@zuplo/runtime 6.70.33 → 6.70.35

package/out/esm/mcp-gateway/index.js

@@ -22,41 +22,12 @@
  *  DEALINGS IN THE SOFTWARE.
  *--------------------------------------------------------------------------------------------*/
     
-import{$ as ct,A as vc,B as $t,J as lm,K as wc,L as rb,M as pm,N as f,O as mm,P as ne,Q as ue,R as fm,S as hm,T as Re,U as R,V as C,W as Pe,X as ye,Y as bc,Z as Rc,_ as me,a as zt,aa as O,b as um,ba as be,ca as gm,da as Cc,ea as ym,fa as Sm,ga as u,ha as de,ia as _m,j as Ae,k as dm,q as Sc,s as Un,x as _c}from"../chunk-SFFHEDT5.js";import{d as ni}from"../chunk-TOF2KNST.js";import{a as F}from"../chunk-A2CSR4RF.js";import{$ as K,a as o,aa as E,ba as q,c as x,ca as Eo,e as cm}from"../chunk-2VLXJLVI.js";var ha=x(ae=>{"use strict";Object.defineProperty(ae,"__esModule",{value:!0});ae.regexpCode=ae.getEsmExportName=ae.getProperty=ae.safeStringify=ae.stringify=ae.strConcat=ae.addCodeArg=ae.str=ae._=ae.nil=ae._Code=ae.Name=ae.IDENTIFIER=ae._CodeOrName=void 0;var ma=class{static{o(this,"_CodeOrName")}};ae._CodeOrName=ma;ae.IDENTIFIER=/^[a-z$_][a-z$_0-9]*$/i;var mn=class extends ma{static{o(this,"Name")}constructor(t){if(super(),!ae.IDENTIFIER.test(t))throw new Error("CodeGen: name must be a valid identifier");this.str=t}toString(){return this.str}emptyStr(){return!1}get names(){return{[this.str]:1}}};ae.Name=mn;var _t=class extends ma{static{o(this,"_Code")}constructor(t){super(),this._items=typeof t=="string"?[t]:t}toString(){return this.str}emptyStr(){if(this._items.length>1)return!1;let t=this._items[0];return t===""||t==='""'}get str(){var t;return(t=this._str)!==null&&t!==void 0?t:this._str=this._items.reduce((r,n)=>`${r}${n}`,"")}get names(){var t;return(t=this._names)!==null&&t!==void 0?t:this._names=this._items.reduce((r,n)=>(n instanceof mn&&(r[n.str]=(r[n.str]||0)+1),r),{})}};ae._Code=_t;ae.nil=new _t("");function Jg(e,...t){let r=[e[0]],n=0;for(;n<t.length;)Rd(r,t[n]),r.push(e[++n]);return new _t(r)}o(Jg,"_");ae._=Jg;var bd=new _t("+");function Wg(e,...t){let r=[fa(e[0])],n=0;for(;n<t.length;)r.push(bd),Rd(r,t[n]),r.push(bd,fa(e[++n]));return Ik(r),new _t(r)}o(Wg,"str");ae.str=Wg;function Rd(e,t){t instanceof _t?e.push(...t._items):t instanceof mn?e.push(t):e.push(kk(t))}o(Rd,"addCodeArg");ae.addCodeArg=Rd;function Ik(e){let t=1;for(;t<e.length-1;){if(e[t]===bd){let r=Pk(e[t-1],e[t+1]);if(r!==void 0){e.splice(t-1,3,r);continue}e[t++]="+"}t++}}o(Ik,"optimize");function Pk(e,t){if(t==='""')return e;if(e==='""')return t;if(typeof e=="string")return t instanceof mn||e[e.length-1]!=='"'?void 0:typeof t!="string"?`${e.slice(0,-1)}${t}"`:t[0]==='"'?e.slice(0,-1)+t.slice(1):void 0;if(typeof t=="string"&&t[0]==='"'&&!(e instanceof mn))return`"${e}${t.slice(1)}`}o(Pk,"mergeExprItems");function xk(e,t){return t.emptyStr()?e:e.emptyStr()?t:Wg`${e}${t}`}o(xk,"strConcat");ae.strConcat=xk;function kk(e){return typeof e=="number"||typeof e=="boolean"||e===null?e:fa(Array.isArray(e)?e.join(","):e)}o(kk,"interpolate");function Ak(e){return new _t(fa(e))}o(Ak,"stringify");ae.stringify=Ak;function fa(e){return JSON.stringify(e).replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}o(fa,"safeStringify");ae.safeStringify=fa;function Tk(e){return typeof e=="string"&&ae.IDENTIFIER.test(e)?new _t(`.${e}`):Jg`[${e}]`}o(Tk,"getProperty");ae.getProperty=Tk;function Ek(e){if(typeof e=="string"&&ae.IDENTIFIER.test(e))return new _t(`${e}`);throw new Error(`CodeGen: invalid export name: ${e}, use explicit $id name mapping`)}o(Ek,"getEsmExportName");ae.getEsmExportName=Ek;function Uk(e){return new _t(e.toString())}o(Uk,"regexpCode");ae.regexpCode=Uk});var Pd=x(at=>{"use strict";Object.defineProperty(at,"__esModule",{value:!0});at.ValueScope=at.ValueScopeName=at.Scope=at.varKinds=at.UsedValueState=void 0;var ot=ha(),Cd=class extends Error{static{o(this,"ValueError")}constructor(t){super(`CodeGen: "code" for ${t} not defined`),this.value=t.value}},Qi;(function(e){e[e.Started=0]="Started",e[e.Completed=1]="Completed"})(Qi||(at.UsedValueState=Qi={}));at.varKinds={const:new ot.Name("const"),let:new ot.Name("let"),var:new ot.Name("var")};var es=class{static{o(this,"Scope")}constructor({prefixes:t,parent:r}={}){this._names={},this._prefixes=t,this._parent=r}toName(t){return t instanceof ot.Name?t:this.name(t)}name(t){return new ot.Name(this._newName(t))}_newName(t){let r=this._names[t]||this._nameGroup(t);return`${t}${r.index++}`}_nameGroup(t){var r,n;if(!((n=(r=this._parent)===null||r===void 0?void 0:r._prefixes)===null||n===void 0)&&n.has(t)||this._prefixes&&!this._prefixes.has(t))throw new Error(`CodeGen: prefix "${t}" is not allowed in this scope`);return this._names[t]={prefix:t,index:0}}};at.Scope=es;var ts=class extends ot.Name{static{o(this,"ValueScopeName")}constructor(t,r){super(r),this.prefix=t}setValue(t,{property:r,itemIndex:n}){this.value=t,this.scopePath=(0,ot._)`.${new ot.Name(r)}[${n}]`}};at.ValueScopeName=ts;var Ok=(0,ot._)`\n`,Id=class extends es{static{o(this,"ValueScope")}constructor(t){super(t),this._values={},this._scope=t.scope,this.opts={...t,_n:t.lines?Ok:ot.nil}}get(){return this._scope}name(t){return new ts(t,this._newName(t))}value(t,r){var n;if(r.ref===void 0)throw new Error("CodeGen: ref must be passed in value");let a=this.toName(t),{prefix:i}=a,s=(n=r.key)!==null&&n!==void 0?n:r.ref,c=this._values[i];if(c){let l=c.get(s);if(l)return l}else c=this._values[i]=new Map;c.set(s,a);let d=this._scope[i]||(this._scope[i]=[]),p=d.length;return d[p]=r.ref,a.setValue(r,{property:i,itemIndex:p}),a}getValue(t,r){let n=this._values[t];if(n)return n.get(r)}scopeRefs(t,r=this._values){return this._reduceValues(r,n=>{if(n.scopePath===void 0)throw new Error(`CodeGen: name "${n}" has no value`);return(0,ot._)`${t}${n.scopePath}`})}scopeCode(t=this._values,r,n){return this._reduceValues(t,a=>{if(a.value===void 0)throw new Error(`CodeGen: name "${a}" has no value`);return a.value.code},r,n)}_reduceValues(t,r,n={},a){let i=ot.nil;for(let s in t){let c=t[s];if(!c)continue;let d=n[s]=n[s]||new Map;c.forEach(p=>{if(d.has(p))return;d.set(p,Qi.Started);let l=r(p);if(l){let m=this.opts.es5?at.varKinds.var:at.varKinds.const;i=(0,ot._)`${i}${m} ${p} = ${l};${this.opts._n}`}else if(l=a?.(p))i=(0,ot._)`${i}${l}${this.opts._n}`;else throw new Cd(p);d.set(p,Qi.Completed)})}return i}};at.ValueScope=Id});var W=x(X=>{"use strict";Object.defineProperty(X,"__esModule",{value:!0});X.or=X.and=X.not=X.CodeGen=X.operators=X.varKinds=X.ValueScopeName=X.ValueScope=X.Scope=X.Name=X.regexpCode=X.stringify=X.getProperty=X.nil=X.strConcat=X.str=X._=void 0;var te=ha(),kt=Pd(),Nr=ha();Object.defineProperty(X,"_",{enumerable:!0,get:o(function(){return Nr._},"get")});Object.defineProperty(X,"str",{enumerable:!0,get:o(function(){return Nr.str},"get")});Object.defineProperty(X,"strConcat",{enumerable:!0,get:o(function(){return Nr.strConcat},"get")});Object.defineProperty(X,"nil",{enumerable:!0,get:o(function(){return Nr.nil},"get")});Object.defineProperty(X,"getProperty",{enumerable:!0,get:o(function(){return Nr.getProperty},"get")});Object.defineProperty(X,"stringify",{enumerable:!0,get:o(function(){return Nr.stringify},"get")});Object.defineProperty(X,"regexpCode",{enumerable:!0,get:o(function(){return Nr.regexpCode},"get")});Object.defineProperty(X,"Name",{enumerable:!0,get:o(function(){return Nr.Name},"get")});var as=Pd();Object.defineProperty(X,"Scope",{enumerable:!0,get:o(function(){return as.Scope},"get")});Object.defineProperty(X,"ValueScope",{enumerable:!0,get:o(function(){return as.ValueScope},"get")});Object.defineProperty(X,"ValueScopeName",{enumerable:!0,get:o(function(){return as.ValueScopeName},"get")});Object.defineProperty(X,"varKinds",{enumerable:!0,get:o(function(){return as.varKinds},"get")});X.operators={GT:new te._Code(">"),GTE:new te._Code(">="),LT:new te._Code("<"),LTE:new te._Code("<="),EQ:new te._Code("==="),NEQ:new te._Code("!=="),NOT:new te._Code("!"),OR:new te._Code("||"),AND:new te._Code("&&"),ADD:new te._Code("+")};var dr=class{static{o(this,"Node")}optimizeNodes(){return this}optimizeNames(t,r){return this}},xd=class extends dr{static{o(this,"Def")}constructor(t,r,n){super(),this.varKind=t,this.name=r,this.rhs=n}render({es5:t,_n:r}){let n=t?kt.varKinds.var:this.varKind,a=this.rhs===void 0?"":` = ${this.rhs}`;return`${n} ${this.name}${a};`+r}optimizeNames(t,r){if(t[this.name.str])return this.rhs&&(this.rhs=ro(this.rhs,t,r)),this}get names(){return this.rhs instanceof te._CodeOrName?this.rhs.names:{}}},rs=class extends dr{static{o(this,"Assign")}constructor(t,r,n){super(),this.lhs=t,this.rhs=r,this.sideEffects=n}render({_n:t}){return`${this.lhs} = ${this.rhs};`+t}optimizeNames(t,r){if(!(this.lhs instanceof te.Name&&!t[this.lhs.str]&&!this.sideEffects))return this.rhs=ro(this.rhs,t,r),this}get names(){let t=this.lhs instanceof te.Name?{}:{...this.lhs.names};return os(t,this.rhs)}},kd=class extends rs{static{o(this,"AssignOp")}constructor(t,r,n,a){super(t,n,a),this.op=r}render({_n:t}){return`${this.lhs} ${this.op}= ${this.rhs};`+t}},Ad=class extends dr{static{o(this,"Label")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`${this.label}:`+t}},Td=class extends dr{static{o(this,"Break")}constructor(t){super(),this.label=t,this.names={}}render({_n:t}){return`break${this.label?` ${this.label}`:""};`+t}},Ed=class extends dr{static{o(this,"Throw")}constructor(t){super(),this.error=t}render({_n:t}){return`throw ${this.error};`+t}get names(){return this.error.names}},Ud=class extends dr{static{o(this,"AnyCode")}constructor(t){super(),this.code=t}render({_n:t}){return`${this.code};`+t}optimizeNodes(){return`${this.code}`?this:void 0}optimizeNames(t,r){return this.code=ro(this.code,t,r),this}get names(){return this.code instanceof te._CodeOrName?this.code.names:{}}},ga=class extends dr{static{o(this,"ParentNode")}constructor(t=[]){super(),this.nodes=t}render(t){return this.nodes.reduce((r,n)=>r+n.render(t),"")}optimizeNodes(){let{nodes:t}=this,r=t.length;for(;r--;){let n=t[r].optimizeNodes();Array.isArray(n)?t.splice(r,1,...n):n?t[r]=n:t.splice(r,1)}return t.length>0?this:void 0}optimizeNames(t,r){let{nodes:n}=this,a=n.length;for(;a--;){let i=n[a];i.optimizeNames(t,r)||(Mk(t,i.names),n.splice(a,1))}return n.length>0?this:void 0}get names(){return this.nodes.reduce((t,r)=>gn(t,r.names),{})}},lr=class extends ga{static{o(this,"BlockNode")}render(t){return"{"+t._n+super.render(t)+"}"+t._n}},Od=class extends ga{static{o(this,"Root")}},to=class extends lr{static{o(this,"Else")}};to.kind="else";var fn=class e extends lr{static{o(this,"If")}constructor(t,r){super(r),this.condition=t}render(t){let r=`if(${this.condition})`+super.render(t);return this.else&&(r+="else "+this.else.render(t)),r}optimizeNodes(){super.optimizeNodes();let t=this.condition;if(t===!0)return this.nodes;let r=this.else;if(r){let n=r.optimizeNodes();r=this.else=Array.isArray(n)?new to(n):n}if(r)return t===!1?r instanceof e?r:r.nodes:this.nodes.length?this:new e(Yg(t),r instanceof e?[r]:r.nodes);if(!(t===!1||!this.nodes.length))return this}optimizeNames(t,r){var n;if(this.else=(n=this.else)===null||n===void 0?void 0:n.optimizeNames(t,r),!!(super.optimizeNames(t,r)||this.else))return this.condition=ro(this.condition,t,r),this}get names(){let t=super.names;return os(t,this.condition),this.else&&gn(t,this.else.names),t}};fn.kind="if";var hn=class extends lr{static{o(this,"For")}};hn.kind="for";var Md=class extends hn{static{o(this,"ForLoop")}constructor(t){super(),this.iteration=t}render(t){return`for(${this.iteration})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iteration=ro(this.iteration,t,r),this}get names(){return gn(super.names,this.iteration.names)}},zd=class extends hn{static{o(this,"ForRange")}constructor(t,r,n,a){super(),this.varKind=t,this.name=r,this.from=n,this.to=a}render(t){let r=t.es5?kt.varKinds.var:this.varKind,{name:n,from:a,to:i}=this;return`for(${r} ${n}=${a}; ${n}<${i}; ${n}++)`+super.render(t)}get names(){let t=os(super.names,this.from);return os(t,this.to)}},ns=class extends hn{static{o(this,"ForIter")}constructor(t,r,n,a){super(),this.loop=t,this.varKind=r,this.name=n,this.iterable=a}render(t){return`for(${this.varKind} ${this.name} ${this.loop} ${this.iterable})`+super.render(t)}optimizeNames(t,r){if(super.optimizeNames(t,r))return this.iterable=ro(this.iterable,t,r),this}get names(){return gn(super.names,this.iterable.names)}},ya=class extends lr{static{o(this,"Func")}constructor(t,r,n){super(),this.name=t,this.args=r,this.async=n}render(t){return`${this.async?"async ":""}function ${this.name}(${this.args})`+super.render(t)}};ya.kind="func";var Sa=class extends ga{static{o(this,"Return")}render(t){return"return "+super.render(t)}};Sa.kind="return";var $d=class extends lr{static{o(this,"Try")}render(t){let r="try"+super.render(t);return this.catch&&(r+=this.catch.render(t)),this.finally&&(r+=this.finally.render(t)),r}optimizeNodes(){var t,r;return super.optimizeNodes(),(t=this.catch)===null||t===void 0||t.optimizeNodes(),(r=this.finally)===null||r===void 0||r.optimizeNodes(),this}optimizeNames(t,r){var n,a;return super.optimizeNames(t,r),(n=this.catch)===null||n===void 0||n.optimizeNames(t,r),(a=this.finally)===null||a===void 0||a.optimizeNames(t,r),this}get names(){let t=super.names;return this.catch&&gn(t,this.catch.names),this.finally&&gn(t,this.finally.names),t}},_a=class extends lr{static{o(this,"Catch")}constructor(t){super(),this.error=t}render(t){return`catch(${this.error})`+super.render(t)}};_a.kind="catch";var va=class extends lr{static{o(this,"Finally")}render(t){return"finally"+super.render(t)}};va.kind="finally";var qd=class{static{o(this,"CodeGen")}constructor(t,r={}){this._values={},this._blockStarts=[],this._constants={},this.opts={...r,_n:r.lines?`
-`:""},this._extScope=t,this._scope=new kt.Scope({parent:t}),this._nodes=[new Od]}toString(){return this._root.render(this.opts)}name(t){return this._scope.name(t)}scopeName(t){return this._extScope.name(t)}scopeValue(t,r){let n=this._extScope.value(t,r);return(this._values[n.prefix]||(this._values[n.prefix]=new Set)).add(n),n}getScopeValue(t,r){return this._extScope.getValue(t,r)}scopeRefs(t){return this._extScope.scopeRefs(t,this._values)}scopeCode(){return this._extScope.scopeCode(this._values)}_def(t,r,n,a){let i=this._scope.toName(r);return n!==void 0&&a&&(this._constants[i.str]=n),this._leafNode(new xd(t,i,n)),i}const(t,r,n){return this._def(kt.varKinds.const,t,r,n)}let(t,r,n){return this._def(kt.varKinds.let,t,r,n)}var(t,r,n){return this._def(kt.varKinds.var,t,r,n)}assign(t,r,n){return this._leafNode(new rs(t,r,n))}add(t,r){return this._leafNode(new kd(t,X.operators.ADD,r))}code(t){return typeof t=="function"?t():t!==te.nil&&this._leafNode(new Ud(t)),this}object(...t){let r=["{"];for(let[n,a]of t)r.length>1&&r.push(","),r.push(n),(n!==a||this.opts.es5)&&(r.push(":"),(0,te.addCodeArg)(r,a));return r.push("}"),new te._Code(r)}if(t,r,n){if(this._blockNode(new fn(t)),r&&n)this.code(r).else().code(n).endIf();else if(r)this.code(r).endIf();else if(n)throw new Error('CodeGen: "else" body without "then" body');return this}elseIf(t){return this._elseNode(new fn(t))}else(){return this._elseNode(new to)}endIf(){return this._endBlockNode(fn,to)}_for(t,r){return this._blockNode(t),r&&this.code(r).endFor(),this}for(t,r){return this._for(new Md(t),r)}forRange(t,r,n,a,i=this.opts.es5?kt.varKinds.var:kt.varKinds.let){let s=this._scope.toName(t);return this._for(new zd(i,s,r,n),()=>a(s))}forOf(t,r,n,a=kt.varKinds.const){let i=this._scope.toName(t);if(this.opts.es5){let s=r instanceof te.Name?r:this.var("_arr",r);return this.forRange("_i",0,(0,te._)`${s}.length`,c=>{this.var(i,(0,te._)`${s}[${c}]`),n(i)})}return this._for(new ns("of",a,i,r),()=>n(i))}forIn(t,r,n,a=this.opts.es5?kt.varKinds.var:kt.varKinds.const){if(this.opts.ownProperties)return this.forOf(t,(0,te._)`Object.keys(${r})`,n);let i=this._scope.toName(t);return this._for(new ns("in",a,i,r),()=>n(i))}endFor(){return this._endBlockNode(hn)}label(t){return this._leafNode(new Ad(t))}break(t){return this._leafNode(new Td(t))}return(t){let r=new Sa;if(this._blockNode(r),this.code(t),r.nodes.length!==1)throw new Error('CodeGen: "return" should have one node');return this._endBlockNode(Sa)}try(t,r,n){if(!r&&!n)throw new Error('CodeGen: "try" without "catch" and "finally"');let a=new $d;if(this._blockNode(a),this.code(t),r){let i=this.name("e");this._currNode=a.catch=new _a(i),r(i)}return n&&(this._currNode=a.finally=new va,this.code(n)),this._endBlockNode(_a,va)}throw(t){return this._leafNode(new Ed(t))}block(t,r){return this._blockStarts.push(this._nodes.length),t&&this.code(t).endBlock(r),this}endBlock(t){let r=this._blockStarts.pop();if(r===void 0)throw new Error("CodeGen: not in self-balancing block");let n=this._nodes.length-r;if(n<0||t!==void 0&&n!==t)throw new Error(`CodeGen: wrong number of nodes: ${n} vs ${t} expected`);return this._nodes.length=r,this}func(t,r=te.nil,n,a){return this._blockNode(new ya(t,r,n)),a&&this.code(a).endFunc(),this}endFunc(){return this._endBlockNode(ya)}optimize(t=1){for(;t-- >0;)this._root.optimizeNodes(),this._root.optimizeNames(this._root.names,this._constants)}_leafNode(t){return this._currNode.nodes.push(t),this}_blockNode(t){this._currNode.nodes.push(t),this._nodes.push(t)}_endBlockNode(t,r){let n=this._currNode;if(n instanceof t||r&&n instanceof r)return this._nodes.pop(),this;throw new Error(`CodeGen: not in block "${r?`${t.kind}/${r.kind}`:t.kind}"`)}_elseNode(t){let r=this._currNode;if(!(r instanceof fn))throw new Error('CodeGen: "else" without "if"');return this._currNode=r.else=t,this}get _root(){return this._nodes[0]}get _currNode(){let t=this._nodes;return t[t.length-1]}set _currNode(t){let r=this._nodes;r[r.length-1]=t}};X.CodeGen=qd;function gn(e,t){for(let r in t)e[r]=(e[r]||0)+(t[r]||0);return e}o(gn,"addNames");function os(e,t){return t instanceof te._CodeOrName?gn(e,t.names):e}o(os,"addExprNames");function ro(e,t,r){if(e instanceof te.Name)return n(e);if(!a(e))return e;return new te._Code(e._items.reduce((i,s)=>(s instanceof te.Name&&(s=n(s)),s instanceof te._Code?i.push(...s._items):i.push(s),i),[]));function n(i){let s=r[i.str];return s===void 0||t[i.str]!==1?i:(delete t[i.str],s)}function a(i){return i instanceof te._Code&&i._items.some(s=>s instanceof te.Name&&t[s.str]===1&&r[s.str]!==void 0)}}o(ro,"optimizeExpr");function Mk(e,t){for(let r in t)e[r]=(e[r]||0)-(t[r]||0)}o(Mk,"subtractNames");function Yg(e){return typeof e=="boolean"||typeof e=="number"||e===null?!e:(0,te._)`!${Nd(e)}`}o(Yg,"not");X.not=Yg;var zk=Xg(X.operators.AND);function $k(...e){return e.reduce(zk)}o($k,"and");X.and=$k;var qk=Xg(X.operators.OR);function Nk(...e){return e.reduce(qk)}o(Nk,"or");X.or=Nk;function Xg(e){return(t,r)=>t===te.nil?r:r===te.nil?t:(0,te._)`${Nd(t)} ${e} ${Nd(r)}`}o(Xg,"mappend");function Nd(e){return e instanceof te.Name?e:(0,te._)`(${e})`}o(Nd,"par")});var ie=x(ee=>{"use strict";Object.defineProperty(ee,"__esModule",{value:!0});ee.checkStrictMode=ee.getErrorPath=ee.Type=ee.useFunc=ee.setEvaluated=ee.evaluatedPropsToName=ee.mergeEvaluated=ee.eachItem=ee.unescapeJsonPointer=ee.escapeJsonPointer=ee.escapeFragment=ee.unescapeFragment=ee.schemaRefOrVal=ee.schemaHasRulesButRef=ee.schemaHasRules=ee.checkUnknownRules=ee.alwaysValidSchema=ee.toHash=void 0;var pe=W(),Dk=ha();function jk(e){let t={};for(let r of e)t[r]=!0;return t}o(jk,"toHash");ee.toHash=jk;function Hk(e,t){return typeof t=="boolean"?t:Object.keys(t).length===0?!0:(ty(e,t),!ry(t,e.self.RULES.all))}o(Hk,"alwaysValidSchema");ee.alwaysValidSchema=Hk;function ty(e,t=e.schema){let{opts:r,self:n}=e;if(!r.strictSchema||typeof t=="boolean")return;let a=n.RULES.keywords;for(let i in t)a[i]||ay(e,`unknown keyword: "${i}"`)}o(ty,"checkUnknownRules");ee.checkUnknownRules=ty;function ry(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(t[r])return!0;return!1}o(ry,"schemaHasRules");ee.schemaHasRules=ry;function Lk(e,t){if(typeof e=="boolean")return!e;for(let r in e)if(r!=="$ref"&&t.all[r])return!0;return!1}o(Lk,"schemaHasRulesButRef");ee.schemaHasRulesButRef=Lk;function Bk({topSchemaRef:e,schemaPath:t},r,n,a){if(!a){if(typeof r=="number"||typeof r=="boolean")return r;if(typeof r=="string")return(0,pe._)`${r}`}return(0,pe._)`${e}${t}${(0,pe.getProperty)(n)}`}o(Bk,"schemaRefOrVal");ee.schemaRefOrVal=Bk;function Gk(e){return ny(decodeURIComponent(e))}o(Gk,"unescapeFragment");ee.unescapeFragment=Gk;function Vk(e){return encodeURIComponent(jd(e))}o(Vk,"escapeFragment");ee.escapeFragment=Vk;function jd(e){return typeof e=="number"?`${e}`:e.replace(/~/g,"~0").replace(/\//g,"~1")}o(jd,"escapeJsonPointer");ee.escapeJsonPointer=jd;function ny(e){return e.replace(/~1/g,"/").replace(/~0/g,"~")}o(ny,"unescapeJsonPointer");ee.unescapeJsonPointer=ny;function Fk(e,t){if(Array.isArray(e))for(let r of e)t(r);else t(e)}o(Fk,"eachItem");ee.eachItem=Fk;function Qg({mergeNames:e,mergeToName:t,mergeValues:r,resultToName:n}){return(a,i,s,c)=>{let d=s===void 0?i:s instanceof pe.Name?(i instanceof pe.Name?e(a,i,s):t(a,i,s),s):i instanceof pe.Name?(t(a,s,i),i):r(i,s);return c===pe.Name&&!(d instanceof pe.Name)?n(a,d):d}}o(Qg,"makeMergeEvaluated");ee.mergeEvaluated={props:Qg({mergeNames:o((e,t,r)=>e.if((0,pe._)`${r} !== true && ${t} !== undefined`,()=>{e.if((0,pe._)`${t} === true`,()=>e.assign(r,!0),()=>e.assign(r,(0,pe._)`${r} || {}`).code((0,pe._)`Object.assign(${r}, ${t})`))}),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,pe._)`${r} !== true`,()=>{t===!0?e.assign(r,!0):(e.assign(r,(0,pe._)`${r} || {}`),Hd(e,r,t))}),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:{...e,...t},"mergeValues"),resultToName:oy}),items:Qg({mergeNames:o((e,t,r)=>e.if((0,pe._)`${r} !== true && ${t} !== undefined`,()=>e.assign(r,(0,pe._)`${t} === true ? true : ${r} > ${t} ? ${r} : ${t}`)),"mergeNames"),mergeToName:o((e,t,r)=>e.if((0,pe._)`${r} !== true`,()=>e.assign(r,t===!0?!0:(0,pe._)`${r} > ${t} ? ${r} : ${t}`)),"mergeToName"),mergeValues:o((e,t)=>e===!0?!0:Math.max(e,t),"mergeValues"),resultToName:o((e,t)=>e.var("items",t),"resultToName")})};function oy(e,t){if(t===!0)return e.var("props",!0);let r=e.var("props",(0,pe._)`{}`);return t!==void 0&&Hd(e,r,t),r}o(oy,"evaluatedPropsToName");ee.evaluatedPropsToName=oy;function Hd(e,t,r){Object.keys(r).forEach(n=>e.assign((0,pe._)`${t}${(0,pe.getProperty)(n)}`,!0))}o(Hd,"setEvaluated");ee.setEvaluated=Hd;var ey={};function Zk(e,t){return e.scopeValue("func",{ref:t,code:ey[t.code]||(ey[t.code]=new Dk._Code(t.code))})}o(Zk,"useFunc");ee.useFunc=Zk;var Dd;(function(e){e[e.Num=0]="Num",e[e.Str=1]="Str"})(Dd||(ee.Type=Dd={}));function Kk(e,t,r){if(e instanceof pe.Name){let n=t===Dd.Num;return r?n?(0,pe._)`"[" + ${e} + "]"`:(0,pe._)`"['" + ${e} + "']"`:n?(0,pe._)`"/" + ${e}`:(0,pe._)`"/" + ${e}.replace(/~/g, "~0").replace(/\\//g, "~1")`}return r?(0,pe.getProperty)(e).toString():"/"+jd(e)}o(Kk,"getErrorPath");ee.getErrorPath=Kk;function ay(e,t,r=e.opts.strictSchema){if(r){if(t=`strict mode: ${t}`,r===!0)throw new Error(t);e.self.logger.warn(t)}}o(ay,"checkStrictMode");ee.checkStrictMode=ay});var pr=x(Ld=>{"use strict";Object.defineProperty(Ld,"__esModule",{value:!0});var Ve=W(),Jk={data:new Ve.Name("data"),valCxt:new Ve.Name("valCxt"),instancePath:new Ve.Name("instancePath"),parentData:new Ve.Name("parentData"),parentDataProperty:new Ve.Name("parentDataProperty"),rootData:new Ve.Name("rootData"),dynamicAnchors:new Ve.Name("dynamicAnchors"),vErrors:new Ve.Name("vErrors"),errors:new Ve.Name("errors"),this:new Ve.Name("this"),self:new Ve.Name("self"),scope:new Ve.Name("scope"),json:new Ve.Name("json"),jsonPos:new Ve.Name("jsonPos"),jsonLen:new Ve.Name("jsonLen"),jsonPart:new Ve.Name("jsonPart")};Ld.default=Jk});var wa=x(Fe=>{"use strict";Object.defineProperty(Fe,"__esModule",{value:!0});Fe.extendErrors=Fe.resetErrorsCount=Fe.reportExtraError=Fe.reportError=Fe.keyword$DataError=Fe.keywordError=void 0;var re=W(),is=ie(),Je=pr();Fe.keywordError={message:o(({keyword:e})=>(0,re.str)`must pass "${e}" keyword validation`,"message")};Fe.keyword$DataError={message:o(({keyword:e,schemaType:t})=>t?(0,re.str)`"${e}" keyword must be ${t} ($data)`:(0,re.str)`"${e}" keyword is invalid ($data)`,"message")};function Wk(e,t=Fe.keywordError,r,n){let{it:a}=e,{gen:i,compositeRule:s,allErrors:c}=a,d=cy(e,t,r);n??(s||c)?iy(i,d):sy(a,(0,re._)`[${d}]`)}o(Wk,"reportError");Fe.reportError=Wk;function Yk(e,t=Fe.keywordError,r){let{it:n}=e,{gen:a,compositeRule:i,allErrors:s}=n,c=cy(e,t,r);iy(a,c),i||s||sy(n,Je.default.vErrors)}o(Yk,"reportExtraError");Fe.reportExtraError=Yk;function Xk(e,t){e.assign(Je.default.errors,t),e.if((0,re._)`${Je.default.vErrors} !== null`,()=>e.if(t,()=>e.assign((0,re._)`${Je.default.vErrors}.length`,t),()=>e.assign(Je.default.vErrors,null)))}o(Xk,"resetErrorsCount");Fe.resetErrorsCount=Xk;function Qk({gen:e,keyword:t,schemaValue:r,data:n,errsCount:a,it:i}){if(a===void 0)throw new Error("ajv implementation error");let s=e.name("err");e.forRange("i",a,Je.default.errors,c=>{e.const(s,(0,re._)`${Je.default.vErrors}[${c}]`),e.if((0,re._)`${s}.instancePath === undefined`,()=>e.assign((0,re._)`${s}.instancePath`,(0,re.strConcat)(Je.default.instancePath,i.errorPath))),e.assign((0,re._)`${s}.schemaPath`,(0,re.str)`${i.errSchemaPath}/${t}`),i.opts.verbose&&(e.assign((0,re._)`${s}.schema`,r),e.assign((0,re._)`${s}.data`,n))})}o(Qk,"extendErrors");Fe.extendErrors=Qk;function iy(e,t){let r=e.const("err",t);e.if((0,re._)`${Je.default.vErrors} === null`,()=>e.assign(Je.default.vErrors,(0,re._)`[${r}]`),(0,re._)`${Je.default.vErrors}.push(${r})`),e.code((0,re._)`${Je.default.errors}++`)}o(iy,"addError");function sy(e,t){let{gen:r,validateName:n,schemaEnv:a}=e;a.$async?r.throw((0,re._)`new ${e.ValidationError}(${t})`):(r.assign((0,re._)`${n}.errors`,t),r.return(!1))}o(sy,"returnErrors");var yn={keyword:new re.Name("keyword"),schemaPath:new re.Name("schemaPath"),params:new re.Name("params"),propertyName:new re.Name("propertyName"),message:new re.Name("message"),schema:new re.Name("schema"),parentSchema:new re.Name("parentSchema")};function cy(e,t,r){let{createErrors:n}=e.it;return n===!1?(0,re._)`{}`:eA(e,t,r)}o(cy,"errorObjectCode");function eA(e,t,r={}){let{gen:n,it:a}=e,i=[tA(a,r),rA(e,r)];return nA(e,t,i),n.object(...i)}o(eA,"errorObject");function tA({errorPath:e},{instancePath:t}){let r=t?(0,re.str)`${e}${(0,is.getErrorPath)(t,is.Type.Str)}`:e;return[Je.default.instancePath,(0,re.strConcat)(Je.default.instancePath,r)]}o(tA,"errorInstancePath");function rA({keyword:e,it:{errSchemaPath:t}},{schemaPath:r,parentSchema:n}){let a=n?t:(0,re.str)`${t}/${e}`;return r&&(a=(0,re.str)`${a}${(0,is.getErrorPath)(r,is.Type.Str)}`),[yn.schemaPath,a]}o(rA,"errorSchemaPath");function nA(e,{params:t,message:r},n){let{keyword:a,data:i,schemaValue:s,it:c}=e,{opts:d,propertyName:p,topSchemaRef:l,schemaPath:m}=c;n.push([yn.keyword,a],[yn.params,typeof t=="function"?t(e):t||(0,re._)`{}`]),d.messages&&n.push([yn.message,typeof r=="function"?r(e):r]),d.verbose&&n.push([yn.schema,s],[yn.parentSchema,(0,re._)`${l}${m}`],[Je.default.data,i]),p&&n.push([yn.propertyName,p])}o(nA,"extraErrorProps")});var dy=x(no=>{"use strict";Object.defineProperty(no,"__esModule",{value:!0});no.boolOrEmptySchema=no.topBoolOrEmptySchema=void 0;var oA=wa(),aA=W(),iA=pr(),sA={message:"boolean schema is false"};function cA(e){let{gen:t,schema:r,validateName:n}=e;r===!1?uy(e,!1):typeof r=="object"&&r.$async===!0?t.return(iA.default.data):(t.assign((0,aA._)`${n}.errors`,null),t.return(!0))}o(cA,"topBoolOrEmptySchema");no.topBoolOrEmptySchema=cA;function uA(e,t){let{gen:r,schema:n}=e;n===!1?(r.var(t,!1),uy(e)):r.var(t,!0)}o(uA,"boolOrEmptySchema");no.boolOrEmptySchema=uA;function uy(e,t){let{gen:r,data:n}=e,a={gen:r,keyword:"false schema",data:n,schema:!1,schemaCode:!1,schemaValue:!1,params:{},it:e};(0,oA.reportError)(a,sA,void 0,t)}o(uy,"falseSchemaError")});var Bd=x(oo=>{"use strict";Object.defineProperty(oo,"__esModule",{value:!0});oo.getRules=oo.isJSONType=void 0;var dA=["string","number","integer","boolean","null","object","array"],lA=new Set(dA);function pA(e){return typeof e=="string"&&lA.has(e)}o(pA,"isJSONType");oo.isJSONType=pA;function mA(){let e={number:{type:"number",rules:[]},string:{type:"string",rules:[]},array:{type:"array",rules:[]},object:{type:"object",rules:[]}};return{types:{...e,integer:!0,boolean:!0,null:!0},rules:[{rules:[]},e.number,e.string,e.array,e.object],post:{rules:[]},all:{},keywords:{}}}o(mA,"getRules");oo.getRules=mA});var Gd=x(Dr=>{"use strict";Object.defineProperty(Dr,"__esModule",{value:!0});Dr.shouldUseRule=Dr.shouldUseGroup=Dr.schemaHasRulesForType=void 0;function fA({schema:e,self:t},r){let n=t.RULES.types[r];return n&&n!==!0&&ly(e,n)}o(fA,"schemaHasRulesForType");Dr.schemaHasRulesForType=fA;function ly(e,t){return t.rules.some(r=>py(e,r))}o(ly,"shouldUseGroup");Dr.shouldUseGroup=ly;function py(e,t){var r;return e[t.keyword]!==void 0||((r=t.definition.implements)===null||r===void 0?void 0:r.some(n=>e[n]!==void 0))}o(py,"shouldUseRule");Dr.shouldUseRule=py});var ba=x(Ze=>{"use strict";Object.defineProperty(Ze,"__esModule",{value:!0});Ze.reportTypeError=Ze.checkDataTypes=Ze.checkDataType=Ze.coerceAndCheckDataType=Ze.getJSONTypes=Ze.getSchemaTypes=Ze.DataType=void 0;var hA=Bd(),gA=Gd(),yA=wa(),Z=W(),my=ie(),ao;(function(e){e[e.Correct=0]="Correct",e[e.Wrong=1]="Wrong"})(ao||(Ze.DataType=ao={}));function SA(e){let t=fy(e.type);if(t.includes("null")){if(e.nullable===!1)throw new Error("type: null contradicts nullable: false")}else{if(!t.length&&e.nullable!==void 0)throw new Error('"nullable" cannot be used without "type"');e.nullable===!0&&t.push("null")}return t}o(SA,"getSchemaTypes");Ze.getSchemaTypes=SA;function fy(e){let t=Array.isArray(e)?e:e?[e]:[];if(t.every(hA.isJSONType))return t;throw new Error("type must be JSONType or JSONType[]: "+t.join(","))}o(fy,"getJSONTypes");Ze.getJSONTypes=fy;function _A(e,t){let{gen:r,data:n,opts:a}=e,i=vA(t,a.coerceTypes),s=t.length>0&&!(i.length===0&&t.length===1&&(0,gA.schemaHasRulesForType)(e,t[0]));if(s){let c=Fd(t,n,a.strictNumbers,ao.Wrong);r.if(c,()=>{i.length?wA(e,t,i):Zd(e)})}return s}o(_A,"coerceAndCheckDataType");Ze.coerceAndCheckDataType=_A;var hy=new Set(["string","number","integer","boolean","null"]);function vA(e,t){return t?e.filter(r=>hy.has(r)||t==="array"&&r==="array"):[]}o(vA,"coerceToTypes");function wA(e,t,r){let{gen:n,data:a,opts:i}=e,s=n.let("dataType",(0,Z._)`typeof ${a}`),c=n.let("coerced",(0,Z._)`undefined`);i.coerceTypes==="array"&&n.if((0,Z._)`${s} == 'object' && Array.isArray(${a}) && ${a}.length == 1`,()=>n.assign(a,(0,Z._)`${a}[0]`).assign(s,(0,Z._)`typeof ${a}`).if(Fd(t,a,i.strictNumbers),()=>n.assign(c,a))),n.if((0,Z._)`${c} !== undefined`);for(let p of r)(hy.has(p)||p==="array"&&i.coerceTypes==="array")&&d(p);n.else(),Zd(e),n.endIf(),n.if((0,Z._)`${c} !== undefined`,()=>{n.assign(a,c),bA(e,c)});function d(p){switch(p){case"string":n.elseIf((0,Z._)`${s} == "number" || ${s} == "boolean"`).assign(c,(0,Z._)`"" + ${a}`).elseIf((0,Z._)`${a} === null`).assign(c,(0,Z._)`""`);return;case"number":n.elseIf((0,Z._)`${s} == "boolean" || ${a} === null
-              || (${s} == "string" && ${a} && ${a} == +${a})`).assign(c,(0,Z._)`+${a}`);return;case"integer":n.elseIf((0,Z._)`${s} === "boolean" || ${a} === null
-              || (${s} === "string" && ${a} && ${a} == +${a} && !(${a} % 1))`).assign(c,(0,Z._)`+${a}`);return;case"boolean":n.elseIf((0,Z._)`${a} === "false" || ${a} === 0 || ${a} === null`).assign(c,!1).elseIf((0,Z._)`${a} === "true" || ${a} === 1`).assign(c,!0);return;case"null":n.elseIf((0,Z._)`${a} === "" || ${a} === 0 || ${a} === false`),n.assign(c,null);return;case"array":n.elseIf((0,Z._)`${s} === "string" || ${s} === "number"
-              || ${s} === "boolean" || ${a} === null`).assign(c,(0,Z._)`[${a}]`)}}o(d,"coerceSpecificType")}o(wA,"coerceData");function bA({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,Z._)`${t} !== undefined`,()=>e.assign((0,Z._)`${t}[${r}]`,n))}o(bA,"assignParentData");function Vd(e,t,r,n=ao.Correct){let a=n===ao.Correct?Z.operators.EQ:Z.operators.NEQ,i;switch(e){case"null":return(0,Z._)`${t} ${a} null`;case"array":i=(0,Z._)`Array.isArray(${t})`;break;case"object":i=(0,Z._)`${t} && typeof ${t} == "object" && !Array.isArray(${t})`;break;case"integer":i=s((0,Z._)`!(${t} % 1) && !isNaN(${t})`);break;case"number":i=s();break;default:return(0,Z._)`typeof ${t} ${a} ${e}`}return n===ao.Correct?i:(0,Z.not)(i);function s(c=Z.nil){return(0,Z.and)((0,Z._)`typeof ${t} == "number"`,c,r?(0,Z._)`isFinite(${t})`:Z.nil)}}o(Vd,"checkDataType");Ze.checkDataType=Vd;function Fd(e,t,r,n){if(e.length===1)return Vd(e[0],t,r,n);let a,i=(0,my.toHash)(e);if(i.array&&i.object){let s=(0,Z._)`typeof ${t} != "object"`;a=i.null?s:(0,Z._)`!${t} || ${s}`,delete i.null,delete i.array,delete i.object}else a=Z.nil;i.number&&delete i.integer;for(let s in i)a=(0,Z.and)(a,Vd(s,t,r,n));return a}o(Fd,"checkDataTypes");Ze.checkDataTypes=Fd;var RA={message:o(({schema:e})=>`must be ${e}`,"message"),params:o(({schema:e,schemaValue:t})=>typeof e=="string"?(0,Z._)`{type: ${e}}`:(0,Z._)`{type: ${t}}`,"params")};function Zd(e){let t=CA(e);(0,yA.reportError)(t,RA)}o(Zd,"reportTypeError");Ze.reportTypeError=Zd;function CA(e){let{gen:t,data:r,schema:n}=e,a=(0,my.schemaRefOrVal)(e,n,"type");return{gen:t,keyword:"type",data:r,schema:n.type,schemaCode:a,schemaValue:a,parentSchema:n,params:{},it:e}}o(CA,"getTypeErrorContext")});var yy=x(ss=>{"use strict";Object.defineProperty(ss,"__esModule",{value:!0});ss.assignDefaults=void 0;var io=W(),IA=ie();function PA(e,t){let{properties:r,items:n}=e.schema;if(t==="object"&&r)for(let a in r)gy(e,a,r[a].default);else t==="array"&&Array.isArray(n)&&n.forEach((a,i)=>gy(e,i,a.default))}o(PA,"assignDefaults");ss.assignDefaults=PA;function gy(e,t,r){let{gen:n,compositeRule:a,data:i,opts:s}=e;if(r===void 0)return;let c=(0,io._)`${i}${(0,io.getProperty)(t)}`;if(a){(0,IA.checkStrictMode)(e,`default is ignored for: ${c}`);return}let d=(0,io._)`${c} === undefined`;s.useDefaults==="empty"&&(d=(0,io._)`${d} || ${c} === null || ${c} === ""`),n.if(d,(0,io._)`${c} = ${(0,io.stringify)(r)}`)}o(gy,"assignDefault")});var vt=x(ce=>{"use strict";Object.defineProperty(ce,"__esModule",{value:!0});ce.validateUnion=ce.validateArray=ce.usePattern=ce.callValidateCode=ce.schemaProperties=ce.allSchemaProperties=ce.noPropertyInData=ce.propertyInData=ce.isOwnProperty=ce.hasPropFunc=ce.reportMissingProp=ce.checkMissingProp=ce.checkReportMissingProp=void 0;var he=W(),Kd=ie(),jr=pr(),xA=ie();function kA(e,t){let{gen:r,data:n,it:a}=e;r.if(Wd(r,n,t,a.opts.ownProperties),()=>{e.setParams({missingProperty:(0,he._)`${t}`},!0),e.error()})}o(kA,"checkReportMissingProp");ce.checkReportMissingProp=kA;function AA({gen:e,data:t,it:{opts:r}},n,a){return(0,he.or)(...n.map(i=>(0,he.and)(Wd(e,t,i,r.ownProperties),(0,he._)`${a} = ${i}`)))}o(AA,"checkMissingProp");ce.checkMissingProp=AA;function TA(e,t){e.setParams({missingProperty:t},!0),e.error()}o(TA,"reportMissingProp");ce.reportMissingProp=TA;function Sy(e){return e.scopeValue("func",{ref:Object.prototype.hasOwnProperty,code:(0,he._)`Object.prototype.hasOwnProperty`})}o(Sy,"hasPropFunc");ce.hasPropFunc=Sy;function Jd(e,t,r){return(0,he._)`${Sy(e)}.call(${t}, ${r})`}o(Jd,"isOwnProperty");ce.isOwnProperty=Jd;function EA(e,t,r,n){let a=(0,he._)`${t}${(0,he.getProperty)(r)} !== undefined`;return n?(0,he._)`${a} && ${Jd(e,t,r)}`:a}o(EA,"propertyInData");ce.propertyInData=EA;function Wd(e,t,r,n){let a=(0,he._)`${t}${(0,he.getProperty)(r)} === undefined`;return n?(0,he.or)(a,(0,he.not)(Jd(e,t,r))):a}o(Wd,"noPropertyInData");ce.noPropertyInData=Wd;function _y(e){return e?Object.keys(e).filter(t=>t!=="__proto__"):[]}o(_y,"allSchemaProperties");ce.allSchemaProperties=_y;function UA(e,t){return _y(t).filter(r=>!(0,Kd.alwaysValidSchema)(e,t[r]))}o(UA,"schemaProperties");ce.schemaProperties=UA;function OA({schemaCode:e,data:t,it:{gen:r,topSchemaRef:n,schemaPath:a,errorPath:i},it:s},c,d,p){let l=p?(0,he._)`${e}, ${t}, ${n}${a}`:t,m=[[jr.default.instancePath,(0,he.strConcat)(jr.default.instancePath,i)],[jr.default.parentData,s.parentData],[jr.default.parentDataProperty,s.parentDataProperty],[jr.default.rootData,jr.default.rootData]];s.opts.dynamicRef&&m.push([jr.default.dynamicAnchors,jr.default.dynamicAnchors]);let h=(0,he._)`${l}, ${r.object(...m)}`;return d!==he.nil?(0,he._)`${c}.call(${d}, ${h})`:(0,he._)`${c}(${h})`}o(OA,"callValidateCode");ce.callValidateCode=OA;var MA=(0,he._)`new RegExp`;function zA({gen:e,it:{opts:t}},r){let n=t.unicodeRegExp?"u":"",{regExp:a}=t.code,i=a(r,n);return e.scopeValue("pattern",{key:i.toString(),ref:i,code:(0,he._)`${a.code==="new RegExp"?MA:(0,xA.useFunc)(e,a)}(${r}, ${n})`})}o(zA,"usePattern");ce.usePattern=zA;function $A(e){let{gen:t,data:r,keyword:n,it:a}=e,i=t.name("valid");if(a.allErrors){let c=t.let("valid",!0);return s(()=>t.assign(c,!1)),c}return t.var(i,!0),s(()=>t.break()),i;function s(c){let d=t.const("len",(0,he._)`${r}.length`);t.forRange("i",0,d,p=>{e.subschema({keyword:n,dataProp:p,dataPropType:Kd.Type.Num},i),t.if((0,he.not)(i),c)})}o(s,"validateItems")}o($A,"validateArray");ce.validateArray=$A;function qA(e){let{gen:t,schema:r,keyword:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(r.some(d=>(0,Kd.alwaysValidSchema)(a,d))&&!a.opts.unevaluated)return;let s=t.let("valid",!1),c=t.name("_valid");t.block(()=>r.forEach((d,p)=>{let l=e.subschema({keyword:n,schemaProp:p,compositeRule:!0},c);t.assign(s,(0,he._)`${s} || ${c}`),e.mergeValidEvaluated(l,c)||t.if((0,he.not)(s))})),e.result(s,()=>e.reset(),()=>e.error(!0))}o(qA,"validateUnion");ce.validateUnion=qA});var by=x(Bt=>{"use strict";Object.defineProperty(Bt,"__esModule",{value:!0});Bt.validateKeywordUsage=Bt.validSchemaType=Bt.funcKeywordCode=Bt.macroKeywordCode=void 0;var We=W(),Sn=pr(),NA=vt(),DA=wa();function jA(e,t){let{gen:r,keyword:n,schema:a,parentSchema:i,it:s}=e,c=t.macro.call(s.self,a,i,s),d=wy(r,n,c);s.opts.validateSchema!==!1&&s.self.validateSchema(c,!0);let p=r.name("valid");e.subschema({schema:c,schemaPath:We.nil,errSchemaPath:`${s.errSchemaPath}/${n}`,topSchemaRef:d,compositeRule:!0},p),e.pass(p,()=>e.error(!0))}o(jA,"macroKeywordCode");Bt.macroKeywordCode=jA;function HA(e,t){var r;let{gen:n,keyword:a,schema:i,parentSchema:s,$data:c,it:d}=e;BA(d,t);let p=!c&&t.compile?t.compile.call(d.self,i,s,d):t.validate,l=wy(n,a,p),m=n.let("valid");e.block$data(m,h),e.ok((r=t.valid)!==null&&r!==void 0?r:m);function h(){if(t.errors===!1)y(),t.modifying&&vy(e),_(()=>e.error());else{let v=t.async?g():S();t.modifying&&vy(e),_(()=>LA(e,v))}}o(h,"validateKeyword");function g(){let v=n.let("ruleErrs",null);return n.try(()=>y((0,We._)`await `),w=>n.assign(m,!1).if((0,We._)`${w} instanceof ${d.ValidationError}`,()=>n.assign(v,(0,We._)`${w}.errors`),()=>n.throw(w))),v}o(g,"validateAsync");function S(){let v=(0,We._)`${l}.errors`;return n.assign(v,null),y(We.nil),v}o(S,"validateSync");function y(v=t.async?(0,We._)`await `:We.nil){let w=d.opts.passContext?Sn.default.this:Sn.default.self,b=!("compile"in t&&!c||t.schema===!1);n.assign(m,(0,We._)`${v}${(0,NA.callValidateCode)(e,l,w,b)}`,t.modifying)}o(y,"assignValid");function _(v){var w;n.if((0,We.not)((w=t.valid)!==null&&w!==void 0?w:m),v)}o(_,"reportErrs")}o(HA,"funcKeywordCode");Bt.funcKeywordCode=HA;function vy(e){let{gen:t,data:r,it:n}=e;t.if(n.parentData,()=>t.assign(r,(0,We._)`${n.parentData}[${n.parentDataProperty}]`))}o(vy,"modifyData");function LA(e,t){let{gen:r}=e;r.if((0,We._)`Array.isArray(${t})`,()=>{r.assign(Sn.default.vErrors,(0,We._)`${Sn.default.vErrors} === null ? ${t} : ${Sn.default.vErrors}.concat(${t})`).assign(Sn.default.errors,(0,We._)`${Sn.default.vErrors}.length`),(0,DA.extendErrors)(e)},()=>e.error())}o(LA,"addErrs");function BA({schemaEnv:e},t){if(t.async&&!e.$async)throw new Error("async keyword in sync schema")}o(BA,"checkAsyncKeyword");function wy(e,t,r){if(r===void 0)throw new Error(`keyword "${t}" failed to compile`);return e.scopeValue("keyword",typeof r=="function"?{ref:r}:{ref:r,code:(0,We.stringify)(r)})}o(wy,"useKeyword");function GA(e,t,r=!1){return!t.length||t.some(n=>n==="array"?Array.isArray(e):n==="object"?e&&typeof e=="object"&&!Array.isArray(e):typeof e==n||r&&typeof e>"u")}o(GA,"validSchemaType");Bt.validSchemaType=GA;function VA({schema:e,opts:t,self:r,errSchemaPath:n},a,i){if(Array.isArray(a.keyword)?!a.keyword.includes(i):a.keyword!==i)throw new Error("ajv implementation error");let s=a.dependencies;if(s?.some(c=>!Object.prototype.hasOwnProperty.call(e,c)))throw new Error(`parent schema must have dependencies of ${i}: ${s.join(",")}`);if(a.validateSchema&&!a.validateSchema(e[i])){let d=`keyword "${i}" value is invalid at path "${n}": `+r.errorsText(a.validateSchema.errors);if(t.validateSchema==="log")r.logger.error(d);else throw new Error(d)}}o(VA,"validateKeywordUsage");Bt.validateKeywordUsage=VA});var Cy=x(Hr=>{"use strict";Object.defineProperty(Hr,"__esModule",{value:!0});Hr.extendSubschemaMode=Hr.extendSubschemaData=Hr.getSubschema=void 0;var Gt=W(),Ry=ie();function FA(e,{keyword:t,schemaProp:r,schema:n,schemaPath:a,errSchemaPath:i,topSchemaRef:s}){if(t!==void 0&&n!==void 0)throw new Error('both "keyword" and "schema" passed, only one allowed');if(t!==void 0){let c=e.schema[t];return r===void 0?{schema:c,schemaPath:(0,Gt._)`${e.schemaPath}${(0,Gt.getProperty)(t)}`,errSchemaPath:`${e.errSchemaPath}/${t}`}:{schema:c[r],schemaPath:(0,Gt._)`${e.schemaPath}${(0,Gt.getProperty)(t)}${(0,Gt.getProperty)(r)}`,errSchemaPath:`${e.errSchemaPath}/${t}/${(0,Ry.escapeFragment)(r)}`}}if(n!==void 0){if(a===void 0||i===void 0||s===void 0)throw new Error('"schemaPath", "errSchemaPath" and "topSchemaRef" are required with "schema"');return{schema:n,schemaPath:a,topSchemaRef:s,errSchemaPath:i}}throw new Error('either "keyword" or "schema" must be passed')}o(FA,"getSubschema");Hr.getSubschema=FA;function ZA(e,t,{dataProp:r,dataPropType:n,data:a,dataTypes:i,propertyName:s}){if(a!==void 0&&r!==void 0)throw new Error('both "data" and "dataProp" passed, only one allowed');let{gen:c}=t;if(r!==void 0){let{errorPath:p,dataPathArr:l,opts:m}=t,h=c.let("data",(0,Gt._)`${t.data}${(0,Gt.getProperty)(r)}`,!0);d(h),e.errorPath=(0,Gt.str)`${p}${(0,Ry.getErrorPath)(r,n,m.jsPropertySyntax)}`,e.parentDataProperty=(0,Gt._)`${r}`,e.dataPathArr=[...l,e.parentDataProperty]}if(a!==void 0){let p=a instanceof Gt.Name?a:c.let("data",a,!0);d(p),s!==void 0&&(e.propertyName=s)}i&&(e.dataTypes=i);function d(p){e.data=p,e.dataLevel=t.dataLevel+1,e.dataTypes=[],t.definedProperties=new Set,e.parentData=t.data,e.dataNames=[...t.dataNames,p]}o(d,"dataContextProps")}o(ZA,"extendSubschemaData");Hr.extendSubschemaData=ZA;function KA(e,{jtdDiscriminator:t,jtdMetadata:r,compositeRule:n,createErrors:a,allErrors:i}){n!==void 0&&(e.compositeRule=n),a!==void 0&&(e.createErrors=a),i!==void 0&&(e.allErrors=i),e.jtdDiscriminator=t,e.jtdMetadata=r}o(KA,"extendSubschemaMode");Hr.extendSubschemaMode=KA});var Yd=x((_F,Iy)=>{"use strict";Iy.exports=o(function e(t,r){if(t===r)return!0;if(t&&r&&typeof t=="object"&&typeof r=="object"){if(t.constructor!==r.constructor)return!1;var n,a,i;if(Array.isArray(t)){if(n=t.length,n!=r.length)return!1;for(a=n;a--!==0;)if(!e(t[a],r[a]))return!1;return!0}if(t.constructor===RegExp)return t.source===r.source&&t.flags===r.flags;if(t.valueOf!==Object.prototype.valueOf)return t.valueOf()===r.valueOf();if(t.toString!==Object.prototype.toString)return t.toString()===r.toString();if(i=Object.keys(t),n=i.length,n!==Object.keys(r).length)return!1;for(a=n;a--!==0;)if(!Object.prototype.hasOwnProperty.call(r,i[a]))return!1;for(a=n;a--!==0;){var s=i[a];if(!e(t[s],r[s]))return!1}return!0}return t!==t&&r!==r},"equal")});var xy=x((wF,Py)=>{"use strict";var Lr=Py.exports=function(e,t,r){typeof t=="function"&&(r=t,t={}),r=t.cb||r;var n=typeof r=="function"?r:r.pre||function(){},a=r.post||function(){};cs(t,n,a,e,"",e)};Lr.keywords={additionalItems:!0,items:!0,contains:!0,additionalProperties:!0,propertyNames:!0,not:!0,if:!0,then:!0,else:!0};Lr.arrayKeywords={items:!0,allOf:!0,anyOf:!0,oneOf:!0};Lr.propsKeywords={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependencies:!0};Lr.skipKeywords={default:!0,enum:!0,const:!0,required:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0};function cs(e,t,r,n,a,i,s,c,d,p){if(n&&typeof n=="object"&&!Array.isArray(n)){t(n,a,i,s,c,d,p);for(var l in n){var m=n[l];if(Array.isArray(m)){if(l in Lr.arrayKeywords)for(var h=0;h<m.length;h++)cs(e,t,r,m[h],a+"/"+l+"/"+h,i,a,l,n,h)}else if(l in Lr.propsKeywords){if(m&&typeof m=="object")for(var g in m)cs(e,t,r,m[g],a+"/"+l+"/"+JA(g),i,a,l,n,g)}else(l in Lr.keywords||e.allKeys&&!(l in Lr.skipKeywords))&&cs(e,t,r,m,a+"/"+l,i,a,l,n)}r(n,a,i,s,c,d,p)}}o(cs,"_traverse");function JA(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(JA,"escapeJsonPtr")});var Ra=x(it=>{"use strict";Object.defineProperty(it,"__esModule",{value:!0});it.getSchemaRefs=it.resolveUrl=it.normalizeId=it._getFullPath=it.getFullPath=it.inlineRef=void 0;var WA=ie(),YA=Yd(),XA=xy(),QA=new Set(["type","format","pattern","maxLength","minLength","maxProperties","minProperties","maxItems","minItems","maximum","minimum","uniqueItems","multipleOf","required","enum","const"]);function eT(e,t=!0){return typeof e=="boolean"?!0:t===!0?!Xd(e):t?ky(e)<=t:!1}o(eT,"inlineRef");it.inlineRef=eT;var tT=new Set(["$ref","$recursiveRef","$recursiveAnchor","$dynamicRef","$dynamicAnchor"]);function Xd(e){for(let t in e){if(tT.has(t))return!0;let r=e[t];if(Array.isArray(r)&&r.some(Xd)||typeof r=="object"&&Xd(r))return!0}return!1}o(Xd,"hasRef");function ky(e){let t=0;for(let r in e){if(r==="$ref")return 1/0;if(t++,!QA.has(r)&&(typeof e[r]=="object"&&(0,WA.eachItem)(e[r],n=>t+=ky(n)),t===1/0))return 1/0}return t}o(ky,"countKeys");function Ay(e,t="",r){r!==!1&&(t=so(t));let n=e.parse(t);return Ty(e,n)}o(Ay,"getFullPath");it.getFullPath=Ay;function Ty(e,t){return e.serialize(t).split("#")[0]+"#"}o(Ty,"_getFullPath");it._getFullPath=Ty;var rT=/#\/?$/;function so(e){return e?e.replace(rT,""):""}o(so,"normalizeId");it.normalizeId=so;function nT(e,t,r){return r=so(r),e.resolve(t,r)}o(nT,"resolveUrl");it.resolveUrl=nT;var oT=/^[a-z_][-a-z0-9._]*$/i;function aT(e,t){if(typeof e=="boolean")return{};let{schemaId:r,uriResolver:n}=this.opts,a=so(e[r]||t),i={"":a},s=Ay(n,a,!1),c={},d=new Set;return XA(e,{allKeys:!0},(m,h,g,S)=>{if(S===void 0)return;let y=s+h,_=i[S];typeof m[r]=="string"&&(_=v.call(this,m[r])),w.call(this,m.$anchor),w.call(this,m.$dynamicAnchor),i[h]=_;function v(b){let N=this.opts.uriResolver.resolve;if(b=so(_?N(_,b):b),d.has(b))throw l(b);d.add(b);let j=this.refs[b];return typeof j=="string"&&(j=this.refs[j]),typeof j=="object"?p(m,j.schema,b):b!==so(y)&&(b[0]==="#"?(p(m,c[b],b),c[b]=m):this.refs[b]=y),b}o(v,"addRef");function w(b){if(typeof b=="string"){if(!oT.test(b))throw new Error(`invalid anchor "${b}"`);v.call(this,`#${b}`)}}o(w,"addAnchor")}),c;function p(m,h,g){if(h!==void 0&&!YA(m,h))throw l(g)}o(p,"checkAmbiguosRef");function l(m){return new Error(`reference "${m}" resolves to more than one schema`)}o(l,"ambiguos")}o(aT,"getSchemaRefs");it.getSchemaRefs=aT});var Pa=x(Br=>{"use strict";Object.defineProperty(Br,"__esModule",{value:!0});Br.getData=Br.KeywordCxt=Br.validateFunctionCode=void 0;var zy=dy(),Ey=ba(),el=Gd(),us=ba(),iT=yy(),Ia=by(),Qd=Cy(),M=W(),G=pr(),sT=Ra(),mr=ie(),Ca=wa();function cT(e){if(Ny(e)&&(Dy(e),qy(e))){lT(e);return}$y(e,()=>(0,zy.topBoolOrEmptySchema)(e))}o(cT,"validateFunctionCode");Br.validateFunctionCode=cT;function $y({gen:e,validateName:t,schema:r,schemaEnv:n,opts:a},i){a.code.es5?e.func(t,(0,M._)`${G.default.data}, ${G.default.valCxt}`,n.$async,()=>{e.code((0,M._)`"use strict"; ${Uy(r,a)}`),dT(e,a),e.code(i)}):e.func(t,(0,M._)`${G.default.data}, ${uT(a)}`,n.$async,()=>e.code(Uy(r,a)).code(i))}o($y,"validateFunction");function uT(e){return(0,M._)`{${G.default.instancePath}="", ${G.default.parentData}, ${G.default.parentDataProperty}, ${G.default.rootData}=${G.default.data}${e.dynamicRef?(0,M._)`, ${G.default.dynamicAnchors}={}`:M.nil}}={}`}o(uT,"destructureValCxt");function dT(e,t){e.if(G.default.valCxt,()=>{e.var(G.default.instancePath,(0,M._)`${G.default.valCxt}.${G.default.instancePath}`),e.var(G.default.parentData,(0,M._)`${G.default.valCxt}.${G.default.parentData}`),e.var(G.default.parentDataProperty,(0,M._)`${G.default.valCxt}.${G.default.parentDataProperty}`),e.var(G.default.rootData,(0,M._)`${G.default.valCxt}.${G.default.rootData}`),t.dynamicRef&&e.var(G.default.dynamicAnchors,(0,M._)`${G.default.valCxt}.${G.default.dynamicAnchors}`)},()=>{e.var(G.default.instancePath,(0,M._)`""`),e.var(G.default.parentData,(0,M._)`undefined`),e.var(G.default.parentDataProperty,(0,M._)`undefined`),e.var(G.default.rootData,G.default.data),t.dynamicRef&&e.var(G.default.dynamicAnchors,(0,M._)`{}`)})}o(dT,"destructureValCxtES5");function lT(e){let{schema:t,opts:r,gen:n}=e;$y(e,()=>{r.$comment&&t.$comment&&Hy(e),gT(e),n.let(G.default.vErrors,null),n.let(G.default.errors,0),r.unevaluated&&pT(e),jy(e),_T(e)})}o(lT,"topSchemaObjCode");function pT(e){let{gen:t,validateName:r}=e;e.evaluated=t.const("evaluated",(0,M._)`${r}.evaluated`),t.if((0,M._)`${e.evaluated}.dynamicProps`,()=>t.assign((0,M._)`${e.evaluated}.props`,(0,M._)`undefined`)),t.if((0,M._)`${e.evaluated}.dynamicItems`,()=>t.assign((0,M._)`${e.evaluated}.items`,(0,M._)`undefined`))}o(pT,"resetEvaluated");function Uy(e,t){let r=typeof e=="object"&&e[t.schemaId];return r&&(t.code.source||t.code.process)?(0,M._)`/*# sourceURL=${r} */`:M.nil}o(Uy,"funcSourceUrl");function mT(e,t){if(Ny(e)&&(Dy(e),qy(e))){fT(e,t);return}(0,zy.boolOrEmptySchema)(e,t)}o(mT,"subschemaCode");function qy({schema:e,self:t}){if(typeof e=="boolean")return!e;for(let r in e)if(t.RULES.all[r])return!0;return!1}o(qy,"schemaCxtHasRules");function Ny(e){return typeof e.schema!="boolean"}o(Ny,"isSchemaObj");function fT(e,t){let{schema:r,gen:n,opts:a}=e;a.$comment&&r.$comment&&Hy(e),yT(e),ST(e);let i=n.const("_errs",G.default.errors);jy(e,i),n.var(t,(0,M._)`${i} === ${G.default.errors}`)}o(fT,"subSchemaObjCode");function Dy(e){(0,mr.checkUnknownRules)(e),hT(e)}o(Dy,"checkKeywords");function jy(e,t){if(e.opts.jtd)return Oy(e,[],!1,t);let r=(0,Ey.getSchemaTypes)(e.schema),n=(0,Ey.coerceAndCheckDataType)(e,r);Oy(e,r,!n,t)}o(jy,"typeAndKeywords");function hT(e){let{schema:t,errSchemaPath:r,opts:n,self:a}=e;t.$ref&&n.ignoreKeywordsWithRef&&(0,mr.schemaHasRulesButRef)(t,a.RULES)&&a.logger.warn(`$ref: keywords ignored in schema at path "${r}"`)}o(hT,"checkRefsAndKeywords");function gT(e){let{schema:t,opts:r}=e;t.default!==void 0&&r.useDefaults&&r.strictSchema&&(0,mr.checkStrictMode)(e,"default is ignored in the schema root")}o(gT,"checkNoDefault");function yT(e){let t=e.schema[e.opts.schemaId];t&&(e.baseId=(0,sT.resolveUrl)(e.opts.uriResolver,e.baseId,t))}o(yT,"updateContext");function ST(e){if(e.schema.$async&&!e.schemaEnv.$async)throw new Error("async schema in sync schema")}o(ST,"checkAsyncSchema");function Hy({gen:e,schemaEnv:t,schema:r,errSchemaPath:n,opts:a}){let i=r.$comment;if(a.$comment===!0)e.code((0,M._)`${G.default.self}.logger.log(${i})`);else if(typeof a.$comment=="function"){let s=(0,M.str)`${n}/$comment`,c=e.scopeValue("root",{ref:t.root});e.code((0,M._)`${G.default.self}.opts.$comment(${i}, ${s}, ${c}.schema)`)}}o(Hy,"commentKeyword");function _T(e){let{gen:t,schemaEnv:r,validateName:n,ValidationError:a,opts:i}=e;r.$async?t.if((0,M._)`${G.default.errors} === 0`,()=>t.return(G.default.data),()=>t.throw((0,M._)`new ${a}(${G.default.vErrors})`)):(t.assign((0,M._)`${n}.errors`,G.default.vErrors),i.unevaluated&&vT(e),t.return((0,M._)`${G.default.errors} === 0`))}o(_T,"returnResults");function vT({gen:e,evaluated:t,props:r,items:n}){r instanceof M.Name&&e.assign((0,M._)`${t}.props`,r),n instanceof M.Name&&e.assign((0,M._)`${t}.items`,n)}o(vT,"assignEvaluated");function Oy(e,t,r,n){let{gen:a,schema:i,data:s,allErrors:c,opts:d,self:p}=e,{RULES:l}=p;if(i.$ref&&(d.ignoreKeywordsWithRef||!(0,mr.schemaHasRulesButRef)(i,l))){a.block(()=>By(e,"$ref",l.all.$ref.definition));return}d.jtd||wT(e,t),a.block(()=>{for(let h of l.rules)m(h);m(l.post)});function m(h){(0,el.shouldUseGroup)(i,h)&&(h.type?(a.if((0,us.checkDataType)(h.type,s,d.strictNumbers)),My(e,h),t.length===1&&t[0]===h.type&&r&&(a.else(),(0,us.reportTypeError)(e)),a.endIf()):My(e,h),c||a.if((0,M._)`${G.default.errors} === ${n||0}`))}o(m,"groupKeywords")}o(Oy,"schemaKeywords");function My(e,t){let{gen:r,schema:n,opts:{useDefaults:a}}=e;a&&(0,iT.assignDefaults)(e,t.type),r.block(()=>{for(let i of t.rules)(0,el.shouldUseRule)(n,i)&&By(e,i.keyword,i.definition,t.type)})}o(My,"iterateKeywords");function wT(e,t){e.schemaEnv.meta||!e.opts.strictTypes||(bT(e,t),e.opts.allowUnionTypes||RT(e,t),CT(e,e.dataTypes))}o(wT,"checkStrictTypes");function bT(e,t){if(t.length){if(!e.dataTypes.length){e.dataTypes=t;return}t.forEach(r=>{Ly(e.dataTypes,r)||tl(e,`type "${r}" not allowed by context "${e.dataTypes.join(",")}"`)}),PT(e,t)}}o(bT,"checkContextTypes");function RT(e,t){t.length>1&&!(t.length===2&&t.includes("null"))&&tl(e,"use allowUnionTypes to allow union type keyword")}o(RT,"checkMultipleTypes");function CT(e,t){let r=e.self.RULES.all;for(let n in r){let a=r[n];if(typeof a=="object"&&(0,el.shouldUseRule)(e.schema,a)){let{type:i}=a.definition;i.length&&!i.some(s=>IT(t,s))&&tl(e,`missing type "${i.join(",")}" for keyword "${n}"`)}}}o(CT,"checkKeywordTypes");function IT(e,t){return e.includes(t)||t==="number"&&e.includes("integer")}o(IT,"hasApplicableType");function Ly(e,t){return e.includes(t)||t==="integer"&&e.includes("number")}o(Ly,"includesType");function PT(e,t){let r=[];for(let n of e.dataTypes)Ly(t,n)?r.push(n):t.includes("integer")&&n==="number"&&r.push("integer");e.dataTypes=r}o(PT,"narrowSchemaTypes");function tl(e,t){let r=e.schemaEnv.baseId+e.errSchemaPath;t+=` at "${r}" (strictTypes)`,(0,mr.checkStrictMode)(e,t,e.opts.strictTypes)}o(tl,"strictTypesError");var ds=class{static{o(this,"KeywordCxt")}constructor(t,r,n){if((0,Ia.validateKeywordUsage)(t,r,n),this.gen=t.gen,this.allErrors=t.allErrors,this.keyword=n,this.data=t.data,this.schema=t.schema[n],this.$data=r.$data&&t.opts.$data&&this.schema&&this.schema.$data,this.schemaValue=(0,mr.schemaRefOrVal)(t,this.schema,n,this.$data),this.schemaType=r.schemaType,this.parentSchema=t.schema,this.params={},this.it=t,this.def=r,this.$data)this.schemaCode=t.gen.const("vSchema",Gy(this.$data,t));else if(this.schemaCode=this.schemaValue,!(0,Ia.validSchemaType)(this.schema,r.schemaType,r.allowUndefined))throw new Error(`${n} value must be ${JSON.stringify(r.schemaType)}`);("code"in r?r.trackErrors:r.errors!==!1)&&(this.errsCount=t.gen.const("_errs",G.default.errors))}result(t,r,n){this.failResult((0,M.not)(t),r,n)}failResult(t,r,n){this.gen.if(t),n?n():this.error(),r?(this.gen.else(),r(),this.allErrors&&this.gen.endIf()):this.allErrors?this.gen.endIf():this.gen.else()}pass(t,r){this.failResult((0,M.not)(t),void 0,r)}fail(t){if(t===void 0){this.error(),this.allErrors||this.gen.if(!1);return}this.gen.if(t),this.error(),this.allErrors?this.gen.endIf():this.gen.else()}fail$data(t){if(!this.$data)return this.fail(t);let{schemaCode:r}=this;this.fail((0,M._)`${r} !== undefined && (${(0,M.or)(this.invalid$data(),t)})`)}error(t,r,n){if(r){this.setParams(r),this._error(t,n),this.setParams({});return}this._error(t,n)}_error(t,r){(t?Ca.reportExtraError:Ca.reportError)(this,this.def.error,r)}$dataError(){(0,Ca.reportError)(this,this.def.$dataError||Ca.keyword$DataError)}reset(){if(this.errsCount===void 0)throw new Error('add "trackErrors" to keyword definition');(0,Ca.resetErrorsCount)(this.gen,this.errsCount)}ok(t){this.allErrors||this.gen.if(t)}setParams(t,r){r?Object.assign(this.params,t):this.params=t}block$data(t,r,n=M.nil){this.gen.block(()=>{this.check$data(t,n),r()})}check$data(t=M.nil,r=M.nil){if(!this.$data)return;let{gen:n,schemaCode:a,schemaType:i,def:s}=this;n.if((0,M.or)((0,M._)`${a} === undefined`,r)),t!==M.nil&&n.assign(t,!0),(i.length||s.validateSchema)&&(n.elseIf(this.invalid$data()),this.$dataError(),t!==M.nil&&n.assign(t,!1)),n.else()}invalid$data(){let{gen:t,schemaCode:r,schemaType:n,def:a,it:i}=this;return(0,M.or)(s(),c());function s(){if(n.length){if(!(r instanceof M.Name))throw new Error("ajv implementation error");let d=Array.isArray(n)?n:[n];return(0,M._)`${(0,us.checkDataTypes)(d,r,i.opts.strictNumbers,us.DataType.Wrong)}`}return M.nil}function c(){if(a.validateSchema){let d=t.scopeValue("validate$data",{ref:a.validateSchema});return(0,M._)`!${d}(${r})`}return M.nil}}subschema(t,r){let n=(0,Qd.getSubschema)(this.it,t);(0,Qd.extendSubschemaData)(n,this.it,t),(0,Qd.extendSubschemaMode)(n,t);let a={...this.it,...n,items:void 0,props:void 0};return mT(a,r),a}mergeEvaluated(t,r){let{it:n,gen:a}=this;n.opts.unevaluated&&(n.props!==!0&&t.props!==void 0&&(n.props=mr.mergeEvaluated.props(a,t.props,n.props,r)),n.items!==!0&&t.items!==void 0&&(n.items=mr.mergeEvaluated.items(a,t.items,n.items,r)))}mergeValidEvaluated(t,r){let{it:n,gen:a}=this;if(n.opts.unevaluated&&(n.props!==!0||n.items!==!0))return a.if(r,()=>this.mergeEvaluated(t,M.Name)),!0}};Br.KeywordCxt=ds;function By(e,t,r,n){let a=new ds(e,r,t);"code"in r?r.code(a,n):a.$data&&r.validate?(0,Ia.funcKeywordCode)(a,r):"macro"in r?(0,Ia.macroKeywordCode)(a,r):(r.compile||r.validate)&&(0,Ia.funcKeywordCode)(a,r)}o(By,"keywordCode");var xT=/^\/(?:[^~]|~0|~1)*$/,kT=/^([0-9]+)(#|\/(?:[^~]|~0|~1)*)?$/;function Gy(e,{dataLevel:t,dataNames:r,dataPathArr:n}){let a,i;if(e==="")return G.default.rootData;if(e[0]==="/"){if(!xT.test(e))throw new Error(`Invalid JSON-pointer: ${e}`);a=e,i=G.default.rootData}else{let p=kT.exec(e);if(!p)throw new Error(`Invalid JSON-pointer: ${e}`);let l=+p[1];if(a=p[2],a==="#"){if(l>=t)throw new Error(d("property/index",l));return n[t-l]}if(l>t)throw new Error(d("data",l));if(i=r[t-l],!a)return i}let s=i,c=a.split("/");for(let p of c)p&&(i=(0,M._)`${i}${(0,M.getProperty)((0,mr.unescapeJsonPointer)(p))}`,s=(0,M._)`${s} && ${i}`);return s;function d(p,l){return`Cannot access ${p} ${l} levels up, current level is ${t}`}}o(Gy,"getData");Br.getData=Gy});var ls=x(nl=>{"use strict";Object.defineProperty(nl,"__esModule",{value:!0});var rl=class extends Error{static{o(this,"ValidationError")}constructor(t){super("validation failed"),this.errors=t,this.ajv=this.validation=!0}};nl.default=rl});var xa=x(il=>{"use strict";Object.defineProperty(il,"__esModule",{value:!0});var ol=Ra(),al=class extends Error{static{o(this,"MissingRefError")}constructor(t,r,n,a){super(a||`can't resolve reference ${n} from id ${r}`),this.missingRef=(0,ol.resolveUrl)(t,r,n),this.missingSchema=(0,ol.normalizeId)((0,ol.getFullPath)(t,this.missingRef))}};il.default=al});var ms=x(wt=>{"use strict";Object.defineProperty(wt,"__esModule",{value:!0});wt.resolveSchema=wt.getCompilingSchema=wt.resolveRef=wt.compileSchema=wt.SchemaEnv=void 0;var At=W(),AT=ls(),_n=pr(),Tt=Ra(),Vy=ie(),TT=Pa(),co=class{static{o(this,"SchemaEnv")}constructor(t){var r;this.refs={},this.dynamicAnchors={};let n;typeof t.schema=="object"&&(n=t.schema),this.schema=t.schema,this.schemaId=t.schemaId,this.root=t.root||this,this.baseId=(r=t.baseId)!==null&&r!==void 0?r:(0,Tt.normalizeId)(n?.[t.schemaId||"$id"]),this.schemaPath=t.schemaPath,this.localRefs=t.localRefs,this.meta=t.meta,this.$async=n?.$async,this.refs={}}};wt.SchemaEnv=co;function cl(e){let t=Fy.call(this,e);if(t)return t;let r=(0,Tt.getFullPath)(this.opts.uriResolver,e.root.baseId),{es5:n,lines:a}=this.opts.code,{ownProperties:i}=this.opts,s=new At.CodeGen(this.scope,{es5:n,lines:a,ownProperties:i}),c;e.$async&&(c=s.scopeValue("Error",{ref:AT.default,code:(0,At._)`require("ajv/dist/runtime/validation_error").default`}));let d=s.scopeName("validate");e.validateName=d;let p={gen:s,allErrors:this.opts.allErrors,data:_n.default.data,parentData:_n.default.parentData,parentDataProperty:_n.default.parentDataProperty,dataNames:[_n.default.data],dataPathArr:[At.nil],dataLevel:0,dataTypes:[],definedProperties:new Set,topSchemaRef:s.scopeValue("schema",this.opts.code.source===!0?{ref:e.schema,code:(0,At.stringify)(e.schema)}:{ref:e.schema}),validateName:d,ValidationError:c,schema:e.schema,schemaEnv:e,rootId:r,baseId:e.baseId||r,schemaPath:At.nil,errSchemaPath:e.schemaPath||(this.opts.jtd?"":"#"),errorPath:(0,At._)`""`,opts:this.opts,self:this},l;try{this._compilations.add(e),(0,TT.validateFunctionCode)(p),s.optimize(this.opts.code.optimize);let m=s.toString();l=`${s.scopeRefs(_n.default.scope)}return ${m}`,this.opts.code.process&&(l=this.opts.code.process(l,e));let g=new Function(`${_n.default.self}`,`${_n.default.scope}`,l)(this,this.scope.get());if(this.scope.value(d,{ref:g}),g.errors=null,g.schema=e.schema,g.schemaEnv=e,e.$async&&(g.$async=!0),this.opts.code.source===!0&&(g.source={validateName:d,validateCode:m,scopeValues:s._values}),this.opts.unevaluated){let{props:S,items:y}=p;g.evaluated={props:S instanceof At.Name?void 0:S,items:y instanceof At.Name?void 0:y,dynamicProps:S instanceof At.Name,dynamicItems:y instanceof At.Name},g.source&&(g.source.evaluated=(0,At.stringify)(g.evaluated))}return e.validate=g,e}catch(m){throw delete e.validate,delete e.validateName,l&&this.logger.error("Error compiling schema, function code:",l),m}finally{this._compilations.delete(e)}}o(cl,"compileSchema");wt.compileSchema=cl;function ET(e,t,r){var n;r=(0,Tt.resolveUrl)(this.opts.uriResolver,t,r);let a=e.refs[r];if(a)return a;let i=MT.call(this,e,r);if(i===void 0){let s=(n=e.localRefs)===null||n===void 0?void 0:n[r],{schemaId:c}=this.opts;s&&(i=new co({schema:s,schemaId:c,root:e,baseId:t}))}if(i!==void 0)return e.refs[r]=UT.call(this,i)}o(ET,"resolveRef");wt.resolveRef=ET;function UT(e){return(0,Tt.inlineRef)(e.schema,this.opts.inlineRefs)?e.schema:e.validate?e:cl.call(this,e)}o(UT,"inlineOrCompile");function Fy(e){for(let t of this._compilations)if(OT(t,e))return t}o(Fy,"getCompilingSchema");wt.getCompilingSchema=Fy;function OT(e,t){return e.schema===t.schema&&e.root===t.root&&e.baseId===t.baseId}o(OT,"sameSchemaEnv");function MT(e,t){let r;for(;typeof(r=this.refs[t])=="string";)t=r;return r||this.schemas[t]||ps.call(this,e,t)}o(MT,"resolve");function ps(e,t){let r=this.opts.uriResolver.parse(t),n=(0,Tt._getFullPath)(this.opts.uriResolver,r),a=(0,Tt.getFullPath)(this.opts.uriResolver,e.baseId,void 0);if(Object.keys(e.schema).length>0&&n===a)return sl.call(this,r,e);let i=(0,Tt.normalizeId)(n),s=this.refs[i]||this.schemas[i];if(typeof s=="string"){let c=ps.call(this,e,s);return typeof c?.schema!="object"?void 0:sl.call(this,r,c)}if(typeof s?.schema=="object"){if(s.validate||cl.call(this,s),i===(0,Tt.normalizeId)(t)){let{schema:c}=s,{schemaId:d}=this.opts,p=c[d];return p&&(a=(0,Tt.resolveUrl)(this.opts.uriResolver,a,p)),new co({schema:c,schemaId:d,root:e,baseId:a})}return sl.call(this,r,s)}}o(ps,"resolveSchema");wt.resolveSchema=ps;var zT=new Set(["properties","patternProperties","enum","dependencies","definitions"]);function sl(e,{baseId:t,schema:r,root:n}){var a;if(((a=e.fragment)===null||a===void 0?void 0:a[0])!=="/")return;for(let c of e.fragment.slice(1).split("/")){if(typeof r=="boolean")return;let d=r[(0,Vy.unescapeFragment)(c)];if(d===void 0)return;r=d;let p=typeof r=="object"&&r[this.opts.schemaId];!zT.has(c)&&p&&(t=(0,Tt.resolveUrl)(this.opts.uriResolver,t,p))}let i;if(typeof r!="boolean"&&r.$ref&&!(0,Vy.schemaHasRulesButRef)(r,this.RULES)){let c=(0,Tt.resolveUrl)(this.opts.uriResolver,t,r.$ref);i=ps.call(this,n,c)}let{schemaId:s}=this.opts;if(i=i||new co({schema:r,schemaId:s,root:n,baseId:t}),i.schema!==i.root.schema)return i}o(sl,"getJsonPointer")});var Zy=x((OF,$T)=>{$T.exports={$id:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#",description:"Meta-schema for $data reference (JSON AnySchema extension proposal)",type:"object",required:["$data"],properties:{$data:{type:"string",anyOf:[{format:"relative-json-pointer"},{format:"json-pointer"}]}},additionalProperties:!1}});var dl=x((MF,Yy)=>{"use strict";var qT=RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu),Jy=RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);function ul(e){let t="",r=0,n=0;for(n=0;n<e.length;n++)if(r=e[n].charCodeAt(0),r!==48){if(!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n];break}for(n+=1;n<e.length;n++){if(r=e[n].charCodeAt(0),!(r>=48&&r<=57||r>=65&&r<=70||r>=97&&r<=102))return"";t+=e[n]}return t}o(ul,"stringArrayToHexStripped");var NT=RegExp.prototype.test.bind(/[^!"$&'()*+,\-.;=_`a-z{}~]/u);function Ky(e){return e.length=0,!0}o(Ky,"consumeIsZone");function DT(e,t,r){if(e.length){let n=ul(e);if(n!=="")t.push(n);else return r.error=!0,!1;e.length=0}return!0}o(DT,"consumeHextets");function jT(e){let t=0,r={error:!1,address:"",zone:""},n=[],a=[],i=!1,s=!1,c=DT;for(let d=0;d<e.length;d++){let p=e[d];if(!(p==="["||p==="]"))if(p===":"){if(i===!0&&(s=!0),!c(a,n,r))break;if(++t>7){r.error=!0;break}d>0&&e[d-1]===":"&&(i=!0),n.push(":");continue}else if(p==="%"){if(!c(a,n,r))break;c=Ky}else{a.push(p);continue}}return a.length&&(c===Ky?r.zone=a.join(""):s?n.push(a.join("")):n.push(ul(a))),r.address=n.join(""),r}o(jT,"getIPV6");function Wy(e){if(HT(e,":")<2)return{host:e,isIPV6:!1};let t=jT(e);if(t.error)return{host:e,isIPV6:!1};{let r=t.address,n=t.address;return t.zone&&(r+="%"+t.zone,n+="%25"+t.zone),{host:r,isIPV6:!0,escapedHost:n}}}o(Wy,"normalizeIPv6");function HT(e,t){let r=0;for(let n=0;n<e.length;n++)e[n]===t&&r++;return r}o(HT,"findToken");function LT(e){let t=e,r=[],n=-1,a=0;for(;a=t.length;){if(a===1){if(t===".")break;if(t==="/"){r.push("/");break}else{r.push(t);break}}else if(a===2){if(t[0]==="."){if(t[1]===".")break;if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&(t[1]==="."||t[1]==="/")){r.push("/");break}}else if(a===3&&t==="/.."){r.length!==0&&r.pop(),r.push("/");break}if(t[0]==="."){if(t[1]==="."){if(t[2]==="/"){t=t.slice(3);continue}}else if(t[1]==="/"){t=t.slice(2);continue}}else if(t[0]==="/"&&t[1]==="."){if(t[2]==="/"){t=t.slice(2);continue}else if(t[2]==="."&&t[3]==="/"){t=t.slice(3),r.length!==0&&r.pop();continue}}if((n=t.indexOf("/",1))===-1){r.push(t);break}else r.push(t.slice(0,n)),t=t.slice(n)}return r.join("")}o(LT,"removeDotSegments");function BT(e,t){let r=t!==!0?escape:unescape;return e.scheme!==void 0&&(e.scheme=r(e.scheme)),e.userinfo!==void 0&&(e.userinfo=r(e.userinfo)),e.host!==void 0&&(e.host=r(e.host)),e.path!==void 0&&(e.path=r(e.path)),e.query!==void 0&&(e.query=r(e.query)),e.fragment!==void 0&&(e.fragment=r(e.fragment)),e}o(BT,"normalizeComponentEncoding");function GT(e){let t=[];if(e.userinfo!==void 0&&(t.push(e.userinfo),t.push("@")),e.host!==void 0){let r=unescape(e.host);if(!Jy(r)){let n=Wy(r);n.isIPV6===!0?r=`[${n.escapedHost}]`:r=e.host}t.push(r)}return(typeof e.port=="number"||typeof e.port=="string")&&(t.push(":"),t.push(String(e.port))),t.length?t.join(""):void 0}o(GT,"recomposeAuthority");Yy.exports={nonSimpleDomain:NT,recomposeAuthority:GT,normalizeComponentEncoding:BT,removeDotSegments:LT,isIPv4:Jy,isUUID:qT,normalizeIPv6:Wy,stringArrayToHexStripped:ul}});var rS=x(($F,tS)=>{"use strict";var{isUUID:VT}=dl(),FT=/([\da-z][\d\-a-z]{0,31}):((?:[\w!$'()*+,\-.:;=@]|%[\da-f]{2})+)/iu,ZT=["http","https","ws","wss","urn","urn:uuid"];function KT(e){return ZT.indexOf(e)!==-1}o(KT,"isValidSchemeName");function ll(e){return e.secure===!0?!0:e.secure===!1?!1:e.scheme?e.scheme.length===3&&(e.scheme[0]==="w"||e.scheme[0]==="W")&&(e.scheme[1]==="s"||e.scheme[1]==="S")&&(e.scheme[2]==="s"||e.scheme[2]==="S"):!1}o(ll,"wsIsSecure");function Xy(e){return e.host||(e.error=e.error||"HTTP URIs must have a host."),e}o(Xy,"httpParse");function Qy(e){let t=String(e.scheme).toLowerCase()==="https";return(e.port===(t?443:80)||e.port==="")&&(e.port=void 0),e.path||(e.path="/"),e}o(Qy,"httpSerialize");function JT(e){return e.secure=ll(e),e.resourceName=(e.path||"/")+(e.query?"?"+e.query:""),e.path=void 0,e.query=void 0,e}o(JT,"wsParse");function WT(e){if((e.port===(ll(e)?443:80)||e.port==="")&&(e.port=void 0),typeof e.secure=="boolean"&&(e.scheme=e.secure?"wss":"ws",e.secure=void 0),e.resourceName){let[t,r]=e.resourceName.split("?");e.path=t&&t!=="/"?t:void 0,e.query=r,e.resourceName=void 0}return e.fragment=void 0,e}o(WT,"wsSerialize");function YT(e,t){if(!e.path)return e.error="URN can not be parsed",e;let r=e.path.match(FT);if(r){let n=t.scheme||e.scheme||"urn";e.nid=r[1].toLowerCase(),e.nss=r[2];let a=`${n}:${t.nid||e.nid}`,i=pl(a);e.path=void 0,i&&(e=i.parse(e,t))}else e.error=e.error||"URN can not be parsed.";return e}o(YT,"urnParse");function XT(e,t){if(e.nid===void 0)throw new Error("URN without nid cannot be serialized");let r=t.scheme||e.scheme||"urn",n=e.nid.toLowerCase(),a=`${r}:${t.nid||n}`,i=pl(a);i&&(e=i.serialize(e,t));let s=e,c=e.nss;return s.path=`${n||t.nid}:${c}`,t.skipEscape=!0,s}o(XT,"urnSerialize");function QT(e,t){let r=e;return r.uuid=r.nss,r.nss=void 0,!t.tolerant&&(!r.uuid||!VT(r.uuid))&&(r.error=r.error||"UUID is not valid."),r}o(QT,"urnuuidParse");function eE(e){let t=e;return t.nss=(e.uuid||"").toLowerCase(),t}o(eE,"urnuuidSerialize");var eS={scheme:"http",domainHost:!0,parse:Xy,serialize:Qy},tE={scheme:"https",domainHost:eS.domainHost,parse:Xy,serialize:Qy},fs={scheme:"ws",domainHost:!0,parse:JT,serialize:WT},rE={scheme:"wss",domainHost:fs.domainHost,parse:fs.parse,serialize:fs.serialize},nE={scheme:"urn",parse:YT,serialize:XT,skipNormalize:!0},oE={scheme:"urn:uuid",parse:QT,serialize:eE,skipNormalize:!0},hs={http:eS,https:tE,ws:fs,wss:rE,urn:nE,"urn:uuid":oE};Object.setPrototypeOf(hs,null);function pl(e){return e&&(hs[e]||hs[e.toLowerCase()])||void 0}o(pl,"getSchemeHandler");tS.exports={wsIsSecure:ll,SCHEMES:hs,isValidSchemeName:KT,getSchemeHandler:pl}});var aS=x((NF,ys)=>{"use strict";var{normalizeIPv6:aE,removeDotSegments:ka,recomposeAuthority:iE,normalizeComponentEncoding:gs,isIPv4:sE,nonSimpleDomain:cE}=dl(),{SCHEMES:uE,getSchemeHandler:nS}=rS();function dE(e,t){return typeof e=="string"?e=Vt(fr(e,t),t):typeof e=="object"&&(e=fr(Vt(e,t),t)),e}o(dE,"normalize");function lE(e,t,r){let n=r?Object.assign({scheme:"null"},r):{scheme:"null"},a=oS(fr(e,n),fr(t,n),n,!0);return n.skipEscape=!0,Vt(a,n)}o(lE,"resolve");function oS(e,t,r,n){let a={};return n||(e=fr(Vt(e,r),r),t=fr(Vt(t,r),r)),r=r||{},!r.tolerant&&t.scheme?(a.scheme=t.scheme,a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=ka(t.path||""),a.query=t.query):(t.userinfo!==void 0||t.host!==void 0||t.port!==void 0?(a.userinfo=t.userinfo,a.host=t.host,a.port=t.port,a.path=ka(t.path||""),a.query=t.query):(t.path?(t.path[0]==="/"?a.path=ka(t.path):((e.userinfo!==void 0||e.host!==void 0||e.port!==void 0)&&!e.path?a.path="/"+t.path:e.path?a.path=e.path.slice(0,e.path.lastIndexOf("/")+1)+t.path:a.path=t.path,a.path=ka(a.path)),a.query=t.query):(a.path=e.path,t.query!==void 0?a.query=t.query:a.query=e.query),a.userinfo=e.userinfo,a.host=e.host,a.port=e.port),a.scheme=e.scheme),a.fragment=t.fragment,a}o(oS,"resolveComponent");function pE(e,t,r){return typeof e=="string"?(e=unescape(e),e=Vt(gs(fr(e,r),!0),{...r,skipEscape:!0})):typeof e=="object"&&(e=Vt(gs(e,!0),{...r,skipEscape:!0})),typeof t=="string"?(t=unescape(t),t=Vt(gs(fr(t,r),!0),{...r,skipEscape:!0})):typeof t=="object"&&(t=Vt(gs(t,!0),{...r,skipEscape:!0})),e.toLowerCase()===t.toLowerCase()}o(pE,"equal");function Vt(e,t){let r={host:e.host,scheme:e.scheme,userinfo:e.userinfo,port:e.port,path:e.path,query:e.query,nid:e.nid,nss:e.nss,uuid:e.uuid,fragment:e.fragment,reference:e.reference,resourceName:e.resourceName,secure:e.secure,error:""},n=Object.assign({},t),a=[],i=nS(n.scheme||r.scheme);i&&i.serialize&&i.serialize(r,n),r.path!==void 0&&(n.skipEscape?r.path=unescape(r.path):(r.path=escape(r.path),r.scheme!==void 0&&(r.path=r.path.split("%3A").join(":")))),n.reference!=="suffix"&&r.scheme&&a.push(r.scheme,":");let s=iE(r);if(s!==void 0&&(n.reference!=="suffix"&&a.push("//"),a.push(s),r.path&&r.path[0]!=="/"&&a.push("/")),r.path!==void 0){let c=r.path;!n.absolutePath&&(!i||!i.absolutePath)&&(c=ka(c)),s===void 0&&c[0]==="/"&&c[1]==="/"&&(c="/%2F"+c.slice(2)),a.push(c)}return r.query!==void 0&&a.push("?",r.query),r.fragment!==void 0&&a.push("#",r.fragment),a.join("")}o(Vt,"serialize");var mE=/^(?:([^#/:?]+):)?(?:\/\/((?:([^#/?@]*)@)?(\[[^#/?\]]+\]|[^#/:?]*)(?::(\d*))?))?([^#?]*)(?:\?([^#]*))?(?:#((?:.|[\n\r])*))?/u;function fr(e,t){let r=Object.assign({},t),n={scheme:void 0,userinfo:void 0,host:"",port:void 0,path:"",query:void 0,fragment:void 0},a=!1;r.reference==="suffix"&&(r.scheme?e=r.scheme+":"+e:e="//"+e);let i=e.match(mE);if(i){if(n.scheme=i[1],n.userinfo=i[3],n.host=i[4],n.port=parseInt(i[5],10),n.path=i[6]||"",n.query=i[7],n.fragment=i[8],isNaN(n.port)&&(n.port=i[5]),n.host)if(sE(n.host)===!1){let d=aE(n.host);n.host=d.host.toLowerCase(),a=d.isIPV6}else a=!0;n.scheme===void 0&&n.userinfo===void 0&&n.host===void 0&&n.port===void 0&&n.query===void 0&&!n.path?n.reference="same-document":n.scheme===void 0?n.reference="relative":n.fragment===void 0?n.reference="absolute":n.reference="uri",r.reference&&r.reference!=="suffix"&&r.reference!==n.reference&&(n.error=n.error||"URI is not a "+r.reference+" reference.");let s=nS(r.scheme||n.scheme);if(!r.unicodeSupport&&(!s||!s.unicodeSupport)&&n.host&&(r.domainHost||s&&s.domainHost)&&a===!1&&cE(n.host))try{n.host=URL.domainToASCII(n.host.toLowerCase())}catch(c){n.error=n.error||"Host's domain name can not be converted to ASCII: "+c}(!s||s&&!s.skipNormalize)&&(e.indexOf("%")!==-1&&(n.scheme!==void 0&&(n.scheme=unescape(n.scheme)),n.host!==void 0&&(n.host=unescape(n.host))),n.path&&(n.path=escape(unescape(n.path))),n.fragment&&(n.fragment=encodeURI(decodeURIComponent(n.fragment)))),s&&s.parse&&s.parse(n,r)}else n.error=n.error||"URI can not be parsed.";return n}o(fr,"parse");var ml={SCHEMES:uE,normalize:dE,resolve:lE,resolveComponent:oS,equal:pE,serialize:Vt,parse:fr};ys.exports=ml;ys.exports.default=ml;ys.exports.fastUri=ml});var sS=x(fl=>{"use strict";Object.defineProperty(fl,"__esModule",{value:!0});var iS=aS();iS.code='require("ajv/dist/runtime/uri").default';fl.default=iS});var hS=x(je=>{"use strict";Object.defineProperty(je,"__esModule",{value:!0});je.CodeGen=je.Name=je.nil=je.stringify=je.str=je._=je.KeywordCxt=void 0;var fE=Pa();Object.defineProperty(je,"KeywordCxt",{enumerable:!0,get:o(function(){return fE.KeywordCxt},"get")});var uo=W();Object.defineProperty(je,"_",{enumerable:!0,get:o(function(){return uo._},"get")});Object.defineProperty(je,"str",{enumerable:!0,get:o(function(){return uo.str},"get")});Object.defineProperty(je,"stringify",{enumerable:!0,get:o(function(){return uo.stringify},"get")});Object.defineProperty(je,"nil",{enumerable:!0,get:o(function(){return uo.nil},"get")});Object.defineProperty(je,"Name",{enumerable:!0,get:o(function(){return uo.Name},"get")});Object.defineProperty(je,"CodeGen",{enumerable:!0,get:o(function(){return uo.CodeGen},"get")});var hE=ls(),pS=xa(),gE=Bd(),Aa=ms(),yE=W(),Ta=Ra(),Ss=ba(),gl=ie(),cS=Zy(),SE=sS(),mS=o((e,t)=>new RegExp(e,t),"defaultRegExp");mS.code="new RegExp";var _E=["removeAdditional","useDefaults","coerceTypes"],vE=new Set(["validate","serialize","parse","wrapper","root","schema","keyword","pattern","formats","validate$data","func","obj","Error"]),wE={errorDataPath:"",format:"`validateFormats: false` can be used instead.",nullable:'"nullable" keyword is supported by default.',jsonPointers:"Deprecated jsPropertySyntax can be used instead.",extendRefs:"Deprecated ignoreKeywordsWithRef can be used instead.",missingRefs:"Pass empty schema with $id that should be ignored to ajv.addSchema.",processCode:"Use option `code: {process: (code, schemaEnv: object) => string}`",sourceCode:"Use option `code: {source: true}`",strictDefaults:"It is default now, see option `strict`.",strictKeywords:"It is default now, see option `strict`.",uniqueItems:'"uniqueItems" keyword is always validated.',unknownFormats:"Disable strict mode or pass `true` to `ajv.addFormat` (or `formats` option).",cache:"Map is used as cache, schema object as key.",serialize:"Map is used as cache, schema object as key.",ajvErrors:"It is default now."},bE={ignoreKeywordsWithRef:"",jsPropertySyntax:"",unicode:'"minLength"/"maxLength" account for unicode characters by default.'},uS=200;function RE(e){var t,r,n,a,i,s,c,d,p,l,m,h,g,S,y,_,v,w,b,N,j,Be,ht,En,wr;let Qt=e.strict,Yr=(t=e.code)===null||t===void 0?void 0:t.optimize,Io=Yr===!0||Yr===void 0?1:Yr||0,Po=(n=(r=e.code)===null||r===void 0?void 0:r.regExp)!==null&&n!==void 0?n:mS,xo=(a=e.uriResolver)!==null&&a!==void 0?a:SE.default;return{strictSchema:(s=(i=e.strictSchema)!==null&&i!==void 0?i:Qt)!==null&&s!==void 0?s:!0,strictNumbers:(d=(c=e.strictNumbers)!==null&&c!==void 0?c:Qt)!==null&&d!==void 0?d:!0,strictTypes:(l=(p=e.strictTypes)!==null&&p!==void 0?p:Qt)!==null&&l!==void 0?l:"log",strictTuples:(h=(m=e.strictTuples)!==null&&m!==void 0?m:Qt)!==null&&h!==void 0?h:"log",strictRequired:(S=(g=e.strictRequired)!==null&&g!==void 0?g:Qt)!==null&&S!==void 0?S:!1,code:e.code?{...e.code,optimize:Io,regExp:Po}:{optimize:Io,regExp:Po},loopRequired:(y=e.loopRequired)!==null&&y!==void 0?y:uS,loopEnum:(_=e.loopEnum)!==null&&_!==void 0?_:uS,meta:(v=e.meta)!==null&&v!==void 0?v:!0,messages:(w=e.messages)!==null&&w!==void 0?w:!0,inlineRefs:(b=e.inlineRefs)!==null&&b!==void 0?b:!0,schemaId:(N=e.schemaId)!==null&&N!==void 0?N:"$id",addUsedSchema:(j=e.addUsedSchema)!==null&&j!==void 0?j:!0,validateSchema:(Be=e.validateSchema)!==null&&Be!==void 0?Be:!0,validateFormats:(ht=e.validateFormats)!==null&&ht!==void 0?ht:!0,unicodeRegExp:(En=e.unicodeRegExp)!==null&&En!==void 0?En:!0,int32range:(wr=e.int32range)!==null&&wr!==void 0?wr:!0,uriResolver:xo}}o(RE,"requiredOptions");var Ea=class{static{o(this,"Ajv")}constructor(t={}){this.schemas={},this.refs={},this.formats={},this._compilations=new Set,this._loading={},this._cache=new Map,t=this.opts={...t,...RE(t)};let{es5:r,lines:n}=this.opts.code;this.scope=new yE.ValueScope({scope:{},prefixes:vE,es5:r,lines:n}),this.logger=AE(t.logger);let a=t.validateFormats;t.validateFormats=!1,this.RULES=(0,gE.getRules)(),dS.call(this,wE,t,"NOT SUPPORTED"),dS.call(this,bE,t,"DEPRECATED","warn"),this._metaOpts=xE.call(this),t.formats&&IE.call(this),this._addVocabularies(),this._addDefaultMetaSchema(),t.keywords&&PE.call(this,t.keywords),typeof t.meta=="object"&&this.addMetaSchema(t.meta),CE.call(this),t.validateFormats=a}_addVocabularies(){this.addKeyword("$async")}_addDefaultMetaSchema(){let{$data:t,meta:r,schemaId:n}=this.opts,a=cS;n==="id"&&(a={...cS},a.id=a.$id,delete a.$id),r&&t&&this.addMetaSchema(a,a[n],!1)}defaultMeta(){let{meta:t,schemaId:r}=this.opts;return this.opts.defaultMeta=typeof t=="object"?t[r]||t:void 0}validate(t,r){let n;if(typeof t=="string"){if(n=this.getSchema(t),!n)throw new Error(`no schema with key or ref "${t}"`)}else n=this.compile(t);let a=n(r);return"$async"in n||(this.errors=n.errors),a}compile(t,r){let n=this._addSchema(t,r);return n.validate||this._compileSchemaEnv(n)}compileAsync(t,r){if(typeof this.opts.loadSchema!="function")throw new Error("options.loadSchema should be a function");let{loadSchema:n}=this.opts;return a.call(this,t,r);async function a(l,m){await i.call(this,l.$schema);let h=this._addSchema(l,m);return h.validate||s.call(this,h)}async function i(l){l&&!this.getSchema(l)&&await a.call(this,{$ref:l},!0)}async function s(l){try{return this._compileSchemaEnv(l)}catch(m){if(!(m instanceof pS.default))throw m;return c.call(this,m),await d.call(this,m.missingSchema),s.call(this,l)}}function c({missingSchema:l,missingRef:m}){if(this.refs[l])throw new Error(`AnySchema ${l} is loaded but ${m} cannot be resolved`)}async function d(l){let m=await p.call(this,l);this.refs[l]||await i.call(this,m.$schema),this.refs[l]||this.addSchema(m,l,r)}async function p(l){let m=this._loading[l];if(m)return m;try{return await(this._loading[l]=n(l))}finally{delete this._loading[l]}}}addSchema(t,r,n,a=this.opts.validateSchema){if(Array.isArray(t)){for(let s of t)this.addSchema(s,void 0,n,a);return this}let i;if(typeof t=="object"){let{schemaId:s}=this.opts;if(i=t[s],i!==void 0&&typeof i!="string")throw new Error(`schema ${s} must be string`)}return r=(0,Ta.normalizeId)(r||i),this._checkUnique(r),this.schemas[r]=this._addSchema(t,n,r,a,!0),this}addMetaSchema(t,r,n=this.opts.validateSchema){return this.addSchema(t,r,!0,n),this}validateSchema(t,r){if(typeof t=="boolean")return!0;let n;if(n=t.$schema,n!==void 0&&typeof n!="string")throw new Error("$schema must be a string");if(n=n||this.opts.defaultMeta||this.defaultMeta(),!n)return this.logger.warn("meta-schema not available"),this.errors=null,!0;let a=this.validate(n,t);if(!a&&r){let i="schema is invalid: "+this.errorsText();if(this.opts.validateSchema==="log")this.logger.error(i);else throw new Error(i)}return a}getSchema(t){let r;for(;typeof(r=lS.call(this,t))=="string";)t=r;if(r===void 0){let{schemaId:n}=this.opts,a=new Aa.SchemaEnv({schema:{},schemaId:n});if(r=Aa.resolveSchema.call(this,a,t),!r)return;this.refs[t]=r}return r.validate||this._compileSchemaEnv(r)}removeSchema(t){if(t instanceof RegExp)return this._removeAllSchemas(this.schemas,t),this._removeAllSchemas(this.refs,t),this;switch(typeof t){case"undefined":return this._removeAllSchemas(this.schemas),this._removeAllSchemas(this.refs),this._cache.clear(),this;case"string":{let r=lS.call(this,t);return typeof r=="object"&&this._cache.delete(r.schema),delete this.schemas[t],delete this.refs[t],this}case"object":{let r=t;this._cache.delete(r);let n=t[this.opts.schemaId];return n&&(n=(0,Ta.normalizeId)(n),delete this.schemas[n],delete this.refs[n]),this}default:throw new Error("ajv.removeSchema: invalid parameter")}}addVocabulary(t){for(let r of t)this.addKeyword(r);return this}addKeyword(t,r){let n;if(typeof t=="string")n=t,typeof r=="object"&&(this.logger.warn("these parameters are deprecated, see docs for addKeyword"),r.keyword=n);else if(typeof t=="object"&&r===void 0){if(r=t,n=r.keyword,Array.isArray(n)&&!n.length)throw new Error("addKeywords: keyword must be string or non-empty array")}else throw new Error("invalid addKeywords parameters");if(EE.call(this,n,r),!r)return(0,gl.eachItem)(n,i=>hl.call(this,i)),this;OE.call(this,r);let a={...r,type:(0,Ss.getJSONTypes)(r.type),schemaType:(0,Ss.getJSONTypes)(r.schemaType)};return(0,gl.eachItem)(n,a.type.length===0?i=>hl.call(this,i,a):i=>a.type.forEach(s=>hl.call(this,i,a,s))),this}getKeyword(t){let r=this.RULES.all[t];return typeof r=="object"?r.definition:!!r}removeKeyword(t){let{RULES:r}=this;delete r.keywords[t],delete r.all[t];for(let n of r.rules){let a=n.rules.findIndex(i=>i.keyword===t);a>=0&&n.rules.splice(a,1)}return this}addFormat(t,r){return typeof r=="string"&&(r=new RegExp(r)),this.formats[t]=r,this}errorsText(t=this.errors,{separator:r=", ",dataVar:n="data"}={}){return!t||t.length===0?"No errors":t.map(a=>`${n}${a.instancePath} ${a.message}`).reduce((a,i)=>a+r+i)}$dataMetaSchema(t,r){let n=this.RULES.all;t=JSON.parse(JSON.stringify(t));for(let a of r){let i=a.split("/").slice(1),s=t;for(let c of i)s=s[c];for(let c in n){let d=n[c];if(typeof d!="object")continue;let{$data:p}=d.definition,l=s[c];p&&l&&(s[c]=fS(l))}}return t}_removeAllSchemas(t,r){for(let n in t){let a=t[n];(!r||r.test(n))&&(typeof a=="string"?delete t[n]:a&&!a.meta&&(this._cache.delete(a.schema),delete t[n]))}}_addSchema(t,r,n,a=this.opts.validateSchema,i=this.opts.addUsedSchema){let s,{schemaId:c}=this.opts;if(typeof t=="object")s=t[c];else{if(this.opts.jtd)throw new Error("schema must be object");if(typeof t!="boolean")throw new Error("schema must be object or boolean")}let d=this._cache.get(t);if(d!==void 0)return d;n=(0,Ta.normalizeId)(s||n);let p=Ta.getSchemaRefs.call(this,t,n);return d=new Aa.SchemaEnv({schema:t,schemaId:c,meta:r,baseId:n,localRefs:p}),this._cache.set(d.schema,d),i&&!n.startsWith("#")&&(n&&this._checkUnique(n),this.refs[n]=d),a&&this.validateSchema(t,!0),d}_checkUnique(t){if(this.schemas[t]||this.refs[t])throw new Error(`schema with key or id "${t}" already exists`)}_compileSchemaEnv(t){if(t.meta?this._compileMetaSchema(t):Aa.compileSchema.call(this,t),!t.validate)throw new Error("ajv implementation error");return t.validate}_compileMetaSchema(t){let r=this.opts;this.opts=this._metaOpts;try{Aa.compileSchema.call(this,t)}finally{this.opts=r}}};Ea.ValidationError=hE.default;Ea.MissingRefError=pS.default;je.default=Ea;function dS(e,t,r,n="error"){for(let a in e){let i=a;i in t&&this.logger[n](`${r}: option ${a}. ${e[i]}`)}}o(dS,"checkOptions");function lS(e){return e=(0,Ta.normalizeId)(e),this.schemas[e]||this.refs[e]}o(lS,"getSchEnv");function CE(){let e=this.opts.schemas;if(e)if(Array.isArray(e))this.addSchema(e);else for(let t in e)this.addSchema(e[t],t)}o(CE,"addInitialSchemas");function IE(){for(let e in this.opts.formats){let t=this.opts.formats[e];t&&this.addFormat(e,t)}}o(IE,"addInitialFormats");function PE(e){if(Array.isArray(e)){this.addVocabulary(e);return}this.logger.warn("keywords option as map is deprecated, pass array");for(let t in e){let r=e[t];r.keyword||(r.keyword=t),this.addKeyword(r)}}o(PE,"addInitialKeywords");function xE(){let e={...this.opts};for(let t of _E)delete e[t];return e}o(xE,"getMetaSchemaOptions");var kE={log(){},warn(){},error(){}};function AE(e){if(e===!1)return kE;if(e===void 0)return console;if(e.log&&e.warn&&e.error)return e;throw new Error("logger must implement log, warn and error methods")}o(AE,"getLogger");var TE=/^[a-z_$][a-z0-9_$:-]*$/i;function EE(e,t){let{RULES:r}=this;if((0,gl.eachItem)(e,n=>{if(r.keywords[n])throw new Error(`Keyword ${n} is already defined`);if(!TE.test(n))throw new Error(`Keyword ${n} has invalid name`)}),!!t&&t.$data&&!("code"in t||"validate"in t))throw new Error('$data keyword must have "code" or "validate" function')}o(EE,"checkKeyword");function hl(e,t,r){var n;let a=t?.post;if(r&&a)throw new Error('keyword with "post" flag cannot have "type"');let{RULES:i}=this,s=a?i.post:i.rules.find(({type:d})=>d===r);if(s||(s={type:r,rules:[]},i.rules.push(s)),i.keywords[e]=!0,!t)return;let c={keyword:e,definition:{...t,type:(0,Ss.getJSONTypes)(t.type),schemaType:(0,Ss.getJSONTypes)(t.schemaType)}};t.before?UE.call(this,s,c,t.before):s.rules.push(c),i.all[e]=c,(n=t.implements)===null||n===void 0||n.forEach(d=>this.addKeyword(d))}o(hl,"addRule");function UE(e,t,r){let n=e.rules.findIndex(a=>a.keyword===r);n>=0?e.rules.splice(n,0,t):(e.rules.push(t),this.logger.warn(`rule ${r} is not defined`))}o(UE,"addBeforeRule");function OE(e){let{metaSchema:t}=e;t!==void 0&&(e.$data&&this.opts.$data&&(t=fS(t)),e.validateSchema=this.compile(t,!0))}o(OE,"keywordMetaschema");var ME={$ref:"https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#"};function fS(e){return{anyOf:[e,ME]}}o(fS,"schemaOrData")});var gS=x(yl=>{"use strict";Object.defineProperty(yl,"__esModule",{value:!0});var zE={keyword:"id",code(){throw new Error('NOT SUPPORTED: keyword "id", use "$id" for schema ID')}};yl.default=zE});var vS=x(vn=>{"use strict";Object.defineProperty(vn,"__esModule",{value:!0});vn.callRef=vn.getValidate=void 0;var $E=xa(),yS=vt(),st=W(),lo=pr(),SS=ms(),_s=ie(),qE={keyword:"$ref",schemaType:"string",code(e){let{gen:t,schema:r,it:n}=e,{baseId:a,schemaEnv:i,validateName:s,opts:c,self:d}=n,{root:p}=i;if((r==="#"||r==="#/")&&a===p.baseId)return m();let l=SS.resolveRef.call(d,p,a,r);if(l===void 0)throw new $E.default(n.opts.uriResolver,a,r);if(l instanceof SS.SchemaEnv)return h(l);return g(l);function m(){if(i===p)return vs(e,s,i,i.$async);let S=t.scopeValue("root",{ref:p});return vs(e,(0,st._)`${S}.validate`,p,p.$async)}function h(S){let y=_S(e,S);vs(e,y,S,S.$async)}function g(S){let y=t.scopeValue("schema",c.code.source===!0?{ref:S,code:(0,st.stringify)(S)}:{ref:S}),_=t.name("valid"),v=e.subschema({schema:S,dataTypes:[],schemaPath:st.nil,topSchemaRef:y,errSchemaPath:r},_);e.mergeEvaluated(v),e.ok(_)}}};function _S(e,t){let{gen:r}=e;return t.validate?r.scopeValue("validate",{ref:t.validate}):(0,st._)`${r.scopeValue("wrapper",{ref:t})}.validate`}o(_S,"getValidate");vn.getValidate=_S;function vs(e,t,r,n){let{gen:a,it:i}=e,{allErrors:s,schemaEnv:c,opts:d}=i,p=d.passContext?lo.default.this:st.nil;n?l():m();function l(){if(!c.$async)throw new Error("async schema referenced by sync schema");let S=a.let("valid");a.try(()=>{a.code((0,st._)`await ${(0,yS.callValidateCode)(e,t,p)}`),g(t),s||a.assign(S,!0)},y=>{a.if((0,st._)`!(${y} instanceof ${i.ValidationError})`,()=>a.throw(y)),h(y),s||a.assign(S,!1)}),e.ok(S)}o(l,"callAsyncRef");function m(){e.result((0,yS.callValidateCode)(e,t,p),()=>g(t),()=>h(t))}o(m,"callSyncRef");function h(S){let y=(0,st._)`${S}.errors`;a.assign(lo.default.vErrors,(0,st._)`${lo.default.vErrors} === null ? ${y} : ${lo.default.vErrors}.concat(${y})`),a.assign(lo.default.errors,(0,st._)`${lo.default.vErrors}.length`)}o(h,"addErrorsFrom");function g(S){var y;if(!i.opts.unevaluated)return;let _=(y=r?.validate)===null||y===void 0?void 0:y.evaluated;if(i.props!==!0)if(_&&!_.dynamicProps)_.props!==void 0&&(i.props=_s.mergeEvaluated.props(a,_.props,i.props));else{let v=a.var("props",(0,st._)`${S}.evaluated.props`);i.props=_s.mergeEvaluated.props(a,v,i.props,st.Name)}if(i.items!==!0)if(_&&!_.dynamicItems)_.items!==void 0&&(i.items=_s.mergeEvaluated.items(a,_.items,i.items));else{let v=a.var("items",(0,st._)`${S}.evaluated.items`);i.items=_s.mergeEvaluated.items(a,v,i.items,st.Name)}}o(g,"addEvaluatedFrom")}o(vs,"callRef");vn.callRef=vs;vn.default=qE});var wS=x(Sl=>{"use strict";Object.defineProperty(Sl,"__esModule",{value:!0});var NE=gS(),DE=vS(),jE=["$schema","$id","$defs","$vocabulary",{keyword:"$comment"},"definitions",NE.default,DE.default];Sl.default=jE});var bS=x(_l=>{"use strict";Object.defineProperty(_l,"__esModule",{value:!0});var ws=W(),Gr=ws.operators,bs={maximum:{okStr:"<=",ok:Gr.LTE,fail:Gr.GT},minimum:{okStr:">=",ok:Gr.GTE,fail:Gr.LT},exclusiveMaximum:{okStr:"<",ok:Gr.LT,fail:Gr.GTE},exclusiveMinimum:{okStr:">",ok:Gr.GT,fail:Gr.LTE}},HE={message:o(({keyword:e,schemaCode:t})=>(0,ws.str)`must be ${bs[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,ws._)`{comparison: ${bs[e].okStr}, limit: ${t}}`,"params")},LE={keyword:Object.keys(bs),type:"number",schemaType:"number",$data:!0,error:HE,code(e){let{keyword:t,data:r,schemaCode:n}=e;e.fail$data((0,ws._)`${r} ${bs[t].fail} ${n} || isNaN(${r})`)}};_l.default=LE});var RS=x(vl=>{"use strict";Object.defineProperty(vl,"__esModule",{value:!0});var Ua=W(),BE={message:o(({schemaCode:e})=>(0,Ua.str)`must be multiple of ${e}`,"message"),params:o(({schemaCode:e})=>(0,Ua._)`{multipleOf: ${e}}`,"params")},GE={keyword:"multipleOf",type:"number",schemaType:"number",$data:!0,error:BE,code(e){let{gen:t,data:r,schemaCode:n,it:a}=e,i=a.opts.multipleOfPrecision,s=t.let("res"),c=i?(0,Ua._)`Math.abs(Math.round(${s}) - ${s}) > 1e-${i}`:(0,Ua._)`${s} !== parseInt(${s})`;e.fail$data((0,Ua._)`(${n} === 0 || (${s} = ${r}/${n}, ${c}))`)}};vl.default=GE});var IS=x(wl=>{"use strict";Object.defineProperty(wl,"__esModule",{value:!0});function CS(e){let t=e.length,r=0,n=0,a;for(;n<t;)r++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<t&&(a=e.charCodeAt(n),(a&64512)===56320&&n++);return r}o(CS,"ucs2length");wl.default=CS;CS.code='require("ajv/dist/runtime/ucs2length").default'});var PS=x(bl=>{"use strict";Object.defineProperty(bl,"__esModule",{value:!0});var wn=W(),VE=ie(),FE=IS(),ZE={message({keyword:e,schemaCode:t}){let r=e==="maxLength"?"more":"fewer";return(0,wn.str)`must NOT have ${r} than ${t} characters`},params:o(({schemaCode:e})=>(0,wn._)`{limit: ${e}}`,"params")},KE={keyword:["maxLength","minLength"],type:"string",schemaType:"number",$data:!0,error:ZE,code(e){let{keyword:t,data:r,schemaCode:n,it:a}=e,i=t==="maxLength"?wn.operators.GT:wn.operators.LT,s=a.opts.unicode===!1?(0,wn._)`${r}.length`:(0,wn._)`${(0,VE.useFunc)(e.gen,FE.default)}(${r})`;e.fail$data((0,wn._)`${s} ${i} ${n}`)}};bl.default=KE});var xS=x(Rl=>{"use strict";Object.defineProperty(Rl,"__esModule",{value:!0});var JE=vt(),Rs=W(),WE={message:o(({schemaCode:e})=>(0,Rs.str)`must match pattern "${e}"`,"message"),params:o(({schemaCode:e})=>(0,Rs._)`{pattern: ${e}}`,"params")},YE={keyword:"pattern",type:"string",schemaType:"string",$data:!0,error:WE,code(e){let{data:t,$data:r,schema:n,schemaCode:a,it:i}=e,s=i.opts.unicodeRegExp?"u":"",c=r?(0,Rs._)`(new RegExp(${a}, ${s}))`:(0,JE.usePattern)(e,n);e.fail$data((0,Rs._)`!${c}.test(${t})`)}};Rl.default=YE});var kS=x(Cl=>{"use strict";Object.defineProperty(Cl,"__esModule",{value:!0});var Oa=W(),XE={message({keyword:e,schemaCode:t}){let r=e==="maxProperties"?"more":"fewer";return(0,Oa.str)`must NOT have ${r} than ${t} properties`},params:o(({schemaCode:e})=>(0,Oa._)`{limit: ${e}}`,"params")},QE={keyword:["maxProperties","minProperties"],type:"object",schemaType:"number",$data:!0,error:XE,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxProperties"?Oa.operators.GT:Oa.operators.LT;e.fail$data((0,Oa._)`Object.keys(${r}).length ${a} ${n}`)}};Cl.default=QE});var AS=x(Il=>{"use strict";Object.defineProperty(Il,"__esModule",{value:!0});var Ma=vt(),za=W(),e0=ie(),t0={message:o(({params:{missingProperty:e}})=>(0,za.str)`must have required property '${e}'`,"message"),params:o(({params:{missingProperty:e}})=>(0,za._)`{missingProperty: ${e}}`,"params")},r0={keyword:"required",type:"object",schemaType:"array",$data:!0,error:t0,code(e){let{gen:t,schema:r,schemaCode:n,data:a,$data:i,it:s}=e,{opts:c}=s;if(!i&&r.length===0)return;let d=r.length>=c.loopRequired;if(s.allErrors?p():l(),c.strictRequired){let g=e.parentSchema.properties,{definedProperties:S}=e.it;for(let y of r)if(g?.[y]===void 0&&!S.has(y)){let _=s.schemaEnv.baseId+s.errSchemaPath,v=`required property "${y}" is not defined at "${_}" (strictRequired)`;(0,e0.checkStrictMode)(s,v,s.opts.strictRequired)}}function p(){if(d||i)e.block$data(za.nil,m);else for(let g of r)(0,Ma.checkReportMissingProp)(e,g)}o(p,"allErrorsMode");function l(){let g=t.let("missing");if(d||i){let S=t.let("valid",!0);e.block$data(S,()=>h(g,S)),e.ok(S)}else t.if((0,Ma.checkMissingProp)(e,r,g)),(0,Ma.reportMissingProp)(e,g),t.else()}o(l,"exitOnErrorMode");function m(){t.forOf("prop",n,g=>{e.setParams({missingProperty:g}),t.if((0,Ma.noPropertyInData)(t,a,g,c.ownProperties),()=>e.error())})}o(m,"loopAllRequired");function h(g,S){e.setParams({missingProperty:g}),t.forOf(g,n,()=>{t.assign(S,(0,Ma.propertyInData)(t,a,g,c.ownProperties)),t.if((0,za.not)(S),()=>{e.error(),t.break()})},za.nil)}o(h,"loopUntilMissing")}};Il.default=r0});var TS=x(Pl=>{"use strict";Object.defineProperty(Pl,"__esModule",{value:!0});var $a=W(),n0={message({keyword:e,schemaCode:t}){let r=e==="maxItems"?"more":"fewer";return(0,$a.str)`must NOT have ${r} than ${t} items`},params:o(({schemaCode:e})=>(0,$a._)`{limit: ${e}}`,"params")},o0={keyword:["maxItems","minItems"],type:"array",schemaType:"number",$data:!0,error:n0,code(e){let{keyword:t,data:r,schemaCode:n}=e,a=t==="maxItems"?$a.operators.GT:$a.operators.LT;e.fail$data((0,$a._)`${r}.length ${a} ${n}`)}};Pl.default=o0});var Cs=x(xl=>{"use strict";Object.defineProperty(xl,"__esModule",{value:!0});var ES=Yd();ES.code='require("ajv/dist/runtime/equal").default';xl.default=ES});var US=x(Al=>{"use strict";Object.defineProperty(Al,"__esModule",{value:!0});var kl=ba(),He=W(),a0=ie(),i0=Cs(),s0={message:o(({params:{i:e,j:t}})=>(0,He.str)`must NOT have duplicate items (items ## ${t} and ${e} are identical)`,"message"),params:o(({params:{i:e,j:t}})=>(0,He._)`{i: ${e}, j: ${t}}`,"params")},c0={keyword:"uniqueItems",type:"array",schemaType:"boolean",$data:!0,error:s0,code(e){let{gen:t,data:r,$data:n,schema:a,parentSchema:i,schemaCode:s,it:c}=e;if(!n&&!a)return;let d=t.let("valid"),p=i.items?(0,kl.getSchemaTypes)(i.items):[];e.block$data(d,l,(0,He._)`${s} === false`),e.ok(d);function l(){let S=t.let("i",(0,He._)`${r}.length`),y=t.let("j");e.setParams({i:S,j:y}),t.assign(d,!0),t.if((0,He._)`${S} > 1`,()=>(m()?h:g)(S,y))}o(l,"validateUniqueItems");function m(){return p.length>0&&!p.some(S=>S==="object"||S==="array")}o(m,"canOptimize");function h(S,y){let _=t.name("item"),v=(0,kl.checkDataTypes)(p,_,c.opts.strictNumbers,kl.DataType.Wrong),w=t.const("indices",(0,He._)`{}`);t.for((0,He._)`;${S}--;`,()=>{t.let(_,(0,He._)`${r}[${S}]`),t.if(v,(0,He._)`continue`),p.length>1&&t.if((0,He._)`typeof ${_} == "string"`,(0,He._)`${_} += "_"`),t.if((0,He._)`typeof ${w}[${_}] == "number"`,()=>{t.assign(y,(0,He._)`${w}[${_}]`),e.error(),t.assign(d,!1).break()}).code((0,He._)`${w}[${_}] = ${S}`)})}o(h,"loopN");function g(S,y){let _=(0,a0.useFunc)(t,i0.default),v=t.name("outer");t.label(v).for((0,He._)`;${S}--;`,()=>t.for((0,He._)`${y} = ${S}; ${y}--;`,()=>t.if((0,He._)`${_}(${r}[${S}], ${r}[${y}])`,()=>{e.error(),t.assign(d,!1).break(v)})))}o(g,"loopN2")}};Al.default=c0});var OS=x(El=>{"use strict";Object.defineProperty(El,"__esModule",{value:!0});var Tl=W(),u0=ie(),d0=Cs(),l0={message:"must be equal to constant",params:o(({schemaCode:e})=>(0,Tl._)`{allowedValue: ${e}}`,"params")},p0={keyword:"const",$data:!0,error:l0,code(e){let{gen:t,data:r,$data:n,schemaCode:a,schema:i}=e;n||i&&typeof i=="object"?e.fail$data((0,Tl._)`!${(0,u0.useFunc)(t,d0.default)}(${r}, ${a})`):e.fail((0,Tl._)`${i} !== ${r}`)}};El.default=p0});var MS=x(Ul=>{"use strict";Object.defineProperty(Ul,"__esModule",{value:!0});var qa=W(),m0=ie(),f0=Cs(),h0={message:"must be equal to one of the allowed values",params:o(({schemaCode:e})=>(0,qa._)`{allowedValues: ${e}}`,"params")},g0={keyword:"enum",schemaType:"array",$data:!0,error:h0,code(e){let{gen:t,data:r,$data:n,schema:a,schemaCode:i,it:s}=e;if(!n&&a.length===0)throw new Error("enum must have non-empty array");let c=a.length>=s.opts.loopEnum,d,p=o(()=>d??(d=(0,m0.useFunc)(t,f0.default)),"getEql"),l;if(c||n)l=t.let("valid"),e.block$data(l,m);else{if(!Array.isArray(a))throw new Error("ajv implementation error");let g=t.const("vSchema",i);l=(0,qa.or)(...a.map((S,y)=>h(g,y)))}e.pass(l);function m(){t.assign(l,!1),t.forOf("v",i,g=>t.if((0,qa._)`${p()}(${r}, ${g})`,()=>t.assign(l,!0).break()))}o(m,"loopEnum");function h(g,S){let y=a[S];return typeof y=="object"&&y!==null?(0,qa._)`${p()}(${r}, ${g}[${S}])`:(0,qa._)`${r} === ${y}`}o(h,"equalCode")}};Ul.default=g0});var zS=x(Ol=>{"use strict";Object.defineProperty(Ol,"__esModule",{value:!0});var y0=bS(),S0=RS(),_0=PS(),v0=xS(),w0=kS(),b0=AS(),R0=TS(),C0=US(),I0=OS(),P0=MS(),x0=[y0.default,S0.default,_0.default,v0.default,w0.default,b0.default,R0.default,C0.default,{keyword:"type",schemaType:["string","array"]},{keyword:"nullable",schemaType:"boolean"},I0.default,P0.default];Ol.default=x0});var zl=x(Na=>{"use strict";Object.defineProperty(Na,"__esModule",{value:!0});Na.validateAdditionalItems=void 0;var bn=W(),Ml=ie(),k0={message:o(({params:{len:e}})=>(0,bn.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,bn._)`{limit: ${e}}`,"params")},A0={keyword:"additionalItems",type:"array",schemaType:["boolean","object"],before:"uniqueItems",error:k0,code(e){let{parentSchema:t,it:r}=e,{items:n}=t;if(!Array.isArray(n)){(0,Ml.checkStrictMode)(r,'"additionalItems" is ignored when "items" is not an array of schemas');return}$S(e,n)}};function $S(e,t){let{gen:r,schema:n,data:a,keyword:i,it:s}=e;s.items=!0;let c=r.const("len",(0,bn._)`${a}.length`);if(n===!1)e.setParams({len:t.length}),e.pass((0,bn._)`${c} <= ${t.length}`);else if(typeof n=="object"&&!(0,Ml.alwaysValidSchema)(s,n)){let p=r.var("valid",(0,bn._)`${c} <= ${t.length}`);r.if((0,bn.not)(p),()=>d(p)),e.ok(p)}function d(p){r.forRange("i",t.length,c,l=>{e.subschema({keyword:i,dataProp:l,dataPropType:Ml.Type.Num},p),s.allErrors||r.if((0,bn.not)(p),()=>r.break())})}o(d,"validateItems")}o($S,"validateAdditionalItems");Na.validateAdditionalItems=$S;Na.default=A0});var $l=x(Da=>{"use strict";Object.defineProperty(Da,"__esModule",{value:!0});Da.validateTuple=void 0;var qS=W(),Is=ie(),T0=vt(),E0={keyword:"items",type:"array",schemaType:["object","array","boolean"],before:"uniqueItems",code(e){let{schema:t,it:r}=e;if(Array.isArray(t))return NS(e,"additionalItems",t);r.items=!0,!(0,Is.alwaysValidSchema)(r,t)&&e.ok((0,T0.validateArray)(e))}};function NS(e,t,r=e.schema){let{gen:n,parentSchema:a,data:i,keyword:s,it:c}=e;l(a),c.opts.unevaluated&&r.length&&c.items!==!0&&(c.items=Is.mergeEvaluated.items(n,r.length,c.items));let d=n.name("valid"),p=n.const("len",(0,qS._)`${i}.length`);r.forEach((m,h)=>{(0,Is.alwaysValidSchema)(c,m)||(n.if((0,qS._)`${p} > ${h}`,()=>e.subschema({keyword:s,schemaProp:h,dataProp:h},d)),e.ok(d))});function l(m){let{opts:h,errSchemaPath:g}=c,S=r.length,y=S===m.minItems&&(S===m.maxItems||m[t]===!1);if(h.strictTuples&&!y){let _=`"${s}" is ${S}-tuple, but minItems or maxItems/${t} are not specified or different at path "${g}"`;(0,Is.checkStrictMode)(c,_,h.strictTuples)}}o(l,"checkStrictTuple")}o(NS,"validateTuple");Da.validateTuple=NS;Da.default=E0});var DS=x(ql=>{"use strict";Object.defineProperty(ql,"__esModule",{value:!0});var U0=$l(),O0={keyword:"prefixItems",type:"array",schemaType:["array"],before:"uniqueItems",code:o(e=>(0,U0.validateTuple)(e,"items"),"code")};ql.default=O0});var HS=x(Nl=>{"use strict";Object.defineProperty(Nl,"__esModule",{value:!0});var jS=W(),M0=ie(),z0=vt(),$0=zl(),q0={message:o(({params:{len:e}})=>(0,jS.str)`must NOT have more than ${e} items`,"message"),params:o(({params:{len:e}})=>(0,jS._)`{limit: ${e}}`,"params")},N0={keyword:"items",type:"array",schemaType:["object","boolean"],before:"uniqueItems",error:q0,code(e){let{schema:t,parentSchema:r,it:n}=e,{prefixItems:a}=r;n.items=!0,!(0,M0.alwaysValidSchema)(n,t)&&(a?(0,$0.validateAdditionalItems)(e,a):e.ok((0,z0.validateArray)(e)))}};Nl.default=N0});var LS=x(Dl=>{"use strict";Object.defineProperty(Dl,"__esModule",{value:!0});var bt=W(),Ps=ie(),D0={message:o(({params:{min:e,max:t}})=>t===void 0?(0,bt.str)`must contain at least ${e} valid item(s)`:(0,bt.str)`must contain at least ${e} and no more than ${t} valid item(s)`,"message"),params:o(({params:{min:e,max:t}})=>t===void 0?(0,bt._)`{minContains: ${e}}`:(0,bt._)`{minContains: ${e}, maxContains: ${t}}`,"params")},j0={keyword:"contains",type:"array",schemaType:["object","boolean"],before:"uniqueItems",trackErrors:!0,error:D0,code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e,s,c,{minContains:d,maxContains:p}=n;i.opts.next?(s=d===void 0?1:d,c=p):s=1;let l=t.const("len",(0,bt._)`${a}.length`);if(e.setParams({min:s,max:c}),c===void 0&&s===0){(0,Ps.checkStrictMode)(i,'"minContains" == 0 without "maxContains": "contains" keyword ignored');return}if(c!==void 0&&s>c){(0,Ps.checkStrictMode)(i,'"minContains" > "maxContains" is always invalid'),e.fail();return}if((0,Ps.alwaysValidSchema)(i,r)){let y=(0,bt._)`${l} >= ${s}`;c!==void 0&&(y=(0,bt._)`${y} && ${l} <= ${c}`),e.pass(y);return}i.items=!0;let m=t.name("valid");c===void 0&&s===1?g(m,()=>t.if(m,()=>t.break())):s===0?(t.let(m,!0),c!==void 0&&t.if((0,bt._)`${a}.length > 0`,h)):(t.let(m,!1),h()),e.result(m,()=>e.reset());function h(){let y=t.name("_valid"),_=t.let("count",0);g(y,()=>t.if(y,()=>S(_)))}o(h,"validateItemsWithCount");function g(y,_){t.forRange("i",0,l,v=>{e.subschema({keyword:"contains",dataProp:v,dataPropType:Ps.Type.Num,compositeRule:!0},y),_()})}o(g,"validateItems");function S(y){t.code((0,bt._)`${y}++`),c===void 0?t.if((0,bt._)`${y} >= ${s}`,()=>t.assign(m,!0).break()):(t.if((0,bt._)`${y} > ${c}`,()=>t.assign(m,!1).break()),s===1?t.assign(m,!0):t.if((0,bt._)`${y} >= ${s}`,()=>t.assign(m,!0)))}o(S,"checkLimits")}};Dl.default=j0});var VS=x(Ft=>{"use strict";Object.defineProperty(Ft,"__esModule",{value:!0});Ft.validateSchemaDeps=Ft.validatePropertyDeps=Ft.error=void 0;var jl=W(),H0=ie(),ja=vt();Ft.error={message:o(({params:{property:e,depsCount:t,deps:r}})=>{let n=t===1?"property":"properties";return(0,jl.str)`must have ${n} ${r} when property ${e} is present`},"message"),params:o(({params:{property:e,depsCount:t,deps:r,missingProperty:n}})=>(0,jl._)`{property: ${e},
-    missingProperty: ${n},
-    depsCount: ${t},
-    deps: ${r}}`,"params")};var L0={keyword:"dependencies",type:"object",schemaType:"object",error:Ft.error,code(e){let[t,r]=B0(e);BS(e,t),GS(e,r)}};function B0({schema:e}){let t={},r={};for(let n in e){if(n==="__proto__")continue;let a=Array.isArray(e[n])?t:r;a[n]=e[n]}return[t,r]}o(B0,"splitDependencies");function BS(e,t=e.schema){let{gen:r,data:n,it:a}=e;if(Object.keys(t).length===0)return;let i=r.let("missing");for(let s in t){let c=t[s];if(c.length===0)continue;let d=(0,ja.propertyInData)(r,n,s,a.opts.ownProperties);e.setParams({property:s,depsCount:c.length,deps:c.join(", ")}),a.allErrors?r.if(d,()=>{for(let p of c)(0,ja.checkReportMissingProp)(e,p)}):(r.if((0,jl._)`${d} && (${(0,ja.checkMissingProp)(e,c,i)})`),(0,ja.reportMissingProp)(e,i),r.else())}}o(BS,"validatePropertyDeps");Ft.validatePropertyDeps=BS;function GS(e,t=e.schema){let{gen:r,data:n,keyword:a,it:i}=e,s=r.name("valid");for(let c in t)(0,H0.alwaysValidSchema)(i,t[c])||(r.if((0,ja.propertyInData)(r,n,c,i.opts.ownProperties),()=>{let d=e.subschema({keyword:a,schemaProp:c},s);e.mergeValidEvaluated(d,s)},()=>r.var(s,!0)),e.ok(s))}o(GS,"validateSchemaDeps");Ft.validateSchemaDeps=GS;Ft.default=L0});var ZS=x(Hl=>{"use strict";Object.defineProperty(Hl,"__esModule",{value:!0});var FS=W(),G0=ie(),V0={message:"property name must be valid",params:o(({params:e})=>(0,FS._)`{propertyName: ${e.propertyName}}`,"params")},F0={keyword:"propertyNames",type:"object",schemaType:["object","boolean"],error:V0,code(e){let{gen:t,schema:r,data:n,it:a}=e;if((0,G0.alwaysValidSchema)(a,r))return;let i=t.name("valid");t.forIn("key",n,s=>{e.setParams({propertyName:s}),e.subschema({keyword:"propertyNames",data:s,dataTypes:["string"],propertyName:s,compositeRule:!0},i),t.if((0,FS.not)(i),()=>{e.error(!0),a.allErrors||t.break()})}),e.ok(i)}};Hl.default=F0});var Bl=x(Ll=>{"use strict";Object.defineProperty(Ll,"__esModule",{value:!0});var xs=vt(),Et=W(),Z0=pr(),ks=ie(),K0={message:"must NOT have additional properties",params:o(({params:e})=>(0,Et._)`{additionalProperty: ${e.additionalProperty}}`,"params")},J0={keyword:"additionalProperties",type:["object"],schemaType:["boolean","object"],allowUndefined:!0,trackErrors:!0,error:K0,code(e){let{gen:t,schema:r,parentSchema:n,data:a,errsCount:i,it:s}=e;if(!i)throw new Error("ajv implementation error");let{allErrors:c,opts:d}=s;if(s.props=!0,d.removeAdditional!=="all"&&(0,ks.alwaysValidSchema)(s,r))return;let p=(0,xs.allSchemaProperties)(n.properties),l=(0,xs.allSchemaProperties)(n.patternProperties);m(),e.ok((0,Et._)`${i} === ${Z0.default.errors}`);function m(){t.forIn("key",a,_=>{!p.length&&!l.length?S(_):t.if(h(_),()=>S(_))})}o(m,"checkAdditionalProperties");function h(_){let v;if(p.length>8){let w=(0,ks.schemaRefOrVal)(s,n.properties,"properties");v=(0,xs.isOwnProperty)(t,w,_)}else p.length?v=(0,Et.or)(...p.map(w=>(0,Et._)`${_} === ${w}`)):v=Et.nil;return l.length&&(v=(0,Et.or)(v,...l.map(w=>(0,Et._)`${(0,xs.usePattern)(e,w)}.test(${_})`))),(0,Et.not)(v)}o(h,"isAdditional");function g(_){t.code((0,Et._)`delete ${a}[${_}]`)}o(g,"deleteAdditional");function S(_){if(d.removeAdditional==="all"||d.removeAdditional&&r===!1){g(_);return}if(r===!1){e.setParams({additionalProperty:_}),e.error(),c||t.break();return}if(typeof r=="object"&&!(0,ks.alwaysValidSchema)(s,r)){let v=t.name("valid");d.removeAdditional==="failing"?(y(_,v,!1),t.if((0,Et.not)(v),()=>{e.reset(),g(_)})):(y(_,v),c||t.if((0,Et.not)(v),()=>t.break()))}}o(S,"additionalPropertyCode");function y(_,v,w){let b={keyword:"additionalProperties",dataProp:_,dataPropType:ks.Type.Str};w===!1&&Object.assign(b,{compositeRule:!0,createErrors:!1,allErrors:!1}),e.subschema(b,v)}o(y,"applyAdditionalSchema")}};Ll.default=J0});var WS=x(Vl=>{"use strict";Object.defineProperty(Vl,"__esModule",{value:!0});var W0=Pa(),KS=vt(),Gl=ie(),JS=Bl(),Y0={keyword:"properties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,parentSchema:n,data:a,it:i}=e;i.opts.removeAdditional==="all"&&n.additionalProperties===void 0&&JS.default.code(new W0.KeywordCxt(i,JS.default,"additionalProperties"));let s=(0,KS.allSchemaProperties)(r);for(let m of s)i.definedProperties.add(m);i.opts.unevaluated&&s.length&&i.props!==!0&&(i.props=Gl.mergeEvaluated.props(t,(0,Gl.toHash)(s),i.props));let c=s.filter(m=>!(0,Gl.alwaysValidSchema)(i,r[m]));if(c.length===0)return;let d=t.name("valid");for(let m of c)p(m)?l(m):(t.if((0,KS.propertyInData)(t,a,m,i.opts.ownProperties)),l(m),i.allErrors||t.else().var(d,!0),t.endIf()),e.it.definedProperties.add(m),e.ok(d);function p(m){return i.opts.useDefaults&&!i.compositeRule&&r[m].default!==void 0}o(p,"hasDefault");function l(m){e.subschema({keyword:"properties",schemaProp:m,dataProp:m},d)}o(l,"applyPropertySchema")}};Vl.default=Y0});var e_=x(Fl=>{"use strict";Object.defineProperty(Fl,"__esModule",{value:!0});var YS=vt(),As=W(),XS=ie(),QS=ie(),X0={keyword:"patternProperties",type:"object",schemaType:"object",code(e){let{gen:t,schema:r,data:n,parentSchema:a,it:i}=e,{opts:s}=i,c=(0,YS.allSchemaProperties)(r),d=c.filter(y=>(0,XS.alwaysValidSchema)(i,r[y]));if(c.length===0||d.length===c.length&&(!i.opts.unevaluated||i.props===!0))return;let p=s.strictSchema&&!s.allowMatchingProperties&&a.properties,l=t.name("valid");i.props!==!0&&!(i.props instanceof As.Name)&&(i.props=(0,QS.evaluatedPropsToName)(t,i.props));let{props:m}=i;h();function h(){for(let y of c)p&&g(y),i.allErrors?S(y):(t.var(l,!0),S(y),t.if(l))}o(h,"validatePatternProperties");function g(y){for(let _ in p)new RegExp(y).test(_)&&(0,XS.checkStrictMode)(i,`property ${_} matches pattern ${y} (use allowMatchingProperties)`)}o(g,"checkMatchingProperties");function S(y){t.forIn("key",n,_=>{t.if((0,As._)`${(0,YS.usePattern)(e,y)}.test(${_})`,()=>{let v=d.includes(y);v||e.subschema({keyword:"patternProperties",schemaProp:y,dataProp:_,dataPropType:QS.Type.Str},l),i.opts.unevaluated&&m!==!0?t.assign((0,As._)`${m}[${_}]`,!0):!v&&!i.allErrors&&t.if((0,As.not)(l),()=>t.break())})})}o(S,"validateProperties")}};Fl.default=X0});var t_=x(Zl=>{"use strict";Object.defineProperty(Zl,"__esModule",{value:!0});var Q0=ie(),eU={keyword:"not",schemaType:["object","boolean"],trackErrors:!0,code(e){let{gen:t,schema:r,it:n}=e;if((0,Q0.alwaysValidSchema)(n,r)){e.fail();return}let a=t.name("valid");e.subschema({keyword:"not",compositeRule:!0,createErrors:!1,allErrors:!1},a),e.failResult(a,()=>e.reset(),()=>e.error())},error:{message:"must NOT be valid"}};Zl.default=eU});var r_=x(Kl=>{"use strict";Object.defineProperty(Kl,"__esModule",{value:!0});var tU=vt(),rU={keyword:"anyOf",schemaType:"array",trackErrors:!0,code:tU.validateUnion,error:{message:"must match a schema in anyOf"}};Kl.default=rU});var n_=x(Jl=>{"use strict";Object.defineProperty(Jl,"__esModule",{value:!0});var Ts=W(),nU=ie(),oU={message:"must match exactly one schema in oneOf",params:o(({params:e})=>(0,Ts._)`{passingSchemas: ${e.passing}}`,"params")},aU={keyword:"oneOf",schemaType:"array",trackErrors:!0,error:oU,code(e){let{gen:t,schema:r,parentSchema:n,it:a}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");if(a.opts.discriminator&&n.discriminator)return;let i=r,s=t.let("valid",!1),c=t.let("passing",null),d=t.name("_valid");e.setParams({passing:c}),t.block(p),e.result(s,()=>e.reset(),()=>e.error(!0));function p(){i.forEach((l,m)=>{let h;(0,nU.alwaysValidSchema)(a,l)?t.var(d,!0):h=e.subschema({keyword:"oneOf",schemaProp:m,compositeRule:!0},d),m>0&&t.if((0,Ts._)`${d} && ${s}`).assign(s,!1).assign(c,(0,Ts._)`[${c}, ${m}]`).else(),t.if(d,()=>{t.assign(s,!0),t.assign(c,m),h&&e.mergeEvaluated(h,Ts.Name)})})}o(p,"validateOneOf")}};Jl.default=aU});var o_=x(Wl=>{"use strict";Object.defineProperty(Wl,"__esModule",{value:!0});var iU=ie(),sU={keyword:"allOf",schemaType:"array",code(e){let{gen:t,schema:r,it:n}=e;if(!Array.isArray(r))throw new Error("ajv implementation error");let a=t.name("valid");r.forEach((i,s)=>{if((0,iU.alwaysValidSchema)(n,i))return;let c=e.subschema({keyword:"allOf",schemaProp:s},a);e.ok(a),e.mergeEvaluated(c)})}};Wl.default=sU});var s_=x(Yl=>{"use strict";Object.defineProperty(Yl,"__esModule",{value:!0});var Es=W(),i_=ie(),cU={message:o(({params:e})=>(0,Es.str)`must match "${e.ifClause}" schema`,"message"),params:o(({params:e})=>(0,Es._)`{failingKeyword: ${e.ifClause}}`,"params")},uU={keyword:"if",schemaType:["object","boolean"],trackErrors:!0,error:cU,code(e){let{gen:t,parentSchema:r,it:n}=e;r.then===void 0&&r.else===void 0&&(0,i_.checkStrictMode)(n,'"if" without "then" and "else" is ignored');let a=a_(n,"then"),i=a_(n,"else");if(!a&&!i)return;let s=t.let("valid",!0),c=t.name("_valid");if(d(),e.reset(),a&&i){let l=t.let("ifClause");e.setParams({ifClause:l}),t.if(c,p("then",l),p("else",l))}else a?t.if(c,p("then")):t.if((0,Es.not)(c),p("else"));e.pass(s,()=>e.error(!0));function d(){let l=e.subschema({keyword:"if",compositeRule:!0,createErrors:!1,allErrors:!1},c);e.mergeEvaluated(l)}o(d,"validateIf");function p(l,m){return()=>{let h=e.subschema({keyword:l},c);t.assign(s,c),e.mergeValidEvaluated(h,s),m?t.assign(m,(0,Es._)`${l}`):e.setParams({ifClause:l})}}o(p,"validateClause")}};function a_(e,t){let r=e.schema[t];return r!==void 0&&!(0,i_.alwaysValidSchema)(e,r)}o(a_,"hasSchema");Yl.default=uU});var c_=x(Xl=>{"use strict";Object.defineProperty(Xl,"__esModule",{value:!0});var dU=ie(),lU={keyword:["then","else"],schemaType:["object","boolean"],code({keyword:e,parentSchema:t,it:r}){t.if===void 0&&(0,dU.checkStrictMode)(r,`"${e}" without "if" is ignored`)}};Xl.default=lU});var u_=x(Ql=>{"use strict";Object.defineProperty(Ql,"__esModule",{value:!0});var pU=zl(),mU=DS(),fU=$l(),hU=HS(),gU=LS(),yU=VS(),SU=ZS(),_U=Bl(),vU=WS(),wU=e_(),bU=t_(),RU=r_(),CU=n_(),IU=o_(),PU=s_(),xU=c_();function kU(e=!1){let t=[bU.default,RU.default,CU.default,IU.default,PU.default,xU.default,SU.default,_U.default,yU.default,vU.default,wU.default];return e?t.push(mU.default,hU.default):t.push(pU.default,fU.default),t.push(gU.default),t}o(kU,"getApplicator");Ql.default=kU});var d_=x(ep=>{"use strict";Object.defineProperty(ep,"__esModule",{value:!0});var Ie=W(),AU={message:o(({schemaCode:e})=>(0,Ie.str)`must match format "${e}"`,"message"),params:o(({schemaCode:e})=>(0,Ie._)`{format: ${e}}`,"params")},TU={keyword:"format",type:["number","string"],schemaType:"string",$data:!0,error:AU,code(e,t){let{gen:r,data:n,$data:a,schema:i,schemaCode:s,it:c}=e,{opts:d,errSchemaPath:p,schemaEnv:l,self:m}=c;if(!d.validateFormats)return;a?h():g();function h(){let S=r.scopeValue("formats",{ref:m.formats,code:d.code.formats}),y=r.const("fDef",(0,Ie._)`${S}[${s}]`),_=r.let("fType"),v=r.let("format");r.if((0,Ie._)`typeof ${y} == "object" && !(${y} instanceof RegExp)`,()=>r.assign(_,(0,Ie._)`${y}.type || "string"`).assign(v,(0,Ie._)`${y}.validate`),()=>r.assign(_,(0,Ie._)`"string"`).assign(v,y)),e.fail$data((0,Ie.or)(w(),b()));function w(){return d.strictSchema===!1?Ie.nil:(0,Ie._)`${s} && !${v}`}o(w,"unknownFmt");function b(){let N=l.$async?(0,Ie._)`(${y}.async ? await ${v}(${n}) : ${v}(${n}))`:(0,Ie._)`${v}(${n})`,j=(0,Ie._)`(typeof ${v} == "function" ? ${N} : ${v}.test(${n}))`;return(0,Ie._)`${v} && ${v} !== true && ${_} === ${t} && !${j}`}o(b,"invalidFmt")}o(h,"validate$DataFormat");function g(){let S=m.formats[i];if(!S){w();return}if(S===!0)return;let[y,_,v]=b(S);y===t&&e.pass(N());function w(){if(d.strictSchema===!1){m.logger.warn(j());return}throw new Error(j());function j(){return`unknown format "${i}" ignored in schema at path "${p}"`}}o(w,"unknownFormat");function b(j){let Be=j instanceof RegExp?(0,Ie.regexpCode)(j):d.code.formats?(0,Ie._)`${d.code.formats}${(0,Ie.getProperty)(i)}`:void 0,ht=r.scopeValue("formats",{key:i,ref:j,code:Be});return typeof j=="object"&&!(j instanceof RegExp)?[j.type||"string",j.validate,(0,Ie._)`${ht}.validate`]:["string",j,ht]}o(b,"getFormat");function N(){if(typeof S=="object"&&!(S instanceof RegExp)&&S.async){if(!l.$async)throw new Error("async format in sync schema");return(0,Ie._)`await ${v}(${n})`}return typeof _=="function"?(0,Ie._)`${v}(${n})`:(0,Ie._)`${v}.test(${n})`}o(N,"validCondition")}o(g,"validateFormat")}};ep.default=TU});var l_=x(tp=>{"use strict";Object.defineProperty(tp,"__esModule",{value:!0});var EU=d_(),UU=[EU.default];tp.default=UU});var p_=x(po=>{"use strict";Object.defineProperty(po,"__esModule",{value:!0});po.contentVocabulary=po.metadataVocabulary=void 0;po.metadataVocabulary=["title","description","default","deprecated","readOnly","writeOnly","examples"];po.contentVocabulary=["contentMediaType","contentEncoding","contentSchema"]});var f_=x(rp=>{"use strict";Object.defineProperty(rp,"__esModule",{value:!0});var OU=wS(),MU=zS(),zU=u_(),$U=l_(),m_=p_(),qU=[OU.default,MU.default,(0,zU.default)(),$U.default,m_.metadataVocabulary,m_.contentVocabulary];rp.default=qU});var g_=x(Us=>{"use strict";Object.defineProperty(Us,"__esModule",{value:!0});Us.DiscrError=void 0;var h_;(function(e){e.Tag="tag",e.Mapping="mapping"})(h_||(Us.DiscrError=h_={}))});var S_=x(op=>{"use strict";Object.defineProperty(op,"__esModule",{value:!0});var mo=W(),np=g_(),y_=ms(),NU=xa(),DU=ie(),jU={message:o(({params:{discrError:e,tagName:t}})=>e===np.DiscrError.Tag?`tag "${t}" must be string`:`value of tag "${t}" must be in oneOf`,"message"),params:o(({params:{discrError:e,tag:t,tagName:r}})=>(0,mo._)`{error: ${e}, tag: ${r}, tagValue: ${t}}`,"params")},HU={keyword:"discriminator",type:"object",schemaType:"object",error:jU,code(e){let{gen:t,data:r,schema:n,parentSchema:a,it:i}=e,{oneOf:s}=a;if(!i.opts.discriminator)throw new Error("discriminator: requires discriminator option");let c=n.propertyName;if(typeof c!="string")throw new Error("discriminator: requires propertyName");if(n.mapping)throw new Error("discriminator: mapping is not supported");if(!s)throw new Error("discriminator: requires oneOf keyword");let d=t.let("valid",!1),p=t.const("tag",(0,mo._)`${r}${(0,mo.getProperty)(c)}`);t.if((0,mo._)`typeof ${p} == "string"`,()=>l(),()=>e.error(!1,{discrError:np.DiscrError.Tag,tag:p,tagName:c})),e.ok(d);function l(){let g=h();t.if(!1);for(let S in g)t.elseIf((0,mo._)`${p} === ${S}`),t.assign(d,m(g[S]));t.else(),e.error(!1,{discrError:np.DiscrError.Mapping,tag:p,tagName:c}),t.endIf()}o(l,"validateMapping");function m(g){let S=t.name("valid"),y=e.subschema({keyword:"oneOf",schemaProp:g},S);return e.mergeEvaluated(y,mo.Name),S}o(m,"applyTagSchema");function h(){var g;let S={},y=v(a),_=!0;for(let N=0;N<s.length;N++){let j=s[N];if(j?.$ref&&!(0,DU.schemaHasRulesButRef)(j,i.self.RULES)){let ht=j.$ref;if(j=y_.resolveRef.call(i.self,i.schemaEnv.root,i.baseId,ht),j instanceof y_.SchemaEnv&&(j=j.schema),j===void 0)throw new NU.default(i.opts.uriResolver,i.baseId,ht)}let Be=(g=j?.properties)===null||g===void 0?void 0:g[c];if(typeof Be!="object")throw new Error(`discriminator: oneOf subschemas (or referenced schemas) must have "properties/${c}"`);_=_&&(y||v(j)),w(Be,N)}if(!_)throw new Error(`discriminator: "${c}" must be required`);return S;function v({required:N}){return Array.isArray(N)&&N.includes(c)}function w(N,j){if(N.const)b(N.const,j);else if(N.enum)for(let Be of N.enum)b(Be,j);else throw new Error(`discriminator: "properties/${c}" must have "const" or "enum"`)}function b(N,j){if(typeof N!="string"||N in S)throw new Error(`discriminator: "${c}" values must be unique strings`);S[N]=j}}o(h,"getMapping")}};op.default=HU});var __=x((tK,LU)=>{LU.exports={$schema:"http://json-schema.org/draft-07/schema#",$id:"http://json-schema.org/draft-07/schema#",title:"Core schema meta-schema",definitions:{schemaArray:{type:"array",minItems:1,items:{$ref:"#"}},nonNegativeInteger:{type:"integer",minimum:0},nonNegativeIntegerDefault0:{allOf:[{$ref:"#/definitions/nonNegativeInteger"},{default:0}]},simpleTypes:{enum:["array","boolean","integer","null","number","object","string"]},stringArray:{type:"array",items:{type:"string"},uniqueItems:!0,default:[]}},type:["object","boolean"],properties:{$id:{type:"string",format:"uri-reference"},$schema:{type:"string",format:"uri"},$ref:{type:"string",format:"uri-reference"},$comment:{type:"string"},title:{type:"string"},description:{type:"string"},default:!0,readOnly:{type:"boolean",default:!1},examples:{type:"array",items:!0},multipleOf:{type:"number",exclusiveMinimum:0},maximum:{type:"number"},exclusiveMaximum:{type:"number"},minimum:{type:"number"},exclusiveMinimum:{type:"number"},maxLength:{$ref:"#/definitions/nonNegativeInteger"},minLength:{$ref:"#/definitions/nonNegativeIntegerDefault0"},pattern:{type:"string",format:"regex"},additionalItems:{$ref:"#"},items:{anyOf:[{$ref:"#"},{$ref:"#/definitions/schemaArray"}],default:!0},maxItems:{$ref:"#/definitions/nonNegativeInteger"},minItems:{$ref:"#/definitions/nonNegativeIntegerDefault0"},uniqueItems:{type:"boolean",default:!1},contains:{$ref:"#"},maxProperties:{$ref:"#/definitions/nonNegativeInteger"},minProperties:{$ref:"#/definitions/nonNegativeIntegerDefault0"},required:{$ref:"#/definitions/stringArray"},additionalProperties:{$ref:"#"},definitions:{type:"object",additionalProperties:{$ref:"#"},default:{}},properties:{type:"object",additionalProperties:{$ref:"#"},default:{}},patternProperties:{type:"object",additionalProperties:{$ref:"#"},propertyNames:{format:"regex"},default:{}},dependencies:{type:"object",additionalProperties:{anyOf:[{$ref:"#"},{$ref:"#/definitions/stringArray"}]}},propertyNames:{$ref:"#"},const:!0,enum:{type:"array",items:!0,minItems:1,uniqueItems:!0},type:{anyOf:[{$ref:"#/definitions/simpleTypes"},{type:"array",items:{$ref:"#/definitions/simpleTypes"},minItems:1,uniqueItems:!0}]},format:{type:"string"},contentMediaType:{type:"string"},contentEncoding:{type:"string"},if:{$ref:"#"},then:{$ref:"#"},else:{$ref:"#"},allOf:{$ref:"#/definitions/schemaArray"},anyOf:{$ref:"#/definitions/schemaArray"},oneOf:{$ref:"#/definitions/schemaArray"},not:{$ref:"#"}},default:!0}});var ip=x((ge,ap)=>{"use strict";Object.defineProperty(ge,"__esModule",{value:!0});ge.MissingRefError=ge.ValidationError=ge.CodeGen=ge.Name=ge.nil=ge.stringify=ge.str=ge._=ge.KeywordCxt=ge.Ajv=void 0;var BU=hS(),GU=f_(),VU=S_(),v_=__(),FU=["/properties"],Os="http://json-schema.org/draft-07/schema",fo=class extends BU.default{static{o(this,"Ajv")}_addVocabularies(){super._addVocabularies(),GU.default.forEach(t=>this.addVocabulary(t)),this.opts.discriminator&&this.addKeyword(VU.default)}_addDefaultMetaSchema(){if(super._addDefaultMetaSchema(),!this.opts.meta)return;let t=this.opts.$data?this.$dataMetaSchema(v_,FU):v_;this.addMetaSchema(t,Os,!1),this.refs["http://json-schema.org/schema"]=Os}defaultMeta(){return this.opts.defaultMeta=super.defaultMeta()||(this.getSchema(Os)?Os:void 0)}};ge.Ajv=fo;ap.exports=ge=fo;ap.exports.Ajv=fo;Object.defineProperty(ge,"__esModule",{value:!0});ge.default=fo;var ZU=Pa();Object.defineProperty(ge,"KeywordCxt",{enumerable:!0,get:o(function(){return ZU.KeywordCxt},"get")});var ho=W();Object.defineProperty(ge,"_",{enumerable:!0,get:o(function(){return ho._},"get")});Object.defineProperty(ge,"str",{enumerable:!0,get:o(function(){return ho.str},"get")});Object.defineProperty(ge,"stringify",{enumerable:!0,get:o(function(){return ho.stringify},"get")});Object.defineProperty(ge,"nil",{enumerable:!0,get:o(function(){return ho.nil},"get")});Object.defineProperty(ge,"Name",{enumerable:!0,get:o(function(){return ho.Name},"get")});Object.defineProperty(ge,"CodeGen",{enumerable:!0,get:o(function(){return ho.CodeGen},"get")});var KU=ls();Object.defineProperty(ge,"ValidationError",{enumerable:!0,get:o(function(){return KU.default},"get")});var JU=xa();Object.defineProperty(ge,"MissingRefError",{enumerable:!0,get:o(function(){return JU.default},"get")})});var k_=x(Kt=>{"use strict";Object.defineProperty(Kt,"__esModule",{value:!0});Kt.formatNames=Kt.fastFormats=Kt.fullFormats=void 0;function Zt(e,t){return{validate:e,compare:t}}o(Zt,"fmtDef");Kt.fullFormats={date:Zt(C_,dp),time:Zt(cp(!0),lp),"date-time":Zt(w_(!0),P_),"iso-time":Zt(cp(),I_),"iso-date-time":Zt(w_(),x_),duration:/^P(?!$)((\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?|(\d+W)?)$/,uri:tO,"uri-reference":/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,"uri-template":/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,url:/^(?:https?|ftp):\/\/(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,email:/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i,hostname:/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,ipv4:/^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/,ipv6:/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,regex:cO,uuid:/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,"json-pointer":/^(?:\/(?:[^~/]|~0|~1)*)*$/,"json-pointer-uri-fragment":/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,"relative-json-pointer":/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,byte:rO,int32:{type:"number",validate:aO},int64:{type:"number",validate:iO},float:{type:"number",validate:R_},double:{type:"number",validate:R_},password:!0,binary:!0};Kt.fastFormats={...Kt.fullFormats,date:Zt(/^\d\d\d\d-[0-1]\d-[0-3]\d$/,dp),time:Zt(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,lp),"date-time":Zt(/^\d\d\d\d-[0-1]\d-[0-3]\dt(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)$/i,P_),"iso-time":Zt(/^(?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,I_),"iso-date-time":Zt(/^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d(?::?\d\d)?)?$/i,x_),uri:/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/)?[^\s]*$/i,"uri-reference":/^(?:(?:[a-z][a-z0-9+\-.]*:)?\/?\/)?(?:[^\\\s#][^\s#]*)?(?:#[^\\\s]*)?$/i,email:/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i};Kt.formatNames=Object.keys(Kt.fullFormats);function WU(e){return e%4===0&&(e%100!==0||e%400===0)}o(WU,"isLeapYear");var YU=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,XU=[0,31,28,31,30,31,30,31,31,30,31,30,31];function C_(e){let t=YU.exec(e);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n===2&&WU(r)?29:XU[n])}o(C_,"date");function dp(e,t){if(e&&t)return e>t?1:e<t?-1:0}o(dp,"compareDate");var sp=/^(\d\d):(\d\d):(\d\d(?:\.\d+)?)(z|([+-])(\d\d)(?::?(\d\d))?)?$/i;function cp(e){return o(function(r){let n=sp.exec(r);if(!n)return!1;let a=+n[1],i=+n[2],s=+n[3],c=n[4],d=n[5]==="-"?-1:1,p=+(n[6]||0),l=+(n[7]||0);if(p>23||l>59||e&&!c)return!1;if(a<=23&&i<=59&&s<60)return!0;let m=i-l*d,h=a-p*d-(m<0?1:0);return(h===23||h===-1)&&(m===59||m===-1)&&s<61},"time")}o(cp,"getTime");function lp(e,t){if(!(e&&t))return;let r=new Date("2020-01-01T"+e).valueOf(),n=new Date("2020-01-01T"+t).valueOf();if(r&&n)return r-n}o(lp,"compareTime");function I_(e,t){if(!(e&&t))return;let r=sp.exec(e),n=sp.exec(t);if(r&&n)return e=r[1]+r[2]+r[3],t=n[1]+n[2]+n[3],e>t?1:e<t?-1:0}o(I_,"compareIsoTime");var up=/t|\s/i;function w_(e){let t=cp(e);return o(function(n){let a=n.split(up);return a.length===2&&C_(a[0])&&t(a[1])},"date_time")}o(w_,"getDateTime");function P_(e,t){if(!(e&&t))return;let r=new Date(e).valueOf(),n=new Date(t).valueOf();if(r&&n)return r-n}o(P_,"compareDateTime");function x_(e,t){if(!(e&&t))return;let[r,n]=e.split(up),[a,i]=t.split(up),s=dp(r,a);if(s!==void 0)return s||lp(n,i)}o(x_,"compareIsoDateTime");var QU=/\/|:/,eO=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function tO(e){return QU.test(e)&&eO.test(e)}o(tO,"uri");var b_=/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/gm;function rO(e){return b_.lastIndex=0,b_.test(e)}o(rO,"byte");var nO=-(2**31),oO=2**31-1;function aO(e){return Number.isInteger(e)&&e<=oO&&e>=nO}o(aO,"validateInt32");function iO(e){return Number.isInteger(e)}o(iO,"validateInt64");function R_(){return!0}o(R_,"validateNumber");var sO=/[^\\]\\Z/;function cO(e){if(sO.test(e))return!1;try{return new RegExp(e),!0}catch{return!1}}o(cO,"regex")});var A_=x(go=>{"use strict";Object.defineProperty(go,"__esModule",{value:!0});go.formatLimitDefinition=void 0;var uO=ip(),Ut=W(),Vr=Ut.operators,Ms={formatMaximum:{okStr:"<=",ok:Vr.LTE,fail:Vr.GT},formatMinimum:{okStr:">=",ok:Vr.GTE,fail:Vr.LT},formatExclusiveMaximum:{okStr:"<",ok:Vr.LT,fail:Vr.GTE},formatExclusiveMinimum:{okStr:">",ok:Vr.GT,fail:Vr.LTE}},dO={message:o(({keyword:e,schemaCode:t})=>(0,Ut.str)`should be ${Ms[e].okStr} ${t}`,"message"),params:o(({keyword:e,schemaCode:t})=>(0,Ut._)`{comparison: ${Ms[e].okStr}, limit: ${t}}`,"params")};go.formatLimitDefinition={keyword:Object.keys(Ms),type:"string",schemaType:"string",$data:!0,error:dO,code(e){let{gen:t,data:r,schemaCode:n,keyword:a,it:i}=e,{opts:s,self:c}=i;if(!s.validateFormats)return;let d=new uO.KeywordCxt(i,c.RULES.all.format.definition,"format");d.$data?p():l();function p(){let h=t.scopeValue("formats",{ref:c.formats,code:s.code.formats}),g=t.const("fmt",(0,Ut._)`${h}[${d.schemaCode}]`);e.fail$data((0,Ut.or)((0,Ut._)`typeof ${g} != "object"`,(0,Ut._)`${g} instanceof RegExp`,(0,Ut._)`typeof ${g}.compare != "function"`,m(g)))}o(p,"validate$DataFormat");function l(){let h=d.schema,g=c.formats[h];if(!g||g===!0)return;if(typeof g!="object"||g instanceof RegExp||typeof g.compare!="function")throw new Error(`"${a}": format "${h}" does not define "compare" function`);let S=t.scopeValue("formats",{key:h,ref:g,code:s.code.formats?(0,Ut._)`${s.code.formats}${(0,Ut.getProperty)(h)}`:void 0});e.fail$data(m(S))}o(l,"validateFormat");function m(h){return(0,Ut._)`${h}.compare(${r}, ${n}) ${Ms[a].fail} 0`}o(m,"compareCode")},dependencies:["format"]};var lO=o(e=>(e.addKeyword(go.formatLimitDefinition),e),"formatLimitPlugin");go.default=lO});var O_=x((Ha,U_)=>{"use strict";Object.defineProperty(Ha,"__esModule",{value:!0});var yo=k_(),pO=A_(),pp=W(),T_=new pp.Name("fullFormats"),mO=new pp.Name("fastFormats"),mp=o((e,t={keywords:!0})=>{if(Array.isArray(t))return E_(e,t,yo.fullFormats,T_),e;let[r,n]=t.mode==="fast"?[yo.fastFormats,mO]:[yo.fullFormats,T_],a=t.formats||yo.formatNames;return E_(e,a,r,n),t.keywords&&(0,pO.default)(e),e},"formatsPlugin");mp.get=(e,t="full")=>{let n=(t==="fast"?yo.fastFormats:yo.fullFormats)[e];if(!n)throw new Error(`Unknown format "${e}"`);return n};function E_(e,t,r,n){var a,i;(a=(i=e.opts.code).formats)!==null&&a!==void 0||(i.formats=(0,pp._)`require("ajv-formats/dist/formats").${n}`);for(let s of t)e.addFormat(s,r[s])}o(E_,"addFormats");U_.exports=Ha=mp;Object.defineProperty(Ha,"__esModule",{value:!0});Ha.default=mp});de();var br="2025-11-25",vm="2025-03-26",Rr=[br,"2025-06-18","2025-03-26","2024-11-05","2024-10-07"],Cr="io.modelcontextprotocol/related-task",ai="2.0",xe=gm(e=>e!==null&&(typeof e=="object"||typeof e=="function")),wm=ye([f(),ne().int()]),bm=f(),nN=Pe({ttl:ne().optional(),pollInterval:ne().optional()}),ob=C({ttl:ne().optional()}),ab=C({taskId:f()}),Ic=Pe({progressToken:wm.optional(),[Cr]:ab.optional()}),ut=C({_meta:Ic.optional()}),Uo=ut.extend({task:ob.optional()}),Rm=o(e=>Uo.safeParse(e).success,"isTaskAugmentedRequestParams"),$e=C({method:f(),params:ut.loose().optional()}),gt=C({_meta:Ic.optional()}),yt=C({method:f(),params:gt.loose().optional()}),qe=Pe({_meta:Ic.optional()}),ii=ye([f(),ne().int()]),Cm=C({jsonrpc:O(ai),id:ii,...$e.shape}).strict(),qt=o(e=>Cm.safeParse(e).success,"isJSONRPCRequest"),Im=C({jsonrpc:O(ai),...yt.shape}).strict(),Pm=o(e=>Im.safeParse(e).success,"isJSONRPCNotification"),Pc=C({jsonrpc:O(ai),id:ii,result:qe}).strict(),It=o(e=>Pc.safeParse(e).success,"isJSONRPCResultResponse");var k;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(k||(k={}));var xc=C({jsonrpc:O(ai),id:ii.optional(),error:C({code:ne().int(),message:f(),data:Re().optional()})}).strict();var Mn=o(e=>xc.safeParse(e).success,"isJSONRPCErrorResponse");var en=ye([Cm,Im,Pc,xc]),oN=ye([Pc,xc]),tr=qe.strict(),ib=gt.extend({requestId:ii.optional(),reason:f().optional()}),si=yt.extend({method:O("notifications/cancelled"),params:ib}),sb=C({src:f(),mimeType:f().optional(),sizes:R(f()).optional(),theme:ct(["light","dark"]).optional()}),Oo=C({icons:R(sb).optional()}),On=C({name:f(),title:f().optional()}),zn=On.extend({...On.shape,...Oo.shape,version:f(),websiteUrl:f().optional(),description:f().optional()}),cb=Rc(C({applyDefaults:ue().optional()}),me(f(),Re())),ub=Cc(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,Rc(C({form:cb.optional(),url:xe.optional()}),me(f(),Re()).optional())),db=Pe({list:xe.optional(),cancel:xe.optional(),requests:Pe({sampling:Pe({createMessage:xe.optional()}).optional(),elicitation:Pe({create:xe.optional()}).optional()}).optional()}),lb=Pe({list:xe.optional(),cancel:xe.optional(),requests:Pe({tools:Pe({call:xe.optional()}).optional()}).optional()}),pb=C({experimental:me(f(),xe).optional(),sampling:C({context:xe.optional(),tools:xe.optional()}).optional(),elicitation:ub.optional(),roots:C({listChanged:ue().optional()}).optional(),tasks:db.optional(),extensions:me(f(),xe).optional()}),mb=ut.extend({protocolVersion:f(),capabilities:pb,clientInfo:zn}),ci=$e.extend({method:O("initialize"),params:mb}),kc=o(e=>ci.safeParse(e).success,"isInitializeRequest"),fb=C({experimental:me(f(),xe).optional(),logging:xe.optional(),completions:xe.optional(),prompts:C({listChanged:ue().optional()}).optional(),resources:C({subscribe:ue().optional(),listChanged:ue().optional()}).optional(),tools:C({listChanged:ue().optional()}).optional(),tasks:lb.optional(),extensions:me(f(),xe).optional()}),Ac=qe.extend({protocolVersion:f(),capabilities:fb,serverInfo:zn,instructions:f().optional()}),ui=yt.extend({method:O("notifications/initialized"),params:gt.optional()}),xm=o(e=>ui.safeParse(e).success,"isInitializedNotification"),di=$e.extend({method:O("ping"),params:ut.optional()}),hb=C({progress:ne(),total:be(ne()),message:be(f())}),gb=C({...gt.shape,...hb.shape,progressToken:wm}),li=yt.extend({method:O("notifications/progress"),params:gb}),yb=ut.extend({cursor:bm.optional()}),Mo=$e.extend({params:yb.optional()}),zo=qe.extend({nextCursor:bm.optional()}),Sb=ct(["working","input_required","completed","failed","cancelled"]),$o=C({taskId:f(),status:Sb,ttl:ye([ne(),fm()]),createdAt:f(),lastUpdatedAt:f(),pollInterval:be(ne()),statusMessage:be(f())}),rr=qe.extend({task:$o}),_b=gt.merge($o),qo=yt.extend({method:O("notifications/tasks/status"),params:_b}),pi=$e.extend({method:O("tasks/get"),params:ut.extend({taskId:f()})}),mi=qe.merge($o),fi=$e.extend({method:O("tasks/result"),params:ut.extend({taskId:f()})}),aN=qe.loose(),hi=Mo.extend({method:O("tasks/list")}),gi=zo.extend({tasks:R($o)}),yi=$e.extend({method:O("tasks/cancel"),params:ut.extend({taskId:f()})}),km=qe.merge($o),Am=C({uri:f(),mimeType:be(f()),_meta:me(f(),Re()).optional()}),Tm=Am.extend({text:f()}),Tc=f().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),Em=Am.extend({blob:Tc}),No=ct(["user","assistant"]),$n=C({audience:R(No).optional(),priority:ne().min(0).max(1).optional(),lastModified:pm.datetime({offset:!0}).optional()}),Um=C({...On.shape,...Oo.shape,uri:f(),description:be(f()),mimeType:be(f()),size:be(ne()),annotations:$n.optional(),_meta:be(Pe({}))}),vb=C({...On.shape,...Oo.shape,uriTemplate:f(),description:be(f()),mimeType:be(f()),annotations:$n.optional(),_meta:be(Pe({}))}),Ec=Mo.extend({method:O("resources/list")}),Uc=zo.extend({resources:R(Um)}),Oc=Mo.extend({method:O("resources/templates/list")}),Mc=zo.extend({resourceTemplates:R(vb)}),zc=ut.extend({uri:f()}),wb=zc,$c=$e.extend({method:O("resources/read"),params:wb}),qc=qe.extend({contents:R(ye([Tm,Em]))}),Nc=yt.extend({method:O("notifications/resources/list_changed"),params:gt.optional()}),bb=zc,Rb=$e.extend({method:O("resources/subscribe"),params:bb}),Cb=zc,Ib=$e.extend({method:O("resources/unsubscribe"),params:Cb}),Pb=gt.extend({uri:f()}),xb=yt.extend({method:O("notifications/resources/updated"),params:Pb}),kb=C({name:f(),description:be(f()),required:be(ue())}),Ab=C({...On.shape,...Oo.shape,description:be(f()),arguments:be(R(kb)),_meta:be(Pe({}))}),Dc=Mo.extend({method:O("prompts/list")}),jc=zo.extend({prompts:R(Ab)}),Tb=ut.extend({name:f(),arguments:me(f(),f()).optional()}),Hc=$e.extend({method:O("prompts/get"),params:Tb}),Lc=C({type:O("text"),text:f(),annotations:$n.optional(),_meta:me(f(),Re()).optional()}),Bc=C({type:O("image"),data:Tc,mimeType:f(),annotations:$n.optional(),_meta:me(f(),Re()).optional()}),Gc=C({type:O("audio"),data:Tc,mimeType:f(),annotations:$n.optional(),_meta:me(f(),Re()).optional()}),Eb=C({type:O("tool_use"),name:f(),id:f(),input:me(f(),Re()),_meta:me(f(),Re()).optional()}),Ub=C({type:O("resource"),resource:ye([Tm,Em]),annotations:$n.optional(),_meta:me(f(),Re()).optional()}),Ob=Um.extend({type:O("resource_link")}),Vc=ye([Lc,Bc,Gc,Ob,Ub]),Mb=C({role:No,content:Vc}),Fc=qe.extend({description:f().optional(),messages:R(Mb)}),Zc=yt.extend({method:O("notifications/prompts/list_changed"),params:gt.optional()}),zb=C({title:f().optional(),readOnlyHint:ue().optional(),destructiveHint:ue().optional(),idempotentHint:ue().optional(),openWorldHint:ue().optional()}),$b=C({taskSupport:ct(["required","optional","forbidden"]).optional()}),Om=C({...On.shape,...Oo.shape,description:f().optional(),inputSchema:C({type:O("object"),properties:me(f(),xe).optional(),required:R(f()).optional()}).catchall(Re()),outputSchema:C({type:O("object"),properties:me(f(),xe).optional(),required:R(f()).optional()}).catchall(Re()).optional(),annotations:zb.optional(),execution:$b.optional(),_meta:me(f(),Re()).optional()}),Kc=Mo.extend({method:O("tools/list")}),Jc=zo.extend({tools:R(Om)}),Ir=qe.extend({content:R(Vc).default([]),structuredContent:me(f(),Re()).optional(),isError:ue().optional()}),iN=Ir.or(qe.extend({toolResult:Re()})),qb=Uo.extend({name:f(),arguments:me(f(),Re()).optional()}),Do=$e.extend({method:O("tools/call"),params:qb}),Wc=yt.extend({method:O("notifications/tools/list_changed"),params:gt.optional()}),Mm=C({autoRefresh:ue().default(!0),debounceMs:ne().int().nonnegative().default(300)}),jo=ct(["debug","info","notice","warning","error","critical","alert","emergency"]),Nb=ut.extend({level:jo}),Yc=$e.extend({method:O("logging/setLevel"),params:Nb}),Db=gt.extend({level:jo,logger:f().optional(),data:Re()}),jb=yt.extend({method:O("notifications/message"),params:Db}),Hb=C({name:f().optional()}),Lb=C({hints:R(Hb).optional(),costPriority:ne().min(0).max(1).optional(),speedPriority:ne().min(0).max(1).optional(),intelligencePriority:ne().min(0).max(1).optional()}),Bb=C({mode:ct(["auto","required","none"]).optional()}),Gb=C({type:O("tool_result"),toolUseId:f().describe("The unique identifier for the corresponding tool call."),content:R(Vc).default([]),structuredContent:C({}).loose().optional(),isError:ue().optional(),_meta:me(f(),Re()).optional()}),Vb=bc("type",[Lc,Bc,Gc]),oi=bc("type",[Lc,Bc,Gc,Eb,Gb]),Fb=C({role:No,content:ye([oi,R(oi)]),_meta:me(f(),Re()).optional()}),Zb=Uo.extend({messages:R(Fb),modelPreferences:Lb.optional(),systemPrompt:f().optional(),includeContext:ct(["none","thisServer","allServers"]).optional(),temperature:ne().optional(),maxTokens:ne().int(),stopSequences:R(f()).optional(),metadata:xe.optional(),tools:R(Om).optional(),toolChoice:Bb.optional()}),Xc=$e.extend({method:O("sampling/createMessage"),params:Zb}),tn=qe.extend({model:f(),stopReason:be(ct(["endTurn","stopSequence","maxTokens"]).or(f())),role:No,content:Vb}),Ho=qe.extend({model:f(),stopReason:be(ct(["endTurn","stopSequence","maxTokens","toolUse"]).or(f())),role:No,content:ye([oi,R(oi)])}),Kb=C({type:O("boolean"),title:f().optional(),description:f().optional(),default:ue().optional()}),Jb=C({type:O("string"),title:f().optional(),description:f().optional(),minLength:ne().optional(),maxLength:ne().optional(),format:ct(["email","uri","date","date-time"]).optional(),default:f().optional()}),Wb=C({type:ct(["number","integer"]),title:f().optional(),description:f().optional(),minimum:ne().optional(),maximum:ne().optional(),default:ne().optional()}),Yb=C({type:O("string"),title:f().optional(),description:f().optional(),enum:R(f()),default:f().optional()}),Xb=C({type:O("string"),title:f().optional(),description:f().optional(),oneOf:R(C({const:f(),title:f()})),default:f().optional()}),Qb=C({type:O("string"),title:f().optional(),description:f().optional(),enum:R(f()),enumNames:R(f()).optional(),default:f().optional()}),eR=ye([Yb,Xb]),tR=C({type:O("array"),title:f().optional(),description:f().optional(),minItems:ne().optional(),maxItems:ne().optional(),items:C({type:O("string"),enum:R(f())}),default:R(f()).optional()}),rR=C({type:O("array"),title:f().optional(),description:f().optional(),minItems:ne().optional(),maxItems:ne().optional(),items:C({anyOf:R(C({const:f(),title:f()}))}),default:R(f()).optional()}),nR=ye([tR,rR]),oR=ye([Qb,eR,nR]),aR=ye([oR,Kb,Jb,Wb]),iR=Uo.extend({mode:O("form").optional(),message:f(),requestedSchema:C({type:O("object"),properties:me(f(),aR),required:R(f()).optional()})}),sR=Uo.extend({mode:O("url"),message:f(),elicitationId:f(),url:f().url()}),cR=ye([iR,sR]),Qc=$e.extend({method:O("elicitation/create"),params:cR}),uR=gt.extend({elicitationId:f()}),dR=yt.extend({method:O("notifications/elicitation/complete"),params:uR}),Pr=qe.extend({action:ct(["accept","decline","cancel"]),content:Cc(e=>e===null?void 0:e,me(f(),ye([f(),ne(),ue(),R(f())])).optional())}),lR=C({type:O("ref/resource"),uri:f()});var pR=C({type:O("ref/prompt"),name:f()}),mR=ut.extend({ref:ye([pR,lR]),argument:C({name:f(),value:f()}),context:C({arguments:me(f(),f()).optional()}).optional()}),fR=$e.extend({method:O("completion/complete"),params:mR});var eu=qe.extend({completion:Pe({values:R(f()).max(100),total:be(ne().int()),hasMore:be(ue())})}),hR=C({uri:f().startsWith("file://"),name:f().optional(),_meta:me(f(),Re()).optional()}),gR=$e.extend({method:O("roots/list"),params:ut.optional()}),tu=qe.extend({roots:R(hR)}),yR=yt.extend({method:O("notifications/roots/list_changed"),params:gt.optional()}),sN=ye([di,ci,fR,Yc,Hc,Dc,Ec,Oc,$c,Rb,Ib,Do,Kc,pi,fi,hi,yi]),cN=ye([si,li,ui,yR,qo]),uN=ye([tr,tn,Ho,Pr,tu,mi,gi,rr]),dN=ye([di,Xc,Qc,gR,pi,fi,hi,yi]),lN=ye([si,li,jb,xb,Nc,Wc,Zc,qo,dR]),pN=ye([tr,Ac,eu,Fc,jc,Uc,Mc,qc,Ir,Jc,mi,gi,rr]),I=class e extends Error{static{o(this,"McpError")}constructor(t,r,n){super(`MCP error ${t}: ${r}`),this.code=t,this.data=n,this.name="McpError"}static fromError(t,r,n){if(t===k.UrlElicitationRequired&&n){let a=n;if(a.elicitations)return new Ct(a.elicitations,r)}return new e(t,r,n)}},Ct=class extends I{static{o(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(k.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};de();de();de();var _R=new Set(["localhost","::1"]);function nr(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}o(nr,"normalizeHostname");function ke(e){let t=nr(e.hostname);return e.protocol==="http:"&&(_R.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}o(ke,"isLoopbackHttpUrl");var zm=new $t("gateway-route");function $m(e,t){zm.set(e,t)}o($m,"setGatewayRouteContext");function Lo(e){return zm.get(e)}o(Lo,"readGatewayRouteContext");function qn(e){let t=Lo(e);if(!t)throw new K("Gateway route context has not been set");return t}o(qn,"requireGatewayRouteContext");var qm=new $t("mcp-oauth-runtime-config");function Nn(e,t){qm.set(e,t)}o(Nn,"setMcpOAuthRuntimeConfig");function Nm(e){let t=qm.get(e);if(!t)throw new q("MCP gateway OAuth config has not been set on the request context. An `mcp-oauth-inbound` policy (or `mcp-auth0-oauth-inbound`) must run before this handler, or the internal OAuth route wrapper must have populated the context.");return t}o(Nm,"requireMcpOAuthRuntimeConfig");var Bo=u.string().trim().min(1),vR=60,wR=24*60*60,bR=15*vR,RR=10*365*wR,Go={accessTokenTtlSeconds:bR,refreshTokenTtlSeconds:RR,cimdEnabled:!0},CR=u.object({issuer:u.url(),jwksUrl:u.url(),audience:Bo.optional()}),IR=u.object({url:u.url(),tokenUrl:u.url().optional(),clientId:Bo.optional(),clientSecret:Bo.optional(),scope:Bo.default("openid profile email"),audience:Bo.optional(),remoteTimeoutMs:u.coerce.number().int().positive().default(1e4),stateTtlSeconds:u.coerce.number().int().positive().default(900),sessionTtlSeconds:u.coerce.number().int().positive().default(28800)}).strict().superRefine((e,t)=>{if(!jm(e.url))for(let r of["tokenUrl","clientId","clientSecret"])e[r]||t.addIssue({code:u.ZodIssueCode.custom,message:`${r} is required for federated browser login`,path:[r]})}),PR=u.object({accessTokenTtlSeconds:u.coerce.number().int().positive().default(Go.accessTokenTtlSeconds),refreshTokenTtlSeconds:u.coerce.number().int().positive().default(Go.refreshTokenTtlSeconds),cimdEnabled:u.boolean().default(Go.cimdEnabled)}).strict().default(Go),ru=u.object({oidc:CR,browserLogin:IR,gateway:PR.optional().default(Go)}).strict();function Dm(e){return jm(e.browserLogin.url)?"local_dev":"federated_oidc"}o(Dm,"readBrowserLoginKind");function jm(e){let t;try{t=new URL(e)}catch{return!1}return ke(t)&&t.pathname==="/oauth/dev-login"}o(jm,"isLoopbackDevLoginUrl");function Hm(e){return ru.parse(e)}o(Hm,"parseMcpOAuthRuntimeConfig");function Te(){let e;try{e=_c()}catch(t){throw new K("MCP gateway OAuth config can only be read during a request. Wrap tests in `runWithRequestContext` and ensure MCP OAuth routes are registered through `McpGatewayPlugin`.",{cause:t})}return Nm(e)}o(Te,"getGatewayOAuthConfig");de();var Q=u.string().datetime({offset:!0}).brand();function oe(e){return Q.parse(e.toISOString())}o(oe,"toIsoTimestamp");function or(e,t){return new Date(e.getTime()+t*1e3)}o(or,"addSeconds");de();function le(e){return new URL(e).origin}o(le,"readGatewayRequestOrigin");function Pt(e){return le(e)}o(Pt,"readGatewayOAuthIssuer");function nu(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}o(nu,"truncate");function Lm(e){return"cause"in e?e.cause:void 0}o(Lm,"readCause");function Xe(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=nu(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=nu(r.message);let n=Lm(r);for(let a=1;a<=4&&n instanceof Error;a+=1){let i=a===1?"cause":`cause${a}`;e[`${i}Name`]=n.name,e[`${i}Message`]=nu(n.message),n=Lm(n)}}o(Xe,"addErrorLogFields");function St(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}o(St,"safeHost");function Bm(e,t){let r=Object.entries(t).filter(n=>n[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}o(Bm,"setLogProperties");function ou(e,t){Bm(e,{subjectId:t.subjectId})}o(ou,"applyGatewayPrincipalLogProperties");function Gm(e,t){Bm(e,{upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId})}o(Gm,"applyGatewayRouteLogProperties");var T="gatewayCode",Dn={runtime:{invalid_request:{code:"invalid_request",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},too_many_requests:{code:"too_many_requests",status:429,title:"Too Many Requests",publicDetail:"The request exceeded the allowed rate.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{virtual_server_not_enabled:{code:"virtual_server_not_enabled",status:404,title:"Not Found",publicDetail:"The requested virtual server is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_virtual_server:{code:"unknown_virtual_server",status:400,title:"Bad Request",publicDetail:"The requested virtual server is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},virtual_server_upstream_mismatch:{code:"virtual_server_upstream_mismatch",status:400,title:"Bad Request",publicDetail:"The requested virtual server does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_capability_unavailable:{code:"upstream_capability_unavailable",status:503,title:"Service Unavailable",publicDetail:"The upstream capability is unavailable. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},Qe={...Dn.runtime,...Dn.config,...Dn.downstream_auth,...Dn.downstream_oauth,...Dn.upstream_auth,...Dn.upstream_mcp};function ar(e){return typeof e=="string"&&Object.hasOwn(Qe,e)}o(ar,"isGatewayProblemCode");function Si(e){return ar(e)&&Ee(e).callbackFailure===!0}o(Si,"isGatewayCallbackFailureCode");function Ee(e){return Qe[e]}o(Ee,"readGatewayProblemDefinition");function Vm(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";case 429:return"too_many_requests";default:return"internal_server_error"}}o(Vm,"readDefaultGatewayProblemCodeForStatus");function Fm(e){let t=Ee(e);return{title:t.title,body:t.publicDetail}}o(Fm,"readGatewayCallbackFailureContent");function dt(e){if(!(e instanceof E))return;let t=e.extensionMembers?.[T];return ar(t)?t:void 0}o(dt,"readGatewayProblemCode");function D(e,t,r){let n=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=Ee(n.code),i=n.privateDetail??(_i(n.code)?n.publicDetail??a.publicDetail:a.publicDetail),s=xR(n);return new E({message:i,extensionMembers:{[T]:n.code}},s===void 0?void 0:{cause:s})}o(D,"createGatewayRuntimeError");async function xr(e,t,r){let n=Ee(r.code),a=kR(r.code,r.detail),i=_i(r.code)?r.title??n.title:n.title,c={problem:{...Ae.getProblemFromStatus(n.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:n.status,title:i,detail:a,code:r.code}};return r.headers!==void 0&&(c.additionalHeaders=r.headers),Ae.format(c,e,t)}o(xr,"gatewayProblemResponse");function _i(e){return Ee(e).status<500}o(_i,"canExposeGatewayProblemDetail");function xR(e){return!e.privateDetail||_i(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}o(xR,"readRuntimeErrorCause");function kR(e,t){let r=Ee(e);return _i(e)&&t||r.publicDetail}o(kR,"readSafeGatewayProblemDetail");de();var AR=["shared-oauth","user-oauth","static-secret","user-secret","shared-secret"],TR=["none","client_secret_basic","client_secret_post"],et=u.string().min(1).brand(),Ue=u.string().min(1).brand(),tt=u.string().min(1).brand(),kr=u.string().min(1).brand(),vi=u.enum(AR),au=u.enum(TR),wi=u.string().trim().min(1).regex(/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/,"must be a valid HTTP header name"),iu=u.object({name:wi,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict();var ER=new Set(["about","blob","data","file","ftp","ftps","javascript","mailto","urn","ws","wss"]);function UR(e){return e.protocol.replace(/:$/u,"").toLowerCase()}o(UR,"readScheme");function OR(e){return e.protocol==="https:"}o(OR,"isSpecCompliantRedirectUri");function MR(e){let t=UR(e);return t.length>0&&t!=="http"&&t!=="https"&&!ER.has(t)}o(MR,"isNativeAppCustomSchemeRedirectUri");var Km=[{id:"oauth.redirect_uri.https",mode:"strict",accepts:o(e=>OR(e),"accepts")},{id:"oauth.redirect_uri.loopback_http",mode:"native_app",accepts:o(e=>ke(e),"accepts"),matches:o((e,t)=>ke(e)&&ke(t)&&e.pathname===t.pathname&&e.search===t.search,"matches")},{id:"oauth.redirect_uri.custom_scheme",mode:"native_app",accepts:o(e=>MR(e),"accepts")}];function Jm(e){let t=Km.find(r=>r.accepts(e.url,e.context));return t===void 0?{kind:"rejected"}:{kind:"allowed",ruleId:t.id,mode:t.mode}}o(Jm,"evaluateBuiltInRedirectUriCompatibility");function Zm(e){try{return new URL(e)}catch{return}}o(Zm,"parseUrl");function Wm(e){if(e.registeredRedirectUri===e.requestedRedirectUri)return!0;let t=Zm(e.registeredRedirectUri),r=Zm(e.requestedRedirectUri);if(t===void 0||r===void 0)return!1;let n=e.context??{source:"registration_match"};return Km.some(a=>a.matches?.(t,r,n))}o(Wm,"redirectUriMatchesBuiltInCompatibility");de();var zR=43,$R=128,qR=/^[A-Za-z0-9._~-]+$/,su="S256",bi=u.literal(su),Ri=u.string().min(zR).max($R).regex(qR);de();var Ym=["none","client_secret_post","client_secret_basic"],cu=[...Ym,"private_key_jwt"],NR=["awaiting_login","awaiting_setup"],DR=u.string().min(1).brand(),Oe=u.string().min(1).brand(),Vo=u.uuid().brand(),lt=u.uuid().brand(),Ci=u.uuid().brand(),Xm=u.enum(Ym),Qm=u.enum(cu),gD=u.enum(NR),ef=u.object({client_id:Oe,client_name:u.string().min(1),redirect_uris:u.array(u.string().min(1)).min(1),jwks_uri:u.string().min(1).optional(),token_endpoint_auth_method:Qm.default("none")}).superRefine((e,t)=>{e.token_endpoint_auth_method==="private_key_jwt"&&e.jwks_uri===void 0&&t.addIssue({code:"custom",path:["jwks_uri"],message:"jwks_uri is required for private_key_jwt clients."})}),uu=u.object({clientId:Oe,clientName:u.string().min(1),redirectUris:u.array(u.string().min(1)),tokenEndpointAuthMethod:Qm,hashedClientSecret:u.string().optional(),clientSecretExpiresAt:Q.optional(),clientExpiresAt:Q,revokedAt:Q.optional(),createdAt:Q}),du=u.object({clientId:Oe,resource:u.string(),virtualServerId:Ue,subjectId:DR,scope:u.string(),roles:u.array(u.string()),createdAt:Q,expiresAt:Q}),yD=du.extend({id:lt,redirectUri:u.string(),clientState:u.string().optional(),codeChallenge:u.string(),codeChallengeMethod:bi}),lu=du.extend({id:Vo,currentRefreshTokenHash:u.string().optional(),previousRefreshTokenHash:u.string().optional(),previousRefreshTokenRotatedAt:Q.optional(),revokedAt:Q.optional(),revokedReason:u.string().optional()}),Ii=du.extend({tokenHash:u.string(),grantId:Vo,revokedAt:Q.optional()});function pu(){return lt.parse(crypto.randomUUID())}o(pu,"createDownstreamAuthorizationTransactionId");function mu(){return Ci.parse(crypto.randomUUID())}o(mu,"createDownstreamBrowserLoginStateId");function tf(){return Vo.parse(crypto.randomUUID())}o(tf,"createDownstreamGrantId");var _e="mcp:tools";function rf(e,t){return Wm({registeredRedirectUri:e,requestedRedirectUri:t,context:{source:"registration_match"}})}o(rf,"redirectUriMatchesRegistration");function nf(e){return ke(e)&&e.pathname==="/oauth/dev-login"}o(nf,"isLoopbackDevLoginUrl");function Pi(e,t){return new URL(e,Pt(t)).toString()}o(Pi,"buildGatewayOAuthUrl");function fu(e){let t=Nt(Ue.parse(e.virtualServerId));return new URL(t.routePath,le(e.requestUrl)).toString()}o(fu,"buildScopedAuthorizationServerIssuer");function jR(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.virtualServerId)}`,le(e.requestUrl)).toString()}o(jR,"buildScopedAuthorizationEndpoint");function hu(e){let t=Te();return{issuer:Pt(e),authorization_endpoint:Pi("/oauth/authorize",e),token_endpoint:Pi("/oauth/token",e),registration_endpoint:Pi("/oauth/register",e),revocation_endpoint:Pi("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[_e],code_challenge_methods_supported:[su],token_endpoint_auth_methods_supported:cu,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","private_key_jwt","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":Dm(t)}}o(hu,"buildAuthorizationServerMetadata");function of(e){let t=fu(e);return{...hu(e.requestUrl),issuer:t,authorization_endpoint:jR(e)}}o(of,"buildScopedAuthorizationServerMetadata");var rn="2025-06-18";async function af(e,t){try{let r=Ue.parse(e.params.virtualServerId),n=Nt(r);return Response.json(HR(n.virtualServerId,e.url))}catch(r){let n=dt(r);return xr(e,t,{code:n==="unknown_virtual_server"?n:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}o(af,"protectedResourceMetadataHandler");function HR(e,t){return{resource:Ar(e,t),resource_name:e,authorization_servers:[fu({virtualServerId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[_e],mcp_protocol_version:rn}}o(HR,"buildProtectedResourceMetadataResponseBody");function Ar(e,t){let r=Nt(e);return new URL(r.routePath,le(t)).toString()}o(Ar,"buildCanonicalMcpResourceForVirtualServer");function sf(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,le(t)).toString()}o(sf,"buildProtectedResourceMetadataUrlForVirtualServer");var LR=u.record(u.string(),u.unknown()),cf=u.string().min(1),BR=u.union([cf.transform(e=>[e]),u.array(cf)]),ve=u.string().min(1).brand(),GR=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],VR=["https://zuplo.com/roles","roles","role","permissions","groups"],uf=new $t("gateway-principal");function FR(e){let t=LR.safeParse(e);return t.success?t.data:{}}o(FR,"toClaimRecord");function ZR(e){return e.issues[0]?.message??"Gateway principal is invalid"}o(ZR,"readValidationFailureDetail");function KR(e,t,r){for(let i of GR){let s=ve.safeParse(t[i]);if(s.success)return s.data}let n=ve.safeParse(e?.sub);if(!n.success)throw D("identity_context_missing",ZR(n.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===Pt(r)?n.data:ve.parse(`${a}|${n.data}`)}o(KR,"readNormalizedSubjectId");function JR(e){let t=new Set;for(let r of VR){let n=BR.safeParse(e[r]);if(n.success)for(let a of n.data)t.add(a)}return t.size>0?[...t]:void 0}o(JR,"readRoles");function jn(e,t){let r=FR(e?.data),n={subjectId:KR(e,r,t)},a=JR(r);return a&&(n.roles=a),n}o(jn,"parseGatewayPrincipal");function df(e){let t=yu(e);if(!t)throw D("identity_context_missing","Gateway principal has not been hydrated");return t}o(df,"requireGatewayPrincipal");function lf(e,t){uf.set(e,t)}o(lf,"setGatewayPrincipal");function yu(e){return uf.get(e)}o(yu,"readGatewayPrincipal");function xi(e){let r=['realm="OAuth"',`resource_metadata="${gu(sf(e.virtualServerId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${gu(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${gu(e.scope)}"`),`Bearer ${r.join(", ")}`}o(xi,"buildGatewayBearerChallenge");function gu(e){let t="";for(let r=0;r<e.length;r+=1){let n=e.charCodeAt(r);n<=31||n===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}o(gu,"sanitizeQuotedHeaderParameter");de();de();function pf(e){return new E({message:e,extensionMembers:{[T]:"invalid_request"}})}o(pf,"invalidReturnTo");function ki(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw pf("returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw pf("returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}o(ki,"parseSafeRelativeReturnTo");de();var WR=["user","shared"],Hn=u.enum(WR);function Tr(e){return{mode:"user",subjectId:e}}o(Tr,"buildUserUpstreamConnectionOwner");function Ai(){return{mode:"shared"}}o(Ai,"buildSharedUpstreamConnectionOwner");var mf=u.object({ownerMode:Hn,initiatedBySubjectId:ve,ownerSubjectId:ve.optional(),upstreamServerId:et,authProfileId:tt,virtualServerId:Ue,returnTo:u.string().min(1).transform(e=>ki(e)).optional()});function ff(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="shared"&&e.ownerSubjectId&&t.addIssue({code:u.ZodIssueCode.custom,message:"Shared state must not include ownerSubjectId",path:["ownerSubjectId"]})}o(ff,"validateUpstreamOwnerState");var Ln=mf.superRefine(ff),hf=mf.omit({returnTo:!0}).superRefine(ff);function Fo(e){return Ln.parse({ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,returnTo:e.returnTo})}o(Fo,"buildUpstreamOwnerState");function Bn(e){if(e.ownerMode==="shared")return Ai();if(!e.ownerSubjectId)throw new E({message:"User-owned upstream state is missing the owner subject.",extensionMembers:{[T]:"oauth_state_invalid"}});return Tr(e.ownerSubjectId)}o(Bn,"resolveUpstreamConnectionOwnerFromState");var YR=["active","not_connected","reconsent_required"],XR=["basic_auth_app_password","bearer_token"],gf=u.string().trim().min(1).brand(),Gn=u.uuid().brand(),Zo=u.uuid().brand(),Su=u.enum(YR),QR=u.enum(XR),yf=u.object({encryptedClientInformation:u.string().optional(),encryptedDiscoveryState:u.string().optional(),connectedBySubjectId:ve.optional()}),eC=yf.extend({encryptedStaticSecret:u.string().optional(),staticSecretKind:QR.optional(),staticSecretLabel:u.string().min(1).optional(),staticSecretUsername:u.string().min(1).optional()}).strict(),tC=u.object({id:gf,subjectId:ve.optional(),ownerMode:Hn,upstreamServerId:et,authProfileId:tt,status:Su,encryptedAccessToken:u.string().min(1).optional(),encryptedRefreshToken:u.string().min(1).optional(),scopes:u.array(u.string()),expiresAt:Q.optional(),metadata:eC.optional(),createdAt:Q,updatedAt:Q});function _u(e,t){e.ownerMode==="user"&&(e.subjectId||t.addIssue({code:u.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="shared"&&e.subjectId!==void 0&&t.addIssue({code:u.ZodIssueCode.custom,message:"Shared upstream connections must not include subjectId",path:["subjectId"]})}o(_u,"validateUpstreamConnectionOwnerShape");var Vn=tC.superRefine(_u);function Er(e){return JSON.stringify([e.owner.mode,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}o(Er,"readUpstreamConnectionLookupKey");var vu=Ln.extend({id:Gn,callbackPath:u.string().min(1),expiresAt:Q,codeVerifier:u.string().optional(),redirectUri:u.url(),returnOrigin:u.url().optional()}).extend(yf.shape);function Sf(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}o(Sf,"readUpstreamConnectionStatus");function Ti(){return gf.parse(`mcpgw2uc_${crypto.randomUUID()}`)}o(Ti,"createUpstreamConnectionId");function _f(){return Gn.parse(crypto.randomUUID())}o(_f,"createOAuthStateId");function vf(){return Zo.parse(crypto.randomUUID())}o(vf,"createBrowserConnectTicketId");de();var bu=u.discriminatedUnion("mode",[u.object({mode:u.literal("user"),subjectId:ve}).strict(),u.object({mode:u.literal("shared")}).strict()]),bf=u.object({owner:bu,upstreamServerId:et,authProfileId:tt}).strict(),Rf=u.object({items:u.array(bf).min(1).max(100)}).strict(),Ru=u.object({items:u.array(u.object({key:u.object({ownerMode:Hn,subjectId:ve.optional(),upstreamServerId:et,authProfileId:tt}).strict(),connection:Vn.strict().optional()}).strict())}).strict(),Cf=Vn.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(_u),If=Vn.strict(),Pf=u.object({owner:bu,upstreamServerId:et,authProfileId:tt}).strict(),xf=u.object({owner:bu,upstreamServerId:et,authProfileId:tt,connection:Vn.strict().optional(),connectionStatus:u.object({connected:u.boolean(),status:Su,updatedAt:Vn.shape.updatedAt.optional()}).strict()}).strict(),rC=u.enum(["none","client_secret_basic","client_secret_post","private_key_jwt"]),nn=u.object({clientId:Oe,clientName:u.string().min(1),tokenEndpointAuthMethod:rC}).strict(),Cu=u.discriminatedUnion("method",[u.object({method:u.literal("none"),clientId:Oe}).strict(),u.object({method:u.enum(["client_secret_basic","client_secret_post"]),clientId:Oe,clientSecretHashInput:u.string().min(1)}).strict(),u.object({method:u.literal("private_key_jwt"),clientId:Oe}).strict()]),Iu=u.object({id:lt,currentStateHash:u.string().min(1),clientId:Oe,redirectUri:u.string().min(1),resource:u.string().min(1),virtualServerId:Ue,clientState:u.string().optional(),scope:u.string(),codeChallenge:u.string().min(1),codeChallengeMethod:u.literal("S256"),setupApprovedAt:Q.optional(),createdAt:Q,expiresAt:Q,consumedAt:Q.optional()}).strict(),wf=Iu.omit({id:!0,consumedAt:!0}).extend({transactionId:lt,client:nn.optional()}).strict(),Pu=u.object({subjectId:ve,roles:u.array(u.string()).optional()}).strict(),nC=Iu.extend({phase:u.literal("awaiting_login")}).strict(),wu=Iu.extend({phase:u.literal("awaiting_setup"),principal:Pu}).strict(),oC=u.discriminatedUnion("phase",[nC,wu]),Ei=u.object({transaction:oC,client:nn}).strict(),kf=uu.omit({revokedAt:!0}).strict(),Af=u.discriminatedUnion("kind",[u.object({kind:u.literal("registered"),client:nn}).strict(),u.object({kind:u.literal("already_exists")}).strict()]),Tf=u.object({clientId:Oe}).strict(),Ef=u.discriminatedUnion("kind",[u.object({kind:u.literal("found"),client:uu.strict()}).strict(),u.object({kind:u.literal("missing")}).strict()]),Uf=u.discriminatedUnion("phase",[wf.extend({phase:u.literal("awaiting_login")}).strict(),wf.extend({phase:u.literal("awaiting_setup"),principal:Pu}).strict()]),Of=u.discriminatedUnion("kind",[Ei.extend({kind:u.literal("started")}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("redirect_uri_mismatch")}).strict(),u.object({kind:u.literal("already_exists")}).strict()]),Mf=u.object({transactionId:lt,currentStateHash:u.string().min(1),now:Q}).strict(),zf=u.discriminatedUnion("kind",[Ei.extend({kind:u.literal("available")}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),$f=u.object({transactionId:lt,expectedPhase:u.literal("awaiting_login"),currentStateHash:u.string().min(1),nextStateHash:u.string().min(1),nextPhase:u.literal("awaiting_setup"),principal:Pu,now:Q}).strict(),qf=u.discriminatedUnion("kind",[Ei.extend({kind:u.literal("advanced")}).strict(),u.object({kind:u.literal("wrong_phase"),current:u.enum(["awaiting_login","awaiting_setup"])}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Nf=u.object({transactionId:lt,currentStateHash:u.string().min(1),currentPrincipal:u.object({subjectId:ve}).strict(),now:Q}).strict(),Df=u.discriminatedUnion("kind",[Ei.extend({kind:u.literal("marked")}).strict(),u.object({kind:u.literal("wrong_phase"),current:u.enum(["awaiting_login","awaiting_setup"])}).strict(),u.object({kind:u.literal("principal_mismatch")}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),jf=u.discriminatedUnion("decision",[u.object({decision:u.literal("approve"),transactionId:lt,currentStateHash:u.string().min(1),currentPrincipal:u.object({subjectId:ve}).strict(),authorizationCodeHash:u.string().min(1),authorizationCodeExpiresAt:Q,grantId:Vo,now:Q}).strict(),u.object({decision:u.literal("cancel"),transactionId:lt,currentStateHash:u.string().min(1),currentPrincipal:u.object({subjectId:ve}).strict(),now:Q}).strict()]),Hf=u.discriminatedUnion("kind",[u.object({kind:u.literal("approved"),transaction:wu,client:nn}).strict(),u.object({kind:u.literal("cancelled"),transaction:wu,client:nn}).strict(),u.object({kind:u.literal("principal_mismatch")}).strict(),u.object({kind:u.literal("stale_hash")}).strict(),u.object({kind:u.literal("consumed_already")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("missing")}).strict()]),Lf=u.object({clientAuth:Cu,codeHash:u.string().min(1),redirectUri:u.string().min(1),resource:u.string().min(1).optional(),codeChallenge:u.string().min(1),currentRefreshTokenHash:u.string().min(1),accessTokenHash:u.string().min(1),grantExpiresAt:Q,accessTokenExpiresAt:Q,now:Q}).strict(),Bf=u.discriminatedUnion("kind",[u.object({kind:u.literal("exchanged"),client:nn,grant:lu.strict()}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("binding_mismatch")}).strict()]),Gf=u.object({clientAuth:Cu,currentRefreshTokenHash:u.string().min(1),nextRefreshTokenHash:u.string().min(1),accessTokenHash:u.string().min(1),resource:u.string().min(1).optional(),accessTokenExpiresAt:Q,now:Q}).strict(),Vf=u.discriminatedUnion("kind",[u.object({kind:u.literal("rotated"),client:nn,grant:lu.strict(),accessToken:Ii.strict(),matched:u.literal("current")}).strict(),u.object({kind:u.literal("invalid_client")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("previous_token_grace")}).strict(),u.object({kind:u.literal("revoked")}).strict()]),Ff=u.object({clientAuth:Cu,tokenHash:u.string().min(1),now:Q}).strict(),Zf=u.discriminatedUnion("kind",[u.object({kind:u.literal("revoked_access_token")}).strict(),u.object({kind:u.literal("revoked_grant")}).strict(),u.object({kind:u.literal("client_mismatch")}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("invalid_client")}).strict()]),Kf=u.object({tokenHash:u.string().min(1),now:Q}).strict(),Jf=u.discriminatedUnion("kind",[u.object({kind:u.literal("valid"),record:Ii.strict()}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("revoked")}).strict()]),Wf=u.object({accessTokenHash:u.string().min(1),resource:u.string().min(1),virtualServerId:Ue,upstreamConnectionKeys:u.array(bf).max(100),now:Q}).strict(),Yf=u.discriminatedUnion("kind",[u.object({kind:u.literal("authorized"),principal:u.object({subjectId:ve,roles:u.array(u.string())}).strict(),accessToken:Ii.strict(),upstreamConnections:Ru.shape.items}).strict(),u.object({kind:u.literal("missing")}).strict(),u.object({kind:u.literal("expired")}).strict(),u.object({kind:u.literal("revoked")}).strict(),u.object({kind:u.literal("resource_mismatch")}).strict(),u.object({kind:u.literal("principal_mismatch")}).strict()]),Xf=u.object({record:vu}).strict(),Qf=u.object({kind:u.literal("saved")}).strict(),eh=u.object({id:Gn,now:Q}).strict(),th=u.discriminatedUnion("kind",[u.object({kind:u.literal("available"),record:vu}).strict(),u.object({kind:u.literal("consumed")}).strict(),u.object({kind:u.literal("missing")}).strict()]),rh=u.object({id:Zo,expiresAt:Q,now:Q}).strict(),nh=u.discriminatedUnion("kind",[u.object({kind:u.literal("available")}).strict(),u.object({kind:u.literal("consumed")}).strict()]);var oh=100,aC=new Set(["undefined","null","nan"]);function ah(e){return e!==null&&typeof e=="object"}o(ah,"isProblemDetailsShape");var iC="/zups/v2/mcp/storage";function Me(e){return`${iC}/${e}`}o(Me,"buildStoragePath");function sC(){return Me("upstream-connections/batch-get")}o(sC,"buildBatchGetUpstreamConnectionsPath");function cC(){return Me("upstream-connections/upsert")}o(cC,"buildUpsertUpstreamConnectionPath");function uC(){return Me("authorization/read-setup")}o(uC,"buildReadAuthorizationSetupPath");function dC(){return Me("oauth/register-client")}o(dC,"buildRegisterClientPath");function lC(){return Me("oauth/read-client")}o(lC,"buildReadClientPath");function pC(){return Me("authorization/start")}o(pC,"buildStartAuthorizationPath");function mC(){return Me("authorization/read-pending")}o(mC,"buildReadPendingAuthorizationPath");function fC(){return Me("authorization/advance-pending")}o(fC,"buildAdvancePendingAuthorizationPath");function hC(){return Me("authorization/mark-setup-approved")}o(hC,"buildMarkAuthorizationSetupApprovedPath");function gC(){return Me("authorization/decide-setup")}o(gC,"buildDecideAuthorizationSetupPath");function yC(){return Me("token/exchange-authorization-code")}o(yC,"buildExchangeAuthorizationCodePath");function SC(){return Me("token/refresh")}o(SC,"buildRefreshTokenPath");function _C(){return Me("token/revoke")}o(_C,"buildRevokeOAuthTokenPath");function vC(){return Me("token/validate-access-token")}o(vC,"buildValidateAccessTokenPath");function wC(){return Me("mcp/authorize-and-load-connections")}o(wC,"buildAuthorizeAndLoadConnectionsPath");function bC(){return Me("upstream-oauth-state/save")}o(bC,"buildSaveUpstreamOAuthStatePath");function RC(){return Me("upstream-oauth-state/consume")}o(RC,"buildConsumeUpstreamOAuthStatePath");function CC(){return Me("browser-connect-ticket/consume")}o(CC,"buildConsumeBrowserConnectTicketPath");function IC(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(IC,"responseKeyMatchesLookup");function PC(e,t){return e.owner.mode===t.owner.mode&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(PC,"authorizationSetupMatchesLookup");function ch(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}o(ch,"connectionMatchesLookup");function xC(e,t){return e.ownerMode===t.ownerMode&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&Au(e.scopes,t.scopes)&&ku(e.expiresAt,t.expiresAt)&&kC(e.metadata,t.metadata)}o(xC,"connectionMatchesUpsertRecord");function ku(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}o(ku,"optionalTimestampInstantsMatch");function ih(e,t){return Date.parse(e)<=Date.parse(t)}o(ih,"timestampInstantIsAtOrBefore");function Au(e,t){return e.length===t.length&&e.every((r,n)=>r===t[n])}o(Au,"stringArraysMatch");function kC(e,t){let r=sh(e),n=sh(t),a=Object.fromEntries(n);return r.length===n.length&&r.every(([i,s])=>a[i]===s)}o(kC,"metadataMatches");function sh(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}o(sh,"definedMetadataEntries");function we(e,t){throw Ko("internal_server_error",e,t)}o(we,"throwInvalidStorageResponse");function Ko(e,t,r){let n=Qe[e],a=n.status<500,i=a?r:new Error(t,r===void 0?void 0:{cause:r});return new E({message:a?t:n.publicDetail,extensionMembers:{[T]:e}},i===void 0?void 0:{cause:i})}o(Ko,"storageRuntimeError");async function AC(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){we("Gateway Service storage response did not match the runtime storage contract.",r)}}o(AC,"parseRuntimeHttpStorageResponse");function uh(e,t){e.length!==t.length&&we("Gateway Service storage response item count did not match the request.");for(let[r,n]of e.entries()){let a=t[r];IC(n.key,a)||we("Gateway Service storage response key did not match the request."),n.connection!==void 0&&!ch(n.connection,a)&&we("Gateway Service storage response connection did not match the response key.")}}o(uh,"validateUpstreamConnectionItemsMatchLookups");function TC(e,t){PC(e,t)||we("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!ch(e.connection,t)&&we("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",n=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==n||!ku(e.connectionStatus.updatedAt,a))&&we("Gateway Service storage response authorization setup status did not match the connection.")}o(TC,"validateAuthorizationSetupResponseMatchesLookup");function EC(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&we("Gateway Service storage response registered client did not match the request.")}o(EC,"validateRegisterClientResponseMatchesRequest");function UC(e,t){e.kind==="found"&&e.client.clientId!==t.clientId&&we("Gateway Service storage response client did not match the request.")}o(UC,"validateReadClientResponseMatchesRequest");function OC(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.virtualServerId!==t.virtualServerId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&we("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&we("Gateway Service storage response started authorization principal did not match the request."))}o(OC,"validateStartAuthorizationResponseMatchesRequest");function xu(e,t){e.kind!=="available"&&e.kind!=="advanced"&&e.kind!=="marked"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&we("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&we("Gateway Service storage response advanced authorization did not match the request."),"currentPrincipal"in t&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&we("Gateway Service storage response marked authorization principal did not match the request."),e.kind==="marked"&&"currentPrincipal"in t&&e.transaction.setupApprovedAt!==t.now&&we("Gateway Service storage response marked authorization setup approval timestamp did not match the request."))}o(xu,"validatePendingAuthorizationResponseMatchesRequest");function MC(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&we("Gateway Service storage response authorization setup transaction did not match the request.")}o(MC,"validateAuthorizationSetupDecisionResponseMatchesRequest");function zC(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!ku(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&we("Gateway Service storage response authorization-code exchange did not match the request.")}o(zC,"validateExchangeAuthorizationCodeResponseMatchesRequest");function $C(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&we("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!ih(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!ih(e.accessToken.expiresAt,e.grant.expiresAt)||!DC(e.accessToken,e.grant))&&we("Gateway Service storage response token refresh access token did not match the request."))}o($C,"validateRefreshTokenResponseMatchesRequest");function qC(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&we("Gateway Service storage response access token did not match the request.")}o(qC,"validateAccessTokenValidationResponseMatchesRequest");function NC(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.virtualServerId!==t.virtualServerId||e.principal.subjectId!==e.accessToken.subjectId||!Au(e.principal.roles,e.accessToken.roles))&&we("Gateway Service storage response MCP authorization did not match the request."),uh(e.upstreamConnections,t.upstreamConnectionKeys))}o(NC,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function DC(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.virtualServerId===t.virtualServerId&&e.subjectId===t.subjectId&&e.scope===t.scope&&Au(e.roles,t.roles)}o(DC,"accessTokenMatchesGrant");async function jC(e){try{return await e.clone().json()}catch{return}}o(jC,"readProblemDetails");async function HC(e){let t=await jC(e),r=ah(t)&&typeof t.status=="number"?t.status:e.status,n=ah(t)&&ar(t.code)?t.code:Vm(r);throw Ko(n,`Gateway Service storage request failed with HTTP ${r}.`)}o(HC,"throwRuntimeHttpStorageError");var Ui=class{static{o(this,"RuntimeHttpStorageClient")}#t;#r;constructor(t){this.#t=t.baseUrl??Eo.instance.zuploEdgeApiUrl,this.#r=t.fetch??fetch}#n(t){let r;try{r=new URL(t,this.#t)}catch(n){throw Ko("internal_server_error",`Gateway Service storage base URL is not a valid URL. Got ${JSON.stringify(this.#t)}. Verify the gateway runtime configuration.`,n)}if(r.protocol!=="https:"&&r.protocol!=="http:")throw Ko("internal_server_error",`Gateway Service storage base URL must use http(s); got protocol "${r.protocol}" from ${JSON.stringify(this.#t)}.`);if(!r.hostname||aC.has(r.hostname))throw Ko("internal_server_error",`Gateway Service storage base URL has an invalid hostname "${r.hostname}" (parsed from ${JSON.stringify(this.#t)}). The configured value is likely coerced from an unset environment variable.`);return r}async#e(t){let r=t.requestSchema.parse(t.input),n=this.#n(t.path),a=new Headers({"Content-Type":"application/json"});um(a);let i=await this.#r(n,{method:"POST",headers:a,body:JSON.stringify(r)});return i.ok||await HC(i),{request:r,response:await AC(i,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],n=new Map,a=t.map(s=>{let c=Er(s),d=n.get(c);if(d!==void 0)return d;let p=r.length;return r.push(s),n.set(c,p),p}),i=[];for(let s=0;s<r.length;s+=oh){let c=r.slice(s,s+oh);i.push(...await this.#o(c))}return a.map(s=>i[s])}async upsertUpstreamConnection(t){let{request:r,response:n}=await this.#e({input:t,path:cC(),requestSchema:Cf,responseSchema:If});return xC(n,r)||we("Gateway Service storage response connection did not match the request."),n}async readAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:uC(),requestSchema:Pf,responseSchema:xf});return TC(n,r),n}async registerClient(t){let{request:r,response:n}=await this.#e({input:t,path:dC(),requestSchema:kf,responseSchema:Af});return EC(n,r),n}async readClient(t){let{request:r,response:n}=await this.#e({input:t,path:lC(),requestSchema:Tf,responseSchema:Ef});return UC(n,r),n}async startAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:pC(),requestSchema:Uf,responseSchema:Of});return OC(n,r),n}async readPendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:mC(),requestSchema:Mf,responseSchema:zf});return xu(n,r),n}async advancePendingAuthorization(t){let{request:r,response:n}=await this.#e({input:t,path:fC(),requestSchema:$f,responseSchema:qf});return xu(n,r),n}async markAuthorizationSetupApproved(t){let{request:r,response:n}=await this.#e({input:t,path:hC(),requestSchema:Nf,responseSchema:Df});return xu(n,r),n}async decideAuthorizationSetup(t){let{request:r,response:n}=await this.#e({input:t,path:gC(),requestSchema:jf,responseSchema:Hf});return MC(n,r),n}async saveUpstreamOAuthState(t){let{response:r}=await this.#e({input:t,path:bC(),requestSchema:Xf,responseSchema:Qf});return r}async consumeUpstreamOAuthState(t){let{request:r,response:n}=await this.#e({input:t,path:RC(),requestSchema:eh,responseSchema:th});return n.kind==="available"&&n.record.id!==r.id&&we("Gateway Service storage response upstream OAuth state did not match the request."),n}async consumeBrowserConnectTicket(t){let{response:r}=await this.#e({input:t,path:CC(),requestSchema:rh,responseSchema:nh});return r}async exchangeAuthorizationCode(t){let{request:r,response:n}=await this.#e({input:t,path:yC(),requestSchema:Lf,responseSchema:Bf});return zC(n,r),n}async refreshToken(t){let{request:r,response:n}=await this.#e({input:t,path:SC(),requestSchema:Gf,responseSchema:Vf});return $C(n,r),n}async revokeOAuthToken(t){let{response:r}=await this.#e({input:t,path:_C(),requestSchema:Ff,responseSchema:Zf});return r}async validateAccessToken(t){let{request:r,response:n}=await this.#e({input:t,path:vC(),requestSchema:Kf,responseSchema:Jf});return qC(n,r),n}async authorizeAndLoadConnections(t){let{request:r,response:n}=await this.#e({input:t,path:wC(),requestSchema:Wf,responseSchema:Yf});return NC(n,r),n}async#o(t){let r={items:[...t]},{response:n}=await this.#e({input:r,path:sC(),requestSchema:Rf,responseSchema:Ru});return uh(n.items,t),n.items.map(a=>a.connection)}};var LC="__zuploMcpGatewayStorageBackend",Tu;function BC(){return new Ui({})}o(BC,"buildProductionStorageBackend");function Y(){let e=globalThis[LC];return e||(Tu||(Tu=BC()),Tu)}o(Y,"getStorage");function GC(e,t){let r=yu(e),n=Lo(e),a=t.ownerMode??t.routeBinding?.ownerMode,i=t.upstreamAuthMode??t.routeBinding?.authMode,s=t.virtualServerName??t.routeBinding?.virtualServerId??n?.virtualServerId,c=t.upstreamServerName??t.routeBinding?.upstreamServerId??n?.upstreamServerId,d=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName,p=t.authProfileId??t.routeBinding?.authProfileId??n?.authProfileId;return _m(e,{...t,subjectId:r?.subjectId,ownerMode:a,upstreamAuthMode:i,virtualServerName:s,upstreamServerName:c,upstreamServerTitle:d,authProfileId:p})}o(GC,"buildMcpAnalyticsMetadata");function J(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,GC(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}o(J,"emitMcpAnalyticsEvent");import{base64url as Eu}from"jose";var VC="sha256:",FC=32;function dh(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(dh,"copyToArrayBuffer");function ir(){let e=crypto.getRandomValues(new Uint8Array(FC));return Eu.encode(e)}o(ir,"createOpaqueToken");async function fe(e){let t=await crypto.subtle.digest("SHA-256",dh(new TextEncoder().encode(e)));return`${VC}${Eu.encode(new Uint8Array(t))}`}o(fe,"hashOpaqueValue");async function lh(e){let t=await crypto.subtle.digest("SHA-256",dh(new TextEncoder().encode(e)));return Eu.encode(new Uint8Array(t))}o(lh,"calculatePkceS256Challenge");function Uu(e){let t=e.headers.get("authorization"),[r,n]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!n))return n}o(Uu,"readBearerToken");function ZC(e,t,r){return xr(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}o(ZC,"gatewayAuthenticationRequiredResponse");function KC(e){switch(e){case"expired":return"expired_token";case"revoked":return"revoked_token";case"missing":return"invalid_token";default:{let t=e;return"invalid_token"}}}o(KC,"tokenValidationReasonCode");async function JC(e,t,r){let n=await Y().validateAccessToken({tokenHash:await fe(e),now:oe(new Date)});if(n.kind!=="valid"){t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:n.kind,virtualServerId:r},"Gateway access token validation failed");let a=KC(n.kind);throw J(t,{eventType:F.MCP_AUTH_DOWNSTREAM_TOKEN_REJECTED,outcome:"failure",virtualServerName:r,reasonClass:"auth",reasonCode:a,attributes:{validationKind:n.kind}}),J(t,{eventType:F.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:r,httpStatusCode:401,reasonClass:"auth",reasonCode:a}),D("authentication_required","Gateway access token is expired, revoked, or invalid.")}return n.record}o(JC,"validateGatewayAccessToken");function WC(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.virtualServerId!==e.virtualServerId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedVirtualServerId:e.virtualServerId,tokenVirtualServerId:e.accessToken.virtualServerId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),J(t,{eventType:F.MCP_AUTH_DOWNSTREAM_TOKEN_REJECTED,outcome:"failure",virtualServerName:e.virtualServerId,reasonClass:"auth",reasonCode:"invalid_audience"}),J(t,{eventType:F.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:e.virtualServerId,httpStatusCode:401,reasonClass:"auth",reasonCode:"invalid_audience"}),D("authentication_required","Gateway access token was not issued for this MCP resource.")}o(WC,"assertAccessTokenResource");function YC(e,t,r){return xr(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":xi({virtualServerId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${_e} scope required by this MCP resource.`,scope:_e})}})}o(YC,"insufficientScopeResponse");function XC(e){return{subjectId:e.subjectId,roles:e.roles}}o(XC,"principalFromAccessToken");function QC(e){let t=dt(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",virtualServerId:e.virtualServerId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),xr(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":xi({virtualServerId:e.virtualServerId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}o(QC,"gatewayTokenRejectedResponse");async function Ou(e,t){let r=qn(t),n=Ar(r.virtualServerId,e.url),a=Uu(e),i=xi({virtualServerId:r.virtualServerId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",virtualServerId:r.virtualServerId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),J(t,{eventType:F.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:r.virtualServerId,httpStatusCode:401,reasonClass:"auth",reasonCode:"missing_token"}),ZC(e,t,i);try{let s=await JC(a,t,r.virtualServerId);if(WC({accessToken:s,resource:n,virtualServerId:r.virtualServerId},t),s.scope!==_e)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:s.scope,requiredScope:_e,virtualServerId:r.virtualServerId,clientId:s.clientId},"Gateway access token does not have the required MCP scope"),J(t,{eventType:F.MCP_AUTH_DOWNSTREAM_TOKEN_REJECTED,outcome:"failure",virtualServerName:r.virtualServerId,reasonClass:"auth",reasonCode:"insufficient_scope",attributes:{tokenScope:s.scope,requiredScope:_e,clientId:s.clientId}}),J(t,{eventType:F.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:r.virtualServerId,httpStatusCode:403,reasonClass:"auth",reasonCode:"insufficient_scope"}),YC(e,t,r.virtualServerId);let c=XC(s);return lf(t,c),ou(t,c),J(t,{eventType:F.MCP_AUTH_DOWNSTREAM_TOKEN_VALIDATED,outcome:"success",virtualServerName:r.virtualServerId,attributes:{clientId:s.clientId}}),e}catch(s){return QC({request:e,context:t,error:s,virtualServerId:r.virtualServerId})}}o(Ou,"gatewayTokenInbound");var Fn={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},eI="oauth-protected-resource-metadata",tI="/.well-known/oauth-protected-resource/";function rI(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}o(rI,"readRouteOperationId");function nI(e){return e.hasGatewayRouteContext?Fn.VIRTUAL_MCP_SERVER:e.routeOperationId===eI||e.routeOperationId===void 0&&e.routePath.startsWith(tI)?Fn.OAUTH_PROTECTED_RESOURCE_METADATA:Fn.OTHER}o(nI,"classifyAnalyticsRouteSurface");function oI(e){let t=e.route.path;return{routePath:t,routeSurface:nI({routePath:t,routeOperationId:rI(e),hasGatewayRouteContext:Lo(e)!==void 0})}}o(oI,"readAnalyticsRequestContext");function aI(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Fn.VIRTUAL_MCP_SERVER}o(aI,"isIntentionalMethodRejection");function iI(e){return aI(e)||e.response.status===401&&e.routeSurface===Fn.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}o(iI,"classifyRequestCompletedOutcome");async function Mu(e,t){let r=Date.now(),n=oI(t);return J(t,{eventType:F.MCP_REQUEST_RECEIVED,outcome:"success",routeSurface:n.routeSurface,httpMethod:e.method}),vc.getContextExtensions(t).addHandlerResponseHook(a=>{let i=iI({response:a,routeSurface:n.routeSurface});J(t,{eventType:F.MCP_REQUEST_COMPLETED,outcome:i,routeSurface:n.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}o(Mu,"analyticsContextInbound");function sI(e){return e instanceof Response}o(sI,"isResponse");async function Jo(e,t){let n={virtualServerId:ph(t.route.path).virtualServerId};$m(t,n),Gm(t,n);let a=await Mu(e,t);return sI(a)?a:Ou(a,t)}o(Jo,"mcpOAuthInboundPolicy");function Oi(e,t,r){let n=e.safeParse(t);if(n.success)return n.data;throw new q(`${r} is misconfigured. Validation failed:
-${cI(n.error)}`,{cause:n.error})}o(Oi,"parseConfigOrThrow");function cI(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
-`)}o(cI,"formatZodIssues");var uI=u.string({error:"auth0Domain is required and must be a string"}).trim().min(1,"auth0Domain is required (commonly set via $env(AUTH0_DOMAIN))").refine(e=>!/[:/]/.test(e),{message:'auth0Domain must be a bare hostname (e.g. "tenant.us.auth0.com"); drop the "https://" prefix and any trailing path'}).refine(e=>e.includes("."),{message:'auth0Domain must be a fully-qualified domain name with at least one dot (e.g. "tenant.us.auth0.com"). If the value looks like "undefined" or is empty, the configured environment variable is likely unset.'}),dI=u.object({auth0Domain:uI,audience:u.string().trim().min(1).optional(),clientId:u.string({error:"clientId is required and must be a string"}).trim().min(1,"clientId is required (commonly set via $env(AUTH0_CLIENT_ID))"),clientSecret:u.string({error:"clientSecret is required and must be a string"}).trim().min(1,"clientSecret is required (commonly set via $env(AUTH0_CLIENT_SECRET))"),scope:u.string().trim().min(1).optional(),gateway:u.object({accessTokenTtlSeconds:u.number().int().positive().optional(),refreshTokenTtlSeconds:u.number().int().positive().optional(),cimdEnabled:u.boolean().optional()}).strict().optional(),browserLoginOverrides:u.object({remoteTimeoutMs:u.number().int().positive().optional(),stateTtlSeconds:u.number().int().positive().optional(),sessionTtlSeconds:u.number().int().positive().optional()}).strict().optional()}).strict(),zu=class extends Un{static{o(this,"McpAuth0OAuthInboundPolicy")}#t;constructor(t,r){let n=mh(t,r);super(n,r),this.#t=hh(n,r)}async handler(t,r){return zt("policy.inbound.mcp-auth0-oauth"),Nn(r,this.#t),Jo(t,r)}};function mh(e,t){return Oi(dI,e,`MCP Auth0 OAuth policy "${t}"`)}o(mh,"parseAuth0OAuthOptions");function fh(e,t="mcp-auth0-oauth-inbound"){let r=mh(e,t);return hh(r,t)}o(fh,"auth0OptionsToMcpOAuthRuntimeConfig");function hh(e,t){let r=`https://${e.auth0Domain}/`,n=`https://${e.auth0Domain}/.well-known/jwks.json`,a=`https://${e.auth0Domain}/authorize`,i=`https://${e.auth0Domain}/oauth/token`;try{return Hm({oidc:{issuer:r,jwksUrl:n,...e.audience===void 0?{}:{audience:e.audience}},browserLogin:{url:a,tokenUrl:i,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",...e.audience===void 0?{}:{audience:e.audience},...e.browserLoginOverrides??{}},gateway:e.gateway})}catch(s){let c=s instanceof Error?` Validation failed: ${s.message}`:"";throw new q(`MCP Auth0 OAuth policy "${t}" is misconfigured. Check the policy options in policies.json.${c}`,s instanceof Error?{cause:s}:void 0)}}o(hh,"buildAuth0McpOAuthRuntimeConfig");var $u=class extends Un{static{o(this,"McpOAuthInboundPolicy")}#t;constructor(t,r){let n=qu(t,r);super(n,r),this.#t=n}async handler(t,r){return zt("policy.inbound.mcp-oauth"),Nn(r,this.#t),Jo(t,r)}};function qu(e,t="mcp-oauth-inbound"){return Oi(ru,e,`MCP OAuth policy "${t}"`)}o(qu,"mcpOAuthOptionsToRuntimeConfig");var Nu=["mcp-oauth-inbound","mcp-auth0-oauth-inbound"],gh={"mcp-oauth-inbound":"McpOAuthInboundPolicy","mcp-auth0-oauth-inbound":"McpAuth0OAuthInboundPolicy"};function lI(e,t,r){switch(e){case"mcp-oauth-inbound":return qu(r,t);case"mcp-auth0-oauth-inbound":return fh(r,t);default:return}}o(lI,"parseMcpOAuthPolicyConfig");function yh(e){return e!==void 0&&Nu.some(t=>t===e)}o(yh,"isMcpOAuthInboundPolicyType");function Du(e){switch(e.policyType){case"mcp-oauth-inbound":return e.handler.export===gh["mcp-oauth-inbound"];case"mcp-auth0-oauth-inbound":return e.handler.export===gh["mcp-auth0-oauth-inbound"];default:return!1}}o(Du,"isMcpOAuthRuntimeConfigPolicy");function Sh(e){if(!e)return;let t=e.filter(Du);if(t.length>1){let a=t.map(i=>`"${i.name}" (${i.policyType})`).join(", ");throw new q(`MCP gateway found multiple OAuth policies in policies.json: ${a}. Use exactly one MCP OAuth policy for the gateway so internal OAuth routes resolve a single runtime config.`)}let r=t[0];if(!r)return;let n=lI(r.policyType,r.name,r.handler.options);if(!n)throw new q(`MCP gateway: policy '${r.name}' has unsupported MCP OAuth policy type '${r.policyType}'.`);return{policyName:r.name,config:n}}o(Sh,"resolveMcpOAuthRuntimeConfigFromPolicies");de();var wh=et,pI=u.object({mode:u.literal("auto")}).strict(),mI=u.object({mode:u.literal("manual"),clientId:u.string().trim().min(1),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:au.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:u.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),bh=u.discriminatedUnion("mode",[pI,mI]),fI=bh.default({mode:"auto"}),ju=u.object({scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:fI}).strict(),_h=ju.extend({redirectPath:u.string().startsWith("/auth/connections/")}).strict(),Rh=new Set(["connection","content-length","cookie","host","proxy-authenticate","proxy-authorization","sec-websocket-key","set-cookie","te","trailer","transfer-encoding","upgrade"]),hI=new Set([...Rh,"accept","authorization","content-type","mcp-protocol-version","mcp-session-id","proxy-connection"]),gI=u.object({kind:u.literal("bearer_token"),token:u.string().min(1)}).strict(),yI=u.object({kind:u.literal("headers"),headers:u.array(u.object({name:wi,value:u.string().min(1)}).strict()).min(1)}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.headers.entries()){let i=a.name.toLowerCase();Rh.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for static secret injection`,path:["headers",n,"name"]}),r.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate static secret header ${a.name}`,path:["headers",n,"name"]}),r.add(i)}}),Hu=u.discriminatedUnion("kind",[gI,yI]),SI=u.object({kind:u.literal("basic_auth_app_password"),usernameLabel:u.string().min(1).default("Username"),passwordLabel:u.string().min(1).default("App password")}).strict(),_I=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key"),capture:u.enum(["browser_login"]).optional()}).strict(),Lu=u.discriminatedUnion("kind",[SI,_I]),Bu=u.object({kind:u.literal("bearer_token"),label:u.string().min(1).default("API key")}).strict(),vI=u.discriminatedUnion("mode",[u.object({mode:u.literal("shared-oauth"),oauth:_h}).strict(),u.object({mode:u.literal("user-oauth"),oauth:_h}).strict(),u.object({mode:u.literal("static-secret"),secret:Hu}).strict(),u.object({mode:u.literal("user-secret"),secret:Lu}).strict(),u.object({mode:u.literal("shared-secret"),secret:Bu}).strict()]),wI=u.object({baseUrl:u.url(),resourceMetadataUrl:u.url(),requestHeaders:u.array(iu).default([])}).strict().superRefine((e,t)=>{let r=new Set;for(let[n,a]of e.requestHeaders.entries()){let i=a.name.toLowerCase();hI.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Header ${a.name} is not allowed for native MCP transport request headers`,path:["requestHeaders",n,"name"]}),r.has(i)&&t.addIssue({code:u.ZodIssueCode.custom,message:`Duplicate native MCP transport request header ${a.name}`,path:["requestHeaders",n,"name"]}),r.add(i)}}),aH=u.object({displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:zn.optional(),authProfiles:u.record(tt,vI),transport:wI}).strict().superRefine((e,t)=>{Object.keys(e.authProfiles).length===0&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one profile",path:["authProfiles"]})}),bI=u.object({"shared-oauth":ju.optional(),"user-oauth":ju.optional(),"static-secret":u.object({secret:Hu}).strict().optional(),"user-secret":u.object({secret:Lu}).strict().optional(),"shared-secret":u.object({secret:Bu}).strict().optional()}).strict().superRefine((e,t)=>{Object.values(e).every(r=>r===void 0)&&t.addIssue({code:u.ZodIssueCode.custom,message:"authProfiles must contain at least one upstream auth profile"})}),vh=u.object({id:wh,displayName:u.string().min(1),description:u.string().min(1).optional(),serverInfo:zn.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url(),requestHeaders:u.array(iu).default([]),authProfiles:bI}).strict(),RI=u.object({name:wi,value:u.string().min(1).optional(),required:u.boolean().default(!0)}).strict(),Mi={id:wh.optional(),displayName:u.string().min(1),summary:u.string().min(1).optional(),serverInfo:zn.optional(),mcpUrl:u.url(),protectedResourceMetadataUrl:u.url().optional(),requestHeaders:u.array(RI).default([])},CI=u.discriminatedUnion("authMode",[u.object({...Mi,authMode:u.enum(["shared-oauth","user-oauth"]),scopes:u.array(u.string().min(1)).default([]),scopeDelimiter:u.string().min(1).default(" "),clientRegistration:bh.optional(),clientId:u.string().trim().min(1).optional(),clientSecret:u.string().min(1).optional(),tokenEndpointAuthMethod:au.optional()}).strict(),u.object({...Mi,authMode:u.literal("static-secret"),secret:Hu}).strict(),u.object({...Mi,authMode:u.literal("user-secret"),secret:Lu}).strict(),u.object({...Mi,authMode:u.literal("shared-secret"),secret:Bu}).strict()]);function II(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
-`)}o(II,"formatZodIssues");function Ch(e){throw new q(e)}o(Ch,"throwGatewayConfigError");function PI(e){let t="mcp-upstream-";return e.startsWith(t)||Ch(`Upstream policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`),et.parse(e.slice(t.length))}o(PI,"inferUpstreamConnectionIdFromPolicyName");function xI(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}o(xI,"buildDefaultProtectedResourceMetadataUrl");function Zn(e,t){return tt.parse(`${e}:${t}`)}o(Zn,"buildUpstreamAuthProfileId");function zi(e,t){try{let r=vh.safeParse(e);if(r.success)return r.data;let n=CI.parse(e),a=n.id??(t===void 0?void 0:PI(t));a===void 0&&Ch("Upstream policy options must include id when policy name is unavailable.");let i=n.requestHeaders.map(c=>({name:c.name,value:c.value,required:c.required})),s=(()=>{switch(n.authMode){case"shared-oauth":case"user-oauth":{let c=n.clientRegistration??(n.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:n.clientId,...n.clientSecret===void 0?{}:{clientSecret:n.clientSecret},...n.tokenEndpointAuthMethod===void 0?{}:{tokenEndpointAuthMethod:n.tokenEndpointAuthMethod}});return{[n.authMode]:{scopes:n.scopes,scopeDelimiter:n.scopeDelimiter,clientRegistration:c}}}case"static-secret":case"user-secret":case"shared-secret":return{[n.authMode]:{secret:n.secret}}}})();return vh.parse({id:a,displayName:n.displayName,...n.summary===void 0?{}:{description:n.summary},...n.serverInfo===void 0?{}:{serverInfo:n.serverInfo},mcpUrl:n.mcpUrl,protectedResourceMetadataUrl:n.protectedResourceMetadataUrl??xI(n.mcpUrl),requestHeaders:i,authProfiles:s})}catch(r){if(r instanceof u.ZodError){let n=t===void 0?"MCP upstream policy":`Policy "${t}"`;throw new q(`${n} is misconfigured. Missing/invalid options in policies.json:
-${II(r)}`,{cause:r})}throw r}}o(zi,"parseUpstreamConnectionPolicyOptions");function Ih(e){return e.mode==="shared-oauth"||e.mode==="user-oauth"}o(Ih,"isUpstreamOAuthAuthConfig");de();var kI=u.looseObject({name:u.string().min(1),version:u.string().min(1).optional()}),AI=u.looseObject({}),TI=u.looseObject({name:kr,namespace:kr.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional(),inputSchema:AI}),EI=u.looseObject({name:kr,namespace:kr.optional(),upstreamPolicy:u.string().min(1).optional(),enabled:u.boolean().optional()}),UI=u.looseObject({name:kr,uri:u.string().min(1),upstreamPolicy:u.string().min(1).optional(),upstreamUri:u.string().min(1).optional(),enabled:u.boolean().optional()}),OI=u.enum(["openapi","upstream_mcp"]),MI=u.object({catalogSource:OI.default("openapi"),serverInfo:kI.optional(),tools:u.array(TI).default([]),prompts:u.array(EI).default([]),resources:u.array(UI).default([])}).strict();function zI(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
-`)}o(zI,"formatZodIssues");function Ph(e,t){let r=MI.safeParse(e??{});if(!r.success){let n=t===void 0?"MCP virtual server route":`MCP virtual server route ${t}`;throw new q(`${n} is misconfigured. Missing/invalid handler options in routes.oas.json:
-${zI(r.error)}`,{cause:r.error})}return r.data}o(Ph,"parseVirtualServerRouteOptions");function $i(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o($i,"toMcpTool");function qi(e){let{enabled:t,upstreamName:r,upstreamPolicyName:n,...a}=e;return a}o(qi,"toMcpPrompt");function Ni(e){let{enabled:t,upstreamPolicyName:r,upstreamUri:n,...a}=e;return a}o(Ni,"toMcpResource");var $I="mcp-upstream-connection-inbound";function ze(e){throw new q(e)}o(ze,"throwRegistryError");function qI(e,t,r){let n=new q(t,r===void 0?void 0:{cause:r});return n.extensionMembers={[T]:e},n}o(qI,"configurationProblem");function NI(e){return e.policyType===$I}o(NI,"isUpstreamConnectionPolicy");function DI(e){return yh(e.policyType)}o(DI,"isMcpOAuthInboundPolicy");function xh(e){if(e instanceof q)return e;if(e instanceof u.ZodError)return new q("MCP virtual server route is misconfigured. Check routes.oas.json for invalid MCP virtual server ids, upstream auth modes, or handler options.",{cause:e});throw new K("MCP virtual server route registration failed unexpectedly.",e instanceof Error?{cause:e}:void 0)}o(xh,"toRouteConfigurationError");function jI(e){let t=Object.keys(e.connection.authProfiles);t.length!==1&&ze(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];return r===void 0&&ze(`Upstream policy ${e.policyName} does not declare an auth mode.`),vi.parse(r)}o(jI,"readSingleAuthMode");function HI(e){let t=`/auth/connections/${encodeURIComponent(e.connection.id)}/callback`;switch(e.authMode){case"shared-oauth":{let r=e.connection.authProfiles["shared-oauth"];return r||ze(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`),{mode:e.authMode,oauth:{scopes:r.scopes,scopeDelimiter:r.scopeDelimiter,redirectPath:t,clientRegistration:r.clientRegistration}}}case"user-oauth":{let r=e.connection.authProfiles["user-oauth"];return r||ze(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`),{mode:e.authMode,oauth:{scopes:r.scopes,scopeDelimiter:r.scopeDelimiter,redirectPath:t,clientRegistration:r.clientRegistration}}}case"static-secret":{let r=e.connection.authProfiles["static-secret"];return r||ze(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`),{mode:"static-secret",secret:r.secret}}case"user-secret":{let r=e.connection.authProfiles["user-secret"];return r||ze(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`),{mode:"user-secret",secret:r.secret}}case"shared-secret":{let r=e.connection.authProfiles["shared-secret"];return r||ze(`Upstream connection ${e.connection.id} does not declare auth mode ${e.authMode}.`),{mode:"shared-secret",secret:r.secret}}}}o(HI,"buildResolvedAuthConfig");function LI(e){let t=jI({policyName:e.policyName,connection:e.connection}),r=Zn(e.connection.id,t),n=HI({connection:e.connection,authMode:t}),a={displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},authProfiles:{[r]:n},transport:{baseUrl:e.connection.mcpUrl,resourceMetadataUrl:e.connection.protectedResourceMetadataUrl,requestHeaders:e.connection.requestHeaders}};return{policyName:e.policyName,upstreamServerId:e.connection.id,config:a,authMode:t,authProfileId:r,authConfig:n}}o(LI,"buildRegisteredConnection");function BI(e){let t=new Map;for(let r of e)t.has(r.name)&&ze(`Duplicate policy name ${r.name} in policies.json.`),t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}});return t}o(BI,"buildPolicyMap");function GI(e){if(typeof e.raw!="function")return;let t=e.raw();if(!(!t||typeof t.operationId!="string"||t.operationId===""))return t.operationId}o(GI,"readOperationId");function VI(e){let t=GI(e);return t||ze(`MCP virtual server route ${e.path} must declare operationId in routes.oas.json. The operationId is used as the stable MCP server identity for OAuth tokens, storage, upstream auth state, and analytics.`),Ue.parse(t)}o(VI,"readVirtualServerIdFromOperationId");function kh(e){let t=e.namespace===void 0?e.name:`${e.namespace}.${e.name}`,r=kr.safeParse(t);return r.success||ze(`MCP virtual server route ${e.routePath} declares invalid published capability name ${t}.`),r.data}o(kh,"buildPublishedCapabilityName");function Fu(e){if(e.authoredPolicyName!==void 0)return e.connections.find(r=>r.policyName===e.authoredPolicyName)||ze(`MCP virtual server route ${e.routePath} declares capability ${e.capabilityName} for upstream policy ${e.authoredPolicyName}, but that policy is not bound to the route.`),e.authoredPolicyName;if(e.connections.length===1)return e.connections[0]?.policyName;ze(`MCP virtual server route ${e.routePath} declares aggregate capability ${e.capabilityName} without upstreamPolicy.`)}o(Fu,"readCapabilityUpstreamPolicy");function Gu(e){e.seen.has(e.key)&&ze(`MCP virtual server route ${e.routePath} declares duplicate ${e.kind} ${e.key}.`),e.seen.add(e.key)}o(Gu,"assertUniqueCatalogKey");function FI(e){let{namespace:t,upstreamPolicy:r,...n}=e.tool,a=kh({name:e.tool.name,namespace:e.tool.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.tool.name,upstreamPolicyName:Fu({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(FI,"normalizeCatalogTool");function ZI(e){let{namespace:t,upstreamPolicy:r,...n}=e.prompt,a=kh({name:e.prompt.name,namespace:e.prompt.namespace,routePath:e.routePath});return{...n,name:a,upstreamName:e.prompt.name,upstreamPolicyName:Fu({authoredPolicyName:r,capabilityName:a,connections:e.connections,routePath:e.routePath})}}o(ZI,"normalizeCatalogPrompt");function KI(e){let{upstreamPolicy:t,...r}=e.resource;return{...r,upstreamUri:e.resource.upstreamUri??e.resource.uri,upstreamPolicyName:Fu({authoredPolicyName:t,capabilityName:e.resource.uri,connections:e.connections,routePath:e.routePath})}}o(KI,"normalizeCatalogResource");function JI(e){let t=e.catalog.catalogSource,r=e.catalog.tools.map(d=>FI({tool:d,connections:e.connections,routePath:e.routePath})),n=e.catalog.prompts.map(d=>ZI({prompt:d,connections:e.connections,routePath:e.routePath})),a=e.catalog.resources.map(d=>KI({resource:d,connections:e.connections,routePath:e.routePath})),i=new Set;for(let d of r)Gu({kind:"tool",key:d.name,routePath:e.routePath,seen:i});let s=new Set;for(let d of n)Gu({kind:"prompt",key:d.name,routePath:e.routePath,seen:s});let c=new Set;for(let d of a)Gu({kind:"resource",key:String(d.uri),routePath:e.routePath,seen:c});return{catalogSource:t,...e.catalog.serverInfo===void 0?{}:{serverInfo:e.catalog.serverInfo},tools:r,prompts:n,resources:a}}o(JI,"normalizeVirtualServerCatalog");function WI(e){let t=new Map,r=new Map,n=new Map,a=new Map,i=new Set,s=new Set;function c(d){let p=a.get(d.name);if(p)return p;let l=zi(d.handler.options,d.name);i.has(l.id)&&ze(`Duplicate upstream MCP connection id ${l.id} in policies.json.`),i.add(l.id);let m=LI({policyName:d.name,connection:l});return a.set(d.name,m),m}o(c,"readConnectionForPolicy");for(let d of e.routes){let p=d.policies?.inbound??[];if(p.length===0)continue;let l=p[0],m=l===void 0?void 0:e.policyByName.get(l);if(!m||!DI(m))continue;let h;try{h=VI(d),s.has(h)&&ze(`Duplicate MCP virtual server operationId ${h} across routes.`),t.has(h)&&ze(`Duplicate MCP virtual server id ${h} across routes.`),r.has(d.path)&&ze(`Duplicate MCP virtual server route path ${d.path} across routes.`);let g=[];for(let v of p.slice(1)){let w=e.policyByName.get(v);!w||!NI(w)||g.push(c(w))}let S=Ph(d.handler.options,d.path),y=JI({catalog:S,connections:g,routePath:d.path});y.catalogSource==="upstream_mcp"&&g.length!==1&&ze(`MCP virtual server route ${d.path} uses upstream MCP catalog mode but declares ${g.length} upstream bindings; upstream MCP catalog mode requires exactly one upstream binding.`);let _={virtualServerId:h,operationId:h,routePath:d.path,handlerExport:d.handler.export,serverInfo:y.serverInfo,catalog:y,connections:g};t.set(h,_),r.set(d.path,_),s.add(h)}catch(g){if(h!==void 0)n.set(h,xh(g));else throw xh(g)}}return{byVirtualServerId:t,byRoutePath:r,virtualServerErrorsById:n,connectionsByPolicyName:a}}o(WI,"buildVirtualServers");function Zu(e){let t=BI(e.policies),{byVirtualServerId:r,byRoutePath:n,virtualServerErrorsById:a,connectionsByPolicyName:i}=WI({routes:e.routes,policyByName:t}),s=new Map;for(let c of i.values())s.set(c.upstreamServerId,c);return{byVirtualServerId:r,byRoutePath:n,connectionsById:s,virtualServerErrorsById:a}}o(Zu,"buildGatewayConnectionRegistry");var on,Vu;function Ah(e){Vu=e,on=void 0}o(Ah,"configureGatewayConnectionRegistrySource");function Th(e){on=e}o(Th,"setGatewayConnectionRegistry");function rt(){if(!on&&Vu&&(on=Zu(Vu)),!on)throw new q("MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one MCP virtual server route and policies.json registers an `mcp-oauth-inbound` (or wrapper) policy.");return on}o(rt,"getGatewayConnectionRegistry");function Nt(e){let t=rt(),r=t.virtualServerErrorsById?.get(e);if(r)throw r;let n=t.byVirtualServerId.get(e);if(!n)throw qI("unknown_virtual_server",`Unknown MCP virtual server: ${e}`,new Error(`Unknown MCP virtual server "${e}". Ensure routes.oas.json declares an MCP route for this virtual server and policies.json registers the matching MCP upstream connection policy.`));return n}o(Nt,"getRegisteredVirtualServer");function ph(e){let t=rt(),r=t.byRoutePath?.get(e)??[...t.byVirtualServerId.values()].find(n=>n.routePath===e);if(!r)throw new q(`MCP virtual server route ${e} is not registered. Ensure routes.oas.json declares operationId on this MCP route and its first inbound policy is an MCP OAuth policy.`);return r}o(ph,"getRegisteredVirtualServerByRoutePath");function Eh(){return on}o(Eh,"tryGetGatewayConnectionRegistry");function Ge(e){let t=rt().connectionsById.get(e);if(!t)throw new q(`Unknown upstream server "${e}". Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return t.config}o(Ge,"getUpstreamServerConfig");function YI(e){let t=rt().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new q(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}o(YI,"resolveUpstreamAuthProfileId");function Ur(e){YI(e);let t=rt().connectionsById.get(e.upstreamServerId);if(!t)throw new q(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}o(Ur,"getUpstreamAuthConfig");function an(e,t){let r=Ur({upstreamServerId:e,authProfileId:t});if(!Ih(r))throw new q(`Upstream server "${e}" does not use upstream OAuth. Select an auth mode that supports the requested upstream connect flow or remove the upstream OAuth route for this server.`);return r.oauth}o(an,"requireUpstreamOAuthConfig");function Dt(e){return new E({message:e,extensionMembers:{[T]:"invalid_request"}})}o(Dt,"invalidOutboundUrl");function XI(){let e=ni.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP;return typeof e=="string"&&e==="1"}o(XI,"isTestOnlyAllowHttpLoopbackIdpEnabled");function QI(){let e=ni.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_CIMD??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_CIMD;return typeof e=="string"&&e==="1"}o(QI,"isTestOnlyAllowHttpLoopbackCimdEnabled");var eP=new Set(["undefined","null","nan"]);function Ju(e,t){if(!e.hostname)throw Dt(`Outbound URL has an empty hostname (got ${JSON.stringify(t)}). This typically indicates an unset $env(...) reference or a JS template literal coercing \`undefined\` into a URL. Check the policy options or runtime config that produced this URL.`);if(eP.has(e.hostname.toLowerCase()))throw Dt(`Outbound URL hostname is ${JSON.stringify(e.hostname)} (from ${JSON.stringify(t)}). This almost always means an environment variable referenced by $env(...) is unset and a JS value was string-coerced into a URL. Set the missing env var or fix the policy option that produced this URL.`)}o(Ju,"assertSafeOutboundHostname");var tP=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),rP=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function Uh(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}o(Uh,"parseIpv4Octets");function nP([e,t],r){let n=r.firstMax??r.first;return e<r.first||e>n?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}o(nP,"ipv4RangeMatches");function Oh(e){let t=Uh(e);return t!==void 0&&rP.some(r=>nP(t,r))}o(Oh,"isPrivateIpv4");function Ku(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}o(Ku,"parseIpv6Word");function oP(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}o(oP,"formatIpv4FromWords");function aP(e){let t=e.slice(7),r=Uh(t);if(r!==void 0)return r.join(".");let[n,a,i]=t.split(":"),s=Ku(n),c=Ku(a);return i===void 0&&s!==void 0&&c!==void 0?oP(s,c):void 0}o(aP,"parseIpv6MappedIpv4");function iP(e){return Ku(e.split(":").find(Boolean))}o(iP,"readFirstIpv6Hextet");function sP(e){let t=nr(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let n=aP(t);return n===void 0||Oh(n)}let r=iP(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}o(sP,"isPrivateIpv6");function Wu(e){let t=nr(e);return tP.has(t)||t.endsWith(".internal")||Oh(t)||sP(t)}o(Wu,"isBlockedOutboundHostname");function Mh(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw Dt(`Unsupported outbound protocol: ${t.protocol}`);Ju(t,e);let r=ke(t);if(t.protocol==="http:"&&!r)throw Dt("Configured outbound HTTP URLs must target loopback hosts.");let n=nr(t.hostname);if(!r&&Wu(n))throw Dt(`Blocked outbound host: ${n}`);return t}o(Mh,"validateConfiguredOutboundUrl");function zh(e){let t=new URL(e),r=ke(t),n=r&&XI();if(t.protocol!=="https:"&&!n)throw Dt("Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw Dt("Identity provider URLs must not include credentials, query params, or fragments.");Ju(t,e);let a=nr(t.hostname);if(!r&&Wu(a))throw Dt(`Blocked identity provider host: ${a}`);return t}o(zh,"validateIdentityProviderUrl");function $h(e,t){let r=new URL(e),n=r.protocol==="http:"&&ke(r)&&QI();if(r.protocol!=="https:"&&!n||r.pathname==="/"||r.username||r.password||r.search||r.hash)throw Dt(`CIMD ${t} must be an HTTPS URL with a path and no credentials, query, or fragment.`);if(Ju(r,e),!n&&Wu(r.hostname))throw Dt(`CIMD ${t} points at a blocked host.`);return r}o($h,"validateCimdUrl");function Di(e){return $h(e,"client_id")}o(Di,"validateCimdClientMetadataUrl");function qh(e){return $h(e,"jwks_uri")}o(qh,"validateCimdClientJwksUrl");function Nh(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=o(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}o(Nh,"mergeAbortSignals");async function cP(e){try{await e.cancel()}catch{}}o(cP,"cancelReader");async function ji(e,t){if(!e)return new Uint8Array;let r=e.getReader(),n=[],a=0,i=await r.read();for(;!i.done;){let d=i.value;if(a+=d.byteLength,a>t.maxBytes)throw await cP(r),t.createLimitError();n.push(d),i=await r.read()}let s=new Uint8Array(a),c=0;for(let d of n)s.set(d,c),c+=d.byteLength;return s}o(ji,"readBoundedByteStream");var uP=2,dP=1024*1024,lP=1e4,pP=new Set([301,302,303,307,308]),mP=["authorization","proxy-authorization","cookie","cookie2"];function Yu(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}o(Yu,"readRequestUrl");function Kn(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}o(Kn,"readRequestMethod");function fP(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw new E({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[T]:r}})}o(fP,"assertContentLengthWithinLimit");async function hP(e,t,r){return fP(e,t,r),ji(e.body,{maxBytes:t,createLimitError:o(()=>new E({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[T]:r}}),"createLimitError")})}o(hP,"readBoundedResponseBody");function gP(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}o(gP,"responseFromBufferedBody");function yP(e,t){if(!pP.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}o(yP,"resolveRedirectUrl");function Dh(e,t){try{return t.validateUrl(e)}catch(r){throw new E({message:"Outbound URL was not allowed.",extensionMembers:{[T]:t.problemCode}},{cause:r})}}o(Dh,"validateOutboundUrl");function SP(e,t){throw e instanceof E&&ar(e.extensionMembers?.[T])?e:new E({message:"Outbound fetch failed.",extensionMembers:{[T]:t}},{cause:e})}o(SP,"normalizeFetchError");function Wo(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[n,a]of Object.entries(t.extra))a!==void 0&&(r[n]=a);t.error!==void 0&&Xe(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}o(Wo,"logOutboundFailure");async function _P(e,t,r,n,a,i,s){let c=Kn(r,n);try{return await t(r,n)}catch(d){let p=d instanceof DOMException&&d.name==="AbortError";Wo(e,{event:p?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:c,host:St(i),error:d,extra:{abortReason:s()}}),SP(d,a)}}o(_P,"fetchWithNormalizedError");function vP(e){if(e.redirects>=e.maxRedirects)throw new E({message:"Outbound redirects exceeded the maximum allowed depth.",extensionMembers:{[T]:e.problemCode}});if(e.method!=="GET"&&e.method!=="HEAD")throw new E({message:"Outbound redirect after a non-idempotent request was blocked.",extensionMembers:{[T]:e.problemCode}})}o(vP,"assertRedirectAllowed");function wP(e,t){let r=new Headers(e);for(let n of mP)r.delete(n);for(let n of t)r.delete(n);return r}o(wP,"stripCrossOriginHeaders");function bP(e,t,r,n,a){let i={...e,method:t,redirect:"manual",signal:r};return n&&(i.headers=wP(e.headers,a)),i}o(bP,"buildRedirectInit");function RP(e,t,r){let n={...t,redirect:"manual",signal:r};return n.headers===void 0&&e instanceof Request&&(n.headers=e.headers),n}o(RP,"buildInitialRequestInit");function CP(e){let t=Kn(e.currentInput,e.currentInit);vP({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=Dh(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),n=new URL(e.currentUrl),a=r.origin!==n.origin,i=r.toString();return{currentInput:i,currentUrl:i,currentInit:bP(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}o(CP,"followRedirect");async function Xu(e,t,r){let n=r.problemCode??"invalid_request",a=r.maxRedirects??uP,i=r.maxResponseBytes??dP,s=r.timeoutMs??lP,c=r.fetchImpl??fetch,d=r.additionalCrossOriginStrippedHeaders??[],p=r.context,l=new AbortController,m=Nh(l,t.signal),h=!1,g=setTimeout(()=>{h=!0,l.abort()},s),S=e,y=RP(e,t,l.signal),_;try{_=Dh(Yu(e),{problemCode:n,validateUrl:r.validateUrl}).toString()}catch(w){throw Wo(p,{event:"outbound_url_blocked",problemCode:n,method:Kn(e,t),host:St(Yu(e)),error:w}),clearTimeout(g),m?.(),w}let v=0;try{for(;;){let w=await _P(p,c,S,y,n,_,()=>h?`timeout_after_${s}ms`:void 0),b=yP(w,_);if(b!==void 0)try{let N=CP({currentInput:S,currentInit:y,currentUrl:_,redirectUrl:b,redirects:v,maxRedirects:a,problemCode:n,validateUrl:r.validateUrl,signal:l.signal,additionalCrossOriginStrippedHeaders:d});S=N.currentInput,y=N.currentInit,_=N.currentUrl,v=N.redirects;continue}catch(N){throw Wo(p,{event:"outbound_redirect_blocked",problemCode:n,method:Kn(S,y),host:St(_),error:N,extra:{redirects:v,maxRedirects:a,redirectTargetHost:St(b)}}),N}try{return gP(w,await hP(w,i,n))}catch(N){throw Wo(p,{event:"outbound_response_size_exceeded",problemCode:n,method:Kn(S,y),host:St(_),error:N,extra:{maxResponseBytes:i,status:w.status}}),N}}}finally{clearTimeout(g),m?.()}}o(Xu,"runSafeOutboundExchange");async function Hi(e,t,r){let n=await Xu(e,t,r);try{return{response:n,json:await n.clone().json()}}catch(a){throw Wo(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:Kn(e,t),host:St(Yu(e)),error:a,extra:{status:n.status,contentType:n.headers.get("content-type")??void 0}}),new E({message:"Outbound JSON response could not be parsed.",extensionMembers:{[T]:r.problemCode??"invalid_request"}},{cause:a})}}o(Hi,"runSafeOutboundJsonExchange");function Jn(e,t={},r={}){return Xu(e,t,{...r,validateUrl:Mh})}o(Jn,"fetchConfiguredOutbound");function jh(e,t={},r={}){return Hi(e,t,{...r,validateUrl:zh})}o(jh,"fetchIdentityProviderJson");function Hh(e,t={},r={}){return Hi(e,t,{...r,validateUrl:Di})}o(Hh,"fetchCimdClientMetadataJson");function Lh(e,t={},r={}){return Hi(e,t,{...r,validateUrl:qh})}o(Lh,"fetchCimdClientJwksJson");var IP={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"static-secret":{authMode:"static-secret",ownerMode:"none",connectSupport:"none",connectUnsupportedDetail:"Static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"configured-static-secret"},"shared-secret":{authMode:"shared-secret",ownerMode:"shared",connectSupport:"none",connectUnsupportedDetail:"Shared static-secret upstreams do not support browser connection flows.",callbackSupport:"none",credentialAcquisition:"shared_secret_connection"},"user-secret":{authMode:"user-secret",ownerMode:"user",connectSupport:"user_secret_capture",connectUnsupportedDetail:void 0,callbackSupport:"none",credentialAcquisition:"user_secret_connection"}};function jt(e){return IP[e]}o(jt,"describeUpstreamAuthMode");function Li(e){return jt(e).ownerMode}o(Li,"resolveOwnerModeForUpstreamAuthMode");de();import{errors as Wh,jwtVerify as Yh,SignJWT as Xh}from"jose";var nt="zuplo-mcp-gateway",pt=nt,mt="HS256";import{base64url as PP}from"jose";var xP=new TextEncoder,kP="MCP gateway could not initialize secure key material.",AP=32,Bh=new Map,Gh=new Map,TP;function EP(){return TP??Eo.instance.authPrivateKey}o(EP,"readAuthPrivateKey");function Vh(e){return new K(kP,e===void 0?void 0:{cause:e})}o(Vh,"createGeneratedKeyMaterialError");function Fh(e,t){let r=PP.decode(t);if(r.byteLength!==AP)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}o(Fh,"decodeJwkKeyField");function UP(e){let t=EP();if(!t)throw Vh();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let n=Fh("d",r.d);Fh("x",r.x);let a=xP.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),i=new Uint8Array(a.byteLength+n.byteLength);return i.set(a),i.set(n,a.byteLength),i}catch(r){throw Vh(r)}}o(UP,"decodeGeneratedKeyMaterial");function OP(e){let t=Bh.get(e);return t||(t=UP(e),Bh.set(e,t)),t}o(OP,"getMasterKeyMaterial");async function Ht(e){let t=Gh.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(OP(e.keyMaterialPurpose));return Gh.set(e.purpose,r),r}o(Ht,"readCachedDerivedKey");var MP="SHA-256";var zP="zuplo-mcp-gateway:",$P=new TextEncoder,Zh=new WeakMap;async function Or(e,t){let r=Zh.get(e);r||(r=new Map,Zh.set(e,r));let n=r.get(t);if(n)return n;let a=await qP(e,t);return r.set(t,a),a}o(Or,"deriveGatewaySigningKey");async function qP(e,t){let r=Kh(e),n=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=$P.encode(`${zP}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:MP,salt:new Uint8Array,info:Kh(a)},n,32*8);return new Uint8Array(i)}o(qP,"hkdfExpand");function Kh(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Kh,"copyToArrayBuffer");var Qh=15*60,NP=15*60,DP=hf.extend({id:Gn}),jP=DP.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),eg=Ln.extend({id:Zo,purpose:u.literal("browser_connect")}),HP=Ln.extend({purpose:u.literal("browser_connect")}),LP=eg.extend({exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),tg=Qh*1e3;async function rg(){return Ht({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>Or(e,"oauth-state"),"derive")})}o(rg,"getOAuthStateKey");async function ng(){return Ht({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>Or(e,"browser-connect"),"derive")})}o(ng,"getBrowserConnectKey");async function og(e){let t=Math.floor(Date.now()/1e3)+Qh;return new Xh(e).setProtectedHeader({alg:mt,typ:"JWT"}).setIssuer(nt).setAudience(pt).setIssuedAt().setExpirationTime(t).sign(await rg())}o(og,"signOAuthState");async function Bi(e){try{let{payload:t}=await Yh(e,await rg(),{algorithms:[mt],issuer:nt,audience:pt});return jP.parse(t)}catch(t){throw t instanceof Wh.JWTExpired?new E({message:"OAuth state has expired",extensionMembers:{[T]:"oauth_state_expired"}},{cause:t}):new E({message:"OAuth state could not be verified",extensionMembers:{[T]:"oauth_state_invalid"}},{cause:t})}}o(Bi,"verifyOAuthState");async function ag(e){let t=Math.floor(Date.now()/1e3)+NP,r=HP.parse(e),n=eg.parse({...r,id:vf()});return new Xh(n).setProtectedHeader({alg:mt,typ:"JWT"}).setIssuer(nt).setAudience(pt).setIssuedAt().setExpirationTime(t).sign(await ng())}o(ag,"signBrowserConnectTicket");async function Gi(e){try{let{payload:t}=await Yh(e,await ng(),{algorithms:[mt],issuer:nt,audience:pt});return LP.parse(t)}catch(t){throw t instanceof Wh.JWTExpired?new E({message:"Browser connect ticket has expired",extensionMembers:{[T]:"oauth_state_expired"}},{cause:t}):new E({message:"Browser connect ticket could not be verified",extensionMembers:{[T]:"oauth_state_invalid"}},{cause:t})}}o(Gi,"verifyBrowserConnectTicket");async function Vi(e){if((await Y().consumeBrowserConnectTicket({id:e.id,expiresAt:oe(new Date(e.exp*1e3)),now:oe(new Date)})).kind==="consumed")throw new E({message:"Browser connect ticket has already been used",extensionMembers:{[T]:"oauth_state_reused"}})}o(Vi,"consumeBrowserConnectTicket");function BP(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}o(BP,"buildConnectRequiredMessage");async function ig(e){let t=le(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("virtualServerId",e.virtualServerId),r.searchParams.set("browserTicket",await ag({...Fo(e),purpose:"browser_connect"})),r.toString()}o(ig,"buildGatewayBrowserTicketUrl");function GP(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}o(GP,"buildGatewayConnectPath");async function Qu(e){return ig({...e,path:GP(e.upstreamServerId),redirect:!0})}o(Qu,"buildGatewayConnectUrl");async function sg(e){return ig({...e,path:`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`})}o(sg,"buildGatewayAppPasswordCaptureUrl");async function Lt(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await Qu(t),message:BP(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}o(Lt,"buildRedirectConnectRequiredResponse");function Wn(e){return cg({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}o(Wn,"buildAdminConnectRequiredResponse");function cg(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}o(cg,"buildAdminSetupRequiredResponse");function ug(e){return cg({...e,message:e.requiresReconsent?`An administrator must replace the ${e.upstreamDisplayName} static credential before this tool can be used.`:`An administrator must configure the ${e.upstreamDisplayName} static credential before this tool can be used.`})}o(ug,"buildAdminStaticSecretRequiredResponse");de();import{base64url as Mr}from"jose";var VP="SHA-256",Xn="AES-GCM",FP=12,td="zuplo-secret",rd=1,dg="generated:auth_private_key:token-encryption",ZP=u.object({version:u.literal(rd),keyId:u.literal(dg),algorithm:u.literal(Xn),iv:u.string().min(1),ciphertext:u.string().min(1)}).strict();function Yn(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}o(Yn,"copyToArrayBuffer");async function ed(){return Ht({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:o(async e=>{let t=await crypto.subtle.digest(VP,Yn(e));return crypto.subtle.importKey("raw",t,{name:Xn},!1,["encrypt","decrypt"])},"derive")})}o(ed,"getEncryptionKey");function lg(e){return Yn(new TextEncoder().encode(`${td}:v${e.version}:${e.keyId}`))}o(lg,"getAssociatedData");function KP(e){return`${td}:v${e.version}:${Mr.encode(new TextEncoder().encode(JSON.stringify(e)))}`}o(KP,"encodeEnvelope");function JP(e){let t=`${td}:v${rd}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),n=new TextDecoder().decode(Mr.decode(r));return ZP.parse(JSON.parse(n))}o(JP,"decodeEnvelope");async function sn(e){let t=await ed(),r=crypto.getRandomValues(new Uint8Array(FP)),n={version:rd,keyId:dg},a=await crypto.subtle.encrypt({name:Xn,iv:r,additionalData:lg(n)},t,new TextEncoder().encode(e));return KP({...n,algorithm:Xn,iv:Mr.encode(r),ciphertext:Mr.encode(new Uint8Array(a))})}o(sn,"encryptSecret");async function sr(e){let t=JP(e);if(t){let s=await ed(),c=await crypto.subtle.decrypt({name:Xn,iv:Yn(Mr.decode(t.iv)),additionalData:lg(t)},s,Yn(Mr.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,n]=e.split(".");if(!r||!n)throw new K("Encrypted payload is malformed");let a=await ed(),i=await crypto.subtle.decrypt({name:Xn,iv:Yn(Mr.decode(r))},a,Yn(Mr.decode(n)));return new TextDecoder().decode(i)}o(sr,"decryptSecret");function WP(e,t){let r=Ur({upstreamServerId:e,authProfileId:t});if(r.mode!=="shared-secret")throw new q(`Upstream server "${e}" does not use tenant static credentials. Select the shared-secret auth mode for this upstream connection or remove the tenant static credential route.`);return r.secret}o(WP,"requireTenantStaticSecretConfig");function pg(e){return e?.status==="active"&&e.metadata?.staticSecretKind==="bearer_token"&&!!e.metadata.encryptedStaticSecret}o(pg,"hasUsableTenantStaticSecret");async function YP(e){if(!pg(e.connection))throw new K("Stored tenant static credential is incomplete.");return{type:"bearer_token",token:await sr(e.connection.metadata.encryptedStaticSecret)}}o(YP,"resolveTenantStaticSecretCredential");async function mg(e){let t=Ge(e.upstreamServerId);WP(e.upstreamServerId,e.authProfileId);let r="preloadedConnection"in e?e.preloadedConnection:(await Y().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(pg(r))return{kind:"authorized",credential:await YP({connection:r})};let n={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:ug(n)}}o(mg,"resolveTenantStaticSecretCredentialForRequest");de();async function nd(e){return Y().upsertUpstreamConnection({id:Ti(),ownerMode:e.owner.mode,subjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,status:"active",encryptedAccessToken:void 0,encryptedRefreshToken:void 0,scopes:[],expiresAt:void 0,metadata:e.metadata})}o(nd,"upsertStaticSecretConnection");var XP=u.string().trim().min(1).max(320),QP=u.string().min(1).max(4096),ex=u.string().trim().min(1).max(4096);function od(e,t){let r=Ur({upstreamServerId:e,authProfileId:t});if(r.mode!=="user-secret")throw new q(`Upstream server "${e}" does not use user static credentials. Select the user-secret auth mode for this upstream connection or remove the user static credential route.`);return r.secret}o(od,"requireUserStaticSecretConfig");function tx(e){let t=new TextEncoder().encode(e),r="";for(let n of t)r+=String.fromCharCode(n);return btoa(r)}o(tx,"encodeBase64Utf8");function rx(e){return`Basic ${tx(`${e.username}:${e.appPassword}`)}`}o(rx,"buildBasicAuthHeader");function fg(e){return e?.status==="active"&&!!e.metadata?.encryptedStaticSecret}o(fg,"hasEncryptedUserStaticSecret");async function nx(e){if(!fg(e.connection))throw new K("Stored user static credential is incomplete.");if(e.connection.metadata.staticSecretKind==="bearer_token")return{type:"bearer_token",token:await sr(e.connection.metadata.encryptedStaticSecret)};if(e.connection.metadata.staticSecretKind==="basic_auth_app_password"&&e.connection.metadata.staticSecretUsername)return{type:"headers",headers:{Authorization:rx({username:e.connection.metadata.staticSecretUsername,appPassword:await sr(e.connection.metadata.encryptedStaticSecret)})}};throw new K("Stored user static credential kind is unsupported.")}o(nx,"resolveUserStaticSecretCredential");async function hg(e){if(od(e.upstreamServerId,e.authProfileId).kind!=="basic_auth_app_password")throw new K("This upstream does not use username and app-password credentials.");if(e.owner.mode!=="user")throw new K("User static credentials must be stored under a user-owned connection.");let r=XP.parse(e.username),n=QP.parse(e.appPassword);return nd({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await sn(n),staticSecretKind:"basic_auth_app_password",staticSecretUsername:r}})}o(hg,"saveUserStaticSecretCredential");async function Fi(e){let t=od(e.upstreamServerId,e.authProfileId);if(t.kind!=="bearer_token")throw new K("This upstream does not use bearer token credentials.");if(e.owner.mode!=="user")throw new K("User static credentials must be stored under a user-owned connection.");let r=ex.parse(e.token);return nd({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,metadata:{connectedBySubjectId:e.initiatedBySubjectId,encryptedStaticSecret:await sn(r),staticSecretKind:t.kind,staticSecretLabel:t.label}})}o(Fi,"saveUserStaticBearerTokenCredential");function ad(e,t){return od(e,t)}o(ad,"readUserStaticSecretCaptureConfig");async function gg(e){let t=Ge(e.upstreamServerId);if(e.owner.mode!=="user")throw new K("User static credential flow resolved a non-user owner.");let r="preloadedConnection"in e?e.preloadedConnection:(await Y().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];if(fg(r))return{kind:"authorized",credential:await nx({connection:r})};let n={requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:t.displayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!r};return r!==void 0&&(n.connectionId=r.id),{kind:"connect_required",payload:await Lt(n)}}o(gg,"resolveUserStaticSecretCredentialForRequest");function yg(e){if(e.owner.mode!=="user")throw new K("User static credential capture requires a user-owned connection.");return sg({requestUrl:e.request.url,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}})}o(yg,"buildUserStaticSecretConnectUrl");var id;id=globalThis.crypto;async function ox(e){return(await id).getRandomValues(new Uint8Array(e))}o(ox,"getRandomValues");async function ax(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,n="";for(;n.length<e;){let a=await ox(e-n.length);for(let i of a)i<r&&(n+=t[i%t.length])}return n}o(ax,"random");async function ix(e){return await ax(e)}o(ix,"generateVerifier");async function sx(e){let t=await(await id).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}o(sx,"generateChallenge");async function sd(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await ix(e),r=await sx(t);return{code_verifier:t,code_challenge:r}}o(sd,"pkceChallenge");de();var Ne=mm().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:ym.custom,message:"URL must be parseable",fatal:!0}),lm}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),Zi=Pe({resource:f().url(),authorization_servers:R(Ne).optional(),jwks_uri:f().url().optional(),scopes_supported:R(f()).optional(),bearer_methods_supported:R(f()).optional(),resource_signing_alg_values_supported:R(f()).optional(),resource_name:f().optional(),resource_documentation:f().optional(),resource_policy_uri:f().url().optional(),resource_tos_uri:f().url().optional(),tls_client_certificate_bound_access_tokens:ue().optional(),authorization_details_types_supported:R(f()).optional(),dpop_signing_alg_values_supported:R(f()).optional(),dpop_bound_access_tokens_required:ue().optional()}),Yo=Pe({issuer:f(),authorization_endpoint:Ne,token_endpoint:Ne,registration_endpoint:Ne.optional(),scopes_supported:R(f()).optional(),response_types_supported:R(f()),response_modes_supported:R(f()).optional(),grant_types_supported:R(f()).optional(),token_endpoint_auth_methods_supported:R(f()).optional(),token_endpoint_auth_signing_alg_values_supported:R(f()).optional(),service_documentation:Ne.optional(),revocation_endpoint:Ne.optional(),revocation_endpoint_auth_methods_supported:R(f()).optional(),revocation_endpoint_auth_signing_alg_values_supported:R(f()).optional(),introspection_endpoint:f().optional(),introspection_endpoint_auth_methods_supported:R(f()).optional(),introspection_endpoint_auth_signing_alg_values_supported:R(f()).optional(),code_challenge_methods_supported:R(f()).optional(),client_id_metadata_document_supported:ue().optional()}),cx=Pe({issuer:f(),authorization_endpoint:Ne,token_endpoint:Ne,userinfo_endpoint:Ne.optional(),jwks_uri:Ne,registration_endpoint:Ne.optional(),scopes_supported:R(f()).optional(),response_types_supported:R(f()),response_modes_supported:R(f()).optional(),grant_types_supported:R(f()).optional(),acr_values_supported:R(f()).optional(),subject_types_supported:R(f()),id_token_signing_alg_values_supported:R(f()),id_token_encryption_alg_values_supported:R(f()).optional(),id_token_encryption_enc_values_supported:R(f()).optional(),userinfo_signing_alg_values_supported:R(f()).optional(),userinfo_encryption_alg_values_supported:R(f()).optional(),userinfo_encryption_enc_values_supported:R(f()).optional(),request_object_signing_alg_values_supported:R(f()).optional(),request_object_encryption_alg_values_supported:R(f()).optional(),request_object_encryption_enc_values_supported:R(f()).optional(),token_endpoint_auth_methods_supported:R(f()).optional(),token_endpoint_auth_signing_alg_values_supported:R(f()).optional(),display_values_supported:R(f()).optional(),claim_types_supported:R(f()).optional(),claims_supported:R(f()).optional(),service_documentation:f().optional(),claims_locales_supported:R(f()).optional(),ui_locales_supported:R(f()).optional(),claims_parameter_supported:ue().optional(),request_parameter_supported:ue().optional(),request_uri_parameter_supported:ue().optional(),require_request_uri_registration:ue().optional(),op_policy_uri:Ne.optional(),op_tos_uri:Ne.optional(),client_id_metadata_document_supported:ue().optional()}),Ki=C({...cx.shape,...Yo.pick({code_challenge_methods_supported:!0}).shape}),Xo=C({access_token:f(),id_token:f().optional(),token_type:f(),expires_in:Sm.number().optional(),scope:f().optional(),refresh_token:f().optional()}).strip(),_g=C({error:f(),error_description:f().optional(),error_uri:f().optional()}),Sg=Ne.optional().or(O("").transform(()=>{})),ux=C({redirect_uris:R(Ne),token_endpoint_auth_method:f().optional(),grant_types:R(f()).optional(),response_types:R(f()).optional(),client_name:f().optional(),client_uri:Ne.optional(),logo_uri:Sg,scope:f().optional(),contacts:R(f()).optional(),tos_uri:Sg,policy_uri:f().optional(),jwks_uri:Ne.optional(),jwks:hm().optional(),software_id:f().optional(),software_version:f().optional(),software_statement:f().optional()}).strip(),cd=C({client_id:f(),client_secret:f().optional(),client_id_issued_at:ne().optional(),client_secret_expires_at:ne().optional()}).strip(),Qo=ux.merge(cd),KL=C({error:f(),error_description:f().optional()}).strip(),JL=C({token:f(),token_type_hint:f().optional()}).strip();function vg(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}o(vg,"resourceUrlFromServerUrl");function wg({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),n=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==n.origin||r.pathname.length<n.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=n.pathname.endsWith("/")?n.pathname:n.pathname+"/";return a.startsWith(i)}o(wg,"checkResourceAllowed");var Ce=class extends Error{static{o(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},ea=class extends Ce{static{o(this,"InvalidRequestError")}};ea.errorCode="invalid_request";var cn=class extends Ce{static{o(this,"InvalidClientError")}};cn.errorCode="invalid_client";var un=class extends Ce{static{o(this,"InvalidGrantError")}};un.errorCode="invalid_grant";var dn=class extends Ce{static{o(this,"UnauthorizedClientError")}};dn.errorCode="unauthorized_client";var ta=class extends Ce{static{o(this,"UnsupportedGrantTypeError")}};ta.errorCode="unsupported_grant_type";var ra=class extends Ce{static{o(this,"InvalidScopeError")}};ra.errorCode="invalid_scope";var na=class extends Ce{static{o(this,"AccessDeniedError")}};na.errorCode="access_denied";var cr=class extends Ce{static{o(this,"ServerError")}};cr.errorCode="server_error";var oa=class extends Ce{static{o(this,"TemporarilyUnavailableError")}};oa.errorCode="temporarily_unavailable";var aa=class extends Ce{static{o(this,"UnsupportedResponseTypeError")}};aa.errorCode="unsupported_response_type";var ia=class extends Ce{static{o(this,"UnsupportedTokenTypeError")}};ia.errorCode="unsupported_token_type";var sa=class extends Ce{static{o(this,"InvalidTokenError")}};sa.errorCode="invalid_token";var ca=class extends Ce{static{o(this,"MethodNotAllowedError")}};ca.errorCode="method_not_allowed";var ua=class extends Ce{static{o(this,"TooManyRequestsError")}};ua.errorCode="too_many_requests";var ln=class extends Ce{static{o(this,"InvalidClientMetadataError")}};ln.errorCode="invalid_client_metadata";var da=class extends Ce{static{o(this,"InsufficientScopeError")}};da.errorCode="insufficient_scope";var la=class extends Ce{static{o(this,"InvalidTargetError")}};la.errorCode="invalid_target";var bg={[ea.errorCode]:ea,[cn.errorCode]:cn,[un.errorCode]:un,[dn.errorCode]:dn,[ta.errorCode]:ta,[ra.errorCode]:ra,[na.errorCode]:na,[cr.errorCode]:cr,[oa.errorCode]:oa,[aa.errorCode]:aa,[ia.errorCode]:ia,[sa.errorCode]:sa,[ca.errorCode]:ca,[ua.errorCode]:ua,[ln.errorCode]:ln,[da.errorCode]:da,[la.errorCode]:la};var xt=class extends Error{static{o(this,"UnauthorizedError")}constructor(t){super(t??"Unauthorized")}};function dx(e){return["client_secret_basic","client_secret_post","none"].includes(e)}o(dx,"isClientAuthMethod");var ud="code",dd="S256";function lx(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&dx(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}o(lx,"selectClientAuthMethod");function px(e,t,r,n){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":mx(a,i,r);return;case"client_secret_post":fx(a,i,n);return;case"none":hx(a,n);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}o(px,"applyClientAuthentication");function mx(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let n=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${n}`)}o(mx,"applyBasicAuth");function fx(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}o(fx,"applyPostAuth");function hx(e,t){t.set("client_id",e)}o(hx,"applyPublicAuth");async function Cg(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let n=_g.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=n,c=bg[a]||cr;return new c(i||"",s)}catch(n){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${n}. Raw body: ${r}`;return new cr(a)}}o(Cg,"parseErrorResponse");async function zr(e,t){try{return await ld(e,t)}catch(r){if(r instanceof cn||r instanceof dn)return await e.invalidateCredentials?.("all"),await ld(e,t);if(r instanceof un)return await e.invalidateCredentials?.("tokens"),await ld(e,t);throw r}}o(zr,"auth");async function ld(e,{serverUrl:t,authorizationCode:r,scope:n,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),c,d,p,l=a;if(!l&&s?.resourceMetadataUrl&&(l=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(d=s.authorizationServerUrl,c=s.resourceMetadata,p=s.authorizationServerMetadata??await Pg(d,{fetchFn:i}),!c)try{c=await Ig(t,{resourceMetadataUrl:l},i)}catch{}(p!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}else{let b=await wx(t,{resourceMetadataUrl:l,fetchFn:i});d=b.authorizationServerUrl,p=b.authorizationServerMetadata,c=b.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(d),resourceMetadataUrl:l?.toString(),resourceMetadata:c,authorizationServerMetadata:p})}let m=await gx(t,e,c),h=n||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,g=await Promise.resolve(e.clientInformation());if(!g){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let b=p?.client_id_metadata_document_supported===!0,N=e.clientMetadataUrl;if(N&&!md(N))throw new ln(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${N}`);if(b&&N)g={client_id:N},await e.saveClientInformation?.(g);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Be=await Px(d,{metadata:p,clientMetadata:e.clientMetadata,scope:h,fetchFn:i});await e.saveClientInformation(Be),g=Be}}let S=!e.redirectUrl;if(r!==void 0||S){let b=await Ix(e,d,{metadata:p,resource:m,authorizationCode:r,fetchFn:i});return await e.saveTokens(b),"AUTHORIZED"}let y=await e.tokens();if(y?.refresh_token)try{let b=await Cx(d,{metadata:p,clientInformation:g,refreshToken:y.refresh_token,resource:m,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(b),"AUTHORIZED"}catch(b){if(!(!(b instanceof Ce)||b instanceof cr))throw b}let _=e.state?await e.state():void 0,{authorizationUrl:v,codeVerifier:w}=await bx(d,{metadata:p,clientInformation:g,state:_,redirectUrl:e.redirectUrl,scope:h,resource:m});return await e.saveCodeVerifier(w),await e.redirectToAuthorization(v),"REDIRECT"}o(ld,"authInternal");function md(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}o(md,"isHttpsUrl");async function gx(e,t,r){let n=vg(e);if(t.validateResourceURL)return await t.validateResourceURL(n,r?.resource);if(r){if(!wg({requestedResource:n,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${n} (or origin)`);return new URL(r.resource)}}o(gx,"selectResourceURL");function fd(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,n]=t.split(" ");if(r.toLowerCase()!=="bearer"||!n)return{};let a=pd(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=pd(e,"scope")||void 0,c=pd(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:c}}o(fd,"extractWWWAuthenticateParams");function pd(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let n=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(n);return a?a[1]||a[2]:null}o(pd,"extractFieldFromWwwAuth");async function Ig(e,t,r=fetch){let n=await _x(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!n||n.status===404)throw await n?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!n.ok)throw await n.body?.cancel(),new Error(`HTTP ${n.status} trying to load well-known OAuth protected resource metadata.`);return Zi.parse(await n.json())}o(Ig,"discoverOAuthProtectedResourceMetadata");async function hd(e,t,r=fetch){try{return await r(e,{headers:t})}catch(n){if(n instanceof TypeError)return t?hd(e,void 0,r):void 0;throw n}}o(hd,"fetchWithCorsRetry");function yx(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}o(yx,"buildWellKnownPath");async function Rg(e,t,r=fetch){return await hd(e,{"MCP-Protocol-Version":t},r)}o(Rg,"tryMetadataDiscovery");function Sx(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}o(Sx,"shouldAttemptFallback");async function _x(e,t,r,n){let a=new URL(e),i=n?.protocolVersion??br,s;if(n?.metadataUrl)s=new URL(n.metadataUrl);else{let d=yx(t,a.pathname);s=new URL(d,n?.metadataServerUrl??a),s.search=a.search}let c=await Rg(s,i,r);if(!n?.metadataUrl&&Sx(c,a.pathname)){let d=new URL(`/.well-known/${t}`,a);c=await Rg(d,i,r)}return c}o(_x,"discoverMetadataWithFallback");function vx(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",n=[];if(!r)return n.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),n.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),n;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),n.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),n.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),n.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),n}o(vx,"buildDiscoveryUrls");async function Pg(e,{fetchFn:t=fetch,protocolVersion:r=br}={}){let n={"MCP-Protocol-Version":r,Accept:"application/json"},a=vx(e);for(let{url:i,type:s}of a){let c=await hd(i,n,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Yo.parse(await c.json()):Ki.parse(await c.json())}}}o(Pg,"discoverAuthorizationServerMetadata");async function wx(e,t){let r,n;try{r=await Ig(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(n=r.authorization_servers[0])}catch{}n||(n=String(new URL("/",e)));let a=await Pg(n,{fetchFn:t?.fetchFn});return{authorizationServerUrl:n,authorizationServerMetadata:a,resourceMetadata:r}}o(wx,"discoverOAuthServerInfo");async function bx(e,{metadata:t,clientInformation:r,redirectUrl:n,scope:a,state:i,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(ud))throw new Error(`Incompatible auth server: does not support response type ${ud}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(dd))throw new Error(`Incompatible auth server: does not support code challenge method ${dd}`)}else c=new URL("/authorize",e);let d=await sd(),p=d.code_verifier,l=d.code_challenge;return c.searchParams.set("response_type",ud),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",l),c.searchParams.set("code_challenge_method",dd),c.searchParams.set("redirect_uri",String(n)),i&&c.searchParams.set("state",i),a&&c.searchParams.set("scope",a),a?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:p}}o(bx,"startAuthorization");function Rx(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}o(Rx,"prepareAuthorizationCodeRequest");async function xg(e,{metadata:t,tokenRequestParams:r,clientInformation:n,addClientAuthentication:a,resource:i,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),d=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(d,r,c,t);else if(n){let l=t?.token_endpoint_auth_methods_supported??[],m=lx(n,l);px(m,n,d,r)}let p=await(s??fetch)(c,{method:"POST",headers:d,body:r});if(!p.ok)throw await Cg(p);return Xo.parse(await p.json())}o(xg,"executeTokenRequest");async function Cx(e,{metadata:t,clientInformation:r,refreshToken:n,resource:a,addClientAuthentication:i,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:n}),d=await xg(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:n,...d}}o(Cx,"refreshAuthorization");async function Ix(e,t,{metadata:r,resource:n,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let p=await e.codeVerifier();c=Rx(a,p,e.redirectUrl)}let d=await e.clientInformation();return xg(t,{metadata:r,tokenRequestParams:c,clientInformation:d??void 0,addClientAuthentication:e.addClientAuthentication,resource:n,fetchFn:i})}o(Ix,"fetchToken");async function Px(e,{metadata:t,clientMetadata:r,scope:n,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...n!==void 0?{scope:n}:{}})});if(!s.ok)throw await Cg(s);return Qo.parse(await s.json())}o(Px,"registerClient");de();function gd(e){return`Zuplo MCP Gateway - ${e}`}o(gd,"buildGatewayOAuthClientName");function kg(e,t){let r=new URL(e,le(t));return ke(r)&&nr(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}o(kg,"buildGatewayOAuthRedirectUri");function yd(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}o(yd,"buildOAuthClientMetadataDocumentUrl");function Ag(e){return le(e)}o(Ag,"requireOAuthClientMetadataOrigin");function Tg(e,t,r){let n=Ge(t),a=an(t,r);return{client_id:yd({origin:e,upstreamServerId:t,authProfileId:r}),client_name:gd(n.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}o(Tg,"buildOAuthClientMetadataDocument");var xx=u.union([Qo,cd]),kx=u.object({authorizationServerUrl:u.url(),resourceMetadataUrl:u.url().optional(),resourceMetadata:Zi.optional(),authorizationServerMetadata:u.union([Yo,Ki]).optional()}).passthrough(),Ax="Bearer",Tx="__zuplo_refresh_only_upstream_access_token__";function Ex(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}o(Ex,"splitScopes");function Ux(e){return Ri.parse(e)}o(Ux,"parsePkceCodeVerifier");function Ox(e){if(typeof e.expires_in=="number")return oe(new Date(Date.now()+e.expires_in*1e3))}o(Ox,"readTokenExpiry");async function Eg(e){if(e!==void 0)return sn(JSON.stringify(e))}o(Eg,"encryptJson");async function Ug(e,t){if(!e)return;let r=await sr(e);try{return t.parse(JSON.parse(r))}catch(n){throw new E({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[T]:"oauth_state_invalid"}},{cause:n})}}o(Ug,"decryptJson");function Mx(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}o(Mx,"toOAuthDiscoveryState");function zx(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}o(zx,"clientInformationAllowsRedirectUri");function $x(e,t,r){let n=Ge(e),a=an(e,t),i;return a.scopes.length>0&&(i=a.scopes.join(a.scopeDelimiter)),{client_name:gd(n.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}o($x,"buildOAuthClientMetadata");function qx(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new q(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Qo.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}o(qx,"buildManualOAuthClientInformation");function Nx(e,t,r){let n=yd({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return md(n)?n:void 0}o(Nx,"buildClientMetadataUrl");function Og(e){for(let t of e)if(t!==void 0)return t}o(Og,"firstDefined");function Dx(e){let t=an(e.target.upstreamServerId,e.target.authProfileId),r=$x(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:qx({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let n=Nx(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return n===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:n}}o(Dx,"buildInitialOAuthClientSetup");function jx(e,t){if(t===void 0)return Og([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}o(jx,"readEncryptedClientInformation");function Hx(e){return Og([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}o(Hx,"readEncryptedDiscoveryState");var pn=class{static{o(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=Dx({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=jx(t,this.configuredClientInformation),this.encryptedDiscoveryState=Hx(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return og({id:t.id,...Fo({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await Eg(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await Eg(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Xo.parse(t),n=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0;this.cachedTokens=r,this.tokensLoaded=!0;let a={id:this.connection?.id??Ti(),ownerMode:this.target.owner.mode,subjectId:n,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await sn(r.access_token),encryptedRefreshToken:r.refresh_token?await sn(r.refresh_token):void 0,scopes:Ex(r.scope??this.clientMetadataValue.scope),expiresAt:Ox(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await Y().upsertUpstreamConnection(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:Ux(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new E({message:"OAuth code verifier is missing",extensionMembers:{[T]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",n=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";n&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:_f(),...Fo({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,virtualServerId:this.target.virtualServerId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:oe(new Date(Date.now()+tg)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await Y().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await Ug(this.encryptedClientInformation,xx)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!zx(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=Mx(await Ug(this.encryptedDiscoveryState,kx))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await sr(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await sr(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let n=Xo.parse({access_token:t??Tx,token_type:Ax,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=n,n}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await Y().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var Lx=3e4,Bx=256*1024,Gx=2;function Vx(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}o(Vx,"hasUsableAccessToken");var Fx="does not support dynamic client registration";function Zx(e){return e instanceof Error&&e.message.includes(Fx)}o(Zx,"isDynamicClientRegistrationUnsupported");function Kx(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}o(Kx,"readOAuthFetchRequest");function Jx(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}o(Jx,"responseLooksJson");function Mg(e){return async(t,r)=>{let n=Kx(t),a=await Jn(t,r,{maxRedirects:Gx,maxResponseBytes:Bx,problemCode:"upstream_token_exchange_failed",timeoutMs:Lx}),i=await a.clone().text();if(!Jx(a,i))return a;try{JSON.parse(i)}catch(s){throw new E({message:`Upstream OAuth fetch ${n.url.origin}${n.url.pathname} for ${e} returned invalid JSON.`,extensionMembers:{[T]:"upstream_token_exchange_failed"}},{cause:s})}return a}}o(Mg,"createUpstreamOAuthFetch");async function zg(e,t){try{return await zr(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Mg(t.upstreamServerId)})}catch(r){throw Zx(r)?new E({message:`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,extensionMembers:{[T]:"upstream_client_registration_required"}},{cause:r}):r}}o(zg,"runUpstreamOAuth");async function Wx(e,t){return zr(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Mg(t.upstreamServerId)})}o(Wx,"exchangeUpstreamAuthorizationCode");async function $g(e,t){let r=await zg(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new E({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[T]:"upstream_token_exchange_failed"}}):new E({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[T]:"upstream_token_exchange_failed"}})}o($g,"requireUpstreamAuthorizationRedirect");async function qg(e){if(Vx(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await zg(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new E({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[T]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new E({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[T]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await tk({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.target.virtualServerId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}o(qg,"authorizeUpstreamOAuthSession");async function Yx(e){let t=await Bi(e.stateToken),r=await Y().consumeUpstreamOAuthState({id:t.id,now:oe(new Date)}),n=Xx(r);return Qx({storedState:n,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),ek(n),n}o(Yx,"consumeStoredCallbackState");function Xx(e){switch(e.kind){case"consumed":throw new E({message:"OAuth state has already been used",extensionMembers:{[T]:"oauth_state_reused"}});case"missing":throw new E({message:"OAuth state is missing or expired",extensionMembers:{[T]:"oauth_state_expired"}});case"available":return e.record}}o(Xx,"readConsumedCallbackState");function Qx(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.virtualServerId===e.signedState.virtualServerId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new E({message:"OAuth callback did not match the initiating request",extensionMembers:{[T]:"oauth_callback_mismatch"}})}o(Qx,"assertStoredCallbackStateMatches");function ek(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new E({message:"OAuth state has expired",extensionMembers:{[T]:"oauth_state_expired"}})}o(ek,"assertStoredCallbackStateFresh");async function tk(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),Wn(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,virtualServerId:e.virtualServerId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Lt(t)}o(tk,"buildOAuthConnectRequiredResponse");async function Ng(e){let t=await Yx({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=Bn(t),[n]=await Y().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};n!==void 0&&(a.connection=n);let i=new pn(a),s=await Wx(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new E({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[T]:"upstream_token_exchange_failed"}}):new E({message:`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`,extensionMembers:{[T]:"upstream_token_exchange_failed"}})}o(Ng,"finishUpstreamOAuthCallback");async function Dg(e){let t=Ge(e.upstreamServerId),r=an(e.upstreamServerId,e.authProfileId),n=kg(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await Y().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,virtualServerId:e.virtualServerId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:n,returnOrigin:le(e.request.url)}}}o(Dg,"prepareUpstreamOAuthRequest");async function jg(e){let t=await Dg(e),r=new pn({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return $g(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(jg,"startUpstreamConnect");async function Hg(e){let t=await Dg(e),r=new pn({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return qg({target:e,provider:r,connection:t.connection,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}o(Hg,"authorizeUpstreamRequest");function rk(e,t){switch(e.kind){case"bearer_token":{if(!e.token)throw new q(`Static bearer token is not configured for upstream "${t}". Set the env var that backs the token or update the upstream connection policy to use a configured secret.`);return{type:"bearer_token",token:e.token}}case"headers":{let r={};for(let n of e.headers){if(!n.value)throw new q(`Static header "${n.name}" is not configured for upstream "${t}". Set the env var that backs the header or mark the header optional.`);r[n.name]=n.value}return{type:"headers",headers:r}}}}o(rk,"resolveStaticSecretCredential");async function Ji(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return Hg({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"shared-secret":return mg({owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}});case"static-secret":{let n=Ur({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId});if(n.mode!=="static-secret")throw new K(`Resolved static-secret credential context loaded ${n.mode} config.`);return{kind:"authorized",credential:rk(n.secret,t.upstreamServerId)}}case"user-secret":return gg({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,authProfileId:t.authProfileId,upstreamServerId:t.upstreamServerId,virtualServerId:t.virtualServerId,..."preloadedConnection"in e?{preloadedConnection:e.preloadedConnection}:{}})}let r=t;throw new K(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}o(Ji,"resolveUpstreamCredentialForRoute");async function Lg(e){let t=Tr(e.principal.subjectId),r=rt().byVirtualServerId.get(e.virtualServerId);if(r)for(let n of r.connections)n.authConfig.mode!=="user-secret"||n.authConfig.secret.kind!=="bearer_token"||n.authConfig.secret.capture!=="browser_login"||await Fi({owner:t,initiatedBySubjectId:e.principal.subjectId,upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId,token:e.apiKey})}o(Lg,"saveBrowserLoginApiKeyCredentialsForVirtualServer");async function Bg(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,virtualServerId:e.connectRequest.virtualServerId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},n=jt(e.connectRequest.authMode);switch(n.connectSupport){case"oauth_authorization":t=await jg(r);break;case"user_secret_capture":t=await yg(r);break;case"none":throw new K(n.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,virtualServerId:e.connectRequest.virtualServerId}}o(Bg,"startUpstreamConnectForRequest");async function Gg(e){let r=(await Bi(e.callbackRequest.state)).authProfileId,n=Ur({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(jt(n.mode).callbackSupport!=="authorization_code")throw new K(`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return Ng({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:Ge(e.callbackRequest.upstreamServerId)})}o(Gg,"finishUpstreamCallbackForRequest");var Sd=new $t("route-upstream-bindings");function Vg(e){return`${e.upstreamServerId}:${e.authProfileId}`}o(Vg,"buildRouteBindingDuplicateKey");function _d(e,t){let r=Sd.get(e)??[],n=Vg(t);if(r.find(i=>Vg(i)===n)!==void 0)throw new K(`Route declares duplicate upstream binding ${t.upstreamServerId} + ${t.authProfileId}.`);r.push(t),Sd.set(e,r)}o(_d,"appendResolvedUpstreamBindingContext");function Wi(e){return Sd.get(e)??[]}o(Wi,"readResolvedUpstreamBindingContexts");var nk=new Set(["authorization","connection","content-length","cookie","cookie2","host","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade"]),ok=3e4,ak=2*1024*1024,ik=2,Yi="upstream_capability_invocation_failed",sk="upstream_capability_unavailable",ck="application/json";function uk(e){if(!e.authUrl)return{code:k.InvalidRequest,message:e.message};let t=new Ct([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message);return{code:t.code,message:t.message,data:t.data}}o(uk,"buildUrlElicitationError");async function dk(e){try{let t=await e.clone().json();return typeof t.id=="string"||typeof t.id=="number"?t.id:null}catch{return null}}o(dk,"readJsonRpcRequestId");async function Fg(e,t){return Response.json({jsonrpc:"2.0",id:await dk(e),error:uk(t)},{status:200,headers:{"content-type":ck}})}o(Fg,"connectRequiredMcpResponse");async function lk(e){let{routeBinding:t}=e;if(t.ownerMode!=="none")return t.owner.mode==="shared"?Wn({upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,upstreamDisplayName:t.upstreamDisplayName,virtualServerId:t.virtualServerId,requiresReconsent:!0}):Lt({requestUrl:e.request.url,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,upstreamDisplayName:t.upstreamDisplayName,virtualServerId:t.virtualServerId,subject:"virtual server",requiresReconsent:!0,...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}o(lk,"buildReconsentPayload");function pk(e){return e.kind!=="authorized"||e.credential.type!=="headers"?[]:Object.keys(e.credential.headers)}o(pk,"readCredentialHeaderNames");function mk(e){let t=e.headers.get("retry-after");if(t!==null)return{"retry-after":t}}o(mk,"readRetryAfterHeaders");function fk(e,t,r){let n=mk(r),a=hk(r.status),i={code:a,detail:Qe[a].publicDetail};switch(a){case"authentication_required":return Ae.unauthorized(e,t,i,n);case"forbidden":return Ae.forbidden(e,t,i,n);case"not_found":return Ae.notFound(e,t,i,n);case"too_many_requests":return Ae.tooManyRequests(e,t,i,n);case"upstream_capability_unavailable":return Ae.serviceUnavailable(e,t,i,n);default:return Ae.badGateway(e,t,i,n)}}o(fk,"proxyUpstreamErrorResponse");function hk(e){switch(e){case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";case 429:return"too_many_requests";case 503:return sk;default:return"upstream_capability_invocation_failed"}}o(hk,"readProxyProblemCode");async function gk(e,t){zt("handler.mcp-upstream");let r=Wi(t);if(r.length!==1)throw new q(`mcpUpstreamHandler requires exactly one upstream binding on the route (found ${r.length}). Attach a single \`mcp-upstream-connection-inbound\` policy or use \`McpVirtualServerHandler\` for multi-upstream routes.`);let[n]=r,a=await Ji({request:e,routeAuth:n});if(a.kind==="connect_required")return t.log.info({event:"mcp_upstream_connect_required",upstreamServerId:n.upstreamServerId,authProfileId:n.authProfileId},"MCP upstream proxy: upstream connection required"),Fg(e,a.payload);let i=Ge(n.upstreamServerId),s=i.transport.baseUrl,c=new Headers;for(let[h,g]of e.headers.entries())nk.has(h.toLowerCase())||c.set(h,g);let d=[];for(let h of i.transport.requestHeaders??[]){if(h.value===void 0){if(h.required)throw new q(`mcpUpstreamHandler: configured request header '${h.name}' is required but its value is unset. Set the env var that backs the header or mark the header optional.`);continue}c.set(h.name,h.value),d.push(h.name)}let p=a.credential;switch(p.type){case"bearer_token":c.set("authorization",`Bearer ${p.token}`);break;case"headers":for(let[h,g]of Object.entries(p.headers))c.set(h,g);break;case"mcp_oauth_provider":{let h=await p.provider.tokens();if(!h){t.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:n.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens");let g=await lk({request:e,routeBinding:n});return g!==void 0?Fg(e,g):Response.json({error:"no_upstream_tokens"},{status:401})}c.set("authorization",`${h.token_type??"Bearer"} ${h.access_token}`);break}}let l=[...d,...pk(a)],m={method:e.method,headers:c,body:e.method==="GET"||e.method==="HEAD"?void 0:e.body,duplex:"half"};t.log.info({event:"mcp_upstream_handler_proxy",upstreamServerId:n.upstreamServerId,upstreamUrl:s,method:e.method},"MCP upstream proxy: forwarding request");try{let h=await Jn(s,m,{additionalCrossOriginStrippedHeaders:l,context:t,maxRedirects:ik,maxResponseBytes:ak,problemCode:Yi,timeoutMs:ok});return h.ok?h:fk(e,t,h)}catch(h){if(!(h instanceof E)||h.extensionMembers?.[T]!==Yi)throw h;return Ae.badGateway(e,t,{code:Yi,detail:Qe[Yi].publicDetail})}}o(gk,"mcpUpstreamHandler");rb();function $r(e){return!!e._zod}o($r,"isZ4Schema");function Ke(e,t){return $r(e)?wc(e,t):e.safeParse(t)}o(Ke,"safeParse");function Qn(e){if(!e)return;let t;if($r(e)?t=e._zod?.def?.shape:t=e.shape,!!t){if(typeof t=="function")try{return t()}catch{return}return t}}o(Qn,"getObjectShape");function Zg(e){if($r(e)){let i=e._zod?.def;if(i){if(i.value!==void 0)return i.value;if(Array.isArray(i.values)&&i.values.length>0)return i.values[0]}}let r=e._def;if(r){if(r.value!==void 0)return r.value;if(Array.isArray(r.values)&&r.values.length>0)return r.values[0]}let n=e.value;if(n!==void 0)return n}o(Zg,"getLiteralValue");function qr(e){return e==="completed"||e==="failed"||e==="cancelled"}o(qr,"isTerminal");var Sk=Symbol("Let zodToJsonSchema decide on which parser to use");var IG=new Set("ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz0123456789");function vd(e){let r=Qn(e)?.method;if(!r)throw new Error("Schema is missing a method literal");let n=Zg(r);if(typeof n!="string")throw new Error("Schema method literal must be a string");return n}o(vd,"getMethodLiteral");function wd(e,t){let r=Ke(e,t);if(!r.success)throw r.error;return r.data}o(wd,"parseWithCompat");var Ck=6e4,eo=class{static{o(this,"Protocol")}constructor(t){this._options=t,this._requestMessageId=0,this._requestHandlers=new Map,this._requestHandlerAbortControllers=new Map,this._notificationHandlers=new Map,this._responseHandlers=new Map,this._progressHandlers=new Map,this._timeoutInfo=new Map,this._pendingDebouncedNotifications=new Set,this._taskProgressTokens=new Map,this._requestResolvers=new Map,this.setNotificationHandler(si,r=>{this._oncancel(r)}),this.setNotificationHandler(li,r=>{this._onprogress(r)}),this.setRequestHandler(di,r=>({})),this._taskStore=t?.taskStore,this._taskMessageQueue=t?.taskMessageQueue,this._taskStore&&(this.setRequestHandler(pi,async(r,n)=>{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new I(k.InvalidParams,"Failed to retrieve task: Task not found");return{...a}}),this.setRequestHandler(fi,async(r,n)=>{let a=o(async()=>{let i=r.params.taskId;if(this._taskMessageQueue){let c;for(;c=await this._taskMessageQueue.dequeue(i,n.sessionId);){if(c.type==="response"||c.type==="error"){let d=c.message,p=d.id,l=this._requestResolvers.get(p);if(l)if(this._requestResolvers.delete(p),c.type==="response")l(d);else{let m=d,h=new I(m.error.code,m.error.message,m.error.data);l(h)}else{let m=c.type==="response"?"Response":"Error";this._onerror(new Error(`${m} handler missing for request ${p}`))}continue}await this._transport?.send(c.message,{relatedRequestId:n.requestId})}}let s=await this._taskStore.getTask(i,n.sessionId);if(!s)throw new I(k.InvalidParams,`Task not found: ${i}`);if(!qr(s.status))return await this._waitForTaskUpdate(i,n.signal),await a();if(qr(s.status)){let c=await this._taskStore.getTaskResult(i,n.sessionId);return this._clearTaskQueue(i),{...c,_meta:{...c._meta,[Cr]:{taskId:i}}}}return await a()},"handleTaskResult");return await a()}),this.setRequestHandler(hi,async(r,n)=>{try{let{tasks:a,nextCursor:i}=await this._taskStore.listTasks(r.params?.cursor,n.sessionId);return{tasks:a,nextCursor:i,_meta:{}}}catch(a){throw new I(k.InvalidParams,`Failed to list tasks: ${a instanceof Error?a.message:String(a)}`)}}),this.setRequestHandler(yi,async(r,n)=>{try{let a=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!a)throw new I(k.InvalidParams,`Task not found: ${r.params.taskId}`);if(qr(a.status))throw new I(k.InvalidParams,`Cannot cancel task in terminal status: ${a.status}`);await this._taskStore.updateTaskStatus(r.params.taskId,"cancelled","Client cancelled task execution.",n.sessionId),this._clearTaskQueue(r.params.taskId);let i=await this._taskStore.getTask(r.params.taskId,n.sessionId);if(!i)throw new I(k.InvalidParams,`Task not found after cancellation: ${r.params.taskId}`);return{_meta:{},...i}}catch(a){throw a instanceof I?a:new I(k.InvalidRequest,`Failed to cancel task: ${a instanceof Error?a.message:String(a)}`)}}))}async _oncancel(t){if(!t.params.requestId)return;this._requestHandlerAbortControllers.get(t.params.requestId)?.abort(t.params.reason)}_setupTimeout(t,r,n,a,i=!1){this._timeoutInfo.set(t,{timeoutId:setTimeout(a,r),startTime:Date.now(),timeout:r,maxTotalTimeout:n,resetTimeoutOnProgress:i,onTimeout:a})}_resetTimeout(t){let r=this._timeoutInfo.get(t);if(!r)return!1;let n=Date.now()-r.startTime;if(r.maxTotalTimeout&&n>=r.maxTotalTimeout)throw this._timeoutInfo.delete(t),I.fromError(k.RequestTimeout,"Maximum total timeout exceeded",{maxTotalTimeout:r.maxTotalTimeout,totalElapsed:n});return clearTimeout(r.timeoutId),r.timeoutId=setTimeout(r.onTimeout,r.timeout),!0}_cleanupTimeout(t){let r=this._timeoutInfo.get(t);r&&(clearTimeout(r.timeoutId),this._timeoutInfo.delete(t))}async connect(t){if(this._transport)throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");this._transport=t;let r=this.transport?.onclose;this._transport.onclose=()=>{r?.(),this._onclose()};let n=this.transport?.onerror;this._transport.onerror=i=>{n?.(i),this._onerror(i)};let a=this._transport?.onmessage;this._transport.onmessage=(i,s)=>{a?.(i,s),It(i)||Mn(i)?this._onresponse(i):qt(i)?this._onrequest(i,s):Pm(i)?this._onnotification(i):this._onerror(new Error(`Unknown message type: ${JSON.stringify(i)}`))},await this._transport.start()}_onclose(){let t=this._responseHandlers;this._responseHandlers=new Map,this._progressHandlers.clear(),this._taskProgressTokens.clear(),this._pendingDebouncedNotifications.clear();for(let n of this._timeoutInfo.values())clearTimeout(n.timeoutId);this._timeoutInfo.clear();for(let n of this._requestHandlerAbortControllers.values())n.abort();this._requestHandlerAbortControllers.clear();let r=I.fromError(k.ConnectionClosed,"Connection closed");this._transport=void 0,this.onclose?.();for(let n of t.values())n(r)}_onerror(t){this.onerror?.(t)}_onnotification(t){let r=this._notificationHandlers.get(t.method)??this.fallbackNotificationHandler;r!==void 0&&Promise.resolve().then(()=>r(t)).catch(n=>this._onerror(new Error(`Uncaught error in notification handler: ${n}`)))}_onrequest(t,r){let n=this._requestHandlers.get(t.method)??this.fallbackRequestHandler,a=this._transport,i=t.params?._meta?.[Cr]?.taskId;if(n===void 0){let l={jsonrpc:"2.0",id:t.id,error:{code:k.MethodNotFound,message:"Method not found"}};i&&this._taskMessageQueue?this._enqueueTaskMessage(i,{type:"error",message:l,timestamp:Date.now()},a?.sessionId).catch(m=>this._onerror(new Error(`Failed to enqueue error response: ${m}`))):a?.send(l).catch(m=>this._onerror(new Error(`Failed to send an error response: ${m}`)));return}let s=new AbortController;this._requestHandlerAbortControllers.set(t.id,s);let c=Rm(t.params)?t.params.task:void 0,d=this._taskStore?this.requestTaskStore(t,a?.sessionId):void 0,p={signal:s.signal,sessionId:a?.sessionId,_meta:t.params?._meta,sendNotification:o(async l=>{if(s.signal.aborted)return;let m={relatedRequestId:t.id};i&&(m.relatedTask={taskId:i}),await this.notification(l,m)},"sendNotification"),sendRequest:o(async(l,m,h)=>{if(s.signal.aborted)throw new I(k.ConnectionClosed,"Request was cancelled");let g={...h,relatedRequestId:t.id};i&&!g.relatedTask&&(g.relatedTask={taskId:i});let S=g.relatedTask?.taskId??i;return S&&d&&await d.updateTaskStatus(S,"input_required"),await this.request(l,m,g)},"sendRequest"),authInfo:r?.authInfo,requestId:t.id,requestInfo:r?.requestInfo,taskId:i,taskStore:d,taskRequestedTtl:c?.ttl,closeSSEStream:r?.closeSSEStream,closeStandaloneSSEStream:r?.closeStandaloneSSEStream};Promise.resolve().then(()=>{c&&this.assertTaskHandlerCapability(t.method)}).then(()=>n(t,p)).then(async l=>{if(s.signal.aborted)return;let m={result:l,jsonrpc:"2.0",id:t.id};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"response",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)},async l=>{if(s.signal.aborted)return;let m={jsonrpc:"2.0",id:t.id,error:{code:Number.isSafeInteger(l.code)?l.code:k.InternalError,message:l.message??"Internal error",...l.data!==void 0&&{data:l.data}}};i&&this._taskMessageQueue?await this._enqueueTaskMessage(i,{type:"error",message:m,timestamp:Date.now()},a?.sessionId):await a?.send(m)}).catch(l=>this._onerror(new Error(`Failed to send response: ${l}`))).finally(()=>{this._requestHandlerAbortControllers.get(t.id)===s&&this._requestHandlerAbortControllers.delete(t.id)})}_onprogress(t){let{progressToken:r,...n}=t.params,a=Number(r),i=this._progressHandlers.get(a);if(!i){this._onerror(new Error(`Received a progress notification for an unknown token: ${JSON.stringify(t)}`));return}let s=this._responseHandlers.get(a),c=this._timeoutInfo.get(a);if(c&&s&&c.resetTimeoutOnProgress)try{this._resetTimeout(a)}catch(d){this._responseHandlers.delete(a),this._progressHandlers.delete(a),this._cleanupTimeout(a),s(d);return}i(n)}_onresponse(t){let r=Number(t.id),n=this._requestResolvers.get(r);if(n){if(this._requestResolvers.delete(r),It(t))n(t);else{let s=new I(t.error.code,t.error.message,t.error.data);n(s)}return}let a=this._responseHandlers.get(r);if(a===void 0){this._onerror(new Error(`Received a response for an unknown message ID: ${JSON.stringify(t)}`));return}this._responseHandlers.delete(r),this._cleanupTimeout(r);let i=!1;if(It(t)&&t.result&&typeof t.result=="object"){let s=t.result;if(s.task&&typeof s.task=="object"){let c=s.task;typeof c.taskId=="string"&&(i=!0,this._taskProgressTokens.set(c.taskId,r))}}if(i||this._progressHandlers.delete(r),It(t))a(t);else{let s=I.fromError(t.error.code,t.error.message,t.error.data);a(s)}}get transport(){return this._transport}async close(){await this._transport?.close()}async*requestStream(t,r,n){let{task:a}=n??{};if(!a){try{yield{type:"result",result:await this.request(t,r,n)}}catch(s){yield{type:"error",error:s instanceof I?s:new I(k.InternalError,String(s))}}return}let i;try{let s=await this.request(t,rr,n);if(s.task)i=s.task.taskId,yield{type:"taskCreated",task:s.task};else throw new I(k.InternalError,"Task creation did not return a task");for(;;){let c=await this.getTask({taskId:i},n);if(yield{type:"taskStatus",task:c},qr(c.status)){c.status==="completed"?yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)}:c.status==="failed"?yield{type:"error",error:new I(k.InternalError,`Task ${i} failed`)}:c.status==="cancelled"&&(yield{type:"error",error:new I(k.InternalError,`Task ${i} was cancelled`)});return}if(c.status==="input_required"){yield{type:"result",result:await this.getTaskResult({taskId:i},r,n)};return}let d=c.pollInterval??this._options?.defaultTaskPollInterval??1e3;await new Promise(p=>setTimeout(p,d)),n?.signal?.throwIfAborted()}}catch(s){yield{type:"error",error:s instanceof I?s:new I(k.InternalError,String(s))}}}request(t,r,n){let{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s,task:c,relatedTask:d}=n??{};return new Promise((p,l)=>{let m=o(w=>{l(w)},"earlyReject");if(!this._transport){m(new Error("Not connected"));return}if(this._options?.enforceStrictCapabilities===!0)try{this.assertCapabilityForMethod(t.method),c&&this.assertTaskCapability(t.method)}catch(w){m(w);return}n?.signal?.throwIfAborted();let h=this._requestMessageId++,g={...t,jsonrpc:"2.0",id:h};n?.onprogress&&(this._progressHandlers.set(h,n.onprogress),g.params={...t.params,_meta:{...t.params?._meta||{},progressToken:h}}),c&&(g.params={...g.params,task:c}),d&&(g.params={...g.params,_meta:{...g.params?._meta||{},[Cr]:d}});let S=o(w=>{this._responseHandlers.delete(h),this._progressHandlers.delete(h),this._cleanupTimeout(h),this._transport?.send({jsonrpc:"2.0",method:"notifications/cancelled",params:{requestId:h,reason:String(w)}},{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(N=>this._onerror(new Error(`Failed to send cancellation: ${N}`)));let b=w instanceof I?w:new I(k.RequestTimeout,String(w));l(b)},"cancel");this._responseHandlers.set(h,w=>{if(!n?.signal?.aborted){if(w instanceof Error)return l(w);try{let b=Ke(r,w.result);b.success?p(b.data):l(b.error)}catch(b){l(b)}}}),n?.signal?.addEventListener("abort",()=>{S(n?.signal?.reason)});let y=n?.timeout??Ck,_=o(()=>S(I.fromError(k.RequestTimeout,"Request timed out",{timeout:y})),"timeoutHandler");this._setupTimeout(h,y,n?.maxTotalTimeout,_,n?.resetTimeoutOnProgress??!1);let v=d?.taskId;if(v){let w=o(b=>{let N=this._responseHandlers.get(h);N?N(b):this._onerror(new Error(`Response handler missing for side-channeled request ${h}`))},"responseResolver");this._requestResolvers.set(h,w),this._enqueueTaskMessage(v,{type:"request",message:g,timestamp:Date.now()}).catch(b=>{this._cleanupTimeout(h),l(b)})}else this._transport.send(g,{relatedRequestId:a,resumptionToken:i,onresumptiontoken:s}).catch(w=>{this._cleanupTimeout(h),l(w)})})}async getTask(t,r){return this.request({method:"tasks/get",params:t},mi,r)}async getTaskResult(t,r,n){return this.request({method:"tasks/result",params:t},r,n)}async listTasks(t,r){return this.request({method:"tasks/list",params:t},gi,r)}async cancelTask(t,r){return this.request({method:"tasks/cancel",params:t},km,r)}async notification(t,r){if(!this._transport)throw new Error("Not connected");this.assertNotificationCapability(t.method);let n=r?.relatedTask?.taskId;if(n){let c={...t,jsonrpc:"2.0",params:{...t.params,_meta:{...t.params?._meta||{},[Cr]:r.relatedTask}}};await this._enqueueTaskMessage(n,{type:"notification",message:c,timestamp:Date.now()});return}if((this._options?.debouncedNotificationMethods??[]).includes(t.method)&&!t.params&&!r?.relatedRequestId&&!r?.relatedTask){if(this._pendingDebouncedNotifications.has(t.method))return;this._pendingDebouncedNotifications.add(t.method),Promise.resolve().then(()=>{if(this._pendingDebouncedNotifications.delete(t.method),!this._transport)return;let c={...t,jsonrpc:"2.0"};r?.relatedTask&&(c={...c,params:{...c.params,_meta:{...c.params?._meta||{},[Cr]:r.relatedTask}}}),this._transport?.send(c,r).catch(d=>this._onerror(d))});return}let s={...t,jsonrpc:"2.0"};r?.relatedTask&&(s={...s,params:{...s.params,_meta:{...s.params?._meta||{},[Cr]:r.relatedTask}}}),await this._transport.send(s,r)}setRequestHandler(t,r){let n=vd(t);this.assertRequestHandlerCapability(n),this._requestHandlers.set(n,(a,i)=>{let s=wd(t,a);return Promise.resolve(r(s,i))})}removeRequestHandler(t){this._requestHandlers.delete(t)}assertCanSetRequestHandler(t){if(this._requestHandlers.has(t))throw new Error(`A request handler for ${t} already exists, which would be overridden`)}setNotificationHandler(t,r){let n=vd(t);this._notificationHandlers.set(n,a=>{let i=wd(t,a);return Promise.resolve(r(i))})}removeNotificationHandler(t){this._notificationHandlers.delete(t)}_cleanupTaskProgressHandler(t){let r=this._taskProgressTokens.get(t);r!==void 0&&(this._progressHandlers.delete(r),this._taskProgressTokens.delete(t))}async _enqueueTaskMessage(t,r,n){if(!this._taskStore||!this._taskMessageQueue)throw new Error("Cannot enqueue task message: taskStore and taskMessageQueue are not configured");let a=this._options?.maxTaskQueueSize;await this._taskMessageQueue.enqueue(t,r,n,a)}async _clearTaskQueue(t,r){if(this._taskMessageQueue){let n=await this._taskMessageQueue.dequeueAll(t,r);for(let a of n)if(a.type==="request"&&qt(a.message)){let i=a.message.id,s=this._requestResolvers.get(i);s?(s(new I(k.InternalError,"Task cancelled or completed")),this._requestResolvers.delete(i)):this._onerror(new Error(`Resolver missing for request ${i} during task ${t} cleanup`))}}}async _waitForTaskUpdate(t,r){let n=this._options?.defaultTaskPollInterval??1e3;try{let a=await this._taskStore?.getTask(t);a?.pollInterval&&(n=a.pollInterval)}catch{}return new Promise((a,i)=>{if(r.aborted){i(new I(k.InvalidRequest,"Request cancelled"));return}let s=setTimeout(a,n);r.addEventListener("abort",()=>{clearTimeout(s),i(new I(k.InvalidRequest,"Request cancelled"))},{once:!0})})}requestTaskStore(t,r){let n=this._taskStore;if(!n)throw new Error("No task store configured");return{createTask:o(async a=>{if(!t)throw new Error("No request provided");return await n.createTask(a,t.id,{method:t.method,params:t.params},r)},"createTask"),getTask:o(async a=>{let i=await n.getTask(a,r);if(!i)throw new I(k.InvalidParams,"Failed to retrieve task: Task not found");return i},"getTask"),storeTaskResult:o(async(a,i,s)=>{await n.storeTaskResult(a,i,s,r);let c=await n.getTask(a,r);if(c){let d=qo.parse({method:"notifications/tasks/status",params:c});await this.notification(d),qr(c.status)&&this._cleanupTaskProgressHandler(a)}},"storeTaskResult"),getTaskResult:o(a=>n.getTaskResult(a,r),"getTaskResult"),updateTaskStatus:o(async(a,i,s)=>{let c=await n.getTask(a,r);if(!c)throw new I(k.InvalidParams,`Task "${a}" not found - it may have been cleaned up`);if(qr(c.status))throw new I(k.InvalidParams,`Cannot update task "${a}" from terminal status "${c.status}" to "${i}". Terminal states (completed, failed, cancelled) cannot transition to other states.`);await n.updateTaskStatus(a,i,s,r);let d=await n.getTask(a,r);if(d){let p=qo.parse({method:"notifications/tasks/status",params:d});await this.notification(p),qr(d.status)&&this._cleanupTaskProgressHandler(a)}},"updateTaskStatus"),listTasks:o(a=>n.listTasks(a,r),"listTasks")}}};function Kg(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}o(Kg,"isPlainObject");function Xi(e,t){let r={...e};for(let n in t){let a=n,i=t[a];if(i===void 0)continue;let s=r[a];Kg(s)&&Kg(i)?r[a]={...s,...i}:r[a]=i}return r}o(Xi,"mergeCapabilities");var M_=cm(ip(),1),z_=cm(O_(),1);function fO(){let e=new M_.default({strict:!1,validateFormats:!0,validateSchema:!1,allErrors:!0});return(0,z_.default)(e),e}o(fO,"createDefaultAjvInstance");var So=class{static{o(this,"AjvJsonSchemaValidator")}constructor(t){this._ajv=t??fO()}getValidator(t){let r="$id"in t&&typeof t.$id=="string"?this._ajv.getSchema(t.$id)??this._ajv.compile(t):this._ajv.compile(t);return n=>r(n)?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:this._ajv.errorsText(r.errors)}}};var zs=class{static{o(this,"ExperimentalServerTasks")}constructor(t){this._server=t}requestStream(t,r,n){return this._server.requestStream(t,r,n)}createMessageStream(t,r){let n=this._server.getClientCapabilities();if((t.tools||t.toolChoice)&&!n?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let a=t.messages[t.messages.length-1],i=Array.isArray(a.content)?a.content:[a.content],s=i.some(l=>l.type==="tool_result"),c=t.messages.length>1?t.messages[t.messages.length-2]:void 0,d=c?Array.isArray(c.content)?c.content:[c.content]:[],p=d.some(l=>l.type==="tool_use");if(s){if(i.some(l=>l.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!p)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(p){let l=new Set(d.filter(h=>h.type==="tool_use").map(h=>h.id)),m=new Set(i.filter(h=>h.type==="tool_result").map(h=>h.toolUseId));if(l.size!==m.size||![...l].every(h=>m.has(h)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return this.requestStream({method:"sampling/createMessage",params:t},tn,r)}elicitInputStream(t,r){let n=this._server.getClientCapabilities(),a=t.mode??"form";switch(a){case"url":{if(!n?.elicitation?.url)throw new Error("Client does not support url elicitation.");break}case"form":{if(!n?.elicitation?.form)throw new Error("Client does not support form elicitation.");break}}let i=a==="form"&&t.mode===void 0?{...t,mode:"form"}:t;return this.requestStream({method:"elicitation/create",params:i},Pr,r)}async getTask(t,r){return this._server.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._server.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._server.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._server.cancelTask({taskId:t},r)}};function $s(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"tools/call":if(!e.tools?.call)throw new Error(`${r} does not support task creation for tools/call (required for ${t})`);break;default:break}}o($s,"assertToolsCallTaskCapability");function qs(e,t,r){if(!e)throw new Error(`${r} does not support task creation (required for ${t})`);switch(t){case"sampling/createMessage":if(!e.sampling?.createMessage)throw new Error(`${r} does not support task creation for sampling/createMessage (required for ${t})`);break;case"elicitation/create":if(!e.elicitation?.create)throw new Error(`${r} does not support task creation for elicitation/create (required for ${t})`);break;default:break}}o(qs,"assertClientRequestTaskCapability");var Ns=class extends eo{static{o(this,"Server")}constructor(t,r){super(r),this._serverInfo=t,this._loggingLevels=new Map,this.LOG_LEVEL_SEVERITY=new Map(jo.options.map((n,a)=>[n,a])),this.isMessageIgnored=(n,a)=>{let i=this._loggingLevels.get(a);return i?this.LOG_LEVEL_SEVERITY.get(n)<this.LOG_LEVEL_SEVERITY.get(i):!1},this._capabilities=r?.capabilities??{},this._instructions=r?.instructions,this._jsonSchemaValidator=r?.jsonSchemaValidator??new So,this.setRequestHandler(ci,n=>this._oninitialize(n)),this.setNotificationHandler(ui,()=>this.oninitialized?.()),this._capabilities.logging&&this.setRequestHandler(Yc,async(n,a)=>{let i=a.sessionId||a.requestInfo?.headers["mcp-session-id"]||void 0,{level:s}=n.params,c=jo.safeParse(s);return c.success&&this._loggingLevels.set(i,c.data),{}})}get experimental(){return this._experimental||(this._experimental={tasks:new zs(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Xi(this._capabilities,t)}setRequestHandler(t,r){let a=Qn(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if($r(a)){let c=a;i=c._zod?.def?.value??c.value}else{let c=a;i=c._def?.value??c.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");if(i==="tools/call"){let c=o(async(d,p)=>{let l=Ke(Do,d);if(!l.success){let S=l.error instanceof Error?l.error.message:String(l.error);throw new I(k.InvalidParams,`Invalid tools/call request: ${S}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let S=Ke(rr,h);if(!S.success){let y=S.error instanceof Error?S.error.message:String(S.error);throw new I(k.InvalidParams,`Invalid task creation result: ${y}`)}return S.data}let g=Ke(Ir,h);if(!g.success){let S=g.error instanceof Error?g.error.message:String(g.error);throw new I(k.InvalidParams,`Invalid tools/call result: ${S}`)}return g.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapabilityForMethod(t){switch(t){case"sampling/createMessage":if(!this._clientCapabilities?.sampling)throw new Error(`Client does not support sampling (required for ${t})`);break;case"elicitation/create":if(!this._clientCapabilities?.elicitation)throw new Error(`Client does not support elicitation (required for ${t})`);break;case"roots/list":if(!this._clientCapabilities?.roots)throw new Error(`Client does not support listing roots (required for ${t})`);break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/message":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"notifications/resources/updated":case"notifications/resources/list_changed":if(!this._capabilities.resources)throw new Error(`Server does not support notifying about resources (required for ${t})`);break;case"notifications/tools/list_changed":if(!this._capabilities.tools)throw new Error(`Server does not support notifying of tool list changes (required for ${t})`);break;case"notifications/prompts/list_changed":if(!this._capabilities.prompts)throw new Error(`Server does not support notifying of prompt list changes (required for ${t})`);break;case"notifications/elicitation/complete":if(!this._clientCapabilities?.elicitation?.url)throw new Error(`Client does not support URL elicitation (required for ${t})`);break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"completion/complete":if(!this._capabilities.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"logging/setLevel":if(!this._capabilities.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._capabilities.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":if(!this._capabilities.resources)throw new Error(`Server does not support resources (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._capabilities.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Server does not support tasks capability (required for ${t})`);break;case"ping":case"initialize":break}}assertTaskCapability(t){qs(this._clientCapabilities?.tasks?.requests,t,"Client")}assertTaskHandlerCapability(t){this._capabilities&&$s(this._capabilities.tasks?.requests,t,"Server")}async _oninitialize(t){let r=t.params.protocolVersion;return this._clientCapabilities=t.params.capabilities,this._clientVersion=t.params.clientInfo,{protocolVersion:Rr.includes(r)?r:br,capabilities:this.getCapabilities(),serverInfo:this._serverInfo,...this._instructions&&{instructions:this._instructions}}}getClientCapabilities(){return this._clientCapabilities}getClientVersion(){return this._clientVersion}getCapabilities(){return this._capabilities}async ping(){return this.request({method:"ping"},tr)}async createMessage(t,r){if((t.tools||t.toolChoice)&&!this._clientCapabilities?.sampling?.tools)throw new Error("Client does not support sampling tools capability.");if(t.messages.length>0){let n=t.messages[t.messages.length-1],a=Array.isArray(n.content)?n.content:[n.content],i=a.some(p=>p.type==="tool_result"),s=t.messages.length>1?t.messages[t.messages.length-2]:void 0,c=s?Array.isArray(s.content)?s.content:[s.content]:[],d=c.some(p=>p.type==="tool_use");if(i){if(a.some(p=>p.type!=="tool_result"))throw new Error("The last message must contain only tool_result content if any is present");if(!d)throw new Error("tool_result blocks are not matching any tool_use from the previous message")}if(d){let p=new Set(c.filter(m=>m.type==="tool_use").map(m=>m.id)),l=new Set(a.filter(m=>m.type==="tool_result").map(m=>m.toolUseId));if(p.size!==l.size||![...p].every(m=>l.has(m)))throw new Error("ids of tool_result blocks and tool_use blocks from previous message do not match")}}return t.tools?this.request({method:"sampling/createMessage",params:t},Ho,r):this.request({method:"sampling/createMessage",params:t},tn,r)}async elicitInput(t,r){switch(t.mode??"form"){case"url":{if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support url elicitation.");let a=t;return this.request({method:"elicitation/create",params:a},Pr,r)}case"form":{if(!this._clientCapabilities?.elicitation?.form)throw new Error("Client does not support form elicitation.");let a=t.mode==="form"?t:{...t,mode:"form"},i=await this.request({method:"elicitation/create",params:a},Pr,r);if(i.action==="accept"&&i.content&&a.requestedSchema)try{let c=this._jsonSchemaValidator.getValidator(a.requestedSchema)(i.content);if(!c.valid)throw new I(k.InvalidParams,`Elicitation response content does not match requested schema: ${c.errorMessage}`)}catch(s){throw s instanceof I?s:new I(k.InternalError,`Error validating elicitation response: ${s instanceof Error?s.message:String(s)}`)}return i}}}createElicitationCompletionNotifier(t,r){if(!this._clientCapabilities?.elicitation?.url)throw new Error("Client does not support URL elicitation (required for notifications/elicitation/complete)");return()=>this.notification({method:"notifications/elicitation/complete",params:{elicitationId:t}},r)}async listRoots(t,r){return this.request({method:"roots/list",params:t},tu,r)}async sendLoggingMessage(t,r){if(this._capabilities.logging&&!this.isMessageIgnored(t.level,r))return this.notification({method:"notifications/message",params:t})}async sendResourceUpdated(t){return this.notification({method:"notifications/resources/updated",params:t})}async sendResourceListChanged(){return this.notification({method:"notifications/resources/list_changed"})}async sendToolListChanged(){return this.notification({method:"notifications/tools/list_changed"})}async sendPromptListChanged(){return this.notification({method:"notifications/prompts/list_changed"})}};var Ds=class{static{o(this,"WebStandardStreamableHTTPServerTransport")}constructor(t={}){this._started=!1,this._hasHandledRequest=!1,this._streamMapping=new Map,this._requestToStreamMapping=new Map,this._requestResponseMap=new Map,this._initialized=!1,this._enableJsonResponse=!1,this._standaloneSseStreamId="_GET_stream",this.sessionIdGenerator=t.sessionIdGenerator,this._enableJsonResponse=t.enableJsonResponse??!1,this._eventStore=t.eventStore,this._onsessioninitialized=t.onsessioninitialized,this._onsessionclosed=t.onsessionclosed,this._allowedHosts=t.allowedHosts,this._allowedOrigins=t.allowedOrigins,this._enableDnsRebindingProtection=t.enableDnsRebindingProtection??!1,this._retryInterval=t.retryInterval}async start(){if(this._started)throw new Error("Transport already started");this._started=!0}createJsonErrorResponse(t,r,n,a){let i={code:r,message:n};return a?.data!==void 0&&(i.data=a.data),new Response(JSON.stringify({jsonrpc:"2.0",error:i,id:null}),{status:t,headers:{"Content-Type":"application/json",...a?.headers}})}validateRequestHeaders(t){if(this._enableDnsRebindingProtection){if(this._allowedHosts&&this._allowedHosts.length>0){let r=t.headers.get("host");if(!r||!this._allowedHosts.includes(r)){let n=`Invalid Host header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}if(this._allowedOrigins&&this._allowedOrigins.length>0){let r=t.headers.get("origin");if(r&&!this._allowedOrigins.includes(r)){let n=`Invalid Origin header: ${r}`;return this.onerror?.(new Error(n)),this.createJsonErrorResponse(403,-32e3,n)}}}}async handleRequest(t,r){if(!this.sessionIdGenerator&&this._hasHandledRequest)throw new Error("Stateless transport cannot be reused across requests. Create a new transport per request.");this._hasHandledRequest=!0;let n=this.validateRequestHeaders(t);if(n)return n;switch(t.method){case"POST":return this.handlePostRequest(t,r);case"GET":return this.handleGetRequest(t);case"DELETE":return this.handleDeleteRequest(t);default:return this.handleUnsupportedRequest()}}async writePrimingEvent(t,r,n,a){if(!this._eventStore||a<"2025-11-25")return;let i=await this._eventStore.storeEvent(n,{}),s=`id: ${i}
-data: 
-
-`;this._retryInterval!==void 0&&(s=`id: ${i}
-retry: ${this._retryInterval}
-data: 
-
-`),t.enqueue(r.encode(s))}async handleGetRequest(t){if(!t.headers.get("accept")?.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept text/event-stream");let n=this.validateSession(t);if(n)return n;let a=this.validateProtocolVersion(t);if(a)return a;if(this._eventStore){let p=t.headers.get("last-event-id");if(p)return this.replayEvents(p)}if(this._streamMapping.get(this._standaloneSseStreamId)!==void 0)return this.onerror?.(new Error("Conflict: Only one SSE stream is allowed per session")),this.createJsonErrorResponse(409,-32e3,"Conflict: Only one SSE stream is allowed per session");let i=new TextEncoder,s,c=new ReadableStream({start:o(p=>{s=p},"start"),cancel:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId)},"cancel")}),d={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};return this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId),this._streamMapping.set(this._standaloneSseStreamId,{controller:s,encoder:i,cleanup:o(()=>{this._streamMapping.delete(this._standaloneSseStreamId);try{s.close()}catch{}},"cleanup")}),new Response(c,{headers:d})}async replayEvents(t){if(!this._eventStore)return this.onerror?.(new Error("Event store not configured")),this.createJsonErrorResponse(400,-32e3,"Event store not configured");try{let r;if(this._eventStore.getStreamIdForEventId){if(r=await this._eventStore.getStreamIdForEventId(t),!r)return this.onerror?.(new Error("Invalid event ID format")),this.createJsonErrorResponse(400,-32e3,"Invalid event ID format");if(this._streamMapping.get(r)!==void 0)return this.onerror?.(new Error("Conflict: Stream already has an active connection")),this.createJsonErrorResponse(409,-32e3,"Conflict: Stream already has an active connection")}let n={"Content-Type":"text/event-stream","Cache-Control":"no-cache, no-transform",Connection:"keep-alive"};this.sessionId!==void 0&&(n["mcp-session-id"]=this.sessionId);let a=new TextEncoder,i,s=new ReadableStream({start:o(d=>{i=d},"start"),cancel:o(()=>{},"cancel")}),c=await this._eventStore.replayEventsAfter(t,{send:o(async(d,p)=>{if(!this.writeSSEEvent(i,a,p,d)){this.onerror?.(new Error("Failed replay events"));try{i.close()}catch{}}},"send")});return this._streamMapping.set(c,{controller:i,encoder:a,cleanup:o(()=>{this._streamMapping.delete(c);try{i.close()}catch{}},"cleanup")}),new Response(s,{headers:n})}catch(r){return this.onerror?.(r),this.createJsonErrorResponse(500,-32e3,"Error replaying events")}}writeSSEEvent(t,r,n,a){try{let i=`event: message
-`;return a&&(i+=`id: ${a}
-`),i+=`data: ${JSON.stringify(n)}
-
-`,t.enqueue(r.encode(i)),!0}catch(i){return this.onerror?.(i),!1}}handleUnsupportedRequest(){return this.onerror?.(new Error("Method not allowed.")),new Response(JSON.stringify({jsonrpc:"2.0",error:{code:-32e3,message:"Method not allowed."},id:null}),{status:405,headers:{Allow:"GET, POST, DELETE","Content-Type":"application/json"}})}async handlePostRequest(t,r){try{let n=t.headers.get("accept");if(!n?.includes("application/json")||!n.includes("text/event-stream"))return this.onerror?.(new Error("Not Acceptable: Client must accept both application/json and text/event-stream")),this.createJsonErrorResponse(406,-32e3,"Not Acceptable: Client must accept both application/json and text/event-stream");let a=t.headers.get("content-type");if(!a||!a.includes("application/json"))return this.onerror?.(new Error("Unsupported Media Type: Content-Type must be application/json")),this.createJsonErrorResponse(415,-32e3,"Unsupported Media Type: Content-Type must be application/json");let i={headers:Object.fromEntries(t.headers.entries()),url:new URL(t.url)},s;if(r?.parsedBody!==void 0)s=r.parsedBody;else try{s=await t.json()}catch{return this.onerror?.(new Error("Parse error: Invalid JSON")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON")}let c;try{Array.isArray(s)?c=s.map(v=>en.parse(v)):c=[en.parse(s)]}catch{return this.onerror?.(new Error("Parse error: Invalid JSON-RPC message")),this.createJsonErrorResponse(400,-32700,"Parse error: Invalid JSON-RPC message")}let d=c.some(kc);if(d){if(this._initialized&&this.sessionId!==void 0)return this.onerror?.(new Error("Invalid Request: Server already initialized")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Server already initialized");if(c.length>1)return this.onerror?.(new Error("Invalid Request: Only one initialization request is allowed")),this.createJsonErrorResponse(400,-32600,"Invalid Request: Only one initialization request is allowed");this.sessionId=this.sessionIdGenerator?.(),this._initialized=!0,this.sessionId&&this._onsessioninitialized&&await Promise.resolve(this._onsessioninitialized(this.sessionId))}if(!d){let v=this.validateSession(t);if(v)return v;let w=this.validateProtocolVersion(t);if(w)return w}if(!c.some(qt)){for(let v of c)this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i});return new Response(null,{status:202})}let l=crypto.randomUUID(),m=c.find(v=>kc(v)),h=m?m.params.protocolVersion:t.headers.get("mcp-protocol-version")??vm;if(this._enableJsonResponse)return new Promise(v=>{this._streamMapping.set(l,{resolveJson:v,cleanup:o(()=>{this._streamMapping.delete(l)},"cleanup")});for(let w of c)qt(w)&&this._requestToStreamMapping.set(w.id,l);for(let w of c)this.onmessage?.(w,{authInfo:r?.authInfo,requestInfo:i})});let g=new TextEncoder,S,y=new ReadableStream({start:o(v=>{S=v},"start"),cancel:o(()=>{this._streamMapping.delete(l)},"cancel")}),_={"Content-Type":"text/event-stream","Cache-Control":"no-cache",Connection:"keep-alive"};this.sessionId!==void 0&&(_["mcp-session-id"]=this.sessionId);for(let v of c)qt(v)&&(this._streamMapping.set(l,{controller:S,encoder:g,cleanup:o(()=>{this._streamMapping.delete(l);try{S.close()}catch{}},"cleanup")}),this._requestToStreamMapping.set(v.id,l));await this.writePrimingEvent(S,g,l,h);for(let v of c){let w,b;qt(v)&&this._eventStore&&h>="2025-11-25"&&(w=o(()=>{this.closeSSEStream(v.id)},"closeSSEStream"),b=o(()=>{this.closeStandaloneSSEStream()},"closeStandaloneSSEStream")),this.onmessage?.(v,{authInfo:r?.authInfo,requestInfo:i,closeSSEStream:w,closeStandaloneSSEStream:b})}return new Response(y,{status:200,headers:_})}catch(n){return this.onerror?.(n),this.createJsonErrorResponse(400,-32700,"Parse error",{data:String(n)})}}async handleDeleteRequest(t){let r=this.validateSession(t);if(r)return r;let n=this.validateProtocolVersion(t);return n||(await Promise.resolve(this._onsessionclosed?.(this.sessionId)),await this.close(),new Response(null,{status:200}))}validateSession(t){if(this.sessionIdGenerator===void 0)return;if(!this._initialized)return this.onerror?.(new Error("Bad Request: Server not initialized")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Server not initialized");let r=t.headers.get("mcp-session-id");if(!r)return this.onerror?.(new Error("Bad Request: Mcp-Session-Id header is required")),this.createJsonErrorResponse(400,-32e3,"Bad Request: Mcp-Session-Id header is required");if(r!==this.sessionId)return this.onerror?.(new Error("Session not found")),this.createJsonErrorResponse(404,-32001,"Session not found")}validateProtocolVersion(t){let r=t.headers.get("mcp-protocol-version");if(r!==null&&!Rr.includes(r))return this.onerror?.(new Error(`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Rr.join(", ")})`)),this.createJsonErrorResponse(400,-32e3,`Bad Request: Unsupported protocol version: ${r} (supported versions: ${Rr.join(", ")})`)}async close(){this._streamMapping.forEach(({cleanup:t})=>{t()}),this._streamMapping.clear(),this._requestResponseMap.clear(),this.onclose?.()}closeSSEStream(t){let r=this._requestToStreamMapping.get(t);if(!r)return;let n=this._streamMapping.get(r);n&&n.cleanup()}closeStandaloneSSEStream(){let t=this._streamMapping.get(this._standaloneSseStreamId);t&&t.cleanup()}async send(t,r){let n=r?.relatedRequestId;if((It(t)||Mn(t))&&(n=t.id),n===void 0){if(It(t)||Mn(t))throw new Error("Cannot send a response on a standalone SSE stream unless resuming a previous client request");let s;this._eventStore&&(s=await this._eventStore.storeEvent(this._standaloneSseStreamId,t));let c=this._streamMapping.get(this._standaloneSseStreamId);if(c===void 0)return;c.controller&&c.encoder&&this.writeSSEEvent(c.controller,c.encoder,t,s);return}let a=this._requestToStreamMapping.get(n);if(!a)throw new Error(`No connection established for request ID: ${String(n)}`);let i=this._streamMapping.get(a);if(!this._enableJsonResponse&&i?.controller&&i?.encoder){let s;this._eventStore&&(s=await this._eventStore.storeEvent(a,t)),this.writeSSEEvent(i.controller,i.encoder,t,s)}if(It(t)||Mn(t)){this._requestResponseMap.set(n,t);let s=Array.from(this._requestToStreamMapping.entries()).filter(([d,p])=>p===a).map(([d])=>d);if(s.every(d=>this._requestResponseMap.has(d))){if(!i)throw new Error(`No connection established for request ID: ${String(n)}`);if(this._enableJsonResponse&&i.resolveJson){let d={"Content-Type":"application/json"};this.sessionId!==void 0&&(d["mcp-session-id"]=this.sessionId);let p=s.map(l=>this._requestResponseMap.get(l));p.length===1?i.resolveJson(new Response(JSON.stringify(p[0]),{status:200,headers:d})):i.resolveJson(new Response(JSON.stringify(p),{status:200,headers:d}))}else i.cleanup();for(let d of s)this._requestResponseMap.delete(d),this._requestToStreamMapping.delete(d)}}}};function _o(e,t){let r=typeof e;if(r!==typeof t)return!1;if(Array.isArray(e)){if(!Array.isArray(t))return!1;let n=e.length;if(n!==t.length)return!1;for(let a=0;a<n;a++)if(!_o(e[a],t[a]))return!1;return!0}if(r==="object"){if(!e||!t)return e===t;let n=Object.keys(e),a=Object.keys(t);if(n.length!==a.length)return!1;for(let s of n)if(!_o(e[s],t[s]))return!1;return!0}return e===t}o(_o,"deepCompareStrict");function ft(e){return encodeURI(hO(e))}o(ft,"encodePointer");function hO(e){return e.replace(/~/g,"~0").replace(/\//g,"~1")}o(hO,"escapePointer");var gO={prefixItems:!0,items:!0,allOf:!0,anyOf:!0,oneOf:!0},yO={$defs:!0,definitions:!0,properties:!0,patternProperties:!0,dependentSchemas:!0},SO={id:!0,$id:!0,$ref:!0,$schema:!0,$anchor:!0,$vocabulary:!0,$comment:!0,default:!0,enum:!0,const:!0,required:!0,type:!0,maximum:!0,minimum:!0,exclusiveMaximum:!0,exclusiveMinimum:!0,multipleOf:!0,maxLength:!0,minLength:!0,pattern:!0,format:!0,maxItems:!0,minItems:!0,uniqueItems:!0,maxProperties:!0,minProperties:!0},_O=typeof self<"u"&&self.location&&self.location.origin!=="null"?new URL(self.location.origin+self.location.pathname+location.search):new URL("https://github.com/cfworker");function hr(e,t=Object.create(null),r=_O,n=""){if(e&&typeof e=="object"&&!Array.isArray(e)){let i=e.$id||e.id;if(i){let s=new URL(i,r.href);s.hash.length>1?t[s.href]=e:(s.hash="",n===""?r=s:hr(e,t,r))}}else if(e!==!0&&e!==!1)return t;let a=r.href+(n?"#"+n:"");if(t[a]!==void 0)throw new Error(`Duplicate schema URI "${a}".`);if(t[a]=e,e===!0||e===!1)return t;if(e.__absolute_uri__===void 0&&Object.defineProperty(e,"__absolute_uri__",{enumerable:!1,value:a}),e.$ref&&e.__absolute_ref__===void 0){let i=new URL(e.$ref,r.href);i.hash=i.hash,Object.defineProperty(e,"__absolute_ref__",{enumerable:!1,value:i.href})}if(e.$recursiveRef&&e.__absolute_recursive_ref__===void 0){let i=new URL(e.$recursiveRef,r.href);i.hash=i.hash,Object.defineProperty(e,"__absolute_recursive_ref__",{enumerable:!1,value:i.href})}if(e.$anchor){let i=new URL("#"+e.$anchor,r.href);t[i.href]=e}for(let i in e){if(SO[i])continue;let s=`${n}/${ft(i)}`,c=e[i];if(Array.isArray(c)){if(gO[i]){let d=c.length;for(let p=0;p<d;p++)hr(c[p],t,r,`${s}/${p}`)}}else if(yO[i])for(let d in c)hr(c[d],t,r,`${s}/${ft(d)}`);else hr(c,t,r,s)}return t}o(hr,"dereference");var vO=/^(\d\d\d\d)-(\d\d)-(\d\d)$/,wO=[0,31,28,31,30,31,30,31,31,30,31,30,31],bO=/^(\d\d):(\d\d):(\d\d)(\.\d+)?(z|[+-]\d\d(?::?\d\d)?)?$/i,RO=/^(?=.{1,253}\.?$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[-0-9a-z]{0,61}[0-9a-z])?)*\.?$/i,CO=/^(?:[a-z][a-z0-9+\-.]*:)?(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'"()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'"()*+,;=:@]|%[0-9a-f]{2})*)*)?(?:\?(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'"()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i,IO=/^(?:(?:[^\x00-\x20"'<>%\\^`{|}]|%[0-9a-f]{2})|\{[+#./;?&=,!@|]?(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?(?:,(?:[a-z0-9_]|%[0-9a-f]{2})+(?::[1-9][0-9]{0,3}|\*)?)*\})*$/i,PO=/^(?:(?:https?|ftp):\/\/)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u{00a1}-\u{ffff}0-9]+-?)*[a-z\u{00a1}-\u{ffff}0-9]+)(?:\.(?:[a-z\u{00a1}-\u{ffff}0-9]+-?)*[a-z\u{00a1}-\u{ffff}0-9]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu,xO=/^(?:urn:uuid:)?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i,kO=/^(?:\/(?:[^~/]|~0|~1)*)*$/,AO=/^#(?:\/(?:[a-z0-9_\-.!$&'()*+,;:=@]|%[0-9a-f]{2}|~0|~1)*)*$/i,TO=/^(?:0|[1-9][0-9]*)(?:#|(?:\/(?:[^~/]|~0|~1)*)*)$/,EO=o(e=>{if(e[0]==='"')return!1;let[t,r,...n]=e.split("@");return!t||!r||n.length!==0||t.length>64||r.length>253||t[0]==="."||t.endsWith(".")||t.includes("..")||!/^[a-z0-9.-]+$/i.test(r)||!/^[a-z0-9.!#$%&'*+/=?^_`{|}~-]+$/i.test(t)?!1:r.split(".").every(a=>/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(a))},"EMAIL"),UO=/^(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)$/,OO=/^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))$/i,MO=o(e=>e.length>1&&e.length<80&&(/^P\d+([.,]\d+)?W$/.test(e)||/^P[\dYMDTHS]*(\d[.,]\d+)?[YMDHS]$/.test(e)&&/^P([.,\d]+Y)?([.,\d]+M)?([.,\d]+D)?(T([.,\d]+H)?([.,\d]+M)?([.,\d]+S)?)?$/.test(e)),"DURATION");function Jt(e){return e.test.bind(e)}o(Jt,"bind");var fp={date:$_,time:q_.bind(void 0,!1),"date-time":qO,duration:MO,uri:jO,"uri-reference":Jt(CO),"uri-template":Jt(IO),url:Jt(PO),email:EO,hostname:Jt(RO),ipv4:Jt(UO),ipv6:Jt(OO),regex:LO,uuid:Jt(xO),"json-pointer":Jt(kO),"json-pointer-uri-fragment":Jt(AO),"relative-json-pointer":Jt(TO)};function zO(e){return e%4===0&&(e%100!==0||e%400===0)}o(zO,"isLeapYear");function $_(e){let t=e.match(vO);if(!t)return!1;let r=+t[1],n=+t[2],a=+t[3];return n>=1&&n<=12&&a>=1&&a<=(n==2&&zO(r)?29:wO[n])}o($_,"date");function q_(e,t){let r=t.match(bO);if(!r)return!1;let n=+r[1],a=+r[2],i=+r[3],s=!!r[5];return(n<=23&&a<=59&&i<=59||n==23&&a==59&&i==60)&&(!e||s)}o(q_,"time");var $O=/t|\s/i;function qO(e){let t=e.split($O);return t.length==2&&$_(t[0])&&q_(!0,t[1])}o(qO,"date_time");var NO=/\/|:/,DO=/^(?:[a-z][a-z0-9+\-.]*:)(?:\/?\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9a-f]{2})*@)?(?:\[(?:(?:(?:(?:[0-9a-f]{1,4}:){6}|::(?:[0-9a-f]{1,4}:){5}|(?:[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){4}|(?:(?:[0-9a-f]{1,4}:){0,1}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){3}|(?:(?:[0-9a-f]{1,4}:){0,2}[0-9a-f]{1,4})?::(?:[0-9a-f]{1,4}:){2}|(?:(?:[0-9a-f]{1,4}:){0,3}[0-9a-f]{1,4})?::[0-9a-f]{1,4}:|(?:(?:[0-9a-f]{1,4}:){0,4}[0-9a-f]{1,4})?::)(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))|(?:(?:[0-9a-f]{1,4}:){0,5}[0-9a-f]{1,4})?::[0-9a-f]{1,4}|(?:(?:[0-9a-f]{1,4}:){0,6}[0-9a-f]{1,4})?::)|[Vv][0-9a-f]+\.[a-z0-9\-._~!$&'()*+,;=:]+)\]|(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9a-f]{2})*)(?::\d*)?(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*|\/(?:(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)?|(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})+(?:\/(?:[a-z0-9\-._~!$&'()*+,;=:@]|%[0-9a-f]{2})*)*)(?:\?(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?(?:#(?:[a-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9a-f]{2})*)?$/i;function jO(e){return NO.test(e)&&DO.test(e)}o(jO,"uri");var HO=/[^\\]\\Z/;function LO(e){if(HO.test(e))return!1;try{return new RegExp(e,"u"),!0}catch{return!1}}o(LO,"regex");var N_;(function(e){e[e.Flag=1]="Flag",e[e.Basic=2]="Basic",e[e.Detailed=4]="Detailed"})(N_||(N_={}));function D_(e){let t=0,r=e.length,n=0,a;for(;n<r;)t++,a=e.charCodeAt(n++),a>=55296&&a<=56319&&n<r&&(a=e.charCodeAt(n),(a&64512)==56320&&n++);return t}o(D_,"ucs2length");function Se(e,t,r="2019-09",n=hr(t),a=!0,i=null,s="#",c="#",d=Object.create(null)){if(t===!0)return{valid:!0,errors:[]};if(t===!1)return{valid:!1,errors:[{instanceLocation:s,keyword:"false",keywordLocation:s,error:"False boolean schema."}]};let p=typeof e,l;switch(p){case"boolean":case"number":case"string":l=p;break;case"object":e===null?l="null":Array.isArray(e)?l="array":l="object";break;default:throw new Error(`Instances of "${p}" type are not supported.`)}let{$ref:m,$recursiveRef:h,$recursiveAnchor:g,type:S,const:y,enum:_,required:v,not:w,anyOf:b,allOf:N,oneOf:j,if:Be,then:ht,else:En,format:wr,properties:Qt,patternProperties:Yr,additionalProperties:Io,unevaluatedProperties:Po,minProperties:xo,maxProperties:lc,propertyNames:tm,dependentRequired:pc,dependentSchemas:mc,dependencies:fc,prefixItems:hc,items:ko,additionalItems:rm,unevaluatedItems:nm,contains:om,minContains:er,maxContains:Ya,minItems:gc,maxItems:yc,uniqueItems:eb,minimum:Xr,maximum:Qr,exclusiveMinimum:Ao,exclusiveMaximum:To,multipleOf:Xa,minLength:Qa,maxLength:ei,pattern:am,__absolute_ref__:ti,__absolute_recursive_ref__:tb}=t,A=[];if(g===!0&&i===null&&(i=t),h==="#"){let H=i===null?n[tb]:i,z=`${c}/$recursiveRef`,V=Se(e,i===null?t:i,r,n,a,H,s,z,d);V.valid||A.push({instanceLocation:s,keyword:"$recursiveRef",keywordLocation:z,error:"A subschema had errors."},...V.errors)}if(m!==void 0){let z=n[ti||m];if(z===void 0){let P=`Unresolved $ref "${m}".`;throw ti&&ti!==m&&(P+=`  Absolute URI "${ti}".`),P+=`
-Known schemas:
-- ${Object.keys(n).join(`
-- `)}`,new Error(P)}let V=`${c}/$ref`,U=Se(e,z,r,n,a,i,s,V,d);if(U.valid||A.push({instanceLocation:s,keyword:"$ref",keywordLocation:V,error:"A subschema had errors."},...U.errors),r==="4"||r==="7")return{valid:A.length===0,errors:A}}if(Array.isArray(S)){let H=S.length,z=!1;for(let V=0;V<H;V++)if(l===S[V]||S[V]==="integer"&&l==="number"&&e%1===0&&e===e){z=!0;break}z||A.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${S.join('", "')}".`})}else S==="integer"?(l!=="number"||e%1||e!==e)&&A.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${S}".`}):S!==void 0&&l!==S&&A.push({instanceLocation:s,keyword:"type",keywordLocation:`${c}/type`,error:`Instance type "${l}" is invalid. Expected "${S}".`});if(y!==void 0&&(l==="object"||l==="array"?_o(e,y)||A.push({instanceLocation:s,keyword:"const",keywordLocation:`${c}/const`,error:`Instance does not match ${JSON.stringify(y)}.`}):e!==y&&A.push({instanceLocation:s,keyword:"const",keywordLocation:`${c}/const`,error:`Instance does not match ${JSON.stringify(y)}.`})),_!==void 0&&(l==="object"||l==="array"?_.some(H=>_o(e,H))||A.push({instanceLocation:s,keyword:"enum",keywordLocation:`${c}/enum`,error:`Instance does not match any of ${JSON.stringify(_)}.`}):_.some(H=>e===H)||A.push({instanceLocation:s,keyword:"enum",keywordLocation:`${c}/enum`,error:`Instance does not match any of ${JSON.stringify(_)}.`})),w!==void 0){let H=`${c}/not`;Se(e,w,r,n,a,i,s,H).valid&&A.push({instanceLocation:s,keyword:"not",keywordLocation:H,error:'Instance matched "not" schema.'})}let ri=[];if(b!==void 0){let H=`${c}/anyOf`,z=A.length,V=!1;for(let U=0;U<b.length;U++){let P=b[U],B=Object.create(d),L=Se(e,P,r,n,a,g===!0?i:null,s,`${H}/${U}`,B);A.push(...L.errors),V=V||L.valid,L.valid&&ri.push(B)}V?A.length=z:A.splice(z,0,{instanceLocation:s,keyword:"anyOf",keywordLocation:H,error:"Instance does not match any subschemas."})}if(N!==void 0){let H=`${c}/allOf`,z=A.length,V=!0;for(let U=0;U<N.length;U++){let P=N[U],B=Object.create(d),L=Se(e,P,r,n,a,g===!0?i:null,s,`${H}/${U}`,B);A.push(...L.errors),V=V&&L.valid,L.valid&&ri.push(B)}V?A.length=z:A.splice(z,0,{instanceLocation:s,keyword:"allOf",keywordLocation:H,error:"Instance does not match every subschema."})}if(j!==void 0){let H=`${c}/oneOf`,z=A.length,V=j.filter((U,P)=>{let B=Object.create(d),L=Se(e,U,r,n,a,g===!0?i:null,s,`${H}/${P}`,B);return A.push(...L.errors),L.valid&&ri.push(B),L.valid}).length;V===1?A.length=z:A.splice(z,0,{instanceLocation:s,keyword:"oneOf",keywordLocation:H,error:`Instance does not match exactly one subschema (${V} matches).`})}if((l==="object"||l==="array")&&Object.assign(d,...ri),Be!==void 0){let H=`${c}/if`;if(Se(e,Be,r,n,a,i,s,H,d).valid){if(ht!==void 0){let V=Se(e,ht,r,n,a,i,s,`${c}/then`,d);V.valid||A.push({instanceLocation:s,keyword:"if",keywordLocation:H,error:'Instance does not match "then" schema.'},...V.errors)}}else if(En!==void 0){let V=Se(e,En,r,n,a,i,s,`${c}/else`,d);V.valid||A.push({instanceLocation:s,keyword:"if",keywordLocation:H,error:'Instance does not match "else" schema.'},...V.errors)}}if(l==="object"){if(v!==void 0)for(let U of v)U in e||A.push({instanceLocation:s,keyword:"required",keywordLocation:`${c}/required`,error:`Instance does not have required property "${U}".`});let H=Object.keys(e);if(xo!==void 0&&H.length<xo&&A.push({instanceLocation:s,keyword:"minProperties",keywordLocation:`${c}/minProperties`,error:`Instance does not have at least ${xo} properties.`}),lc!==void 0&&H.length>lc&&A.push({instanceLocation:s,keyword:"maxProperties",keywordLocation:`${c}/maxProperties`,error:`Instance does not have at least ${lc} properties.`}),tm!==void 0){let U=`${c}/propertyNames`;for(let P in e){let B=`${s}/${ft(P)}`,L=Se(P,tm,r,n,a,i,B,U);L.valid||A.push({instanceLocation:s,keyword:"propertyNames",keywordLocation:U,error:`Property name "${P}" does not match schema.`},...L.errors)}}if(pc!==void 0){let U=`${c}/dependantRequired`;for(let P in pc)if(P in e){let B=pc[P];for(let L of B)L in e||A.push({instanceLocation:s,keyword:"dependentRequired",keywordLocation:U,error:`Instance has "${P}" but does not have "${L}".`})}}if(mc!==void 0)for(let U in mc){let P=`${c}/dependentSchemas`;if(U in e){let B=Se(e,mc[U],r,n,a,i,s,`${P}/${ft(U)}`,d);B.valid||A.push({instanceLocation:s,keyword:"dependentSchemas",keywordLocation:P,error:`Instance has "${U}" but does not match dependant schema.`},...B.errors)}}if(fc!==void 0){let U=`${c}/dependencies`;for(let P in fc)if(P in e){let B=fc[P];if(Array.isArray(B))for(let L of B)L in e||A.push({instanceLocation:s,keyword:"dependencies",keywordLocation:U,error:`Instance has "${P}" but does not have "${L}".`});else{let L=Se(e,B,r,n,a,i,s,`${U}/${ft(P)}`);L.valid||A.push({instanceLocation:s,keyword:"dependencies",keywordLocation:U,error:`Instance has "${P}" but does not match dependant schema.`},...L.errors)}}}let z=Object.create(null),V=!1;if(Qt!==void 0){let U=`${c}/properties`;for(let P in Qt){if(!(P in e))continue;let B=`${s}/${ft(P)}`,L=Se(e[P],Qt[P],r,n,a,i,B,`${U}/${ft(P)}`);if(L.valid)d[P]=z[P]=!0;else if(V=a,A.push({instanceLocation:s,keyword:"properties",keywordLocation:U,error:`Property "${P}" does not match schema.`},...L.errors),V)break}}if(!V&&Yr!==void 0){let U=`${c}/patternProperties`;for(let P in Yr){let B=new RegExp(P,"u"),L=Yr[P];for(let Ye in e){if(!B.test(Ye))continue;let im=`${s}/${ft(Ye)}`,sm=Se(e[Ye],L,r,n,a,i,im,`${U}/${ft(P)}`);sm.valid?d[Ye]=z[Ye]=!0:(V=a,A.push({instanceLocation:s,keyword:"patternProperties",keywordLocation:U,error:`Property "${Ye}" matches pattern "${P}" but does not match associated schema.`},...sm.errors))}}}if(!V&&Io!==void 0){let U=`${c}/additionalProperties`;for(let P in e){if(z[P])continue;let B=`${s}/${ft(P)}`,L=Se(e[P],Io,r,n,a,i,B,U);L.valid?d[P]=!0:(V=a,A.push({instanceLocation:s,keyword:"additionalProperties",keywordLocation:U,error:`Property "${P}" does not match additional properties schema.`},...L.errors))}}else if(!V&&Po!==void 0){let U=`${c}/unevaluatedProperties`;for(let P in e)if(!d[P]){let B=`${s}/${ft(P)}`,L=Se(e[P],Po,r,n,a,i,B,U);L.valid?d[P]=!0:A.push({instanceLocation:s,keyword:"unevaluatedProperties",keywordLocation:U,error:`Property "${P}" does not match unevaluated properties schema.`},...L.errors)}}}else if(l==="array"){yc!==void 0&&e.length>yc&&A.push({instanceLocation:s,keyword:"maxItems",keywordLocation:`${c}/maxItems`,error:`Array has too many items (${e.length} > ${yc}).`}),gc!==void 0&&e.length<gc&&A.push({instanceLocation:s,keyword:"minItems",keywordLocation:`${c}/minItems`,error:`Array has too few items (${e.length} < ${gc}).`});let H=e.length,z=0,V=!1;if(hc!==void 0){let U=`${c}/prefixItems`,P=Math.min(hc.length,H);for(;z<P;z++){let B=Se(e[z],hc[z],r,n,a,i,`${s}/${z}`,`${U}/${z}`);if(d[z]=!0,!B.valid&&(V=a,A.push({instanceLocation:s,keyword:"prefixItems",keywordLocation:U,error:"Items did not match schema."},...B.errors),V))break}}if(ko!==void 0){let U=`${c}/items`;if(Array.isArray(ko)){let P=Math.min(ko.length,H);for(;z<P;z++){let B=Se(e[z],ko[z],r,n,a,i,`${s}/${z}`,`${U}/${z}`);if(d[z]=!0,!B.valid&&(V=a,A.push({instanceLocation:s,keyword:"items",keywordLocation:U,error:"Items did not match schema."},...B.errors),V))break}}else for(;z<H;z++){let P=Se(e[z],ko,r,n,a,i,`${s}/${z}`,U);if(d[z]=!0,!P.valid&&(V=a,A.push({instanceLocation:s,keyword:"items",keywordLocation:U,error:"Items did not match schema."},...P.errors),V))break}if(!V&&rm!==void 0){let P=`${c}/additionalItems`;for(;z<H;z++){let B=Se(e[z],rm,r,n,a,i,`${s}/${z}`,P);d[z]=!0,B.valid||(V=a,A.push({instanceLocation:s,keyword:"additionalItems",keywordLocation:P,error:"Items did not match additional items schema."},...B.errors))}}}if(om!==void 0)if(H===0&&er===void 0)A.push({instanceLocation:s,keyword:"contains",keywordLocation:`${c}/contains`,error:"Array is empty. It must contain at least one item matching the schema."});else if(er!==void 0&&H<er)A.push({instanceLocation:s,keyword:"minContains",keywordLocation:`${c}/minContains`,error:`Array has less items (${H}) than minContains (${er}).`});else{let U=`${c}/contains`,P=A.length,B=0;for(let L=0;L<H;L++){let Ye=Se(e[L],om,r,n,a,i,`${s}/${L}`,U);Ye.valid?(d[L]=!0,B++):A.push(...Ye.errors)}B>=(er||0)&&(A.length=P),er===void 0&&Ya===void 0&&B===0?A.splice(P,0,{instanceLocation:s,keyword:"contains",keywordLocation:U,error:"Array does not contain item matching schema."}):er!==void 0&&B<er?A.push({instanceLocation:s,keyword:"minContains",keywordLocation:`${c}/minContains`,error:`Array must contain at least ${er} items matching schema. Only ${B} items were found.`}):Ya!==void 0&&B>Ya&&A.push({instanceLocation:s,keyword:"maxContains",keywordLocation:`${c}/maxContains`,error:`Array may contain at most ${Ya} items matching schema. ${B} items were found.`})}if(!V&&nm!==void 0){let U=`${c}/unevaluatedItems`;for(z;z<H;z++){if(d[z])continue;let P=Se(e[z],nm,r,n,a,i,`${s}/${z}`,U);d[z]=!0,P.valid||A.push({instanceLocation:s,keyword:"unevaluatedItems",keywordLocation:U,error:"Items did not match unevaluated items schema."},...P.errors)}}if(eb)for(let U=0;U<H;U++){let P=e[U],B=typeof P=="object"&&P!==null;for(let L=0;L<H;L++){if(U===L)continue;let Ye=e[L];(P===Ye||B&&(typeof Ye=="object"&&Ye!==null)&&_o(P,Ye))&&(A.push({instanceLocation:s,keyword:"uniqueItems",keywordLocation:`${c}/uniqueItems`,error:`Duplicate items at indexes ${U} and ${L}.`}),U=Number.MAX_SAFE_INTEGER,L=Number.MAX_SAFE_INTEGER)}}}else if(l==="number"){if(r==="4"?(Xr!==void 0&&(Ao===!0&&e<=Xr||e<Xr)&&A.push({instanceLocation:s,keyword:"minimum",keywordLocation:`${c}/minimum`,error:`${e} is less than ${Ao?"or equal to ":""} ${Xr}.`}),Qr!==void 0&&(To===!0&&e>=Qr||e>Qr)&&A.push({instanceLocation:s,keyword:"maximum",keywordLocation:`${c}/maximum`,error:`${e} is greater than ${To?"or equal to ":""} ${Qr}.`})):(Xr!==void 0&&e<Xr&&A.push({instanceLocation:s,keyword:"minimum",keywordLocation:`${c}/minimum`,error:`${e} is less than ${Xr}.`}),Qr!==void 0&&e>Qr&&A.push({instanceLocation:s,keyword:"maximum",keywordLocation:`${c}/maximum`,error:`${e} is greater than ${Qr}.`}),Ao!==void 0&&e<=Ao&&A.push({instanceLocation:s,keyword:"exclusiveMinimum",keywordLocation:`${c}/exclusiveMinimum`,error:`${e} is less than ${Ao}.`}),To!==void 0&&e>=To&&A.push({instanceLocation:s,keyword:"exclusiveMaximum",keywordLocation:`${c}/exclusiveMaximum`,error:`${e} is greater than or equal to ${To}.`})),Xa!==void 0){let H=e%Xa;Math.abs(0-H)>=11920929e-14&&Math.abs(Xa-H)>=11920929e-14&&A.push({instanceLocation:s,keyword:"multipleOf",keywordLocation:`${c}/multipleOf`,error:`${e} is not a multiple of ${Xa}.`})}}else if(l==="string"){let H=Qa===void 0&&ei===void 0?0:D_(e);Qa!==void 0&&H<Qa&&A.push({instanceLocation:s,keyword:"minLength",keywordLocation:`${c}/minLength`,error:`String is too short (${H} < ${Qa}).`}),ei!==void 0&&H>ei&&A.push({instanceLocation:s,keyword:"maxLength",keywordLocation:`${c}/maxLength`,error:`String is too long (${H} > ${ei}).`}),am!==void 0&&!new RegExp(am,"u").test(e)&&A.push({instanceLocation:s,keyword:"pattern",keywordLocation:`${c}/pattern`,error:"String does not match pattern."}),wr!==void 0&&fp[wr]&&!fp[wr](e)&&A.push({instanceLocation:s,keyword:"format",keywordLocation:`${c}/format`,error:`String does not match format "${wr}".`})}return{valid:A.length===0,errors:A}}o(Se,"validate");var js=class{static{o(this,"Validator")}schema;draft;shortCircuit;lookup;constructor(t,r="2019-09",n=!0){this.schema=t,this.draft=r,this.shortCircuit=n,this.lookup=hr(t)}validate(t){return Se(t,this.schema,this.draft,this.lookup,this.shortCircuit)}addSchema(t,r){r&&(t={...t,$id:r}),hr(t,this.lookup)}};var vo=class{static{o(this,"CfWorkerJsonSchemaValidator")}constructor(t){this.shortcircuit=t?.shortcircuit??!0,this.draft=t?.draft??"2020-12"}getValidator(t){let r=new js(t,this.draft,this.shortcircuit);return n=>{let a=r.validate(n);return a.valid?{valid:!0,data:n,errorMessage:void 0}:{valid:!1,data:void 0,errorMessage:a.errors.map(i=>`${i.instanceLocation}: ${i.error}`).join("; ")}}}};import{metrics as BO,context as Hs,propagation as H_,SpanKind as L_,SpanStatusCode as hp,trace as La}from"@opentelemetry/api";var GO="mcp-gateway",VO="mcp-gateway",FO=rn,ZO="2.0",B_=La.getTracer(GO),gp=BO.getMeter(VO),KO=gp.createHistogram("mcp.client.operation.duration",{description:"The duration of the MCP request or notification as observed on the sender.",unit:"s"}),JO=gp.createHistogram("mcp.server.operation.duration",{description:"MCP request or notification duration as observed on the receiver.",unit:"s"}),WO=gp.createHistogram("mcp.client.session.duration",{description:"The duration of the MCP session as observed on the MCP client.",unit:"s"}),YO=["traceparent","tracestate","baggage"];function yp(){return performance.now()/1e3}o(yp,"nowSeconds");function G_(e,t){t(Math.max(yp()-e,0))}o(G_,"recordDurationSeconds");function j_(e){return e===void 0?void 0:String(e)}o(j_,"stringifyAttribute");function Le(e,t,r){r!==void 0&&(e[t]=r)}o(Le,"assignAttribute");function XO(e){if(e.capabilityType==="tool"||e.capabilityType==="prompt")return e.capabilityName}o(XO,"readTargetName");function V_(e){let t=XO({kind:"client",...e});return t?`${e.methodName} ${t}`:e.methodName}o(V_,"buildMcpOperationSpanName");function Sp(e){let t={"mcp.method.name":e.methodName};return Le(t,"jsonrpc.protocol.version",e.jsonRpcProtocolVersion??ZO),Le(t,"jsonrpc.request.id",j_(e.jsonRpcRequestId)),Le(t,"mcp.protocol.version",e.mcpProtocolVersion??FO),Le(t,"mcp.session.id",e.mcpSessionId),Le(t,"mcp.resource.uri",e.resourceUri),Le(t,"rpc.response.status_code",j_(e.rpcResponseStatusCode)),Le(t,"error.type",e.errorType),e.capabilityType==="tool"&&(Le(t,"gen_ai.operation.name","execute_tool"),Le(t,"gen_ai.tool.name",e.capabilityName)),e.capabilityType==="prompt"&&Le(t,"gen_ai.prompt.name",e.capabilityName),Le(t,"network.protocol.name",e.networkProtocolName?.toLowerCase()),Le(t,"network.protocol.version",e.networkProtocolVersion),Le(t,"network.transport",e.networkTransport),Le(t,"server.address",e.serverAddress),Le(t,"server.port",e.serverPort),Le(t,"client.address",e.clientAddress),Le(t,"client.port",e.clientPort),t}o(Sp,"buildMcpOperationAttributes");function QO(e){let t=Sp({methodName:"initialize",...e});return delete t["mcp.method.name"],t}o(QO,"buildMcpSessionAttributes");function F_(e,t,r){e.setAttribute("error.type",r),e.setStatus({code:hp.ERROR}),t instanceof Error&&e.recordException(t)}o(F_,"setSpanError");function Z_(e){let t=e?.code;return typeof t=="string"||typeof t=="number"?String(t):e instanceof Error?e.name:"_OTHER"}o(Z_,"readErrorType");function eM(e){let t=e&&typeof e=="object"?e._meta:void 0;return!t||typeof t!="object"?Hs.active():H_.extract(Hs.active(),t,{get(r,n){let a=r[n];return typeof a=="string"?a:void 0},keys(r){return Object.keys(r)}})}o(eM,"readServerParentContext");function tM(e){let t=La.getSpanContext(Hs.active()),r=La.getSpanContext(e);if(!(!t||!La.isSpanContextValid(t))&&!(r&&La.isSpanContextValid(r)&&t.traceId===r.traceId&&t.spanId===r.spanId))return[{context:t}]}o(tM,"readAmbientSpanLink");function K_(e){return e&&typeof e=="object"&&e.isError===!0?"tool_error":void 0}o(K_,"readResultErrorType");async function Fr(e,t){let r=yp(),n=Sp({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});return B_.startActiveSpan(V_(e),{kind:L_.CLIENT,attributes:n},async a=>{try{let i=await t(),s=K_(i);return s&&(a.setAttribute("error.type",s),a.setStatus({code:hp.ERROR}),n["error.type"]=s),i}catch(i){let s=e.errorType??Z_(i);throw n["error.type"]=s,F_(a,i,s),i}finally{G_(r,i=>{KO.record(i,n)}),a.end()}})}o(Fr,"runMcpClientOperation");async function Zr(e,t){let r=yp(),n=eM(e.params),a=Sp({kind:"server",networkProtocolName:"http",networkTransport:"tcp",...e}),i=tM(n);return B_.startActiveSpan(V_(e),{kind:L_.SERVER,attributes:a,...i?{links:i}:{}},n,async s=>{try{let c=await t(),d=K_(c);return d&&(s.setAttribute("error.type",d),s.setStatus({code:hp.ERROR}),a["error.type"]=d),c}catch(c){let d=e.errorType??Z_(c);throw a["error.type"]=d,F_(s,c,d),c}finally{G_(r,c=>{JO.record(c,a)}),s.end()}})}o(Zr,"runMcpServerOperation");function J_(e){let t={...e??{},_meta:{...e?._meta&&typeof e._meta=="object"?e._meta:{}}};return H_.inject(Hs.active(),t._meta,{set(r,n,a){YO.includes(n)&&(r[n]=a)}}),t}o(J_,"injectMcpTraceContextIntoParams");function W_(e,t){let r=QO({kind:"client",networkProtocolName:"http",networkTransport:"tcp",...e});WO.record(Math.max(t,0),r)}o(W_,"recordMcpClientSessionDuration");var Ls=class{static{o(this,"ExperimentalClientTasks")}constructor(t){this._client=t}async*callToolStream(t,r=Ir,n){let a=this._client,i={...n,task:n?.task??(a.isToolTask(t.name)?{}:void 0)},s=a.requestStream({method:"tools/call",params:t},r,i),c=a.getToolOutputValidator(t.name);for await(let d of s){if(d.type==="result"&&c){let p=d.result;if(!p.structuredContent&&!p.isError){yield{type:"error",error:new I(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`)};return}if(p.structuredContent)try{let l=c(p.structuredContent);if(!l.valid){yield{type:"error",error:new I(k.InvalidParams,`Structured content does not match the tool's output schema: ${l.errorMessage}`)};return}}catch(l){if(l instanceof I){yield{type:"error",error:l};return}yield{type:"error",error:new I(k.InvalidParams,`Failed to validate structured content: ${l instanceof Error?l.message:String(l)}`)};return}}yield d}}async getTask(t,r){return this._client.getTask({taskId:t},r)}async getTaskResult(t,r,n){return this._client.getTaskResult({taskId:t},r,n)}async listTasks(t,r){return this._client.listTasks(t?{cursor:t}:void 0,r)}async cancelTask(t,r){return this._client.cancelTask({taskId:t},r)}requestStream(t,r,n){return this._client.requestStream(t,r,n)}};function Bs(e,t){if(!(!e||t===null||typeof t!="object")){if(e.type==="object"&&e.properties&&typeof e.properties=="object"){let r=t,n=e.properties;for(let a of Object.keys(n)){let i=n[a];r[a]===void 0&&Object.prototype.hasOwnProperty.call(i,"default")&&(r[a]=i.default),r[a]!==void 0&&Bs(i,r[a])}}if(Array.isArray(e.anyOf))for(let r of e.anyOf)typeof r!="boolean"&&Bs(r,t);if(Array.isArray(e.oneOf))for(let r of e.oneOf)typeof r!="boolean"&&Bs(r,t)}}o(Bs,"applyElicitationDefaults");function rM(e){if(!e)return{supportsFormMode:!1,supportsUrlMode:!1};let t=e.form!==void 0,r=e.url!==void 0;return{supportsFormMode:t||!t&&!r,supportsUrlMode:r}}o(rM,"getSupportedElicitationModes");var Gs=class extends eo{static{o(this,"Client")}constructor(t,r){super(r),this._clientInfo=t,this._cachedToolOutputValidators=new Map,this._cachedKnownTaskTools=new Set,this._cachedRequiredTaskTools=new Set,this._listChangedDebounceTimers=new Map,this._capabilities=r?.capabilities??{},this._jsonSchemaValidator=r?.jsonSchemaValidator??new So,r?.listChanged&&(this._pendingListChangedConfig=r.listChanged)}_setupListChangedHandlers(t){t.tools&&this._serverCapabilities?.tools?.listChanged&&this._setupListChangedHandler("tools",Wc,t.tools,async()=>(await this.listTools()).tools),t.prompts&&this._serverCapabilities?.prompts?.listChanged&&this._setupListChangedHandler("prompts",Zc,t.prompts,async()=>(await this.listPrompts()).prompts),t.resources&&this._serverCapabilities?.resources?.listChanged&&this._setupListChangedHandler("resources",Nc,t.resources,async()=>(await this.listResources()).resources)}get experimental(){return this._experimental||(this._experimental={tasks:new Ls(this)}),this._experimental}registerCapabilities(t){if(this.transport)throw new Error("Cannot register capabilities after connecting to transport");this._capabilities=Xi(this._capabilities,t)}setRequestHandler(t,r){let a=Qn(t)?.method;if(!a)throw new Error("Schema is missing a method literal");let i;if($r(a)){let c=a;i=c._zod?.def?.value??c.value}else{let c=a;i=c._def?.value??c.value}if(typeof i!="string")throw new Error("Schema method literal must be a string");let s=i;if(s==="elicitation/create"){let c=o(async(d,p)=>{let l=Ke(Qc,d);if(!l.success){let w=l.error instanceof Error?l.error.message:String(l.error);throw new I(k.InvalidParams,`Invalid elicitation request: ${w}`)}let{params:m}=l.data;m.mode=m.mode??"form";let{supportsFormMode:h,supportsUrlMode:g}=rM(this._capabilities.elicitation);if(m.mode==="form"&&!h)throw new I(k.InvalidParams,"Client does not support form-mode elicitation requests");if(m.mode==="url"&&!g)throw new I(k.InvalidParams,"Client does not support URL-mode elicitation requests");let S=await Promise.resolve(r(d,p));if(m.task){let w=Ke(rr,S);if(!w.success){let b=w.error instanceof Error?w.error.message:String(w.error);throw new I(k.InvalidParams,`Invalid task creation result: ${b}`)}return w.data}let y=Ke(Pr,S);if(!y.success){let w=y.error instanceof Error?y.error.message:String(y.error);throw new I(k.InvalidParams,`Invalid elicitation result: ${w}`)}let _=y.data,v=m.mode==="form"?m.requestedSchema:void 0;if(m.mode==="form"&&_.action==="accept"&&_.content&&v&&this._capabilities.elicitation?.form?.applyDefaults)try{Bs(v,_.content)}catch{}return _},"wrappedHandler");return super.setRequestHandler(t,c)}if(s==="sampling/createMessage"){let c=o(async(d,p)=>{let l=Ke(Xc,d);if(!l.success){let _=l.error instanceof Error?l.error.message:String(l.error);throw new I(k.InvalidParams,`Invalid sampling request: ${_}`)}let{params:m}=l.data,h=await Promise.resolve(r(d,p));if(m.task){let _=Ke(rr,h);if(!_.success){let v=_.error instanceof Error?_.error.message:String(_.error);throw new I(k.InvalidParams,`Invalid task creation result: ${v}`)}return _.data}let S=m.tools||m.toolChoice?Ho:tn,y=Ke(S,h);if(!y.success){let _=y.error instanceof Error?y.error.message:String(y.error);throw new I(k.InvalidParams,`Invalid sampling result: ${_}`)}return y.data},"wrappedHandler");return super.setRequestHandler(t,c)}return super.setRequestHandler(t,r)}assertCapability(t,r){if(!this._serverCapabilities?.[t])throw new Error(`Server does not support ${t} (required for ${r})`)}async connect(t,r){if(await super.connect(t),t.sessionId===void 0)try{let n=await this.request({method:"initialize",params:{protocolVersion:br,capabilities:this._capabilities,clientInfo:this._clientInfo}},Ac,r);if(n===void 0)throw new Error(`Server sent invalid initialize result: ${n}`);if(!Rr.includes(n.protocolVersion))throw new Error(`Server's protocol version is not supported: ${n.protocolVersion}`);this._serverCapabilities=n.capabilities,this._serverVersion=n.serverInfo,t.setProtocolVersion&&t.setProtocolVersion(n.protocolVersion),this._instructions=n.instructions,await this.notification({method:"notifications/initialized"}),this._pendingListChangedConfig&&(this._setupListChangedHandlers(this._pendingListChangedConfig),this._pendingListChangedConfig=void 0)}catch(n){throw this.close(),n}}getServerCapabilities(){return this._serverCapabilities}getServerVersion(){return this._serverVersion}getInstructions(){return this._instructions}assertCapabilityForMethod(t){switch(t){case"logging/setLevel":if(!this._serverCapabilities?.logging)throw new Error(`Server does not support logging (required for ${t})`);break;case"prompts/get":case"prompts/list":if(!this._serverCapabilities?.prompts)throw new Error(`Server does not support prompts (required for ${t})`);break;case"resources/list":case"resources/templates/list":case"resources/read":case"resources/subscribe":case"resources/unsubscribe":if(!this._serverCapabilities?.resources)throw new Error(`Server does not support resources (required for ${t})`);if(t==="resources/subscribe"&&!this._serverCapabilities.resources.subscribe)throw new Error(`Server does not support resource subscriptions (required for ${t})`);break;case"tools/call":case"tools/list":if(!this._serverCapabilities?.tools)throw new Error(`Server does not support tools (required for ${t})`);break;case"completion/complete":if(!this._serverCapabilities?.completions)throw new Error(`Server does not support completions (required for ${t})`);break;case"initialize":break;case"ping":break}}assertNotificationCapability(t){switch(t){case"notifications/roots/list_changed":if(!this._capabilities.roots?.listChanged)throw new Error(`Client does not support roots list changed notifications (required for ${t})`);break;case"notifications/initialized":break;case"notifications/cancelled":break;case"notifications/progress":break}}assertRequestHandlerCapability(t){if(this._capabilities)switch(t){case"sampling/createMessage":if(!this._capabilities.sampling)throw new Error(`Client does not support sampling capability (required for ${t})`);break;case"elicitation/create":if(!this._capabilities.elicitation)throw new Error(`Client does not support elicitation capability (required for ${t})`);break;case"roots/list":if(!this._capabilities.roots)throw new Error(`Client does not support roots capability (required for ${t})`);break;case"tasks/get":case"tasks/list":case"tasks/result":case"tasks/cancel":if(!this._capabilities.tasks)throw new Error(`Client does not support tasks capability (required for ${t})`);break;case"ping":break}}assertTaskCapability(t){$s(this._serverCapabilities?.tasks?.requests,t,"Server")}assertTaskHandlerCapability(t){this._capabilities&&qs(this._capabilities.tasks?.requests,t,"Client")}async ping(t){return this.request({method:"ping"},tr,t)}async complete(t,r){return this.request({method:"completion/complete",params:t},eu,r)}async setLoggingLevel(t,r){return this.request({method:"logging/setLevel",params:{level:t}},tr,r)}async getPrompt(t,r){return this.request({method:"prompts/get",params:t},Fc,r)}async listPrompts(t,r){return this.request({method:"prompts/list",params:t},jc,r)}async listResources(t,r){return this.request({method:"resources/list",params:t},Uc,r)}async listResourceTemplates(t,r){return this.request({method:"resources/templates/list",params:t},Mc,r)}async readResource(t,r){return this.request({method:"resources/read",params:t},qc,r)}async subscribeResource(t,r){return this.request({method:"resources/subscribe",params:t},tr,r)}async unsubscribeResource(t,r){return this.request({method:"resources/unsubscribe",params:t},tr,r)}async callTool(t,r=Ir,n){if(this.isToolTaskRequired(t.name))throw new I(k.InvalidRequest,`Tool "${t.name}" requires task-based execution. Use client.experimental.tasks.callToolStream() instead.`);let a=await this.request({method:"tools/call",params:t},r,n),i=this.getToolOutputValidator(t.name);if(i){if(!a.structuredContent&&!a.isError)throw new I(k.InvalidRequest,`Tool ${t.name} has an output schema but did not return structured content`);if(a.structuredContent)try{let s=i(a.structuredContent);if(!s.valid)throw new I(k.InvalidParams,`Structured content does not match the tool's output schema: ${s.errorMessage}`)}catch(s){throw s instanceof I?s:new I(k.InvalidParams,`Failed to validate structured content: ${s instanceof Error?s.message:String(s)}`)}}return a}isToolTask(t){return this._serverCapabilities?.tasks?.requests?.tools?.call?this._cachedKnownTaskTools.has(t):!1}isToolTaskRequired(t){return this._cachedRequiredTaskTools.has(t)}cacheToolMetadata(t){this._cachedToolOutputValidators.clear(),this._cachedKnownTaskTools.clear(),this._cachedRequiredTaskTools.clear();for(let r of t){if(r.outputSchema){let a=this._jsonSchemaValidator.getValidator(r.outputSchema);this._cachedToolOutputValidators.set(r.name,a)}let n=r.execution?.taskSupport;(n==="required"||n==="optional")&&this._cachedKnownTaskTools.add(r.name),n==="required"&&this._cachedRequiredTaskTools.add(r.name)}}getToolOutputValidator(t){return this._cachedToolOutputValidators.get(t)}async listTools(t,r){let n=await this.request({method:"tools/list",params:t},Jc,r);return this.cacheToolMetadata(n.tools),n}_setupListChangedHandler(t,r,n,a){let i=Mm.safeParse(n);if(!i.success)throw new Error(`Invalid ${t} listChanged options: ${i.error.message}`);if(typeof n.onChanged!="function")throw new Error(`Invalid ${t} listChanged options: onChanged must be a function`);let{autoRefresh:s,debounceMs:c}=i.data,{onChanged:d}=n,p=o(async()=>{if(!s){d(null,null);return}try{let m=await a();d(null,m)}catch(m){let h=m instanceof Error?m:new Error(String(m));d(h,null)}},"refresh"),l=o(()=>{if(c){let m=this._listChangedDebounceTimers.get(t);m&&clearTimeout(m);let h=setTimeout(p,c);this._listChangedDebounceTimers.set(t,h)}else p()},"handler");this.setNotificationHandler(r,l)}async sendRootsListChanged(){return this.notification({method:"notifications/roots/list_changed"})}};function Vs(e){return e?e instanceof Headers?Object.fromEntries(e.entries()):Array.isArray(e)?Object.fromEntries(e):{...e}:{}}o(Vs,"normalizeHeaders");function Y_(e=fetch,t){return t?async(r,n)=>{let a={...t,...n,headers:n?.headers?{...Vs(t.headers),...Vs(n.headers)}:t.headers};return e(r,a)}:e}o(Y_,"createFetchWithInit");var Fs=class extends Error{static{o(this,"ParseError")}constructor(t,r){super(t),this.name="ParseError",this.type=r.type,this.field=r.field,this.value=r.value,this.line=r.line}};function _p(e){}o(_p,"noop");function X_(e){if(typeof e=="function")throw new TypeError("`callbacks` must be an object, got a function instead. Did you mean `{onEvent: fn}`?");let{onEvent:t=_p,onError:r=_p,onRetry:n=_p,onComment:a}=e,i="",s=!0,c,d="",p="";function l(y){let _=s?y.replace(/^\xEF\xBB\xBF/,""):y,[v,w]=nM(`${i}${_}`);for(let b of v)m(b);i=w,s=!1}o(l,"feed");function m(y){if(y===""){g();return}if(y.startsWith(":")){a&&a(y.slice(y.startsWith(": ")?2:1));return}let _=y.indexOf(":");if(_!==-1){let v=y.slice(0,_),w=y[_+1]===" "?2:1,b=y.slice(_+w);h(v,b,y);return}h(y,"",y)}o(m,"parseLine");function h(y,_,v){switch(y){case"event":p=_;break;case"data":d=`${d}${_}
-`;break;case"id":c=_.includes("\0")?void 0:_;break;case"retry":/^\d+$/.test(_)?n(parseInt(_,10)):r(new Fs(`Invalid \`retry\` value: "${_}"`,{type:"invalid-retry",value:_,line:v}));break;default:r(new Fs(`Unknown field "${y.length>20?`${y.slice(0,20)}\u2026`:y}"`,{type:"unknown-field",field:y,value:_,line:v}));break}}o(h,"processField");function g(){d.length>0&&t({id:c,event:p||void 0,data:d.endsWith(`
-`)?d.slice(0,-1):d}),c=void 0,d="",p=""}o(g,"dispatchEvent");function S(y={}){i&&y.consume&&m(i),s=!0,c=void 0,d="",p="",i=""}return o(S,"reset"),{feed:l,reset:S}}o(X_,"createParser");function nM(e){let t=[],r="",n=0;for(;n<e.length;){let a=e.indexOf("\r",n),i=e.indexOf(`
-`,n),s=-1;if(a!==-1&&i!==-1?s=Math.min(a,i):a!==-1?a===e.length-1?s=-1:s=a:i!==-1&&(s=i),s===-1){r=e.slice(n);break}else{let c=e.slice(n,s);t.push(c),n=s+1,e[n-1]==="\r"&&e[n]===`
-`&&n++}}return[t,r]}o(nM,"splitLines");var Zs=class extends TransformStream{static{o(this,"EventSourceParserStream")}constructor({onError:t,onRetry:r,onComment:n}={}){let a;super({start(i){a=X_({onEvent:o(s=>{i.enqueue(s)},"onEvent"),onError(s){t==="terminate"?i.error(s):typeof t=="function"&&t(s)},onRetry:r,onComment:n})},transform(i){a.feed(i)}})}};var oM={initialReconnectionDelay:1e3,maxReconnectionDelay:3e4,reconnectionDelayGrowFactor:1.5,maxRetries:2},Kr=class extends Error{static{o(this,"StreamableHTTPError")}constructor(t,r){super(`Streamable HTTP error: ${r}`),this.code=t}},Ks=class{static{o(this,"StreamableHTTPClientTransport")}constructor(t,r){this._hasCompletedAuthFlow=!1,this._url=t,this._resourceMetadataUrl=void 0,this._scope=void 0,this._requestInit=r?.requestInit,this._authProvider=r?.authProvider,this._fetch=r?.fetch,this._fetchWithInit=Y_(r?.fetch,r?.requestInit),this._sessionId=r?.sessionId,this._reconnectionOptions=r?.reconnectionOptions??oM}async _authThenStart(){if(!this._authProvider)throw new xt("No auth provider");let t;try{t=await zr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})}catch(r){throw this.onerror?.(r),r}if(t!=="AUTHORIZED")throw new xt;return await this._startOrAuthSse({resumptionToken:void 0})}async _commonHeaders(){let t={};if(this._authProvider){let n=await this._authProvider.tokens();n&&(t.Authorization=`Bearer ${n.access_token}`)}this._sessionId&&(t["mcp-session-id"]=this._sessionId),this._protocolVersion&&(t["mcp-protocol-version"]=this._protocolVersion);let r=Vs(this._requestInit?.headers);return new Headers({...t,...r})}async _startOrAuthSse(t){let{resumptionToken:r}=t;try{let n=await this._commonHeaders();n.set("Accept","text/event-stream"),r&&n.set("last-event-id",r);let a=await(this._fetch??fetch)(this._url,{method:"GET",headers:n,signal:this._abortController?.signal});if(!a.ok){if(await a.body?.cancel(),a.status===401&&this._authProvider)return await this._authThenStart();if(a.status===405)return;throw new Kr(a.status,`Failed to open SSE stream: ${a.statusText}`)}this._handleSseStream(a.body,t,!0)}catch(n){throw this.onerror?.(n),n}}_getNextReconnectionDelay(t){if(this._serverRetryMs!==void 0)return this._serverRetryMs;let r=this._reconnectionOptions.initialReconnectionDelay,n=this._reconnectionOptions.reconnectionDelayGrowFactor,a=this._reconnectionOptions.maxReconnectionDelay;return Math.min(r*Math.pow(n,t),a)}_scheduleReconnection(t,r=0){let n=this._reconnectionOptions.maxRetries;if(r>=n){this.onerror?.(new Error(`Maximum reconnection attempts (${n}) exceeded.`));return}let a=this._getNextReconnectionDelay(r);this._reconnectionTimeout=setTimeout(()=>{this._startOrAuthSse(t).catch(i=>{this.onerror?.(new Error(`Failed to reconnect SSE stream: ${i instanceof Error?i.message:String(i)}`)),this._scheduleReconnection(t,r+1)})},a)}_handleSseStream(t,r,n){if(!t)return;let{onresumptiontoken:a,replayMessageId:i}=r,s,c=!1,d=!1;o(async()=>{try{let l=t.pipeThrough(new TextDecoderStream).pipeThrough(new Zs({onRetry:o(g=>{this._serverRetryMs=g},"onRetry")})).getReader();for(;;){let{value:g,done:S}=await l.read();if(S)break;if(g.id&&(s=g.id,c=!0,a?.(g.id)),!!g.data&&(!g.event||g.event==="message"))try{let y=en.parse(JSON.parse(g.data));It(y)&&(d=!0,i!==void 0&&(y.id=i)),this.onmessage?.(y)}catch(y){this.onerror?.(y)}}(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted&&this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(l){if(this.onerror?.(new Error(`SSE stream disconnected: ${l}`)),(n||c)&&!d&&this._abortController&&!this._abortController.signal.aborted)try{this._scheduleReconnection({resumptionToken:s,onresumptiontoken:a,replayMessageId:i},0)}catch(g){this.onerror?.(new Error(`Failed to reconnect: ${g instanceof Error?g.message:String(g)}`))}}},"processStream")()}async start(){if(this._abortController)throw new Error("StreamableHTTPClientTransport already started! If using Client class, note that connect() calls start() automatically.");this._abortController=new AbortController}async finishAuth(t){if(!this._authProvider)throw new xt("No auth provider");if(await zr(this._authProvider,{serverUrl:this._url,authorizationCode:t,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new xt("Failed to authorize")}async close(){this._reconnectionTimeout&&(clearTimeout(this._reconnectionTimeout),this._reconnectionTimeout=void 0),this._abortController?.abort(),this.onclose?.()}async send(t,r){try{let{resumptionToken:n,onresumptiontoken:a}=r||{};if(n){this._startOrAuthSse({resumptionToken:n,replayMessageId:qt(t)?t.id:void 0}).catch(h=>this.onerror?.(h));return}let i=await this._commonHeaders();i.set("content-type","application/json"),i.set("accept","application/json, text/event-stream");let s={...this._requestInit,method:"POST",headers:i,body:JSON.stringify(t),signal:this._abortController?.signal},c=await(this._fetch??fetch)(this._url,s),d=c.headers.get("mcp-session-id");if(d&&(this._sessionId=d),!c.ok){let h=await c.text().catch(()=>null);if(c.status===401&&this._authProvider){if(this._hasCompletedAuthFlow)throw new Kr(401,"Server returned 401 after successful authentication");let{resourceMetadataUrl:g,scope:S}=fd(c);if(this._resourceMetadataUrl=g,this._scope=S,await zr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetchWithInit})!=="AUTHORIZED")throw new xt;return this._hasCompletedAuthFlow=!0,this.send(t)}if(c.status===403&&this._authProvider){let{resourceMetadataUrl:g,scope:S,error:y}=fd(c);if(y==="insufficient_scope"){let _=c.headers.get("WWW-Authenticate");if(this._lastUpscopingHeader===_)throw new Kr(403,"Server returned 403 after trying upscoping");if(S&&(this._scope=S),g&&(this._resourceMetadataUrl=g),this._lastUpscopingHeader=_??void 0,await zr(this._authProvider,{serverUrl:this._url,resourceMetadataUrl:this._resourceMetadataUrl,scope:this._scope,fetchFn:this._fetch})!=="AUTHORIZED")throw new xt;return this.send(t)}}throw new Kr(c.status,`Error POSTing to endpoint: ${h}`)}if(this._hasCompletedAuthFlow=!1,this._lastUpscopingHeader=void 0,c.status===202){await c.body?.cancel(),xm(t)&&this._startOrAuthSse({resumptionToken:void 0}).catch(h=>this.onerror?.(h));return}let l=(Array.isArray(t)?t:[t]).filter(h=>"method"in h&&"id"in h&&h.id!==void 0).length>0,m=c.headers.get("content-type");if(l)if(m?.includes("text/event-stream"))this._handleSseStream(c.body,{onresumptiontoken:a},!1);else if(m?.includes("application/json")){let h=await c.json(),g=Array.isArray(h)?h.map(S=>en.parse(S)):[en.parse(h)];for(let S of g)this.onmessage?.(S)}else throw await c.body?.cancel(),new Kr(-1,`Unexpected content type: ${m}`);else await c.body?.cancel()}catch(n){throw this.onerror?.(n),n}}get sessionId(){return this._sessionId}async terminateSession(){if(this._sessionId)try{let t=await this._commonHeaders(),r={...this._requestInit,method:"DELETE",headers:t,signal:this._abortController?.signal},n=await(this._fetch??fetch)(this._url,r);if(await n.body?.cancel(),!n.ok&&n.status!==405)throw new Kr(n.status,`Failed to terminate session: ${n.statusText}`);this._sessionId=void 0}catch(t){throw this.onerror?.(t),t}}setProtocolVersion(t){this._protocolVersion=t}get protocolVersion(){return this._protocolVersion}async resumeStream(t,r){await this._startOrAuthSse({resumptionToken:t,onresumptiontoken:r?.onresumptiontoken})}};function Q_(e=[]){let t={};for(let r of e){if(!r.value){if(r.required)throw new q(`Native MCP transport header "${r.name}" is required but has no value configured. Set the env var that backs the header or mark the header optional.`);continue}t[r.name]=r.value}return t}o(Q_,"resolveNativeMcpRequestHeaders");var aM={name:"zuplo-mcp-gateway",version:"0.1.0"},iM=new vo({draft:"7",shortcircuit:!1}),sM=5,cM=500,nv=3e4,uM=2*1024*1024,dM=2,Ba="upstream_capability_invocation_failed",ev="upstream_import_failed";function tv(){return performance.now()/1e3}o(tv,"nowSeconds");function lM(e){if(e.port)return Number(e.port);if(e.protocol==="https:")return 443;if(e.protocol==="http:")return 80}o(lM,"readServerPort");function pM(e,t){return{mcpSessionId:t,serverAddress:e.hostname,serverPort:lM(e)}}o(pM,"buildNativeMcpOperationContext");function Rn(e){return J_(e)}o(Rn,"withTraceMeta");function Js(e){if(e>cM)throw new E({message:Qe[ev].publicDetail,extensionMembers:{[T]:ev}},{cause:new Error("Upstream import exceeded the maximum allowed capability count.")})}o(Js,"assertImportedCapabilityBudget");function rv(e){return Object.keys(e).length===0?{}:{requestInit:{headers:e}}}o(rv,"buildRequestInit");function mM(e){return(t,r)=>Jn(t,r,{additionalCrossOriginStrippedHeaders:e,maxRedirects:dM,maxResponseBytes:uM,problemCode:Ba,timeoutMs:nv})}o(mM,"createNativeMcpFetch");function fM(e){return new Promise((t,r)=>{let n=setTimeout(()=>{r(new E({message:Qe[Ba].publicDetail,extensionMembers:{[T]:Ba}},{cause:new Error("Upstream MCP request exceeded the maximum allowed time.")}))},nv);e.then(a=>{clearTimeout(n),t(a)},a=>{clearTimeout(n),r(a)})})}o(fM,"withNativeMcpRequestTimeout");function hM(e,t=[]){let r=Q_(t),n=e?.type==="headers"?Object.keys(e.headers):[],a=[...Object.keys(r),...n],i={fetch:mM(a)};if(!e)return{...i,...rv(r)};switch(e.type){case"mcp_oauth_provider":return{authProvider:e.provider,...i,...rv(r)};case"bearer_token":return{...i,requestInit:{headers:{...r,Authorization:`Bearer ${e.token}`}}};case"headers":return{...i,requestInit:{headers:{...r,...e.headers}}}}}o(hM,"buildNativeMcpTransportOptions");async function Cn(e,t,r){let{transport:n}=Ge(e),a=new URL(n.baseUrl),i=new Ks(a,hM(r,n.requestHeaders)),s=new Gs(aM,{capabilities:{},jsonSchemaValidator:iM});return fM((async()=>{let c=tv();await s.connect(i);let d=i.sessionId,p=pM(a,d),l,m=!1,h;try{h=await t(s,p)}catch(S){m=!0,l=S}let g;try{await s.close()}catch(S){g=S}if(d&&W_(p,tv()-c),m)throw l;if(g!==void 0)throw g;return h})())}o(Cn,"withNativeMcpClient");async function gM(e,t,r){let n=[],a,i=0;do{if(i>=sM)throw new E({message:Qe[Ba].publicDetail,extensionMembers:{[T]:Ba}},{cause:new Error(`${e} pagination exceeded the maximum allowed page count.`)});let s=await t(a);i+=1,n.push(...r(s)),a=s.nextCursor}while(a);return n}o(gM,"collectPaginatedSdkItems");async function Ws(e){return e.enabled?gM(e.label,e.fetchPage,e.readItems):[]}o(Ws,"listNativeMcpCapabilityItems");async function ov(e){return Cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Fr({methodName:"tools/list",...r},()=>Ws({enabled:!!n?.tools,label:"Tool list",fetchPage:o(i=>t.listTools(Rn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.tools,"readItems")}));return Js(a.length),{tools:a}},e.credential)}o(ov,"listNativeMcpTools");async function av(e){return Cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Fr({methodName:"prompts/list",...r},()=>Ws({enabled:!!n?.prompts,label:"Prompt list",fetchPage:o(i=>t.listPrompts(Rn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.prompts,"readItems")}));return Js(a.length),{prompts:a}},e.credential)}o(av,"listNativeMcpPrompts");async function iv(e){return Cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Fr({methodName:"resources/list",...r},()=>Ws({enabled:!!n?.resources,label:"Resource list",fetchPage:o(i=>t.listResources(Rn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resources,"readItems")}));return Js(a.length),{resources:a}},e.credential)}o(iv,"listNativeMcpResources");async function sv(e){return Cn(e.upstreamServerId,async(t,r)=>{let n=t.getServerCapabilities(),a=await Fr({methodName:"resources/templates/list",...r},()=>Ws({enabled:!!n?.resources,label:"Resource template list",fetchPage:o(i=>t.listResourceTemplates(Rn(i?{cursor:i}:void 0)),"fetchPage"),readItems:o(i=>i.resourceTemplates,"readItems")}));return Js(a.length),{resourceTemplates:a}},e.credential)}o(sv,"listNativeMcpResourceTemplates");async function cv(e){return Cn(e.upstreamServerId,(t,r)=>Fr({methodName:"tools/call",capabilityType:"tool",capabilityName:e.params.name,...r},async()=>await t.callTool(Rn(e.params))),e.credential)}o(cv,"callNativeMcpTool");async function uv(e){return Cn(e.upstreamServerId,(t,r)=>Fr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:e.params.name,...r},()=>t.getPrompt(Rn(e.params))),e.credential)}o(uv,"getNativeMcpPrompt");async function dv(e){return Cn(e.upstreamServerId,(t,r)=>Fr({methodName:"resources/read",capabilityType:"resource",resourceUri:e.params.uri,...r},()=>t.readResource(Rn(e.params))),e.credential)}o(dv,"readNativeMcpResource");var wo=class extends I{static{o(this,"ConnectRequiredMcpError")}constructor(t){super(k.InvalidRequest,t.message),this.name="ConnectRequiredMcpError"}},Ga=class extends I{static{o(this,"GatewayAuthorizationMcpError")}authorizationFailureKind;constructor(t){super(k.InvalidRequest,vM(t)),this.name="GatewayAuthorizationMcpError",this.authorizationFailureKind=t}};function yM(e){return{content:[{type:"text",text:e}],isError:!0}}o(yM,"buildToolErrorResult");function hv(e){return e.authUrl?new Ct([{mode:"url",elicitationId:crypto.randomUUID(),message:e.message,url:e.authUrl}],e.message):new wo(e)}o(hv,"toConnectRequiredError");function SM(e){if(e.type!=="mcp_oauth_provider")return;let{provider:t}=e;if(!("authorizationUrl"in t))return;let{authorizationUrl:r}=t;return typeof r=="string"&&r.length>0?r:void 0}o(SM,"readOAuthAuthorizationUrl");function _M(e,t){return SM(t)===void 0?!1:e instanceof xt||e instanceof Error&&e.message==="Unauthorized"}o(_M,"isOAuthRedirectUnauthorizedError");function vM(e){switch(e){case"resource_mismatch":return"Gateway access token was not issued for this MCP resource.";case"principal_mismatch":return"Gateway access token principal did not match the request.";default:return"Gateway access token is expired, revoked, or invalid."}}o(vM,"readCompositeAuthorizationFailureDetail");function wM(e){return{credentialType:e.type,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}o(wM,"buildCredentialResolvedAttributes");function bM(e){J(e.context,{eventType:F.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:wM(e.credential)})}o(bM,"emitCredentialResolvedAnalyticsEvent");function gv(e){if(J(e.context,{eventType:F.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}}),e.payload.state==="reconsent_required")J(e.context,{eventType:F.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}});else{let t=RM(e.payload.state);J(e.context,{eventType:F.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:t,reasonClass:"auth",attributes:{nextAction:e.payload.nextAction,state:e.payload.state}})}}o(gv,"emitCredentialMissingAnalyticsEvent");function RM(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required";default:{let t=e;return"connect_required"}}}o(RM,"connectRequiredReasonCode");function CM(e){return e.ownerMode==="none"?JSON.stringify(["none",e.upstreamServerId,e.authProfileId]):Er({owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId})}o(CM,"readRouteBindingCredentialCacheKey");function bp(e){if(e.ownerMode!=="none")return{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}}o(bp,"readOwnedRouteBindingLookup");async function IM(e){let t=Uu(e.request);if(!t)return new Map;let r=new Map;for(let s of e.routeBindings){let c=bp(s);c!==void 0&&r.set(Er(c),c)}if(r.size===0)return new Map;let n=[...r.values()],a=await Y().authorizeAndLoadConnections({accessTokenHash:await fe(t),resource:Ar(e.virtualServerId,e.request.url),virtualServerId:e.virtualServerId,upstreamConnectionKeys:n,now:oe(new Date)});if(a.kind!=="authorized")throw new Ga(a.kind);let i=new Map;return a.upstreamConnections.forEach((s,c)=>{let d=n[c];d!==void 0&&i.set(Er(d),s.connection)}),i}o(IM,"preloadCompositeAuthorizedConnections");function PM(e){let t=new Map;return r=>{let n=CM(r),a=t.get(n);if(a)return a;let i=(async()=>{let s=await e.preloadedConnections,c=bp(r),d=c===void 0?void 0:Er(c),p=await Ji({request:e.request,routeAuth:r,...d!==void 0&&s.has(d)?{preloadedConnection:s.get(d)}:{}});if(p.kind==="connect_required")throw gv({context:e.context,payload:p.payload,routeBinding:r}),hv(p.payload);return bM({context:e.context,credential:p.credential,routeBinding:r}),p.credential})();return t.set(n,i),i}}o(PM,"createCredentialResolver");var lv=500;function Rp(e){return e.length<=lv?e:`${e.slice(0,lv)}...`}o(Rp,"truncateAnalyticsDetail");function xM(e){J(e.context,{eventType:F.MCP_CAPABILITY_COMPLETED,outcome:e.result.isError===!0?"application_error":"success",routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",toolResultIsError:e.result.isError===!0,applicationError:e.result.isError===!0,latencyMs:e.latencyMs})}o(xM,"emitToolInvocationCompletedAnalyticsEvent");function vp(e){J(e.context,{eventType:F.MCP_CAPABILITY_INVOKED,outcome:"success",routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType})}o(vp,"emitCapabilityInvokedAnalyticsEvent");function pv(e){let t={};typeof e.itemCount=="number"&&(t.itemCount=e.itemCount),e.errorDetail!==void 0&&(t.detail=Rp(e.errorDetail)),J(e.context,{eventType:F.MCP_CAPABILITY_LISTED,outcome:e.outcome,...e.routeBinding?{routeBinding:e.routeBinding}:{},...e.virtualServerName?{virtualServerName:e.virtualServerName}:{},mcpMethod:e.mcpMethod,capabilityType:e.capabilityType,latencyMs:e.latencyMs,...e.reasonCode?{reasonCode:e.reasonCode}:{},...e.reasonClass?{reasonClass:e.reasonClass}:{},...e.errorType?{errorType:e.errorType}:{},attributes:t})}o(pv,"emitCapabilityListedAnalyticsEvent");function mv(e){J(e.context,{eventType:F.MCP_CAPABILITY_COMPLETED,outcome:"success",routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType,latencyMs:e.latencyMs})}o(mv,"emitCapabilityCompletedAnalyticsEvent");function fv(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=e.error instanceof Ct||e.error instanceof wo,n=e.error instanceof I&&e.error.code===k.InvalidParams,a=r?F.MCP_CAPABILITY_CONNECT_REQUIRED:F.MCP_CAPABILITY_FAILED,i=r?"connect_required":"failure",s=r?"connect_required":n?"invalid_capability_arguments":"upstream_capability_invocation_failed",c=r?"auth":n?"client":"upstream";J(e.context,{eventType:a,outcome:i,routeBinding:e.routeBinding,mcpMethod:e.mcpMethod,capabilityName:e.capabilityName,capabilityType:e.capabilityType,reasonCode:s,reasonClass:c,errorType:r?"connect_required":"capability_error",...n?{mcpErrorType:"InvalidParams"}:{},latencyMs:e.latencyMs,attributes:{detail:Rp(t)}})}o(fv,"emitCapabilityFailedAnalyticsEvent");function kM(e){return e instanceof Ct||e instanceof wo?{eventType:F.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required"}:e instanceof Ga?{eventType:F.MCP_CAPABILITY_FAILED,outcome:"denied",reasonCode:`gateway_access_token_${e.authorizationFailureKind}`,reasonClass:"auth",errorType:"auth_error",mcpErrorType:"InvalidRequest"}:e instanceof I&&e.code===k.InvalidParams?{eventType:F.MCP_CAPABILITY_FAILED,outcome:"failure",reasonCode:"invalid_tool_arguments",reasonClass:"client",errorType:"tool_error",mcpErrorType:"InvalidParams"}:{eventType:F.MCP_CAPABILITY_FAILED,outcome:"failure",reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"tool_error"}}o(kM,"classifyToolInvocationFailure");function AM(e){let t=e.error instanceof Error?e.error.message:String(e.error),r=kM(e.error);J(e.context,{eventType:r.eventType,outcome:r.outcome,routeBinding:e.routeBinding,mcpMethod:"tools/call",capabilityName:e.toolName,capabilityType:"tool",reasonCode:r.reasonCode,reasonClass:r.reasonClass,errorType:r.errorType,mcpErrorType:r.mcpErrorType,latencyMs:e.latencyMs,attributes:{detail:Rp(t)}})}o(AM,"emitToolInvocationFailedAnalyticsEvent");var TM=256*1024;function EM(e){if(e.arguments===void 0)return;let t;try{t=new TextEncoder().encode(JSON.stringify(e.arguments)).length}catch{throw new I(k.InvalidParams,"Tool arguments must be JSON-serializable.")}if(t>TM)throw new I(k.InvalidParams,"Tool arguments exceed the maximum allowed size.")}o(EM,"assertToolArgumentsWithinLimit");function wp(e,t){throw e instanceof I||e instanceof q||e instanceof K?e:new I(k.InternalError,Qe[t].publicDetail)}o(wp,"throwSafeUpstreamMcpError");function Cp(e){if(e.routeBindings.length===1)return e.routeBindings[0];let t=e.routeBindings.filter(r=>r.connectionPolicyName===e.upstreamPolicyName);if(t.length!==1)throw new I(k.InvalidRequest,`Published item ${e.capabilityName} on virtual server ${e.virtualServerId} is claimed by ${t.length} upstream bindings.`);return t[0]}o(Cp,"findBindingForPublishedCapability");function In(e){let t=e.routeBindings[0];if(e.routeBindings.length!==1||t===void 0)throw new I(k.InternalError,`Upstream MCP catalog mode for virtual server ${e.publishedVirtualServer.virtualServerId} requires exactly one upstream binding.`);return t}o(In,"requireSingleTransparentBinding");function UM(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:In(e),upstreamName:e.toolName};let t=e.publishedVirtualServer.catalog.tools.find(r=>r.name===e.toolName&&r.enabled!==!1);if(!t)throw new I(k.MethodNotFound,`Tool ${e.toolName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:Cp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(UM,"resolvePublishedToolRoute");function OM(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:In(e),upstreamName:e.promptName};let t=e.publishedVirtualServer.catalog.prompts.find(r=>r.name===e.promptName&&r.enabled!==!1);if(!t)throw new I(k.MethodNotFound,`Prompt ${e.promptName} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:Cp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamName:t.upstreamName}}o(OM,"resolvePublishedPromptRoute");function MM(e){if(e.publishedVirtualServer.catalog.catalogSource==="upstream_mcp")return{binding:In(e),upstreamUri:e.resourceUri};let t=e.publishedVirtualServer.catalog.resources.find(r=>r.uri===e.resourceUri&&r.enabled!==!1);if(!t)throw new I(k.MethodNotFound,`Resource ${e.resourceUri} is not available on virtual server ${e.publishedVirtualServer.virtualServerId}.`);return{binding:Cp({capabilityName:String(t.name),routeBindings:e.routeBindings,upstreamPolicyName:t.upstreamPolicyName,virtualServerId:e.publishedVirtualServer.virtualServerId}),upstreamUri:t.upstreamUri}}o(MM,"resolvePublishedResourceRoute");function yv(e){let t=IM({request:e.request,routeBindings:e.routeBindings,virtualServerId:e.publishedVirtualServer.virtualServerId}),r=PM({context:e.context,preloadedConnections:t,request:e.request}),n=e.publishedVirtualServer.virtualServerId;async function a(c){if(!_M(c.error,c.credential)||c.routeBinding.ownerMode==="none")return;let d=bp(c.routeBinding);if(d===void 0)return;let l=(await t).get(Er(d))?.id,m=c.routeBinding.owner.mode==="shared"?Wn({upstreamServerId:c.routeBinding.upstreamServerId,authProfileId:c.routeBinding.authProfileId,upstreamDisplayName:c.routeBinding.upstreamDisplayName,virtualServerId:c.routeBinding.virtualServerId,...l===void 0?{}:{connectionId:l},requiresReconsent:!0}):await Lt({requestUrl:e.request.url,owner:c.routeBinding.owner,initiatedBySubjectId:c.routeBinding.initiatedBySubjectId,upstreamServerId:c.routeBinding.upstreamServerId,authProfileId:c.routeBinding.authProfileId,upstreamDisplayName:c.routeBinding.upstreamDisplayName,virtualServerId:c.routeBinding.virtualServerId,subject:"tool",...l===void 0?{}:{connectionId:l},requiresReconsent:!0,...c.routeBinding.returnTo===void 0?{}:{returnTo:c.routeBinding.returnTo}});return gv({context:e.context,payload:m,routeBinding:c.routeBinding}),hv(m)}o(a,"buildForwardingConnectRequiredError");async function i(c){let d=await r(c.routeBinding);try{return await c.invoke(d)}catch(p){let l=await a({credential:d,error:p,routeBinding:c.routeBinding});throw l!==void 0?l:p}}o(i,"invokeNativeMcpWithCredential");async function s(c){let d=Date.now();try{let p=await c.invoke();return pv({context:e.context,routeBinding:c.routeBinding,virtualServerName:n,capabilityType:c.capabilityType,mcpMethod:c.mcpMethod,outcome:"success",itemCount:c.countItems(p),latencyMs:Date.now()-d}),p}catch(p){let l=p instanceof Error?p.message:String(p);if(pv({context:e.context,routeBinding:c.routeBinding,virtualServerName:n,capabilityType:c.capabilityType,mcpMethod:c.mcpMethod,outcome:"failure",latencyMs:Date.now()-d,reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorDetail:l}),c.routeBinding===void 0)throw p;wp(p,"upstream_import_failed")}}return o(s,"listCapability"),{async listTools(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return s({capabilityType:"tool",mcpMethod:"tools/list",invoke:o(async()=>({tools:e.publishedVirtualServer.catalog.tools.filter(d=>d.enabled!==!1).map($i)}),"invoke"),countItems:o(d=>d.tools.length,"countItems")});let c=In(e);return s({capabilityType:"tool",mcpMethod:"tools/list",routeBinding:c,invoke:o(async()=>i({routeBinding:c,invoke:o(d=>ov({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")}),"invoke"),countItems:o(d=>d.tools.length,"countItems")})},async callTool(c){let d=UM({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,toolName:c.name});vp({context:e.context,routeBinding:d.binding,capabilityType:"tool",capabilityName:c.name,mcpMethod:"tools/call"});let p=Date.now();try{EM(c);let l=await i({routeBinding:d.binding,invoke:o(m=>cv({upstreamServerId:d.binding.upstreamServerId,params:{...c,name:d.upstreamName},credential:m}),"invoke")});return xM({context:e.context,routeBinding:d.binding,toolName:c.name,result:l,latencyMs:Date.now()-p}),e.context.log.debug({event:"upstream_tool_invocation_succeeded",toolName:c.name,upstreamName:d.upstreamName,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId,isError:l.isError===!0},"Upstream tool invocation completed"),l}catch(l){if(AM({context:e.context,routeBinding:d.binding,toolName:c.name,error:l,latencyMs:Date.now()-p}),l instanceof Ct||l instanceof wo)throw e.context.log.info({event:"upstream_tool_invocation_connect_required",toolName:c.name,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId,ownerMode:d.binding.ownerMode,hasAuthUrl:l instanceof Ct},"Upstream tool invocation requires user to complete a connect flow"),l;if(l instanceof Ga)throw e.context.log.warn({event:"upstream_tool_invocation_gateway_auth_denied",toolName:c.name,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId,validationKind:l.authorizationFailureKind},"Gateway access token failed composite authorization; MCP tool invocation denied"),l;let m={event:"upstream_tool_invocation_failed",code:"upstream_capability_invocation_failed",toolName:c.name,upstreamName:d.upstreamName,upstreamServerId:d.binding.upstreamServerId,authProfileId:d.binding.authProfileId};return l instanceof I&&(m.mcpErrorCode=l.code),l instanceof Error?(m.errorName=l.name,m.errorMessage=l.message,l.cause instanceof Error&&(m.causeName=l.cause.name,m.causeMessage=l.cause.message)):m.errorMessage=String(l),e.context.log.warn(m,"Upstream tool invocation failed; returning generic gateway error to MCP client"),yM(Qe.upstream_capability_invocation_failed.publicDetail)}},async listPrompts(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return s({capabilityType:"prompt",mcpMethod:"prompts/list",invoke:o(async()=>({prompts:e.publishedVirtualServer.catalog.prompts.filter(d=>d.enabled!==!1).map(qi)}),"invoke"),countItems:o(d=>d.prompts.length,"countItems")});let c=In(e);return s({capabilityType:"prompt",mcpMethod:"prompts/list",routeBinding:c,invoke:o(async()=>i({routeBinding:c,invoke:o(d=>av({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")}),"invoke"),countItems:o(d=>d.prompts.length,"countItems")})},async getPrompt(c){let d=OM({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,promptName:c.name});vp({context:e.context,routeBinding:d.binding,capabilityType:"prompt",capabilityName:c.name,mcpMethod:"prompts/get"});let p=Date.now();try{let l=await i({routeBinding:d.binding,invoke:o(m=>uv({upstreamServerId:d.binding.upstreamServerId,params:{...c,name:d.upstreamName},credential:m}),"invoke")});return mv({context:e.context,routeBinding:d.binding,capabilityType:"prompt",capabilityName:c.name,mcpMethod:"prompts/get",latencyMs:Date.now()-p}),l}catch(l){fv({context:e.context,routeBinding:d.binding,capabilityType:"prompt",capabilityName:c.name,mcpMethod:"prompts/get",error:l,latencyMs:Date.now()-p}),wp(l,"upstream_capability_invocation_failed")}},async listResources(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return s({capabilityType:"resource",mcpMethod:"resources/list",invoke:o(async()=>({resources:e.publishedVirtualServer.catalog.resources.filter(d=>d.enabled!==!1).map(Ni)}),"invoke"),countItems:o(d=>d.resources.length,"countItems")});let c=In(e);return s({capabilityType:"resource",mcpMethod:"resources/list",routeBinding:c,invoke:o(async()=>i({routeBinding:c,invoke:o(d=>iv({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")}),"invoke"),countItems:o(d=>d.resources.length,"countItems")})},async listResourceTemplates(){if(e.publishedVirtualServer.catalog.catalogSource==="openapi")return{resourceTemplates:[]};let c=In(e);return s({capabilityType:"resource",mcpMethod:"resources/templates/list",routeBinding:c,invoke:o(async()=>i({routeBinding:c,invoke:o(d=>sv({upstreamServerId:c.upstreamServerId,credential:d}),"invoke")}),"invoke"),countItems:o(d=>d.resourceTemplates.length,"countItems")})},async readResource(c){let d=MM({publishedVirtualServer:e.publishedVirtualServer,routeBindings:e.routeBindings,resourceUri:c.uri});vp({context:e.context,routeBinding:d.binding,capabilityType:"resource",capabilityName:c.uri,mcpMethod:"resources/read"});let p=Date.now();try{let l=await i({routeBinding:d.binding,invoke:o(m=>dv({upstreamServerId:d.binding.upstreamServerId,params:{...c,uri:d.upstreamUri},credential:m}),"invoke")});return mv({context:e.context,routeBinding:d.binding,capabilityType:"resource",capabilityName:c.uri,mcpMethod:"resources/read",latencyMs:Date.now()-p}),l}catch(l){fv({context:e.context,routeBinding:d.binding,capabilityType:"resource",capabilityName:c.uri,mcpMethod:"resources/read",error:l,latencyMs:Date.now()-p}),wp(l,"upstream_capability_invocation_failed")}}}}o(yv,"createCapabilityDispatcher");var zM="0.1.0",_v="POST",$M="POST, OPTIONS",qM=new vo({draft:"7",shortcircuit:!1});function Ip(e){return Response.json({jsonrpc:"2.0",id:null,error:{code:-32e3,message:e}},{status:405,headers:{Allow:_v}})}o(Ip,"jsonRpcMethodNotAllowedResponse");function NM(e){let t={Allow:_v},r=e.headers.get("origin"),n=e.headers.get("access-control-request-method");if(r&&n){t["Access-Control-Allow-Methods"]=$M;let a=e.headers.get("access-control-request-headers");a&&(t["Access-Control-Allow-Headers"]=a)}return new Response(null,{status:204,headers:t})}o(NM,"buildOptionsResponse");function Pn(e){let t=e&&typeof e=="object"?e.id:void 0;return typeof t=="string"||typeof t=="number"?t:void 0}o(Pn,"readJsonRpcRequestId");function Ys(e){return e&&typeof e=="object"?e.params:void 0}o(Ys,"readMcpRequestParams");function Sv(e,t){return e.headers.get(t)??void 0}o(Sv,"readMcpHeader");function DM(e){return{mcpProtocolVersion:Sv(e,"mcp-protocol-version")??rn,mcpSessionId:Sv(e,"mcp-session-id")}}o(DM,"buildServerTelemetryBase");function jM(e){if(e.headers.has("mcp-protocol-version"))return e;let t=new Headers(e.headers);return t.set("mcp-protocol-version",rn),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(jM,"ensureProtocolVersionHeader");async function Pp(e,t){if(e.method==="OPTIONS")return NM(e);if(e.method==="GET")return Ip("Standalone SSE GET is not supported by this stateless virtual MCP server. Use POST streamable HTTP for MCP requests.");if(e.method==="DELETE")return Ip("Session termination via DELETE is not supported because this virtual MCP server is stateless.");if(e.method!=="POST")return Ip("Only POST is supported by this virtual MCP server.");let r=qn(t),n=Nt(r.virtualServerId),a=Wi(t);if(n.catalog.catalogSource==="upstream_mcp"&&a.length!==1)throw t.log.error({event:"virtual_server_binding_count_invalid",code:"internal_server_error",virtualServerId:r.virtualServerId,bindingCount:a.length,catalogSource:n.catalog.catalogSource},"MCP virtual server route requires exactly one upstream binding"),new q(`MCP virtual server route "${n.routePath}" requires exactly one upstream binding for upstream MCP mode; found ${a.length}. Check the route's upstream MCP binding policies and keep exactly one binding on this route.`);let i=DM(e),s=yv({context:t,publishedVirtualServer:n,request:e,routeBindings:a}),c=le(e.url),d=new Ds({enableDnsRebindingProtection:!0,allowedOrigins:[c]}),p=new Ns(n.catalog.serverInfo??{name:r.virtualServerId,version:zM},{capabilities:{prompts:{},resources:{},tools:{}},jsonSchemaValidator:qM});p.setRequestHandler(Kc,async m=>Zr({methodName:"tools/list",params:Ys(m),jsonRpcRequestId:Pn(m),...i},()=>s.listTools())),p.setRequestHandler(Do,async m=>Zr({methodName:"tools/call",capabilityType:"tool",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:Pn(m),...i},()=>s.callTool(m.params))),p.setRequestHandler(Dc,async m=>Zr({methodName:"prompts/list",params:Ys(m),jsonRpcRequestId:Pn(m),...i},()=>s.listPrompts())),p.setRequestHandler(Hc,async m=>Zr({methodName:"prompts/get",capabilityType:"prompt",capabilityName:m.params.name,params:m.params,jsonRpcRequestId:Pn(m),...i},()=>s.getPrompt(m.params))),p.setRequestHandler(Ec,async m=>Zr({methodName:"resources/list",params:Ys(m),jsonRpcRequestId:Pn(m),...i},()=>s.listResources())),p.setRequestHandler(Oc,async m=>Zr({methodName:"resources/templates/list",params:Ys(m),jsonRpcRequestId:Pn(m),...i},()=>s.listResourceTemplates())),p.setRequestHandler($c,async m=>Zr({methodName:"resources/read",capabilityType:"resource",resourceUri:m.params.uri,params:m.params,jsonRpcRequestId:Pn(m),...i},()=>s.readResource(m.params))),await p.connect(d);let l=await d.handleRequest(e);return jM(l)}o(Pp,"virtualServerHandler");async function HM(e,t){return zt("handler.mcp-virtual-server"),Pp(e,t)}o(HM,"McpVirtualServerHandler");function LM(e){let t=jt(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,virtualServerId:e.virtualServerId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.config.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}o(LM,"buildRouteAuthBaseFromConnection");function wv(e){if(!e.connection.authProfiles[e.authMode])throw new q(`Upstream connection "${e.connection.id}" does not declare auth mode "${e.authMode}". Check the MCP upstream connection policy and use one of the auth modes declared in policies.json.`);let r=jt(e.authMode);return{upstreamServerId:e.connection.id,virtualServerId:e.virtualServerId,authProfileId:Zn(e.connection.id,e.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.authMode,ownerMode:r.ownerMode}}o(wv,"buildRouteAuthBaseFromPolicyOptions");function bv(e,t){let n=rt().byVirtualServerId.get(t);if(!n)throw new q(`Unknown virtual server "${t}". Ensure routes.oas.json declares this MCP virtual server before starting an upstream connection flow.`);let a=n.connections.find(i=>i.upstreamServerId===e);if(!a)throw new q(`Virtual server "${t}" does not bind upstream "${e}". Check the route's MCP upstream policies and bind the upstream to this virtual server before starting an upstream connection flow.`);return LM({connection:a,virtualServerId:t})}o(bv,"resolveRouteAuthBase");function vv(e,t){switch(e){case"user":return Tr(t.subjectId);case"shared":return Ai()}}o(vv,"buildOwnerForPrincipal");function Xs(e,t){switch(e.ownerMode){case"shared":return{...e,owner:vv(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:vv(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"none":return e}}o(Xs,"resolveRouteAuthForPrincipal");function BM(e){let t=Object.keys(e.connection.authProfiles);if(t.length!==1)throw new K(`Upstream policy ${e.policyName} must declare exactly one auth mode; found ${t.length}.`);let r=t[0];if(r===void 0)throw new K(`Upstream policy ${e.policyName} does not declare an auth mode.`);return vi.parse(r)}o(BM,"readSingleAuthMode");async function xp(e,t,r,n){let a=BM({policyName:n,connection:r}),i=qn(t),s=wv({connection:r,virtualServerId:i.virtualServerId,authMode:a});if(s.ownerMode==="none")return _d(t,{...s,connectionPolicyName:n}),e;let c=df(t);return _d(t,{...Xs(s,c),connectionPolicyName:n}),e}o(xp,"mcpUpstreamConnectionPolicy");var kp=class extends Un{static{o(this,"McpUpstreamConnectionInboundPolicy")}#t;constructor(t,r){let n=zi(t,r);super(n,r),this.#t=n}async handler(t,r){return zt("policy.inbound.mcp-upstream-connection"),xp(t,r,this.#t,this.policyName)}};de();var Rv=Symbol("Html");function GM(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}o(GM,"escapeHtml");function VM(e){return e===null||typeof e!="object"?!1:e[Rv]===!0}o(VM,"isHtml");function Cv(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Cv).join(""):VM(e)?e.value:GM(String(e))}o(Cv,"renderValue");function gr(e){return{[Rv]:!0,value:e}}o(gr,"trustedHtml");var xn=gr("");function se(e,...t){let r=e[0]??"";for(let n=0;n<t.length;n+=1)r+=Cv(t[n]),r+=e[n+1]??"";return gr(r)}o(se,"html");function Wt(e){return e.value}o(Wt,"renderHtml");function Iv(e){return se`<p data-gateway-error-code="${e.code}">${e.detail}</p>${e.guidance} ${e.action}`}o(Iv,"renderBrowserErrorPage");var Ot=gr('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Mt(e){return se`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
+import{$ as j,A as sn,B as qe,J as si,K as ci,L as c,M as ui,N as C,O as U,P as di,Q as pi,R as B,S as l,T as m,U as $,V as O,W as cn,X as un,Y as T,Z as se,_ as f,a as ot,aa as li,b as ii,ba as dn,ca as mi,da as hi,ea as i,fa as z,ga as fi,j as he,k as ai,m as lr,ma as gi,q as on,s as it,x as an}from"../chunk-YTQ3TTI6.js";import{d as at}from"../chunk-TOF2KNST.js";import{a as v}from"../chunk-A2CSR4RF.js";import{$ as re,a as n,aa as w,ba as _,ca as nt,da as oi}from"../chunk-2VLXJLVI.js";z();z();var Id=new Set(["localhost","::1"]);function ve(e){return e.replace(/^\[(.*)\]$/,"$1").replace(/\.+$/,"").toLowerCase()}n(ve,"normalizeHostname");function Z(e){let t=ve(e.hostname);return e.protocol==="http:"&&(Id.has(t)||/^127(?:\.\d{1,3}){3}$/.test(t))}n(Z,"isLoopbackHttpUrl");var yi=new qe("gateway-route");function wi(e,t){yi.set(e,t)}n(wi,"setGatewayRouteContext");function mr(e){return yi.get(e)}n(mr,"readGatewayRouteContext");var Si=new qe("mcp-oauth-runtime-config");function st(e,t){Si.set(e,t)}n(st,"setMcpOAuthRuntimeConfig");function Ri(e){let t=Si.get(e);if(!t)throw new _("MCP gateway OAuth config has not been set on the request context. An `mcp-oauth-inbound` policy (or `mcp-auth0-oauth-inbound`) must run before this handler, or the internal OAuth route wrapper must have populated the context.");return t}n(Ri,"requireMcpOAuthRuntimeConfig");var zt=i.string().trim().min(1),Ud=60,Td=24*60*60,Pd=15*Ud,Od=10*365*Td,Et={accessTokenTtlSeconds:Pd,refreshTokenTtlSeconds:Od,cimdEnabled:!0},zd=i.object({issuer:i.url(),jwksUrl:i.url(),audience:zt.optional()}),Ed=i.object({url:i.url(),tokenUrl:i.url().optional(),clientId:zt.optional(),clientSecret:zt.optional(),scope:zt.default("openid profile email"),audience:zt.optional(),remoteTimeoutMs:i.coerce.number().int().positive().default(1e4),stateTtlSeconds:i.coerce.number().int().positive().default(900),sessionTtlSeconds:i.coerce.number().int().positive().default(28800)}).strict().superRefine((e,t)=>{if(!bi(e.url))for(let r of["tokenUrl","clientId","clientSecret"])e[r]||t.addIssue({code:i.ZodIssueCode.custom,message:`${r} is required for federated browser login`,path:[r]})}),Md=i.object({accessTokenTtlSeconds:i.coerce.number().int().positive().default(Et.accessTokenTtlSeconds),refreshTokenTtlSeconds:i.coerce.number().int().positive().default(Et.refreshTokenTtlSeconds),cimdEnabled:i.boolean().default(Et.cimdEnabled)}).strict().default(Et),pn=i.object({oidc:zd,browserLogin:Ed,gateway:Md.optional().default(Et)}).strict();function _i(e){return bi(e.browserLogin.url)?"local_dev":"federated_oidc"}n(_i,"readBrowserLoginKind");function bi(e){let t;try{t=new URL(e)}catch{return!1}return Z(t)&&t.pathname==="/oauth/dev-login"}n(bi,"isLoopbackDevLoginUrl");function Ci(e){return pn.parse(e)}n(Ci,"parseMcpOAuthRuntimeConfig");function K(){let e;try{e=an()}catch(t){throw new re("MCP gateway OAuth config can only be read during a request. Wrap tests in `runWithRequestContext` and ensure MCP OAuth routes are registered through `McpGatewayPlugin`.",{cause:t})}return Ri(e)}n(K,"getGatewayOAuthConfig");function hr(e,t,r){let o=e.safeParse(t);if(o.success)return o.data;throw new _(`${r} is misconfigured. Validation failed:
+${qd(o.error)}`,{cause:o.error})}n(hr,"parseConfigOrThrow");function qd(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
+`)}n(qd,"formatZodIssues");var ln=class extends it{static{n(this,"McpOAuthInboundPolicy")}constructor(t,r){let o=mn(t,r);super(o,r)}async handler(t,r){return ot("policy.inbound.mcp-oauth"),st(r,this.options),Mt(t,r)}};function mn(e,t="mcp-oauth-inbound"){return hr(pn,e,`MCP OAuth policy "${t}"`)}n(mn,"mcpOAuthOptionsToRuntimeConfig");var hn=["mcp-oauth-inbound","mcp-auth0-oauth-inbound"],xi={"mcp-oauth-inbound":"McpOAuthInboundPolicy","mcp-auth0-oauth-inbound":"McpAuth0OAuthInboundPolicy"};function Hd(e,t,r){switch(e){case"mcp-oauth-inbound":return mn(r,t);case"mcp-auth0-oauth-inbound":return Ii(r,t);default:return}}n(Hd,"parseMcpOAuthPolicyConfig");function Ai(e){return e!==void 0&&hn.some(t=>t===e)}n(Ai,"isMcpOAuthInboundPolicyType");function fn(e){switch(e.policyType){case"mcp-oauth-inbound":return e.handler.export===xi["mcp-oauth-inbound"];case"mcp-auth0-oauth-inbound":return e.handler.export===xi["mcp-auth0-oauth-inbound"];default:return!1}}n(fn,"isMcpOAuthRuntimeConfigPolicy");function vi(e){if(!e)return;let t=e.filter(fn);if(t.length>1){let a=t.map(s=>`"${s.name}" (${s.policyType})`).join(", ");throw new _(`MCP gateway found multiple OAuth policies in policies.json: ${a}. Use exactly one MCP OAuth policy for the gateway so internal OAuth routes resolve a single runtime config.`)}let r=t[0];if(!r)return;let o=Hd(r.policyType,r.name,r.handler.options);if(!o)throw new _(`MCP gateway: policy '${r.name}' has unsupported MCP OAuth policy type '${r.policyType}'.`);return{policyName:r.name,config:o}}n(vi,"resolveMcpOAuthRuntimeConfigFromPolicies");var y="gatewayCode",ct={runtime:{invalid_request:{code:"invalid_request",status:400,title:"Bad Request",publicDetail:"The request did not match the route contract.",oauthError:"invalid_request"},forbidden:{code:"forbidden",status:403,title:"Forbidden",publicDetail:"The request is not allowed.",oauthError:"invalid_request"},not_found:{code:"not_found",status:404,title:"Not Found",publicDetail:"The requested resource was not found.",oauthError:"invalid_request"},too_many_requests:{code:"too_many_requests",status:429,title:"Too Many Requests",publicDetail:"The request exceeded the allowed rate.",oauthError:"invalid_request"},internal_server_error:{code:"internal_server_error",status:500,title:"Internal Server Error",publicDetail:"The gateway failed to process the request.",oauthError:"server_error"}},config:{mcp_route_not_enabled:{code:"mcp_route_not_enabled",status:404,title:"Not Found",publicDetail:"The requested MCP route is not enabled."},unknown_upstream_server:{code:"unknown_upstream_server",status:400,title:"Bad Request",publicDetail:"The requested upstream server is not configured.",oauthError:"invalid_request"},unknown_mcp_route:{code:"unknown_mcp_route",status:400,title:"Bad Request",publicDetail:"The requested MCP route is not configured.",oauthError:"invalid_target"},unknown_auth_profile:{code:"unknown_auth_profile",status:400,title:"Bad Request",publicDetail:"The requested upstream auth profile is not configured.",oauthError:"invalid_request"},mcp_route_upstream_mismatch:{code:"mcp_route_upstream_mismatch",status:400,title:"Bad Request",publicDetail:"The requested MCP route does not belong to the selected upstream server.",oauthError:"invalid_request"}},downstream_auth:{authentication_required:{code:"authentication_required",status:401,title:"Unauthorized",publicDetail:"Authentication is required to access this route.",oauthError:"invalid_client"},identity_context_missing:{code:"identity_context_missing",status:403,title:"Forbidden",publicDetail:"Authenticated requests must include a gateway principal subject.",oauthError:"invalid_request"}},downstream_oauth:{browser_login_verification_failed:{code:"browser_login_verification_failed",status:400,title:"Connection failed",publicDetail:"The gateway could not verify the browser login response. Retry the login flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_auth:{provider_access_denied:{code:"provider_access_denied",status:400,title:"Connection failed",publicDetail:"The upstream authorization request was denied. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_invalid:{code:"oauth_state_invalid",status:400,title:"Connection failed",publicDetail:"The upstream connection request could not be verified. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_expired:{code:"oauth_state_expired",status:400,title:"Connection failed",publicDetail:"The upstream connection request expired. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_state_reused:{code:"oauth_state_reused",status:400,title:"Connection failed",publicDetail:"This upstream connection request was already used. Start the connection flow again.",callbackFailure:!0,oauthError:"invalid_request"},oauth_callback_mismatch:{code:"oauth_callback_mismatch",status:400,title:"Connection failed",publicDetail:"The upstream callback did not match the initiating connection request.",callbackFailure:!0,oauthError:"invalid_request"},upstream_token_exchange_failed:{code:"upstream_token_exchange_failed",status:400,title:"Connection failed",publicDetail:"The gateway could not complete the upstream token exchange. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"},upstream_client_registration_required:{code:"upstream_client_registration_required",status:400,title:"Upstream OAuth client registration required",publicDetail:"The upstream authorization server supports neither gateway-hosted Client ID Metadata Documents nor Dynamic Client Registration. Register an upstream OAuth client manually before retrying.",oauthError:"invalid_request"},upstream_token_response_invalid:{code:"upstream_token_response_invalid",status:400,title:"Connection failed",publicDetail:"The upstream token response was invalid. Retry the connection flow.",callbackFailure:!0,oauthError:"invalid_request"}},upstream_mcp:{upstream_capability_invocation_failed:{code:"upstream_capability_invocation_failed",status:502,title:"Bad Gateway",publicDetail:"The upstream capability invocation failed. Retry later or reconnect the upstream if the issue persists."},upstream_capability_unavailable:{code:"upstream_capability_unavailable",status:503,title:"Service Unavailable",publicDetail:"The upstream capability is unavailable. Retry later or reconnect the upstream if the issue persists."},upstream_import_failed:{code:"upstream_import_failed",status:502,title:"Bad Gateway",publicDetail:"The upstream capability import failed. Retry later or reconnect the upstream if the issue persists."}}},fr={...ct.runtime,...ct.config,...ct.downstream_auth,...ct.downstream_oauth,...ct.upstream_auth,...ct.upstream_mcp};function Ie(e){return typeof e=="string"&&Object.hasOwn(fr,e)}n(Ie,"isGatewayProblemCode");function ki(e){return Ie(e)&&W(e).callbackFailure===!0}n(ki,"isGatewayCallbackFailureCode");function W(e){return fr[e]}n(W,"readGatewayProblemDefinition");function Ui(e){switch(e){case 400:return"invalid_request";case 401:return"authentication_required";case 403:return"forbidden";case 404:return"not_found";case 429:return"too_many_requests";default:return"internal_server_error"}}n(Ui,"readDefaultGatewayProblemCodeForStatus");var Dd=/^\$\{env\.([A-Za-z_][A-Za-z0-9_]*)\}$/;function Ti(e,t){let r;try{r=new URL(e)}catch{throw new _(`${t} must be an absolute URL.`)}if(r.protocol!=="https:"&&r.protocol!=="http:")throw new _(`${t} must be an HTTP(S) URL.`);return e}n(Ti,"assertHttpUrl");function Pi(e){return e.options??{}}n(Pi,"readHandlerOptions");function jd(e){let t=Dd.exec(e);if(t){let r=t[1],o=at[r];if(typeof o!="string"||o==="")throw new _(`MCP route handler rewritePattern references env.${r}, but that environment variable is not set.`);return Ti(o,`env.${r}`)}if(e.includes("${"))throw new _("MCP token exchange requires a static route handler rewritePattern. Dynamic request-based rewrite patterns are not supported for MCP upstream OAuth.");return Ti(e,"MCP route handler rewritePattern")}n(jd,"readRewritePatternUrl");function gn(e){let t=Pi(e);if(typeof t.rewritePattern=="string"&&t.rewritePattern!=="")return jd(t.rewritePattern);throw new _("MCP route must configure handler.options.rewritePattern.")}n(gn,"readMcpRouteUpstreamUrl");function Oi(e){let t=Pi(e.handler),r=new URL(gn(e.handler));if(t.forwardSearch!==!1)for(let[a,s]of new URL(e.request.url).searchParams)r.searchParams.append(a,s);let o={method:e.request.method,body:e.body,headers:e.headers,redirect:t.followRedirects===!0?"follow":"manual",zuplo:typeof t.mtlsCertificate=="string"&&t.mtlsCertificate.length>0?{mtlsCertificate:t.mtlsCertificate}:void 0};return{url:r.toString(),init:o}}n(Oi,"buildMcpRouteUpstreamFetch");z();var Ld=["shared-oauth","user-oauth"],Bd=["none","client_secret_basic","client_secret_post"],oe=i.string().min(1).brand(),G=i.string().min(1),ce=i.string().min(1).brand(),MR=i.string().min(1).brand(),yn=i.enum(Ld),wn=i.enum(Bd);z();var Rn="2025-11-25";var Gd="io.modelcontextprotocol/related-task",dt="2.0",F=li(e=>e!==null&&(typeof e=="object"||typeof e=="function")),zi=O([c(),C().int()]),Ei=c(),HR=$({ttl:C().optional(),pollInterval:C().optional()}),$d=m({ttl:C().optional()}),Zd=m({taskId:c()}),_n=$({progressToken:zi.optional(),[Gd]:Zd.optional()}),ue=m({_meta:_n.optional()}),yr=ue.extend({task:$d.optional()});var X=m({method:c(),params:ue.loose().optional()}),fe=m({_meta:_n.optional()}),ge=m({method:c(),params:fe.loose().optional()}),Q=$({_meta:_n.optional()}),wr=O([c(),C().int()]),bn=m({jsonrpc:f(dt),id:wr,...X.shape}).strict();var Fd=m({jsonrpc:f(dt),...ge.shape}).strict();var Mi=m({jsonrpc:f(dt),id:wr,result:Q}).strict();var ke;(function(e){e[e.ConnectionClosed=-32e3]="ConnectionClosed",e[e.RequestTimeout=-32001]="RequestTimeout",e[e.ParseError=-32700]="ParseError",e[e.InvalidRequest=-32600]="InvalidRequest",e[e.MethodNotFound=-32601]="MethodNotFound",e[e.InvalidParams=-32602]="InvalidParams",e[e.InternalError=-32603]="InternalError",e[e.UrlElicitationRequired=-32042]="UrlElicitationRequired"})(ke||(ke={}));var Sr=m({jsonrpc:f(dt),id:wr.optional(),error:m({code:C().int(),message:c(),data:B().optional()})}).strict();var DR=O([bn,Fd,Mi,Sr]),jR=O([Mi,Sr]),qi=Q.strict(),Kd=fe.extend({requestId:wr.optional(),reason:c().optional()}),Hi=ge.extend({method:f("notifications/cancelled"),params:Kd}),Wd=m({src:c(),mimeType:c().optional(),sizes:l(c()).optional(),theme:se(["light","dark"]).optional()}),Ht=m({icons:l(Wd).optional()}),ut=m({name:c(),title:c().optional()}),pt=ut.extend({...ut.shape,...Ht.shape,version:c(),websiteUrl:c().optional(),description:c().optional()}),Jd=un(m({applyDefaults:U().optional()}),T(c(),B())),Vd=dn(e=>e&&typeof e=="object"&&!Array.isArray(e)&&Object.keys(e).length===0?{form:{}}:e,un(m({form:Jd.optional(),url:F.optional()}),T(c(),B()).optional())),Yd=$({list:F.optional(),cancel:F.optional(),requests:$({sampling:$({createMessage:F.optional()}).optional(),elicitation:$({create:F.optional()}).optional()}).optional()}),Xd=$({list:F.optional(),cancel:F.optional(),requests:$({tools:$({call:F.optional()}).optional()}).optional()}),Qd=m({experimental:T(c(),F).optional(),sampling:m({context:F.optional(),tools:F.optional()}).optional(),elicitation:Vd.optional(),roots:m({listChanged:U().optional()}).optional(),tasks:Yd.optional(),extensions:T(c(),F).optional()}),ep=ue.extend({protocolVersion:c(),capabilities:Qd,clientInfo:pt}),tp=X.extend({method:f("initialize"),params:ep});var rp=m({experimental:T(c(),F).optional(),logging:F.optional(),completions:F.optional(),prompts:m({listChanged:U().optional()}).optional(),resources:m({subscribe:U().optional(),listChanged:U().optional()}).optional(),tools:m({listChanged:U().optional()}).optional(),tasks:Xd.optional(),extensions:T(c(),F).optional()}),np=Q.extend({protocolVersion:c(),capabilities:rp,serverInfo:pt,instructions:c().optional()}),op=ge.extend({method:f("notifications/initialized"),params:fe.optional()});var Di=X.extend({method:f("ping"),params:ue.optional()}),ip=m({progress:C(),total:j(C()),message:j(c())}),ap=m({...fe.shape,...ip.shape,progressToken:zi}),ji=ge.extend({method:f("notifications/progress"),params:ap}),sp=ue.extend({cursor:Ei.optional()}),Dt=X.extend({params:sp.optional()}),jt=Q.extend({nextCursor:Ei.optional()}),cp=se(["working","input_required","completed","failed","cancelled"]),Lt=m({taskId:c(),status:cp,ttl:O([C(),di()]),createdAt:c(),lastUpdatedAt:c(),pollInterval:j(C()),statusMessage:j(c())}),Li=Q.extend({task:Lt}),up=fe.merge(Lt),Bi=ge.extend({method:f("notifications/tasks/status"),params:up}),Ni=X.extend({method:f("tasks/get"),params:ue.extend({taskId:c()})}),Gi=Q.merge(Lt),$i=X.extend({method:f("tasks/result"),params:ue.extend({taskId:c()})}),LR=Q.loose(),Zi=Dt.extend({method:f("tasks/list")}),Fi=jt.extend({tasks:l(Lt)}),Ki=X.extend({method:f("tasks/cancel"),params:ue.extend({taskId:c()})}),BR=Q.merge(Lt),Wi=m({uri:c(),mimeType:j(c()),_meta:T(c(),B()).optional()}),Ji=Wi.extend({text:c()}),Cn=c().refine(e=>{try{return atob(e),!0}catch{return!1}},{message:"Invalid Base64 string"}),Vi=Wi.extend({blob:Cn}),Bt=se(["user","assistant"]),lt=m({audience:l(Bt).optional(),priority:C().min(0).max(1).optional(),lastModified:ci.datetime({offset:!0}).optional()}),Yi=m({...ut.shape,...Ht.shape,uri:c(),description:j(c()),mimeType:j(c()),size:j(C()),annotations:lt.optional(),_meta:j($({}))}),dp=m({...ut.shape,...Ht.shape,uriTemplate:c(),description:j(c()),mimeType:j(c()),annotations:lt.optional(),_meta:j($({}))}),pp=Dt.extend({method:f("resources/list")}),lp=jt.extend({resources:l(Yi)}),mp=Dt.extend({method:f("resources/templates/list")}),hp=jt.extend({resourceTemplates:l(dp)}),xn=ue.extend({uri:c()}),fp=xn,gp=X.extend({method:f("resources/read"),params:fp}),yp=Q.extend({contents:l(O([Ji,Vi]))}),wp=ge.extend({method:f("notifications/resources/list_changed"),params:fe.optional()}),Sp=xn,Rp=X.extend({method:f("resources/subscribe"),params:Sp}),_p=xn,bp=X.extend({method:f("resources/unsubscribe"),params:_p}),Cp=fe.extend({uri:c()}),xp=ge.extend({method:f("notifications/resources/updated"),params:Cp}),Ap=m({name:c(),description:j(c()),required:j(U())}),vp=m({...ut.shape,...Ht.shape,description:j(c()),arguments:j(l(Ap)),_meta:j($({}))}),Ip=Dt.extend({method:f("prompts/list")}),kp=jt.extend({prompts:l(vp)}),Up=ue.extend({name:c(),arguments:T(c(),c()).optional()}),Tp=X.extend({method:f("prompts/get"),params:Up}),An=m({type:f("text"),text:c(),annotations:lt.optional(),_meta:T(c(),B()).optional()}),vn=m({type:f("image"),data:Cn,mimeType:c(),annotations:lt.optional(),_meta:T(c(),B()).optional()}),In=m({type:f("audio"),data:Cn,mimeType:c(),annotations:lt.optional(),_meta:T(c(),B()).optional()}),Pp=m({type:f("tool_use"),name:c(),id:c(),input:T(c(),B()),_meta:T(c(),B()).optional()}),Op=m({type:f("resource"),resource:O([Ji,Vi]),annotations:lt.optional(),_meta:T(c(),B()).optional()}),zp=Yi.extend({type:f("resource_link")}),kn=O([An,vn,In,zp,Op]),Ep=m({role:Bt,content:kn}),Mp=Q.extend({description:c().optional(),messages:l(Ep)}),qp=ge.extend({method:f("notifications/prompts/list_changed"),params:fe.optional()}),Hp=m({title:c().optional(),readOnlyHint:U().optional(),destructiveHint:U().optional(),idempotentHint:U().optional(),openWorldHint:U().optional()}),Dp=m({taskSupport:se(["required","optional","forbidden"]).optional()}),Xi=m({...ut.shape,...Ht.shape,description:c().optional(),inputSchema:m({type:f("object"),properties:T(c(),F).optional(),required:l(c()).optional()}).catchall(B()),outputSchema:m({type:f("object"),properties:T(c(),F).optional(),required:l(c()).optional()}).catchall(B()).optional(),annotations:Hp.optional(),execution:Dp.optional(),_meta:T(c(),B()).optional()}),jp=Dt.extend({method:f("tools/list")}),Lp=jt.extend({tools:l(Xi)}),Qi=Q.extend({content:l(kn).default([]),structuredContent:T(c(),B()).optional(),isError:U().optional()}),NR=Qi.or(Q.extend({toolResult:B()})),Bp=yr.extend({name:c(),arguments:T(c(),B()).optional()}),Np=X.extend({method:f("tools/call"),params:Bp}),Gp=ge.extend({method:f("notifications/tools/list_changed"),params:fe.optional()}),GR=m({autoRefresh:U().default(!0),debounceMs:C().int().nonnegative().default(300)}),ea=se(["debug","info","notice","warning","error","critical","alert","emergency"]),$p=ue.extend({level:ea}),Zp=X.extend({method:f("logging/setLevel"),params:$p}),Fp=fe.extend({level:ea,logger:c().optional(),data:B()}),Kp=ge.extend({method:f("notifications/message"),params:Fp}),Wp=m({name:c().optional()}),Jp=m({hints:l(Wp).optional(),costPriority:C().min(0).max(1).optional(),speedPriority:C().min(0).max(1).optional(),intelligencePriority:C().min(0).max(1).optional()}),Vp=m({mode:se(["auto","required","none"]).optional()}),Yp=m({type:f("tool_result"),toolUseId:c().describe("The unique identifier for the corresponding tool call."),content:l(kn).default([]),structuredContent:m({}).loose().optional(),isError:U().optional(),_meta:T(c(),B()).optional()}),Xp=cn("type",[An,vn,In]),gr=cn("type",[An,vn,In,Pp,Yp]),Qp=m({role:Bt,content:O([gr,l(gr)]),_meta:T(c(),B()).optional()}),el=yr.extend({messages:l(Qp),modelPreferences:Jp.optional(),systemPrompt:c().optional(),includeContext:se(["none","thisServer","allServers"]).optional(),temperature:C().optional(),maxTokens:C().int(),stopSequences:l(c()).optional(),metadata:F.optional(),tools:l(Xi).optional(),toolChoice:Vp.optional()}),tl=X.extend({method:f("sampling/createMessage"),params:el}),rl=Q.extend({model:c(),stopReason:j(se(["endTurn","stopSequence","maxTokens"]).or(c())),role:Bt,content:Xp}),nl=Q.extend({model:c(),stopReason:j(se(["endTurn","stopSequence","maxTokens","toolUse"]).or(c())),role:Bt,content:O([gr,l(gr)])}),ol=m({type:f("boolean"),title:c().optional(),description:c().optional(),default:U().optional()}),il=m({type:f("string"),title:c().optional(),description:c().optional(),minLength:C().optional(),maxLength:C().optional(),format:se(["email","uri","date","date-time"]).optional(),default:c().optional()}),al=m({type:se(["number","integer"]),title:c().optional(),description:c().optional(),minimum:C().optional(),maximum:C().optional(),default:C().optional()}),sl=m({type:f("string"),title:c().optional(),description:c().optional(),enum:l(c()),default:c().optional()}),cl=m({type:f("string"),title:c().optional(),description:c().optional(),oneOf:l(m({const:c(),title:c()})),default:c().optional()}),ul=m({type:f("string"),title:c().optional(),description:c().optional(),enum:l(c()),enumNames:l(c()).optional(),default:c().optional()}),dl=O([sl,cl]),pl=m({type:f("array"),title:c().optional(),description:c().optional(),minItems:C().optional(),maxItems:C().optional(),items:m({type:f("string"),enum:l(c())}),default:l(c()).optional()}),ll=m({type:f("array"),title:c().optional(),description:c().optional(),minItems:C().optional(),maxItems:C().optional(),items:m({anyOf:l(m({const:c(),title:c()}))}),default:l(c()).optional()}),ml=O([pl,ll]),hl=O([ul,dl,ml]),fl=O([hl,ol,il,al]),gl=yr.extend({mode:f("form").optional(),message:c(),requestedSchema:m({type:f("object"),properties:T(c(),fl),required:l(c()).optional()})}),Un=yr.extend({mode:f("url"),message:c(),elicitationId:c(),url:c().url()}),yl=O([gl,Un]),wl=X.extend({method:f("elicitation/create"),params:yl}),Sl=fe.extend({elicitationId:c()}),Rl=ge.extend({method:f("notifications/elicitation/complete"),params:Sl}),_l=Q.extend({action:se(["accept","decline","cancel"]),content:dn(e=>e===null?void 0:e,T(c(),O([c(),C(),U(),l(c())])).optional())}),bl=m({type:f("ref/resource"),uri:c()});var Cl=m({type:f("ref/prompt"),name:c()}),xl=ue.extend({ref:O([Cl,bl]),argument:m({name:c(),value:c()}),context:m({arguments:T(c(),c()).optional()}).optional()}),Al=X.extend({method:f("completion/complete"),params:xl});var vl=Q.extend({completion:$({values:l(c()).max(100),total:j(C().int()),hasMore:j(U())})}),Il=m({uri:c().startsWith("file://"),name:c().optional(),_meta:T(c(),B()).optional()}),kl=X.extend({method:f("roots/list"),params:ue.optional()}),Ul=Q.extend({roots:l(Il)}),Tl=ge.extend({method:f("notifications/roots/list_changed"),params:fe.optional()}),$R=O([Di,tp,Al,Zp,Tp,Ip,pp,mp,gp,Rp,bp,Np,jp,Ni,$i,Zi,Ki]),ZR=O([Hi,ji,op,Tl,Bi]),FR=O([qi,rl,nl,_l,Ul,Gi,Fi,Li]),KR=O([Di,tl,wl,kl,Ni,$i,Zi,Ki]),WR=O([Hi,ji,Kp,xp,wp,Gp,qp,Bi,Rl]),JR=O([qi,np,vl,Mp,kp,lp,hp,yp,Qi,Lp,Gi,Fi,Li]),Sn=class e extends Error{static{n(this,"McpError")}constructor(t,r,o){super(`MCP error ${t}: ${r}`),this.code=t,this.data=o,this.name="McpError"}static fromError(t,r,o){if(t===ke.UrlElicitationRequired&&o){let a=o;if(a.elicitations)return new qt(a.elicitations,r)}return new e(t,r,o)}},qt=class extends Sn{static{n(this,"UrlElicitationRequiredError")}constructor(t,r=`URL elicitation${t.length>1?"s":""} required`){super(ke.UrlElicitationRequired,r,{elicitations:t})}get elicitations(){return this.data?.elicitations??[]}};z();var ra=oe,Pl=i.object({mode:i.literal("auto")}).strict(),Ol=i.object({mode:i.literal("manual"),clientId:i.string().trim().min(1),clientSecret:i.string().min(1).optional(),tokenEndpointAuthMethod:wn.default("client_secret_basic")}).strict().superRefine((e,t)=>{e.tokenEndpointAuthMethod!=="none"&&!e.clientSecret&&t.addIssue({code:i.ZodIssueCode.custom,message:`${e.tokenEndpointAuthMethod} requires clientSecret`,path:["clientSecret"]})}),na=i.discriminatedUnion("mode",[Pl,Ol]),zl=na.default({mode:"auto"}),El=i.object({scopes:i.array(i.string().min(1)).default([]),scopeDelimiter:i.string().min(1).default(" "),clientRegistration:zl}).strict(),ta=El.extend({redirectPath:i.string().startsWith("/auth/connections/")}).strict(),Ml=i.discriminatedUnion("mode",[i.object({mode:i.literal("shared-oauth"),oauth:ta}).strict(),i.object({mode:i.literal("user-oauth"),oauth:ta}).strict()]),ql=i.object({baseUrl:i.url(),resourceMetadataUrl:i.url()}).strict(),r_=i.object({displayName:i.string().min(1),description:i.string().min(1).optional(),serverInfo:pt.optional(),transport:ql}).strict(),Hl=i.object({id:ra,displayName:i.string().min(1),description:i.string().min(1).optional(),serverInfo:pt.optional(),protectedResourceMetadataUrl:i.url().optional(),authMode:yn,authConfig:Ml}).strict().refine(e=>e.authMode===e.authConfig.mode,{message:"authMode must match authConfig.mode",path:["authConfig","mode"]}),Dl={id:ra.optional(),displayName:i.string().min(1),summary:i.string().min(1).optional(),serverInfo:pt.optional(),protectedResourceMetadataUrl:i.url().optional()},jl=i.object({...Dl,authMode:yn,scopes:i.array(i.string().min(1)).default([]),scopeDelimiter:i.string().min(1).default(" "),clientRegistration:na.optional(),clientId:i.string().trim().min(1).optional(),clientSecret:i.string().min(1).optional(),tokenEndpointAuthMethod:wn.optional()}).strict();function Ll(e){return e.issues.map(t=>`  - ${t.path.length>0?t.path.join("."):"<root>"}: ${t.message}`).join(`
+`)}n(Ll,"formatZodIssues");function Bl(e){let t="mcp-token-exchange-";if(!e.startsWith(t))throw new _(`MCP token exchange policy ${e} must use the ${t}{upstream-id} naming convention when id is omitted.`);return oe.parse(e.slice(t.length))}n(Bl,"inferUpstreamConnectionIdFromPolicyName");function oa(e){let t=new URL(e),r=t.pathname==="/"?"":t.pathname;return`${t.origin}/.well-known/oauth-protected-resource${r}`}n(oa,"buildDefaultProtectedResourceMetadataUrl");function mt(e,t){return ce.parse(`${e}:${t}`)}n(mt,"buildUpstreamAuthProfileId");function Nl(e,t){let r=e.clientRegistration??(e.clientId===void 0?{mode:"auto"}:{mode:"manual",clientId:e.clientId,tokenEndpointAuthMethod:e.tokenEndpointAuthMethod??"client_secret_basic",...e.clientSecret===void 0?{}:{clientSecret:e.clientSecret}});return{mode:e.authMode,oauth:{scopes:e.scopes,scopeDelimiter:e.scopeDelimiter,redirectPath:`/auth/connections/${encodeURIComponent(t)}/callback`,clientRegistration:r}}}n(Nl,"resolveAuthConfig");function Rr(e,t){try{let r=jl.parse(e),o=r.id??(t===void 0?void 0:Bl(t));if(o===void 0)throw new _("MCP token exchange policy options must include id when policy name is unavailable.");return Hl.parse({id:o,displayName:r.displayName,...r.summary===void 0?{}:{description:r.summary},...r.serverInfo===void 0?{}:{serverInfo:r.serverInfo},...r.protectedResourceMetadataUrl===void 0?{}:{protectedResourceMetadataUrl:r.protectedResourceMetadataUrl},authMode:r.authMode,authConfig:Nl(r,o)})}catch(r){if(r instanceof i.ZodError){let o=t===void 0?"MCP token exchange policy":`Policy "${t}"`;throw new _(`${o} is misconfigured. Missing/invalid options in policies.json:
+${Ll(r)}`,{cause:r})}throw r}}n(Rr,"parseUpstreamTokenExchangePolicyOptions");function ia(e){return e.mode==="shared-oauth"||e.mode==="user-oauth"}n(ia,"isUpstreamOAuthAuthConfig");var Gl="mcp-token-exchange-inbound";function $l(e,t,r){let o=new _(t,r===void 0?void 0:{cause:r});return o.extensionMembers={[y]:e},o}n($l,"configurationProblem");function _r(e){return e===Gl}n(_r,"isMcpTokenExchangePolicyType");function Zl(e){let t=mt(e.connection.id,e.connection.authMode);return{policyName:e.policyName,upstreamServerId:e.connection.id,displayName:e.connection.displayName,...e.connection.description===void 0?{}:{description:e.connection.description},...e.connection.serverInfo===void 0?{}:{serverInfo:e.connection.serverInfo},mcpUrl:e.mcpUrl,protectedResourceMetadataUrl:e.connection.protectedResourceMetadataUrl??oa(e.mcpUrl),authMode:e.connection.authMode,authProfileId:t,authConfig:e.connection.authConfig}}n(Zl,"buildRegisteredConnection");function Fl(e){let t=new Map;for(let r of e){if(t.has(r.name))throw new _(`Duplicate policy name ${r.name} in policies.json.`);t.set(r.name,{name:r.name,policyType:r.policyType,handler:{options:r.handler.options}})}return t}n(Fl,"buildPolicyMap");function Kl(e){if(typeof e.raw!="function")throw new _(`MCP route ${e.path} must declare operationId in routes.oas.json. The operationId is used as the stable MCP route identity for OAuth tokens, storage, upstream auth state, and analytics.`);let t=e.raw();if(!t||typeof t.operationId!="string"||t.operationId==="")throw new _(`MCP route ${e.path} must declare operationId in routes.oas.json. The operationId is used as the stable MCP route identity for OAuth tokens, storage, upstream auth state, and analytics.`);return G.parse(t.operationId)}n(Kl,"readOperationId");function Wl(e){let t=[];for(let r of e.route.policies?.inbound??[]){let o=e.policyByName.get(r);o&&_r(o.policyType)&&t.push(o)}if(t.length>1)throw new _(`MCP route ${e.route.path} must bind at most one MCP token exchange policy; found ${t.length}.`);if(t.length!==0)return e.readConnectionForPolicy(t[0],gn(e.route.handler))}n(Wl,"readRouteUpstreamConnection");function Jl(e){let t=new Map,r=new Map,o=new Map,a=new Set;function s(u,d){let p=o.get(u.name);if(p)return p;let h=Rr(u.handler.options,u.name);if(a.has(h.id))throw new _(`Duplicate upstream MCP connection id ${h.id} in policies.json.`);a.add(h.id);let g=Zl({policyName:u.name,connection:h,mcpUrl:d});return o.set(u.name,g),g}n(s,"readConnectionForPolicy");for(let u of e.routes){let d=u.policies?.inbound??[];if(d.length===0||!d.map(k=>e.policyByName.get(k)).filter(k=>k!==void 0).some(k=>Ai(k.policyType)||_r(k.policyType)))continue;let h=Kl(u);if(t.has(h))throw new _(`Duplicate MCP route operationId ${h} across routes.`);if(r.has(u.path))throw new _(`Duplicate MCP route path ${u.path} across routes.`);let g=Wl({route:u,policyByName:e.policyByName,readConnectionForPolicy:s}),D={operationId:h,routePath:u.path,...g===void 0?{}:{connection:g}};t.set(h,D),r.set(u.path,D)}return{byOperationId:t,byRoutePath:r,connectionsByPolicyName:o}}n(Jl,"buildMcpRoutes");function Pn(e){let t=Fl(e.policies),{byOperationId:r,byRoutePath:o,connectionsByPolicyName:a}=Jl({routes:e.routes,policyByName:t}),s=new Map;for(let u of a.values())s.set(u.upstreamServerId,u);return{byOperationId:r,byRoutePath:o,connectionsById:s}}n(Pn,"buildGatewayConnectionRegistry");var Ze,Tn;function aa(e){Tn=e,Ze=void 0}n(aa,"configureGatewayConnectionRegistrySource");function sa(e){Ze=e}n(sa,"setGatewayConnectionRegistry");function ye(){if(!Ze&&Tn&&(Ze=Pn(Tn)),!Ze)throw new _("MCP gateway connection registry has not been initialized. Ensure routes.oas.json declares at least one OAuth-protected MCP route and policies.json registers the matching MCP OAuth and upstream connection policies.");return Ze}n(ye,"getGatewayConnectionRegistry");function He(e){let r=ye().byOperationId.get(e);if(!r)throw $l("unknown_mcp_route",`Unknown MCP route: ${e}`,new Error(`Unknown MCP route "${e}". Ensure routes.oas.json declares this operationId and policies.json registers the matching MCP upstream connection policy.`));return r}n(He,"getRegisteredMcpRoute");function ca(e){let r=ye().byRoutePath.get(e);if(!r)throw new _(`MCP route ${e} is not registered. Ensure routes.oas.json declares operationId on this MCP route and its inbound policies include MCP OAuth or MCP token exchange.`);return r}n(ca,"getRegisteredMcpRouteByRoutePath");function ua(){return Ze}n(ua,"tryGetGatewayConnectionRegistry");z();var b=i.string().datetime({offset:!0}).brand();function x(e){return b.parse(e.toISOString())}n(x,"toIsoTimestamp");function Ue(e,t){return new Date(e.getTime()+t*1e3)}n(Ue,"addSeconds");z();function P(e){return new URL(e).origin}n(P,"readGatewayRequestOrigin");function Te(e){return P(e)}n(Te,"readGatewayOAuthIssuer");function On(e){return e.length>512?`${e.slice(0,512)}\u2026`:e}n(On,"truncate");function da(e){return"cause"in e?e.cause:void 0}n(da,"readCause");function ie(e,t,r){if(!(r instanceof Error)){r!=null&&(e[`${t}Message`]=On(String(r)));return}e[`${t}Name`]=r.name,e[`${t}Message`]=On(r.message);let o=da(r);for(let a=1;a<=4&&o instanceof Error;a+=1){let s=a===1?"cause":`cause${a}`;e[`${s}Name`]=o.name,e[`${s}Message`]=On(o.message),o=da(o)}}n(ie,"addErrorLogFields");function we(e){if(e!==void 0)try{return typeof e=="string"?new URL(e).host:e.host}catch{return}}n(we,"safeHost");function pa(e,t){let r=Object.entries(t).filter(o=>o[1]!==void 0);r.length!==0&&e.log.setLogProperties?.(Object.fromEntries(r))}n(pa,"setLogProperties");function br(e,t){pa(e,{subjectId:t.subjectId})}n(br,"applyGatewayPrincipalLogProperties");function la(e,t){pa(e,{upstreamServerId:t.upstreamServerId,operationId:t.operationId})}n(la,"applyGatewayRouteLogProperties");function ma(e){let t=W(e);return{title:t.title,body:t.publicDetail}}n(ma,"readGatewayCallbackFailureContent");function de(e){if(!(e instanceof w))return;let t=e.extensionMembers?.[y];return Ie(t)?t:void 0}n(de,"readGatewayProblemCode");function R(e,t,r){let o=typeof e=="string"?{code:e,...t===void 0?{}:{publicDetail:t,privateDetail:t},...r===void 0?{}:{cause:r}}:e,a=W(o.code),s=o.privateDetail??(Cr(o.code)?o.publicDetail??a.publicDetail:a.publicDetail),u=Vl(o);return new w({message:s,extensionMembers:{[y]:o.code}},u===void 0?void 0:{cause:u})}n(R,"createGatewayRuntimeError");async function De(e,t,r){let o=W(r.code),a=Yl(r.code,r.detail),s=Cr(r.code)?r.title??o.title:o.title,d={problem:{...he.getProblemFromStatus(o.status,{detail:a,instance:r.instance,type:r.type}),...r.extensions??{},status:o.status,title:s,detail:a,code:r.code}};return r.headers!==void 0&&(d.additionalHeaders=r.headers),he.format(d,e,t)}n(De,"gatewayProblemResponse");function Cr(e){return W(e).status<500}n(Cr,"canExposeGatewayProblemDetail");function Vl(e){return!e.privateDetail||Cr(e.code)?e.cause:e.cause===void 0?new Error(e.privateDetail):new Error(e.privateDetail,{cause:e.cause})}n(Vl,"readRuntimeErrorCause");function Yl(e,t){let r=W(e);return Cr(e)&&t||r.publicDetail}n(Yl,"readSafeGatewayProblemDetail");var Xl=new Set(["about","blob","data","file","ftp","ftps","javascript","mailto","urn","ws","wss"]);function Ql(e){return e.protocol.replace(/:$/u,"").toLowerCase()}n(Ql,"readScheme");function em(e){return e.protocol==="https:"}n(em,"isSpecCompliantRedirectUri");function tm(e){let t=Ql(e);return t.length>0&&t!=="http"&&t!=="https"&&!Xl.has(t)}n(tm,"isNativeAppCustomSchemeRedirectUri");var fa=[{id:"oauth.redirect_uri.https",mode:"strict",accepts:n(e=>em(e),"accepts")},{id:"oauth.redirect_uri.loopback_http",mode:"native_app",accepts:n(e=>Z(e),"accepts"),matches:n((e,t)=>Z(e)&&Z(t)&&e.pathname===t.pathname&&e.search===t.search,"matches")},{id:"oauth.redirect_uri.custom_scheme",mode:"native_app",accepts:n(e=>tm(e),"accepts")}];function ga(e){let t=fa.find(r=>r.accepts(e.url,e.context));return t===void 0?{kind:"rejected"}:{kind:"allowed",ruleId:t.id,mode:t.mode}}n(ga,"evaluateBuiltInRedirectUriCompatibility");function ha(e){try{return new URL(e)}catch{return}}n(ha,"parseUrl");function ya(e){if(e.registeredRedirectUri===e.requestedRedirectUri)return!0;let t=ha(e.registeredRedirectUri),r=ha(e.requestedRedirectUri);if(t===void 0||r===void 0)return!1;let o=e.context??{source:"registration_match"};return fa.some(a=>a.matches?.(t,r,o))}n(ya,"redirectUriMatchesBuiltInCompatibility");z();var rm=43,nm=128,om=/^[A-Za-z0-9._~-]+$/,zn="S256",xr=i.literal(zn),Ar=i.string().min(rm).max(nm).regex(om);z();var wa=["none","client_secret_post","client_secret_basic"],En=[...wa,"private_key_jwt"],im=["awaiting_login","awaiting_setup"],am=i.string().min(1).brand(),J=i.string().min(1).brand(),Nt=i.uuid().brand(),pe=i.uuid().brand(),vr=i.uuid().brand(),Sa=i.enum(wa),Ra=i.enum(En),L_=i.enum(im),_a=i.object({client_id:J,client_name:i.string().min(1),redirect_uris:i.array(i.string().min(1)).min(1),jwks_uri:i.string().min(1).optional(),token_endpoint_auth_method:Ra.default("none")}).superRefine((e,t)=>{e.token_endpoint_auth_method==="private_key_jwt"&&e.jwks_uri===void 0&&t.addIssue({code:"custom",path:["jwks_uri"],message:"jwks_uri is required for private_key_jwt clients."})}),Mn=i.object({clientId:J,clientName:i.string().min(1),redirectUris:i.array(i.string().min(1)),tokenEndpointAuthMethod:Ra,hashedClientSecret:i.string().optional(),clientSecretExpiresAt:b.optional(),clientExpiresAt:b,revokedAt:b.optional(),createdAt:b}),qn=i.object({clientId:J,resource:i.string(),operationId:G,subjectId:am,scope:i.string(),roles:i.array(i.string()),createdAt:b,expiresAt:b}),B_=qn.extend({id:pe,redirectUri:i.string(),clientState:i.string().optional(),codeChallenge:i.string(),codeChallengeMethod:xr}),Hn=qn.extend({id:Nt,currentRefreshTokenHash:i.string().optional(),previousRefreshTokenHash:i.string().optional(),previousRefreshTokenRotatedAt:b.optional(),revokedAt:b.optional(),revokedReason:i.string().optional()}),Ir=qn.extend({tokenHash:i.string(),grantId:Nt,revokedAt:b.optional()});function Dn(){return pe.parse(crypto.randomUUID())}n(Dn,"createDownstreamAuthorizationTransactionId");function jn(){return vr.parse(crypto.randomUUID())}n(jn,"createDownstreamBrowserLoginStateId");function ba(){return Nt.parse(crypto.randomUUID())}n(ba,"createDownstreamGrantId");var M="mcp:tools";function Ca(e,t){return ya({registeredRedirectUri:e,requestedRedirectUri:t,context:{source:"registration_match"}})}n(Ca,"redirectUriMatchesRegistration");function xa(e){return Z(e)&&e.pathname==="/oauth/dev-login"}n(xa,"isLoopbackDevLoginUrl");function kr(e,t){return new URL(e,Te(t)).toString()}n(kr,"buildGatewayOAuthUrl");function Ln(e){let t=He(G.parse(e.operationId));return new URL(t.routePath,P(e.requestUrl)).toString()}n(Ln,"buildScopedAuthorizationServerIssuer");function sm(e){return new URL(`/oauth/authorize/mcp/${encodeURIComponent(e.operationId)}`,P(e.requestUrl)).toString()}n(sm,"buildScopedAuthorizationEndpoint");function Bn(e){let t=K();return{issuer:Te(e),authorization_endpoint:kr("/oauth/authorize",e),token_endpoint:kr("/oauth/token",e),registration_endpoint:kr("/oauth/register",e),revocation_endpoint:kr("/oauth/revoke",e),response_types_supported:["code"],response_modes_supported:["query"],grant_types_supported:["authorization_code","refresh_token"],scopes_supported:[M],code_challenge_methods_supported:[zn],token_endpoint_auth_methods_supported:En,revocation_endpoint_auth_methods_supported:["client_secret_basic","client_secret_post","private_key_jwt","none"],client_id_metadata_document_supported:t.gateway.cimdEnabled,"x-zuplo-browser-login-kind":_i(t)}}n(Bn,"buildAuthorizationServerMetadata");function Aa(e){let t=Ln(e);return{...Bn(e.requestUrl),issuer:t,authorization_endpoint:sm(e)}}n(Aa,"buildScopedAuthorizationServerMetadata");var va="2025-06-18";async function Ia(e,t){try{let r=G.parse(e.params.operationId),o=He(r);return Response.json(cm(o.operationId,e.url))}catch(r){let o=de(r);return De(e,t,{code:o==="unknown_mcp_route"?o:"not_found",detail:(r instanceof Error?r.message:void 0)??"The requested protected resource metadata document was not found."})}}n(Ia,"protectedResourceMetadataHandler");function cm(e,t){return{resource:ht(e,t),resource_name:e,authorization_servers:[Ln({operationId:e,requestUrl:t})],bearer_methods_supported:["header"],scopes_supported:[M],mcp_protocol_version:va}}n(cm,"buildProtectedResourceMetadataResponseBody");function ht(e,t){let r=He(e);return new URL(r.routePath,P(t)).toString()}n(ht,"buildCanonicalMcpResourceForRoute");function ka(e,t){return new URL(`/.well-known/oauth-protected-resource/mcp/${encodeURIComponent(e)}`,P(t)).toString()}n(ka,"buildProtectedResourceMetadataUrlForRoute");var um=i.record(i.string(),i.unknown()),Ua=i.string().min(1),dm=i.union([Ua.transform(e=>[e]),i.array(Ua)]),q=i.string().min(1).brand(),pm=["zuploSubjectId","zuplo_subject_id","gatewaySubjectId","gateway_subject_id","subjectId","subject_id","https://zuplo.com/subject_id"],lm=["https://zuplo.com/roles","roles","role","permissions","groups"],Ta=new qe("gateway-principal");function mm(e){let t=um.safeParse(e);return t.success?t.data:{}}n(mm,"toClaimRecord");function hm(e){return e.issues[0]?.message??"Gateway principal is invalid"}n(hm,"readValidationFailureDetail");function fm(e,t,r){for(let s of pm){let u=q.safeParse(t[s]);if(u.success)return u.data}let o=q.safeParse(e?.sub);if(!o.success)throw R("identity_context_missing",hm(o.error));let a=typeof t.iss=="string"?t.iss:void 0;return!a||a===Te(r)?o.data:q.parse(`${a}|${o.data}`)}n(fm,"readNormalizedSubjectId");function gm(e){let t=new Set;for(let r of lm){let o=dm.safeParse(e[r]);if(o.success)for(let a of o.data)t.add(a)}return t.size>0?[...t]:void 0}n(gm,"readRoles");function Fe(e,t){let r=mm(e?.data),o={subjectId:fm(e,r,t)},a=gm(r);return a&&(o.roles=a),o}n(Fe,"parseGatewayPrincipal");function Gn(e,t){Ta.set(e,t)}n(Gn,"setGatewayPrincipal");function $n(e){return Ta.get(e)}n($n,"readGatewayPrincipal");function Pa(e,t){let r=$n(t);if(r)return r;let o=Fe(e.user,e.url);return Gn(t,o),br(t,o),o}n(Pa,"readOrHydrateGatewayPrincipal");function Ur(e){let r=['realm="OAuth"',`resource_metadata="${Nn(ka(e.operationId,e.requestUrl))}"`];return e.error!==void 0&&r.push(`error="${e.error}"`),e.errorDescription!==void 0&&r.push(`error_description="${Nn(e.errorDescription)}"`),e.scope!==void 0&&r.push(`scope="${Nn(e.scope)}"`),`Bearer ${r.join(", ")}`}n(Ur,"buildGatewayBearerChallenge");function Nn(e){let t="";for(let r=0;r<e.length;r+=1){let o=e.charCodeAt(r);o<=31||o===127||(t+=e[r])}return t.replaceAll("\\","\\\\").replaceAll('"','\\"')}n(Nn,"sanitizeQuotedHeaderParameter");function Oa(e){let t=bn.safeParse(e);return t.success?t.data.id:void 0}n(Oa,"parseJsonRpcRequestId");function za(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Oa(t)}catch{return}}n(za,"readJsonRpcRequestIdFromBody");async function Ea(e){try{let t=await e.clone().json();return Oa(t)}catch{return}}n(Ea,"readJsonRpcRequestId");function Tr(e){return Sr.parse({jsonrpc:dt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(Tr,"jsonRpcErrorResponse");function Ma(e){return new qt([Un.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(Ma,"urlElicitationRequiredError");z();z();function qa(e){return new w({message:e,extensionMembers:{[y]:"invalid_request"}})}n(qa,"invalidReturnTo");function Pr(e){if(e===void 0||e.length===0)return;if(!e.startsWith("/")||e.startsWith("//"))throw qa("returnTo must be a same-origin relative path.");let t=new URL(e,"https://gateway.local");if(t.origin!=="https://gateway.local"||t.username||t.password||t.hash||t.pathname.startsWith("//"))throw qa("returnTo must be a same-origin relative path without credentials or fragments.");return`${t.pathname}${t.search}`}n(Pr,"parseSafeRelativeReturnTo");z();var ym=["user","shared"],ft=i.enum(ym);function gt(e){return{mode:"user",subjectId:e}}n(gt,"buildUserUpstreamConnectionOwner");function Or(){return{mode:"shared"}}n(Or,"buildSharedUpstreamConnectionOwner");var Ha=i.object({ownerMode:ft,initiatedBySubjectId:q,ownerSubjectId:q.optional(),upstreamServerId:oe,authProfileId:ce,operationId:G,returnTo:i.string().min(1).transform(e=>Pr(e)).optional()});function Da(e,t){e.ownerMode==="user"&&!e.ownerSubjectId&&t.addIssue({code:i.ZodIssueCode.custom,message:"User-owned state requires ownerSubjectId",path:["ownerSubjectId"]}),e.ownerMode==="shared"&&e.ownerSubjectId&&t.addIssue({code:i.ZodIssueCode.custom,message:"Shared state must not include ownerSubjectId",path:["ownerSubjectId"]})}n(Da,"validateUpstreamOwnerState");var yt=Ha.superRefine(Da),ja=Ha.omit({returnTo:!0}).superRefine(Da);function Gt(e){return yt.parse({ownerMode:e.owner.mode,initiatedBySubjectId:e.initiatedBySubjectId,ownerSubjectId:e.owner.mode==="user"?e.owner.subjectId:void 0,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,returnTo:e.returnTo})}n(Gt,"buildUpstreamOwnerState");function zr(e){if(e.ownerMode==="shared")return Or();if(!e.ownerSubjectId)throw new w({message:"User-owned upstream state is missing the owner subject.",extensionMembers:{[y]:"oauth_state_invalid"}});return gt(e.ownerSubjectId)}n(zr,"resolveUpstreamConnectionOwnerFromState");var wm=["active","not_connected","reconsent_required"],Sm=["basic_auth_app_password","bearer_token"],La=i.string().trim().min(1).brand(),wt=i.uuid().brand(),$t=i.uuid().brand(),Zn=i.enum(wm),Rm=i.enum(Sm),Ba=i.object({encryptedClientInformation:i.string().optional(),encryptedDiscoveryState:i.string().optional(),connectedBySubjectId:q.optional()}),_m=Ba.extend({encryptedStaticSecret:i.string().optional(),staticSecretKind:Rm.optional(),staticSecretLabel:i.string().min(1).optional(),staticSecretUsername:i.string().min(1).optional()}).strict(),bm=i.object({id:La,subjectId:q.optional(),ownerMode:ft,upstreamServerId:oe,authProfileId:ce,status:Zn,encryptedAccessToken:i.string().min(1).optional(),encryptedRefreshToken:i.string().min(1).optional(),scopes:i.array(i.string()),expiresAt:b.optional(),metadata:_m.optional(),createdAt:b,updatedAt:b});function Fn(e,t){e.ownerMode==="user"&&(e.subjectId||t.addIssue({code:i.ZodIssueCode.custom,message:"User-owned upstream connections require subjectId",path:["subjectId"]})),e.ownerMode==="shared"&&e.subjectId!==void 0&&t.addIssue({code:i.ZodIssueCode.custom,message:"Shared upstream connections must not include subjectId",path:["subjectId"]})}n(Fn,"validateUpstreamConnectionOwnerShape");var St=bm.superRefine(Fn);function Na(e){return JSON.stringify([e.owner.mode,e.owner.mode==="user"?e.owner.subjectId:"",e.upstreamServerId,e.authProfileId])}n(Na,"readUpstreamConnectionLookupKey");var Kn=yt.extend({id:wt,callbackPath:i.string().min(1),expiresAt:b,codeVerifier:i.string().optional(),redirectUri:i.url(),returnOrigin:i.url().optional()}).extend(Ba.shape);function Ga(e){let t=e?.status??"not_connected",r={connected:t==="active",status:t};return e?.updatedAt!==void 0&&(r.updatedAt=e.updatedAt),r}n(Ga,"readUpstreamConnectionStatus");function $a(){return La.parse(`mcpgw2uc_${crypto.randomUUID()}`)}n($a,"createUpstreamConnectionId");function Za(){return wt.parse(crypto.randomUUID())}n(Za,"createOAuthStateId");function Fa(){return $t.parse(crypto.randomUUID())}n(Fa,"createBrowserConnectTicketId");z();var Jn=i.discriminatedUnion("mode",[i.object({mode:i.literal("user"),subjectId:q}).strict(),i.object({mode:i.literal("shared")}).strict()]),Wa=i.object({owner:Jn,upstreamServerId:oe,authProfileId:ce}).strict(),Ja=i.object({items:i.array(Wa).min(1).max(100)}).strict(),Vn=i.object({items:i.array(i.object({key:i.object({ownerMode:ft,subjectId:q.optional(),upstreamServerId:oe,authProfileId:ce}).strict(),connection:St.strict().optional()}).strict())}).strict(),Va=St.omit({createdAt:!0,updatedAt:!0}).strict().superRefine(Fn),Ya=St.strict(),Xa=i.object({owner:Jn,upstreamServerId:oe,authProfileId:ce}).strict(),Qa=i.object({owner:Jn,upstreamServerId:oe,authProfileId:ce,connection:St.strict().optional(),connectionStatus:i.object({connected:i.boolean(),status:Zn,updatedAt:St.shape.updatedAt.optional()}).strict()}).strict(),Cm=i.enum(["none","client_secret_basic","client_secret_post","private_key_jwt"]),Ke=i.object({clientId:J,clientName:i.string().min(1),tokenEndpointAuthMethod:Cm}).strict(),Yn=i.discriminatedUnion("method",[i.object({method:i.literal("none"),clientId:J}).strict(),i.object({method:i.enum(["client_secret_basic","client_secret_post"]),clientId:J,clientSecretHashInput:i.string().min(1)}).strict(),i.object({method:i.literal("private_key_jwt"),clientId:J}).strict()]),Xn=i.object({id:pe,currentStateHash:i.string().min(1),clientId:J,redirectUri:i.string().min(1),resource:i.string().min(1),operationId:G,clientState:i.string().optional(),scope:i.string(),codeChallenge:i.string().min(1),codeChallengeMethod:i.literal("S256"),setupApprovedAt:b.optional(),createdAt:b,expiresAt:b,consumedAt:b.optional()}).strict(),Ka=Xn.omit({id:!0,consumedAt:!0}).extend({transactionId:pe,client:Ke.optional()}).strict(),Qn=i.object({subjectId:q,roles:i.array(i.string()).optional()}).strict(),xm=Xn.extend({phase:i.literal("awaiting_login")}).strict(),Wn=Xn.extend({phase:i.literal("awaiting_setup"),principal:Qn}).strict(),Am=i.discriminatedUnion("phase",[xm,Wn]),Er=i.object({transaction:Am,client:Ke}).strict(),es=Mn.omit({revokedAt:!0}).strict(),ts=i.discriminatedUnion("kind",[i.object({kind:i.literal("registered"),client:Ke}).strict(),i.object({kind:i.literal("already_exists")}).strict()]),rs=i.object({clientId:J}).strict(),ns=i.discriminatedUnion("kind",[i.object({kind:i.literal("found"),client:Mn.strict()}).strict(),i.object({kind:i.literal("missing")}).strict()]),os=i.discriminatedUnion("phase",[Ka.extend({phase:i.literal("awaiting_login")}).strict(),Ka.extend({phase:i.literal("awaiting_setup"),principal:Qn}).strict()]),is=i.discriminatedUnion("kind",[Er.extend({kind:i.literal("started")}).strict(),i.object({kind:i.literal("invalid_client")}).strict(),i.object({kind:i.literal("redirect_uri_mismatch")}).strict(),i.object({kind:i.literal("already_exists")}).strict()]),as=i.object({transactionId:pe,currentStateHash:i.string().min(1),now:b}).strict(),ss=i.discriminatedUnion("kind",[Er.extend({kind:i.literal("available")}).strict(),i.object({kind:i.literal("stale_hash")}).strict(),i.object({kind:i.literal("consumed")}).strict(),i.object({kind:i.literal("expired")}).strict(),i.object({kind:i.literal("missing")}).strict()]),cs=i.object({transactionId:pe,expectedPhase:i.literal("awaiting_login"),currentStateHash:i.string().min(1),nextStateHash:i.string().min(1),nextPhase:i.literal("awaiting_setup"),principal:Qn,now:b}).strict(),us=i.discriminatedUnion("kind",[Er.extend({kind:i.literal("advanced")}).strict(),i.object({kind:i.literal("wrong_phase"),current:i.enum(["awaiting_login","awaiting_setup"])}).strict(),i.object({kind:i.literal("stale_hash")}).strict(),i.object({kind:i.literal("consumed")}).strict(),i.object({kind:i.literal("expired")}).strict(),i.object({kind:i.literal("missing")}).strict()]),ds=i.object({transactionId:pe,currentStateHash:i.string().min(1),currentPrincipal:i.object({subjectId:q}).strict(),now:b}).strict(),ps=i.discriminatedUnion("kind",[Er.extend({kind:i.literal("marked")}).strict(),i.object({kind:i.literal("wrong_phase"),current:i.enum(["awaiting_login","awaiting_setup"])}).strict(),i.object({kind:i.literal("principal_mismatch")}).strict(),i.object({kind:i.literal("stale_hash")}).strict(),i.object({kind:i.literal("consumed")}).strict(),i.object({kind:i.literal("expired")}).strict(),i.object({kind:i.literal("missing")}).strict()]),ls=i.discriminatedUnion("decision",[i.object({decision:i.literal("approve"),transactionId:pe,currentStateHash:i.string().min(1),currentPrincipal:i.object({subjectId:q}).strict(),authorizationCodeHash:i.string().min(1),authorizationCodeExpiresAt:b,grantId:Nt,now:b}).strict(),i.object({decision:i.literal("cancel"),transactionId:pe,currentStateHash:i.string().min(1),currentPrincipal:i.object({subjectId:q}).strict(),now:b}).strict()]),ms=i.discriminatedUnion("kind",[i.object({kind:i.literal("approved"),transaction:Wn,client:Ke}).strict(),i.object({kind:i.literal("cancelled"),transaction:Wn,client:Ke}).strict(),i.object({kind:i.literal("principal_mismatch")}).strict(),i.object({kind:i.literal("stale_hash")}).strict(),i.object({kind:i.literal("consumed_already")}).strict(),i.object({kind:i.literal("expired")}).strict(),i.object({kind:i.literal("missing")}).strict()]),hs=i.object({clientAuth:Yn,codeHash:i.string().min(1),redirectUri:i.string().min(1),resource:i.string().min(1).optional(),codeChallenge:i.string().min(1),currentRefreshTokenHash:i.string().min(1),accessTokenHash:i.string().min(1),grantExpiresAt:b,accessTokenExpiresAt:b,now:b}).strict(),fs=i.discriminatedUnion("kind",[i.object({kind:i.literal("exchanged"),client:Ke,grant:Hn.strict()}).strict(),i.object({kind:i.literal("invalid_client")}).strict(),i.object({kind:i.literal("consumed")}).strict(),i.object({kind:i.literal("missing")}).strict(),i.object({kind:i.literal("expired")}).strict(),i.object({kind:i.literal("resource_mismatch")}).strict(),i.object({kind:i.literal("binding_mismatch")}).strict()]),gs=i.object({clientAuth:Yn,currentRefreshTokenHash:i.string().min(1),nextRefreshTokenHash:i.string().min(1),accessTokenHash:i.string().min(1),resource:i.string().min(1).optional(),accessTokenExpiresAt:b,now:b}).strict(),ys=i.discriminatedUnion("kind",[i.object({kind:i.literal("rotated"),client:Ke,grant:Hn.strict(),accessToken:Ir.strict(),matched:i.literal("current")}).strict(),i.object({kind:i.literal("invalid_client")}).strict(),i.object({kind:i.literal("missing")}).strict(),i.object({kind:i.literal("expired")}).strict(),i.object({kind:i.literal("resource_mismatch")}).strict(),i.object({kind:i.literal("previous_token_grace")}).strict(),i.object({kind:i.literal("revoked")}).strict()]),ws=i.object({clientAuth:Yn,tokenHash:i.string().min(1),now:b}).strict(),Ss=i.discriminatedUnion("kind",[i.object({kind:i.literal("revoked_access_token")}).strict(),i.object({kind:i.literal("revoked_grant")}).strict(),i.object({kind:i.literal("client_mismatch")}).strict(),i.object({kind:i.literal("missing")}).strict(),i.object({kind:i.literal("invalid_client")}).strict()]),Rs=i.object({tokenHash:i.string().min(1),now:b}).strict(),_s=i.discriminatedUnion("kind",[i.object({kind:i.literal("valid"),record:Ir.strict()}).strict(),i.object({kind:i.literal("missing")}).strict(),i.object({kind:i.literal("expired")}).strict(),i.object({kind:i.literal("revoked")}).strict()]),bs=i.object({accessTokenHash:i.string().min(1),resource:i.string().min(1),operationId:G,upstreamConnectionKeys:i.array(Wa).max(100),now:b}).strict(),Cs=i.discriminatedUnion("kind",[i.object({kind:i.literal("authorized"),principal:i.object({subjectId:q,roles:i.array(i.string())}).strict(),accessToken:Ir.strict(),upstreamConnections:Vn.shape.items.optional().default([])}).strict(),i.object({kind:i.literal("missing")}).strict(),i.object({kind:i.literal("expired")}).strict(),i.object({kind:i.literal("revoked")}).strict(),i.object({kind:i.literal("resource_mismatch")}).strict(),i.object({kind:i.literal("principal_mismatch")}).strict()]),xs=i.object({record:Kn}).strict(),As=i.object({kind:i.literal("saved")}).strict(),vs=i.object({id:wt,now:b}).strict(),Is=i.discriminatedUnion("kind",[i.object({kind:i.literal("available"),record:Kn}).strict(),i.object({kind:i.literal("consumed")}).strict(),i.object({kind:i.literal("missing")}).strict()]),ks=i.object({id:$t,expiresAt:b,now:b}).strict(),Us=i.discriminatedUnion("kind",[i.object({kind:i.literal("available")}).strict(),i.object({kind:i.literal("consumed")}).strict()]);var Ts=100,vm=new Set(["undefined","null","nan"]);function Ps(e){return e!==null&&typeof e=="object"}n(Ps,"isProblemDetailsShape");var Os="bckt_";function V(e){let t=nt.instance.runtime.ZUPLO_SERVICE_BUCKET_ID;if(!t)throw We("internal_server_error","MCP Gateway runtime storage requires ZUPLO_SERVICE_BUCKET_ID.");if(!t.startsWith(Os))throw We("internal_server_error",`MCP Gateway runtime storage bucket ID must start with "${Os}".`);return`/zups/v2/buckets/${encodeURIComponent(t)}/mcp/storage/${e}`}n(V,"buildStoragePath");function Im(){return V("upstream-connections/batch-get")}n(Im,"buildBatchGetUpstreamConnectionsPath");function km(){return V("upstream-connections/upsert")}n(km,"buildUpsertUpstreamConnectionPath");function Um(){return V("authorization/read-setup")}n(Um,"buildReadAuthorizationSetupPath");function Tm(){return V("oauth/register-client")}n(Tm,"buildRegisterClientPath");function Pm(){return V("oauth/read-client")}n(Pm,"buildReadClientPath");function Om(){return V("authorization/start")}n(Om,"buildStartAuthorizationPath");function zm(){return V("authorization/read-pending")}n(zm,"buildReadPendingAuthorizationPath");function Em(){return V("authorization/advance-pending")}n(Em,"buildAdvancePendingAuthorizationPath");function Mm(){return V("authorization/mark-setup-approved")}n(Mm,"buildMarkAuthorizationSetupApprovedPath");function qm(){return V("authorization/decide-setup")}n(qm,"buildDecideAuthorizationSetupPath");function Hm(){return V("token/exchange-authorization-code")}n(Hm,"buildExchangeAuthorizationCodePath");function Dm(){return V("token/refresh")}n(Dm,"buildRefreshTokenPath");function jm(){return V("token/revoke")}n(jm,"buildRevokeOAuthTokenPath");function Lm(){return V("token/validate-access-token")}n(Lm,"buildValidateAccessTokenPath");function Bm(){return V("mcp/authorize-and-load-connections")}n(Bm,"buildAuthorizeAndLoadConnectionsPath");function Nm(){return V("upstream-oauth-state/save")}n(Nm,"buildSaveUpstreamOAuthStatePath");function Gm(){return V("upstream-oauth-state/consume")}n(Gm,"buildConsumeUpstreamOAuthStatePath");function $m(){return V("browser-connect-ticket/consume")}n($m,"buildConsumeBrowserConnectTicketPath");function Zm(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}n(Zm,"responseKeyMatchesLookup");function Fm(e,t){return e.owner.mode===t.owner.mode&&(e.owner.mode==="user"?e.owner.subjectId:"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}n(Fm,"authorizationSetupMatchesLookup");function Ms(e,t){return e.ownerMode===t.owner.mode&&(e.subjectId??"")===(t.owner.mode==="user"?t.owner.subjectId:"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId}n(Ms,"connectionMatchesLookup");function Km(e,t){return e.ownerMode===t.ownerMode&&(e.subjectId??"")===(t.subjectId??"")&&e.upstreamServerId===t.upstreamServerId&&e.authProfileId===t.authProfileId&&e.status===t.status&&(e.encryptedAccessToken??"")===(t.encryptedAccessToken??"")&&(e.encryptedRefreshToken??"")===(t.encryptedRefreshToken??"")&&ro(e.scopes,t.scopes)&&to(e.expiresAt,t.expiresAt)&&Wm(e.metadata,t.metadata)}n(Km,"connectionMatchesUpsertRecord");function to(e,t){return e===void 0||t===void 0?e===t:Date.parse(e)===Date.parse(t)}n(to,"optionalTimestampInstantsMatch");function zs(e,t){return Date.parse(e)<=Date.parse(t)}n(zs,"timestampInstantIsAtOrBefore");function ro(e,t){return e.length===t.length&&e.every((r,o)=>r===t[o])}n(ro,"stringArraysMatch");function Wm(e,t){let r=Es(e),o=Es(t),a=Object.fromEntries(o);return r.length===o.length&&r.every(([s,u])=>a[s]===u)}n(Wm,"metadataMatches");function Es(e){return Object.entries(e??{}).filter(t=>t[1]!==void 0)}n(Es,"definedMetadataEntries");function H(e,t){throw We("internal_server_error",e,t)}n(H,"throwInvalidStorageResponse");function We(e,t,r){let o=fr[e],a=o.status<500,s=a?r:new Error(t,r===void 0?void 0:{cause:r});return new w({message:a?t:o.publicDetail,extensionMembers:{[y]:e}},s===void 0?void 0:{cause:s})}n(We,"storageRuntimeError");async function Jm(e,t){try{let r=await e.json();return r&&typeof r=="object"&&!Array.isArray(r)&&delete r.$schema,t.parse(r)}catch(r){H("Gateway Service storage response did not match the runtime storage contract.",r)}}n(Jm,"parseRuntimeHttpStorageResponse");function qs(e,t){e.length!==t.length&&H("Gateway Service storage response item count did not match the request.");for(let[r,o]of e.entries()){let a=t[r];Zm(o.key,a)||H("Gateway Service storage response key did not match the request."),o.connection!==void 0&&!Ms(o.connection,a)&&H("Gateway Service storage response connection did not match the response key.")}}n(qs,"validateUpstreamConnectionItemsMatchLookups");function Vm(e,t){Fm(e,t)||H("Gateway Service storage response authorization setup did not match the request."),e.connection!==void 0&&!Ms(e.connection,t)&&H("Gateway Service storage response authorization setup connection did not match the request.");let r=e.connection?.status==="active",o=e.connection?.status??"not_connected",a=e.connection?.updatedAt;(e.connectionStatus.connected!==r||e.connectionStatus.status!==o||!to(e.connectionStatus.updatedAt,a))&&H("Gateway Service storage response authorization setup status did not match the connection.")}n(Vm,"validateAuthorizationSetupResponseMatchesLookup");function Ym(e,t){e.kind==="registered"&&(e.client.clientId!==t.clientId||e.client.clientName!==t.clientName||e.client.tokenEndpointAuthMethod!==t.tokenEndpointAuthMethod)&&H("Gateway Service storage response registered client did not match the request.")}n(Ym,"validateRegisterClientResponseMatchesRequest");function Xm(e,t){e.kind==="found"&&e.client.clientId!==t.clientId&&H("Gateway Service storage response client did not match the request.")}n(Xm,"validateReadClientResponseMatchesRequest");function Qm(e,t){e.kind==="started"&&((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.phase!==t.phase||e.transaction.clientId!==t.clientId||e.transaction.redirectUri!==t.redirectUri||e.transaction.resource!==t.resource||e.transaction.operationId!==t.operationId||(e.transaction.clientState??"")!==(t.clientState??"")||e.transaction.scope!==t.scope||e.transaction.codeChallenge!==t.codeChallenge||e.transaction.codeChallengeMethod!==t.codeChallengeMethod)&&H("Gateway Service storage response started authorization did not match the request."),t.phase==="awaiting_setup"&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&H("Gateway Service storage response started authorization principal did not match the request."))}n(Qm,"validateStartAuthorizationResponseMatchesRequest");function eo(e,t){e.kind!=="available"&&e.kind!=="advanced"&&e.kind!=="marked"||((e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==("nextStateHash"in t?t.nextStateHash:t.currentStateHash))&&H("Gateway Service storage response pending authorization did not match the request."),"nextPhase"in t&&(e.transaction.phase!==t.nextPhase||e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.principal.subjectId)&&H("Gateway Service storage response advanced authorization did not match the request."),"currentPrincipal"in t&&(e.transaction.phase!=="awaiting_setup"||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&H("Gateway Service storage response marked authorization principal did not match the request."),e.kind==="marked"&&"currentPrincipal"in t&&e.transaction.setupApprovedAt!==t.now&&H("Gateway Service storage response marked authorization setup approval timestamp did not match the request."))}n(eo,"validatePendingAuthorizationResponseMatchesRequest");function eh(e,t){e.kind!=="approved"&&e.kind!=="cancelled"||(e.transaction.id!==t.transactionId||e.transaction.currentStateHash!==t.currentStateHash||e.transaction.principal.subjectId!==t.currentPrincipal.subjectId)&&H("Gateway Service storage response authorization setup transaction did not match the request.")}n(eh,"validateAuthorizationSetupDecisionResponseMatchesRequest");function th(e,t){e.kind==="exchanged"&&(e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.currentRefreshTokenHash||!to(e.grant.expiresAt,t.grantExpiresAt)||t.resource!==void 0&&e.grant.resource!==t.resource)&&H("Gateway Service storage response authorization-code exchange did not match the request.")}n(th,"validateExchangeAuthorizationCodeResponseMatchesRequest");function rh(e,t){e.kind==="rotated"&&((e.client.clientId!==t.clientAuth.clientId||e.client.tokenEndpointAuthMethod!==t.clientAuth.method||e.grant.clientId!==t.clientAuth.clientId||e.grant.currentRefreshTokenHash!==t.nextRefreshTokenHash||e.grant.previousRefreshTokenHash!==t.currentRefreshTokenHash||t.resource!==void 0&&e.grant.resource!==t.resource)&&H("Gateway Service storage response token refresh grant did not match the request."),(e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.grantId!==e.grant.id||!zs(e.accessToken.expiresAt,t.accessTokenExpiresAt)||!zs(e.accessToken.expiresAt,e.grant.expiresAt)||!ih(e.accessToken,e.grant))&&H("Gateway Service storage response token refresh access token did not match the request."))}n(rh,"validateRefreshTokenResponseMatchesRequest");function nh(e,t){e.kind==="valid"&&e.record.tokenHash!==t.tokenHash&&H("Gateway Service storage response access token did not match the request.")}n(nh,"validateAccessTokenValidationResponseMatchesRequest");function oh(e,t){e.kind==="authorized"&&((e.accessToken.tokenHash!==t.accessTokenHash||e.accessToken.resource!==t.resource||e.accessToken.operationId!==t.operationId||e.principal.subjectId!==e.accessToken.subjectId||!ro(e.principal.roles,e.accessToken.roles))&&H("Gateway Service storage response MCP authorization did not match the request."),qs(e.upstreamConnections,t.upstreamConnectionKeys))}n(oh,"validateAuthorizeAndLoadConnectionsResponseMatchesRequest");function ih(e,t){return e.clientId===t.clientId&&e.resource===t.resource&&e.operationId===t.operationId&&e.subjectId===t.subjectId&&e.scope===t.scope&&ro(e.roles,t.roles)}n(ih,"accessTokenMatchesGrant");async function ah(e){try{return await e.clone().json()}catch{return}}n(ah,"readProblemDetails");async function sh(e){let t=await ah(e),r=Ps(t)&&typeof t.status=="number"?t.status:e.status,o=Ps(t)&&Ie(t.code)?t.code:Ui(r);throw We(o,`Gateway Service storage request failed with HTTP ${r}.`)}n(sh,"throwRuntimeHttpStorageError");var Mr=class{static{n(this,"RuntimeHttpStorageClient")}#t;#r;constructor(t){this.#t=t.baseUrl??nt.instance.zuploEdgeApiUrl,this.#r=t.fetch??fetch}#n(t){let r;try{r=new URL(t,this.#t)}catch(o){throw We("internal_server_error",`Gateway Service storage base URL is not a valid URL. Got ${JSON.stringify(this.#t)}. Verify the gateway runtime configuration.`,o)}if(r.protocol!=="https:"&&r.protocol!=="http:")throw We("internal_server_error",`Gateway Service storage base URL must use http(s); got protocol "${r.protocol}" from ${JSON.stringify(this.#t)}.`);if(!r.hostname||vm.has(r.hostname))throw We("internal_server_error",`Gateway Service storage base URL has an invalid hostname "${r.hostname}" (parsed from ${JSON.stringify(this.#t)}). The configured value is likely coerced from an unset environment variable.`);return r}async#e(t){let r=t.requestSchema.parse(t.input),o=this.#n(t.path),a=new Headers({"Content-Type":"application/json"});ii(a);let s=await this.#r(o,{method:"POST",headers:a,body:JSON.stringify(r)});return s.ok||await sh(s),{request:r,response:await Jm(s,t.responseSchema)}}async batchGetUpstreamConnections(t){if(t.length===0)return[];let r=[],o=new Map,a=t.map(u=>{let d=Na(u),p=o.get(d);if(p!==void 0)return p;let h=r.length;return r.push(u),o.set(d,h),h}),s=[];for(let u=0;u<r.length;u+=Ts){let d=r.slice(u,u+Ts);s.push(...await this.#o(d))}return a.map(u=>s[u])}async upsertUpstreamConnection(t){let{request:r,response:o}=await this.#e({input:t,path:km(),requestSchema:Va,responseSchema:Ya});return Km(o,r)||H("Gateway Service storage response connection did not match the request."),o}async readAuthorizationSetup(t){let{request:r,response:o}=await this.#e({input:t,path:Um(),requestSchema:Xa,responseSchema:Qa});return Vm(o,r),o}async registerClient(t){let{request:r,response:o}=await this.#e({input:t,path:Tm(),requestSchema:es,responseSchema:ts});return Ym(o,r),o}async readClient(t){let{request:r,response:o}=await this.#e({input:t,path:Pm(),requestSchema:rs,responseSchema:ns});return Xm(o,r),o}async startAuthorization(t){let{request:r,response:o}=await this.#e({input:t,path:Om(),requestSchema:os,responseSchema:is});return Qm(o,r),o}async readPendingAuthorization(t){let{request:r,response:o}=await this.#e({input:t,path:zm(),requestSchema:as,responseSchema:ss});return eo(o,r),o}async advancePendingAuthorization(t){let{request:r,response:o}=await this.#e({input:t,path:Em(),requestSchema:cs,responseSchema:us});return eo(o,r),o}async markAuthorizationSetupApproved(t){let{request:r,response:o}=await this.#e({input:t,path:Mm(),requestSchema:ds,responseSchema:ps});return eo(o,r),o}async decideAuthorizationSetup(t){let{request:r,response:o}=await this.#e({input:t,path:qm(),requestSchema:ls,responseSchema:ms});return eh(o,r),o}async saveUpstreamOAuthState(t){let{response:r}=await this.#e({input:t,path:Nm(),requestSchema:xs,responseSchema:As});return r}async consumeUpstreamOAuthState(t){let{request:r,response:o}=await this.#e({input:t,path:Gm(),requestSchema:vs,responseSchema:Is});return o.kind==="available"&&o.record.id!==r.id&&H("Gateway Service storage response upstream OAuth state did not match the request."),o}async consumeBrowserConnectTicket(t){let{response:r}=await this.#e({input:t,path:$m(),requestSchema:ks,responseSchema:Us});return r}async exchangeAuthorizationCode(t){let{request:r,response:o}=await this.#e({input:t,path:Hm(),requestSchema:hs,responseSchema:fs});return th(o,r),o}async refreshToken(t){let{request:r,response:o}=await this.#e({input:t,path:Dm(),requestSchema:gs,responseSchema:ys});return rh(o,r),o}async revokeOAuthToken(t){let{response:r}=await this.#e({input:t,path:jm(),requestSchema:ws,responseSchema:Ss});return r}async validateAccessToken(t){let{request:r,response:o}=await this.#e({input:t,path:Lm(),requestSchema:Rs,responseSchema:_s});return nh(o,r),o}async authorizeAndLoadConnections(t){let{request:r,response:o}=await this.#e({input:t,path:Bm(),requestSchema:bs,responseSchema:Cs});return oh(o,r),o}async#o(t){let r={items:[...t]},{response:o}=await this.#e({input:r,path:Im(),requestSchema:Ja,responseSchema:Vn});return qs(o.items,t),o.items.map(a=>a.connection)}};var ch="__zuploMcpGatewayStorageBackend",no;function uh(){return new Mr({})}n(uh,"buildProductionStorageBackend");function A(){let e=globalThis[ch];return e||(no||(no=uh()),no)}n(A,"getStorage");function dh(e,t){let r=$n(e),o=mr(e),a=t.ownerMode??t.routeBinding?.ownerMode,s=t.upstreamAuthMode??t.routeBinding?.authMode,u=t.virtualServerName??t.routeBinding?.operationId??o?.operationId,d=t.upstreamServerName??t.routeBinding?.upstreamServerId??o?.upstreamServerId,p=t.upstreamServerTitle??t.routeBinding?.upstreamDisplayName,h=t.authProfileId??t.routeBinding?.authProfileId??o?.authProfileId;return fi(e,{...t,subjectId:r?.subjectId,ownerMode:a,upstreamAuthMode:s,virtualServerName:u,upstreamServerName:d,upstreamServerTitle:p,authProfileId:h})}n(dh,"buildMcpAnalyticsMetadata");function I(e,t){try{e.analyticsContext.addAnalyticsEvent(t.value??1,t.eventType,dh(e,t),t.unit)}catch(r){e.log?.warn?.({event:"mcp_analytics_emit_failed",errorName:r instanceof Error?r.name:"unknown"})}}n(I,"emitMcpAnalyticsEvent");import{base64url as oo}from"jose";var ph="sha256:",lh=32;function Hs(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Hs,"copyToArrayBuffer");function Pe(){let e=crypto.getRandomValues(new Uint8Array(lh));return oo.encode(e)}n(Pe,"createOpaqueToken");async function E(e){let t=await crypto.subtle.digest("SHA-256",Hs(new TextEncoder().encode(e)));return`${ph}${oo.encode(new Uint8Array(t))}`}n(E,"hashOpaqueValue");async function Ds(e){let t=await crypto.subtle.digest("SHA-256",Hs(new TextEncoder().encode(e)));return oo.encode(new Uint8Array(t))}n(Ds,"calculatePkceS256Challenge");var mh=ke.InvalidRequest;function hh(e){let t=e.headers.get("authorization"),[r,o]=t?.split(/\s+/,2)??[];if(!(r?.toLowerCase()!=="bearer"||!o))return o}n(hh,"readBearerToken");function fh(e,t,r){return De(e,t,{code:"authentication_required",detail:"Gateway access token is required.",headers:{"WWW-Authenticate":r}})}n(fh,"gatewayAuthenticationRequiredResponse");function gh(e){switch(e){case"expired":return"expired_token";case"revoked":return"revoked_token";case"missing":return"invalid_token";default:{let t=e;return"invalid_token"}}}n(gh,"tokenValidationReasonCode");async function yh(e,t,r){let o=await A().validateAccessToken({tokenHash:await E(e),now:x(new Date)});if(o.kind!=="valid"){t.log.warn({event:"gateway_access_token_validate_failed",code:"authentication_required",validationKind:o.kind,operationId:r},"Gateway access token validation failed");let a=gh(o.kind);throw I(t,{eventType:v.MCP_AUTH_DOWNSTREAM_TOKEN_REJECTED,outcome:"failure",virtualServerName:r,reasonClass:"auth",reasonCode:a,attributes:{validationKind:o.kind}}),I(t,{eventType:v.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:r,httpStatusCode:401,reasonClass:"auth",reasonCode:a}),R("authentication_required","Gateway access token is expired, revoked, or invalid.")}return o.record}n(yh,"validateGatewayAccessToken");function wh(e,t){if(e.accessToken.resource!==e.resource||e.accessToken.operationId!==e.operationId)throw t.log.warn({event:"gateway_access_token_resource_mismatch",code:"authentication_required",expectedResource:e.resource,tokenResource:e.accessToken.resource,expectedOperationId:e.operationId,tokenOperationId:e.accessToken.operationId,clientId:e.accessToken.clientId},"Gateway access token resource does not match the requested MCP resource"),I(t,{eventType:v.MCP_AUTH_DOWNSTREAM_TOKEN_REJECTED,outcome:"failure",virtualServerName:e.operationId,reasonClass:"auth",reasonCode:"invalid_audience"}),I(t,{eventType:v.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:e.operationId,httpStatusCode:401,reasonClass:"auth",reasonCode:"invalid_audience"}),R("authentication_required","Gateway access token was not issued for this MCP resource.")}n(wh,"assertAccessTokenResource");function Sh(e,t,r){return De(e,t,{code:"forbidden",detail:"Gateway access token is missing the required MCP scope.",headers:{"WWW-Authenticate":Ur({operationId:r,requestUrl:e.url,error:"insufficient_scope",errorDescription:`The access token is missing the ${M} scope required by this MCP resource.`,scope:M})}})}n(Sh,"insufficientScopeResponse");function Rh(e){return{subjectId:e.subjectId,roles:e.roles}}n(Rh,"principalFromAccessToken");async function js(e){return Response.json(Tr({id:await Ea(e.request),error:{code:mh,message:e.message}}))}n(js,"mcpAuthorizationDeniedResponse");async function _h(e){switch((await A().authorizeAndLoadConnections({accessTokenHash:await E(e.token),resource:e.resource,operationId:e.operationId,upstreamConnectionKeys:[],now:x(new Date)})).kind){case"authorized":return;case"resource_mismatch":return js({request:e.request,message:"Gateway access token was not issued for this MCP resource."});case"principal_mismatch":return js({request:e.request,message:"Gateway access token principal does not match this MCP resource."});case"missing":case"expired":case"revoked":throw R("authentication_required","Gateway access token is expired, revoked, or invalid.")}}n(_h,"assertCompositeMcpAuthorization");function bh(e){let t=de(e.error),r={event:"gateway_access_token_rejected",code:t??"authentication_required",operationId:e.operationId};return e.error instanceof Error?(r.errorName=e.error.name,r.errorMessage=e.error.message):e.error!==void 0&&e.error!==null&&(r.errorMessage=String(e.error)),e.context.log.warn(r,"Gateway access token rejected; MCP request denied"),De(e.request,e.context,{code:t??"authentication_required",detail:e.error instanceof Error?e.error.message:"Gateway access token could not be verified.",headers:{"WWW-Authenticate":Ur({operationId:e.operationId,requestUrl:e.request.url,error:"invalid_token",errorDescription:"The access token is expired, malformed, or invalid."})}})}n(bh,"gatewayTokenRejectedResponse");async function io(e,t,r){let o=ht(r.operationId,e.url),a=hh(e),s=Ur({operationId:r.operationId,requestUrl:e.url});if(!a)return t.log.debug({event:"gateway_access_token_missing",code:"authentication_required",operationId:r.operationId,hasAuthorizationHeader:e.headers.get("authorization")!==null},"MCP request did not include a gateway access token"),I(t,{eventType:v.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:r.operationId,httpStatusCode:401,reasonClass:"auth",reasonCode:"missing_token"}),fh(e,t,s);try{let u=await yh(a,t,r.operationId);if(wh({accessToken:u,resource:o,operationId:r.operationId},t),u.scope!==M)return t.log.warn({event:"gateway_access_token_insufficient_scope",code:"forbidden",tokenScope:u.scope,requiredScope:M,operationId:r.operationId,clientId:u.clientId},"Gateway access token does not have the required MCP scope"),I(t,{eventType:v.MCP_AUTH_DOWNSTREAM_TOKEN_REJECTED,outcome:"failure",virtualServerName:r.operationId,reasonClass:"auth",reasonCode:"insufficient_scope",attributes:{tokenScope:u.scope,requiredScope:M,clientId:u.clientId}}),I(t,{eventType:v.MCP_REQUEST_REJECTED,outcome:"failure",virtualServerName:r.operationId,httpStatusCode:403,reasonClass:"auth",reasonCode:"insufficient_scope"}),Sh(e,t,r.operationId);let d=await _h({token:a,resource:o,operationId:r.operationId,request:e});if(d)return d;let p=Rh(u);Gn(t,p),br(t,p),I(t,{eventType:v.MCP_AUTH_DOWNSTREAM_TOKEN_VALIDATED,outcome:"success",virtualServerName:r.operationId,attributes:{clientId:u.clientId}});let h=new Headers(e.headers);return h.delete("authorization"),new lr(e,{headers:h})}catch(u){return bh({request:e,context:t,error:u,operationId:r.operationId})}}n(io,"gatewayTokenInbound");var Rt={OAUTH_PROTECTED_RESOURCE_METADATA:"oauth_metadata",VIRTUAL_MCP_SERVER:"gateway",OTHER:"other"},Ch="oauth-protected-resource-metadata",xh="/.well-known/oauth-protected-resource/";function Ah(e){let r=(typeof e.route.raw=="function"?e.route.raw():void 0)?.operationId;return typeof r=="string"?r:void 0}n(Ah,"readRouteOperationId");function vh(e){return e.hasGatewayRouteContext?Rt.VIRTUAL_MCP_SERVER:e.routeOperationId===Ch||e.routeOperationId===void 0&&e.routePath.startsWith(xh)?Rt.OAUTH_PROTECTED_RESOURCE_METADATA:Rt.OTHER}n(vh,"classifyAnalyticsRouteSurface");function Ih(e){let t=e.route.path;return{routePath:t,routeSurface:vh({routePath:t,routeOperationId:Ah(e),hasGatewayRouteContext:mr(e)!==void 0})}}n(Ih,"readAnalyticsRequestContext");function kh(e){return e.response.status===405&&e.response.headers.has("allow")&&e.routeSurface===Rt.VIRTUAL_MCP_SERVER}n(kh,"isIntentionalMethodRejection");function Uh(e){return kh(e)||e.response.status===401&&e.routeSurface===Rt.OAUTH_PROTECTED_RESOURCE_METADATA?"success":e.response.status>=400?"failure":"success"}n(Uh,"classifyRequestCompletedOutcome");async function ao(e,t){let r=Date.now(),o=Ih(t);return I(t,{eventType:v.MCP_REQUEST_RECEIVED,outcome:"success",routeSurface:o.routeSurface,httpMethod:e.method}),sn.getContextExtensions(t).addHandlerResponseHook(a=>{let s=Uh({response:a,routeSurface:o.routeSurface});I(t,{eventType:v.MCP_REQUEST_COMPLETED,outcome:s,routeSurface:o.routeSurface,httpStatusCode:a.status,httpMethod:e.method,latencyMs:Date.now()-r})}),e}n(ao,"analyticsContextInbound");function Th(e){return e instanceof Response}n(Th,"isResponse");async function Mt(e,t){let r=ca(t.route.path),o={operationId:r.operationId};wi(t,o),la(t,o);let a=await ao(e,t);return Th(a)?a:io(a,t,{operationId:r.operationId})}n(Mt,"mcpOAuthInboundPolicy");var Ph=i.string({error:"auth0Domain is required and must be a string"}).trim().min(1,"auth0Domain is required (commonly set via $env(AUTH0_DOMAIN))").refine(e=>!/[:/]/.test(e),{message:'auth0Domain must be a bare hostname (e.g. "tenant.us.auth0.com"); drop the "https://" prefix and any trailing path'}).refine(e=>e.includes("."),{message:'auth0Domain must be a fully-qualified domain name with at least one dot (e.g. "tenant.us.auth0.com"). If the value looks like "undefined" or is empty, the configured environment variable is likely unset.'}),Oh=i.object({auth0Domain:Ph,audience:i.string().trim().min(1).optional(),clientId:i.string({error:"clientId is required and must be a string"}).trim().min(1,"clientId is required (commonly set via $env(AUTH0_CLIENT_ID))"),clientSecret:i.string({error:"clientSecret is required and must be a string"}).trim().min(1,"clientSecret is required (commonly set via $env(AUTH0_CLIENT_SECRET))"),scope:i.string().trim().min(1).optional(),gateway:i.object({accessTokenTtlSeconds:i.number().int().positive().optional(),refreshTokenTtlSeconds:i.number().int().positive().optional(),cimdEnabled:i.boolean().optional()}).strict().optional(),browserLoginOverrides:i.object({remoteTimeoutMs:i.number().int().positive().optional(),stateTtlSeconds:i.number().int().positive().optional(),sessionTtlSeconds:i.number().int().positive().optional()}).strict().optional()}).strict(),so=class extends it{static{n(this,"McpAuth0OAuthInboundPolicy")}#t;constructor(t,r){let o=Ls(t,r);super(o,r),this.#t=Bs(o,r)}async handler(t,r){return ot("policy.inbound.mcp-auth0-oauth"),st(r,this.#t),Mt(t,r)}};function Ls(e,t){return hr(Oh,e,`MCP Auth0 OAuth policy "${t}"`)}n(Ls,"parseAuth0OAuthOptions");function Ii(e,t="mcp-auth0-oauth-inbound"){let r=Ls(e,t);return Bs(r,t)}n(Ii,"auth0OptionsToMcpOAuthRuntimeConfig");function Bs(e,t){let r=`https://${e.auth0Domain}/`,o=`https://${e.auth0Domain}/.well-known/jwks.json`,a=`https://${e.auth0Domain}/authorize`,s=`https://${e.auth0Domain}/oauth/token`;try{return Ci({oidc:{issuer:r,jwksUrl:o,...e.audience===void 0?{}:{audience:e.audience}},browserLogin:{url:a,tokenUrl:s,clientId:e.clientId,clientSecret:e.clientSecret,scope:e.scope??"openid profile email",...e.audience===void 0?{}:{audience:e.audience},...e.browserLoginOverrides??{}},gateway:e.gateway})}catch(u){let d=u instanceof Error?` Validation failed: ${u.message}`:"";throw new _(`MCP Auth0 OAuth policy "${t}" is misconfigured. Check the policy options in policies.json.${d}`,u instanceof Error?{cause:u}:void 0)}}n(Bs,"buildAuth0McpOAuthRuntimeConfig");function je(e){let t=ye().connectionsById.get(e);if(!t)throw new _(`Unknown upstream server "${e}". Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(je,"getUpstreamServerConfig");function zh(e){let t=ye().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new _(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(zh,"resolveUpstreamAuthProfileId");function co(e){zh(e);let t=ye().connectionsById.get(e.upstreamServerId);if(!t)throw new _(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(co,"getUpstreamAuthConfig");function Je(e,t){let r=co({upstreamServerId:e,authProfileId:t});if(!ia(r))throw new _(`Upstream server "${e}" does not use upstream OAuth. Select an auth mode that supports the requested upstream connect flow or remove the upstream OAuth route for this server.`);return r.oauth}n(Je,"requireUpstreamOAuthConfig");var Eh={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"}};function Re(e){return Eh[e]}n(Re,"describeUpstreamAuthMode");function qr(e){return Re(e).ownerMode}n(qr,"resolveOwnerModeForUpstreamAuthMode");var uo;uo=globalThis.crypto;async function Mh(e){return(await uo).getRandomValues(new Uint8Array(e))}n(Mh,"getRandomValues");async function qh(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let a=await Mh(e-o.length);for(let s of a)s<r&&(o+=t[s%t.length])}return o}n(qh,"random");async function Hh(e){return await qh(e)}n(Hh,"generateVerifier");async function Dh(e){let t=await(await uo).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(Dh,"generateChallenge");async function po(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await Hh(e),r=await Dh(t);return{code_verifier:t,code_challenge:r}}n(po,"pkceChallenge");z();var ee=ui().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:mi.custom,message:"URL must be parseable",fatal:!0}),si}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),Hr=$({resource:c().url(),authorization_servers:l(ee).optional(),jwks_uri:c().url().optional(),scopes_supported:l(c()).optional(),bearer_methods_supported:l(c()).optional(),resource_signing_alg_values_supported:l(c()).optional(),resource_name:c().optional(),resource_documentation:c().optional(),resource_policy_uri:c().url().optional(),resource_tos_uri:c().url().optional(),tls_client_certificate_bound_access_tokens:U().optional(),authorization_details_types_supported:l(c()).optional(),dpop_signing_alg_values_supported:l(c()).optional(),dpop_bound_access_tokens_required:U().optional()}),Zt=$({issuer:c(),authorization_endpoint:ee,token_endpoint:ee,registration_endpoint:ee.optional(),scopes_supported:l(c()).optional(),response_types_supported:l(c()),response_modes_supported:l(c()).optional(),grant_types_supported:l(c()).optional(),token_endpoint_auth_methods_supported:l(c()).optional(),token_endpoint_auth_signing_alg_values_supported:l(c()).optional(),service_documentation:ee.optional(),revocation_endpoint:ee.optional(),revocation_endpoint_auth_methods_supported:l(c()).optional(),revocation_endpoint_auth_signing_alg_values_supported:l(c()).optional(),introspection_endpoint:c().optional(),introspection_endpoint_auth_methods_supported:l(c()).optional(),introspection_endpoint_auth_signing_alg_values_supported:l(c()).optional(),code_challenge_methods_supported:l(c()).optional(),client_id_metadata_document_supported:U().optional()}),jh=$({issuer:c(),authorization_endpoint:ee,token_endpoint:ee,userinfo_endpoint:ee.optional(),jwks_uri:ee,registration_endpoint:ee.optional(),scopes_supported:l(c()).optional(),response_types_supported:l(c()),response_modes_supported:l(c()).optional(),grant_types_supported:l(c()).optional(),acr_values_supported:l(c()).optional(),subject_types_supported:l(c()),id_token_signing_alg_values_supported:l(c()),id_token_encryption_alg_values_supported:l(c()).optional(),id_token_encryption_enc_values_supported:l(c()).optional(),userinfo_signing_alg_values_supported:l(c()).optional(),userinfo_encryption_alg_values_supported:l(c()).optional(),userinfo_encryption_enc_values_supported:l(c()).optional(),request_object_signing_alg_values_supported:l(c()).optional(),request_object_encryption_alg_values_supported:l(c()).optional(),request_object_encryption_enc_values_supported:l(c()).optional(),token_endpoint_auth_methods_supported:l(c()).optional(),token_endpoint_auth_signing_alg_values_supported:l(c()).optional(),display_values_supported:l(c()).optional(),claim_types_supported:l(c()).optional(),claims_supported:l(c()).optional(),service_documentation:c().optional(),claims_locales_supported:l(c()).optional(),ui_locales_supported:l(c()).optional(),claims_parameter_supported:U().optional(),request_parameter_supported:U().optional(),request_uri_parameter_supported:U().optional(),require_request_uri_registration:U().optional(),op_policy_uri:ee.optional(),op_tos_uri:ee.optional(),client_id_metadata_document_supported:U().optional()}),Dr=m({...jh.shape,...Zt.pick({code_challenge_methods_supported:!0}).shape}),_t=m({access_token:c(),id_token:c().optional(),token_type:c(),expires_in:hi.number().optional(),scope:c().optional(),refresh_token:c().optional()}).strip(),Gs=m({error:c(),error_description:c().optional(),error_uri:c().optional()}),Ns=ee.optional().or(f("").transform(()=>{})),Lh=m({redirect_uris:l(ee),token_endpoint_auth_method:c().optional(),grant_types:l(c()).optional(),response_types:l(c()).optional(),client_name:c().optional(),client_uri:ee.optional(),logo_uri:Ns,scope:c().optional(),contacts:l(c()).optional(),tos_uri:Ns,policy_uri:c().optional(),jwks_uri:ee.optional(),jwks:pi().optional(),software_id:c().optional(),software_version:c().optional(),software_statement:c().optional()}).strip(),lo=m({client_id:c(),client_secret:c().optional(),client_id_issued_at:C().optional(),client_secret_expires_at:C().optional()}).strip(),Ft=Lh.merge(lo),bx=m({error:c(),error_description:c().optional()}).strip(),Cx=m({token:c(),token_type_hint:c().optional()}).strip();function $s(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n($s,"resourceUrlFromServerUrl");function Zs({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",s=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return a.startsWith(s)}n(Zs,"checkResourceAllowed");var N=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Kt=class extends N{static{n(this,"InvalidRequestError")}};Kt.errorCode="invalid_request";var Ve=class extends N{static{n(this,"InvalidClientError")}};Ve.errorCode="invalid_client";var Ye=class extends N{static{n(this,"InvalidGrantError")}};Ye.errorCode="invalid_grant";var Xe=class extends N{static{n(this,"UnauthorizedClientError")}};Xe.errorCode="unauthorized_client";var Wt=class extends N{static{n(this,"UnsupportedGrantTypeError")}};Wt.errorCode="unsupported_grant_type";var Jt=class extends N{static{n(this,"InvalidScopeError")}};Jt.errorCode="invalid_scope";var Vt=class extends N{static{n(this,"AccessDeniedError")}};Vt.errorCode="access_denied";var Oe=class extends N{static{n(this,"ServerError")}};Oe.errorCode="server_error";var Yt=class extends N{static{n(this,"TemporarilyUnavailableError")}};Yt.errorCode="temporarily_unavailable";var Xt=class extends N{static{n(this,"UnsupportedResponseTypeError")}};Xt.errorCode="unsupported_response_type";var Qt=class extends N{static{n(this,"UnsupportedTokenTypeError")}};Qt.errorCode="unsupported_token_type";var er=class extends N{static{n(this,"InvalidTokenError")}};er.errorCode="invalid_token";var tr=class extends N{static{n(this,"MethodNotAllowedError")}};tr.errorCode="method_not_allowed";var rr=class extends N{static{n(this,"TooManyRequestsError")}};rr.errorCode="too_many_requests";var Qe=class extends N{static{n(this,"InvalidClientMetadataError")}};Qe.errorCode="invalid_client_metadata";var nr=class extends N{static{n(this,"InsufficientScopeError")}};nr.errorCode="insufficient_scope";var or=class extends N{static{n(this,"InvalidTargetError")}};or.errorCode="invalid_target";var Fs={[Kt.errorCode]:Kt,[Ve.errorCode]:Ve,[Ye.errorCode]:Ye,[Xe.errorCode]:Xe,[Wt.errorCode]:Wt,[Jt.errorCode]:Jt,[Vt.errorCode]:Vt,[Oe.errorCode]:Oe,[Yt.errorCode]:Yt,[Xt.errorCode]:Xt,[Qt.errorCode]:Qt,[er.errorCode]:er,[tr.errorCode]:tr,[rr.errorCode]:rr,[Qe.errorCode]:Qe,[nr.errorCode]:nr,[or.errorCode]:or};function Bh(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(Bh,"isClientAuthMethod");var mo="code",ho="S256";function Nh(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&Bh(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(Nh,"selectClientAuthMethod");function Gh(e,t,r,o){let{client_id:a,client_secret:s}=t;switch(e){case"client_secret_basic":$h(a,s,r);return;case"client_secret_post":Zh(a,s,o);return;case"none":Fh(a,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(Gh,"applyClientAuthentication");function $h(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n($h,"applyBasicAuth");function Zh(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(Zh,"applyPostAuth");function Fh(e,t){t.set("client_id",e)}n(Fh,"applyPublicAuth");async function Ws(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=Gs.parse(JSON.parse(r)),{error:a,error_description:s,error_uri:u}=o,d=Fs[a]||Oe;return new d(s||"",u)}catch(o){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. Raw body: ${r}`;return new Oe(a)}}n(Ws,"parseErrorResponse");async function go(e,t){try{return await fo(e,t)}catch(r){if(r instanceof Ve||r instanceof Xe)return await e.invalidateCredentials?.("all"),await fo(e,t);if(r instanceof Ye)return await e.invalidateCredentials?.("tokens"),await fo(e,t);throw r}}n(go,"auth");async function fo(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:a,fetchFn:s}){let u=await e.discoveryState?.(),d,p,h,g=a;if(!g&&u?.resourceMetadataUrl&&(g=new URL(u.resourceMetadataUrl)),u?.authorizationServerUrl){if(p=u.authorizationServerUrl,d=u.resourceMetadata,h=u.authorizationServerMetadata??await Vs(p,{fetchFn:s}),!d)try{d=await Js(t,{resourceMetadataUrl:g},s)}catch{}(h!==u.authorizationServerMetadata||d!==u.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(p),resourceMetadataUrl:g?.toString(),resourceMetadata:d,authorizationServerMetadata:h})}else{let Y=await Xh(t,{resourceMetadataUrl:g,fetchFn:s});p=Y.authorizationServerUrl,h=Y.authorizationServerMetadata,d=Y.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(p),resourceMetadataUrl:g?.toString(),resourceMetadata:d,authorizationServerMetadata:h})}let D=await Kh(t,e,d),k=o||d?.scopes_supported?.join(" ")||e.clientMetadata.scope,ne=await Promise.resolve(e.clientInformation());if(!ne){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let Y=h?.client_id_metadata_document_supported===!0,te=e.clientMetadataUrl;if(te&&!yo(te))throw new Qe(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${te}`);if(Y&&te)ne={client_id:te},await e.saveClientInformation?.(ne);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let ni=await nf(p,{metadata:h,clientMetadata:e.clientMetadata,scope:k,fetchFn:s});await e.saveClientInformation(ni),ne=ni}}let Se=!e.redirectUrl;if(r!==void 0||Se){let Y=await rf(e,p,{metadata:h,resource:D,authorizationCode:r,fetchFn:s});return await e.saveTokens(Y),"AUTHORIZED"}let Me=await e.tokens();if(Me?.refresh_token)try{let Y=await tf(p,{metadata:h,clientInformation:ne,refreshToken:Me.refresh_token,resource:D,addClientAuthentication:e.addClientAuthentication,fetchFn:s});return await e.saveTokens(Y),"AUTHORIZED"}catch(Y){if(!(!(Y instanceof N)||Y instanceof Oe))throw Y}let xe=e.state?await e.state():void 0,{authorizationUrl:Ot,codeVerifier:Ae}=await Qh(p,{metadata:h,clientInformation:ne,state:xe,redirectUrl:e.redirectUrl,scope:k,resource:D});return await e.saveCodeVerifier(Ae),await e.redirectToAuthorization(Ot),"REDIRECT"}n(fo,"authInternal");function yo(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(yo,"isHttpsUrl");async function Kh(e,t,r){let o=$s(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!Zs({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(Kh,"selectResourceURL");async function Js(e,t,r=fetch){let o=await Vh(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return Hr.parse(await o.json())}n(Js,"discoverOAuthProtectedResourceMetadata");async function wo(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?wo(e,void 0,r):void 0;throw o}}n(wo,"fetchWithCorsRetry");function Wh(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(Wh,"buildWellKnownPath");async function Ks(e,t,r=fetch){return await wo(e,{"MCP-Protocol-Version":t},r)}n(Ks,"tryMetadataDiscovery");function Jh(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(Jh,"shouldAttemptFallback");async function Vh(e,t,r,o){let a=new URL(e),s=o?.protocolVersion??Rn,u;if(o?.metadataUrl)u=new URL(o.metadataUrl);else{let p=Wh(t,a.pathname);u=new URL(p,o?.metadataServerUrl??a),u.search=a.search}let d=await Ks(u,s,r);if(!o?.metadataUrl&&Jh(d,a.pathname)){let p=new URL(`/.well-known/${t}`,a);d=await Ks(p,s,r)}return d}n(Vh,"discoverMetadataWithFallback");function Yh(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),o.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(Yh,"buildDiscoveryUrls");async function Vs(e,{fetchFn:t=fetch,protocolVersion:r=Rn}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},a=Yh(e);for(let{url:s,type:u}of a){let d=await wo(s,o,t);if(d){if(!d.ok){if(await d.body?.cancel(),d.status>=400&&d.status<500)continue;throw new Error(`HTTP ${d.status} trying to load ${u==="oauth"?"OAuth":"OpenID provider"} metadata from ${s}`)}return u==="oauth"?Zt.parse(await d.json()):Dr.parse(await d.json())}}}n(Vs,"discoverAuthorizationServerMetadata");async function Xh(e,t){let r,o;try{r=await Js(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let a=await Vs(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:a,resourceMetadata:r}}n(Xh,"discoverOAuthServerInfo");async function Qh(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:a,state:s,resource:u}){let d;if(t){if(d=new URL(t.authorization_endpoint),!t.response_types_supported.includes(mo))throw new Error(`Incompatible auth server: does not support response type ${mo}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(ho))throw new Error(`Incompatible auth server: does not support code challenge method ${ho}`)}else d=new URL("/authorize",e);let p=await po(),h=p.code_verifier,g=p.code_challenge;return d.searchParams.set("response_type",mo),d.searchParams.set("client_id",r.client_id),d.searchParams.set("code_challenge",g),d.searchParams.set("code_challenge_method",ho),d.searchParams.set("redirect_uri",String(o)),s&&d.searchParams.set("state",s),a&&d.searchParams.set("scope",a),a?.includes("offline_access")&&d.searchParams.append("prompt","consent"),u&&d.searchParams.set("resource",u.href),{authorizationUrl:d,codeVerifier:h}}n(Qh,"startAuthorization");function ef(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(ef,"prepareAuthorizationCodeRequest");async function Ys(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:a,resource:s,fetchFn:u}){let d=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),p=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(s&&r.set("resource",s.href),a)await a(p,r,d,t);else if(o){let g=t?.token_endpoint_auth_methods_supported??[],D=Nh(o,g);Gh(D,o,p,r)}let h=await(u??fetch)(d,{method:"POST",headers:p,body:r});if(!h.ok)throw await Ws(h);return _t.parse(await h.json())}n(Ys,"executeTokenRequest");async function tf(e,{metadata:t,clientInformation:r,refreshToken:o,resource:a,addClientAuthentication:s,fetchFn:u}){let d=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),p=await Ys(e,{metadata:t,tokenRequestParams:d,clientInformation:r,addClientAuthentication:s,resource:a,fetchFn:u});return{refresh_token:o,...p}}n(tf,"refreshAuthorization");async function rf(e,t,{metadata:r,resource:o,authorizationCode:a,fetchFn:s}={}){let u=e.clientMetadata.scope,d;if(e.prepareTokenRequest&&(d=await e.prepareTokenRequest(u)),!d){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let h=await e.codeVerifier();d=ef(a,h,e.redirectUrl)}let p=await e.clientInformation();return Ys(t,{metadata:r,tokenRequestParams:d,clientInformation:p??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:s})}n(rf,"fetchToken");async function nf(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:a}){let s;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");s=new URL(t.registration_endpoint)}else s=new URL("/register",e);let u=await(a??fetch)(s,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!u.ok)throw await Ws(u);return Ft.parse(await u.json())}n(nf,"registerClient");function _e(e){return new w({message:e,extensionMembers:{[y]:"invalid_request"}})}n(_e,"invalidOutboundUrl");function of(){let e=at.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_IDP;return typeof e=="string"&&e==="1"}n(of,"isTestOnlyAllowHttpLoopbackIdpEnabled");function af(){let e=at.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_CIMD??globalThis.process?.env?.__TEST_ONLY_MCP_GATEWAY_ALLOW_HTTP_LOOPBACK_CIMD;return typeof e=="string"&&e==="1"}n(af,"isTestOnlyAllowHttpLoopbackCimdEnabled");var sf=new Set(["undefined","null","nan"]);function Ro(e,t){if(!e.hostname)throw _e(`Outbound URL has an empty hostname (got ${JSON.stringify(t)}). This typically indicates an unset $env(...) reference or a JS template literal coercing \`undefined\` into a URL. Check the policy options or runtime config that produced this URL.`);if(sf.has(e.hostname.toLowerCase()))throw _e(`Outbound URL hostname is ${JSON.stringify(e.hostname)} (from ${JSON.stringify(t)}). This almost always means an environment variable referenced by $env(...) is unset and a JS value was string-coerced into a URL. Set the missing env var or fix the policy option that produced this URL.`)}n(Ro,"assertSafeOutboundHostname");var cf=new Set(["localhost","169.254.169.254","metadata.google.internal","metadata"]),uf=[{first:0},{first:10},{first:127},{first:169,secondMin:254,secondMax:254},{first:172,secondMin:16,secondMax:31},{first:192,secondMin:168,secondMax:168},{first:100,secondMin:64,secondMax:127},{first:224,firstMax:239},{first:240,firstMax:255}];function Xs(e){if(!/^\d+\.\d+\.\d+\.\d+$/.test(e))return;let t=e.split(".").map(r=>Number(r));if(!(t.length!==4||t.some(r=>Number.isNaN(r)||r<0||r>255)))return t}n(Xs,"parseIpv4Octets");function df([e,t],r){let o=r.firstMax??r.first;return e<r.first||e>o?!1:r.secondMin===void 0||r.secondMax===void 0?!0:t>=r.secondMin&&t<=r.secondMax}n(df,"ipv4RangeMatches");function Qs(e){let t=Xs(e);return t!==void 0&&uf.some(r=>df(t,r))}n(Qs,"isPrivateIpv4");function So(e){if(!e||e.length>4)return;let t=Number.parseInt(e,16);return Number.isNaN(t)||t<0||t>65535?void 0:t}n(So,"parseIpv6Word");function pf(e,t){return[e>>8&255,e&255,t>>8&255,t&255].join(".")}n(pf,"formatIpv4FromWords");function lf(e){let t=e.slice(7),r=Xs(t);if(r!==void 0)return r.join(".");let[o,a,s]=t.split(":"),u=So(o),d=So(a);return s===void 0&&u!==void 0&&d!==void 0?pf(u,d):void 0}n(lf,"parseIpv6MappedIpv4");function mf(e){return So(e.split(":").find(Boolean))}n(mf,"readFirstIpv6Hextet");function hf(e){let t=ve(e);if(!t.includes(":"))return!1;if(t==="::"||t==="::1")return!0;if(t.startsWith("::ffff:")){let o=lf(t);return o===void 0||Qs(o)}let r=mf(t);return r===void 0?!1:(r&65024)===64512||(r&65472)===65152}n(hf,"isPrivateIpv6");function _o(e){let t=ve(e);return cf.has(t)||t.endsWith(".internal")||Qs(t)||hf(t)}n(_o,"isBlockedOutboundHostname");function ec(e){let t=new URL(e);if(t.protocol!=="https:"&&t.protocol!=="http:")throw _e(`Unsupported outbound protocol: ${t.protocol}`);Ro(t,e);let r=Z(t);if(t.protocol==="http:"&&!r)throw _e("Configured outbound HTTP URLs must target loopback hosts.");let o=ve(t.hostname);if(!r&&_o(o))throw _e(`Blocked outbound host: ${o}`);return t}n(ec,"validateConfiguredOutboundUrl");function tc(e){let t=new URL(e),r=Z(t),o=r&&of();if(t.protocol!=="https:"&&!o)throw _e("Identity provider URLs must use https.");if(t.username||t.password||t.search||t.hash)throw _e("Identity provider URLs must not include credentials, query params, or fragments.");Ro(t,e);let a=ve(t.hostname);if(!r&&_o(a))throw _e(`Blocked identity provider host: ${a}`);return t}n(tc,"validateIdentityProviderUrl");function rc(e,t){let r=new URL(e),o=r.protocol==="http:"&&Z(r)&&af();if(r.protocol!=="https:"&&!o||r.pathname==="/"||r.username||r.password||r.search||r.hash)throw _e(`CIMD ${t} must be an HTTPS URL with a path and no credentials, query, or fragment.`);if(Ro(r,e),!o&&_o(r.hostname))throw _e(`CIMD ${t} points at a blocked host.`);return r}n(rc,"validateCimdUrl");function jr(e){return rc(e,"client_id")}n(jr,"validateCimdClientMetadataUrl");function nc(e){return rc(e,"jwks_uri")}n(nc,"validateCimdClientJwksUrl");function oc(e,t){if(!t)return;if(t.aborted){e.abort(t.reason);return}let r=n(()=>e.abort(t.reason),"abort");return t.addEventListener("abort",r,{once:!0}),()=>t.removeEventListener("abort",r)}n(oc,"mergeAbortSignals");async function ff(e){try{await e.cancel()}catch{}}n(ff,"cancelReader");async function Lr(e,t){if(!e)return new Uint8Array;let r=e.getReader(),o=[],a=0,s=await r.read();for(;!s.done;){let p=s.value;if(a+=p.byteLength,a>t.maxBytes)throw await ff(r),t.createLimitError();o.push(p),s=await r.read()}let u=new Uint8Array(a),d=0;for(let p of o)u.set(p,d),d+=p.byteLength;return u}n(Lr,"readBoundedByteStream");var gf=2,yf=1024*1024,wf=1e4,Sf=new Set([301,302,303,307,308]),Rf=["authorization","proxy-authorization","cookie","cookie2"];function bo(e){return typeof e=="string"?e:e instanceof URL?e.toString():e.url}n(bo,"readRequestUrl");function bt(e,t){return t?.method!==void 0?t.method.toUpperCase():e instanceof Request?e.method.toUpperCase():"GET"}n(bt,"readRequestMethod");function _f(e,t,r){let o=e.headers.get("content-length");if(!o)return;let a=Number.parseInt(o,10);if(Number.isFinite(a)&&a>t)throw new w({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[y]:r}})}n(_f,"assertContentLengthWithinLimit");async function bf(e,t,r){return _f(e,t,r),Lr(e.body,{maxBytes:t,createLimitError:n(()=>new w({message:"Outbound response exceeded the maximum allowed size.",extensionMembers:{[y]:r}}),"createLimitError")})}n(bf,"readBoundedResponseBody");function Cf(e,t){let r=new ArrayBuffer(t.byteLength);return new Uint8Array(r).set(t),new Response(r,{status:e.status,statusText:e.statusText,headers:e.headers})}n(Cf,"responseFromBufferedBody");function xf(e,t){if(!Sf.has(e.status))return;let r=e.headers.get("location");if(r)return new URL(r,t).toString()}n(xf,"resolveRedirectUrl");function ic(e,t){try{return t.validateUrl(e)}catch(r){throw new w({message:"Outbound URL was not allowed.",extensionMembers:{[y]:t.problemCode}},{cause:r})}}n(ic,"validateOutboundUrl");function Af(e,t){throw e instanceof w&&Ie(e.extensionMembers?.[y])?e:new w({message:"Outbound fetch failed.",extensionMembers:{[y]:t}},{cause:e})}n(Af,"normalizeFetchError");function ir(e,t){if(e===void 0)return;let r={event:t.event,code:t.problemCode,method:t.method};if(t.host!==void 0&&(r.host=t.host),t.extra!==void 0)for(let[o,a]of Object.entries(t.extra))a!==void 0&&(r[o]=a);t.error!==void 0&&ie(r,"error",t.error),e.log.warn(r,"Outbound HTTP exchange rejected")}n(ir,"logOutboundFailure");async function vf(e,t,r,o,a,s,u){let d=bt(r,o);try{return await t(r,o)}catch(p){let h=p instanceof DOMException&&p.name==="AbortError";ir(e,{event:h?"outbound_fetch_aborted":"outbound_fetch_failed",problemCode:a,method:d,host:we(s),error:p,extra:{abortReason:u()}}),Af(p,a)}}n(vf,"fetchWithNormalizedError");function If(e){if(e.redirects>=e.maxRedirects)throw new w({message:"Outbound redirects exceeded the maximum allowed depth.",extensionMembers:{[y]:e.problemCode}});if(e.method!=="GET"&&e.method!=="HEAD")throw new w({message:"Outbound redirect after a non-idempotent request was blocked.",extensionMembers:{[y]:e.problemCode}})}n(If,"assertRedirectAllowed");function kf(e,t){let r=new Headers(e);for(let o of Rf)r.delete(o);for(let o of t)r.delete(o);return r}n(kf,"stripCrossOriginHeaders");function Uf(e,t,r,o,a){let s={...e,method:t,redirect:"manual",signal:r};return o&&(s.headers=kf(e.headers,a)),s}n(Uf,"buildRedirectInit");function Tf(e,t,r){let o={...t,redirect:"manual",signal:r};return o.headers===void 0&&e instanceof Request&&(o.headers=e.headers),o}n(Tf,"buildInitialRequestInit");function Pf(e){let t=bt(e.currentInput,e.currentInit);If({redirects:e.redirects,maxRedirects:e.maxRedirects,method:t,problemCode:e.problemCode});let r=ic(e.redirectUrl,{problemCode:e.problemCode,validateUrl:e.validateUrl}),o=new URL(e.currentUrl),a=r.origin!==o.origin,s=r.toString();return{currentInput:s,currentUrl:s,currentInit:Uf(e.currentInit,t,e.signal,a,e.additionalCrossOriginStrippedHeaders),redirects:e.redirects+1}}n(Pf,"followRedirect");async function Co(e,t,r){let o=r.problemCode??"invalid_request",a=r.maxRedirects??gf,s=r.maxResponseBytes??yf,u=r.timeoutMs??wf,d=r.fetchImpl??fetch,p=r.additionalCrossOriginStrippedHeaders??[],h=r.context,g=new AbortController,D=oc(g,t.signal),k=!1,ne=setTimeout(()=>{k=!0,g.abort()},u),Se=e,Me=Tf(e,t,g.signal),xe;try{xe=ic(bo(e),{problemCode:o,validateUrl:r.validateUrl}).toString()}catch(Ae){throw ir(h,{event:"outbound_url_blocked",problemCode:o,method:bt(e,t),host:we(bo(e)),error:Ae}),clearTimeout(ne),D?.(),Ae}let Ot=0;try{for(;;){let Ae=await vf(h,d,Se,Me,o,xe,()=>k?`timeout_after_${u}ms`:void 0),Y=xf(Ae,xe);if(Y!==void 0)try{let te=Pf({currentInput:Se,currentInit:Me,currentUrl:xe,redirectUrl:Y,redirects:Ot,maxRedirects:a,problemCode:o,validateUrl:r.validateUrl,signal:g.signal,additionalCrossOriginStrippedHeaders:p});Se=te.currentInput,Me=te.currentInit,xe=te.currentUrl,Ot=te.redirects;continue}catch(te){throw ir(h,{event:"outbound_redirect_blocked",problemCode:o,method:bt(Se,Me),host:we(xe),error:te,extra:{redirects:Ot,maxRedirects:a,redirectTargetHost:we(Y)}}),te}try{return Cf(Ae,await bf(Ae,s,o))}catch(te){throw ir(h,{event:"outbound_response_size_exceeded",problemCode:o,method:bt(Se,Me),host:we(xe),error:te,extra:{maxResponseBytes:s,status:Ae.status}}),te}}}finally{clearTimeout(ne),D?.()}}n(Co,"runSafeOutboundExchange");async function Br(e,t,r){let o=await Co(e,t,r);try{return{response:o,json:await o.clone().json()}}catch(a){throw ir(r.context,{event:"outbound_json_parse_failed",problemCode:r.problemCode??"invalid_request",method:bt(e,t),host:we(bo(e)),error:a,extra:{status:o.status,contentType:o.headers.get("content-type")??void 0}}),new w({message:"Outbound JSON response could not be parsed.",extensionMembers:{[y]:r.problemCode??"invalid_request"}},{cause:a})}}n(Br,"runSafeOutboundJsonExchange");function ac(e,t={},r={}){return Co(e,t,{...r,validateUrl:ec})}n(ac,"fetchConfiguredOutbound");function sc(e,t={},r={}){return Br(e,t,{...r,validateUrl:tc})}n(sc,"fetchIdentityProviderJson");function cc(e,t={},r={}){return Br(e,t,{...r,validateUrl:jr})}n(cc,"fetchCimdClientMetadataJson");function uc(e,t={},r={}){return Br(e,t,{...r,validateUrl:nc})}n(uc,"fetchCimdClientJwksJson");z();import{errors as yc,jwtVerify as wc,SignJWT as Sc}from"jose";var ae="zuplo-mcp-gateway",le=ae,me="HS256";import{base64url as Of}from"jose";var zf=new TextEncoder,Ef="MCP gateway could not initialize secure key material.",Mf=32,dc=new Map,pc=new Map,qf;function Hf(){return qf??nt.instance.authPrivateKey}n(Hf,"readAuthPrivateKey");function lc(e){return new re(Ef,e===void 0?void 0:{cause:e})}n(lc,"createGeneratedKeyMaterialError");function mc(e,t){let r=Of.decode(t);if(r.byteLength!==Mf)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(mc,"decodeJwkKeyField");function Df(e){let t=Hf();if(!t)throw lc();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=mc("d",r.d);mc("x",r.x);let a=zf.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),s=new Uint8Array(a.byteLength+o.byteLength);return s.set(a),s.set(o,a.byteLength),s}catch(r){throw lc(r)}}n(Df,"decodeGeneratedKeyMaterial");function jf(e){let t=dc.get(e);return t||(t=Df(e),dc.set(e,t)),t}n(jf,"getMasterKeyMaterial");async function be(e){let t=pc.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(jf(e.keyMaterialPurpose));return pc.set(e.purpose,r),r}n(be,"readCachedDerivedKey");var Lf="SHA-256";var Bf="zuplo-mcp-gateway:",Nf=new TextEncoder,hc=new WeakMap;async function Le(e,t){let r=hc.get(e);r||(r=new Map,hc.set(e,r));let o=r.get(t);if(o)return o;let a=await Gf(e,t);return r.set(t,a),a}n(Le,"deriveGatewaySigningKey");async function Gf(e,t){let r=fc(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=Nf.encode(`${Bf}${t}`),s=await crypto.subtle.deriveBits({name:"HKDF",hash:Lf,salt:new Uint8Array,info:fc(a)},o,32*8);return new Uint8Array(s)}n(Gf,"hkdfExpand");function fc(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(fc,"copyToArrayBuffer");var Rc=15*60,$f=15*60,Zf=ja.extend({id:wt}),Ff=Zf.extend({exp:i.number().int().positive(),iat:i.number().int().positive().optional()}),_c=yt.extend({id:$t,purpose:i.literal("browser_connect")}),Kf=yt.extend({purpose:i.literal("browser_connect")}),Wf=_c.extend({exp:i.number().int().positive(),iat:i.number().int().positive().optional()}),bc=Rc*1e3;async function Cc(){return be({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>Le(e,"oauth-state"),"derive")})}n(Cc,"getOAuthStateKey");async function xc(){return be({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>Le(e,"browser-connect"),"derive")})}n(xc,"getBrowserConnectKey");async function Ac(e){let t=Math.floor(Date.now()/1e3)+Rc;return new Sc(e).setProtectedHeader({alg:me,typ:"JWT"}).setIssuer(ae).setAudience(le).setIssuedAt().setExpirationTime(t).sign(await Cc())}n(Ac,"signOAuthState");async function Nr(e){try{let{payload:t}=await wc(e,await Cc(),{algorithms:[me],issuer:ae,audience:le});return Ff.parse(t)}catch(t){throw t instanceof yc.JWTExpired?new w({message:"OAuth state has expired",extensionMembers:{[y]:"oauth_state_expired"}},{cause:t}):new w({message:"OAuth state could not be verified",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:t})}}n(Nr,"verifyOAuthState");async function vc(e){let t=Math.floor(Date.now()/1e3)+$f,r=Kf.parse(e),o=_c.parse({...r,id:Fa()});return new Sc(o).setProtectedHeader({alg:me,typ:"JWT"}).setIssuer(ae).setAudience(le).setIssuedAt().setExpirationTime(t).sign(await xc())}n(vc,"signBrowserConnectTicket");async function Ic(e){try{let{payload:t}=await wc(e,await xc(),{algorithms:[me],issuer:ae,audience:le});return Wf.parse(t)}catch(t){throw t instanceof yc.JWTExpired?new w({message:"Browser connect ticket has expired",extensionMembers:{[y]:"oauth_state_expired"}},{cause:t}):new w({message:"Browser connect ticket could not be verified",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:t})}}n(Ic,"verifyBrowserConnectTicket");async function kc(e){if((await A().consumeBrowserConnectTicket({id:e.id,expiresAt:x(new Date(e.exp*1e3)),now:x(new Date)})).kind==="consumed")throw new w({message:"Browser connect ticket has already been used",extensionMembers:{[y]:"oauth_state_reused"}})}n(kc,"consumeBrowserConnectTicket");function Jf(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Jf,"buildConnectRequiredMessage");async function Vf(e){let t=P(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await vc({...Gt(e),purpose:"browser_connect"})),r.toString()}n(Vf,"buildGatewayBrowserTicketUrl");function Yf(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}n(Yf,"buildGatewayConnectPath");async function xo(e){return Vf({...e,path:Yf(e.upstreamServerId),redirect:!0})}n(xo,"buildGatewayConnectUrl");async function Gr(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await xo(t),message:Jf(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(Gr,"buildRedirectConnectRequiredResponse");function Uc(e){return Xf({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(Uc,"buildAdminConnectRequiredResponse");function Xf(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(Xf,"buildAdminSetupRequiredResponse");z();function Ao(e){return`Zuplo MCP Gateway - ${e}`}n(Ao,"buildGatewayOAuthClientName");function Tc(e,t){let r=new URL(e,P(t));return Z(r)&&ve(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}n(Tc,"buildGatewayOAuthRedirectUri");function vo(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}n(vo,"buildOAuthClientMetadataDocumentUrl");function Pc(e){return P(e)}n(Pc,"requireOAuthClientMetadataOrigin");function Oc(e,t,r){let o=je(t),a=Je(t,r);return{client_id:vo({origin:e,upstreamServerId:t,authProfileId:r}),client_name:Ao(o.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}n(Oc,"buildOAuthClientMetadataDocument");z();import{base64url as Be}from"jose";var Qf="SHA-256",xt="AES-GCM",eg=12,ko="zuplo-secret",Uo=1,zc="generated:auth_private_key:token-encryption",tg=i.object({version:i.literal(Uo),keyId:i.literal(zc),algorithm:i.literal(xt),iv:i.string().min(1),ciphertext:i.string().min(1)}).strict();function Ct(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Ct,"copyToArrayBuffer");async function Io(){return be({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(Qf,Ct(e));return crypto.subtle.importKey("raw",t,{name:xt},!1,["encrypt","decrypt"])},"derive")})}n(Io,"getEncryptionKey");function Ec(e){return Ct(new TextEncoder().encode(`${ko}:v${e.version}:${e.keyId}`))}n(Ec,"getAssociatedData");function rg(e){return`${ko}:v${e.version}:${Be.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(rg,"encodeEnvelope");function ng(e){let t=`${ko}:v${Uo}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(Be.decode(r));return tg.parse(JSON.parse(o))}n(ng,"decodeEnvelope");async function $r(e){let t=await Io(),r=crypto.getRandomValues(new Uint8Array(eg)),o={version:Uo,keyId:zc},a=await crypto.subtle.encrypt({name:xt,iv:r,additionalData:Ec(o)},t,new TextEncoder().encode(e));return rg({...o,algorithm:xt,iv:Be.encode(r),ciphertext:Be.encode(new Uint8Array(a))})}n($r,"encryptSecret");async function ar(e){let t=ng(e);if(t){let u=await Io(),d=await crypto.subtle.decrypt({name:xt,iv:Ct(Be.decode(t.iv)),additionalData:Ec(t)},u,Ct(Be.decode(t.ciphertext)));return new TextDecoder().decode(d)}let[r,o]=e.split(".");if(!r||!o)throw new re("Encrypted payload is malformed");let a=await Io(),s=await crypto.subtle.decrypt({name:xt,iv:Ct(Be.decode(r))},a,Ct(Be.decode(o)));return new TextDecoder().decode(s)}n(ar,"decryptSecret");var og=i.union([Ft,lo]),ig=i.object({authorizationServerUrl:i.url(),resourceMetadataUrl:i.url().optional(),resourceMetadata:Hr.optional(),authorizationServerMetadata:i.union([Zt,Dr]).optional()}).passthrough(),ag="Bearer",sg="__zuplo_refresh_only_upstream_access_token__";function cg(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(cg,"splitScopes");function ug(e){return Ar.parse(e)}n(ug,"parsePkceCodeVerifier");function dg(e){if(typeof e.expires_in=="number")return x(new Date(Date.now()+e.expires_in*1e3))}n(dg,"readTokenExpiry");async function Mc(e){if(e!==void 0)return $r(JSON.stringify(e))}n(Mc,"encryptJson");async function qc(e,t){if(!e)return;let r=await ar(e);try{return t.parse(JSON.parse(r))}catch(o){throw new w({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:o})}}n(qc,"decryptJson");function pg(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(pg,"toOAuthDiscoveryState");function lg(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(lg,"clientInformationAllowsRedirectUri");function mg(e,t,r){let o=je(e),a=Je(e,t),s;return a.scopes.length>0&&(s=a.scopes.join(a.scopeDelimiter)),{client_name:Ao(o.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:s,token_endpoint_auth_method:"none"}}n(mg,"buildOAuthClientMetadata");function hg(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new _(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Ft.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(hg,"buildManualOAuthClientInformation");function fg(e,t,r){let o=vo({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return yo(o)?o:void 0}n(fg,"buildClientMetadataUrl");function Hc(e){for(let t of e)if(t!==void 0)return t}n(Hc,"firstDefined");function gg(e){let t=Je(e.target.upstreamServerId,e.target.authProfileId),r=mg(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:hg({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let o=fg(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return o===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:o}}n(gg,"buildInitialOAuthClientSetup");function yg(e,t){if(t===void 0)return Hc([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(yg,"readEncryptedClientInformation");function wg(e){return Hc([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(wg,"readEncryptedDiscoveryState");var et=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=gg({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=yg(t,this.configuredClientInformation),this.encryptedDiscoveryState=wg(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return Ac({id:t.id,...Gt({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await Mc(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await Mc(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=_t.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,a=r.refresh_token?await $r(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:_t.parse({...r,refresh_token:await ar(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let s={id:this.connection?.id??$a(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await $r(r.access_token),encryptedRefreshToken:a,scopes:cg(r.scope??this.clientMetadataValue.scope),expiresAt:dg(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await A().upsertUpstreamConnection(s)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:ug(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new w({message:"OAuth code verifier is missing",extensionMembers:{[y]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",a=t==="all"||t==="discovery",s=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(s),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Za(),...Gt({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:x(new Date(Date.now()+bc)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await A().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await qc(this.encryptedClientInformation,og)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!lg(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=pg(await qc(this.encryptedDiscoveryState,ig))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await ar(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await ar(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=_t.parse({access_token:t??sg,token_type:ag,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await A().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var Sg=3e4,Rg=256*1024,_g=2;function bg(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(bg,"hasUsableAccessToken");var Cg="does not support dynamic client registration";function xg(e){return e instanceof Error&&e.message.includes(Cg)}n(xg,"isDynamicClientRegistrationUnsupported");function Ag(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(Ag,"readOAuthFetchRequest");function vg(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(vg,"responseLooksJson");function Dc(e){return async(t,r)=>{let o=Ag(t),a=await ac(t,r,{maxRedirects:_g,maxResponseBytes:Rg,problemCode:"upstream_token_exchange_failed",timeoutMs:Sg}),s=await a.clone().text();if(!vg(a,s))return a;try{JSON.parse(s)}catch(u){throw new w({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned invalid JSON.`,extensionMembers:{[y]:"upstream_token_exchange_failed"}},{cause:u})}return a}}n(Dc,"createUpstreamOAuthFetch");async function jc(e,t){try{return await go(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Dc(t.upstreamServerId)})}catch(r){throw xg(r)?new w({message:`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,extensionMembers:{[y]:"upstream_client_registration_required"}},{cause:r}):r}}n(jc,"runUpstreamOAuth");async function Ig(e,t){return go(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Dc(t.upstreamServerId)})}n(Ig,"exchangeUpstreamAuthorizationCode");async function Lc(e,t){let r=await jc(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new w({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}}):new w({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}})}n(Lc,"requireUpstreamAuthorizationRedirect");async function Bc(e){if(!e.forceRefresh&&bg(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await jc(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new w({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new w({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Og({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(Bc,"authorizeUpstreamOAuthSession");async function kg(e){let t=await Nr(e.stateToken),r=await A().consumeUpstreamOAuthState({id:t.id,now:x(new Date)}),o=Ug(r);return Tg({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Pg(o),o}n(kg,"consumeStoredCallbackState");function Ug(e){switch(e.kind){case"consumed":throw new w({message:"OAuth state has already been used",extensionMembers:{[y]:"oauth_state_reused"}});case"missing":throw new w({message:"OAuth state is missing or expired",extensionMembers:{[y]:"oauth_state_expired"}});case"available":return e.record}}n(Ug,"readConsumedCallbackState");function Tg(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new w({message:"OAuth callback did not match the initiating request",extensionMembers:{[y]:"oauth_callback_mismatch"}})}n(Tg,"assertStoredCallbackStateMatches");function Pg(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new w({message:"OAuth state has expired",extensionMembers:{[y]:"oauth_state_expired"}})}n(Pg,"assertStoredCallbackStateFresh");async function Og(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),Uc(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Gr(t)}n(Og,"buildOAuthConnectRequiredResponse");async function Nc(e){let t=await kg({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=zr(t),[o]=await A().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(a.connection=o);let s=new et(a),u=await Ig(s,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(u==="AUTHORIZED")return t;throw u!=="REDIRECT"?new w({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${u}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}}):new w({message:`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}})}n(Nc,"finishUpstreamOAuthCallback");async function Gc(e){let t=je(e.upstreamServerId),r=Je(e.upstreamServerId,e.authProfileId),o=Tc(r.redirectPath,e.request.url),a="preloadedConnection"in e?e.preloadedConnection:(await A().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:P(e.request.url)}}}n(Gc,"prepareUpstreamOAuthRequest");async function $c(e){let t=await Gc(e),r=new et({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return Lc(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n($c,"startUpstreamConnect");async function Zc(e){let t=await Gc(e),r=new et({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return Bc({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Zc,"authorizeUpstreamRequest");async function To(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return Zc({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh})}let r=t;throw new re(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(To,"resolveUpstreamCredentialForRoute");async function Fc(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},o=Re(e.connectRequest.authMode);switch(o.connectSupport){case"oauth_authorization":t=await $c(r);break;case"none":throw new re(o.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(Fc,"startUpstreamConnectForRequest");async function Kc(e){let r=(await Nr(e.callbackRequest.state)).authProfileId,o=co({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(Re(o.mode).callbackSupport!=="authorization_code")throw new re(`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return Nc({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:je(e.callbackRequest.upstreamServerId)})}n(Kc,"finishUpstreamCallbackForRequest");function zg(e){let t=Re(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(zg,"buildRouteAuthBaseFromConnection");function Jc(e){let t=Re(e.connection.authMode);return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:mt(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(Jc,"buildRouteAuthBaseFromPolicyOptions");function Vc(e,t){let o=ye().byOperationId.get(t);if(!o)throw new _(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new _(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new _(`MCP route "${t}" does not bind upstream "${e}". Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return zg({connection:o.connection,operationId:t})}n(Vc,"resolveRouteAuthBase");function Wc(e,t){switch(e){case"user":return gt(t.subjectId);case"shared":return Or()}}n(Wc,"buildOwnerForPrincipal");function Zr(e,t){switch(e.ownerMode){case"shared":return{...e,owner:Wc(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:Wc(e.ownerMode,t),initiatedBySubjectId:t.subjectId}}}n(Zr,"resolveRouteAuthForPrincipal");var Eg=ke.InvalidRequest,Mg=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function qg(e){let t=e.route.raw();return G.parse(t?.operationId)}n(qg,"readOperationId");async function Hg(e,t,r,o){let a=await To({request:e,routeAuth:t});if(a.kind==="connect_required")return o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:a.payload};let s=a.credential;switch(s.type){case"none":return{kind:"headers",headers:[]};case"bearer_token":return{kind:"headers",headers:[["authorization",`Bearer ${s.token}`]]};case"headers":return{kind:"headers",headers:Object.entries(s.headers)};case"mcp_oauth_provider":{let u=await s.provider.tokens();return u?{kind:"headers",headers:[["authorization",`${u.token_type??"Bearer"} ${u.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}}}n(Hg,"buildCredentialHeaders");var Dg=new Set(["authorization","cookie","cookie2"]);function jg(e,t){let r=new Headers(e.headers);for(let o of Dg)r.delete(o);for(let[o,a]of t)r.set(o,a);return new lr(e,{headers:r})}n(jg,"applyUpstreamHeaders");function Lg(e){let t=new Headers(e.headers);for(let r of Mg)t.delete(r);return t}n(Lg,"buildProxyHeaders");async function Bg(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(Bg,"readRetryBody");function Yc(e,t){let r=t.authUrl===void 0?void 0:Ma({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(Tr({id:za(e),error:{code:r?.code??Eg,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(Yc,"connectRequiredJsonRpcResponse");async function Ng(e){let t=await To({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0});if(t.kind==="connect_required")return{kind:"connect_required",payload:t.payload};let r=new Headers(e.headers),o=t.credential;switch(o.type){case"none":return r.delete("authorization"),{kind:"headers",headers:r};case"bearer_token":return r.set("authorization",`Bearer ${o.token}`),{kind:"headers",headers:r};case"headers":for(let[a,s]of Object.entries(o.headers))r.set(a,s);return{kind:"headers",headers:r};case"mcp_oauth_provider":{let a=await o.provider.tokens();return a?(r.set("authorization",`${a.token_type??"Bearer"} ${a.access_token}`),{kind:"headers",headers:r}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}}}n(Ng,"applyRefreshedCredentialHeaders");function Gg(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await Ng({request:e.request,context:e.context,headers:Lg(r),routeAuth:e.routeAuth});if(o.kind==="connect_required")return Yc(e.requestBody,o.payload);if(o.kind==="response")return o.response;let a=Oi({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return oi.fetch(a.url,a.init)})}n(Gg,"installUpstreamAuthRetryHook");async function Po(e,t,r){let o=qg(t),a=await Bg(e),s=Jc({connection:r,operationId:o}),u=Zr(s,Pa(e,t)),d=await Hg(e,u,r,t);if(!(d instanceof Response)&&d.kind==="connect_required")return Yc(a,d.payload);if(d instanceof Response)return d;let p=jg(e,d.headers);return Gg({request:p,context:t,requestBody:a,routeAuth:u}),p}n(Po,"mcpTokenExchangePolicy");var Oo=class extends it{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Rr(t,r);super(o,r)}async handler(t,r){return ot("policy.inbound.mcp-token-exchange"),Po(t,r,this.options)}};z();var Xc=Symbol("Html");function $g(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}n($g,"escapeHtml");function Zg(e){return e===null||typeof e!="object"?!1:e[Xc]===!0}n(Zg,"isHtml");function Qc(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Qc).join(""):Zg(e)?e.value:$g(String(e))}n(Qc,"renderValue");function ze(e){return{[Xc]:!0,value:e}}n(ze,"trustedHtml");var tt=ze("");function L(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Qc(t[o]),r+=e[o+1]??"";return ze(r)}n(L,"html");function At(e){return e.value}n(At,"renderHtml");function eu(e){return L`<p data-gateway-error-code="${e.code}">${e.detail}</p>${e.guidance} ${e.action}`}n(eu,"renderBrowserErrorPage");var vt=ze('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function It(e){return L`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
       ${e.styles}
-    </style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}o(Mt,"renderShell");var Ap="zuplo.com";function Pv(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}o(Pv,"s2FaviconHref");function FM(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}o(FM,"strictFaviconHref");var yr=Pv(Ap);function Sr(e){let t=e.toLowerCase();return t===Ap||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?Pv(Ap):FM(e)}o(Sr,"resolveIconHref");function _r(e){return se`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}o(_r,"renderShellIcon");var ZM="text/html; charset=utf-8";function Yt(e){try{return new URL(e).host}catch{return""}}o(Yt,"safeHostFromUrl");function Rt(e){let t=Sr(e.host),r=KM(e.kind??"authorization_failed");return new Response(Wt(Mt({title:e.title??r.title,iconHref:t,styles:Ot,headerIcon:_r({iconHref:t,fallbackIconHref:yr}),heading:e.title??r.title,subhead:"",body:Iv({code:e.code??"unknown",detail:e.detail,guidance:se`<p class="card__description">${r.guidance}</p>`,action:JM(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":ZM,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(Rt,"browserErrorPageResponse");function KM(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. If this keeps happening, contact your gateway administrator with this error code."}}}o(KM,"readBrowserErrorPagePresentation");function JM(e){return e===void 0?xn:se`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}o(JM,"renderAction");var xv="application/json",WM="application/x-www-form-urlencoded";function Qs(e,t){return new E({message:e,extensionMembers:{[T]:"invalid_request"}},t===void 0?void 0:{cause:t})}o(Qs,"invalidRequestError");function YM(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}o(YM,"normalizeContentType");function XM(e,t){return e===t?!0:t===xv&&e.endsWith("+json")}o(XM,"contentTypeMatches");function QM(e,t){if(!t||t.length===0)return;let r=YM(e.headers.get("content-type"));if(!t.some(n=>XM(r,n)))throw Qs(`Request body must be ${t.join(" or ")}.`)}o(QM,"assertExpectedContentType");function ez(e,t,r){let n=e.headers.get("content-length");if(!n)return;let a=Number.parseInt(n,10);if(Number.isFinite(a)&&a>t)throw Qs(`${r} exceeded the maximum allowed size.`)}o(ez,"assertContentLengthWithinLimit");async function kv(e,t){let r=t.label??"Request body";QM(e,t.expectedContentTypes),ez(e,t.maxBytes,r);let n=await ji(e.body,{maxBytes:t.maxBytes,createLimitError:o(()=>Qs(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(n)}o(kv,"readBoundedTextBody");async function Av(e,t){let r=await kv(e,{...t,expectedContentTypes:[xv]});try{return JSON.parse(r)}catch(n){throw Qs("Request body must be valid JSON.",n)}}o(Av,"readBoundedJsonBody");async function ec(e,t){let r=await kv(e,{...t,expectedContentTypes:[WM]});return new URLSearchParams(r)}o(ec,"readBoundedFormUrlEncodedBody");function Tv(e){return se`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}o(Tv,"renderActions");var vJ=gr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function Ev(){return se`<p>The API key could not be verified. Start the authorization flow again to try
-  once more.</p>`}o(Ev,"renderApiKeyLoginFailure");function Uv(e){return se`<form class="form" method="post" action="/oauth/api-key-login" autocomplete="off" ><input type="hidden" name="state" value="${e.state}" /><label class="form__label" for="apiKey">API key</label><input class="form__input" id="apiKey" name="apiKey" type="password" required autocomplete="off" /><button class="button button--primary button--block form__submit" type="submit" >Continue</button></form>`}o(Uv,"renderApiKeyLoginForm");var wJ=gr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),bJ=gr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var RJ=gr('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var tz="text/html; charset=utf-8";function Ov(e,t=200){return new Response(Wt(e),{status:t,headers:{"content-type":tz,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(Ov,"apiKeyLoginHtmlResponse");function Tp(e,t=401){let r=Sr(e);return Ov(Mt({title:"Sign-in failed",iconHref:r,styles:Ot,headerIcon:_r({iconHref:r,fallbackIconHref:yr}),heading:"Sign-in failed",subhead:"",body:Ev(),footer:""}),t)}o(Tp,"apiKeyLoginFailureResponse");function Mv(e,t){let r=Sr(e);return Ov(Mt({title:"Sign in",iconHref:r,styles:Ot,headerIcon:_r({iconHref:r,fallbackIconHref:yr}),heading:"Sign in",subhead:se`<p class="card__subtitle">Enter your API key to continue.</p>`,body:Uv({state:t}),footer:""}))}o(Mv,"renderApiKeyLoginForm");de();de();import{errors as Lv,jwtVerify as Bv,SignJWT as Gv}from"jose";de();import{errors as mz,jwtVerify as fz,SignJWT as hz}from"jose";function Jr(e){let t=Te().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw D("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}o(Jr,"requireBrowserLoginField");de();import{createRemoteJWKSet as nz,errors as Va,jwtVerify as oz}from"jose";var az=u.object({id_token:u.string().min(1),token_type:u.string().min(1).optional(),expires_in:u.number().optional(),access_token:u.string().min(1).optional(),refresh_token:u.string().min(1).optional(),scope:u.string().min(1).optional()}),iz=u.object({error:u.string().min(1).optional(),error_description:u.string().min(1).optional(),error_uri:u.string().min(1).optional()});function sz(e){let t=iz.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}o(sz,"readIdpErrorFields");function cz(e){return e instanceof Va.JWTExpired?"expired":e instanceof Va.JWTClaimValidationFailed?"claim":e instanceof Va.JWSSignatureVerificationFailed?"signature":e instanceof Va.JWKSNoMatchingKey?"jwks_no_match":e instanceof Va.JWTInvalid?"invalid":e instanceof u.ZodError?"schema":"other"}o(cz,"readJwtFailureKind");var uz=u.object({sub:ve,nonce:u.string().min(1)}).catchall(u.unknown()),Ep;function dz(e){return e instanceof Error&&"cause"in e?e.cause:e}o(dz,"readErrorCause");function lz(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}o(lz,"readRuntimeGatewayCode");function pz(){if(!Ep){let e=Te();Ep=nz(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Ep}o(pz,"readFederatedJwks");async function zv(e){let t=Te(),r=Jr("tokenUrl"),n=Jr("clientId"),a=Jr("clientSecret"),i=new URL("/oauth/callback",Pt(e.requestUrl)).toString(),s=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:i,client_id:n,client_secret:a});try{let{response:c,json:d}=await jh(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:s},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!c.ok){let h=sz(d);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:St(r),idpStatus:c.status,...h},"Federated browser login token exchange returned non-2xx from the identity provider"),D({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${c.status}${h.idpError?` idp_error=${h.idpError}`:""}${h.idpErrorDescription?` idp_error_description=${h.idpErrorDescription}`:""})`)})}let p=az.parse(d),l;try{({payload:l}=await oz(p.id_token,pz(),{issuer:t.oidc.issuer,audience:n}))}catch(h){let g={};throw Xe(g,"error",h),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:cz(h),idpHost:St(r),expectedIssuer:t.oidc.issuer,...g},"Federated id_token failed jose verification"),h}if(l.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:St(r),nonceMissingFromIdToken:l.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),D("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let m=uz.parse(l);return jn({sub:m.sub,data:m},e.requestUrl)}catch(c){let d=dt(c)??lz(c);throw d!==void 0&&d!=="browser_login_verification_failed"?c:D("browser_login_verification_failed","Federated browser login callback could not be verified.",dz(c))}}o(zv,"exchangeFederatedAuthorizationCode");var Op="zuplo_mcp_session",gz=u.object({purpose:u.literal("gateway_browser_session"),sub:ve,browserLoginOrigin:u.string().min(1),roles:u.array(u.string().min(1)).optional(),exp:u.number().int().positive(),iat:u.number().int().positive().optional()});function yz(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let n=r.indexOf("=");if(n<0)continue;let a=r.slice(0,n).trim(),i=r.slice(n+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}o(yz,"parseCookieHeader");async function $v(){return Ht({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>Or(e,"browser-session"),"derive")})}o($v,"getBrowserSessionKey");function Up(e){let t=new URL(le(e)),r=[`${Op}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Up,"buildBrowserSessionEvictionCookie");function Sz(e){let t=new URL(le(e.requestUrl)),r=[`${Op}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}o(Sz,"serializeSessionCookie");function qv(e={}){return new URL(Jr("url")).origin}o(qv,"readBrowserLoginOrigin");function Mp(){return Te().browserLogin.stateTtlSeconds}o(Mp,"readBrowserLoginStateTtlSeconds");function Nv(e){if(!e.user)throw D("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return jn(e.user,e.url)}o(Nv,"resolveCurrentRequestPrincipal");async function tc(e,t={}){let r=yz(e.headers.get("cookie")).get(Op);if(!r)return{};try{let{payload:n}=await fz(r,await $v(),{algorithms:[mt],issuer:nt,audience:pt}),a=gz.parse(n);if(a.browserLoginOrigin!==qv(t))return{evictCookie:Up(e.url)};let i={subjectId:a.sub};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(n){return n instanceof mz.JWTExpired?{evictCookie:Up(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:n instanceof Error?n.name:"unknown",errorMessage:n instanceof Error?n.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Up(e.url)})}}o(tc,"readBrowserSession");async function Fa(e){let t=Te().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:qv({virtualServerId:e.virtualServerId})};e.principal.roles&&(r.roles=e.principal.roles);let n=await new hz(r).setProtectedHeader({alg:mt,typ:"JWT"}).setIssuer(nt).setAudience(pt).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await $v());return Sz({value:n,requestUrl:e.requestUrl,ttlSeconds:t})}o(Fa,"createBrowserSessionCookie");async function Dv(e){throw D("forbidden","API-key browser login is not supported in this gateway.")}o(Dv,"resolveApiKeyBrowserLoginPrincipal");async function jv(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await tc(e.request,t);if(r.principal)return r.principal;let n=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!n)throw D("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return zv({code:n,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}o(jv,"resolveBrowserLoginCallbackPrincipal");function Hv(e){let t=Te().browserLogin,r=new URL(Jr("url")),n=new URL("/oauth/callback",Pt(e.requestUrl));return nf(r)?(r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",Jr("clientId")),r.searchParams.set("redirect_uri",n.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}o(Hv,"buildBrowserLoginUrl");var _z={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},$=class extends Error{static{o(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,n=_z[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=n}};var vz=5*60,wz=u.object({purpose:u.literal("gateway_browser_login"),transactionId:lt,stateId:Ci,exp:u.number().int().positive(),iat:u.number().int().positive().optional()}),bz=u.object({purpose:u.literal("gateway_authorization_setup"),transactionId:lt,stateId:Ci,exp:u.number().int().positive(),iat:u.number().int().positive().optional()});async function Vv(){return Ht({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>Or(e,"browser-login"),"derive")})}o(Vv,"getBrowserLoginKey");async function Fv(){return Ht({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:o(e=>Or(e,"authorization-csrf"),"derive")})}o(Fv,"getCsrfKey");function Zv(e){return{now:e.now??new Date,ttlSeconds:Mp()}}o(Zv,"readPendingTransactionDependencies");function Rz(e,t){return e.subjectId===t.subjectId}o(Rz,"principalsMatch");function Kv(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}o(Kv,"toPendingPrincipal");function Jv(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,virtualServerId:e.transaction.virtualServerId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:oe(e.now),expiresAt:oe(or(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw D("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Kv(e.principal)}}o(Jv,"createTransactionRecord");async function Wv(e){let{id:t,...r}=e.record,n=await Y().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(n.kind){case"started":return n.transaction;case"already_exists":throw D("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new $("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new $("invalid_request","redirect_uri is not registered for the client.")}}o(Wv,"startPendingTransaction");async function Cz(e){return new Gv({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:mt,typ:"JWT"}).setIssuer(nt).setAudience(pt).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Vv())}o(Cz,"signBrowserLoginState");async function Yv(e){return new Gv({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:mu()}).setProtectedHeader({alg:mt,typ:"JWT"}).setIssuer(nt).setAudience(pt).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Fv())}o(Yv,"signCsrfToken");async function rc(e){try{let{payload:t}=await Bv(e,await Vv(),{algorithms:[mt],issuer:nt,audience:pt}),r=wz.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Lv.JWTExpired?D("oauth_state_expired","Browser login state has expired.",t):D("oauth_state_invalid","Browser login state could not be verified.",t)}}o(rc,"verifyBrowserLoginStateToken");async function nc(e){try{let{payload:t}=await Bv(e,await Fv(),{algorithms:[mt],issuer:nt,audience:pt});return{transactionId:bz.parse(t).transactionId}}catch(t){throw t instanceof Lv.JWTExpired?D("oauth_state_expired","Authorization setup state has expired.",t):D("oauth_state_invalid","Authorization setup state could not be verified.",t)}}o(nc,"verifyCsrfToken");function oc(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}o(oc,"pendingStateErrorCode");function Xv(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}o(Xv,"toPendingAuthorizationGetResult");function Iz(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}o(Iz,"toPendingAuthorizationAdvanceResult");function zp(e){return e==="principal_mismatch"?"oauth_callback_mismatch":oc(e==="consumed_already"?"consumed_already":e)}o(zp,"setupDecisionErrorCode");async function Qv(e){let t=e.now??new Date,r=await nc(e.csrfToken),n=await Y().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await fe(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:oe(t)});if(n.kind!=="marked")throw D(zp(n.kind),"Authorization setup state is invalid, expired, or already used.");return ew({kind:"available",record:n.transaction})}o(Qv,"markSetupApproved");function ew(e){if(e.kind!=="available")throw D(oc(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw D("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}o(ew,"requireAwaitingSetup");function Pz(e){if(e.kind!=="available")throw D(oc(e.kind),"Browser login state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_login")throw D("oauth_state_invalid","Browser login state is not in the login phase.");return e.record}o(Pz,"requireAwaitingLogin");function xz(e){if(!Rz(e.currentBrowserPrincipal,e.transaction.principal))throw D("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}o(xz,"requireCurrentPrincipalMatches");async function tw(e){let t=e.now??new Date,r=Mp(),n=pu(),a=mu(),i=await Cz({transactionId:n,stateId:a,ttlSeconds:r}),s=Jv({id:n,transaction:e.transaction,currentStateHash:await fe(i),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw D("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Wv({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw D("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:c,browserLoginStateToken:i,browserLoginUrl:Hv({state:i,nonce:a,virtualServerId:s.virtualServerId,requestUrl:e.requestUrl})}}o(tw,"startAwaitingLogin");async function rw(e){let{now:t,ttlSeconds:r}=Zv(e),n=pu(),a=await Yv({transactionId:n,ttlSeconds:r}),i=Jv({id:n,transaction:e.transaction,currentStateHash:await fe(a),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(i.phase!=="awaiting_setup")throw D("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Wv({record:i,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw D("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:a}}o(rw,"startAwaitingSetup");async function $p(e){let{now:t,ttlSeconds:r}=Zv(e),n=await rc(e.browserLoginStateToken),a=await Yv({transactionId:n.transactionId,ttlSeconds:r}),i=Iz(await Y().advancePendingAuthorization({transactionId:n.transactionId,expectedPhase:"awaiting_login",currentStateHash:await fe(e.browserLoginStateToken),nextStateHash:await fe(a),nextPhase:"awaiting_setup",principal:Kv(e.principal),now:oe(t)}));if(i.kind!=="advanced")throw D(oc(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw D("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:a}}o($p,"completeLogin");async function nw(e){let t=e.now??new Date,r=await rc(e.browserLoginStateToken);return Pz(Xv(await Y().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await fe(e.browserLoginStateToken),now:oe(t)})))}o(nw,"getAwaitingLogin");async function ow(e){let t=await qp(e);return xz({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}o(ow,"getSetup");async function qp(e){let t=e.now??new Date,r=await nc(e.csrfToken);return ew(Xv(await Y().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await fe(e.csrfToken),now:oe(t)})))}o(qp,"getSetupTransaction");async function kz(e){let t=await nc(e.csrfToken),r=ir(),n=oe(or(e.now,vz)),a=await Y().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await fe(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await fe(r),authorizationCodeExpiresAt:n,grantId:tf(),now:oe(e.now)});if(a.kind!=="approved")throw D(a.kind==="cancelled"?"oauth_state_invalid":zp(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}o(kz,"createAuthorizationCodeRedirectWithDecision");async function Az(e){let t=await nc(e.csrfToken),r=await Y().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await fe(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:oe(e.now)});if(r.kind!=="cancelled")throw D(r.kind==="approved"?"oauth_state_invalid":zp(r.kind),"Authorization setup state is invalid, expired, or already used.");return Tz({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}o(Az,"createCancelRedirectWithDecision");function Tz(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}o(Tz,"buildClientCancelRedirect");async function aw(e){let t=e.now??new Date;return kz({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}o(aw,"approve");async function iw(e){let t=e.now??new Date;return Az({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}o(iw,"cancel");de();var Ez=1e4,Uz=5*1024,Oz=2,Mz=90*24*60*60,Np=["authorization_code","refresh_token"],Dp=["code"],zz=u.object({client_name:u.string().min(1).optional(),redirect_uris:u.array(u.string().min(1)).min(1),grant_types:u.array(u.enum(Np)).min(1).max(2).optional(),response_types:u.array(u.enum(Dp)).min(1).max(1).optional(),scope:u.literal(_e).optional(),token_endpoint_auth_method:Xm.default("none")});function $z(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&ke(t))&&t.pathname!=="/"}catch{return!1}}o($z,"isCimdClientIdCandidate");function bo(e,t="invalid_request",r="authorize"){if(qz(e))throw new $(t,"redirect_uris must not include raw whitespace or control characters.");let n;try{n=new URL(e)}catch{throw new $(t,"redirect_uris must be absolute URIs.")}if(n.hash||n.username||n.password)throw new $(t,"redirect_uris must not include credentials or fragments.");let a={source:r},i=Jm({url:n,context:a});if(i.kind!=="rejected"){i.mode!=="strict"&&void 0;return}throw new $(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}o(bo,"assertValidRedirectUri");function qz(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}o(qz,"hasForbiddenRawRedirectUriCharacter");async function Nz(e){let{response:t,json:r}=await Hh(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Oz,maxResponseBytes:Uz,timeoutMs:Ez});if(!t.ok)throw D("invalid_request","CIMD metadata could not be fetched.");let n=ef.parse(r);for(let a of n.redirect_uris)bo(a,"invalid_request","cimd");if(n.client_id!==e.clientId)throw D("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return n}o(Nz,"fetchCimdMetadata");async function Dz(e){let t=Di(e),r=await Nz({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}o(Dz,"resolveCimdClient");async function ac(e,t){let r=Oe.parse(e);if($z(r)){if(!Te().gateway.cimdEnabled)throw new $("invalid_client","OAuth client is not registered.");try{return await Dz(r)}catch{throw new $("invalid_client","OAuth client is not registered.")}}let n=await Y().readClient({clientId:r});if(n.kind==="found"){let a=n.client,i={kind:"dcr",clientId:r,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(i.hashedClientSecret=a.hashedClientSecret),i}throw new $("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}o(ac,"resolveClient");function sw(e,t){if(!e.metadata.redirect_uris.some(r=>rf(r,t)))throw D("invalid_request","redirect_uri is not registered for the client.")}o(sw,"assertRedirectRegistered");function jz(e){let t=cw(e.grant_types),r=e.response_types??[...Dp];if(!Hz(t))throw new $("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!Lz(r))throw new $("invalid_client_metadata","response_types must be code.");if(!Bz(e.scope))throw new $("invalid_client_metadata",`Only the ${_e} scope is supported.`)}o(jz,"assertSupportedDcrRequest");function cw(e){return e===void 0?[...Np]:Array.from(new Set(e))}o(cw,"normalizeGrantTypes");function Hz(e){return e.length===0?!1:e.every(t=>Np.includes(t))}o(Hz,"isSupportedGrantTypes");function Lz(e){return e.length===Dp.length&&e[0]==="code"}o(Lz,"isSupportedResponseTypes");function Bz(e){return e===void 0||e===_e}o(Bz,"isSupportedDcrScope");function Za(e){if(e===void 0||e===_e)return _e;throw new $("invalid_request",`Only the ${_e} scope is supported.`)}o(Za,"assertSupportedOAuthScope");function Ro(e,t){let r;try{r=new URL(t)}catch{throw new $("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new $("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!ke(r))throw new $("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let n=le(e),a=Eh(),i=a?[...a.byVirtualServerId.values()].find(s=>new URL(s.routePath,n).toString()===t):void 0;if(!i)throw new $("invalid_target","resource must match a published virtual MCP server.");return i}o(Ro,"resolveResource");async function uw(e){let t;try{t=zz.parse(e)}catch(l){if(l instanceof u.ZodError){let m=l.issues.some(h=>h.path[0]==="redirect_uris");throw new $(m?"invalid_redirect_uri":"invalid_client_metadata",l.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:l})}throw l}jz(t);for(let l of t.redirect_uris)bo(l,"invalid_redirect_uri","dcr");let r=new Date,n=Oe.parse(`dcr:${crypto.randomUUID()}`),a=or(r,Mz),i=Math.floor(r.getTime()/1e3),s=Math.floor(a.getTime()/1e3),c={client_id:n,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:cw(t.grant_types),response_types:["code"],scope:_e,token_endpoint_auth_method:t.token_endpoint_auth_method,client_id_issued_at:i},d={clientId:n,clientName:String(c.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:t.token_endpoint_auth_method,createdAt:oe(r),clientExpiresAt:oe(a)};if(t.token_endpoint_auth_method!=="none"){let l=ir();d.hashedClientSecret=await fe(l),d.clientSecretExpiresAt=oe(a),c.client_secret=l,c.client_secret_expires_at=s,c.client_secret_issued_at=i}if((await Y().registerClient(d)).kind==="already_exists")throw D("invalid_request","OAuth client is already registered.");return c}o(uw,"registerDownstreamClient");var Gz="data:,",dw=se`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,lw=se`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function Vz(e,t){if(e)try{let r=new URL(t).origin,n=new URL(e,r);return n.origin!==r||!n.pathname.startsWith("/auth/connections/")?void 0:n.toString()}catch{return}}o(Vz,"safeGatewayConnectHref");function Fz(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}o(Fz,"deriveMode");function Zz(e){return Tv({state:e.state,submitOnceAttrs:dw,authorizeAttrs:xn})}o(Zz,"renderActions");function jp(e,t,r){for(let n of e){if(n.ownerMode!=="user"||n.status!==r)continue;let a=Vz(n.connectUrl,t);if(a)return a}}o(jp,"firstUserConnectHref");function Kz(e){let t=e.connectHref?se`<a class="button button--primary" href="${e.connectHref}" ${lw}>Connect</a>`:se`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return se`<form class="actions" method="post" action="/oauth/setup" ${dw}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}o(Kz,"renderSetupActions");function Jz(e){return e?se`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${lw}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:xn}o(Jz,"renderReconnectAction");function Hp(e){let t=Fz(e.upstreams),r=jp(e.upstreams,e.gatewayOrigin,"not_connected"),n=jp(e.upstreams,e.gatewayOrigin,"reconsent_required"),a=jp(e.upstreams,e.gatewayOrigin,"active"),i=t==="setup"?r??n:void 0,s=se`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.virtualServerDisplayName}</strong>' on your behalf?</p>`,c=t==="setup"?se`<footer class="card__footer">${Kz({state:e.state,connectHref:i})}</footer>`:se`<footer class="card__footer">${Jz(a)}${Zz({state:e.state})}</footer>`;return Wt(Mt({title:`Authorize access \xB7 ${e.virtualServerDisplayName}`,iconHref:Gz,styles:Ot,headerIcon:xn,heading:"MCP Gateway",subhead:xn,body:s,footer:c}))}o(Hp,"renderConsentPage");function Wz(e){try{return new URL(e).host}catch{return}}o(Wz,"safeUrlHost");function Yz(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}o(Yz,"readOAuthScopes");function Lp(e){return e!==void 0&&e.length>0}o(Lp,"hasItems");function Xz(e){let t=e.registeredConnection.config.serverInfo?.icons;if(Lp(t))return t;let r=e.virtualServer.serverInfo?.icons;return e.virtualServer.connections.length===1&&Lp(r)?r:void 0}o(Xz,"readServerIcons");async function Qz(e){if(!(e.returnTo===void 0||!e.isUserOwned))return Qu({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,virtualServerId:e.virtualServer.virtualServerId,returnTo:e.returnTo})}o(Qz,"readConnectUrl");function kn(e,t){return t===void 0?{}:{[e]:t}}o(kn,"optionalRequirementField");function e$(e){return e.isUserOwned?Sf(e.connection):{connected:!0,status:"active"}}o(e$,"readSetupConnectionStatus");function t$(e){let t=Yz(e);return Lp(t)?t:void 0}o(t$,"readScopesRequested");function r$(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}o(r$,"readUpdatedAt");function n$(e){if(e.virtualServer.catalog.catalogSource!=="openapi")return{tools:[],prompts:[],resources:[]};let t=o(r=>r.upstreamPolicyName===e.registeredConnection.policyName,"ownsCapability");return{tools:e.virtualServer.catalog.tools.filter(r=>r.enabled!==!1&&t(r)).map($i),prompts:e.virtualServer.catalog.prompts.filter(r=>r.enabled!==!1&&t(r)).map(qi),resources:e.virtualServer.catalog.resources.filter(r=>r.enabled!==!1&&t(r)).map(Ni)}}o(n$,"readVirtualServerCapabilities");async function o$(e){let{authConfig:t,authMode:r,config:n,upstreamServerId:a,authProfileId:i}=e.registeredConnection,s=Li(r),c=s==="user",d=e$({connection:e.connection,isUserOwned:c}),p=await Qz({...e,connected:d.connected,isUserOwned:c});return{upstreamServerId:a,authProfileId:i,authMode:r,ownerMode:s,upstreamDisplayName:n.displayName,status:d.status,connected:d.connected,capabilities:n$({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer}),...kn("description",n.description),...kn("transportHost",Wz(n.transport.baseUrl)),...kn("scopesRequested",t$(t)),...kn("serverIcons",Xz({registeredConnection:e.registeredConnection,virtualServer:e.virtualServer})),...kn("connectUrl",p),...kn("updatedAt",r$({connectionStatus:d,isUserOwned:c})),...kn("expiresAt",e.connection?.expiresAt)}}o(o$,"buildSetupRequirement");function pw(e){let t=rt().byVirtualServerId.get(e);if(!t)throw D("unknown_virtual_server",`Unknown virtual server: ${e}`);return t}o(pw,"requireVirtualServer");async function Bp(e){let t=pw(e.transaction.virtualServerId),r=Tr(e.transaction.principal.subjectId),n=[],a=new Map;for(let c of t.connections)Li(c.authMode)==="user"&&(a.set(c,n.length),n.push({owner:r,upstreamServerId:c.upstreamServerId,authProfileId:c.authProfileId}));let i=await Y().batchGetUpstreamConnections(n),s=[];for(let c of t.connections){let d=Li(c.authMode)==="user",p=a.get(c);s.push(await o$({connection:d&&p!==void 0?i[p]:void 0,registeredConnection:c,virtualServer:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r}))}return s}o(Bp,"requirementsForSetup");function a$(e){return e.virtualServer.serverInfo?.title??e.virtualServer.serverInfo?.name??e.virtualServer.virtualServerId}o(a$,"readVirtualServerDisplayName");async function Gp(e){let t=pw(e.transaction.virtualServerId),r=a$({virtualServer:t}),n=await Y().readClient({clientId:e.transaction.clientId}),a=n.kind==="found"?n.client:void 0,i={gatewayOrigin:le(e.requestUrl),virtualServerDisplayName:r,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.serverInfo?.title;return s!==void 0&&s!==r&&(i.virtualServerDescription=s),i}o(Gp,"consentContext");function Vp(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}o(Vp,"hasUnresolvedUserUpstream");var i$=["mcp_user"],s$="dev-browser-user",c$=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{virtualServerId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),u$=u.object({response_type:u.literal("code"),client_id:u.string().min(1),redirect_uri:u.string().min(1),resource:u.url(),code_challenge:u.string().min(43),code_challenge_method:bi,state:u.string().min(1).optional(),scope:u.literal(_e).default(_e)}),d$=u.enum(["continue","approve","cancel"]).default("continue"),l$=u.object({state:u.string().min(1),decision:d$}),p$=u.object({state:u.string().min(1),apiKey:u.string().min(1)}),Wr=class extends Error{static{o(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function mw(e){return typeof e=="string"&&e.length>0?e:void 0}o(mw,"readQueryString");function m$(e){let t=Array.from(rt().byVirtualServerId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return Ar(r.virtualServerId,e.url)}o(m$,"inferSingleVirtualServerResource");function f$(e,t){let r=mw(e.query.resource);if(t===void 0){if(r!==void 0)return r;let a=m$(e);if(a!==void 0)return a;throw new $("invalid_target",c$)}let n=Ar(t,e.url);if(r===void 0||r===n)return n;throw new $("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}o(f$,"requireAuthorizeResource");async function h$(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await tc(e,n);if(a.principal)return{principal:a.principal};if(!e.user)return a.evictCookie===void 0?{}:{setCookie:a.evictCookie};let i=Nv(e);return{principal:i,setCookie:await Fa({principal:i,requestUrl:e.url,virtualServerId:t})}}o(h$,"resolveBrowserPrincipal");async function g$(e,t,r){let n={virtualServerId:t};r!==void 0&&(n.context=r);let a=await tc(e,n);if(!a.principal)throw D("authentication_required","Authorization setup requires a current browser session.");return a.principal}o(g$,"requireSetupPrincipal");function fw(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}o(fw,"buildSetupReturnTo");async function hw(e){let t=await Bp({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:fw(e.csrfToken)}),r=await Gp({transaction:e.transaction,requestUrl:e.requestUrl}),n={kind:"setup_page",html:Hp({state:e.csrfToken,virtualServerId:e.transaction.virtualServerId,upstreams:t,...r})};return e.setCookie!==void 0&&(n.setCookie=e.setCookie),n}o(hw,"renderSetup");function y$(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}o(y$,"toAuthorizationTransactionClient");async function Fp(e,t={}){let r=u$.parse({...e.query,resource:f$(e,t.virtualServerId),state:mw(e.query.state)}),n=Za(r.scope);bo(r.redirect_uri,"invalid_request","authorize");let a=new Date,i=Oe.parse(r.client_id),s=await ac(r.client_id,a);sw(s,r.redirect_uri);try{let c=Ro(e.url,r.resource),d=y$(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i,virtualServerId:c.virtualServerId,scope:n,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&J(t.context,{eventType:F.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.virtualServerId,attributes:{clientId:i,scope:n,responseType:r.response_type}});let p={clientId:s?.clientId??i,...d===void 0?{}:{client:d},redirectUri:r.redirect_uri,resource:r.resource,virtualServerId:c.virtualServerId,scope:n,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:l,setCookie:m}=await h$(e,c.virtualServerId,t.context);if(!l){let g=await tw({transaction:p,requestUrl:e.url,now:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i,virtualServerId:c.virtualServerId},"Downstream OAuth authorize: redirecting to browser login (no session)");let S={kind:"redirect",location:g.browserLoginUrl};return m!==void 0&&(S.setCookie=m),S}let h=await rw({transaction:p,principal:l,now:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i,virtualServerId:c.virtualServerId,subjectId:l.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&J(t.context,{eventType:F.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.virtualServerId,attributes:{clientId:i,scope:n,responseType:r.response_type,subjectId:l.subjectId}}),hw({transaction:h.transaction,csrfToken:h.csrfToken,requestUrl:e.url,setCookie:m})}catch(c){throw S$({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}o(Fp,"authorizeDownstreamClient");function S$(e){if(e.cause instanceof Wr)return e.cause;let t=_$(e.cause);return t?new Wr({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}o(S$,"toDownstreamAuthorizeRedirectError");function _$(e){if(e instanceof $)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof u.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}o(_$,"mapToOAuthRedirectError");async function gw(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let p=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,l=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...p===void 0?{}:{idpErrorDescription:p},...l===void 0?{}:{idpErrorUri:l}},"Identity provider redirected browser-login callback with an error"),D("provider_access_denied",p??"The delegated browser login was not completed.")}let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),D("oauth_state_invalid","Browser login callback is missing state.");let a=await rc(n),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await jv(i),c=await $p({browserLoginStateToken:n,principal:s}),d=await hw({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url});return d.setCookie=await Fa({principal:s,requestUrl:e.url,virtualServerId:c.transaction.virtualServerId}),d}o(gw,"completeBrowserLoginCallback");async function yw(e){let t=Te(),r=new URL(e.url);if(!ke(r))throw D("forbidden","Local browser login is only available on loopback HTTP origins.");let n=typeof e.query.state=="string"?e.query.state:void 0;if(!n)throw D("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",le(e.url)),i=new URL(le(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw D("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",n);let s={subjectId:ve.parse(s$),roles:i$};return{kind:"redirect",location:a,setCookie:await Fa({principal:s,requestUrl:e.url})}}o(yw,"completeLocalDevBrowserLogin");async function Sw(e){let t=p$.parse(e.body),r=await nw({browserLoginStateToken:t.state}),n=await Dv({apiKey:t.apiKey,virtualServerId:r.virtualServerId}),a=await $p({browserLoginStateToken:t.state,principal:n});await Lg({apiKey:t.apiKey,principal:n,virtualServerId:a.transaction.virtualServerId});let i=new URL("/oauth/setup",Pt(e.request.url));return i.searchParams.set("state",a.csrfToken),{kind:"redirect",location:i,setCookie:await Fa({principal:n,requestUrl:e.request.url,virtualServerId:a.transaction.virtualServerId})}}o(Sw,"completeApiKeyBrowserLogin");function v$(e){let t=e.method==="POST"?e.body:e.query;return l$.parse(t)}o(v$,"readSetupContinueRequest");async function _w(e){let{state:t,decision:r}=v$({method:e.request.method,query:e.request.query,body:e.body}),n=new Date,a=await qp({csrfToken:t,now:n}),i=await g$(e.request,a.virtualServerId,e.context);if(r==="cancel")return{kind:"redirect",location:await iw({csrfToken:t,currentBrowserPrincipal:i,now:n})};let s=await ow({csrfToken:t,currentBrowserPrincipal:i,now:n}),c=await Bp({transaction:s,requestUrl:e.request.url,returnTo:fw(t)});if(r==="approve"&&Vp(c)&&await Qv({csrfToken:t,currentBrowserPrincipal:i,now:n}),Vp(c)){let d=await Gp({transaction:s,requestUrl:e.request.url});return{kind:"setup_page",html:Hp({state:t,virtualServerId:s.virtualServerId,upstreams:c,...d})}}return{kind:"redirect",location:await aw({csrfToken:t,currentBrowserPrincipal:i,now:n})}}o(_w,"continueDownstreamAuthorizeSetup");de();import{createLocalJWKSet as w$,decodeJwt as b$,errors as Ka,jwtVerify as R$}from"jose";var C$=new Set(["authorization_code","refresh_token"]),I$="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",P$=1e4,x$=32*1024,k$=2,vw=u.object({client_id:u.string().min(1).optional(),client_secret:u.string().min(1).optional(),client_assertion_type:u.string().min(1).optional(),client_assertion:u.string().min(1).optional()}),A$=u.discriminatedUnion("grant_type",[vw.extend({grant_type:u.literal("authorization_code"),code:u.string().min(1),redirect_uri:u.string().min(1),code_verifier:Ri,resource:u.url().optional(),scope:u.literal(_e).optional()}),vw.extend({grant_type:u.literal("refresh_token"),refresh_token:u.string().min(1),resource:u.url().optional(),scope:u.literal(_e).optional()})]);function T$(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!C$.has(t)))throw new $("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}o(T$,"assertSupportedGrantType");var E$=u.object({token:u.string().min(1),client_id:u.string().min(1).optional(),token_type_hint:u.string().optional(),client_secret:u.string().min(1).optional(),client_assertion_type:u.string().min(1).optional(),client_assertion:u.string().min(1).optional()}),U$=u.object({keys:u.array(u.record(u.string(),u.unknown())).min(1)}).passthrough();function ww(){return Te().gateway.accessTokenTtlSeconds}o(ww,"readAccessTokenTtlSeconds");function O$(){return Te().gateway.refreshTokenTtlSeconds}o(O$,"readRefreshTokenTtlSeconds");function M$(e,t){let r=ww(),n=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,n);return{expiresAt:oe(or(e,a)),expiresIn:a}}o(M$,"calculateAccessTokenExpiresAt");function bw(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new $("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new $("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new $("invalid_client","Malformed HTTP Basic client authentication.")}}o(bw,"readBasicClientSecret");function Rw(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new $("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=b$(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new $("invalid_client","Malformed private_key_jwt client assertion.")}throw new $("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new $("invalid_client","Client authentication or client_id is required.")}o(Rw,"resolveAuthenticatedClientId");function z$(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new $("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}o(z$,"resolveClientSecretInput");function $$(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}o($$,"hasClientAssertion");function q$(e){if(e.requestUrl===void 0)throw new $("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,e.requestUrl);return t.search="",t.hash="",t.toString()}o(q$,"buildEndpointAudience");function N$(e){return e instanceof Ka.JWTExpired?"expired":e instanceof Ka.JWTClaimValidationFailed?"claim":e instanceof Ka.JWSSignatureVerificationFailed?"signature":e instanceof Ka.JWKSNoMatchingKey?"jwks_no_match":e instanceof Ka.JWTInvalid?"invalid":e instanceof u.ZodError?"schema":"other"}o(N$,"readJwtFailureKind");async function D$(e){let{response:t,json:r}=await Lh(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:k$,maxResponseBytes:x$,timeoutMs:P$});if(!t.ok)throw new $("invalid_client","Client JWKS could not be fetched.");return U$.parse(r)}o(D$,"fetchClientJwks");async function j$(e){if(e.clientAssertionType!==I$||e.clientAssertion===void 0)throw new $("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=Oe.parse(e.clientId),r=await ac(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new $("invalid_client","Client is not registered for private_key_jwt authentication.");let n=r.metadata.jwks_uri;if(n===void 0)throw new $("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let a=q$({requestUrl:e.requestUrl,pathname:e.endpointPathname});try{let i=await D$({jwksUri:n,context:e.context});await R$(e.clientAssertion,w$(i),{issuer:t,subject:t,audience:a,currentDate:e.now})}catch(i){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:N$(i)},"OAuth private_key_jwt client authentication failed"),new $("invalid_client","Client authentication failed.")}return{method:"private_key_jwt",clientId:t}}o(j$,"verifyPrivateKeyJwtClientAssertion");async function H$(e){let t=Oe.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await fe(e.clientSecret)}}o(H$,"buildRuntimeHttpClientAuth");async function Cw(e){if($$({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new $("invalid_request","Use only one client authentication method per request.");return j$(e)}let t=z$({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return H$({clientId:e.clientId,...t})}o(Cw,"resolveRuntimeHttpClientAuth");async function Iw(e){T$(e.body);let t=A$.parse(e.body),r=bw(e.authorizationHeader),n=Rw({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date,i=await Cw({clientId:n,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,endpointPathname:"/oauth/token",now:a,context:e.context});return L$({parsed:t,clientId:n,clientAuth:i,now:a,requestUrl:e.requestUrl,context:e.context})}o(Iw,"exchangeDownstreamToken");async function L$(e){if(e.parsed.grant_type==="authorization_code"){bo(e.parsed.redirect_uri,"invalid_request","token"),Za(e.parsed.scope),e.parsed.resource!==void 0&&Ro(e.requestUrl??e.parsed.resource,e.parsed.resource);let s=ir(),c=ir(),d=oe(or(e.now,O$())),p=M$(e.now,d),l=await Y().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await fe(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await lh(e.parsed.code_verifier),currentRefreshTokenHash:await fe(s),accessTokenHash:await fe(c),grantExpiresAt:d,accessTokenExpiresAt:p.expiresAt,now:oe(e.now)});if(l.kind==="invalid_client")throw new $("invalid_client","Client authentication failed.");if(l.kind==="resource_mismatch")throw new $("invalid_target","Token request resource must match the authorization code resource.");if(l.kind!=="exchanged")throw new $("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&J(e.context,{eventType:F.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:c,token_type:"Bearer",expires_in:p.expiresIn,refresh_token:s,scope:l.grant.scope,resource:l.grant.resource}}Za(e.parsed.scope),e.parsed.resource!==void 0&&Ro(e.requestUrl??e.parsed.resource,e.parsed.resource);let t=ir(),r=ir(),n=oe(or(e.now,ww())),a=await Y().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await fe(e.parsed.refresh_token),nextRefreshTokenHash:await fe(t),accessTokenHash:await fe(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:n,now:oe(e.now)});if(a.kind==="invalid_client")throw new $("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new $("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new $("invalid_grant","Refresh token is invalid, expired, or revoked.");Ro(e.requestUrl??a.grant.resource,a.grant.resource);let i=a.accessToken.expiresAt;return e.context&&(J(e.context,{eventType:F.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),J(e.context,{eventType:F.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(i).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:a.grant.scope,resource:a.grant.resource}}o(L$,"exchangeDownstreamTokenWithRuntimeHttp");async function Pw(e){let t=E$.parse(e.body),r=bw(e.authorizationHeader),n=Rw({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date;if((await Y().revokeOAuthToken({clientAuth:await Cw({clientId:n,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,endpointPathname:"/oauth/revoke",now:a,context:e.context}),tokenHash:await fe(t.token),now:oe(a)})).kind==="invalid_client")throw new $("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:n,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&J(e.context,{eventType:F.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:n,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}o(Pw,"revokeDownstreamToken");var B$=64*1024,G$=16*1024,V$="text/html; charset=utf-8";function F$(e){let t={};for(let[r,n]of e.entries())t[r]=n;return t}o(F$,"formDataToObject");async function Z$(e){return Av(e,{maxBytes:B$,label:"Request body"})}o(Z$,"readJsonBody");async function ic(e){return F$(await ec(e,{maxBytes:G$,label:"Request body"}))}o(ic,"readFormBody");async function xw(e,t,r){let n=dt(r),a=r instanceof u.ZodError?sc(r):void 0,i={code:n??(r instanceof u.ZodError?"invalid_request":"internal_server_error")};return a!==void 0&&(i.detail=a),xr(e,t,i)}o(xw,"handleProblem");function Ja(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}o(Ja,"oauthErrorResponse");function K$(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}o(K$,"readOAuthProtocolHeaders");function J$(e,t){let r=Ee("internal_server_error");return Ja({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:K$(e,t)})}o(J$,"oauthProtocolErrorResponse");function kw(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}o(kw,"readZodOAuthErrorCode");function W$(e){let t={error:kw(e)},r=sc(e);return r!==void 0&&(t.errorDescription=r),Ja(t)}o(W$,"oauthZodErrorResponse");function Y$(e){let t=dt(e);if(t===void 0)return;let r=Ee(t);if(r.oauthError===void 0)return;let n={error:r.oauthError,status:Q$(r.oauthError)};return r.oauthError==="server_error"?n.errorDescription=r.publicDetail:e instanceof Error?n.errorDescription=e.message:n.errorDescription=r.publicDetail,Ja(n)}o(Y$,"oauthGatewayProblemResponse");function X$(){let t={error:"server_error",status:500,errorDescription:Ee("internal_server_error").publicDetail};return Ja(t)}o(X$,"oauthFallbackErrorResponse");function Q$(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}o(Q$,"readOAuthStatus");function Zp(e,t={}){return e instanceof Wr?Ew(e):e instanceof $?J$(e,t):e instanceof u.ZodError?W$(e):Y$(e)??X$()}o(Zp,"oauthProblemResponse");function Kp(e,t){let r=Yt(e.url);if(t instanceof Wr)return Ew(t);if(t instanceof $){let i=Ee("internal_server_error");return Rt({host:r,kind:eq(t.errorCode),title:"Authorization failed",detail:t.errorCode==="server_error"?i.publicDetail:t.message,code:t.errorCode,status:t.status})}if(t instanceof u.ZodError)return Rt({host:r,kind:"invalid_request",detail:sc(t)??"The authorization request was invalid.",code:kw(t)});let n=dt(t);if(n!==void 0){let i=Ee(n);return Rt({host:r,kind:Tw(n),detail:i.status<500&&t instanceof Error?t.message:i.publicDetail,code:i.oauthError??n,status:i.status})}let a=Ee("internal_server_error");return Rt({host:r,kind:"internal_error",detail:a.publicDetail,code:"server_error",status:a.status})}o(Kp,"browserOAuthProblemResponse");function Aw(e,t){let r=Yt(e.url),n=dt(t);if(n!==void 0){let i=Ee(n);return Rt({host:r,kind:Tw(n),detail:i.status<500&&t instanceof Error?t.message:i.publicDetail,code:n,status:i.status})}if(t instanceof u.ZodError)return Rt({host:r,kind:"invalid_request",detail:sc(t)??"The authorization request was invalid.",code:"invalid_request"});let a=Ee("internal_server_error");return Rt({host:r,kind:"internal_error",detail:a.publicDetail,code:"internal_server_error",status:a.status})}o(Aw,"browserGatewayProblemResponse");function eq(e){return e==="server_error"?"internal_error":"invalid_request"}o(eq,"readOAuthBrowserErrorKind");function Tw(e){if(Ee(e).status>=500)return"internal_error";switch(e){case"virtual_server_not_enabled":case"unknown_upstream_server":case"unknown_virtual_server":case"unknown_auth_profile":case"virtual_server_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}o(Tw,"readGatewayBrowserErrorKind");function Xt(e,t,r){let n={event:t},a=!1;if(r instanceof $)n.oauthError=r.errorCode,n.status=r.status,Xe(n,"error",r);else if(r instanceof Wr)n.oauthError=r.errorCode,Xe(n,"error",r);else if(r instanceof u.ZodError){n.code="invalid_request",Xe(n,"error",r);let i=r.issues[0];i&&(n.zodPath=i.path.join("."))}else{let i=dt(r);if(i!==void 0){let s=Ee(i);n.code=i,n.status=s.status,s.oauthError!==void 0&&(n.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",Xe(n,"error",r)}else a=!0,Xe(n,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(n,i.message)}else e.log.warn(n,"OAuth handler rejected the request")}o(Xt,"logUnexpectedOAuthHandlerError");function Ew(e){let t;try{t=new URL(e.redirectUri)}catch{return Ja({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}o(Ew,"downstreamAuthorizeRedirectErrorResponse");function sc(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}o(sc,"formatZodErrorDetail");function tq(e,t){let r={event:"browser_login_callback_failed",code:dt(t)??"invalid_request"};Xe(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}o(tq,"logBrowserLoginCallbackFailure");function Jp(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}o(Jp,"redirectResultResponse");function cc(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":V$,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Jp(e)}o(cc,"authorizeResultResponse");async function Uw(e,t){try{return Response.json(hu(e.url))}catch(r){return Xt(t,"oauth_authorization_server_metadata_failed",r),xw(e,t,r)}}o(Uw,"authorizationServerMetadataHandler");async function Ow(e,t){try{let r=Ue.parse(e.params.virtualServerId),n=Nt(r);return Response.json(of({virtualServerId:n.virtualServerId,requestUrl:e.url}))}catch(r){return Xt(t,"oauth_authorization_server_metadata_failed",r),xw(e,t,r)}}o(Ow,"scopedAuthorizationServerMetadataHandler");async function Mw(e,t){try{let r=await uw(await Z$(e)),n=r,a=typeof n.client_id=="string"?n.client_id:void 0,i=typeof n.client_name=="string"?n.client_name:void 0,s=Array.isArray(n.redirect_uris)?n.redirect_uris.length:void 0,c=typeof n.token_endpoint_auth_method=="string"?n.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:a,clientName:i,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),J(t,{eventType:F.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:i,attributes:{clientId:a,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Xt(t,"oauth_register_failed",r),Zp(r)}}o(Mw,"registerHandler");async function zw(e,t){try{return cc(await Fp(e,{context:t}))}catch(r){return Xt(t,"oauth_authorize_failed",r),Kp(e,r)}}o(zw,"authorizeHandler");async function $w(e,t){try{let r=Ue.parse(e.params.virtualServerId),n=Nt(r);return cc(await Fp(e,{virtualServerId:n.virtualServerId,context:t}))}catch(r){return Xt(t,"oauth_authorize_scoped_failed",r),Kp(e,r)}}o($w,"scopedAuthorizeHandler");async function qw(e,t){try{let r=await gw(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),cc(r)}catch(r){return tq(t,r),Aw(e,r)}}o(qw,"callbackHandler");async function Nw(e,t){try{return Jp(await yw(e))}catch(r){return Xt(t,"oauth_dev_login_failed",r),Kp(e,r)}}o(Nw,"devLoginHandler");async function Dw(e,t){let r=(()=>{try{return new URL(e.url).host}catch{return""}})();try{if(e.method==="GET"){let n=typeof e.query.state=="string"?e.query.state:void 0;return n?Mv(r,n):Tp(r,400)}return e.method!=="POST"?new Response(null,{status:405,headers:{allow:"GET, POST"}}):Jp(await Sw({request:e,body:await ic(e)}))}catch(n){return Xt(t,"oauth_api_key_login_failed",n),Tp(r)}}o(Dw,"apiKeyLoginHandler");async function jw(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await _w({request:e,body:e.method==="POST"?await ic(e):void 0,context:t});return cc(r)}catch(r){return Xt(t,"oauth_setup_failed",r),Aw(e,r)}}o(jw,"setupHandler");async function Hw(e,t){try{return Response.json(await Iw({body:await ic(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Xt(t,"oauth_token_failed",r),Zp(r)}}o(Hw,"tokenHandler");async function Lw(e,t){try{return await Pw({body:await ic(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Xt(t,"oauth_revoke_failed",r),Zp(r)}}o(Lw,"revokeHandler");var rq={connect:"Connect",app_password:"App password",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},Bw=new $t("upstream-request");function nq(e){let t=Bw.get(e);if(!t)throw new K("Upstream request context has not been set");return t}o(nq,"readUpstreamRequestContext");function oq(e,t){return t.some(r=>r===e)}o(oq,"requestContextMatchesKind");function aq(e){return typeof e=="string"?[e]:e}o(aq,"toExpectedKinds");function An(e,t){Bw.set(e,t)}o(An,"setUpstreamRequestContext");function Tn(e,t){let r=nq(e),n=aq(t);if(!oq(r.kind,n)){let a=rq[n[0]];throw new K(`${a} request context has not been set`)}return r}o(Tn,"requireUpstreamRequestContext");function Gw(e){return se`<form class="form" method="post" action="${e.action}" autocomplete="off"><input type="hidden" name="browserTicket" value="${e.browserTicket}" />${e.fields}<p class="form__note">The gateway stores this encrypted and keeps it out of MCP client
-    configuration.</p><button class="button button--primary button--block form__submit" type="submit" >Connect</button></form>`}o(Gw,"renderAppPassword");function Vw(e){return se`<p data-gateway-error-code="${e.code}">${e.body}</p>`}o(Vw,"renderBrowserResult");var iq="text/html; charset=utf-8",sq="none";function cq(e){let t=Sr(e.host);return Mt({title:e.title,iconHref:t,styles:Ot,headerIcon:_r({iconHref:t,fallbackIconHref:yr}),heading:e.title,subhead:"",body:Vw({body:e.body,code:e.code??sq}),footer:""})}o(cq,"browserResultHtml");function uq(e,t=200){return new Response(Wt(e),{status:t,headers:{"content-type":iq,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(uq,"browserResultResponse");function uc(e){return uq(cq(e))}o(uc,"browserConnectionSuccessResponse");function Co(e,t){let r=Fm(t);return Rt({host:e,kind:dq(t),detail:r.body,code:t})}o(Co,"browserConnectionFailureResponse");function dq(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed"}}o(dq,"readCallbackFailureBrowserErrorKind");var lq="text/html; charset=utf-8",pq=16*1024;function mq(e,t=200){return new Response(Wt(e),{status:t,headers:{"content-type":lq,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}o(mq,"htmlResponse");function fq(e,t){return Response.redirect(new URL(t,e).toString(),302)}o(fq,"safeRedirect");function hq(e){if(!e)throw new E({message:"App password capture requires a signed browser ticket.",extensionMembers:{[T]:"oauth_state_invalid"}});return e}o(hq,"requireBrowserTicket");function gq(e,t){return[e.ownerMode!=="user"||e.upstreamServerId!==t.upstreamServerId||t.virtualServerId!==void 0&&e.virtualServerId!==t.virtualServerId].every(n=>!n)}o(gq,"appPasswordTicketMatchesTarget");async function Fw(e){let t=hq(e.browserTicket),r=await Gi(t);if(!gq(r,e))throw new E({message:"App password capture ticket did not match the requested upstream flow.",extensionMembers:{[T]:"oauth_callback_mismatch"}});return{upstreamServerId:e.upstreamServerId,authProfileId:r.authProfileId,virtualServerId:r.virtualServerId,browserTicket:t,ticket:r}}o(Fw,"readAppPasswordTarget");function yq(e,t){let r=ad(e.upstreamServerId,e.authProfileId),n=`/auth/connections/${encodeURIComponent(e.upstreamServerId)}/app-password`,a=Sr(t),i=r.kind==="basic_auth_app_password"?se`<label class="form__label" for="username">${r.usernameLabel}</label><input class="form__input" id="username" name="username" required autocomplete="username"><label class="form__label" for="appPassword">${r.passwordLabel}</label><input class="form__input" id="appPassword" name="appPassword" type="password" required autocomplete="current-password">`:se`<label class="form__label" for="token">${r.label}</label><input class="form__input" id="token" name="token" type="password" required autocomplete="off">`;return mq(Mt({title:"Connect upstream",iconHref:a,styles:Ot,headerIcon:_r({iconHref:a,fallbackIconHref:yr}),heading:"Connect upstream",subhead:se`<p class="card__subtitle">Enter the per-user credential for this approved upstream.</p>`,body:Gw({action:n,browserTicket:e.browserTicket,fields:i}),footer:""}))}o(yq,"renderCaptureForm");function dc(e,t){let r=e.get(t);if(typeof r!="string"||r.length===0)throw new E({message:`Missing form field: ${t}`,extensionMembers:{[T]:"invalid_request"}});return r}o(dc,"readRequiredFormValue");function Sq(e){return{upstreamServerId:e.upstreamServerId,...e.virtualServerId===void 0?{}:{virtualServerId:e.virtualServerId},...e.browserTicket===void 0?{}:{browserTicket:e.browserTicket}}}o(Sq,"readCaptureFormTargetInput");async function _q(e,t){return yq(await Fw(Sq(e)),t)}o(_q,"handleCaptureFormRequest");async function vq(e){let t=await ec(e.request,{maxBytes:pq,label:"App password request body"});return{form:t,target:await Fw({upstreamServerId:e.upstreamServerId,browserTicket:dc(t,"browserTicket")})}}o(vq,"readSubmittedAppPasswordTarget");async function wq(e){let t=Bn(e.target.ticket);if(await Vi(e.target.ticket),ad(e.target.upstreamServerId,e.target.authProfileId).kind==="bearer_token"){await Fi({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,token:dc(e.form,"token")});return}await hg({owner:t,initiatedBySubjectId:e.target.ticket.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,username:dc(e.form,"username"),appPassword:dc(e.form,"appPassword")})}o(wq,"saveSubmittedAppPasswordCredential");function bq(e,t){return t.ticket.returnTo?fq(e,t.ticket.returnTo):uc({host:Yt(e),title:"Connection complete",body:"The upstream credential was saved. Return to your MCP client and retry the request."})}o(bq,"appPasswordSuccessResponse");async function Rq(e){let t=await vq({request:e.request,upstreamServerId:e.appPasswordRequest.upstreamServerId});return await wq(t),bq(e.request.url,t.target)}o(Rq,"handleAppPasswordSubmission");function Cq(){return new Response(null,{status:405,headers:{Allow:"GET, POST"}})}o(Cq,"methodNotAllowedResponse");function Iq(e,t,r,n){let a=n instanceof E?n.extensionMembers?.[T]:void 0;if(!Si(a)){if(a==="invalid_request")return Rt({host:r,kind:"invalid_request",title:"Connection failed",detail:n instanceof Error?n.message:"The upstream credential request was invalid.",code:a});throw n}return Co(r,a)}o(Iq,"appPasswordFailureResponse");async function Pq(e){let t=Yt(e.request.url);switch(e.request.method){case"GET":return _q(e.appPasswordRequest,t);case"POST":return Rq(e);default:return Cq()}}o(Pq,"handleAppPasswordMethod");async function Wp(e,t){let r=Tn(t,"app_password");try{return await Pq({request:e,appPasswordRequest:r})}catch(n){return Iq(e,t,Yt(e.url),n)}}o(Wp,"appPasswordHandler");var xq=["callback_authorization_code","callback_provider_error","callback_invalid"];function kq(e){return"cause"in e?e.cause:void 0}o(kq,"readErrorCause");function Aq(e){return e.stack?.split(`
-`).slice(1,4).map(t=>t.trim()).join(" | ")}o(Aq,"readFirstStackFrame");function Zw(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=Aq(r))}o(Zw,"addErrorAttributes");function Yp(e){if(!(e instanceof E))return;let t=e.extensionMembers?.[T];return ar(t)?t:void 0}o(Yp,"readRuntimeGatewayCode");function Tq(e,t,r){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),J(e,{eventType:F.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),Co(r,"provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Co(r,"oauth_state_invalid");case"callback_authorization_code":return t}}o(Tq,"requireAuthorizationCallbackRequest");function Eq(e,t){J(e,{eventType:F.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}o(Eq,"emitCallbackReceivedAnalyticsEvent");function Uq(e,t){J(e,{eventType:F.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.virtualServerId})}o(Uq,"emitTokenExchangeSucceededAnalyticsEvent");function Oq(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return uc({host:Yt(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}o(Oq,"buildSuccessfulCallbackResponse");function Mq(e){let t={detail:e instanceof Error?e.message:void 0};return Zw(t,"error",e),e instanceof Error&&Zw(t,"cause",kq(e)),t}o(Mq,"buildTokenExchangeFailureAttributes");function zq(e){J(e.context,{eventType:F.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:Yp(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:Mq(e.error)})}o(zq,"emitTokenExchangeFailedAnalyticsEvent");function $q(e,t){let r=Yp(t);return Co(e,Si(r)?r:"upstream_token_exchange_failed")}o($q,"tokenExchangeFailureResponse");async function Xp(e,t){let r=Tn(t,xq),n=Yt(e.url),a=Tq(t,r,n);if(a instanceof Response)return a;Eq(t,a);try{let i=await Gg({request:e,callbackRequest:a});return Uq(t,i),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:i.upstreamServerId,virtualServerId:i.virtualServerId,authProfileId:i.authProfileId,ownerMode:i.ownerMode},"Upstream OAuth token exchange completed; user connection established"),Oq(e,i)}catch(i){let s={event:"upstream_oauth_token_exchange_failed",code:Yp(i)??"upstream_token_exchange_failed",upstreamServerId:a.upstreamServerId};return Xe(s,"error",i),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),zq({context:t,callbackRequest:a,error:i}),$q(n,i)}}o(Xp,"callbackHandler");function qq(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}o(qq,"clientMetadataProblemDetail");async function Kw(e,t){let r=Tn(t,"connect"),n=await Bg({request:e,connectRequest:r});if(J(t,{eventType:F.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:n.virtualServerId,upstreamServerTitle:n.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,virtualServerId:n.virtualServerId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(n.authUrl,302);let a=await Lt({requestUrl:e.url,owner:n.owner,initiatedBySubjectId:n.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:n.authProfileId,upstreamDisplayName:n.upstreamDisplayName,virtualServerId:n.virtualServerId,subject:"virtual server",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}o(Kw,"connectHandler");async function Jw(e,t){let r=Tn(t,"client_metadata");try{let n=Ag(e.url),a=Tg(n,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(n){if(!(n instanceof q))throw n;let a=n instanceof Error?n.message:String(n);return t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:a},"Failed to serve OAuth client metadata document for upstream connection"),Ae.notFound(e,t,{code:"not_found",detail:qq(n)})}}o(Jw,"oauthClientMetadataHandler");function vr(e){if(typeof e=="string"&&e.length!==0)return e}o(vr,"readOptionalQueryString");function Nq(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new K(`Validated path parameter ${t} is missing`);return r}o(Nq,"requirePathString");function Ww(e){let t=vr(e);return t?Ue.parse(t):void 0}o(Ww,"readOptionalVirtualServerId");function Dq(e,t){let r=vr(e);return r?tt.parse(r):Zn(t,"user-oauth")}o(Dq,"readOptionalAuthProfileId");function jq(e){let t=Ww(e);if(!t)throw new E({message:"virtualServerId query parameter is required.",extensionMembers:{[T]:"invalid_request"}});return t}o(jq,"readRequiredVirtualServerId");function Hq(e){let t=vr(e.query.browserTicket);return t===void 0?{}:{browserTicket:t}}o(Hq,"readOptionalBrowserTicket");function Lq(e){let t=ki(vr(e));return t===void 0?{}:{returnTo:t}}o(Lq,"readOptionalReturnTo");function Bq(e){let t=Ww(e.query.virtualServerId);return t===void 0?{}:{virtualServerId:t}}o(Bq,"readOptionalVirtualServerIdContext");function Gq(e){let t=vr(e.query.error_description);return t===void 0?{}:{errorDescription:t}}o(Gq,"readOptionalProviderErrorDescription");function Vq(e){let t=jt(e.authMode);if(t.connectSupport!=="none")return e;throw new E({message:t.connectUnsupportedDetail??"This upstream does not support browser connection flows.",extensionMembers:{[T]:"invalid_request"}})}o(Vq,"requireConnectableRouteAuth");function Fq(e,t,r,n){let a=Xs(e,t);if(a.ownerMode==="none"||a.authMode==="shared-secret")throw new K("Static-secret upstreams do not support browser connection flows.");return{kind:"connect",...a,...n===void 0?{}:{returnTo:n},redirect:r}}o(Fq,"buildConnectContextForPrincipal");function Zq(e,t,r){let n=Bn(t),a=jt(e.authMode);if(n.mode!==a.ownerMode)throw new E({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[T]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:n,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}o(Zq,"buildConnectContextForTicket");async function Kq(e,t){let r=Vq(bv(t,jq(e.query.virtualServerId))),n=e.query.redirect==="true",a=vr(e.query.browserTicket);if(e.user){if(a)throw new E({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[T]:"invalid_request"}});let s=jn(e.user,e.url);return Fq(r,s,n,Lq(e.query.returnTo).returnTo)}if(!a)throw new E({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[T]:"authentication_required"}});let i=await Gi(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.virtualServerId!==r.virtualServerId)throw new E({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[T]:"oauth_callback_mismatch"}});return await Vi(i),Zq(r,i,n)}o(Kq,"resolveConnectContext");async function Jq(e,t,r){let n=et.parse(Nq(e,"connection"));switch(r){case"connect":An(t,await Kq(e,n));return;case"app_password":An(t,{kind:"app_password",upstreamServerId:n,...Bq(e),...Hq(e)});return;case"callback":{let a=vr(e.query.error);if(a){An(t,{kind:"callback_provider_error",upstreamServerId:n,error:a,...Gq(e)});return}let i=vr(e.query.code),s=vr(e.query.state);if(i&&s){An(t,{kind:"callback_authorization_code",upstreamServerId:n,code:i,state:s});return}An(t,{kind:"callback_invalid",upstreamServerId:n});return}case"client_metadata":An(t,{kind:"client_metadata",upstreamServerId:n,authProfileId:Dq(e.query.authProfileId,n)});return}}o(Jq,"resolveUpstreamRequestInbound");async function Wq(e,t,r){try{await Jq(e,t,r);return}catch(n){let a=n instanceof E?n.extensionMembers?.[T]:void 0,i=n instanceof Error?n.message:void 0;switch(a){case"invalid_request":case"oauth_callback_mismatch":return Ae.badRequest(e,t,{code:a,detail:i});case"authentication_required":return Ae.unauthorized(e,t,{code:a,detail:i});default:throw n}}}o(Wq,"applyUpstreamRequestContext");function Wa(e,t){return o(async(n,a)=>{let i=await Wq(n,a,e);return i||t(n,a)},"wrapped")}o(Wa,"withUpstreamRequestContext");var Yq={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function Xq(){return new Response(null,{status:204,headers:Yq})}o(Xq,"buildWellKnownPreflightResponse");function Qq(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}o(Qq,"withWellKnownCorsHeaders");function Qp(e){return async(t,r)=>t.method==="OPTIONS"?Xq():Qq(await e(t,r))}o(Qp,"wrapWellKnownHandler");var eN=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Qp(Uw),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:Qp(Ow),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:virtualServerId",methods:["GET","OPTIONS"],handler:Qp(af),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Mw},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:zw},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:virtualServerId",methods:["GET"],handler:$w},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:qw},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Nw},{routeName:"oauth_api_key_login",path:"/oauth/api-key-login",methods:["GET","POST"],handler:Dw},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:jw},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:Hw},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:Lw},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:Wa("client_metadata",Jw)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:Wa("connect",Kw)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:Wa("callback",Xp)},{routeName:"upstream_app_password",path:"/auth/connections/:connection/app-password",methods:["GET","POST"],handler:Wa("app_password",Wp)}];function Yw(e){return e?.some(Du)??!1}o(Yw,"shouldRegisterMcpGatewayInternalRoutes");function tN(e){let t=Sh(e.policies);if(!t){let r=[...Nu].map(n=>`\`${n}\``).join(", ");throw new q(`MCP gateway: could not find an MCP authorization policy in policies.json. Add one of [${r}] and reference it on your MCP routes.`)}return Th(Zu({routes:e.routes,policies:e.policies})),t.config}o(tN,"initializeMcpGatewayState");function rN(e,t,r){return async(n,a)=>{let i=a;Nn(i,r());let s=n.method==="OPTIONS",c=Date.now();s||i.log.info({event:`${e}_received`,method:n.method},`MCP gateway: ${e} received`);let d=await t(n,a);return s||i.log.info({event:`${e}_responded`,status:d.status,durationMs:Date.now()-c},`MCP gateway: ${e} responded`),d}}o(rN,"wrapInternalHandler");function Xw(e,t){let r,n=o(()=>(r===void 0&&(r=tN(t)),r),"readOAuthConfig");for(let a of eN){let i=rN(a.routeName,a.handler,n),s=o((c,d)=>i(c,d),"handler");e.addPluginRoute({path:a.path,methods:a.methods,handler:s,processors:[Sc],corsPolicy:a.corsPolicy??"none"})}}o(Xw,"registerMcpGatewayInternalRoutes");function Qw(e){Ah(e)}o(Qw,"configureLazyMcpGatewayState");var em=class extends dm{static{o(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!Yw(r.policies))return;let n={routes:r.routes,policies:r.policies};Qw(n),Xw(t.router,n)}};export{zu as McpAuth0OAuthInboundPolicy,em as McpGatewayPlugin,$u as McpOAuthInboundPolicy,kp as McpUpstreamConnectionInboundPolicy,HM as McpVirtualServerHandler,gk as mcpUpstreamHandler};
+    </style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(It,"renderShell");var zo="zuplo.com";function tu(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(tu,"s2FaviconHref");function Fg(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(Fg,"strictFaviconHref");var Fr=tu(zo);function Kr(e){let t=e.toLowerCase();return t===zo||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?tu(zo):Fg(e)}n(Kr,"resolveIconHref");function Wr(e){return L`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(Wr,"renderShellIcon");var Kg="text/html; charset=utf-8";function kt(e){try{return new URL(e).host}catch{return""}}n(kt,"safeHostFromUrl");function Ce(e){let t=Kr(e.host),r=Wg(e.kind??"authorization_failed");return new Response(At(It({title:e.title??r.title,iconHref:t,styles:vt,headerIcon:Wr({iconHref:t,fallbackIconHref:Fr}),heading:e.title??r.title,subhead:"",body:eu({code:e.code??"unknown",detail:e.detail,guidance:L`<p class="card__description">${r.guidance}</p>`,action:Jg(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":Kg,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Ce,"browserErrorPageResponse");function Wg(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. If this keeps happening, contact your gateway administrator with this error code."}}}n(Wg,"readBrowserErrorPagePresentation");function Jg(e){return e===void 0?tt:L`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(Jg,"renderAction");var ru="application/json",Vg="application/x-www-form-urlencoded";function Jr(e,t){return new w({message:e,extensionMembers:{[y]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(Jr,"invalidRequestError");function Yg(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(Yg,"normalizeContentType");function Xg(e,t){return e===t?!0:t===ru&&e.endsWith("+json")}n(Xg,"contentTypeMatches");function Qg(e,t){if(!t||t.length===0)return;let r=Yg(e.headers.get("content-type"));if(!t.some(o=>Xg(r,o)))throw Jr(`Request body must be ${t.join(" or ")}.`)}n(Qg,"assertExpectedContentType");function ey(e,t,r){let o=e.headers.get("content-length");if(!o)return;let a=Number.parseInt(o,10);if(Number.isFinite(a)&&a>t)throw Jr(`${r} exceeded the maximum allowed size.`)}n(ey,"assertContentLengthWithinLimit");async function nu(e,t){let r=t.label??"Request body";Qg(e,t.expectedContentTypes),ey(e,t.maxBytes,r);let o=await Lr(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>Jr(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(nu,"readBoundedTextBody");async function ou(e,t){let r=await nu(e,{...t,expectedContentTypes:[ru]});try{return JSON.parse(r)}catch(o){throw Jr("Request body must be valid JSON.",o)}}n(ou,"readBoundedJsonBody");async function iu(e,t){let r=await nu(e,{...t,expectedContentTypes:[Vg]});return new URLSearchParams(r)}n(iu,"readBoundedFormUrlEncodedBody");z();z();import{errors as lu,jwtVerify as mu,SignJWT as hu}from"jose";z();import{errors as ly,jwtVerify as my,SignJWT as hy}from"jose";function Ne(e){let t=K().browserLogin[e];if(typeof t=="string"&&t.length>0)return t;throw R("internal_server_error",`browserLogin.${e} is required for federated browser login. Set it on the mcp-oauth-inbound policy options.`)}n(Ne,"requireBrowserLoginField");z();import{createRemoteJWKSet as ry,errors as sr,jwtVerify as ny}from"jose";var oy=i.object({id_token:i.string().min(1),token_type:i.string().min(1).optional(),expires_in:i.number().optional(),access_token:i.string().min(1).optional(),refresh_token:i.string().min(1).optional(),scope:i.string().min(1).optional()}),iy=i.object({error:i.string().min(1).optional(),error_description:i.string().min(1).optional(),error_uri:i.string().min(1).optional()});function ay(e){let t=iy.safeParse(e);if(!t.success)return{};let r={};return t.data.error!==void 0&&(r.idpError=t.data.error),t.data.error_description!==void 0&&(r.idpErrorDescription=t.data.error_description.slice(0,256)),t.data.error_uri!==void 0&&(r.idpErrorUri=t.data.error_uri.slice(0,256)),r}n(ay,"readIdpErrorFields");function sy(e){return e instanceof sr.JWTExpired?"expired":e instanceof sr.JWTClaimValidationFailed?"claim":e instanceof sr.JWSSignatureVerificationFailed?"signature":e instanceof sr.JWKSNoMatchingKey?"jwks_no_match":e instanceof sr.JWTInvalid?"invalid":e instanceof i.ZodError?"schema":"other"}n(sy,"readJwtFailureKind");var cy=i.object({sub:q,nonce:i.string().min(1)}).catchall(i.unknown()),Eo;function uy(e){return e instanceof Error&&"cause"in e?e.cause:e}n(uy,"readErrorCause");function dy(e){if(e!==null&&typeof e=="object"&&"extensionMembers"in e)return e.extensionMembers?.gatewayCode}n(dy,"readRuntimeGatewayCode");function py(){if(!Eo){let e=K();Eo=ry(new URL(e.oidc.jwksUrl),{timeoutDuration:e.browserLogin.remoteTimeoutMs})}return Eo}n(py,"readFederatedJwks");async function au(e){let t=K(),r=Ne("tokenUrl"),o=Ne("clientId"),a=Ne("clientSecret"),s=new URL("/oauth/callback",Te(e.requestUrl)).toString(),u=new URLSearchParams({grant_type:"authorization_code",code:e.code,redirect_uri:s,client_id:o,client_secret:a});try{let{response:d,json:p}=await sc(r,{method:"POST",headers:{accept:"application/json","content-type":"application/x-www-form-urlencoded"},body:u},{maxResponseBytes:32768,problemCode:"browser_login_verification_failed",timeoutMs:t.browserLogin.remoteTimeoutMs,...e.context===void 0?{}:{context:e.context}});if(!d.ok){let k=ay(p);throw e.context?.log.warn({event:"federated_token_exchange_failed",code:"provider_access_denied",idpHost:we(r),idpStatus:d.status,...k},"Federated browser login token exchange returned non-2xx from the identity provider"),R({code:"provider_access_denied",privateDetail:"Federated browser login token exchange failed.",cause:new Error(`IdP token exchange failed (status=${d.status}${k.idpError?` idp_error=${k.idpError}`:""}${k.idpErrorDescription?` idp_error_description=${k.idpErrorDescription}`:""})`)})}let h=oy.parse(p),g;try{({payload:g}=await ny(h.id_token,py(),{issuer:t.oidc.issuer,audience:o}))}catch(k){let ne={};throw ie(ne,"error",k),e.context?.log.warn({event:"federated_id_token_verification_failed",code:"browser_login_verification_failed",failureKind:sy(k),idpHost:we(r),expectedIssuer:t.oidc.issuer,...ne},"Federated id_token failed jose verification"),k}if(g.nonce!==e.nonce)throw e.context?.log.warn({event:"federated_nonce_mismatch",code:"oauth_callback_mismatch",idpHost:we(r),nonceMissingFromIdToken:g.nonce===void 0},"Federated id_token nonce did not match the signed gateway state"),R("oauth_callback_mismatch","Federated browser login nonce did not match the signed gateway state.");let D=cy.parse(g);return Fe({sub:D.sub,data:D},e.requestUrl)}catch(d){let p=de(d)??dy(d);throw p!==void 0&&p!=="browser_login_verification_failed"?d:R("browser_login_verification_failed","Federated browser login callback could not be verified.",uy(d))}}n(au,"exchangeFederatedAuthorizationCode");var qo="zuplo_mcp_session",fy=i.object({purpose:i.literal("gateway_browser_session"),sub:q,browserLoginOrigin:i.string().min(1),roles:i.array(i.string().min(1)).optional(),exp:i.number().int().positive(),iat:i.number().int().positive().optional()});function gy(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let a=r.slice(0,o).trim(),s=r.slice(o+1).trim();if(a)try{t.set(a,decodeURIComponent(s))}catch{t.set(a,s)}}return t}n(gy,"parseCookieHeader");async function su(){return be({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>Le(e,"browser-session"),"derive")})}n(su,"getBrowserSessionKey");function Mo(e){let t=new URL(P(e)),r=[`${qo}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(Mo,"buildBrowserSessionEvictionCookie");function yy(e){let t=new URL(P(e.requestUrl)),r=[`${qo}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(yy,"serializeSessionCookie");function cu(){return new URL(Ne("url")).origin}n(cu,"readBrowserLoginOrigin");function Ho(){return K().browserLogin.stateTtlSeconds}n(Ho,"readBrowserLoginStateTtlSeconds");function uu(e){if(!e.user)throw R("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Fe(e.user,e.url)}n(uu,"resolveCurrentRequestPrincipal");async function Vr(e,t={}){let r=gy(e.headers.get("cookie")).get(qo);if(!r)return{};try{let{payload:o}=await my(r,await su(),{algorithms:[me],issuer:ae,audience:le}),a=fy.parse(o);if(a.browserLoginOrigin!==cu())return{evictCookie:Mo(e.url)};let s={subjectId:a.sub};return a.roles&&a.roles.length>0&&(s.roles=a.roles),{principal:s}}catch(o){return o instanceof ly.JWTExpired?{evictCookie:Mo(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Mo(e.url)})}}n(Vr,"readBrowserSession");async function Yr(e){let t=K().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:cu()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new hy(r).setProtectedHeader({alg:me,typ:"JWT"}).setIssuer(ae).setAudience(le).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await su());return yy({value:o,requestUrl:e.requestUrl,ttlSeconds:t})}n(Yr,"createBrowserSessionCookie");async function du(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Vr(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw R("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");return au({code:o,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}n(du,"resolveBrowserLoginCallbackPrincipal");function pu(e){let t=K().browserLogin,r=new URL(Ne("url")),o=new URL("/oauth/callback",Te(e.requestUrl));return xa(r)?(r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",Ne("clientId")),r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}n(pu,"buildBrowserLoginUrl");var wy={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},S=class extends Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=wy[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var Sy=5*60,Ry=i.object({purpose:i.literal("gateway_browser_login"),transactionId:pe,stateId:vr,exp:i.number().int().positive(),iat:i.number().int().positive().optional()}),_y=i.object({purpose:i.literal("gateway_authorization_setup"),transactionId:pe,stateId:vr,exp:i.number().int().positive(),iat:i.number().int().positive().optional()});async function fu(){return be({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>Le(e,"browser-login"),"derive")})}n(fu,"getBrowserLoginKey");async function gu(){return be({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>Le(e,"authorization-csrf"),"derive")})}n(gu,"getCsrfKey");function yu(e){return{now:e.now??new Date,ttlSeconds:Ho()}}n(yu,"readPendingTransactionDependencies");function by(e,t){return e.subjectId===t.subjectId}n(by,"principalsMatch");function wu(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(wu,"toPendingPrincipal");function Su(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:x(e.now),expiresAt:x(Ue(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw R("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:wu(e.principal)}}n(Su,"createTransactionRecord");async function Ru(e){let{id:t,...r}=e.record,o=await A().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw R("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new S("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new S("invalid_request","redirect_uri is not registered for the client.")}}n(Ru,"startPendingTransaction");async function Cy(e){return new hu({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:me,typ:"JWT"}).setIssuer(ae).setAudience(le).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await fu())}n(Cy,"signBrowserLoginState");async function _u(e){return new hu({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:jn()}).setProtectedHeader({alg:me,typ:"JWT"}).setIssuer(ae).setAudience(le).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await gu())}n(_u,"signCsrfToken");async function Do(e){try{let{payload:t}=await mu(e,await fu(),{algorithms:[me],issuer:ae,audience:le}),r=Ry.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof lu.JWTExpired?R("oauth_state_expired","Browser login state has expired.",t):R("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Do,"verifyBrowserLoginStateToken");async function Xr(e){try{let{payload:t}=await mu(e,await gu(),{algorithms:[me],issuer:ae,audience:le});return{transactionId:_y.parse(t).transactionId}}catch(t){throw t instanceof lu.JWTExpired?R("oauth_state_expired","Authorization setup state has expired.",t):R("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(Xr,"verifyCsrfToken");function jo(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(jo,"pendingStateErrorCode");function xy(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}n(xy,"toPendingAuthorizationGetResult");function Ay(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(Ay,"toPendingAuthorizationAdvanceResult");function Lo(e){return e==="principal_mismatch"?"oauth_callback_mismatch":jo(e==="consumed_already"?"consumed_already":e)}n(Lo,"setupDecisionErrorCode");async function bu(e){let t=e.now??new Date,r=await Xr(e.csrfToken),o=await A().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await E(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:x(t)});if(o.kind!=="marked")throw R(Lo(o.kind),"Authorization setup state is invalid, expired, or already used.");return Cu({kind:"available",record:o.transaction})}n(bu,"markSetupApproved");function Cu(e){if(e.kind!=="available")throw R(jo(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw R("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(Cu,"requireAwaitingSetup");function vy(e){if(!by(e.currentBrowserPrincipal,e.transaction.principal))throw R("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(vy,"requireCurrentPrincipalMatches");async function xu(e){let t=e.now??new Date,r=Ho(),o=Dn(),a=jn(),s=await Cy({transactionId:o,stateId:a,ttlSeconds:r}),u=Su({id:o,transaction:e.transaction,currentStateHash:await E(s),phase:"awaiting_login",now:t,ttlSeconds:r});if(u.phase!=="awaiting_login")throw R("oauth_state_invalid","Authorization transaction did not start in login phase.");let d=await Ru({record:u,client:e.transaction.client});if(d.phase!=="awaiting_login")throw R("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:d,browserLoginStateToken:s,browserLoginUrl:pu({state:s,nonce:a,operationId:u.operationId,requestUrl:e.requestUrl})}}n(xu,"startAwaitingLogin");async function Au(e){let{now:t,ttlSeconds:r}=yu(e),o=Dn(),a=await _u({transactionId:o,ttlSeconds:r}),s=Su({id:o,transaction:e.transaction,currentStateHash:await E(a),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(s.phase!=="awaiting_setup")throw R("oauth_state_invalid","Authorization transaction did not start in setup phase.");let u=await Ru({record:s,client:e.transaction.client});if(u.phase!=="awaiting_setup")throw R("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:u,csrfToken:a}}n(Au,"startAwaitingSetup");async function vu(e){let{now:t,ttlSeconds:r}=yu(e),o=await Do(e.browserLoginStateToken),a=await _u({transactionId:o.transactionId,ttlSeconds:r}),s=Ay(await A().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await E(e.browserLoginStateToken),nextStateHash:await E(a),nextPhase:"awaiting_setup",principal:wu(e.principal),now:x(t)}));if(s.kind!=="advanced")throw R(jo(s.kind),"Browser login state is invalid, expired, or already used.");if(s.record.phase!=="awaiting_setup")throw R("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:s.record,csrfToken:a}}n(vu,"completeLogin");async function Iu(e){let t=await Bo(e);return vy({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(Iu,"getSetup");async function Bo(e){let t=e.now??new Date,r=await Xr(e.csrfToken);return Cu(xy(await A().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await E(e.csrfToken),now:x(t)})))}n(Bo,"getSetupTransaction");async function Iy(e){let t=await Xr(e.csrfToken),r=Pe(),o=x(Ue(e.now,Sy)),a=await A().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await E(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await E(r),authorizationCodeExpiresAt:o,grantId:ba(),now:x(e.now)});if(a.kind!=="approved")throw R(a.kind==="cancelled"?"oauth_state_invalid":Lo(a.kind),"Authorization setup state is invalid, expired, or already used.");let s=new URL(a.transaction.redirectUri);return s.searchParams.set("code",r),a.transaction.clientState&&s.searchParams.set("state",a.transaction.clientState),s}n(Iy,"createAuthorizationCodeRedirectWithDecision");async function ky(e){let t=await Xr(e.csrfToken),r=await A().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await E(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:x(e.now)});if(r.kind!=="cancelled")throw R(r.kind==="approved"?"oauth_state_invalid":Lo(r.kind),"Authorization setup state is invalid, expired, or already used.");return Uy({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(ky,"createCancelRedirectWithDecision");function Uy(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(Uy,"buildClientCancelRedirect");async function ku(e){let t=e.now??new Date;return Iy({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(ku,"approve");async function Uu(e){let t=e.now??new Date;return ky({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(Uu,"cancel");z();var Ty=1e4,Py=5*1024,Oy=2,zy=90*24*60*60,No=["authorization_code","refresh_token"],Go=["code"],Ey=i.object({client_name:i.string().min(1).optional(),redirect_uris:i.array(i.string().min(1)).min(1),grant_types:i.array(i.enum(No)).min(1).max(2).optional(),response_types:i.array(i.enum(Go)).min(1).max(1).optional(),scope:i.literal(M).optional(),token_endpoint_auth_method:Sa.default("none")});function My(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&Z(t))&&t.pathname!=="/"}catch{return!1}}n(My,"isCimdClientIdCandidate");function Ut(e,t="invalid_request",r="authorize"){if(qy(e))throw new S(t,"redirect_uris must not include raw whitespace or control characters.");let o;try{o=new URL(e)}catch{throw new S(t,"redirect_uris must be absolute URIs.")}if(o.hash||o.username||o.password)throw new S(t,"redirect_uris must not include credentials or fragments.");let a={source:r},s=ga({url:o,context:a});if(s.kind!=="rejected"){s.mode!=="strict"&&void 0;return}throw new S(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(Ut,"assertValidRedirectUri");function qy(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(qy,"hasForbiddenRawRedirectUriCharacter");async function Hy(e){let{response:t,json:r}=await cc(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Oy,maxResponseBytes:Py,timeoutMs:Ty});if(!t.ok)throw R("invalid_request","CIMD metadata could not be fetched.");let o=_a.parse(r);for(let a of o.redirect_uris)Ut(a,"invalid_request","cimd");if(o.client_id!==e.clientId)throw R("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(Hy,"fetchCimdMetadata");async function Dy(e){let t=jr(e),r=await Hy({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(Dy,"resolveCimdClient");async function Qr(e,t){let r=J.parse(e);if(My(r)){if(!K().gateway.cimdEnabled)throw new S("invalid_client","OAuth client is not registered.");try{return await Dy(r)}catch{throw new S("invalid_client","OAuth client is not registered.")}}let o=await A().readClient({clientId:r});if(o.kind==="found"){let a=o.client,s={kind:"dcr",clientId:r,metadata:{client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:a.tokenEndpointAuthMethod}};return a.hashedClientSecret&&(s.hashedClientSecret=a.hashedClientSecret),s}throw new S("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}n(Qr,"resolveClient");function Tu(e,t){if(!e.metadata.redirect_uris.some(r=>Ca(r,t)))throw R("invalid_request","redirect_uri is not registered for the client.")}n(Tu,"assertRedirectRegistered");function jy(e){let t=Pu(e.grant_types),r=e.response_types??[...Go];if(!Ly(t))throw new S("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!By(r))throw new S("invalid_client_metadata","response_types must be code.");if(!Ny(e.scope))throw new S("invalid_client_metadata",`Only the ${M} scope is supported.`)}n(jy,"assertSupportedDcrRequest");function Pu(e){return e===void 0?[...No]:Array.from(new Set(e))}n(Pu,"normalizeGrantTypes");function Ly(e){return e.length===0?!1:e.every(t=>No.includes(t))}n(Ly,"isSupportedGrantTypes");function By(e){return e.length===Go.length&&e[0]==="code"}n(By,"isSupportedResponseTypes");function Ny(e){return e===void 0||e===M}n(Ny,"isSupportedDcrScope");function cr(e){if(e===void 0||e===M)return M;throw new S("invalid_request",`Only the ${M} scope is supported.`)}n(cr,"assertSupportedOAuthScope");function Tt(e,t){let r;try{r=new URL(t)}catch{throw new S("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new S("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!Z(r))throw new S("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let o=P(e),a=ua(),s=a?[...a.byOperationId.values()].find(u=>new URL(u.routePath,o).toString()===t):void 0;if(!s)throw new S("invalid_target","resource must match a published MCP route.");return s}n(Tt,"resolveResource");async function Ou(e){let t;try{t=Ey.parse(e)}catch(g){if(g instanceof i.ZodError){let D=g.issues.some(k=>k.path[0]==="redirect_uris");throw new S(D?"invalid_redirect_uri":"invalid_client_metadata",g.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:g})}throw g}jy(t);for(let g of t.redirect_uris)Ut(g,"invalid_redirect_uri","dcr");let r=new Date,o=J.parse(`dcr:${crypto.randomUUID()}`),a=Ue(r,zy),s=Math.floor(r.getTime()/1e3),u=Math.floor(a.getTime()/1e3),d={client_id:o,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:Pu(t.grant_types),response_types:["code"],scope:M,token_endpoint_auth_method:t.token_endpoint_auth_method,client_id_issued_at:s},p={clientId:o,clientName:String(d.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:t.token_endpoint_auth_method,createdAt:x(r),clientExpiresAt:x(a)};if(t.token_endpoint_auth_method!=="none"){let g=Pe();p.hashedClientSecret=await E(g),p.clientSecretExpiresAt=x(a),d.client_secret=g,d.client_secret_expires_at=u,d.client_secret_issued_at=s}if((await A().registerClient(p)).kind==="already_exists")throw R("invalid_request","OAuth client is already registered.");return d}n(Ou,"registerDownstreamClient");function zu(e){return L`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(zu,"renderActions");var Tk=ze('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');var Pk=ze('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),Ok=ze('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var zk=ze('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var Gy="data:,",Eu=L`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,Mu=L`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function $y(e,t){if(e)try{let r=new URL(t).origin,o=new URL(e,r);return o.origin!==r||!o.pathname.startsWith("/auth/connections/")?void 0:o.toString()}catch{return}}n($y,"safeGatewayConnectHref");function Zy(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(Zy,"deriveMode");function Fy(e){return zu({state:e.state,submitOnceAttrs:Eu,authorizeAttrs:tt})}n(Fy,"renderActions");function $o(e,t,r){for(let o of e){if(o.ownerMode!=="user"||o.status!==r)continue;let a=$y(o.connectUrl,t);if(a)return a}}n($o,"firstUserConnectHref");function Ky(e){let t=e.connectHref?L`<a class="button button--primary" href="${e.connectHref}" ${Mu}>Connect</a>`:L`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return L`<form class="actions" method="post" action="/oauth/setup" ${Eu}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(Ky,"renderSetupActions");function Wy(e){return e?L`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${Mu}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:tt}n(Wy,"renderReconnectAction");function Zo(e){let t=Zy(e.upstreams),r=$o(e.upstreams,e.gatewayOrigin,"not_connected"),o=$o(e.upstreams,e.gatewayOrigin,"reconsent_required"),a=$o(e.upstreams,e.gatewayOrigin,"active"),s=t==="setup"?r??o:void 0,u=L`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>`,d=t==="setup"?L`<footer class="card__footer">${Ky({state:e.state,connectHref:s})}</footer>`:L`<footer class="card__footer">${Wy(a)}${Fy({state:e.state})}</footer>`;return At(It({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:Gy,styles:vt,headerIcon:tt,heading:"MCP Gateway",subhead:tt,body:u,footer:d}))}n(Zo,"renderConsentPage");function Jy(e){try{return new URL(e).host}catch{return}}n(Jy,"safeUrlHost");function Vy(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}n(Vy,"readOAuthScopes");function qu(e){return e!==void 0&&e.length>0}n(qu,"hasItems");function Yy(e){let t=e.serverInfo?.icons;return qu(t)?t:void 0}n(Yy,"readServerIcons");async function Xy(e){if(!(e.returnTo===void 0||!e.isUserOwned))return xo({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Xy,"readConnectUrl");function rt(e,t){return t===void 0?{}:{[e]:t}}n(rt,"optionalRequirementField");function Qy(e){return e.isUserOwned?Ga(e.connection):{connected:!0,status:"active"}}n(Qy,"readSetupConnectionStatus");function ew(e){let t=Vy(e);return qu(t)?t:void 0}n(ew,"readScopesRequested");function tw(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(tw,"readUpdatedAt");function rw(){return{tools:[],prompts:[],resources:[]}}n(rw,"readRouteCapabilities");async function nw(e){let{authConfig:t,authMode:r,description:o,displayName:a,mcpUrl:s,upstreamServerId:u,authProfileId:d}=e.registeredConnection,p=qr(r),h=p==="user",g=Qy({connection:e.connection,isUserOwned:h}),D=await Xy({...e,connected:g.connected,isUserOwned:h});return{upstreamServerId:u,authProfileId:d,authMode:r,ownerMode:p,upstreamDisplayName:a,status:g.status,connected:g.connected,capabilities:rw(),...rt("description",o),...rt("transportHost",Jy(s)),...rt("scopesRequested",ew(t)),...rt("serverIcons",Yy(e.registeredConnection)),...rt("connectUrl",D),...rt("updatedAt",tw({connectionStatus:g,isUserOwned:h})),...rt("expiresAt",e.connection?.expiresAt)}}n(nw,"buildSetupRequirement");function Hu(e){let t=ye().byOperationId.get(e);if(!t)throw R("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(Hu,"requireRoute");async function Fo(e){let t=Hu(e.transaction.operationId),r=gt(e.transaction.principal.subjectId),o=[],a=new Map,s=t.connection;if(s===void 0)return[];qr(s.authMode)==="user"&&(a.set(s,o.length),o.push({owner:r,upstreamServerId:s.upstreamServerId,authProfileId:s.authProfileId}));let u=await A().batchGetUpstreamConnections(o),d=[],p=qr(s.authMode)==="user",h=a.get(s);return d.push(await nw({connection:p&&h!==void 0?u[h]:void 0,registeredConnection:s,route:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r})),d}n(Fo,"requirementsForSetup");function ow(e){return e.route.connection?.displayName??e.route.operationId}n(ow,"readRouteDisplayName");async function Ko(e){let t=Hu(e.transaction.operationId),r=ow({route:t}),o=await A().readClient({clientId:e.transaction.clientId}),a=o.kind==="found"?o.client:void 0,s={gatewayOrigin:P(e.requestUrl),routeDisplayName:r,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},u=t.connection?.description;return u!==void 0&&(s.routeDescription=u),s}n(Ko,"consentContext");function Wo(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Wo,"hasUnresolvedUserUpstream");var iw=["mcp_user"],aw="dev-browser-user",sw=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/mcp/{operationId} or add resource={protected resource URI from protected-resource metadata}."].join(" "),cw=i.object({response_type:i.literal("code"),client_id:i.string().min(1),redirect_uri:i.string().min(1),resource:i.url(),code_challenge:i.string().min(43),code_challenge_method:xr,state:i.string().min(1).optional(),scope:i.literal(M).default(M)}),uw=i.enum(["continue","approve","cancel"]).default("continue"),dw=i.object({state:i.string().min(1),decision:uw}),Ge=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function Du(e){return typeof e=="string"&&e.length>0?e:void 0}n(Du,"readQueryString");function pw(e){let t=Array.from(ye().byOperationId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return ht(r.operationId,e.url)}n(pw,"inferSingleRouteResource");function lw(e,t){let r=Du(e.query.resource);if(t===void 0){if(r!==void 0)return r;let a=pw(e);if(a!==void 0)return a;throw new S("invalid_target",sw)}let o=ht(t,e.url);if(r===void 0||r===o)return o;throw new S("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(lw,"requireAuthorizeResource");async function mw(e,t){let r={};t!==void 0&&(r.context=t);let o=await Vr(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let a=uu(e);return{principal:a,setCookie:await Yr({principal:a,requestUrl:e.url})}}n(mw,"resolveBrowserPrincipal");async function hw(e,t){let r={};t!==void 0&&(r.context=t);let o=await Vr(e,r);if(!o.principal)throw R("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(hw,"requireSetupPrincipal");function ju(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}n(ju,"buildSetupReturnTo");async function Lu(e){let t=await Fo({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:ju(e.csrfToken)}),r=await Ko({transaction:e.transaction,requestUrl:e.requestUrl}),o={kind:"setup_page",html:Zo({state:e.csrfToken,operationId:e.transaction.operationId,upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(Lu,"renderSetup");function fw(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(fw,"toAuthorizationTransactionClient");async function Jo(e,t={}){let r=cw.parse({...e.query,resource:lw(e,t.operationId),state:Du(e.query.state)}),o=cr(r.scope);Ut(r.redirect_uri,"invalid_request","authorize");let a=new Date,s=J.parse(r.client_id),u=await Qr(r.client_id,a);Tu(u,r.redirect_uri);try{let d=Tt(e.url,r.resource),p=fw(u);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:s,operationId:d.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&I(t.context,{eventType:v.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:d.operationId,attributes:{clientId:s,scope:o,responseType:r.response_type}});let h={clientId:u?.clientId??s,...p===void 0?{}:{client:p},redirectUri:r.redirect_uri,resource:r.resource,operationId:d.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:g,setCookie:D}=await mw(e,t.context);if(!g){let ne=await xu({transaction:h,requestUrl:e.url,now:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:s,operationId:d.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let Se={kind:"redirect",location:ne.browserLoginUrl};return D!==void 0&&(Se.setCookie=D),Se}let k=await Au({transaction:h,principal:g,now:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:s,operationId:d.operationId,subjectId:g.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&I(t.context,{eventType:v.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:d.operationId,attributes:{clientId:s,scope:o,responseType:r.response_type,subjectId:g.subjectId}}),Lu({transaction:k.transaction,csrfToken:k.csrfToken,requestUrl:e.url,setCookie:D})}catch(d){throw gw({redirectUri:r.redirect_uri,clientState:r.state,cause:d})}}n(Jo,"authorizeDownstreamClient");function gw(e){if(e.cause instanceof Ge)return e.cause;let t=yw(e.cause);return t?new Ge({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(gw,"toDownstreamAuthorizeRedirectError");function yw(e){if(e instanceof S)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof i.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(yw,"mapToOAuthRedirectError");async function Bu(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let h=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,g=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...h===void 0?{}:{idpErrorDescription:h},...g===void 0?{}:{idpErrorUri:g}},"Identity provider redirected browser-login callback with an error"),R("provider_access_denied",h??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),R("oauth_state_invalid","Browser login callback is missing state.");let a=await Do(o),s={request:e,stateId:a.stateId};t.context!==void 0&&(s.context=t.context);let u=await du(s),d=await vu({browserLoginStateToken:o,principal:u}),p=await Lu({transaction:d.transaction,csrfToken:d.csrfToken,requestUrl:e.url});return p.setCookie=await Yr({principal:u,requestUrl:e.url}),p}n(Bu,"completeBrowserLoginCallback");async function Nu(e){let t=K(),r=new URL(e.url);if(!Z(r))throw R("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw R("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",P(e.url)),s=new URL(P(e.url)).origin;if(a.origin!==s||a.pathname!=="/oauth/callback")throw R("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",o);let u={subjectId:q.parse(aw),roles:iw};return{kind:"redirect",location:a,setCookie:await Yr({principal:u,requestUrl:e.url})}}n(Nu,"completeLocalDevBrowserLogin");function ww(e){let t=e.method==="POST"?e.body:e.query;return dw.parse(t)}n(ww,"readSetupContinueRequest");async function Gu(e){let{state:t,decision:r}=ww({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,a=await Bo({csrfToken:t,now:o}),s=await hw(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await Uu({csrfToken:t,currentBrowserPrincipal:s,now:o})};let u=await Iu({csrfToken:t,currentBrowserPrincipal:s,now:o}),d=await Fo({transaction:u,requestUrl:e.request.url,returnTo:ju(t)});if(r==="approve"&&Wo(d)&&await bu({csrfToken:t,currentBrowserPrincipal:s,now:o}),Wo(d)){let p=await Ko({transaction:u,requestUrl:e.request.url});return{kind:"setup_page",html:Zo({state:t,operationId:u.operationId,upstreams:d,...p})}}return{kind:"redirect",location:await ku({csrfToken:t,currentBrowserPrincipal:s,now:o})}}n(Gu,"continueDownstreamAuthorizeSetup");z();import{createLocalJWKSet as Sw,decodeJwt as Rw,errors as ur,jwtVerify as _w}from"jose";var bw=new Set(["authorization_code","refresh_token"]),Cw="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",xw=1e4,Aw=32*1024,vw=2,$u=i.object({client_id:i.string().min(1).optional(),client_secret:i.string().min(1).optional(),client_assertion_type:i.string().min(1).optional(),client_assertion:i.string().min(1).optional()}),Iw=i.discriminatedUnion("grant_type",[$u.extend({grant_type:i.literal("authorization_code"),code:i.string().min(1),redirect_uri:i.string().min(1),code_verifier:Ar,resource:i.url().optional(),scope:i.literal(M).optional()}),$u.extend({grant_type:i.literal("refresh_token"),refresh_token:i.string().min(1),resource:i.url().optional(),scope:i.literal(M).optional()})]);function kw(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!bw.has(t)))throw new S("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(kw,"assertSupportedGrantType");var Uw=i.object({token:i.string().min(1),client_id:i.string().min(1).optional(),token_type_hint:i.string().optional(),client_secret:i.string().min(1).optional(),client_assertion_type:i.string().min(1).optional(),client_assertion:i.string().min(1).optional()}),Tw=i.object({keys:i.array(i.record(i.string(),i.unknown())).min(1)}).passthrough();function Zu(){return K().gateway.accessTokenTtlSeconds}n(Zu,"readAccessTokenTtlSeconds");function Pw(){return K().gateway.refreshTokenTtlSeconds}n(Pw,"readRefreshTokenTtlSeconds");function Ow(e,t){let r=Zu(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,o);return{expiresAt:x(Ue(e,a)),expiresIn:a}}n(Ow,"calculateAccessTokenExpiresAt");function Fu(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new S("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new S("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new S("invalid_client","Malformed HTTP Basic client authentication.")}}n(Fu,"readBasicClientSecret");function Ku(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new S("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=Rw(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new S("invalid_client","Malformed private_key_jwt client assertion.")}throw new S("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new S("invalid_client","Client authentication or client_id is required.")}n(Ku,"resolveAuthenticatedClientId");function zw(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new S("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(zw,"resolveClientSecretInput");function Ew(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(Ew,"hasClientAssertion");function Mw(e){if(e.requestUrl===void 0)throw new S("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,e.requestUrl);return t.search="",t.hash="",t.toString()}n(Mw,"buildEndpointAudience");function qw(e){return e instanceof ur.JWTExpired?"expired":e instanceof ur.JWTClaimValidationFailed?"claim":e instanceof ur.JWSSignatureVerificationFailed?"signature":e instanceof ur.JWKSNoMatchingKey?"jwks_no_match":e instanceof ur.JWTInvalid?"invalid":e instanceof i.ZodError?"schema":"other"}n(qw,"readJwtFailureKind");async function Hw(e){let{response:t,json:r}=await uc(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:vw,maxResponseBytes:Aw,timeoutMs:xw});if(!t.ok)throw new S("invalid_client","Client JWKS could not be fetched.");return Tw.parse(r)}n(Hw,"fetchClientJwks");async function Dw(e){if(e.clientAssertionType!==Cw||e.clientAssertion===void 0)throw new S("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=J.parse(e.clientId),r=await Qr(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new S("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new S("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let a=Mw({requestUrl:e.requestUrl,pathname:e.endpointPathname});try{let s=await Hw({jwksUri:o,context:e.context});await _w(e.clientAssertion,Sw(s),{issuer:t,subject:t,audience:a,currentDate:e.now})}catch(s){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:qw(s)},"OAuth private_key_jwt client authentication failed"),new S("invalid_client","Client authentication failed.")}return{method:"private_key_jwt",clientId:t}}n(Dw,"verifyPrivateKeyJwtClientAssertion");async function jw(e){let t=J.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await E(e.clientSecret)}}n(jw,"buildRuntimeHttpClientAuth");async function Wu(e){if(Ew({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new S("invalid_request","Use only one client authentication method per request.");return Dw(e)}let t=zw({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return jw({clientId:e.clientId,...t})}n(Wu,"resolveRuntimeHttpClientAuth");async function Ju(e){kw(e.body);let t=Iw.parse(e.body),r=Fu(e.authorizationHeader),o=Ku({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date,s=await Wu({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,endpointPathname:"/oauth/token",now:a,context:e.context});return Lw({parsed:t,clientId:o,clientAuth:s,now:a,requestUrl:e.requestUrl,context:e.context})}n(Ju,"exchangeDownstreamToken");async function Lw(e){if(e.parsed.grant_type==="authorization_code"){Ut(e.parsed.redirect_uri,"invalid_request","token"),cr(e.parsed.scope),e.parsed.resource!==void 0&&Tt(e.requestUrl??e.parsed.resource,e.parsed.resource);let u=Pe(),d=Pe(),p=x(Ue(e.now,Pw())),h=Ow(e.now,p),g=await A().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await E(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await Ds(e.parsed.code_verifier),currentRefreshTokenHash:await E(u),accessTokenHash:await E(d),grantExpiresAt:p,accessTokenExpiresAt:h.expiresAt,now:x(e.now)});if(g.kind==="invalid_client")throw new S("invalid_client","Client authentication failed.");if(g.kind==="resource_mismatch")throw new S("invalid_target","Token request resource must match the authorization code resource.");if(g.kind!=="exchanged")throw new S("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&I(e.context,{eventType:v.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:d,token_type:"Bearer",expires_in:h.expiresIn,refresh_token:u,scope:g.grant.scope,resource:g.grant.resource}}cr(e.parsed.scope),e.parsed.resource!==void 0&&Tt(e.requestUrl??e.parsed.resource,e.parsed.resource);let t=Pe(),r=Pe(),o=x(Ue(e.now,Zu())),a=await A().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await E(e.parsed.refresh_token),nextRefreshTokenHash:await E(t),accessTokenHash:await E(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:o,now:x(e.now)});if(a.kind==="invalid_client")throw new S("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new S("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new S("invalid_grant","Refresh token is invalid, expired, or revoked.");Tt(e.requestUrl??a.grant.resource,a.grant.resource);let s=a.accessToken.expiresAt;return e.context&&(I(e.context,{eventType:v.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),I(e.context,{eventType:v.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(s).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:a.grant.scope,resource:a.grant.resource}}n(Lw,"exchangeDownstreamTokenWithRuntimeHttp");async function Vu(e){let t=Uw.parse(e.body),r=Fu(e.authorizationHeader),o=Ku({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date;if((await A().revokeOAuthToken({clientAuth:await Wu({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,endpointPathname:"/oauth/revoke",now:a,context:e.context}),tokenHash:await E(t.token),now:x(a)})).kind==="invalid_client")throw new S("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&I(e.context,{eventType:v.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(Vu,"revokeDownstreamToken");var Bw=64*1024,Nw=16*1024,Gw="text/html; charset=utf-8";function $w(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n($w,"formDataToObject");async function Zw(e){return ou(e,{maxBytes:Bw,label:"Request body"})}n(Zw,"readJsonBody");async function Vo(e){return $w(await iu(e,{maxBytes:Nw,label:"Request body"}))}n(Vo,"readFormBody");async function Yu(e,t,r){let o=de(r),a=r instanceof i.ZodError?en(r):void 0,s={code:o??(r instanceof i.ZodError?"invalid_request":"internal_server_error")};return a!==void 0&&(s.detail=a),De(e,t,s)}n(Yu,"handleProblem");function dr(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(dr,"oauthErrorResponse");function Fw(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(Fw,"readOAuthProtocolHeaders");function Kw(e,t){let r=W("internal_server_error");return dr({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:Fw(e,t)})}n(Kw,"oauthProtocolErrorResponse");function Xu(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(Xu,"readZodOAuthErrorCode");function Ww(e){let t={error:Xu(e)},r=en(e);return r!==void 0&&(t.errorDescription=r),dr(t)}n(Ww,"oauthZodErrorResponse");function Jw(e){let t=de(e);if(t===void 0)return;let r=W(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:Yw(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,dr(o)}n(Jw,"oauthGatewayProblemResponse");function Vw(){let t={error:"server_error",status:500,errorDescription:W("internal_server_error").publicDetail};return dr(t)}n(Vw,"oauthFallbackErrorResponse");function Yw(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Yw,"readOAuthStatus");function Yo(e,t={}){return e instanceof Ge?td(e):e instanceof S?Kw(e,t):e instanceof i.ZodError?Ww(e):Jw(e)??Vw()}n(Yo,"oauthProblemResponse");function Xo(e,t){let r=kt(e.url);if(t instanceof Ge)return td(t);if(t instanceof S){let s=W("internal_server_error");return Ce({host:r,kind:Xw(t.errorCode),title:"Authorization failed",detail:t.errorCode==="server_error"?s.publicDetail:t.message,code:t.errorCode,status:t.status})}if(t instanceof i.ZodError)return Ce({host:r,kind:"invalid_request",detail:en(t)??"The authorization request was invalid.",code:Xu(t)});let o=de(t);if(o!==void 0){let s=W(o);return Ce({host:r,kind:ed(o),detail:s.status<500&&t instanceof Error?t.message:s.publicDetail,code:s.oauthError??o,status:s.status})}let a=W("internal_server_error");return Ce({host:r,kind:"internal_error",detail:a.publicDetail,code:"server_error",status:a.status})}n(Xo,"browserOAuthProblemResponse");function Qu(e,t){let r=kt(e.url),o=de(t);if(o!==void 0){let s=W(o);return Ce({host:r,kind:ed(o),detail:s.status<500&&t instanceof Error?t.message:s.publicDetail,code:o,status:s.status})}if(t instanceof i.ZodError)return Ce({host:r,kind:"invalid_request",detail:en(t)??"The authorization request was invalid.",code:"invalid_request"});let a=W("internal_server_error");return Ce({host:r,kind:"internal_error",detail:a.publicDetail,code:"internal_server_error",status:a.status})}n(Qu,"browserGatewayProblemResponse");function Xw(e){return e==="server_error"?"internal_error":"invalid_request"}n(Xw,"readOAuthBrowserErrorKind");function ed(e){if(W(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(ed,"readGatewayBrowserErrorKind");function Ee(e,t,r){let o={event:t},a=!1;if(r instanceof S)o.oauthError=r.errorCode,o.status=r.status,ie(o,"error",r);else if(r instanceof Ge)o.oauthError=r.errorCode,ie(o,"error",r);else if(r instanceof i.ZodError){o.code="invalid_request",ie(o,"error",r);let s=r.issues[0];s&&(o.zodPath=s.path.join("."))}else{let s=de(r);if(s!==void 0){let u=W(s);o.code=s,o.status=u.status,u.oauthError!==void 0&&(o.oauthError=u.oauthError),a=u.status>=500||u.oauthError==="server_error",ie(o,"error",r)}else a=!0,ie(o,"error",r)}if(a){let s=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,s.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(Ee,"logUnexpectedOAuthHandlerError");function td(e){let t;try{t=new URL(e.redirectUri)}catch{return dr({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(td,"downstreamAuthorizeRedirectErrorResponse");function en(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(en,"formatZodErrorDetail");function Qw(e,t){let r={event:"browser_login_callback_failed",code:de(t)??"invalid_request"};ie(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Qw,"logBrowserLoginCallbackFailure");function rd(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(rd,"redirectResultResponse");function tn(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":Gw,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return rd(e)}n(tn,"authorizeResultResponse");async function nd(e,t){try{return Response.json(Bn(e.url))}catch(r){return Ee(t,"oauth_authorization_server_metadata_failed",r),Yu(e,t,r)}}n(nd,"authorizationServerMetadataHandler");async function od(e,t){try{let r=G.parse(e.params.operationId),o=He(r);return Response.json(Aa({operationId:o.operationId,requestUrl:e.url}))}catch(r){return Ee(t,"oauth_authorization_server_metadata_failed",r),Yu(e,t,r)}}n(od,"scopedAuthorizationServerMetadataHandler");async function id(e,t){try{let r=await Ou(await Zw(e)),o=r,a=typeof o.client_id=="string"?o.client_id:void 0,s=typeof o.client_name=="string"?o.client_name:void 0,u=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,d=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:a,clientName:s,redirectUriCount:u,tokenEndpointAuthMethod:d},"OAuth Dynamic Client Registration completed"),I(t,{eventType:v.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:s,attributes:{clientId:a,redirectUriCount:u,tokenEndpointAuthMethod:d}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Ee(t,"oauth_register_failed",r),Yo(r)}}n(id,"registerHandler");async function ad(e,t){try{return tn(await Jo(e,{context:t}))}catch(r){return Ee(t,"oauth_authorize_failed",r),Xo(e,r)}}n(ad,"authorizeHandler");async function sd(e,t){try{let r=G.parse(e.params.operationId),o=He(r);return tn(await Jo(e,{operationId:o.operationId,context:t}))}catch(r){return Ee(t,"oauth_authorize_scoped_failed",r),Xo(e,r)}}n(sd,"scopedAuthorizeHandler");async function cd(e,t){try{let r=await Bu(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),tn(r)}catch(r){return Qw(t,r),Qu(e,r)}}n(cd,"callbackHandler");async function ud(e,t){try{return rd(await Nu(e))}catch(r){return Ee(t,"oauth_dev_login_failed",r),Xo(e,r)}}n(ud,"devLoginHandler");async function dd(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Gu({request:e,body:e.method==="POST"?await Vo(e):void 0,context:t});return tn(r)}catch(r){return Ee(t,"oauth_setup_failed",r),Qu(e,r)}}n(dd,"setupHandler");async function pd(e,t){try{return Response.json(await Ju({body:await Vo(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Ee(t,"oauth_token_failed",r),Yo(r)}}n(pd,"tokenHandler");async function ld(e,t){try{return await Vu({body:await Vo(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Ee(t,"oauth_revoke_failed",r),Yo(r)}}n(ld,"revokeHandler");var eS={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},md=new qe("upstream-request");function tS(e){let t=md.get(e);if(!t)throw new re("Upstream request context has not been set");return t}n(tS,"readUpstreamRequestContext");function rS(e,t){return t.some(r=>r===e)}n(rS,"requestContextMatchesKind");function nS(e){return typeof e=="string"?[e]:e}n(nS,"toExpectedKinds");function Pt(e,t){md.set(e,t)}n(Pt,"setUpstreamRequestContext");function pr(e,t){let r=tS(e),o=nS(t);if(!rS(r.kind,o)){let a=eS[o[0]];throw new re(`${a} request context has not been set`)}return r}n(pr,"requireUpstreamRequestContext");function hd(e){return L`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(hd,"renderBrowserResult");var oS="text/html; charset=utf-8",iS="none";function aS(e){let t=Kr(e.host);return It({title:e.title,iconHref:t,styles:vt,headerIcon:Wr({iconHref:t,fallbackIconHref:Fr}),heading:e.title,subhead:"",body:hd({body:e.body,code:e.code??iS}),footer:""})}n(aS,"browserResultHtml");function sS(e,t=200){return new Response(At(e),{status:t,headers:{"content-type":oS,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(sS,"browserResultResponse");function fd(e){return sS(aS(e))}n(fd,"browserConnectionSuccessResponse");function rn(e,t){let r=ma(t);return Ce({host:e,kind:cS(t),detail:r.body,code:t})}n(rn,"browserConnectionFailureResponse");function cS(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed"}}n(cS,"readCallbackFailureBrowserErrorKind");var uS=["callback_authorization_code","callback_provider_error","callback_invalid"];function dS(e){return"cause"in e?e.cause:void 0}n(dS,"readErrorCause");function pS(e){return e.stack?.split(`
+`).slice(1,4).map(t=>t.trim()).join(" | ")}n(pS,"readFirstStackFrame");function gd(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=pS(r))}n(gd,"addErrorAttributes");function Qo(e){if(!(e instanceof w))return;let t=e.extensionMembers?.[y];return Ie(t)?t:void 0}n(Qo,"readRuntimeGatewayCode");function lS(e,t,r){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),I(e,{eventType:v.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),rn(r,"provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),rn(r,"oauth_state_invalid");case"callback_authorization_code":return t}}n(lS,"requireAuthorizationCallbackRequest");function mS(e,t){I(e,{eventType:v.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(mS,"emitCallbackReceivedAnalyticsEvent");function hS(e,t){I(e,{eventType:v.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(hS,"emitTokenExchangeSucceededAnalyticsEvent");function fS(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return fd({host:kt(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(fS,"buildSuccessfulCallbackResponse");function gS(e){let t={detail:e instanceof Error?e.message:void 0};return gd(t,"error",e),e instanceof Error&&gd(t,"cause",dS(e)),t}n(gS,"buildTokenExchangeFailureAttributes");function yS(e){I(e.context,{eventType:v.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:Qo(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:gS(e.error)})}n(yS,"emitTokenExchangeFailedAnalyticsEvent");function wS(e,t){let r=Qo(t);return rn(e,ki(r)?r:"upstream_token_exchange_failed")}n(wS,"tokenExchangeFailureResponse");async function ei(e,t){let r=pr(t,uS),o=kt(e.url),a=lS(t,r,o);if(a instanceof Response)return a;mS(t,a);try{let s=await Kc({request:e,callbackRequest:a});return hS(t,s),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:s.upstreamServerId,operationId:s.operationId,authProfileId:s.authProfileId,ownerMode:s.ownerMode},"Upstream OAuth token exchange completed; user connection established"),fS(e,s)}catch(s){let u={event:"upstream_oauth_token_exchange_failed",code:Qo(s)??"upstream_token_exchange_failed",upstreamServerId:a.upstreamServerId};return ie(u,"error",s),t.log.warn(u,"Upstream OAuth token exchange failed; user shown connection-failure page"),yS({context:t,callbackRequest:a,error:s}),wS(o,s)}}n(ei,"callbackHandler");function SS(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(SS,"clientMetadataProblemDetail");async function yd(e,t){let r=pr(t,"connect"),o=await Fc({request:e,connectRequest:r});if(I(t,{eventType:v.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let a=await Gr({requestUrl:e.url,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}n(yd,"connectHandler");async function wd(e,t){let r=pr(t,"client_metadata");try{let o=Pc(e.url),a=Oc(o,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(o){if(!(o instanceof _))throw o;let a=o instanceof Error?o.message:String(o);return t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:a},"Failed to serve OAuth client metadata document for upstream connection"),he.notFound(e,t,{code:"not_found",detail:SS(o)})}}n(wd,"oauthClientMetadataHandler");function $e(e){if(typeof e=="string"&&e.length!==0)return e}n($e,"readOptionalQueryString");function RS(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new re(`Validated path parameter ${t} is missing`);return r}n(RS,"requirePathString");function _S(e){let t=$e(e);return t?G.parse(t):void 0}n(_S,"readOptionalOperationId");function bS(e,t){let r=$e(e);return r?ce.parse(r):mt(t,"user-oauth")}n(bS,"readOptionalAuthProfileId");function CS(e){let t=_S(e);if(!t)throw new w({message:"operationId query parameter is required.",extensionMembers:{[y]:"invalid_request"}});return t}n(CS,"readRequiredOperationId");function xS(e){let t=Pr($e(e));return t===void 0?{}:{returnTo:t}}n(xS,"readOptionalReturnTo");function AS(e){let t=$e(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(AS,"readOptionalProviderErrorDescription");function vS(e){let t=Re(e.authMode);if(t.connectSupport!=="none")return e;throw new w({message:t.connectUnsupportedDetail??"This upstream does not support browser connection flows.",extensionMembers:{[y]:"invalid_request"}})}n(vS,"requireConnectableRouteAuth");function IS(e,t,r,o){return{kind:"connect",...Zr(e,t),...o===void 0?{}:{returnTo:o},redirect:r}}n(IS,"buildConnectContextForPrincipal");function kS(e,t,r){let o=zr(t),a=Re(e.authMode);if(o.mode!==a.ownerMode)throw new w({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[y]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(kS,"buildConnectContextForTicket");async function US(e,t){let r=vS(Vc(t,CS(e.query.operationId))),o=e.query.redirect==="true",a=$e(e.query.browserTicket);if(e.user){if(a)throw new w({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[y]:"invalid_request"}});let u=Fe(e.user,e.url);return IS(r,u,o,xS(e.query.returnTo).returnTo)}if(!a)throw new w({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[y]:"authentication_required"}});let s=await Ic(a);if(s.ownerMode!==r.ownerMode||s.upstreamServerId!==r.upstreamServerId||s.authProfileId!==r.authProfileId||s.operationId!==r.operationId)throw new w({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[y]:"oauth_callback_mismatch"}});return await kc(s),kS(r,s,o)}n(US,"resolveConnectContext");async function TS(e,t,r){let o=oe.parse(RS(e,"connection"));switch(r){case"connect":Pt(t,await US(e,o));return;case"callback":{let a=$e(e.query.error);if(a){Pt(t,{kind:"callback_provider_error",upstreamServerId:o,error:a,...AS(e)});return}let s=$e(e.query.code),u=$e(e.query.state);if(s&&u){Pt(t,{kind:"callback_authorization_code",upstreamServerId:o,code:s,state:u});return}Pt(t,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":Pt(t,{kind:"client_metadata",upstreamServerId:o,authProfileId:bS(e.query.authProfileId,o)});return}}n(TS,"resolveUpstreamRequestInbound");async function PS(e,t,r){try{await TS(e,t,r);return}catch(o){let a=o instanceof w?o.extensionMembers?.[y]:void 0,s=o instanceof Error?o.message:void 0;switch(a){case"invalid_request":case"oauth_callback_mismatch":return he.badRequest(e,t,{code:a,detail:s});case"authentication_required":return he.unauthorized(e,t,{code:a,detail:s});default:throw o}}}n(PS,"applyUpstreamRequestContext");function nn(e,t){return n(async(o,a)=>{let s=await PS(o,a,e);return s||t(o,a)},"wrapped")}n(nn,"withUpstreamRequestContext");var OS={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function zS(){return new Response(null,{status:204,headers:OS})}n(zS,"buildWellKnownPreflightResponse");function ES(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(ES,"withWellKnownCorsHeaders");function ti(e){return async(t,r)=>t.method==="OPTIONS"?zS():ES(await e(t,r))}n(ti,"wrapWellKnownHandler");var _d=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:ti(nd),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/mcp/:operationId",methods:["GET","OPTIONS"],handler:ti(od),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/mcp/:operationId",methods:["GET","OPTIONS"],handler:ti(Ia),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:id},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:ad},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/mcp/:operationId",methods:["GET"],handler:sd},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:cd},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:ud},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:dd},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:pd},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:ld},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:nn("client_metadata",wd)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:nn("connect",yd)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:nn("callback",ei)}],MS=_d.filter(e=>!e.routeName.startsWith("upstream_")),qS=_d.filter(e=>e.routeName.startsWith("upstream_"));function bd(e){return e?.some(fn)??!1}n(bd,"hasMcpOAuthRuntimeConfigPolicy");function Cd(e){return e?.some(t=>_r(t.policyType))??!1}n(Cd,"hasMcpTokenExchangePolicy");function xd(e){return bd(e)||Cd(e)}n(xd,"shouldRegisterMcpGatewayInternalRoutes");function HS(e){sa(Pn({routes:e.routes,policies:e.policies}))}n(HS,"initializeMcpGatewayConnectionRegistry");function DS(e){let t=vi(e.policies);if(!t){let r=[...hn].map(o=>`\`${o}\``).join(", ");throw new _(`MCP gateway: could not find an MCP authorization policy in policies.json. Add one of [${r}] and reference it on your MCP routes.`)}return t.config}n(DS,"initializeMcpGatewayOAuthRuntimeConfig");function Sd(e,t,r){return async(o,a)=>{r&&st(a,r());let s=o.method==="OPTIONS",u=Date.now();s||a.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let d=await t(o,a);return s||a.log.info({event:`${e}_responded`,status:d.status,durationMs:Date.now()-u},`MCP gateway: ${e} responded`),d}}n(Sd,"wrapInternalHandler");function Rd(e,t,r){e.addPluginRoute({path:t.path,methods:t.methods,handler:r,processors:[on],corsPolicy:t.corsPolicy??"none"})}n(Rd,"addInternalRoute");function Ad(e,t){HS(t);let r=bd(t.policies),o=Cd(t.policies),a,s=n(()=>(a===void 0&&(a=DS(t)),a),"readOAuthConfig");if(r)for(let u of MS)Rd(e,u,Sd(u.routeName,u.handler,s));if(o)for(let u of qS)Rd(e,u,Sd(u.routeName,u.handler))}n(Ad,"registerMcpGatewayInternalRoutes");function vd(e){aa(e)}n(vd,"configureLazyMcpGatewayState");var ri=class extends ai{static{n(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!xd(r.policies))return;let o={routes:r.routes,policies:r.policies};vd(o),Ad(t.router,o)}};var jS={Allow:"POST"};async function LS(e,t){return e.method==="GET"?he.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},jS):gi(e,t)}n(LS,"McpProxyHandler");export{so as McpAuth0OAuthInboundPolicy,ri as McpGatewayPlugin,ln as McpOAuthInboundPolicy,LS as McpProxyHandler,Oo as McpTokenExchangeInboundPolicy};
 //# sourceMappingURL=index.js.map