=="number")return ne(new Date(Date.now()+e.expires_in*1e3))}o(BU,"readTokenExpiry");async function XS(e){if(e!==void 0)return Xr(JSON.stringify(e))}o(XS,"encryptJson");async function e_(e,t){if(!e)return;let r=await Qt(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(e_,"decryptJson");function GU(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(GU,"toOAuthDiscoveryState");function VU(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(VU,"clientInformationAllowsRedirectUri");function FU(e,t,r){let n=rt(e),a=Qr(e,t),i;return a.scopes.length>0&&(i=a.scopes.join(a.scopeDelimiter)),{client_name:Kl(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}o(FU,"buildOAuthClientMetadata");function ZU(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return ua.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(ZU,"buildManualOAuthClientInformation");function KU(e,t,r){let n=Wl({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return Dl(n)?n:void 0}o(KU,"buildClientMetadataUrl");function t_(e){for(let t of e)if(t!==void 0)return t}o(t_,"firstDefined");function WU(e){let t=Qr(e.target.upstreamServerId,e.target.authProfileId),r=FU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:ZU({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=KU(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(WU,"buildInitialOAuthClientSetup");function JU(e,t){if(t===void 0)return t_([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(JU,"readEncryptedClientInformation");function YU(e){return t_([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(YU,"readEncryptedDiscoveryState");var on=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=WU({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=JU(t,this.configuredClientInformation),this.encryptedDiscoveryState=YU(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return yS({id:t.id,...aa({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await XS(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await XS(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=ca.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??ds(),ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Xr(r.access_token),encryptedRefreshToken:r.refresh_token?await Xr(r.refresh_token):void 0,scopes:HU(r.scope??this.clientMetadataValue.scope),expiresAt:BU(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await J().upsertUpstreamConnection(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:LU(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:sy(),...aa({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:ne(new Date(Date.now()+fS)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await J().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await e_(this.encryptedClientInformation,NU)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!VU(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=GU(await e_(this.encryptedDiscoveryState,jU))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=ca.parse({access_token:await Qt(this.connection.encryptedAccessToken),token_type:DU,refresh_token:this.connection.encryptedRefreshToken?await Qt(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await J().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var QU=1e4,XU=256*1024,eO=2;function tO(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(tO,"hasUsableAccessToken");var rO="does not support dynamic client registration";function nO(e){return e instanceof Error&&e.message.includes(rO)}o(nO,"isDynamicClientRegistrationUnsupported");function oO(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(oO,"readOAuthFetchRequest");function aO(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(aO,"responseLooksJson");function r_(e){return async(t,r)=>{let n=oO(t),a=await Cs(t,r,{maxRedirects:eO,maxResponseBytes:XU,problemCode:"upstream_token_exchange_failed",timeoutMs:QU}),i=await a.clone().text();if(!aO(a,i))return a;try{JSON.parse(i)}catch(s){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,s)}return a}}o(r_,"createUpstreamOAuthFetch");async function n_(e,t){try{return await Ar(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:r_(t.upstreamServerId)})}catch(r){throw nO(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(n_,"runUpstreamOAuth");async function iO(e,t){return Ar(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:r_(t.upstreamServerId)})}o(iO,"exchangeUpstreamAuthorizationCode");async function o_(e,t){let r=await n_(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o(o_,"requireUpstreamAuthorizationRedirect");async function a_(e){if(tO(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await n_(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await lO({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(a_,"authorizeUpstreamOAuthSession");async function sO(e){let t=await gs(e.stateToken),r=await J().consumeUpstreamOAuthState({id:t.id,now:ne(new Date)}),n=cO(r);return uO({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),dO(n),n}o(sO,"consumeStoredCallbackState");function cO(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(cO,"readConsumedCallbackState");function uO(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(uO,"assertStoredCallbackStateMatches");function dO(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(dO,"assertStoredCallbackStateFresh");async function lO(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),vS(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Vn(t)}o(lO,"buildOAuthConnectRequiredResponse");async function i_(e){let t=await sO({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Ln(t),[n]=await J().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let i=new on(a),s=await iO(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(i_,"finishUpstreamOAuthCallback");async function s_(e){let t=rt(e.upstreamServerId),r=Qr(e.upstreamServerId,e.authProfileId),n=JS(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await J().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:ce(e.request.url)}}}o(s_,"prepareUpstreamOAuthRequest");async function c_(e){let t=await s_(e),r=new on({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return o_(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(c_,"startUpstreamConnect");async function u_(e){let t=await s_(e),r=new on({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return a_({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(u_,"authorizeUpstreamRequest");function pO(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(pO,"resolveStaticSecretCredential");async function d_(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user_oauth":return u_({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"shared-secret":return xS({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"static_secret":{let n=Ir({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static_secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:pO(n.secret,t.upstreamServerId)}}case"user-secret":return kS({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(d_,"resolveUpstreamCredentialForRoute");async function l_(e){let t=Cr(e.principal.subjectId),r=ht().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user-secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await _s({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(l_,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function p_(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=$t(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await c_(r);break;case"user_secret_capture":t=await ES(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(p_,"startUpstreamConnectForRequest");async function m_(e){let r=(await gs(e.callbackRequest.state)).authProfileId,n=Ir({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if($t(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return i_({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:rt(e.callbackRequest.upstreamServerId)})}o(m_,"finishUpstreamCallbackForRequest");var Is=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=mr,n){let a=this._client,i={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},s=a.requestStream({method:"tools/call",params:t},r,i),c=a.getToolOutputValidator(t.name);for await(let d of s){if(d.type==="result"&&c){let p=d.result;if(!p.structuredContent&&!p.isError){yield{type:"error",error:new A(U.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(p.structuredContent)try{let l=c(p.structuredContent);if(!l.valid){yield{type:"error",error:new A(U.InvalidParams,`Structured content does not match the tool's output schema: ${l.errorMessage}`)};return}}catch(l){if(l instanceof A){yield{type:"error",error:l};return}yield{type:"error",error:new A(U.InvalidParams,`Failed to validate structured content: ${l instanceof Error?l.message:String(l)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function Ps(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let i=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(i,"default")&&(r[a]=i.default),r[a]!==void 0&&Ps(i,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&Ps(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&Ps(r,t)}}o(Ps,"applyElicitationDefaults");function mO(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(mO,"getSupportedElicitationModes");var xs=class extends gn{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new On,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",Tc,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",Pc,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",yc,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new Is(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Qa(this._capabilities,t)}setRequestHandler(t,r){let a=ln(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(cr(a)){let c=a;i=c._zod?.def?.value??c.value}else{let c=a;i=c._def?.value??c.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");let s=i;if(s==="elicitation/create"){let c=o(async(d,p)=>{let l=Ge(Uc,d);if(!l.success){let b=l.error instanceof Error?l.error.message:String(l.error);throw new A(U.InvalidParams,`Invalid elicitation request: ${b}`)}let{params:m}=l.data;m.mode=m.mode??"form";let{supportsFormMode:h,supportsUrlMode:y}=mO(this._capabilities.elicitation);if(m.mode==="form"&&!h)throw new A(U.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!y)throw new A(U.InvalidParams,"Client does not support URL-mode elicitation requests");let _=await Promise.resolve(r(d,p));if(m.task){let b=Ge(Lt,_);if(!b.success){let R=b.error instanceof Error?b.error.message:String(b.error);throw new A(U.InvalidParams,`Invalid task creation result: ${R}`)}return b.data}let S=Ge(fr,_);if(!S.success){let b=S.error instanceof Error?S.error.message:String(S.error);throw new A(U.InvalidParams,`Invalid elicitation result: ${b}`)}let w=S.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&w.action==="accept"&&w.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{Ps(v,w.content)}catch{}return w},"wrappedHandler");return super.setRequestHandler(t,c)}if(s==="sampling/createMessage"){let c=o(async(d,p)=>{let l=Ge(Ec,d);if(!l.success){let w=l.error instanceof Error?l.error.message:String(l.error);throw new A(U.InvalidParams,`Invalid sampling request: ${w}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let w=Ge(Lt,h);if(!w.success){let v=w.error instanceof Error?w.error.message:String(w.error);throw new A(U.InvalidParams,`Invalid task creation result: ${v}`)}return w.data}let _=m.tools||m.toolChoice?vo:zr,S=Ge(_,h);if(!S.success){let w=S.error instanceof Error?S.error.message:String(S.error);throw new A(U.InvalidParams,`Invalid sampling result: ${w}`)}return S.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:dr,capabilities:this._capabilities,clientInfo:this._clientInfo}},uc,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!lr.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){Mi(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&qi(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},Ht,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},Oc,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},Ht,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},Ic,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},_c,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},pc,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},mc,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},gc,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},Ht,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},Ht,r)}async callTool(t,r=mr,n){if(this.isToolTaskRequired(t.name))throw new A(U.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),i=this.getToolOutputValidator(t.name);if(i){if(!a.structuredContent&&!a.isError)throw new A(U.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let s=i(a.structuredContent);if(!s.valid)throw new A(U.InvalidParams,`Structured content does not match the tool's output schema: ${s.errorMessage}`)}catch(s){throw s instanceof A?s:new A(U.InvalidParams,`Failed to validate structured content: ${s instanceof Error?s.message:String(s)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},Ac,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let i=dm.safeParse(n);if(!i.success)throw new Error(`Invalid ${t} listChanged options: ${i.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:s,debounceMs:c}=i.data,{onChanged:d}=n,p=o(async()=>{if(!s){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let h=m instanceof Error?m:new Error(String(m));d(h,null)}},"refresh"),l=o(()=>{if(c){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let h=setTimeout(p,c);this._listChangedDebounceTimers.set(t,h)}else p()},"handler");this.setNotificationHandler(r,l)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function As(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(As,"normalizeHeaders");function f_(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...As(t.headers),...As(n.headers)}:t.headers};return e(r,a)}:e}o(f_,"createFetchWithInit");var Ts=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function Jl(e){}o(Jl,"noop");function h_(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=Jl,onError:r=Jl,onRetry:n=Jl,onComment:a}=e,i="",s=!0,c,d="",p="";function l(S){let w=s?S.replace(/^\xEF\xBB\xBF/,""):S,[v,b]=fO(`${i}${w}`);for(let R of v)m(R);i=b,s=!1}o(l,"feed");function m(S){if(S===""){y();return}if(S.startsWith(":")){a&&a(S.slice(S.startsWith(": ")?2:1));return}let w=S.indexOf(":");if(w!==-1){let v=S.slice(0,w),b=S[w+1]===" "?2:1,R=S.slice(w+b);h(v,R,S);return}h(S,"",S)}o(m,"parseLine");function h(S,w,v){switch(S){case"event":p=w;break;case"data":d=`${d}${w}
+`;break;case"id":c=w.includes("\0")?void 0:w;break;case"retry":/^\d+$/.test(w)?n(parseInt(w,10)):r(new Ts(`Invalid \`retry\` value: "${w}"`,{type:"invalid-retry",value:w,line:v}));break;default:r(new Ts(`Unknown field "${S.length>20?`${S.slice(0,20)}\u2026`:S}"`,{type:"unknown-field",field:S,value:w,line:v}));break}}o(h,"processField");function y(){d.length>0&&t({id:c,event:p||void 0,data:d.endsWith(`
+`)?d.slice(0,-1):d}),c=void 0,d="",p=""}o(y,"dispatchEvent");function _(S={}){i&&S.consume&&m(i),s=!0,c=void 0,d="",p="",i=""}return o(_,"reset"),{feed:l,reset:_}}o(h_,"createParser");function fO(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
+`,n),s=-1;if(a!==-1&&i!==-1?s=Math.min(a,i):a!==-1?a===e.length-1?s=-1:s=a:i!==-1&&(s=i),s===-1){r=e.slice(n);break}else{let c=e.slice(n,s);t.push(c),n=s+1,e[n-1]==="\r"&&e[n]===`
+`&&n++}}return[t,r]}o(fO,"splitLines");var ks=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=h_({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var hO={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},Tr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},Es=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=f_(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??hO}async _authThenStart(){if(!this._authProvider)throw new er("No auth provider");let t;try{t=await Ar(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new er;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=As(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new Tr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,c=!1,d=!1;o(async()=>{try{let l=t.pipeThrough(new TextDecoderStream).pipeThrough(new ks({onRetry:o(y=>{this._serverRetryMs=y},"onRetry")})).getReader();for(;;){let{value:y,done:_}=await l.read();if(_)break;if(y.id&&(s=y.id,c=!0,a?.(y.id)),!!y.data&&(!y.event||y.event==="message"))try{let S=$r.parse(JSON.parse(y.data));St(S)&&(d=!0,i!==void 0&&(S.id=i)),this.onmessage?.(S)}catch(S){this.onerror?.(S)}}(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(l){if(this.onerror?.(new Error(`SSE stream disconnected: ${l}`)),(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(y){this.onerror?.(new Error(`Failed to reconnect: ${y instanceof Error?y.message:String(y)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new er("No auth provider");if(await Ar(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new er("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:It(t)?t.id:void 0}).catch(h=>this.onerror?.(h));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},c=await(this._fetch??fetch)(this._url,s),d=c.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!c.ok){let h=await c.text().catch(()=>null);if(c.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new Tr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:y,scope:_}=Hl(c);if(this._resourceMetadataUrl=y,this._scope=_,await Ar(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new er;return this._hasCompletedAuthFlow=!0,this.send(t)}if(c.status===403&&this._authProvider){let{resourceMetadataUrl:y,scope:_,error:S}=Hl(c);if(S==="insufficient_scope"){let w=c.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===w)throw new Tr(403,"Server returned 403 after trying upscoping");if(_&&(this._scope=_),y&&(this._resourceMetadataUrl=y),this._lastUpscopingHeader=w??void 0,await Ar(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new er;return this.send(t)}}throw new Tr(c.status,`Error POSTing to endpoint: ${h}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,c.status===202){await c.body?.cancel(),nm(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(h=>this.onerror?.(h));return}let l=(Array.isArray(t)?t:[t]).filter(h=>"method"in h&&"id"in h&&h.id!==void 0).length>0,m=c.headers.get("content-type");if(l)if(m?.includes("text/event-stream"))this._handleSseStream(c.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let h=await c.json(),y=Array.isArray(h)?h.map(_=>$r.parse(_)):[$r.parse(h)];for(let _ of y)this.onmessage?.(_)}else throw await c.body?.cancel(),new Tr(-1,`Unexpected content type: ${m}`);else await c.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new Tr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function g_(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(g_,"resolveNativeMcpRequestHeaders");var gO={name:"zuplo-mcp-gateway",version:"0.1.0"},yO=new zn({draft:"7",shortcircuit:!1}),SO=5,_O=500,__=3e4,wO=2*1024*1024,vO=2;function y_(){return performance.now()/1e3}o(y_,"nowSeconds");function bO(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(bO,"readServerPort");function RO(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:bO(e)}}o(RO,"buildNativeMcpOperationContext");function Wn(e){return Mg(e)}o(Wn,"withTraceMeta");function Yl(e){if(e>_O)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(Yl,"assertImportedCapabilityBudget");function S_(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(S_,"buildRequestInit");function CO(e){return(t,r)=>Cs(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:vO,maxResponseBytes:wO,problemCode:"upstream_capability_invocation_failed",timeoutMs:__})}o(CO,"createNativeMcpFetch");function IO(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},__);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(IO,"withNativeMcpRequestTimeout");function PO(e,t=[]){let r=g_(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:CO(a)};if(!e)return{...i,...S_(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...S_(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(PO,"buildNativeMcpTransportOptions");async function Jn(e,t,r){let{transport:n}=rt(e),a=new URL(n.baseUrl),i=new Es(a,PO(r,n.requestHeaders)),s=new xs(gO,{capabilities:{},jsonSchemaValidator:yO});return IO((async()=>{let c=y_();await s.connect(i);let d=i.sessionId,p=RO(a,d);try{return await t(s,p)}finally{if(i.sessionId)try{await i.terminateSession()}catch{}await s.close(),d&&qg(p,y_()-c)}})())}o(Jn,"withNativeMcpClient");async function xO(e,t,r){let n=[],a,i=0;do{if(i>=SO)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(xO,"collectPaginatedSdkItems");async function Ql(e){return e.enabled?xO(e.label,e.fetchPage,e.readItems):[]}o(Ql,"listNativeMcpCapabilityItems");async function w_(e){return Jn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Zr({methodName:"tools/list",...r},()=>Ql({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(Wn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Yl(a.length),{tools:a}},e.credential)}o(w_,"listNativeMcpTools");async function v_(e){return Jn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Zr({methodName:"prompts/list",...r},()=>Ql({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(Wn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Yl(a.length),{prompts:a}},e.credential)}o(v_,"listNativeMcpPrompts");async function b_(e){return Jn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Zr({methodName:"resources/list",...r},()=>Ql({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(Wn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Yl(a.length),{resources:a}},e.credential)}o(b_,"listNativeMcpResources");async function R_(e){return Jn(e.upstreamServerId,(t,r)=>Zr({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(Wn(e.params))),e.credential)}o(R_,"callNativeMcpTool");async function C_(e){return Jn(e.upstreamServerId,(t,r)=>Zr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(Wn(e.params))),e.credential)}o(C_,"getNativeMcpPrompt");async function I_(e){return Jn(e.upstreamServerId,(t,r)=>Zr({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(Wn(e.params))),e.credential)}o(I_,"readNativeMcpResource");var Ra=class extends A{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(U.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function AO(e){return{content:[{type:"text",text:e}],isError:!0}}o(AO,"buildToolErrorResult");function TO(e){return e.authUrl?new ur([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new Ra(e)}o(TO,"toConnectRequiredError");function kO(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(kO,"buildCredentialResolvedAttributes");function EO(e){tt(e.context,{eventType:K.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:kO(e.credential)})}o(EO,"emitCredentialResolvedAnalyticsEvent");function UO(e){tt(e.context,{eventType:K.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}o(UO,"emitCredentialMissingAnalyticsEvent");function OO(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):Jr({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(OO,"readRouteBindingCredentialCacheKey");function x_(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(x_,"readOwnedRouteBindingLookup");async function $O(e){let t=bl(e.request);if(!t)return new Map;let r=new Map;for(let s of e.routeBindings){let c=x_(s);c!==void 0&&r.set(Jr(c),c)}if(r.size===0)return new Map;let n=[...r.values()],a=await J().authorizeAndLoadConnections({accessTokenHash:await pe(t),resource:Wr(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:n,now:ne(new Date)});if(a.kind!=="authorized")return new Map;let i=new Map;return a.upstreamConnections.forEach((s,c)=>{let d=n[c];d!==void 0&&i.set(Jr(d),s.connection)}),i}o($O,"preloadCompositeAuthorizedConnections");function zO(e){let t=new Map;return r=>{let n=OO(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,c=x_(r),d=c===void 0?void 0:Jr(c),p=await d_({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(p.kind==="connect_required")throw UO({context:e.context,payload:p.payload,routeBinding:r}),TO(p.payload);return EO({context:e.context,credential:p.credential,routeBinding:r}),p.credential})();return t.set(n,i),i}}o(zO,"createCredentialResolver");var P_=500;function MO(e){return e.length<=P_?e:`${e.slice(0,P_)}...`}o(MO,"truncateAnalyticsDetail");function qO(e){tt(e.context,{eventType:K.MCP_GATEWAY_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0})}o(qO,"emitToolInvocationCompletedAnalyticsEvent");function NO(e){return e instanceof ur||e instanceof Ra?{eventType:K.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof A&&e.code===U.InvalidParams?{eventType:K.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:K.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(NO,"classifyToolInvocationFailure");function jO(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=NO(e.error);tt(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,attributes:{detail:MO(t)}})}o(jO,"emitToolInvocationFailedAnalyticsEvent");var DO=256*1024;function HO(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new A(U.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>DO)throw new A(U.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(HO,"assertToolArgumentsWithinLimit");function Xl(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new A(U.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o(Xl,"findBindingForPublishedCapability");function Yn(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new A(U.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(Yn,"requireSingleTransparentBinding");function LO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:Yn(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new A(U.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:Xl({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(LO,"resolvePublishedToolRoute");function BO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:Yn(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new A(U.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:Xl({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(BO,"resolvePublishedPromptRoute");function GO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:Yn(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new A(U.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:Xl({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(GO,"resolvePublishedResourceRoute");function A_(e){let t=$O({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=zO({context:e.context,preloadedConnections:t,request:e.request});return{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{tools:e.publishedVirtualServer.catalog.tools.filter(a=>a.enabled!==!1).map(Wi)};let n=Yn(e);return w_({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async callTool(n){let a=LO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:n.name});try{HO(n);let i=await r(a.binding),s=await R_({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:i});return qO({context:e.context,routeBinding:a.binding,toolName:n.name,result:s}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,isError:s.isError===!0},"Upstream tool invocation completed"),s}catch(i){if(jO({context:e.context,routeBinding:a.binding,toolName:n.name,error:i}),i instanceof ur||i instanceof Ra)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:n.name,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,ownerMode:a.binding.ownerMode,hasAuthUrl:i instanceof ur},"Upstream tool invocation requires user to complete a connect flow"),i;let s={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId};return i instanceof A&&(s.mcpErrorCode=i.code),i instanceof Error?(s.errorName=i.name,s.errorMessage=i.message,i.cause instanceof Error&&(s.causeName=i.cause.name,s.causeMessage=i.cause.message)):s.errorMessage=String(i),e.context.log.warn(s,"Upstream tool invocation failed; returning generic gateway error to MCP client"),AO(Qe("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{prompts:e.publishedVirtualServer.catalog.prompts.filter(a=>a.enabled!==!1).map(Ji)};let n=Yn(e);return v_({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async getPrompt(n){let a=BO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:n.name});return C_({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:await r(a.binding)})},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resources:e.publishedVirtualServer.catalog.resources.filter(a=>a.enabled!==!1).map(Yi)};let n=Yn(e);return b_({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async readResource(n){let a=GO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:n.uri});return I_({upstreamServerId:a.binding.upstreamServerId,params:{...n,uri:a.upstreamUri},credential:await r(a.binding)})}}}o(A_,"createCapabilityDispatcher");var VO="0.1.0",k_="POST",FO="POST, OPTIONS",ZO=new zn({draft:"7",shortcircuit:!1});function ep(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:k_}})}o(ep,"jsonRpcMethodNotAllowedResponse");function KO(e){let t={Allow:k_},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=FO;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(KO,"buildOptionsResponse");function Qn(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o(Qn,"readJsonRpcRequestId");function tp(e){return e&&typeof e=="object"?e.params:void 0}o(tp,"readMcpRequestParams");function T_(e,t){return e.headers.get(t)??void 0}o(T_,"readMcpHeader");function WO(e){return{mcpProtocolVersion:T_(e,"mcp-protocol-version")??Fr,mcpSessionId:T_(e,"mcp-session-id")}}o(WO,"buildServerTelemetryBase");function JO(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Fr),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(JO,"ensureProtocolVersionHeader");async function rp(e,t){if(e.method==="OPTIONS")return KO(e);if(e.method==="GET")return ep("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return ep("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return ep("Only POST is supported by this virtual MCP server.");let r=Nn(t),n=Rg(r.virtualServerId),a=jg(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=WO(e),s=A_({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),c=ce(e.url),d=new ji({enableDnsRebindingProtection:!0,allowedOrigins:[c]}),p=new Ni(n.catalog.serverInfo??{name:r.virtualServerId,version:VO},{capabilities:{prompts:{},resources:{},tools:{}},jsonSchemaValidator:ZO});p.setRequestHandler(xc,async m=>Kr({methodName:"tools/list",params:tp(m),jsonRpcRequestId:Qn(m),...i},()=>s.listTools())),p.setRequestHandler(_o,async m=>Kr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:Qn(m),...i},()=>s.callTool(m.params))),p.setRequestHandler(Sc,async m=>Kr({methodName:"prompts/list",params:tp(m),jsonRpcRequestId:Qn(m),...i},()=>s.listPrompts())),p.setRequestHandler(wc,async m=>Kr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:Qn(m),...i},()=>s.getPrompt(m.params))),p.setRequestHandler(lc,async m=>Kr({methodName:"resources/list",params:tp(m),jsonRpcRequestId:Qn(m),...i},()=>s.listResources())),p.setRequestHandler(hc,async m=>Kr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:Qn(m),...i},()=>s.readResource(m.params))),await p.connect(d);let l=await d.handleRequest(e);return JO(l)}o(rp,"virtualServerHandler");async function YO(e,t){return sr("handler.mcp-virtual-server"),rp(e,t)}o(YO,"McpVirtualServerHandler");var Xn={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},QO="oauth-protected-resource-metadata",XO="/.well-known/oauth-protected-resource/";function e$(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(e$,"readRouteOperationId");function t$(e){return e.hasGatewayRouteContext?Xn.VIRTUAL_MCP_SERVER:e.routeOperationId===QO||e.routeOperationId===void 0&&e.routePath.startsWith(XO)?Xn.OAUTH_PROTECTED_RESOURCE_METADATA:Xn.OTHER}o(t$,"classifyAnalyticsRouteSurface");function r$(e){let t=e.route.path;return{routePath:t,routeSurface:t$({routePath:t,routeOperationId:e$(e),hasGatewayRouteContext:ea(e)!==void 0})}}o(r$,"readAnalyticsRequestContext");function n$(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Xn.VIRTUAL_MCP_SERVER}o(n$,"isIntentionalMethodRejection");function o$(e){return n$(e)||e.response.status===401&&e.routeSurface===Xn.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o(o$,"classifyRequestCompletedOutcome");async function np(e,t){let r=Date.now(),n=r$(t);return t.addResponseSendingFinalHook(a=>{let i=o$({response:a,routeSurface:n.routeSurface});tt(t,{eventType:K.MCP_GATEWAY_REQUEST_COMPLETED,outcome:i,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(np,"analyticsContextInbound");function a$(e){return e instanceof Response}o(a$,"isResponse");var E_="/mcp/";function i$(e){let t=e.route.path;if(!t.startsWith(E_))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(E_.length);if(!r||r.includes("/"))throw g("internal_server_error",`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(i$,"readVirtualServerIdFromRoute");async function Ca(e,t){let n={virtualServerId:Pe.parse(i$(t))};Pg(t,n),ig(t,n);let a=await np(e,t);return a$(a)?a:Rl(a,t)}o(Ca,"mcpOAuthInboundPolicy");var s$=o(async(e,t,r,n)=>(sr("policy.inbound.mcp-auth0-oauth"),Ca(e,t)),"McpAuth0OAuthInboundPolicy");function c$(e){let t=`https://${e.auth0Domain}/`,r=`https://${e.auth0Domain}/.well-known/jwks.json`,n=`https://${e.auth0Domain}/authorize`,a=`https://${e.auth0Domain}/oauth/token`;return es({oidc:{issuer:t,jwksUrl:r,audience:e.audience},browserLogin:{url:n,tokenUrl:a,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",audience:e.audience,...e.browserLoginOverrides??{}},gateway:e.gateway})}o(c$,"buildAuth0McpOAuthRuntimeConfig");var u$={policyType:"mcp-auth0-oauth-inbound",displayName:"MCP OAuth (Auth0)",getConfig(e){return c$(e)}};Vi(u$);var d$=o(async(e,t,r,n)=>(sr("policy.inbound.mcp-oauth"),Ca(e,t)),"McpOAuthInboundPolicy"),l$={policyType:"mcp-oauth-inbound",displayName:"MCP OAuth",getConfig(e){return es(e)}};Vi(l$);function p$(e){let t=$t(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(p$,"buildRouteAuthBaseFromConnection");function O_(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=$t(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:qn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(O_,"buildRouteAuthBaseFromPolicyOptions");function $_(e,t){let n=ht().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return p$({connection:a,virtualServerId:t})}o($_,"resolveRouteAuthBase");function U_(e,t){switch(e){case"user":return Cr(t.subjectId);case"shared":return us()}}o(U_,"buildOwnerForPrincipal");function Us(e,t){switch(e.ownerMode){case"shared":return{...e,owner:U_(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:U_(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(Us,"resolveRouteAuthForPrincipal");function m$(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return Bi.parse(r)}o(m$,"readSingleAuthMode");function z_(e){return Ot.parse(e)}o(z_,"buildToolNamePrefixFromConnectionId");async function op(e,t,r,n){let a=Ki(r,n),i=m$({policyName:n,connection:a}),s=Nn(t),c=O_({connection:a,virtualServerId:s.virtualServerId,authMode:i});if(c.ownerMode==="none")return Wd(t,{...c,connectionPolicyName:n,toolNamePrefix:z_(a.id)}),e;let d=Xg(t);return Wd(t,{...Us(c,d),connectionPolicyName:n,toolNamePrefix:z_(a.id)}),e}o(op,"mcpUpstreamConnectionPolicy");var f$=o(async(e,t,r,n)=>(sr("policy.inbound.mcp-upstream-connection"),op(e,t,r,n)),"McpUpstreamConnectionInboundPolicy");ie();ie();var M_="application/json",h$="application/x-www-form-urlencoded";function g$(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(g$,"normalizeContentType");function y$(e,t){return e===t?!0:t===M_&&e.endsWith("+json")}o(y$,"contentTypeMatches");function S$(e,t){if(!t||t.length===0)return;let r=g$(e.headers.get("content-type"));if(!t.some(n=>y$(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(S$,"assertExpectedContentType");function _$(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(_$,"assertContentLengthWithinLimit");async function q_(e,t){let r=t.label??"Request body";S$(e,t.expectedContentTypes),_$(e,t.maxBytes,r);let n=await Rs(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(q_,"readBoundedTextBody");async function N_(e,t){let r=await q_(e,{...t,expectedContentTypes:[M_]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(N_,"readBoundedJsonBody");async function Os(e,t){let r=await q_(e,{...t,expectedContentTypes:[h$]});return new URLSearchParams(r)}o(Os,"readBoundedFormUrlEncodedBody");var j_=Symbol("Html");function w$(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(w$,"escapeHtml");function v$(e){return e===null||typeof e!="object"?!1:e[j_]===!0}o(v$,"isHtml");function D_(e){return e==null||e===!1?"":Array.isArray(e)?e.map(D_).join(""):v$(e)?e.value:w$(String(e))}o(D_,"renderValue");function tr(e){return{[j_]:!0,value:e}}o(tr,"trustedHtml");var _e=tr("");function k(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=D_(t[n]),r+=e[n+1]??"";return tr(r)}o(k,"html");function rr(e){return e.value}o(rr,"renderHtml");var nr=tr('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;padding:9px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function or(e){return k`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" type="image/png" href="https://www.google.com/s2/favicons?domain=${e.host}&sz=64" /><style>
+      ${e.styles}
+    </style></head><body><main class="card"><header class="card__head"><img class="card__icon" src="https://www.google.com/s2/favicons?domain=${e.host}&sz=64" alt="" width="48" height="48" referrerpolicy="no-referrer" /><h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}o(or,"renderShell");function H_(e){return k`<form class="actions" method="post" action="/oauth/setup"><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}o(H_,"renderActions");var L_=tr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function B_(){return k`<p>The API key could not be verified. Start the authorization flow again to try
+  once more.</p>`}o(B_,"renderApiKeyLoginFailure");function G_(e){return k`<form class="form" method="post" action="/oauth/api-key-login" autocomplete="off" ><input type="hidden" name="state" value="${e.state}" /><label class="form__label" for="apiKey">API key</label><input class="form__input" id="apiKey" name="apiKey" type="password" required autocomplete="off" /><button class="button button--primary button--block form__submit" type="submit" >Continue</button></form>`}o(G_,"renderApiKeyLoginForm");function V_(e){return k`<div class="banner banner--alert" role="alert"><span class="banner__icon" aria-hidden="true">${e.icon}</span><div class="banner__body"><p class="banner__title">${e.title}</p><p class="banner__message">${e.message}</p></div></div>`}o(V_,"renderBannerAlert");function F_(e){return k`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${e.icon}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${e.message}</p></div></div>`}o(F_,"renderBannerWarning");function Z_(e){return k`<section class="capability-section"><h4 class="capability-section__title">${e.label} <span class="muted">(${e.total})</span></h4><ul class="capability-list">${e.rows}${e.moreLine}</ul></section>`}o(Z_,"renderCapabilitySection");var ap=tr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),ip=tr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');function K_(e){return k`${e.banner}<section class="upstreams"><header class="section-label">Upstream services <span class="section-label__count">${e.sectionCount}</span></header><ul class="upstream-list">${e.cards}</ul></section>${e.fineprint}`}o(K_,"renderSetupPage");function W_(e){return k`<article class="${e.cardClass}"><div class="upstream-card__head">${e.iconFrame}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${e.control}</div><div class="upstream-card__meta">${e.host}<span>${e.authModeLabel}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${e.ownerModeLabel}</span></div>${e.description}</div></div>${e.capabilities} ${e.scopes}</article>`}o(W_,"renderUpstreamCard");var J_=tr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var b$="text/html; charset=utf-8";function Y_(e,t=200){return new Response(rr(e),{status:t,headers:{"content-type":b$,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(Y_,"apiKeyLoginHtmlResponse");function sp(e,t=401){return Y_(or({title:"Sign-in failed",host:e,styles:nr,heading:"Sign-in failed",subhead:"",body:B_(),footer:""}),t)}o(sp,"apiKeyLoginFailureResponse");function Q_(e,t){return Y_(or({title:"Sign in",host:e,styles:nr,heading:"Sign in",subhead:k`<p class="card__subtitle">Enter your API key to continue.</p>`,body:G_({state:t}),footer:""}))}o(Q_,"renderApiKeyLoginForm");ie();ie();import{errors as uw,jwtVerify as dw,SignJWT as lw}from"jose";ie();import{errors as $$,jwtVerify as z$,SignJWT as M$}from"jose";function kr(e){let t=xe().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(kr,"requireBrowserLoginField");ie();import{createRemoteJWKSet as C$,errors as Ia,jwtVerify as I$}from"jose";var P$=u.object({id_token:u.string().min(1),token_type:u.string().min(1).optional(),expires_in:u.number().optional(),access_token:u.string().min(1).optional(),refresh_token:u.string().min(1).optional(),scope:u.string().min(1).optional()}),x$=u.object({error:u.string().min(1).optional(),error_description:u.string().min(1).optional(),error_uri:u.string().min(1).optional()});function A$(e){let t=x$.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(A$,"readIdpErrorFields");function T$(e){return e instanceof Ia.JWTExpired?"expired":e instanceof Ia.JWTClaimValidationFailed?"claim":e instanceof Ia.JWSSignatureVerificationFailed?"signature":e instanceof Ia.JWKSNoMatchingKey?"jwks_no_match":e instanceof Ia.JWTInvalid?"invalid":e instanceof u.ZodError?"schema":"other"}o(T$,"readJwtFailureKind");var k$=u.object({sub:Se,nonce:u.string().min(1)}).catchall(u.unknown()),cp;function E$(e){return e instanceof Error&&"cause"in e?e.cause:e}o(E$,"readErrorCause");function U$(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(U$,"readRuntimeGatewayCode");function O$(){if(!cp){let e=xe();cp=C$(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return cp}o(O$,"readFederatedJwks");async function X_(e){let t=xe(),r=kr("tokenUrl"),n=kr("clientId"),a=kr("clientSecret"),i=new URL("/oauth/callback",Ct(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:c,json:d}=await KS(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!c.ok){let h=A$(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:mt(r),idpStatus:c.status,...h},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${h.idpError?` idp_error=${h.idpError}`:""}${h.idpErrorDescription?` idp_error_description=${h.idpErrorDescription}`:""})`)})}let p=P$.parse(d),l;try{({payload:l}=await I$(p.id_token,O$(),{issuer:t.oidc.issuer,audience:n}))}catch(h){let y={};throw Oe(y,"error",h),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:T$(h),idpHost:mt(r),expectedIssuer:t.oidc.issuer,...y},"Federated id_token failed jose verification"),h}if(l.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:mt(r),nonceMissingFromIdToken:l.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=k$.parse(l);return jn({sub:m.sub,data:m},e.requestUrl)}catch(c){let d=he(c)??U$(c);throw d!==void 0&&d!=="browser_login_verification_failed"?c:g("browser_login_verification_failed","Federated browser login callback could not be verified.",E$(c))}}o(X_,"exchangeFederatedAuthorizationCode");var dp="zuplo_mcp_session",ew="HS256",tw="zuplo-mcp-gateway",rw="zuplo-mcp-gateway",q$=u.object({purpose:u.literal("gateway_browser_session"),sub:Se,browserLoginOrigin:u.string().min(1),roles:u.array(u.string().min(1)).optional(),exp:u.number().int().positive(),iat:u.number().int().positive().optional()});function N$(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(N$,"parseCookieHeader");async function nw(){return zt({purpose:"browser-session",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>Pr(e,"browser-session"),"derive")})}o(nw,"getBrowserSessionKey");function up(e){let t=new URL(ce(e)),r=[`${dp}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(up,"buildBrowserSessionEvictionCookie");function j$(e){let t=new URL(ce(e.requestUrl)),r=[`${dp}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(j$,"serializeSessionCookie");function ow(e={}){return new URL(kr("url")).origin}o(ow,"readBrowserLoginOrigin");function lp(){return xe().browserLogin.stateTtlSeconds}o(lp,"readBrowserLoginStateTtlSeconds");function aw(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return jn(e.user,e.url)}o(aw,"resolveCurrentRequestPrincipal");async function $s(e,t={}){let r=N$(e.headers.get("cookie")).get(dp);if(!r)return{};try{let{payload:n}=await z$(r,await nw(),{algorithms:[ew],issuer:tw,audience:rw}),a=q$.parse(n);if(a.browserLoginOrigin!==ow(t))return{evictCookie:up(e.url)};let i={subjectId:a.sub};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof $$.JWTExpired?{evictCookie:up(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:up(e.url)})}}o($s,"readBrowserSession");async function Pa(e){let t=xe().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:ow({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new M$(r).setProtectedHeader({alg:ew,typ:"JWT"}).setIssuer(tw).setAudience(rw).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await nw());return j$({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(Pa,"createBrowserSessionCookie");async function iw(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(iw,"resolveApiKeyBrowserLoginPrincipal");async function sw(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await $s(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return X_({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(sw,"resolveBrowserLoginCallbackPrincipal");function cw(e){let t=xe().browserLogin,r=new URL(kr("url")),n=new URL("/oauth/callback",Ct(e.requestUrl));return Vg(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",kr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(cw,"buildBrowserLoginUrl");var D$={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},G=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=D$[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};var H$=5*60,zs="HS256",Ms="zuplo-mcp-gateway",qs="zuplo-mcp-gateway",L$=u.object({purpose:u.literal("gateway_browser_login"),transactionId:yt,stateId:os,exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),B$=u.object({purpose:u.literal("gateway_authorization_setup"),transactionId:yt,stateId:os,exp:u.number().int().positive(),iat:u.number().int().positive().optional()});async function pw(){return zt({purpose:"browser-login",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>Pr(e,"browser-login"),"derive")})}o(pw,"getBrowserLoginKey");async function mw(){return zt({purpose:"authorization-csrf",envVar:"OAUTH_STATE_SIGNING_KEY",derive:o(e=>Pr(e,"authorization-csrf"),"derive")})}o(mw,"getCsrfKey");function fw(e){return{now:e.now??new Date,ttlSeconds:lp()}}o(fw,"readPendingTransactionDependencies");function G$(e,t){return e.subjectId===t.subjectId}o(G$,"principalsMatch");function hw(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}o(hw,"toPendingPrincipal");function gw(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:ne(e.now),expiresAt:ne(Jt(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:hw(e.principal)}}o(gw,"createTransactionRecord");async function yw(e){let{id:t,...r}=e.record,n=await J().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(n.kind){case"started":return n.transaction;case"already_exists":throw g("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new G("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new G("invalid_request","redirect_uri is not registered for the client.")}}o(yw,"startPendingTransaction");async function V$(e){return new lw({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:zs,typ:"JWT"}).setIssuer(Ms).setAudience(qs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await pw())}o(V$,"signBrowserLoginState");async function Sw(e){return new lw({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:nl()}).setProtectedHeader({alg:zs,typ:"JWT"}).setIssuer(Ms).setAudience(qs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await mw())}o(Sw,"signCsrfToken");async function Ns(e){try{let{payload:t}=await dw(e,await pw(),{algorithms:[zs],issuer:Ms,audience:qs}),r=L$.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof uw.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(Ns,"verifyBrowserLoginStateToken");async function pp(e){try{let{payload:t}=await dw(e,await mw(),{algorithms:[zs],issuer:Ms,audience:qs});return{transactionId:B$.parse(t).transactionId}}catch(t){throw t instanceof uw.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(pp,"verifyCsrfToken");function js(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(js,"pendingStateErrorCode");function _w(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}o(_w,"toPendingAuthorizationGetResult");function F$(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}o(F$,"toPendingAuthorizationAdvanceResult");function ww(e){return e==="principal_mismatch"?"oauth_callback_mismatch":js(e==="consumed_already"?"consumed_already":e)}o(ww,"setupDecisionErrorCode");function Z$(e){if(e.kind!=="available")throw g(js(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(Z$,"requireAwaitingSetup");function K$(e){if(e.kind!=="available")throw g(js(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(K$,"requireAwaitingLogin");function W$(e){if(!G$(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(W$,"requireCurrentPrincipalMatches");async function vw(e){let t=e.now??new Date,r=lp(),n=rl(),a=nl(),i=await V$({transactionId:n,stateId:a,ttlSeconds:r}),s=gw({id:n,transaction:e.transaction,currentStateHash:await pe(i),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await yw({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:c,browserLoginStateToken:i,browserLoginUrl:cw({state:i,nonce:a,virtualServerId:s.virtualServerId,requestUrl:e.requestUrl})}}o(vw,"startAwaitingLogin");async function bw(e){let{now:t,ttlSeconds:r}=fw(e),n=rl(),a=await Sw({transactionId:n,ttlSeconds:r}),i=gw({id:n,transaction:e.transaction,currentStateHash:await pe(a),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(i.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await yw({record:i,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:a}}o(bw,"startAwaitingSetup");async function mp(e){let{now:t,ttlSeconds:r}=fw(e),n=await Ns(e.browserLoginStateToken),a=await Sw({transactionId:n.transactionId,ttlSeconds:r}),i=F$(await J().advancePendingAuthorization({transactionId:n.transactionId,expectedPhase:"awaiting_login",currentStateHash:await pe(e.browserLoginStateToken),nextStateHash:await pe(a),nextPhase:"awaiting_setup",principal:hw(e.principal),now:ne(t)}));if(i.kind!=="advanced")throw g(js(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:a}}o(mp,"completeLogin");async function Rw(e){let t=e.now??new Date,r=await Ns(e.browserLoginStateToken);return K$(_w(await J().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await pe(e.browserLoginStateToken),now:ne(t)})))}o(Rw,"getAwaitingLogin");async function Cw(e){let t=await fp(e);return W$({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(Cw,"getSetup");async function fp(e){let t=e.now??new Date,r=await pp(e.csrfToken);return Z$(_w(await J().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await pe(e.csrfToken),now:ne(t)})))}o(fp,"getSetupTransaction");async function J$(e){let t=await pp(e.csrfToken),r=Yt(),n=ne(Jt(e.now,H$)),a=await J().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await pe(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await pe(r),authorizationCodeExpiresAt:n,grantId:Bg(),now:ne(e.now)});if(a.kind!=="approved")throw g(a.kind==="cancelled"?"oauth_state_invalid":ww(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(J$,"createAuthorizationCodeRedirectWithDecision");async function Y$(e){let t=await pp(e.csrfToken),r=await J().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await pe(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:ne(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":ww(r.kind),"Authorization setup state is invalid, expired, or already used.");return Q$({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(Y$,"createCancelRedirectWithDecision");function Q$(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(Q$,"buildClientCancelRedirect");async function Iw(e){let t=e.now??new Date;return J$({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}o(Iw,"approve");async function Pw(e){let t=e.now??new Date;return Y$({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}o(Pw,"cancel");ie();var X$=1e4,ez=5*1024,tz=2,rz=90*24*60*60,hp=["authorization_code","refresh_token"],gp=["code"],nz=u.object({client_name:u.string().min(1).optional(),redirect_uris:u.array(u.string().min(1)).min(1),grant_types:u.array(u.enum(hp)).min(1).max(2).optional(),response_types:u.array(u.enum(gp)).min(1).max(1).optional(),scope:u.literal(ye).optional(),token_endpoint_auth_method:Qd.default("client_secret_basic")});function oz(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(oz,"isCimdClientIdCandidate");function xa(e,t="invalid_request"){if(az(e))throw new G(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new G(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new G(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||Le(r)))throw new G(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(xa,"assertValidRedirectUri");function az(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(az,"hasForbiddenRawRedirectUriCharacter");async function iz(e){let{response:t,json:r}=await WS(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:tz,maxResponseBytes:ez,timeoutMs:X$});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=Lg.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(iz,"fetchCimdMetadata");async function sz(e){let t=bs(e),r=await iz({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(sz,"resolveCimdClient");async function xw(e,t){let r=Be.parse(e);if(oz(r)){if(!xe().gateway.cimdEnabled)throw new G("invalid_client","OAuth client is not registered.");try{return await sz(r)}catch{throw new G("invalid_client","OAuth client is not registered.")}}let n=await J().readClient({clientId:r});if(n.kind==="found"){let a=n.client,i={kind:"dcr",clientId:r,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new G("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(xw,"resolveClient");function Aw(e,t){if(!e.metadata.redirect_uris.some(r=>Gg(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(Aw,"assertRedirectRegistered");function cz(e){let t=Tw(e.grant_types),r=e.response_types??[...gp];if(!uz(t))throw new G("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!dz(r))throw new G("invalid_client_metadata","response_types must be code.");if(!lz(e.scope))throw new G("invalid_client_metadata",`Only the ${ye} scope is supported.`)}o(cz,"assertSupportedDcrRequest");function Tw(e){return e===void 0?[...hp]:Array.from(new Set(e))}o(Tw,"normalizeGrantTypes");function uz(e){return e.length===0?!1:e.every(t=>hp.includes(t))}o(uz,"isSupportedGrantTypes");function dz(e){return e.length===gp.length&&e[0]==="code"}o(dz,"isSupportedResponseTypes");function lz(e){return e===void 0||e===ye}o(lz,"isSupportedDcrScope");function Aa(e){if(e===void 0||e===ye)return ye;throw new G("invalid_request",`Only the ${ye} scope is supported.`)}o(Aa,"assertSupportedOAuthScope");function eo(e,t){let r;try{r=new URL(t)}catch{throw new G("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new G("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!Le(r))throw new G("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=ce(e),a=Cg(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new G("invalid_target","resource must match a published virtual MCP server.");return i}o(eo,"resolveResource");async function kw(e){let t;try{t=nz.parse(e)}catch(l){if(l instanceof u.ZodError){let m=l.issues.some(h=>h.path[0]==="redirect_uris");throw new G(m?"invalid_redirect_uri":"invalid_client_metadata",l.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:l})}throw l}cz(t);for(let l of t.redirect_uris)xa(l,"invalid_redirect_uri");let r=new Date,n=Be.parse(`dcr:${crypto.randomUUID()}`),a=Jt(r,rz),i=Math.floor(r.getTime()/1e3),s=Math.floor(a.getTime()/1e3),c={client_id:n,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:Tw(t.grant_types),response_types:["code"],scope:ye,token_endpoint_auth_method:t.token_endpoint_auth_method,client_id_issued_at:i},d={clientId:n,clientName:String(c.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:t.token_endpoint_auth_method,createdAt:ne(r),clientExpiresAt:ne(a)};if(t.token_endpoint_auth_method!=="none"){let l=Yt();d.hashedClientSecret=await pe(l),d.clientSecretExpiresAt=ne(a),c.client_secret=l,c.client_secret_expires_at=s,c.client_secret_issued_at=i}if((await J().registerClient(d)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");return c}o(kw,"registerDownstreamClient");function pz(e){try{return new URL(e).host}catch{return""}}o(pz,"safeHostFromOrigin");var mz=8;function Sp(e){let t=e.trim();try{let r=new URL(t);if(r.protocol==="https:")return r.toString()}catch{}if(/^data:image\/(?:png|jpe?g|webp);/i.test(t))return t}o(Sp,"safeIconSrc");function fz(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(fz,"safeGatewayConnectHref");function hz(e){if(e==="any")return Number.POSITIVE_INFINITY;let t=/^(\d+)x(\d+)$/.exec(e);return t?Math.max(Number(t[1]),Number(t[2])):0}o(hz,"parseIconSize");function gz(e,t){let r=e.filter(a=>a.theme===t);if(r.length>0)return r;let n=e.filter(a=>a.theme===void 0);return n.length>0?n:e}o(gz,"selectIconCandidates");function yz(e){return Sp(e.src)?e.sizes&&e.sizes.length>0?Math.max(...e.sizes.map(hz)):0:-1}o(yz,"readIconScore");function Ew(e,t){if(!e||e.length===0)return;let r=gz(e,t),n,a=-1;for(let i of r){let s=yz(i);s>a&&(n=i,a=s)}return n}o(Ew,"pickIcon");function Sz(e,t){let r=Ew(e,"light");if(!r)return k`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${ip}</span>`;let n=Sp(r.src);return n?k`<span class="icon-frame"><img src="${n}" alt="${t}" loading="lazy" decoding="async"></span>`:k`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${ip}</span>`}o(Sz,"renderIconFrame");function Hs(e,t){let r=Ew(e,"light");if(!r)return _e;let n=Sp(r.src);return n?k`<img class="inline-icon" src="${n}" alt="${t}" loading="lazy" decoding="async">`:_e}o(Hs,"renderInlineIcon");function _z(e){switch(e){case"user":return"your account";case"shared":return"shared by your team";case"none":return"gateway-managed"}}o(_z,"ownerModeLabel");function wz(e){return e.endsWith("_oauth")||e==="oauth"?"OAuth":e.includes("static_secret")?"static credential":e.replaceAll("_"," ")}o(wz,"authModeLabel");function vz(e){switch(e){case"active":return k`<span class="status-badge status-badge--success">Connected</span>`;case"not_connected":return k`<span class="status-badge status-badge--neutral">Not connected</span>`;case"reconsent_required":return k`<span class="status-badge status-badge--warning">Reconnect required</span>`}}o(vz,"statusBadge");function bz(e){if(!e)return _e;let t=[];return e.destructiveHint&&t.push(k`<span class="badge badge--destructive" title="This tool may modify or delete data on your behalf.">destructive</span>`),e.readOnlyHint&&t.push(k`<span class="badge badge--muted" title="This tool only reads data and does not modify state.">read-only</span>`),e.openWorldHint&&t.push(k`<span class="badge badge--muted" title="This tool can access arbitrary URIs supplied at call time.">open-world</span>`),t.length>0?k`<span class="badge-row">${t}</span>`:_e}o(bz,"annotationBadges");function Uw(e){let t=0,r=0;for(let n of e.tools)n.annotations?.destructiveHint===!0&&(t+=1),n.annotations?.readOnlyHint===!0&&(r+=1);return{tools:e.tools.length,prompts:e.prompts.length,resources:e.resources.length,destructiveTools:t,readOnlyTools:r}}o(Uw,"summarizeCapabilities");function Rz(e){let t=e.annotations?.title??e.title??e.name,r=e.description?k`<span class="capability-row__description">${e.description}</span>`:_e;return k`<li class="capability-row">${Hs(e.icons,t)}<span class="capability-row__name">${t}</span>${bz(e.annotations)}${r}</li>`}o(Rz,"renderToolRow");function Cz(e){let t=e.title??e.name,r=e.description?k`<span class="capability-row__description">${e.description}</span>`:_e;return k`<li class="capability-row">${Hs(e.icons,t)}<span class="capability-row__name">${t}</span>${r}</li>`}o(Cz,"renderPromptRow");function Iz(e){let t=e.title??e.name,r=e.mimeType===void 0?_e:k` · ${e.mimeType}`,n=e.description===void 0?_e:k` — ${e.description}`,a=k`<span class="capability-row__description"><code>${e.uri}</code>${r}${n}</span>`;return k`<li class="capability-row">${Hs(e.icons,t)}<span class="capability-row__name">${t}</span>${a}</li>`}o(Iz,"renderResourceRow");function yp(e,t,r,n){if(t===0)return _e;let a=r.slice(0,mz),i=t-a.length,s=i>0?k`<li class="capability-row capability-row--more">+ ${i} more</li>`:_e;return Z_({label:e,total:t,rows:k`${a.map(n)}`,moreLine:s})}o(yp,"renderCapabilitySection");function Ds(e,t,r=!1){return r?k`<span class="count-pill count-pill--destructive"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`:k`<span class="count-pill"><span class="count-pill__num">${t}</span><span class="count-pill__label">${e}</span></span>`}o(Ds,"countPill");function Pz(e){let t=Uw(e);if(t.tools+t.prompts+t.resources===0)return k`<div class="upstream-card__capabilities upstream-card__capabilities--empty">No tools, prompts, or resources advertised.</div>`;let n=[];t.tools>0&&n.push(Ds(t.tools===1?"tool":"tools",t.tools)),t.prompts>0&&n.push(Ds(t.prompts===1?"prompt":"prompts",t.prompts)),t.resources>0&&n.push(Ds(t.resources===1?"resource":"resources",t.resources)),t.destructiveTools>0&&n.push(Ds("destructive",t.destructiveTools,!0));let a=[yp("Tools",t.tools,e.tools,Rz),yp("Prompts",t.prompts,e.prompts,Cz),yp("Resources",t.resources,e.resources,Iz)];return k`<details class="upstream-card__capabilities"><summary class="capabilities-summary"><span class="capabilities-summary__counts">${n}</span><span class="capabilities-summary__chevron" aria-hidden="true">${ap}</span></summary><div class="capabilities-detail">${a}</div></details>`}o(Pz,"renderUpstreamCapabilities");function xz(e){if(!e||e.length===0)return _e;let t=e.map(n=>k`<code class="scope-chip">${n}</code>`),r=e.length===1?"scope":"scopes";return k`<details class="upstream-card__scopes"><summary class="scopes-summary"><span>Requested ${r} <span class="muted">(${e.length})</span></span><span class="capabilities-summary__chevron" aria-hidden="true">${ap}</span></summary><div class="scopes-list">${t}</div></details>`}o(xz,"renderUpstreamScopes");function Az(e,t){if(e.ownerMode!=="user")return _e;let r=fz(e.connectUrl,t);if(!r)return _e;let n=e.status==="active"?"Redo auth":e.status==="reconsent_required"?"Reconnect":"Connect",a=e.status==="active"?"Reconnect this upstream account or approve updated scopes.":void 0;return k`<a class="button button--secondary button--small" href="${r}"${a===void 0?_e:k` title="${a}"`}>${n}</a>`}o(Az,"renderActionButton");function Tz(e,t){let r=Az(e,t);return rr(r)!==""?r:vz(e.status)}o(Tz,"renderUpstreamControl");function kz(e,t){let n=e.ownerMode==="user"&&e.status!=="active"?"upstream-card upstream-card--needs-action":"upstream-card",a=e.description?k`<p class="upstream-card__description">${e.description}</p>`:_e,i=e.transportHost?k`<code class="upstream-card__host">${e.transportHost}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`:_e;return W_({cardClass:n,iconFrame:Sz(e.serverIcons,e.upstreamDisplayName),upstreamDisplayName:e.upstreamDisplayName,control:Tz(e,t),host:i,authModeLabel:wz(e.authMode),ownerModeLabel:_z(e.ownerMode),description:a,capabilities:Pz(e.capabilities),scopes:xz(e.scopesRequested)})}o(kz,"renderUpstreamCard");function Ez(e){return e.reduce((t,r)=>{let n=Uw(r.capabilities);return t.tools+=n.tools,t.prompts+=n.prompts,t.resources+=n.resources,t.destructiveTools+=n.destructiveTools,t.readOnlyTools+=n.readOnlyTools,t},{tools:0,prompts:0,resources:0,destructiveTools:0,readOnlyTools:0})}o(Ez,"aggregateCapabilities");function Uz(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(Uz,"deriveMode");function Oz(e){if(e.mode==="setup"){let n=e.upstreams.filter(c=>c.ownerMode==="user"&&c.status!=="active"),a=n.length>0&&n.every(c=>c.status==="reconsent_required"),i=n.length===1?"the service":`the ${n.length} services`,s=a?k`Re-authorize ${i} below to refresh access. Authorization will continue automatically once each is ready.`:k`Connect ${i} below before continuing. Authorization will continue automatically once each is ready.`;return F_({icon:J_,message:s})}let t=Ez(e.upstreams);if(t.destructiveTools===0)return _e;let r=t.destructiveTools===1?"tool can":"tools can";return V_({icon:L_,title:k`${t.destructiveTools} ${r} modify or delete data`,message:k`Review the destructive tools below before authorizing <strong>${e.clientDisplayName}</strong>.`})}o(Oz,"renderBanner");function $z(e){let t=e.mode==="setup"?k`disabled aria-disabled="true" title="Connect the required upstream services first"`:_e;return H_({state:e.state,authorizeAttrs:t})}o($z,"renderActions");function _p(e){let t=Uz(e.upstreams),r=[...e.upstreams].sort((h,y)=>{let _=o(w=>w.ownerMode!=="user"?2:w.status==="active"?1:0,"blockedRank"),S=_(h)-_(y);return S!==0?S:h.upstreamDisplayName.localeCompare(y.upstreamDisplayName)}),n=Hs(e.virtualServerIcons,e.virtualServerDisplayName),a=Oz({mode:t,upstreams:r,clientDisplayName:e.clientDisplayName}),i=r.length===0?k`<li class="empty">This virtual server does not declare any upstream services.</li>`:k`${r.map(h=>k`<li>${kz(h,e.gatewayOrigin)}</li>`)}`,s=$z({mode:t,state:e.state}),c=t==="grant"?k`<p class="card__fineprint"><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.virtualServerDisplayName}</strong>. You can revoke access at any time.</p>`:k`<p class="card__fineprint">Authorization continues automatically once every required service is connected.</p>`,d=r.length>0?k`(${r.length})`:_e,p=k`<p class="card__subtitle"><strong>${e.clientDisplayName}</strong> wants to access <strong>${n}${e.virtualServerDisplayName}</strong></p>${e.virtualServerDescription?k`<p class="card__description">${e.virtualServerDescription}</p>`:_e}${e.principalLabel?k`<span class="card__principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`:_e}`,l=K_({banner:a,sectionCount:d,cards:i,fineprint:c}),m=k`<footer class="card__footer">${s}</footer>`;return rr(or({title:`Authorize access \xB7 ${e.virtualServerDisplayName}`,host:pz(e.gatewayOrigin),styles:nr,heading:"Authorize access",subhead:p,body:l,footer:m}))}o(_p,"renderConsentPage");function zz(e){try{return new URL(e).host}catch{return}}o(zz,"safeUrlHost");function Mz(e){if(e.mode==="user_oauth"||e.mode==="shared-oauth")return e.oauth.scopes}o(Mz,"readOAuthScopes");function wp(e){return e!==void 0&&e.length>0}o(wp,"hasItems");function qz(e){let t=e.registeredConnection.config.serverInfo?.icons;if(wp(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&wp(r)?r:void 0}o(qz,"readServerIcons");async function Nz(e){if(!(e.returnTo===void 0||!e.isUserOwned))return Pl({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(Nz,"readConnectUrl");function an(e,t){return t===void 0?{}:{[e]:t}}o(an,"optionalRequirementField");function jz(e){return e.isUserOwned?iy(e.connection):{connected:!0,status:"active"}}o(jz,"readSetupConnectionStatus");function Dz(e){let t=Mz(e);return wp(t)?t:void 0}o(Dz,"readScopesRequested");function Hz(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(Hz,"readUpdatedAt");function Lz(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(Wi),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(Ji),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(Yi)}}o(Lz,"readVirtualServerCapabilities");async function Bz(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=ps(r),c=s==="user",d=jz({connection:e.connection,isUserOwned:c}),p=await Nz({...e,connected:d.connected,isUserOwned:c});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:Lz({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...an("description",n.description),...an("transportHost",zz(n.transport.baseUrl)),...an("scopesRequested",Dz(t)),...an("serverIcons",qz({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...an("connectUrl",p),...an("updatedAt",Hz({connectionStatus:d,isUserOwned:c})),...an("expiresAt",e.connection?.expiresAt)}}o(Bz,"buildSetupRequirement");function Ow(e){let t=ht().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(Ow,"requireVirtualServer");async function vp(e){let t=Ow(e.transaction.virtualServerId),r=Cr(e.transaction.principal.subjectId),n=[],a=new Map;for(let c of t.connections)ps(c.authMode)==="user"&&(a.set(c,n.length),n.push({owner:r,upstreamServerId:c.upstreamServerId,authProfileId:c.authProfileId}));let i=await J().batchGetUpstreamConnections(n),s=[];for(let c of t.connections){let d=ps(c.authMode)==="user",p=a.get(c);s.push(await Bz({connection:d&&p!==void 0?i[p]:void 0,registeredConnection:c,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(vp,"requirementsForSetup");function Gz(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(Gz,"readVirtualServerDisplayName");async function bp(e){let t=Ow(e.transaction.virtualServerId),r=Gz({virtualServer:t}),n=await J().readClient({clientId:e.transaction.clientId}),a=n.kind==="found"?n.client:void 0,i={gatewayOrigin:ce(e.requestUrl),virtualServerDisplayName:r,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.serverInfo?.title;return s!==void 0&&s!==r&&(i.virtualServerDescription=s),i}o(bp,"consentContext");function $w(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o($w,"hasUnresolvedUserUpstream");var Vz=["mcp_user"],Fz="dev-browser-user",Zz=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),Kz=u.object({response_type:u.literal("code"),client_id:u.string().min(1),redirect_uri:u.string().min(1),resource:u.url(),code_challenge:u.string().min(43),code_challenge_method:ts,state:u.string().min(1).optional(),scope:u.literal(ye).default(ye)}),Wz=u.enum(["continue","approve","cancel"]).default("continue"),Jz=u.object({state:u.string().min(1),decision:Wz}),Yz=u.object({state:u.string().min(1),apiKey:u.string().min(1)}),sn=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function zw(e){return typeof e=="string"&&e.length>0?e:void 0}o(zw,"readQueryString");function Qz(e,t){let r=zw(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new G("invalid_target",Zz)}let n=Wr(t,e.url);if(r===void 0||r===n)return n;throw new G("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(Qz,"requireAuthorizeResource");async function Xz(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await $s(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=aw(e);return{principal:i,setCookie:await Pa({principal:i,requestUrl:e.url,virtualServerId:t})}}o(Xz,"resolveBrowserPrincipal");async function eM(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await $s(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(eM,"requireSetupPrincipal");async function Mw(e){let t=await vp({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await bp({transaction:e.transaction,requestUrl:e.requestUrl}),n={kind:"setup_page",html:_p({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(Mw,"renderSetup");function tM(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;if(t==="private_key_jwt")throw new G("invalid_client","OAuth client authentication method is not supported.");return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o(tM,"toAuthorizationTransactionClient");async function Rp(e,t={}){let r=Kz.parse({...e.query,resource:Qz(e,t.virtualServerId),state:zw(e.query.state)}),n=Aa(r.scope);xa(r.redirect_uri);let a=new Date,i=Be.parse(r.client_id),s=await xw(r.client_id,a);Aw(s,r.redirect_uri);try{let c=eo(e.url,r.resource),d=tM(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i,virtualServerId:c.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved");let p={clientId:s?.clientId??i,...d===void 0?{}:{client:d},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:c.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:l,setCookie:m}=await Xz(e,c.virtualServerId,t.context);if(!l){let y=await vw({transaction:p,requestUrl:e.url,now:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i,virtualServerId:c.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let _={kind:"redirect",location:y.browserLoginUrl};return m!==void 0&&(_.setCookie=m),_}let h=await bw({transaction:p,principal:l,now:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i,virtualServerId:c.virtualServerId,subjectId:l.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),Mw({transaction:h.transaction,csrfToken:h.csrfToken,requestUrl:e.url,setCookie:m})}catch(c){throw rM({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}o(Rp,"authorizeDownstreamClient");function rM(e){if(e.cause instanceof sn)return e.cause;let t=nM(e.cause);return t?new sn({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(rM,"toDownstreamAuthorizeRedirectError");function nM(e){if(e instanceof G)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof u.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o(nM,"mapToOAuthRedirectError");async function qw(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,l=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...l===void 0?{}:{idpErrorUri:l}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",p??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await Ns(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await sw(i),c=await mp({browserLoginStateToken:n,principal:s}),d=await Mw({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url});return d.setCookie=await Pa({principal:s,requestUrl:e.url,virtualServerId:c.transaction.virtualServerId}),d}o(qw,"completeBrowserLoginCallback");async function Nw(e){let t=xe(),r=new URL(e.url);if(!Le(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",ce(e.url)),i=new URL(ce(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:Se.parse(Fz),roles:Vz};return{kind:"redirect",location:a,setCookie:await Pa({principal:s,requestUrl:e.url})}}o(Nw,"completeLocalDevBrowserLogin");async function jw(e){let t=Yz.parse(e.body),r=await Rw({browserLoginStateToken:t.state}),n=await iw({apiKey:t.apiKey,virtualServerId:r.virtualServerId}),a=await mp({browserLoginStateToken:t.state,principal:n});await l_({apiKey:t.apiKey,principal:n,virtualServerId:a.transaction.virtualServerId});let i=new URL("/oauth/setup",Ct(e.request.url));return i.searchParams.set("state",a.csrfToken),{kind:"redirect",location:i,setCookie:await Pa({principal:n,requestUrl:e.request.url,virtualServerId:a.transaction.virtualServerId})}}o(jw,"completeApiKeyBrowserLogin");function oM(e){let t=e.method==="POST"?e.body:e.query;return Jz.parse(t)}o(oM,"readSetupContinueRequest");async function Dw(e){let{state:t,decision:r}=oM({method:e.request.method,query:e.request.query,body:e.body}),n=new Date,a=await fp({csrfToken:t,now:n}),i=await eM(e.request,a.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await Pw({csrfToken:t,currentBrowserPrincipal:i,now:n})};let s=await Cw({csrfToken:t,currentBrowserPrincipal:i,now:n}),c=await vp({transaction:s,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||$w(c)){let d=await bp({transaction:s,requestUrl:e.request.url});return{kind:"setup_page",html:_p({state:t,virtualServerId:s.virtualServerId,upstreams:c,...d})}}return{kind:"redirect",location:await Iw({csrfToken:t,currentBrowserPrincipal:i,now:n})}}o(Dw,"continueDownstreamAuthorizeSetup");ie();var aM=new Set(["authorization_code","refresh_token"]),iM=u.discriminatedUnion("grant_type",[u.object({grant_type:u.literal("authorization_code"),code:u.string().min(1),redirect_uri:u.string().min(1),client_id:u.string().min(1).optional(),code_verifier:rs,resource:u.url(),scope:u.literal(ye).optional(),client_secret:u.string().min(1).optional()}),u.object({grant_type:u.literal("refresh_token"),refresh_token:u.string().min(1),client_id:u.string().min(1).optional(),resource:u.url(),scope:u.literal(ye).optional(),client_secret:u.string().min(1).optional()})]);function sM(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!aM.has(t)))throw new G("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(sM,"assertSupportedGrantType");var cM=u.object({token:u.string().min(1),client_id:u.string().min(1).optional(),token_type_hint:u.string().optional(),client_secret:u.string().min(1).optional()});function Hw(){return xe().gateway.accessTokenTtlSeconds}o(Hw,"readAccessTokenTtlSeconds");function uM(){return xe().gateway.refreshTokenTtlSeconds}o(uM,"readRefreshTokenTtlSeconds");function dM(e,t){let r=Hw(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:ne(Jt(e,a)),expiresIn:a}}o(dM,"calculateAccessTokenExpiresAt");function Lw(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new G("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new G("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new G("invalid_client","Malformed HTTP Basic client authentication.")}}o(Lw,"readBasicClientSecret");function Bw(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new G("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new G("invalid_client","Client authentication or client_id is required.");return t}o(Bw,"resolveAuthenticatedClientId");function Gw(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new G("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(Gw,"resolveClientSecretInput");async function Vw(e){let t=Be.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await pe(e.clientSecret)}}o(Vw,"buildRuntimeHttpClientAuth");async function Fw(e){sM(e.body);let t=iM.parse(e.body),r=Lw(e.authorizationHeader),n=Bw({basicClientId:r.clientId,bodyClientId:t.client_id}),a=new Date,i=Gw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});return lM({parsed:t,clientId:n,clientSecretInput:i,now:a,requestUrl:e.requestUrl})}o(Fw,"exchangeDownstreamToken");async function lM(e){let t=await Vw({clientId:e.clientId,...e.clientSecretInput});if(e.parsed.grant_type==="authorization_code"){xa(e.parsed.redirect_uri),Aa(e.parsed.scope),e.parsed.resource!==void 0&&eo(e.requestUrl??e.parsed.resource,e.parsed.resource);let c=Yt(),d=Yt(),p=ne(Jt(e.now,uM())),l=dM(e.now,p),m=await J().exchangeAuthorizationCode({clientAuth:t,codeHash:await pe(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await Jg(e.parsed.code_verifier),currentRefreshTokenHash:await pe(c),accessTokenHash:await pe(d),grantExpiresAt:p,accessTokenExpiresAt:l.expiresAt,now:ne(e.now)});if(m.kind==="invalid_client")throw new G("invalid_client","Client authentication failed.");if(m.kind==="resource_mismatch")throw new G("invalid_target","Token request resource must match the authorization code resource.");if(m.kind!=="exchanged")throw new G("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return{access_token:d,token_type:"Bearer",expires_in:l.expiresIn,refresh_token:c,scope:m.grant.scope,resource:m.grant.resource}}Aa(e.parsed.scope),e.parsed.resource!==void 0&&eo(e.requestUrl??e.parsed.resource,e.parsed.resource);let r=Yt(),n=Yt(),a=ne(Jt(e.now,Hw())),i=await J().refreshToken({clientAuth:t,currentRefreshTokenHash:await pe(e.parsed.refresh_token),nextRefreshTokenHash:await pe(r),accessTokenHash:await pe(n),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:a,now:ne(e.now)});if(i.kind==="invalid_client")throw new G("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new G("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new G("invalid_grant","Refresh token is invalid, expired, or revoked.");eo(e.requestUrl??i.grant.resource,i.grant.resource);let s=i.accessToken.expiresAt;return{access_token:n,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:i.grant.scope,resource:i.grant.resource}}o(lM,"exchangeDownstreamTokenWithRuntimeHttp");async function Zw(e){let t=cM.parse(e.body),r=Lw(e.authorizationHeader),n=Bw({basicClientId:r.clientId,bodyClientId:t.client_id}),a=Gw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret}),i=new Date;if((await J().revokeOAuthToken({clientAuth:await Vw({clientId:n,...a}),tokenHash:await pe(t.token),now:ne(i)})).kind==="invalid_client")throw new G("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:n,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed")}o(Zw,"revokeDownstreamToken");var pM=64*1024,mM=16*1024,fM="text/html; charset=utf-8";function hM(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(hM,"formDataToObject");async function gM(e){return N_(e,{maxBytes:pM,label:"Request body"})}o(gM,"readJsonBody");async function Ls(e){return hM(await Os(e,{maxBytes:mM,label:"Request body"}))}o(Ls,"readFormBody");async function Bs(e,t,r){let n=he(r),a=r instanceof u.ZodError?Kw(r):r instanceof Error?r.message:void 0,i={code:n??"invalid_request"};return a!==void 0&&(i.detail=a),ft(e,t,i)}o(Bs,"handleProblem");function Ta(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(Ta,"oauthErrorResponse");function yM(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(yM,"readOAuthProtocolHeaders");function SM(e,t){let r=Qe("internal_server_error");return Ta({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:yM(e,t)})}o(SM,"oauthProtocolErrorResponse");function _M(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(_M,"readZodOAuthErrorCode");function wM(e){let t={error:_M(e)},r=Kw(e);return r!==void 0&&(t.errorDescription=r),Ta(t)}o(wM,"oauthZodErrorResponse");function vM(e){let t=he(e);if(t===void 0)return;let r=Qe(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:RM(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,Ta(n)}o(vM,"oauthGatewayProblemResponse");function bM(){let t={error:"server_error",status:500,errorDescription:Qe("internal_server_error").publicDetail};return Ta(t)}o(bM,"oauthFallbackErrorResponse");function RM(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(RM,"readOAuthStatus");function to(e,t={}){return e instanceof sn?CM(e):e instanceof G?SM(e,t):e instanceof u.ZodError?wM(e):vM(e)??bM()}o(to,"oauthProblemResponse");function Mt(e,t,r){let n={event:t},a=!1;if(r instanceof G)n.oauthError=r.errorCode,n.status=r.status,Oe(n,"error",r);else if(r instanceof sn)n.oauthError=r.errorCode,Oe(n,"error",r);else if(r instanceof u.ZodError){n.code="invalid_request",Oe(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=he(r);if(i!==void 0){let s=Qe(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",Oe(n,"error",r)}else a=!0,Oe(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(Mt,"logUnexpectedOAuthHandlerError");function CM(e){let t;try{t=new URL(e.redirectUri)}catch{return Ta({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(CM,"downstreamAuthorizeRedirectErrorResponse");function Kw(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(Kw,"formatZodErrorDetail");function IM(e,t){let r={event:"browser_login_callback_failed",code:he(t)??"invalid_request"};Oe(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(IM,"logBrowserLoginCallbackFailure");function Cp(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(Cp,"redirectResultResponse");function Gs(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":fM,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Cp(e)}o(Gs,"authorizeResultResponse");async function Ww(e,t){try{return Response.json(al(e.url))}catch(r){return Mt(t,"oauth_authorization_server_metadata_failed",r),Bs(e,t,r)}}o(Ww,"authorizationServerMetadataHandler");async function Jw(e,t){try{let r=Pe.parse(e.params.virtualServerId),n=Xo(r);return Response.json(Fg({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return Mt(t,"oauth_authorization_server_metadata_failed",r),Bs(e,t,r)}}o(Jw,"scopedAuthorizationServerMetadataHandler");async function Yw(e,t){try{let r=await kw(await gM(e)),n=r;return t.log.info({event:"oauth_dcr_client_registered",clientId:typeof n.client_id=="string"?n.client_id:void 0,clientName:typeof n.client_name=="string"?n.client_name:void 0,redirectUriCount:Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,tokenEndpointAuthMethod:typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0},"OAuth Dynamic Client Registration completed"),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Mt(t,"oauth_register_failed",r),to(r)}}o(Yw,"registerHandler");async function Qw(e,t){try{return Gs(await Rp(e,{context:t}))}catch(r){return Mt(t,"oauth_authorize_failed",r),to(r,{includeInvalidClientChallenge:!1})}}o(Qw,"authorizeHandler");async function Xw(e,t){try{let r=Pe.parse(e.params.virtualServerId),n=Xo(r);return Gs(await Rp(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return Mt(t,"oauth_authorize_scoped_failed",r),to(r,{includeInvalidClientChallenge:!1})}}o(Xw,"scopedAuthorizeHandler");async function ev(e,t){try{let r=await qw(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Gs(r)}catch(r){return IM(t,r),Bs(e,t,r)}}o(ev,"callbackHandler");async function tv(e,t){try{return Cp(await Nw(e))}catch(r){return Mt(t,"oauth_dev_login_failed",r),to(r)}}o(tv,"devLoginHandler");async function rv(e,t){let r=(()=>{try{return new URL(e.url).host}catch{return""}})();try{if(e.method==="GET"){let n=typeof e.query.state=="string"?e.query.state:void 0;return n?Q_(r,n):sp(r,400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):Cp(await jw({request:e,body:await Ls(e)}))}catch(n){return Mt(t,"oauth_api_key_login_failed",n),sp(r)}}o(rv,"apiKeyLoginHandler");async function nv(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Dw({request:e,body:e.method==="POST"?await Ls(e):void 0,context:t});return Gs(r)}catch(r){return Mt(t,"oauth_setup_failed",r),Bs(e,t,r)}}o(nv,"setupHandler");async function ov(e,t){try{return Response.json(await Fw({body:await Ls(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Mt(t,"oauth_token_failed",r),to(r)}}o(ov,"tokenHandler");async function av(e,t){try{return await Zw({body:await Ls(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Mt(t,"oauth_revoke_failed",r),to(r)}}o(av,"revokeHandler");var PM={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},iv=new Dt("upstream-request");function xM(e){let t=iv.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(xM,"readUpstreamRequestContext");function AM(e,t){return t.some(r=>r===e)}o(AM,"requestContextMatchesKind");function TM(e){return typeof e=="string"?[e]:e}o(TM,"toExpectedKinds");function cn(e,t){iv.set(e,t)}o(cn,"setUpstreamRequestContext");function un(e,t){let r=xM(e),n=TM(t);if(!AM(r.kind,n)){let a=PM[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(un,"requireUpstreamRequestContext");function sv(e){return k`<form class="form" method="post" action="${e.action}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}" />${e.fields}<p class="form__note">The gateway stores this encrypted and keeps it out of MCP client
+    configuration.</p><button class="button button--primary button--block form__submit" type="submit" >Connect</button></form>`}o(sv,"renderAppPassword");function cv(e){return k`<p data-gateway-error-code="${e.code}">${e.body}</p>`}o(cv,"renderBrowserResult");var kM="text/html; charset=utf-8",EM="none";function uv(e){return or({title:e.title,host:e.host,styles:nr,heading:e.title,subhead:"",body:cv({body:e.body,code:e.code??EM}),footer:""})}o(uv,"browserResultHtml");function dv(e,t=200){return new Response(rr(e),{status:t,headers:{"content-type":kM,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(dv,"browserResultResponse");function Vs(e){return dv(uv(e))}o(Vs,"browserConnectionSuccessResponse");function ro(e,t){let r=ug(t);return dv(uv({host:e,title:r.title,body:r.body,code:t}),400)}o(ro,"browserConnectionFailureResponse");function Ip(e){try{return new URL(e).host}catch{return""}}o(Ip,"safeHostFromUrl");var UM="text/html; charset=utf-8",OM=16*1024;function $M(e,t=200){return new Response(rr(e),{status:t,headers:{"content-type":UM,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o($M,"htmlResponse");function zM(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(zM,"safeRedirect");function MM(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(MM,"requireBrowserTicket");function qM(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(qM,"appPasswordTicketMatchesTarget");async function lv(e){let t=MM(e.browserTicket),r=await ys(t);if(!qM(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(lv,"readAppPasswordTarget");function NM(e,t){let r=Ul(e.upstreamServerId,e.authProfileId),n=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,a=r.kind==="basic_auth_app_password"?k`<label class="form__label" for="username">${r.usernameLabel}</label><input class="form__input" id="username" name="username" required autocomplete="username"><label class="form__label" for="appPassword">${r.passwordLabel}</label><input class="form__input" id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:k`<label class="form__label" for="token">${r.label}</label><input class="form__input" id="token" name="token" type="password" required autocomplete="off">`;return $M(or({title:"Connect upstream",host:t,styles:nr,heading:"Connect upstream",subhead:k`<p class="card__subtitle">Enter the per-user credential for this approved upstream.</p>`,body:sv({action:n,browserTicket:e.browserTicket,fields:a}),footer:""}))}o(NM,"renderCaptureForm");function Fs(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(Fs,"readRequiredFormValue");function jM(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(jM,"readCaptureFormTargetInput");async function DM(e,t){return NM(await lv(jM(e)),t)}o(DM,"handleCaptureFormRequest");async function HM(e){let t=await Os(e.request,{maxBytes:OM,label:"App password request body"});return{form:t,target:await lv({upstreamServerId:e.upstreamServerId,browserTicket:Fs(t,"browserTicket")})}}o(HM,"readSubmittedAppPasswordTarget");async function LM(e){let t=Ln(e.target.ticket);if(await Ss(e.target.ticket),Ul(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await _s({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:Fs(e.form,"token")});return}await TS({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:Fs(e.form,"username"),appPassword:Fs(e.form,"appPassword")})}o(LM,"saveSubmittedAppPasswordCredential");function BM(e,t){return t.ticket.returnTo?zM(e,t.ticket.returnTo):Vs({host:Ip(e),title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(BM,"appPasswordSuccessResponse");async function GM(e){let t=await HM({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await LM(t),BM(e.request.url,t.target)}o(GM,"handleAppPasswordSubmission");function VM(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(VM,"methodNotAllowedResponse");function FM(e,t){let r=he(t);return ro(e,Hi(r)?r:"oauth_state_invalid")}o(FM,"appPasswordFailureResponse");async function ZM(e){let t=Ip(e.request.url);switch(e.request.method){case"GET":return DM(e.appPasswordRequest,t);case"POST":return GM(e);default:return VM()}}o(ZM,"handleAppPasswordMethod");async function Pp(e,t){let r=un(t,"app_password");try{return await ZM({request:e,appPasswordRequest:r})}catch(n){return FM(Ip(e.url),n)}}o(Pp,"appPasswordHandler");var KM=["callback_authorization_code","callback_provider_error","callback_invalid"];function WM(e){return"cause"in e?e.cause:void 0}o(WM,"readErrorCause");function JM(e){return e.stack?.split(`
+`).slice(1,4).map(t=>t.trim()).join(" | ")}o(JM,"readFirstStackFrame");function pv(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=JM(r))}o(pv,"addErrorAttributes");function mv(e){try{return new URL(e).host}catch{return""}}o(mv,"safeHostFromUrl");function YM(e,t,r){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),tt(e,{eventType:K.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),ro(r,"provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),ro(r,"oauth_state_invalid");case"callback_authorization_code":return t}}o(YM,"requireAuthorizationCallbackRequest");function QM(e,t){tt(e,{eventType:K.MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(QM,"emitCallbackReceivedAnalyticsEvent");function XM(e,t){tt(e,{eventType:K.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o(XM,"emitTokenExchangeSucceededAnalyticsEvent");function eq(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return Vs({host:mv(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(eq,"buildSuccessfulCallbackResponse");function tq(e){let t={detail:e instanceof Error?e.message:void 0};return pv(t,"error",e),e instanceof Error&&pv(t,"cause",WM(e)),t}o(tq,"buildTokenExchangeFailureAttributes");function rq(e){tt(e.context,{eventType:K.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:he(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:tq(e.error)})}o(rq,"emitTokenExchangeFailedAnalyticsEvent");function nq(e,t){let r=he(t);return ro(e,Hi(r)?r:"upstream_token_exchange_failed")}o(nq,"tokenExchangeFailureResponse");async function xp(e,t){let r=un(t,KM),n=mv(e.url),a=YM(t,r,n);if(a instanceof Response)return a;QM(t,a);try{let i=await m_({request:e,callbackRequest:a});return XM(t,i),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:i.upstreamServerId,virtualServerId:i.virtualServerId,authProfileId:i.authProfileId,ownerMode:i.ownerMode},"Upstream OAuth token exchange completed; user connection established"),eq(e,i)}catch(i){let s={event:"upstream_oauth_token_exchange_failed",code:he(i)??"upstream_token_exchange_failed",upstreamServerId:a.upstreamServerId};return Oe(s,"error",i),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),rq({context:t,callbackRequest:a,error:i}),nq(n,i)}}o(xp,"callbackHandler");function oq(e){let t=he(e);return t==="unknown_upstream_server"?t:"not_found"}o(oq,"clientMetadataProblemCode");function aq(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(aq,"clientMetadataProblemDetail");async function fv(e,t){let r=un(t,"connect"),n=await p_({request:e,connectRequest:r});if(tt(t,{eventType:K.MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await Vn({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(fv,"connectHandler");async function hv(e,t){let r=un(t,"client_metadata");try{let n=YS(e.url),a=QS(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=oq(n),i=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),ft(e,t,{code:a,detail:aq(n)})}}o(hv,"oauthClientMetadataHandler");function ar(e){if(typeof e=="string"&&e.length!==0)return e}o(ar,"readOptionalQueryString");function iq(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(iq,"requirePathString");function gv(e){let t=ar(e);return t?Pe.parse(t):void 0}o(gv,"readOptionalVirtualServerId");function sq(e,t){let r=ar(e);return r?et.parse(r):qn(t,"user_oauth")}o(sq,"readOptionalAuthProfileId");function cq(e){let t=gv(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(cq,"readRequiredVirtualServerId");function uq(e){let t=ar(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(uq,"readOptionalBrowserTicket");function dq(e){let t=cs(ar(e));return t===void 0?{}:{returnTo:t}}o(dq,"readOptionalReturnTo");function lq(e){let t=gv(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(lq,"readOptionalVirtualServerIdContext");function pq(e){let t=ar(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(pq,"readOptionalProviderErrorDescription");function mq(e){let t=$t(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(mq,"requireConnectableRouteAuth");function fq(e,t,r,n){let a=Us(e,t);if(a.ownerMode==="none"||a.authMode==="shared-secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(fq,"buildConnectContextForPrincipal");function hq(e,t,r){let n=Ln(t),a=$t(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(hq,"buildConnectContextForTicket");async function gq(e,t){let r=mq($_(t,cq(e.query.virtualServerId))),n=e.query.redirect==="true",a=ar(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let s=jn(e.user,e.url);return fq(r,s,n,dq(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let i=await ys(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await Ss(i),hq(r,i,n)}o(gq,"resolveConnectContext");async function yq(e,t,r){let n=Xe.parse(iq(e,"connection"));switch(r){case"connect":cn(t,await gq(e,n));return;case"app_password":cn(t,{kind:"app_password",upstreamServerId:n,...lq(e),...uq(e)});return;case"callback":{let a=ar(e.query.error);if(a){cn(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...pq(e)});return}let i=ar(e.query.code),s=ar(e.query.state);if(i&&s){cn(t,{kind:"callback_authorization_code",upstreamServerId:n,code:i,state:s});return}cn(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":cn(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:sq(e.query.authProfileId,n)});return}}o(yq,"resolveUpstreamRequestInbound");async function Sq(e,t,r){try{await yq(e,t,r);return}catch(n){let a=he(n);if(!a)throw n;let i=n instanceof Error?n.message:void 0;return ft(e,t,{code:a,...i===void 0?{}:{detail:i}})}}o(Sq,"applyUpstreamRequestContext");function ka(e,t){return o(async(n,a)=>{let i=await Sq(n,a,e);return i||t(n,a)},"wrapped")}o(ka,"withUpstreamRequestContext");var _q={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function wq(){return new Response(null,{status:204,headers:_q})}o(wq,"buildWellKnownPreflightResponse");function vq(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(vq,"withWellKnownCorsHeaders");function Ap(e){return async(t,r)=>t.method==="OPTIONS"?wq():vq(await e(t,r))}o(Ap,"wrapWellKnownHandler");var bq=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Ap(Ww)},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:Ap(Jw)},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:Ap(Zg)},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Yw},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Qw},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:Xw},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:ev},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:tv},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:rv},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:nv},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:ov},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:av},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ka("client_metadata",hv)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ka("connect",fv)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ka("callback",xp)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:ka("app_password",Pp)}];function yv(e){if(e)return e.find(t=>Fi(t.policyType))}o(yv,"findMcpOAuthPolicy");function Sv(e){return yv(e)!==void 0}o(Sv,"shouldRegisterMcpGatewayInternalRoutes");function Rq(e){let t=Md(e.policyType);if(!t){let r=qd();throw new jt(`MCP gateway: unknown MCP authorization policy type '${String(e.policyType)}'. Registered policy types: ${r.length>0?r.join(", "):"<none>"}.`)}try{return t.getConfig(e.handler.options)}catch(r){throw r instanceof u.ZodError?new jt(Cq(e.name??e.policyType,r),{cause:r}):r}}o(Rq,"resolveOAuthConfigFromPolicy");function Cq(e,t){let r=t.issues.map(n=>`  - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
 `);return`MCP OAuth policy "${e}" is misconfigured. Missing/invalid options:
-${r}`}o(dM,"formatPolicyConfigError");function Kw(e){let t=Fw(e.policies);if(!t){let r=_d(),n=r.length>0?`Add one of [${r.map(a=>`\`${a}\``).join(", ")}] and reference it on your MCP routes.`:"Register an MCP authorization policy descriptor and reference it on your MCP routes.";throw new Ot(`MCP gateway: could not find an MCP authorization policy in policies.json. ${n}`)}fg(uM(t)),Jf(Wf({routes:e.routes,policies:e.policies}))}o(Kw,"initializeMcpGatewayState");function lM(e,t){return async(r,n)=>{let a=n,i=r.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:r.method},`MCP gateway: ${e} received`);try{let u=await t(r,n);return i||a.log.info({event:`${e}_responded`,status:u.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),u}catch(u){let d={event:`${e}_threw`,durationMs:Date.now()-s};throw Ae(d,"err",u),a.log.error(d,`MCP gateway: ${e} threw`),u}}}o(lM,"wrapInternalHandler");function Ww(e){for(let t of cM){let r=lM(t.routeName,t.handler),n=o((a,i)=>r(a,i),"handler");e.addPluginRoute({path:t.path,methods:t.methods,handler:n,processors:[zs],corsPolicy:"none"})}}o(Ww,"registerMcpGatewayInternalRoutes");var pp=class extends yp{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;r&&Zw(r.policies)&&(Kw({routes:r.routes,policies:r.policies}),Ww(t.router))}};export{H0 as McpAuth0OAuthInboundPolicy,pp as McpGatewayPlugin,V0 as McpOAuthInboundPolicy,W0 as McpUpstreamConnectionInboundPolicy,O0 as McpVirtualServerHandler};
+${r}`}o(Cq,"formatPolicyConfigError");function _v(e){let t=yv(e.policies);if(!t){let r=qd(),n=r.length>0?`Add one of [${r.map(a=>`\`${a}\``).join(", ")}] and reference it on your MCP routes.`:"Register an MCP authorization policy descriptor and reference it on your MCP routes.";throw new jt(`MCP gateway: could not find an MCP authorization policy in policies.json. ${n}`)}Hg(Rq(t)),bg(vg({routes:e.routes,policies:e.policies}))}o(_v,"initializeMcpGatewayState");function Iq(e,t){return async(r,n)=>{let a=n,i=r.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:r.method},`MCP gateway: ${e} received`);try{let c=await t(r,n);return i||a.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}catch(c){let d={event:`${e}_threw`,durationMs:Date.now()-s};throw Oe(d,"err",c),a.log.error(d,`MCP gateway: ${e} threw`),c}}}o(Iq,"wrapInternalHandler");function wv(e){for(let t of bq){let r=Iq(t.routeName,t.handler),n=o((a,i)=>r(a,i),"handler");e.addPluginRoute({path:t.path,methods:t.methods,handler:n,processors:[ec],corsPolicy:"none"})}}o(wv,"registerMcpGatewayInternalRoutes");var Tp=class extends Dp{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;r&&Sv(r.policies)&&(_v({routes:r.routes,policies:r.policies}),wv(t.router))}};export{s$ as McpAuth0OAuthInboundPolicy,Tp as McpGatewayPlugin,d$ as McpOAuthInboundPolicy,f$ as McpUpstreamConnectionInboundPolicy,YO as McpVirtualServerHandler};
 //# sourceMappingURL=index.js.map