@zuplo/runtime 6.70.48 → 6.70.49

@@ -22,10 +22,10 @@
22
22
  * DEALINGS IN THE SOFTWARE.
23
23
  *--------------------------------------------------------------------------------------------*/
24
24
 
25
- import{$ as V,A as An,Aa as ro,B as Un,Ba as no,C as kn,Ca as oo,D as ht,Da as io,E as Tn,Ea as ao,F as Pn,Fa as so,G as En,Ga as b,H as On,Ha as v,I as qn,Ia as Y,J as Mn,Ja as I,K as N,Ka as co,L as Dn,La as xs,M as zn,Ma as uo,N as R,Na as lo,O as J,Oa as Rt,P as U,Pa as po,Q as Hn,Qa as mo,R as W,Sa as fo,T as Bn,Ta as ho,U as jn,Ua as bt,V as le,W as _,X as Ln,Y as Nn,Z as Gn,_ as gt,a as hn,aa as Zt,b as ue,ba as Ft,c as gn,ca as $n,d as B,da as Zn,e as yn,ea as Kt,f as Is,fa as Jt,g as _n,ga as Fn,h as wn,ha as P,i as Rn,ia as Kn,j as y,ja as Jn,k as be,ka as Wn,l as Se,la as Vn,m as ve,ma as Wt,n as Ce,na as Yn,o as bn,oa as Vt,p as Sn,pa as Yt,q as j,qa as yt,r as vn,ra as Ie,s as Cn,sa as Xn,t as In,ta as Qn,u as pt,ua as _t,v as xn,va as eo,w as $t,wa as Xt,x as mt,xa as to,y as ft,ya as je,z as Be,za as wt}from"../chunk-WU5PDK6Z.js";import{J as cn,L as u,M as dn,N as Gt,O as K,Q as un,S as h,T as re,U as lt,_ as ln,a as dt,ca as pn,da as mn,ea as d,fa as H,j as de,k as on,m as an,ma as fn,q as sn,s as ut}from"../chunk-J7JE2DD5.js";import"../chunk-JRXZBVXH.js";import{a as w}from"../chunk-4SACVMDH.js";import{$ as M,a as n,aa as g,ba as T,ca as nn,da as ct}from"../chunk-ZIKV2LUM.js";H();function As(e){let t=ft.safeParse(e);return t.success?t.data.id:void 0}n(As,"parseJsonRpcRequestId");function go(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return As(t)}catch{return}}n(go,"readJsonRpcRequestIdFromBody");function St(e){return An.parse({jsonrpc:mt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(St,"jsonRpcErrorResponse");function yo(e){return new kn([Un.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(yo,"urlElicitationRequiredError");var 
vt=d.record(d.string(),d.unknown()),Us=d.record(d.string(),d.unknown()),ks=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Us.optional(),_meta:vt.optional()}).strict(),Ts=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:vt.optional()}).strict(),Ps=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:vt.optional()}).strict(),Es=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:vt.optional()}).strict(),Os=d.array(d.union([d.string(),ks])),qs=d.array(d.union([d.string(),Ts])),Ms=d.array(d.union([d.string(),Ps])),Ds=d.array(d.union([d.string(),Es])),zs=d.object({tools:Os.optional(),prompts:qs.optional(),resources:Ms.optional(),resourceTemplates:Ds.optional()}).strict(),er=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function Hs(e,t){return yn(zs,e,`MCP capability filter policy "${t}"`)}n(Hs,"parseMcpCapabilityFilterOptions");function E(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(E,"isRecord");function Bs(e,t){if(!E(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Bs,"readParamString");function tr(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(tr,"readRequestId");function bo(e){return e===void 
0?void 0:JSON.stringify(e)}n(bo,"requestIdKey");function js(e){let t={};for(let r of er){let o=e[r.option];if(o===void 0)continue;let i=new Map;for(let a of o){let s=$s(a,r.itemProperty);s!==void 0&&i.set(s.key,s)}t[r.option]=i}return t}n(js,"buildProjectionMaps");function rr(e){return er.find(t=>t.listMethod===e)}n(rr,"findListRule");function Ls(e){return e.requests.some(t=>{if(!E(t))return!1;let r=rr(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(Ls,"shouldFilterListResponses");function Ns(e){for(let t of er){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let i=Bs(e.request.params,o.paramProperty);if(i!==void 0&&!r.has(i))return{id:tr(e.request)}}}}n(Ns,"findDisallowedDirectAccess");function Gs(e){return Response.json(St({id:e,error:{code:Be.MethodNotFound,message:"Method not found"}}))}n(Gs,"methodNotFoundResponse");function $s(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!E(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n($s,"buildProjection");function _o(e){let t=e.base[e.property],r=e.overlay[e.property];return E(r)?E(t)?{...t,...r}:r:t}n(_o,"mergeRecordProperty");function Zs(e,t){let r={...e,...t.overlay},o=_o({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let i=_o({base:e,overlay:t.overlay,property:"_meta"});return i!==void 0&&(r._meta=i),r}n(Zs,"applyProjection");function wo(e,t,r){if(!E(e))return e;let o=e.result;if(!E(o))return e;let i=o[t.resultProperty];return!Array.isArray(i)||!i.every(a=>E(a)&&typeof a[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:i.flatMap(a=>{if(!E(a))return[];let s=a[t.itemProperty];if(typeof s!="string")return[];let c=r.get(s);return c===void 0?[]:[Zs(a,c)]})}}}n(wo,"filterAndProjectItems");function Fs(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!E(r))continue;let o=rr(r.method),i=tr(r),a=bo(i);o!==void 0&&a!==void 
0&&t.set(a,o)}return t}n(Fs,"buildListRulesByResponseId");function Ks(e){if(Array.isArray(e.responseBody)){let o=Fs(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(i=>{if(!E(i)||"error"in i)return i;let a=bo(tr(i)),s=a===void 0?void 0:o.get(a),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?i:wo(i,s,c)})}if(!E(e.requestBody)||!E(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=rr(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:wo(e.responseBody,t,r)}n(Ks,"filterJsonRpcResponse");async function Ro(e){return e.clone().json()}n(Ro,"readJson");function Js(e){return e.headers.get("content-type")?.includes("json")??!1}n(Js,"isJsonResponse");var Qt=class extends ut{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=Hs(t,r);super(o,r),this.#e=js(o)}async handler(t,r){dt("policy.inbound.mcp-capability-filter");let o;try{o=await Ro(t)}catch{return t}let i=Array.isArray(o)?o:[o];for(let a of i){if(!E(a))continue;let s=Ns({request:a,projectionMaps:this.#e});if(s!==void 0)return Gs(s.id)}return Ls({requests:i,projectionMaps:this.#e})&&r.addResponseSendingHook(async a=>{if(!Js(a))return a;let s;try{s=await Ro(a)}catch{return a}let c=Ks({requestBody:o,responseBody:s,projectionMaps:this.#e});if(c===s)return a;let l=new Headers(a.headers);return l.delete("content-length"),new Response(JSON.stringify(c),{status:a.status,statusText:a.statusText,headers:l})}),t}};var nr;nr=globalThis.crypto;async function Ws(e){return(await nr).getRandomValues(new Uint8Array(e))}n(Ws,"getRandomValues");async function Vs(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let i=await Ws(e-o.length);for(let a of i)a<r&&(o+=t[a%t.length])}return o}n(Vs,"random");async function Ys(e){return await Vs(e)}n(Ys,"generateVerifier");async function Xs(e){let 
t=await(await nr).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(Xs,"generateChallenge");async function or(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await Ys(e),r=await Xs(t);return{code_verifier:t,code_challenge:r}}n(or,"pkceChallenge");H();var k=dn().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:pn.custom,message:"URL must be parseable",fatal:!0}),cn}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),Ct=lt({resource:u().url(),authorization_servers:h(k).optional(),jwks_uri:u().url().optional(),scopes_supported:h(u()).optional(),bearer_methods_supported:h(u()).optional(),resource_signing_alg_values_supported:h(u()).optional(),resource_name:u().optional(),resource_documentation:u().optional(),resource_policy_uri:u().url().optional(),resource_tos_uri:u().url().optional(),tls_client_certificate_bound_access_tokens:K().optional(),authorization_details_types_supported:h(u()).optional(),dpop_signing_alg_values_supported:h(u()).optional(),dpop_bound_access_tokens_required:K().optional()}),Le=lt({issuer:u(),authorization_endpoint:k,token_endpoint:k,registration_endpoint:k.optional(),scopes_supported:h(u()).optional(),response_types_supported:h(u()),response_modes_supported:h(u()).optional(),grant_types_supported:h(u()).optional(),token_endpoint_auth_methods_supported:h(u()).optional(),token_endpoint_auth_signing_alg_values_supported:h(u()).optional(),service_documentation:k.optional(),revocation_endpoint:k.optional(),revocation_endpoint_auth_methods_supported:h(u()).optional(),revocation_endpoint_auth_signing_alg_values_supported:h(u()).optional(),introspection_endpoint:u().optional(),introspection_endpoint_auth_methods_supported:h(u()).optional(),introspection_
endpoint_auth_signing_alg_values_supported:h(u()).optional(),code_challenge_methods_supported:h(u()).optional(),client_id_metadata_document_supported:K().optional()}),Qs=lt({issuer:u(),authorization_endpoint:k,token_endpoint:k,userinfo_endpoint:k.optional(),jwks_uri:k,registration_endpoint:k.optional(),scopes_supported:h(u()).optional(),response_types_supported:h(u()),response_modes_supported:h(u()).optional(),grant_types_supported:h(u()).optional(),acr_values_supported:h(u()).optional(),subject_types_supported:h(u()),id_token_signing_alg_values_supported:h(u()),id_token_encryption_alg_values_supported:h(u()).optional(),id_token_encryption_enc_values_supported:h(u()).optional(),userinfo_signing_alg_values_supported:h(u()).optional(),userinfo_encryption_alg_values_supported:h(u()).optional(),userinfo_encryption_enc_values_supported:h(u()).optional(),request_object_signing_alg_values_supported:h(u()).optional(),request_object_encryption_alg_values_supported:h(u()).optional(),request_object_encryption_enc_values_supported:h(u()).optional(),token_endpoint_auth_methods_supported:h(u()).optional(),token_endpoint_auth_signing_alg_values_supported:h(u()).optional(),display_values_supported:h(u()).optional(),claim_types_supported:h(u()).optional(),claims_supported:h(u()).optional(),service_documentation:u().optional(),claims_locales_supported:h(u()).optional(),ui_locales_supported:h(u()).optional(),claims_parameter_supported:K().optional(),request_parameter_supported:K().optional(),request_uri_parameter_supported:K().optional(),require_request_uri_registration:K().optional(),op_policy_uri:k.optional(),op_tos_uri:k.optional(),client_id_metadata_document_supported:K().optional()}),It=re({...Qs.shape,...Le.pick({code_challenge_methods_supported:!0}).shape}),xe=re({access_token:u(),id_token:u().optional(),token_type:u(),expires_in:mn.number().optional(),scope:u().optional(),refresh_token:u().optional()}).strip(),vo=re({error:u(),error_description:u().optional(),error_uri:u().opt
ional()}),So=k.optional().or(ln("").transform(()=>{})),ec=re({redirect_uris:h(k),token_endpoint_auth_method:u().optional(),grant_types:h(u()).optional(),response_types:h(u()).optional(),client_name:u().optional(),client_uri:k.optional(),logo_uri:So,scope:u().optional(),contacts:h(u()).optional(),tos_uri:So,policy_uri:u().optional(),jwks_uri:k.optional(),jwks:un().optional(),software_id:u().optional(),software_version:u().optional(),software_statement:u().optional()}).strip(),ir=re({client_id:u(),client_secret:u().optional(),client_id_issued_at:Gt().optional(),client_secret_expires_at:Gt().optional()}).strip(),Ne=ec.merge(ir),Mm=re({error:u(),error_description:u().optional()}).strip(),Dm=re({token:u(),token_type_hint:u().optional()}).strip();function Co(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(Co,"resourceUrlFromServerUrl");function Io({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let i=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",a=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return i.startsWith(a)}n(Io,"checkResourceAllowed");var x=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Ge=class extends x{static{n(this,"InvalidRequestError")}};Ge.errorCode="invalid_request";var pe=class extends x{static{n(this,"InvalidClientError")}};pe.errorCode="invalid_client";var me=class extends x{static{n(this,"InvalidGrantError")}};me.errorCode="invalid_grant";var fe=class extends x{static{n(this,"UnauthorizedClientError")}};fe.errorCode="unauthorized_client";var $e=class extends 
x{static{n(this,"UnsupportedGrantTypeError")}};$e.errorCode="unsupported_grant_type";var Ze=class extends x{static{n(this,"InvalidScopeError")}};Ze.errorCode="invalid_scope";var Fe=class extends x{static{n(this,"AccessDeniedError")}};Fe.errorCode="access_denied";var X=class extends x{static{n(this,"ServerError")}};X.errorCode="server_error";var Ke=class extends x{static{n(this,"TemporarilyUnavailableError")}};Ke.errorCode="temporarily_unavailable";var Je=class extends x{static{n(this,"UnsupportedResponseTypeError")}};Je.errorCode="unsupported_response_type";var We=class extends x{static{n(this,"UnsupportedTokenTypeError")}};We.errorCode="unsupported_token_type";var Ve=class extends x{static{n(this,"InvalidTokenError")}};Ve.errorCode="invalid_token";var Ye=class extends x{static{n(this,"MethodNotAllowedError")}};Ye.errorCode="method_not_allowed";var Xe=class extends x{static{n(this,"TooManyRequestsError")}};Xe.errorCode="too_many_requests";var he=class extends x{static{n(this,"InvalidClientMetadataError")}};he.errorCode="invalid_client_metadata";var Qe=class extends x{static{n(this,"InsufficientScopeError")}};Qe.errorCode="insufficient_scope";var et=class extends x{static{n(this,"InvalidTargetError")}};et.errorCode="invalid_target";var xo={[Ge.errorCode]:Ge,[pe.errorCode]:pe,[me.errorCode]:me,[fe.errorCode]:fe,[$e.errorCode]:$e,[Ze.errorCode]:Ze,[Fe.errorCode]:Fe,[X.errorCode]:X,[Ke.errorCode]:Ke,[Je.errorCode]:Je,[We.errorCode]:We,[Ve.errorCode]:Ve,[Ye.errorCode]:Ye,[Xe.errorCode]:Xe,[he.errorCode]:he,[Qe.errorCode]:Qe,[et.errorCode]:et};function tc(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(tc,"isClientAuthMethod");var ar="code",sr="S256";function rc(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in 
e&&e.token_endpoint_auth_method&&tc(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(rc,"selectClientAuthMethod");function nc(e,t,r,o){let{client_id:i,client_secret:a}=t;switch(e){case"client_secret_basic":oc(i,a,r);return;case"client_secret_post":ic(i,a,o);return;case"none":ac(i,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(nc,"applyClientAuthentication");function oc(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(oc,"applyBasicAuth");function ic(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(ic,"applyPostAuth");function ac(e,t){t.set("client_id",e)}n(ac,"applyPublicAuth");async function Uo(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=vo.parse(JSON.parse(r)),{error:i,error_description:a,error_uri:s}=o,c=xo[i]||X;return new c(a||"",s)}catch(o){let i=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. 
Raw body: ${r}`;return new X(i)}}n(Uo,"parseErrorResponse");async function ur(e,t){try{return await cr(e,t)}catch(r){if(r instanceof pe||r instanceof fe)return await e.invalidateCredentials?.("all"),await cr(e,t);if(r instanceof me)return await e.invalidateCredentials?.("tokens"),await cr(e,t);throw r}}n(ur,"auth");async function cr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:i,fetchFn:a}){let s=await e.discoveryState?.(),c,l,m,f=i;if(!f&&s?.resourceMetadataUrl&&(f=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(l=s.authorizationServerUrl,c=s.resourceMetadata,m=s.authorizationServerMetadata??await Po(l,{fetchFn:a}),!c)try{c=await To(t,{resourceMetadataUrl:f},a)}catch{}(m!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}else{let q=await pc(t,{resourceMetadataUrl:f,fetchFn:a});l=q.authorizationServerUrl,m=q.authorizationServerMetadata,c=q.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}let A=await sc(t,e,c),C=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,L=await Promise.resolve(e.clientInformation());if(!L){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let q=m?.client_id_metadata_document_supported===!0,He=e.clientMetadataUrl;if(He&&!lr(He))throw new he(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${He}`);if(q&&He)L={client_id:He},await e.saveClientInformation?.(L);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let rn=await yc(l,{metadata:m,clientMetadata:e.clientMetadata,scope:C,fetchFn:a});await e.saveClientInformation(rn),L=rn}}let Re=!e.redirectUrl;if(r!==void 0||Re){let q=await 
gc(e,l,{metadata:m,resource:A,authorizationCode:r,fetchFn:a});return await e.saveTokens(q),"AUTHORIZED"}let tn=await e.tokens();if(tn?.refresh_token)try{let q=await hc(l,{metadata:m,clientInformation:L,refreshToken:tn.refresh_token,resource:A,addClientAuthentication:e.addClientAuthentication,fetchFn:a});return await e.saveTokens(q),"AUTHORIZED"}catch(q){if(!(!(q instanceof x)||q instanceof X))throw q}let Ss=e.state?await e.state():void 0,{authorizationUrl:vs,codeVerifier:Cs}=await mc(l,{metadata:m,clientInformation:L,state:Ss,redirectUrl:e.redirectUrl,scope:C,resource:A});return await e.saveCodeVerifier(Cs),await e.redirectToAuthorization(vs),"REDIRECT"}n(cr,"authInternal");function lr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(lr,"isHttpsUrl");async function sc(e,t,r){let o=Co(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!Io({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(sc,"selectResourceURL");function ko(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let i=dr(e,"resource_metadata")||void 0,a;if(i)try{a=new URL(i)}catch{}let s=dr(e,"scope")||void 0,c=dr(e,"error")||void 0;return{resourceMetadataUrl:a,scope:s,error:c}}n(ko,"extractWWWAuthenticateParams");function dr(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),i=r.match(o);return i?i[1]||i[2]:null}n(dr,"extractFieldFromWwwAuth");async function To(e,t,r=fetch){let o=await uc(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await 
o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return Ct.parse(await o.json())}n(To,"discoverOAuthProtectedResourceMetadata");async function pr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?pr(e,void 0,r):void 0;throw o}}n(pr,"fetchWithCorsRetry");function cc(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(cc,"buildWellKnownPath");async function Ao(e,t,r=fetch){return await pr(e,{"MCP-Protocol-Version":t},r)}n(Ao,"tryMetadataDiscovery");function dc(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(dc,"shouldAttemptFallback");async function uc(e,t,r,o){let i=new URL(e),a=o?.protocolVersion??$t,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let l=cc(t,i.pathname);s=new URL(l,o?.metadataServerUrl??i),s.search=i.search}let c=await Ao(s,a,r);if(!o?.metadataUrl&&dc(c,i.pathname)){let l=new URL(`/.well-known/${t}`,i);c=await Ao(l,a,r)}return c}n(uc,"discoverMetadataWithFallback");function lc(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let i=t.pathname;return i.endsWith("/")&&(i=i.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${i}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${i}`,t.origin),type:"oidc"}),o.push({url:new URL(`${i}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(lc,"buildDiscoveryUrls");async function Po(e,{fetchFn:t=fetch,protocolVersion:r=$t}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},i=lc(e);for(let{url:a,type:s}of i){let c=await pr(a,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load 
${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${a}`)}return s==="oauth"?Le.parse(await c.json()):It.parse(await c.json())}}}n(Po,"discoverAuthorizationServerMetadata");async function pc(e,t){let r,o;try{r=await To(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let i=await Po(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:i,resourceMetadata:r}}n(pc,"discoverOAuthServerInfo");async function mc(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:i,state:a,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(ar))throw new Error(`Incompatible auth server: does not support response type ${ar}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(sr))throw new Error(`Incompatible auth server: does not support code challenge method ${sr}`)}else c=new URL("/authorize",e);let l=await or(),m=l.code_verifier,f=l.code_challenge;return c.searchParams.set("response_type",ar),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",f),c.searchParams.set("code_challenge_method",sr),c.searchParams.set("redirect_uri",String(o)),a&&c.searchParams.set("state",a),i&&c.searchParams.set("scope",i),i?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:m}}n(mc,"startAuthorization");function fc(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(fc,"prepareAuthorizationCodeRequest");async function Eo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:i,resource:a,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),l=new 
Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(a&&r.set("resource",a.href),i)await i(l,r,c,t);else if(o){let f=t?.token_endpoint_auth_methods_supported??[],A=rc(o,f);nc(A,o,l,r)}let m=await(s??fetch)(c,{method:"POST",headers:l,body:r});if(!m.ok)throw await Uo(m);return xe.parse(await m.json())}n(Eo,"executeTokenRequest");async function hc(e,{metadata:t,clientInformation:r,refreshToken:o,resource:i,addClientAuthentication:a,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),l=await Eo(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:a,resource:i,fetchFn:s});return{refresh_token:o,...l}}n(hc,"refreshAuthorization");async function gc(e,t,{metadata:r,resource:o,authorizationCode:i,fetchFn:a}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!i)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let m=await e.codeVerifier();c=fc(i,m,e.redirectUrl)}let l=await e.clientInformation();return Eo(t,{metadata:r,tokenRequestParams:c,clientInformation:l??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:a})}n(gc,"fetchToken");async function yc(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:i}){let a;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");a=new URL(t.registration_endpoint)}else a=new URL("/register",e);let s=await(i??fetch)(a,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await Uo(s);return Ne.parse(await s.json())}n(yc,"registerClient");var mr="zuplo.com",_c=new 
Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),wc=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function Oo(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(Oo,"s2FaviconHref");function Rc(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(Rc,"strictFaviconHref");var xt=Oo(mr);function fr(e){let t=e.toLowerCase();return t===mr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?Oo(mr):Rc(e)}n(fr,"resolveIconHref");function bc(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(bc,"hostnameFromHost");function Sc(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Sc,"isLocalOrAddressHost");function vc(e){let t=bc(e).toLowerCase().replace(/\.$/,"");if(Sc(t)||wc.some(a=>t===a.slice(1)||t.endsWith(a)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),i=_c.has(o)?3:2;return r.slice(-i).join(".")}n(vc,"inferFaviconDomain");function hr(e){return{src:fr(vc(e)),mimeType:"image/png",sizes:["128x128"]}}n(hr,"resolveMcpFaviconIcon");function At(e){try{return hr(new URL(e).host)}catch{return}}n(At,"resolveMcpFaviconIconFromUrl");function ne(e){let t=N().connectionsById.get(e);if(!t)throw new T(`Unknown upstream server "${e}". 
Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(ne,"getUpstreamServerConfig");function Cc(e){let t=N().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new T(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(Cc,"resolveUpstreamAuthProfileId");function gr(e){Cc(e);let t=N().connectionsById.get(e.upstreamServerId);if(!t)throw new T(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(gr,"getUpstreamAuthConfig");function ge(e,t){let r=gr({upstreamServerId:e,authProfileId:t});if(!Pn(r))throw new T(`Upstream server "${e}" does not use upstream OAuth. 
Select an auth mode that supports the requested upstream connect flow or remove the upstream OAuth route for this server.`);return r.oauth}n(ge,"requireUpstreamOAuthConfig");var Ic={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"}};function G(e){return Ic[e]}n(G,"describeUpstreamAuthMode");function Ut(e){return G(e).ownerMode}n(Ut,"resolveOwnerModeForUpstreamAuthMode");H();import{errors as Lo,jwtVerify as No,SignJWT as Go}from"jose";var O="zuplo-mcp-gateway",D=O,z="HS256";import{base64url as xc}from"jose";var Ac=new TextEncoder,Uc="MCP gateway could not initialize secure key material.",kc=32,qo=new Map,Mo=new Map,Tc;function Pc(){return Tc??nn.instance.authPrivateKey}n(Pc,"readAuthPrivateKey");function Do(e){return new M(Uc,e===void 0?void 0:{cause:e})}n(Do,"createGeneratedKeyMaterialError");function zo(e,t){let r=xc.decode(t);if(r.byteLength!==kc)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(zo,"decodeJwkKeyField");function Ec(e){let t=Pc();if(!t)throw Do();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=zo("d",r.d);zo("x",r.x);let i=Ac.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),a=new Uint8Array(i.byteLength+o.byteLength);return a.set(i),a.set(o,i.byteLength),a}catch(r){throw Do(r)}}n(Ec,"decodeGeneratedKeyMaterial");function Oc(e){let t=qo.get(e);return t||(t=Ec(e),qo.set(e,t)),t}n(Oc,"getMasterKeyMaterial");async function $(e){let t=Mo.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(Oc(e.keyMaterialPurpose));return 
Mo.set(e.purpose,r),r}n($,"readCachedDerivedKey");var qc="SHA-256";var Mc="zuplo-mcp-gateway:",Dc=new TextEncoder,Ho=new WeakMap;async function oe(e,t){let r=Ho.get(e);r||(r=new Map,Ho.set(e,r));let o=r.get(t);if(o)return o;let i=await zc(e,t);return r.set(t,i),i}n(oe,"deriveGatewaySigningKey");async function zc(e,t){let r=Bo(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),i=Dc.encode(`${Mc}${t}`),a=await crypto.subtle.deriveBits({name:"HKDF",hash:qc,salt:new Uint8Array,info:Bo(i)},o,32*8);return new Uint8Array(a)}n(zc,"hkdfExpand");function Bo(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Bo,"copyToArrayBuffer");var $o=15*60,Hc=15*60,Bc=to.extend({id:ro}),jc=Bc.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Zo=Xt.extend({id:no,purpose:d.literal("browser_connect")}),Lc=Xt.extend({purpose:d.literal("browser_connect")}),Nc=Zo.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Fo=$o*1e3;async function Ko(){return $({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"oauth-state"),"derive")})}n(Ko,"getOAuthStateKey");async function Jo(){return $({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-connect"),"derive")})}n(Jo,"getBrowserConnectKey");async function Wo(e){let t=Math.floor(Date.now()/1e3)+$o;return new Go(e).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(t).sign(await Ko())}n(Wo,"signOAuthState");async function kt(e){try{let{payload:t}=await No(e,await Ko(),{algorithms:[z],issuer:O,audience:D});return jc.parse(t)}catch(t){throw t instanceof Lo.JWTExpired?new g({message:"OAuth state has expired",extensionMembers:{[y]:"oauth_state_expired"}},{cause:t}):new g({message:"OAuth state could not be verified",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:t})}}n(kt,"verifyOAuthState");async function Vo(e){let 
t=Math.floor(Date.now()/1e3)+Hc,r=Lc.parse(e),o=Zo.parse({...r,id:so()});return new Go(o).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(t).sign(await Jo())}n(Vo,"signBrowserConnectTicket");async function Yo(e){try{let{payload:t}=await No(e,await Jo(),{algorithms:[z],issuer:O,audience:D});return Nc.parse(t)}catch(t){throw t instanceof Lo.JWTExpired?new g({message:"Browser connect ticket has expired",extensionMembers:{[y]:"oauth_state_expired"}},{cause:t}):new g({message:"Browser connect ticket could not be verified",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:t})}}n(Yo,"verifyBrowserConnectTicket");async function Xo(e){if((await b().consumeBrowserConnectTicket({id:e.id,expiresAt:R(new Date(e.exp*1e3)),now:R(new Date)})).kind==="consumed")throw new g({message:"Browser connect ticket has already been used",extensionMembers:{[y]:"oauth_state_reused"}})}n(Xo,"consumeBrowserConnectTicket");function Gc(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Gc,"buildConnectRequiredMessage");async function $c(e){let t=U(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Vo({...je(e),purpose:"browser_connect"})),r.toString()}n($c,"buildGatewayBrowserTicketUrl");function Zc(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}n(Zc,"buildGatewayConnectPath");async function yr(e){return $c({...e,path:Zc(e.upstreamServerId),redirect:!0})}n(yr,"buildGatewayConnectUrl");async function Tt(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 
0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await yr(t),message:Gc(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(Tt,"buildRedirectConnectRequiredResponse");function Qo(e){return Fc({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(Qo,"buildAdminConnectRequiredResponse");function Fc(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(Fc,"buildAdminSetupRequiredResponse");H();function _r(e){return`Zuplo MCP Gateway - ${e}`}n(_r,"buildGatewayOAuthClientName");function ei(e,t,r){let o=new URL(e,U(t,r));return ue(o)&&hn(o.hostname)!=="localhost"&&(o.hostname="localhost"),o.toString()}n(ei,"buildGatewayOAuthRedirectUri");function wr(e){return new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}/${encodeURIComponent(e.authProfileId)}`,e.origin).toString()}n(wr,"buildOAuthClientMetadataDocumentUrl");function ti(e,t){return U(e,t)}n(ti,"requireOAuthClientMetadataOrigin");function ri(e,t,r){let o=ne(t),i=ge(t,r),a={client_id:wr({origin:e,upstreamServerId:t,authProfileId:r}),client_name:_r(o.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(i.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"};return i.scopes.length>0&&(a.scope=i.scopes.join(i.scopeDelimiter)),a}n(ri,"buildOAuthClientMetadataDocument");H();import{base64url as ie}from"jose";var 
Kc="SHA-256",Ue="AES-GCM",Jc=12,br="zuplo-secret",Sr=1,ni="generated:auth_private_key:token-encryption",Wc=d.object({version:d.literal(Sr),keyId:d.literal(ni),algorithm:d.literal(Ue),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function Ae(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Ae,"copyToArrayBuffer");async function Rr(){return $({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(Kc,Ae(e));return crypto.subtle.importKey("raw",t,{name:Ue},!1,["encrypt","decrypt"])},"derive")})}n(Rr,"getEncryptionKey");function oi(e){return Ae(new TextEncoder().encode(`${br}:v${e.version}:${e.keyId}`))}n(oi,"getAssociatedData");function Vc(e){return`${br}:v${e.version}:${ie.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(Vc,"encodeEnvelope");function Yc(e){let t=`${br}:v${Sr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(ie.decode(r));return Wc.parse(JSON.parse(o))}n(Yc,"decodeEnvelope");async function Pt(e){let t=await Rr(),r=crypto.getRandomValues(new Uint8Array(Jc)),o={version:Sr,keyId:ni},i=await crypto.subtle.encrypt({name:Ue,iv:r,additionalData:oi(o)},t,new TextEncoder().encode(e));return Vc({...o,algorithm:Ue,iv:ie.encode(r),ciphertext:ie.encode(new Uint8Array(i))})}n(Pt,"encryptSecret");async function tt(e){let t=Yc(e);if(t){let s=await Rr(),c=await crypto.subtle.decrypt({name:Ue,iv:Ae(ie.decode(t.iv)),additionalData:oi(t)},s,Ae(ie.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new M("Encrypted payload is malformed");let i=await Rr(),a=await crypto.subtle.decrypt({name:Ue,iv:Ae(ie.decode(r))},i,Ae(ie.decode(o)));return new TextDecoder().decode(a)}n(tt,"decryptSecret");var 
Xc=d.union([Ne,ir]),ii=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:Ct.optional(),authorizationServerMetadata:d.union([Le,It]).optional()}).passthrough(),Qc="Bearer",ed="__zuplo_refresh_only_upstream_access_token__",di=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function td(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(td,"splitScopes");function rd(e){let t=new URL(e);for(let r of di){let o=t.searchParams.getAll(r);o.length<=1||(t.searchParams.delete(r),t.searchParams.set(r,o.at(-1)??""))}return t}n(rd,"normalizeDuplicateSingletonAuthorizationRequestParams");function nd(e){if(e?.authorization_endpoint===void 0)return e;let t=new URL(e.authorization_endpoint);for(let r of di)t.searchParams.delete(r);return{...e,authorization_endpoint:t.toString()}}n(nd,"sanitizeAuthorizationServerMetadata");function ui(e){let t=nd(e.authorizationServerMetadata);return t===e.authorizationServerMetadata?e:{...e,authorizationServerMetadata:t}}n(ui,"sanitizeOAuthDiscoveryState");function od(e){return gt.parse(e)}n(od,"parsePkceCodeVerifier");function id(e){if(typeof e.expires_in=="number")return R(new Date(Date.now()+e.expires_in*1e3))}n(id,"readTokenExpiry");async function ai(e){if(e!==void 0)return Pt(JSON.stringify(e))}n(ai,"encryptJson");async function si(e,t){if(!e)return;let r=await tt(e);try{return t.parse(JSON.parse(r))}catch(o){throw new g({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:o})}}n(si,"decryptJson");function ad(e){if(e===void 0)return;e=ui(e);let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 
0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(ad,"toOAuthDiscoveryState");function sd(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(sd,"clientInformationAllowsRedirectUri");function cd(e,t,r){let o=ne(e),i=ge(e,t),a=vr(i.scopes,i.scopeDelimiter);return{client_name:_r(o.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:a,token_endpoint_auth_method:"none"}}n(cd,"buildOAuthClientMetadata");function vr(e,t){return e&&e.length>0?e.join(t):void 0}n(vr,"joinOAuthScopes");function dd(e,t){return t===void 0?e:{...e,scope:t}}n(dd,"applyOAuthClientMetadataScope");function ci(e,t){return vr(e?.resourceMetadata?.scopes_supported,t)}n(ci,"readResourceMetadataScope");function ud(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new T(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. 
Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Ne.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(ud,"buildManualOAuthClientInformation");function ld(e,t,r){let o=wr({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return lr(o)?o:void 0}n(ld,"buildClientMetadataUrl");function li(e){for(let t of e)if(t!==void 0)return t}n(li,"firstDefined");function pd(e){let t=ge(e.target.upstreamServerId,e.target.authProfileId),r=cd(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri),o=vr(t.scopes,t.scopeDelimiter);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:ud({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let i=ld(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return i===void 0?{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:i}}n(pd,"buildInitialOAuthClientSetup");function md(e,t){if(t===void 0)return li([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(md,"readEncryptedClientInformation");function fd(e){return li([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(fd,"readEncryptedDiscoveryState");var 
ye=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=pd({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=md(t,this.configuredClientInformation),this.encryptedDiscoveryState=fd(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return dd(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return Wo({id:t.id,...je({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.encryptedClientInformation=await ai(t),await this.syncPendingState(!1))}async discoveryState(){return this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){let 
r=ui(ii.parse(t));this.cachedDiscoveryState=r,this.discoveryStateLoaded=!0,this.inferredScope=ci(r,this.scopeDelimiter),this.encryptedDiscoveryState=await ai(r),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=xe.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,i=r.refresh_token?await Pt(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:xe.parse({...r,refresh_token:await tt(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let a={id:this.connection?.id??io(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Pt(r.access_token),encryptedRefreshToken:i,scopes:td(r.scope??this.readEffectiveScope()),expiresAt:id(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await b().upsertUpstreamConnection(a)}async redirectToAuthorization(t){let r=rd(t);this.authorizationUrlValue=r.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:od(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new g({message:"OAuth code verifier is missing",extensionMembers:{[y]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",i=t==="all"||t==="discovery",a=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),i&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await 
this.syncPendingState(a),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:ao(),...je({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:R(new Date(Date.now()+Fo)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await b().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await si(this.encryptedClientInformation,Xc)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&!sd(t,this.redirectUriValue)){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return 
this.cachedDiscoveryState;try{this.cachedDiscoveryState=ad(await si(this.encryptedDiscoveryState,ii))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=ci(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await tt(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await tt(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=xe.parse({access_token:t??ed,token_type:Qc,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await 
b().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var hd=3e4,gd=256*1024,yd=2;function _d(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(_d,"hasUsableAccessToken");var wd="does not support dynamic client registration",Rd=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],bd=["HTTP 403 Forbidden","Access Denied","permission to access"];function Sd(e){return e instanceof Error&&e.message.includes(wd)}n(Sd,"isDynamicClientRegistrationUnsupported");function vd(e){return e instanceof Error&&Rd.some(t=>e.message.includes(t))}n(vd,"isProtectedResourceMetadataUnavailable");function Cd(e){return e instanceof Error&&bd.some(t=>e.message.includes(t))}n(Cd,"isUpstreamProviderAccessDenied");function Id(e){if(e.error instanceof g&&e.error.extensionMembers?.[y]!==void 0)return e.error;if(Sd(e.error))return new g({message:`The authorization server for ${e.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[y]:"upstream_client_registration_required"}},{cause:e.error});if(vd(e.error))return new g({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". 
Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[y]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(Cd(e.error))return new g({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[y]:"upstream_provider_access_denied"}},{cause:e.error})}n(Id,"mapUpstreamOAuthSetupError");function xd(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(xd,"readOAuthFetchRequest");function Ad(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(Ad,"responseLooksJson");function Ud(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(Ud,"responseLooksHtml");function kd(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new g({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting ${e.upstreamServerId}.`,extensionMembers:{[y]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[ve]:e.response.status,[be]:r,[Ce]:e.request.url.toString(),[Se]:e.body}})}n(kd,"throwUpstreamHtmlError");function pi(e){return async(t,r)=>{let o=xd(t),i=await mo(t,r,{maxRedirects:yd,maxResponseBytes:gd,problemCode:"upstream_token_exchange_failed",timeoutMs:hd}),a=await i.clone().text();if(!i.ok&&Ud(i,a)&&kd({upstreamServerId:e,request:o,response:i,body:a}),!Ad(i,a))return i;try{JSON.parse(a)}catch(s){throw new g({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned 
invalid JSON.`,extensionMembers:{[y]:"upstream_token_exchange_failed"}},{cause:s})}return i}}n(pi,"createUpstreamOAuthFetch");async function mi(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:pi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await ur(e,r)}catch(r){let o=Id({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(mi,"runUpstreamOAuth");async function Td(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:pi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),ur(e,r)}n(Td,"exchangeUpstreamAuthorizationCode");async function fi(e,t){let r=await mi(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new g({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}}):new g({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}})}n(fi,"requireUpstreamAuthorizationRedirect");async function hi(e){if(!e.forceRefresh&&_d(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await mi(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new g({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new 
g({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Md({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(hi,"authorizeUpstreamOAuthSession");async function Pd(e){let t=await kt(e.stateToken),r=await b().consumeUpstreamOAuthState({id:t.id,now:R(new Date)}),o=Ed(r);return Od({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),qd(o),o}n(Pd,"consumeStoredCallbackState");function Ed(e){switch(e.kind){case"consumed":throw new g({message:"OAuth state has already been used",extensionMembers:{[y]:"oauth_state_reused"}});case"missing":throw new g({message:"OAuth state is missing or expired",extensionMembers:{[y]:"oauth_state_expired"}});case"available":return e.record}}n(Ed,"readConsumedCallbackState");function Od(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new g({message:"OAuth callback did not match the initiating request",extensionMembers:{[y]:"oauth_callback_mismatch"}})}n(Od,"assertStoredCallbackStateMatches");function qd(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new 
g({message:"OAuth state has expired",extensionMembers:{[y]:"oauth_state_expired"}})}n(qd,"assertStoredCallbackStateFresh");async function Md(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),Qo(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Tt(t)}n(Md,"buildOAuthConnectRequiredResponse");async function gi(e){let t=await Pd({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=wt(t),[o]=await b().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),i={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(i.connection=o);let a=new ye(i),s=await Td(a,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new g({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}}):new g({message:`OAuth callback flow did not finish authorization for 
${e.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}})}n(gi,"finishUpstreamOAuthCallback");async function yi(e){let t=ne(e.upstreamServerId),r=ge(e.upstreamServerId,e.authProfileId),o=ei(r.redirectPath,e.request.url,e.request.headers),i="preloadedConnection"in e?e.preloadedConnection:(await b().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:i,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:U(e.request.url,e.request.headers)}}}n(yi,"prepareUpstreamOAuthRequest");async function _i(e){let t=await yi(e),r=new ye({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return fi(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(_i,"startUpstreamConnect");async function wi(e){let t=await yi(e),r=new ye({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return hi({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(wi,"authorizeUpstreamRequest");async function ke(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return wi({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.requestedScope===void 
0?{}:{requestedScope:e.requestedScope},...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}let r=t;throw new M(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(ke,"resolveUpstreamCredentialForRoute");async function Ri(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},o=G(e.connectRequest.authMode);switch(o.connectSupport){case"oauth_authorization":t=await _i(r);break;case"none":throw new M(o.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(Ri,"startUpstreamConnectForRequest");async function bi(e){let r=(await kt(e.callbackRequest.state)).authProfileId,o=gr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(G(o.mode).callbackSupport!=="authorization_code")throw new M(`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return gi({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:ne(e.callbackRequest.upstreamServerId)})}n(bi,"finishUpstreamCallbackForRequest");function Dd(e){let 
t=G(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(Dd,"buildRouteAuthBaseFromConnection");function vi(e){let t=G(e.connection.authMode);return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:ht(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(vi,"buildRouteAuthBaseFromPolicyOptions");function Et(e,t){let o=N().byOperationId.get(t);if(!o)throw new T(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new T(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new T(`MCP route "${t}" does not bind upstream "${e}". 
Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return Dd({connection:o.connection,operationId:t})}n(Et,"resolveRouteAuthBase");function Si(e,t){switch(e){case"user":return _t(t);case"shared":return eo()}}n(Si,"buildOwnerForSubject");function Te(e,t){switch(e.ownerMode){case"shared":return{...e,owner:Si(e.ownerMode,t),initiatedBySubjectId:t};case"user":return{...e,owner:Si(e.ownerMode,t),initiatedBySubjectId:t}}}n(Te,"resolveRouteAuthForSubject");var zd=Be.InvalidRequest,Hd=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function Bd(e,t){return{credentialType:e.type,forceRefresh:t,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}n(Bd,"buildCredentialResolvedAttributes");function jd(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(jd,"connectRequiredReasonCode");function Ci(e){v(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:Bd(e.credential,e.forceRefresh===!0)})}n(Ci,"emitCredentialResolvedAnalyticsEvent");function Ii(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(v(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){v(e.context,{eventType:w.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}v(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:jd(e.payload.state),reasonClass:"auth",attributes:t})}n(Ii,"emitCredentialMissingAnalyticsEvents");function Ld(e){let t=e.route.raw();return 
pt.parse(t?.operationId)}n(Ld,"readOperationId");async function Nd(e,t,r,o){let i=await ke({request:e,routeAuth:t});if(i.kind==="connect_required")return Ii({context:o,payload:i.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:i.payload};let a=i.credential;switch(Ci({context:o,credential:a,routeBinding:t}),a.type){case"none":return{kind:"headers",headers:[]};case"bearer_token":return{kind:"headers",headers:[["authorization",`Bearer ${a.token}`]]};case"headers":return{kind:"headers",headers:Object.entries(a.headers)};case"mcp_oauth_provider":{let s=await a.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}}}n(Nd,"buildCredentialHeaders");var Gd=new Set(["authorization","cookie","cookie2"]);function $d(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n($d,"readJsonRequestMethod");function Zd(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(Zd,"isJsonResponse");function Cr(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(Cr,"isRecord");function Fd(e){return Array.isArray(e)&&e.length>0}n(Fd,"hasIconList");function Kd(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=At(vn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(Kd,"readFallbackServerIcons");function Jd(e){if(!Cr(e.body))return e.body;let t=e.body.result;if(!Cr(t))return 
e.body;let r=t.serverInfo;return!Cr(r)||Fd(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(Jd,"addMissingServerIcons");function Wd(e,t){let r=new Headers(e.headers);for(let o of Gd)r.delete(o);for(let[o,i]of t)r.set(o,i);return new an(e,{headers:r})}n(Wd,"applyUpstreamHeaders");function Vd(e){let t=new Headers(e.headers);for(let r of Hd)t.delete(r);return t}n(Vd,"buildProxyHeaders");async function Yd(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(Yd,"readRetryBody");function xi(e,t){let r=t.authUrl===void 0?void 0:yo({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(St({id:go(e),error:{code:r?.code??zd,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(xi,"connectRequiredJsonRpcResponse");async function Xd(e){let{scope:t}=ko(e.upstreamResponse),r=await ke({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0,...t===void 0?{}:{requestedScope:t}});if(r.kind==="connect_required")return Ii({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),i=r.credential;switch(Ci({context:e.context,credential:i,routeBinding:e.routeAuth,forceRefresh:!0}),i.type){case"none":return o.delete("authorization"),{kind:"headers",headers:o};case"bearer_token":return o.set("authorization",`Bearer ${i.token}`),{kind:"headers",headers:o};case"headers":for(let[a,s]of Object.entries(i.headers))o.set(a,s);return{kind:"headers",headers:o};case"mcp_oauth_provider":{let a=await i.provider.tokens();return a?(o.set("authorization",`${a.token_type??"Bearer"} ${a.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after 
refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}}}n(Xd,"applyRefreshedCredentialHeaders");function Qd(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await Xd({request:e.request,context:e.context,headers:Vd(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return xi(e.requestBody,o.payload);if(o.kind==="response")return o.response;let i=Cn({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return ct.fetch(i.url,i.init)})}n(Qd,"installUpstreamAuthRetryHook");function eu(e){if($d(e.requestBody)!=="initialize")return;let t=Kd({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!Zd(r))return r;let o;try{o=await r.clone().json()}catch{return r}let i=Jd({body:o,icons:t});if(i===o)return r;let a=new Headers(r.headers);return a.delete("content-length"),new Response(JSON.stringify(i),{status:r.status,statusText:r.statusText,headers:a})})}n(eu,"installInitializeIconHook");async function Ir(e,t,r){let o=Ld(t),i=await Yd(e),a=vi({connection:r,operationId:o}),s=Ie(e.user,e.url,e.headers);Bn(t,s);let c=Te(a,s.subjectId),l=await Nd(e,c,r,t);if(!(l instanceof Response)&&l.kind==="connect_required")return xi(i,l.payload);if(l instanceof Response)return l;let m=Wd(e,l.headers);return Qd({request:m,context:t,requestBody:i,routeAuth:c}),eu({context:t,requestBody:i,connection:r}),m}n(Ir,"mcpTokenExchangePolicy");var xr=class extends ut{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Tn(t,r);super(o,r)}async handler(t,r){return dt("policy.inbound.mcp-token-exchange"),Ir(t,r,this.options)}};H();var Ai=Symbol("Html");function tu(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}n(tu,"escapeHtml");function ru(e){return e===null||typeof e!="object"?!1:e[Ai]===!0}n(ru,"isHtml");function 
Ui(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Ui).join(""):ru(e)?e.value:tu(String(e))}n(Ui,"renderValue");function Q(e){return{[Ai]:!0,value:e}}n(Q,"trustedHtml");var Z=Q("");function S(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Ui(t[o]),r+=e[o+1]??"";return Q(r)}n(S,"html");function Pe(e){return e.value}n(Pe,"renderHtml");function ki(e){return S`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(ki,"renderBrowserErrorPage");var Ee=Q('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px 
#0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint 
strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback 
svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 
0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 
4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 
10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 
0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Oe(e){return S`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
25
+ import{$ as gt,A as Be,Aa as wt,B as An,Ba as ro,C as Un,Ca as no,D as kn,Da as oo,E as ht,Ea as ao,F as Tn,Fa as io,G as Pn,Ga as so,H as En,Ha as b,I as On,Ia as C,J as qn,Ja as Y,K as Mn,Ka as I,L as N,La as co,M as Dn,Ma as ks,N as zn,Na as uo,O as R,Oa as lo,P as J,Pa as Rt,Q as U,Qa as po,R as Hn,Ra as mo,S as W,Ta as fo,U as Bn,Ua as ho,V as jn,Va as bt,W as le,X as _,Y as Ln,Z as Nn,_ as Gn,a as hn,aa as V,b as ue,ba as Zt,c as gn,ca as Ft,d as B,da as $n,e as yn,ea as Zn,f as As,fa as Kt,g as Us,ga as Jt,h as _n,ha as Fn,i as wn,ia as P,j as Rn,ja as Kn,k as y,ka as Jn,l as be,la as Wn,m as Se,ma as Vn,n as Ce,na as Wt,o as ve,oa as Yn,p as bn,pa as Vt,q as Sn,qa as Yt,r as j,ra as yt,s as Cn,sa as Ie,t as vn,ta as Xn,u as In,ua as Qn,v as pt,va as _t,w as xn,wa as eo,x as $t,xa as Xt,y as mt,ya as to,z as ft,za as je}from"../chunk-MJ6GX4IA.js";import{J as cn,L as u,M as dn,N as Gt,O as K,Q as un,S as h,T as re,U as lt,_ as ln,a as dt,ca as pn,da as mn,ea as d,fa as H,j as de,k as on,m as an,ma as fn,q as sn,s as ut}from"../chunk-J7JE2DD5.js";import"../chunk-JRXZBVXH.js";import{a as w}from"../chunk-4SACVMDH.js";import{$ as M,a as n,aa as g,ba as T,ca as nn,da as ct}from"../chunk-ZIKV2LUM.js";H();function Ts(e){let t=ft.safeParse(e);return t.success?t.data.id:void 0}n(Ts,"parseJsonRpcRequestId");function go(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return Ts(t)}catch{return}}n(go,"readJsonRpcRequestIdFromBody");function St(e){return An.parse({jsonrpc:mt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(St,"jsonRpcErrorResponse");function yo(e){return new kn([Un.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(yo,"urlElicitationRequiredError");var 
Ct=d.record(d.string(),d.unknown()),Ps=d.record(d.string(),d.unknown()),Es=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Ps.optional(),_meta:Ct.optional()}).strict(),Os=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),qs=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),Ms=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),Ds=d.array(d.union([d.string(),Es])),zs=d.array(d.union([d.string(),Os])),Hs=d.array(d.union([d.string(),qs])),Bs=d.array(d.union([d.string(),Ms])),js=d.object({tools:Ds.optional(),prompts:zs.optional(),resources:Hs.optional(),resourceTemplates:Bs.optional()}).strict(),er=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function Ls(e,t){return yn(js,e,`MCP capability filter policy "${t}"`)}n(Ls,"parseMcpCapabilityFilterOptions");function E(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(E,"isRecord");function Ns(e,t){if(!E(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Ns,"readParamString");function tr(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(tr,"readRequestId");function bo(e){return e===void 
0?void 0:JSON.stringify(e)}n(bo,"requestIdKey");function Gs(e){let t={};for(let r of er){let o=e[r.option];if(o===void 0)continue;let a=new Map;for(let i of o){let s=Ks(i,r.itemProperty);s!==void 0&&a.set(s.key,s)}t[r.option]=a}return t}n(Gs,"buildProjectionMaps");function rr(e){return er.find(t=>t.listMethod===e)}n(rr,"findListRule");function $s(e){return e.requests.some(t=>{if(!E(t))return!1;let r=rr(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n($s,"shouldFilterListResponses");function Zs(e){for(let t of er){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let a=Ns(e.request.params,o.paramProperty);if(a!==void 0&&!r.has(a))return{id:tr(e.request)}}}}n(Zs,"findDisallowedDirectAccess");function Fs(e){return Response.json(St({id:e,error:{code:Be.MethodNotFound,message:"Method not found"}}))}n(Fs,"methodNotFoundResponse");function Ks(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!E(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n(Ks,"buildProjection");function _o(e){let t=e.base[e.property],r=e.overlay[e.property];return E(r)?E(t)?{...t,...r}:r:t}n(_o,"mergeRecordProperty");function Js(e,t){let r={...e,...t.overlay},o=_o({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let a=_o({base:e,overlay:t.overlay,property:"_meta"});return a!==void 0&&(r._meta=a),r}n(Js,"applyProjection");function wo(e,t,r){if(!E(e))return e;let o=e.result;if(!E(o))return e;let a=o[t.resultProperty];return!Array.isArray(a)||!a.every(i=>E(i)&&typeof i[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:a.flatMap(i=>{if(!E(i))return[];let s=i[t.itemProperty];if(typeof s!="string")return[];let c=r.get(s);return c===void 0?[]:[Js(i,c)]})}}}n(wo,"filterAndProjectItems");function Ws(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!E(r))continue;let o=rr(r.method),a=tr(r),i=bo(a);o!==void 0&&i!==void 
0&&t.set(i,o)}return t}n(Ws,"buildListRulesByResponseId");function Vs(e){if(Array.isArray(e.responseBody)){let o=Ws(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(a=>{if(!E(a)||"error"in a)return a;let i=bo(tr(a)),s=i===void 0?void 0:o.get(i),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?a:wo(a,s,c)})}if(!E(e.requestBody)||!E(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=rr(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:wo(e.responseBody,t,r)}n(Vs,"filterJsonRpcResponse");async function Ro(e){return e.clone().json()}n(Ro,"readJson");function Ys(e){return e.headers.get("content-type")?.includes("json")??!1}n(Ys,"isJsonResponse");var Qt=class extends ut{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=Ls(t,r);super(o,r),this.#e=Gs(o)}async handler(t,r){dt("policy.inbound.mcp-capability-filter");let o;try{o=await Ro(t)}catch{return t}let a=Array.isArray(o)?o:[o];for(let i of a){if(!E(i))continue;let s=Zs({request:i,projectionMaps:this.#e});if(s!==void 0)return Fs(s.id)}return $s({requests:a,projectionMaps:this.#e})&&r.addResponseSendingHook(async i=>{if(!Ys(i))return i;let s;try{s=await Ro(i)}catch{return i}let c=Vs({requestBody:o,responseBody:s,projectionMaps:this.#e});if(c===s)return i;let l=new Headers(i.headers);return l.delete("content-length"),new Response(JSON.stringify(c),{status:i.status,statusText:i.statusText,headers:l})}),t}};var nr;nr=globalThis.crypto;async function Xs(e){return(await nr).getRandomValues(new Uint8Array(e))}n(Xs,"getRandomValues");async function Qs(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let a=await Xs(e-o.length);for(let i of a)i<r&&(o+=t[i%t.length])}return o}n(Qs,"random");async function ec(e){return await Qs(e)}n(ec,"generateVerifier");async function tc(e){let 
t=await(await nr).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(tc,"generateChallenge");async function or(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await ec(e),r=await tc(t);return{code_verifier:t,code_challenge:r}}n(or,"pkceChallenge");H();var k=dn().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:pn.custom,message:"URL must be parseable",fatal:!0}),cn}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),vt=lt({resource:u().url(),authorization_servers:h(k).optional(),jwks_uri:u().url().optional(),scopes_supported:h(u()).optional(),bearer_methods_supported:h(u()).optional(),resource_signing_alg_values_supported:h(u()).optional(),resource_name:u().optional(),resource_documentation:u().optional(),resource_policy_uri:u().url().optional(),resource_tos_uri:u().url().optional(),tls_client_certificate_bound_access_tokens:K().optional(),authorization_details_types_supported:h(u()).optional(),dpop_signing_alg_values_supported:h(u()).optional(),dpop_bound_access_tokens_required:K().optional()}),Le=lt({issuer:u(),authorization_endpoint:k,token_endpoint:k,registration_endpoint:k.optional(),scopes_supported:h(u()).optional(),response_types_supported:h(u()),response_modes_supported:h(u()).optional(),grant_types_supported:h(u()).optional(),token_endpoint_auth_methods_supported:h(u()).optional(),token_endpoint_auth_signing_alg_values_supported:h(u()).optional(),service_documentation:k.optional(),revocation_endpoint:k.optional(),revocation_endpoint_auth_methods_supported:h(u()).optional(),revocation_endpoint_auth_signing_alg_values_supported:h(u()).optional(),introspection_endpoint:u().optional(),introspection_endpoint_auth_methods_supported:h(u()).optional(),introspection_
endpoint_auth_signing_alg_values_supported:h(u()).optional(),code_challenge_methods_supported:h(u()).optional(),client_id_metadata_document_supported:K().optional()}),rc=lt({issuer:u(),authorization_endpoint:k,token_endpoint:k,userinfo_endpoint:k.optional(),jwks_uri:k,registration_endpoint:k.optional(),scopes_supported:h(u()).optional(),response_types_supported:h(u()),response_modes_supported:h(u()).optional(),grant_types_supported:h(u()).optional(),acr_values_supported:h(u()).optional(),subject_types_supported:h(u()),id_token_signing_alg_values_supported:h(u()),id_token_encryption_alg_values_supported:h(u()).optional(),id_token_encryption_enc_values_supported:h(u()).optional(),userinfo_signing_alg_values_supported:h(u()).optional(),userinfo_encryption_alg_values_supported:h(u()).optional(),userinfo_encryption_enc_values_supported:h(u()).optional(),request_object_signing_alg_values_supported:h(u()).optional(),request_object_encryption_alg_values_supported:h(u()).optional(),request_object_encryption_enc_values_supported:h(u()).optional(),token_endpoint_auth_methods_supported:h(u()).optional(),token_endpoint_auth_signing_alg_values_supported:h(u()).optional(),display_values_supported:h(u()).optional(),claim_types_supported:h(u()).optional(),claims_supported:h(u()).optional(),service_documentation:u().optional(),claims_locales_supported:h(u()).optional(),ui_locales_supported:h(u()).optional(),claims_parameter_supported:K().optional(),request_parameter_supported:K().optional(),request_uri_parameter_supported:K().optional(),require_request_uri_registration:K().optional(),op_policy_uri:k.optional(),op_tos_uri:k.optional(),client_id_metadata_document_supported:K().optional()}),It=re({...rc.shape,...Le.pick({code_challenge_methods_supported:!0}).shape}),xe=re({access_token:u(),id_token:u().optional(),token_type:u(),expires_in:mn.number().optional(),scope:u().optional(),refresh_token:u().optional()}).strip(),Co=re({error:u(),error_description:u().optional(),error_uri:u().opt
ional()}),So=k.optional().or(ln("").transform(()=>{})),nc=re({redirect_uris:h(k),token_endpoint_auth_method:u().optional(),grant_types:h(u()).optional(),response_types:h(u()).optional(),client_name:u().optional(),client_uri:k.optional(),logo_uri:So,scope:u().optional(),contacts:h(u()).optional(),tos_uri:So,policy_uri:u().optional(),jwks_uri:k.optional(),jwks:un().optional(),software_id:u().optional(),software_version:u().optional(),software_statement:u().optional()}).strip(),ar=re({client_id:u(),client_secret:u().optional(),client_id_issued_at:Gt().optional(),client_secret_expires_at:Gt().optional()}).strip(),Ne=nc.merge(ar),jm=re({error:u(),error_description:u().optional()}).strip(),Lm=re({token:u(),token_type_hint:u().optional()}).strip();function vo(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(vo,"resourceUrlFromServerUrl");function Io({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let a=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",i=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return a.startsWith(i)}n(Io,"checkResourceAllowed");var x=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Ge=class extends x{static{n(this,"InvalidRequestError")}};Ge.errorCode="invalid_request";var pe=class extends x{static{n(this,"InvalidClientError")}};pe.errorCode="invalid_client";var me=class extends x{static{n(this,"InvalidGrantError")}};me.errorCode="invalid_grant";var fe=class extends x{static{n(this,"UnauthorizedClientError")}};fe.errorCode="unauthorized_client";var $e=class extends 
x{static{n(this,"UnsupportedGrantTypeError")}};$e.errorCode="unsupported_grant_type";var Ze=class extends x{static{n(this,"InvalidScopeError")}};Ze.errorCode="invalid_scope";var Fe=class extends x{static{n(this,"AccessDeniedError")}};Fe.errorCode="access_denied";var X=class extends x{static{n(this,"ServerError")}};X.errorCode="server_error";var Ke=class extends x{static{n(this,"TemporarilyUnavailableError")}};Ke.errorCode="temporarily_unavailable";var Je=class extends x{static{n(this,"UnsupportedResponseTypeError")}};Je.errorCode="unsupported_response_type";var We=class extends x{static{n(this,"UnsupportedTokenTypeError")}};We.errorCode="unsupported_token_type";var Ve=class extends x{static{n(this,"InvalidTokenError")}};Ve.errorCode="invalid_token";var Ye=class extends x{static{n(this,"MethodNotAllowedError")}};Ye.errorCode="method_not_allowed";var Xe=class extends x{static{n(this,"TooManyRequestsError")}};Xe.errorCode="too_many_requests";var he=class extends x{static{n(this,"InvalidClientMetadataError")}};he.errorCode="invalid_client_metadata";var Qe=class extends x{static{n(this,"InsufficientScopeError")}};Qe.errorCode="insufficient_scope";var et=class extends x{static{n(this,"InvalidTargetError")}};et.errorCode="invalid_target";var xo={[Ge.errorCode]:Ge,[pe.errorCode]:pe,[me.errorCode]:me,[fe.errorCode]:fe,[$e.errorCode]:$e,[Ze.errorCode]:Ze,[Fe.errorCode]:Fe,[X.errorCode]:X,[Ke.errorCode]:Ke,[Je.errorCode]:Je,[We.errorCode]:We,[Ve.errorCode]:Ve,[Ye.errorCode]:Ye,[Xe.errorCode]:Xe,[he.errorCode]:he,[Qe.errorCode]:Qe,[et.errorCode]:et};function oc(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(oc,"isClientAuthMethod");var ir="code",sr="S256";function ac(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in 
e&&e.token_endpoint_auth_method&&oc(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(ac,"selectClientAuthMethod");function ic(e,t,r,o){let{client_id:a,client_secret:i}=t;switch(e){case"client_secret_basic":sc(a,i,r);return;case"client_secret_post":cc(a,i,o);return;case"none":dc(a,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(ic,"applyClientAuthentication");function sc(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(sc,"applyBasicAuth");function cc(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(cc,"applyPostAuth");function dc(e,t){t.set("client_id",e)}n(dc,"applyPublicAuth");async function Uo(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=Co.parse(JSON.parse(r)),{error:a,error_description:i,error_uri:s}=o,c=xo[a]||X;return new c(i||"",s)}catch(o){let a=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. 
Raw body: ${r}`;return new X(a)}}n(Uo,"parseErrorResponse");async function ur(e,t){try{return await cr(e,t)}catch(r){if(r instanceof pe||r instanceof fe)return await e.invalidateCredentials?.("all"),await cr(e,t);if(r instanceof me)return await e.invalidateCredentials?.("tokens"),await cr(e,t);throw r}}n(ur,"auth");async function cr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:a,fetchFn:i}){let s=await e.discoveryState?.(),c,l,m,f=a;if(!f&&s?.resourceMetadataUrl&&(f=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(l=s.authorizationServerUrl,c=s.resourceMetadata,m=s.authorizationServerMetadata??await Po(l,{fetchFn:i}),!c)try{c=await To(t,{resourceMetadataUrl:f},i)}catch{}(m!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}else{let q=await hc(t,{resourceMetadataUrl:f,fetchFn:i});l=q.authorizationServerUrl,m=q.authorizationServerMetadata,c=q.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}let A=await uc(t,e,c),v=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,L=await Promise.resolve(e.clientInformation());if(!L){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let q=m?.client_id_metadata_document_supported===!0,He=e.clientMetadataUrl;if(He&&!lr(He))throw new he(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${He}`);if(q&&He)L={client_id:He},await e.saveClientInformation?.(L);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let rn=await Rc(l,{metadata:m,clientMetadata:e.clientMetadata,scope:v,fetchFn:i});await e.saveClientInformation(rn),L=rn}}let Re=!e.redirectUrl;if(r!==void 0||Re){let q=await 
wc(e,l,{metadata:m,resource:A,authorizationCode:r,fetchFn:i});return await e.saveTokens(q),"AUTHORIZED"}let tn=await e.tokens();if(tn?.refresh_token)try{let q=await _c(l,{metadata:m,clientInformation:L,refreshToken:tn.refresh_token,resource:A,addClientAuthentication:e.addClientAuthentication,fetchFn:i});return await e.saveTokens(q),"AUTHORIZED"}catch(q){if(!(!(q instanceof x)||q instanceof X))throw q}let vs=e.state?await e.state():void 0,{authorizationUrl:Is,codeVerifier:xs}=await gc(l,{metadata:m,clientInformation:L,state:vs,redirectUrl:e.redirectUrl,scope:v,resource:A});return await e.saveCodeVerifier(xs),await e.redirectToAuthorization(Is),"REDIRECT"}n(cr,"authInternal");function lr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(lr,"isHttpsUrl");async function uc(e,t,r){let o=vo(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!Io({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(uc,"selectResourceURL");function ko(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let a=dr(e,"resource_metadata")||void 0,i;if(a)try{i=new URL(a)}catch{}let s=dr(e,"scope")||void 0,c=dr(e,"error")||void 0;return{resourceMetadataUrl:i,scope:s,error:c}}n(ko,"extractWWWAuthenticateParams");function dr(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),a=r.match(o);return a?a[1]||a[2]:null}n(dr,"extractFieldFromWwwAuth");async function To(e,t,r=fetch){let o=await mc(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await 
o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return vt.parse(await o.json())}n(To,"discoverOAuthProtectedResourceMetadata");async function pr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?pr(e,void 0,r):void 0;throw o}}n(pr,"fetchWithCorsRetry");function lc(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(lc,"buildWellKnownPath");async function Ao(e,t,r=fetch){return await pr(e,{"MCP-Protocol-Version":t},r)}n(Ao,"tryMetadataDiscovery");function pc(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(pc,"shouldAttemptFallback");async function mc(e,t,r,o){let a=new URL(e),i=o?.protocolVersion??$t,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let l=lc(t,a.pathname);s=new URL(l,o?.metadataServerUrl??a),s.search=a.search}let c=await Ao(s,i,r);if(!o?.metadataUrl&&pc(c,a.pathname)){let l=new URL(`/.well-known/${t}`,a);c=await Ao(l,i,r)}return c}n(mc,"discoverMetadataWithFallback");function fc(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let a=t.pathname;return a.endsWith("/")&&(a=a.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${a}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${a}`,t.origin),type:"oidc"}),o.push({url:new URL(`${a}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(fc,"buildDiscoveryUrls");async function Po(e,{fetchFn:t=fetch,protocolVersion:r=$t}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},a=fc(e);for(let{url:i,type:s}of a){let c=await pr(i,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load 
${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${i}`)}return s==="oauth"?Le.parse(await c.json()):It.parse(await c.json())}}}n(Po,"discoverAuthorizationServerMetadata");async function hc(e,t){let r,o;try{r=await To(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let a=await Po(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:a,resourceMetadata:r}}n(hc,"discoverOAuthServerInfo");async function gc(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:a,state:i,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(ir))throw new Error(`Incompatible auth server: does not support response type ${ir}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(sr))throw new Error(`Incompatible auth server: does not support code challenge method ${sr}`)}else c=new URL("/authorize",e);let l=await or(),m=l.code_verifier,f=l.code_challenge;return c.searchParams.set("response_type",ir),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",f),c.searchParams.set("code_challenge_method",sr),c.searchParams.set("redirect_uri",String(o)),i&&c.searchParams.set("state",i),a&&c.searchParams.set("scope",a),a?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:m}}n(gc,"startAuthorization");function yc(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(yc,"prepareAuthorizationCodeRequest");async function Eo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:a,resource:i,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),l=new 
Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(i&&r.set("resource",i.href),a)await a(l,r,c,t);else if(o){let f=t?.token_endpoint_auth_methods_supported??[],A=ac(o,f);ic(A,o,l,r)}let m=await(s??fetch)(c,{method:"POST",headers:l,body:r});if(!m.ok)throw await Uo(m);return xe.parse(await m.json())}n(Eo,"executeTokenRequest");async function _c(e,{metadata:t,clientInformation:r,refreshToken:o,resource:a,addClientAuthentication:i,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),l=await Eo(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:i,resource:a,fetchFn:s});return{refresh_token:o,...l}}n(_c,"refreshAuthorization");async function wc(e,t,{metadata:r,resource:o,authorizationCode:a,fetchFn:i}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!a)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let m=await e.codeVerifier();c=yc(a,m,e.redirectUrl)}let l=await e.clientInformation();return Eo(t,{metadata:r,tokenRequestParams:c,clientInformation:l??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:i})}n(wc,"fetchToken");async function Rc(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:a}){let i;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");i=new URL(t.registration_endpoint)}else i=new URL("/register",e);let s=await(a??fetch)(i,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await Uo(s);return Ne.parse(await s.json())}n(Rc,"registerClient");var mr="zuplo.com",bc=new 
Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),Sc=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function Oo(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(Oo,"s2FaviconHref");function Cc(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(Cc,"strictFaviconHref");var xt=Oo(mr);function fr(e){let t=e.toLowerCase();return t===mr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?Oo(mr):Cc(e)}n(fr,"resolveIconHref");function vc(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(vc,"hostnameFromHost");function Ic(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Ic,"isLocalOrAddressHost");function xc(e){let t=vc(e).toLowerCase().replace(/\.$/,"");if(Ic(t)||Sc.some(i=>t===i.slice(1)||t.endsWith(i)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),a=bc.has(o)?3:2;return r.slice(-a).join(".")}n(xc,"inferFaviconDomain");function hr(e){return{src:fr(xc(e)),mimeType:"image/png",sizes:["128x128"]}}n(hr,"resolveMcpFaviconIcon");function At(e){try{return hr(new URL(e).host)}catch{return}}n(At,"resolveMcpFaviconIconFromUrl");function ne(e){let t=N().connectionsById.get(e);if(!t)throw new T(`Unknown upstream server "${e}". 
Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(ne,"getUpstreamServerConfig");function Ac(e){let t=N().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new T(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(Ac,"resolveUpstreamAuthProfileId");function gr(e){Ac(e);let t=N().connectionsById.get(e.upstreamServerId);if(!t)throw new T(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(gr,"getUpstreamAuthConfig");function ge(e,t){let r=gr({upstreamServerId:e,authProfileId:t});if(!Pn(r))throw new T(`Upstream server "${e}" does not use upstream OAuth. 
Select an auth mode that supports the requested upstream connect flow or remove the upstream OAuth route for this server.`);return r.oauth}n(ge,"requireUpstreamOAuthConfig");var Uc={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"}};function G(e){return Uc[e]}n(G,"describeUpstreamAuthMode");function Ut(e){return G(e).ownerMode}n(Ut,"resolveOwnerModeForUpstreamAuthMode");H();import{errors as Lo,jwtVerify as No,SignJWT as Go}from"jose";var O="zuplo-mcp-gateway",D=O,z="HS256";import{base64url as kc}from"jose";var Tc=new TextEncoder,Pc="MCP gateway could not initialize secure key material.",Ec=32,qo=new Map,Mo=new Map,Oc;function qc(){return Oc??nn.instance.authPrivateKey}n(qc,"readAuthPrivateKey");function Do(e){return new M(Pc,e===void 0?void 0:{cause:e})}n(Do,"createGeneratedKeyMaterialError");function zo(e,t){let r=kc.decode(t);if(r.byteLength!==Ec)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(zo,"decodeJwkKeyField");function Mc(e){let t=qc();if(!t)throw Do();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=zo("d",r.d);zo("x",r.x);let a=Tc.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),i=new Uint8Array(a.byteLength+o.byteLength);return i.set(a),i.set(o,a.byteLength),i}catch(r){throw Do(r)}}n(Mc,"decodeGeneratedKeyMaterial");function Dc(e){let t=qo.get(e);return t||(t=Mc(e),qo.set(e,t)),t}n(Dc,"getMasterKeyMaterial");async function $(e){let t=Mo.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(Dc(e.keyMaterialPurpose));return 
Mo.set(e.purpose,r),r}n($,"readCachedDerivedKey");var zc="SHA-256";var Hc="zuplo-mcp-gateway:",Bc=new TextEncoder,Ho=new WeakMap;async function oe(e,t){let r=Ho.get(e);r||(r=new Map,Ho.set(e,r));let o=r.get(t);if(o)return o;let a=await jc(e,t);return r.set(t,a),a}n(oe,"deriveGatewaySigningKey");async function jc(e,t){let r=Bo(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),a=Bc.encode(`${Hc}${t}`),i=await crypto.subtle.deriveBits({name:"HKDF",hash:zc,salt:new Uint8Array,info:Bo(a)},o,32*8);return new Uint8Array(i)}n(jc,"hkdfExpand");function Bo(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Bo,"copyToArrayBuffer");var $o=15*60,Lc=15*60,Nc=to.extend({id:ro}),Gc=Nc.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Zo=Xt.extend({id:no,purpose:d.literal("browser_connect")}),$c=Xt.extend({purpose:d.literal("browser_connect")}),Zc=Zo.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Fo=$o*1e3;async function Ko(){return $({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"oauth-state"),"derive")})}n(Ko,"getOAuthStateKey");async function Jo(){return $({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-connect"),"derive")})}n(Jo,"getBrowserConnectKey");async function Wo(e){let t=Math.floor(Date.now()/1e3)+$o;return new Go(e).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(t).sign(await Ko())}n(Wo,"signOAuthState");async function kt(e){try{let{payload:t}=await No(e,await Ko(),{algorithms:[z],issuer:O,audience:D});return Gc.parse(t)}catch(t){throw t instanceof Lo.JWTExpired?new g({message:"OAuth state has expired",extensionMembers:{[y]:"oauth_state_expired"}},{cause:t}):new g({message:"OAuth state could not be verified",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:t})}}n(kt,"verifyOAuthState");async function Vo(e){let 
t=Math.floor(Date.now()/1e3)+Lc,r=$c.parse(e),o=Zo.parse({...r,id:so()});return new Go(o).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(t).sign(await Jo())}n(Vo,"signBrowserConnectTicket");async function Yo(e){try{let{payload:t}=await No(e,await Jo(),{algorithms:[z],issuer:O,audience:D});return Zc.parse(t)}catch(t){throw t instanceof Lo.JWTExpired?new g({message:"Browser connect ticket has expired",extensionMembers:{[y]:"oauth_state_expired"}},{cause:t}):new g({message:"Browser connect ticket could not be verified",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:t})}}n(Yo,"verifyBrowserConnectTicket");async function Xo(e){if((await b().consumeBrowserConnectTicket({id:e.id,expiresAt:R(new Date(e.exp*1e3)),now:R(new Date)})).kind==="consumed")throw new g({message:"Browser connect ticket has already been used",extensionMembers:{[y]:"oauth_state_reused"}})}n(Xo,"consumeBrowserConnectTicket");function Fc(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(Fc,"buildConnectRequiredMessage");async function Kc(e){let t=U(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Vo({...je(e),purpose:"browser_connect"})),r.toString()}n(Kc,"buildGatewayBrowserTicketUrl");function Jc(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}n(Jc,"buildGatewayConnectPath");async function yr(e){return Kc({...e,path:Jc(e.upstreamServerId),redirect:!0})}n(yr,"buildGatewayConnectUrl");async function Tt(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 
0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await yr(t),message:Fc(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(Tt,"buildRedirectConnectRequiredResponse");function Qo(e){return Wc({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(Qo,"buildAdminConnectRequiredResponse");function Wc(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(Wc,"buildAdminSetupRequiredResponse");H();var ea=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function Vc(e,t){return e&&e.length>0?e.join(t):void 0}n(Vc,"joinOAuthScopes");function Yc(e){if(e?.authorization_endpoint===void 0)return e;let t=new URL(e.authorization_endpoint);for(let r of ea)t.searchParams.delete(r);return{...e,authorization_endpoint:t.toString()}}n(Yc,"sanitizeAuthorizationServerMetadata");function _r(e){let t=Yc(e.authorizationServerMetadata);return t===e.authorizationServerMetadata?e:{...e,authorizationServerMetadata:t}}n(_r,"sanitizeOAuthDiscoveryState");function ta(e){let t=new URL(e);for(let r of ea){let o=t.searchParams.getAll(r);o.length<=1||(t.searchParams.delete(r),t.searchParams.set(r,o.at(-1)??""))}return t}n(ta,"normalizeDuplicateSingletonAuthorizationRequestParams");function ra(e){return Vc(e.state?.resourceMetadata?.scopes_supported,e.delimiter)}n(ra,"readProtectedResourceMetadataScope");function wr(e){return`Zuplo 
MCP Gateway - ${e}`}n(wr,"buildGatewayOAuthClientName");function na(e,t,r){let o=new URL(e,U(t,r));return ue(o)&&hn(o.hostname)!=="localhost"&&(o.hostname="localhost"),o.toString()}n(na,"buildGatewayOAuthRedirectUri");function Rr(e){return new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}/${encodeURIComponent(e.authProfileId)}`,e.origin).toString()}n(Rr,"buildOAuthClientMetadataDocumentUrl");function oa(e,t){return U(e,t)}n(oa,"requireOAuthClientMetadataOrigin");function aa(e,t,r){let o=ne(t),a=ge(t,r),i={client_id:Rr({origin:e,upstreamServerId:t,authProfileId:r}),client_name:wr(o.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(a.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"};return a.scopes.length>0&&(i.scope=a.scopes.join(a.scopeDelimiter)),i}n(aa,"buildOAuthClientMetadataDocument");H();import{base64url as ae}from"jose";var Xc="SHA-256",Ue="AES-GCM",Qc=12,Sr="zuplo-secret",Cr=1,ia="generated:auth_private_key:token-encryption",ed=d.object({version:d.literal(Cr),keyId:d.literal(ia),algorithm:d.literal(Ue),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function Ae(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Ae,"copyToArrayBuffer");async function br(){return $({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(Xc,Ae(e));return crypto.subtle.importKey("raw",t,{name:Ue},!1,["encrypt","decrypt"])},"derive")})}n(br,"getEncryptionKey");function sa(e){return Ae(new TextEncoder().encode(`${Sr}:v${e.version}:${e.keyId}`))}n(sa,"getAssociatedData");function td(e){return`${Sr}:v${e.version}:${ae.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(td,"encodeEnvelope");function rd(e){let t=`${Sr}:v${Cr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(ae.decode(r));return 
ed.parse(JSON.parse(o))}n(rd,"decodeEnvelope");async function Pt(e){let t=await br(),r=crypto.getRandomValues(new Uint8Array(Qc)),o={version:Cr,keyId:ia},a=await crypto.subtle.encrypt({name:Ue,iv:r,additionalData:sa(o)},t,new TextEncoder().encode(e));return td({...o,algorithm:Ue,iv:ae.encode(r),ciphertext:ae.encode(new Uint8Array(a))})}n(Pt,"encryptSecret");async function tt(e){let t=rd(e);if(t){let s=await br(),c=await crypto.subtle.decrypt({name:Ue,iv:Ae(ae.decode(t.iv)),additionalData:sa(t)},s,Ae(ae.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new M("Encrypted payload is malformed");let a=await br(),i=await crypto.subtle.decrypt({name:Ue,iv:Ae(ae.decode(r))},a,Ae(ae.decode(o)));return new TextDecoder().decode(i)}n(tt,"decryptSecret");var nd=d.union([Ne,ar]),ca=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:vt.optional(),authorizationServerMetadata:d.union([Le,It]).optional()}).passthrough(),od="Bearer",ad="__zuplo_refresh_only_upstream_access_token__";function id(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(id,"splitScopes");function sd(e){return gt.parse(e)}n(sd,"parsePkceCodeVerifier");function cd(e){if(typeof e.expires_in=="number")return R(new Date(Date.now()+e.expires_in*1e3))}n(cd,"readTokenExpiry");async function da(e){if(e!==void 0)return Pt(JSON.stringify(e))}n(da,"encryptJson");async function ua(e,t){if(!e)return;let r=await tt(e);try{return t.parse(JSON.parse(r))}catch(o){throw new g({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:o})}}n(ua,"decryptJson");function dd(e){if(e===void 0)return;e=_r(e);let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 
0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(dd,"toOAuthDiscoveryState");function ud(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(ud,"clientInformationAllowsRedirectUri");function ld(e){return e.clientMetadataUrl===void 0?!0:"redirect_uris"in e.clientInformation||e.clientInformation.client_id===e.clientMetadataUrl}n(ld,"clientInformationMatchesCurrentClientMetadataUrl");function pd(e){return e.clientMetadataUrl!==void 0&&!("redirect_uris"in e.clientInformation)&&e.clientInformation.client_id===e.clientMetadataUrl}n(pd,"isUrlBasedClientInformation");function md(e,t,r){let o=ne(e),a=ge(e,t),i=pa(a.scopes,a.scopeDelimiter);return{client_name:wr(o.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:i,token_endpoint_auth_method:"none"}}n(md,"buildOAuthClientMetadata");function pa(e,t){return e&&e.length>0?e.join(t):void 0}n(pa,"joinOAuthScopes");function fd(e,t){return t===void 0?e:{...e,scope:t}}n(fd,"applyOAuthClientMetadataScope");function la(e,t){return ra({state:e,delimiter:t})}n(la,"readResourceMetadataScope");function hd(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new T(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. 
Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Ne.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(hd,"buildManualOAuthClientInformation");function gd(e,t,r){let o=Rr({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return lr(o)?o:void 0}n(gd,"buildClientMetadataUrl");function ma(e){for(let t of e)if(t!==void 0)return t}n(ma,"firstDefined");function yd(e){let t=ge(e.target.upstreamServerId,e.target.authProfileId),r=md(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri),o=pa(t.scopes,t.scopeDelimiter);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:hd({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let a=gd(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return a===void 0?{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:a}}n(yd,"buildInitialOAuthClientSetup");function _d(e,t){if(t===void 0)return ma([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(_d,"readEncryptedClientInformation");function wd(e){return ma([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(wd,"readEncryptedDiscoveryState");var 
ye=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=yd({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=_d(t,this.configuredClientInformation),this.encryptedDiscoveryState=wd(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return fd(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return Wo({id:t.id,...je({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,!pd({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl})&&(this.encryptedClientInformation=await da(t),await this.syncPendingState(!1)))}async discoveryState(){return 
this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){let r=_r(ca.parse(t));this.cachedDiscoveryState=r,this.discoveryStateLoaded=!0,this.inferredScope=la(r,this.scopeDelimiter),this.encryptedDiscoveryState=await da(r),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=xe.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,a=r.refresh_token?await Pt(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:xe.parse({...r,refresh_token:await tt(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let i={id:this.connection?.id??ao(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Pt(r.access_token),encryptedRefreshToken:a,scopes:id(r.scope??this.readEffectiveScope()),expiresAt:cd(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await b().upsertUpstreamConnection(i)}async redirectToAuthorization(t){let r=ta(t);this.authorizationUrlValue=r.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:sd(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new g({message:"OAuth code verifier is missing",extensionMembers:{[y]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",a=t==="all"||t==="discovery",i=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),a&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 
0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(i),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:io(),...je({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:R(new Date(Date.now()+Fo)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await b().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await ua(this.encryptedClientInformation,nd)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&(!ud(t,this.redirectUriValue)||!ld({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl}))){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1);return}return 
this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=dd(await ua(this.encryptedDiscoveryState,ca))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=la(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await tt(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await tt(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=xe.parse({access_token:t??ad,token_type:od,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await 
b().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var Rd=3e4,bd=256*1024,Sd=2;function Cd(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(Cd,"hasUsableAccessToken");var vd="does not support dynamic client registration",Id=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],xd=["HTTP 403 Forbidden","Access Denied","permission to access"];function Ad(e){return e instanceof Error&&e.message.includes(vd)}n(Ad,"isDynamicClientRegistrationUnsupported");function Ud(e){return e instanceof Error&&Id.some(t=>e.message.includes(t))}n(Ud,"isProtectedResourceMetadataUnavailable");function kd(e){return e instanceof Error&&xd.some(t=>e.message.includes(t))}n(kd,"isUpstreamProviderAccessDenied");function Td(e){if(e.error instanceof g&&e.error.extensionMembers?.[y]!==void 0)return e.error;if(Ad(e.error))return new g({message:`The authorization server for ${e.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[y]:"upstream_client_registration_required"}},{cause:e.error});if(Ud(e.error))return new g({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". 
Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[y]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(kd(e.error))return new g({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[y]:"upstream_provider_access_denied"}},{cause:e.error})}n(Td,"mapUpstreamOAuthSetupError");function Pd(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(Pd,"readOAuthFetchRequest");function Ed(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(Ed,"responseLooksJson");function Od(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(Od,"responseLooksHtml");function qd(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new g({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting ${e.upstreamServerId}.`,extensionMembers:{[y]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[Ce]:e.response.status,[be]:r,[ve]:e.request.url.toString(),[Se]:e.body}})}n(qd,"throwUpstreamHtmlError");function fa(e){return async(t,r)=>{let o=Pd(t),a=await mo(t,r,{maxRedirects:Sd,maxResponseBytes:bd,problemCode:"upstream_token_exchange_failed",timeoutMs:Rd}),i=await a.clone().text();if(!a.ok&&Od(a,i)&&qd({upstreamServerId:e,request:o,response:a,body:i}),!Ed(a,i))return a;try{JSON.parse(i)}catch(s){throw new g({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned 
invalid JSON.`,extensionMembers:{[y]:"upstream_token_exchange_failed"}},{cause:s})}return a}}n(fa,"createUpstreamOAuthFetch");async function ha(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:fa(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await ur(e,r)}catch(r){let o=Td({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(ha,"runUpstreamOAuth");async function Md(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:fa(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),ur(e,r)}n(Md,"exchangeUpstreamAuthorizationCode");async function ga(e,t){let r=await ha(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new g({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}}):new g({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}})}n(ga,"requireUpstreamAuthorizationRedirect");async function ya(e){if(!e.forceRefresh&&Cd(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await ha(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new g({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new 
g({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await jd({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(ya,"authorizeUpstreamOAuthSession");async function Dd(e){let t=await kt(e.stateToken),r=await b().consumeUpstreamOAuthState({id:t.id,now:R(new Date)}),o=zd(r);return Hd({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Bd(o),o}n(Dd,"consumeStoredCallbackState");function zd(e){switch(e.kind){case"consumed":throw new g({message:"OAuth state has already been used",extensionMembers:{[y]:"oauth_state_reused"}});case"missing":throw new g({message:"OAuth state is missing or expired",extensionMembers:{[y]:"oauth_state_expired"}});case"available":return e.record}}n(zd,"readConsumedCallbackState");function Hd(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new g({message:"OAuth callback did not match the initiating request",extensionMembers:{[y]:"oauth_callback_mismatch"}})}n(Hd,"assertStoredCallbackStateMatches");function Bd(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new 
g({message:"OAuth state has expired",extensionMembers:{[y]:"oauth_state_expired"}})}n(Bd,"assertStoredCallbackStateFresh");async function jd(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),Qo(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Tt(t)}n(jd,"buildOAuthConnectRequiredResponse");async function _a(e){let t=await Dd({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=wt(t),[o]=await b().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),a={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(a.connection=o);let i=new ye(a),s=await Md(i,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new g({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}}):new g({message:`OAuth callback flow did not finish authorization for 
${e.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}})}n(_a,"finishUpstreamOAuthCallback");async function wa(e){let t=ne(e.upstreamServerId),r=ge(e.upstreamServerId,e.authProfileId),o=na(r.redirectPath,e.request.url,e.request.headers),a="preloadedConnection"in e?e.preloadedConnection:(await b().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:a,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:U(e.request.url,e.request.headers)}}}n(wa,"prepareUpstreamOAuthRequest");async function Ra(e){let t=await wa(e),r=new ye({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return ga(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Ra,"startUpstreamConnect");async function ba(e){let t=await wa(e),r=new ye({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return ya({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(ba,"authorizeUpstreamRequest");async function ke(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return ba({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.requestedScope===void 
0?{}:{requestedScope:e.requestedScope},...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}let r=t;throw new M(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(ke,"resolveUpstreamCredentialForRoute");async function Sa(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},o=G(e.connectRequest.authMode);switch(o.connectSupport){case"oauth_authorization":t=await Ra(r);break;case"none":throw new M(o.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(Sa,"startUpstreamConnectForRequest");async function Ca(e){let r=(await kt(e.callbackRequest.state)).authProfileId,o=gr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(G(o.mode).callbackSupport!=="authorization_code")throw new M(`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return _a({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:ne(e.callbackRequest.upstreamServerId)})}n(Ca,"finishUpstreamCallbackForRequest");function Ld(e){let 
t=G(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(Ld,"buildRouteAuthBaseFromConnection");function Ia(e){let t=G(e.connection.authMode);return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:ht(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(Ia,"buildRouteAuthBaseFromPolicyOptions");function Et(e,t){let o=N().byOperationId.get(t);if(!o)throw new T(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new T(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new T(`MCP route "${t}" does not bind upstream "${e}". 
Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return Ld({connection:o.connection,operationId:t})}n(Et,"resolveRouteAuthBase");function va(e,t){switch(e){case"user":return _t(t);case"shared":return eo()}}n(va,"buildOwnerForSubject");function Te(e,t){switch(e.ownerMode){case"shared":return{...e,owner:va(e.ownerMode,t),initiatedBySubjectId:t};case"user":return{...e,owner:va(e.ownerMode,t),initiatedBySubjectId:t}}}n(Te,"resolveRouteAuthForSubject");var Nd=Be.InvalidRequest,Gd=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function $d(e,t){return{credentialType:e.type,forceRefresh:t,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}n($d,"buildCredentialResolvedAttributes");function Zd(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(Zd,"connectRequiredReasonCode");function xa(e){C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:$d(e.credential,e.forceRefresh===!0)})}n(xa,"emitCredentialResolvedAnalyticsEvent");function Aa(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:Zd(e.payload.state),reasonClass:"auth",attributes:t})}n(Aa,"emitCredentialMissingAnalyticsEvents");function Fd(e){let t=e.route.raw();return 
pt.parse(t?.operationId)}n(Fd,"readOperationId");async function Kd(e,t,r,o){let a=await ke({request:e,routeAuth:t});if(a.kind==="connect_required")return Aa({context:o,payload:a.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:a.payload};let i=a.credential;switch(xa({context:o,credential:i,routeBinding:t}),i.type){case"none":return{kind:"headers",headers:[]};case"bearer_token":return{kind:"headers",headers:[["authorization",`Bearer ${i.token}`]]};case"headers":return{kind:"headers",headers:Object.entries(i.headers)};case"mcp_oauth_provider":{let s=await i.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}}}n(Kd,"buildCredentialHeaders");var Jd=new Set(["authorization","cookie","cookie2"]);function Wd(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(Wd,"readJsonRequestMethod");function Vd(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(Vd,"isJsonResponse");function vr(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(vr,"isRecord");function Yd(e){return Array.isArray(e)&&e.length>0}n(Yd,"hasIconList");function Xd(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=At(Cn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(Xd,"readFallbackServerIcons");function Qd(e){if(!vr(e.body))return e.body;let t=e.body.result;if(!vr(t))return 
e.body;let r=t.serverInfo;return!vr(r)||Yd(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(Qd,"addMissingServerIcons");function eu(e,t){let r=new Headers(e.headers);for(let o of Jd)r.delete(o);for(let[o,a]of t)r.set(o,a);return new an(e,{headers:r})}n(eu,"applyUpstreamHeaders");function tu(e){let t=new Headers(e.headers);for(let r of Gd)t.delete(r);return t}n(tu,"buildProxyHeaders");async function ru(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(ru,"readRetryBody");function Ua(e,t){let r=t.authUrl===void 0?void 0:yo({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(St({id:go(e),error:{code:r?.code??Nd,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(Ua,"connectRequiredJsonRpcResponse");async function nu(e){let{scope:t}=ko(e.upstreamResponse),r=await ke({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0,...t===void 0?{}:{requestedScope:t}});if(r.kind==="connect_required")return Aa({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),a=r.credential;switch(xa({context:e.context,credential:a,routeBinding:e.routeAuth,forceRefresh:!0}),a.type){case"none":return o.delete("authorization"),{kind:"headers",headers:o};case"bearer_token":return o.set("authorization",`Bearer ${a.token}`),{kind:"headers",headers:o};case"headers":for(let[i,s]of Object.entries(a.headers))o.set(i,s);return{kind:"headers",headers:o};case"mcp_oauth_provider":{let i=await a.provider.tokens();return i?(o.set("authorization",`${i.token_type??"Bearer"} ${i.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after 
refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}}}n(nu,"applyRefreshedCredentialHeaders");function ou(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await nu({request:e.request,context:e.context,headers:tu(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return Ua(e.requestBody,o.payload);if(o.kind==="response")return o.response;let a=vn({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return ct.fetch(a.url,a.init)})}n(ou,"installUpstreamAuthRetryHook");function au(e){if(Wd(e.requestBody)!=="initialize")return;let t=Xd({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!Vd(r))return r;let o;try{o=await r.clone().json()}catch{return r}let a=Qd({body:o,icons:t});if(a===o)return r;let i=new Headers(r.headers);return i.delete("content-length"),new Response(JSON.stringify(a),{status:r.status,statusText:r.statusText,headers:i})})}n(au,"installInitializeIconHook");async function Ir(e,t,r){let o=Fd(t),a=await ru(e),i=Ia({connection:r,operationId:o}),s=Ie(e.user,e.url,e.headers);Bn(t,s);let c=Te(i,s.subjectId),l=await Kd(e,c,r,t);if(!(l instanceof Response)&&l.kind==="connect_required")return Ua(a,l.payload);if(l instanceof Response)return l;let m=eu(e,l.headers);return ou({request:m,context:t,requestBody:a,routeAuth:c}),au({context:t,requestBody:a,connection:r}),m}n(Ir,"mcpTokenExchangePolicy");var xr=class extends ut{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Tn(t,r);super(o,r)}async handler(t,r){return dt("policy.inbound.mcp-token-exchange"),Ir(t,r,this.options)}};H();var ka=Symbol("Html");function iu(e){return e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;")}n(iu,"escapeHtml");function su(e){return e===null||typeof e!="object"?!1:e[ka]===!0}n(su,"isHtml");function 
Ta(e){return e==null||e===!1?"":Array.isArray(e)?e.map(Ta).join(""):su(e)?e.value:iu(String(e))}n(Ta,"renderValue");function Q(e){return{[ka]:!0,value:e}}n(Q,"trustedHtml");var Z=Q("");function S(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Ta(t[o]),r+=e[o+1]??"";return Q(r)}n(S,"html");function Pe(e){return e.value}n(Pe,"renderHtml");function Pa(e){return S`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(Pa,"renderBrowserErrorPage");var Ee=Q('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px 
#0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint 
strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback 
svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 
0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 
4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 
10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 
0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Oe(e){return S`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
26
26
  ${e.styles}
27
- </style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(Oe,"renderShell");var nu="text/html; charset=utf-8";function qe(e){try{return new URL(e).host}catch{return""}}n(qe,"safeHostFromUrl");function F(e){let t=iu(e.kind??"authorization_failed"),r=ou(e);return new Response(Pe(Oe({title:e.title??t.title,iconHref:"",styles:Ee,headerIcon:Z,heading:e.title??t.title,subhead:"",body:ki({detail:e.detail,guidance:S`<p class="card__description">${t.guidance}</p>`,technicalDetails:uu({diagnostic:r,upstreamHtml:e.upstreamHtml}),action:cu(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":nu,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(F,"browserErrorPageResponse");function ou(e){let t=e.diagnostic?.code??e.code??"unknown";return{code:t,stage:e.diagnostic?.stage??au(t),timestamp:e.diagnostic?.timestamp??new Date().toISOString(),...e.requestId===void 0&&e.diagnostic?.requestId===void 0?{}:{requestId:e.diagnostic?.requestId??e.requestId},...e.diagnostic?.operationId===void 0?{}:{operationId:e.diagnostic.operationId},...e.diagnostic?.routePath===void 0?{}:{routePath:e.diagnostic.routePath},...e.diagnostic?.upstreamServerId===void 0?{}:{upstreamServerId:e.diagnostic.upstreamServerId},...e.diagnostic?.authProfileId===void 0?{}:{authProfileId:e.diagnostic.authProfileId},...e.diagnostic?.upstreamUrl===void 0?{}:{upstreamUrl:e.diagnostic.upstreamUrl},...e.diagnostic?.metadataUrl===void 0?{}:{metadataUrl:e.diagnostic.metadataUrl},...e.diagnostic?.httpStatus===void 0?{}:{httpStatus:e.diagnostic.httpStatus},...e.diagnostic?.contentType===void 0?{}:{contentType:e.diagnostic.contentType},...e.diagnostic?.providerError===void 0?{}:{providerError:e.diagnostic.providerError},...e.diagnostic?.providerErrorDescription===void 
0?{}:{providerErrorDescription:e.diagnostic.providerErrorDescription},suggestedFix:e.diagnostic?.suggestedFix??su(t),underlyingError:e.diagnostic?.underlyingError??e.developerDetail}}n(ou,"buildBrowserErrorDiagnostic");function iu(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. 
If this keeps happening, contact your gateway administrator with this error code."}}}n(iu,"readBrowserErrorPagePresentation");function au(e){switch(e){case"upstream_oauth_discovery_unavailable":return"upstream_oauth_discovery";case"upstream_client_registration_required":return"upstream_oauth_client_registration";case"upstream_provider_access_denied":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"upstream_token_exchange";case"provider_access_denied":return"upstream_oauth_callback";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"upstream_oauth_state";case"browser_login_verification_failed":return"downstream_browser_login";case"authentication_required":case"identity_context_missing":return"downstream_auth";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"gateway_configuration";case"server_error":case"internal_server_error":return"gateway_internal";default:return"gateway_request"}}n(au,"readBrowserErrorStage");function su(e){switch(e){case"upstream_oauth_discovery_unavailable":return"Confirm the upstream MCP URL and OAuth protected resource metadata. If the provider requires approval, configure the provider app or contact the provider.";case"upstream_client_registration_required":return"Register an OAuth client with the upstream provider, then configure the gateway to use that client before retrying.";case"upstream_provider_access_denied":return"Confirm the provider allows this gateway, OAuth client, and upstream MCP URL, then retry the connection.";case"upstream_token_exchange_failed":return"Retry the connection. 
If it repeats, verify the upstream OAuth client, redirect URI, token endpoint, and provider allowlist.";case"upstream_token_response_invalid":return"Verify the upstream token endpoint returns a valid OAuth token response for this gateway client.";case"provider_access_denied":return"Start the connection again if access was denied by mistake. Otherwise, grant the requested upstream provider access.";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"Start a new connection from the MCP client. The previous browser authorization request cannot be resumed.";case"browser_login_verification_failed":return"Retry the browser login flow. If it repeats, verify the downstream login callback configuration.";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"Check the MCP route, upstream server, and auth profile entries in the gateway configuration.";case"authentication_required":case"identity_context_missing":return"Verify the normal Zuplo auth policy runs before the MCP gateway policy and sets request.user.";case"server_error":case"internal_server_error":return"Retry later and check gateway logs with the request ID.";default:return"Check the gateway configuration and request details associated with this error code."}}n(su,"readBrowserErrorSuggestedFix");function cu(e){return e===void 0?Z:S`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(cu,"renderAction");function du(e){let t=[["Error code",e.code],["Stage",e.stage],["Request ID",e.requestId],["Time",e.timestamp],["Gateway route",e.routePath],["Operation ID",e.operationId],["Upstream",e.upstreamServerId],["Auth profile",e.authProfileId],["Upstream URL",e.upstreamUrl],["Metadata URL",e.metadataUrl],["HTTP status",e.httpStatus],["Content type",e.contentType],["Provider error",e.providerError],["Provider error 
description",e.providerErrorDescription],["Suggested fix",e.suggestedFix],["Underlying error",e.underlyingError]].filter(r=>r[1]!==void 0).map(([r,o])=>`${r}: ${o}`).join(`
28
- `);return S`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(du,"renderTechnicalPre");function Ot(e){return e.value===void 0||e.value===""?Z:S`<p class="banner__message"><strong>${e.label}:</strong> <code>${e.value}</code></p>`}n(Ot,"renderOptionalTechnicalRow");function uu(e){return S`<section class="banner banner--warning" aria-label="Developer details">
27
+ </style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(Oe,"renderShell");var cu="text/html; charset=utf-8";function qe(e){try{return new URL(e).host}catch{return""}}n(qe,"safeHostFromUrl");function F(e){let t=uu(e.kind??"authorization_failed"),r=du(e);return new Response(Pe(Oe({title:e.title??t.title,iconHref:"",styles:Ee,headerIcon:Z,heading:e.title??t.title,subhead:"",body:Pa({detail:e.detail,guidance:S`<p class="card__description">${t.guidance}</p>`,technicalDetails:hu({diagnostic:r,upstreamHtml:e.upstreamHtml}),action:mu(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":cu,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(F,"browserErrorPageResponse");function du(e){let t=e.diagnostic?.code??e.code??"unknown";return{code:t,stage:e.diagnostic?.stage??lu(t),timestamp:e.diagnostic?.timestamp??new Date().toISOString(),...e.requestId===void 0&&e.diagnostic?.requestId===void 0?{}:{requestId:e.diagnostic?.requestId??e.requestId},...e.diagnostic?.operationId===void 0?{}:{operationId:e.diagnostic.operationId},...e.diagnostic?.routePath===void 0?{}:{routePath:e.diagnostic.routePath},...e.diagnostic?.upstreamServerId===void 0?{}:{upstreamServerId:e.diagnostic.upstreamServerId},...e.diagnostic?.authProfileId===void 0?{}:{authProfileId:e.diagnostic.authProfileId},...e.diagnostic?.upstreamUrl===void 0?{}:{upstreamUrl:e.diagnostic.upstreamUrl},...e.diagnostic?.metadataUrl===void 0?{}:{metadataUrl:e.diagnostic.metadataUrl},...e.diagnostic?.httpStatus===void 0?{}:{httpStatus:e.diagnostic.httpStatus},...e.diagnostic?.contentType===void 0?{}:{contentType:e.diagnostic.contentType},...e.diagnostic?.providerError===void 0?{}:{providerError:e.diagnostic.providerError},...e.diagnostic?.providerErrorDescription===void 
0?{}:{providerErrorDescription:e.diagnostic.providerErrorDescription},suggestedFix:e.diagnostic?.suggestedFix??pu(t),underlyingError:e.diagnostic?.underlyingError??e.developerDetail}}n(du,"buildBrowserErrorDiagnostic");function uu(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. 
If this keeps happening, contact your gateway administrator with this error code."}}}n(uu,"readBrowserErrorPagePresentation");function lu(e){switch(e){case"upstream_oauth_discovery_unavailable":return"upstream_oauth_discovery";case"upstream_client_registration_required":return"upstream_oauth_client_registration";case"upstream_provider_access_denied":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"upstream_token_exchange";case"provider_access_denied":return"upstream_oauth_callback";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"upstream_oauth_state";case"browser_login_verification_failed":return"downstream_browser_login";case"authentication_required":case"identity_context_missing":return"downstream_auth";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"gateway_configuration";case"server_error":case"internal_server_error":return"gateway_internal";default:return"gateway_request"}}n(lu,"readBrowserErrorStage");function pu(e){switch(e){case"upstream_oauth_discovery_unavailable":return"Confirm the upstream MCP URL and OAuth protected resource metadata. If the provider requires approval, configure the provider app or contact the provider.";case"upstream_client_registration_required":return"Register an OAuth client with the upstream provider, then configure the gateway to use that client before retrying.";case"upstream_provider_access_denied":return"Confirm the provider allows this gateway, OAuth client, and upstream MCP URL, then retry the connection.";case"upstream_token_exchange_failed":return"Retry the connection. 
If it repeats, verify the upstream OAuth client, redirect URI, token endpoint, and provider allowlist.";case"upstream_token_response_invalid":return"Verify the upstream token endpoint returns a valid OAuth token response for this gateway client.";case"provider_access_denied":return"Start the connection again if access was denied by mistake. Otherwise, grant the requested upstream provider access.";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"Start a new connection from the MCP client. The previous browser authorization request cannot be resumed.";case"browser_login_verification_failed":return"Retry the browser login flow. If it repeats, verify the downstream login callback configuration.";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"Check the MCP route, upstream server, and auth profile entries in the gateway configuration.";case"authentication_required":case"identity_context_missing":return"Verify the normal Zuplo auth policy runs before the MCP gateway policy and sets request.user.";case"server_error":case"internal_server_error":return"Retry later and check gateway logs with the request ID.";default:return"Check the gateway configuration and request details associated with this error code."}}n(pu,"readBrowserErrorSuggestedFix");function mu(e){return e===void 0?Z:S`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(mu,"renderAction");function fu(e){let t=[["Error code",e.code],["Stage",e.stage],["Request ID",e.requestId],["Time",e.timestamp],["Gateway route",e.routePath],["Operation ID",e.operationId],["Upstream",e.upstreamServerId],["Auth profile",e.authProfileId],["Upstream URL",e.upstreamUrl],["Metadata URL",e.metadataUrl],["HTTP status",e.httpStatus],["Content type",e.contentType],["Provider error",e.providerError],["Provider error 
description",e.providerErrorDescription],["Suggested fix",e.suggestedFix],["Underlying error",e.underlyingError]].filter(r=>r[1]!==void 0).map(([r,o])=>`${r}: ${o}`).join(`
28
+ `);return S`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(fu,"renderTechnicalPre");function Ot(e){return e.value===void 0||e.value===""?Z:S`<p class="banner__message"><strong>${e.label}:</strong> <code>${e.value}</code></p>`}n(Ot,"renderOptionalTechnicalRow");function hu(e){return S`<section class="banner banner--warning" aria-label="Developer details">
29
29
  <span class="banner__icon" aria-hidden="true">!</span>
30
30
  <div class="banner__body">
31
31
  <p class="banner__title">Developer details</p>
@@ -36,14 +36,14 @@ import{$ as V,A as An,Aa as ro,B as Un,Ba as no,C as kn,Ca as oo,D as ht,Da as i
36
36
  ${Ot({label:"Request ID",value:e.diagnostic.requestId})}
37
37
  ${Ot({label:"Suggested fix",value:e.diagnostic.suggestedFix})}
38
38
  ${Ot({label:"Reason",value:e.diagnostic.underlyingError})}
39
- ${du(e.diagnostic)}
40
- ${lu(e.upstreamHtml)}
39
+ ${fu(e.diagnostic)}
40
+ ${gu(e.upstreamHtml)}
41
41
  </div>
42
- </section>`}n(uu,"renderTechnicalDetails");function lu(e){return e===void 0?Z:S`<iframe
42
+ </section>`}n(hu,"renderTechnicalDetails");function gu(e){return e===void 0?Z:S`<iframe
43
43
  title="Upstream HTML error response"
44
44
  sandbox
45
45
  srcdoc="${e}"
46
46
  style="border: 1px solid var(--warning-border); border-radius: var(--radius-sm); background: white; width: 100%; min-height: 220px; margin-top: 8px;"
47
- ></iframe>`}n(lu,"renderUpstreamHtml");var Ti="application/json",pu="application/x-www-form-urlencoded";function qt(e,t){return new g({message:e,extensionMembers:{[y]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(qt,"invalidRequestError");function mu(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(mu,"normalizeContentType");function fu(e,t){return e===t?!0:t===Ti&&e.endsWith("+json")}n(fu,"contentTypeMatches");function hu(e,t){if(!t||t.length===0)return;let r=mu(e.headers.get("content-type"));if(!t.some(o=>fu(r,o)))throw qt(`Request body must be ${t.join(" or ")}.`)}n(hu,"assertExpectedContentType");function gu(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw qt(`${r} exceeded the maximum allowed size.`)}n(gu,"assertContentLengthWithinLimit");async function Pi(e,t){let r=t.label??"Request body";hu(e,t.expectedContentTypes),gu(e,t.maxBytes,r);let o=await po(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>qt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(Pi,"readBoundedTextBody");async function Ei(e,t){let r=await Pi(e,{...t,expectedContentTypes:[Ti]});try{return JSON.parse(r)}catch(o){throw qt("Request body must be valid JSON.",o)}}n(Ei,"readBoundedJsonBody");async function Oi(e,t){let r=await Pi(e,{...t,expectedContentTypes:[pu]});return new URLSearchParams(r)}n(Oi,"readBoundedFormUrlEncodedBody");H();H();import{errors as Bi,jwtVerify as ji,SignJWT as Li}from"jose";H();import{errors as yu,jwtVerify as _u,SignJWT as wu}from"jose";var Ur="zuplo_mcp_session",Ru=d.object({purpose:d.literal("gateway_browser_session"),sub:yt,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()});function bu(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let 
i=r.slice(0,o).trim(),a=r.slice(o+1).trim();if(i)try{t.set(i,decodeURIComponent(a))}catch{t.set(i,a)}}return t}n(bu,"parseCookieHeader");async function qi(){return $({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-session"),"derive")})}n(qi,"getBrowserSessionKey");function Ar(e,t){let r=new URL(U(e,t)),o=[`${Ur}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(Ar,"buildBrowserSessionEvictionCookie");function Su(e){let t=new URL(U(e.requestUrl,e.requestHeaders)),r=[`${Ur}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(Su,"serializeSessionCookie");function Mi(){return new URL(bt("url")).origin}n(Mi,"readBrowserLoginOrigin");function kr(){return B().browserLogin.stateTtlSeconds}n(kr,"readBrowserLoginStateTtlSeconds");function Di(e){if(!e.user)throw _("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Ie(e.user,e.url)}n(Di,"resolveCurrentRequestPrincipal");async function Mt(e,t={}){let r=bu(e.headers.get("cookie")).get(Ur);if(!r)return{};try{let{payload:o}=await _u(r,await qi(),{algorithms:[z],issuer:O,audience:D}),i=Ru.parse(o);if(i.browserLoginOrigin!==Mi())return{evictCookie:Ar(e.url,e.headers)};let a={subjectId:i.sub};return i.roles&&i.roles.length>0&&(a.roles=i.roles),{principal:a}}catch(o){return o instanceof yu.JWTExpired?{evictCookie:Ar(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Ar(e.url,e.headers)})}}n(Mt,"readBrowserSession");async function Dt(e){let 
t=B().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:Mi()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new wu(r).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await qi());return Su({value:o,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},ttlSeconds:t})}n(Dt,"createBrowserSessionCookie");async function zi(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Mt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw _("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");let{exchangeFederatedAuthorizationCode:i}=await import("../browser-login-idp-WT4H7RKW.js");return i({code:o,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,...e.context===void 0?{}:{context:e.context}})}n(zi,"resolveBrowserLoginCallbackPrincipal");function Hi(e){let t=B().browserLogin,r=new URL(bt("url")),o=new URL("/oauth/callback",Hn(e.requestUrl,e.requestHeaders));return Jn(r)?(r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",bt("clientId")),r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}n(Hi,"buildBrowserLoginUrl");var vu={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},p=class extends 
Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=vu[t],i){super(r,i),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var Cu=5*60,Iu=d.object({purpose:d.literal("gateway_browser_login"),transactionId:Zt,stateId:Ft,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),xu=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:Zt,stateId:Ft,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function Ni(){return $({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-login"),"derive")})}n(Ni,"getBrowserLoginKey");async function Gi(){return $({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"authorization-csrf"),"derive")})}n(Gi,"getCsrfKey");function $i(e){return{now:e.now??new Date,ttlSeconds:kr()}}n($i,"readPendingTransactionDependencies");function Au(e,t){return e.subjectId===t.subjectId}n(Au,"principalsMatch");function Zi(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(Zi,"toPendingPrincipal");function Fi(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:R(e.now),expiresAt:R(J(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw _("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Zi(e.principal)}}n(Fi,"createTransactionRecord");async function Ki(e){let{id:t,...r}=e.record,o=await b().startAuthorization({...r,transactionId:t,...e.client===void 
0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw _("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new p("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new p("invalid_request","redirect_uri is not registered for the client.")}}n(Ki,"startPendingTransaction");async function Uu(e){return new Li({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Ni())}n(Uu,"signBrowserLoginState");async function Ji(e){return new Li({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Jt()}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Gi())}n(Ji,"signCsrfToken");async function Tr(e){try{let{payload:t}=await ji(e,await Ni(),{algorithms:[z],issuer:O,audience:D}),r=Iu.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Bi.JWTExpired?_("oauth_state_expired","Browser login state has expired.",t):_("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Tr,"verifyBrowserLoginStateToken");async function zt(e){try{let{payload:t}=await ji(e,await Gi(),{algorithms:[z],issuer:O,audience:D});return{transactionId:xu.parse(t).transactionId}}catch(t){throw t instanceof Bi.JWTExpired?_("oauth_state_expired","Authorization setup state has expired.",t):_("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(zt,"verifyCsrfToken");function Pr(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(Pr,"pendingStateErrorCode");function ku(e){return 
e.kind==="available"?{kind:"available",record:e.transaction}:e}n(ku,"toPendingAuthorizationGetResult");function Tu(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(Tu,"toPendingAuthorizationAdvanceResult");function Er(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Pr(e==="consumed_already"?"consumed_already":e)}n(Er,"setupDecisionErrorCode");async function Wi(e){let t=e.now??new Date,r=await zt(e.csrfToken),o=await b().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(t)});if(o.kind!=="marked")throw _(Er(o.kind),"Authorization setup state is invalid, expired, or already used.");return Vi({kind:"available",record:o.transaction})}n(Wi,"markSetupApproved");function Vi(e){if(e.kind!=="available")throw _(Pr(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(Vi,"requireAwaitingSetup");function Pu(e){if(!Au(e.currentBrowserPrincipal,e.transaction.principal))throw _("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(Pu,"requireCurrentPrincipalMatches");async function Yi(e){let t=e.now??new Date,r=kr(),o=Kt(),i=Jt(),a=await Uu({transactionId:o,stateId:i,ttlSeconds:r}),s=Fi({id:o,transaction:e.transaction,currentStateHash:await I(a),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw _("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Ki({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw _("oauth_state_invalid","Authorization transaction did not start in login 
phase.");return{transaction:c,browserLoginStateToken:a,browserLoginUrl:Hi({state:a,nonce:i,operationId:s.operationId,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(Yi,"startAwaitingLogin");async function Xi(e){let{now:t,ttlSeconds:r}=$i(e),o=Kt(),i=await Ji({transactionId:o,ttlSeconds:r}),a=Fi({id:o,transaction:e.transaction,currentStateHash:await I(i),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(a.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Ki({record:a,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:i}}n(Xi,"startAwaitingSetup");async function Qi(e){let{now:t,ttlSeconds:r}=$i(e),o=await Tr(e.browserLoginStateToken),i=await Ji({transactionId:o.transactionId,ttlSeconds:r}),a=Tu(await b().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await I(e.browserLoginStateToken),nextStateHash:await I(i),nextPhase:"awaiting_setup",principal:Zi(e.principal),now:R(t)}));if(a.kind!=="advanced")throw _(Pr(a.kind),"Browser login state is invalid, expired, or already used.");if(a.record.phase!=="awaiting_setup")throw _("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:a.record,csrfToken:i}}n(Qi,"completeLogin");async function ea(e){let t=await Or(e);return Pu({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(ea,"getSetup");async function Or(e){let t=e.now??new Date,r=await zt(e.csrfToken);return Vi(ku(await b().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),now:R(t)})))}n(Or,"getSetupTransaction");async function Eu(e){let t=await zt(e.csrfToken),r=Y(),o=R(J(e.now,Cu)),i=await 
b().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await I(r),authorizationCodeExpiresAt:o,grantId:Fn(),now:R(e.now)});if(i.kind!=="approved")throw _(i.kind==="cancelled"?"oauth_state_invalid":Er(i.kind),"Authorization setup state is invalid, expired, or already used.");let a=new URL(i.transaction.redirectUri);return a.searchParams.set("code",r),i.transaction.clientState&&a.searchParams.set("state",i.transaction.clientState),a}n(Eu,"createAuthorizationCodeRedirectWithDecision");async function Ou(e){let t=await zt(e.csrfToken),r=await b().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(e.now)});if(r.kind!=="cancelled")throw _(r.kind==="approved"?"oauth_state_invalid":Er(r.kind),"Authorization setup state is invalid, expired, or already used.");return qu({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Ou,"createCancelRedirectWithDecision");function qu(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(qu,"buildClientCancelRedirect");async function ta(e){let t=e.now??new Date;return Eu({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(ta,"approve");async function ra(e){let t=e.now??new Date;return Ou({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(ra,"cancel");H();var Mu=1e4,Du=5*1024,zu=2,Hu=90*24*60*60,qr="dcr:pkjwt:",Bu="chatgpt.com",ju="ChatGPT CIMD client metadata could not be used by this gateway. 
In ChatGPT advanced OAuth settings, change Registration method to Dynamic Client Registration (DCR), keep the discovered Registration URL, and retry connecting.",Mr=["authorization_code","refresh_token"],Dr=["code"],Lu=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(Mr)).min(1).max(2).optional(),response_types:d.array(d.enum(Dr)).min(1).max(1).optional(),scope:d.literal(P).optional(),token_endpoint_auth_method:$n.optional(),jwks_uri:d.string().min(1).optional()});function Nu(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&ue(t))&&t.pathname!=="/"}catch{return!1}}n(Nu,"isCimdClientIdCandidate");function Gu(e){try{let t=new URL(e);return t.protocol==="https:"&&t.hostname===Bu&&t.pathname.startsWith("/oauth/")&&t.pathname.endsWith("/client.json")}catch{return!1}}n(Gu,"isChatGptCimdClientId");function na(e){throw new p("invalid_client",Gu(e)?ju:"OAuth client is not registered.")}n(na,"invalidCimdClientError");function Me(e,t="invalid_request",r="authorize"){if($u(e))throw new p(t,"redirect_uris must not include raw whitespace or control characters.");let o;try{o=new URL(e)}catch{throw new p(t,"redirect_uris must be absolute URIs.")}if(o.hash||o.username||o.password)throw new p(t,"redirect_uris must not include credentials or fragments.");let i={source:r},a=Nn({url:o,context:i});if(a.kind!=="rejected"){a.mode!=="strict"&&void 0;return}throw new p(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(Me,"assertValidRedirectUri");function $u(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n($u,"hasForbiddenRawRedirectUriCharacter");async function Zu(e){let{response:t,json:r}=await fo(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:zu,maxResponseBytes:Du,timeoutMs:Mu});if(!t.ok)throw _("invalid_request","CIMD metadata could not be fetched.");let o=Zn.parse(r);for(let 
i of o.redirect_uris)Me(i,"invalid_request","cimd");if(o.jwks_uri!==void 0&&Rt(o.jwks_uri),o.client_id!==e.clientId)throw _("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(Zu,"fetchCimdMetadata");async function Fu(e){let t=lo(e),r=await Zu({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(Fu,"resolveCimdClient");async function Ht(e,t){let r=V.parse(e);if(Nu(r)){B().gateway.cimdEnabled||na(r);try{return await Fu(r)}catch{na(r)}}let o=await b().readClient({clientId:r});if(o.kind==="found"){let i=o.client,a=tl(i.clientId),s=a===void 0?i.tokenEndpointAuthMethod:"private_key_jwt",c=i.jwksUri??a;if(s==="private_key_jwt"&&c===void 0)throw new p("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let l={client_id:i.clientId,client_name:i.clientName,redirect_uris:i.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}},m={kind:"dcr",clientId:r,metadata:l};return i.hashedClientSecret&&(m.hashedClientSecret=i.hashedClientSecret),m}throw new p("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. 
Re-run client registration before authorization.":"OAuth client is not registered.")}n(Ht,"resolveClient");function oa(e,t){if(!e.metadata.redirect_uris.some(r=>Kn(r,t)))throw _("invalid_request","redirect_uri is not registered for the client.")}n(oa,"assertRedirectRegistered");function Ku(e){let t=ia(e.grant_types),r=e.response_types??[...Dr];if(!Ju(t))throw new p("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!Wu(r))throw new p("invalid_client_metadata","response_types must be code.");if(!Vu(e.scope))throw new p("invalid_client_metadata",`Only the ${P} scope is supported.`)}n(Ku,"assertSupportedDcrRequest");function ia(e){return e===void 0?[...Mr]:Array.from(new Set(e))}n(ia,"normalizeGrantTypes");function Ju(e){return e.length===0?!1:e.every(t=>Mr.includes(t))}n(Ju,"isSupportedGrantTypes");function Wu(e){return e.length===Dr.length&&e[0]==="code"}n(Wu,"isSupportedResponseTypes");function Vu(e){return e===void 0||e===P}n(Vu,"isSupportedDcrScope");function Yu(e){try{Rt(e)}catch(t){throw new p("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials, query, or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(Yu,"assertValidDcrJwksUri");function Xu(e){let t=new TextEncoder().encode(e),r="";for(let o of t)r+=String.fromCharCode(o);return btoa(r).replaceAll("+","-").replaceAll("/","_").replace(/=+$/,"")}n(Xu,"encodeBase64Url");function Qu(e){let t=e.replaceAll("-","+").replaceAll("_","/"),r=t.padEnd(t.length+(4-t.length%4)%4,"="),o;try{o=atob(r)}catch{return}let i=new Uint8Array(o.length);for(let a=0;a<o.length;a+=1)i[a]=o.charCodeAt(a);return new TextDecoder().decode(i)}n(Qu,"decodeBase64Url");function el(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?V.parse(`${qr}${crypto.randomUUID()}:${Xu(e.jwksUri)}`):V.parse(`dcr:${crypto.randomUUID()}`)}n(el,"createDcrClientId");function Bt(e){return 
e.startsWith(qr)}n(Bt,"isPrivateKeyJwtDcrCompatibilityClientId");function tl(e){if(!Bt(e))return;let t=e.slice(qr.length),r=t.indexOf(":");if(r===-1)return;let o=Qu(t.slice(r+1));if(o!==void 0){try{Rt(o)}catch{return}return o}}n(tl,"readPrivateKeyJwtDcrClientIdJwksUri");function rt(e){if(e===void 0||e===P)return P;throw new p("invalid_request",`Only the ${P} scope is supported.`)}n(rt,"assertSupportedOAuthScope");function De(e,t,r){let o;try{o=new URL(t)}catch{throw new p("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new p("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!ue(o))throw new p("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let i=U(e,r),a=zn(),s=a?[...a.byOperationId.values()].find(c=>new URL(c.routePath,i).toString()===t):void 0;if(!s)throw new p("invalid_target","resource must match a published MCP route.");return s}n(De,"resolveResource");async function aa(e){let t;try{t=Lu.parse(e)}catch(C){if(C instanceof d.ZodError){let L=C.issues.some(Re=>Re.path[0]==="redirect_uris");throw new p(L?"invalid_redirect_uri":"invalid_client_metadata",C.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:C})}throw C}Ku(t);for(let C of t.redirect_uris)Me(C,"invalid_redirect_uri","dcr");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new p("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&Yu(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",i=o==="private_key_jwt"?"none":o,a=el({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=J(r,Hu),c=Math.floor(r.getTime()/1e3),l=Math.floor(s.getTime()/1e3),m={client_id:a,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:ia(t.grant_types),response_types:["code"],scope:P,token_endpoint_auth_method:o,client_id_issued_at:c,...t.jwks_uri===void 
0?{}:{jwks_uri:t.jwks_uri}},f={clientId:a,clientName:String(m.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:i,createdAt:R(r),clientExpiresAt:R(s)};if(o==="client_secret_basic"||o==="client_secret_post"){let C=Y();f.hashedClientSecret=await I(C),f.clientSecretExpiresAt=R(s),m.client_secret=C,m.client_secret_expires_at=l,m.client_secret_issued_at=c}if((await b().registerClient(f)).kind==="already_exists")throw _("invalid_request","OAuth client is already registered.");return m}n(aa,"registerDownstreamClient");function jt(e){return S`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(jt,"renderShellIcon");function sa(e){return S`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(sa,"renderActions");var wy=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');var Ry=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),by=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" 
width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var Sy=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var rl="data:,",ca=S`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,da=S`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function nl(e,t){if(e)try{let r=new URL(t).origin,o=new URL(e,r);return o.origin!==r||!o.pathname.startsWith("/auth/connections/")?void 0:o.toString()}catch{return}}n(nl,"safeGatewayConnectHref");function ol(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(ol,"deriveMode");function il(e){return sa({state:e.state,submitOnceAttrs:ca,authorizeAttrs:Z})}n(il,"renderActions");function zr(e,t,r){for(let o of e){if(o.ownerMode!=="user"||o.status!==r)continue;let i=nl(o.connectUrl,t);if(i)return i}}n(zr,"firstUserConnectHref");function al(e){let t=e.connectHref?S`<a class="button button--primary" href="${e.connectHref}" ${da}>Connect</a>`:S`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return S`<form class="actions" method="post" action="/oauth/setup" ${ca}><input type="hidden" name="state" 
value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(al,"renderSetupActions");function sl(e){return e?S`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${da}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:Z}n(sl,"renderReconnectAction");function cl(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(cl,"isRenderableIconHref");function ua(e){return e?.find(t=>cl(t.src))?.src}n(ua,"readIconHref");function dl(e){return ua(e.serverIcons)??(e.transportHost===void 0?void 0:hr(e.transportHost).src)}n(dl,"readUpstreamIconHref");function ul(e){let t=ua(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=dl(r);if(o!==void 0)return o}}n(ul,"readHeaderIconHref");function ll(e){return S`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>`}n(ll,"renderBody");function Hr(e){let t=ol(e.upstreams),r=zr(e.upstreams,e.gatewayOrigin,"not_connected"),o=zr(e.upstreams,e.gatewayOrigin,"reconsent_required"),i=zr(e.upstreams,e.gatewayOrigin,"active"),a=t==="setup"?r??o:void 0,s=ul({routeIcons:e.routeIcons,upstreams:e.upstreams}),c=t==="setup"?S`<footer class="card__footer">${al({state:e.state,connectHref:a})}</footer>`:S`<footer class="card__footer">${sl(i)}${il({state:e.state})}</footer>`;return Pe(Oe({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??rl,styles:Ee,headerIcon:s===void 0?Z:jt({iconHref:s,fallbackIconHref:xt}),heading:"Authorize 
access",subhead:Z,body:ll({routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName}),footer:c}))}n(Hr,"renderConsentPage");var pl=1e4,la="mcp-session-id",ml,pa;function ya(){return{tools:[],prompts:[],resources:[]}}n(ya,"emptyCapabilities");function ma(e){let t=new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":Wt});switch(e.type){case"none":return t;case"bearer_token":return t.set("authorization",`Bearer ${e.token}`),t;case"headers":for(let[r,o]of Object.entries(e.headers))t.set(r,o);return t;case"mcp_oauth_provider":throw new Error("MCP OAuth provider credentials require async headers.")}}n(ma,"buildCredentialHeaders");async function fa(e){if(e.type!=="mcp_oauth_provider")return ma(e);let t=await e.provider.tokens();if(!t)return;let r=ma({type:"none"});return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(fa,"buildAsyncCredentialHeaders");function ha(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(ft.parse({jsonrpc:mt,id:1,method:"initialize",params:{protocolVersion:Wt,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(ha,"buildInitializePreflight");async function Br(e){uo(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),pl);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return pa?await pa(o):await ct.fetch(o)}finally{clearTimeout(r)}}n(Br,"runPreflight");function jr(e){e.body?.cancel().catch(()=>{})}n(jr,"releasePreflightBody");async function fl(e){let t=e.response.headers.get(la);if(!t)return;let r=new Headers(e.headers);r.set(la,t),r.delete("content-type");try{let o=await Br(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));jr(o)}catch{}}n(fl,"terminatePreflightSession");async function _a(e){let{response:t}=e;return jr(t),t.status>=200&&t.status<300?(await 
fl(e),{kind:"ready",upstreamStatus:t.status,capabilities:ya()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(_a,"classifyResponse");function ga(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(ga,"connectRequiredResult");async function hl(e){try{return _a({response:await Br(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(hl,"classifyPreflight");async function gl(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:ya()};let r=Et(t.upstreamServerId,e.route.operationId),o=Te(r,e.subjectId),i=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},a=new Request(e.requestUrl,{...e.requestHeaders===void 0?{}:{headers:e.requestHeaders}}),s=await ke({request:a,routeAuth:i,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return ga(s.payload);let c=await fa(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let l=ha({upstreamUrl:t.mcpUrl,headers:c}),m;try{m=await Br(l)}catch(C){return{kind:"upstream_unavailable",message:C instanceof Error?C.message:"Upstream MCP server readiness preflight failed."}}if(m.status!==401)return _a({response:m,upstreamUrl:t.mcpUrl,headers:c});jr(m);let f=await ke({request:a,routeAuth:i,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(f.kind==="connect_required")return ga(f.payload);let A=await fa(f.credential);return A===void 
0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:hl({request:ha({upstreamUrl:t.mcpUrl,headers:A}),upstreamUrl:t.mcpUrl,headers:A})}n(gl,"checkUpstreamRouteReadinessImpl");function wa(e){return(ml??gl)(e)}n(wa,"checkUpstreamRouteReadiness");function yl(e){try{return new URL(e).host}catch{return}}n(yl,"safeUrlHost");function _l(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}n(_l,"readOAuthScopes");function Ra(e){return e!==void 0&&e.length>0}n(Ra,"hasItems");function wl(e){let t=e.serverInfo?.icons;if(Ra(t))return t;let r=At(e.mcpUrl);return r===void 0?void 0:[r]}n(wl,"readServerIcons");async function Rl(e){if(!(e.returnTo===void 0||!e.isUserOwned))return yr({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Rl,"readConnectUrl");function _e(e,t){return t===void 0?{}:{[e]:t}}n(_e,"optionalRequirementField");function bl(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?oo(e.connection):{connected:!0,status:"active"}}n(bl,"readSetupConnectionStatus");function Sl(e){let t=_l(e);return Ra(t)?t:void 0}n(Sl,"readScopesRequested");function vl(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(vl,"readUpdatedAt");function Cl(){return{tools:[],prompts:[],resources:[]}}n(Cl,"readRouteCapabilities");async function Il(e){let{authConfig:t,authMode:r,description:o,displayName:i,mcpUrl:a,upstreamServerId:s,authProfileId:c}=e.registeredConnection,l=Ut(r),m=l==="user",f=bl({connection:e.connection,isUserOwned:m,readiness:e.readiness}),A=e.readiness?.connectUrl??await 
Rl({...e,connected:f.connected,isUserOwned:m});return{upstreamServerId:s,authProfileId:c,authMode:r,ownerMode:l,upstreamDisplayName:i,status:f.status,connected:f.connected,capabilities:Cl(),..._e("description",o),..._e("transportHost",yl(a)),..._e("scopesRequested",Sl(t)),..._e("serverIcons",wl(e.registeredConnection)),..._e("connectUrl",A),..._e("updatedAt",vl({connectionStatus:f,isUserOwned:m})),..._e("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(Il,"buildSetupRequirement");function ba(e){let t=N().byOperationId.get(e);if(!t)throw _("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(ba,"requireRoute");async function Lr(e){let t=ba(e.transaction.operationId),r=_t(e.transaction.principal.subjectId),o=[],i=new Map,a=t.connection;if(a===void 0)return[];Ut(a.authMode)==="user"&&(i.set(a,o.length),o.push({owner:r,upstreamServerId:a.upstreamServerId,authProfileId:a.authProfileId}));let s=await b().batchGetUpstreamConnections(o),c=[],l=Ut(a.authMode)==="user",m=i.get(a),f=await wa({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:l&&m!==void 0?s[m]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),A=(()=>{if("connectionStatus"in f&&f.connectionStatus)return f.connectionStatus})(),C=(f.kind==="connect_required"||f.kind==="admin_setup_required")&&f.payload.authUrl!==void 0?f.payload.authUrl:void 0;return c.push(await Il({connection:l&&m!==void 0?s[m]:void 0,registeredConnection:a,route:t,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:A===void 0?void 0:{...A,...C===void 0?{}:{connectUrl:C}}})),c}n(Lr,"requirementsForSetup");function xl(e){return e.route.connection?.displayName??e.route.operationId}n(xl,"readRouteDisplayName");async function Nr(e){let t=ba(e.transaction.operationId),r=xl({route:t}),o=await 
b().readClient({clientId:e.transaction.clientId}),i=o.kind==="found"?o.client:void 0,a={gatewayOrigin:U(e.requestUrl,e.requestHeaders),routeDisplayName:r,clientDisplayName:i?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(a.routeDescription=s),a}n(Nr,"consentContext");function Gr(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Gr,"hasUnresolvedUserUpstream");var Al=["mcp_user"],Ul="dev-browser-user",kl=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Tl=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:Gn,state:d.string().min(1).optional(),scope:d.literal(P).default(P)}),Pl=d.enum(["continue","approve","cancel"]).default("continue"),El=d.object({state:d.string().min(1),decision:Pl}),ae=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function Sa(e){return typeof e=="string"&&e.length>0?e:void 0}n(Sa,"readQueryString");function Ol(e){let t=Array.from(N().byOperationId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return 
Vt(r.operationId,e.url,e.headers)}n(Ol,"inferSingleRouteResource");function ql(e,t){let r=Sa(e.query.resource);if(t===void 0){if(r!==void 0)return r;let i=Ol(e);if(i!==void 0)return i;throw new p("invalid_target",kl)}let o=Vt(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new p("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(ql,"requireAuthorizeResource");async function Ml(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let i=Di(e);return{principal:i,setCookie:await Dt({principal:i,requestUrl:e.url,requestHeaders:e.headers})}}n(Ml,"resolveBrowserPrincipal");async function Dl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(!o.principal)throw _("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Dl,"requireSetupPrincipal");function va(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}n(va,"buildSetupReturnTo");async function Ca(e){let t=await Lr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:va(e.csrfToken)}),r=await Nr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}}),o={kind:"setup_page",html:Hr({state:e.csrfToken,operationId:e.transaction.operationId,upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(Ca,"renderSetup");function zl(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(zl,"toAuthorizationTransactionClient");async function $r(e,t={}){let r=Tl.parse({...e.query,resource:ql(e,t.operationId),state:Sa(e.query.state)}),o=rt(r.scope);Me(r.redirect_uri,"invalid_request","authorize");let i=new Date,a=V.parse(r.client_id),s=await 
Ht(r.client_id,i);oa(s,r.redirect_uri);try{let c=De(e.url,r.resource,e.headers),l=zl(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:a,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&v(t.context,{eventType:w.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type}});let m={clientId:s?.clientId??a,...l===void 0?{}:{client:l},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:f,setCookie:A}=await Ml(e,t.context);if(!f){let L=await Yi({transaction:m,requestUrl:e.url,requestHeaders:e.headers,now:i});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:a,operationId:c.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let Re={kind:"redirect",location:L.browserLoginUrl};return A!==void 0&&(Re.setCookie=A),Re}let C=await Xi({transaction:m,principal:f,now:i});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:a,operationId:c.operationId,subjectId:f.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&v(t.context,{eventType:w.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type,subjectId:f.subjectId}}),Ca({transaction:C.transaction,csrfToken:C.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:A})}catch(c){throw Hl({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n($r,"authorizeDownstreamClient");function Hl(e){if(e.cause instanceof ae)return e.cause;let t=Bl(e.cause);return t?new 
ae({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Hl,"toDownstreamAuthorizeRedirectError");function Bl(e){if(e instanceof p)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(Bl,"mapToOAuthRedirectError");async function Ia(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let m=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,f=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...m===void 0?{}:{idpErrorDescription:m},...f===void 0?{}:{idpErrorUri:f}},"Identity provider redirected browser-login callback with an error"),_("provider_access_denied",m??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),_("oauth_state_invalid","Browser login callback is missing state.");let i=await Tr(o),a={request:e,stateId:i.stateId};t.context!==void 0&&(a.context=t.context);let s=await zi(a),c=await Qi({browserLoginStateToken:o,principal:s}),l=await Ca({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return l.setCookie=await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers}),l}n(Ia,"completeBrowserLoginCallback");async function xa(e){let t=B(),r=new URL(e.url);if(!ue(r))throw _("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw _("oauth_state_invalid","Local browser login 
is missing state.");let i=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",U(e.url)),a=new URL(U(e.url)).origin;if(i.origin!==a||i.pathname!=="/oauth/callback")throw _("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");i.searchParams.set("state",o);let s={subjectId:yt.parse(Ul),roles:Al};return{kind:"redirect",location:i,setCookie:await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers})}}n(xa,"completeLocalDevBrowserLogin");function jl(e){let t=e.method==="POST"?e.body:e.query;return El.parse(t)}n(jl,"readSetupContinueRequest");async function Aa(e){let{state:t,decision:r}=jl({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,i=await Or({csrfToken:t,now:o}),a=await Dl(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await ra({csrfToken:t,currentBrowserPrincipal:a,now:o})};let s=await ea({csrfToken:t,currentBrowserPrincipal:a,now:o}),c=await Lr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:va(t)});if(r==="approve"&&Gr(c)&&await Wi({csrfToken:t,currentBrowserPrincipal:a,now:o}),Gr(c)){let l=await Nr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:Hr({state:t,operationId:s.operationId,upstreams:c,...l})}}return{kind:"redirect",location:await ta({csrfToken:t,currentBrowserPrincipal:a,now:o})}}n(Aa,"continueDownstreamAuthorizeSetup");H();import{createLocalJWKSet as Ll,decodeJwt as Nl,errors as nt,jwtVerify as Gl}from"jose";var $l=new 
Set(["authorization_code","refresh_token"]),Zl="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",Fl=1e4,Kl=32*1024,Jl=2,Ua=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),Wl=d.discriminatedUnion("grant_type",[Ua.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:gt,resource:d.url().optional(),scope:d.literal(P).optional()}),Ua.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(P).optional()})]);function Vl(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!$l.has(t)))throw new p("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(Vl,"assertSupportedGrantType");var Yl=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),Xl=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function ka(){return B().gateway.accessTokenTtlSeconds}n(ka,"readAccessTokenTtlSeconds");function Ql(){return B().gateway.refreshTokenTtlSeconds}n(Ql,"readRefreshTokenTtlSeconds");function ep(e,t){let r=ka(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),i=Math.min(r,o);return{expiresAt:R(J(e,i)),expiresIn:i}}n(ep,"calculateAccessTokenExpiresAt");function Ta(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new p("invalid_client","Malformed HTTP Basic client 
authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}}n(Ta,"readBasicClientSecret");function Pa(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new p("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=Nl(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new p("invalid_client","Malformed private_key_jwt client assertion.")}throw new p("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new p("invalid_client","Client authentication or client_id is required.")}n(Pa,"resolveAuthenticatedClientId");function tp(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(tp,"resolveClientSecretInput");function rp(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(rp,"hasClientAssertion");function np(e){if(e.requestUrl===void 0)throw new p("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,U(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(np,"buildEndpointAudience");function op(e){return e instanceof nt.JWTExpired?"expired":e instanceof nt.JWTClaimValidationFailed?"claim":e instanceof nt.JWSSignatureVerificationFailed?"signature":e instanceof nt.JWKSNoMatchingKey?"jwks_no_match":e instanceof nt.JWTInvalid?"invalid":e instanceof 
d.ZodError?"schema":"other"}n(op,"readJwtFailureKind");async function ip(e){let{response:t,json:r}=await ho(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:Jl,maxResponseBytes:Kl,timeoutMs:Fl});if(!t.ok)throw new p("invalid_client","Client JWKS could not be fetched.");return Xl.parse(r)}n(ip,"fetchClientJwks");async function ap(e){if(e.clientAssertionType!==Zl||e.clientAssertion===void 0)throw new p("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=V.parse(e.clientId),r=await Ht(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new p("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new p("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let i=np({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let a=await ip({jwksUri:o,context:e.context});await Gl(e.clientAssertion,Ll(a),{issuer:t,subject:t,audience:i,currentDate:e.now})}catch(a){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:op(a)},"OAuth private_key_jwt client authentication failed"),new p("invalid_client","Client authentication failed.")}return Bt(t)?{method:"none",clientId:t}:{method:"private_key_jwt",clientId:t}}n(ap,"verifyPrivateKeyJwtClientAssertion");async function sp(e){let t=V.parse(e.clientId);if(Bt(t))throw new p("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await I(e.clientSecret)}}n(sp,"buildRuntimeHttpClientAuth");async function Ea(e){if(rp({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 
0||e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return ap(e)}let t=tp({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return sp({clientId:e.clientId,...t})}n(Ea,"resolveRuntimeHttpClientAuth");async function Oa(e){Vl(e.body);let t=Wl.parse(e.body),r=Ta(e.authorizationHeader),o=Pa({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date,a=await Ea({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:i,context:e.context});return cp({parsed:t,clientId:o,clientAuth:a,now:i,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(Oa,"exchangeDownstreamToken");async function cp(e){if(e.parsed.grant_type==="authorization_code"){Me(e.parsed.redirect_uri,"invalid_request","token"),rt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let s=Y(),c=Y(),l=R(J(e.now,Ql())),m=ep(e.now,l),f=await b().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await I(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await co(e.parsed.code_verifier),currentRefreshTokenHash:await I(s),accessTokenHash:await I(c),grantExpiresAt:l,accessTokenExpiresAt:m.expiresAt,now:R(e.now)});if(f.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(f.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the authorization code resource.");if(f.kind!=="exchanged")throw new p("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return 
e.context&&v(e.context,{eventType:w.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:c,token_type:"Bearer",expires_in:m.expiresIn,refresh_token:s,scope:f.grant.scope,resource:f.grant.resource}}rt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=Y(),r=Y(),o=R(J(e.now,ka())),i=await b().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await I(e.parsed.refresh_token),nextRefreshTokenHash:await I(t),accessTokenHash:await I(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:o,now:R(e.now)});if(i.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new p("invalid_grant","Refresh token is invalid, expired, or revoked.");De(e.requestUrl??i.grant.resource,i.grant.resource,e.requestHeaders);let a=i.accessToken.expiresAt;return e.context&&(v(e.context,{eventType:w.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),v(e.context,{eventType:w.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(a).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:i.grant.scope,resource:i.grant.resource}}n(cp,"exchangeDownstreamTokenWithRuntimeHttp");async function qa(e){let t=Yl.parse(e.body),r=Ta(e.authorizationHeader),o=Pa({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date;if((await b().revokeOAuthToken({clientAuth:await 
Ea({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:i,context:e.context}),tokenHash:await I(t.token),now:R(i)})).kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&v(e.context,{eventType:w.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(qa,"revokeDownstreamToken");var dp=64*1024,up=16*1024,lp="text/html; charset=utf-8";function pp(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(pp,"formDataToObject");async function mp(e){return Ei(e,{maxBytes:dp,label:"Request body"})}n(mp,"readJsonBody");async function Fr(e){return pp(await Oi(e,{maxBytes:up,label:"Request body"}))}n(Fr,"readFormBody");async function Da(e,t,r){let o=le(r),i=r instanceof d.ZodError?se(r):void 0,a={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return i!==void 0&&(a.detail=i),Ln(e,t,a)}n(Da,"handleProblem");function za(e){return e?.requestId}n(za,"readBrowserRequestId");function Ha(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(Ha,"readUpstreamHtmlError");function Ma(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(Ma,"readRuntimeErrorExtensionString");function fp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(fp,"readRuntimeErrorExtensionNumber");function hp(e){try{return new URL(e.url).pathname}catch{return}}n(hp,"readBrowserRequestPath");function we(e){let t={code:e.code,requestId:e.requestId,routePath:hp(e.request),underlyingError:e.underlyingError};return 
e.error instanceof g&&(t.httpStatus=fp(e.error,ve),t.contentType=Ma(e.error,be),t.upstreamUrl=Ma(e.error,Ce)),t}n(we,"buildBrowserErrorDiagnostic");function ot(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(ot,"oauthErrorResponse");function gp(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(gp,"readOAuthProtocolHeaders");function yp(e,t){let r=j("internal_server_error");return ot({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:gp(e,t)})}n(yp,"oauthProtocolErrorResponse");function Zr(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(Zr,"readZodOAuthErrorCode");function _p(e){let t={error:Zr(e)},r=se(e);return r!==void 0&&(t.errorDescription=r),ot(t)}n(_p,"oauthZodErrorResponse");function wp(e){let t=le(e);if(t===void 0)return;let r=j(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:bp(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,ot(o)}n(wp,"oauthGatewayProblemResponse");function Rp(){let t={error:"server_error",status:500,errorDescription:j("internal_server_error").publicDetail};return ot(t)}n(Rp,"oauthFallbackErrorResponse");function bp(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(bp,"readOAuthStatus");function Kr(e,t={}){return e instanceof ae?La(e):e instanceof p?yp(e,t):e instanceof d.ZodError?_p(e):wp(e)??Rp()}n(Kr,"oauthProblemResponse");function Jr(e,t,r){let o=qe(e.url),i=za(t);if(r instanceof ae)return La(r);if(r instanceof p){let c=j("internal_server_error");return 
F({host:o,kind:Sp(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:we({request:e,requestId:i,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:i,status:r.status})}if(r instanceof d.ZodError)return F({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was invalid.",code:Zr(r),diagnostic:we({request:e,requestId:i,code:Zr(r),underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:i});let a=le(r);if(a!==void 0){let c=j(a);return F({host:o,kind:ja(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:we({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:Ha(r),status:c.status})}let s=j("internal_server_error");return F({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:we({request:e,requestId:i,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(Jr,"browserOAuthProblemResponse");function Ba(e,t,r){let o=qe(e.url),i=za(t),a=le(r);if(a!==void 0){let c=j(a);return F({host:o,kind:ja(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:we({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:Ha(r),status:c.status})}if(r instanceof d.ZodError)return F({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was 
invalid.",code:"invalid_request",diagnostic:we({request:e,requestId:i,code:"invalid_request",underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:i});let s=j("internal_server_error");return F({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:we({request:e,requestId:i,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(Ba,"browserGatewayProblemResponse");function Sp(e){return e==="server_error"?"internal_error":"invalid_request"}n(Sp,"readOAuthBrowserErrorKind");function ja(e){if(j(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(ja,"readGatewayBrowserErrorKind");function ee(e,t,r){let o={event:t},i=!1;if(r instanceof p)o.oauthError=r.errorCode,o.status=r.status,W(o,"error",r);else if(r instanceof ae)o.oauthError=r.errorCode,W(o,"error",r);else if(r instanceof 
d.ZodError){o.code="invalid_request",W(o,"error",r);let a=r.issues[0];a&&(o.zodPath=a.path.join("."))}else{let a=le(r);if(a!==void 0){let s=j(a);o.code=a,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),i=s.status>=500||s.oauthError==="server_error",W(o,"error",r)}else i=!0,W(o,"error",r)}if(i){let a=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,a.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(ee,"logUnexpectedOAuthHandlerError");function La(e){let t;try{t=new URL(e.redirectUri)}catch{return ot({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(La,"downstreamAuthorizeRedirectErrorResponse");function se(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(se,"formatZodErrorDetail");function vp(e,t){let r={event:"browser_login_callback_failed",code:le(t)??"invalid_request"};W(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(vp,"logBrowserLoginCallbackFailure");function Na(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n(Na,"redirectResultResponse");function Lt(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":lp,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return Na(e)}n(Lt,"authorizeResultResponse");async 
function Ga(e,t){try{return Response.json(Wn(e.url,e.headers))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),Da(e,t,r)}}n(Ga,"authorizationServerMetadataHandler");async function $a(e,t){try{let r=Yt(e.params.routePath);return Response.json(Vn({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),Da(e,t,r)}}n($a,"scopedAuthorizationServerMetadataHandler");async function Za(e,t){try{let r=await aa(await mp(e)),o=r,i=typeof o.client_id=="string"?o.client_id:void 0,a=typeof o.client_name=="string"?o.client_name:void 0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:i,clientName:a,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),v(t,{eventType:w.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:a,attributes:{clientId:i,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_register_failed",r),Kr(r)}}n(Za,"registerHandler");async function Fa(e,t){try{return Lt(await $r(e,{context:t}))}catch(r){return ee(t,"oauth_authorize_failed",r),Jr(e,t,r)}}n(Fa,"authorizeHandler");async function Ka(e,t){try{let r=Yt(e.params.routePath);return Lt(await $r(e,{operationId:r.operationId,context:t}))}catch(r){return ee(t,"oauth_authorize_scoped_failed",r),Jr(e,t,r)}}n(Ka,"scopedAuthorizeHandler");async function Ja(e,t){try{let r=await Ia(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Lt(r)}catch(r){return vp(t,r),Ba(e,t,r)}}n(Ja,"callbackHandler");async function Wa(e,t){try{return Na(await xa(e))}catch(r){return 
ee(t,"oauth_dev_login_failed",r),Jr(e,t,r)}}n(Wa,"devLoginHandler");async function Va(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await Aa({request:e,body:e.method==="POST"?await Fr(e):void 0,context:t});return Lt(r)}catch(r){return ee(t,"oauth_setup_failed",r),Ba(e,t,r)}}n(Va,"setupHandler");async function Ya(e,t){try{return Response.json(await Oa({body:await Fr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return ee(t,"oauth_token_failed",r),Kr(r)}}n(Ya,"tokenHandler");async function Xa(e,t){try{return await qa({body:await Fr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_revoke_failed",r),Kr(r)}}n(Xa,"revokeHandler");var Cp={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},Qa=Symbol("upstream-request");function Ip(e){let t=e[Qa];if(!t)throw new M("Upstream request context has not been set");return t}n(Ip,"readUpstreamRequestContext");function xp(e,t){return t.some(r=>r===e)}n(xp,"requestContextMatchesKind");function Ap(e){return typeof e=="string"?[e]:e}n(Ap,"toExpectedKinds");function ze(e,t){Object.defineProperty(e,Qa,{configurable:!0,value:t})}n(ze,"setUpstreamRequestContext");function it(e,t){let r=Ip(e),o=Ap(t);if(!xp(r.kind,o)){let i=Cp[o[0]];throw new M(`${i} request context has not been set`)}return r}n(it,"requireUpstreamRequestContext");function es(e){return S`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(es,"renderBrowserResult");var Up="text/html; charset=utf-8",kp="none";function Tp(e){let t=fr(e.host);return 
Oe({title:e.title,iconHref:t,styles:Ee,headerIcon:jt({iconHref:t,fallbackIconHref:xt}),heading:e.title,subhead:"",body:es({body:e.body,code:e.code??kp}),footer:""})}n(Tp,"browserResultHtml");function Pp(e,t=200){return new Response(Pe(e),{status:t,headers:{"content-type":Up,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Pp,"browserResultResponse");function ts(e){return Pp(Tp(e))}n(ts,"browserConnectionSuccessResponse");function Nt(e,t,r={}){let o=jn(t);return F({host:e,kind:Ep(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(Nt,"browserConnectionFailureResponse");function Ep(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(Ep,"readCallbackFailureBrowserErrorKind");var Op=["callback_authorization_code","callback_provider_error","callback_invalid"];function Wr(e){try{return new URL(e.url).pathname}catch{return}}n(Wr,"readBrowserRequestPath");function qp(e){return"cause"in e?e.cause:void 0}n(qp,"readErrorCause");function Mp(e){return e.stack?.split(`
48
- `).slice(1,4).map(t=>t.trim()).join(" | ")}n(Mp,"readFirstStackFrame");function rs(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=Mp(r))}n(rs,"addErrorAttributes");function Vr(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[y];return bn(t)?t:void 0}n(Vr,"readRuntimeGatewayCode");function ns(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(ns,"readRuntimeErrorExtensionString");function Dp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Dp,"readRuntimeErrorExtensionNumber");function zp(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),v(t,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),Nt(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:Wr(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Nt(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:Wr(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(zp,"requireAuthorizationCallbackRequest");function 
Hp(e,t){v(e,{eventType:w.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(Hp,"emitCallbackReceivedAnalyticsEvent");function Bp(e,t){v(e,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(Bp,"emitTokenExchangeSucceededAnalyticsEvent");function jp(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return ts({host:qe(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(jp,"buildSuccessfulCallbackResponse");function Lp(e){let t={detail:e instanceof Error?e.message:void 0};return rs(t,"error",e),e instanceof Error&&rs(t,"cause",qp(e)),t}n(Lp,"buildTokenExchangeFailureAttributes");function Np(e){v(e.context,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:Vr(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:Lp(e.error)})}n(Np,"emitTokenExchangeFailedAnalyticsEvent");function Gp(e){let t=e.error,r=Vr(t),o=Sn(r)?r:"upstream_token_exchange_failed",i={code:o,requestId:e.context.requestId,routePath:Wr(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof g?{httpStatus:Dp(t,ve),contentType:ns(t,be),upstreamUrl:ns(t,Ce)}:{}};return Nt(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:i,upstreamHtml:$p(t)})}n(Gp,"tokenExchangeFailureResponse");function $p(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n($p,"readUpstreamHtmlError");async function Yr(e,t){let r=it(e,Op),o=qe(e.url),i=zp(e,t,r,o);if(i instanceof Response)return i;Hp(t,i);try{let a=await bi({request:e,callbackRequest:i});return 
Bp(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,operationId:a.operationId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),jp(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:Vr(a)??"upstream_token_exchange_failed",upstreamServerId:i.upstreamServerId};return W(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),Np({context:t,callbackRequest:i,error:a}),Gp({request:e,context:t,host:o,callbackRequest:i,error:a})}}n(Yr,"callbackHandler");function Zp(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(Zp,"clientMetadataProblemDetail");async function os(e,t){let r=it(e,"connect"),o=await Ri({request:e,connectRequest:r});if(v(t,{eventType:w.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let i=await Tt({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(i,{status:428})}n(os,"connectHandler");async function Xr(e,t){let r=it(e,"client_metadata");try{let o=ti(e.url,e.headers),i=ri(o,r.upstreamServerId,r.authProfileId);return Response.json(i)}catch(o){if(!(o instanceof T))throw o;let i=o instanceof Error?o.message:String(o);return 
t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),de.notFound(e,t,{code:"not_found",detail:Zp(o)})}}n(Xr,"oauthClientMetadataHandler");function ce(e){if(typeof e=="string"&&e.length!==0)return e}n(ce,"readOptionalQueryString");function Fp(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new M(`Validated path parameter ${t} is missing`);return r}n(Fp,"requirePathString");function Kp(e){let t=ce(e);return t?pt.parse(t):void 0}n(Kp,"readOptionalOperationId");function Jp(e,t){let r=ce(e);return r?xn.parse(r):ht(t,"user-oauth")}n(Jp,"readOptionalAuthProfileId");function Wp(e,t){let r=e.params[t];return typeof r=="string"&&r.length>0?r:void 0}n(Wp,"readOptionalPathString");function Vp(e){let t=Kp(e);if(!t)throw new g({message:"operationId query parameter is required.",extensionMembers:{[y]:"invalid_request"}});return t}n(Vp,"readRequiredOperationId");function Yp(e){let t=Qn(ce(e));return t===void 0?{}:{returnTo:t}}n(Yp,"readOptionalReturnTo");function Xp(e){let t=ce(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(Xp,"readOptionalProviderErrorDescription");function Qp(e){let t=G(e.authMode);if(t.connectSupport!=="none")return e;throw new g({message:t.connectUnsupportedDetail??"This upstream does not support browser connection flows.",extensionMembers:{[y]:"invalid_request"}})}n(Qp,"requireConnectableRouteAuth");function em(e,t,r,o){return{kind:"connect",...Te(e,t.subjectId),...o===void 0?{}:{returnTo:o},redirect:r}}n(em,"buildConnectContextForUser");function tm(e,t,r){let o=wt(t),i=G(e.authMode);if(o.mode!==i.ownerMode)throw new g({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[y]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 
0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(tm,"buildConnectContextForTicket");async function rm(e,t){let r=Qp(Et(t,Vp(e.query.operationId))),o=e.query.redirect==="true",i=ce(e.query.browserTicket);if(e.user){if(i)throw new g({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[y]:"invalid_request"}});let s=Ie(e.user,e.url);return em(r,s,o,Yp(e.query.returnTo).returnTo)}if(!i)throw new g({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[y]:"authentication_required"}});let a=await Yo(i);if(a.ownerMode!==r.ownerMode||a.upstreamServerId!==r.upstreamServerId||a.authProfileId!==r.authProfileId||a.operationId!==r.operationId)throw new g({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[y]:"oauth_callback_mismatch"}});return await Xo(a),tm(r,a,o)}n(rm,"resolveConnectContext");async function nm(e,t,r){let o=In.parse(Fp(e,"connection"));switch(r){case"connect":ze(e,await rm(e,o));return;case"callback":{let i=ce(e.query.error);if(i){ze(e,{kind:"callback_provider_error",upstreamServerId:o,error:i,...Xp(e)});return}let a=ce(e.query.code),s=ce(e.query.state);if(a&&s){ze(e,{kind:"callback_authorization_code",upstreamServerId:o,code:a,state:s});return}ze(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":ze(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:Jp(Wp(e,"authProfileId")??e.query.authProfileId,o)});return}}n(nm,"resolveUpstreamRequestInbound");async function om(e,t,r){try{await nm(e,t,r);return}catch(o){let i=o instanceof g?o.extensionMembers?.[y]:void 0,a=o instanceof Error?o.message:void 0;switch(i){case"invalid_request":case"oauth_callback_mismatch":return de.badRequest(e,t,{code:i,detail:a});case"authentication_required":return de.unauthorized(e,t,{code:i,detail:a});default:throw o}}}n(om,"applyUpstreamRequestContext");function 
at(e,t){return n(async(o,i)=>{let a=await om(o,i,e);return a||t(o,i)},"wrapped")}n(at,"withUpstreamRequestContext");var im={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function am(){return new Response(null,{status:204,headers:im})}n(am,"buildWellKnownPreflightResponse");function sm(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(sm,"withWellKnownCorsHeaders");function Qr(e){return async(t,r)=>t.method==="OPTIONS"?am():sm(await e(t,r))}n(Qr,"wrapWellKnownHandler");var ss=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Qr(Ga),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:Qr($a),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:Qr(Yn),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Za},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Fa},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:Ka},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Ja},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Wa},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:Va},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:Ya},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:Xa},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:at("client_metadata",Xr)},{routeName:"ups
tream_client_metadata_profile",path:"/.well-known/oauth-client/:connection/:authProfileId",methods:["GET"],handler:at("client_metadata",Xr)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:at("connect",os)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:at("callback",Yr)}],cm=ss.filter(e=>!e.routeName.startsWith("upstream_")),dm=ss.filter(e=>e.routeName.startsWith("upstream_"));function cs(e){return e?.some(wn)??!1}n(cs,"hasMcpOAuthRuntimeConfigPolicy");function ds(e){return e?.some(t=>En(t.policyType))??!1}n(ds,"hasMcpTokenExchangePolicy");function us(e){return cs(e)||ds(e)}n(us,"shouldRegisterMcpGatewayInternalRoutes");function um(e){Mn(On({routes:e.routes,policies:e.policies}))}n(um,"initializeMcpGatewayConnectionRegistry");function lm(e){let t=Rn(e.policies);if(!t){let r=[..._n].map(o=>`\`${o}\``).join(", ");throw new T(`MCP gateway: could not find an MCP authorization policy in policies.json. 
Add one of [${r}] and reference it on your MCP routes.`)}return t.config}n(lm,"initializeMcpGatewayOAuthRuntimeConfig");function is(e,t,r){return async(o,i)=>{r&&gn(i,r());let a=o.method==="OPTIONS",s=Date.now();a||i.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,i);return a||i.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(is,"wrapInternalHandler");function as(e,t,r){e.addPluginRoute({path:t.path,methods:t.methods,handler:r,processors:[sn],corsPolicy:t.corsPolicy??"none"})}n(as,"addInternalRoute");function ls(e,t){um(t);let r=cs(t.policies),o=ds(t.policies),i,a=n(()=>(i===void 0&&(i=lm(t)),i),"readOAuthConfig");if(r)for(let s of cm)as(e,s,is(s.routeName,s.handler,a));if(o)for(let s of dm)as(e,s,is(s.routeName,s.handler))}n(ls,"registerMcpGatewayInternalRoutes");function ps(e){qn(e)}n(ps,"configureLazyMcpGatewayState");var en=class extends on{static{n(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!us(r.policies))return;let o={routes:r.routes,policies:r.policies};ps(o),ls(t.router,o)}};var pm=new TextDecoder;function mm(e){if(e)try{return JSON.parse(pm.decode(e))}catch{return}}n(mm,"readBodyJson");function te(e){return e&&typeof e=="object"?e:void 0}n(te,"readRecord");function st(e,t){let r=te(e)?.[t];return typeof r=="string"?r:void 0}n(st,"readStringProperty");function fs(e,t){let r=te(e)?.[t];return typeof r=="number"?r:void 0}n(fs,"readNumberProperty");function ms(e,t){return fs(e,"code")??(t.status>=400?t.status:void 0)}n(ms,"readErrorCode");function hs(e){return Array.isArray(e)?e.map(hs).find(t=>t?.method):te(e)}n(hs,"readJsonRpcMessage");function gs(e){let t=hs(mm(e)),r=typeof 
t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:st(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:st(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let i=st(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:i,resourceUri:i}}default:return null}}n(gs,"buildBaseCapabilityInput");function ys(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(ys,"isCapabilityListMethod");function fm(e,t,r){let a=te(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(a)?a.length:void 0}n(fm,"readItemCount");async function hm(e){try{return await e.clone().json()}catch{return}}n(hm,"readResponseJson");function _s(e){let t=gs(e);return!t||ys(t.mcpMethod)?null:{eventType:w.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(_s,"buildCapabilityInvokedAnalyticsInput");async function ws(e,t){let r=gs(e);if(!r)return null;let o=te(await hm(t)),i=te(o?.error),a=te(i?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&te(s)?.isError===!0;if(te(a?.connectRequired))return{eventType:w.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:fs(i,"code"),mcpErrorType:st(i,"message")};if(ys(r.mcpMethod)){let l=t.status>=400?void 
0:fm(r.mcpMethod,r.capabilityType,s);return{eventType:w.MCP_CAPABILITY_LISTED,outcome:t.status>=400||i?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||i?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:ms(i,t)}:{},...l===void 0?{}:{attributes:{itemCount:l}}}}return t.status>=400||i?{eventType:w.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:ms(i,t),mcpErrorType:st(i,"message")}:{eventType:w.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(ws,"buildCapabilityFinalAnalyticsInput");var gm={Allow:"POST"};async function ym(e){try{return await e.clone().arrayBuffer()}catch{return}}n(ym,"readRequestBody");function Rs(e){try{let t=Dn(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Rs,"readRouteAnalyticsFields");function bs(e){return Xn(e.user,e.url,e.headers)?.subjectId}n(bs,"readRequestSubjectId");function _m(e){let t=_s(e.requestBody);t&&v(e.context,{...t,...Rs(e.context),httpMethod:e.request.method,subjectId:bs(e.request),transport:"http"})}n(_m,"emitCapabilityInvokedAnalytics");async function wm(e){let t=await ws(e.requestBody,e.response);t&&v(e.context,{...t,...Rs(e.context),httpMethod:e.request.method,subjectId:bs(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(wm,"emitCapabilityFinalAnalytics");async function Rm(e,t){if(e.method==="GET")return de.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. 
Server-sent event GET streams are not supported."},gm);let r=Date.now(),o=await ym(e);_m({context:t,request:e,requestBody:o});let i=await fn(e,t);return await wm({context:t,request:e,requestBody:o,response:i,startedAt:r}),i}n(Rm,"McpProxyHandler");export{xs as McpAuth0OAuthInboundPolicy,Qt as McpCapabilityFilterInboundPolicy,en as McpGatewayPlugin,Is as McpOAuthInboundPolicy,Rm as McpProxyHandler,xr as McpTokenExchangeInboundPolicy};
47
+ ></iframe>`}n(gu,"renderUpstreamHtml");var Ea="application/json",yu="application/x-www-form-urlencoded";function qt(e,t){return new g({message:e,extensionMembers:{[y]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(qt,"invalidRequestError");function _u(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(_u,"normalizeContentType");function wu(e,t){return e===t?!0:t===Ea&&e.endsWith("+json")}n(wu,"contentTypeMatches");function Ru(e,t){if(!t||t.length===0)return;let r=_u(e.headers.get("content-type"));if(!t.some(o=>wu(r,o)))throw qt(`Request body must be ${t.join(" or ")}.`)}n(Ru,"assertExpectedContentType");function bu(e,t,r){let o=e.headers.get("content-length");if(!o)return;let a=Number.parseInt(o,10);if(Number.isFinite(a)&&a>t)throw qt(`${r} exceeded the maximum allowed size.`)}n(bu,"assertContentLengthWithinLimit");async function Oa(e,t){let r=t.label??"Request body";Ru(e,t.expectedContentTypes),bu(e,t.maxBytes,r);let o=await po(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>qt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(Oa,"readBoundedTextBody");async function qa(e,t){let r=await Oa(e,{...t,expectedContentTypes:[Ea]});try{return JSON.parse(r)}catch(o){throw qt("Request body must be valid JSON.",o)}}n(qa,"readBoundedJsonBody");async function Ma(e,t){let r=await Oa(e,{...t,expectedContentTypes:[yu]});return new URLSearchParams(r)}n(Ma,"readBoundedFormUrlEncodedBody");H();H();import{errors as La,jwtVerify as Na,SignJWT as Ga}from"jose";H();import{errors as Su,jwtVerify as Cu,SignJWT as vu}from"jose";var Ur="zuplo_mcp_session",Iu=d.object({purpose:d.literal("gateway_browser_session"),sub:yt,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()});function xu(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let 
a=r.slice(0,o).trim(),i=r.slice(o+1).trim();if(a)try{t.set(a,decodeURIComponent(i))}catch{t.set(a,i)}}return t}n(xu,"parseCookieHeader");async function Da(){return $({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-session"),"derive")})}n(Da,"getBrowserSessionKey");function Ar(e,t){let r=new URL(U(e,t)),o=[`${Ur}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(Ar,"buildBrowserSessionEvictionCookie");function Au(e){let t=new URL(U(e.requestUrl,e.requestHeaders)),r=[`${Ur}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(Au,"serializeSessionCookie");function za(){return new URL(bt("url")).origin}n(za,"readBrowserLoginOrigin");function kr(){return B().browserLogin.stateTtlSeconds}n(kr,"readBrowserLoginStateTtlSeconds");function Ha(e){if(!e.user)throw _("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Ie(e.user,e.url)}n(Ha,"resolveCurrentRequestPrincipal");async function Mt(e,t={}){let r=xu(e.headers.get("cookie")).get(Ur);if(!r)return{};try{let{payload:o}=await Cu(r,await Da(),{algorithms:[z],issuer:O,audience:D}),a=Iu.parse(o);if(a.browserLoginOrigin!==za())return{evictCookie:Ar(e.url,e.headers)};let i={subjectId:a.sub};return a.roles&&a.roles.length>0&&(i.roles=a.roles),{principal:i}}catch(o){return o instanceof Su.JWTExpired?{evictCookie:Ar(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:Ar(e.url,e.headers)})}}n(Mt,"readBrowserSession");async function Dt(e){let 
t=B().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:za()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new vu(r).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await Da());return Au({value:o,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},ttlSeconds:t})}n(Dt,"createBrowserSessionCookie");async function Ba(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Mt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw _("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");let{exchangeFederatedAuthorizationCode:a}=await import("../browser-login-idp-U763HG2Z.js");return a({code:o,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,...e.context===void 0?{}:{context:e.context}})}n(Ba,"resolveBrowserLoginCallbackPrincipal");function ja(e){let t=B().browserLogin,r=new URL(bt("url")),o=new URL("/oauth/callback",Hn(e.requestUrl,e.requestHeaders));return Jn(r)?(r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",bt("clientId")),r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}n(ja,"buildBrowserLoginUrl");var Uu={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},p=class extends 
Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=Uu[t],a){super(r,a),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var ku=5*60,Tu=d.object({purpose:d.literal("gateway_browser_login"),transactionId:Zt,stateId:Ft,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Pu=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:Zt,stateId:Ft,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function $a(){return $({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-login"),"derive")})}n($a,"getBrowserLoginKey");async function Za(){return $({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"authorization-csrf"),"derive")})}n(Za,"getCsrfKey");function Fa(e){return{now:e.now??new Date,ttlSeconds:kr()}}n(Fa,"readPendingTransactionDependencies");function Eu(e,t){return e.subjectId===t.subjectId}n(Eu,"principalsMatch");function Ka(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(Ka,"toPendingPrincipal");function Ja(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:R(e.now),expiresAt:R(J(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw _("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Ka(e.principal)}}n(Ja,"createTransactionRecord");async function Wa(e){let{id:t,...r}=e.record,o=await b().startAuthorization({...r,transactionId:t,...e.client===void 
0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw _("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new p("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new p("invalid_request","redirect_uri is not registered for the client.")}}n(Wa,"startPendingTransaction");async function Ou(e){return new Ga({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await $a())}n(Ou,"signBrowserLoginState");async function Va(e){return new Ga({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Jt()}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Za())}n(Va,"signCsrfToken");async function Tr(e){try{let{payload:t}=await Na(e,await $a(),{algorithms:[z],issuer:O,audience:D}),r=Tu.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof La.JWTExpired?_("oauth_state_expired","Browser login state has expired.",t):_("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Tr,"verifyBrowserLoginStateToken");async function zt(e){try{let{payload:t}=await Na(e,await Za(),{algorithms:[z],issuer:O,audience:D});return{transactionId:Pu.parse(t).transactionId}}catch(t){throw t instanceof La.JWTExpired?_("oauth_state_expired","Authorization setup state has expired.",t):_("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(zt,"verifyCsrfToken");function Pr(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(Pr,"pendingStateErrorCode");function qu(e){return 
e.kind==="available"?{kind:"available",record:e.transaction}:e}n(qu,"toPendingAuthorizationGetResult");function Mu(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(Mu,"toPendingAuthorizationAdvanceResult");function Er(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Pr(e==="consumed_already"?"consumed_already":e)}n(Er,"setupDecisionErrorCode");async function Ya(e){let t=e.now??new Date,r=await zt(e.csrfToken),o=await b().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(t)});if(o.kind!=="marked")throw _(Er(o.kind),"Authorization setup state is invalid, expired, or already used.");return Xa({kind:"available",record:o.transaction})}n(Ya,"markSetupApproved");function Xa(e){if(e.kind!=="available")throw _(Pr(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(Xa,"requireAwaitingSetup");function Du(e){if(!Eu(e.currentBrowserPrincipal,e.transaction.principal))throw _("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(Du,"requireCurrentPrincipalMatches");async function Qa(e){let t=e.now??new Date,r=kr(),o=Kt(),a=Jt(),i=await Ou({transactionId:o,stateId:a,ttlSeconds:r}),s=Ja({id:o,transaction:e.transaction,currentStateHash:await I(i),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw _("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Wa({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw _("oauth_state_invalid","Authorization transaction did not start in login 
phase.");return{transaction:c,browserLoginStateToken:i,browserLoginUrl:ja({state:i,nonce:a,operationId:s.operationId,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(Qa,"startAwaitingLogin");async function ei(e){let{now:t,ttlSeconds:r}=Fa(e),o=Kt(),a=await Va({transactionId:o,ttlSeconds:r}),i=Ja({id:o,transaction:e.transaction,currentStateHash:await I(a),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(i.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Wa({record:i,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:a}}n(ei,"startAwaitingSetup");async function ti(e){let{now:t,ttlSeconds:r}=Fa(e),o=await Tr(e.browserLoginStateToken),a=await Va({transactionId:o.transactionId,ttlSeconds:r}),i=Mu(await b().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await I(e.browserLoginStateToken),nextStateHash:await I(a),nextPhase:"awaiting_setup",principal:Ka(e.principal),now:R(t)}));if(i.kind!=="advanced")throw _(Pr(i.kind),"Browser login state is invalid, expired, or already used.");if(i.record.phase!=="awaiting_setup")throw _("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:i.record,csrfToken:a}}n(ti,"completeLogin");async function ri(e){let t=await Or(e);return Du({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(ri,"getSetup");async function Or(e){let t=e.now??new Date,r=await zt(e.csrfToken);return Xa(qu(await b().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),now:R(t)})))}n(Or,"getSetupTransaction");async function zu(e){let t=await zt(e.csrfToken),r=Y(),o=R(J(e.now,ku)),a=await 
b().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await I(r),authorizationCodeExpiresAt:o,grantId:Fn(),now:R(e.now)});if(a.kind!=="approved")throw _(a.kind==="cancelled"?"oauth_state_invalid":Er(a.kind),"Authorization setup state is invalid, expired, or already used.");let i=new URL(a.transaction.redirectUri);return i.searchParams.set("code",r),a.transaction.clientState&&i.searchParams.set("state",a.transaction.clientState),i}n(zu,"createAuthorizationCodeRedirectWithDecision");async function Hu(e){let t=await zt(e.csrfToken),r=await b().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(e.now)});if(r.kind!=="cancelled")throw _(r.kind==="approved"?"oauth_state_invalid":Er(r.kind),"Authorization setup state is invalid, expired, or already used.");return Bu({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Hu,"createCancelRedirectWithDecision");function Bu(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(Bu,"buildClientCancelRedirect");async function ni(e){let t=e.now??new Date;return zu({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(ni,"approve");async function oi(e){let t=e.now??new Date;return Hu({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(oi,"cancel");H();var ju=1e4,Lu=5*1024,Nu=2,Gu=90*24*60*60,qr="dcr:pkjwt:",$u="chatgpt.com",Zu="ChatGPT CIMD client metadata could not be used by this gateway. 
In ChatGPT advanced OAuth settings, change Registration method to Dynamic Client Registration (DCR), keep the discovered Registration URL, and retry connecting.",Mr=["authorization_code","refresh_token"],Dr=["code"],Fu=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(Mr)).min(1).max(2).optional(),response_types:d.array(d.enum(Dr)).min(1).max(1).optional(),scope:d.literal(P).optional(),token_endpoint_auth_method:$n.optional(),jwks_uri:d.string().min(1).optional()});function Ku(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&ue(t))&&t.pathname!=="/"}catch{return!1}}n(Ku,"isCimdClientIdCandidate");function Ju(e){try{let t=new URL(e);return t.protocol==="https:"&&t.hostname===$u&&t.pathname.startsWith("/oauth/")&&t.pathname.endsWith("/client.json")}catch{return!1}}n(Ju,"isChatGptCimdClientId");function ai(e){throw new p("invalid_client",Ju(e)?Zu:"OAuth client is not registered.")}n(ai,"invalidCimdClientError");function Me(e,t="invalid_request",r="authorize"){if(Wu(e))throw new p(t,"redirect_uris must not include raw whitespace or control characters.");let o;try{o=new URL(e)}catch{throw new p(t,"redirect_uris must be absolute URIs.")}if(o.hash||o.username||o.password)throw new p(t,"redirect_uris must not include credentials or fragments.");let a={source:r},i=Nn({url:o,context:a});if(i.kind!=="rejected"){i.mode!=="strict"&&void 0;return}throw new p(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(Me,"assertValidRedirectUri");function Wu(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(Wu,"hasForbiddenRawRedirectUriCharacter");async function Vu(e){let{response:t,json:r}=await fo(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Nu,maxResponseBytes:Lu,timeoutMs:ju});if(!t.ok)throw _("invalid_request","CIMD metadata could not be fetched.");let o=Zn.parse(r);for(let 
a of o.redirect_uris)Me(a,"invalid_request","cimd");if(o.jwks_uri!==void 0&&Rt(o.jwks_uri),o.client_id!==e.clientId)throw _("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(Vu,"fetchCimdMetadata");async function Yu(e){let t=lo(e),r=await Vu({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(Yu,"resolveCimdClient");async function Ht(e,t){let r=V.parse(e);if(Ku(r)){B().gateway.cimdEnabled||ai(r);try{return await Yu(r)}catch{ai(r)}}let o=await b().readClient({clientId:r});if(o.kind==="found"){let a=o.client,i=il(a.clientId),s=i===void 0?a.tokenEndpointAuthMethod:"private_key_jwt",c=a.jwksUri??i;if(s==="private_key_jwt"&&c===void 0)throw new p("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let l={client_id:a.clientId,client_name:a.clientName,redirect_uris:a.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}},m={kind:"dcr",clientId:r,metadata:l};return a.hashedClientSecret&&(m.hashedClientSecret=a.hashedClientSecret),m}throw new p("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. 
Re-run client registration before authorization.":"OAuth client is not registered.")}n(Ht,"resolveClient");function ii(e,t){if(!e.metadata.redirect_uris.some(r=>Kn(r,t)))throw _("invalid_request","redirect_uri is not registered for the client.")}n(ii,"assertRedirectRegistered");function Xu(e){let t=si(e.grant_types),r=e.response_types??[...Dr];if(!Qu(t))throw new p("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!el(r))throw new p("invalid_client_metadata","response_types must be code.");if(!tl(e.scope))throw new p("invalid_client_metadata",`Only the ${P} scope is supported.`)}n(Xu,"assertSupportedDcrRequest");function si(e){return e===void 0?[...Mr]:Array.from(new Set(e))}n(si,"normalizeGrantTypes");function Qu(e){return e.length===0?!1:e.every(t=>Mr.includes(t))}n(Qu,"isSupportedGrantTypes");function el(e){return e.length===Dr.length&&e[0]==="code"}n(el,"isSupportedResponseTypes");function tl(e){return e===void 0||e===P}n(tl,"isSupportedDcrScope");function rl(e){try{Rt(e)}catch(t){throw new p("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials, query, or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(rl,"assertValidDcrJwksUri");function nl(e){let t=new TextEncoder().encode(e),r="";for(let o of t)r+=String.fromCharCode(o);return btoa(r).replaceAll("+","-").replaceAll("/","_").replace(/=+$/,"")}n(nl,"encodeBase64Url");function ol(e){let t=e.replaceAll("-","+").replaceAll("_","/"),r=t.padEnd(t.length+(4-t.length%4)%4,"="),o;try{o=atob(r)}catch{return}let a=new Uint8Array(o.length);for(let i=0;i<o.length;i+=1)a[i]=o.charCodeAt(i);return new TextDecoder().decode(a)}n(ol,"decodeBase64Url");function al(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?V.parse(`${qr}${crypto.randomUUID()}:${nl(e.jwksUri)}`):V.parse(`dcr:${crypto.randomUUID()}`)}n(al,"createDcrClientId");function Bt(e){return 
e.startsWith(qr)}n(Bt,"isPrivateKeyJwtDcrCompatibilityClientId");function il(e){if(!Bt(e))return;let t=e.slice(qr.length),r=t.indexOf(":");if(r===-1)return;let o=ol(t.slice(r+1));if(o!==void 0){try{Rt(o)}catch{return}return o}}n(il,"readPrivateKeyJwtDcrClientIdJwksUri");function rt(e){if(e===void 0||e===P)return P;throw new p("invalid_request",`Only the ${P} scope is supported.`)}n(rt,"assertSupportedOAuthScope");function De(e,t,r){let o;try{o=new URL(t)}catch{throw new p("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new p("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!ue(o))throw new p("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let a=U(e,r),i=zn(),s=i?[...i.byOperationId.values()].find(c=>new URL(c.routePath,a).toString()===t):void 0;if(!s)throw new p("invalid_target","resource must match a published MCP route.");return s}n(De,"resolveResource");async function ci(e){let t;try{t=Fu.parse(e)}catch(v){if(v instanceof d.ZodError){let L=v.issues.some(Re=>Re.path[0]==="redirect_uris");throw new p(L?"invalid_redirect_uri":"invalid_client_metadata",v.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:v})}throw v}Xu(t);for(let v of t.redirect_uris)Me(v,"invalid_redirect_uri","dcr");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new p("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&rl(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",a=o==="private_key_jwt"?"none":o,i=al({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=J(r,Gu),c=Math.floor(r.getTime()/1e3),l=Math.floor(s.getTime()/1e3),m={client_id:i,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:si(t.grant_types),response_types:["code"],scope:P,token_endpoint_auth_method:o,client_id_issued_at:c,...t.jwks_uri===void 
0?{}:{jwks_uri:t.jwks_uri}},f={clientId:i,clientName:String(m.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:a,createdAt:R(r),clientExpiresAt:R(s)};if(o==="client_secret_basic"||o==="client_secret_post"){let v=Y();f.hashedClientSecret=await I(v),f.clientSecretExpiresAt=R(s),m.client_secret=v,m.client_secret_expires_at=l,m.client_secret_issued_at=c}if((await b().registerClient(f)).kind==="already_exists")throw _("invalid_request","OAuth client is already registered.");return m}n(ci,"registerDownstreamClient");function jt(e){return S`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(jt,"renderShellIcon");function di(e){return S`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(di,"renderActions");var Ay=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');var Uy=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),ky=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" 
width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var Ty=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var sl="data:,",ui=S`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,li=S`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function cl(e,t){if(e)try{let r=new URL(t).origin,o=new URL(e,r);return o.origin!==r||!o.pathname.startsWith("/auth/connections/")?void 0:o.toString()}catch{return}}n(cl,"safeGatewayConnectHref");function dl(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(dl,"deriveMode");function ul(e){return di({state:e.state,submitOnceAttrs:ui,authorizeAttrs:Z})}n(ul,"renderActions");function zr(e,t,r){for(let o of e){if(o.ownerMode!=="user"||o.status!==r)continue;let a=cl(o.connectUrl,t);if(a)return a}}n(zr,"firstUserConnectHref");function ll(e){let t=e.connectHref?S`<a class="button button--primary" href="${e.connectHref}" ${li}>Connect</a>`:S`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return S`<form class="actions" method="post" action="/oauth/setup" ${ui}><input type="hidden" name="state" 
value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(ll,"renderSetupActions");function pl(e){return e?S`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${li}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:Z}n(pl,"renderReconnectAction");function ml(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(ml,"isRenderableIconHref");function pi(e){return e?.find(t=>ml(t.src))?.src}n(pi,"readIconHref");function fl(e){return pi(e.serverIcons)??(e.transportHost===void 0?void 0:hr(e.transportHost).src)}n(fl,"readUpstreamIconHref");function hl(e){let t=pi(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=fl(r);if(o!==void 0)return o}}n(hl,"readHeaderIconHref");function gl(e){return S`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>`}n(gl,"renderBody");function Hr(e){let t=dl(e.upstreams),r=zr(e.upstreams,e.gatewayOrigin,"not_connected"),o=zr(e.upstreams,e.gatewayOrigin,"reconsent_required"),a=zr(e.upstreams,e.gatewayOrigin,"active"),i=t==="setup"?r??o:void 0,s=hl({routeIcons:e.routeIcons,upstreams:e.upstreams}),c=t==="setup"?S`<footer class="card__footer">${ll({state:e.state,connectHref:i})}</footer>`:S`<footer class="card__footer">${pl(a)}${ul({state:e.state})}</footer>`;return Pe(Oe({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??sl,styles:Ee,headerIcon:s===void 0?Z:jt({iconHref:s,fallbackIconHref:xt}),heading:"Authorize 
access",subhead:Z,body:gl({routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName}),footer:c}))}n(Hr,"renderConsentPage");var yl=1e4,mi="mcp-session-id",_l,fi;function wi(){return{tools:[],prompts:[],resources:[]}}n(wi,"emptyCapabilities");function hi(e){let t=new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":Wt});switch(e.type){case"none":return t;case"bearer_token":return t.set("authorization",`Bearer ${e.token}`),t;case"headers":for(let[r,o]of Object.entries(e.headers))t.set(r,o);return t;case"mcp_oauth_provider":throw new Error("MCP OAuth provider credentials require async headers.")}}n(hi,"buildCredentialHeaders");async function gi(e){if(e.type!=="mcp_oauth_provider")return hi(e);let t=await e.provider.tokens();if(!t)return;let r=hi({type:"none"});return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(gi,"buildAsyncCredentialHeaders");function yi(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(ft.parse({jsonrpc:mt,id:1,method:"initialize",params:{protocolVersion:Wt,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(yi,"buildInitializePreflight");async function Br(e){uo(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),yl);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return fi?await fi(o):await ct.fetch(o)}finally{clearTimeout(r)}}n(Br,"runPreflight");function jr(e){e.body?.cancel().catch(()=>{})}n(jr,"releasePreflightBody");async function wl(e){let t=e.response.headers.get(mi);if(!t)return;let r=new Headers(e.headers);r.set(mi,t),r.delete("content-type");try{let o=await Br(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));jr(o)}catch{}}n(wl,"terminatePreflightSession");async function Ri(e){let{response:t}=e;return jr(t),t.status>=200&&t.status<300?(await 
wl(e),{kind:"ready",upstreamStatus:t.status,capabilities:wi()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(Ri,"classifyResponse");function _i(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(_i,"connectRequiredResult");async function Rl(e){try{return Ri({response:await Br(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Rl,"classifyPreflight");async function bl(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:wi()};let r=Et(t.upstreamServerId,e.route.operationId),o=Te(r,e.subjectId),a=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},i=new Request(e.requestUrl,{...e.requestHeaders===void 0?{}:{headers:e.requestHeaders}}),s=await ke({request:i,routeAuth:a,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return _i(s.payload);let c=await gi(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let l=yi({upstreamUrl:t.mcpUrl,headers:c}),m;try{m=await Br(l)}catch(v){return{kind:"upstream_unavailable",message:v instanceof Error?v.message:"Upstream MCP server readiness preflight failed."}}if(m.status!==401)return Ri({response:m,upstreamUrl:t.mcpUrl,headers:c});jr(m);let f=await ke({request:i,routeAuth:a,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(f.kind==="connect_required")return _i(f.payload);let A=await gi(f.credential);return A===void 
0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Rl({request:yi({upstreamUrl:t.mcpUrl,headers:A}),upstreamUrl:t.mcpUrl,headers:A})}n(bl,"checkUpstreamRouteReadinessImpl");function bi(e){return(_l??bl)(e)}n(bi,"checkUpstreamRouteReadiness");function Sl(e){try{return new URL(e).host}catch{return}}n(Sl,"safeUrlHost");function Cl(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}n(Cl,"readOAuthScopes");function Si(e){return e!==void 0&&e.length>0}n(Si,"hasItems");function vl(e){let t=e.serverInfo?.icons;if(Si(t))return t;let r=At(e.mcpUrl);return r===void 0?void 0:[r]}n(vl,"readServerIcons");async function Il(e){if(!(e.returnTo===void 0||!e.isUserOwned))return yr({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Il,"readConnectUrl");function _e(e,t){return t===void 0?{}:{[e]:t}}n(_e,"optionalRequirementField");function xl(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?oo(e.connection):{connected:!0,status:"active"}}n(xl,"readSetupConnectionStatus");function Al(e){let t=Cl(e);return Si(t)?t:void 0}n(Al,"readScopesRequested");function Ul(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(Ul,"readUpdatedAt");function kl(){return{tools:[],prompts:[],resources:[]}}n(kl,"readRouteCapabilities");async function Tl(e){let{authConfig:t,authMode:r,description:o,displayName:a,mcpUrl:i,upstreamServerId:s,authProfileId:c}=e.registeredConnection,l=Ut(r),m=l==="user",f=xl({connection:e.connection,isUserOwned:m,readiness:e.readiness}),A=e.readiness?.connectUrl??await 
Il({...e,connected:f.connected,isUserOwned:m});return{upstreamServerId:s,authProfileId:c,authMode:r,ownerMode:l,upstreamDisplayName:a,status:f.status,connected:f.connected,capabilities:kl(),..._e("description",o),..._e("transportHost",Sl(i)),..._e("scopesRequested",Al(t)),..._e("serverIcons",vl(e.registeredConnection)),..._e("connectUrl",A),..._e("updatedAt",Ul({connectionStatus:f,isUserOwned:m})),..._e("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(Tl,"buildSetupRequirement");function Ci(e){let t=N().byOperationId.get(e);if(!t)throw _("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(Ci,"requireRoute");async function Lr(e){let t=Ci(e.transaction.operationId),r=_t(e.transaction.principal.subjectId),o=[],a=new Map,i=t.connection;if(i===void 0)return[];Ut(i.authMode)==="user"&&(a.set(i,o.length),o.push({owner:r,upstreamServerId:i.upstreamServerId,authProfileId:i.authProfileId}));let s=await b().batchGetUpstreamConnections(o),c=[],l=Ut(i.authMode)==="user",m=a.get(i),f=await bi({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:l&&m!==void 0?s[m]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),A=(()=>{if("connectionStatus"in f&&f.connectionStatus)return f.connectionStatus})(),v=(f.kind==="connect_required"||f.kind==="admin_setup_required")&&f.payload.authUrl!==void 0?f.payload.authUrl:void 0;return c.push(await Tl({connection:l&&m!==void 0?s[m]:void 0,registeredConnection:i,route:t,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:A===void 0?void 0:{...A,...v===void 0?{}:{connectUrl:v}}})),c}n(Lr,"requirementsForSetup");function Pl(e){return e.route.connection?.displayName??e.route.operationId}n(Pl,"readRouteDisplayName");async function Nr(e){let t=Ci(e.transaction.operationId),r=Pl({route:t}),o=await 
b().readClient({clientId:e.transaction.clientId}),a=o.kind==="found"?o.client:void 0,i={gatewayOrigin:U(e.requestUrl,e.requestHeaders),routeDisplayName:r,clientDisplayName:a?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(i.routeDescription=s),i}n(Nr,"consentContext");function Gr(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Gr,"hasUnresolvedUserUpstream");var El=["mcp_user"],Ol="dev-browser-user",ql=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Ml=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:Gn,state:d.string().min(1).optional(),scope:d.literal(P).default(P)}),Dl=d.enum(["continue","approve","cancel"]).default("continue"),zl=d.object({state:d.string().min(1),decision:Dl}),ie=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function vi(e){return typeof e=="string"&&e.length>0?e:void 0}n(vi,"readQueryString");function Hl(e){let t=Array.from(N().byOperationId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return 
Vt(r.operationId,e.url,e.headers)}n(Hl,"inferSingleRouteResource");function Bl(e,t){let r=vi(e.query.resource);if(t===void 0){if(r!==void 0)return r;let a=Hl(e);if(a!==void 0)return a;throw new p("invalid_target",ql)}let o=Vt(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new p("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Bl,"requireAuthorizeResource");async function jl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let a=Ha(e);return{principal:a,setCookie:await Dt({principal:a,requestUrl:e.url,requestHeaders:e.headers})}}n(jl,"resolveBrowserPrincipal");async function Ll(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(!o.principal)throw _("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Ll,"requireSetupPrincipal");function Ii(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}n(Ii,"buildSetupReturnTo");async function xi(e){let t=await Lr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:Ii(e.csrfToken)}),r=await Nr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}}),o={kind:"setup_page",html:Hr({state:e.csrfToken,operationId:e.transaction.operationId,upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(xi,"renderSetup");function Nl(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Nl,"toAuthorizationTransactionClient");async function $r(e,t={}){let r=Ml.parse({...e.query,resource:Bl(e,t.operationId),state:vi(e.query.state)}),o=rt(r.scope);Me(r.redirect_uri,"invalid_request","authorize");let a=new Date,i=V.parse(r.client_id),s=await 
Ht(r.client_id,a);ii(s,r.redirect_uri);try{let c=De(e.url,r.resource,e.headers),l=Nl(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:i,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&C(t.context,{eventType:w.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:i,scope:o,responseType:r.response_type}});let m={clientId:s?.clientId??i,...l===void 0?{}:{client:l},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:f,setCookie:A}=await jl(e,t.context);if(!f){let L=await Qa({transaction:m,requestUrl:e.url,requestHeaders:e.headers,now:a});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:i,operationId:c.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let Re={kind:"redirect",location:L.browserLoginUrl};return A!==void 0&&(Re.setCookie=A),Re}let v=await ei({transaction:m,principal:f,now:a});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:i,operationId:c.operationId,subjectId:f.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&C(t.context,{eventType:w.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:i,scope:o,responseType:r.response_type,subjectId:f.subjectId}}),xi({transaction:v.transaction,csrfToken:v.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:A})}catch(c){throw Gl({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n($r,"authorizeDownstreamClient");function Gl(e){if(e.cause instanceof ie)return e.cause;let t=$l(e.cause);return t?new 
ie({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Gl,"toDownstreamAuthorizeRedirectError");function $l(e){if(e instanceof p)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n($l,"mapToOAuthRedirectError");async function Ai(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let m=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,f=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...m===void 0?{}:{idpErrorDescription:m},...f===void 0?{}:{idpErrorUri:f}},"Identity provider redirected browser-login callback with an error"),_("provider_access_denied",m??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),_("oauth_state_invalid","Browser login callback is missing state.");let a=await Tr(o),i={request:e,stateId:a.stateId};t.context!==void 0&&(i.context=t.context);let s=await Ba(i),c=await ti({browserLoginStateToken:o,principal:s}),l=await xi({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return l.setCookie=await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers}),l}n(Ai,"completeBrowserLoginCallback");async function Ui(e){let t=B(),r=new URL(e.url);if(!ue(r))throw _("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw _("oauth_state_invalid","Local browser login 
is missing state.");let a=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",U(e.url)),i=new URL(U(e.url)).origin;if(a.origin!==i||a.pathname!=="/oauth/callback")throw _("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");a.searchParams.set("state",o);let s={subjectId:yt.parse(Ol),roles:El};return{kind:"redirect",location:a,setCookie:await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers})}}n(Ui,"completeLocalDevBrowserLogin");function Zl(e){let t=e.method==="POST"?e.body:e.query;return zl.parse(t)}n(Zl,"readSetupContinueRequest");async function ki(e){let{state:t,decision:r}=Zl({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,a=await Or({csrfToken:t,now:o}),i=await Ll(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await oi({csrfToken:t,currentBrowserPrincipal:i,now:o})};let s=await ri({csrfToken:t,currentBrowserPrincipal:i,now:o}),c=await Lr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:Ii(t)});if(r==="approve"&&Gr(c)&&await Ya({csrfToken:t,currentBrowserPrincipal:i,now:o}),Gr(c)){let l=await Nr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:Hr({state:t,operationId:s.operationId,upstreams:c,...l})}}return{kind:"redirect",location:await ni({csrfToken:t,currentBrowserPrincipal:i,now:o})}}n(ki,"continueDownstreamAuthorizeSetup");H();import{createLocalJWKSet as Fl,decodeJwt as Kl,errors as nt,jwtVerify as Jl}from"jose";var Wl=new 
Set(["authorization_code","refresh_token"]),Vl="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",Yl=1e4,Xl=32*1024,Ql=2,Ti=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),ep=d.discriminatedUnion("grant_type",[Ti.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:gt,resource:d.url().optional(),scope:d.literal(P).optional()}),Ti.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(P).optional()})]);function tp(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!Wl.has(t)))throw new p("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(tp,"assertSupportedGrantType");var rp=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),np=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function Pi(){return B().gateway.accessTokenTtlSeconds}n(Pi,"readAccessTokenTtlSeconds");function op(){return B().gateway.refreshTokenTtlSeconds}n(op,"readRefreshTokenTtlSeconds");function ap(e,t){let r=Pi(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),a=Math.min(r,o);return{expiresAt:R(J(e,a)),expiresIn:a}}n(ap,"calculateAccessTokenExpiresAt");function Ei(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new p("invalid_client","Malformed HTTP Basic client 
authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}}n(Ei,"readBasicClientSecret");function Oi(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new p("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=Kl(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new p("invalid_client","Malformed private_key_jwt client assertion.")}throw new p("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new p("invalid_client","Client authentication or client_id is required.")}n(Oi,"resolveAuthenticatedClientId");function ip(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(ip,"resolveClientSecretInput");function sp(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(sp,"hasClientAssertion");function cp(e){if(e.requestUrl===void 0)throw new p("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,U(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(cp,"buildEndpointAudience");function dp(e){return e instanceof nt.JWTExpired?"expired":e instanceof nt.JWTClaimValidationFailed?"claim":e instanceof nt.JWSSignatureVerificationFailed?"signature":e instanceof nt.JWKSNoMatchingKey?"jwks_no_match":e instanceof nt.JWTInvalid?"invalid":e instanceof 
d.ZodError?"schema":"other"}n(dp,"readJwtFailureKind");async function up(e){let{response:t,json:r}=await ho(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:Ql,maxResponseBytes:Xl,timeoutMs:Yl});if(!t.ok)throw new p("invalid_client","Client JWKS could not be fetched.");return np.parse(r)}n(up,"fetchClientJwks");async function lp(e){if(e.clientAssertionType!==Vl||e.clientAssertion===void 0)throw new p("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=V.parse(e.clientId),r=await Ht(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new p("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new p("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let a=cp({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let i=await up({jwksUri:o,context:e.context});await Jl(e.clientAssertion,Fl(i),{issuer:t,subject:t,audience:a,currentDate:e.now})}catch(i){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:dp(i)},"OAuth private_key_jwt client authentication failed"),new p("invalid_client","Client authentication failed.")}return Bt(t)?{method:"none",clientId:t}:{method:"private_key_jwt",clientId:t}}n(lp,"verifyPrivateKeyJwtClientAssertion");async function pp(e){let t=V.parse(e.clientId);if(Bt(t))throw new p("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await I(e.clientSecret)}}n(pp,"buildRuntimeHttpClientAuth");async function qi(e){if(sp({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 
0||e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return lp(e)}let t=ip({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return pp({clientId:e.clientId,...t})}n(qi,"resolveRuntimeHttpClientAuth");async function Mi(e){tp(e.body);let t=ep.parse(e.body),r=Ei(e.authorizationHeader),o=Oi({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date,i=await qi({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:a,context:e.context});return mp({parsed:t,clientId:o,clientAuth:i,now:a,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(Mi,"exchangeDownstreamToken");async function mp(e){if(e.parsed.grant_type==="authorization_code"){Me(e.parsed.redirect_uri,"invalid_request","token"),rt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let s=Y(),c=Y(),l=R(J(e.now,op())),m=ap(e.now,l),f=await b().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await I(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await co(e.parsed.code_verifier),currentRefreshTokenHash:await I(s),accessTokenHash:await I(c),grantExpiresAt:l,accessTokenExpiresAt:m.expiresAt,now:R(e.now)});if(f.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(f.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the authorization code resource.");if(f.kind!=="exchanged")throw new p("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return 
e.context&&C(e.context,{eventType:w.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:c,token_type:"Bearer",expires_in:m.expiresIn,refresh_token:s,scope:f.grant.scope,resource:f.grant.resource}}rt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=Y(),r=Y(),o=R(J(e.now,Pi())),a=await b().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await I(e.parsed.refresh_token),nextRefreshTokenHash:await I(t),accessTokenHash:await I(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:o,now:R(e.now)});if(a.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(a.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the refresh token grant resource.");if(a.kind!=="rotated")throw new p("invalid_grant","Refresh token is invalid, expired, or revoked.");De(e.requestUrl??a.grant.resource,a.grant.resource,e.requestHeaders);let i=a.accessToken.expiresAt;return e.context&&(C(e.context,{eventType:w.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),C(e.context,{eventType:w.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(i).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:a.grant.scope,resource:a.grant.resource}}n(mp,"exchangeDownstreamTokenWithRuntimeHttp");async function Di(e){let t=rp.parse(e.body),r=Ei(e.authorizationHeader),o=Oi({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),a=new Date;if((await b().revokeOAuthToken({clientAuth:await 
qi({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:a,context:e.context}),tokenHash:await I(t.token),now:R(a)})).kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&C(e.context,{eventType:w.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(Di,"revokeDownstreamToken");var fp=64*1024,hp=16*1024,gp="text/html; charset=utf-8";function yp(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(yp,"formDataToObject");async function _p(e){return qa(e,{maxBytes:fp,label:"Request body"})}n(_p,"readJsonBody");async function Fr(e){return yp(await Ma(e,{maxBytes:hp,label:"Request body"}))}n(Fr,"readFormBody");async function Hi(e,t,r){let o=le(r),a=r instanceof d.ZodError?se(r):void 0,i={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return a!==void 0&&(i.detail=a),Ln(e,t,i)}n(Hi,"handleProblem");function Bi(e){return e?.requestId}n(Bi,"readBrowserRequestId");function ji(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(ji,"readUpstreamHtmlError");function zi(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(zi,"readRuntimeErrorExtensionString");function wp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(wp,"readRuntimeErrorExtensionNumber");function Rp(e){try{return new URL(e.url).pathname}catch{return}}n(Rp,"readBrowserRequestPath");function we(e){let t={code:e.code,requestId:e.requestId,routePath:Rp(e.request),underlyingError:e.underlyingError};return 
e.error instanceof g&&(t.httpStatus=wp(e.error,Ce),t.contentType=zi(e.error,be),t.upstreamUrl=zi(e.error,ve)),t}n(we,"buildBrowserErrorDiagnostic");function ot(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(ot,"oauthErrorResponse");function bp(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(bp,"readOAuthProtocolHeaders");function Sp(e,t){let r=j("internal_server_error");return ot({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:bp(e,t)})}n(Sp,"oauthProtocolErrorResponse");function Zr(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(Zr,"readZodOAuthErrorCode");function Cp(e){let t={error:Zr(e)},r=se(e);return r!==void 0&&(t.errorDescription=r),ot(t)}n(Cp,"oauthZodErrorResponse");function vp(e){let t=le(e);if(t===void 0)return;let r=j(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:xp(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,ot(o)}n(vp,"oauthGatewayProblemResponse");function Ip(){let t={error:"server_error",status:500,errorDescription:j("internal_server_error").publicDetail};return ot(t)}n(Ip,"oauthFallbackErrorResponse");function xp(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(xp,"readOAuthStatus");function Kr(e,t={}){return e instanceof ie?Gi(e):e instanceof p?Sp(e,t):e instanceof d.ZodError?Cp(e):vp(e)??Ip()}n(Kr,"oauthProblemResponse");function Jr(e,t,r){let o=qe(e.url),a=Bi(t);if(r instanceof ie)return Gi(r);if(r instanceof p){let c=j("internal_server_error");return 
F({host:o,kind:Ap(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:we({request:e,requestId:a,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:a,status:r.status})}if(r instanceof d.ZodError)return F({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was invalid.",code:Zr(r),diagnostic:we({request:e,requestId:a,code:Zr(r),underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:a});let i=le(r);if(i!==void 0){let c=j(i);return F({host:o,kind:Ni(i),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:i,diagnostic:we({request:e,requestId:a,code:i,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:a,upstreamHtml:ji(r),status:c.status})}let s=j("internal_server_error");return F({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:we({request:e,requestId:a,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:a,status:s.status})}n(Jr,"browserOAuthProblemResponse");function Li(e,t,r){let o=qe(e.url),a=Bi(t),i=le(r);if(i!==void 0){let c=j(i);return F({host:o,kind:Ni(i),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:i,diagnostic:we({request:e,requestId:a,code:i,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:a,upstreamHtml:ji(r),status:c.status})}if(r instanceof d.ZodError)return F({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was 
invalid.",code:"invalid_request",diagnostic:we({request:e,requestId:a,code:"invalid_request",underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:a});let s=j("internal_server_error");return F({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:we({request:e,requestId:a,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:a,status:s.status})}n(Li,"browserGatewayProblemResponse");function Ap(e){return e==="server_error"?"internal_error":"invalid_request"}n(Ap,"readOAuthBrowserErrorKind");function Ni(e){if(j(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(Ni,"readGatewayBrowserErrorKind");function ee(e,t,r){let o={event:t},a=!1;if(r instanceof p)o.oauthError=r.errorCode,o.status=r.status,W(o,"error",r);else if(r instanceof ie)o.oauthError=r.errorCode,W(o,"error",r);else if(r instanceof 
d.ZodError){o.code="invalid_request",W(o,"error",r);let i=r.issues[0];i&&(o.zodPath=i.path.join("."))}else{let i=le(r);if(i!==void 0){let s=j(i);o.code=i,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),a=s.status>=500||s.oauthError==="server_error",W(o,"error",r)}else a=!0,W(o,"error",r)}if(a){let i=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,i.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(ee,"logUnexpectedOAuthHandlerError");function Gi(e){let t;try{t=new URL(e.redirectUri)}catch{return ot({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(Gi,"downstreamAuthorizeRedirectErrorResponse");function se(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(se,"formatZodErrorDetail");function Up(e,t){let r={event:"browser_login_callback_failed",code:le(t)??"invalid_request"};W(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Up,"logBrowserLoginCallbackFailure");function $i(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n($i,"redirectResultResponse");function Lt(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":gp,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return $i(e)}n(Lt,"authorizeResultResponse");async 
function Zi(e,t){try{return Response.json(Wn(e.url,e.headers))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),Hi(e,t,r)}}n(Zi,"authorizationServerMetadataHandler");async function Fi(e,t){try{let r=Yt(e.params.routePath);return Response.json(Vn({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),Hi(e,t,r)}}n(Fi,"scopedAuthorizationServerMetadataHandler");async function Ki(e,t){try{let r=await ci(await _p(e)),o=r,a=typeof o.client_id=="string"?o.client_id:void 0,i=typeof o.client_name=="string"?o.client_name:void 0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:a,clientName:i,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),C(t,{eventType:w.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:i,attributes:{clientId:a,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_register_failed",r),Kr(r)}}n(Ki,"registerHandler");async function Ji(e,t){try{return Lt(await $r(e,{context:t}))}catch(r){return ee(t,"oauth_authorize_failed",r),Jr(e,t,r)}}n(Ji,"authorizeHandler");async function Wi(e,t){try{let r=Yt(e.params.routePath);return Lt(await $r(e,{operationId:r.operationId,context:t}))}catch(r){return ee(t,"oauth_authorize_scoped_failed",r),Jr(e,t,r)}}n(Wi,"scopedAuthorizeHandler");async function Vi(e,t){try{let r=await Ai(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Lt(r)}catch(r){return Up(t,r),Li(e,t,r)}}n(Vi,"callbackHandler");async function Yi(e,t){try{return $i(await Ui(e))}catch(r){return 
ee(t,"oauth_dev_login_failed",r),Jr(e,t,r)}}n(Yi,"devLoginHandler");async function Xi(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await ki({request:e,body:e.method==="POST"?await Fr(e):void 0,context:t});return Lt(r)}catch(r){return ee(t,"oauth_setup_failed",r),Li(e,t,r)}}n(Xi,"setupHandler");async function Qi(e,t){try{return Response.json(await Mi({body:await Fr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return ee(t,"oauth_token_failed",r),Kr(r)}}n(Qi,"tokenHandler");async function es(e,t){try{return await Di({body:await Fr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_revoke_failed",r),Kr(r)}}n(es,"revokeHandler");var kp={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},ts=Symbol("upstream-request");function Tp(e){let t=e[ts];if(!t)throw new M("Upstream request context has not been set");return t}n(Tp,"readUpstreamRequestContext");function Pp(e,t){return t.some(r=>r===e)}n(Pp,"requestContextMatchesKind");function Ep(e){return typeof e=="string"?[e]:e}n(Ep,"toExpectedKinds");function ze(e,t){Object.defineProperty(e,ts,{configurable:!0,value:t})}n(ze,"setUpstreamRequestContext");function at(e,t){let r=Tp(e),o=Ep(t);if(!Pp(r.kind,o)){let a=kp[o[0]];throw new M(`${a} request context has not been set`)}return r}n(at,"requireUpstreamRequestContext");function rs(e){return S`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(rs,"renderBrowserResult");var Op="text/html; charset=utf-8",qp="none";function Mp(e){let t=fr(e.host);return 
Oe({title:e.title,iconHref:t,styles:Ee,headerIcon:jt({iconHref:t,fallbackIconHref:xt}),heading:e.title,subhead:"",body:rs({body:e.body,code:e.code??qp}),footer:""})}n(Mp,"browserResultHtml");function Dp(e,t=200){return new Response(Pe(e),{status:t,headers:{"content-type":Op,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Dp,"browserResultResponse");function ns(e){return Dp(Mp(e))}n(ns,"browserConnectionSuccessResponse");function Nt(e,t,r={}){let o=jn(t);return F({host:e,kind:zp(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(Nt,"browserConnectionFailureResponse");function zp(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(zp,"readCallbackFailureBrowserErrorKind");var Hp=["callback_authorization_code","callback_provider_error","callback_invalid"];function Wr(e){try{return new URL(e.url).pathname}catch{return}}n(Wr,"readBrowserRequestPath");function Bp(e){return"cause"in e?e.cause:void 0}n(Bp,"readErrorCause");function jp(e){return e.stack?.split(`
48
+ `).slice(1,4).map(t=>t.trim()).join(" | ")}n(jp,"readFirstStackFrame");function os(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=jp(r))}n(os,"addErrorAttributes");function Vr(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[y];return bn(t)?t:void 0}n(Vr,"readRuntimeGatewayCode");function as(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(as,"readRuntimeErrorExtensionString");function Lp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Lp,"readRuntimeErrorExtensionNumber");function Np(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),C(t,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),Nt(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:Wr(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Nt(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:Wr(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(Np,"requireAuthorizationCallbackRequest");function 
Gp(e,t){C(e,{eventType:w.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(Gp,"emitCallbackReceivedAnalyticsEvent");function $p(e,t){C(e,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n($p,"emitTokenExchangeSucceededAnalyticsEvent");function Zp(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return ns({host:qe(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(Zp,"buildSuccessfulCallbackResponse");function Fp(e){let t={detail:e instanceof Error?e.message:void 0};return os(t,"error",e),e instanceof Error&&os(t,"cause",Bp(e)),t}n(Fp,"buildTokenExchangeFailureAttributes");function Kp(e){C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:Vr(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:Fp(e.error)})}n(Kp,"emitTokenExchangeFailedAnalyticsEvent");function Jp(e){let t=e.error,r=Vr(t),o=Sn(r)?r:"upstream_token_exchange_failed",a={code:o,requestId:e.context.requestId,routePath:Wr(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof g?{httpStatus:Lp(t,Ce),contentType:as(t,be),upstreamUrl:as(t,ve)}:{}};return Nt(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:a,upstreamHtml:Wp(t)})}n(Jp,"tokenExchangeFailureResponse");function Wp(e){if(!(e instanceof g))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(Wp,"readUpstreamHtmlError");async function Yr(e,t){let r=at(e,Hp),o=qe(e.url),a=Np(e,t,r,o);if(a instanceof Response)return a;Gp(t,a);try{let i=await Ca({request:e,callbackRequest:a});return 
$p(t,i),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:i.upstreamServerId,operationId:i.operationId,authProfileId:i.authProfileId,ownerMode:i.ownerMode},"Upstream OAuth token exchange completed; user connection established"),Zp(e,i)}catch(i){let s={event:"upstream_oauth_token_exchange_failed",code:Vr(i)??"upstream_token_exchange_failed",upstreamServerId:a.upstreamServerId};return W(s,"error",i),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),Kp({context:t,callbackRequest:a,error:i}),Jp({request:e,context:t,host:o,callbackRequest:a,error:i})}}n(Yr,"callbackHandler");function Vp(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(Vp,"clientMetadataProblemDetail");async function is(e,t){let r=at(e,"connect"),o=await Sa({request:e,connectRequest:r});if(C(t,{eventType:w.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let a=await Tt({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(a,{status:428})}n(is,"connectHandler");async function Xr(e,t){let r=at(e,"client_metadata");try{let o=oa(e.url,e.headers),a=aa(o,r.upstreamServerId,r.authProfileId);return Response.json(a)}catch(o){if(!(o instanceof T))throw o;let a=o instanceof Error?o.message:String(o);return 
t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:a},"Failed to serve OAuth client metadata document for upstream connection"),de.notFound(e,t,{code:"not_found",detail:Vp(o)})}}n(Xr,"oauthClientMetadataHandler");function ce(e){if(typeof e=="string"&&e.length!==0)return e}n(ce,"readOptionalQueryString");function Yp(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new M(`Validated path parameter ${t} is missing`);return r}n(Yp,"requirePathString");function Xp(e){let t=ce(e);return t?pt.parse(t):void 0}n(Xp,"readOptionalOperationId");function Qp(e,t){let r=ce(e);return r?xn.parse(r):ht(t,"user-oauth")}n(Qp,"readOptionalAuthProfileId");function em(e,t){let r=e.params[t];return typeof r=="string"&&r.length>0?r:void 0}n(em,"readOptionalPathString");function tm(e){let t=Xp(e);if(!t)throw new g({message:"operationId query parameter is required.",extensionMembers:{[y]:"invalid_request"}});return t}n(tm,"readRequiredOperationId");function rm(e){let t=Qn(ce(e));return t===void 0?{}:{returnTo:t}}n(rm,"readOptionalReturnTo");function nm(e){let t=ce(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(nm,"readOptionalProviderErrorDescription");function om(e){let t=G(e.authMode);if(t.connectSupport!=="none")return e;throw new g({message:t.connectUnsupportedDetail??"This upstream does not support browser connection flows.",extensionMembers:{[y]:"invalid_request"}})}n(om,"requireConnectableRouteAuth");function am(e,t,r,o){return{kind:"connect",...Te(e,t.subjectId),...o===void 0?{}:{returnTo:o},redirect:r}}n(am,"buildConnectContextForUser");function im(e,t,r){let o=wt(t),a=G(e.authMode);if(o.mode!==a.ownerMode)throw new g({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[y]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 
0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(im,"buildConnectContextForTicket");async function sm(e,t){let r=om(Et(t,tm(e.query.operationId))),o=e.query.redirect==="true",a=ce(e.query.browserTicket);if(e.user){if(a)throw new g({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[y]:"invalid_request"}});let s=Ie(e.user,e.url);return am(r,s,o,rm(e.query.returnTo).returnTo)}if(!a)throw new g({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[y]:"authentication_required"}});let i=await Yo(a);if(i.ownerMode!==r.ownerMode||i.upstreamServerId!==r.upstreamServerId||i.authProfileId!==r.authProfileId||i.operationId!==r.operationId)throw new g({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[y]:"oauth_callback_mismatch"}});return await Xo(i),im(r,i,o)}n(sm,"resolveConnectContext");async function cm(e,t,r){let o=In.parse(Yp(e,"connection"));switch(r){case"connect":ze(e,await sm(e,o));return;case"callback":{let a=ce(e.query.error);if(a){ze(e,{kind:"callback_provider_error",upstreamServerId:o,error:a,...nm(e)});return}let i=ce(e.query.code),s=ce(e.query.state);if(i&&s){ze(e,{kind:"callback_authorization_code",upstreamServerId:o,code:i,state:s});return}ze(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":ze(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:Qp(em(e,"authProfileId")??e.query.authProfileId,o)});return}}n(cm,"resolveUpstreamRequestInbound");async function dm(e,t,r){try{await cm(e,t,r);return}catch(o){let a=o instanceof g?o.extensionMembers?.[y]:void 0,i=o instanceof Error?o.message:void 0;switch(a){case"invalid_request":case"oauth_callback_mismatch":return de.badRequest(e,t,{code:a,detail:i});case"authentication_required":return de.unauthorized(e,t,{code:a,detail:i});default:throw o}}}n(dm,"applyUpstreamRequestContext");function 
it(e,t){return n(async(o,a)=>{let i=await dm(o,a,e);return i||t(o,a)},"wrapped")}n(it,"withUpstreamRequestContext");var um={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function lm(){return new Response(null,{status:204,headers:um})}n(lm,"buildWellKnownPreflightResponse");function pm(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(pm,"withWellKnownCorsHeaders");function Qr(e){return async(t,r)=>t.method==="OPTIONS"?lm():pm(await e(t,r))}n(Qr,"wrapWellKnownHandler");var ds=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Qr(Zi),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:Qr(Fi),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:Qr(Yn),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Ki},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Ji},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:Wi},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Vi},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Yi},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:Xi},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:Qi},{routeName:"oauth_revoke",path:"/oauth/revoke",methods:["POST"],handler:es},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:it("client_metadata",Xr)},{routeName:"ups
tream_client_metadata_profile",path:"/.well-known/oauth-client/:connection/:authProfileId",methods:["GET"],handler:it("client_metadata",Xr)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:it("connect",is)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:it("callback",Yr)}],mm=ds.filter(e=>!e.routeName.startsWith("upstream_")),fm=ds.filter(e=>e.routeName.startsWith("upstream_"));function us(e){return e?.some(wn)??!1}n(us,"hasMcpOAuthRuntimeConfigPolicy");function ls(e){return e?.some(t=>En(t.policyType))??!1}n(ls,"hasMcpTokenExchangePolicy");function ps(e){return us(e)||ls(e)}n(ps,"shouldRegisterMcpGatewayInternalRoutes");function hm(e){Mn(On({routes:e.routes,policies:e.policies}))}n(hm,"initializeMcpGatewayConnectionRegistry");function gm(e){let t=Rn(e.policies);if(!t){let r=[..._n].map(o=>`\`${o}\``).join(", ");throw new T(`MCP gateway: could not find an MCP authorization policy in policies.json. 
Add one of [${r}] and reference it on your MCP routes.`)}return t.config}n(gm,"initializeMcpGatewayOAuthRuntimeConfig");function ss(e,t,r){return async(o,a)=>{r&&gn(a,r());let i=o.method==="OPTIONS",s=Date.now();i||a.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,a);return i||a.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(ss,"wrapInternalHandler");function cs(e,t,r){e.addPluginRoute({path:t.path,methods:t.methods,handler:r,processors:[sn],corsPolicy:t.corsPolicy??"none"})}n(cs,"addInternalRoute");function ms(e,t){hm(t);let r=us(t.policies),o=ls(t.policies),a,i=n(()=>(a===void 0&&(a=gm(t)),a),"readOAuthConfig");if(r)for(let s of mm)cs(e,s,ss(s.routeName,s.handler,i));if(o)for(let s of fm)cs(e,s,ss(s.routeName,s.handler))}n(ms,"registerMcpGatewayInternalRoutes");function fs(e){qn(e)}n(fs,"configureLazyMcpGatewayState");var en=class extends on{static{n(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!ps(r.policies))return;let o={routes:r.routes,policies:r.policies};fs(o),ms(t.router,o)}};var ym=new TextDecoder;function _m(e){if(e)try{return JSON.parse(ym.decode(e))}catch{return}}n(_m,"readBodyJson");function te(e){return e&&typeof e=="object"?e:void 0}n(te,"readRecord");function st(e,t){let r=te(e)?.[t];return typeof r=="string"?r:void 0}n(st,"readStringProperty");function gs(e,t){let r=te(e)?.[t];return typeof r=="number"?r:void 0}n(gs,"readNumberProperty");function hs(e,t){return gs(e,"code")??(t.status>=400?t.status:void 0)}n(hs,"readErrorCode");function ys(e){return Array.isArray(e)?e.map(ys).find(t=>t?.method):te(e)}n(ys,"readJsonRpcMessage");function _s(e){let t=ys(_m(e)),r=typeof 
t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:st(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:st(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let a=st(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:a,resourceUri:a}}default:return null}}n(_s,"buildBaseCapabilityInput");function ws(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(ws,"isCapabilityListMethod");function wm(e,t,r){let i=te(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(i)?i.length:void 0}n(wm,"readItemCount");async function Rm(e){try{return await e.clone().json()}catch{return}}n(Rm,"readResponseJson");function Rs(e){let t=_s(e);return!t||ws(t.mcpMethod)?null:{eventType:w.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(Rs,"buildCapabilityInvokedAnalyticsInput");async function bs(e,t){let r=_s(e);if(!r)return null;let o=te(await Rm(t)),a=te(o?.error),i=te(a?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&te(s)?.isError===!0;if(te(i?.connectRequired))return{eventType:w.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:gs(a,"code"),mcpErrorType:st(a,"message")};if(ws(r.mcpMethod)){let l=t.status>=400?void 
0:wm(r.mcpMethod,r.capabilityType,s);return{eventType:w.MCP_CAPABILITY_LISTED,outcome:t.status>=400||a?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||a?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:hs(a,t)}:{},...l===void 0?{}:{attributes:{itemCount:l}}}}return t.status>=400||a?{eventType:w.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:hs(a,t),mcpErrorType:st(a,"message")}:{eventType:w.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(bs,"buildCapabilityFinalAnalyticsInput");var bm={Allow:"POST"};async function Sm(e){try{return await e.clone().arrayBuffer()}catch{return}}n(Sm,"readRequestBody");function Ss(e){try{let t=Dn(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Ss,"readRouteAnalyticsFields");function Cs(e){return Xn(e.user,e.url,e.headers)?.subjectId}n(Cs,"readRequestSubjectId");function Cm(e){let t=Rs(e.requestBody);t&&C(e.context,{...t,...Ss(e.context),httpMethod:e.request.method,subjectId:Cs(e.request),transport:"http"})}n(Cm,"emitCapabilityInvokedAnalytics");async function vm(e){let t=await bs(e.requestBody,e.response);t&&C(e.context,{...t,...Ss(e.context),httpMethod:e.request.method,subjectId:Cs(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(vm,"emitCapabilityFinalAnalytics");async function Im(e,t){if(e.method==="GET")return de.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. 
Server-sent event GET streams are not supported."},bm);let r=Date.now(),o=await Sm(e);Cm({context:t,request:e,requestBody:o});let a=await fn(e,t);return await vm({context:t,request:e,requestBody:o,response:a,startedAt:r}),a}n(Im,"McpProxyHandler");export{ks as McpAuth0OAuthInboundPolicy,Qt as McpCapabilityFilterInboundPolicy,en as McpGatewayPlugin,As as McpOAuthInboundPolicy,Im as McpProxyHandler,xr as McpTokenExchangeInboundPolicy,Us as McpWorkosOAuthInboundPolicy};
49
49
  //# sourceMappingURL=index.js.map