npm - @zuplo/runtime - Versions diffs - 6.70.26 → 6.70.27 - Mend

@zuplo/runtime 6.70.26 → 6.70.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/out/esm/chunk-H7UGARU6.js +26 -0
package/out/esm/chunk-H7UGARU6.js.map +1 -0
package/out/esm/chunk-P4G7GA42.js +318 -0
package/out/esm/chunk-P4G7GA42.js.map +1 -0
package/out/esm/index.js +1 -1
package/out/esm/mcp-gateway/index.js +20 -20
package/out/esm/mcp-gateway/index.js.map +1 -1
package/out/esm/mocks/index.js +1 -1
package/out/types/index.d.ts +26 -42
package/out/types/mcp-gateway/index.d.ts +30 -46
package/out/types/mocks/index.d.ts +26 -42
package/package.json +1 -1
package/out/esm/chunk-LCNCH3K2.js +0 -318
package/out/esm/chunk-LCNCH3K2.js.map +0 -1
package/out/esm/chunk-NW4YQXGC.js +0 -26
package/out/esm/chunk-NW4YQXGC.js.map +0 -1
/package/out/esm/{chunk-LCNCH3K2.js.LEGAL.txt → chunk-P4G7GA42.js.LEGAL.txt} +0 -0

package/out/esm/mcp-gateway/index.js CHANGED Viewed

@@ -22,22 +22,22 @@
  *  DEALINGS IN THE SOFTWARE.
  *--------------------------------------------------------------------------------------------*/
-import{$ as U,A as It,I as Zp,J as dc,K as Cv,L as Kp,M as f,N as Jp,O as X,P as oe,Q as Wp,R as Yp,S as we,T as C,U as I,V as Ce,W as fe,X as lc,Y as pc,Z as de,_ as nt,a as Ct,aa as ye,b as Vp,ba as Qp,ca as mc,da as Xp,ea as em,fa as u,ga as ae,j as _o,k as Fp,q as sc,s as wn,x as cc}from"../chunk-LCNCH3K2.js";import{d as uc}from"../chunk-W6JQ5D4W.js";import{a as Z}from"../chunk-NW4YQXGC.js";import{X as _n,Y as ue,Z as So,a as o,c as x,e as Gp}from"../chunk-JAEQKE5H.js";var oa=x(ee=>{"use strict";Object.defineProperty(ee,"__esModule",{value:!0});ee.regexpCode=ee.getEsmExportName=ee.getProperty=ee.safeStringify=ee.stringify=ee.strConcat=ee.addCodeArg=ee.str=ee._=ee.nil=ee._Code=ee.Name=ee.IDENTIFIER=ee._CodeOrName=void 0;var ra=class{static{o(this,"_CodeOrName")}};ee._CodeOrName=ra;ee.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var Wr=class extends ra{static{o(this,"Name")}constructor(t){if(super(),!ee.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};ee.Name=Wr;var pt=class extends ra{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof Wr&&(r[n.str]=(r[n.str]||0)+1),r),{})}};ee._Code=pt;ee.nil=new pt("");function vg(e,...t){let r=[e[0]],n=0;for(;n<t.length;)pd(r,t[n]),r.push(e[++n]);return new pt(r)}o(vg,"_");ee._=vg;var ld=new pt("+");function bg(e,...t){let r=[na(e[0])],n=0;for(;n<t.length;)r.push(ld),pd(r,t[n]),r.push(ld,na(e[++n]));return tA(r),new pt(r)}o(bg,"str");ee.str=bg;function pd(e,t){t instanceof pt?e.push(...t._items):t instanceof Wr?e.push(t):e.push(oA(t))}o(pd,"addCodeArg");ee.addCodeArg=pd;function tA(e){let t=1;for(;t<e.length-1;){if(e[t]===ld){let r=rA(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(tA,"optimize");function rA(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof Wr||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof Wr))return`"${e}${t.slice(1)}`}o(rA,"mergeExprItems");function nA(e,t){return t.emptyStr()?e:e.emptyStr()?t:bg`${e}${t}`}o(nA,"strConcat");ee.strConcat=nA;function oA(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:na(Array.isArray(e)?e.join(","):e)}o(oA,"interpolate");function aA(e){return new pt(na(e))}o(aA,"stringify");ee.stringify=aA;function na(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(na,"safeStringify");ee.safeStringify=na;function iA(e){return typeof e=="string"&&ee.IDENTIFIER.test(e)?new pt(`.${e}`):vg`[${e}]`}o(iA,"getProperty");ee.getProperty=iA;function sA(e){if(typeof e=="string"&&ee.IDENTIFIER.test(e))return new pt(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(sA,"getEsmExportName");ee.getEsmExportName=sA;function cA(e){return new pt(e.toString())}o(cA,"regexpCode");ee.regexpCode=cA});var hd=x(et=>{"use strict";Object.defineProperty(et,"__esModule",{value:!0});et.ValueScope=et.ValueScopeName=et.Scope=et.varKinds=et.UsedValueState=void 0;var Xe=oa(),md=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},Li;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(Li||(et.UsedValueState=Li={}));et.varKinds={const:new Xe.Name("const"),let:new Xe.Name("let"),var:new Xe.Name("var")};var Bi=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof Xe.Name?t:this.name(t)}name(t){return new Xe.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};et.Scope=Bi;var Gi=class extends Xe.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,Xe._)`.${new Xe.Name(r)}[${n}]`}};et.ValueScopeName=Gi;var uA=(0,Xe._)`\n`,fd=class extends Bi{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?uA:Xe.nil}}get(){return this._scope}name(t){return new Gi(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:i}=a,s=(n=r.key)!==null&&n!==void 0?n:r.ref,c=this._values[i];if(c){let l=c.get(s);if(l)return l}else c=this._values[i]=new Map;c.set(s,a);let d=this._scope[i]||(this._scope[i]=[]),p=d.length;return d[p]=r.ref,a.setValue(r,{property:i,itemIndex:p}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,Xe._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let i=Xe.nil;for(let s in t){let c=t[s];if(!c)continue;let d=n[s]=n[s]||new Map;c.forEach(p=>{if(d.has(p))return;d.set(p,Li.Started);let l=r(p);if(l){let m=this.opts.es5?et.varKinds.var:et.varKinds.const;i=(0,Xe._)`${i}${m} ${p} = ${l};${this.opts._n}`}else if(l=a?.(p))i=(0,Xe._)`${i}${l}${this.opts._n}`;else throw new md(p);d.set(p,Li.Completed)})}return i}};et.ValueScope=fd});var V=x(F=>{"use strict";Object.defineProperty(F,"__esModule",{value:!0});F.or=F.and=F.not=F.CodeGen=F.operators=F.varKinds=F.ValueScopeName=F.ValueScope=F.Scope=F.Name=F.regexpCode=F.stringify=F.getProperty=F.nil=F.strConcat=F.str=F._=void 0;var Y=oa(),_t=hd(),_r=oa();Object.defineProperty(F,"_",{enumerable:!0,get:o(function(){return _r._},"get")});Object.defineProperty(F,"str",{enumerable:!0,get:o(function(){return _r.str},"get")});Object.defineProperty(F,"strConcat",{enumerable:!0,get:o(function(){return _r.strConcat},"get")});Object.defineProperty(F,"nil",{enumerable:!0,get:o(function(){return _r.nil},"get")});Object.defineProperty(F,"getProperty",{enumerable:!0,get:o(function(){return _r.getProperty},"get")});Object.defineProperty(F,"stringify",{enumerable:!0,get:o(function(){return _r.stringify},"get")});Object.defineProperty(F,"regexpCode",{enumerable:!0,get:o(function(){return _r.regexpCode},"get")});Object.defineProperty(F,"Name",{enumerable:!0,get:o(function(){return _r.Name},"get")});var Ki=hd();Object.defineProperty(F,"Scope",{enumerable:!0,get:o(function(){return Ki.Scope},"get")});Object.defineProperty(F,"ValueScope",{enumerable:!0,get:o(function(){return Ki.ValueScope},"get")});Object.defineProperty(F,"ValueScopeName",{enumerable:!0,get:o(function(){return Ki.ValueScopeName},"get")});Object.defineProperty(F,"varKinds",{enumerable:!0,get:o(function(){return Ki.varKinds},"get")});F.operators={GT:new Y._Code(">"),GTE:new Y._Code(">="),LT:new Y._Code("<"),LTE:new Y._Code("<="),EQ:new Y._Code("==="),NEQ:new Y._Code("!=="),NOT:new Y._Code("!"),OR:new Y._Code("||"),AND:new Y._Code("&&"),ADD:new Y._Code("+")};var Kt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},gd=class extends Kt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?_t.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=Gn(this.rhs,t,r)),this}get names(){return this.rhs instanceof Y._CodeOrName?this.rhs.names:{}}},Vi=class extends Kt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof Y.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=Gn(this.rhs,t,r),this}get names(){let t=this.lhs instanceof Y.Name?{}:{...this.lhs.names};return Zi(t,this.rhs)}},yd=class extends Vi{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},Sd=class extends Kt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},_d=class extends Kt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},wd=class extends Kt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},vd=class extends Kt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=Gn(this.code,t,r),this}get names(){return this.code instanceof Y._CodeOrName?this.code.names:{}}},aa=class extends Kt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let i=n[a];i.optimizeNames(t,r)||(dA(t,i.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>Xr(t,r.names),{})}},Jt=class extends aa{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},bd=class extends aa{static{o(this,"Root")}},Bn=class extends Jt{static{o(this,"Else")}};Bn.kind="else";var Yr=class e extends Jt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new Bn(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(Rg(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=Gn(this.condition,t,r),this}get names(){let t=super.names;return Zi(t,this.condition),this.else&&Xr(t,this.else.names),t}};Yr.kind="if";var Qr=class extends Jt{static{o(this,"For")}};Qr.kind="for";var Rd=class extends Qr{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=Gn(this.iteration,t,r),this}get names(){return Xr(super.names,this.iteration.names)}},Cd=class extends Qr{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?_t.varKinds.var:this.varKind,{name:n,from:a,to:i}=this;return`for(${r} ${n}=${a}; ${n}<${i}; ${n}++)`+super.render(t)}get names(){let t=Zi(super.names,this.from);return Zi(t,this.to)}},Fi=class extends Qr{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=Gn(this.iterable,t,r),this}get names(){return Xr(super.names,this.iterable.names)}},ia=class extends Jt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};ia.kind="func";var sa=class extends aa{static{o(this,"Return")}render(t){return"return "+super.render(t)}};sa.kind="return";var Id=class extends Jt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&Xr(t,this.catch.names),this.finally&&Xr(t,this.finally.names),t}},ca=class extends Jt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};ca.kind="catch";var ua=class extends Jt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};ua.kind="finally";var Pd=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
-`:""},this._extScope=t,this._scope=new _t.Scope({parent:t}),this._nodes=[new bd]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let i=this._scope.toName(r);return n!==void 0&&a&&(this._constants[i.str]=n),this._leafNode(new gd(t,i,n)),i}const(t,r,n){return this._def(_t.varKinds.const,t,r,n)}let(t,r,n){return this._def(_t.varKinds.let,t,r,n)}var(t,r,n){return this._def(_t.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new Vi(t,r,n))}add(t,r){return this._leafNode(new yd(t,F.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==Y.nil&&this._leafNode(new vd(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,Y.addCodeArg)(r,a));return r.push("}"),new Y._Code(r)}if(t,r,n){if(this._blockNode(new Yr(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new Yr(t))}else(){return this._elseNode(new Bn)}endIf(){return this._endBlockNode(Yr,Bn)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new Rd(t),r)}forRange(t,r,n,a,i=this.opts.es5?_t.varKinds.var:_t.varKinds.let){let s=this._scope.toName(t);return this._for(new Cd(i,s,r,n),()=>a(s))}forOf(t,r,n,a=_t.varKinds.const){let i=this._scope.toName(t);if(this.opts.es5){let s=r instanceof Y.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,Y._)`${s}.length`,c=>{this.var(i,(0,Y._)`${s}[${c}]`),n(i)})}return this._for(new Fi("of",a,i,r),()=>n(i))}forIn(t,r,n,a=this.opts.es5?_t.varKinds.var:_t.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,Y._)`Object.keys(${r})`,n);let i=this._scope.toName(t);return this._for(new Fi("in",a,i,r),()=>n(i))}endFor(){return this._endBlockNode(Qr)}label(t){return this._leafNode(new Sd(t))}break(t){return this._leafNode(new _d(t))}return(t){let r=new sa;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(sa)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new Id;if(this._blockNode(a),this.code(t),r){let i=this.name("e");this._currNode=a.catch=new ca(i),r(i)}return n&&(this._currNode=a.finally=new ua,this.code(n)),this._endBlockNode(ca,ua)}throw(t){return this._leafNode(new wd(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=Y.nil,n,a){return this._blockNode(new ia(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(ia)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof Yr))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};F.CodeGen=Pd;function Xr(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(Xr,"addNames");function Zi(e,t){return t instanceof Y._CodeOrName?Xr(e,t.names):e}o(Zi,"addExprNames");function Gn(e,t,r){if(e instanceof Y.Name)return n(e);if(!a(e))return e;return new Y._Code(e._items.reduce((i,s)=>(s instanceof Y.Name&&(s=n(s)),s instanceof Y._Code?i.push(...s._items):i.push(s),i),[]));function n(i){let s=r[i.str];return s===void 0||t[i.str]!==1?i:(delete t[i.str],s)}function a(i){return i instanceof Y._Code&&i._items.some(s=>s instanceof Y.Name&&t[s.str]===1&&r[s.str]!==void 0)}}o(Gn,"optimizeExpr");function dA(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(dA,"subtractNames");function Rg(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,Y._)`!${xd(e)}`}o(Rg,"not");F.not=Rg;var lA=Cg(F.operators.AND);function pA(...e){return e.reduce(lA)}o(pA,"and");F.and=pA;var mA=Cg(F.operators.OR);function fA(...e){return e.reduce(mA)}o(fA,"or");F.or=fA;function Cg(e){return(t,r)=>t===Y.nil?r:r===Y.nil?t:(0,Y._)`${xd(t)} ${e} ${xd(r)}`}o(Cg,"mappend");function xd(e){return e instanceof Y.Name?e:(0,Y._)`(${e})`}o(xd,"par")});var te=x(J=>{"use strict";Object.defineProperty(J,"__esModule",{value:!0});J.checkStrictMode=J.getErrorPath=J.Type=J.useFunc=J.setEvaluated=J.evaluatedPropsToName=J.mergeEvaluated=J.eachItem=J.unescapeJsonPointer=J.escapeJsonPointer=J.escapeFragment=J.unescapeFragment=J.schemaRefOrVal=J.schemaHasRulesButRef=J.schemaHasRules=J.checkUnknownRules=J.alwaysValidSchema=J.toHash=void 0;var se=V(),hA=oa();function gA(e){let t={};for(let r of e)t[r]=!0;return t}o(gA,"toHash");J.toHash=gA;function yA(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(xg(e,t),!Ag(t,e.self.RULES.all))}o(yA,"alwaysValidSchema");J.alwaysValidSchema=yA;function xg(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let i in t)a[i]||Eg(e,`unknown keyword: "${i}"`)}o(xg,"checkUnknownRules");J.checkUnknownRules=xg;function Ag(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(Ag,"schemaHasRules");J.schemaHasRules=Ag;function SA(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o(SA,"schemaHasRulesButRef");J.schemaHasRulesButRef=SA;function _A({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,se._)`${r}`}return(0,se._)`${e}${t}${(0,se.getProperty)(n)}`}o(_A,"schemaRefOrVal");J.schemaRefOrVal=_A;function wA(e){return kg(decodeURIComponent(e))}o(wA,"unescapeFragment");J.unescapeFragment=wA;function vA(e){return encodeURIComponent(kd(e))}o(vA,"escapeFragment");J.escapeFragment=vA;function kd(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(kd,"escapeJsonPointer");J.escapeJsonPointer=kd;function kg(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(kg,"unescapeJsonPointer");J.unescapeJsonPointer=kg;function bA(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(bA,"eachItem");J.eachItem=bA;function Ig({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,i,s,c)=>{let d=s===void 0?i:s instanceof se.Name?(i instanceof se.Name?e(a,i,s):t(a,i,s),s):i instanceof se.Name?(t(a,s,i),i):r(i,s);return c===se.Name&&!(d instanceof se.Name)?n(a,d):d}}o(Ig,"makeMergeEvaluated");J.mergeEvaluated={props:Ig({mergeNames:o((e,t,r)=>e.if((0,se._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,se._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,se._)`${r} || {}`).code((0,se._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,se._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,se._)`${r} || {}`),Td(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:Tg}),items:Ig({mergeNames:o((e,t,r)=>e.if((0,se._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,se._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,se._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,se._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function Tg(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,se._)`{}`);return t!==void 0&&Td(e,r,t),r}o(Tg,"evaluatedPropsToName");J.evaluatedPropsToName=Tg;function Td(e,t,r){Object.keys(r).forEach(n=>e.assign((0,se._)`${t}${(0,se.getProperty)(n)}`,!0))}o(Td,"setEvaluated");J.setEvaluated=Td;var Pg={};function RA(e,t){return e.scopeValue("func",{ref:t,code:Pg[t.code]||(Pg[t.code]=new hA._Code(t.code))})}o(RA,"useFunc");J.useFunc=RA;var Ad;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(Ad||(J.Type=Ad={}));function CA(e,t,r){if(e instanceof se.Name){let n=t===Ad.Num;return r?n?(0,se._)`"[" + ${e} + "]"`:(0,se._)`"['" + ${e} + "']"`:n?(0,se._)`"/" + ${e}`:(0,se._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,se.getProperty)(e).toString():"/"+kd(e)}o(CA,"getErrorPath");J.getErrorPath=CA;function Eg(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(Eg,"checkStrictMode");J.checkStrictMode=Eg});var Wt=x(Ed=>{"use strict";Object.defineProperty(Ed,"__esModule",{value:!0});var De=V(),IA={data:new De.Name("data"),valCxt:new De.Name("valCxt"),instancePath:new De.Name("instancePath"),parentData:new De.Name("parentData"),parentDataProperty:new De.Name("parentDataProperty"),rootData:new De.Name("rootData"),dynamicAnchors:new De.Name("dynamicAnchors"),vErrors:new De.Name("vErrors"),errors:new De.Name("errors"),this:new De.Name("this"),self:new De.Name("self"),scope:new De.Name("scope"),json:new De.Name("json"),jsonPos:new De.Name("jsonPos"),jsonLen:new De.Name("jsonLen"),jsonPart:new De.Name("jsonPart")};Ed.default=IA});var da=x(He=>{"use strict";Object.defineProperty(He,"__esModule",{value:!0});He.extendErrors=He.resetErrorsCount=He.reportExtraError=He.reportError=He.keyword$DataError=He.keywordError=void 0;var Q=V(),Ji=te(),Ve=Wt();He.keywordError={message:o(({keyword:e})=>(0,Q.str)`must pass "${e}" keyword validation`,"message")};He.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,Q.str)`"${e}" keyword must be ${t} ($data)`:(0,Q.str)`"${e}" keyword is invalid ($data)`,"message")};function PA(e,t=He.keywordError,r,n){let{it:a}=e,{gen:i,compositeRule:s,allErrors:c}=a,d=$g(e,t,r);n??(s||c)?Ug(i,d):Og(a,(0,Q._)`[${d}]`)}o(PA,"reportError");He.reportError=PA;function xA(e,t=He.keywordError,r){let{it:n}=e,{gen:a,compositeRule:i,allErrors:s}=n,c=$g(e,t,r);Ug(a,c),i||s||Og(n,Ve.default.vErrors)}o(xA,"reportExtraError");He.reportExtraError=xA;function AA(e,t){e.assign(Ve.default.errors,t),e.if((0,Q._)`${Ve.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,Q._)`${Ve.default.vErrors}.length`,t),()=>e.assign(Ve.default.vErrors,null)))}o(AA,"resetErrorsCount");He.resetErrorsCount=AA;function kA({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:i}){if(a===void 0)throw new Error("ajv implementation error");let s=e.name("err");e.forRange("i",a,Ve.default.errors,c=>{e.const(s,(0,Q._)`${Ve.default.vErrors}[${c}]`),e.if((0,Q._)`${s}.instancePath === undefined`,()=>e.assign((0,Q._)`${s}.instancePath`,(0,Q.strConcat)(Ve.default.instancePath,i.errorPath))),e.assign((0,Q._)`${s}.schemaPath`,(0,Q.str)`${i.errSchemaPath}/${t}`),i.opts.verbose&&(e.assign((0,Q._)`${s}.schema`,r),e.assign((0,Q._)`${s}.data`,n))})}o(kA,"extendErrors");He.extendErrors=kA;function Ug(e,t){let r=e.const("err",t);e.if((0,Q._)`${Ve.default.vErrors} === null`,()=>e.assign(Ve.default.vErrors,(0,Q._)`[${r}]`),(0,Q._)`${Ve.default.vErrors}.push(${r})`),e.code((0,Q._)`${Ve.default.errors}++`)}o(Ug,"addError");function Og(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,Q._)`new ${e.ValidationError}(${t})`):(r.assign((0,Q._)`${n}.errors`,t),r.return(!1))}o(Og,"returnErrors");var en={keyword:new Q.Name("keyword"),schemaPath:new Q.Name("schemaPath"),params:new Q.Name("params"),propertyName:new Q.Name("propertyName"),message:new Q.Name("message"),schema:new Q.Name("schema"),parentSchema:new Q.Name("parentSchema")};function $g(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,Q._)`{}`:TA(e,t,r)}o($g,"errorObjectCode");function TA(e,t,r={}){let{gen:n,it:a}=e,i=[EA(a,r),UA(e,r)];return OA(e,t,i),n.object(...i)}o(TA,"errorObject");function EA({errorPath:e},{instancePath:t}){let r=t?(0,Q.str)`${e}${(0,Ji.getErrorPath)(t,Ji.Type.Str)}`:e;return[Ve.default.instancePath,(0,Q.strConcat)(Ve.default.instancePath,r)]}o(EA,"errorInstancePath");function UA({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,Q.str)`${t}/${e}`;return r&&(a=(0,Q.str)`${a}${(0,Ji.getErrorPath)(r,Ji.Type.Str)}`),[en.schemaPath,a]}o(UA,"errorSchemaPath");function OA(e,{params:t,message:r},n){let{keyword:a,data:i,schemaValue:s,it:c}=e,{opts:d,propertyName:p,topSchemaRef:l,schemaPath:m}=c;n.push([en.keyword,a],[en.params,typeof t=="function"?t(e):t||(0,Q._)`{}`]),d.messages&&n.push([en.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([en.schema,s],[en.parentSchema,(0,Q._)`${l}${m}`],[Ve.default.data,i]),p&&n.push([en.propertyName,p])}o(OA,"extraErrorProps")});var Mg=x(Vn=>{"use strict";Object.defineProperty(Vn,"__esModule",{value:!0});Vn.boolOrEmptySchema=Vn.topBoolOrEmptySchema=void 0;var $A=da(),zA=V(),MA=Wt(),qA={message:"boolean schema is false"};function NA(e){let{gen:t,schema:r,validateName:n}=e;r===!1?zg(e,!1):typeof r=="object"&&r.$async===!0?t.return(MA.default.data):(t.assign((0,zA._)`${n}.errors`,null),t.return(!0))}o(NA,"topBoolOrEmptySchema");Vn.topBoolOrEmptySchema=NA;function jA(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),zg(e)):r.var(t,!0)}o(jA,"boolOrEmptySchema");Vn.boolOrEmptySchema=jA;function zg(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,$A.reportError)(a,qA,void 0,t)}o(zg,"falseSchemaError")});var Ud=x(Fn=>{"use strict";Object.defineProperty(Fn,"__esModule",{value:!0});Fn.getRules=Fn.isJSONType=void 0;var DA=["string","number","integer","boolean","null","object","array"],HA=new Set(DA);function LA(e){return typeof e=="string"&&HA.has(e)}o(LA,"isJSONType");Fn.isJSONType=LA;function BA(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(BA,"getRules");Fn.getRules=BA});var Od=x(wr=>{"use strict";Object.defineProperty(wr,"__esModule",{value:!0});wr.shouldUseRule=wr.shouldUseGroup=wr.schemaHasRulesForType=void 0;function GA({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&qg(e,n)}o(GA,"schemaHasRulesForType");wr.schemaHasRulesForType=GA;function qg(e,t){return t.rules.some(r=>Ng(e,r))}o(qg,"shouldUseGroup");wr.shouldUseGroup=qg;function Ng(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(Ng,"shouldUseRule");wr.shouldUseRule=Ng});var la=x(Le=>{"use strict";Object.defineProperty(Le,"__esModule",{value:!0});Le.reportTypeError=Le.checkDataTypes=Le.checkDataType=Le.coerceAndCheckDataType=Le.getJSONTypes=Le.getSchemaTypes=Le.DataType=void 0;var VA=Ud(),FA=Od(),ZA=da(),G=V(),jg=te(),Zn;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(Zn||(Le.DataType=Zn={}));function KA(e){let t=Dg(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(KA,"getSchemaTypes");Le.getSchemaTypes=KA;function Dg(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(VA.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(Dg,"getJSONTypes");Le.getJSONTypes=Dg;function JA(e,t){let{gen:r,data:n,opts:a}=e,i=WA(t,a.coerceTypes),s=t.length>0&&!(i.length===0&&t.length===1&&(0,FA.schemaHasRulesForType)(e,t[0]));if(s){let c=zd(t,n,a.strictNumbers,Zn.Wrong);r.if(c,()=>{i.length?YA(e,t,i):Md(e)})}return s}o(JA,"coerceAndCheckDataType");Le.coerceAndCheckDataType=JA;var Hg=new Set(["string","number","integer","boolean","null"]);function WA(e,t){return t?e.filter(r=>Hg.has(r)||t==="array"&&r==="array"):[]}o(WA,"coerceToTypes");function YA(e,t,r){let{gen:n,data:a,opts:i}=e,s=n.let("dataType",(0,G._)`typeof ${a}`),c=n.let("coerced",(0,G._)`undefined`);i.coerceTypes==="array"&&n.if((0,G._)`${s} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,G._)`${a}[0]`).assign(s,(0,G._)`typeof ${a}`).if(zd(t,a,i.strictNumbers),()=>n.assign(c,a))),n.if((0,G._)`${c} !== undefined`);for(let p of r)(Hg.has(p)||p==="array"&&i.coerceTypes==="array")&&d(p);n.else(),Md(e),n.endIf(),n.if((0,G._)`${c} !== undefined`,()=>{n.assign(a,c),QA(e,c)});function d(p){switch(p){case"string":n.elseIf((0,G._)`${s} == "number" || ${s} == "boolean"`).assign(c,(0,G._)`"" + ${a}`).elseIf((0,G._)`${a} === null`).assign(c,(0,G._)`""`);return;case"number":n.elseIf((0,G._)`${s} == "boolean" || ${a} === null
+import{$ as rt,A as cc,B as Ct,J as Jp,K as dc,L as Iw,M as Wp,N as f,O as Yp,P as X,Q as oe,R as Qp,S as Xp,T as _e,U as C,V as I,W as Ce,X as fe,Y as lc,Z as pc,_ as de,a as Rt,aa as U,b as Zp,ba as Se,ca as em,da as mc,ea as tm,fa as rm,ga as u,ha as ae,ia as nm,j as vo,k as Kp,q as ic,s as vn,x as sc}from"../chunk-P4G7GA42.js";import{d as uc}from"../chunk-W6JQ5D4W.js";import{a as B}from"../chunk-H7UGARU6.js";import{X as Sn,Y as ue,Z as So,a as o,c as k,e as Fp}from"../chunk-JAEQKE5H.js";var oa=k(ee=>{"use strict";Object.defineProperty(ee,"__esModule",{value:!0});ee.regexpCode=ee.getEsmExportName=ee.getProperty=ee.safeStringify=ee.stringify=ee.strConcat=ee.addCodeArg=ee.str=ee._=ee.nil=ee._Code=ee.Name=ee.IDENTIFIER=ee._CodeOrName=void 0;var ra=class{static{o(this,"_CodeOrName")}};ee._CodeOrName=ra;ee.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var Jr=class extends ra{static{o(this,"Name")}constructor(t){if(super(),!ee.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};ee.Name=Jr;var lt=class extends ra{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof Jr&&(r[n.str]=(r[n.str]||0)+1),r),{})}};ee._Code=lt;ee.nil=new lt("");function vg(e,...t){let r=[e[0]],n=0;for(;n<t.length;)pd(r,t[n]),r.push(e[++n]);return new lt(r)}o(vg,"_");ee._=vg;var ld=new lt("+");function _g(e,...t){let r=[na(e[0])],n=0;for(;n<t.length;)r.push(ld),pd(r,t[n]),r.push(ld,na(e[++n]));return zx(r),new lt(r)}o(_g,"str");ee.str=_g;function pd(e,t){t instanceof lt?e.push(...t._items):t instanceof Jr?e.push(t):e.push(Nx(t))}o(pd,"addCodeArg");ee.addCodeArg=pd;function zx(e){let t=1;for(;t<e.length-1;){if(e[t]===ld){let r=Mx(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(zx,"optimize");function Mx(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof Jr||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof Jr))return`"${e}${t.slice(1)}`}o(Mx,"mergeExprItems");function qx(e,t){return t.emptyStr()?e:e.emptyStr()?t:_g`${e}${t}`}o(qx,"strConcat");ee.strConcat=qx;function Nx(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:na(Array.isArray(e)?e.join(","):e)}o(Nx,"interpolate");function Dx(e){return new lt(na(e))}o(Dx,"stringify");ee.stringify=Dx;function na(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(na,"safeStringify");ee.safeStringify=na;function jx(e){return typeof e=="string"&&ee.IDENTIFIER.test(e)?new lt(`.${e}`):vg`[${e}]`}o(jx,"getProperty");ee.getProperty=jx;function Hx(e){if(typeof e=="string"&&ee.IDENTIFIER.test(e))return new lt(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(Hx,"getEsmExportName");ee.getEsmExportName=Hx;function Lx(e){return new lt(e.toString())}o(Lx,"regexpCode");ee.regexpCode=Lx});var hd=k(Xe=>{"use strict";Object.defineProperty(Xe,"__esModule",{value:!0});Xe.ValueScope=Xe.ValueScopeName=Xe.Scope=Xe.varKinds=Xe.UsedValueState=void 0;var Qe=oa(),md=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},Hi;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(Hi||(Xe.UsedValueState=Hi={}));Xe.varKinds={const:new Qe.Name("const"),let:new Qe.Name("let"),var:new Qe.Name("var")};var Li=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof Qe.Name?t:this.name(t)}name(t){return new Qe.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};Xe.Scope=Li;var Bi=class extends Qe.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,Qe._)`.${new Qe.Name(r)}[${n}]`}};Xe.ValueScopeName=Bi;var Bx=(0,Qe._)`\n`,fd=class extends Li{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?Bx:Qe.nil}}get(){return this._scope}name(t){return new Bi(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:i}=a,s=(n=r.key)!==null&&n!==void 0?n:r.ref,c=this._values[i];if(c){let l=c.get(s);if(l)return l}else c=this._values[i]=new Map;c.set(s,a);let d=this._scope[i]||(this._scope[i]=[]),p=d.length;return d[p]=r.ref,a.setValue(r,{property:i,itemIndex:p}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,Qe._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let i=Qe.nil;for(let s in t){let c=t[s];if(!c)continue;let d=n[s]=n[s]||new Map;c.forEach(p=>{if(d.has(p))return;d.set(p,Hi.Started);let l=r(p);if(l){let m=this.opts.es5?Xe.varKinds.var:Xe.varKinds.const;i=(0,Qe._)`${i}${m} ${p} = ${l};${this.opts._n}`}else if(l=a?.(p))i=(0,Qe._)`${i}${l}${this.opts._n}`;else throw new md(p);d.set(p,Hi.Completed)})}return i}};Xe.ValueScope=fd});var F=k(Z=>{"use strict";Object.defineProperty(Z,"__esModule",{value:!0});Z.or=Z.and=Z.not=Z.CodeGen=Z.operators=Z.varKinds=Z.ValueScopeName=Z.ValueScope=Z.Scope=Z.Name=Z.regexpCode=Z.stringify=Z.getProperty=Z.nil=Z.strConcat=Z.str=Z._=void 0;var Y=oa(),St=hd(),Sr=oa();Object.defineProperty(Z,"_",{enumerable:!0,get:o(function(){return Sr._},"get")});Object.defineProperty(Z,"str",{enumerable:!0,get:o(function(){return Sr.str},"get")});Object.defineProperty(Z,"strConcat",{enumerable:!0,get:o(function(){return Sr.strConcat},"get")});Object.defineProperty(Z,"nil",{enumerable:!0,get:o(function(){return Sr.nil},"get")});Object.defineProperty(Z,"getProperty",{enumerable:!0,get:o(function(){return Sr.getProperty},"get")});Object.defineProperty(Z,"stringify",{enumerable:!0,get:o(function(){return Sr.stringify},"get")});Object.defineProperty(Z,"regexpCode",{enumerable:!0,get:o(function(){return Sr.regexpCode},"get")});Object.defineProperty(Z,"Name",{enumerable:!0,get:o(function(){return Sr.Name},"get")});var Zi=hd();Object.defineProperty(Z,"Scope",{enumerable:!0,get:o(function(){return Zi.Scope},"get")});Object.defineProperty(Z,"ValueScope",{enumerable:!0,get:o(function(){return Zi.ValueScope},"get")});Object.defineProperty(Z,"ValueScopeName",{enumerable:!0,get:o(function(){return Zi.ValueScopeName},"get")});Object.defineProperty(Z,"varKinds",{enumerable:!0,get:o(function(){return Zi.varKinds},"get")});Z.operators={GT:new Y._Code(">"),GTE:new Y._Code(">="),LT:new Y._Code("<"),LTE:new Y._Code("<="),EQ:new Y._Code("==="),NEQ:new Y._Code("!=="),NOT:new Y._Code("!"),OR:new Y._Code("||"),AND:new Y._Code("&&"),ADD:new Y._Code("+")};var Kt=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},gd=class extends Kt{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?St.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=Bn(this.rhs,t,r)),this}get names(){return this.rhs instanceof Y._CodeOrName?this.rhs.names:{}}},Gi=class extends Kt{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof Y.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=Bn(this.rhs,t,r),this}get names(){let t=this.lhs instanceof Y.Name?{}:{...this.lhs.names};return Fi(t,this.rhs)}},yd=class extends Gi{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},Sd=class extends Kt{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},vd=class extends Kt{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},_d=class extends Kt{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},wd=class extends Kt{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=Bn(this.code,t,r),this}get names(){return this.code instanceof Y._CodeOrName?this.code.names:{}}},aa=class extends Kt{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let i=n[a];i.optimizeNames(t,r)||(Gx(t,i.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>Qr(t,r.names),{})}},Jt=class extends aa{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},bd=class extends aa{static{o(this,"Root")}},Ln=class extends Jt{static{o(this,"Else")}};Ln.kind="else";var Wr=class e extends Jt{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new Ln(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(wg(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=Bn(this.condition,t,r),this}get names(){let t=super.names;return Fi(t,this.condition),this.else&&Qr(t,this.else.names),t}};Wr.kind="if";var Yr=class extends Jt{static{o(this,"For")}};Yr.kind="for";var Rd=class extends Yr{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=Bn(this.iteration,t,r),this}get names(){return Qr(super.names,this.iteration.names)}},Cd=class extends Yr{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?St.varKinds.var:this.varKind,{name:n,from:a,to:i}=this;return`for(${r} ${n}=${a}; ${n}<${i}; ${n}++)`+super.render(t)}get names(){let t=Fi(super.names,this.from);return Fi(t,this.to)}},Vi=class extends Yr{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=Bn(this.iterable,t,r),this}get names(){return Qr(super.names,this.iterable.names)}},ia=class extends Jt{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};ia.kind="func";var sa=class extends aa{static{o(this,"Return")}render(t){return"return "+super.render(t)}};sa.kind="return";var Id=class extends Jt{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&Qr(t,this.catch.names),this.finally&&Qr(t,this.finally.names),t}},ca=class extends Jt{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};ca.kind="catch";var ua=class extends Jt{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};ua.kind="finally";var Pd=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
+`:""},this._extScope=t,this._scope=new St.Scope({parent:t}),this._nodes=[new bd]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let i=this._scope.toName(r);return n!==void 0&&a&&(this._constants[i.str]=n),this._leafNode(new gd(t,i,n)),i}const(t,r,n){return this._def(St.varKinds.const,t,r,n)}let(t,r,n){return this._def(St.varKinds.let,t,r,n)}var(t,r,n){return this._def(St.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new Gi(t,r,n))}add(t,r){return this._leafNode(new yd(t,Z.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==Y.nil&&this._leafNode(new wd(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,Y.addCodeArg)(r,a));return r.push("}"),new Y._Code(r)}if(t,r,n){if(this._blockNode(new Wr(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new Wr(t))}else(){return this._elseNode(new Ln)}endIf(){return this._endBlockNode(Wr,Ln)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new Rd(t),r)}forRange(t,r,n,a,i=this.opts.es5?St.varKinds.var:St.varKinds.let){let s=this._scope.toName(t);return this._for(new Cd(i,s,r,n),()=>a(s))}forOf(t,r,n,a=St.varKinds.const){let i=this._scope.toName(t);if(this.opts.es5){let s=r instanceof Y.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,Y._)`${s}.length`,c=>{this.var(i,(0,Y._)`${s}[${c}]`),n(i)})}return this._for(new Vi("of",a,i,r),()=>n(i))}forIn(t,r,n,a=this.opts.es5?St.varKinds.var:St.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,Y._)`Object.keys(${r})`,n);let i=this._scope.toName(t);return this._for(new Vi("in",a,i,r),()=>n(i))}endFor(){return this._endBlockNode(Yr)}label(t){return this._leafNode(new Sd(t))}break(t){return this._leafNode(new vd(t))}return(t){let r=new sa;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(sa)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new Id;if(this._blockNode(a),this.code(t),r){let i=this.name("e");this._currNode=a.catch=new ca(i),r(i)}return n&&(this._currNode=a.finally=new ua,this.code(n)),this._endBlockNode(ca,ua)}throw(t){return this._leafNode(new _d(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=Y.nil,n,a){return this._blockNode(new ia(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(ia)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof Wr))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};Z.CodeGen=Pd;function Qr(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(Qr,"addNames");function Fi(e,t){return t instanceof Y._CodeOrName?Qr(e,t.names):e}o(Fi,"addExprNames");function Bn(e,t,r){if(e instanceof Y.Name)return n(e);if(!a(e))return e;return new Y._Code(e._items.reduce((i,s)=>(s instanceof Y.Name&&(s=n(s)),s instanceof Y._Code?i.push(...s._items):i.push(s),i),[]));function n(i){let s=r[i.str];return s===void 0||t[i.str]!==1?i:(delete t[i.str],s)}function a(i){return i instanceof Y._Code&&i._items.some(s=>s instanceof Y.Name&&t[s.str]===1&&r[s.str]!==void 0)}}o(Bn,"optimizeExpr");function Gx(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(Gx,"subtractNames");function wg(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,Y._)`!${xd(e)}`}o(wg,"not");Z.not=wg;var Vx=bg(Z.operators.AND);function Fx(...e){return e.reduce(Vx)}o(Fx,"and");Z.and=Fx;var Zx=bg(Z.operators.OR);function Kx(...e){return e.reduce(Zx)}o(Kx,"or");Z.or=Kx;function bg(e){return(t,r)=>t===Y.nil?r:r===Y.nil?t:(0,Y._)`${xd(t)} ${e} ${xd(r)}`}o(bg,"mappend");function xd(e){return e instanceof Y.Name?e:(0,Y._)`(${e})`}o(xd,"par")});var te=k(J=>{"use strict";Object.defineProperty(J,"__esModule",{value:!0});J.checkStrictMode=J.getErrorPath=J.Type=J.useFunc=J.setEvaluated=J.evaluatedPropsToName=J.mergeEvaluated=J.eachItem=J.unescapeJsonPointer=J.escapeJsonPointer=J.escapeFragment=J.unescapeFragment=J.schemaRefOrVal=J.schemaHasRulesButRef=J.schemaHasRules=J.checkUnknownRules=J.alwaysValidSchema=J.toHash=void 0;var se=F(),Jx=oa();function Wx(e){let t={};for(let r of e)t[r]=!0;return t}o(Wx,"toHash");J.toHash=Wx;function Yx(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(Ig(e,t),!Pg(t,e.self.RULES.all))}o(Yx,"alwaysValidSchema");J.alwaysValidSchema=Yx;function Ig(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let i in t)a[i]||Tg(e,`unknown keyword: "${i}"`)}o(Ig,"checkUnknownRules");J.checkUnknownRules=Ig;function Pg(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(Pg,"schemaHasRules");J.schemaHasRules=Pg;function Qx(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o(Qx,"schemaHasRulesButRef");J.schemaHasRulesButRef=Qx;function Xx({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,se._)`${r}`}return(0,se._)`${e}${t}${(0,se.getProperty)(n)}`}o(Xx,"schemaRefOrVal");J.schemaRefOrVal=Xx;function ek(e){return xg(decodeURIComponent(e))}o(ek,"unescapeFragment");J.unescapeFragment=ek;function tk(e){return encodeURIComponent(Td(e))}o(tk,"escapeFragment");J.escapeFragment=tk;function Td(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Td,"escapeJsonPointer");J.escapeJsonPointer=Td;function xg(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(xg,"unescapeJsonPointer");J.unescapeJsonPointer=xg;function rk(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(rk,"eachItem");J.eachItem=rk;function Rg({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,i,s,c)=>{let d=s===void 0?i:s instanceof se.Name?(i instanceof se.Name?e(a,i,s):t(a,i,s),s):i instanceof se.Name?(t(a,s,i),i):r(i,s);return c===se.Name&&!(d instanceof se.Name)?n(a,d):d}}o(Rg,"makeMergeEvaluated");J.mergeEvaluated={props:Rg({mergeNames:o((e,t,r)=>e.if((0,se._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,se._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,se._)`${r} || {}`).code((0,se._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,se._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,se._)`${r} || {}`),Ad(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:kg}),items:Rg({mergeNames:o((e,t,r)=>e.if((0,se._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,se._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,se._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,se._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function kg(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,se._)`{}`);return t!==void 0&&Ad(e,r,t),r}o(kg,"evaluatedPropsToName");J.evaluatedPropsToName=kg;function Ad(e,t,r){Object.keys(r).forEach(n=>e.assign((0,se._)`${t}${(0,se.getProperty)(n)}`,!0))}o(Ad,"setEvaluated");J.setEvaluated=Ad;var Cg={};function nk(e,t){return e.scopeValue("func",{ref:t,code:Cg[t.code]||(Cg[t.code]=new Jx._Code(t.code))})}o(nk,"useFunc");J.useFunc=nk;var kd;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(kd||(J.Type=kd={}));function ok(e,t,r){if(e instanceof se.Name){let n=t===kd.Num;return r?n?(0,se._)`"[" + ${e} + "]"`:(0,se._)`"['" + ${e} + "']"`:n?(0,se._)`"/" + ${e}`:(0,se._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,se.getProperty)(e).toString():"/"+Td(e)}o(ok,"getErrorPath");J.getErrorPath=ok;function Tg(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(Tg,"checkStrictMode");J.checkStrictMode=Tg});var Wt=k(Ed=>{"use strict";Object.defineProperty(Ed,"__esModule",{value:!0});var je=F(),ak={data:new je.Name("data"),valCxt:new je.Name("valCxt"),instancePath:new je.Name("instancePath"),parentData:new je.Name("parentData"),parentDataProperty:new je.Name("parentDataProperty"),rootData:new je.Name("rootData"),dynamicAnchors:new je.Name("dynamicAnchors"),vErrors:new je.Name("vErrors"),errors:new je.Name("errors"),this:new je.Name("this"),self:new je.Name("self"),scope:new je.Name("scope"),json:new je.Name("json"),jsonPos:new je.Name("jsonPos"),jsonLen:new je.Name("jsonLen"),jsonPart:new je.Name("jsonPart")};Ed.default=ak});var da=k(He=>{"use strict";Object.defineProperty(He,"__esModule",{value:!0});He.extendErrors=He.resetErrorsCount=He.reportExtraError=He.reportError=He.keyword$DataError=He.keywordError=void 0;var Q=F(),Ki=te(),Ve=Wt();He.keywordError={message:o(({keyword:e})=>(0,Q.str)`must pass "${e}" keyword validation`,"message")};He.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,Q.str)`"${e}" keyword must be ${t} ($data)`:(0,Q.str)`"${e}" keyword is invalid ($data)`,"message")};function ik(e,t=He.keywordError,r,n){let{it:a}=e,{gen:i,compositeRule:s,allErrors:c}=a,d=Ug(e,t,r);n??(s||c)?Ag(i,d):Eg(a,(0,Q._)`[${d}]`)}o(ik,"reportError");He.reportError=ik;function sk(e,t=He.keywordError,r){let{it:n}=e,{gen:a,compositeRule:i,allErrors:s}=n,c=Ug(e,t,r);Ag(a,c),i||s||Eg(n,Ve.default.vErrors)}o(sk,"reportExtraError");He.reportExtraError=sk;function ck(e,t){e.assign(Ve.default.errors,t),e.if((0,Q._)`${Ve.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,Q._)`${Ve.default.vErrors}.length`,t),()=>e.assign(Ve.default.vErrors,null)))}o(ck,"resetErrorsCount");He.resetErrorsCount=ck;function uk({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:i}){if(a===void 0)throw new Error("ajv implementation error");let s=e.name("err");e.forRange("i",a,Ve.default.errors,c=>{e.const(s,(0,Q._)`${Ve.default.vErrors}[${c}]`),e.if((0,Q._)`${s}.instancePath === undefined`,()=>e.assign((0,Q._)`${s}.instancePath`,(0,Q.strConcat)(Ve.default.instancePath,i.errorPath))),e.assign((0,Q._)`${s}.schemaPath`,(0,Q.str)`${i.errSchemaPath}/${t}`),i.opts.verbose&&(e.assign((0,Q._)`${s}.schema`,r),e.assign((0,Q._)`${s}.data`,n))})}o(uk,"extendErrors");He.extendErrors=uk;function Ag(e,t){let r=e.const("err",t);e.if((0,Q._)`${Ve.default.vErrors} === null`,()=>e.assign(Ve.default.vErrors,(0,Q._)`[${r}]`),(0,Q._)`${Ve.default.vErrors}.push(${r})`),e.code((0,Q._)`${Ve.default.errors}++`)}o(Ag,"addError");function Eg(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,Q._)`new ${e.ValidationError}(${t})`):(r.assign((0,Q._)`${n}.errors`,t),r.return(!1))}o(Eg,"returnErrors");var Xr={keyword:new Q.Name("keyword"),schemaPath:new Q.Name("schemaPath"),params:new Q.Name("params"),propertyName:new Q.Name("propertyName"),message:new Q.Name("message"),schema:new Q.Name("schema"),parentSchema:new Q.Name("parentSchema")};function Ug(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,Q._)`{}`:dk(e,t,r)}o(Ug,"errorObjectCode");function dk(e,t,r={}){let{gen:n,it:a}=e,i=[lk(a,r),pk(e,r)];return mk(e,t,i),n.object(...i)}o(dk,"errorObject");function lk({errorPath:e},{instancePath:t}){let r=t?(0,Q.str)`${e}${(0,Ki.getErrorPath)(t,Ki.Type.Str)}`:e;return[Ve.default.instancePath,(0,Q.strConcat)(Ve.default.instancePath,r)]}o(lk,"errorInstancePath");function pk({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,Q.str)`${t}/${e}`;return r&&(a=(0,Q.str)`${a}${(0,Ki.getErrorPath)(r,Ki.Type.Str)}`),[Xr.schemaPath,a]}o(pk,"errorSchemaPath");function mk(e,{params:t,message:r},n){let{keyword:a,data:i,schemaValue:s,it:c}=e,{opts:d,propertyName:p,topSchemaRef:l,schemaPath:m}=c;n.push([Xr.keyword,a],[Xr.params,typeof t=="function"?t(e):t||(0,Q._)`{}`]),d.messages&&n.push([Xr.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([Xr.schema,s],[Xr.parentSchema,(0,Q._)`${l}${m}`],[Ve.default.data,i]),p&&n.push([Xr.propertyName,p])}o(mk,"extraErrorProps")});var $g=k(Gn=>{"use strict";Object.defineProperty(Gn,"__esModule",{value:!0});Gn.boolOrEmptySchema=Gn.topBoolOrEmptySchema=void 0;var fk=da(),hk=F(),gk=Wt(),yk={message:"boolean schema is false"};function Sk(e){let{gen:t,schema:r,validateName:n}=e;r===!1?Og(e,!1):typeof r=="object"&&r.$async===!0?t.return(gk.default.data):(t.assign((0,hk._)`${n}.errors`,null),t.return(!0))}o(Sk,"topBoolOrEmptySchema");Gn.topBoolOrEmptySchema=Sk;function vk(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),Og(e)):r.var(t,!0)}o(vk,"boolOrEmptySchema");Gn.boolOrEmptySchema=vk;function Og(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,fk.reportError)(a,yk,void 0,t)}o(Og,"falseSchemaError")});var Ud=k(Vn=>{"use strict";Object.defineProperty(Vn,"__esModule",{value:!0});Vn.getRules=Vn.isJSONType=void 0;var _k=["string","number","integer","boolean","null","object","array"],wk=new Set(_k);function bk(e){return typeof e=="string"&&wk.has(e)}o(bk,"isJSONType");Vn.isJSONType=bk;function Rk(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(Rk,"getRules");Vn.getRules=Rk});var Od=k(vr=>{"use strict";Object.defineProperty(vr,"__esModule",{value:!0});vr.shouldUseRule=vr.shouldUseGroup=vr.schemaHasRulesForType=void 0;function Ck({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&zg(e,n)}o(Ck,"schemaHasRulesForType");vr.schemaHasRulesForType=Ck;function zg(e,t){return t.rules.some(r=>Mg(e,r))}o(zg,"shouldUseGroup");vr.shouldUseGroup=zg;function Mg(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(Mg,"shouldUseRule");vr.shouldUseRule=Mg});var la=k(Le=>{"use strict";Object.defineProperty(Le,"__esModule",{value:!0});Le.reportTypeError=Le.checkDataTypes=Le.checkDataType=Le.coerceAndCheckDataType=Le.getJSONTypes=Le.getSchemaTypes=Le.DataType=void 0;var Ik=Ud(),Pk=Od(),xk=da(),G=F(),qg=te(),Fn;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(Fn||(Le.DataType=Fn={}));function kk(e){let t=Ng(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(kk,"getSchemaTypes");Le.getSchemaTypes=kk;function Ng(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(Ik.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(Ng,"getJSONTypes");Le.getJSONTypes=Ng;function Tk(e,t){let{gen:r,data:n,opts:a}=e,i=Ak(t,a.coerceTypes),s=t.length>0&&!(i.length===0&&t.length===1&&(0,Pk.schemaHasRulesForType)(e,t[0]));if(s){let c=zd(t,n,a.strictNumbers,Fn.Wrong);r.if(c,()=>{i.length?Ek(e,t,i):Md(e)})}return s}o(Tk,"coerceAndCheckDataType");Le.coerceAndCheckDataType=Tk;var Dg=new Set(["string","number","integer","boolean","null"]);function Ak(e,t){return t?e.filter(r=>Dg.has(r)||t==="array"&&r==="array"):[]}o(Ak,"coerceToTypes");function Ek(e,t,r){let{gen:n,data:a,opts:i}=e,s=n.let("dataType",(0,G._)`typeof ${a}`),c=n.let("coerced",(0,G._)`undefined`);i.coerceTypes==="array"&&n.if((0,G._)`${s} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,G._)`${a}[0]`).assign(s,(0,G._)`typeof ${a}`).if(zd(t,a,i.strictNumbers),()=>n.assign(c,a))),n.if((0,G._)`${c} !== undefined`);for(let p of r)(Dg.has(p)||p==="array"&&i.coerceTypes==="array")&&d(p);n.else(),Md(e),n.endIf(),n.if((0,G._)`${c} !== undefined`,()=>{n.assign(a,c),Uk(e,c)});function d(p){switch(p){case"string":n.elseIf((0,G._)`${s} == "number" || ${s} == "boolean"`).assign(c,(0,G._)`"" + ${a}`).elseIf((0,G._)`${a} === null`).assign(c,(0,G._)`""`);return;case"number":n.elseIf((0,G._)`${s} == "boolean" || ${a} === null
               || (${s} == "string" && ${a} && ${a} == +${a})`).assign(c,(0,G._)`+${a}`);return;case"integer":n.elseIf((0,G._)`${s} === "boolean" || ${a} === null
               || (${s} === "string" && ${a} && ${a} == +${a} && !(${a} % 1))`).assign(c,(0,G._)`+${a}`);return;case"boolean":n.elseIf((0,G._)`${a} === "false" || ${a} === 0 || ${a} === null`).assign(c,!1).elseIf((0,G._)`${a} === "true" || ${a} === 1`).assign(c,!0);return;case"null":n.elseIf((0,G._)`${a} === "" || ${a} === 0 || ${a} === false`),n.assign(c,null);return;case"array":n.elseIf((0,G._)`${s} === "string" || ${s} === "number"
-              || ${s} === "boolean" || ${a} === null`).assign(c,(0,G._)`[${a}]`)}}o(d,"coerceSpecificType")}o(YA,"coerceData");function QA({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,G._)`${t} !== undefined`,()=>e.assign((0,G._)`${t}[${r}]`,n))}o(QA,"assignParentData");function $d(e,t,r,n=Zn.Correct){let a=n===Zn.Correct?G.operators.EQ:G.operators.NEQ,i;switch(e){case"null":return(0,G._)`${t} ${a} null`;case"array":i=(0,G._)`Array.isArray(${t})`;break;case"object":i=(0,G._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":i=s((0,G._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":i=s();break;default:return(0,G._)`typeof ${t} ${a} ${e}`}return n===Zn.Correct?i:(0,G.not)(i);function s(c=G.nil){return(0,G.and)((0,G._)`typeof ${t} == "number"`,c,r?(0,G._)`isFinite(${t})`:G.nil)}}o($d,"checkDataType");Le.checkDataType=$d;function zd(e,t,r,n){if(e.length===1)return $d(e[0],t,r,n);let a,i=(0,jg.toHash)(e);if(i.array&&i.object){let s=(0,G._)`typeof ${t} != "object"`;a=i.null?s:(0,G._)`!${t} || ${s}`,delete i.null,delete i.array,delete i.object}else a=G.nil;i.number&&delete i.integer;for(let s in i)a=(0,G.and)(a,$d(s,t,r,n));return a}o(zd,"checkDataTypes");Le.checkDataTypes=zd;var XA={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,G._)`{type: ${e}}`:(0,G._)`{type: ${t}}`,"params")};function Md(e){let t=ek(e);(0,ZA.reportError)(t,XA)}o(Md,"reportTypeError");Le.reportTypeError=Md;function ek(e){let{gen:t,data:r,schema:n}=e,a=(0,jg.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(ek,"getTypeErrorContext")});var Bg=x(Wi=>{"use strict";Object.defineProperty(Wi,"__esModule",{value:!0});Wi.assignDefaults=void 0;var Kn=V(),tk=te();function rk(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)Lg(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,i)=>Lg(e,i,a.default))}o(rk,"assignDefaults");Wi.assignDefaults=rk;function Lg(e,t,r){let{gen:n,compositeRule:a,data:i,opts:s}=e;if(r===void 0)return;let c=(0,Kn._)`${i}${(0,Kn.getProperty)(t)}`;if(a){(0,tk.checkStrictMode)(e,`default is ignored for: ${c}`);return}let d=(0,Kn._)`${c} === undefined`;s.useDefaults==="empty"&&(d=(0,Kn._)`${d} || ${c} === null || ${c} === ""`),n.if(d,(0,Kn._)`${c} = ${(0,Kn.stringify)(r)}`)}o(Lg,"assignDefault")});var mt=x(ne=>{"use strict";Object.defineProperty(ne,"__esModule",{value:!0});ne.validateUnion=ne.validateArray=ne.usePattern=ne.callValidateCode=ne.schemaProperties=ne.allSchemaProperties=ne.noPropertyInData=ne.propertyInData=ne.isOwnProperty=ne.hasPropFunc=ne.reportMissingProp=ne.checkMissingProp=ne.checkReportMissingProp=void 0;var pe=V(),qd=te(),vr=Wt(),nk=te();function ok(e,t){let{gen:r,data:n,it:a}=e;r.if(jd(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,pe._)`${t}`},!0),e.error()})}o(ok,"checkReportMissingProp");ne.checkReportMissingProp=ok;function ak({gen:e,data:t,it:{opts:r}},n,a){return(0,pe.or)(...n.map(i=>(0,pe.and)(jd(e,t,i,r.ownProperties),(0,pe._)`${a} = ${i}`)))}o(ak,"checkMissingProp");ne.checkMissingProp=ak;function ik(e,t){e.setParams({missingProperty:t},!0),e.error()}o(ik,"reportMissingProp");ne.reportMissingProp=ik;function Gg(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,pe._)`Object.prototype.hasOwnProperty`})}o(Gg,"hasPropFunc");ne.hasPropFunc=Gg;function Nd(e,t,r){return(0,pe._)`${Gg(e)}.call(${t}, ${r})`}o(Nd,"isOwnProperty");ne.isOwnProperty=Nd;function sk(e,t,r,n){let a=(0,pe._)`${t}${(0,pe.getProperty)(r)} !== undefined`;return n?(0,pe._)`${a} && ${Nd(e,t,r)}`:a}o(sk,"propertyInData");ne.propertyInData=sk;function jd(e,t,r,n){let a=(0,pe._)`${t}${(0,pe.getProperty)(r)} === undefined`;return n?(0,pe.or)(a,(0,pe.not)(Nd(e,t,r))):a}o(jd,"noPropertyInData");ne.noPropertyInData=jd;function Vg(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(Vg,"allSchemaProperties");ne.allSchemaProperties=Vg;function ck(e,t){return Vg(t).filter(r=>!(0,qd.alwaysValidSchema)(e,t[r]))}o(ck,"schemaProperties");ne.schemaProperties=ck;function uk({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:i},it:s},c,d,p){let l=p?(0,pe._)`${e}, ${t}, ${n}${a}`:t,m=[[vr.default.instancePath,(0,pe.strConcat)(vr.default.instancePath,i)],[vr.default.parentData,s.parentData],[vr.default.parentDataProperty,s.parentDataProperty],[vr.default.rootData,vr.default.rootData]];s.opts.dynamicRef&&m.push([vr.default.dynamicAnchors,vr.default.dynamicAnchors]);let h=(0,pe._)`${l}, ${r.object(...m)}`;return d!==pe.nil?(0,pe._)`${c}.call(${d}, ${h})`:(0,pe._)`${c}(${h})`}o(uk,"callValidateCode");ne.callValidateCode=uk;var dk=(0,pe._)`new RegExp`;function lk({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,i=a(r,n);return e.scopeValue("pattern",{key:i.toString(),ref:i,code:(0,pe._)`${a.code==="new RegExp"?dk:(0,nk.useFunc)(e,a)}(${r}, ${n})`})}o(lk,"usePattern");ne.usePattern=lk;function pk(e){let{gen:t,data:r,keyword:n,it:a}=e,i=t.name("valid");if(a.allErrors){let c=t.let("valid",!0);return s(()=>t.assign(c,!1)),c}return t.var(i,!0),s(()=>t.break()),i;function s(c){let d=t.const("len",(0,pe._)`${r}.length`);t.forRange("i",0,d,p=>{e.subschema({keyword:n,dataProp:p,dataPropType:qd.Type.Num},i),t.if((0,pe.not)(i),c)})}o(s,"validateItems")}o(pk,"validateArray");ne.validateArray=pk;function mk(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,qd.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let s=t.let("valid",!1),c=t.name("_valid");t.block(()=>r.forEach((d,p)=>{let l=e.subschema({keyword:n,schemaProp:p,compositeRule:!0},c);t.assign(s,(0,pe._)`${s} || ${c}`),e.mergeValidEvaluated(l,c)||t.if((0,pe.not)(s))})),e.result(s,()=>e.reset(),()=>e.error(!0))}o(mk,"validateUnion");ne.validateUnion=mk});var Kg=x(kt=>{"use strict";Object.defineProperty(kt,"__esModule",{value:!0});kt.validateKeywordUsage=kt.validSchemaType=kt.funcKeywordCode=kt.macroKeywordCode=void 0;var Fe=V(),tn=Wt(),fk=mt(),hk=da();function gk(e,t){let{gen:r,keyword:n,schema:a,parentSchema:i,it:s}=e,c=t.macro.call(s.self,a,i,s),d=Zg(r,n,c);s.opts.validateSchema!==!1&&s.self.validateSchema(c,!0);let p=r.name("valid");e.subschema({schema:c,schemaPath:Fe.nil,errSchemaPath:`${s.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},p),e.pass(p,()=>e.error(!0))}o(gk,"macroKeywordCode");kt.macroKeywordCode=gk;function yk(e,t){var r;let{gen:n,keyword:a,schema:i,parentSchema:s,$data:c,it:d}=e;_k(d,t);let p=!c&&t.compile?t.compile.call(d.self,i,s,d):t.validate,l=Zg(n,a,p),m=n.let("valid");e.block$data(m,h),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function h(){if(t.errors===!1)S(),t.modifying&&Fg(e),w(()=>e.error());else{let v=t.async?y():_();t.modifying&&Fg(e),w(()=>Sk(e,v))}}o(h,"validateKeyword");function y(){let v=n.let("ruleErrs",null);return n.try(()=>S((0,Fe._)`await `),b=>n.assign(m,!1).if((0,Fe._)`${b} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,Fe._)`${b}.errors`),()=>n.throw(b))),v}o(y,"validateAsync");function _(){let v=(0,Fe._)`${l}.errors`;return n.assign(v,null),S(Fe.nil),v}o(_,"validateSync");function S(v=t.async?(0,Fe._)`await `:Fe.nil){let b=d.opts.passContext?tn.default.this:tn.default.self,R=!("compile"in t&&!c||t.schema===!1);n.assign(m,(0,Fe._)`${v}${(0,fk.callValidateCode)(e,l,b,R)}`,t.modifying)}o(S,"assignValid");function w(v){var b;n.if((0,Fe.not)((b=t.valid)!==null&&b!==void 0?b:m),v)}o(w,"reportErrs")}o(yk,"funcKeywordCode");kt.funcKeywordCode=yk;function Fg(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,Fe._)`${n.parentData}[${n.parentDataProperty}]`))}o(Fg,"modifyData");function Sk(e,t){let{gen:r}=e;r.if((0,Fe._)`Array.isArray(${t})`,()=>{r.assign(tn.default.vErrors,(0,Fe._)`${tn.default.vErrors} === null ? ${t} : ${tn.default.vErrors}.concat(${t})`).assign(tn.default.errors,(0,Fe._)`${tn.default.vErrors}.length`),(0,hk.extendErrors)(e)},()=>e.error())}o(Sk,"addErrs");function _k({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(_k,"checkAsyncKeyword");function Zg(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,Fe.stringify)(r)})}o(Zg,"useKeyword");function wk(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(wk,"validSchemaType");kt.validSchemaType=wk;function vk({schema:e,opts:t,self:r,errSchemaPath:n},a,i){if(Array.isArray(a.keyword)?!a.keyword.includes(i):a.keyword!==i)throw new Error("ajv implementation error");let s=a.dependencies;if(s?.some(c=>!Object.prototype.hasOwnProperty.call(e,c)))throw new Error(`parent schema must have dependencies of ${i}: ${s.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[i])){let d=`keyword "${i}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(vk,"validateKeywordUsage");kt.validateKeywordUsage=vk});var Wg=x(br=>{"use strict";Object.defineProperty(br,"__esModule",{value:!0});br.extendSubschemaMode=br.extendSubschemaData=br.getSubschema=void 0;var Tt=V(),Jg=te();function bk(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:i,topSchemaRef:s}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let c=e.schema[t];return r===void 0?{schema:c,schemaPath:(0,Tt._)`${e.schemaPath}${(0,Tt.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:c[r],schemaPath:(0,Tt._)`${e.schemaPath}${(0,Tt.getProperty)(t)}${(0,Tt.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,Jg.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||i===void 0||s===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:s,errSchemaPath:i}}throw new Error('either "keyword" or "schema" must be passed')}o(bk,"getSubschema");br.getSubschema=bk;function Rk(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:i,propertyName:s}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:c}=t;if(r!==void 0){let{errorPath:p,dataPathArr:l,opts:m}=t,h=c.let("data",(0,Tt._)`${t.data}${(0,Tt.getProperty)(r)}`,!0);d(h),e.errorPath=(0,Tt.str)`${p}${(0,Jg.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,Tt._)`${r}`,e.dataPathArr=[...l,e.parentDataProperty]}if(a!==void 0){let p=a instanceof Tt.Name?a:c.let("data",a,!0);d(p),s!==void 0&&(e.propertyName=s)}i&&(e.dataTypes=i);function d(p){e.data=p,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,p]}o(d,"dataContextProps")}o(Rk,"extendSubschemaData");br.extendSubschemaData=Rk;function Ck(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:i}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),i!==void 0&&(e.allErrors=i),e.jtdDiscriminator=t,e.jtdMetadata=r}o(Ck,"extendSubschemaMode");br.extendSubschemaMode=Ck});var Dd=x((X4,Yg)=>{"use strict";Yg.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,i;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(i=Object.keys(t),n=i.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,i[a]))return!1;for(a=n;a--!==0;){var s=i[a];if(!e(t[s],r[s]))return!1}return!0}return t!==t&&r!==r},"equal")});var Xg=x((t9,Qg)=>{"use strict";var Rr=Qg.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};Yi(t,n,a,e,"",e)};Rr.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};Rr.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};Rr.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};Rr.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function Yi(e,t,r,n,a,i,s,c,d,p){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,i,s,c,d,p);for(var l in n){var m=n[l];if(Array.isArray(m)){if(l in Rr.arrayKeywords)for(var h=0;h<m.length;h++)Yi(e,t,r,m[h],a+"/"+l+"/"+h,i,a,l,n,h)}else if(l in Rr.propsKeywords){if(m&&typeof m=="object")for(var y in m)Yi(e,t,r,m[y],a+"/"+l+"/"+Ik(y),i,a,l,n,y)}else(l in Rr.keywords||e.allKeys&&!(l in Rr.skipKeywords))&&Yi(e,t,r,m,a+"/"+l,i,a,l,n)}r(n,a,i,s,c,d,p)}}o(Yi,"_traverse");function Ik(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(Ik,"escapeJsonPtr")});var pa=x(tt=>{"use strict";Object.defineProperty(tt,"__esModule",{value:!0});tt.getSchemaRefs=tt.resolveUrl=tt.normalizeId=tt._getFullPath=tt.getFullPath=tt.inlineRef=void 0;var Pk=te(),xk=Dd(),Ak=Xg(),kk=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function Tk(e,t=!0){return typeof e=="boolean"?!0:t===!0?!Hd(e):t?ey(e)<=t:!1}o(Tk,"inlineRef");tt.inlineRef=Tk;var Ek=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function Hd(e){for(let t in e){if(Ek.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(Hd)||typeof r=="object"&&Hd(r))return!0}return!1}o(Hd,"hasRef");function ey(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!kk.has(r)&&(typeof e[r]=="object"&&(0,Pk.eachItem)(e[r],n=>t+=ey(n)),t===1/0))return 1/0}return t}o(ey,"countKeys");function ty(e,t="",r){r!==!1&&(t=Jn(t));let n=e.parse(t);return ry(e,n)}o(ty,"getFullPath");tt.getFullPath=ty;function ry(e,t){return e.serialize(t).split("#")[0]+"#"}o(ry,"_getFullPath");tt._getFullPath=ry;var Uk=/#\/?$/;function Jn(e){return e?e.replace(Uk,""):""}o(Jn,"normalizeId");tt.normalizeId=Jn;function Ok(e,t,r){return r=Jn(r),e.resolve(t,r)}o(Ok,"resolveUrl");tt.resolveUrl=Ok;var $k=/^[a-z_][-a-z0-9._]*$/i;function zk(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=Jn(e[r]||t),i={"":a},s=ty(n,a,!1),c={},d=new Set;return Ak(e,{allKeys:!0},(m,h,y,_)=>{if(_===void 0)return;let S=s+h,w=i[_];typeof m[r]=="string"&&(w=v.call(this,m[r])),b.call(this,m.$anchor),b.call(this,m.$dynamicAnchor),i[h]=w;function v(R){let M=this.opts.uriResolver.resolve;if(R=Jn(w?M(w,R):R),d.has(R))throw l(R);d.add(R);let q=this.refs[R];return typeof q=="string"&&(q=this.refs[q]),typeof q=="object"?p(m,q.schema,R):R!==Jn(S)&&(R[0]==="#"?(p(m,c[R],R),c[R]=m):this.refs[R]=S),R}o(v,"addRef");function b(R){if(typeof R=="string"){if(!$k.test(R))throw new Error(`invalid anchor "${R}"`);v.call(this,`#${R}`)}}o(b,"addAnchor")}),c;function p(m,h,y){if(h!==void 0&&!xk(m,h))throw l(y)}o(p,"checkAmbiguosRef");function l(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(l,"ambiguos")}o(zk,"getSchemaRefs");tt.getSchemaRefs=zk});var ha=x(Cr=>{"use strict";Object.defineProperty(Cr,"__esModule",{value:!0});Cr.getData=Cr.KeywordCxt=Cr.validateFunctionCode=void 0;var sy=Mg(),ny=la(),Bd=Od(),Qi=la(),Mk=Bg(),fa=Kg(),Ld=Wg(),O=V(),H=Wt(),qk=pa(),Yt=te(),ma=da();function Nk(e){if(dy(e)&&(ly(e),uy(e))){Hk(e);return}cy(e,()=>(0,sy.topBoolOrEmptySchema)(e))}o(Nk,"validateFunctionCode");Cr.validateFunctionCode=Nk;function cy({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},i){a.code.es5?e.func(t,(0,O._)`${H.default.data}, ${H.default.valCxt}`,n.$async,()=>{e.code((0,O._)`"use strict"; ${oy(r,a)}`),Dk(e,a),e.code(i)}):e.func(t,(0,O._)`${H.default.data}, ${jk(a)}`,n.$async,()=>e.code(oy(r,a)).code(i))}o(cy,"validateFunction");function jk(e){return(0,O._)`{${H.default.instancePath}="", ${H.default.parentData}, ${H.default.parentDataProperty}, ${H.default.rootData}=${H.default.data}${e.dynamicRef?(0,O._)`, ${H.default.dynamicAnchors}={}`:O.nil}}={}`}o(jk,"destructureValCxt");function Dk(e,t){e.if(H.default.valCxt,()=>{e.var(H.default.instancePath,(0,O._)`${H.default.valCxt}.${H.default.instancePath}`),e.var(H.default.parentData,(0,O._)`${H.default.valCxt}.${H.default.parentData}`),e.var(H.default.parentDataProperty,(0,O._)`${H.default.valCxt}.${H.default.parentDataProperty}`),e.var(H.default.rootData,(0,O._)`${H.default.valCxt}.${H.default.rootData}`),t.dynamicRef&&e.var(H.default.dynamicAnchors,(0,O._)`${H.default.valCxt}.${H.default.dynamicAnchors}`)},()=>{e.var(H.default.instancePath,(0,O._)`""`),e.var(H.default.parentData,(0,O._)`undefined`),e.var(H.default.parentDataProperty,(0,O._)`undefined`),e.var(H.default.rootData,H.default.data),t.dynamicRef&&e.var(H.default.dynamicAnchors,(0,O._)`{}`)})}o(Dk,"destructureValCxtES5");function Hk(e){let{schema:t,opts:r,gen:n}=e;cy(e,()=>{r.$comment&&t.$comment&&my(e),Fk(e),n.let(H.default.vErrors,null),n.let(H.default.errors,0),r.unevaluated&&Lk(e),py(e),Jk(e)})}o(Hk,"topSchemaObjCode");function Lk(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,O._)`${r}.evaluated`),t.if((0,O._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,O._)`${e.evaluated}.props`,(0,O._)`undefined`)),t.if((0,O._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,O._)`${e.evaluated}.items`,(0,O._)`undefined`))}o(Lk,"resetEvaluated");function oy(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,O._)`/*# sourceURL=${r} */`:O.nil}o(oy,"funcSourceUrl");function Bk(e,t){if(dy(e)&&(ly(e),uy(e))){Gk(e,t);return}(0,sy.boolOrEmptySchema)(e,t)}o(Bk,"subschemaCode");function uy({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(uy,"schemaCxtHasRules");function dy(e){return typeof e.schema!="boolean"}o(dy,"isSchemaObj");function Gk(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&my(e),Zk(e),Kk(e);let i=n.const("_errs",H.default.errors);py(e,i),n.var(t,(0,O._)`${i} === ${H.default.errors}`)}o(Gk,"subSchemaObjCode");function ly(e){(0,Yt.checkUnknownRules)(e),Vk(e)}o(ly,"checkKeywords");function py(e,t){if(e.opts.jtd)return ay(e,[],!1,t);let r=(0,ny.getSchemaTypes)(e.schema),n=(0,ny.coerceAndCheckDataType)(e,r);ay(e,r,!n,t)}o(py,"typeAndKeywords");function Vk(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Yt.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(Vk,"checkRefsAndKeywords");function Fk(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Yt.checkStrictMode)(e,"default is ignored in the schema root")}o(Fk,"checkNoDefault");function Zk(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,qk.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(Zk,"updateContext");function Kk(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(Kk,"checkAsyncSchema");function my({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let i=r.$comment;if(a.$comment===!0)e.code((0,O._)`${H.default.self}.logger.log(${i})`);else if(typeof a.$comment=="function"){let s=(0,O.str)`${n}/$comment`,c=e.scopeValue("root",{ref:t.root});e.code((0,O._)`${H.default.self}.opts.$comment(${i}, ${s}, ${c}.schema)`)}}o(my,"commentKeyword");function Jk(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:i}=e;r.$async?t.if((0,O._)`${H.default.errors} === 0`,()=>t.return(H.default.data),()=>t.throw((0,O._)`new ${a}(${H.default.vErrors})`)):(t.assign((0,O._)`${n}.errors`,H.default.vErrors),i.unevaluated&&Wk(e),t.return((0,O._)`${H.default.errors} === 0`))}o(Jk,"returnResults");function Wk({gen:e,evaluated:t,props:r,items:n}){r instanceof O.Name&&e.assign((0,O._)`${t}.props`,r),n instanceof O.Name&&e.assign((0,O._)`${t}.items`,n)}o(Wk,"assignEvaluated");function ay(e,t,r,n){let{gen:a,schema:i,data:s,allErrors:c,opts:d,self:p}=e,{RULES:l}=p;if(i.$ref&&(d.ignoreKeywordsWithRef||!(0,Yt.schemaHasRulesButRef)(i,l))){a.block(()=>hy(e,"$ref",l.all.$ref.definition));return}d.jtd||Yk(e,t),a.block(()=>{for(let h of l.rules)m(h);m(l.post)});function m(h){(0,Bd.shouldUseGroup)(i,h)&&(h.type?(a.if((0,Qi.checkDataType)(h.type,s,d.strictNumbers)),iy(e,h),t.length===1&&t[0]===h.type&&r&&(a.else(),(0,Qi.reportTypeError)(e)),a.endIf()):iy(e,h),c||a.if((0,O._)`${H.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(ay,"schemaKeywords");function iy(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,Mk.assignDefaults)(e,t.type),r.block(()=>{for(let i of t.rules)(0,Bd.shouldUseRule)(n,i)&&hy(e,i.keyword,i.definition,t.type)})}o(iy,"iterateKeywords");function Yk(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(Qk(e,t),e.opts.allowUnionTypes||Xk(e,t),eT(e,e.dataTypes))}o(Yk,"checkStrictTypes");function Qk(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{fy(e.dataTypes,r)||Gd(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),rT(e,t)}}o(Qk,"checkContextTypes");function Xk(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&Gd(e,"use allowUnionTypes to allow union type keyword")}o(Xk,"checkMultipleTypes");function eT(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,Bd.shouldUseRule)(e.schema,a)){let{type:i}=a.definition;i.length&&!i.some(s=>tT(t,s))&&Gd(e,`missing type "${i.join(",")}" for keyword "${n}"`)}}}o(eT,"checkKeywordTypes");function tT(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(tT,"hasApplicableType");function fy(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(fy,"includesType");function rT(e,t){let r=[];for(let n of e.dataTypes)fy(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(rT,"narrowSchemaTypes");function Gd(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Yt.checkStrictMode)(e,t,e.opts.strictTypes)}o(Gd,"strictTypesError");var Xi=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,fa.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Yt.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",gy(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,fa.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",H.default.errors))}result(t,r,n){this.failResult((0,O.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,O.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,O._)`${r} !== undefined && (${(0,O.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?ma.reportExtraError:ma.reportError)(this,this.def.error,r)}$dataError(){(0,ma.reportError)(this,this.def.$dataError||ma.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,ma.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=O.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=O.nil,r=O.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:i,def:s}=this;n.if((0,O.or)((0,O._)`${a} === undefined`,r)),t!==O.nil&&n.assign(t,!0),(i.length||s.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==O.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:i}=this;return(0,O.or)(s(),c());function s(){if(n.length){if(!(r instanceof O.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,O._)`${(0,Qi.checkDataTypes)(d,r,i.opts.strictNumbers,Qi.DataType.Wrong)}`}return O.nil}function c(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,O._)`!${d}(${r})`}return O.nil}}subschema(t,r){let n=(0,Ld.getSubschema)(this.it,t);(0,Ld.extendSubschemaData)(n,this.it,t),(0,Ld.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return Bk(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Yt.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Yt.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,O.Name)),!0}};Cr.KeywordCxt=Xi;function hy(e,t,r,n){let a=new Xi(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,fa.funcKeywordCode)(a,r):"macro"in r?(0,fa.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,fa.funcKeywordCode)(a,r)}o(hy,"keywordCode");var nT=/^\/(?:[^~]|~0|~1)*$/,oT=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function gy(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,i;if(e==="")return H.default.rootData;if(e[0]==="/"){if(!nT.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,i=H.default.rootData}else{let p=oT.exec(e);if(!p)throw new Error(`Invalid JSON-pointer: ${e}`);let l=+p[1];if(a=p[2],a==="#"){if(l>=t)throw new Error(d("property/index",l));return n[t-l]}if(l>t)throw new Error(d("data",l));if(i=r[t-l],!a)return i}let s=i,c=a.split("/");for(let p of c)p&&(i=(0,O._)`${i}${(0,O.getProperty)((0,Yt.unescapeJsonPointer)(p))}`,s=(0,O._)`${s} && ${i}`);return s;function d(p,l){return`Cannot access ${p} ${l} levels up, current level is ${t}`}}o(gy,"getData");Cr.getData=gy});var es=x(Fd=>{"use strict";Object.defineProperty(Fd,"__esModule",{value:!0});var Vd=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};Fd.default=Vd});var ga=x(Jd=>{"use strict";Object.defineProperty(Jd,"__esModule",{value:!0});var Zd=pa(),Kd=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,Zd.resolveUrl)(t,r,n),this.missingSchema=(0,Zd.normalizeId)((0,Zd.getFullPath)(t,this.missingRef))}};Jd.default=Kd});var rs=x(ft=>{"use strict";Object.defineProperty(ft,"__esModule",{value:!0});ft.resolveSchema=ft.getCompilingSchema=ft.resolveRef=ft.compileSchema=ft.SchemaEnv=void 0;var wt=V(),aT=es(),rn=Wt(),vt=pa(),yy=te(),iT=ha(),Wn=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,vt.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};ft.SchemaEnv=Wn;function Yd(e){let t=Sy.call(this,e);if(t)return t;let r=(0,vt.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:i}=this.opts,s=new wt.CodeGen(this.scope,{es5:n,lines:a,ownProperties:i}),c;e.$async&&(c=s.scopeValue("Error",{ref:aT.default,code:(0,wt._)`require("ajv/dist/runtime/validation_error").default`}));let d=s.scopeName("validate");e.validateName=d;let p={gen:s,allErrors:this.opts.allErrors,data:rn.default.data,parentData:rn.default.parentData,parentDataProperty:rn.default.parentDataProperty,dataNames:[rn.default.data],dataPathArr:[wt.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:s.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,wt.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:c,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:wt.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,wt._)`""`,opts:this.opts,self:this},l;try{this._compilations.add(e),(0,iT.validateFunctionCode)(p),s.optimize(this.opts.code.optimize);let m=s.toString();l=`${s.scopeRefs(rn.default.scope)}return ${m}`,this.opts.code.process&&(l=this.opts.code.process(l,e));let y=new Function(`${rn.default.self}`,`${rn.default.scope}`,l)(this,this.scope.get());if(this.scope.value(d,{ref:y}),y.errors=null,y.schema=e.schema,y.schemaEnv=e,e.$async&&(y.$async=!0),this.opts.code.source===!0&&(y.source={validateName:d,validateCode:m,scopeValues:s._values}),this.opts.unevaluated){let{props:_,items:S}=p;y.evaluated={props:_ instanceof wt.Name?void 0:_,items:S instanceof wt.Name?void 0:S,dynamicProps:_ instanceof wt.Name,dynamicItems:S instanceof wt.Name},y.source&&(y.source.evaluated=(0,wt.stringify)(y.evaluated))}return e.validate=y,e}catch(m){throw delete e.validate,delete e.validateName,l&&this.logger.error("Error compiling schema, function code:",l),m}finally{this._compilations.delete(e)}}o(Yd,"compileSchema");ft.compileSchema=Yd;function sT(e,t,r){var n;r=(0,vt.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let i=dT.call(this,e,r);if(i===void 0){let s=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:c}=this.opts;s&&(i=new Wn({schema:s,schemaId:c,root:e,baseId:t}))}if(i!==void 0)return e.refs[r]=cT.call(this,i)}o(sT,"resolveRef");ft.resolveRef=sT;function cT(e){return(0,vt.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:Yd.call(this,e)}o(cT,"inlineOrCompile");function Sy(e){for(let t of this._compilations)if(uT(t,e))return t}o(Sy,"getCompilingSchema");ft.getCompilingSchema=Sy;function uT(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(uT,"sameSchemaEnv");function dT(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||ts.call(this,e,t)}o(dT,"resolve");function ts(e,t){let r=this.opts.uriResolver.parse(t),n=(0,vt._getFullPath)(this.opts.uriResolver,r),a=(0,vt.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return Wd.call(this,r,e);let i=(0,vt.normalizeId)(n),s=this.refs[i]||this.schemas[i];if(typeof s=="string"){let c=ts.call(this,e,s);return typeof c?.schema!="object"?void 0:Wd.call(this,r,c)}if(typeof s?.schema=="object"){if(s.validate||Yd.call(this,s),i===(0,vt.normalizeId)(t)){let{schema:c}=s,{schemaId:d}=this.opts,p=c[d];return p&&(a=(0,vt.resolveUrl)(this.opts.uriResolver,a,p)),new Wn({schema:c,schemaId:d,root:e,baseId:a})}return Wd.call(this,r,s)}}o(ts,"resolveSchema");ft.resolveSchema=ts;var lT=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function Wd(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let c of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,yy.unescapeFragment)(c)];if(d===void 0)return;r=d;let p=typeof r=="object"&&r[this.opts.schemaId];!lT.has(c)&&p&&(t=(0,vt.resolveUrl)(this.opts.uriResolver,t,p))}let i;if(typeof r!="boolean"&&r.$ref&&!(0,yy.schemaHasRulesButRef)(r,this.RULES)){let c=(0,vt.resolveUrl)(this.opts.uriResolver,t,r.$ref);i=ts.call(this,n,c)}let{schemaId:s}=this.opts;if(i=i||new Wn({schema:r,schemaId:s,root:n,baseId:t}),i.schema!==i.root.schema)return i}o(Wd,"getJsonPointer")});var _y=x((m9,pT)=>{pT.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var Xd=x((f9,Ry)=>{"use strict";var mT=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),vy=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function Qd(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(Qd,"stringArrayToHexStripped");var fT=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function wy(e){return e.length=0,!0}o(wy,"consumeIsZone");function hT(e,t,r){if(e.length){let n=Qd(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(hT,"consumeHextets");function gT(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],i=!1,s=!1,c=hT;for(let d=0;d<e.length;d++){let p=e[d];if(!(p==="["||p==="]"))if(p===":"){if(i===!0&&(s=!0),!c(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(i=!0),n.push(":");continue}else if(p==="%"){if(!c(a,n,r))break;c=wy}else{a.push(p);continue}}return a.length&&(c===wy?r.zone=a.join(""):s?n.push(a.join("")):n.push(Qd(a))),r.address=n.join(""),r}o(gT,"getIPV6");function by(e){if(yT(e,":")<2)return{host:e,isIPV6:!1};let t=gT(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(by,"normalizeIPv6");function yT(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(yT,"findToken");function ST(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o(ST,"removeDotSegments");function _T(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(_T,"normalizeComponentEncoding");function wT(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!vy(r)){let n=by(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(wT,"recomposeAuthority");Ry.exports={nonSimpleDomain:fT,recomposeAuthority:wT,normalizeComponentEncoding:_T,removeDotSegments:ST,isIPv4:vy,isUUID:mT,normalizeIPv6:by,stringArrayToHexStripped:Qd}});var Ay=x((g9,xy)=>{"use strict";var{isUUID:vT}=Xd(),bT=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,RT=["http","https","ws","wss","urn","urn:uuid"];function CT(e){return RT.indexOf(e)!==-1}o(CT,"isValidSchemeName");function el(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(el,"wsIsSecure");function Cy(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(Cy,"httpParse");function Iy(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(Iy,"httpSerialize");function IT(e){return e.secure=el(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(IT,"wsParse");function PT(e){if((e.port===(el(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(PT,"wsSerialize");function xT(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(bT);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,i=tl(a);e.path=void 0,i&&(e=i.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(xT,"urnParse");function AT(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,i=tl(a);i&&(e=i.serialize(e,t));let s=e,c=e.nss;return s.path=`${n||t.nid}:${c}`,t.skipEscape=!0,s}o(AT,"urnSerialize");function kT(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!vT(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(kT,"urnuuidParse");function TT(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(TT,"urnuuidSerialize");var Py={scheme:"http",domainHost:!0,parse:Cy,serialize:Iy},ET={scheme:"https",domainHost:Py.domainHost,parse:Cy,serialize:Iy},ns={scheme:"ws",domainHost:!0,parse:IT,serialize:PT},UT={scheme:"wss",domainHost:ns.domainHost,parse:ns.parse,serialize:ns.serialize},OT={scheme:"urn",parse:xT,serialize:AT,skipNormalize:!0},$T={scheme:"urn:uuid",parse:kT,serialize:TT,skipNormalize:!0},os={http:Py,https:ET,ws:ns,wss:UT,urn:OT,"urn:uuid":$T};Object.setPrototypeOf(os,null);function tl(e){return e&&(os[e]||os[e.toLowerCase()])||void 0}o(tl,"getSchemeHandler");xy.exports={wsIsSecure:el,SCHEMES:os,isValidSchemeName:CT,getSchemeHandler:tl}});var Ey=x((S9,is)=>{"use strict";var{normalizeIPv6:zT,removeDotSegments:ya,recomposeAuthority:MT,normalizeComponentEncoding:as,isIPv4:qT,nonSimpleDomain:NT}=Xd(),{SCHEMES:jT,getSchemeHandler:ky}=Ay();function DT(e,t){return typeof e=="string"?e=Et(Qt(e,t),t):typeof e=="object"&&(e=Qt(Et(e,t),t)),e}o(DT,"normalize");function HT(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=Ty(Qt(e,n),Qt(t,n),n,!0);return n.skipEscape=!0,Et(a,n)}o(HT,"resolve");function Ty(e,t,r,n){let a={};return n||(e=Qt(Et(e,r),r),t=Qt(Et(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=ya(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=ya(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=ya(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=ya(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(Ty,"resolveComponent");function LT(e,t,r){return typeof e=="string"?(e=unescape(e),e=Et(as(Qt(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=Et(as(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=Et(as(Qt(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=Et(as(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(LT,"equal");function Et(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],i=ky(n.scheme||r.scheme);i&&i.serialize&&i.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let s=MT(r);if(s!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(s),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let c=r.path;!n.absolutePath&&(!i||!i.absolutePath)&&(c=ya(c)),s===void 0&&c[0]==="/"&&c[1]==="/"&&(c="/%2F"+c.slice(2)),a.push(c)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(Et,"serialize");var BT=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function Qt(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let i=e.match(BT);if(i){if(n.scheme=i[1],n.userinfo=i[3],n.host=i[4],n.port=parseInt(i[5],10),n.path=i[6]||"",n.query=i[7],n.fragment=i[8],isNaN(n.port)&&(n.port=i[5]),n.host)if(qT(n.host)===!1){let d=zT(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let s=ky(r.scheme||n.scheme);if(!r.unicodeSupport&&(!s||!s.unicodeSupport)&&n.host&&(r.domainHost||s&&s.domainHost)&&a===!1&&NT(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(c){n.error=n.error||"Host's domain name can not be converted to ASCII: "+c}(!s||s&&!s.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),s&&s.parse&&s.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(Qt,"parse");var rl={SCHEMES:jT,normalize:DT,resolve:HT,resolveComponent:Ty,equal:LT,serialize:Et,parse:Qt};is.exports=rl;is.exports.default=rl;is.exports.fastUri=rl});var Oy=x(nl=>{"use strict";Object.defineProperty(nl,"__esModule",{value:!0});var Uy=Ey();Uy.code='require("ajv/dist/runtime/uri").default';nl.default=Uy});var Hy=x(Oe=>{"use strict";Object.defineProperty(Oe,"__esModule",{value:!0});Oe.CodeGen=Oe.Name=Oe.nil=Oe.stringify=Oe.str=Oe._=Oe.KeywordCxt=void 0;var GT=ha();Object.defineProperty(Oe,"KeywordCxt",{enumerable:!0,get:o(function(){return GT.KeywordCxt},"get")});var Yn=V();Object.defineProperty(Oe,"_",{enumerable:!0,get:o(function(){return Yn._},"get")});Object.defineProperty(Oe,"str",{enumerable:!0,get:o(function(){return Yn.str},"get")});Object.defineProperty(Oe,"stringify",{enumerable:!0,get:o(function(){return Yn.stringify},"get")});Object.defineProperty(Oe,"nil",{enumerable:!0,get:o(function(){return Yn.nil},"get")});Object.defineProperty(Oe,"Name",{enumerable:!0,get:o(function(){return Yn.Name},"get")});Object.defineProperty(Oe,"CodeGen",{enumerable:!0,get:o(function(){return Yn.CodeGen},"get")});var VT=es(),Ny=ga(),FT=Ud(),Sa=rs(),ZT=V(),_a=pa(),ss=la(),al=te(),$y=_y(),KT=Oy(),jy=o((e,t)=>new RegExp(e,t),"defaultRegExp");jy.code="new RegExp";var JT=["removeAdditional","useDefaults","coerceTypes"],WT=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),YT={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},QT={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},zy=200;function XT(e){var t,r,n,a,i,s,c,d,p,l,m,h,y,_,S,w,v,b,R,M,q,Me,it,Sn,or;let qt=e.strict,Ur=(t=e.code)===null||t===void 0?void 0:t.optimize,po=Ur===!0||Ur===void 0?1:Ur||0,mo=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:jy,fo=(a=e.uriResolver)!==null&&a!==void 0?a:KT.default;return{strictSchema:(s=(i=e.strictSchema)!==null&&i!==void 0?i:qt)!==null&&s!==void 0?s:!0,strictNumbers:(d=(c=e.strictNumbers)!==null&&c!==void 0?c:qt)!==null&&d!==void 0?d:!0,strictTypes:(l=(p=e.strictTypes)!==null&&p!==void 0?p:qt)!==null&&l!==void 0?l:"log",strictTuples:(h=(m=e.strictTuples)!==null&&m!==void 0?m:qt)!==null&&h!==void 0?h:"log",strictRequired:(_=(y=e.strictRequired)!==null&&y!==void 0?y:qt)!==null&&_!==void 0?_:!1,code:e.code?{...e.code,optimize:po,regExp:mo}:{optimize:po,regExp:mo},loopRequired:(S=e.loopRequired)!==null&&S!==void 0?S:zy,loopEnum:(w=e.loopEnum)!==null&&w!==void 0?w:zy,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(b=e.messages)!==null&&b!==void 0?b:!0,inlineRefs:(R=e.inlineRefs)!==null&&R!==void 0?R:!0,schemaId:(M=e.schemaId)!==null&&M!==void 0?M:"$id",addUsedSchema:(q=e.addUsedSchema)!==null&&q!==void 0?q:!0,validateSchema:(Me=e.validateSchema)!==null&&Me!==void 0?Me:!0,validateFormats:(it=e.validateFormats)!==null&&it!==void 0?it:!0,unicodeRegExp:(Sn=e.unicodeRegExp)!==null&&Sn!==void 0?Sn:!0,int32range:(or=e.int32range)!==null&&or!==void 0?or:!0,uriResolver:fo}}o(XT,"requiredOptions");var wa=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...XT(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new ZT.ValueScope({scope:{},prefixes:WT,es5:r,lines:n}),this.logger=a0(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,FT.getRules)(),My.call(this,YT,t,"NOT SUPPORTED"),My.call(this,QT,t,"DEPRECATED","warn"),this._metaOpts=n0.call(this),t.formats&&t0.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&r0.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),e0.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=$y;n==="id"&&(a={...$y},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(l,m){await i.call(this,l.$schema);let h=this._addSchema(l,m);return h.validate||s.call(this,h)}async function i(l){l&&!this.getSchema(l)&&await a.call(this,{$ref:l},!0)}async function s(l){try{return this._compileSchemaEnv(l)}catch(m){if(!(m instanceof Ny.default))throw m;return c.call(this,m),await d.call(this,m.missingSchema),s.call(this,l)}}function c({missingSchema:l,missingRef:m}){if(this.refs[l])throw new Error(`AnySchema ${l} is loaded but ${m} cannot be resolved`)}async function d(l){let m=await p.call(this,l);this.refs[l]||await i.call(this,m.$schema),this.refs[l]||this.addSchema(m,l,r)}async function p(l){let m=this._loading[l];if(m)return m;try{return await(this._loading[l]=n(l))}finally{delete this._loading[l]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let s of t)this.addSchema(s,void 0,n,a);return this}let i;if(typeof t=="object"){let{schemaId:s}=this.opts;if(i=t[s],i!==void 0&&typeof i!="string")throw new Error(`schema ${s} must be string`)}return r=(0,_a.normalizeId)(r||i),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let i="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(i);else throw new Error(i)}return a}getSchema(t){let r;for(;typeof(r=qy.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new Sa.SchemaEnv({schema:{},schemaId:n});if(r=Sa.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=qy.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,_a.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(s0.call(this,n,r),!r)return(0,al.eachItem)(n,i=>ol.call(this,i)),this;u0.call(this,r);let a={...r,type:(0,ss.getJSONTypes)(r.type),schemaType:(0,ss.getJSONTypes)(r.schemaType)};return(0,al.eachItem)(n,a.type.length===0?i=>ol.call(this,i,a):i=>a.type.forEach(s=>ol.call(this,i,a,s))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(i=>i.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,i)=>a+r+i)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let i=a.split("/").slice(1),s=t;for(let c of i)s=s[c];for(let c in n){let d=n[c];if(typeof d!="object")continue;let{$data:p}=d.definition,l=s[c];p&&l&&(s[c]=Dy(l))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,i=this.opts.addUsedSchema){let s,{schemaId:c}=this.opts;if(typeof t=="object")s=t[c];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,_a.normalizeId)(s||n);let p=_a.getSchemaRefs.call(this,t,n);return d=new Sa.SchemaEnv({schema:t,schemaId:c,meta:r,baseId:n,localRefs:p}),this._cache.set(d.schema,d),i&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):Sa.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{Sa.compileSchema.call(this,t)}finally{this.opts=r}}};wa.ValidationError=VT.default;wa.MissingRefError=Ny.default;Oe.default=wa;function My(e,t,r,n="error"){for(let a in e){let i=a;i in t&&this.logger[n](`${r}: option ${a}. ${e[i]}`)}}o(My,"checkOptions");function qy(e){return e=(0,_a.normalizeId)(e),this.schemas[e]||this.refs[e]}o(qy,"getSchEnv");function e0(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(e0,"addInitialSchemas");function t0(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(t0,"addInitialFormats");function r0(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(r0,"addInitialKeywords");function n0(){let e={...this.opts};for(let t of JT)delete e[t];return e}o(n0,"getMetaSchemaOptions");var o0={log(){},warn(){},error(){}};function a0(e){if(e===!1)return o0;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(a0,"getLogger");var i0=/^[a-z_$][a-z0-9_$:-]*$/i;function s0(e,t){let{RULES:r}=this;if((0,al.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!i0.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(s0,"checkKeyword");function ol(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:i}=this,s=a?i.post:i.rules.find(({type:d})=>d===r);if(s||(s={type:r,rules:[]},i.rules.push(s)),i.keywords[e]=!0,!t)return;let c={keyword:e,definition:{...t,type:(0,ss.getJSONTypes)(t.type),schemaType:(0,ss.getJSONTypes)(t.schemaType)}};t.before?c0.call(this,s,c,t.before):s.rules.push(c),i.all[e]=c,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(ol,"addRule");function c0(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(c0,"addBeforeRule");function u0(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=Dy(t)),e.validateSchema=this.compile(t,!0))}o(u0,"keywordMetaschema");var d0={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function Dy(e){return{anyOf:[e,d0]}}o(Dy,"schemaOrData")});var Ly=x(il=>{"use strict";Object.defineProperty(il,"__esModule",{value:!0});var l0={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};il.default=l0});var Fy=x(nn=>{"use strict";Object.defineProperty(nn,"__esModule",{value:!0});nn.callRef=nn.getValidate=void 0;var p0=ga(),By=mt(),rt=V(),Qn=Wt(),Gy=rs(),cs=te(),m0={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:i,validateName:s,opts:c,self:d}=n,{root:p}=i;if((r==="#"||r==="#/")&&a===p.baseId)return m();let l=Gy.resolveRef.call(d,p,a,r);if(l===void 0)throw new p0.default(n.opts.uriResolver,a,r);if(l instanceof Gy.SchemaEnv)return h(l);return y(l);function m(){if(i===p)return us(e,s,i,i.$async);let _=t.scopeValue("root",{ref:p});return us(e,(0,rt._)`${_}.validate`,p,p.$async)}function h(_){let S=Vy(e,_);us(e,S,_,_.$async)}function y(_){let S=t.scopeValue("schema",c.code.source===!0?{ref:_,code:(0,rt.stringify)(_)}:{ref:_}),w=t.name("valid"),v=e.subschema({schema:_,dataTypes:[],schemaPath:rt.nil,topSchemaRef:S,errSchemaPath:r},w);e.mergeEvaluated(v),e.ok(w)}}};function Vy(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,rt._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(Vy,"getValidate");nn.getValidate=Vy;function us(e,t,r,n){let{gen:a,it:i}=e,{allErrors:s,schemaEnv:c,opts:d}=i,p=d.passContext?Qn.default.this:rt.nil;n?l():m();function l(){if(!c.$async)throw new Error("async schema referenced by sync schema");let _=a.let("valid");a.try(()=>{a.code((0,rt._)`await ${(0,By.callValidateCode)(e,t,p)}`),y(t),s||a.assign(_,!0)},S=>{a.if((0,rt._)`!(${S} instanceof ${i.ValidationError})`,()=>a.throw(S)),h(S),s||a.assign(_,!1)}),e.ok(_)}o(l,"callAsyncRef");function m(){e.result((0,By.callValidateCode)(e,t,p),()=>y(t),()=>h(t))}o(m,"callSyncRef");function h(_){let S=(0,rt._)`${_}.errors`;a.assign(Qn.default.vErrors,(0,rt._)`${Qn.default.vErrors} === null ? ${S} : ${Qn.default.vErrors}.concat(${S})`),a.assign(Qn.default.errors,(0,rt._)`${Qn.default.vErrors}.length`)}o(h,"addErrorsFrom");function y(_){var S;if(!i.opts.unevaluated)return;let w=(S=r?.validate)===null||S===void 0?void 0:S.evaluated;if(i.props!==!0)if(w&&!w.dynamicProps)w.props!==void 0&&(i.props=cs.mergeEvaluated.props(a,w.props,i.props));else{let v=a.var("props",(0,rt._)`${_}.evaluated.props`);i.props=cs.mergeEvaluated.props(a,v,i.props,rt.Name)}if(i.items!==!0)if(w&&!w.dynamicItems)w.items!==void 0&&(i.items=cs.mergeEvaluated.items(a,w.items,i.items));else{let v=a.var("items",(0,rt._)`${_}.evaluated.items`);i.items=cs.mergeEvaluated.items(a,v,i.items,rt.Name)}}o(y,"addEvaluatedFrom")}o(us,"callRef");nn.callRef=us;nn.default=m0});var Zy=x(sl=>{"use strict";Object.defineProperty(sl,"__esModule",{value:!0});var f0=Ly(),h0=Fy(),g0=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",f0.default,h0.default];sl.default=g0});var Ky=x(cl=>{"use strict";Object.defineProperty(cl,"__esModule",{value:!0});var ds=V(),Ir=ds.operators,ls={maximum:{okStr:"<=",ok:Ir.LTE,fail:Ir.GT},minimum:{okStr:">=",ok:Ir.GTE,fail:Ir.LT},exclusiveMaximum:{okStr:"<",ok:Ir.LT,fail:Ir.GTE},exclusiveMinimum:{okStr:">",ok:Ir.GT,fail:Ir.LTE}},y0={message:o(({keyword:e,schemaCode:t})=>(0,ds.str)`must be ${ls[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ds._)`{comparison: ${ls[e].okStr}, limit: ${t}}`,"params")},S0={keyword:Object.keys(ls),type:"number",schemaType:"number",$data:!0,error:y0,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,ds._)`${r} ${ls[t].fail} ${n} || isNaN(${r})`)}};cl.default=S0});var Jy=x(ul=>{"use strict";Object.defineProperty(ul,"__esModule",{value:!0});var va=V(),_0={message:o(({schemaCode:e})=>(0,va.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,va._)`{multipleOf: ${e}}`,"params")},w0={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:_0,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,i=a.opts.multipleOfPrecision,s=t.let("res"),c=i?(0,va._)`Math.abs(Math.round(${s}) - ${s}) > 1e-${i}`:(0,va._)`${s} !== parseInt(${s})`;e.fail$data((0,va._)`(${n} === 0 || (${s} = ${r}/${n}, ${c}))`)}};ul.default=w0});var Yy=x(dl=>{"use strict";Object.defineProperty(dl,"__esModule",{value:!0});function Wy(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(Wy,"ucs2length");dl.default=Wy;Wy.code='require("ajv/dist/runtime/ucs2length").default'});var Qy=x(ll=>{"use strict";Object.defineProperty(ll,"__esModule",{value:!0});var on=V(),v0=te(),b0=Yy(),R0={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,on.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,on._)`{limit: ${e}}`,"params")},C0={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:R0,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,i=t==="maxLength"?on.operators.GT:on.operators.LT,s=a.opts.unicode===!1?(0,on._)`${r}.length`:(0,on._)`${(0,v0.useFunc)(e.gen,b0.default)}(${r})`;e.fail$data((0,on._)`${s} ${i} ${n}`)}};ll.default=C0});var Xy=x(pl=>{"use strict";Object.defineProperty(pl,"__esModule",{value:!0});var I0=mt(),ps=V(),P0={message:o(({schemaCode:e})=>(0,ps.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,ps._)`{pattern: ${e}}`,"params")},x0={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:P0,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:i}=e,s=i.opts.unicodeRegExp?"u":"",c=r?(0,ps._)`(new RegExp(${a}, ${s}))`:(0,I0.usePattern)(e,n);e.fail$data((0,ps._)`!${c}.test(${t})`)}};pl.default=x0});var eS=x(ml=>{"use strict";Object.defineProperty(ml,"__esModule",{value:!0});var ba=V(),A0={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,ba.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,ba._)`{limit: ${e}}`,"params")},k0={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:A0,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?ba.operators.GT:ba.operators.LT;e.fail$data((0,ba._)`Object.keys(${r}).length ${a} ${n}`)}};ml.default=k0});var tS=x(fl=>{"use strict";Object.defineProperty(fl,"__esModule",{value:!0});var Ra=mt(),Ca=V(),T0=te(),E0={message:o(({params:{missingProperty:e}})=>(0,Ca.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,Ca._)`{missingProperty: ${e}}`,"params")},U0={keyword:"required",type:"object",schemaType:"array",$data:!0,error:E0,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:i,it:s}=e,{opts:c}=s;if(!i&&r.length===0)return;let d=r.length>=c.loopRequired;if(s.allErrors?p():l(),c.strictRequired){let y=e.parentSchema.properties,{definedProperties:_}=e.it;for(let S of r)if(y?.[S]===void 0&&!_.has(S)){let w=s.schemaEnv.baseId+s.errSchemaPath,v=`required property "${S}" is not defined at "${w}" (strictRequired)`;(0,T0.checkStrictMode)(s,v,s.opts.strictRequired)}}function p(){if(d||i)e.block$data(Ca.nil,m);else for(let y of r)(0,Ra.checkReportMissingProp)(e,y)}o(p,"allErrorsMode");function l(){let y=t.let("missing");if(d||i){let _=t.let("valid",!0);e.block$data(_,()=>h(y,_)),e.ok(_)}else t.if((0,Ra.checkMissingProp)(e,r,y)),(0,Ra.reportMissingProp)(e,y),t.else()}o(l,"exitOnErrorMode");function m(){t.forOf("prop",n,y=>{e.setParams({missingProperty:y}),t.if((0,Ra.noPropertyInData)(t,a,y,c.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function h(y,_){e.setParams({missingProperty:y}),t.forOf(y,n,()=>{t.assign(_,(0,Ra.propertyInData)(t,a,y,c.ownProperties)),t.if((0,Ca.not)(_),()=>{e.error(),t.break()})},Ca.nil)}o(h,"loopUntilMissing")}};fl.default=U0});var rS=x(hl=>{"use strict";Object.defineProperty(hl,"__esModule",{value:!0});var Ia=V(),O0={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,Ia.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,Ia._)`{limit: ${e}}`,"params")},$0={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:O0,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?Ia.operators.GT:Ia.operators.LT;e.fail$data((0,Ia._)`${r}.length ${a} ${n}`)}};hl.default=$0});var ms=x(gl=>{"use strict";Object.defineProperty(gl,"__esModule",{value:!0});var nS=Dd();nS.code='require("ajv/dist/runtime/equal").default';gl.default=nS});var oS=x(Sl=>{"use strict";Object.defineProperty(Sl,"__esModule",{value:!0});var yl=la(),$e=V(),z0=te(),M0=ms(),q0={message:o(({params:{i:e,j:t}})=>(0,$e.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,$e._)`{i: ${e}, j: ${t}}`,"params")},N0={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:q0,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:i,schemaCode:s,it:c}=e;if(!n&&!a)return;let d=t.let("valid"),p=i.items?(0,yl.getSchemaTypes)(i.items):[];e.block$data(d,l,(0,$e._)`${s} === false`),e.ok(d);function l(){let _=t.let("i",(0,$e._)`${r}.length`),S=t.let("j");e.setParams({i:_,j:S}),t.assign(d,!0),t.if((0,$e._)`${_} > 1`,()=>(m()?h:y)(_,S))}o(l,"validateUniqueItems");function m(){return p.length>0&&!p.some(_=>_==="object"||_==="array")}o(m,"canOptimize");function h(_,S){let w=t.name("item"),v=(0,yl.checkDataTypes)(p,w,c.opts.strictNumbers,yl.DataType.Wrong),b=t.const("indices",(0,$e._)`{}`);t.for((0,$e._)`;${_}--;`,()=>{t.let(w,(0,$e._)`${r}[${_}]`),t.if(v,(0,$e._)`continue`),p.length>1&&t.if((0,$e._)`typeof ${w} == "string"`,(0,$e._)`${w} += "_"`),t.if((0,$e._)`typeof ${b}[${w}] == "number"`,()=>{t.assign(S,(0,$e._)`${b}[${w}]`),e.error(),t.assign(d,!1).break()}).code((0,$e._)`${b}[${w}] = ${_}`)})}o(h,"loopN");function y(_,S){let w=(0,z0.useFunc)(t,M0.default),v=t.name("outer");t.label(v).for((0,$e._)`;${_}--;`,()=>t.for((0,$e._)`${S} = ${_}; ${S}--;`,()=>t.if((0,$e._)`${w}(${r}[${_}], ${r}[${S}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(y,"loopN2")}};Sl.default=N0});var aS=x(wl=>{"use strict";Object.defineProperty(wl,"__esModule",{value:!0});var _l=V(),j0=te(),D0=ms(),H0={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,_l._)`{allowedValue: ${e}}`,"params")},L0={keyword:"const",$data:!0,error:H0,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:i}=e;n||i&&typeof i=="object"?e.fail$data((0,_l._)`!${(0,j0.useFunc)(t,D0.default)}(${r}, ${a})`):e.fail((0,_l._)`${i} !== ${r}`)}};wl.default=L0});var iS=x(vl=>{"use strict";Object.defineProperty(vl,"__esModule",{value:!0});var Pa=V(),B0=te(),G0=ms(),V0={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,Pa._)`{allowedValues: ${e}}`,"params")},F0={keyword:"enum",schemaType:"array",$data:!0,error:V0,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:i,it:s}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let c=a.length>=s.opts.loopEnum,d,p=o(()=>d??(d=(0,B0.useFunc)(t,G0.default)),"getEql"),l;if(c||n)l=t.let("valid"),e.block$data(l,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let y=t.const("vSchema",i);l=(0,Pa.or)(...a.map((_,S)=>h(y,S)))}e.pass(l);function m(){t.assign(l,!1),t.forOf("v",i,y=>t.if((0,Pa._)`${p()}(${r}, ${y})`,()=>t.assign(l,!0).break()))}o(m,"loopEnum");function h(y,_){let S=a[_];return typeof S=="object"&&S!==null?(0,Pa._)`${p()}(${r}, ${y}[${_}])`:(0,Pa._)`${r} === ${S}`}o(h,"equalCode")}};vl.default=F0});var sS=x(bl=>{"use strict";Object.defineProperty(bl,"__esModule",{value:!0});var Z0=Ky(),K0=Jy(),J0=Qy(),W0=Xy(),Y0=eS(),Q0=tS(),X0=rS(),eE=oS(),tE=aS(),rE=iS(),nE=[Z0.default,K0.default,J0.default,W0.default,Y0.default,Q0.default,X0.default,eE.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},tE.default,rE.default];bl.default=nE});var Cl=x(xa=>{"use strict";Object.defineProperty(xa,"__esModule",{value:!0});xa.validateAdditionalItems=void 0;var an=V(),Rl=te(),oE={message:o(({params:{len:e}})=>(0,an.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,an._)`{limit: ${e}}`,"params")},aE={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:oE,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,Rl.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}cS(e,n)}};function cS(e,t){let{gen:r,schema:n,data:a,keyword:i,it:s}=e;s.items=!0;let c=r.const("len",(0,an._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,an._)`${c} <= ${t.length}`);else if(typeof n=="object"&&!(0,Rl.alwaysValidSchema)(s,n)){let p=r.var("valid",(0,an._)`${c} <= ${t.length}`);r.if((0,an.not)(p),()=>d(p)),e.ok(p)}function d(p){r.forRange("i",t.length,c,l=>{e.subschema({keyword:i,dataProp:l,dataPropType:Rl.Type.Num},p),s.allErrors||r.if((0,an.not)(p),()=>r.break())})}o(d,"validateItems")}o(cS,"validateAdditionalItems");xa.validateAdditionalItems=cS;xa.default=aE});var Il=x(Aa=>{"use strict";Object.defineProperty(Aa,"__esModule",{value:!0});Aa.validateTuple=void 0;var uS=V(),fs=te(),iE=mt(),sE={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return dS(e,"additionalItems",t);r.items=!0,!(0,fs.alwaysValidSchema)(r,t)&&e.ok((0,iE.validateArray)(e))}};function dS(e,t,r=e.schema){let{gen:n,parentSchema:a,data:i,keyword:s,it:c}=e;l(a),c.opts.unevaluated&&r.length&&c.items!==!0&&(c.items=fs.mergeEvaluated.items(n,r.length,c.items));let d=n.name("valid"),p=n.const("len",(0,uS._)`${i}.length`);r.forEach((m,h)=>{(0,fs.alwaysValidSchema)(c,m)||(n.if((0,uS._)`${p} > ${h}`,()=>e.subschema({keyword:s,schemaProp:h,dataProp:h},d)),e.ok(d))});function l(m){let{opts:h,errSchemaPath:y}=c,_=r.length,S=_===m.minItems&&(_===m.maxItems||m[t]===!1);if(h.strictTuples&&!S){let w=`"${s}" is ${_}-tuple, but minItems or maxItems/${t} are not specified or different at path "${y}"`;(0,fs.checkStrictMode)(c,w,h.strictTuples)}}o(l,"checkStrictTuple")}o(dS,"validateTuple");Aa.validateTuple=dS;Aa.default=sE});var lS=x(Pl=>{"use strict";Object.defineProperty(Pl,"__esModule",{value:!0});var cE=Il(),uE={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,cE.validateTuple)(e,"items"),"code")};Pl.default=uE});var mS=x(xl=>{"use strict";Object.defineProperty(xl,"__esModule",{value:!0});var pS=V(),dE=te(),lE=mt(),pE=Cl(),mE={message:o(({params:{len:e}})=>(0,pS.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,pS._)`{limit: ${e}}`,"params")},fE={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:mE,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,dE.alwaysValidSchema)(n,t)&&(a?(0,pE.validateAdditionalItems)(e,a):e.ok((0,lE.validateArray)(e)))}};xl.default=fE});var fS=x(Al=>{"use strict";Object.defineProperty(Al,"__esModule",{value:!0});var ht=V(),hs=te(),hE={message:o(({params:{min:e,max:t}})=>t===void 0?(0,ht.str)`must contain at least ${e} valid item(s)`:(0,ht.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,ht._)`{minContains: ${e}}`:(0,ht._)`{minContains: ${e}, maxContains: ${t}}`,"params")},gE={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:hE,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e,s,c,{minContains:d,maxContains:p}=n;i.opts.next?(s=d===void 0?1:d,c=p):s=1;let l=t.const("len",(0,ht._)`${a}.length`);if(e.setParams({min:s,max:c}),c===void 0&&s===0){(0,hs.checkStrictMode)(i,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(c!==void 0&&s>c){(0,hs.checkStrictMode)(i,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,hs.alwaysValidSchema)(i,r)){let S=(0,ht._)`${l} >= ${s}`;c!==void 0&&(S=(0,ht._)`${S} && ${l} <= ${c}`),e.pass(S);return}i.items=!0;let m=t.name("valid");c===void 0&&s===1?y(m,()=>t.if(m,()=>t.break())):s===0?(t.let(m,!0),c!==void 0&&t.if((0,ht._)`${a}.length > 0`,h)):(t.let(m,!1),h()),e.result(m,()=>e.reset());function h(){let S=t.name("_valid"),w=t.let("count",0);y(S,()=>t.if(S,()=>_(w)))}o(h,"validateItemsWithCount");function y(S,w){t.forRange("i",0,l,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:hs.Type.Num,compositeRule:!0},S),w()})}o(y,"validateItems");function _(S){t.code((0,ht._)`${S}++`),c===void 0?t.if((0,ht._)`${S} >= ${s}`,()=>t.assign(m,!0).break()):(t.if((0,ht._)`${S} > ${c}`,()=>t.assign(m,!1).break()),s===1?t.assign(m,!0):t.if((0,ht._)`${S} >= ${s}`,()=>t.assign(m,!0)))}o(_,"checkLimits")}};Al.default=gE});var yS=x(Ut=>{"use strict";Object.defineProperty(Ut,"__esModule",{value:!0});Ut.validateSchemaDeps=Ut.validatePropertyDeps=Ut.error=void 0;var kl=V(),yE=te(),ka=mt();Ut.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,kl.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,kl._)`{property: ${e},
+              || ${s} === "boolean" || ${a} === null`).assign(c,(0,G._)`[${a}]`)}}o(d,"coerceSpecificType")}o(Ek,"coerceData");function Uk({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,G._)`${t} !== undefined`,()=>e.assign((0,G._)`${t}[${r}]`,n))}o(Uk,"assignParentData");function $d(e,t,r,n=Fn.Correct){let a=n===Fn.Correct?G.operators.EQ:G.operators.NEQ,i;switch(e){case"null":return(0,G._)`${t} ${a} null`;case"array":i=(0,G._)`Array.isArray(${t})`;break;case"object":i=(0,G._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":i=s((0,G._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":i=s();break;default:return(0,G._)`typeof ${t} ${a} ${e}`}return n===Fn.Correct?i:(0,G.not)(i);function s(c=G.nil){return(0,G.and)((0,G._)`typeof ${t} == "number"`,c,r?(0,G._)`isFinite(${t})`:G.nil)}}o($d,"checkDataType");Le.checkDataType=$d;function zd(e,t,r,n){if(e.length===1)return $d(e[0],t,r,n);let a,i=(0,qg.toHash)(e);if(i.array&&i.object){let s=(0,G._)`typeof ${t} != "object"`;a=i.null?s:(0,G._)`!${t} || ${s}`,delete i.null,delete i.array,delete i.object}else a=G.nil;i.number&&delete i.integer;for(let s in i)a=(0,G.and)(a,$d(s,t,r,n));return a}o(zd,"checkDataTypes");Le.checkDataTypes=zd;var Ok={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,G._)`{type: ${e}}`:(0,G._)`{type: ${t}}`,"params")};function Md(e){let t=$k(e);(0,xk.reportError)(t,Ok)}o(Md,"reportTypeError");Le.reportTypeError=Md;function $k(e){let{gen:t,data:r,schema:n}=e,a=(0,qg.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o($k,"getTypeErrorContext")});var Hg=k(Ji=>{"use strict";Object.defineProperty(Ji,"__esModule",{value:!0});Ji.assignDefaults=void 0;var Zn=F(),zk=te();function Mk(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)jg(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,i)=>jg(e,i,a.default))}o(Mk,"assignDefaults");Ji.assignDefaults=Mk;function jg(e,t,r){let{gen:n,compositeRule:a,data:i,opts:s}=e;if(r===void 0)return;let c=(0,Zn._)`${i}${(0,Zn.getProperty)(t)}`;if(a){(0,zk.checkStrictMode)(e,`default is ignored for: ${c}`);return}let d=(0,Zn._)`${c} === undefined`;s.useDefaults==="empty"&&(d=(0,Zn._)`${d} || ${c} === null || ${c} === ""`),n.if(d,(0,Zn._)`${c} = ${(0,Zn.stringify)(r)}`)}o(jg,"assignDefault")});var pt=k(ne=>{"use strict";Object.defineProperty(ne,"__esModule",{value:!0});ne.validateUnion=ne.validateArray=ne.usePattern=ne.callValidateCode=ne.schemaProperties=ne.allSchemaProperties=ne.noPropertyInData=ne.propertyInData=ne.isOwnProperty=ne.hasPropFunc=ne.reportMissingProp=ne.checkMissingProp=ne.checkReportMissingProp=void 0;var pe=F(),qd=te(),_r=Wt(),qk=te();function Nk(e,t){let{gen:r,data:n,it:a}=e;r.if(Dd(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,pe._)`${t}`},!0),e.error()})}o(Nk,"checkReportMissingProp");ne.checkReportMissingProp=Nk;function Dk({gen:e,data:t,it:{opts:r}},n,a){return(0,pe.or)(...n.map(i=>(0,pe.and)(Dd(e,t,i,r.ownProperties),(0,pe._)`${a} = ${i}`)))}o(Dk,"checkMissingProp");ne.checkMissingProp=Dk;function jk(e,t){e.setParams({missingProperty:t},!0),e.error()}o(jk,"reportMissingProp");ne.reportMissingProp=jk;function Lg(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,pe._)`Object.prototype.hasOwnProperty`})}o(Lg,"hasPropFunc");ne.hasPropFunc=Lg;function Nd(e,t,r){return(0,pe._)`${Lg(e)}.call(${t}, ${r})`}o(Nd,"isOwnProperty");ne.isOwnProperty=Nd;function Hk(e,t,r,n){let a=(0,pe._)`${t}${(0,pe.getProperty)(r)} !== undefined`;return n?(0,pe._)`${a} && ${Nd(e,t,r)}`:a}o(Hk,"propertyInData");ne.propertyInData=Hk;function Dd(e,t,r,n){let a=(0,pe._)`${t}${(0,pe.getProperty)(r)} === undefined`;return n?(0,pe.or)(a,(0,pe.not)(Nd(e,t,r))):a}o(Dd,"noPropertyInData");ne.noPropertyInData=Dd;function Bg(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(Bg,"allSchemaProperties");ne.allSchemaProperties=Bg;function Lk(e,t){return Bg(t).filter(r=>!(0,qd.alwaysValidSchema)(e,t[r]))}o(Lk,"schemaProperties");ne.schemaProperties=Lk;function Bk({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:i},it:s},c,d,p){let l=p?(0,pe._)`${e}, ${t}, ${n}${a}`:t,m=[[_r.default.instancePath,(0,pe.strConcat)(_r.default.instancePath,i)],[_r.default.parentData,s.parentData],[_r.default.parentDataProperty,s.parentDataProperty],[_r.default.rootData,_r.default.rootData]];s.opts.dynamicRef&&m.push([_r.default.dynamicAnchors,_r.default.dynamicAnchors]);let h=(0,pe._)`${l}, ${r.object(...m)}`;return d!==pe.nil?(0,pe._)`${c}.call(${d}, ${h})`:(0,pe._)`${c}(${h})`}o(Bk,"callValidateCode");ne.callValidateCode=Bk;var Gk=(0,pe._)`new RegExp`;function Vk({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,i=a(r,n);return e.scopeValue("pattern",{key:i.toString(),ref:i,code:(0,pe._)`${a.code==="new RegExp"?Gk:(0,qk.useFunc)(e,a)}(${r}, ${n})`})}o(Vk,"usePattern");ne.usePattern=Vk;function Fk(e){let{gen:t,data:r,keyword:n,it:a}=e,i=t.name("valid");if(a.allErrors){let c=t.let("valid",!0);return s(()=>t.assign(c,!1)),c}return t.var(i,!0),s(()=>t.break()),i;function s(c){let d=t.const("len",(0,pe._)`${r}.length`);t.forRange("i",0,d,p=>{e.subschema({keyword:n,dataProp:p,dataPropType:qd.Type.Num},i),t.if((0,pe.not)(i),c)})}o(s,"validateItems")}o(Fk,"validateArray");ne.validateArray=Fk;function Zk(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,qd.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let s=t.let("valid",!1),c=t.name("_valid");t.block(()=>r.forEach((d,p)=>{let l=e.subschema({keyword:n,schemaProp:p,compositeRule:!0},c);t.assign(s,(0,pe._)`${s} || ${c}`),e.mergeValidEvaluated(l,c)||t.if((0,pe.not)(s))})),e.result(s,()=>e.reset(),()=>e.error(!0))}o(Zk,"validateUnion");ne.validateUnion=Zk});var Fg=k(kt=>{"use strict";Object.defineProperty(kt,"__esModule",{value:!0});kt.validateKeywordUsage=kt.validSchemaType=kt.funcKeywordCode=kt.macroKeywordCode=void 0;var Fe=F(),en=Wt(),Kk=pt(),Jk=da();function Wk(e,t){let{gen:r,keyword:n,schema:a,parentSchema:i,it:s}=e,c=t.macro.call(s.self,a,i,s),d=Vg(r,n,c);s.opts.validateSchema!==!1&&s.self.validateSchema(c,!0);let p=r.name("valid");e.subschema({schema:c,schemaPath:Fe.nil,errSchemaPath:`${s.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},p),e.pass(p,()=>e.error(!0))}o(Wk,"macroKeywordCode");kt.macroKeywordCode=Wk;function Yk(e,t){var r;let{gen:n,keyword:a,schema:i,parentSchema:s,$data:c,it:d}=e;Xk(d,t);let p=!c&&t.compile?t.compile.call(d.self,i,s,d):t.validate,l=Vg(n,a,p),m=n.let("valid");e.block$data(m,h),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function h(){if(t.errors===!1)S(),t.modifying&&Gg(e),_(()=>e.error());else{let w=t.async?y():v();t.modifying&&Gg(e),_(()=>Qk(e,w))}}o(h,"validateKeyword");function y(){let w=n.let("ruleErrs",null);return n.try(()=>S((0,Fe._)`await `),b=>n.assign(m,!1).if((0,Fe._)`${b} instanceof ${d.ValidationError}`,()=>n.assign(w,(0,Fe._)`${b}.errors`),()=>n.throw(b))),w}o(y,"validateAsync");function v(){let w=(0,Fe._)`${l}.errors`;return n.assign(w,null),S(Fe.nil),w}o(v,"validateSync");function S(w=t.async?(0,Fe._)`await `:Fe.nil){let b=d.opts.passContext?en.default.this:en.default.self,R=!("compile"in t&&!c||t.schema===!1);n.assign(m,(0,Fe._)`${w}${(0,Kk.callValidateCode)(e,l,b,R)}`,t.modifying)}o(S,"assignValid");function _(w){var b;n.if((0,Fe.not)((b=t.valid)!==null&&b!==void 0?b:m),w)}o(_,"reportErrs")}o(Yk,"funcKeywordCode");kt.funcKeywordCode=Yk;function Gg(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,Fe._)`${n.parentData}[${n.parentDataProperty}]`))}o(Gg,"modifyData");function Qk(e,t){let{gen:r}=e;r.if((0,Fe._)`Array.isArray(${t})`,()=>{r.assign(en.default.vErrors,(0,Fe._)`${en.default.vErrors} === null ? ${t} : ${en.default.vErrors}.concat(${t})`).assign(en.default.errors,(0,Fe._)`${en.default.vErrors}.length`),(0,Jk.extendErrors)(e)},()=>e.error())}o(Qk,"addErrs");function Xk({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(Xk,"checkAsyncKeyword");function Vg(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,Fe.stringify)(r)})}o(Vg,"useKeyword");function eT(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(eT,"validSchemaType");kt.validSchemaType=eT;function tT({schema:e,opts:t,self:r,errSchemaPath:n},a,i){if(Array.isArray(a.keyword)?!a.keyword.includes(i):a.keyword!==i)throw new Error("ajv implementation error");let s=a.dependencies;if(s?.some(c=>!Object.prototype.hasOwnProperty.call(e,c)))throw new Error(`parent schema must have dependencies of ${i}: ${s.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[i])){let d=`keyword "${i}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(tT,"validateKeywordUsage");kt.validateKeywordUsage=tT});var Kg=k(wr=>{"use strict";Object.defineProperty(wr,"__esModule",{value:!0});wr.extendSubschemaMode=wr.extendSubschemaData=wr.getSubschema=void 0;var Tt=F(),Zg=te();function rT(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:i,topSchemaRef:s}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let c=e.schema[t];return r===void 0?{schema:c,schemaPath:(0,Tt._)`${e.schemaPath}${(0,Tt.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:c[r],schemaPath:(0,Tt._)`${e.schemaPath}${(0,Tt.getProperty)(t)}${(0,Tt.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,Zg.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||i===void 0||s===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:s,errSchemaPath:i}}throw new Error('either "keyword" or "schema" must be passed')}o(rT,"getSubschema");wr.getSubschema=rT;function nT(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:i,propertyName:s}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:c}=t;if(r!==void 0){let{errorPath:p,dataPathArr:l,opts:m}=t,h=c.let("data",(0,Tt._)`${t.data}${(0,Tt.getProperty)(r)}`,!0);d(h),e.errorPath=(0,Tt.str)`${p}${(0,Zg.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,Tt._)`${r}`,e.dataPathArr=[...l,e.parentDataProperty]}if(a!==void 0){let p=a instanceof Tt.Name?a:c.let("data",a,!0);d(p),s!==void 0&&(e.propertyName=s)}i&&(e.dataTypes=i);function d(p){e.data=p,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,p]}o(d,"dataContextProps")}o(nT,"extendSubschemaData");wr.extendSubschemaData=nT;function oT(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:i}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),i!==void 0&&(e.allErrors=i),e.jtdDiscriminator=t,e.jtdMetadata=r}o(oT,"extendSubschemaMode");wr.extendSubschemaMode=oT});var jd=k((J4,Jg)=>{"use strict";Jg.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,i;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(i=Object.keys(t),n=i.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,i[a]))return!1;for(a=n;a--!==0;){var s=i[a];if(!e(t[s],r[s]))return!1}return!0}return t!==t&&r!==r},"equal")});var Yg=k((Y4,Wg)=>{"use strict";var br=Wg.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};Wi(t,n,a,e,"",e)};br.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};br.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};br.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};br.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function Wi(e,t,r,n,a,i,s,c,d,p){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,i,s,c,d,p);for(var l in n){var m=n[l];if(Array.isArray(m)){if(l in br.arrayKeywords)for(var h=0;h<m.length;h++)Wi(e,t,r,m[h],a+"/"+l+"/"+h,i,a,l,n,h)}else if(l in br.propsKeywords){if(m&&typeof m=="object")for(var y in m)Wi(e,t,r,m[y],a+"/"+l+"/"+aT(y),i,a,l,n,y)}else(l in br.keywords||e.allKeys&&!(l in br.skipKeywords))&&Wi(e,t,r,m,a+"/"+l,i,a,l,n)}r(n,a,i,s,c,d,p)}}o(Wi,"_traverse");function aT(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(aT,"escapeJsonPtr")});var pa=k(et=>{"use strict";Object.defineProperty(et,"__esModule",{value:!0});et.getSchemaRefs=et.resolveUrl=et.normalizeId=et._getFullPath=et.getFullPath=et.inlineRef=void 0;var iT=te(),sT=jd(),cT=Yg(),uT=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function dT(e,t=!0){return typeof e=="boolean"?!0:t===!0?!Hd(e):t?Qg(e)<=t:!1}o(dT,"inlineRef");et.inlineRef=dT;var lT=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function Hd(e){for(let t in e){if(lT.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(Hd)||typeof r=="object"&&Hd(r))return!0}return!1}o(Hd,"hasRef");function Qg(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!uT.has(r)&&(typeof e[r]=="object"&&(0,iT.eachItem)(e[r],n=>t+=Qg(n)),t===1/0))return 1/0}return t}o(Qg,"countKeys");function Xg(e,t="",r){r!==!1&&(t=Kn(t));let n=e.parse(t);return ey(e,n)}o(Xg,"getFullPath");et.getFullPath=Xg;function ey(e,t){return e.serialize(t).split("#")[0]+"#"}o(ey,"_getFullPath");et._getFullPath=ey;var pT=/#\/?$/;function Kn(e){return e?e.replace(pT,""):""}o(Kn,"normalizeId");et.normalizeId=Kn;function mT(e,t,r){return r=Kn(r),e.resolve(t,r)}o(mT,"resolveUrl");et.resolveUrl=mT;var fT=/^[a-z_][-a-z0-9._]*$/i;function hT(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=Kn(e[r]||t),i={"":a},s=Xg(n,a,!1),c={},d=new Set;return cT(e,{allKeys:!0},(m,h,y,v)=>{if(v===void 0)return;let S=s+h,_=i[v];typeof m[r]=="string"&&(_=w.call(this,m[r])),b.call(this,m.$anchor),b.call(this,m.$dynamicAnchor),i[h]=_;function w(R){let z=this.opts.uriResolver.resolve;if(R=Kn(_?z(_,R):R),d.has(R))throw l(R);d.add(R);let M=this.refs[R];return typeof M=="string"&&(M=this.refs[M]),typeof M=="object"?p(m,M.schema,R):R!==Kn(S)&&(R[0]==="#"?(p(m,c[R],R),c[R]=m):this.refs[R]=S),R}o(w,"addRef");function b(R){if(typeof R=="string"){if(!fT.test(R))throw new Error(`invalid anchor "${R}"`);w.call(this,`#${R}`)}}o(b,"addAnchor")}),c;function p(m,h,y){if(h!==void 0&&!sT(m,h))throw l(y)}o(p,"checkAmbiguosRef");function l(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(l,"ambiguos")}o(hT,"getSchemaRefs");et.getSchemaRefs=hT});var ha=k(Rr=>{"use strict";Object.defineProperty(Rr,"__esModule",{value:!0});Rr.getData=Rr.KeywordCxt=Rr.validateFunctionCode=void 0;var ay=$g(),ty=la(),Bd=Od(),Yi=la(),gT=Hg(),fa=Fg(),Ld=Kg(),O=F(),j=Wt(),yT=pa(),Yt=te(),ma=da();function ST(e){if(cy(e)&&(uy(e),sy(e))){wT(e);return}iy(e,()=>(0,ay.topBoolOrEmptySchema)(e))}o(ST,"validateFunctionCode");Rr.validateFunctionCode=ST;function iy({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},i){a.code.es5?e.func(t,(0,O._)`${j.default.data}, ${j.default.valCxt}`,n.$async,()=>{e.code((0,O._)`"use strict"; ${ry(r,a)}`),_T(e,a),e.code(i)}):e.func(t,(0,O._)`${j.default.data}, ${vT(a)}`,n.$async,()=>e.code(ry(r,a)).code(i))}o(iy,"validateFunction");function vT(e){return(0,O._)`{${j.default.instancePath}="", ${j.default.parentData}, ${j.default.parentDataProperty}, ${j.default.rootData}=${j.default.data}${e.dynamicRef?(0,O._)`, ${j.default.dynamicAnchors}={}`:O.nil}}={}`}o(vT,"destructureValCxt");function _T(e,t){e.if(j.default.valCxt,()=>{e.var(j.default.instancePath,(0,O._)`${j.default.valCxt}.${j.default.instancePath}`),e.var(j.default.parentData,(0,O._)`${j.default.valCxt}.${j.default.parentData}`),e.var(j.default.parentDataProperty,(0,O._)`${j.default.valCxt}.${j.default.parentDataProperty}`),e.var(j.default.rootData,(0,O._)`${j.default.valCxt}.${j.default.rootData}`),t.dynamicRef&&e.var(j.default.dynamicAnchors,(0,O._)`${j.default.valCxt}.${j.default.dynamicAnchors}`)},()=>{e.var(j.default.instancePath,(0,O._)`""`),e.var(j.default.parentData,(0,O._)`undefined`),e.var(j.default.parentDataProperty,(0,O._)`undefined`),e.var(j.default.rootData,j.default.data),t.dynamicRef&&e.var(j.default.dynamicAnchors,(0,O._)`{}`)})}o(_T,"destructureValCxtES5");function wT(e){let{schema:t,opts:r,gen:n}=e;iy(e,()=>{r.$comment&&t.$comment&&ly(e),PT(e),n.let(j.default.vErrors,null),n.let(j.default.errors,0),r.unevaluated&&bT(e),dy(e),TT(e)})}o(wT,"topSchemaObjCode");function bT(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,O._)`${r}.evaluated`),t.if((0,O._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,O._)`${e.evaluated}.props`,(0,O._)`undefined`)),t.if((0,O._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,O._)`${e.evaluated}.items`,(0,O._)`undefined`))}o(bT,"resetEvaluated");function ry(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,O._)`/*# sourceURL=${r} */`:O.nil}o(ry,"funcSourceUrl");function RT(e,t){if(cy(e)&&(uy(e),sy(e))){CT(e,t);return}(0,ay.boolOrEmptySchema)(e,t)}o(RT,"subschemaCode");function sy({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(sy,"schemaCxtHasRules");function cy(e){return typeof e.schema!="boolean"}o(cy,"isSchemaObj");function CT(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&ly(e),xT(e),kT(e);let i=n.const("_errs",j.default.errors);dy(e,i),n.var(t,(0,O._)`${i} === ${j.default.errors}`)}o(CT,"subSchemaObjCode");function uy(e){(0,Yt.checkUnknownRules)(e),IT(e)}o(uy,"checkKeywords");function dy(e,t){if(e.opts.jtd)return ny(e,[],!1,t);let r=(0,ty.getSchemaTypes)(e.schema),n=(0,ty.coerceAndCheckDataType)(e,r);ny(e,r,!n,t)}o(dy,"typeAndKeywords");function IT(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,Yt.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(IT,"checkRefsAndKeywords");function PT(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,Yt.checkStrictMode)(e,"default is ignored in the schema root")}o(PT,"checkNoDefault");function xT(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,yT.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(xT,"updateContext");function kT(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(kT,"checkAsyncSchema");function ly({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let i=r.$comment;if(a.$comment===!0)e.code((0,O._)`${j.default.self}.logger.log(${i})`);else if(typeof a.$comment=="function"){let s=(0,O.str)`${n}/$comment`,c=e.scopeValue("root",{ref:t.root});e.code((0,O._)`${j.default.self}.opts.$comment(${i}, ${s}, ${c}.schema)`)}}o(ly,"commentKeyword");function TT(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:i}=e;r.$async?t.if((0,O._)`${j.default.errors} === 0`,()=>t.return(j.default.data),()=>t.throw((0,O._)`new ${a}(${j.default.vErrors})`)):(t.assign((0,O._)`${n}.errors`,j.default.vErrors),i.unevaluated&&AT(e),t.return((0,O._)`${j.default.errors} === 0`))}o(TT,"returnResults");function AT({gen:e,evaluated:t,props:r,items:n}){r instanceof O.Name&&e.assign((0,O._)`${t}.props`,r),n instanceof O.Name&&e.assign((0,O._)`${t}.items`,n)}o(AT,"assignEvaluated");function ny(e,t,r,n){let{gen:a,schema:i,data:s,allErrors:c,opts:d,self:p}=e,{RULES:l}=p;if(i.$ref&&(d.ignoreKeywordsWithRef||!(0,Yt.schemaHasRulesButRef)(i,l))){a.block(()=>my(e,"$ref",l.all.$ref.definition));return}d.jtd||ET(e,t),a.block(()=>{for(let h of l.rules)m(h);m(l.post)});function m(h){(0,Bd.shouldUseGroup)(i,h)&&(h.type?(a.if((0,Yi.checkDataType)(h.type,s,d.strictNumbers)),oy(e,h),t.length===1&&t[0]===h.type&&r&&(a.else(),(0,Yi.reportTypeError)(e)),a.endIf()):oy(e,h),c||a.if((0,O._)`${j.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(ny,"schemaKeywords");function oy(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,gT.assignDefaults)(e,t.type),r.block(()=>{for(let i of t.rules)(0,Bd.shouldUseRule)(n,i)&&my(e,i.keyword,i.definition,t.type)})}o(oy,"iterateKeywords");function ET(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(UT(e,t),e.opts.allowUnionTypes||OT(e,t),$T(e,e.dataTypes))}o(ET,"checkStrictTypes");function UT(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{py(e.dataTypes,r)||Gd(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),MT(e,t)}}o(UT,"checkContextTypes");function OT(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&Gd(e,"use allowUnionTypes to allow union type keyword")}o(OT,"checkMultipleTypes");function $T(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,Bd.shouldUseRule)(e.schema,a)){let{type:i}=a.definition;i.length&&!i.some(s=>zT(t,s))&&Gd(e,`missing type "${i.join(",")}" for keyword "${n}"`)}}}o($T,"checkKeywordTypes");function zT(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(zT,"hasApplicableType");function py(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(py,"includesType");function MT(e,t){let r=[];for(let n of e.dataTypes)py(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(MT,"narrowSchemaTypes");function Gd(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,Yt.checkStrictMode)(e,t,e.opts.strictTypes)}o(Gd,"strictTypesError");var Qi=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,fa.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,Yt.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",fy(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,fa.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",j.default.errors))}result(t,r,n){this.failResult((0,O.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,O.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,O._)`${r} !== undefined && (${(0,O.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?ma.reportExtraError:ma.reportError)(this,this.def.error,r)}$dataError(){(0,ma.reportError)(this,this.def.$dataError||ma.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,ma.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=O.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=O.nil,r=O.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:i,def:s}=this;n.if((0,O.or)((0,O._)`${a} === undefined`,r)),t!==O.nil&&n.assign(t,!0),(i.length||s.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==O.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:i}=this;return(0,O.or)(s(),c());function s(){if(n.length){if(!(r instanceof O.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,O._)`${(0,Yi.checkDataTypes)(d,r,i.opts.strictNumbers,Yi.DataType.Wrong)}`}return O.nil}function c(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,O._)`!${d}(${r})`}return O.nil}}subschema(t,r){let n=(0,Ld.getSubschema)(this.it,t);(0,Ld.extendSubschemaData)(n,this.it,t),(0,Ld.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return RT(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=Yt.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=Yt.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,O.Name)),!0}};Rr.KeywordCxt=Qi;function my(e,t,r,n){let a=new Qi(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,fa.funcKeywordCode)(a,r):"macro"in r?(0,fa.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,fa.funcKeywordCode)(a,r)}o(my,"keywordCode");var qT=/^\/(?:[^~]|~0|~1)*$/,NT=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function fy(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,i;if(e==="")return j.default.rootData;if(e[0]==="/"){if(!qT.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,i=j.default.rootData}else{let p=NT.exec(e);if(!p)throw new Error(`Invalid JSON-pointer: ${e}`);let l=+p[1];if(a=p[2],a==="#"){if(l>=t)throw new Error(d("property/index",l));return n[t-l]}if(l>t)throw new Error(d("data",l));if(i=r[t-l],!a)return i}let s=i,c=a.split("/");for(let p of c)p&&(i=(0,O._)`${i}${(0,O.getProperty)((0,Yt.unescapeJsonPointer)(p))}`,s=(0,O._)`${s} && ${i}`);return s;function d(p,l){return`Cannot access ${p} ${l} levels up, current level is ${t}`}}o(fy,"getData");Rr.getData=fy});var Xi=k(Fd=>{"use strict";Object.defineProperty(Fd,"__esModule",{value:!0});var Vd=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};Fd.default=Vd});var ga=k(Jd=>{"use strict";Object.defineProperty(Jd,"__esModule",{value:!0});var Zd=pa(),Kd=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,Zd.resolveUrl)(t,r,n),this.missingSchema=(0,Zd.normalizeId)((0,Zd.getFullPath)(t,this.missingRef))}};Jd.default=Kd});var ts=k(mt=>{"use strict";Object.defineProperty(mt,"__esModule",{value:!0});mt.resolveSchema=mt.getCompilingSchema=mt.resolveRef=mt.compileSchema=mt.SchemaEnv=void 0;var vt=F(),DT=Xi(),tn=Wt(),_t=pa(),hy=te(),jT=ha(),Jn=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,_t.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};mt.SchemaEnv=Jn;function Yd(e){let t=gy.call(this,e);if(t)return t;let r=(0,_t.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:i}=this.opts,s=new vt.CodeGen(this.scope,{es5:n,lines:a,ownProperties:i}),c;e.$async&&(c=s.scopeValue("Error",{ref:DT.default,code:(0,vt._)`require("ajv/dist/runtime/validation_error").default`}));let d=s.scopeName("validate");e.validateName=d;let p={gen:s,allErrors:this.opts.allErrors,data:tn.default.data,parentData:tn.default.parentData,parentDataProperty:tn.default.parentDataProperty,dataNames:[tn.default.data],dataPathArr:[vt.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:s.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,vt.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:c,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:vt.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,vt._)`""`,opts:this.opts,self:this},l;try{this._compilations.add(e),(0,jT.validateFunctionCode)(p),s.optimize(this.opts.code.optimize);let m=s.toString();l=`${s.scopeRefs(tn.default.scope)}return ${m}`,this.opts.code.process&&(l=this.opts.code.process(l,e));let y=new Function(`${tn.default.self}`,`${tn.default.scope}`,l)(this,this.scope.get());if(this.scope.value(d,{ref:y}),y.errors=null,y.schema=e.schema,y.schemaEnv=e,e.$async&&(y.$async=!0),this.opts.code.source===!0&&(y.source={validateName:d,validateCode:m,scopeValues:s._values}),this.opts.unevaluated){let{props:v,items:S}=p;y.evaluated={props:v instanceof vt.Name?void 0:v,items:S instanceof vt.Name?void 0:S,dynamicProps:v instanceof vt.Name,dynamicItems:S instanceof vt.Name},y.source&&(y.source.evaluated=(0,vt.stringify)(y.evaluated))}return e.validate=y,e}catch(m){throw delete e.validate,delete e.validateName,l&&this.logger.error("Error compiling schema, function code:",l),m}finally{this._compilations.delete(e)}}o(Yd,"compileSchema");mt.compileSchema=Yd;function HT(e,t,r){var n;r=(0,_t.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let i=GT.call(this,e,r);if(i===void 0){let s=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:c}=this.opts;s&&(i=new Jn({schema:s,schemaId:c,root:e,baseId:t}))}if(i!==void 0)return e.refs[r]=LT.call(this,i)}o(HT,"resolveRef");mt.resolveRef=HT;function LT(e){return(0,_t.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:Yd.call(this,e)}o(LT,"inlineOrCompile");function gy(e){for(let t of this._compilations)if(BT(t,e))return t}o(gy,"getCompilingSchema");mt.getCompilingSchema=gy;function BT(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(BT,"sameSchemaEnv");function GT(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||es.call(this,e,t)}o(GT,"resolve");function es(e,t){let r=this.opts.uriResolver.parse(t),n=(0,_t._getFullPath)(this.opts.uriResolver,r),a=(0,_t.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return Wd.call(this,r,e);let i=(0,_t.normalizeId)(n),s=this.refs[i]||this.schemas[i];if(typeof s=="string"){let c=es.call(this,e,s);return typeof c?.schema!="object"?void 0:Wd.call(this,r,c)}if(typeof s?.schema=="object"){if(s.validate||Yd.call(this,s),i===(0,_t.normalizeId)(t)){let{schema:c}=s,{schemaId:d}=this.opts,p=c[d];return p&&(a=(0,_t.resolveUrl)(this.opts.uriResolver,a,p)),new Jn({schema:c,schemaId:d,root:e,baseId:a})}return Wd.call(this,r,s)}}o(es,"resolveSchema");mt.resolveSchema=es;var VT=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function Wd(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let c of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,hy.unescapeFragment)(c)];if(d===void 0)return;r=d;let p=typeof r=="object"&&r[this.opts.schemaId];!VT.has(c)&&p&&(t=(0,_t.resolveUrl)(this.opts.uriResolver,t,p))}let i;if(typeof r!="boolean"&&r.$ref&&!(0,hy.schemaHasRulesButRef)(r,this.RULES)){let c=(0,_t.resolveUrl)(this.opts.uriResolver,t,r.$ref);i=es.call(this,n,c)}let{schemaId:s}=this.opts;if(i=i||new Jn({schema:r,schemaId:s,root:n,baseId:t}),i.schema!==i.root.schema)return i}o(Wd,"getJsonPointer")});var yy=k((u9,FT)=>{FT.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var Xd=k((d9,wy)=>{"use strict";var ZT=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),vy=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function Qd(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(Qd,"stringArrayToHexStripped");var KT=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function Sy(e){return e.length=0,!0}o(Sy,"consumeIsZone");function JT(e,t,r){if(e.length){let n=Qd(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(JT,"consumeHextets");function WT(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],i=!1,s=!1,c=JT;for(let d=0;d<e.length;d++){let p=e[d];if(!(p==="["||p==="]"))if(p===":"){if(i===!0&&(s=!0),!c(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(i=!0),n.push(":");continue}else if(p==="%"){if(!c(a,n,r))break;c=Sy}else{a.push(p);continue}}return a.length&&(c===Sy?r.zone=a.join(""):s?n.push(a.join("")):n.push(Qd(a))),r.address=n.join(""),r}o(WT,"getIPV6");function _y(e){if(YT(e,":")<2)return{host:e,isIPV6:!1};let t=WT(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(_y,"normalizeIPv6");function YT(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(YT,"findToken");function QT(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o(QT,"removeDotSegments");function XT(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(XT,"normalizeComponentEncoding");function eA(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!vy(r)){let n=_y(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(eA,"recomposeAuthority");wy.exports={nonSimpleDomain:KT,recomposeAuthority:eA,normalizeComponentEncoding:XT,removeDotSegments:QT,isIPv4:vy,isUUID:ZT,normalizeIPv6:_y,stringArrayToHexStripped:Qd}});var Py=k((p9,Iy)=>{"use strict";var{isUUID:tA}=Xd(),rA=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,nA=["http","https","ws","wss","urn","urn:uuid"];function oA(e){return nA.indexOf(e)!==-1}o(oA,"isValidSchemeName");function el(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(el,"wsIsSecure");function by(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(by,"httpParse");function Ry(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(Ry,"httpSerialize");function aA(e){return e.secure=el(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(aA,"wsParse");function iA(e){if((e.port===(el(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(iA,"wsSerialize");function sA(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(rA);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,i=tl(a);e.path=void 0,i&&(e=i.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(sA,"urnParse");function cA(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,i=tl(a);i&&(e=i.serialize(e,t));let s=e,c=e.nss;return s.path=`${n||t.nid}:${c}`,t.skipEscape=!0,s}o(cA,"urnSerialize");function uA(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!tA(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(uA,"urnuuidParse");function dA(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(dA,"urnuuidSerialize");var Cy={scheme:"http",domainHost:!0,parse:by,serialize:Ry},lA={scheme:"https",domainHost:Cy.domainHost,parse:by,serialize:Ry},rs={scheme:"ws",domainHost:!0,parse:aA,serialize:iA},pA={scheme:"wss",domainHost:rs.domainHost,parse:rs.parse,serialize:rs.serialize},mA={scheme:"urn",parse:sA,serialize:cA,skipNormalize:!0},fA={scheme:"urn:uuid",parse:uA,serialize:dA,skipNormalize:!0},ns={http:Cy,https:lA,ws:rs,wss:pA,urn:mA,"urn:uuid":fA};Object.setPrototypeOf(ns,null);function tl(e){return e&&(ns[e]||ns[e.toLowerCase()])||void 0}o(tl,"getSchemeHandler");Iy.exports={wsIsSecure:el,SCHEMES:ns,isValidSchemeName:oA,getSchemeHandler:tl}});var Ty=k((f9,as)=>{"use strict";var{normalizeIPv6:hA,removeDotSegments:ya,recomposeAuthority:gA,normalizeComponentEncoding:os,isIPv4:yA,nonSimpleDomain:SA}=Xd(),{SCHEMES:vA,getSchemeHandler:xy}=Py();function _A(e,t){return typeof e=="string"?e=At(Qt(e,t),t):typeof e=="object"&&(e=Qt(At(e,t),t)),e}o(_A,"normalize");function wA(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=ky(Qt(e,n),Qt(t,n),n,!0);return n.skipEscape=!0,At(a,n)}o(wA,"resolve");function ky(e,t,r,n){let a={};return n||(e=Qt(At(e,r),r),t=Qt(At(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=ya(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=ya(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=ya(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=ya(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(ky,"resolveComponent");function bA(e,t,r){return typeof e=="string"?(e=unescape(e),e=At(os(Qt(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=At(os(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=At(os(Qt(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=At(os(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(bA,"equal");function At(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],i=xy(n.scheme||r.scheme);i&&i.serialize&&i.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let s=gA(r);if(s!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(s),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let c=r.path;!n.absolutePath&&(!i||!i.absolutePath)&&(c=ya(c)),s===void 0&&c[0]==="/"&&c[1]==="/"&&(c="/%2F"+c.slice(2)),a.push(c)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(At,"serialize");var RA=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function Qt(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let i=e.match(RA);if(i){if(n.scheme=i[1],n.userinfo=i[3],n.host=i[4],n.port=parseInt(i[5],10),n.path=i[6]||"",n.query=i[7],n.fragment=i[8],isNaN(n.port)&&(n.port=i[5]),n.host)if(yA(n.host)===!1){let d=hA(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let s=xy(r.scheme||n.scheme);if(!r.unicodeSupport&&(!s||!s.unicodeSupport)&&n.host&&(r.domainHost||s&&s.domainHost)&&a===!1&&SA(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(c){n.error=n.error||"Host's domain name can not be converted to ASCII: "+c}(!s||s&&!s.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),s&&s.parse&&s.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(Qt,"parse");var rl={SCHEMES:vA,normalize:_A,resolve:wA,resolveComponent:ky,equal:bA,serialize:At,parse:Qt};as.exports=rl;as.exports.default=rl;as.exports.fastUri=rl});var Ey=k(nl=>{"use strict";Object.defineProperty(nl,"__esModule",{value:!0});var Ay=Ty();Ay.code='require("ajv/dist/runtime/uri").default';nl.default=Ay});var Dy=k(Oe=>{"use strict";Object.defineProperty(Oe,"__esModule",{value:!0});Oe.CodeGen=Oe.Name=Oe.nil=Oe.stringify=Oe.str=Oe._=Oe.KeywordCxt=void 0;var CA=ha();Object.defineProperty(Oe,"KeywordCxt",{enumerable:!0,get:o(function(){return CA.KeywordCxt},"get")});var Wn=F();Object.defineProperty(Oe,"_",{enumerable:!0,get:o(function(){return Wn._},"get")});Object.defineProperty(Oe,"str",{enumerable:!0,get:o(function(){return Wn.str},"get")});Object.defineProperty(Oe,"stringify",{enumerable:!0,get:o(function(){return Wn.stringify},"get")});Object.defineProperty(Oe,"nil",{enumerable:!0,get:o(function(){return Wn.nil},"get")});Object.defineProperty(Oe,"Name",{enumerable:!0,get:o(function(){return Wn.Name},"get")});Object.defineProperty(Oe,"CodeGen",{enumerable:!0,get:o(function(){return Wn.CodeGen},"get")});var IA=Xi(),My=ga(),PA=Ud(),Sa=ts(),xA=F(),va=pa(),is=la(),al=te(),Uy=yy(),kA=Ey(),qy=o((e,t)=>new RegExp(e,t),"defaultRegExp");qy.code="new RegExp";var TA=["removeAdditional","useDefaults","coerceTypes"],AA=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),EA={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},UA={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},Oy=200;function OA(e){var t,r,n,a,i,s,c,d,p,l,m,h,y,v,S,_,w,b,R,z,M,Me,at,yn,or;let Mt=e.strict,Er=(t=e.code)===null||t===void 0?void 0:t.optimize,po=Er===!0||Er===void 0?1:Er||0,mo=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:qy,fo=(a=e.uriResolver)!==null&&a!==void 0?a:kA.default;return{strictSchema:(s=(i=e.strictSchema)!==null&&i!==void 0?i:Mt)!==null&&s!==void 0?s:!0,strictNumbers:(d=(c=e.strictNumbers)!==null&&c!==void 0?c:Mt)!==null&&d!==void 0?d:!0,strictTypes:(l=(p=e.strictTypes)!==null&&p!==void 0?p:Mt)!==null&&l!==void 0?l:"log",strictTuples:(h=(m=e.strictTuples)!==null&&m!==void 0?m:Mt)!==null&&h!==void 0?h:"log",strictRequired:(v=(y=e.strictRequired)!==null&&y!==void 0?y:Mt)!==null&&v!==void 0?v:!1,code:e.code?{...e.code,optimize:po,regExp:mo}:{optimize:po,regExp:mo},loopRequired:(S=e.loopRequired)!==null&&S!==void 0?S:Oy,loopEnum:(_=e.loopEnum)!==null&&_!==void 0?_:Oy,meta:(w=e.meta)!==null&&w!==void 0?w:!0,messages:(b=e.messages)!==null&&b!==void 0?b:!0,inlineRefs:(R=e.inlineRefs)!==null&&R!==void 0?R:!0,schemaId:(z=e.schemaId)!==null&&z!==void 0?z:"$id",addUsedSchema:(M=e.addUsedSchema)!==null&&M!==void 0?M:!0,validateSchema:(Me=e.validateSchema)!==null&&Me!==void 0?Me:!0,validateFormats:(at=e.validateFormats)!==null&&at!==void 0?at:!0,unicodeRegExp:(yn=e.unicodeRegExp)!==null&&yn!==void 0?yn:!0,int32range:(or=e.int32range)!==null&&or!==void 0?or:!0,uriResolver:fo}}o(OA,"requiredOptions");var _a=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...OA(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new xA.ValueScope({scope:{},prefixes:AA,es5:r,lines:n}),this.logger=DA(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,PA.getRules)(),$y.call(this,EA,t,"NOT SUPPORTED"),$y.call(this,UA,t,"DEPRECATED","warn"),this._metaOpts=qA.call(this),t.formats&&zA.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&MA.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),$A.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=Uy;n==="id"&&(a={...Uy},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(l,m){await i.call(this,l.$schema);let h=this._addSchema(l,m);return h.validate||s.call(this,h)}async function i(l){l&&!this.getSchema(l)&&await a.call(this,{$ref:l},!0)}async function s(l){try{return this._compileSchemaEnv(l)}catch(m){if(!(m instanceof My.default))throw m;return c.call(this,m),await d.call(this,m.missingSchema),s.call(this,l)}}function c({missingSchema:l,missingRef:m}){if(this.refs[l])throw new Error(`AnySchema ${l} is loaded but ${m} cannot be resolved`)}async function d(l){let m=await p.call(this,l);this.refs[l]||await i.call(this,m.$schema),this.refs[l]||this.addSchema(m,l,r)}async function p(l){let m=this._loading[l];if(m)return m;try{return await(this._loading[l]=n(l))}finally{delete this._loading[l]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let s of t)this.addSchema(s,void 0,n,a);return this}let i;if(typeof t=="object"){let{schemaId:s}=this.opts;if(i=t[s],i!==void 0&&typeof i!="string")throw new Error(`schema ${s} must be string`)}return r=(0,va.normalizeId)(r||i),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let i="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(i);else throw new Error(i)}return a}getSchema(t){let r;for(;typeof(r=zy.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new Sa.SchemaEnv({schema:{},schemaId:n});if(r=Sa.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=zy.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,va.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(HA.call(this,n,r),!r)return(0,al.eachItem)(n,i=>ol.call(this,i)),this;BA.call(this,r);let a={...r,type:(0,is.getJSONTypes)(r.type),schemaType:(0,is.getJSONTypes)(r.schemaType)};return(0,al.eachItem)(n,a.type.length===0?i=>ol.call(this,i,a):i=>a.type.forEach(s=>ol.call(this,i,a,s))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(i=>i.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,i)=>a+r+i)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let i=a.split("/").slice(1),s=t;for(let c of i)s=s[c];for(let c in n){let d=n[c];if(typeof d!="object")continue;let{$data:p}=d.definition,l=s[c];p&&l&&(s[c]=Ny(l))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,i=this.opts.addUsedSchema){let s,{schemaId:c}=this.opts;if(typeof t=="object")s=t[c];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,va.normalizeId)(s||n);let p=va.getSchemaRefs.call(this,t,n);return d=new Sa.SchemaEnv({schema:t,schemaId:c,meta:r,baseId:n,localRefs:p}),this._cache.set(d.schema,d),i&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):Sa.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{Sa.compileSchema.call(this,t)}finally{this.opts=r}}};_a.ValidationError=IA.default;_a.MissingRefError=My.default;Oe.default=_a;function $y(e,t,r,n="error"){for(let a in e){let i=a;i in t&&this.logger[n](`${r}: option ${a}. ${e[i]}`)}}o($y,"checkOptions");function zy(e){return e=(0,va.normalizeId)(e),this.schemas[e]||this.refs[e]}o(zy,"getSchEnv");function $A(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o($A,"addInitialSchemas");function zA(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(zA,"addInitialFormats");function MA(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(MA,"addInitialKeywords");function qA(){let e={...this.opts};for(let t of TA)delete e[t];return e}o(qA,"getMetaSchemaOptions");var NA={log(){},warn(){},error(){}};function DA(e){if(e===!1)return NA;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(DA,"getLogger");var jA=/^[a-z_$][a-z0-9_$:-]*$/i;function HA(e,t){let{RULES:r}=this;if((0,al.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!jA.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(HA,"checkKeyword");function ol(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:i}=this,s=a?i.post:i.rules.find(({type:d})=>d===r);if(s||(s={type:r,rules:[]},i.rules.push(s)),i.keywords[e]=!0,!t)return;let c={keyword:e,definition:{...t,type:(0,is.getJSONTypes)(t.type),schemaType:(0,is.getJSONTypes)(t.schemaType)}};t.before?LA.call(this,s,c,t.before):s.rules.push(c),i.all[e]=c,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(ol,"addRule");function LA(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(LA,"addBeforeRule");function BA(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=Ny(t)),e.validateSchema=this.compile(t,!0))}o(BA,"keywordMetaschema");var GA={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function Ny(e){return{anyOf:[e,GA]}}o(Ny,"schemaOrData")});var jy=k(il=>{"use strict";Object.defineProperty(il,"__esModule",{value:!0});var VA={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};il.default=VA});var Gy=k(rn=>{"use strict";Object.defineProperty(rn,"__esModule",{value:!0});rn.callRef=rn.getValidate=void 0;var FA=ga(),Hy=pt(),tt=F(),Yn=Wt(),Ly=ts(),ss=te(),ZA={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:i,validateName:s,opts:c,self:d}=n,{root:p}=i;if((r==="#"||r==="#/")&&a===p.baseId)return m();let l=Ly.resolveRef.call(d,p,a,r);if(l===void 0)throw new FA.default(n.opts.uriResolver,a,r);if(l instanceof Ly.SchemaEnv)return h(l);return y(l);function m(){if(i===p)return cs(e,s,i,i.$async);let v=t.scopeValue("root",{ref:p});return cs(e,(0,tt._)`${v}.validate`,p,p.$async)}function h(v){let S=By(e,v);cs(e,S,v,v.$async)}function y(v){let S=t.scopeValue("schema",c.code.source===!0?{ref:v,code:(0,tt.stringify)(v)}:{ref:v}),_=t.name("valid"),w=e.subschema({schema:v,dataTypes:[],schemaPath:tt.nil,topSchemaRef:S,errSchemaPath:r},_);e.mergeEvaluated(w),e.ok(_)}}};function By(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,tt._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(By,"getValidate");rn.getValidate=By;function cs(e,t,r,n){let{gen:a,it:i}=e,{allErrors:s,schemaEnv:c,opts:d}=i,p=d.passContext?Yn.default.this:tt.nil;n?l():m();function l(){if(!c.$async)throw new Error("async schema referenced by sync schema");let v=a.let("valid");a.try(()=>{a.code((0,tt._)`await ${(0,Hy.callValidateCode)(e,t,p)}`),y(t),s||a.assign(v,!0)},S=>{a.if((0,tt._)`!(${S} instanceof ${i.ValidationError})`,()=>a.throw(S)),h(S),s||a.assign(v,!1)}),e.ok(v)}o(l,"callAsyncRef");function m(){e.result((0,Hy.callValidateCode)(e,t,p),()=>y(t),()=>h(t))}o(m,"callSyncRef");function h(v){let S=(0,tt._)`${v}.errors`;a.assign(Yn.default.vErrors,(0,tt._)`${Yn.default.vErrors} === null ? ${S} : ${Yn.default.vErrors}.concat(${S})`),a.assign(Yn.default.errors,(0,tt._)`${Yn.default.vErrors}.length`)}o(h,"addErrorsFrom");function y(v){var S;if(!i.opts.unevaluated)return;let _=(S=r?.validate)===null||S===void 0?void 0:S.evaluated;if(i.props!==!0)if(_&&!_.dynamicProps)_.props!==void 0&&(i.props=ss.mergeEvaluated.props(a,_.props,i.props));else{let w=a.var("props",(0,tt._)`${v}.evaluated.props`);i.props=ss.mergeEvaluated.props(a,w,i.props,tt.Name)}if(i.items!==!0)if(_&&!_.dynamicItems)_.items!==void 0&&(i.items=ss.mergeEvaluated.items(a,_.items,i.items));else{let w=a.var("items",(0,tt._)`${v}.evaluated.items`);i.items=ss.mergeEvaluated.items(a,w,i.items,tt.Name)}}o(y,"addEvaluatedFrom")}o(cs,"callRef");rn.callRef=cs;rn.default=ZA});var Vy=k(sl=>{"use strict";Object.defineProperty(sl,"__esModule",{value:!0});var KA=jy(),JA=Gy(),WA=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",KA.default,JA.default];sl.default=WA});var Fy=k(cl=>{"use strict";Object.defineProperty(cl,"__esModule",{value:!0});var us=F(),Cr=us.operators,ds={maximum:{okStr:"<=",ok:Cr.LTE,fail:Cr.GT},minimum:{okStr:">=",ok:Cr.GTE,fail:Cr.LT},exclusiveMaximum:{okStr:"<",ok:Cr.LT,fail:Cr.GTE},exclusiveMinimum:{okStr:">",ok:Cr.GT,fail:Cr.LTE}},YA={message:o(({keyword:e,schemaCode:t})=>(0,us.str)`must be ${ds[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,us._)`{comparison: ${ds[e].okStr}, limit: ${t}}`,"params")},QA={keyword:Object.keys(ds),type:"number",schemaType:"number",$data:!0,error:YA,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,us._)`${r} ${ds[t].fail} ${n} || isNaN(${r})`)}};cl.default=QA});var Zy=k(ul=>{"use strict";Object.defineProperty(ul,"__esModule",{value:!0});var wa=F(),XA={message:o(({schemaCode:e})=>(0,wa.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,wa._)`{multipleOf: ${e}}`,"params")},e0={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:XA,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,i=a.opts.multipleOfPrecision,s=t.let("res"),c=i?(0,wa._)`Math.abs(Math.round(${s}) - ${s}) > 1e-${i}`:(0,wa._)`${s} !== parseInt(${s})`;e.fail$data((0,wa._)`(${n} === 0 || (${s} = ${r}/${n}, ${c}))`)}};ul.default=e0});var Jy=k(dl=>{"use strict";Object.defineProperty(dl,"__esModule",{value:!0});function Ky(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(Ky,"ucs2length");dl.default=Ky;Ky.code='require("ajv/dist/runtime/ucs2length").default'});var Wy=k(ll=>{"use strict";Object.defineProperty(ll,"__esModule",{value:!0});var nn=F(),t0=te(),r0=Jy(),n0={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,nn.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,nn._)`{limit: ${e}}`,"params")},o0={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:n0,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,i=t==="maxLength"?nn.operators.GT:nn.operators.LT,s=a.opts.unicode===!1?(0,nn._)`${r}.length`:(0,nn._)`${(0,t0.useFunc)(e.gen,r0.default)}(${r})`;e.fail$data((0,nn._)`${s} ${i} ${n}`)}};ll.default=o0});var Yy=k(pl=>{"use strict";Object.defineProperty(pl,"__esModule",{value:!0});var a0=pt(),ls=F(),i0={message:o(({schemaCode:e})=>(0,ls.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,ls._)`{pattern: ${e}}`,"params")},s0={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:i0,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:i}=e,s=i.opts.unicodeRegExp?"u":"",c=r?(0,ls._)`(new RegExp(${a}, ${s}))`:(0,a0.usePattern)(e,n);e.fail$data((0,ls._)`!${c}.test(${t})`)}};pl.default=s0});var Qy=k(ml=>{"use strict";Object.defineProperty(ml,"__esModule",{value:!0});var ba=F(),c0={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,ba.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,ba._)`{limit: ${e}}`,"params")},u0={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:c0,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?ba.operators.GT:ba.operators.LT;e.fail$data((0,ba._)`Object.keys(${r}).length ${a} ${n}`)}};ml.default=u0});var Xy=k(fl=>{"use strict";Object.defineProperty(fl,"__esModule",{value:!0});var Ra=pt(),Ca=F(),d0=te(),l0={message:o(({params:{missingProperty:e}})=>(0,Ca.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,Ca._)`{missingProperty: ${e}}`,"params")},p0={keyword:"required",type:"object",schemaType:"array",$data:!0,error:l0,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:i,it:s}=e,{opts:c}=s;if(!i&&r.length===0)return;let d=r.length>=c.loopRequired;if(s.allErrors?p():l(),c.strictRequired){let y=e.parentSchema.properties,{definedProperties:v}=e.it;for(let S of r)if(y?.[S]===void 0&&!v.has(S)){let _=s.schemaEnv.baseId+s.errSchemaPath,w=`required property "${S}" is not defined at "${_}" (strictRequired)`;(0,d0.checkStrictMode)(s,w,s.opts.strictRequired)}}function p(){if(d||i)e.block$data(Ca.nil,m);else for(let y of r)(0,Ra.checkReportMissingProp)(e,y)}o(p,"allErrorsMode");function l(){let y=t.let("missing");if(d||i){let v=t.let("valid",!0);e.block$data(v,()=>h(y,v)),e.ok(v)}else t.if((0,Ra.checkMissingProp)(e,r,y)),(0,Ra.reportMissingProp)(e,y),t.else()}o(l,"exitOnErrorMode");function m(){t.forOf("prop",n,y=>{e.setParams({missingProperty:y}),t.if((0,Ra.noPropertyInData)(t,a,y,c.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function h(y,v){e.setParams({missingProperty:y}),t.forOf(y,n,()=>{t.assign(v,(0,Ra.propertyInData)(t,a,y,c.ownProperties)),t.if((0,Ca.not)(v),()=>{e.error(),t.break()})},Ca.nil)}o(h,"loopUntilMissing")}};fl.default=p0});var eS=k(hl=>{"use strict";Object.defineProperty(hl,"__esModule",{value:!0});var Ia=F(),m0={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,Ia.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,Ia._)`{limit: ${e}}`,"params")},f0={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:m0,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?Ia.operators.GT:Ia.operators.LT;e.fail$data((0,Ia._)`${r}.length ${a} ${n}`)}};hl.default=f0});var ps=k(gl=>{"use strict";Object.defineProperty(gl,"__esModule",{value:!0});var tS=jd();tS.code='require("ajv/dist/runtime/equal").default';gl.default=tS});var rS=k(Sl=>{"use strict";Object.defineProperty(Sl,"__esModule",{value:!0});var yl=la(),$e=F(),h0=te(),g0=ps(),y0={message:o(({params:{i:e,j:t}})=>(0,$e.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,$e._)`{i: ${e}, j: ${t}}`,"params")},S0={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:y0,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:i,schemaCode:s,it:c}=e;if(!n&&!a)return;let d=t.let("valid"),p=i.items?(0,yl.getSchemaTypes)(i.items):[];e.block$data(d,l,(0,$e._)`${s} === false`),e.ok(d);function l(){let v=t.let("i",(0,$e._)`${r}.length`),S=t.let("j");e.setParams({i:v,j:S}),t.assign(d,!0),t.if((0,$e._)`${v} > 1`,()=>(m()?h:y)(v,S))}o(l,"validateUniqueItems");function m(){return p.length>0&&!p.some(v=>v==="object"||v==="array")}o(m,"canOptimize");function h(v,S){let _=t.name("item"),w=(0,yl.checkDataTypes)(p,_,c.opts.strictNumbers,yl.DataType.Wrong),b=t.const("indices",(0,$e._)`{}`);t.for((0,$e._)`;${v}--;`,()=>{t.let(_,(0,$e._)`${r}[${v}]`),t.if(w,(0,$e._)`continue`),p.length>1&&t.if((0,$e._)`typeof ${_} == "string"`,(0,$e._)`${_} += "_"`),t.if((0,$e._)`typeof ${b}[${_}] == "number"`,()=>{t.assign(S,(0,$e._)`${b}[${_}]`),e.error(),t.assign(d,!1).break()}).code((0,$e._)`${b}[${_}] = ${v}`)})}o(h,"loopN");function y(v,S){let _=(0,h0.useFunc)(t,g0.default),w=t.name("outer");t.label(w).for((0,$e._)`;${v}--;`,()=>t.for((0,$e._)`${S} = ${v}; ${S}--;`,()=>t.if((0,$e._)`${_}(${r}[${v}], ${r}[${S}])`,()=>{e.error(),t.assign(d,!1).break(w)})))}o(y,"loopN2")}};Sl.default=S0});var nS=k(_l=>{"use strict";Object.defineProperty(_l,"__esModule",{value:!0});var vl=F(),v0=te(),_0=ps(),w0={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,vl._)`{allowedValue: ${e}}`,"params")},b0={keyword:"const",$data:!0,error:w0,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:i}=e;n||i&&typeof i=="object"?e.fail$data((0,vl._)`!${(0,v0.useFunc)(t,_0.default)}(${r}, ${a})`):e.fail((0,vl._)`${i} !== ${r}`)}};_l.default=b0});var oS=k(wl=>{"use strict";Object.defineProperty(wl,"__esModule",{value:!0});var Pa=F(),R0=te(),C0=ps(),I0={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,Pa._)`{allowedValues: ${e}}`,"params")},P0={keyword:"enum",schemaType:"array",$data:!0,error:I0,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:i,it:s}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let c=a.length>=s.opts.loopEnum,d,p=o(()=>d??(d=(0,R0.useFunc)(t,C0.default)),"getEql"),l;if(c||n)l=t.let("valid"),e.block$data(l,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let y=t.const("vSchema",i);l=(0,Pa.or)(...a.map((v,S)=>h(y,S)))}e.pass(l);function m(){t.assign(l,!1),t.forOf("v",i,y=>t.if((0,Pa._)`${p()}(${r}, ${y})`,()=>t.assign(l,!0).break()))}o(m,"loopEnum");function h(y,v){let S=a[v];return typeof S=="object"&&S!==null?(0,Pa._)`${p()}(${r}, ${y}[${v}])`:(0,Pa._)`${r} === ${S}`}o(h,"equalCode")}};wl.default=P0});var aS=k(bl=>{"use strict";Object.defineProperty(bl,"__esModule",{value:!0});var x0=Fy(),k0=Zy(),T0=Wy(),A0=Yy(),E0=Qy(),U0=Xy(),O0=eS(),$0=rS(),z0=nS(),M0=oS(),q0=[x0.default,k0.default,T0.default,A0.default,E0.default,U0.default,O0.default,$0.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},z0.default,M0.default];bl.default=q0});var Cl=k(xa=>{"use strict";Object.defineProperty(xa,"__esModule",{value:!0});xa.validateAdditionalItems=void 0;var on=F(),Rl=te(),N0={message:o(({params:{len:e}})=>(0,on.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,on._)`{limit: ${e}}`,"params")},D0={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:N0,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,Rl.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}iS(e,n)}};function iS(e,t){let{gen:r,schema:n,data:a,keyword:i,it:s}=e;s.items=!0;let c=r.const("len",(0,on._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,on._)`${c} <= ${t.length}`);else if(typeof n=="object"&&!(0,Rl.alwaysValidSchema)(s,n)){let p=r.var("valid",(0,on._)`${c} <= ${t.length}`);r.if((0,on.not)(p),()=>d(p)),e.ok(p)}function d(p){r.forRange("i",t.length,c,l=>{e.subschema({keyword:i,dataProp:l,dataPropType:Rl.Type.Num},p),s.allErrors||r.if((0,on.not)(p),()=>r.break())})}o(d,"validateItems")}o(iS,"validateAdditionalItems");xa.validateAdditionalItems=iS;xa.default=D0});var Il=k(ka=>{"use strict";Object.defineProperty(ka,"__esModule",{value:!0});ka.validateTuple=void 0;var sS=F(),ms=te(),j0=pt(),H0={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return cS(e,"additionalItems",t);r.items=!0,!(0,ms.alwaysValidSchema)(r,t)&&e.ok((0,j0.validateArray)(e))}};function cS(e,t,r=e.schema){let{gen:n,parentSchema:a,data:i,keyword:s,it:c}=e;l(a),c.opts.unevaluated&&r.length&&c.items!==!0&&(c.items=ms.mergeEvaluated.items(n,r.length,c.items));let d=n.name("valid"),p=n.const("len",(0,sS._)`${i}.length`);r.forEach((m,h)=>{(0,ms.alwaysValidSchema)(c,m)||(n.if((0,sS._)`${p} > ${h}`,()=>e.subschema({keyword:s,schemaProp:h,dataProp:h},d)),e.ok(d))});function l(m){let{opts:h,errSchemaPath:y}=c,v=r.length,S=v===m.minItems&&(v===m.maxItems||m[t]===!1);if(h.strictTuples&&!S){let _=`"${s}" is ${v}-tuple, but minItems or maxItems/${t} are not specified or different at path "${y}"`;(0,ms.checkStrictMode)(c,_,h.strictTuples)}}o(l,"checkStrictTuple")}o(cS,"validateTuple");ka.validateTuple=cS;ka.default=H0});var uS=k(Pl=>{"use strict";Object.defineProperty(Pl,"__esModule",{value:!0});var L0=Il(),B0={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,L0.validateTuple)(e,"items"),"code")};Pl.default=B0});var lS=k(xl=>{"use strict";Object.defineProperty(xl,"__esModule",{value:!0});var dS=F(),G0=te(),V0=pt(),F0=Cl(),Z0={message:o(({params:{len:e}})=>(0,dS.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,dS._)`{limit: ${e}}`,"params")},K0={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:Z0,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,G0.alwaysValidSchema)(n,t)&&(a?(0,F0.validateAdditionalItems)(e,a):e.ok((0,V0.validateArray)(e)))}};xl.default=K0});var pS=k(kl=>{"use strict";Object.defineProperty(kl,"__esModule",{value:!0});var ft=F(),fs=te(),J0={message:o(({params:{min:e,max:t}})=>t===void 0?(0,ft.str)`must contain at least ${e} valid item(s)`:(0,ft.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,ft._)`{minContains: ${e}}`:(0,ft._)`{minContains: ${e}, maxContains: ${t}}`,"params")},W0={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:J0,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e,s,c,{minContains:d,maxContains:p}=n;i.opts.next?(s=d===void 0?1:d,c=p):s=1;let l=t.const("len",(0,ft._)`${a}.length`);if(e.setParams({min:s,max:c}),c===void 0&&s===0){(0,fs.checkStrictMode)(i,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(c!==void 0&&s>c){(0,fs.checkStrictMode)(i,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,fs.alwaysValidSchema)(i,r)){let S=(0,ft._)`${l} >= ${s}`;c!==void 0&&(S=(0,ft._)`${S} && ${l} <= ${c}`),e.pass(S);return}i.items=!0;let m=t.name("valid");c===void 0&&s===1?y(m,()=>t.if(m,()=>t.break())):s===0?(t.let(m,!0),c!==void 0&&t.if((0,ft._)`${a}.length > 0`,h)):(t.let(m,!1),h()),e.result(m,()=>e.reset());function h(){let S=t.name("_valid"),_=t.let("count",0);y(S,()=>t.if(S,()=>v(_)))}o(h,"validateItemsWithCount");function y(S,_){t.forRange("i",0,l,w=>{e.subschema({keyword:"contains",dataProp:w,dataPropType:fs.Type.Num,compositeRule:!0},S),_()})}o(y,"validateItems");function v(S){t.code((0,ft._)`${S}++`),c===void 0?t.if((0,ft._)`${S} >= ${s}`,()=>t.assign(m,!0).break()):(t.if((0,ft._)`${S} > ${c}`,()=>t.assign(m,!1).break()),s===1?t.assign(m,!0):t.if((0,ft._)`${S} >= ${s}`,()=>t.assign(m,!0)))}o(v,"checkLimits")}};kl.default=W0});var hS=k(Et=>{"use strict";Object.defineProperty(Et,"__esModule",{value:!0});Et.validateSchemaDeps=Et.validatePropertyDeps=Et.error=void 0;var Tl=F(),Y0=te(),Ta=pt();Et.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,Tl.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,Tl._)`{property: ${e},
     missingProperty: ${n},
     depsCount: ${t},
-    deps: ${r}}`,"params")};var SE={keyword:"dependencies",type:"object",schemaType:"object",error:Ut.error,code(e){let[t,r]=_E(e);hS(e,t),gS(e,r)}};function _E({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(_E,"splitDependencies");function hS(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let i=r.let("missing");for(let s in t){let c=t[s];if(c.length===0)continue;let d=(0,ka.propertyInData)(r,n,s,a.opts.ownProperties);e.setParams({property:s,depsCount:c.length,deps:c.join(", ")}),a.allErrors?r.if(d,()=>{for(let p of c)(0,ka.checkReportMissingProp)(e,p)}):(r.if((0,kl._)`${d} && (${(0,ka.checkMissingProp)(e,c,i)})`),(0,ka.reportMissingProp)(e,i),r.else())}}o(hS,"validatePropertyDeps");Ut.validatePropertyDeps=hS;function gS(e,t=e.schema){let{gen:r,data:n,keyword:a,it:i}=e,s=r.name("valid");for(let c in t)(0,yE.alwaysValidSchema)(i,t[c])||(r.if((0,ka.propertyInData)(r,n,c,i.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:c},s);e.mergeValidEvaluated(d,s)},()=>r.var(s,!0)),e.ok(s))}o(gS,"validateSchemaDeps");Ut.validateSchemaDeps=gS;Ut.default=SE});var _S=x(Tl=>{"use strict";Object.defineProperty(Tl,"__esModule",{value:!0});var SS=V(),wE=te(),vE={message:"property name must be valid",params:o(({params:e})=>(0,SS._)`{propertyName: ${e.propertyName}}`,"params")},bE={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:vE,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,wE.alwaysValidSchema)(a,r))return;let i=t.name("valid");t.forIn("key",n,s=>{e.setParams({propertyName:s}),e.subschema({keyword:"propertyNames",data:s,dataTypes:["string"],propertyName:s,compositeRule:!0},i),t.if((0,SS.not)(i),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(i)}};Tl.default=bE});var Ul=x(El=>{"use strict";Object.defineProperty(El,"__esModule",{value:!0});var gs=mt(),bt=V(),RE=Wt(),ys=te(),CE={message:"must NOT have additional properties",params:o(({params:e})=>(0,bt._)`{additionalProperty: ${e.additionalProperty}}`,"params")},IE={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:CE,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:i,it:s}=e;if(!i)throw new Error("ajv implementation error");let{allErrors:c,opts:d}=s;if(s.props=!0,d.removeAdditional!=="all"&&(0,ys.alwaysValidSchema)(s,r))return;let p=(0,gs.allSchemaProperties)(n.properties),l=(0,gs.allSchemaProperties)(n.patternProperties);m(),e.ok((0,bt._)`${i} === ${RE.default.errors}`);function m(){t.forIn("key",a,w=>{!p.length&&!l.length?_(w):t.if(h(w),()=>_(w))})}o(m,"checkAdditionalProperties");function h(w){let v;if(p.length>8){let b=(0,ys.schemaRefOrVal)(s,n.properties,"properties");v=(0,gs.isOwnProperty)(t,b,w)}else p.length?v=(0,bt.or)(...p.map(b=>(0,bt._)`${w} === ${b}`)):v=bt.nil;return l.length&&(v=(0,bt.or)(v,...l.map(b=>(0,bt._)`${(0,gs.usePattern)(e,b)}.test(${w})`))),(0,bt.not)(v)}o(h,"isAdditional");function y(w){t.code((0,bt._)`delete ${a}[${w}]`)}o(y,"deleteAdditional");function _(w){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){y(w);return}if(r===!1){e.setParams({additionalProperty:w}),e.error(),c||t.break();return}if(typeof r=="object"&&!(0,ys.alwaysValidSchema)(s,r)){let v=t.name("valid");d.removeAdditional==="failing"?(S(w,v,!1),t.if((0,bt.not)(v),()=>{e.reset(),y(w)})):(S(w,v),c||t.if((0,bt.not)(v),()=>t.break()))}}o(_,"additionalPropertyCode");function S(w,v,b){let R={keyword:"additionalProperties",dataProp:w,dataPropType:ys.Type.Str};b===!1&&Object.assign(R,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(R,v)}o(S,"applyAdditionalSchema")}};El.default=IE});var bS=x($l=>{"use strict";Object.defineProperty($l,"__esModule",{value:!0});var PE=ha(),wS=mt(),Ol=te(),vS=Ul(),xE={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e;i.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&vS.default.code(new PE.KeywordCxt(i,vS.default,"additionalProperties"));let s=(0,wS.allSchemaProperties)(r);for(let m of s)i.definedProperties.add(m);i.opts.unevaluated&&s.length&&i.props!==!0&&(i.props=Ol.mergeEvaluated.props(t,(0,Ol.toHash)(s),i.props));let c=s.filter(m=>!(0,Ol.alwaysValidSchema)(i,r[m]));if(c.length===0)return;let d=t.name("valid");for(let m of c)p(m)?l(m):(t.if((0,wS.propertyInData)(t,a,m,i.opts.ownProperties)),l(m),i.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function p(m){return i.opts.useDefaults&&!i.compositeRule&&r[m].default!==void 0}o(p,"hasDefault");function l(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(l,"applyPropertySchema")}};$l.default=xE});var PS=x(zl=>{"use strict";Object.defineProperty(zl,"__esModule",{value:!0});var RS=mt(),Ss=V(),CS=te(),IS=te(),AE={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:i}=e,{opts:s}=i,c=(0,RS.allSchemaProperties)(r),d=c.filter(S=>(0,CS.alwaysValidSchema)(i,r[S]));if(c.length===0||d.length===c.length&&(!i.opts.unevaluated||i.props===!0))return;let p=s.strictSchema&&!s.allowMatchingProperties&&a.properties,l=t.name("valid");i.props!==!0&&!(i.props instanceof Ss.Name)&&(i.props=(0,IS.evaluatedPropsToName)(t,i.props));let{props:m}=i;h();function h(){for(let S of c)p&&y(S),i.allErrors?_(S):(t.var(l,!0),_(S),t.if(l))}o(h,"validatePatternProperties");function y(S){for(let w in p)new RegExp(S).test(w)&&(0,CS.checkStrictMode)(i,`property ${w} matches pattern ${S} (use allowMatchingProperties)`)}o(y,"checkMatchingProperties");function _(S){t.forIn("key",n,w=>{t.if((0,Ss._)`${(0,RS.usePattern)(e,S)}.test(${w})`,()=>{let v=d.includes(S);v||e.subschema({keyword:"patternProperties",schemaProp:S,dataProp:w,dataPropType:IS.Type.Str},l),i.opts.unevaluated&&m!==!0?t.assign((0,Ss._)`${m}[${w}]`,!0):!v&&!i.allErrors&&t.if((0,Ss.not)(l),()=>t.break())})})}o(_,"validateProperties")}};zl.default=AE});var xS=x(Ml=>{"use strict";Object.defineProperty(Ml,"__esModule",{value:!0});var kE=te(),TE={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,kE.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Ml.default=TE});var AS=x(ql=>{"use strict";Object.defineProperty(ql,"__esModule",{value:!0});var EE=mt(),UE={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:EE.validateUnion,error:{message:"must match a schema in anyOf"}};ql.default=UE});var kS=x(Nl=>{"use strict";Object.defineProperty(Nl,"__esModule",{value:!0});var _s=V(),OE=te(),$E={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,_s._)`{passingSchemas: ${e.passing}}`,"params")},zE={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:$E,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let i=r,s=t.let("valid",!1),c=t.let("passing",null),d=t.name("_valid");e.setParams({passing:c}),t.block(p),e.result(s,()=>e.reset(),()=>e.error(!0));function p(){i.forEach((l,m)=>{let h;(0,OE.alwaysValidSchema)(a,l)?t.var(d,!0):h=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,_s._)`${d} && ${s}`).assign(s,!1).assign(c,(0,_s._)`[${c}, ${m}]`).else(),t.if(d,()=>{t.assign(s,!0),t.assign(c,m),h&&e.mergeEvaluated(h,_s.Name)})})}o(p,"validateOneOf")}};Nl.default=zE});var TS=x(jl=>{"use strict";Object.defineProperty(jl,"__esModule",{value:!0});var ME=te(),qE={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((i,s)=>{if((0,ME.alwaysValidSchema)(n,i))return;let c=e.subschema({keyword:"allOf",schemaProp:s},a);e.ok(a),e.mergeEvaluated(c)})}};jl.default=qE});var OS=x(Dl=>{"use strict";Object.defineProperty(Dl,"__esModule",{value:!0});var ws=V(),US=te(),NE={message:o(({params:e})=>(0,ws.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,ws._)`{failingKeyword: ${e.ifClause}}`,"params")},jE={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:NE,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,US.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=ES(n,"then"),i=ES(n,"else");if(!a&&!i)return;let s=t.let("valid",!0),c=t.name("_valid");if(d(),e.reset(),a&&i){let l=t.let("ifClause");e.setParams({ifClause:l}),t.if(c,p("then",l),p("else",l))}else a?t.if(c,p("then")):t.if((0,ws.not)(c),p("else"));e.pass(s,()=>e.error(!0));function d(){let l=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},c);e.mergeEvaluated(l)}o(d,"validateIf");function p(l,m){return()=>{let h=e.subschema({keyword:l},c);t.assign(s,c),e.mergeValidEvaluated(h,s),m?t.assign(m,(0,ws._)`${l}`):e.setParams({ifClause:l})}}o(p,"validateClause")}};function ES(e,t){let r=e.schema[t];return r!==void 0&&!(0,US.alwaysValidSchema)(e,r)}o(ES,"hasSchema");Dl.default=jE});var $S=x(Hl=>{"use strict";Object.defineProperty(Hl,"__esModule",{value:!0});var DE=te(),HE={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,DE.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};Hl.default=HE});var zS=x(Ll=>{"use strict";Object.defineProperty(Ll,"__esModule",{value:!0});var LE=Cl(),BE=lS(),GE=Il(),VE=mS(),FE=fS(),ZE=yS(),KE=_S(),JE=Ul(),WE=bS(),YE=PS(),QE=xS(),XE=AS(),eU=kS(),tU=TS(),rU=OS(),nU=$S();function oU(e=!1){let t=[QE.default,XE.default,eU.default,tU.default,rU.default,nU.default,KE.default,JE.default,ZE.default,WE.default,YE.default];return e?t.push(BE.default,VE.default):t.push(LE.default,GE.default),t.push(FE.default),t}o(oU,"getApplicator");Ll.default=oU});var MS=x(Bl=>{"use strict";Object.defineProperty(Bl,"__esModule",{value:!0});var Re=V(),aU={message:o(({schemaCode:e})=>(0,Re.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,Re._)`{format: ${e}}`,"params")},iU={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:aU,code(e,t){let{gen:r,data:n,$data:a,schema:i,schemaCode:s,it:c}=e,{opts:d,errSchemaPath:p,schemaEnv:l,self:m}=c;if(!d.validateFormats)return;a?h():y();function h(){let _=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),S=r.const("fDef",(0,Re._)`${_}[${s}]`),w=r.let("fType"),v=r.let("format");r.if((0,Re._)`typeof ${S} == "object" && !(${S} instanceof RegExp)`,()=>r.assign(w,(0,Re._)`${S}.type || "string"`).assign(v,(0,Re._)`${S}.validate`),()=>r.assign(w,(0,Re._)`"string"`).assign(v,S)),e.fail$data((0,Re.or)(b(),R()));function b(){return d.strictSchema===!1?Re.nil:(0,Re._)`${s} && !${v}`}o(b,"unknownFmt");function R(){let M=l.$async?(0,Re._)`(${S}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,Re._)`${v}(${n})`,q=(0,Re._)`(typeof ${v} == "function" ? ${M} : ${v}.test(${n}))`;return(0,Re._)`${v} && ${v} !== true && ${w} === ${t} && !${q}`}o(R,"invalidFmt")}o(h,"validate$DataFormat");function y(){let _=m.formats[i];if(!_){b();return}if(_===!0)return;let[S,w,v]=R(_);S===t&&e.pass(M());function b(){if(d.strictSchema===!1){m.logger.warn(q());return}throw new Error(q());function q(){return`unknown format "${i}" ignored in schema at path "${p}"`}}o(b,"unknownFormat");function R(q){let Me=q instanceof RegExp?(0,Re.regexpCode)(q):d.code.formats?(0,Re._)`${d.code.formats}${(0,Re.getProperty)(i)}`:void 0,it=r.scopeValue("formats",{key:i,ref:q,code:Me});return typeof q=="object"&&!(q instanceof RegExp)?[q.type||"string",q.validate,(0,Re._)`${it}.validate`]:["string",q,it]}o(R,"getFormat");function M(){if(typeof _=="object"&&!(_ instanceof RegExp)&&_.async){if(!l.$async)throw new Error("async format in sync schema");return(0,Re._)`await ${v}(${n})`}return typeof w=="function"?(0,Re._)`${v}(${n})`:(0,Re._)`${v}.test(${n})`}o(M,"validCondition")}o(y,"validateFormat")}};Bl.default=iU});var qS=x(Gl=>{"use strict";Object.defineProperty(Gl,"__esModule",{value:!0});var sU=MS(),cU=[sU.default];Gl.default=cU});var NS=x(Xn=>{"use strict";Object.defineProperty(Xn,"__esModule",{value:!0});Xn.contentVocabulary=Xn.metadataVocabulary=void 0;Xn.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];Xn.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var DS=x(Vl=>{"use strict";Object.defineProperty(Vl,"__esModule",{value:!0});var uU=Zy(),dU=sS(),lU=zS(),pU=qS(),jS=NS(),mU=[uU.default,dU.default,(0,lU.default)(),pU.default,jS.metadataVocabulary,jS.contentVocabulary];Vl.default=mU});var LS=x(vs=>{"use strict";Object.defineProperty(vs,"__esModule",{value:!0});vs.DiscrError=void 0;var HS;(function(e){e.Tag="tag",e.Mapping="mapping"})(HS||(vs.DiscrError=HS={}))});var GS=x(Zl=>{"use strict";Object.defineProperty(Zl,"__esModule",{value:!0});var eo=V(),Fl=LS(),BS=rs(),fU=ga(),hU=te(),gU={message:o(({params:{discrError:e,tagName:t}})=>e===Fl.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,eo._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},yU={keyword:"discriminator",type:"object",schemaType:"object",error:gU,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:i}=e,{oneOf:s}=a;if(!i.opts.discriminator)throw new Error("discriminator: requires discriminator option");let c=n.propertyName;if(typeof c!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!s)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),p=t.const("tag",(0,eo._)`${r}${(0,eo.getProperty)(c)}`);t.if((0,eo._)`typeof ${p} == "string"`,()=>l(),()=>e.error(!1,{discrError:Fl.DiscrError.Tag,tag:p,tagName:c})),e.ok(d);function l(){let y=h();t.if(!1);for(let _ in y)t.elseIf((0,eo._)`${p} === ${_}`),t.assign(d,m(y[_]));t.else(),e.error(!1,{discrError:Fl.DiscrError.Mapping,tag:p,tagName:c}),t.endIf()}o(l,"validateMapping");function m(y){let _=t.name("valid"),S=e.subschema({keyword:"oneOf",schemaProp:y},_);return e.mergeEvaluated(S,eo.Name),_}o(m,"applyTagSchema");function h(){var y;let _={},S=v(a),w=!0;for(let M=0;M<s.length;M++){let q=s[M];if(q?.$ref&&!(0,hU.schemaHasRulesButRef)(q,i.self.RULES)){let it=q.$ref;if(q=BS.resolveRef.call(i.self,i.schemaEnv.root,i.baseId,it),q instanceof BS.SchemaEnv&&(q=q.schema),q===void 0)throw new fU.default(i.opts.uriResolver,i.baseId,it)}let Me=(y=q?.properties)===null||y===void 0?void 0:y[c];if(typeof Me!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${c}"`);w=w&&(S||v(q)),b(Me,M)}if(!w)throw new Error(`discriminator: "${c}" must be required`);return _;function v({required:M}){return Array.isArray(M)&&M.includes(c)}function b(M,q){if(M.const)R(M.const,q);else if(M.enum)for(let Me of M.enum)R(Me,q);else throw new Error(`discriminator: "properties/${c}" must have "const" or "enum"`)}function R(M,q){if(typeof M!="string"||M in _)throw new Error(`discriminator: "${c}" values must be unique strings`);_[M]=q}}o(h,"getMapping")}};Zl.default=yU});var VS=x((zF,SU)=>{SU.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var Jl=x((me,Kl)=>{"use strict";Object.defineProperty(me,"__esModule",{value:!0});me.MissingRefError=me.ValidationError=me.CodeGen=me.Name=me.nil=me.stringify=me.str=me._=me.KeywordCxt=me.Ajv=void 0;var _U=Hy(),wU=DS(),vU=GS(),FS=VS(),bU=["/properties"],bs="http://json-schema.org/draft-07/schema",to=class extends _U.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),wU.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(vU.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(FS,bU):FS;this.addMetaSchema(t,bs,!1),this.refs["http://json-schema.org/schema"]=bs}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(bs)?bs:void 0)}};me.Ajv=to;Kl.exports=me=to;Kl.exports.Ajv=to;Object.defineProperty(me,"__esModule",{value:!0});me.default=to;var RU=ha();Object.defineProperty(me,"KeywordCxt",{enumerable:!0,get:o(function(){return RU.KeywordCxt},"get")});var ro=V();Object.defineProperty(me,"_",{enumerable:!0,get:o(function(){return ro._},"get")});Object.defineProperty(me,"str",{enumerable:!0,get:o(function(){return ro.str},"get")});Object.defineProperty(me,"stringify",{enumerable:!0,get:o(function(){return ro.stringify},"get")});Object.defineProperty(me,"nil",{enumerable:!0,get:o(function(){return ro.nil},"get")});Object.defineProperty(me,"Name",{enumerable:!0,get:o(function(){return ro.Name},"get")});Object.defineProperty(me,"CodeGen",{enumerable:!0,get:o(function(){return ro.CodeGen},"get")});var CU=es();Object.defineProperty(me,"ValidationError",{enumerable:!0,get:o(function(){return CU.default},"get")});var IU=ga();Object.defineProperty(me,"MissingRefError",{enumerable:!0,get:o(function(){return IU.default},"get")})});var e_=x($t=>{"use strict";Object.defineProperty($t,"__esModule",{value:!0});$t.formatNames=$t.fastFormats=$t.fullFormats=void 0;function Ot(e,t){return{validate:e,compare:t}}o(Ot,"fmtDef");$t.fullFormats={date:Ot(WS,Xl),time:Ot(Yl(!0),ep),"date-time":Ot(ZS(!0),QS),"iso-time":Ot(Yl(),YS),"iso-date-time":Ot(ZS(),XS),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:EU,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:NU,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:UU,int32:{type:"number",validate:zU},int64:{type:"number",validate:MU},float:{type:"number",validate:JS},double:{type:"number",validate:JS},password:!0,binary:!0};$t.fastFormats={...$t.fullFormats,date:Ot(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,Xl),time:Ot(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,ep),"date-time":Ot(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,QS),"iso-time":Ot(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,YS),"iso-date-time":Ot(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,XS),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};$t.formatNames=Object.keys($t.fullFormats);function PU(e){return e%4===0&&(e%100!==0||e%400===0)}o(PU,"isLeapYear");var xU=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,AU=[0,31,28,31,30,31,30,31,31,30,31,30,31];function WS(e){let t=xU.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&PU(r)?29:AU[n])}o(WS,"date");function Xl(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(Xl,"compareDate");var Wl=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function Yl(e){return o(function(r){let n=Wl.exec(r);if(!n)return!1;let a=+n[1],i=+n[2],s=+n[3],c=n[4],d=n[5]==="-"?-1:1,p=+(n[6]||0),l=+(n[7]||0);if(p>23||l>59||e&&!c)return!1;if(a<=23&&i<=59&&s<60)return!0;let m=i-l*d,h=a-p*d-(m<0?1:0);return(h===23||h===-1)&&(m===59||m===-1)&&s<61},"time")}o(Yl,"getTime");function ep(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(ep,"compareTime");function YS(e,t){if(!(e&&t))return;let r=Wl.exec(e),n=Wl.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(YS,"compareIsoTime");var Ql=/t|\s/i;function ZS(e){let t=Yl(e);return o(function(n){let a=n.split(Ql);return a.length===2&&WS(a[0])&&t(a[1])},"date_time")}o(ZS,"getDateTime");function QS(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(QS,"compareDateTime");function XS(e,t){if(!(e&&t))return;let[r,n]=e.split(Ql),[a,i]=t.split(Ql),s=Xl(r,a);if(s!==void 0)return s||ep(n,i)}o(XS,"compareIsoDateTime");var kU=/\/|:/,TU=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function EU(e){return kU.test(e)&&TU.test(e)}o(EU,"uri");var KS=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function UU(e){return KS.lastIndex=0,KS.test(e)}o(UU,"byte");var OU=-(2**31),$U=2**31-1;function zU(e){return Number.isInteger(e)&&e<=$U&&e>=OU}o(zU,"validateInt32");function MU(e){return Number.isInteger(e)}o(MU,"validateInt64");function JS(){return!0}o(JS,"validateNumber");var qU=/[^\\]\\Z/;function NU(e){if(qU.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(NU,"regex")});var t_=x(no=>{"use strict";Object.defineProperty(no,"__esModule",{value:!0});no.formatLimitDefinition=void 0;var jU=Jl(),Rt=V(),Pr=Rt.operators,Rs={formatMaximum:{okStr:"<=",ok:Pr.LTE,fail:Pr.GT},formatMinimum:{okStr:">=",ok:Pr.GTE,fail:Pr.LT},formatExclusiveMaximum:{okStr:"<",ok:Pr.LT,fail:Pr.GTE},formatExclusiveMinimum:{okStr:">",ok:Pr.GT,fail:Pr.LTE}},DU={message:o(({keyword:e,schemaCode:t})=>(0,Rt.str)`should be ${Rs[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,Rt._)`{comparison: ${Rs[e].okStr}, limit: ${t}}`,"params")};no.formatLimitDefinition={keyword:Object.keys(Rs),type:"string",schemaType:"string",$data:!0,error:DU,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:i}=e,{opts:s,self:c}=i;if(!s.validateFormats)return;let d=new jU.KeywordCxt(i,c.RULES.all.format.definition,"format");d.$data?p():l();function p(){let h=t.scopeValue("formats",{ref:c.formats,code:s.code.formats}),y=t.const("fmt",(0,Rt._)`${h}[${d.schemaCode}]`);e.fail$data((0,Rt.or)((0,Rt._)`typeof ${y} != "object"`,(0,Rt._)`${y} instanceof RegExp`,(0,Rt._)`typeof ${y}.compare != "function"`,m(y)))}o(p,"validate$DataFormat");function l(){let h=d.schema,y=c.formats[h];if(!y||y===!0)return;if(typeof y!="object"||y instanceof RegExp||typeof y.compare!="function")throw new Error(`"${a}": format "${h}" does not define "compare" function`);let _=t.scopeValue("formats",{key:h,ref:y,code:s.code.formats?(0,Rt._)`${s.code.formats}${(0,Rt.getProperty)(h)}`:void 0});e.fail$data(m(_))}o(l,"validateFormat");function m(h){return(0,Rt._)`${h}.compare(${r}, ${n}) ${Rs[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var HU=o(e=>(e.addKeyword(no.formatLimitDefinition),e),"formatLimitPlugin");no.default=HU});var a_=x((Ta,o_)=>{"use strict";Object.defineProperty(Ta,"__esModule",{value:!0});var oo=e_(),LU=t_(),tp=V(),r_=new tp.Name("fullFormats"),BU=new tp.Name("fastFormats"),rp=o((e,t={keywords:!0})=>{if(Array.isArray(t))return n_(e,t,oo.fullFormats,r_),e;let[r,n]=t.mode==="fast"?[oo.fastFormats,BU]:[oo.fullFormats,r_],a=t.formats||oo.formatNames;return n_(e,a,r,n),t.keywords&&(0,LU.default)(e),e},"formatsPlugin");rp.get=(e,t="full")=>{let n=(t==="fast"?oo.fastFormats:oo.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function n_(e,t,r,n){var a,i;(a=(i=e.opts.code).formats)!==null&&a!==void 0||(i.formats=(0,tp._)`require("ajv-formats/dist/formats").${n}`);for(let s of t)e.addFormat(s,r[s])}o(n_,"addFormats");o_.exports=Ta=rp;Object.defineProperty(Ta,"__esModule",{value:!0});Ta.default=rp});var vn={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},tm={...vn.runtime,...vn.config,...vn.downstream_auth,...vn.downstream_oauth,...vn.upstream_auth,...vn.upstream_mcp};function wo(e){return typeof e=="string"&&Object.hasOwn(tm,e)}o(wo,"isGatewayProblemCode");function Fa(e){return wo(e)&&Ke(e).callbackFailure===!0}o(Fa,"isGatewayCallbackFailureCode");function Ke(e){return tm[e]}o(Ke,"readGatewayProblemDefinition");function rm(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";default:return"internal_server_error"}}o(rm,"readDefaultGatewayProblemCodeForStatus");var nm="gatewayCode";function om(e){let t=Ke(e);return{title:t.title,body:t.publicDetail}}o(om,"readGatewayCallbackFailureContent");function ge(e){if(!(e instanceof _n))return;let t=e.extensionMembers?.[nm];return wo(t)?t:void 0}o(ge,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Ke(n.code),i=n.privateDetail??(Za(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),s=Pv(n);return new _n({message:i,extensionMembers:{[nm]:n.code}},s===void 0?void 0:{cause:s})}o(g,"createGatewayRuntimeError");async function st(e,t,r){let n=Ke(r.code),a=xv(r.code,r.detail),i=Za(r.code)?r.title??n.title:n.title,c={problem:{..._o.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:i,detail:a,code:r.code}};return r.headers!==void 0&&(c.additionalHeaders=r.headers),_o.format(c,e,t)}o(st,"gatewayProblemResponse");function Za(e){return Ke(e).status<500}o(Za,"canExposeGatewayProblemDetail");function Pv(e){return!e.privateDetail||Za(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(Pv,"readRuntimeErrorCause");function xv(e,t){let r=Ke(e);return Za(e)&&t||r.publicDetail}o(xv,"readSafeGatewayProblemDetail");ae();ae();ae();var Av=new Set(["localhost","::1"]);function jt(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(jt,"normalizeHostname");function qe(e){let t=jt(e.hostname);return e.protocol==="http:"&&(Av.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(qe,"isLoopbackHttpUrl");var am=new It("gateway-route");function im(e,t){am.set(e,t)}o(im,"setGatewayRouteContext");function vo(e){return am.get(e)}o(vo,"readGatewayRouteContext");function bn(e){let t=vo(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(bn,"requireGatewayRouteContext");var sm=new It("mcp-oauth-runtime-config");function Rn(e,t){sm.set(e,t)}o(Rn,"setMcpOAuthRuntimeConfig");function cm(e){let t=sm.get(e);if(!t)throw g("internal_server_error","MCP gateway OAuth config has not been set on the request context. An `mcp-oauth-inbound` policy (or `mcp-auth0-oauth-inbound`) must run before this handler, or the internal OAuth route wrapper must have populated the context.");return t}o(cm,"requireMcpOAuthRuntimeConfig");var bo=u.string().trim().min(1),Ro={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},kv=u.object({issuer:u.url(),jwksUrl:u.url(),audience:bo.optional()}),Tv=u.object({url:u.url(),tokenUrl:u.url().optional(),clientId:bo.optional(),clientSecret:bo.optional(),scope:bo.default("openid profile email"),audience:bo.optional(),remoteTimeoutMs:u.coerce.number().int().positive().default(1e4),stateTtlSeconds:u.coerce.number().int().positive().default(900),sessionTtlSeconds:u.coerce.number().int().positive().default(28800)}).strict(),Ev=u.object({accessTokenTtlSeconds:u.coerce.number().int().positive().default(Ro.accessTokenTtlSeconds),refreshTokenTtlSeconds:u.coerce.number().int().positive().default(Ro.refreshTokenTtlSeconds),cimdEnabled:u.boolean().default(Ro.cimdEnabled)}).strict().default(Ro),fc=u.object({oidc:kv,browserLogin:Tv,gateway:Ev.optional().default(Ro)}).strict();function um(e){return Uv(e.browserLogin.url)?"local_dev":"federated_oidc"}o(um,"readBrowserLoginKind");function Uv(e){let t;try{t=new URL(e)}catch{return!1}return qe(t)&&t.pathname==="/oauth/dev-login"}o(Uv,"isLoopbackDevLoginUrl");function dm(e){return fc.parse(e)}o(dm,"parseMcpOAuthRuntimeConfig");function Pe(){let e;try{e=cc()}catch(t){throw g("internal_server_error","MCP gateway OAuth config can only be read during a request. Wrap tests in `runWithRequestContext` and ensure MCP OAuth routes are registered through `McpGatewayPlugin`.",t)}return cm(e)}o(Pe,"getGatewayOAuthConfig");ae();var Ov=["shared-oauth","user_oauth","static_secret","user-secret","shared-secret"],$v=["none","client_secret_basic","client_secret_post"],Je=u.string().min(1).brand(),xe=u.string().min(1).brand(),We=u.string().min(1).brand(),ar=u.string().min(1).brand(),Ka=u.enum(Ov),hc=u.enum($v),Ja=u.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),gc=u.object({name:Ja,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict();ae();var W=u.string().datetime({offset:!0}).brand();function re(e){return W.parse(e.toISOString())}o(re,"toIsoTimestamp");function Dt(e,t){return new Date(e.getTime()+t*1e3)}o(Dt,"addSeconds");ae();function ie(e){return new URL(e).origin}o(ie,"readGatewayRequestOrigin");function gt(e){return ie(e)}o(gt,"readGatewayOAuthIssuer");function yc(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(yc,"truncate");function lm(e){return"cause"in e?e.cause:void 0}o(lm,"readCause");function Ye(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=yc(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=yc(r.message);let n=lm(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let i=a===1?"cause":`cause${a}`;e[`${i}Name`]=n.name,e[`${i}Message`]=yc(n.message),n=lm(n)}}o(Ye,"addErrorLogFields");function ct(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(ct,"safeHost");function pm(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(pm,"setLogProperties");function Sc(e,t){pm(e,{subjectId:t.subjectId})}o(Sc,"applyGatewayPrincipalLogProperties");function mm(e,t){pm(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(mm,"applyGatewayRouteLogProperties");ae();var zv=43,Mv=128,qv=/^[A-Za-z0-9._~-]+$/,_c="S256",Wa=u.literal(_c),Ya=u.string().min(zv).max(Mv).regex(qv);ae();var Qa=["none","client_secret_post","client_secret_basic"],Nv=[...Qa,"private_key_jwt"],jv=["awaiting_login","awaiting_setup"],Dv=u.string().min(1).brand(),Ne=u.string().min(1).brand(),Co=u.uuid().brand(),ut=u.uuid().brand(),Xa=u.uuid().brand(),wc=u.enum(Qa),Hv=u.enum(Nv),p1=u.enum(jv),fm=u.object({client_id:Ne,client_name:u.string().min(1),redirect_uris:u.array(u.string().min(1)).min(1),token_endpoint_auth_method:Hv.default("none")}),vc=u.object({clientId:Ne,clientName:u.string().min(1),redirectUris:u.array(u.string().min(1)),tokenEndpointAuthMethod:wc,hashedClientSecret:u.string().optional(),clientSecretExpiresAt:W.optional(),clientExpiresAt:W,revokedAt:W.optional(),createdAt:W}),bc=u.object({clientId:Ne,resource:u.string(),virtualServerId:xe,subjectId:Dv,scope:u.string(),roles:u.array(u.string()),createdAt:W,expiresAt:W}),m1=bc.extend({id:ut,redirectUri:u.string(),clientState:u.string().optional(),codeChallenge:u.string(),codeChallengeMethod:Wa}),Rc=bc.extend({id:Co,currentRefreshTokenHash:u.string().optional(),previousRefreshTokenHash:u.string().optional(),revokedAt:W.optional(),revokedReason:u.string().optional()}),ei=bc.extend({tokenHash:u.string(),grantId:Co,revokedAt:W.optional()});function Cc(){return ut.parse(crypto.randomUUID())}o(Cc,"createDownstreamAuthorizationTransactionId");function Ic(){return Xa.parse(crypto.randomUUID())}o(Ic,"createDownstreamBrowserLoginStateId");function hm(){return Co.parse(crypto.randomUUID())}o(hm,"createDownstreamGrantId");var Se="mcp:tools";function gm(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return qe(r)&&qe(n)&&r.pathname===n.pathname&&r.search===n.search}o(gm,"redirectUriMatchesRegistration");function ym(e){return qe(e)&&e.pathname==="/oauth/dev-login"}o(ym,"isLoopbackDevLoginUrl");function ti(e,t){return new URL(e,gt(t)).toString()}o(ti,"buildGatewayOAuthUrl");function Pc(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,ie(e.requestUrl)).toString()}o(Pc,"buildScopedAuthorizationServerIssuer");function Lv(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,ie(e.requestUrl)).toString()}o(Lv,"buildScopedAuthorizationEndpoint");function xc(e){let t=Pe();return{issuer:gt(e),authorization_endpoint:ti("/oauth/authorize",e),token_endpoint:ti("/oauth/token",e),registration_endpoint:ti("/oauth/register",e),revocation_endpoint:ti("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[Se],code_challenge_methods_supported:[_c],token_endpoint_auth_methods_supported:Qa,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":um(t)}}o(xc,"buildAuthorizationServerMetadata");function Sm(e){let t=Pc(e);return{...xc(e.requestUrl),issuer:t,authorization_endpoint:Lv(e)}}o(Sm,"buildScopedAuthorizationServerMetadata");var zr="2025-06-18";async function _m(e,t){try{let r=xe.parse(e.params.virtualServerId),n=qr(r);return Response.json(Bv(n.virtualServerId,e.url))}catch(r){let n=ge(r);return st(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(_m,"protectedResourceMetadataHandler");function Bv(e,t){return{resource:Mr(e,t),resource_name:e,authorization_servers:[Pc({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[Se],mcp_protocol_version:zr}}o(Bv,"buildProtectedResourceMetadataResponseBody");function Mr(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,ie(t)).toString()}o(Mr,"buildCanonicalMcpResourceForVirtualServer");function wm(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,ie(t)).toString()}o(wm,"buildProtectedResourceMetadataUrlForVirtualServer");var Gv=u.record(u.string(),u.unknown()),vm=u.string().min(1),Vv=u.union([vm.transform(e=>[e]),u.array(vm)]),_e=u.string().min(1).brand(),Fv=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],Zv=["https://zuplo.com/roles","roles","role","permissions","groups"],bm=new It("gateway-principal");function Kv(e){let t=Gv.safeParse(e);return t.success?t.data:{}}o(Kv,"toClaimRecord");function Jv(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(Jv,"readValidationFailureDetail");function Wv(e,t,r){for(let i of Fv){let s=_e.safeParse(t[i]);if(s.success)return s.data}let n=_e.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",Jv(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===gt(r)?n.data:_e.parse(`${a}|${n.data}`)}o(Wv,"readNormalizedSubjectId");function Yv(e){let t=new Set;for(let r of Zv){let n=Vv.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(Yv,"readRoles");function Cn(e,t){let r=Kv(e?.data),n={subjectId:Wv(e,r,t)},a=Yv(r);return a&&(n.roles=a),n}o(Cn,"parseGatewayPrincipal");function Rm(e){let t=kc(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(Rm,"requireGatewayPrincipal");function Cm(e,t){bm.set(e,t)}o(Cm,"setGatewayPrincipal");function kc(e){return bm.get(e)}o(kc,"readGatewayPrincipal");function ri(e){let r=['realm="OAuth"',`resource_metadata="${Ac(wm(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${Ac(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${Ac(e.scope)}"`),`Bearer ${r.join(", ")}`}o(ri,"buildGatewayBearerChallenge");function Ac(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(Ac,"sanitizeQuotedHeaderParameter");ae();ae();function ni(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(ni,"parseSafeRelativeReturnTo");ae();var Qv=["user","shared"],In=u.enum(Qv);function ir(e){return{mode:"user",subjectId:e}}o(ir,"buildUserUpstreamConnectionOwner");function oi(){return{mode:"shared"}}o(oi,"buildSharedUpstreamConnectionOwner");var Im=u.object({ownerMode:In,initiatedBySubjectId:_e,ownerSubjectId:_e.optional(),upstreamServerId:Je,authProfileId:We,virtualServerId:xe,returnTo:u.string().min(1).transform(e=>ni(e)).optional()});function Pm(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="shared"&&e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"Shared state must not include ownerSubjectId",path:["ownerSubjectId"]})}o(Pm,"validateUpstreamOwnerState");var Pn=Im.superRefine(Pm),xm=Im.omit({returnTo:!0}).superRefine(Pm);function Io(e){return Pn.parse({ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(Io,"buildUpstreamOwnerState");function xn(e){if(e.ownerMode==="shared")return oi();if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");return ir(e.ownerSubjectId)}o(xn,"resolveUpstreamConnectionOwnerFromState");var Xv=["active","not_connected","reconsent_required"],eb=["basic_auth_app_password","bearer_token"],Am=u.string().trim().min(1).brand(),An=u.uuid().brand(),Po=u.uuid().brand(),Tc=u.enum(Xv),tb=u.enum(eb),km=u.object({encryptedClientInformation:u.string().optional(),encryptedDiscoveryState:u.string().optional(),connectedBySubjectId:_e.optional()}),rb=km.extend({encryptedStaticSecret:u.string().optional(),staticSecretKind:tb.optional(),staticSecretLabel:u.string().min(1).optional(),staticSecretUsername:u.string().min(1).optional()}).strict(),nb=u.object({id:Am,subjectId:_e.optional(),ownerMode:In,upstreamServerId:Je,authProfileId:We,status:Tc,encryptedAccessToken:u.string().min(1).optional(),encryptedRefreshToken:u.string().min(1).optional(),scopes:u.array(u.string()),expiresAt:W.optional(),metadata:rb.optional(),createdAt:W,updatedAt:W});function Ec(e,t){e.ownerMode==="user"&&(e.subjectId||t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="shared"&&e.subjectId!==void 0&&t.addIssue({code:u.ZodIssueCode.custom,message:"Shared upstream connections must not include subjectId",path:["subjectId"]})}o(Ec,"validateUpstreamConnectionOwnerShape");var kn=nb.superRefine(Ec);function Nr(e){return JSON.stringify([e.owner.mode,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}o(Nr,"readUpstreamConnectionLookupKey");var Uc=Pn.extend({id:An,callbackPath:u.string().min(1),expiresAt:W,codeVerifier:u.string().optional(),redirectUri:u.url(),returnOrigin:u.url().optional()}).extend(km.shape);function Tm(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o(Tm,"readUpstreamConnectionStatus");function ai(){return Am.parse(`mcpgw2uc_${crypto.randomUUID()}`)}o(ai,"createUpstreamConnectionId");function Em(){return An.parse(crypto.randomUUID())}o(Em,"createOAuthStateId");function Um(){return Po.parse(crypto.randomUUID())}o(Um,"createBrowserConnectTicketId");ae();var $c=u.discriminatedUnion("mode",[u.object({mode:u.literal("user"),subjectId:_e}).strict(),u.object({mode:u.literal("shared")}).strict()]),$m=u.object({owner:$c,upstreamServerId:Je,authProfileId:We}).strict(),zm=u.object({items:u.array($m).min(1).max(100)}).strict(),zc=u.object({items:u.array(u.object({key:u.object({ownerMode:In,subjectId:_e.optional(),upstreamServerId:Je,authProfileId:We}).strict(),connection:kn.strict().optional()}).strict())}).strict(),Mm=kn.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(Ec),qm=kn.strict(),Nm=u.object({owner:$c,upstreamServerId:Je,authProfileId:We}).strict(),jm=u.object({owner:$c,upstreamServerId:Je,authProfileId:We,connection:kn.strict().optional(),connectionStatus:u.object({connected:u.boolean(),status:Tc,updatedAt:kn.shape.updatedAt.optional()}).strict()}).strict(),ob=u.enum(["none","client_secret_basic","client_secret_post"]),jr=u.object({clientId:Ne,clientName:u.string().min(1),tokenEndpointAuthMethod:ob}).strict(),Mc=u.discriminatedUnion("method",[u.object({method:u.literal("none"),clientId:Ne}).strict(),u.object({method:u.enum(["client_secret_basic","client_secret_post"]),clientId:Ne,clientSecretHashInput:u.string().min(1)}).strict()]),qc=u.object({id:ut,currentStateHash:u.string().min(1),clientId:Ne,redirectUri:u.string().min(1),resource:u.string().min(1),virtualServerId:xe,clientState:u.string().optional(),scope:u.string(),codeChallenge:u.string().min(1),codeChallengeMethod:u.literal("S256"),createdAt:W,expiresAt:W,consumedAt:W.optional()}).strict(),Om=qc.omit({id:!0,consumedAt:!0}).extend({transactionId:ut,client:jr.optional()}).strict(),Nc=u.object({subjectId:_e,roles:u.array(u.string()).optional()}).strict(),ab=qc.extend({phase:u.literal("awaiting_login")}).strict(),Oc=qc.extend({phase:u.literal("awaiting_setup"),principal:Nc}).strict(),ib=u.discriminatedUnion("phase",[ab,Oc]),jc=u.object({transaction:ib,client:jr}).strict(),Dm=vc.omit({revokedAt:!0}).strict(),Hm=u.discriminatedUnion("kind",[u.object({kind:u.literal("registered"),client:jr}).strict(),u.object({kind:u.literal("already_exists")}).strict()]),Lm=u.object({clientId:Ne}).strict(),Bm=u.discriminatedUnion("kind",[u.object({kind:u.literal("found"),client:vc.strict()}).strict(),u.object({kind:u.literal("missing")}).strict()]),Gm=u.discriminatedUnion("phase",[Om.extend({phase:u.literal("awaiting_login")}).strict(),Om.extend({phase:u.literal("awaiting_setup"),principal:Nc}).strict()]),Vm=u.discriminatedUnion("kind",[jc.extend({kind:u.literal("started")}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("redirect_uri_mismatch")}).strict(),u.object({kind:u.literal("already_exists")}).strict()]),Fm=u.object({transactionId:ut,currentStateHash:u.string().min(1),now:W}).strict(),Zm=u.discriminatedUnion("kind",[jc.extend({kind:u.literal("available")}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Km=u.object({transactionId:ut,expectedPhase:u.literal("awaiting_login"),currentStateHash:u.string().min(1),nextStateHash:u.string().min(1),nextPhase:u.literal("awaiting_setup"),principal:Nc,now:W}).strict(),Jm=u.discriminatedUnion("kind",[jc.extend({kind:u.literal("advanced")}).strict(),u.object({kind:u.literal("wrong_phase"),current:u.enum(["awaiting_login","awaiting_setup"])}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Wm=u.discriminatedUnion("decision",[u.object({decision:u.literal("approve"),transactionId:ut,currentStateHash:u.string().min(1),currentPrincipal:u.object({subjectId:_e}).strict(),authorizationCodeHash:u.string().min(1),authorizationCodeExpiresAt:W,grantId:Co,now:W}).strict(),u.object({decision:u.literal("cancel"),transactionId:ut,currentStateHash:u.string().min(1),currentPrincipal:u.object({subjectId:_e}).strict(),now:W}).strict()]),Ym=u.discriminatedUnion("kind",[u.object({kind:u.literal("approved"),transaction:Oc,client:jr}).strict(),u.object({kind:u.literal("cancelled"),transaction:Oc,client:jr}).strict(),u.object({kind:u.literal("principal_mismatch")}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed_already")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Qm=u.object({clientAuth:Mc,codeHash:u.string().min(1),redirectUri:u.string().min(1),resource:u.string().min(1).optional(),codeChallenge:u.string().min(1),currentRefreshTokenHash:u.string().min(1),accessTokenHash:u.string().min(1),grantExpiresAt:W,accessTokenExpiresAt:W,now:W}).strict(),Xm=u.discriminatedUnion("kind",[u.object({kind:u.literal("exchanged"),client:jr,grant:Rc.strict()}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("binding_mismatch")}).strict()]),ef=u.object({clientAuth:Mc,currentRefreshTokenHash:u.string().min(1),nextRefreshTokenHash:u.string().min(1),accessTokenHash:u.string().min(1),resource:u.string().min(1).optional(),accessTokenExpiresAt:W,now:W}).strict(),tf=u.discriminatedUnion("kind",[u.object({kind:u.literal("rotated"),client:jr,grant:Rc.strict(),accessToken:ei.strict(),matched:u.literal("current")}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("revoked")}).strict()]),rf=u.object({clientAuth:Mc,tokenHash:u.string().min(1),now:W}).strict(),nf=u.discriminatedUnion("kind",[u.object({kind:u.literal("revoked_access_token")}).strict(),u.object({kind:u.literal("revoked_grant")}).strict(),u.object({kind:u.literal("client_mismatch")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("invalid_client")}).strict()]),of=u.object({tokenHash:u.string().min(1),now:W}).strict(),af=u.discriminatedUnion("kind",[u.object({kind:u.literal("valid"),record:ei.strict()}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("revoked")}).strict()]),sf=u.object({accessTokenHash:u.string().min(1),resource:u.string().min(1),virtualServerId:xe,upstreamConnectionKeys:u.array($m).max(100),now:W}).strict(),cf=u.discriminatedUnion("kind",[u.object({kind:u.literal("authorized"),principal:u.object({subjectId:_e,roles:u.array(u.string())}).strict(),accessToken:ei.strict(),upstreamConnections:zc.shape.items}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("revoked")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("principal_mismatch")}).strict()]),uf=u.object({record:Uc}).strict(),df=u.object({kind:u.literal("saved")}).strict(),lf=u.object({id:An,now:W}).strict(),pf=u.discriminatedUnion("kind",[u.object({kind:u.literal("available"),record:Uc}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("missing")}).strict()]),mf=u.object({id:Po,expiresAt:W,now:W}).strict(),ff=u.discriminatedUnion("kind",[u.object({kind:u.literal("available")}).strict(),u.object({kind:u.literal("consumed")}).strict()]);var hf=100,sb=new Set(["undefined","null","nan"]);function gf(e){return e!==null&&typeof e=="object"}o(gf,"isProblemDetailsShape");var cb="/zups/v2/mcp/storage";function Ae(e){return`${cb}/${e}`}o(Ae,"buildStoragePath");function ub(){return Ae("upstream-connections/batch-get")}o(ub,"buildBatchGetUpstreamConnectionsPath");function db(){return Ae("upstream-connections/upsert")}o(db,"buildUpsertUpstreamConnectionPath");function lb(){return Ae("authorization/read-setup")}o(lb,"buildReadAuthorizationSetupPath");function pb(){return Ae("oauth/register-client")}o(pb,"buildRegisterClientPath");function mb(){return Ae("oauth/read-client")}o(mb,"buildReadClientPath");function fb(){return Ae("authorization/start")}o(fb,"buildStartAuthorizationPath");function hb(){return Ae("authorization/read-pending")}o(hb,"buildReadPendingAuthorizationPath");function gb(){return Ae("authorization/advance-pending")}o(gb,"buildAdvancePendingAuthorizationPath");function yb(){return Ae("authorization/decide-setup")}o(yb,"buildDecideAuthorizationSetupPath");function Sb(){return Ae("token/exchange-authorization-code")}o(Sb,"buildExchangeAuthorizationCodePath");function _b(){return Ae("token/refresh")}o(_b,"buildRefreshTokenPath");function wb(){return Ae("token/revoke")}o(wb,"buildRevokeOAuthTokenPath");function vb(){return Ae("token/validate-access-token")}o(vb,"buildValidateAccessTokenPath");function bb(){return Ae("mcp/authorize-and-load-connections")}o(bb,"buildAuthorizeAndLoadConnectionsPath");function Rb(){return Ae("upstream-oauth-state/save")}o(Rb,"buildSaveUpstreamOAuthStatePath");function Cb(){return Ae("upstream-oauth-state/consume")}o(Cb,"buildConsumeUpstreamOAuthStatePath");function Ib(){return Ae("browser-connect-ticket/consume")}o(Ib,"buildConsumeBrowserConnectTicketPath");function Pb(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(Pb,"responseKeyMatchesLookup");function xb(e,t){return e.owner.mode===t.owner.mode&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(xb,"authorizationSetupMatchesLookup");function _f(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(_f,"connectionMatchesLookup");function Ab(e,t){return e.ownerMode===t.ownerMode&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&Hc(e.scopes,t.scopes)&&Dc(e.expiresAt,t.expiresAt)&&Tb(e.metadata,t.metadata)}o(Ab,"connectionMatchesUpsertRecord");function Dc(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}o(Dc,"optionalTimestampInstantsMatch");function kb(e,t){return Date.parse(e)<=Date.parse(t)}o(kb,"timestampInstantIsAtOrBefore");function Hc(e,t){return e.length===t.length&&e.every((r,n)=>r===t[n])}o(Hc,"stringArraysMatch");function Tb(e,t){let r=yf(e),n=yf(t),a=Object.fromEntries(n);return r.length===n.length&&r.every(([i,s])=>a[i]===s)}o(Tb,"metadataMatches");function yf(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}o(yf,"definedMetadataEntries");function ve(e,t){throw g({code:"internal_server_error",privateDetail:e,cause:t})}o(ve,"throwInvalidStorageResponse");async function Eb(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){ve("Gateway Service storage response did not match the runtime storage contract.",r)}}o(Eb,"parseRuntimeHttpStorageResponse");function wf(e,t){e.length!==t.length&&ve("Gateway Service storage response item count did not match the request.");for(let[r,n]of e.entries()){let a=t[r];Pb(n.key,a)||ve("Gateway Service storage response key did not match the request."),n.connection!==void 0&&!_f(n.connection,a)&&ve("Gateway Service storage response connection did not match the response key.")}}o(wf,"validateUpstreamConnectionItemsMatchLookups");function Ub(e,t){xb(e,t)||ve("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!_f(e.connection,t)&&ve("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",n=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==n||!Dc(e.connectionStatus.updatedAt,a))&&ve("Gateway Service storage response authorization setup status did not match the connection.")}o(Ub,"validateAuthorizationSetupResponseMatchesLookup");function Ob(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&ve("Gateway Service storage response registered client did not match the request.")}o(Ob,"validateRegisterClientResponseMatchesRequest");function $b(e,t){e.kind==="found"&&e.client.clientId!==t.clientId&&ve("Gateway Service storage response client did not match the request.")}o($b,"validateReadClientResponseMatchesRequest");function zb(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.virtualServerId!==t.virtualServerId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&ve("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&ve("Gateway Service storage response started authorization principal did not match the request."))}o(zb,"validateStartAuthorizationResponseMatchesRequest");function Sf(e,t){e.kind!=="available"&&e.kind!=="advanced"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&ve("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&ve("Gateway Service storage response advanced authorization did not match the request."))}o(Sf,"validatePendingAuthorizationResponseMatchesRequest");function Mb(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&ve("Gateway Service storage response authorization setup transaction did not match the request.")}o(Mb,"validateAuthorizationSetupDecisionResponseMatchesRequest");function qb(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!Dc(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&ve("Gateway Service storage response authorization-code exchange did not match the request.")}o(qb,"validateExchangeAuthorizationCodeResponseMatchesRequest");function Nb(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&ve("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!kb(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!Hb(e.accessToken,e.grant))&&ve("Gateway Service storage response token refresh access token did not match the request."))}o(Nb,"validateRefreshTokenResponseMatchesRequest");function jb(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&ve("Gateway Service storage response access token did not match the request.")}o(jb,"validateAccessTokenValidationResponseMatchesRequest");function Db(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.virtualServerId!==t.virtualServerId||e.principal.subjectId!==e.accessToken.subjectId||!Hc(e.principal.roles,e.accessToken.roles))&&ve("Gateway Service storage response MCP authorization did not match the request."),wf(e.upstreamConnections,t.upstreamConnectionKeys))}o(Db,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function Hb(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.virtualServerId===t.virtualServerId&&e.subjectId===t.subjectId&&e.scope===t.scope&&Hc(e.roles,t.roles)}o(Hb,"accessTokenMatchesGrant");async function Lb(e){try{return await e.clone().json()}catch{return}}o(Lb,"readProblemDetails");async function Bb(e){let t=await Lb(e),r=gf(t)&&typeof t.status=="number"?t.status:e.status,n=gf(t)&&wo(t.code)?t.code:rm(r);throw g({code:n,privateDetail:`Gateway Service storage request failed with HTTP ${r}.`})}o(Bb,"throwRuntimeHttpStorageError");var ii=class{static{o(this,"RuntimeHttpStorageClient")}#t;#r;constructor(t){this.#t=t.baseUrl??So.instance.zuploEdgeApiUrl,this.#r=t.fetch??fetch}#n(t){let r;try{r=new URL(t,this.#t)}catch(n){throw g("internal_server_error",`Gateway Service storage base URL is not a valid URL. Got ${JSON.stringify(this.#t)}. Verify the gateway runtime configuration.`,n)}if(r.protocol!=="https:"&&r.protocol!=="http:")throw g("internal_server_error",`Gateway Service storage base URL must use http(s); got protocol "${r.protocol}" from ${JSON.stringify(this.#t)}.`);if(!r.hostname||sb.has(r.hostname))throw g("internal_server_error",`Gateway Service storage base URL has an invalid hostname "${r.hostname}" (parsed from ${JSON.stringify(this.#t)}). The configured value is likely coerced from an unset environment variable.`);return r}async#e(t){let r=t.requestSchema.parse(t.input),n=this.#n(t.path),a=new Headers({"Content-Type":"application/json"});Vp(a);let i=await this.#r(n,{method:"POST",headers:a,body:JSON.stringify(r)});return i.ok||await Bb(i),{request:r,response:await Eb(i,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],n=new Map,a=t.map(s=>{let c=Nr(s),d=n.get(c);if(d!==void 0)return d;let p=r.length;return r.push(s),n.set(c,p),p}),i=[];for(let s=0;s<r.length;s+=hf){let c=r.slice(s,s+hf);i.push(...await this.#o(c))}return a.map(s=>i[s])}async upsertUpstreamConnection(t){let{request:r,response:n}=await this.#e({input:t,path:db(),requestSchema:Mm,responseSchema:qm});return Ab(n,r)||ve("Gateway Service storage response connection did not match the request."),n}async readAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:lb(),requestSchema:Nm,responseSchema:jm});return Ub(n,r),n}async registerClient(t){let{request:r,response:n}=await this.#e({input:t,path:pb(),requestSchema:Dm,responseSchema:Hm});return Ob(n,r),n}async readClient(t){let{request:r,response:n}=await this.#e({input:t,path:mb(),requestSchema:Lm,responseSchema:Bm});return $b(n,r),n}async startAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:fb(),requestSchema:Gm,responseSchema:Vm});return zb(n,r),n}async readPendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:hb(),requestSchema:Fm,responseSchema:Zm});return Sf(n,r),n}async advancePendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:gb(),requestSchema:Km,responseSchema:Jm});return Sf(n,r),n}async decideAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:yb(),requestSchema:Wm,responseSchema:Ym});return Mb(n,r),n}async saveUpstreamOAuthState(t){let{response:r}=await this.#e({input:t,path:Rb(),requestSchema:uf,responseSchema:df});return r}async consumeUpstreamOAuthState(t){let{request:r,response:n}=await this.#e({input:t,path:Cb(),requestSchema:lf,responseSchema:pf});return n.kind==="available"&&n.record.id!==r.id&&ve("Gateway Service storage response upstream OAuth state did not match the request."),n}async consumeBrowserConnectTicket(t){let{response:r}=await this.#e({input:t,path:Ib(),requestSchema:mf,responseSchema:ff});return r}async exchangeAuthorizationCode(t){let{request:r,response:n}=await this.#e({input:t,path:Sb(),requestSchema:Qm,responseSchema:Xm});return qb(n,r),n}async refreshToken(t){let{request:r,response:n}=await this.#e({input:t,path:_b(),requestSchema:ef,responseSchema:tf});return Nb(n,r),n}async revokeOAuthToken(t){let{response:r}=await this.#e({input:t,path:wb(),requestSchema:rf,responseSchema:nf});return r}async validateAccessToken(t){let{request:r,response:n}=await this.#e({input:t,path:vb(),requestSchema:of,responseSchema:af});return jb(n,r),n}async authorizeAndLoadConnections(t){let{request:r,response:n}=await this.#e({input:t,path:bb(),requestSchema:sf,responseSchema:cf});return Db(n,r),n}async#o(t){let r={items:[...t]},{response:n}=await this.#e({input:r,path:ub(),requestSchema:zm,responseSchema:zc});return wf(n.items,t),n.items.map(a=>a.connection)}};var Gb="__zuploMcpGatewayStorageBackend",Lc;function Vb(){return new ii({})}o(Vb,"buildProductionStorageBackend");function K(){let e=globalThis[Gb];return e||(Lc||(Lc=Vb()),Lc)}o(K,"getStorage");import{base64url as Bc}from"jose";var Fb="sha256:",Zb=32;function vf(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(vf,"copyToArrayBuffer");function Ht(){let e=crypto.getRandomValues(new Uint8Array(Zb));return Bc.encode(e)}o(Ht,"createOpaqueToken");async function le(e){let t=await crypto.subtle.digest("SHA-256",vf(new TextEncoder().encode(e)));return`${Fb}${Bc.encode(new Uint8Array(t))}`}o(le,"hashOpaqueValue");async function bf(e){let t=await crypto.subtle.digest("SHA-256",vf(new TextEncoder().encode(e)));return Bc.encode(new Uint8Array(t))}o(bf,"calculatePkceS256Challenge");function Gc(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(Gc,"readBearerToken");function Kb(e,t,r){return st(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(Kb,"gatewayAuthenticationRequiredResponse");async function Jb(e,t,r){let n=await K().validateAccessToken({tokenHash:await le(e),now:re(new Date)});if(n.kind!=="valid")throw t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed"),g("authentication_required","Gateway access token is expired, revoked, or invalid.");return n.record}o(Jb,"validateGatewayAccessToken");function Wb(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(Wb,"assertAccessTokenResource");function Yb(e,t,r){return st(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":ri({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${Se} scope required by this MCP resource.`,scope:Se})}})}o(Yb,"insufficientScopeResponse");function Qb(e){return{subjectId:e.subjectId,roles:e.roles}}o(Qb,"principalFromAccessToken");function Xb(e){let t=ge(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),st(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":ri({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(Xb,"gatewayTokenRejectedResponse");async function Vc(e,t){let r=bn(t),n=Mr(r.virtualServerId,e.url),a=Gc(e),i=ri({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),Kb(e,t,i);try{let s=await Jb(a,t,r.virtualServerId);if(Wb({accessToken:s,resource:n,virtualServerId:r.virtualServerId},t),s.scope!==Se)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:s.scope,requiredScope:Se,virtualServerId:r.virtualServerId,clientId:s.clientId},"Gateway access token does not have the required MCP scope"),Yb(e,t,r.virtualServerId);let c=Qb(s);return Cm(t,c),Sc(t,c),e}catch(s){return Xb({request:e,context:t,error:s,virtualServerId:r.virtualServerId})}}o(Vc,"gatewayTokenInbound");var eR=2,Rf=4,tR=24,rR=16,Cf=512,nR=/(token|secret|authorization|password|cookie|credential|client[_-]?secret|code[_-]?verifier|(^|[_-])(code|state|verifier)($|[_-]))/i,oR=/("(?:access_token|refresh_token|id_token|client_secret|authorization|password|cookie|code|state|code_verifier)"\s*:\s*")([^"]*)(")/gi,aR=/\b(access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|cookie|code|state|code[_-]?verifier)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|[^\s,;&]+)/gi,iR=/\b(authorization)(\s*[:=]\s*)(?:"[^"]*"|'[^']*'|(?:Bearer|Basic)\s+[^\s,;]+|[^\s,;]+)/gi,sR=/\bBearer\s+[A-Za-z0-9._~+/=-]+/gi,cR=/\bBasic\s+[A-Za-z0-9+/=-]+/gi;function If(e){let t=e.route;return t&&typeof t=="object"?t:void 0}o(If,"readRoute");function uR(e){let t=If(e)?.path;return typeof t=="string"&&t.length>0?t:void 0}o(uR,"readRoutePath");function dR(e){let t=If(e)?.raw;if(typeof t!="function")return;let r=t();if(!r||typeof r!="object")return;let n=r.operationId;return typeof n=="string"&&n.length>0?n:void 0}o(dR,"readRouteOperationId");function lR(e){if(!(e===void 0||!Number.isFinite(e)||e<100))return`${Math.trunc(e/100)}xx`}o(lR,"deriveStatusClass");function pR(e,t){if(!(!e&&!t))return e==="user"?t==="user_oauth"?"upstream_user_attributed":"gateway_user_attributed_only":e==="shared"?"shared_upstream_identity":e==="none"?"machine_identity":"unknown"}o(pR,"deriveOriginAttributionMode");function mR(e){if(!e)return;let t=e.toLowerCase();return t.includes("desktop")||t.includes("claude")||t.includes("chatgpt")?"desktop":t.includes("vscode")||t.includes("cursor")||t.includes("zed")||t.includes("jetbrains")||t.includes("ide")?"ide":t.includes("extension")?"extension":t.includes("agent")||t.includes("bot")||t.includes("worker")||t.includes("service")?"service":"unknown"}o(mR,"deriveClientKind");function fR(e,t){return t==="success"?"none":e===Z.MCP_GATEWAY_REQUEST_RECEIVED||e===Z.MCP_GATEWAY_REQUEST_REJECTED||e===Z.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"ingress":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===Z.MCP_GATEWAY_INITIALIZE_NEGOTIATED?"routing":e===Z.MCP_GATEWAY_POLICY_DECISION?"policy":e===Z.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===Z.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e.startsWith("mcp_gateway_capability_")||e.startsWith("mcp_gateway_catalog_")?"upstream":e===Z.MCP_GATEWAY_REQUEST_COMPLETED?"egress":"none"}o(fR,"deriveFailureStage");function hR(e,t){return t==="success"?"none":t==="application_error"?"mcp_application":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===Z.MCP_GATEWAY_POLICY_DECISION||e===Z.MCP_GATEWAY_GUARDRAIL_DECISION||e===Z.MCP_GATEWAY_RATE_LIMIT_DECISION?"policy":e.startsWith("mcp_gateway_upstream_")||e===Z.MCP_GATEWAY_CAPABILITY_FAILED||e===Z.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED?"upstream":e===Z.MCP_GATEWAY_REQUEST_REJECTED||e===Z.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR?"client":"gateway"}o(hR,"deriveFailureOrigin");function gR(e,t){return t==="success"?"none":e.startsWith("mcp_gateway_auth_")||e.startsWith("mcp_gateway_oauth_")?"auth":e===Z.MCP_GATEWAY_POLICY_DECISION?"policy":e===Z.MCP_GATEWAY_GUARDRAIL_DECISION?"guardrail":e===Z.MCP_GATEWAY_RATE_LIMIT_DECISION?"rate_limit":e.startsWith("mcp_gateway_upstream_")?"upstream":e===Z.MCP_GATEWAY_CLIENT_UNSUPPORTED_BEHAVIOR||e===Z.MCP_GATEWAY_REQUEST_REJECTED?"protocol":"none"}o(gR,"deriveReasonClass");function yR(e){return e.length<=Cf?e:`${e.slice(0,Cf)}...`}o(yR,"truncateAnalyticsString");function SR(e){return yR(e.replace(oR,"$1[REDACTED]$3").replace(iR,"$1$2[REDACTED]").replace(aR,"$1$2[REDACTED]").replace(sR,"Bearer [REDACTED]").replace(cR,"Basic [REDACTED]"))}o(SR,"redactAnalyticsString");function Pf(e,t){if(e!==void 0){if(e===null||typeof e=="boolean")return e;if(typeof e=="string")return SR(e);if(typeof e=="number")return Number.isFinite(e)?e:void 0;if(Array.isArray(e))return t>=Rf?"[DEPTH_LIMIT]":e.slice(0,rR).map(r=>Pf(r,t+1)).filter(r=>r!==void 0);if(typeof e=="object")return e instanceof Date?e.toISOString():t>=Rf?"[DEPTH_LIMIT]":xf(e,t+1)}}o(Pf,"sanitizeAnalyticsValue");function xf(e,t=0){if(!e)return;let r={};for(let[n,a]of Object.entries(e).slice(0,tR)){if(nR.test(n)){r[n]="[REDACTED]";continue}let i=Pf(a,t);i!==void 0&&(r[n]=i)}return Object.keys(r).length===0?void 0:r}o(xf,"sanitizeMcpGatewayAnalyticsAttributes");function z(e){return e===void 0?null:e}o(z,"nullable");function _R(e){let t=e.environment;return t&&typeof t=="object"&&typeof t.name=="string"?t.name:null}o(_R,"readEnvironment");function wR(e){let t=e.requestId;return typeof t=="string"&&t.length>0?t:null}o(wR,"readRequestId");function vR(e){if(e===void 0)return null;try{return JSON.stringify(e)}catch{return null}}o(vR,"attributesToJsonString");function bR(e,t){let r=kc(e),n=vo(e),a=xf(t.attributes),i=wR(e),s=t.ownerMode??t.routeBinding?.ownerMode??null,c=t.upstreamAuthMode??t.routeBinding?.authMode??null,d=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId??null,p=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId??null,l=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName??null,m=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId??null,h=t.clientKind??mR(t.clientName)??null,y=pR(s??void 0,c??void 0)??null,_=lR(t.httpStatusCode)??null,S=t.reasonClass??gR(t.eventType,t.outcome),w=t.failureOrigin??hR(t.eventType,t.outcome),v=t.failureStage??fR(t.eventType,t.outcome);return{schemaVersion:eR,outcome:t.outcome,subjectId:z(r?.subjectId),environment:_R(e),traceId:t.traceId??i,spanId:z(t.spanId),parentEventId:z(t.parentEventId),mcpSessionId:z(t.mcpSessionId),routeSurface:z(t.routeSurface),routePath:uR(e)??null,operationId:dR(e)??null,virtualServerName:d,virtualServerTitle:z(t.virtualServerTitle),upstreamServerName:p,upstreamServerTitle:l,upstreamBindingId:z(t.upstreamBindingId),clientName:z(t.clientName),clientTitle:z(t.clientTitle),clientVersion:z(t.clientVersion),clientKind:h,authProfileId:m,upstreamAuthMode:c,ownerMode:s,authMethod:z(t.authMethod),originAttributionMode:y,httpMethod:z(t.httpMethod),httpStatusCode:z(t.httpStatusCode),statusClass:_,mcpMethod:z(t.mcpMethod),mcpProtocolVersion:z(t.mcpProtocolVersion),mcpStatus:z(t.mcpStatus),mcpErrorType:z(t.mcpErrorType),applicationError:z(t.applicationError),applicationErrorCode:z(t.applicationErrorCode),toolResultIsError:z(t.toolResultIsError),capabilityType:z(t.capabilityType),capabilityName:z(t.capabilityName),capabilityTitle:z(t.capabilityTitle),upstreamCapabilityName:z(t.upstreamCapabilityName),upstreamCapabilityTitle:z(t.upstreamCapabilityTitle),capabilitySchemaHash:z(t.capabilitySchemaHash),policyId:z(t.policyId),policyAction:z(t.policyAction),guardrailType:z(t.guardrailType),guardrailDirection:z(t.guardrailDirection),guardrailFindingCount:z(t.guardrailFindingCount),redactionCount:z(t.redactionCount),requestMutated:z(t.requestMutated),responseMutated:z(t.responseMutated),latencyMs:z(t.latencyMs),gatewayLatencyMs:z(t.gatewayLatencyMs),upstreamLatencyMs:z(t.upstreamLatencyMs),authLatencyMs:z(t.authLatencyMs),policyLatencyMs:z(t.policyLatencyMs),requestBytes:z(t.requestBytes),responseBytes:z(t.responseBytes),estimatedInputTokens:z(t.estimatedInputTokens),estimatedOutputTokens:z(t.estimatedOutputTokens),estimatedContextTokens:z(t.estimatedContextTokens),contextPressureBucket:z(t.contextPressureBucket),responseMimeTypes:z(t.responseMimeTypes),base64Suspected:z(t.base64Suspected),truncated:z(t.truncated),isLargePayloadRequest:z(t.isLargePayloadRequest),isLargePayloadResponse:z(t.isLargePayloadResponse),payloadCaptureMode:z(t.payloadCaptureMode),reasonCode:z(t.reasonCode),reasonClass:S,errorType:t.errorType??t.reasonCode??null,failureOrigin:w,failureStage:v,customMetadataJson:z(t.customMetadataJson),attributesJson:vR(a)}}o(bR,"buildMcpGatewayAnalyticsMetadata");function Qe(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,bR(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_gateway_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(Qe,"emitMcpGatewayAnalyticsEvent");var Tn={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},RR="oauth-protected-resource-metadata",CR="/.well-known/oauth-protected-resource/";function IR(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(IR,"readRouteOperationId");function PR(e){return e.hasGatewayRouteContext?Tn.VIRTUAL_MCP_SERVER:e.routeOperationId===RR||e.routeOperationId===void 0&&e.routePath.startsWith(CR)?Tn.OAUTH_PROTECTED_RESOURCE_METADATA:Tn.OTHER}o(PR,"classifyAnalyticsRouteSurface");function xR(e){let t=e.route.path;return{routePath:t,routeSurface:PR({routePath:t,routeOperationId:IR(e),hasGatewayRouteContext:vo(e)!==void 0})}}o(xR,"readAnalyticsRequestContext");function AR(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Tn.VIRTUAL_MCP_SERVER}o(AR,"isIntentionalMethodRejection");function kR(e){return AR(e)||e.response.status===401&&e.routeSurface===Tn.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o(kR,"classifyRequestCompletedOutcome");async function Fc(e,t){let r=Date.now(),n=xR(t);return t.addResponseSendingFinalHook(a=>{let i=kR({response:a,routeSurface:n.routeSurface});Qe(t,{eventType:Z.MCP_GATEWAY_REQUEST_COMPLETED,outcome:i,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(Fc,"analyticsContextInbound");function TR(e){return e instanceof Response}o(TR,"isResponse");var Af="/mcp/";function ER(e){let t=e.route.path;if(!t.startsWith(Af))throw new ue(`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(Af.length);if(!r||r.includes("/"))throw new ue(`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(ER,"readVirtualServerIdFromRoute");async function xo(e,t){let n={virtualServerId:xe.parse(ER(t))};im(t,n),mm(t,n);let a=await Fc(e,t);return TR(a)?a:Vc(a,t)}o(xo,"mcpOAuthInboundPolicy");function si(e,t,r){let n=e.safeParse(t);if(n.success)return n.data;throw new ue(`${r} is misconfigured. Validation failed:
-${UR(n.error)}`,{cause:n.error})}o(si,"parseConfigOrThrow");function UR(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
-`)}o(UR,"formatZodIssues");var OR=u.string({error:"auth0Domain is required and must be a string"}).trim().min(1,"auth0Domain is required (commonly set via $env(AUTH0_DOMAIN))").refine(e=>!/[:/]/.test(e),{message:'auth0Domain must be a bare hostname (e.g. "tenant.us.auth0.com"); drop the "https://" prefix and any trailing path'}).refine(e=>e.includes("."),{message:'auth0Domain must be a fully-qualified domain name with at least one dot (e.g. "tenant.us.auth0.com"). If the value looks like "undefined" or is empty, the configured environment variable is likely unset.'}),$R=u.object({auth0Domain:OR,audience:u.string().trim().min(1).optional(),clientId:u.string({error:"clientId is required and must be a string"}).trim().min(1,"clientId is required (commonly set via $env(AUTH0_CLIENT_ID))"),clientSecret:u.string().trim().min(1).optional(),scope:u.string().trim().min(1).optional(),gateway:u.object({accessTokenTtlSeconds:u.number().int().positive().optional(),refreshTokenTtlSeconds:u.number().int().positive().optional(),cimdEnabled:u.boolean().optional()}).strict().optional(),browserLoginOverrides:u.object({remoteTimeoutMs:u.number().int().positive().optional(),stateTtlSeconds:u.number().int().positive().optional(),sessionTtlSeconds:u.number().int().positive().optional()}).strict().optional()}).strict(),Zc=class extends wn{static{o(this,"McpAuth0OAuthInboundPolicy")}#t;constructor(t,r){let n=kf(t,r);super(n,r),this.#t=Ef(n,r)}async handler(t,r){return Ct("policy.inbound.mcp-auth0-oauth"),Rn(r,this.#t),xo(t,r)}};function kf(e,t){return si($R,e,`MCP Auth0 OAuth policy "${t}"`)}o(kf,"parseAuth0OAuthOptions");function Tf(e,t="mcp-auth0-oauth-inbound"){let r=kf(e,t);return Ef(r,t)}o(Tf,"auth0OptionsToMcpOAuthRuntimeConfig");function Ef(e,t){let r=`https://${e.auth0Domain}/`,n=`https://${e.auth0Domain}/.well-known/jwks.json`,a=`https://${e.auth0Domain}/authorize`,i=`https://${e.auth0Domain}/oauth/token`;try{return dm({oidc:{issuer:r,jwksUrl:n,...e.audience===void 0?{}:{audience:e.audience}},browserLogin:{url:a,tokenUrl:i,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",...e.audience===void 0?{}:{audience:e.audience},...e.browserLoginOverrides??{}},gateway:e.gateway})}catch(s){let c=s instanceof Error?` Validation failed: ${s.message}`:"";throw new ue(`MCP Auth0 OAuth policy "${t}" is misconfigured. Check the policy options in policies.json.${c}`,s instanceof Error?{cause:s}:void 0)}}o(Ef,"buildAuth0McpOAuthRuntimeConfig");var Kc=class extends wn{static{o(this,"McpOAuthInboundPolicy")}#t;constructor(t,r){let n=Jc(t,r);super(n,r),this.#t=n}async handler(t,r){return Ct("policy.inbound.mcp-oauth"),Rn(r,this.#t),xo(t,r)}};function Jc(e,t="mcp-oauth-inbound"){return si(fc,e,`MCP OAuth policy "${t}"`)}o(Jc,"mcpOAuthOptionsToRuntimeConfig");var Wc=["mcp-oauth-inbound","mcp-auth0-oauth-inbound"];function zR(e,t){switch(e){case"mcp-oauth-inbound":return Jc(t);case"mcp-auth0-oauth-inbound":return Tf(t);default:return}}o(zR,"parseMcpOAuthPolicyConfig");function Ao(e){return e!==void 0&&Wc.some(t=>t===e)}o(Ao,"isMcpOAuthInboundPolicyType");function Uf(e){if(e){for(let t of e)if(Ao(t.policyType))try{let r=zR(t.policyType,t.handler.options);if(!r)throw new ue(`MCP gateway: policy '${t.name}' has unsupported MCP OAuth policy type '${t.policyType}'.`);return{policyName:t.name,config:r}}catch(r){throw r instanceof u.ZodError?new ue(MR(t.name,r),{cause:r}):r}}}o(Uf,"resolveMcpOAuthRuntimeConfigFromPolicies");function MR(e,t){let r=t.issues.map(n=>`  - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
+    deps: ${r}}`,"params")};var Q0={keyword:"dependencies",type:"object",schemaType:"object",error:Et.error,code(e){let[t,r]=X0(e);mS(e,t),fS(e,r)}};function X0({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(X0,"splitDependencies");function mS(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let i=r.let("missing");for(let s in t){let c=t[s];if(c.length===0)continue;let d=(0,Ta.propertyInData)(r,n,s,a.opts.ownProperties);e.setParams({property:s,depsCount:c.length,deps:c.join(", ")}),a.allErrors?r.if(d,()=>{for(let p of c)(0,Ta.checkReportMissingProp)(e,p)}):(r.if((0,Tl._)`${d} && (${(0,Ta.checkMissingProp)(e,c,i)})`),(0,Ta.reportMissingProp)(e,i),r.else())}}o(mS,"validatePropertyDeps");Et.validatePropertyDeps=mS;function fS(e,t=e.schema){let{gen:r,data:n,keyword:a,it:i}=e,s=r.name("valid");for(let c in t)(0,Y0.alwaysValidSchema)(i,t[c])||(r.if((0,Ta.propertyInData)(r,n,c,i.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:c},s);e.mergeValidEvaluated(d,s)},()=>r.var(s,!0)),e.ok(s))}o(fS,"validateSchemaDeps");Et.validateSchemaDeps=fS;Et.default=Q0});var yS=k(Al=>{"use strict";Object.defineProperty(Al,"__esModule",{value:!0});var gS=F(),eE=te(),tE={message:"property name must be valid",params:o(({params:e})=>(0,gS._)`{propertyName: ${e.propertyName}}`,"params")},rE={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:tE,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,eE.alwaysValidSchema)(a,r))return;let i=t.name("valid");t.forIn("key",n,s=>{e.setParams({propertyName:s}),e.subschema({keyword:"propertyNames",data:s,dataTypes:["string"],propertyName:s,compositeRule:!0},i),t.if((0,gS.not)(i),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(i)}};Al.default=rE});var Ul=k(El=>{"use strict";Object.defineProperty(El,"__esModule",{value:!0});var hs=pt(),wt=F(),nE=Wt(),gs=te(),oE={message:"must NOT have additional properties",params:o(({params:e})=>(0,wt._)`{additionalProperty: ${e.additionalProperty}}`,"params")},aE={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:oE,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:i,it:s}=e;if(!i)throw new Error("ajv implementation error");let{allErrors:c,opts:d}=s;if(s.props=!0,d.removeAdditional!=="all"&&(0,gs.alwaysValidSchema)(s,r))return;let p=(0,hs.allSchemaProperties)(n.properties),l=(0,hs.allSchemaProperties)(n.patternProperties);m(),e.ok((0,wt._)`${i} === ${nE.default.errors}`);function m(){t.forIn("key",a,_=>{!p.length&&!l.length?v(_):t.if(h(_),()=>v(_))})}o(m,"checkAdditionalProperties");function h(_){let w;if(p.length>8){let b=(0,gs.schemaRefOrVal)(s,n.properties,"properties");w=(0,hs.isOwnProperty)(t,b,_)}else p.length?w=(0,wt.or)(...p.map(b=>(0,wt._)`${_} === ${b}`)):w=wt.nil;return l.length&&(w=(0,wt.or)(w,...l.map(b=>(0,wt._)`${(0,hs.usePattern)(e,b)}.test(${_})`))),(0,wt.not)(w)}o(h,"isAdditional");function y(_){t.code((0,wt._)`delete ${a}[${_}]`)}o(y,"deleteAdditional");function v(_){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){y(_);return}if(r===!1){e.setParams({additionalProperty:_}),e.error(),c||t.break();return}if(typeof r=="object"&&!(0,gs.alwaysValidSchema)(s,r)){let w=t.name("valid");d.removeAdditional==="failing"?(S(_,w,!1),t.if((0,wt.not)(w),()=>{e.reset(),y(_)})):(S(_,w),c||t.if((0,wt.not)(w),()=>t.break()))}}o(v,"additionalPropertyCode");function S(_,w,b){let R={keyword:"additionalProperties",dataProp:_,dataPropType:gs.Type.Str};b===!1&&Object.assign(R,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(R,w)}o(S,"applyAdditionalSchema")}};El.default=aE});var _S=k($l=>{"use strict";Object.defineProperty($l,"__esModule",{value:!0});var iE=ha(),SS=pt(),Ol=te(),vS=Ul(),sE={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e;i.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&vS.default.code(new iE.KeywordCxt(i,vS.default,"additionalProperties"));let s=(0,SS.allSchemaProperties)(r);for(let m of s)i.definedProperties.add(m);i.opts.unevaluated&&s.length&&i.props!==!0&&(i.props=Ol.mergeEvaluated.props(t,(0,Ol.toHash)(s),i.props));let c=s.filter(m=>!(0,Ol.alwaysValidSchema)(i,r[m]));if(c.length===0)return;let d=t.name("valid");for(let m of c)p(m)?l(m):(t.if((0,SS.propertyInData)(t,a,m,i.opts.ownProperties)),l(m),i.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function p(m){return i.opts.useDefaults&&!i.compositeRule&&r[m].default!==void 0}o(p,"hasDefault");function l(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(l,"applyPropertySchema")}};$l.default=sE});var CS=k(zl=>{"use strict";Object.defineProperty(zl,"__esModule",{value:!0});var wS=pt(),ys=F(),bS=te(),RS=te(),cE={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:i}=e,{opts:s}=i,c=(0,wS.allSchemaProperties)(r),d=c.filter(S=>(0,bS.alwaysValidSchema)(i,r[S]));if(c.length===0||d.length===c.length&&(!i.opts.unevaluated||i.props===!0))return;let p=s.strictSchema&&!s.allowMatchingProperties&&a.properties,l=t.name("valid");i.props!==!0&&!(i.props instanceof ys.Name)&&(i.props=(0,RS.evaluatedPropsToName)(t,i.props));let{props:m}=i;h();function h(){for(let S of c)p&&y(S),i.allErrors?v(S):(t.var(l,!0),v(S),t.if(l))}o(h,"validatePatternProperties");function y(S){for(let _ in p)new RegExp(S).test(_)&&(0,bS.checkStrictMode)(i,`property ${_} matches pattern ${S} (use allowMatchingProperties)`)}o(y,"checkMatchingProperties");function v(S){t.forIn("key",n,_=>{t.if((0,ys._)`${(0,wS.usePattern)(e,S)}.test(${_})`,()=>{let w=d.includes(S);w||e.subschema({keyword:"patternProperties",schemaProp:S,dataProp:_,dataPropType:RS.Type.Str},l),i.opts.unevaluated&&m!==!0?t.assign((0,ys._)`${m}[${_}]`,!0):!w&&!i.allErrors&&t.if((0,ys.not)(l),()=>t.break())})})}o(v,"validateProperties")}};zl.default=cE});var IS=k(Ml=>{"use strict";Object.defineProperty(Ml,"__esModule",{value:!0});var uE=te(),dE={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,uE.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Ml.default=dE});var PS=k(ql=>{"use strict";Object.defineProperty(ql,"__esModule",{value:!0});var lE=pt(),pE={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:lE.validateUnion,error:{message:"must match a schema in anyOf"}};ql.default=pE});var xS=k(Nl=>{"use strict";Object.defineProperty(Nl,"__esModule",{value:!0});var Ss=F(),mE=te(),fE={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,Ss._)`{passingSchemas: ${e.passing}}`,"params")},hE={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:fE,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let i=r,s=t.let("valid",!1),c=t.let("passing",null),d=t.name("_valid");e.setParams({passing:c}),t.block(p),e.result(s,()=>e.reset(),()=>e.error(!0));function p(){i.forEach((l,m)=>{let h;(0,mE.alwaysValidSchema)(a,l)?t.var(d,!0):h=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,Ss._)`${d} && ${s}`).assign(s,!1).assign(c,(0,Ss._)`[${c}, ${m}]`).else(),t.if(d,()=>{t.assign(s,!0),t.assign(c,m),h&&e.mergeEvaluated(h,Ss.Name)})})}o(p,"validateOneOf")}};Nl.default=hE});var kS=k(Dl=>{"use strict";Object.defineProperty(Dl,"__esModule",{value:!0});var gE=te(),yE={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((i,s)=>{if((0,gE.alwaysValidSchema)(n,i))return;let c=e.subschema({keyword:"allOf",schemaProp:s},a);e.ok(a),e.mergeEvaluated(c)})}};Dl.default=yE});var ES=k(jl=>{"use strict";Object.defineProperty(jl,"__esModule",{value:!0});var vs=F(),AS=te(),SE={message:o(({params:e})=>(0,vs.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,vs._)`{failingKeyword: ${e.ifClause}}`,"params")},vE={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:SE,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,AS.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=TS(n,"then"),i=TS(n,"else");if(!a&&!i)return;let s=t.let("valid",!0),c=t.name("_valid");if(d(),e.reset(),a&&i){let l=t.let("ifClause");e.setParams({ifClause:l}),t.if(c,p("then",l),p("else",l))}else a?t.if(c,p("then")):t.if((0,vs.not)(c),p("else"));e.pass(s,()=>e.error(!0));function d(){let l=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},c);e.mergeEvaluated(l)}o(d,"validateIf");function p(l,m){return()=>{let h=e.subschema({keyword:l},c);t.assign(s,c),e.mergeValidEvaluated(h,s),m?t.assign(m,(0,vs._)`${l}`):e.setParams({ifClause:l})}}o(p,"validateClause")}};function TS(e,t){let r=e.schema[t];return r!==void 0&&!(0,AS.alwaysValidSchema)(e,r)}o(TS,"hasSchema");jl.default=vE});var US=k(Hl=>{"use strict";Object.defineProperty(Hl,"__esModule",{value:!0});var _E=te(),wE={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,_E.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};Hl.default=wE});var OS=k(Ll=>{"use strict";Object.defineProperty(Ll,"__esModule",{value:!0});var bE=Cl(),RE=uS(),CE=Il(),IE=lS(),PE=pS(),xE=hS(),kE=yS(),TE=Ul(),AE=_S(),EE=CS(),UE=IS(),OE=PS(),$E=xS(),zE=kS(),ME=ES(),qE=US();function NE(e=!1){let t=[UE.default,OE.default,$E.default,zE.default,ME.default,qE.default,kE.default,TE.default,xE.default,AE.default,EE.default];return e?t.push(RE.default,IE.default):t.push(bE.default,CE.default),t.push(PE.default),t}o(NE,"getApplicator");Ll.default=NE});var $S=k(Bl=>{"use strict";Object.defineProperty(Bl,"__esModule",{value:!0});var Re=F(),DE={message:o(({schemaCode:e})=>(0,Re.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,Re._)`{format: ${e}}`,"params")},jE={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:DE,code(e,t){let{gen:r,data:n,$data:a,schema:i,schemaCode:s,it:c}=e,{opts:d,errSchemaPath:p,schemaEnv:l,self:m}=c;if(!d.validateFormats)return;a?h():y();function h(){let v=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),S=r.const("fDef",(0,Re._)`${v}[${s}]`),_=r.let("fType"),w=r.let("format");r.if((0,Re._)`typeof ${S} == "object" && !(${S} instanceof RegExp)`,()=>r.assign(_,(0,Re._)`${S}.type || "string"`).assign(w,(0,Re._)`${S}.validate`),()=>r.assign(_,(0,Re._)`"string"`).assign(w,S)),e.fail$data((0,Re.or)(b(),R()));function b(){return d.strictSchema===!1?Re.nil:(0,Re._)`${s} && !${w}`}o(b,"unknownFmt");function R(){let z=l.$async?(0,Re._)`(${S}.async ? await ${w}(${n}) : ${w}(${n}))`:(0,Re._)`${w}(${n})`,M=(0,Re._)`(typeof ${w} == "function" ? ${z} : ${w}.test(${n}))`;return(0,Re._)`${w} && ${w} !== true && ${_} === ${t} && !${M}`}o(R,"invalidFmt")}o(h,"validate$DataFormat");function y(){let v=m.formats[i];if(!v){b();return}if(v===!0)return;let[S,_,w]=R(v);S===t&&e.pass(z());function b(){if(d.strictSchema===!1){m.logger.warn(M());return}throw new Error(M());function M(){return`unknown format "${i}" ignored in schema at path "${p}"`}}o(b,"unknownFormat");function R(M){let Me=M instanceof RegExp?(0,Re.regexpCode)(M):d.code.formats?(0,Re._)`${d.code.formats}${(0,Re.getProperty)(i)}`:void 0,at=r.scopeValue("formats",{key:i,ref:M,code:Me});return typeof M=="object"&&!(M instanceof RegExp)?[M.type||"string",M.validate,(0,Re._)`${at}.validate`]:["string",M,at]}o(R,"getFormat");function z(){if(typeof v=="object"&&!(v instanceof RegExp)&&v.async){if(!l.$async)throw new Error("async format in sync schema");return(0,Re._)`await ${w}(${n})`}return typeof _=="function"?(0,Re._)`${w}(${n})`:(0,Re._)`${w}.test(${n})`}o(z,"validCondition")}o(y,"validateFormat")}};Bl.default=jE});var zS=k(Gl=>{"use strict";Object.defineProperty(Gl,"__esModule",{value:!0});var HE=$S(),LE=[HE.default];Gl.default=LE});var MS=k(Qn=>{"use strict";Object.defineProperty(Qn,"__esModule",{value:!0});Qn.contentVocabulary=Qn.metadataVocabulary=void 0;Qn.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];Qn.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var NS=k(Vl=>{"use strict";Object.defineProperty(Vl,"__esModule",{value:!0});var BE=Vy(),GE=aS(),VE=OS(),FE=zS(),qS=MS(),ZE=[BE.default,GE.default,(0,VE.default)(),FE.default,qS.metadataVocabulary,qS.contentVocabulary];Vl.default=ZE});var jS=k(_s=>{"use strict";Object.defineProperty(_s,"__esModule",{value:!0});_s.DiscrError=void 0;var DS;(function(e){e.Tag="tag",e.Mapping="mapping"})(DS||(_s.DiscrError=DS={}))});var LS=k(Zl=>{"use strict";Object.defineProperty(Zl,"__esModule",{value:!0});var Xn=F(),Fl=jS(),HS=ts(),KE=ga(),JE=te(),WE={message:o(({params:{discrError:e,tagName:t}})=>e===Fl.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,Xn._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},YE={keyword:"discriminator",type:"object",schemaType:"object",error:WE,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:i}=e,{oneOf:s}=a;if(!i.opts.discriminator)throw new Error("discriminator: requires discriminator option");let c=n.propertyName;if(typeof c!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!s)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),p=t.const("tag",(0,Xn._)`${r}${(0,Xn.getProperty)(c)}`);t.if((0,Xn._)`typeof ${p} == "string"`,()=>l(),()=>e.error(!1,{discrError:Fl.DiscrError.Tag,tag:p,tagName:c})),e.ok(d);function l(){let y=h();t.if(!1);for(let v in y)t.elseIf((0,Xn._)`${p} === ${v}`),t.assign(d,m(y[v]));t.else(),e.error(!1,{discrError:Fl.DiscrError.Mapping,tag:p,tagName:c}),t.endIf()}o(l,"validateMapping");function m(y){let v=t.name("valid"),S=e.subschema({keyword:"oneOf",schemaProp:y},v);return e.mergeEvaluated(S,Xn.Name),v}o(m,"applyTagSchema");function h(){var y;let v={},S=w(a),_=!0;for(let z=0;z<s.length;z++){let M=s[z];if(M?.$ref&&!(0,JE.schemaHasRulesButRef)(M,i.self.RULES)){let at=M.$ref;if(M=HS.resolveRef.call(i.self,i.schemaEnv.root,i.baseId,at),M instanceof HS.SchemaEnv&&(M=M.schema),M===void 0)throw new KE.default(i.opts.uriResolver,i.baseId,at)}let Me=(y=M?.properties)===null||y===void 0?void 0:y[c];if(typeof Me!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${c}"`);_=_&&(S||w(M)),b(Me,z)}if(!_)throw new Error(`discriminator: "${c}" must be required`);return v;function w({required:z}){return Array.isArray(z)&&z.includes(c)}function b(z,M){if(z.const)R(z.const,M);else if(z.enum)for(let Me of z.enum)R(Me,M);else throw new Error(`discriminator: "properties/${c}" must have "const" or "enum"`)}function R(z,M){if(typeof z!="string"||z in v)throw new Error(`discriminator: "${c}" values must be unique strings`);v[z]=M}}o(h,"getMapping")}};Zl.default=YE});var BS=k((EF,QE)=>{QE.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var Jl=k((me,Kl)=>{"use strict";Object.defineProperty(me,"__esModule",{value:!0});me.MissingRefError=me.ValidationError=me.CodeGen=me.Name=me.nil=me.stringify=me.str=me._=me.KeywordCxt=me.Ajv=void 0;var XE=Dy(),eU=NS(),tU=LS(),GS=BS(),rU=["/properties"],ws="http://json-schema.org/draft-07/schema",eo=class extends XE.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),eU.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(tU.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(GS,rU):GS;this.addMetaSchema(t,ws,!1),this.refs["http://json-schema.org/schema"]=ws}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(ws)?ws:void 0)}};me.Ajv=eo;Kl.exports=me=eo;Kl.exports.Ajv=eo;Object.defineProperty(me,"__esModule",{value:!0});me.default=eo;var nU=ha();Object.defineProperty(me,"KeywordCxt",{enumerable:!0,get:o(function(){return nU.KeywordCxt},"get")});var to=F();Object.defineProperty(me,"_",{enumerable:!0,get:o(function(){return to._},"get")});Object.defineProperty(me,"str",{enumerable:!0,get:o(function(){return to.str},"get")});Object.defineProperty(me,"stringify",{enumerable:!0,get:o(function(){return to.stringify},"get")});Object.defineProperty(me,"nil",{enumerable:!0,get:o(function(){return to.nil},"get")});Object.defineProperty(me,"Name",{enumerable:!0,get:o(function(){return to.Name},"get")});Object.defineProperty(me,"CodeGen",{enumerable:!0,get:o(function(){return to.CodeGen},"get")});var oU=Xi();Object.defineProperty(me,"ValidationError",{enumerable:!0,get:o(function(){return oU.default},"get")});var aU=ga();Object.defineProperty(me,"MissingRefError",{enumerable:!0,get:o(function(){return aU.default},"get")})});var QS=k(Ot=>{"use strict";Object.defineProperty(Ot,"__esModule",{value:!0});Ot.formatNames=Ot.fastFormats=Ot.fullFormats=void 0;function Ut(e,t){return{validate:e,compare:t}}o(Ut,"fmtDef");Ot.fullFormats={date:Ut(KS,Xl),time:Ut(Yl(!0),ep),"date-time":Ut(VS(!0),WS),"iso-time":Ut(Yl(),JS),"iso-date-time":Ut(VS(),YS),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:lU,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:SU,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:pU,int32:{type:"number",validate:hU},int64:{type:"number",validate:gU},float:{type:"number",validate:ZS},double:{type:"number",validate:ZS},password:!0,binary:!0};Ot.fastFormats={...Ot.fullFormats,date:Ut(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,Xl),time:Ut(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,ep),"date-time":Ut(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,WS),"iso-time":Ut(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,JS),"iso-date-time":Ut(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,YS),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};Ot.formatNames=Object.keys(Ot.fullFormats);function iU(e){return e%4===0&&(e%100!==0||e%400===0)}o(iU,"isLeapYear");var sU=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,cU=[0,31,28,31,30,31,30,31,31,30,31,30,31];function KS(e){let t=sU.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&iU(r)?29:cU[n])}o(KS,"date");function Xl(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(Xl,"compareDate");var Wl=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function Yl(e){return o(function(r){let n=Wl.exec(r);if(!n)return!1;let a=+n[1],i=+n[2],s=+n[3],c=n[4],d=n[5]==="-"?-1:1,p=+(n[6]||0),l=+(n[7]||0);if(p>23||l>59||e&&!c)return!1;if(a<=23&&i<=59&&s<60)return!0;let m=i-l*d,h=a-p*d-(m<0?1:0);return(h===23||h===-1)&&(m===59||m===-1)&&s<61},"time")}o(Yl,"getTime");function ep(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(ep,"compareTime");function JS(e,t){if(!(e&&t))return;let r=Wl.exec(e),n=Wl.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(JS,"compareIsoTime");var Ql=/t|\s/i;function VS(e){let t=Yl(e);return o(function(n){let a=n.split(Ql);return a.length===2&&KS(a[0])&&t(a[1])},"date_time")}o(VS,"getDateTime");function WS(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(WS,"compareDateTime");function YS(e,t){if(!(e&&t))return;let[r,n]=e.split(Ql),[a,i]=t.split(Ql),s=Xl(r,a);if(s!==void 0)return s||ep(n,i)}o(YS,"compareIsoDateTime");var uU=/\/|:/,dU=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function lU(e){return uU.test(e)&&dU.test(e)}o(lU,"uri");var FS=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function pU(e){return FS.lastIndex=0,FS.test(e)}o(pU,"byte");var mU=-(2**31),fU=2**31-1;function hU(e){return Number.isInteger(e)&&e<=fU&&e>=mU}o(hU,"validateInt32");function gU(e){return Number.isInteger(e)}o(gU,"validateInt64");function ZS(){return!0}o(ZS,"validateNumber");var yU=/[^\\]\\Z/;function SU(e){if(yU.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(SU,"regex")});var XS=k(ro=>{"use strict";Object.defineProperty(ro,"__esModule",{value:!0});ro.formatLimitDefinition=void 0;var vU=Jl(),bt=F(),Ir=bt.operators,bs={formatMaximum:{okStr:"<=",ok:Ir.LTE,fail:Ir.GT},formatMinimum:{okStr:">=",ok:Ir.GTE,fail:Ir.LT},formatExclusiveMaximum:{okStr:"<",ok:Ir.LT,fail:Ir.GTE},formatExclusiveMinimum:{okStr:">",ok:Ir.GT,fail:Ir.LTE}},_U={message:o(({keyword:e,schemaCode:t})=>(0,bt.str)`should be ${bs[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,bt._)`{comparison: ${bs[e].okStr}, limit: ${t}}`,"params")};ro.formatLimitDefinition={keyword:Object.keys(bs),type:"string",schemaType:"string",$data:!0,error:_U,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:i}=e,{opts:s,self:c}=i;if(!s.validateFormats)return;let d=new vU.KeywordCxt(i,c.RULES.all.format.definition,"format");d.$data?p():l();function p(){let h=t.scopeValue("formats",{ref:c.formats,code:s.code.formats}),y=t.const("fmt",(0,bt._)`${h}[${d.schemaCode}]`);e.fail$data((0,bt.or)((0,bt._)`typeof ${y} != "object"`,(0,bt._)`${y} instanceof RegExp`,(0,bt._)`typeof ${y}.compare != "function"`,m(y)))}o(p,"validate$DataFormat");function l(){let h=d.schema,y=c.formats[h];if(!y||y===!0)return;if(typeof y!="object"||y instanceof RegExp||typeof y.compare!="function")throw new Error(`"${a}": format "${h}" does not define "compare" function`);let v=t.scopeValue("formats",{key:h,ref:y,code:s.code.formats?(0,bt._)`${s.code.formats}${(0,bt.getProperty)(h)}`:void 0});e.fail$data(m(v))}o(l,"validateFormat");function m(h){return(0,bt._)`${h}.compare(${r}, ${n}) ${bs[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var wU=o(e=>(e.addKeyword(ro.formatLimitDefinition),e),"formatLimitPlugin");ro.default=wU});var nv=k((Aa,rv)=>{"use strict";Object.defineProperty(Aa,"__esModule",{value:!0});var no=QS(),bU=XS(),tp=F(),ev=new tp.Name("fullFormats"),RU=new tp.Name("fastFormats"),rp=o((e,t={keywords:!0})=>{if(Array.isArray(t))return tv(e,t,no.fullFormats,ev),e;let[r,n]=t.mode==="fast"?[no.fastFormats,RU]:[no.fullFormats,ev],a=t.formats||no.formatNames;return tv(e,a,r,n),t.keywords&&(0,bU.default)(e),e},"formatsPlugin");rp.get=(e,t="full")=>{let n=(t==="fast"?no.fastFormats:no.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function tv(e,t,r,n){var a,i;(a=(i=e.opts.code).formats)!==null&&a!==void 0||(i.formats=(0,tp._)`require("ajv-formats/dist/formats").${n}`);for(let s of t)e.addFormat(s,r[s])}o(tv,"addFormats");rv.exports=Aa=rp;Object.defineProperty(Aa,"__esModule",{value:!0});Aa.default=rp});var _n={runtime:{invalid_request:{code:"invalid_request",seam:"runtime",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",seam:"runtime",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",seam:"runtime",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",seam:"runtime",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",seam:"config",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",seam:"config",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",seam:"downstream_auth",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",seam:"downstream_auth",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",seam:"downstream_oauth",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",seam:"upstream_auth",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",seam:"upstream_auth",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",seam:"upstream_mcp",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},om={..._n.runtime,..._n.config,..._n.downstream_auth,..._n.downstream_oauth,..._n.upstream_auth,..._n.upstream_mcp};function _o(e){return typeof e=="string"&&Object.hasOwn(om,e)}o(_o,"isGatewayProblemCode");function Va(e){return _o(e)&&Ke(e).callbackFailure===!0}o(Va,"isGatewayCallbackFailureCode");function Ke(e){return om[e]}o(Ke,"readGatewayProblemDefinition");function am(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";default:return"internal_server_error"}}o(am,"readDefaultGatewayProblemCodeForStatus");var im="gatewayCode";function sm(e){let t=Ke(e);return{title:t.title,body:t.publicDetail}}o(sm,"readGatewayCallbackFailureContent");function ge(e){if(!(e instanceof Sn))return;let t=e.extensionMembers?.[im];return _o(t)?t:void 0}o(ge,"readGatewayProblemCode");function g(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Ke(n.code),i=n.privateDetail??(Fa(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),s=xw(n);return new Sn({message:i,extensionMembers:{[im]:n.code}},s===void 0?void 0:{cause:s})}o(g,"createGatewayRuntimeError");async function it(e,t,r){let n=Ke(r.code),a=kw(r.code,r.detail),i=Fa(r.code)?r.title??n.title:n.title,c={problem:{...vo.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:i,detail:a,code:r.code}};return r.headers!==void 0&&(c.additionalHeaders=r.headers),vo.format(c,e,t)}o(it,"gatewayProblemResponse");function Fa(e){return Ke(e).status<500}o(Fa,"canExposeGatewayProblemDetail");function xw(e){return!e.privateDetail||Fa(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(xw,"readRuntimeErrorCause");function kw(e,t){let r=Ke(e);return Fa(e)&&t||r.publicDetail}o(kw,"readSafeGatewayProblemDetail");ae();ae();ae();var Tw=new Set(["localhost","::1"]);function Nt(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(Nt,"normalizeHostname");function qe(e){let t=Nt(e.hostname);return e.protocol==="http:"&&(Tw.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(qe,"isLoopbackHttpUrl");var cm=new Ct("gateway-route");function um(e,t){cm.set(e,t)}o(um,"setGatewayRouteContext");function wo(e){return cm.get(e)}o(wo,"readGatewayRouteContext");function wn(e){let t=wo(e);if(!t)throw g("internal_server_error","Gateway route context has not been set");return t}o(wn,"requireGatewayRouteContext");var dm=new Ct("mcp-oauth-runtime-config");function bn(e,t){dm.set(e,t)}o(bn,"setMcpOAuthRuntimeConfig");function lm(e){let t=dm.get(e);if(!t)throw g("internal_server_error","MCP gateway OAuth config has not been set on the request context. An `mcp-oauth-inbound` policy (or `mcp-auth0-oauth-inbound`) must run before this handler, or the internal OAuth route wrapper must have populated the context.");return t}o(lm,"requireMcpOAuthRuntimeConfig");var bo=u.string().trim().min(1),Ro={accessTokenTtlSeconds:900,refreshTokenTtlSeconds:2592e3,cimdEnabled:!0},Aw=u.object({issuer:u.url(),jwksUrl:u.url(),audience:bo.optional()}),Ew=u.object({url:u.url(),tokenUrl:u.url().optional(),clientId:bo.optional(),clientSecret:bo.optional(),scope:bo.default("openid profile email"),audience:bo.optional(),remoteTimeoutMs:u.coerce.number().int().positive().default(1e4),stateTtlSeconds:u.coerce.number().int().positive().default(900),sessionTtlSeconds:u.coerce.number().int().positive().default(28800)}).strict(),Uw=u.object({accessTokenTtlSeconds:u.coerce.number().int().positive().default(Ro.accessTokenTtlSeconds),refreshTokenTtlSeconds:u.coerce.number().int().positive().default(Ro.refreshTokenTtlSeconds),cimdEnabled:u.boolean().default(Ro.cimdEnabled)}).strict().default(Ro),fc=u.object({oidc:Aw,browserLogin:Ew,gateway:Uw.optional().default(Ro)}).strict();function pm(e){return Ow(e.browserLogin.url)?"local_dev":"federated_oidc"}o(pm,"readBrowserLoginKind");function Ow(e){let t;try{t=new URL(e)}catch{return!1}return qe(t)&&t.pathname==="/oauth/dev-login"}o(Ow,"isLoopbackDevLoginUrl");function mm(e){return fc.parse(e)}o(mm,"parseMcpOAuthRuntimeConfig");function Pe(){let e;try{e=sc()}catch(t){throw g("internal_server_error","MCP gateway OAuth config can only be read during a request. Wrap tests in `runWithRequestContext` and ensure MCP OAuth routes are registered through `McpGatewayPlugin`.",t)}return lm(e)}o(Pe,"getGatewayOAuthConfig");ae();var $w=["shared-oauth","user-oauth","static-secret","user-secret","shared-secret"],zw=["none","client_secret_basic","client_secret_post"],Je=u.string().min(1).brand(),xe=u.string().min(1).brand(),We=u.string().min(1).brand(),ar=u.string().min(1).brand(),Za=u.enum($w),hc=u.enum(zw),Ka=u.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),gc=u.object({name:Ka,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict();ae();var W=u.string().datetime({offset:!0}).brand();function re(e){return W.parse(e.toISOString())}o(re,"toIsoTimestamp");function Dt(e,t){return new Date(e.getTime()+t*1e3)}o(Dt,"addSeconds");ae();function ie(e){return new URL(e).origin}o(ie,"readGatewayRequestOrigin");function ht(e){return ie(e)}o(ht,"readGatewayOAuthIssuer");function yc(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(yc,"truncate");function fm(e){return"cause"in e?e.cause:void 0}o(fm,"readCause");function Ye(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=yc(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=yc(r.message);let n=fm(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let i=a===1?"cause":`cause${a}`;e[`${i}Name`]=n.name,e[`${i}Message`]=yc(n.message),n=fm(n)}}o(Ye,"addErrorLogFields");function st(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(st,"safeHost");function hm(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(hm,"setLogProperties");function Sc(e,t){hm(e,{subjectId:t.subjectId})}o(Sc,"applyGatewayPrincipalLogProperties");function gm(e,t){hm(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(gm,"applyGatewayRouteLogProperties");ae();var Mw=43,qw=128,Nw=/^[A-Za-z0-9._~-]+$/,vc="S256",Ja=u.literal(vc),Wa=u.string().min(Mw).max(qw).regex(Nw);ae();var Ya=["none","client_secret_post","client_secret_basic"],Dw=[...Ya,"private_key_jwt"],jw=["awaiting_login","awaiting_setup"],Hw=u.string().min(1).brand(),Ne=u.string().min(1).brand(),Co=u.uuid().brand(),ct=u.uuid().brand(),Qa=u.uuid().brand(),_c=u.enum(Ya),Lw=u.enum(Dw),Zq=u.enum(jw),ym=u.object({client_id:Ne,client_name:u.string().min(1),redirect_uris:u.array(u.string().min(1)).min(1),token_endpoint_auth_method:Lw.default("none")}),wc=u.object({clientId:Ne,clientName:u.string().min(1),redirectUris:u.array(u.string().min(1)),tokenEndpointAuthMethod:_c,hashedClientSecret:u.string().optional(),clientSecretExpiresAt:W.optional(),clientExpiresAt:W,revokedAt:W.optional(),createdAt:W}),bc=u.object({clientId:Ne,resource:u.string(),virtualServerId:xe,subjectId:Hw,scope:u.string(),roles:u.array(u.string()),createdAt:W,expiresAt:W}),Kq=bc.extend({id:ct,redirectUri:u.string(),clientState:u.string().optional(),codeChallenge:u.string(),codeChallengeMethod:Ja}),Rc=bc.extend({id:Co,currentRefreshTokenHash:u.string().optional(),previousRefreshTokenHash:u.string().optional(),revokedAt:W.optional(),revokedReason:u.string().optional()}),Xa=bc.extend({tokenHash:u.string(),grantId:Co,revokedAt:W.optional()});function Cc(){return ct.parse(crypto.randomUUID())}o(Cc,"createDownstreamAuthorizationTransactionId");function Ic(){return Qa.parse(crypto.randomUUID())}o(Ic,"createDownstreamBrowserLoginStateId");function Sm(){return Co.parse(crypto.randomUUID())}o(Sm,"createDownstreamGrantId");var ye="mcp:tools";function vm(e,t){if(e===t)return!0;let r=new URL(e),n=new URL(t);return qe(r)&&qe(n)&&r.pathname===n.pathname&&r.search===n.search}o(vm,"redirectUriMatchesRegistration");function _m(e){return qe(e)&&e.pathname==="/oauth/dev-login"}o(_m,"isLoopbackDevLoginUrl");function ei(e,t){return new URL(e,ht(t)).toString()}o(ei,"buildGatewayOAuthUrl");function Pc(e){return new URL(`/mcp/${encodeURIComponent(e.virtualServerId)}`,ie(e.requestUrl)).toString()}o(Pc,"buildScopedAuthorizationServerIssuer");function Bw(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,ie(e.requestUrl)).toString()}o(Bw,"buildScopedAuthorizationEndpoint");function xc(e){let t=Pe();return{issuer:ht(e),authorization_endpoint:ei("/oauth/authorize",e),token_endpoint:ei("/oauth/token",e),registration_endpoint:ei("/oauth/register",e),revocation_endpoint:ei("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[ye],code_challenge_methods_supported:[vc],token_endpoint_auth_methods_supported:Ya,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":pm(t)}}o(xc,"buildAuthorizationServerMetadata");function wm(e){let t=Pc(e);return{...xc(e.requestUrl),issuer:t,authorization_endpoint:Bw(e)}}o(wm,"buildScopedAuthorizationServerMetadata");var $r="2025-06-18";async function bm(e,t){try{let r=xe.parse(e.params.virtualServerId),n=Mr(r);return Response.json(Gw(n.virtualServerId,e.url))}catch(r){let n=ge(r);return it(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(bm,"protectedResourceMetadataHandler");function Gw(e,t){return{resource:zr(e,t),resource_name:e,authorization_servers:[Pc({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[ye],mcp_protocol_version:$r}}o(Gw,"buildProtectedResourceMetadataResponseBody");function zr(e,t){return new URL(`/mcp/${encodeURIComponent(e)}`,ie(t)).toString()}o(zr,"buildCanonicalMcpResourceForVirtualServer");function Rm(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,ie(t)).toString()}o(Rm,"buildProtectedResourceMetadataUrlForVirtualServer");var Vw=u.record(u.string(),u.unknown()),Cm=u.string().min(1),Fw=u.union([Cm.transform(e=>[e]),u.array(Cm)]),ve=u.string().min(1).brand(),Zw=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],Kw=["https://zuplo.com/roles","roles","role","permissions","groups"],Im=new Ct("gateway-principal");function Jw(e){let t=Vw.safeParse(e);return t.success?t.data:{}}o(Jw,"toClaimRecord");function Ww(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(Ww,"readValidationFailureDetail");function Yw(e,t,r){for(let i of Zw){let s=ve.safeParse(t[i]);if(s.success)return s.data}let n=ve.safeParse(e?.sub);if(!n.success)throw g("identity_context_missing",Ww(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===ht(r)?n.data:ve.parse(`${a}|${n.data}`)}o(Yw,"readNormalizedSubjectId");function Qw(e){let t=new Set;for(let r of Kw){let n=Fw.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(Qw,"readRoles");function Rn(e,t){let r=Jw(e?.data),n={subjectId:Yw(e,r,t)},a=Qw(r);return a&&(n.roles=a),n}o(Rn,"parseGatewayPrincipal");function Pm(e){let t=Tc(e);if(!t)throw g("identity_context_missing","Gateway principal has not been hydrated");return t}o(Pm,"requireGatewayPrincipal");function xm(e,t){Im.set(e,t)}o(xm,"setGatewayPrincipal");function Tc(e){return Im.get(e)}o(Tc,"readGatewayPrincipal");function ti(e){let r=['realm="OAuth"',`resource_metadata="${kc(Rm(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${kc(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${kc(e.scope)}"`),`Bearer ${r.join(", ")}`}o(ti,"buildGatewayBearerChallenge");function kc(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(kc,"sanitizeQuotedHeaderParameter");ae();ae();function ri(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw g("invalid_request","returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(ri,"parseSafeRelativeReturnTo");ae();var Xw=["user","shared"],Cn=u.enum(Xw);function ir(e){return{mode:"user",subjectId:e}}o(ir,"buildUserUpstreamConnectionOwner");function ni(){return{mode:"shared"}}o(ni,"buildSharedUpstreamConnectionOwner");var km=u.object({ownerMode:Cn,initiatedBySubjectId:ve,ownerSubjectId:ve.optional(),upstreamServerId:Je,authProfileId:We,virtualServerId:xe,returnTo:u.string().min(1).transform(e=>ri(e)).optional()});function Tm(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="shared"&&e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"Shared state must not include ownerSubjectId",path:["ownerSubjectId"]})}o(Tm,"validateUpstreamOwnerState");var In=km.superRefine(Tm),Am=km.omit({returnTo:!0}).superRefine(Tm);function Io(e){return In.parse({ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(Io,"buildUpstreamOwnerState");function Pn(e){if(e.ownerMode==="shared")return ni();if(!e.ownerSubjectId)throw g("oauth_state_invalid","User-owned upstream state is missing the owner subject.");return ir(e.ownerSubjectId)}o(Pn,"resolveUpstreamConnectionOwnerFromState");var eb=["active","not_connected","reconsent_required"],tb=["basic_auth_app_password","bearer_token"],Em=u.string().trim().min(1).brand(),xn=u.uuid().brand(),Po=u.uuid().brand(),Ac=u.enum(eb),rb=u.enum(tb),Um=u.object({encryptedClientInformation:u.string().optional(),encryptedDiscoveryState:u.string().optional(),connectedBySubjectId:ve.optional()}),nb=Um.extend({encryptedStaticSecret:u.string().optional(),staticSecretKind:rb.optional(),staticSecretLabel:u.string().min(1).optional(),staticSecretUsername:u.string().min(1).optional()}).strict(),ob=u.object({id:Em,subjectId:ve.optional(),ownerMode:Cn,upstreamServerId:Je,authProfileId:We,status:Ac,encryptedAccessToken:u.string().min(1).optional(),encryptedRefreshToken:u.string().min(1).optional(),scopes:u.array(u.string()),expiresAt:W.optional(),metadata:nb.optional(),createdAt:W,updatedAt:W});function Ec(e,t){e.ownerMode==="user"&&(e.subjectId||t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="shared"&&e.subjectId!==void 0&&t.addIssue({code:u.ZodIssueCode.custom,message:"Shared upstream connections must not include subjectId",path:["subjectId"]})}o(Ec,"validateUpstreamConnectionOwnerShape");var kn=ob.superRefine(Ec);function qr(e){return JSON.stringify([e.owner.mode,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}o(qr,"readUpstreamConnectionLookupKey");var Uc=In.extend({id:xn,callbackPath:u.string().min(1),expiresAt:W,codeVerifier:u.string().optional(),redirectUri:u.url(),returnOrigin:u.url().optional()}).extend(Um.shape);function Om(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o(Om,"readUpstreamConnectionStatus");function oi(){return Em.parse(`mcpgw2uc_${crypto.randomUUID()}`)}o(oi,"createUpstreamConnectionId");function $m(){return xn.parse(crypto.randomUUID())}o($m,"createOAuthStateId");function zm(){return Po.parse(crypto.randomUUID())}o(zm,"createBrowserConnectTicketId");ae();var $c=u.discriminatedUnion("mode",[u.object({mode:u.literal("user"),subjectId:ve}).strict(),u.object({mode:u.literal("shared")}).strict()]),qm=u.object({owner:$c,upstreamServerId:Je,authProfileId:We}).strict(),Nm=u.object({items:u.array(qm).min(1).max(100)}).strict(),zc=u.object({items:u.array(u.object({key:u.object({ownerMode:Cn,subjectId:ve.optional(),upstreamServerId:Je,authProfileId:We}).strict(),connection:kn.strict().optional()}).strict())}).strict(),Dm=kn.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(Ec),jm=kn.strict(),Hm=u.object({owner:$c,upstreamServerId:Je,authProfileId:We}).strict(),Lm=u.object({owner:$c,upstreamServerId:Je,authProfileId:We,connection:kn.strict().optional(),connectionStatus:u.object({connected:u.boolean(),status:Ac,updatedAt:kn.shape.updatedAt.optional()}).strict()}).strict(),ab=u.enum(["none","client_secret_basic","client_secret_post"]),Nr=u.object({clientId:Ne,clientName:u.string().min(1),tokenEndpointAuthMethod:ab}).strict(),Mc=u.discriminatedUnion("method",[u.object({method:u.literal("none"),clientId:Ne}).strict(),u.object({method:u.enum(["client_secret_basic","client_secret_post"]),clientId:Ne,clientSecretHashInput:u.string().min(1)}).strict()]),qc=u.object({id:ct,currentStateHash:u.string().min(1),clientId:Ne,redirectUri:u.string().min(1),resource:u.string().min(1),virtualServerId:xe,clientState:u.string().optional(),scope:u.string(),codeChallenge:u.string().min(1),codeChallengeMethod:u.literal("S256"),createdAt:W,expiresAt:W,consumedAt:W.optional()}).strict(),Mm=qc.omit({id:!0,consumedAt:!0}).extend({transactionId:ct,client:Nr.optional()}).strict(),Nc=u.object({subjectId:ve,roles:u.array(u.string()).optional()}).strict(),ib=qc.extend({phase:u.literal("awaiting_login")}).strict(),Oc=qc.extend({phase:u.literal("awaiting_setup"),principal:Nc}).strict(),sb=u.discriminatedUnion("phase",[ib,Oc]),Dc=u.object({transaction:sb,client:Nr}).strict(),Bm=wc.omit({revokedAt:!0}).strict(),Gm=u.discriminatedUnion("kind",[u.object({kind:u.literal("registered"),client:Nr}).strict(),u.object({kind:u.literal("already_exists")}).strict()]),Vm=u.object({clientId:Ne}).strict(),Fm=u.discriminatedUnion("kind",[u.object({kind:u.literal("found"),client:wc.strict()}).strict(),u.object({kind:u.literal("missing")}).strict()]),Zm=u.discriminatedUnion("phase",[Mm.extend({phase:u.literal("awaiting_login")}).strict(),Mm.extend({phase:u.literal("awaiting_setup"),principal:Nc}).strict()]),Km=u.discriminatedUnion("kind",[Dc.extend({kind:u.literal("started")}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("redirect_uri_mismatch")}).strict(),u.object({kind:u.literal("already_exists")}).strict()]),Jm=u.object({transactionId:ct,currentStateHash:u.string().min(1),now:W}).strict(),Wm=u.discriminatedUnion("kind",[Dc.extend({kind:u.literal("available")}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Ym=u.object({transactionId:ct,expectedPhase:u.literal("awaiting_login"),currentStateHash:u.string().min(1),nextStateHash:u.string().min(1),nextPhase:u.literal("awaiting_setup"),principal:Nc,now:W}).strict(),Qm=u.discriminatedUnion("kind",[Dc.extend({kind:u.literal("advanced")}).strict(),u.object({kind:u.literal("wrong_phase"),current:u.enum(["awaiting_login","awaiting_setup"])}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Xm=u.discriminatedUnion("decision",[u.object({decision:u.literal("approve"),transactionId:ct,currentStateHash:u.string().min(1),currentPrincipal:u.object({subjectId:ve}).strict(),authorizationCodeHash:u.string().min(1),authorizationCodeExpiresAt:W,grantId:Co,now:W}).strict(),u.object({decision:u.literal("cancel"),transactionId:ct,currentStateHash:u.string().min(1),currentPrincipal:u.object({subjectId:ve}).strict(),now:W}).strict()]),ef=u.discriminatedUnion("kind",[u.object({kind:u.literal("approved"),transaction:Oc,client:Nr}).strict(),u.object({kind:u.literal("cancelled"),transaction:Oc,client:Nr}).strict(),u.object({kind:u.literal("principal_mismatch")}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed_already")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),tf=u.object({clientAuth:Mc,codeHash:u.string().min(1),redirectUri:u.string().min(1),resource:u.string().min(1).optional(),codeChallenge:u.string().min(1),currentRefreshTokenHash:u.string().min(1),accessTokenHash:u.string().min(1),grantExpiresAt:W,accessTokenExpiresAt:W,now:W}).strict(),rf=u.discriminatedUnion("kind",[u.object({kind:u.literal("exchanged"),client:Nr,grant:Rc.strict()}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("binding_mismatch")}).strict()]),nf=u.object({clientAuth:Mc,currentRefreshTokenHash:u.string().min(1),nextRefreshTokenHash:u.string().min(1),accessTokenHash:u.string().min(1),resource:u.string().min(1).optional(),accessTokenExpiresAt:W,now:W}).strict(),of=u.discriminatedUnion("kind",[u.object({kind:u.literal("rotated"),client:Nr,grant:Rc.strict(),accessToken:Xa.strict(),matched:u.literal("current")}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("revoked")}).strict()]),af=u.object({clientAuth:Mc,tokenHash:u.string().min(1),now:W}).strict(),sf=u.discriminatedUnion("kind",[u.object({kind:u.literal("revoked_access_token")}).strict(),u.object({kind:u.literal("revoked_grant")}).strict(),u.object({kind:u.literal("client_mismatch")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("invalid_client")}).strict()]),cf=u.object({tokenHash:u.string().min(1),now:W}).strict(),uf=u.discriminatedUnion("kind",[u.object({kind:u.literal("valid"),record:Xa.strict()}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("revoked")}).strict()]),df=u.object({accessTokenHash:u.string().min(1),resource:u.string().min(1),virtualServerId:xe,upstreamConnectionKeys:u.array(qm).max(100),now:W}).strict(),lf=u.discriminatedUnion("kind",[u.object({kind:u.literal("authorized"),principal:u.object({subjectId:ve,roles:u.array(u.string())}).strict(),accessToken:Xa.strict(),upstreamConnections:zc.shape.items}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("revoked")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("principal_mismatch")}).strict()]),pf=u.object({record:Uc}).strict(),mf=u.object({kind:u.literal("saved")}).strict(),ff=u.object({id:xn,now:W}).strict(),hf=u.discriminatedUnion("kind",[u.object({kind:u.literal("available"),record:Uc}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("missing")}).strict()]),gf=u.object({id:Po,expiresAt:W,now:W}).strict(),yf=u.discriminatedUnion("kind",[u.object({kind:u.literal("available")}).strict(),u.object({kind:u.literal("consumed")}).strict()]);var Sf=100,cb=new Set(["undefined","null","nan"]);function vf(e){return e!==null&&typeof e=="object"}o(vf,"isProblemDetailsShape");var ub="/zups/v2/mcp/storage";function ke(e){return`${ub}/${e}`}o(ke,"buildStoragePath");function db(){return ke("upstream-connections/batch-get")}o(db,"buildBatchGetUpstreamConnectionsPath");function lb(){return ke("upstream-connections/upsert")}o(lb,"buildUpsertUpstreamConnectionPath");function pb(){return ke("authorization/read-setup")}o(pb,"buildReadAuthorizationSetupPath");function mb(){return ke("oauth/register-client")}o(mb,"buildRegisterClientPath");function fb(){return ke("oauth/read-client")}o(fb,"buildReadClientPath");function hb(){return ke("authorization/start")}o(hb,"buildStartAuthorizationPath");function gb(){return ke("authorization/read-pending")}o(gb,"buildReadPendingAuthorizationPath");function yb(){return ke("authorization/advance-pending")}o(yb,"buildAdvancePendingAuthorizationPath");function Sb(){return ke("authorization/decide-setup")}o(Sb,"buildDecideAuthorizationSetupPath");function vb(){return ke("token/exchange-authorization-code")}o(vb,"buildExchangeAuthorizationCodePath");function _b(){return ke("token/refresh")}o(_b,"buildRefreshTokenPath");function wb(){return ke("token/revoke")}o(wb,"buildRevokeOAuthTokenPath");function bb(){return ke("token/validate-access-token")}o(bb,"buildValidateAccessTokenPath");function Rb(){return ke("mcp/authorize-and-load-connections")}o(Rb,"buildAuthorizeAndLoadConnectionsPath");function Cb(){return ke("upstream-oauth-state/save")}o(Cb,"buildSaveUpstreamOAuthStatePath");function Ib(){return ke("upstream-oauth-state/consume")}o(Ib,"buildConsumeUpstreamOAuthStatePath");function Pb(){return ke("browser-connect-ticket/consume")}o(Pb,"buildConsumeBrowserConnectTicketPath");function xb(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(xb,"responseKeyMatchesLookup");function kb(e,t){return e.owner.mode===t.owner.mode&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(kb,"authorizationSetupMatchesLookup");function bf(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(bf,"connectionMatchesLookup");function Tb(e,t){return e.ownerMode===t.ownerMode&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&Hc(e.scopes,t.scopes)&&jc(e.expiresAt,t.expiresAt)&&Eb(e.metadata,t.metadata)}o(Tb,"connectionMatchesUpsertRecord");function jc(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}o(jc,"optionalTimestampInstantsMatch");function Ab(e,t){return Date.parse(e)<=Date.parse(t)}o(Ab,"timestampInstantIsAtOrBefore");function Hc(e,t){return e.length===t.length&&e.every((r,n)=>r===t[n])}o(Hc,"stringArraysMatch");function Eb(e,t){let r=_f(e),n=_f(t),a=Object.fromEntries(n);return r.length===n.length&&r.every(([i,s])=>a[i]===s)}o(Eb,"metadataMatches");function _f(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}o(_f,"definedMetadataEntries");function we(e,t){throw g({code:"internal_server_error",privateDetail:e,cause:t})}o(we,"throwInvalidStorageResponse");async function Ub(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){we("Gateway Service storage response did not match the runtime storage contract.",r)}}o(Ub,"parseRuntimeHttpStorageResponse");function Rf(e,t){e.length!==t.length&&we("Gateway Service storage response item count did not match the request.");for(let[r,n]of e.entries()){let a=t[r];xb(n.key,a)||we("Gateway Service storage response key did not match the request."),n.connection!==void 0&&!bf(n.connection,a)&&we("Gateway Service storage response connection did not match the response key.")}}o(Rf,"validateUpstreamConnectionItemsMatchLookups");function Ob(e,t){kb(e,t)||we("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!bf(e.connection,t)&&we("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",n=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==n||!jc(e.connectionStatus.updatedAt,a))&&we("Gateway Service storage response authorization setup status did not match the connection.")}o(Ob,"validateAuthorizationSetupResponseMatchesLookup");function $b(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&we("Gateway Service storage response registered client did not match the request.")}o($b,"validateRegisterClientResponseMatchesRequest");function zb(e,t){e.kind==="found"&&e.client.clientId!==t.clientId&&we("Gateway Service storage response client did not match the request.")}o(zb,"validateReadClientResponseMatchesRequest");function Mb(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.virtualServerId!==t.virtualServerId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&we("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&we("Gateway Service storage response started authorization principal did not match the request."))}o(Mb,"validateStartAuthorizationResponseMatchesRequest");function wf(e,t){e.kind!=="available"&&e.kind!=="advanced"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&we("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&we("Gateway Service storage response advanced authorization did not match the request."))}o(wf,"validatePendingAuthorizationResponseMatchesRequest");function qb(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&we("Gateway Service storage response authorization setup transaction did not match the request.")}o(qb,"validateAuthorizationSetupDecisionResponseMatchesRequest");function Nb(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!jc(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&we("Gateway Service storage response authorization-code exchange did not match the request.")}o(Nb,"validateExchangeAuthorizationCodeResponseMatchesRequest");function Db(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&we("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!Ab(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!Lb(e.accessToken,e.grant))&&we("Gateway Service storage response token refresh access token did not match the request."))}o(Db,"validateRefreshTokenResponseMatchesRequest");function jb(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&we("Gateway Service storage response access token did not match the request.")}o(jb,"validateAccessTokenValidationResponseMatchesRequest");function Hb(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.virtualServerId!==t.virtualServerId||e.principal.subjectId!==e.accessToken.subjectId||!Hc(e.principal.roles,e.accessToken.roles))&&we("Gateway Service storage response MCP authorization did not match the request."),Rf(e.upstreamConnections,t.upstreamConnectionKeys))}o(Hb,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function Lb(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.virtualServerId===t.virtualServerId&&e.subjectId===t.subjectId&&e.scope===t.scope&&Hc(e.roles,t.roles)}o(Lb,"accessTokenMatchesGrant");async function Bb(e){try{return await e.clone().json()}catch{return}}o(Bb,"readProblemDetails");async function Gb(e){let t=await Bb(e),r=vf(t)&&typeof t.status=="number"?t.status:e.status,n=vf(t)&&_o(t.code)?t.code:am(r);throw g({code:n,privateDetail:`Gateway Service storage request failed with HTTP ${r}.`})}o(Gb,"throwRuntimeHttpStorageError");var ai=class{static{o(this,"RuntimeHttpStorageClient")}#t;#r;constructor(t){this.#t=t.baseUrl??So.instance.zuploEdgeApiUrl,this.#r=t.fetch??fetch}#n(t){let r;try{r=new URL(t,this.#t)}catch(n){throw g("internal_server_error",`Gateway Service storage base URL is not a valid URL. Got ${JSON.stringify(this.#t)}. Verify the gateway runtime configuration.`,n)}if(r.protocol!=="https:"&&r.protocol!=="http:")throw g("internal_server_error",`Gateway Service storage base URL must use http(s); got protocol "${r.protocol}" from ${JSON.stringify(this.#t)}.`);if(!r.hostname||cb.has(r.hostname))throw g("internal_server_error",`Gateway Service storage base URL has an invalid hostname "${r.hostname}" (parsed from ${JSON.stringify(this.#t)}). The configured value is likely coerced from an unset environment variable.`);return r}async#e(t){let r=t.requestSchema.parse(t.input),n=this.#n(t.path),a=new Headers({"Content-Type":"application/json"});Zp(a);let i=await this.#r(n,{method:"POST",headers:a,body:JSON.stringify(r)});return i.ok||await Gb(i),{request:r,response:await Ub(i,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],n=new Map,a=t.map(s=>{let c=qr(s),d=n.get(c);if(d!==void 0)return d;let p=r.length;return r.push(s),n.set(c,p),p}),i=[];for(let s=0;s<r.length;s+=Sf){let c=r.slice(s,s+Sf);i.push(...await this.#o(c))}return a.map(s=>i[s])}async upsertUpstreamConnection(t){let{request:r,response:n}=await this.#e({input:t,path:lb(),requestSchema:Dm,responseSchema:jm});return Tb(n,r)||we("Gateway Service storage response connection did not match the request."),n}async readAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:pb(),requestSchema:Hm,responseSchema:Lm});return Ob(n,r),n}async registerClient(t){let{request:r,response:n}=await this.#e({input:t,path:mb(),requestSchema:Bm,responseSchema:Gm});return $b(n,r),n}async readClient(t){let{request:r,response:n}=await this.#e({input:t,path:fb(),requestSchema:Vm,responseSchema:Fm});return zb(n,r),n}async startAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:hb(),requestSchema:Zm,responseSchema:Km});return Mb(n,r),n}async readPendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:gb(),requestSchema:Jm,responseSchema:Wm});return wf(n,r),n}async advancePendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:yb(),requestSchema:Ym,responseSchema:Qm});return wf(n,r),n}async decideAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:Sb(),requestSchema:Xm,responseSchema:ef});return qb(n,r),n}async saveUpstreamOAuthState(t){let{response:r}=await this.#e({input:t,path:Cb(),requestSchema:pf,responseSchema:mf});return r}async consumeUpstreamOAuthState(t){let{request:r,response:n}=await this.#e({input:t,path:Ib(),requestSchema:ff,responseSchema:hf});return n.kind==="available"&&n.record.id!==r.id&&we("Gateway Service storage response upstream OAuth state did not match the request."),n}async consumeBrowserConnectTicket(t){let{response:r}=await this.#e({input:t,path:Pb(),requestSchema:gf,responseSchema:yf});return r}async exchangeAuthorizationCode(t){let{request:r,response:n}=await this.#e({input:t,path:vb(),requestSchema:tf,responseSchema:rf});return Nb(n,r),n}async refreshToken(t){let{request:r,response:n}=await this.#e({input:t,path:_b(),requestSchema:nf,responseSchema:of});return Db(n,r),n}async revokeOAuthToken(t){let{response:r}=await this.#e({input:t,path:wb(),requestSchema:af,responseSchema:sf});return r}async validateAccessToken(t){let{request:r,response:n}=await this.#e({input:t,path:bb(),requestSchema:cf,responseSchema:uf});return jb(n,r),n}async authorizeAndLoadConnections(t){let{request:r,response:n}=await this.#e({input:t,path:Rb(),requestSchema:df,responseSchema:lf});return Hb(n,r),n}async#o(t){let r={items:[...t]},{response:n}=await this.#e({input:r,path:db(),requestSchema:Nm,responseSchema:zc});return Rf(n.items,t),n.items.map(a=>a.connection)}};var Vb="__zuploMcpGatewayStorageBackend",Lc;function Fb(){return new ai({})}o(Fb,"buildProductionStorageBackend");function K(){let e=globalThis[Vb];return e||(Lc||(Lc=Fb()),Lc)}o(K,"getStorage");function Zb(e,t){let r=Tc(e),n=wo(e),a=t.ownerMode??t.routeBinding?.ownerMode,i=t.upstreamAuthMode??t.routeBinding?.authMode,s=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId,c=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId,d=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName,p=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId;return nm(e,{...t,subjectId:r?.subjectId,ownerMode:a,upstreamAuthMode:i,virtualServerName:s,upstreamServerName:c,upstreamServerTitle:d,authProfileId:p})}o(Zb,"buildMcpAnalyticsMetadata");function V(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,Zb(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(V,"emitMcpAnalyticsEvent");import{base64url as Bc}from"jose";var Kb="sha256:",Jb=32;function Cf(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Cf,"copyToArrayBuffer");function jt(){let e=crypto.getRandomValues(new Uint8Array(Jb));return Bc.encode(e)}o(jt,"createOpaqueToken");async function le(e){let t=await crypto.subtle.digest("SHA-256",Cf(new TextEncoder().encode(e)));return`${Kb}${Bc.encode(new Uint8Array(t))}`}o(le,"hashOpaqueValue");async function If(e){let t=await crypto.subtle.digest("SHA-256",Cf(new TextEncoder().encode(e)));return Bc.encode(new Uint8Array(t))}o(If,"calculatePkceS256Challenge");function Gc(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(Gc,"readBearerToken");function Wb(e,t,r){return it(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(Wb,"gatewayAuthenticationRequiredResponse");function Yb(e){switch(e){case"expired":return"expired_token";case"revoked":return"revoked_token";case"missing":return"invalid_token";default:{let t=e;return"invalid_token"}}}o(Yb,"tokenValidationReasonCode");async function Qb(e,t,r){let n=await K().validateAccessToken({tokenHash:await le(e),now:re(new Date)});if(n.kind!=="valid"){t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed");let a=Yb(n.kind);throw V(t,{eventType:B.MCP_AUTH_DOWNSTREAM_TOKEN_REJECTED,outcome:"failure",virtualServerName:r,reasonClass:"auth",reasonCode:a,attributes:{validationKind:n.kind}}),V(t,{eventType:B.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:r,httpStatusCode:401,reasonClass:"auth",reasonCode:a}),g("authentication_required","Gateway access token is expired, revoked, or invalid.")}return n.record}o(Qb,"validateGatewayAccessToken");function Xb(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),V(t,{eventType:B.MCP_AUTH_DOWNSTREAM_TOKEN_REJECTED,outcome:"failure",virtualServerName:e.virtualServerId,reasonClass:"auth",reasonCode:"invalid_audience"}),V(t,{eventType:B.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:e.virtualServerId,httpStatusCode:401,reasonClass:"auth",reasonCode:"invalid_audience"}),g("authentication_required","Gateway access token was not issued for this MCP resource.")}o(Xb,"assertAccessTokenResource");function eR(e,t,r){return it(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":ti({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${ye} scope required by this MCP resource.`,scope:ye})}})}o(eR,"insufficientScopeResponse");function tR(e){return{subjectId:e.subjectId,roles:e.roles}}o(tR,"principalFromAccessToken");function rR(e){let t=ge(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),it(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":ti({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(rR,"gatewayTokenRejectedResponse");async function Vc(e,t){let r=wn(t),n=zr(r.virtualServerId,e.url),a=Gc(e),i=ti({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),V(t,{eventType:B.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:r.virtualServerId,httpStatusCode:401,reasonClass:"auth",reasonCode:"missing_token"}),Wb(e,t,i);try{let s=await Qb(a,t,r.virtualServerId);if(Xb({accessToken:s,resource:n,virtualServerId:r.virtualServerId},t),s.scope!==ye)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:s.scope,requiredScope:ye,virtualServerId:r.virtualServerId,clientId:s.clientId},"Gateway access token does not have the required MCP scope"),V(t,{eventType:B.MCP_AUTH_DOWNSTREAM_TOKEN_REJECTED,outcome:"failure",virtualServerName:r.virtualServerId,reasonClass:"auth",reasonCode:"insufficient_scope",attributes:{tokenScope:s.scope,requiredScope:ye,clientId:s.clientId}}),V(t,{eventType:B.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:r.virtualServerId,httpStatusCode:403,reasonClass:"auth",reasonCode:"insufficient_scope"}),eR(e,t,r.virtualServerId);let c=tR(s);return xm(t,c),Sc(t,c),V(t,{eventType:B.MCP_AUTH_DOWNSTREAM_TOKEN_VALIDATED,outcome:"success",virtualServerName:r.virtualServerId,attributes:{clientId:s.clientId}}),e}catch(s){return rR({request:e,context:t,error:s,virtualServerId:r.virtualServerId})}}o(Vc,"gatewayTokenInbound");var Tn={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},nR="oauth-protected-resource-metadata",oR="/.well-known/oauth-protected-resource/";function aR(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(aR,"readRouteOperationId");function iR(e){return e.hasGatewayRouteContext?Tn.VIRTUAL_MCP_SERVER:e.routeOperationId===nR||e.routeOperationId===void 0&&e.routePath.startsWith(oR)?Tn.OAUTH_PROTECTED_RESOURCE_METADATA:Tn.OTHER}o(iR,"classifyAnalyticsRouteSurface");function sR(e){let t=e.route.path;return{routePath:t,routeSurface:iR({routePath:t,routeOperationId:aR(e),hasGatewayRouteContext:wo(e)!==void 0})}}o(sR,"readAnalyticsRequestContext");function cR(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Tn.VIRTUAL_MCP_SERVER}o(cR,"isIntentionalMethodRejection");function uR(e){return cR(e)||e.response.status===401&&e.routeSurface===Tn.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o(uR,"classifyRequestCompletedOutcome");async function Fc(e,t){let r=Date.now(),n=sR(t);return V(t,{eventType:B.MCP_REQUEST_RECEIVED,outcome:"success",routeSurface:n.routeSurface,httpMethod:e.method}),cc.getContextExtensions(t).addHandlerResponseHook(a=>{let i=uR({response:a,routeSurface:n.routeSurface});V(t,{eventType:B.MCP_REQUEST_COMPLETED,outcome:i,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(Fc,"analyticsContextInbound");function dR(e){return e instanceof Response}o(dR,"isResponse");var Pf="/mcp/";function lR(e){let t=e.route.path;if(!t.startsWith(Pf))throw new ue(`Route ${t} is bound to mcp-oauth-inbound but does not match the /mcp/{virtualServerId} convention.`);let r=t.slice(Pf.length);if(!r||r.includes("/"))throw new ue(`Route ${t} is bound to mcp-oauth-inbound but must use exactly one /mcp/{virtualServerId} segment.`);return r}o(lR,"readVirtualServerIdFromRoute");async function xo(e,t){let n={virtualServerId:xe.parse(lR(t))};um(t,n),gm(t,n);let a=await Fc(e,t);return dR(a)?a:Vc(a,t)}o(xo,"mcpOAuthInboundPolicy");function ii(e,t,r){let n=e.safeParse(t);if(n.success)return n.data;throw new ue(`${r} is misconfigured. Validation failed:
+${pR(n.error)}`,{cause:n.error})}o(ii,"parseConfigOrThrow");function pR(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
+`)}o(pR,"formatZodIssues");var mR=u.string({error:"auth0Domain is required and must be a string"}).trim().min(1,"auth0Domain is required (commonly set via $env(AUTH0_DOMAIN))").refine(e=>!/[:/]/.test(e),{message:'auth0Domain must be a bare hostname (e.g. "tenant.us.auth0.com"); drop the "https://" prefix and any trailing path'}).refine(e=>e.includes("."),{message:'auth0Domain must be a fully-qualified domain name with at least one dot (e.g. "tenant.us.auth0.com"). If the value looks like "undefined" or is empty, the configured environment variable is likely unset.'}),fR=u.object({auth0Domain:mR,audience:u.string().trim().min(1).optional(),clientId:u.string({error:"clientId is required and must be a string"}).trim().min(1,"clientId is required (commonly set via $env(AUTH0_CLIENT_ID))"),clientSecret:u.string().trim().min(1).optional(),scope:u.string().trim().min(1).optional(),gateway:u.object({accessTokenTtlSeconds:u.number().int().positive().optional(),refreshTokenTtlSeconds:u.number().int().positive().optional(),cimdEnabled:u.boolean().optional()}).strict().optional(),browserLoginOverrides:u.object({remoteTimeoutMs:u.number().int().positive().optional(),stateTtlSeconds:u.number().int().positive().optional(),sessionTtlSeconds:u.number().int().positive().optional()}).strict().optional()}).strict(),Zc=class extends vn{static{o(this,"McpAuth0OAuthInboundPolicy")}#t;constructor(t,r){let n=xf(t,r);super(n,r),this.#t=Tf(n,r)}async handler(t,r){return Rt("policy.inbound.mcp-auth0-oauth"),bn(r,this.#t),xo(t,r)}};function xf(e,t){return ii(fR,e,`MCP Auth0 OAuth policy "${t}"`)}o(xf,"parseAuth0OAuthOptions");function kf(e,t="mcp-auth0-oauth-inbound"){let r=xf(e,t);return Tf(r,t)}o(kf,"auth0OptionsToMcpOAuthRuntimeConfig");function Tf(e,t){let r=`https://${e.auth0Domain}/`,n=`https://${e.auth0Domain}/.well-known/jwks.json`,a=`https://${e.auth0Domain}/authorize`,i=`https://${e.auth0Domain}/oauth/token`;try{return mm({oidc:{issuer:r,jwksUrl:n,...e.audience===void 0?{}:{audience:e.audience}},browserLogin:{url:a,tokenUrl:i,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",...e.audience===void 0?{}:{audience:e.audience},...e.browserLoginOverrides??{}},gateway:e.gateway})}catch(s){let c=s instanceof Error?` Validation failed: ${s.message}`:"";throw new ue(`MCP Auth0 OAuth policy "${t}" is misconfigured. Check the policy options in policies.json.${c}`,s instanceof Error?{cause:s}:void 0)}}o(Tf,"buildAuth0McpOAuthRuntimeConfig");var Kc=class extends vn{static{o(this,"McpOAuthInboundPolicy")}#t;constructor(t,r){let n=Jc(t,r);super(n,r),this.#t=n}async handler(t,r){return Rt("policy.inbound.mcp-oauth"),bn(r,this.#t),xo(t,r)}};function Jc(e,t="mcp-oauth-inbound"){return ii(fc,e,`MCP OAuth policy "${t}"`)}o(Jc,"mcpOAuthOptionsToRuntimeConfig");var Wc=["mcp-oauth-inbound","mcp-auth0-oauth-inbound"];function hR(e,t){switch(e){case"mcp-oauth-inbound":return Jc(t);case"mcp-auth0-oauth-inbound":return kf(t);default:return}}o(hR,"parseMcpOAuthPolicyConfig");function ko(e){return e!==void 0&&Wc.some(t=>t===e)}o(ko,"isMcpOAuthInboundPolicyType");function Af(e){if(e){for(let t of e)if(ko(t.policyType))try{let r=hR(t.policyType,t.handler.options);if(!r)throw new ue(`MCP gateway: policy '${t.name}' has unsupported MCP OAuth policy type '${t.policyType}'.`);return{policyName:t.name,config:r}}catch(r){throw r instanceof u.ZodError?new ue(gR(t.name,r),{cause:r}):r}}}o(Af,"resolveMcpOAuthRuntimeConfigFromPolicies");function gR(e,t){let r=t.issues.map(n=>`  - ${n.path.length>0?n.path.join("."):"<root>"}: ${n.message}`).join(`
 `);return`MCP OAuth policy "${e}" is misconfigured. Missing/invalid options:
-${r}`}o(MR,"formatPolicyConfigError");ae();var cr="2025-11-25",Of="2025-03-26",ur=[cr,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],dr="io.modelcontextprotocol/related-task",ui="2.0",Ie=Qp(e=>e!==null&&(typeof e=="object"||typeof e=="function")),$f=fe([f(),X().int()]),zf=f(),Oj=Ce({ttl:X().optional(),pollInterval:X().optional()}),NR=I({ttl:X().optional()}),jR=I({taskId:f()}),Yc=Ce({progressToken:$f.optional(),[dr]:jR.optional()}),ot=I({_meta:Yc.optional()}),ko=ot.extend({task:NR.optional()}),Mf=o(e=>ko.safeParse(e).success,"isTaskAugmentedRequestParams"),ke=I({method:f(),params:ot.loose().optional()}),dt=I({_meta:Yc.optional()}),lt=I({method:f(),params:dt.loose().optional()}),Te=Ce({_meta:Yc.optional()}),di=fe([f(),X().int()]),qf=I({jsonrpc:U(ui),id:di,...ke.shape}).strict(),Pt=o(e=>qf.safeParse(e).success,"isJSONRPCRequest"),Nf=I({jsonrpc:U(ui),...lt.shape}).strict(),jf=o(e=>Nf.safeParse(e).success,"isJSONRPCNotification"),Qc=I({jsonrpc:U(ui),id:di,result:Te}).strict(),yt=o(e=>Qc.safeParse(e).success,"isJSONRPCResultResponse");var E;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(E||(E={}));var Xc=I({jsonrpc:U(ui),id:di.optional(),error:I({code:X().int(),message:f(),data:we().optional()})}).strict();var Un=o(e=>Xc.safeParse(e).success,"isJSONRPCErrorResponse");var Dr=fe([qf,Nf,Qc,Xc]),$j=fe([Qc,Xc]),Lt=Te.strict(),DR=dt.extend({requestId:di.optional(),reason:f().optional()}),li=lt.extend({method:U("notifications/cancelled"),params:DR}),HR=I({src:f(),mimeType:f().optional(),sizes:C(f()).optional(),theme:nt(["light","dark"]).optional()}),To=I({icons:C(HR).optional()}),En=I({name:f(),title:f().optional()}),On=En.extend({...En.shape,...To.shape,version:f(),websiteUrl:f().optional(),description:f().optional()}),LR=pc(I({applyDefaults:oe().optional()}),de(f(),we())),BR=mc(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,pc(I({form:LR.optional(),url:Ie.optional()}),de(f(),we()).optional())),GR=Ce({list:Ie.optional(),cancel:Ie.optional(),requests:Ce({sampling:Ce({createMessage:Ie.optional()}).optional(),elicitation:Ce({create:Ie.optional()}).optional()}).optional()}),VR=Ce({list:Ie.optional(),cancel:Ie.optional(),requests:Ce({tools:Ce({call:Ie.optional()}).optional()}).optional()}),FR=I({experimental:de(f(),Ie).optional(),sampling:I({context:Ie.optional(),tools:Ie.optional()}).optional(),elicitation:BR.optional(),roots:I({listChanged:oe().optional()}).optional(),tasks:GR.optional(),extensions:de(f(),Ie).optional()}),ZR=ot.extend({protocolVersion:f(),capabilities:FR,clientInfo:On}),pi=ke.extend({method:U("initialize"),params:ZR}),eu=o(e=>pi.safeParse(e).success,"isInitializeRequest"),KR=I({experimental:de(f(),Ie).optional(),logging:Ie.optional(),completions:Ie.optional(),prompts:I({listChanged:oe().optional()}).optional(),resources:I({subscribe:oe().optional(),listChanged:oe().optional()}).optional(),tools:I({listChanged:oe().optional()}).optional(),tasks:VR.optional(),extensions:de(f(),Ie).optional()}),tu=Te.extend({protocolVersion:f(),capabilities:KR,serverInfo:On,instructions:f().optional()}),mi=lt.extend({method:U("notifications/initialized"),params:dt.optional()}),Df=o(e=>mi.safeParse(e).success,"isInitializedNotification"),fi=ke.extend({method:U("ping"),params:ot.optional()}),JR=I({progress:X(),total:ye(X()),message:ye(f())}),WR=I({...dt.shape,...JR.shape,progressToken:$f}),hi=lt.extend({method:U("notifications/progress"),params:WR}),YR=ot.extend({cursor:zf.optional()}),Eo=ke.extend({params:YR.optional()}),Uo=Te.extend({nextCursor:zf.optional()}),QR=nt(["working","input_required","completed","failed","cancelled"]),Oo=I({taskId:f(),status:QR,ttl:fe([X(),Wp()]),createdAt:f(),lastUpdatedAt:f(),pollInterval:ye(X()),statusMessage:ye(f())}),Bt=Te.extend({task:Oo}),XR=dt.merge(Oo),$o=lt.extend({method:U("notifications/tasks/status"),params:XR}),gi=ke.extend({method:U("tasks/get"),params:ot.extend({taskId:f()})}),yi=Te.merge(Oo),Si=ke.extend({method:U("tasks/result"),params:ot.extend({taskId:f()})}),zj=Te.loose(),_i=Eo.extend({method:U("tasks/list")}),wi=Uo.extend({tasks:C(Oo)}),vi=ke.extend({method:U("tasks/cancel"),params:ot.extend({taskId:f()})}),Hf=Te.merge(Oo),Lf=I({uri:f(),mimeType:ye(f()),_meta:de(f(),we()).optional()}),Bf=Lf.extend({text:f()}),ru=f().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),Gf=Lf.extend({blob:ru}),zo=nt(["user","assistant"]),$n=I({audience:C(zo).optional(),priority:X().min(0).max(1).optional(),lastModified:Kp.datetime({offset:!0}).optional()}),Vf=I({...En.shape,...To.shape,uri:f(),description:ye(f()),mimeType:ye(f()),size:ye(X()),annotations:$n.optional(),_meta:ye(Ce({}))}),eC=I({...En.shape,...To.shape,uriTemplate:f(),description:ye(f()),mimeType:ye(f()),annotations:$n.optional(),_meta:ye(Ce({}))}),nu=Eo.extend({method:U("resources/list")}),ou=Uo.extend({resources:C(Vf)}),au=Eo.extend({method:U("resources/templates/list")}),iu=Uo.extend({resourceTemplates:C(eC)}),su=ot.extend({uri:f()}),tC=su,cu=ke.extend({method:U("resources/read"),params:tC}),uu=Te.extend({contents:C(fe([Bf,Gf]))}),du=lt.extend({method:U("notifications/resources/list_changed"),params:dt.optional()}),rC=su,nC=ke.extend({method:U("resources/subscribe"),params:rC}),oC=su,aC=ke.extend({method:U("resources/unsubscribe"),params:oC}),iC=dt.extend({uri:f()}),sC=lt.extend({method:U("notifications/resources/updated"),params:iC}),cC=I({name:f(),description:ye(f()),required:ye(oe())}),uC=I({...En.shape,...To.shape,description:ye(f()),arguments:ye(C(cC)),_meta:ye(Ce({}))}),lu=Eo.extend({method:U("prompts/list")}),pu=Uo.extend({prompts:C(uC)}),dC=ot.extend({name:f(),arguments:de(f(),f()).optional()}),mu=ke.extend({method:U("prompts/get"),params:dC}),fu=I({type:U("text"),text:f(),annotations:$n.optional(),_meta:de(f(),we()).optional()}),hu=I({type:U("image"),data:ru,mimeType:f(),annotations:$n.optional(),_meta:de(f(),we()).optional()}),gu=I({type:U("audio"),data:ru,mimeType:f(),annotations:$n.optional(),_meta:de(f(),we()).optional()}),lC=I({type:U("tool_use"),name:f(),id:f(),input:de(f(),we()),_meta:de(f(),we()).optional()}),pC=I({type:U("resource"),resource:fe([Bf,Gf]),annotations:$n.optional(),_meta:de(f(),we()).optional()}),mC=Vf.extend({type:U("resource_link")}),yu=fe([fu,hu,gu,mC,pC]),fC=I({role:zo,content:yu}),Su=Te.extend({description:f().optional(),messages:C(fC)}),_u=lt.extend({method:U("notifications/prompts/list_changed"),params:dt.optional()}),hC=I({title:f().optional(),readOnlyHint:oe().optional(),destructiveHint:oe().optional(),idempotentHint:oe().optional(),openWorldHint:oe().optional()}),gC=I({taskSupport:nt(["required","optional","forbidden"]).optional()}),Ff=I({...En.shape,...To.shape,description:f().optional(),inputSchema:I({type:U("object"),properties:de(f(),Ie).optional(),required:C(f()).optional()}).catchall(we()),outputSchema:I({type:U("object"),properties:de(f(),Ie).optional(),required:C(f()).optional()}).catchall(we()).optional(),annotations:hC.optional(),execution:gC.optional(),_meta:de(f(),we()).optional()}),wu=Eo.extend({method:U("tools/list")}),vu=Uo.extend({tools:C(Ff)}),lr=Te.extend({content:C(yu).default([]),structuredContent:de(f(),we()).optional(),isError:oe().optional()}),Mj=lr.or(Te.extend({toolResult:we()})),yC=ko.extend({name:f(),arguments:de(f(),we()).optional()}),Mo=ke.extend({method:U("tools/call"),params:yC}),bu=lt.extend({method:U("notifications/tools/list_changed"),params:dt.optional()}),Zf=I({autoRefresh:oe().default(!0),debounceMs:X().int().nonnegative().default(300)}),qo=nt(["debug","info","notice","warning","error","critical","alert","emergency"]),SC=ot.extend({level:qo}),Ru=ke.extend({method:U("logging/setLevel"),params:SC}),_C=dt.extend({level:qo,logger:f().optional(),data:we()}),wC=lt.extend({method:U("notifications/message"),params:_C}),vC=I({name:f().optional()}),bC=I({hints:C(vC).optional(),costPriority:X().min(0).max(1).optional(),speedPriority:X().min(0).max(1).optional(),intelligencePriority:X().min(0).max(1).optional()}),RC=I({mode:nt(["auto","required","none"]).optional()}),CC=I({type:U("tool_result"),toolUseId:f().describe("The unique identifier for the corresponding tool call."),content:C(yu).default([]),structuredContent:I({}).loose().optional(),isError:oe().optional(),_meta:de(f(),we()).optional()}),IC=lc("type",[fu,hu,gu]),ci=lc("type",[fu,hu,gu,lC,CC]),PC=I({role:zo,content:fe([ci,C(ci)]),_meta:de(f(),we()).optional()}),xC=ko.extend({messages:C(PC),modelPreferences:bC.optional(),systemPrompt:f().optional(),includeContext:nt(["none","thisServer","allServers"]).optional(),temperature:X().optional(),maxTokens:X().int(),stopSequences:C(f()).optional(),metadata:Ie.optional(),tools:C(Ff).optional(),toolChoice:RC.optional()}),Cu=ke.extend({method:U("sampling/createMessage"),params:xC}),Hr=Te.extend({model:f(),stopReason:ye(nt(["endTurn","stopSequence","maxTokens"]).or(f())),role:zo,content:IC}),No=Te.extend({model:f(),stopReason:ye(nt(["endTurn","stopSequence","maxTokens","toolUse"]).or(f())),role:zo,content:fe([ci,C(ci)])}),AC=I({type:U("boolean"),title:f().optional(),description:f().optional(),default:oe().optional()}),kC=I({type:U("string"),title:f().optional(),description:f().optional(),minLength:X().optional(),maxLength:X().optional(),format:nt(["email","uri","date","date-time"]).optional(),default:f().optional()}),TC=I({type:nt(["number","integer"]),title:f().optional(),description:f().optional(),minimum:X().optional(),maximum:X().optional(),default:X().optional()}),EC=I({type:U("string"),title:f().optional(),description:f().optional(),enum:C(f()),default:f().optional()}),UC=I({type:U("string"),title:f().optional(),description:f().optional(),oneOf:C(I({const:f(),title:f()})),default:f().optional()}),OC=I({type:U("string"),title:f().optional(),description:f().optional(),enum:C(f()),enumNames:C(f()).optional(),default:f().optional()}),$C=fe([EC,UC]),zC=I({type:U("array"),title:f().optional(),description:f().optional(),minItems:X().optional(),maxItems:X().optional(),items:I({type:U("string"),enum:C(f())}),default:C(f()).optional()}),MC=I({type:U("array"),title:f().optional(),description:f().optional(),minItems:X().optional(),maxItems:X().optional(),items:I({anyOf:C(I({const:f(),title:f()}))}),default:C(f()).optional()}),qC=fe([zC,MC]),NC=fe([OC,$C,qC]),jC=fe([NC,AC,kC,TC]),DC=ko.extend({mode:U("form").optional(),message:f(),requestedSchema:I({type:U("object"),properties:de(f(),jC),required:C(f()).optional()})}),HC=ko.extend({mode:U("url"),message:f(),elicitationId:f(),url:f().url()}),LC=fe([DC,HC]),Iu=ke.extend({method:U("elicitation/create"),params:LC}),BC=dt.extend({elicitationId:f()}),GC=lt.extend({method:U("notifications/elicitation/complete"),params:BC}),pr=Te.extend({action:nt(["accept","decline","cancel"]),content:mc(e=>e===null?void 0:e,de(f(),fe([f(),X(),oe(),C(f())])).optional())}),VC=I({type:U("ref/resource"),uri:f()});var FC=I({type:U("ref/prompt"),name:f()}),ZC=ot.extend({ref:fe([FC,VC]),argument:I({name:f(),value:f()}),context:I({arguments:de(f(),f()).optional()}).optional()}),KC=ke.extend({method:U("completion/complete"),params:ZC});var Pu=Te.extend({completion:Ce({values:C(f()).max(100),total:ye(X().int()),hasMore:ye(oe())})}),JC=I({uri:f().startsWith("file://"),name:f().optional(),_meta:de(f(),we()).optional()}),WC=ke.extend({method:U("roots/list"),params:ot.optional()}),xu=Te.extend({roots:C(JC)}),YC=lt.extend({method:U("notifications/roots/list_changed"),params:dt.optional()}),qj=fe([fi,pi,KC,Ru,mu,lu,nu,au,cu,nC,aC,Mo,wu,gi,Si,_i,vi]),Nj=fe([li,hi,mi,YC,$o]),jj=fe([Lt,Hr,No,pr,xu,yi,wi,Bt]),Dj=fe([fi,Cu,Iu,WC,gi,Si,_i,vi]),Hj=fe([li,hi,wC,sC,du,bu,_u,$o,GC]),Lj=fe([Lt,tu,Pu,Su,pu,ou,iu,uu,lr,vu,yi,wi,Bt]),A=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===E.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new sr(a.elicitations,r)}return new e(t,r,n)}},sr=class extends A{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(E.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};ae();var Wf=Je,QC=u.object({mode:u.literal("auto")}).strict(),XC=u.object({mode:u.literal("manual"),clientId:u.string().trim().min(1),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:hc.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:u.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),Yf=u.discriminatedUnion("mode",[QC,XC]),eI=Yf.default({mode:"auto"}),Au=u.object({scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:eI}).strict(),Kf=Au.extend({redirectPath:u.string().startsWith("/auth/connections/")}).strict(),Qf=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),tI=new Set([...Qf,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),rI=u.object({kind:u.literal("bearer_token"),token:u.string().min(1)}).strict(),nI=u.object({kind:u.literal("headers"),headers:u.array(u.object({name:Ja,value:u.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let i=a.name.toLowerCase();Qf.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(i)}}),ku=u.discriminatedUnion("kind",[rI,nI]),oI=u.object({kind:u.literal("basic_auth_app_password"),usernameLabel:u.string().min(1).default("Username"),passwordLabel:u.string().min(1).default("App password")}).strict(),aI=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key"),capture:u.enum(["browser_login"]).optional()}).strict(),Tu=u.discriminatedUnion("kind",[oI,aI]),Eu=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key")}).strict(),iI=u.discriminatedUnion("mode",[u.object({mode:u.literal("shared-oauth"),oauth:Kf}).strict(),u.object({mode:u.literal("user_oauth"),oauth:Kf}).strict(),u.object({mode:u.literal("static_secret"),secret:ku}).strict(),u.object({mode:u.literal("user-secret"),secret:Tu}).strict(),u.object({mode:u.literal("shared-secret"),secret:Eu}).strict()]),sI=u.object({baseUrl:u.url(),resourceMetadataUrl:u.url(),requestHeaders:u.array(gc).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let i=a.name.toLowerCase();tI.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(i)}}),Jj=u.object({displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:On.optional(),authProfiles:u.record(We,iI),transport:sI}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),cI=u.object({"shared-oauth":Au.optional(),user_oauth:Au.optional(),static_secret:u.object({secret:ku}).strict().optional(),"user-secret":u.object({secret:Tu}).strict().optional(),"shared-secret":u.object({secret:Eu}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),Jf=u.object({id:Wf,displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:On.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url(),requestHeaders:u.array(gc).default([]),authProfiles:cI}).strict(),uI=u.object({name:Ja,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict(),bi={id:Wf.optional(),displayName:u.string().min(1),summary:u.string().min(1).optional(),serverInfo:On.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url().optional(),requestHeaders:u.array(uI).default([])},dI=u.discriminatedUnion("authMode",[u.object({...bi,authMode:u.enum(["shared-oauth","user_oauth"]),scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:Yf.optional(),clientId:u.string().trim().min(1).optional(),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:hc.optional()}).strict(),u.object({...bi,authMode:u.literal("static_secret"),secret:ku}).strict(),u.object({...bi,authMode:u.literal("user-secret"),secret:Tu}).strict(),u.object({...bi,authMode:u.literal("shared-secret"),secret:Eu}).strict()]);function lI(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
-`)}o(lI,"formatZodIssues");function Xf(e){throw new ue(e)}o(Xf,"throwGatewayConfigError");function pI(e){let t="mcp-upstream-";return e.startsWith(t)||Xf(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),Je.parse(e.slice(t.length))}o(pI,"inferUpstreamConnectionIdFromPolicyName");function mI(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(mI,"buildDefaultProtectedResourceMetadataUrl");function zn(e,t){return We.parse(`${e}:${t}`)}o(zn,"buildUpstreamAuthProfileId");function Ri(e,t){try{let r=Jf.safeParse(e);if(r.success)return r.data;let n=dI.parse(e),a=n.id??(t===void 0?void 0:pI(t));a===void 0&&Xf("Upstream policy options must include id when policy name is unavailable.");let i=n.requestHeaders.map(c=>({name:c.name,value:c.value,required:c.required})),s=(()=>{switch(n.authMode){case"shared-oauth":case"user_oauth":{let c=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:c}}}case"static_secret":case"user-secret":case"shared-secret":return{[n.authMode]:{secret:n.secret}}}})();return Jf.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??mI(n.mcpUrl),requestHeaders:i,authProfiles:s})}catch(r){if(r instanceof ue)throw r;if(r instanceof u.ZodError){let n=t===void 0?"MCP upstream policy":`Policy "${t}"`;throw new ue(`${n} is misconfigured. Missing/invalid options in policies.json:
-${lI(r)}`,{cause:r})}throw r}}o(Ri,"parseUpstreamConnectionPolicyOptions");function eh(e){return e.mode==="shared-oauth"||e.mode==="user_oauth"}o(eh,"isUpstreamOAuthAuthConfig");ae();var fI=u.looseObject({name:u.string().min(1),version:u.string().min(1).optional()}),hI=u.looseObject({}),gI=u.looseObject({name:ar,namespace:ar.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional(),inputSchema:hI}),yI=u.looseObject({name:ar,namespace:ar.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional()}),SI=u.looseObject({name:ar,uri:u.string().min(1),upstreamPolicy:u.string().min(1).optional(),upstreamUri:u.string().min(1).optional(),enabled:u.boolean().optional()}),_I=u.enum(["openapi","upstream_mcp"]),wI=u.object({catalogSource:_I.default("openapi"),serverInfo:fI.optional(),tools:u.array(gI).default([]),prompts:u.array(yI).default([]),resources:u.array(SI).default([])}).strict();function vI(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
-`)}o(vI,"formatZodIssues");function th(e,t){try{return wI.parse(e??{})}catch(r){if(r instanceof u.ZodError){let n=t===void 0?"MCP virtual server route":`MCP virtual server route ${t}`;throw new ue(`${n} is misconfigured. Missing/invalid handler options in routes.oas.json:
-${vI(r)}`,{cause:r})}throw r}}o(th,"parseVirtualServerRouteOptions");function Ci(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Ci,"toMcpTool");function Ii(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Ii,"toMcpPrompt");function Pi(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(Pi,"toMcpResource");var bI="mcp-upstream-connection-inbound",rh="/mcp/";function Be(e){throw new ue(e)}o(Be,"throwRegistryError");function RI(e){return e.policyType===bI}o(RI,"isUpstreamConnectionPolicy");function CI(e){return Ao(e.policyType)}o(CI,"isMcpOAuthInboundPolicy");function II(e){return e instanceof ue?e:new ue(e instanceof Error?e.message:"MCP virtual server route is misconfigured.",e instanceof Error?{cause:e}:void 0)}o(II,"toRouteConfigurationError");function PI(e){e.startsWith(rh)||Be(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(rh.length);return(!t||t.includes("/"))&&Be(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),xe.parse(t)}o(PI,"readVirtualServerIdFromPath");function xI(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&Be(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&Be(`Upstream policy ${e.policyName} does not declare an auth mode.`),Ka.parse(r)}o(xI,"readSingleAuthMode");function AI(e){let t=e.connection.authProfiles[e.authMode];t||Be(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"shared-oauth":case"user_oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static_secret":return{mode:"static_secret",secret:t.secret};case"user-secret":return{mode:"user-secret",secret:t.secret};case"shared-secret":return{mode:"shared-secret",secret:t.secret}}}o(AI,"buildResolvedAuthConfig");function kI(e){let t=xI({policyName:e.policyName,connection:e.connection}),r=zn(e.connection.id,t),n=AI({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(kI,"buildRegisteredConnection");function TI(e){let t=new Map;for(let r of e)t.has(r.name)&&Be(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(TI,"buildPolicyMap");function EI(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(EI,"readOperationId");function nh(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return ar.parse(t)}catch{Be(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o(nh,"buildPublishedCapabilityName");function $u(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||Be(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;Be(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o($u,"readCapabilityUpstreamPolicy");function Uu(e){e.seen.has(e.key)&&Be(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(Uu,"assertUniqueCatalogKey");function UI(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=nh({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:$u({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(UI,"normalizeCatalogTool");function OI(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=nh({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:$u({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(OI,"normalizeCatalogPrompt");function $I(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:$u({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o($I,"normalizeCatalogResource");function zI(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>UI({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>OI({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>$I({resource:d,connections:e.connections,routePath:e.routePath})),i=new Set;for(let d of r)Uu({kind:"tool",key:d.name,routePath:e.routePath,seen:i});let s=new Set;for(let d of n)Uu({kind:"prompt",key:d.name,routePath:e.routePath,seen:s});let c=new Set;for(let d of a)Uu({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:c});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(zI,"normalizeVirtualServerCatalog");function MI(e){let t=new Map,r=new Map,n=new Map,a=new Set,i=new Set;function s(c){let d=n.get(c.name);if(d)return d;let p=Ri(c.handler.options,c.name);a.has(p.id)&&Be(`Duplicate upstream MCP connection id ${p.id} in policies.json.`),a.add(p.id);let l=kI({policyName:c.name,connection:p});return n.set(c.name,l),l}o(s,"readConnectionForPolicy");for(let c of e.routes){let d=c.policies?.inbound??[];if(d.length===0)continue;let p=d[0],l=p===void 0?void 0:e.policyByName.get(p);if(!l||!CI(l))continue;let m=EI(c),h;try{h=PI(c.path),m||Be(`MCP virtual server route ${c.path} must declare an operationId in routes.oas.json.`),i.has(m)&&Be(`Duplicate MCP virtual server operationId ${m} across routes.`),t.has(h)&&Be(`Duplicate MCP virtual server id ${h} across routes.`);let y=[];for(let w of d.slice(1)){let v=e.policyByName.get(w);!v||!RI(v)||y.push(s(v))}let _=th(c.handler.options,c.path),S=zI({catalog:_,connections:y,routePath:c.path});S.catalogSource==="upstream_mcp"&&y.length!==1&&Be(`MCP virtual server route ${c.path} uses upstream MCP catalog mode but declares ${y.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(h,{virtualServerId:h,operationId:m,routePath:c.path,handlerExport:c.handler.export,serverInfo:S.serverInfo,catalog:S,connections:y}),i.add(m)}catch(y){h!==void 0&&r.set(h,II(y))}}return{byVirtualServerId:t,virtualServerErrorsById:r,connectionsByPolicyName:n}}o(MI,"buildVirtualServers");function zu(e){let t=TI(e.policies),{byVirtualServerId:r,virtualServerErrorsById:n,connectionsByPolicyName:a}=MI({routes:e.routes,policyByName:t}),i=new Map;for(let s of a.values())i.set(s.upstreamServerId,s);return{byVirtualServerId:r,connectionsById:i,virtualServerErrorsById:n}}o(zu,"buildGatewayConnectionRegistry");var Lr,Ou;function oh(e){Ou=e,Lr=void 0}o(oh,"configureGatewayConnectionRegistrySource");function ah(e){Lr=e}o(ah,"setGatewayConnectionRegistry");function St(){if(!Lr&&Ou&&(Lr=zu(Ou)),!Lr)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return Lr}o(St,"getGatewayConnectionRegistry");function qr(e){let t=St(),r=t.virtualServerErrorsById?.get(e);if(r)throw r;let n=t.byVirtualServerId.get(e);if(!n)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return n}o(qr,"getRegisteredVirtualServer");function ih(){return Lr}o(ih,"tryGetGatewayConnectionRegistry");function je(e){let t=St().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(je,"getUpstreamServerConfig");function qI(e){let t=St().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(qI,"resolveUpstreamAuthProfileId");function mr(e){qI(e);let t=St().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(mr,"getUpstreamAuthConfig");function Br(e,t){let r=mr({upstreamServerId:e,authProfileId:t});if(!eh(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(Br,"requireUpstreamOAuthConfig");function NI(){let e=uc.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP;return typeof e=="string"&&e==="1"}o(NI,"isTestOnlyAllowHttpLoopbackIdpEnabled");var jI=new Set(["undefined","null","nan"]);function qu(e,t){if(!e.hostname)throw g("invalid_request",`Outbound URL has an empty hostname (got ${JSON.stringify(t)}). This typically indicates an unset $env(...) reference or a JS template literal coercing \`undefined\` into a URL. Check the policy options or runtime config that produced this URL.`);if(jI.has(e.hostname.toLowerCase()))throw g("invalid_request",`Outbound URL hostname is ${JSON.stringify(e.hostname)} (from ${JSON.stringify(t)}). This almost always means an environment variable referenced by $env(...) is unset and a JS value was string-coerced into a URL. Set the missing env var or fix the policy option that produced this URL.`)}o(qu,"assertSafeOutboundHostname");var DI=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),HI=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function sh(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(sh,"parseIpv4Octets");function LI([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(LI,"ipv4RangeMatches");function ch(e){let t=sh(e);return t!==void 0&&HI.some(r=>LI(t,r))}o(ch,"isPrivateIpv4");function Mu(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(Mu,"parseIpv6Word");function BI(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(BI,"formatIpv4FromWords");function GI(e){let t=e.slice(7),r=sh(t);if(r!==void 0)return r.join(".");let[n,a,i]=t.split(":"),s=Mu(n),c=Mu(a);return i===void 0&&s!==void 0&&c!==void 0?BI(s,c):void 0}o(GI,"parseIpv6MappedIpv4");function VI(e){return Mu(e.split(":").find(Boolean))}o(VI,"readFirstIpv6Hextet");function FI(e){let t=jt(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=GI(t);return n===void 0||ch(n)}let r=VI(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(FI,"isPrivateIpv6");function Nu(e){let t=jt(e);return DI.has(t)||t.endsWith(".internal")||ch(t)||FI(t)}o(Nu,"isBlockedOutboundHostname");function uh(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);qu(t,e);let r=qe(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=jt(t.hostname);if(!r&&Nu(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(uh,"validateConfiguredOutboundUrl");function dh(e){let t=new URL(e),r=qe(t),n=r&&NI();if(t.protocol!=="https:"&&!n)throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");qu(t,e);let a=jt(t.hostname);if(!r&&Nu(a))throw g("invalid_request",`Blocked identity provider host: ${a}`);return t}o(dh,"validateIdentityProviderUrl");function xi(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(qu(t,e),Nu(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(xi,"validateCimdClientMetadataUrl");function lh(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(lh,"mergeAbortSignals");async function ZI(e){try{await e.cancel()}catch{}}o(ZI,"cancelReader");async function Ai(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,i=await r.read();for(;!i.done;){let d=i.value;if(a+=d.byteLength,a>t.maxBytes)throw await ZI(r),t.createLimitError();n.push(d),i=await r.read()}let s=new Uint8Array(a),c=0;for(let d of n)s.set(d,c),c+=d.byteLength;return s}o(Ai,"readBoundedByteStream");var KI=2,JI=1024*1024,WI=1e4,YI=new Set([301,302,303,307,308]),QI=["authorization","proxy-authorization","cookie","cookie2"];function ju(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(ju,"readRequestUrl");function Mn(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(Mn,"readRequestMethod");function XI(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(XI,"assertContentLengthWithinLimit");async function eP(e,t,r){return XI(e,t,r),Ai(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o(eP,"readBoundedResponseBody");function tP(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(tP,"responseFromBufferedBody");function rP(e,t){if(!YI.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(rP,"resolveRedirectUrl");function ph(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(ph,"validateOutboundUrl");function nP(e,t){throw ge(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(nP,"normalizeFetchError");function jo(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&Ye(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(jo,"logOutboundFailure");async function oP(e,t,r,n,a,i,s){let c=Mn(r,n);try{return await t(r,n)}catch(d){let p=d instanceof DOMException&&d.name==="AbortError";jo(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:c,host:ct(i),error:d,extra:{abortReason:s()}}),nP(d,a)}}o(oP,"fetchWithNormalizedError");function aP(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(aP,"assertRedirectAllowed");function iP(e,t){let r=new Headers(e);for(let n of QI)r.delete(n);for(let n of t)r.delete(n);return r}o(iP,"stripCrossOriginHeaders");function sP(e,t,r,n,a){let i={...e,method:t,redirect:"manual",signal:r};return n&&(i.headers=iP(e.headers,a)),i}o(sP,"buildRedirectInit");function cP(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(cP,"buildInitialRequestInit");function uP(e){let t=Mn(e.currentInput,e.currentInit);aP({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=ph(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,i=r.toString();return{currentInput:i,currentUrl:i,currentInit:sP(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(uP,"followRedirect");async function Du(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??KI,i=r.maxResponseBytes??JI,s=r.timeoutMs??WI,c=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],p=r.context,l=new AbortController,m=lh(l,t.signal),h=!1,y=setTimeout(()=>{h=!0,l.abort()},s),_=e,S=cP(e,t,l.signal),w;try{w=ph(ju(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(b){throw jo(p,{event:"outbound_url_blocked",problemCode:n,method:Mn(e,t),host:ct(ju(e)),error:b}),clearTimeout(y),m?.(),b}let v=0;try{for(;;){let b=await oP(p,c,_,S,n,w,()=>h?`timeout_after_${s}ms`:void 0),R=rP(b,w);if(R!==void 0)try{let M=uP({currentInput:_,currentInit:S,currentUrl:w,redirectUrl:R,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:l.signal,additionalCrossOriginStrippedHeaders:d});_=M.currentInput,S=M.currentInit,w=M.currentUrl,v=M.redirects;continue}catch(M){throw jo(p,{event:"outbound_redirect_blocked",problemCode:n,method:Mn(_,S),host:ct(w),error:M,extra:{redirects:v,maxRedirects:a,redirectTargetHost:ct(R)}}),M}try{return tP(b,await eP(b,i,n))}catch(M){throw jo(p,{event:"outbound_response_size_exceeded",problemCode:n,method:Mn(_,S),host:ct(w),error:M,extra:{maxResponseBytes:i,status:b.status}}),M}}}finally{clearTimeout(y),m?.()}}o(Du,"runSafeOutboundExchange");async function Hu(e,t,r){let n=await Du(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw jo(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Mn(e,t),host:ct(ju(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(Hu,"runSafeOutboundJsonExchange");function qn(e,t={},r={}){return Du(e,t,{...r,validateUrl:uh})}o(qn,"fetchConfiguredOutbound");function mh(e,t={},r={}){return Hu(e,t,{...r,validateUrl:dh})}o(mh,"fetchIdentityProviderJson");function fh(e,t={},r={}){return Hu(e,t,{...r,validateUrl:xi})}o(fh,"fetchCimdClientMetadataJson");var dP={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},user_oauth:{authMode:"user_oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},static_secret:{authMode:"static_secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured_static_secret"},"shared-secret":{authMode:"shared-secret",ownerMode:"shared",connectSupport:"none",connectUnsupportedDetail:"Shared static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"shared_secret_connection"},"user-secret":{authMode:"user-secret",ownerMode:"user",connectSupport:"user_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_secret_connection"}};function xt(e){return dP[e]}o(xt,"describeUpstreamAuthMode");function ki(e){return xt(e).ownerMode}o(ki,"resolveOwnerModeForUpstreamAuthMode");ae();import{errors as bh,jwtVerify as Rh,SignJWT as Ch}from"jose";import{base64url as lP}from"jose";var pP=new TextEncoder,mP="MCP gateway could not initialize secure key material.",fP=32,hh=new Map,gh=new Map,hP;function gP(){return hP??So.instance.authPrivateKey}o(gP,"readAuthPrivateKey");function yh(e){return new _n(mP,e===void 0?void 0:{cause:e})}o(yh,"createGeneratedKeyMaterialError");function Sh(e,t){let r=lP.decode(t);if(r.byteLength!==fP)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}o(Sh,"decodeJwkKeyField");function yP(e){let t=gP();if(!t)throw yh();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let n=Sh("d",r.d);Sh("x",r.x);let a=pP.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),i=new Uint8Array(a.byteLength+n.byteLength);return i.set(a),i.set(n,a.byteLength),i}catch(r){throw yh(r)}}o(yP,"decodeGeneratedKeyMaterial");function SP(e){let t=hh.get(e);return t||(t=yP(e),hh.set(e,t)),t}o(SP,"getMasterKeyMaterial");async function At(e){let t=gh.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(SP(e.keyMaterialPurpose));return gh.set(e.purpose,r),r}o(At,"readCachedDerivedKey");var _P="SHA-256";var wP="zuplo-mcp-gateway:",vP=new TextEncoder,_h=new WeakMap;async function fr(e,t){let r=_h.get(e);r||(r=new Map,_h.set(e,r));let n=r.get(t);if(n)return n;let a=await bP(e,t);return r.set(t,a),a}o(fr,"deriveGatewaySigningKey");async function bP(e,t){let r=wh(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=vP.encode(`${wP}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:_P,salt:new Uint8Array,info:wh(a)},n,32*8);return new Uint8Array(i)}o(bP,"hkdfExpand");function wh(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(wh,"copyToArrayBuffer");var Ti="HS256",Ih=15*60,RP=15*60,Ei="zuplo-mcp-gateway",Ui="zuplo-mcp-gateway",CP=xm.extend({id:An}),IP=CP.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),Ph=Pn.extend({id:Po,purpose:u.literal("browser_connect")}),PP=Pn.extend({purpose:u.literal("browser_connect")}),xP=Ph.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),xh=Ih*1e3;async function Ah(){return At({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>fr(e,"oauth-state"),"derive")})}o(Ah,"getOAuthStateKey");async function kh(){return At({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>fr(e,"browser-connect"),"derive")})}o(kh,"getBrowserConnectKey");async function Th(e){let t=Math.floor(Date.now()/1e3)+Ih;return new Ch(e).setProtectedHeader({alg:Ti,typ:"JWT"}).setIssuer(Ei).setAudience(Ui).setIssuedAt().setExpirationTime(t).sign(await Ah())}o(Th,"signOAuthState");async function Oi(e){try{let{payload:t}=await Rh(e,await Ah(),{algorithms:[Ti],issuer:Ei,audience:Ui});return IP.parse(t)}catch(t){throw t instanceof bh.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(Oi,"verifyOAuthState");async function Eh(e){let t=Math.floor(Date.now()/1e3)+RP,r=PP.parse(e),n=Ph.parse({...r,id:Um()});return new Ch(n).setProtectedHeader({alg:Ti,typ:"JWT"}).setIssuer(Ei).setAudience(Ui).setIssuedAt().setExpirationTime(t).sign(await kh())}o(Eh,"signBrowserConnectTicket");async function $i(e){try{let{payload:t}=await Rh(e,await kh(),{algorithms:[Ti],issuer:Ei,audience:Ui});return xP.parse(t)}catch(t){throw t instanceof bh.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o($i,"verifyBrowserConnectTicket");async function zi(e){if((await K().consumeBrowserConnectTicket({id:e.id,expiresAt:re(new Date(e.exp*1e3)),now:re(new Date)})).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o(zi,"consumeBrowserConnectTicket");function AP(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(AP,"buildConnectRequiredMessage");async function Uh(e){let t=ie(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await Eh({...Io(e),purpose:"browser_connect"})),r.toString()}o(Uh,"buildGatewayBrowserTicketUrl");function kP(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(kP,"buildGatewayConnectPath");async function Lu(e){return Uh({...e,path:kP(e.upstreamServerId),redirect:!0})}o(Lu,"buildGatewayConnectUrl");async function Oh(e){return Uh({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(Oh,"buildGatewayAppPasswordCaptureUrl");async function Nn(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await Lu(t),message:AP(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(Nn,"buildRedirectConnectRequiredResponse");function $h(e){return zh({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o($h,"buildAdminConnectRequiredResponse");function zh(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(zh,"buildAdminSetupRequiredResponse");function Mh(e){return zh({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(Mh,"buildAdminStaticSecretRequiredResponse");ae();import{base64url as hr}from"jose";var TP="SHA-256",Dn="AES-GCM",EP=12,Gu="zuplo-secret",Vu=1,qh="generated:auth_private_key:token-encryption",UP=u.object({version:u.literal(Vu),keyId:u.literal(qh),algorithm:u.literal(Dn),iv:u.string().min(1),ciphertext:u.string().min(1)}).strict();function jn(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(jn,"copyToArrayBuffer");async function Bu(){return At({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:o(async e=>{let t=await crypto.subtle.digest(TP,jn(e));return crypto.subtle.importKey("raw",t,{name:Dn},!1,["encrypt","decrypt"])},"derive")})}o(Bu,"getEncryptionKey");function Nh(e){return jn(new TextEncoder().encode(`${Gu}:v${e.version}:${e.keyId}`))}o(Nh,"getAssociatedData");function OP(e){return`${Gu}:v${e.version}:${hr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(OP,"encodeEnvelope");function $P(e){let t=`${Gu}:v${Vu}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(hr.decode(r));return UP.parse(JSON.parse(n))}o($P,"decodeEnvelope");async function Gr(e){let t=await Bu(),r=crypto.getRandomValues(new Uint8Array(EP)),n={version:Vu,keyId:qh},a=await crypto.subtle.encrypt({name:Dn,iv:r,additionalData:Nh(n)},t,new TextEncoder().encode(e));return OP({...n,algorithm:Dn,iv:hr.encode(r),ciphertext:hr.encode(new Uint8Array(a))})}o(Gr,"encryptSecret");async function Gt(e){let t=$P(e);if(t){let s=await Bu(),c=await crypto.subtle.decrypt({name:Dn,iv:jn(hr.decode(t.iv)),additionalData:Nh(t)},s,jn(hr.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await Bu(),i=await crypto.subtle.decrypt({name:Dn,iv:jn(hr.decode(r))},a,jn(hr.decode(n)));return new TextDecoder().decode(i)}o(Gt,"decryptSecret");function zP(e,t){let r=mr({upstreamServerId:e,authProfileId:t});if(r.mode!=="shared-secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(zP,"requireTenantStaticSecretConfig");function jh(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(jh,"hasUsableTenantStaticSecret");async function MP(e){if(!jh(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await Gt(e.connection.metadata.encryptedStaticSecret)}}o(MP,"resolveTenantStaticSecretCredential");async function Dh(e){let t=je(e.upstreamServerId);zP(e.upstreamServerId,e.authProfileId);let r="preloadedConnection"in e?e.preloadedConnection:(await K().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(jh(r))return{kind:"authorized",credential:await MP({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:Mh(n)}}o(Dh,"resolveTenantStaticSecretCredentialForRequest");ae();async function Fu(e){return K().upsertUpstreamConnection({id:ai(),ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(Fu,"upsertStaticSecretConnection");var qP=u.string().trim().min(1).max(320),NP=u.string().min(1).max(4096),jP=u.string().trim().min(1).max(4096);function Zu(e,t){let r=mr({upstreamServerId:e,authProfileId:t});if(r.mode!=="user-secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(Zu,"requireUserStaticSecretConfig");function DP(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(DP,"encodeBase64Utf8");function HP(e){return`Basic ${DP(`${e.username}:${e.appPassword}`)}`}o(HP,"buildBasicAuthHeader");function Hh(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(Hh,"hasEncryptedUserStaticSecret");async function LP(e){if(!Hh(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await Gt(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:HP({username:e.connection.metadata.staticSecretUsername,appPassword:await Gt(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(LP,"resolveUserStaticSecretCredential");async function Lh(e){if(Zu(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=qP.parse(e.username),n=NP.parse(e.appPassword);return Fu({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await Gr(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(Lh,"saveUserStaticSecretCredential");async function Mi(e){let t=Zu(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=jP.parse(e.token);return Fu({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await Gr(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(Mi,"saveUserStaticBearerTokenCredential");function Ku(e,t){return Zu(e,t)}o(Ku,"readUserStaticSecretCaptureConfig");async function Bh(e){let t=je(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r="preloadedConnection"in e?e.preloadedConnection:(await K().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(Hh(r))return{kind:"authorized",credential:await LP({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await Nn(n)}}o(Bh,"resolveUserStaticSecretCredentialForRequest");function Gh(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return Oh({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(Gh,"buildUserStaticSecretConnectUrl");var Ju;Ju=globalThis.crypto;async function BP(e){return(await Ju).getRandomValues(new Uint8Array(e))}o(BP,"getRandomValues");async function GP(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await BP(e-n.length);for(let i of a)i<r&&(n+=t[i%t.length])}return n}o(GP,"random");async function VP(e){return await GP(e)}o(VP,"generateVerifier");async function FP(e){let t=await(await Ju).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(FP,"generateChallenge");async function Wu(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await VP(e),r=await FP(t);return{code_verifier:t,code_challenge:r}}o(Wu,"pkceChallenge");ae();var Ee=Jp().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Xp.custom,message:"URL must be parseable",fatal:!0}),Zp}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),qi=Ce({resource:f().url(),authorization_servers:C(Ee).optional(),jwks_uri:f().url().optional(),scopes_supported:C(f()).optional(),bearer_methods_supported:C(f()).optional(),resource_signing_alg_values_supported:C(f()).optional(),resource_name:f().optional(),resource_documentation:f().optional(),resource_policy_uri:f().url().optional(),resource_tos_uri:f().url().optional(),tls_client_certificate_bound_access_tokens:oe().optional(),authorization_details_types_supported:C(f()).optional(),dpop_signing_alg_values_supported:C(f()).optional(),dpop_bound_access_tokens_required:oe().optional()}),Do=Ce({issuer:f(),authorization_endpoint:Ee,token_endpoint:Ee,registration_endpoint:Ee.optional(),scopes_supported:C(f()).optional(),response_types_supported:C(f()),response_modes_supported:C(f()).optional(),grant_types_supported:C(f()).optional(),token_endpoint_auth_methods_supported:C(f()).optional(),token_endpoint_auth_signing_alg_values_supported:C(f()).optional(),service_documentation:Ee.optional(),revocation_endpoint:Ee.optional(),revocation_endpoint_auth_methods_supported:C(f()).optional(),revocation_endpoint_auth_signing_alg_values_supported:C(f()).optional(),introspection_endpoint:f().optional(),introspection_endpoint_auth_methods_supported:C(f()).optional(),introspection_endpoint_auth_signing_alg_values_supported:C(f()).optional(),code_challenge_methods_supported:C(f()).optional(),client_id_metadata_document_supported:oe().optional()}),ZP=Ce({issuer:f(),authorization_endpoint:Ee,token_endpoint:Ee,userinfo_endpoint:Ee.optional(),jwks_uri:Ee,registration_endpoint:Ee.optional(),scopes_supported:C(f()).optional(),response_types_supported:C(f()),response_modes_supported:C(f()).optional(),grant_types_supported:C(f()).optional(),acr_values_supported:C(f()).optional(),subject_types_supported:C(f()),id_token_signing_alg_values_supported:C(f()),id_token_encryption_alg_values_supported:C(f()).optional(),id_token_encryption_enc_values_supported:C(f()).optional(),userinfo_signing_alg_values_supported:C(f()).optional(),userinfo_encryption_alg_values_supported:C(f()).optional(),userinfo_encryption_enc_values_supported:C(f()).optional(),request_object_signing_alg_values_supported:C(f()).optional(),request_object_encryption_alg_values_supported:C(f()).optional(),request_object_encryption_enc_values_supported:C(f()).optional(),token_endpoint_auth_methods_supported:C(f()).optional(),token_endpoint_auth_signing_alg_values_supported:C(f()).optional(),display_values_supported:C(f()).optional(),claim_types_supported:C(f()).optional(),claims_supported:C(f()).optional(),service_documentation:f().optional(),claims_locales_supported:C(f()).optional(),ui_locales_supported:C(f()).optional(),claims_parameter_supported:oe().optional(),request_parameter_supported:oe().optional(),request_uri_parameter_supported:oe().optional(),require_request_uri_registration:oe().optional(),op_policy_uri:Ee.optional(),op_tos_uri:Ee.optional(),client_id_metadata_document_supported:oe().optional()}),Ni=I({...ZP.shape,...Do.pick({code_challenge_methods_supported:!0}).shape}),Ho=I({access_token:f(),id_token:f().optional(),token_type:f(),expires_in:em.number().optional(),scope:f().optional(),refresh_token:f().optional()}).strip(),Fh=I({error:f(),error_description:f().optional(),error_uri:f().optional()}),Vh=Ee.optional().or(U("").transform(()=>{})),KP=I({redirect_uris:C(Ee),token_endpoint_auth_method:f().optional(),grant_types:C(f()).optional(),response_types:C(f()).optional(),client_name:f().optional(),client_uri:Ee.optional(),logo_uri:Vh,scope:f().optional(),contacts:C(f()).optional(),tos_uri:Vh,policy_uri:f().optional(),jwks_uri:Ee.optional(),jwks:Yp().optional(),software_id:f().optional(),software_version:f().optional(),software_statement:f().optional()}).strip(),Yu=I({client_id:f(),client_secret:f().optional(),client_id_issued_at:X().optional(),client_secret_expires_at:X().optional()}).strip(),Lo=KP.merge(Yu),OH=I({error:f(),error_description:f().optional()}).strip(),$H=I({token:f(),token_type_hint:f().optional()}).strip();function Zh(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(Zh,"resourceUrlFromServerUrl");function Kh({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(i)}o(Kh,"checkResourceAllowed");var be=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Bo=class extends be{static{o(this,"InvalidRequestError")}};Bo.errorCode="invalid_request";var Vr=class extends be{static{o(this,"InvalidClientError")}};Vr.errorCode="invalid_client";var Fr=class extends be{static{o(this,"InvalidGrantError")}};Fr.errorCode="invalid_grant";var Zr=class extends be{static{o(this,"UnauthorizedClientError")}};Zr.errorCode="unauthorized_client";var Go=class extends be{static{o(this,"UnsupportedGrantTypeError")}};Go.errorCode="unsupported_grant_type";var Vo=class extends be{static{o(this,"InvalidScopeError")}};Vo.errorCode="invalid_scope";var Fo=class extends be{static{o(this,"AccessDeniedError")}};Fo.errorCode="access_denied";var Vt=class extends be{static{o(this,"ServerError")}};Vt.errorCode="server_error";var Zo=class extends be{static{o(this,"TemporarilyUnavailableError")}};Zo.errorCode="temporarily_unavailable";var Ko=class extends be{static{o(this,"UnsupportedResponseTypeError")}};Ko.errorCode="unsupported_response_type";var Jo=class extends be{static{o(this,"UnsupportedTokenTypeError")}};Jo.errorCode="unsupported_token_type";var Wo=class extends be{static{o(this,"InvalidTokenError")}};Wo.errorCode="invalid_token";var Yo=class extends be{static{o(this,"MethodNotAllowedError")}};Yo.errorCode="method_not_allowed";var Qo=class extends be{static{o(this,"TooManyRequestsError")}};Qo.errorCode="too_many_requests";var Kr=class extends be{static{o(this,"InvalidClientMetadataError")}};Kr.errorCode="invalid_client_metadata";var Xo=class extends be{static{o(this,"InsufficientScopeError")}};Xo.errorCode="insufficient_scope";var ea=class extends be{static{o(this,"InvalidTargetError")}};ea.errorCode="invalid_target";var Jh={[Bo.errorCode]:Bo,[Vr.errorCode]:Vr,[Fr.errorCode]:Fr,[Zr.errorCode]:Zr,[Go.errorCode]:Go,[Vo.errorCode]:Vo,[Fo.errorCode]:Fo,[Vt.errorCode]:Vt,[Zo.errorCode]:Zo,[Ko.errorCode]:Ko,[Jo.errorCode]:Jo,[Wo.errorCode]:Wo,[Yo.errorCode]:Yo,[Qo.errorCode]:Qo,[Kr.errorCode]:Kr,[Xo.errorCode]:Xo,[ea.errorCode]:ea};var Ft=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function JP(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(JP,"isClientAuthMethod");var Qu="code",Xu="S256";function WP(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&JP(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(WP,"selectClientAuthMethod");function YP(e,t,r,n){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":QP(a,i,r);return;case"client_secret_post":XP(a,i,n);return;case"none":ex(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(YP,"applyClientAuthentication");function QP(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(QP,"applyBasicAuth");function XP(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(XP,"applyPostAuth");function ex(e,t){t.set("client_id",e)}o(ex,"applyPublicAuth");async function Yh(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=Fh.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=n,c=Jh[a]||Vt;return new c(i||"",s)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new Vt(a)}}o(Yh,"parseErrorResponse");async function gr(e,t){try{return await ed(e,t)}catch(r){if(r instanceof Vr||r instanceof Zr)return await e.invalidateCredentials?.("all"),await ed(e,t);if(r instanceof Fr)return await e.invalidateCredentials?.("tokens"),await ed(e,t);throw r}}o(gr,"auth");async function ed(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),c,d,p,l=a;if(!l&&s?.resourceMetadataUrl&&(l=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(d=s.authorizationServerUrl,c=s.resourceMetadata,p=s.authorizationServerMetadata??await Xh(d,{fetchFn:i}),!c)try{c=await Qh(t,{resourceMetadataUrl:l},i)}catch{}(p!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}else{let R=await ix(t,{resourceMetadataUrl:l,fetchFn:i});d=R.authorizationServerUrl,p=R.authorizationServerMetadata,c=R.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}let m=await tx(t,e,c),h=n||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,y=await Promise.resolve(e.clientInformation());if(!y){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let R=p?.client_id_metadata_document_supported===!0,M=e.clientMetadataUrl;if(M&&!rd(M))throw new Kr(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${M}`);if(R&&M)y={client_id:M},await e.saveClientInformation?.(y);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Me=await lx(d,{metadata:p,clientMetadata:e.clientMetadata,scope:h,fetchFn:i});await e.saveClientInformation(Me),y=Me}}let _=!e.redirectUrl;if(r!==void 0||_){let R=await dx(e,d,{metadata:p,resource:m,authorizationCode:r,fetchFn:i});return await e.saveTokens(R),"AUTHORIZED"}let S=await e.tokens();if(S?.refresh_token)try{let R=await ux(d,{metadata:p,clientInformation:y,refreshToken:S.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(R),"AUTHORIZED"}catch(R){if(!(!(R instanceof be)||R instanceof Vt))throw R}let w=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:b}=await sx(d,{metadata:p,clientInformation:y,state:w,redirectUrl:e.redirectUrl,scope:h,resource:m});return await e.saveCodeVerifier(b),await e.redirectToAuthorization(v),"REDIRECT"}o(ed,"authInternal");function rd(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(rd,"isHttpsUrl");async function tx(e,t,r){let n=Zh(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!Kh({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o(tx,"selectResourceURL");function nd(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=td(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=td(e,"scope")||void 0,c=td(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:c}}o(nd,"extractWWWAuthenticateParams");function td(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(td,"extractFieldFromWwwAuth");async function Qh(e,t,r=fetch){let n=await ox(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return qi.parse(await n.json())}o(Qh,"discoverOAuthProtectedResourceMetadata");async function od(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?od(e,void 0,r):void 0;throw n}}o(od,"fetchWithCorsRetry");function rx(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(rx,"buildWellKnownPath");async function Wh(e,t,r=fetch){return await od(e,{"MCP-Protocol-Version":t},r)}o(Wh,"tryMetadataDiscovery");function nx(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(nx,"shouldAttemptFallback");async function ox(e,t,r,n){let a=new URL(e),i=n?.protocolVersion??cr,s;if(n?.metadataUrl)s=new URL(n.metadataUrl);else{let d=rx(t,a.pathname);s=new URL(d,n?.metadataServerUrl??a),s.search=a.search}let c=await Wh(s,i,r);if(!n?.metadataUrl&&nx(c,a.pathname)){let d=new URL(`/.well-known/${t}`,a);c=await Wh(d,i,r)}return c}o(ox,"discoverMetadataWithFallback");function ax(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(ax,"buildDiscoveryUrls");async function Xh(e,{fetchFn:t=fetch,protocolVersion:r=cr}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=ax(e);for(let{url:i,type:s}of a){let c=await od(i,n,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Do.parse(await c.json()):Ni.parse(await c.json())}}}o(Xh,"discoverAuthorizationServerMetadata");async function ix(e,t){let r,n;try{r=await Qh(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await Xh(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(ix,"discoverOAuthServerInfo");async function sx(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:i,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Qu))throw new Error(`Incompatible auth server: does not support response type ${Qu}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(Xu))throw new Error(`Incompatible auth server: does not support code challenge method ${Xu}`)}else c=new URL("/authorize",e);let d=await Wu(),p=d.code_verifier,l=d.code_challenge;return c.searchParams.set("response_type",Qu),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",l),c.searchParams.set("code_challenge_method",Xu),c.searchParams.set("redirect_uri",String(n)),i&&c.searchParams.set("state",i),a&&c.searchParams.set("scope",a),a?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:p}}o(sx,"startAuthorization");function cx(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(cx,"prepareAuthorizationCodeRequest");async function eg(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:i,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(d,r,c,t);else if(n){let l=t?.token_endpoint_auth_methods_supported??[],m=WP(n,l);YP(m,n,d,r)}let p=await(s??fetch)(c,{method:"POST",headers:d,body:r});if(!p.ok)throw await Yh(p);return Ho.parse(await p.json())}o(eg,"executeTokenRequest");async function ux(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:i,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await eg(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:n,...d}}o(ux,"refreshAuthorization");async function dx(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();c=cx(a,p,e.redirectUrl)}let d=await e.clientInformation();return eg(t,{metadata:r,tokenRequestParams:c,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:i})}o(dx,"fetchToken");async function lx(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!s.ok)throw await Yh(s);return Lo.parse(await s.json())}o(lx,"registerClient");ae();function ad(e){return`Zuplo MCP Gateway - ${e}`}o(ad,"buildGatewayOAuthClientName");function tg(e,t){let r=new URL(e,ie(t));return qe(r)&&jt(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(tg,"buildGatewayOAuthRedirectUri");function id(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(id,"buildOAuthClientMetadataDocumentUrl");function rg(e){return ie(e)}o(rg,"requireOAuthClientMetadataOrigin");function ng(e,t,r){let n=je(t),a=Br(t,r);return{client_id:id({origin:e,upstreamServerId:t,authProfileId:r}),client_name:ad(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(ng,"buildOAuthClientMetadataDocument");var px=u.union([Lo,Yu]),mx=u.object({authorizationServerUrl:u.url(),resourceMetadataUrl:u.url().optional(),resourceMetadata:qi.optional(),authorizationServerMetadata:u.union([Do,Ni]).optional()}).passthrough(),fx="Bearer";function hx(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(hx,"splitScopes");function gx(e){return Ya.parse(e)}o(gx,"parsePkceCodeVerifier");function yx(e){if(typeof e.expires_in=="number")return re(new Date(Date.now()+e.expires_in*1e3))}o(yx,"readTokenExpiry");async function og(e){if(e!==void 0)return Gr(JSON.stringify(e))}o(og,"encryptJson");async function ag(e,t){if(!e)return;let r=await Gt(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(ag,"decryptJson");function Sx(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(Sx,"toOAuthDiscoveryState");function _x(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(_x,"clientInformationAllowsRedirectUri");function wx(e,t,r){let n=je(e),a=Br(e,t),i;return a.scopes.length>0&&(i=a.scopes.join(a.scopeDelimiter)),{client_name:ad(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}o(wx,"buildOAuthClientMetadata");function vx(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return Lo.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(vx,"buildManualOAuthClientInformation");function bx(e,t,r){let n=id({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return rd(n)?n:void 0}o(bx,"buildClientMetadataUrl");function ig(e){for(let t of e)if(t!==void 0)return t}o(ig,"firstDefined");function Rx(e){let t=Br(e.target.upstreamServerId,e.target.authProfileId),r=wx(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:vx({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=bx(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(Rx,"buildInitialOAuthClientSetup");function Cx(e,t){if(t===void 0)return ig([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(Cx,"readEncryptedClientInformation");function Ix(e){return ig([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(Ix,"readEncryptedDiscoveryState");var Jr=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=Rx({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=Cx(t,this.configuredClientInformation),this.encryptedDiscoveryState=Ix(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return Th({id:t.id,...Io({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await og(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await og(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Ho.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??ai(),ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Gr(r.access_token),encryptedRefreshToken:r.refresh_token?await Gr(r.refresh_token):void 0,scopes:hx(r.scope??this.clientMetadataValue.scope),expiresAt:yx(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await K().upsertUpstreamConnection(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:gx(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Em(),...Io({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:re(new Date(Date.now()+xh)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await K().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await ag(this.encryptedClientInformation,px)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!_x(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=Sx(await ag(this.encryptedDiscoveryState,mx))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=Ho.parse({access_token:await Gt(this.connection.encryptedAccessToken),token_type:fx,refresh_token:this.connection.encryptedRefreshToken?await Gt(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await K().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var Px=1e4,xx=256*1024,Ax=2;function kx(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(kx,"hasUsableAccessToken");var Tx="does not support dynamic client registration";function Ex(e){return e instanceof Error&&e.message.includes(Tx)}o(Ex,"isDynamicClientRegistrationUnsupported");function Ux(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(Ux,"readOAuthFetchRequest");function Ox(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(Ox,"responseLooksJson");function sg(e){return async(t,r)=>{let n=Ux(t),a=await qn(t,r,{maxRedirects:Ax,maxResponseBytes:xx,problemCode:"upstream_token_exchange_failed",timeoutMs:Px}),i=await a.clone().text();if(!Ox(a,i))return a;try{JSON.parse(i)}catch(s){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,s)}return a}}o(sg,"createUpstreamOAuthFetch");async function cg(e,t){try{return await gr(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:sg(t.upstreamServerId)})}catch(r){throw Ex(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(cg,"runUpstreamOAuth");async function $x(e,t){return gr(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:sg(t.upstreamServerId)})}o($x,"exchangeUpstreamAuthorizationCode");async function ug(e,t){let r=await cg(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o(ug,"requireUpstreamAuthorizationRedirect");async function dg(e){if(kx(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await cg(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await jx({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(dg,"authorizeUpstreamOAuthSession");async function zx(e){let t=await Oi(e.stateToken),r=await K().consumeUpstreamOAuthState({id:t.id,now:re(new Date)}),n=Mx(r);return qx({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Nx(n),n}o(zx,"consumeStoredCallbackState");function Mx(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(Mx,"readConsumedCallbackState");function qx(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(qx,"assertStoredCallbackStateMatches");function Nx(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(Nx,"assertStoredCallbackStateFresh");async function jx(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),$h(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Nn(t)}o(jx,"buildOAuthConnectRequiredResponse");async function lg(e){let t=await zx({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=xn(t),[n]=await K().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let i=new Jr(a),s=await $x(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(lg,"finishUpstreamOAuthCallback");async function pg(e){let t=je(e.upstreamServerId),r=Br(e.upstreamServerId,e.authProfileId),n=tg(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await K().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:ie(e.request.url)}}}o(pg,"prepareUpstreamOAuthRequest");async function mg(e){let t=await pg(e),r=new Jr({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return ug(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(mg,"startUpstreamConnect");async function fg(e){let t=await pg(e),r=new Jr({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return dg({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(fg,"authorizeUpstreamRequest");function Dx(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(Dx,"resolveStaticSecretCredential");async function ji(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user_oauth":return fg({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"shared-secret":return Dh({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"static_secret":{let n=mr({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static_secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:Dx(n.secret,t.upstreamServerId)}}case"user-secret":return Bh({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(ji,"resolveUpstreamCredentialForRoute");async function hg(e){let t=ir(e.principal.subjectId),r=St().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user-secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await Mi({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(hg,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function gg(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=xt(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await mg(r);break;case"user_secret_capture":t=await Gh(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(gg,"startUpstreamConnectForRequest");async function yg(e){let r=(await Oi(e.callbackRequest.state)).authProfileId,n=mr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(xt(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return lg({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:je(e.callbackRequest.upstreamServerId)})}o(yg,"finishUpstreamCallbackForRequest");var sd=new It("route-upstream-bindings");function Sg(e){return`${e.upstreamServerId}:${e.authProfileId}`}o(Sg,"buildRouteBindingDuplicateKey");function cd(e,t){let r=sd.get(e)??[],n=Sg(t);if(r.find(i=>Sg(i)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.push(t),sd.set(e,r)}o(cd,"appendResolvedUpstreamBindingContext");function Di(e){return sd.get(e)??[]}o(Di,"readResolvedUpstreamBindingContexts");var Hx=new Set(["authorization","connection","content-length","cookie","cookie2","host","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade"]),Lx=3e4,Bx=2*1024*1024,Gx=2;function Vx(e){return e.kind!=="authorized"||e.credential.type!=="headers"?[]:Object.keys(e.credential.headers)}o(Vx,"readCredentialHeaderNames");async function Fx(e,t){Ct("handler.mcp-upstream");let r=Di(t);if(r.length!==1)throw new ue(`mcpUpstreamHandler requires exactly one upstream binding on the route (found ${r.length}). Attach a single \`mcp-upstream-connection-inbound\` policy or use \`McpVirtualServerHandler\` for multi-upstream routes.`);let[n]=r,a=await ji({request:e,routeAuth:n});if(a.kind==="connect_required")return t.log.info({event:"mcp_upstream_connect_required",upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId},"MCP upstream proxy: upstream connection required"),Response.json({error:"connect_required",payload:a.payload},{status:401,headers:{"www-authenticate":'Bearer realm="upstream", error="invalid_token"'}});let i=je(n.upstreamServerId),s=i.transport.baseUrl,c=new Headers;for(let[h,y]of e.headers.entries())Hx.has(h.toLowerCase())||c.set(h,y);let d=[];for(let h of i.transport.requestHeaders??[]){if(h.value===void 0){if(h.required)throw new ue(`mcpUpstreamHandler: configured request header '${h.name}' is required but its value is unset. Set the env var that backs the header or mark the header optional.`);continue}c.set(h.name,h.value),d.push(h.name)}let p=a.credential;switch(p.type){case"bearer_token":c.set("authorization",`Bearer ${p.token}`);break;case"headers":for(let[h,y]of Object.entries(p.headers))c.set(h,y);break;case"mcp_oauth_provider":{let h=await p.provider.tokens();if(!h)return t.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:n.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401});c.set("authorization",`${h.token_type??"Bearer"} ${h.access_token}`);break}}let l=[...d,...Vx(a)],m={method:e.method,headers:c,body:e.method==="GET"||e.method==="HEAD"?void 0:e.body,duplex:"half"};return t.log.info({event:"mcp_upstream_handler_proxy",upstreamServerId:n.upstreamServerId,upstreamUrl:s,method:e.method},"MCP upstream proxy: forwarding request"),qn(s,m,{additionalCrossOriginStrippedHeaders:l,context:t,maxRedirects:Gx,maxResponseBytes:Bx,problemCode:"upstream_capability_invocation_failed",timeoutMs:Lx})}o(Fx,"mcpUpstreamHandler");Cv();function yr(e){return!!e._zod}o(yr,"isZ4Schema");function Ge(e,t){return yr(e)?dc(e,t):e.safeParse(t)}o(Ge,"safeParse");function Hn(e){if(!e)return;let t;if(yr(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(Hn,"getObjectShape");function _g(e){if(yr(e)){let i=e._zod?.def;if(i){if(i.value!==void 0)return i.value;if(Array.isArray(i.values)&&i.values.length>0)return i.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(_g,"getLiteralValue");function Sr(e){return e==="completed"||e==="failed"||e==="cancelled"}o(Sr,"isTerminal");var Kx=Symbol("Let zodToJsonSchema decide on which parser to use");var aG=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function ud(e){let r=Hn(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=_g(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(ud,"getMethodLiteral");function dd(e,t){let r=Ge(e,t);if(!r.success)throw r.error;return r.data}o(dd,"parseWithCompat");var eA=6e4,Ln=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(li,r=>{this._oncancel(r)}),this.setNotificationHandler(hi,r=>{this._onprogress(r)}),this.setRequestHandler(fi,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(gi,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(E.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(Si,async(r,n)=>{let a=o(async()=>{let i=r.params.taskId;if(this._taskMessageQueue){let c;for(;c=await this._taskMessageQueue.dequeue(i,n.sessionId);){if(c.type==="response"||c.type==="error"){let d=c.message,p=d.id,l=this._requestResolvers.get(p);if(l)if(this._requestResolvers.delete(p),c.type==="response")l(d);else{let m=d,h=new A(m.error.code,m.error.message,m.error.data);l(h)}else{let m=c.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${p}`))}continue}await this._transport?.send(c.message,{relatedRequestId:n.requestId})}}let s=await this._taskStore.getTask(i,n.sessionId);if(!s)throw new A(E.InvalidParams,`Task not found: ${i}`);if(!Sr(s.status))return await this._waitForTaskUpdate(i,n.signal),await a();if(Sr(s.status)){let c=await this._taskStore.getTaskResult(i,n.sessionId);return this._clearTaskQueue(i),{...c,_meta:{...c._meta,[dr]:{taskId:i}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(_i,async(r,n)=>{try{let{tasks:a,nextCursor:i}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:i,_meta:{}}}catch(a){throw new A(E.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(vi,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new A(E.InvalidParams,`Task not found: ${r.params.taskId}`);if(Sr(a.status))throw new A(E.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let i=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!i)throw new A(E.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...i}}catch(a){throw a instanceof A?a:new A(E.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,i=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:i,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),A.fromError(E.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=i=>{n?.(i),this._onerror(i)};let a=this._transport?.onmessage;this._transport.onmessage=(i,s)=>{a?.(i,s),yt(i)||Un(i)?this._onresponse(i):Pt(i)?this._onrequest(i,s):jf(i)?this._onnotification(i):this._onerror(new Error(`Unknown message type: ${JSON.stringify(i)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=A.fromError(E.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,i=t.params?._meta?.[dr]?.taskId;if(n===void 0){let l={jsonrpc:"2.0",id:t.id,error:{code:E.MethodNotFound,message:"Method not found"}};i&&this._taskMessageQueue?this._enqueueTaskMessage(i,{type:"error",message:l,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(l).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let s=new AbortController;this._requestHandlerAbortControllers.set(t.id,s);let c=Mf(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,p={signal:s.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async l=>{if(s.signal.aborted)return;let m={relatedRequestId:t.id};i&&(m.relatedTask={taskId:i}),await this.notification(l,m)},"sendNotification"),sendRequest:o(async(l,m,h)=>{if(s.signal.aborted)throw new A(E.ConnectionClosed,"Request was cancelled");let y={...h,relatedRequestId:t.id};i&&!y.relatedTask&&(y.relatedTask={taskId:i});let _=y.relatedTask?.taskId??i;return _&&d&&await d.updateTaskStatus(_,"input_required"),await this.request(l,m,y)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:i,taskStore:d,taskRequestedTtl:c?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{c&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,p)).then(async l=>{if(s.signal.aborted)return;let m={result:l,jsonrpc:"2.0",id:t.id};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async l=>{if(s.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(l.code)?l.code:E.InternalError,message:l.message??"Internal error",...l.data!==void 0&&{data:l.data}}};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(l=>this._onerror(new Error(`Failed to send response: ${l}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===s&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),i=this._progressHandlers.get(a);if(!i){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let s=this._responseHandlers.get(a),c=this._timeoutInfo.get(a);if(c&&s&&c.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),s(d);return}i(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),yt(t))n(t);else{let s=new A(t.error.code,t.error.message,t.error.data);n(s)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let i=!1;if(yt(t)&&t.result&&typeof t.result=="object"){let s=t.result;if(s.task&&typeof s.task=="object"){let c=s.task;typeof c.taskId=="string"&&(i=!0,this._taskProgressTokens.set(c.taskId,r))}}if(i||this._progressHandlers.delete(r),yt(t))a(t);else{let s=A.fromError(t.error.code,t.error.message,t.error.data);a(s)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(s){yield{type:"error",error:s instanceof A?s:new A(E.InternalError,String(s))}}return}let i;try{let s=await this.request(t,Bt,n);if(s.task)i=s.task.taskId,yield{type:"taskCreated",task:s.task};else throw new A(E.InternalError,"Task creation did not return a task");for(;;){let c=await this.getTask({taskId:i},n);if(yield{type:"taskStatus",task:c},Sr(c.status)){c.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)}:c.status==="failed"?yield{type:"error",error:new A(E.InternalError,`Task ${i} failed`)}:c.status==="cancelled"&&(yield{type:"error",error:new A(E.InternalError,`Task ${i} was cancelled`)});return}if(c.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)};return}let d=c.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(p=>setTimeout(p,d)),n?.signal?.throwIfAborted()}}catch(s){yield{type:"error",error:s instanceof A?s:new A(E.InternalError,String(s))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s,task:c,relatedTask:d}=n??{};return new Promise((p,l)=>{let m=o(b=>{l(b)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),c&&this.assertTaskCapability(t.method)}catch(b){m(b);return}n?.signal?.throwIfAborted();let h=this._requestMessageId++,y={...t,jsonrpc:"2.0",id:h};n?.onprogress&&(this._progressHandlers.set(h,n.onprogress),y.params={...t.params,_meta:{...t.params?._meta||{},progressToken:h}}),c&&(y.params={...y.params,task:c}),d&&(y.params={...y.params,_meta:{...y.params?._meta||{},[dr]:d}});let _=o(b=>{this._responseHandlers.delete(h),this._progressHandlers.delete(h),this._cleanupTimeout(h),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:h,reason:String(b)}},{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(M=>this._onerror(new Error(`Failed to send cancellation: ${M}`)));let R=b instanceof A?b:new A(E.RequestTimeout,String(b));l(R)},"cancel");this._responseHandlers.set(h,b=>{if(!n?.signal?.aborted){if(b instanceof Error)return l(b);try{let R=Ge(r,b.result);R.success?p(R.data):l(R.error)}catch(R){l(R)}}}),n?.signal?.addEventListener("abort",()=>{_(n?.signal?.reason)});let S=n?.timeout??eA,w=o(()=>_(A.fromError(E.RequestTimeout,"Request timed out",{timeout:S})),"timeoutHandler");this._setupTimeout(h,S,n?.maxTotalTimeout,w,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let b=o(R=>{let M=this._responseHandlers.get(h);M?M(R):this._onerror(new Error(`Response handler missing for side-channeled request ${h}`))},"responseResolver");this._requestResolvers.set(h,b),this._enqueueTaskMessage(v,{type:"request",message:y,timestamp:Date.now()}).catch(R=>{this._cleanupTimeout(h),l(R)})}else this._transport.send(y,{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(b=>{this._cleanupTimeout(h),l(b)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},yi,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},wi,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},Hf,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let c={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[dr]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:c,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let c={...t,jsonrpc:"2.0"};r?.relatedTask&&(c={...c,params:{...c.params,_meta:{...c.params?._meta||{},[dr]:r.relatedTask}}}),this._transport?.send(c,r).catch(d=>this._onerror(d))});return}let s={...t,jsonrpc:"2.0"};r?.relatedTask&&(s={...s,params:{...s.params,_meta:{...s.params?._meta||{},[dr]:r.relatedTask}}}),await this._transport.send(s,r)}setRequestHandler(t,r){let n=ud(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,i)=>{let s=dd(t,a);return Promise.resolve(r(s,i))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=ud(t);this._notificationHandlers.set(n,a=>{let i=dd(t,a);return Promise.resolve(r(i))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&Pt(a.message)){let i=a.message.id,s=this._requestResolvers.get(i);s?(s(new A(E.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(i)):this._onerror(new Error(`Resolver missing for request ${i} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,i)=>{if(r.aborted){i(new A(E.InvalidRequest,"Request cancelled"));return}let s=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(s),i(new A(E.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let i=await n.getTask(a,r);if(!i)throw new A(E.InvalidParams,"Failed to retrieve task: Task not found");return i},"getTask"),storeTaskResult:o(async(a,i,s)=>{await n.storeTaskResult(a,i,s,r);let c=await n.getTask(a,r);if(c){let d=$o.parse({method:"notifications/tasks/status",params:c});await this.notification(d),Sr(c.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,i,s)=>{let c=await n.getTask(a,r);if(!c)throw new A(E.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(Sr(c.status))throw new A(E.InvalidParams,`Cannot update task "${a}" from terminal status "${c.status}" to "${i}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,i,s,r);let d=await n.getTask(a,r);if(d){let p=$o.parse({method:"notifications/tasks/status",params:d});await this.notification(p),Sr(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function wg(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(wg,"isPlainObject");function Hi(e,t){let r={...e};for(let n in t){let a=n,i=t[a];if(i===void 0)continue;let s=r[a];wg(s)&&wg(i)?r[a]={...s,...i}:r[a]=i}return r}o(Hi,"mergeCapabilities");var i_=Gp(Jl(),1),s_=Gp(a_(),1);function GU(){let e=new i_.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,s_.default)(e),e}o(GU,"createDefaultAjvInstance");var ao=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??GU()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var Cs=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],i=Array.isArray(a.content)?a.content:[a.content],s=i.some(l=>l.type==="tool_result"),c=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=c?Array.isArray(c.content)?c.content:[c.content]:[],p=d.some(l=>l.type==="tool_use");if(s){if(i.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!p)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(p){let l=new Set(d.filter(h=>h.type==="tool_use").map(h=>h.id)),m=new Set(i.filter(h=>h.type==="tool_result").map(h=>h.toolUseId));if(l.size!==m.size||![...l].every(h=>m.has(h)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},Hr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let i=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:i},pr,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function Is(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(Is,"assertToolsCallTaskCapability");function Ps(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(Ps,"assertClientRequestTaskCapability");var xs=class extends Ln{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(qo.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let i=this._loggingLevels.get(a);return i?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(i):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new ao,this.setRequestHandler(pi,n=>this._oninitialize(n)),this.setNotificationHandler(mi,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(Ru,async(n,a)=>{let i=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:s}=n.params,c=qo.safeParse(s);return c.success&&this._loggingLevels.set(i,c.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new Cs(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Hi(this._capabilities,t)}setRequestHandler(t,r){let a=Hn(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(yr(a)){let c=a;i=c._zod?.def?.value??c.value}else{let c=a;i=c._def?.value??c.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");if(i==="tools/call"){let c=o(async(d,p)=>{let l=Ge(Mo,d);if(!l.success){let _=l.error instanceof Error?l.error.message:String(l.error);throw new A(E.InvalidParams,`Invalid tools/call request: ${_}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let _=Ge(Bt,h);if(!_.success){let S=_.error instanceof Error?_.error.message:String(_.error);throw new A(E.InvalidParams,`Invalid task creation result: ${S}`)}return _.data}let y=Ge(lr,h);if(!y.success){let _=y.error instanceof Error?y.error.message:String(y.error);throw new A(E.InvalidParams,`Invalid tools/call result: ${_}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){Ps(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&Is(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:ur.includes(r)?r:cr,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},Lt)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],i=a.some(p=>p.type==="tool_result"),s=t.messages.length>1?t.messages[t.messages.length-2]:void 0,c=s?Array.isArray(s.content)?s.content:[s.content]:[],d=c.some(p=>p.type==="tool_use");if(i){if(a.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let p=new Set(c.filter(m=>m.type==="tool_use").map(m=>m.id)),l=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(p.size!==l.size||![...p].every(m=>l.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},No,r):this.request({method:"sampling/createMessage",params:t},Hr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},pr,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},i=await this.request({method:"elicitation/create",params:a},pr,r);if(i.action==="accept"&&i.content&&a.requestedSchema)try{let c=this._jsonSchemaValidator.getValidator(a.requestedSchema)(i.content);if(!c.valid)throw new A(E.InvalidParams,`Elicitation response content does not match requested schema: ${c.errorMessage}`)}catch(s){throw s instanceof A?s:new A(E.InternalError,`Error validating elicitation response: ${s instanceof Error?s.message:String(s)}`)}return i}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},xu,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var As=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let i={code:r,message:n};return a?.data!==void 0&&(i.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:i,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let i=await this._eventStore.storeEvent(n,{}),s=`id: ${i}
+${r}`}o(gR,"formatPolicyConfigError");ae();var sr="2025-11-25",Ef="2025-03-26",cr=[sr,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],ur="io.modelcontextprotocol/related-task",ci="2.0",Ie=em(e=>e!==null&&(typeof e=="object"||typeof e=="function")),Uf=fe([f(),X().int()]),Of=f(),TD=Ce({ttl:X().optional(),pollInterval:X().optional()}),SR=I({ttl:X().optional()}),vR=I({taskId:f()}),Yc=Ce({progressToken:Uf.optional(),[ur]:vR.optional()}),nt=I({_meta:Yc.optional()}),To=nt.extend({task:SR.optional()}),$f=o(e=>To.safeParse(e).success,"isTaskAugmentedRequestParams"),Te=I({method:f(),params:nt.loose().optional()}),ut=I({_meta:Yc.optional()}),dt=I({method:f(),params:ut.loose().optional()}),Ae=Ce({_meta:Yc.optional()}),ui=fe([f(),X().int()]),zf=I({jsonrpc:U(ci),id:ui,...Te.shape}).strict(),It=o(e=>zf.safeParse(e).success,"isJSONRPCRequest"),Mf=I({jsonrpc:U(ci),...dt.shape}).strict(),qf=o(e=>Mf.safeParse(e).success,"isJSONRPCNotification"),Qc=I({jsonrpc:U(ci),id:ui,result:Ae}).strict(),gt=o(e=>Qc.safeParse(e).success,"isJSONRPCResultResponse");var E;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(E||(E={}));var Xc=I({jsonrpc:U(ci),id:ui.optional(),error:I({code:X().int(),message:f(),data:_e().optional()})}).strict();var En=o(e=>Xc.safeParse(e).success,"isJSONRPCErrorResponse");var Dr=fe([zf,Mf,Qc,Xc]),AD=fe([Qc,Xc]),Lt=Ae.strict(),_R=ut.extend({requestId:ui.optional(),reason:f().optional()}),di=dt.extend({method:U("notifications/cancelled"),params:_R}),wR=I({src:f(),mimeType:f().optional(),sizes:C(f()).optional(),theme:rt(["light","dark"]).optional()}),Ao=I({icons:C(wR).optional()}),An=I({name:f(),title:f().optional()}),Un=An.extend({...An.shape,...Ao.shape,version:f(),websiteUrl:f().optional(),description:f().optional()}),bR=pc(I({applyDefaults:oe().optional()}),de(f(),_e())),RR=mc(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,pc(I({form:bR.optional(),url:Ie.optional()}),de(f(),_e()).optional())),CR=Ce({list:Ie.optional(),cancel:Ie.optional(),requests:Ce({sampling:Ce({createMessage:Ie.optional()}).optional(),elicitation:Ce({create:Ie.optional()}).optional()}).optional()}),IR=Ce({list:Ie.optional(),cancel:Ie.optional(),requests:Ce({tools:Ce({call:Ie.optional()}).optional()}).optional()}),PR=I({experimental:de(f(),Ie).optional(),sampling:I({context:Ie.optional(),tools:Ie.optional()}).optional(),elicitation:RR.optional(),roots:I({listChanged:oe().optional()}).optional(),tasks:CR.optional(),extensions:de(f(),Ie).optional()}),xR=nt.extend({protocolVersion:f(),capabilities:PR,clientInfo:Un}),li=Te.extend({method:U("initialize"),params:xR}),eu=o(e=>li.safeParse(e).success,"isInitializeRequest"),kR=I({experimental:de(f(),Ie).optional(),logging:Ie.optional(),completions:Ie.optional(),prompts:I({listChanged:oe().optional()}).optional(),resources:I({subscribe:oe().optional(),listChanged:oe().optional()}).optional(),tools:I({listChanged:oe().optional()}).optional(),tasks:IR.optional(),extensions:de(f(),Ie).optional()}),tu=Ae.extend({protocolVersion:f(),capabilities:kR,serverInfo:Un,instructions:f().optional()}),pi=dt.extend({method:U("notifications/initialized"),params:ut.optional()}),Nf=o(e=>pi.safeParse(e).success,"isInitializedNotification"),mi=Te.extend({method:U("ping"),params:nt.optional()}),TR=I({progress:X(),total:Se(X()),message:Se(f())}),AR=I({...ut.shape,...TR.shape,progressToken:Uf}),fi=dt.extend({method:U("notifications/progress"),params:AR}),ER=nt.extend({cursor:Of.optional()}),Eo=Te.extend({params:ER.optional()}),Uo=Ae.extend({nextCursor:Of.optional()}),UR=rt(["working","input_required","completed","failed","cancelled"]),Oo=I({taskId:f(),status:UR,ttl:fe([X(),Qp()]),createdAt:f(),lastUpdatedAt:f(),pollInterval:Se(X()),statusMessage:Se(f())}),Bt=Ae.extend({task:Oo}),OR=ut.merge(Oo),$o=dt.extend({method:U("notifications/tasks/status"),params:OR}),hi=Te.extend({method:U("tasks/get"),params:nt.extend({taskId:f()})}),gi=Ae.merge(Oo),yi=Te.extend({method:U("tasks/result"),params:nt.extend({taskId:f()})}),ED=Ae.loose(),Si=Eo.extend({method:U("tasks/list")}),vi=Uo.extend({tasks:C(Oo)}),_i=Te.extend({method:U("tasks/cancel"),params:nt.extend({taskId:f()})}),Df=Ae.merge(Oo),jf=I({uri:f(),mimeType:Se(f()),_meta:de(f(),_e()).optional()}),Hf=jf.extend({text:f()}),ru=f().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),Lf=jf.extend({blob:ru}),zo=rt(["user","assistant"]),On=I({audience:C(zo).optional(),priority:X().min(0).max(1).optional(),lastModified:Wp.datetime({offset:!0}).optional()}),Bf=I({...An.shape,...Ao.shape,uri:f(),description:Se(f()),mimeType:Se(f()),size:Se(X()),annotations:On.optional(),_meta:Se(Ce({}))}),$R=I({...An.shape,...Ao.shape,uriTemplate:f(),description:Se(f()),mimeType:Se(f()),annotations:On.optional(),_meta:Se(Ce({}))}),nu=Eo.extend({method:U("resources/list")}),ou=Uo.extend({resources:C(Bf)}),au=Eo.extend({method:U("resources/templates/list")}),iu=Uo.extend({resourceTemplates:C($R)}),su=nt.extend({uri:f()}),zR=su,cu=Te.extend({method:U("resources/read"),params:zR}),uu=Ae.extend({contents:C(fe([Hf,Lf]))}),du=dt.extend({method:U("notifications/resources/list_changed"),params:ut.optional()}),MR=su,qR=Te.extend({method:U("resources/subscribe"),params:MR}),NR=su,DR=Te.extend({method:U("resources/unsubscribe"),params:NR}),jR=ut.extend({uri:f()}),HR=dt.extend({method:U("notifications/resources/updated"),params:jR}),LR=I({name:f(),description:Se(f()),required:Se(oe())}),BR=I({...An.shape,...Ao.shape,description:Se(f()),arguments:Se(C(LR)),_meta:Se(Ce({}))}),lu=Eo.extend({method:U("prompts/list")}),pu=Uo.extend({prompts:C(BR)}),GR=nt.extend({name:f(),arguments:de(f(),f()).optional()}),mu=Te.extend({method:U("prompts/get"),params:GR}),fu=I({type:U("text"),text:f(),annotations:On.optional(),_meta:de(f(),_e()).optional()}),hu=I({type:U("image"),data:ru,mimeType:f(),annotations:On.optional(),_meta:de(f(),_e()).optional()}),gu=I({type:U("audio"),data:ru,mimeType:f(),annotations:On.optional(),_meta:de(f(),_e()).optional()}),VR=I({type:U("tool_use"),name:f(),id:f(),input:de(f(),_e()),_meta:de(f(),_e()).optional()}),FR=I({type:U("resource"),resource:fe([Hf,Lf]),annotations:On.optional(),_meta:de(f(),_e()).optional()}),ZR=Bf.extend({type:U("resource_link")}),yu=fe([fu,hu,gu,ZR,FR]),KR=I({role:zo,content:yu}),Su=Ae.extend({description:f().optional(),messages:C(KR)}),vu=dt.extend({method:U("notifications/prompts/list_changed"),params:ut.optional()}),JR=I({title:f().optional(),readOnlyHint:oe().optional(),destructiveHint:oe().optional(),idempotentHint:oe().optional(),openWorldHint:oe().optional()}),WR=I({taskSupport:rt(["required","optional","forbidden"]).optional()}),Gf=I({...An.shape,...Ao.shape,description:f().optional(),inputSchema:I({type:U("object"),properties:de(f(),Ie).optional(),required:C(f()).optional()}).catchall(_e()),outputSchema:I({type:U("object"),properties:de(f(),Ie).optional(),required:C(f()).optional()}).catchall(_e()).optional(),annotations:JR.optional(),execution:WR.optional(),_meta:de(f(),_e()).optional()}),_u=Eo.extend({method:U("tools/list")}),wu=Uo.extend({tools:C(Gf)}),dr=Ae.extend({content:C(yu).default([]),structuredContent:de(f(),_e()).optional(),isError:oe().optional()}),UD=dr.or(Ae.extend({toolResult:_e()})),YR=To.extend({name:f(),arguments:de(f(),_e()).optional()}),Mo=Te.extend({method:U("tools/call"),params:YR}),bu=dt.extend({method:U("notifications/tools/list_changed"),params:ut.optional()}),Vf=I({autoRefresh:oe().default(!0),debounceMs:X().int().nonnegative().default(300)}),qo=rt(["debug","info","notice","warning","error","critical","alert","emergency"]),QR=nt.extend({level:qo}),Ru=Te.extend({method:U("logging/setLevel"),params:QR}),XR=ut.extend({level:qo,logger:f().optional(),data:_e()}),eC=dt.extend({method:U("notifications/message"),params:XR}),tC=I({name:f().optional()}),rC=I({hints:C(tC).optional(),costPriority:X().min(0).max(1).optional(),speedPriority:X().min(0).max(1).optional(),intelligencePriority:X().min(0).max(1).optional()}),nC=I({mode:rt(["auto","required","none"]).optional()}),oC=I({type:U("tool_result"),toolUseId:f().describe("The unique identifier for the corresponding tool call."),content:C(yu).default([]),structuredContent:I({}).loose().optional(),isError:oe().optional(),_meta:de(f(),_e()).optional()}),aC=lc("type",[fu,hu,gu]),si=lc("type",[fu,hu,gu,VR,oC]),iC=I({role:zo,content:fe([si,C(si)]),_meta:de(f(),_e()).optional()}),sC=To.extend({messages:C(iC),modelPreferences:rC.optional(),systemPrompt:f().optional(),includeContext:rt(["none","thisServer","allServers"]).optional(),temperature:X().optional(),maxTokens:X().int(),stopSequences:C(f()).optional(),metadata:Ie.optional(),tools:C(Gf).optional(),toolChoice:nC.optional()}),Cu=Te.extend({method:U("sampling/createMessage"),params:sC}),jr=Ae.extend({model:f(),stopReason:Se(rt(["endTurn","stopSequence","maxTokens"]).or(f())),role:zo,content:aC}),No=Ae.extend({model:f(),stopReason:Se(rt(["endTurn","stopSequence","maxTokens","toolUse"]).or(f())),role:zo,content:fe([si,C(si)])}),cC=I({type:U("boolean"),title:f().optional(),description:f().optional(),default:oe().optional()}),uC=I({type:U("string"),title:f().optional(),description:f().optional(),minLength:X().optional(),maxLength:X().optional(),format:rt(["email","uri","date","date-time"]).optional(),default:f().optional()}),dC=I({type:rt(["number","integer"]),title:f().optional(),description:f().optional(),minimum:X().optional(),maximum:X().optional(),default:X().optional()}),lC=I({type:U("string"),title:f().optional(),description:f().optional(),enum:C(f()),default:f().optional()}),pC=I({type:U("string"),title:f().optional(),description:f().optional(),oneOf:C(I({const:f(),title:f()})),default:f().optional()}),mC=I({type:U("string"),title:f().optional(),description:f().optional(),enum:C(f()),enumNames:C(f()).optional(),default:f().optional()}),fC=fe([lC,pC]),hC=I({type:U("array"),title:f().optional(),description:f().optional(),minItems:X().optional(),maxItems:X().optional(),items:I({type:U("string"),enum:C(f())}),default:C(f()).optional()}),gC=I({type:U("array"),title:f().optional(),description:f().optional(),minItems:X().optional(),maxItems:X().optional(),items:I({anyOf:C(I({const:f(),title:f()}))}),default:C(f()).optional()}),yC=fe([hC,gC]),SC=fe([mC,fC,yC]),vC=fe([SC,cC,uC,dC]),_C=To.extend({mode:U("form").optional(),message:f(),requestedSchema:I({type:U("object"),properties:de(f(),vC),required:C(f()).optional()})}),wC=To.extend({mode:U("url"),message:f(),elicitationId:f(),url:f().url()}),bC=fe([_C,wC]),Iu=Te.extend({method:U("elicitation/create"),params:bC}),RC=ut.extend({elicitationId:f()}),CC=dt.extend({method:U("notifications/elicitation/complete"),params:RC}),lr=Ae.extend({action:rt(["accept","decline","cancel"]),content:mc(e=>e===null?void 0:e,de(f(),fe([f(),X(),oe(),C(f())])).optional())}),IC=I({type:U("ref/resource"),uri:f()});var PC=I({type:U("ref/prompt"),name:f()}),xC=nt.extend({ref:fe([PC,IC]),argument:I({name:f(),value:f()}),context:I({arguments:de(f(),f()).optional()}).optional()}),kC=Te.extend({method:U("completion/complete"),params:xC});var Pu=Ae.extend({completion:Ce({values:C(f()).max(100),total:Se(X().int()),hasMore:Se(oe())})}),TC=I({uri:f().startsWith("file://"),name:f().optional(),_meta:de(f(),_e()).optional()}),AC=Te.extend({method:U("roots/list"),params:nt.optional()}),xu=Ae.extend({roots:C(TC)}),EC=dt.extend({method:U("notifications/roots/list_changed"),params:ut.optional()}),OD=fe([mi,li,kC,Ru,mu,lu,nu,au,cu,qR,DR,Mo,_u,hi,yi,Si,_i]),$D=fe([di,fi,pi,EC,$o]),zD=fe([Lt,jr,No,lr,xu,gi,vi,Bt]),MD=fe([mi,Cu,Iu,AC,hi,yi,Si,_i]),qD=fe([di,fi,eC,HR,du,bu,vu,$o,CC]),ND=fe([Lt,tu,Pu,Su,pu,ou,iu,uu,dr,wu,gi,vi,Bt]),x=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===E.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new Ht(a.elicitations,r)}return new e(t,r,n)}},Ht=class extends x{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(E.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};ae();var Kf=Je,UC=u.object({mode:u.literal("auto")}).strict(),OC=u.object({mode:u.literal("manual"),clientId:u.string().trim().min(1),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:hc.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:u.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),Jf=u.discriminatedUnion("mode",[UC,OC]),$C=Jf.default({mode:"auto"}),ku=u.object({scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:$C}).strict(),Ff=ku.extend({redirectPath:u.string().startsWith("/auth/connections/")}).strict(),Wf=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),zC=new Set([...Wf,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),MC=u.object({kind:u.literal("bearer_token"),token:u.string().min(1)}).strict(),qC=u.object({kind:u.literal("headers"),headers:u.array(u.object({name:Ka,value:u.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let i=a.name.toLowerCase();Wf.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(i)}}),Tu=u.discriminatedUnion("kind",[MC,qC]),NC=u.object({kind:u.literal("basic_auth_app_password"),usernameLabel:u.string().min(1).default("Username"),passwordLabel:u.string().min(1).default("App password")}).strict(),DC=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key"),capture:u.enum(["browser_login"]).optional()}).strict(),Au=u.discriminatedUnion("kind",[NC,DC]),Eu=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key")}).strict(),jC=u.discriminatedUnion("mode",[u.object({mode:u.literal("shared-oauth"),oauth:Ff}).strict(),u.object({mode:u.literal("user-oauth"),oauth:Ff}).strict(),u.object({mode:u.literal("static-secret"),secret:Tu}).strict(),u.object({mode:u.literal("user-secret"),secret:Au}).strict(),u.object({mode:u.literal("shared-secret"),secret:Eu}).strict()]),HC=u.object({baseUrl:u.url(),resourceMetadataUrl:u.url(),requestHeaders:u.array(gc).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let i=a.name.toLowerCase();zC.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(i)}}),VD=u.object({displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:Un.optional(),authProfiles:u.record(We,jC),transport:HC}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),LC=u.object({"shared-oauth":ku.optional(),"user-oauth":ku.optional(),"static-secret":u.object({secret:Tu}).strict().optional(),"user-secret":u.object({secret:Au}).strict().optional(),"shared-secret":u.object({secret:Eu}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),Zf=u.object({id:Kf,displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:Un.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url(),requestHeaders:u.array(gc).default([]),authProfiles:LC}).strict(),BC=u.object({name:Ka,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict(),wi={id:Kf.optional(),displayName:u.string().min(1),summary:u.string().min(1).optional(),serverInfo:Un.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url().optional(),requestHeaders:u.array(BC).default([])},GC=u.discriminatedUnion("authMode",[u.object({...wi,authMode:u.enum(["shared-oauth","user-oauth"]),scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:Jf.optional(),clientId:u.string().trim().min(1).optional(),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:hc.optional()}).strict(),u.object({...wi,authMode:u.literal("static-secret"),secret:Tu}).strict(),u.object({...wi,authMode:u.literal("user-secret"),secret:Au}).strict(),u.object({...wi,authMode:u.literal("shared-secret"),secret:Eu}).strict()]);function VC(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
+`)}o(VC,"formatZodIssues");function Yf(e){throw new ue(e)}o(Yf,"throwGatewayConfigError");function FC(e){let t="mcp-upstream-";return e.startsWith(t)||Yf(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),Je.parse(e.slice(t.length))}o(FC,"inferUpstreamConnectionIdFromPolicyName");function ZC(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(ZC,"buildDefaultProtectedResourceMetadataUrl");function $n(e,t){return We.parse(`${e}:${t}`)}o($n,"buildUpstreamAuthProfileId");function bi(e,t){try{let r=Zf.safeParse(e);if(r.success)return r.data;let n=GC.parse(e),a=n.id??(t===void 0?void 0:FC(t));a===void 0&&Yf("Upstream policy options must include id when policy name is unavailable.");let i=n.requestHeaders.map(c=>({name:c.name,value:c.value,required:c.required})),s=(()=>{switch(n.authMode){case"shared-oauth":case"user-oauth":{let c=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:c}}}case"static-secret":case"user-secret":case"shared-secret":return{[n.authMode]:{secret:n.secret}}}})();return Zf.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??ZC(n.mcpUrl),requestHeaders:i,authProfiles:s})}catch(r){if(r instanceof ue)throw r;if(r instanceof u.ZodError){let n=t===void 0?"MCP upstream policy":`Policy "${t}"`;throw new ue(`${n} is misconfigured. Missing/invalid options in policies.json:
+${VC(r)}`,{cause:r})}throw r}}o(bi,"parseUpstreamConnectionPolicyOptions");function Qf(e){return e.mode==="shared-oauth"||e.mode==="user-oauth"}o(Qf,"isUpstreamOAuthAuthConfig");ae();var KC=u.looseObject({name:u.string().min(1),version:u.string().min(1).optional()}),JC=u.looseObject({}),WC=u.looseObject({name:ar,namespace:ar.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional(),inputSchema:JC}),YC=u.looseObject({name:ar,namespace:ar.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional()}),QC=u.looseObject({name:ar,uri:u.string().min(1),upstreamPolicy:u.string().min(1).optional(),upstreamUri:u.string().min(1).optional(),enabled:u.boolean().optional()}),XC=u.enum(["openapi","upstream_mcp"]),eI=u.object({catalogSource:XC.default("openapi"),serverInfo:KC.optional(),tools:u.array(WC).default([]),prompts:u.array(YC).default([]),resources:u.array(QC).default([])}).strict();function tI(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
+`)}o(tI,"formatZodIssues");function Xf(e,t){try{return eI.parse(e??{})}catch(r){if(r instanceof u.ZodError){let n=t===void 0?"MCP virtual server route":`MCP virtual server route ${t}`;throw new ue(`${n} is misconfigured. Missing/invalid handler options in routes.oas.json:
+${tI(r)}`,{cause:r})}throw r}}o(Xf,"parseVirtualServerRouteOptions");function Ri(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Ri,"toMcpTool");function Ci(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(Ci,"toMcpPrompt");function Ii(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(Ii,"toMcpResource");var rI="mcp-upstream-connection-inbound",eh="/mcp/";function Be(e){throw new ue(e)}o(Be,"throwRegistryError");function nI(e){return e.policyType===rI}o(nI,"isUpstreamConnectionPolicy");function oI(e){return ko(e.policyType)}o(oI,"isMcpOAuthInboundPolicy");function aI(e){return e instanceof ue?e:new ue(e instanceof Error?e.message:"MCP virtual server route is misconfigured.",e instanceof Error?{cause:e}:void 0)}o(aI,"toRouteConfigurationError");function iI(e){e.startsWith(eh)||Be(`MCP virtual server route ${e} must use a /mcp/{virtualServerId} path.`);let t=e.slice(eh.length);return(!t||t.includes("/"))&&Be(`MCP virtual server route ${e} must use exactly one /mcp/{virtualServerId} path segment.`),xe.parse(t)}o(iI,"readVirtualServerIdFromPath");function sI(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&Be(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&Be(`Upstream policy ${e.policyName} does not declare an auth mode.`),Za.parse(r)}o(sI,"readSingleAuthMode");function cI(e){let t=e.connection.authProfiles[e.authMode];t||Be(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"shared-oauth":case"user-oauth":{let n=t;return{mode:e.authMode,oauth:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,redirectPath:r,clientRegistration:n.clientRegistration}}}case"static-secret":return{mode:"static-secret",secret:t.secret};case"user-secret":return{mode:"user-secret",secret:t.secret};case"shared-secret":return{mode:"shared-secret",secret:t.secret}}}o(cI,"buildResolvedAuthConfig");function uI(e){let t=sI({policyName:e.policyName,connection:e.connection}),r=$n(e.connection.id,t),n=cI({connection:e.connection,authMode:t,authProfileId:r}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(uI,"buildRegisteredConnection");function dI(e){let t=new Map;for(let r of e)t.has(r.name)&&Be(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(dI,"buildPolicyMap");function lI(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(lI,"readOperationId");function th(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`;try{return ar.parse(t)}catch{Be(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`)}}o(th,"buildPublishedCapabilityName");function $u(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||Be(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;Be(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o($u,"readCapabilityUpstreamPolicy");function Uu(e){e.seen.has(e.key)&&Be(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(Uu,"assertUniqueCatalogKey");function pI(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=th({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:$u({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(pI,"normalizeCatalogTool");function mI(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=th({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:$u({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(mI,"normalizeCatalogPrompt");function fI(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:$u({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(fI,"normalizeCatalogResource");function hI(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>pI({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>mI({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>fI({resource:d,connections:e.connections,routePath:e.routePath})),i=new Set;for(let d of r)Uu({kind:"tool",key:d.name,routePath:e.routePath,seen:i});let s=new Set;for(let d of n)Uu({kind:"prompt",key:d.name,routePath:e.routePath,seen:s});let c=new Set;for(let d of a)Uu({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:c});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(hI,"normalizeVirtualServerCatalog");function gI(e){let t=new Map,r=new Map,n=new Map,a=new Set,i=new Set;function s(c){let d=n.get(c.name);if(d)return d;let p=bi(c.handler.options,c.name);a.has(p.id)&&Be(`Duplicate upstream MCP connection id ${p.id} in policies.json.`),a.add(p.id);let l=uI({policyName:c.name,connection:p});return n.set(c.name,l),l}o(s,"readConnectionForPolicy");for(let c of e.routes){let d=c.policies?.inbound??[];if(d.length===0)continue;let p=d[0],l=p===void 0?void 0:e.policyByName.get(p);if(!l||!oI(l))continue;let m=lI(c),h;try{h=iI(c.path),m||Be(`MCP virtual server route ${c.path} must declare an operationId in routes.oas.json.`),i.has(m)&&Be(`Duplicate MCP virtual server operationId ${m} across routes.`),t.has(h)&&Be(`Duplicate MCP virtual server id ${h} across routes.`);let y=[];for(let _ of d.slice(1)){let w=e.policyByName.get(_);!w||!nI(w)||y.push(s(w))}let v=Xf(c.handler.options,c.path),S=hI({catalog:v,connections:y,routePath:c.path});S.catalogSource==="upstream_mcp"&&y.length!==1&&Be(`MCP virtual server route ${c.path} uses upstream MCP catalog mode but declares ${y.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`),t.set(h,{virtualServerId:h,operationId:m,routePath:c.path,handlerExport:c.handler.export,serverInfo:S.serverInfo,catalog:S,connections:y}),i.add(m)}catch(y){h!==void 0&&r.set(h,aI(y))}}return{byVirtualServerId:t,virtualServerErrorsById:r,connectionsByPolicyName:n}}o(gI,"buildVirtualServers");function zu(e){let t=dI(e.policies),{byVirtualServerId:r,virtualServerErrorsById:n,connectionsByPolicyName:a}=gI({routes:e.routes,policyByName:t}),i=new Map;for(let s of a.values())i.set(s.upstreamServerId,s);return{byVirtualServerId:r,connectionsById:i,virtualServerErrorsById:n}}o(zu,"buildGatewayConnectionRegistry");var Hr,Ou;function rh(e){Ou=e,Hr=void 0}o(rh,"configureGatewayConnectionRegistrySource");function nh(e){Hr=e}o(nh,"setGatewayConnectionRegistry");function yt(){if(!Hr&&Ou&&(Hr=zu(Ou)),!Hr)throw g("internal_server_error","MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return Hr}o(yt,"getGatewayConnectionRegistry");function Mr(e){let t=yt(),r=t.virtualServerErrorsById?.get(e);if(r)throw r;let n=t.byVirtualServerId.get(e);if(!n)throw g("unknown_virtual_server",`Unknown MCP virtual server: ${e}`);return n}o(Mr,"getRegisteredVirtualServer");function oh(){return Hr}o(oh,"tryGetGatewayConnectionRegistry");function De(e){let t=yt().connectionsById.get(e);if(!t)throw g("unknown_upstream_server",`Unknown upstream server: ${e}`);return t.config}o(De,"getUpstreamServerConfig");function yI(e){let t=yt().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw g("unknown_auth_profile",`Unknown auth profile ${String(e.authProfileId)} for upstream server ${e.upstreamServerId}.`);return t.authProfileId}o(yI,"resolveUpstreamAuthProfileId");function pr(e){yI(e);let t=yt().connectionsById.get(e.upstreamServerId);if(!t)throw g("unknown_auth_profile",`Auth profile could not be resolved for upstream server ${e.upstreamServerId}.`);return t.authConfig}o(pr,"getUpstreamAuthConfig");function Lr(e,t){let r=pr({upstreamServerId:e,authProfileId:t});if(!Qf(r))throw g("invalid_request",`Upstream server ${e} does not use upstream OAuth.`);return r.oauth}o(Lr,"requireUpstreamOAuthConfig");function SI(){let e=uc.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP;return typeof e=="string"&&e==="1"}o(SI,"isTestOnlyAllowHttpLoopbackIdpEnabled");var vI=new Set(["undefined","null","nan"]);function qu(e,t){if(!e.hostname)throw g("invalid_request",`Outbound URL has an empty hostname (got ${JSON.stringify(t)}). This typically indicates an unset $env(...) reference or a JS template literal coercing \`undefined\` into a URL. Check the policy options or runtime config that produced this URL.`);if(vI.has(e.hostname.toLowerCase()))throw g("invalid_request",`Outbound URL hostname is ${JSON.stringify(e.hostname)} (from ${JSON.stringify(t)}). This almost always means an environment variable referenced by $env(...) is unset and a JS value was string-coerced into a URL. Set the missing env var or fix the policy option that produced this URL.`)}o(qu,"assertSafeOutboundHostname");var _I=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),wI=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function ah(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(ah,"parseIpv4Octets");function bI([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(bI,"ipv4RangeMatches");function ih(e){let t=ah(e);return t!==void 0&&wI.some(r=>bI(t,r))}o(ih,"isPrivateIpv4");function Mu(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(Mu,"parseIpv6Word");function RI(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(RI,"formatIpv4FromWords");function CI(e){let t=e.slice(7),r=ah(t);if(r!==void 0)return r.join(".");let[n,a,i]=t.split(":"),s=Mu(n),c=Mu(a);return i===void 0&&s!==void 0&&c!==void 0?RI(s,c):void 0}o(CI,"parseIpv6MappedIpv4");function II(e){return Mu(e.split(":").find(Boolean))}o(II,"readFirstIpv6Hextet");function PI(e){let t=Nt(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=CI(t);return n===void 0||ih(n)}let r=II(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(PI,"isPrivateIpv6");function Nu(e){let t=Nt(e);return _I.has(t)||t.endsWith(".internal")||ih(t)||PI(t)}o(Nu,"isBlockedOutboundHostname");function sh(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw g("invalid_request",`Unsupported outbound protocol: ${t.protocol}`);qu(t,e);let r=qe(t);if(t.protocol==="http:"&&!r)throw g("invalid_request","Configured outbound HTTP URLs must target loopback hosts.");let n=Nt(t.hostname);if(!r&&Nu(n))throw g("invalid_request",`Blocked outbound host: ${n}`);return t}o(sh,"validateConfiguredOutboundUrl");function ch(e){let t=new URL(e),r=qe(t),n=r&&SI();if(t.protocol!=="https:"&&!n)throw g("invalid_request","Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw g("invalid_request","Identity provider URLs must not include credentials, query params, or fragments.");qu(t,e);let a=Nt(t.hostname);if(!r&&Nu(a))throw g("invalid_request",`Blocked identity provider host: ${a}`);return t}o(ch,"validateIdentityProviderUrl");function Pi(e){let t=new URL(e);if(t.protocol!=="https:"||t.pathname==="/"||t.username||t.password||t.search||t.hash)throw g("invalid_request","CIMD client_id must be an HTTPS URL with a path and no credentials, query, or fragment.");if(qu(t,e),Nu(t.hostname))throw g("invalid_request","CIMD client_id points at a blocked host.");return t}o(Pi,"validateCimdClientMetadataUrl");function uh(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(uh,"mergeAbortSignals");async function xI(e){try{await e.cancel()}catch{}}o(xI,"cancelReader");async function xi(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,i=await r.read();for(;!i.done;){let d=i.value;if(a+=d.byteLength,a>t.maxBytes)throw await xI(r),t.createLimitError();n.push(d),i=await r.read()}let s=new Uint8Array(a),c=0;for(let d of n)s.set(d,c),c+=d.byteLength;return s}o(xi,"readBoundedByteStream");var kI=2,TI=1024*1024,AI=1e4,EI=new Set([301,302,303,307,308]),UI=["authorization","proxy-authorization","cookie","cookie2"];function Du(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(Du,"readRequestUrl");function zn(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(zn,"readRequestMethod");function OI(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g(r,"Outbound response exceeded the maximum allowed size.")}o(OI,"assertContentLengthWithinLimit");async function $I(e,t,r){return OI(e,t,r),xi(e.body,{maxBytes:t,createLimitError:o(()=>g(r,"Outbound response exceeded the maximum allowed size."),"createLimitError")})}o($I,"readBoundedResponseBody");function zI(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(zI,"responseFromBufferedBody");function MI(e,t){if(!EI.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(MI,"resolveRedirectUrl");function dh(e,t){try{return t.validateUrl(e)}catch(r){throw g(t.problemCode,"Outbound URL was not allowed.",r)}}o(dh,"validateOutboundUrl");function qI(e,t){throw ge(e)!==void 0?e:g(t,"Outbound fetch failed.",e)}o(qI,"normalizeFetchError");function Do(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&Ye(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(Do,"logOutboundFailure");async function NI(e,t,r,n,a,i,s){let c=zn(r,n);try{return await t(r,n)}catch(d){let p=d instanceof DOMException&&d.name==="AbortError";Do(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:c,host:st(i),error:d,extra:{abortReason:s()}}),qI(d,a)}}o(NI,"fetchWithNormalizedError");function DI(e){if(e.redirects>=e.maxRedirects)throw g(e.problemCode,"Outbound redirects exceeded the maximum allowed depth.");if(e.method!=="GET"&&e.method!=="HEAD")throw g(e.problemCode,"Outbound redirect after a non-idempotent request was blocked.")}o(DI,"assertRedirectAllowed");function jI(e,t){let r=new Headers(e);for(let n of UI)r.delete(n);for(let n of t)r.delete(n);return r}o(jI,"stripCrossOriginHeaders");function HI(e,t,r,n,a){let i={...e,method:t,redirect:"manual",signal:r};return n&&(i.headers=jI(e.headers,a)),i}o(HI,"buildRedirectInit");function LI(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(LI,"buildInitialRequestInit");function BI(e){let t=zn(e.currentInput,e.currentInit);DI({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=dh(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,i=r.toString();return{currentInput:i,currentUrl:i,currentInit:HI(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(BI,"followRedirect");async function ju(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??kI,i=r.maxResponseBytes??TI,s=r.timeoutMs??AI,c=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],p=r.context,l=new AbortController,m=uh(l,t.signal),h=!1,y=setTimeout(()=>{h=!0,l.abort()},s),v=e,S=LI(e,t,l.signal),_;try{_=dh(Du(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(b){throw Do(p,{event:"outbound_url_blocked",problemCode:n,method:zn(e,t),host:st(Du(e)),error:b}),clearTimeout(y),m?.(),b}let w=0;try{for(;;){let b=await NI(p,c,v,S,n,_,()=>h?`timeout_after_${s}ms`:void 0),R=MI(b,_);if(R!==void 0)try{let z=BI({currentInput:v,currentInit:S,currentUrl:_,redirectUrl:R,redirects:w,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:l.signal,additionalCrossOriginStrippedHeaders:d});v=z.currentInput,S=z.currentInit,_=z.currentUrl,w=z.redirects;continue}catch(z){throw Do(p,{event:"outbound_redirect_blocked",problemCode:n,method:zn(v,S),host:st(_),error:z,extra:{redirects:w,maxRedirects:a,redirectTargetHost:st(R)}}),z}try{return zI(b,await $I(b,i,n))}catch(z){throw Do(p,{event:"outbound_response_size_exceeded",problemCode:n,method:zn(v,S),host:st(_),error:z,extra:{maxResponseBytes:i,status:b.status}}),z}}}finally{clearTimeout(y),m?.()}}o(ju,"runSafeOutboundExchange");async function Hu(e,t,r){let n=await ju(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw Do(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:zn(e,t),host:st(Du(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),g(r.problemCode??"invalid_request","Outbound JSON response could not be parsed.",a)}}o(Hu,"runSafeOutboundJsonExchange");function Mn(e,t={},r={}){return ju(e,t,{...r,validateUrl:sh})}o(Mn,"fetchConfiguredOutbound");function lh(e,t={},r={}){return Hu(e,t,{...r,validateUrl:ch})}o(lh,"fetchIdentityProviderJson");function ph(e,t={},r={}){return Hu(e,t,{...r,validateUrl:Pi})}o(ph,"fetchCimdClientMetadataJson");var GI={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"static-secret":{authMode:"static-secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured-static-secret"},"shared-secret":{authMode:"shared-secret",ownerMode:"shared",connectSupport:"none",connectUnsupportedDetail:"Shared static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"shared_secret_connection"},"user-secret":{authMode:"user-secret",ownerMode:"user",connectSupport:"user_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_secret_connection"}};function Pt(e){return GI[e]}o(Pt,"describeUpstreamAuthMode");function ki(e){return Pt(e).ownerMode}o(ki,"resolveOwnerModeForUpstreamAuthMode");ae();import{errors as _h,jwtVerify as wh,SignJWT as bh}from"jose";import{base64url as VI}from"jose";var FI=new TextEncoder,ZI="MCP gateway could not initialize secure key material.",KI=32,mh=new Map,fh=new Map,JI;function WI(){return JI??So.instance.authPrivateKey}o(WI,"readAuthPrivateKey");function hh(e){return new Sn(ZI,e===void 0?void 0:{cause:e})}o(hh,"createGeneratedKeyMaterialError");function gh(e,t){let r=VI.decode(t);if(r.byteLength!==KI)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}o(gh,"decodeJwkKeyField");function YI(e){let t=WI();if(!t)throw hh();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let n=gh("d",r.d);gh("x",r.x);let a=FI.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),i=new Uint8Array(a.byteLength+n.byteLength);return i.set(a),i.set(n,a.byteLength),i}catch(r){throw hh(r)}}o(YI,"decodeGeneratedKeyMaterial");function QI(e){let t=mh.get(e);return t||(t=YI(e),mh.set(e,t)),t}o(QI,"getMasterKeyMaterial");async function xt(e){let t=fh.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(QI(e.keyMaterialPurpose));return fh.set(e.purpose,r),r}o(xt,"readCachedDerivedKey");var XI="SHA-256";var eP="zuplo-mcp-gateway:",tP=new TextEncoder,yh=new WeakMap;async function mr(e,t){let r=yh.get(e);r||(r=new Map,yh.set(e,r));let n=r.get(t);if(n)return n;let a=await rP(e,t);return r.set(t,a),a}o(mr,"deriveGatewaySigningKey");async function rP(e,t){let r=Sh(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=tP.encode(`${eP}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:XI,salt:new Uint8Array,info:Sh(a)},n,32*8);return new Uint8Array(i)}o(rP,"hkdfExpand");function Sh(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Sh,"copyToArrayBuffer");var Ti="HS256",Rh=15*60,nP=15*60,Ai="zuplo-mcp-gateway",Ei="zuplo-mcp-gateway",oP=Am.extend({id:xn}),aP=oP.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),Ch=In.extend({id:Po,purpose:u.literal("browser_connect")}),iP=In.extend({purpose:u.literal("browser_connect")}),sP=Ch.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),Ih=Rh*1e3;async function Ph(){return xt({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>mr(e,"oauth-state"),"derive")})}o(Ph,"getOAuthStateKey");async function xh(){return xt({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>mr(e,"browser-connect"),"derive")})}o(xh,"getBrowserConnectKey");async function kh(e){let t=Math.floor(Date.now()/1e3)+Rh;return new bh(e).setProtectedHeader({alg:Ti,typ:"JWT"}).setIssuer(Ai).setAudience(Ei).setIssuedAt().setExpirationTime(t).sign(await Ph())}o(kh,"signOAuthState");async function Ui(e){try{let{payload:t}=await wh(e,await Ph(),{algorithms:[Ti],issuer:Ai,audience:Ei});return aP.parse(t)}catch(t){throw t instanceof _h.JWTExpired?g("oauth_state_expired","OAuth state has expired",t):g("oauth_state_invalid","OAuth state could not be verified",t)}}o(Ui,"verifyOAuthState");async function Th(e){let t=Math.floor(Date.now()/1e3)+nP,r=iP.parse(e),n=Ch.parse({...r,id:zm()});return new bh(n).setProtectedHeader({alg:Ti,typ:"JWT"}).setIssuer(Ai).setAudience(Ei).setIssuedAt().setExpirationTime(t).sign(await xh())}o(Th,"signBrowserConnectTicket");async function Oi(e){try{let{payload:t}=await wh(e,await xh(),{algorithms:[Ti],issuer:Ai,audience:Ei});return sP.parse(t)}catch(t){throw t instanceof _h.JWTExpired?g("oauth_state_expired","Browser connect ticket has expired",t):g("oauth_state_invalid","Browser connect ticket could not be verified",t)}}o(Oi,"verifyBrowserConnectTicket");async function $i(e){if((await K().consumeBrowserConnectTicket({id:e.id,expiresAt:re(new Date(e.exp*1e3)),now:re(new Date)})).kind==="consumed")throw g("oauth_state_reused","Browser connect ticket has already been used")}o($i,"consumeBrowserConnectTicket");function cP(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(cP,"buildConnectRequiredMessage");async function Ah(e){let t=ie(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await Th({...Io(e),purpose:"browser_connect"})),r.toString()}o(Ah,"buildGatewayBrowserTicketUrl");function uP(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(uP,"buildGatewayConnectPath");async function Lu(e){return Ah({...e,path:uP(e.upstreamServerId),redirect:!0})}o(Lu,"buildGatewayConnectUrl");async function Eh(e){return Ah({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(Eh,"buildGatewayAppPasswordCaptureUrl");async function qn(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await Lu(t),message:cP(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(qn,"buildRedirectConnectRequiredResponse");function Uh(e){return Oh({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(Uh,"buildAdminConnectRequiredResponse");function Oh(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(Oh,"buildAdminSetupRequiredResponse");function $h(e){return Oh({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o($h,"buildAdminStaticSecretRequiredResponse");ae();import{base64url as fr}from"jose";var dP="SHA-256",Dn="AES-GCM",lP=12,Gu="zuplo-secret",Vu=1,zh="generated:auth_private_key:token-encryption",pP=u.object({version:u.literal(Vu),keyId:u.literal(zh),algorithm:u.literal(Dn),iv:u.string().min(1),ciphertext:u.string().min(1)}).strict();function Nn(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Nn,"copyToArrayBuffer");async function Bu(){return xt({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:o(async e=>{let t=await crypto.subtle.digest(dP,Nn(e));return crypto.subtle.importKey("raw",t,{name:Dn},!1,["encrypt","decrypt"])},"derive")})}o(Bu,"getEncryptionKey");function Mh(e){return Nn(new TextEncoder().encode(`${Gu}:v${e.version}:${e.keyId}`))}o(Mh,"getAssociatedData");function mP(e){return`${Gu}:v${e.version}:${fr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(mP,"encodeEnvelope");function fP(e){let t=`${Gu}:v${Vu}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(fr.decode(r));return pP.parse(JSON.parse(n))}o(fP,"decodeEnvelope");async function Br(e){let t=await Bu(),r=crypto.getRandomValues(new Uint8Array(lP)),n={version:Vu,keyId:zh},a=await crypto.subtle.encrypt({name:Dn,iv:r,additionalData:Mh(n)},t,new TextEncoder().encode(e));return mP({...n,algorithm:Dn,iv:fr.encode(r),ciphertext:fr.encode(new Uint8Array(a))})}o(Br,"encryptSecret");async function Gt(e){let t=fP(e);if(t){let s=await Bu(),c=await crypto.subtle.decrypt({name:Dn,iv:Nn(fr.decode(t.iv)),additionalData:Mh(t)},s,Nn(fr.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,n]=e.split(".");if(!r||!n)throw g("internal_server_error","Encrypted payload is malformed");let a=await Bu(),i=await crypto.subtle.decrypt({name:Dn,iv:Nn(fr.decode(r))},a,Nn(fr.decode(n)));return new TextDecoder().decode(i)}o(Gt,"decryptSecret");function hP(e,t){let r=pr({upstreamServerId:e,authProfileId:t});if(r.mode!=="shared-secret")throw g("invalid_request",`Upstream server ${e} does not use tenant static credentials.`);return r.secret}o(hP,"requireTenantStaticSecretConfig");function qh(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(qh,"hasUsableTenantStaticSecret");async function gP(e){if(!qh(e.connection))throw g("internal_server_error","Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await Gt(e.connection.metadata.encryptedStaticSecret)}}o(gP,"resolveTenantStaticSecretCredential");async function Nh(e){let t=De(e.upstreamServerId);hP(e.upstreamServerId,e.authProfileId);let r="preloadedConnection"in e?e.preloadedConnection:(await K().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(qh(r))return{kind:"authorized",credential:await gP({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:$h(n)}}o(Nh,"resolveTenantStaticSecretCredentialForRequest");ae();async function Fu(e){return K().upsertUpstreamConnection({id:oi(),ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(Fu,"upsertStaticSecretConnection");var yP=u.string().trim().min(1).max(320),SP=u.string().min(1).max(4096),vP=u.string().trim().min(1).max(4096);function Zu(e,t){let r=pr({upstreamServerId:e,authProfileId:t});if(r.mode!=="user-secret")throw g("invalid_request",`Upstream server ${e} does not use user static credentials.`);return r.secret}o(Zu,"requireUserStaticSecretConfig");function _P(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(_P,"encodeBase64Utf8");function wP(e){return`Basic ${_P(`${e.username}:${e.appPassword}`)}`}o(wP,"buildBasicAuthHeader");function Dh(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(Dh,"hasEncryptedUserStaticSecret");async function bP(e){if(!Dh(e.connection))throw g("internal_server_error","Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await Gt(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:wP({username:e.connection.metadata.staticSecretUsername,appPassword:await Gt(e.connection.metadata.encryptedStaticSecret)})}};throw g("internal_server_error","Stored user static credential kind is unsupported.")}o(bP,"resolveUserStaticSecretCredential");async function jh(e){if(Zu(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw g("invalid_request","This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=yP.parse(e.username),n=SP.parse(e.appPassword);return Fu({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await Br(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(jh,"saveUserStaticSecretCredential");async function zi(e){let t=Zu(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw g("invalid_request","This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw g("invalid_request","User static credentials must be stored under a user-owned connection.");let r=vP.parse(e.token);return Fu({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await Br(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(zi,"saveUserStaticBearerTokenCredential");function Ku(e,t){return Zu(e,t)}o(Ku,"readUserStaticSecretCaptureConfig");async function Hh(e){let t=De(e.upstreamServerId);if(e.owner.mode!=="user")throw g("internal_server_error","User static credential flow resolved a non-user owner.");let r="preloadedConnection"in e?e.preloadedConnection:(await K().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(Dh(r))return{kind:"authorized",credential:await bP({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await qn(n)}}o(Hh,"resolveUserStaticSecretCredentialForRequest");function Lh(e){if(e.owner.mode!=="user")throw g("invalid_request","User static credential capture requires a user-owned connection.");return Eh({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(Lh,"buildUserStaticSecretConnectUrl");var Ju;Ju=globalThis.crypto;async function RP(e){return(await Ju).getRandomValues(new Uint8Array(e))}o(RP,"getRandomValues");async function CP(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await RP(e-n.length);for(let i of a)i<r&&(n+=t[i%t.length])}return n}o(CP,"random");async function IP(e){return await CP(e)}o(IP,"generateVerifier");async function PP(e){let t=await(await Ju).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(PP,"generateChallenge");async function Wu(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await IP(e),r=await PP(t);return{code_verifier:t,code_challenge:r}}o(Wu,"pkceChallenge");ae();var Ee=Yp().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:tm.custom,message:"URL must be parseable",fatal:!0}),Jp}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),Mi=Ce({resource:f().url(),authorization_servers:C(Ee).optional(),jwks_uri:f().url().optional(),scopes_supported:C(f()).optional(),bearer_methods_supported:C(f()).optional(),resource_signing_alg_values_supported:C(f()).optional(),resource_name:f().optional(),resource_documentation:f().optional(),resource_policy_uri:f().url().optional(),resource_tos_uri:f().url().optional(),tls_client_certificate_bound_access_tokens:oe().optional(),authorization_details_types_supported:C(f()).optional(),dpop_signing_alg_values_supported:C(f()).optional(),dpop_bound_access_tokens_required:oe().optional()}),jo=Ce({issuer:f(),authorization_endpoint:Ee,token_endpoint:Ee,registration_endpoint:Ee.optional(),scopes_supported:C(f()).optional(),response_types_supported:C(f()),response_modes_supported:C(f()).optional(),grant_types_supported:C(f()).optional(),token_endpoint_auth_methods_supported:C(f()).optional(),token_endpoint_auth_signing_alg_values_supported:C(f()).optional(),service_documentation:Ee.optional(),revocation_endpoint:Ee.optional(),revocation_endpoint_auth_methods_supported:C(f()).optional(),revocation_endpoint_auth_signing_alg_values_supported:C(f()).optional(),introspection_endpoint:f().optional(),introspection_endpoint_auth_methods_supported:C(f()).optional(),introspection_endpoint_auth_signing_alg_values_supported:C(f()).optional(),code_challenge_methods_supported:C(f()).optional(),client_id_metadata_document_supported:oe().optional()}),xP=Ce({issuer:f(),authorization_endpoint:Ee,token_endpoint:Ee,userinfo_endpoint:Ee.optional(),jwks_uri:Ee,registration_endpoint:Ee.optional(),scopes_supported:C(f()).optional(),response_types_supported:C(f()),response_modes_supported:C(f()).optional(),grant_types_supported:C(f()).optional(),acr_values_supported:C(f()).optional(),subject_types_supported:C(f()),id_token_signing_alg_values_supported:C(f()),id_token_encryption_alg_values_supported:C(f()).optional(),id_token_encryption_enc_values_supported:C(f()).optional(),userinfo_signing_alg_values_supported:C(f()).optional(),userinfo_encryption_alg_values_supported:C(f()).optional(),userinfo_encryption_enc_values_supported:C(f()).optional(),request_object_signing_alg_values_supported:C(f()).optional(),request_object_encryption_alg_values_supported:C(f()).optional(),request_object_encryption_enc_values_supported:C(f()).optional(),token_endpoint_auth_methods_supported:C(f()).optional(),token_endpoint_auth_signing_alg_values_supported:C(f()).optional(),display_values_supported:C(f()).optional(),claim_types_supported:C(f()).optional(),claims_supported:C(f()).optional(),service_documentation:f().optional(),claims_locales_supported:C(f()).optional(),ui_locales_supported:C(f()).optional(),claims_parameter_supported:oe().optional(),request_parameter_supported:oe().optional(),request_uri_parameter_supported:oe().optional(),require_request_uri_registration:oe().optional(),op_policy_uri:Ee.optional(),op_tos_uri:Ee.optional(),client_id_metadata_document_supported:oe().optional()}),qi=I({...xP.shape,...jo.pick({code_challenge_methods_supported:!0}).shape}),Ho=I({access_token:f(),id_token:f().optional(),token_type:f(),expires_in:rm.number().optional(),scope:f().optional(),refresh_token:f().optional()}).strip(),Gh=I({error:f(),error_description:f().optional(),error_uri:f().optional()}),Bh=Ee.optional().or(U("").transform(()=>{})),kP=I({redirect_uris:C(Ee),token_endpoint_auth_method:f().optional(),grant_types:C(f()).optional(),response_types:C(f()).optional(),client_name:f().optional(),client_uri:Ee.optional(),logo_uri:Bh,scope:f().optional(),contacts:C(f()).optional(),tos_uri:Bh,policy_uri:f().optional(),jwks_uri:Ee.optional(),jwks:Xp().optional(),software_id:f().optional(),software_version:f().optional(),software_statement:f().optional()}).strip(),Yu=I({client_id:f(),client_secret:f().optional(),client_id_issued_at:X().optional(),client_secret_expires_at:X().optional()}).strip(),Lo=kP.merge(Yu),TH=I({error:f(),error_description:f().optional()}).strip(),AH=I({token:f(),token_type_hint:f().optional()}).strip();function Vh(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(Vh,"resourceUrlFromServerUrl");function Fh({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(i)}o(Fh,"checkResourceAllowed");var be=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Bo=class extends be{static{o(this,"InvalidRequestError")}};Bo.errorCode="invalid_request";var Gr=class extends be{static{o(this,"InvalidClientError")}};Gr.errorCode="invalid_client";var Vr=class extends be{static{o(this,"InvalidGrantError")}};Vr.errorCode="invalid_grant";var Fr=class extends be{static{o(this,"UnauthorizedClientError")}};Fr.errorCode="unauthorized_client";var Go=class extends be{static{o(this,"UnsupportedGrantTypeError")}};Go.errorCode="unsupported_grant_type";var Vo=class extends be{static{o(this,"InvalidScopeError")}};Vo.errorCode="invalid_scope";var Fo=class extends be{static{o(this,"AccessDeniedError")}};Fo.errorCode="access_denied";var Vt=class extends be{static{o(this,"ServerError")}};Vt.errorCode="server_error";var Zo=class extends be{static{o(this,"TemporarilyUnavailableError")}};Zo.errorCode="temporarily_unavailable";var Ko=class extends be{static{o(this,"UnsupportedResponseTypeError")}};Ko.errorCode="unsupported_response_type";var Jo=class extends be{static{o(this,"UnsupportedTokenTypeError")}};Jo.errorCode="unsupported_token_type";var Wo=class extends be{static{o(this,"InvalidTokenError")}};Wo.errorCode="invalid_token";var Yo=class extends be{static{o(this,"MethodNotAllowedError")}};Yo.errorCode="method_not_allowed";var Qo=class extends be{static{o(this,"TooManyRequestsError")}};Qo.errorCode="too_many_requests";var Zr=class extends be{static{o(this,"InvalidClientMetadataError")}};Zr.errorCode="invalid_client_metadata";var Xo=class extends be{static{o(this,"InsufficientScopeError")}};Xo.errorCode="insufficient_scope";var ea=class extends be{static{o(this,"InvalidTargetError")}};ea.errorCode="invalid_target";var Zh={[Bo.errorCode]:Bo,[Gr.errorCode]:Gr,[Vr.errorCode]:Vr,[Fr.errorCode]:Fr,[Go.errorCode]:Go,[Vo.errorCode]:Vo,[Fo.errorCode]:Fo,[Vt.errorCode]:Vt,[Zo.errorCode]:Zo,[Ko.errorCode]:Ko,[Jo.errorCode]:Jo,[Wo.errorCode]:Wo,[Yo.errorCode]:Yo,[Qo.errorCode]:Qo,[Zr.errorCode]:Zr,[Xo.errorCode]:Xo,[ea.errorCode]:ea};var Ft=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function TP(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(TP,"isClientAuthMethod");var Qu="code",Xu="S256";function AP(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&TP(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(AP,"selectClientAuthMethod");function EP(e,t,r,n){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":UP(a,i,r);return;case"client_secret_post":OP(a,i,n);return;case"none":$P(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(EP,"applyClientAuthentication");function UP(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(UP,"applyBasicAuth");function OP(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(OP,"applyPostAuth");function $P(e,t){t.set("client_id",e)}o($P,"applyPublicAuth");async function Jh(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=Gh.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=n,c=Zh[a]||Vt;return new c(i||"",s)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new Vt(a)}}o(Jh,"parseErrorResponse");async function hr(e,t){try{return await ed(e,t)}catch(r){if(r instanceof Gr||r instanceof Fr)return await e.invalidateCredentials?.("all"),await ed(e,t);if(r instanceof Vr)return await e.invalidateCredentials?.("tokens"),await ed(e,t);throw r}}o(hr,"auth");async function ed(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),c,d,p,l=a;if(!l&&s?.resourceMetadataUrl&&(l=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(d=s.authorizationServerUrl,c=s.resourceMetadata,p=s.authorizationServerMetadata??await Yh(d,{fetchFn:i}),!c)try{c=await Wh(t,{resourceMetadataUrl:l},i)}catch{}(p!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}else{let R=await jP(t,{resourceMetadataUrl:l,fetchFn:i});d=R.authorizationServerUrl,p=R.authorizationServerMetadata,c=R.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}let m=await zP(t,e,c),h=n||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,y=await Promise.resolve(e.clientInformation());if(!y){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let R=p?.client_id_metadata_document_supported===!0,z=e.clientMetadataUrl;if(z&&!rd(z))throw new Zr(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${z}`);if(R&&z)y={client_id:z},await e.saveClientInformation?.(y);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Me=await VP(d,{metadata:p,clientMetadata:e.clientMetadata,scope:h,fetchFn:i});await e.saveClientInformation(Me),y=Me}}let v=!e.redirectUrl;if(r!==void 0||v){let R=await GP(e,d,{metadata:p,resource:m,authorizationCode:r,fetchFn:i});return await e.saveTokens(R),"AUTHORIZED"}let S=await e.tokens();if(S?.refresh_token)try{let R=await BP(d,{metadata:p,clientInformation:y,refreshToken:S.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(R),"AUTHORIZED"}catch(R){if(!(!(R instanceof be)||R instanceof Vt))throw R}let _=e.state?await e.state():void 0,{authorizationUrl:w,codeVerifier:b}=await HP(d,{metadata:p,clientInformation:y,state:_,redirectUrl:e.redirectUrl,scope:h,resource:m});return await e.saveCodeVerifier(b),await e.redirectToAuthorization(w),"REDIRECT"}o(ed,"authInternal");function rd(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(rd,"isHttpsUrl");async function zP(e,t,r){let n=Vh(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!Fh({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o(zP,"selectResourceURL");function nd(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=td(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=td(e,"scope")||void 0,c=td(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:c}}o(nd,"extractWWWAuthenticateParams");function td(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(td,"extractFieldFromWwwAuth");async function Wh(e,t,r=fetch){let n=await NP(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return Mi.parse(await n.json())}o(Wh,"discoverOAuthProtectedResourceMetadata");async function od(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?od(e,void 0,r):void 0;throw n}}o(od,"fetchWithCorsRetry");function MP(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(MP,"buildWellKnownPath");async function Kh(e,t,r=fetch){return await od(e,{"MCP-Protocol-Version":t},r)}o(Kh,"tryMetadataDiscovery");function qP(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(qP,"shouldAttemptFallback");async function NP(e,t,r,n){let a=new URL(e),i=n?.protocolVersion??sr,s;if(n?.metadataUrl)s=new URL(n.metadataUrl);else{let d=MP(t,a.pathname);s=new URL(d,n?.metadataServerUrl??a),s.search=a.search}let c=await Kh(s,i,r);if(!n?.metadataUrl&&qP(c,a.pathname)){let d=new URL(`/.well-known/${t}`,a);c=await Kh(d,i,r)}return c}o(NP,"discoverMetadataWithFallback");function DP(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(DP,"buildDiscoveryUrls");async function Yh(e,{fetchFn:t=fetch,protocolVersion:r=sr}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=DP(e);for(let{url:i,type:s}of a){let c=await od(i,n,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?jo.parse(await c.json()):qi.parse(await c.json())}}}o(Yh,"discoverAuthorizationServerMetadata");async function jP(e,t){let r,n;try{r=await Wh(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await Yh(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(jP,"discoverOAuthServerInfo");async function HP(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:i,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Qu))throw new Error(`Incompatible auth server: does not support response type ${Qu}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(Xu))throw new Error(`Incompatible auth server: does not support code challenge method ${Xu}`)}else c=new URL("/authorize",e);let d=await Wu(),p=d.code_verifier,l=d.code_challenge;return c.searchParams.set("response_type",Qu),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",l),c.searchParams.set("code_challenge_method",Xu),c.searchParams.set("redirect_uri",String(n)),i&&c.searchParams.set("state",i),a&&c.searchParams.set("scope",a),a?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:p}}o(HP,"startAuthorization");function LP(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(LP,"prepareAuthorizationCodeRequest");async function Qh(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:i,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(d,r,c,t);else if(n){let l=t?.token_endpoint_auth_methods_supported??[],m=AP(n,l);EP(m,n,d,r)}let p=await(s??fetch)(c,{method:"POST",headers:d,body:r});if(!p.ok)throw await Jh(p);return Ho.parse(await p.json())}o(Qh,"executeTokenRequest");async function BP(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:i,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await Qh(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:n,...d}}o(BP,"refreshAuthorization");async function GP(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();c=LP(a,p,e.redirectUrl)}let d=await e.clientInformation();return Qh(t,{metadata:r,tokenRequestParams:c,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:i})}o(GP,"fetchToken");async function VP(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!s.ok)throw await Jh(s);return Lo.parse(await s.json())}o(VP,"registerClient");ae();function ad(e){return`Zuplo MCP Gateway - ${e}`}o(ad,"buildGatewayOAuthClientName");function Xh(e,t){let r=new URL(e,ie(t));return qe(r)&&Nt(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(Xh,"buildGatewayOAuthRedirectUri");function id(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(id,"buildOAuthClientMetadataDocumentUrl");function eg(e){return ie(e)}o(eg,"requireOAuthClientMetadataOrigin");function tg(e,t,r){let n=De(t),a=Lr(t,r);return{client_id:id({origin:e,upstreamServerId:t,authProfileId:r}),client_name:ad(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(tg,"buildOAuthClientMetadataDocument");var FP=u.union([Lo,Yu]),ZP=u.object({authorizationServerUrl:u.url(),resourceMetadataUrl:u.url().optional(),resourceMetadata:Mi.optional(),authorizationServerMetadata:u.union([jo,qi]).optional()}).passthrough(),KP="Bearer";function JP(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(JP,"splitScopes");function WP(e){return Wa.parse(e)}o(WP,"parsePkceCodeVerifier");function YP(e){if(typeof e.expires_in=="number")return re(new Date(Date.now()+e.expires_in*1e3))}o(YP,"readTokenExpiry");async function rg(e){if(e!==void 0)return Br(JSON.stringify(e))}o(rg,"encryptJson");async function ng(e,t){if(!e)return;let r=await Gt(e);try{return t.parse(JSON.parse(r))}catch(n){throw g("oauth_state_invalid","Stored upstream OAuth JSON state is invalid.",n)}}o(ng,"decryptJson");function QP(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(QP,"toOAuthDiscoveryState");function XP(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(XP,"clientInformationAllowsRedirectUri");function ex(e,t,r){let n=De(e),a=Lr(e,t),i;return a.scopes.length>0&&(i=a.scopes.join(a.scopeDelimiter)),{client_name:ad(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}o(ex,"buildOAuthClientMetadata");function tx(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw g("internal_server_error",`Manual OAuth registration for ${e.upstreamServerId} requires clientSecret.`);return Lo.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(tx,"buildManualOAuthClientInformation");function rx(e,t,r){let n=id({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return rd(n)?n:void 0}o(rx,"buildClientMetadataUrl");function og(e){for(let t of e)if(t!==void 0)return t}o(og,"firstDefined");function nx(e){let t=Lr(e.target.upstreamServerId,e.target.authProfileId),r=ex(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:tx({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=rx(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(nx,"buildInitialOAuthClientSetup");function ox(e,t){if(t===void 0)return og([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(ox,"readEncryptedClientInformation");function ax(e){return og([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(ax,"readEncryptedDiscoveryState");var Kr=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=nx({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=ox(t,this.configuredClientInformation),this.encryptedDiscoveryState=ax(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return kh({id:t.id,...Io({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await rg(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await rg(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Ho.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??oi(),ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Br(r.access_token),encryptedRefreshToken:r.refresh_token?await Br(r.refresh_token):void 0,scopes:JP(r.scope??this.clientMetadataValue.scope),expiresAt:YP(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await K().upsertUpstreamConnection(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:WP(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw g("oauth_state_invalid","OAuth code verifier is missing");return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:$m(),...Io({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:re(new Date(Date.now()+Ih)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await K().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await ng(this.encryptedClientInformation,FP)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!XP(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=QP(await ng(this.encryptedDiscoveryState,ZP))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection?.encryptedAccessToken||this.connection.status!=="active")return;let t=Ho.parse({access_token:await Gt(this.connection.encryptedAccessToken),token_type:KP,refresh_token:this.connection.encryptedRefreshToken?await Gt(this.connection.encryptedRefreshToken):void 0,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=t,t}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await K().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var ix=1e4,sx=256*1024,cx=2;function ux(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(ux,"hasUsableAccessToken");var dx="does not support dynamic client registration";function lx(e){return e instanceof Error&&e.message.includes(dx)}o(lx,"isDynamicClientRegistrationUnsupported");function px(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(px,"readOAuthFetchRequest");function mx(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(mx,"responseLooksJson");function ag(e){return async(t,r)=>{let n=px(t),a=await Mn(t,r,{maxRedirects:cx,maxResponseBytes:sx,problemCode:"upstream_token_exchange_failed",timeoutMs:ix}),i=await a.clone().text();if(!mx(a,i))return a;try{JSON.parse(i)}catch(s){throw g("upstream_token_exchange_failed",`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,s)}return a}}o(ag,"createUpstreamOAuthFetch");async function ig(e,t){try{return await hr(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:ag(t.upstreamServerId)})}catch(r){throw lx(r)?g("upstream_client_registration_required",`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,r):r}}o(ig,"runUpstreamOAuth");async function fx(e,t){return hr(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:ag(t.upstreamServerId)})}o(fx,"exchangeUpstreamAuthorizationCode");async function sg(e,t){let r=await ig(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?g("upstream_token_exchange_failed",`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`):g("upstream_token_exchange_failed",`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`)}o(sg,"requireUpstreamAuthorizationRedirect");async function cg(e){if(ux(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await ig(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`);if(!e.provider.authorizationUrl)throw g("upstream_token_exchange_failed",`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`);return{kind:"connect_required",payload:await vx({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(cg,"authorizeUpstreamOAuthSession");async function hx(e){let t=await Ui(e.stateToken),r=await K().consumeUpstreamOAuthState({id:t.id,now:re(new Date)}),n=gx(r);return yx({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Sx(n),n}o(hx,"consumeStoredCallbackState");function gx(e){switch(e.kind){case"consumed":throw g("oauth_state_reused","OAuth state has already been used");case"missing":throw g("oauth_state_expired","OAuth state is missing or expired");case"available":return e.record}}o(gx,"readConsumedCallbackState");function yx(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw g("oauth_callback_mismatch","OAuth callback did not match the initiating request")}o(yx,"assertStoredCallbackStateMatches");function Sx(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw g("oauth_state_expired","OAuth state has expired")}o(Sx,"assertStoredCallbackStateFresh");async function vx(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),Uh(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),qn(t)}o(vx,"buildOAuthConnectRequiredResponse");async function ug(e){let t=await hx({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Pn(t),[n]=await K().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let i=new Kr(a),s=await fx(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?g("upstream_token_exchange_failed",`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`):g("upstream_token_exchange_failed",`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`)}o(ug,"finishUpstreamOAuthCallback");async function dg(e){let t=De(e.upstreamServerId),r=Lr(e.upstreamServerId,e.authProfileId),n=Xh(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await K().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:ie(e.request.url)}}}o(dg,"prepareUpstreamOAuthRequest");async function lg(e){let t=await dg(e),r=new Kr({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return sg(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(lg,"startUpstreamConnect");async function pg(e){let t=await dg(e),r=new Kr({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return cg({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(pg,"authorizeUpstreamRequest");function _x(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw g("internal_server_error",`Static bearer token is not configured for upstream ${t}.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw g("internal_server_error",`Static header ${n.name} is not configured for upstream ${t}.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(_x,"resolveStaticSecretCredential");async function Ni(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return pg({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"shared-secret":return Nh({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"static-secret":{let n=pr({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static-secret")throw g("internal_server_error",`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:_x(n.secret,t.upstreamServerId)}}case"user-secret":return Hh({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}})}throw g("internal_server_error",`Unsupported upstream auth route context ${JSON.stringify(t)}.`)}o(Ni,"resolveUpstreamCredentialForRoute");async function mg(e){let t=ir(e.principal.subjectId),r=yt().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user-secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await zi({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(mg,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function fg(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=Pt(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await lg(r);break;case"user_secret_capture":t=await Lh(r);break;case"none":throw g("invalid_request",n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(fg,"startUpstreamConnectForRequest");async function hg(e){let r=(await Ui(e.callbackRequest.state)).authProfileId,n=pr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(Pt(n.mode).callbackSupport!=="authorization_code")throw g("invalid_request",`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return ug({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:De(e.callbackRequest.upstreamServerId)})}o(hg,"finishUpstreamCallbackForRequest");var sd=new Ct("route-upstream-bindings");function gg(e){return`${e.upstreamServerId}:${e.authProfileId}`}o(gg,"buildRouteBindingDuplicateKey");function cd(e,t){let r=sd.get(e)??[],n=gg(t);if(r.find(i=>gg(i)===n)!==void 0)throw g("internal_server_error",`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.push(t),sd.set(e,r)}o(cd,"appendResolvedUpstreamBindingContext");function Di(e){return sd.get(e)??[]}o(Di,"readResolvedUpstreamBindingContexts");var wx=new Set(["authorization","connection","content-length","cookie","cookie2","host","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade"]),bx=3e4,Rx=2*1024*1024,Cx=2;function Ix(e){return e.kind!=="authorized"||e.credential.type!=="headers"?[]:Object.keys(e.credential.headers)}o(Ix,"readCredentialHeaderNames");async function Px(e,t){Rt("handler.mcp-upstream");let r=Di(t);if(r.length!==1)throw new ue(`mcpUpstreamHandler requires exactly one upstream binding on the route (found ${r.length}). Attach a single \`mcp-upstream-connection-inbound\` policy or use \`McpVirtualServerHandler\` for multi-upstream routes.`);let[n]=r,a=await Ni({request:e,routeAuth:n});if(a.kind==="connect_required")return t.log.info({event:"mcp_upstream_connect_required",upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId},"MCP upstream proxy: upstream connection required"),Response.json({error:"connect_required",payload:a.payload},{status:401,headers:{"www-authenticate":'Bearer realm="upstream", error="invalid_token"'}});let i=De(n.upstreamServerId),s=i.transport.baseUrl,c=new Headers;for(let[h,y]of e.headers.entries())wx.has(h.toLowerCase())||c.set(h,y);let d=[];for(let h of i.transport.requestHeaders??[]){if(h.value===void 0){if(h.required)throw new ue(`mcpUpstreamHandler: configured request header '${h.name}' is required but its value is unset. Set the env var that backs the header or mark the header optional.`);continue}c.set(h.name,h.value),d.push(h.name)}let p=a.credential;switch(p.type){case"bearer_token":c.set("authorization",`Bearer ${p.token}`);break;case"headers":for(let[h,y]of Object.entries(p.headers))c.set(h,y);break;case"mcp_oauth_provider":{let h=await p.provider.tokens();if(!h)return t.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:n.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401});c.set("authorization",`${h.token_type??"Bearer"} ${h.access_token}`);break}}let l=[...d,...Ix(a)],m={method:e.method,headers:c,body:e.method==="GET"||e.method==="HEAD"?void 0:e.body,duplex:"half"};return t.log.info({event:"mcp_upstream_handler_proxy",upstreamServerId:n.upstreamServerId,upstreamUrl:s,method:e.method},"MCP upstream proxy: forwarding request"),Mn(s,m,{additionalCrossOriginStrippedHeaders:l,context:t,maxRedirects:Cx,maxResponseBytes:Rx,problemCode:"upstream_capability_invocation_failed",timeoutMs:bx})}o(Px,"mcpUpstreamHandler");Iw();function gr(e){return!!e._zod}o(gr,"isZ4Schema");function Ge(e,t){return gr(e)?dc(e,t):e.safeParse(t)}o(Ge,"safeParse");function jn(e){if(!e)return;let t;if(gr(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(jn,"getObjectShape");function yg(e){if(gr(e)){let i=e._zod?.def;if(i){if(i.value!==void 0)return i.value;if(Array.isArray(i.values)&&i.values.length>0)return i.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(yg,"getLiteralValue");function yr(e){return e==="completed"||e==="failed"||e==="cancelled"}o(yr,"isTerminal");var kx=Symbol("Let zodToJsonSchema decide on which parser to use");var t2=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function ud(e){let r=jn(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=yg(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(ud,"getMethodLiteral");function dd(e,t){let r=Ge(e,t);if(!r.success)throw r.error;return r.data}o(dd,"parseWithCompat");var $x=6e4,Hn=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(di,r=>{this._oncancel(r)}),this.setNotificationHandler(fi,r=>{this._onprogress(r)}),this.setRequestHandler(mi,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(hi,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new x(E.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(yi,async(r,n)=>{let a=o(async()=>{let i=r.params.taskId;if(this._taskMessageQueue){let c;for(;c=await this._taskMessageQueue.dequeue(i,n.sessionId);){if(c.type==="response"||c.type==="error"){let d=c.message,p=d.id,l=this._requestResolvers.get(p);if(l)if(this._requestResolvers.delete(p),c.type==="response")l(d);else{let m=d,h=new x(m.error.code,m.error.message,m.error.data);l(h)}else{let m=c.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${p}`))}continue}await this._transport?.send(c.message,{relatedRequestId:n.requestId})}}let s=await this._taskStore.getTask(i,n.sessionId);if(!s)throw new x(E.InvalidParams,`Task not found: ${i}`);if(!yr(s.status))return await this._waitForTaskUpdate(i,n.signal),await a();if(yr(s.status)){let c=await this._taskStore.getTaskResult(i,n.sessionId);return this._clearTaskQueue(i),{...c,_meta:{...c._meta,[ur]:{taskId:i}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(Si,async(r,n)=>{try{let{tasks:a,nextCursor:i}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:i,_meta:{}}}catch(a){throw new x(E.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(_i,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new x(E.InvalidParams,`Task not found: ${r.params.taskId}`);if(yr(a.status))throw new x(E.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let i=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!i)throw new x(E.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...i}}catch(a){throw a instanceof x?a:new x(E.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,i=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:i,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),x.fromError(E.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=i=>{n?.(i),this._onerror(i)};let a=this._transport?.onmessage;this._transport.onmessage=(i,s)=>{a?.(i,s),gt(i)||En(i)?this._onresponse(i):It(i)?this._onrequest(i,s):qf(i)?this._onnotification(i):this._onerror(new Error(`Unknown message type: ${JSON.stringify(i)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=x.fromError(E.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,i=t.params?._meta?.[ur]?.taskId;if(n===void 0){let l={jsonrpc:"2.0",id:t.id,error:{code:E.MethodNotFound,message:"Method not found"}};i&&this._taskMessageQueue?this._enqueueTaskMessage(i,{type:"error",message:l,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(l).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let s=new AbortController;this._requestHandlerAbortControllers.set(t.id,s);let c=$f(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,p={signal:s.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async l=>{if(s.signal.aborted)return;let m={relatedRequestId:t.id};i&&(m.relatedTask={taskId:i}),await this.notification(l,m)},"sendNotification"),sendRequest:o(async(l,m,h)=>{if(s.signal.aborted)throw new x(E.ConnectionClosed,"Request was cancelled");let y={...h,relatedRequestId:t.id};i&&!y.relatedTask&&(y.relatedTask={taskId:i});let v=y.relatedTask?.taskId??i;return v&&d&&await d.updateTaskStatus(v,"input_required"),await this.request(l,m,y)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:i,taskStore:d,taskRequestedTtl:c?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{c&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,p)).then(async l=>{if(s.signal.aborted)return;let m={result:l,jsonrpc:"2.0",id:t.id};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async l=>{if(s.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(l.code)?l.code:E.InternalError,message:l.message??"Internal error",...l.data!==void 0&&{data:l.data}}};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(l=>this._onerror(new Error(`Failed to send response: ${l}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===s&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),i=this._progressHandlers.get(a);if(!i){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let s=this._responseHandlers.get(a),c=this._timeoutInfo.get(a);if(c&&s&&c.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),s(d);return}i(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),gt(t))n(t);else{let s=new x(t.error.code,t.error.message,t.error.data);n(s)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let i=!1;if(gt(t)&&t.result&&typeof t.result=="object"){let s=t.result;if(s.task&&typeof s.task=="object"){let c=s.task;typeof c.taskId=="string"&&(i=!0,this._taskProgressTokens.set(c.taskId,r))}}if(i||this._progressHandlers.delete(r),gt(t))a(t);else{let s=x.fromError(t.error.code,t.error.message,t.error.data);a(s)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(s){yield{type:"error",error:s instanceof x?s:new x(E.InternalError,String(s))}}return}let i;try{let s=await this.request(t,Bt,n);if(s.task)i=s.task.taskId,yield{type:"taskCreated",task:s.task};else throw new x(E.InternalError,"Task creation did not return a task");for(;;){let c=await this.getTask({taskId:i},n);if(yield{type:"taskStatus",task:c},yr(c.status)){c.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)}:c.status==="failed"?yield{type:"error",error:new x(E.InternalError,`Task ${i} failed`)}:c.status==="cancelled"&&(yield{type:"error",error:new x(E.InternalError,`Task ${i} was cancelled`)});return}if(c.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)};return}let d=c.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(p=>setTimeout(p,d)),n?.signal?.throwIfAborted()}}catch(s){yield{type:"error",error:s instanceof x?s:new x(E.InternalError,String(s))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s,task:c,relatedTask:d}=n??{};return new Promise((p,l)=>{let m=o(b=>{l(b)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),c&&this.assertTaskCapability(t.method)}catch(b){m(b);return}n?.signal?.throwIfAborted();let h=this._requestMessageId++,y={...t,jsonrpc:"2.0",id:h};n?.onprogress&&(this._progressHandlers.set(h,n.onprogress),y.params={...t.params,_meta:{...t.params?._meta||{},progressToken:h}}),c&&(y.params={...y.params,task:c}),d&&(y.params={...y.params,_meta:{...y.params?._meta||{},[ur]:d}});let v=o(b=>{this._responseHandlers.delete(h),this._progressHandlers.delete(h),this._cleanupTimeout(h),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:h,reason:String(b)}},{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(z=>this._onerror(new Error(`Failed to send cancellation: ${z}`)));let R=b instanceof x?b:new x(E.RequestTimeout,String(b));l(R)},"cancel");this._responseHandlers.set(h,b=>{if(!n?.signal?.aborted){if(b instanceof Error)return l(b);try{let R=Ge(r,b.result);R.success?p(R.data):l(R.error)}catch(R){l(R)}}}),n?.signal?.addEventListener("abort",()=>{v(n?.signal?.reason)});let S=n?.timeout??$x,_=o(()=>v(x.fromError(E.RequestTimeout,"Request timed out",{timeout:S})),"timeoutHandler");this._setupTimeout(h,S,n?.maxTotalTimeout,_,n?.resetTimeoutOnProgress??!1);let w=d?.taskId;if(w){let b=o(R=>{let z=this._responseHandlers.get(h);z?z(R):this._onerror(new Error(`Response handler missing for side-channeled request ${h}`))},"responseResolver");this._requestResolvers.set(h,b),this._enqueueTaskMessage(w,{type:"request",message:y,timestamp:Date.now()}).catch(R=>{this._cleanupTimeout(h),l(R)})}else this._transport.send(y,{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(b=>{this._cleanupTimeout(h),l(b)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},gi,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},vi,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},Df,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let c={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[ur]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:c,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let c={...t,jsonrpc:"2.0"};r?.relatedTask&&(c={...c,params:{...c.params,_meta:{...c.params?._meta||{},[ur]:r.relatedTask}}}),this._transport?.send(c,r).catch(d=>this._onerror(d))});return}let s={...t,jsonrpc:"2.0"};r?.relatedTask&&(s={...s,params:{...s.params,_meta:{...s.params?._meta||{},[ur]:r.relatedTask}}}),await this._transport.send(s,r)}setRequestHandler(t,r){let n=ud(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,i)=>{let s=dd(t,a);return Promise.resolve(r(s,i))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=ud(t);this._notificationHandlers.set(n,a=>{let i=dd(t,a);return Promise.resolve(r(i))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&It(a.message)){let i=a.message.id,s=this._requestResolvers.get(i);s?(s(new x(E.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(i)):this._onerror(new Error(`Resolver missing for request ${i} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,i)=>{if(r.aborted){i(new x(E.InvalidRequest,"Request cancelled"));return}let s=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(s),i(new x(E.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let i=await n.getTask(a,r);if(!i)throw new x(E.InvalidParams,"Failed to retrieve task: Task not found");return i},"getTask"),storeTaskResult:o(async(a,i,s)=>{await n.storeTaskResult(a,i,s,r);let c=await n.getTask(a,r);if(c){let d=$o.parse({method:"notifications/tasks/status",params:c});await this.notification(d),yr(c.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,i,s)=>{let c=await n.getTask(a,r);if(!c)throw new x(E.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(yr(c.status))throw new x(E.InvalidParams,`Cannot update task "${a}" from terminal status "${c.status}" to "${i}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,i,s,r);let d=await n.getTask(a,r);if(d){let p=$o.parse({method:"notifications/tasks/status",params:d});await this.notification(p),yr(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function Sg(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(Sg,"isPlainObject");function ji(e,t){let r={...e};for(let n in t){let a=n,i=t[a];if(i===void 0)continue;let s=r[a];Sg(s)&&Sg(i)?r[a]={...s,...i}:r[a]=i}return r}o(ji,"mergeCapabilities");var ov=Fp(Jl(),1),av=Fp(nv(),1);function CU(){let e=new ov.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,av.default)(e),e}o(CU,"createDefaultAjvInstance");var oo=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??CU()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var Rs=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],i=Array.isArray(a.content)?a.content:[a.content],s=i.some(l=>l.type==="tool_result"),c=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=c?Array.isArray(c.content)?c.content:[c.content]:[],p=d.some(l=>l.type==="tool_use");if(s){if(i.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!p)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(p){let l=new Set(d.filter(h=>h.type==="tool_use").map(h=>h.id)),m=new Set(i.filter(h=>h.type==="tool_result").map(h=>h.toolUseId));if(l.size!==m.size||![...l].every(h=>m.has(h)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},jr,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let i=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:i},lr,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function Cs(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o(Cs,"assertToolsCallTaskCapability");function Is(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(Is,"assertClientRequestTaskCapability");var Ps=class extends Hn{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(qo.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let i=this._loggingLevels.get(a);return i?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(i):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new oo,this.setRequestHandler(li,n=>this._oninitialize(n)),this.setNotificationHandler(pi,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(Ru,async(n,a)=>{let i=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:s}=n.params,c=qo.safeParse(s);return c.success&&this._loggingLevels.set(i,c.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new Rs(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=ji(this._capabilities,t)}setRequestHandler(t,r){let a=jn(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(gr(a)){let c=a;i=c._zod?.def?.value??c.value}else{let c=a;i=c._def?.value??c.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");if(i==="tools/call"){let c=o(async(d,p)=>{let l=Ge(Mo,d);if(!l.success){let v=l.error instanceof Error?l.error.message:String(l.error);throw new x(E.InvalidParams,`Invalid tools/call request: ${v}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let v=Ge(Bt,h);if(!v.success){let S=v.error instanceof Error?v.error.message:String(v.error);throw new x(E.InvalidParams,`Invalid task creation result: ${S}`)}return v.data}let y=Ge(dr,h);if(!y.success){let v=y.error instanceof Error?y.error.message:String(y.error);throw new x(E.InvalidParams,`Invalid tools/call result: ${v}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){Is(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&Cs(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:cr.includes(r)?r:sr,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},Lt)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],i=a.some(p=>p.type==="tool_result"),s=t.messages.length>1?t.messages[t.messages.length-2]:void 0,c=s?Array.isArray(s.content)?s.content:[s.content]:[],d=c.some(p=>p.type==="tool_use");if(i){if(a.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let p=new Set(c.filter(m=>m.type==="tool_use").map(m=>m.id)),l=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(p.size!==l.size||![...p].every(m=>l.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},No,r):this.request({method:"sampling/createMessage",params:t},jr,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},lr,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},i=await this.request({method:"elicitation/create",params:a},lr,r);if(i.action==="accept"&&i.content&&a.requestedSchema)try{let c=this._jsonSchemaValidator.getValidator(a.requestedSchema)(i.content);if(!c.valid)throw new x(E.InvalidParams,`Elicitation response content does not match requested schema: ${c.errorMessage}`)}catch(s){throw s instanceof x?s:new x(E.InternalError,`Error validating elicitation response: ${s instanceof Error?s.message:String(s)}`)}return i}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},xu,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var xs=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let i={code:r,message:n};return a?.data!==void 0&&(i.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:i,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let i=await this._eventStore.storeEvent(n,{}),s=`id: ${i}
 data:
 `;this._retryInterval!==void 0&&(s=`id: ${i}
@@ -48,17 +48,17 @@ data:
 `;return a&&(i+=`id: ${a}
 `),i+=`data: ${JSON.stringify(n)}
-`,t.enqueue(r.encode(i)),!0}catch(i){return this.onerror?.(i),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let i={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},s;if(r?.parsedBody!==void 0)s=r.parsedBody;else try{s=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let c;try{Array.isArray(s)?c=s.map(v=>Dr.parse(v)):c=[Dr.parse(s)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=c.some(eu);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(c.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let b=this.validateProtocolVersion(t);if(b)return b}if(!c.some(Pt)){for(let v of c)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i});return new Response(null,{status:202})}let l=crypto.randomUUID(),m=c.find(v=>eu(v)),h=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??Of;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(l,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(l)},"cleanup")});for(let b of c)Pt(b)&&this._requestToStreamMapping.set(b.id,l);for(let b of c)this.onmessage?.(b,{authInfo:r?.authInfo,requestInfo:i})});let y=new TextEncoder,_,S=new ReadableStream({start:o(v=>{_=v},"start"),cancel:o(()=>{this._streamMapping.delete(l)},"cancel")}),w={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(w["mcp-session-id"]=this.sessionId);for(let v of c)Pt(v)&&(this._streamMapping.set(l,{controller:_,encoder:y,cleanup:o(()=>{this._streamMapping.delete(l);try{_.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,l));await this.writePrimingEvent(_,y,l,h);for(let v of c){let b,R;Pt(v)&&this._eventStore&&h>="2025-11-25"&&(b=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),R=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i,closeSSEStream:b,closeStandaloneSSEStream:R})}return new Response(S,{status:200,headers:w})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!ur.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${ur.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${ur.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((yt(t)||Un(t))&&(n=t.id),n===void 0){if(yt(t)||Un(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let s;this._eventStore&&(s=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let c=this._streamMapping.get(this._standaloneSseStreamId);if(c===void 0)return;c.controller&&c.encoder&&this.writeSSEEvent(c.controller,c.encoder,t,s);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let i=this._streamMapping.get(a);if(!this._enableJsonResponse&&i?.controller&&i?.encoder){let s;this._eventStore&&(s=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(i.controller,i.encoder,t,s)}if(yt(t)||Un(t)){this._requestResponseMap.set(n,t);let s=Array.from(this._requestToStreamMapping.entries()).filter(([d,p])=>p===a).map(([d])=>d);if(s.every(d=>this._requestResponseMap.has(d))){if(!i)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&i.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let p=s.map(l=>this._requestResponseMap.get(l));p.length===1?i.resolveJson(new Response(JSON.stringify(p[0]),{status:200,headers:d})):i.resolveJson(new Response(JSON.stringify(p),{status:200,headers:d}))}else i.cleanup();for(let d of s)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function io(e,t){let r=typeof e;if(r!==typeof t)return!1;if(Array.isArray(e)){if(!Array.isArray(t))return!1;let n=e.length;if(n!==t.length)return!1;for(let a=0;a<n;a++)if(!io(e[a],t[a]))return!1;return!0}if(r==="object"){if(!e||!t)return e===t;let n=Object.keys(e),a=Object.keys(t);if(n.length!==a.length)return!1;for(let s of n)if(!io(e[s],t[s]))return!1;return!0}return e===t}o(io,"deepCompareStrict");function at(e){return encodeURI(VU(e))}o(at,"encodePointer");function VU(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(VU,"escapePointer");var FU={prefixItems:!0,items:!0,allOf:!0,anyOf:!0,oneOf:!0},ZU={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependentSchemas:!0},KU={id:!0,$id:!0,$ref:!0,$schema:!0,$anchor:!0,$vocabulary:!0,$comment:!0,default:!0,enum:!0,const:!0,required:!0,type:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0},JU=typeof self<"u"&&self.location&&self.location.origin!=="null"?new URL(self.location.origin+self.location.pathname+location.search):new URL("https://github.com/cfworker");function Xt(e,t=Object.create(null),r=JU,n=""){if(e&&typeof e=="object"&&!Array.isArray(e)){let i=e.$id||e.id;if(i){let s=new URL(i,r.href);s.hash.length>1?t[s.href]=e:(s.hash="",n===""?r=s:Xt(e,t,r))}}else if(e!==!0&&e!==!1)return t;let a=r.href+(n?"#"+n:"");if(t[a]!==void 0)throw new Error(`Duplicate schema URI "${a}".`);if(t[a]=e,e===!0||e===!1)return t;if(e.__absolute_uri__===void 0&&Object.defineProperty(e,"__absolute_uri__",{enumerable:!1,value:a}),e.$ref&&e.__absolute_ref__===void 0){let i=new URL(e.$ref,r.href);i.hash=i.hash,Object.defineProperty(e,"__absolute_ref__",{enumerable:!1,value:i.href})}if(e.$recursiveRef&&e.__absolute_recursive_ref__===void 0){let i=new URL(e.$recursiveRef,r.href);i.hash=i.hash,Object.defineProperty(e,"__absolute_recursive_ref__",{enumerable:!1,value:i.href})}if(e.$anchor){let i=new URL("#"+e.$anchor,r.href);t[i.href]=e}for(let i in e){if(KU[i])continue;let s=`${n}/${at(i)}`,c=e[i];if(Array.isArray(c)){if(FU[i]){let d=c.length;for(let p=0;p<d;p++)Xt(c[p],t,r,`${s}/${p}`)}}else if(ZU[i])for(let d in c)Xt(c[d],t,r,`${s}/${at(d)}`);else Xt(c,t,r,s)}return t}o(Xt,"dereference");var WU=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,YU=[0,31,28,31,30,31,30,31,31,30,31,30,31],QU=/^(\d\d):(\d\d):(\d\d)(\.\d+)?(z|[+-]\d\d(?::?\d\d)?)?$/i,XU=/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,eO=/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,tO=/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,rO=/^(?:(?:https?|ftp):\/\/)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u{00a1}-\u{ffff}0-9]+-?)*[a-z\u{00a1}-\u{ffff}0-9]+)(?:\.(?:[a-z\u{00a1}-\u{ffff}0-9]+-?)*[a-z\u{00a1}-\u{ffff}0-9]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,nO=/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,oO=/^(?:\/(?:[^~/]|~0|~1)*)*$/,aO=/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,iO=/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,sO=o(e=>{if(e[0]==='"')return!1;let[t,r,...n]=e.split("@");return!t||!r||n.length!==0||t.length>64||r.length>253||t[0]==="."||t.endsWith(".")||t.includes("..")||!/^[a-z0-9.-]+$/i.test(r)||!/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+$/i.test(t)?!1:r.split(".").every(a=>/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(a))},"EMAIL"),cO=/^(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)$/,uO=/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,dO=o(e=>e.length>1&&e.length<80&&(/^P\d+([.,]\d+)?W$/.test(e)||/^P[\dYMDTHS]*(\d[.,]\d+)?[YMDHS]$/.test(e)&&/^P([.,\d]+Y)?([.,\d]+M)?([.,\d]+D)?(T([.,\d]+H)?([.,\d]+M)?([.,\d]+S)?)?$/.test(e)),"DURATION");function zt(e){return e.test.bind(e)}o(zt,"bind");var np={date:c_,time:u_.bind(void 0,!1),"date-time":mO,duration:dO,uri:gO,"uri-reference":zt(eO),"uri-template":zt(tO),url:zt(rO),email:sO,hostname:zt(XU),ipv4:zt(cO),ipv6:zt(uO),regex:SO,uuid:zt(nO),"json-pointer":zt(oO),"json-pointer-uri-fragment":zt(aO),"relative-json-pointer":zt(iO)};function lO(e){return e%4===0&&(e%100!==0||e%400===0)}o(lO,"isLeapYear");function c_(e){let t=e.match(WU);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n==2&&lO(r)?29:YU[n])}o(c_,"date");function u_(e,t){let r=t.match(QU);if(!r)return!1;let n=+r[1],a=+r[2],i=+r[3],s=!!r[5];return(n<=23&&a<=59&&i<=59||n==23&&a==59&&i==60)&&(!e||s)}o(u_,"time");var pO=/t|\s/i;function mO(e){let t=e.split(pO);return t.length==2&&c_(t[0])&&u_(!0,t[1])}o(mO,"date_time");var fO=/\/|:/,hO=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function gO(e){return fO.test(e)&&hO.test(e)}o(gO,"uri");var yO=/[^\\]\\Z/;function SO(e){if(yO.test(e))return!1;try{return new RegExp(e,"u"),!0}catch{return!1}}o(SO,"regex");var d_;(function(e){e[e.Flag=1]="Flag",e[e.Basic=2]="Basic",e[e.Detailed=4]="Detailed"})(d_||(d_={}));function l_(e){let t=0,r=e.length,n=0,a;for(;n<r;)t++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<r&&(a=e.charCodeAt(n),(a&64512)==56320&&n++);return t}o(l_,"ucs2length");function he(e,t,r="2019-09",n=Xt(t),a=!0,i=null,s="#",c="#",d=Object.create(null)){if(t===!0)return{valid:!0,errors:[]};if(t===!1)return{valid:!1,errors:[{instanceLocation:s,keyword:"false",keywordLocation:s,error:"False boolean schema."}]};let p=typeof e,l;switch(p){case"boolean":case"number":case"string":l=p;break;case"object":e===null?l="null":Array.isArray(e)?l="array":l="object";break;default:throw new Error(`Instances of "${p}" type are not supported.`)}let{$ref:m,$recursiveRef:h,$recursiveAnchor:y,type:_,const:S,enum:w,required:v,not:b,anyOf:R,allOf:M,oneOf:q,if:Me,then:it,else:Sn,format:or,properties:qt,patternProperties:Ur,additionalProperties:po,unevaluatedProperties:mo,minProperties:fo,maxProperties:ec,propertyNames:qp,dependentRequired:tc,dependentSchemas:rc,dependencies:nc,prefixItems:oc,items:ho,additionalItems:Np,unevaluatedItems:jp,contains:Dp,minContains:Nt,maxContains:Da,minItems:ac,maxItems:ic,uniqueItems:bv,minimum:Or,maximum:$r,exclusiveMinimum:go,exclusiveMaximum:yo,multipleOf:Ha,minLength:La,maxLength:Ba,pattern:Hp,__absolute_ref__:Ga,__absolute_recursive_ref__:Rv}=t,k=[];if(y===!0&&i===null&&(i=t),h==="#"){let N=i===null?n[Rv]:i,$=`${c}/$recursiveRef`,L=he(e,i===null?t:i,r,n,a,N,s,$,d);L.valid||k.push({instanceLocation:s,keyword:"$recursiveRef",keywordLocation:$,error:"A subschema had errors."},...L.errors)}if(m!==void 0){let $=n[Ga||m];if($===void 0){let P=`Unresolved $ref "${m}".`;throw Ga&&Ga!==m&&(P+=`  Absolute URI "${Ga}".`),P+=`
+`,t.enqueue(r.encode(i)),!0}catch(i){return this.onerror?.(i),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let i={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},s;if(r?.parsedBody!==void 0)s=r.parsedBody;else try{s=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let c;try{Array.isArray(s)?c=s.map(w=>Dr.parse(w)):c=[Dr.parse(s)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=c.some(eu);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(c.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let w=this.validateSession(t);if(w)return w;let b=this.validateProtocolVersion(t);if(b)return b}if(!c.some(It)){for(let w of c)this.onmessage?.(w,{authInfo:r?.authInfo,requestInfo:i});return new Response(null,{status:202})}let l=crypto.randomUUID(),m=c.find(w=>eu(w)),h=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??Ef;if(this._enableJsonResponse)return new Promise(w=>{this._streamMapping.set(l,{resolveJson:w,cleanup:o(()=>{this._streamMapping.delete(l)},"cleanup")});for(let b of c)It(b)&&this._requestToStreamMapping.set(b.id,l);for(let b of c)this.onmessage?.(b,{authInfo:r?.authInfo,requestInfo:i})});let y=new TextEncoder,v,S=new ReadableStream({start:o(w=>{v=w},"start"),cancel:o(()=>{this._streamMapping.delete(l)},"cancel")}),_={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(_["mcp-session-id"]=this.sessionId);for(let w of c)It(w)&&(this._streamMapping.set(l,{controller:v,encoder:y,cleanup:o(()=>{this._streamMapping.delete(l);try{v.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(w.id,l));await this.writePrimingEvent(v,y,l,h);for(let w of c){let b,R;It(w)&&this._eventStore&&h>="2025-11-25"&&(b=o(()=>{this.closeSSEStream(w.id)},"closeSSEStream"),R=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(w,{authInfo:r?.authInfo,requestInfo:i,closeSSEStream:b,closeStandaloneSSEStream:R})}return new Response(S,{status:200,headers:_})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!cr.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${cr.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${cr.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((gt(t)||En(t))&&(n=t.id),n===void 0){if(gt(t)||En(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let s;this._eventStore&&(s=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let c=this._streamMapping.get(this._standaloneSseStreamId);if(c===void 0)return;c.controller&&c.encoder&&this.writeSSEEvent(c.controller,c.encoder,t,s);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let i=this._streamMapping.get(a);if(!this._enableJsonResponse&&i?.controller&&i?.encoder){let s;this._eventStore&&(s=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(i.controller,i.encoder,t,s)}if(gt(t)||En(t)){this._requestResponseMap.set(n,t);let s=Array.from(this._requestToStreamMapping.entries()).filter(([d,p])=>p===a).map(([d])=>d);if(s.every(d=>this._requestResponseMap.has(d))){if(!i)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&i.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let p=s.map(l=>this._requestResponseMap.get(l));p.length===1?i.resolveJson(new Response(JSON.stringify(p[0]),{status:200,headers:d})):i.resolveJson(new Response(JSON.stringify(p),{status:200,headers:d}))}else i.cleanup();for(let d of s)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function ao(e,t){let r=typeof e;if(r!==typeof t)return!1;if(Array.isArray(e)){if(!Array.isArray(t))return!1;let n=e.length;if(n!==t.length)return!1;for(let a=0;a<n;a++)if(!ao(e[a],t[a]))return!1;return!0}if(r==="object"){if(!e||!t)return e===t;let n=Object.keys(e),a=Object.keys(t);if(n.length!==a.length)return!1;for(let s of n)if(!ao(e[s],t[s]))return!1;return!0}return e===t}o(ao,"deepCompareStrict");function ot(e){return encodeURI(IU(e))}o(ot,"encodePointer");function IU(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(IU,"escapePointer");var PU={prefixItems:!0,items:!0,allOf:!0,anyOf:!0,oneOf:!0},xU={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependentSchemas:!0},kU={id:!0,$id:!0,$ref:!0,$schema:!0,$anchor:!0,$vocabulary:!0,$comment:!0,default:!0,enum:!0,const:!0,required:!0,type:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0},TU=typeof self<"u"&&self.location&&self.location.origin!=="null"?new URL(self.location.origin+self.location.pathname+location.search):new URL("https://github.com/cfworker");function Xt(e,t=Object.create(null),r=TU,n=""){if(e&&typeof e=="object"&&!Array.isArray(e)){let i=e.$id||e.id;if(i){let s=new URL(i,r.href);s.hash.length>1?t[s.href]=e:(s.hash="",n===""?r=s:Xt(e,t,r))}}else if(e!==!0&&e!==!1)return t;let a=r.href+(n?"#"+n:"");if(t[a]!==void 0)throw new Error(`Duplicate schema URI "${a}".`);if(t[a]=e,e===!0||e===!1)return t;if(e.__absolute_uri__===void 0&&Object.defineProperty(e,"__absolute_uri__",{enumerable:!1,value:a}),e.$ref&&e.__absolute_ref__===void 0){let i=new URL(e.$ref,r.href);i.hash=i.hash,Object.defineProperty(e,"__absolute_ref__",{enumerable:!1,value:i.href})}if(e.$recursiveRef&&e.__absolute_recursive_ref__===void 0){let i=new URL(e.$recursiveRef,r.href);i.hash=i.hash,Object.defineProperty(e,"__absolute_recursive_ref__",{enumerable:!1,value:i.href})}if(e.$anchor){let i=new URL("#"+e.$anchor,r.href);t[i.href]=e}for(let i in e){if(kU[i])continue;let s=`${n}/${ot(i)}`,c=e[i];if(Array.isArray(c)){if(PU[i]){let d=c.length;for(let p=0;p<d;p++)Xt(c[p],t,r,`${s}/${p}`)}}else if(xU[i])for(let d in c)Xt(c[d],t,r,`${s}/${ot(d)}`);else Xt(c,t,r,s)}return t}o(Xt,"dereference");var AU=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,EU=[0,31,28,31,30,31,30,31,31,30,31,30,31],UU=/^(\d\d):(\d\d):(\d\d)(\.\d+)?(z|[+-]\d\d(?::?\d\d)?)?$/i,OU=/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,$U=/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,zU=/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,MU=/^(?:(?:https?|ftp):\/\/)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u{00a1}-\u{ffff}0-9]+-?)*[a-z\u{00a1}-\u{ffff}0-9]+)(?:\.(?:[a-z\u{00a1}-\u{ffff}0-9]+-?)*[a-z\u{00a1}-\u{ffff}0-9]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,qU=/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,NU=/^(?:\/(?:[^~/]|~0|~1)*)*$/,DU=/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,jU=/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,HU=o(e=>{if(e[0]==='"')return!1;let[t,r,...n]=e.split("@");return!t||!r||n.length!==0||t.length>64||r.length>253||t[0]==="."||t.endsWith(".")||t.includes("..")||!/^[a-z0-9.-]+$/i.test(r)||!/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+$/i.test(t)?!1:r.split(".").every(a=>/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(a))},"EMAIL"),LU=/^(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)$/,BU=/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,GU=o(e=>e.length>1&&e.length<80&&(/^P\d+([.,]\d+)?W$/.test(e)||/^P[\dYMDTHS]*(\d[.,]\d+)?[YMDHS]$/.test(e)&&/^P([.,\d]+Y)?([.,\d]+M)?([.,\d]+D)?(T([.,\d]+H)?([.,\d]+M)?([.,\d]+S)?)?$/.test(e)),"DURATION");function $t(e){return e.test.bind(e)}o($t,"bind");var np={date:iv,time:sv.bind(void 0,!1),"date-time":ZU,duration:GU,uri:WU,"uri-reference":$t($U),"uri-template":$t(zU),url:$t(MU),email:HU,hostname:$t(OU),ipv4:$t(LU),ipv6:$t(BU),regex:QU,uuid:$t(qU),"json-pointer":$t(NU),"json-pointer-uri-fragment":$t(DU),"relative-json-pointer":$t(jU)};function VU(e){return e%4===0&&(e%100!==0||e%400===0)}o(VU,"isLeapYear");function iv(e){let t=e.match(AU);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n==2&&VU(r)?29:EU[n])}o(iv,"date");function sv(e,t){let r=t.match(UU);if(!r)return!1;let n=+r[1],a=+r[2],i=+r[3],s=!!r[5];return(n<=23&&a<=59&&i<=59||n==23&&a==59&&i==60)&&(!e||s)}o(sv,"time");var FU=/t|\s/i;function ZU(e){let t=e.split(FU);return t.length==2&&iv(t[0])&&sv(!0,t[1])}o(ZU,"date_time");var KU=/\/|:/,JU=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function WU(e){return KU.test(e)&&JU.test(e)}o(WU,"uri");var YU=/[^\\]\\Z/;function QU(e){if(YU.test(e))return!1;try{return new RegExp(e,"u"),!0}catch{return!1}}o(QU,"regex");var cv;(function(e){e[e.Flag=1]="Flag",e[e.Basic=2]="Basic",e[e.Detailed=4]="Detailed"})(cv||(cv={}));function uv(e){let t=0,r=e.length,n=0,a;for(;n<r;)t++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<r&&(a=e.charCodeAt(n),(a&64512)==56320&&n++);return t}o(uv,"ucs2length");function he(e,t,r="2019-09",n=Xt(t),a=!0,i=null,s="#",c="#",d=Object.create(null)){if(t===!0)return{valid:!0,errors:[]};if(t===!1)return{valid:!1,errors:[{instanceLocation:s,keyword:"false",keywordLocation:s,error:"False boolean schema."}]};let p=typeof e,l;switch(p){case"boolean":case"number":case"string":l=p;break;case"object":e===null?l="null":Array.isArray(e)?l="array":l="object";break;default:throw new Error(`Instances of "${p}" type are not supported.`)}let{$ref:m,$recursiveRef:h,$recursiveAnchor:y,type:v,const:S,enum:_,required:w,not:b,anyOf:R,allOf:z,oneOf:M,if:Me,then:at,else:yn,format:or,properties:Mt,patternProperties:Er,additionalProperties:po,unevaluatedProperties:mo,minProperties:fo,maxProperties:Xs,propertyNames:Dp,dependentRequired:ec,dependentSchemas:tc,dependencies:rc,prefixItems:nc,items:ho,additionalItems:jp,unevaluatedItems:Hp,contains:Lp,minContains:qt,maxContains:Da,minItems:oc,maxItems:ac,uniqueItems:Rw,minimum:Ur,maximum:Or,exclusiveMinimum:go,exclusiveMaximum:yo,multipleOf:ja,minLength:Ha,maxLength:La,pattern:Bp,__absolute_ref__:Ba,__absolute_recursive_ref__:Cw}=t,T=[];if(y===!0&&i===null&&(i=t),h==="#"){let q=i===null?n[Cw]:i,$=`${c}/$recursiveRef`,H=he(e,i===null?t:i,r,n,a,q,s,$,d);H.valid||T.push({instanceLocation:s,keyword:"$recursiveRef",keywordLocation:$,error:"A subschema had errors."},...H.errors)}if(m!==void 0){let $=n[Ba||m];if($===void 0){let P=`Unresolved $ref "${m}".`;throw Ba&&Ba!==m&&(P+=`  Absolute URI "${Ba}".`),P+=`
 Known schemas:
 - ${Object.keys(n).join(`
-- `)}`,new Error(P)}let L=`${c}/$ref`,T=he(e,$,r,n,a,i,s,L,d);if(T.valid||k.push({instanceLocation:s,keyword:"$ref",keywordLocation:L,error:"A subschema had errors."},...T.errors),r==="4"||r==="7")return{valid:k.length===0,errors:k}}if(Array.isArray(_)){let N=_.length,$=!1;for(let L=0;L<N;L++)if(l===_[L]||_[L]==="integer"&&l==="number"&&e%1===0&&e===e){$=!0;break}$||k.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${_.join('", "')}".`})}else _==="integer"?(l!=="number"||e%1||e!==e)&&k.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${_}".`}):_!==void 0&&l!==_&&k.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${_}".`});if(S!==void 0&&(l==="object"||l==="array"?io(e,S)||k.push({instanceLocation:s,keyword:"const",keywordLocation:`${c}/const`,error:`Instance does not match ${JSON.stringify(S)}.`}):e!==S&&k.push({instanceLocation:s,keyword:"const",keywordLocation:`${c}/const`,error:`Instance does not match ${JSON.stringify(S)}.`})),w!==void 0&&(l==="object"||l==="array"?w.some(N=>io(e,N))||k.push({instanceLocation:s,keyword:"enum",keywordLocation:`${c}/enum`,error:`Instance does not match any of ${JSON.stringify(w)}.`}):w.some(N=>e===N)||k.push({instanceLocation:s,keyword:"enum",keywordLocation:`${c}/enum`,error:`Instance does not match any of ${JSON.stringify(w)}.`})),b!==void 0){let N=`${c}/not`;he(e,b,r,n,a,i,s,N).valid&&k.push({instanceLocation:s,keyword:"not",keywordLocation:N,error:'Instance matched "not" schema.'})}let Va=[];if(R!==void 0){let N=`${c}/anyOf`,$=k.length,L=!1;for(let T=0;T<R.length;T++){let P=R[T],D=Object.create(d),j=he(e,P,r,n,a,y===!0?i:null,s,`${N}/${T}`,D);k.push(...j.errors),L=L||j.valid,j.valid&&Va.push(D)}L?k.length=$:k.splice($,0,{instanceLocation:s,keyword:"anyOf",keywordLocation:N,error:"Instance does not match any subschemas."})}if(M!==void 0){let N=`${c}/allOf`,$=k.length,L=!0;for(let T=0;T<M.length;T++){let P=M[T],D=Object.create(d),j=he(e,P,r,n,a,y===!0?i:null,s,`${N}/${T}`,D);k.push(...j.errors),L=L&&j.valid,j.valid&&Va.push(D)}L?k.length=$:k.splice($,0,{instanceLocation:s,keyword:"allOf",keywordLocation:N,error:"Instance does not match every subschema."})}if(q!==void 0){let N=`${c}/oneOf`,$=k.length,L=q.filter((T,P)=>{let D=Object.create(d),j=he(e,T,r,n,a,y===!0?i:null,s,`${N}/${P}`,D);return k.push(...j.errors),j.valid&&Va.push(D),j.valid}).length;L===1?k.length=$:k.splice($,0,{instanceLocation:s,keyword:"oneOf",keywordLocation:N,error:`Instance does not match exactly one subschema (${L} matches).`})}if((l==="object"||l==="array")&&Object.assign(d,...Va),Me!==void 0){let N=`${c}/if`;if(he(e,Me,r,n,a,i,s,N,d).valid){if(it!==void 0){let L=he(e,it,r,n,a,i,s,`${c}/then`,d);L.valid||k.push({instanceLocation:s,keyword:"if",keywordLocation:N,error:'Instance does not match "then" schema.'},...L.errors)}}else if(Sn!==void 0){let L=he(e,Sn,r,n,a,i,s,`${c}/else`,d);L.valid||k.push({instanceLocation:s,keyword:"if",keywordLocation:N,error:'Instance does not match "else" schema.'},...L.errors)}}if(l==="object"){if(v!==void 0)for(let T of v)T in e||k.push({instanceLocation:s,keyword:"required",keywordLocation:`${c}/required`,error:`Instance does not have required property "${T}".`});let N=Object.keys(e);if(fo!==void 0&&N.length<fo&&k.push({instanceLocation:s,keyword:"minProperties",keywordLocation:`${c}/minProperties`,error:`Instance does not have at least ${fo} properties.`}),ec!==void 0&&N.length>ec&&k.push({instanceLocation:s,keyword:"maxProperties",keywordLocation:`${c}/maxProperties`,error:`Instance does not have at least ${ec} properties.`}),qp!==void 0){let T=`${c}/propertyNames`;for(let P in e){let D=`${s}/${at(P)}`,j=he(P,qp,r,n,a,i,D,T);j.valid||k.push({instanceLocation:s,keyword:"propertyNames",keywordLocation:T,error:`Property name "${P}" does not match schema.`},...j.errors)}}if(tc!==void 0){let T=`${c}/dependantRequired`;for(let P in tc)if(P in e){let D=tc[P];for(let j of D)j in e||k.push({instanceLocation:s,keyword:"dependentRequired",keywordLocation:T,error:`Instance has "${P}" but does not have "${j}".`})}}if(rc!==void 0)for(let T in rc){let P=`${c}/dependentSchemas`;if(T in e){let D=he(e,rc[T],r,n,a,i,s,`${P}/${at(T)}`,d);D.valid||k.push({instanceLocation:s,keyword:"dependentSchemas",keywordLocation:P,error:`Instance has "${T}" but does not match dependant schema.`},...D.errors)}}if(nc!==void 0){let T=`${c}/dependencies`;for(let P in nc)if(P in e){let D=nc[P];if(Array.isArray(D))for(let j of D)j in e||k.push({instanceLocation:s,keyword:"dependencies",keywordLocation:T,error:`Instance has "${P}" but does not have "${j}".`});else{let j=he(e,D,r,n,a,i,s,`${T}/${at(P)}`);j.valid||k.push({instanceLocation:s,keyword:"dependencies",keywordLocation:T,error:`Instance has "${P}" but does not match dependant schema.`},...j.errors)}}}let $=Object.create(null),L=!1;if(qt!==void 0){let T=`${c}/properties`;for(let P in qt){if(!(P in e))continue;let D=`${s}/${at(P)}`,j=he(e[P],qt[P],r,n,a,i,D,`${T}/${at(P)}`);if(j.valid)d[P]=$[P]=!0;else if(L=a,k.push({instanceLocation:s,keyword:"properties",keywordLocation:T,error:`Property "${P}" does not match schema.`},...j.errors),L)break}}if(!L&&Ur!==void 0){let T=`${c}/patternProperties`;for(let P in Ur){let D=new RegExp(P,"u"),j=Ur[P];for(let Ze in e){if(!D.test(Ze))continue;let Lp=`${s}/${at(Ze)}`,Bp=he(e[Ze],j,r,n,a,i,Lp,`${T}/${at(P)}`);Bp.valid?d[Ze]=$[Ze]=!0:(L=a,k.push({instanceLocation:s,keyword:"patternProperties",keywordLocation:T,error:`Property "${Ze}" matches pattern "${P}" but does not match associated schema.`},...Bp.errors))}}}if(!L&&po!==void 0){let T=`${c}/additionalProperties`;for(let P in e){if($[P])continue;let D=`${s}/${at(P)}`,j=he(e[P],po,r,n,a,i,D,T);j.valid?d[P]=!0:(L=a,k.push({instanceLocation:s,keyword:"additionalProperties",keywordLocation:T,error:`Property "${P}" does not match additional properties schema.`},...j.errors))}}else if(!L&&mo!==void 0){let T=`${c}/unevaluatedProperties`;for(let P in e)if(!d[P]){let D=`${s}/${at(P)}`,j=he(e[P],mo,r,n,a,i,D,T);j.valid?d[P]=!0:k.push({instanceLocation:s,keyword:"unevaluatedProperties",keywordLocation:T,error:`Property "${P}" does not match unevaluated properties schema.`},...j.errors)}}}else if(l==="array"){ic!==void 0&&e.length>ic&&k.push({instanceLocation:s,keyword:"maxItems",keywordLocation:`${c}/maxItems`,error:`Array has too many items (${e.length} > ${ic}).`}),ac!==void 0&&e.length<ac&&k.push({instanceLocation:s,keyword:"minItems",keywordLocation:`${c}/minItems`,error:`Array has too few items (${e.length} < ${ac}).`});let N=e.length,$=0,L=!1;if(oc!==void 0){let T=`${c}/prefixItems`,P=Math.min(oc.length,N);for(;$<P;$++){let D=he(e[$],oc[$],r,n,a,i,`${s}/${$}`,`${T}/${$}`);if(d[$]=!0,!D.valid&&(L=a,k.push({instanceLocation:s,keyword:"prefixItems",keywordLocation:T,error:"Items did not match schema."},...D.errors),L))break}}if(ho!==void 0){let T=`${c}/items`;if(Array.isArray(ho)){let P=Math.min(ho.length,N);for(;$<P;$++){let D=he(e[$],ho[$],r,n,a,i,`${s}/${$}`,`${T}/${$}`);if(d[$]=!0,!D.valid&&(L=a,k.push({instanceLocation:s,keyword:"items",keywordLocation:T,error:"Items did not match schema."},...D.errors),L))break}}else for(;$<N;$++){let P=he(e[$],ho,r,n,a,i,`${s}/${$}`,T);if(d[$]=!0,!P.valid&&(L=a,k.push({instanceLocation:s,keyword:"items",keywordLocation:T,error:"Items did not match schema."},...P.errors),L))break}if(!L&&Np!==void 0){let P=`${c}/additionalItems`;for(;$<N;$++){let D=he(e[$],Np,r,n,a,i,`${s}/${$}`,P);d[$]=!0,D.valid||(L=a,k.push({instanceLocation:s,keyword:"additionalItems",keywordLocation:P,error:"Items did not match additional items schema."},...D.errors))}}}if(Dp!==void 0)if(N===0&&Nt===void 0)k.push({instanceLocation:s,keyword:"contains",keywordLocation:`${c}/contains`,error:"Array is empty. It must contain at least one item matching the schema."});else if(Nt!==void 0&&N<Nt)k.push({instanceLocation:s,keyword:"minContains",keywordLocation:`${c}/minContains`,error:`Array has less items (${N}) than minContains (${Nt}).`});else{let T=`${c}/contains`,P=k.length,D=0;for(let j=0;j<N;j++){let Ze=he(e[j],Dp,r,n,a,i,`${s}/${j}`,T);Ze.valid?(d[j]=!0,D++):k.push(...Ze.errors)}D>=(Nt||0)&&(k.length=P),Nt===void 0&&Da===void 0&&D===0?k.splice(P,0,{instanceLocation:s,keyword:"contains",keywordLocation:T,error:"Array does not contain item matching schema."}):Nt!==void 0&&D<Nt?k.push({instanceLocation:s,keyword:"minContains",keywordLocation:`${c}/minContains`,error:`Array must contain at least ${Nt} items matching schema. Only ${D} items were found.`}):Da!==void 0&&D>Da&&k.push({instanceLocation:s,keyword:"maxContains",keywordLocation:`${c}/maxContains`,error:`Array may contain at most ${Da} items matching schema. ${D} items were found.`})}if(!L&&jp!==void 0){let T=`${c}/unevaluatedItems`;for($;$<N;$++){if(d[$])continue;let P=he(e[$],jp,r,n,a,i,`${s}/${$}`,T);d[$]=!0,P.valid||k.push({instanceLocation:s,keyword:"unevaluatedItems",keywordLocation:T,error:"Items did not match unevaluated items schema."},...P.errors)}}if(bv)for(let T=0;T<N;T++){let P=e[T],D=typeof P=="object"&&P!==null;for(let j=0;j<N;j++){if(T===j)continue;let Ze=e[j];(P===Ze||D&&(typeof Ze=="object"&&Ze!==null)&&io(P,Ze))&&(k.push({instanceLocation:s,keyword:"uniqueItems",keywordLocation:`${c}/uniqueItems`,error:`Duplicate items at indexes ${T} and ${j}.`}),T=Number.MAX_SAFE_INTEGER,j=Number.MAX_SAFE_INTEGER)}}}else if(l==="number"){if(r==="4"?(Or!==void 0&&(go===!0&&e<=Or||e<Or)&&k.push({instanceLocation:s,keyword:"minimum",keywordLocation:`${c}/minimum`,error:`${e} is less than ${go?"or equal to ":""} ${Or}.`}),$r!==void 0&&(yo===!0&&e>=$r||e>$r)&&k.push({instanceLocation:s,keyword:"maximum",keywordLocation:`${c}/maximum`,error:`${e} is greater than ${yo?"or equal to ":""} ${$r}.`})):(Or!==void 0&&e<Or&&k.push({instanceLocation:s,keyword:"minimum",keywordLocation:`${c}/minimum`,error:`${e} is less than ${Or}.`}),$r!==void 0&&e>$r&&k.push({instanceLocation:s,keyword:"maximum",keywordLocation:`${c}/maximum`,error:`${e} is greater than ${$r}.`}),go!==void 0&&e<=go&&k.push({instanceLocation:s,keyword:"exclusiveMinimum",keywordLocation:`${c}/exclusiveMinimum`,error:`${e} is less than ${go}.`}),yo!==void 0&&e>=yo&&k.push({instanceLocation:s,keyword:"exclusiveMaximum",keywordLocation:`${c}/exclusiveMaximum`,error:`${e} is greater than or equal to ${yo}.`})),Ha!==void 0){let N=e%Ha;Math.abs(0-N)>=11920929e-14&&Math.abs(Ha-N)>=11920929e-14&&k.push({instanceLocation:s,keyword:"multipleOf",keywordLocation:`${c}/multipleOf`,error:`${e} is not a multiple of ${Ha}.`})}}else if(l==="string"){let N=La===void 0&&Ba===void 0?0:l_(e);La!==void 0&&N<La&&k.push({instanceLocation:s,keyword:"minLength",keywordLocation:`${c}/minLength`,error:`String is too short (${N} < ${La}).`}),Ba!==void 0&&N>Ba&&k.push({instanceLocation:s,keyword:"maxLength",keywordLocation:`${c}/maxLength`,error:`String is too long (${N} > ${Ba}).`}),Hp!==void 0&&!new RegExp(Hp,"u").test(e)&&k.push({instanceLocation:s,keyword:"pattern",keywordLocation:`${c}/pattern`,error:"String does not match pattern."}),or!==void 0&&np[or]&&!np[or](e)&&k.push({instanceLocation:s,keyword:"format",keywordLocation:`${c}/format`,error:`String does not match format "${or}".`})}return{valid:k.length===0,errors:k}}o(he,"validate");var ks=class{static{o(this,"Validator")}schema;draft;shortCircuit;lookup;constructor(t,r="2019-09",n=!0){this.schema=t,this.draft=r,this.shortCircuit=n,this.lookup=Xt(t)}validate(t){return he(t,this.schema,this.draft,this.lookup,this.shortCircuit)}addSchema(t,r){r&&(t={...t,$id:r}),Xt(t,this.lookup)}};var so=class{static{o(this,"CfWorkerJsonSchemaValidator")}constructor(t){this.shortcircuit=t?.shortcircuit??!0,this.draft=t?.draft??"2020-12"}getValidator(t){let r=new ks(t,this.draft,this.shortcircuit);return n=>{let a=r.validate(n);return a.valid?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:a.errors.map(i=>`${i.instanceLocation}: ${i.error}`).join("; ")}}}};import{metrics as _O,context as Ts,propagation as m_,SpanKind as f_,SpanStatusCode as op,trace as Ea}from"@opentelemetry/api";var wO="mcp-gateway",vO="mcp-gateway",bO=zr,RO="2.0",h_=Ea.getTracer(wO),ap=_O.getMeter(vO),CO=ap.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),IO=ap.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),PO=ap.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),xO=["traceparent","tracestate","baggage"];function ip(){return performance.now()/1e3}o(ip,"nowSeconds");function g_(e,t){t(Math.max(ip()-e,0))}o(g_,"recordDurationSeconds");function p_(e){return e===void 0?void 0:String(e)}o(p_,"stringifyAttribute");function ze(e,t,r){r!==void 0&&(e[t]=r)}o(ze,"assignAttribute");function AO(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(AO,"readTargetName");function y_(e){let t=AO({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(y_,"buildMcpOperationSpanName");function sp(e){let t={"mcp.method.name":e.methodName};return ze(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??RO),ze(t,"jsonrpc.request.id",p_(e.jsonRpcRequestId)),ze(t,"mcp.protocol.version",e.mcpProtocolVersion??bO),ze(t,"mcp.session.id",e.mcpSessionId),ze(t,"mcp.resource.uri",e.resourceUri),ze(t,"rpc.response.status_code",p_(e.rpcResponseStatusCode)),ze(t,"error.type",e.errorType),e.capabilityType==="tool"&&(ze(t,"gen_ai.operation.name","execute_tool"),ze(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&ze(t,"gen_ai.prompt.name",e.capabilityName),ze(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),ze(t,"network.protocol.version",e.networkProtocolVersion),ze(t,"network.transport",e.networkTransport),ze(t,"server.address",e.serverAddress),ze(t,"server.port",e.serverPort),ze(t,"client.address",e.clientAddress),ze(t,"client.port",e.clientPort),t}o(sp,"buildMcpOperationAttributes");function kO(e){let t=sp({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(kO,"buildMcpSessionAttributes");function S_(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:op.ERROR}),t instanceof Error&&e.recordException(t)}o(S_,"setSpanError");function __(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(__,"readErrorType");function TO(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?Ts.active():m_.extract(Ts.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(TO,"readServerParentContext");function EO(e){let t=Ea.getSpanContext(Ts.active()),r=Ea.getSpanContext(e);if(!(!t||!Ea.isSpanContextValid(t))&&!(r&&Ea.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(EO,"readAmbientSpanLink");function w_(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(w_,"readResultErrorType");async function xr(e,t){let r=ip(),n=sp({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return h_.startActiveSpan(y_(e),{kind:f_.CLIENT,attributes:n},async a=>{try{let i=await t(),s=w_(i);return s&&(a.setAttribute("error.type",s),a.setStatus({code:op.ERROR}),n["error.type"]=s),i}catch(i){let s=e.errorType??__(i);throw n["error.type"]=s,S_(a,i,s),i}finally{g_(r,i=>{CO.record(i,n)}),a.end()}})}o(xr,"runMcpClientOperation");async function Ar(e,t){let r=ip(),n=TO(e.params),a=sp({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),i=EO(n);return h_.startActiveSpan(y_(e),{kind:f_.SERVER,attributes:a,...i?{links:i}:{}},n,async s=>{try{let c=await t(),d=w_(c);return d&&(s.setAttribute("error.type",d),s.setStatus({code:op.ERROR}),a["error.type"]=d),c}catch(c){let d=e.errorType??__(c);throw a["error.type"]=d,S_(s,c,d),c}finally{g_(r,c=>{IO.record(c,a)}),s.end()}})}o(Ar,"runMcpServerOperation");function v_(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return m_.inject(Ts.active(),t._meta,{set(r,n,a){xO.includes(n)&&(r[n]=a)}}),t}o(v_,"injectMcpTraceContextIntoParams");function b_(e,t){let r=kO({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});PO.record(Math.max(t,0),r)}o(b_,"recordMcpClientSessionDuration");var Es=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=lr,n){let a=this._client,i={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},s=a.requestStream({method:"tools/call",params:t},r,i),c=a.getToolOutputValidator(t.name);for await(let d of s){if(d.type==="result"&&c){let p=d.result;if(!p.structuredContent&&!p.isError){yield{type:"error",error:new A(E.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(p.structuredContent)try{let l=c(p.structuredContent);if(!l.valid){yield{type:"error",error:new A(E.InvalidParams,`Structured content does not match the tool's output schema: ${l.errorMessage}`)};return}}catch(l){if(l instanceof A){yield{type:"error",error:l};return}yield{type:"error",error:new A(E.InvalidParams,`Failed to validate structured content: ${l instanceof Error?l.message:String(l)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function Us(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let i=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(i,"default")&&(r[a]=i.default),r[a]!==void 0&&Us(i,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&Us(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&Us(r,t)}}o(Us,"applyElicitationDefaults");function UO(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(UO,"getSupportedElicitationModes");var Os=class extends Ln{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new ao,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",bu,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",_u,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",du,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new Es(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Hi(this._capabilities,t)}setRequestHandler(t,r){let a=Hn(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(yr(a)){let c=a;i=c._zod?.def?.value??c.value}else{let c=a;i=c._def?.value??c.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");let s=i;if(s==="elicitation/create"){let c=o(async(d,p)=>{let l=Ge(Iu,d);if(!l.success){let b=l.error instanceof Error?l.error.message:String(l.error);throw new A(E.InvalidParams,`Invalid elicitation request: ${b}`)}let{params:m}=l.data;m.mode=m.mode??"form";let{supportsFormMode:h,supportsUrlMode:y}=UO(this._capabilities.elicitation);if(m.mode==="form"&&!h)throw new A(E.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!y)throw new A(E.InvalidParams,"Client does not support URL-mode elicitation requests");let _=await Promise.resolve(r(d,p));if(m.task){let b=Ge(Bt,_);if(!b.success){let R=b.error instanceof Error?b.error.message:String(b.error);throw new A(E.InvalidParams,`Invalid task creation result: ${R}`)}return b.data}let S=Ge(pr,_);if(!S.success){let b=S.error instanceof Error?S.error.message:String(S.error);throw new A(E.InvalidParams,`Invalid elicitation result: ${b}`)}let w=S.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&w.action==="accept"&&w.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{Us(v,w.content)}catch{}return w},"wrappedHandler");return super.setRequestHandler(t,c)}if(s==="sampling/createMessage"){let c=o(async(d,p)=>{let l=Ge(Cu,d);if(!l.success){let w=l.error instanceof Error?l.error.message:String(l.error);throw new A(E.InvalidParams,`Invalid sampling request: ${w}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let w=Ge(Bt,h);if(!w.success){let v=w.error instanceof Error?w.error.message:String(w.error);throw new A(E.InvalidParams,`Invalid task creation result: ${v}`)}return w.data}let _=m.tools||m.toolChoice?No:Hr,S=Ge(_,h);if(!S.success){let w=S.error instanceof Error?S.error.message:String(S.error);throw new A(E.InvalidParams,`Invalid sampling result: ${w}`)}return S.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:cr,capabilities:this._capabilities,clientInfo:this._clientInfo}},tu,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!ur.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){Is(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&Ps(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},Lt,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},Pu,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},Lt,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},Su,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},pu,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},ou,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},iu,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},uu,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},Lt,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},Lt,r)}async callTool(t,r=lr,n){if(this.isToolTaskRequired(t.name))throw new A(E.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),i=this.getToolOutputValidator(t.name);if(i){if(!a.structuredContent&&!a.isError)throw new A(E.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let s=i(a.structuredContent);if(!s.valid)throw new A(E.InvalidParams,`Structured content does not match the tool's output schema: ${s.errorMessage}`)}catch(s){throw s instanceof A?s:new A(E.InvalidParams,`Failed to validate structured content: ${s instanceof Error?s.message:String(s)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},vu,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let i=Zf.safeParse(n);if(!i.success)throw new Error(`Invalid ${t} listChanged options: ${i.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:s,debounceMs:c}=i.data,{onChanged:d}=n,p=o(async()=>{if(!s){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let h=m instanceof Error?m:new Error(String(m));d(h,null)}},"refresh"),l=o(()=>{if(c){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let h=setTimeout(p,c);this._listChangedDebounceTimers.set(t,h)}else p()},"handler");this.setNotificationHandler(r,l)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function $s(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o($s,"normalizeHeaders");function R_(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...$s(t.headers),...$s(n.headers)}:t.headers};return e(r,a)}:e}o(R_,"createFetchWithInit");var zs=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function cp(e){}o(cp,"noop");function C_(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=cp,onError:r=cp,onRetry:n=cp,onComment:a}=e,i="",s=!0,c,d="",p="";function l(S){let w=s?S.replace(/^\xEF\xBB\xBF/,""):S,[v,b]=OO(`${i}${w}`);for(let R of v)m(R);i=b,s=!1}o(l,"feed");function m(S){if(S===""){y();return}if(S.startsWith(":")){a&&a(S.slice(S.startsWith(": ")?2:1));return}let w=S.indexOf(":");if(w!==-1){let v=S.slice(0,w),b=S[w+1]===" "?2:1,R=S.slice(w+b);h(v,R,S);return}h(S,"",S)}o(m,"parseLine");function h(S,w,v){switch(S){case"event":p=w;break;case"data":d=`${d}${w}
-`;break;case"id":c=w.includes("\0")?void 0:w;break;case"retry":/^\d+$/.test(w)?n(parseInt(w,10)):r(new zs(`Invalid \`retry\` value: "${w}"`,{type:"invalid-retry",value:w,line:v}));break;default:r(new zs(`Unknown field "${S.length>20?`${S.slice(0,20)}\u2026`:S}"`,{type:"unknown-field",field:S,value:w,line:v}));break}}o(h,"processField");function y(){d.length>0&&t({id:c,event:p||void 0,data:d.endsWith(`
-`)?d.slice(0,-1):d}),c=void 0,d="",p=""}o(y,"dispatchEvent");function _(S={}){i&&S.consume&&m(i),s=!0,c=void 0,d="",p="",i=""}return o(_,"reset"),{feed:l,reset:_}}o(C_,"createParser");function OO(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
+- `)}`,new Error(P)}let H=`${c}/$ref`,A=he(e,$,r,n,a,i,s,H,d);if(A.valid||T.push({instanceLocation:s,keyword:"$ref",keywordLocation:H,error:"A subschema had errors."},...A.errors),r==="4"||r==="7")return{valid:T.length===0,errors:T}}if(Array.isArray(v)){let q=v.length,$=!1;for(let H=0;H<q;H++)if(l===v[H]||v[H]==="integer"&&l==="number"&&e%1===0&&e===e){$=!0;break}$||T.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${v.join('", "')}".`})}else v==="integer"?(l!=="number"||e%1||e!==e)&&T.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${v}".`}):v!==void 0&&l!==v&&T.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${v}".`});if(S!==void 0&&(l==="object"||l==="array"?ao(e,S)||T.push({instanceLocation:s,keyword:"const",keywordLocation:`${c}/const`,error:`Instance does not match ${JSON.stringify(S)}.`}):e!==S&&T.push({instanceLocation:s,keyword:"const",keywordLocation:`${c}/const`,error:`Instance does not match ${JSON.stringify(S)}.`})),_!==void 0&&(l==="object"||l==="array"?_.some(q=>ao(e,q))||T.push({instanceLocation:s,keyword:"enum",keywordLocation:`${c}/enum`,error:`Instance does not match any of ${JSON.stringify(_)}.`}):_.some(q=>e===q)||T.push({instanceLocation:s,keyword:"enum",keywordLocation:`${c}/enum`,error:`Instance does not match any of ${JSON.stringify(_)}.`})),b!==void 0){let q=`${c}/not`;he(e,b,r,n,a,i,s,q).valid&&T.push({instanceLocation:s,keyword:"not",keywordLocation:q,error:'Instance matched "not" schema.'})}let Ga=[];if(R!==void 0){let q=`${c}/anyOf`,$=T.length,H=!1;for(let A=0;A<R.length;A++){let P=R[A],D=Object.create(d),N=he(e,P,r,n,a,y===!0?i:null,s,`${q}/${A}`,D);T.push(...N.errors),H=H||N.valid,N.valid&&Ga.push(D)}H?T.length=$:T.splice($,0,{instanceLocation:s,keyword:"anyOf",keywordLocation:q,error:"Instance does not match any subschemas."})}if(z!==void 0){let q=`${c}/allOf`,$=T.length,H=!0;for(let A=0;A<z.length;A++){let P=z[A],D=Object.create(d),N=he(e,P,r,n,a,y===!0?i:null,s,`${q}/${A}`,D);T.push(...N.errors),H=H&&N.valid,N.valid&&Ga.push(D)}H?T.length=$:T.splice($,0,{instanceLocation:s,keyword:"allOf",keywordLocation:q,error:"Instance does not match every subschema."})}if(M!==void 0){let q=`${c}/oneOf`,$=T.length,H=M.filter((A,P)=>{let D=Object.create(d),N=he(e,A,r,n,a,y===!0?i:null,s,`${q}/${P}`,D);return T.push(...N.errors),N.valid&&Ga.push(D),N.valid}).length;H===1?T.length=$:T.splice($,0,{instanceLocation:s,keyword:"oneOf",keywordLocation:q,error:`Instance does not match exactly one subschema (${H} matches).`})}if((l==="object"||l==="array")&&Object.assign(d,...Ga),Me!==void 0){let q=`${c}/if`;if(he(e,Me,r,n,a,i,s,q,d).valid){if(at!==void 0){let H=he(e,at,r,n,a,i,s,`${c}/then`,d);H.valid||T.push({instanceLocation:s,keyword:"if",keywordLocation:q,error:'Instance does not match "then" schema.'},...H.errors)}}else if(yn!==void 0){let H=he(e,yn,r,n,a,i,s,`${c}/else`,d);H.valid||T.push({instanceLocation:s,keyword:"if",keywordLocation:q,error:'Instance does not match "else" schema.'},...H.errors)}}if(l==="object"){if(w!==void 0)for(let A of w)A in e||T.push({instanceLocation:s,keyword:"required",keywordLocation:`${c}/required`,error:`Instance does not have required property "${A}".`});let q=Object.keys(e);if(fo!==void 0&&q.length<fo&&T.push({instanceLocation:s,keyword:"minProperties",keywordLocation:`${c}/minProperties`,error:`Instance does not have at least ${fo} properties.`}),Xs!==void 0&&q.length>Xs&&T.push({instanceLocation:s,keyword:"maxProperties",keywordLocation:`${c}/maxProperties`,error:`Instance does not have at least ${Xs} properties.`}),Dp!==void 0){let A=`${c}/propertyNames`;for(let P in e){let D=`${s}/${ot(P)}`,N=he(P,Dp,r,n,a,i,D,A);N.valid||T.push({instanceLocation:s,keyword:"propertyNames",keywordLocation:A,error:`Property name "${P}" does not match schema.`},...N.errors)}}if(ec!==void 0){let A=`${c}/dependantRequired`;for(let P in ec)if(P in e){let D=ec[P];for(let N of D)N in e||T.push({instanceLocation:s,keyword:"dependentRequired",keywordLocation:A,error:`Instance has "${P}" but does not have "${N}".`})}}if(tc!==void 0)for(let A in tc){let P=`${c}/dependentSchemas`;if(A in e){let D=he(e,tc[A],r,n,a,i,s,`${P}/${ot(A)}`,d);D.valid||T.push({instanceLocation:s,keyword:"dependentSchemas",keywordLocation:P,error:`Instance has "${A}" but does not match dependant schema.`},...D.errors)}}if(rc!==void 0){let A=`${c}/dependencies`;for(let P in rc)if(P in e){let D=rc[P];if(Array.isArray(D))for(let N of D)N in e||T.push({instanceLocation:s,keyword:"dependencies",keywordLocation:A,error:`Instance has "${P}" but does not have "${N}".`});else{let N=he(e,D,r,n,a,i,s,`${A}/${ot(P)}`);N.valid||T.push({instanceLocation:s,keyword:"dependencies",keywordLocation:A,error:`Instance has "${P}" but does not match dependant schema.`},...N.errors)}}}let $=Object.create(null),H=!1;if(Mt!==void 0){let A=`${c}/properties`;for(let P in Mt){if(!(P in e))continue;let D=`${s}/${ot(P)}`,N=he(e[P],Mt[P],r,n,a,i,D,`${A}/${ot(P)}`);if(N.valid)d[P]=$[P]=!0;else if(H=a,T.push({instanceLocation:s,keyword:"properties",keywordLocation:A,error:`Property "${P}" does not match schema.`},...N.errors),H)break}}if(!H&&Er!==void 0){let A=`${c}/patternProperties`;for(let P in Er){let D=new RegExp(P,"u"),N=Er[P];for(let Ze in e){if(!D.test(Ze))continue;let Gp=`${s}/${ot(Ze)}`,Vp=he(e[Ze],N,r,n,a,i,Gp,`${A}/${ot(P)}`);Vp.valid?d[Ze]=$[Ze]=!0:(H=a,T.push({instanceLocation:s,keyword:"patternProperties",keywordLocation:A,error:`Property "${Ze}" matches pattern "${P}" but does not match associated schema.`},...Vp.errors))}}}if(!H&&po!==void 0){let A=`${c}/additionalProperties`;for(let P in e){if($[P])continue;let D=`${s}/${ot(P)}`,N=he(e[P],po,r,n,a,i,D,A);N.valid?d[P]=!0:(H=a,T.push({instanceLocation:s,keyword:"additionalProperties",keywordLocation:A,error:`Property "${P}" does not match additional properties schema.`},...N.errors))}}else if(!H&&mo!==void 0){let A=`${c}/unevaluatedProperties`;for(let P in e)if(!d[P]){let D=`${s}/${ot(P)}`,N=he(e[P],mo,r,n,a,i,D,A);N.valid?d[P]=!0:T.push({instanceLocation:s,keyword:"unevaluatedProperties",keywordLocation:A,error:`Property "${P}" does not match unevaluated properties schema.`},...N.errors)}}}else if(l==="array"){ac!==void 0&&e.length>ac&&T.push({instanceLocation:s,keyword:"maxItems",keywordLocation:`${c}/maxItems`,error:`Array has too many items (${e.length} > ${ac}).`}),oc!==void 0&&e.length<oc&&T.push({instanceLocation:s,keyword:"minItems",keywordLocation:`${c}/minItems`,error:`Array has too few items (${e.length} < ${oc}).`});let q=e.length,$=0,H=!1;if(nc!==void 0){let A=`${c}/prefixItems`,P=Math.min(nc.length,q);for(;$<P;$++){let D=he(e[$],nc[$],r,n,a,i,`${s}/${$}`,`${A}/${$}`);if(d[$]=!0,!D.valid&&(H=a,T.push({instanceLocation:s,keyword:"prefixItems",keywordLocation:A,error:"Items did not match schema."},...D.errors),H))break}}if(ho!==void 0){let A=`${c}/items`;if(Array.isArray(ho)){let P=Math.min(ho.length,q);for(;$<P;$++){let D=he(e[$],ho[$],r,n,a,i,`${s}/${$}`,`${A}/${$}`);if(d[$]=!0,!D.valid&&(H=a,T.push({instanceLocation:s,keyword:"items",keywordLocation:A,error:"Items did not match schema."},...D.errors),H))break}}else for(;$<q;$++){let P=he(e[$],ho,r,n,a,i,`${s}/${$}`,A);if(d[$]=!0,!P.valid&&(H=a,T.push({instanceLocation:s,keyword:"items",keywordLocation:A,error:"Items did not match schema."},...P.errors),H))break}if(!H&&jp!==void 0){let P=`${c}/additionalItems`;for(;$<q;$++){let D=he(e[$],jp,r,n,a,i,`${s}/${$}`,P);d[$]=!0,D.valid||(H=a,T.push({instanceLocation:s,keyword:"additionalItems",keywordLocation:P,error:"Items did not match additional items schema."},...D.errors))}}}if(Lp!==void 0)if(q===0&&qt===void 0)T.push({instanceLocation:s,keyword:"contains",keywordLocation:`${c}/contains`,error:"Array is empty. It must contain at least one item matching the schema."});else if(qt!==void 0&&q<qt)T.push({instanceLocation:s,keyword:"minContains",keywordLocation:`${c}/minContains`,error:`Array has less items (${q}) than minContains (${qt}).`});else{let A=`${c}/contains`,P=T.length,D=0;for(let N=0;N<q;N++){let Ze=he(e[N],Lp,r,n,a,i,`${s}/${N}`,A);Ze.valid?(d[N]=!0,D++):T.push(...Ze.errors)}D>=(qt||0)&&(T.length=P),qt===void 0&&Da===void 0&&D===0?T.splice(P,0,{instanceLocation:s,keyword:"contains",keywordLocation:A,error:"Array does not contain item matching schema."}):qt!==void 0&&D<qt?T.push({instanceLocation:s,keyword:"minContains",keywordLocation:`${c}/minContains`,error:`Array must contain at least ${qt} items matching schema. Only ${D} items were found.`}):Da!==void 0&&D>Da&&T.push({instanceLocation:s,keyword:"maxContains",keywordLocation:`${c}/maxContains`,error:`Array may contain at most ${Da} items matching schema. ${D} items were found.`})}if(!H&&Hp!==void 0){let A=`${c}/unevaluatedItems`;for($;$<q;$++){if(d[$])continue;let P=he(e[$],Hp,r,n,a,i,`${s}/${$}`,A);d[$]=!0,P.valid||T.push({instanceLocation:s,keyword:"unevaluatedItems",keywordLocation:A,error:"Items did not match unevaluated items schema."},...P.errors)}}if(Rw)for(let A=0;A<q;A++){let P=e[A],D=typeof P=="object"&&P!==null;for(let N=0;N<q;N++){if(A===N)continue;let Ze=e[N];(P===Ze||D&&(typeof Ze=="object"&&Ze!==null)&&ao(P,Ze))&&(T.push({instanceLocation:s,keyword:"uniqueItems",keywordLocation:`${c}/uniqueItems`,error:`Duplicate items at indexes ${A} and ${N}.`}),A=Number.MAX_SAFE_INTEGER,N=Number.MAX_SAFE_INTEGER)}}}else if(l==="number"){if(r==="4"?(Ur!==void 0&&(go===!0&&e<=Ur||e<Ur)&&T.push({instanceLocation:s,keyword:"minimum",keywordLocation:`${c}/minimum`,error:`${e} is less than ${go?"or equal to ":""} ${Ur}.`}),Or!==void 0&&(yo===!0&&e>=Or||e>Or)&&T.push({instanceLocation:s,keyword:"maximum",keywordLocation:`${c}/maximum`,error:`${e} is greater than ${yo?"or equal to ":""} ${Or}.`})):(Ur!==void 0&&e<Ur&&T.push({instanceLocation:s,keyword:"minimum",keywordLocation:`${c}/minimum`,error:`${e} is less than ${Ur}.`}),Or!==void 0&&e>Or&&T.push({instanceLocation:s,keyword:"maximum",keywordLocation:`${c}/maximum`,error:`${e} is greater than ${Or}.`}),go!==void 0&&e<=go&&T.push({instanceLocation:s,keyword:"exclusiveMinimum",keywordLocation:`${c}/exclusiveMinimum`,error:`${e} is less than ${go}.`}),yo!==void 0&&e>=yo&&T.push({instanceLocation:s,keyword:"exclusiveMaximum",keywordLocation:`${c}/exclusiveMaximum`,error:`${e} is greater than or equal to ${yo}.`})),ja!==void 0){let q=e%ja;Math.abs(0-q)>=11920929e-14&&Math.abs(ja-q)>=11920929e-14&&T.push({instanceLocation:s,keyword:"multipleOf",keywordLocation:`${c}/multipleOf`,error:`${e} is not a multiple of ${ja}.`})}}else if(l==="string"){let q=Ha===void 0&&La===void 0?0:uv(e);Ha!==void 0&&q<Ha&&T.push({instanceLocation:s,keyword:"minLength",keywordLocation:`${c}/minLength`,error:`String is too short (${q} < ${Ha}).`}),La!==void 0&&q>La&&T.push({instanceLocation:s,keyword:"maxLength",keywordLocation:`${c}/maxLength`,error:`String is too long (${q} > ${La}).`}),Bp!==void 0&&!new RegExp(Bp,"u").test(e)&&T.push({instanceLocation:s,keyword:"pattern",keywordLocation:`${c}/pattern`,error:"String does not match pattern."}),or!==void 0&&np[or]&&!np[or](e)&&T.push({instanceLocation:s,keyword:"format",keywordLocation:`${c}/format`,error:`String does not match format "${or}".`})}return{valid:T.length===0,errors:T}}o(he,"validate");var ks=class{static{o(this,"Validator")}schema;draft;shortCircuit;lookup;constructor(t,r="2019-09",n=!0){this.schema=t,this.draft=r,this.shortCircuit=n,this.lookup=Xt(t)}validate(t){return he(t,this.schema,this.draft,this.lookup,this.shortCircuit)}addSchema(t,r){r&&(t={...t,$id:r}),Xt(t,this.lookup)}};var io=class{static{o(this,"CfWorkerJsonSchemaValidator")}constructor(t){this.shortcircuit=t?.shortcircuit??!0,this.draft=t?.draft??"2020-12"}getValidator(t){let r=new ks(t,this.draft,this.shortcircuit);return n=>{let a=r.validate(n);return a.valid?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:a.errors.map(i=>`${i.instanceLocation}: ${i.error}`).join("; ")}}}};import{metrics as XU,context as Ts,propagation as lv,SpanKind as pv,SpanStatusCode as op,trace as Ea}from"@opentelemetry/api";var eO="mcp-gateway",tO="mcp-gateway",rO=$r,nO="2.0",mv=Ea.getTracer(eO),ap=XU.getMeter(tO),oO=ap.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),aO=ap.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),iO=ap.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),sO=["traceparent","tracestate","baggage"];function ip(){return performance.now()/1e3}o(ip,"nowSeconds");function fv(e,t){t(Math.max(ip()-e,0))}o(fv,"recordDurationSeconds");function dv(e){return e===void 0?void 0:String(e)}o(dv,"stringifyAttribute");function ze(e,t,r){r!==void 0&&(e[t]=r)}o(ze,"assignAttribute");function cO(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(cO,"readTargetName");function hv(e){let t=cO({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(hv,"buildMcpOperationSpanName");function sp(e){let t={"mcp.method.name":e.methodName};return ze(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??nO),ze(t,"jsonrpc.request.id",dv(e.jsonRpcRequestId)),ze(t,"mcp.protocol.version",e.mcpProtocolVersion??rO),ze(t,"mcp.session.id",e.mcpSessionId),ze(t,"mcp.resource.uri",e.resourceUri),ze(t,"rpc.response.status_code",dv(e.rpcResponseStatusCode)),ze(t,"error.type",e.errorType),e.capabilityType==="tool"&&(ze(t,"gen_ai.operation.name","execute_tool"),ze(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&ze(t,"gen_ai.prompt.name",e.capabilityName),ze(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),ze(t,"network.protocol.version",e.networkProtocolVersion),ze(t,"network.transport",e.networkTransport),ze(t,"server.address",e.serverAddress),ze(t,"server.port",e.serverPort),ze(t,"client.address",e.clientAddress),ze(t,"client.port",e.clientPort),t}o(sp,"buildMcpOperationAttributes");function uO(e){let t=sp({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(uO,"buildMcpSessionAttributes");function gv(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:op.ERROR}),t instanceof Error&&e.recordException(t)}o(gv,"setSpanError");function yv(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(yv,"readErrorType");function dO(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?Ts.active():lv.extract(Ts.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(dO,"readServerParentContext");function lO(e){let t=Ea.getSpanContext(Ts.active()),r=Ea.getSpanContext(e);if(!(!t||!Ea.isSpanContextValid(t))&&!(r&&Ea.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(lO,"readAmbientSpanLink");function Sv(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(Sv,"readResultErrorType");async function Pr(e,t){let r=ip(),n=sp({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return mv.startActiveSpan(hv(e),{kind:pv.CLIENT,attributes:n},async a=>{try{let i=await t(),s=Sv(i);return s&&(a.setAttribute("error.type",s),a.setStatus({code:op.ERROR}),n["error.type"]=s),i}catch(i){let s=e.errorType??yv(i);throw n["error.type"]=s,gv(a,i,s),i}finally{fv(r,i=>{oO.record(i,n)}),a.end()}})}o(Pr,"runMcpClientOperation");async function xr(e,t){let r=ip(),n=dO(e.params),a=sp({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),i=lO(n);return mv.startActiveSpan(hv(e),{kind:pv.SERVER,attributes:a,...i?{links:i}:{}},n,async s=>{try{let c=await t(),d=Sv(c);return d&&(s.setAttribute("error.type",d),s.setStatus({code:op.ERROR}),a["error.type"]=d),c}catch(c){let d=e.errorType??yv(c);throw a["error.type"]=d,gv(s,c,d),c}finally{fv(r,c=>{aO.record(c,a)}),s.end()}})}o(xr,"runMcpServerOperation");function vv(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return lv.inject(Ts.active(),t._meta,{set(r,n,a){sO.includes(n)&&(r[n]=a)}}),t}o(vv,"injectMcpTraceContextIntoParams");function _v(e,t){let r=uO({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});iO.record(Math.max(t,0),r)}o(_v,"recordMcpClientSessionDuration");var As=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=dr,n){let a=this._client,i={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},s=a.requestStream({method:"tools/call",params:t},r,i),c=a.getToolOutputValidator(t.name);for await(let d of s){if(d.type==="result"&&c){let p=d.result;if(!p.structuredContent&&!p.isError){yield{type:"error",error:new x(E.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(p.structuredContent)try{let l=c(p.structuredContent);if(!l.valid){yield{type:"error",error:new x(E.InvalidParams,`Structured content does not match the tool's output schema: ${l.errorMessage}`)};return}}catch(l){if(l instanceof x){yield{type:"error",error:l};return}yield{type:"error",error:new x(E.InvalidParams,`Failed to validate structured content: ${l instanceof Error?l.message:String(l)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function Es(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let i=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(i,"default")&&(r[a]=i.default),r[a]!==void 0&&Es(i,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&Es(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&Es(r,t)}}o(Es,"applyElicitationDefaults");function pO(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(pO,"getSupportedElicitationModes");var Us=class extends Hn{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new oo,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",bu,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",vu,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",du,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new As(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=ji(this._capabilities,t)}setRequestHandler(t,r){let a=jn(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if(gr(a)){let c=a;i=c._zod?.def?.value??c.value}else{let c=a;i=c._def?.value??c.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");let s=i;if(s==="elicitation/create"){let c=o(async(d,p)=>{let l=Ge(Iu,d);if(!l.success){let b=l.error instanceof Error?l.error.message:String(l.error);throw new x(E.InvalidParams,`Invalid elicitation request: ${b}`)}let{params:m}=l.data;m.mode=m.mode??"form";let{supportsFormMode:h,supportsUrlMode:y}=pO(this._capabilities.elicitation);if(m.mode==="form"&&!h)throw new x(E.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!y)throw new x(E.InvalidParams,"Client does not support URL-mode elicitation requests");let v=await Promise.resolve(r(d,p));if(m.task){let b=Ge(Bt,v);if(!b.success){let R=b.error instanceof Error?b.error.message:String(b.error);throw new x(E.InvalidParams,`Invalid task creation result: ${R}`)}return b.data}let S=Ge(lr,v);if(!S.success){let b=S.error instanceof Error?S.error.message:String(S.error);throw new x(E.InvalidParams,`Invalid elicitation result: ${b}`)}let _=S.data,w=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&_.action==="accept"&&_.content&&w&&this._capabilities.elicitation?.form?.applyDefaults)try{Es(w,_.content)}catch{}return _},"wrappedHandler");return super.setRequestHandler(t,c)}if(s==="sampling/createMessage"){let c=o(async(d,p)=>{let l=Ge(Cu,d);if(!l.success){let _=l.error instanceof Error?l.error.message:String(l.error);throw new x(E.InvalidParams,`Invalid sampling request: ${_}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let _=Ge(Bt,h);if(!_.success){let w=_.error instanceof Error?_.error.message:String(_.error);throw new x(E.InvalidParams,`Invalid task creation result: ${w}`)}return _.data}let v=m.tools||m.toolChoice?No:jr,S=Ge(v,h);if(!S.success){let _=S.error instanceof Error?S.error.message:String(S.error);throw new x(E.InvalidParams,`Invalid sampling result: ${_}`)}return S.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:sr,capabilities:this._capabilities,clientInfo:this._clientInfo}},tu,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!cr.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){Cs(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&Is(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},Lt,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},Pu,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},Lt,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},Su,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},pu,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},ou,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},iu,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},uu,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},Lt,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},Lt,r)}async callTool(t,r=dr,n){if(this.isToolTaskRequired(t.name))throw new x(E.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),i=this.getToolOutputValidator(t.name);if(i){if(!a.structuredContent&&!a.isError)throw new x(E.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let s=i(a.structuredContent);if(!s.valid)throw new x(E.InvalidParams,`Structured content does not match the tool's output schema: ${s.errorMessage}`)}catch(s){throw s instanceof x?s:new x(E.InvalidParams,`Failed to validate structured content: ${s instanceof Error?s.message:String(s)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},wu,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let i=Vf.safeParse(n);if(!i.success)throw new Error(`Invalid ${t} listChanged options: ${i.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:s,debounceMs:c}=i.data,{onChanged:d}=n,p=o(async()=>{if(!s){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let h=m instanceof Error?m:new Error(String(m));d(h,null)}},"refresh"),l=o(()=>{if(c){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let h=setTimeout(p,c);this._listChangedDebounceTimers.set(t,h)}else p()},"handler");this.setNotificationHandler(r,l)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function Os(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(Os,"normalizeHeaders");function wv(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...Os(t.headers),...Os(n.headers)}:t.headers};return e(r,a)}:e}o(wv,"createFetchWithInit");var $s=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function cp(e){}o(cp,"noop");function bv(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=cp,onError:r=cp,onRetry:n=cp,onComment:a}=e,i="",s=!0,c,d="",p="";function l(S){let _=s?S.replace(/^\xEF\xBB\xBF/,""):S,[w,b]=mO(`${i}${_}`);for(let R of w)m(R);i=b,s=!1}o(l,"feed");function m(S){if(S===""){y();return}if(S.startsWith(":")){a&&a(S.slice(S.startsWith(": ")?2:1));return}let _=S.indexOf(":");if(_!==-1){let w=S.slice(0,_),b=S[_+1]===" "?2:1,R=S.slice(_+b);h(w,R,S);return}h(S,"",S)}o(m,"parseLine");function h(S,_,w){switch(S){case"event":p=_;break;case"data":d=`${d}${_}
+`;break;case"id":c=_.includes("\0")?void 0:_;break;case"retry":/^\d+$/.test(_)?n(parseInt(_,10)):r(new $s(`Invalid \`retry\` value: "${_}"`,{type:"invalid-retry",value:_,line:w}));break;default:r(new $s(`Unknown field "${S.length>20?`${S.slice(0,20)}\u2026`:S}"`,{type:"unknown-field",field:S,value:_,line:w}));break}}o(h,"processField");function y(){d.length>0&&t({id:c,event:p||void 0,data:d.endsWith(`
+`)?d.slice(0,-1):d}),c=void 0,d="",p=""}o(y,"dispatchEvent");function v(S={}){i&&S.consume&&m(i),s=!0,c=void 0,d="",p="",i=""}return o(v,"reset"),{feed:l,reset:v}}o(bv,"createParser");function mO(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
 `,n),s=-1;if(a!==-1&&i!==-1?s=Math.min(a,i):a!==-1?a===e.length-1?s=-1:s=a:i!==-1&&(s=i),s===-1){r=e.slice(n);break}else{let c=e.slice(n,s);t.push(c),n=s+1,e[n-1]==="\r"&&e[n]===`
-`&&n++}}return[t,r]}o(OO,"splitLines");var Ms=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=C_({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var $O={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},kr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},qs=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=R_(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??$O}async _authThenStart(){if(!this._authProvider)throw new Ft("No auth provider");let t;try{t=await gr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new Ft;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=$s(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new kr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,c=!1,d=!1;o(async()=>{try{let l=t.pipeThrough(new TextDecoderStream).pipeThrough(new Ms({onRetry:o(y=>{this._serverRetryMs=y},"onRetry")})).getReader();for(;;){let{value:y,done:_}=await l.read();if(_)break;if(y.id&&(s=y.id,c=!0,a?.(y.id)),!!y.data&&(!y.event||y.event==="message"))try{let S=Dr.parse(JSON.parse(y.data));yt(S)&&(d=!0,i!==void 0&&(S.id=i)),this.onmessage?.(S)}catch(S){this.onerror?.(S)}}(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(l){if(this.onerror?.(new Error(`SSE stream disconnected: ${l}`)),(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(y){this.onerror?.(new Error(`Failed to reconnect: ${y instanceof Error?y.message:String(y)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new Ft("No auth provider");if(await gr(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:Pt(t)?t.id:void 0}).catch(h=>this.onerror?.(h));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},c=await(this._fetch??fetch)(this._url,s),d=c.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!c.ok){let h=await c.text().catch(()=>null);if(c.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new kr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:y,scope:_}=nd(c);if(this._resourceMetadataUrl=y,this._scope=_,await gr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft;return this._hasCompletedAuthFlow=!0,this.send(t)}if(c.status===403&&this._authProvider){let{resourceMetadataUrl:y,scope:_,error:S}=nd(c);if(S==="insufficient_scope"){let w=c.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===w)throw new kr(403,"Server returned 403 after trying upscoping");if(_&&(this._scope=_),y&&(this._resourceMetadataUrl=y),this._lastUpscopingHeader=w??void 0,await gr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new Ft;return this.send(t)}}throw new kr(c.status,`Error POSTing to endpoint: ${h}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,c.status===202){await c.body?.cancel(),Df(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(h=>this.onerror?.(h));return}let l=(Array.isArray(t)?t:[t]).filter(h=>"method"in h&&"id"in h&&h.id!==void 0).length>0,m=c.headers.get("content-type");if(l)if(m?.includes("text/event-stream"))this._handleSseStream(c.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let h=await c.json(),y=Array.isArray(h)?h.map(_=>Dr.parse(_)):[Dr.parse(h)];for(let _ of y)this.onmessage?.(_)}else throw await c.body?.cancel(),new kr(-1,`Unexpected content type: ${m}`);else await c.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new kr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function I_(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(I_,"resolveNativeMcpRequestHeaders");var zO={name:"zuplo-mcp-gateway",version:"0.1.0"},MO=new so({draft:"7",shortcircuit:!1}),qO=5,NO=500,A_=3e4,jO=2*1024*1024,DO=2;function P_(){return performance.now()/1e3}o(P_,"nowSeconds");function HO(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(HO,"readServerPort");function LO(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:HO(e)}}o(LO,"buildNativeMcpOperationContext");function sn(e){return v_(e)}o(sn,"withTraceMeta");function Ns(e){if(e>NO)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(Ns,"assertImportedCapabilityBudget");function x_(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(x_,"buildRequestInit");function BO(e){return(t,r)=>qn(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:DO,maxResponseBytes:jO,problemCode:"upstream_capability_invocation_failed",timeoutMs:A_})}o(BO,"createNativeMcpFetch");function GO(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},A_);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(GO,"withNativeMcpRequestTimeout");function VO(e,t=[]){let r=I_(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:BO(a)};if(!e)return{...i,...x_(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...x_(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(VO,"buildNativeMcpTransportOptions");async function cn(e,t,r){let{transport:n}=je(e),a=new URL(n.baseUrl),i=new qs(a,VO(r,n.requestHeaders)),s=new Os(zO,{capabilities:{},jsonSchemaValidator:MO});return GO((async()=>{let c=P_();await s.connect(i);let d=i.sessionId,p=LO(a,d);try{return await t(s,p)}finally{if(i.sessionId)try{await i.terminateSession()}catch{}await s.close(),d&&b_(p,P_()-c)}})())}o(cn,"withNativeMcpClient");async function FO(e,t,r){let n=[],a,i=0;do{if(i>=qO)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(FO,"collectPaginatedSdkItems");async function js(e){return e.enabled?FO(e.label,e.fetchPage,e.readItems):[]}o(js,"listNativeMcpCapabilityItems");async function k_(e){return cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await xr({methodName:"tools/list",...r},()=>js({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(sn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Ns(a.length),{tools:a}},e.credential)}o(k_,"listNativeMcpTools");async function T_(e){return cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await xr({methodName:"prompts/list",...r},()=>js({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(sn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Ns(a.length),{prompts:a}},e.credential)}o(T_,"listNativeMcpPrompts");async function E_(e){return cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await xr({methodName:"resources/list",...r},()=>js({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(sn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Ns(a.length),{resources:a}},e.credential)}o(E_,"listNativeMcpResources");async function U_(e){return cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await xr({methodName:"resources/templates/list",...r},()=>js({enabled:!!n?.resources,label:"Resource template list",fetchPage:o(i=>t.listResourceTemplates(sn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resourceTemplates,"readItems")}));return Ns(a.length),{resourceTemplates:a}},e.credential)}o(U_,"listNativeMcpResourceTemplates");async function O_(e){return cn(e.upstreamServerId,(t,r)=>xr({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(sn(e.params))),e.credential)}o(O_,"callNativeMcpTool");async function $_(e){return cn(e.upstreamServerId,(t,r)=>xr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(sn(e.params))),e.credential)}o($_,"getNativeMcpPrompt");async function z_(e){return cn(e.upstreamServerId,(t,r)=>xr({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(sn(e.params))),e.credential)}o(z_,"readNativeMcpResource");var Ua=class extends A{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(E.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function ZO(e){return{content:[{type:"text",text:e}],isError:!0}}o(ZO,"buildToolErrorResult");function KO(e){return e.authUrl?new sr([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new Ua(e)}o(KO,"toConnectRequiredError");function JO(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(JO,"buildCredentialResolvedAttributes");function WO(e){Qe(e.context,{eventType:Z.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:JO(e.credential)})}o(WO,"emitCredentialResolvedAnalyticsEvent");function YO(e){Qe(e.context,{eventType:Z.MCP_GATEWAY_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}o(YO,"emitCredentialMissingAnalyticsEvent");function QO(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):Nr({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(QO,"readRouteBindingCredentialCacheKey");function q_(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(q_,"readOwnedRouteBindingLookup");async function XO(e){let t=Gc(e.request);if(!t)return new Map;let r=new Map;for(let s of e.routeBindings){let c=q_(s);c!==void 0&&r.set(Nr(c),c)}if(r.size===0)return new Map;let n=[...r.values()],a=await K().authorizeAndLoadConnections({accessTokenHash:await le(t),resource:Mr(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:n,now:re(new Date)});if(a.kind!=="authorized")return new Map;let i=new Map;return a.upstreamConnections.forEach((s,c)=>{let d=n[c];d!==void 0&&i.set(Nr(d),s.connection)}),i}o(XO,"preloadCompositeAuthorizedConnections");function e$(e){let t=new Map;return r=>{let n=QO(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,c=q_(r),d=c===void 0?void 0:Nr(c),p=await ji({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(p.kind==="connect_required")throw YO({context:e.context,payload:p.payload,routeBinding:r}),KO(p.payload);return WO({context:e.context,credential:p.credential,routeBinding:r}),p.credential})();return t.set(n,i),i}}o(e$,"createCredentialResolver");var M_=500;function t$(e){return e.length<=M_?e:`${e.slice(0,M_)}...`}o(t$,"truncateAnalyticsDetail");function r$(e){Qe(e.context,{eventType:Z.MCP_GATEWAY_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0})}o(r$,"emitToolInvocationCompletedAnalyticsEvent");function n$(e){return e instanceof sr||e instanceof Ua?{eventType:Z.MCP_GATEWAY_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof A&&e.code===E.InvalidParams?{eventType:Z.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:Z.MCP_GATEWAY_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(n$,"classifyToolInvocationFailure");function o$(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=n$(e.error);Qe(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,attributes:{detail:t$(t)}})}o(o$,"emitToolInvocationFailedAnalyticsEvent");var a$=256*1024;function i$(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new A(E.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>a$)throw new A(E.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(i$,"assertToolArgumentsWithinLimit");function up(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new A(E.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o(up,"findBindingForPublishedCapability");function un(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new A(E.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(un,"requireSingleTransparentBinding");function s$(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:un(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new A(E.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:up({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(s$,"resolvePublishedToolRoute");function c$(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:un(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new A(E.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:up({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(c$,"resolvePublishedPromptRoute");function u$(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:un(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new A(E.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:up({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(u$,"resolvePublishedResourceRoute");function N_(e){let t=XO({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=e$({context:e.context,preloadedConnections:t,request:e.request});return{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{tools:e.publishedVirtualServer.catalog.tools.filter(a=>a.enabled!==!1).map(Ci)};let n=un(e);return k_({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async callTool(n){let a=s$({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:n.name});try{i$(n);let i=await r(a.binding),s=await O_({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:i});return r$({context:e.context,routeBinding:a.binding,toolName:n.name,result:s}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,isError:s.isError===!0},"Upstream tool invocation completed"),s}catch(i){if(o$({context:e.context,routeBinding:a.binding,toolName:n.name,error:i}),i instanceof sr||i instanceof Ua)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:n.name,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId,ownerMode:a.binding.ownerMode,hasAuthUrl:i instanceof sr},"Upstream tool invocation requires user to complete a connect flow"),i;let s={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:n.name,upstreamName:a.upstreamName,upstreamServerId:a.binding.upstreamServerId,authProfileId:a.binding.authProfileId};return i instanceof A&&(s.mcpErrorCode=i.code),i instanceof Error?(s.errorName=i.name,s.errorMessage=i.message,i.cause instanceof Error&&(s.causeName=i.cause.name,s.causeMessage=i.cause.message)):s.errorMessage=String(i),e.context.log.warn(s,"Upstream tool invocation failed; returning generic gateway error to MCP client"),ZO(Ke("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{prompts:e.publishedVirtualServer.catalog.prompts.filter(a=>a.enabled!==!1).map(Ii)};let n=un(e);return T_({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async getPrompt(n){let a=c$({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:n.name});return $_({upstreamServerId:a.binding.upstreamServerId,params:{...n,name:a.upstreamName},credential:await r(a.binding)})},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resources:e.publishedVirtualServer.catalog.resources.filter(a=>a.enabled!==!1).map(Pi)};let n=un(e);return E_({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async listResourceTemplates(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resourceTemplates:[]};let n=un(e);return U_({upstreamServerId:n.upstreamServerId,credential:await r(n)})},async readResource(n){let a=u$({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:n.uri});return z_({upstreamServerId:a.binding.upstreamServerId,params:{...n,uri:a.upstreamUri},credential:await r(a.binding)})}}}o(N_,"createCapabilityDispatcher");var d$="0.1.0",D_="POST",l$="POST, OPTIONS",p$=new so({draft:"7",shortcircuit:!1});function dp(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:D_}})}o(dp,"jsonRpcMethodNotAllowedResponse");function m$(e){let t={Allow:D_},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=l$;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(m$,"buildOptionsResponse");function dn(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o(dn,"readJsonRpcRequestId");function Ds(e){return e&&typeof e=="object"?e.params:void 0}o(Ds,"readMcpRequestParams");function j_(e,t){return e.headers.get(t)??void 0}o(j_,"readMcpHeader");function f$(e){return{mcpProtocolVersion:j_(e,"mcp-protocol-version")??zr,mcpSessionId:j_(e,"mcp-session-id")}}o(f$,"buildServerTelemetryBase");function h$(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",zr),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(h$,"ensureProtocolVersionHeader");async function lp(e,t){if(e.method==="OPTIONS")return m$(e);if(e.method==="GET")return dp("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return dp("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return dp("Only POST is supported by this virtual MCP server.");let r=bn(t),n=qr(r.virtualServerId),a=Di(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=f$(e),s=N_({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),c=ie(e.url),d=new As({enableDnsRebindingProtection:!0,allowedOrigins:[c]}),p=new xs(n.catalog.serverInfo??{name:r.virtualServerId,version:d$},{capabilities:{prompts:{},resources:{},tools:{}},jsonSchemaValidator:p$});p.setRequestHandler(wu,async m=>Ar({methodName:"tools/list",params:Ds(m),jsonRpcRequestId:dn(m),...i},()=>s.listTools())),p.setRequestHandler(Mo,async m=>Ar({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:dn(m),...i},()=>s.callTool(m.params))),p.setRequestHandler(lu,async m=>Ar({methodName:"prompts/list",params:Ds(m),jsonRpcRequestId:dn(m),...i},()=>s.listPrompts())),p.setRequestHandler(mu,async m=>Ar({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:dn(m),...i},()=>s.getPrompt(m.params))),p.setRequestHandler(nu,async m=>Ar({methodName:"resources/list",params:Ds(m),jsonRpcRequestId:dn(m),...i},()=>s.listResources())),p.setRequestHandler(au,async m=>Ar({methodName:"resources/templates/list",params:Ds(m),jsonRpcRequestId:dn(m),...i},()=>s.listResourceTemplates())),p.setRequestHandler(cu,async m=>Ar({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:dn(m),...i},()=>s.readResource(m.params))),await p.connect(d);let l=await d.handleRequest(e);return h$(l)}o(lp,"virtualServerHandler");async function g$(e,t){return Ct("handler.mcp-virtual-server"),lp(e,t)}o(g$,"McpVirtualServerHandler");function y$(e){let t=xt(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(y$,"buildRouteAuthBaseFromConnection");function L_(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=xt(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:zn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(L_,"buildRouteAuthBaseFromPolicyOptions");function B_(e,t){let n=St().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return y$({connection:a,virtualServerId:t})}o(B_,"resolveRouteAuthBase");function H_(e,t){switch(e){case"user":return ir(t.subjectId);case"shared":return oi()}}o(H_,"buildOwnerForPrincipal");function Hs(e,t){switch(e.ownerMode){case"shared":return{...e,owner:H_(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:H_(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(Hs,"resolveRouteAuthForPrincipal");function S$(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return Ka.parse(r)}o(S$,"readSingleAuthMode");async function pp(e,t,r,n){let a=S$({policyName:n,connection:r}),i=bn(t),s=L_({connection:r,virtualServerId:i.virtualServerId,authMode:a});if(s.ownerMode==="none")return cd(t,{...s,connectionPolicyName:n}),e;let c=Rm(t);return cd(t,{...Hs(s,c),connectionPolicyName:n}),e}o(pp,"mcpUpstreamConnectionPolicy");var mp=class extends wn{static{o(this,"McpUpstreamConnectionInboundPolicy")}#t;constructor(t,r){let n=Ri(t,r);super(n,r),this.#t=n}async handler(t,r){return Ct("policy.inbound.mcp-upstream-connection"),pp(t,r,this.#t,this.policyName)}};ae();var G_="application/json",_$="application/x-www-form-urlencoded";function w$(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(w$,"normalizeContentType");function v$(e,t){return e===t?!0:t===G_&&e.endsWith("+json")}o(v$,"contentTypeMatches");function b$(e,t){if(!t||t.length===0)return;let r=w$(e.headers.get("content-type"));if(!t.some(n=>v$(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(b$,"assertExpectedContentType");function R$(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(R$,"assertContentLengthWithinLimit");async function V_(e,t){let r=t.label??"Request body";b$(e,t.expectedContentTypes),R$(e,t.maxBytes,r);let n=await Ai(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(V_,"readBoundedTextBody");async function F_(e,t){let r=await V_(e,{...t,expectedContentTypes:[G_]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(F_,"readBoundedJsonBody");async function Ls(e,t){let r=await V_(e,{...t,expectedContentTypes:[_$]});return new URLSearchParams(r)}o(Ls,"readBoundedFormUrlEncodedBody");var Z_=Symbol("Html");function C$(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(C$,"escapeHtml");function I$(e){return e===null||typeof e!="object"?!1:e[Z_]===!0}o(I$,"isHtml");function K_(e){return e==null||e===!1?"":Array.isArray(e)?e.map(K_).join(""):I$(e)?e.value:C$(String(e))}o(K_,"renderValue");function er(e){return{[Z_]:!0,value:e}}o(er,"trustedHtml");var Oa=er("");function ce(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=K_(t[n]),r+=e[n+1]??"";return er(r)}o(ce,"html");function Tr(e){return e.value}o(Tr,"renderHtml");var tr=er('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function rr(e){return ce`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
+`&&n++}}return[t,r]}o(mO,"splitLines");var zs=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=bv({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var fO={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},kr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},Ms=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=wv(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??fO}async _authThenStart(){if(!this._authProvider)throw new Ft("No auth provider");let t;try{t=await hr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new Ft;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=Os(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new kr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,c=!1,d=!1;o(async()=>{try{let l=t.pipeThrough(new TextDecoderStream).pipeThrough(new zs({onRetry:o(y=>{this._serverRetryMs=y},"onRetry")})).getReader();for(;;){let{value:y,done:v}=await l.read();if(v)break;if(y.id&&(s=y.id,c=!0,a?.(y.id)),!!y.data&&(!y.event||y.event==="message"))try{let S=Dr.parse(JSON.parse(y.data));gt(S)&&(d=!0,i!==void 0&&(S.id=i)),this.onmessage?.(S)}catch(S){this.onerror?.(S)}}(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(l){if(this.onerror?.(new Error(`SSE stream disconnected: ${l}`)),(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(y){this.onerror?.(new Error(`Failed to reconnect: ${y instanceof Error?y.message:String(y)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new Ft("No auth provider");if(await hr(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:It(t)?t.id:void 0}).catch(h=>this.onerror?.(h));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},c=await(this._fetch??fetch)(this._url,s),d=c.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!c.ok){let h=await c.text().catch(()=>null);if(c.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new kr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:y,scope:v}=nd(c);if(this._resourceMetadataUrl=y,this._scope=v,await hr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new Ft;return this._hasCompletedAuthFlow=!0,this.send(t)}if(c.status===403&&this._authProvider){let{resourceMetadataUrl:y,scope:v,error:S}=nd(c);if(S==="insufficient_scope"){let _=c.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===_)throw new kr(403,"Server returned 403 after trying upscoping");if(v&&(this._scope=v),y&&(this._resourceMetadataUrl=y),this._lastUpscopingHeader=_??void 0,await hr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new Ft;return this.send(t)}}throw new kr(c.status,`Error POSTing to endpoint: ${h}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,c.status===202){await c.body?.cancel(),Nf(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(h=>this.onerror?.(h));return}let l=(Array.isArray(t)?t:[t]).filter(h=>"method"in h&&"id"in h&&h.id!==void 0).length>0,m=c.headers.get("content-type");if(l)if(m?.includes("text/event-stream"))this._handleSseStream(c.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let h=await c.json(),y=Array.isArray(h)?h.map(v=>Dr.parse(v)):[Dr.parse(h)];for(let v of y)this.onmessage?.(v)}else throw await c.body?.cancel(),new kr(-1,`Unexpected content type: ${m}`);else await c.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new kr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function Rv(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(Rv,"resolveNativeMcpRequestHeaders");var hO={name:"zuplo-mcp-gateway",version:"0.1.0"},gO=new io({draft:"7",shortcircuit:!1}),yO=5,SO=500,Pv=3e4,vO=2*1024*1024,_O=2;function Cv(){return performance.now()/1e3}o(Cv,"nowSeconds");function wO(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(wO,"readServerPort");function bO(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:wO(e)}}o(bO,"buildNativeMcpOperationContext");function an(e){return vv(e)}o(an,"withTraceMeta");function qs(e){if(e>SO)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(qs,"assertImportedCapabilityBudget");function Iv(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(Iv,"buildRequestInit");function RO(e){return(t,r)=>Mn(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:_O,maxResponseBytes:vO,problemCode:"upstream_capability_invocation_failed",timeoutMs:Pv})}o(RO,"createNativeMcpFetch");function CO(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},Pv);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(CO,"withNativeMcpRequestTimeout");function IO(e,t=[]){let r=Rv(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:RO(a)};if(!e)return{...i,...Iv(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...Iv(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(IO,"buildNativeMcpTransportOptions");async function sn(e,t,r){let{transport:n}=De(e),a=new URL(n.baseUrl),i=new Ms(a,IO(r,n.requestHeaders)),s=new Us(hO,{capabilities:{},jsonSchemaValidator:gO});return CO((async()=>{let c=Cv();await s.connect(i);let d=i.sessionId,p=bO(a,d);try{return await t(s,p)}finally{if(i.sessionId)try{await i.terminateSession()}catch{}await s.close(),d&&_v(p,Cv()-c)}})())}o(sn,"withNativeMcpClient");async function PO(e,t,r){let n=[],a,i=0;do{if(i>=yO)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(PO,"collectPaginatedSdkItems");async function Ns(e){return e.enabled?PO(e.label,e.fetchPage,e.readItems):[]}o(Ns,"listNativeMcpCapabilityItems");async function xv(e){return sn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Pr({methodName:"tools/list",...r},()=>Ns({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(an(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return qs(a.length),{tools:a}},e.credential)}o(xv,"listNativeMcpTools");async function kv(e){return sn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Pr({methodName:"prompts/list",...r},()=>Ns({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(an(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return qs(a.length),{prompts:a}},e.credential)}o(kv,"listNativeMcpPrompts");async function Tv(e){return sn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Pr({methodName:"resources/list",...r},()=>Ns({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(an(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return qs(a.length),{resources:a}},e.credential)}o(Tv,"listNativeMcpResources");async function Av(e){return sn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Pr({methodName:"resources/templates/list",...r},()=>Ns({enabled:!!n?.resources,label:"Resource template list",fetchPage:o(i=>t.listResourceTemplates(an(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resourceTemplates,"readItems")}));return qs(a.length),{resourceTemplates:a}},e.credential)}o(Av,"listNativeMcpResourceTemplates");async function Ev(e){return sn(e.upstreamServerId,(t,r)=>Pr({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(an(e.params))),e.credential)}o(Ev,"callNativeMcpTool");async function Uv(e){return sn(e.upstreamServerId,(t,r)=>Pr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(an(e.params))),e.credential)}o(Uv,"getNativeMcpPrompt");async function Ov(e){return sn(e.upstreamServerId,(t,r)=>Pr({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(an(e.params))),e.credential)}o(Ov,"readNativeMcpResource");var so=class extends x{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(E.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}};function xO(e){return{content:[{type:"text",text:e}],isError:!0}}o(xO,"buildToolErrorResult");function kO(e){return e.authUrl?new Ht([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new so(e)}o(kO,"toConnectRequiredError");function TO(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(TO,"buildCredentialResolvedAttributes");function AO(e){V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:TO(e.credential)})}o(AO,"emitCredentialResolvedAnalyticsEvent");function EO(e){if(V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}}),e.payload.state==="reconsent_required")V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}});else{let t=UO(e.payload.state);V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:t,reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}}o(EO,"emitCredentialMissingAnalyticsEvent");function UO(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required";default:{let t=e;return"connect_required"}}}o(UO,"connectRequiredReasonCode");function OO(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):qr({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(OO,"readRouteBindingCredentialCacheKey");function Nv(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(Nv,"readOwnedRouteBindingLookup");async function $O(e){let t=Gc(e.request);if(!t)return new Map;let r=new Map;for(let s of e.routeBindings){let c=Nv(s);c!==void 0&&r.set(qr(c),c)}if(r.size===0)return new Map;let n=[...r.values()],a=await K().authorizeAndLoadConnections({accessTokenHash:await le(t),resource:zr(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:n,now:re(new Date)});if(a.kind!=="authorized")return new Map;let i=new Map;return a.upstreamConnections.forEach((s,c)=>{let d=n[c];d!==void 0&&i.set(qr(d),s.connection)}),i}o($O,"preloadCompositeAuthorizedConnections");function zO(e){let t=new Map;return r=>{let n=OO(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,c=Nv(r),d=c===void 0?void 0:qr(c),p=await Ni({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(p.kind==="connect_required")throw EO({context:e.context,payload:p.payload,routeBinding:r}),kO(p.payload);return AO({context:e.context,credential:p.credential,routeBinding:r}),p.credential})();return t.set(n,i),i}}o(zO,"createCredentialResolver");var $v=500;function dp(e){return e.length<=$v?e:`${e.slice(0,$v)}...`}o(dp,"truncateAnalyticsDetail");function MO(e){V(e.context,{eventType:B.MCP_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0,latencyMs:e.latencyMs})}o(MO,"emitToolInvocationCompletedAnalyticsEvent");function up(e){V(e.context,{eventType:B.MCP_CAPABILITY_INVOKED,outcome:"success",routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType})}o(up,"emitCapabilityInvokedAnalyticsEvent");function zv(e){let t={};typeof e.itemCount=="number"&&(t.itemCount=e.itemCount),e.errorDetail!==void 0&&(t.detail=dp(e.errorDetail)),V(e.context,{eventType:B.MCP_CAPABILITY_LISTED,outcome:e.outcome,...e.routeBinding?{routeBinding:e.routeBinding}:{},...e.virtualServerName?{virtualServerName:e.virtualServerName}:{},mcpMethod:e.mcpMethod,capabilityType:e.capabilityType,latencyMs:e.latencyMs,...e.reasonCode?{reasonCode:e.reasonCode}:{},...e.reasonClass?{reasonClass:e.reasonClass}:{},...e.errorType?{errorType:e.errorType}:{},attributes:t})}o(zv,"emitCapabilityListedAnalyticsEvent");function Mv(e){V(e.context,{eventType:B.MCP_CAPABILITY_COMPLETED,outcome:"success",routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType,latencyMs:e.latencyMs})}o(Mv,"emitCapabilityCompletedAnalyticsEvent");function qv(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=e.error instanceof Ht||e.error instanceof so,n=e.error instanceof x&&e.error.code===E.InvalidParams,a=r?B.MCP_CAPABILITY_CONNECT_REQUIRED:B.MCP_CAPABILITY_FAILED,i=r?"connect_required":"failure",s=r?"connect_required":n?"invalid_capability_arguments":"upstream_capability_invocation_failed",c=r?"auth":n?"client":"upstream";V(e.context,{eventType:a,outcome:i,routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType,reasonCode:s,reasonClass:c,errorType:r?"connect_required":"capability_error",...n?{mcpErrorType:"InvalidParams"}:{},latencyMs:e.latencyMs,attributes:{detail:dp(t)}})}o(qv,"emitCapabilityFailedAnalyticsEvent");function qO(e){return e instanceof Ht||e instanceof so?{eventType:B.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof x&&e.code===E.InvalidParams?{eventType:B.MCP_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:B.MCP_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(qO,"classifyToolInvocationFailure");function NO(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=qO(e.error);V(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,latencyMs:e.latencyMs,attributes:{detail:dp(t)}})}o(NO,"emitToolInvocationFailedAnalyticsEvent");var DO=256*1024;function jO(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new x(E.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>DO)throw new x(E.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(jO,"assertToolArgumentsWithinLimit");function lp(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new x(E.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o(lp,"findBindingForPublishedCapability");function cn(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new x(E.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(cn,"requireSingleTransparentBinding");function HO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:cn(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new x(E.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:lp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(HO,"resolvePublishedToolRoute");function LO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:cn(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new x(E.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:lp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(LO,"resolvePublishedPromptRoute");function BO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:cn(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new x(E.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:lp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(BO,"resolvePublishedResourceRoute");function Dv(e){let t=$O({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=zO({context:e.context,preloadedConnections:t,request:e.request}),n=e.publishedVirtualServer.virtualServerId;async function a(i){let s=Date.now();try{let c=await i.invoke();return zv({context:e.context,routeBinding:i.routeBinding,virtualServerName:n,capabilityType:i.capabilityType,mcpMethod:i.mcpMethod,outcome:"success",itemCount:i.countItems(c),latencyMs:Date.now()-s}),c}catch(c){let d=c instanceof Error?c.message:String(c);throw zv({context:e.context,routeBinding:i.routeBinding,virtualServerName:n,capabilityType:i.capabilityType,mcpMethod:i.mcpMethod,outcome:"failure",latencyMs:Date.now()-s,reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorDetail:d}),c}}return o(a,"listCapability"),{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return a({capabilityType:"tool",mcpMethod:"tools/list",invoke:o(async()=>({tools:e.publishedVirtualServer.catalog.tools.filter(s=>s.enabled!==!1).map(Ri)}),"invoke"),countItems:o(s=>s.tools.length,"countItems")});let i=cn(e);return a({capabilityType:"tool",mcpMethod:"tools/list",routeBinding:i,invoke:o(async()=>xv({upstreamServerId:i.upstreamServerId,credential:await r(i)}),"invoke"),countItems:o(s=>s.tools.length,"countItems")})},async callTool(i){let s=HO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:i.name});up({context:e.context,routeBinding:s.binding,capabilityType:"tool",capabilityName:i.name,mcpMethod:"tools/call"});let c=Date.now();try{jO(i);let d=await r(s.binding),p=await Ev({upstreamServerId:s.binding.upstreamServerId,params:{...i,name:s.upstreamName},credential:d});return MO({context:e.context,routeBinding:s.binding,toolName:i.name,result:p,latencyMs:Date.now()-c}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:i.name,upstreamName:s.upstreamName,upstreamServerId:s.binding.upstreamServerId,authProfileId:s.binding.authProfileId,isError:p.isError===!0},"Upstream tool invocation completed"),p}catch(d){if(NO({context:e.context,routeBinding:s.binding,toolName:i.name,error:d,latencyMs:Date.now()-c}),d instanceof Ht||d instanceof so)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:i.name,upstreamServerId:s.binding.upstreamServerId,authProfileId:s.binding.authProfileId,ownerMode:s.binding.ownerMode,hasAuthUrl:d instanceof Ht},"Upstream tool invocation requires user to complete a connect flow"),d;let p={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:i.name,upstreamName:s.upstreamName,upstreamServerId:s.binding.upstreamServerId,authProfileId:s.binding.authProfileId};return d instanceof x&&(p.mcpErrorCode=d.code),d instanceof Error?(p.errorName=d.name,p.errorMessage=d.message,d.cause instanceof Error&&(p.causeName=d.cause.name,p.causeMessage=d.cause.message)):p.errorMessage=String(d),e.context.log.warn(p,"Upstream tool invocation failed; returning generic gateway error to MCP client"),xO(Ke("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return a({capabilityType:"prompt",mcpMethod:"prompts/list",invoke:o(async()=>({prompts:e.publishedVirtualServer.catalog.prompts.filter(s=>s.enabled!==!1).map(Ci)}),"invoke"),countItems:o(s=>s.prompts.length,"countItems")});let i=cn(e);return a({capabilityType:"prompt",mcpMethod:"prompts/list",routeBinding:i,invoke:o(async()=>kv({upstreamServerId:i.upstreamServerId,credential:await r(i)}),"invoke"),countItems:o(s=>s.prompts.length,"countItems")})},async getPrompt(i){let s=LO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:i.name});up({context:e.context,routeBinding:s.binding,capabilityType:"prompt",capabilityName:i.name,mcpMethod:"prompts/get"});let c=Date.now();try{let d=await Uv({upstreamServerId:s.binding.upstreamServerId,params:{...i,name:s.upstreamName},credential:await r(s.binding)});return Mv({context:e.context,routeBinding:s.binding,capabilityType:"prompt",capabilityName:i.name,mcpMethod:"prompts/get",latencyMs:Date.now()-c}),d}catch(d){throw qv({context:e.context,routeBinding:s.binding,capabilityType:"prompt",capabilityName:i.name,mcpMethod:"prompts/get",error:d,latencyMs:Date.now()-c}),d}},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return a({capabilityType:"resource",mcpMethod:"resources/list",invoke:o(async()=>({resources:e.publishedVirtualServer.catalog.resources.filter(s=>s.enabled!==!1).map(Ii)}),"invoke"),countItems:o(s=>s.resources.length,"countItems")});let i=cn(e);return a({capabilityType:"resource",mcpMethod:"resources/list",routeBinding:i,invoke:o(async()=>Tv({upstreamServerId:i.upstreamServerId,credential:await r(i)}),"invoke"),countItems:o(s=>s.resources.length,"countItems")})},async listResourceTemplates(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resourceTemplates:[]};let i=cn(e);return Av({upstreamServerId:i.upstreamServerId,credential:await r(i)})},async readResource(i){let s=BO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:i.uri});up({context:e.context,routeBinding:s.binding,capabilityType:"resource",capabilityName:i.uri,mcpMethod:"resources/read"});let c=Date.now();try{let d=await Ov({upstreamServerId:s.binding.upstreamServerId,params:{...i,uri:s.upstreamUri},credential:await r(s.binding)});return Mv({context:e.context,routeBinding:s.binding,capabilityType:"resource",capabilityName:i.uri,mcpMethod:"resources/read",latencyMs:Date.now()-c}),d}catch(d){throw qv({context:e.context,routeBinding:s.binding,capabilityType:"resource",capabilityName:i.uri,mcpMethod:"resources/read",error:d,latencyMs:Date.now()-c}),d}}}}o(Dv,"createCapabilityDispatcher");var GO="0.1.0",Hv="POST",VO="POST, OPTIONS",FO=new io({draft:"7",shortcircuit:!1});function pp(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:Hv}})}o(pp,"jsonRpcMethodNotAllowedResponse");function ZO(e){let t={Allow:Hv},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=VO;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(ZO,"buildOptionsResponse");function un(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o(un,"readJsonRpcRequestId");function Ds(e){return e&&typeof e=="object"?e.params:void 0}o(Ds,"readMcpRequestParams");function jv(e,t){return e.headers.get(t)??void 0}o(jv,"readMcpHeader");function KO(e){return{mcpProtocolVersion:jv(e,"mcp-protocol-version")??$r,mcpSessionId:jv(e,"mcp-session-id")}}o(KO,"buildServerTelemetryBase");function JO(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",$r),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(JO,"ensureProtocolVersionHeader");async function mp(e,t){if(e.method==="OPTIONS")return ZO(e);if(e.method==="GET")return pp("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return pp("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return pp("Only POST is supported by this virtual MCP server.");let r=wn(t),n=Mr(r.virtualServerId),a=Di(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=KO(e),s=Dv({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),c=ie(e.url),d=new xs({enableDnsRebindingProtection:!0,allowedOrigins:[c]}),p=new Ps(n.catalog.serverInfo??{name:r.virtualServerId,version:GO},{capabilities:{prompts:{},resources:{},tools:{}},jsonSchemaValidator:FO});p.setRequestHandler(_u,async m=>xr({methodName:"tools/list",params:Ds(m),jsonRpcRequestId:un(m),...i},()=>s.listTools())),p.setRequestHandler(Mo,async m=>xr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:un(m),...i},()=>s.callTool(m.params))),p.setRequestHandler(lu,async m=>xr({methodName:"prompts/list",params:Ds(m),jsonRpcRequestId:un(m),...i},()=>s.listPrompts())),p.setRequestHandler(mu,async m=>xr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:un(m),...i},()=>s.getPrompt(m.params))),p.setRequestHandler(nu,async m=>xr({methodName:"resources/list",params:Ds(m),jsonRpcRequestId:un(m),...i},()=>s.listResources())),p.setRequestHandler(au,async m=>xr({methodName:"resources/templates/list",params:Ds(m),jsonRpcRequestId:un(m),...i},()=>s.listResourceTemplates())),p.setRequestHandler(cu,async m=>xr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:un(m),...i},()=>s.readResource(m.params))),await p.connect(d);let l=await d.handleRequest(e);return JO(l)}o(mp,"virtualServerHandler");async function WO(e,t){return Rt("handler.mcp-virtual-server"),mp(e,t)}o(WO,"McpVirtualServerHandler");function YO(e){let t=Pt(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(YO,"buildRouteAuthBaseFromConnection");function Bv(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=Pt(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:$n(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(Bv,"buildRouteAuthBaseFromPolicyOptions");function Gv(e,t){let n=yt().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return YO({connection:a,virtualServerId:t})}o(Gv,"resolveRouteAuthBase");function Lv(e,t){switch(e){case"user":return ir(t.subjectId);case"shared":return ni()}}o(Lv,"buildOwnerForPrincipal");function js(e,t){switch(e.ownerMode){case"shared":return{...e,owner:Lv(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:Lv(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(js,"resolveRouteAuthForPrincipal");function QO(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return Za.parse(r)}o(QO,"readSingleAuthMode");async function fp(e,t,r,n){let a=QO({policyName:n,connection:r}),i=wn(t),s=Bv({connection:r,virtualServerId:i.virtualServerId,authMode:a});if(s.ownerMode==="none")return cd(t,{...s,connectionPolicyName:n}),e;let c=Pm(t);return cd(t,{...js(s,c),connectionPolicyName:n}),e}o(fp,"mcpUpstreamConnectionPolicy");var hp=class extends vn{static{o(this,"McpUpstreamConnectionInboundPolicy")}#t;constructor(t,r){let n=bi(t,r);super(n,r),this.#t=n}async handler(t,r){return Rt("policy.inbound.mcp-upstream-connection"),fp(t,r,this.#t,this.policyName)}};ae();var Vv="application/json",XO="application/x-www-form-urlencoded";function e$(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(e$,"normalizeContentType");function t$(e,t){return e===t?!0:t===Vv&&e.endsWith("+json")}o(t$,"contentTypeMatches");function r$(e,t){if(!t||t.length===0)return;let r=e$(e.headers.get("content-type"));if(!t.some(n=>t$(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(r$,"assertExpectedContentType");function n$(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(n$,"assertContentLengthWithinLimit");async function Fv(e,t){let r=t.label??"Request body";r$(e,t.expectedContentTypes),n$(e,t.maxBytes,r);let n=await xi(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(Fv,"readBoundedTextBody");async function Zv(e,t){let r=await Fv(e,{...t,expectedContentTypes:[Vv]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(Zv,"readBoundedJsonBody");async function Hs(e,t){let r=await Fv(e,{...t,expectedContentTypes:[XO]});return new URLSearchParams(r)}o(Hs,"readBoundedFormUrlEncodedBody");var Kv=Symbol("Html");function o$(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(o$,"escapeHtml");function a$(e){return e===null||typeof e!="object"?!1:e[Kv]===!0}o(a$,"isHtml");function Jv(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Jv).join(""):a$(e)?e.value:o$(String(e))}o(Jv,"renderValue");function er(e){return{[Kv]:!0,value:e}}o(er,"trustedHtml");var Ua=er("");function ce(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=Jv(t[n]),r+=e[n+1]??"";return er(r)}o(ce,"html");function Tr(e){return e.value}o(Tr,"renderHtml");var tr=er('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function rr(e){return ce`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
       ${e.styles}
-    </style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}o(rr,"renderShell");var fp="zuplo.com";function J_(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}o(J_,"s2FaviconHref");function P$(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}o(P$,"strictFaviconHref");var ln=J_(fp);function pn(e){let t=e.toLowerCase();return t===fp||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?J_(fp):P$(e)}o(pn,"resolveIconHref");function mn(e){return ce`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}o(mn,"renderShellIcon");function W_(e){return ce`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}o(W_,"renderActions");var B5=er('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function Y_(){return ce`<p>The API key could not be verified. Start the authorization flow again to try
-  once more.</p>`}o(Y_,"renderApiKeyLoginFailure");function Q_(e){return ce`<form class="form" method="post" action="/oauth/api-key-login" autocomplete="off" ><input type="hidden" name="state" value="${e.state}" /><label class="form__label" for="apiKey">API key</label><input class="form__input" id="apiKey" name="apiKey" type="password" required autocomplete="off" /><button class="button button--primary button--block form__submit" type="submit" >Continue</button></form>`}o(Q_,"renderApiKeyLoginForm");var G5=er('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),V5=er('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var F5=er('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var x$="text/html; charset=utf-8";function X_(e,t=200){return new Response(Tr(e),{status:t,headers:{"content-type":x$,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(X_,"apiKeyLoginHtmlResponse");function hp(e,t=401){let r=pn(e);return X_(rr({title:"Sign-in failed",iconHref:r,styles:tr,headerIcon:mn({iconHref:r,fallbackIconHref:ln}),heading:"Sign-in failed",subhead:"",body:Y_(),footer:""}),t)}o(hp,"apiKeyLoginFailureResponse");function ew(e,t){let r=pn(e);return X_(rr({title:"Sign in",iconHref:r,styles:tr,headerIcon:mn({iconHref:r,fallbackIconHref:ln}),heading:"Sign in",subhead:ce`<p class="card__subtitle">Enter your API key to continue.</p>`,body:Q_({state:t}),footer:""}))}o(ew,"renderApiKeyLoginForm");ae();ae();import{errors as lw,jwtVerify as pw,SignJWT as mw}from"jose";ae();import{errors as j$,jwtVerify as D$,SignJWT as H$}from"jose";function Er(e){let t=Pe().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(Er,"requireBrowserLoginField");ae();import{createRemoteJWKSet as k$,errors as $a,jwtVerify as T$}from"jose";var E$=u.object({id_token:u.string().min(1),token_type:u.string().min(1).optional(),expires_in:u.number().optional(),access_token:u.string().min(1).optional(),refresh_token:u.string().min(1).optional(),scope:u.string().min(1).optional()}),U$=u.object({error:u.string().min(1).optional(),error_description:u.string().min(1).optional(),error_uri:u.string().min(1).optional()});function O$(e){let t=U$.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(O$,"readIdpErrorFields");function $$(e){return e instanceof $a.JWTExpired?"expired":e instanceof $a.JWTClaimValidationFailed?"claim":e instanceof $a.JWSSignatureVerificationFailed?"signature":e instanceof $a.JWKSNoMatchingKey?"jwks_no_match":e instanceof $a.JWTInvalid?"invalid":e instanceof u.ZodError?"schema":"other"}o($$,"readJwtFailureKind");var z$=u.object({sub:_e,nonce:u.string().min(1)}).catchall(u.unknown()),gp;function M$(e){return e instanceof Error&&"cause"in e?e.cause:e}o(M$,"readErrorCause");function q$(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(q$,"readRuntimeGatewayCode");function N$(){if(!gp){let e=Pe();gp=k$(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return gp}o(N$,"readFederatedJwks");async function tw(e){let t=Pe(),r=Er("tokenUrl"),n=Er("clientId"),a=Er("clientSecret"),i=new URL("/oauth/callback",gt(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:c,json:d}=await mh(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!c.ok){let h=O$(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:ct(r),idpStatus:c.status,...h},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${h.idpError?` idp_error=${h.idpError}`:""}${h.idpErrorDescription?` idp_error_description=${h.idpErrorDescription}`:""})`)})}let p=E$.parse(d),l;try{({payload:l}=await T$(p.id_token,N$(),{issuer:t.oidc.issuer,audience:n}))}catch(h){let y={};throw Ye(y,"error",h),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:$$(h),idpHost:ct(r),expectedIssuer:t.oidc.issuer,...y},"Federated id_token failed jose verification"),h}if(l.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:ct(r),nonceMissingFromIdToken:l.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=z$.parse(l);return Cn({sub:m.sub,data:m},e.requestUrl)}catch(c){let d=ge(c)??q$(c);throw d!==void 0&&d!=="browser_login_verification_failed"?c:g("browser_login_verification_failed","Federated browser login callback could not be verified.",M$(c))}}o(tw,"exchangeFederatedAuthorizationCode");var Sp="zuplo_mcp_session",rw="HS256",nw="zuplo-mcp-gateway",ow="zuplo-mcp-gateway",L$=u.object({purpose:u.literal("gateway_browser_session"),sub:_e,browserLoginOrigin:u.string().min(1),roles:u.array(u.string().min(1)).optional(),exp:u.number().int().positive(),iat:u.number().int().positive().optional()});function B$(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(B$,"parseCookieHeader");async function aw(){return At({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>fr(e,"browser-session"),"derive")})}o(aw,"getBrowserSessionKey");function yp(e){let t=new URL(ie(e)),r=[`${Sp}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(yp,"buildBrowserSessionEvictionCookie");function G$(e){let t=new URL(ie(e.requestUrl)),r=[`${Sp}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(G$,"serializeSessionCookie");function iw(e={}){return new URL(Er("url")).origin}o(iw,"readBrowserLoginOrigin");function _p(){return Pe().browserLogin.stateTtlSeconds}o(_p,"readBrowserLoginStateTtlSeconds");function sw(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Cn(e.user,e.url)}o(sw,"resolveCurrentRequestPrincipal");async function Bs(e,t={}){let r=B$(e.headers.get("cookie")).get(Sp);if(!r)return{};try{let{payload:n}=await D$(r,await aw(),{algorithms:[rw],issuer:nw,audience:ow}),a=L$.parse(n);if(a.browserLoginOrigin!==iw(t))return{evictCookie:yp(e.url)};let i={subjectId:a.sub};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof j$.JWTExpired?{evictCookie:yp(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:yp(e.url)})}}o(Bs,"readBrowserSession");async function za(e){let t=Pe().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:iw({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new H$(r).setProtectedHeader({alg:rw,typ:"JWT"}).setIssuer(nw).setAudience(ow).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await aw());return G$({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(za,"createBrowserSessionCookie");async function cw(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(cw,"resolveApiKeyBrowserLoginPrincipal");async function uw(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Bs(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return tw({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(uw,"resolveBrowserLoginCallbackPrincipal");function dw(e){let t=Pe().browserLogin,r=new URL(Er("url")),n=new URL("/oauth/callback",gt(e.requestUrl));return ym(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",Er("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(dw,"buildBrowserLoginUrl");var V$={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},B=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=V$[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};var F$=5*60,Gs="HS256",Vs="zuplo-mcp-gateway",Fs="zuplo-mcp-gateway",Z$=u.object({purpose:u.literal("gateway_browser_login"),transactionId:ut,stateId:Xa,exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),K$=u.object({purpose:u.literal("gateway_authorization_setup"),transactionId:ut,stateId:Xa,exp:u.number().int().positive(),iat:u.number().int().positive().optional()});async function fw(){return At({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>fr(e,"browser-login"),"derive")})}o(fw,"getBrowserLoginKey");async function hw(){return At({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>fr(e,"authorization-csrf"),"derive")})}o(hw,"getCsrfKey");function gw(e){return{now:e.now??new Date,ttlSeconds:_p()}}o(gw,"readPendingTransactionDependencies");function J$(e,t){return e.subjectId===t.subjectId}o(J$,"principalsMatch");function yw(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}o(yw,"toPendingPrincipal");function Sw(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:re(e.now),expiresAt:re(Dt(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:yw(e.principal)}}o(Sw,"createTransactionRecord");async function _w(e){let{id:t,...r}=e.record,n=await K().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(n.kind){case"started":return n.transaction;case"already_exists":throw g("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new B("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new B("invalid_request","redirect_uri is not registered for the client.")}}o(_w,"startPendingTransaction");async function W$(e){return new mw({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:Gs,typ:"JWT"}).setIssuer(Vs).setAudience(Fs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await fw())}o(W$,"signBrowserLoginState");async function ww(e){return new mw({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Ic()}).setProtectedHeader({alg:Gs,typ:"JWT"}).setIssuer(Vs).setAudience(Fs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await hw())}o(ww,"signCsrfToken");async function Zs(e){try{let{payload:t}=await pw(e,await fw(),{algorithms:[Gs],issuer:Vs,audience:Fs}),r=Z$.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof lw.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(Zs,"verifyBrowserLoginStateToken");async function wp(e){try{let{payload:t}=await pw(e,await hw(),{algorithms:[Gs],issuer:Vs,audience:Fs});return{transactionId:K$.parse(t).transactionId}}catch(t){throw t instanceof lw.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(wp,"verifyCsrfToken");function Ks(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(Ks,"pendingStateErrorCode");function vw(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}o(vw,"toPendingAuthorizationGetResult");function Y$(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}o(Y$,"toPendingAuthorizationAdvanceResult");function bw(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Ks(e==="consumed_already"?"consumed_already":e)}o(bw,"setupDecisionErrorCode");function Q$(e){if(e.kind!=="available")throw g(Ks(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(Q$,"requireAwaitingSetup");function X$(e){if(e.kind!=="available")throw g(Ks(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(X$,"requireAwaitingLogin");function ez(e){if(!J$(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(ez,"requireCurrentPrincipalMatches");async function Rw(e){let t=e.now??new Date,r=_p(),n=Cc(),a=Ic(),i=await W$({transactionId:n,stateId:a,ttlSeconds:r}),s=Sw({id:n,transaction:e.transaction,currentStateHash:await le(i),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await _w({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:c,browserLoginStateToken:i,browserLoginUrl:dw({state:i,nonce:a,virtualServerId:s.virtualServerId,requestUrl:e.requestUrl})}}o(Rw,"startAwaitingLogin");async function Cw(e){let{now:t,ttlSeconds:r}=gw(e),n=Cc(),a=await ww({transactionId:n,ttlSeconds:r}),i=Sw({id:n,transaction:e.transaction,currentStateHash:await le(a),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(i.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await _w({record:i,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:a}}o(Cw,"startAwaitingSetup");async function vp(e){let{now:t,ttlSeconds:r}=gw(e),n=await Zs(e.browserLoginStateToken),a=await ww({transactionId:n.transactionId,ttlSeconds:r}),i=Y$(await K().advancePendingAuthorization({transactionId:n.transactionId,expectedPhase:"awaiting_login",currentStateHash:await le(e.browserLoginStateToken),nextStateHash:await le(a),nextPhase:"awaiting_setup",principal:yw(e.principal),now:re(t)}));if(i.kind!=="advanced")throw g(Ks(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:a}}o(vp,"completeLogin");async function Iw(e){let t=e.now??new Date,r=await Zs(e.browserLoginStateToken);return X$(vw(await K().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await le(e.browserLoginStateToken),now:re(t)})))}o(Iw,"getAwaitingLogin");async function Pw(e){let t=await bp(e);return ez({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(Pw,"getSetup");async function bp(e){let t=e.now??new Date,r=await wp(e.csrfToken);return Q$(vw(await K().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await le(e.csrfToken),now:re(t)})))}o(bp,"getSetupTransaction");async function tz(e){let t=await wp(e.csrfToken),r=Ht(),n=re(Dt(e.now,F$)),a=await K().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await le(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await le(r),authorizationCodeExpiresAt:n,grantId:hm(),now:re(e.now)});if(a.kind!=="approved")throw g(a.kind==="cancelled"?"oauth_state_invalid":bw(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(tz,"createAuthorizationCodeRedirectWithDecision");async function rz(e){let t=await wp(e.csrfToken),r=await K().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await le(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:re(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":bw(r.kind),"Authorization setup state is invalid, expired, or already used.");return nz({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(rz,"createCancelRedirectWithDecision");function nz(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(nz,"buildClientCancelRedirect");async function xw(e){let t=e.now??new Date;return tz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}o(xw,"approve");async function Aw(e){let t=e.now??new Date;return rz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}o(Aw,"cancel");ae();var oz=1e4,az=5*1024,iz=2,sz=90*24*60*60,Rp=["authorization_code","refresh_token"],Cp=["code"],cz=u.object({client_name:u.string().min(1).optional(),redirect_uris:u.array(u.string().min(1)).min(1),grant_types:u.array(u.enum(Rp)).min(1).max(2).optional(),response_types:u.array(u.enum(Cp)).min(1).max(1).optional(),scope:u.literal(Se).optional(),token_endpoint_auth_method:wc.default("none")});function uz(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(uz,"isCimdClientIdCandidate");function Ma(e,t="invalid_request"){if(dz(e))throw new B(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new B(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new B(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||qe(r)))throw new B(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(Ma,"assertValidRedirectUri");function dz(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(dz,"hasForbiddenRawRedirectUriCharacter");async function lz(e){let{response:t,json:r}=await fh(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:iz,maxResponseBytes:az,timeoutMs:oz});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=fm.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(lz,"fetchCimdMetadata");async function pz(e){let t=xi(e),r=await lz({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(pz,"resolveCimdClient");async function kw(e,t){let r=Ne.parse(e);if(uz(r)){if(!Pe().gateway.cimdEnabled)throw new B("invalid_client","OAuth client is not registered.");try{return await pz(r)}catch{throw new B("invalid_client","OAuth client is not registered.")}}let n=await K().readClient({clientId:r});if(n.kind==="found"){let a=n.client,i={kind:"dcr",clientId:r,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new B("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(kw,"resolveClient");function Tw(e,t){if(!e.metadata.redirect_uris.some(r=>gm(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(Tw,"assertRedirectRegistered");function mz(e){let t=Ew(e.grant_types),r=e.response_types??[...Cp];if(!fz(t))throw new B("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!hz(r))throw new B("invalid_client_metadata","response_types must be code.");if(!gz(e.scope))throw new B("invalid_client_metadata",`Only the ${Se} scope is supported.`)}o(mz,"assertSupportedDcrRequest");function Ew(e){return e===void 0?[...Rp]:Array.from(new Set(e))}o(Ew,"normalizeGrantTypes");function fz(e){return e.length===0?!1:e.every(t=>Rp.includes(t))}o(fz,"isSupportedGrantTypes");function hz(e){return e.length===Cp.length&&e[0]==="code"}o(hz,"isSupportedResponseTypes");function gz(e){return e===void 0||e===Se}o(gz,"isSupportedDcrScope");function qa(e){if(e===void 0||e===Se)return Se;throw new B("invalid_request",`Only the ${Se} scope is supported.`)}o(qa,"assertSupportedOAuthScope");function co(e,t){let r;try{r=new URL(t)}catch{throw new B("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new B("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!qe(r))throw new B("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=ie(e),a=ih(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new B("invalid_target","resource must match a published virtual MCP server.");return i}o(co,"resolveResource");async function Uw(e){let t;try{t=cz.parse(e)}catch(l){if(l instanceof u.ZodError){let m=l.issues.some(h=>h.path[0]==="redirect_uris");throw new B(m?"invalid_redirect_uri":"invalid_client_metadata",l.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:l})}throw l}mz(t);for(let l of t.redirect_uris)Ma(l,"invalid_redirect_uri");let r=new Date,n=Ne.parse(`dcr:${crypto.randomUUID()}`),a=Dt(r,sz),i=Math.floor(r.getTime()/1e3),s=Math.floor(a.getTime()/1e3),c={client_id:n,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:Ew(t.grant_types),response_types:["code"],scope:Se,token_endpoint_auth_method:t.token_endpoint_auth_method,client_id_issued_at:i},d={clientId:n,clientName:String(c.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:t.token_endpoint_auth_method,createdAt:re(r),clientExpiresAt:re(a)};if(t.token_endpoint_auth_method!=="none"){let l=Ht();d.hashedClientSecret=await le(l),d.clientSecretExpiresAt=re(a),c.client_secret=l,c.client_secret_expires_at=s,c.client_secret_issued_at=i}if((await K().registerClient(d)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");return c}o(Uw,"registerDownstreamClient");var yz="data:,",Ow=ce`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,$w=ce`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function Sz(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(Sz,"safeGatewayConnectHref");function _z(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(_z,"deriveMode");function wz(e){return W_({state:e.state,submitOnceAttrs:Ow,authorizeAttrs:Oa})}o(wz,"renderActions");function Ip(e,t,r){for(let n of e){if(n.ownerMode!=="user"||n.status!==r)continue;let a=Sz(n.connectUrl,t);if(a)return a}}o(Ip,"firstUserConnectHref");function vz(e){let t=e.connectHref?ce`<a class="button button--primary" href="${e.connectHref}" ${$w}>Connect</a>`:ce`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return ce`<form class="actions" method="post" action="/oauth/setup" ${Ow}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}o(vz,"renderSetupActions");function bz(e){return e?ce`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${$w}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:Oa}o(bz,"renderReconnectAction");function Pp(e){let t=_z(e.upstreams),r=Ip(e.upstreams,e.gatewayOrigin,"not_connected"),n=Ip(e.upstreams,e.gatewayOrigin,"reconsent_required"),a=Ip(e.upstreams,e.gatewayOrigin,"active"),i=t==="setup"?r??n:void 0,s=ce`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.virtualServerDisplayName}</strong>' on your behalf?</p>`,c=t==="setup"?ce`<footer class="card__footer">${vz({state:e.state,connectHref:i})}</footer>`:ce`<footer class="card__footer">${bz(a)}${wz({state:e.state})}</footer>`;return Tr(rr({title:`Authorize access \xB7 ${e.virtualServerDisplayName}`,iconHref:yz,styles:tr,headerIcon:Oa,heading:"MCP Gateway",subhead:Oa,body:s,footer:c}))}o(Pp,"renderConsentPage");function Rz(e){try{return new URL(e).host}catch{return}}o(Rz,"safeUrlHost");function Cz(e){if(e.mode==="user_oauth"||e.mode==="shared-oauth")return e.oauth.scopes}o(Cz,"readOAuthScopes");function xp(e){return e!==void 0&&e.length>0}o(xp,"hasItems");function Iz(e){let t=e.registeredConnection.config.serverInfo?.icons;if(xp(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&xp(r)?r:void 0}o(Iz,"readServerIcons");async function Pz(e){if(!(e.returnTo===void 0||!e.isUserOwned))return Lu({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(Pz,"readConnectUrl");function fn(e,t){return t===void 0?{}:{[e]:t}}o(fn,"optionalRequirementField");function xz(e){return e.isUserOwned?Tm(e.connection):{connected:!0,status:"active"}}o(xz,"readSetupConnectionStatus");function Az(e){let t=Cz(e);return xp(t)?t:void 0}o(Az,"readScopesRequested");function kz(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(kz,"readUpdatedAt");function Tz(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(Ci),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(Ii),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(Pi)}}o(Tz,"readVirtualServerCapabilities");async function Ez(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=ki(r),c=s==="user",d=xz({connection:e.connection,isUserOwned:c}),p=await Pz({...e,connected:d.connected,isUserOwned:c});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:Tz({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...fn("description",n.description),...fn("transportHost",Rz(n.transport.baseUrl)),...fn("scopesRequested",Az(t)),...fn("serverIcons",Iz({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...fn("connectUrl",p),...fn("updatedAt",kz({connectionStatus:d,isUserOwned:c})),...fn("expiresAt",e.connection?.expiresAt)}}o(Ez,"buildSetupRequirement");function zw(e){let t=St().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(zw,"requireVirtualServer");async function Ap(e){let t=zw(e.transaction.virtualServerId),r=ir(e.transaction.principal.subjectId),n=[],a=new Map;for(let c of t.connections)ki(c.authMode)==="user"&&(a.set(c,n.length),n.push({owner:r,upstreamServerId:c.upstreamServerId,authProfileId:c.authProfileId}));let i=await K().batchGetUpstreamConnections(n),s=[];for(let c of t.connections){let d=ki(c.authMode)==="user",p=a.get(c);s.push(await Ez({connection:d&&p!==void 0?i[p]:void 0,registeredConnection:c,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(Ap,"requirementsForSetup");function Uz(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(Uz,"readVirtualServerDisplayName");async function kp(e){let t=zw(e.transaction.virtualServerId),r=Uz({virtualServer:t}),n=await K().readClient({clientId:e.transaction.clientId}),a=n.kind==="found"?n.client:void 0,i={gatewayOrigin:ie(e.requestUrl),virtualServerDisplayName:r,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.serverInfo?.title;return s!==void 0&&s!==r&&(i.virtualServerDescription=s),i}o(kp,"consentContext");function Mw(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(Mw,"hasUnresolvedUserUpstream");var Oz=["mcp_user"],$z="dev-browser-user",zz=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),Mz=u.object({response_type:u.literal("code"),client_id:u.string().min(1),redirect_uri:u.string().min(1),resource:u.url(),code_challenge:u.string().min(43),code_challenge_method:Wa,state:u.string().min(1).optional(),scope:u.literal(Se).default(Se)}),qz=u.enum(["continue","approve","cancel"]).default("continue"),Nz=u.object({state:u.string().min(1),decision:qz}),jz=u.object({state:u.string().min(1),apiKey:u.string().min(1)}),hn=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function qw(e){return typeof e=="string"&&e.length>0?e:void 0}o(qw,"readQueryString");function Dz(e,t){let r=qw(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new B("invalid_target",zz)}let n=Mr(t,e.url);if(r===void 0||r===n)return n;throw new B("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(Dz,"requireAuthorizeResource");async function Hz(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await Bs(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=sw(e);return{principal:i,setCookie:await za({principal:i,requestUrl:e.url,virtualServerId:t})}}o(Hz,"resolveBrowserPrincipal");async function Lz(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await Bs(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(Lz,"requireSetupPrincipal");async function Nw(e){let t=await Ap({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await kp({transaction:e.transaction,requestUrl:e.requestUrl}),n={kind:"setup_page",html:Pp({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(Nw,"renderSetup");function Bz(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;if(t==="private_key_jwt")throw new B("invalid_client","OAuth client authentication method is not supported.");return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o(Bz,"toAuthorizationTransactionClient");async function Tp(e,t={}){let r=Mz.parse({...e.query,resource:Dz(e,t.virtualServerId),state:qw(e.query.state)}),n=qa(r.scope);Ma(r.redirect_uri);let a=new Date,i=Ne.parse(r.client_id),s=await kw(r.client_id,a);Tw(s,r.redirect_uri);try{let c=co(e.url,r.resource),d=Bz(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i,virtualServerId:c.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved");let p={clientId:s?.clientId??i,...d===void 0?{}:{client:d},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:c.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:l,setCookie:m}=await Hz(e,c.virtualServerId,t.context);if(!l){let y=await Rw({transaction:p,requestUrl:e.url,now:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i,virtualServerId:c.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let _={kind:"redirect",location:y.browserLoginUrl};return m!==void 0&&(_.setCookie=m),_}let h=await Cw({transaction:p,principal:l,now:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i,virtualServerId:c.virtualServerId,subjectId:l.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),Nw({transaction:h.transaction,csrfToken:h.csrfToken,requestUrl:e.url,setCookie:m})}catch(c){throw Gz({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}o(Tp,"authorizeDownstreamClient");function Gz(e){if(e.cause instanceof hn)return e.cause;let t=Vz(e.cause);return t?new hn({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(Gz,"toDownstreamAuthorizeRedirectError");function Vz(e){if(e instanceof B)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof u.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o(Vz,"mapToOAuthRedirectError");async function jw(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,l=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...l===void 0?{}:{idpErrorUri:l}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",p??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await Zs(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await uw(i),c=await vp({browserLoginStateToken:n,principal:s}),d=await Nw({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url});return d.setCookie=await za({principal:s,requestUrl:e.url,virtualServerId:c.transaction.virtualServerId}),d}o(jw,"completeBrowserLoginCallback");async function Dw(e){let t=Pe(),r=new URL(e.url);if(!qe(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",ie(e.url)),i=new URL(ie(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:_e.parse($z),roles:Oz};return{kind:"redirect",location:a,setCookie:await za({principal:s,requestUrl:e.url})}}o(Dw,"completeLocalDevBrowserLogin");async function Hw(e){let t=jz.parse(e.body),r=await Iw({browserLoginStateToken:t.state}),n=await cw({apiKey:t.apiKey,virtualServerId:r.virtualServerId}),a=await vp({browserLoginStateToken:t.state,principal:n});await hg({apiKey:t.apiKey,principal:n,virtualServerId:a.transaction.virtualServerId});let i=new URL("/oauth/setup",gt(e.request.url));return i.searchParams.set("state",a.csrfToken),{kind:"redirect",location:i,setCookie:await za({principal:n,requestUrl:e.request.url,virtualServerId:a.transaction.virtualServerId})}}o(Hw,"completeApiKeyBrowserLogin");function Fz(e){let t=e.method==="POST"?e.body:e.query;return Nz.parse(t)}o(Fz,"readSetupContinueRequest");async function Lw(e){let{state:t,decision:r}=Fz({method:e.request.method,query:e.request.query,body:e.body}),n=new Date,a=await bp({csrfToken:t,now:n}),i=await Lz(e.request,a.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await Aw({csrfToken:t,currentBrowserPrincipal:i,now:n})};let s=await Pw({csrfToken:t,currentBrowserPrincipal:i,now:n}),c=await Ap({transaction:s,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||Mw(c)){let d=await kp({transaction:s,requestUrl:e.request.url});return{kind:"setup_page",html:Pp({state:t,virtualServerId:s.virtualServerId,upstreams:c,...d})}}return{kind:"redirect",location:await xw({csrfToken:t,currentBrowserPrincipal:i,now:n})}}o(Lw,"continueDownstreamAuthorizeSetup");ae();var Zz=new Set(["authorization_code","refresh_token"]),Kz=u.discriminatedUnion("grant_type",[u.object({grant_type:u.literal("authorization_code"),code:u.string().min(1),redirect_uri:u.string().min(1),client_id:u.string().min(1).optional(),code_verifier:Ya,resource:u.url().optional(),scope:u.literal(Se).optional(),client_secret:u.string().min(1).optional()}),u.object({grant_type:u.literal("refresh_token"),refresh_token:u.string().min(1),client_id:u.string().min(1).optional(),resource:u.url().optional(),scope:u.literal(Se).optional(),client_secret:u.string().min(1).optional()})]);function Jz(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!Zz.has(t)))throw new B("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(Jz,"assertSupportedGrantType");var Wz=u.object({token:u.string().min(1),client_id:u.string().min(1).optional(),token_type_hint:u.string().optional(),client_secret:u.string().min(1).optional()});function Bw(){return Pe().gateway.accessTokenTtlSeconds}o(Bw,"readAccessTokenTtlSeconds");function Yz(){return Pe().gateway.refreshTokenTtlSeconds}o(Yz,"readRefreshTokenTtlSeconds");function Qz(e,t){let r=Bw(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:re(Dt(e,a)),expiresIn:a}}o(Qz,"calculateAccessTokenExpiresAt");function Gw(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new B("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new B("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new B("invalid_client","Malformed HTTP Basic client authentication.")}}o(Gw,"readBasicClientSecret");function Vw(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new B("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new B("invalid_client","Client authentication or client_id is required.");return t}o(Vw,"resolveAuthenticatedClientId");function Fw(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new B("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(Fw,"resolveClientSecretInput");async function Zw(e){let t=Ne.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await le(e.clientSecret)}}o(Zw,"buildRuntimeHttpClientAuth");async function Kw(e){Jz(e.body);let t=Kz.parse(e.body),r=Gw(e.authorizationHeader),n=Vw({basicClientId:r.clientId,bodyClientId:t.client_id}),a=new Date,i=Fw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});return Xz({parsed:t,clientId:n,clientSecretInput:i,now:a,requestUrl:e.requestUrl})}o(Kw,"exchangeDownstreamToken");async function Xz(e){let t=await Zw({clientId:e.clientId,...e.clientSecretInput});if(e.parsed.grant_type==="authorization_code"){Ma(e.parsed.redirect_uri),qa(e.parsed.scope),e.parsed.resource!==void 0&&co(e.requestUrl??e.parsed.resource,e.parsed.resource);let c=Ht(),d=Ht(),p=re(Dt(e.now,Yz())),l=Qz(e.now,p),m=await K().exchangeAuthorizationCode({clientAuth:t,codeHash:await le(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await bf(e.parsed.code_verifier),currentRefreshTokenHash:await le(c),accessTokenHash:await le(d),grantExpiresAt:p,accessTokenExpiresAt:l.expiresAt,now:re(e.now)});if(m.kind==="invalid_client")throw new B("invalid_client","Client authentication failed.");if(m.kind==="resource_mismatch")throw new B("invalid_target","Token request resource must match the authorization code resource.");if(m.kind!=="exchanged")throw new B("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return{access_token:d,token_type:"Bearer",expires_in:l.expiresIn,refresh_token:c,scope:m.grant.scope,resource:m.grant.resource}}qa(e.parsed.scope),e.parsed.resource!==void 0&&co(e.requestUrl??e.parsed.resource,e.parsed.resource);let r=Ht(),n=Ht(),a=re(Dt(e.now,Bw())),i=await K().refreshToken({clientAuth:t,currentRefreshTokenHash:await le(e.parsed.refresh_token),nextRefreshTokenHash:await le(r),accessTokenHash:await le(n),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:a,now:re(e.now)});if(i.kind==="invalid_client")throw new B("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new B("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new B("invalid_grant","Refresh token is invalid, expired, or revoked.");co(e.requestUrl??i.grant.resource,i.grant.resource);let s=i.accessToken.expiresAt;return{access_token:n,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:i.grant.scope,resource:i.grant.resource}}o(Xz,"exchangeDownstreamTokenWithRuntimeHttp");async function Jw(e){let t=Wz.parse(e.body),r=Gw(e.authorizationHeader),n=Vw({basicClientId:r.clientId,bodyClientId:t.client_id}),a=Fw({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret}),i=new Date;if((await K().revokeOAuthToken({clientAuth:await Zw({clientId:n,...a}),tokenHash:await le(t.token),now:re(i)})).kind==="invalid_client")throw new B("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:n,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed")}o(Jw,"revokeDownstreamToken");var eM=64*1024,tM=16*1024,rM="text/html; charset=utf-8";function nM(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(nM,"formDataToObject");async function oM(e){return F_(e,{maxBytes:eM,label:"Request body"})}o(oM,"readJsonBody");async function Js(e){return nM(await Ls(e,{maxBytes:tM,label:"Request body"}))}o(Js,"readFormBody");async function Ws(e,t,r){let n=ge(r),a=r instanceof u.ZodError?Ww(r):void 0,i={code:n??(r instanceof u.ZodError?"invalid_request":"internal_server_error")};return a!==void 0&&(i.detail=a),st(e,t,i)}o(Ws,"handleProblem");function Na(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(Na,"oauthErrorResponse");function aM(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(aM,"readOAuthProtocolHeaders");function iM(e,t){let r=Ke("internal_server_error");return Na({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:aM(e,t)})}o(iM,"oauthProtocolErrorResponse");function sM(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(sM,"readZodOAuthErrorCode");function cM(e){let t={error:sM(e)},r=Ww(e);return r!==void 0&&(t.errorDescription=r),Na(t)}o(cM,"oauthZodErrorResponse");function uM(e){let t=ge(e);if(t===void 0)return;let r=Ke(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:lM(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,Na(n)}o(uM,"oauthGatewayProblemResponse");function dM(){let t={error:"server_error",status:500,errorDescription:Ke("internal_server_error").publicDetail};return Na(t)}o(dM,"oauthFallbackErrorResponse");function lM(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(lM,"readOAuthStatus");function uo(e,t={}){return e instanceof hn?pM(e):e instanceof B?iM(e,t):e instanceof u.ZodError?cM(e):uM(e)??dM()}o(uo,"oauthProblemResponse");function Mt(e,t,r){let n={event:t},a=!1;if(r instanceof B)n.oauthError=r.errorCode,n.status=r.status,Ye(n,"error",r);else if(r instanceof hn)n.oauthError=r.errorCode,Ye(n,"error",r);else if(r instanceof u.ZodError){n.code="invalid_request",Ye(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=ge(r);if(i!==void 0){let s=Ke(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",Ye(n,"error",r)}else a=!0,Ye(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(Mt,"logUnexpectedOAuthHandlerError");function pM(e){let t;try{t=new URL(e.redirectUri)}catch{return Na({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(pM,"downstreamAuthorizeRedirectErrorResponse");function Ww(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(Ww,"formatZodErrorDetail");function mM(e,t){let r={event:"browser_login_callback_failed",code:ge(t)??"invalid_request"};Ye(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(mM,"logBrowserLoginCallbackFailure");function Ep(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(Ep,"redirectResultResponse");function Ys(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":rM,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Ep(e)}o(Ys,"authorizeResultResponse");async function Yw(e,t){try{return Response.json(xc(e.url))}catch(r){return Mt(t,"oauth_authorization_server_metadata_failed",r),Ws(e,t,r)}}o(Yw,"authorizationServerMetadataHandler");async function Qw(e,t){try{let r=xe.parse(e.params.virtualServerId),n=qr(r);return Response.json(Sm({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return Mt(t,"oauth_authorization_server_metadata_failed",r),Ws(e,t,r)}}o(Qw,"scopedAuthorizationServerMetadataHandler");async function Xw(e,t){try{let r=await Uw(await oM(e)),n=r;return t.log.info({event:"oauth_dcr_client_registered",clientId:typeof n.client_id=="string"?n.client_id:void 0,clientName:typeof n.client_name=="string"?n.client_name:void 0,redirectUriCount:Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,tokenEndpointAuthMethod:typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0},"OAuth Dynamic Client Registration completed"),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Mt(t,"oauth_register_failed",r),uo(r)}}o(Xw,"registerHandler");async function ev(e,t){try{return Ys(await Tp(e,{context:t}))}catch(r){return Mt(t,"oauth_authorize_failed",r),uo(r,{includeInvalidClientChallenge:!1})}}o(ev,"authorizeHandler");async function tv(e,t){try{let r=xe.parse(e.params.virtualServerId),n=qr(r);return Ys(await Tp(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return Mt(t,"oauth_authorize_scoped_failed",r),uo(r,{includeInvalidClientChallenge:!1})}}o(tv,"scopedAuthorizeHandler");async function rv(e,t){try{let r=await jw(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Ys(r)}catch(r){return mM(t,r),Ws(e,t,r)}}o(rv,"callbackHandler");async function nv(e,t){try{return Ep(await Dw(e))}catch(r){return Mt(t,"oauth_dev_login_failed",r),uo(r)}}o(nv,"devLoginHandler");async function ov(e,t){let r=(()=>{try{return new URL(e.url).host}catch{return""}})();try{if(e.method==="GET"){let n=typeof e.query.state=="string"?e.query.state:void 0;return n?ew(r,n):hp(r,400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):Ep(await Hw({request:e,body:await Js(e)}))}catch(n){return Mt(t,"oauth_api_key_login_failed",n),hp(r)}}o(ov,"apiKeyLoginHandler");async function av(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Lw({request:e,body:e.method==="POST"?await Js(e):void 0,context:t});return Ys(r)}catch(r){return Mt(t,"oauth_setup_failed",r),Ws(e,t,r)}}o(av,"setupHandler");async function iv(e,t){try{return Response.json(await Kw({body:await Js(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Mt(t,"oauth_token_failed",r),uo(r)}}o(iv,"tokenHandler");async function sv(e,t){try{return await Jw({body:await Js(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Mt(t,"oauth_revoke_failed",r),uo(r)}}o(sv,"revokeHandler");var fM={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},cv=new It("upstream-request");function hM(e){let t=cv.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(hM,"readUpstreamRequestContext");function gM(e,t){return t.some(r=>r===e)}o(gM,"requestContextMatchesKind");function yM(e){return typeof e=="string"?[e]:e}o(yM,"toExpectedKinds");function gn(e,t){cv.set(e,t)}o(gn,"setUpstreamRequestContext");function yn(e,t){let r=hM(e),n=yM(t);if(!gM(r.kind,n)){let a=fM[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(yn,"requireUpstreamRequestContext");function uv(e){return ce`<form class="form" method="post" action="${e.action}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}" />${e.fields}<p class="form__note">The gateway stores this encrypted and keeps it out of MCP client
-    configuration.</p><button class="button button--primary button--block form__submit" type="submit" >Connect</button></form>`}o(uv,"renderAppPassword");function dv(e){return ce`<p data-gateway-error-code="${e.code}">${e.body}</p>`}o(dv,"renderBrowserResult");var SM="text/html; charset=utf-8",_M="none";function lv(e){let t=pn(e.host);return rr({title:e.title,iconHref:t,styles:tr,headerIcon:mn({iconHref:t,fallbackIconHref:ln}),heading:e.title,subhead:"",body:dv({body:e.body,code:e.code??_M}),footer:""})}o(lv,"browserResultHtml");function pv(e,t=200){return new Response(Tr(e),{status:t,headers:{"content-type":SM,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(pv,"browserResultResponse");function Qs(e){return pv(lv(e))}o(Qs,"browserConnectionSuccessResponse");function lo(e,t){let r=om(t);return pv(lv({host:e,title:r.title,body:r.body,code:t}),400)}o(lo,"browserConnectionFailureResponse");function Up(e){try{return new URL(e).host}catch{return""}}o(Up,"safeHostFromUrl");var wM="text/html; charset=utf-8",vM=16*1024;function bM(e,t=200){return new Response(Tr(e),{status:t,headers:{"content-type":wM,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(bM,"htmlResponse");function RM(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(RM,"safeRedirect");function CM(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(CM,"requireBrowserTicket");function IM(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(IM,"appPasswordTicketMatchesTarget");async function mv(e){let t=CM(e.browserTicket),r=await $i(t);if(!IM(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(mv,"readAppPasswordTarget");function PM(e,t){let r=Ku(e.upstreamServerId,e.authProfileId),n=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,a=pn(t),i=r.kind==="basic_auth_app_password"?ce`<label class="form__label" for="username">${r.usernameLabel}</label><input class="form__input" id="username" name="username" required autocomplete="username"><label class="form__label" for="appPassword">${r.passwordLabel}</label><input class="form__input" id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:ce`<label class="form__label" for="token">${r.label}</label><input class="form__input" id="token" name="token" type="password" required autocomplete="off">`;return bM(rr({title:"Connect upstream",iconHref:a,styles:tr,headerIcon:mn({iconHref:a,fallbackIconHref:ln}),heading:"Connect upstream",subhead:ce`<p class="card__subtitle">Enter the per-user credential for this approved upstream.</p>`,body:uv({action:n,browserTicket:e.browserTicket,fields:i}),footer:""}))}o(PM,"renderCaptureForm");function Xs(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(Xs,"readRequiredFormValue");function xM(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(xM,"readCaptureFormTargetInput");async function AM(e,t){return PM(await mv(xM(e)),t)}o(AM,"handleCaptureFormRequest");async function kM(e){let t=await Ls(e.request,{maxBytes:vM,label:"App password request body"});return{form:t,target:await mv({upstreamServerId:e.upstreamServerId,browserTicket:Xs(t,"browserTicket")})}}o(kM,"readSubmittedAppPasswordTarget");async function TM(e){let t=xn(e.target.ticket);if(await zi(e.target.ticket),Ku(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await Mi({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:Xs(e.form,"token")});return}await Lh({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:Xs(e.form,"username"),appPassword:Xs(e.form,"appPassword")})}o(TM,"saveSubmittedAppPasswordCredential");function EM(e,t){return t.ticket.returnTo?RM(e,t.ticket.returnTo):Qs({host:Up(e),title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(EM,"appPasswordSuccessResponse");async function UM(e){let t=await kM({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await TM(t),EM(e.request.url,t.target)}o(UM,"handleAppPasswordSubmission");function OM(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(OM,"methodNotAllowedResponse");function $M(e,t){let r=ge(t);return lo(e,Fa(r)?r:"oauth_state_invalid")}o($M,"appPasswordFailureResponse");async function zM(e){let t=Up(e.request.url);switch(e.request.method){case"GET":return AM(e.appPasswordRequest,t);case"POST":return UM(e);default:return OM()}}o(zM,"handleAppPasswordMethod");async function Op(e,t){let r=yn(t,"app_password");try{return await zM({request:e,appPasswordRequest:r})}catch(n){return $M(Up(e.url),n)}}o(Op,"appPasswordHandler");var MM=["callback_authorization_code","callback_provider_error","callback_invalid"];function qM(e){return"cause"in e?e.cause:void 0}o(qM,"readErrorCause");function NM(e){return e.stack?.split(`
-`).slice(1,4).map(t=>t.trim()).join(" | ")}o(NM,"readFirstStackFrame");function fv(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=NM(r))}o(fv,"addErrorAttributes");function hv(e){try{return new URL(e).host}catch{return""}}o(hv,"safeHostFromUrl");function jM(e,t,r){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),Qe(e,{eventType:Z.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),lo(r,"provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),lo(r,"oauth_state_invalid");case"callback_authorization_code":return t}}o(jM,"requireAuthorizationCallbackRequest");function DM(e,t){Qe(e,{eventType:Z.MCP_GATEWAY_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(DM,"emitCallbackReceivedAnalyticsEvent");function HM(e,t){Qe(e,{eventType:Z.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o(HM,"emitTokenExchangeSucceededAnalyticsEvent");function LM(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return Qs({host:hv(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(LM,"buildSuccessfulCallbackResponse");function BM(e){let t={detail:e instanceof Error?e.message:void 0};return fv(t,"error",e),e instanceof Error&&fv(t,"cause",qM(e)),t}o(BM,"buildTokenExchangeFailureAttributes");function GM(e){Qe(e.context,{eventType:Z.MCP_GATEWAY_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:ge(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:BM(e.error)})}o(GM,"emitTokenExchangeFailedAnalyticsEvent");function VM(e,t){let r=ge(t);return lo(e,Fa(r)?r:"upstream_token_exchange_failed")}o(VM,"tokenExchangeFailureResponse");async function $p(e,t){let r=yn(t,MM),n=hv(e.url),a=jM(t,r,n);if(a instanceof Response)return a;DM(t,a);try{let i=await yg({request:e,callbackRequest:a});return HM(t,i),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:i.upstreamServerId,virtualServerId:i.virtualServerId,authProfileId:i.authProfileId,ownerMode:i.ownerMode},"Upstream OAuth token exchange completed; user connection established"),LM(e,i)}catch(i){let s={event:"upstream_oauth_token_exchange_failed",code:ge(i)??"upstream_token_exchange_failed",upstreamServerId:a.upstreamServerId};return Ye(s,"error",i),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),GM({context:t,callbackRequest:a,error:i}),VM(n,i)}}o($p,"callbackHandler");function FM(e){let t=ge(e);return t==="unknown_upstream_server"?t:"not_found"}o(FM,"clientMetadataProblemCode");function ZM(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(ZM,"clientMetadataProblemDetail");async function gv(e,t){let r=yn(t,"connect"),n=await gg({request:e,connectRequest:r});if(Qe(t,{eventType:Z.MCP_GATEWAY_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await Nn({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(gv,"connectHandler");async function yv(e,t){let r=yn(t,"client_metadata");try{let n=rg(e.url),a=ng(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=FM(n),i=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),st(e,t,{code:a,detail:ZM(n)})}}o(yv,"oauthClientMetadataHandler");function nr(e){if(typeof e=="string"&&e.length!==0)return e}o(nr,"readOptionalQueryString");function KM(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(KM,"requirePathString");function Sv(e){let t=nr(e);return t?xe.parse(t):void 0}o(Sv,"readOptionalVirtualServerId");function JM(e,t){let r=nr(e);return r?We.parse(r):zn(t,"user_oauth")}o(JM,"readOptionalAuthProfileId");function WM(e){let t=Sv(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(WM,"readRequiredVirtualServerId");function YM(e){let t=nr(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(YM,"readOptionalBrowserTicket");function QM(e){let t=ni(nr(e));return t===void 0?{}:{returnTo:t}}o(QM,"readOptionalReturnTo");function XM(e){let t=Sv(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(XM,"readOptionalVirtualServerIdContext");function eq(e){let t=nr(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(eq,"readOptionalProviderErrorDescription");function tq(e){let t=xt(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(tq,"requireConnectableRouteAuth");function rq(e,t,r,n){let a=Hs(e,t);if(a.ownerMode==="none"||a.authMode==="shared-secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(rq,"buildConnectContextForPrincipal");function nq(e,t,r){let n=xn(t),a=xt(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(nq,"buildConnectContextForTicket");async function oq(e,t){let r=tq(B_(t,WM(e.query.virtualServerId))),n=e.query.redirect==="true",a=nr(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let s=Cn(e.user,e.url);return rq(r,s,n,QM(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let i=await $i(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await zi(i),nq(r,i,n)}o(oq,"resolveConnectContext");async function aq(e,t,r){let n=Je.parse(KM(e,"connection"));switch(r){case"connect":gn(t,await oq(e,n));return;case"app_password":gn(t,{kind:"app_password",upstreamServerId:n,...XM(e),...YM(e)});return;case"callback":{let a=nr(e.query.error);if(a){gn(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...eq(e)});return}let i=nr(e.query.code),s=nr(e.query.state);if(i&&s){gn(t,{kind:"callback_authorization_code",upstreamServerId:n,code:i,state:s});return}gn(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":gn(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:JM(e.query.authProfileId,n)});return}}o(aq,"resolveUpstreamRequestInbound");async function iq(e,t,r){try{await aq(e,t,r);return}catch(n){let a=ge(n);if(!a)throw n;let i=n instanceof Error?n.message:void 0;return st(e,t,{code:a,...i===void 0?{}:{detail:i}})}}o(iq,"applyUpstreamRequestContext");function ja(e,t){return o(async(n,a)=>{let i=await iq(n,a,e);return i||t(n,a)},"wrapped")}o(ja,"withUpstreamRequestContext");var sq={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function cq(){return new Response(null,{status:204,headers:sq})}o(cq,"buildWellKnownPreflightResponse");function uq(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(uq,"withWellKnownCorsHeaders");function zp(e){return async(t,r)=>t.method==="OPTIONS"?cq():uq(await e(t,r))}o(zp,"wrapWellKnownHandler");var dq=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:zp(Yw),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:zp(Qw),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:zp(_m),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Xw},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:ev},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:tv},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:rv},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:nv},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:ov},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:av},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:iv},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:sv},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:ja("client_metadata",yv)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:ja("connect",gv)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:ja("callback",$p)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:ja("app_password",Op)}];function _v(e){return e?.some(t=>Ao(t.policyType))??!1}o(_v,"shouldRegisterMcpGatewayInternalRoutes");function lq(e){let t=Uf(e.policies);if(!t){let r=[...Wc].map(n=>`\`${n}\``).join(", ");throw new ue(`MCP gateway: could not find an MCP authorization policy in policies.json. Add one of [${r}] and reference it on your MCP routes.`)}return ah(zu({routes:e.routes,policies:e.policies})),t.config}o(lq,"initializeMcpGatewayState");function pq(e,t,r){return async(n,a)=>{let i=a;Rn(i,r());let s=n.method==="OPTIONS",c=Date.now();s||i.log.info({event:`${e}_received`,method:n.method},`MCP gateway: ${e} received`);let d=await t(n,a);return s||i.log.info({event:`${e}_responded`,status:d.status,durationMs:Date.now()-c},`MCP gateway: ${e} responded`),d}}o(pq,"wrapInternalHandler");function wv(e,t){let r,n=o(()=>(r===void 0&&(r=lq(t)),r),"readOAuthConfig");for(let a of dq){let i=pq(a.routeName,a.handler,n),s=o((c,d)=>i(c,d),"handler");e.addPluginRoute({path:a.path,methods:a.methods,handler:s,processors:[sc],corsPolicy:a.corsPolicy??"none"})}}o(wv,"registerMcpGatewayInternalRoutes");function vv(e){oh(e)}o(vv,"configureLazyMcpGatewayState");var Mp=class extends Fp{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!_v(r.policies))return;let n={routes:r.routes,policies:r.policies};vv(n),wv(t.router,n)}};export{Zc as McpAuth0OAuthInboundPolicy,Mp as McpGatewayPlugin,Kc as McpOAuthInboundPolicy,mp as McpUpstreamConnectionInboundPolicy,g$ as McpVirtualServerHandler,Fx as mcpUpstreamHandler};
+    </style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}o(rr,"renderShell");var gp="zuplo.com";function Wv(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}o(Wv,"s2FaviconHref");function i$(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}o(i$,"strictFaviconHref");var dn=Wv(gp);function ln(e){let t=e.toLowerCase();return t===gp||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?Wv(gp):i$(e)}o(ln,"resolveIconHref");function pn(e){return ce`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}o(pn,"renderShellIcon");function Yv(e){return ce`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}o(Yv,"renderActions");var D5=er('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function Qv(){return ce`<p>The API key could not be verified. Start the authorization flow again to try
+  once more.</p>`}o(Qv,"renderApiKeyLoginFailure");function Xv(e){return ce`<form class="form" method="post" action="/oauth/api-key-login" autocomplete="off" ><input type="hidden" name="state" value="${e.state}" /><label class="form__label" for="apiKey">API key</label><input class="form__input" id="apiKey" name="apiKey" type="password" required autocomplete="off" /><button class="button button--primary button--block form__submit" type="submit" >Continue</button></form>`}o(Xv,"renderApiKeyLoginForm");var j5=er('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),H5=er('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var L5=er('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var s$="text/html; charset=utf-8";function e_(e,t=200){return new Response(Tr(e),{status:t,headers:{"content-type":s$,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(e_,"apiKeyLoginHtmlResponse");function yp(e,t=401){let r=ln(e);return e_(rr({title:"Sign-in failed",iconHref:r,styles:tr,headerIcon:pn({iconHref:r,fallbackIconHref:dn}),heading:"Sign-in failed",subhead:"",body:Qv(),footer:""}),t)}o(yp,"apiKeyLoginFailureResponse");function t_(e,t){let r=ln(e);return e_(rr({title:"Sign in",iconHref:r,styles:tr,headerIcon:pn({iconHref:r,fallbackIconHref:dn}),heading:"Sign in",subhead:ce`<p class="card__subtitle">Enter your API key to continue.</p>`,body:Xv({state:t}),footer:""}))}o(t_,"renderApiKeyLoginForm");ae();ae();import{errors as p_,jwtVerify as m_,SignJWT as f_}from"jose";ae();import{errors as v$,jwtVerify as _$,SignJWT as w$}from"jose";function Ar(e){let t=Pe().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(Ar,"requireBrowserLoginField");ae();import{createRemoteJWKSet as u$,errors as Oa,jwtVerify as d$}from"jose";var l$=u.object({id_token:u.string().min(1),token_type:u.string().min(1).optional(),expires_in:u.number().optional(),access_token:u.string().min(1).optional(),refresh_token:u.string().min(1).optional(),scope:u.string().min(1).optional()}),p$=u.object({error:u.string().min(1).optional(),error_description:u.string().min(1).optional(),error_uri:u.string().min(1).optional()});function m$(e){let t=p$.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(m$,"readIdpErrorFields");function f$(e){return e instanceof Oa.JWTExpired?"expired":e instanceof Oa.JWTClaimValidationFailed?"claim":e instanceof Oa.JWSSignatureVerificationFailed?"signature":e instanceof Oa.JWKSNoMatchingKey?"jwks_no_match":e instanceof Oa.JWTInvalid?"invalid":e instanceof u.ZodError?"schema":"other"}o(f$,"readJwtFailureKind");var h$=u.object({sub:ve,nonce:u.string().min(1)}).catchall(u.unknown()),Sp;function g$(e){return e instanceof Error&&"cause"in e?e.cause:e}o(g$,"readErrorCause");function y$(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(y$,"readRuntimeGatewayCode");function S$(){if(!Sp){let e=Pe();Sp=u$(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Sp}o(S$,"readFederatedJwks");async function r_(e){let t=Pe(),r=Ar("tokenUrl"),n=Ar("clientId"),a=Ar("clientSecret"),i=new URL("/oauth/callback",ht(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:c,json:d}=await lh(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!c.ok){let h=m$(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:st(r),idpStatus:c.status,...h},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${h.idpError?` idp_error=${h.idpError}`:""}${h.idpErrorDescription?` idp_error_description=${h.idpErrorDescription}`:""})`)})}let p=l$.parse(d),l;try{({payload:l}=await d$(p.id_token,S$(),{issuer:t.oidc.issuer,audience:n}))}catch(h){let y={};throw Ye(y,"error",h),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:f$(h),idpHost:st(r),expectedIssuer:t.oidc.issuer,...y},"Federated id_token failed jose verification"),h}if(l.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:st(r),nonceMissingFromIdToken:l.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=h$.parse(l);return Rn({sub:m.sub,data:m},e.requestUrl)}catch(c){let d=ge(c)??y$(c);throw d!==void 0&&d!=="browser_login_verification_failed"?c:g("browser_login_verification_failed","Federated browser login callback could not be verified.",g$(c))}}o(r_,"exchangeFederatedAuthorizationCode");var _p="zuplo_mcp_session",n_="HS256",o_="zuplo-mcp-gateway",a_="zuplo-mcp-gateway",b$=u.object({purpose:u.literal("gateway_browser_session"),sub:ve,browserLoginOrigin:u.string().min(1),roles:u.array(u.string().min(1)).optional(),exp:u.number().int().positive(),iat:u.number().int().positive().optional()});function R$(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(R$,"parseCookieHeader");async function i_(){return xt({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>mr(e,"browser-session"),"derive")})}o(i_,"getBrowserSessionKey");function vp(e){let t=new URL(ie(e)),r=[`${_p}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(vp,"buildBrowserSessionEvictionCookie");function C$(e){let t=new URL(ie(e.requestUrl)),r=[`${_p}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(C$,"serializeSessionCookie");function s_(e={}){return new URL(Ar("url")).origin}o(s_,"readBrowserLoginOrigin");function wp(){return Pe().browserLogin.stateTtlSeconds}o(wp,"readBrowserLoginStateTtlSeconds");function c_(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Rn(e.user,e.url)}o(c_,"resolveCurrentRequestPrincipal");async function Ls(e,t={}){let r=R$(e.headers.get("cookie")).get(_p);if(!r)return{};try{let{payload:n}=await _$(r,await i_(),{algorithms:[n_],issuer:o_,audience:a_}),a=b$.parse(n);if(a.browserLoginOrigin!==s_(t))return{evictCookie:vp(e.url)};let i={subjectId:a.sub};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof v$.JWTExpired?{evictCookie:vp(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:vp(e.url)})}}o(Ls,"readBrowserSession");async function $a(e){let t=Pe().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:s_({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new w$(r).setProtectedHeader({alg:n_,typ:"JWT"}).setIssuer(o_).setAudience(a_).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await i_());return C$({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o($a,"createBrowserSessionCookie");async function u_(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(u_,"resolveApiKeyBrowserLoginPrincipal");async function d_(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Ls(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return r_({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(d_,"resolveBrowserLoginCallbackPrincipal");function l_(e){let t=Pe().browserLogin,r=new URL(Ar("url")),n=new URL("/oauth/callback",ht(e.requestUrl));return _m(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",Ar("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(l_,"buildBrowserLoginUrl");var I$={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},L=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=I$[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};var P$=5*60,Bs="HS256",Gs="zuplo-mcp-gateway",Vs="zuplo-mcp-gateway",x$=u.object({purpose:u.literal("gateway_browser_login"),transactionId:ct,stateId:Qa,exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),k$=u.object({purpose:u.literal("gateway_authorization_setup"),transactionId:ct,stateId:Qa,exp:u.number().int().positive(),iat:u.number().int().positive().optional()});async function h_(){return xt({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>mr(e,"browser-login"),"derive")})}o(h_,"getBrowserLoginKey");async function g_(){return xt({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>mr(e,"authorization-csrf"),"derive")})}o(g_,"getCsrfKey");function y_(e){return{now:e.now??new Date,ttlSeconds:wp()}}o(y_,"readPendingTransactionDependencies");function T$(e,t){return e.subjectId===t.subjectId}o(T$,"principalsMatch");function S_(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}o(S_,"toPendingPrincipal");function v_(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:re(e.now),expiresAt:re(Dt(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:S_(e.principal)}}o(v_,"createTransactionRecord");async function __(e){let{id:t,...r}=e.record,n=await K().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(n.kind){case"started":return n.transaction;case"already_exists":throw g("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new L("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new L("invalid_request","redirect_uri is not registered for the client.")}}o(__,"startPendingTransaction");async function A$(e){return new f_({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:Bs,typ:"JWT"}).setIssuer(Gs).setAudience(Vs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await h_())}o(A$,"signBrowserLoginState");async function w_(e){return new f_({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Ic()}).setProtectedHeader({alg:Bs,typ:"JWT"}).setIssuer(Gs).setAudience(Vs).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await g_())}o(w_,"signCsrfToken");async function Fs(e){try{let{payload:t}=await m_(e,await h_(),{algorithms:[Bs],issuer:Gs,audience:Vs}),r=x$.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof p_.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(Fs,"verifyBrowserLoginStateToken");async function bp(e){try{let{payload:t}=await m_(e,await g_(),{algorithms:[Bs],issuer:Gs,audience:Vs});return{transactionId:k$.parse(t).transactionId}}catch(t){throw t instanceof p_.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(bp,"verifyCsrfToken");function Zs(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(Zs,"pendingStateErrorCode");function b_(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}o(b_,"toPendingAuthorizationGetResult");function E$(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}o(E$,"toPendingAuthorizationAdvanceResult");function R_(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Zs(e==="consumed_already"?"consumed_already":e)}o(R_,"setupDecisionErrorCode");function U$(e){if(e.kind!=="available")throw g(Zs(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(U$,"requireAwaitingSetup");function O$(e){if(e.kind!=="available")throw g(Zs(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(O$,"requireAwaitingLogin");function $$(e){if(!T$(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o($$,"requireCurrentPrincipalMatches");async function C_(e){let t=e.now??new Date,r=wp(),n=Cc(),a=Ic(),i=await A$({transactionId:n,stateId:a,ttlSeconds:r}),s=v_({id:n,transaction:e.transaction,currentStateHash:await le(i),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await __({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:c,browserLoginStateToken:i,browserLoginUrl:l_({state:i,nonce:a,virtualServerId:s.virtualServerId,requestUrl:e.requestUrl})}}o(C_,"startAwaitingLogin");async function I_(e){let{now:t,ttlSeconds:r}=y_(e),n=Cc(),a=await w_({transactionId:n,ttlSeconds:r}),i=v_({id:n,transaction:e.transaction,currentStateHash:await le(a),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(i.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await __({record:i,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:a}}o(I_,"startAwaitingSetup");async function Rp(e){let{now:t,ttlSeconds:r}=y_(e),n=await Fs(e.browserLoginStateToken),a=await w_({transactionId:n.transactionId,ttlSeconds:r}),i=E$(await K().advancePendingAuthorization({transactionId:n.transactionId,expectedPhase:"awaiting_login",currentStateHash:await le(e.browserLoginStateToken),nextStateHash:await le(a),nextPhase:"awaiting_setup",principal:S_(e.principal),now:re(t)}));if(i.kind!=="advanced")throw g(Zs(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:a}}o(Rp,"completeLogin");async function P_(e){let t=e.now??new Date,r=await Fs(e.browserLoginStateToken);return O$(b_(await K().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await le(e.browserLoginStateToken),now:re(t)})))}o(P_,"getAwaitingLogin");async function x_(e){let t=await Cp(e);return $$({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(x_,"getSetup");async function Cp(e){let t=e.now??new Date,r=await bp(e.csrfToken);return U$(b_(await K().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await le(e.csrfToken),now:re(t)})))}o(Cp,"getSetupTransaction");async function z$(e){let t=await bp(e.csrfToken),r=jt(),n=re(Dt(e.now,P$)),a=await K().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await le(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await le(r),authorizationCodeExpiresAt:n,grantId:Sm(),now:re(e.now)});if(a.kind!=="approved")throw g(a.kind==="cancelled"?"oauth_state_invalid":R_(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(z$,"createAuthorizationCodeRedirectWithDecision");async function M$(e){let t=await bp(e.csrfToken),r=await K().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await le(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:re(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":R_(r.kind),"Authorization setup state is invalid, expired, or already used.");return q$({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(M$,"createCancelRedirectWithDecision");function q$(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(q$,"buildClientCancelRedirect");async function k_(e){let t=e.now??new Date;return z$({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}o(k_,"approve");async function T_(e){let t=e.now??new Date;return M$({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}o(T_,"cancel");ae();var N$=1e4,D$=5*1024,j$=2,H$=90*24*60*60,Ip=["authorization_code","refresh_token"],Pp=["code"],L$=u.object({client_name:u.string().min(1).optional(),redirect_uris:u.array(u.string().min(1)).min(1),grant_types:u.array(u.enum(Ip)).min(1).max(2).optional(),response_types:u.array(u.enum(Pp)).min(1).max(1).optional(),scope:u.literal(ye).optional(),token_endpoint_auth_method:_c.default("none")});function B$(e){try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(B$,"isCimdClientIdCandidate");function za(e,t="invalid_request"){if(G$(e))throw new L(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new L(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new L(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||qe(r)))throw new L(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(za,"assertValidRedirectUri");function G$(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(G$,"hasForbiddenRawRedirectUriCharacter");async function V$(e){let{response:t,json:r}=await ph(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:j$,maxResponseBytes:D$,timeoutMs:N$});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=ym.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");if(n.token_endpoint_auth_method!=="none")throw g("invalid_request","CIMD clients must use token_endpoint_auth_method none until private_key_jwt is implemented.");return n}o(V$,"fetchCimdMetadata");async function F$(e){let t=Pi(e),r=await V$({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(F$,"resolveCimdClient");async function A_(e,t){let r=Ne.parse(e);if(B$(r)){if(!Pe().gateway.cimdEnabled)throw new L("invalid_client","OAuth client is not registered.");try{return await F$(r)}catch{throw new L("invalid_client","OAuth client is not registered.")}}let n=await K().readClient({clientId:r});if(n.kind==="found"){let a=n.client,i={kind:"dcr",clientId:r,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new L("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(A_,"resolveClient");function E_(e,t){if(!e.metadata.redirect_uris.some(r=>vm(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(E_,"assertRedirectRegistered");function Z$(e){let t=U_(e.grant_types),r=e.response_types??[...Pp];if(!K$(t))throw new L("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!J$(r))throw new L("invalid_client_metadata","response_types must be code.");if(!W$(e.scope))throw new L("invalid_client_metadata",`Only the ${ye} scope is supported.`)}o(Z$,"assertSupportedDcrRequest");function U_(e){return e===void 0?[...Ip]:Array.from(new Set(e))}o(U_,"normalizeGrantTypes");function K$(e){return e.length===0?!1:e.every(t=>Ip.includes(t))}o(K$,"isSupportedGrantTypes");function J$(e){return e.length===Pp.length&&e[0]==="code"}o(J$,"isSupportedResponseTypes");function W$(e){return e===void 0||e===ye}o(W$,"isSupportedDcrScope");function Ma(e){if(e===void 0||e===ye)return ye;throw new L("invalid_request",`Only the ${ye} scope is supported.`)}o(Ma,"assertSupportedOAuthScope");function co(e,t){let r;try{r=new URL(t)}catch{throw new L("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new L("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!qe(r))throw new L("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=ie(e),a=oh(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new L("invalid_target","resource must match a published virtual MCP server.");return i}o(co,"resolveResource");async function O_(e){let t;try{t=L$.parse(e)}catch(l){if(l instanceof u.ZodError){let m=l.issues.some(h=>h.path[0]==="redirect_uris");throw new L(m?"invalid_redirect_uri":"invalid_client_metadata",l.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:l})}throw l}Z$(t);for(let l of t.redirect_uris)za(l,"invalid_redirect_uri");let r=new Date,n=Ne.parse(`dcr:${crypto.randomUUID()}`),a=Dt(r,H$),i=Math.floor(r.getTime()/1e3),s=Math.floor(a.getTime()/1e3),c={client_id:n,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:U_(t.grant_types),response_types:["code"],scope:ye,token_endpoint_auth_method:t.token_endpoint_auth_method,client_id_issued_at:i},d={clientId:n,clientName:String(c.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:t.token_endpoint_auth_method,createdAt:re(r),clientExpiresAt:re(a)};if(t.token_endpoint_auth_method!=="none"){let l=jt();d.hashedClientSecret=await le(l),d.clientSecretExpiresAt=re(a),c.client_secret=l,c.client_secret_expires_at=s,c.client_secret_issued_at=i}if((await K().registerClient(d)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");return c}o(O_,"registerDownstreamClient");var Y$="data:,",$_=ce`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,z_=ce`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function Q$(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(Q$,"safeGatewayConnectHref");function X$(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(X$,"deriveMode");function ez(e){return Yv({state:e.state,submitOnceAttrs:$_,authorizeAttrs:Ua})}o(ez,"renderActions");function xp(e,t,r){for(let n of e){if(n.ownerMode!=="user"||n.status!==r)continue;let a=Q$(n.connectUrl,t);if(a)return a}}o(xp,"firstUserConnectHref");function tz(e){let t=e.connectHref?ce`<a class="button button--primary" href="${e.connectHref}" ${z_}>Connect</a>`:ce`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return ce`<form class="actions" method="post" action="/oauth/setup" ${$_}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}o(tz,"renderSetupActions");function rz(e){return e?ce`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${z_}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:Ua}o(rz,"renderReconnectAction");function kp(e){let t=X$(e.upstreams),r=xp(e.upstreams,e.gatewayOrigin,"not_connected"),n=xp(e.upstreams,e.gatewayOrigin,"reconsent_required"),a=xp(e.upstreams,e.gatewayOrigin,"active"),i=t==="setup"?r??n:void 0,s=ce`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.virtualServerDisplayName}</strong>' on your behalf?</p>`,c=t==="setup"?ce`<footer class="card__footer">${tz({state:e.state,connectHref:i})}</footer>`:ce`<footer class="card__footer">${rz(a)}${ez({state:e.state})}</footer>`;return Tr(rr({title:`Authorize access \xB7 ${e.virtualServerDisplayName}`,iconHref:Y$,styles:tr,headerIcon:Ua,heading:"MCP Gateway",subhead:Ua,body:s,footer:c}))}o(kp,"renderConsentPage");function nz(e){try{return new URL(e).host}catch{return}}o(nz,"safeUrlHost");function oz(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}o(oz,"readOAuthScopes");function Tp(e){return e!==void 0&&e.length>0}o(Tp,"hasItems");function az(e){let t=e.registeredConnection.config.serverInfo?.icons;if(Tp(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&Tp(r)?r:void 0}o(az,"readServerIcons");async function iz(e){if(!(e.returnTo===void 0||!e.isUserOwned))return Lu({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(iz,"readConnectUrl");function mn(e,t){return t===void 0?{}:{[e]:t}}o(mn,"optionalRequirementField");function sz(e){return e.isUserOwned?Om(e.connection):{connected:!0,status:"active"}}o(sz,"readSetupConnectionStatus");function cz(e){let t=oz(e);return Tp(t)?t:void 0}o(cz,"readScopesRequested");function uz(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(uz,"readUpdatedAt");function dz(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(Ri),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(Ci),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(Ii)}}o(dz,"readVirtualServerCapabilities");async function lz(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=ki(r),c=s==="user",d=sz({connection:e.connection,isUserOwned:c}),p=await iz({...e,connected:d.connected,isUserOwned:c});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:dz({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...mn("description",n.description),...mn("transportHost",nz(n.transport.baseUrl)),...mn("scopesRequested",cz(t)),...mn("serverIcons",az({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...mn("connectUrl",p),...mn("updatedAt",uz({connectionStatus:d,isUserOwned:c})),...mn("expiresAt",e.connection?.expiresAt)}}o(lz,"buildSetupRequirement");function M_(e){let t=yt().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(M_,"requireVirtualServer");async function Ap(e){let t=M_(e.transaction.virtualServerId),r=ir(e.transaction.principal.subjectId),n=[],a=new Map;for(let c of t.connections)ki(c.authMode)==="user"&&(a.set(c,n.length),n.push({owner:r,upstreamServerId:c.upstreamServerId,authProfileId:c.authProfileId}));let i=await K().batchGetUpstreamConnections(n),s=[];for(let c of t.connections){let d=ki(c.authMode)==="user",p=a.get(c);s.push(await lz({connection:d&&p!==void 0?i[p]:void 0,registeredConnection:c,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(Ap,"requirementsForSetup");function pz(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(pz,"readVirtualServerDisplayName");async function Ep(e){let t=M_(e.transaction.virtualServerId),r=pz({virtualServer:t}),n=await K().readClient({clientId:e.transaction.clientId}),a=n.kind==="found"?n.client:void 0,i={gatewayOrigin:ie(e.requestUrl),virtualServerDisplayName:r,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.serverInfo?.title;return s!==void 0&&s!==r&&(i.virtualServerDescription=s),i}o(Ep,"consentContext");function q_(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(q_,"hasUnresolvedUserUpstream");var mz=["mcp_user"],fz="dev-browser-user",hz=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),gz=u.object({response_type:u.literal("code"),client_id:u.string().min(1),redirect_uri:u.string().min(1),resource:u.url(),code_challenge:u.string().min(43),code_challenge_method:Ja,state:u.string().min(1).optional(),scope:u.literal(ye).default(ye)}),yz=u.enum(["continue","approve","cancel"]).default("continue"),Sz=u.object({state:u.string().min(1),decision:yz}),vz=u.object({state:u.string().min(1),apiKey:u.string().min(1)}),fn=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function N_(e){return typeof e=="string"&&e.length>0?e:void 0}o(N_,"readQueryString");function _z(e,t){let r=N_(e.query.resource);if(t===void 0){if(r!==void 0)return r;throw new L("invalid_target",hz)}let n=zr(t,e.url);if(r===void 0||r===n)return n;throw new L("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(_z,"requireAuthorizeResource");async function wz(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await Ls(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=c_(e);return{principal:i,setCookie:await $a({principal:i,requestUrl:e.url,virtualServerId:t})}}o(wz,"resolveBrowserPrincipal");async function bz(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await Ls(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(bz,"requireSetupPrincipal");async function D_(e){let t=await Ap({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await Ep({transaction:e.transaction,requestUrl:e.requestUrl}),n={kind:"setup_page",html:kp({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(D_,"renderSetup");function Rz(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;if(t==="private_key_jwt")throw new L("invalid_client","OAuth client authentication method is not supported.");return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o(Rz,"toAuthorizationTransactionClient");async function Up(e,t={}){let r=gz.parse({...e.query,resource:_z(e,t.virtualServerId),state:N_(e.query.state)}),n=Ma(r.scope);za(r.redirect_uri);let a=new Date,i=Ne.parse(r.client_id),s=await A_(r.client_id,a);E_(s,r.redirect_uri);try{let c=co(e.url,r.resource),d=Rz(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i,virtualServerId:c.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&V(t.context,{eventType:B.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.virtualServerId,attributes:{clientId:i,scope:n,responseType:r.response_type}});let p={clientId:s?.clientId??i,...d===void 0?{}:{client:d},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:c.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:l,setCookie:m}=await wz(e,c.virtualServerId,t.context);if(!l){let y=await C_({transaction:p,requestUrl:e.url,now:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i,virtualServerId:c.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let v={kind:"redirect",location:y.browserLoginUrl};return m!==void 0&&(v.setCookie=m),v}let h=await I_({transaction:p,principal:l,now:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i,virtualServerId:c.virtualServerId,subjectId:l.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&V(t.context,{eventType:B.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.virtualServerId,attributes:{clientId:i,scope:n,responseType:r.response_type,subjectId:l.subjectId}}),D_({transaction:h.transaction,csrfToken:h.csrfToken,requestUrl:e.url,setCookie:m})}catch(c){throw Cz({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}o(Up,"authorizeDownstreamClient");function Cz(e){if(e.cause instanceof fn)return e.cause;let t=Iz(e.cause);return t?new fn({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(Cz,"toDownstreamAuthorizeRedirectError");function Iz(e){if(e instanceof L)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof u.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o(Iz,"mapToOAuthRedirectError");async function j_(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,l=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...l===void 0?{}:{idpErrorUri:l}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",p??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await Fs(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await d_(i),c=await Rp({browserLoginStateToken:n,principal:s}),d=await D_({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url});return d.setCookie=await $a({principal:s,requestUrl:e.url,virtualServerId:c.transaction.virtualServerId}),d}o(j_,"completeBrowserLoginCallback");async function H_(e){let t=Pe(),r=new URL(e.url);if(!qe(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",ie(e.url)),i=new URL(ie(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:ve.parse(fz),roles:mz};return{kind:"redirect",location:a,setCookie:await $a({principal:s,requestUrl:e.url})}}o(H_,"completeLocalDevBrowserLogin");async function L_(e){let t=vz.parse(e.body),r=await P_({browserLoginStateToken:t.state}),n=await u_({apiKey:t.apiKey,virtualServerId:r.virtualServerId}),a=await Rp({browserLoginStateToken:t.state,principal:n});await mg({apiKey:t.apiKey,principal:n,virtualServerId:a.transaction.virtualServerId});let i=new URL("/oauth/setup",ht(e.request.url));return i.searchParams.set("state",a.csrfToken),{kind:"redirect",location:i,setCookie:await $a({principal:n,requestUrl:e.request.url,virtualServerId:a.transaction.virtualServerId})}}o(L_,"completeApiKeyBrowserLogin");function Pz(e){let t=e.method==="POST"?e.body:e.query;return Sz.parse(t)}o(Pz,"readSetupContinueRequest");async function B_(e){let{state:t,decision:r}=Pz({method:e.request.method,query:e.request.query,body:e.body}),n=new Date,a=await Cp({csrfToken:t,now:n}),i=await bz(e.request,a.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await T_({csrfToken:t,currentBrowserPrincipal:i,now:n})};let s=await x_({csrfToken:t,currentBrowserPrincipal:i,now:n}),c=await Ap({transaction:s,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||q_(c)){let d=await Ep({transaction:s,requestUrl:e.request.url});return{kind:"setup_page",html:kp({state:t,virtualServerId:s.virtualServerId,upstreams:c,...d})}}return{kind:"redirect",location:await k_({csrfToken:t,currentBrowserPrincipal:i,now:n})}}o(B_,"continueDownstreamAuthorizeSetup");ae();var xz=new Set(["authorization_code","refresh_token"]),kz=u.discriminatedUnion("grant_type",[u.object({grant_type:u.literal("authorization_code"),code:u.string().min(1),redirect_uri:u.string().min(1),client_id:u.string().min(1).optional(),code_verifier:Wa,resource:u.url().optional(),scope:u.literal(ye).optional(),client_secret:u.string().min(1).optional()}),u.object({grant_type:u.literal("refresh_token"),refresh_token:u.string().min(1),client_id:u.string().min(1).optional(),resource:u.url().optional(),scope:u.literal(ye).optional(),client_secret:u.string().min(1).optional()})]);function Tz(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!xz.has(t)))throw new L("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(Tz,"assertSupportedGrantType");var Az=u.object({token:u.string().min(1),client_id:u.string().min(1).optional(),token_type_hint:u.string().optional(),client_secret:u.string().min(1).optional()});function G_(){return Pe().gateway.accessTokenTtlSeconds}o(G_,"readAccessTokenTtlSeconds");function Ez(){return Pe().gateway.refreshTokenTtlSeconds}o(Ez,"readRefreshTokenTtlSeconds");function Uz(e,t){let r=G_(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:re(Dt(e,a)),expiresIn:a}}o(Uz,"calculateAccessTokenExpiresAt");function V_(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new L("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new L("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new L("invalid_client","Malformed HTTP Basic client authentication.")}}o(V_,"readBasicClientSecret");function F_(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new L("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t===void 0)throw new L("invalid_client","Client authentication or client_id is required.");return t}o(F_,"resolveAuthenticatedClientId");function Z_(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new L("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(Z_,"resolveClientSecretInput");async function K_(e){let t=Ne.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await le(e.clientSecret)}}o(K_,"buildRuntimeHttpClientAuth");async function J_(e){Tz(e.body);let t=kz.parse(e.body),r=V_(e.authorizationHeader),n=F_({basicClientId:r.clientId,bodyClientId:t.client_id}),a=new Date,i=Z_({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret});return Oz({parsed:t,clientId:n,clientSecretInput:i,now:a,requestUrl:e.requestUrl,context:e.context})}o(J_,"exchangeDownstreamToken");async function Oz(e){let t=await K_({clientId:e.clientId,...e.clientSecretInput});if(e.parsed.grant_type==="authorization_code"){za(e.parsed.redirect_uri),Ma(e.parsed.scope),e.parsed.resource!==void 0&&co(e.requestUrl??e.parsed.resource,e.parsed.resource);let c=jt(),d=jt(),p=re(Dt(e.now,Ez())),l=Uz(e.now,p),m=await K().exchangeAuthorizationCode({clientAuth:t,codeHash:await le(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await If(e.parsed.code_verifier),currentRefreshTokenHash:await le(c),accessTokenHash:await le(d),grantExpiresAt:p,accessTokenExpiresAt:l.expiresAt,now:re(e.now)});if(m.kind==="invalid_client")throw new L("invalid_client","Client authentication failed.");if(m.kind==="resource_mismatch")throw new L("invalid_target","Token request resource must match the authorization code resource.");if(m.kind!=="exchanged")throw new L("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&V(e.context,{eventType:B.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:d,token_type:"Bearer",expires_in:l.expiresIn,refresh_token:c,scope:m.grant.scope,resource:m.grant.resource}}Ma(e.parsed.scope),e.parsed.resource!==void 0&&co(e.requestUrl??e.parsed.resource,e.parsed.resource);let r=jt(),n=jt(),a=re(Dt(e.now,G_())),i=await K().refreshToken({clientAuth:t,currentRefreshTokenHash:await le(e.parsed.refresh_token),nextRefreshTokenHash:await le(r),accessTokenHash:await le(n),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:a,now:re(e.now)});if(i.kind==="invalid_client")throw new L("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new L("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new L("invalid_grant","Refresh token is invalid, expired, or revoked.");co(e.requestUrl??i.grant.resource,i.grant.resource);let s=i.accessToken.expiresAt;return e.context&&(V(e.context,{eventType:B.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),V(e.context,{eventType:B.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:n,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:r,scope:i.grant.scope,resource:i.grant.resource}}o(Oz,"exchangeDownstreamTokenWithRuntimeHttp");async function W_(e){let t=Az.parse(e.body),r=V_(e.authorizationHeader),n=F_({basicClientId:r.clientId,bodyClientId:t.client_id}),a=Z_({basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret}),i=new Date;if((await K().revokeOAuthToken({clientAuth:await K_({clientId:n,...a}),tokenHash:await le(t.token),now:re(i)})).kind==="invalid_client")throw new L("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:n,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&V(e.context,{eventType:B.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:n,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}o(W_,"revokeDownstreamToken");var $z=64*1024,zz=16*1024,Mz="text/html; charset=utf-8";function qz(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(qz,"formDataToObject");async function Nz(e){return Zv(e,{maxBytes:$z,label:"Request body"})}o(Nz,"readJsonBody");async function Ks(e){return qz(await Hs(e,{maxBytes:zz,label:"Request body"}))}o(Ks,"readFormBody");async function Js(e,t,r){let n=ge(r),a=r instanceof u.ZodError?Y_(r):void 0,i={code:n??(r instanceof u.ZodError?"invalid_request":"internal_server_error")};return a!==void 0&&(i.detail=a),it(e,t,i)}o(Js,"handleProblem");function qa(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(qa,"oauthErrorResponse");function Dz(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(Dz,"readOAuthProtocolHeaders");function jz(e,t){let r=Ke("internal_server_error");return qa({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:Dz(e,t)})}o(jz,"oauthProtocolErrorResponse");function Hz(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(Hz,"readZodOAuthErrorCode");function Lz(e){let t={error:Hz(e)},r=Y_(e);return r!==void 0&&(t.errorDescription=r),qa(t)}o(Lz,"oauthZodErrorResponse");function Bz(e){let t=ge(e);if(t===void 0)return;let r=Ke(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:Vz(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,qa(n)}o(Bz,"oauthGatewayProblemResponse");function Gz(){let t={error:"server_error",status:500,errorDescription:Ke("internal_server_error").publicDetail};return qa(t)}o(Gz,"oauthFallbackErrorResponse");function Vz(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(Vz,"readOAuthStatus");function uo(e,t={}){return e instanceof fn?Fz(e):e instanceof L?jz(e,t):e instanceof u.ZodError?Lz(e):Bz(e)??Gz()}o(uo,"oauthProblemResponse");function zt(e,t,r){let n={event:t},a=!1;if(r instanceof L)n.oauthError=r.errorCode,n.status=r.status,Ye(n,"error",r);else if(r instanceof fn)n.oauthError=r.errorCode,Ye(n,"error",r);else if(r instanceof u.ZodError){n.code="invalid_request",Ye(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=ge(r);if(i!==void 0){let s=Ke(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",Ye(n,"error",r)}else a=!0,Ye(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(zt,"logUnexpectedOAuthHandlerError");function Fz(e){let t;try{t=new URL(e.redirectUri)}catch{return qa({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(Fz,"downstreamAuthorizeRedirectErrorResponse");function Y_(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(Y_,"formatZodErrorDetail");function Zz(e,t){let r={event:"browser_login_callback_failed",code:ge(t)??"invalid_request"};Ye(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(Zz,"logBrowserLoginCallbackFailure");function Op(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(Op,"redirectResultResponse");function Ws(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":Mz,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Op(e)}o(Ws,"authorizeResultResponse");async function Q_(e,t){try{return Response.json(xc(e.url))}catch(r){return zt(t,"oauth_authorization_server_metadata_failed",r),Js(e,t,r)}}o(Q_,"authorizationServerMetadataHandler");async function X_(e,t){try{let r=xe.parse(e.params.virtualServerId),n=Mr(r);return Response.json(wm({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return zt(t,"oauth_authorization_server_metadata_failed",r),Js(e,t,r)}}o(X_,"scopedAuthorizationServerMetadataHandler");async function ew(e,t){try{let r=await O_(await Nz(e)),n=r,a=typeof n.client_id=="string"?n.client_id:void 0,i=typeof n.client_name=="string"?n.client_name:void 0,s=Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,c=typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:a,clientName:i,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),V(t,{eventType:B.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:i,attributes:{clientId:a,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return zt(t,"oauth_register_failed",r),uo(r)}}o(ew,"registerHandler");async function tw(e,t){try{return Ws(await Up(e,{context:t}))}catch(r){return zt(t,"oauth_authorize_failed",r),uo(r,{includeInvalidClientChallenge:!1})}}o(tw,"authorizeHandler");async function rw(e,t){try{let r=xe.parse(e.params.virtualServerId),n=Mr(r);return Ws(await Up(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return zt(t,"oauth_authorize_scoped_failed",r),uo(r,{includeInvalidClientChallenge:!1})}}o(rw,"scopedAuthorizeHandler");async function nw(e,t){try{let r=await j_(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Ws(r)}catch(r){return Zz(t,r),Js(e,t,r)}}o(nw,"callbackHandler");async function ow(e,t){try{return Op(await H_(e))}catch(r){return zt(t,"oauth_dev_login_failed",r),uo(r)}}o(ow,"devLoginHandler");async function aw(e,t){let r=(()=>{try{return new URL(e.url).host}catch{return""}})();try{if(e.method==="GET"){let n=typeof e.query.state=="string"?e.query.state:void 0;return n?t_(r,n):yp(r,400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):Op(await L_({request:e,body:await Ks(e)}))}catch(n){return zt(t,"oauth_api_key_login_failed",n),yp(r)}}o(aw,"apiKeyLoginHandler");async function iw(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await B_({request:e,body:e.method==="POST"?await Ks(e):void 0,context:t});return Ws(r)}catch(r){return zt(t,"oauth_setup_failed",r),Js(e,t,r)}}o(iw,"setupHandler");async function sw(e,t){try{return Response.json(await J_({body:await Ks(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return zt(t,"oauth_token_failed",r),uo(r)}}o(sw,"tokenHandler");async function cw(e,t){try{return await W_({body:await Ks(e),authorizationHeader:e.headers.get("authorization"),context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return zt(t,"oauth_revoke_failed",r),uo(r)}}o(cw,"revokeHandler");var Kz={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},uw=new Ct("upstream-request");function Jz(e){let t=uw.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(Jz,"readUpstreamRequestContext");function Wz(e,t){return t.some(r=>r===e)}o(Wz,"requestContextMatchesKind");function Yz(e){return typeof e=="string"?[e]:e}o(Yz,"toExpectedKinds");function hn(e,t){uw.set(e,t)}o(hn,"setUpstreamRequestContext");function gn(e,t){let r=Jz(e),n=Yz(t);if(!Wz(r.kind,n)){let a=Kz[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(gn,"requireUpstreamRequestContext");function dw(e){return ce`<form class="form" method="post" action="${e.action}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}" />${e.fields}<p class="form__note">The gateway stores this encrypted and keeps it out of MCP client
+    configuration.</p><button class="button button--primary button--block form__submit" type="submit" >Connect</button></form>`}o(dw,"renderAppPassword");function lw(e){return ce`<p data-gateway-error-code="${e.code}">${e.body}</p>`}o(lw,"renderBrowserResult");var Qz="text/html; charset=utf-8",Xz="none";function pw(e){let t=ln(e.host);return rr({title:e.title,iconHref:t,styles:tr,headerIcon:pn({iconHref:t,fallbackIconHref:dn}),heading:e.title,subhead:"",body:lw({body:e.body,code:e.code??Xz}),footer:""})}o(pw,"browserResultHtml");function mw(e,t=200){return new Response(Tr(e),{status:t,headers:{"content-type":Qz,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(mw,"browserResultResponse");function Ys(e){return mw(pw(e))}o(Ys,"browserConnectionSuccessResponse");function lo(e,t){let r=sm(t);return mw(pw({host:e,title:r.title,body:r.body,code:t}),400)}o(lo,"browserConnectionFailureResponse");function $p(e){try{return new URL(e).host}catch{return""}}o($p,"safeHostFromUrl");var eM="text/html; charset=utf-8",tM=16*1024;function rM(e,t=200){return new Response(Tr(e),{status:t,headers:{"content-type":eM,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(rM,"htmlResponse");function nM(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(nM,"safeRedirect");function oM(e){if(!e)throw g("oauth_state_invalid","App password capture requires a signed browser ticket.");return e}o(oM,"requireBrowserTicket");function aM(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(aM,"appPasswordTicketMatchesTarget");async function fw(e){let t=oM(e.browserTicket),r=await Oi(t);if(!aM(r,e))throw g("oauth_callback_mismatch","App password capture ticket did not match the requested upstream flow.");return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(fw,"readAppPasswordTarget");function iM(e,t){let r=Ku(e.upstreamServerId,e.authProfileId),n=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,a=ln(t),i=r.kind==="basic_auth_app_password"?ce`<label class="form__label" for="username">${r.usernameLabel}</label><input class="form__input" id="username" name="username" required autocomplete="username"><label class="form__label" for="appPassword">${r.passwordLabel}</label><input class="form__input" id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:ce`<label class="form__label" for="token">${r.label}</label><input class="form__input" id="token" name="token" type="password" required autocomplete="off">`;return rM(rr({title:"Connect upstream",iconHref:a,styles:tr,headerIcon:pn({iconHref:a,fallbackIconHref:dn}),heading:"Connect upstream",subhead:ce`<p class="card__subtitle">Enter the per-user credential for this approved upstream.</p>`,body:dw({action:n,browserTicket:e.browserTicket,fields:i}),footer:""}))}o(iM,"renderCaptureForm");function Qs(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw g("invalid_request",`Missing form field: ${t}`);return r}o(Qs,"readRequiredFormValue");function sM(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(sM,"readCaptureFormTargetInput");async function cM(e,t){return iM(await fw(sM(e)),t)}o(cM,"handleCaptureFormRequest");async function uM(e){let t=await Hs(e.request,{maxBytes:tM,label:"App password request body"});return{form:t,target:await fw({upstreamServerId:e.upstreamServerId,browserTicket:Qs(t,"browserTicket")})}}o(uM,"readSubmittedAppPasswordTarget");async function dM(e){let t=Pn(e.target.ticket);if(await $i(e.target.ticket),Ku(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await zi({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:Qs(e.form,"token")});return}await jh({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:Qs(e.form,"username"),appPassword:Qs(e.form,"appPassword")})}o(dM,"saveSubmittedAppPasswordCredential");function lM(e,t){return t.ticket.returnTo?nM(e,t.ticket.returnTo):Ys({host:$p(e),title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(lM,"appPasswordSuccessResponse");async function pM(e){let t=await uM({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await dM(t),lM(e.request.url,t.target)}o(pM,"handleAppPasswordSubmission");function mM(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(mM,"methodNotAllowedResponse");function fM(e,t){let r=ge(t);return lo(e,Va(r)?r:"oauth_state_invalid")}o(fM,"appPasswordFailureResponse");async function hM(e){let t=$p(e.request.url);switch(e.request.method){case"GET":return cM(e.appPasswordRequest,t);case"POST":return pM(e);default:return mM()}}o(hM,"handleAppPasswordMethod");async function zp(e,t){let r=gn(t,"app_password");try{return await hM({request:e,appPasswordRequest:r})}catch(n){return fM($p(e.url),n)}}o(zp,"appPasswordHandler");var gM=["callback_authorization_code","callback_provider_error","callback_invalid"];function yM(e){return"cause"in e?e.cause:void 0}o(yM,"readErrorCause");function SM(e){return e.stack?.split(`
+`).slice(1,4).map(t=>t.trim()).join(" | ")}o(SM,"readFirstStackFrame");function hw(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=SM(r))}o(hw,"addErrorAttributes");function gw(e){try{return new URL(e).host}catch{return""}}o(gw,"safeHostFromUrl");function vM(e,t,r){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),V(e,{eventType:B.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),lo(r,"provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),lo(r,"oauth_state_invalid");case"callback_authorization_code":return t}}o(vM,"requireAuthorizationCallbackRequest");function _M(e,t){V(e,{eventType:B.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(_M,"emitCallbackReceivedAnalyticsEvent");function wM(e,t){V(e,{eventType:B.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o(wM,"emitTokenExchangeSucceededAnalyticsEvent");function bM(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return Ys({host:gw(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(bM,"buildSuccessfulCallbackResponse");function RM(e){let t={detail:e instanceof Error?e.message:void 0};return hw(t,"error",e),e instanceof Error&&hw(t,"cause",yM(e)),t}o(RM,"buildTokenExchangeFailureAttributes");function CM(e){V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:ge(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:RM(e.error)})}o(CM,"emitTokenExchangeFailedAnalyticsEvent");function IM(e,t){let r=ge(t);return lo(e,Va(r)?r:"upstream_token_exchange_failed")}o(IM,"tokenExchangeFailureResponse");async function Mp(e,t){let r=gn(t,gM),n=gw(e.url),a=vM(t,r,n);if(a instanceof Response)return a;_M(t,a);try{let i=await hg({request:e,callbackRequest:a});return wM(t,i),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:i.upstreamServerId,virtualServerId:i.virtualServerId,authProfileId:i.authProfileId,ownerMode:i.ownerMode},"Upstream OAuth token exchange completed; user connection established"),bM(e,i)}catch(i){let s={event:"upstream_oauth_token_exchange_failed",code:ge(i)??"upstream_token_exchange_failed",upstreamServerId:a.upstreamServerId};return Ye(s,"error",i),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),CM({context:t,callbackRequest:a,error:i}),IM(n,i)}}o(Mp,"callbackHandler");function PM(e){let t=ge(e);return t==="unknown_upstream_server"?t:"not_found"}o(PM,"clientMetadataProblemCode");function xM(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(xM,"clientMetadataProblemDetail");async function yw(e,t){let r=gn(t,"connect"),n=await fg({request:e,connectRequest:r});if(V(t,{eventType:B.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await qn({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(yw,"connectHandler");async function Sw(e,t){let r=gn(t,"client_metadata");try{let n=eg(e.url),a=tg(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){let a=PM(n),i=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",code:a,upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),it(e,t,{code:a,detail:xM(n)})}}o(Sw,"oauthClientMetadataHandler");function nr(e){if(typeof e=="string"&&e.length!==0)return e}o(nr,"readOptionalQueryString");function kM(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw g("internal_server_error",`Validated path parameter ${t} is missing`);return r}o(kM,"requirePathString");function vw(e){let t=nr(e);return t?xe.parse(t):void 0}o(vw,"readOptionalVirtualServerId");function TM(e,t){let r=nr(e);return r?We.parse(r):$n(t,"user-oauth")}o(TM,"readOptionalAuthProfileId");function AM(e){let t=vw(e);if(!t)throw g("invalid_request","virtualServerId query parameter is required.");return t}o(AM,"readRequiredVirtualServerId");function EM(e){let t=nr(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(EM,"readOptionalBrowserTicket");function UM(e){let t=ri(nr(e));return t===void 0?{}:{returnTo:t}}o(UM,"readOptionalReturnTo");function OM(e){let t=vw(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(OM,"readOptionalVirtualServerIdContext");function $M(e){let t=nr(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o($M,"readOptionalProviderErrorDescription");function zM(e){let t=Pt(e.authMode);if(t.connectSupport!=="none")return e;throw g("invalid_request",t.connectUnsupportedDetail??"This upstream does not support browser connection flows.")}o(zM,"requireConnectableRouteAuth");function MM(e,t,r,n){let a=js(e,t);if(a.ownerMode==="none"||a.authMode==="shared-secret")throw g("invalid_request","Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(MM,"buildConnectContextForPrincipal");function qM(e,t,r){let n=Pn(t),a=Pt(e.authMode);if(n.mode!==a.ownerMode)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(qM,"buildConnectContextForTicket");async function NM(e,t){let r=zM(Gv(t,AM(e.query.virtualServerId))),n=e.query.redirect==="true",a=nr(e.query.browserTicket);if(e.user){if(a)throw g("invalid_request","Use either an authenticated gateway request or a browser connect ticket, not both.");let s=Rn(e.user,e.url);return MM(r,s,n,UM(e.query.returnTo).returnTo)}if(!a)throw g("authentication_required","Authentication is required to start the upstream connection flow.");let i=await Oi(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.virtualServerId!==r.virtualServerId)throw g("oauth_callback_mismatch","Browser connect ticket did not match the requested upstream flow");return await $i(i),qM(r,i,n)}o(NM,"resolveConnectContext");async function DM(e,t,r){let n=Je.parse(kM(e,"connection"));switch(r){case"connect":hn(t,await NM(e,n));return;case"app_password":hn(t,{kind:"app_password",upstreamServerId:n,...OM(e),...EM(e)});return;case"callback":{let a=nr(e.query.error);if(a){hn(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...$M(e)});return}let i=nr(e.query.code),s=nr(e.query.state);if(i&&s){hn(t,{kind:"callback_authorization_code",upstreamServerId:n,code:i,state:s});return}hn(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":hn(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:TM(e.query.authProfileId,n)});return}}o(DM,"resolveUpstreamRequestInbound");async function jM(e,t,r){try{await DM(e,t,r);return}catch(n){let a=ge(n);if(!a)throw n;let i=n instanceof Error?n.message:void 0;return it(e,t,{code:a,...i===void 0?{}:{detail:i}})}}o(jM,"applyUpstreamRequestContext");function Na(e,t){return o(async(n,a)=>{let i=await jM(n,a,e);return i||t(n,a)},"wrapped")}o(Na,"withUpstreamRequestContext");var HM={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function LM(){return new Response(null,{status:204,headers:HM})}o(LM,"buildWellKnownPreflightResponse");function BM(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(BM,"withWellKnownCorsHeaders");function qp(e){return async(t,r)=>t.method==="OPTIONS"?LM():BM(await e(t,r))}o(qp,"wrapWellKnownHandler");var GM=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:qp(Q_),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:qp(X_),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:qp(bm),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:ew},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:tw},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:rw},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:nw},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:ow},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:aw},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:iw},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:sw},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:cw},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:Na("client_metadata",Sw)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:Na("connect",yw)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:Na("callback",Mp)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:Na("app_password",zp)}];function _w(e){return e?.some(t=>ko(t.policyType))??!1}o(_w,"shouldRegisterMcpGatewayInternalRoutes");function VM(e){let t=Af(e.policies);if(!t){let r=[...Wc].map(n=>`\`${n}\``).join(", ");throw new ue(`MCP gateway: could not find an MCP authorization policy in policies.json. Add one of [${r}] and reference it on your MCP routes.`)}return nh(zu({routes:e.routes,policies:e.policies})),t.config}o(VM,"initializeMcpGatewayState");function FM(e,t,r){return async(n,a)=>{let i=a;bn(i,r());let s=n.method==="OPTIONS",c=Date.now();s||i.log.info({event:`${e}_received`,method:n.method},`MCP gateway: ${e} received`);let d=await t(n,a);return s||i.log.info({event:`${e}_responded`,status:d.status,durationMs:Date.now()-c},`MCP gateway: ${e} responded`),d}}o(FM,"wrapInternalHandler");function ww(e,t){let r,n=o(()=>(r===void 0&&(r=VM(t)),r),"readOAuthConfig");for(let a of GM){let i=FM(a.routeName,a.handler,n),s=o((c,d)=>i(c,d),"handler");e.addPluginRoute({path:a.path,methods:a.methods,handler:s,processors:[ic],corsPolicy:a.corsPolicy??"none"})}}o(ww,"registerMcpGatewayInternalRoutes");function bw(e){rh(e)}o(bw,"configureLazyMcpGatewayState");var Np=class extends Kp{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!_w(r.policies))return;let n={routes:r.routes,policies:r.policies};bw(n),ww(t.router,n)}};export{Zc as McpAuth0OAuthInboundPolicy,Np as McpGatewayPlugin,Kc as McpOAuthInboundPolicy,hp as McpUpstreamConnectionInboundPolicy,WO as McpVirtualServerHandler,Px as mcpUpstreamHandler};
 //# sourceMappingURL=index.js.map