@zuplo/runtime 6.70.42 → 6.70.43
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/out/esm/{browser-login-idp-HQB254PW.js → browser-login-idp-SQ4CJMPN.js} +2 -2
- package/out/esm/{chunk-A6TMPOZH.js → chunk-J7JE2DD5.js} +52 -52
- package/out/esm/chunk-J7JE2DD5.js.map +1 -0
- package/out/esm/{chunk-B6R5XTUK.js → chunk-LU6CEICL.js} +2 -2
- package/out/esm/index.js +1 -1
- package/out/esm/mcp-gateway/index.js +8 -8
- package/out/esm/mcp-gateway/index.js.map +1 -1
- package/package.json +1 -1
- package/out/esm/chunk-A6TMPOZH.js.map +0 -1
- /package/out/esm/{browser-login-idp-HQB254PW.js.map → browser-login-idp-SQ4CJMPN.js.map} +0 -0
- /package/out/esm/{chunk-A6TMPOZH.js.LEGAL.txt → chunk-J7JE2DD5.js.LEGAL.txt} +0 -0
- /package/out/esm/{chunk-B6R5XTUK.js.map → chunk-LU6CEICL.js.map} +0 -0
|
@@ -22,10 +22,10 @@
|
|
|
22
22
|
* DEALINGS IN THE SOFTWARE.
|
|
23
23
|
*--------------------------------------------------------------------------------------------*/
|
|
24
24
|
|
|
25
|
-
import{$ as Y,A as Un,Aa as no,B as kn,Ba as oo,C as Tn,Ca as ao,D as ht,Da as io,E as Pn,Ea as so,F as En,Fa as co,G as On,Ga as S,H as qn,Ha as v,I as Mn,Ia as X,J as Dn,Ja as I,K as $,Ka as uo,L as Hn,La as Ps,M as zn,Ma as lo,N as b,Na as po,O as W,Oa as Rt,P as U,Pa as mo,Q as Bn,Qa as fo,R as V,Sa as ho,T as jn,Ta as go,U as Ln,Ua as bt,V as le,W as w,X as Nn,Y as $n,Z as Gn,_ as gt,a as gn,aa as Ft,b as ue,ba as Kt,c as yn,ca as Zn,d as j,da as Fn,e as _n,ea as Jt,f as Ts,fa as Wt,g as wn,ga as Kn,h as Rn,ha as E,i as bn,ia as Jn,j as _,ja as Wn,k as be,ka as Vn,l as Se,la as Yn,m as ve,ma as Vt,n as Ce,na as Xn,o as Sn,oa as Yt,p as vn,pa as Xt,q as L,qa as yt,r as Cn,ra as Ie,s as In,sa as Qn,t as xn,ta as eo,u as pt,ua as _t,v as An,va as to,w as Zt,wa as Qt,x as mt,xa as ro,y as ft,ya as je,z as Be,za as wt}from"../chunk-B6R5XTUK.js";import{J as dn,L as u,M as un,N as Gt,O as J,Q as ln,S as h,T as re,U as lt,_ as pn,a as dt,ca as mn,da as fn,ea as d,fa as B,j as de,k as an,m as sn,ma as hn,q as cn,s as ut}from"../chunk-A6TMPOZH.js";import"../chunk-JRXZBVXH.js";import{a as R}from"../chunk-4SACVMDH.js";import{$ as D,a as n,aa as g,ba as P,ca as on,da as ct}from"../chunk-ZIKV2LUM.js";B();function Es(e){let t=ft.safeParse(e);return t.success?t.data.id:void 0}n(Es,"parseJsonRpcRequestId");function yo(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Es(t)}catch{return}}n(yo,"readJsonRpcRequestIdFromBody");function St(e){return Un.parse({jsonrpc:mt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(St,"jsonRpcErrorResponse");function _o(e){return new Tn([kn.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(_o,"urlElicitationRequiredError");var vt=d.record(d.string(),d.unknown()),Os=d.record(d.string(),d.unknown()),qs=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Os.optional(),_meta:vt.optional()}).strict(),Ms=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:vt.optional()}).strict(),Ds=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:vt.optional()}).strict(),Hs=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:vt.optional()}).strict(),zs=d.array(d.union([d.string(),qs])),Bs=d.array(d.union([d.string(),Ms])),js=d.array(d.union([d.string(),Ds])),Ls=d.array(d.union([d.string(),Hs])),Ns=d.object({tools:zs.optional(),prompts:Bs.optional(),resources:js.optional(),resourceTemplates:Ls.optional()}).strict(),tr=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function $s(e,t){return _n(Ns,e,`MCP capability filter policy "${t}"`)}n($s,"parseMcpCapabilityFilterOptions");function O(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(O,"isRecord");function Gs(e,t){if(!O(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Gs,"readParamString");function rr(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(rr,"readRequestId");function So(e){return e===void 0?void 0:JSON.stringify(e)}n(So,"requestIdKey");function Zs(e){let t={};for(let r of tr){let o=e[r.option];if(o===void 0)continue;let a=new Map;for(let i of o){let s=Ws(i,r.itemProperty);s!==void 0&&a.set(s.key,s)}t[r.option]=a}return t}n(Zs,"buildProjectionMaps");function nr(e){return tr.find(t=>t.listMethod===e)}n(nr,"findListRule");function Fs(e){return e.requests.some(t=>{if(!O(t))return!1;let r=nr(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(Fs,"shouldFilterListResponses");function Ks(e){for(let t of tr){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let a=Gs(e.request.params,o.paramProperty);if(a!==void 0&&!r.has(a))return{id:rr(e.request)}}}}n(Ks,"findDisallowedDirectAccess");function Js(e){return Response.json(St({id:e,error:{code:Be.MethodNotFound,message:"Method not found"}}))}n(Js,"methodNotFoundResponse");function Ws(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!O(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n(Ws,"buildProjection");function wo(e){let t=e.base[e.property],r=e.overlay[e.property];return O(r)?O(t)?{...t,...r}:r:t}n(wo,"mergeRecordProperty");function Vs(e,t){let r={...e,...t.overlay},o=wo({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let a=wo({base:e,overlay:t.overlay,property:"_meta"});return a!==void 0&&(r._meta=a),r}n(Vs,"applyProjection");function Ro(e,t,r){if(!O(e))return e;let o=e.result;if(!O(o))return e;let a=o[t.resultProperty];return!Array.isArray(a)||!a.every(i=>O(i)&&typeof i[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:a.flatMap(i=>{if(!O(i))return[];let s=i[t.itemProperty];if(typeof s!="string")return[];let c=r.get(s);return c===void 0?[]:[Vs(i,c)]})}}}n(Ro,"filterAndProjectItems");function Ys(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!O(r))continue;let o=nr(r.method),a=rr(r),i=So(a);o!==void 0&&i!==void 0&&t.set(i,o)}return t}n(Ys,"buildListRulesByResponseId");function Xs(e){if(Array.isArray(e.responseBody)){let o=Ys(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(a=>{if(!O(a)||"error"in a)return a;let i=So(rr(a)),s=i===void 0?void 0:o.get(i),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?a:Ro(a,s,c)})}if(!O(e.requestBody)||!O(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=nr(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:Ro(e.responseBody,t,r)}n(Xs,"filterJsonRpcResponse");async function bo(e){return e.clone().json()}n(bo,"readJson");function Qs(e){return e.headers.get("content-type")?.includes("json")??!1}n(Qs,"isJsonResponse");var er=class extends ut{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=$s(t,r);super(o,r),this.#e=Zs(o)}async handler(t,r){dt("policy.inbound.mcp-capability-filter");let o;try{o=await bo(t)}catch{return t}let a=Array.isArray(o)?o:[o];for(let i of a){if(!O(i))continue;let s=Ks({request:i,projectionMaps:this.#e});if(s!==void 0)return Js(s.id)}return Fs({requests:a,projectionMaps:this.#e})&&r.addResponseSendingHook(async i=>{if(!Qs(i))return i;let s;try{s=await bo(i)}catch{return i}let c=Xs({requestBody:o,responseBody:s,projectionMaps:this.#e});if(c===s)return i;let l=new Headers(i.headers);return l.delete("content-length"),new Response(JSON.stringify(c),{status:i.status,statusText:i.statusText,headers:l})}),t}};var or;or=globalThis.crypto;async function ec(e){return(await or).getRandomValues(new Uint8Array(e))}n(ec,"getRandomValues");async function tc(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let a=await ec(e-o.length);for(let i of a)i<r&&(o+=t[i%t.length])}return o}n(tc,"random");async function rc(e){return await tc(e)}n(rc,"generateVerifier");async function nc(e){let t=await(await or).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(nc,"generateChallenge");async function ar(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await rc(e),r=await nc(t);return{code_verifier:t,code_challenge:r}}n(ar,"pkceChallenge");B();var T=un().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:mn.custom,message:"URL must be parseable",fatal:!0}),dn}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),Ct=lt({resource:u().url(),authorization_servers:h(T).optional(),jwks_uri:u().url().optional(),scopes_supported:h(u()).optional(),bearer_methods_supported:h(u()).optional(),resource_signing_alg_values_supported:h(u()).optional(),resource_name:u().optional(),resource_documentation:u().optional(),resource_policy_uri:u().url().optional(),resource_tos_uri:u().url().optional(),tls_client_certificate_bound_access_tokens:J().optional(),authorization_details_types_supported:h(u()).optional(),dpop_signing_alg_values_supported:h(u()).optional(),dpop_bound_access_tokens_required:J().optional()}),Le=lt({issuer:u(),authorization_endpoint:T,token_endpoint:T,registration_endpoint:T.optional(),scopes_supported:h(u()).optional(),response_types_supported:h(u()),response_modes_supported:h(u()).optional(),grant_types_supported:h(u()).optional(),token_endpoint_auth_methods_supported:h(u()).optional(),token_endpoint_auth_signing_alg_values_supported:h(u()).optional(),service_documentation:T.optional(),revocation_endpoint:T.optional(),revocation_endpoint_auth_methods_supported:h(u()).optional(),revocation_endpoint_auth_signing_alg_values_supported:h(u()).optional(),introspection_endpoint:u().optional(),introspection_endpoint_auth_methods_supported:h(u()).optional(),introspection_endpoint_auth_signing_alg_values_supported:h(u()).optional(),code_challenge_methods_supported:h(u()).optional(),client_id_metadata_document_supported:J().optional()}),oc=lt({issuer:u(),authorization_endpoint:T,token_endpoint:T,userinfo_endpoint:T.optional(),jwks_uri:T,registration_endpoint:T.optional(),scopes_supported:h(u()).optional(),response_types_supported:h(u()),response_modes_supported:h(u()).optional(),grant_types_supported:h(u()).optional(),acr_values_supported:h(u()).optional(),subject_types_supported:h(u()),id_token_signing_alg_values_supported:h(u()),id_token_encryption_alg_values_supported:h(u()).optional(),id_token_encryption_enc_values_supported:h(u()).optional(),userinfo_signing_alg_values_supported:h(u()).optional(),userinfo_encryption_alg_values_supported:h(u()).optional(),userinfo_encryption_enc_values_supported:h(u()).optional(),request_object_signing_alg_values_supported:h(u()).optional(),request_object_encryption_alg_values_supported:h(u()).optional(),request_object_encryption_enc_values_supported:h(u()).optional(),token_endpoint_auth_methods_supported:h(u()).optional(),token_endpoint_auth_signing_alg_values_supported:h(u()).optional(),display_values_supported:h(u()).optional(),claim_types_supported:h(u()).optional(),claims_supported:h(u()).optional(),service_documentation:u().optional(),claims_locales_supported:h(u()).optional(),ui_locales_supported:h(u()).optional(),claims_parameter_supported:J().optional(),request_parameter_supported:J().optional(),request_uri_parameter_supported:J().optional(),require_request_uri_registration:J().optional(),op_policy_uri:T.optional(),op_tos_uri:T.optional(),client_id_metadata_document_supported:J().optional()}),It=re({...oc.shape,...Le.pick({code_challenge_methods_supported:!0}).shape}),xe=re({access_token:u(),id_token:u().optional(),token_type:u(),expires_in:fn.number().optional(),scope:u().optional(),refresh_token:u().optional()}).strip(),Co=re({error:u(),error_description:u().optional(),error_uri:u().optional()}),vo=T.optional().or(pn("").transform(()=>{})),ac=re({redirect_uris:h(T),token_endpoint_auth_method:u().optional(),grant_types:h(u()).optional(),response_types:h(u()).optional(),client_name:u().optional(),client_uri:T.optional(),logo_uri:vo,scope:u().optional(),contacts:h(u()).optional(),tos_uri:vo,policy_uri:u().optional(),jwks_uri:T.optional(),jwks:ln().optional(),software_id:u().optional(),software_version:u().optional(),software_statement:u().optional()}).strip(),ir=re({client_id:u(),client_secret:u().optional(),client_id_issued_at:Gt().optional(),client_secret_expires_at:Gt().optional()}).strip(),Ne=ac.merge(ir),Gm=re({error:u(),error_description:u().optional()}).strip(),Zm=re({token:u(),token_type_hint:u().optional()}).strip();function Io(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(Io,"resourceUrlFromServerUrl");function xo({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return a.startsWith(i)}n(xo,"checkResourceAllowed");var x=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},$e=class extends x{static{n(this,"InvalidRequestError")}};$e.errorCode="invalid_request";var pe=class extends x{static{n(this,"InvalidClientError")}};pe.errorCode="invalid_client";var me=class extends x{static{n(this,"InvalidGrantError")}};me.errorCode="invalid_grant";var fe=class extends x{static{n(this,"UnauthorizedClientError")}};fe.errorCode="unauthorized_client";var Ge=class extends x{static{n(this,"UnsupportedGrantTypeError")}};Ge.errorCode="unsupported_grant_type";var Ze=class extends x{static{n(this,"InvalidScopeError")}};Ze.errorCode="invalid_scope";var Fe=class extends x{static{n(this,"AccessDeniedError")}};Fe.errorCode="access_denied";var Q=class extends x{static{n(this,"ServerError")}};Q.errorCode="server_error";var Ke=class extends x{static{n(this,"TemporarilyUnavailableError")}};Ke.errorCode="temporarily_unavailable";var Je=class extends x{static{n(this,"UnsupportedResponseTypeError")}};Je.errorCode="unsupported_response_type";var We=class extends x{static{n(this,"UnsupportedTokenTypeError")}};We.errorCode="unsupported_token_type";var Ve=class extends x{static{n(this,"InvalidTokenError")}};Ve.errorCode="invalid_token";var Ye=class extends x{static{n(this,"MethodNotAllowedError")}};Ye.errorCode="method_not_allowed";var Xe=class extends x{static{n(this,"TooManyRequestsError")}};Xe.errorCode="too_many_requests";var he=class extends x{static{n(this,"InvalidClientMetadataError")}};he.errorCode="invalid_client_metadata";var Qe=class extends x{static{n(this,"InsufficientScopeError")}};Qe.errorCode="insufficient_scope";var et=class extends x{static{n(this,"InvalidTargetError")}};et.errorCode="invalid_target";var Ao={[$e.errorCode]:$e,[pe.errorCode]:pe,[me.errorCode]:me,[fe.errorCode]:fe,[Ge.errorCode]:Ge,[Ze.errorCode]:Ze,[Fe.errorCode]:Fe,[Q.errorCode]:Q,[Ke.errorCode]:Ke,[Je.errorCode]:Je,[We.errorCode]:We,[Ve.errorCode]:Ve,[Ye.errorCode]:Ye,[Xe.errorCode]:Xe,[he.errorCode]:he,[Qe.errorCode]:Qe,[et.errorCode]:et};function ic(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(ic,"isClientAuthMethod");var sr="code",cr="S256";function sc(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&ic(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(sc,"selectClientAuthMethod");function cc(e,t,r,o){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":dc(a,i,r);return;case"client_secret_post":uc(a,i,o);return;case"none":lc(a,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(cc,"applyClientAuthentication");function dc(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(dc,"applyBasicAuth");function uc(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(uc,"applyPostAuth");function lc(e,t){t.set("client_id",e)}n(lc,"applyPublicAuth");async function ko(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=Co.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=o,c=Ao[a]||Q;return new c(i||"",s)}catch(o){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. Raw body: ${r}`;return new Q(a)}}n(ko,"parseErrorResponse");async function lr(e,t){try{return await dr(e,t)}catch(r){if(r instanceof pe||r instanceof fe)return await e.invalidateCredentials?.("all"),await dr(e,t);if(r instanceof me)return await e.invalidateCredentials?.("tokens"),await dr(e,t);throw r}}n(lr,"auth");async function dr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),c,l,m,f=a;if(!f&&s?.resourceMetadataUrl&&(f=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(l=s.authorizationServerUrl,c=s.resourceMetadata,m=s.authorizationServerMetadata??await Eo(l,{fetchFn:i}),!c)try{c=await Po(t,{resourceMetadataUrl:f},i)}catch{}(m!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}else{let M=await yc(t,{resourceMetadataUrl:f,fetchFn:i});l=M.authorizationServerUrl,m=M.authorizationServerMetadata,c=M.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}let A=await pc(t,e,c),C=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,N=await Promise.resolve(e.clientInformation());if(!N){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let M=m?.client_id_metadata_document_supported===!0,ze=e.clientMetadataUrl;if(ze&&!pr(ze))throw new he(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${ze}`);if(M&&ze)N={client_id:ze},await e.saveClientInformation?.(N);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let nn=await Sc(l,{metadata:m,clientMetadata:e.clientMetadata,scope:C,fetchFn:i});await e.saveClientInformation(nn),N=nn}}let Re=!e.redirectUrl;if(r!==void 0||Re){let M=await bc(e,l,{metadata:m,resource:A,authorizationCode:r,fetchFn:i});return await e.saveTokens(M),"AUTHORIZED"}let rn=await e.tokens();if(rn?.refresh_token)try{let M=await Rc(l,{metadata:m,clientInformation:N,refreshToken:rn.refresh_token,resource:A,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(M),"AUTHORIZED"}catch(M){if(!(!(M instanceof x)||M instanceof Q))throw M}let As=e.state?await e.state():void 0,{authorizationUrl:Us,codeVerifier:ks}=await _c(l,{metadata:m,clientInformation:N,state:As,redirectUrl:e.redirectUrl,scope:C,resource:A});return await e.saveCodeVerifier(ks),await e.redirectToAuthorization(Us),"REDIRECT"}n(dr,"authInternal");function pr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(pr,"isHttpsUrl");async function pc(e,t,r){let o=Io(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!xo({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(pc,"selectResourceURL");function To(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let a=ur(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=ur(e,"scope")||void 0,c=ur(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:c}}n(To,"extractWWWAuthenticateParams");function ur(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(o);return a?a[1]||a[2]:null}n(ur,"extractFieldFromWwwAuth");async function Po(e,t,r=fetch){let o=await hc(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return Ct.parse(await o.json())}n(Po,"discoverOAuthProtectedResourceMetadata");async function mr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?mr(e,void 0,r):void 0;throw o}}n(mr,"fetchWithCorsRetry");function mc(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(mc,"buildWellKnownPath");async function Uo(e,t,r=fetch){return await mr(e,{"MCP-Protocol-Version":t},r)}n(Uo,"tryMetadataDiscovery");function fc(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(fc,"shouldAttemptFallback");async function hc(e,t,r,o){let a=new URL(e),i=o?.protocolVersion??Zt,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let l=mc(t,a.pathname);s=new URL(l,o?.metadataServerUrl??a),s.search=a.search}let c=await Uo(s,i,r);if(!o?.metadataUrl&&fc(c,a.pathname)){let l=new URL(`/.well-known/${t}`,a);c=await Uo(l,i,r)}return c}n(hc,"discoverMetadataWithFallback");function gc(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),o.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(gc,"buildDiscoveryUrls");async function Eo(e,{fetchFn:t=fetch,protocolVersion:r=Zt}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},a=gc(e);for(let{url:i,type:s}of a){let c=await mr(i,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Le.parse(await c.json()):It.parse(await c.json())}}}n(Eo,"discoverAuthorizationServerMetadata");async function yc(e,t){let r,o;try{r=await Po(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let a=await Eo(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:a,resourceMetadata:r}}n(yc,"discoverOAuthServerInfo");async function _c(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:a,state:i,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(sr))throw new Error(`Incompatible auth server: does not support response type ${sr}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(cr))throw new Error(`Incompatible auth server: does not support code challenge method ${cr}`)}else c=new URL("/authorize",e);let l=await ar(),m=l.code_verifier,f=l.code_challenge;return c.searchParams.set("response_type",sr),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",f),c.searchParams.set("code_challenge_method",cr),c.searchParams.set("redirect_uri",String(o)),i&&c.searchParams.set("state",i),a&&c.searchParams.set("scope",a),a?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:m}}n(_c,"startAuthorization");function wc(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(wc,"prepareAuthorizationCodeRequest");async function Oo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:a,resource:i,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),l=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(l,r,c,t);else if(o){let f=t?.token_endpoint_auth_methods_supported??[],A=sc(o,f);cc(A,o,l,r)}let m=await(s??fetch)(c,{method:"POST",headers:l,body:r});if(!m.ok)throw await ko(m);return xe.parse(await m.json())}n(Oo,"executeTokenRequest");async function Rc(e,{metadata:t,clientInformation:r,refreshToken:o,resource:a,addClientAuthentication:i,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),l=await Oo(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:o,...l}}n(Rc,"refreshAuthorization");async function bc(e,t,{metadata:r,resource:o,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let m=await e.codeVerifier();c=wc(a,m,e.redirectUrl)}let l=await e.clientInformation();return Oo(t,{metadata:r,tokenRequestParams:c,clientInformation:l??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:i})}n(bc,"fetchToken");async function Sc(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await ko(s);return Ne.parse(await s.json())}n(Sc,"registerClient");var fr="zuplo.com",vc=new Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),Cc=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function qo(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(qo,"s2FaviconHref");function Ic(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(Ic,"strictFaviconHref");var tt=qo(fr);function hr(e){let t=e.toLowerCase();return t===fr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?qo(fr):Ic(e)}n(hr,"resolveIconHref");function xc(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(xc,"hostnameFromHost");function Ac(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Ac,"isLocalOrAddressHost");function Uc(e){let t=xc(e).toLowerCase().replace(/\.$/,"");if(Ac(t)||Cc.some(i=>t===i.slice(1)||t.endsWith(i)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),a=vc.has(o)?3:2;return r.slice(-a).join(".")}n(Uc,"inferFaviconDomain");function gr(e){return{src:hr(Uc(e)),mimeType:"image/png",sizes:["128x128"]}}n(gr,"resolveMcpFaviconIcon");function xt(e){try{return gr(new URL(e).host)}catch{return}}n(xt,"resolveMcpFaviconIconFromUrl");function ne(e){let t=$().connectionsById.get(e);if(!t)throw new P(`Unknown upstream server "${e}". Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(ne,"getUpstreamServerConfig");function kc(e){let t=$().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new P(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(kc,"resolveUpstreamAuthProfileId");function yr(e){kc(e);let t=$().connectionsById.get(e.upstreamServerId);if(!t)throw new P(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(yr,"getUpstreamAuthConfig");function ge(e,t){let r=yr({upstreamServerId:e,authProfileId:t});if(!En(r))throw new P(`Upstream server "${e}" does not use upstream OAuth. Select an auth mode that supports the requested upstream connect flow or remove the upstream OAuth route for this server.`);return r.oauth}n(ge,"requireUpstreamOAuthConfig");var Tc={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"}};function G(e){return Tc[e]}n(G,"describeUpstreamAuthMode");function At(e){return G(e).ownerMode}n(At,"resolveOwnerModeForUpstreamAuthMode");B();import{errors as No,jwtVerify as $o,SignJWT as Go}from"jose";var q="zuplo-mcp-gateway",H=q,z="HS256";import{base64url as Pc}from"jose";var Ec=new TextEncoder,Oc="MCP gateway could not initialize secure key material.",qc=32,Mo=new Map,Do=new Map,Mc;function Dc(){return Mc??on.instance.authPrivateKey}n(Dc,"readAuthPrivateKey");function Ho(e){return new D(Oc,e===void 0?void 0:{cause:e})}n(Ho,"createGeneratedKeyMaterialError");function zo(e,t){let r=Pc.decode(t);if(r.byteLength!==qc)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(zo,"decodeJwkKeyField");function Hc(e){let t=Dc();if(!t)throw Ho();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=zo("d",r.d);zo("x",r.x);let a=Ec.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),i=new Uint8Array(a.byteLength+o.byteLength);return i.set(a),i.set(o,a.byteLength),i}catch(r){throw Ho(r)}}n(Hc,"decodeGeneratedKeyMaterial");function zc(e){let t=Mo.get(e);return t||(t=Hc(e),Mo.set(e,t)),t}n(zc,"getMasterKeyMaterial");async function Z(e){let t=Do.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(zc(e.keyMaterialPurpose));return Do.set(e.purpose,r),r}n(Z,"readCachedDerivedKey");var Bc="SHA-256";var jc="zuplo-mcp-gateway:",Lc=new TextEncoder,Bo=new WeakMap;async function oe(e,t){let r=Bo.get(e);r||(r=new Map,Bo.set(e,r));let o=r.get(t);if(o)return o;let a=await Nc(e,t);return r.set(t,a),a}n(oe,"deriveGatewaySigningKey");async function Nc(e,t){let r=jo(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=Lc.encode(`${jc}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:Bc,salt:new Uint8Array,info:jo(a)},o,32*8);return new Uint8Array(i)}n(Nc,"hkdfExpand");function jo(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(jo,"copyToArrayBuffer");var Zo=15*60,$c=15*60,Gc=ro.extend({id:no}),Zc=Gc.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Fo=Qt.extend({id:oo,purpose:d.literal("browser_connect")}),Fc=Qt.extend({purpose:d.literal("browser_connect")}),Kc=Fo.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Ko=Zo*1e3;async function Jo(){return Z({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"oauth-state"),"derive")})}n(Jo,"getOAuthStateKey");async function Wo(){return Z({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-connect"),"derive")})}n(Wo,"getBrowserConnectKey");async function Vo(e){let t=Math.floor(Date.now()/1e3)+Zo;return new Go(e).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(t).sign(await Jo())}n(Vo,"signOAuthState");async function Ut(e){try{let{payload:t}=await $o(e,await Jo(),{algorithms:[z],issuer:q,audience:H});return Zc.parse(t)}catch(t){throw t instanceof No.JWTExpired?new g({message:"OAuth state has expired",extensionMembers:{[_]:"oauth_state_expired"}},{cause:t}):new g({message:"OAuth state could not be verified",extensionMembers:{[_]:"oauth_state_invalid"}},{cause:t})}}n(Ut,"verifyOAuthState");async function Yo(e){let t=Math.floor(Date.now()/1e3)+$c,r=Fc.parse(e),o=Fo.parse({...r,id:co()});return new Go(o).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(t).sign(await Wo())}n(Yo,"signBrowserConnectTicket");async function Xo(e){try{let{payload:t}=await $o(e,await Wo(),{algorithms:[z],issuer:q,audience:H});return Kc.parse(t)}catch(t){throw t instanceof No.JWTExpired?new g({message:"Browser connect ticket has expired",extensionMembers:{[_]:"oauth_state_expired"}},{cause:t}):new g({message:"Browser connect ticket could not be verified",extensionMembers:{[_]:"oauth_state_invalid"}},{cause:t})}}n(Xo,"verifyBrowserConnectTicket");async function Qo(e){if((await S().consumeBrowserConnectTicket({id:e.id,expiresAt:b(new Date(e.exp*1e3)),now:b(new Date)})).kind==="consumed")throw new g({message:"Browser connect ticket has already been used",extensionMembers:{[_]:"oauth_state_reused"}})}n(Qo,"consumeBrowserConnectTicket");function Jc(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Jc,"buildConnectRequiredMessage");async function Wc(e){let t=U(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Yo({...je(e),purpose:"browser_connect"})),r.toString()}n(Wc,"buildGatewayBrowserTicketUrl");function Vc(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}n(Vc,"buildGatewayConnectPath");async function _r(e){return Wc({...e,path:Vc(e.upstreamServerId),redirect:!0})}n(_r,"buildGatewayConnectUrl");async function kt(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await _r(t),message:Jc(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(kt,"buildRedirectConnectRequiredResponse");function ea(e){return Yc({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(ea,"buildAdminConnectRequiredResponse");function Yc(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(Yc,"buildAdminSetupRequiredResponse");B();function wr(e){return`Zuplo MCP Gateway - ${e}`}n(wr,"buildGatewayOAuthClientName");function ta(e,t,r){let o=new URL(e,U(t,r));return ue(o)&&gn(o.hostname)!=="localhost"&&(o.hostname="localhost"),o.toString()}n(ta,"buildGatewayOAuthRedirectUri");function Rr(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}n(Rr,"buildOAuthClientMetadataDocumentUrl");function ra(e,t){return U(e,t)}n(ra,"requireOAuthClientMetadataOrigin");function na(e,t,r){let o=ne(t),a=ge(t,r),i={client_id:Rr({origin:e,upstreamServerId:t,authProfileId:r}),client_name:wr(o.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"};return a.scopes.length>0&&(i.scope=a.scopes.join(a.scopeDelimiter)),i}n(na,"buildOAuthClientMetadataDocument");B();import{base64url as ae}from"jose";var Xc="SHA-256",Ue="AES-GCM",Qc=12,Sr="zuplo-secret",vr=1,oa="generated:auth_private_key:token-encryption",ed=d.object({version:d.literal(vr),keyId:d.literal(oa),algorithm:d.literal(Ue),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function Ae(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Ae,"copyToArrayBuffer");async function br(){return Z({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(Xc,Ae(e));return crypto.subtle.importKey("raw",t,{name:Ue},!1,["encrypt","decrypt"])},"derive")})}n(br,"getEncryptionKey");function aa(e){return Ae(new TextEncoder().encode(`${Sr}:v${e.version}:${e.keyId}`))}n(aa,"getAssociatedData");function td(e){return`${Sr}:v${e.version}:${ae.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(td,"encodeEnvelope");function rd(e){let t=`${Sr}:v${vr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(ae.decode(r));return ed.parse(JSON.parse(o))}n(rd,"decodeEnvelope");async function Tt(e){let t=await br(),r=crypto.getRandomValues(new Uint8Array(Qc)),o={version:vr,keyId:oa},a=await crypto.subtle.encrypt({name:Ue,iv:r,additionalData:aa(o)},t,new TextEncoder().encode(e));return td({...o,algorithm:Ue,iv:ae.encode(r),ciphertext:ae.encode(new Uint8Array(a))})}n(Tt,"encryptSecret");async function rt(e){let t=rd(e);if(t){let s=await br(),c=await crypto.subtle.decrypt({name:Ue,iv:Ae(ae.decode(t.iv)),additionalData:aa(t)},s,Ae(ae.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new D("Encrypted payload is malformed");let a=await br(),i=await crypto.subtle.decrypt({name:Ue,iv:Ae(ae.decode(r))},a,Ae(ae.decode(o)));return new TextDecoder().decode(i)}n(rt,"decryptSecret");var nd=d.union([Ne,ir]),od=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:Ct.optional(),authorizationServerMetadata:d.union([Le,It]).optional()}).passthrough(),ad="Bearer",id="__zuplo_refresh_only_upstream_access_token__";function sd(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(sd,"splitScopes");function cd(e){return gt.parse(e)}n(cd,"parsePkceCodeVerifier");function dd(e){if(typeof e.expires_in=="number")return b(new Date(Date.now()+e.expires_in*1e3))}n(dd,"readTokenExpiry");async function ia(e){if(e!==void 0)return Tt(JSON.stringify(e))}n(ia,"encryptJson");async function sa(e,t){if(!e)return;let r=await rt(e);try{return t.parse(JSON.parse(r))}catch(o){throw new g({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[_]:"oauth_state_invalid"}},{cause:o})}}n(sa,"decryptJson");function ud(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(ud,"toOAuthDiscoveryState");function ld(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(ld,"clientInformationAllowsRedirectUri");function pd(e,t,r){let o=ne(e),a=ge(e,t),i=Cr(a.scopes,a.scopeDelimiter);return{client_name:wr(o.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}n(pd,"buildOAuthClientMetadata");function Cr(e,t){return e&&e.length>0?e.join(t):void 0}n(Cr,"joinOAuthScopes");function md(e,t){return t===void 0?e:{...e,scope:t}}n(md,"applyOAuthClientMetadataScope");function ca(e,t){return Cr(e?.resourceMetadata?.scopes_supported,t)}n(ca,"readResourceMetadataScope");function fd(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new P(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Ne.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(fd,"buildManualOAuthClientInformation");function hd(e,t,r){let o=Rr({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return pr(o)?o:void 0}n(hd,"buildClientMetadataUrl");function da(e){for(let t of e)if(t!==void 0)return t}n(da,"firstDefined");function gd(e){let t=ge(e.target.upstreamServerId,e.target.authProfileId),r=pd(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri),o=Cr(t.scopes,t.scopeDelimiter);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:fd({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let a=hd(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return a===void 0?{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:a}}n(gd,"buildInitialOAuthClientSetup");function yd(e,t){if(t===void 0)return da([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(yd,"readEncryptedClientInformation");function _d(e){return da([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(_d,"readEncryptedDiscoveryState");var ye=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=gd({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=yd(t,this.configuredClientInformation),this.encryptedDiscoveryState=_d(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return md(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return Vo({id:t.id,...je({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await ia(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.inferredScope=ca(t,this.scopeDelimiter),this.encryptedDiscoveryState=await ia(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=xe.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,a=r.refresh_token?await Tt(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:xe.parse({...r,refresh_token:await rt(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let i={id:this.connection?.id??io(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Tt(r.access_token),encryptedRefreshToken:a,scopes:sd(r.scope??this.readEffectiveScope()),expiresAt:dd(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await S().upsertUpstreamConnection(i)}async redirectToAuthorization(t){this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:cd(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new g({message:"OAuth code verifier is missing",extensionMembers:{[_]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:so(),...je({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:b(new Date(Date.now()+Ko)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await S().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await sa(this.encryptedClientInformation,nd)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!ld(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=ud(await sa(this.encryptedDiscoveryState,od))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=ca(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await rt(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await rt(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=xe.parse({access_token:t??id,token_type:ad,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await S().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var wd=3e4,Rd=256*1024,bd=2;function Sd(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(Sd,"hasUsableAccessToken");var vd="does not support dynamic client registration",Cd=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],Id=["HTTP 403 Forbidden","Access Denied","permission to access"];function xd(e){return e instanceof Error&&e.message.includes(vd)}n(xd,"isDynamicClientRegistrationUnsupported");function Ad(e){return e instanceof Error&&Cd.some(t=>e.message.includes(t))}n(Ad,"isProtectedResourceMetadataUnavailable");function Ud(e){return e instanceof Error&&Id.some(t=>e.message.includes(t))}n(Ud,"isUpstreamProviderAccessDenied");function kd(e){if(e.error instanceof g&&e.error.extensionMembers?.[_]!==void 0)return e.error;if(xd(e.error))return new g({message:`The authorization server for ${e.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[_]:"upstream_client_registration_required"}},{cause:e.error});if(Ad(e.error))return new g({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[_]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(Ud(e.error))return new g({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[_]:"upstream_provider_access_denied"}},{cause:e.error})}n(kd,"mapUpstreamOAuthSetupError");function Td(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(Td,"readOAuthFetchRequest");function Pd(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(Pd,"responseLooksJson");function Ed(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(Ed,"responseLooksHtml");function Od(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new g({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting ${e.upstreamServerId}.`,extensionMembers:{[_]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[ve]:e.response.status,[be]:r,[Ce]:e.request.url.toString(),[Se]:e.body}})}n(Od,"throwUpstreamHtmlError");function ua(e){return async(t,r)=>{let o=Td(t),a=await fo(t,r,{maxRedirects:bd,maxResponseBytes:Rd,problemCode:"upstream_token_exchange_failed",timeoutMs:wd}),i=await a.clone().text();if(!a.ok&&Ed(a,i)&&Od({upstreamServerId:e,request:o,response:a,body:i}),!Pd(a,i))return a;try{JSON.parse(i)}catch(s){throw new g({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned invalid JSON.`,extensionMembers:{[_]:"upstream_token_exchange_failed"}},{cause:s})}return a}}n(ua,"createUpstreamOAuthFetch");async function la(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:ua(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await lr(e,r)}catch(r){let o=kd({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(la,"runUpstreamOAuth");async function qd(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:ua(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),lr(e,r)}n(qd,"exchangeUpstreamAuthorizationCode");async function pa(e,t){let r=await la(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new g({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}}):new g({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}})}n(pa,"requireUpstreamAuthorizationRedirect");async function ma(e){if(!e.forceRefresh&&Sd(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await la(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new g({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new g({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Bd({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(ma,"authorizeUpstreamOAuthSession");async function Md(e){let t=await Ut(e.stateToken),r=await S().consumeUpstreamOAuthState({id:t.id,now:b(new Date)}),o=Dd(r);return Hd({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),zd(o),o}n(Md,"consumeStoredCallbackState");function Dd(e){switch(e.kind){case"consumed":throw new g({message:"OAuth state has already been used",extensionMembers:{[_]:"oauth_state_reused"}});case"missing":throw new g({message:"OAuth state is missing or expired",extensionMembers:{[_]:"oauth_state_expired"}});case"available":return e.record}}n(Dd,"readConsumedCallbackState");function Hd(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new g({message:"OAuth callback did not match the initiating request",extensionMembers:{[_]:"oauth_callback_mismatch"}})}n(Hd,"assertStoredCallbackStateMatches");function zd(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new g({message:"OAuth state has expired",extensionMembers:{[_]:"oauth_state_expired"}})}n(zd,"assertStoredCallbackStateFresh");async function Bd(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),ea(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),kt(t)}n(Bd,"buildOAuthConnectRequiredResponse");async function fa(e){let t=await Md({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=wt(t),[o]=await S().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(a.connection=o);let i=new ye(a),s=await qd(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new g({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}}):new g({message:`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}})}n(fa,"finishUpstreamOAuthCallback");async function ha(e){let t=ne(e.upstreamServerId),r=ge(e.upstreamServerId,e.authProfileId),o=ta(r.redirectPath,e.request.url,e.request.headers),a="preloadedConnection"in e?e.preloadedConnection:(await S().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:U(e.request.url,e.request.headers)}}}n(ha,"prepareUpstreamOAuthRequest");async function ga(e){let t=await ha(e),r=new ye({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return pa(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(ga,"startUpstreamConnect");async function ya(e){let t=await ha(e),r=new ye({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return ma({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(ya,"authorizeUpstreamRequest");async function ke(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return ya({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}let r=t;throw new D(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(ke,"resolveUpstreamCredentialForRoute");async function _a(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},o=G(e.connectRequest.authMode);switch(o.connectSupport){case"oauth_authorization":t=await ga(r);break;case"none":throw new D(o.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(_a,"startUpstreamConnectForRequest");async function wa(e){let r=(await Ut(e.callbackRequest.state)).authProfileId,o=yr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(G(o.mode).callbackSupport!=="authorization_code")throw new D(`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return fa({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:ne(e.callbackRequest.upstreamServerId)})}n(wa,"finishUpstreamCallbackForRequest");function jd(e){let t=G(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(jd,"buildRouteAuthBaseFromConnection");function ba(e){let t=G(e.connection.authMode);return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:ht(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(ba,"buildRouteAuthBaseFromPolicyOptions");function Pt(e,t){let o=$().byOperationId.get(t);if(!o)throw new P(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new P(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new P(`MCP route "${t}" does not bind upstream "${e}". Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return jd({connection:o.connection,operationId:t})}n(Pt,"resolveRouteAuthBase");function Ra(e,t){switch(e){case"user":return _t(t);case"shared":return to()}}n(Ra,"buildOwnerForSubject");function Te(e,t){switch(e.ownerMode){case"shared":return{...e,owner:Ra(e.ownerMode,t),initiatedBySubjectId:t};case"user":return{...e,owner:Ra(e.ownerMode,t),initiatedBySubjectId:t}}}n(Te,"resolveRouteAuthForSubject");var Ld=Be.InvalidRequest,Nd=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function $d(e,t){return{credentialType:e.type,forceRefresh:t,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}n($d,"buildCredentialResolvedAttributes");function Gd(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(Gd,"connectRequiredReasonCode");function Sa(e){v(e.context,{eventType:R.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:$d(e.credential,e.forceRefresh===!0)})}n(Sa,"emitCredentialResolvedAnalyticsEvent");function va(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(v(e.context,{eventType:R.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){v(e.context,{eventType:R.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}v(e.context,{eventType:R.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:Gd(e.payload.state),reasonClass:"auth",attributes:t})}n(va,"emitCredentialMissingAnalyticsEvents");function Zd(e){let t=e.route.raw();return pt.parse(t?.operationId)}n(Zd,"readOperationId");async function Fd(e,t,r,o){let a=await ke({request:e,routeAuth:t});if(a.kind==="connect_required")return va({context:o,payload:a.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:a.payload};let i=a.credential;switch(Sa({context:o,credential:i,routeBinding:t}),i.type){case"none":return{kind:"headers",headers:[]};case"bearer_token":return{kind:"headers",headers:[["authorization",`Bearer ${i.token}`]]};case"headers":return{kind:"headers",headers:Object.entries(i.headers)};case"mcp_oauth_provider":{let s=await i.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}}}n(Fd,"buildCredentialHeaders");var Kd=new Set(["authorization","cookie","cookie2"]);function Jd(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(Jd,"readJsonRequestMethod");function Wd(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(Wd,"isJsonResponse");function Ir(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(Ir,"isRecord");function Vd(e){return Array.isArray(e)&&e.length>0}n(Vd,"hasIconList");function Yd(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=xt(Cn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(Yd,"readFallbackServerIcons");function Xd(e){if(!Ir(e.body))return e.body;let t=e.body.result;if(!Ir(t))return e.body;let r=t.serverInfo;return!Ir(r)||Vd(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(Xd,"addMissingServerIcons");function Qd(e,t){let r=new Headers(e.headers);for(let o of Kd)r.delete(o);for(let[o,a]of t)r.set(o,a);return new sn(e,{headers:r})}n(Qd,"applyUpstreamHeaders");function eu(e){let t=new Headers(e.headers);for(let r of Nd)t.delete(r);return t}n(eu,"buildProxyHeaders");async function tu(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(tu,"readRetryBody");function Ca(e,t){let r=t.authUrl===void 0?void 0:_o({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(St({id:yo(e),error:{code:r?.code??Ld,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(Ca,"connectRequiredJsonRpcResponse");async function ru(e){let{scope:t}=To(e.upstreamResponse),r=await ke({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0,...t===void 0?{}:{requestedScope:t}});if(r.kind==="connect_required")return va({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),a=r.credential;switch(Sa({context:e.context,credential:a,routeBinding:e.routeAuth,forceRefresh:!0}),a.type){case"none":return o.delete("authorization"),{kind:"headers",headers:o};case"bearer_token":return o.set("authorization",`Bearer ${a.token}`),{kind:"headers",headers:o};case"headers":for(let[i,s]of Object.entries(a.headers))o.set(i,s);return{kind:"headers",headers:o};case"mcp_oauth_provider":{let i=await a.provider.tokens();return i?(o.set("authorization",`${i.token_type??"Bearer"} ${i.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}}}n(ru,"applyRefreshedCredentialHeaders");function nu(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await ru({request:e.request,context:e.context,headers:eu(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return Ca(e.requestBody,o.payload);if(o.kind==="response")return o.response;let a=In({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return ct.fetch(a.url,a.init)})}n(nu,"installUpstreamAuthRetryHook");function ou(e){if(Jd(e.requestBody)!=="initialize")return;let t=Yd({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!Wd(r))return r;let o;try{o=await r.clone().json()}catch{return r}let a=Xd({body:o,icons:t});if(a===o)return r;let i=new Headers(r.headers);return i.delete("content-length"),new Response(JSON.stringify(a),{status:r.status,statusText:r.statusText,headers:i})})}n(ou,"installInitializeIconHook");async function xr(e,t,r){let o=Zd(t),a=await tu(e),i=ba({connection:r,operationId:o}),s=Ie(e.user,e.url,e.headers);jn(t,s);let c=Te(i,s.subjectId),l=await Fd(e,c,r,t);if(!(l instanceof Response)&&l.kind==="connect_required")return Ca(a,l.payload);if(l instanceof Response)return l;let m=Qd(e,l.headers);return nu({request:m,context:t,requestBody:a,routeAuth:c}),ou({context:t,requestBody:a,connection:r}),m}n(xr,"mcpTokenExchangePolicy");var Ar=class extends ut{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Pn(t,r);super(o,r)}async handler(t,r){return dt("policy.inbound.mcp-token-exchange"),xr(t,r,this.options)}};B();var Ia=Symbol("Html");function au(e){return e.replaceAll("&","&").replaceAll("<","<").replaceAll(">",">").replaceAll('"',""").replaceAll("'","'")}n(au,"escapeHtml");function iu(e){return e===null||typeof e!="object"?!1:e[Ia]===!0}n(iu,"isHtml");function Et(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Et).join(""):iu(e)?e.value:au(String(e))}n(Et,"renderValue");function F(e){return{[Ia]:!0,value:e}}n(F,"trustedHtml");var k=F("");function y(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Et(t[o]),r+=e[o+1]??"";return F(r)}n(y,"html");function xa(e,t=k){let r=Et(t),o="",a=!0;for(let i of e)a||(o+=r),o+=Et(i),a=!1;return F(o)}n(xa,"joinHtml");function Pe(e){return e.value}n(Pe,"renderHtml");function Aa(e){return y`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(Aa,"renderBrowserErrorPage");var Ee=F('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Oe(e){return y`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
|
|
25
|
+
import{$ as Y,A as Un,Aa as no,B as kn,Ba as oo,C as Tn,Ca as ao,D as ht,Da as io,E as Pn,Ea as so,F as En,Fa as co,G as On,Ga as S,H as qn,Ha as C,I as Mn,Ia as X,J as Dn,Ja as I,K as $,Ka as uo,L as Hn,La as Es,M as zn,Ma as lo,N as b,Na as po,O as W,Oa as Rt,P as U,Pa as mo,Q as Bn,Qa as fo,R as V,Sa as ho,T as jn,Ta as go,U as Ln,Ua as bt,V as le,W as w,X as Nn,Y as $n,Z as Gn,_ as gt,a as gn,aa as Ft,b as ue,ba as Kt,c as yn,ca as Zn,d as j,da as Fn,e as _n,ea as Jt,f as Ps,fa as Wt,g as wn,ga as Kn,h as Rn,ha as E,i as bn,ia as Jn,j as _,ja as Wn,k as be,ka as Vn,l as Se,la as Yn,m as Ce,ma as Vt,n as ve,na as Xn,o as Sn,oa as Yt,p as Cn,pa as Xt,q as L,qa as yt,r as vn,ra as Ie,s as In,sa as Qn,t as xn,ta as eo,u as pt,ua as _t,v as An,va as to,w as Zt,wa as Qt,x as mt,xa as ro,y as ft,ya as je,z as Be,za as wt}from"../chunk-LU6CEICL.js";import{J as dn,L as u,M as un,N as Gt,O as J,Q as ln,S as h,T as re,U as lt,_ as pn,a as dt,ca as mn,da as fn,ea as d,fa as B,j as de,k as an,m as sn,ma as hn,q as cn,s as ut}from"../chunk-J7JE2DD5.js";import"../chunk-JRXZBVXH.js";import{a as R}from"../chunk-4SACVMDH.js";import{$ as D,a as n,aa as g,ba as P,ca as on,da as ct}from"../chunk-ZIKV2LUM.js";B();function Os(e){let t=ft.safeParse(e);return t.success?t.data.id:void 0}n(Os,"parseJsonRpcRequestId");function yo(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Os(t)}catch{return}}n(yo,"readJsonRpcRequestIdFromBody");function St(e){return Un.parse({jsonrpc:mt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(St,"jsonRpcErrorResponse");function _o(e){return new Tn([kn.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(_o,"urlElicitationRequiredError");var Ct=d.record(d.string(),d.unknown()),qs=d.record(d.string(),d.unknown()),Ms=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:qs.optional(),_meta:Ct.optional()}).strict(),Ds=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),Hs=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),zs=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),Bs=d.array(d.union([d.string(),Ms])),js=d.array(d.union([d.string(),Ds])),Ls=d.array(d.union([d.string(),Hs])),Ns=d.array(d.union([d.string(),zs])),$s=d.object({tools:Bs.optional(),prompts:js.optional(),resources:Ls.optional(),resourceTemplates:Ns.optional()}).strict(),tr=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function Gs(e,t){return _n($s,e,`MCP capability filter policy "${t}"`)}n(Gs,"parseMcpCapabilityFilterOptions");function O(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(O,"isRecord");function Zs(e,t){if(!O(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Zs,"readParamString");function rr(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(rr,"readRequestId");function So(e){return e===void 0?void 0:JSON.stringify(e)}n(So,"requestIdKey");function Fs(e){let t={};for(let r of tr){let o=e[r.option];if(o===void 0)continue;let a=new Map;for(let i of o){let s=Vs(i,r.itemProperty);s!==void 0&&a.set(s.key,s)}t[r.option]=a}return t}n(Fs,"buildProjectionMaps");function nr(e){return tr.find(t=>t.listMethod===e)}n(nr,"findListRule");function Ks(e){return e.requests.some(t=>{if(!O(t))return!1;let r=nr(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(Ks,"shouldFilterListResponses");function Js(e){for(let t of tr){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let a=Zs(e.request.params,o.paramProperty);if(a!==void 0&&!r.has(a))return{id:rr(e.request)}}}}n(Js,"findDisallowedDirectAccess");function Ws(e){return Response.json(St({id:e,error:{code:Be.MethodNotFound,message:"Method not found"}}))}n(Ws,"methodNotFoundResponse");function Vs(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!O(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n(Vs,"buildProjection");function wo(e){let t=e.base[e.property],r=e.overlay[e.property];return O(r)?O(t)?{...t,...r}:r:t}n(wo,"mergeRecordProperty");function Ys(e,t){let r={...e,...t.overlay},o=wo({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let a=wo({base:e,overlay:t.overlay,property:"_meta"});return a!==void 0&&(r._meta=a),r}n(Ys,"applyProjection");function Ro(e,t,r){if(!O(e))return e;let o=e.result;if(!O(o))return e;let a=o[t.resultProperty];return!Array.isArray(a)||!a.every(i=>O(i)&&typeof i[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:a.flatMap(i=>{if(!O(i))return[];let s=i[t.itemProperty];if(typeof s!="string")return[];let c=r.get(s);return c===void 0?[]:[Ys(i,c)]})}}}n(Ro,"filterAndProjectItems");function Xs(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!O(r))continue;let o=nr(r.method),a=rr(r),i=So(a);o!==void 0&&i!==void 0&&t.set(i,o)}return t}n(Xs,"buildListRulesByResponseId");function Qs(e){if(Array.isArray(e.responseBody)){let o=Xs(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(a=>{if(!O(a)||"error"in a)return a;let i=So(rr(a)),s=i===void 0?void 0:o.get(i),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?a:Ro(a,s,c)})}if(!O(e.requestBody)||!O(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=nr(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:Ro(e.responseBody,t,r)}n(Qs,"filterJsonRpcResponse");async function bo(e){return e.clone().json()}n(bo,"readJson");function ec(e){return e.headers.get("content-type")?.includes("json")??!1}n(ec,"isJsonResponse");var er=class extends ut{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=Gs(t,r);super(o,r),this.#e=Fs(o)}async handler(t,r){dt("policy.inbound.mcp-capability-filter");let o;try{o=await bo(t)}catch{return t}let a=Array.isArray(o)?o:[o];for(let i of a){if(!O(i))continue;let s=Js({request:i,projectionMaps:this.#e});if(s!==void 0)return Ws(s.id)}return Ks({requests:a,projectionMaps:this.#e})&&r.addResponseSendingHook(async i=>{if(!ec(i))return i;let s;try{s=await bo(i)}catch{return i}let c=Qs({requestBody:o,responseBody:s,projectionMaps:this.#e});if(c===s)return i;let l=new Headers(i.headers);return l.delete("content-length"),new Response(JSON.stringify(c),{status:i.status,statusText:i.statusText,headers:l})}),t}};var or;or=globalThis.crypto;async function tc(e){return(await or).getRandomValues(new Uint8Array(e))}n(tc,"getRandomValues");async function rc(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let a=await tc(e-o.length);for(let i of a)i<r&&(o+=t[i%t.length])}return o}n(rc,"random");async function nc(e){return await rc(e)}n(nc,"generateVerifier");async function oc(e){let t=await(await or).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(oc,"generateChallenge");async function ar(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await nc(e),r=await oc(t);return{code_verifier:t,code_challenge:r}}n(ar,"pkceChallenge");B();var T=un().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:mn.custom,message:"URL must be parseable",fatal:!0}),dn}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),vt=lt({resource:u().url(),authorization_servers:h(T).optional(),jwks_uri:u().url().optional(),scopes_supported:h(u()).optional(),bearer_methods_supported:h(u()).optional(),resource_signing_alg_values_supported:h(u()).optional(),resource_name:u().optional(),resource_documentation:u().optional(),resource_policy_uri:u().url().optional(),resource_tos_uri:u().url().optional(),tls_client_certificate_bound_access_tokens:J().optional(),authorization_details_types_supported:h(u()).optional(),dpop_signing_alg_values_supported:h(u()).optional(),dpop_bound_access_tokens_required:J().optional()}),Le=lt({issuer:u(),authorization_endpoint:T,token_endpoint:T,registration_endpoint:T.optional(),scopes_supported:h(u()).optional(),response_types_supported:h(u()),response_modes_supported:h(u()).optional(),grant_types_supported:h(u()).optional(),token_endpoint_auth_methods_supported:h(u()).optional(),token_endpoint_auth_signing_alg_values_supported:h(u()).optional(),service_documentation:T.optional(),revocation_endpoint:T.optional(),revocation_endpoint_auth_methods_supported:h(u()).optional(),revocation_endpoint_auth_signing_alg_values_supported:h(u()).optional(),introspection_endpoint:u().optional(),introspection_endpoint_auth_methods_supported:h(u()).optional(),introspection_endpoint_auth_signing_alg_values_supported:h(u()).optional(),code_challenge_methods_supported:h(u()).optional(),client_id_metadata_document_supported:J().optional()}),ac=lt({issuer:u(),authorization_endpoint:T,token_endpoint:T,userinfo_endpoint:T.optional(),jwks_uri:T,registration_endpoint:T.optional(),scopes_supported:h(u()).optional(),response_types_supported:h(u()),response_modes_supported:h(u()).optional(),grant_types_supported:h(u()).optional(),acr_values_supported:h(u()).optional(),subject_types_supported:h(u()),id_token_signing_alg_values_supported:h(u()),id_token_encryption_alg_values_supported:h(u()).optional(),id_token_encryption_enc_values_supported:h(u()).optional(),userinfo_signing_alg_values_supported:h(u()).optional(),userinfo_encryption_alg_values_supported:h(u()).optional(),userinfo_encryption_enc_values_supported:h(u()).optional(),request_object_signing_alg_values_supported:h(u()).optional(),request_object_encryption_alg_values_supported:h(u()).optional(),request_object_encryption_enc_values_supported:h(u()).optional(),token_endpoint_auth_methods_supported:h(u()).optional(),token_endpoint_auth_signing_alg_values_supported:h(u()).optional(),display_values_supported:h(u()).optional(),claim_types_supported:h(u()).optional(),claims_supported:h(u()).optional(),service_documentation:u().optional(),claims_locales_supported:h(u()).optional(),ui_locales_supported:h(u()).optional(),claims_parameter_supported:J().optional(),request_parameter_supported:J().optional(),request_uri_parameter_supported:J().optional(),require_request_uri_registration:J().optional(),op_policy_uri:T.optional(),op_tos_uri:T.optional(),client_id_metadata_document_supported:J().optional()}),It=re({...ac.shape,...Le.pick({code_challenge_methods_supported:!0}).shape}),xe=re({access_token:u(),id_token:u().optional(),token_type:u(),expires_in:fn.number().optional(),scope:u().optional(),refresh_token:u().optional()}).strip(),vo=re({error:u(),error_description:u().optional(),error_uri:u().optional()}),Co=T.optional().or(pn("").transform(()=>{})),ic=re({redirect_uris:h(T),token_endpoint_auth_method:u().optional(),grant_types:h(u()).optional(),response_types:h(u()).optional(),client_name:u().optional(),client_uri:T.optional(),logo_uri:Co,scope:u().optional(),contacts:h(u()).optional(),tos_uri:Co,policy_uri:u().optional(),jwks_uri:T.optional(),jwks:ln().optional(),software_id:u().optional(),software_version:u().optional(),software_statement:u().optional()}).strip(),ir=re({client_id:u(),client_secret:u().optional(),client_id_issued_at:Gt().optional(),client_secret_expires_at:Gt().optional()}).strip(),Ne=ic.merge(ir),Vm=re({error:u(),error_description:u().optional()}).strip(),Ym=re({token:u(),token_type_hint:u().optional()}).strip();function Io(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(Io,"resourceUrlFromServerUrl");function xo({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return a.startsWith(i)}n(xo,"checkResourceAllowed");var x=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},$e=class extends x{static{n(this,"InvalidRequestError")}};$e.errorCode="invalid_request";var pe=class extends x{static{n(this,"InvalidClientError")}};pe.errorCode="invalid_client";var me=class extends x{static{n(this,"InvalidGrantError")}};me.errorCode="invalid_grant";var fe=class extends x{static{n(this,"UnauthorizedClientError")}};fe.errorCode="unauthorized_client";var Ge=class extends x{static{n(this,"UnsupportedGrantTypeError")}};Ge.errorCode="unsupported_grant_type";var Ze=class extends x{static{n(this,"InvalidScopeError")}};Ze.errorCode="invalid_scope";var Fe=class extends x{static{n(this,"AccessDeniedError")}};Fe.errorCode="access_denied";var Q=class extends x{static{n(this,"ServerError")}};Q.errorCode="server_error";var Ke=class extends x{static{n(this,"TemporarilyUnavailableError")}};Ke.errorCode="temporarily_unavailable";var Je=class extends x{static{n(this,"UnsupportedResponseTypeError")}};Je.errorCode="unsupported_response_type";var We=class extends x{static{n(this,"UnsupportedTokenTypeError")}};We.errorCode="unsupported_token_type";var Ve=class extends x{static{n(this,"InvalidTokenError")}};Ve.errorCode="invalid_token";var Ye=class extends x{static{n(this,"MethodNotAllowedError")}};Ye.errorCode="method_not_allowed";var Xe=class extends x{static{n(this,"TooManyRequestsError")}};Xe.errorCode="too_many_requests";var he=class extends x{static{n(this,"InvalidClientMetadataError")}};he.errorCode="invalid_client_metadata";var Qe=class extends x{static{n(this,"InsufficientScopeError")}};Qe.errorCode="insufficient_scope";var et=class extends x{static{n(this,"InvalidTargetError")}};et.errorCode="invalid_target";var Ao={[$e.errorCode]:$e,[pe.errorCode]:pe,[me.errorCode]:me,[fe.errorCode]:fe,[Ge.errorCode]:Ge,[Ze.errorCode]:Ze,[Fe.errorCode]:Fe,[Q.errorCode]:Q,[Ke.errorCode]:Ke,[Je.errorCode]:Je,[We.errorCode]:We,[Ve.errorCode]:Ve,[Ye.errorCode]:Ye,[Xe.errorCode]:Xe,[he.errorCode]:he,[Qe.errorCode]:Qe,[et.errorCode]:et};function sc(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(sc,"isClientAuthMethod");var sr="code",cr="S256";function cc(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in e&&e.token_endpoint_auth_method&&sc(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(cc,"selectClientAuthMethod");function dc(e,t,r,o){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":uc(a,i,r);return;case"client_secret_post":lc(a,i,o);return;case"none":pc(a,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(dc,"applyClientAuthentication");function uc(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(uc,"applyBasicAuth");function lc(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(lc,"applyPostAuth");function pc(e,t){t.set("client_id",e)}n(pc,"applyPublicAuth");async function ko(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=vo.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=o,c=Ao[a]||Q;return new c(i||"",s)}catch(o){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. Raw body: ${r}`;return new Q(a)}}n(ko,"parseErrorResponse");async function lr(e,t){try{return await dr(e,t)}catch(r){if(r instanceof pe||r instanceof fe)return await e.invalidateCredentials?.("all"),await dr(e,t);if(r instanceof me)return await e.invalidateCredentials?.("tokens"),await dr(e,t);throw r}}n(lr,"auth");async function dr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),c,l,m,f=a;if(!f&&s?.resourceMetadataUrl&&(f=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(l=s.authorizationServerUrl,c=s.resourceMetadata,m=s.authorizationServerMetadata??await Eo(l,{fetchFn:i}),!c)try{c=await Po(t,{resourceMetadataUrl:f},i)}catch{}(m!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}else{let M=await _c(t,{resourceMetadataUrl:f,fetchFn:i});l=M.authorizationServerUrl,m=M.authorizationServerMetadata,c=M.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}let A=await mc(t,e,c),v=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,N=await Promise.resolve(e.clientInformation());if(!N){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let M=m?.client_id_metadata_document_supported===!0,ze=e.clientMetadataUrl;if(ze&&!pr(ze))throw new he(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${ze}`);if(M&&ze)N={client_id:ze},await e.saveClientInformation?.(N);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let nn=await Cc(l,{metadata:m,clientMetadata:e.clientMetadata,scope:v,fetchFn:i});await e.saveClientInformation(nn),N=nn}}let Re=!e.redirectUrl;if(r!==void 0||Re){let M=await Sc(e,l,{metadata:m,resource:A,authorizationCode:r,fetchFn:i});return await e.saveTokens(M),"AUTHORIZED"}let rn=await e.tokens();if(rn?.refresh_token)try{let M=await bc(l,{metadata:m,clientInformation:N,refreshToken:rn.refresh_token,resource:A,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(M),"AUTHORIZED"}catch(M){if(!(!(M instanceof x)||M instanceof Q))throw M}let Us=e.state?await e.state():void 0,{authorizationUrl:ks,codeVerifier:Ts}=await wc(l,{metadata:m,clientInformation:N,state:Us,redirectUrl:e.redirectUrl,scope:v,resource:A});return await e.saveCodeVerifier(Ts),await e.redirectToAuthorization(ks),"REDIRECT"}n(dr,"authInternal");function pr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(pr,"isHttpsUrl");async function mc(e,t,r){let o=Io(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!xo({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(mc,"selectResourceURL");function To(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let a=ur(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=ur(e,"scope")||void 0,c=ur(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:c}}n(To,"extractWWWAuthenticateParams");function ur(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(o);return a?a[1]||a[2]:null}n(ur,"extractFieldFromWwwAuth");async function Po(e,t,r=fetch){let o=await gc(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return vt.parse(await o.json())}n(Po,"discoverOAuthProtectedResourceMetadata");async function mr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?mr(e,void 0,r):void 0;throw o}}n(mr,"fetchWithCorsRetry");function fc(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(fc,"buildWellKnownPath");async function Uo(e,t,r=fetch){return await mr(e,{"MCP-Protocol-Version":t},r)}n(Uo,"tryMetadataDiscovery");function hc(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(hc,"shouldAttemptFallback");async function gc(e,t,r,o){let a=new URL(e),i=o?.protocolVersion??Zt,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let l=fc(t,a.pathname);s=new URL(l,o?.metadataServerUrl??a),s.search=a.search}let c=await Uo(s,i,r);if(!o?.metadataUrl&&hc(c,a.pathname)){let l=new URL(`/.well-known/${t}`,a);c=await Uo(l,i,r)}return c}n(gc,"discoverMetadataWithFallback");function yc(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),o.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(yc,"buildDiscoveryUrls");async function Eo(e,{fetchFn:t=fetch,protocolVersion:r=Zt}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},a=yc(e);for(let{url:i,type:s}of a){let c=await mr(i,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load ${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Le.parse(await c.json()):It.parse(await c.json())}}}n(Eo,"discoverAuthorizationServerMetadata");async function _c(e,t){let r,o;try{r=await Po(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let a=await Eo(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:a,resourceMetadata:r}}n(_c,"discoverOAuthServerInfo");async function wc(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:a,state:i,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(sr))throw new Error(`Incompatible auth server: does not support response type ${sr}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(cr))throw new Error(`Incompatible auth server: does not support code challenge method ${cr}`)}else c=new URL("/authorize",e);let l=await ar(),m=l.code_verifier,f=l.code_challenge;return c.searchParams.set("response_type",sr),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",f),c.searchParams.set("code_challenge_method",cr),c.searchParams.set("redirect_uri",String(o)),i&&c.searchParams.set("state",i),a&&c.searchParams.set("scope",a),a?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:m}}n(wc,"startAuthorization");function Rc(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(Rc,"prepareAuthorizationCodeRequest");async function Oo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:a,resource:i,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),l=new Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(l,r,c,t);else if(o){let f=t?.token_endpoint_auth_methods_supported??[],A=cc(o,f);dc(A,o,l,r)}let m=await(s??fetch)(c,{method:"POST",headers:l,body:r});if(!m.ok)throw await ko(m);return xe.parse(await m.json())}n(Oo,"executeTokenRequest");async function bc(e,{metadata:t,clientInformation:r,refreshToken:o,resource:a,addClientAuthentication:i,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),l=await Oo(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:o,...l}}n(bc,"refreshAuthorization");async function Sc(e,t,{metadata:r,resource:o,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let m=await e.codeVerifier();c=Rc(a,m,e.redirectUrl)}let l=await e.clientInformation();return Oo(t,{metadata:r,tokenRequestParams:c,clientInformation:l??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:i})}n(Sc,"fetchToken");async function Cc(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await ko(s);return Ne.parse(await s.json())}n(Cc,"registerClient");var fr="zuplo.com",vc=new Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),Ic=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function qo(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(qo,"s2FaviconHref");function xc(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(xc,"strictFaviconHref");var tt=qo(fr);function hr(e){let t=e.toLowerCase();return t===fr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?qo(fr):xc(e)}n(hr,"resolveIconHref");function Ac(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(Ac,"hostnameFromHost");function Uc(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Uc,"isLocalOrAddressHost");function kc(e){let t=Ac(e).toLowerCase().replace(/\.$/,"");if(Uc(t)||Ic.some(i=>t===i.slice(1)||t.endsWith(i)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),a=vc.has(o)?3:2;return r.slice(-a).join(".")}n(kc,"inferFaviconDomain");function gr(e){return{src:hr(kc(e)),mimeType:"image/png",sizes:["128x128"]}}n(gr,"resolveMcpFaviconIcon");function xt(e){try{return gr(new URL(e).host)}catch{return}}n(xt,"resolveMcpFaviconIconFromUrl");function ne(e){let t=$().connectionsById.get(e);if(!t)throw new P(`Unknown upstream server "${e}". Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(ne,"getUpstreamServerConfig");function Tc(e){let t=$().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new P(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(Tc,"resolveUpstreamAuthProfileId");function yr(e){Tc(e);let t=$().connectionsById.get(e.upstreamServerId);if(!t)throw new P(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(yr,"getUpstreamAuthConfig");function ge(e,t){let r=yr({upstreamServerId:e,authProfileId:t});if(!En(r))throw new P(`Upstream server "${e}" does not use upstream OAuth. Select an auth mode that supports the requested upstream connect flow or remove the upstream OAuth route for this server.`);return r.oauth}n(ge,"requireUpstreamOAuthConfig");var Pc={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"}};function G(e){return Pc[e]}n(G,"describeUpstreamAuthMode");function At(e){return G(e).ownerMode}n(At,"resolveOwnerModeForUpstreamAuthMode");B();import{errors as No,jwtVerify as $o,SignJWT as Go}from"jose";var q="zuplo-mcp-gateway",H=q,z="HS256";import{base64url as Ec}from"jose";var Oc=new TextEncoder,qc="MCP gateway could not initialize secure key material.",Mc=32,Mo=new Map,Do=new Map,Dc;function Hc(){return Dc??on.instance.authPrivateKey}n(Hc,"readAuthPrivateKey");function Ho(e){return new D(qc,e===void 0?void 0:{cause:e})}n(Ho,"createGeneratedKeyMaterialError");function zo(e,t){let r=Ec.decode(t);if(r.byteLength!==Mc)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(zo,"decodeJwkKeyField");function zc(e){let t=Hc();if(!t)throw Ho();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=zo("d",r.d);zo("x",r.x);let a=Oc.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),i=new Uint8Array(a.byteLength+o.byteLength);return i.set(a),i.set(o,a.byteLength),i}catch(r){throw Ho(r)}}n(zc,"decodeGeneratedKeyMaterial");function Bc(e){let t=Mo.get(e);return t||(t=zc(e),Mo.set(e,t)),t}n(Bc,"getMasterKeyMaterial");async function Z(e){let t=Do.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(Bc(e.keyMaterialPurpose));return Do.set(e.purpose,r),r}n(Z,"readCachedDerivedKey");var jc="SHA-256";var Lc="zuplo-mcp-gateway:",Nc=new TextEncoder,Bo=new WeakMap;async function oe(e,t){let r=Bo.get(e);r||(r=new Map,Bo.set(e,r));let o=r.get(t);if(o)return o;let a=await $c(e,t);return r.set(t,a),a}n(oe,"deriveGatewaySigningKey");async function $c(e,t){let r=jo(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=Nc.encode(`${Lc}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:jc,salt:new Uint8Array,info:jo(a)},o,32*8);return new Uint8Array(i)}n($c,"hkdfExpand");function jo(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(jo,"copyToArrayBuffer");var Zo=15*60,Gc=15*60,Zc=ro.extend({id:no}),Fc=Zc.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Fo=Qt.extend({id:oo,purpose:d.literal("browser_connect")}),Kc=Qt.extend({purpose:d.literal("browser_connect")}),Jc=Fo.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Ko=Zo*1e3;async function Jo(){return Z({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"oauth-state"),"derive")})}n(Jo,"getOAuthStateKey");async function Wo(){return Z({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-connect"),"derive")})}n(Wo,"getBrowserConnectKey");async function Vo(e){let t=Math.floor(Date.now()/1e3)+Zo;return new Go(e).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(t).sign(await Jo())}n(Vo,"signOAuthState");async function Ut(e){try{let{payload:t}=await $o(e,await Jo(),{algorithms:[z],issuer:q,audience:H});return Fc.parse(t)}catch(t){throw t instanceof No.JWTExpired?new g({message:"OAuth state has expired",extensionMembers:{[_]:"oauth_state_expired"}},{cause:t}):new g({message:"OAuth state could not be verified",extensionMembers:{[_]:"oauth_state_invalid"}},{cause:t})}}n(Ut,"verifyOAuthState");async function Yo(e){let t=Math.floor(Date.now()/1e3)+Gc,r=Kc.parse(e),o=Fo.parse({...r,id:co()});return new Go(o).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(t).sign(await Wo())}n(Yo,"signBrowserConnectTicket");async function Xo(e){try{let{payload:t}=await $o(e,await Wo(),{algorithms:[z],issuer:q,audience:H});return Jc.parse(t)}catch(t){throw t instanceof No.JWTExpired?new g({message:"Browser connect ticket has expired",extensionMembers:{[_]:"oauth_state_expired"}},{cause:t}):new g({message:"Browser connect ticket could not be verified",extensionMembers:{[_]:"oauth_state_invalid"}},{cause:t})}}n(Xo,"verifyBrowserConnectTicket");async function Qo(e){if((await S().consumeBrowserConnectTicket({id:e.id,expiresAt:b(new Date(e.exp*1e3)),now:b(new Date)})).kind==="consumed")throw new g({message:"Browser connect ticket has already been used",extensionMembers:{[_]:"oauth_state_reused"}})}n(Qo,"consumeBrowserConnectTicket");function Wc(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Wc,"buildConnectRequiredMessage");async function Vc(e){let t=U(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Yo({...je(e),purpose:"browser_connect"})),r.toString()}n(Vc,"buildGatewayBrowserTicketUrl");function Yc(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}n(Yc,"buildGatewayConnectPath");async function _r(e){return Vc({...e,path:Yc(e.upstreamServerId),redirect:!0})}n(_r,"buildGatewayConnectUrl");async function kt(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await _r(t),message:Wc(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(kt,"buildRedirectConnectRequiredResponse");function ea(e){return Xc({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(ea,"buildAdminConnectRequiredResponse");function Xc(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(Xc,"buildAdminSetupRequiredResponse");B();function wr(e){return`Zuplo MCP Gateway - ${e}`}n(wr,"buildGatewayOAuthClientName");function ta(e,t,r){let o=new URL(e,U(t,r));return ue(o)&&gn(o.hostname)!=="localhost"&&(o.hostname="localhost"),o.toString()}n(ta,"buildGatewayOAuthRedirectUri");function Rr(e){let t=new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}`,e.origin);return t.searchParams.set("authProfileId",e.authProfileId),t.toString()}n(Rr,"buildOAuthClientMetadataDocumentUrl");function ra(e,t){return U(e,t)}n(ra,"requireOAuthClientMetadataOrigin");function na(e,t,r){let o=ne(t),a=ge(t,r),i={client_id:Rr({origin:e,upstreamServerId:t,authProfileId:r}),client_name:wr(o.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"};return a.scopes.length>0&&(i.scope=a.scopes.join(a.scopeDelimiter)),i}n(na,"buildOAuthClientMetadataDocument");B();import{base64url as ae}from"jose";var Qc="SHA-256",Ue="AES-GCM",ed=12,Sr="zuplo-secret",Cr=1,oa="generated:auth_private_key:token-encryption",td=d.object({version:d.literal(Cr),keyId:d.literal(oa),algorithm:d.literal(Ue),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function Ae(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Ae,"copyToArrayBuffer");async function br(){return Z({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(Qc,Ae(e));return crypto.subtle.importKey("raw",t,{name:Ue},!1,["encrypt","decrypt"])},"derive")})}n(br,"getEncryptionKey");function aa(e){return Ae(new TextEncoder().encode(`${Sr}:v${e.version}:${e.keyId}`))}n(aa,"getAssociatedData");function rd(e){return`${Sr}:v${e.version}:${ae.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(rd,"encodeEnvelope");function nd(e){let t=`${Sr}:v${Cr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(ae.decode(r));return td.parse(JSON.parse(o))}n(nd,"decodeEnvelope");async function Tt(e){let t=await br(),r=crypto.getRandomValues(new Uint8Array(ed)),o={version:Cr,keyId:oa},a=await crypto.subtle.encrypt({name:Ue,iv:r,additionalData:aa(o)},t,new TextEncoder().encode(e));return rd({...o,algorithm:Ue,iv:ae.encode(r),ciphertext:ae.encode(new Uint8Array(a))})}n(Tt,"encryptSecret");async function rt(e){let t=nd(e);if(t){let s=await br(),c=await crypto.subtle.decrypt({name:Ue,iv:Ae(ae.decode(t.iv)),additionalData:aa(t)},s,Ae(ae.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new D("Encrypted payload is malformed");let a=await br(),i=await crypto.subtle.decrypt({name:Ue,iv:Ae(ae.decode(r))},a,Ae(ae.decode(o)));return new TextDecoder().decode(i)}n(rt,"decryptSecret");var od=d.union([Ne,ir]),ad=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:vt.optional(),authorizationServerMetadata:d.union([Le,It]).optional()}).passthrough(),id="Bearer",sd="__zuplo_refresh_only_upstream_access_token__",cd=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function dd(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(dd,"splitScopes");function ud(e){let t=[];for(let r of cd)e.authorizationUrl.searchParams.getAll(r).length>1&&t.push(r);if(t.length!==0)throw new P(`Upstream OAuth authorization metadata for upstream "${e.upstreamServerId}" produced duplicate singleton authorization request parameter(s): ${t.join(", ")}. Remove request-specific query parameters such as "prompt" from the upstream authorization_endpoint; the gateway and OAuth client SDK add per-request parameters during the authorization flow.`)}n(ud,"assertNoDuplicateSingletonAuthorizationRequestParams");function ld(e){return gt.parse(e)}n(ld,"parsePkceCodeVerifier");function pd(e){if(typeof e.expires_in=="number")return b(new Date(Date.now()+e.expires_in*1e3))}n(pd,"readTokenExpiry");async function ia(e){if(e!==void 0)return Tt(JSON.stringify(e))}n(ia,"encryptJson");async function sa(e,t){if(!e)return;let r=await rt(e);try{return t.parse(JSON.parse(r))}catch(o){throw new g({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[_]:"oauth_state_invalid"}},{cause:o})}}n(sa,"decryptJson");function md(e){if(e===void 0)return;let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(md,"toOAuthDiscoveryState");function fd(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(fd,"clientInformationAllowsRedirectUri");function hd(e,t,r){let o=ne(e),a=ge(e,t),i=vr(a.scopes,a.scopeDelimiter);return{client_name:wr(o.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}n(hd,"buildOAuthClientMetadata");function vr(e,t){return e&&e.length>0?e.join(t):void 0}n(vr,"joinOAuthScopes");function gd(e,t){return t===void 0?e:{...e,scope:t}}n(gd,"applyOAuthClientMetadataScope");function ca(e,t){return vr(e?.resourceMetadata?.scopes_supported,t)}n(ca,"readResourceMetadataScope");function yd(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new P(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Ne.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(yd,"buildManualOAuthClientInformation");function _d(e,t,r){let o=Rr({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return pr(o)?o:void 0}n(_d,"buildClientMetadataUrl");function da(e){for(let t of e)if(t!==void 0)return t}n(da,"firstDefined");function wd(e){let t=ge(e.target.upstreamServerId,e.target.authProfileId),r=hd(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri),o=vr(t.scopes,t.scopeDelimiter);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:yd({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let a=_d(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return a===void 0?{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:a}}n(wd,"buildInitialOAuthClientSetup");function Rd(e,t){if(t===void 0)return da([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(Rd,"readEncryptedClientInformation");function bd(e){return da([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(bd,"readEncryptedDiscoveryState");var ye=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=wd({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=Rd(t,this.configuredClientInformation),this.encryptedDiscoveryState=bd(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return gd(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return Vo({id:t.id,...je({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await ia(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){this.cachedDiscoveryState=t,this.discoveryStateLoaded=!0,this.inferredScope=ca(t,this.scopeDelimiter),this.encryptedDiscoveryState=await ia(t),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=xe.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,a=r.refresh_token?await Tt(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:xe.parse({...r,refresh_token:await rt(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let i={id:this.connection?.id??io(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Tt(r.access_token),encryptedRefreshToken:a,scopes:dd(r.scope??this.readEffectiveScope()),expiresAt:pd(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await S().upsertUpstreamConnection(i)}async redirectToAuthorization(t){ud({authorizationUrl:t,upstreamServerId:this.target.upstreamServerId}),this.authorizationUrlValue=t.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:ld(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new g({message:"OAuth code verifier is missing",extensionMembers:{[_]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:so(),...je({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:b(new Date(Date.now()+Ko)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await S().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await sa(this.encryptedClientInformation,od)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!fd(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=md(await sa(this.encryptedDiscoveryState,ad))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=ca(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await rt(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await rt(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=xe.parse({access_token:t??sd,token_type:id,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await S().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var Sd=3e4,Cd=256*1024,vd=2;function Id(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(Id,"hasUsableAccessToken");var xd="does not support dynamic client registration",Ad=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],Ud=["HTTP 403 Forbidden","Access Denied","permission to access"];function kd(e){return e instanceof Error&&e.message.includes(xd)}n(kd,"isDynamicClientRegistrationUnsupported");function Td(e){return e instanceof Error&&Ad.some(t=>e.message.includes(t))}n(Td,"isProtectedResourceMetadataUnavailable");function Pd(e){return e instanceof Error&&Ud.some(t=>e.message.includes(t))}n(Pd,"isUpstreamProviderAccessDenied");function Ed(e){if(e.error instanceof g&&e.error.extensionMembers?.[_]!==void 0)return e.error;if(kd(e.error))return new g({message:`The authorization server for ${e.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[_]:"upstream_client_registration_required"}},{cause:e.error});if(Td(e.error))return new g({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[_]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(Pd(e.error))return new g({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[_]:"upstream_provider_access_denied"}},{cause:e.error})}n(Ed,"mapUpstreamOAuthSetupError");function Od(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(Od,"readOAuthFetchRequest");function qd(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(qd,"responseLooksJson");function Md(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(Md,"responseLooksHtml");function Dd(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new g({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting ${e.upstreamServerId}.`,extensionMembers:{[_]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[Ce]:e.response.status,[be]:r,[ve]:e.request.url.toString(),[Se]:e.body}})}n(Dd,"throwUpstreamHtmlError");function ua(e){return async(t,r)=>{let o=Od(t),a=await fo(t,r,{maxRedirects:vd,maxResponseBytes:Cd,problemCode:"upstream_token_exchange_failed",timeoutMs:Sd}),i=await a.clone().text();if(!a.ok&&Md(a,i)&&Dd({upstreamServerId:e,request:o,response:a,body:i}),!qd(a,i))return a;try{JSON.parse(i)}catch(s){throw new g({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned invalid JSON.`,extensionMembers:{[_]:"upstream_token_exchange_failed"}},{cause:s})}return a}}n(ua,"createUpstreamOAuthFetch");async function la(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:ua(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await lr(e,r)}catch(r){let o=Ed({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(la,"runUpstreamOAuth");async function Hd(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:ua(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),lr(e,r)}n(Hd,"exchangeUpstreamAuthorizationCode");async function pa(e,t){let r=await la(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new g({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}}):new g({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}})}n(pa,"requireUpstreamAuthorizationRedirect");async function ma(e){if(!e.forceRefresh&&Id(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await la(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new g({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new g({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Nd({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(ma,"authorizeUpstreamOAuthSession");async function zd(e){let t=await Ut(e.stateToken),r=await S().consumeUpstreamOAuthState({id:t.id,now:b(new Date)}),o=Bd(r);return jd({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Ld(o),o}n(zd,"consumeStoredCallbackState");function Bd(e){switch(e.kind){case"consumed":throw new g({message:"OAuth state has already been used",extensionMembers:{[_]:"oauth_state_reused"}});case"missing":throw new g({message:"OAuth state is missing or expired",extensionMembers:{[_]:"oauth_state_expired"}});case"available":return e.record}}n(Bd,"readConsumedCallbackState");function jd(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new g({message:"OAuth callback did not match the initiating request",extensionMembers:{[_]:"oauth_callback_mismatch"}})}n(jd,"assertStoredCallbackStateMatches");function Ld(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new g({message:"OAuth state has expired",extensionMembers:{[_]:"oauth_state_expired"}})}n(Ld,"assertStoredCallbackStateFresh");async function Nd(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),ea(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),kt(t)}n(Nd,"buildOAuthConnectRequiredResponse");async function fa(e){let t=await zd({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=wt(t),[o]=await S().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(a.connection=o);let i=new ye(a),s=await Hd(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new g({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}}):new g({message:`OAuth callback flow did not finish authorization for ${e.upstreamServerId}`,extensionMembers:{[_]:"upstream_token_exchange_failed"}})}n(fa,"finishUpstreamOAuthCallback");async function ha(e){let t=ne(e.upstreamServerId),r=ge(e.upstreamServerId,e.authProfileId),o=ta(r.redirectPath,e.request.url,e.request.headers),a="preloadedConnection"in e?e.preloadedConnection:(await S().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:U(e.request.url,e.request.headers)}}}n(ha,"prepareUpstreamOAuthRequest");async function ga(e){let t=await ha(e),r=new ye({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return pa(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(ga,"startUpstreamConnect");async function ya(e){let t=await ha(e),r=new ye({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return ma({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(ya,"authorizeUpstreamRequest");async function ke(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return ya({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}let r=t;throw new D(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(ke,"resolveUpstreamCredentialForRoute");async function _a(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},o=G(e.connectRequest.authMode);switch(o.connectSupport){case"oauth_authorization":t=await ga(r);break;case"none":throw new D(o.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(_a,"startUpstreamConnectForRequest");async function wa(e){let r=(await Ut(e.callbackRequest.state)).authProfileId,o=yr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(G(o.mode).callbackSupport!=="authorization_code")throw new D(`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return fa({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:ne(e.callbackRequest.upstreamServerId)})}n(wa,"finishUpstreamCallbackForRequest");function $d(e){let t=G(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n($d,"buildRouteAuthBaseFromConnection");function ba(e){let t=G(e.connection.authMode);return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:ht(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(ba,"buildRouteAuthBaseFromPolicyOptions");function Pt(e,t){let o=$().byOperationId.get(t);if(!o)throw new P(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new P(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new P(`MCP route "${t}" does not bind upstream "${e}". Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return $d({connection:o.connection,operationId:t})}n(Pt,"resolveRouteAuthBase");function Ra(e,t){switch(e){case"user":return _t(t);case"shared":return to()}}n(Ra,"buildOwnerForSubject");function Te(e,t){switch(e.ownerMode){case"shared":return{...e,owner:Ra(e.ownerMode,t),initiatedBySubjectId:t};case"user":return{...e,owner:Ra(e.ownerMode,t),initiatedBySubjectId:t}}}n(Te,"resolveRouteAuthForSubject");var Gd=Be.InvalidRequest,Zd=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function Fd(e,t){return{credentialType:e.type,forceRefresh:t,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}n(Fd,"buildCredentialResolvedAttributes");function Kd(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(Kd,"connectRequiredReasonCode");function Sa(e){C(e.context,{eventType:R.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:Fd(e.credential,e.forceRefresh===!0)})}n(Sa,"emitCredentialResolvedAnalyticsEvent");function Ca(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(C(e.context,{eventType:R.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){C(e.context,{eventType:R.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}C(e.context,{eventType:R.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:Kd(e.payload.state),reasonClass:"auth",attributes:t})}n(Ca,"emitCredentialMissingAnalyticsEvents");function Jd(e){let t=e.route.raw();return pt.parse(t?.operationId)}n(Jd,"readOperationId");async function Wd(e,t,r,o){let a=await ke({request:e,routeAuth:t});if(a.kind==="connect_required")return Ca({context:o,payload:a.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:a.payload};let i=a.credential;switch(Sa({context:o,credential:i,routeBinding:t}),i.type){case"none":return{kind:"headers",headers:[]};case"bearer_token":return{kind:"headers",headers:[["authorization",`Bearer ${i.token}`]]};case"headers":return{kind:"headers",headers:Object.entries(i.headers)};case"mcp_oauth_provider":{let s=await i.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}}}n(Wd,"buildCredentialHeaders");var Vd=new Set(["authorization","cookie","cookie2"]);function Yd(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(Yd,"readJsonRequestMethod");function Xd(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(Xd,"isJsonResponse");function Ir(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(Ir,"isRecord");function Qd(e){return Array.isArray(e)&&e.length>0}n(Qd,"hasIconList");function eu(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=xt(vn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(eu,"readFallbackServerIcons");function tu(e){if(!Ir(e.body))return e.body;let t=e.body.result;if(!Ir(t))return e.body;let r=t.serverInfo;return!Ir(r)||Qd(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(tu,"addMissingServerIcons");function ru(e,t){let r=new Headers(e.headers);for(let o of Vd)r.delete(o);for(let[o,a]of t)r.set(o,a);return new sn(e,{headers:r})}n(ru,"applyUpstreamHeaders");function nu(e){let t=new Headers(e.headers);for(let r of Zd)t.delete(r);return t}n(nu,"buildProxyHeaders");async function ou(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(ou,"readRetryBody");function va(e,t){let r=t.authUrl===void 0?void 0:_o({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(St({id:yo(e),error:{code:r?.code??Gd,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(va,"connectRequiredJsonRpcResponse");async function au(e){let{scope:t}=To(e.upstreamResponse),r=await ke({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0,...t===void 0?{}:{requestedScope:t}});if(r.kind==="connect_required")return Ca({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),a=r.credential;switch(Sa({context:e.context,credential:a,routeBinding:e.routeAuth,forceRefresh:!0}),a.type){case"none":return o.delete("authorization"),{kind:"headers",headers:o};case"bearer_token":return o.set("authorization",`Bearer ${a.token}`),{kind:"headers",headers:o};case"headers":for(let[i,s]of Object.entries(a.headers))o.set(i,s);return{kind:"headers",headers:o};case"mcp_oauth_provider":{let i=await a.provider.tokens();return i?(o.set("authorization",`${i.token_type??"Bearer"} ${i.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}}}n(au,"applyRefreshedCredentialHeaders");function iu(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await au({request:e.request,context:e.context,headers:nu(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return va(e.requestBody,o.payload);if(o.kind==="response")return o.response;let a=In({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return ct.fetch(a.url,a.init)})}n(iu,"installUpstreamAuthRetryHook");function su(e){if(Yd(e.requestBody)!=="initialize")return;let t=eu({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!Xd(r))return r;let o;try{o=await r.clone().json()}catch{return r}let a=tu({body:o,icons:t});if(a===o)return r;let i=new Headers(r.headers);return i.delete("content-length"),new Response(JSON.stringify(a),{status:r.status,statusText:r.statusText,headers:i})})}n(su,"installInitializeIconHook");async function xr(e,t,r){let o=Jd(t),a=await ou(e),i=ba({connection:r,operationId:o}),s=Ie(e.user,e.url,e.headers);jn(t,s);let c=Te(i,s.subjectId),l=await Wd(e,c,r,t);if(!(l instanceof Response)&&l.kind==="connect_required")return va(a,l.payload);if(l instanceof Response)return l;let m=ru(e,l.headers);return iu({request:m,context:t,requestBody:a,routeAuth:c}),su({context:t,requestBody:a,connection:r}),m}n(xr,"mcpTokenExchangePolicy");var Ar=class extends ut{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Pn(t,r);super(o,r)}async handler(t,r){return dt("policy.inbound.mcp-token-exchange"),xr(t,r,this.options)}};B();var Ia=Symbol("Html");function cu(e){return e.replaceAll("&","&").replaceAll("<","<").replaceAll(">",">").replaceAll('"',""").replaceAll("'","'")}n(cu,"escapeHtml");function du(e){return e===null||typeof e!="object"?!1:e[Ia]===!0}n(du,"isHtml");function Et(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Et).join(""):du(e)?e.value:cu(String(e))}n(Et,"renderValue");function F(e){return{[Ia]:!0,value:e}}n(F,"trustedHtml");var k=F("");function y(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Et(t[o]),r+=e[o+1]??"";return F(r)}n(y,"html");function xa(e,t=k){let r=Et(t),o="",a=!0;for(let i of e)a||(o+=r),o+=Et(i),a=!1;return F(o)}n(xa,"joinHtml");function Pe(e){return e.value}n(Pe,"renderHtml");function Aa(e){return y`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(Aa,"renderBrowserErrorPage");var Ee=F('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px #0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Oe(e){return y`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
|
|
26
26
|
${e.styles}
|
|
27
|
-
</style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(Oe,"renderShell");var
|
|
28
|
-
`);return y`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(
|
|
27
|
+
</style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(Oe,"renderShell");var uu="text/html; charset=utf-8";function qe(e){try{return new URL(e).host}catch{return""}}n(qe,"safeHostFromUrl");function K(e){let t=pu(e.kind??"authorization_failed"),r=lu(e);return new Response(Pe(Oe({title:e.title??t.title,iconHref:"",styles:Ee,headerIcon:k,heading:e.title??t.title,subhead:"",body:Aa({detail:e.detail,guidance:y`<p class="card__description">${t.guidance}</p>`,technicalDetails:yu({diagnostic:r,upstreamHtml:e.upstreamHtml}),action:hu(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":uu,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(K,"browserErrorPageResponse");function lu(e){let t=e.diagnostic?.code??e.code??"unknown";return{code:t,stage:e.diagnostic?.stage??mu(t),timestamp:e.diagnostic?.timestamp??new Date().toISOString(),...e.requestId===void 0&&e.diagnostic?.requestId===void 0?{}:{requestId:e.diagnostic?.requestId??e.requestId},...e.diagnostic?.operationId===void 0?{}:{operationId:e.diagnostic.operationId},...e.diagnostic?.routePath===void 0?{}:{routePath:e.diagnostic.routePath},...e.diagnostic?.upstreamServerId===void 0?{}:{upstreamServerId:e.diagnostic.upstreamServerId},...e.diagnostic?.authProfileId===void 0?{}:{authProfileId:e.diagnostic.authProfileId},...e.diagnostic?.upstreamUrl===void 0?{}:{upstreamUrl:e.diagnostic.upstreamUrl},...e.diagnostic?.metadataUrl===void 0?{}:{metadataUrl:e.diagnostic.metadataUrl},...e.diagnostic?.httpStatus===void 0?{}:{httpStatus:e.diagnostic.httpStatus},...e.diagnostic?.contentType===void 0?{}:{contentType:e.diagnostic.contentType},...e.diagnostic?.providerError===void 0?{}:{providerError:e.diagnostic.providerError},...e.diagnostic?.providerErrorDescription===void 0?{}:{providerErrorDescription:e.diagnostic.providerErrorDescription},suggestedFix:e.diagnostic?.suggestedFix??fu(t),underlyingError:e.diagnostic?.underlyingError??e.developerDetail}}n(lu,"buildBrowserErrorDiagnostic");function pu(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. If this keeps happening, contact your gateway administrator with this error code."}}}n(pu,"readBrowserErrorPagePresentation");function mu(e){switch(e){case"upstream_oauth_discovery_unavailable":return"upstream_oauth_discovery";case"upstream_client_registration_required":return"upstream_oauth_client_registration";case"upstream_provider_access_denied":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"upstream_token_exchange";case"provider_access_denied":return"upstream_oauth_callback";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"upstream_oauth_state";case"browser_login_verification_failed":return"downstream_browser_login";case"authentication_required":case"identity_context_missing":return"downstream_auth";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"gateway_configuration";case"server_error":case"internal_server_error":return"gateway_internal";default:return"gateway_request"}}n(mu,"readBrowserErrorStage");function fu(e){switch(e){case"upstream_oauth_discovery_unavailable":return"Confirm the upstream MCP URL and OAuth protected resource metadata. If the provider requires approval, configure the provider app or contact the provider.";case"upstream_client_registration_required":return"Register an OAuth client with the upstream provider, then configure the gateway to use that client before retrying.";case"upstream_provider_access_denied":return"Confirm the provider allows this gateway, OAuth client, and upstream MCP URL, then retry the connection.";case"upstream_token_exchange_failed":return"Retry the connection. If it repeats, verify the upstream OAuth client, redirect URI, token endpoint, and provider allowlist.";case"upstream_token_response_invalid":return"Verify the upstream token endpoint returns a valid OAuth token response for this gateway client.";case"provider_access_denied":return"Start the connection again if access was denied by mistake. Otherwise, grant the requested upstream provider access.";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"Start a new connection from the MCP client. The previous browser authorization request cannot be resumed.";case"browser_login_verification_failed":return"Retry the browser login flow. If it repeats, verify the downstream login callback configuration.";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"Check the MCP route, upstream server, and auth profile entries in the gateway configuration.";case"authentication_required":case"identity_context_missing":return"Verify the normal Zuplo auth policy runs before the MCP gateway policy and sets request.user.";case"server_error":case"internal_server_error":return"Retry later and check gateway logs with the request ID.";default:return"Check the gateway configuration and request details associated with this error code."}}n(fu,"readBrowserErrorSuggestedFix");function hu(e){return e===void 0?k:y`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(hu,"renderAction");function gu(e){let t=[["Error code",e.code],["Stage",e.stage],["Request ID",e.requestId],["Time",e.timestamp],["Gateway route",e.routePath],["Operation ID",e.operationId],["Upstream",e.upstreamServerId],["Auth profile",e.authProfileId],["Upstream URL",e.upstreamUrl],["Metadata URL",e.metadataUrl],["HTTP status",e.httpStatus],["Content type",e.contentType],["Provider error",e.providerError],["Provider error description",e.providerErrorDescription],["Suggested fix",e.suggestedFix],["Underlying error",e.underlyingError]].filter(r=>r[1]!==void 0).map(([r,o])=>`${r}: ${o}`).join(`
|
|
28
|
+
`);return y`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(gu,"renderTechnicalPre");function Ot(e){return e.value===void 0||e.value===""?k:y`<p class="banner__message"><strong>${e.label}:</strong> <code>${e.value}</code></p>`}n(Ot,"renderOptionalTechnicalRow");function yu(e){return y`<section class="banner banner--warning" aria-label="Developer details">
|
|
29
29
|
<span class="banner__icon" aria-hidden="true">!</span>
|
|
30
30
|
<div class="banner__body">
|
|
31
31
|
<p class="banner__title">Developer details</p>
|
|
@@ -36,14 +36,14 @@ import{$ as Y,A as Un,Aa as no,B as kn,Ba as oo,C as Tn,Ca as ao,D as ht,Da as i
|
|
|
36
36
|
${Ot({label:"Request ID",value:e.diagnostic.requestId})}
|
|
37
37
|
${Ot({label:"Suggested fix",value:e.diagnostic.suggestedFix})}
|
|
38
38
|
${Ot({label:"Reason",value:e.diagnostic.underlyingError})}
|
|
39
|
-
${
|
|
40
|
-
${
|
|
39
|
+
${gu(e.diagnostic)}
|
|
40
|
+
${_u(e.upstreamHtml)}
|
|
41
41
|
</div>
|
|
42
|
-
</section>`}n(
|
|
42
|
+
</section>`}n(yu,"renderTechnicalDetails");function _u(e){return e===void 0?k:y`<iframe
|
|
43
43
|
title="Upstream HTML error response"
|
|
44
44
|
sandbox
|
|
45
45
|
srcdoc="${e}"
|
|
46
46
|
style="border: 1px solid var(--warning-border); border-radius: var(--radius-sm); background: white; width: 100%; min-height: 220px; margin-top: 8px;"
|
|
47
|
-
></iframe>`}n(hu,"renderUpstreamHtml");var Ua="application/json",gu="application/x-www-form-urlencoded";function qt(e,t){return new g({message:e,extensionMembers:{[_]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(qt,"invalidRequestError");function yu(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(yu,"normalizeContentType");function _u(e,t){return e===t?!0:t===Ua&&e.endsWith("+json")}n(_u,"contentTypeMatches");function wu(e,t){if(!t||t.length===0)return;let r=yu(e.headers.get("content-type"));if(!t.some(o=>_u(r,o)))throw qt(`Request body must be ${t.join(" or ")}.`)}n(wu,"assertExpectedContentType");function Ru(e,t,r){let o=e.headers.get("content-length");if(!o)return;let a=Number.parseInt(o,10);if(Number.isFinite(a)&&a>t)throw qt(`${r} exceeded the maximum allowed size.`)}n(Ru,"assertContentLengthWithinLimit");async function ka(e,t){let r=t.label??"Request body";wu(e,t.expectedContentTypes),Ru(e,t.maxBytes,r);let o=await mo(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>qt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(ka,"readBoundedTextBody");async function Ta(e,t){let r=await ka(e,{...t,expectedContentTypes:[Ua]});try{return JSON.parse(r)}catch(o){throw qt("Request body must be valid JSON.",o)}}n(Ta,"readBoundedJsonBody");async function Pa(e,t){let r=await ka(e,{...t,expectedContentTypes:[gu]});return new URLSearchParams(r)}n(Pa,"readBoundedFormUrlEncodedBody");B();B();import{errors as Ha,jwtVerify as za,SignJWT as Ba}from"jose";B();import{errors as bu,jwtVerify as Su,SignJWT as vu}from"jose";var kr="zuplo_mcp_session",Cu=d.object({purpose:d.literal("gateway_browser_session"),sub:yt,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()});function Iu(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let a=r.slice(0,o).trim(),i=r.slice(o+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}n(Iu,"parseCookieHeader");async function Ea(){return Z({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-session"),"derive")})}n(Ea,"getBrowserSessionKey");function Ur(e,t){let r=new URL(U(e,t)),o=[`${kr}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(Ur,"buildBrowserSessionEvictionCookie");function xu(e){let t=new URL(U(e.requestUrl,e.requestHeaders)),r=[`${kr}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(xu,"serializeSessionCookie");function Oa(){return new URL(bt("url")).origin}n(Oa,"readBrowserLoginOrigin");function Tr(){return j().browserLogin.stateTtlSeconds}n(Tr,"readBrowserLoginStateTtlSeconds");function qa(e){if(!e.user)throw w("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Ie(e.user,e.url)}n(qa,"resolveCurrentRequestPrincipal");async function Mt(e,t={}){let r=Iu(e.headers.get("cookie")).get(kr);if(!r)return{};try{let{payload:o}=await Su(r,await Ea(),{algorithms:[z],issuer:q,audience:H}),a=Cu.parse(o);if(a.browserLoginOrigin!==Oa())return{evictCookie:Ur(e.url,e.headers)};let i={subjectId:a.sub};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(o){return o instanceof bu.JWTExpired?{evictCookie:Ur(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Ur(e.url,e.headers)})}}n(Mt,"readBrowserSession");async function Dt(e){let t=j().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:Oa()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new vu(r).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await Ea());return xu({value:o,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},ttlSeconds:t})}n(Dt,"createBrowserSessionCookie");async function Ma(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Mt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw w("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");let{exchangeFederatedAuthorizationCode:a}=await import("../browser-login-idp-HQB254PW.js");return a({code:o,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,...e.context===void 0?{}:{context:e.context}})}n(Ma,"resolveBrowserLoginCallbackPrincipal");function Da(e){let t=j().browserLogin,r=new URL(bt("url")),o=new URL("/oauth/callback",Bn(e.requestUrl,e.requestHeaders));return Wn(r)?(r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",bt("clientId")),r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}n(Da,"buildBrowserLoginUrl");var Au={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},p=class extends Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=Au[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var Uu=5*60,ku=d.object({purpose:d.literal("gateway_browser_login"),transactionId:Ft,stateId:Kt,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Tu=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:Ft,stateId:Kt,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function ja(){return Z({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-login"),"derive")})}n(ja,"getBrowserLoginKey");async function La(){return Z({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"authorization-csrf"),"derive")})}n(La,"getCsrfKey");function Na(e){return{now:e.now??new Date,ttlSeconds:Tr()}}n(Na,"readPendingTransactionDependencies");function Pu(e,t){return e.subjectId===t.subjectId}n(Pu,"principalsMatch");function $a(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n($a,"toPendingPrincipal");function Ga(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:b(e.now),expiresAt:b(W(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw w("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:$a(e.principal)}}n(Ga,"createTransactionRecord");async function Za(e){let{id:t,...r}=e.record,o=await S().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw w("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new p("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new p("invalid_request","redirect_uri is not registered for the client.")}}n(Za,"startPendingTransaction");async function Eu(e){return new Ba({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await ja())}n(Eu,"signBrowserLoginState");async function Fa(e){return new Ba({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Wt()}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await La())}n(Fa,"signCsrfToken");async function Pr(e){try{let{payload:t}=await za(e,await ja(),{algorithms:[z],issuer:q,audience:H}),r=ku.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Ha.JWTExpired?w("oauth_state_expired","Browser login state has expired.",t):w("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Pr,"verifyBrowserLoginStateToken");async function Ht(e){try{let{payload:t}=await za(e,await La(),{algorithms:[z],issuer:q,audience:H});return{transactionId:Tu.parse(t).transactionId}}catch(t){throw t instanceof Ha.JWTExpired?w("oauth_state_expired","Authorization setup state has expired.",t):w("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(Ht,"verifyCsrfToken");function Er(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(Er,"pendingStateErrorCode");function Ou(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}n(Ou,"toPendingAuthorizationGetResult");function qu(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(qu,"toPendingAuthorizationAdvanceResult");function Or(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Er(e==="consumed_already"?"consumed_already":e)}n(Or,"setupDecisionErrorCode");async function Ka(e){let t=e.now??new Date,r=await Ht(e.csrfToken),o=await S().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:b(t)});if(o.kind!=="marked")throw w(Or(o.kind),"Authorization setup state is invalid, expired, or already used.");return Ja({kind:"available",record:o.transaction})}n(Ka,"markSetupApproved");function Ja(e){if(e.kind!=="available")throw w(Er(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(Ja,"requireAwaitingSetup");function Mu(e){if(!Pu(e.currentBrowserPrincipal,e.transaction.principal))throw w("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(Mu,"requireCurrentPrincipalMatches");async function Wa(e){let t=e.now??new Date,r=Tr(),o=Jt(),a=Wt(),i=await Eu({transactionId:o,stateId:a,ttlSeconds:r}),s=Ga({id:o,transaction:e.transaction,currentStateHash:await I(i),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Za({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:c,browserLoginStateToken:i,browserLoginUrl:Da({state:i,nonce:a,operationId:s.operationId,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(Wa,"startAwaitingLogin");async function Va(e){let{now:t,ttlSeconds:r}=Na(e),o=Jt(),a=await Fa({transactionId:o,ttlSeconds:r}),i=Ga({id:o,transaction:e.transaction,currentStateHash:await I(a),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(i.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Za({record:i,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:a}}n(Va,"startAwaitingSetup");async function Ya(e){let{now:t,ttlSeconds:r}=Na(e),o=await Pr(e.browserLoginStateToken),a=await Fa({transactionId:o.transactionId,ttlSeconds:r}),i=qu(await S().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await I(e.browserLoginStateToken),nextStateHash:await I(a),nextPhase:"awaiting_setup",principal:$a(e.principal),now:b(t)}));if(i.kind!=="advanced")throw w(Er(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:a}}n(Ya,"completeLogin");async function Xa(e){let t=await qr(e);return Mu({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(Xa,"getSetup");async function qr(e){let t=e.now??new Date,r=await Ht(e.csrfToken);return Ja(Ou(await S().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),now:b(t)})))}n(qr,"getSetupTransaction");async function Du(e){let t=await Ht(e.csrfToken),r=X(),o=b(W(e.now,Uu)),a=await S().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await I(r),authorizationCodeExpiresAt:o,grantId:Kn(),now:b(e.now)});if(a.kind!=="approved")throw w(a.kind==="cancelled"?"oauth_state_invalid":Or(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}n(Du,"createAuthorizationCodeRedirectWithDecision");async function Hu(e){let t=await Ht(e.csrfToken),r=await S().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:b(e.now)});if(r.kind!=="cancelled")throw w(r.kind==="approved"?"oauth_state_invalid":Or(r.kind),"Authorization setup state is invalid, expired, or already used.");return zu({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Hu,"createCancelRedirectWithDecision");function zu(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(zu,"buildClientCancelRedirect");async function Qa(e){let t=e.now??new Date;return Du({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(Qa,"approve");async function ei(e){let t=e.now??new Date;return Hu({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(ei,"cancel");B();var Bu=1e4,ju=5*1024,Lu=2,Nu=90*24*60*60,Mr="dcr:pkjwt:",Dr=["authorization_code","refresh_token"],Hr=["code"],$u=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(Dr)).min(1).max(2).optional(),response_types:d.array(d.enum(Hr)).min(1).max(1).optional(),scope:d.literal(E).optional(),token_endpoint_auth_method:Zn.optional(),jwks_uri:d.string().min(1).optional()});function Gu(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&ue(t))&&t.pathname!=="/"}catch{return!1}}n(Gu,"isCimdClientIdCandidate");function Me(e,t="invalid_request",r="authorize"){if(Zu(e))throw new p(t,"redirect_uris must not include raw whitespace or control characters.");let o;try{o=new URL(e)}catch{throw new p(t,"redirect_uris must be absolute URIs.")}if(o.hash||o.username||o.password)throw new p(t,"redirect_uris must not include credentials or fragments.");let a={source:r},i=$n({url:o,context:a});if(i.kind!=="rejected"){i.mode!=="strict"&&void 0;return}throw new p(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(Me,"assertValidRedirectUri");function Zu(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(Zu,"hasForbiddenRawRedirectUriCharacter");async function Fu(e){let{response:t,json:r}=await ho(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Lu,maxResponseBytes:ju,timeoutMs:Bu});if(!t.ok)throw w("invalid_request","CIMD metadata could not be fetched.");let o=Fn.parse(r);for(let a of o.redirect_uris)Me(a,"invalid_request","cimd");if(o.jwks_uri!==void 0&&Rt(o.jwks_uri),o.client_id!==e.clientId)throw w("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(Fu,"fetchCimdMetadata");async function Ku(e){let t=po(e),r=await Fu({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(Ku,"resolveCimdClient");async function zt(e,t){let r=Y.parse(e);if(Gu(r)){if(!j().gateway.cimdEnabled)throw new p("invalid_client","OAuth client is not registered.");try{return await Ku(r)}catch{throw new p("invalid_client","OAuth client is not registered.")}}let o=await S().readClient({clientId:r});if(o.kind==="found"){let a=o.client,i=rl(a.clientId),s=i===void 0?a.tokenEndpointAuthMethod:"private_key_jwt",c=a.jwksUri??i;if(s==="private_key_jwt"&&c===void 0)throw new p("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let l={client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}},m={kind:"dcr",clientId:r,metadata:l};return a.hashedClientSecret&&(m.hashedClientSecret=a.hashedClientSecret),m}throw new p("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}n(zt,"resolveClient");function ti(e,t){if(!e.metadata.redirect_uris.some(r=>Jn(r,t)))throw w("invalid_request","redirect_uri is not registered for the client.")}n(ti,"assertRedirectRegistered");function Ju(e){let t=ri(e.grant_types),r=e.response_types??[...Hr];if(!Wu(t))throw new p("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!Vu(r))throw new p("invalid_client_metadata","response_types must be code.");if(!Yu(e.scope))throw new p("invalid_client_metadata",`Only the ${E} scope is supported.`)}n(Ju,"assertSupportedDcrRequest");function ri(e){return e===void 0?[...Dr]:Array.from(new Set(e))}n(ri,"normalizeGrantTypes");function Wu(e){return e.length===0?!1:e.every(t=>Dr.includes(t))}n(Wu,"isSupportedGrantTypes");function Vu(e){return e.length===Hr.length&&e[0]==="code"}n(Vu,"isSupportedResponseTypes");function Yu(e){return e===void 0||e===E}n(Yu,"isSupportedDcrScope");function Xu(e){try{Rt(e)}catch(t){throw new p("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials, query, or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(Xu,"assertValidDcrJwksUri");function Qu(e){let t=new TextEncoder().encode(e),r="";for(let o of t)r+=String.fromCharCode(o);return btoa(r).replaceAll("+","-").replaceAll("/","_").replace(/=+$/,"")}n(Qu,"encodeBase64Url");function el(e){let t=e.replaceAll("-","+").replaceAll("_","/"),r=t.padEnd(t.length+(4-t.length%4)%4,"="),o;try{o=atob(r)}catch{return}let a=new Uint8Array(o.length);for(let i=0;i<o.length;i+=1)a[i]=o.charCodeAt(i);return new TextDecoder().decode(a)}n(el,"decodeBase64Url");function tl(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?Y.parse(`${Mr}${crypto.randomUUID()}:${Qu(e.jwksUri)}`):Y.parse(`dcr:${crypto.randomUUID()}`)}n(tl,"createDcrClientId");function Bt(e){return e.startsWith(Mr)}n(Bt,"isPrivateKeyJwtDcrCompatibilityClientId");function rl(e){if(!Bt(e))return;let t=e.slice(Mr.length),r=t.indexOf(":");if(r===-1)return;let o=el(t.slice(r+1));if(o!==void 0){try{Rt(o)}catch{return}return o}}n(rl,"readPrivateKeyJwtDcrClientIdJwksUri");function nt(e){if(e===void 0||e===E)return E;throw new p("invalid_request",`Only the ${E} scope is supported.`)}n(nt,"assertSupportedOAuthScope");function De(e,t,r){let o;try{o=new URL(t)}catch{throw new p("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new p("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!ue(o))throw new p("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let a=U(e,r),i=zn(),s=i?[...i.byOperationId.values()].find(c=>new URL(c.routePath,a).toString()===t):void 0;if(!s)throw new p("invalid_target","resource must match a published MCP route.");return s}n(De,"resolveResource");async function ni(e){let t;try{t=$u.parse(e)}catch(C){if(C instanceof d.ZodError){let N=C.issues.some(Re=>Re.path[0]==="redirect_uris");throw new p(N?"invalid_redirect_uri":"invalid_client_metadata",C.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:C})}throw C}Ju(t);for(let C of t.redirect_uris)Me(C,"invalid_redirect_uri","dcr");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new p("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&Xu(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",a=o==="private_key_jwt"?"none":o,i=tl({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=W(r,Nu),c=Math.floor(r.getTime()/1e3),l=Math.floor(s.getTime()/1e3),m={client_id:i,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:ri(t.grant_types),response_types:["code"],scope:E,token_endpoint_auth_method:o,client_id_issued_at:c,...t.jwks_uri===void 0?{}:{jwks_uri:t.jwks_uri}},f={clientId:i,clientName:String(m.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:a,createdAt:b(r),clientExpiresAt:b(s)};if(o==="client_secret_basic"||o==="client_secret_post"){let C=X();f.hashedClientSecret=await I(C),f.clientSecretExpiresAt=b(s),m.client_secret=C,m.client_secret_expires_at=l,m.client_secret_issued_at=c}if((await S().registerClient(f)).kind==="already_exists")throw w("invalid_request","OAuth client is already registered.");return m}n(ni,"registerDownstreamClient");function jt(e){return y`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(jt,"renderShellIcon");function oi(e){return y`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(oi,"renderActions");var Uy=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function ai(e){return y`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${e.icon}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${e.message}</p></div></div>`}n(ai,"renderBannerWarning");var ky=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),ii=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');function si(e){return y`${e.banner}<section class="upstreams"><header class="section-label">Upstream services <span class="section-label__count">${e.sectionCount}</span></header><ul class="upstream-list">${e.cards}</ul></section>${e.fineprint}`}n(si,"renderSetupPage");function ci(e){return y`<article class="${e.cardClass}"><div class="upstream-card__head">${e.iconFrame}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${e.control}</div><div class="upstream-card__meta">${e.host}<span>${e.authModeLabel}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${e.ownerModeLabel}</span></div>${e.description}</div></div>${e.capabilities} ${e.scopes}</article>`}n(ci,"renderUpstreamCard");var di=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var nl="data:,",li=y`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,Br=y`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function pi(e,t){if(e)try{let r=new URL(t).origin,o=new URL(e,r);return o.origin!==r||!o.pathname.startsWith("/auth/connections/")?void 0:o.toString()}catch{return}}n(pi,"safeGatewayConnectHref");function ol(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(ol,"deriveMode");function al(e){return oi({state:e.state,submitOnceAttrs:li,authorizeAttrs:k})}n(al,"renderActions");function zr(e,t,r){for(let o of e){if(o.ownerMode!=="user"||o.status!==r)continue;let a=pi(o.connectUrl,t);if(a)return a}}n(zr,"firstUserConnectHref");function il(e){let t=e.connectHref?y`<a class="button button--primary" href="${e.connectHref}" ${Br}>Connect</a>`:y`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return y`<form class="actions" method="post" action="/oauth/setup" ${li}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(il,"renderSetupActions");function sl(e){return e?y`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${Br}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:k}n(sl,"renderReconnectAction");function cl(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(cl,"isRenderableIconHref");function mi(e){return e?.find(t=>cl(t.src))?.src}n(mi,"readIconHref");function fi(e){return mi(e.serverIcons)??(e.transportHost===void 0?void 0:gr(e.transportHost).src)}n(fi,"readUpstreamIconHref");function dl(e){let t=fi(e);return t===void 0?y`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${ii}</span>`:y`<span class="icon-frame"><img src="${t}" alt="" referrerpolicy="no-referrer" loading="lazy" onerror=" this.onerror = null; this.src = '${tt}'; " /></span>`}n(dl,"renderIconFrame");function ul(e){let t=mi(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=fi(r);if(o!==void 0)return o}}n(ul,"readHeaderIconHref");function ll(e){return y`<p class="card__subtitle"><strong>${e.clientDisplayName}</strong> wants to access <strong>${e.routeDisplayName}</strong></p>${e.routeDescription===void 0?k:y`<p class="card__description">${e.routeDescription}</p>`}${e.principalLabel===void 0?k:y`<span class="card__principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`}`}n(ll,"renderSubhead");function pl(e){let t=e.filter(o=>o.ownerMode==="user"&&o.status!=="active");if(t.length===0)return k;let r=t.length===1?y`Connect ${t[0]?.upstreamDisplayName??"the required service"} before continuing. Authorization will continue automatically once it is ready.`:y`Connect the ${t.length} services below before continuing. Authorization will continue automatically once each is ready.`;return ai({icon:di,message:r})}n(pl,"renderSetupBanner");function ml(e){return e===void 0?k:y`<code class="upstream-card__host">${e}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`}n(ml,"renderHost");function fl(e){switch(e){case"shared-oauth":case"user-oauth":return"OAuth";default:return e}}n(fl,"readAuthModeLabel");function hl(e){switch(e){case"user":return"your account";case"shared":return"workspace";case"none":return"no auth"}}n(hl,"readOwnerModeLabel");function gl(e){switch(e){case"active":return"Connected";case"reconsent_required":return"Reconnect";case"not_connected":return"Setup required"}}n(gl,"readStatusLabel");function ui(e){let t=e.status==="active"?"status-badge status-badge--success":"status-badge status-badge--warning";return y`<span class="${t}">${gl(e.status)}</span>`}n(ui,"renderStatusBadge");function yl(e,t){if(!(e.ownerMode==="user"&&e.status!=="active"))return ui(e);let o=pi(e.connectUrl,t);return o===void 0?ui(e):y`<a class="button button--secondary button--small" href="${o}" ${Br}>Connect</a>`}n(yl,"renderUpstreamControl");function _l(e){return e===void 0?k:y`<p class="upstream-card__description">${e}</p>`}n(_l,"renderDescription");function wl(e){return xa(e.upstreams.map(t=>{let r=t.ownerMode==="user"&&t.status!=="active";return y`<li>${ci({cardClass:r?"upstream-card upstream-card--needs-action":"upstream-card",iconFrame:dl(t),upstreamDisplayName:t.upstreamDisplayName,control:yl(t,e.gatewayOrigin),host:ml(t.transportHost),authModeLabel:fl(t.authMode),ownerModeLabel:hl(t.ownerMode),description:_l(t.description),capabilities:k,scopes:k})}</li>`}))}n(wl,"renderUpstreamCards");function Rl(e){return e.mode==="setup"?y`<p class="card__fineprint">Authorization continues automatically once every required service is connected.</p>`:y`<p class="card__fineprint"><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.routeDisplayName}</strong>.</p>`}n(Rl,"renderFineprint");function bl(e){return e.upstreams.length===0?k:si({banner:e.mode==="setup"?pl(e.upstreams):k,sectionCount:`(${e.upstreams.length})`,cards:wl({upstreams:e.upstreams,gatewayOrigin:e.gatewayOrigin}),fineprint:Rl({mode:e.mode,clientDisplayName:e.clientDisplayName,routeDisplayName:e.routeDisplayName})})}n(bl,"renderBody");function jr(e){let t=ol(e.upstreams),r=zr(e.upstreams,e.gatewayOrigin,"not_connected"),o=zr(e.upstreams,e.gatewayOrigin,"reconsent_required"),a=zr(e.upstreams,e.gatewayOrigin,"active"),i=t==="setup"?r??o:void 0,s=ul({routeIcons:e.routeIcons,upstreams:e.upstreams}),c=t==="setup"?y`<footer class="card__footer">${il({state:e.state,connectHref:i})}</footer>`:y`<footer class="card__footer">${sl(a)}${al({state:e.state})}</footer>`;return Pe(Oe({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??nl,styles:Ee,headerIcon:s===void 0?k:jt({iconHref:s,fallbackIconHref:tt}),heading:"Authorize access",subhead:ll({routeDisplayName:e.routeDisplayName,routeDescription:e.routeDescription,clientDisplayName:e.clientDisplayName,principalLabel:e.principalLabel}),body:bl({mode:t,gatewayOrigin:e.gatewayOrigin,routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName,upstreams:e.upstreams}),footer:c}))}n(jr,"renderConsentPage");var Sl=1e4,hi="mcp-session-id",vl,gi;function bi(){return{tools:[],prompts:[],resources:[]}}n(bi,"emptyCapabilities");function yi(e){let t=new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":Vt});switch(e.type){case"none":return t;case"bearer_token":return t.set("authorization",`Bearer ${e.token}`),t;case"headers":for(let[r,o]of Object.entries(e.headers))t.set(r,o);return t;case"mcp_oauth_provider":throw new Error("MCP OAuth provider credentials require async headers.")}}n(yi,"buildCredentialHeaders");async function _i(e){if(e.type!=="mcp_oauth_provider")return yi(e);let t=await e.provider.tokens();if(!t)return;let r=yi({type:"none"});return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(_i,"buildAsyncCredentialHeaders");function wi(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(ft.parse({jsonrpc:mt,id:1,method:"initialize",params:{protocolVersion:Vt,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(wi,"buildInitializePreflight");async function Lr(e){lo(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),Sl);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return gi?await gi(o):await ct.fetch(o)}finally{clearTimeout(r)}}n(Lr,"runPreflight");function Nr(e){e.body?.cancel().catch(()=>{})}n(Nr,"releasePreflightBody");async function Cl(e){let t=e.response.headers.get(hi);if(!t)return;let r=new Headers(e.headers);r.set(hi,t),r.delete("content-type");try{let o=await Lr(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));Nr(o)}catch{}}n(Cl,"terminatePreflightSession");async function Si(e){let{response:t}=e;return Nr(t),t.status>=200&&t.status<300?(await Cl(e),{kind:"ready",upstreamStatus:t.status,capabilities:bi()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(Si,"classifyResponse");function Ri(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(Ri,"connectRequiredResult");async function Il(e){try{return Si({response:await Lr(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Il,"classifyPreflight");async function xl(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:bi()};let r=Pt(t.upstreamServerId,e.route.operationId),o=Te(r,e.subjectId),a=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},i=new Request(e.requestUrl,{...e.requestHeaders===void 0?{}:{headers:e.requestHeaders}}),s=await ke({request:i,routeAuth:a,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return Ri(s.payload);let c=await _i(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let l=wi({upstreamUrl:t.mcpUrl,headers:c}),m;try{m=await Lr(l)}catch(C){return{kind:"upstream_unavailable",message:C instanceof Error?C.message:"Upstream MCP server readiness preflight failed."}}if(m.status!==401)return Si({response:m,upstreamUrl:t.mcpUrl,headers:c});Nr(m);let f=await ke({request:i,routeAuth:a,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(f.kind==="connect_required")return Ri(f.payload);let A=await _i(f.credential);return A===void 0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Il({request:wi({upstreamUrl:t.mcpUrl,headers:A}),upstreamUrl:t.mcpUrl,headers:A})}n(xl,"checkUpstreamRouteReadinessImpl");function vi(e){return(vl??xl)(e)}n(vi,"checkUpstreamRouteReadiness");function Al(e){try{return new URL(e).host}catch{return}}n(Al,"safeUrlHost");function Ul(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}n(Ul,"readOAuthScopes");function Ci(e){return e!==void 0&&e.length>0}n(Ci,"hasItems");function kl(e){let t=e.serverInfo?.icons;if(Ci(t))return t;let r=xt(e.mcpUrl);return r===void 0?void 0:[r]}n(kl,"readServerIcons");async function Tl(e){if(!(e.returnTo===void 0||!e.isUserOwned))return _r({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Tl,"readConnectUrl");function _e(e,t){return t===void 0?{}:{[e]:t}}n(_e,"optionalRequirementField");function Pl(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?ao(e.connection):{connected:!0,status:"active"}}n(Pl,"readSetupConnectionStatus");function El(e){let t=Ul(e);return Ci(t)?t:void 0}n(El,"readScopesRequested");function Ol(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(Ol,"readUpdatedAt");function ql(){return{tools:[],prompts:[],resources:[]}}n(ql,"readRouteCapabilities");async function Ml(e){let{authConfig:t,authMode:r,description:o,displayName:a,mcpUrl:i,upstreamServerId:s,authProfileId:c}=e.registeredConnection,l=At(r),m=l==="user",f=Pl({connection:e.connection,isUserOwned:m,readiness:e.readiness}),A=e.readiness?.connectUrl??await Tl({...e,connected:f.connected,isUserOwned:m});return{upstreamServerId:s,authProfileId:c,authMode:r,ownerMode:l,upstreamDisplayName:a,status:f.status,connected:f.connected,capabilities:ql(),..._e("description",o),..._e("transportHost",Al(i)),..._e("scopesRequested",El(t)),..._e("serverIcons",kl(e.registeredConnection)),..._e("connectUrl",A),..._e("updatedAt",Ol({connectionStatus:f,isUserOwned:m})),..._e("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(Ml,"buildSetupRequirement");function Ii(e){let t=$().byOperationId.get(e);if(!t)throw w("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(Ii,"requireRoute");async function $r(e){let t=Ii(e.transaction.operationId),r=_t(e.transaction.principal.subjectId),o=[],a=new Map,i=t.connection;if(i===void 0)return[];At(i.authMode)==="user"&&(a.set(i,o.length),o.push({owner:r,upstreamServerId:i.upstreamServerId,authProfileId:i.authProfileId}));let s=await S().batchGetUpstreamConnections(o),c=[],l=At(i.authMode)==="user",m=a.get(i),f=await vi({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:l&&m!==void 0?s[m]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),A=(()=>{if("connectionStatus"in f&&f.connectionStatus)return f.connectionStatus})(),C=(f.kind==="connect_required"||f.kind==="admin_setup_required")&&f.payload.authUrl!==void 0?f.payload.authUrl:void 0;return c.push(await Ml({connection:l&&m!==void 0?s[m]:void 0,registeredConnection:i,route:t,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:A===void 0?void 0:{...A,...C===void 0?{}:{connectUrl:C}}})),c}n($r,"requirementsForSetup");function Dl(e){return e.route.connection?.displayName??e.route.operationId}n(Dl,"readRouteDisplayName");async function Gr(e){let t=Ii(e.transaction.operationId),r=Dl({route:t}),o=await S().readClient({clientId:e.transaction.clientId}),a=o.kind==="found"?o.client:void 0,i={gatewayOrigin:U(e.requestUrl,e.requestHeaders),routeDisplayName:r,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(i.routeDescription=s),i}n(Gr,"consentContext");function Zr(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Zr,"hasUnresolvedUserUpstream");var Hl=["mcp_user"],zl="dev-browser-user",Bl=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),jl=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:Gn,state:d.string().min(1).optional(),scope:d.literal(E).default(E)}),Ll=d.enum(["continue","approve","cancel"]).default("continue"),Nl=d.object({state:d.string().min(1),decision:Ll}),ie=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function xi(e){return typeof e=="string"&&e.length>0?e:void 0}n(xi,"readQueryString");function $l(e){let t=Array.from($().byOperationId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return Yt(r.operationId,e.url,e.headers)}n($l,"inferSingleRouteResource");function Gl(e,t){let r=xi(e.query.resource);if(t===void 0){if(r!==void 0)return r;let a=$l(e);if(a!==void 0)return a;throw new p("invalid_target",Bl)}let o=Yt(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new p("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Gl,"requireAuthorizeResource");async function Zl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let a=qa(e);return{principal:a,setCookie:await Dt({principal:a,requestUrl:e.url,requestHeaders:e.headers})}}n(Zl,"resolveBrowserPrincipal");async function Fl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(!o.principal)throw w("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Fl,"requireSetupPrincipal");function Ai(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}n(Ai,"buildSetupReturnTo");async function Ui(e){let t=await $r({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:Ai(e.csrfToken)}),r=await Gr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}}),o={kind:"setup_page",html:jr({state:e.csrfToken,operationId:e.transaction.operationId,upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(Ui,"renderSetup");function Kl(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Kl,"toAuthorizationTransactionClient");async function Fr(e,t={}){let r=jl.parse({...e.query,resource:Gl(e,t.operationId),state:xi(e.query.state)}),o=nt(r.scope);Me(r.redirect_uri,"invalid_request","authorize");let a=new Date,i=Y.parse(r.client_id),s=await zt(r.client_id,a);ti(s,r.redirect_uri);try{let c=De(e.url,r.resource,e.headers),l=Kl(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&v(t.context,{eventType:R.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:i,scope:o,responseType:r.response_type}});let m={clientId:s?.clientId??i,...l===void 0?{}:{client:l},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:f,setCookie:A}=await Zl(e,t.context);if(!f){let N=await Wa({transaction:m,requestUrl:e.url,requestHeaders:e.headers,now:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i,operationId:c.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let Re={kind:"redirect",location:N.browserLoginUrl};return A!==void 0&&(Re.setCookie=A),Re}let C=await Va({transaction:m,principal:f,now:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i,operationId:c.operationId,subjectId:f.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&v(t.context,{eventType:R.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:i,scope:o,responseType:r.response_type,subjectId:f.subjectId}}),Ui({transaction:C.transaction,csrfToken:C.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:A})}catch(c){throw Jl({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n(Fr,"authorizeDownstreamClient");function Jl(e){if(e.cause instanceof ie)return e.cause;let t=Wl(e.cause);return t?new ie({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Jl,"toDownstreamAuthorizeRedirectError");function Wl(e){if(e instanceof p)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(Wl,"mapToOAuthRedirectError");async function ki(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let m=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,f=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...m===void 0?{}:{idpErrorDescription:m},...f===void 0?{}:{idpErrorUri:f}},"Identity provider redirected browser-login callback with an error"),w("provider_access_denied",m??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),w("oauth_state_invalid","Browser login callback is missing state.");let a=await Pr(o),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await Ma(i),c=await Ya({browserLoginStateToken:o,principal:s}),l=await Ui({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return l.setCookie=await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers}),l}n(ki,"completeBrowserLoginCallback");async function Ti(e){let t=j(),r=new URL(e.url);if(!ue(r))throw w("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw w("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",U(e.url)),i=new URL(U(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw w("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",o);let s={subjectId:yt.parse(zl),roles:Hl};return{kind:"redirect",location:a,setCookie:await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers})}}n(Ti,"completeLocalDevBrowserLogin");function Vl(e){let t=e.method==="POST"?e.body:e.query;return Nl.parse(t)}n(Vl,"readSetupContinueRequest");async function Pi(e){let{state:t,decision:r}=Vl({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,a=await qr({csrfToken:t,now:o}),i=await Fl(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await ei({csrfToken:t,currentBrowserPrincipal:i,now:o})};let s=await Xa({csrfToken:t,currentBrowserPrincipal:i,now:o}),c=await $r({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:Ai(t)});if(r==="approve"&&Zr(c)&&await Ka({csrfToken:t,currentBrowserPrincipal:i,now:o}),Zr(c)){let l=await Gr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:jr({state:t,operationId:s.operationId,upstreams:c,...l})}}return{kind:"redirect",location:await Qa({csrfToken:t,currentBrowserPrincipal:i,now:o})}}n(Pi,"continueDownstreamAuthorizeSetup");B();import{createLocalJWKSet as Yl,decodeJwt as Xl,errors as ot,jwtVerify as Ql}from"jose";var ep=new Set(["authorization_code","refresh_token"]),tp="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",rp=1e4,np=32*1024,op=2,Ei=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),ap=d.discriminatedUnion("grant_type",[Ei.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:gt,resource:d.url().optional(),scope:d.literal(E).optional()}),Ei.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(E).optional()})]);function ip(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!ep.has(t)))throw new p("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(ip,"assertSupportedGrantType");var sp=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),cp=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function Oi(){return j().gateway.accessTokenTtlSeconds}n(Oi,"readAccessTokenTtlSeconds");function dp(){return j().gateway.refreshTokenTtlSeconds}n(dp,"readRefreshTokenTtlSeconds");function up(e,t){let r=Oi(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,o);return{expiresAt:b(W(e,a)),expiresIn:a}}n(up,"calculateAccessTokenExpiresAt");function qi(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new p("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}}n(qi,"readBasicClientSecret");function Mi(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new p("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=Xl(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new p("invalid_client","Malformed private_key_jwt client assertion.")}throw new p("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new p("invalid_client","Client authentication or client_id is required.")}n(Mi,"resolveAuthenticatedClientId");function lp(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(lp,"resolveClientSecretInput");function pp(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(pp,"hasClientAssertion");function mp(e){if(e.requestUrl===void 0)throw new p("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,U(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(mp,"buildEndpointAudience");function fp(e){return e instanceof ot.JWTExpired?"expired":e instanceof ot.JWTClaimValidationFailed?"claim":e instanceof ot.JWSSignatureVerificationFailed?"signature":e instanceof ot.JWKSNoMatchingKey?"jwks_no_match":e instanceof ot.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(fp,"readJwtFailureKind");async function hp(e){let{response:t,json:r}=await go(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:op,maxResponseBytes:np,timeoutMs:rp});if(!t.ok)throw new p("invalid_client","Client JWKS could not be fetched.");return cp.parse(r)}n(hp,"fetchClientJwks");async function gp(e){if(e.clientAssertionType!==tp||e.clientAssertion===void 0)throw new p("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=Y.parse(e.clientId),r=await zt(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new p("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new p("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let a=mp({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let i=await hp({jwksUri:o,context:e.context});await Ql(e.clientAssertion,Yl(i),{issuer:t,subject:t,audience:a,currentDate:e.now})}catch(i){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:fp(i)},"OAuth private_key_jwt client authentication failed"),new p("invalid_client","Client authentication failed.")}return Bt(t)?{method:"none",clientId:t}:{method:"private_key_jwt",clientId:t}}n(gp,"verifyPrivateKeyJwtClientAssertion");async function yp(e){let t=Y.parse(e.clientId);if(Bt(t))throw new p("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await I(e.clientSecret)}}n(yp,"buildRuntimeHttpClientAuth");async function Di(e){if(pp({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return gp(e)}let t=lp({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return yp({clientId:e.clientId,...t})}n(Di,"resolveRuntimeHttpClientAuth");async function Hi(e){ip(e.body);let t=ap.parse(e.body),r=qi(e.authorizationHeader),o=Mi({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date,i=await Di({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:a,context:e.context});return _p({parsed:t,clientId:o,clientAuth:i,now:a,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(Hi,"exchangeDownstreamToken");async function _p(e){if(e.parsed.grant_type==="authorization_code"){Me(e.parsed.redirect_uri,"invalid_request","token"),nt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let s=X(),c=X(),l=b(W(e.now,dp())),m=up(e.now,l),f=await S().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await I(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await uo(e.parsed.code_verifier),currentRefreshTokenHash:await I(s),accessTokenHash:await I(c),grantExpiresAt:l,accessTokenExpiresAt:m.expiresAt,now:b(e.now)});if(f.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(f.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the authorization code resource.");if(f.kind!=="exchanged")throw new p("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&v(e.context,{eventType:R.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:c,token_type:"Bearer",expires_in:m.expiresIn,refresh_token:s,scope:f.grant.scope,resource:f.grant.resource}}nt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=X(),r=X(),o=b(W(e.now,Oi())),a=await S().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await I(e.parsed.refresh_token),nextRefreshTokenHash:await I(t),accessTokenHash:await I(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:o,now:b(e.now)});if(a.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new p("invalid_grant","Refresh token is invalid, expired, or revoked.");De(e.requestUrl??a.grant.resource,a.grant.resource,e.requestHeaders);let i=a.accessToken.expiresAt;return e.context&&(v(e.context,{eventType:R.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),v(e.context,{eventType:R.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(i).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:a.grant.scope,resource:a.grant.resource}}n(_p,"exchangeDownstreamTokenWithRuntimeHttp");async function zi(e){let t=sp.parse(e.body),r=qi(e.authorizationHeader),o=Mi({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date;if((await S().revokeOAuthToken({clientAuth:await Di({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:a,context:e.context}),tokenHash:await I(t.token),now:b(a)})).kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&v(e.context,{eventType:R.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(zi,"revokeDownstreamToken");var wp=64*1024,Rp=16*1024,bp="text/html; charset=utf-8";function Sp(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(Sp,"formDataToObject");async function vp(e){return Ta(e,{maxBytes:wp,label:"Request body"})}n(vp,"readJsonBody");async function Jr(e){return Sp(await Pa(e,{maxBytes:Rp,label:"Request body"}))}n(Jr,"readFormBody");async function ji(e,t,r){let o=le(r),a=r instanceof d.ZodError?se(r):void 0,i={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return a!==void 0&&(i.detail=a),Nn(e,t,i)}n(ji,"handleProblem");function Li(e){return e?.requestId}n(Li,"readBrowserRequestId");function Ni(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(Ni,"readUpstreamHtmlError");function Bi(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(Bi,"readRuntimeErrorExtensionString");function Cp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Cp,"readRuntimeErrorExtensionNumber");function Ip(e){try{return new URL(e.url).pathname}catch{return}}n(Ip,"readBrowserRequestPath");function we(e){let t={code:e.code,requestId:e.requestId,routePath:Ip(e.request),underlyingError:e.underlyingError};return e.error instanceof g&&(t.httpStatus=Cp(e.error,ve),t.contentType=Bi(e.error,be),t.upstreamUrl=Bi(e.error,Ce)),t}n(we,"buildBrowserErrorDiagnostic");function at(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(at,"oauthErrorResponse");function xp(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(xp,"readOAuthProtocolHeaders");function Ap(e,t){let r=L("internal_server_error");return at({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:xp(e,t)})}n(Ap,"oauthProtocolErrorResponse");function Kr(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(Kr,"readZodOAuthErrorCode");function Up(e){let t={error:Kr(e)},r=se(e);return r!==void 0&&(t.errorDescription=r),at(t)}n(Up,"oauthZodErrorResponse");function kp(e){let t=le(e);if(t===void 0)return;let r=L(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:Pp(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,at(o)}n(kp,"oauthGatewayProblemResponse");function Tp(){let t={error:"server_error",status:500,errorDescription:L("internal_server_error").publicDetail};return at(t)}n(Tp,"oauthFallbackErrorResponse");function Pp(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Pp,"readOAuthStatus");function Wr(e,t={}){return e instanceof ie?Zi(e):e instanceof p?Ap(e,t):e instanceof d.ZodError?Up(e):kp(e)??Tp()}n(Wr,"oauthProblemResponse");function Vr(e,t,r){let o=qe(e.url),a=Li(t);if(r instanceof ie)return Zi(r);if(r instanceof p){let c=L("internal_server_error");return K({host:o,kind:Ep(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:we({request:e,requestId:a,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:a,status:r.status})}if(r instanceof d.ZodError)return K({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was invalid.",code:Kr(r),diagnostic:we({request:e,requestId:a,code:Kr(r),underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:a});let i=le(r);if(i!==void 0){let c=L(i);return K({host:o,kind:Gi(i),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:i,diagnostic:we({request:e,requestId:a,code:i,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:a,upstreamHtml:Ni(r),status:c.status})}let s=L("internal_server_error");return K({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:we({request:e,requestId:a,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:a,status:s.status})}n(Vr,"browserOAuthProblemResponse");function $i(e,t,r){let o=qe(e.url),a=Li(t),i=le(r);if(i!==void 0){let c=L(i);return K({host:o,kind:Gi(i),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:i,diagnostic:we({request:e,requestId:a,code:i,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:a,upstreamHtml:Ni(r),status:c.status})}if(r instanceof d.ZodError)return K({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was invalid.",code:"invalid_request",diagnostic:we({request:e,requestId:a,code:"invalid_request",underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:a});let s=L("internal_server_error");return K({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:we({request:e,requestId:a,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:a,status:s.status})}n($i,"browserGatewayProblemResponse");function Ep(e){return e==="server_error"?"internal_error":"invalid_request"}n(Ep,"readOAuthBrowserErrorKind");function Gi(e){if(L(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(Gi,"readGatewayBrowserErrorKind");function ee(e,t,r){let o={event:t},a=!1;if(r instanceof p)o.oauthError=r.errorCode,o.status=r.status,V(o,"error",r);else if(r instanceof ie)o.oauthError=r.errorCode,V(o,"error",r);else if(r instanceof d.ZodError){o.code="invalid_request",V(o,"error",r);let i=r.issues[0];i&&(o.zodPath=i.path.join("."))}else{let i=le(r);if(i!==void 0){let s=L(i);o.code=i,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",V(o,"error",r)}else a=!0,V(o,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,i.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(ee,"logUnexpectedOAuthHandlerError");function Zi(e){let t;try{t=new URL(e.redirectUri)}catch{return at({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(Zi,"downstreamAuthorizeRedirectErrorResponse");function se(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(se,"formatZodErrorDetail");function Op(e,t){let r={event:"browser_login_callback_failed",code:le(t)??"invalid_request"};V(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Op,"logBrowserLoginCallbackFailure");function Fi(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(Fi,"redirectResultResponse");function Lt(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":bp,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Fi(e)}n(Lt,"authorizeResultResponse");async function Ki(e,t){try{return Response.json(Vn(e.url,e.headers))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),ji(e,t,r)}}n(Ki,"authorizationServerMetadataHandler");async function Ji(e,t){try{let r=Xt(e.params.routePath);return Response.json(Yn({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),ji(e,t,r)}}n(Ji,"scopedAuthorizationServerMetadataHandler");async function Wi(e,t){try{let r=await ni(await vp(e)),o=r,a=typeof o.client_id=="string"?o.client_id:void 0,i=typeof o.client_name=="string"?o.client_name:void 0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:a,clientName:i,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),v(t,{eventType:R.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:i,attributes:{clientId:a,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_register_failed",r),Wr(r)}}n(Wi,"registerHandler");async function Vi(e,t){try{return Lt(await Fr(e,{context:t}))}catch(r){return ee(t,"oauth_authorize_failed",r),Vr(e,t,r)}}n(Vi,"authorizeHandler");async function Yi(e,t){try{let r=Xt(e.params.routePath);return Lt(await Fr(e,{operationId:r.operationId,context:t}))}catch(r){return ee(t,"oauth_authorize_scoped_failed",r),Vr(e,t,r)}}n(Yi,"scopedAuthorizeHandler");async function Xi(e,t){try{let r=await ki(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Lt(r)}catch(r){return Op(t,r),$i(e,t,r)}}n(Xi,"callbackHandler");async function Qi(e,t){try{return Fi(await Ti(e))}catch(r){return ee(t,"oauth_dev_login_failed",r),Vr(e,t,r)}}n(Qi,"devLoginHandler");async function es(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Pi({request:e,body:e.method==="POST"?await Jr(e):void 0,context:t});return Lt(r)}catch(r){return ee(t,"oauth_setup_failed",r),$i(e,t,r)}}n(es,"setupHandler");async function ts(e,t){try{return Response.json(await Hi({body:await Jr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return ee(t,"oauth_token_failed",r),Wr(r)}}n(ts,"tokenHandler");async function rs(e,t){try{return await zi({body:await Jr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_revoke_failed",r),Wr(r)}}n(rs,"revokeHandler");var qp={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},ns=Symbol("upstream-request");function Mp(e){let t=e[ns];if(!t)throw new D("Upstream request context has not been set");return t}n(Mp,"readUpstreamRequestContext");function Dp(e,t){return t.some(r=>r===e)}n(Dp,"requestContextMatchesKind");function Hp(e){return typeof e=="string"?[e]:e}n(Hp,"toExpectedKinds");function He(e,t){Object.defineProperty(e,ns,{configurable:!0,value:t})}n(He,"setUpstreamRequestContext");function it(e,t){let r=Mp(e),o=Hp(t);if(!Dp(r.kind,o)){let a=qp[o[0]];throw new D(`${a} request context has not been set`)}return r}n(it,"requireUpstreamRequestContext");function os(e){return y`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(os,"renderBrowserResult");var zp="text/html; charset=utf-8",Bp="none";function jp(e){let t=hr(e.host);return Oe({title:e.title,iconHref:t,styles:Ee,headerIcon:jt({iconHref:t,fallbackIconHref:tt}),heading:e.title,subhead:"",body:os({body:e.body,code:e.code??Bp}),footer:""})}n(jp,"browserResultHtml");function Lp(e,t=200){return new Response(Pe(e),{status:t,headers:{"content-type":zp,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Lp,"browserResultResponse");function as(e){return Lp(jp(e))}n(as,"browserConnectionSuccessResponse");function Nt(e,t,r={}){let o=Ln(t);return K({host:e,kind:Np(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(Nt,"browserConnectionFailureResponse");function Np(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(Np,"readCallbackFailureBrowserErrorKind");var $p=["callback_authorization_code","callback_provider_error","callback_invalid"];function Yr(e){try{return new URL(e.url).pathname}catch{return}}n(Yr,"readBrowserRequestPath");function Gp(e){return"cause"in e?e.cause:void 0}n(Gp,"readErrorCause");function Zp(e){return e.stack?.split(`
|
|
48
|
-
`).slice(1,4).map(t=>t.trim()).join(" | ")}n(Zp,"readFirstStackFrame");function is(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=Zp(r))}n(is,"addErrorAttributes");function Xr(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[_];return Sn(t)?t:void 0}n(Xr,"readRuntimeGatewayCode");function ss(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(ss,"readRuntimeErrorExtensionString");function Fp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Fp,"readRuntimeErrorExtensionNumber");function Kp(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),v(t,{eventType:R.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),Nt(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:Yr(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Nt(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:Yr(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(Kp,"requireAuthorizationCallbackRequest");function Jp(e,t){v(e,{eventType:R.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(Jp,"emitCallbackReceivedAnalyticsEvent");function Wp(e,t){v(e,{eventType:R.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(Wp,"emitTokenExchangeSucceededAnalyticsEvent");function Vp(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return as({host:qe(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(Vp,"buildSuccessfulCallbackResponse");function Yp(e){let t={detail:e instanceof Error?e.message:void 0};return is(t,"error",e),e instanceof Error&&is(t,"cause",Gp(e)),t}n(Yp,"buildTokenExchangeFailureAttributes");function Xp(e){v(e.context,{eventType:R.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:Xr(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:Yp(e.error)})}n(Xp,"emitTokenExchangeFailedAnalyticsEvent");function Qp(e){let t=e.error,r=Xr(t),o=vn(r)?r:"upstream_token_exchange_failed",a={code:o,requestId:e.context.requestId,routePath:Yr(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof g?{httpStatus:Fp(t,ve),contentType:ss(t,be),upstreamUrl:ss(t,Ce)}:{}};return Nt(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:a,upstreamHtml:em(t)})}n(Qp,"tokenExchangeFailureResponse");function em(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(em,"readUpstreamHtmlError");async function Qr(e,t){let r=it(e,$p),o=qe(e.url),a=Kp(e,t,r,o);if(a instanceof Response)return a;Jp(t,a);try{let i=await wa({request:e,callbackRequest:a});return Wp(t,i),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:i.upstreamServerId,operationId:i.operationId,authProfileId:i.authProfileId,ownerMode:i.ownerMode},"Upstream OAuth token exchange completed; user connection established"),Vp(e,i)}catch(i){let s={event:"upstream_oauth_token_exchange_failed",code:Xr(i)??"upstream_token_exchange_failed",upstreamServerId:a.upstreamServerId};return V(s,"error",i),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),Xp({context:t,callbackRequest:a,error:i}),Qp({request:e,context:t,host:o,callbackRequest:a,error:i})}}n(Qr,"callbackHandler");function tm(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(tm,"clientMetadataProblemDetail");async function cs(e,t){let r=it(e,"connect"),o=await _a({request:e,connectRequest:r});if(v(t,{eventType:R.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let a=await kt({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}n(cs,"connectHandler");async function ds(e,t){let r=it(e,"client_metadata");try{let o=ra(e.url,e.headers),a=na(o,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(o){if(!(o instanceof P))throw o;let a=o instanceof Error?o.message:String(o);return t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:a},"Failed to serve OAuth client metadata document for upstream connection"),de.notFound(e,t,{code:"not_found",detail:tm(o)})}}n(ds,"oauthClientMetadataHandler");function ce(e){if(typeof e=="string"&&e.length!==0)return e}n(ce,"readOptionalQueryString");function rm(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new D(`Validated path parameter ${t} is missing`);return r}n(rm,"requirePathString");function nm(e){let t=ce(e);return t?pt.parse(t):void 0}n(nm,"readOptionalOperationId");function om(e,t){let r=ce(e);return r?An.parse(r):ht(t,"user-oauth")}n(om,"readOptionalAuthProfileId");function am(e){let t=nm(e);if(!t)throw new g({message:"operationId query parameter is required.",extensionMembers:{[_]:"invalid_request"}});return t}n(am,"readRequiredOperationId");function im(e){let t=eo(ce(e));return t===void 0?{}:{returnTo:t}}n(im,"readOptionalReturnTo");function sm(e){let t=ce(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(sm,"readOptionalProviderErrorDescription");function cm(e){let t=G(e.authMode);if(t.connectSupport!=="none")return e;throw new g({message:t.connectUnsupportedDetail??"This upstream does not support browser connection flows.",extensionMembers:{[_]:"invalid_request"}})}n(cm,"requireConnectableRouteAuth");function dm(e,t,r,o){return{kind:"connect",...Te(e,t.subjectId),...o===void 0?{}:{returnTo:o},redirect:r}}n(dm,"buildConnectContextForUser");function um(e,t,r){let o=wt(t),a=G(e.authMode);if(o.mode!==a.ownerMode)throw new g({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[_]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(um,"buildConnectContextForTicket");async function lm(e,t){let r=cm(Pt(t,am(e.query.operationId))),o=e.query.redirect==="true",a=ce(e.query.browserTicket);if(e.user){if(a)throw new g({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[_]:"invalid_request"}});let s=Ie(e.user,e.url);return dm(r,s,o,im(e.query.returnTo).returnTo)}if(!a)throw new g({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[_]:"authentication_required"}});let i=await Xo(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.operationId!==r.operationId)throw new g({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[_]:"oauth_callback_mismatch"}});return await Qo(i),um(r,i,o)}n(lm,"resolveConnectContext");async function pm(e,t,r){let o=xn.parse(rm(e,"connection"));switch(r){case"connect":He(e,await lm(e,o));return;case"callback":{let a=ce(e.query.error);if(a){He(e,{kind:"callback_provider_error",upstreamServerId:o,error:a,...sm(e)});return}let i=ce(e.query.code),s=ce(e.query.state);if(i&&s){He(e,{kind:"callback_authorization_code",upstreamServerId:o,code:i,state:s});return}He(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":He(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:om(e.query.authProfileId,o)});return}}n(pm,"resolveUpstreamRequestInbound");async function mm(e,t,r){try{await pm(e,t,r);return}catch(o){let a=o instanceof g?o.extensionMembers?.[_]:void 0,i=o instanceof Error?o.message:void 0;switch(a){case"invalid_request":case"oauth_callback_mismatch":return de.badRequest(e,t,{code:a,detail:i});case"authentication_required":return de.unauthorized(e,t,{code:a,detail:i});default:throw o}}}n(mm,"applyUpstreamRequestContext");function $t(e,t){return n(async(o,a)=>{let i=await mm(o,a,e);return i||t(o,a)},"wrapped")}n($t,"withUpstreamRequestContext");var fm={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function hm(){return new Response(null,{status:204,headers:fm})}n(hm,"buildWellKnownPreflightResponse");function gm(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(gm,"withWellKnownCorsHeaders");function en(e){return async(t,r)=>t.method==="OPTIONS"?hm():gm(await e(t,r))}n(en,"wrapWellKnownHandler");var ps=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:en(Ki),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:en(Ji),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:en(Xn),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Wi},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Vi},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:Yi},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Xi},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Qi},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:es},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:ts},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:rs},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:$t("client_metadata",ds)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:$t("connect",cs)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:$t("callback",Qr)}],ym=ps.filter(e=>!e.routeName.startsWith("upstream_")),_m=ps.filter(e=>e.routeName.startsWith("upstream_"));function ms(e){return e?.some(Rn)??!1}n(ms,"hasMcpOAuthRuntimeConfigPolicy");function fs(e){return e?.some(t=>On(t.policyType))??!1}n(fs,"hasMcpTokenExchangePolicy");function hs(e){return ms(e)||fs(e)}n(hs,"shouldRegisterMcpGatewayInternalRoutes");function wm(e){Dn(qn({routes:e.routes,policies:e.policies}))}n(wm,"initializeMcpGatewayConnectionRegistry");function Rm(e){let t=bn(e.policies);if(!t){let r=[...wn].map(o=>`\`${o}\``).join(", ");throw new P(`MCP gateway: could not find an MCP authorization policy in policies.json. Add one of [${r}] and reference it on your MCP routes.`)}return t.config}n(Rm,"initializeMcpGatewayOAuthRuntimeConfig");function us(e,t,r){return async(o,a)=>{r&&yn(a,r());let i=o.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,a);return i||a.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(us,"wrapInternalHandler");function ls(e,t,r){e.addPluginRoute({path:t.path,methods:t.methods,handler:r,processors:[cn],corsPolicy:t.corsPolicy??"none"})}n(ls,"addInternalRoute");function gs(e,t){wm(t);let r=ms(t.policies),o=fs(t.policies),a,i=n(()=>(a===void 0&&(a=Rm(t)),a),"readOAuthConfig");if(r)for(let s of ym)ls(e,s,us(s.routeName,s.handler,i));if(o)for(let s of _m)ls(e,s,us(s.routeName,s.handler))}n(gs,"registerMcpGatewayInternalRoutes");function ys(e){Mn(e)}n(ys,"configureLazyMcpGatewayState");var tn=class extends an{static{n(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!hs(r.policies))return;let o={routes:r.routes,policies:r.policies};ys(o),gs(t.router,o)}};var bm=new TextDecoder;function Sm(e){if(e)try{return JSON.parse(bm.decode(e))}catch{return}}n(Sm,"readBodyJson");function te(e){return e&&typeof e=="object"?e:void 0}n(te,"readRecord");function st(e,t){let r=te(e)?.[t];return typeof r=="string"?r:void 0}n(st,"readStringProperty");function ws(e,t){let r=te(e)?.[t];return typeof r=="number"?r:void 0}n(ws,"readNumberProperty");function _s(e,t){return ws(e,"code")??(t.status>=400?t.status:void 0)}n(_s,"readErrorCode");function Rs(e){return Array.isArray(e)?e.map(Rs).find(t=>t?.method):te(e)}n(Rs,"readJsonRpcMessage");function bs(e){let t=Rs(Sm(e)),r=typeof t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:st(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:st(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let a=st(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:a,resourceUri:a}}default:return null}}n(bs,"buildBaseCapabilityInput");function Ss(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(Ss,"isCapabilityListMethod");function vm(e,t,r){let i=te(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(i)?i.length:void 0}n(vm,"readItemCount");async function Cm(e){try{return await e.clone().json()}catch{return}}n(Cm,"readResponseJson");function vs(e){let t=bs(e);return!t||Ss(t.mcpMethod)?null:{eventType:R.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(vs,"buildCapabilityInvokedAnalyticsInput");async function Cs(e,t){let r=bs(e);if(!r)return null;let o=te(await Cm(t)),a=te(o?.error),i=te(a?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&te(s)?.isError===!0;if(te(i?.connectRequired))return{eventType:R.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:ws(a,"code"),mcpErrorType:st(a,"message")};if(Ss(r.mcpMethod)){let l=t.status>=400?void 0:vm(r.mcpMethod,r.capabilityType,s);return{eventType:R.MCP_CAPABILITY_LISTED,outcome:t.status>=400||a?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||a?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:_s(a,t)}:{},...l===void 0?{}:{attributes:{itemCount:l}}}}return t.status>=400||a?{eventType:R.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:_s(a,t),mcpErrorType:st(a,"message")}:{eventType:R.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(Cs,"buildCapabilityFinalAnalyticsInput");var Im={Allow:"POST"};async function xm(e){try{return await e.clone().arrayBuffer()}catch{return}}n(xm,"readRequestBody");function Is(e){try{let t=Hn(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Is,"readRouteAnalyticsFields");function xs(e){return Qn(e.user,e.url,e.headers)?.subjectId}n(xs,"readRequestSubjectId");function Am(e){let t=vs(e.requestBody);t&&v(e.context,{...t,...Is(e.context),httpMethod:e.request.method,subjectId:xs(e.request),transport:"http"})}n(Am,"emitCapabilityInvokedAnalytics");async function Um(e){let t=await Cs(e.requestBody,e.response);t&&v(e.context,{...t,...Is(e.context),httpMethod:e.request.method,subjectId:xs(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(Um,"emitCapabilityFinalAnalytics");async function km(e,t){if(e.method==="GET")return de.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},Im);let r=Date.now(),o=await xm(e);Am({context:t,request:e,requestBody:o});let a=await hn(e,t);return await Um({context:t,request:e,requestBody:o,response:a,startedAt:r}),a}n(km,"McpProxyHandler");export{Ps as McpAuth0OAuthInboundPolicy,er as McpCapabilityFilterInboundPolicy,tn as McpGatewayPlugin,Ts as McpOAuthInboundPolicy,km as McpProxyHandler,Ar as McpTokenExchangeInboundPolicy};
|
|
47
|
+
></iframe>`}n(_u,"renderUpstreamHtml");var Ua="application/json",wu="application/x-www-form-urlencoded";function qt(e,t){return new g({message:e,extensionMembers:{[_]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(qt,"invalidRequestError");function Ru(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(Ru,"normalizeContentType");function bu(e,t){return e===t?!0:t===Ua&&e.endsWith("+json")}n(bu,"contentTypeMatches");function Su(e,t){if(!t||t.length===0)return;let r=Ru(e.headers.get("content-type"));if(!t.some(o=>bu(r,o)))throw qt(`Request body must be ${t.join(" or ")}.`)}n(Su,"assertExpectedContentType");function Cu(e,t,r){let o=e.headers.get("content-length");if(!o)return;let a=Number.parseInt(o,10);if(Number.isFinite(a)&&a>t)throw qt(`${r} exceeded the maximum allowed size.`)}n(Cu,"assertContentLengthWithinLimit");async function ka(e,t){let r=t.label??"Request body";Su(e,t.expectedContentTypes),Cu(e,t.maxBytes,r);let o=await mo(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>qt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(ka,"readBoundedTextBody");async function Ta(e,t){let r=await ka(e,{...t,expectedContentTypes:[Ua]});try{return JSON.parse(r)}catch(o){throw qt("Request body must be valid JSON.",o)}}n(Ta,"readBoundedJsonBody");async function Pa(e,t){let r=await ka(e,{...t,expectedContentTypes:[wu]});return new URLSearchParams(r)}n(Pa,"readBoundedFormUrlEncodedBody");B();B();import{errors as Ha,jwtVerify as za,SignJWT as Ba}from"jose";B();import{errors as vu,jwtVerify as Iu,SignJWT as xu}from"jose";var kr="zuplo_mcp_session",Au=d.object({purpose:d.literal("gateway_browser_session"),sub:yt,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()});function Uu(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let a=r.slice(0,o).trim(),i=r.slice(o+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}n(Uu,"parseCookieHeader");async function Ea(){return Z({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-session"),"derive")})}n(Ea,"getBrowserSessionKey");function Ur(e,t){let r=new URL(U(e,t)),o=[`${kr}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(Ur,"buildBrowserSessionEvictionCookie");function ku(e){let t=new URL(U(e.requestUrl,e.requestHeaders)),r=[`${kr}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(ku,"serializeSessionCookie");function Oa(){return new URL(bt("url")).origin}n(Oa,"readBrowserLoginOrigin");function Tr(){return j().browserLogin.stateTtlSeconds}n(Tr,"readBrowserLoginStateTtlSeconds");function qa(e){if(!e.user)throw w("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Ie(e.user,e.url)}n(qa,"resolveCurrentRequestPrincipal");async function Mt(e,t={}){let r=Uu(e.headers.get("cookie")).get(kr);if(!r)return{};try{let{payload:o}=await Iu(r,await Ea(),{algorithms:[z],issuer:q,audience:H}),a=Au.parse(o);if(a.browserLoginOrigin!==Oa())return{evictCookie:Ur(e.url,e.headers)};let i={subjectId:a.sub};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(o){return o instanceof vu.JWTExpired?{evictCookie:Ur(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Ur(e.url,e.headers)})}}n(Mt,"readBrowserSession");async function Dt(e){let t=j().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:Oa()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new xu(r).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await Ea());return ku({value:o,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},ttlSeconds:t})}n(Dt,"createBrowserSessionCookie");async function Ma(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Mt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw w("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");let{exchangeFederatedAuthorizationCode:a}=await import("../browser-login-idp-SQ4CJMPN.js");return a({code:o,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,...e.context===void 0?{}:{context:e.context}})}n(Ma,"resolveBrowserLoginCallbackPrincipal");function Da(e){let t=j().browserLogin,r=new URL(bt("url")),o=new URL("/oauth/callback",Bn(e.requestUrl,e.requestHeaders));return Wn(r)?(r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",bt("clientId")),r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}n(Da,"buildBrowserLoginUrl");var Tu={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},p=class extends Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=Tu[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var Pu=5*60,Eu=d.object({purpose:d.literal("gateway_browser_login"),transactionId:Ft,stateId:Kt,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Ou=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:Ft,stateId:Kt,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function ja(){return Z({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-login"),"derive")})}n(ja,"getBrowserLoginKey");async function La(){return Z({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"authorization-csrf"),"derive")})}n(La,"getCsrfKey");function Na(e){return{now:e.now??new Date,ttlSeconds:Tr()}}n(Na,"readPendingTransactionDependencies");function qu(e,t){return e.subjectId===t.subjectId}n(qu,"principalsMatch");function $a(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n($a,"toPendingPrincipal");function Ga(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:b(e.now),expiresAt:b(W(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw w("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:$a(e.principal)}}n(Ga,"createTransactionRecord");async function Za(e){let{id:t,...r}=e.record,o=await S().startAuthorization({...r,transactionId:t,...e.client===void 0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw w("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new p("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new p("invalid_request","redirect_uri is not registered for the client.")}}n(Za,"startPendingTransaction");async function Mu(e){return new Ba({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await ja())}n(Mu,"signBrowserLoginState");async function Fa(e){return new Ba({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Wt()}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(q).setAudience(H).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await La())}n(Fa,"signCsrfToken");async function Pr(e){try{let{payload:t}=await za(e,await ja(),{algorithms:[z],issuer:q,audience:H}),r=Eu.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Ha.JWTExpired?w("oauth_state_expired","Browser login state has expired.",t):w("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Pr,"verifyBrowserLoginStateToken");async function Ht(e){try{let{payload:t}=await za(e,await La(),{algorithms:[z],issuer:q,audience:H});return{transactionId:Ou.parse(t).transactionId}}catch(t){throw t instanceof Ha.JWTExpired?w("oauth_state_expired","Authorization setup state has expired.",t):w("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(Ht,"verifyCsrfToken");function Er(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(Er,"pendingStateErrorCode");function Du(e){return e.kind==="available"?{kind:"available",record:e.transaction}:e}n(Du,"toPendingAuthorizationGetResult");function Hu(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(Hu,"toPendingAuthorizationAdvanceResult");function Or(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Er(e==="consumed_already"?"consumed_already":e)}n(Or,"setupDecisionErrorCode");async function Ka(e){let t=e.now??new Date,r=await Ht(e.csrfToken),o=await S().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:b(t)});if(o.kind!=="marked")throw w(Or(o.kind),"Authorization setup state is invalid, expired, or already used.");return Ja({kind:"available",record:o.transaction})}n(Ka,"markSetupApproved");function Ja(e){if(e.kind!=="available")throw w(Er(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(Ja,"requireAwaitingSetup");function zu(e){if(!qu(e.currentBrowserPrincipal,e.transaction.principal))throw w("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(zu,"requireCurrentPrincipalMatches");async function Wa(e){let t=e.now??new Date,r=Tr(),o=Jt(),a=Wt(),i=await Mu({transactionId:o,stateId:a,ttlSeconds:r}),s=Ga({id:o,transaction:e.transaction,currentStateHash:await I(i),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Za({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw w("oauth_state_invalid","Authorization transaction did not start in login phase.");return{transaction:c,browserLoginStateToken:i,browserLoginUrl:Da({state:i,nonce:a,operationId:s.operationId,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(Wa,"startAwaitingLogin");async function Va(e){let{now:t,ttlSeconds:r}=Na(e),o=Jt(),a=await Fa({transactionId:o,ttlSeconds:r}),i=Ga({id:o,transaction:e.transaction,currentStateHash:await I(a),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(i.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Za({record:i,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw w("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:a}}n(Va,"startAwaitingSetup");async function Ya(e){let{now:t,ttlSeconds:r}=Na(e),o=await Pr(e.browserLoginStateToken),a=await Fa({transactionId:o.transactionId,ttlSeconds:r}),i=Hu(await S().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await I(e.browserLoginStateToken),nextStateHash:await I(a),nextPhase:"awaiting_setup",principal:$a(e.principal),now:b(t)}));if(i.kind!=="advanced")throw w(Er(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw w("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:a}}n(Ya,"completeLogin");async function Xa(e){let t=await qr(e);return zu({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(Xa,"getSetup");async function qr(e){let t=e.now??new Date,r=await Ht(e.csrfToken);return Ja(Du(await S().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),now:b(t)})))}n(qr,"getSetupTransaction");async function Bu(e){let t=await Ht(e.csrfToken),r=X(),o=b(W(e.now,Pu)),a=await S().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await I(r),authorizationCodeExpiresAt:o,grantId:Kn(),now:b(e.now)});if(a.kind!=="approved")throw w(a.kind==="cancelled"?"oauth_state_invalid":Or(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}n(Bu,"createAuthorizationCodeRedirectWithDecision");async function ju(e){let t=await Ht(e.csrfToken),r=await S().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:b(e.now)});if(r.kind!=="cancelled")throw w(r.kind==="approved"?"oauth_state_invalid":Or(r.kind),"Authorization setup state is invalid, expired, or already used.");return Lu({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(ju,"createCancelRedirectWithDecision");function Lu(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(Lu,"buildClientCancelRedirect");async function Qa(e){let t=e.now??new Date;return Bu({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(Qa,"approve");async function ei(e){let t=e.now??new Date;return ju({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(ei,"cancel");B();var Nu=1e4,$u=5*1024,Gu=2,Zu=90*24*60*60,Mr="dcr:pkjwt:",Fu="chatgpt.com",Ku="ChatGPT CIMD client metadata could not be used by this gateway. In ChatGPT advanced OAuth settings, change Registration method to Dynamic Client Registration (DCR), keep the discovered Registration URL, and retry connecting.",Dr=["authorization_code","refresh_token"],Hr=["code"],Ju=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(Dr)).min(1).max(2).optional(),response_types:d.array(d.enum(Hr)).min(1).max(1).optional(),scope:d.literal(E).optional(),token_endpoint_auth_method:Zn.optional(),jwks_uri:d.string().min(1).optional()});function Wu(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&ue(t))&&t.pathname!=="/"}catch{return!1}}n(Wu,"isCimdClientIdCandidate");function Vu(e){try{let t=new URL(e);return t.protocol==="https:"&&t.hostname===Fu&&t.pathname.startsWith("/oauth/")&&t.pathname.endsWith("/client.json")}catch{return!1}}n(Vu,"isChatGptCimdClientId");function ti(e){throw new p("invalid_client",Vu(e)?Ku:"OAuth client is not registered.")}n(ti,"invalidCimdClientError");function Me(e,t="invalid_request",r="authorize"){if(Yu(e))throw new p(t,"redirect_uris must not include raw whitespace or control characters.");let o;try{o=new URL(e)}catch{throw new p(t,"redirect_uris must be absolute URIs.")}if(o.hash||o.username||o.password)throw new p(t,"redirect_uris must not include credentials or fragments.");let a={source:r},i=$n({url:o,context:a});if(i.kind!=="rejected"){i.mode!=="strict"&&void 0;return}throw new p(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(Me,"assertValidRedirectUri");function Yu(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(Yu,"hasForbiddenRawRedirectUriCharacter");async function Xu(e){let{response:t,json:r}=await ho(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Gu,maxResponseBytes:$u,timeoutMs:Nu});if(!t.ok)throw w("invalid_request","CIMD metadata could not be fetched.");let o=Fn.parse(r);for(let a of o.redirect_uris)Me(a,"invalid_request","cimd");if(o.jwks_uri!==void 0&&Rt(o.jwks_uri),o.client_id!==e.clientId)throw w("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(Xu,"fetchCimdMetadata");async function Qu(e){let t=po(e),r=await Xu({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(Qu,"resolveCimdClient");async function zt(e,t){let r=Y.parse(e);if(Wu(r)){j().gateway.cimdEnabled||ti(r);try{return await Qu(r)}catch{ti(r)}}let o=await S().readClient({clientId:r});if(o.kind==="found"){let a=o.client,i=cl(a.clientId),s=i===void 0?a.tokenEndpointAuthMethod:"private_key_jwt",c=a.jwksUri??i;if(s==="private_key_jwt"&&c===void 0)throw new p("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let l={client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}},m={kind:"dcr",clientId:r,metadata:l};return a.hashedClientSecret&&(m.hashedClientSecret=a.hashedClientSecret),m}throw new p("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. Re-run client registration before authorization.":"OAuth client is not registered.")}n(zt,"resolveClient");function ri(e,t){if(!e.metadata.redirect_uris.some(r=>Jn(r,t)))throw w("invalid_request","redirect_uri is not registered for the client.")}n(ri,"assertRedirectRegistered");function el(e){let t=ni(e.grant_types),r=e.response_types??[...Hr];if(!tl(t))throw new p("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!rl(r))throw new p("invalid_client_metadata","response_types must be code.");if(!nl(e.scope))throw new p("invalid_client_metadata",`Only the ${E} scope is supported.`)}n(el,"assertSupportedDcrRequest");function ni(e){return e===void 0?[...Dr]:Array.from(new Set(e))}n(ni,"normalizeGrantTypes");function tl(e){return e.length===0?!1:e.every(t=>Dr.includes(t))}n(tl,"isSupportedGrantTypes");function rl(e){return e.length===Hr.length&&e[0]==="code"}n(rl,"isSupportedResponseTypes");function nl(e){return e===void 0||e===E}n(nl,"isSupportedDcrScope");function ol(e){try{Rt(e)}catch(t){throw new p("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials, query, or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(ol,"assertValidDcrJwksUri");function al(e){let t=new TextEncoder().encode(e),r="";for(let o of t)r+=String.fromCharCode(o);return btoa(r).replaceAll("+","-").replaceAll("/","_").replace(/=+$/,"")}n(al,"encodeBase64Url");function il(e){let t=e.replaceAll("-","+").replaceAll("_","/"),r=t.padEnd(t.length+(4-t.length%4)%4,"="),o;try{o=atob(r)}catch{return}let a=new Uint8Array(o.length);for(let i=0;i<o.length;i+=1)a[i]=o.charCodeAt(i);return new TextDecoder().decode(a)}n(il,"decodeBase64Url");function sl(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?Y.parse(`${Mr}${crypto.randomUUID()}:${al(e.jwksUri)}`):Y.parse(`dcr:${crypto.randomUUID()}`)}n(sl,"createDcrClientId");function Bt(e){return e.startsWith(Mr)}n(Bt,"isPrivateKeyJwtDcrCompatibilityClientId");function cl(e){if(!Bt(e))return;let t=e.slice(Mr.length),r=t.indexOf(":");if(r===-1)return;let o=il(t.slice(r+1));if(o!==void 0){try{Rt(o)}catch{return}return o}}n(cl,"readPrivateKeyJwtDcrClientIdJwksUri");function nt(e){if(e===void 0||e===E)return E;throw new p("invalid_request",`Only the ${E} scope is supported.`)}n(nt,"assertSupportedOAuthScope");function De(e,t,r){let o;try{o=new URL(t)}catch{throw new p("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new p("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!ue(o))throw new p("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let a=U(e,r),i=zn(),s=i?[...i.byOperationId.values()].find(c=>new URL(c.routePath,a).toString()===t):void 0;if(!s)throw new p("invalid_target","resource must match a published MCP route.");return s}n(De,"resolveResource");async function oi(e){let t;try{t=Ju.parse(e)}catch(v){if(v instanceof d.ZodError){let N=v.issues.some(Re=>Re.path[0]==="redirect_uris");throw new p(N?"invalid_redirect_uri":"invalid_client_metadata",v.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:v})}throw v}el(t);for(let v of t.redirect_uris)Me(v,"invalid_redirect_uri","dcr");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new p("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&ol(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",a=o==="private_key_jwt"?"none":o,i=sl({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=W(r,Zu),c=Math.floor(r.getTime()/1e3),l=Math.floor(s.getTime()/1e3),m={client_id:i,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:ni(t.grant_types),response_types:["code"],scope:E,token_endpoint_auth_method:o,client_id_issued_at:c,...t.jwks_uri===void 0?{}:{jwks_uri:t.jwks_uri}},f={clientId:i,clientName:String(m.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:a,createdAt:b(r),clientExpiresAt:b(s)};if(o==="client_secret_basic"||o==="client_secret_post"){let v=X();f.hashedClientSecret=await I(v),f.clientSecretExpiresAt=b(s),m.client_secret=v,m.client_secret_expires_at=l,m.client_secret_issued_at=c}if((await S().registerClient(f)).kind==="already_exists")throw w("invalid_request","OAuth client is already registered.");return m}n(oi,"registerDownstreamClient");function jt(e){return y`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(jt,"renderShellIcon");function ai(e){return y`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(ai,"renderActions");var qy=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');function ii(e){return y`<div class="banner banner--warning" role="status"><span class="banner__icon" aria-hidden="true">${e.icon}</span><div class="banner__body"><p class="banner__title">Setup required</p><p class="banner__message">${e.message}</p></div></div>`}n(ii,"renderBannerWarning");var My=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),si=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');function ci(e){return y`${e.banner}<section class="upstreams"><header class="section-label">Upstream services <span class="section-label__count">${e.sectionCount}</span></header><ul class="upstream-list">${e.cards}</ul></section>${e.fineprint}`}n(ci,"renderSetupPage");function di(e){return y`<article class="${e.cardClass}"><div class="upstream-card__head">${e.iconFrame}<div class="upstream-card__main"><div class="upstream-card__title-row"><h3 class="upstream-card__title">${e.upstreamDisplayName}</h3>${e.control}</div><div class="upstream-card__meta">${e.host}<span>${e.authModeLabel}</span><span class="upstream-card__sep" aria-hidden="true">·</span><span>${e.ownerModeLabel}</span></div>${e.description}</div></div>${e.capabilities} ${e.scopes}</article>`}n(di,"renderUpstreamCard");var ui=F('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var dl="data:,",pi=y`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,Br=y`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function mi(e,t){if(e)try{let r=new URL(t).origin,o=new URL(e,r);return o.origin!==r||!o.pathname.startsWith("/auth/connections/")?void 0:o.toString()}catch{return}}n(mi,"safeGatewayConnectHref");function ul(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(ul,"deriveMode");function ll(e){return ai({state:e.state,submitOnceAttrs:pi,authorizeAttrs:k})}n(ll,"renderActions");function zr(e,t,r){for(let o of e){if(o.ownerMode!=="user"||o.status!==r)continue;let a=mi(o.connectUrl,t);if(a)return a}}n(zr,"firstUserConnectHref");function pl(e){let t=e.connectHref?y`<a class="button button--primary" href="${e.connectHref}" ${Br}>Connect</a>`:y`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return y`<form class="actions" method="post" action="/oauth/setup" ${pi}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(pl,"renderSetupActions");function ml(e){return e?y`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${Br}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:k}n(ml,"renderReconnectAction");function fl(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(fl,"isRenderableIconHref");function fi(e){return e?.find(t=>fl(t.src))?.src}n(fi,"readIconHref");function hi(e){return fi(e.serverIcons)??(e.transportHost===void 0?void 0:gr(e.transportHost).src)}n(hi,"readUpstreamIconHref");function hl(e){let t=hi(e);return t===void 0?y`<span class="icon-frame icon-frame--fallback" aria-hidden="true">${si}</span>`:y`<span class="icon-frame"><img src="${t}" alt="" referrerpolicy="no-referrer" loading="lazy" onerror=" this.onerror = null; this.src = '${tt}'; " /></span>`}n(hl,"renderIconFrame");function gl(e){let t=fi(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=hi(r);if(o!==void 0)return o}}n(gl,"readHeaderIconHref");function yl(e){return y`<p class="card__subtitle"><strong>${e.clientDisplayName}</strong> wants to access <strong>${e.routeDisplayName}</strong></p>${e.routeDescription===void 0?k:y`<p class="card__description">${e.routeDescription}</p>`}${e.principalLabel===void 0?k:y`<span class="card__principal" title="Signed in as ${e.principalLabel}">${e.principalLabel}</span>`}`}n(yl,"renderSubhead");function _l(e){let t=e.filter(o=>o.ownerMode==="user"&&o.status!=="active");if(t.length===0)return k;let r=t.length===1?y`Connect ${t[0]?.upstreamDisplayName??"the required service"} before continuing. Authorization will continue automatically once it is ready.`:y`Connect the ${t.length} services below before continuing. Authorization will continue automatically once each is ready.`;return ii({icon:ui,message:r})}n(_l,"renderSetupBanner");function wl(e){return e===void 0?k:y`<code class="upstream-card__host">${e}</code><span class="upstream-card__sep" aria-hidden="true">·</span>`}n(wl,"renderHost");function Rl(e){switch(e){case"shared-oauth":case"user-oauth":return"OAuth";default:return e}}n(Rl,"readAuthModeLabel");function bl(e){switch(e){case"user":return"your account";case"shared":return"workspace";case"none":return"no auth"}}n(bl,"readOwnerModeLabel");function Sl(e){switch(e){case"active":return"Connected";case"reconsent_required":return"Reconnect";case"not_connected":return"Setup required"}}n(Sl,"readStatusLabel");function li(e){let t=e.status==="active"?"status-badge status-badge--success":"status-badge status-badge--warning";return y`<span class="${t}">${Sl(e.status)}</span>`}n(li,"renderStatusBadge");function Cl(e,t){if(!(e.ownerMode==="user"&&e.status!=="active"))return li(e);let o=mi(e.connectUrl,t);return o===void 0?li(e):y`<a class="button button--secondary button--small" href="${o}" ${Br}>Connect</a>`}n(Cl,"renderUpstreamControl");function vl(e){return e===void 0?k:y`<p class="upstream-card__description">${e}</p>`}n(vl,"renderDescription");function Il(e){return xa(e.upstreams.map(t=>{let r=t.ownerMode==="user"&&t.status!=="active";return y`<li>${di({cardClass:r?"upstream-card upstream-card--needs-action":"upstream-card",iconFrame:hl(t),upstreamDisplayName:t.upstreamDisplayName,control:Cl(t,e.gatewayOrigin),host:wl(t.transportHost),authModeLabel:Rl(t.authMode),ownerModeLabel:bl(t.ownerMode),description:vl(t.description),capabilities:k,scopes:k})}</li>`}))}n(Il,"renderUpstreamCards");function xl(e){return e.mode==="setup"?y`<p class="card__fineprint">Authorization continues automatically once every required service is connected.</p>`:y`<p class="card__fineprint"><strong>${e.clientDisplayName}</strong> will receive a token scoped to <strong>${e.routeDisplayName}</strong>.</p>`}n(xl,"renderFineprint");function Al(e){return e.upstreams.length===0?k:ci({banner:e.mode==="setup"?_l(e.upstreams):k,sectionCount:`(${e.upstreams.length})`,cards:Il({upstreams:e.upstreams,gatewayOrigin:e.gatewayOrigin}),fineprint:xl({mode:e.mode,clientDisplayName:e.clientDisplayName,routeDisplayName:e.routeDisplayName})})}n(Al,"renderBody");function jr(e){let t=ul(e.upstreams),r=zr(e.upstreams,e.gatewayOrigin,"not_connected"),o=zr(e.upstreams,e.gatewayOrigin,"reconsent_required"),a=zr(e.upstreams,e.gatewayOrigin,"active"),i=t==="setup"?r??o:void 0,s=gl({routeIcons:e.routeIcons,upstreams:e.upstreams}),c=t==="setup"?y`<footer class="card__footer">${pl({state:e.state,connectHref:i})}</footer>`:y`<footer class="card__footer">${ml(a)}${ll({state:e.state})}</footer>`;return Pe(Oe({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??dl,styles:Ee,headerIcon:s===void 0?k:jt({iconHref:s,fallbackIconHref:tt}),heading:"Authorize access",subhead:yl({routeDisplayName:e.routeDisplayName,routeDescription:e.routeDescription,clientDisplayName:e.clientDisplayName,principalLabel:e.principalLabel}),body:Al({mode:t,gatewayOrigin:e.gatewayOrigin,routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName,upstreams:e.upstreams}),footer:c}))}n(jr,"renderConsentPage");var Ul=1e4,gi="mcp-session-id",kl,yi;function Si(){return{tools:[],prompts:[],resources:[]}}n(Si,"emptyCapabilities");function _i(e){let t=new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":Vt});switch(e.type){case"none":return t;case"bearer_token":return t.set("authorization",`Bearer ${e.token}`),t;case"headers":for(let[r,o]of Object.entries(e.headers))t.set(r,o);return t;case"mcp_oauth_provider":throw new Error("MCP OAuth provider credentials require async headers.")}}n(_i,"buildCredentialHeaders");async function wi(e){if(e.type!=="mcp_oauth_provider")return _i(e);let t=await e.provider.tokens();if(!t)return;let r=_i({type:"none"});return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(wi,"buildAsyncCredentialHeaders");function Ri(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(ft.parse({jsonrpc:mt,id:1,method:"initialize",params:{protocolVersion:Vt,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(Ri,"buildInitializePreflight");async function Lr(e){lo(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),Ul);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return yi?await yi(o):await ct.fetch(o)}finally{clearTimeout(r)}}n(Lr,"runPreflight");function Nr(e){e.body?.cancel().catch(()=>{})}n(Nr,"releasePreflightBody");async function Tl(e){let t=e.response.headers.get(gi);if(!t)return;let r=new Headers(e.headers);r.set(gi,t),r.delete("content-type");try{let o=await Lr(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));Nr(o)}catch{}}n(Tl,"terminatePreflightSession");async function Ci(e){let{response:t}=e;return Nr(t),t.status>=200&&t.status<300?(await Tl(e),{kind:"ready",upstreamStatus:t.status,capabilities:Si()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(Ci,"classifyResponse");function bi(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(bi,"connectRequiredResult");async function Pl(e){try{return Ci({response:await Lr(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Pl,"classifyPreflight");async function El(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:Si()};let r=Pt(t.upstreamServerId,e.route.operationId),o=Te(r,e.subjectId),a=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},i=new Request(e.requestUrl,{...e.requestHeaders===void 0?{}:{headers:e.requestHeaders}}),s=await ke({request:i,routeAuth:a,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return bi(s.payload);let c=await wi(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let l=Ri({upstreamUrl:t.mcpUrl,headers:c}),m;try{m=await Lr(l)}catch(v){return{kind:"upstream_unavailable",message:v instanceof Error?v.message:"Upstream MCP server readiness preflight failed."}}if(m.status!==401)return Ci({response:m,upstreamUrl:t.mcpUrl,headers:c});Nr(m);let f=await ke({request:i,routeAuth:a,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(f.kind==="connect_required")return bi(f.payload);let A=await wi(f.credential);return A===void 0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Pl({request:Ri({upstreamUrl:t.mcpUrl,headers:A}),upstreamUrl:t.mcpUrl,headers:A})}n(El,"checkUpstreamRouteReadinessImpl");function vi(e){return(kl??El)(e)}n(vi,"checkUpstreamRouteReadiness");function Ol(e){try{return new URL(e).host}catch{return}}n(Ol,"safeUrlHost");function ql(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}n(ql,"readOAuthScopes");function Ii(e){return e!==void 0&&e.length>0}n(Ii,"hasItems");function Ml(e){let t=e.serverInfo?.icons;if(Ii(t))return t;let r=xt(e.mcpUrl);return r===void 0?void 0:[r]}n(Ml,"readServerIcons");async function Dl(e){if(!(e.returnTo===void 0||!e.isUserOwned))return _r({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Dl,"readConnectUrl");function _e(e,t){return t===void 0?{}:{[e]:t}}n(_e,"optionalRequirementField");function Hl(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?ao(e.connection):{connected:!0,status:"active"}}n(Hl,"readSetupConnectionStatus");function zl(e){let t=ql(e);return Ii(t)?t:void 0}n(zl,"readScopesRequested");function Bl(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(Bl,"readUpdatedAt");function jl(){return{tools:[],prompts:[],resources:[]}}n(jl,"readRouteCapabilities");async function Ll(e){let{authConfig:t,authMode:r,description:o,displayName:a,mcpUrl:i,upstreamServerId:s,authProfileId:c}=e.registeredConnection,l=At(r),m=l==="user",f=Hl({connection:e.connection,isUserOwned:m,readiness:e.readiness}),A=e.readiness?.connectUrl??await Dl({...e,connected:f.connected,isUserOwned:m});return{upstreamServerId:s,authProfileId:c,authMode:r,ownerMode:l,upstreamDisplayName:a,status:f.status,connected:f.connected,capabilities:jl(),..._e("description",o),..._e("transportHost",Ol(i)),..._e("scopesRequested",zl(t)),..._e("serverIcons",Ml(e.registeredConnection)),..._e("connectUrl",A),..._e("updatedAt",Bl({connectionStatus:f,isUserOwned:m})),..._e("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(Ll,"buildSetupRequirement");function xi(e){let t=$().byOperationId.get(e);if(!t)throw w("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(xi,"requireRoute");async function $r(e){let t=xi(e.transaction.operationId),r=_t(e.transaction.principal.subjectId),o=[],a=new Map,i=t.connection;if(i===void 0)return[];At(i.authMode)==="user"&&(a.set(i,o.length),o.push({owner:r,upstreamServerId:i.upstreamServerId,authProfileId:i.authProfileId}));let s=await S().batchGetUpstreamConnections(o),c=[],l=At(i.authMode)==="user",m=a.get(i),f=await vi({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:l&&m!==void 0?s[m]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),A=(()=>{if("connectionStatus"in f&&f.connectionStatus)return f.connectionStatus})(),v=(f.kind==="connect_required"||f.kind==="admin_setup_required")&&f.payload.authUrl!==void 0?f.payload.authUrl:void 0;return c.push(await Ll({connection:l&&m!==void 0?s[m]:void 0,registeredConnection:i,route:t,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:A===void 0?void 0:{...A,...v===void 0?{}:{connectUrl:v}}})),c}n($r,"requirementsForSetup");function Nl(e){return e.route.connection?.displayName??e.route.operationId}n(Nl,"readRouteDisplayName");async function Gr(e){let t=xi(e.transaction.operationId),r=Nl({route:t}),o=await S().readClient({clientId:e.transaction.clientId}),a=o.kind==="found"?o.client:void 0,i={gatewayOrigin:U(e.requestUrl,e.requestHeaders),routeDisplayName:r,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(i.routeDescription=s),i}n(Gr,"consentContext");function Zr(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Zr,"hasUnresolvedUserUpstream");var $l=["mcp_user"],Gl="dev-browser-user",Zl=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Fl=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:Gn,state:d.string().min(1).optional(),scope:d.literal(E).default(E)}),Kl=d.enum(["continue","approve","cancel"]).default("continue"),Jl=d.object({state:d.string().min(1),decision:Kl}),ie=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function Ai(e){return typeof e=="string"&&e.length>0?e:void 0}n(Ai,"readQueryString");function Wl(e){let t=Array.from($().byOperationId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return Yt(r.operationId,e.url,e.headers)}n(Wl,"inferSingleRouteResource");function Vl(e,t){let r=Ai(e.query.resource);if(t===void 0){if(r!==void 0)return r;let a=Wl(e);if(a!==void 0)return a;throw new p("invalid_target",Zl)}let o=Yt(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new p("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Vl,"requireAuthorizeResource");async function Yl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let a=qa(e);return{principal:a,setCookie:await Dt({principal:a,requestUrl:e.url,requestHeaders:e.headers})}}n(Yl,"resolveBrowserPrincipal");async function Xl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(!o.principal)throw w("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Xl,"requireSetupPrincipal");function Ui(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}n(Ui,"buildSetupReturnTo");async function ki(e){let t=await $r({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:Ui(e.csrfToken)}),r=await Gr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}}),o={kind:"setup_page",html:jr({state:e.csrfToken,operationId:e.transaction.operationId,upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(ki,"renderSetup");function Ql(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Ql,"toAuthorizationTransactionClient");async function Fr(e,t={}){let r=Fl.parse({...e.query,resource:Vl(e,t.operationId),state:Ai(e.query.state)}),o=nt(r.scope);Me(r.redirect_uri,"invalid_request","authorize");let a=new Date,i=Y.parse(r.client_id),s=await zt(r.client_id,a);ri(s,r.redirect_uri);try{let c=De(e.url,r.resource,e.headers),l=Ql(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&C(t.context,{eventType:R.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:i,scope:o,responseType:r.response_type}});let m={clientId:s?.clientId??i,...l===void 0?{}:{client:l},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:f,setCookie:A}=await Yl(e,t.context);if(!f){let N=await Wa({transaction:m,requestUrl:e.url,requestHeaders:e.headers,now:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i,operationId:c.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let Re={kind:"redirect",location:N.browserLoginUrl};return A!==void 0&&(Re.setCookie=A),Re}let v=await Va({transaction:m,principal:f,now:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i,operationId:c.operationId,subjectId:f.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&C(t.context,{eventType:R.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:i,scope:o,responseType:r.response_type,subjectId:f.subjectId}}),ki({transaction:v.transaction,csrfToken:v.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:A})}catch(c){throw ep({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n(Fr,"authorizeDownstreamClient");function ep(e){if(e.cause instanceof ie)return e.cause;let t=tp(e.cause);return t?new ie({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(ep,"toDownstreamAuthorizeRedirectError");function tp(e){if(e instanceof p)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(tp,"mapToOAuthRedirectError");async function Ti(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let m=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,f=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...m===void 0?{}:{idpErrorDescription:m},...f===void 0?{}:{idpErrorUri:f}},"Identity provider redirected browser-login callback with an error"),w("provider_access_denied",m??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),w("oauth_state_invalid","Browser login callback is missing state.");let a=await Pr(o),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await Ma(i),c=await Ya({browserLoginStateToken:o,principal:s}),l=await ki({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return l.setCookie=await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers}),l}n(Ti,"completeBrowserLoginCallback");async function Pi(e){let t=j(),r=new URL(e.url);if(!ue(r))throw w("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw w("oauth_state_invalid","Local browser login is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",U(e.url)),i=new URL(U(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw w("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",o);let s={subjectId:yt.parse(Gl),roles:$l};return{kind:"redirect",location:a,setCookie:await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers})}}n(Pi,"completeLocalDevBrowserLogin");function rp(e){let t=e.method==="POST"?e.body:e.query;return Jl.parse(t)}n(rp,"readSetupContinueRequest");async function Ei(e){let{state:t,decision:r}=rp({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,a=await qr({csrfToken:t,now:o}),i=await Xl(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await ei({csrfToken:t,currentBrowserPrincipal:i,now:o})};let s=await Xa({csrfToken:t,currentBrowserPrincipal:i,now:o}),c=await $r({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:Ui(t)});if(r==="approve"&&Zr(c)&&await Ka({csrfToken:t,currentBrowserPrincipal:i,now:o}),Zr(c)){let l=await Gr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:jr({state:t,operationId:s.operationId,upstreams:c,...l})}}return{kind:"redirect",location:await Qa({csrfToken:t,currentBrowserPrincipal:i,now:o})}}n(Ei,"continueDownstreamAuthorizeSetup");B();import{createLocalJWKSet as np,decodeJwt as op,errors as ot,jwtVerify as ap}from"jose";var ip=new Set(["authorization_code","refresh_token"]),sp="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",cp=1e4,dp=32*1024,up=2,Oi=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),lp=d.discriminatedUnion("grant_type",[Oi.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:gt,resource:d.url().optional(),scope:d.literal(E).optional()}),Oi.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(E).optional()})]);function pp(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!ip.has(t)))throw new p("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(pp,"assertSupportedGrantType");var mp=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),fp=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function qi(){return j().gateway.accessTokenTtlSeconds}n(qi,"readAccessTokenTtlSeconds");function hp(){return j().gateway.refreshTokenTtlSeconds}n(hp,"readRefreshTokenTtlSeconds");function gp(e,t){let r=qi(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,o);return{expiresAt:b(W(e,a)),expiresIn:a}}n(gp,"calculateAccessTokenExpiresAt");function Mi(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new p("invalid_client","Malformed HTTP Basic client authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}}n(Mi,"readBasicClientSecret");function Di(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new p("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=op(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new p("invalid_client","Malformed private_key_jwt client assertion.")}throw new p("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new p("invalid_client","Client authentication or client_id is required.")}n(Di,"resolveAuthenticatedClientId");function yp(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(yp,"resolveClientSecretInput");function _p(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(_p,"hasClientAssertion");function wp(e){if(e.requestUrl===void 0)throw new p("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,U(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(wp,"buildEndpointAudience");function Rp(e){return e instanceof ot.JWTExpired?"expired":e instanceof ot.JWTClaimValidationFailed?"claim":e instanceof ot.JWSSignatureVerificationFailed?"signature":e instanceof ot.JWKSNoMatchingKey?"jwks_no_match":e instanceof ot.JWTInvalid?"invalid":e instanceof d.ZodError?"schema":"other"}n(Rp,"readJwtFailureKind");async function bp(e){let{response:t,json:r}=await go(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:up,maxResponseBytes:dp,timeoutMs:cp});if(!t.ok)throw new p("invalid_client","Client JWKS could not be fetched.");return fp.parse(r)}n(bp,"fetchClientJwks");async function Sp(e){if(e.clientAssertionType!==sp||e.clientAssertion===void 0)throw new p("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=Y.parse(e.clientId),r=await zt(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new p("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new p("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let a=wp({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let i=await bp({jwksUri:o,context:e.context});await ap(e.clientAssertion,np(i),{issuer:t,subject:t,audience:a,currentDate:e.now})}catch(i){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:Rp(i)},"OAuth private_key_jwt client authentication failed"),new p("invalid_client","Client authentication failed.")}return Bt(t)?{method:"none",clientId:t}:{method:"private_key_jwt",clientId:t}}n(Sp,"verifyPrivateKeyJwtClientAssertion");async function Cp(e){let t=Y.parse(e.clientId);if(Bt(t))throw new p("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await I(e.clientSecret)}}n(Cp,"buildRuntimeHttpClientAuth");async function Hi(e){if(_p({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 0||e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return Sp(e)}let t=yp({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return Cp({clientId:e.clientId,...t})}n(Hi,"resolveRuntimeHttpClientAuth");async function zi(e){pp(e.body);let t=lp.parse(e.body),r=Mi(e.authorizationHeader),o=Di({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date,i=await Hi({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:a,context:e.context});return vp({parsed:t,clientId:o,clientAuth:i,now:a,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(zi,"exchangeDownstreamToken");async function vp(e){if(e.parsed.grant_type==="authorization_code"){Me(e.parsed.redirect_uri,"invalid_request","token"),nt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let s=X(),c=X(),l=b(W(e.now,hp())),m=gp(e.now,l),f=await S().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await I(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await uo(e.parsed.code_verifier),currentRefreshTokenHash:await I(s),accessTokenHash:await I(c),grantExpiresAt:l,accessTokenExpiresAt:m.expiresAt,now:b(e.now)});if(f.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(f.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the authorization code resource.");if(f.kind!=="exchanged")throw new p("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return e.context&&C(e.context,{eventType:R.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:c,token_type:"Bearer",expires_in:m.expiresIn,refresh_token:s,scope:f.grant.scope,resource:f.grant.resource}}nt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=X(),r=X(),o=b(W(e.now,qi())),a=await S().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await I(e.parsed.refresh_token),nextRefreshTokenHash:await I(t),accessTokenHash:await I(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:o,now:b(e.now)});if(a.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new p("invalid_grant","Refresh token is invalid, expired, or revoked.");De(e.requestUrl??a.grant.resource,a.grant.resource,e.requestHeaders);let i=a.accessToken.expiresAt;return e.context&&(C(e.context,{eventType:R.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),C(e.context,{eventType:R.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(i).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:a.grant.scope,resource:a.grant.resource}}n(vp,"exchangeDownstreamTokenWithRuntimeHttp");async function Bi(e){let t=mp.parse(e.body),r=Mi(e.authorizationHeader),o=Di({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date;if((await S().revokeOAuthToken({clientAuth:await Hi({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:a,context:e.context}),tokenHash:await I(t.token),now:b(a)})).kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&C(e.context,{eventType:R.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(Bi,"revokeDownstreamToken");var Ip=64*1024,xp=16*1024,Ap="text/html; charset=utf-8";function Up(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(Up,"formDataToObject");async function kp(e){return Ta(e,{maxBytes:Ip,label:"Request body"})}n(kp,"readJsonBody");async function Jr(e){return Up(await Pa(e,{maxBytes:xp,label:"Request body"}))}n(Jr,"readFormBody");async function Li(e,t,r){let o=le(r),a=r instanceof d.ZodError?se(r):void 0,i={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return a!==void 0&&(i.detail=a),Nn(e,t,i)}n(Li,"handleProblem");function Ni(e){return e?.requestId}n(Ni,"readBrowserRequestId");function $i(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n($i,"readUpstreamHtmlError");function ji(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(ji,"readRuntimeErrorExtensionString");function Tp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Tp,"readRuntimeErrorExtensionNumber");function Pp(e){try{return new URL(e.url).pathname}catch{return}}n(Pp,"readBrowserRequestPath");function we(e){let t={code:e.code,requestId:e.requestId,routePath:Pp(e.request),underlyingError:e.underlyingError};return e.error instanceof g&&(t.httpStatus=Tp(e.error,Ce),t.contentType=ji(e.error,be),t.upstreamUrl=ji(e.error,ve)),t}n(we,"buildBrowserErrorDiagnostic");function at(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(at,"oauthErrorResponse");function Ep(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(Ep,"readOAuthProtocolHeaders");function Op(e,t){let r=L("internal_server_error");return at({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:Ep(e,t)})}n(Op,"oauthProtocolErrorResponse");function Kr(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(Kr,"readZodOAuthErrorCode");function qp(e){let t={error:Kr(e)},r=se(e);return r!==void 0&&(t.errorDescription=r),at(t)}n(qp,"oauthZodErrorResponse");function Mp(e){let t=le(e);if(t===void 0)return;let r=L(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:Hp(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,at(o)}n(Mp,"oauthGatewayProblemResponse");function Dp(){let t={error:"server_error",status:500,errorDescription:L("internal_server_error").publicDetail};return at(t)}n(Dp,"oauthFallbackErrorResponse");function Hp(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Hp,"readOAuthStatus");function Wr(e,t={}){return e instanceof ie?Fi(e):e instanceof p?Op(e,t):e instanceof d.ZodError?qp(e):Mp(e)??Dp()}n(Wr,"oauthProblemResponse");function Vr(e,t,r){let o=qe(e.url),a=Ni(t);if(r instanceof ie)return Fi(r);if(r instanceof p){let c=L("internal_server_error");return K({host:o,kind:zp(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:we({request:e,requestId:a,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:a,status:r.status})}if(r instanceof d.ZodError)return K({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was invalid.",code:Kr(r),diagnostic:we({request:e,requestId:a,code:Kr(r),underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:a});let i=le(r);if(i!==void 0){let c=L(i);return K({host:o,kind:Zi(i),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:i,diagnostic:we({request:e,requestId:a,code:i,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:a,upstreamHtml:$i(r),status:c.status})}let s=L("internal_server_error");return K({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:we({request:e,requestId:a,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:a,status:s.status})}n(Vr,"browserOAuthProblemResponse");function Gi(e,t,r){let o=qe(e.url),a=Ni(t),i=le(r);if(i!==void 0){let c=L(i);return K({host:o,kind:Zi(i),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:i,diagnostic:we({request:e,requestId:a,code:i,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:a,upstreamHtml:$i(r),status:c.status})}if(r instanceof d.ZodError)return K({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was invalid.",code:"invalid_request",diagnostic:we({request:e,requestId:a,code:"invalid_request",underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:a});let s=L("internal_server_error");return K({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:we({request:e,requestId:a,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:a,status:s.status})}n(Gi,"browserGatewayProblemResponse");function zp(e){return e==="server_error"?"internal_error":"invalid_request"}n(zp,"readOAuthBrowserErrorKind");function Zi(e){if(L(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(Zi,"readGatewayBrowserErrorKind");function ee(e,t,r){let o={event:t},a=!1;if(r instanceof p)o.oauthError=r.errorCode,o.status=r.status,V(o,"error",r);else if(r instanceof ie)o.oauthError=r.errorCode,V(o,"error",r);else if(r instanceof d.ZodError){o.code="invalid_request",V(o,"error",r);let i=r.issues[0];i&&(o.zodPath=i.path.join("."))}else{let i=le(r);if(i!==void 0){let s=L(i);o.code=i,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",V(o,"error",r)}else a=!0,V(o,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,i.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(ee,"logUnexpectedOAuthHandlerError");function Fi(e){let t;try{t=new URL(e.redirectUri)}catch{return at({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(Fi,"downstreamAuthorizeRedirectErrorResponse");function se(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(se,"formatZodErrorDetail");function Bp(e,t){let r={event:"browser_login_callback_failed",code:le(t)??"invalid_request"};V(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Bp,"logBrowserLoginCallbackFailure");function Ki(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(Ki,"redirectResultResponse");function Lt(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":Ap,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Ki(e)}n(Lt,"authorizeResultResponse");async function Ji(e,t){try{return Response.json(Vn(e.url,e.headers))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),Li(e,t,r)}}n(Ji,"authorizationServerMetadataHandler");async function Wi(e,t){try{let r=Xt(e.params.routePath);return Response.json(Yn({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),Li(e,t,r)}}n(Wi,"scopedAuthorizationServerMetadataHandler");async function Vi(e,t){try{let r=await oi(await kp(e)),o=r,a=typeof o.client_id=="string"?o.client_id:void 0,i=typeof o.client_name=="string"?o.client_name:void 0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:a,clientName:i,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),C(t,{eventType:R.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:i,attributes:{clientId:a,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_register_failed",r),Wr(r)}}n(Vi,"registerHandler");async function Yi(e,t){try{return Lt(await Fr(e,{context:t}))}catch(r){return ee(t,"oauth_authorize_failed",r),Vr(e,t,r)}}n(Yi,"authorizeHandler");async function Xi(e,t){try{let r=Xt(e.params.routePath);return Lt(await Fr(e,{operationId:r.operationId,context:t}))}catch(r){return ee(t,"oauth_authorize_scoped_failed",r),Vr(e,t,r)}}n(Xi,"scopedAuthorizeHandler");async function Qi(e,t){try{let r=await Ti(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Lt(r)}catch(r){return Bp(t,r),Gi(e,t,r)}}n(Qi,"callbackHandler");async function es(e,t){try{return Ki(await Pi(e))}catch(r){return ee(t,"oauth_dev_login_failed",r),Vr(e,t,r)}}n(es,"devLoginHandler");async function ts(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Ei({request:e,body:e.method==="POST"?await Jr(e):void 0,context:t});return Lt(r)}catch(r){return ee(t,"oauth_setup_failed",r),Gi(e,t,r)}}n(ts,"setupHandler");async function rs(e,t){try{return Response.json(await zi({body:await Jr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return ee(t,"oauth_token_failed",r),Wr(r)}}n(rs,"tokenHandler");async function ns(e,t){try{return await Bi({body:await Jr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_revoke_failed",r),Wr(r)}}n(ns,"revokeHandler");var jp={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},os=Symbol("upstream-request");function Lp(e){let t=e[os];if(!t)throw new D("Upstream request context has not been set");return t}n(Lp,"readUpstreamRequestContext");function Np(e,t){return t.some(r=>r===e)}n(Np,"requestContextMatchesKind");function $p(e){return typeof e=="string"?[e]:e}n($p,"toExpectedKinds");function He(e,t){Object.defineProperty(e,os,{configurable:!0,value:t})}n(He,"setUpstreamRequestContext");function it(e,t){let r=Lp(e),o=$p(t);if(!Np(r.kind,o)){let a=jp[o[0]];throw new D(`${a} request context has not been set`)}return r}n(it,"requireUpstreamRequestContext");function as(e){return y`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(as,"renderBrowserResult");var Gp="text/html; charset=utf-8",Zp="none";function Fp(e){let t=hr(e.host);return Oe({title:e.title,iconHref:t,styles:Ee,headerIcon:jt({iconHref:t,fallbackIconHref:tt}),heading:e.title,subhead:"",body:as({body:e.body,code:e.code??Zp}),footer:""})}n(Fp,"browserResultHtml");function Kp(e,t=200){return new Response(Pe(e),{status:t,headers:{"content-type":Gp,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Kp,"browserResultResponse");function is(e){return Kp(Fp(e))}n(is,"browserConnectionSuccessResponse");function Nt(e,t,r={}){let o=Ln(t);return K({host:e,kind:Jp(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(Nt,"browserConnectionFailureResponse");function Jp(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(Jp,"readCallbackFailureBrowserErrorKind");var Wp=["callback_authorization_code","callback_provider_error","callback_invalid"];function Yr(e){try{return new URL(e.url).pathname}catch{return}}n(Yr,"readBrowserRequestPath");function Vp(e){return"cause"in e?e.cause:void 0}n(Vp,"readErrorCause");function Yp(e){return e.stack?.split(`
|
|
48
|
+
`).slice(1,4).map(t=>t.trim()).join(" | ")}n(Yp,"readFirstStackFrame");function ss(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=Yp(r))}n(ss,"addErrorAttributes");function Xr(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[_];return Sn(t)?t:void 0}n(Xr,"readRuntimeGatewayCode");function cs(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(cs,"readRuntimeErrorExtensionString");function Xp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Xp,"readRuntimeErrorExtensionNumber");function Qp(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),C(t,{eventType:R.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),Nt(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:Yr(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Nt(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:Yr(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(Qp,"requireAuthorizationCallbackRequest");function em(e,t){C(e,{eventType:R.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(em,"emitCallbackReceivedAnalyticsEvent");function tm(e,t){C(e,{eventType:R.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(tm,"emitTokenExchangeSucceededAnalyticsEvent");function rm(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return is({host:qe(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(rm,"buildSuccessfulCallbackResponse");function nm(e){let t={detail:e instanceof Error?e.message:void 0};return ss(t,"error",e),e instanceof Error&&ss(t,"cause",Vp(e)),t}n(nm,"buildTokenExchangeFailureAttributes");function om(e){C(e.context,{eventType:R.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:Xr(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:nm(e.error)})}n(om,"emitTokenExchangeFailedAnalyticsEvent");function am(e){let t=e.error,r=Xr(t),o=Cn(r)?r:"upstream_token_exchange_failed",a={code:o,requestId:e.context.requestId,routePath:Yr(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof g?{httpStatus:Xp(t,Ce),contentType:cs(t,be),upstreamUrl:cs(t,ve)}:{}};return Nt(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:a,upstreamHtml:im(t)})}n(am,"tokenExchangeFailureResponse");function im(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(im,"readUpstreamHtmlError");async function Qr(e,t){let r=it(e,Wp),o=qe(e.url),a=Qp(e,t,r,o);if(a instanceof Response)return a;em(t,a);try{let i=await wa({request:e,callbackRequest:a});return tm(t,i),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:i.upstreamServerId,operationId:i.operationId,authProfileId:i.authProfileId,ownerMode:i.ownerMode},"Upstream OAuth token exchange completed; user connection established"),rm(e,i)}catch(i){let s={event:"upstream_oauth_token_exchange_failed",code:Xr(i)??"upstream_token_exchange_failed",upstreamServerId:a.upstreamServerId};return V(s,"error",i),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),om({context:t,callbackRequest:a,error:i}),am({request:e,context:t,host:o,callbackRequest:a,error:i})}}n(Qr,"callbackHandler");function sm(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(sm,"clientMetadataProblemDetail");async function ds(e,t){let r=it(e,"connect"),o=await _a({request:e,connectRequest:r});if(C(t,{eventType:R.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let a=await kt({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}n(ds,"connectHandler");async function us(e,t){let r=it(e,"client_metadata");try{let o=ra(e.url,e.headers),a=na(o,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(o){if(!(o instanceof P))throw o;let a=o instanceof Error?o.message:String(o);return t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:a},"Failed to serve OAuth client metadata document for upstream connection"),de.notFound(e,t,{code:"not_found",detail:sm(o)})}}n(us,"oauthClientMetadataHandler");function ce(e){if(typeof e=="string"&&e.length!==0)return e}n(ce,"readOptionalQueryString");function cm(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new D(`Validated path parameter ${t} is missing`);return r}n(cm,"requirePathString");function dm(e){let t=ce(e);return t?pt.parse(t):void 0}n(dm,"readOptionalOperationId");function um(e,t){let r=ce(e);return r?An.parse(r):ht(t,"user-oauth")}n(um,"readOptionalAuthProfileId");function lm(e){let t=dm(e);if(!t)throw new g({message:"operationId query parameter is required.",extensionMembers:{[_]:"invalid_request"}});return t}n(lm,"readRequiredOperationId");function pm(e){let t=eo(ce(e));return t===void 0?{}:{returnTo:t}}n(pm,"readOptionalReturnTo");function mm(e){let t=ce(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(mm,"readOptionalProviderErrorDescription");function fm(e){let t=G(e.authMode);if(t.connectSupport!=="none")return e;throw new g({message:t.connectUnsupportedDetail??"This upstream does not support browser connection flows.",extensionMembers:{[_]:"invalid_request"}})}n(fm,"requireConnectableRouteAuth");function hm(e,t,r,o){return{kind:"connect",...Te(e,t.subjectId),...o===void 0?{}:{returnTo:o},redirect:r}}n(hm,"buildConnectContextForUser");function gm(e,t,r){let o=wt(t),a=G(e.authMode);if(o.mode!==a.ownerMode)throw new g({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[_]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(gm,"buildConnectContextForTicket");async function ym(e,t){let r=fm(Pt(t,lm(e.query.operationId))),o=e.query.redirect==="true",a=ce(e.query.browserTicket);if(e.user){if(a)throw new g({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[_]:"invalid_request"}});let s=Ie(e.user,e.url);return hm(r,s,o,pm(e.query.returnTo).returnTo)}if(!a)throw new g({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[_]:"authentication_required"}});let i=await Xo(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.operationId!==r.operationId)throw new g({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[_]:"oauth_callback_mismatch"}});return await Qo(i),gm(r,i,o)}n(ym,"resolveConnectContext");async function _m(e,t,r){let o=xn.parse(cm(e,"connection"));switch(r){case"connect":He(e,await ym(e,o));return;case"callback":{let a=ce(e.query.error);if(a){He(e,{kind:"callback_provider_error",upstreamServerId:o,error:a,...mm(e)});return}let i=ce(e.query.code),s=ce(e.query.state);if(i&&s){He(e,{kind:"callback_authorization_code",upstreamServerId:o,code:i,state:s});return}He(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":He(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:um(e.query.authProfileId,o)});return}}n(_m,"resolveUpstreamRequestInbound");async function wm(e,t,r){try{await _m(e,t,r);return}catch(o){let a=o instanceof g?o.extensionMembers?.[_]:void 0,i=o instanceof Error?o.message:void 0;switch(a){case"invalid_request":case"oauth_callback_mismatch":return de.badRequest(e,t,{code:a,detail:i});case"authentication_required":return de.unauthorized(e,t,{code:a,detail:i});default:throw o}}}n(wm,"applyUpstreamRequestContext");function $t(e,t){return n(async(o,a)=>{let i=await wm(o,a,e);return i||t(o,a)},"wrapped")}n($t,"withUpstreamRequestContext");var Rm={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function bm(){return new Response(null,{status:204,headers:Rm})}n(bm,"buildWellKnownPreflightResponse");function Sm(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(Sm,"withWellKnownCorsHeaders");function en(e){return async(t,r)=>t.method==="OPTIONS"?bm():Sm(await e(t,r))}n(en,"wrapWellKnownHandler");var ms=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:en(Ji),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:en(Wi),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:en(Xn),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Vi},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Yi},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:Xi},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Qi},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:es},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:ts},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:rs},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:ns},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:$t("client_metadata",us)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:$t("connect",ds)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:$t("callback",Qr)}],Cm=ms.filter(e=>!e.routeName.startsWith("upstream_")),vm=ms.filter(e=>e.routeName.startsWith("upstream_"));function fs(e){return e?.some(Rn)??!1}n(fs,"hasMcpOAuthRuntimeConfigPolicy");function hs(e){return e?.some(t=>On(t.policyType))??!1}n(hs,"hasMcpTokenExchangePolicy");function gs(e){return fs(e)||hs(e)}n(gs,"shouldRegisterMcpGatewayInternalRoutes");function Im(e){Dn(qn({routes:e.routes,policies:e.policies}))}n(Im,"initializeMcpGatewayConnectionRegistry");function xm(e){let t=bn(e.policies);if(!t){let r=[...wn].map(o=>`\`${o}\``).join(", ");throw new P(`MCP gateway: could not find an MCP authorization policy in policies.json. Add one of [${r}] and reference it on your MCP routes.`)}return t.config}n(xm,"initializeMcpGatewayOAuthRuntimeConfig");function ls(e,t,r){return async(o,a)=>{r&&yn(a,r());let i=o.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,a);return i||a.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(ls,"wrapInternalHandler");function ps(e,t,r){e.addPluginRoute({path:t.path,methods:t.methods,handler:r,processors:[cn],corsPolicy:t.corsPolicy??"none"})}n(ps,"addInternalRoute");function ys(e,t){Im(t);let r=fs(t.policies),o=hs(t.policies),a,i=n(()=>(a===void 0&&(a=xm(t)),a),"readOAuthConfig");if(r)for(let s of Cm)ps(e,s,ls(s.routeName,s.handler,i));if(o)for(let s of vm)ps(e,s,ls(s.routeName,s.handler))}n(ys,"registerMcpGatewayInternalRoutes");function _s(e){Mn(e)}n(_s,"configureLazyMcpGatewayState");var tn=class extends an{static{n(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!gs(r.policies))return;let o={routes:r.routes,policies:r.policies};_s(o),ys(t.router,o)}};var Am=new TextDecoder;function Um(e){if(e)try{return JSON.parse(Am.decode(e))}catch{return}}n(Um,"readBodyJson");function te(e){return e&&typeof e=="object"?e:void 0}n(te,"readRecord");function st(e,t){let r=te(e)?.[t];return typeof r=="string"?r:void 0}n(st,"readStringProperty");function Rs(e,t){let r=te(e)?.[t];return typeof r=="number"?r:void 0}n(Rs,"readNumberProperty");function ws(e,t){return Rs(e,"code")??(t.status>=400?t.status:void 0)}n(ws,"readErrorCode");function bs(e){return Array.isArray(e)?e.map(bs).find(t=>t?.method):te(e)}n(bs,"readJsonRpcMessage");function Ss(e){let t=bs(Um(e)),r=typeof t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:st(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:st(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let a=st(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:a,resourceUri:a}}default:return null}}n(Ss,"buildBaseCapabilityInput");function Cs(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(Cs,"isCapabilityListMethod");function km(e,t,r){let i=te(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(i)?i.length:void 0}n(km,"readItemCount");async function Tm(e){try{return await e.clone().json()}catch{return}}n(Tm,"readResponseJson");function vs(e){let t=Ss(e);return!t||Cs(t.mcpMethod)?null:{eventType:R.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(vs,"buildCapabilityInvokedAnalyticsInput");async function Is(e,t){let r=Ss(e);if(!r)return null;let o=te(await Tm(t)),a=te(o?.error),i=te(a?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&te(s)?.isError===!0;if(te(i?.connectRequired))return{eventType:R.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:Rs(a,"code"),mcpErrorType:st(a,"message")};if(Cs(r.mcpMethod)){let l=t.status>=400?void 0:km(r.mcpMethod,r.capabilityType,s);return{eventType:R.MCP_CAPABILITY_LISTED,outcome:t.status>=400||a?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||a?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:ws(a,t)}:{},...l===void 0?{}:{attributes:{itemCount:l}}}}return t.status>=400||a?{eventType:R.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:ws(a,t),mcpErrorType:st(a,"message")}:{eventType:R.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(Is,"buildCapabilityFinalAnalyticsInput");var Pm={Allow:"POST"};async function Em(e){try{return await e.clone().arrayBuffer()}catch{return}}n(Em,"readRequestBody");function xs(e){try{let t=Hn(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(xs,"readRouteAnalyticsFields");function As(e){return Qn(e.user,e.url,e.headers)?.subjectId}n(As,"readRequestSubjectId");function Om(e){let t=vs(e.requestBody);t&&C(e.context,{...t,...xs(e.context),httpMethod:e.request.method,subjectId:As(e.request),transport:"http"})}n(Om,"emitCapabilityInvokedAnalytics");async function qm(e){let t=await Is(e.requestBody,e.response);t&&C(e.context,{...t,...xs(e.context),httpMethod:e.request.method,subjectId:As(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(qm,"emitCapabilityFinalAnalytics");async function Mm(e,t){if(e.method==="GET")return de.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. Server-sent event GET streams are not supported."},Pm);let r=Date.now(),o=await Em(e);Om({context:t,request:e,requestBody:o});let a=await hn(e,t);return await qm({context:t,request:e,requestBody:o,response:a,startedAt:r}),a}n(Mm,"McpProxyHandler");export{Es as McpAuth0OAuthInboundPolicy,er as McpCapabilityFilterInboundPolicy,tn as McpGatewayPlugin,Ps as McpOAuthInboundPolicy,Mm as McpProxyHandler,Ar as McpTokenExchangeInboundPolicy};
|
|
49
49
|
//# sourceMappingURL=index.js.map
|