@zuplo/runtime 6.70.40 → 6.70.42
- package/out/esm/browser-login-idp-HQB254PW.js +26 -0
- package/out/esm/browser-login-idp-HQB254PW.js.map +1 -0
- package/out/esm/{chunk-2GVPMQ7M.js → chunk-A6TMPOZH.js} +52 -52
- package/out/esm/chunk-A6TMPOZH.js.map +1 -0
- package/out/esm/chunk-B6R5XTUK.js +30 -0
- package/out/esm/chunk-B6R5XTUK.js.map +1 -0
- package/out/esm/index.js +1 -1
- package/out/esm/mcp-gateway/index.js +23 -3
- package/out/esm/mcp-gateway/index.js.map +1 -1
- package/out/types/mcp-gateway/index.d.ts +164 -12
- package/package.json +1 -1
- package/out/esm/browser-login-idp-HWMCSYMR.js +0 -26
- package/out/esm/browser-login-idp-HWMCSYMR.js.map +0 -1
- package/out/esm/chunk-2GVPMQ7M.js.map +0 -1
- package/out/esm/chunk-FYGTTP3G.js +0 -30
- package/out/esm/chunk-FYGTTP3G.js.map +0 -1
- /package/out/esm/{chunk-2GVPMQ7M.js.LEGAL.txt → chunk-A6TMPOZH.js.LEGAL.txt} +0 -0
|
@@ -22,8 +22,28 @@
|
|
|
22
22
|
* DEALINGS IN THE SOFTWARE.
|
|
23
23
|
*--------------------------------------------------------------------------------------------*/
|
|
24
24
|
|
|
25
|
-
import{$ as xn,A as pn,Aa as A,B as mn,Ba as W,C as fn,Ca as C,D as hn,Da as jn,E as gn,Ea as Ha,F as j,Fa as Nn,G as yn,Ga as Gn,H as _,Ha as $n,I as F,Ia as Zn,J as I,K as wn,Ka as Fn,L as K,La as Kn,Ma as lt,N as _n,O as ce,P as g,Q as Rn,R as bn,S as Cn,T as at,U as ee,V as Mt,W as zt,X as Sn,Y as vn,Z as Dt,_ as Ht,a as Vr,aa as P,b as se,ba as In,c as Yr,ca as An,d as D,da as Un,e as Xr,ea as kn,f as Da,fa as Bt,g as Qr,ga as Pn,h as en,ha as Lt,i as tn,ia as jt,j as w,ja as st,k as rn,ka as ct,l as nn,la as Tn,m as H,ma as On,n as on,na as dt,o as an,oa as En,p as rt,pa as Nt,q as sn,qa as qn,r as qt,ra as Te,s as nt,sa as ut,t as ot,ta as Mn,u as Pe,ua as zn,v as cn,va as Dn,w as dn,wa as Hn,x as un,xa as Bn,y as it,ya as Ln,z as ln,za as R}from"../chunk-FYGTTP3G.js";import{B as Nr,J as Gr,L as u,M as $r,N as Et,O as Z,Q as Zr,S as f,T as Q,U as tt,_ as Fr,a as Qe,ca as Kr,da as Wr,ea as d,fa as z,j as ae,k as Br,m as Lr,ma as Jr,q as jr,s as et}from"../chunk-2GVPMQ7M.js";import"../chunk-JRXZBVXH.js";import{a as x}from"../chunk-4SACVMDH.js";import{$ as E,a as n,aa as y,ba as k,ca as Hr,da as Xe}from"../chunk-ZIKV2LUM.js";z();function Ba(e){let t=ot.safeParse(e);return t.success?t.data.id:void 0}n(Ba,"parseJsonRpcRequestId");function Wn(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Ba(t)}catch{return}}n(Wn,"readJsonRpcRequestIdFromBody");function pt(e){return cn.parse({jsonrpc:nt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(pt,"jsonRpcErrorResponse");function Jn(e){return new un([dn.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(Jn,"urlElicitationRequiredError");var 
mt=d.array(d.string()),La=d.object({tools:mt.optional(),prompts:mt.optional(),resources:mt.optional(),resourceTemplates:mt.optional()}).strict(),$t=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function ja(e,t){return Xr(La,e,`MCP capability filter policy "${t}"`)}n(ja,"parseMcpCapabilityFilterOptions");function B(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(B,"isRecord");function Na(e,t){if(!B(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Na,"readParamString");function Zt(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(Zt,"readRequestId");function Xn(e){return e===void 0?void 0:JSON.stringify(e)}n(Xn,"requestIdKey");function Ga(e){let t={};for(let r of $t){let o=e[r.option];o!==void 0&&(t[r.option]=new Set(o))}return t}n(Ga,"buildAllowSets");function Ft(e){return $t.find(t=>t.listMethod===e)}n(Ft,"findListRule");function $a(e){return e.requests.some(t=>{if(!B(t))return!1;let r=Ft(t.method);return r!==void 0&&e.allowSets[r.option]!==void 0})}n($a,"shouldFilterListResponses");function Za(e){for(let t of $t){let r=e.allowSets[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let i=Na(e.request.params,o.paramProperty);if(i!==void 0&&!r.has(i))return{id:Zt(e.request)}}}}n(Za,"findDisallowedDirectAccess");function Fa(e){return Response.json(pt({id:e,error:{code:Pe.MethodNotFound,message:"Method not 
found"}}))}n(Fa,"methodNotFoundResponse");function Vn(e,t,r){if(!B(e))return e;let o=e.result;if(!B(o))return e;let i=o[t.resultProperty];return!Array.isArray(i)||!i.every(a=>B(a)&&typeof a[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:i.filter(a=>{if(!B(a))return!1;let s=a[t.itemProperty];return typeof s=="string"&&r.has(s)})}}}n(Vn,"filterItems");function Ka(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!B(r))continue;let o=Ft(r.method),i=Zt(r),a=Xn(i);o!==void 0&&a!==void 0&&t.set(a,o)}return t}n(Ka,"buildListRulesByResponseId");function Wa(e){if(Array.isArray(e.responseBody)){let o=Ka(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(i=>{if(!B(i)||"error"in i)return i;let a=Xn(Zt(i)),s=a===void 0?void 0:o.get(a),c=s===void 0?void 0:e.allowSets[s.option];return s===void 0||c===void 0?i:Vn(i,s,c)})}if(!B(e.requestBody)||!B(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=Ft(e.requestBody.method),r=t===void 0?void 0:e.allowSets[t.option];return t===void 0||r===void 0?e.responseBody:Vn(e.responseBody,t,r)}n(Wa,"filterJsonRpcResponse");async function Yn(e){return e.clone().json()}n(Yn,"readJson");function Ja(e){return e.headers.get("content-type")?.includes("json")??!1}n(Ja,"isJsonResponse");var Gt=class extends et{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=ja(t,r);super(o,r),this.#e=Ga(o)}async handler(t,r){Qe("policy.inbound.mcp-capability-filter");let o;try{o=await Yn(t)}catch{return t}let i=Array.isArray(o)?o:[o];for(let a of i){if(!B(a))continue;let s=Za({request:a,allowSets:this.#e});if(s!==void 0)return Fa(s.id)}return $a({requests:i,allowSets:this.#e})&&r.addResponseSendingHook(async a=>{if(!Ja(a))return a;let s;try{s=await Yn(a)}catch{return a}let c=Wa({requestBody:o,responseBody:s,allowSets:this.#e});if(c===s)return a;let l=new Headers(a.headers);return l.delete("content-length"),new 
Response(JSON.stringify(c),{status:a.status,statusText:a.statusText,headers:l})}),t}};function te(e){let t=j().connectionsById.get(e);if(!t)throw new k(`Unknown upstream server "${e}". Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(te,"getUpstreamServerConfig");function Va(e){let t=j().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new k(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(Va,"resolveUpstreamAuthProfileId");function Kt(e){Va(e);let t=j().connectionsById.get(e.upstreamServerId);if(!t)throw new k(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(Kt,"getUpstreamAuthConfig");function de(e,t){let r=Kt({upstreamServerId:e,authProfileId:t});if(!pn(r))throw new k(`Upstream server "${e}" does not use upstream OAuth. 
Select an auth mode that supports the requested upstream connect flow or remove the upstream OAuth route for this server.`);return r.oauth}n(de,"requireUpstreamOAuthConfig");var Ya={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"}};function N(e){return Ya[e]}n(N,"describeUpstreamAuthMode");function ft(e){return N(e).ownerMode}n(ft,"resolveOwnerModeForUpstreamAuthMode");var Wt;Wt=globalThis.crypto;async function Xa(e){return(await Wt).getRandomValues(new Uint8Array(e))}n(Xa,"getRandomValues");async function Qa(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let i=await Xa(e-o.length);for(let a of i)a<r&&(o+=t[a%t.length])}return o}n(Qa,"random");async function es(e){return await Qa(e)}n(es,"generateVerifier");async function ts(e){let t=await(await Wt).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(ts,"generateChallenge");async function Jt(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. 
Received ${e}.`;let t=await es(e),r=await ts(t);return{code_verifier:t,code_challenge:r}}n(Jt,"pkceChallenge");z();var U=$r().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:Kr.custom,message:"URL must be parseable",fatal:!0}),Gr}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),ht=tt({resource:u().url(),authorization_servers:f(U).optional(),jwks_uri:u().url().optional(),scopes_supported:f(u()).optional(),bearer_methods_supported:f(u()).optional(),resource_signing_alg_values_supported:f(u()).optional(),resource_name:u().optional(),resource_documentation:u().optional(),resource_policy_uri:u().url().optional(),resource_tos_uri:u().url().optional(),tls_client_certificate_bound_access_tokens:Z().optional(),authorization_details_types_supported:f(u()).optional(),dpop_signing_alg_values_supported:f(u()).optional(),dpop_bound_access_tokens_required:Z().optional()}),Oe=tt({issuer:u(),authorization_endpoint:U,token_endpoint:U,registration_endpoint:U.optional(),scopes_supported:f(u()).optional(),response_types_supported:f(u()),response_modes_supported:f(u()).optional(),grant_types_supported:f(u()).optional(),token_endpoint_auth_methods_supported:f(u()).optional(),token_endpoint_auth_signing_alg_values_supported:f(u()).optional(),service_documentation:U.optional(),revocation_endpoint:U.optional(),revocation_endpoint_auth_methods_supported:f(u()).optional(),revocation_endpoint_auth_signing_alg_values_supported:f(u()).optional(),introspection_endpoint:u().optional(),introspection_endpoint_auth_methods_supported:f(u()).optional(),introspection_endpoint_auth_signing_alg_values_supported:f(u()).optional(),code_challenge_methods_supported:f(u()).optional(),client_id_metadata_document_supported:Z().optional()}),rs=tt({issuer:u(),authorization_endpoint:U,token_endpoint:U,userinfo_endpoint:U.optional(),jwks_uri:U,registration_endpoint:U.opti
onal(),scopes_supported:f(u()).optional(),response_types_supported:f(u()),response_modes_supported:f(u()).optional(),grant_types_supported:f(u()).optional(),acr_values_supported:f(u()).optional(),subject_types_supported:f(u()),id_token_signing_alg_values_supported:f(u()),id_token_encryption_alg_values_supported:f(u()).optional(),id_token_encryption_enc_values_supported:f(u()).optional(),userinfo_signing_alg_values_supported:f(u()).optional(),userinfo_encryption_alg_values_supported:f(u()).optional(),userinfo_encryption_enc_values_supported:f(u()).optional(),request_object_signing_alg_values_supported:f(u()).optional(),request_object_encryption_alg_values_supported:f(u()).optional(),request_object_encryption_enc_values_supported:f(u()).optional(),token_endpoint_auth_methods_supported:f(u()).optional(),token_endpoint_auth_signing_alg_values_supported:f(u()).optional(),display_values_supported:f(u()).optional(),claim_types_supported:f(u()).optional(),claims_supported:f(u()).optional(),service_documentation:u().optional(),claims_locales_supported:f(u()).optional(),ui_locales_supported:f(u()).optional(),claims_parameter_supported:Z().optional(),request_parameter_supported:Z().optional(),request_uri_parameter_supported:Z().optional(),require_request_uri_registration:Z().optional(),op_policy_uri:U.optional(),op_tos_uri:U.optional(),client_id_metadata_document_supported:Z().optional()}),gt=Q({...rs.shape,...Oe.pick({code_challenge_methods_supported:!0}).shape}),ye=Q({access_token:u(),id_token:u().optional(),token_type:u(),expires_in:Wr.number().optional(),scope:u().optional(),refresh_token:u().optional()}).strip(),eo=Q({error:u(),error_description:u().optional(),error_uri:u().optional()}),Qn=U.optional().or(Fr("").transform(()=>{})),ns=Q({redirect_uris:f(U),token_endpoint_auth_method:u().optional(),grant_types:f(u()).optional(),response_types:f(u()).optional(),client_name:u().optional(),client_uri:U.optional(),logo_uri:Qn,scope:u().optional(),contacts:f(u()).optional(),tos_
uri:Qn,policy_uri:u().optional(),jwks_uri:U.optional(),jwks:Zr().optional(),software_id:u().optional(),software_version:u().optional(),software_statement:u().optional()}).strip(),Vt=Q({client_id:u(),client_secret:u().optional(),client_id_issued_at:Et().optional(),client_secret_expires_at:Et().optional()}).strip(),Ee=ns.merge(Vt),Zl=Q({error:u(),error_description:u().optional()}).strip(),Fl=Q({token:u(),token_type_hint:u().optional()}).strip();function to(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(to,"resourceUrlFromServerUrl");function ro({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let i=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",a=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return i.startsWith(a)}n(ro,"checkResourceAllowed");var S=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},qe=class extends S{static{n(this,"InvalidRequestError")}};qe.errorCode="invalid_request";var ue=class extends S{static{n(this,"InvalidClientError")}};ue.errorCode="invalid_client";var le=class extends S{static{n(this,"InvalidGrantError")}};le.errorCode="invalid_grant";var pe=class extends S{static{n(this,"UnauthorizedClientError")}};pe.errorCode="unauthorized_client";var Me=class extends S{static{n(this,"UnsupportedGrantTypeError")}};Me.errorCode="unsupported_grant_type";var ze=class extends S{static{n(this,"InvalidScopeError")}};ze.errorCode="invalid_scope";var De=class extends S{static{n(this,"AccessDeniedError")}};De.errorCode="access_denied";var J=class extends 
S{static{n(this,"ServerError")}};J.errorCode="server_error";var He=class extends S{static{n(this,"TemporarilyUnavailableError")}};He.errorCode="temporarily_unavailable";var Be=class extends S{static{n(this,"UnsupportedResponseTypeError")}};Be.errorCode="unsupported_response_type";var Le=class extends S{static{n(this,"UnsupportedTokenTypeError")}};Le.errorCode="unsupported_token_type";var je=class extends S{static{n(this,"InvalidTokenError")}};je.errorCode="invalid_token";var Ne=class extends S{static{n(this,"MethodNotAllowedError")}};Ne.errorCode="method_not_allowed";var Ge=class extends S{static{n(this,"TooManyRequestsError")}};Ge.errorCode="too_many_requests";var me=class extends S{static{n(this,"InvalidClientMetadataError")}};me.errorCode="invalid_client_metadata";var $e=class extends S{static{n(this,"InsufficientScopeError")}};$e.errorCode="insufficient_scope";var Ze=class extends S{static{n(this,"InvalidTargetError")}};Ze.errorCode="invalid_target";var no={[qe.errorCode]:qe,[ue.errorCode]:ue,[le.errorCode]:le,[pe.errorCode]:pe,[Me.errorCode]:Me,[ze.errorCode]:ze,[De.errorCode]:De,[J.errorCode]:J,[He.errorCode]:He,[Be.errorCode]:Be,[Le.errorCode]:Le,[je.errorCode]:je,[Ne.errorCode]:Ne,[Ge.errorCode]:Ge,[me.errorCode]:me,[$e.errorCode]:$e,[Ze.errorCode]:Ze};function os(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(os,"isClientAuthMethod");var Yt="code",Xt="S256";function is(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&os(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(is,"selectClientAuthMethod");function 
as(e,t,r,o){let{client_id:i,client_secret:a}=t;switch(e){case"client_secret_basic":ss(i,a,r);return;case"client_secret_post":cs(i,a,o);return;case"none":ds(i,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(as,"applyClientAuthentication");function ss(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(ss,"applyBasicAuth");function cs(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(cs,"applyPostAuth");function ds(e,t){t.set("client_id",e)}n(ds,"applyPublicAuth");async function io(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=eo.parse(JSON.parse(r)),{error:i,error_description:a,error_uri:s}=o,c=no[i]||J;return new c(a||"",s)}catch(o){let i=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. Raw body: ${r}`;return new J(i)}}n(io,"parseErrorResponse");async function er(e,t){try{return await Qt(e,t)}catch(r){if(r instanceof ue||r instanceof pe)return await e.invalidateCredentials?.("all"),await Qt(e,t);if(r instanceof le)return await e.invalidateCredentials?.("tokens"),await Qt(e,t);throw r}}n(er,"auth");async function Qt(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:i,fetchFn:a}){let s=await e.discoveryState?.(),c,l,h,m=i;if(!m&&s?.resourceMetadataUrl&&(m=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(l=s.authorizationServerUrl,c=s.resourceMetadata,h=s.authorizationServerMetadata??await so(l,{fetchFn:a}),!c)try{c=await ao(t,{resourceMetadataUrl:m},a)}catch{}(h!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:m?.toString(),resourceMetadata:c,authorizationServerMetadata:h})}else{let O=await hs(t,{resourceMetadataUrl:m,fetchFn:a});l=O.authorizationServerUrl,h=O.authorizationServerMetadata,c=O.resourceMetadata,await 
e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:m?.toString(),resourceMetadata:c,authorizationServerMetadata:h})}let v=await us(t,e,c),L=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,X=await Promise.resolve(e.clientInformation());if(!X){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let O=h?.client_id_metadata_document_supported===!0,ke=e.clientMetadataUrl;if(ke&&!tr(ke))throw new me(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${ke}`);if(O&&ke)X={client_id:ke},await e.saveClientInformation?.(X);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let Dr=await Rs(l,{metadata:h,clientMetadata:e.clientMetadata,scope:L,fetchFn:a});await e.saveClientInformation(Dr),X=Dr}}let Ye=!e.redirectUrl;if(r!==void 0||Ye){let O=await _s(e,l,{metadata:h,resource:v,authorizationCode:r,fetchFn:a});return await e.saveTokens(O),"AUTHORIZED"}let zr=await e.tokens();if(zr?.refresh_token)try{let O=await ws(l,{metadata:h,clientInformation:X,refreshToken:zr.refresh_token,resource:v,addClientAuthentication:e.addClientAuthentication,fetchFn:a});return await e.saveTokens(O),"AUTHORIZED"}catch(O){if(!(!(O instanceof S)||O instanceof J))throw O}let qa=e.state?await e.state():void 0,{authorizationUrl:Ma,codeVerifier:za}=await gs(l,{metadata:h,clientInformation:X,state:qa,redirectUrl:e.redirectUrl,scope:L,resource:v});return await e.saveCodeVerifier(za),await e.redirectToAuthorization(Ma),"REDIRECT"}n(Qt,"authInternal");function tr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(tr,"isHttpsUrl");async function us(e,t,r){let o=to(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!ro({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match 
expected ${o} (or origin)`);return new URL(r.resource)}}n(us,"selectResourceURL");async function ao(e,t,r=fetch){let o=await ms(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return ht.parse(await o.json())}n(ao,"discoverOAuthProtectedResourceMetadata");async function rr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?rr(e,void 0,r):void 0;throw o}}n(rr,"fetchWithCorsRetry");function ls(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(ls,"buildWellKnownPath");async function oo(e,t,r=fetch){return await rr(e,{"MCP-Protocol-Version":t},r)}n(oo,"tryMetadataDiscovery");function ps(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(ps,"shouldAttemptFallback");async function ms(e,t,r,o){let i=new URL(e),a=o?.protocolVersion??qt,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let l=ls(t,i.pathname);s=new URL(l,o?.metadataServerUrl??i),s.search=i.search}let c=await oo(s,a,r);if(!o?.metadataUrl&&ps(c,i.pathname)){let l=new URL(`/.well-known/${t}`,i);c=await oo(l,a,r)}return c}n(ms,"discoverMetadataWithFallback");function fs(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let i=t.pathname;return i.endsWith("/")&&(i=i.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${i}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${i}`,t.origin),type:"oidc"}),o.push({url:new 
URL(`${i}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(fs,"buildDiscoveryUrls");async function so(e,{fetchFn:t=fetch,protocolVersion:r=qt}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},i=fs(e);for(let{url:a,type:s}of i){let c=await rr(a,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${a}`)}return s==="oauth"?Oe.parse(await c.json()):gt.parse(await c.json())}}}n(so,"discoverAuthorizationServerMetadata");async function hs(e,t){let r,o;try{r=await ao(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let i=await so(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:i,resourceMetadata:r}}n(hs,"discoverOAuthServerInfo");async function gs(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:i,state:a,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(Yt))throw new Error(`Incompatible auth server: does not support response type ${Yt}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(Xt))throw new Error(`Incompatible auth server: does not support code challenge method ${Xt}`)}else c=new URL("/authorize",e);let l=await Jt(),h=l.code_verifier,m=l.code_challenge;return c.searchParams.set("response_type",Yt),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",m),c.searchParams.set("code_challenge_method",Xt),c.searchParams.set("redirect_uri",String(o)),a&&c.searchParams.set("state",a),i&&c.searchParams.set("scope",i),i?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:h}}n(gs,"startAuthorization");function ys(e,t,r){return new 
URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(ys,"prepareAuthorizationCodeRequest");async function co(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:i,resource:a,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),l=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(a&&r.set("resource",a.href),i)await i(l,r,c,t);else if(o){let m=t?.token_endpoint_auth_methods_supported??[],v=is(o,m);as(v,o,l,r)}let h=await(s??fetch)(c,{method:"POST",headers:l,body:r});if(!h.ok)throw await io(h);return ye.parse(await h.json())}n(co,"executeTokenRequest");async function ws(e,{metadata:t,clientInformation:r,refreshToken:o,resource:i,addClientAuthentication:a,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),l=await co(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:a,resource:i,fetchFn:s});return{refresh_token:o,...l}}n(ws,"refreshAuthorization");async function _s(e,t,{metadata:r,resource:o,authorizationCode:i,fetchFn:a}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!i)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let h=await e.codeVerifier();c=ys(i,h,e.redirectUrl)}let l=await e.clientInformation();return co(t,{metadata:r,tokenRequestParams:c,clientInformation:l??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:a})}n(_s,"fetchToken");async function Rs(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:i}){let a;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");a=new URL(t.registration_endpoint)}else a=new URL("/register",e);let 
s=await(i??fetch)(a,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await io(s);return Ee.parse(await s.json())}n(Rs,"registerClient");z();import{errors as yo,jwtVerify as wo,SignJWT as _o}from"jose";var T="zuplo-mcp-gateway",q=T,M="HS256";import{base64url as bs}from"jose";var Cs=new TextEncoder,Ss="MCP gateway could not initialize secure key material.",vs=32,uo=new Map,lo=new Map,xs;function Is(){return xs??Hr.instance.authPrivateKey}n(Is,"readAuthPrivateKey");function po(e){return new E(Ss,e===void 0?void 0:{cause:e})}n(po,"createGeneratedKeyMaterialError");function mo(e,t){let r=bs.decode(t);if(r.byteLength!==vs)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(mo,"decodeJwkKeyField");function As(e){let t=Is();if(!t)throw po();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=mo("d",r.d);mo("x",r.x);let i=Cs.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),a=new Uint8Array(i.byteLength+o.byteLength);return a.set(i),a.set(o,i.byteLength),a}catch(r){throw po(r)}}n(As,"decodeGeneratedKeyMaterial");function Us(e){let t=uo.get(e);return t||(t=As(e),uo.set(e,t)),t}n(Us,"getMasterKeyMaterial");async function G(e){let t=lo.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(Us(e.keyMaterialPurpose));return lo.set(e.purpose,r),r}n(G,"readCachedDerivedKey");var ks="SHA-256";var Ps="zuplo-mcp-gateway:",Ts=new TextEncoder,fo=new WeakMap;async function re(e,t){let r=fo.get(e);r||(r=new Map,fo.set(e,r));let o=r.get(t);if(o)return o;let i=await Os(e,t);return r.set(t,i),i}n(re,"deriveGatewaySigningKey");async function Os(e,t){let r=ho(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),i=Ts.encode(`${Ps}${t}`),a=await crypto.subtle.deriveBits({name:"HKDF",hash:ks,salt:new Uint8Array,info:ho(i)},o,32*8);return new 
Uint8Array(a)}n(Os,"hkdfExpand");function ho(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(ho,"copyToArrayBuffer");var Ro=15*60,Es=15*60,qs=qn.extend({id:Mn}),Ms=qs.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),bo=Nt.extend({id:zn,purpose:d.literal("browser_connect")}),zs=Nt.extend({purpose:d.literal("browser_connect")}),Ds=bo.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Co=Ro*1e3;async function So(){return G({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>re(e,"oauth-state"),"derive")})}n(So,"getOAuthStateKey");async function vo(){return G({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>re(e,"browser-connect"),"derive")})}n(vo,"getBrowserConnectKey");async function xo(e){let t=Math.floor(Date.now()/1e3)+Ro;return new _o(e).setProtectedHeader({alg:M,typ:"JWT"}).setIssuer(T).setAudience(q).setIssuedAt().setExpirationTime(t).sign(await So())}n(xo,"signOAuthState");async function yt(e){try{let{payload:t}=await wo(e,await So(),{algorithms:[M],issuer:T,audience:q});return Ms.parse(t)}catch(t){throw t instanceof yo.JWTExpired?new y({message:"OAuth state has expired",extensionMembers:{[w]:"oauth_state_expired"}},{cause:t}):new y({message:"OAuth state could not be verified",extensionMembers:{[w]:"oauth_state_invalid"}},{cause:t})}}n(yt,"verifyOAuthState");async function Io(e){let t=Math.floor(Date.now()/1e3)+Es,r=zs.parse(e),o=bo.parse({...r,id:Ln()});return new _o(o).setProtectedHeader({alg:M,typ:"JWT"}).setIssuer(T).setAudience(q).setIssuedAt().setExpirationTime(t).sign(await vo())}n(Io,"signBrowserConnectTicket");async function Ao(e){try{let{payload:t}=await wo(e,await vo(),{algorithms:[M],issuer:T,audience:q});return Ds.parse(t)}catch(t){throw t instanceof yo.JWTExpired?new y({message:"Browser connect ticket has expired",extensionMembers:{[w]:"oauth_state_expired"}},{cause:t}):new y({message:"Browser 
connect ticket could not be verified",extensionMembers:{[w]:"oauth_state_invalid"}},{cause:t})}}n(Ao,"verifyBrowserConnectTicket");async function Uo(e){if((await R().consumeBrowserConnectTicket({id:e.id,expiresAt:_(new Date(e.exp*1e3)),now:_(new Date)})).kind==="consumed")throw new y({message:"Browser connect ticket has already been used",extensionMembers:{[w]:"oauth_state_reused"}})}n(Uo,"consumeBrowserConnectTicket");function Hs(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Hs,"buildConnectRequiredMessage");async function Bs(e){let t=I(e.requestUrl),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Io({...Te(e),purpose:"browser_connect"})),r.toString()}n(Bs,"buildGatewayBrowserTicketUrl");function Ls(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}n(Ls,"buildGatewayConnectPath");async function nr(e){return Bs({...e,path:Ls(e.upstreamServerId),redirect:!0})}n(nr,"buildGatewayConnectUrl");async function wt(e){let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await nr(t),message:Hs(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(wt,"buildRedirectConnectRequiredResponse");function ko(e){return js({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be 
used.`})}n(ko,"buildAdminConnectRequiredResponse");function js(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(js,"buildAdminSetupRequiredResponse");z();function or(e){return`Zuplo MCP Gateway - ${e}`}n(or,"buildGatewayOAuthClientName");function Po(e,t){let r=new URL(e,I(t));return se(r)&&Vr(r.hostname)!=="localhost"&&(r.hostname="localhost"),r.toString()}n(Po,"buildGatewayOAuthRedirectUri");function ir(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}n(ir,"buildOAuthClientMetadataDocumentUrl");function To(e){return I(e)}n(To,"requireOAuthClientMetadataOrigin");function Oo(e,t,r){let o=te(t),i=de(t,r);return{client_id:ir({origin:e,upstreamServerId:t,authProfileId:r}),client_name:or(o.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(i.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"}}n(Oo,"buildOAuthClientMetadataDocument");z();import{base64url as ne}from"jose";var Ns="SHA-256",_e="AES-GCM",Gs=12,sr="zuplo-secret",cr=1,Eo="generated:auth_private_key:token-encryption",$s=d.object({version:d.literal(cr),keyId:d.literal(Eo),algorithm:d.literal(_e),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function we(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(we,"copyToArrayBuffer");async function ar(){return G({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(Ns,we(e));return crypto.subtle.importKey("raw",t,{name:_e},!1,["encrypt","decrypt"])},"derive")})}n(ar,"getEncryptionKey");function qo(e){return we(new 
TextEncoder().encode(`${sr}:v${e.version}:${e.keyId}`))}n(qo,"getAssociatedData");function Zs(e){return`${sr}:v${e.version}:${ne.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(Zs,"encodeEnvelope");function Fs(e){let t=`${sr}:v${cr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(ne.decode(r));return $s.parse(JSON.parse(o))}n(Fs,"decodeEnvelope");async function _t(e){let t=await ar(),r=crypto.getRandomValues(new Uint8Array(Gs)),o={version:cr,keyId:Eo},i=await crypto.subtle.encrypt({name:_e,iv:r,additionalData:qo(o)},t,new TextEncoder().encode(e));return Zs({...o,algorithm:_e,iv:ne.encode(r),ciphertext:ne.encode(new Uint8Array(i))})}n(_t,"encryptSecret");async function Fe(e){let t=Fs(e);if(t){let s=await ar(),c=await crypto.subtle.decrypt({name:_e,iv:we(ne.decode(t.iv)),additionalData:qo(t)},s,we(ne.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new E("Encrypted payload is malformed");let i=await ar(),a=await crypto.subtle.decrypt({name:_e,iv:we(ne.decode(r))},i,we(ne.decode(o)));return new TextDecoder().decode(a)}n(Fe,"decryptSecret");var Ks=d.union([Ee,Vt]),Ws=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:ht.optional(),authorizationServerMetadata:d.union([Oe,gt]).optional()}).passthrough(),Js="Bearer",Vs="__zuplo_refresh_only_upstream_access_token__";function Ys(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(Ys,"splitScopes");function Xs(e){return at.parse(e)}n(Xs,"parsePkceCodeVerifier");function Qs(e){if(typeof e.expires_in=="number")return _(new Date(Date.now()+e.expires_in*1e3))}n(Qs,"readTokenExpiry");async function Mo(e){if(e!==void 0)return _t(JSON.stringify(e))}n(Mo,"encryptJson");async function zo(e,t){if(!e)return;let r=await Fe(e);try{return t.parse(JSON.parse(r))}catch(o){throw new y({message:"Stored upstream OAuth JSON state is 
invalid.",extensionMembers:{[w]:"oauth_state_invalid"}},{cause:o})}}n(zo,"decryptJson");function ec(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(ec,"toOAuthDiscoveryState");function tc(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(tc,"clientInformationAllowsRedirectUri");function rc(e,t,r){let o=te(e),i=de(e,t),a;return i.scopes.length>0&&(a=i.scopes.join(i.scopeDelimiter)),{client_name:or(o.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:a,token_endpoint_auth_method:"none"}}n(rc,"buildOAuthClientMetadata");function nc(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new k(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. 
Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Ee.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(nc,"buildManualOAuthClientInformation");function oc(e,t,r){let o=ir({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return tr(o)?o:void 0}n(oc,"buildClientMetadataUrl");function Do(e){for(let t of e)if(t!==void 0)return t}n(Do,"firstDefined");function ic(e){let t=de(e.target.upstreamServerId,e.target.authProfileId),r=rc(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredClientInformation:nc({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let o=oc(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return o===void 0?{clientMetadata:r}:{clientMetadata:r,clientMetadataUrl:o}}n(ic,"buildInitialOAuthClientSetup");function ac(e,t){if(t===void 0)return Do([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(ac,"readEncryptedClientInformation");function sc(e){return Do([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(sc,"readEncryptedDiscoveryState");var fe=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredClientInformation;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let 
r=ic({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=ac(t,this.configuredClientInformation),this.encryptedDiscoveryState=sc(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return this.clientMetadataValue}async state(){let t=await this.createPendingState();return xo({id:t.id,...Te({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await Mo(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=await Mo(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=ye.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,i=r.refresh_token?await _t(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:ye.parse({...r,refresh_token:await Fe(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let 
a={id:this.connection?.id??Hn(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await _t(r.access_token),encryptedRefreshToken:i,scopes:Ys(r.scope??this.clientMetadataValue.scope),expiresAt:Qs(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await R().upsertUpstreamConnection(a)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:Xs(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new y({message:"OAuth code verifier is missing",extensionMembers:{[w]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",i=t==="all"||t==="discovery",a=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),i&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(a),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:Bn(),...Te({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:_(new Date(Date.now()+Co)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 
0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await R().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await zo(this.encryptedClientInformation,Ks)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!tc(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=ec(await zo(this.encryptedDiscoveryState,Ws))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.cachedDiscoveryState}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await Fe(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await 
Fe(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=ye.parse({access_token:t??Vs,token_type:Js,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await R().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var cc=3e4,dc=256*1024,uc=2;function lc(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(lc,"hasUsableAccessToken");var pc="does not support dynamic client registration";function mc(e){return e instanceof Error&&e.message.includes(pc)}n(mc,"isDynamicClientRegistrationUnsupported");function fc(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(fc,"readOAuthFetchRequest");function hc(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(hc,"responseLooksJson");function 
Ho(e){return async(t,r)=>{let o=fc(t),i=await Zn(t,r,{maxRedirects:uc,maxResponseBytes:dc,problemCode:"upstream_token_exchange_failed",timeoutMs:cc}),a=await i.clone().text();if(!hc(i,a))return i;try{JSON.parse(a)}catch(s){throw new y({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned invalid JSON.`,extensionMembers:{[w]:"upstream_token_exchange_failed"}},{cause:s})}return i}}n(Ho,"createUpstreamOAuthFetch");async function Bo(e,t){try{return await er(e,{serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Ho(t.upstreamServerId)})}catch(r){throw mc(r)?new y({message:`The authorization server for ${t.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register a client for the gateway manually before retrying.`,extensionMembers:{[w]:"upstream_client_registration_required"}},{cause:r}):r}}n(Bo,"runUpstreamOAuth");async function gc(e,t){return er(e,{serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:Ho(t.upstreamServerId)})}n(gc,"exchangeUpstreamAuthorizationCode");async function Lo(e,t){let r=await Bo(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new y({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[w]:"upstream_token_exchange_failed"}}):new y({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[w]:"upstream_token_exchange_failed"}})}n(Lo,"requireUpstreamAuthorizationRedirect");async function jo(e){if(!e.forceRefresh&&lc(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await 
Bo(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new y({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[w]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new y({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[w]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await bc({requestUrl:e.target.request.url,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(jo,"authorizeUpstreamOAuthSession");async function yc(e){let t=await yt(e.stateToken),r=await R().consumeUpstreamOAuthState({id:t.id,now:_(new Date)}),o=wc(r);return _c({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Rc(o),o}n(yc,"consumeStoredCallbackState");function wc(e){switch(e.kind){case"consumed":throw new y({message:"OAuth state has already been used",extensionMembers:{[w]:"oauth_state_reused"}});case"missing":throw new y({message:"OAuth state is missing or expired",extensionMembers:{[w]:"oauth_state_expired"}});case"available":return e.record}}n(wc,"readConsumedCallbackState");function 
_c(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new y({message:"OAuth callback did not match the initiating request",extensionMembers:{[w]:"oauth_callback_mismatch"}})}n(_c,"assertStoredCallbackStateMatches");function Rc(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new y({message:"OAuth state has expired",extensionMembers:{[w]:"oauth_state_expired"}})}n(Rc,"assertStoredCallbackStateFresh");async function bc(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),ko(r)}let t={requestUrl:e.requestUrl,owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),wt(t)}n(bc,"buildOAuthConnectRequiredResponse");async function No(e){let t=await yc({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=ut(t),[o]=await R().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),i={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 
0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(i.connection=o);let a=new fe(i),s=await gc(a,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new y({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[w]:"upstream_token_exchange_failed"}}):new y({message:`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`,extensionMembers:{[w]:"upstream_token_exchange_failed"}})}n(No,"finishUpstreamOAuthCallback");async function Go(e){let t=te(e.upstreamServerId),r=de(e.upstreamServerId,e.authProfileId),o=Po(r.redirectPath,e.request.url),i="preloadedConnection"in e?e.preloadedConnection:(await R().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:i,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:I(e.request.url)}}}n(Go,"prepareUpstreamOAuthRequest");async function $o(e){let t=await Go(e),r=new fe({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return Lo(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n($o,"startUpstreamConnect");async function Zo(e){let t=await Go(e),r=new fe({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return 
jo({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Zo,"authorizeUpstreamRequest");async function Re(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return Zo({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}let r=t;throw new E(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(Re,"resolveUpstreamCredentialForRoute");async function Fo(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},o=N(e.connectRequest.authMode);switch(o.connectSupport){case"oauth_authorization":t=await $o(r);break;case"none":throw new E(o.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(Fo,"startUpstreamConnectForRequest");async function Ko(e){let r=(await yt(e.callbackRequest.state)).authProfileId,o=Kt({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(N(o.mode).callbackSupport!=="authorization_code")throw new E(`Upstream server 
${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return No({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:te(e.callbackRequest.upstreamServerId)})}n(Ko,"finishUpstreamCallbackForRequest");function Cc(e){let t=N(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(Cc,"buildRouteAuthBaseFromConnection");function Jo(e){let t=N(e.connection.authMode);return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:it(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(Jo,"buildRouteAuthBaseFromPolicyOptions");function Rt(e,t){let o=j().byOperationId.get(t);if(!o)throw new k(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new k(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new k(`MCP route "${t}" does not bind upstream "${e}". 
Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return Cc({connection:o.connection,operationId:t})}n(Rt,"resolveRouteAuthBase");function Wo(e,t){switch(e){case"user":return dt(t.subjectId);case"shared":return En()}}n(Wo,"buildOwnerForPrincipal");function be(e,t){switch(e.ownerMode){case"shared":return{...e,owner:Wo(e.ownerMode,t),initiatedBySubjectId:t.subjectId};case"user":return{...e,owner:Wo(e.ownerMode,t),initiatedBySubjectId:t.subjectId}}}n(be,"resolveRouteAuthForPrincipal");var Sc=Pe.InvalidRequest,vc=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function xc(e){let t=e.route.raw();return rt.parse(t?.operationId)}n(xc,"readOperationId");async function Ic(e,t,r,o){let i=await Re({request:e,routeAuth:t});if(i.kind==="connect_required")return o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:i.payload};let a=i.credential;switch(a.type){case"none":return{kind:"headers",headers:[]};case"bearer_token":return{kind:"headers",headers:[["authorization",`Bearer ${a.token}`]]};case"headers":return{kind:"headers",headers:Object.entries(a.headers)};case"mcp_oauth_provider":{let s=await a.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}}}n(Ic,"buildCredentialHeaders");var Ac=new Set(["authorization","cookie","cookie2"]);function Uc(e,t){let r=new Headers(e.headers);for(let o of Ac)r.delete(o);for(let[o,i]of t)r.set(o,i);return new Lr(e,{headers:r})}n(Uc,"applyUpstreamHeaders");function kc(e){let t=new Headers(e.headers);for(let r of 
vc)t.delete(r);return t}n(kc,"buildProxyHeaders");async function Pc(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(Pc,"readRetryBody");function Vo(e,t){let r=t.authUrl===void 0?void 0:Jn({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(pt({id:Wn(e),error:{code:r?.code??Sc,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(Vo,"connectRequiredJsonRpcResponse");async function Tc(e){let t=await Re({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0});if(t.kind==="connect_required")return{kind:"connect_required",payload:t.payload};let r=new Headers(e.headers),o=t.credential;switch(o.type){case"none":return r.delete("authorization"),{kind:"headers",headers:r};case"bearer_token":return r.set("authorization",`Bearer ${o.token}`),{kind:"headers",headers:r};case"headers":for(let[i,a]of Object.entries(o.headers))r.set(i,a);return{kind:"headers",headers:r};case"mcp_oauth_provider":{let i=await o.provider.tokens();return i?(r.set("authorization",`${i.token_type??"Bearer"} ${i.access_token}`),{kind:"headers",headers:r}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}}}n(Tc,"applyRefreshedCredentialHeaders");function Oc(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await Tc({request:e.request,context:e.context,headers:kc(r),routeAuth:e.routeAuth});if(o.kind==="connect_required")return Vo(e.requestBody,o.payload);if(o.kind==="response")return o.response;let i=on({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return Xe.fetch(i.url,i.init)})}n(Oc,"installUpstreamAuthRetryHook");async function dr(e,t,r){let o=xc(t),i=await 
Pc(e),a=Jo({connection:r,operationId:o}),s=be(a,Tn(e,t)),c=await Ic(e,s,r,t);if(!(c instanceof Response)&&c.kind==="connect_required")return Vo(i,c.payload);if(c instanceof Response)return c;let l=Uc(e,c.headers);return Oc({request:l,context:t,requestBody:i,routeAuth:s}),l}n(dr,"mcpTokenExchangePolicy");var ur=class extends et{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=ln(t,r);super(o,r)}async handler(t,r){return Qe("policy.inbound.mcp-token-exchange"),dr(t,r,this.options)}};z();var Yo=Symbol("Html");function Ec(e){return e.replaceAll("&","&").replaceAll("<","<").replaceAll(">",">").replaceAll('"',""").replaceAll("'","'")}n(Ec,"escapeHtml");function qc(e){return e===null||typeof e!="object"?!1:e[Yo]===!0}n(qc,"isHtml");function Xo(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Xo).join(""):qc(e)?e.value:Ec(String(e))}n(Xo,"renderValue");function V(e){return{[Yo]:!0,value:e}}n(V,"trustedHtml");var he=V("");function b(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Xo(t[o]),r+=e[o+1]??"";return V(r)}n(b,"html");function Ce(e){return e.value}n(Ce,"renderHtml");function Qo(e){return b`<p data-gateway-error-code="${e.code}">${e.detail}</p>${e.guidance} ${e.action}`}n(Qo,"renderBrowserErrorPage");var Se=V('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe 
UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 
12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid 
var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 
8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary 
.capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 
0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 
5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function ve(e){return b`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
|
|
25
|
+
import{$ as Y,A as Un,Aa as no,B as kn,Ba as oo,C as Tn,Ca as ao,D as ht,Da as io,E as Pn,Ea as so,F as En,Fa as co,G as On,Ga as S,H as qn,Ha as v,I as Mn,Ia as X,J as Dn,Ja as I,K as $,Ka as uo,L as Hn,La as Ps,M as zn,Ma as lo,N as b,Na as po,O as W,Oa as Rt,P as U,Pa as mo,Q as Bn,Qa as fo,R as V,Sa as ho,T as jn,Ta as go,U as Ln,Ua as bt,V as le,W as w,X as Nn,Y as $n,Z as Gn,_ as gt,a as gn,aa as Ft,b as ue,ba as Kt,c as yn,ca as Zn,d as j,da as Fn,e as _n,ea as Jt,f as Ts,fa as Wt,g as wn,ga as Kn,h as Rn,ha as E,i as bn,ia as Jn,j as _,ja as Wn,k as be,ka as Vn,l as Se,la as Yn,m as ve,ma as Vt,n as Ce,na as Xn,o as Sn,oa as Yt,p as vn,pa as Xt,q as L,qa as yt,r as Cn,ra as Ie,s as In,sa as Qn,t as xn,ta as eo,u as pt,ua as _t,v as An,va as to,w as Zt,wa as Qt,x as mt,xa as ro,y as ft,ya as je,z as Be,za as wt}from"../chunk-B6R5XTUK.js";import{J as dn,L as u,M as un,N as Gt,O as J,Q as ln,S as h,T as re,U as lt,_ as pn,a as dt,ca as mn,da as fn,ea as d,fa as B,j as de,k as an,m as sn,ma as hn,q as cn,s as ut}from"../chunk-A6TMPOZH.js";import"../chunk-JRXZBVXH.js";import{a as R}from"../chunk-4SACVMDH.js";import{$ as D,a as n,aa as g,ba as P,ca as on,da as ct}from"../chunk-ZIKV2LUM.js";B();function Es(e){let t=ft.safeParse(e);return t.success?t.data.id:void 0}n(Es,"parseJsonRpcRequestId");function yo(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Es(t)}catch{return}}n(yo,"readJsonRpcRequestIdFromBody");function St(e){return Un.parse({jsonrpc:mt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(St,"jsonRpcErrorResponse");function _o(e){return new Tn([kn.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(_o,"urlElicitationRequiredError");var 
vt=d.record(d.string(),d.unknown()),Os=d.record(d.string(),d.unknown()),qs=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Os.optional(),_meta:vt.optional()}).strict(),Ms=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:vt.optional()}).strict(),Ds=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:vt.optional()}).strict(),Hs=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:vt.optional()}).strict(),zs=d.array(d.union([d.string(),qs])),Bs=d.array(d.union([d.string(),Ms])),js=d.array(d.union([d.string(),Ds])),Ls=d.array(d.union([d.string(),Hs])),Ns=d.object({tools:zs.optional(),prompts:Bs.optional(),resources:js.optional(),resourceTemplates:Ls.optional()}).strict(),tr=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function $s(e,t){return _n(Ns,e,`MCP capability filter policy "${t}"`)}n($s,"parseMcpCapabilityFilterOptions");function O(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(O,"isRecord");function Gs(e,t){if(!O(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Gs,"readParamString");function rr(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(rr,"readRequestId");function So(e){return e===void 
0?void 0:JSON.stringify(e)}n(So,"requestIdKey");function Zs(e){let t={};for(let r of tr){let o=e[r.option];if(o===void 0)continue;let a=new Map;for(let i of o){let s=Ws(i,r.itemProperty);s!==void 0&&a.set(s.key,s)}t[r.option]=a}return t}n(Zs,"buildProjectionMaps");function nr(e){return tr.find(t=>t.listMethod===e)}n(nr,"findListRule");function Fs(e){return e.requests.some(t=>{if(!O(t))return!1;let r=nr(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(Fs,"shouldFilterListResponses");function Ks(e){for(let t of tr){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let a=Gs(e.request.params,o.paramProperty);if(a!==void 0&&!r.has(a))return{id:rr(e.request)}}}}n(Ks,"findDisallowedDirectAccess");function Js(e){return Response.json(St({id:e,error:{code:Be.MethodNotFound,message:"Method not found"}}))}n(Js,"methodNotFoundResponse");function Ws(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!O(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n(Ws,"buildProjection");function wo(e){let t=e.base[e.property],r=e.overlay[e.property];return O(r)?O(t)?{...t,...r}:r:t}n(wo,"mergeRecordProperty");function Vs(e,t){let r={...e,...t.overlay},o=wo({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let a=wo({base:e,overlay:t.overlay,property:"_meta"});return a!==void 0&&(r._meta=a),r}n(Vs,"applyProjection");function Ro(e,t,r){if(!O(e))return e;let o=e.result;if(!O(o))return e;let a=o[t.resultProperty];return!Array.isArray(a)||!a.every(i=>O(i)&&typeof i[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:a.flatMap(i=>{if(!O(i))return[];let s=i[t.itemProperty];if(typeof s!="string")return[];let c=r.get(s);return c===void 0?[]:[Vs(i,c)]})}}}n(Ro,"filterAndProjectItems");function Ys(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!O(r))continue;let o=nr(r.method),a=rr(r),i=So(a);o!==void 0&&i!==void 
0&&t.set(i,o)}return t}n(Ys,"buildListRulesByResponseId");function Xs(e){if(Array.isArray(e.responseBody)){let o=Ys(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(a=>{if(!O(a)||"error"in a)return a;let i=So(rr(a)),s=i===void 0?void 0:o.get(i),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?a:Ro(a,s,c)})}if(!O(e.requestBody)||!O(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=nr(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:Ro(e.responseBody,t,r)}n(Xs,"filterJsonRpcResponse");async function bo(e){return e.clone().json()}n(bo,"readJson");function Qs(e){return e.headers.get("content-type")?.includes("json")??!1}n(Qs,"isJsonResponse");var er=class extends ut{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=$s(t,r);super(o,r),this.#e=Zs(o)}async handler(t,r){dt("policy.inbound.mcp-capability-filter");let o;try{o=await bo(t)}catch{return t}let a=Array.isArray(o)?o:[o];for(let i of a){if(!O(i))continue;let s=Ks({request:i,projectionMaps:this.#e});if(s!==void 0)return Js(s.id)}return Fs({requests:a,projectionMaps:this.#e})&&r.addResponseSendingHook(async i=>{if(!Qs(i))return i;let s;try{s=await bo(i)}catch{return i}let c=Xs({requestBody:o,responseBody:s,projectionMaps:this.#e});if(c===s)return i;let l=new Headers(i.headers);return l.delete("content-length"),new Response(JSON.stringify(c),{status:i.status,statusText:i.statusText,headers:l})}),t}};var or;or=globalThis.crypto;async function ec(e){return(await or).getRandomValues(new Uint8Array(e))}n(ec,"getRandomValues");async function tc(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let a=await ec(e-o.length);for(let i of a)i<r&&(o+=t[i%t.length])}return o}n(tc,"random");async function rc(e){return await tc(e)}n(rc,"generateVerifier");async function nc(e){let 
t=await(await or).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(nc,"generateChallenge");async function ar(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await rc(e),r=await nc(t);return{code_verifier:t,code_challenge:r}}n(ar,"pkceChallenge");B();var T=un().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:mn.custom,message:"URL must be parseable",fatal:!0}),dn}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),Ct=lt({resource:u().url(),authorization_servers:h(T).optional(),jwks_uri:u().url().optional(),scopes_supported:h(u()).optional(),bearer_methods_supported:h(u()).optional(),resource_signing_alg_values_supported:h(u()).optional(),resource_name:u().optional(),resource_documentation:u().optional(),resource_policy_uri:u().url().optional(),resource_tos_uri:u().url().optional(),tls_client_certificate_bound_access_tokens:J().optional(),authorization_details_types_supported:h(u()).optional(),dpop_signing_alg_values_supported:h(u()).optional(),dpop_bound_access_tokens_required:J().optional()}),Le=lt({issuer:u(),authorization_endpoint:T,token_endpoint:T,registration_endpoint:T.optional(),scopes_supported:h(u()).optional(),response_types_supported:h(u()),response_modes_supported:h(u()).optional(),grant_types_supported:h(u()).optional(),token_endpoint_auth_methods_supported:h(u()).optional(),token_endpoint_auth_signing_alg_values_supported:h(u()).optional(),service_documentation:T.optional(),revocation_endpoint:T.optional(),revocation_endpoint_auth_methods_supported:h(u()).optional(),revocation_endpoint_auth_signing_alg_values_supported:h(u()).optional(),introspection_endpoint:u().optional(),introspection_endpoint_auth_methods_supported:h(u()).optional(),introspection_
endpoint_auth_signing_alg_values_supported:h(u()).optional(),code_challenge_methods_supported:h(u()).optional(),client_id_metadata_document_supported:J().optional()}),oc=lt({issuer:u(),authorization_endpoint:T,token_endpoint:T,userinfo_endpoint:T.optional(),jwks_uri:T,registration_endpoint:T.optional(),scopes_supported:h(u()).optional(),response_types_supported:h(u()),response_modes_supported:h(u()).optional(),grant_types_supported:h(u()).optional(),acr_values_supported:h(u()).optional(),subject_types_supported:h(u()),id_token_signing_alg_values_supported:h(u()),id_token_encryption_alg_values_supported:h(u()).optional(),id_token_encryption_enc_values_supported:h(u()).optional(),userinfo_signing_alg_values_supported:h(u()).optional(),userinfo_encryption_alg_values_supported:h(u()).optional(),userinfo_encryption_enc_values_supported:h(u()).optional(),request_object_signing_alg_values_supported:h(u()).optional(),request_object_encryption_alg_values_supported:h(u()).optional(),request_object_encryption_enc_values_supported:h(u()).optional(),token_endpoint_auth_methods_supported:h(u()).optional(),token_endpoint_auth_signing_alg_values_supported:h(u()).optional(),display_values_supported:h(u()).optional(),claim_types_supported:h(u()).optional(),claims_supported:h(u()).optional(),service_documentation:u().optional(),claims_locales_supported:h(u()).optional(),ui_locales_supported:h(u()).optional(),claims_parameter_supported:J().optional(),request_parameter_supported:J().optional(),request_uri_parameter_supported:J().optional(),require_request_uri_registration:J().optional(),op_policy_uri:T.optional(),op_tos_uri:T.optional(),client_id_metadata_document_supported:J().optional()}),It=re({...oc.shape,...Le.pick({code_challenge_methods_supported:!0}).shape}),xe=re({access_token:u(),id_token:u().optional(),token_type:u(),expires_in:fn.number().optional(),scope:u().optional(),refresh_token:u().optional()}).strip(),Co=re({error:u(),error_description:u().optional(),error_uri:u().opt
ional()}),vo=T.optional().or(pn("").transform(()=>{})),ac=re({redirect_uris:h(T),token_endpoint_auth_method:u().optional(),grant_types:h(u()).optional(),response_types:h(u()).optional(),client_name:u().optional(),client_uri:T.optional(),logo_uri:vo,scope:u().optional(),contacts:h(u()).optional(),tos_uri:vo,policy_uri:u().optional(),jwks_uri:T.optional(),jwks:ln().optional(),software_id:u().optional(),software_version:u().optional(),software_statement:u().optional()}).strip(),ir=re({client_id:u(),client_secret:u().optional(),client_id_issued_at:Gt().optional(),client_secret_expires_at:Gt().optional()}).strip(),Ne=ac.merge(ir),Gm=re({error:u(),error_description:u().optional()}).strip(),Zm=re({token:u(),token_type_hint:u().optional()}).strip();function Io(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(Io,"resourceUrlFromServerUrl");function xo({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return a.startsWith(i)}n(xo,"checkResourceAllowed");var x=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},$e=class extends x{static{n(this,"InvalidRequestError")}};$e.errorCode="invalid_request";var pe=class extends x{static{n(this,"InvalidClientError")}};pe.errorCode="invalid_client";var me=class extends x{static{n(this,"InvalidGrantError")}};me.errorCode="invalid_grant";var fe=class extends x{static{n(this,"UnauthorizedClientError")}};fe.errorCode="unauthorized_client";var Ge=class extends 
x{static{n(this,"UnsupportedGrantTypeError")}};Ge.errorCode="unsupported_grant_type";var Ze=class extends x{static{n(this,"InvalidScopeError")}};Ze.errorCode="invalid_scope";var Fe=class extends x{static{n(this,"AccessDeniedError")}};Fe.errorCode="access_denied";var Q=class extends x{static{n(this,"ServerError")}};Q.errorCode="server_error";var Ke=class extends x{static{n(this,"TemporarilyUnavailableError")}};Ke.errorCode="temporarily_unavailable";var Je=class extends x{static{n(this,"UnsupportedResponseTypeError")}};Je.errorCode="unsupported_response_type";var We=class extends x{static{n(this,"UnsupportedTokenTypeError")}};We.errorCode="unsupported_token_type";var Ve=class extends x{static{n(this,"InvalidTokenError")}};Ve.errorCode="invalid_token";var Ye=class extends x{static{n(this,"MethodNotAllowedError")}};Ye.errorCode="method_not_allowed";var Xe=class extends x{static{n(this,"TooManyRequestsError")}};Xe.errorCode="too_many_requests";var he=class extends x{static{n(this,"InvalidClientMetadataError")}};he.errorCode="invalid_client_metadata";var Qe=class extends x{static{n(this,"InsufficientScopeError")}};Qe.errorCode="insufficient_scope";var et=class extends x{static{n(this,"InvalidTargetError")}};et.errorCode="invalid_target";var Ao={[$e.errorCode]:$e,[pe.errorCode]:pe,[me.errorCode]:me,[fe.errorCode]:fe,[Ge.errorCode]:Ge,[Ze.errorCode]:Ze,[Fe.errorCode]:Fe,[Q.errorCode]:Q,[Ke.errorCode]:Ke,[Je.errorCode]:Je,[We.errorCode]:We,[Ve.errorCode]:Ve,[Ye.errorCode]:Ye,[Xe.errorCode]:Xe,[he.errorCode]:he,[Qe.errorCode]:Qe,[et.errorCode]:et};function ic(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(ic,"isClientAuthMethod");var sr="code",cr="S256";function sc(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in 
e&&e.token_endpoint_auth_method&&ic(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(sc,"selectClientAuthMethod");function cc(e,t,r,o){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":dc(a,i,r);return;case"client_secret_post":uc(a,i,o);return;case"none":lc(a,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(cc,"applyClientAuthentication");function dc(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(dc,"applyBasicAuth");function uc(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(uc,"applyPostAuth");function lc(e,t){t.set("client_id",e)}n(lc,"applyPublicAuth");async function ko(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=Co.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=o,c=Ao[a]||Q;return new c(i||"",s)}catch(o){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. 
Raw body: ${r}`;return new Q(a)}}n(ko,"parseErrorResponse");async function lr(e,t){try{return await dr(e,t)}catch(r){if(r instanceof pe||r instanceof fe)return await e.invalidateCredentials?.("all"),await dr(e,t);if(r instanceof me)return await e.invalidateCredentials?.("tokens"),await dr(e,t);throw r}}n(lr,"auth");async function dr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),c,l,m,f=a;if(!f&&s?.resourceMetadataUrl&&(f=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(l=s.authorizationServerUrl,c=s.resourceMetadata,m=s.authorizationServerMetadata??await Eo(l,{fetchFn:i}),!c)try{c=await Po(t,{resourceMetadataUrl:f},i)}catch{}(m!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}else{let M=await yc(t,{resourceMetadataUrl:f,fetchFn:i});l=M.authorizationServerUrl,m=M.authorizationServerMetadata,c=M.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}let A=await pc(t,e,c),C=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,N=await Promise.resolve(e.clientInformation());if(!N){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let M=m?.client_id_metadata_document_supported===!0,ze=e.clientMetadataUrl;if(ze&&!pr(ze))throw new he(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${ze}`);if(M&&ze)N={client_id:ze},await e.saveClientInformation?.(N);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let nn=await Sc(l,{metadata:m,clientMetadata:e.clientMetadata,scope:C,fetchFn:i});await e.saveClientInformation(nn),N=nn}}let Re=!e.redirectUrl;if(r!==void 0||Re){let M=await 
bc(e,l,{metadata:m,resource:A,authorizationCode:r,fetchFn:i});return await e.saveTokens(M),"AUTHORIZED"}let rn=await e.tokens();if(rn?.refresh_token)try{let M=await Rc(l,{metadata:m,clientInformation:N,refreshToken:rn.refresh_token,resource:A,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(M),"AUTHORIZED"}catch(M){if(!(!(M instanceof x)||M instanceof Q))throw M}let As=e.state?await e.state():void 0,{authorizationUrl:Us,codeVerifier:ks}=await _c(l,{metadata:m,clientInformation:N,state:As,redirectUrl:e.redirectUrl,scope:C,resource:A});return await e.saveCodeVerifier(ks),await e.redirectToAuthorization(Us),"REDIRECT"}n(dr,"authInternal");function pr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(pr,"isHttpsUrl");async function pc(e,t,r){let o=Io(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!xo({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(pc,"selectResourceURL");function To(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let a=ur(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=ur(e,"scope")||void 0,c=ur(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:c}}n(To,"extractWWWAuthenticateParams");function ur(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(o);return a?a[1]||a[2]:null}n(ur,"extractFieldFromWwwAuth");async function Po(e,t,r=fetch){let o=await hc(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await 
o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return Ct.parse(await o.json())}n(Po,"discoverOAuthProtectedResourceMetadata");async function mr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?mr(e,void 0,r):void 0;throw o}}n(mr,"fetchWithCorsRetry");function mc(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(mc,"buildWellKnownPath");async function Uo(e,t,r=fetch){return await mr(e,{"MCP-Protocol-Version":t},r)}n(Uo,"tryMetadataDiscovery");function fc(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(fc,"shouldAttemptFallback");async function hc(e,t,r,o){let a=new URL(e),i=o?.protocolVersion??Zt,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let l=mc(t,a.pathname);s=new URL(l,o?.metadataServerUrl??a),s.search=a.search}let c=await Uo(s,i,r);if(!o?.metadataUrl&&fc(c,a.pathname)){let l=new URL(`/.well-known/${t}`,a);c=await Uo(l,i,r)}return c}n(hc,"discoverMetadataWithFallback");function gc(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),o.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(gc,"buildDiscoveryUrls");async function Eo(e,{fetchFn:t=fetch,protocolVersion:r=Zt}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},a=gc(e);for(let{url:i,type:s}of a){let c=await mr(i,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load 
${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Le.parse(await c.json()):It.parse(await c.json())}}}n(Eo,"discoverAuthorizationServerMetadata");async function yc(e,t){let r,o;try{r=await Po(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let a=await Eo(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:a,resourceMetadata:r}}n(yc,"discoverOAuthServerInfo");async function _c(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:a,state:i,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(sr))throw new Error(`Incompatible auth server: does not support response type ${sr}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(cr))throw new Error(`Incompatible auth server: does not support code challenge method ${cr}`)}else c=new URL("/authorize",e);let l=await ar(),m=l.code_verifier,f=l.code_challenge;return c.searchParams.set("response_type",sr),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",f),c.searchParams.set("code_challenge_method",cr),c.searchParams.set("redirect_uri",String(o)),i&&c.searchParams.set("state",i),a&&c.searchParams.set("scope",a),a?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:m}}n(_c,"startAuthorization");function wc(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(wc,"prepareAuthorizationCodeRequest");async function Oo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:a,resource:i,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),l=new 
Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(l,r,c,t);else if(o){let f=t?.token_endpoint_auth_methods_supported??[],A=sc(o,f);cc(A,o,l,r)}let m=await(s??fetch)(c,{method:"POST",headers:l,body:r});if(!m.ok)throw await ko(m);return xe.parse(await m.json())}n(Oo,"executeTokenRequest");async function Rc(e,{metadata:t,clientInformation:r,refreshToken:o,resource:a,addClientAuthentication:i,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),l=await Oo(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:o,...l}}n(Rc,"refreshAuthorization");async function bc(e,t,{metadata:r,resource:o,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let m=await e.codeVerifier();c=wc(a,m,e.redirectUrl)}let l=await e.clientInformation();return Oo(t,{metadata:r,tokenRequestParams:c,clientInformation:l??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:i})}n(bc,"fetchToken");async function Sc(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await ko(s);return Ne.parse(await s.json())}n(Sc,"registerClient");var fr="zuplo.com",vc=new 
Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),Cc=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function qo(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(qo,"s2FaviconHref");function Ic(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(Ic,"strictFaviconHref");var tt=qo(fr);function hr(e){let t=e.toLowerCase();return t===fr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?qo(fr):Ic(e)}n(hr,"resolveIconHref");function xc(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(xc,"hostnameFromHost");function Ac(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Ac,"isLocalOrAddressHost");function Uc(e){let t=xc(e).toLowerCase().replace(/\.$/,"");if(Ac(t)||Cc.some(i=>t===i.slice(1)||t.endsWith(i)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),a=vc.has(o)?3:2;return r.slice(-a).join(".")}n(Uc,"inferFaviconDomain");function gr(e){return{src:hr(Uc(e)),mimeType:"image/png",sizes:["128x128"]}}n(gr,"resolveMcpFaviconIcon");function xt(e){try{return gr(new URL(e).host)}catch{return}}n(xt,"resolveMcpFaviconIconFromUrl");function ne(e){let t=$().connectionsById.get(e);if(!t)throw new P(`Unknown upstream server "${e}". 
Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(ne,"getUpstreamServerConfig");function kc(e){let t=$().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new P(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(kc,"resolveUpstreamAuthProfileId");function yr(e){kc(e);let t=$().connectionsById.get(e.upstreamServerId);if(!t)throw new P(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(yr,"getUpstreamAuthConfig");function ge(e,t){let r=yr({upstreamServerId:e,authProfileId:t});if(!En(r))throw new P(`Upstream server "${e}" does not use upstream OAuth. 
Select an auth mode that supports the requested upstream connect flow or remove the upstream OAuth route for this server.`);return r.oauth}n(ge,"requireUpstreamOAuthConfig");var Tc={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"}};function G(e){return Tc[e]}n(G,"describeUpstreamAuthMode");function At(e){return G(e).ownerMode}n(At,"resolveOwnerModeForUpstreamAuthMode");B();import{errors as No,jwtVerify as $o,SignJWT as Go}from"jose";var q="zuplo-mcp-gateway",H=q,z="HS256";import{base64url as Pc}from"jose";var Ec=new TextEncoder,Oc="MCP gateway could not initialize secure key material.",qc=32,Mo=new Map,Do=new Map,Mc;function Dc(){return Mc??on.instance.authPrivateKey}n(Dc,"readAuthPrivateKey");function Ho(e){return new D(Oc,e===void 0?void 0:{cause:e})}n(Ho,"createGeneratedKeyMaterialError");function zo(e,t){let r=Pc.decode(t);if(r.byteLength!==qc)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(zo,"decodeJwkKeyField");function Hc(e){let t=Dc();if(!t)throw Ho();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=zo("d",r.d);zo("x",r.x);let a=Ec.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),i=new Uint8Array(a.byteLength+o.byteLength);return i.set(a),i.set(o,a.byteLength),i}catch(r){throw Ho(r)}}n(Hc,"decodeGeneratedKeyMaterial");function zc(e){let t=Mo.get(e);return t||(t=Hc(e),Mo.set(e,t)),t}n(zc,"getMasterKeyMaterial");async function Z(e){let t=Do.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(zc(e.keyMaterialPurpose));return 
Do.set(e.purpose,r),r}n(Z,"readCachedDerivedKey");var Bc="SHA-256";var jc="zuplo-mcp-gateway:",Lc=new TextEncoder,Bo=new WeakMap;async function oe(e,t){let r=Bo.get(e);r||(r=new Map,Bo.set(e,r));let o=r.get(t);if(o)return o;let a=await Nc(e,t);return r.set(t,a),a}n(oe,"deriveGatewaySigningKey");async function Nc(e,t){let r=jo(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=Lc.encode(`${jc}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:Bc,salt:new Uint8Array,info:jo(a)},o,32*8);return new Uint8Array(i)}n(Nc,"hkdfExpand");function jo(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(jo,"copyToArrayBuffer");var Zo=15*60,$c=15*60,Gc=ro.extend({id:no}),Zc=Gc.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Fo=Qt.extend({id:oo,purpose:d.literal("browser_connect")}),Fc=Qt.extend({purpose:d.literal("browser_connect")}),Kc=Fo.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Ko=Zo*1e3;async function Jo(){return Z({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"oauth-state"),"derive")})}n(Jo,"getOAuthStateKey");async function Wo(){return Z({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-connect"),"derive")})}n(Wo,"getBrowserConnectKey");async function Vo(e){let t=Math.floor(Date.now()/1e3)+Zo;return new Go(e).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(t).sign(await Jo())}n(Vo,"signOAuthState");async function Ut(e){try{let{payload:t}=await $o(e,await Jo(),{algorithms:[z],issuer:q,audience:H});return Zc.parse(t)}catch(t){throw t instanceof No.JWTExpired?new g({message:"OAuth state has expired",extensionMembers:{[_]:"oauth_state_expired"}},{cause:t}):new g({message:"OAuth state could not be verified",extensionMembers:{[_]:"oauth_state_invalid"}},{cause:t})}}n(Ut,"verifyOAuthState");async function Yo(e){let 
t=Math.floor(Date.now()/1e3)+$c,r=Fc.parse(e),o=Fo.parse({...r,id:co()});return new Go(o).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(t).sign(await Wo())}n(Yo,"signBrowserConnectTicket");async function Xo(e){try{let{payload:t}=await $o(e,await Wo(),{algorithms:[z],issuer:q,audience:H});return Kc.parse(t)}catch(t){throw t instanceof No.JWTExpired?new g({message:"Browser connect ticket has expired",extensionMembers:{[_]:"oauth_state_expired"}},{cause:t}):new g({message:"Browser connect ticket could not be verified",extensionMembers:{[_]:"oauth_state_invalid"}},{cause:t})}}n(Xo,"verifyBrowserConnectTicket");async function Qo(e){if((await S().consumeBrowserConnectTicket({id:e.id,expiresAt:b(new Date(e.exp*1e3)),now:b(new Date)})).kind==="consumed")throw new g({message:"Browser connect ticket has already been used",extensionMembers:{[_]:"oauth_state_reused"}})}n(Qo,"consumeBrowserConnectTicket");function Jc(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Jc,"buildConnectRequiredMessage");async function Wc(e){let t=U(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Yo({...je(e),purpose:"browser_connect"})),r.toString()}n(Wc,"buildGatewayBrowserTicketUrl");function Vc(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}n(Vc,"buildGatewayConnectPath");async function _r(e){return Wc({...e,path:Vc(e.upstreamServerId),redirect:!0})}n(_r,"buildGatewayConnectUrl");async function kt(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 
0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await _r(t),message:Jc(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(kt,"buildRedirectConnectRequiredResponse");function ea(e){return Yc({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(ea,"buildAdminConnectRequiredResponse");function Yc(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(Yc,"buildAdminSetupRequiredResponse");B();function wr(e){return`Zuplo MCP Gateway - ${e}`}n(wr,"buildGatewayOAuthClientName");function ta(e,t,r){let o=new URL(e,U(t,r));return ue(o)&&gn(o.hostname)!=="localhost"&&(o.hostname="localhost"),o.toString()}n(ta,"buildGatewayOAuthRedirectUri");function Rr(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}n(Rr,"buildOAuthClientMetadataDocumentUrl");function ra(e,t){return U(e,t)}n(ra,"requireOAuthClientMetadataOrigin");function na(e,t,r){let o=ne(t),a=ge(t,r),i={client_id:Rr({origin:e,upstreamServerId:t,authProfileId:r}),client_name:wr(o.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"};return a.scopes.length>0&&(i.scope=a.scopes.join(a.scopeDelimiter)),i}n(na,"buildOAuthClientMetadataDocument");B();import{base64url 
as ae}from"jose";var Xc="SHA-256",Ue="AES-GCM",Qc=12,Sr="zuplo-secret",vr=1,oa="generated:auth_private_key:token-encryption",ed=d.object({version:d.literal(vr),keyId:d.literal(oa),algorithm:d.literal(Ue),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function Ae(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Ae,"copyToArrayBuffer");async function br(){return Z({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(Xc,Ae(e));return crypto.subtle.importKey("raw",t,{name:Ue},!1,["encrypt","decrypt"])},"derive")})}n(br,"getEncryptionKey");function aa(e){return Ae(new TextEncoder().encode(`${Sr}:v${e.version}:${e.keyId}`))}n(aa,"getAssociatedData");function td(e){return`${Sr}:v${e.version}:${ae.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(td,"encodeEnvelope");function rd(e){let t=`${Sr}:v${vr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(ae.decode(r));return ed.parse(JSON.parse(o))}n(rd,"decodeEnvelope");async function Tt(e){let t=await br(),r=crypto.getRandomValues(new Uint8Array(Qc)),o={version:vr,keyId:oa},a=await crypto.subtle.encrypt({name:Ue,iv:r,additionalData:aa(o)},t,new TextEncoder().encode(e));return td({...o,algorithm:Ue,iv:ae.encode(r),ciphertext:ae.encode(new Uint8Array(a))})}n(Tt,"encryptSecret");async function rt(e){let t=rd(e);if(t){let s=await br(),c=await crypto.subtle.decrypt({name:Ue,iv:Ae(ae.decode(t.iv)),additionalData:aa(t)},s,Ae(ae.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new D("Encrypted payload is malformed");let a=await br(),i=await crypto.subtle.decrypt({name:Ue,iv:Ae(ae.decode(r))},a,Ae(ae.decode(o)));return new TextDecoder().decode(i)}n(rt,"decryptSecret");var 
nd=d.union([Ne,ir]),od=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:Ct.optional(),authorizationServerMetadata:d.union([Le,It]).optional()}).passthrough(),ad="Bearer",id="__zuplo_refresh_only_upstream_access_token__";function sd(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(sd,"splitScopes");function cd(e){return gt.parse(e)}n(cd,"parsePkceCodeVerifier");function dd(e){if(typeof e.expires_in=="number")return b(new Date(Date.now()+e.expires_in*1e3))}n(dd,"readTokenExpiry");async function ia(e){if(e!==void 0)return Tt(JSON.stringify(e))}n(ia,"encryptJson");async function sa(e,t){if(!e)return;let r=await rt(e);try{return t.parse(JSON.parse(r))}catch(o){throw new g({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[_]:"oauth_state_invalid"}},{cause:o})}}n(sa,"decryptJson");function ud(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(ud,"toOAuthDiscoveryState");function ld(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(ld,"clientInformationAllowsRedirectUri");function pd(e,t,r){let o=ne(e),a=ge(e,t),i=Cr(a.scopes,a.scopeDelimiter);return{client_name:wr(o.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}n(pd,"buildOAuthClientMetadata");function Cr(e,t){return e&&e.length>0?e.join(t):void 0}n(Cr,"joinOAuthScopes");function md(e,t){return t===void 0?e:{...e,scope:t}}n(md,"applyOAuthClientMetadataScope");function ca(e,t){return Cr(e?.resourceMetadata?.scopes_supported,t)}n(ca,"readResourceMetadataScope");function 
fd(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new P(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Ne.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(fd,"buildManualOAuthClientInformation");function hd(e,t,r){let o=Rr({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return pr(o)?o:void 0}n(hd,"buildClientMetadataUrl");function da(e){for(let t of e)if(t!==void 0)return t}n(da,"firstDefined");function gd(e){let t=ge(e.target.upstreamServerId,e.target.authProfileId),r=pd(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri),o=Cr(t.scopes,t.scopeDelimiter);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:fd({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let a=hd(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return a===void 0?{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:a}}n(gd,"buildInitialOAuthClientSetup");function yd(e,t){if(t===void 0)return da([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(yd,"readEncryptedClientInformation");function _d(e){return da([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(_d,"readEncryptedDiscoveryState");var 
ye=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=gd({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=yd(t,this.configuredClientInformation),this.encryptedDiscoveryState=_d(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return md(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return Vo({id:t.id,...je({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await ia(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async 
saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.inferredScope=ca(t,this.scopeDelimiter),this.encryptedDiscoveryState=await ia(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=xe.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,a=r.refresh_token?await Tt(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:xe.parse({...r,refresh_token:await rt(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let i={id:this.connection?.id??io(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Tt(r.access_token),encryptedRefreshToken:a,scopes:sd(r.scope??this.readEffectiveScope()),expiresAt:dd(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await S().upsertUpstreamConnection(i)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:cd(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new g({message:"OAuth code verifier is missing",extensionMembers:{[_]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await 
this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:so(),...je({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:b(new Date(Date.now()+Ko)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await S().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await sa(this.encryptedClientInformation,nd)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!ld(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return 
this.cachedDiscoveryState;try{this.cachedDiscoveryState=ud(await sa(this.encryptedDiscoveryState,od))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=ca(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await rt(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await rt(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=xe.parse({access_token:t??id,token_type:ad,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await 
S().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var wd=3e4,Rd=256*1024,bd=2;function Sd(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(Sd,"hasUsableAccessToken");var vd="does not support dynamic client registration",Cd=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],Id=["HTTP 403 Forbidden","Access Denied","permission to access"];function xd(e){return e instanceof Error&&e.message.includes(vd)}n(xd,"isDynamicClientRegistrationUnsupported");function Ad(e){return e instanceof Error&&Cd.some(t=>e.message.includes(t))}n(Ad,"isProtectedResourceMetadataUnavailable");function Ud(e){return e instanceof Error&&Id.some(t=>e.message.includes(t))}n(Ud,"isUpstreamProviderAccessDenied");function kd(e){if(e.error instanceof g&&e.error.extensionMembers?.[_]!==void 0)return e.error;if(xd(e.error))return new g({message:`The authorization server for ${e.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[_]:"upstream_client_registration_required"}},{cause:e.error});if(Ad(e.error))return new g({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". 
Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[_]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(Ud(e.error))return new g({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[_]:"upstream_provider_access_denied"}},{cause:e.error})}n(kd,"mapUpstreamOAuthSetupError");function Td(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(Td,"readOAuthFetchRequest");function Pd(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(Pd,"responseLooksJson");function Ed(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(Ed,"responseLooksHtml");function Od(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new g({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting ${e.upstreamServerId}.`,extensionMembers:{[_]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[ve]:e.response.status,[be]:r,[Ce]:e.request.url.toString(),[Se]:e.body}})}n(Od,"throwUpstreamHtmlError");function ua(e){return async(t,r)=>{let o=Td(t),a=await fo(t,r,{maxRedirects:bd,maxResponseBytes:Rd,problemCode:"upstream_token_exchange_failed",timeoutMs:wd}),i=await a.clone().text();if(!a.ok&&Ed(a,i)&&Od({upstreamServerId:e,request:o,response:a,body:i}),!Pd(a,i))return a;try{JSON.parse(i)}catch(s){throw new g({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned 
invalid JSON.`,extensionMembers:{[_]:"upstream_token_exchange_failed"}},{cause:s})}return a}}n(ua,"createUpstreamOAuthFetch");async function la(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:ua(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await lr(e,r)}catch(r){let o=kd({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(la,"runUpstreamOAuth");async function qd(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:ua(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),lr(e,r)}n(qd,"exchangeUpstreamAuthorizationCode");async function pa(e,t){let r=await la(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new g({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}}):new g({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}})}n(pa,"requireUpstreamAuthorizationRedirect");async function ma(e){if(!e.forceRefresh&&Sd(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await la(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new g({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new 
g({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Bd({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(ma,"authorizeUpstreamOAuthSession");async function Md(e){let t=await Ut(e.stateToken),r=await S().consumeUpstreamOAuthState({id:t.id,now:b(new Date)}),o=Dd(r);return Hd({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),zd(o),o}n(Md,"consumeStoredCallbackState");function Dd(e){switch(e.kind){case"consumed":throw new g({message:"OAuth state has already been used",extensionMembers:{[_]:"oauth_state_reused"}});case"missing":throw new g({message:"OAuth state is missing or expired",extensionMembers:{[_]:"oauth_state_expired"}});case"available":return e.record}}n(Dd,"readConsumedCallbackState");function Hd(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new g({message:"OAuth callback did not match the initiating request",extensionMembers:{[_]:"oauth_callback_mismatch"}})}n(Hd,"assertStoredCallbackStateMatches");function zd(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new 
g({message:"OAuth state has expired",extensionMembers:{[_]:"oauth_state_expired"}})}n(zd,"assertStoredCallbackStateFresh");async function Bd(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),ea(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),kt(t)}n(Bd,"buildOAuthConnectRequiredResponse");async function fa(e){let t=await Md({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=wt(t),[o]=await S().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(a.connection=o);let i=new ye(a),s=await qd(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new g({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}}):new g({message:`OAuth callback flow did not finish authorization for 
${e.upstreamServerId}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}})}n(fa,"finishUpstreamOAuthCallback");async function ha(e){let t=ne(e.upstreamServerId),r=ge(e.upstreamServerId,e.authProfileId),o=ta(r.redirectPath,e.request.url,e.request.headers),a="preloadedConnection"in e?e.preloadedConnection:(await S().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:U(e.request.url,e.request.headers)}}}n(ha,"prepareUpstreamOAuthRequest");async function ga(e){let t=await ha(e),r=new ye({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return pa(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(ga,"startUpstreamConnect");async function ya(e){let t=await ha(e),r=new ye({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return ma({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(ya,"authorizeUpstreamRequest");async function ke(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return ya({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.requestedScope===void 
0?{}:{requestedScope:e.requestedScope},...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}let r=t;throw new D(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(ke,"resolveUpstreamCredentialForRoute");async function _a(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},o=G(e.connectRequest.authMode);switch(o.connectSupport){case"oauth_authorization":t=await ga(r);break;case"none":throw new D(o.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(_a,"startUpstreamConnectForRequest");async function wa(e){let r=(await Ut(e.callbackRequest.state)).authProfileId,o=yr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(G(o.mode).callbackSupport!=="authorization_code")throw new D(`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return fa({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:ne(e.callbackRequest.upstreamServerId)})}n(wa,"finishUpstreamCallbackForRequest");function jd(e){let 
t=G(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(jd,"buildRouteAuthBaseFromConnection");function ba(e){let t=G(e.connection.authMode);return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:ht(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(ba,"buildRouteAuthBaseFromPolicyOptions");function Pt(e,t){let o=$().byOperationId.get(t);if(!o)throw new P(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new P(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new P(`MCP route "${t}" does not bind upstream "${e}". 
Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return jd({connection:o.connection,operationId:t})}n(Pt,"resolveRouteAuthBase");function Ra(e,t){switch(e){case"user":return _t(t);case"shared":return to()}}n(Ra,"buildOwnerForSubject");function Te(e,t){switch(e.ownerMode){case"shared":return{...e,owner:Ra(e.ownerMode,t),initiatedBySubjectId:t};case"user":return{...e,owner:Ra(e.ownerMode,t),initiatedBySubjectId:t}}}n(Te,"resolveRouteAuthForSubject");var Ld=Be.InvalidRequest,Nd=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function $d(e,t){return{credentialType:e.type,forceRefresh:t,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}n($d,"buildCredentialResolvedAttributes");function Gd(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(Gd,"connectRequiredReasonCode");function Sa(e){v(e.context,{eventType:R.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:$d(e.credential,e.forceRefresh===!0)})}n(Sa,"emitCredentialResolvedAnalyticsEvent");function va(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(v(e.context,{eventType:R.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){v(e.context,{eventType:R.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}v(e.context,{eventType:R.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:Gd(e.payload.state),reasonClass:"auth",attributes:t})}n(va,"emitCredentialMissingAnalyticsEvents");function Zd(e){let t=e.route.raw();return 
pt.parse(t?.operationId)}n(Zd,"readOperationId");async function Fd(e,t,r,o){let a=await ke({request:e,routeAuth:t});if(a.kind==="connect_required")return va({context:o,payload:a.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:a.payload};let i=a.credential;switch(Sa({context:o,credential:i,routeBinding:t}),i.type){case"none":return{kind:"headers",headers:[]};case"bearer_token":return{kind:"headers",headers:[["authorization",`Bearer ${i.token}`]]};case"headers":return{kind:"headers",headers:Object.entries(i.headers)};case"mcp_oauth_provider":{let s=await i.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}}}n(Fd,"buildCredentialHeaders");var Kd=new Set(["authorization","cookie","cookie2"]);function Jd(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(Jd,"readJsonRequestMethod");function Wd(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(Wd,"isJsonResponse");function Ir(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(Ir,"isRecord");function Vd(e){return Array.isArray(e)&&e.length>0}n(Vd,"hasIconList");function Yd(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=xt(Cn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(Yd,"readFallbackServerIcons");function Xd(e){if(!Ir(e.body))return e.body;let t=e.body.result;if(!Ir(t))return 
e.body;let r=t.serverInfo;return!Ir(r)||Vd(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(Xd,"addMissingServerIcons");function Qd(e,t){let r=new Headers(e.headers);for(let o of Kd)r.delete(o);for(let[o,a]of t)r.set(o,a);return new sn(e,{headers:r})}n(Qd,"applyUpstreamHeaders");function eu(e){let t=new Headers(e.headers);for(let r of Nd)t.delete(r);return t}n(eu,"buildProxyHeaders");async function tu(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(tu,"readRetryBody");function Ca(e,t){let r=t.authUrl===void 0?void 0:_o({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(St({id:yo(e),error:{code:r?.code??Ld,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(Ca,"connectRequiredJsonRpcResponse");async function ru(e){let{scope:t}=To(e.upstreamResponse),r=await ke({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0,...t===void 0?{}:{requestedScope:t}});if(r.kind==="connect_required")return va({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),a=r.credential;switch(Sa({context:e.context,credential:a,routeBinding:e.routeAuth,forceRefresh:!0}),a.type){case"none":return o.delete("authorization"),{kind:"headers",headers:o};case"bearer_token":return o.set("authorization",`Bearer ${a.token}`),{kind:"headers",headers:o};case"headers":for(let[i,s]of Object.entries(a.headers))o.set(i,s);return{kind:"headers",headers:o};case"mcp_oauth_provider":{let i=await a.provider.tokens();return i?(o.set("authorization",`${i.token_type??"Bearer"} ${i.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after 
refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}}}n(ru,"applyRefreshedCredentialHeaders");function nu(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await ru({request:e.request,context:e.context,headers:eu(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return Ca(e.requestBody,o.payload);if(o.kind==="response")return o.response;let a=In({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return ct.fetch(a.url,a.init)})}n(nu,"installUpstreamAuthRetryHook");function ou(e){if(Jd(e.requestBody)!=="initialize")return;let t=Yd({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!Wd(r))return r;let o;try{o=await r.clone().json()}catch{return r}let a=Xd({body:o,icons:t});if(a===o)return r;let i=new Headers(r.headers);return i.delete("content-length"),new Response(JSON.stringify(a),{status:r.status,statusText:r.statusText,headers:i})})}n(ou,"installInitializeIconHook");async function xr(e,t,r){let o=Zd(t),a=await tu(e),i=ba({connection:r,operationId:o}),s=Ie(e.user,e.url,e.headers);jn(t,s);let c=Te(i,s.subjectId),l=await Fd(e,c,r,t);if(!(l instanceof Response)&&l.kind==="connect_required")return Ca(a,l.payload);if(l instanceof Response)return l;let m=Qd(e,l.headers);return nu({request:m,context:t,requestBody:a,routeAuth:c}),ou({context:t,requestBody:a,connection:r}),m}n(xr,"mcpTokenExchangePolicy");var Ar=class extends ut{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Pn(t,r);super(o,r)}async handler(t,r){return dt("policy.inbound.mcp-token-exchange"),xr(t,r,this.options)}};B();var Ia=Symbol("Html");function au(e){return e.replaceAll("&","&").replaceAll("<","<").replaceAll(">",">").replaceAll('"',""").replaceAll("'","'")}n(au,"escapeHtml");function iu(e){return e===null||typeof e!="object"?!1:e[Ia]===!0}n(iu,"isHtml");function Et(e){return 
e==null||e===!1?"":Array.isArray(e)?e.map(Et).join(""):iu(e)?e.value:au(String(e))}n(Et,"renderValue");function F(e){return{[Ia]:!0,value:e}}n(F,"trustedHtml");var k=F("");function y(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Et(t[o]),r+=e[o+1]??"";return F(r)}n(y,"html");function xa(e,t=k){let r=Et(t),o="",a=!0;for(let i of e)a||(o+=r),o+=Et(i),a=!1;return F(o)}n(xa,"joinHtml");function Pe(e){return e.value}n(Pe,"renderHtml");function Aa(e){return y`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(Aa,"renderBrowserErrorPage");var Ee=F('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px 
#0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint 
strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback 
svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 
0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 
4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 
10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 
0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Oe(e){return y`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
|
|
26
26
|
${e.styles}
|
|
27
|
-
</style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(ve,"renderShell");var lr="zuplo.com";function ei(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(ei,"s2FaviconHref");function Mc(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(Mc,"strictFaviconHref");var bt=ei(lr);function Ct(e){let t=e.toLowerCase();return t===lr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?ei(lr):Mc(e)}n(Ct,"resolveIconHref");function St(e){return b`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(St,"renderShellIcon");var zc="text/html; charset=utf-8";function xe(e){try{return new URL(e).host}catch{return""}}n(xe,"safeHostFromUrl");function $(e){let t=Ct(e.host),r=Dc(e.kind??"authorization_failed");return new Response(Ce(ve({title:e.title??r.title,iconHref:t,styles:Se,headerIcon:St({iconHref:t,fallbackIconHref:bt}),heading:e.title??r.title,subhead:"",body:Qo({code:e.code??"unknown",detail:e.detail,guidance:b`<p class="card__description">${r.guidance}</p>`,action:Hc(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":zc,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n($,"browserErrorPageResponse");function Dc(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. 
Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. 
If this keeps happening, contact your gateway administrator with this error code."}}}n(Dc,"readBrowserErrorPagePresentation");function Hc(e){return e===void 0?he:b`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(Hc,"renderAction");var ti="application/json",Bc="application/x-www-form-urlencoded";function vt(e,t){return new y({message:e,extensionMembers:{[w]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(vt,"invalidRequestError");function Lc(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(Lc,"normalizeContentType");function jc(e,t){return e===t?!0:t===ti&&e.endsWith("+json")}n(jc,"contentTypeMatches");function Nc(e,t){if(!t||t.length===0)return;let r=Lc(e.headers.get("content-type"));if(!t.some(o=>jc(r,o)))throw vt(`Request body must be ${t.join(" or ")}.`)}n(Nc,"assertExpectedContentType");function Gc(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw vt(`${r} exceeded the maximum allowed size.`)}n(Gc,"assertContentLengthWithinLimit");async function ri(e,t){let r=t.label??"Request body";Nc(e,t.expectedContentTypes),Gc(e,t.maxBytes,r);let o=await $n(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>vt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(ri,"readBoundedTextBody");async function ni(e,t){let r=await ri(e,{...t,expectedContentTypes:[ti]});try{return JSON.parse(r)}catch(o){throw vt("Request body must be valid JSON.",o)}}n(ni,"readBoundedJsonBody");async function oi(e,t){let r=await ri(e,{...t,expectedContentTypes:[Bc]});return new URLSearchParams(r)}n(oi,"readBoundedFormUrlEncodedBody");z();z();import{errors as ui,jwtVerify as li,SignJWT as pi}from"jose";z();import{errors as $c,jwtVerify as Zc,SignJWT as Fc}from"jose";var 
mr="zuplo_mcp_session",Kc=d.object({purpose:d.literal("gateway_browser_session"),sub:st,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()});function Wc(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let i=r.slice(0,o).trim(),a=r.slice(o+1).trim();if(i)try{t.set(i,decodeURIComponent(a))}catch{t.set(i,a)}}return t}n(Wc,"parseCookieHeader");async function ii(){return G({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>re(e,"browser-session"),"derive")})}n(ii,"getBrowserSessionKey");function pr(e){let t=new URL(I(e)),r=[`${mr}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(pr,"buildBrowserSessionEvictionCookie");function Jc(e){let t=new URL(I(e.requestUrl)),r=[`${mr}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(Jc,"serializeSessionCookie");function ai(){return new URL(lt("url")).origin}n(ai,"readBrowserLoginOrigin");function fr(){return D().browserLogin.stateTtlSeconds}n(fr,"readBrowserLoginStateTtlSeconds");function si(e){if(!e.user)throw g("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return ct(e.user,e.url)}n(si,"resolveCurrentRequestPrincipal");async function xt(e,t={}){let r=Wc(e.headers.get("cookie")).get(mr);if(!r)return{};try{let{payload:o}=await Zc(r,await ii(),{algorithms:[M],issuer:T,audience:q}),i=Kc.parse(o);if(i.browserLoginOrigin!==ai())return{evictCookie:pr(e.url)};let a={subjectId:i.sub};return i.roles&&i.roles.length>0&&(a.roles=i.roles),{principal:a}}catch(o){return o instanceof $c.JWTExpired?{evictCookie:pr(e.url)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof 
Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:pr(e.url)})}}n(xt,"readBrowserSession");async function It(e){let t=D().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:ai()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new Fc(r).setProtectedHeader({alg:M,typ:"JWT"}).setIssuer(T).setAudience(q).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await ii());return Jc({value:o,requestUrl:e.requestUrl,ttlSeconds:t})}n(It,"createBrowserSessionCookie");async function ci(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await xt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw g("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");let{exchangeFederatedAuthorizationCode:i}=await import("../browser-login-idp-HWMCSYMR.js");return i({code:o,nonce:e.stateId,requestUrl:e.request.url,...e.context===void 0?{}:{context:e.context}})}n(ci,"resolveBrowserLoginCallbackPrincipal");function di(e){let t=D().browserLogin,r=new URL(lt("url")),o=new URL("/oauth/callback",wn(e.requestUrl));return An(r)?(r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",lt("clientId")),r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}n(di,"buildBrowserLoginUrl");var Vc={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},p=class extends 
Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=Vc[t],i){super(r,i),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var Yc=5*60,Xc=d.object({purpose:d.literal("gateway_browser_login"),transactionId:Mt,stateId:zt,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Qc=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:Mt,stateId:zt,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function mi(){return G({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>re(e,"browser-login"),"derive")})}n(mi,"getBrowserLoginKey");async function fi(){return G({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>re(e,"authorization-csrf"),"derive")})}n(fi,"getCsrfKey");function hi(e){return{now:e.now??new Date,ttlSeconds:fr()}}n(hi,"readPendingTransactionDependencies");function ed(e,t){return e.subjectId===t.subjectId}n(ed,"principalsMatch");function gi(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(gi,"toPendingPrincipal");function yi(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:_(e.now),expiresAt:_(F(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw g("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:gi(e.principal)}}n(yi,"createTransactionRecord");async function wi(e){let{id:t,...r}=e.record,o=await R().startAuthorization({...r,transactionId:t,...e.client===void 
0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw g("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new p("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new p("invalid_request","redirect_uri is not registered for the client.")}}n(wi,"startPendingTransaction");async function td(e){return new pi({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:M,typ:"JWT"}).setIssuer(T).setAudience(q).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await mi())}n(td,"signBrowserLoginState");async function _i(e){return new pi({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Ht()}).setProtectedHeader({alg:M,typ:"JWT"}).setIssuer(T).setAudience(q).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await fi())}n(_i,"signCsrfToken");async function hr(e){try{let{payload:t}=await li(e,await mi(),{algorithms:[M],issuer:T,audience:q}),r=Xc.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof ui.JWTExpired?g("oauth_state_expired","Browser login state has expired.",t):g("oauth_state_invalid","Browser login state could not be verified.",t)}}n(hr,"verifyBrowserLoginStateToken");async function At(e){try{let{payload:t}=await li(e,await fi(),{algorithms:[M],issuer:T,audience:q});return{transactionId:Qc.parse(t).transactionId}}catch(t){throw t instanceof ui.JWTExpired?g("oauth_state_expired","Authorization setup state has expired.",t):g("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(At,"verifyCsrfToken");function gr(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(gr,"pendingStateErrorCode");function rd(e){return 
e.kind==="available"?{kind:"available",record:e.transaction}:e}n(rd,"toPendingAuthorizationGetResult");function nd(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(nd,"toPendingAuthorizationAdvanceResult");function yr(e){return e==="principal_mismatch"?"oauth_callback_mismatch":gr(e==="consumed_already"?"consumed_already":e)}n(yr,"setupDecisionErrorCode");async function Ri(e){let t=e.now??new Date,r=await At(e.csrfToken),o=await R().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await C(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:_(t)});if(o.kind!=="marked")throw g(yr(o.kind),"Authorization setup state is invalid, expired, or already used.");return bi({kind:"available",record:o.transaction})}n(Ri,"markSetupApproved");function bi(e){if(e.kind!=="available")throw g(gr(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(bi,"requireAwaitingSetup");function od(e){if(!ed(e.currentBrowserPrincipal,e.transaction.principal))throw g("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(od,"requireCurrentPrincipalMatches");async function Ci(e){let t=e.now??new Date,r=fr(),o=Dt(),i=Ht(),a=await td({transactionId:o,stateId:i,ttlSeconds:r}),s=yi({id:o,transaction:e.transaction,currentStateHash:await C(a),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await wi({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw g("oauth_state_invalid","Authorization transaction did not start in login 
phase.");return{transaction:c,browserLoginStateToken:a,browserLoginUrl:di({state:a,nonce:i,operationId:s.operationId,requestUrl:e.requestUrl})}}n(Ci,"startAwaitingLogin");async function Si(e){let{now:t,ttlSeconds:r}=hi(e),o=Dt(),i=await _i({transactionId:o,ttlSeconds:r}),a=yi({id:o,transaction:e.transaction,currentStateHash:await C(i),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(a.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await wi({record:a,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw g("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:i}}n(Si,"startAwaitingSetup");async function vi(e){let{now:t,ttlSeconds:r}=hi(e),o=await hr(e.browserLoginStateToken),i=await _i({transactionId:o.transactionId,ttlSeconds:r}),a=nd(await R().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await C(e.browserLoginStateToken),nextStateHash:await C(i),nextPhase:"awaiting_setup",principal:gi(e.principal),now:_(t)}));if(a.kind!=="advanced")throw g(gr(a.kind),"Browser login state is invalid, expired, or already used.");if(a.record.phase!=="awaiting_setup")throw g("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:a.record,csrfToken:i}}n(vi,"completeLogin");async function xi(e){let t=await wr(e);return od({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(xi,"getSetup");async function wr(e){let t=e.now??new Date,r=await At(e.csrfToken);return bi(rd(await R().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await C(e.csrfToken),now:_(t)})))}n(wr,"getSetupTransaction");async function id(e){let t=await At(e.csrfToken),r=W(),o=_(F(e.now,Yc)),i=await R().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await 
C(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await C(r),authorizationCodeExpiresAt:o,grantId:xn(),now:_(e.now)});if(i.kind!=="approved")throw g(i.kind==="cancelled"?"oauth_state_invalid":yr(i.kind),"Authorization setup state is invalid, expired, or already used.");let a=new URL(i.transaction.redirectUri);return a.searchParams.set("code",r),i.transaction.clientState&&a.searchParams.set("state",i.transaction.clientState),a}n(id,"createAuthorizationCodeRedirectWithDecision");async function ad(e){let t=await At(e.csrfToken),r=await R().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await C(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:_(e.now)});if(r.kind!=="cancelled")throw g(r.kind==="approved"?"oauth_state_invalid":yr(r.kind),"Authorization setup state is invalid, expired, or already used.");return sd({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(ad,"createCancelRedirectWithDecision");function sd(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(sd,"buildClientCancelRedirect");async function Ii(e){let t=e.now??new Date;return id({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(Ii,"approve");async function Ai(e){let t=e.now??new Date;return ad({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(Ai,"cancel");z();var 
cd=1e4,dd=5*1024,ud=2,ld=90*24*60*60,_r=["authorization_code","refresh_token"],Rr=["code"],pd=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(_r)).min(1).max(2).optional(),response_types:d.array(d.enum(Rr)).min(1).max(1).optional(),scope:d.literal(P).optional(),token_endpoint_auth_method:Sn.default("none")});function md(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&se(t))&&t.pathname!=="/"}catch{return!1}}n(md,"isCimdClientIdCandidate");function Ie(e,t="invalid_request",r="authorize"){if(fd(e))throw new p(t,"redirect_uris must not include raw whitespace or control characters.");let o;try{o=new URL(e)}catch{throw new p(t,"redirect_uris must be absolute URIs.")}if(o.hash||o.username||o.password)throw new p(t,"redirect_uris must not include credentials or fragments.");let i={source:r},a=bn({url:o,context:i});if(a.kind!=="rejected"){a.mode!=="strict"&&void 0;return}throw new p(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(Ie,"assertValidRedirectUri");function fd(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(fd,"hasForbiddenRawRedirectUriCharacter");async function hd(e){let{response:t,json:r}=await Fn(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:ud,maxResponseBytes:dd,timeoutMs:cd});if(!t.ok)throw g("invalid_request","CIMD metadata could not be fetched.");let o=vn.parse(r);for(let i of o.redirect_uris)Ie(i,"invalid_request","cimd");if(o.client_id!==e.clientId)throw g("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(hd,"fetchCimdMetadata");async function gd(e){let t=Gn(e),r=await hd({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(gd,"resolveCimdClient");async function Ut(e,t){let r=ee.parse(e);if(md(r)){if(!D().gateway.cimdEnabled)throw new p("invalid_client","OAuth client is 
not registered.");try{return await gd(r)}catch{throw new p("invalid_client","OAuth client is not registered.")}}let o=await R().readClient({clientId:r});if(o.kind==="found"){let i=o.client,a={kind:"dcr",clientId:r,metadata:{client_id:i.clientId,client_name:i.clientName,redirect_uris:i.redirectUris,token_endpoint_auth_method:i.tokenEndpointAuthMethod}};return i.hashedClientSecret&&(a.hashedClientSecret=i.hashedClientSecret),a}throw new p("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}n(Ut,"resolveClient");function Ui(e,t){if(!e.metadata.redirect_uris.some(r=>In(r,t)))throw g("invalid_request","redirect_uri is not registered for the client.")}n(Ui,"assertRedirectRegistered");function yd(e){let t=ki(e.grant_types),r=e.response_types??[...Rr];if(!wd(t))throw new p("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!_d(r))throw new p("invalid_client_metadata","response_types must be code.");if(!Rd(e.scope))throw new p("invalid_client_metadata",`Only the ${P} scope is supported.`)}n(yd,"assertSupportedDcrRequest");function ki(e){return e===void 0?[..._r]:Array.from(new Set(e))}n(ki,"normalizeGrantTypes");function wd(e){return e.length===0?!1:e.every(t=>_r.includes(t))}n(wd,"isSupportedGrantTypes");function _d(e){return e.length===Rr.length&&e[0]==="code"}n(_d,"isSupportedResponseTypes");function Rd(e){return e===void 0||e===P}n(Rd,"isSupportedDcrScope");function Ke(e){if(e===void 0||e===P)return P;throw new p("invalid_request",`Only the ${P} scope is supported.`)}n(Ke,"assertSupportedOAuthScope");function Ae(e,t){let r;try{r=new URL(t)}catch{throw new p("invalid_target","resource must be an absolute URI.")}if(r.hash)throw new p("invalid_target","resource must not include a fragment.");if(r.protocol!=="https:"&&!se(r))throw new p("invalid_target","resource must use HTTPS except loopback HTTP resources in local 
development.");let o=I(e),i=yn(),a=i?[...i.byOperationId.values()].find(s=>new URL(s.routePath,o).toString()===t):void 0;if(!a)throw new p("invalid_target","resource must match a published MCP route.");return a}n(Ae,"resolveResource");async function Pi(e){let t;try{t=pd.parse(e)}catch(m){if(m instanceof d.ZodError){let v=m.issues.some(L=>L.path[0]==="redirect_uris");throw new p(v?"invalid_redirect_uri":"invalid_client_metadata",m.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:m})}throw m}yd(t);for(let m of t.redirect_uris)Ie(m,"invalid_redirect_uri","dcr");let r=new Date,o=ee.parse(`dcr:${crypto.randomUUID()}`),i=F(r,ld),a=Math.floor(r.getTime()/1e3),s=Math.floor(i.getTime()/1e3),c={client_id:o,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:ki(t.grant_types),response_types:["code"],scope:P,token_endpoint_auth_method:t.token_endpoint_auth_method,client_id_issued_at:a},l={clientId:o,clientName:String(c.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:t.token_endpoint_auth_method,createdAt:_(r),clientExpiresAt:_(i)};if(t.token_endpoint_auth_method!=="none"){let m=W();l.hashedClientSecret=await C(m),l.clientSecretExpiresAt=_(i),c.client_secret=m,c.client_secret_expires_at=s,c.client_secret_issued_at=a}if((await R().registerClient(l)).kind==="already_exists")throw g("invalid_request","OAuth client is already registered.");return c}n(Pi,"registerDownstreamClient");function Ti(e){return b`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(Ti,"renderActions");var _h=V('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" 
fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');var Rh=V('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),bh=V('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var Ch=V('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var bd="data:,",Oi=b`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,Ei=b`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function Cd(e,t){if(e)try{let r=new URL(t).origin,o=new URL(e,r);return o.origin!==r||!o.pathname.startsWith("/auth/connections/")?void 
0:o.toString()}catch{return}}n(Cd,"safeGatewayConnectHref");function Sd(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(Sd,"deriveMode");function vd(e){return Ti({state:e.state,submitOnceAttrs:Oi,authorizeAttrs:he})}n(vd,"renderActions");function br(e,t,r){for(let o of e){if(o.ownerMode!=="user"||o.status!==r)continue;let i=Cd(o.connectUrl,t);if(i)return i}}n(br,"firstUserConnectHref");function xd(e){let t=e.connectHref?b`<a class="button button--primary" href="${e.connectHref}" ${Ei}>Connect</a>`:b`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return b`<form class="actions" method="post" action="/oauth/setup" ${Oi}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(xd,"renderSetupActions");function Id(e){return e?b`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${Ei}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:he}n(Id,"renderReconnectAction");function Cr(e){let t=Sd(e.upstreams),r=br(e.upstreams,e.gatewayOrigin,"not_connected"),o=br(e.upstreams,e.gatewayOrigin,"reconsent_required"),i=br(e.upstreams,e.gatewayOrigin,"active"),a=t==="setup"?r??o:void 0,s=b`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>`,c=t==="setup"?b`<footer class="card__footer">${xd({state:e.state,connectHref:a})}</footer>`:b`<footer class="card__footer">${Id(i)}${vd({state:e.state})}</footer>`;return Ce(ve({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:bd,styles:Se,headerIcon:he,heading:"MCP Gateway",subhead:he,body:s,footer:c}))}n(Cr,"renderConsentPage");var 
Ad=1e4,qi="mcp-session-id",Ud,Mi;function Li(){return{tools:[],prompts:[],resources:[]}}n(Li,"emptyCapabilities");function zi(e){let t=new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":Bt});switch(e.type){case"none":return t;case"bearer_token":return t.set("authorization",`Bearer ${e.token}`),t;case"headers":for(let[r,o]of Object.entries(e.headers))t.set(r,o);return t;case"mcp_oauth_provider":throw new Error("MCP OAuth provider credentials require async headers.")}}n(zi,"buildCredentialHeaders");async function Di(e){if(e.type!=="mcp_oauth_provider")return zi(e);let t=await e.provider.tokens();if(!t)return;let r=zi({type:"none"});return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(Di,"buildAsyncCredentialHeaders");function Hi(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(ot.parse({jsonrpc:nt,id:1,method:"initialize",params:{protocolVersion:Bt,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(Hi,"buildInitializePreflight");async function Sr(e){Nn(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),Ad);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return Mi?await Mi(o):await Xe.fetch(o)}finally{clearTimeout(r)}}n(Sr,"runPreflight");function vr(e){e.body?.cancel().catch(()=>{})}n(vr,"releasePreflightBody");async function kd(e){let t=e.response.headers.get(qi);if(!t)return;let r=new Headers(e.headers);r.set(qi,t),r.delete("content-type");try{let o=await Sr(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));vr(o)}catch{}}n(kd,"terminatePreflightSession");async function ji(e){let{response:t}=e;return vr(t),t.status>=200&&t.status<300?(await kd(e),{kind:"ready",upstreamStatus:t.status,capabilities:Li()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured 
credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(ji,"classifyResponse");function Bi(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(Bi,"connectRequiredResult");async function Pd(e){try{return ji({response:await Sr(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Pd,"classifyPreflight");async function Td(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:Li()};let r=Rt(t.upstreamServerId,e.route.operationId),o=be(r,e.principal),i=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},a=await Re({request:new Request(e.requestUrl),routeAuth:i,preloadedConnection:e.preloadedConnection});if(a.kind==="connect_required")return Bi(a.payload);let s=await Di(a.credential);if(s===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let c=Hi({upstreamUrl:t.mcpUrl,headers:s}),l;try{l=await Sr(c)}catch(v){return{kind:"upstream_unavailable",message:v instanceof Error?v.message:"Upstream MCP server readiness preflight failed."}}if(l.status!==401)return ji({response:l,upstreamUrl:t.mcpUrl,headers:s});vr(l);let h=await Re({request:new Request(e.requestUrl),routeAuth:i,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(h.kind==="connect_required")return Bi(h.payload);let m=await Di(h.credential);return m===void 0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Pd({request:Hi({upstreamUrl:t.mcpUrl,headers:m}),upstreamUrl:t.mcpUrl,headers:m})}n(Td,"checkUpstreamRouteReadinessImpl");function 
Ni(e){return(Ud??Td)(e)}n(Ni,"checkUpstreamRouteReadiness");function Od(e){try{return new URL(e).host}catch{return}}n(Od,"safeUrlHost");function Ed(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}n(Ed,"readOAuthScopes");function Gi(e){return e!==void 0&&e.length>0}n(Gi,"hasItems");function qd(e){let t=e.serverInfo?.icons;return Gi(t)?t:void 0}n(qd,"readServerIcons");async function Md(e){if(!(e.returnTo===void 0||!e.isUserOwned))return nr({requestUrl:e.requestUrl,owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Md,"readConnectUrl");function ge(e,t){return t===void 0?{}:{[e]:t}}n(ge,"optionalRequirementField");function zd(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?Dn(e.connection):{connected:!0,status:"active"}}n(zd,"readSetupConnectionStatus");function Dd(e){let t=Ed(e);return Gi(t)?t:void 0}n(Dd,"readScopesRequested");function Hd(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(Hd,"readUpdatedAt");function Bd(){return{tools:[],prompts:[],resources:[]}}n(Bd,"readRouteCapabilities");async function Ld(e){let{authConfig:t,authMode:r,description:o,displayName:i,mcpUrl:a,upstreamServerId:s,authProfileId:c}=e.registeredConnection,l=ft(r),h=l==="user",m=zd({connection:e.connection,isUserOwned:h,readiness:e.readiness}),v=e.readiness?.connectUrl??await 
Md({...e,connected:m.connected,isUserOwned:h});return{upstreamServerId:s,authProfileId:c,authMode:r,ownerMode:l,upstreamDisplayName:i,status:m.status,connected:m.connected,capabilities:Bd(),...ge("description",o),...ge("transportHost",Od(a)),...ge("scopesRequested",Dd(t)),...ge("serverIcons",qd(e.registeredConnection)),...ge("connectUrl",v),...ge("updatedAt",Hd({connectionStatus:m,isUserOwned:h})),...ge("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(Ld,"buildSetupRequirement");function $i(e){let t=j().byOperationId.get(e);if(!t)throw g("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n($i,"requireRoute");async function xr(e){let t=$i(e.transaction.operationId),r=dt(e.transaction.principal.subjectId),o=[],i=new Map,a=t.connection;if(a===void 0)return[];ft(a.authMode)==="user"&&(i.set(a,o.length),o.push({owner:r,upstreamServerId:a.upstreamServerId,authProfileId:a.authProfileId}));let s=await R().batchGetUpstreamConnections(o),c=[],l=ft(a.authMode)==="user",h=i.get(a),m=await Ni({requestUrl:e.requestUrl,route:t,principal:e.transaction.principal,preloadedConnection:l&&h!==void 0?s[h]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),v=(()=>{if("connectionStatus"in m&&m.connectionStatus)return m.connectionStatus})(),L=(m.kind==="connect_required"||m.kind==="admin_setup_required")&&m.payload.authUrl!==void 0?m.payload.authUrl:void 0;return c.push(await Ld({connection:l&&h!==void 0?s[h]:void 0,registeredConnection:a,route:t,requestUrl:e.requestUrl,returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:v===void 0?void 0:{...v,...L===void 0?{}:{connectUrl:L}}})),c}n(xr,"requirementsForSetup");function jd(e){return e.route.connection?.displayName??e.route.operationId}n(jd,"readRouteDisplayName");async function Ir(e){let t=$i(e.transaction.operationId),r=jd({route:t}),o=await R().readClient({clientId:e.transaction.clientId}),i=o.kind==="found"?o.client:void 
0,a={gatewayOrigin:I(e.requestUrl),routeDisplayName:r,clientDisplayName:i?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(a.routeDescription=s),a}n(Ir,"consentContext");function Ar(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Ar,"hasUnresolvedUserUpstream");var Nd=["mcp_user"],Gd="dev-browser-user",$d=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Zd=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:Cn,state:d.string().min(1).optional(),scope:d.literal(P).default(P)}),Fd=d.enum(["continue","approve","cancel"]).default("continue"),Kd=d.object({state:d.string().min(1),decision:Fd}),oe=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function Zi(e){return typeof e=="string"&&e.length>0?e:void 0}n(Zi,"readQueryString");function Wd(e){let t=Array.from(j().byOperationId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return Lt(r.operationId,e.url)}n(Wd,"inferSingleRouteResource");function Jd(e,t){let 
r=Zi(e.query.resource);if(t===void 0){if(r!==void 0)return r;let i=Wd(e);if(i!==void 0)return i;throw new p("invalid_target",$d)}let o=Lt(t,e.url);if(r===void 0||r===o)return o;throw new p("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Jd,"requireAuthorizeResource");async function Vd(e,t){let r={};t!==void 0&&(r.context=t);let o=await xt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let i=si(e);return{principal:i,setCookie:await It({principal:i,requestUrl:e.url})}}n(Vd,"resolveBrowserPrincipal");async function Yd(e,t){let r={};t!==void 0&&(r.context=t);let o=await xt(e,r);if(!o.principal)throw g("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Yd,"requireSetupPrincipal");function Fi(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}n(Fi,"buildSetupReturnTo");async function Ki(e){let t=await xr({transaction:e.transaction,requestUrl:e.requestUrl,returnTo:Fi(e.csrfToken)}),r=await Ir({transaction:e.transaction,requestUrl:e.requestUrl}),o={kind:"setup_page",html:Cr({state:e.csrfToken,operationId:e.transaction.operationId,upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(Ki,"renderSetup");function Xd(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Xd,"toAuthorizationTransactionClient");async function Ur(e,t={}){let r=Zd.parse({...e.query,resource:Jd(e,t.operationId),state:Zi(e.query.state)}),o=Ke(r.scope);Ie(r.redirect_uri,"invalid_request","authorize");let i=new Date,a=ee.parse(r.client_id),s=await Ut(r.client_id,i);Ui(s,r.redirect_uri);try{let c=Ae(e.url,r.resource),l=Xd(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:a,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed 
and client resolved"),t.context&&A(t.context,{eventType:x.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type}});let h={clientId:s?.clientId??a,...l===void 0?{}:{client:l},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:m,setCookie:v}=await Vd(e,t.context);if(!m){let X=await Ci({transaction:h,requestUrl:e.url,now:i});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:a,operationId:c.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let Ye={kind:"redirect",location:X.browserLoginUrl};return v!==void 0&&(Ye.setCookie=v),Ye}let L=await Si({transaction:h,principal:m,now:i});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:a,operationId:c.operationId,subjectId:m.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&A(t.context,{eventType:x.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type,subjectId:m.subjectId}}),Ki({transaction:L.transaction,csrfToken:L.csrfToken,requestUrl:e.url,setCookie:v})}catch(c){throw Qd({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n(Ur,"authorizeDownstreamClient");function Qd(e){if(e.cause instanceof oe)return e.cause;let t=eu(e.cause);return t?new oe({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Qd,"toDownstreamAuthorizeRedirectError");function eu(e){if(e instanceof p)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let 
t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(eu,"mapToOAuthRedirectError");async function Wi(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let h=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,m=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...h===void 0?{}:{idpErrorDescription:h},...m===void 0?{}:{idpErrorUri:m}},"Identity provider redirected browser-login callback with an error"),g("provider_access_denied",h??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),g("oauth_state_invalid","Browser login callback is missing state.");let i=await hr(o),a={request:e,stateId:i.stateId};t.context!==void 0&&(a.context=t.context);let s=await ci(a),c=await vi({browserLoginStateToken:o,principal:s}),l=await Ki({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url});return l.setCookie=await It({principal:s,requestUrl:e.url}),l}n(Wi,"completeBrowserLoginCallback");async function Ji(e){let t=D(),r=new URL(e.url);if(!se(r))throw g("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw g("oauth_state_invalid","Local browser login is missing state.");let i=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",I(e.url)),a=new URL(I(e.url)).origin;if(i.origin!==a||i.pathname!=="/oauth/callback")throw g("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");i.searchParams.set("state",o);let 
s={subjectId:st.parse(Gd),roles:Nd};return{kind:"redirect",location:i,setCookie:await It({principal:s,requestUrl:e.url})}}n(Ji,"completeLocalDevBrowserLogin");function tu(e){let t=e.method==="POST"?e.body:e.query;return Kd.parse(t)}n(tu,"readSetupContinueRequest");async function Vi(e){let{state:t,decision:r}=tu({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,i=await wr({csrfToken:t,now:o}),a=await Yd(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await Ai({csrfToken:t,currentBrowserPrincipal:a,now:o})};let s=await xi({csrfToken:t,currentBrowserPrincipal:a,now:o}),c=await xr({transaction:s,requestUrl:e.request.url,returnTo:Fi(t)});if(r==="approve"&&Ar(c)&&await Ri({csrfToken:t,currentBrowserPrincipal:a,now:o}),Ar(c)){let l=await Ir({transaction:s,requestUrl:e.request.url});return{kind:"setup_page",html:Cr({state:t,operationId:s.operationId,upstreams:c,...l})}}return{kind:"redirect",location:await Ii({csrfToken:t,currentBrowserPrincipal:a,now:o})}}n(Vi,"continueDownstreamAuthorizeSetup");z();import{createLocalJWKSet as ru,decodeJwt as nu,errors as We,jwtVerify as ou}from"jose";var iu=new Set(["authorization_code","refresh_token"]),au="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",su=1e4,cu=32*1024,du=2,Yi=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),uu=d.discriminatedUnion("grant_type",[Yi.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:at,resource:d.url().optional(),scope:d.literal(P).optional()}),Yi.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(P).optional()})]);function lu(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!iu.has(t)))throw new 
p("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(lu,"assertSupportedGrantType");var pu=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),mu=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function Xi(){return D().gateway.accessTokenTtlSeconds}n(Xi,"readAccessTokenTtlSeconds");function fu(){return D().gateway.refreshTokenTtlSeconds}n(fu,"readRefreshTokenTtlSeconds");function hu(e,t){let r=Xi(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),i=Math.min(r,o);return{expiresAt:_(F(e,i)),expiresIn:i}}n(hu,"calculateAccessTokenExpiresAt");function Qi(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new p("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}}n(Qi,"readBasicClientSecret");function ea(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new p("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=nu(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new p("invalid_client","Malformed private_key_jwt client assertion.")}throw new p("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new p("invalid_client","Client authentication or client_id is 
required.")}n(ea,"resolveAuthenticatedClientId");function gu(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(gu,"resolveClientSecretInput");function yu(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(yu,"hasClientAssertion");function wu(e){if(e.requestUrl===void 0)throw new p("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,e.requestUrl);return t.search="",t.hash="",t.toString()}n(wu,"buildEndpointAudience");function _u(e){return e instanceof We.JWTExpired?"expired":e instanceof We.JWTClaimValidationFailed?"claim":e instanceof We.JWSSignatureVerificationFailed?"signature":e instanceof We.JWKSNoMatchingKey?"jwks_no_match":e instanceof We.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(_u,"readJwtFailureKind");async function Ru(e){let{response:t,json:r}=await Kn(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:du,maxResponseBytes:cu,timeoutMs:su});if(!t.ok)throw new p("invalid_client","Client JWKS could not be fetched.");return mu.parse(r)}n(Ru,"fetchClientJwks");async function bu(e){if(e.clientAssertionType!==au||e.clientAssertion===void 0)throw new p("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=ee.parse(e.clientId),r=await Ut(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new p("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new p("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let 
i=wu({requestUrl:e.requestUrl,pathname:e.endpointPathname});try{let a=await Ru({jwksUri:o,context:e.context});await ou(e.clientAssertion,ru(a),{issuer:t,subject:t,audience:i,currentDate:e.now})}catch(a){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:_u(a)},"OAuth private_key_jwt client authentication failed"),new p("invalid_client","Client authentication failed.")}return{method:"private_key_jwt",clientId:t}}n(bu,"verifyPrivateKeyJwtClientAssertion");async function Cu(e){let t=ee.parse(e.clientId);return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await C(e.clientSecret)}}n(Cu,"buildRuntimeHttpClientAuth");async function ta(e){if(yu({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return bu(e)}let t=gu({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return Cu({clientId:e.clientId,...t})}n(ta,"resolveRuntimeHttpClientAuth");async function ra(e){lu(e.body);let t=uu.parse(e.body),r=Qi(e.authorizationHeader),o=ea({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date,a=await ta({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,endpointPathname:"/oauth/token",now:i,context:e.context});return Su({parsed:t,clientId:o,clientAuth:a,now:i,requestUrl:e.requestUrl,context:e.context})}n(ra,"exchangeDownstreamToken");async function Su(e){if(e.parsed.grant_type==="authorization_code"){Ie(e.parsed.redirect_uri,"invalid_request","token"),Ke(e.parsed.scope),e.parsed.resource!==void 
0&&Ae(e.requestUrl??e.parsed.resource,e.parsed.resource);let s=W(),c=W(),l=_(F(e.now,fu())),h=hu(e.now,l),m=await R().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await C(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await jn(e.parsed.code_verifier),currentRefreshTokenHash:await C(s),accessTokenHash:await C(c),grantExpiresAt:l,accessTokenExpiresAt:h.expiresAt,now:_(e.now)});if(m.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(m.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the authorization code resource.");if(m.kind!=="exchanged")throw new p("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&A(e.context,{eventType:x.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:c,token_type:"Bearer",expires_in:h.expiresIn,refresh_token:s,scope:m.grant.scope,resource:m.grant.resource}}Ke(e.parsed.scope),e.parsed.resource!==void 0&&Ae(e.requestUrl??e.parsed.resource,e.parsed.resource);let t=W(),r=W(),o=_(F(e.now,Xi())),i=await R().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await C(e.parsed.refresh_token),nextRefreshTokenHash:await C(t),accessTokenHash:await C(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:o,now:_(e.now)});if(i.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new p("invalid_grant","Refresh token is invalid, expired, or revoked.");Ae(e.requestUrl??i.grant.resource,i.grant.resource);let a=i.accessToken.expiresAt;return 
e.context&&(A(e.context,{eventType:x.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),A(e.context,{eventType:x.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(a).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:i.grant.scope,resource:i.grant.resource}}n(Su,"exchangeDownstreamTokenWithRuntimeHttp");async function na(e){let t=pu.parse(e.body),r=Qi(e.authorizationHeader),o=ea({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date;if((await R().revokeOAuthToken({clientAuth:await ta({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,endpointPathname:"/oauth/revoke",now:i,context:e.context}),tokenHash:await C(t.token),now:_(i)})).kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&A(e.context,{eventType:x.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(na,"revokeDownstreamToken");var vu=64*1024,xu=16*1024,Iu="text/html; charset=utf-8";function Au(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(Au,"formDataToObject");async function Uu(e){return ni(e,{maxBytes:vu,label:"Request body"})}n(Uu,"readJsonBody");async function kr(e){return Au(await oi(e,{maxBytes:xu,label:"Request body"}))}n(kr,"readFormBody");async function oa(e,t,r){let o=ce(r),i=r instanceof d.ZodError?kt(r):void 0,a={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return i!==void 
0&&(a.detail=i),Rn(e,t,a)}n(oa,"handleProblem");function Je(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(Je,"oauthErrorResponse");function ku(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(ku,"readOAuthProtocolHeaders");function Pu(e,t){let r=H("internal_server_error");return Je({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:ku(e,t)})}n(Pu,"oauthProtocolErrorResponse");function ia(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(ia,"readZodOAuthErrorCode");function Tu(e){let t={error:ia(e)},r=kt(e);return r!==void 0&&(t.errorDescription=r),Je(t)}n(Tu,"oauthZodErrorResponse");function Ou(e){let t=ce(e);if(t===void 0)return;let r=H(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:qu(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,Je(o)}n(Ou,"oauthGatewayProblemResponse");function Eu(){let t={error:"server_error",status:500,errorDescription:H("internal_server_error").publicDetail};return Je(t)}n(Eu,"oauthFallbackErrorResponse");function qu(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(qu,"readOAuthStatus");function Pr(e,t={}){return e instanceof oe?ca(e):e instanceof p?Pu(e,t):e instanceof d.ZodError?Tu(e):Ou(e)??Eu()}n(Pr,"oauthProblemResponse");function Tr(e,t){let r=xe(e.url);if(t instanceof oe)return ca(t);if(t instanceof p){let a=H("internal_server_error");return $({host:r,kind:Mu(t.errorCode),title:"Authorization 
failed",detail:t.errorCode==="server_error"?a.publicDetail:t.message,code:t.errorCode,status:t.status})}if(t instanceof d.ZodError)return $({host:r,kind:"invalid_request",detail:kt(t)??"The authorization request was invalid.",code:ia(t)});let o=ce(t);if(o!==void 0){let a=H(o);return $({host:r,kind:sa(o),detail:a.status<500&&t instanceof Error?t.message:a.publicDetail,code:a.oauthError??o,status:a.status})}let i=H("internal_server_error");return $({host:r,kind:"internal_error",detail:i.publicDetail,code:"server_error",status:i.status})}n(Tr,"browserOAuthProblemResponse");function aa(e,t){let r=xe(e.url),o=ce(t);if(o!==void 0){let a=H(o);return $({host:r,kind:sa(o),detail:a.status<500&&t instanceof Error?t.message:a.publicDetail,code:o,status:a.status})}if(t instanceof d.ZodError)return $({host:r,kind:"invalid_request",detail:kt(t)??"The authorization request was invalid.",code:"invalid_request"});let i=H("internal_server_error");return $({host:r,kind:"internal_error",detail:i.publicDetail,code:"internal_server_error",status:i.status})}n(aa,"browserGatewayProblemResponse");function Mu(e){return e==="server_error"?"internal_error":"invalid_request"}n(Mu,"readOAuthBrowserErrorKind");function 
sa(e){if(H(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(sa,"readGatewayBrowserErrorKind");function Y(e,t,r){let o={event:t},i=!1;if(r instanceof p)o.oauthError=r.errorCode,o.status=r.status,K(o,"error",r);else if(r instanceof oe)o.oauthError=r.errorCode,K(o,"error",r);else if(r instanceof d.ZodError){o.code="invalid_request",K(o,"error",r);let a=r.issues[0];a&&(o.zodPath=a.path.join("."))}else{let a=ce(r);if(a!==void 0){let s=H(a);o.code=a,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),i=s.status>=500||s.oauthError==="server_error",K(o,"error",r)}else i=!0,K(o,"error",r)}if(i){let a=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,a.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(Y,"logUnexpectedOAuthHandlerError");function ca(e){let t;try{t=new URL(e.redirectUri)}catch{return Je({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 
0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(ca,"downstreamAuthorizeRedirectErrorResponse");function kt(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(kt,"formatZodErrorDetail");function zu(e,t){let r={event:"browser_login_callback_failed",code:ce(t)??"invalid_request"};K(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(zu,"logBrowserLoginCallbackFailure");function da(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(da,"redirectResultResponse");function Pt(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":Iu,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return da(e)}n(Pt,"authorizeResultResponse");async function ua(e,t){try{return Response.json(Un(e.url))}catch(r){return Y(t,"oauth_authorization_server_metadata_failed",r),oa(e,t,r)}}n(ua,"authorizationServerMetadataHandler");async function la(e,t){try{let r=jt(e.params.routePath);return Response.json(kn({operationId:r.operationId,requestUrl:e.url}))}catch(r){return Y(t,"oauth_authorization_server_metadata_failed",r),oa(e,t,r)}}n(la,"scopedAuthorizationServerMetadataHandler");async function pa(e,t){try{let r=await Pi(await Uu(e)),o=r,i=typeof o.client_id=="string"?o.client_id:void 0,a=typeof o.client_name=="string"?o.client_name:void 0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return 
t.log.info({event:"oauth_dcr_client_registered",clientId:i,clientName:a,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),A(t,{eventType:x.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:a,attributes:{clientId:i,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return Y(t,"oauth_register_failed",r),Pr(r)}}n(pa,"registerHandler");async function ma(e,t){try{return Pt(await Ur(e,{context:t}))}catch(r){return Y(t,"oauth_authorize_failed",r),Tr(e,r)}}n(ma,"authorizeHandler");async function fa(e,t){try{let r=jt(e.params.routePath);return Pt(await Ur(e,{operationId:r.operationId,context:t}))}catch(r){return Y(t,"oauth_authorize_scoped_failed",r),Tr(e,r)}}n(fa,"scopedAuthorizeHandler");async function ha(e,t){try{let r=await Wi(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Pt(r)}catch(r){return zu(t,r),aa(e,r)}}n(ha,"callbackHandler");async function ga(e,t){try{return da(await Ji(e))}catch(r){return Y(t,"oauth_dev_login_failed",r),Tr(e,r)}}n(ga,"devLoginHandler");async function ya(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Vi({request:e,body:e.method==="POST"?await kr(e):void 0,context:t});return Pt(r)}catch(r){return Y(t,"oauth_setup_failed",r),aa(e,r)}}n(ya,"setupHandler");async function wa(e,t){try{return Response.json(await ra({body:await kr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return Y(t,"oauth_token_failed",r),Pr(r)}}n(wa,"tokenHandler");async function _a(e,t){try{return await na({body:await kr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,context:t}),new 
Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return Y(t,"oauth_revoke_failed",r),Pr(r)}}n(_a,"revokeHandler");var Du={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},Ra=new Nr("upstream-request");function Hu(e){let t=Ra.get(e);if(!t)throw new E("Upstream request context has not been set");return t}n(Hu,"readUpstreamRequestContext");function Bu(e,t){return t.some(r=>r===e)}n(Bu,"requestContextMatchesKind");function Lu(e){return typeof e=="string"?[e]:e}n(Lu,"toExpectedKinds");function Ue(e,t){Ra.set(e,t)}n(Ue,"setUpstreamRequestContext");function Ve(e,t){let r=Hu(e),o=Lu(t);if(!Bu(r.kind,o)){let i=Du[o[0]];throw new E(`${i} request context has not been set`)}return r}n(Ve,"requireUpstreamRequestContext");function ba(e){return b`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(ba,"renderBrowserResult");var ju="text/html; charset=utf-8",Nu="none";function Gu(e){let t=Ct(e.host);return ve({title:e.title,iconHref:t,styles:Se,headerIcon:St({iconHref:t,fallbackIconHref:bt}),heading:e.title,subhead:"",body:ba({body:e.body,code:e.code??Nu}),footer:""})}n(Gu,"browserResultHtml");function $u(e,t=200){return new Response(Ce(e),{status:t,headers:{"content-type":ju,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n($u,"browserResultResponse");function Ca(e){return $u(Gu(e))}n(Ca,"browserConnectionSuccessResponse");function Tt(e,t){let r=_n(t);return $({host:e,kind:Zu(t),detail:r.body,code:t})}n(Tt,"browserConnectionFailureResponse");function 
Zu(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed"}}n(Zu,"readCallbackFailureBrowserErrorKind");var Fu=["callback_authorization_code","callback_provider_error","callback_invalid"];function Ku(e){return"cause"in e?e.cause:void 0}n(Ku,"readErrorCause");function Wu(e){return e.stack?.split(`
|
|
28
|
-
`).slice(1,4).map(t=>t.trim()).join(" | ")}n(Wu,"readFirstStackFrame");function Sa(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=Wu(r))}n(Sa,"addErrorAttributes");function Or(e){if(!(e instanceof y))return;let t=e.extensionMembers?.[w];return rn(t)?t:void 0}n(Or,"readRuntimeGatewayCode");function Ju(e,t,r){switch(t.kind){case"callback_provider_error":return e.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:t.upstreamServerId,providerError:t.error,...t.errorDescription===void 0?{}:{providerErrorDescription:t.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),A(e,{eventType:x.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:t.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:t.error,errorDescription:t.errorDescription}}),Tt(r,"provider_access_denied");case"callback_invalid":return e.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:t.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Tt(r,"oauth_state_invalid");case"callback_authorization_code":return t}}n(Ju,"requireAuthorizationCallbackRequest");function Vu(e,t){A(e,{eventType:x.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(Vu,"emitCallbackReceivedAnalyticsEvent");function Yu(e,t){A(e,{eventType:x.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(Yu,"emitTokenExchangeSucceededAnalyticsEvent");function Xu(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return Ca({host:xe(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. 
You can return to your MCP client."})}n(Xu,"buildSuccessfulCallbackResponse");function Qu(e){let t={detail:e instanceof Error?e.message:void 0};return Sa(t,"error",e),e instanceof Error&&Sa(t,"cause",Ku(e)),t}n(Qu,"buildTokenExchangeFailureAttributes");function el(e){A(e.context,{eventType:x.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:Or(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:Qu(e.error)})}n(el,"emitTokenExchangeFailedAnalyticsEvent");function tl(e,t){let r=Or(t);return Tt(e,nn(r)?r:"upstream_token_exchange_failed")}n(tl,"tokenExchangeFailureResponse");async function Er(e,t){let r=Ve(t,Fu),o=xe(e.url),i=Ju(t,r,o);if(i instanceof Response)return i;Vu(t,i);try{let a=await Ko({request:e,callbackRequest:i});return Yu(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,operationId:a.operationId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),Xu(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:Or(a)??"upstream_token_exchange_failed",upstreamServerId:i.upstreamServerId};return K(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),el({context:t,callbackRequest:i,error:a}),tl(o,a)}}n(Er,"callbackHandler");function rl(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(rl,"clientMetadataProblemDetail");async function va(e,t){let r=Ve(t,"connect"),o=await 
Fo({request:e,connectRequest:r});if(A(t,{eventType:x.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let i=await wt({requestUrl:e.url,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(i,{status:428})}n(va,"connectHandler");async function xa(e,t){let r=Ve(t,"client_metadata");try{let o=To(e.url),i=Oo(o,r.upstreamServerId,r.authProfileId);return Response.json(i)}catch(o){if(!(o instanceof k))throw o;let i=o instanceof Error?o.message:String(o);return t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),ae.notFound(e,t,{code:"not_found",detail:rl(o)})}}n(xa,"oauthClientMetadataHandler");function ie(e){if(typeof e=="string"&&e.length!==0)return e}n(ie,"readOptionalQueryString");function nl(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new E(`Validated path parameter ${t} is missing`);return r}n(nl,"requirePathString");function ol(e){let t=ie(e);return t?rt.parse(t):void 0}n(ol,"readOptionalOperationId");function il(e,t){let r=ie(e);return r?sn.parse(r):it(t,"user-oauth")}n(il,"readOptionalAuthProfileId");function al(e){let t=ol(e);if(!t)throw new y({message:"operationId query parameter is required.",extensionMembers:{[w]:"invalid_request"}});return 
t}n(al,"readRequiredOperationId");function sl(e){let t=On(ie(e));return t===void 0?{}:{returnTo:t}}n(sl,"readOptionalReturnTo");function cl(e){let t=ie(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(cl,"readOptionalProviderErrorDescription");function dl(e){let t=N(e.authMode);if(t.connectSupport!=="none")return e;throw new y({message:t.connectUnsupportedDetail??"This upstream does not support browser connection flows.",extensionMembers:{[w]:"invalid_request"}})}n(dl,"requireConnectableRouteAuth");function ul(e,t,r,o){return{kind:"connect",...be(e,t),...o===void 0?{}:{returnTo:o},redirect:r}}n(ul,"buildConnectContextForPrincipal");function ll(e,t,r){let o=ut(t),i=N(e.authMode);if(o.mode!==i.ownerMode)throw new y({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[w]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(ll,"buildConnectContextForTicket");async function pl(e,t){let r=dl(Rt(t,al(e.query.operationId))),o=e.query.redirect==="true",i=ie(e.query.browserTicket);if(e.user){if(i)throw new y({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[w]:"invalid_request"}});let s=ct(e.user,e.url);return ul(r,s,o,sl(e.query.returnTo).returnTo)}if(!i)throw new y({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[w]:"authentication_required"}});let a=await Ao(i);if(a.ownerMode!==r.ownerMode||a.upstreamServerId!==r.upstreamServerId||a.authProfileId!==r.authProfileId||a.operationId!==r.operationId)throw new y({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[w]:"oauth_callback_mismatch"}});return await Uo(a),ll(r,a,o)}n(pl,"resolveConnectContext");async function ml(e,t,r){let o=an.parse(nl(e,"connection"));switch(r){case"connect":Ue(t,await 
pl(e,o));return;case"callback":{let i=ie(e.query.error);if(i){Ue(t,{kind:"callback_provider_error",upstreamServerId:o,error:i,...cl(e)});return}let a=ie(e.query.code),s=ie(e.query.state);if(a&&s){Ue(t,{kind:"callback_authorization_code",upstreamServerId:o,code:a,state:s});return}Ue(t,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":Ue(t,{kind:"client_metadata",upstreamServerId:o,authProfileId:il(e.query.authProfileId,o)});return}}n(ml,"resolveUpstreamRequestInbound");async function fl(e,t,r){try{await ml(e,t,r);return}catch(o){let i=o instanceof y?o.extensionMembers?.[w]:void 0,a=o instanceof Error?o.message:void 0;switch(i){case"invalid_request":case"oauth_callback_mismatch":return ae.badRequest(e,t,{code:i,detail:a});case"authentication_required":return ae.unauthorized(e,t,{code:i,detail:a});default:throw o}}}n(fl,"applyUpstreamRequestContext");function Ot(e,t){return n(async(o,i)=>{let a=await fl(o,i,e);return a||t(o,i)},"wrapped")}n(Ot,"withUpstreamRequestContext");var hl={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function gl(){return new Response(null,{status:204,headers:hl})}n(gl,"buildWellKnownPreflightResponse");function yl(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(yl,"withWellKnownCorsHeaders");function qr(e){return async(t,r)=>t.method==="OPTIONS"?gl():yl(await e(t,r))}n(qr,"wrapWellKnownHandler");var 
Ua=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:qr(ua),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:qr(la),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:qr(Pn),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:pa},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:ma},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:fa},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:ha},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:ga},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:ya},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:wa},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:_a},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:Ot("client_metadata",xa)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:Ot("connect",va)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:Ot("callback",Er)}],wl=Ua.filter(e=>!e.routeName.startsWith("upstream_")),_l=Ua.filter(e=>e.routeName.startsWith("upstream_"));function ka(e){return e?.some(en)??!1}n(ka,"hasMcpOAuthRuntimeConfigPolicy");function Pa(e){return e?.some(t=>mn(t.policyType))??!1}n(Pa,"hasMcpTokenExchangePolicy");function Ta(e){return ka(e)||Pa(e)}n(Ta,"shouldRegisterMcpGatewayInternalRoutes");function Rl(e){gn(fn({routes:e.routes,policies:e.policies}))}n(Rl,"initializeMcpGatewayConnectionRegistry");function bl(e){let 
t=tn(e.policies);if(!t){let r=[...Qr].map(o=>`\`${o}\``).join(", ");throw new k(`MCP gateway: could not find an MCP authorization policy in policies.json. Add one of [${r}] and reference it on your MCP routes.`)}return t.config}n(bl,"initializeMcpGatewayOAuthRuntimeConfig");function Ia(e,t,r){return async(o,i)=>{r&&Yr(i,r());let a=o.method==="OPTIONS",s=Date.now();a||i.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,i);return a||i.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(Ia,"wrapInternalHandler");function Aa(e,t,r){e.addPluginRoute({path:t.path,methods:t.methods,handler:r,processors:[jr],corsPolicy:t.corsPolicy??"none"})}n(Aa,"addInternalRoute");function Oa(e,t){Rl(t);let r=ka(t.policies),o=Pa(t.policies),i,a=n(()=>(i===void 0&&(i=bl(t)),i),"readOAuthConfig");if(r)for(let s of wl)Aa(e,s,Ia(s.routeName,s.handler,a));if(o)for(let s of _l)Aa(e,s,Ia(s.routeName,s.handler))}n(Oa,"registerMcpGatewayInternalRoutes");function Ea(e){hn(e)}n(Ea,"configureLazyMcpGatewayState");var Mr=class extends Br{static{n(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!Ta(r.policies))return;let o={routes:r.routes,policies:r.policies};Ea(o),Oa(t.router,o)}};var Cl={Allow:"POST"};async function Sl(e,t){return e.method==="GET"?ae.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},Cl):Jr(e,t)}n(Sl,"McpProxyHandler");export{Ha as McpAuth0OAuthInboundPolicy,Gt as McpCapabilityFilterInboundPolicy,Mr as McpGatewayPlugin,Da as McpOAuthInboundPolicy,Sl as McpProxyHandler,ur as McpTokenExchangeInboundPolicy};
|
|
27
|
+
</style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(Oe,"renderShell");var su="text/html; charset=utf-8";function qe(e){try{return new URL(e).host}catch{return""}}n(qe,"safeHostFromUrl");function K(e){let t=du(e.kind??"authorization_failed"),r=cu(e);return new Response(Pe(Oe({title:e.title??t.title,iconHref:"",styles:Ee,headerIcon:k,heading:e.title??t.title,subhead:"",body:Aa({detail:e.detail,guidance:y`<p class="card__description">${t.guidance}</p>`,technicalDetails:fu({diagnostic:r,upstreamHtml:e.upstreamHtml}),action:pu(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":su,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(K,"browserErrorPageResponse");function cu(e){let t=e.diagnostic?.code??e.code??"unknown";return{code:t,stage:e.diagnostic?.stage??uu(t),timestamp:e.diagnostic?.timestamp??new Date().toISOString(),...e.requestId===void 0&&e.diagnostic?.requestId===void 0?{}:{requestId:e.diagnostic?.requestId??e.requestId},...e.diagnostic?.operationId===void 0?{}:{operationId:e.diagnostic.operationId},...e.diagnostic?.routePath===void 0?{}:{routePath:e.diagnostic.routePath},...e.diagnostic?.upstreamServerId===void 0?{}:{upstreamServerId:e.diagnostic.upstreamServerId},...e.diagnostic?.authProfileId===void 0?{}:{authProfileId:e.diagnostic.authProfileId},...e.diagnostic?.upstreamUrl===void 0?{}:{upstreamUrl:e.diagnostic.upstreamUrl},...e.diagnostic?.metadataUrl===void 0?{}:{metadataUrl:e.diagnostic.metadataUrl},...e.diagnostic?.httpStatus===void 0?{}:{httpStatus:e.diagnostic.httpStatus},...e.diagnostic?.contentType===void 0?{}:{contentType:e.diagnostic.contentType},...e.diagnostic?.providerError===void 0?{}:{providerError:e.diagnostic.providerError},...e.diagnostic?.providerErrorDescription===void 
0?{}:{providerErrorDescription:e.diagnostic.providerErrorDescription},suggestedFix:e.diagnostic?.suggestedFix??lu(t),underlyingError:e.diagnostic?.underlyingError??e.developerDetail}}n(cu,"buildBrowserErrorDiagnostic");function du(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. 
If this keeps happening, contact your gateway administrator with this error code."}}}n(du,"readBrowserErrorPagePresentation");function uu(e){switch(e){case"upstream_oauth_discovery_unavailable":return"upstream_oauth_discovery";case"upstream_client_registration_required":return"upstream_oauth_client_registration";case"upstream_provider_access_denied":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"upstream_token_exchange";case"provider_access_denied":return"upstream_oauth_callback";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"upstream_oauth_state";case"browser_login_verification_failed":return"downstream_browser_login";case"authentication_required":case"identity_context_missing":return"downstream_auth";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"gateway_configuration";case"server_error":case"internal_server_error":return"gateway_internal";default:return"gateway_request"}}n(uu,"readBrowserErrorStage");function lu(e){switch(e){case"upstream_oauth_discovery_unavailable":return"Confirm the upstream MCP URL and OAuth protected resource metadata. If the provider requires approval, configure the provider app or contact the provider.";case"upstream_client_registration_required":return"Register an OAuth client with the upstream provider, then configure the gateway to use that client before retrying.";case"upstream_provider_access_denied":return"Confirm the provider allows this gateway, OAuth client, and upstream MCP URL, then retry the connection.";case"upstream_token_exchange_failed":return"Retry the connection. 
If it repeats, verify the upstream OAuth client, redirect URI, token endpoint, and provider allowlist.";case"upstream_token_response_invalid":return"Verify the upstream token endpoint returns a valid OAuth token response for this gateway client.";case"provider_access_denied":return"Start the connection again if access was denied by mistake. Otherwise, grant the requested upstream provider access.";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"Start a new connection from the MCP client. The previous browser authorization request cannot be resumed.";case"browser_login_verification_failed":return"Retry the browser login flow. If it repeats, verify the downstream login callback configuration.";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"Check the MCP route, upstream server, and auth profile entries in the gateway configuration.";case"authentication_required":case"identity_context_missing":return"Verify the normal Zuplo auth policy runs before the MCP gateway policy and sets request.user.";case"server_error":case"internal_server_error":return"Retry later and check gateway logs with the request ID.";default:return"Check the gateway configuration and request details associated with this error code."}}n(lu,"readBrowserErrorSuggestedFix");function pu(e){return e===void 0?k:y`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(pu,"renderAction");function mu(e){let t=[["Error code",e.code],["Stage",e.stage],["Request ID",e.requestId],["Time",e.timestamp],["Gateway route",e.routePath],["Operation ID",e.operationId],["Upstream",e.upstreamServerId],["Auth profile",e.authProfileId],["Upstream URL",e.upstreamUrl],["Metadata URL",e.metadataUrl],["HTTP status",e.httpStatus],["Content type",e.contentType],["Provider error",e.providerError],["Provider error 
description",e.providerErrorDescription],["Suggested fix",e.suggestedFix],["Underlying error",e.underlyingError]].filter(r=>r[1]!==void 0).map(([r,o])=>`${r}: ${o}`).join(`
|
|
28
|
+
`);return y`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(mu,"renderTechnicalPre");function Ot(e){return e.value===void 0||e.value===""?k:y`<p class="banner__message"><strong>${e.label}:</strong> <code>${e.value}</code></p>`}n(Ot,"renderOptionalTechnicalRow");function fu(e){return y`<section class="banner banner--warning" aria-label="Developer details">
|
|
29
|
+
<span class="banner__icon" aria-hidden="true">!</span>
|
|
30
|
+
<div class="banner__body">
|
|
31
|
+
<p class="banner__title">Developer details</p>
|
|
32
|
+
<p class="banner__message" data-gateway-error-code="${e.diagnostic.code}">
|
|
33
|
+
<strong>Error code:</strong> <code>${e.diagnostic.code}</code>
|
|
34
|
+
</p>
|
|
35
|
+
${Ot({label:"Stage",value:e.diagnostic.stage})}
|
|
36
|
+
${Ot({label:"Request ID",value:e.diagnostic.requestId})}
|
|
37
|
+
${Ot({label:"Suggested fix",value:e.diagnostic.suggestedFix})}
|
|
38
|
+
${Ot({label:"Reason",value:e.diagnostic.underlyingError})}
|
|
39
|
+
${mu(e.diagnostic)}
|
|
40
|
+
${hu(e.upstreamHtml)}
|
|
41
|
+
</div>
|
|
42
|
+
</section>`}n(fu,"renderTechnicalDetails");function hu(e){return e===void 0?k:y`<iframe
|
|
43
|
+
title="Upstream HTML error response"
|
|
44
|
+
sandbox
|
|
45
|
+
srcdoc="${e}"
|
|
46
|
+
style="border: 1px solid var(--warning-border); border-radius: var(--radius-sm); background: white; width: 100%; min-height: 220px; margin-top: 8px;"
|
|
47
|
+
></iframe>`}n(hu,"renderUpstreamHtml");var Ua="application/json",gu="application/x-www-form-urlencoded";function qt(e,t){return new g({message:e,extensionMembers:{[_]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(qt,"invalidRequestError");function yu(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(yu,"normalizeContentType");function _u(e,t){return e===t?!0:t===Ua&&e.endsWith("+json")}n(_u,"contentTypeMatches");function wu(e,t){if(!t||t.length===0)return;let r=yu(e.headers.get("content-type"));if(!t.some(o=>_u(r,o)))throw qt(`Request body must be ${t.join(" or ")}.`)}n(wu,"assertExpectedContentType");function Ru(e,t,r){let o=e.headers.get("content-length");if(!o)return;let a=Number.parseInt(o,10);if(Number.isFinite(a)&&a>t)throw qt(`${r} exceeded the maximum allowed size.`)}n(Ru,"assertContentLengthWithinLimit");async function ka(e,t){let r=t.label??"Request body";wu(e,t.expectedContentTypes),Ru(e,t.maxBytes,r);let o=await mo(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>qt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(ka,"readBoundedTextBody");async function Ta(e,t){let r=await ka(e,{...t,expectedContentTypes:[Ua]});try{return JSON.parse(r)}catch(o){throw qt("Request body must be valid JSON.",o)}}n(Ta,"readBoundedJsonBody");async function Pa(e,t){let r=await ka(e,{...t,expectedContentTypes:[gu]});return new URLSearchParams(r)}n(Pa,"readBoundedFormUrlEncodedBody");B();B();import{errors as Ha,jwtVerify as za,SignJWT as Ba}from"jose";B();import{errors as bu,jwtVerify as Su,SignJWT as vu}from"jose";var kr="zuplo_mcp_session",Cu=d.object({purpose:d.literal("gateway_browser_session"),sub:yt,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()});function Iu(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let 
a=r.slice(0,o).trim(),i=r.slice(o+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}n(Iu,"parseCookieHeader");async function Ea(){return Z({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-session"),"derive")})}n(Ea,"getBrowserSessionKey");function Ur(e,t){let r=new URL(U(e,t)),o=[`${kr}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(Ur,"buildBrowserSessionEvictionCookie");function xu(e){let t=new URL(U(e.requestUrl,e.requestHeaders)),r=[`${kr}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(xu,"serializeSessionCookie");function Oa(){return new URL(bt("url")).origin}n(Oa,"readBrowserLoginOrigin");function Tr(){return j().browserLogin.stateTtlSeconds}n(Tr,"readBrowserLoginStateTtlSeconds");function qa(e){if(!e.user)throw w("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Ie(e.user,e.url)}n(qa,"resolveCurrentRequestPrincipal");async function Mt(e,t={}){let r=Iu(e.headers.get("cookie")).get(kr);if(!r)return{};try{let{payload:o}=await Su(r,await Ea(),{algorithms:[z],issuer:q,audience:H}),a=Cu.parse(o);if(a.browserLoginOrigin!==Oa())return{evictCookie:Ur(e.url,e.headers)};let i={subjectId:a.sub};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(o){return o instanceof bu.JWTExpired?{evictCookie:Ur(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Ur(e.url,e.headers)})}}n(Mt,"readBrowserSession");async function Dt(e){let 
t=j().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:Oa()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new vu(r).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await Ea());return xu({value:o,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},ttlSeconds:t})}n(Dt,"createBrowserSessionCookie");async function Ma(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Mt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw w("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");let{exchangeFederatedAuthorizationCode:a}=await import("../browser-login-idp-HQB254PW.js");return a({code:o,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,...e.context===void 0?{}:{context:e.context}})}n(Ma,"resolveBrowserLoginCallbackPrincipal");function Da(e){let t=j().browserLogin,r=new URL(bt("url")),o=new URL("/oauth/callback",Bn(e.requestUrl,e.requestHeaders));return Wn(r)?(r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",bt("clientId")),r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}n(Da,"buildBrowserLoginUrl");var Au={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},p=class extends 
Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=Au[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var Uu=5*60,ku=d.object({purpose:d.literal("gateway_browser_login"),transactionId:Ft,stateId:Kt,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Tu=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:Ft,stateId:Kt,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function ja(){return Z({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-login"),"derive")})}n(ja,"getBrowserLoginKey");async function La(){return Z({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"authorization-csrf"),"derive")})}n(La,"getCsrfKey");function Na(e){return{now:e.now??new Date,ttlSeconds:Tr()}}n(Na,"readPendingTransactionDependencies");function Pu(e,t){return e.subjectId===t.subjectId}n(Pu,"principalsMatch");function $a(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n($a,"toPendingPrincipal");function Ga(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:b(e.now),expiresAt:b(W(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw w("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:$a(e.principal)}}n(Ga,"createTransactionRecord");async function Za(e){let{id:t,...r}=e.record,o=await S().startAuthorization({...r,transactionId:t,...e.client===void 
0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw w("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new p("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new p("invalid_request","redirect_uri is not registered for the client.")}}n(Za,"startPendingTransaction");async function Eu(e){return new Ba({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await ja())}n(Eu,"signBrowserLoginState");async function Fa(e){return new Ba({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Wt()}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await La())}n(Fa,"signCsrfToken");async function Pr(e){try{let{payload:t}=await za(e,await ja(),{algorithms:[z],issuer:q,audience:H}),r=ku.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Ha.JWTExpired?w("oauth_state_expired","Browser login state has expired.",t):w("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Pr,"verifyBrowserLoginStateToken");async function Ht(e){try{let{payload:t}=await za(e,await La(),{algorithms:[z],issuer:q,audience:H});return{transactionId:Tu.parse(t).transactionId}}catch(t){throw t instanceof Ha.JWTExpired?w("oauth_state_expired","Authorization setup state has expired.",t):w("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(Ht,"verifyCsrfToken");function Er(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(Er,"pendingStateErrorCode");function Ou(e){return 
e.kind==="available"?{kind:"available",record:e.transaction}:e}n(Ou,"toPendingAuthorizationGetResult");function qu(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(qu,"toPendingAuthorizationAdvanceResult");function Or(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Er(e==="consumed_already"?"consumed_already":e)}n(Or,"setupDecisionErrorCode");async function Ka(e){let t=e.now??new Date,r=await Ht(e.csrfToken),o=await S().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:b(t)});if(o.kind!=="marked")throw w(Or(o.kind),"Authorization setup state is invalid, expired, or already used.");return Ja({kind:"available",record:o.transaction})}n(Ka,"markSetupApproved");function Ja(e){if(e.kind!=="available")throw w(Er(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(Ja,"requireAwaitingSetup");function Mu(e){if(!Pu(e.currentBrowserPrincipal,e.transaction.principal))throw w("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(Mu,"requireCurrentPrincipalMatches");async function Wa(e){let t=e.now??new Date,r=Tr(),o=Jt(),a=Wt(),i=await Eu({transactionId:o,stateId:a,ttlSeconds:r}),s=Ga({id:o,transaction:e.transaction,currentStateHash:await I(i),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Za({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login 
phase.");return{transaction:c,browserLoginStateToken:i,browserLoginUrl:Da({state:i,nonce:a,operationId:s.operationId,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(Wa,"startAwaitingLogin");async function Va(e){let{now:t,ttlSeconds:r}=Na(e),o=Jt(),a=await Fa({transactionId:o,ttlSeconds:r}),i=Ga({id:o,transaction:e.transaction,currentStateHash:await I(a),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(i.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Za({record:i,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:a}}n(Va,"startAwaitingSetup");async function Ya(e){let{now:t,ttlSeconds:r}=Na(e),o=await Pr(e.browserLoginStateToken),a=await Fa({transactionId:o.transactionId,ttlSeconds:r}),i=qu(await S().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await I(e.browserLoginStateToken),nextStateHash:await I(a),nextPhase:"awaiting_setup",principal:$a(e.principal),now:b(t)}));if(i.kind!=="advanced")throw w(Er(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:a}}n(Ya,"completeLogin");async function Xa(e){let t=await qr(e);return Mu({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(Xa,"getSetup");async function qr(e){let t=e.now??new Date,r=await Ht(e.csrfToken);return Ja(Ou(await S().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),now:b(t)})))}n(qr,"getSetupTransaction");async function Du(e){let t=await Ht(e.csrfToken),r=X(),o=b(W(e.now,Uu)),a=await 
S().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await I(r),authorizationCodeExpiresAt:o,grantId:Kn(),now:b(e.now)});if(a.kind!=="approved")throw w(a.kind==="cancelled"?"oauth_state_invalid":Or(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}n(Du,"createAuthorizationCodeRedirectWithDecision");async function Hu(e){let t=await Ht(e.csrfToken),r=await S().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:b(e.now)});if(r.kind!=="cancelled")throw w(r.kind==="approved"?"oauth_state_invalid":Or(r.kind),"Authorization setup state is invalid, expired, or already used.");return zu({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Hu,"createCancelRedirectWithDecision");function zu(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(zu,"buildClientCancelRedirect");async function Qa(e){let t=e.now??new Date;return Du({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(Qa,"approve");async function ei(e){let t=e.now??new Date;return Hu({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(ei,"cancel");B();var 
Bu=1e4,ju=5*1024,Lu=2,Nu=90*24*60*60,Mr="dcr:pkjwt:",Dr=["authorization_code","refresh_token"],Hr=["code"],$u=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(Dr)).min(1).max(2).optional(),response_types:d.array(d.enum(Hr)).min(1).max(1).optional(),scope:d.literal(E).optional(),token_endpoint_auth_method:Zn.optional(),jwks_uri:d.string().min(1).optional()});function Gu(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&ue(t))&&t.pathname!=="/"}catch{return!1}}n(Gu,"isCimdClientIdCandidate");function Me(e,t="invalid_request",r="authorize"){if(Zu(e))throw new p(t,"redirect_uris must not include raw whitespace or control characters.");let o;try{o=new URL(e)}catch{throw new p(t,"redirect_uris must be absolute URIs.")}if(o.hash||o.username||o.password)throw new p(t,"redirect_uris must not include credentials or fragments.");let a={source:r},i=$n({url:o,context:a});if(i.kind!=="rejected"){i.mode!=="strict"&&void 0;return}throw new p(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(Me,"assertValidRedirectUri");function Zu(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(Zu,"hasForbiddenRawRedirectUriCharacter");async function Fu(e){let{response:t,json:r}=await ho(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Lu,maxResponseBytes:ju,timeoutMs:Bu});if(!t.ok)throw w("invalid_request","CIMD metadata could not be fetched.");let o=Fn.parse(r);for(let a of o.redirect_uris)Me(a,"invalid_request","cimd");if(o.jwks_uri!==void 0&&Rt(o.jwks_uri),o.client_id!==e.clientId)throw w("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(Fu,"fetchCimdMetadata");async function Ku(e){let t=po(e),r=await Fu({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(Ku,"resolveCimdClient");async function zt(e,t){let 
r=Y.parse(e);if(Gu(r)){if(!j().gateway.cimdEnabled)throw new p("invalid_client","OAuth client is not registered.");try{return await Ku(r)}catch{throw new p("invalid_client","OAuth client is not registered.")}}let o=await S().readClient({clientId:r});if(o.kind==="found"){let a=o.client,i=rl(a.clientId),s=i===void 0?a.tokenEndpointAuthMethod:"private_key_jwt",c=a.jwksUri??i;if(s==="private_key_jwt"&&c===void 0)throw new p("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let l={client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}},m={kind:"dcr",clientId:r,metadata:l};return a.hashedClientSecret&&(m.hashedClientSecret=a.hashedClientSecret),m}throw new p("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}n(zt,"resolveClient");function ti(e,t){if(!e.metadata.redirect_uris.some(r=>Jn(r,t)))throw w("invalid_request","redirect_uri is not registered for the client.")}n(ti,"assertRedirectRegistered");function Ju(e){let t=ri(e.grant_types),r=e.response_types??[...Hr];if(!Wu(t))throw new p("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!Vu(r))throw new p("invalid_client_metadata","response_types must be code.");if(!Yu(e.scope))throw new p("invalid_client_metadata",`Only the ${E} scope is supported.`)}n(Ju,"assertSupportedDcrRequest");function ri(e){return e===void 0?[...Dr]:Array.from(new Set(e))}n(ri,"normalizeGrantTypes");function Wu(e){return e.length===0?!1:e.every(t=>Dr.includes(t))}n(Wu,"isSupportedGrantTypes");function Vu(e){return e.length===Hr.length&&e[0]==="code"}n(Vu,"isSupportedResponseTypes");function Yu(e){return e===void 0||e===E}n(Yu,"isSupportedDcrScope");function Xu(e){try{Rt(e)}catch(t){throw new p("invalid_client_metadata","jwks_uri must be an 
HTTPS URL with a path, no credentials, query, or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(Xu,"assertValidDcrJwksUri");function Qu(e){let t=new TextEncoder().encode(e),r="";for(let o of t)r+=String.fromCharCode(o);return btoa(r).replaceAll("+","-").replaceAll("/","_").replace(/=+$/,"")}n(Qu,"encodeBase64Url");function el(e){let t=e.replaceAll("-","+").replaceAll("_","/"),r=t.padEnd(t.length+(4-t.length%4)%4,"="),o;try{o=atob(r)}catch{return}let a=new Uint8Array(o.length);for(let i=0;i<o.length;i+=1)a[i]=o.charCodeAt(i);return new TextDecoder().decode(a)}n(el,"decodeBase64Url");function tl(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?Y.parse(`${Mr}${crypto.randomUUID()}:${Qu(e.jwksUri)}`):Y.parse(`dcr:${crypto.randomUUID()}`)}n(tl,"createDcrClientId");function Bt(e){return e.startsWith(Mr)}n(Bt,"isPrivateKeyJwtDcrCompatibilityClientId");function rl(e){if(!Bt(e))return;let t=e.slice(Mr.length),r=t.indexOf(":");if(r===-1)return;let o=el(t.slice(r+1));if(o!==void 0){try{Rt(o)}catch{return}return o}}n(rl,"readPrivateKeyJwtDcrClientIdJwksUri");function nt(e){if(e===void 0||e===E)return E;throw new p("invalid_request",`Only the ${E} scope is supported.`)}n(nt,"assertSupportedOAuthScope");function De(e,t,r){let o;try{o=new URL(t)}catch{throw new p("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new p("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!ue(o))throw new p("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let a=U(e,r),i=zn(),s=i?[...i.byOperationId.values()].find(c=>new URL(c.routePath,a).toString()===t):void 0;if(!s)throw new p("invalid_target","resource must match a published MCP route.");return s}n(De,"resolveResource");async function ni(e){let t;try{t=$u.parse(e)}catch(C){if(C instanceof d.ZodError){let N=C.issues.some(Re=>Re.path[0]==="redirect_uris");throw new 
p(N?"invalid_redirect_uri":"invalid_client_metadata",C.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:C})}throw C}Ju(t);for(let C of t.redirect_uris)Me(C,"invalid_redirect_uri","dcr");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new p("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&Xu(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",a=o==="private_key_jwt"?"none":o,i=tl({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=W(r,Nu),c=Math.floor(r.getTime()/1e3),l=Math.floor(s.getTime()/1e3),m={client_id:i,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:ri(t.grant_types),response_types:["code"],scope:E,token_endpoint_auth_method:o,client_id_issued_at:c,...t.jwks_uri===void 0?{}:{jwks_uri:t.jwks_uri}},f={clientId:i,clientName:String(m.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:a,createdAt:b(r),clientExpiresAt:b(s)};if(o==="client_secret_basic"||o==="client_secret_post"){let C=X();f.hashedClientSecret=await I(C),f.clientSecretExpiresAt=b(s),m.client_secret=C,m.client_secret_expires_at=l,m.client_secret_issued_at=c}if((await S().registerClient(f)).kind==="already_exists")throw w("invalid_request","OAuth client is already registered.");return m}n(ni,"registerDownstreamClient");function jt(e){return y`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(jt,"renderShellIcon");function oi(e){return y`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} 
>Authorize</button></form>`}n(oi,"renderActions");var Uy=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function ai(e){return y`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${e.icon}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${e.message}</p></div></div>`}n(ai,"renderBannerWarning");var ky=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),ii=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');function si(e){return y`${e.banner}<section class="upstreams"><header class="section-label">Upstream services <span class="section-label__count">${e.sectionCount}</span></header><ul class="upstream-list">${e.cards}</ul></section>${e.fineprint}`}n(si,"renderSetupPage");function ci(e){return y`<article class="${e.cardClass}"><div class="upstream-card__head">${e.iconFrame}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${e.control}</div><div class="upstream-card__meta">${e.host}<span>${e.authModeLabel}</span><span 
class="upstream-card__sep" aria-hidden="true">·</span><span>${e.ownerModeLabel}</span></div>${e.description}</div></div>${e.capabilities} ${e.scopes}</article>`}n(ci,"renderUpstreamCard");var di=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var nl="data:,",li=y`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,Br=y`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function pi(e,t){if(e)try{let r=new URL(t).origin,o=new URL(e,r);return o.origin!==r||!o.pathname.startsWith("/auth/connections/")?void 0:o.toString()}catch{return}}n(pi,"safeGatewayConnectHref");function ol(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(ol,"deriveMode");function al(e){return oi({state:e.state,submitOnceAttrs:li,authorizeAttrs:k})}n(al,"renderActions");function zr(e,t,r){for(let o of e){if(o.ownerMode!=="user"||o.status!==r)continue;let a=pi(o.connectUrl,t);if(a)return a}}n(zr,"firstUserConnectHref");function il(e){let t=e.connectHref?y`<a class="button button--primary" href="${e.connectHref}" ${Br}>Connect</a>`:y`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return y`<form class="actions" method="post" action="/oauth/setup" ${li}><input type="hidden" name="state" value="${e.state}" /><button class="button 
button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(il,"renderSetupActions");function sl(e){return e?y`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${Br}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:k}n(sl,"renderReconnectAction");function cl(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(cl,"isRenderableIconHref");function mi(e){return e?.find(t=>cl(t.src))?.src}n(mi,"readIconHref");function fi(e){return mi(e.serverIcons)??(e.transportHost===void 0?void 0:gr(e.transportHost).src)}n(fi,"readUpstreamIconHref");function dl(e){let t=fi(e);return t===void 0?y`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${ii}</span>`:y`<span class="icon-frame"><img src="${t}" alt="" referrerpolicy="no-referrer" loading="lazy" onerror=" this.onerror = null; this.src = '${tt}'; " /></span>`}n(dl,"renderIconFrame");function ul(e){let t=mi(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=fi(r);if(o!==void 0)return o}}n(ul,"readHeaderIconHref");function ll(e){return y`<p class="card__subtitle"><strong>${e.clientDisplayName}</strong> wants to access <strong>${e.routeDisplayName}</strong></p>${e.routeDescription===void 0?k:y`<p class="card__description">${e.routeDescription}</p>`}${e.principalLabel===void 0?k:y`<span class="card__principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`}`}n(ll,"renderSubhead");function pl(e){let t=e.filter(o=>o.ownerMode==="user"&&o.status!=="active");if(t.length===0)return k;let r=t.length===1?y`Connect ${t[0]?.upstreamDisplayName??"the required service"} before continuing. 
Authorization will continue automatically once it is ready.`:y`Connect the ${t.length} services below before continuing. Authorization will continue automatically once each is ready.`;return ai({icon:di,message:r})}n(pl,"renderSetupBanner");function ml(e){return e===void 0?k:y`<code class="upstream-card__host">${e}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`}n(ml,"renderHost");function fl(e){switch(e){case"shared-oauth":case"user-oauth":return"OAuth";default:return e}}n(fl,"readAuthModeLabel");function hl(e){switch(e){case"user":return"your account";case"shared":return"workspace";case"none":return"no auth"}}n(hl,"readOwnerModeLabel");function gl(e){switch(e){case"active":return"Connected";case"reconsent_required":return"Reconnect";case"not_connected":return"Setup required"}}n(gl,"readStatusLabel");function ui(e){let t=e.status==="active"?"status-badge status-badge--success":"status-badge status-badge--warning";return y`<span class="${t}">${gl(e.status)}</span>`}n(ui,"renderStatusBadge");function yl(e,t){if(!(e.ownerMode==="user"&&e.status!=="active"))return ui(e);let o=pi(e.connectUrl,t);return o===void 0?ui(e):y`<a class="button button--secondary button--small" href="${o}" ${Br}>Connect</a>`}n(yl,"renderUpstreamControl");function _l(e){return e===void 0?k:y`<p class="upstream-card__description">${e}</p>`}n(_l,"renderDescription");function wl(e){return xa(e.upstreams.map(t=>{let r=t.ownerMode==="user"&&t.status!=="active";return y`<li>${ci({cardClass:r?"upstream-card upstream-card--needs-action":"upstream-card",iconFrame:dl(t),upstreamDisplayName:t.upstreamDisplayName,control:yl(t,e.gatewayOrigin),host:ml(t.transportHost),authModeLabel:fl(t.authMode),ownerModeLabel:hl(t.ownerMode),description:_l(t.description),capabilities:k,scopes:k})}</li>`}))}n(wl,"renderUpstreamCards");function Rl(e){return e.mode==="setup"?y`<p class="card__fineprint">Authorization continues automatically once every required service is connected.</p>`:y`<p 
class="card__fineprint"><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.routeDisplayName}</strong>.</p>`}n(Rl,"renderFineprint");function bl(e){return e.upstreams.length===0?k:si({banner:e.mode==="setup"?pl(e.upstreams):k,sectionCount:`(${e.upstreams.length})`,cards:wl({upstreams:e.upstreams,gatewayOrigin:e.gatewayOrigin}),fineprint:Rl({mode:e.mode,clientDisplayName:e.clientDisplayName,routeDisplayName:e.routeDisplayName})})}n(bl,"renderBody");function jr(e){let t=ol(e.upstreams),r=zr(e.upstreams,e.gatewayOrigin,"not_connected"),o=zr(e.upstreams,e.gatewayOrigin,"reconsent_required"),a=zr(e.upstreams,e.gatewayOrigin,"active"),i=t==="setup"?r??o:void 0,s=ul({routeIcons:e.routeIcons,upstreams:e.upstreams}),c=t==="setup"?y`<footer class="card__footer">${il({state:e.state,connectHref:i})}</footer>`:y`<footer class="card__footer">${sl(a)}${al({state:e.state})}</footer>`;return Pe(Oe({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??nl,styles:Ee,headerIcon:s===void 0?k:jt({iconHref:s,fallbackIconHref:tt}),heading:"Authorize access",subhead:ll({routeDisplayName:e.routeDisplayName,routeDescription:e.routeDescription,clientDisplayName:e.clientDisplayName,principalLabel:e.principalLabel}),body:bl({mode:t,gatewayOrigin:e.gatewayOrigin,routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName,upstreams:e.upstreams}),footer:c}))}n(jr,"renderConsentPage");var Sl=1e4,hi="mcp-session-id",vl,gi;function bi(){return{tools:[],prompts:[],resources:[]}}n(bi,"emptyCapabilities");function yi(e){let t=new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":Vt});switch(e.type){case"none":return t;case"bearer_token":return t.set("authorization",`Bearer ${e.token}`),t;case"headers":for(let[r,o]of Object.entries(e.headers))t.set(r,o);return t;case"mcp_oauth_provider":throw new Error("MCP OAuth provider credentials require async 
headers.")}}n(yi,"buildCredentialHeaders");async function _i(e){if(e.type!=="mcp_oauth_provider")return yi(e);let t=await e.provider.tokens();if(!t)return;let r=yi({type:"none"});return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(_i,"buildAsyncCredentialHeaders");function wi(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(ft.parse({jsonrpc:mt,id:1,method:"initialize",params:{protocolVersion:Vt,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(wi,"buildInitializePreflight");async function Lr(e){lo(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),Sl);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return gi?await gi(o):await ct.fetch(o)}finally{clearTimeout(r)}}n(Lr,"runPreflight");function Nr(e){e.body?.cancel().catch(()=>{})}n(Nr,"releasePreflightBody");async function Cl(e){let t=e.response.headers.get(hi);if(!t)return;let r=new Headers(e.headers);r.set(hi,t),r.delete("content-type");try{let o=await Lr(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));Nr(o)}catch{}}n(Cl,"terminatePreflightSession");async function Si(e){let{response:t}=e;return Nr(t),t.status>=200&&t.status<300?(await Cl(e),{kind:"ready",upstreamStatus:t.status,capabilities:bi()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(Si,"classifyResponse");function Ri(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(Ri,"connectRequiredResult");async function Il(e){try{return Si({response:await 
Lr(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Il,"classifyPreflight");async function xl(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:bi()};let r=Pt(t.upstreamServerId,e.route.operationId),o=Te(r,e.subjectId),a=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},i=new Request(e.requestUrl,{...e.requestHeaders===void 0?{}:{headers:e.requestHeaders}}),s=await ke({request:i,routeAuth:a,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return Ri(s.payload);let c=await _i(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let l=wi({upstreamUrl:t.mcpUrl,headers:c}),m;try{m=await Lr(l)}catch(C){return{kind:"upstream_unavailable",message:C instanceof Error?C.message:"Upstream MCP server readiness preflight failed."}}if(m.status!==401)return Si({response:m,upstreamUrl:t.mcpUrl,headers:c});Nr(m);let f=await ke({request:i,routeAuth:a,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(f.kind==="connect_required")return Ri(f.payload);let A=await _i(f.credential);return A===void 0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Il({request:wi({upstreamUrl:t.mcpUrl,headers:A}),upstreamUrl:t.mcpUrl,headers:A})}n(xl,"checkUpstreamRouteReadinessImpl");function vi(e){return(vl??xl)(e)}n(vi,"checkUpstreamRouteReadiness");function Al(e){try{return new URL(e).host}catch{return}}n(Al,"safeUrlHost");function Ul(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}n(Ul,"readOAuthScopes");function Ci(e){return e!==void 0&&e.length>0}n(Ci,"hasItems");function kl(e){let t=e.serverInfo?.icons;if(Ci(t))return t;let r=xt(e.mcpUrl);return r===void 0?void 0:[r]}n(kl,"readServerIcons");async function 
Tl(e){if(!(e.returnTo===void 0||!e.isUserOwned))return _r({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Tl,"readConnectUrl");function _e(e,t){return t===void 0?{}:{[e]:t}}n(_e,"optionalRequirementField");function Pl(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?ao(e.connection):{connected:!0,status:"active"}}n(Pl,"readSetupConnectionStatus");function El(e){let t=Ul(e);return Ci(t)?t:void 0}n(El,"readScopesRequested");function Ol(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(Ol,"readUpdatedAt");function ql(){return{tools:[],prompts:[],resources:[]}}n(ql,"readRouteCapabilities");async function Ml(e){let{authConfig:t,authMode:r,description:o,displayName:a,mcpUrl:i,upstreamServerId:s,authProfileId:c}=e.registeredConnection,l=At(r),m=l==="user",f=Pl({connection:e.connection,isUserOwned:m,readiness:e.readiness}),A=e.readiness?.connectUrl??await Tl({...e,connected:f.connected,isUserOwned:m});return{upstreamServerId:s,authProfileId:c,authMode:r,ownerMode:l,upstreamDisplayName:a,status:f.status,connected:f.connected,capabilities:ql(),..._e("description",o),..._e("transportHost",Al(i)),..._e("scopesRequested",El(t)),..._e("serverIcons",kl(e.registeredConnection)),..._e("connectUrl",A),..._e("updatedAt",Ol({connectionStatus:f,isUserOwned:m})),..._e("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(Ml,"buildSetupRequirement");function Ii(e){let t=$().byOperationId.get(e);if(!t)throw w("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(Ii,"requireRoute");async function $r(e){let t=Ii(e.transaction.operationId),r=_t(e.transaction.principal.subjectId),o=[],a=new 
Map,i=t.connection;if(i===void 0)return[];At(i.authMode)==="user"&&(a.set(i,o.length),o.push({owner:r,upstreamServerId:i.upstreamServerId,authProfileId:i.authProfileId}));let s=await S().batchGetUpstreamConnections(o),c=[],l=At(i.authMode)==="user",m=a.get(i),f=await vi({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:l&&m!==void 0?s[m]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),A=(()=>{if("connectionStatus"in f&&f.connectionStatus)return f.connectionStatus})(),C=(f.kind==="connect_required"||f.kind==="admin_setup_required")&&f.payload.authUrl!==void 0?f.payload.authUrl:void 0;return c.push(await Ml({connection:l&&m!==void 0?s[m]:void 0,registeredConnection:i,route:t,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:A===void 0?void 0:{...A,...C===void 0?{}:{connectUrl:C}}})),c}n($r,"requirementsForSetup");function Dl(e){return e.route.connection?.displayName??e.route.operationId}n(Dl,"readRouteDisplayName");async function Gr(e){let t=Ii(e.transaction.operationId),r=Dl({route:t}),o=await S().readClient({clientId:e.transaction.clientId}),a=o.kind==="found"?o.client:void 0,i={gatewayOrigin:U(e.requestUrl,e.requestHeaders),routeDisplayName:r,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(i.routeDescription=s),i}n(Gr,"consentContext");function Zr(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Zr,"hasUnresolvedUserUpstream");var Hl=["mcp_user"],zl="dev-browser-user",Bl=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where 
{routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),jl=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:Gn,state:d.string().min(1).optional(),scope:d.literal(E).default(E)}),Ll=d.enum(["continue","approve","cancel"]).default("continue"),Nl=d.object({state:d.string().min(1),decision:Ll}),ie=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function xi(e){return typeof e=="string"&&e.length>0?e:void 0}n(xi,"readQueryString");function $l(e){let t=Array.from($().byOperationId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return Yt(r.operationId,e.url,e.headers)}n($l,"inferSingleRouteResource");function Gl(e,t){let r=xi(e.query.resource);if(t===void 0){if(r!==void 0)return r;let a=$l(e);if(a!==void 0)return a;throw new p("invalid_target",Bl)}let o=Yt(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new p("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Gl,"requireAuthorizeResource");async function Zl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let a=qa(e);return{principal:a,setCookie:await Dt({principal:a,requestUrl:e.url,requestHeaders:e.headers})}}n(Zl,"resolveBrowserPrincipal");async function 
Fl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(!o.principal)throw w("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Fl,"requireSetupPrincipal");function Ai(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}n(Ai,"buildSetupReturnTo");async function Ui(e){let t=await $r({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:Ai(e.csrfToken)}),r=await Gr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}}),o={kind:"setup_page",html:jr({state:e.csrfToken,operationId:e.transaction.operationId,upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(Ui,"renderSetup");function Kl(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Kl,"toAuthorizationTransactionClient");async function Fr(e,t={}){let r=jl.parse({...e.query,resource:Gl(e,t.operationId),state:xi(e.query.state)}),o=nt(r.scope);Me(r.redirect_uri,"invalid_request","authorize");let a=new Date,i=Y.parse(r.client_id),s=await zt(r.client_id,a);ti(s,r.redirect_uri);try{let c=De(e.url,r.resource,e.headers),l=Kl(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&v(t.context,{eventType:R.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:i,scope:o,responseType:r.response_type}});let m={clientId:s?.clientId??i,...l===void 0?{}:{client:l},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:f,setCookie:A}=await 
Zl(e,t.context);if(!f){let N=await Wa({transaction:m,requestUrl:e.url,requestHeaders:e.headers,now:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i,operationId:c.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let Re={kind:"redirect",location:N.browserLoginUrl};return A!==void 0&&(Re.setCookie=A),Re}let C=await Va({transaction:m,principal:f,now:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i,operationId:c.operationId,subjectId:f.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&v(t.context,{eventType:R.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:i,scope:o,responseType:r.response_type,subjectId:f.subjectId}}),Ui({transaction:C.transaction,csrfToken:C.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:A})}catch(c){throw Jl({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n(Fr,"authorizeDownstreamClient");function Jl(e){if(e.cause instanceof ie)return e.cause;let t=Wl(e.cause);return t?new ie({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Jl,"toDownstreamAuthorizeRedirectError");function Wl(e){if(e instanceof p)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(Wl,"mapToOAuthRedirectError");async function ki(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let m=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,f=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...m===void 0?{}:{idpErrorDescription:m},...f===void 
0?{}:{idpErrorUri:f}},"Identity provider redirected browser-login callback with an error"),w("provider_access_denied",m??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),w("oauth_state_invalid","Browser login callback is missing state.");let a=await Pr(o),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await Ma(i),c=await Ya({browserLoginStateToken:o,principal:s}),l=await Ui({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return l.setCookie=await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers}),l}n(ki,"completeBrowserLoginCallback");async function Ti(e){let t=j(),r=new URL(e.url);if(!ue(r))throw w("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw w("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",U(e.url)),i=new URL(U(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw w("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",o);let s={subjectId:yt.parse(zl),roles:Hl};return{kind:"redirect",location:a,setCookie:await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers})}}n(Ti,"completeLocalDevBrowserLogin");function Vl(e){let t=e.method==="POST"?e.body:e.query;return Nl.parse(t)}n(Vl,"readSetupContinueRequest");async function Pi(e){let{state:t,decision:r}=Vl({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,a=await qr({csrfToken:t,now:o}),i=await Fl(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await 
ei({csrfToken:t,currentBrowserPrincipal:i,now:o})};let s=await Xa({csrfToken:t,currentBrowserPrincipal:i,now:o}),c=await $r({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:Ai(t)});if(r==="approve"&&Zr(c)&&await Ka({csrfToken:t,currentBrowserPrincipal:i,now:o}),Zr(c)){let l=await Gr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:jr({state:t,operationId:s.operationId,upstreams:c,...l})}}return{kind:"redirect",location:await Qa({csrfToken:t,currentBrowserPrincipal:i,now:o})}}n(Pi,"continueDownstreamAuthorizeSetup");B();import{createLocalJWKSet as Yl,decodeJwt as Xl,errors as ot,jwtVerify as Ql}from"jose";var ep=new Set(["authorization_code","refresh_token"]),tp="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",rp=1e4,np=32*1024,op=2,Ei=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),ap=d.discriminatedUnion("grant_type",[Ei.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:gt,resource:d.url().optional(),scope:d.literal(E).optional()}),Ei.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(E).optional()})]);function ip(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!ep.has(t)))throw new p("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(ip,"assertSupportedGrantType");var 
sp=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),cp=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function Oi(){return j().gateway.accessTokenTtlSeconds}n(Oi,"readAccessTokenTtlSeconds");function dp(){return j().gateway.refreshTokenTtlSeconds}n(dp,"readRefreshTokenTtlSeconds");function up(e,t){let r=Oi(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,o);return{expiresAt:b(W(e,a)),expiresIn:a}}n(up,"calculateAccessTokenExpiresAt");function qi(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new p("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}}n(qi,"readBasicClientSecret");function Mi(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new p("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=Xl(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new p("invalid_client","Malformed private_key_jwt client assertion.")}throw new p("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new p("invalid_client","Client authentication or client_id is required.")}n(Mi,"resolveAuthenticatedClientId");function lp(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new 
p("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(lp,"resolveClientSecretInput");function pp(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(pp,"hasClientAssertion");function mp(e){if(e.requestUrl===void 0)throw new p("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,U(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(mp,"buildEndpointAudience");function fp(e){return e instanceof ot.JWTExpired?"expired":e instanceof ot.JWTClaimValidationFailed?"claim":e instanceof ot.JWSSignatureVerificationFailed?"signature":e instanceof ot.JWKSNoMatchingKey?"jwks_no_match":e instanceof ot.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(fp,"readJwtFailureKind");async function hp(e){let{response:t,json:r}=await go(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:op,maxResponseBytes:np,timeoutMs:rp});if(!t.ok)throw new p("invalid_client","Client JWKS could not be fetched.");return cp.parse(r)}n(hp,"fetchClientJwks");async function gp(e){if(e.clientAssertionType!==tp||e.clientAssertion===void 0)throw new p("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=Y.parse(e.clientId),r=await zt(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new p("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new p("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let a=mp({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let i=await hp({jwksUri:o,context:e.context});await 
Ql(e.clientAssertion,Yl(i),{issuer:t,subject:t,audience:a,currentDate:e.now})}catch(i){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:fp(i)},"OAuth private_key_jwt client authentication failed"),new p("invalid_client","Client authentication failed.")}return Bt(t)?{method:"none",clientId:t}:{method:"private_key_jwt",clientId:t}}n(gp,"verifyPrivateKeyJwtClientAssertion");async function yp(e){let t=Y.parse(e.clientId);if(Bt(t))throw new p("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await I(e.clientSecret)}}n(yp,"buildRuntimeHttpClientAuth");async function Di(e){if(pp({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return gp(e)}let t=lp({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return yp({clientId:e.clientId,...t})}n(Di,"resolveRuntimeHttpClientAuth");async function Hi(e){ip(e.body);let t=ap.parse(e.body),r=qi(e.authorizationHeader),o=Mi({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date,i=await Di({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:a,context:e.context});return _p({parsed:t,clientId:o,clientAuth:i,now:a,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(Hi,"exchangeDownstreamToken");async function 
_p(e){if(e.parsed.grant_type==="authorization_code"){Me(e.parsed.redirect_uri,"invalid_request","token"),nt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let s=X(),c=X(),l=b(W(e.now,dp())),m=up(e.now,l),f=await S().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await I(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await uo(e.parsed.code_verifier),currentRefreshTokenHash:await I(s),accessTokenHash:await I(c),grantExpiresAt:l,accessTokenExpiresAt:m.expiresAt,now:b(e.now)});if(f.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(f.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the authorization code resource.");if(f.kind!=="exchanged")throw new p("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&v(e.context,{eventType:R.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:c,token_type:"Bearer",expires_in:m.expiresIn,refresh_token:s,scope:f.grant.scope,resource:f.grant.resource}}nt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=X(),r=X(),o=b(W(e.now,Oi())),a=await S().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await I(e.parsed.refresh_token),nextRefreshTokenHash:await I(t),accessTokenHash:await I(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:o,now:b(e.now)});if(a.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new p("invalid_grant","Refresh token is invalid, expired, or 
revoked.");De(e.requestUrl??a.grant.resource,a.grant.resource,e.requestHeaders);let i=a.accessToken.expiresAt;return e.context&&(v(e.context,{eventType:R.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),v(e.context,{eventType:R.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(i).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:a.grant.scope,resource:a.grant.resource}}n(_p,"exchangeDownstreamTokenWithRuntimeHttp");async function zi(e){let t=sp.parse(e.body),r=qi(e.authorizationHeader),o=Mi({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date;if((await S().revokeOAuthToken({clientAuth:await Di({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:a,context:e.context}),tokenHash:await I(t.token),now:b(a)})).kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&v(e.context,{eventType:R.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(zi,"revokeDownstreamToken");var wp=64*1024,Rp=16*1024,bp="text/html; charset=utf-8";function Sp(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(Sp,"formDataToObject");async function vp(e){return Ta(e,{maxBytes:wp,label:"Request body"})}n(vp,"readJsonBody");async function Jr(e){return Sp(await Pa(e,{maxBytes:Rp,label:"Request body"}))}n(Jr,"readFormBody");async function ji(e,t,r){let o=le(r),a=r instanceof 
d.ZodError?se(r):void 0,i={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return a!==void 0&&(i.detail=a),Nn(e,t,i)}n(ji,"handleProblem");function Li(e){return e?.requestId}n(Li,"readBrowserRequestId");function Ni(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(Ni,"readUpstreamHtmlError");function Bi(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(Bi,"readRuntimeErrorExtensionString");function Cp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Cp,"readRuntimeErrorExtensionNumber");function Ip(e){try{return new URL(e.url).pathname}catch{return}}n(Ip,"readBrowserRequestPath");function we(e){let t={code:e.code,requestId:e.requestId,routePath:Ip(e.request),underlyingError:e.underlyingError};return e.error instanceof g&&(t.httpStatus=Cp(e.error,ve),t.contentType=Bi(e.error,be),t.upstreamUrl=Bi(e.error,Ce)),t}n(we,"buildBrowserErrorDiagnostic");function at(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(at,"oauthErrorResponse");function xp(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(xp,"readOAuthProtocolHeaders");function Ap(e,t){let r=L("internal_server_error");return at({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:xp(e,t)})}n(Ap,"oauthProtocolErrorResponse");function Kr(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(Kr,"readZodOAuthErrorCode");function Up(e){let t={error:Kr(e)},r=se(e);return r!==void 0&&(t.errorDescription=r),at(t)}n(Up,"oauthZodErrorResponse");function kp(e){let t=le(e);if(t===void 0)return;let r=L(t);if(r.oauthError===void 
0)return;let o={error:r.oauthError,status:Pp(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,at(o)}n(kp,"oauthGatewayProblemResponse");function Tp(){let t={error:"server_error",status:500,errorDescription:L("internal_server_error").publicDetail};return at(t)}n(Tp,"oauthFallbackErrorResponse");function Pp(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Pp,"readOAuthStatus");function Wr(e,t={}){return e instanceof ie?Zi(e):e instanceof p?Ap(e,t):e instanceof d.ZodError?Up(e):kp(e)??Tp()}n(Wr,"oauthProblemResponse");function Vr(e,t,r){let o=qe(e.url),a=Li(t);if(r instanceof ie)return Zi(r);if(r instanceof p){let c=L("internal_server_error");return K({host:o,kind:Ep(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:we({request:e,requestId:a,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:a,status:r.status})}if(r instanceof d.ZodError)return K({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was invalid.",code:Kr(r),diagnostic:we({request:e,requestId:a,code:Kr(r),underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:a});let i=le(r);if(i!==void 0){let c=L(i);return K({host:o,kind:Gi(i),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:i,diagnostic:we({request:e,requestId:a,code:i,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:a,upstreamHtml:Ni(r),status:c.status})}let s=L("internal_server_error");return 
K({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:we({request:e,requestId:a,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:a,status:s.status})}n(Vr,"browserOAuthProblemResponse");function $i(e,t,r){let o=qe(e.url),a=Li(t),i=le(r);if(i!==void 0){let c=L(i);return K({host:o,kind:Gi(i),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:i,diagnostic:we({request:e,requestId:a,code:i,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:a,upstreamHtml:Ni(r),status:c.status})}if(r instanceof d.ZodError)return K({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was invalid.",code:"invalid_request",diagnostic:we({request:e,requestId:a,code:"invalid_request",underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:a});let s=L("internal_server_error");return K({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:we({request:e,requestId:a,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:a,status:s.status})}n($i,"browserGatewayProblemResponse");function Ep(e){return e==="server_error"?"internal_error":"invalid_request"}n(Ep,"readOAuthBrowserErrorKind");function 
Gi(e){if(L(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(Gi,"readGatewayBrowserErrorKind");function ee(e,t,r){let o={event:t},a=!1;if(r instanceof p)o.oauthError=r.errorCode,o.status=r.status,V(o,"error",r);else if(r instanceof ie)o.oauthError=r.errorCode,V(o,"error",r);else if(r instanceof d.ZodError){o.code="invalid_request",V(o,"error",r);let i=r.issues[0];i&&(o.zodPath=i.path.join("."))}else{let i=le(r);if(i!==void 0){let s=L(i);o.code=i,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",V(o,"error",r)}else a=!0,V(o,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,i.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(ee,"logUnexpectedOAuthHandlerError");function Zi(e){let t;try{t=new URL(e.redirectUri)}catch{return at({error:e.errorCode,...e.errorDescription===void 
0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(Zi,"downstreamAuthorizeRedirectErrorResponse");function se(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(se,"formatZodErrorDetail");function Op(e,t){let r={event:"browser_login_callback_failed",code:le(t)??"invalid_request"};V(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Op,"logBrowserLoginCallbackFailure");function Fi(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(Fi,"redirectResultResponse");function Lt(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":bp,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Fi(e)}n(Lt,"authorizeResultResponse");async function Ki(e,t){try{return Response.json(Vn(e.url,e.headers))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),ji(e,t,r)}}n(Ki,"authorizationServerMetadataHandler");async function Ji(e,t){try{let r=Xt(e.params.routePath);return Response.json(Yn({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),ji(e,t,r)}}n(Ji,"scopedAuthorizationServerMetadataHandler");async function Wi(e,t){try{let r=await ni(await vp(e)),o=r,a=typeof o.client_id=="string"?o.client_id:void 0,i=typeof o.client_name=="string"?o.client_name:void 
0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:a,clientName:i,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),v(t,{eventType:R.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:i,attributes:{clientId:a,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_register_failed",r),Wr(r)}}n(Wi,"registerHandler");async function Vi(e,t){try{return Lt(await Fr(e,{context:t}))}catch(r){return ee(t,"oauth_authorize_failed",r),Vr(e,t,r)}}n(Vi,"authorizeHandler");async function Yi(e,t){try{let r=Xt(e.params.routePath);return Lt(await Fr(e,{operationId:r.operationId,context:t}))}catch(r){return ee(t,"oauth_authorize_scoped_failed",r),Vr(e,t,r)}}n(Yi,"scopedAuthorizeHandler");async function Xi(e,t){try{let r=await ki(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Lt(r)}catch(r){return Op(t,r),$i(e,t,r)}}n(Xi,"callbackHandler");async function Qi(e,t){try{return Fi(await Ti(e))}catch(r){return ee(t,"oauth_dev_login_failed",r),Vr(e,t,r)}}n(Qi,"devLoginHandler");async function es(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Pi({request:e,body:e.method==="POST"?await Jr(e):void 0,context:t});return Lt(r)}catch(r){return ee(t,"oauth_setup_failed",r),$i(e,t,r)}}n(es,"setupHandler");async function ts(e,t){try{return Response.json(await Hi({body:await Jr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return ee(t,"oauth_token_failed",r),Wr(r)}}n(ts,"tokenHandler");async function 
rs(e,t){try{return await zi({body:await Jr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_revoke_failed",r),Wr(r)}}n(rs,"revokeHandler");var qp={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},ns=Symbol("upstream-request");function Mp(e){let t=e[ns];if(!t)throw new D("Upstream request context has not been set");return t}n(Mp,"readUpstreamRequestContext");function Dp(e,t){return t.some(r=>r===e)}n(Dp,"requestContextMatchesKind");function Hp(e){return typeof e=="string"?[e]:e}n(Hp,"toExpectedKinds");function He(e,t){Object.defineProperty(e,ns,{configurable:!0,value:t})}n(He,"setUpstreamRequestContext");function it(e,t){let r=Mp(e),o=Hp(t);if(!Dp(r.kind,o)){let a=qp[o[0]];throw new D(`${a} request context has not been set`)}return r}n(it,"requireUpstreamRequestContext");function os(e){return y`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(os,"renderBrowserResult");var zp="text/html; charset=utf-8",Bp="none";function jp(e){let t=hr(e.host);return Oe({title:e.title,iconHref:t,styles:Ee,headerIcon:jt({iconHref:t,fallbackIconHref:tt}),heading:e.title,subhead:"",body:os({body:e.body,code:e.code??Bp}),footer:""})}n(jp,"browserResultHtml");function Lp(e,t=200){return new Response(Pe(e),{status:t,headers:{"content-type":zp,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Lp,"browserResultResponse");function as(e){return Lp(jp(e))}n(as,"browserConnectionSuccessResponse");function Nt(e,t,r={}){let o=Ln(t);return K({host:e,kind:Np(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(Nt,"browserConnectionFailureResponse");function 
Np(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(Np,"readCallbackFailureBrowserErrorKind");var $p=["callback_authorization_code","callback_provider_error","callback_invalid"];function Yr(e){try{return new URL(e.url).pathname}catch{return}}n(Yr,"readBrowserRequestPath");function Gp(e){return"cause"in e?e.cause:void 0}n(Gp,"readErrorCause");function Zp(e){return e.stack?.split(`
|
|
48
|
+
`).slice(1,4).map(t=>t.trim()).join(" | ")}n(Zp,"readFirstStackFrame");function is(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=Zp(r))}n(is,"addErrorAttributes");function Xr(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[_];return Sn(t)?t:void 0}n(Xr,"readRuntimeGatewayCode");function ss(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(ss,"readRuntimeErrorExtensionString");function Fp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Fp,"readRuntimeErrorExtensionNumber");function Kp(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),v(t,{eventType:R.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),Nt(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:Yr(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Nt(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:Yr(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(Kp,"requireAuthorizationCallbackRequest");function 
Jp(e,t){v(e,{eventType:R.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(Jp,"emitCallbackReceivedAnalyticsEvent");function Wp(e,t){v(e,{eventType:R.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(Wp,"emitTokenExchangeSucceededAnalyticsEvent");function Vp(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return as({host:qe(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(Vp,"buildSuccessfulCallbackResponse");function Yp(e){let t={detail:e instanceof Error?e.message:void 0};return is(t,"error",e),e instanceof Error&&is(t,"cause",Gp(e)),t}n(Yp,"buildTokenExchangeFailureAttributes");function Xp(e){v(e.context,{eventType:R.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:Xr(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:Yp(e.error)})}n(Xp,"emitTokenExchangeFailedAnalyticsEvent");function Qp(e){let t=e.error,r=Xr(t),o=vn(r)?r:"upstream_token_exchange_failed",a={code:o,requestId:e.context.requestId,routePath:Yr(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof g?{httpStatus:Fp(t,ve),contentType:ss(t,be),upstreamUrl:ss(t,Ce)}:{}};return Nt(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:a,upstreamHtml:em(t)})}n(Qp,"tokenExchangeFailureResponse");function em(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(em,"readUpstreamHtmlError");async function Qr(e,t){let r=it(e,$p),o=qe(e.url),a=Kp(e,t,r,o);if(a instanceof Response)return a;Jp(t,a);try{let i=await wa({request:e,callbackRequest:a});return 
Wp(t,i),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:i.upstreamServerId,operationId:i.operationId,authProfileId:i.authProfileId,ownerMode:i.ownerMode},"Upstream OAuth token exchange completed; user connection established"),Vp(e,i)}catch(i){let s={event:"upstream_oauth_token_exchange_failed",code:Xr(i)??"upstream_token_exchange_failed",upstreamServerId:a.upstreamServerId};return V(s,"error",i),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),Xp({context:t,callbackRequest:a,error:i}),Qp({request:e,context:t,host:o,callbackRequest:a,error:i})}}n(Qr,"callbackHandler");function tm(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(tm,"clientMetadataProblemDetail");async function cs(e,t){let r=it(e,"connect"),o=await _a({request:e,connectRequest:r});if(v(t,{eventType:R.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let a=await kt({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}n(cs,"connectHandler");async function ds(e,t){let r=it(e,"client_metadata");try{let o=ra(e.url,e.headers),a=na(o,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(o){if(!(o instanceof P))throw o;let a=o instanceof Error?o.message:String(o);return 
t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:a},"Failed to serve OAuth client metadata document for upstream connection"),de.notFound(e,t,{code:"not_found",detail:tm(o)})}}n(ds,"oauthClientMetadataHandler");function ce(e){if(typeof e=="string"&&e.length!==0)return e}n(ce,"readOptionalQueryString");function rm(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new D(`Validated path parameter ${t} is missing`);return r}n(rm,"requirePathString");function nm(e){let t=ce(e);return t?pt.parse(t):void 0}n(nm,"readOptionalOperationId");function om(e,t){let r=ce(e);return r?An.parse(r):ht(t,"user-oauth")}n(om,"readOptionalAuthProfileId");function am(e){let t=nm(e);if(!t)throw new g({message:"operationId query parameter is required.",extensionMembers:{[_]:"invalid_request"}});return t}n(am,"readRequiredOperationId");function im(e){let t=eo(ce(e));return t===void 0?{}:{returnTo:t}}n(im,"readOptionalReturnTo");function sm(e){let t=ce(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(sm,"readOptionalProviderErrorDescription");function cm(e){let t=G(e.authMode);if(t.connectSupport!=="none")return e;throw new g({message:t.connectUnsupportedDetail??"This upstream does not support browser connection flows.",extensionMembers:{[_]:"invalid_request"}})}n(cm,"requireConnectableRouteAuth");function dm(e,t,r,o){return{kind:"connect",...Te(e,t.subjectId),...o===void 0?{}:{returnTo:o},redirect:r}}n(dm,"buildConnectContextForUser");function um(e,t,r){let o=wt(t),a=G(e.authMode);if(o.mode!==a.ownerMode)throw new g({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[_]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(um,"buildConnectContextForTicket");async function lm(e,t){let 
r=cm(Pt(t,am(e.query.operationId))),o=e.query.redirect==="true",a=ce(e.query.browserTicket);if(e.user){if(a)throw new g({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[_]:"invalid_request"}});let s=Ie(e.user,e.url);return dm(r,s,o,im(e.query.returnTo).returnTo)}if(!a)throw new g({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[_]:"authentication_required"}});let i=await Xo(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.operationId!==r.operationId)throw new g({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[_]:"oauth_callback_mismatch"}});return await Qo(i),um(r,i,o)}n(lm,"resolveConnectContext");async function pm(e,t,r){let o=xn.parse(rm(e,"connection"));switch(r){case"connect":He(e,await lm(e,o));return;case"callback":{let a=ce(e.query.error);if(a){He(e,{kind:"callback_provider_error",upstreamServerId:o,error:a,...sm(e)});return}let i=ce(e.query.code),s=ce(e.query.state);if(i&&s){He(e,{kind:"callback_authorization_code",upstreamServerId:o,code:i,state:s});return}He(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":He(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:om(e.query.authProfileId,o)});return}}n(pm,"resolveUpstreamRequestInbound");async function mm(e,t,r){try{await pm(e,t,r);return}catch(o){let a=o instanceof g?o.extensionMembers?.[_]:void 0,i=o instanceof Error?o.message:void 0;switch(a){case"invalid_request":case"oauth_callback_mismatch":return de.badRequest(e,t,{code:a,detail:i});case"authentication_required":return de.unauthorized(e,t,{code:a,detail:i});default:throw o}}}n(mm,"applyUpstreamRequestContext");function $t(e,t){return n(async(o,a)=>{let i=await mm(o,a,e);return i||t(o,a)},"wrapped")}n($t,"withUpstreamRequestContext");var 
fm={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function hm(){return new Response(null,{status:204,headers:fm})}n(hm,"buildWellKnownPreflightResponse");function gm(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(gm,"withWellKnownCorsHeaders");function en(e){return async(t,r)=>t.method==="OPTIONS"?hm():gm(await e(t,r))}n(en,"wrapWellKnownHandler");var ps=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:en(Ki),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:en(Ji),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:en(Xn),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Wi},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Vi},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:Yi},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Xi},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Qi},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:es},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:ts},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:rs},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:$t("client_metadata",ds)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:$t("connect",cs)},{routeName:"upstre
am_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:$t("callback",Qr)}],ym=ps.filter(e=>!e.routeName.startsWith("upstream_")),_m=ps.filter(e=>e.routeName.startsWith("upstream_"));function ms(e){return e?.some(Rn)??!1}n(ms,"hasMcpOAuthRuntimeConfigPolicy");function fs(e){return e?.some(t=>On(t.policyType))??!1}n(fs,"hasMcpTokenExchangePolicy");function hs(e){return ms(e)||fs(e)}n(hs,"shouldRegisterMcpGatewayInternalRoutes");function wm(e){Dn(qn({routes:e.routes,policies:e.policies}))}n(wm,"initializeMcpGatewayConnectionRegistry");function Rm(e){let t=bn(e.policies);if(!t){let r=[...wn].map(o=>`\`${o}\``).join(", ");throw new P(`MCP gateway: could not find an MCP authorization policy in policies.json. Add one of [${r}] and reference it on your MCP routes.`)}return t.config}n(Rm,"initializeMcpGatewayOAuthRuntimeConfig");function us(e,t,r){return async(o,a)=>{r&&yn(a,r());let i=o.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,a);return i||a.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(us,"wrapInternalHandler");function ls(e,t,r){e.addPluginRoute({path:t.path,methods:t.methods,handler:r,processors:[cn],corsPolicy:t.corsPolicy??"none"})}n(ls,"addInternalRoute");function gs(e,t){wm(t);let r=ms(t.policies),o=fs(t.policies),a,i=n(()=>(a===void 0&&(a=Rm(t)),a),"readOAuthConfig");if(r)for(let s of ym)ls(e,s,us(s.routeName,s.handler,i));if(o)for(let s of _m)ls(e,s,us(s.routeName,s.handler))}n(gs,"registerMcpGatewayInternalRoutes");function ys(e){Mn(e)}n(ys,"configureLazyMcpGatewayState");var tn=class extends an{static{n(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!hs(r.policies))return;let o={routes:r.routes,policies:r.policies};ys(o),gs(t.router,o)}};var bm=new TextDecoder;function Sm(e){if(e)try{return 
JSON.parse(bm.decode(e))}catch{return}}n(Sm,"readBodyJson");function te(e){return e&&typeof e=="object"?e:void 0}n(te,"readRecord");function st(e,t){let r=te(e)?.[t];return typeof r=="string"?r:void 0}n(st,"readStringProperty");function ws(e,t){let r=te(e)?.[t];return typeof r=="number"?r:void 0}n(ws,"readNumberProperty");function _s(e,t){return ws(e,"code")??(t.status>=400?t.status:void 0)}n(_s,"readErrorCode");function Rs(e){return Array.isArray(e)?e.map(Rs).find(t=>t?.method):te(e)}n(Rs,"readJsonRpcMessage");function bs(e){let t=Rs(Sm(e)),r=typeof t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:st(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:st(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let a=st(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:a,resourceUri:a}}default:return null}}n(bs,"buildBaseCapabilityInput");function Ss(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(Ss,"isCapabilityListMethod");function vm(e,t,r){let i=te(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(i)?i.length:void 0}n(vm,"readItemCount");async function Cm(e){try{return await e.clone().json()}catch{return}}n(Cm,"readResponseJson");function vs(e){let t=bs(e);return!t||Ss(t.mcpMethod)?null:{eventType:R.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(vs,"buildCapabilityInvokedAnalyticsInput");async function Cs(e,t){let r=bs(e);if(!r)return null;let o=te(await 
Cm(t)),a=te(o?.error),i=te(a?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&te(s)?.isError===!0;if(te(i?.connectRequired))return{eventType:R.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:ws(a,"code"),mcpErrorType:st(a,"message")};if(Ss(r.mcpMethod)){let l=t.status>=400?void 0:vm(r.mcpMethod,r.capabilityType,s);return{eventType:R.MCP_CAPABILITY_LISTED,outcome:t.status>=400||a?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||a?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:_s(a,t)}:{},...l===void 0?{}:{attributes:{itemCount:l}}}}return t.status>=400||a?{eventType:R.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:_s(a,t),mcpErrorType:st(a,"message")}:{eventType:R.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(Cs,"buildCapabilityFinalAnalyticsInput");var Im={Allow:"POST"};async function xm(e){try{return await e.clone().arrayBuffer()}catch{return}}n(xm,"readRequestBody");function Is(e){try{let t=Hn(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Is,"readRouteAnalyticsFields");function xs(e){return Qn(e.user,e.url,e.headers)?.subjectId}n(xs,"readRequestSubjectId");function Am(e){let t=vs(e.requestBody);t&&v(e.context,{...t,...Is(e.context),httpMethod:e.request.method,subjectId:xs(e.request),transport:"http"})}n(Am,"emitCapabilityInvokedAnalytics");async function Um(e){let t=await 
Cs(e.requestBody,e.response);t&&v(e.context,{...t,...Is(e.context),httpMethod:e.request.method,subjectId:xs(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(Um,"emitCapabilityFinalAnalytics");async function km(e,t){if(e.method==="GET")return de.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},Im);let r=Date.now(),o=await xm(e);Am({context:t,request:e,requestBody:o});let a=await hn(e,t);return await Um({context:t,request:e,requestBody:o,response:a,startedAt:r}),a}n(km,"McpProxyHandler");export{Ps as McpAuth0OAuthInboundPolicy,er as McpCapabilityFilterInboundPolicy,tn as McpGatewayPlugin,Ts as McpOAuthInboundPolicy,km as McpProxyHandler,Ar as McpTokenExchangeInboundPolicy};
|
|
29
49
|
//# sourceMappingURL=index.js.map
|