@zuplo/runtime 6.70.28 → 6.70.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/out/esm/mcp-gateway/index.js +1 -1
  2. package/out/esm/mcp-gateway/index.js.map +1 -1
  3. package/package.json +1 -1
package/out/esm/mcp-gateway/index.js CHANGED
@@ -53,7 +53,7 @@ Known schemas:
53
53
  `;break;case"id":c=_.includes("\0")?void 0:_;break;case"retry":/^\d+$/.test(_)?n(parseInt(_,10)):r(new qs(`Invalid \`retry\` value: "${_}"`,{type:"invalid-retry",value:_,line:w}));break;default:r(new qs(`Unknown field "${S.length>20?`${S.slice(0,20)}\u2026`:S}"`,{type:"unknown-field",field:S,value:_,line:w}));break}}o(h,"processField");function y(){d.length>0&&t({id:c,event:p||void 0,data:d.endsWith(`
54
54
  `)?d.slice(0,-1):d}),c=void 0,d="",p=""}o(y,"dispatchEvent");function v(S={}){i&&S.consume&&m(i),s=!0,c=void 0,d="",p="",i=""}return o(v,"reset"),{feed:l,reset:v}}o(Uv,"createParser");function _O(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
55
55
  `,n),s=-1;if(a!==-1&&i!==-1?s=Math.min(a,i):a!==-1?a===e.length-1?s=-1:s=a:i!==-1&&(s=i),s===-1){r=e.slice(n);break}else{let c=e.slice(n,s);t.push(c),n=s+1,e[n-1]==="\r"&&e[n]===`
56
- `&&n++}}return[t,r]}o(_O,"splitLines");var Ns=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=Uv({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var wO={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},$r=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},js=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=Ev(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??wO}async _authThenStart(){if(!this._authProvider)throw new wt("No auth provider");let t;try{t=await wr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new wt;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=zs(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new $r(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,c=!1,d=!1;o(async()=>{try{let l=t.pipeThrough(new TextDecoderStream).pipeThrough(new Ns({onRetry:o(y=>{this._serverRetryMs=y},"onRetry")})).getReader();for(;;){let{value:y,done:v}=await l.read();if(v)break;if(y.id&&(s=y.id,c=!0,a?.(y.id)),!!y.data&&(!y.event||y.event==="message"))try{let S=Br.parse(JSON.parse(y.data));_t(S)&&(d=!0,i!==void 0&&(S.id=i)),this.onmessage?.(S)}catch(S){this.onerror?.(S)}}(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(l){if(this.onerror?.(new Error(`SSE stream disconnected: ${l}`)),(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(y){this.onerror?.(new Error(`Failed to reconnect: ${y instanceof Error?y.message:String(y)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new wt("No auth provider");if(await wr(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new wt("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:Tt(t)?t.id:void 0}).catch(h=>this.onerror?.(h));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},c=await(this._fetch??fetch)(this._url,s),d=c.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!c.ok){let h=await c.text().catch(()=>null);if(c.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new $r(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:y,scope:v}=nd(c);if(this._resourceMetadataUrl=y,this._scope=v,await wr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new wt;return this._hasCompletedAuthFlow=!0,this.send(t)}if(c.status===403&&this._authProvider){let{resourceMetadataUrl:y,scope:v,error:S}=nd(c);if(S==="insufficient_scope"){let _=c.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===_)throw new $r(403,"Server returned 403 after trying upscoping");if(v&&(this._scope=v),y&&(this._resourceMetadataUrl=y),this._lastUpscopingHeader=_??void 0,await wr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new wt;return this.send(t)}}throw new $r(c.status,`Error POSTing to endpoint: ${h}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,c.status===202){await c.body?.cancel(),Ff(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(h=>this.onerror?.(h));return}let l=(Array.isArray(t)?t:[t]).filter(h=>"method"in h&&"id"in h&&h.id!==void 0).length>0,m=c.headers.get("content-type");if(l)if(m?.includes("text/event-stream"))this._handleSseStream(c.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let h=await c.json(),y=Array.isArray(h)?h.map(v=>Br.parse(v)):[Br.parse(h)];for(let v of y)this.onmessage?.(v)}else throw await c.body?.cancel(),new $r(-1,`Unexpected content type: ${m}`);else await c.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new $r(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function Ov(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(Ov,"resolveNativeMcpRequestHeaders");var bO={name:"zuplo-mcp-gateway",version:"0.1.0"},RO=new uo({draft:"7",shortcircuit:!1}),CO=5,IO=500,zv=3e4,PO=2*1024*1024,xO=2;function $v(){return performance.now()/1e3}o($v,"nowSeconds");function kO(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(kO,"readServerPort");function TO(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:kO(e)}}o(TO,"buildNativeMcpOperationContext");function dn(e){return Tv(e)}o(dn,"withTraceMeta");function Ds(e){if(e>IO)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(Ds,"assertImportedCapabilityBudget");function Mv(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(Mv,"buildRequestInit");function AO(e){return(t,r)=>Dn(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:xO,maxResponseBytes:PO,problemCode:"upstream_capability_invocation_failed",timeoutMs:zv})}o(AO,"createNativeMcpFetch");function EO(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},zv);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(EO,"withNativeMcpRequestTimeout");function UO(e,t=[]){let r=Ov(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:AO(a)};if(!e)return{...i,...Mv(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...Mv(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(UO,"buildNativeMcpTransportOptions");async function ln(e,t,r){let{transport:n}=De(e),a=new URL(n.baseUrl),i=new js(a,UO(r,n.requestHeaders)),s=new Ms(bO,{capabilities:{},jsonSchemaValidator:RO});return EO((async()=>{let c=$v();await s.connect(i);let d=i.sessionId,p=TO(a,d);try{return await t(s,p)}finally{if(i.sessionId)try{await i.terminateSession()}catch{}await s.close(),d&&Av(p,$v()-c)}})())}o(ln,"withNativeMcpClient");async function OO(e,t,r){let n=[],a,i=0;do{if(i>=CO)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(OO,"collectPaginatedSdkItems");async function Hs(e){return e.enabled?OO(e.label,e.fetchPage,e.readItems):[]}o(Hs,"listNativeMcpCapabilityItems");async function qv(e){return ln(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"tools/list",...r},()=>Hs({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Ds(a.length),{tools:a}},e.credential)}o(qv,"listNativeMcpTools");async function Nv(e){return ln(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"prompts/list",...r},()=>Hs({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Ds(a.length),{prompts:a}},e.credential)}o(Nv,"listNativeMcpPrompts");async function jv(e){return ln(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"resources/list",...r},()=>Hs({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Ds(a.length),{resources:a}},e.credential)}o(jv,"listNativeMcpResources");async function Dv(e){return ln(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"resources/templates/list",...r},()=>Hs({enabled:!!n?.resources,label:"Resource template list",fetchPage:o(i=>t.listResourceTemplates(dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resourceTemplates,"readItems")}));return Ds(a.length),{resourceTemplates:a}},e.credential)}o(Dv,"listNativeMcpResourceTemplates");async function Hv(e){return ln(e.upstreamServerId,(t,r)=>Ur({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(dn(e.params))),e.credential)}o(Hv,"callNativeMcpTool");async function Lv(e){return ln(e.upstreamServerId,(t,r)=>Ur({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(dn(e.params))),e.credential)}o(Lv,"getNativeMcpPrompt");async function Bv(e){return ln(e.upstreamServerId,(t,r)=>Ur({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(dn(e.params))),e.credential)}o(Bv,"readNativeMcpResource");var lo=class extends x{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(A.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}},$a=class extends x{static{o(this,"GatewayAuthorizationMcpError")}authorizationFailureKind;constructor(t){super(A.InvalidRequest,qO(t)),this.name="GatewayAuthorizationMcpError",this.authorizationFailureKind=t}};function $O(e){return{content:[{type:"text",text:e}],isError:!0}}o($O,"buildToolErrorResult");function Kv(e){return e.authUrl?new Vt([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new lo(e)}o(Kv,"toConnectRequiredError");function MO(e){if(e.type!=="mcp_oauth_provider")return;let{provider:t}=e;if(!("authorizationUrl"in t))return;let{authorizationUrl:r}=t;return typeof r=="string"&&r.length>0?r:void 0}o(MO,"readOAuthAuthorizationUrl");function zO(e,t){return MO(t)===void 0?!1:e instanceof wt||e instanceof Error&&e.message==="Unauthorized"}o(zO,"isOAuthRedirectUnauthorizedError");function qO(e){switch(e){case"resource_mismatch":return"Gateway access token was not issued for this MCP resource.";case"principal_mismatch":return"Gateway access token principal did not match the request.";default:return"Gateway access token is expired, revoked, or invalid."}}o(qO,"readCompositeAuthorizationFailureDetail");function NO(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(NO,"buildCredentialResolvedAttributes");function jO(e){V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:NO(e.credential)})}o(jO,"emitCredentialResolvedAnalyticsEvent");function Jv(e){if(V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}}),e.payload.state==="reconsent_required")V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}});else{let t=DO(e.payload.state);V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:t,reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}}o(Jv,"emitCredentialMissingAnalyticsEvent");function DO(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required";default:{let t=e;return"connect_required"}}}o(DO,"connectRequiredReasonCode");function HO(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):lr({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(HO,"readRouteBindingCredentialCacheKey");function dp(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(dp,"readOwnedRouteBindingLookup");async function LO(e){let t=Gc(e.request);if(!t)return new Map;let r=new Map;for(let s of e.routeBindings){let c=dp(s);c!==void 0&&r.set(lr(c),c)}if(r.size===0)return new Map;let n=[...r.values()],a=await K().authorizeAndLoadConnections({accessTokenHash:await le(t),resource:ur(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:n,now:re(new Date)});if(a.kind!=="authorized")throw new $a(a.kind);let i=new Map;return a.upstreamConnections.forEach((s,c)=>{let d=n[c];d!==void 0&&i.set(lr(d),s.connection)}),i}o(LO,"preloadCompositeAuthorizedConnections");function BO(e){let t=new Map;return r=>{let n=HO(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,c=dp(r),d=c===void 0?void 0:lr(c),p=await Hi({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(p.kind==="connect_required")throw Jv({context:e.context,payload:p.payload,routeBinding:r}),Kv(p.payload);return jO({context:e.context,credential:p.credential,routeBinding:r}),p.credential})();return t.set(n,i),i}}o(BO,"createCredentialResolver");var Gv=500;function lp(e){return e.length<=Gv?e:`${e.slice(0,Gv)}...`}o(lp,"truncateAnalyticsDetail");function GO(e){V(e.context,{eventType:B.MCP_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0,latencyMs:e.latencyMs})}o(GO,"emitToolInvocationCompletedAnalyticsEvent");function up(e){V(e.context,{eventType:B.MCP_CAPABILITY_INVOKED,outcome:"success",routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType})}o(up,"emitCapabilityInvokedAnalyticsEvent");function Vv(e){let t={};typeof e.itemCount=="number"&&(t.itemCount=e.itemCount),e.errorDetail!==void 0&&(t.detail=lp(e.errorDetail)),V(e.context,{eventType:B.MCP_CAPABILITY_LISTED,outcome:e.outcome,...e.routeBinding?{routeBinding:e.routeBinding}:{},...e.virtualServerName?{virtualServerName:e.virtualServerName}:{},mcpMethod:e.mcpMethod,capabilityType:e.capabilityType,latencyMs:e.latencyMs,...e.reasonCode?{reasonCode:e.reasonCode}:{},...e.reasonClass?{reasonClass:e.reasonClass}:{},...e.errorType?{errorType:e.errorType}:{},attributes:t})}o(Vv,"emitCapabilityListedAnalyticsEvent");function Fv(e){V(e.context,{eventType:B.MCP_CAPABILITY_COMPLETED,outcome:"success",routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType,latencyMs:e.latencyMs})}o(Fv,"emitCapabilityCompletedAnalyticsEvent");function Zv(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=e.error instanceof Vt||e.error instanceof lo,n=e.error instanceof x&&e.error.code===A.InvalidParams,a=r?B.MCP_CAPABILITY_CONNECT_REQUIRED:B.MCP_CAPABILITY_FAILED,i=r?"connect_required":"failure",s=r?"connect_required":n?"invalid_capability_arguments":"upstream_capability_invocation_failed",c=r?"auth":n?"client":"upstream";V(e.context,{eventType:a,outcome:i,routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType,reasonCode:s,reasonClass:c,errorType:r?"connect_required":"capability_error",...n?{mcpErrorType:"InvalidParams"}:{},latencyMs:e.latencyMs,attributes:{detail:lp(t)}})}o(Zv,"emitCapabilityFailedAnalyticsEvent");function VO(e){return e instanceof Vt||e instanceof lo?{eventType:B.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof $a?{eventType:B.MCP_CAPABILITY_FAILED,outcome:"denied",reasonCode:`gateway_access_token_${e.authorizationFailureKind}`,reasonClass:"auth",errorType:"auth_error",mcpErrorType:"InvalidRequest"}:e instanceof x&&e.code===A.InvalidParams?{eventType:B.MCP_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:B.MCP_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(VO,"classifyToolInvocationFailure");function FO(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=VO(e.error);V(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,latencyMs:e.latencyMs,attributes:{detail:lp(t)}})}o(FO,"emitToolInvocationFailedAnalyticsEvent");var ZO=256*1024;function KO(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new x(A.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>ZO)throw new x(A.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(KO,"assertToolArgumentsWithinLimit");function pp(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new x(A.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o(pp,"findBindingForPublishedCapability");function pn(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new x(A.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(pn,"requireSingleTransparentBinding");function JO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:pn(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new x(A.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:pp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(JO,"resolvePublishedToolRoute");function WO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:pn(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new x(A.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:pp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(WO,"resolvePublishedPromptRoute");function YO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:pn(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new x(A.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:pp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(YO,"resolvePublishedResourceRoute");function Wv(e){let t=LO({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=BO({context:e.context,preloadedConnections:t,request:e.request}),n=e.publishedVirtualServer.virtualServerId;async function a(c){if(!zO(c.error,c.credential)||c.routeBinding.ownerMode==="none")return;let d=dp(c.routeBinding);if(d===void 0)return;let l=(await t).get(lr(d))?.id,m=c.routeBinding.owner.mode==="shared"?qi({upstreamServerId:c.routeBinding.upstreamServerId,authProfileId:c.routeBinding.authProfileId,upstreamDisplayName:c.routeBinding.upstreamDisplayName,virtualServerId:c.routeBinding.virtualServerId,...l===void 0?{}:{connectionId:l},requiresReconsent:!0}):await vr({requestUrl:e.request.url,owner:c.routeBinding.owner,initiatedBySubjectId:c.routeBinding.initiatedBySubjectId,upstreamServerId:c.routeBinding.upstreamServerId,authProfileId:c.routeBinding.authProfileId,upstreamDisplayName:c.routeBinding.upstreamDisplayName,virtualServerId:c.routeBinding.virtualServerId,subject:"tool",...l===void 0?{}:{connectionId:l},requiresReconsent:!0,...c.routeBinding.returnTo===void 0?{}:{returnTo:c.routeBinding.returnTo}});return Jv({context:e.context,payload:m,routeBinding:c.routeBinding}),Kv(m)}o(a,"buildForwardingConnectRequiredError");async function i(c){let d=await r(c.routeBinding);try{return await c.invoke(d)}catch(p){let l=await a({credential:d,error:p,routeBinding:c.routeBinding});throw l!==void 0?l:p}}o(i,"invokeNativeMcpWithCredential");async function s(c){let d=Date.now();try{let p=await c.invoke();return Vv({context:e.context,routeBinding:c.routeBinding,virtualServerName:n,capabilityType:c.capabilityType,mcpMethod:c.mcpMethod,outcome:"success",itemCount:c.countItems(p),latencyMs:Date.now()-d}),p}catch(p){let l=p instanceof Error?p.message:String(p);throw Vv({context:e.context,routeBinding:c.routeBinding,virtualServerName:n,capabilityType:c.capabilityType,mcpMethod:c.mcpMethod,outcome:"failure",latencyMs:Date.now()-d,reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorDetail:l}),p}}return o(s,"listCapability"),{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return s({capabilityType:"tool",mcpMethod:"tools/list",invoke:o(async()=>({tools:e.publishedVirtualServer.catalog.tools.filter(d=>d.enabled!==!1).map(xi)}),"invoke"),countItems:o(d=>d.tools.length,"countItems")});let c=pn(e);return s({capabilityType:"tool",mcpMethod:"tools/list",routeBinding:c,invoke:o(async()=>i({routeBinding:c,invoke:o(d=>qv({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")}),"invoke"),countItems:o(d=>d.tools.length,"countItems")})},async callTool(c){let d=JO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:c.name});up({context:e.context,routeBinding:d.binding,capabilityType:"tool",capabilityName:c.name,mcpMethod:"tools/call"});let p=Date.now();try{KO(c);let l=await i({routeBinding:d.binding,invoke:o(m=>Hv({upstreamServerId:d.binding.upstreamServerId,params:{...c,name:d.upstreamName},credential:m}),"invoke")});return GO({context:e.context,routeBinding:d.binding,toolName:c.name,result:l,latencyMs:Date.now()-p}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:c.name,upstreamName:d.upstreamName,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId,isError:l.isError===!0},"Upstream tool invocation completed"),l}catch(l){if(FO({context:e.context,routeBinding:d.binding,toolName:c.name,error:l,latencyMs:Date.now()-p}),l instanceof Vt||l instanceof lo)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:c.name,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId,ownerMode:d.binding.ownerMode,hasAuthUrl:l instanceof Vt},"Upstream tool invocation requires user to complete a connect flow"),l;if(l instanceof $a)throw e.context.log.warn({event:"upstream_tool_invocation_gateway_auth_denied",toolName:c.name,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId,validationKind:l.authorizationFailureKind},"Gateway access token failed composite authorization; MCP tool invocation denied"),l;let m={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:c.name,upstreamName:d.upstreamName,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId};return l instanceof x&&(m.mcpErrorCode=l.code),l instanceof Error?(m.errorName=l.name,m.errorMessage=l.message,l.cause instanceof Error&&(m.causeName=l.cause.name,m.causeMessage=l.cause.message)):m.errorMessage=String(l),e.context.log.warn(m,"Upstream tool invocation failed; returning generic gateway error to MCP client"),$O(Ke("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return s({capabilityType:"prompt",mcpMethod:"prompts/list",invoke:o(async()=>({prompts:e.publishedVirtualServer.catalog.prompts.filter(d=>d.enabled!==!1).map(ki)}),"invoke"),countItems:o(d=>d.prompts.length,"countItems")});let c=pn(e);return s({capabilityType:"prompt",mcpMethod:"prompts/list",routeBinding:c,invoke:o(async()=>i({routeBinding:c,invoke:o(d=>Nv({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")}),"invoke"),countItems:o(d=>d.prompts.length,"countItems")})},async getPrompt(c){let d=WO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:c.name});up({context:e.context,routeBinding:d.binding,capabilityType:"prompt",capabilityName:c.name,mcpMethod:"prompts/get"});let p=Date.now();try{let l=await i({routeBinding:d.binding,invoke:o(m=>Lv({upstreamServerId:d.binding.upstreamServerId,params:{...c,name:d.upstreamName},credential:m}),"invoke")});return Fv({context:e.context,routeBinding:d.binding,capabilityType:"prompt",capabilityName:c.name,mcpMethod:"prompts/get",latencyMs:Date.now()-p}),l}catch(l){throw Zv({context:e.context,routeBinding:d.binding,capabilityType:"prompt",capabilityName:c.name,mcpMethod:"prompts/get",error:l,latencyMs:Date.now()-p}),l}},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return s({capabilityType:"resource",mcpMethod:"resources/list",invoke:o(async()=>({resources:e.publishedVirtualServer.catalog.resources.filter(d=>d.enabled!==!1).map(Ti)}),"invoke"),countItems:o(d=>d.resources.length,"countItems")});let c=pn(e);return s({capabilityType:"resource",mcpMethod:"resources/list",routeBinding:c,invoke:o(async()=>i({routeBinding:c,invoke:o(d=>jv({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")}),"invoke"),countItems:o(d=>d.resources.length,"countItems")})},async listResourceTemplates(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resourceTemplates:[]};let c=pn(e);return i({routeBinding:c,invoke:o(d=>Dv({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")})},async readResource(c){let d=YO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:c.uri});up({context:e.context,routeBinding:d.binding,capabilityType:"resource",capabilityName:c.uri,mcpMethod:"resources/read"});let p=Date.now();try{let l=await i({routeBinding:d.binding,invoke:o(m=>Bv({upstreamServerId:d.binding.upstreamServerId,params:{...c,uri:d.upstreamUri},credential:m}),"invoke")});return Fv({context:e.context,routeBinding:d.binding,capabilityType:"resource",capabilityName:c.uri,mcpMethod:"resources/read",latencyMs:Date.now()-p}),l}catch(l){throw Zv({context:e.context,routeBinding:d.binding,capabilityType:"resource",capabilityName:c.uri,mcpMethod:"resources/read",error:l,latencyMs:Date.now()-p}),l}}}}o(Wv,"createCapabilityDispatcher");var QO="0.1.0",Qv="POST",XO="POST, OPTIONS",e$=new uo({draft:"7",shortcircuit:!1});function mp(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:Qv}})}o(mp,"jsonRpcMethodNotAllowedResponse");function t$(e){let t={Allow:Qv},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=XO;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(t$,"buildOptionsResponse");function mn(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o(mn,"readJsonRpcRequestId");function Ls(e){return e&&typeof e=="object"?e.params:void 0}o(Ls,"readMcpRequestParams");function Yv(e,t){return e.headers.get(t)??void 0}o(Yv,"readMcpHeader");function r$(e){return{mcpProtocolVersion:Yv(e,"mcp-protocol-version")??Dr,mcpSessionId:Yv(e,"mcp-session-id")}}o(r$,"buildServerTelemetryBase");function n$(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Dr),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(n$,"ensureProtocolVersionHeader");async function fp(e,t){if(e.method==="OPTIONS")return t$(e);if(e.method==="GET")return mp("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return mp("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return mp("Only POST is supported by this virtual MCP server.");let r=In(t),n=Hr(r.virtualServerId),a=Li(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=r$(e),s=Wv({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),c=ae(e.url),d=new As({enableDnsRebindingProtection:!0,allowedOrigins:[c]}),p=new Ts(n.catalog.serverInfo??{name:r.virtualServerId,version:QO},{capabilities:{prompts:{},resources:{},tools:{}},jsonSchemaValidator:e$});p.setRequestHandler(wu,async m=>Or({methodName:"tools/list",params:Ls(m),jsonRpcRequestId:mn(m),...i},()=>s.listTools())),p.setRequestHandler(No,async m=>Or({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:mn(m),...i},()=>s.callTool(m.params))),p.setRequestHandler(pu,async m=>Or({methodName:"prompts/list",params:Ls(m),jsonRpcRequestId:mn(m),...i},()=>s.listPrompts())),p.setRequestHandler(fu,async m=>Or({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:mn(m),...i},()=>s.getPrompt(m.params))),p.setRequestHandler(ou,async m=>Or({methodName:"resources/list",params:Ls(m),jsonRpcRequestId:mn(m),...i},()=>s.listResources())),p.setRequestHandler(iu,async m=>Or({methodName:"resources/templates/list",params:Ls(m),jsonRpcRequestId:mn(m),...i},()=>s.listResourceTemplates())),p.setRequestHandler(uu,async m=>Or({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:mn(m),...i},()=>s.readResource(m.params))),await p.connect(d);let l=await d.handleRequest(e);return n$(l)}o(fp,"virtualServerHandler");async function o$(e,t){return xt("handler.mcp-virtual-server"),fp(e,t)}o(o$,"McpVirtualServerHandler");function a$(e){let t=At(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(a$,"buildRouteAuthBaseFromConnection");function e_(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=At(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:Nn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(e_,"buildRouteAuthBaseFromPolicyOptions");function t_(e,t){let n=at().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return a$({connection:a,virtualServerId:t})}o(t_,"resolveRouteAuthBase");function Xv(e,t){switch(e){case"user":return dr(t.subjectId);case"shared":return si()}}o(Xv,"buildOwnerForPrincipal");function Bs(e,t){switch(e.ownerMode){case"shared":return{...e,owner:Xv(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:Xv(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(Bs,"resolveRouteAuthForPrincipal");function i$(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return Qa.parse(r)}o(i$,"readSingleAuthMode");async function hp(e,t,r,n){let a=i$({policyName:n,connection:r}),i=In(t),s=e_({connection:r,virtualServerId:i.virtualServerId,authMode:a});if(s.ownerMode==="none")return cd(t,{...s,connectionPolicyName:n}),e;let c=Em(t);return cd(t,{...Bs(s,c),connectionPolicyName:n}),e}o(hp,"mcpUpstreamConnectionPolicy");var gp=class extends Rn{static{o(this,"McpUpstreamConnectionInboundPolicy")}#t;constructor(t,r){let n=Pi(t,r);super(n,r),this.#t=n}async handler(t,r){return xt("policy.inbound.mcp-upstream-connection"),hp(t,r,this.#t,this.policyName)}};ue();var r_="application/json",s$="application/x-www-form-urlencoded";function c$(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(c$,"normalizeContentType");function u$(e,t){return e===t?!0:t===r_&&e.endsWith("+json")}o(u$,"contentTypeMatches");function d$(e,t){if(!t||t.length===0)return;let r=c$(e.headers.get("content-type"));if(!t.some(n=>u$(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(d$,"assertExpectedContentType");function l$(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(l$,"assertContentLengthWithinLimit");async function n_(e,t){let r=t.label??"Request body";d$(e,t.expectedContentTypes),l$(e,t.maxBytes,r);let n=await Ei(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(n_,"readBoundedTextBody");async function o_(e,t){let r=await n_(e,{...t,expectedContentTypes:[r_]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(o_,"readBoundedJsonBody");async function Gs(e,t){let r=await n_(e,{...t,expectedContentTypes:[s$]});return new URLSearchParams(r)}o(Gs,"readBoundedFormUrlEncodedBody");var a_=Symbol("Html");function p$(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(p$,"escapeHtml");function m$(e){return e===null||typeof e!="object"?!1:e[a_]===!0}o(m$,"isHtml");function i_(e){return e==null||e===!1?"":Array.isArray(e)?e.map(i_).join(""):m$(e)?e.value:p$(String(e))}o(i_,"renderValue");function nr(e){return{[a_]:!0,value:e}}o(nr,"trustedHtml");var Ma=nr("");function se(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=i_(t[n]),r+=e[n+1]??"";return nr(r)}o(se,"html");function Mr(e){return e.value}o(Mr,"renderHtml");var or=nr('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function ar(e){return se`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
56
+ `&&n++}}return[t,r]}o(_O,"splitLines");var Ns=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=Uv({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var wO={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},$r=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},js=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=Ev(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??wO}async _authThenStart(){if(!this._authProvider)throw new wt("No auth provider");let t;try{t=await wr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new wt;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=zs(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new $r(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,c=!1,d=!1;o(async()=>{try{let l=t.pipeThrough(new TextDecoderStream).pipeThrough(new Ns({onRetry:o(y=>{this._serverRetryMs=y},"onRetry")})).getReader();for(;;){let{value:y,done:v}=await l.read();if(v)break;if(y.id&&(s=y.id,c=!0,a?.(y.id)),!!y.data&&(!y.event||y.event==="message"))try{let S=Br.parse(JSON.parse(y.data));_t(S)&&(d=!0,i!==void 0&&(S.id=i)),this.onmessage?.(S)}catch(S){this.onerror?.(S)}}(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(l){if(this.onerror?.(new Error(`SSE stream disconnected: ${l}`)),(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(y){this.onerror?.(new Error(`Failed to reconnect: ${y instanceof Error?y.message:String(y)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new wt("No auth provider");if(await wr(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new wt("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:Tt(t)?t.id:void 0}).catch(h=>this.onerror?.(h));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},c=await(this._fetch??fetch)(this._url,s),d=c.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!c.ok){let h=await c.text().catch(()=>null);if(c.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new $r(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:y,scope:v}=nd(c);if(this._resourceMetadataUrl=y,this._scope=v,await wr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new wt;return this._hasCompletedAuthFlow=!0,this.send(t)}if(c.status===403&&this._authProvider){let{resourceMetadataUrl:y,scope:v,error:S}=nd(c);if(S==="insufficient_scope"){let _=c.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===_)throw new $r(403,"Server returned 403 after trying upscoping");if(v&&(this._scope=v),y&&(this._resourceMetadataUrl=y),this._lastUpscopingHeader=_??void 0,await wr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new wt;return this.send(t)}}throw new $r(c.status,`Error POSTing to endpoint: ${h}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,c.status===202){await c.body?.cancel(),Ff(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(h=>this.onerror?.(h));return}let l=(Array.isArray(t)?t:[t]).filter(h=>"method"in h&&"id"in h&&h.id!==void 0).length>0,m=c.headers.get("content-type");if(l)if(m?.includes("text/event-stream"))this._handleSseStream(c.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let h=await c.json(),y=Array.isArray(h)?h.map(v=>Br.parse(v)):[Br.parse(h)];for(let v of y)this.onmessage?.(v)}else throw await c.body?.cancel(),new $r(-1,`Unexpected content type: ${m}`);else await c.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new $r(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function Ov(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw g("internal_server_error",`Native MCP transport header ${r.name} is required but has no value configured.`);continue}t[r.name]=r.value}return t}o(Ov,"resolveNativeMcpRequestHeaders");var bO={name:"zuplo-mcp-gateway",version:"0.1.0"},RO=new uo({draft:"7",shortcircuit:!1}),CO=5,IO=500,zv=3e4,PO=2*1024*1024,xO=2;function $v(){return performance.now()/1e3}o($v,"nowSeconds");function kO(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(kO,"readServerPort");function TO(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:kO(e)}}o(TO,"buildNativeMcpOperationContext");function dn(e){return Tv(e)}o(dn,"withTraceMeta");function Ds(e){if(e>IO)throw g("upstream_import_failed","Upstream import exceeded the maximum allowed capability count.")}o(Ds,"assertImportedCapabilityBudget");function Mv(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(Mv,"buildRequestInit");function AO(e){return(t,r)=>Dn(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:xO,maxResponseBytes:PO,problemCode:"upstream_capability_invocation_failed",timeoutMs:zv})}o(AO,"createNativeMcpFetch");function EO(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(g("upstream_capability_invocation_failed","Upstream MCP request exceeded the maximum allowed time."))},zv);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(EO,"withNativeMcpRequestTimeout");function UO(e,t=[]){let r=Ov(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:AO(a)};if(!e)return{...i,...Mv(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...Mv(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(UO,"buildNativeMcpTransportOptions");async function ln(e,t,r){let{transport:n}=De(e),a=new URL(n.baseUrl),i=new js(a,UO(r,n.requestHeaders)),s=new Ms(bO,{capabilities:{},jsonSchemaValidator:RO});return EO((async()=>{let c=$v();await s.connect(i);let d=i.sessionId,p=TO(a,d);try{return await t(s,p)}finally{await s.close(),d&&Av(p,$v()-c)}})())}o(ln,"withNativeMcpClient");async function OO(e,t,r){let n=[],a,i=0;do{if(i>=CO)throw g("upstream_capability_invocation_failed",`${e} pagination exceeded the maximum allowed page count.`);let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(OO,"collectPaginatedSdkItems");async function Hs(e){return e.enabled?OO(e.label,e.fetchPage,e.readItems):[]}o(Hs,"listNativeMcpCapabilityItems");async function qv(e){return ln(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"tools/list",...r},()=>Hs({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Ds(a.length),{tools:a}},e.credential)}o(qv,"listNativeMcpTools");async function Nv(e){return ln(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"prompts/list",...r},()=>Hs({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Ds(a.length),{prompts:a}},e.credential)}o(Nv,"listNativeMcpPrompts");async function jv(e){return ln(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"resources/list",...r},()=>Hs({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Ds(a.length),{resources:a}},e.credential)}o(jv,"listNativeMcpResources");async function Dv(e){return ln(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Ur({methodName:"resources/templates/list",...r},()=>Hs({enabled:!!n?.resources,label:"Resource template list",fetchPage:o(i=>t.listResourceTemplates(dn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resourceTemplates,"readItems")}));return Ds(a.length),{resourceTemplates:a}},e.credential)}o(Dv,"listNativeMcpResourceTemplates");async function Hv(e){return ln(e.upstreamServerId,(t,r)=>Ur({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(dn(e.params))),e.credential)}o(Hv,"callNativeMcpTool");async function Lv(e){return ln(e.upstreamServerId,(t,r)=>Ur({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(dn(e.params))),e.credential)}o(Lv,"getNativeMcpPrompt");async function Bv(e){return ln(e.upstreamServerId,(t,r)=>Ur({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(dn(e.params))),e.credential)}o(Bv,"readNativeMcpResource");var lo=class extends x{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(A.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}},$a=class extends x{static{o(this,"GatewayAuthorizationMcpError")}authorizationFailureKind;constructor(t){super(A.InvalidRequest,qO(t)),this.name="GatewayAuthorizationMcpError",this.authorizationFailureKind=t}};function $O(e){return{content:[{type:"text",text:e}],isError:!0}}o($O,"buildToolErrorResult");function Kv(e){return e.authUrl?new Vt([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new lo(e)}o(Kv,"toConnectRequiredError");function MO(e){if(e.type!=="mcp_oauth_provider")return;let{provider:t}=e;if(!("authorizationUrl"in t))return;let{authorizationUrl:r}=t;return typeof r=="string"&&r.length>0?r:void 0}o(MO,"readOAuthAuthorizationUrl");function zO(e,t){return MO(t)===void 0?!1:e instanceof wt||e instanceof Error&&e.message==="Unauthorized"}o(zO,"isOAuthRedirectUnauthorizedError");function qO(e){switch(e){case"resource_mismatch":return"Gateway access token was not issued for this MCP resource.";case"principal_mismatch":return"Gateway access token principal did not match the request.";default:return"Gateway access token is expired, revoked, or invalid."}}o(qO,"readCompositeAuthorizationFailureDetail");function NO(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(NO,"buildCredentialResolvedAttributes");function jO(e){V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:NO(e.credential)})}o(jO,"emitCredentialResolvedAnalyticsEvent");function Jv(e){if(V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}}),e.payload.state==="reconsent_required")V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}});else{let t=DO(e.payload.state);V(e.context,{eventType:B.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:t,reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}}o(Jv,"emitCredentialMissingAnalyticsEvent");function DO(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required";default:{let t=e;return"connect_required"}}}o(DO,"connectRequiredReasonCode");function HO(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):lr({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(HO,"readRouteBindingCredentialCacheKey");function dp(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(dp,"readOwnedRouteBindingLookup");async function LO(e){let t=Gc(e.request);if(!t)return new Map;let r=new Map;for(let s of e.routeBindings){let c=dp(s);c!==void 0&&r.set(lr(c),c)}if(r.size===0)return new Map;let n=[...r.values()],a=await K().authorizeAndLoadConnections({accessTokenHash:await le(t),resource:ur(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:n,now:re(new Date)});if(a.kind!=="authorized")throw new $a(a.kind);let i=new Map;return a.upstreamConnections.forEach((s,c)=>{let d=n[c];d!==void 0&&i.set(lr(d),s.connection)}),i}o(LO,"preloadCompositeAuthorizedConnections");function BO(e){let t=new Map;return r=>{let n=HO(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,c=dp(r),d=c===void 0?void 0:lr(c),p=await Hi({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(p.kind==="connect_required")throw Jv({context:e.context,payload:p.payload,routeBinding:r}),Kv(p.payload);return jO({context:e.context,credential:p.credential,routeBinding:r}),p.credential})();return t.set(n,i),i}}o(BO,"createCredentialResolver");var Gv=500;function lp(e){return e.length<=Gv?e:`${e.slice(0,Gv)}...`}o(lp,"truncateAnalyticsDetail");function GO(e){V(e.context,{eventType:B.MCP_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0,latencyMs:e.latencyMs})}o(GO,"emitToolInvocationCompletedAnalyticsEvent");function up(e){V(e.context,{eventType:B.MCP_CAPABILITY_INVOKED,outcome:"success",routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType})}o(up,"emitCapabilityInvokedAnalyticsEvent");function Vv(e){let t={};typeof e.itemCount=="number"&&(t.itemCount=e.itemCount),e.errorDetail!==void 0&&(t.detail=lp(e.errorDetail)),V(e.context,{eventType:B.MCP_CAPABILITY_LISTED,outcome:e.outcome,...e.routeBinding?{routeBinding:e.routeBinding}:{},...e.virtualServerName?{virtualServerName:e.virtualServerName}:{},mcpMethod:e.mcpMethod,capabilityType:e.capabilityType,latencyMs:e.latencyMs,...e.reasonCode?{reasonCode:e.reasonCode}:{},...e.reasonClass?{reasonClass:e.reasonClass}:{},...e.errorType?{errorType:e.errorType}:{},attributes:t})}o(Vv,"emitCapabilityListedAnalyticsEvent");function Fv(e){V(e.context,{eventType:B.MCP_CAPABILITY_COMPLETED,outcome:"success",routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType,latencyMs:e.latencyMs})}o(Fv,"emitCapabilityCompletedAnalyticsEvent");function Zv(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=e.error instanceof Vt||e.error instanceof lo,n=e.error instanceof x&&e.error.code===A.InvalidParams,a=r?B.MCP_CAPABILITY_CONNECT_REQUIRED:B.MCP_CAPABILITY_FAILED,i=r?"connect_required":"failure",s=r?"connect_required":n?"invalid_capability_arguments":"upstream_capability_invocation_failed",c=r?"auth":n?"client":"upstream";V(e.context,{eventType:a,outcome:i,routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType,reasonCode:s,reasonClass:c,errorType:r?"connect_required":"capability_error",...n?{mcpErrorType:"InvalidParams"}:{},latencyMs:e.latencyMs,attributes:{detail:lp(t)}})}o(Zv,"emitCapabilityFailedAnalyticsEvent");function VO(e){return e instanceof Vt||e instanceof lo?{eventType:B.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof $a?{eventType:B.MCP_CAPABILITY_FAILED,outcome:"denied",reasonCode:`gateway_access_token_${e.authorizationFailureKind}`,reasonClass:"auth",errorType:"auth_error",mcpErrorType:"InvalidRequest"}:e instanceof x&&e.code===A.InvalidParams?{eventType:B.MCP_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:B.MCP_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(VO,"classifyToolInvocationFailure");function FO(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=VO(e.error);V(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,latencyMs:e.latencyMs,attributes:{detail:lp(t)}})}o(FO,"emitToolInvocationFailedAnalyticsEvent");var ZO=256*1024;function KO(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new x(A.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>ZO)throw new x(A.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(KO,"assertToolArgumentsWithinLimit");function pp(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new x(A.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o(pp,"findBindingForPublishedCapability");function pn(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new x(A.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(pn,"requireSingleTransparentBinding");function JO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:pn(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new x(A.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:pp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(JO,"resolvePublishedToolRoute");function WO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:pn(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new x(A.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:pp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(WO,"resolvePublishedPromptRoute");function YO(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:pn(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new x(A.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:pp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(YO,"resolvePublishedResourceRoute");function Wv(e){let t=LO({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=BO({context:e.context,preloadedConnections:t,request:e.request}),n=e.publishedVirtualServer.virtualServerId;async function a(c){if(!zO(c.error,c.credential)||c.routeBinding.ownerMode==="none")return;let d=dp(c.routeBinding);if(d===void 0)return;let l=(await t).get(lr(d))?.id,m=c.routeBinding.owner.mode==="shared"?qi({upstreamServerId:c.routeBinding.upstreamServerId,authProfileId:c.routeBinding.authProfileId,upstreamDisplayName:c.routeBinding.upstreamDisplayName,virtualServerId:c.routeBinding.virtualServerId,...l===void 0?{}:{connectionId:l},requiresReconsent:!0}):await vr({requestUrl:e.request.url,owner:c.routeBinding.owner,initiatedBySubjectId:c.routeBinding.initiatedBySubjectId,upstreamServerId:c.routeBinding.upstreamServerId,authProfileId:c.routeBinding.authProfileId,upstreamDisplayName:c.routeBinding.upstreamDisplayName,virtualServerId:c.routeBinding.virtualServerId,subject:"tool",...l===void 0?{}:{connectionId:l},requiresReconsent:!0,...c.routeBinding.returnTo===void 0?{}:{returnTo:c.routeBinding.returnTo}});return Jv({context:e.context,payload:m,routeBinding:c.routeBinding}),Kv(m)}o(a,"buildForwardingConnectRequiredError");async function i(c){let d=await r(c.routeBinding);try{return await c.invoke(d)}catch(p){let l=await a({credential:d,error:p,routeBinding:c.routeBinding});throw l!==void 0?l:p}}o(i,"invokeNativeMcpWithCredential");async function s(c){let d=Date.now();try{let p=await c.invoke();return Vv({context:e.context,routeBinding:c.routeBinding,virtualServerName:n,capabilityType:c.capabilityType,mcpMethod:c.mcpMethod,outcome:"success",itemCount:c.countItems(p),latencyMs:Date.now()-d}),p}catch(p){let l=p instanceof Error?p.message:String(p);throw Vv({context:e.context,routeBinding:c.routeBinding,virtualServerName:n,capabilityType:c.capabilityType,mcpMethod:c.mcpMethod,outcome:"failure",latencyMs:Date.now()-d,reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorDetail:l}),p}}return o(s,"listCapability"),{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return s({capabilityType:"tool",mcpMethod:"tools/list",invoke:o(async()=>({tools:e.publishedVirtualServer.catalog.tools.filter(d=>d.enabled!==!1).map(xi)}),"invoke"),countItems:o(d=>d.tools.length,"countItems")});let c=pn(e);return s({capabilityType:"tool",mcpMethod:"tools/list",routeBinding:c,invoke:o(async()=>i({routeBinding:c,invoke:o(d=>qv({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")}),"invoke"),countItems:o(d=>d.tools.length,"countItems")})},async callTool(c){let d=JO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:c.name});up({context:e.context,routeBinding:d.binding,capabilityType:"tool",capabilityName:c.name,mcpMethod:"tools/call"});let p=Date.now();try{KO(c);let l=await i({routeBinding:d.binding,invoke:o(m=>Hv({upstreamServerId:d.binding.upstreamServerId,params:{...c,name:d.upstreamName},credential:m}),"invoke")});return GO({context:e.context,routeBinding:d.binding,toolName:c.name,result:l,latencyMs:Date.now()-p}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:c.name,upstreamName:d.upstreamName,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId,isError:l.isError===!0},"Upstream tool invocation completed"),l}catch(l){if(FO({context:e.context,routeBinding:d.binding,toolName:c.name,error:l,latencyMs:Date.now()-p}),l instanceof Vt||l instanceof lo)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:c.name,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId,ownerMode:d.binding.ownerMode,hasAuthUrl:l instanceof Vt},"Upstream tool invocation requires user to complete a connect flow"),l;if(l instanceof $a)throw e.context.log.warn({event:"upstream_tool_invocation_gateway_auth_denied",toolName:c.name,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId,validationKind:l.authorizationFailureKind},"Gateway access token failed composite authorization; MCP tool invocation denied"),l;let m={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:c.name,upstreamName:d.upstreamName,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId};return l instanceof x&&(m.mcpErrorCode=l.code),l instanceof Error?(m.errorName=l.name,m.errorMessage=l.message,l.cause instanceof Error&&(m.causeName=l.cause.name,m.causeMessage=l.cause.message)):m.errorMessage=String(l),e.context.log.warn(m,"Upstream tool invocation failed; returning generic gateway error to MCP client"),$O(Ke("upstream_capability_invocation_failed").publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return s({capabilityType:"prompt",mcpMethod:"prompts/list",invoke:o(async()=>({prompts:e.publishedVirtualServer.catalog.prompts.filter(d=>d.enabled!==!1).map(ki)}),"invoke"),countItems:o(d=>d.prompts.length,"countItems")});let c=pn(e);return s({capabilityType:"prompt",mcpMethod:"prompts/list",routeBinding:c,invoke:o(async()=>i({routeBinding:c,invoke:o(d=>Nv({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")}),"invoke"),countItems:o(d=>d.prompts.length,"countItems")})},async getPrompt(c){let d=WO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:c.name});up({context:e.context,routeBinding:d.binding,capabilityType:"prompt",capabilityName:c.name,mcpMethod:"prompts/get"});let p=Date.now();try{let l=await i({routeBinding:d.binding,invoke:o(m=>Lv({upstreamServerId:d.binding.upstreamServerId,params:{...c,name:d.upstreamName},credential:m}),"invoke")});return Fv({context:e.context,routeBinding:d.binding,capabilityType:"prompt",capabilityName:c.name,mcpMethod:"prompts/get",latencyMs:Date.now()-p}),l}catch(l){throw Zv({context:e.context,routeBinding:d.binding,capabilityType:"prompt",capabilityName:c.name,mcpMethod:"prompts/get",error:l,latencyMs:Date.now()-p}),l}},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return s({capabilityType:"resource",mcpMethod:"resources/list",invoke:o(async()=>({resources:e.publishedVirtualServer.catalog.resources.filter(d=>d.enabled!==!1).map(Ti)}),"invoke"),countItems:o(d=>d.resources.length,"countItems")});let c=pn(e);return s({capabilityType:"resource",mcpMethod:"resources/list",routeBinding:c,invoke:o(async()=>i({routeBinding:c,invoke:o(d=>jv({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")}),"invoke"),countItems:o(d=>d.resources.length,"countItems")})},async listResourceTemplates(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resourceTemplates:[]};let c=pn(e);return i({routeBinding:c,invoke:o(d=>Dv({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")})},async readResource(c){let d=YO({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:c.uri});up({context:e.context,routeBinding:d.binding,capabilityType:"resource",capabilityName:c.uri,mcpMethod:"resources/read"});let p=Date.now();try{let l=await i({routeBinding:d.binding,invoke:o(m=>Bv({upstreamServerId:d.binding.upstreamServerId,params:{...c,uri:d.upstreamUri},credential:m}),"invoke")});return Fv({context:e.context,routeBinding:d.binding,capabilityType:"resource",capabilityName:c.uri,mcpMethod:"resources/read",latencyMs:Date.now()-p}),l}catch(l){throw Zv({context:e.context,routeBinding:d.binding,capabilityType:"resource",capabilityName:c.uri,mcpMethod:"resources/read",error:l,latencyMs:Date.now()-p}),l}}}}o(Wv,"createCapabilityDispatcher");var QO="0.1.0",Qv="POST",XO="POST, OPTIONS",e$=new uo({draft:"7",shortcircuit:!1});function mp(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:Qv}})}o(mp,"jsonRpcMethodNotAllowedResponse");function t$(e){let t={Allow:Qv},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=XO;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(t$,"buildOptionsResponse");function mn(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o(mn,"readJsonRpcRequestId");function Ls(e){return e&&typeof e=="object"?e.params:void 0}o(Ls,"readMcpRequestParams");function Yv(e,t){return e.headers.get(t)??void 0}o(Yv,"readMcpHeader");function r$(e){return{mcpProtocolVersion:Yv(e,"mcp-protocol-version")??Dr,mcpSessionId:Yv(e,"mcp-session-id")}}o(r$,"buildServerTelemetryBase");function n$(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",Dr),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(n$,"ensureProtocolVersionHeader");async function fp(e,t){if(e.method==="OPTIONS")return t$(e);if(e.method==="GET")return mp("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return mp("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return mp("Only POST is supported by this virtual MCP server.");let r=In(t),n=Hr(r.virtualServerId),a=Li(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),g("internal_server_error",`MCP virtual server route requires exactly one upstream binding; found ${a.length}.`);let i=r$(e),s=Wv({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),c=ae(e.url),d=new As({enableDnsRebindingProtection:!0,allowedOrigins:[c]}),p=new Ts(n.catalog.serverInfo??{name:r.virtualServerId,version:QO},{capabilities:{prompts:{},resources:{},tools:{}},jsonSchemaValidator:e$});p.setRequestHandler(wu,async m=>Or({methodName:"tools/list",params:Ls(m),jsonRpcRequestId:mn(m),...i},()=>s.listTools())),p.setRequestHandler(No,async m=>Or({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:mn(m),...i},()=>s.callTool(m.params))),p.setRequestHandler(pu,async m=>Or({methodName:"prompts/list",params:Ls(m),jsonRpcRequestId:mn(m),...i},()=>s.listPrompts())),p.setRequestHandler(fu,async m=>Or({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:mn(m),...i},()=>s.getPrompt(m.params))),p.setRequestHandler(ou,async m=>Or({methodName:"resources/list",params:Ls(m),jsonRpcRequestId:mn(m),...i},()=>s.listResources())),p.setRequestHandler(iu,async m=>Or({methodName:"resources/templates/list",params:Ls(m),jsonRpcRequestId:mn(m),...i},()=>s.listResourceTemplates())),p.setRequestHandler(uu,async m=>Or({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:mn(m),...i},()=>s.readResource(m.params))),await p.connect(d);let l=await d.handleRequest(e);return n$(l)}o(fp,"virtualServerHandler");async function o$(e,t){return xt("handler.mcp-virtual-server"),fp(e,t)}o(o$,"McpVirtualServerHandler");function a$(e){let t=At(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(a$,"buildRouteAuthBaseFromConnection");function e_(e){if(!e.connection.authProfiles[e.authMode])throw g("internal_server_error",`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`);let r=At(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:Nn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(e_,"buildRouteAuthBaseFromPolicyOptions");function t_(e,t){let n=at().byVirtualServerId.get(t);if(!n)throw g("unknown_virtual_server",`Unknown virtual server: ${t}`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw g("virtual_server_upstream_mismatch",`Virtual server ${t} does not bind upstream ${e}.`);return a$({connection:a,virtualServerId:t})}o(t_,"resolveRouteAuthBase");function Xv(e,t){switch(e){case"user":return dr(t.subjectId);case"shared":return si()}}o(Xv,"buildOwnerForPrincipal");function Bs(e,t){switch(e.ownerMode){case"shared":return{...e,owner:Xv(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:Xv(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(Bs,"resolveRouteAuthForPrincipal");function i$(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw g("internal_server_error",`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw g("internal_server_error",`Upstream policy ${e.policyName} does not declare an auth mode.`);return Qa.parse(r)}o(i$,"readSingleAuthMode");async function hp(e,t,r,n){let a=i$({policyName:n,connection:r}),i=In(t),s=e_({connection:r,virtualServerId:i.virtualServerId,authMode:a});if(s.ownerMode==="none")return cd(t,{...s,connectionPolicyName:n}),e;let c=Em(t);return cd(t,{...Bs(s,c),connectionPolicyName:n}),e}o(hp,"mcpUpstreamConnectionPolicy");var gp=class extends Rn{static{o(this,"McpUpstreamConnectionInboundPolicy")}#t;constructor(t,r){let n=Pi(t,r);super(n,r),this.#t=n}async handler(t,r){return xt("policy.inbound.mcp-upstream-connection"),hp(t,r,this.#t,this.policyName)}};ue();var r_="application/json",s$="application/x-www-form-urlencoded";function c$(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(c$,"normalizeContentType");function u$(e,t){return e===t?!0:t===r_&&e.endsWith("+json")}o(u$,"contentTypeMatches");function d$(e,t){if(!t||t.length===0)return;let r=c$(e.headers.get("content-type"));if(!t.some(n=>u$(r,n)))throw g("invalid_request",`Request body must be ${t.join(" or ")}.`)}o(d$,"assertExpectedContentType");function l$(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw g("invalid_request",`${r} exceeded the maximum allowed size.`)}o(l$,"assertContentLengthWithinLimit");async function n_(e,t){let r=t.label??"Request body";d$(e,t.expectedContentTypes),l$(e,t.maxBytes,r);let n=await Ei(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>g("invalid_request",`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(n_,"readBoundedTextBody");async function o_(e,t){let r=await n_(e,{...t,expectedContentTypes:[r_]});try{return JSON.parse(r)}catch(n){throw g("invalid_request","Request body must be valid JSON.",n)}}o(o_,"readBoundedJsonBody");async function Gs(e,t){let r=await n_(e,{...t,expectedContentTypes:[s$]});return new URLSearchParams(r)}o(Gs,"readBoundedFormUrlEncodedBody");var a_=Symbol("Html");function p$(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(p$,"escapeHtml");function m$(e){return e===null||typeof e!="object"?!1:e[a_]===!0}o(m$,"isHtml");function i_(e){return e==null||e===!1?"":Array.isArray(e)?e.map(i_).join(""):m$(e)?e.value:p$(String(e))}o(i_,"renderValue");function nr(e){return{[a_]:!0,value:e}}o(nr,"trustedHtml");var Ma=nr("");function se(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=i_(t[n]),r+=e[n+1]??"";return nr(r)}o(se,"html");function Mr(e){return e.value}o(Mr,"renderHtml");var or=nr('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function ar(e){return se`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
57
57
  ${e.styles}
58
58
  </style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}o(ar,"renderShell");var yp="zuplo.com";function s_(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}o(s_,"s2FaviconHref");function f$(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}o(f$,"strictFaviconHref");var fn=s_(yp);function hn(e){let t=e.toLowerCase();return t===yp||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?s_(yp):f$(e)}o(hn,"resolveIconHref");function gn(e){return se`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}o(gn,"renderShellIcon");function c_(e){return se`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}o(c_,"renderActions");var p3=nr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function u_(){return se`<p>The API key could not be verified. Start the authorization flow again to try
59
59
  once more.</p>`}o(u_,"renderApiKeyLoginFailure");function d_(e){return se`<form class="form" method="post" action="/oauth/api-key-login" autocomplete="off" ><input type="hidden" name="state" value="${e.state}" /><label class="form__label" for="apiKey">API key</label><input class="form__input" id="apiKey" name="apiKey" type="password" required autocomplete="off" /><button class="button button--primary button--block form__submit" type="submit" >Continue</button></form>`}o(d_,"renderApiKeyLoginForm");var m3=nr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),f3=nr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var h3=nr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var h$="text/html; charset=utf-8";function l_(e,t=200){return new Response(Mr(e),{status:t,headers:{"content-type":h$,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(l_,"apiKeyLoginHtmlResponse");function Sp(e,t=401){let r=hn(e);return l_(ar({title:"Sign-in failed",iconHref:r,styles:or,headerIcon:gn({iconHref:r,fallbackIconHref:fn}),heading:"Sign-in failed",subhead:"",body:u_(),footer:""}),t)}o(Sp,"apiKeyLoginFailureResponse");function p_(e,t){let r=hn(e);return l_(ar({title:"Sign in",iconHref:r,styles:or,headerIcon:gn({iconHref:r,fallbackIconHref:fn}),heading:"Sign in",subhead:se`<p class="card__subtitle">Enter your API key to continue.</p>`,body:d_({state:t}),footer:""}))}o(p_,"renderApiKeyLoginForm");ue();ue();import{errors as __,jwtVerify as w_,SignJWT as b_}from"jose";ue();import{errors as x$,jwtVerify as k$,SignJWT as T$}from"jose";function zr(e){let t=ke().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw g("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(zr,"requireBrowserLoginField");ue();import{createRemoteJWKSet as y$,errors as za,jwtVerify as S$}from"jose";var v$=u.object({id_token:u.string().min(1),token_type:u.string().min(1).optional(),expires_in:u.number().optional(),access_token:u.string().min(1).optional(),refresh_token:u.string().min(1).optional(),scope:u.string().min(1).optional()}),_$=u.object({error:u.string().min(1).optional(),error_description:u.string().min(1).optional(),error_uri:u.string().min(1).optional()});function w$(e){let t=_$.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(w$,"readIdpErrorFields");function b$(e){return e instanceof za.JWTExpired?"expired":e instanceof za.JWTClaimValidationFailed?"claim":e instanceof za.JWSSignatureVerificationFailed?"signature":e instanceof za.JWKSNoMatchingKey?"jwks_no_match":e instanceof za.JWTInvalid?"invalid":e instanceof u.ZodError?"schema":"other"}o(b$,"readJwtFailureKind");var R$=u.object({sub:ve,nonce:u.string().min(1)}).catchall(u.unknown()),vp;function C$(e){return e instanceof Error&&"cause"in e?e.cause:e}o(C$,"readErrorCause");function I$(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(I$,"readRuntimeGatewayCode");function P$(){if(!vp){let e=ke();vp=y$(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return vp}o(P$,"readFederatedJwks");async function m_(e){let t=ke(),r=zr("tokenUrl"),n=zr("clientId"),a=zr("clientSecret"),i=new URL("/oauth/callback",vt(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:c,json:d}=await wh(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!c.ok){let h=w$(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:lt(r),idpStatus:c.status,...h},"Federated browser login token exchange returned non-2xx from the identity provider"),g({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${h.idpError?` idp_error=${h.idpError}`:""}${h.idpErrorDescription?` idp_error_description=${h.idpErrorDescription}`:""})`)})}let p=v$.parse(d),l;try{({payload:l}=await S$(p.id_token,P$(),{issuer:t.oidc.issuer,audience:n}))}catch(h){let y={};throw Ye(y,"error",h),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:b$(h),idpHost:lt(r),expectedIssuer:t.oidc.issuer,...y},"Federated id_token failed jose verification"),h}if(l.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:lt(r),nonceMissingFromIdToken:l.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),g("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=R$.parse(l);return xn({sub:m.sub,data:m},e.requestUrl)}catch(c){let d=ge(c)??I$(c);throw d!==void 0&&d!=="browser_login_verification_failed"?c:g("browser_login_verification_failed","Federated browser login callback could not be verified.",C$(c))}}o(m_,"exchangeFederatedAuthorizationCode");var wp="zuplo_mcp_session",A$=u.object({purpose:u.literal("gateway_browser_session"),sub:ve,browserLoginOrigin:u.string().min(1),roles:u.array(u.string().min(1)).optional(),exp:u.number().int().positive(),iat:u.number().int().positive().optional()});function E$(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(E$,"parseCookieHeader");async function f_(){return Et({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>Sr(e,"browser-session"),"derive")})}o(f_,"getBrowserSessionKey");function _p(e){let t=new URL(ae(e)),r=[`${wp}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(_p,"buildBrowserSessionEvictionCookie");function U$(e){let t=new URL(ae(e.requestUrl)),r=[`${wp}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(U$,"serializeSessionCookie");function h_(e={}){return new URL(zr("url")).origin}o(h_,"readBrowserLoginOrigin");function bp(){return ke().browserLogin.stateTtlSeconds}o(bp,"readBrowserLoginStateTtlSeconds");function g_(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return xn(e.user,e.url)}o(g_,"resolveCurrentRequestPrincipal");async function Vs(e,t={}){let r=E$(e.headers.get("cookie")).get(wp);if(!r)return{};try{let{payload:n}=await k$(r,await f_(),{algorithms:[st],issuer:Qe,audience:it}),a=A$.parse(n);if(a.browserLoginOrigin!==h_(t))return{evictCookie:_p(e.url)};let i={subjectId:a.sub};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof x$.JWTExpired?{evictCookie:_p(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:_p(e.url)})}}o(Vs,"readBrowserSession");async function qa(e){let t=ke().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:h_({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new T$(r).setProtectedHeader({alg:st,typ:"JWT"}).setIssuer(Qe).setAudience(it).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await f_());return U$({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(qa,"createBrowserSessionCookie");async function y_(e){throw g("forbidden","API-key browser login is not supported in this gateway.")}o(y_,"resolveApiKeyBrowserLoginPrincipal");async function S_(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Vs(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return m_({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(S_,"resolveBrowserLoginCallbackPrincipal");function v_(e){let t=ke().browserLogin,r=new URL(zr("url")),n=new URL("/oauth/callback",vt(e.requestUrl));return Im(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",zr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(v_,"buildBrowserLoginUrl");var O$={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},M=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=O$[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};var $$=5*60,M$=u.object({purpose:u.literal("gateway_browser_login"),transactionId:pt,stateId:ri,exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),z$=u.object({purpose:u.literal("gateway_authorization_setup"),transactionId:pt,stateId:ri,exp:u.number().int().positive(),iat:u.number().int().positive().optional()});async function R_(){return Et({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>Sr(e,"browser-login"),"derive")})}o(R_,"getBrowserLoginKey");async function C_(){return Et({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>Sr(e,"authorization-csrf"),"derive")})}o(C_,"getCsrfKey");function I_(e){return{now:e.now??new Date,ttlSeconds:bp()}}o(I_,"readPendingTransactionDependencies");function q$(e,t){return e.subjectId===t.subjectId}o(q$,"principalsMatch");function P_(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}o(P_,"toPendingPrincipal");function x_(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:re(e.now),expiresAt:re(Bt(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:P_(e.principal)}}o(x_,"createTransactionRecord");async function k_(e){let{id:t,...r}=e.record,n=await K().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(n.kind){case"started":return n.transaction;case"already_exists":throw g("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new M("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new M("invalid_request","redirect_uri is not registered for the client.")}}o(k_,"startPendingTransaction");async function N$(e){return new b_({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:st,typ:"JWT"}).setIssuer(Qe).setAudience(it).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await R_())}o(N$,"signBrowserLoginState");async function T_(e){return new b_({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Ic()}).setProtectedHeader({alg:st,typ:"JWT"}).setIssuer(Qe).setAudience(it).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await C_())}o(T_,"signCsrfToken");async function Fs(e){try{let{payload:t}=await w_(e,await R_(),{algorithms:[st],issuer:Qe,audience:it}),r=M$.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof __.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}o(Fs,"verifyBrowserLoginStateToken");async function Rp(e){try{let{payload:t}=await w_(e,await C_(),{algorithms:[st],issuer:Qe,audience:it});return{transactionId:z$.parse(t).transactionId}}catch(t){throw t instanceof __.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(Rp,"verifyCsrfToken");function Zs(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(Zs,"pendingStateErrorCode");function A_(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}o(A_,"toPendingAuthorizationGetResult");function j$(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}o(j$,"toPendingAuthorizationAdvanceResult");function E_(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Zs(e==="consumed_already"?"consumed_already":e)}o(E_,"setupDecisionErrorCode");function D$(e){if(e.kind!=="available")throw g(Zs(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(D$,"requireAwaitingSetup");function H$(e){if(e.kind!=="available")throw g(Zs(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw g("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(H$,"requireAwaitingLogin");function L$(e){if(!q$(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(L$,"requireCurrentPrincipalMatches");async function U_(e){let t=e.now??new Date,r=bp(),n=Cc(),a=Ic(),i=await N$({transactionId:n,stateId:a,ttlSeconds:r}),s=x_({id:n,transaction:e.transaction,currentStateHash:await le(i),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await k_({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:c,browserLoginStateToken:i,browserLoginUrl:v_({state:i,nonce:a,virtualServerId:s.virtualServerId,requestUrl:e.requestUrl})}}o(U_,"startAwaitingLogin");async function O_(e){let{now:t,ttlSeconds:r}=I_(e),n=Cc(),a=await T_({transactionId:n,ttlSeconds:r}),i=x_({id:n,transaction:e.transaction,currentStateHash:await le(a),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(i.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await k_({record:i,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:a}}o(O_,"startAwaitingSetup");async function Cp(e){let{now:t,ttlSeconds:r}=I_(e),n=await Fs(e.browserLoginStateToken),a=await T_({transactionId:n.transactionId,ttlSeconds:r}),i=j$(await K().advancePendingAuthorization({transactionId:n.transactionId,expectedPhase:"awaiting_login",currentStateHash:await le(e.browserLoginStateToken),nextStateHash:await le(a),nextPhase:"awaiting_setup",principal:P_(e.principal),now:re(t)}));if(i.kind!=="advanced")throw g(Zs(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:a}}o(Cp,"completeLogin");async function $_(e){let t=e.now??new Date,r=await Fs(e.browserLoginStateToken);return H$(A_(await K().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await le(e.browserLoginStateToken),now:re(t)})))}o($_,"getAwaitingLogin");async function M_(e){let t=await Ip(e);return L$({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(M_,"getSetup");async function Ip(e){let t=e.now??new Date,r=await Rp(e.csrfToken);return D$(A_(await K().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await le(e.csrfToken),now:re(t)})))}o(Ip,"getSetupTransaction");async function B$(e){let t=await Rp(e.csrfToken),r=Gt(),n=re(Bt(e.now,$$)),a=await K().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await le(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await le(r),authorizationCodeExpiresAt:n,grantId:Rm(),now:re(e.now)});if(a.kind!=="approved")throw g(a.kind==="cancelled"?"oauth_state_invalid":E_(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(B$,"createAuthorizationCodeRedirectWithDecision");async function G$(e){let t=await Rp(e.csrfToken),r=await K().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await le(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:re(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":E_(r.kind),"Authorization setup state is invalid, expired, or already used.");return V$({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(G$,"createCancelRedirectWithDecision");function V$(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(V$,"buildClientCancelRedirect");async function z_(e){let t=e.now??new Date;return B$({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}o(z_,"approve");async function q_(e){let t=e.now??new Date;return G$({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}o(q_,"cancel");ue();var F$=1e4,Z$=5*1024,K$=2,J$=90*24*60*60,Pp=["authorization_code","refresh_token"],xp=["code"],W$=u.object({client_name:u.string().min(1).optional(),redirect_uris:u.array(u.string().min(1)).min(1),grant_types:u.array(u.enum(Pp)).min(1).max(2).optional(),response_types:u.array(u.enum(xp)).min(1).max(1).optional(),scope:u.literal(ye).optional(),token_endpoint_auth_method:_m.default("none")});function Y$(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&xe(t))&&t.pathname!=="/"}catch{return!1}}o(Y$,"isCimdClientIdCandidate");function Na(e,t="invalid_request"){if(Q$(e))throw new M(t,"redirect_uris must not include raw whitespace or control characters.");let r;try{r=new URL(e)}catch{throw new M(t,"redirect_uris must be absolute URIs.")}if(r.hash||r.username||r.password)throw new M(t,"redirect_uris must not include credentials or fragments.");if(!(r.protocol==="https:"||xe(r)))throw new M(t,"redirect_uris must use HTTPS except loopback HTTP redirects for local clients.")}o(Na,"assertValidRedirectUri");function Q$(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(Q$,"hasForbiddenRawRedirectUriCharacter");async function X$(e){let{response:t,json:r}=await bh(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:K$,maxResponseBytes:Z$,timeoutMs:F$});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let n=bm.parse(r);if(n.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return n}o(X$,"fetchCimdMetadata");async function eM(e){let t=Ai(e),r=await X$({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(eM,"resolveCimdClient");async function Ks(e,t){let r=Ae.parse(e);if(Y$(r)){if(!ke().gateway.cimdEnabled)throw new M("invalid_client","OAuth client is not registered.");try{return await eM(r)}catch{throw new M("invalid_client","OAuth client is not registered.")}}let n=await K().readClient({clientId:r});if(n.kind==="found"){let a=n.client,i={kind:"dcr",clientId:r,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new M("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(Ks,"resolveClient");function N_(e,t){if(!e.metadata.redirect_uris.some(r=>Cm(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}o(N_,"assertRedirectRegistered");function tM(e){let t=j_(e.grant_types),r=e.response_types??[...xp];if(!rM(t))throw new M("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!nM(r))throw new M("invalid_client_metadata","response_types must be code.");if(!oM(e.scope))throw new M("invalid_client_metadata",`Only the ${ye} scope is supported.`)}o(tM,"assertSupportedDcrRequest");function j_(e){return e===void 0?[...Pp]:Array.from(new Set(e))}o(j_,"normalizeGrantTypes");function rM(e){return e.length===0?!1:e.every(t=>Pp.includes(t))}o(rM,"isSupportedGrantTypes");function nM(e){return e.length===xp.length&&e[0]==="code"}o(nM,"isSupportedResponseTypes");function oM(e){return e===void 0||e===ye}o(oM,"isSupportedDcrScope");function ja(e){if(e===void 0||e===ye)return ye;throw new M("invalid_request",`Only the ${ye} scope is supported.`)}o(ja,"assertSupportedOAuthScope");function po(e,t){let r;try{r=new URL(t)}catch{throw new M("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new M("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!xe(r))throw new M("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=ae(e),a=ph(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new M("invalid_target","resource must match a published virtual MCP server.");return i}o(po,"resolveResource");async function D_(e){let t;try{t=W$.parse(e)}catch(l){if(l instanceof u.ZodError){let m=l.issues.some(h=>h.path[0]==="redirect_uris");throw new M(m?"invalid_redirect_uri":"invalid_client_metadata",l.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:l})}throw l}tM(t);for(let l of t.redirect_uris)Na(l,"invalid_redirect_uri");let r=new Date,n=Ae.parse(`dcr:${crypto.randomUUID()}`),a=Bt(r,J$),i=Math.floor(r.getTime()/1e3),s=Math.floor(a.getTime()/1e3),c={client_id:n,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:j_(t.grant_types),response_types:["code"],scope:ye,token_endpoint_auth_method:t.token_endpoint_auth_method,client_id_issued_at:i},d={clientId:n,clientName:String(c.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:t.token_endpoint_auth_method,createdAt:re(r),clientExpiresAt:re(a)};if(t.token_endpoint_auth_method!=="none"){let l=Gt();d.hashedClientSecret=await le(l),d.clientSecretExpiresAt=re(a),c.client_secret=l,c.client_secret_expires_at=s,c.client_secret_issued_at=i}if((await K().registerClient(d)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");return c}o(D_,"registerDownstreamClient");var aM="data:,",H_=se`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,L_=se`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function iM(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(iM,"safeGatewayConnectHref");function sM(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(sM,"deriveMode");function cM(e){return c_({state:e.state,submitOnceAttrs:H_,authorizeAttrs:Ma})}o(cM,"renderActions");function kp(e,t,r){for(let n of e){if(n.ownerMode!=="user"||n.status!==r)continue;let a=iM(n.connectUrl,t);if(a)return a}}o(kp,"firstUserConnectHref");function uM(e){let t=e.connectHref?se`<a class="button button--primary" href="${e.connectHref}" ${L_}>Connect</a>`:se`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return se`<form class="actions" method="post" action="/oauth/setup" ${H_}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}o(uM,"renderSetupActions");function dM(e){return e?se`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${L_}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:Ma}o(dM,"renderReconnectAction");function Tp(e){let t=sM(e.upstreams),r=kp(e.upstreams,e.gatewayOrigin,"not_connected"),n=kp(e.upstreams,e.gatewayOrigin,"reconsent_required"),a=kp(e.upstreams,e.gatewayOrigin,"active"),i=t==="setup"?r??n:void 0,s=se`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.virtualServerDisplayName}</strong>' on your behalf?</p>`,c=t==="setup"?se`<footer class="card__footer">${uM({state:e.state,connectHref:i})}</footer>`:se`<footer class="card__footer">${dM(a)}${cM({state:e.state})}</footer>`;return Mr(ar({title:`Authorize access \xB7 ${e.virtualServerDisplayName}`,iconHref:aM,styles:or,headerIcon:Ma,heading:"MCP Gateway",subhead:Ma,body:s,footer:c}))}o(Tp,"renderConsentPage");function lM(e){try{return new URL(e).host}catch{return}}o(lM,"safeUrlHost");function pM(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}o(pM,"readOAuthScopes");function Ap(e){return e!==void 0&&e.length>0}o(Ap,"hasItems");function mM(e){let t=e.registeredConnection.config.serverInfo?.icons;if(Ap(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&Ap(r)?r:void 0}o(mM,"readServerIcons");async function fM(e){if(!(e.returnTo===void 0||!e.isUserOwned))return Lu({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(fM,"readConnectUrl");function yn(e,t){return t===void 0?{}:{[e]:t}}o(yn,"optionalRequirementField");function hM(e){return e.isUserOwned?Nm(e.connection):{connected:!0,status:"active"}}o(hM,"readSetupConnectionStatus");function gM(e){let t=pM(e);return Ap(t)?t:void 0}o(gM,"readScopesRequested");function yM(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(yM,"readUpdatedAt");function SM(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map(xi),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(ki),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(Ti)}}o(SM,"readVirtualServerCapabilities");async function vM(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=Oi(r),c=s==="user",d=hM({connection:e.connection,isUserOwned:c}),p=await fM({...e,connected:d.connected,isUserOwned:c});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:SM({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...yn("description",n.description),...yn("transportHost",lM(n.transport.baseUrl)),...yn("scopesRequested",gM(t)),...yn("serverIcons",mM({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...yn("connectUrl",p),...yn("updatedAt",yM({connectionStatus:d,isUserOwned:c})),...yn("expiresAt",e.connection?.expiresAt)}}o(vM,"buildSetupRequirement");function B_(e){let t=at().byVirtualServerId.get(e);if(!t)throw g("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(B_,"requireVirtualServer");async function Ep(e){let t=B_(e.transaction.virtualServerId),r=dr(e.transaction.principal.subjectId),n=[],a=new Map;for(let c of t.connections)Oi(c.authMode)==="user"&&(a.set(c,n.length),n.push({owner:r,upstreamServerId:c.upstreamServerId,authProfileId:c.authProfileId}));let i=await K().batchGetUpstreamConnections(n),s=[];for(let c of t.connections){let d=Oi(c.authMode)==="user",p=a.get(c);s.push(await vM({connection:d&&p!==void 0?i[p]:void 0,registeredConnection:c,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(Ep,"requirementsForSetup");function _M(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(_M,"readVirtualServerDisplayName");async function Up(e){let t=B_(e.transaction.virtualServerId),r=_M({virtualServer:t}),n=await K().readClient({clientId:e.transaction.clientId}),a=n.kind==="found"?n.client:void 0,i={gatewayOrigin:ae(e.requestUrl),virtualServerDisplayName:r,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.serverInfo?.title;return s!==void 0&&s!==r&&(i.virtualServerDescription=s),i}o(Up,"consentContext");function G_(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(G_,"hasUnresolvedUserUpstream");var wM=["mcp_user"],bM="dev-browser-user",RM=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),CM=u.object({response_type:u.literal("code"),client_id:u.string().min(1),redirect_uri:u.string().min(1),resource:u.url(),code_challenge:u.string().min(43),code_challenge_method:ei,state:u.string().min(1).optional(),scope:u.literal(ye).default(ye)}),IM=u.enum(["continue","approve","cancel"]).default("continue"),PM=u.object({state:u.string().min(1),decision:IM}),xM=u.object({state:u.string().min(1),apiKey:u.string().min(1)}),Sn=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function V_(e){return typeof e=="string"&&e.length>0?e:void 0}o(V_,"readQueryString");function kM(e){let t=Array.from(at().byVirtualServerId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return ur(r.virtualServerId,e.url)}o(kM,"inferSingleVirtualServerResource");function TM(e,t){let r=V_(e.query.resource);if(t===void 0){if(r!==void 0)return r;let a=kM(e);if(a!==void 0)return a;throw new M("invalid_target",RM)}let n=ur(t,e.url);if(r===void 0||r===n)return n;throw new M("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(TM,"requireAuthorizeResource");async function AM(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await Vs(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=g_(e);return{principal:i,setCookie:await qa({principal:i,requestUrl:e.url,virtualServerId:t})}}o(AM,"resolveBrowserPrincipal");async function EM(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await Vs(e,n);if(!a.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(EM,"requireSetupPrincipal");async function F_(e){let t=await Ep({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:`/oauth/setup?state=${encodeURIComponent(e.csrfToken)}`}),r=await Up({transaction:e.transaction,requestUrl:e.requestUrl}),n={kind:"setup_page",html:Tp({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(F_,"renderSetup");function UM(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o(UM,"toAuthorizationTransactionClient");async function Op(e,t={}){let r=CM.parse({...e.query,resource:TM(e,t.virtualServerId),state:V_(e.query.state)}),n=ja(r.scope);Na(r.redirect_uri);let a=new Date,i=Ae.parse(r.client_id),s=await Ks(r.client_id,a);N_(s,r.redirect_uri);try{let c=po(e.url,r.resource),d=UM(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i,virtualServerId:c.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&V(t.context,{eventType:B.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.virtualServerId,attributes:{clientId:i,scope:n,responseType:r.response_type}});let p={clientId:s?.clientId??i,...d===void 0?{}:{client:d},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:c.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:l,setCookie:m}=await AM(e,c.virtualServerId,t.context);if(!l){let y=await U_({transaction:p,requestUrl:e.url,now:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i,virtualServerId:c.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let v={kind:"redirect",location:y.browserLoginUrl};return m!==void 0&&(v.setCookie=m),v}let h=await O_({transaction:p,principal:l,now:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i,virtualServerId:c.virtualServerId,subjectId:l.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&V(t.context,{eventType:B.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.virtualServerId,attributes:{clientId:i,scope:n,responseType:r.response_type,subjectId:l.subjectId}}),F_({transaction:h.transaction,csrfToken:h.csrfToken,requestUrl:e.url,setCookie:m})}catch(c){throw OM({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}o(Op,"authorizeDownstreamClient");function OM(e){if(e.cause instanceof Sn)return e.cause;let t=$M(e.cause);return t?new Sn({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(OM,"toDownstreamAuthorizeRedirectError");function $M(e){if(e instanceof M)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof u.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o($M,"mapToOAuthRedirectError");async function Z_(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,l=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...l===void 0?{}:{idpErrorUri:l}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",p??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let a=await Fs(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await S_(i),c=await Cp({browserLoginStateToken:n,principal:s}),d=await F_({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url});return d.setCookie=await qa({principal:s,requestUrl:e.url,virtualServerId:c.transaction.virtualServerId}),d}o(Z_,"completeBrowserLoginCallback");async function K_(e){let t=ke(),r=new URL(e.url);if(!xe(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw g("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",ae(e.url)),i=new URL(ae(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:ve.parse(bM),roles:wM};return{kind:"redirect",location:a,setCookie:await qa({principal:s,requestUrl:e.url})}}o(K_,"completeLocalDevBrowserLogin");async function J_(e){let t=xM.parse(e.body),r=await $_({browserLoginStateToken:t.state}),n=await y_({apiKey:t.apiKey,virtualServerId:r.virtualServerId}),a=await Cp({browserLoginStateToken:t.state,principal:n});await Rg({apiKey:t.apiKey,principal:n,virtualServerId:a.transaction.virtualServerId});let i=new URL("/oauth/setup",vt(e.request.url));return i.searchParams.set("state",a.csrfToken),{kind:"redirect",location:i,setCookie:await qa({principal:n,requestUrl:e.request.url,virtualServerId:a.transaction.virtualServerId})}}o(J_,"completeApiKeyBrowserLogin");function MM(e){let t=e.method==="POST"?e.body:e.query;return PM.parse(t)}o(MM,"readSetupContinueRequest");async function W_(e){let{state:t,decision:r}=MM({method:e.request.method,query:e.request.query,body:e.body}),n=new Date,a=await Ip({csrfToken:t,now:n}),i=await EM(e.request,a.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await q_({csrfToken:t,currentBrowserPrincipal:i,now:n})};let s=await M_({csrfToken:t,currentBrowserPrincipal:i,now:n}),c=await Ep({transaction:s,requestUrl:e.request.url,returnTo:`/oauth/setup?state=${encodeURIComponent(t)}`});if(r==="continue"||G_(c)){let d=await Up({transaction:s,requestUrl:e.request.url});return{kind:"setup_page",html:Tp({state:t,virtualServerId:s.virtualServerId,upstreams:c,...d})}}return{kind:"redirect",location:await z_({csrfToken:t,currentBrowserPrincipal:i,now:n})}}o(W_,"continueDownstreamAuthorizeSetup");ue();import{createLocalJWKSet as zM,decodeJwt as qM,errors as Da,jwtVerify as NM}from"jose";var jM=new Set(["authorization_code","refresh_token"]),DM="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",HM=1e4,LM=32*1024,BM=2,Y_=u.object({client_id:u.string().min(1).optional(),client_secret:u.string().min(1).optional(),client_assertion_type:u.string().min(1).optional(),client_assertion:u.string().min(1).optional()}),GM=u.discriminatedUnion("grant_type",[Y_.extend({grant_type:u.literal("authorization_code"),code:u.string().min(1),redirect_uri:u.string().min(1),code_verifier:ti,resource:u.url().optional(),scope:u.literal(ye).optional()}),Y_.extend({grant_type:u.literal("refresh_token"),refresh_token:u.string().min(1),resource:u.url().optional(),scope:u.literal(ye).optional()})]);function VM(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!jM.has(t)))throw new M("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(VM,"assertSupportedGrantType");var FM=u.object({token:u.string().min(1),client_id:u.string().min(1).optional(),token_type_hint:u.string().optional(),client_secret:u.string().min(1).optional(),client_assertion_type:u.string().min(1).optional(),client_assertion:u.string().min(1).optional()}),ZM=u.object({keys:u.array(u.record(u.string(),u.unknown())).min(1)}).passthrough();function Q_(){return ke().gateway.accessTokenTtlSeconds}o(Q_,"readAccessTokenTtlSeconds");function KM(){return ke().gateway.refreshTokenTtlSeconds}o(KM,"readRefreshTokenTtlSeconds");function JM(e,t){let r=Q_(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:re(Bt(e,a)),expiresIn:a}}o(JM,"calculateAccessTokenExpiresAt");function X_(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new M("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new M("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new M("invalid_client","Malformed HTTP Basic client authentication.")}}o(X_,"readBasicClientSecret");function ew(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new M("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=qM(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new M("invalid_client","Malformed private_key_jwt client assertion.")}throw new M("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new M("invalid_client","Client authentication or client_id is required.")}o(ew,"resolveAuthenticatedClientId");function WM(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new M("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(WM,"resolveClientSecretInput");function YM(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}o(YM,"hasClientAssertion");function QM(e){if(e.requestUrl===void 0)throw new M("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,e.requestUrl);return t.search="",t.hash="",t.toString()}o(QM,"buildEndpointAudience");function XM(e){return e instanceof Da.JWTExpired?"expired":e instanceof Da.JWTClaimValidationFailed?"claim":e instanceof Da.JWSSignatureVerificationFailed?"signature":e instanceof Da.JWKSNoMatchingKey?"jwks_no_match":e instanceof Da.JWTInvalid?"invalid":e instanceof u.ZodError?"schema":"other"}o(XM,"readJwtFailureKind");async function ez(e){let{response:t,json:r}=await Rh(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:BM,maxResponseBytes:LM,timeoutMs:HM});if(!t.ok)throw new M("invalid_client","Client JWKS could not be fetched.");return ZM.parse(r)}o(ez,"fetchClientJwks");async function tz(e){if(e.clientAssertionType!==DM||e.clientAssertion===void 0)throw new M("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=Ae.parse(e.clientId),r=await Ks(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new M("invalid_client","Client is not registered for private_key_jwt authentication.");let n=r.metadata.jwks_uri;if(n===void 0)throw new M("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let a=QM({requestUrl:e.requestUrl,pathname:e.endpointPathname});try{let i=await ez({jwksUri:n,context:e.context});await NM(e.clientAssertion,zM(i),{issuer:t,subject:t,audience:a,currentDate:e.now})}catch(i){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:XM(i)},"OAuth private_key_jwt client authentication failed"),new M("invalid_client","Client authentication failed.")}return{method:"private_key_jwt",clientId:t}}o(tz,"verifyPrivateKeyJwtClientAssertion");async function rz(e){let t=Ae.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await le(e.clientSecret)}}o(rz,"buildRuntimeHttpClientAuth");async function tw(e){if(YM({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new M("invalid_request","Use only one client authentication method per request.");return tz(e)}let t=WM({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return rz({clientId:e.clientId,...t})}o(tw,"resolveRuntimeHttpClientAuth");async function rw(e){VM(e.body);let t=GM.parse(e.body),r=X_(e.authorizationHeader),n=ew({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date,i=await tw({clientId:n,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,endpointPathname:"/oauth/token",now:a,context:e.context});return nz({parsed:t,clientId:n,clientAuth:i,now:a,requestUrl:e.requestUrl,context:e.context})}o(rw,"exchangeDownstreamToken");async function nz(e){if(e.parsed.grant_type==="authorization_code"){Na(e.parsed.redirect_uri),ja(e.parsed.scope),e.parsed.resource!==void 0&&po(e.requestUrl??e.parsed.resource,e.parsed.resource);let s=Gt(),c=Gt(),d=re(Bt(e.now,KM())),p=JM(e.now,d),l=await K().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await le(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await Ef(e.parsed.code_verifier),currentRefreshTokenHash:await le(s),accessTokenHash:await le(c),grantExpiresAt:d,accessTokenExpiresAt:p.expiresAt,now:re(e.now)});if(l.kind==="invalid_client")throw new M("invalid_client","Client authentication failed.");if(l.kind==="resource_mismatch")throw new M("invalid_target","Token request resource must match the authorization code resource.");if(l.kind!=="exchanged")throw new M("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&V(e.context,{eventType:B.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:c,token_type:"Bearer",expires_in:p.expiresIn,refresh_token:s,scope:l.grant.scope,resource:l.grant.resource}}ja(e.parsed.scope),e.parsed.resource!==void 0&&po(e.requestUrl??e.parsed.resource,e.parsed.resource);let t=Gt(),r=Gt(),n=re(Bt(e.now,Q_())),a=await K().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await le(e.parsed.refresh_token),nextRefreshTokenHash:await le(t),accessTokenHash:await le(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:n,now:re(e.now)});if(a.kind==="invalid_client")throw new M("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new M("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new M("invalid_grant","Refresh token is invalid, expired, or revoked.");po(e.requestUrl??a.grant.resource,a.grant.resource);let i=a.accessToken.expiresAt;return e.context&&(V(e.context,{eventType:B.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),V(e.context,{eventType:B.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(i).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:a.grant.scope,resource:a.grant.resource}}o(nz,"exchangeDownstreamTokenWithRuntimeHttp");async function nw(e){let t=FM.parse(e.body),r=X_(e.authorizationHeader),n=ew({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date;if((await K().revokeOAuthToken({clientAuth:await tw({clientId:n,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,endpointPathname:"/oauth/revoke",now:a,context:e.context}),tokenHash:await le(t.token),now:re(a)})).kind==="invalid_client")throw new M("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:n,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&V(e.context,{eventType:B.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:n,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}o(nw,"revokeDownstreamToken");var oz=64*1024,az=16*1024,iz="text/html; charset=utf-8";function sz(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(sz,"formDataToObject");async function cz(e){return o_(e,{maxBytes:oz,label:"Request body"})}o(cz,"readJsonBody");async function Js(e){return sz(await Gs(e,{maxBytes:az,label:"Request body"}))}o(Js,"readFormBody");async function Ws(e,t,r){let n=ge(r),a=r instanceof u.ZodError?ow(r):void 0,i={code:n??(r instanceof u.ZodError?"invalid_request":"internal_server_error")};return a!==void 0&&(i.detail=a),dt(e,t,i)}o(Ws,"handleProblem");function Ha(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(Ha,"oauthErrorResponse");function uz(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(uz,"readOAuthProtocolHeaders");function dz(e,t){let r=Ke("internal_server_error");return Ha({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:uz(e,t)})}o(dz,"oauthProtocolErrorResponse");function lz(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(lz,"readZodOAuthErrorCode");function pz(e){let t={error:lz(e)},r=ow(e);return r!==void 0&&(t.errorDescription=r),Ha(t)}o(pz,"oauthZodErrorResponse");function mz(e){let t=ge(e);if(t===void 0)return;let r=Ke(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:hz(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,Ha(n)}o(mz,"oauthGatewayProblemResponse");function fz(){let t={error:"server_error",status:500,errorDescription:Ke("internal_server_error").publicDetail};return Ha(t)}o(fz,"oauthFallbackErrorResponse");function hz(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(hz,"readOAuthStatus");function mo(e,t={}){return e instanceof Sn?gz(e):e instanceof M?dz(e,t):e instanceof u.ZodError?pz(e):mz(e)??fz()}o(mo,"oauthProblemResponse");function jt(e,t,r){let n={event:t},a=!1;if(r instanceof M)n.oauthError=r.errorCode,n.status=r.status,Ye(n,"error",r);else if(r instanceof Sn)n.oauthError=r.errorCode,Ye(n,"error",r);else if(r instanceof u.ZodError){n.code="invalid_request",Ye(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=ge(r);if(i!==void 0){let s=Ke(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",Ye(n,"error",r)}else a=!0,Ye(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(jt,"logUnexpectedOAuthHandlerError");function gz(e){let t;try{t=new URL(e.redirectUri)}catch{return Ha({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(gz,"downstreamAuthorizeRedirectErrorResponse");function ow(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(ow,"formatZodErrorDetail");function yz(e,t){let r={event:"browser_login_callback_failed",code:ge(t)??"invalid_request"};Ye(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(yz,"logBrowserLoginCallbackFailure");function $p(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o($p,"redirectResultResponse");function Ys(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":iz,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return $p(e)}o(Ys,"authorizeResultResponse");async function aw(e,t){try{return Response.json(xc(e.url))}catch(r){return jt(t,"oauth_authorization_server_metadata_failed",r),Ws(e,t,r)}}o(aw,"authorizationServerMetadataHandler");async function iw(e,t){try{let r=Te.parse(e.params.virtualServerId),n=Hr(r);return Response.json(Pm({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return jt(t,"oauth_authorization_server_metadata_failed",r),Ws(e,t,r)}}o(iw,"scopedAuthorizationServerMetadataHandler");async function sw(e,t){try{let r=await D_(await cz(e)),n=r,a=typeof n.client_id=="string"?n.client_id:void 0,i=typeof n.client_name=="string"?n.client_name:void 0,s=Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,c=typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:a,clientName:i,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),V(t,{eventType:B.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:i,attributes:{clientId:a,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return jt(t,"oauth_register_failed",r),mo(r)}}o(sw,"registerHandler");async function cw(e,t){try{return Ys(await Op(e,{context:t}))}catch(r){return jt(t,"oauth_authorize_failed",r),mo(r,{includeInvalidClientChallenge:!1})}}o(cw,"authorizeHandler");async function uw(e,t){try{let r=Te.parse(e.params.virtualServerId),n=Hr(r);return Ys(await Op(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return jt(t,"oauth_authorize_scoped_failed",r),mo(r,{includeInvalidClientChallenge:!1})}}o(uw,"scopedAuthorizeHandler");async function dw(e,t){try{let r=await Z_(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Ys(r)}catch(r){return yz(t,r),Ws(e,t,r)}}o(dw,"callbackHandler");async function lw(e,t){try{return $p(await K_(e))}catch(r){return jt(t,"oauth_dev_login_failed",r),mo(r)}}o(lw,"devLoginHandler");async function pw(e,t){let r=(()=>{try{return new URL(e.url).host}catch{return""}})();try{if(e.method==="GET"){let n=typeof e.query.state=="string"?e.query.state:void 0;return n?p_(r,n):Sp(r,400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):$p(await J_({request:e,body:await Js(e)}))}catch(n){return jt(t,"oauth_api_key_login_failed",n),Sp(r)}}o(pw,"apiKeyLoginHandler");async function mw(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await W_({request:e,body:e.method==="POST"?await Js(e):void 0,context:t});return Ys(r)}catch(r){return jt(t,"oauth_setup_failed",r),Ws(e,t,r)}}o(mw,"setupHandler");async function fw(e,t){try{return Response.json(await rw({body:await Js(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return jt(t,"oauth_token_failed",r),mo(r)}}o(fw,"tokenHandler");async function hw(e,t){try{return await nw({body:await Js(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return jt(t,"oauth_revoke_failed",r),mo(r)}}o(hw,"revokeHandler");var Sz={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},gw=new kt("upstream-request");function vz(e){let t=gw.get(e);if(!t)throw g("internal_server_error","Upstream request context has not been set");return t}o(vz,"readUpstreamRequestContext");function _z(e,t){return t.some(r=>r===e)}o(_z,"requestContextMatchesKind");function wz(e){return typeof e=="string"?[e]:e}o(wz,"toExpectedKinds");function vn(e,t){gw.set(e,t)}o(vn,"setUpstreamRequestContext");function _n(e,t){let r=vz(e),n=wz(t);if(!_z(r.kind,n)){let a=Sz[n[0]];throw g("internal_server_error",`${a} request context has not been set`)}return r}o(_n,"requireUpstreamRequestContext");function yw(e){return se`<form class="form" method="post" action="${e.action}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}" />${e.fields}<p class="form__note">The gateway stores this encrypted and keeps it out of MCP client