@zuplo/runtime 6.70.50 → 6.70.51
- package/out/esm/{browser-login-idp-NPHGGA54.js → browser-login-idp-QZEGTRKY.js} +2 -2
- package/out/esm/{chunk-OATPYDFL.js → chunk-ORBTGJIA.js} +2 -2
- package/out/esm/{chunk-OATPYDFL.js.map → chunk-ORBTGJIA.js.map} +1 -1
- package/out/esm/{chunk-GK7ZF3JA.js → chunk-WASXKKBJ.js} +2 -2
- package/out/esm/index.js +1 -1
- package/out/esm/mcp-gateway/index.js +8 -8
- package/out/esm/mcp-gateway/index.js.map +1 -1
- package/out/types/index.d.ts +4 -2
- package/out/types/mcp-gateway/index.d.ts +9 -5
- package/package.json +1 -1
- /package/out/esm/{browser-login-idp-NPHGGA54.js.map → browser-login-idp-QZEGTRKY.js.map} +0 -0
- /package/out/esm/{chunk-OATPYDFL.js.LEGAL.txt → chunk-ORBTGJIA.js.LEGAL.txt} +0 -0
- /package/out/esm/{chunk-GK7ZF3JA.js.map → chunk-WASXKKBJ.js.map} +0 -0
|
@@ -22,20 +22,20 @@
|
|
|
22
22
|
* DEALINGS IN THE SOFTWARE.
|
|
23
23
|
*--------------------------------------------------------------------------------------------*/
|
|
24
24
|
|
|
25
|
-
import{a as uo,b as lo,c as Rt,d as po,e as mo,g as fo,h as ho,i as bt}from"../chunk-GK7ZF3JA.js";import{$b as Dn,$c as Bs,Ab as be,Ac as Wn,Bb as Se,Bc as Vn,Cb as Ce,Cc as Wt,Db as ve,Dc as Yn,Eb as bn,Ec as Vt,Fb as Sn,Fc as Yt,G as cn,Gb as j,Gc as yt,H as u,Hb as Cn,Hc as Ie,I as dn,Ib as vn,Ic as Xn,J as Gt,Jb as In,Jc as Qn,K,Kb as pt,Kc as _t,L as un,Lb as An,Lc as eo,M as g,Mb as $t,Mc as Xt,N as re,Nb as mt,Nc as to,O as lt,Ob as ft,Oc as je,P as ln,Pb as Be,Pc as wt,Q as pn,Qb as xn,Qc as ro,R as mn,Rb as Un,Rc as no,S as d,Sb as kn,Sc as oo,T as H,Tb as ht,Tc as io,Ub as Pn,Uc as ao,Vb as Tn,Vc as so,Wb as En,Wc as b,Xb as On,Xc as C,Yb as qn,Yc as Y,Z as fn,Zb as Mn,Zc as I,_b as N,_c as co,a as dt,ac as zn,bc as R,cc as J,dc as U,ec as Hn,fc as W,gb as hn,hb as ue,hc as Bn,i as de,ib as gn,ic as jn,j as on,jb as B,jc as le,kb as yn,kc as _,l as an,lb as Us,lc as Ln,mb as ks,mc as Nn,nb as Ps,nc as Gn,ob as Ts,oc as gt,p as sn,pb as Es,pc as V,qb as Os,qc as Zt,r as ut,rb as qs,rc as Ft,sb as Ms,sc as $n,tb as Ds,tc as Zn,ub as zs,uc as Kt,vb as Hs,vc as Jt,wb as _n,wc as Fn,xb as wn,xc as T,yb as Rn,yc as Kn,zb as y,zc as Jn}from"../chunk-OATPYDFL.js";import"../chunk-JRXZBVXH.js";import{a as w}from"../chunk-4SACVMDH.js";import{$ as M,a as n,aa as h,ba as P,ca as nn,da as ct}from"../chunk-ZIKV2LUM.js";H();function js(e){let t=ft.safeParse(e);return t.success?t.data.id:void 0}n(js,"parseJsonRpcRequestId");function go(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return js(t)}catch{return}}n(go,"readJsonRpcRequestIdFromBody");function St(e){return xn.parse({jsonrpc:mt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(St,"jsonRpcErrorResponse");function yo(e){return new kn([Un.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(yo,"urlElicitationRequiredError");var 
Ct=d.record(d.string(),d.unknown()),Ls=d.record(d.string(),d.unknown()),Ns=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Ls.optional(),_meta:Ct.optional()}).strict(),Gs=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),$s=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),Zs=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),Fs=d.array(d.union([d.string(),Ns])),Ks=d.array(d.union([d.string(),Gs])),Js=d.array(d.union([d.string(),$s])),Ws=d.array(d.union([d.string(),Zs])),Vs=d.object({tools:Fs.optional(),prompts:Ks.optional(),resources:Js.optional(),resourceTemplates:Ws.optional()}).strict(),er=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function Ys(e,t){return yn(Vs,e,`MCP capability filter policy "${t}"`)}n(Ys,"parseMcpCapabilityFilterOptions");function E(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(E,"isRecord");function Xs(e,t){if(!E(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Xs,"readParamString");function tr(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(tr,"readRequestId");function bo(e){return e===void 
0?void 0:JSON.stringify(e)}n(bo,"requestIdKey");function Qs(e){let t={};for(let r of er){let o=e[r.option];if(o===void 0)continue;let i=new Map;for(let a of o){let s=nc(a,r.itemProperty);s!==void 0&&i.set(s.key,s)}t[r.option]=i}return t}n(Qs,"buildProjectionMaps");function rr(e){return er.find(t=>t.listMethod===e)}n(rr,"findListRule");function ec(e){return e.requests.some(t=>{if(!E(t))return!1;let r=rr(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(ec,"shouldFilterListResponses");function tc(e){for(let t of er){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let i=Xs(e.request.params,o.paramProperty);if(i!==void 0&&!r.has(i))return{id:tr(e.request)}}}}n(tc,"findDisallowedDirectAccess");function rc(e){return Response.json(St({id:e,error:{code:Be.MethodNotFound,message:"Method not found"}}))}n(rc,"methodNotFoundResponse");function nc(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!E(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n(nc,"buildProjection");function _o(e){let t=e.base[e.property],r=e.overlay[e.property];return E(r)?E(t)?{...t,...r}:r:t}n(_o,"mergeRecordProperty");function oc(e,t){let r={...e,...t.overlay},o=_o({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let i=_o({base:e,overlay:t.overlay,property:"_meta"});return i!==void 0&&(r._meta=i),r}n(oc,"applyProjection");function wo(e,t,r){if(!E(e))return e;let o=e.result;if(!E(o))return e;let i=o[t.resultProperty];return!Array.isArray(i)||!i.every(a=>E(a)&&typeof a[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:i.flatMap(a=>{if(!E(a))return[];let s=a[t.itemProperty];if(typeof s!="string")return[];let c=r.get(s);return c===void 0?[]:[oc(a,c)]})}}}n(wo,"filterAndProjectItems");function ic(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!E(r))continue;let o=rr(r.method),i=tr(r),a=bo(i);o!==void 0&&a!==void 
0&&t.set(a,o)}return t}n(ic,"buildListRulesByResponseId");function ac(e){if(Array.isArray(e.responseBody)){let o=ic(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(i=>{if(!E(i)||"error"in i)return i;let a=bo(tr(i)),s=a===void 0?void 0:o.get(a),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?i:wo(i,s,c)})}if(!E(e.requestBody)||!E(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=rr(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:wo(e.responseBody,t,r)}n(ac,"filterJsonRpcResponse");async function Ro(e){return e.clone().json()}n(Ro,"readJson");function sc(e){return e.headers.get("content-type")?.includes("json")??!1}n(sc,"isJsonResponse");var Qt=class extends ut{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=Ys(t,r);super(o,r),this.#e=Qs(o)}async handler(t,r){dt("policy.inbound.mcp-capability-filter");let o;try{o=await Ro(t)}catch{return t}let i=Array.isArray(o)?o:[o];for(let a of i){if(!E(a))continue;let s=tc({request:a,projectionMaps:this.#e});if(s!==void 0)return rc(s.id)}return ec({requests:i,projectionMaps:this.#e})&&r.addResponseSendingHook(async a=>{if(!sc(a))return a;let s;try{s=await Ro(a)}catch{return a}let c=ac({requestBody:o,responseBody:s,projectionMaps:this.#e});if(c===s)return a;let l=new Headers(a.headers);return l.delete("content-length"),new Response(JSON.stringify(c),{status:a.status,statusText:a.statusText,headers:l})}),t}};var nr;nr=globalThis.crypto;async function cc(e){return(await nr).getRandomValues(new Uint8Array(e))}n(cc,"getRandomValues");async function dc(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let i=await cc(e-o.length);for(let a of i)a<r&&(o+=t[a%t.length])}return o}n(dc,"random");async function uc(e){return await dc(e)}n(uc,"generateVerifier");async function lc(e){let 
t=await(await nr).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(lc,"generateChallenge");async function or(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await uc(e),r=await lc(t);return{code_verifier:t,code_challenge:r}}n(or,"pkceChallenge");H();var k=dn().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:pn.custom,message:"URL must be parseable",fatal:!0}),cn}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),vt=lt({resource:u().url(),authorization_servers:g(k).optional(),jwks_uri:u().url().optional(),scopes_supported:g(u()).optional(),bearer_methods_supported:g(u()).optional(),resource_signing_alg_values_supported:g(u()).optional(),resource_name:u().optional(),resource_documentation:u().optional(),resource_policy_uri:u().url().optional(),resource_tos_uri:u().url().optional(),tls_client_certificate_bound_access_tokens:K().optional(),authorization_details_types_supported:g(u()).optional(),dpop_signing_alg_values_supported:g(u()).optional(),dpop_bound_access_tokens_required:K().optional()}),Le=lt({issuer:u(),authorization_endpoint:k,token_endpoint:k,registration_endpoint:k.optional(),scopes_supported:g(u()).optional(),response_types_supported:g(u()),response_modes_supported:g(u()).optional(),grant_types_supported:g(u()).optional(),token_endpoint_auth_methods_supported:g(u()).optional(),token_endpoint_auth_signing_alg_values_supported:g(u()).optional(),service_documentation:k.optional(),revocation_endpoint:k.optional(),revocation_endpoint_auth_methods_supported:g(u()).optional(),revocation_endpoint_auth_signing_alg_values_supported:g(u()).optional(),introspection_endpoint:u().optional(),introspection_endpoint_auth_methods_supported:g(u()).optional(),introspection_
endpoint_auth_signing_alg_values_supported:g(u()).optional(),code_challenge_methods_supported:g(u()).optional(),client_id_metadata_document_supported:K().optional()}),pc=lt({issuer:u(),authorization_endpoint:k,token_endpoint:k,userinfo_endpoint:k.optional(),jwks_uri:k,registration_endpoint:k.optional(),scopes_supported:g(u()).optional(),response_types_supported:g(u()),response_modes_supported:g(u()).optional(),grant_types_supported:g(u()).optional(),acr_values_supported:g(u()).optional(),subject_types_supported:g(u()),id_token_signing_alg_values_supported:g(u()),id_token_encryption_alg_values_supported:g(u()).optional(),id_token_encryption_enc_values_supported:g(u()).optional(),userinfo_signing_alg_values_supported:g(u()).optional(),userinfo_encryption_alg_values_supported:g(u()).optional(),userinfo_encryption_enc_values_supported:g(u()).optional(),request_object_signing_alg_values_supported:g(u()).optional(),request_object_encryption_alg_values_supported:g(u()).optional(),request_object_encryption_enc_values_supported:g(u()).optional(),token_endpoint_auth_methods_supported:g(u()).optional(),token_endpoint_auth_signing_alg_values_supported:g(u()).optional(),display_values_supported:g(u()).optional(),claim_types_supported:g(u()).optional(),claims_supported:g(u()).optional(),service_documentation:u().optional(),claims_locales_supported:g(u()).optional(),ui_locales_supported:g(u()).optional(),claims_parameter_supported:K().optional(),request_parameter_supported:K().optional(),request_uri_parameter_supported:K().optional(),require_request_uri_registration:K().optional(),op_policy_uri:k.optional(),op_tos_uri:k.optional(),client_id_metadata_document_supported:K().optional()}),It=re({...pc.shape,...Le.pick({code_challenge_methods_supported:!0}).shape}),Ae=re({access_token:u(),id_token:u().optional(),token_type:u(),expires_in:mn.number().optional(),scope:u().optional(),refresh_token:u().optional()}).strip(),Co=re({error:u(),error_description:u().optional(),error_uri:u().opt
ional()}),So=k.optional().or(ln("").transform(()=>{})),mc=re({redirect_uris:g(k),token_endpoint_auth_method:u().optional(),grant_types:g(u()).optional(),response_types:g(u()).optional(),client_name:u().optional(),client_uri:k.optional(),logo_uri:So,scope:u().optional(),contacts:g(u()).optional(),tos_uri:So,policy_uri:u().optional(),jwks_uri:k.optional(),jwks:un().optional(),software_id:u().optional(),software_version:u().optional(),software_statement:u().optional()}).strip(),ir=re({client_id:u(),client_secret:u().optional(),client_id_issued_at:Gt().optional(),client_secret_expires_at:Gt().optional()}).strip(),Ne=mc.merge(ir),Vm=re({error:u(),error_description:u().optional()}).strip(),Ym=re({token:u(),token_type_hint:u().optional()}).strip();function vo(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(vo,"resourceUrlFromServerUrl");function Io({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let i=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",a=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return i.startsWith(a)}n(Io,"checkResourceAllowed");var A=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Ge=class extends A{static{n(this,"InvalidRequestError")}};Ge.errorCode="invalid_request";var pe=class extends A{static{n(this,"InvalidClientError")}};pe.errorCode="invalid_client";var me=class extends A{static{n(this,"InvalidGrantError")}};me.errorCode="invalid_grant";var fe=class extends A{static{n(this,"UnauthorizedClientError")}};fe.errorCode="unauthorized_client";var $e=class extends 
A{static{n(this,"UnsupportedGrantTypeError")}};$e.errorCode="unsupported_grant_type";var Ze=class extends A{static{n(this,"InvalidScopeError")}};Ze.errorCode="invalid_scope";var Fe=class extends A{static{n(this,"AccessDeniedError")}};Fe.errorCode="access_denied";var X=class extends A{static{n(this,"ServerError")}};X.errorCode="server_error";var Ke=class extends A{static{n(this,"TemporarilyUnavailableError")}};Ke.errorCode="temporarily_unavailable";var Je=class extends A{static{n(this,"UnsupportedResponseTypeError")}};Je.errorCode="unsupported_response_type";var We=class extends A{static{n(this,"UnsupportedTokenTypeError")}};We.errorCode="unsupported_token_type";var Ve=class extends A{static{n(this,"InvalidTokenError")}};Ve.errorCode="invalid_token";var Ye=class extends A{static{n(this,"MethodNotAllowedError")}};Ye.errorCode="method_not_allowed";var Xe=class extends A{static{n(this,"TooManyRequestsError")}};Xe.errorCode="too_many_requests";var he=class extends A{static{n(this,"InvalidClientMetadataError")}};he.errorCode="invalid_client_metadata";var Qe=class extends A{static{n(this,"InsufficientScopeError")}};Qe.errorCode="insufficient_scope";var et=class extends A{static{n(this,"InvalidTargetError")}};et.errorCode="invalid_target";var Ao={[Ge.errorCode]:Ge,[pe.errorCode]:pe,[me.errorCode]:me,[fe.errorCode]:fe,[$e.errorCode]:$e,[Ze.errorCode]:Ze,[Fe.errorCode]:Fe,[X.errorCode]:X,[Ke.errorCode]:Ke,[Je.errorCode]:Je,[We.errorCode]:We,[Ve.errorCode]:Ve,[Ye.errorCode]:Ye,[Xe.errorCode]:Xe,[he.errorCode]:he,[Qe.errorCode]:Qe,[et.errorCode]:et};function fc(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(fc,"isClientAuthMethod");var ar="code",sr="S256";function hc(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in 
e&&e.token_endpoint_auth_method&&fc(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(hc,"selectClientAuthMethod");function gc(e,t,r,o){let{client_id:i,client_secret:a}=t;switch(e){case"client_secret_basic":yc(i,a,r);return;case"client_secret_post":_c(i,a,o);return;case"none":wc(i,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(gc,"applyClientAuthentication");function yc(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(yc,"applyBasicAuth");function _c(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(_c,"applyPostAuth");function wc(e,t){t.set("client_id",e)}n(wc,"applyPublicAuth");async function Uo(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=Co.parse(JSON.parse(r)),{error:i,error_description:a,error_uri:s}=o,c=Ao[i]||X;return new c(a||"",s)}catch(o){let i=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. 
Raw body: ${r}`;return new X(i)}}n(Uo,"parseErrorResponse");async function ur(e,t){try{return await cr(e,t)}catch(r){if(r instanceof pe||r instanceof fe)return await e.invalidateCredentials?.("all"),await cr(e,t);if(r instanceof me)return await e.invalidateCredentials?.("tokens"),await cr(e,t);throw r}}n(ur,"auth");async function cr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:i,fetchFn:a}){let s=await e.discoveryState?.(),c,l,m,f=i;if(!f&&s?.resourceMetadataUrl&&(f=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(l=s.authorizationServerUrl,c=s.resourceMetadata,m=s.authorizationServerMetadata??await To(l,{fetchFn:a}),!c)try{c=await Po(t,{resourceMetadataUrl:f},a)}catch{}(m!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}else{let q=await Ic(t,{resourceMetadataUrl:f,fetchFn:a});l=q.authorizationServerUrl,m=q.authorizationServerMetadata,c=q.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}let x=await Rc(t,e,c),v=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,L=await Promise.resolve(e.clientInformation());if(!L){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let q=m?.client_id_metadata_document_supported===!0,He=e.clientMetadataUrl;if(He&&!lr(He))throw new he(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${He}`);if(q&&He)L={client_id:He},await e.saveClientInformation?.(L);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let rn=await Pc(l,{metadata:m,clientMetadata:e.clientMetadata,scope:v,fetchFn:a});await e.saveClientInformation(rn),L=rn}}let Re=!e.redirectUrl;if(r!==void 0||Re){let q=await 
kc(e,l,{metadata:m,resource:x,authorizationCode:r,fetchFn:a});return await e.saveTokens(q),"AUTHORIZED"}let tn=await e.tokens();if(tn?.refresh_token)try{let q=await Uc(l,{metadata:m,clientInformation:L,refreshToken:tn.refresh_token,resource:x,addClientAuthentication:e.addClientAuthentication,fetchFn:a});return await e.saveTokens(q),"AUTHORIZED"}catch(q){if(!(!(q instanceof A)||q instanceof X))throw q}let Is=e.state?await e.state():void 0,{authorizationUrl:As,codeVerifier:xs}=await Ac(l,{metadata:m,clientInformation:L,state:Is,redirectUrl:e.redirectUrl,scope:v,resource:x});return await e.saveCodeVerifier(xs),await e.redirectToAuthorization(As),"REDIRECT"}n(cr,"authInternal");function lr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(lr,"isHttpsUrl");async function Rc(e,t,r){let o=vo(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!Io({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(Rc,"selectResourceURL");function ko(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let i=dr(e,"resource_metadata")||void 0,a;if(i)try{a=new URL(i)}catch{}let s=dr(e,"scope")||void 0,c=dr(e,"error")||void 0;return{resourceMetadataUrl:a,scope:s,error:c}}n(ko,"extractWWWAuthenticateParams");function dr(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),i=r.match(o);return i?i[1]||i[2]:null}n(dr,"extractFieldFromWwwAuth");async function Po(e,t,r=fetch){let o=await Cc(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await 
o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return vt.parse(await o.json())}n(Po,"discoverOAuthProtectedResourceMetadata");async function pr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?pr(e,void 0,r):void 0;throw o}}n(pr,"fetchWithCorsRetry");function bc(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(bc,"buildWellKnownPath");async function xo(e,t,r=fetch){return await pr(e,{"MCP-Protocol-Version":t},r)}n(xo,"tryMetadataDiscovery");function Sc(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(Sc,"shouldAttemptFallback");async function Cc(e,t,r,o){let i=new URL(e),a=o?.protocolVersion??$t,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let l=bc(t,i.pathname);s=new URL(l,o?.metadataServerUrl??i),s.search=i.search}let c=await xo(s,a,r);if(!o?.metadataUrl&&Sc(c,i.pathname)){let l=new URL(`/.well-known/${t}`,i);c=await xo(l,a,r)}return c}n(Cc,"discoverMetadataWithFallback");function vc(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let i=t.pathname;return i.endsWith("/")&&(i=i.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${i}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${i}`,t.origin),type:"oidc"}),o.push({url:new URL(`${i}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(vc,"buildDiscoveryUrls");async function To(e,{fetchFn:t=fetch,protocolVersion:r=$t}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},i=vc(e);for(let{url:a,type:s}of i){let c=await pr(a,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load 
${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${a}`)}return s==="oauth"?Le.parse(await c.json()):It.parse(await c.json())}}}n(To,"discoverAuthorizationServerMetadata");async function Ic(e,t){let r,o;try{r=await Po(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let i=await To(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:i,resourceMetadata:r}}n(Ic,"discoverOAuthServerInfo");async function Ac(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:i,state:a,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(ar))throw new Error(`Incompatible auth server: does not support response type ${ar}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(sr))throw new Error(`Incompatible auth server: does not support code challenge method ${sr}`)}else c=new URL("/authorize",e);let l=await or(),m=l.code_verifier,f=l.code_challenge;return c.searchParams.set("response_type",ar),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",f),c.searchParams.set("code_challenge_method",sr),c.searchParams.set("redirect_uri",String(o)),a&&c.searchParams.set("state",a),i&&c.searchParams.set("scope",i),i?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:m}}n(Ac,"startAuthorization");function xc(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(xc,"prepareAuthorizationCodeRequest");async function Eo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:i,resource:a,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),l=new 
Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(a&&r.set("resource",a.href),i)await i(l,r,c,t);else if(o){let f=t?.token_endpoint_auth_methods_supported??[],x=hc(o,f);gc(x,o,l,r)}let m=await(s??fetch)(c,{method:"POST",headers:l,body:r});if(!m.ok)throw await Uo(m);return Ae.parse(await m.json())}n(Eo,"executeTokenRequest");async function Uc(e,{metadata:t,clientInformation:r,refreshToken:o,resource:i,addClientAuthentication:a,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),l=await Eo(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:a,resource:i,fetchFn:s});return{refresh_token:o,...l}}n(Uc,"refreshAuthorization");async function kc(e,t,{metadata:r,resource:o,authorizationCode:i,fetchFn:a}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!i)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let m=await e.codeVerifier();c=xc(i,m,e.redirectUrl)}let l=await e.clientInformation();return Eo(t,{metadata:r,tokenRequestParams:c,clientInformation:l??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:a})}n(kc,"fetchToken");async function Pc(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:i}){let a;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");a=new URL(t.registration_endpoint)}else a=new URL("/register",e);let s=await(i??fetch)(a,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await Uo(s);return Ne.parse(await s.json())}n(Pc,"registerClient");var mr="zuplo.com",Tc=new 
Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),Ec=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function Oo(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(Oo,"s2FaviconHref");function Oc(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(Oc,"strictFaviconHref");var At=Oo(mr);function fr(e){let t=e.toLowerCase();return t===mr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?Oo(mr):Oc(e)}n(fr,"resolveIconHref");function qc(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(qc,"hostnameFromHost");function Mc(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Mc,"isLocalOrAddressHost");function Dc(e){let t=qc(e).toLowerCase().replace(/\.$/,"");if(Mc(t)||Ec.some(a=>t===a.slice(1)||t.endsWith(a)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),i=Tc.has(o)?3:2;return r.slice(-i).join(".")}n(Dc,"inferFaviconDomain");function hr(e){return{src:fr(Dc(e)),mimeType:"image/png",sizes:["128x128"]}}n(hr,"resolveMcpFaviconIcon");function xt(e){try{return hr(new URL(e).host)}catch{return}}n(xt,"resolveMcpFaviconIconFromUrl");function ne(e){let t=N().connectionsById.get(e);if(!t)throw new P(`Unknown upstream server "${e}". 
Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(ne,"getUpstreamServerConfig");function zc(e){let t=N().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new P(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(zc,"resolveUpstreamAuthProfileId");function gr(e){zc(e);let t=N().connectionsById.get(e.upstreamServerId);if(!t)throw new P(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(gr,"getUpstreamAuthConfig");function ge(e,t){let r=gr({upstreamServerId:e,authProfileId:t});if(!Tn(r))throw new P(`Upstream server "${e}" does not use upstream OAuth. 
Select an auth mode that supports the requested upstream connect flow or remove the upstream OAuth route for this server.`);return r.oauth}n(ge,"requireUpstreamOAuthConfig");var Hc={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"}};function G(e){return Hc[e]}n(G,"describeUpstreamAuthMode");function Ut(e){return G(e).ownerMode}n(Ut,"resolveOwnerModeForUpstreamAuthMode");H();import{errors as Lo,jwtVerify as No,SignJWT as Go}from"jose";var O="zuplo-mcp-gateway",D=O,z="HS256";import{base64url as Bc}from"jose";var jc=new TextEncoder,Lc="MCP gateway could not initialize secure key material.",Nc=32,qo=new Map,Mo=new Map,Gc;function $c(){return Gc??nn.instance.authPrivateKey}n($c,"readAuthPrivateKey");function Do(e){return new M(Lc,e===void 0?void 0:{cause:e})}n(Do,"createGeneratedKeyMaterialError");function zo(e,t){let r=Bc.decode(t);if(r.byteLength!==Nc)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(zo,"decodeJwkKeyField");function Zc(e){let t=$c();if(!t)throw Do();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=zo("d",r.d);zo("x",r.x);let i=jc.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),a=new Uint8Array(i.byteLength+o.byteLength);return a.set(i),a.set(o,i.byteLength),a}catch(r){throw Do(r)}}n(Zc,"decodeGeneratedKeyMaterial");function Fc(e){let t=qo.get(e);return t||(t=Zc(e),qo.set(e,t)),t}n(Fc,"getMasterKeyMaterial");async function $(e){let t=Mo.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(Fc(e.keyMaterialPurpose));return 
Mo.set(e.purpose,r),r}n($,"readCachedDerivedKey");var Kc="SHA-256";var Jc="zuplo-mcp-gateway:",Wc=new TextEncoder,Ho=new WeakMap;async function oe(e,t){let r=Ho.get(e);r||(r=new Map,Ho.set(e,r));let o=r.get(t);if(o)return o;let i=await Vc(e,t);return r.set(t,i),i}n(oe,"deriveGatewaySigningKey");async function Vc(e,t){let r=Bo(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),i=Wc.encode(`${Jc}${t}`),a=await crypto.subtle.deriveBits({name:"HKDF",hash:Kc,salt:new Uint8Array,info:Bo(i)},o,32*8);return new Uint8Array(a)}n(Vc,"hkdfExpand");function Bo(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Bo,"copyToArrayBuffer");var $o=15*60,Yc=15*60,Xc=to.extend({id:ro}),Qc=Xc.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Zo=Xt.extend({id:no,purpose:d.literal("browser_connect")}),ed=Xt.extend({purpose:d.literal("browser_connect")}),td=Zo.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Fo=$o*1e3;async function Ko(){return $({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"oauth-state"),"derive")})}n(Ko,"getOAuthStateKey");async function Jo(){return $({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-connect"),"derive")})}n(Jo,"getBrowserConnectKey");async function Wo(e){let t=Math.floor(Date.now()/1e3)+$o;return new Go(e).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(t).sign(await Ko())}n(Wo,"signOAuthState");async function kt(e){try{let{payload:t}=await No(e,await Ko(),{algorithms:[z],issuer:O,audience:D});return Qc.parse(t)}catch(t){throw t instanceof Lo.JWTExpired?new h({message:"OAuth state has expired",extensionMembers:{[y]:"oauth_state_expired"}},{cause:t}):new h({message:"OAuth state could not be verified",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:t})}}n(kt,"verifyOAuthState");async function Vo(e){let 
t=Math.floor(Date.now()/1e3)+Yc,r=ed.parse(e),o=Zo.parse({...r,id:so()});return new Go(o).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(t).sign(await Jo())}n(Vo,"signBrowserConnectTicket");async function Yo(e){try{let{payload:t}=await No(e,await Jo(),{algorithms:[z],issuer:O,audience:D});return td.parse(t)}catch(t){throw t instanceof Lo.JWTExpired?new h({message:"Browser connect ticket has expired",extensionMembers:{[y]:"oauth_state_expired"}},{cause:t}):new h({message:"Browser connect ticket could not be verified",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:t})}}n(Yo,"verifyBrowserConnectTicket");async function Xo(e){if((await b().consumeBrowserConnectTicket({id:e.id,expiresAt:R(new Date(e.exp*1e3)),now:R(new Date)})).kind==="consumed")throw new h({message:"Browser connect ticket has already been used",extensionMembers:{[y]:"oauth_state_reused"}})}n(Xo,"consumeBrowserConnectTicket");function rd(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(rd,"buildConnectRequiredMessage");async function nd(e){let t=U(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Vo({...je(e),purpose:"browser_connect"})),r.toString()}n(nd,"buildGatewayBrowserTicketUrl");function od(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}n(od,"buildGatewayConnectPath");async function yr(e){return nd({...e,path:od(e.upstreamServerId),redirect:!0})}n(yr,"buildGatewayConnectUrl");async function Pt(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 
0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await yr(t),message:rd(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(Pt,"buildRedirectConnectRequiredResponse");function Qo(e){return id({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(Qo,"buildAdminConnectRequiredResponse");function id(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(id,"buildAdminSetupRequiredResponse");H();var ei=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function ad(e,t){return e&&e.length>0?e.join(t):void 0}n(ad,"joinOAuthScopes");function sd(e){if(e?.authorization_endpoint===void 0)return e;let t=new URL(e.authorization_endpoint);for(let r of ei)t.searchParams.delete(r);return{...e,authorization_endpoint:t.toString()}}n(sd,"sanitizeAuthorizationServerMetadata");function _r(e){let t=sd(e.authorizationServerMetadata);return t===e.authorizationServerMetadata?e:{...e,authorizationServerMetadata:t}}n(_r,"sanitizeOAuthDiscoveryState");function ti(e){let t=new URL(e);for(let r of ei){let o=t.searchParams.getAll(r);o.length<=1||(t.searchParams.delete(r),t.searchParams.set(r,o.at(-1)??""))}return t}n(ti,"normalizeDuplicateSingletonAuthorizationRequestParams");function ri(e){return ad(e.state?.resourceMetadata?.scopes_supported,e.delimiter)}n(ri,"readProtectedResourceMetadataScope");function wr(e){return`Zuplo 
MCP Gateway - ${e}`}n(wr,"buildGatewayOAuthClientName");function ni(e,t,r){let o=new URL(e,U(t,r));return ue(o)&&hn(o.hostname)!=="localhost"&&(o.hostname="localhost"),o.toString()}n(ni,"buildGatewayOAuthRedirectUri");function Rr(e){return new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}/${encodeURIComponent(e.authProfileId)}`,e.origin).toString()}n(Rr,"buildOAuthClientMetadataDocumentUrl");function oi(e,t){return U(e,t)}n(oi,"requireOAuthClientMetadataOrigin");function ii(e,t,r){let o=ne(t),i=ge(t,r),a={client_id:Rr({origin:e,upstreamServerId:t,authProfileId:r}),client_name:wr(o.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(i.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"};return i.scopes.length>0&&(a.scope=i.scopes.join(i.scopeDelimiter)),a}n(ii,"buildOAuthClientMetadataDocument");H();import{base64url as ie}from"jose";var cd="SHA-256",Ue="AES-GCM",dd=12,Sr="zuplo-secret",Cr=1,ai="generated:auth_private_key:token-encryption",ud=d.object({version:d.literal(Cr),keyId:d.literal(ai),algorithm:d.literal(Ue),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function xe(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(xe,"copyToArrayBuffer");async function br(){return $({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(cd,xe(e));return crypto.subtle.importKey("raw",t,{name:Ue},!1,["encrypt","decrypt"])},"derive")})}n(br,"getEncryptionKey");function si(e){return xe(new TextEncoder().encode(`${Sr}:v${e.version}:${e.keyId}`))}n(si,"getAssociatedData");function ld(e){return`${Sr}:v${e.version}:${ie.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(ld,"encodeEnvelope");function pd(e){let t=`${Sr}:v${Cr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(ie.decode(r));return 
ud.parse(JSON.parse(o))}n(pd,"decodeEnvelope");async function Tt(e){let t=await br(),r=crypto.getRandomValues(new Uint8Array(dd)),o={version:Cr,keyId:ai},i=await crypto.subtle.encrypt({name:Ue,iv:r,additionalData:si(o)},t,new TextEncoder().encode(e));return ld({...o,algorithm:Ue,iv:ie.encode(r),ciphertext:ie.encode(new Uint8Array(i))})}n(Tt,"encryptSecret");async function tt(e){let t=pd(e);if(t){let s=await br(),c=await crypto.subtle.decrypt({name:Ue,iv:xe(ie.decode(t.iv)),additionalData:si(t)},s,xe(ie.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new M("Encrypted payload is malformed");let i=await br(),a=await crypto.subtle.decrypt({name:Ue,iv:xe(ie.decode(r))},i,xe(ie.decode(o)));return new TextDecoder().decode(a)}n(tt,"decryptSecret");var md=d.union([Ne,ir]),ci=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:vt.optional(),authorizationServerMetadata:d.union([Le,It]).optional()}).passthrough(),fd="Bearer",hd="__zuplo_refresh_only_upstream_access_token__";function gd(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(gd,"splitScopes");function yd(e){return gt.parse(e)}n(yd,"parsePkceCodeVerifier");function _d(e){if(typeof e.expires_in=="number")return R(new Date(Date.now()+e.expires_in*1e3))}n(_d,"readTokenExpiry");async function di(e){if(e!==void 0)return Tt(JSON.stringify(e))}n(di,"encryptJson");async function ui(e,t){if(!e)return;let r=await tt(e);try{return t.parse(JSON.parse(r))}catch(o){throw new h({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:o})}}n(ui,"decryptJson");function wd(e){if(e===void 0)return;e=_r(e);let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 
0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(wd,"toOAuthDiscoveryState");function Rd(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(Rd,"clientInformationAllowsRedirectUri");function bd(e){return e.clientMetadataUrl===void 0?"redirect_uris"in e.clientInformation:"redirect_uris"in e.clientInformation||e.clientInformation.client_id===e.clientMetadataUrl}n(bd,"clientInformationMatchesCurrentClientMetadataUrl");function Sd(e){return e.clientMetadataUrl!==void 0&&!("redirect_uris"in e.clientInformation)&&e.clientInformation.client_id===e.clientMetadataUrl}n(Sd,"isUrlBasedClientInformation");function Cd(e,t,r){let o=ne(e),i=ge(e,t),a=pi(i.scopes,i.scopeDelimiter);return{client_name:wr(o.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:a,token_endpoint_auth_method:"none"}}n(Cd,"buildOAuthClientMetadata");function pi(e,t){return e&&e.length>0?e.join(t):void 0}n(pi,"joinOAuthScopes");function vd(e,t){return t===void 0?e:{...e,scope:t}}n(vd,"applyOAuthClientMetadataScope");function li(e,t){return ri({state:e,delimiter:t})}n(li,"readResourceMetadataScope");function Id(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new P(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. 
Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Ne.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(Id,"buildManualOAuthClientInformation");function Ad(e,t,r){let o=Rr({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return lr(o)?o:void 0}n(Ad,"buildClientMetadataUrl");function mi(e){for(let t of e)if(t!==void 0)return t}n(mi,"firstDefined");function xd(e){let t=ge(e.target.upstreamServerId,e.target.authProfileId),r=Cd(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri),o=pi(t.scopes,t.scopeDelimiter);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:Id({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let i=Ad(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return i===void 0?{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:i}}n(xd,"buildInitialOAuthClientSetup");function Ud(e,t){if(t===void 0)return mi([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(Ud,"readEncryptedClientInformation");function kd(e){return mi([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(kd,"readEncryptedDiscoveryState");var 
ye=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=xd({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=Ud(t,this.configuredClientInformation),this.encryptedDiscoveryState=kd(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return vd(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return Wo({id:t.id,...je({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,!Sd({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl})&&(this.encryptedClientInformation=await di(t),await this.syncPendingState(!1)))}async discoveryState(){return 
this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){let r=_r(ci.parse(t));this.cachedDiscoveryState=r,this.discoveryStateLoaded=!0,this.inferredScope=li(r,this.scopeDelimiter),this.encryptedDiscoveryState=await di(r),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Ae.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,i=r.refresh_token?await Tt(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:Ae.parse({...r,refresh_token:await tt(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let a={id:this.connection?.id??io(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Tt(r.access_token),encryptedRefreshToken:i,scopes:gd(r.scope??this.readEffectiveScope()),expiresAt:_d(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await b().upsertUpstreamConnection(a)}async redirectToAuthorization(t){let r=ti(t);this.authorizationUrlValue=r.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:yd(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new h({message:"OAuth code verifier is missing",extensionMembers:{[y]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",i=t==="all"||t==="discovery",a=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),i&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 
0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(a),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:ao(),...je({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:R(new Date(Date.now()+Fo)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await b().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await ui(this.encryptedClientInformation,md)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&(!Rd(t,this.redirectUriValue)||!bd({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl}))){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await 
this.persistCredentialInvalidation(!1);return}return this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=wd(await ui(this.encryptedDiscoveryState,ci))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=li(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await tt(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await tt(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=Ae.parse({access_token:t??hd,token_type:fd,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 
0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await b().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var Pd=3e4,Td=256*1024,Ed=2;function Od(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(Od,"hasUsableAccessToken");var qd="does not support dynamic client registration",Md=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],Dd=["HTTP 403 Forbidden","Access Denied","permission to access"];function zd(e){return e instanceof Error&&e.message.includes(qd)}n(zd,"isDynamicClientRegistrationUnsupported");function Hd(e){return e instanceof Error&&Md.some(t=>e.message.includes(t))}n(Hd,"isProtectedResourceMetadataUnavailable");function Bd(e){return e instanceof Error&&Dd.some(t=>e.message.includes(t))}n(Bd,"isUpstreamProviderAccessDenied");function jd(e){if(e.error instanceof h&&e.error.extensionMembers?.[y]!==void 0)return e.error;if(zd(e.error))return new h({message:`The authorization server for ${e.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[y]:"upstream_client_registration_required"}},{cause:e.error});if(Hd(e.error))return new h({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". 
Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[y]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(Bd(e.error))return new h({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[y]:"upstream_provider_access_denied"}},{cause:e.error})}n(jd,"mapUpstreamOAuthSetupError");function Ld(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(Ld,"readOAuthFetchRequest");function Nd(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(Nd,"responseLooksJson");function Gd(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(Gd,"responseLooksHtml");function $d(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new h({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting ${e.upstreamServerId}.`,extensionMembers:{[y]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[Ce]:e.response.status,[be]:r,[ve]:e.request.url.toString(),[Se]:e.body}})}n($d,"throwUpstreamHtmlError");function fi(e){return async(t,r)=>{let o=Ld(t),i=await mo(t,r,{maxRedirects:Ed,maxResponseBytes:Td,problemCode:"upstream_token_exchange_failed",timeoutMs:Pd}),a=await i.clone().text();if(!i.ok&&Gd(i,a)&&$d({upstreamServerId:e,request:o,response:i,body:a}),!Nd(i,a))return i;try{JSON.parse(a)}catch(s){throw new h({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned 
invalid JSON.`,extensionMembers:{[y]:"upstream_token_exchange_failed"}},{cause:s})}return i}}n(fi,"createUpstreamOAuthFetch");async function hi(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:fi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await ur(e,r)}catch(r){let o=jd({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(hi,"runUpstreamOAuth");async function Zd(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:fi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),ur(e,r)}n(Zd,"exchangeUpstreamAuthorizationCode");async function gi(e,t){let r=await hi(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new h({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}}):new h({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}})}n(gi,"requireUpstreamAuthorizationRedirect");async function yi(e){if(!e.forceRefresh&&Od(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await hi(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new h({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new 
h({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Vd({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(yi,"authorizeUpstreamOAuthSession");async function Fd(e){let t=await kt(e.stateToken),r=await b().consumeUpstreamOAuthState({id:t.id,now:R(new Date)}),o=Kd(r);return Jd({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Wd(o),o}n(Fd,"consumeStoredCallbackState");function Kd(e){switch(e.kind){case"consumed":throw new h({message:"OAuth state has already been used",extensionMembers:{[y]:"oauth_state_reused"}});case"missing":throw new h({message:"OAuth state is missing or expired",extensionMembers:{[y]:"oauth_state_expired"}});case"available":return e.record}}n(Kd,"readConsumedCallbackState");function Jd(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new h({message:"OAuth callback did not match the initiating request",extensionMembers:{[y]:"oauth_callback_mismatch"}})}n(Jd,"assertStoredCallbackStateMatches");function Wd(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new 
h({message:"OAuth state has expired",extensionMembers:{[y]:"oauth_state_expired"}})}n(Wd,"assertStoredCallbackStateFresh");async function Vd(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),Qo(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Pt(t)}n(Vd,"buildOAuthConnectRequiredResponse");async function _i(e){let t=await Fd({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=wt(t),[o]=await b().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),i={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(i.connection=o);let a=new ye(i),s=await Zd(a,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new h({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}}):new h({message:`OAuth callback flow did not finish authorization for 
${e.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}})}n(_i,"finishUpstreamOAuthCallback");async function wi(e){let t=ne(e.upstreamServerId),r=ge(e.upstreamServerId,e.authProfileId),o=ni(r.redirectPath,e.request.url,e.request.headers),i="preloadedConnection"in e?e.preloadedConnection:(await b().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:i,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:U(e.request.url,e.request.headers)}}}n(wi,"prepareUpstreamOAuthRequest");async function Ri(e){let t=await wi(e),r=new ye({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return gi(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Ri,"startUpstreamConnect");async function bi(e){let t=await wi(e),r=new ye({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return yi({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(bi,"authorizeUpstreamRequest");async function ke(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return bi({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.requestedScope===void 
0?{}:{requestedScope:e.requestedScope},...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}let r=t;throw new M(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(ke,"resolveUpstreamCredentialForRoute");async function Si(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},o=G(e.connectRequest.authMode);switch(o.connectSupport){case"oauth_authorization":t=await Ri(r);break;case"none":throw new M(o.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(Si,"startUpstreamConnectForRequest");async function Ci(e){let r=(await kt(e.callbackRequest.state)).authProfileId,o=gr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(G(o.mode).callbackSupport!=="authorization_code")throw new M(`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return _i({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:ne(e.callbackRequest.upstreamServerId)})}n(Ci,"finishUpstreamCallbackForRequest");function Yd(e){let 
t=G(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(Yd,"buildRouteAuthBaseFromConnection");function Ii(e){let t=G(e.connection.authMode);return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:ht(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(Ii,"buildRouteAuthBaseFromPolicyOptions");function Et(e,t){let o=N().byOperationId.get(t);if(!o)throw new P(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new P(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new P(`MCP route "${t}" does not bind upstream "${e}". 
Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return Yd({connection:o.connection,operationId:t})}n(Et,"resolveRouteAuthBase");function vi(e,t){switch(e){case"user":return _t(t);case"shared":return eo()}}n(vi,"buildOwnerForSubject");function Pe(e,t){switch(e.ownerMode){case"shared":return{...e,owner:vi(e.ownerMode,t),initiatedBySubjectId:t};case"user":return{...e,owner:vi(e.ownerMode,t),initiatedBySubjectId:t}}}n(Pe,"resolveRouteAuthForSubject");var Xd=Be.InvalidRequest,Qd=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function eu(e,t){return{credentialType:e.type,forceRefresh:t,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}n(eu,"buildCredentialResolvedAttributes");function tu(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(tu,"connectRequiredReasonCode");function Ai(e){C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:eu(e.credential,e.forceRefresh===!0)})}n(Ai,"emitCredentialResolvedAnalyticsEvent");function xi(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:tu(e.payload.state),reasonClass:"auth",attributes:t})}n(xi,"emitCredentialMissingAnalyticsEvents");function ru(e){let t=e.route.raw();return 
pt.parse(t?.operationId)}n(ru,"readOperationId");async function nu(e,t,r,o){let i=await ke({request:e,routeAuth:t});if(i.kind==="connect_required")return xi({context:o,payload:i.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:i.payload};let a=i.credential;switch(Ai({context:o,credential:a,routeBinding:t}),a.type){case"none":return{kind:"headers",headers:[]};case"bearer_token":return{kind:"headers",headers:[["authorization",`Bearer ${a.token}`]]};case"headers":return{kind:"headers",headers:Object.entries(a.headers)};case"mcp_oauth_provider":{let s=await a.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}}}n(nu,"buildCredentialHeaders");var ou=new Set(["authorization","cookie","cookie2"]);function iu(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(iu,"readJsonRequestMethod");function au(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(au,"isJsonResponse");function vr(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(vr,"isRecord");function su(e){return Array.isArray(e)&&e.length>0}n(su,"hasIconList");function cu(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=xt(Cn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(cu,"readFallbackServerIcons");function du(e){if(!vr(e.body))return e.body;let t=e.body.result;if(!vr(t))return 
e.body;let r=t.serverInfo;return!vr(r)||su(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(du,"addMissingServerIcons");function uu(e,t){let r=new Headers(e.headers);for(let o of ou)r.delete(o);for(let[o,i]of t)r.set(o,i);return new an(e,{headers:r})}n(uu,"applyUpstreamHeaders");function lu(e){let t=new Headers(e.headers);for(let r of Qd)t.delete(r);return t}n(lu,"buildProxyHeaders");async function pu(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(pu,"readRetryBody");function Ui(e,t){let r=t.authUrl===void 0?void 0:yo({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(St({id:go(e),error:{code:r?.code??Xd,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(Ui,"connectRequiredJsonRpcResponse");async function mu(e){let{scope:t}=ko(e.upstreamResponse),r=await ke({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0,...t===void 0?{}:{requestedScope:t}});if(r.kind==="connect_required")return xi({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),i=r.credential;switch(Ai({context:e.context,credential:i,routeBinding:e.routeAuth,forceRefresh:!0}),i.type){case"none":return o.delete("authorization"),{kind:"headers",headers:o};case"bearer_token":return o.set("authorization",`Bearer ${i.token}`),{kind:"headers",headers:o};case"headers":for(let[a,s]of Object.entries(i.headers))o.set(a,s);return{kind:"headers",headers:o};case"mcp_oauth_provider":{let a=await i.provider.tokens();return a?(o.set("authorization",`${a.token_type??"Bearer"} ${a.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after 
refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}}}n(mu,"applyRefreshedCredentialHeaders");function fu(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await mu({request:e.request,context:e.context,headers:lu(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return Ui(e.requestBody,o.payload);if(o.kind==="response")return o.response;let i=vn({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return ct.fetch(i.url,i.init)})}n(fu,"installUpstreamAuthRetryHook");function hu(e){if(iu(e.requestBody)!=="initialize")return;let t=cu({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!au(r))return r;let o;try{o=await r.clone().json()}catch{return r}let i=du({body:o,icons:t});if(i===o)return r;let a=new Headers(r.headers);return a.delete("content-length"),new Response(JSON.stringify(i),{status:r.status,statusText:r.statusText,headers:a})})}n(hu,"installInitializeIconHook");async function Ir(e,t,r){let o=ru(t),i=await pu(e),a=Ii({connection:r,operationId:o}),s=Ie(e.user,e.url,e.headers);Bn(t,s);let c=Pe(a,s.subjectId),l=await nu(e,c,r,t);if(!(l instanceof Response)&&l.kind==="connect_required")return Ui(i,l.payload);if(l instanceof Response)return l;let m=uu(e,l.headers);return fu({request:m,context:t,requestBody:i,routeAuth:c}),hu({context:t,requestBody:i,connection:r}),m}n(Ir,"mcpTokenExchangePolicy");var Ar=class extends ut{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Pn(t,r);super(o,r)}async handler(t,r){return dt("policy.inbound.mcp-token-exchange"),Ir(t,r,this.options)}};H();var ki=Symbol("Html");function gu(e){return e.replaceAll("&","&").replaceAll("<","<").replaceAll(">",">").replaceAll('"',""").replaceAll("'","'")}n(gu,"escapeHtml");function yu(e){return e===null||typeof e!="object"?!1:e[ki]===!0}n(yu,"isHtml");function Pi(e){return 
e==null||e===!1?"":Array.isArray(e)?e.map(Pi).join(""):yu(e)?e.value:gu(String(e))}n(Pi,"renderValue");function Q(e){return{[ki]:!0,value:e}}n(Q,"trustedHtml");var Z=Q("");function S(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Pi(t[o]),r+=e[o+1]??"";return Q(r)}n(S,"html");function Te(e){return e.value}n(Te,"renderHtml");function Ti(e){return S`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(Ti,"renderBrowserErrorPage");var Ee=Q('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px 
#0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint 
strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback 
svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 
0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 
4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 
10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 
0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Oe(e){return S`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
|
|
25
|
+
import{a as uo,b as lo,c as Rt,d as po,e as mo,g as fo,h as ho,i as bt}from"../chunk-WASXKKBJ.js";import{$b as Dn,$c as Bs,Ab as be,Ac as Wn,Bb as Se,Bc as Vn,Cb as Ce,Cc as Vt,Db as ve,Dc as Yn,Eb as bn,Ec as Yt,Fb as Sn,Fc as Xt,G as cn,Gb as j,Gc as yt,H as u,Hb as Cn,Hc as Ie,I as dn,Ib as vn,Ic as Xn,J as $t,Jb as In,Jc as Qn,K,Kb as pt,Kc as _t,L as un,Lb as An,Lc as eo,M as g,Mb as Zt,Mc as Qt,N as re,Nb as mt,Nc as to,O as lt,Ob as ft,Oc as je,P as ln,Pb as Be,Pc as wt,Q as pn,Qb as xn,Qc as ro,R as mn,Rb as Un,Rc as no,S as d,Sb as kn,Sc as oo,T as H,Tb as ht,Tc as io,Ub as Pn,Uc as ao,Vb as Tn,Vc as so,Wb as En,Wc as b,Xb as On,Xc as C,Yb as qn,Yc as Y,Z as fn,Zb as Mn,Zc as I,_b as N,_c as co,a as dt,ac as zn,bc as R,cc as J,dc as U,ec as Hn,fc as W,gb as hn,hb as ue,hc as Bn,i as de,ib as gn,ic as jn,j as on,jb as B,jc as le,kb as yn,kc as _,l as an,lb as Us,lc as Ln,mb as ks,mc as Nn,nb as Ps,nc as Gn,ob as Ts,oc as gt,p as sn,pb as Es,pc as V,qb as Os,qc as Ft,r as ut,rb as qs,rc as Kt,sb as Ms,sc as $n,tb as Ds,tc as Zn,ub as zs,uc as Jt,vb as Hs,vc as Wt,wb as _n,wc as Fn,xb as wn,xc as T,yb as Rn,yc as Kn,zb as y,zc as Jn}from"../chunk-ORBTGJIA.js";import"../chunk-JRXZBVXH.js";import{a as w}from"../chunk-4SACVMDH.js";import{$ as M,a as n,aa as h,ba as P,ca as nn,da as ct}from"../chunk-ZIKV2LUM.js";H();function js(e){let t=ft.safeParse(e);return t.success?t.data.id:void 0}n(js,"parseJsonRpcRequestId");function go(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return js(t)}catch{return}}n(go,"readJsonRpcRequestIdFromBody");function St(e){return xn.parse({jsonrpc:mt,...e.id===void 0?{}:{id:e.id},error:{code:e.error.code,message:e.error.message,...e.error.data===void 0?{}:{data:e.error.data}}})}n(St,"jsonRpcErrorResponse");function yo(e){return new kn([Un.parse({mode:"url",message:e.message,elicitationId:e.elicitationId,url:e.url})],e.message)}n(yo,"urlElicitationRequiredError");var 
Ct=d.record(d.string(),d.unknown()),Ls=d.record(d.string(),d.unknown()),Ns=d.object({name:d.string().min(1),description:d.string().min(1).optional(),annotations:Ls.optional(),_meta:Ct.optional()}).strict(),Gs=d.object({name:d.string().min(1),description:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),$s=d.object({uri:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),Zs=d.object({uriTemplate:d.string().min(1),name:d.string().min(1).optional(),description:d.string().min(1).optional(),mimeType:d.string().min(1).optional(),_meta:Ct.optional()}).strict(),Fs=d.array(d.union([d.string(),Ns])),Ks=d.array(d.union([d.string(),Gs])),Js=d.array(d.union([d.string(),$s])),Ws=d.array(d.union([d.string(),Zs])),Vs=d.object({tools:Fs.optional(),prompts:Ks.optional(),resources:Js.optional(),resourceTemplates:Ws.optional()}).strict(),tr=[{option:"tools",listMethod:"tools/list",resultProperty:"tools",itemProperty:"name",directMethods:[{method:"tools/call",paramProperty:"name"}]},{option:"prompts",listMethod:"prompts/list",resultProperty:"prompts",itemProperty:"name",directMethods:[{method:"prompts/get",paramProperty:"name"}]},{option:"resources",listMethod:"resources/list",resultProperty:"resources",itemProperty:"uri",directMethods:[{method:"resources/read",paramProperty:"uri"}]},{option:"resourceTemplates",listMethod:"resources/templates/list",resultProperty:"resourceTemplates",itemProperty:"uriTemplate",directMethods:[]}];function Ys(e,t){return yn(Vs,e,`MCP capability filter policy "${t}"`)}n(Ys,"parseMcpCapabilityFilterOptions");function E(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(E,"isRecord");function Xs(e,t){if(!E(e))return;let r=e[t];return typeof r=="string"?r:void 0}n(Xs,"readParamString");function rr(e){let t=e.id;return typeof t=="string"||typeof t=="number"||t===null?t:void 0}n(rr,"readRequestId");function bo(e){return e===void 
0?void 0:JSON.stringify(e)}n(bo,"requestIdKey");function Qs(e){let t={};for(let r of tr){let o=e[r.option];if(o===void 0)continue;let i=new Map;for(let a of o){let s=nc(a,r.itemProperty);s!==void 0&&i.set(s.key,s)}t[r.option]=i}return t}n(Qs,"buildProjectionMaps");function nr(e){return tr.find(t=>t.listMethod===e)}n(nr,"findListRule");function ec(e){return e.requests.some(t=>{if(!E(t))return!1;let r=nr(t.method);return r!==void 0&&e.projectionMaps[r.option]!==void 0})}n(ec,"shouldFilterListResponses");function tc(e){for(let t of tr){let r=e.projectionMaps[t.option];if(r!==void 0)for(let o of t.directMethods){if(e.request.method!==o.method)continue;let i=Xs(e.request.params,o.paramProperty);if(i!==void 0&&!r.has(i))return{id:rr(e.request)}}}}n(tc,"findDisallowedDirectAccess");function rc(e){return Response.json(St({id:e,error:{code:Be.MethodNotFound,message:"Method not found"}}))}n(rc,"methodNotFoundResponse");function nc(e,t){if(typeof e=="string")return{key:e,overlay:{}};if(!E(e))return;let r=e[t];if(typeof r=="string")return{key:r,overlay:e}}n(nc,"buildProjection");function _o(e){let t=e.base[e.property],r=e.overlay[e.property];return E(r)?E(t)?{...t,...r}:r:t}n(_o,"mergeRecordProperty");function oc(e,t){let r={...e,...t.overlay},o=_o({base:e,overlay:t.overlay,property:"annotations"});o!==void 0&&(r.annotations=o);let i=_o({base:e,overlay:t.overlay,property:"_meta"});return i!==void 0&&(r._meta=i),r}n(oc,"applyProjection");function wo(e,t,r){if(!E(e))return e;let o=e.result;if(!E(o))return e;let i=o[t.resultProperty];return!Array.isArray(i)||!i.every(a=>E(a)&&typeof a[t.itemProperty]=="string")?e:{...e,result:{...o,[t.resultProperty]:i.flatMap(a=>{if(!E(a))return[];let s=a[t.itemProperty];if(typeof s!="string")return[];let c=r.get(s);return c===void 0?[]:[oc(a,c)]})}}}n(wo,"filterAndProjectItems");function ic(e){let t=new Map;if(!Array.isArray(e))return t;for(let r of e){if(!E(r))continue;let o=nr(r.method),i=rr(r),a=bo(i);o!==void 0&&a!==void 
0&&t.set(a,o)}return t}n(ic,"buildListRulesByResponseId");function ac(e){if(Array.isArray(e.responseBody)){let o=ic(e.requestBody);return o.size===0?e.responseBody:e.responseBody.map(i=>{if(!E(i)||"error"in i)return i;let a=bo(rr(i)),s=a===void 0?void 0:o.get(a),c=s===void 0?void 0:e.projectionMaps[s.option];return s===void 0||c===void 0?i:wo(i,s,c)})}if(!E(e.requestBody)||!E(e.responseBody)||"error"in e.responseBody)return e.responseBody;let t=nr(e.requestBody.method),r=t===void 0?void 0:e.projectionMaps[t.option];return t===void 0||r===void 0?e.responseBody:wo(e.responseBody,t,r)}n(ac,"filterJsonRpcResponse");async function Ro(e){return e.clone().json()}n(Ro,"readJson");function sc(e){return e.headers.get("content-type")?.includes("json")??!1}n(sc,"isJsonResponse");var er=class extends ut{static{n(this,"McpCapabilityFilterInboundPolicy")}#e;constructor(t,r){let o=Ys(t,r);super(o,r),this.#e=Qs(o)}async handler(t,r){dt("policy.inbound.mcp-capability-filter");let o;try{o=await Ro(t)}catch{return t}let i=Array.isArray(o)?o:[o];for(let a of i){if(!E(a))continue;let s=tc({request:a,projectionMaps:this.#e});if(s!==void 0)return rc(s.id)}return ec({requests:i,projectionMaps:this.#e})&&r.addResponseSendingHook(async a=>{if(!sc(a))return a;let s;try{s=await Ro(a)}catch{return a}let c=ac({requestBody:o,responseBody:s,projectionMaps:this.#e});if(c===s)return a;let l=new Headers(a.headers);return l.delete("content-length"),new Response(JSON.stringify(c),{status:a.status,statusText:a.statusText,headers:l})}),t}};var or;or=globalThis.crypto;async function cc(e){return(await or).getRandomValues(new Uint8Array(e))}n(cc,"getRandomValues");async function dc(e){let t="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~",r=Math.pow(2,8)-Math.pow(2,8)%t.length,o="";for(;o.length<e;){let i=await cc(e-o.length);for(let a of i)a<r&&(o+=t[a%t.length])}return o}n(dc,"random");async function uc(e){return await dc(e)}n(uc,"generateVerifier");async function lc(e){let 
t=await(await or).subtle.digest("SHA-256",new TextEncoder().encode(e));return btoa(String.fromCharCode(...new Uint8Array(t))).replace(/\//g,"_").replace(/\+/g,"-").replace(/=/g,"")}n(lc,"generateChallenge");async function ir(e){if(e||(e=43),e<43||e>128)throw`Expected a length between 43 and 128. Received ${e}.`;let t=await uc(e),r=await lc(t);return{code_verifier:t,code_challenge:r}}n(ir,"pkceChallenge");H();var k=dn().superRefine((e,t)=>{if(!URL.canParse(e))return t.addIssue({code:pn.custom,message:"URL must be parseable",fatal:!0}),cn}).refine(e=>{let t=new URL(e);return t.protocol!=="javascript:"&&t.protocol!=="data:"&&t.protocol!=="vbscript:"},{message:"URL cannot use javascript:, data:, or vbscript: scheme"}),vt=lt({resource:u().url(),authorization_servers:g(k).optional(),jwks_uri:u().url().optional(),scopes_supported:g(u()).optional(),bearer_methods_supported:g(u()).optional(),resource_signing_alg_values_supported:g(u()).optional(),resource_name:u().optional(),resource_documentation:u().optional(),resource_policy_uri:u().url().optional(),resource_tos_uri:u().url().optional(),tls_client_certificate_bound_access_tokens:K().optional(),authorization_details_types_supported:g(u()).optional(),dpop_signing_alg_values_supported:g(u()).optional(),dpop_bound_access_tokens_required:K().optional()}),Le=lt({issuer:u(),authorization_endpoint:k,token_endpoint:k,registration_endpoint:k.optional(),scopes_supported:g(u()).optional(),response_types_supported:g(u()),response_modes_supported:g(u()).optional(),grant_types_supported:g(u()).optional(),token_endpoint_auth_methods_supported:g(u()).optional(),token_endpoint_auth_signing_alg_values_supported:g(u()).optional(),service_documentation:k.optional(),revocation_endpoint:k.optional(),revocation_endpoint_auth_methods_supported:g(u()).optional(),revocation_endpoint_auth_signing_alg_values_supported:g(u()).optional(),introspection_endpoint:u().optional(),introspection_endpoint_auth_methods_supported:g(u()).optional(),introspection_
endpoint_auth_signing_alg_values_supported:g(u()).optional(),code_challenge_methods_supported:g(u()).optional(),client_id_metadata_document_supported:K().optional()}),pc=lt({issuer:u(),authorization_endpoint:k,token_endpoint:k,userinfo_endpoint:k.optional(),jwks_uri:k,registration_endpoint:k.optional(),scopes_supported:g(u()).optional(),response_types_supported:g(u()),response_modes_supported:g(u()).optional(),grant_types_supported:g(u()).optional(),acr_values_supported:g(u()).optional(),subject_types_supported:g(u()),id_token_signing_alg_values_supported:g(u()),id_token_encryption_alg_values_supported:g(u()).optional(),id_token_encryption_enc_values_supported:g(u()).optional(),userinfo_signing_alg_values_supported:g(u()).optional(),userinfo_encryption_alg_values_supported:g(u()).optional(),userinfo_encryption_enc_values_supported:g(u()).optional(),request_object_signing_alg_values_supported:g(u()).optional(),request_object_encryption_alg_values_supported:g(u()).optional(),request_object_encryption_enc_values_supported:g(u()).optional(),token_endpoint_auth_methods_supported:g(u()).optional(),token_endpoint_auth_signing_alg_values_supported:g(u()).optional(),display_values_supported:g(u()).optional(),claim_types_supported:g(u()).optional(),claims_supported:g(u()).optional(),service_documentation:u().optional(),claims_locales_supported:g(u()).optional(),ui_locales_supported:g(u()).optional(),claims_parameter_supported:K().optional(),request_parameter_supported:K().optional(),request_uri_parameter_supported:K().optional(),require_request_uri_registration:K().optional(),op_policy_uri:k.optional(),op_tos_uri:k.optional(),client_id_metadata_document_supported:K().optional()}),It=re({...pc.shape,...Le.pick({code_challenge_methods_supported:!0}).shape}),Ae=re({access_token:u(),id_token:u().optional(),token_type:u(),expires_in:mn.number().optional(),scope:u().optional(),refresh_token:u().optional()}).strip(),Co=re({error:u(),error_description:u().optional(),error_uri:u().opt
ional()}),So=k.optional().or(ln("").transform(()=>{})),mc=re({redirect_uris:g(k),token_endpoint_auth_method:u().optional(),grant_types:g(u()).optional(),response_types:g(u()).optional(),client_name:u().optional(),client_uri:k.optional(),logo_uri:So,scope:u().optional(),contacts:g(u()).optional(),tos_uri:So,policy_uri:u().optional(),jwks_uri:k.optional(),jwks:un().optional(),software_id:u().optional(),software_version:u().optional(),software_statement:u().optional()}).strip(),At=re({client_id:u(),client_secret:u().optional(),client_id_issued_at:$t().optional(),client_secret_expires_at:$t().optional()}).strip(),Ne=mc.merge(At),Vm=re({error:u(),error_description:u().optional()}).strip(),Ym=re({token:u(),token_type_hint:u().optional()}).strip();function vo(e){let t=typeof e=="string"?new URL(e):new URL(e.href);return t.hash="",t}n(vo,"resourceUrlFromServerUrl");function Io({requestedResource:e,configuredResource:t}){let r=typeof e=="string"?new URL(e):new URL(e.href),o=typeof t=="string"?new URL(t):new URL(t.href);if(r.origin!==o.origin||r.pathname.length<o.pathname.length)return!1;let i=r.pathname.endsWith("/")?r.pathname:r.pathname+"/",a=o.pathname.endsWith("/")?o.pathname:o.pathname+"/";return i.startsWith(a)}n(Io,"checkResourceAllowed");var A=class extends Error{static{n(this,"OAuthError")}constructor(t,r){super(t),this.errorUri=r,this.name=this.constructor.name}toResponseObject(){let t={error:this.errorCode,error_description:this.message};return this.errorUri&&(t.error_uri=this.errorUri),t}get errorCode(){return this.constructor.errorCode}},Ge=class extends A{static{n(this,"InvalidRequestError")}};Ge.errorCode="invalid_request";var pe=class extends A{static{n(this,"InvalidClientError")}};pe.errorCode="invalid_client";var me=class extends A{static{n(this,"InvalidGrantError")}};me.errorCode="invalid_grant";var fe=class extends A{static{n(this,"UnauthorizedClientError")}};fe.errorCode="unauthorized_client";var $e=class extends 
A{static{n(this,"UnsupportedGrantTypeError")}};$e.errorCode="unsupported_grant_type";var Ze=class extends A{static{n(this,"InvalidScopeError")}};Ze.errorCode="invalid_scope";var Fe=class extends A{static{n(this,"AccessDeniedError")}};Fe.errorCode="access_denied";var X=class extends A{static{n(this,"ServerError")}};X.errorCode="server_error";var Ke=class extends A{static{n(this,"TemporarilyUnavailableError")}};Ke.errorCode="temporarily_unavailable";var Je=class extends A{static{n(this,"UnsupportedResponseTypeError")}};Je.errorCode="unsupported_response_type";var We=class extends A{static{n(this,"UnsupportedTokenTypeError")}};We.errorCode="unsupported_token_type";var Ve=class extends A{static{n(this,"InvalidTokenError")}};Ve.errorCode="invalid_token";var Ye=class extends A{static{n(this,"MethodNotAllowedError")}};Ye.errorCode="method_not_allowed";var Xe=class extends A{static{n(this,"TooManyRequestsError")}};Xe.errorCode="too_many_requests";var he=class extends A{static{n(this,"InvalidClientMetadataError")}};he.errorCode="invalid_client_metadata";var Qe=class extends A{static{n(this,"InsufficientScopeError")}};Qe.errorCode="insufficient_scope";var et=class extends A{static{n(this,"InvalidTargetError")}};et.errorCode="invalid_target";var Ao={[Ge.errorCode]:Ge,[pe.errorCode]:pe,[me.errorCode]:me,[fe.errorCode]:fe,[$e.errorCode]:$e,[Ze.errorCode]:Ze,[Fe.errorCode]:Fe,[X.errorCode]:X,[Ke.errorCode]:Ke,[Je.errorCode]:Je,[We.errorCode]:We,[Ve.errorCode]:Ve,[Ye.errorCode]:Ye,[Xe.errorCode]:Xe,[he.errorCode]:he,[Qe.errorCode]:Qe,[et.errorCode]:et};function fc(e){return["client_secret_basic","client_secret_post","none"].includes(e)}n(fc,"isClientAuthMethod");var ar="code",sr="S256";function hc(e,t){let r=e.client_secret!==void 0;return"token_endpoint_auth_method"in 
e&&e.token_endpoint_auth_method&&fc(e.token_endpoint_auth_method)&&(t.length===0||t.includes(e.token_endpoint_auth_method))?e.token_endpoint_auth_method:t.length===0?r?"client_secret_basic":"none":r&&t.includes("client_secret_basic")?"client_secret_basic":r&&t.includes("client_secret_post")?"client_secret_post":t.includes("none")?"none":r?"client_secret_post":"none"}n(hc,"selectClientAuthMethod");function gc(e,t,r,o){let{client_id:i,client_secret:a}=t;switch(e){case"client_secret_basic":yc(i,a,r);return;case"client_secret_post":_c(i,a,o);return;case"none":wc(i,o);return;default:throw new Error(`Unsupported client authentication method: ${e}`)}}n(gc,"applyClientAuthentication");function yc(e,t,r){if(!t)throw new Error("client_secret_basic authentication requires a client_secret");let o=btoa(`${e}:${t}`);r.set("Authorization",`Basic ${o}`)}n(yc,"applyBasicAuth");function _c(e,t,r){r.set("client_id",e),t&&r.set("client_secret",t)}n(_c,"applyPostAuth");function wc(e,t){t.set("client_id",e)}n(wc,"applyPublicAuth");async function Uo(e){let t=e instanceof Response?e.status:void 0,r=e instanceof Response?await e.text():e;try{let o=Co.parse(JSON.parse(r)),{error:i,error_description:a,error_uri:s}=o,c=Ao[i]||X;return new c(a||"",s)}catch(o){let i=`${t?`HTTP ${t}: `:""}Invalid OAuth error response: ${o}. 
Raw body: ${r}`;return new X(i)}}n(Uo,"parseErrorResponse");async function ur(e,t){try{return await cr(e,t)}catch(r){if(r instanceof pe||r instanceof fe)return await e.invalidateCredentials?.("all"),await cr(e,t);if(r instanceof me)return await e.invalidateCredentials?.("tokens"),await cr(e,t);throw r}}n(ur,"auth");async function cr(e,{serverUrl:t,authorizationCode:r,scope:o,resourceMetadataUrl:i,fetchFn:a}){let s=await e.discoveryState?.(),c,l,m,f=i;if(!f&&s?.resourceMetadataUrl&&(f=new URL(s.resourceMetadataUrl)),s?.authorizationServerUrl){if(l=s.authorizationServerUrl,c=s.resourceMetadata,m=s.authorizationServerMetadata??await To(l,{fetchFn:a}),!c)try{c=await Po(t,{resourceMetadataUrl:f},a)}catch{}(m!==s.authorizationServerMetadata||c!==s.resourceMetadata)&&await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}else{let q=await Ic(t,{resourceMetadataUrl:f,fetchFn:a});l=q.authorizationServerUrl,m=q.authorizationServerMetadata,c=q.resourceMetadata,await e.saveDiscoveryState?.({authorizationServerUrl:String(l),resourceMetadataUrl:f?.toString(),resourceMetadata:c,authorizationServerMetadata:m})}let x=await Rc(t,e,c),v=o||c?.scopes_supported?.join(" ")||e.clientMetadata.scope,L=await Promise.resolve(e.clientInformation());if(!L){if(r!==void 0)throw new Error("Existing OAuth client information is required when exchanging an authorization code");let q=m?.client_id_metadata_document_supported===!0,He=e.clientMetadataUrl;if(He&&!lr(He))throw new he(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${He}`);if(q&&He)L={client_id:He},await e.saveClientInformation?.(L);else{if(!e.saveClientInformation)throw new Error("OAuth client information must be saveable for dynamic registration");let rn=await Pc(l,{metadata:m,clientMetadata:e.clientMetadata,scope:v,fetchFn:a});await e.saveClientInformation(rn),L=rn}}let Re=!e.redirectUrl;if(r!==void 0||Re){let q=await 
kc(e,l,{metadata:m,resource:x,authorizationCode:r,fetchFn:a});return await e.saveTokens(q),"AUTHORIZED"}let tn=await e.tokens();if(tn?.refresh_token)try{let q=await Uc(l,{metadata:m,clientInformation:L,refreshToken:tn.refresh_token,resource:x,addClientAuthentication:e.addClientAuthentication,fetchFn:a});return await e.saveTokens(q),"AUTHORIZED"}catch(q){if(!(!(q instanceof A)||q instanceof X))throw q}let Is=e.state?await e.state():void 0,{authorizationUrl:As,codeVerifier:xs}=await Ac(l,{metadata:m,clientInformation:L,state:Is,redirectUrl:e.redirectUrl,scope:v,resource:x});return await e.saveCodeVerifier(xs),await e.redirectToAuthorization(As),"REDIRECT"}n(cr,"authInternal");function lr(e){if(!e)return!1;try{let t=new URL(e);return t.protocol==="https:"&&t.pathname!=="/"}catch{return!1}}n(lr,"isHttpsUrl");async function Rc(e,t,r){let o=vo(e);if(t.validateResourceURL)return await t.validateResourceURL(o,r?.resource);if(r){if(!Io({requestedResource:o,configuredResource:r.resource}))throw new Error(`Protected resource ${r.resource} does not match expected ${o} (or origin)`);return new URL(r.resource)}}n(Rc,"selectResourceURL");function ko(e){let t=e.headers.get("WWW-Authenticate");if(!t)return{};let[r,o]=t.split(" ");if(r.toLowerCase()!=="bearer"||!o)return{};let i=dr(e,"resource_metadata")||void 0,a;if(i)try{a=new URL(i)}catch{}let s=dr(e,"scope")||void 0,c=dr(e,"error")||void 0;return{resourceMetadataUrl:a,scope:s,error:c}}n(ko,"extractWWWAuthenticateParams");function dr(e,t){let r=e.headers.get("WWW-Authenticate");if(!r)return null;let o=new RegExp(`${t}=(?:"([^"]+)"|([^\\s,]+))`),i=r.match(o);return i?i[1]||i[2]:null}n(dr,"extractFieldFromWwwAuth");async function Po(e,t,r=fetch){let o=await Cc(e,"oauth-protected-resource",r,{protocolVersion:t?.protocolVersion,metadataUrl:t?.resourceMetadataUrl});if(!o||o.status===404)throw await o?.body?.cancel(),new Error("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");if(!o.ok)throw await 
o.body?.cancel(),new Error(`HTTP ${o.status} trying to load well-known OAuth protected resource metadata.`);return vt.parse(await o.json())}n(Po,"discoverOAuthProtectedResourceMetadata");async function pr(e,t,r=fetch){try{return await r(e,{headers:t})}catch(o){if(o instanceof TypeError)return t?pr(e,void 0,r):void 0;throw o}}n(pr,"fetchWithCorsRetry");function bc(e,t="",r={}){return t.endsWith("/")&&(t=t.slice(0,-1)),r.prependPathname?`${t}/.well-known/${e}`:`/.well-known/${e}${t}`}n(bc,"buildWellKnownPath");async function xo(e,t,r=fetch){return await pr(e,{"MCP-Protocol-Version":t},r)}n(xo,"tryMetadataDiscovery");function Sc(e,t){return!e||e.status>=400&&e.status<500&&t!=="/"}n(Sc,"shouldAttemptFallback");async function Cc(e,t,r,o){let i=new URL(e),a=o?.protocolVersion??Zt,s;if(o?.metadataUrl)s=new URL(o.metadataUrl);else{let l=bc(t,i.pathname);s=new URL(l,o?.metadataServerUrl??i),s.search=i.search}let c=await xo(s,a,r);if(!o?.metadataUrl&&Sc(c,i.pathname)){let l=new URL(`/.well-known/${t}`,i);c=await xo(l,a,r)}return c}n(Cc,"discoverMetadataWithFallback");function vc(e){let t=typeof e=="string"?new URL(e):e,r=t.pathname!=="/",o=[];if(!r)return o.push({url:new URL("/.well-known/oauth-authorization-server",t.origin),type:"oauth"}),o.push({url:new URL("/.well-known/openid-configuration",t.origin),type:"oidc"}),o;let i=t.pathname;return i.endsWith("/")&&(i=i.slice(0,-1)),o.push({url:new URL(`/.well-known/oauth-authorization-server${i}`,t.origin),type:"oauth"}),o.push({url:new URL(`/.well-known/openid-configuration${i}`,t.origin),type:"oidc"}),o.push({url:new URL(`${i}/.well-known/openid-configuration`,t.origin),type:"oidc"}),o}n(vc,"buildDiscoveryUrls");async function To(e,{fetchFn:t=fetch,protocolVersion:r=Zt}={}){let o={"MCP-Protocol-Version":r,Accept:"application/json"},i=vc(e);for(let{url:a,type:s}of i){let c=await pr(a,o,t);if(c){if(!c.ok){if(await c.body?.cancel(),c.status>=400&&c.status<500)continue;throw new Error(`HTTP ${c.status} trying to load 
${s==="oauth"?"OAuth":"OpenID provider"} metadata from ${a}`)}return s==="oauth"?Le.parse(await c.json()):It.parse(await c.json())}}}n(To,"discoverAuthorizationServerMetadata");async function Ic(e,t){let r,o;try{r=await Po(e,{resourceMetadataUrl:t?.resourceMetadataUrl},t?.fetchFn),r.authorization_servers&&r.authorization_servers.length>0&&(o=r.authorization_servers[0])}catch{}o||(o=String(new URL("/",e)));let i=await To(o,{fetchFn:t?.fetchFn});return{authorizationServerUrl:o,authorizationServerMetadata:i,resourceMetadata:r}}n(Ic,"discoverOAuthServerInfo");async function Ac(e,{metadata:t,clientInformation:r,redirectUrl:o,scope:i,state:a,resource:s}){let c;if(t){if(c=new URL(t.authorization_endpoint),!t.response_types_supported.includes(ar))throw new Error(`Incompatible auth server: does not support response type ${ar}`);if(t.code_challenge_methods_supported&&!t.code_challenge_methods_supported.includes(sr))throw new Error(`Incompatible auth server: does not support code challenge method ${sr}`)}else c=new URL("/authorize",e);let l=await ir(),m=l.code_verifier,f=l.code_challenge;return c.searchParams.set("response_type",ar),c.searchParams.set("client_id",r.client_id),c.searchParams.set("code_challenge",f),c.searchParams.set("code_challenge_method",sr),c.searchParams.set("redirect_uri",String(o)),a&&c.searchParams.set("state",a),i&&c.searchParams.set("scope",i),i?.includes("offline_access")&&c.searchParams.append("prompt","consent"),s&&c.searchParams.set("resource",s.href),{authorizationUrl:c,codeVerifier:m}}n(Ac,"startAuthorization");function xc(e,t,r){return new URLSearchParams({grant_type:"authorization_code",code:e,code_verifier:t,redirect_uri:String(r)})}n(xc,"prepareAuthorizationCodeRequest");async function Eo(e,{metadata:t,tokenRequestParams:r,clientInformation:o,addClientAuthentication:i,resource:a,fetchFn:s}){let c=t?.token_endpoint?new URL(t.token_endpoint):new URL("/token",e),l=new 
Headers({"Content-Type":"application/x-www-form-urlencoded",Accept:"application/json"});if(a&&r.set("resource",a.href),i)await i(l,r,c,t);else if(o){let f=t?.token_endpoint_auth_methods_supported??[],x=hc(o,f);gc(x,o,l,r)}let m=await(s??fetch)(c,{method:"POST",headers:l,body:r});if(!m.ok)throw await Uo(m);return Ae.parse(await m.json())}n(Eo,"executeTokenRequest");async function Uc(e,{metadata:t,clientInformation:r,refreshToken:o,resource:i,addClientAuthentication:a,fetchFn:s}){let c=new URLSearchParams({grant_type:"refresh_token",refresh_token:o}),l=await Eo(e,{metadata:t,tokenRequestParams:c,clientInformation:r,addClientAuthentication:a,resource:i,fetchFn:s});return{refresh_token:o,...l}}n(Uc,"refreshAuthorization");async function kc(e,t,{metadata:r,resource:o,authorizationCode:i,fetchFn:a}={}){let s=e.clientMetadata.scope,c;if(e.prepareTokenRequest&&(c=await e.prepareTokenRequest(s)),!c){if(!i)throw new Error("Either provider.prepareTokenRequest() or authorizationCode is required");if(!e.redirectUrl)throw new Error("redirectUrl is required for authorization_code flow");let m=await e.codeVerifier();c=xc(i,m,e.redirectUrl)}let l=await e.clientInformation();return Eo(t,{metadata:r,tokenRequestParams:c,clientInformation:l??void 0,addClientAuthentication:e.addClientAuthentication,resource:o,fetchFn:a})}n(kc,"fetchToken");async function Pc(e,{metadata:t,clientMetadata:r,scope:o,fetchFn:i}){let a;if(t){if(!t.registration_endpoint)throw new Error("Incompatible auth server: does not support dynamic client registration");a=new URL(t.registration_endpoint)}else a=new URL("/register",e);let s=await(i??fetch)(a,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({...r,...o!==void 0?{scope:o}:{}})});if(!s.ok)throw await Uo(s);return Ne.parse(await s.json())}n(Pc,"registerClient");var mr="zuplo.com",Tc=new 
Set(["co.jp","co.kr","co.nz","co.uk","com.au","com.br","com.cn","com.mx","com.sg","co.in"]),Ec=[".example.test",".example.com",".example.org",".invalid",".localhost",".test"];function Oo(e){return`https://www.google.com/s2/favicons?domain=${e}&sz=128`}n(Oo,"s2FaviconHref");function Oc(e){return`https://t0.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&drop_404_icon=true&fallback_opts=TYPE,SIZE,URL&url=http://${e}&size=128`}n(Oc,"strictFaviconHref");var xt=Oo(mr);function fr(e){let t=e.toLowerCase();return t===mr||t==="zuplo.app"||t==="zuplo.dev"||t.endsWith(".zuplo.app")||t.endsWith(".zuplo.dev")?Oo(mr):Oc(e)}n(fr,"resolveIconHref");function qc(e){try{return new URL(`http://${e}`).hostname}catch{return e}}n(qc,"hostnameFromHost");function Mc(e){return e==="localhost"||e.includes(":")||/^\d{1,3}(?:\.\d{1,3}){3}$/.test(e)}n(Mc,"isLocalOrAddressHost");function Dc(e){let t=qc(e).toLowerCase().replace(/\.$/,"");if(Mc(t)||Ec.some(a=>t===a.slice(1)||t.endsWith(a)))return t;let r=t.split(".").filter(Boolean);if(r.length<=2)return t;let o=r.slice(-2).join("."),i=Tc.has(o)?3:2;return r.slice(-i).join(".")}n(Dc,"inferFaviconDomain");function hr(e){return{src:fr(Dc(e)),mimeType:"image/png",sizes:["128x128"]}}n(hr,"resolveMcpFaviconIcon");function Ut(e){try{return hr(new URL(e).host)}catch{return}}n(Ut,"resolveMcpFaviconIconFromUrl");function ne(e){let t=N().connectionsById.get(e);if(!t)throw new P(`Unknown upstream server "${e}". 
Check the route's MCP upstream policy and ensure policies.json declares a matching upstream connection.`);return{displayName:t.displayName,...t.description===void 0?{}:{description:t.description},...t.serverInfo===void 0?{}:{serverInfo:t.serverInfo},transport:{baseUrl:t.mcpUrl,resourceMetadataUrl:t.protectedResourceMetadataUrl}}}n(ne,"getUpstreamServerConfig");function zc(e){let t=N().connectionsById.get(e.upstreamServerId);if(!t||t.authProfileId!==e.authProfileId)throw new P(`Unknown auth profile "${String(e.authProfileId)}" for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares a matching auth mode for that upstream connection.`);return t.authProfileId}n(zc,"resolveUpstreamAuthProfileId");function gr(e){zc(e);let t=N().connectionsById.get(e.upstreamServerId);if(!t)throw new P(`Auth profile could not be resolved for upstream server "${e.upstreamServerId}". Check the route's MCP upstream policy and ensure policies.json declares the upstream connection before this handler runs.`);return t.authConfig}n(gr,"getUpstreamAuthConfig");function ge(e,t){let r=gr({upstreamServerId:e,authProfileId:t});if(!Tn(r))throw new P(`Upstream server "${e}" does not use upstream OAuth. 
Select an auth mode that supports the requested upstream connect flow or remove the upstream OAuth route for this server.`);return r.oauth}n(ge,"requireUpstreamOAuthConfig");var Hc={"shared-oauth":{authMode:"shared-oauth",ownerMode:"shared",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"},"user-oauth":{authMode:"user-oauth",ownerMode:"user",connectSupport:"oauth_authorization",connectUnsupportedDetail:void 0,callbackSupport:"authorization_code",credentialAcquisition:"oauth_connection"}};function G(e){return Hc[e]}n(G,"describeUpstreamAuthMode");function kt(e){return G(e).ownerMode}n(kt,"resolveOwnerModeForUpstreamAuthMode");H();import{errors as Lo,jwtVerify as No,SignJWT as Go}from"jose";var O="zuplo-mcp-gateway",D=O,z="HS256";import{base64url as Bc}from"jose";var jc=new TextEncoder,Lc="MCP gateway could not initialize secure key material.",Nc=32,qo=new Map,Mo=new Map,Gc;function $c(){return Gc??nn.instance.authPrivateKey}n($c,"readAuthPrivateKey");function Do(e){return new M(Lc,e===void 0?void 0:{cause:e})}n(Do,"createGeneratedKeyMaterialError");function zo(e,t){let r=Bc.decode(t);if(r.byteLength!==Nc)throw new Error(`Generated deployment auth key ${e} is invalid.`);return r}n(zo,"decodeJwkKeyField");function Zc(e){let t=$c();if(!t)throw Do();try{let r=JSON.parse(t);if(r.kty!=="OKP"||r.crv!=="Ed25519"||typeof r.d!="string"||typeof r.x!="string")throw new Error("Generated deployment auth key is not an Ed25519 JWK.");let o=zo("d",r.d);zo("x",r.x);let i=jc.encode(`zuplo-mcp-gateway:${e}:Ed25519:`),a=new Uint8Array(i.byteLength+o.byteLength);return a.set(i),a.set(o,i.byteLength),a}catch(r){throw Do(r)}}n(Zc,"decodeGeneratedKeyMaterial");function Fc(e){let t=qo.get(e);return t||(t=Zc(e),qo.set(e,t)),t}n(Fc,"getMasterKeyMaterial");async function $(e){let t=Mo.get(e.purpose);if(t!==void 0)return t;let r=await e.derive(Fc(e.keyMaterialPurpose));return 
Mo.set(e.purpose,r),r}n($,"readCachedDerivedKey");var Kc="SHA-256";var Jc="zuplo-mcp-gateway:",Wc=new TextEncoder,Ho=new WeakMap;async function oe(e,t){let r=Ho.get(e);r||(r=new Map,Ho.set(e,r));let o=r.get(t);if(o)return o;let i=await Vc(e,t);return r.set(t,i),i}n(oe,"deriveGatewaySigningKey");async function Vc(e,t){let r=Bo(e),o=await crypto.subtle.importKey("raw",r,{name:"HKDF"},!1,["deriveBits"]),i=Wc.encode(`${Jc}${t}`),a=await crypto.subtle.deriveBits({name:"HKDF",hash:Kc,salt:new Uint8Array,info:Bo(i)},o,32*8);return new Uint8Array(a)}n(Vc,"hkdfExpand");function Bo(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(Bo,"copyToArrayBuffer");var $o=15*60,Yc=15*60,Xc=to.extend({id:ro}),Qc=Xc.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Zo=Qt.extend({id:no,purpose:d.literal("browser_connect")}),ed=Qt.extend({purpose:d.literal("browser_connect")}),td=Zo.extend({exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Fo=$o*1e3;async function Ko(){return $({purpose:"oauth-state",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"oauth-state"),"derive")})}n(Ko,"getOAuthStateKey");async function Jo(){return $({purpose:"browser-connect",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-connect"),"derive")})}n(Jo,"getBrowserConnectKey");async function Wo(e){let t=Math.floor(Date.now()/1e3)+$o;return new Go(e).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(t).sign(await Ko())}n(Wo,"signOAuthState");async function Pt(e){try{let{payload:t}=await No(e,await Ko(),{algorithms:[z],issuer:O,audience:D});return Qc.parse(t)}catch(t){throw t instanceof Lo.JWTExpired?new h({message:"OAuth state has expired",extensionMembers:{[y]:"oauth_state_expired"}},{cause:t}):new h({message:"OAuth state could not be verified",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:t})}}n(Pt,"verifyOAuthState");async function Vo(e){let 
t=Math.floor(Date.now()/1e3)+Yc,r=ed.parse(e),o=Zo.parse({...r,id:so()});return new Go(o).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(t).sign(await Jo())}n(Vo,"signBrowserConnectTicket");async function Yo(e){try{let{payload:t}=await No(e,await Jo(),{algorithms:[z],issuer:O,audience:D});return td.parse(t)}catch(t){throw t instanceof Lo.JWTExpired?new h({message:"Browser connect ticket has expired",extensionMembers:{[y]:"oauth_state_expired"}},{cause:t}):new h({message:"Browser connect ticket could not be verified",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:t})}}n(Yo,"verifyBrowserConnectTicket");async function Xo(e){if((await b().consumeBrowserConnectTicket({id:e.id,expiresAt:R(new Date(e.exp*1e3)),now:R(new Date)})).kind==="consumed")throw new h({message:"Browser connect ticket has already been used",extensionMembers:{[y]:"oauth_state_reused"}})}n(Xo,"consumeBrowserConnectTicket");function rd(e,t,r=!1){return r?`${e} authorization must be renewed before this ${t} can be used.`:`${e} authorization is required before this ${t} can be used.`}n(rd,"buildConnectRequiredMessage");async function nd(e){let t=U(e.requestUrl,e.requestHeaders),r=new URL(e.path,t);return e.redirect&&r.searchParams.set("redirect","true"),r.searchParams.set("operationId",e.operationId),r.searchParams.set("browserTicket",await Vo({...je(e),purpose:"browser_connect"})),r.toString()}n(nd,"buildGatewayBrowserTicketUrl");function od(e){return`/auth/connections/${encodeURIComponent(e)}/connect`}n(od,"buildGatewayConnectPath");async function yr(e){return nd({...e,path:od(e.upstreamServerId),redirect:!0})}n(yr,"buildGatewayConnectUrl");async function Tt(e){let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 
0?{}:{returnTo:e.returnTo}};return{state:e.requiresReconsent?"reconsent_required":"authenticating",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},authUrl:await yr(t),message:rd(e.upstreamDisplayName,e.subject,e.requiresReconsent),nextAction:"redirect"}}n(Tt,"buildRedirectConnectRequiredResponse");function Qo(e){return id({...e,message:e.requiresReconsent?`An administrator must reconnect ${e.upstreamDisplayName} before this tool can be used.`:`An administrator must connect ${e.upstreamDisplayName} before this tool can be used.`})}n(Qo,"buildAdminConnectRequiredResponse");function id(e){return{state:"admin_connect_required",upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.connectionId?{connectionId:e.connectionId}:{},message:e.message,nextAction:"admin_setup_required"}}n(id,"buildAdminSetupRequiredResponse");H();var ei=new Set(["client_id","code_challenge","code_challenge_method","display","login_hint","nonce","prompt","redirect_uri","response_mode","response_type","state"]);function ad(e,t){return e&&e.length>0?e.join(t):void 0}n(ad,"joinOAuthScopes");function sd(e){if(e?.authorization_endpoint===void 0)return e;let t=new URL(e.authorization_endpoint);for(let r of ei)t.searchParams.delete(r);return{...e,authorization_endpoint:t.toString()}}n(sd,"sanitizeAuthorizationServerMetadata");function _r(e){let t=sd(e.authorizationServerMetadata);return t===e.authorizationServerMetadata?e:{...e,authorizationServerMetadata:t}}n(_r,"sanitizeOAuthDiscoveryState");function ti(e){let t=new URL(e);for(let r of ei){let o=t.searchParams.getAll(r);o.length<=1||(t.searchParams.delete(r),t.searchParams.set(r,o.at(-1)??""))}return t}n(ti,"normalizeDuplicateSingletonAuthorizationRequestParams");function ri(e){return ad(e.state?.resourceMetadata?.scopes_supported,e.delimiter)}n(ri,"readProtectedResourceMetadataScope");function wr(e){return`Zuplo 
MCP Gateway - ${e}`}n(wr,"buildGatewayOAuthClientName");function ni(e,t,r){let o=new URL(e,U(t,r));return ue(o)&&hn(o.hostname)!=="localhost"&&(o.hostname="localhost"),o.toString()}n(ni,"buildGatewayOAuthRedirectUri");function Rr(e){return new URL(`/.well-known/oauth-client/${encodeURIComponent(e.upstreamServerId)}/${encodeURIComponent(e.authProfileId)}`,e.origin).toString()}n(Rr,"buildOAuthClientMetadataDocumentUrl");function oi(e,t){return U(e,t)}n(oi,"requireOAuthClientMetadataOrigin");function ii(e,t,r){let o=ne(t),i=ge(t,r),a={client_id:Rr({origin:e,upstreamServerId:t,authProfileId:r}),client_name:wr(o.displayName),client_uri:new URL("/",e).toString(),redirect_uris:[new URL(i.redirectPath,e).toString()],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",token_endpoint_auth_method:"none"};return i.scopes.length>0&&(a.scope=i.scopes.join(i.scopeDelimiter)),a}n(ii,"buildOAuthClientMetadataDocument");H();import{base64url as ie}from"jose";var cd="SHA-256",Ue="AES-GCM",dd=12,Sr="zuplo-secret",Cr=1,ai="generated:auth_private_key:token-encryption",ud=d.object({version:d.literal(Cr),keyId:d.literal(ai),algorithm:d.literal(Ue),iv:d.string().min(1),ciphertext:d.string().min(1)}).strict();function xe(e){let t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}n(xe,"copyToArrayBuffer");async function br(){return $({purpose:"token-encryption",keyMaterialPurpose:"token-encryption",derive:n(async e=>{let t=await crypto.subtle.digest(cd,xe(e));return crypto.subtle.importKey("raw",t,{name:Ue},!1,["encrypt","decrypt"])},"derive")})}n(br,"getEncryptionKey");function si(e){return xe(new TextEncoder().encode(`${Sr}:v${e.version}:${e.keyId}`))}n(si,"getAssociatedData");function ld(e){return`${Sr}:v${e.version}:${ie.encode(new TextEncoder().encode(JSON.stringify(e)))}`}n(ld,"encodeEnvelope");function pd(e){let t=`${Sr}:v${Cr}:`;if(!e.startsWith(t))return;let r=e.slice(t.length),o=new TextDecoder().decode(ie.decode(r));return 
ud.parse(JSON.parse(o))}n(pd,"decodeEnvelope");async function Et(e){let t=await br(),r=crypto.getRandomValues(new Uint8Array(dd)),o={version:Cr,keyId:ai},i=await crypto.subtle.encrypt({name:Ue,iv:r,additionalData:si(o)},t,new TextEncoder().encode(e));return ld({...o,algorithm:Ue,iv:ie.encode(r),ciphertext:ie.encode(new Uint8Array(i))})}n(Et,"encryptSecret");async function tt(e){let t=pd(e);if(t){let s=await br(),c=await crypto.subtle.decrypt({name:Ue,iv:xe(ie.decode(t.iv)),additionalData:si(t)},s,xe(ie.decode(t.ciphertext)));return new TextDecoder().decode(c)}let[r,o]=e.split(".");if(!r||!o)throw new M("Encrypted payload is malformed");let i=await br(),a=await crypto.subtle.decrypt({name:Ue,iv:xe(ie.decode(r))},i,xe(ie.decode(o)));return new TextDecoder().decode(a)}n(tt,"decryptSecret");var md=d.union([Ne,At]),ci=d.object({authorizationServerUrl:d.url(),resourceMetadataUrl:d.url().optional(),resourceMetadata:vt.optional(),authorizationServerMetadata:d.union([Le,It]).optional()}).passthrough(),fd="Bearer",hd="__zuplo_refresh_only_upstream_access_token__";function gd(e){return e?e.split(/[,\s]+/).filter(Boolean):[]}n(gd,"splitScopes");function yd(e){return gt.parse(e)}n(yd,"parsePkceCodeVerifier");function _d(e){if(typeof e.expires_in=="number")return R(new Date(Date.now()+e.expires_in*1e3))}n(_d,"readTokenExpiry");async function di(e){if(e!==void 0)return Et(JSON.stringify(e))}n(di,"encryptJson");async function ui(e,t){if(!e)return;let r=await tt(e);try{return t.parse(JSON.parse(r))}catch(o){throw new h({message:"Stored upstream OAuth JSON state is invalid.",extensionMembers:{[y]:"oauth_state_invalid"}},{cause:o})}}n(ui,"decryptJson");function wd(e){if(e===void 0)return;e=_r(e);let t={authorizationServerUrl:e.authorizationServerUrl};return e.resourceMetadataUrl!==void 0&&(t.resourceMetadataUrl=e.resourceMetadataUrl),e.resourceMetadata!==void 0&&(t.resourceMetadata=e.resourceMetadata),e.authorizationServerMetadata!==void 
0&&(t.authorizationServerMetadata=e.authorizationServerMetadata),t}n(wd,"toOAuthDiscoveryState");function Rd(e,t){return"redirect_uris"in e?e.redirect_uris.includes(t):!0}n(Rd,"clientInformationAllowsRedirectUri");function bd(e){return e.clientMetadataUrl===void 0?"redirect_uris"in e.clientInformation:"redirect_uris"in e.clientInformation||e.clientInformation.client_id===e.clientMetadataUrl}n(bd,"clientInformationMatchesCurrentClientMetadataUrl");function Sd(e){return e.clientMetadataUrl!==void 0&&!("redirect_uris"in e.clientInformation)&&e.clientInformation.client_id===e.clientMetadataUrl}n(Sd,"isUrlBasedClientInformation");function Cd(e,t,r){let o=ne(e),i=ge(e,t),a=pi(i.scopes,i.scopeDelimiter);return{client_name:wr(o.displayName),client_uri:new URL("/",new URL(r).origin).toString(),redirect_uris:[r],grant_types:["authorization_code","refresh_token"],response_types:["code"],application_type:"web",scope:a,token_endpoint_auth_method:"none"}}n(Cd,"buildOAuthClientMetadata");function pi(e,t){return e&&e.length>0?e.join(t):void 0}n(pi,"joinOAuthScopes");function vd(e,t){return t===void 0?e:{...e,scope:t}}n(vd,"applyOAuthClientMetadataScope");function li(e,t){return ri({state:e,delimiter:t})}n(li,"readResourceMetadataScope");function Id(e){let t;if(e.registration.tokenEndpointAuthMethod!=="none"&&(t=e.registration.clientSecret,!t))throw new P(`Manual OAuth registration for upstream "${e.upstreamServerId}" requires clientSecret. 
Set the env var that backs the client secret or use tokenEndpointAuthMethod "none".`);return Ne.parse({...e.clientMetadata,client_id:e.registration.clientId,token_endpoint_auth_method:e.registration.tokenEndpointAuthMethod,...t===void 0?{}:{client_secret:t}})}n(Id,"buildManualOAuthClientInformation");function Ad(e,t,r){let o=Rr({origin:new URL(r).origin,upstreamServerId:e,authProfileId:t});return lr(o)?o:void 0}n(Ad,"buildClientMetadataUrl");function mi(e){for(let t of e)if(t!==void 0)return t}n(mi,"firstDefined");function xd(e){let t=ge(e.target.upstreamServerId,e.target.authProfileId),r=Cd(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri),o=pi(t.scopes,t.scopeDelimiter);if(t.clientRegistration.mode==="manual")return{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,configuredClientInformation:Id({clientMetadata:r,registration:t.clientRegistration,upstreamServerId:e.target.upstreamServerId})};let i=Ad(e.target.upstreamServerId,e.target.authProfileId,e.redirectUri);return i===void 0?{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter}:{clientMetadata:r,configuredScope:o,scopeDelimiter:t.scopeDelimiter,clientMetadataUrl:i}}n(xd,"buildInitialOAuthClientSetup");function Ud(e,t){if(t===void 0)return mi([e.pendingState?.encryptedClientInformation,e.connectionMetadata?.encryptedClientInformation,e.connection?.metadata?.encryptedClientInformation])}n(Ud,"readEncryptedClientInformation");function kd(e){return mi([e.pendingState?.encryptedDiscoveryState,e.connectionMetadata?.encryptedDiscoveryState,e.connection?.metadata?.encryptedDiscoveryState])}n(kd,"readEncryptedDiscoveryState");var 
ye=class{static{n(this,"UpstreamOAuthProvider")}clientMetadataUrl;target;redirectUriValue;returnOrigin;clientMetadataValue;configuredScope;scopeDelimiter;configuredClientInformation;challengeScope;inferredScope;authorizationUrlValue;connection;pendingState;encryptedClientInformation;encryptedDiscoveryState;cachedClientInformation;clientInformationLoaded=!1;cachedDiscoveryState;discoveryStateLoaded=!1;cachedTokens;tokensLoaded=!1;constructor(t){let r=xd({target:t.target,redirectUri:t.redirectUri});this.target=t.target,this.redirectUriValue=t.redirectUri,this.returnOrigin=t.returnOrigin,this.clientMetadataValue=r.clientMetadata,this.configuredScope=r.configuredScope,this.scopeDelimiter=r.scopeDelimiter,this.configuredClientInformation=r.configuredClientInformation,r.clientMetadataUrl!==void 0&&(this.clientMetadataUrl=r.clientMetadataUrl),this.connection=t.connection,this.pendingState=t.pendingState?{...t.pendingState}:void 0,this.encryptedClientInformation=Ud(t,this.configuredClientInformation),this.encryptedDiscoveryState=kd(t)}get authorizationUrl(){return this.authorizationUrlValue}get redirectUrl(){return this.redirectUriValue}get clientMetadata(){return vd(this.clientMetadataValue,this.readEffectiveScope())}async state(){let t=await this.createPendingState();return Wo({id:t.id,...je({owner:this.target.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId})})}async clientInformation(){return this.configuredClientInformation?this.configuredClientInformation:this.loadPersistedClientInformation()}async saveClientInformation(t){this.configuredClientInformation||(this.cachedClientInformation=t,this.clientInformationLoaded=!0,!Sd({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl})&&(this.encryptedClientInformation=await di(t),await this.syncPendingState(!1)))}async discoveryState(){return 
this.loadPersistedDiscoveryState()}applyChallengeScope(t){this.challengeScope=t}async saveDiscoveryState(t){let r=_r(ci.parse(t));this.cachedDiscoveryState=r,this.discoveryStateLoaded=!0,this.inferredScope=li(r,this.scopeDelimiter),this.encryptedDiscoveryState=await di(r),await this.syncPendingState(!1)}async tokens(){return this.loadStoredTokens()}async saveTokens(t){let r=Ae.parse(t),o=this.target.owner.mode==="user"?this.target.owner.subjectId:void 0,i=r.refresh_token?await Et(r.refresh_token):this.connection?.encryptedRefreshToken;this.cachedTokens=r.refresh_token||!this.connection?.encryptedRefreshToken?r:Ae.parse({...r,refresh_token:await tt(this.connection.encryptedRefreshToken)}),this.tokensLoaded=!0;let a={id:this.connection?.id??io(),ownerMode:this.target.owner.mode,subjectId:o,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,status:"active",encryptedAccessToken:await Et(r.access_token),encryptedRefreshToken:i,scopes:gd(r.scope??this.readEffectiveScope()),expiresAt:_d(r),metadata:this.readStoredOAuthPersistence(this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0)};this.connection=await b().upsertUpstreamConnection(a)}async redirectToAuthorization(t){let r=ti(t);this.authorizationUrlValue=r.toString()}async saveCodeVerifier(t){let r=await this.createPendingState();await this.persistPendingState({...r,codeVerifier:yd(t)})}async codeVerifier(){if(!this.pendingState?.codeVerifier)throw new h({message:"OAuth code verifier is missing",extensionMembers:{[y]:"oauth_state_invalid"}});return this.pendingState.codeVerifier}async invalidateCredentials(t){let r=t==="all"||t==="client"||t==="tokens",o=t==="all"||t==="client",i=t==="all"||t==="discovery",a=t==="all"||t==="verifier";o&&(this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,this.encryptedClientInformation=void 0),i&&(this.cachedDiscoveryState=void 0,this.discoveryStateLoaded=!0,this.encryptedDiscoveryState=void 
0,this.challengeScope=void 0,this.inferredScope=void 0),r&&(this.cachedTokens=void 0,this.tokensLoaded=!0),await this.syncPendingState(a),await this.persistCredentialInvalidation(r)}async createPendingState(){if(this.pendingState)return this.pendingState;let t={id:ao(),...je({owner:this.target.owner,initiatedBySubjectId:this.target.initiatedBySubjectId,upstreamServerId:this.target.upstreamServerId,authProfileId:this.target.authProfileId,operationId:this.target.operationId,...this.target.returnTo===void 0?{}:{returnTo:this.target.returnTo}}),callbackPath:new URL(this.redirectUriValue).pathname,expiresAt:R(new Date(Date.now()+Fo)),redirectUri:this.redirectUriValue,...this.returnOrigin===void 0?{}:{returnOrigin:this.returnOrigin},encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:this.target.owner.mode==="shared"?this.target.initiatedBySubjectId:void 0};return await this.persistPendingState(t),t}async persistPendingState(t){await b().saveUpstreamOAuthState({record:t}),this.pendingState=t}async syncPendingState(t){this.pendingState&&await this.persistPendingState({...this.pendingState,codeVerifier:t?void 0:this.pendingState.codeVerifier,encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState})}async loadPersistedClientInformation(){if(this.clientInformationLoaded)return this.cachedClientInformation;let t;try{t=await ui(this.encryptedClientInformation,md)}catch{this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1);return}if(t&&(!Rd(t,this.redirectUriValue)||!bd({clientInformation:t,clientMetadataUrl:this.clientMetadataUrl}))){this.encryptedClientInformation=void 0,this.cachedClientInformation=void 0,this.clientInformationLoaded=!0,await this.syncPendingState(!1),await 
this.persistCredentialInvalidation(!1);return}return t===void 0&&this.pendingState?.codeVerifier!==void 0&&this.clientMetadataUrl!==void 0&&(t=At.parse({client_id:this.clientMetadataUrl})),this.cachedClientInformation=t,this.clientInformationLoaded=!0,this.cachedClientInformation}async loadPersistedDiscoveryState(){if(this.discoveryStateLoaded)return this.cachedDiscoveryState;try{this.cachedDiscoveryState=wd(await ui(this.encryptedDiscoveryState,ci))}catch{this.encryptedDiscoveryState=void 0,this.cachedDiscoveryState=void 0,await this.syncPendingState(!1),await this.persistCredentialInvalidation(!1)}return this.discoveryStateLoaded=!0,this.inferredScope=li(this.cachedDiscoveryState,this.scopeDelimiter),this.cachedDiscoveryState}readEffectiveScope(){return this.configuredScope??this.challengeScope??this.inferredScope}async loadStoredTokens(){if(this.tokensLoaded)return this.cachedTokens;if(this.tokensLoaded=!0,!this.connection||this.connection.status!=="active")return;let t=this.connection.encryptedAccessToken?await tt(this.connection.encryptedAccessToken):void 0,r=this.connection.encryptedRefreshToken?await tt(this.connection.encryptedRefreshToken):void 0;if(!t&&!r)return;let o=Ae.parse({access_token:t??hd,token_type:fd,refresh_token:r,scope:this.connection.scopes.length>0?this.connection.scopes.join(" "):void 0});return this.cachedTokens=o,o}async persistCredentialInvalidation(t){if(!this.connection)return;let r={id:this.connection.id,ownerMode:this.connection.ownerMode,subjectId:this.connection.subjectId,upstreamServerId:this.connection.upstreamServerId,authProfileId:this.connection.authProfileId,status:this.connection.status,encryptedAccessToken:this.connection.encryptedAccessToken,encryptedRefreshToken:this.connection.encryptedRefreshToken,scopes:[...this.connection.scopes],expiresAt:this.connection.expiresAt,metadata:this.connection.metadata?{...this.connection.metadata}:void 0};t&&(r.status="reconsent_required",r.encryptedAccessToken=void 
0,r.encryptedRefreshToken=void 0,r.scopes=[],r.expiresAt=void 0),r.metadata=this.readStoredOAuthPersistence(this.connection.metadata?.connectedBySubjectId),this.connection=await b().upsertUpstreamConnection(r)}readStoredOAuthPersistence(t){if(!(!this.encryptedClientInformation&&!this.encryptedDiscoveryState&&!t))return{encryptedClientInformation:this.encryptedClientInformation,encryptedDiscoveryState:this.encryptedDiscoveryState,connectedBySubjectId:t}}};var Pd=3e4,Td=256*1024,Ed=2;function Od(e){return!e||e.status!=="active"||!e.encryptedAccessToken?!1:e.expiresAt?new Date(e.expiresAt).getTime()>Date.now():!0}n(Od,"hasUsableAccessToken");var qd="does not support dynamic client registration",Md=["Resource server does not implement OAuth 2.0 Protected Resource Metadata","trying to load well-known OAuth protected resource metadata"],Dd=["HTTP 403 Forbidden","Access Denied","permission to access"];function zd(e){return e instanceof Error&&e.message.includes(qd)}n(zd,"isDynamicClientRegistrationUnsupported");function Hd(e){return e instanceof Error&&Md.some(t=>e.message.includes(t))}n(Hd,"isProtectedResourceMetadataUnavailable");function Bd(e){return e instanceof Error&&Dd.some(t=>e.message.includes(t))}n(Bd,"isUpstreamProviderAccessDenied");function jd(e){if(e.error instanceof h&&e.error.extensionMembers?.[y]!==void 0)return e.error;if(zd(e.error))return new h({message:`The authorization server for ${e.upstreamServerId} does not advertise Client ID Metadata Document support and does not support Dynamic Client Registration. Register an OAuth client for the gateway manually before retrying.`,extensionMembers:{[y]:"upstream_client_registration_required"}},{cause:e.error});if(Hd(e.error))return new h({message:`The upstream MCP server "${e.upstreamServerId}" does not publish OAuth protected resource metadata at "${e.resourceMetadataUrl}". 
Configure protectedResourceMetadataUrl to a working metadata document, use a provider-supported legacy client, or contact the provider to approve/allowlist this gateway OAuth client before retrying.`,extensionMembers:{[y]:"upstream_oauth_discovery_unavailable"}},{cause:e.error});if(Bd(e.error))return new h({message:`The upstream provider denied access while connecting ${e.upstreamServerId}. Confirm the provider allows this gateway and its OAuth client, then retry.`,extensionMembers:{[y]:"upstream_provider_access_denied"}},{cause:e.error})}n(jd,"mapUpstreamOAuthSetupError");function Ld(e){return typeof e=="string"||e instanceof URL?{url:new URL(e.toString())}:{method:e.method,url:new URL(e.url)}}n(Ld,"readOAuthFetchRequest");function Nd(e,t){return(e.headers.get("content-type")??"").includes("json")||t.trimStart().startsWith("{")||t.trimStart().startsWith("[")}n(Nd,"responseLooksJson");function Gd(e,t){let r=e.headers.get("content-type")??"",o=t.trimStart().toLowerCase();return r.includes("html")||o.startsWith("<!doctype html")||o.startsWith("<html")}n(Gd,"responseLooksHtml");function $d(e){let t=e.response.statusText?` ${e.response.statusText}`:"",r=e.response.headers.get("content-type")??"text/html";throw new h({message:`The upstream provider returned ${e.response.status}${t} (${r}) from ${e.request.url.toString()} while connecting ${e.upstreamServerId}.`,extensionMembers:{[y]:e.response.status===403?"upstream_provider_access_denied":"upstream_token_exchange_failed",[Ce]:e.response.status,[be]:r,[ve]:e.request.url.toString(),[Se]:e.body}})}n($d,"throwUpstreamHtmlError");function fi(e){return async(t,r)=>{let o=Ld(t),i=await mo(t,r,{maxRedirects:Ed,maxResponseBytes:Td,problemCode:"upstream_token_exchange_failed",timeoutMs:Pd}),a=await i.clone().text();if(!i.ok&&Gd(i,a)&&$d({upstreamServerId:e,request:o,response:i,body:a}),!Nd(i,a))return i;try{JSON.parse(a)}catch(s){throw new h({message:`Upstream OAuth fetch ${o.url.origin}${o.url.pathname} for ${e} returned 
invalid JSON.`,extensionMembers:{[y]:"upstream_token_exchange_failed"}},{cause:s})}return i}}n(fi,"createUpstreamOAuthFetch");async function hi(e,t){e.applyChallengeScope(t.requestedScope);try{let r={serverUrl:t.serverUrl,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:fi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),await ur(e,r)}catch(r){let o=jd({upstreamServerId:t.upstreamServerId,resourceMetadataUrl:t.resourceMetadataUrl,error:r});throw o!==void 0?o:r}}n(hi,"runUpstreamOAuth");async function Zd(e,t){e.applyChallengeScope(t.requestedScope);let r={serverUrl:t.serverUrl,authorizationCode:t.authorizationCode,resourceMetadataUrl:new URL(t.resourceMetadataUrl),fetchFn:fi(t.upstreamServerId)};return t.requestedScope!==void 0&&(r.scope=t.requestedScope),ur(e,r)}n(Zd,"exchangeUpstreamAuthorizationCode");async function gi(e,t){let r=await hi(e,t);if(r==="REDIRECT"&&e.authorizationUrl)return e.authorizationUrl;throw r==="AUTHORIZED"?new h({message:`OAuth connect flow reused existing credentials instead of producing a redirect for ${t.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}}):new h({message:`Unexpected OAuth result for ${t.upstreamServerId}: ${r}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}})}n(gi,"requireUpstreamAuthorizationRedirect");async function yi(e){if(!e.forceRefresh&&Od(e.connection))return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};let t=await hi(e.provider,{upstreamServerId:e.target.upstreamServerId,serverUrl:e.serverUrl,resourceMetadataUrl:e.resourceMetadataUrl,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope}});if(t==="AUTHORIZED")return{kind:"authorized",credential:{type:"mcp_oauth_provider",provider:e.provider}};if(t!=="REDIRECT")throw new h({message:`Unexpected OAuth result for ${e.target.upstreamServerId}: ${t}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}});if(!e.provider.authorizationUrl)throw new 
h({message:`OAuth connect-required flow did not produce a redirect for ${e.target.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}});return{kind:"connect_required",payload:await Vd({requestUrl:e.target.request.url,requestHeaders:e.target.request.headers,connection:e.connection,owner:e.target.owner,initiatedBySubjectId:e.target.initiatedBySubjectId,upstreamServerId:e.target.upstreamServerId,authProfileId:e.target.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.target.operationId,...e.target.returnTo===void 0?{}:{returnTo:e.target.returnTo}})}}n(yi,"authorizeUpstreamOAuthSession");async function Fd(e){let t=await Pt(e.stateToken),r=await b().consumeUpstreamOAuthState({id:t.id,now:R(new Date)}),o=Kd(r);return Jd({storedState:o,signedState:t,upstreamServerId:e.upstreamServerId,callbackPath:new URL(e.request.url).pathname}),Wd(o),o}n(Fd,"consumeStoredCallbackState");function Kd(e){switch(e.kind){case"consumed":throw new h({message:"OAuth state has already been used",extensionMembers:{[y]:"oauth_state_reused"}});case"missing":throw new h({message:"OAuth state is missing or expired",extensionMembers:{[y]:"oauth_state_expired"}});case"available":return e.record}}n(Kd,"readConsumedCallbackState");function Jd(e){if(![e.storedState.ownerMode===e.signedState.ownerMode,e.storedState.initiatedBySubjectId===e.signedState.initiatedBySubjectId,e.storedState.ownerSubjectId===e.signedState.ownerSubjectId,e.storedState.upstreamServerId===e.signedState.upstreamServerId,e.storedState.authProfileId===e.signedState.authProfileId,e.storedState.operationId===e.signedState.operationId,e.storedState.upstreamServerId===e.upstreamServerId,e.storedState.callbackPath===e.callbackPath].every(Boolean))throw new h({message:"OAuth callback did not match the initiating request",extensionMembers:{[y]:"oauth_callback_mismatch"}})}n(Jd,"assertStoredCallbackStateMatches");function Wd(e){if(new Date(e.expiresAt).getTime()<=Date.now())throw new 
h({message:"OAuth state has expired",extensionMembers:{[y]:"oauth_state_expired"}})}n(Wd,"assertStoredCallbackStateFresh");async function Vd(e){if(e.owner.mode==="shared"){let r={upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,requiresReconsent:!!e.connection};return e.connection!==void 0&&(r.connectionId=e.connection.id),Qo(r)}let t={requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,upstreamDisplayName:e.upstreamDisplayName,operationId:e.operationId,subject:"tool",requiresReconsent:!!e.connection,...e.returnTo===void 0?{}:{returnTo:e.returnTo}};return e.connection!==void 0&&(t.connectionId=e.connection.id),Tt(t)}n(Vd,"buildOAuthConnectRequiredResponse");async function _i(e){let t=await Fd({request:e.request,upstreamServerId:e.upstreamServerId,stateToken:e.stateToken}),r=wt(t),[o]=await b().batchGetUpstreamConnections([{owner:r,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId}]),i={target:{owner:r,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,...t.returnTo===void 0?{}:{returnTo:t.returnTo}},redirectUri:t.redirectUri,pendingState:t};o!==void 0&&(i.connection=o);let a=new ye(i),s=await Zd(a,{upstreamServerId:e.upstreamServerId,serverUrl:e.upstreamServerConfig.transport.baseUrl,authorizationCode:e.authorizationCode,resourceMetadataUrl:e.upstreamServerConfig.transport.resourceMetadataUrl});if(s==="AUTHORIZED")return t;throw s!=="REDIRECT"?new h({message:`Unexpected OAuth result for ${e.upstreamServerId}: ${s}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}}):new h({message:`OAuth callback flow did not finish authorization for 
${e.upstreamServerId}`,extensionMembers:{[y]:"upstream_token_exchange_failed"}})}n(_i,"finishUpstreamOAuthCallback");async function wi(e){let t=ne(e.upstreamServerId),r=ge(e.upstreamServerId,e.authProfileId),o=ni(r.redirectPath,e.request.url,e.request.headers),i="preloadedConnection"in e?e.preloadedConnection:(await b().batchGetUpstreamConnections([{owner:e.owner,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId}]))[0];return{upstreamServerConfig:t,connection:i,providerInput:{target:{owner:e.owner,initiatedBySubjectId:e.initiatedBySubjectId,upstreamServerId:e.upstreamServerId,authProfileId:e.authProfileId,operationId:e.operationId,...e.returnTo===void 0?{}:{returnTo:e.returnTo}},redirectUri:o,returnOrigin:U(e.request.url,e.request.headers)}}}n(wi,"prepareUpstreamOAuthRequest");async function Ri(e){let t=await wi(e),r=new ye({...t.providerInput,...t.connection?.metadata===void 0?{}:{connectionMetadata:t.connection.metadata}});return gi(r,{upstreamServerId:e.upstreamServerId,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(Ri,"startUpstreamConnect");async function bi(e){let t=await wi(e),r=new ye({...t.providerInput,...t.connection===void 0?{}:{connection:t.connection}});return yi({target:e,provider:r,connection:t.connection,forceRefresh:e.forceRefresh,...e.requestedScope===void 0?{}:{requestedScope:e.requestedScope},upstreamDisplayName:t.upstreamServerConfig.displayName,serverUrl:t.upstreamServerConfig.transport.baseUrl,resourceMetadataUrl:t.upstreamServerConfig.transport.resourceMetadataUrl})}n(bi,"authorizeUpstreamRequest");async function ke(e){let{routeAuth:t}=e;switch(t.authMode){case"shared-oauth":case"user-oauth":return bi({request:e.request,owner:t.owner,initiatedBySubjectId:t.initiatedBySubjectId,upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId,operationId:t.operationId,forceRefresh:e.forceRefresh,...e.requestedScope===void 
0?{}:{requestedScope:e.requestedScope},...e.preloadedConnection===void 0?{}:{preloadedConnection:e.preloadedConnection},...t.returnTo===void 0?{}:{returnTo:t.returnTo}})}let r=t;throw new M(`Unsupported upstream auth route context ${JSON.stringify(r)}.`)}n(ke,"resolveUpstreamCredentialForRoute");async function Si(e){let t,r={request:e.request,owner:e.connectRequest.owner,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,upstreamServerId:e.connectRequest.upstreamServerId,authProfileId:e.connectRequest.authProfileId,operationId:e.connectRequest.operationId,...e.connectRequest.returnTo===void 0?{}:{returnTo:e.connectRequest.returnTo}},o=G(e.connectRequest.authMode);switch(o.connectSupport){case"oauth_authorization":t=await Ri(r);break;case"none":throw new M(o.connectUnsupportedDetail??`Upstream server ${e.connectRequest.upstreamServerId} does not support browser connection flows.`)}return{authProfileId:e.connectRequest.authProfileId,authUrl:t,initiatedBySubjectId:e.connectRequest.initiatedBySubjectId,owner:e.connectRequest.owner,upstreamDisplayName:e.connectRequest.upstreamDisplayName,operationId:e.connectRequest.operationId}}n(Si,"startUpstreamConnectForRequest");async function Ci(e){let r=(await Pt(e.callbackRequest.state)).authProfileId,o=gr({upstreamServerId:e.callbackRequest.upstreamServerId,authProfileId:r});if(G(o.mode).callbackSupport!=="authorization_code")throw new M(`Upstream server ${e.callbackRequest.upstreamServerId} does not support OAuth callbacks.`);return _i({request:e.request,upstreamServerId:e.callbackRequest.upstreamServerId,authorizationCode:e.callbackRequest.code,stateToken:e.callbackRequest.state,upstreamServerConfig:ne(e.callbackRequest.upstreamServerId)})}n(Ci,"finishUpstreamCallbackForRequest");function Yd(e){let 
t=G(e.connection.authMode);return{upstreamServerId:e.connection.upstreamServerId,operationId:e.operationId,authProfileId:e.connection.authProfileId,upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(Yd,"buildRouteAuthBaseFromConnection");function Ii(e){let t=G(e.connection.authMode);return{upstreamServerId:e.connection.id,operationId:e.operationId,authProfileId:ht(e.connection.id,e.connection.authMode),upstreamDisplayName:e.connection.displayName,authMode:e.connection.authMode,ownerMode:t.ownerMode}}n(Ii,"buildRouteAuthBaseFromPolicyOptions");function Ot(e,t){let o=N().byOperationId.get(t);if(!o)throw new P(`Unknown MCP route "${t}". Ensure routes.oas.json declares this operationId before starting an upstream connection flow.`);if(o.connection===void 0)throw new P(`MCP route "${t}" does not declare an MCP token exchange policy. Add one before starting an upstream connection flow.`);if(o.connection.upstreamServerId!==e)throw new P(`MCP route "${t}" does not bind upstream "${e}". 
Check the route's MCP upstream policies and bind the upstream before starting an upstream connection flow.`);return Yd({connection:o.connection,operationId:t})}n(Ot,"resolveRouteAuthBase");function vi(e,t){switch(e){case"user":return _t(t);case"shared":return eo()}}n(vi,"buildOwnerForSubject");function Pe(e,t){switch(e.ownerMode){case"shared":return{...e,owner:vi(e.ownerMode,t),initiatedBySubjectId:t};case"user":return{...e,owner:vi(e.ownerMode,t),initiatedBySubjectId:t}}}n(Pe,"resolveRouteAuthForSubject");var Xd=Be.InvalidRequest,Qd=new Set(["connection","keep-alive","proxy-authenticate","te","trailer","transfer-encoding","upgrade"]);function eu(e,t){return{credentialType:e.type,forceRefresh:t,...e.type==="headers"?{headerNames:Object.keys(e.headers).sort()}:{}}}n(eu,"buildCredentialResolvedAttributes");function tu(e){switch(e){case"admin_connect_required":return"admin_connect_required";case"authenticating":return"connect_required"}}n(tu,"connectRequiredReasonCode");function Ai(e){C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CREDENTIAL_RESOLVED,outcome:"success",routeBinding:e.routeBinding,attributes:eu(e.credential,e.forceRefresh===!0)})}n(Ai,"emitCredentialResolvedAnalyticsEvent");function xi(e){let t={forceRefresh:e.forceRefresh===!0,nextAction:e.payload.nextAction,state:e.payload.state};if(C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CREDENTIAL_MISSING,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"connect_required",reasonClass:"auth",attributes:t}),e.payload.state==="reconsent_required"){C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_RECONSENT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:"reconsent_required",reasonClass:"auth",attributes:t});return}C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_CONNECT_REQUIRED,outcome:"connect_required",routeBinding:e.routeBinding,reasonCode:tu(e.payload.state),reasonClass:"auth",attributes:t})}n(xi,"emitCredentialMissingAnalyticsEvents");function ru(e){let t=e.route.raw();return 
pt.parse(t?.operationId)}n(ru,"readOperationId");async function nu(e,t,r,o){let i=await ke({request:e,routeAuth:t});if(i.kind==="connect_required")return xi({context:o,payload:i.payload,routeBinding:t}),o.log.info({event:"mcp_upstream_connect_required",upstreamServerId:t.upstreamServerId,authProfileId:t.authProfileId},"MCP upstream proxy: upstream connection required"),{kind:"connect_required",payload:i.payload};let a=i.credential;switch(Ai({context:o,credential:a,routeBinding:t}),a.type){case"none":return{kind:"headers",headers:[]};case"bearer_token":return{kind:"headers",headers:[["authorization",`Bearer ${a.token}`]]};case"headers":return{kind:"headers",headers:Object.entries(a.headers)};case"mcp_oauth_provider":{let s=await a.provider.tokens();return s?{kind:"headers",headers:[["authorization",`${s.token_type??"Bearer"} ${s.access_token}`]]}:(o.log.warn({event:"mcp_upstream_no_tokens",upstreamServerId:t.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens"),Response.json({error:"no_upstream_tokens"},{status:401}))}}}n(nu,"buildCredentialHeaders");var ou=new Set(["authorization","cookie","cookie2"]);function iu(e){if(e!==void 0)try{let t=JSON.parse(new TextDecoder().decode(e));return t&&typeof t=="object"&&!Array.isArray(t)&&"method"in t&&typeof t.method=="string"?t.method:void 0}catch{return}}n(iu,"readJsonRequestMethod");function au(e){let t=e.headers.get("content-type")??"";return/\bapplication\/(?:[\w.+-]+\+)?json\b/i.test(t)}n(au,"isJsonResponse");function vr(e){return e!==null&&typeof e=="object"&&!Array.isArray(e)}n(vr,"isRecord");function su(e){return Array.isArray(e)&&e.length>0}n(su,"hasIconList");function cu(e){if(e.connection.serverInfo?.icons!==void 0&&e.connection.serverInfo.icons.length>0)return e.connection.serverInfo.icons;try{let t=Ut(Cn(e.context.route.handler));return t===void 0?void 0:[t]}catch{return}}n(cu,"readFallbackServerIcons");function du(e){if(!vr(e.body))return e.body;let t=e.body.result;if(!vr(t))return 
e.body;let r=t.serverInfo;return!vr(r)||su(r.icons)?e.body:{...e.body,result:{...t,serverInfo:{...r,icons:e.icons}}}}n(du,"addMissingServerIcons");function uu(e,t){let r=new Headers(e.headers);for(let o of ou)r.delete(o);for(let[o,i]of t)r.set(o,i);return new an(e,{headers:r})}n(uu,"applyUpstreamHeaders");function lu(e){let t=new Headers(e.headers);for(let r of Qd)t.delete(r);return t}n(lu,"buildProxyHeaders");async function pu(e){if(!(e.method==="GET"||e.method==="HEAD"))return e.clone().arrayBuffer()}n(pu,"readRetryBody");function Ui(e,t){let r=t.authUrl===void 0?void 0:yo({message:t.message,elicitationId:["connect",t.operationId,t.upstreamServerId,t.authProfileId].join(":"),url:t.authUrl});return Response.json(St({id:go(e),error:{code:r?.code??Xd,message:t.message,data:{...r?.data??{},connectRequired:t}}}))}n(Ui,"connectRequiredJsonRpcResponse");async function mu(e){let{scope:t}=ko(e.upstreamResponse),r=await ke({request:e.request,routeAuth:e.routeAuth,forceRefresh:!0,...t===void 0?{}:{requestedScope:t}});if(r.kind==="connect_required")return xi({context:e.context,payload:r.payload,routeBinding:e.routeAuth,forceRefresh:!0}),{kind:"connect_required",payload:r.payload};let o=new Headers(e.headers),i=r.credential;switch(Ai({context:e.context,credential:i,routeBinding:e.routeAuth,forceRefresh:!0}),i.type){case"none":return o.delete("authorization"),{kind:"headers",headers:o};case"bearer_token":return o.set("authorization",`Bearer ${i.token}`),{kind:"headers",headers:o};case"headers":for(let[a,s]of Object.entries(i.headers))o.set(a,s);return{kind:"headers",headers:o};case"mcp_oauth_provider":{let a=await i.provider.tokens();return a?(o.set("authorization",`${a.token_type??"Bearer"} ${a.access_token}`),{kind:"headers",headers:o}):(e.context.log.warn({event:"mcp_upstream_no_tokens_after_refresh",upstreamServerId:e.routeAuth.upstreamServerId},"MCP upstream proxy: OAuth provider returned no tokens after 
refresh"),{kind:"response",response:Response.json({error:"no_upstream_tokens"},{status:401})})}}}n(mu,"applyRefreshedCredentialHeaders");function fu(e){e.context.addResponseSendingHook(async(t,r)=>{if(t.status!==401)return t;let o=await mu({request:e.request,context:e.context,headers:lu(r),routeAuth:e.routeAuth,upstreamResponse:t});if(o.kind==="connect_required")return Ui(e.requestBody,o.payload);if(o.kind==="response")return o.response;let i=vn({handler:e.context.route.handler,request:r,body:e.requestBody,headers:o.headers});return ct.fetch(i.url,i.init)})}n(fu,"installUpstreamAuthRetryHook");function hu(e){if(iu(e.requestBody)!=="initialize")return;let t=cu({connection:e.connection,context:e.context});t===void 0||t.length===0||e.context.addResponseSendingHook(async r=>{if(!au(r))return r;let o;try{o=await r.clone().json()}catch{return r}let i=du({body:o,icons:t});if(i===o)return r;let a=new Headers(r.headers);return a.delete("content-length"),new Response(JSON.stringify(i),{status:r.status,statusText:r.statusText,headers:a})})}n(hu,"installInitializeIconHook");async function Ir(e,t,r){let o=ru(t),i=await pu(e),a=Ii({connection:r,operationId:o}),s=Ie(e.user,e.url,e.headers);Bn(t,s);let c=Pe(a,s.subjectId),l=await nu(e,c,r,t);if(!(l instanceof Response)&&l.kind==="connect_required")return Ui(i,l.payload);if(l instanceof Response)return l;let m=uu(e,l.headers);return fu({request:m,context:t,requestBody:i,routeAuth:c}),hu({context:t,requestBody:i,connection:r}),m}n(Ir,"mcpTokenExchangePolicy");var Ar=class extends ut{static{n(this,"McpTokenExchangeInboundPolicy")}constructor(t,r){let o=Pn(t,r);super(o,r)}async handler(t,r){return dt("policy.inbound.mcp-token-exchange"),Ir(t,r,this.options)}};H();var ki=Symbol("Html");function gu(e){return e.replaceAll("&","&").replaceAll("<","<").replaceAll(">",">").replaceAll('"',""").replaceAll("'","'")}n(gu,"escapeHtml");function yu(e){return e===null||typeof e!="object"?!1:e[ki]===!0}n(yu,"isHtml");function Pi(e){return 
e==null||e===!1?"":Array.isArray(e)?e.map(Pi).join(""):yu(e)?e.value:gu(String(e))}n(Pi,"renderValue");function Q(e){return{[ki]:!0,value:e}}n(Q,"trustedHtml");var Z=Q("");function S(e,...t){let r=e[0]??"";for(let o=0;o<t.length;o+=1)r+=Pi(t[o]),r+=e[o+1]??"";return Q(r)}n(S,"html");function Te(e){return e.value}n(Te,"renderHtml");function Ti(e){return S`<p class="card__description">${e.detail}</p>${e.guidance} ${e.technicalDetails} ${e.action}`}n(Ti,"renderBrowserErrorPage");var Ee=Q('*,:before,:after{box-sizing:border-box}:root{--bg:#f5f6f8;--surface:#fff;--surface-2:#f8fafc;--border:#e5e7eb;--border-strong:#d1d5db;--text:#0f172a;--text-2:#475569;--text-3:#64748b;--text-muted:#94a3b8;--accent:#0f172a;--accent-hover:#1e293b;--accent-text:#fff;--focus-ring:#0f172a29;--danger:#b91c1c;--danger-bg:#b91c1c0f;--danger-border:#b91c1c38;--warning:#92400e;--warning-bg:#fffbeb;--warning-border:#fde68a;--success:#15803d;--success-bg:#f0fdf4;--success-border:#bbf7d0;--radius-sm:4px;--radius:8px;--radius-lg:12px;--radius-pill:9999px;--shadow-sm:0 1px 2px #0f172a0d;--shadow:0 1px 2px #0f172a0a,0 6px 16px #0f172a0f;--font-sans:-apple-system,BlinkMacSystemFont,"Segoe UI",Inter,system-ui,sans-serif;--font-mono:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Monaco,Consolas,monospace}@media (prefers-color-scheme:dark){:root{--bg:#0a0c10;--surface:#15171c;--surface-2:#1e2128;--border:#262932;--border-strong:#3a3e48;--text:#fafafa;--text-2:#cbd5e1;--text-3:#94a3b8;--text-muted:#71717a;--accent:#fafafa;--accent-hover:#e4e4e7;--accent-text:#0a0c10;--focus-ring:#fafafa2e;--danger:#f87171;--danger-bg:#f8717114;--danger-border:#f871714d;--warning:#fbbf24;--warning-bg:#fbbf2414;--warning-border:#fbbf2447;--success:#34d399;--success-bg:#34d39914;--success-border:#34d3994d;--shadow-sm:0 1px 2px #0006;--shadow:0 1px 2px #0006,0 8px 24px 
#0006}}html,body{margin:0;padding:0}body{font-family:var(--font-sans);background:var(--bg);color:var(--text);-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;flex-direction:column;justify-content:center;align-items:center;min-height:100dvh;padding:48px 20px;font-size:14px;line-height:1.5;display:flex}.card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);width:100%;max-width:480px;box-shadow:var(--shadow);overflow:hidden}.card__head{text-align:center;padding:32px 32px 24px}.card__icon{border-radius:var(--radius);background:var(--surface-2);object-fit:contain;border:1px solid var(--border);width:48px;height:48px;margin:0 auto 16px;display:block}.card__title{letter-spacing:-.01em;color:var(--text);margin:0;font-size:20px;font-weight:600;line-height:1.3}.card__subtitle{color:var(--text-2);margin:8px 0 0;font-size:14px;line-height:1.55}.card__subtitle strong{color:var(--text);font-weight:600}.card__description{color:var(--text-3);margin:12px 0 0;font-size:13px;line-height:1.55}.card__principal{color:var(--text-3);background:var(--surface-2);border-radius:var(--radius-pill);text-overflow:ellipsis;white-space:nowrap;align-items:center;gap:6px;max-width:100%;margin:16px 0 0;padding:4px 12px;font-size:12.5px;display:inline-flex;overflow:hidden}.card__body{flex-direction:column;gap:20px;padding:8px 32px 24px;display:flex}.card__head+.card__body{border-top:1px solid var(--border);padding-top:24px}.card__footer{border-top:1px solid var(--border);background:var(--surface-2);flex-wrap:wrap;justify-content:flex-end;align-items:center;gap:8px;padding:16px 24px;display:flex}.card__fineprint{color:var(--text-3);text-align:center;margin:0;font-size:12.5px;line-height:1.5}.card__fineprint 
strong{color:var(--text-2);font-weight:600}.section-label{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);align-items:baseline;gap:6px;margin:0;font-size:11px;font-weight:600;display:flex}.section-label__count{color:var(--text-3);letter-spacing:0;font-weight:500}.banner{border-radius:var(--radius);border:1px solid;align-items:flex-start;gap:10px;padding:12px 14px;font-size:13px;display:flex}.banner__icon{flex-shrink:0;justify-content:center;align-items:center;width:16px;height:16px;margin-top:1px;display:inline-flex}.banner__body{flex-direction:column;flex:1;gap:2px;min-width:0;display:flex}.banner__title{color:var(--text);margin:0;font-size:13px;font-weight:600}.banner__message{color:var(--text-2);margin:0;font-size:13px;line-height:1.5}.banner--warning{background:var(--warning-bg);border-color:var(--warning-border)}.banner--warning .banner__icon{color:var(--warning)}.banner--alert{background:var(--danger-bg);border-color:var(--danger-border)}.banner--alert .banner__icon,.banner--alert .banner__title{color:var(--danger)}.upstream-list{flex-direction:column;gap:8px;margin:0;padding:0;list-style:none;display:flex}.upstream-card{background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);flex-direction:column;gap:10px;padding:14px;display:flex}.upstream-card--needs-action{border-color:var(--warning-border);background:var(--warning-bg)}.upstream-card__head{align-items:flex-start;gap:10px;display:flex}.icon-frame{border-radius:var(--radius-sm);border:1px solid var(--border);background:var(--surface-2);width:32px;height:32px;color:var(--text-3);flex-shrink:0;justify-content:center;align-items:center;display:inline-flex;overflow:hidden}.icon-frame img{object-fit:contain;max-width:100%;max-height:100%}.icon-frame--fallback 
svg{width:18px;height:18px}.inline-icon{object-fit:contain;vertical-align:-2px;border-radius:2px;width:14px;height:14px;margin-right:4px}.upstream-card__main{flex-direction:column;flex:1;gap:3px;min-width:0;display:flex}.upstream-card__title-row{justify-content:space-between;align-items:center;gap:10px;min-width:0;display:flex}.upstream-card__title{color:var(--text);letter-spacing:-.005em;text-overflow:ellipsis;white-space:nowrap;flex:1;min-width:0;margin:0;font-size:14px;font-weight:600;line-height:1.3;overflow:hidden}.upstream-card__meta{color:var(--text-3);flex-wrap:wrap;align-items:center;gap:6px;font-size:12px;display:flex}.upstream-card__host{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);padding:1px 6px;font-size:11.5px}.upstream-card__sep{color:var(--border-strong)}.upstream-card__description{color:var(--text-2);margin:4px 0 0;font-size:12.5px;line-height:1.5}.status-badge{border-radius:var(--radius-pill);white-space:nowrap;border:1px solid #0000;flex-shrink:0;align-items:center;gap:6px;padding:2px 8px;font-size:11.5px;font-weight:600;display:inline-flex}.status-badge:before{content:"";background:currentColor;border-radius:50%;flex-shrink:0;width:5px;height:5px}.status-badge--success{background:var(--success-bg);color:var(--success);border-color:var(--success-border)}.status-badge--warning{background:var(--warning-bg);color:var(--warning);border-color:var(--warning-border)}.status-badge--neutral{background:var(--surface-2);color:var(--text-2);border-color:var(--border)}.upstream-card__capabilities,.upstream-card__scopes{border-top:1px solid var(--border);margin-top:2px;padding-top:10px}.upstream-card__capabilities--empty{color:var(--text-3);font-size:12px;font-style:italic}.capabilities-summary,.scopes-summary{cursor:pointer;user-select:none;color:var(--text-2);justify-content:space-between;align-items:center;gap:12px;padding:2px 
0;font-size:12.5px;list-style:none;display:flex}.capabilities-summary::-webkit-details-marker,.scopes-summary::-webkit-details-marker{display:none}.capabilities-summary:hover,.scopes-summary:hover{color:var(--text)}.capabilities-summary:focus-visible,.scopes-summary:focus-visible{outline:2px solid var(--accent);outline-offset:2px;border-radius:var(--radius-sm)}.capabilities-summary__counts{flex-wrap:wrap;align-items:center;gap:12px;display:flex}.count-pill{color:var(--text-2);align-items:baseline;gap:4px;font-size:12.5px;display:inline-flex}.count-pill__num{font-variant-numeric:tabular-nums;color:var(--text);font-size:13px;font-weight:600}.count-pill--destructive .count-pill__num,.count-pill--destructive .count-pill__label{color:var(--danger)}.capabilities-summary__chevron{color:var(--text-3);flex-shrink:0;transition:transform .15s;display:inline-flex}details[open]>.capabilities-summary .capabilities-summary__chevron,details[open]>.scopes-summary .capabilities-summary__chevron{transform:rotate(180deg)}.capabilities-detail{margin-top:10px}.capability-section{margin-top:14px}.capability-section:first-child{margin-top:6px}.capability-section__title{text-transform:uppercase;letter-spacing:.07em;color:var(--text-3);margin:0 0 6px;font-size:11px;font-weight:600}.capability-list{flex-direction:column;gap:5px;margin:0;padding:0;font-size:12.5px;list-style:none;display:flex}.capability-row{flex-wrap:wrap;align-items:baseline;gap:6px;padding:2px 0;display:flex}.capability-row__name{font-weight:500;font-family:var(--font-mono);color:var(--text);font-size:12.5px}.capability-row__description{color:var(--text-3);flex-basis:100%;font-size:12px;line-height:1.45}.capability-row__description code{font-family:var(--font-mono);background:var(--surface-2);border-radius:var(--radius-sm);color:var(--text-2);padding:1px 
4px}.capability-row--more{color:var(--text-3);font-size:12px;font-style:italic}.scopes-list{flex-wrap:wrap;gap:4px;margin-top:8px;display:flex}.scope-chip{font-family:var(--font-mono);background:var(--surface-2);color:var(--text-2);border-radius:var(--radius-sm);border:1px solid var(--border);padding:2px 7px;font-size:11.5px}.badge{border-radius:var(--radius-sm);letter-spacing:.04em;text-transform:uppercase;align-items:center;padding:1px 5px;font-size:10px;font-weight:600;display:inline-flex}.badge--destructive{background:var(--danger-bg);color:var(--danger)}.badge--muted{background:var(--surface-2);color:var(--text-3)}.badge-row{flex-wrap:wrap;gap:4px;display:inline-flex}.muted{color:var(--text-3)}.button{font:inherit;border-radius:var(--radius);cursor:pointer;white-space:nowrap;border:1px solid #0000;justify-content:center;align-items:center;gap:6px;min-height:40px;padding:8px 16px;font-size:14px;font-weight:500;text-decoration:none;transition:background .12s,border-color .12s,color .12s,box-shadow .12s,transform 40ms;display:inline-flex}.button:active{transform:translateY(1px)}.button:focus-visible{box-shadow:0 0 0 3px var(--focus-ring);outline:0}.button--small{padding:5px 
10px;font-size:12.5px}.button--primary{background:var(--accent);color:var(--accent-text);border-color:var(--accent)}.button--primary:hover:not(:disabled):not([aria-disabled=true]){background:var(--accent-hover);border-color:var(--accent-hover)}.button:disabled,.button[aria-disabled=true]{cursor:not-allowed;opacity:.55}.button:disabled:hover,.button[aria-disabled=true]:hover{background:var(--accent);border-color:var(--accent)}.button--secondary{background:var(--surface);color:var(--text);border-color:var(--border-strong)}.button--secondary:hover{background:var(--surface-2);border-color:var(--border-strong)}.button--block{width:100%}.reconnect-action{align-items:center;margin-right:auto;display:inline-flex;position:relative}.reconnect-button{gap:7px}.tooltip{width:16px;height:16px;color:var(--accent);background:color-mix(in srgb,var(--accent)8%,transparent);cursor:help;border:1.5px solid;border-radius:50%;justify-content:center;align-items:center;font-size:10.5px;font-weight:700;line-height:1;display:inline-flex;position:relative}.tooltip:after{content:attr(aria-label);z-index:10;border-radius:var(--radius-sm);background:var(--accent);width:280px;max-width:min(280px,100vw - 48px);color:var(--accent-text);box-shadow:var(--shadow);text-align:left;white-space:normal;opacity:0;pointer-events:none;padding:12px 14px;font-size:13px;font-weight:600;line-height:1.45;transition:opacity .12s;position:absolute;bottom:calc(100% + 12px);left:50%;transform:translate(-50%)}.tooltip:before{content:"";z-index:11;border-left:7px solid #0000;border-right:7px solid #0000;border-top:8px solid var(--accent);opacity:0;pointer-events:none;transition:opacity .12s;position:absolute;bottom:calc(100% + 5px);left:50%;transform:translate(-50%)}.tooltip:hover:after,.tooltip:hover:before,.tooltip:focus-visible:after,.tooltip:focus-visible:before{opacity:1}.form{flex-direction:column;gap:6px;display:flex}.form__label{color:var(--text);margin:8px 0 
0;font-size:13px;font-weight:600;display:block}.form__label:first-child{margin-top:0}.form__input{box-sizing:border-box;border:1px solid var(--border-strong);border-radius:var(--radius);width:100%;font:inherit;background:var(--surface);color:var(--text);padding:9px 12px;font-size:14px;transition:border-color .12s,box-shadow .12s}.form__input:focus{border-color:var(--accent);box-shadow:0 0 0 3px var(--focus-ring);outline:0}.form__note{color:var(--text-3);margin:4px 0 0;font-size:12.5px;line-height:1.5}.form__submit{margin-top:8px}.empty{text-align:center;color:var(--text-3);border:1px dashed var(--border);border-radius:var(--radius);background:var(--surface);padding:24px 16px;font-size:13px}.actions{gap:8px;margin:0;display:flex}@media (width<=480px){body{padding:0}.card{box-shadow:none;border-left:0;border-right:0;border-radius:0;min-height:100dvh}.card__head{padding:24px 20px 16px}.card__body{padding:16px 20px}.card__footer{flex-direction:column-reverse;align-items:stretch;padding:14px 20px}.card__footer .button{width:100%}.reconnect-action{justify-content:center;width:100%;margin-right:0}.reconnect-action .button{flex:1}.tooltip:after{left:auto;right:0;transform:none}}@media (prefers-reduced-motion:reduce){*{transition:none!important}}');function Oe(e){return S`<!doctype html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name="referrer" content="no-referrer" /><meta name="robots" content="noindex" /><title>${e.title}</title><link rel="icon" href="${e.iconHref}" /><style>
|
|
26
26
|
${e.styles}
|
|
27
27
|
</style></head><body><main class="card"><header class="card__head">${e.headerIcon}<h1 class="card__title">${e.heading}</h1>${e.subhead}</header><div class="card__body">${e.body}</div>${e.footer}</main></body></html>`}n(Oe,"renderShell");var _u="text/html; charset=utf-8";function qe(e){try{return new URL(e).host}catch{return""}}n(qe,"safeHostFromUrl");function F(e){let t=Ru(e.kind??"authorization_failed"),r=wu(e);return new Response(Te(Oe({title:e.title??t.title,iconHref:"",styles:Ee,headerIcon:Z,heading:e.title??t.title,subhead:"",body:Ti({detail:e.detail,guidance:S`<p class="card__description">${t.guidance}</p>`,technicalDetails:Iu({diagnostic:r,upstreamHtml:e.upstreamHtml}),action:Cu(e.action)}),footer:""})),{status:e.status??400,headers:{"content-type":_u,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(F,"browserErrorPageResponse");function wu(e){let t=e.diagnostic?.code??e.code??"unknown";return{code:t,stage:e.diagnostic?.stage??bu(t),timestamp:e.diagnostic?.timestamp??new Date().toISOString(),...e.requestId===void 0&&e.diagnostic?.requestId===void 0?{}:{requestId:e.diagnostic?.requestId??e.requestId},...e.diagnostic?.operationId===void 0?{}:{operationId:e.diagnostic.operationId},...e.diagnostic?.routePath===void 0?{}:{routePath:e.diagnostic.routePath},...e.diagnostic?.upstreamServerId===void 0?{}:{upstreamServerId:e.diagnostic.upstreamServerId},...e.diagnostic?.authProfileId===void 0?{}:{authProfileId:e.diagnostic.authProfileId},...e.diagnostic?.upstreamUrl===void 0?{}:{upstreamUrl:e.diagnostic.upstreamUrl},...e.diagnostic?.metadataUrl===void 0?{}:{metadataUrl:e.diagnostic.metadataUrl},...e.diagnostic?.httpStatus===void 0?{}:{httpStatus:e.diagnostic.httpStatus},...e.diagnostic?.contentType===void 0?{}:{contentType:e.diagnostic.contentType},...e.diagnostic?.providerError===void 0?{}:{providerError:e.diagnostic.providerError},...e.diagnostic?.providerErrorDescription===void 
0?{}:{providerErrorDescription:e.diagnostic.providerErrorDescription},suggestedFix:e.diagnostic?.suggestedFix??Su(t),underlyingError:e.diagnostic?.underlyingError??e.developerDetail}}n(wu,"buildBrowserErrorDiagnostic");function Ru(e){switch(e){case"session_expired":return{title:"Authorization expired",guidance:"Return to your MCP client and reconnect. Expired authorization requests cannot be resumed."};case"access_denied":return{title:"Authorization canceled",guidance:"Return to your MCP client to retry if you want to grant access."};case"configuration_error":return{title:"Configuration needs attention",guidance:"Contact your workspace admin with this error code. The gateway or upstream configuration must be fixed before retrying."};case"connection_failed":return{title:"Connection failed",guidance:"Return to your MCP client and reconnect this upstream. If this keeps happening, contact your gateway administrator with this error code."};case"invalid_request":return{title:"Authorization request invalid",guidance:"Return to your MCP client and try connecting again. If this keeps happening, the client request may need to be fixed."};case"admin_required":return{title:"Admin setup required",guidance:"Contact your workspace admin with this error code. This connection cannot be completed until setup is finished."};case"internal_error":return{title:"Gateway error",guidance:"Try again later from your MCP client. If this keeps happening, contact your gateway administrator with this error code."};case"authorization_failed":return{title:"Authorization failed",guidance:"Return to your MCP client and start authorization again. 
If this keeps happening, contact your gateway administrator with this error code."}}}n(Ru,"readBrowserErrorPagePresentation");function bu(e){switch(e){case"upstream_oauth_discovery_unavailable":return"upstream_oauth_discovery";case"upstream_client_registration_required":return"upstream_oauth_client_registration";case"upstream_provider_access_denied":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"upstream_token_exchange";case"provider_access_denied":return"upstream_oauth_callback";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"upstream_oauth_state";case"browser_login_verification_failed":return"downstream_browser_login";case"authentication_required":case"identity_context_missing":return"downstream_auth";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"gateway_configuration";case"server_error":case"internal_server_error":return"gateway_internal";default:return"gateway_request"}}n(bu,"readBrowserErrorStage");function Su(e){switch(e){case"upstream_oauth_discovery_unavailable":return"Confirm the upstream MCP URL and OAuth protected resource metadata. If the provider requires approval, configure the provider app or contact the provider.";case"upstream_client_registration_required":return"Register an OAuth client with the upstream provider, then configure the gateway to use that client before retrying.";case"upstream_provider_access_denied":return"Confirm the provider allows this gateway, OAuth client, and upstream MCP URL, then retry the connection.";case"upstream_token_exchange_failed":return"Retry the connection. 
If it repeats, verify the upstream OAuth client, redirect URI, token endpoint, and provider allowlist.";case"upstream_token_response_invalid":return"Verify the upstream token endpoint returns a valid OAuth token response for this gateway client.";case"provider_access_denied":return"Start the connection again if access was denied by mistake. Otherwise, grant the requested upstream provider access.";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"Start a new connection from the MCP client. The previous browser authorization request cannot be resumed.";case"browser_login_verification_failed":return"Retry the browser login flow. If it repeats, verify the downstream login callback configuration.";case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"Check the MCP route, upstream server, and auth profile entries in the gateway configuration.";case"authentication_required":case"identity_context_missing":return"Verify the normal Zuplo auth policy runs before the MCP gateway policy and sets request.user.";case"server_error":case"internal_server_error":return"Retry later and check gateway logs with the request ID.";default:return"Check the gateway configuration and request details associated with this error code."}}n(Su,"readBrowserErrorSuggestedFix");function Cu(e){return e===void 0?Z:S`<a class="button button--primary button--block" href="${e.href}">${e.label}</a>`}n(Cu,"renderAction");function vu(e){let t=[["Error code",e.code],["Stage",e.stage],["Request ID",e.requestId],["Time",e.timestamp],["Gateway route",e.routePath],["Operation ID",e.operationId],["Upstream",e.upstreamServerId],["Auth profile",e.authProfileId],["Upstream URL",e.upstreamUrl],["Metadata URL",e.metadataUrl],["HTTP status",e.httpStatus],["Content type",e.contentType],["Provider error",e.providerError],["Provider error 
description",e.providerErrorDescription],["Suggested fix",e.suggestedFix],["Underlying error",e.underlyingError]].filter(r=>r[1]!==void 0).map(([r,o])=>`${r}: ${o}`).join(`
|
|
28
|
-
`);return S`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(vu,"renderTechnicalPre");function
|
|
28
|
+
`);return S`<pre class="banner__message" style="white-space: pre-wrap; overflow-wrap: anywhere; margin-top: 8px;"><code>${t}</code></pre>`}n(vu,"renderTechnicalPre");function qt(e){return e.value===void 0||e.value===""?Z:S`<p class="banner__message"><strong>${e.label}:</strong> <code>${e.value}</code></p>`}n(qt,"renderOptionalTechnicalRow");function Iu(e){return S`<section class="banner banner--warning" aria-label="Developer details">
|
|
29
29
|
<span class="banner__icon" aria-hidden="true">!</span>
|
|
30
30
|
<div class="banner__body">
|
|
31
31
|
<p class="banner__title">Developer details</p>
|
|
32
32
|
<p class="banner__message" data-gateway-error-code="${e.diagnostic.code}">
|
|
33
33
|
<strong>Error code:</strong> <code>${e.diagnostic.code}</code>
|
|
34
34
|
</p>
|
|
35
|
-
${
|
|
36
|
-
${
|
|
37
|
-
${
|
|
38
|
-
${
|
|
35
|
+
${qt({label:"Stage",value:e.diagnostic.stage})}
|
|
36
|
+
${qt({label:"Request ID",value:e.diagnostic.requestId})}
|
|
37
|
+
${qt({label:"Suggested fix",value:e.diagnostic.suggestedFix})}
|
|
38
|
+
${qt({label:"Reason",value:e.diagnostic.underlyingError})}
|
|
39
39
|
${vu(e.diagnostic)}
|
|
40
40
|
${Au(e.upstreamHtml)}
|
|
41
41
|
</div>
|
|
@@ -44,6 +44,6 @@ import{a as uo,b as lo,c as Rt,d as po,e as mo,g as fo,h as ho,i as bt}from"../c
|
|
|
44
44
|
sandbox
|
|
45
45
|
srcdoc="${e}"
|
|
46
46
|
style="border: 1px solid var(--warning-border); border-radius: var(--radius-sm); background: white; width: 100%; min-height: 220px; margin-top: 8px;"
|
|
47
|
-
></iframe>`}n(Au,"renderUpstreamHtml");var Ei="application/json",xu="application/x-www-form-urlencoded";function qt(e,t){return new h({message:e,extensionMembers:{[y]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(qt,"invalidRequestError");function Uu(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(Uu,"normalizeContentType");function ku(e,t){return e===t?!0:t===Ei&&e.endsWith("+json")}n(ku,"contentTypeMatches");function Pu(e,t){if(!t||t.length===0)return;let r=Uu(e.headers.get("content-type"));if(!t.some(o=>ku(r,o)))throw qt(`Request body must be ${t.join(" or ")}.`)}n(Pu,"assertExpectedContentType");function Tu(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw qt(`${r} exceeded the maximum allowed size.`)}n(Tu,"assertContentLengthWithinLimit");async function Oi(e,t){let r=t.label??"Request body";Pu(e,t.expectedContentTypes),Tu(e,t.maxBytes,r);let o=await po(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>qt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(Oi,"readBoundedTextBody");async function qi(e,t){let r=await Oi(e,{...t,expectedContentTypes:[Ei]});try{return JSON.parse(r)}catch(o){throw qt("Request body must be valid JSON.",o)}}n(qi,"readBoundedJsonBody");async function Mi(e,t){let r=await Oi(e,{...t,expectedContentTypes:[xu]});return new URLSearchParams(r)}n(Mi,"readBoundedFormUrlEncodedBody");H();H();import{errors as Li,jwtVerify as Ni,SignJWT as Gi}from"jose";H();import{errors as Eu,jwtVerify as Ou,SignJWT as qu}from"jose";var Ur="zuplo_mcp_session",Mu=d.object({purpose:d.literal("gateway_browser_session"),sub:yt,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()});function Du(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let 
i=r.slice(0,o).trim(),a=r.slice(o+1).trim();if(i)try{t.set(i,decodeURIComponent(a))}catch{t.set(i,a)}}return t}n(Du,"parseCookieHeader");async function Di(){return $({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-session"),"derive")})}n(Di,"getBrowserSessionKey");function xr(e,t){let r=new URL(U(e,t)),o=[`${Ur}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(xr,"buildBrowserSessionEvictionCookie");function zu(e){let t=new URL(U(e.requestUrl,e.requestHeaders)),r=[`${Ur}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(zu,"serializeSessionCookie");function zi(){return new URL(bt("url")).origin}n(zi,"readBrowserLoginOrigin");function kr(){return B().browserLogin.stateTtlSeconds}n(kr,"readBrowserLoginStateTtlSeconds");function Hi(e){if(!e.user)throw _("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Ie(e.user,e.url)}n(Hi,"resolveCurrentRequestPrincipal");async function Mt(e,t={}){let r=Du(e.headers.get("cookie")).get(Ur);if(!r)return{};try{let{payload:o}=await Ou(r,await Di(),{algorithms:[z],issuer:O,audience:D}),i=Mu.parse(o);if(i.browserLoginOrigin!==zi())return{evictCookie:xr(e.url,e.headers)};let a={subjectId:i.sub};return i.roles&&i.roles.length>0&&(a.roles=i.roles),{principal:a}}catch(o){return o instanceof Eu.JWTExpired?{evictCookie:xr(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:xr(e.url,e.headers)})}}n(Mt,"readBrowserSession");async function Dt(e){let 
t=B().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:zi()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new qu(r).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await Di());return zu({value:o,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},ttlSeconds:t})}n(Dt,"createBrowserSessionCookie");async function Bi(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Mt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw _("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");let{exchangeFederatedAuthorizationCode:i}=await import("../browser-login-idp-NPHGGA54.js");return i({code:o,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,...e.context===void 0?{}:{context:e.context}})}n(Bi,"resolveBrowserLoginCallbackPrincipal");function ji(e){let t=B().browserLogin,r=new URL(bt("url")),o=new URL("/oauth/callback",Hn(e.requestUrl,e.requestHeaders));return Jn(r)?(r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",bt("clientId")),r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}n(ji,"buildBrowserLoginUrl");var Hu={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},p=class extends 
Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=Hu[t],i){super(r,i),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var Bu=5*60,ju=d.object({purpose:d.literal("gateway_browser_login"),transactionId:Zt,stateId:Ft,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Lu=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:Zt,stateId:Ft,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function $i(){return $({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-login"),"derive")})}n($i,"getBrowserLoginKey");async function Zi(){return $({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"authorization-csrf"),"derive")})}n(Zi,"getCsrfKey");function Fi(e){return{now:e.now??new Date,ttlSeconds:kr()}}n(Fi,"readPendingTransactionDependencies");function Nu(e,t){return e.subjectId===t.subjectId}n(Nu,"principalsMatch");function Ki(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(Ki,"toPendingPrincipal");function Ji(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:R(e.now),expiresAt:R(J(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw _("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Ki(e.principal)}}n(Ji,"createTransactionRecord");async function Wi(e){let{id:t,...r}=e.record,o=await b().startAuthorization({...r,transactionId:t,...e.client===void 
0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw _("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new p("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new p("invalid_request","redirect_uri is not registered for the client.")}}n(Wi,"startPendingTransaction");async function Gu(e){return new Gi({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await $i())}n(Gu,"signBrowserLoginState");async function Vi(e){return new Gi({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Jt()}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Zi())}n(Vi,"signCsrfToken");async function Pr(e){try{let{payload:t}=await Ni(e,await $i(),{algorithms:[z],issuer:O,audience:D}),r=ju.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Li.JWTExpired?_("oauth_state_expired","Browser login state has expired.",t):_("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Pr,"verifyBrowserLoginStateToken");async function zt(e){try{let{payload:t}=await Ni(e,await Zi(),{algorithms:[z],issuer:O,audience:D});return{transactionId:Lu.parse(t).transactionId}}catch(t){throw t instanceof Li.JWTExpired?_("oauth_state_expired","Authorization setup state has expired.",t):_("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(zt,"verifyCsrfToken");function Tr(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(Tr,"pendingStateErrorCode");function $u(e){return 
e.kind==="available"?{kind:"available",record:e.transaction}:e}n($u,"toPendingAuthorizationGetResult");function Zu(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(Zu,"toPendingAuthorizationAdvanceResult");function Er(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Tr(e==="consumed_already"?"consumed_already":e)}n(Er,"setupDecisionErrorCode");async function Yi(e){let t=e.now??new Date,r=await zt(e.csrfToken),o=await b().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(t)});if(o.kind!=="marked")throw _(Er(o.kind),"Authorization setup state is invalid, expired, or already used.");return Xi({kind:"available",record:o.transaction})}n(Yi,"markSetupApproved");function Xi(e){if(e.kind!=="available")throw _(Tr(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(Xi,"requireAwaitingSetup");function Fu(e){if(!Nu(e.currentBrowserPrincipal,e.transaction.principal))throw _("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(Fu,"requireCurrentPrincipalMatches");async function Qi(e){let t=e.now??new Date,r=kr(),o=Kt(),i=Jt(),a=await Gu({transactionId:o,stateId:i,ttlSeconds:r}),s=Ji({id:o,transaction:e.transaction,currentStateHash:await I(a),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw _("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Wi({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw _("oauth_state_invalid","Authorization transaction did not start in login 
phase.");return{transaction:c,browserLoginStateToken:a,browserLoginUrl:ji({state:a,nonce:i,operationId:s.operationId,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(Qi,"startAwaitingLogin");async function ea(e){let{now:t,ttlSeconds:r}=Fi(e),o=Kt(),i=await Vi({transactionId:o,ttlSeconds:r}),a=Ji({id:o,transaction:e.transaction,currentStateHash:await I(i),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(a.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Wi({record:a,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:i}}n(ea,"startAwaitingSetup");async function ta(e){let{now:t,ttlSeconds:r}=Fi(e),o=await Pr(e.browserLoginStateToken),i=await Vi({transactionId:o.transactionId,ttlSeconds:r}),a=Zu(await b().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await I(e.browserLoginStateToken),nextStateHash:await I(i),nextPhase:"awaiting_setup",principal:Ki(e.principal),now:R(t)}));if(a.kind!=="advanced")throw _(Tr(a.kind),"Browser login state is invalid, expired, or already used.");if(a.record.phase!=="awaiting_setup")throw _("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:a.record,csrfToken:i}}n(ta,"completeLogin");async function ra(e){let t=await Or(e);return Fu({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(ra,"getSetup");async function Or(e){let t=e.now??new Date,r=await zt(e.csrfToken);return Xi($u(await b().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),now:R(t)})))}n(Or,"getSetupTransaction");async function Ku(e){let t=await zt(e.csrfToken),r=Y(),o=R(J(e.now,Bu)),i=await 
b().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await I(r),authorizationCodeExpiresAt:o,grantId:Fn(),now:R(e.now)});if(i.kind!=="approved")throw _(i.kind==="cancelled"?"oauth_state_invalid":Er(i.kind),"Authorization setup state is invalid, expired, or already used.");let a=new URL(i.transaction.redirectUri);return a.searchParams.set("code",r),i.transaction.clientState&&a.searchParams.set("state",i.transaction.clientState),a}n(Ku,"createAuthorizationCodeRedirectWithDecision");async function Ju(e){let t=await zt(e.csrfToken),r=await b().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(e.now)});if(r.kind!=="cancelled")throw _(r.kind==="approved"?"oauth_state_invalid":Er(r.kind),"Authorization setup state is invalid, expired, or already used.");return Wu({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Ju,"createCancelRedirectWithDecision");function Wu(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(Wu,"buildClientCancelRedirect");async function na(e){let t=e.now??new Date;return Ku({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(na,"approve");async function oa(e){let t=e.now??new Date;return Ju({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(oa,"cancel");H();var Vu=1e4,Yu=5*1024,Xu=2,Qu=90*24*60*60,qr="dcr:pkjwt:",el="chatgpt.com",tl="ChatGPT CIMD client metadata could not be used by this gateway. 
In ChatGPT advanced OAuth settings, change Registration method to Dynamic Client Registration (DCR), keep the discovered Registration URL, and retry connecting.",Mr=["authorization_code","refresh_token"],Dr=["code"],rl=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(Mr)).min(1).max(2).optional(),response_types:d.array(d.enum(Dr)).min(1).max(1).optional(),scope:d.literal(T).optional(),token_endpoint_auth_method:$n.optional(),jwks_uri:d.string().min(1).optional()});function nl(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&ue(t))&&t.pathname!=="/"}catch{return!1}}n(nl,"isCimdClientIdCandidate");function ol(e){try{let t=new URL(e);return t.protocol==="https:"&&t.hostname===el&&t.pathname.startsWith("/oauth/")&&t.pathname.endsWith("/client.json")}catch{return!1}}n(ol,"isChatGptCimdClientId");function ia(e){throw new p("invalid_client",ol(e)?tl:"OAuth client is not registered.")}n(ia,"invalidCimdClientError");function Me(e,t="invalid_request",r="authorize"){if(il(e))throw new p(t,"redirect_uris must not include raw whitespace or control characters.");let o;try{o=new URL(e)}catch{throw new p(t,"redirect_uris must be absolute URIs.")}if(o.hash||o.username||o.password)throw new p(t,"redirect_uris must not include credentials or fragments.");let i={source:r},a=Nn({url:o,context:i});if(a.kind!=="rejected"){a.mode!=="strict"&&void 0;return}throw new p(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(Me,"assertValidRedirectUri");function il(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(il,"hasForbiddenRawRedirectUriCharacter");async function al(e){let{response:t,json:r}=await fo(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Xu,maxResponseBytes:Yu,timeoutMs:Vu});if(!t.ok)throw _("invalid_request","CIMD metadata could not be fetched.");let o=Zn.parse(r);for(let 
i of o.redirect_uris)Me(i,"invalid_request","cimd");if(o.jwks_uri!==void 0&&Rt(o.jwks_uri),o.client_id!==e.clientId)throw _("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(al,"fetchCimdMetadata");async function sl(e){let t=lo(e),r=await al({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(sl,"resolveCimdClient");async function Ht(e,t){let r=V.parse(e);if(nl(r)){B().gateway.cimdEnabled||ia(r);try{return await sl(r)}catch{ia(r)}}let o=await b().readClient({clientId:r});if(o.kind==="found"){let i=o.client,a=gl(i.clientId),s=a===void 0?i.tokenEndpointAuthMethod:"private_key_jwt",c=i.jwksUri??a;if(s==="private_key_jwt"&&c===void 0)throw new p("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let l={client_id:i.clientId,client_name:i.clientName,redirect_uris:i.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}},m={kind:"dcr",clientId:r,metadata:l};return i.hashedClientSecret&&(m.hashedClientSecret=i.hashedClientSecret),m}throw new p("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. 
Re-run client registration before authorization.":"OAuth client is not registered.")}n(Ht,"resolveClient");function aa(e,t){if(!e.metadata.redirect_uris.some(r=>Kn(r,t)))throw _("invalid_request","redirect_uri is not registered for the client.")}n(aa,"assertRedirectRegistered");function cl(e){let t=sa(e.grant_types),r=e.response_types??[...Dr];if(!dl(t))throw new p("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!ul(r))throw new p("invalid_client_metadata","response_types must be code.");if(!ll(e.scope))throw new p("invalid_client_metadata",`Only the ${T} scope is supported.`)}n(cl,"assertSupportedDcrRequest");function sa(e){return e===void 0?[...Mr]:Array.from(new Set(e))}n(sa,"normalizeGrantTypes");function dl(e){return e.length===0?!1:e.every(t=>Mr.includes(t))}n(dl,"isSupportedGrantTypes");function ul(e){return e.length===Dr.length&&e[0]==="code"}n(ul,"isSupportedResponseTypes");function ll(e){return e===void 0||e===T}n(ll,"isSupportedDcrScope");function pl(e){try{Rt(e)}catch(t){throw new p("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(pl,"assertValidDcrJwksUri");function ml(e){let t=new TextEncoder().encode(e),r="";for(let o of t)r+=String.fromCharCode(o);return btoa(r).replaceAll("+","-").replaceAll("/","_").replace(/=+$/,"")}n(ml,"encodeBase64Url");function fl(e){let t=e.replaceAll("-","+").replaceAll("_","/"),r=t.padEnd(t.length+(4-t.length%4)%4,"="),o;try{o=atob(r)}catch{return}let i=new Uint8Array(o.length);for(let a=0;a<o.length;a+=1)i[a]=o.charCodeAt(a);return new TextDecoder().decode(i)}n(fl,"decodeBase64Url");function hl(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?V.parse(`${qr}${crypto.randomUUID()}:${ml(e.jwksUri)}`):V.parse(`dcr:${crypto.randomUUID()}`)}n(hl,"createDcrClientId");function Bt(e){return 
e.startsWith(qr)}n(Bt,"isPrivateKeyJwtDcrCompatibilityClientId");function gl(e){if(!Bt(e))return;let t=e.slice(qr.length),r=t.indexOf(":");if(r===-1)return;let o=fl(t.slice(r+1));if(o!==void 0){try{Rt(o)}catch{return}return o}}n(gl,"readPrivateKeyJwtDcrClientIdJwksUri");function rt(e){if(e===void 0||e===T)return T;throw new p("invalid_request",`Only the ${T} scope is supported.`)}n(rt,"assertSupportedOAuthScope");function De(e,t,r){let o;try{o=new URL(t)}catch{throw new p("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new p("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!ue(o))throw new p("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let i=U(e,r),a=zn(),s=a?[...a.byOperationId.values()].find(c=>new URL(c.routePath,i).toString()===t):void 0;if(!s)throw new p("invalid_target","resource must match a published MCP route.");return s}n(De,"resolveResource");async function ca(e){let t;try{t=rl.parse(e)}catch(v){if(v instanceof d.ZodError){let L=v.issues.some(Re=>Re.path[0]==="redirect_uris");throw new p(L?"invalid_redirect_uri":"invalid_client_metadata",v.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:v})}throw v}cl(t);for(let v of t.redirect_uris)Me(v,"invalid_redirect_uri","dcr");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new p("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&pl(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",i=o==="private_key_jwt"?"none":o,a=hl({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=J(r,Qu),c=Math.floor(r.getTime()/1e3),l=Math.floor(s.getTime()/1e3),m={client_id:a,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:sa(t.grant_types),response_types:["code"],scope:T,token_endpoint_auth_method:o,client_id_issued_at:c,...t.jwks_uri===void 
0?{}:{jwks_uri:t.jwks_uri}},f={clientId:a,clientName:String(m.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:i,createdAt:R(r),clientExpiresAt:R(s)};if(o==="client_secret_basic"||o==="client_secret_post"){let v=Y();f.hashedClientSecret=await I(v),f.clientSecretExpiresAt=R(s),m.client_secret=v,m.client_secret_expires_at=l,m.client_secret_issued_at=c}if((await b().registerClient(f)).kind==="already_exists")throw _("invalid_request","OAuth client is already registered.");return m}n(ca,"registerDownstreamClient");function jt(e){return S`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(jt,"renderShellIcon");function da(e){return S`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(da,"renderActions");var zy=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');var Hy=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),By=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" 
width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var jy=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var yl="data:,",ua=S`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,la=S`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function _l(e,t){if(e)try{let r=new URL(t).origin,o=new URL(e,r);return o.origin!==r||!o.pathname.startsWith("/auth/connections/")?void 0:o.toString()}catch{return}}n(_l,"safeGatewayConnectHref");function wl(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(wl,"deriveMode");function Rl(e){return da({state:e.state,submitOnceAttrs:ua,authorizeAttrs:Z})}n(Rl,"renderActions");function zr(e,t,r){for(let o of e){if(o.ownerMode!=="user"||o.status!==r)continue;let i=_l(o.connectUrl,t);if(i)return i}}n(zr,"firstUserConnectHref");function bl(e){let t=e.connectHref?S`<a class="button button--primary" href="${e.connectHref}" ${la}>Connect</a>`:S`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return S`<form class="actions" method="post" action="/oauth/setup" ${ua}><input type="hidden" name="state" 
value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(bl,"renderSetupActions");function Sl(e){return e?S`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${la}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:Z}n(Sl,"renderReconnectAction");function Cl(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(Cl,"isRenderableIconHref");function pa(e){return e?.find(t=>Cl(t.src))?.src}n(pa,"readIconHref");function vl(e){return pa(e.serverIcons)??(e.transportHost===void 0?void 0:hr(e.transportHost).src)}n(vl,"readUpstreamIconHref");function Il(e){let t=pa(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=vl(r);if(o!==void 0)return o}}n(Il,"readHeaderIconHref");function Al(e){return S`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>`}n(Al,"renderBody");function Hr(e){let t=wl(e.upstreams),r=zr(e.upstreams,e.gatewayOrigin,"not_connected"),o=zr(e.upstreams,e.gatewayOrigin,"reconsent_required"),i=zr(e.upstreams,e.gatewayOrigin,"active"),a=t==="setup"?r??o:void 0,s=Il({routeIcons:e.routeIcons,upstreams:e.upstreams}),c=t==="setup"?S`<footer class="card__footer">${bl({state:e.state,connectHref:a})}</footer>`:S`<footer class="card__footer">${Sl(i)}${Rl({state:e.state})}</footer>`;return Te(Oe({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??yl,styles:Ee,headerIcon:s===void 0?Z:jt({iconHref:s,fallbackIconHref:At}),heading:"Authorize 
access",subhead:Z,body:Al({routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName}),footer:c}))}n(Hr,"renderConsentPage");var xl=1e4,ma="mcp-session-id",Ul,fa;function wa(){return{tools:[],prompts:[],resources:[]}}n(wa,"emptyCapabilities");function ha(e){let t=new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":Wt});switch(e.type){case"none":return t;case"bearer_token":return t.set("authorization",`Bearer ${e.token}`),t;case"headers":for(let[r,o]of Object.entries(e.headers))t.set(r,o);return t;case"mcp_oauth_provider":throw new Error("MCP OAuth provider credentials require async headers.")}}n(ha,"buildCredentialHeaders");async function ga(e){if(e.type!=="mcp_oauth_provider")return ha(e);let t=await e.provider.tokens();if(!t)return;let r=ha({type:"none"});return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(ga,"buildAsyncCredentialHeaders");function ya(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(ft.parse({jsonrpc:mt,id:1,method:"initialize",params:{protocolVersion:Wt,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(ya,"buildInitializePreflight");async function Br(e){uo(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),xl);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return fa?await fa(o):await ct.fetch(o)}finally{clearTimeout(r)}}n(Br,"runPreflight");function jr(e){e.body?.cancel().catch(()=>{})}n(jr,"releasePreflightBody");async function kl(e){let t=e.response.headers.get(ma);if(!t)return;let r=new Headers(e.headers);r.set(ma,t),r.delete("content-type");try{let o=await Br(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));jr(o)}catch{}}n(kl,"terminatePreflightSession");async function Ra(e){let{response:t}=e;return jr(t),t.status>=200&&t.status<300?(await 
kl(e),{kind:"ready",upstreamStatus:t.status,capabilities:wa()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(Ra,"classifyResponse");function _a(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(_a,"connectRequiredResult");async function Pl(e){try{return Ra({response:await Br(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Pl,"classifyPreflight");async function Tl(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:wa()};let r=Et(t.upstreamServerId,e.route.operationId),o=Pe(r,e.subjectId),i=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},a=new Request(e.requestUrl,{...e.requestHeaders===void 0?{}:{headers:e.requestHeaders}}),s=await ke({request:a,routeAuth:i,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return _a(s.payload);let c=await ga(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let l=ya({upstreamUrl:t.mcpUrl,headers:c}),m;try{m=await Br(l)}catch(v){return{kind:"upstream_unavailable",message:v instanceof Error?v.message:"Upstream MCP server readiness preflight failed."}}if(m.status!==401)return Ra({response:m,upstreamUrl:t.mcpUrl,headers:c});jr(m);let f=await ke({request:a,routeAuth:i,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(f.kind==="connect_required")return _a(f.payload);let x=await ga(f.credential);return x===void 
0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Pl({request:ya({upstreamUrl:t.mcpUrl,headers:x}),upstreamUrl:t.mcpUrl,headers:x})}n(Tl,"checkUpstreamRouteReadinessImpl");function ba(e){return(Ul??Tl)(e)}n(ba,"checkUpstreamRouteReadiness");function El(e){try{return new URL(e).host}catch{return}}n(El,"safeUrlHost");function Ol(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}n(Ol,"readOAuthScopes");function Sa(e){return e!==void 0&&e.length>0}n(Sa,"hasItems");function ql(e){let t=e.serverInfo?.icons;if(Sa(t))return t;let r=xt(e.mcpUrl);return r===void 0?void 0:[r]}n(ql,"readServerIcons");async function Ml(e){if(!(e.returnTo===void 0||!e.isUserOwned))return yr({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Ml,"readConnectUrl");function _e(e,t){return t===void 0?{}:{[e]:t}}n(_e,"optionalRequirementField");function Dl(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?oo(e.connection):{connected:!0,status:"active"}}n(Dl,"readSetupConnectionStatus");function zl(e){let t=Ol(e);return Sa(t)?t:void 0}n(zl,"readScopesRequested");function Hl(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(Hl,"readUpdatedAt");function Bl(){return{tools:[],prompts:[],resources:[]}}n(Bl,"readRouteCapabilities");async function jl(e){let{authConfig:t,authMode:r,description:o,displayName:i,mcpUrl:a,upstreamServerId:s,authProfileId:c}=e.registeredConnection,l=Ut(r),m=l==="user",f=Dl({connection:e.connection,isUserOwned:m,readiness:e.readiness}),x=e.readiness?.connectUrl??await 
Ml({...e,connected:f.connected,isUserOwned:m});return{upstreamServerId:s,authProfileId:c,authMode:r,ownerMode:l,upstreamDisplayName:i,status:f.status,connected:f.connected,capabilities:Bl(),..._e("description",o),..._e("transportHost",El(a)),..._e("scopesRequested",zl(t)),..._e("serverIcons",ql(e.registeredConnection)),..._e("connectUrl",x),..._e("updatedAt",Hl({connectionStatus:f,isUserOwned:m})),..._e("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(jl,"buildSetupRequirement");function Ca(e){let t=N().byOperationId.get(e);if(!t)throw _("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(Ca,"requireRoute");async function Lr(e){let t=Ca(e.transaction.operationId),r=_t(e.transaction.principal.subjectId),o=[],i=new Map,a=t.connection;if(a===void 0)return[];Ut(a.authMode)==="user"&&(i.set(a,o.length),o.push({owner:r,upstreamServerId:a.upstreamServerId,authProfileId:a.authProfileId}));let s=await b().batchGetUpstreamConnections(o),c=[],l=Ut(a.authMode)==="user",m=i.get(a),f=await ba({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:l&&m!==void 0?s[m]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),x=(()=>{if("connectionStatus"in f&&f.connectionStatus)return f.connectionStatus})(),v=(f.kind==="connect_required"||f.kind==="admin_setup_required")&&f.payload.authUrl!==void 0?f.payload.authUrl:void 0;return c.push(await jl({connection:l&&m!==void 0?s[m]:void 0,registeredConnection:a,route:t,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:x===void 0?void 0:{...x,...v===void 0?{}:{connectUrl:v}}})),c}n(Lr,"requirementsForSetup");function Ll(e){return e.route.connection?.displayName??e.route.operationId}n(Ll,"readRouteDisplayName");async function Nr(e){let t=Ca(e.transaction.operationId),r=Ll({route:t}),o=await 
b().readClient({clientId:e.transaction.clientId}),i=o.kind==="found"?o.client:void 0,a={gatewayOrigin:U(e.requestUrl,e.requestHeaders),routeDisplayName:r,clientDisplayName:i?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(a.routeDescription=s),a}n(Nr,"consentContext");function Gr(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Gr,"hasUnresolvedUserUpstream");var Nl=["mcp_user"],Gl="dev-browser-user",$l=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Zl=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:Gn,state:d.string().min(1).optional(),scope:d.literal(T).default(T)}),Fl=d.enum(["continue","approve","cancel"]).default("continue"),Kl=d.object({state:d.string().min(1),decision:Fl}),ae=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function va(e){return typeof e=="string"&&e.length>0?e:void 0}n(va,"readQueryString");function Jl(e){let t=Array.from(N().byOperationId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return 
Vt(r.operationId,e.url,e.headers)}n(Jl,"inferSingleRouteResource");function Wl(e,t){let r=va(e.query.resource);if(t===void 0){if(r!==void 0)return r;let i=Jl(e);if(i!==void 0)return i;throw new p("invalid_target",$l)}let o=Vt(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new p("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Wl,"requireAuthorizeResource");async function Vl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let i=Hi(e);return{principal:i,setCookie:await Dt({principal:i,requestUrl:e.url,requestHeaders:e.headers})}}n(Vl,"resolveBrowserPrincipal");async function Yl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Mt(e,r);if(!o.principal)throw _("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Yl,"requireSetupPrincipal");function Ia(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}n(Ia,"buildSetupReturnTo");async function Aa(e){let t=await Lr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:Ia(e.csrfToken)}),r=await Nr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}}),o={kind:"setup_page",html:Hr({state:e.csrfToken,operationId:e.transaction.operationId,upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(Aa,"renderSetup");function Xl(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Xl,"toAuthorizationTransactionClient");async function $r(e,t={}){let r=Zl.parse({...e.query,resource:Wl(e,t.operationId),state:va(e.query.state)}),o=rt(r.scope);Me(r.redirect_uri,"invalid_request","authorize");let i=new Date,a=V.parse(r.client_id),s=await 
Ht(r.client_id,i);aa(s,r.redirect_uri);try{let c=De(e.url,r.resource,e.headers),l=Xl(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:a,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&C(t.context,{eventType:w.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type}});let m={clientId:s?.clientId??a,...l===void 0?{}:{client:l},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:f,setCookie:x}=await Vl(e,t.context);if(!f){let L=await Qi({transaction:m,requestUrl:e.url,requestHeaders:e.headers,now:i});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:a,operationId:c.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let Re={kind:"redirect",location:L.browserLoginUrl};return x!==void 0&&(Re.setCookie=x),Re}let v=await ea({transaction:m,principal:f,now:i});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:a,operationId:c.operationId,subjectId:f.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&C(t.context,{eventType:w.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type,subjectId:f.subjectId}}),Aa({transaction:v.transaction,csrfToken:v.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:x})}catch(c){throw Ql({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n($r,"authorizeDownstreamClient");function Ql(e){if(e.cause instanceof ae)return e.cause;let t=ep(e.cause);return t?new 
ae({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Ql,"toDownstreamAuthorizeRedirectError");function ep(e){if(e instanceof p)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(ep,"mapToOAuthRedirectError");async function xa(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let m=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,f=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...m===void 0?{}:{idpErrorDescription:m},...f===void 0?{}:{idpErrorUri:f}},"Identity provider redirected browser-login callback with an error"),_("provider_access_denied",m??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),_("oauth_state_invalid","Browser login callback is missing state.");let i=await Pr(o),a={request:e,stateId:i.stateId};t.context!==void 0&&(a.context=t.context);let s=await Bi(a),c=await ta({browserLoginStateToken:o,principal:s}),l=await Aa({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return l.setCookie=await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers}),l}n(xa,"completeBrowserLoginCallback");async function Ua(e){let t=B(),r=new URL(e.url);if(!ue(r))throw _("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw _("oauth_state_invalid","Local browser login 
is missing state.");let i=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",U(e.url)),a=new URL(U(e.url)).origin;if(i.origin!==a||i.pathname!=="/oauth/callback")throw _("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");i.searchParams.set("state",o);let s={subjectId:yt.parse(Gl),roles:Nl};return{kind:"redirect",location:i,setCookie:await Dt({principal:s,requestUrl:e.url,requestHeaders:e.headers})}}n(Ua,"completeLocalDevBrowserLogin");function tp(e){let t=e.method==="POST"?e.body:e.query;return Kl.parse(t)}n(tp,"readSetupContinueRequest");async function ka(e){let{state:t,decision:r}=tp({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,i=await Or({csrfToken:t,now:o}),a=await Yl(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await oa({csrfToken:t,currentBrowserPrincipal:a,now:o})};let s=await ra({csrfToken:t,currentBrowserPrincipal:a,now:o}),c=await Lr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:Ia(t)});if(r==="approve"&&Gr(c)&&await Yi({csrfToken:t,currentBrowserPrincipal:a,now:o}),Gr(c)){let l=await Nr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:Hr({state:t,operationId:s.operationId,upstreams:c,...l})}}return{kind:"redirect",location:await na({csrfToken:t,currentBrowserPrincipal:a,now:o})}}n(ka,"continueDownstreamAuthorizeSetup");H();import{createLocalJWKSet as rp,decodeJwt as np,errors as nt,jwtVerify as op}from"jose";var ip=new 
Set(["authorization_code","refresh_token"]),ap="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",sp=1e4,cp=32*1024,dp=2,Pa=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),up=d.discriminatedUnion("grant_type",[Pa.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:gt,resource:d.url().optional(),scope:d.literal(T).optional()}),Pa.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(T).optional()})]);function lp(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!ip.has(t)))throw new p("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(lp,"assertSupportedGrantType");var pp=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),mp=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function Ta(){return B().gateway.accessTokenTtlSeconds}n(Ta,"readAccessTokenTtlSeconds");function fp(){return B().gateway.refreshTokenTtlSeconds}n(fp,"readRefreshTokenTtlSeconds");function hp(e,t){let r=Ta(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),i=Math.min(r,o);return{expiresAt:R(J(e,i)),expiresIn:i}}n(hp,"calculateAccessTokenExpiresAt");function Ea(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new p("invalid_client","Malformed HTTP Basic client 
authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}}n(Ea,"readBasicClientSecret");function Oa(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new p("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=np(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new p("invalid_client","Malformed private_key_jwt client assertion.")}throw new p("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new p("invalid_client","Client authentication or client_id is required.")}n(Oa,"resolveAuthenticatedClientId");function gp(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(gp,"resolveClientSecretInput");function yp(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(yp,"hasClientAssertion");function _p(e){if(e.requestUrl===void 0)throw new p("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,U(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(_p,"buildEndpointAudience");function wp(e){return e instanceof nt.JWTExpired?"expired":e instanceof nt.JWTClaimValidationFailed?"claim":e instanceof nt.JWSSignatureVerificationFailed?"signature":e instanceof nt.JWKSNoMatchingKey?"jwks_no_match":e instanceof nt.JWTInvalid?"invalid":e instanceof 
d.ZodError?"schema":"other"}n(wp,"readJwtFailureKind");async function Rp(e){let{response:t,json:r}=await ho(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:dp,maxResponseBytes:cp,timeoutMs:sp});if(!t.ok)throw new p("invalid_client","Client JWKS could not be fetched.");return mp.parse(r)}n(Rp,"fetchClientJwks");async function bp(e){if(e.clientAssertionType!==ap||e.clientAssertion===void 0)throw new p("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=V.parse(e.clientId),r=await Ht(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new p("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new p("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let i=_p({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let a=await Rp({jwksUri:o,context:e.context});await op(e.clientAssertion,rp(a),{issuer:t,subject:t,audience:i,currentDate:e.now})}catch(a){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:wp(a)},"OAuth private_key_jwt client authentication failed"),new p("invalid_client","Client authentication failed.")}return Bt(t)?{method:"none",clientId:t}:{method:"private_key_jwt",clientId:t}}n(bp,"verifyPrivateKeyJwtClientAssertion");async function Sp(e){let t=V.parse(e.clientId);if(Bt(t))throw new p("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await I(e.clientSecret)}}n(Sp,"buildRuntimeHttpClientAuth");async function qa(e){if(yp({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 
0||e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return bp(e)}let t=gp({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return Sp({clientId:e.clientId,...t})}n(qa,"resolveRuntimeHttpClientAuth");async function Ma(e){lp(e.body);let t=up.parse(e.body),r=Ea(e.authorizationHeader),o=Oa({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date,a=await qa({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:i,context:e.context});return Cp({parsed:t,clientId:o,clientAuth:a,now:i,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(Ma,"exchangeDownstreamToken");async function Cp(e){if(e.parsed.grant_type==="authorization_code"){Me(e.parsed.redirect_uri,"invalid_request","token"),rt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let s=Y(),c=Y(),l=R(J(e.now,fp())),m=hp(e.now,l),f=await b().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await I(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await co(e.parsed.code_verifier),currentRefreshTokenHash:await I(s),accessTokenHash:await I(c),grantExpiresAt:l,accessTokenExpiresAt:m.expiresAt,now:R(e.now)});if(f.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(f.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the authorization code resource.");if(f.kind!=="exchanged")throw new p("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return 
e.context&&C(e.context,{eventType:w.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:c,token_type:"Bearer",expires_in:m.expiresIn,refresh_token:s,scope:f.grant.scope,resource:f.grant.resource}}rt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=Y(),r=Y(),o=R(J(e.now,Ta())),i=await b().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await I(e.parsed.refresh_token),nextRefreshTokenHash:await I(t),accessTokenHash:await I(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:o,now:R(e.now)});if(i.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new p("invalid_grant","Refresh token is invalid, expired, or revoked.");De(e.requestUrl??i.grant.resource,i.grant.resource,e.requestHeaders);let a=i.accessToken.expiresAt;return e.context&&(C(e.context,{eventType:w.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),C(e.context,{eventType:w.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(a).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:i.grant.scope,resource:i.grant.resource}}n(Cp,"exchangeDownstreamTokenWithRuntimeHttp");async function Da(e){let t=pp.parse(e.body),r=Ea(e.authorizationHeader),o=Oa({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date;if((await b().revokeOAuthToken({clientAuth:await 
qa({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:i,context:e.context}),tokenHash:await I(t.token),now:R(i)})).kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&C(e.context,{eventType:w.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(Da,"revokeDownstreamToken");var vp=64*1024,Ip=16*1024,Ap="text/html; charset=utf-8";function xp(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(xp,"formDataToObject");async function Up(e){return qi(e,{maxBytes:vp,label:"Request body"})}n(Up,"readJsonBody");async function Fr(e){return xp(await Mi(e,{maxBytes:Ip,label:"Request body"}))}n(Fr,"readFormBody");async function Ha(e,t,r){let o=le(r),i=r instanceof d.ZodError?se(r):void 0,a={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return i!==void 0&&(a.detail=i),Ln(e,t,a)}n(Ha,"handleProblem");function Ba(e){return e?.requestId}n(Ba,"readBrowserRequestId");function ja(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(ja,"readUpstreamHtmlError");function za(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(za,"readRuntimeErrorExtensionString");function kp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(kp,"readRuntimeErrorExtensionNumber");function Pp(e){try{return new URL(e.url).pathname}catch{return}}n(Pp,"readBrowserRequestPath");function we(e){let t={code:e.code,requestId:e.requestId,routePath:Pp(e.request),underlyingError:e.underlyingError};return 
e.error instanceof h&&(t.httpStatus=kp(e.error,Ce),t.contentType=za(e.error,be),t.upstreamUrl=za(e.error,ve)),t}n(we,"buildBrowserErrorDiagnostic");function ot(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(ot,"oauthErrorResponse");function Tp(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(Tp,"readOAuthProtocolHeaders");function Ep(e,t){let r=j("internal_server_error");return ot({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:Tp(e,t)})}n(Ep,"oauthProtocolErrorResponse");function Zr(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(Zr,"readZodOAuthErrorCode");function Op(e){let t={error:Zr(e)},r=se(e);return r!==void 0&&(t.errorDescription=r),ot(t)}n(Op,"oauthZodErrorResponse");function qp(e){let t=le(e);if(t===void 0)return;let r=j(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:Dp(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,ot(o)}n(qp,"oauthGatewayProblemResponse");function Mp(){let t={error:"server_error",status:500,errorDescription:j("internal_server_error").publicDetail};return ot(t)}n(Mp,"oauthFallbackErrorResponse");function Dp(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Dp,"readOAuthStatus");function Kr(e,t={}){return e instanceof ae?Ga(e):e instanceof p?Ep(e,t):e instanceof d.ZodError?Op(e):qp(e)??Mp()}n(Kr,"oauthProblemResponse");function Jr(e,t,r){let o=qe(e.url),i=Ba(t);if(r instanceof ae)return Ga(r);if(r instanceof p){let c=j("internal_server_error");return 
F({host:o,kind:zp(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:we({request:e,requestId:i,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:i,status:r.status})}if(r instanceof d.ZodError)return F({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was invalid.",code:Zr(r),diagnostic:we({request:e,requestId:i,code:Zr(r),underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:i});let a=le(r);if(a!==void 0){let c=j(a);return F({host:o,kind:Na(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:we({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:ja(r),status:c.status})}let s=j("internal_server_error");return F({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:we({request:e,requestId:i,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(Jr,"browserOAuthProblemResponse");function La(e,t,r){let o=qe(e.url),i=Ba(t),a=le(r);if(a!==void 0){let c=j(a);return F({host:o,kind:Na(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:we({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:ja(r),status:c.status})}if(r instanceof d.ZodError)return F({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was 
invalid.",code:"invalid_request",diagnostic:we({request:e,requestId:i,code:"invalid_request",underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:i});let s=j("internal_server_error");return F({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:we({request:e,requestId:i,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(La,"browserGatewayProblemResponse");function zp(e){return e==="server_error"?"internal_error":"invalid_request"}n(zp,"readOAuthBrowserErrorKind");function Na(e){if(j(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(Na,"readGatewayBrowserErrorKind");function ee(e,t,r){let o={event:t},i=!1;if(r instanceof p)o.oauthError=r.errorCode,o.status=r.status,W(o,"error",r);else if(r instanceof ae)o.oauthError=r.errorCode,W(o,"error",r);else if(r instanceof 
d.ZodError){o.code="invalid_request",W(o,"error",r);let a=r.issues[0];a&&(o.zodPath=a.path.join("."))}else{let a=le(r);if(a!==void 0){let s=j(a);o.code=a,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),i=s.status>=500||s.oauthError==="server_error",W(o,"error",r)}else i=!0,W(o,"error",r)}if(i){let a=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,a.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(ee,"logUnexpectedOAuthHandlerError");function Ga(e){let t;try{t=new URL(e.redirectUri)}catch{return ot({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(Ga,"downstreamAuthorizeRedirectErrorResponse");function se(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(se,"formatZodErrorDetail");function Hp(e,t){let r={event:"browser_login_callback_failed",code:le(t)??"invalid_request"};W(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Hp,"logBrowserLoginCallbackFailure");function $a(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n($a,"redirectResultResponse");function Lt(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":Ap,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return $a(e)}n(Lt,"authorizeResultResponse");async 
function Za(e,t){try{return Response.json(Wn(e.url,e.headers))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),Ha(e,t,r)}}n(Za,"authorizationServerMetadataHandler");async function Fa(e,t){try{let r=Yt(e.params.routePath);return Response.json(Vn({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),Ha(e,t,r)}}n(Fa,"scopedAuthorizationServerMetadataHandler");async function Ka(e,t){try{let r=await ca(await Up(e)),o=r,i=typeof o.client_id=="string"?o.client_id:void 0,a=typeof o.client_name=="string"?o.client_name:void 0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:i,clientName:a,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),C(t,{eventType:w.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:a,attributes:{clientId:i,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_register_failed",r),Kr(r)}}n(Ka,"registerHandler");async function Ja(e,t){try{return Lt(await $r(e,{context:t}))}catch(r){return ee(t,"oauth_authorize_failed",r),Jr(e,t,r)}}n(Ja,"authorizeHandler");async function Wa(e,t){try{let r=Yt(e.params.routePath);return Lt(await $r(e,{operationId:r.operationId,context:t}))}catch(r){return ee(t,"oauth_authorize_scoped_failed",r),Jr(e,t,r)}}n(Wa,"scopedAuthorizeHandler");async function Va(e,t){try{let r=await xa(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Lt(r)}catch(r){return Hp(t,r),La(e,t,r)}}n(Va,"callbackHandler");async function Ya(e,t){try{return $a(await Ua(e))}catch(r){return 
ee(t,"oauth_dev_login_failed",r),Jr(e,t,r)}}n(Ya,"devLoginHandler");async function Xa(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await ka({request:e,body:e.method==="POST"?await Fr(e):void 0,context:t});return Lt(r)}catch(r){return ee(t,"oauth_setup_failed",r),La(e,t,r)}}n(Xa,"setupHandler");async function Qa(e,t){try{return Response.json(await Ma({body:await Fr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return ee(t,"oauth_token_failed",r),Kr(r)}}n(Qa,"tokenHandler");async function es(e,t){try{return await Da({body:await Fr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_revoke_failed",r),Kr(r)}}n(es,"revokeHandler");var Bp={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},ts=Symbol("upstream-request");function jp(e){let t=e[ts];if(!t)throw new M("Upstream request context has not been set");return t}n(jp,"readUpstreamRequestContext");function Lp(e,t){return t.some(r=>r===e)}n(Lp,"requestContextMatchesKind");function Np(e){return typeof e=="string"?[e]:e}n(Np,"toExpectedKinds");function ze(e,t){Object.defineProperty(e,ts,{configurable:!0,value:t})}n(ze,"setUpstreamRequestContext");function it(e,t){let r=jp(e),o=Np(t);if(!Lp(r.kind,o)){let i=Bp[o[0]];throw new M(`${i} request context has not been set`)}return r}n(it,"requireUpstreamRequestContext");function rs(e){return S`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(rs,"renderBrowserResult");var Gp="text/html; charset=utf-8",$p="none";function Zp(e){let t=fr(e.host);return 
Oe({title:e.title,iconHref:t,styles:Ee,headerIcon:jt({iconHref:t,fallbackIconHref:At}),heading:e.title,subhead:"",body:rs({body:e.body,code:e.code??$p}),footer:""})}n(Zp,"browserResultHtml");function Fp(e,t=200){return new Response(Te(e),{status:t,headers:{"content-type":Gp,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Fp,"browserResultResponse");function ns(e){return Fp(Zp(e))}n(ns,"browserConnectionSuccessResponse");function Nt(e,t,r={}){let o=jn(t);return F({host:e,kind:Kp(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(Nt,"browserConnectionFailureResponse");function Kp(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(Kp,"readCallbackFailureBrowserErrorKind");var Jp=["callback_authorization_code","callback_provider_error","callback_invalid"];function Wr(e){try{return new URL(e.url).pathname}catch{return}}n(Wr,"readBrowserRequestPath");function Wp(e){return"cause"in e?e.cause:void 0}n(Wp,"readErrorCause");function Vp(e){return e.stack?.split(`
|
|
48
|
-
`).slice(1,4).map(t=>t.trim()).join(" | ")}n(Vp,"readFirstStackFrame");function os(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=Vp(r))}n(os,"addErrorAttributes");function Vr(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[y];return bn(t)?t:void 0}n(Vr,"readRuntimeGatewayCode");function is(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(is,"readRuntimeErrorExtensionString");function Yp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Yp,"readRuntimeErrorExtensionNumber");function Xp(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),C(t,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),Nt(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:Wr(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Nt(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:Wr(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(Xp,"requireAuthorizationCallbackRequest");function 
Qp(e,t){C(e,{eventType:w.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(Qp,"emitCallbackReceivedAnalyticsEvent");function em(e,t){C(e,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(em,"emitTokenExchangeSucceededAnalyticsEvent");function tm(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return ns({host:qe(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(tm,"buildSuccessfulCallbackResponse");function rm(e){let t={detail:e instanceof Error?e.message:void 0};return os(t,"error",e),e instanceof Error&&os(t,"cause",Wp(e)),t}n(rm,"buildTokenExchangeFailureAttributes");function nm(e){C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:Vr(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:rm(e.error)})}n(nm,"emitTokenExchangeFailedAnalyticsEvent");function om(e){let t=e.error,r=Vr(t),o=Sn(r)?r:"upstream_token_exchange_failed",i={code:o,requestId:e.context.requestId,routePath:Wr(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof h?{httpStatus:Yp(t,Ce),contentType:is(t,be),upstreamUrl:is(t,ve)}:{}};return Nt(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:i,upstreamHtml:im(t)})}n(om,"tokenExchangeFailureResponse");function im(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(im,"readUpstreamHtmlError");async function Yr(e,t){let r=it(e,Jp),o=qe(e.url),i=Xp(e,t,r,o);if(i instanceof Response)return i;Qp(t,i);try{let a=await Ci({request:e,callbackRequest:i});return 
em(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,operationId:a.operationId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),tm(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:Vr(a)??"upstream_token_exchange_failed",upstreamServerId:i.upstreamServerId};return W(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),nm({context:t,callbackRequest:i,error:a}),om({request:e,context:t,host:o,callbackRequest:i,error:a})}}n(Yr,"callbackHandler");function am(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(am,"clientMetadataProblemDetail");async function as(e,t){let r=it(e,"connect"),o=await Si({request:e,connectRequest:r});if(C(t,{eventType:w.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let i=await Pt({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(i,{status:428})}n(as,"connectHandler");async function Xr(e,t){let r=it(e,"client_metadata");try{let o=oi(e.url,e.headers),i=ii(o,r.upstreamServerId,r.authProfileId);return Response.json(i)}catch(o){if(!(o instanceof P))throw o;let i=o instanceof Error?o.message:String(o);return 
t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),de.notFound(e,t,{code:"not_found",detail:am(o)})}}n(Xr,"oauthClientMetadataHandler");function ce(e){if(typeof e=="string"&&e.length!==0)return e}n(ce,"readOptionalQueryString");function sm(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new M(`Validated path parameter ${t} is missing`);return ss(r,t)}n(sm,"requirePathString");function ss(e,t){try{return decodeURIComponent(e)}catch(r){throw new h({message:`Path parameter "${t}" must be valid URL encoding.`,extensionMembers:{[y]:"invalid_request"}},{cause:r})}}n(ss,"decodePathString");function cm(e){let t=ce(e);return t?pt.parse(t):void 0}n(cm,"readOptionalOperationId");function dm(e,t){let r=ce(e);return r?An.parse(r):ht(t,"user-oauth")}n(dm,"readOptionalAuthProfileId");function um(e,t){let r=e.params[t];return typeof r=="string"&&r.length>0?ss(r,t):void 0}n(um,"readOptionalPathString");function lm(e){let t=cm(e);if(!t)throw new h({message:"operationId query parameter is required.",extensionMembers:{[y]:"invalid_request"}});return t}n(lm,"readRequiredOperationId");function pm(e){let t=Qn(ce(e));return t===void 0?{}:{returnTo:t}}n(pm,"readOptionalReturnTo");function mm(e){let t=ce(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(mm,"readOptionalProviderErrorDescription");function fm(e){let t=G(e.authMode);if(t.connectSupport!=="none")return e;throw new h({message:t.connectUnsupportedDetail??"This upstream does not support browser connection flows.",extensionMembers:{[y]:"invalid_request"}})}n(fm,"requireConnectableRouteAuth");function hm(e,t,r,o){return{kind:"connect",...Pe(e,t.subjectId),...o===void 0?{}:{returnTo:o},redirect:r}}n(hm,"buildConnectContextForUser");function gm(e,t,r){let o=wt(t),i=G(e.authMode);if(o.mode!==i.ownerMode)throw new h({message:"Browser 
connect ticket did not match the requested upstream flow",extensionMembers:{[y]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(gm,"buildConnectContextForTicket");async function ym(e,t){let r=fm(Et(t,lm(e.query.operationId))),o=e.query.redirect==="true",i=ce(e.query.browserTicket);if(e.user){if(i)throw new h({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[y]:"invalid_request"}});let s=Ie(e.user,e.url);return hm(r,s,o,pm(e.query.returnTo).returnTo)}if(!i)throw new h({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[y]:"authentication_required"}});let a=await Yo(i);if(a.ownerMode!==r.ownerMode||a.upstreamServerId!==r.upstreamServerId||a.authProfileId!==r.authProfileId||a.operationId!==r.operationId)throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[y]:"oauth_callback_mismatch"}});return await Xo(a),gm(r,a,o)}n(ym,"resolveConnectContext");async function _m(e,t,r){let o=In.parse(sm(e,"connection"));switch(r){case"connect":ze(e,await ym(e,o));return;case"callback":{let i=ce(e.query.error);if(i){ze(e,{kind:"callback_provider_error",upstreamServerId:o,error:i,...mm(e)});return}let a=ce(e.query.code),s=ce(e.query.state);if(a&&s){ze(e,{kind:"callback_authorization_code",upstreamServerId:o,code:a,state:s});return}ze(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":ze(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:dm(um(e,"authProfileId")??e.query.authProfileId,o)});return}}n(_m,"resolveUpstreamRequestInbound");async function wm(e,t,r){try{await _m(e,t,r);return}catch(o){let i=o instanceof h?o.extensionMembers?.[y]:void 0,a=o instanceof Error?o.message:void 0;switch(i){case"invalid_request":case"oauth_callback_mismatch":return 
de.badRequest(e,t,{code:i,detail:a});case"authentication_required":return de.unauthorized(e,t,{code:i,detail:a});default:throw o}}}n(wm,"applyUpstreamRequestContext");function at(e,t){return n(async(o,i)=>{let a=await wm(o,i,e);return a||t(o,i)},"wrapped")}n(at,"withUpstreamRequestContext");var Rm={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function bm(){return new Response(null,{status:204,headers:Rm})}n(bm,"buildWellKnownPreflightResponse");function Sm(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(Sm,"withWellKnownCorsHeaders");function Qr(e){return async(t,r)=>t.method==="OPTIONS"?bm():Sm(await e(t,r))}n(Qr,"wrapWellKnownHandler");var us=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Qr(Za),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:Qr(Fa),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:Qr(Yn),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Ka},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Ja},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:Wa},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Va},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Ya},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:Xa},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:Qa},{routeName:"oauth_revoke",path:"/oauth/revoke",m
ethods:["POST"],handler:es},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:at("client_metadata",Xr)},{routeName:"upstream_client_metadata_profile",path:"/.well-known/oauth-client/:connection/:authProfileId",methods:["GET"],handler:at("client_metadata",Xr)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:at("connect",as)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:at("callback",Yr)}],Cm=us.filter(e=>!e.routeName.startsWith("upstream_")),vm=us.filter(e=>e.routeName.startsWith("upstream_"));function ls(e){return e?.some(wn)??!1}n(ls,"hasMcpOAuthRuntimeConfigPolicy");function ps(e){return e?.some(t=>En(t.policyType))??!1}n(ps,"hasMcpTokenExchangePolicy");function ms(e){return ls(e)||ps(e)}n(ms,"shouldRegisterMcpGatewayInternalRoutes");function Im(e){Mn(On({routes:e.routes,policies:e.policies}))}n(Im,"initializeMcpGatewayConnectionRegistry");function Am(e){let t=Rn(e.policies);if(!t){let r=[..._n].map(o=>`\`${o}\``).join(", ");throw new P(`MCP gateway: could not find an MCP authorization policy in policies.json. 
Add one of [${r}] and reference it on your MCP routes.`)}return t.config}n(Am,"initializeMcpGatewayOAuthRuntimeConfig");function cs(e,t,r){return async(o,i)=>{r&&gn(i,r());let a=o.method==="OPTIONS",s=Date.now();a||i.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,i);return a||i.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(cs,"wrapInternalHandler");function ds(e,t,r){e.addPluginRoute({path:t.path,methods:t.methods,handler:r,processors:[sn],corsPolicy:t.corsPolicy??"none"})}n(ds,"addInternalRoute");function fs(e,t){Im(t);let r=ls(t.policies),o=ps(t.policies),i,a=n(()=>(i===void 0&&(i=Am(t)),i),"readOAuthConfig");if(r)for(let s of Cm)ds(e,s,cs(s.routeName,s.handler,a));if(o)for(let s of vm)ds(e,s,cs(s.routeName,s.handler))}n(fs,"registerMcpGatewayInternalRoutes");function hs(e){qn(e)}n(hs,"configureLazyMcpGatewayState");var en=class extends on{static{n(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!ms(r.policies))return;let o={routes:r.routes,policies:r.policies};hs(o),fs(t.router,o)}};var xm=new TextDecoder;function Um(e){if(e)try{return JSON.parse(xm.decode(e))}catch{return}}n(Um,"readBodyJson");function te(e){return e&&typeof e=="object"?e:void 0}n(te,"readRecord");function st(e,t){let r=te(e)?.[t];return typeof r=="string"?r:void 0}n(st,"readStringProperty");function ys(e,t){let r=te(e)?.[t];return typeof r=="number"?r:void 0}n(ys,"readNumberProperty");function gs(e,t){return ys(e,"code")??(t.status>=400?t.status:void 0)}n(gs,"readErrorCode");function _s(e){return Array.isArray(e)?e.map(_s).find(t=>t?.method):te(e)}n(_s,"readJsonRpcMessage");function ws(e){let t=_s(Um(e)),r=typeof 
t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:st(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:st(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let i=st(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:i,resourceUri:i}}default:return null}}n(ws,"buildBaseCapabilityInput");function Rs(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(Rs,"isCapabilityListMethod");function km(e,t,r){let a=te(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(a)?a.length:void 0}n(km,"readItemCount");async function Pm(e){try{return await e.clone().json()}catch{return}}n(Pm,"readResponseJson");function bs(e){let t=ws(e);return!t||Rs(t.mcpMethod)?null:{eventType:w.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(bs,"buildCapabilityInvokedAnalyticsInput");async function Ss(e,t){let r=ws(e);if(!r)return null;let o=te(await Pm(t)),i=te(o?.error),a=te(i?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&te(s)?.isError===!0;if(te(a?.connectRequired))return{eventType:w.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:ys(i,"code"),mcpErrorType:st(i,"message")};if(Rs(r.mcpMethod)){let l=t.status>=400?void 
0:km(r.mcpMethod,r.capabilityType,s);return{eventType:w.MCP_CAPABILITY_LISTED,outcome:t.status>=400||i?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||i?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:gs(i,t)}:{},...l===void 0?{}:{attributes:{itemCount:l}}}}return t.status>=400||i?{eventType:w.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:gs(i,t),mcpErrorType:st(i,"message")}:{eventType:w.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(Ss,"buildCapabilityFinalAnalyticsInput");var Tm={Allow:"POST"};async function Em(e){try{return await e.clone().arrayBuffer()}catch{return}}n(Em,"readRequestBody");function Cs(e){try{let t=Dn(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Cs,"readRouteAnalyticsFields");function vs(e){return Xn(e.user,e.url,e.headers)?.subjectId}n(vs,"readRequestSubjectId");function Om(e){let t=bs(e.requestBody);t&&C(e.context,{...t,...Cs(e.context),httpMethod:e.request.method,subjectId:vs(e.request),transport:"http"})}n(Om,"emitCapabilityInvokedAnalytics");async function qm(e){let t=await Ss(e.requestBody,e.response);t&&C(e.context,{...t,...Cs(e.context),httpMethod:e.request.method,subjectId:vs(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(qm,"emitCapabilityFinalAnalytics");async function Mm(e,t){if(e.method==="GET")return de.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. 
Server-sent event GET streams are not supported."},Tm);let r=Date.now(),o=await Em(e);Om({context:t,request:e,requestBody:o});let i=await fn(e,t);return await qm({context:t,request:e,requestBody:o,response:i,startedAt:r}),i}n(Mm,"McpProxyHandler");export{Bs as McpAuth0OAuthInboundPolicy,Qt as McpCapabilityFilterInboundPolicy,Us as McpClerkOAuthInboundPolicy,ks as McpCognitoOAuthInboundPolicy,Ps as McpEntraOAuthInboundPolicy,en as McpGatewayPlugin,Ts as McpGoogleOAuthInboundPolicy,Es as McpKeycloakOAuthInboundPolicy,Os as McpLogtoOAuthInboundPolicy,qs as McpOAuthInboundPolicy,Ms as McpOktaOAuthInboundPolicy,Ds as McpOneLoginOAuthInboundPolicy,zs as McpPingOAuthInboundPolicy,Mm as McpProxyHandler,Ar as McpTokenExchangeInboundPolicy,Hs as McpWorkosOAuthInboundPolicy};
|
|
47
|
+
></iframe>`}n(Au,"renderUpstreamHtml");var Ei="application/json",xu="application/x-www-form-urlencoded";function Mt(e,t){return new h({message:e,extensionMembers:{[y]:"invalid_request"}},t===void 0?void 0:{cause:t})}n(Mt,"invalidRequestError");function Uu(e){return(e??"").split(";")[0]?.trim().toLowerCase()??""}n(Uu,"normalizeContentType");function ku(e,t){return e===t?!0:t===Ei&&e.endsWith("+json")}n(ku,"contentTypeMatches");function Pu(e,t){if(!t||t.length===0)return;let r=Uu(e.headers.get("content-type"));if(!t.some(o=>ku(r,o)))throw Mt(`Request body must be ${t.join(" or ")}.`)}n(Pu,"assertExpectedContentType");function Tu(e,t,r){let o=e.headers.get("content-length");if(!o)return;let i=Number.parseInt(o,10);if(Number.isFinite(i)&&i>t)throw Mt(`${r} exceeded the maximum allowed size.`)}n(Tu,"assertContentLengthWithinLimit");async function Oi(e,t){let r=t.label??"Request body";Pu(e,t.expectedContentTypes),Tu(e,t.maxBytes,r);let o=await po(e.body,{maxBytes:t.maxBytes,createLimitError:n(()=>Mt(`${r} exceeded the maximum allowed size.`),"createLimitError")});return new TextDecoder().decode(o)}n(Oi,"readBoundedTextBody");async function qi(e,t){let r=await Oi(e,{...t,expectedContentTypes:[Ei]});try{return JSON.parse(r)}catch(o){throw Mt("Request body must be valid JSON.",o)}}n(qi,"readBoundedJsonBody");async function Mi(e,t){let r=await Oi(e,{...t,expectedContentTypes:[xu]});return new URLSearchParams(r)}n(Mi,"readBoundedFormUrlEncodedBody");H();H();import{errors as Li,jwtVerify as Ni,SignJWT as Gi}from"jose";H();import{errors as Eu,jwtVerify as Ou,SignJWT as qu}from"jose";var Ur="zuplo_mcp_session",Mu=d.object({purpose:d.literal("gateway_browser_session"),sub:yt,browserLoginOrigin:d.string().min(1),roles:d.array(d.string().min(1)).optional(),exp:d.number().int().positive(),iat:d.number().int().positive().optional()});function Du(e){let t=new Map;if(!e)return t;for(let r of e.split(";")){let o=r.indexOf("=");if(o<0)continue;let 
i=r.slice(0,o).trim(),a=r.slice(o+1).trim();if(i)try{t.set(i,decodeURIComponent(a))}catch{t.set(i,a)}}return t}n(Du,"parseCookieHeader");async function Di(){return $({purpose:"browser-session",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-session"),"derive")})}n(Di,"getBrowserSessionKey");function xr(e,t){let r=new URL(U(e,t)),o=[`${Ur}=`,"Path=/","HttpOnly","SameSite=Lax","Max-Age=0"];return r.protocol==="https:"&&o.push("Secure"),o.join("; ")}n(xr,"buildBrowserSessionEvictionCookie");function zu(e){let t=new URL(U(e.requestUrl,e.requestHeaders)),r=[`${Ur}=${encodeURIComponent(e.value)}`,"Path=/","HttpOnly","SameSite=Lax",`Max-Age=${e.ttlSeconds}`];return t.protocol==="https:"&&r.push("Secure"),r.join("; ")}n(zu,"serializeSessionCookie");function zi(){return new URL(bt("url")).origin}n(zi,"readBrowserLoginOrigin");function kr(){return B().browserLogin.stateTtlSeconds}n(kr,"readBrowserLoginStateTtlSeconds");function Hi(e){if(!e.user)throw _("authentication_required","The browser login callback did not include an authenticated Zuplo principal.");return Ie(e.user,e.url)}n(Hi,"resolveCurrentRequestPrincipal");async function Dt(e,t={}){let r=Du(e.headers.get("cookie")).get(Ur);if(!r)return{};try{let{payload:o}=await Ou(r,await Di(),{algorithms:[z],issuer:O,audience:D}),i=Mu.parse(o);if(i.browserLoginOrigin!==zi())return{evictCookie:xr(e.url,e.headers)};let a={subjectId:i.sub};return i.roles&&i.roles.length>0&&(a.roles=i.roles),{principal:a}}catch(o){return o instanceof Eu.JWTExpired?{evictCookie:xr(e.url,e.headers)}:(t.context?.log.warn({event:"browser_session_verification_failed",errorName:o instanceof Error?o.name:"unknown",errorMessage:o instanceof Error?o.message:"verification failed"},"Browser session JWT verification failed"),{evictCookie:xr(e.url,e.headers)})}}n(Dt,"readBrowserSession");async function zt(e){let 
t=B().browserLogin.sessionTtlSeconds,r={purpose:"gateway_browser_session",sub:e.principal.subjectId,browserLoginOrigin:zi()};e.principal.roles&&(r.roles=e.principal.roles);let o=await new qu(r).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+t).sign(await Di());return zu({value:o,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},ttlSeconds:t})}n(zt,"createBrowserSessionCookie");async function Bi(e){let t={};e.context!==void 0&&(t.context=e.context);let r=await Dt(e.request,t);if(r.principal)return r.principal;let o=typeof e.request.query.code=="string"?e.request.query.code:void 0;if(!o)throw _("oauth_callback_mismatch","Federated browser login callback is missing an authorization code.");let{exchangeFederatedAuthorizationCode:i}=await import("../browser-login-idp-QZEGTRKY.js");return i({code:o,nonce:e.stateId,requestUrl:e.request.url,requestHeaders:e.request.headers,...e.context===void 0?{}:{context:e.context}})}n(Bi,"resolveBrowserLoginCallbackPrincipal");function ji(e){let t=B().browserLogin,r=new URL(bt("url")),o=new URL("/oauth/callback",Hn(e.requestUrl,e.requestHeaders));return Jn(r)?(r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("state",e.state),r):(r.searchParams.set("response_type","code"),r.searchParams.set("client_id",bt("clientId")),r.searchParams.set("redirect_uri",o.toString()),r.searchParams.set("scope",t.scope),r.searchParams.set("state",e.state),r.searchParams.set("nonce",e.nonce),t.audience&&r.searchParams.set("audience",t.audience),r)}n(ji,"buildBrowserLoginUrl");var Hu={invalid_request:400,invalid_client:401,invalid_grant:400,invalid_target:400,unsupported_grant_type:400,server_error:500,invalid_redirect_uri:400,invalid_client_metadata:400},p=class extends 
Error{static{n(this,"OAuthProtocolError")}errorCode;status;constructor(t,r,o=Hu[t],i){super(r,i),this.name="OAuthProtocolError",this.errorCode=t,this.status=o}};var Bu=5*60,ju=d.object({purpose:d.literal("gateway_browser_login"),transactionId:Ft,stateId:Kt,exp:d.number().int().positive(),iat:d.number().int().positive().optional()}),Lu=d.object({purpose:d.literal("gateway_authorization_setup"),transactionId:Ft,stateId:Kt,exp:d.number().int().positive(),iat:d.number().int().positive().optional()});async function $i(){return $({purpose:"browser-login",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"browser-login"),"derive")})}n($i,"getBrowserLoginKey");async function Zi(){return $({purpose:"authorization-csrf",keyMaterialPurpose:"oauth-state-signing",derive:n(e=>oe(e,"authorization-csrf"),"derive")})}n(Zi,"getCsrfKey");function Fi(e){return{now:e.now??new Date,ttlSeconds:kr()}}n(Fi,"readPendingTransactionDependencies");function Nu(e,t){return e.subjectId===t.subjectId}n(Nu,"principalsMatch");function Ki(e){return{subjectId:e.subjectId,...e.roles===void 0?{}:{roles:e.roles}}}n(Ki,"toPendingPrincipal");function Ji(e){let t={id:e.id,currentStateHash:e.currentStateHash,clientId:e.transaction.clientId,redirectUri:e.transaction.redirectUri,resource:e.transaction.resource,operationId:e.transaction.operationId,scope:e.transaction.scope,codeChallenge:e.transaction.codeChallenge,codeChallengeMethod:e.transaction.codeChallengeMethod,createdAt:R(e.now),expiresAt:R(J(e.now,e.ttlSeconds)),...e.transaction.clientState===void 0?{}:{clientState:e.transaction.clientState}};if(e.phase==="awaiting_login")return{...t,phase:"awaiting_login"};if(!e.principal)throw _("identity_context_missing","Authorization setup requires a principal.");return{...t,phase:"awaiting_setup",principal:Ki(e.principal)}}n(Ji,"createTransactionRecord");async function Wi(e){let{id:t,...r}=e.record,o=await b().startAuthorization({...r,transactionId:t,...e.client===void 
0?{}:{client:e.client}});switch(o.kind){case"started":return o.transaction;case"already_exists":throw _("oauth_state_reused","Authorization transaction state already exists.");case"invalid_client":throw new p("invalid_client","OAuth client is not registered.");case"redirect_uri_mismatch":throw new p("invalid_request","redirect_uri is not registered for the client.")}}n(Wi,"startPendingTransaction");async function Gu(e){return new Gi({purpose:"gateway_browser_login",transactionId:e.transactionId,stateId:e.stateId}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await $i())}n(Gu,"signBrowserLoginState");async function Vi(e){return new Gi({purpose:"gateway_authorization_setup",transactionId:e.transactionId,stateId:Wt()}).setProtectedHeader({alg:z,typ:"JWT"}).setIssuer(O).setAudience(D).setIssuedAt().setExpirationTime(Math.floor(Date.now()/1e3)+e.ttlSeconds).sign(await Zi())}n(Vi,"signCsrfToken");async function Pr(e){try{let{payload:t}=await Ni(e,await $i(),{algorithms:[z],issuer:O,audience:D}),r=ju.parse(t);return{transactionId:r.transactionId,stateId:r.stateId}}catch(t){throw t instanceof Li.JWTExpired?_("oauth_state_expired","Browser login state has expired.",t):_("oauth_state_invalid","Browser login state could not be verified.",t)}}n(Pr,"verifyBrowserLoginStateToken");async function Ht(e){try{let{payload:t}=await Ni(e,await Zi(),{algorithms:[z],issuer:O,audience:D});return{transactionId:Lu.parse(t).transactionId}}catch(t){throw t instanceof Li.JWTExpired?_("oauth_state_expired","Authorization setup state has expired.",t):_("oauth_state_invalid","Authorization setup state could not be verified.",t)}}n(Ht,"verifyCsrfToken");function Tr(e){return e==="consumed"||e==="consumed_already"||e==="stale_hash"?"oauth_state_reused":e==="expired"?"oauth_state_expired":"oauth_state_invalid"}n(Tr,"pendingStateErrorCode");function $u(e){return 
e.kind==="available"?{kind:"available",record:e.transaction}:e}n($u,"toPendingAuthorizationGetResult");function Zu(e){return e.kind==="advanced"?{kind:"advanced",record:e.transaction}:e}n(Zu,"toPendingAuthorizationAdvanceResult");function Er(e){return e==="principal_mismatch"?"oauth_callback_mismatch":Tr(e==="consumed_already"?"consumed_already":e)}n(Er,"setupDecisionErrorCode");async function Yi(e){let t=e.now??new Date,r=await Ht(e.csrfToken),o=await b().markAuthorizationSetupApproved({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(t)});if(o.kind!=="marked")throw _(Er(o.kind),"Authorization setup state is invalid, expired, or already used.");return Xi({kind:"available",record:o.transaction})}n(Yi,"markSetupApproved");function Xi(e){if(e.kind!=="available")throw _(Tr(e.kind),"Authorization setup state is invalid, expired, or already used.");if(e.record.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization setup state is not in the setup phase.");return e.record}n(Xi,"requireAwaitingSetup");function Fu(e){if(!Nu(e.currentBrowserPrincipal,e.transaction.principal))throw _("oauth_callback_mismatch","Authorization setup state does not match the current browser session.")}n(Fu,"requireCurrentPrincipalMatches");async function Qi(e){let t=e.now??new Date,r=kr(),o=Jt(),i=Wt(),a=await Gu({transactionId:o,stateId:i,ttlSeconds:r}),s=Ji({id:o,transaction:e.transaction,currentStateHash:await I(a),phase:"awaiting_login",now:t,ttlSeconds:r});if(s.phase!=="awaiting_login")throw _("oauth_state_invalid","Authorization transaction did not start in login phase.");let c=await Wi({record:s,client:e.transaction.client});if(c.phase!=="awaiting_login")throw _("oauth_state_invalid","Authorization transaction did not start in login 
phase.");return{transaction:c,browserLoginStateToken:a,browserLoginUrl:ji({state:a,nonce:i,operationId:s.operationId,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}})}}n(Qi,"startAwaitingLogin");async function ea(e){let{now:t,ttlSeconds:r}=Fi(e),o=Jt(),i=await Vi({transactionId:o,ttlSeconds:r}),a=Ji({id:o,transaction:e.transaction,currentStateHash:await I(i),phase:"awaiting_setup",principal:e.principal,now:t,ttlSeconds:r});if(a.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization transaction did not start in setup phase.");let s=await Wi({record:a,client:e.transaction.client});if(s.phase!=="awaiting_setup")throw _("oauth_state_invalid","Authorization transaction did not start in setup phase.");return{transaction:s,csrfToken:i}}n(ea,"startAwaitingSetup");async function ta(e){let{now:t,ttlSeconds:r}=Fi(e),o=await Pr(e.browserLoginStateToken),i=await Vi({transactionId:o.transactionId,ttlSeconds:r}),a=Zu(await b().advancePendingAuthorization({transactionId:o.transactionId,expectedPhase:"awaiting_login",currentStateHash:await I(e.browserLoginStateToken),nextStateHash:await I(i),nextPhase:"awaiting_setup",principal:Ki(e.principal),now:R(t)}));if(a.kind!=="advanced")throw _(Tr(a.kind),"Browser login state is invalid, expired, or already used.");if(a.record.phase!=="awaiting_setup")throw _("oauth_state_invalid","Browser login did not advance to setup.");return{transaction:a.record,csrfToken:i}}n(ta,"completeLogin");async function ra(e){let t=await Or(e);return Fu({transaction:t,currentBrowserPrincipal:e.currentBrowserPrincipal}),t}n(ra,"getSetup");async function Or(e){let t=e.now??new Date,r=await Ht(e.csrfToken);return Xi($u(await b().readPendingAuthorization({transactionId:r.transactionId,currentStateHash:await I(e.csrfToken),now:R(t)})))}n(Or,"getSetupTransaction");async function Ku(e){let t=await Ht(e.csrfToken),r=Y(),o=R(J(e.now,Bu)),i=await 
b().decideAuthorizationSetup({decision:"approve",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},authorizationCodeHash:await I(r),authorizationCodeExpiresAt:o,grantId:Fn(),now:R(e.now)});if(i.kind!=="approved")throw _(i.kind==="cancelled"?"oauth_state_invalid":Er(i.kind),"Authorization setup state is invalid, expired, or already used.");let a=new URL(i.transaction.redirectUri);return a.searchParams.set("code",r),i.transaction.clientState&&a.searchParams.set("state",i.transaction.clientState),a}n(Ku,"createAuthorizationCodeRedirectWithDecision");async function Ju(e){let t=await Ht(e.csrfToken),r=await b().decideAuthorizationSetup({decision:"cancel",transactionId:t.transactionId,currentStateHash:await I(e.csrfToken),currentPrincipal:{subjectId:e.currentBrowserPrincipal.subjectId},now:R(e.now)});if(r.kind!=="cancelled")throw _(r.kind==="approved"?"oauth_state_invalid":Er(r.kind),"Authorization setup state is invalid, expired, or already used.");return Wu({redirectUri:r.transaction.redirectUri,clientState:r.transaction.clientState})}n(Ju,"createCancelRedirectWithDecision");function Wu(e){let t=new URL(e.redirectUri);return t.searchParams.set("error","access_denied"),t.searchParams.set("error_description","The user cancelled the MCP authorization request."),e.clientState!==void 0&&t.searchParams.set("state",e.clientState),t}n(Wu,"buildClientCancelRedirect");async function na(e){let t=e.now??new Date;return Ku({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(na,"approve");async function oa(e){let t=e.now??new Date;return Ju({csrfToken:e.csrfToken,currentBrowserPrincipal:e.currentBrowserPrincipal,now:t})}n(oa,"cancel");H();var Vu=1e4,Yu=5*1024,Xu=2,Qu=90*24*60*60,qr="dcr:pkjwt:",el="chatgpt.com",tl="ChatGPT CIMD client metadata could not be used by this gateway. 
In ChatGPT advanced OAuth settings, change Registration method to Dynamic Client Registration (DCR), keep the discovered Registration URL, and retry connecting.",Mr=["authorization_code","refresh_token"],Dr=["code"],rl=d.object({client_name:d.string().min(1).optional(),redirect_uris:d.array(d.string().min(1)).min(1),grant_types:d.array(d.enum(Mr)).min(1).max(2).optional(),response_types:d.array(d.enum(Dr)).min(1).max(1).optional(),scope:d.literal(T).optional(),token_endpoint_auth_method:$n.optional(),jwks_uri:d.string().min(1).optional()});function nl(e){try{let t=new URL(e);return(t.protocol==="https:"||t.protocol==="http:"&&ue(t))&&t.pathname!=="/"}catch{return!1}}n(nl,"isCimdClientIdCandidate");function ol(e){try{let t=new URL(e);return t.protocol==="https:"&&t.hostname===el&&t.pathname.startsWith("/oauth/")&&t.pathname.endsWith("/client.json")}catch{return!1}}n(ol,"isChatGptCimdClientId");function ia(e){throw new p("invalid_client",ol(e)?tl:"OAuth client is not registered.")}n(ia,"invalidCimdClientError");function Me(e,t="invalid_request",r="authorize"){if(il(e))throw new p(t,"redirect_uris must not include raw whitespace or control characters.");let o;try{o=new URL(e)}catch{throw new p(t,"redirect_uris must be absolute URIs.")}if(o.hash||o.username||o.password)throw new p(t,"redirect_uris must not include credentials or fragments.");let i={source:r},a=Nn({url:o,context:i});if(a.kind!=="rejected"){a.mode!=="strict"&&void 0;return}throw new p(t,"redirect_uris must use HTTPS, loopback HTTP, or a native-app private-use URI scheme.")}n(Me,"assertValidRedirectUri");function il(e){for(let t=0;t<e.length;t+=1){let r=e.charCodeAt(t);if(r<=32||r>=127&&r<=159)return!0}return!1}n(il,"hasForbiddenRawRedirectUriCharacter");async function al(e){let{response:t,json:r}=await fo(e.initialUrl,{headers:{accept:"application/json"}},{maxRedirects:Xu,maxResponseBytes:Yu,timeoutMs:Vu});if(!t.ok)throw _("invalid_request","CIMD metadata could not be fetched.");let o=Zn.parse(r);for(let 
i of o.redirect_uris)Me(i,"invalid_request","cimd");if(o.jwks_uri!==void 0&&Rt(o.jwks_uri),o.client_id!==e.clientId)throw _("invalid_request","Fetched CIMD client_id must exactly match the requested client_id.");return o}n(al,"fetchCimdMetadata");async function sl(e){let t=lo(e),r=await al({clientId:e,initialUrl:t});return{kind:"cimd",clientId:e,metadata:r}}n(sl,"resolveCimdClient");async function Bt(e,t){let r=V.parse(e);if(nl(r)){B().gateway.cimdEnabled||ia(r);try{return await sl(r)}catch{ia(r)}}let o=await b().readClient({clientId:r});if(o.kind==="found"){let i=o.client,a=gl(i.clientId),s=a===void 0?i.tokenEndpointAuthMethod:"private_key_jwt",c=i.jwksUri??a;if(s==="private_key_jwt"&&c===void 0)throw new p("invalid_client","Dynamic private_key_jwt client is missing JWKS metadata. Re-run client registration before authorization.");let l={client_id:i.clientId,client_name:i.clientName,redirect_uris:i.redirectUris,token_endpoint_auth_method:s,...c===void 0?{}:{jwks_uri:c}},m={kind:"dcr",clientId:r,metadata:l};return i.hashedClientSecret&&(m.hashedClientSecret=i.hashedClientSecret),m}throw new p("invalid_client",r.startsWith("dcr:")?"Dynamic client is not registered. 
Re-run client registration before authorization.":"OAuth client is not registered.")}n(Bt,"resolveClient");function aa(e,t){if(!e.metadata.redirect_uris.some(r=>Kn(r,t)))throw _("invalid_request","redirect_uri is not registered for the client.")}n(aa,"assertRedirectRegistered");function cl(e){let t=sa(e.grant_types),r=e.response_types??[...Dr];if(!dl(t))throw new p("invalid_client_metadata","grant_types must be a subset of authorization_code and refresh_token.");if(!ul(r))throw new p("invalid_client_metadata","response_types must be code.");if(!ll(e.scope))throw new p("invalid_client_metadata",`Only the ${T} scope is supported.`)}n(cl,"assertSupportedDcrRequest");function sa(e){return e===void 0?[...Mr]:Array.from(new Set(e))}n(sa,"normalizeGrantTypes");function dl(e){return e.length===0?!1:e.every(t=>Mr.includes(t))}n(dl,"isSupportedGrantTypes");function ul(e){return e.length===Dr.length&&e[0]==="code"}n(ul,"isSupportedResponseTypes");function ll(e){return e===void 0||e===T}n(ll,"isSupportedDcrScope");function pl(e){try{Rt(e)}catch(t){throw new p("invalid_client_metadata","jwks_uri must be an HTTPS URL with a path, no credentials or fragment, and must not point at a blocked host.",void 0,{cause:t})}}n(pl,"assertValidDcrJwksUri");function ml(e){let t=new TextEncoder().encode(e),r="";for(let o of t)r+=String.fromCharCode(o);return btoa(r).replaceAll("+","-").replaceAll("/","_").replace(/=+$/,"")}n(ml,"encodeBase64Url");function fl(e){let t=e.replaceAll("-","+").replaceAll("_","/"),r=t.padEnd(t.length+(4-t.length%4)%4,"="),o;try{o=atob(r)}catch{return}let i=new Uint8Array(o.length);for(let a=0;a<o.length;a+=1)i[a]=o.charCodeAt(a);return new TextDecoder().decode(i)}n(fl,"decodeBase64Url");function hl(e){return e.tokenEndpointAuthMethod==="private_key_jwt"&&e.jwksUri!==void 0?V.parse(`${qr}${crypto.randomUUID()}:${ml(e.jwksUri)}`):V.parse(`dcr:${crypto.randomUUID()}`)}n(hl,"createDcrClientId");function jt(e){return 
e.startsWith(qr)}n(jt,"isPrivateKeyJwtDcrCompatibilityClientId");function gl(e){if(!jt(e))return;let t=e.slice(qr.length),r=t.indexOf(":");if(r===-1)return;let o=fl(t.slice(r+1));if(o!==void 0){try{Rt(o)}catch{return}return o}}n(gl,"readPrivateKeyJwtDcrClientIdJwksUri");function rt(e){if(e===void 0||e===T)return T;throw new p("invalid_request",`Only the ${T} scope is supported.`)}n(rt,"assertSupportedOAuthScope");function De(e,t,r){let o;try{o=new URL(t)}catch{throw new p("invalid_target","resource must be an absolute URI.")}if(o.hash)throw new p("invalid_target","resource must not include a fragment.");if(o.protocol!=="https:"&&!ue(o))throw new p("invalid_target","resource must use HTTPS except loopback HTTP resources in local development.");let i=U(e,r),a=zn(),s=a?[...a.byOperationId.values()].find(c=>new URL(c.routePath,i).toString()===t):void 0;if(!s)throw new p("invalid_target","resource must match a published MCP route.");return s}n(De,"resolveResource");async function ca(e){let t;try{t=rl.parse(e)}catch(v){if(v instanceof d.ZodError){let L=v.issues.some(Re=>Re.path[0]==="redirect_uris");throw new p(L?"invalid_redirect_uri":"invalid_client_metadata",v.issues[0]?.message??"Client metadata is invalid.",void 0,{cause:v})}throw v}cl(t);for(let v of t.redirect_uris)Me(v,"invalid_redirect_uri","dcr");if(t.token_endpoint_auth_method==="private_key_jwt"&&t.jwks_uri===void 0)throw new p("invalid_client_metadata","jwks_uri is required for private_key_jwt clients.");t.jwks_uri!==void 0&&pl(t.jwks_uri);let r=new Date,o=t.token_endpoint_auth_method??"none",i=o==="private_key_jwt"?"none":o,a=hl({tokenEndpointAuthMethod:o,jwksUri:t.jwks_uri}),s=J(r,Qu),c=Math.floor(r.getTime()/1e3),l=Math.floor(s.getTime()/1e3),m={client_id:a,client_name:t.client_name??"Dynamically registered MCP client",redirect_uris:t.redirect_uris,grant_types:sa(t.grant_types),response_types:["code"],scope:T,token_endpoint_auth_method:o,client_id_issued_at:c,...t.jwks_uri===void 
0?{}:{jwks_uri:t.jwks_uri}},f={clientId:a,clientName:String(m.client_name),redirectUris:t.redirect_uris,tokenEndpointAuthMethod:i,createdAt:R(r),clientExpiresAt:R(s)};if(o==="client_secret_basic"||o==="client_secret_post"){let v=Y();f.hashedClientSecret=await I(v),f.clientSecretExpiresAt=R(s),m.client_secret=v,m.client_secret_expires_at=l,m.client_secret_issued_at=c}if((await b().registerClient(f)).kind==="already_exists")throw _("invalid_request","OAuth client is already registered.");return m}n(ca,"registerDownstreamClient");function Lt(e){return S`<img class="card__icon" src="${e.iconHref}" alt="" width="48" height="48" referrerpolicy="no-referrer" onerror=" this.onerror = null; this.src = '${e.fallbackIconHref}'; " />`}n(Lt,"renderShellIcon");function da(e){return S`<form class="actions" method="post" action="/oauth/setup" ${e.submitOnceAttrs}><input type="hidden" name="state" value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate >Cancel</button><button class="button button--primary" type="submit" name="decision" value="approve" ${e.authorizeAttrs} >Authorize</button></form>`}n(da,"renderActions");var zy=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="8" cy="8" r="6.5"/><line x1="8" y1="4.6" x2="8" y2="8.4"/><circle cx="8" cy="11" r=".7" fill="currentColor" stroke="none"/></svg>');var Hy=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="14" height="14" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M4 6.5l4 4 4-4"/></svg>'),By=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><rect x="3" y="4" 
width="18" height="7" rx="1.5"/><rect x="3" y="13" width="18" height="7" rx="1.5"/><circle cx="7" cy="7.5" r=".75" fill="currentColor" stroke="none"/><circle cx="7" cy="16.5" r=".75" fill="currentColor" stroke="none"/></svg>');var jy=Q('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7.13 2.46 1.39 12.5a1 1 0 0 0 .87 1.5h11.48a1 1 0 0 0 .87-1.5L8.87 2.46a1 1 0 0 0-1.74 0Z"/><line x1="8" y1="6" x2="8" y2="9.4"/><circle cx="8" cy="11.4" r=".7" fill="currentColor" stroke="none"/></svg>');var yl="data:,",ua=S`data-submit-once="true" onsubmit="if (this.dataset.submitted === 'true') return false; this.dataset.submitted = 'true'; setTimeout(() => this.querySelectorAll('button').forEach((button) => { button.disabled = true; }), 0);"`,la=S`data-activate-once="true" onclick="if (this.dataset.activated === 'true') return false; this.dataset.activated = 'true'; this.setAttribute('aria-disabled', 'true'); this.style.pointerEvents = 'none';"`;function _l(e,t){if(e)try{let r=new URL(t).origin,o=new URL(e,r);return o.origin!==r||!o.pathname.startsWith("/auth/connections/")?void 0:o.toString()}catch{return}}n(_l,"safeGatewayConnectHref");function wl(e){return e.some(r=>r.ownerMode==="user"&&r.status!=="active")?"setup":"grant"}n(wl,"deriveMode");function Rl(e){return da({state:e.state,submitOnceAttrs:ua,authorizeAttrs:Z})}n(Rl,"renderActions");function zr(e,t,r){for(let o of e){if(o.ownerMode!=="user"||o.status!==r)continue;let i=_l(o.connectUrl,t);if(i)return i}}n(zr,"firstUserConnectHref");function bl(e){let t=e.connectHref?S`<a class="button button--primary" href="${e.connectHref}" ${la}>Connect</a>`:S`<button class="button button--primary" type="button" disabled aria-disabled="true">Connect</button>`;return S`<form class="actions" method="post" action="/oauth/setup" ${ua}><input type="hidden" name="state" 
value="${e.state}" /><button class="button button--secondary" type="submit" name="decision" value="cancel" formnovalidate>Cancel</button>${t}</form>`}n(bl,"renderSetupActions");function Sl(e){return e?S`<span class="reconnect-action"><a class="button button--secondary reconnect-button" href="${e}" ${la}>Re-connect<span class="tooltip" tabindex="0" aria-label="Reset or change how the gateway connects to the upstream service, including changing scopes.">?</span></a></span>`:Z}n(Sl,"renderReconnectAction");function Cl(e){try{let t=new URL(e);return t.protocol==="https:"||t.protocol==="http:"?!0:t.protocol==="data:"&&/^data:image\/(?:png|jpe?g|webp|svg\+xml);/i.test(e)}catch{return!1}}n(Cl,"isRenderableIconHref");function pa(e){return e?.find(t=>Cl(t.src))?.src}n(pa,"readIconHref");function vl(e){return pa(e.serverIcons)??(e.transportHost===void 0?void 0:hr(e.transportHost).src)}n(vl,"readUpstreamIconHref");function Il(e){let t=pa(e.routeIcons);if(t!==void 0)return t;for(let r of e.upstreams){let o=vl(r);if(o!==void 0)return o}}n(Il,"readHeaderIconHref");function Al(e){return S`<p class="card__subtitle">Authorize '<strong>${e.clientDisplayName}</strong>' to access '<strong>${e.routeDisplayName}</strong>' on your behalf?</p>`}n(Al,"renderBody");function Hr(e){let t=wl(e.upstreams),r=zr(e.upstreams,e.gatewayOrigin,"not_connected"),o=zr(e.upstreams,e.gatewayOrigin,"reconsent_required"),i=zr(e.upstreams,e.gatewayOrigin,"active"),a=t==="setup"?r??o:void 0,s=Il({routeIcons:e.routeIcons,upstreams:e.upstreams}),c=t==="setup"?S`<footer class="card__footer">${bl({state:e.state,connectHref:a})}</footer>`:S`<footer class="card__footer">${Sl(i)}${Rl({state:e.state})}</footer>`;return Te(Oe({title:`Authorize access \xB7 ${e.routeDisplayName}`,iconHref:s??yl,styles:Ee,headerIcon:s===void 0?Z:Lt({iconHref:s,fallbackIconHref:xt}),heading:"Authorize 
access",subhead:Z,body:Al({routeDisplayName:e.routeDisplayName,clientDisplayName:e.clientDisplayName}),footer:c}))}n(Hr,"renderConsentPage");var xl=1e4,ma="mcp-session-id",Ul,fa;function wa(){return{tools:[],prompts:[],resources:[]}}n(wa,"emptyCapabilities");function ha(e){let t=new Headers({accept:"application/json, text/event-stream","content-type":"application/json","mcp-protocol-version":Vt});switch(e.type){case"none":return t;case"bearer_token":return t.set("authorization",`Bearer ${e.token}`),t;case"headers":for(let[r,o]of Object.entries(e.headers))t.set(r,o);return t;case"mcp_oauth_provider":throw new Error("MCP OAuth provider credentials require async headers.")}}n(ha,"buildCredentialHeaders");async function ga(e){if(e.type!=="mcp_oauth_provider")return ha(e);let t=await e.provider.tokens();if(!t)return;let r=ha({type:"none"});return r.set("authorization",`${t.token_type??"Bearer"} ${t.access_token}`),r}n(ga,"buildAsyncCredentialHeaders");function ya(e){return new Request(e.upstreamUrl,{method:"POST",headers:e.headers,body:JSON.stringify(ft.parse({jsonrpc:mt,id:1,method:"initialize",params:{protocolVersion:Vt,capabilities:{},clientInfo:{name:"zuplo-mcp-gateway-readiness",version:"0.0.0"}}}))})}n(ya,"buildInitializePreflight");async function Br(e){uo(e.url);let t=new AbortController,r=setTimeout(()=>t.abort(),xl);try{let o=new Request(e,{redirect:"manual",signal:t.signal});return fa?await fa(o):await ct.fetch(o)}finally{clearTimeout(r)}}n(Br,"runPreflight");function jr(e){e.body?.cancel().catch(()=>{})}n(jr,"releasePreflightBody");async function kl(e){let t=e.response.headers.get(ma);if(!t)return;let r=new Headers(e.headers);r.set(ma,t),r.delete("content-type");try{let o=await Br(new Request(e.upstreamUrl,{method:"DELETE",headers:r}));jr(o)}catch{}}n(kl,"terminatePreflightSession");async function Ra(e){let{response:t}=e;return jr(t),t.status>=200&&t.status<300?(await 
kl(e),{kind:"ready",upstreamStatus:t.status,capabilities:wa()}):t.status===401||t.status===403?{kind:"upstream_auth_rejected",status:t.status,message:"Upstream MCP server rejected the configured credential."}:{kind:"upstream_unavailable",status:t.status,message:"Upstream MCP server did not accept the readiness preflight."}}n(Ra,"classifyResponse");function _a(e){let t={status:e.state==="reconsent_required"?"reconsent_required":"not_connected",connected:!1};return e.nextAction==="admin_setup_required"?{kind:"admin_setup_required",payload:e,connectionStatus:t}:{kind:"connect_required",payload:e,connectionStatus:t}}n(_a,"connectRequiredResult");async function Pl(e){try{return Ra({response:await Br(e.request),upstreamUrl:e.upstreamUrl,headers:e.headers})}catch(t){return{kind:"upstream_unavailable",message:t instanceof Error?t.message:"Upstream MCP server readiness preflight failed."}}}n(Pl,"classifyPreflight");async function Tl(e){let t=e.route.connection;if(t===void 0)return{kind:"ready",upstreamStatus:204,capabilities:wa()};let r=Ot(t.upstreamServerId,e.route.operationId),o=Pe(r,e.subjectId),i=e.returnTo===void 0?o:{...o,returnTo:e.returnTo},a=new Request(e.requestUrl,{...e.requestHeaders===void 0?{}:{headers:e.requestHeaders}}),s=await ke({request:a,routeAuth:i,preloadedConnection:e.preloadedConnection});if(s.kind==="connect_required")return _a(s.payload);let c=await ga(s.credential);if(c===void 0)return{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens."};let l=ya({upstreamUrl:t.mcpUrl,headers:c}),m;try{m=await Br(l)}catch(v){return{kind:"upstream_unavailable",message:v instanceof Error?v.message:"Upstream MCP server readiness preflight failed."}}if(m.status!==401)return Ra({response:m,upstreamUrl:t.mcpUrl,headers:c});jr(m);let f=await ke({request:a,routeAuth:i,forceRefresh:!0,preloadedConnection:e.preloadedConnection});if(f.kind==="connect_required")return _a(f.payload);let x=await ga(f.credential);return x===void 
0?{kind:"upstream_auth_rejected",status:401,message:"Upstream credential did not produce tokens after refresh."}:Pl({request:ya({upstreamUrl:t.mcpUrl,headers:x}),upstreamUrl:t.mcpUrl,headers:x})}n(Tl,"checkUpstreamRouteReadinessImpl");function ba(e){return(Ul??Tl)(e)}n(ba,"checkUpstreamRouteReadiness");function El(e){try{return new URL(e).host}catch{return}}n(El,"safeUrlHost");function Ol(e){if(e.mode==="user-oauth"||e.mode==="shared-oauth")return e.oauth.scopes}n(Ol,"readOAuthScopes");function Sa(e){return e!==void 0&&e.length>0}n(Sa,"hasItems");function ql(e){let t=e.serverInfo?.icons;if(Sa(t))return t;let r=Ut(e.mcpUrl);return r===void 0?void 0:[r]}n(ql,"readServerIcons");async function Ml(e){if(!(e.returnTo===void 0||!e.isUserOwned))return yr({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},owner:e.userOwner,initiatedBySubjectId:e.transaction.principal.subjectId,upstreamServerId:e.registeredConnection.upstreamServerId,authProfileId:e.registeredConnection.authProfileId,operationId:e.route.operationId,returnTo:e.returnTo})}n(Ml,"readConnectUrl");function _e(e,t){return t===void 0?{}:{[e]:t}}n(_e,"optionalRequirementField");function Dl(e){return e.readiness!==void 0?e.readiness:e.isUserOwned?oo(e.connection):{connected:!0,status:"active"}}n(Dl,"readSetupConnectionStatus");function zl(e){let t=Ol(e);return Sa(t)?t:void 0}n(zl,"readScopesRequested");function Hl(e){return e.isUserOwned&&"updatedAt"in e.connectionStatus&&e.connectionStatus.updatedAt!==void 0?e.connectionStatus.updatedAt:void 0}n(Hl,"readUpdatedAt");function Bl(){return{tools:[],prompts:[],resources:[]}}n(Bl,"readRouteCapabilities");async function jl(e){let{authConfig:t,authMode:r,description:o,displayName:i,mcpUrl:a,upstreamServerId:s,authProfileId:c}=e.registeredConnection,l=kt(r),m=l==="user",f=Dl({connection:e.connection,isUserOwned:m,readiness:e.readiness}),x=e.readiness?.connectUrl??await 
Ml({...e,connected:f.connected,isUserOwned:m});return{upstreamServerId:s,authProfileId:c,authMode:r,ownerMode:l,upstreamDisplayName:i,status:f.status,connected:f.connected,capabilities:Bl(),..._e("description",o),..._e("transportHost",El(a)),..._e("scopesRequested",zl(t)),..._e("serverIcons",ql(e.registeredConnection)),..._e("connectUrl",x),..._e("updatedAt",Hl({connectionStatus:f,isUserOwned:m})),..._e("expiresAt",e.readiness?.expiresAt??e.connection?.expiresAt)}}n(jl,"buildSetupRequirement");function Ca(e){let t=N().byOperationId.get(e);if(!t)throw _("unknown_mcp_route",`Unknown MCP route: ${e}`);return t}n(Ca,"requireRoute");async function Lr(e){let t=Ca(e.transaction.operationId),r=_t(e.transaction.principal.subjectId),o=[],i=new Map,a=t.connection;if(a===void 0)return[];kt(a.authMode)==="user"&&(i.set(a,o.length),o.push({owner:r,upstreamServerId:a.upstreamServerId,authProfileId:a.authProfileId}));let s=await b().batchGetUpstreamConnections(o),c=[],l=kt(a.authMode)==="user",m=i.get(a),f=await ba({requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},route:t,subjectId:e.transaction.principal.subjectId,preloadedConnection:l&&m!==void 0?s[m]:void 0,...e.returnTo===void 0?{}:{returnTo:e.returnTo}}),x=(()=>{if("connectionStatus"in f&&f.connectionStatus)return f.connectionStatus})(),v=(f.kind==="connect_required"||f.kind==="admin_setup_required")&&f.payload.authUrl!==void 0?f.payload.authUrl:void 0;return c.push(await jl({connection:l&&m!==void 0?s[m]:void 0,registeredConnection:a,route:t,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:e.returnTo,transaction:e.transaction,userOwner:r,readiness:x===void 0?void 0:{...x,...v===void 0?{}:{connectUrl:v}}})),c}n(Lr,"requirementsForSetup");function Ll(e){return e.route.connection?.displayName??e.route.operationId}n(Ll,"readRouteDisplayName");async function Nr(e){let t=Ca(e.transaction.operationId),r=Ll({route:t}),o=await 
b().readClient({clientId:e.transaction.clientId}),i=o.kind==="found"?o.client:void 0,a={gatewayOrigin:U(e.requestUrl,e.requestHeaders),routeDisplayName:r,clientDisplayName:i?.clientName??String(e.transaction.clientId),principalLabel:e.transaction.principal.subjectId},s=t.connection?.description;return s!==void 0&&(a.routeDescription=s),a}n(Nr,"consentContext");function Gr(e){return e.some(t=>t.ownerMode==="user"&&t.status!=="active")}n(Gr,"hasUnresolvedUserUpstream");var Nl=["mcp_user"],Gl="dev-browser-user",$l=["resource is required for /oauth/authorize.","MCP clients should start at the MCP server URL and follow its WWW-Authenticate resource_metadata link.","If your client reached this endpoint directly, use /oauth/authorize/{routePath} where {routePath} is the published MCP route path without a leading slash and each segment is URL-encoded as needed, for example /oauth/authorize/mcp/linear, or add resource={protected resource URI from protected-resource metadata}."].join(" "),Zl=d.object({response_type:d.literal("code"),client_id:d.string().min(1),redirect_uri:d.string().min(1),resource:d.url(),code_challenge:d.string().min(43),code_challenge_method:Gn,state:d.string().min(1).optional(),scope:d.literal(T).default(T)}),Fl=d.enum(["continue","approve","cancel"]).default("continue"),Kl=d.object({state:d.string().min(1),decision:Fl}),ae=class extends Error{static{n(this,"DownstreamAuthorizeRedirectError")}redirectUri;clientState;errorCode;errorDescription;constructor(t){super(t.errorDescription?`${t.errorCode}: ${t.errorDescription}`:t.errorCode,t.cause===void 0?void 0:{cause:t.cause}),this.name="DownstreamAuthorizeRedirectError",this.redirectUri=t.redirectUri,this.clientState=t.clientState,this.errorCode=t.errorCode,this.errorDescription=t.errorDescription}};function va(e){return typeof e=="string"&&e.length>0?e:void 0}n(va,"readQueryString");function Jl(e){let t=Array.from(N().byOperationId.values());if(t.length!==1)return;let r=t[0];if(r!==void 0)return 
Yt(r.operationId,e.url,e.headers)}n(Jl,"inferSingleRouteResource");function Wl(e,t){let r=va(e.query.resource);if(t===void 0){if(r!==void 0)return r;let i=Jl(e);if(i!==void 0)return i;throw new p("invalid_target",$l)}let o=Yt(t,e.url,e.headers);if(r===void 0||r===o)return o;throw new p("invalid_target","resource must match the scoped OAuth authorization endpoint resource.")}n(Wl,"requireAuthorizeResource");async function Vl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Dt(e,r);if(o.principal)return{principal:o.principal};if(!e.user)return o.evictCookie===void 0?{}:{setCookie:o.evictCookie};let i=Hi(e);return{principal:i,setCookie:await zt({principal:i,requestUrl:e.url,requestHeaders:e.headers})}}n(Vl,"resolveBrowserPrincipal");async function Yl(e,t){let r={};t!==void 0&&(r.context=t);let o=await Dt(e,r);if(!o.principal)throw _("authentication_required","Authorization setup requires a current browser session.");return o.principal}n(Yl,"requireSetupPrincipal");function Ia(e){return`/oauth/setup?state=${encodeURIComponent(e)}`}n(Ia,"buildSetupReturnTo");async function Aa(e){let t=await Lr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders},returnTo:Ia(e.csrfToken)}),r=await Nr({transaction:e.transaction,requestUrl:e.requestUrl,...e.requestHeaders===void 0?{}:{requestHeaders:e.requestHeaders}}),o={kind:"setup_page",html:Hr({state:e.csrfToken,operationId:e.transaction.operationId,upstreams:t,...r})};return e.setCookie!==void 0&&(o.setCookie=e.setCookie),o}n(Aa,"renderSetup");function Xl(e){if(e===void 0)return;let t=e.metadata.token_endpoint_auth_method;return{clientId:e.clientId,clientName:e.metadata.client_name,tokenEndpointAuthMethod:t}}n(Xl,"toAuthorizationTransactionClient");async function $r(e,t={}){let r=Zl.parse({...e.query,resource:Wl(e,t.operationId),state:va(e.query.state)}),o=rt(r.scope);Me(r.redirect_uri,"invalid_request","authorize");let i=new Date,a=V.parse(r.client_id),s=await 
Bt(r.client_id,i);aa(s,r.redirect_uri);try{let c=De(e.url,r.resource,e.headers),l=Xl(s);t.context?.log.info({event:"oauth_authorize_request_parsed",clientId:a,operationId:c.operationId,scope:o,hasClientState:r.state!==void 0},"Downstream OAuth authorize: request parsed and client resolved"),t.context&&C(t.context,{eventType:w.MCP_OAUTH_AUTHORIZE_STARTED,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type}});let m={clientId:s?.clientId??a,...l===void 0?{}:{client:l},redirectUri:r.redirect_uri,resource:r.resource,operationId:c.operationId,scope:o,codeChallenge:r.code_challenge,codeChallengeMethod:r.code_challenge_method,...r.state===void 0?{}:{clientState:r.state}},{principal:f,setCookie:x}=await Vl(e,t.context);if(!f){let L=await Qi({transaction:m,requestUrl:e.url,requestHeaders:e.headers,now:i});t.context?.log.info({event:"oauth_authorize_awaiting_login",clientId:a,operationId:c.operationId},"Downstream OAuth authorize: redirecting to browser login (no session)");let Re={kind:"redirect",location:L.browserLoginUrl};return x!==void 0&&(Re.setCookie=x),Re}let v=await ea({transaction:m,principal:f,now:i});return t.context?.log.info({event:"oauth_authorize_awaiting_setup",clientId:a,operationId:c.operationId,subjectId:f.subjectId},"Downstream OAuth authorize: rendering consent/setup page"),t.context&&C(t.context,{eventType:w.MCP_OAUTH_AUTHORIZE_AWAITING_SETUP,outcome:"success",virtualServerName:c.operationId,attributes:{clientId:a,scope:o,responseType:r.response_type,subjectId:f.subjectId}}),Aa({transaction:v.transaction,csrfToken:v.csrfToken,requestUrl:e.url,requestHeaders:e.headers,setCookie:x})}catch(c){throw Ql({redirectUri:r.redirect_uri,clientState:r.state,cause:c})}}n($r,"authorizeDownstreamClient");function Ql(e){if(e.cause instanceof ae)return e.cause;let t=ep(e.cause);return t?new 
ae({redirectUri:e.redirectUri,clientState:e.clientState,errorCode:t.errorCode,errorDescription:t.errorDescription,cause:e.cause}):e.cause}n(Ql,"toDownstreamAuthorizeRedirectError");function ep(e){if(e instanceof p)return{errorCode:e.errorCode,errorDescription:e.message};if(e instanceof d.ZodError){let t=e.issues[0];return{errorCode:t?.path.includes("resource")?"invalid_target":"invalid_request",errorDescription:t?.message}}}n(ep,"mapToOAuthRedirectError");async function xa(e,t={}){let r=typeof e.query.error=="string"?e.query.error:void 0;if(r){let m=typeof e.query.error_description=="string"?e.query.error_description.slice(0,256):void 0,f=typeof e.query.error_uri=="string"?e.query.error_uri.slice(0,256):void 0;throw t.context?.log.warn({event:"browser_login_callback_idp_error",code:"provider_access_denied",idpError:r,...m===void 0?{}:{idpErrorDescription:m},...f===void 0?{}:{idpErrorUri:f}},"Identity provider redirected browser-login callback with an error"),_("provider_access_denied",m??"The delegated browser login was not completed.")}let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw t.context?.log.warn({event:"browser_login_callback_state_missing",code:"oauth_state_invalid"},"Browser login callback was invoked without a state parameter"),_("oauth_state_invalid","Browser login callback is missing state.");let i=await Pr(o),a={request:e,stateId:i.stateId};t.context!==void 0&&(a.context=t.context);let s=await Bi(a),c=await ta({browserLoginStateToken:o,principal:s}),l=await Aa({transaction:c.transaction,csrfToken:c.csrfToken,requestUrl:e.url,requestHeaders:e.headers});return l.setCookie=await zt({principal:s,requestUrl:e.url,requestHeaders:e.headers}),l}n(xa,"completeBrowserLoginCallback");async function Ua(e){let t=B(),r=new URL(e.url);if(!ue(r))throw _("forbidden","Local browser login is only available on loopback HTTP origins.");let o=typeof e.query.state=="string"?e.query.state:void 0;if(!o)throw _("oauth_state_invalid","Local browser login 
is missing state.");let i=new URL(typeof e.query.redirect_uri=="string"?e.query.redirect_uri:"/oauth/callback",U(e.url)),a=new URL(U(e.url)).origin;if(i.origin!==a||i.pathname!=="/oauth/callback")throw _("oauth_callback_mismatch","Local browser login redirect_uri must target this gateway's /oauth/callback route.");i.searchParams.set("state",o);let s={subjectId:yt.parse(Gl),roles:Nl};return{kind:"redirect",location:i,setCookie:await zt({principal:s,requestUrl:e.url,requestHeaders:e.headers})}}n(Ua,"completeLocalDevBrowserLogin");function tp(e){let t=e.method==="POST"?e.body:e.query;return Kl.parse(t)}n(tp,"readSetupContinueRequest");async function ka(e){let{state:t,decision:r}=tp({method:e.request.method,query:e.request.query,body:e.body}),o=new Date,i=await Or({csrfToken:t,now:o}),a=await Yl(e.request,e.context);if(r==="cancel")return{kind:"redirect",location:await oa({csrfToken:t,currentBrowserPrincipal:a,now:o})};let s=await ra({csrfToken:t,currentBrowserPrincipal:a,now:o}),c=await Lr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers,returnTo:Ia(t)});if(r==="approve"&&Gr(c)&&await Yi({csrfToken:t,currentBrowserPrincipal:a,now:o}),Gr(c)){let l=await Nr({transaction:s,requestUrl:e.request.url,requestHeaders:e.request.headers});return{kind:"setup_page",html:Hr({state:t,operationId:s.operationId,upstreams:c,...l})}}return{kind:"redirect",location:await na({csrfToken:t,currentBrowserPrincipal:a,now:o})}}n(ka,"continueDownstreamAuthorizeSetup");H();import{createLocalJWKSet as rp,decodeJwt as np,errors as nt,jwtVerify as op}from"jose";var ip=new 
Set(["authorization_code","refresh_token"]),ap="urn:ietf:params:oauth:client-assertion-type:jwt-bearer",sp=1e4,cp=32*1024,dp=2,Pa=d.object({client_id:d.string().min(1).optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),up=d.discriminatedUnion("grant_type",[Pa.extend({grant_type:d.literal("authorization_code"),code:d.string().min(1),redirect_uri:d.string().min(1),code_verifier:gt,resource:d.url().optional(),scope:d.literal(T).optional()}),Pa.extend({grant_type:d.literal("refresh_token"),refresh_token:d.string().min(1),resource:d.url().optional(),scope:d.literal(T).optional()})]);function lp(e){if(typeof e!="object"||e===null)return;let t=e.grant_type;if(t!==void 0&&(typeof t!="string"||!ip.has(t)))throw new p("unsupported_grant_type",`Grant type "${typeof t=="string"?t:""}" is not supported.`)}n(lp,"assertSupportedGrantType");var pp=d.object({token:d.string().min(1),client_id:d.string().min(1).optional(),token_type_hint:d.string().optional(),client_secret:d.string().min(1).optional(),client_assertion_type:d.string().min(1).optional(),client_assertion:d.string().min(1).optional()}),mp=d.object({keys:d.array(d.record(d.string(),d.unknown())).min(1)}).passthrough();function Ta(){return B().gateway.accessTokenTtlSeconds}n(Ta,"readAccessTokenTtlSeconds");function fp(){return B().gateway.refreshTokenTtlSeconds}n(fp,"readRefreshTokenTtlSeconds");function hp(e,t){let r=Ta(),o=Math.max(1,Math.floor((new Date(t).getTime()-e.getTime())/1e3)),i=Math.min(r,o);return{expiresAt:R(J(e,i)),expiresIn:i}}n(hp,"calculateAccessTokenExpiresAt");function Ea(e){if(!e?.startsWith("Basic "))return{};let t;try{t=atob(e.slice(6))}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}let r=t.indexOf(":");if(r<0)throw new p("invalid_client","Malformed HTTP Basic client 
authentication.");try{return{clientId:decodeURIComponent(t.slice(0,r)),clientSecret:decodeURIComponent(t.slice(r+1))}}catch{throw new p("invalid_client","Malformed HTTP Basic client authentication.")}}n(Ea,"readBasicClientSecret");function Oa(e){if(e.basicClientId!==void 0&&e.bodyClientId!==void 0&&e.basicClientId!==e.bodyClientId)throw new p("invalid_request","Authenticated client_id must match request client_id.");let t=e.basicClientId??e.bodyClientId;if(t!==void 0)return t;if(e.clientAssertion!==void 0){try{let r=np(e.clientAssertion);if(typeof r.iss=="string"&&typeof r.sub=="string"&&r.iss===r.sub)return r.iss}catch{throw new p("invalid_client","Malformed private_key_jwt client assertion.")}throw new p("invalid_client","private_key_jwt client assertion must identify the client with matching iss and sub claims.")}throw new p("invalid_client","Client authentication or client_id is required.")}n(Oa,"resolveAuthenticatedClientId");function gp(e){if(e.basicClientSecret!==void 0&&e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return e.basicClientSecret!==void 0?{clientSecret:e.basicClientSecret,clientSecretSource:"basic"}:e.bodyClientSecret!==void 0?{clientSecret:e.bodyClientSecret,clientSecretSource:"post"}:{}}n(gp,"resolveClientSecretInput");function yp(e){return e.clientAssertion!==void 0||e.clientAssertionType!==void 0}n(yp,"hasClientAssertion");function _p(e){if(e.requestUrl===void 0)throw new p("invalid_request","Request URL is required for private_key_jwt client authentication.");let t=new URL(e.pathname,U(e.requestUrl,e.requestHeaders));return t.search="",t.hash="",t.toString()}n(_p,"buildEndpointAudience");function wp(e){return e instanceof nt.JWTExpired?"expired":e instanceof nt.JWTClaimValidationFailed?"claim":e instanceof nt.JWSSignatureVerificationFailed?"signature":e instanceof nt.JWKSNoMatchingKey?"jwks_no_match":e instanceof nt.JWTInvalid?"invalid":e instanceof 
d.ZodError?"schema":"other"}n(wp,"readJwtFailureKind");async function Rp(e){let{response:t,json:r}=await ho(e.jwksUri,{headers:{accept:"application/json"}},{context:e.context,maxRedirects:dp,maxResponseBytes:cp,timeoutMs:sp});if(!t.ok)throw new p("invalid_client","Client JWKS could not be fetched.");return mp.parse(r)}n(Rp,"fetchClientJwks");async function bp(e){if(e.clientAssertionType!==ap||e.clientAssertion===void 0)throw new p("invalid_request","private_key_jwt client authentication requires a JWT bearer client_assertion and client_assertion_type.");let t=V.parse(e.clientId),r=await Bt(t,e.now);if(r.metadata.token_endpoint_auth_method!=="private_key_jwt")throw new p("invalid_client","Client is not registered for private_key_jwt authentication.");let o=r.metadata.jwks_uri;if(o===void 0)throw new p("invalid_client","Client JWKS URI is required for private_key_jwt authentication.");let i=_p({requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,pathname:e.endpointPathname});try{let a=await Rp({jwksUri:o,context:e.context});await op(e.clientAssertion,rp(a),{issuer:t,subject:t,audience:i,currentDate:e.now})}catch(a){throw e.context?.log.warn({event:"oauth_private_key_jwt_client_auth_failed",clientId:t,failureKind:wp(a)},"OAuth private_key_jwt client authentication failed"),new p("invalid_client","Client authentication failed.")}return jt(t)?{method:"none",clientId:t}:{method:"private_key_jwt",clientId:t}}n(bp,"verifyPrivateKeyJwtClientAssertion");async function Sp(e){let t=V.parse(e.clientId);if(jt(t))throw new p("invalid_client","Client is registered for private_key_jwt authentication.");return e.clientSecret===void 0?{method:"none",clientId:t}:{method:e.clientSecretSource==="post"?"client_secret_post":"client_secret_basic",clientId:t,clientSecretHashInput:await I(e.clientSecret)}}n(Sp,"buildRuntimeHttpClientAuth");async function qa(e){if(yp({clientAssertion:e.clientAssertion,clientAssertionType:e.clientAssertionType})){if(e.basicClientSecret!==void 
0||e.bodyClientSecret!==void 0)throw new p("invalid_request","Use only one client authentication method per request.");return bp(e)}let t=gp({basicClientSecret:e.basicClientSecret,bodyClientSecret:e.bodyClientSecret});return Sp({clientId:e.clientId,...t})}n(qa,"resolveRuntimeHttpClientAuth");async function Ma(e){lp(e.body);let t=up.parse(e.body),r=Ea(e.authorizationHeader),o=Oa({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date,a=await qa({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/token",now:i,context:e.context});return Cp({parsed:t,clientId:o,clientAuth:a,now:i,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,context:e.context})}n(Ma,"exchangeDownstreamToken");async function Cp(e){if(e.parsed.grant_type==="authorization_code"){Me(e.parsed.redirect_uri,"invalid_request","token"),rt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let s=Y(),c=Y(),l=R(J(e.now,fp())),m=hp(e.now,l),f=await b().exchangeAuthorizationCode({clientAuth:e.clientAuth,codeHash:await I(e.parsed.code),redirectUri:e.parsed.redirect_uri,...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},codeChallenge:await co(e.parsed.code_verifier),currentRefreshTokenHash:await I(s),accessTokenHash:await I(c),grantExpiresAt:l,accessTokenExpiresAt:m.expiresAt,now:R(e.now)});if(f.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(f.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the authorization code resource.");if(f.kind!=="exchanged")throw new p("invalid_grant","Authorization code is invalid, expired, already used, or failed binding validation.");return 
e.context&&C(e.context,{eventType:w.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"authorization_code"}}),{access_token:c,token_type:"Bearer",expires_in:m.expiresIn,refresh_token:s,scope:f.grant.scope,resource:f.grant.resource}}rt(e.parsed.scope),e.parsed.resource!==void 0&&De(e.requestUrl??e.parsed.resource,e.parsed.resource,e.requestHeaders);let t=Y(),r=Y(),o=R(J(e.now,Ta())),i=await b().refreshToken({clientAuth:e.clientAuth,currentRefreshTokenHash:await I(e.parsed.refresh_token),nextRefreshTokenHash:await I(t),accessTokenHash:await I(r),...e.parsed.resource===void 0?{}:{resource:e.parsed.resource},accessTokenExpiresAt:o,now:R(e.now)});if(i.kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");if(i.kind==="resource_mismatch")throw new p("invalid_target","Token request resource must match the refresh token grant resource.");if(i.kind!=="rotated")throw new p("invalid_grant","Refresh token is invalid, expired, or revoked.");De(e.requestUrl??i.grant.resource,i.grant.resource,e.requestHeaders);let a=i.accessToken.expiresAt;return e.context&&(C(e.context,{eventType:w.MCP_OAUTH_TOKEN_ISSUED,outcome:"success",attributes:{clientId:e.clientId,grantType:"refresh_token"}}),C(e.context,{eventType:w.MCP_OAUTH_TOKEN_REFRESH_ROTATED,outcome:"success",attributes:{clientId:e.clientId}})),{access_token:r,token_type:"Bearer",expires_in:Math.max(1,Math.floor((new Date(a).getTime()-e.now.getTime())/1e3)),refresh_token:t,scope:i.grant.scope,resource:i.grant.resource}}n(Cp,"exchangeDownstreamTokenWithRuntimeHttp");async function Da(e){let t=pp.parse(e.body),r=Ea(e.authorizationHeader),o=Oa({basicClientId:r.clientId,bodyClientId:t.client_id,clientAssertion:t.client_assertion}),i=new Date;if((await b().revokeOAuthToken({clientAuth:await 
qa({clientId:o,basicClientSecret:r.clientSecret,bodyClientSecret:t.client_secret,clientAssertion:t.client_assertion,clientAssertionType:t.client_assertion_type,requestUrl:e.requestUrl,requestHeaders:e.requestHeaders,endpointPathname:"/oauth/revoke",now:i,context:e.context}),tokenHash:await I(t.token),now:R(i)})).kind==="invalid_client")throw new p("invalid_client","Client authentication failed.");e.context?.log.info({event:"oauth_token_revoked",clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}},"OAuth token revocation request processed"),e.context&&C(e.context,{eventType:w.MCP_OAUTH_TOKEN_REVOKED,outcome:"success",attributes:{clientId:o,...t.token_type_hint===void 0?{}:{tokenTypeHint:t.token_type_hint}}})}n(Da,"revokeDownstreamToken");var vp=64*1024,Ip=16*1024,Ap="text/html; charset=utf-8";function xp(e){let t={};for(let[r,o]of e.entries())t[r]=o;return t}n(xp,"formDataToObject");async function Up(e){return qi(e,{maxBytes:vp,label:"Request body"})}n(Up,"readJsonBody");async function Fr(e){return xp(await Mi(e,{maxBytes:Ip,label:"Request body"}))}n(Fr,"readFormBody");async function Ha(e,t,r){let o=le(r),i=r instanceof d.ZodError?se(r):void 0,a={code:o??(r instanceof d.ZodError?"invalid_request":"internal_server_error")};return i!==void 0&&(a.detail=i),Ln(e,t,a)}n(Ha,"handleProblem");function Ba(e){return e?.requestId}n(Ba,"readBrowserRequestId");function ja(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(ja,"readUpstreamHtmlError");function za(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(za,"readRuntimeErrorExtensionString");function kp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(kp,"readRuntimeErrorExtensionNumber");function Pp(e){try{return new URL(e.url).pathname}catch{return}}n(Pp,"readBrowserRequestPath");function we(e){let t={code:e.code,requestId:e.requestId,routePath:Pp(e.request),underlyingError:e.underlyingError};return 
e.error instanceof h&&(t.httpStatus=kp(e.error,Ce),t.contentType=za(e.error,be),t.upstreamUrl=za(e.error,ve)),t}n(we,"buildBrowserErrorDiagnostic");function ot(e){let t=new Headers(e.headers);t.set("cache-control","no-store"),t.set("pragma","no-cache");let r={error:e.error};return e.errorDescription!==void 0&&(r.error_description=e.errorDescription),Response.json(r,{status:e.status??400,headers:t})}n(ot,"oauthErrorResponse");function Tp(e,t){return e.errorCode!=="invalid_client"?{}:t.includeInvalidClientChallenge===!1?{}:{"WWW-Authenticate":'Basic realm="OAuth"'}}n(Tp,"readOAuthProtocolHeaders");function Ep(e,t){let r=j("internal_server_error");return ot({error:e.errorCode,errorDescription:e.errorCode==="server_error"?r.publicDetail:e.message,status:e.status,headers:Tp(e,t)})}n(Ep,"oauthProtocolErrorResponse");function Zr(e){return e.issues[0]?.path.includes("resource")===!0?"invalid_target":"invalid_request"}n(Zr,"readZodOAuthErrorCode");function Op(e){let t={error:Zr(e)},r=se(e);return r!==void 0&&(t.errorDescription=r),ot(t)}n(Op,"oauthZodErrorResponse");function qp(e){let t=le(e);if(t===void 0)return;let r=j(t);if(r.oauthError===void 0)return;let o={error:r.oauthError,status:Dp(r.oauthError)};return r.oauthError==="server_error"?o.errorDescription=r.publicDetail:e instanceof Error?o.errorDescription=e.message:o.errorDescription=r.publicDetail,ot(o)}n(qp,"oauthGatewayProblemResponse");function Mp(){let t={error:"server_error",status:500,errorDescription:j("internal_server_error").publicDetail};return ot(t)}n(Mp,"oauthFallbackErrorResponse");function Dp(e){switch(e){case"invalid_client":return 401;case"server_error":return 500;default:return 400}}n(Dp,"readOAuthStatus");function Kr(e,t={}){return e instanceof ae?Ga(e):e instanceof p?Ep(e,t):e instanceof d.ZodError?Op(e):qp(e)??Mp()}n(Kr,"oauthProblemResponse");function Jr(e,t,r){let o=qe(e.url),i=Ba(t);if(r instanceof ae)return Ga(r);if(r instanceof p){let c=j("internal_server_error");return 
F({host:o,kind:zp(r.errorCode),title:"Authorization failed",detail:r.errorCode==="server_error"?c.publicDetail:r.message,developerDetail:r.errorCode==="server_error"?c.publicDetail:r.message,code:r.errorCode,diagnostic:we({request:e,requestId:i,code:r.errorCode,underlyingError:r.errorCode==="server_error"?c.publicDetail:r.message,error:r}),requestId:i,status:r.status})}if(r instanceof d.ZodError)return F({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was invalid.",code:Zr(r),diagnostic:we({request:e,requestId:i,code:Zr(r),underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:i});let a=le(r);if(a!==void 0){let c=j(a);return F({host:o,kind:Na(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:we({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:ja(r),status:c.status})}let s=j("internal_server_error");return F({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"server_error",diagnostic:we({request:e,requestId:i,code:"server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(Jr,"browserOAuthProblemResponse");function La(e,t,r){let o=qe(e.url),i=Ba(t),a=le(r);if(a!==void 0){let c=j(a);return F({host:o,kind:Na(a),detail:c.publicDetail,developerDetail:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,code:a,diagnostic:we({request:e,requestId:i,code:a,underlyingError:c.status>=500||!(r instanceof Error)?c.publicDetail:r.message,error:r}),requestId:i,upstreamHtml:ja(r),status:c.status})}if(r instanceof d.ZodError)return F({host:o,kind:"invalid_request",detail:se(r)??"The authorization request was invalid.",developerDetail:se(r)??"The authorization request was 
invalid.",code:"invalid_request",diagnostic:we({request:e,requestId:i,code:"invalid_request",underlyingError:se(r)??"The authorization request was invalid.",error:r}),requestId:i});let s=j("internal_server_error");return F({host:o,kind:"internal_error",detail:s.publicDetail,developerDetail:s.publicDetail,code:"internal_server_error",diagnostic:we({request:e,requestId:i,code:"internal_server_error",underlyingError:s.publicDetail,error:r}),requestId:i,status:s.status})}n(La,"browserGatewayProblemResponse");function zp(e){return e==="server_error"?"internal_error":"invalid_request"}n(zp,"readOAuthBrowserErrorKind");function Na(e){if(j(e).status>=500)return"internal_error";switch(e){case"mcp_route_not_enabled":case"unknown_upstream_server":case"unknown_mcp_route":case"unknown_auth_profile":case"mcp_route_upstream_mismatch":return"configuration_error";case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"invalid_request":case"authentication_required":case"forbidden":case"not_found":case"too_many_requests":case"identity_context_missing":return"invalid_request";case"upstream_capability_invocation_failed":case"upstream_capability_unavailable":case"upstream_import_failed":return"connection_failed";case"internal_server_error":return"internal_error"}return"authorization_failed"}n(Na,"readGatewayBrowserErrorKind");function ee(e,t,r){let o={event:t},i=!1;if(r instanceof p)o.oauthError=r.errorCode,o.status=r.status,W(o,"error",r);else if(r instanceof ae)o.oauthError=r.errorCode,W(o,"error",r);else if(r instanceof 
d.ZodError){o.code="invalid_request",W(o,"error",r);let a=r.issues[0];a&&(o.zodPath=a.path.join("."))}else{let a=le(r);if(a!==void 0){let s=j(a);o.code=a,o.status=s.status,s.oauthError!==void 0&&(o.oauthError=s.oauthError),i=s.status>=500||s.oauthError==="server_error",W(o,"error",r)}else i=!0,W(o,"error",r)}if(i){let a=r instanceof Error?r:new Error("Non-Error thrown from OAuth handler",{cause:r});e.log.error(o,a.message)}else e.log.warn(o,"OAuth handler rejected the request")}n(ee,"logUnexpectedOAuthHandlerError");function Ga(e){let t;try{t=new URL(e.redirectUri)}catch{return ot({error:e.errorCode,...e.errorDescription===void 0?{}:{errorDescription:e.errorDescription}})}t.searchParams.set("error",e.errorCode),e.errorDescription!==void 0&&t.searchParams.set("error_description",e.errorDescription),e.clientState!==void 0&&t.searchParams.set("state",e.clientState);let r=new Headers({location:t.toString(),"cache-control":"no-store"});return new Response(null,{status:302,headers:r})}n(Ga,"downstreamAuthorizeRedirectErrorResponse");function se(e){let t=e.issues[0];if(!t)return;let r=t.path.join(".");return r?`${r}: ${t.message}`:t.message}n(se,"formatZodErrorDetail");function Hp(e,t){let r={event:"browser_login_callback_failed",code:le(t)??"invalid_request"};W(r,"error",t),e.log.warn(r,"Browser login callback failed; client received a connection-failure page")}n(Hp,"logBrowserLoginCallbackFailure");function $a(e){e.location.hash||(e.location.hash="#");let t=new Headers({location:e.location.toString(),"cache-control":"no-store"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(null,{status:302,headers:t})}n($a,"redirectResultResponse");function Nt(e){if(e.kind==="setup_page"){let t=new Headers({"content-type":Ap,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"});return e.setCookie&&t.append("set-cookie",e.setCookie),new Response(e.html,{status:200,headers:t})}return $a(e)}n(Nt,"authorizeResultResponse");async 
function Za(e,t){try{return Response.json(Wn(e.url,e.headers))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),Ha(e,t,r)}}n(Za,"authorizationServerMetadataHandler");async function Fa(e,t){try{let r=Xt(e.params.routePath);return Response.json(Vn({operationId:r.operationId,requestUrl:e.url,requestHeaders:e.headers}))}catch(r){return ee(t,"oauth_authorization_server_metadata_failed",r),Ha(e,t,r)}}n(Fa,"scopedAuthorizationServerMetadataHandler");async function Ka(e,t){try{let r=await ca(await Up(e)),o=r,i=typeof o.client_id=="string"?o.client_id:void 0,a=typeof o.client_name=="string"?o.client_name:void 0,s=Array.isArray(o.redirect_uris)?o.redirect_uris.length:void 0,c=typeof o.token_endpoint_auth_method=="string"?o.token_endpoint_auth_method:void 0;return t.log.info({event:"oauth_dcr_client_registered",clientId:i,clientName:a,redirectUriCount:s,tokenEndpointAuthMethod:c},"OAuth Dynamic Client Registration completed"),C(t,{eventType:w.MCP_OAUTH_CLIENT_REGISTERED,outcome:"success",clientName:a,attributes:{clientId:i,redirectUriCount:s,tokenEndpointAuthMethod:c}}),Response.json(r,{status:201,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_register_failed",r),Kr(r)}}n(Ka,"registerHandler");async function Ja(e,t){try{return Nt(await $r(e,{context:t}))}catch(r){return ee(t,"oauth_authorize_failed",r),Jr(e,t,r)}}n(Ja,"authorizeHandler");async function Wa(e,t){try{let r=Xt(e.params.routePath);return Nt(await $r(e,{operationId:r.operationId,context:t}))}catch(r){return ee(t,"oauth_authorize_scoped_failed",r),Jr(e,t,r)}}n(Wa,"scopedAuthorizeHandler");async function Va(e,t){try{let r=await xa(e,{context:t});return t.log.info({event:"browser_login_callback_completed",resultKind:r.kind},"Browser login callback completed; consent setup rendered"),Nt(r)}catch(r){return Hp(t,r),La(e,t,r)}}n(Va,"callbackHandler");async function Ya(e,t){try{return $a(await Ua(e))}catch(r){return 
ee(t,"oauth_dev_login_failed",r),Jr(e,t,r)}}n(Ya,"devLoginHandler");async function Xa(e,t){try{if(!["GET","POST"].includes(e.method))return new Response(null,{status:405,headers:{allow:"GET, POST"}});let r=await ka({request:e,body:e.method==="POST"?await Fr(e):void 0,context:t});return Nt(r)}catch(r){return ee(t,"oauth_setup_failed",r),La(e,t,r)}}n(Xa,"setupHandler");async function Qa(e,t){try{return Response.json(await Ma({body:await Fr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),{headers:{"cache-control":"no-store",pragma:"no-cache"}})}catch(r){return ee(t,"oauth_token_failed",r),Kr(r)}}n(Qa,"tokenHandler");async function es(e,t){try{return await Da({body:await Fr(e),authorizationHeader:e.headers.get("authorization"),requestUrl:e.url,requestHeaders:e.headers,context:t}),new Response(null,{status:200,headers:{"cache-control":"no-store"}})}catch(r){return ee(t,"oauth_revoke_failed",r),Kr(r)}}n(es,"revokeHandler");var Bp={connect:"Connect",callback_authorization_code:"Callback",callback_provider_error:"Callback",callback_invalid:"Callback",client_metadata:"Client metadata"},ts=Symbol("upstream-request");function jp(e){let t=e[ts];if(!t)throw new M("Upstream request context has not been set");return t}n(jp,"readUpstreamRequestContext");function Lp(e,t){return t.some(r=>r===e)}n(Lp,"requestContextMatchesKind");function Np(e){return typeof e=="string"?[e]:e}n(Np,"toExpectedKinds");function ze(e,t){Object.defineProperty(e,ts,{configurable:!0,value:t})}n(ze,"setUpstreamRequestContext");function it(e,t){let r=jp(e),o=Np(t);if(!Lp(r.kind,o)){let i=Bp[o[0]];throw new M(`${i} request context has not been set`)}return r}n(it,"requireUpstreamRequestContext");function rs(e){return S`<p data-gateway-error-code="${e.code}">${e.body}</p>`}n(rs,"renderBrowserResult");var Gp="text/html; charset=utf-8",$p="none";function Zp(e){let t=fr(e.host);return 
Oe({title:e.title,iconHref:t,styles:Ee,headerIcon:Lt({iconHref:t,fallbackIconHref:xt}),heading:e.title,subhead:"",body:rs({body:e.body,code:e.code??$p}),footer:""})}n(Zp,"browserResultHtml");function Fp(e,t=200){return new Response(Te(e),{status:t,headers:{"content-type":Gp,"cache-control":"no-store","referrer-policy":"no-referrer","x-frame-options":"DENY"}})}n(Fp,"browserResultResponse");function ns(e){return Fp(Zp(e))}n(ns,"browserConnectionSuccessResponse");function Gt(e,t,r={}){let o=jn(t);return F({host:e,kind:Kp(t),detail:o.body,developerDetail:r.developerDetail,code:t,diagnostic:r.diagnostic,upstreamHtml:r.upstreamHtml})}n(Gt,"browserConnectionFailureResponse");function Kp(e){switch(e){case"provider_access_denied":return"access_denied";case"oauth_state_invalid":case"oauth_state_expired":case"oauth_state_reused":case"oauth_callback_mismatch":return"session_expired";case"browser_login_verification_failed":case"upstream_token_exchange_failed":case"upstream_token_response_invalid":return"connection_failed";case"upstream_oauth_discovery_unavailable":case"upstream_provider_access_denied":case"upstream_client_registration_required":return"admin_required"}}n(Kp,"readCallbackFailureBrowserErrorKind");var Jp=["callback_authorization_code","callback_provider_error","callback_invalid"];function Wr(e){try{return new URL(e.url).pathname}catch{return}}n(Wr,"readBrowserRequestPath");function Wp(e){return"cause"in e?e.cause:void 0}n(Wp,"readErrorCause");function Vp(e){return e.stack?.split(`
|
|
48
|
+
`).slice(1,4).map(t=>t.trim()).join(" | ")}n(Vp,"readFirstStackFrame");function os(e,t,r){r instanceof Error&&(e[`${t}Name`]=r.name,e[`${t}Message`]=r.message,e[`${t}StackFrame`]=Vp(r))}n(os,"addErrorAttributes");function Vr(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[y];return bn(t)?t:void 0}n(Vr,"readRuntimeGatewayCode");function is(e,t){let r=e.extensionMembers?.[t];return typeof r=="string"?r:void 0}n(is,"readRuntimeErrorExtensionString");function Yp(e,t){let r=e.extensionMembers?.[t];return typeof r=="number"?r:void 0}n(Yp,"readRuntimeErrorExtensionNumber");function Xp(e,t,r,o){switch(r.kind){case"callback_provider_error":return t.log.warn({event:"upstream_oauth_provider_error",code:"provider_access_denied",upstreamServerId:r.upstreamServerId,providerError:r.error,...r.errorDescription===void 0?{}:{providerErrorDescription:r.errorDescription.slice(0,256)}},"Upstream identity provider returned an error to the OAuth callback"),C(t,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:r.upstreamServerId,reasonCode:"provider_access_denied",reasonClass:"auth",attributes:{error:r.error,errorDescription:r.errorDescription}}),Gt(o,"provider_access_denied",{developerDetail:r.errorDescription??r.error,diagnostic:{code:"provider_access_denied",requestId:t.requestId,routePath:Wr(e),upstreamServerId:r.upstreamServerId,providerError:r.error,providerErrorDescription:r.errorDescription,underlyingError:r.errorDescription??r.error}});case"callback_invalid":return t.log.warn({event:"upstream_oauth_callback_invalid",code:"oauth_state_invalid",upstreamServerId:r.upstreamServerId},"Upstream OAuth callback request missing required code/state parameters"),Gt(o,"oauth_state_invalid",{diagnostic:{code:"oauth_state_invalid",requestId:t.requestId,routePath:Wr(e),upstreamServerId:r.upstreamServerId}});case"callback_authorization_code":return r}}n(Xp,"requireAuthorizationCallbackRequest");function 
Qp(e,t){C(e,{eventType:w.MCP_AUTH_UPSTREAM_CALLBACK_RECEIVED,outcome:"success",upstreamServerName:t.upstreamServerId})}n(Qp,"emitCallbackReceivedAnalyticsEvent");function em(e,t){C(e,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_SUCCEEDED,outcome:"success",upstreamServerName:t.upstreamServerId,virtualServerName:t.operationId})}n(em,"emitTokenExchangeSucceededAnalyticsEvent");function tm(e,t){if(t.returnTo){let r=t.returnOrigin??e.url;return Response.redirect(new URL(t.returnTo,r).toString(),302)}return ns({host:qe(e.url),title:"Connection complete",body:"The upstream authorization flow completed successfully. You can return to your MCP client."})}n(tm,"buildSuccessfulCallbackResponse");function rm(e){let t={detail:e instanceof Error?e.message:void 0};return os(t,"error",e),e instanceof Error&&os(t,"cause",Wp(e)),t}n(rm,"buildTokenExchangeFailureAttributes");function nm(e){C(e.context,{eventType:w.MCP_AUTH_UPSTREAM_TOKEN_EXCHANGE_FAILED,outcome:"failure",upstreamServerName:e.callbackRequest.upstreamServerId,reasonCode:Vr(e.error)??"token_exchange_failed",reasonClass:"auth",errorType:e.error instanceof Error?e.error.name:"unknown",attributes:rm(e.error)})}n(nm,"emitTokenExchangeFailedAnalyticsEvent");function om(e){let t=e.error,r=Vr(t),o=Sn(r)?r:"upstream_token_exchange_failed",i={code:o,requestId:e.context.requestId,routePath:Wr(e.request),upstreamServerId:e.callbackRequest.upstreamServerId,underlyingError:t instanceof Error?t.message:void 0,...t instanceof h?{httpStatus:Yp(t,Ce),contentType:is(t,be),upstreamUrl:is(t,ve)}:{}};return Gt(e.host,o,{developerDetail:t instanceof Error?t.message:void 0,diagnostic:i,upstreamHtml:im(t)})}n(om,"tokenExchangeFailureResponse");function im(e){if(!(e instanceof h))return;let t=e.extensionMembers?.[Se];return typeof t=="string"?t:void 0}n(im,"readUpstreamHtmlError");async function Yr(e,t){let r=it(e,Jp),o=qe(e.url),i=Xp(e,t,r,o);if(i instanceof Response)return i;Qp(t,i);try{let a=await Ci({request:e,callbackRequest:i});return 
em(t,a),t.log.info({event:"upstream_oauth_token_exchange_succeeded",upstreamServerId:a.upstreamServerId,operationId:a.operationId,authProfileId:a.authProfileId,ownerMode:a.ownerMode},"Upstream OAuth token exchange completed; user connection established"),tm(e,a)}catch(a){let s={event:"upstream_oauth_token_exchange_failed",code:Vr(a)??"upstream_token_exchange_failed",upstreamServerId:i.upstreamServerId};return W(s,"error",a),t.log.warn(s,"Upstream OAuth token exchange failed; user shown connection-failure page"),nm({context:t,callbackRequest:i,error:a}),om({request:e,context:t,host:o,callbackRequest:i,error:a})}}n(Yr,"callbackHandler");function am(e){return(e instanceof Error?e.message:void 0)??"The requested upstream client metadata document was not found."}n(am,"clientMetadataProblemDetail");async function as(e,t){let r=it(e,"connect"),o=await Si({request:e,connectRequest:r});if(C(t,{eventType:w.MCP_AUTH_UPSTREAM_CONNECT_STARTED,outcome:"success",upstreamServerName:r.upstreamServerId,virtualServerName:o.operationId,upstreamServerTitle:o.upstreamDisplayName}),t.log.info({event:"upstream_connect_started",upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,operationId:o.operationId,ownerMode:r.ownerMode,redirect:r.redirect,hasReturnTo:r.returnTo!==void 0},"Upstream OAuth connect flow started"),r.redirect)return Response.redirect(o.authUrl,302);let i=await Tt({requestUrl:e.url,requestHeaders:e.headers,owner:o.owner,initiatedBySubjectId:o.initiatedBySubjectId,upstreamServerId:r.upstreamServerId,authProfileId:o.authProfileId,upstreamDisplayName:o.upstreamDisplayName,operationId:o.operationId,subject:"MCP route",...r.returnTo===void 0?{}:{returnTo:r.returnTo}});return Response.json(i,{status:428})}n(as,"connectHandler");async function Xr(e,t){let r=it(e,"client_metadata");try{let o=oi(e.url,e.headers),i=ii(o,r.upstreamServerId,r.authProfileId);return Response.json(i)}catch(o){if(!(o instanceof P))throw o;let i=o instanceof Error?o.message:String(o);return 
t.log.warn({event:"oauth_client_metadata_request_failed",upstreamServerId:r.upstreamServerId,authProfileId:r.authProfileId,errorMessage:i},"Failed to serve OAuth client metadata document for upstream connection"),de.notFound(e,t,{code:"not_found",detail:am(o)})}}n(Xr,"oauthClientMetadataHandler");function ce(e){if(typeof e=="string"&&e.length!==0)return e}n(ce,"readOptionalQueryString");function sm(e,t){let r=e.params[t];if(typeof r!="string"||r.length===0)throw new M(`Validated path parameter ${t} is missing`);return ss(r,t)}n(sm,"requirePathString");function ss(e,t){try{return decodeURIComponent(e)}catch(r){throw new h({message:`Path parameter "${t}" must be valid URL encoding.`,extensionMembers:{[y]:"invalid_request"}},{cause:r})}}n(ss,"decodePathString");function cm(e){let t=ce(e);return t?pt.parse(t):void 0}n(cm,"readOptionalOperationId");function dm(e,t){let r=ce(e);return r?An.parse(r):ht(t,"user-oauth")}n(dm,"readOptionalAuthProfileId");function um(e,t){let r=e.params[t];return typeof r=="string"&&r.length>0?ss(r,t):void 0}n(um,"readOptionalPathString");function lm(e){let t=cm(e);if(!t)throw new h({message:"operationId query parameter is required.",extensionMembers:{[y]:"invalid_request"}});return t}n(lm,"readRequiredOperationId");function pm(e){let t=Qn(ce(e));return t===void 0?{}:{returnTo:t}}n(pm,"readOptionalReturnTo");function mm(e){let t=ce(e.query.error_description);return t===void 0?{}:{errorDescription:t}}n(mm,"readOptionalProviderErrorDescription");function fm(e){let t=G(e.authMode);if(t.connectSupport!=="none")return e;throw new h({message:t.connectUnsupportedDetail??"This upstream does not support browser connection flows.",extensionMembers:{[y]:"invalid_request"}})}n(fm,"requireConnectableRouteAuth");function hm(e,t,r,o){return{kind:"connect",...Pe(e,t.subjectId),...o===void 0?{}:{returnTo:o},redirect:r}}n(hm,"buildConnectContextForUser");function gm(e,t,r){let o=wt(t),i=G(e.authMode);if(o.mode!==i.ownerMode)throw new h({message:"Browser 
connect ticket did not match the requested upstream flow",extensionMembers:{[y]:"oauth_callback_mismatch"}});return{kind:"connect",...e,...t.returnTo===void 0?{}:{returnTo:t.returnTo},owner:o,initiatedBySubjectId:t.initiatedBySubjectId,redirect:r}}n(gm,"buildConnectContextForTicket");async function ym(e,t){let r=fm(Ot(t,lm(e.query.operationId))),o=e.query.redirect==="true",i=ce(e.query.browserTicket);if(e.user){if(i)throw new h({message:"Use either an authenticated gateway request or a browser connect ticket, not both.",extensionMembers:{[y]:"invalid_request"}});let s=Ie(e.user,e.url);return hm(r,s,o,pm(e.query.returnTo).returnTo)}if(!i)throw new h({message:"Authentication is required to start the upstream connection flow.",extensionMembers:{[y]:"authentication_required"}});let a=await Yo(i);if(a.ownerMode!==r.ownerMode||a.upstreamServerId!==r.upstreamServerId||a.authProfileId!==r.authProfileId||a.operationId!==r.operationId)throw new h({message:"Browser connect ticket did not match the requested upstream flow",extensionMembers:{[y]:"oauth_callback_mismatch"}});return await Xo(a),gm(r,a,o)}n(ym,"resolveConnectContext");async function _m(e,t,r){let o=In.parse(sm(e,"connection"));switch(r){case"connect":ze(e,await ym(e,o));return;case"callback":{let i=ce(e.query.error);if(i){ze(e,{kind:"callback_provider_error",upstreamServerId:o,error:i,...mm(e)});return}let a=ce(e.query.code),s=ce(e.query.state);if(a&&s){ze(e,{kind:"callback_authorization_code",upstreamServerId:o,code:a,state:s});return}ze(e,{kind:"callback_invalid",upstreamServerId:o});return}case"client_metadata":ze(e,{kind:"client_metadata",upstreamServerId:o,authProfileId:dm(um(e,"authProfileId")??e.query.authProfileId,o)});return}}n(_m,"resolveUpstreamRequestInbound");async function wm(e,t,r){try{await _m(e,t,r);return}catch(o){let i=o instanceof h?o.extensionMembers?.[y]:void 0,a=o instanceof Error?o.message:void 0;switch(i){case"invalid_request":case"oauth_callback_mismatch":return 
de.badRequest(e,t,{code:i,detail:a});case"authentication_required":return de.unauthorized(e,t,{code:i,detail:a});default:throw o}}}n(wm,"applyUpstreamRequestContext");function at(e,t){return n(async(o,i)=>{let a=await wm(o,i,e);return a||t(o,i)},"wrapped")}n(at,"withUpstreamRequestContext");var Rm={"access-control-allow-origin":"*","access-control-allow-methods":"GET, OPTIONS","access-control-allow-headers":"content-type, authorization","access-control-max-age":"86400"};function bm(){return new Response(null,{status:204,headers:Rm})}n(bm,"buildWellKnownPreflightResponse");function Sm(e){let t=new Headers(e.headers);return t.set("access-control-allow-origin","*"),new Response(e.body,{status:e.status,statusText:e.statusText,headers:t})}n(Sm,"withWellKnownCorsHeaders");function Qr(e){return async(t,r)=>t.method==="OPTIONS"?bm():Sm(await e(t,r))}n(Qr,"wrapWellKnownHandler");var us=[{routeName:"oauth_as_metadata",path:"/.well-known/oauth-authorization-server",methods:["GET","OPTIONS"],handler:Qr(Za),corsPolicy:"anything-goes"},{routeName:"oauth_as_metadata_scoped",path:"/.well-known/oauth-authorization-server/:routePath*",methods:["GET","OPTIONS"],handler:Qr(Fa),corsPolicy:"anything-goes"},{routeName:"oauth_protected_resource_metadata",path:"/.well-known/oauth-protected-resource/:routePath*",methods:["GET","OPTIONS"],handler:Qr(Yn),corsPolicy:"anything-goes"},{routeName:"oauth_register",path:"/oauth/register",methods:["POST"],handler:Ka},{routeName:"oauth_authorize",path:"/oauth/authorize",methods:["GET"],handler:Ja},{routeName:"oauth_authorize_scoped",path:"/oauth/authorize/:routePath*",methods:["GET"],handler:Wa},{routeName:"oauth_callback",path:"/oauth/callback",methods:["GET"],handler:Va},{routeName:"oauth_dev_login",path:"/oauth/dev-login",methods:["GET"],handler:Ya},{routeName:"oauth_setup",path:"/oauth/setup",methods:["GET","POST"],handler:Xa},{routeName:"oauth_token",path:"/oauth/token",methods:["POST"],handler:Qa},{routeName:"oauth_revoke",path:"/oauth/revoke",m
ethods:["POST"],handler:es},{routeName:"upstream_client_metadata",path:"/.well-known/oauth-client/:connection",methods:["GET"],handler:at("client_metadata",Xr)},{routeName:"upstream_client_metadata_profile",path:"/.well-known/oauth-client/:connection/:authProfileId",methods:["GET"],handler:at("client_metadata",Xr)},{routeName:"upstream_connect",path:"/auth/connections/:connection/connect",methods:["GET"],handler:at("connect",as)},{routeName:"upstream_callback",path:"/auth/connections/:connection/callback",methods:["GET"],handler:at("callback",Yr)}],Cm=us.filter(e=>!e.routeName.startsWith("upstream_")),vm=us.filter(e=>e.routeName.startsWith("upstream_"));function ls(e){return e?.some(wn)??!1}n(ls,"hasMcpOAuthRuntimeConfigPolicy");function ps(e){return e?.some(t=>En(t.policyType))??!1}n(ps,"hasMcpTokenExchangePolicy");function ms(e){return ls(e)||ps(e)}n(ms,"shouldRegisterMcpGatewayInternalRoutes");function Im(e){Mn(On({routes:e.routes,policies:e.policies}))}n(Im,"initializeMcpGatewayConnectionRegistry");function Am(e){let t=Rn(e.policies);if(!t){let r=[..._n].map(o=>`\`${o}\``).join(", ");throw new P(`MCP gateway: could not find an MCP authorization policy in policies.json. 
Add one of [${r}] and reference it on your MCP routes.`)}return t.config}n(Am,"initializeMcpGatewayOAuthRuntimeConfig");function cs(e,t,r){return async(o,i)=>{r&&gn(i,r());let a=o.method==="OPTIONS",s=Date.now();a||i.log.info({event:`${e}_received`,method:o.method},`MCP gateway: ${e} received`);let c=await t(o,i);return a||i.log.info({event:`${e}_responded`,status:c.status,durationMs:Date.now()-s},`MCP gateway: ${e} responded`),c}}n(cs,"wrapInternalHandler");function ds(e,t,r){e.addPluginRoute({path:t.path,methods:t.methods,handler:r,processors:[sn],corsPolicy:t.corsPolicy??"none"})}n(ds,"addInternalRoute");function fs(e,t){Im(t);let r=ls(t.policies),o=ps(t.policies),i,a=n(()=>(i===void 0&&(i=Am(t)),i),"readOAuthConfig");if(r)for(let s of Cm)ds(e,s,cs(s.routeName,s.handler,a));if(o)for(let s of vm)ds(e,s,cs(s.routeName,s.handler))}n(fs,"registerMcpGatewayInternalRoutes");function hs(e){qn(e)}n(hs,"configureLazyMcpGatewayState");var en=class extends on{static{n(this,"McpGatewayPlugin")}registerRoutes(t){let r=t.parsedRouteData;if(!r||!ms(r.policies))return;let o={routes:r.routes,policies:r.policies};hs(o),fs(t.router,o)}};var xm=new TextDecoder;function Um(e){if(e)try{return JSON.parse(xm.decode(e))}catch{return}}n(Um,"readBodyJson");function te(e){return e&&typeof e=="object"?e:void 0}n(te,"readRecord");function st(e,t){let r=te(e)?.[t];return typeof r=="string"?r:void 0}n(st,"readStringProperty");function ys(e,t){let r=te(e)?.[t];return typeof r=="number"?r:void 0}n(ys,"readNumberProperty");function gs(e,t){return ys(e,"code")??(t.status>=400?t.status:void 0)}n(gs,"readErrorCode");function _s(e){return Array.isArray(e)?e.map(_s).find(t=>t?.method):te(e)}n(_s,"readJsonRpcMessage");function ws(e){let t=_s(Um(e)),r=typeof 
t?.method=="string"?t.method:"",o=t?.params;switch(r){case"tools/list":return{mcpMethod:r,capabilityType:"tool"};case"tools/call":return{mcpMethod:r,capabilityType:"tool",capabilityName:st(o,"name")};case"prompts/list":return{mcpMethod:r,capabilityType:"prompt"};case"prompts/get":return{mcpMethod:r,capabilityType:"prompt",capabilityName:st(o,"name")};case"resources/list":case"resources/templates/list":return{mcpMethod:r,capabilityType:"resource"};case"resources/read":{let i=st(o,"uri");return{mcpMethod:r,capabilityType:"resource",capabilityName:i,resourceUri:i}}default:return null}}n(ws,"buildBaseCapabilityInput");function Rs(e){return e==="tools/list"||e==="prompts/list"||e==="resources/list"||e==="resources/templates/list"}n(Rs,"isCapabilityListMethod");function km(e,t,r){let a=te(r)?.[e==="resources/templates/list"?"resourceTemplates":t==="tool"?"tools":t==="prompt"?"prompts":"resources"];return Array.isArray(a)?a.length:void 0}n(km,"readItemCount");async function Pm(e){try{return await e.clone().json()}catch{return}}n(Pm,"readResponseJson");function bs(e){let t=ws(e);return!t||Rs(t.mcpMethod)?null:{eventType:w.MCP_CAPABILITY_INVOKED,outcome:"success",...t}}n(bs,"buildCapabilityInvokedAnalyticsInput");async function Ss(e,t){let r=ws(e);if(!r)return null;let o=te(await Pm(t)),i=te(o?.error),a=te(i?.data),s=o?.result,c=r.mcpMethod==="tools/call"&&te(s)?.isError===!0;if(te(a?.connectRequired))return{eventType:w.MCP_CAPABILITY_CONNECT_REQUIRED,outcome:"connect_required",...r,httpStatusCode:t.status,reasonCode:"connect_required",reasonClass:"auth",errorType:"connect_required",errorCode:ys(i,"code"),mcpErrorType:st(i,"message")};if(Rs(r.mcpMethod)){let l=t.status>=400?void 
0:km(r.mcpMethod,r.capabilityType,s);return{eventType:w.MCP_CAPABILITY_LISTED,outcome:t.status>=400||i?"failure":"success",...r,httpStatusCode:t.status,...t.status>=400||i?{reasonCode:"upstream_capability_list_failed",reasonClass:"upstream",errorType:"capability_list_error",errorCode:gs(i,t)}:{},...l===void 0?{}:{attributes:{itemCount:l}}}}return t.status>=400||i?{eventType:w.MCP_CAPABILITY_FAILED,outcome:"failure",...r,httpStatusCode:t.status,reasonCode:"upstream_capability_invocation_failed",reasonClass:"upstream",errorType:"capability_error",errorCode:gs(i,t),mcpErrorType:st(i,"message")}:{eventType:w.MCP_CAPABILITY_COMPLETED,outcome:c?"application_error":"success",...r,httpStatusCode:t.status,toolResultIsError:c,applicationError:c}}n(Ss,"buildCapabilityFinalAnalyticsInput");var Tm={Allow:"POST"};async function Em(e){try{return await e.clone().arrayBuffer()}catch{return}}n(Em,"readRequestBody");function Cs(e){try{let t=Dn(e.route.path);return{virtualServerName:t.operationId,upstreamServerName:t.connection?.upstreamServerId,upstreamServerTitle:t.connection?.displayName,authProfileId:t.connection?.authProfileId,upstreamAuthMode:t.connection?.authMode}}catch{return{}}}n(Cs,"readRouteAnalyticsFields");function vs(e){return Xn(e.user,e.url,e.headers)?.subjectId}n(vs,"readRequestSubjectId");function Om(e){let t=bs(e.requestBody);t&&C(e.context,{...t,...Cs(e.context),httpMethod:e.request.method,subjectId:vs(e.request),transport:"http"})}n(Om,"emitCapabilityInvokedAnalytics");async function qm(e){let t=await Ss(e.requestBody,e.response);t&&C(e.context,{...t,...Cs(e.context),httpMethod:e.request.method,subjectId:vs(e.request),transport:"http",latencyMs:Date.now()-e.startedAt})}n(qm,"emitCapabilityFinalAnalytics");async function Mm(e,t){if(e.method==="GET")return de.methodNotAllowed(e,t,{detail:"MCP Gateway routes support stateless Streamable HTTP requests over POST. 
Server-sent event GET streams are not supported."},Tm);let r=Date.now(),o=await Em(e);Om({context:t,request:e,requestBody:o});let i=await fn(e,t);return await qm({context:t,request:e,requestBody:o,response:i,startedAt:r}),i}n(Mm,"McpProxyHandler");export{Bs as McpAuth0OAuthInboundPolicy,er as McpCapabilityFilterInboundPolicy,Us as McpClerkOAuthInboundPolicy,ks as McpCognitoOAuthInboundPolicy,Ps as McpEntraOAuthInboundPolicy,en as McpGatewayPlugin,Ts as McpGoogleOAuthInboundPolicy,Es as McpKeycloakOAuthInboundPolicy,Os as McpLogtoOAuthInboundPolicy,qs as McpOAuthInboundPolicy,Ms as McpOktaOAuthInboundPolicy,Ds as McpOneLoginOAuthInboundPolicy,zs as McpPingOAuthInboundPolicy,Mm as McpProxyHandler,Ar as McpTokenExchangeInboundPolicy,Hs as McpWorkosOAuthInboundPolicy};
|
|
49
49
|
//# sourceMappingURL=index.js.map
|